12288 getfacl and setfacl could stand improvement
SETFACL(1)                       User Commands                       SETFACL(1)

NAME
       setfacl - modify the Access Control List (ACL) for a file or files

SYNOPSIS
       setfacl [-r] -s acl_entries file

       setfacl [-r] -md acl_entries file

       setfacl [-r] -f acl_file file

DESCRIPTION
       For each file specified, setfacl either replaces its entire ACL,
       including the default ACL on a directory, or it adds, modifies, or
       deletes one or more ACL entries, including default entries on
       directories.

       When the setfacl command is used, it can result in changes to the file
       permission bits. When the user ACL entry for the file owner is changed,
       the file owner class permission bits are modified. When the group ACL
       entry for the file group class is changed, the file group class
       permission bits are modified. When the other ACL entry is changed, the
       file other class permission bits are modified.

       If you use the chmod(1) command to change the file group owner
       permissions on a file with ACL entries, both the file group owner
       permissions and the ACL mask are changed to the new permissions. Be
       aware that the new ACL mask permissions can change the effective
       permissions for additional users and groups who have ACL entries on the
       file.

       A directory can contain default ACL entries. If a file or directory is
       created in a directory that contains default ACL entries, the newly
       created file has permissions generated according to the intersection of
       the default ACL entries and the permissions requested at creation time.
       The umask(1) is not applied if the directory contains default ACL
       entries. If a default ACL is specified for a specific user (or users),
       the file has a regular ACL created. Otherwise, only the mode bits are
       initialized according to the intersection described above. The default
       ACL should be thought of as the maximum discretionary access
       permissions that can be granted.
       Use the setfacl command to set ACLs on files in a UFS file system,
       which supports POSIX-draft ACLs (or aclent_t style ACLs). Use the chmod
       command to set ACLs on files in a ZFS file system, which supports
       NFSv4-style ACLs (or ace_t style ACLs).

   acl_entries Syntax
       For the -m and -s options, acl_entries are one or more comma-separated
       ACL entries.

       An ACL entry consists of the following fields separated by colons:

       entry_type
               Type of ACL entry on which to set file permissions. For
               example, entry_type can be user (the owner of a file) or
               mask (the ACL mask).

       uid or gid
               User name or user identification number. Or, group name
               or group identification number.

       perms
               Represents the permissions that are set on entry_type.
               perms can be indicated by the symbolic characters rwx or
               a number (the same permissions numbers used with the
               chmod command).

       The following table shows the valid ACL entries (default entries can
       only be specified for directories):

       ACL Entry                    Description
       --------------------------------------------------------------------
       u[ser]::perms                File owner permissions.
       g[roup]::perms               File group owner permissions.
       o[ther]:perms                Permissions for users other than the
                                    file owner or members of file group
                                    owner.
       m[ask]:perms                 The ACL mask. The mask entry
                                    indicates the maximum permissions
                                    allowed for users (other than the
                                    owner) and for groups. The mask is a
                                    quick way to change permissions on
                                    all the users and groups.
       u[ser]:uid:perms             Permissions for a specific user. For
                                    uid, you can specify either a user
                                    name or a numeric UID.
       g[roup]:gid:perms            Permissions for a specific group. For
                                    gid, you can specify either a group
                                    name or a numeric GID.
       d[efault]:u[ser]::perms      Default file owner permissions.
       d[efault]:g[roup]::perms     Default file group owner permissions.
       d[efault]:o[ther]:perms      Default permissions for users other
                                    than the file owner or members of the
                                    file group owner.
       d[efault]:m[ask]:perms       Default ACL mask.
       d[efault]:u[ser]:uid:perms   Default permissions for a specific
                                    user. For uid, you can specify either
                                    a user name or a numeric UID.
       d[efault]:g[roup]:gid:perms  Default permissions for a specific
                                    group. For gid, you can specify
                                    either a group name or a numeric GID.

       For the -d option, acl_entries are one or more comma-separated ACL
       entries without permissions. Notice that the entries for file owner,
       file group owner, ACL mask, and others cannot be deleted.

OPTIONS
       The options have the following meaning:

       -d acl_entries
               Deletes one or more entries from the file. The
               entries for the file owner, the file group owner, and
               others cannot be deleted from the ACL. Notice that
               deleting an entry does not necessarily have the same
               effect as removing all permissions from the entry.

       -f acl_file
               Sets a file's ACL with the ACL entries contained in
               the file named acl_file. The same constraints on
               specified entries hold as with the -s option. The
               entries are not required to be in any specific order
               in the file. Also, if you specify a dash (-) for
               acl_file, standard input is used to set the file's
               ACL.

               The character # in acl_file can be used to indicate a
               comment. All characters, starting with the # until
               the end of the line, are ignored. Notice that if the
               acl_file has been created as the output of the
               getfacl(1) command, any effective permissions, which
               follow a #, are ignored.

       -m acl_entries
               Adds one or more new ACL entries to the file, and/or
               modifies one or more existing ACL entries on the
               file. If an entry already exists for a specified uid
               or gid, the specified permissions replace the current
               permissions. If an entry does not exist for the
               specified uid or gid, an entry is created. When using
               the -m option to modify a default ACL, you must
               specify a complete default ACL (user, group, other,
               mask, and any additional entries) the first time.

       -r
               Recalculates the permissions for the ACL mask entry.
               The permissions specified in the ACL mask entry are
               ignored and replaced by the maximum permissions
               necessary to grant the access to all additional user,
               file group owner, and additional group entries in the
               ACL. The permissions in the additional user, file
               group owner, and additional group entries are left
               unchanged.

       -s acl_entries
               Sets a file's ACL. All old ACL entries are removed
               and replaced with the newly specified ACL. The
               entries need not be in any specific order. They are
               sorted by the command before being applied to the
               file.

               Required entries:

               o   Exactly one user entry specified for the
                   file owner.

               o   Exactly one group entry for the file group
                   owner.

               o   Exactly one other entry specified.

               If there are additional user and group entries:

               o   Exactly one mask entry specified for the
                   ACL mask that indicates the maximum
                   permissions allowed for users (other than
                   the owner) and groups.

               o   Must not be duplicate user entries with
                   the same uid.

               o   Must not be duplicate group entries with
                   the same gid.

               If file is a directory, the following default ACL
               entries can be specified:

               o   Exactly one default user entry for the
                   file owner.

               o   Exactly one default group entry for the
                   file group owner.

               o   Exactly one default mask entry for the ACL
                   mask.

               o   Exactly one default other entry.
               There can be additional default user entries and
               additional default group entries specified, but there
               cannot be duplicate additional default user entries
               with the same uid, or duplicate default group entries
               with the same gid.

EXAMPLES
       Example 1 Adding read permission only

       The following example adds one ACL entry to file abc, which gives user
       shea read permission only.

         setfacl -m user:shea:r-- abc

       Example 2 Replacing a file's entire ACL

       The following example replaces the entire ACL for the file abc, which
       gives shea read access, the file owner all access, the file group owner
       read access only, the ACL mask read access only, and others no access.

         setfacl -s user:shea:rwx,user::rwx,group::rw-,mask:r--,other:--- abc

       Notice that after this command, the file permission bits are rwxr-----.
       Even though the file group owner was set with read/write permissions,
       the ACL mask entry limits it to have only read permission. The mask
       entry also specifies the maximum permissions available to all
       additional user and group ACL entries. Once again, even though the user
       shea was set with all access, the mask limits it to have only read
       permission. The ACL mask entry is a quick way to limit or open access
       to all the user and group entries in an ACL. For example, by changing
       the mask entry to read/write, both the file group owner and user shea
       would be given read/write access.

       Example 3 Setting the same ACL on two files

       The following example sets the same ACL on file abc as the file xyz.

         getfacl xyz | setfacl -f - abc

FILES
       /etc/passwd
               password file

       /etc/group
               group file

SEE ALSO
       chmod(1), getfacl(1), umask(1), aclcheck(3SEC), aclsort(3SEC),
       group(4), passwd(4), attributes(5)

                               December 19, 2006                    SETFACL(1)
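The following is an added illustration, not code from this manual page or from illumos: a small model of the acl_entries syntax described above and of the mask semantics walked through in Example 2 (the mask limits additional users, the file group owner and additional groups, but never the owner or other entries), together with the -r recalculation. The function names (parse_acl, effective_perms, recalc_mask, mode_string) are assumptions; input is treated as one line of entries, and a "#" starts a comment as for -f acl_file.

```python
import re

PERM_BITS = {"r": 4, "w": 2, "x": 1}
# entry_type spellings the page accepts: u[ser], g[roup], o[ther], m[ask]
TYPES = {"u": "user", "user": "user", "g": "group", "group": "group",
         "o": "other", "other": "other", "m": "mask", "mask": "mask"}

def parse_perms(text):
    """perms: symbolic 'rwx'/'r--' or the numeric form used with chmod (0-7)."""
    text = text.strip()
    if re.fullmatch(r"[0-7]", text):
        return int(text)
    if not re.fullmatch(r"[r-][w-][x-]", text):
        raise ValueError(f"bad perms: {text!r}")
    return sum(PERM_BITS[c] for c in text if c != "-")

def parse_acl(acl_entries):
    """Comma-separated entries -> list of (is_default, type, name, perms)."""
    entries = []
    for raw in acl_entries.split(","):
        raw = raw.split("#", 1)[0].strip()   # '#' to end of line is a comment
        if not raw:
            continue
        fields = raw.split(":")
        is_default = fields[0].lower() in ("d", "default")
        if is_default:
            fields = fields[1:]
        etype = TYPES[fields[0].lower()]
        if etype in ("user", "group"):       # u::perms (owner) or u:uid:perms
            name, perms = fields[1] or None, fields[2]
        else:                                # o:perms or m:perms
            name, perms = None, fields[1]
        entries.append((is_default, etype, name, parse_perms(perms)))
    return entries

def is_masked(entry):
    """Mask governs additional users, the file group owner, additional groups."""
    _, etype, name, _ = entry
    return etype == "group" or (etype == "user" and name is not None)

def effective_perms(entries, default=False):
    """{label: effective perms} for the regular (or the default) ACL."""
    subset = [e for e in entries if e[0] == default]
    mask = next((e[3] for e in subset if e[1] == "mask"), 7)   # no mask: no limit
    return {(e[1] if e[2] is None else f"{e[1]}:{e[2]}"):
            (e[3] & mask if is_masked(e) else e[3]) for e in subset}

def recalc_mask(entries, default=False):
    """setfacl -r: the mask becomes the union of every entry it governs."""
    mask = 0
    for e in entries:
        if e[0] == default and is_masked(e):
            mask |= e[3]
    return mask

def mode_string(entries):
    """Owner bits, group-class bits (the mask when one exists), other bits."""
    eff = effective_perms(entries)
    group_class = next((e[3] for e in entries if e[1] == "mask" and not e[0]),
                       eff["group"])
    sym = lambda b: "".join(c if b & v else "-" for c, v in PERM_BITS.items())
    return sym(eff["user"]) + sym(group_class) + sym(eff["other"])
```

Running Example 2's entry string through mode_string yields rwxr-----, and raising the mask to rw- gives both shea and the file group owner read/write, as the text explains.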