setfacl(1)                       User Commands                      setfacl(1)

NAME
setfacl - modify the Access Control List (ACL) for a file or files

SYNOPSIS
setfacl [-r] -s acl_entries file

setfacl [-r] -md acl_entries file

setfacl [-r] -f acl_file file
DESCRIPTION
For each file specified, setfacl either replaces its entire ACL,
including the default ACL on a directory, or it adds, modifies, or
deletes one or more ACL entries, including default entries on
directories.

When the setfacl command is used, it can result in changes to the file
permission bits. When the user ACL entry for the file owner is changed,
the file owner class permission bits are modified. When the group ACL
entry for the file group class is changed, the file group class
permission bits are modified. When the other ACL entry is changed, the
file other class permission bits are modified.

If you use the chmod(1) command to change the file group owner
permissions on a file with ACL entries, both the file group owner
permissions and the ACL mask are changed to the new permissions. Be
aware that the new ACL mask permissions can change the effective
permissions for additional users and groups who have ACL entries on the
file.

A directory can contain default ACL entries. If a file or directory is
created in a directory that contains default ACL entries, the newly
created file has permissions generated according to the intersection of
the default ACL entries and the permissions requested at creation time.
The umask(1) is not applied if the directory contains default ACL
entries. If a default ACL is specified for a specific user (or users),
the file has a regular ACL created. Otherwise, only the mode bits are
initialized according to the intersection described above. The default
ACL should be thought of as the maximum discretionary access
permissions that can be granted.

Use the setfacl command to set ACLs on files in a UFS file system,
which supports POSIX-draft ACLs (or aclent_t style ACLs). Use the chmod
command to set ACLs on files in a ZFS file system, which supports
NFSv4-style ACLs (or ace_t style ACLs).

acl_entries Syntax
For the -m and -s options, acl_entries are one or more comma-separated
ACL entries.

An ACL entry consists of the following fields separated by colons:

entry_type   Type of ACL entry on which to set file permissions. For
             example, entry_type can be user (the owner of a file) or
             mask (the ACL mask).

uid or gid   User name or user identification number. Or, group name
             or group identification number.

perms        Represents the permissions that are set on entry_type.
             perms can be indicated by the symbolic characters rwx or
             a number (the same permissions numbers used with the
             chmod command).

The following table shows the valid ACL entries (default entries can
only be specified for directories):

ACL Entry                     Description
──────────────────────────────────────────────────────────────────────
u[ser]::perms                 File owner permissions.
g[roup]::perms                File group owner permissions.
o[ther]:perms                 Permissions for users other than the file
                              owner or members of the file group owner.
m[ask]:perms                  The ACL mask. The mask entry indicates the
                              maximum permissions allowed for users
                              (other than the owner) and for groups. The
                              mask is a quick way to change permissions
                              on all the users and groups.
u[ser]:uid:perms              Permissions for a specific user. For uid,
                              you can specify either a user name or a
                              numeric UID.
g[roup]:gid:perms             Permissions for a specific group. For gid,
                              you can specify either a group name or a
                              numeric GID.
d[efault]:u[ser]::perms       Default file owner permissions.
d[efault]:g[roup]::perms      Default file group owner permissions.
d[efault]:o[ther]:perms       Default permissions for users other than
                              the file owner or members of the file
                              group owner.
d[efault]:m[ask]:perms        Default ACL mask.
d[efault]:u[ser]:uid:perms    Default permissions for a specific user.
                              For uid, you can specify either a user
                              name or a numeric UID.
d[efault]:g[roup]:gid:perms   Default permissions for a specific group.
                              For gid, you can specify either a group
                              name or a numeric GID.

For the -d option, acl_entries are one or more comma-separated ACL
entries without permissions. Notice that the entries for file owner,
file group owner, ACL mask, and others can not be deleted.

OPTIONS
The options have the following meaning:

-d acl_entries   Deletes one or more entries from the file. The
                 entries for the file owner, the file group owner, and
                 others can not be deleted from the ACL. Notice that
                 deleting an entry does not necessarily have the same
                 effect as removing all permissions from the entry.

-f acl_file      Sets a file's ACL with the ACL entries contained in
                 the file named acl_file. The same constraints on
                 specified entries hold as with the -s option. The
                 entries are not required to be in any specific order
                 in the file. Also, if you specify a dash (-) for
                 acl_file, standard input is used to set the file's
                 ACL.

                 The character # in acl_file can be used to indicate a
                 comment. All characters, starting with the # until
                 the end of the line, are ignored. Notice that if the
                 acl_file has been created as the output of the
                 getfacl(1) command, any effective permissions, which
                 follow a #, are ignored.

-m acl_entries   Adds one or more new ACL entries to the file, and/or
                 modifies one or more existing ACL entries on the
                 file. If an entry already exists for a specified uid
                 or gid, the specified permissions replace the current
                 permissions. If an entry does not exist for the
                 specified uid or gid, an entry is created. When using
                 the -m option to modify a default ACL, you must
                 specify a complete default ACL (user, group, other,
                 mask, and any additional entries) the first time.

-r               Recalculates the permissions for the ACL mask entry.
                 The permissions specified in the ACL mask entry are
                 ignored and replaced by the maximum permissions
                 necessary to grant the access to all additional user,
                 file group owner, and additional group entries in the
                 ACL. The permissions in the additional user, file
                 group owner, and additional group entries are left
                 unchanged.

-s acl_entries   Sets a file's ACL. All old ACL entries are removed
                 and replaced with the newly specified ACL. The
                 entries need not be in any specific order. They are
                 sorted by the command before being applied to the
                 file.

                 Required entries:

                 o  Exactly one user entry specified for the
                    file owner.

                 o  Exactly one group entry for the file group
                    owner.

                 o  Exactly one other entry specified.

                 If there are additional user and group entries:

                 o  Exactly one mask entry specified for the
                    ACL mask that indicates the maximum
                    permissions allowed for users (other than the
                    owner) and groups.

                 o  There must not be duplicate user entries with
                    the same uid.

                 o  There must not be duplicate group entries with
                    the same gid.

                 If file is a directory, the following default ACL
                 entries can be specified:

                 o  Exactly one default user entry for the
                    file owner.

                 o  Exactly one default group entry for the
                    file group owner.

                 o  Exactly one default mask entry for the ACL
                    mask.

                 o  Exactly one default other entry.

                 There can be additional default user entries and
                 additional default group entries specified, but there
                 can not be duplicate additional default user entries
                 with the same uid, or duplicate default group entries
                 with the same gid.

EXAMPLES
Example 1 Adding read permission only

The following example adds one ACL entry to file abc, which gives user
shea read permission only.

setfacl -m user:shea:r-- abc

Example 2 Replacing a file's entire ACL

The following example replaces the entire ACL for the file abc, which
gives shea read access, the file owner all access, the file group owner
read access only, the ACL mask read access only, and others no access.

setfacl -s user:shea:rwx,user::rwx,group::rw-,mask:r--,other:--- abc

Notice that after this command, the file permission bits are rwxr-----.
Even though the file group owner was set with read/write permissions,
the ACL mask entry limits it to have only read permission. The mask
entry also specifies the maximum permissions available to all
additional user and group ACL entries. Once again, even though the user
shea was set with all access, the mask limits it to have only read
permission. The ACL mask entry is a quick way to limit or open access
to all the user and group entries in an ACL. For example, by changing
the mask entry to read/write, both the file group owner and user shea
would be given read/write access.
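The following Python is an added example, not part of this man page or of the Solaris setfacl tool. It parses the acl_entries syntax defined above, checks a -s specification against the required-entry rules listed under OPTIONS, and computes the effective permissions and resulting file permission bits that the discussion of Example 2 describes. The function names are this example's own; it assumes that an ACL with no mask entry limits nothing (no additional entries exist in that case).

```python
import re
from collections import Counter
TYPES = {"u": "user", "g": "group", "o": "other", "m": "mask"}

def parse_perms(p):
    """Accept rwx symbols or one octal digit (as chmod does); return rwx symbols."""
    if re.fullmatch(r"[0-7]", p):
        return "".join(c if int(p) & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))
    if not re.fullmatch(r"[r-][w-][x-]", p):
        raise ValueError(f"bad perms {p!r}")
    return p

def parse_entry(entry):
    """Return (is_default, kind, qualifier, perms) for one colon-separated entry."""
    f = entry.split(":")
    default = f[0] in ("d", "default")          # d[efault]: prefix adds one field
    f = f[1:] if default else f
    kind = TYPES.get(f[0], f[0]) if f else ""    # u[ser], g[roup], o[ther], m[ask]
    if kind not in TYPES.values():
        raise ValueError(f"bad entry type in {entry!r}")
    want = 3 if kind in ("user", "group") else 2  # user/group entries carry a uid/gid field
    if len(f) != want:
        raise ValueError(f"wrong field count in {entry!r}")
    return default, kind, f[1] if want == 3 else "", parse_perms(f[-1])

def validate_set(spec):
    """Check a setfacl -s spec against the required-entry rules; return its entries."""
    entries = [parse_entry(e) for e in spec.split(",")]
    counts = Counter((k, q) for d, k, q, _ in entries if not d)  # non-default entries only
    for kind in ("user", "group", "other"):
        if counts[(kind, "")] != 1:
            raise ValueError(f"exactly one {kind} entry required")
    if any(q for _, q in counts) and counts[("mask", "")] != 1:
        raise ValueError("exactly one mask entry required with additional entries")
    if dups := [kq for kq, n in counts.items() if n > 1]:
        raise ValueError(f"duplicate entries: {dups}")
    return entries

def effective(entries):
    """Effective perms: the mask limits named users, the file group owner and named groups."""
    perms = {(k, q): p for d, k, q, p in entries if not d}
    mask = perms.get(("mask", ""), "rwx")        # assumption: no mask means no limiting
    limit = lambda p: "".join(c if m != "-" else "-" for c, m in zip(p, mask))
    return {kq: limit(p) if kq[0] == "group" or (kq[0] == "user" and kq[1]) else p
            for kq, p in perms.items()}

def mode_bits(entries):
    """Resulting file permission bits: owner, then mask (group if no mask), then other."""
    perms = {(k, q): p for d, k, q, p in entries if not d}
    return perms[("user", "")] + perms.get(("mask", ""), perms[("group", "")]) + perms[("other", "")]
```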

Example 3 Setting the same ACL on two files

The following example sets the same ACL on file abc as the file xyz.

getfacl xyz | setfacl -f - abc

FILES
/etc/passwd   password file

/etc/group    group file

ATTRIBUTES
See attributes(5) for descriptions of the following attributes:

┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE              │ ATTRIBUTE VALUE             │
├─────────────────────────────┼─────────────────────────────┤
│Availability                 │SUNWcsu                      │
└─────────────────────────────┴─────────────────────────────┘

SEE ALSO
chmod(1), getfacl(1), umask(1), aclcheck(3SEC), aclsort(3SEC),
group(4), passwd(4), attributes(5)

SunOS 5.11                       19 Dec 2006                        setfacl(1)