setfacl(1) User Commands setfacl(1)NAMEsetfacl - modify the Access Control List (ACL) for a file or files
SYNOPSISsetfacl [-r] -s acl_entries file
setfacl [-r] -md acl_entries file
setfacl [-r] -f acl_file file
DESCRIPTION
For each file specified, setfacl either replaces its entire ACL,
including the default ACL on a directory, or it adds, modifies, or
deletes one or more ACL entries, including default entries on directo‐
ries.
When the setfacl command is used, it can result in changes to the file
permission bits. When the user ACL entry for the file owner is changed,
the file owner class permission bits are modified. When the group ACL
entry for the file group class is changed, the file group class permis‐
sion bits are modified. When the other ACL entry is changed, the file
other class permission bits are modified.
If you use the chmod(1) command to change the file group owner permis‐
sions on a file with ACL entries, both the file group owner permissions
and the ACL mask are changed to the new permissions. Be aware that the
new ACL mask permissions can change the effective permissions for addi‐
tional users and groups who have ACL entries on the file.
A directory can contain default ACL entries. If a file or directory is
created in a directory that contains default ACL entries, the newly
created file has permissions generated according to the intersection of
the default ACL entries and the permissions requested at creation time.
The umask(1) are not applied if the directory contains default ACL
entries. If a default ACL is specified for a specific user (or users),
the file has a regular ACL created. Otherwise, only the mode bits are
initialized according to the intersection described above. The default
ACL should be thought of as the maximum discretionary access permis‐
sions that can be granted.
Use the setfacl command to set ACLs on files in a UFS file system,
which supports POSIX-draft ACLS (or aclent_t style ACLs). Use the chmod
command to set ACLs on files in a ZFS file system, which supports
NFSv4-style ACLS (or ace_t style ACLs).
acl_entries Syntax
For the -m and -s options, acl_entries are one or more comma-separated
ACL entries.
An ACL entry consists of the following fields separated by colons:
entry_type Type of ACL entry on which to set file permissions. For
example, entry_type can be user (the owner of a file) or
mask (the ACL mask).
uid or gid User name or user identification number. Or, group name
or group identification number.
perms Represents the permissions that are set on entry_type.
perms can be indicated by the symbolic characters rwx or
a number (the same permissions numbers used with the
chmod command).
The following table shows the valid ACL entries (default entries can
only be specified for directories):
ACL Entry Description
────────────────────────────────────────────────────────────────────
u[ser]::perms File owner permissions.
g[roup]::perms File group owner permissions.
o[ther]:perms Permissions for users other than the
file owner or members of file group
owner.
m[ask]:perms The ACL mask. The mask entry indi‐
cates the maximum permissions allowed
for users (other than the owner) and
for groups. The mask is a quick way
to change permissions on all the
users and groups.
u[ser]:uid:perms Permissions for a specific user. For
uid, you can specify either a user
name or a numeric UID.
g[roup]:gid:perms Permissions for a specific group. For
gid, you can specify either a group
name or a numeric GID.
d[efault]:u[ser]::perms Default file owner permissions.
d[efault]:g[roup]::perms Default file group owner permissions.
d[efault]:o[ther]:perms Default permissions for users other
than the file owner or members of the
file group owner.
d[efault]:m[ask]:perms Default ACL mask.
d[efault]:u[ser]:uid:perms Default permissions for a specific
user. For uid, you can specify either
a user name or a numeric UID.
d[efault]:g[roup]:gid:perms Default permissions for a specific
group. For gid, you can specify
either a group name or a numeric GID.
For the -d option, acl_entries are one or more comma-separated ACL
entries without permissions. Notice that the entries for file owner,
file group owner, ACL mask, and others can not be deleted.
OPTIONS
The options have the following meaning:
-d acl_entries Deletes one or more entries from the file. The
entries for the file owner, the file group owner, and
others can not be deleted from the ACL. Notice that
deleting an entry does not necessarily have the same
effect as removing all permissions from the entry.
-f acl_file Sets a file's ACL with the ACL entries contained in
the file named acl_file. The same constraints on
specified entries hold as with the -s option. The
entries are not required to be in any specific order
in the file. Also, if you specify a dash (-) for
acl_file, standard input is used to set the file's
ACL.
The character # in acl_file can be used to indicate a
comment. All characters, starting with the # until
the end of the line, are ignored. Notice that if the
acl_file has been created as the output of the get‐
facl(1) command, any effective permissions, which
follow a #, are ignored.
-m acl_entries Adds one or more new ACL entries to the file, and/or
modifies one or more existing ACL entries on the
file. If an entry already exists for a specified uid
or gid, the specified permissions replace the current
permissions. If an entry does not exist for the spec‐
ified uid or gid, an entry is created. When using the
-m option to modify a default ACL, you must specify a
complete default ACL (user, group, other, mask, and
any additional entries) the first time.
-r Recalculates the permissions for the ACL mask entry.
The permissions specified in the ACL mask entry are
ignored and replaced by the maximum permissions nec‐
essary to grant the access to all additional user,
file group owner, and additional group entries in the
ACL. The permissions in the additional user, file
group owner, and additional group entries are left
unchanged.
-s acl_entries Sets a file's ACL. All old ACL entries are removed
and replaced with the newly specified ACL. The
entries need not be in any specific order. They are
sorted by the command before being applied to the
file.
Required entries:
o Exactly one user entry specified for the
file owner.
o Exactly one group entry for the file group
owner.
o Exactly one other entry specified.
If there are additional user and group entries:
o Exactly one mask entry specified for the
ACL mask that indicates the maximum per‐
missions allowed for users (other than the
owner) and groups.
o Must not be duplicate user entries with
the same uid.
o Must not be duplicate group entries with
the same gid.
If file is a directory, the following default ACL
entries can be specified:
o Exactly one default user entry for the
file owner.
o Exactly one default group entry for the
file group owner.
o Exactly one default mask entry for the ACL
mask.
o Exactly one default other entry.
There can be additional default user entries and
additional default group entries specified, but there
can not be duplicate additional default user entries
with the same uid, or duplicate default group entries
with the same gid.
EXAMPLES
Example 1 Adding read permission only
The following example adds one ACL entry to file abc, which gives user
shea read permission only.
setfacl-m user:shea:r−− abc
Example 2 Replacing a file's entire ACL
The following example replaces the entire ACL for the file abc, which
gives shea read access, the file owner all access, the file group owner
read access only, the ACL mask read access only, and others no access.
setfacl-s user:shea:rwx,user::rwx,group::rw-,mask:r--,other:--- abc
Notice that after this command, the file permission bits are rwxr-----.
Even though the file group owner was set with read/write permissions,
the ACL mask entry limits it to have only read permission. The mask
entry also specifies the maximum permissions available to all addi‐
tional user and group ACL entries. Once again, even though the user
shea was set with all access, the mask limits it to have only read per‐
mission. The ACL mask entry is a quick way to limit or open access to
all the user and group entries in an ACL. For example, by changing the
mask entry to read/write, both the file group owner and user shea would
be given read/write access.
Example 3 Setting the same ACL on two files
The following example sets the same ACL on file abc as the file xyz.
getfacl xyz | setfacl-f − abc
FILES
/etc/passwd password file
/etc/group group file
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├─────────────────────────────┼─────────────────────────────┤
│Availability │SUNWcsu │
└─────────────────────────────┴─────────────────────────────┘
SEE ALSOchmod(1), getfacl(1), umask(1), aclcheck(3SEC), aclsort(3SEC),
group(4), passwd(4), attributes(5)SunOS 5.10 19 Dec 2006 setfacl(1)