Set the access control list (ACL) for files or directories
Syntax:
setfacl [-bn] [-m entry[,entry...]] [-M acl_file]
[-x entry[,entry...]] [-X acl_file] [path ...]
Options:
Note: The options are processed in the order they appear on the command line.
- -b
- Remove all the extended ACLs from the specified files and directories.
- -M acl_file
- Merge the entries (see below) given in acl_file into the ACLs of the
specified files and directories. If you specify a hyphen (-) for
acl_file, setfacl reads the entries, one per line, from standard
input until you press Ctrl-D.
- -m entry[,entry...]
- Merge the given entries into the ACLs of the specified files and directories.
- -n
- Don't recalculate the permissions associated with the ACL mask entry.
- -X acl_file
- Remove the entries given in acl_file from the ACLs of the specified files and
directories. If you specify a hyphen (-) for acl_file,
setfacl reads the entries, one per line, from standard input until
you press Ctrl-D.
- -x entry[,entry...]
- Remove the given entries from the ACL of the specified files and directories.
- path ...
- The file or directory that you want to set the ACL for. If you specify a hyphen (-) or
don't specify any paths, setfacl reads them, one per line, from
standard input until you press Ctrl-D.
Description:
The setfacl utility modifies the access control list for files or directories.
ACLs extend the traditional permissions as set with chmod, giving you finer control over who has access to what.
The classes of permissions are:
- owner class
- group class, consisting of named users, the owning group, and named groups
- others (or world) class
For an overview of ACLs, see Access Control Lists (ACLs) in the QNX Neutrino
User's Guide.
If you're using the -M or -m option, each entry is in one of
the following forms:
Entry type | Form
Owner | user::permissions
Named user (identified by name or by ID) | user:user_name:permissions
Owning group | group::permissions
Named group (identified by name or ID) | group:group_name:permissions
The upper bound on permissions for the group class | mask::permissions
Others | other::permissions
If you wish, you can specify just the first letter of user, group,
mask, and other. The permissions are a combination of r (read),
w (write), x (execute), and - (no permission). You can put
these characters in any order and omit any "no permission" hyphens. If the entry
already exists in the ACL, the existing permissions are replaced by the new ones.
If you're using the -X or -x option, the permissions are
ignored, and all permissions are removed for the specified mask, named user, or named
group. You can't remove the entries for the owner, owning group, or others.
Note:
- (QNX Neutrino 7.0 or later) ACLs persist across reboots if the acl option for
the Power-Safe filesystem (fs-qnx6.so) is set to enable (the
default).
- Changes to an ACL can affect the file permissions (i.e., permissions as could be set by
chmod). The changes to the file permissions persist across reboots,
no matter the setting of the acl option.
The setfacl utility is not atomic and cannot isolate itself from parallel
operations. When two instances of setfacl try to set privilege on the
same file simultaneously, they may fail to update the privileges silently without returning
an error. In addition, these two instances overwrite each other and can lead to a
read-modify-write collision.
CAUTION:
Do not run two different setfacl instances on the same file simultaneously.
Examples:
Add read-only permission for a specific user:
# setfacl -m user:frank:r my_file
# getfacl my_file
# file: my_file
# owner: mabel
# group: docs
user::rw-
user:frank:r--
group::rw-
mask::rw-
other::r--
Remove the permissions specified in my_acl from a file:
# cat my_acl
user:frank:
# setfacl -X my_acl my_file
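Because the mask entry is the upper bound for the group class (named users, the owning group, and named groups), an entry can list more permissions than it actually grants. The script below is an added example, not part of the QNX documentation: it reads getfacl-style output and prints each entry whose listed permissions are reduced by the mask. The function names and the sample ACL are constructed for illustration, and the script assumes the full entry type names shown in the getfacl output above.

```shell
#!/bin/sh
# Added example (not from the QNX docs): show where the mask entry
# reduces what a group-class ACL entry actually grants.

# effective_acl: read getfacl-style text on stdin and print, per entry,
#   <type>:<name> <granted> <effective>
effective_acl() {
    awk -F: '
    BEGIN { n = 0; have_mask = 0 }
    /^#/ || NF < 3 { next }               # skip header comments and blanks
    { tag[n] = $1; who[n] = $2; perm[n] = substr($3, 1, 3); n++ }
    $1 == "mask" { mask = substr($3, 1, 3); have_mask = 1 }
    END {
        for (i = 0; i < n; i++) {
            eff = perm[i]
            # Group class: named users, owning group, named groups.
            in_class = (tag[i] == "group" || (tag[i] == "user" && who[i] != ""))
            if (have_mask && in_class) {
                eff = ""
                for (k = 1; k <= 3; k++) {
                    c = substr(perm[i], k, 1)
                    eff = eff ((c != "-" && index(mask, c) > 0) ? c : "-")
                }
            }
            printf "%s:%s %s %s\n", tag[i], who[i], perm[i], eff
        }
    }'
}

# reduced_by_mask: only the entries whose grant is cut down by the mask.
reduced_by_mask() {
    effective_acl | awk '$2 != $3'
}

# Constructed sample: the ACL from the example above, but with frank
# granted rwx and the mask narrowed to r--.
sample_acl() {
    printf '%s\n' '# file: my_file' '# owner: mabel' '# group: docs' \
        'user::rw-' 'user:frank:rwx' 'group::rw-' 'mask::r--' 'other::r--'
}

sample_acl | reduced_by_mask
```

To check a real file, pipe its listing in: getfacl my_file | reduced_by_mask. An empty result means no group-class entry lists more than the mask allows.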
Exit status:
- 0
- Success.
- > 0
- An error occurred.