12288 getfacl and setfacl could stand improvement
--- old/usr/src/man/man1/setfacl.1
+++ new/usr/src/man/man1/setfacl.1
1 1 '\" te
2 2 .\" Copyright (c) 2006, Sun Microsystems, Inc. All Rights Reserved
3 +.\" Copyright (c) 2020 Peter Tribble.
3 4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
4 5 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
5 6 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
6 -.TH SETFACL 1 "Dec 19, 2006"
7 +.TH SETFACL 1 "Feb 8, 2020"
7 8 .SH NAME
8 9 setfacl \- modify the Access Control List (ACL) for a file or files
9 10 .SH SYNOPSIS
10 -.LP
11 11 .nf
12 12 \fBsetfacl\fR [\fB-r\fR] \fB-s\fR \fIacl_entries\fR \fIfile\fR
13 13 .fi
14 14
15 15 .LP
16 16 .nf
17 17 \fBsetfacl\fR [\fB-r\fR] \fB-md\fR \fIacl_entries\fR \fIfile\fR
18 18 .fi
19 19
20 20 .LP
21 21 .nf
22 22 \fBsetfacl\fR [\fB-r\fR] \fB-f\fR \fIacl_file\fR \fIfile\fR
23 23 .fi
24 24
25 25 .SH DESCRIPTION
26 -.sp
27 -.LP
28 26 For each file specified, \fBsetfacl\fR either replaces its entire \fBACL\fR,
29 27 including the default \fBACL\fR on a directory, or it adds, modifies, or
30 28 deletes one or more \fBACL\fR entries, including default entries on
31 29 directories.
32 30 .sp
33 31 .LP
32 +The \fBsetfacl\fR utility can only manipulate POSIX-draft \fBACL\fRs. See
33 +\fBacl\fR(5) for a description of the difference between the older POSIX-draft
34 +\fBACL\fRs and the newer NFSv4 \fBACL\fRs. The \fBchmod\fR(1) utility can
35 +be used to manipulate \fBACL\fRs on all types of file system.
36 +.sp
37 +.LP
34 38 When the \fBsetfacl\fR command is used, it can result in changes to the file
35 39 permission bits. When the user \fBACL\fR entry for the file owner is changed,
36 40 the file owner class permission bits are modified. When the group \fBACL\fR
37 41 entry for the file group class is changed, the file group class permission bits
38 42 are modified. When the other \fBACL\fR entry is changed, the file other class
39 43 permission bits are modified.
40 44 .sp
41 45 .LP
42 46 If you use the \fBchmod\fR(1) command to change the file group owner
43 47 permissions on a file with \fBACL\fR entries, both the file group owner
44 48 permissions and the \fBACL\fR mask are changed to the new permissions. Be aware
45 49 that the new \fBACL\fR mask permissions can change the effective permissions
46 50 for additional users and groups who have \fBACL\fR entries on the file.
47 51 .sp
48 52 .LP
49 53 A directory can contain default \fBACL\fR entries. If a file or directory is
50 54 created in a directory that contains default \fBACL\fR entries, the newly
51 55 created file has permissions generated according to the intersection of the
52 56 default \fBACL\fR entries and the permissions requested at creation time. The
53 57 \fBumask\fR(1) are not applied if the directory contains default \fBACL\fR
54 58 entries. If a default \fBACL\fR is specified for a specific user (or users),
55 59 the file has a regular \fBACL\fR created. Otherwise, only the mode bits are
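Review bot: the new paragraph at new lines 32-35 makes the same point as the unchanged paragraph at new lines 65-68 (setfacl for POSIX-draft / aclent_t ACLs on UFS, chmod for NFSv4 / ace_t ACLs on ZFS), so DESCRIPTION now says it twice a few paragraphs apart; fold the acl(5) pointer into the later paragraph, or drop the later paragraph, rather than keeping both. While the file is open for exactly this kind of cleanup, new line 57 "The \fBumask\fR(1) are not applied" should read "is not applied".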
56 60 initialized according to the intersection described above. The default
57 61 \fBACL\fR should be thought of as the maximum discretionary access permissions
58 62 that can be granted.
59 63 .sp
60 64 .LP
61 65 Use the \fBsetfacl\fR command to set ACLs on files in a UFS file system, which
62 66 supports POSIX-draft ACLS (or \fBaclent_t\fR style ACLs). Use the \fBchmod\fR
63 67 command to set ACLs on files in a ZFS file system, which supports NFSv4-style
64 68 ACLS (or \fBace_t\fR style ACLs).
65 69 .SS "\fIacl_entries\fR Syntax"
66 -.sp
67 -.LP
68 70 For the \fB-m\fR and \fB-s\fR options, \fIacl_entries\fR are one or more
69 71 comma-separated \fBACL\fR entries.
70 72 .sp
71 73 .LP
72 74 An \fBACL\fR entry consists of the following fields separated by colons:
73 75 .sp
74 76 .ne 2
75 77 .na
76 78 \fB\fIentry_type\fR\fR
77 79 .ad
78 80 .RS 14n
79 81 Type of \fBACL\fR entry on which to set file permissions. For example,
80 82 \fIentry_type\fR can be \fBuser\fR (the owner of a file) or \fBmask\fR (the
81 83 \fBACL\fR mask).
82 84 .RE
83 85
84 86 .sp
85 87 .ne 2
86 88 .na
87 89 \fB\fIuid\fR or \fIgid\fR\fR
88 90 .ad
89 91 .RS 14n
90 92 User name or user identification number. Or, group name or group identification
91 93 number.
92 94 .RE
93 95
94 96 .sp
95 97 .ne 2
96 98 .na
97 99 \fB\fIperms\fR\fR
98 100 .ad
99 101 .RS 14n
100 102 Represents the permissions that are set on \fIentry_type\fR. \fIperms\fR can be
101 103 indicated by the symbolic characters \fBrwx\fR or a number (the same
102 104 permissions numbers used with the \fBchmod\fR command).
103 105 .RE
104 106
105 107 .sp
106 108 .LP
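Review bot: new lines 66 and 68 spell the plural as "ACLS" while the paragraph added at new lines 32-35 (and the rest of the page) uses "\fBACL\fRs"; make the two consistent in this change, since the unchanged paragraph is the one readers will reach first when looking for the UFS/ZFS distinction.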
107 109 The following table shows the valid \fBACL\fR entries (default entries can only
108 110 be specified for directories):
109 111 .sp
110 112
111 113 .sp
112 114 .TS
113 115 c c
114 116 l l .
115 117 \fBACL\fR Entry Description
116 118 _
117 -u[ser]::\fIperms\fR File owner permissions.
118 -g[roup]::\fIperms\fR File group owner permissions.
119 -o[ther]:\fIperms\fR T{
119 +u[ser]::\fIperms\fR File owner permissions.
120 +g[roup]::\fIperms\fR File group owner permissions.
121 +o[ther]:\fIperms\fR T{
120 122 Permissions for users other than the file owner or members of file group owner.
121 123 T}
122 -m[ask]:\fIperms\fR T{
124 +m[ask]:\fIperms\fR T{
123 125 The \fBACL\fR mask. The mask entry indicates the maximum permissions allowed for users (other than the owner) and for groups. The mask is a quick way to change permissions on all the users and groups.
124 126 T}
125 127 u[ser]:\fIuid:perms\fR T{
126 128 Permissions for a specific user. For \fIuid\fR, you can specify either a user name or a numeric UID.
127 129 T}
128 130 g[roup]:\fIgid:perms\fR T{
129 131 Permissions for a specific group. For \fIgid\fR, you can specify either a group name or a numeric GID.
130 132 T}
131 -d[efault]:u[ser]::\fIperms\fR Default file owner permissions.
132 -d[efault]:g[roup]::\fIperms\fR Default file group owner permissions.
133 -d[efault]:o[ther]:\fIperms\fR T{
133 +d[efault]:u[ser]::\fIperms\fR Default file owner permissions.
134 +d[efault]:g[roup]::\fIperms\fR Default file group owner permissions.
135 +d[efault]:o[ther]:\fIperms\fR T{
134 136 Default permissions for users other than the file owner or members of the file group owner.
135 137 T}
136 -d[efault]:m[ask]:\fIperms\fR Default \fBACL\fR mask.
138 +d[efault]:m[ask]:\fIperms\fR Default \fBACL\fR mask.
137 139 d[efault]:u[ser]:\fIuid\fR:\fIperms\fR T{
138 140 Default permissions for a specific user. For \fIuid\fR, you can specify either a user name or a numeric UID.
139 141 T}
140 142 d[efault]:g[roup]:\fIgid\fR:\fIperms\fR T{
141 143 Default permissions for a specific group. For \fIgid\fR, you can specify either a group name or a numeric GID.
142 144 T}
143 145 .TE
144 146
145 147 .sp
146 148 .LP
147 149 For the \fB-d\fR option, \fIacl_entries\fR are one or more comma-separated
148 150 \fBACL\fR entries without permissions. Notice that the entries for file owner,
149 151 file group owner, \fBACL\fR mask, and others can not be deleted.
150 152 .SH OPTIONS
151 -.sp
152 -.LP
153 153 The options have the following meaning:
154 154 .sp
155 155 .ne 2
156 156 .na
157 157 \fB\fB-d\fR \fIacl_entries\fR\fR
158 158 .ad
159 159 .RS 18n
160 160 Deletes one or more entries from the file. The entries for the file owner, the
161 161 file group owner, and others can not be deleted from the \fBACL\fR. Notice that
162 162 deleting an entry does not necessarily have the same effect as removing all
163 163 permissions from the entry.
164 164 .RE
165 165
166 166 .sp
167 167 .ne 2
168 168 .na
169 169 \fB\fB-f\fR \fIacl_file\fR\fR
170 170 .ad
171 171 .RS 18n
172 172 Sets a file's \fBACL\fR with the \fBACL\fR entries contained in the file named
173 173 \fIacl_file\fR. The same constraints on specified entries hold as with the
174 174 \fB-s\fR option. The entries are not required to be in any specific order in
175 175 the file. Also, if you specify a dash (\fB-\fR) for \fIacl_file\fR, standard
176 176 input is used to set the file's \fBACL\fR.
177 177 .sp
178 178 The character \fB#\fR in \fIacl_file\fR can be used to indicate a comment. All
179 179 characters, starting with the \fB#\fR until the end of the line, are ignored.
180 180 Notice that if the \fIacl_file\fR has been created as the output of the
181 181 \fBgetfacl\fR(1) command, any effective permissions, which follow a \fB#\fR,
182 182 are ignored.
183 183 .RE
184 184
185 185 .sp
186 186 .ne 2
187 187 .na
188 188 \fB\fB-m\fR \fIacl_entries\fR\fR
189 189 .ad
190 190 .RS 18n
191 191 Adds one or more new \fBACL\fR entries to the file, and/or modifies one or more
192 192 existing \fBACL\fR entries on the file. If an entry already exists for a
193 193 specified \fIuid\fR or \fIgid\fR, the specified permissions replace the current
194 194 permissions. If an entry does not exist for the specified \fIuid\fR or
195 195 \fIgid\fR, an entry is created. When using the \fB-m\fR option to modify a
196 196 default \fBACL\fR, you must specify a complete default \fBACL\fR (user, group,
197 197 other, mask, and any additional entries) the first time.
198 198 .RE
199 199
200 200 .sp
201 201 .ne 2
202 202 .na
203 203 \fB\fB-r\fR\fR
204 204 .ad
205 205 .RS 18n
206 206 Recalculates the permissions for the \fBACL\fR mask entry. The permissions
207 207 specified in the \fBACL\fR mask entry are ignored and replaced by the maximum
208 208 permissions necessary to grant the access to all additional user, file group
209 209 owner, and additional group entries in the \fBACL\fR. The permissions in the
210 210 additional user, file group owner, and additional group entries are left
211 211 unchanged.
212 212 .RE
213 213
214 214 .sp
215 215 .ne 2
216 216 .na
217 217 \fB\fB-s\fR \fIacl_entries\fR\fR
218 218 .ad
219 219 .RS 18n
220 220 Sets a file's \fBACL\fR. All old \fBACL\fR entries are removed and replaced
221 221 with the newly specified \fBACL\fR. The entries need not be in any specific
222 222 order. They are sorted by the command before being applied to the file.
223 223 .sp
224 224 Required entries:
225 225 .RS +4
226 226 .TP
227 227 .ie t \(bu
228 228 .el o
229 229 Exactly one \fBuser\fR entry specified for the file owner.
230 230 .RE
231 231 .RS +4
232 232 .TP
233 233 .ie t \(bu
234 234 .el o
235 235 Exactly one \fBgroup\fR entry for the file group owner.
236 236 .RE
237 237 .RS +4
238 238 .TP
239 239 .ie t \(bu
240 240 .el o
241 241 Exactly one \fBother\fR entry specified.
242 242 .RE
243 243 If there are additional user and group entries:
244 244 .RS +4
245 245 .TP
246 246 .ie t \(bu
247 247 .el o
248 248 Exactly one \fBmask\fR entry specified for the \fBACL\fR mask that indicates
249 249 the maximum permissions allowed for users (other than the owner) and groups.
250 250 .RE
251 251 .RS +4
252 252 .TP
253 253 .ie t \(bu
254 254 .el o
255 255 Must not be duplicate \fBuser\fR entries with the same \fIuid\fR.
256 256 .RE
257 257 .RS +4
258 258 .TP
259 259 .ie t \(bu
260 260 .el o
261 261 Must not be duplicate \fBgroup\fR entries with the same \fIgid\fR.
262 262 .RE
263 263 If \fIfile\fR is a directory, the following default \fBACL\fR entries can be
264 264 specified:
265 265 .RS +4
266 266 .TP
267 267 .ie t \(bu
268 268 .el o
269 269 Exactly one \fBdefault user\fR entry for the file owner.
270 270 .RE
271 271 .RS +4
272 272 .TP
273 273 .ie t \(bu
274 274 .el o
275 275 Exactly one \fBdefault group\fR entry for the file group owner.
276 276 .RE
277 277 .RS +4
278 278 .TP
279 279 .ie t \(bu
280 280 .el o
281 281 Exactly one \fBdefault mask\fR entry for the \fBACL\fR mask.
282 282 .RE
283 283 .RS +4
284 284 .TP
285 285 .ie t \(bu
286 286 .el o
287 287 Exactly one \fBdefault other\fR entry.
288 288 .RE
289 289 There can be additional \fBdefault user\fR entries and additional \fBdefault
290 290 group\fR entries specified, but there can not be duplicate additional
291 291 \fBdefault user\fR entries with the same \fIuid\fR, or duplicate \fBdefault
292 292 group\fR entries with the same \fIgid\fR.
293 293 .RE
294 294
295 295 .SH EXAMPLES
296 -.LP
297 296 \fBExample 1 \fRAdding read permission only
298 297 .sp
299 298 .LP
300 299 The following example adds one \fBACL\fR entry to file \fBabc\fR, which gives
301 300 user \fBshea\fR read permission only.
302 301
303 302 .sp
304 303 .in +2
305 304 .nf
306 305 \fBsetfacl -m user:shea:r\(mi\(mi abc\fR
307 306 .fi
308 307 .in -2
309 308 .sp
310 309
311 310 .LP
312 311 \fBExample 2 \fRReplacing a file's entire \fBACL\fR
313 312 .sp
314 313 .LP
315 314 The following example replaces the entire \fBACL\fR for the file \fBabc\fR,
316 315 which gives \fBshea\fR read access, the file owner all access, the file group
317 316 owner read access only, the \fBACL\fR mask read access only, and others no
318 317 access.
319 318
320 319 .sp
321 320 .in +2
322 321 .nf
323 322 \fBsetfacl -s user:shea:rwx,user::rwx,group::rw-,mask:r--,other:--- abc\fR
324 323 .fi
325 324 .in -2
326 325 .sp
327 326
328 327 .sp
329 328 .LP
330 329 Notice that after this command, the file permission bits are \fBrwxr-----\fR.
331 330 Even though the file group owner was set with read/write permissions, the
332 331 \fBACL\fR mask entry limits it to have only read permission. The mask entry
333 332 also specifies the maximum permissions available to all additional user and
334 333 group \fBACL\fR entries. Once again, even though the user \fBshea\fR was set
335 334 with all access, the mask limits it to have only read permission. The \fBACL\fR
336 335 mask entry is a quick way to limit or open access to all the user and group
337 336 entries in an \fBACL\fR. For example, by changing the mask entry to read/write,
338 337 both the file group owner and user \fBshea\fR would be given read/write access.
339 338
340 339 .LP
341 340 \fBExample 3 \fRSetting the same \fBACL\fR on two files
342 341 .sp
343 342 .LP
344 343 The following example sets the same \fBACL\fR on file \fBabc\fR as the file
345 344 \fBxyz\fR.
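Review bot: the two statements about what \fB-d\fR cannot delete disagree and this change leaves both as they were: new lines 150-151 say "file owner, file group owner, \fBACL\fR mask, and others can not be deleted", but the \fB-d\fR option text at new lines 160-161 lists only "the file owner, the file group owner, and others". One of them is wrong about the mask entry; check setfacl(1)'s actual behaviour and make the OPTIONS text match the acl_entries section. Separately, the replaced table rows at new lines 119-124 and 133-138 read identically to the removed ones, so this appears to be a whitespace-only (tbl column separator) change; render the page once to confirm the columns still line up, and say "whitespace only" in the commit message so the next reader does not hunt for a content difference.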
346 345
347 346 .sp
348 347 .in +2
349 348 .nf
350 349 \fBgetfacl xyz | setfacl -f \(mi abc\fR
351 350 .fi
352 351 .in -2
353 352 .sp
354 353
355 354 .SH FILES
356 -.sp
357 355 .ne 2
358 356 .na
359 357 \fB\fB/etc/passwd\fR\fR
360 358 .ad
361 359 .RS 15n
362 360 password file
363 361 .RE
364 362
365 363 .sp
366 364 .ne 2
367 365 .na
368 366 \fB\fB/etc/group\fR\fR
369 367 .ad
370 368 .RS 15n
371 369 group file
372 370 .RE
373 371
374 372 .SH SEE ALSO
375 -.sp
376 -.LP
377 373 \fBchmod\fR(1), \fBgetfacl\fR(1), \fBumask\fR(1), \fBaclcheck\fR(3SEC),
378 -\fBaclsort\fR(3SEC), \fBgroup\fR(4), \fBpasswd\fR(4), \fBattributes\fR(5)
374 +\fBaclsort\fR(3SEC), \fBgroup\fR(4), \fBpasswd\fR(4), \fBacl\fR(5),
375 +\fBattributes\fR(5)