setacl [-r] [-m acl_entries] -d acl_entries file ...
setacl [-r] -f acl_file file ...
The -s option will set the ACL to the entries specified on the command line. The -f option will set the ACL the entries contained within the file acl_file. The -d option will delete one or more specified entries from the file's ACL. The -m option will add or modify one or more specified ACL entries.
One of the options -s, -m, -d, or -f must be specified. If -s or -f are specified, other options are invalid. The -m and -d options may be combined.
For the -m and -s options, acl_entries are one or more comma separated ACL entries selected from the following list. For the -f option, acl_file must contain ACL entries, one to a line, selected from the same list. Default entries may only be specified for directories. Bold face indicates that characters must be typed as specified, brackets denote optional characters, and italicized characters are to be specified by the user.
u[ser]::operm | perm u[ser]:uid:operm | perm g[roup]::operm | perm g[roup]:gid:operm | perm c[lass]:operm | perm o[ther]:operm | perm d[efault]:u[ser]::operm | perm d[efault]:u[ser]:uid:operm | perm d[efault]:g[roup]::operm | perm d[efault]:g[roup]:gid:operm | perm d[efault]:c[lass]:operm | perm d[efault]:o[ther]:operm | perm
For the -d option, acl_entries are one or more comma separated ACL entries without permissions, selected from the following list.
u[ser]:uid g[roup]:gid d[efault]:u[ser]: d[efault]:u[ser]:uid d[efault]:g[roup]: d[efault]:g[roup]:gid d[efault]:c[lass]: d[efault]:o[ther]:
In the above lists, the user specifies the following:
The options have the following meanings:
Specifically, deleting an entry for a specific user would cause that user's permissions to be determined by the ``other'' entry (or the owning ``group'' entry, if the user is in that group).
When the setacl command is used, it may result in changes to the file permission bits. When the ``user'' ACL entry for the file owner is changed, the file owner permission bits will be modified. When the ``other'' ACL entry is changed, the file other permission bits will be modified. When additional ``user'' ACL entries and/or any ``group'' ACL entries are set or modified, the file group class permission bits will be modified to reflect the maximum permissions allowed by the additional ``user'' entries and all the ``group'' entries.
If an ACL does not contain additional ``user'' and additional ``group'' entries, the permissions in the ``group'' entry for the object owning ``group'' and the ``class'' entry must be the same. Therefore, if the -d option is specified and results in no additional user entries and no additional group entries, the ``class'' entry permissions will be set equal to the permissions of the owning group entry (this is equivalent to using the -r option).
A directory may contain default ACL entries. If a file is created in a directory which contains default ACL entries, the entries will be added to the newly created file.
If an ACL does not contain additional ``default:user'' and additional ``default:group'' entries and a ``default:group'' entry is specified for the object owning group, then a ``default:class'' entry must also be specified, and the permissions in the ``default:group'' entry for the object owning group and the permissions for the ``default:class'' entry must be the same.
This command may be executed on a file system that does not support ACLs, to set the permissions for the three base entries for the file owner, file owning group, and others. Additional entries and default entries will not be allowed in this case.
To add one ACL entry to file filea , giving user ``archer'' read permission only, type:
setacl -m user:archer:r-- filea
If an entry for user ``archer'' already exists, this command will set the permissions in that entry to r--.
To replace the entire ACL for file filea, adding entries for users ``archer'', and ``fletcher'', allowing read/write access, an entry for the file owner allowing all access, an entry for the file group allowing read access only, and an entry for others disallowing all access, type:
setacl -r -s user::rwx,user:archer:rw-,user:fletcher:rw-,\ group::r--,class:---,other:--- filea
Even though the file owning group has only read permission, the maximum permissions available to all additional ``user'' ACL entries, and all ``group'' ACL entries, are read and write, since the two additional ``user'' entries both specify these permissions.
To set the same ACL on file filea as in the above example, using the -f option, type:
setacl -r -f filea.acl filea
with file filea.acl edited to contain:
user::rwx user:archer:rw- user:fletcher:rw- group::r-- other:---
Because the -r option was specified, no ``class'' entry was needed. If a class entry had been present it would have been ignored.