setacl(1)
NAME
setacl - Changes the access control list on a file or directory (ACL)
SYNOPSIS
setacl [-a] [-b] [-k] [-K] [-d] [-D] [-x entries] [-X file1]
       [-u entries] [-U file2] filename ...
FLAGS
-a The operation applies to the access ACL.
-b Reset the ACL to just the base entries (u::, g::, o::).
-d The operation applies to the default access ACL. Default ACLs must
contain at least the 3 base entries (the entries that correspond to the
permission bits). When you first create a default ACL, if you do not
specify these 3 entries they default to the current value of the 3 base
entries (or permission bits) of the directory's access ACL. You should
specify values for the 3 base entries if the current value in the
access ACL is not appropriate.
The -d flag is not defined by POSIX.
-D The operation applies to the default directory ACL. Default ACLs must
contain at least the 3 base entries (the entries that correspond to the
permission bits). When you first create a default ACL, if you do not
specify these 3 entries they default to the current value of the 3 base
entries (or permission bits) of the directory's access ACL. You should
specify values for the 3 base entries if the current value in the
access ACL is not appropriate.
The -D flag is not defined by POSIX.
-k Delete the default access ACL for the designated directory.
-K Delete the default directory ACL for the designated directory. The -K
flag is not defined by POSIX.
-X file1
Removes the ACL entries designated in file1 from the designated object.
-x entries
Removes the designated entries in the ACL from the designated object.
-u entries
Updates the ACL with the specified entries that match existing entries
in tag type and tag qualifier. ACL entries are added if they are not
already present in the ACL. See the Contents of an ACL Entry section
for the format of ACL entries.
-U file2
Updates the ACL with the entries specified in file2 that match existing
entries in tag type and tag qualifier. ACL entries are added if they
are not already present in the ACL. See the Contents of an ACL Entry
section for the format of ACL entries.
The -a, -d, and -D flags are not mutually exclusive; they can all be
specified, and all are set. If none are specified, the -a flag is assumed.
The -d and -D flags apply only to directories.
The -b flag is applied before any of the -u, -U, -x, or -X flags.
Multiple -u, -U, -x, and -X flags are all applied to the ACL in the order
listed on the command line. All of the flags are applied to a temporary copy
of the ACL before the ACL is applied to the files. It is not an error for
an intermediate version of the ACL to be ill-formed, as long as the ACL is
well-formed by the time it is applied.
Several flags accept arguments of the following types:
entries The ACL entries used to perform the requested operation.
Multiple ACL entries are separated by commas. There is no
required ordering of entries.
file A file containing ACL entries to use to perform the requested
operation. Each entry should be on a separate line. There is no
required ordering of entries. If a line contains the comment
character, #, setacl ignores the line.
DESCRIPTION
Note
This command is based on Draft 13 of the POSIX P1003.6 standard.
The command may change as the P1003.6 standard is finalized.
The setacl command sets the access control list (ACL) to the designated
list of objects, which can be one or more files or directories.
Contents of an ACL Entry
The external representation of an ACL entry consists of three colon (:)
separated fields. The first field is a tag type, the second field contains
optional qualifiers whose meaning depends on the tag type, and the third
field is the list of permissions. The following examples are typical:
user::rwx
user:jdoe:rw-
user:mightymouse:r--
user:bsmith:rwx
group::r--
other::---
The tag types and associated qualifiers are:
user If the qualifier field is empty, the entry defines the
permissions of the user who owns the file or directory. User
names or UIDs can be specified as qualifiers; in this case, the
entry defines the permissions of these users.
group If the qualifier field is empty, the entry defines the
permissions of users who are members of the group associated with
the file or directory. Group names or GIDs can be specified as
qualifiers; in this case the entry defines the permissions of
members of these groups.
other No qualifiers are allowed for the other tag type. This entry
specifies the permissions for users who are not covered by any
other entries.
The third field specifies the discretionary access permissions. They are:
Letter   Octal   Permission
r        4       Read access
w        2       Write access
x        1       Execute/Search access
-        0       No access
A set of permissions in an ACL entry is internally represented in three
bits and displayed as a character string, as in untrusted Tru64 UNIX.
The set of permissions can be specified in three ways:
As an octal digit. Add the numbers shown above to determine the
permissions. The value 0 (zero), for example, specifies no
permissions, and the value 7 specifies all permissions.
As an absolute character string. An absolute character string contains
three characters. The first specifies read permission, the second
write permission, and the third specifies execute/search permission.
To grant all permissions, specify rwx in that order. To deny one or
more permissions, use the character - in the appropriate positions.
For example, the entry r-x grants read and execute/search permissions
and denies write permission.
As a relative character string. A relative character string adds or
removes permissions from the existing set. To add permissions, specify
a "+" followed by one or more permission letters. For example, +r adds
read permission to the existing set. To remove permissions, specify a
"^" followed by one or more permission letters. For example, ^x
removes execute/search permission.
Both octal digits and absolute character strings set the permissions to the
specified values. One of these forms should be used for new entries.
Relative permissions update an existing ACL entry (flags -u and -U) with an
input entry that matches in tag type and tag qualifier. If setacl adds an
entry to an ACL, a + prefix is ignored and the set of permissions is
entered as an absolute string; if the prefix is ^, the permissions field is
set to no access. If an entry is to be removed from an ACL, input
permissions are ignored altogether.
Suppose an ACL entry is specified with relative permissions,
group:dec:^wx (remove wx permissions)
to be applied to a matching entry with permissions r-x. The matching entry
will have a new set of permissions as follows:
group:dec:r-- (read only)
Contents of an ACL
An ACL contains at least three entries:
A user entry with no qualifiers
A group entry with no qualifiers
An other entry
An ACL may also contain one or more user or group entries with qualifiers,
as in the following example:
user::rwx
group::rw-
user:user1:r-x
group:dec:--x
other::rwx
The entry group::rw- is the entry for the file's owning group and grants
read and write permissions.
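The entry format, the three permission forms, and the -u/-x merge rules described above, as an added example in Python (not part of the setacl man page or the Tru64 implementation). It assumes only the Draft 13 tag types user, group and other (no mask entry) and treats the "at least three base entries" rule as the well-formedness check that setacl applies once all flags have been merged.

```python
# Added example (not from the setacl man page): a model of how setacl -u
# and -x merge entries into an ACL, using the entry format and the octal,
# absolute and relative permission forms described above.
# Assumption: Draft 13 tag types only (user, group, other; no mask entry).
BITS = {"r": 4, "w": 2, "x": 1}

def parse_perms(text, existing=None):
    """Permission field -> 3-bit value. existing is the matched entry's
    current bits, or None when the entry is being added to the ACL."""
    if text.isdigit():                      # octal digit: 0..7
        return int(text) & 7
    if text[0] in "+^":                     # relative form: +rw or ^wx
        delta = sum(BITS[c] for c in text[1:])
        if existing is None:                # new entry: + is ignored, ^ means no access
            return delta if text[0] == "+" else 0
        return existing | delta if text[0] == "+" else existing & ~delta
    if len(text) != 3 or any(c not in (p, "-") for p, c in zip("rwx", text)):
        raise ValueError(f"bad absolute permission string: {text!r}")
    return sum(BITS[c] for c in text if c != "-")  # absolute form: r-x

def fmt(bits):
    return "".join(c if bits & b else "-" for c, b in BITS.items())

def parse_entry(entry):
    tag, qual, perms = entry.split(":")
    if tag not in ("user", "group", "other") or (tag == "other" and qual):
        raise ValueError(f"bad ACL entry: {entry!r}")
    return (tag, qual), perms

def update(acl, entries):
    """-u: entries matching in tag type and qualifier are replaced, others added."""
    acl = dict(acl)
    for key, perms in (parse_entry(e) for e in entries.split(",")):
        acl[key] = parse_perms(perms, acl.get(key))
    return acl

def remove(acl, entries):
    """-x: matching entries are dropped; their permission field is ignored."""
    drop = {parse_entry(e)[0] for e in entries.split(",")}
    return {k: v for k, v in acl.items() if k not in drop}

def well_formed(acl):
    """An ACL must hold the 3 base entries user::, group:: and other::."""
    return all((t, "") in acl for t in ("user", "group", "other"))

def render(acl):
    rank = {"user": 0, "group": 1, "other": 2}
    keys = sorted(acl, key=lambda k: (rank[k[0]], k[1]))
    return [f"{t}:{q}:{fmt(acl[(t, q)])}" for t, q in keys]
```

Running Example 1 from the EXAMPLES section through update() reproduces the listed result, and removing the group:: base entry shows why setacl would refuse the final ACL.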
DEFAULT ACLs
The default directory ACL allows the owner or a privileged user to
associate an ACL with a directory that is to be inherited as an access ACL
when a subdirectory is created. The default directory ACL will also be
inherited as the default directory ACL by the new directory.
The default access ACL allows the owner or a privileged user to associate
an ACL with a directory that is to be inherited as an access ACL when an
object is created within the directory. If the object being created is a
directory and a default directory ACL exists on the parent directory, it is
inherited as the access ACL and not the default access ACL. The default
access ACL is inherited as the default access ACL for any subdirectory
created.
Like access ACLs, both default directory ACLs and default access ACLs must
contain at a minimum the 3 base entries that equate to the permission bits
(user::, group::, other::).
AUTHORIZATIONS
To change or remove the ACL of a file, the user must either own the file or
be privileged.
EXAMPLES
1. Assume that the ACL on a file named shared contains the following
minimum entries:
user::rwx
group::r-x
other::---
The following command updates and adds entries:
$ setacl -u group::r--,user:alpha:-w- shared
The resulting ACL entries are:
user::rwx
user:alpha:-w-
group::r--
other::---
The owning group entry on the command line matches the existing group
entry, so the permission set is reduced to read only. The user entry
on the command line does not match an existing entry and is added.
2. Assume that the ACL on a file named shared contains the following
entries:
user::rwx
user:user1:-w-
group::-w-
group:dec:-wx
other::---
Apply the setacl -u command (update) to the shared file as follows:
$ setacl -u user:user1:-wx shared
The resulting ACL entries are:
user::rwx
user:user1:-wx
group::-w-
group:dec:-wx
other::---
3. Assume that the directory foo contains no default ACLs, and the
following command is issued:
$ setacl -d -u user::rw-,group::r--,other::r--,user:dec:rw- foo
Any file or directory that is created within the directory foo now
inherits the following ACL as the access ACL:
user::rw-
user:dec:r--
group::r--
other::r--
4. Assume that the directory foo contains no default ACLs, and the
following command is issued:
$ setacl -D -u user::rwx,group::r-x,other::---,user:dec:r-x foo
Any directory that is created within the directory foo now inherits
the following ACL as the access ACL, as well as its default directory
ACL:
user::rwx
user:dec:r-x
group::r-x
other::---
5. Assume that the directory foo contains no default ACLs, the 3 base
entries of the access ACL on directory foo are user::rwx, group::r-x,
other::r-x, and the following commands are issued:
$ setacl -D -u user:dec:r-- foo
$ setacl -d -u user::rw-,group::r--,other::---,user:alpha:r-- foo
Any directory that is created within the directory foo now inherits
the default directory ACL of foo as its access ACL as well as its
default directory ACL:
user::rwx
user:dec:r--
group::r-x
other::r-x
In addition, any directory that is created within the directory foo
inherits the default access ACL of foo as its default access ACL:
user::rw-
user:alpha:r--
group::r--
other::r--
Any file created in directory foo inherits the default access ACL of
foo as its access ACL:
user::rw-
user:alpha:r--
group::r--
other::r--
EXIT VALUES
If setacl is invoked incorrectly or cannot decipher the specified ACL, it
returns an exit status of 1. setacl returns an exit status of 0 (zero) if
all files are changed.
ERRORS
The setacl command displays an error message explaining why an ACL of a
file could not be changed.
RELATED INFORMATION
Commands: getacl(1)
Files: acl(4)
Security