12288 getfacl and setfacl could stand improvement

SETFACL(1)                       User Commands                      SETFACL(1)



NAME
       setfacl - modify the Access Control List (ACL) for a file or files

SYNOPSIS
       setfacl [-r] -s acl_entries file

       setfacl [-r] -md acl_entries file

       setfacl [-r] -f acl_file file

DESCRIPTION
       For each file specified, setfacl either replaces its entire ACL,
       including the default ACL on a directory, or it adds, modifies, or
       deletes one or more ACL entries, including default entries on
       directories.

       When the setfacl command is used, it can result in changes to the file
       permission bits. When the user ACL entry for the file owner is changed,
       the file owner class permission bits are modified. When the group ACL
       entry for the file group class is changed, the file group class
       permission bits are modified. When the other ACL entry is changed, the
       file other class permission bits are modified.

       If you use the chmod(1) command to change the file group owner
       permissions on a file with ACL entries, both the file group owner
       permissions and the ACL mask are changed to the new permissions. Be
       aware that the new ACL mask permissions can change the effective
       permissions for additional users and groups who have ACL entries on the
       file.

       A directory can contain default ACL entries. If a file or directory is
       created in a directory that contains default ACL entries, the newly
       created file has permissions generated according to the intersection of
       the default ACL entries and the permissions requested at creation time.
       The umask(1) is not applied if the directory contains default ACL
       entries. If a default ACL is specified for a specific user (or users),
       the file has a regular ACL created. Otherwise, only the mode bits are
       initialized according to the intersection described above. The default
       ACL should be thought of as the maximum discretionary access
       permissions that can be granted.

       Use the setfacl command to set ACLs on files in a UFS file system,
       which supports POSIX-draft ACLs (or aclent_t style ACLs). Use the chmod
       command to set ACLs on files in a ZFS file system, which supports
       NFSv4-style ACLs (or ace_t style ACLs).

   acl_entries Syntax
       For the -m and -s options, acl_entries are one or more comma-separated
       ACL entries.

       An ACL entry consists of the following fields separated by colons:

       entry_type
                     Type of ACL entry on which to set file permissions. For
                     example, entry_type can be user (the owner of a file) or
                     mask (the ACL mask).

       uid or gid
                     User name or user identification number. Or, group name
                     or group identification number.

       perms
                     Represents the permissions that are set on entry_type.
                     perms can be indicated by the symbolic characters rwx or
                     a number (the same permissions numbers used with the
                     chmod command).

       The following table shows the valid ACL entries (default entries can
       only be specified for directories):

                ACL Entry                         Description
       --------------------------------------------------------------------
       u[ser]::perms                 File owner permissions.
       g[roup]::perms                File group owner permissions.
       o[ther]:perms                 Permissions for users other than the
                                     file owner or members of file group
                                     owner.
       m[ask]:perms                  The ACL mask. The mask entry
                                     indicates the maximum permissions
                                     allowed for users (other than the
                                     owner) and for groups. The mask is a
                                     quick way to change permissions on
                                     all the users and groups.
       u[ser]:uid:perms              Permissions for a specific user. For
                                     uid, you can specify either a user
                                     name or a numeric UID.
       g[roup]:gid:perms             Permissions for a specific group. For
                                     gid, you can specify either a group
                                     name or a numeric GID.
       d[efault]:u[ser]::perms       Default file owner permissions.
       d[efault]:g[roup]::perms      Default file group owner permissions.
       d[efault]:o[ther]:perms       Default permissions for users other
                                     than the file owner or members of the
                                     file group owner.
       d[efault]:m[ask]:perms        Default ACL mask.
       d[efault]:u[ser]:uid:perms    Default permissions for a specific
                                     user. For uid, you can specify either
                                     a user name or a numeric UID.
       d[efault]:g[roup]:gid:perms   Default permissions for a specific
                                     group. For gid, you can specify
                                     either a group name or a numeric GID.

       For the -d option, acl_entries are one or more comma-separated ACL
       entries without permissions. Notice that the entries for file owner,
       file group owner, ACL mask, and others cannot be deleted.

OPTIONS
       The options have the following meaning:

       -d acl_entries
                         Deletes one or more entries from the file. The
                         entries for the file owner, the file group owner, and
                         others cannot be deleted from the ACL. Notice that
                         deleting an entry does not necessarily have the same
                         effect as removing all permissions from the entry.

       -f acl_file
                         Sets a file's ACL with the ACL entries contained in
                         the file named acl_file. The same constraints on
                         specified entries hold as with the -s option. The
                         entries are not required to be in any specific order
                         in the file. Also, if you specify a dash (-) for
                         acl_file, standard input is used to set the file's
                         ACL.

                         The character # in acl_file can be used to indicate a
                         comment. All characters, starting with the # until
                         the end of the line, are ignored. Notice that if the
                         acl_file has been created as the output of the
                         getfacl(1) command, any effective permissions, which
                         follow a #, are ignored.

       -m acl_entries
                         Adds one or more new ACL entries to the file, and/or
                         modifies one or more existing ACL entries on the
                         file. If an entry already exists for a specified uid
                         or gid, the specified permissions replace the current
                         permissions. If an entry does not exist for the
                         specified uid or gid, an entry is created. When using
                         the -m option to modify a default ACL, you must
                         specify a complete default ACL (user, group, other,
                         mask, and any additional entries) the first time.

       -r
                         Recalculates the permissions for the ACL mask entry.
                         The permissions specified in the ACL mask entry are
                         ignored and replaced by the maximum permissions
                         necessary to grant the access to all additional user,
                         file group owner, and additional group entries in the
                         ACL. The permissions in the additional user, file
                         group owner, and additional group entries are left
                         unchanged.

       -s acl_entries
                         Sets a file's ACL. All old ACL entries are removed
                         and replaced with the newly specified ACL. The
                         entries need not be in any specific order. They are
                         sorted by the command before being applied to the
                         file.

                         Required entries:

                             o      Exactly one user entry specified for the
                                    file owner.

                             o      Exactly one group entry for the file group
                                    owner.

                             o      Exactly one other entry specified.

                         If there are additional user and group entries:

                             o      Exactly one mask entry specified for the
                                    ACL mask that indicates the maximum
                                    permissions allowed for users (other than
                                    the owner) and groups.

                             o      Must not be duplicate user entries with
                                    the same uid.

                             o      Must not be duplicate group entries with
                                    the same gid.

                         If file is a directory, the following default ACL
                         entries can be specified:

                             o      Exactly one default user entry for the
                                    file owner.

                             o      Exactly one default group entry for the
                                    file group owner.

                             o      Exactly one default mask entry for the ACL
                                    mask.

                             o      Exactly one default other entry.

                         There can be additional default user entries and
                         additional default group entries specified, but there
                         cannot be duplicate additional default user entries
                         with the same uid, or duplicate default group entries
                         with the same gid.

EXAMPLES
       Example 1 Adding read permission only

       The following example adds one ACL entry to file abc, which gives user
       shea read permission only.

         setfacl -m user:shea:r-- abc

       Example 2 Replacing a file's entire ACL

       The following example replaces the entire ACL for the file abc, which
       gives shea read access, the file owner all access, the file group owner
       read access only, the ACL mask read access only, and others no access.

         setfacl -s user:shea:rwx,user::rwx,group::rw-,mask:r--,other:--- abc

       Notice that after this command, the file permission bits are rwxr-----.
       Even though the file group owner was set with read/write permissions,
       the ACL mask entry limits it to have only read permission. The mask
       entry also specifies the maximum permissions available to all
       additional user and group ACL entries. Once again, even though the user
       shea was set with all access, the mask limits it to have only read
       permission. The ACL mask entry is a quick way to limit or open access
       to all the user and group entries in an ACL. For example, by changing
       the mask entry to read/write, both the file group owner and user shea
       would be given read/write access.

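The mask arithmetic behind Example 2, the chmod(1) side effect described under DESCRIPTION, the -s entry constraints and the -f comment handling are easy to get wrong when reviewing an ACL by eye. The following Python is an added example (not setfacl's own code, and not part of the manpage) that models those rules exactly as the text states them: entries are parsed into (is_default, type, id, perms) tuples, check_set() reports violations of the -s rules, mode_bits() and effective_perms() show what the mask does to the file bits and to user shea, and chmod_group() models chmod rewriting the group owner entry and the mask together. All function names are this example's own; the only input is the acl_entries string from Example 2.

```python
"""Model of the aclent_t (POSIX-draft) ACL rules in setfacl(1). Added example that
mirrors the manpage text; it is not setfacl's own code."""

PERM_BITS = (("r", 4), ("w", 2), ("x", 1))
ENTRY_TYPES = {"u": "user", "user": "user", "g": "group", "group": "group",
               "o": "other", "other": "other", "m": "mask", "mask": "mask"}

def parse_perms(text):
    """perms field: symbolic (rwx, r--) or a single octal digit, as with chmod."""
    if len(text) == 1 and text in "01234567":
        return int(text)
    if len(text) != 3 or any(c not in (want, "-") for c, (want, _) in zip(text, PERM_BITS)):
        raise ValueError("bad perms: %r" % text)
    return sum(bit for c, (_, bit) in zip(text, PERM_BITS) if c != "-")

def format_perms(bits):
    return "".join(c if bits & bit else "-" for c, bit in PERM_BITS)

def parse_entry(entry):
    """One entry -> (is_default, type, id, perms); id is '' unless a uid/gid is given."""
    fields = entry.strip().split(":")
    is_default = fields[0] in ("d", "default")
    if is_default:
        fields = fields[1:]
    etype = ENTRY_TYPES.get(fields[0]) if fields else None
    if etype in ("user", "group") and len(fields) == 3:   # u[ser]:uid:perms, u[ser]::perms
        return (is_default, etype, fields[1], parse_perms(fields[2]))
    if etype in ("other", "mask") and len(fields) == 2:   # o[ther]:perms, m[ask]:perms
        return (is_default, etype, "", parse_perms(fields[1]))
    raise ValueError("bad entry: %r" % entry)

def parse_acl_entries(text):
    """The comma-separated acl_entries argument of -m / -s."""
    return [parse_entry(e) for e in text.split(",") if e.strip()]

def parse_acl_file(text):
    """acl_file as read by -f: '#' starts a comment, so getfacl's '#effective:' notes are dropped."""
    lines = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return [parse_entry(line) for line in lines if line]

def check_set(entries, is_directory=False):
    """The -s rules from the manpage; returns the list of violations (empty means valid)."""
    problems = []
    for is_default in (False, True):
        part = [e for e in entries if e[0] == is_default]
        label = "default " if is_default else ""
        if not part:
            problems += [] if is_default else ["no entries"]
            continue
        if is_default and not is_directory:
            problems.append("default entries only allowed on a directory")
        def count(etype, ident="", part=part):
            return sum(1 for e in part if e[1] == etype and e[2] == ident)
        problems += ["exactly one %s%s entry required" % (label, t)
                     for t in ("user", "group", "other") if count(t) != 1]
        extra = [(e[1], e[2]) for e in part if e[1] in ("user", "group") and e[2]]
        if count("mask") > 1 or ((extra or is_default) and count("mask") != 1):
            problems.append("exactly one %smask entry required" % label)
        problems += ["duplicate %s%s entry for %s" % (label, t, i)
                     for t, i in sorted(set(extra)) if extra.count((t, i)) > 1]
    return problems

def find_perms(entries, etype, ident=""):
    """Permissions of one non-default entry, or None when it is absent."""
    for is_default, t, i, perms in entries:
        if not is_default and t == etype and i == ident:
            return perms
    return None

def mode_bits(entries):
    """Bits setfacl leaves on the file: owner, group class, other. The group class
    shows the mask when there is one, otherwise the group owner entry."""
    mask = find_perms(entries, "mask")
    group_class = find_perms(entries, "group") if mask is None else mask
    return "".join(format_perms(b) for b in
                   (find_perms(entries, "user"), group_class, find_perms(entries, "other")))

def effective_perms(entries, etype, ident=""):
    """The mask caps every entry except the file owner and other."""
    perms, mask = find_perms(entries, etype, ident), find_perms(entries, "mask")
    if mask is None or etype == "other" or (etype == "user" and not ident):
        return perms
    return perms & mask

def chmod_group(entries, bits):
    """chmod(1) of the group bits rewrites both the group owner entry and the mask, so
    the effective permissions of every additional user/group entry move with it."""
    return [(d, t, i, bits if not d and not i and t in ("group", "mask") else p)
            for d, t, i, p in entries]

EXAMPLE2 = "user:shea:rwx,user::rwx,group::rw-,mask:r--,other:---"   # from Example 2

if __name__ == "__main__":
    acl = parse_acl_entries(EXAMPLE2)
    print("mode bits:", mode_bits(acl))                                        # rwxr-----
    print("shea effective:", format_perms(effective_perms(acl, "user", "shea")))  # r--
    print("after chmod g=rw-, shea:",
          format_perms(effective_perms(chmod_group(acl, 6), "user", "shea")))    # rw-
```

Running the module reproduces the manpage's rwxr----- mode bits and shea's effective r--, and shows that a chmod of the group bits to rw- widens shea's effective access to rw- without any setfacl call, which is the caveat DESCRIPTION warns about. check_set() is the place to hook a review of ACLs collected with getfacl: its output piped through parse_acl_file() drops the "#effective:" annotations exactly as -f does.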
       Example 3 Setting the same ACL on two files

       The following example sets the same ACL on file abc as the file xyz.

         getfacl xyz | setfacl -f - abc

FILES
       /etc/passwd
                      password file

       /etc/group
                      group file

SEE ALSO
       chmod(1), getfacl(1), umask(1), aclcheck(3SEC), aclsort(3SEC),
       group(4), passwd(4), attributes(5)



                               December 19, 2006                    SETFACL(1)