GETFACL(1)                       User Commands                      GETFACL(1)

NAME
       getfacl - display discretionary file information

SYNOPSIS
       getfacl [-ad] file...

DESCRIPTION
       For each argument that is a regular file, special file, or named pipe,
       the getfacl utility displays the owner, the group, and the Access
       Control List (ACL). For each directory argument, getfacl displays the
       owner, the group, and the ACL and/or the default ACL. Only directories
       contain default ACLs.

       The getfacl utility will fail if executed on a file system that
       supports NFSv4 ACLs. See acl(5) for a description of the difference
       between the older POSIX-draft ACLs and the newer NFSv4 ACLs. The ls(1)
       utility, when used with the -v or -V options, will display ACLs on all
       types of file system.

       The getfacl utility may be executed on a file system that does not
       support ACLs. It reports the ACL based on the base permission bits.

       With no options specified, getfacl displays the filename, the file
       owner, the file group owner, and both the ACL and the default ACL, if
       it exists.

OPTIONS
       The following options are supported:

       -a
           Displays the filename, the file owner, the file group owner, and
           the ACL of the file.

       -d
           Displays the filename, the file owner, the file group owner, and
           the default ACL of the file, if it exists.

OPERANDS
       The following operands are supported:

       file
           The path name of a regular file, special file, or named pipe.

OUTPUT
       The format for ACL output is as follows:

         # file: filename
         # owner: uid
         # group: gid
         user::perm
         user:uid:perm
         group::perm
         group:gid:perm
         mask:perm
         other:perm
         default:user::perm
         default:user:uid:perm
         default:group::perm
         default:group:gid:perm
         default:mask:perm
         default:other:perm

       When multiple files are specified on the command line, a blank line
       separates the ACLs for each file.

       The ACL entries are displayed in the order in which they are evaluated
       when an access check is performed. The default ACL entries that may
       exist on a directory have no effect on access checks.

       The first three lines display the filename, the file owner, and the
       file group owner. Notice that when only the -d option is specified and
       the file has no default ACL, only these three lines are displayed.

       The user entry without a user ID indicates the permissions that are
       granted to the file owner. One or more additional user entries indicate
       the permissions that are granted to the specified users.

       The group entry without a group ID indicates the permissions that are
       granted to the file group owner. One or more additional group entries
       indicate the permissions that are granted to the specified groups.

       The mask entry indicates the ACL mask permissions. These are the
       maximum permissions allowed to any user entries except the file owner,
       and to any group entries, including the file group owner. These
       permissions restrict the permissions specified in other entries.

       The other entry indicates the permissions that are granted to others.

       The default entries may exist only for directories. These entries
       indicate the default entries that are added to a file created within
       the directory.

       The uid is a login name or a user ID if there is no entry for the uid
       in the system password file, /etc/passwd. The gid is a group name or a
       group ID if there is no entry for the gid in the system group file,
       /etc/group. The perm is a three character string composed of the
       letters representing the separate discretionary access rights: r
       (read), w (write), x (execute/search), or the place holder character -.
       The perm is displayed in the following order: rwx. If a permission is
       not granted by an ACL entry, the place holder character appears.
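
Added example, not part of the original manual page or of getfacl itself: a Python parser for the output format above that applies the mask rule just described (named users and all group entries are limited by the mask; the file owner and other are not) and reports each entry's effective permissions. The function names are hypothetical and SAMPLE is constructed input.

```python
# Added example (hypothetical helper names); SAMPLE is constructed input.
SAMPLE = """\
# file: foo
# owner: shea
# group: staff
user::rwx
user:spy:---
user:mookie:rw-
group::r-x
mask:r--
other:---
"""

def parse_getfacl(text):
    """Return (header, entries) for one file; entries are (tag, id, perm)."""
    header, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):                 # "# file:", "# owner:", "# group:"
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        line = line.split("#", 1)[0].strip()     # drop a trailing "#..." comment
        if not line or line.startswith("default:"):
            continue                             # defaults do not affect access checks
        fields = line.split(":")
        tag, perm = fields[0], fields[-1]
        if tag not in ("user", "group", "mask", "other") or len(perm) != 3:
            raise ValueError(f"unrecognized ACL entry: {raw!r}")
        entries.append((tag, fields[1] if len(fields) == 3 else "", perm))
    return header, entries

def effective(entries):
    """Return (name, granted, effective) per entry, with the mask applied."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    result = []
    for tag, ident, perm in entries:
        if tag == "mask":
            continue
        # The mask limits named users and all group entries, not owner or other.
        limited = mask is not None and (tag == "group" or (tag == "user" and ident != ""))
        eff = "".join(c if not limited or c == m else "-"
                      for c, m in zip(perm, mask or perm))
        result.append((f"{tag}:{ident}", perm, eff))
    return result

def restricted(text):
    """Entries whose granted permissions are narrowed by the mask."""
    return [e for e in effective(parse_getfacl(text)[1]) if e[1] != e[2]]
```

Calling restricted() on saved getfacl output lists the entries whose granted rights differ from what an access check will actually allow, which is the set to review after a chmod on a file that carries ACL entries.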

       If you use the chmod(1) command to change the file group owner
       permissions on a file with ACL entries, both the file group owner
       permissions and the ACL mask are changed to the new permissions. Be
       aware that the new ACL mask permissions may change the effective
       permissions for additional users and groups who have ACL entries on the
       file.

       In order to indicate that the ACL mask restricts an ACL entry, getfacl
       displays an additional tab character, pound sign (#), and the actual
       permissions granted, following the entry.

EXAMPLES
       Example 1 Displaying file information

       Given file foo, with an ACL six entries long, the command

         host% getfacl foo

       would print:

         # file: foo
         # owner: shea
         # group: staff
         user::rwx
         user:spy:---
         user:mookie:r--
         group::r--
         mask::rw-
         other::---

       Example 2 Displaying information after chmod command

       Continue with the above example, after chmod 700 foo was issued:

         host% getfacl foo

       would print:

         # file: foo
         # owner: shea
         # group: staff
         user::rwx
         user:spy:---
         user:mookie:r--     #effective:---
         group::---
         mask::---
         other::---

       Example 3 Displaying information when ACL contains default entries

       Given directory doo, with an ACL containing default entries, the
       command

         host% getfacl -d doo

       would print:

         # file: doo
         # owner: shea
         # group: staff
         default:user::rwx
         default:user:spy:---
         default:user:mookie:r--
         default:group::r--
         default:mask::---
         default:other::---

FILES
       /etc/passwd
           system password file

       /etc/group
           group file

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       +--------------------+-----------------+
       |   ATTRIBUTE TYPE   | ATTRIBUTE VALUE |
       +--------------------+-----------------+
       |Interface Stability | Evolving        |
       +--------------------+-----------------+

SEE ALSO
       chmod(1), ls(1), setfacl(1), acl(2), aclsort(3SEC), group(4),
       passwd(4), acl(5), attributes(5)

NOTES
       The output from getfacl is in the correct format for input to the
       setfacl -f command. If the output from getfacl is redirected to a file,
       the file may be used as input to setfacl. In this way, a user may
       easily assign one file's ACL to another file.

February 8, 2020                                                    GETFACL(1)