Online Man Page
This form may be used to access the UNIX man pages. Note this form runs on a Solaris machine, so the results may disagree with other operating system implementations of the commands.
NAME
setfacl - modify the Access Control List (ACL) for a file or
files
SYNOPSIS
setfacl [-r] -s acl_entries file
setfacl [-r] -md acl_entries file
setfacl [-r] -f acl_file file
DESCRIPTION
For each file specified, setfacl either replaces its entire
ACL, including the default ACL on a directory, or it adds,
modifies, or deletes one or more ACL entries, including
default entries on directories.
When the setfacl command is used, it can result in changes
to the file permission bits. When the user ACL entry for the
file owner is changed, the file owner class permission bits
are modified. When the group ACL entry for the file group
class is changed, the file group class permission bits are
modified. When the other ACL entry is changed, the file
other class permission bits are modified.
If you use the chmod(1) command to change the file group
owner permissions on a file with ACL entries, both the file
group owner permissions and the ACL mask are changed to the
new permissions. Be aware that the new ACL mask permissions
can change the effective permissions for additional users
and groups who have ACL entries on the file.
A directory can contain default ACL entries. If a file or
directory is created in a directory that contains default
ACL entries, the newly created file has permissions gen-
erated according to the intersection of the default ACL
entries and the permissions requested at creation time. The
umask(1) are not applied if the directory contains default
ACL entries. If a default ACL is specified for a specific
user (or users), the file has a regular ACL created. Other-
wise, only the mode bits are initialized according to the
intersection described above. The default ACL should be
thought of as the maximum discretionary access permissions
that can be granted.
Use the setfacl command to set ACLs on files in a UFS file
system, which supports POSIX-draft ACLS (or aclent_t style
ACLs). Use the chmod command to set ACLs on files in a ZFS
file system, which supports NFSv4-style ACLS (or ace_t style
ACLs).
acl_entries Syntax
For the -m and -s options, acl_entries are one or more
comma-separated ACL entries.
An ACL entry consists of the following fields separated by
colons:
entry_type Type of ACL entry on which to set file permis-
sions. For example, entry_type can be user
(the owner of a file) or mask (the ACL mask).
uid or gid User name or user identification number. Or,
group name or group identification number.
perms Represents the permissions that are set on
entry_type. perms can be indicated by the sym-
bolic characters rwx or a number (the same
permissions numbers used with the chmod com-
mand).
The following table shows the valid ACL entries (default
entries can only be specified for directories):
ACL Entry Description
___________________________________________________________________
u[ser]::perms File owner permissions.
g[roup]::perms File group owner permissions.
o[ther]:perms Permissions for users other than the
file owner or members of file group
owner.
m[ask]:perms The ACL mask. The mask entry indi-
cates the maximum permissions allowed
for users (other than the owner) and
for groups. The mask is a quick way
to change permissions on all the
users and groups.
u[ser]:uid:perms Permissions for a specific user. For
uid, you can specify either a user
name or a numeric UID.
g[roup]:gid:perms Permissions for a specific group. For
gid, you can specify either a group
name or a numeric GID.
d[efault]:u[ser]::perms Default file owner permissions.
d[efault]:g[roup]::perms Default file group owner permissions.
d[efault]:o[ther]:perms Default permissions for users other
than the file owner or members of the
file group owner.
d[efault]:m[ask]:perms Default ACL mask.
d[efault]:u[ser]:uid:perms Default permissions for a specific
user. For uid, you can specify either
a user name or a numeric UID.
d[efault]:g[roup]:gid:perms Default permissions for a specific
group. For gid, you can specify
either a group name or a numeric GID.
For the -d option, acl_entries are one or more comma-
separated ACL entries without permissions. Notice that the
entries for file owner, file group owner, ACL mask, and oth-
ers can not be deleted.
OPTIONS
The options have the following meaning:
-d acl_entries Deletes one or more entries from the file.
The entries for the file owner, the file
group owner, and others can not be deleted
from the ACL. Notice that deleting an
entry does not necessarily have the same
effect as removing all permissions from
the entry.
-f acl_file Sets a file's ACL with the ACL entries
contained in the file named acl_file. The
same constraints on specified entries hold
as with the -s option. The entries are not
required to be in any specific order in
the file. Also, if you specify a dash (-)
for acl_file, standard input is used to
set the file's ACL.
The character # in acl_file can be used to
indicate a comment. All characters, start-
ing with the # until the end of the line,
are ignored. Notice that if the acl_file
has been created as the output of the get-
facl(1) command, any effective permis-
sions, which follow a #, are ignored.
-m acl_entries Adds one or more new ACL entries to the
file, and/or modifies one or more existing
ACL entries on the file. If an entry
already exists for a specified uid or gid,
the specified permissions replace the
current permissions. If an entry does not
exist for the specified uid or gid, an
entry is created. When using the -m option
to modify a default ACL, you must specify
a complete default ACL (user, group,
other, mask, and any additional entries)
the first time.
-r Recalculates the permissions for the ACL
mask entry. The permissions specified in
the ACL mask entry are ignored and
replaced by the maximum permissions neces-
sary to grant the access to all additional
user, file group owner, and additional
group entries in the ACL. The permissions
in the additional user, file group owner,
and additional group entries are left
unchanged.
-s acl_entries Sets a file's ACL. All old ACL entries are
removed and replaced with the newly speci-
fied ACL. The entries need not be in any
specific order. They are sorted by the
command before being applied to the file.
Required entries:
o Exactly one user entry specified
for the file owner.
o Exactly one group entry for the
file group owner.
o Exactly one other entry speci-
fied.
If there are additional user and group
entries:
o Exactly one mask entry specified
for the ACL mask that indicates
the maximum permissions allowed
for users (other than the owner)
and groups.
o Must not be duplicate user
entries with the same uid.
o Must not be duplicate group
entries with the same gid.
If file is a directory, the following
default ACL entries can be specified:
o Exactly one default user entry
for the file owner.
o Exactly one default group entry
for the file group owner.
o Exactly one default mask entry
for the ACL mask.
o Exactly one default other entry.
There can be additional default user
entries and additional default group
entries specified, but there can not be
duplicate additional default user entries
with the same uid, or duplicate default
group entries with the same gid.
EXAMPLES
Example 1 Adding read permission only
The following example adds one ACL entry to file abc, which
gives user shea read permission only.
setfacl -m user:shea:r-- abc
Example 2 Replacing a file's entire ACL
The following example replaces the entire ACL for the file
abc, which gives shea read access, the file owner all
access, the file group owner read access only, the ACL mask
read access only, and others no access.
setfacl -s user:shea:rwx,user::rwx,group::rw-,mask:r--,other:--- abc
Notice that after this command, the file permission bits are
rwxr-----. Even though the file group owner was set with
read/write permissions, the ACL mask entry limits it to have
only read permission. The mask entry also specifies the max-
imum permissions available to all additional user and group
ACL entries. Once again, even though the user shea was set
with all access, the mask limits it to have only read per-
mission. The ACL mask entry is a quick way to limit or open
access to all the user and group entries in an ACL. For
example, by changing the mask entry to read/write, both the
file group owner and user shea would be given read/write
access.
Example 3 Setting the same ACL on two files
The following example sets the same ACL on file abc as the
file xyz.
getfacl xyz | setfacl -f - abc
FILES
/etc/passwd password file
/etc/group group file
ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWcsu |
|_____________________________|_____________________________|
SEE ALSO
chmod(1), getfacl(1), umask(1), aclcheck(3SEC),
aclsort(3SEC), group(4), passwd(4), attributes(5)