setfacl [-r] -md acl_entries file ...
setfacl [-r] -f acl_file file ...
The -s option will set the ACL to the entries specified on the command line. The -f option will set the ACL the entries contained within the file acl_file. The -d option will delete one or more specified entries from the file’s ACL. The -m option will add or modify one or more specified ACL entries. The -r option will cause the permissions specified in the mask entry to be ignored and replaced by the maximum permissions needed for the file group class.
One of the options -s, -m, -d, or -f must be specified. If -s or -f are specified, other options are invalid. The -m and -d options may be combined.
When the setfacl command is used, it may result in changes to the file permission bits. When the user ACL entry for the file owner is changed, the file owner class permission bits will be modified. When the group ACL entry for the file group class is changed, the file group class permission bits will be modified. When the other ACL entry is changed, the file other class permission bits will be modified.
A directory may contain default ACL entries. If a file is created in a directory, which contains default ACL entries, the newly created file will an ACL initialized to the default ACL entries.
For the -m and -s options, acl_entries are one or more comma separated ACL entries selected from the following list. For the -f option, acl_file must contain ACL entries, one to a line, selected from the following list. Default entries may only be specified for directories. Bold face indicates that characters must be typed as specified, brackets denote optional characters, and italicized characters are to be specified by the user.
u[ser]::operm | perm u[ser]:uid:operm | perm g[roup]::operm | perm g[roup]:gid:operm | perm m[ask]:operm | perm o[ther]:operm | perm d[efault]:u[ser]::operm | perm d[efault]:u[ser]:uid:operm | perm d[efault]:g[roup]::operm | perm d[efault]:g[roup]:gid:operm | perm d[efault]:m[ask]:operm | perm d[efault]:o[ther]:operm | perm
For the -d option, acl_entries are one or more comma separated ACL entries without permissions, selected from the following list. Note that the entries for file owner, owning group, file group class, and others may not be deleted.
u[ser]:uid g[roup]:gid d[fault]:u[ser]:uid d[fault]:g[roup]:gid d[fault]:m[ask]: d[fault]:o[ther]:
The character "#" in acl_file may be used to indicate a comment. All characters, starting with the "#", until the end of the line, will be ignored. Note that if the acl_file has been created as the output of the getfacl(1) command, any effective permissions, which will follow a "#", will be ignored.
1) To add one ACL entry to file "foo", giving user "shea" read permission only, type:
setfacl -m user:shea:r-- foo
2) To replace the entire ACL for the file "foo", adding an entry for user "shea", allowing read/write access, an entry for the file owner allowing all access, an entry for the file group allowing read access only, an entry for file group class allowing read/write, and an entry for others disallowing all access, type:
setfacl -s user:shea:rw-,user::rwx,group::r--,mask:rw-,other:--- foo
Note that following this command, the file permission bits will be set to rwxrw----. Even though the file owning group has only read permission, the maximum permissions available to all additional user ACL entries, and all group ACL entries, are read and write. This is because the mask entry specifies these permissions.
To set the same ACL on file "foo" as the file "bar", type:
getfacl bar | setfacl -f - foo
Table of Contents