The
utility sets discretionary access control information on
the specified file(s).
If no files are specified, or the list consists of the only
`-
'
the file names are taken from the standard input.
The following options are available:
-b
Remove all ACL entries except for the three required entries.
If the ACL contains a
``mask
''
entry, the permissions of the
``group
''
entry in the resulting ACL will be set to the permission
associated with both the
``group
''
and
``mask
''
entries of the current ACL.
-d
The operations apply to the default ACL entries instead of
access ACL entries.
Currently only directories may have
default ACL's.
-h
If the target of the operation is a symbolic link, perform the operation
on the symbolic link itself, rather than following the link.
-k
Delete any default ACL entries on the specified files.
It
is not considered an error if the specified files do not have
any default ACL entries.
An error will be reported if any of
the specified files cannot have a default entry (i.e.
non-directories).
-m entries
Modify the ACL entries on the specified files by adding new
entries and modifying existing ACL entries with the ACL entries
specified in
entries
-M file
Modify the ACL entries on the specified files by adding new
ACL entries and modifying existing ACL entries with the ACL
entries specified in the file
file
If
file
is
-,
the input is taken from stdin.
-n
Do not recalculate the permissions associated with the ACL
mask entry.
-x entries
Remove the ACL entries specified in
entries
from the access or default ACL of the specified files.
-X file
Remove the ACL entries specified in the file
file
from the access or default ACL of the specified files.
The above options are evaluated in the order specified
on the command-line.
ACL ENTRIES
An ACL entry contains three colon-separated fields:
an ACL tag, an ACL qualifier, and discretionary access
permissions:
ACL tag
The ACL tag specifies the ACL entry type and consists of
one of the following:
``user
''
or
`u'
specifying the access
granted to the owner of the file or a specified user;
``group
''
or
`g'
specifying the access granted to the file owning group
or a specified group;
``other
''
or
`o'
specifying the access
granted to any process that does not match any user or group
ACL entry;
``mask
''
or
`m'
specifying the maximum access
granted to any ACL entry except the
``user
''
ACL entry for the file owner and the
``other
''
ACL entry.
ACL qualifier
The ACL qualifier field describes the user or group associated with
the ACL entry.
It may consist of one of the following: uid or
user name, gid or group name, or empty.
For
``user
''
ACL entries, an empty field specifies access granted to the
file owner.
For
``group
''
ACL entries, an empty field specifies access granted to the
file owning group.
``mask
''
and
``other
''
ACL entries do not use this field.
access permissions
The access permissions field contains up to one of each of
the following:
`r'
,
`w'
,
and
`x'
to set read, write, and
execute permissions, respectively.
Each of these may be excluded
or replaced with a
`-'
character to indicate no access.
A
``mask
''
ACL entry is required on a file with any ACL entries other than
the default
``user
''
``group
''
and
``other
''
ACL entries.
If the
-n
option is not specified and no
``mask
''
ACL entry was specified, the
utility
will apply a
``mask
''
ACL entry consisting of the union of the permissions associated
with all
``group
''
ACL entries in the resulting ACL.
Traditional POSIX interfaces acting on file system object modes have
modified semantics in the presence of POSIX.1e extended ACLs.
When a mask entry is present on the access ACL of an object, the mask
entry is substituted for the group bits; this occurs in programs such
as
stat(1)
or
ls(1).
When the mode is modified on an object that has a mask entry, the
changes applied to the group bits will actually be applied to the
mask entry.
These semantics provide for greater application compatibility:
applications modifying the mode instead of the ACL will see
conservative behavior, limiting the effective rights granted by all
of the additional user and group entries; this occurs in programs
such as
chmod(1).
ACL entries applied from a file using the
-M
or
-X
options shall be of the following form: one ACL entry per line, as
previously specified; whitespace is ignored; any text after a
`#'
is ignored (comments).
When ACL entries are evaluated, the access check algorithm checks
the ACL entries in the following order: file owner,
``user
''
ACL entries, file owning group,
``group
''
ACL entries, and
``other
''
ACL entry.
Multiple ACL entries specified on the command line are
separated by commas.
EXIT STATUS
Ex -std
EXAMPLES
setfacl -m u::rwx,g:mail:rw file
Sets read, write, and execute permissions for the
file
owner's ACL entry and read and write permissions for group mail on
file
setfacl -M file1 file2
Sets/updates the ACL entries contained in
file1
on
file2
setfacl -x g:mail:rw file
Remove the group mail ACL entry containing read/write permissions
from
file
setfacl -bn file
Remove all
``access
''
ACL entries except for the three required from
file
