NFS4_SETFACL(1)            NFSv4 Access Control Lists            NFS4_SETFACL(1)

NAME
       nfs4_setfacl, nfs4_editfacl - manipulate NFSv4 file/directory access
       control lists

SYNOPSIS
       nfs4_setfacl [OPTIONS] COMMAND file...
       nfs4_editfacl [OPTIONS] file...

DESCRIPTION
       nfs4_setfacl manipulates the NFSv4 Access Control List (ACL) of one or
       more files (or directories), provided they are on a mounted NFSv4
       filesystem which supports ACLs.

       nfs4_editfacl is equivalent to nfs4_setfacl -e.

       Refer to the nfs4_acl(5) manpage for information about NFSv4 ACL
       terminology and syntax.

COMMANDS
       -a acl_spec
              add the ACEs from acl_spec to file's ACL. ACEs are inserted
              starting at the default position 1 of file's ACL.

       -A acl_file
              add the ACEs from the acl_spec in acl_file to file's ACL. ACEs
              are inserted starting at the default position 1 of file's ACL.

       -x acl_spec
              delete ACEs matched from acl_spec from file's ACL. Note that
              the ordering of the ACEs in acl_spec does not matter.

       -X acl_file
              delete ACEs matched from the acl_spec in acl_file from file's
              ACL. Note that the ordering of the ACEs in the acl_spec does
              not matter.

       -i index
              ACEs are inserted or deleted starting at the indexth position
              (DEFAULT: 1) of file's ACL. It can be used only with the add or
              delete action.

       -s acl_spec
              set file's ACL to acl_spec.

       -S acl_file
              set file's ACL to the acl_spec in acl_file.

       -e, --edit
              edit file's ACL in the editor defined in the EDITOR environment
              variable (DEFAULT: vi(1)) and set the resulting ACL upon a clean
              exit, assuming changes made in the editor were saved. Note that
              if multiple files are specified, the editor will be serially
              invoked once per file.

       -m from_ace to_ace
              modify file's ACL in-place by replacing from_ace with to_ace.

       -?, -h, --help
              display help text and exit.

       --version
              display this program's version and exit.

       NOTE: if '-' is given as the acl_file with the -A/-X/-S flags, the
       acl_spec will be read from stdin.

OPTIONS
       -R, --recursive
              recursively apply to a directory's files and subdirectories.
              Similar to setfacl(1), the default behavior is to follow
              symlinks given on the command line and to skip symlinks
              encountered while recursing through directories.

       -L, --logical
              in conjunction with -R/--recursive, a logical walk follows all
              symbolic links.

       -P, --physical
              in conjunction with -R/--recursive, a physical walk skips all
              symbolic links.

       --dacl
              acts on the dacl only. This functionality is only available if
              the server supports NFSv4 minor version 1 or newer.

       --sacl
              acts on the sacl only. This functionality is only available if
              the server supports NFSv4 minor version 1 or newer.

       --test
              display results of COMMAND, but do not save changes.

PERMISSIONS ALIASES
       With nfs4_setfacl, one can use simple abbreviations ("aliases") to
       express generic "read" (R), generic "write" (W), and generic "execute"
       (X) permissions, familiar from the POSIX mode bits used by, e.g.,
       chmod(1). To use these aliases, one can put them in the permissions
       field of an NFSv4 ACE and nfs4_setfacl will convert them: an R is
       expanded to rntcy, a W is expanded to watTNcCy (with D added to
       directory ACEs), and an X is expanded to xtcy. Please refer to the
       nfs4_acl(5) manpage for information on specific NFSv4 ACE permissions.

       For example, if one wanted to grant generic "read" and "write" access
       on a file, the NFSv4 permissions field would normally contain something
       like rwatTnNcCy. Instead, one might use aliases to accomplish the same
       goal with RW.

       The two permissions not included in any of the aliases are d (delete)
       and o (write-owner). However, they can still be used: e.g., a
       permissions field consisting of Wdo expresses generic "write" access as
       well as the ability to delete and change ownership.
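
       The alias expansion described above, as an added example (not part of
       this manpage or of nfs4-acl-tools): POSIX sh functions that expand
       R/W/X in a permissions field and list ALLOW ACEs whose expanded
       permissions include C (write ACL, per nfs4_acl(5)) or o (write-owner).
       The function names, the sample ACL layout and bob@nfsdomain.org are
       constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of nfs4-acl-tools. Function names are hypothetical.

# expand_perms PERMS [file|dir]: expand the R/W/X aliases as the manpage
# describes and print the resulting letters, each once, in first-seen order.
expand_perms() (
    perms=$1 kind=${2:-file} out=
    while [ -n "$perms" ]; do
        c=${perms%"${perms#?}"}; perms=${perms#?}   # take first character
        case $c in
            R) add=rntcy ;;
            W) add=watTNcCy
               if [ "$kind" = dir ]; then add=${add}D; fi ;;
            X) add=xtcy ;;
            *) add=$c ;;                             # plain letters, e.g. d, o
        esac
        while [ -n "$add" ]; do
            a=${add%"${add#?}"}; add=${add#?}
            case $out in *"$a"*) ;; *) out=$out$a ;; esac
        done
    done
    printf '%s\n' "$out"
)

# audit_acl [file|dir]: read ACEs (type:flags:principal:perms) on stdin and
# print each ALLOW ACE whose expanded permissions contain C or o.
audit_acl() (
    kind=${1:-file}
    while IFS=: read -r type flags who perms; do
        [ "$type" = A ] || continue
        full=$(expand_perms "$perms" "$kind")
        case $full in *[Co]*) printf '%s %s\n' "$who" "$full" ;; esac
    done
)

# Constructed sample: the manpage's ACL for foo with two alias ACEs prepended.
sample_acl() {
    cat <<'EOF'
A::alice@nfsdomain.org:RX
A::bob@nfsdomain.org:RW
A::OWNER@:rwatTnNcCy
D::OWNER@:x
A:g:GROUP@:rtncy
D:g:GROUP@:waxTC
A::EVERYONE@:rtncy
D::EVERYONE@:waxTC
EOF
}

sample_acl | audit_acl file
```

       Because W expands to a set that contains C, the ACE written as RW is
       reported even though no C appears in the spec as typed; the RX ACE is
       not.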

EXAMPLES
       Assume that the file `foo' has the following NFSv4 ACL for the
       following examples:

              A::OWNER@:rwatTnNcCy
              D::OWNER@:x
              A:g:GROUP@:rtncy
              D:g:GROUP@:waxTC
              A::EVERYONE@:rtncy
              D::EVERYONE@:waxTC

       - add ACE granting `alice@nfsdomain.org' generic "read" and "execute"
         access (defaults to prepending ACE to ACL):
              $ nfs4_setfacl -a A::alice@nfsdomain.org:rxtncy foo

       - add the same ACE as above, but using aliases:
              $ nfs4_setfacl -a A::alice@nfsdomain.org:RX foo

       - add the same ACE as above, at index 2:
              $ nfs4_setfacl -i 2 -a A::alice@nfsdomain.org:RX foo

       - edit existing ACL in a text editor and set modified ACL on clean
         save/exit:
              $ nfs4_setfacl -e foo

       - set ACL (overwrites original) to contents of a spec_file named
         `newacl.txt':
              $ nfs4_setfacl -S newacl.txt foo

       - recursively set the ACLs of all files and subdirectories in the
         current directory, skipping all symlinks encountered, to the ACL
         contained in the spec_file named `newacl.txt':
              $ nfs4_setfacl -R -P -S newacl.txt *

       - delete the first ACE, but only print the resulting ACL (does not save
         changes):
              $ nfs4_setfacl --test -x 1 foo

       - delete the last two ACEs above:
              $ nfs4_setfacl -x A::EVERYONE@:rtncy,D::EVERYONE@:waxTC foo

       - modify (in-place) the second ACE above:
              $ nfs4_setfacl -m D::OWNER@:x D::OWNER@:xo foo

       - set ACLs of `bar' and `frobaz' to ACL of `foo':
              $ nfs4_getfacl foo | nfs4_setfacl -S - bar frobaz

AUTHORS
       nfs4_setfacl was written by people at CITI, the Center for Information
       Technology Integration (http://www.citi.umich.edu). This manpage was
       written by David Richter.

CONTACT
       Please send bug reports, feature requests, and comments to
       <nfsv4@linux-nfs.org>.

SEE ALSO
       nfs4_getfacl(1), nfs4_acl(5), RFC3530 (NFSv4.0), NFSv4.1 Minor Version
       Draft.

Linux                   version 0.3.4, August 2018                   NFS4_SETFACL(1)