| SETFACL(1) | General Commands Manual | SETFACL(1) | 
setfacl —
| setfacl | [ -bdhkn] [-aposition entries] [-Mfile] [-mentries] [-R[-H|-L|-P]] [-Xfile] [-xentries | position]
      [file ...] | 
setfacl utility sets discretionary access control
  information on the specified file(s). If no files are specified, or the list
  consists of the only ‘-’, the file names
  are taken from the standard input.
The following options are available:
-a
    position entries-bmask” entry, the
      permissions of the “group” entry in
      the resulting ACL will be set to the permission associated with both the
      “group” and
      “mask” entries of the current
    ACL.-d-H-R option is specified, symbolic links on
      the command line are followed and hence unaffected by the command.
      (Symbolic links encountered during tree traversal are not followed.)-h-k-L-R option is specified, all symbolic links
      are followed.-M
    file-, the input is taken from stdin.-m
    entries-a and -x
      options instead.-n-P-R option is specified, no symbolic links
      are followed. This is the default.-R-X
    file-x
    entries | positionThe above options are evaluated in the order specified on the command-line.
user” or
      ‘u’ specifying the access granted to
      the owner of the file or a specified user;
      “group” or
      ‘g’ specifying the access granted to
      the file owning group or a specified group;
      “other” or
      ‘o’ specifying the access granted to
      any process that does not match any user or group ACL entry;
      “mask” or
      ‘m’ specifying the maximum access
      granted to any ACL entry except the
      “user” ACL entry for the file owner
      and the “other” ACL entry.user”
      ACL entries, an empty field specifies access granted to the file owner.
      For “group” ACL entries, an empty
      field specifies access granted to the file owning group.
      “mask” and
      “other” ACL entries do not use this
      field.r’,
      ‘w’, and
      ‘x’ to set read, write, and execute
      permissions, respectively. Each of these may be excluded or replaced with
      a ‘-’ character to indicate no
      access.A “mask” ACL entry is
    required on a file with any ACL entries other than the default
    “user”,
    “group”, and
    “other” ACL entries. If the
    -n option is not specified and no
    “mask” ACL entry was specified, the
    setfacl utility will apply a
    “mask” ACL entry consisting of the
    union of the permissions associated with all
    “group” ACL entries in the resulting
    ACL.
Traditional POSIX interfaces acting on file system object modes have modified semantics in the presence of POSIX.1e extended ACLs. When a mask entry is present on the access ACL of an object, the mask entry is substituted for the group bits; this occurs in programs such as stat(1) or ls(1). When the mode is modified on an object that has a mask entry, the changes applied to the group bits will actually be applied to the mask entry. These semantics provide for greater application compatibility: applications modifying the mode instead of the ACL will see conservative behavior, limiting the effective rights granted by all of the additional user and group entries; this occurs in programs such as chmod(1).
ACL entries applied from a file using the
    -M or -X options shall be of
    the following form: one ACL entry per line, as previously specified;
    whitespace is ignored; any text after a
    ‘#’ is ignored (comments).
When POSIX.1e ACL entries are evaluated, the access check
    algorithm checks the ACL entries in the following order: file owner,
    “user” ACL entries, file owning group,
    “group” ACL entries, and
    “other” ACL entry.
Multiple ACL entries specified on the command line are separated by commas.
It is possible for files and directories to inherit ACL entries
    from their parent directory. This is accomplished through the use of the
    default ACL. It should be noted that before you can specify a default ACL,
    the mandatory ACL entries for user, group, other and mask must be set. For
    more details see the examples below. Default ACLs can be created by using
    -d.
user” and
  “group” tags), discretionary access
  permissions, ACL inheritance flags, and ACL type:
user” or
      ‘u’ specifying the access granted to
      the specified user; “group” or
      ‘g’ specifying the access granted to
      the specified group; “owner@”
      specifying the access granted to the owner of the file;
      “group@” specifying the access
      granted to the file owning group;
      “everyone@” specifying everyone.
      Note that “everyone@” is not the
      same as traditional Unix “other” -
      it means, literally, everyone, including file owner and owning group.owner@”,
      “group@”, or
      “everyone@”, this field is omitted
      altogether, including the trailing comma./’ character; in short form,
      they are concatenated together. Valid permissions are:
    In addition, the following permission sets may be used:
/’ character; in short form,
      they are concatenated together. Valid inheritance flags are:
    Other than the "inherited" flag, inheritance flags may be only set on directories.
allow”
      or “deny”.ACL entries applied from a file using the
    -M or -X options shall be of
    the following form: one ACL entry per line, as previously specified;
    whitespace is ignored; any text after a
    ‘#’ is ignored (comments).
NFSv4 ACL entries are evaluated in their visible order.
Multiple ACL entries specified on the command line are separated by commas.
Note that the file owner is always granted the read_acl, write_acl, read_attributes, and write_attributes permissions, even if the ACL would deny it.
setfacl utility exits 0 on success,
  and >0 if an error occurs.
setfacl -d -m
  u::rwx,g::rx,o::rx,mask::rwx dirsetfacl -d -m g:admins:rwx
  dirThe first command sets the mandatory elements of the POSIX.1e default ACL. The second command specifies that users in group admins can have read, write, and execute permissions for directory named "dir". It should be noted that any files or directories created underneath "dir" will inherit these default ACLs upon creation.
setfacl -m u::rwx,g:mail:rw
  fileSets read, write, and execute permissions for the file owner's POSIX.1e ACL entry and read and write permissions for group mail on file.
setfacl -m
  owner@:rwxp::allow,g:mail:rwp::allow fileSemantically equal to the example above, but for NFSv4 ACL.
setfacl -M file1 file2Sets/updates the ACL entries contained in file1 on file2.
setfacl -x g:mail:rw
  fileRemove the group mail POSIX.1e ACL entry containing read/write permissions from file.
setfacl -x0 fileRemove the first entry from the NFSv4 ACL from file.
setfacl -bn fileRemove all “access” ACL
    entries except for the three required from file.
getfacl file1 | setfacl -b -n -M -
  file2Copy ACL entries from file1 to file2.
setfacl utility is expected to be IEEE Std 1003.2c
  compliant.
setfacl utility was written by
  Chris D. Faulhaber
  <jedgar@fxp.org>. NFSv4
  ACL support was implemented by Edward Tomasz Napierala
  <trasz@FreeBSD.org>.
| October 26, 2018 | NetBSD 10.0 |