12288 getfacl and setfacl could stand improvement
--- old/usr/src/man/man1/setfacl.1.man.txt
+++ new/usr/src/man/man1/setfacl.1.man.txt
1 1 SETFACL(1) User Commands SETFACL(1)
2 2
3 3
4 4
5 5 NAME
6 6 setfacl - modify the Access Control List (ACL) for a file or files
7 7
8 8 SYNOPSIS
9 9 setfacl [-r] -s acl_entries file
10 10
11 11
12 12 setfacl [-r] -md acl_entries file
13 13
14 14
(14 lines elided)
15 15 setfacl [-r] -f acl_file file
16 16
17 17
18 18 DESCRIPTION
19 19 For each file specified, setfacl either replaces its entire ACL,
20 20 including the default ACL on a directory, or it adds, modifies, or
21 21 deletes one or more ACL entries, including default entries on
22 22 directories.
23 23
24 24
25 + The setfacl utility can only manipulate POSIX-draft ACLs. See acl(5)
26 + for a description of the difference between the older POSIX-draft ACLs
27 + and the newer NFSv4 ACLs. The chmod(1) utility can be used to
28 + manipulate ACLs on all types of file system.
29 +
30 +
25 31 When the setfacl command is used, it can result in changes to the file
26 32 permission bits. When the user ACL entry for the file owner is changed,
27 33 the file owner class permission bits are modified. When the group ACL
28 34 entry for the file group class is changed, the file group class
29 35 permission bits are modified. When the other ACL entry is changed, the
30 36 file other class permission bits are modified.
31 37
32 38
33 39 If you use the chmod(1) command to change the file group owner
34 40 permissions on a file with ACL entries, both the file group owner
35 41 permissions and the ACL mask are changed to the new permissions. Be
36 42 aware that the new ACL mask permissions can change the effective
37 43 permissions for additional users and groups who have ACL entries on the
38 44 file.
39 45
40 46
41 47 A directory can contain default ACL entries. If a file or directory is
42 48 created in a directory that contains default ACL entries, the newly
43 49 created file has permissions generated according to the intersection of
44 50 the default ACL entries and the permissions requested at creation time.
45 51 The umask(1) are not applied if the directory contains default ACL
46 52 entries. If a default ACL is specified for a specific user (or users),
47 53 the file has a regular ACL created. Otherwise, only the mode bits are
48 54 initialized according to the intersection described above. The default
49 55 ACL should be thought of as the maximum discretionary access
50 56 permissions that can be granted.
51 57
52 58
53 59 Use the setfacl command to set ACLs on files in a UFS file system,
54 60 which supports POSIX-draft ACLS (or aclent_t style ACLs). Use the chmod
55 61 command to set ACLs on files in a ZFS file system, which supports
56 62 NFSv4-style ACLS (or ace_t style ACLs).
57 63
58 64 acl_entries Syntax
59 65 For the -m and -s options, acl_entries are one or more comma-separated
60 66 ACL entries.
61 67
62 68
63 69 An ACL entry consists of the following fields separated by colons:
64 70
65 71 entry_type
66 72 Type of ACL entry on which to set file permissions. For
67 73 example, entry_type can be user (the owner of a file) or
68 74 mask (the ACL mask).
69 75
70 76
71 77 uid or gid
72 78 User name or user identification number. Or, group name
73 79 or group identification number.
74 80
75 81
76 82 perms
77 83 Represents the permissions that are set on entry_type.
78 84 perms can be indicated by the symbolic characters rwx or
79 85 a number (the same permissions numbers used with the
80 86 chmod command).
81 87
82 88
83 89
84 90 The following table shows the valid ACL entries (default entries can
85 91 only be specified for directories):
86 92
87 93
88 94
89 95
90 96 ACL Entry Description
91 97 --------------------------------------------------------------------
92 98 u[ser]::perms File owner permissions.
93 99 g[roup]::perms File group owner permissions.
94 100 o[ther]:perms Permissions for users other than the
95 101 file owner or members of file group
96 102 owner.
97 103 m[ask]:perms The ACL mask. The mask entry
98 104 indicates the maximum permissions
99 105 allowed for users (other than the
100 106 owner) and for groups. The mask is a
101 107 quick way to change permissions on
102 108 all the users and groups.
103 109 u[ser]:uid:perms Permissions for a specific user. For
104 110 uid, you can specify either a user
105 111 name or a numeric UID.
106 112 g[roup]:gid:perms Permissions for a specific group. For
107 113 gid, you can specify either a group
108 114 name or a numeric GID.
109 115 d[efault]:u[ser]::perms Default file owner permissions.
110 116 d[efault]:g[roup]::perms Default file group owner permissions.
111 117 d[efault]:o[ther]:perms Default permissions for users other
112 118 than the file owner or members of the
113 119 file group owner.
114 120 d[efault]:m[ask]:perms Default ACL mask.
115 121 d[efault]:u[ser]:uid:perms Default permissions for a specific
116 122 user. For uid, you can specify either
117 123 a user name or a numeric UID.
118 124 d[efault]:g[roup]:gid:perms Default permissions for a specific
119 125 group. For gid, you can specify
120 126 either a group name or a numeric GID.
121 127
122 128
123 129
124 130 For the -d option, acl_entries are one or more comma-separated ACL
125 131 entries without permissions. Notice that the entries for file owner,
126 132 file group owner, ACL mask, and others can not be deleted.
127 133
128 134 OPTIONS
129 135 The options have the following meaning:
130 136
131 137 -d acl_entries
132 138 Deletes one or more entries from the file. The
133 139 entries for the file owner, the file group owner, and
134 140 others can not be deleted from the ACL. Notice that
135 141 deleting an entry does not necessarily have the same
136 142 effect as removing all permissions from the entry.
137 143
138 144
139 145 -f acl_file
140 146 Sets a file's ACL with the ACL entries contained in
141 147 the file named acl_file. The same constraints on
142 148 specified entries hold as with the -s option. The
143 149 entries are not required to be in any specific order
144 150 in the file. Also, if you specify a dash (-) for
145 151 acl_file, standard input is used to set the file's
146 152 ACL.
147 153
148 154 The character # in acl_file can be used to indicate a
149 155 comment. All characters, starting with the # until
150 156 the end of the line, are ignored. Notice that if the
151 157 acl_file has been created as the output of the
152 158 getfacl(1) command, any effective permissions, which
153 159 follow a #, are ignored.
154 160
155 161
156 162 -m acl_entries
157 163 Adds one or more new ACL entries to the file, and/or
158 164 modifies one or more existing ACL entries on the
159 165 file. If an entry already exists for a specified uid
160 166 or gid, the specified permissions replace the current
161 167 permissions. If an entry does not exist for the
162 168 specified uid or gid, an entry is created. When using
163 169 the -m option to modify a default ACL, you must
164 170 specify a complete default ACL (user, group, other,
165 171 mask, and any additional entries) the first time.
166 172
167 173
168 174 -r
169 175 Recalculates the permissions for the ACL mask entry.
170 176 The permissions specified in the ACL mask entry are
171 177 ignored and replaced by the maximum permissions
172 178 necessary to grant the access to all additional user,
173 179 file group owner, and additional group entries in the
174 180 ACL. The permissions in the additional user, file
175 181 group owner, and additional group entries are left
176 182 unchanged.
177 183
178 184
179 185 -s acl_entries
180 186 Sets a file's ACL. All old ACL entries are removed
181 187 and replaced with the newly specified ACL. The
182 188 entries need not be in any specific order. They are
183 189 sorted by the command before being applied to the
184 190 file.
185 191
186 192 Required entries:
187 193
188 194 o Exactly one user entry specified for the
189 195 file owner.
190 196
191 197 o Exactly one group entry for the file group
192 198 owner.
193 199
194 200 o Exactly one other entry specified.
195 201 If there are additional user and group entries:
196 202
197 203 o Exactly one mask entry specified for the
198 204 ACL mask that indicates the maximum
199 205 permissions allowed for users (other than
200 206 the owner) and groups.
201 207
202 208 o Must not be duplicate user entries with
203 209 the same uid.
204 210
205 211 o Must not be duplicate group entries with
206 212 the same gid.
207 213 If file is a directory, the following default ACL
208 214 entries can be specified:
209 215
210 216 o Exactly one default user entry for the
211 217 file owner.
212 218
213 219 o Exactly one default group entry for the
214 220 file group owner.
215 221
216 222 o Exactly one default mask entry for the ACL
217 223 mask.
218 224
219 225 o Exactly one default other entry.
220 226 There can be additional default user entries and
221 227 additional default group entries specified, but there
222 228 can not be duplicate additional default user entries
223 229 with the same uid, or duplicate default group entries
224 230 with the same gid.
225 231
226 232
227 233 EXAMPLES
228 234 Example 1 Adding read permission only
229 235
230 236
231 237 The following example adds one ACL entry to file abc, which gives user
232 238 shea read permission only.
233 239
234 240
235 241 setfacl -m user:shea:r-- abc
236 242
237 243
238 244
239 245 Example 2 Replacing a file's entire ACL
240 246
241 247
242 248 The following example replaces the entire ACL for the file abc, which
243 249 gives shea read access, the file owner all access, the file group owner
244 250 read access only, the ACL mask read access only, and others no access.
245 251
246 252
247 253 setfacl -s user:shea:rwx,user::rwx,group::rw-,mask:r--,other:--- abc
248 254
249 255
250 256
251 257
252 258 Notice that after this command, the file permission bits are rwxr-----.
253 259 Even though the file group owner was set with read/write permissions,
254 260 the ACL mask entry limits it to have only read permission. The mask
255 261 entry also specifies the maximum permissions available to all
256 262 additional user and group ACL entries. Once again, even though the user
257 263 shea was set with all access, the mask limits it to have only read
258 264 permission. The ACL mask entry is a quick way to limit or open access
259 265 to all the user and group entries in an ACL. For example, by changing
260 266 the mask entry to read/write, both the file group owner and user shea
261 267 would be given read/write access.
262 268
263 269
264 270 Example 3 Setting the same ACL on two files
265 271
266 272
267 273 The following example sets the same ACL on file abc as the file xyz.
268 274
269 275
270 276 getfacl xyz | setfacl -f - abc
271 277
272 278
273 279
274 280 FILES
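Review bot: the new DESCRIPTION paragraph ("The setfacl utility can only manipulate POSIX-draft ACLs ... The chmod(1) utility can be used to manipulate ACLs on all types of file system.") overlaps with the unchanged paragraph further down ("Use the setfacl command to set ACLs on files in a UFS file system ... Use the chmod command to set ACLs on files in a ZFS file system ..."), and the two no longer say quite the same thing: the new text says chmod handles every file system type, the older one ties chmod to ZFS only. Suggest folding the older paragraph into the new one (keep the acl(5) pointer, drop the UFS/ZFS-specific sentence or make it a parenthetical example), so the page states the rule once. It would also help to say what a user sees when setfacl is run on a file whose ACL is NFSv4 style, since the new text says only that setfacl cannot manipulate such ACLs, and that is exactly the case that sends people to this page. While here, the unchanged lines "POSIX-draft ACLS (or aclent_t style ACLs)" and "NFSv4-style ACLS (or ace_t style ACLs)" spell "ACLS" with a capital S, which is worth fixing in the same change.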
(240 lines elided)
275 281 /etc/passwd
276 282 password file
277 283
278 284
279 285 /etc/group
280 286 group file
281 287
282 288
283 289 SEE ALSO
284 290 chmod(1), getfacl(1), umask(1), aclcheck(3SEC), aclsort(3SEC),
285 - group(4), passwd(4), attributes(5)
291 + group(4), passwd(4), acl(5), attributes(5)
286 292
287 293
288 294
289 - December 19, 2006 SETFACL(1)
295 + February 8, 2020 SETFACL(1)
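Review bot: getfacl.1 is not part of this diff even though the issue title ("getfacl and setfacl could stand improvement") covers both utilities; the same acl(5) cross-reference and the POSIX-draft-only caveat belong on that page as well. The acl(5) entry added to SEE ALSO here matches the new reference in DESCRIPTION, and bumping the date is appropriate because the page content, not just its formatting, changed.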