facl-gate New usr/src/man/man1/getfacl.1

   1 '\" te
   2 .\" \&.Copyright (c) 2002, Sun Microsystems, Inc.  All Rights Reserved
   3 .\" Copyright (c) 2020 Peter Tribble.
   4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
   5 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
   6 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
   7 .TH GETFACL 1 "Feb 8, 2020"
   8 .SH NAME
   9 getfacl \- display discretionary file information
  10 .SH SYNOPSIS
  11 .nf
  12 \fBgetfacl\fR [\fB-ad\fR] \fIfile\fR...
  13 .fi
  14 
  15 .SH DESCRIPTION
  16 For each argument that is a regular file, special file, or named pipe, the
  17 \fBgetfacl\fR utility displays the owner, the group, and the Access Control
  18 List (\fBACL\fR). For each directory argument, \fBgetfacl\fR displays the
  19 owner, the group, and the \fBACL\fR and/or the default \fBACL\fR. Only
  20 directories contain default \fBACL\fRs.
  21 .sp
  22 .LP
  23 The \fBgetfacl\fR utility will fail if executed on a file system that supports
  24 NFSv4 \fBACL\fRs.  See \fBacl\fR(5) for a description of the difference
  25 between the older POSIX-draft \fBACL\fRs and the newer NFSv4 \fBACL\fRs.  The
  26 \fBls\fR(1) utility, when used with the \fB-v\fR or \fB-V\fR options, will
  27 display \fBACL\fRs on all types of file system.
  28 .sp
  29 .LP
  30 The \fBgetfacl\fR utility may be executed on a file system that does not
  31 support \fBACL\fRs. It reports the \fBACL\fR based on the base permission bits.
  32 .sp
  33 .LP
  34 With no options specified, \fBgetfacl\fR displays the filename, the file owner,
  35 the file group owner, and both the \fBACL\fR and the default \fBACL\fR, if it
  36 exists.
  37 .SH OPTIONS
  38 The following options are supported:
  39 .sp
  40 .ne 2
  41 .na
  42 \fB\fB-a\fR\fR
  43 .ad
  44 .RS 6n
  45 Displays the filename, the file owner, the file group owner, and the \fBACL\fR
  46 of the file.
  47 .RE
  48 
  49 .sp
  50 .ne 2
  51 .na
  52 \fB\fB-d\fR\fR
  53 .ad
  54 .RS 6n
  55 Displays the filename, the file owner, the file group owner, and the default
  56 \fBACL\fR of the file, if it exists.
  57 .RE
  58 
  59 .SH OPERANDS
  60 The following operands are supported:
  61 .sp
  62 .ne 2
  63 .na
  64 \fB\fIfile\fR\fR
  65 .ad
  66 .RS 8n
  67 The path name of a regular file, special file, or named pipe.
  68 .RE
  69 
  70 .SH OUTPUT
  71 The format for \fBACL\fR output is as follows:
  72 .sp
  73 .in +2
  74 .nf
  75 # file: filename
  76 # owner: uid
  77 # group: gid
  78 user::perm
  79 user:uid:perm
  80 group::perm
  81 group:gid:perm
  82 mask:perm
  83 other:perm
  84 default:user::perm
  85 default:user:uid:perm
  86 default:group::perm
  87 default:group:gid:perm
  88 default:mask:perm
  89 default:other:perm
  90 .fi
  91 .in -2
  92 .sp
  93 
  94 .sp
  95 .LP
  96 When multiple files are specified on the command line, a blank line separates
  97 the \fBACL\fRs for each file.
  98 .sp
  99 .LP
 100 The \fBACL\fR entries are displayed in the order in which they are evaluated
 101 when an access check is performed. The default \fBACL\fR entries that may exist
 102 on a directory have no effect on access checks.
 103 .sp
 104 .LP
 105 The first three lines display the filename, the file owner, and the file group
 106 owner. Notice that when only the \fB-d\fR option is specified and the file has
 107 no default \fBACL\fR, only these three lines are displayed.
 108 .sp
 109 .LP
 110 The \fBuser\fR entry without a user \fBID\fR indicates the permissions that
 111 are granted to the file owner. One or more additional user entries indicate the
 112 permissions that are granted to the specified users.
 113 .sp
 114 .LP
 115 The \fBgroup\fR entry without a group \fBID\fR indicates the permissions that
 116 are granted to the file group owner. One or more additional group entries
 117 indicate the permissions that are granted to the specified groups.
 118 .sp
 119 .LP
 120 The \fBmask\fR entry indicates the \fBACL\fR mask permissions. These are the
 121 maximum permissions allowed to any user entries except the file owner, and to
 122 any group entries, including the file group owner. These permissions restrict
 123 the permissions specified in other entries.
 124 .sp
 125 .LP
 126 The \fBother\fR entry indicates the permissions that are granted to others.
 127 .sp
 128 .LP
 129 The \fBdefault\fR entries may exist only for directories. These entries
 130 indicate the default entries that are added to a file created within the
 131 directory.
 132 .sp
 133 .LP
 134 The \fBuid\fR is a login name or a user \fBID\fR if there is no entry for the
 135 \fBuid\fR in the system password file, \fB/etc/passwd\fR. The \fBgid\fR is a
 136 group name or a group \fBID\fR if there is no entry for the \fBgid\fR in the
 137 system group file, \fB/etc/group\fR. The \fBperm\fR is a three character string
 138 composed of the letters representing the separate discretionary access rights:
 139 \fBr\fR (read), \fBw\fR (write), \fBx\fR (execute/search), or the place holder
 140 character \fB\(mi\fR\&. The \fBperm\fR is displayed in the following order:
 141 \fBrwx\fR. If a permission is not granted by an \fBACL\fR entry, the place
 142 holder character appears.
 143 .sp
 144 .LP
 145 If you use the \fBchmod\fR(1) command to change the file group owner
 146 permissions on a file with \fBACL\fR entries, both the file group owner
 147 permissions and the \fBACL\fR mask are changed to the new permissions. Be aware
 148 that the new \fBACL\fR mask permissions may change the effective permissions
 149 for additional users and groups who have \fBACL\fR entries on the file.
 150 .sp
 151 .LP
 152 In order to indicate that the \fBACL\fR mask restricts an \fBACL\fR entry,
 153 \fBgetfacl\fR displays an additional tab character, pound sign (\fB#\fR), and
 154 the actual permissions granted, following the entry.
 155 .SH EXAMPLES
 156 \fBExample 1 \fRDisplaying file information
 157 .sp
 158 .LP
 159 Given file \fBfoo\fR, with an \fBACL\fR six entries long, the command
 160 
 161 .sp
 162 .in +2
 163 .nf
 164 host% \fBgetfacl foo\fR
 165 .fi
 166 .in -2
 167 .sp
 168 
 169 .sp
 170 .LP
 171 would print:
 172 
 173 .sp
 174 .in +2
 175 .nf
 176 # file: foo
 177 # owner: shea
 178 # group: staff
 179 user::rwx
 180 user:spy:\|\(mi\|\(mi\|\(mi
 181 user:mookie:r\|\(mi\|\(mi
 182 group::r\|\(mi\|\(mi
 183 mask::rw\|\(mi
 184 other::\|\(mi\|\(mi\|\(mi
 185 .fi
 186 .in -2
 187 .sp
 188 
 189 .LP
 190 \fBExample 2 \fRDisplaying information after chmod command
 191 .sp
 192 .LP
 193 Continue with the above example, after \fBchmod\fR \fB700 foo\fR was issued:
 194 
 195 .sp
 196 .in +2
 197 .nf
 198 host% \fBgetfacl foo\fR
 199 .fi
 200 .in -2
 201 .sp
 202 
 203 .sp
 204 .LP
 205 would print:
 206 
 207 .sp
 208 .in +2
 209 .nf
 210 # file: foo
 211 # owner: shea
 212 # group: staff
 213 user::rwx
 214 user:spy:\|\(mi\|\(mi\|\(mi
 215 user:mookie:r\|\(mi\|\(mi     #effective:\|\(mi\|\(mi\|\(mi
 216 group::\|\(mi\|\(mi\|\(mi
 217 mask::\|\(mi\|\(mi\|\(mi
 218 other::\|\(mi\|\(mi\|\(mi
 219 .fi
 220 .in -2
 221 .sp
 222 
 223 .LP
 224 \fBExample 3 \fRDisplaying information when ACL contains default entries
 225 .sp
 226 .LP
 227 Given directory \fBdoo\fR, with an \fBACL\fR containing default entries, the
 228 command
 229 
 230 .sp
 231 .in +2
 232 .nf
 233 host% \fBgetfacl -d doo\fR
 234 .fi
 235 .in -2
 236 .sp
 237 
 238 .sp
 239 .LP
 240 would print:
 241 
 242 .sp
 243 .in +2
 244 .nf
 245 # file: doo
 246 # owner: shea
 247 # group: staff
 248 default:user::rwx
 249 default:user:spy:\|\(mi\|\(mi\|\(mi
 250 default:user:mookie:r\|\(mi\|\(mi
 251 default:group::r\|\(mi\|\(mi
 252 default:mask::\|\(mi\|\(mi\|\(mi
 253 default:other::\|\(mi\|\(mi\|\(mi
 254 .fi
 255 .in -2
 256 .sp
 257 
 258 .SH FILES
 259 .ne 2
 260 .na
 261 \fB\fB/etc/passwd\fR\fR
 262 .ad
 263 .RS 15n
 264 system password file
 265 .RE
 266 
 267 .sp
 268 .ne 2
 269 .na
 270 \fB\fB/etc/group\fR\fR
 271 .ad
 272 .RS 15n
 273 group file
 274 .RE
 275 
 276 .SH ATTRIBUTES
 277 See \fBattributes\fR(5) for descriptions of the following attributes:
 278 .sp
 279 
 280 .sp
 281 .TS
 282 box;
 283 c | c
 284 l | l .
 285 ATTRIBUTE TYPE  ATTRIBUTE VALUE
 286 _
 287 Interface Stability     Evolving
 288 .TE
 289 
 290 .SH SEE ALSO
 291 \fBchmod\fR(1), \fBls\fR(1), \fBsetfacl\fR(1), \fBacl\fR(2),
 292 \fBaclsort\fR(3SEC), \fBgroup\fR(4), \fBpasswd\fR(4), \fBacl\fR(5),
 293 \fBattributes\fR(5)
 294 .SH NOTES
 295 The output from \fBgetfacl\fR is in the correct format for input to the
 296 \fBsetfacl\fR \fB-f\fR command. If the output from \fBgetfacl\fR is redirected
 297 to a file, the file may be used as input to \fBsetfacl\fR. In this way, a user
 298 may easily assign one file's \fBACL\fR to another file.