Previous Table of Contents Next


Setting Permissions for a File from a Command Line

To set ACL permissions from a command line, you must specify at least the basic set of user, group, other, and mask permissions. Type the following command to set ACL permissions: setfacl -s u::<perm>,g::<perm>,o:<perm>, m:<perm>, [u:<UID>:<perm>], [g:<GID>:<perm>

You can set users by using either their username or their UID number. Note that before you can use the username argument, the user account must already exist in the Passwd database or in the local /etc/passwd file. You can assign permissions to any UID by number, regardless of whether a user account exists.

In the same way, you can set group names by using either the group name or the GID number.

The following example assigns all of the permissions to the user, restricts group permissions to read-only, and denies permissions to other. The default mask sets read-write permissions, and user ray is assigned read-write permissions to the file foo.

First, take a look at the current permissions for the file:

castle% ls -l foo
-rw-rw-rw-    1 winsor       staff      0 Oct 3 14:22 foo

Then set permissions for user, group, owner, and the mask and add one user to the ACL:

castle% setfacl -s u::rwx,g::r—,o:—,mask:rw-,u:ray:rw- foo

Using octal values, as shown in the following example, gives you the same result:

castle% setfacl -s u::7,g::4,o:0,mask:6,u:ray:6 foo

Next, verify that the permissions have been set and that the file has an ACL:

castle% ls -l foo
-rwxrw—    +  1 winsor   staff      0 Oct  3 14:22 foo

As you can see, the permissions for the file are changed and the plus sign after the permission field shows that the file has an ACL. Last, use the getfacl command to verify that everything has been set correctly:

castle% getfacl foo

# file: foo
# owner: winsor
# group: staff
user::rwx
user:ray:rw-         #effective:rw-
group::rw-           #effective:rw-
mask:rw-
other:—
castle%

The getfacl command always displays ACL permissions symbolically, regardless of how you specify the values from the command line.

Using an ACL Configuration File to Set Permissions

You can create an ACL configuration file that contains a list of the permissions you want to set and then use that filename as an argument to the setfacl -s command.


NOTE:  You can use a configuration file only with the -s option to the setfacl command.

Use the following steps to set up the ACL configuration file:

1.  Use any editor to create a file.
2.  Edit the file to include the permissions you want to set, putting each statement on a separate line. Be sure to include permissions for user, group, other, and mask as a minimum set.
3.  Save the file by using any filename you choose.
4.  Type setfacl -f <acl_filename> <filename1> [<filename2>] [<filename3>] and press Return.
5.  Type getfacl <filename1> [<filename2>] [<filename3>] and press Return to verify that the permissions are set correctly.


NOTE:  If you make typographical errors in the configuration file, the command might return a prompt without displaying any error messages. If you make syntax errors, the setfacl command might display an error message. Be sure to use the getfacl command to check that the permissions are set properly.

In the following example, the owner has rwx permissions, group has rw-, other has , and the mask is rw-. Three users with different permissions are also granted access to the file. The acl_file (named anything) contains the following access list:

u::rwx
g::rw-
o:—
m:rw-
u:ray:rwx
u:des:rw-
u:rob:r—

Once you have set up the ACL for the file named anything, you can use the setfacl -f option to assign those same permissions to one more file. In the following example, the file named anything is used as the argument to the -f option to change ACLs for the files foo and bar so that they match the file anything:

castle% setfacl -f anything foo bar
castle% getfacl foo bar

# file: foo
# owner: winsor
# group: staff
user::rwx
user:ray:rwx         #effective:rwx
user:des:rw-         #effective:rw-
user:rob:r—         #effective:r—
group::rw-           #effective:rw-
mask:rw-
other:—

# file: bar
# owner: winsor
# group: staff
user::rwx
user:ray:rwx         #effective:rwx
user:des:rw-         #effective:rw-
user:rob:r—         #effective:r—
group::rw-           #effective:rw-
mask:rw-
other:—
castle%

Adding and Modifying ACL Permissions

You can add and modify ACL permissions for a file that already has an ACL or for any existing UFS file or directory by using the setfacl -m command. Arguments to the setfacl -m command use the same syntax and structure as arguments to the setfacl -s command.

Because each file already has a default owner, group, other, and mask setting, you can use the setfacl -m command on any UFS file without first using the setfacl -s command to specify an owner, group, other, or mask setting. If the file already has the permissions you want to use, you can simply use the setfacl -m command to modify (and create) the ACL for any file or directory.

When you use the -m option, if an entry already exists for a specified UID or GID, the permissions you specify replace the current permissions. If an entry does not exist, it is created.

Type the following syntax to add and modify permissions for a file or files and press Return:

setfacl -m <acl_entry_list><filename1> [<filename2>] [<filename3>]

In the following example, permissions for user ray are modified from rwx to rw- for the file foo.

castle% setfacl -m u:ray:rw- foo
castle% getfacl foo

# file: foo
# owner: winsor
# group: staff
user::rw-
user:ray:rw-         #effective:rw-
group::rw-           #effective:rw-
mask:rw-
other:rw-
castle%


Previous Table of Contents Next