1 '\" te
2 .\" Copyright (c) 2006, Sun Microsystems, Inc. All Rights Reserved
3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
4 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
5 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
6 .TH SETFACL 1 "Dec 19, 2006"
7 .SH NAME
8 setfacl \- modify the Access Control List (ACL) for a file or files
9 .SH SYNOPSIS
10 .LP
11 .nf
12 \fBsetfacl\fR [\fB-r\fR] \fB-s\fR \fIacl_entries\fR \fIfile\fR
13 .fi
14
15 .LP
16 .nf
17 \fBsetfacl\fR [\fB-r\fR] \fB-md\fR \fIacl_entries\fR \fIfile\fR
18 .fi
19
20 .LP
21 .nf
22 \fBsetfacl\fR [\fB-r\fR] \fB-f\fR \fIacl_file\fR \fIfile\fR
23 .fi
24
25 .SH DESCRIPTION
26 .sp
27 .LP
28 For each file specified, \fBsetfacl\fR either replaces its entire \fBACL\fR,
29 including the default \fBACL\fR on a directory, or it adds, modifies, or
30 deletes one or more \fBACL\fR entries, including default entries on
31 directories.
32 .sp
33 .LP
34 When the \fBsetfacl\fR command is used, it can result in changes to the file
35 permission bits. When the user \fBACL\fR entry for the file owner is changed,
36 the file owner class permission bits are modified. When the group \fBACL\fR
37 entry for the file group class is changed, the file group class permission bits
38 are modified. When the other \fBACL\fR entry is changed, the file other class
39 permission bits are modified.
40 .sp
41 .LP
42 If you use the \fBchmod\fR(1) command to change the file group owner
43 permissions on a file with \fBACL\fR entries, both the file group owner
44 permissions and the \fBACL\fR mask are changed to the new permissions. Be aware
45 that the new \fBACL\fR mask permissions can change the effective permissions
46 for additional users and groups who have \fBACL\fR entries on the file.
47 .sp
48 .LP
49 A directory can contain default \fBACL\fR entries. If a file or directory is
50 created in a directory that contains default \fBACL\fR entries, the newly
51 created file has permissions generated according to the intersection of the
52 default \fBACL\fR entries and the permissions requested at creation time. The
53 \fBumask\fR(1) are not applied if the directory contains default \fBACL\fR
54 entries. If a default \fBACL\fR is specified for a specific user (or users),
55 the file has a regular \fBACL\fR created. Otherwise, only the mode bits are
56 initialized according to the intersection described above. The default
57 \fBACL\fR should be thought of as the maximum discretionary access permissions
58 that can be granted.
59 .sp
60 .LP
61 Use the \fBsetfacl\fR command to set ACLs on files in a UFS file system, which
62 supports POSIX-draft ACLS (or \fBaclent_t\fR style ACLs). Use the \fBchmod\fR
63 command to set ACLs on files in a ZFS file system, which supports NFSv4-style
64 ACLS (or \fBace_t\fR style ACLs).
65 .SS "\fIacl_entries\fR Syntax"
66 .sp
67 .LP
68 For the \fB-m\fR and \fB-s\fR options, \fIacl_entries\fR are one or more
69 comma-separated \fBACL\fR entries.
70 .sp
71 .LP
72 An \fBACL\fR entry consists of the following fields separated by colons:
73 .sp
74 .ne 2
75 .na
76 \fB\fIentry_type\fR\fR
77 .ad
78 .RS 14n
79 Type of \fBACL\fR entry on which to set file permissions. For example,
80 \fIentry_type\fR can be \fBuser\fR (the owner of a file) or \fBmask\fR (the
81 \fBACL\fR mask).
82 .RE
83
84 .sp
85 .ne 2
86 .na
87 \fB\fIuid\fR or \fIgid\fR\fR
131 d[efault]:u[ser]::\fIperms\fR Default file owner permissions.
132 d[efault]:g[roup]::\fIperms\fR Default file group owner permissions.
133 d[efault]:o[ther]:\fIperms\fR T{
134 Default permissions for users other than the file owner or members of the file group owner.
135 T}
136 d[efault]:m[ask]:\fIperms\fR Default \fBACL\fR mask.
137 d[efault]:u[ser]:\fIuid\fR:\fIperms\fR T{
138 Default permissions for a specific user. For \fIuid\fR, you can specify either a user name or a numeric UID.
139 T}
140 d[efault]:g[roup]:\fIgid\fR:\fIperms\fR T{
141 Default permissions for a specific group. For \fIgid\fR, you can specify either a group name or a numeric GID.
142 T}
143 .TE
144
145 .sp
146 .LP
147 For the \fB-d\fR option, \fIacl_entries\fR are one or more comma-separated
148 \fBACL\fR entries without permissions. Notice that the entries for file owner,
149 file group owner, \fBACL\fR mask, and others can not be deleted.
150 .SH OPTIONS
151 .sp
152 .LP
153 The options have the following meaning:
154 .sp
155 .ne 2
156 .na
157 \fB\fB-d\fR \fIacl_entries\fR\fR
158 .ad
159 .RS 18n
160 Deletes one or more entries from the file. The entries for the file owner, the
161 file group owner, and others can not be deleted from the \fBACL\fR. Notice that
162 deleting an entry does not necessarily have the same effect as removing all
163 permissions from the entry.
164 .RE
165
166 .sp
167 .ne 2
168 .na
169 \fB\fB-f\fR \fIacl_file\fR\fR
170 .ad
171 .RS 18n
172 Sets a file's \fBACL\fR with the \fBACL\fR entries contained in the file named
276 .RE
277 .RS +4
278 .TP
279 .ie t \(bu
280 .el o
281 Exactly one \fBdefault mask\fR entry for the \fBACL\fR mask.
282 .RE
283 .RS +4
284 .TP
285 .ie t \(bu
286 .el o
287 Exactly one \fBdefault other\fR entry.
288 .RE
289 There can be additional \fBdefault user\fR entries and additional \fBdefault
290 group\fR entries specified, but there can not be duplicate additional
291 \fBdefault user\fR entries with the same \fIuid\fR, or duplicate \fBdefault
292 group\fR entries with the same \fIgid\fR.
293 .RE
294
295 .SH EXAMPLES
296 .LP
297 \fBExample 1 \fRAdding read permission only
298 .sp
299 .LP
300 The following example adds one \fBACL\fR entry to file \fBabc\fR, which gives
301 user \fBshea\fR read permission only.
302
303 .sp
304 .in +2
305 .nf
306 \fBsetfacl -m user:shea:r\(mi\(mi abc\fR
307 .fi
308 .in -2
309 .sp
310
311 .LP
312 \fBExample 2 \fRReplacing a file's entire \fBACL\fR
313 .sp
314 .LP
315 The following example replaces the entire \fBACL\fR for the file \fBabc\fR,
316 which gives \fBshea\fR read access, the file owner all access, the file group
336 mask entry is a quick way to limit or open access to all the user and group
337 entries in an \fBACL\fR. For example, by changing the mask entry to read/write,
338 both the file group owner and user \fBshea\fR would be given read/write access.
339
340 .LP
341 \fBExample 3 \fRSetting the same \fBACL\fR on two files
342 .sp
343 .LP
344 The following example sets the same \fBACL\fR on file \fBabc\fR as the file
345 \fBxyz\fR.
346
347 .sp
348 .in +2
349 .nf
350 \fBgetfacl xyz | setfacl -f \(mi abc\fR
351 .fi
352 .in -2
353 .sp
354
355 .SH FILES
356 .sp
357 .ne 2
358 .na
359 \fB\fB/etc/passwd\fR\fR
360 .ad
361 .RS 15n
362 password file
363 .RE
364
365 .sp
366 .ne 2
367 .na
368 \fB\fB/etc/group\fR\fR
369 .ad
370 .RS 15n
371 group file
372 .RE
373
374 .SH SEE ALSO
375 .sp
376 .LP
377 \fBchmod\fR(1), \fBgetfacl\fR(1), \fBumask\fR(1), \fBaclcheck\fR(3SEC),
378 \fBaclsort\fR(3SEC), \fBgroup\fR(4), \fBpasswd\fR(4), \fBattributes\fR(5)
|
1 '\" te
2 .\" Copyright (c) 2006, Sun Microsystems, Inc. All Rights Reserved
3 .\" Copyright (c) 2020 Peter Tribble.
4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
5 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
6 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
7 .TH SETFACL 1 "Feb 8, 2020"
8 .SH NAME
9 setfacl \- modify the Access Control List (ACL) for a file or files
10 .SH SYNOPSIS
11 .nf
12 \fBsetfacl\fR [\fB-r\fR] \fB-s\fR \fIacl_entries\fR \fIfile\fR
13 .fi
14
15 .LP
16 .nf
17 \fBsetfacl\fR [\fB-r\fR] \fB-md\fR \fIacl_entries\fR \fIfile\fR
18 .fi
19
20 .LP
21 .nf
22 \fBsetfacl\fR [\fB-r\fR] \fB-f\fR \fIacl_file\fR \fIfile\fR
23 .fi
24
25 .SH DESCRIPTION
26 For each file specified, \fBsetfacl\fR either replaces its entire \fBACL\fR,
27 including the default \fBACL\fR on a directory, or it adds, modifies, or
28 deletes one or more \fBACL\fR entries, including default entries on
29 directories.
30 .sp
31 .LP
32 The \fBsetfacl\fR utility can only manipulate POSIX-draft \fBACL\fRs. See
33 \fBacl\fR(5) for a description of the difference between the older POSIX-draft
34 \fBACL\fRs and the newer NFSv4 \fBACL\fRs. The \fBchmod\fR(1) utility can
35 be used to manipulate \fBACL\fRs on all types of file system.
36 .sp
37 .LP
38 When the \fBsetfacl\fR command is used, it can result in changes to the file
39 permission bits. When the user \fBACL\fR entry for the file owner is changed,
40 the file owner class permission bits are modified. When the group \fBACL\fR
41 entry for the file group class is changed, the file group class permission bits
42 are modified. When the other \fBACL\fR entry is changed, the file other class
43 permission bits are modified.
44 .sp
45 .LP
46 If you use the \fBchmod\fR(1) command to change the file group owner
47 permissions on a file with \fBACL\fR entries, both the file group owner
48 permissions and the \fBACL\fR mask are changed to the new permissions. Be aware
49 that the new \fBACL\fR mask permissions can change the effective permissions
50 for additional users and groups who have \fBACL\fR entries on the file.
51 .sp
52 .LP
53 A directory can contain default \fBACL\fR entries. If a file or directory is
54 created in a directory that contains default \fBACL\fR entries, the newly
55 created file has permissions generated according to the intersection of the
56 default \fBACL\fR entries and the permissions requested at creation time. The
57 \fBumask\fR(1) are not applied if the directory contains default \fBACL\fR
58 entries. If a default \fBACL\fR is specified for a specific user (or users),
59 the file has a regular \fBACL\fR created. Otherwise, only the mode bits are
60 initialized according to the intersection described above. The default
61 \fBACL\fR should be thought of as the maximum discretionary access permissions
62 that can be granted.
63 .sp
64 .LP
65 Use the \fBsetfacl\fR command to set ACLs on files in a UFS file system, which
66 supports POSIX-draft ACLS (or \fBaclent_t\fR style ACLs). Use the \fBchmod\fR
67 command to set ACLs on files in a ZFS file system, which supports NFSv4-style
68 ACLS (or \fBace_t\fR style ACLs).
69 .SS "\fIacl_entries\fR Syntax"
70 For the \fB-m\fR and \fB-s\fR options, \fIacl_entries\fR are one or more
71 comma-separated \fBACL\fR entries.
72 .sp
73 .LP
74 An \fBACL\fR entry consists of the following fields separated by colons:
75 .sp
76 .ne 2
77 .na
78 \fB\fIentry_type\fR\fR
79 .ad
80 .RS 14n
81 Type of \fBACL\fR entry on which to set file permissions. For example,
82 \fIentry_type\fR can be \fBuser\fR (the owner of a file) or \fBmask\fR (the
83 \fBACL\fR mask).
84 .RE
85
86 .sp
87 .ne 2
88 .na
89 \fB\fIuid\fR or \fIgid\fR\fR
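Review bot: the paragraph added at new lines 32-35 overlaps with the older paragraph kept at new lines 65-68, and the two give slightly different guidance: the new text says chmod(1) can manipulate ACLs "on all types of file system", while the retained text still says to use setfacl for UFS and chmod for ZFS. Suggest folding lines 65-68 into the new paragraph or dropping them, so the page states the POSIX-draft versus NFSv4 split once. The new text also does not say what setfacl does when it is run against a file that carries NFSv4 ACLs; a sentence on that failure behaviour would help anyone scripting permission changes across mixed file systems. While this section is being touched, "The \fBumask\fR(1) are not applied" at line 57 should read "is not applied", and "ACLS" at lines 66 and 68 should be "ACLs" to match the rest of the page.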
133 d[efault]:u[ser]::\fIperms\fR Default file owner permissions.
134 d[efault]:g[roup]::\fIperms\fR Default file group owner permissions.
135 d[efault]:o[ther]:\fIperms\fR T{
136 Default permissions for users other than the file owner or members of the file group owner.
137 T}
138 d[efault]:m[ask]:\fIperms\fR Default \fBACL\fR mask.
139 d[efault]:u[ser]:\fIuid\fR:\fIperms\fR T{
140 Default permissions for a specific user. For \fIuid\fR, you can specify either a user name or a numeric UID.
141 T}
142 d[efault]:g[roup]:\fIgid\fR:\fIperms\fR T{
143 Default permissions for a specific group. For \fIgid\fR, you can specify either a group name or a numeric GID.
144 T}
145 .TE
146
147 .sp
148 .LP
149 For the \fB-d\fR option, \fIacl_entries\fR are one or more comma-separated
150 \fBACL\fR entries without permissions. Notice that the entries for file owner,
151 file group owner, \fBACL\fR mask, and others can not be deleted.
152 .SH OPTIONS
153 The options have the following meaning:
154 .sp
155 .ne 2
156 .na
157 \fB\fB-d\fR \fIacl_entries\fR\fR
158 .ad
159 .RS 18n
160 Deletes one or more entries from the file. The entries for the file owner, the
161 file group owner, and others can not be deleted from the \fBACL\fR. Notice that
162 deleting an entry does not necessarily have the same effect as removing all
163 permissions from the entry.
164 .RE
165
166 .sp
167 .ne 2
168 .na
169 \fB\fB-f\fR \fIacl_file\fR\fR
170 .ad
171 .RS 18n
172 Sets a file's \fBACL\fR with the \fBACL\fR entries contained in the file named
276 .RE
277 .RS +4
278 .TP
279 .ie t \(bu
280 .el o
281 Exactly one \fBdefault mask\fR entry for the \fBACL\fR mask.
282 .RE
283 .RS +4
284 .TP
285 .ie t \(bu
286 .el o
287 Exactly one \fBdefault other\fR entry.
288 .RE
289 There can be additional \fBdefault user\fR entries and additional \fBdefault
290 group\fR entries specified, but there can not be duplicate additional
291 \fBdefault user\fR entries with the same \fIuid\fR, or duplicate \fBdefault
292 group\fR entries with the same \fIgid\fR.
293 .RE
294
295 .SH EXAMPLES
296 \fBExample 1 \fRAdding read permission only
297 .sp
298 .LP
299 The following example adds one \fBACL\fR entry to file \fBabc\fR, which gives
300 user \fBshea\fR read permission only.
301
302 .sp
303 .in +2
304 .nf
305 \fBsetfacl -m user:shea:r\(mi\(mi abc\fR
306 .fi
307 .in -2
308 .sp
309
310 .LP
311 \fBExample 2 \fRReplacing a file's entire \fBACL\fR
312 .sp
313 .LP
314 The following example replaces the entire \fBACL\fR for the file \fBabc\fR,
315 which gives \fBshea\fR read access, the file owner all access, the file group
335 mask entry is a quick way to limit or open access to all the user and group
336 entries in an \fBACL\fR. For example, by changing the mask entry to read/write,
337 both the file group owner and user \fBshea\fR would be given read/write access.
338
339 .LP
340 \fBExample 3 \fRSetting the same \fBACL\fR on two files
341 .sp
342 .LP
343 The following example sets the same \fBACL\fR on file \fBabc\fR as the file
344 \fBxyz\fR.
345
346 .sp
347 .in +2
348 .nf
349 \fBgetfacl xyz | setfacl -f \(mi abc\fR
350 .fi
351 .in -2
352 .sp
353
354 .SH FILES
355 .ne 2
356 .na
357 \fB\fB/etc/passwd\fR\fR
358 .ad
359 .RS 15n
360 password file
361 .RE
362
363 .sp
364 .ne 2
365 .na
366 \fB\fB/etc/group\fR\fR
367 .ad
368 .RS 15n
369 group file
370 .RE
371
372 .SH SEE ALSO
373 \fBchmod\fR(1), \fBgetfacl\fR(1), \fBumask\fR(1), \fBaclcheck\fR(3SEC),
374 \fBaclsort\fR(3SEC), \fBgroup\fR(4), \fBpasswd\fR(4), \fBacl\fR(5),
375 \fBattributes\fR(5)