SETFACL(1)                       User Commands                      SETFACL(1)

NAME
       setfacl - modify the Access Control List (ACL) for a file or files

SYNOPSIS
       setfacl [-r] -s acl_entries file

       setfacl [-r] -md acl_entries file

       setfacl [-r] -f acl_file file

DESCRIPTION
       For each file specified, setfacl either replaces its entire ACL,
       including the default ACL on a directory, or it adds, modifies, or
       deletes one or more ACL entries, including default entries on
       directories.

       The setfacl utility can only manipulate POSIX-draft ACLs. See acl(5)
       for a description of the difference between the older POSIX-draft ACLs
       and the newer NFSv4 ACLs. The chmod(1) utility can be used to
       manipulate ACLs on all types of file system.

       When the setfacl command is used, it can result in changes to the file
       permission bits. When the user ACL entry for the file owner is changed,
       the file owner class permission bits are modified. When the group ACL
       entry for the file group class is changed, the file group class
       permission bits are modified. When the other ACL entry is changed, the
       file other class permission bits are modified.

       If you use the chmod(1) command to change the file group owner
       permissions on a file with ACL entries, both the file group owner
       permissions and the ACL mask are changed to the new permissions. Be
       aware that the new ACL mask permissions can change the effective
       permissions for additional users and groups who have ACL entries on the
       file.

       A directory can contain default ACL entries. If a file or directory is
       created in a directory that contains default ACL entries, the newly
       created file has permissions generated according to the intersection of
       the default ACL entries and the permissions requested at creation time.
       The umask(1) is not applied if the directory contains default ACL
       entries.
       If a default ACL is specified for a specific user (or users), the file
       has a regular ACL created. Otherwise, only the mode bits are
       initialized according to the intersection described above. The default
       ACL should be thought of as the maximum discretionary access
       permissions that can be granted.

       Use the setfacl command to set ACLs on files in a UFS file system,
       which supports POSIX-draft ACLs (or aclent_t style ACLs). Use the chmod
       command to set ACLs on files in a ZFS file system, which supports
       NFSv4-style ACLs (or ace_t style ACLs).

   acl_entries Syntax
       For the -m and -s options, acl_entries are one or more comma-separated
       ACL entries.

       An ACL entry consists of the following fields separated by colons:

       entry_type
               Type of ACL entry on which to set file permissions. For
               example, entry_type can be user (the owner of a file) or
               mask (the ACL mask).

       uid or gid
               User name or user identification number. Or, group name
               or group identification number.

       perms
               Represents the permissions that are set on entry_type.
               perms can be indicated by the symbolic characters rwx or
               a number (the same permissions numbers used with the
               chmod command).

       The following table shows the valid ACL entries (default entries can
       only be specified for directories):

       ACL Entry                     Description
       --------------------------------------------------------------------
       u[ser]::perms                 File owner permissions.
       g[roup]::perms                File group owner permissions.
       o[ther]:perms                 Permissions for users other than the
                                     file owner or members of the file
                                     group owner.
       m[ask]:perms                  The ACL mask. The mask entry indicates
                                     the maximum permissions allowed for
                                     users (other than the owner) and for
                                     groups. The mask is a quick way to
                                     change permissions on all the users
                                     and groups.
       u[ser]:uid:perms              Permissions for a specific user. For
                                     uid, you can specify either a user
                                     name or a numeric UID.
       g[roup]:gid:perms             Permissions for a specific group. For
                                     gid, you can specify either a group
                                     name or a numeric GID.
       d[efault]:u[ser]::perms       Default file owner permissions.
       d[efault]:g[roup]::perms      Default file group owner permissions.
       d[efault]:o[ther]:perms       Default permissions for users other
                                     than the file owner or members of the
                                     file group owner.
       d[efault]:m[ask]:perms        Default ACL mask.
       d[efault]:u[ser]:uid:perms    Default permissions for a specific
                                     user. For uid, you can specify either
                                     a user name or a numeric UID.
       d[efault]:g[roup]:gid:perms   Default permissions for a specific
                                     group. For gid, you can specify
                                     either a group name or a numeric GID.

       For the -d option, acl_entries are one or more comma-separated ACL
       entries without permissions. Notice that the entries for file owner,
       file group owner, ACL mask, and others can not be deleted.

OPTIONS
       The options have the following meaning:

       -d acl_entries
               Deletes one or more entries from the file. The entries for
               the file owner, the file group owner, and others can not be
               deleted from the ACL. Notice that deleting an entry does not
               necessarily have the same effect as removing all permissions
               from the entry.

       -f acl_file
               Sets a file's ACL with the ACL entries contained in the file
               named acl_file. The same constraints on specified entries
               hold as with the -s option. The entries are not required to
               be in any specific order in the file. Also, if you specify a
               dash (-) for acl_file, standard input is used to set the
               file's ACL.

               The character # in acl_file can be used to indicate a
               comment. All characters, starting with the # until the end
               of the line, are ignored.
               Notice that if the acl_file has been created as the output
               of the getfacl(1) command, any effective permissions, which
               follow a #, are ignored.

       -m acl_entries
               Adds one or more new ACL entries to the file, and/or
               modifies one or more existing ACL entries on the file. If an
               entry already exists for a specified uid or gid, the
               specified permissions replace the current permissions. If an
               entry does not exist for the specified uid or gid, an entry
               is created. When using the -m option to modify a default
               ACL, you must specify a complete default ACL (user, group,
               other, mask, and any additional entries) the first time.

       -r
               Recalculates the permissions for the ACL mask entry. The
               permissions specified in the ACL mask entry are ignored and
               replaced by the maximum permissions necessary to grant
               access to all additional user, file group owner, and
               additional group entries in the ACL. The permissions in the
               additional user, file group owner, and additional group
               entries are left unchanged.

       -s acl_entries
               Sets a file's ACL. All old ACL entries are removed and
               replaced with the newly specified ACL. The entries need not
               be in any specific order. They are sorted by the command
               before being applied to the file.

               Required entries:

               o   Exactly one user entry specified for the file owner.

               o   Exactly one group entry for the file group owner.

               o   Exactly one other entry specified.

               If there are additional user and group entries:

               o   Exactly one mask entry specified for the ACL mask that
                   indicates the maximum permissions allowed for users
                   (other than the owner) and groups.

               o   There must not be duplicate user entries with the same
                   uid.

               o   There must not be duplicate group entries with the same
                   gid.
               If file is a directory, the following default ACL entries
               can be specified:

               o   Exactly one default user entry for the file owner.

               o   Exactly one default group entry for the file group
                   owner.

               o   Exactly one default mask entry for the ACL mask.

               o   Exactly one default other entry.

               There can be additional default user entries and additional
               default group entries specified, but there can not be
               duplicate additional default user entries with the same uid,
               or duplicate default group entries with the same gid.

EXAMPLES
       Example 1 Adding read permission only

       The following example adds one ACL entry to file abc, which gives user
       shea read permission only.

         setfacl -m user:shea:r-- abc

       Example 2 Replacing a file's entire ACL

       The following example replaces the entire ACL for the file abc, which
       gives shea read access, the file owner all access, the file group owner
       read access only, the ACL mask read access only, and others no access.

         setfacl -s user:shea:rwx,user::rwx,group::rw-,mask:r--,other:--- abc

       Notice that after this command, the file permission bits are rwxr-----.
       Even though the file group owner was set with read/write permissions,
       the ACL mask entry limits it to have only read permission. The mask
       entry also specifies the maximum permissions available to all
       additional user and group ACL entries. Once again, even though the user
       shea was set with all access, the mask limits it to have only read
       permission. The ACL mask entry is a quick way to limit or open access
       to all the user and group entries in an ACL. For example, by changing
       the mask entry to read/write, both the file group owner and user shea
       would be given read/write access.
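       Added here as an illustration, and not part of this manual or of the
       setfacl implementation: a small Python model of the acl_entries grammar
       from the table above, the required-entry rules of -s, and the mask
       arithmetic that Example 2 walks through. It assumes perms are plain rwx
       bit triplets and skips the name-to-ID lookup in /etc/passwd and
       /etc/group, so uid and gid are kept as the strings given.

```python
PERM_BITS = {"r": 4, "w": 2, "x": 1}
# Both the long and the one-letter spelling of each entry type are valid: u[ser], g[roup], ...
TYPES = {k: v for v in ("user", "group", "other", "mask", "default") for k in (v, v[0])}

def parse_perms(text):
    """perms field: rwx-style symbols (dashes allowed) or a chmod-style octal digit such as 6."""
    if not text or set(text) - set("rwx-"):
        return int(text)                                 # raises ValueError if not a digit string
    return sum(PERM_BITS[c] for c in text if c != "-")

def parse_entries(acl_entries):
    """Parse 'type:[id:]perms,...' (the -m/-s form) into [(is_default, type, id_or_None, bits)]."""
    out = []
    for item in acl_entries.split(","):
        f = item.split(":")
        is_default = TYPES.get(f[0]) == "default"
        f = f[1:] if is_default else f                   # strip the d[efault] prefix
        etype = TYPES.get(f[0]) if f else None
        want = 3 if etype in ("user", "group") else 2    # user/group entries carry a uid/gid field
        if etype in (None, "default") or len(f) != want:
            raise ValueError(f"bad ACL entry {item!r}")
        ident = (f[1] or None) if want == 3 else None    # empty id = file owner / file group owner
        out.append((is_default, etype, ident, parse_perms(f[-1])))
    return out

def check_set(entries):
    """Enforce the required-entry rules listed under the -s option; raise on any violation."""
    for is_default in (False, True):
        kinds = [(t, i) for d, t, i, _ in entries if d == is_default]
        if not kinds:
            continue                                     # the default section is optional
        if len(kinds) != len(set(kinds)):
            raise ValueError("duplicate ACL entry")
        for req in ("user", "group", "other"):
            if kinds.count((req, None)) != 1:
                raise ValueError(f"exactly one {req} entry required")
        if (is_default or any(i for _, i in kinds)) and ("mask", None) not in kinds:
            raise ValueError("mask entry required")

def effective(entries):
    """Effective perms of the non-default entries: the mask caps the group owner and every uid/gid entry."""
    sec = [(t, i, p) for d, t, i, p in entries if not d]
    mask = next((p for t, _, p in sec if t == "mask"), 7)
    return {(t, i): (p & mask) if t == "group" or (t == "user" and i) else p for t, i, p in sec}

def mode_bits(entries):
    """Permission bits the file ends up with: owner, group class (the mask when present), other."""
    sec = {(t, i): p for d, t, i, p in entries if not d}
    classes = (sec[("user", None)], sec.get(("mask", None), sec[("group", None)]), sec[("other", None)])
    return "".join(c if bits & v else "-" for bits in classes for c, v in PERM_BITS.items())
```

       Feeding the Example 2 entry list through check_set, effective and
       mode_bits reproduces the rwxr----- result and shows shea capped to read.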
       Example 3 Setting the same ACL on two files

       The following example sets the same ACL on file abc as the file xyz.

         getfacl xyz | setfacl -f - abc

FILES
       /etc/passwd
               password file

       /etc/group
               group file

SEE ALSO
       chmod(1), getfacl(1), umask(1), aclcheck(3SEC), aclsort(3SEC),
       group(4), passwd(4), acl(5), attributes(5)

                               February 8, 2020                     SETFACL(1)