xref: /illumos-gate/usr/src/man/man1/getfacl.1 (revision 598f4ceed9327d2d6c2325dd67cae3aa06f7fea6)
te
.Copyright (c) 2002, Sun Microsystems, Inc. All Rights Reserved
The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
GETFACL 1 "Nov 5, 1994"
NAME
getfacl - display discretionary file information
SYNOPSIS

getfacl [-ad] file...
DESCRIPTION

For each argument that is a regular file, special file, or named pipe, the getfacl utility displays the owner, the group, and the Access Control List (ACL). For each directory argument, getfacl displays the owner, the group, and the ACL and/or the default ACL. Only directories contain default ACLs.

The getfacl utility may be executed on a file system that does not support ACLs. It reports the ACL based on the base permission bits.

With no options specified, getfacl displays the filename, the file owner, the file group owner, and both the ACL and the default ACL, if it exists.

OPTIONS

The following options are supported: -a

Displays the filename, the file owner, the file group owner, and the ACL of the file.

-d

Displays the filename, the file owner, the file group owner, and the default ACL of the file, if it exists.

OPERANDS

The following operands are supported: file

The path name of a regular file, special file, or named pipe.

OUTPUT

The format for ACL output is as follows:

# file: filename 
# owner: uid 
# group: gid 
user::perm 
user:uid:perm 
group::perm 
group:gid:perm 
mask:perm 
other:perm 
default:user::perm 
default:user:uid:perm 
default:group::perm 
default:group:gid:perm 
default:mask:perm 
default:other:perm

When multiple files are specified on the command line, a blank line separates the ACLs for each file.

The ACL entries are displayed in the order in which they are evaluated when an access check is performed. The default ACL entries that may exist on a directory have no effect on access checks.

The first three lines display the filename, the file owner, and the file group owner. Notice that when only the -d option is specified and the file has no default ACL, only these three lines are displayed.

The user entry without a user ID indicates the permissions that are granted to the file owner. One or more additional user entries indicate the permissions that are granted to the specified users.

The group entry without a group ID indicates the permissions that are granted to the file group owner. One or more additional group entries indicate the permissions that are granted to the specified groups.

The mask entry indicates the ACL mask permissions. These are the maximum permissions allowed to any user entries except the file owner, and to any group entries, including the file group owner. These permissions restrict the permissions specified in other entries.

The other entry indicates the permissions that are granted to others.

The default entries may exist only for directories. These entries indicate the default entries that are added to a file created within the directory.

The uid is a login name or a user ID if there is no entry for the uid in the system password file, /etc/passwd. The gid is a group name or a group ID if there is no entry for the gid in the system group file, /etc/group. The perm is a three character string composed of the letters representing the separate discretionary access rights: r (read), w (write), x (execute/search), or the place holder character -. The perm is displayed in the following order: rwx. If a permission is not granted by an ACL entry, the place holder character appears.

If you use the chmod(1) command to change the file group owner permissions on a file with ACL entries, both the file group owner permissions and the ACL mask are changed to the new permissions. Be aware that the new ACL mask permissions may change the effective permissions for additional users and groups who have ACL entries on the file.

In order to indicate that the ACL mask restricts an ACL entry, getfacl displays an additional tab character, pound sign (#), and the actual permissions granted, following the entry.

EXAMPLES

Example 1 Displaying file information

Given file foo, with an ACL six entries long, the command

host% getfacl foo

would print:

# file: foo
# owner: shea
# group: staff
user::rwx
user:spy:\|-\|-\|-
user:mookie:r\|-\|-
group::r\|-\|-
mask::rw\|-
other::\|-\|-\|-

Example 2 Displaying information after chmod command

Continue with the above example, after chmod 700 foo was issued:

host% getfacl foo

would print:

# file: foo
# owner: shea
# group: staff
user::rwx
user:spy:\|-\|-\|-
user:mookie:r\|-\|- #effective:\|-\|-\|-
group::\|-\|-\|-
mask::\|-\|-\|-
other::\|-\|-\|-

Example 3 Displaying information when ACL contains default entries

Given directory doo, with an ACL containing default entries, the command

host% getfacl -d doo

would print:

# file: doo
# owner: shea
# group: staff
default:user::rwx
default:user:spy:\|-\|-\|-
default:user:mookie:r\|-\|-
default:group::r\|-\|-
default:mask::\|-\|-\|-
default:other::\|-\|-\|-
FILES
/etc/passwd

system password file

/etc/group

group file

ATTRIBUTES

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE ATTRIBUTE VALUE
Interface Stability Evolving
SEE ALSO

chmod(1), ls(1), setfacl(1), acl(2), aclsort(3SEC), group(4), passwd(4), attributes(5)

NOTES

The output from getfacl is in the correct format for input to the setfacl -f command. If the output from getfacl is redirected to a file, the file may be used as input to setfacl. In this way, a user may easily assign one file's ACL to another file.