DESCRIPTION

     The setfacl utility sets discretionary access control information on the
     specified file(s).  If no files are specified, or the list consists of
     the only "-", the file names are taken from the standard input.

     The following options are available:

     -b      Remove all ACL entries except for the three required entries.  If
             the ACL contains a ``mask'' entry, the permissions of the
             ``group'' entry in the resulting ACL will be set to the permis-
             sion associated with both the ``group'' and ``mask'' entries of
             the current ACL.

     -d      The operations apply to the default ACL entries instead of access
             ACL entries.  Currently only directories may have default ACL's.

     -h      If the target of the operation is a symbolic link, perform the
             operation on the symbolic link itself, rather than following the
             link.

     -k      Delete any default ACL entries on the specified files.  It is not
             considered an error if the specified files do not have any
             default ACL entries.  An error will be reported if any of the
             specified files cannot have a default entry (i.e. non-directo-
             ries).

     -m entries
             Modify the ACL entries on the specified files by adding new
             entries and modifying existing ACL entries with the ACL entries
             specified in entries.

     -M file
             Modify the ACL entries on the specified files by adding new ACL
             entries and modifying existing ACL entries with the ACL entries
             specified in the file file.  If file is -, the input is taken
             from stdin.

     -n      Do not recalculate the permissions associated with the ACL mask
             entry.

     -x entries
             Remove the ACL entries specified in entries from the access or
             default ACL of the specified files.

     -X file
             Remove the ACL entries specified in the file file from the access
             or default ACL of the specified files.

     The above options are evaluated in the order specified on the command-
     line.


     ACL qualifier
             The ACL qualifier field describes the user or group associated
             with the ACL entry.  It may consist of one of the following: uid
             or user name, gid or group name, or empty.  For ``user'' ACL
             entries, an empty field specifies access granted to the file
             owner.  For ``group'' ACL entries, an empty field specifies
             access granted to the file owning group.  ``mask'' and ``other''
             ACL entries do not use this field.

     access permissions
             The access permissions field contains up to one of each of the
             following: `r', `w', and `x' to set read, write, and execute per-
             missions, respectively.  Each of these may be excluded or
             replaced with a `-' character to indicate no access.

     A ``mask'' ACL entry is required on a file with any ACL entries other
     than the default ``user'', ``group'', and ``other'' ACL entries.  If the
     -n option is not specified and no ``mask'' ACL entry was specified, the
     setfacl utility will apply a ``mask'' ACL entry consisting of the union
     of the permissions associated with all ``group'' ACL entries in the
     resulting ACL.

     Traditional POSIX interfaces acting on file system object modes have mod-
     ified semantics in the presence of POSIX.1e extended ACLs.  When a mask
     entry is present on the access ACL of an object, the mask entry is sub-
     stituted for the group bits; this occurs in programs such as stat(1) or
     ls(1).  When the mode is modified on an object that has a mask entry, the
     changes applied to the group bits will actually be applied to the mask
     entry.  These semantics provide for greater application compatibility:
     applications modifying the mode instead of the ACL will see conservative
     behavior, limiting the effective rights granted by all of the additional
     user and group entries; this occurs in programs such as chmod(1).

     ACL entries applied from a file using the -M or -X options shall be of
     the following form: one ACL entry per line, as previously specified;
     whitespace is ignored; any text after a `#' is ignored (comments).

     When ACL entries are evaluated, the access check algorithm checks the ACL
     entries in the following order: file owner, ``user'' ACL entries, file
     owning group, ``group'' ACL entries, and ``other'' ACL entry.

     Multiple ACL entries specified on the command line are separated by com-
     mas.

EXIT STATUS

     The setfacl utility exits 0 on success, and >0 if an error occurs.

EXAMPLES

           setfacl -m u::rwx,g:mail:rw file

     Sets read, write, and execute permissions for the file owner's ACL entry
     file.

           getfacl file1 | setfacl -b -n -M - file2

     Copy ACL entries from file1 to file2.

SEE ALSO

     getfacl(1), acl(3), getextattr(8), setextattr(8), acl(9), extattr(9)

STANDARDS

     The setfacl utility is expected to be IEEE Std 1003.2c compliant.

HISTORY

     Extended Attribute and Access Control List support was developed as part
     of the TrustedBSD Project and introduced in FreeBSD 5.0.

AUTHORS

     The setfacl utility was written by Chris D. Faulhaber <jedgar@fxp.org>.

BSD                             January 7, 2001                            BSD