Name

setfacl - set file access control lists

Synopsis

setfacl [-bkndtRY5vh] [ [[-s|-m|-x] acl_spec ...] file ... ] ...

setfacl [-bkndtRY5vh] [ [[-S|-M|-X] acl_file ...] file ... ] ...

setfacl [-t] -B file

Description

This utility sets Access Control Lists (ACLs) of files and directories. On the command line, a sequence of commands is followed by a sequence of files (which in turn can be followed by another sequence of commands, ...).

The options -s, -m, and -x expect an ACL on the command line. Multiple ACL entries are separated by comma characters (`,').

When reading from files using the -S, -M, and -X options, setfacl accepts a superset of the output getfacl produces. There is at most one ACL entry per line. After a Pound sign (`#'), everything up to the end of the line is treated as a comment.

The -s and -S options set the ACL of a file or a directory. The previous ACL is replaced. Absolute ACL entries are accepted as parameters.

The -m and -M options modify the ACL of a file or directory. Absolute as well as relative ACL entries are accepted as parameters.

The -x and -X options delete ACL entries. Only deletion ACL entries without permissions are accepted as parameters.

If setfacl is used on a file system which does not support ACLs, setfacl changes the access permission bits. If the ACL does not fit completely in the permission bits, setfacl fails.

Options

-b
Remove all extended ACL entries. The base ACL entries of the owner, group and others are retained.
-k
Remove all default ACL entries.
-n
Do not recalculate the effective rights mask. The usual behavior of setfacl, unless a mask is explicitly specified, is to recompute the mask to include the maximum set of permissions of the entries affected by the mask (all groups and named users).
-d
All operations apply to the default ACL. Regular ACL entries in the input set are promoted to default ACL entries. Default ACL entries in the input set are discarded. (A warning is issued if that happens).
-B
Restore a permission backup created by `getfacl -R' or similar. All permissions of a complete directory subtree can be restored using this mechanism. If the input to the restore operation contains owner comments or group comments, and setfacl is run by root, the owner and group are restored as well.
-t
Test mode. Instead of changing the ACLs of any files, the resulting ACLs are printed in the same format getfacl would produce.
-R
Apply all operations to all files and directories recursively.
-Y
Follow symbolic links. The usual behavior is to skip symbolic links in subdirectories.
-5
Traverse subdirectories in post-order. The default is pre-order traversal, that is, directories are processed before their children are processed.
-v
Print the version of setfacl and exit.
-h
Print help explaining the command line options.
--
End of command line options. All remaining parameters are interpreted as file names, even if they start with a dash.
-
If the file name parameter is a single dash, setfacl reads a list of files from standard input.

Acl Entries

The setfacl utility recognizes the following ACL entry formats (blanks inserted for clarity):

[d[efault]:] [u[ser]:]uid [:[+|^]perms]
Permissions of a named user. Permissions of the file owner if uid is empty.
[d[efault]:] g[roup]:gid [:[+|^]perms]
Permissions of a named group. Permissions of the owning group if gid is empty.
[d[efault]:] m[ask]:[+|^] perms
Effective rights mask
[d[efault]:] o[ther]:[+|^] perms
Permissions of others.

An ACL entry is absolute if it contains the perms field. It is relative if it includes one of the modifiers `+' or `^' as well. Absolute entries may be used in set or modify operations. Relative entries may only be used in modify operations. Named user entries and named group entries without any fields after uid or gid (the perms field missing) are used for deletion of entries only.

For uid and gid you can specify either a name or a number. The perms field can be a combination of the characters r, w, x, -, or a number (0-7).
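As an added illustration (not code from the acl package), the following Python models the entry syntax of this section together with the mask recalculation described under -n, so that the examples further down can be traced by hand. The ACL representation (a dict keyed by tag and qualifier) and the function names are assumptions of this model; the -d promotion and automatically created entries are not modelled.

```python
from functools import reduce
PERM_BITS = {"r": 4, "w": 2, "x": 1}           # same bits as the octal digits 0-7
TAGS = {"u": "user", "user": "user", "g": "group", "group": "group",
        "m": "mask", "mask": "mask", "o": "other", "other": "other"}

def perms_to_bits(perms):                        # 'rw', 'r-x', '-' or one octal digit 0-7
    return int(perms) & 7 if perms.isdigit() else sum(PERM_BITS[c] for c in perms if c != "-")

def parse_entry(text):
    """One entry: [d[efault]:] [u[ser]:]uid | g[roup]:gid | m[ask] | o[ther] [:[+|^]perms]."""
    parts = text.split(":")
    default = parts[0] in ("d", "default")
    parts = parts[1:] if default else parts
    tag = TAGS.get(parts[0])
    parts = parts[1:] if tag else parts          # the u[ser]: tag may be omitted
    tag = tag or "user"
    qualifier = None
    if tag in ("user", "group"):                 # empty uid/gid = owner / owning group
        qualifier, parts = (parts + [""])[0] or None, parts[1:]
    entry = {"default": default, "tag": tag, "qualifier": qualifier, "mode": "set", "bits": 0}
    if not parts or parts == [""]:               # perms field missing: deletion entry (-x only)
        return {**entry, "mode": "delete"}
    perms = parts[0]
    if perms[:1] in ("+", "^"):                  # relative entry: only valid with -m
        entry["mode"], perms = perms[0], perms[1:]
    entry["bits"] = perms_to_bits(perms)
    return entry

def modify(acl, spec, recalc_mask=True):
    """Apply a comma-separated spec as -m does (modify({}, spec) models -s); recalc_mask=False
    models -n. Unless the spec sets a mask, it is recomputed from all groups and named users."""
    acl, mask_given = dict(acl), False
    for e in (parse_entry(s) for s in spec.split(",")):
        key = (e["tag"], e["qualifier"])
        if e["mode"] == "delete":                # -x semantics: drop the entry
            acl.pop(key, None)
            continue
        mask_given |= e["tag"] == "mask"
        cur = acl.get(key, 0)
        acl[key] = {"set": e["bits"], "+": cur | e["bits"], "^": cur & ~e["bits"]}[e["mode"]]
    affected = [b for (t, q), b in acl.items() if t == "group" or (t == "user" and q)]
    if recalc_mask and not mask_given and (("mask", None) in acl or any(q for _, q in acl)):
        acl[("mask", None)] = reduce(int.__or__, affected, 0)   # union = "maximum set"
    return acl

def effective(acl):
    """Rights actually granted: group and named user entries are cut down by the mask."""
    mask = acl.get(("mask", None), 7)
    return {k: b & mask if k[0] == "group" or (k[0] == "user" and k[1]) else b for k, b in acl.items() if k[0] != "mask"}
```

Running the page's `m:rx` example through modify() and then adding another named user without -n shows the mask being widened again, which silently re-grants write access to every entry the mask covers.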

Automatically Created Entries

Initially, files and directories contain only the three base ACL entries for the owner, the group, and others. There are some rules that need to be satisfied in order for an ACL to be valid:

To help the user ensure these rules, setfacl creates entries from existing entries under the following conditions:

Examples

Replacing the ACL of a file

setfacl -s u::rw,g::r,o:-,g:staff:rw file

Granting an additional user read access

setfacl -m u:lisa:r file

Adding write access to the permissions of a user

setfacl -m u:lisa:+w file

Revoking write access from all groups and all named users (using the effective rights mask)

setfacl -m m:rx file

Removing a named group entry from a file's ACL

setfacl -x g:staff file

Copying the ACL of one file to another

getfacl file1 | setfacl -S- file2

Copying the access ACL into the default ACL

getfacl -a dir | setfacl -d -M- dir

Copying a directory subtree; copying all ACLs from one subtree to the other (using the bash shell)

cp -r dir1 dir2 && (cd dir1 && getfacl -R .) | \
    (cd dir2 && setfacl -B-)

Bugs

The chmod(1) utility is traditionally used to change the file permission bits. This utility is not aware of ACLs. To maximize compatibility (and to avoid unexpected results for users who are not aware of ACLs), changing the permission bits has the following effect on an ACL that is associated with a file:

This ensures file permissions are set `as expected' after a call to chmod(1).

Unfortunately, some versions of the chmod(1) utility include an optimization, so that the permission bits are not set if the new permission bits are the same as the old ones. For files that have an effective rights mask entry that is more restrictive than the group entry, the group may not be effectively granted all the `expected' rights after such a call.

The ls(1) utility should display a plus character (`+') after the permissions for files that have an ACL associated. This feature is not yet implemented.

Author

Andreas Gruenbacher, <a.gruenbacher@computer.org>.

Please send your bug reports, suggested features and comments to the above address.

See Also

getfacl(1), chmod(1), acl(2), acl(5)
