
setfacl(1)                       User Commands                      setfacl(1)



NAME
       setfacl - modify the Access Control List (ACL) for a file or files

SYNOPSIS
       setfacl [-r] -s acl_entries file

       setfacl [-r] -md acl_entries file

       setfacl [-r] -f acl_file file

DESCRIPTION
       For  each  file  specified, setfacl will either replace its entire ACL,
       including the default ACL on a directory, or it will  add,  modify,  or
       delete  one  or more ACL entries, including default entries on directo-
       ries.

       When the setfacl command is used, it may result  in   changes  to   the
       file   permission  bits.  When the user ACL entry for the file owner is
       changed, the file owner  class  permission bits   will   be   modified.
       When  the group ACL entry for the file group class is changed, the file
       group class permission bits will be modified. When the other ACL  entry
       is changed, the file other class permission bits will be modified.

       If  you use the chmod(1) command to change the file group owner permis-
       sions on a file with ACL entries, both the file group owner permissions
       and  the ACL mask are changed to the new permissions. Be aware that the
       new ACL mask permissions may change the effective permissions for addi-
       tional users and groups who have ACL entries on the file.

       A  directory may contain default ACL entries. If a file or directory is
       created in a directory that contains default  ACL  entries,  the  newly
       created  file  will have permissions generated according to the  inter-
       section of the default ACL entries and  the  permissions  requested  at
       creation  time.  The umask(1) will not be applied if the directory con-
       tains default ACL entries. If a default ACL is specified for a specific
       user  (or  users), the file will have a regular ACL created. Otherwise,
       only the mode bits will be initialized according  to  the  intersection
       described  above.  The  default ACL should be thought of as the maximum
       discretionary access permissions that may be granted.

   acl_entries Syntax
       For the -m and -s options, acl_entries are one or more  comma-separated
       ACL entries.

       An ACL entry consists of the following fields separated by colons:

       entry_type      Type of ACL entry on which to set file permissions. For
                       example, entry_type can be user (the owner of  a  file)
                       or mask (the ACL mask).



       uid or gid      User name or user identification number. Or, group name
                       or group identification number.



       perms           Represents the permissions that are set on  entry_type.
                       perms  can  be indicated by the symbolic characters rwx
                       or a number (the same permissions numbers used with the
                       chmod command).




       The  following  table  shows the valid ACL entries (default entries may
       only be specified for directories):

       ACL Entry                     Description
       u[ser]::perms                 File owner permissions.
       g[roup]::perms                File group owner permissions.
       o[ther]:perms                 Permissions for users other than the
                                     file owner or members of file group
                                     owner.
       m[ask]:perms                  The ACL mask. The mask entry indicates
                                     the maximum permissions allowed for
                                     users (other than the owner) and for
                                     groups. The mask is a quick way to
                                     change permissions on all the users
                                     and groups.
       u[ser]:uid:perms              Permissions for a specific user. For
                                     uid, you can specify either a user
                                     name or a numeric UID.
       g[roup]:gid:perms             Permissions for a specific group. For
                                     gid, you can specify either a group
                                     name or a numeric GID.
       d[efault]:u[ser]::perms       Default file owner permissions.
       d[efault]:g[roup]::perms      Default file group owner permissions.
       d[efault]:o[ther]:perms       Default permissions for users other
                                     than the file owner or members of the
                                     file group owner.
       d[efault]:m[ask]:perms        Default ACL mask.
       d[efault]:u[ser]:uid:perms    Default permissions for a specific
                                     user. For uid, you can specify either
                                     a user name or a numeric UID.
       d[efault]:g[roup]:gid:perms   Default permissions for a specific
                                     group. For gid, you can specify either
                                     a group name or a numeric GID.


       For the -d option, acl_entries are  one  or  more  comma-separated  ACL
       entries  without  permissions.  Notice that the entries for file owner,
       file group owner, ACL mask, and others may not be deleted.

OPTIONS
       The options have the following meaning:

       -d acl_entries  Deletes one or more entries from the file. The  entries
                       for  the  file  owner, the file group owner, and others
                       may not be deleted from the ACL. Notice  that  deleting
                       an  entry  does not necessarily have the same effect as
                       removing all permissions from the entry.



       -f acl_file     Sets a file's ACL with the ACL entries contained in the
                       file  named acl_file. The same constraints on specified
                       entries hold as with the -s option. The entries are not
                       required to be in any specific order in the file. Also,
                       if you specify a dash '-' for acl_file, standard  input
                       is used to set the file's ACL.

                       The character "#" in acl_file may be used to indicate a
                       comment. All characters, starting with  the  "#"  until
                       the  end  of  the line, will be ignored. Notice that if
                       the acl_file has been created as the output of the get-
                       facl(1)  command, any effective permissions, which will
                       follow a "#", will be ignored.



       -m acl_entries  Adds one or more new ACL entries to  the  file,  and/or
                       modifies  one or more existing ACL entries on the file.
                       If an entry already exists for a specified uid or  gid,
                       the specified permissions will replace the current per-
                       missions. If an entry does not exist for the  specified
                       uid or gid, an entry will be created. When using the -m
                       option to modify a default ACL, you must specify a com-
                       plete  default  ACL  (user, group, other, mask, and any
                       additional entries) the first time.



       -r              Recalculates the permissions for the  ACL  mask  entry.
                       The  permissions  specified  in  the ACL mask entry are
                       ignored and replaced by the maximum permissions  neces-
                       sary  to  grant the access to all additional user, file
                       group owner, and additional group entries in  the  ACL.
                       The  permissions  in  the  additional  user, file group
                       owner, and additional group entries are left unchanged.



       -s acl_entries  Sets a file's ACL. All old ACL entries are removed  and
                       replaced with the newly specified ACL. The entries need
                       not be in any specific order. They will  be  sorted  by
                       the command before being applied to the file.

                       Required entries:


                         o  Exactly  one  user  entry  specified  for the file
                            owner.

                         o  Exactly one group entry for the file group owner.

                         o  Exactly one other entry specified.


                       If there are additional user and group entries:


                         o  Exactly one mask entry specified for the ACL  mask
                            that indicates the maximum permissions allowed for
                            users (other than the owner) and groups.

                         o  There must not be duplicate user entries with  the
                            same uid.

                         o  There must not be duplicate group entries with the
                            same gid.


                       If file is  a  directory,  the  following  default  ACL
                       entries may be specified:


                         o  Exactly one default user entry for the file owner.

                         o  Exactly one default group entry for the file group
                            owner.

                         o  Exactly one default mask entry for the ACL mask.

                         o  Exactly one default other entry.


                       There may be additional default user entries and  addi-
                       tional  default  group entries specified, but there may
                       not be duplicate additional default user  entries  with
                       the  same  uid, or duplicate default group entries with
                       the same gid.



EXAMPLES
       Example 1: Adding read permission only

       The following example adds one ACL entry to file abc, which gives  user
       shea read permission only.

       setfacl -m user:shea:r-- abc

       Example 2: Replacing a file's entire ACL

       The  following  example replaces the entire ACL for the file abc, which
       gives shea read access, the file owner all access, the file group owner
       read access only, the ACL mask read access only, and others no access.

       setfacl -s user:shea:rwx,user::rwx,group::rw-,mask:r--,other:--- abc

       Notice that after this command, the file permission bits are rwxr-----.
       Even though the file group owner was set with  read/write  permissions,
       the  ACL  mask  entry  limits it to have only read permission. The mask
       entry also specifies the maximum permissions  available  to  all  addi-
       tional  user  and  group  ACL entries. Once again, even though the user
       shea was set with all access, the mask limits it to have only read per-
       mission.   The ACL mask entry is a quick way to limit or open access to
       all the user and group entries in an ACL. For example, by changing  the
       mask entry to read/write, both the file group owner and user shea would
       be given read/write access.
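
       The mask arithmetic of Example 2, together with the -s constraints and
       the -r recalculation from OPTIONS, as an added example that is not part
       of the original manual page: a Python model of the rules that never
       calls setfacl. The function names are hypothetical, default entries are
       not handled, and the group position of the mode string is shown after
       masking, as Example 2 reports it.

```python
# Added example: models the rules in this man page offline; it never calls setfacl.
TYPES = {"u": "user", "user": "user", "g": "group", "group": "group",
         "o": "other", "other": "other", "m": "mask", "mask": "mask"}
OWNER, GROUP, OTHER, MASK = ("user", ""), ("group", ""), ("other", ""), ("mask", "")

def perm_bits(perms):
    """Accept three symbolic characters ('r-x') or a chmod-style digit ('5')."""
    if perms.isdigit():
        return int(perms, 8)
    return sum(bit for ch, bit in zip(perms, (4, 2, 1)) if ch != "-")

def parse(acl_entries):
    """Return {(entry_type, id): bits}; id is '' for entries without a uid or gid."""
    acl = {}
    for entry in acl_entries.split(","):
        fields = entry.strip().split(":")
        key = (TYPES[fields[0]], fields[1] if len(fields) == 3 else "")
        if key in acl:
            raise ValueError("duplicate entry: " + entry)
        acl[key] = perm_bits(fields[-1])
    return acl

def check_s(acl):
    """Return the -s constraints from OPTIONS that this entry list violates."""
    problems = ["missing %s entry" % k[0] for k in (OWNER, GROUP, OTHER) if k not in acl]
    if any(ident for _, ident in acl) and MASK not in acl:
        problems.append("additional entries require a mask entry")
    return problems

def effective(acl):
    """Owner and other are not masked; all remaining entries are ANDed with the mask."""
    mask = acl.get(MASK, 7)
    return {k: b if k in (OWNER, OTHER) else b & mask
            for k, b in acl.items() if k != MASK}

def recalc_mask(acl):
    """-r: union of additional user, file group owner and additional group entries."""
    mask = 0
    for key, bits in acl.items():
        if key not in (OWNER, OTHER, MASK):
            mask |= bits
    return mask

def mode_string(acl):
    """Permission bits as Example 2 reports them (group shown after masking)."""
    eff = effective(acl)
    return "".join("rwx"[n] if eff[k] & (4 >> n) else "-"
                   for k in (OWNER, GROUP, OTHER) for n in range(3))

if __name__ == "__main__":
    acl = parse("user:shea:rwx,user::rwx,group::rw-,mask:r--,other:---")  # Example 2
    print(check_s(acl), mode_string(acl), effective(acl)[("user", "shea")], recalc_mask(acl))
```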

       Example 3: Setting the same ACL on two files

       The following example sets the same ACL on file abc as the file xyz.

       getfacl xyz | setfacl -f - abc

FILES
       /etc/passwd     password file



       /etc/group      group file



ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:


       ATTRIBUTE TYPE                ATTRIBUTE VALUE
       Availability                  SUNWcsu


SEE ALSO
       chmod(1),    getfacl(1),   umask(1),   aclcheck(3SEC),   aclsort(3SEC),
       group(4), passwd(4), attributes(5)



SunOS 5.10                        31 Oct 2002                       setfacl(1)