setfacl [-r] -s acl_entries file
setfacl [-r] -md acl_entries file
setfacl [-r] -f acl_file file
For each file specified, setfacl either replaces its entire ACL, including the default ACL on a directory, or it adds, modifies, or deletes one or more ACL entries, including default entries on directories.
When the setfacl command is used, it can result in changes to the file permission bits. When the user ACL entry for the file owner is changed, the file owner class permission bits are modified. When the group ACL entry for the file group class is changed, the file group class permission bits are modified. When the other ACL entry is changed, the file other class permission bits are modified.
If you use the chmod(1) command to change the file group owner permissions on a file with ACL entries, both the file group owner permissions and the ACL mask are changed to the new permissions. Be aware that the new ACL mask permissions can change the effective permissions for additional users and groups who have ACL entries on the file.
A directory can contain default ACL entries. If a file or directory is created in a directory that contains default ACL entries, the newly created file has permissions generated according to the intersection of the default ACL entries and the permissions requested at creation time. The umask(1) are not applied if the directory contains default ACL entries. If a default ACL is specified for a specific user (or users), the file has a regular ACL created. Otherwise, only the mode bits are initialized according to the intersection described above. The default ACL should be thought of as the maximum discretionary access permissions that can be granted.
Use the setfacl command to set ACLs on files in a UFS file system, which supports POSIX-draft ACLS (or aclent_t style ACLs). Use the chmod command to set ACLs on files in a ZFS file system, which supports NFSv4-style ACLS (or ace_t style ACLs).
For the -m and -s options, acl_entries are one or more comma-separated ACL entries.
An ACL entry consists of the following fields separated by colons:
uid or gid
The following table shows the valid ACL entries (default entries can only be specified for directories):
|u[ser]::perms||File owner permissions.|
The options have the following meaning:
The character # in acl_file can be used to indicate a comment. All characters, starting with the # until the end of the line, are ignored. Notice that if the acl_file has been created as the output of the getfacl(1) command, any effective permissions, which follow a #, are ignored.
Example 1 Adding read permission only
The following example adds one ACL entry to file abc, which gives user shea read permission only.
setfacl -m user:shea:r-- abc
Example 2 Replacing a file's entire ACL
The following example replaces the entire ACL for the file abc, which gives shea read access, the file owner all access, the file group owner read access only, the ACL mask read access only, and others no access.
setfacl -s user:shea:rwx,user::rwx,group::rw-,mask:r--,other:--- abc
Notice that after this command, the file permission bits are rwxr-----. Even though the file group owner was set with read/write permissions, the ACL mask entry limits it to have only read permission. The mask entry also specifies the maximum permissions available to all additional user and group ACL entries. Once again, even though the user shea was set with all access, the mask limits it to have only read permission. The ACL mask entry is a quick way to limit or open access to all the user and group entries in an ACL. For example, by changing the mask entry to read/write, both the file group owner and user shea would be given read/write access.
Example 3 Setting the same ACL on two files
The following example sets the same ACL on file abc as the file xyz.
getfacl xyz | setfacl -f - abc
See attributes(5) for descriptions of the following attributes: