NFS4_SETFACL(1)            NFSv4 Access Control Lists            NFS4_SETFACL(1)

NAME
       nfs4_setfacl, nfs4_editfacl - manipulate NFSv4 file/directory access
       control lists

SYNOPSIS
       nfs4_setfacl [OPTIONS] COMMAND file...
       nfs4_editfacl [OPTIONS] file...

DESCRIPTION
       nfs4_setfacl manipulates the NFSv4 Access Control List (ACL) of one or
       more files (or directories), provided they are on a mounted NFSv4
       filesystem which supports ACLs.

       nfs4_editfacl is equivalent to nfs4_setfacl -e.

       Refer to the nfs4_acl(5) manpage for information about NFSv4 ACL
       terminology and syntax.

   COMMANDS
       -a acl_spec [index]
              add the ACEs from acl_spec to file's ACL. ACEs are inserted
              starting at the indexth position (DEFAULT: 1) of file's ACL.

       -A acl_file [index]
              add the ACEs from the acl_spec in acl_file to file's ACL. ACEs
              are inserted starting at the indexth position (DEFAULT: 1) of
              file's ACL.

       -x acl_spec | index
              delete ACEs matched from acl_spec - or delete the indexth ACE -
              from file's ACL. Note that the ordering of the ACEs in acl_spec
              does not matter.

       -X acl_file
              delete ACEs matched from the acl_spec in acl_file from file's
              ACL. Note that the ordering of the ACEs in the acl_spec does
              not matter.

       -s acl_spec
              set file's ACL to acl_spec.

       -S acl_file
              set file's ACL to the acl_spec in acl_file.

       -e, --edit
              edit file's ACL in the editor defined in the EDITOR environment
              variable (DEFAULT: vi(1)) and set the resulting ACL upon a clean
              exit, assuming changes made in the editor were saved. Note that
              if multiple files are specified, the editor will be serially
              invoked once per file.

       -m from_ace to_ace
              modify file's ACL in-place by replacing from_ace with to_ace.

       -?, -h, --help
              display help text and exit.

       --version
              display this program's version and exit.

       NOTE: if '-' is given as the acl_file with the -A/-X/-S flags, the
       acl_spec will be read from stdin.

   OPTIONS
       -R, --recursive
              recursively apply to a directory's files and subdirectories.
              Similar to setfacl(1), the default behavior is to follow
              symlinks given on the command line and to skip symlinks
              encountered while recursing through directories.

       -L, --logical
              in conjunction with -R/--recursive, a logical walk follows all
              symbolic links.

       -P, --physical
              in conjunction with -R/--recursive, a physical walk skips all
              symbolic links.

       --test
              display results of COMMAND, but do not save changes.

PERMISSIONS ALIASES
       With nfs4_setfacl, one can use simple abbreviations ("aliases") to
       express generic "read" (R), generic "write" (W), and generic "execute"
       (X) permissions, familiar from the POSIX mode bits used by, e.g.,
       chmod(1). To use these aliases, one can put them in the permissions
       field of an NFSv4 ACE and nfs4_setfacl will convert them: an R is
       expanded to rntcy, a W is expanded to watTNcCy (with D added to
       directory ACEs), and an X is expanded to xtcy. Please refer to the
       nfs4_acl(5) manpage for information on specific NFSv4 ACE permissions.

       For example, if one wanted to grant generic "read" and "write" access
       on a file, the NFSv4 permissions field would normally contain something
       like rwatTnNcCy. Instead, one might use aliases to accomplish the same
       goal with RW.

       The two permissions not included in any of the aliases are d (delete)
       and o (write-owner). However, they can still be used: e.g., a
       permissions field consisting of Wdo expresses generic "write" access as
       well as the ability to delete and change ownership.

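Added example (not part of the original manpage or of nfs4-acl-tools): a Python pre-check that expands the R/W/X aliases as described above and flags allow ACEs that end up granting d, o or C to a principal other than OWNER@, for reviewing an acl_spec before it is applied with -S. The display order of the permission letters, the `#` comment handling and the choice of sensitive letters are assumptions of this example; C is the write-ACL permission documented in nfs4_acl(5).

```python
import re

# Alias expansions as stated in the PERMISSIONS ALIASES text above.
ALIASES = {"R": "rntcy", "W": "watTNcCy", "X": "xtcy"}
# Assumption: display order chosen to match the strings shown on this page.
ORDER = "rwaxdDtTnNcCoy"
# Assumption: letters this check flags (delete, write-owner, write-ACL).
SENSITIVE = "doC"

def expand_perms(perms, is_directory=False):
    """Expand R/W/X aliases into individual NFSv4 permission letters."""
    granted = set()
    for ch in perms:
        if ch in ALIASES:
            granted.update(ALIASES[ch])
            if ch == "W" and is_directory:
                granted.add("D")  # W gains D on directory ACEs
        elif ch in ORDER:
            granted.add(ch)
        else:
            raise ValueError(f"unknown permission letter: {ch!r}")
    return "".join(c for c in ORDER if c in granted)

def expand_ace(ace, is_directory=False):
    """Expand the permissions field of one type:flags:principal:perms ACE."""
    fields = ace.split(":")
    if len(fields) != 4:
        raise ValueError(f"malformed ACE (expected 4 fields): {ace!r}")
    fields[3] = expand_perms(fields[3], is_directory)
    return ":".join(fields)

def review_spec(spec_text, is_directory=False):
    """Return (expanded ACEs, findings) for an acl_spec; '#' starts a comment."""
    expanded, findings = [], []
    for line in spec_text.splitlines():
        for ace in filter(None, re.split(r"[,\s]+", line.split("#", 1)[0])):
            full = expand_ace(ace, is_directory)
            expanded.append(full)
            ace_type, _, principal, perms = full.split(":")
            risky = "".join(p for p in perms if p in SENSITIVE)
            if ace_type == "A" and principal != "OWNER@" and risky:
                findings.append((principal, risky))
    return expanded, findings

# Constructed sample acl_spec, e.g. the contents of a newacl.txt.
SAMPLE = "A::OWNER@:RWX\nA:g:GROUP@:RX\nA::EVERYONE@:RW  # looks harmless\n"

if __name__ == "__main__":
    aces, findings = review_spec(SAMPLE)
    print("\n".join(aces), findings, sep="\n")
```

On the constructed sample, `A::EVERYONE@:RW` expands to include C, which is easy to miss when reading the alias form.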
EXAMPLES
       Assume that the file `foo' has the following NFSv4 ACL for the
       following examples:

              A::OWNER@:rwatTnNcCy
              D::OWNER@:x
              A:g:GROUP@:rtncy
              D:g:GROUP@:waxTC
              A::EVERYONE@:rtncy
              D::EVERYONE@:waxTC

       - add ACE granting `alice@nfsdomain.org' generic "read" and "execute"
         access (defaults to prepending ACE to ACL):
              $ nfs4_setfacl -a A::alice@nfsdomain.org:rxtncy foo

       - add the same ACE as above, but using aliases:
              $ nfs4_setfacl -a A::alice@nfsdomain.org:RX foo

       - edit existing ACL in a text editor and set modified ACL on clean
         save/exit:
              $ nfs4_setfacl -e foo

       - set ACL (overwrites original) to contents of a spec_file named
         `newacl.txt':
              $ nfs4_setfacl -S newacl.txt foo

       - recursively set the ACLs of all files and subdirectories in the
         current directory, skipping all symlinks encountered, to the ACL
         contained in the spec_file named `newacl.txt':
              $ nfs4_setfacl -R -P -S newacl.txt *

       - delete the first ACE, but only print the resulting ACL (does not save
         changes):
              $ nfs4_setfacl --test -x 1 foo

       - delete the last two ACEs above:
              $ nfs4_setfacl -x A::EVERYONE@:rtncy,D::EVERYONE@:waxTC foo

       - modify (in-place) the second ACE above:
              $ nfs4_setfacl -m D::OWNER@:x D::OWNER@:xo foo

       - set ACLs of `bar' and `frobaz' to ACL of `foo':
              $ nfs4_getfacl foo | nfs4_setfacl -S - bar frobaz

AUTHORS
       nfs4_setfacl was written by people at CITI, the Center for Information
       Technology Integration (http://www.citi.umich.edu). This manpage was
       written by David Richter.

CONTACT
       Please send bug reports, feature requests, and comments to
       <nfsv4@linux-nfs.org>.

SEE ALSO
       nfs4_getfacl(1), nfs4_acl(5), RFC3530 (NFSv4.0), NFSv4.1 Minor Version
       Draft.

Linux                      version 0.3.4, August 2018            NFS4_SETFACL(1)