SETFACL(1) User Commands SETFACL(1)
NAME
setfacl - modify the Access Control List (ACL) for a file or files
SYNOPSIS
setfacl [
-r]
-s acl_entries file setfacl [
-r]
-md acl_entries file setfacl [
-r]
-f acl_file fileDESCRIPTION
For each file specified,
setfacl either replaces its entire
ACL,
including the default
ACL on a directory, or it adds, modifies, or
deletes one or more
ACL entries, including default entries on
directories.
The
setfacl utility can only manipulate POSIX-draft
ACLs. See
acl(7) for a description of the difference between the older POSIX-draft
ACLs and the newer NFSv4
ACLs. The
chmod(1) utility can be used to
manipulate
ACLs on all types of file system.
When the
setfacl command is used, it can result in changes to the
file permission bits. When the user
ACL entry for the file owner is
changed, the file owner class permission bits are modified. When the
group
ACL entry for the file group class is changed, the file group
class permission bits are modified. When the other
ACL entry is
changed, the file other class permission bits are modified.
If you use the
chmod(1) command to change the file group owner
permissions on a file with
ACL entries, both the file group owner
permissions and the
ACL mask are changed to the new permissions. Be
aware that the new
ACL mask permissions can change the effective
permissions for additional users and groups who have
ACL entries on
the file.
A directory can contain default
ACL entries. If a file or directory
is created in a directory that contains default
ACL entries, the
newly created file has permissions generated according to the
intersection of the default
ACL entries and the permissions requested
at creation time. The
umask(1) are not applied if the directory
contains default
ACL entries. If a default
ACL is specified for a
specific user (or users), the file has a regular
ACL created.
Otherwise, only the mode bits are initialized according to the
intersection described above. The default
ACL should be thought of as
the maximum discretionary access permissions that can be granted.
Use the
setfacl command to set ACLs on files in a UFS file system,
which supports POSIX-draft ACLS (or
aclent_t style ACLs). Use the
chmod command to set ACLs on files in a ZFS file system, which
supports NFSv4-style ACLS (or
ace_t style ACLs).
acl_entries Syntax
For the
-m and
-s options,
acl_entries are one or more comma-
separated
ACL entries.
An
ACL entry consists of the following fields separated by colons:
entry_type Type of
ACL entry on which to set file permissions. For
example,
entry_type can be
user (the owner of a file)
or
mask (the
ACL mask).
uid or
gid User name or user identification number. Or, group name
or group identification number.
perms Represents the permissions that are set on
entry_type.
perms can be indicated by the symbolic characters
rwx or a number (the same permissions numbers used with the
chmod command).
The following table shows the valid
ACL entries (default entries can
only be specified for directories):
ACL Entry Description
--------------------------------------------------------------------
u[ser]::
perms File owner permissions.
g[roup]::
perms File group owner permissions.
o[ther]:
perms Permissions for users other than the
file owner or members of file group
owner.
m[ask]:
perms The
ACL mask. The mask entry
indicates the maximum permissions
allowed for users (other than the
owner) and for groups. The mask is a
quick way to change permissions on
all the users and groups.
u[ser]:
uid:perms Permissions for a specific user. For
uid, you can specify either a user
name or a numeric UID.
g[roup]:
gid:perms Permissions for a specific group. For
gid, you can specify either a group
name or a numeric GID.
d[efault]:u[ser]::
perms Default file owner permissions.
d[efault]:g[roup]::
perms Default file group owner permissions.
d[efault]:o[ther]:
perms Default permissions for users other
than the file owner or members of the
file group owner.
d[efault]:m[ask]:
perms Default
ACL mask.
d[efault]:u[ser]:
uid:
perms Default permissions for a specific
user. For
uid, you can specify either
a user name or a numeric UID.
d[efault]:g[roup]:
gid:
perms Default permissions for a specific
group. For
gid, you can specify
either a group name or a numeric GID.
For the
-d option,
acl_entries are one or more comma-separated
ACL entries without permissions. Notice that the entries for file owner,
file group owner,
ACL mask, and others can not be deleted.
OPTIONS
The options have the following meaning:
-d acl_entries Deletes one or more entries from the file. The
entries for the file owner, the file group owner,
and others can not be deleted from the
ACL. Notice
that deleting an entry does not necessarily have
the same effect as removing all permissions from
the entry.
-f acl_file Sets a file's
ACL with the
ACL entries contained in
the file named
acl_file. The same constraints on
specified entries hold as with the
-s option. The
entries are not required to be in any specific
order in the file. Also, if you specify a dash (
-)
for
acl_file, standard input is used to set the
file's
ACL.
The character
# in
acl_file can be used to indicate
a comment. All characters, starting with the
# until the end of the line, are ignored. Notice
that if the
acl_file has been created as the output
of the
getfacl(1) command, any effective
permissions, which follow a
#, are ignored.
-m acl_entries Adds one or more new
ACL entries to the file,
and/or modifies one or more existing
ACL entries on
the file. If an entry already exists for a
specified
uid or
gid, the specified permissions
replace the current permissions. If an entry does
not exist for the specified
uid or
gid, an entry is
created. When using the
-m option to modify a
default
ACL, you must specify a complete default
ACL (user, group, other, mask, and any additional
entries) the first time.
-r Recalculates the permissions for the
ACL mask
entry. The permissions specified in the
ACL mask
entry are ignored and replaced by the maximum
permissions necessary to grant the access to all
additional user, file group owner, and additional
group entries in the
ACL. The permissions in the
additional user, file group owner, and additional
group entries are left unchanged.
-s acl_entries Sets a file's
ACL. All old
ACL entries are removed
and replaced with the newly specified
ACL. The
entries need not be in any specific order. They are
sorted by the command before being applied to the
file.
Required entries:
o Exactly one
user entry specified for the
file owner.
o Exactly one
group entry for the file
group owner.
o Exactly one
other entry specified.
If there are additional user and group entries:
o Exactly one
mask entry specified for the
ACL mask that indicates the maximum
permissions allowed for users (other
than the owner) and groups.
o Must not be duplicate
user entries with
the same
uid.
o Must not be duplicate
group entries with
the same
gid.
If
file is a directory, the following default
ACL entries can be specified:
o Exactly one
default user entry for the
file owner.
o Exactly one
default group entry for the
file group owner.
o Exactly one
default mask entry for the
ACL mask.
o Exactly one
default other entry.
There can be additional
default user entries and
additional
default group entries specified, but
there can not be duplicate additional
default user entries with the same
uid, or duplicate
default group entries with the same
gid.
EXAMPLES
Example 1: Adding read permission only
The following example adds one
ACL entry to file
abc, which gives
user
shea read permission only.
setfacl -m user:shea:r-- abc Example 2: Replacing a file's entire ACL
The following example replaces the entire
ACL for the file
abc, which
gives
shea read access, the file owner all access, the file group
owner read access only, the
ACL mask read access only, and others no
access.
setfacl -s user:shea:rwx,user::rwx,group::rw-,mask:r--,other:--- abc Notice that after this command, the file permission bits are
rwxr-----. Even though the file group owner was set with read/write
permissions, the
ACL mask entry limits it to have only read
permission. The mask entry also specifies the maximum permissions
available to all additional user and group
ACL entries. Once again,
even though the user
shea was set with all access, the mask limits it
to have only read permission. The
ACL mask entry is a quick way to
limit or open access to all the user and group entries in an
ACL. For
example, by changing the mask entry to read/write, both the file
group owner and user
shea would be given read/write access.
Example 3: Setting the same ACL on two files
The following example sets the same
ACL on file
abc as the file
xyz.
getfacl xyz | setfacl -f - abcFILES
/etc/passwd password file
/etc/group group file
SEE ALSO
chmod(1),
getfacl(1),
umask(1),
aclcheck(3SEC),
aclsort(3SEC),
group(5),
passwd(5),
acl(7),
attributes(7) February 8, 2020 SETFACL(1)
