setfacl [-ahqv] -s entries [path ... ]
setfacl [-ahqv] -S file [path ... ]
setfacl [-ahqv] -D type [...] [path ... ]
setfacl [-ahqv] -m|M|x|X EntryOrFile [...] [path ... ]
setfacl sets (replaces), modifies, or removes the access control list (ACL). It also updates and deletes ACL entries for each file and directory that was specified by path. If path was not specified, then file and directory names are read from standard input (stdin). In this case, the input should give one path name per line.
Requirement: To issue setfacl, you must be the file owner or have superuser authority (either UID 0 or READ access to SUPERUSER.FILESYS.CHANGEPERMS in the UNIXPRIV class).
If you specify stdin ("-") in place of a file name, you cannot specify it for any of the other options, and you cannot read the target path names from stdin.
The maximum number of ACL entries for a file or directory is regulated by the security product and the physical file system.
The first two forms allow you to set (replace) the entire ACL. The third form allows you to delete an entire extended ACL. The fourth form allows you to delete, add or modify ACL entries. You can specify the m, M, x, and X options on a single command line, but you can only specify each option once.
When you are setting the access ACL, the ACL must contain the three required base ACL entries that correspond to the file permission bits. It may also contain zero or more extended ACL entries, which allow finer-grained control of access. The permissions for base entries must be in absolute form.
When you are updating ACL entries, you can specify zero or more base entries.
u[ser]::perm
g[roup]::perm
o[ther]::perm
These correspond to the owner, group and other fields of the file permission bits. Extended entries have the form:
[d[efault]: | f[default]:]u[ser]:uid:[+|^]perm
[d[efault]: | f[default]:]g[roup]:gid:[+|^]perm
where:
Rule: For relative permission settings, only one of + or ^ is allowed per ACL entry. When using relative permissions, you must have at least one of r, w, or x. For example, +rw or ^rwx.
The first field of an ACL entry is optional; it specifies the type of ACL (access, directory default, or file default) that will be processed. If the type is not specified, the operation applies only to the access ACL. If you are updating the ACL entries, you can specify the base ACL entries; however, specifying the base ACL entries might cause the file or directory's permission bits to change if what is specified differs from the current settings.
For example, if you specify user:BILLYJC:+rw and the user entry BILLYJC does not currently exist, then the resulting entry will be user:BILLYJC:rw-. Similarly, if you try to remove permissions from an extended ACL entry that does not exist, the resulting permissions will be --- (that is, no permission). For additional information about ACLs and ACL entries, see z/OS UNIX System Services Planning.
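The entry syntax and the relative-permission rules above (one of + or ^ per entry, at least one of r, w or x, a missing entry treated as ---, base entries only in absolute form) can be modelled without touching a real ACL. The following POSIX sh script is an added example and is not from the z/OS man page or IBM's setfacl; it does not call setfacl, it only parses entries and computes what a permission field would become. The function names, the "access"/"default"/"fdefault" labels and the sample entries are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the z/OS setfacl code): model the entry syntax and the
# +/^ relative permission rules. Assumptions: a missing extended entry is
# treated as "---"; entry types are written d:/f: or default:/fdefault:.

# validate_perm PERM: 0 if PERM is an absolute rwx triple or a relative
# +bits/^bits field with exactly one modifier and at least one of r, w, x.
validate_perm() {
    case "$1" in
        +*|^*)
            bits=${1#?}
            case "$bits" in
                '') return 1 ;;            # "+" alone: no r, w or x given
                *[!rwx]*) return 1 ;;      # second modifier or junk character
            esac
            return 0 ;;
        [r-][w-][x-]) return 0 ;;          # absolute form
        *) return 1 ;;
    esac
}

# bit_of PERMS LETTER: prints LETTER if PERMS contains it, otherwise "-"
bit_of() {
    case "$1" in *"$2"*) printf '%s' "$2" ;; *) printf '%s' '-' ;; esac
}

# apply_perm EXISTING PERM: prints the permission that results from applying
# PERM to an entry whose current permission is EXISTING ("" means the entry
# does not exist yet, which the rules above treat as ---).
apply_perm() {
    existing=${1:-"---"}
    perm=$2
    validate_perm "$perm" || { echo "invalid permission field: $perm" >&2; return 1; }
    case "$perm" in
        +*|^*)
            case "$perm" in +*) mod=+ ;; *) mod=^ ;; esac
            bits=${perm#?}
            r=$(bit_of "$existing" r)
            w=$(bit_of "$existing" w)
            x=$(bit_of "$existing" x)
            # + sets the named bits, ^ clears them; unnamed bits are kept
            case "$bits" in *r*) if [ "$mod" = + ]; then r=r; else r=-; fi ;; esac
            case "$bits" in *w*) if [ "$mod" = + ]; then w=w; else w=-; fi ;; esac
            case "$bits" in *x*) if [ "$mod" = + ]; then x=x; else x=-; fi ;; esac
            printf '%s%s%s\n' "$r" "$w" "$x" ;;
        *)
            printf '%s\n' "$perm" ;;       # absolute form replaces outright
    esac
}

# parse_entry ENTRY: prints "TYPE TAG QUALIFIER PERM" for one setfacl entry.
# TYPE is access, default (d:) or fdefault (f:); QUALIFIER is empty for the
# three base entries, whose permissions must be absolute; PERM is empty for
# the -x form (user:uid with no permission field).
parse_entry() {
    entry=$1
    type=access
    case "$entry" in
        d:*|default:*)  type=default;  entry=${entry#*:} ;;
        f:*|fdefault:*) type=fdefault; entry=${entry#*:} ;;
    esac
    case "$entry" in *:*) ;; *) echo "malformed entry: $1" >&2; return 1 ;; esac
    tag=${entry%%:*}
    case "$tag" in
        u|user)  tag=user ;;
        g|group) tag=group ;;
        o|other) tag=other ;;
        *) echo "unknown entry tag: $tag" >&2; return 1 ;;
    esac
    rest=${entry#*:}
    case "$rest" in
        *:*) qualifier=${rest%%:*}; perm=${rest#*:} ;;
        *)   qualifier=$rest; perm= ;;
    esac
    if [ -z "$qualifier" ]; then
        case "$perm" in
            +*|^*) echo "base entry must use absolute permissions: $1" >&2; return 1 ;;
        esac
    fi
    if [ -n "$perm" ]; then
        validate_perm "$perm" || { echo "invalid permission field: $perm" >&2; return 1; }
    fi
    printf '%s %s %s %s\n' "$type" "$tag" "$qualifier" "$perm"
}

# Demonstration on constructed entries, including the BILLYJC case above.
for e in 'user:BILLYJC:+rw' 'd:group:thegang:r--' 'u::rwx' 'f:user:user3'; do
    printf '%-20s -> ' "$e"; parse_entry "$e"
done
printf 'new entry, +rw  -> %s\n' "$(apply_perm '' +rw)"    # rw-
printf 'new entry, ^rw  -> %s\n' "$(apply_perm '' ^rw)"    # ---
printf 'rwx, then ^w    -> %s\n' "$(apply_perm rwx ^w)"    # r-x
```

Running the script prints the parsed fields for each constructed entry and then the three resolutions; the last two lines show why removing bits from an entry that does not exist yields --- rather than an error.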
The specified entries must be unique for each ACL type and its associated user or group combinations.
setfacl -s user::rwx,group::---,other::---,user:billy:r-x foo
This might change the permission bits of the file.
setfacl -m group:cartoons:+r foo
setfacl -s "u::rwx,g::---,o::---, \
user:user1:r-x,group:thegang:r--,user:user2:r-x, \
d:user:user1:r-x,d:group:thegang:r--,d:user:user2:r-x" Haunted
getfacl foo | setfacl -S - bar
setfacl -x user:user3,d:user:user3,f:user:user3 *
setfacl -D e *
setfacl -m user:user1:rwx Haunted
setfacl -x user:user1 $(find Haunted -type f -acl_user user1)
Even if the setfacl command is successful in removing access from user1, user1 might still be able to obtain access to the files in directory Haunted based on the file permission bits, assuming the user has search permission for Haunted.
See Localization for more information.
An approved POSIX standard does not exist for setfacl.
chmod, find, getfacl, ls, filetest, pax, test