GETFACL(1)GETFACL(1)NAMEgetfacl - display discretionary file information
SYNOPSISgetfacl [-ad] file...
DESCRIPTION
For each argument that is a regular file, special file, or named pipe,
the getfacl utility displays the owner, the group, and the Access Con‐
trol List (ACL). For each directory argument, getfacl displays the
owner, the group, and the ACL and/or the default ACL. Only directories
contain default ACLs.
The getfacl utility may be executed on a file system that does not sup‐
port ACLs. It reports the ACL based on the base permission bits.
With no options specified, getfacl displays the filename, the file
owner, the file group owner, and both the ACL and the default ACL, if
it exists.
OPTIONS
The following options are supported:
-a
Displays the filename, the file owner, the file group owner, and
the ACL of the file.
-d
Displays the filename, the file owner, the file group owner, and
the default ACL of the file, if it exists.
OPERANDS
The following operands are supported:
file
The path name of a regular file, special file, or named pipe.
OUTPUT
The format for ACL output is as follows:
# file: filename
# owner: uid
# group: gid
user::perm
user:uid:perm
group::perm
group:gid:perm
mask:perm
other:perm
default:user::perm
default:user:uid:perm
default:group::perm
default:group:gid:perm
default:mask:perm
default:other:perm
When multiple files are specified on the command line, a blank line
separates the ACLs for each file.
The ACL entries are displayed in the order in which they are evaluated
when an access check is performed. The default ACL entries that may
exist on a directory have no effect on access checks.
The first three lines display the filename, the file owner, and the
file group owner. Notice that when only the -d option is specified and
the file has no default ACL, only these three lines are displayed.
The user entry without a user ID indicates the permissions that are
granted to the file owner. One or more additional user entries indicate
the permissions that are granted to the specified users.
The group entry without a group ID indicates the permissions that are
granted to the file group owner. One or more additional group entries
indicate the permissions that are granted to the specified groups.
The mask entry indicates the ACL mask permissions. These are the maxi‐
mum permissions allowed to any user entries except the file owner, and
to any group entries, including the file group owner. These permissions
restrict the permissions specified in other entries.
The other entry indicates the permissions that are granted to others.
The default entries may exist only for directories. These entries indi‐
cate the default entries that are added to a file created within the
directory.
The uid is a login name or a user ID if there is no entry for the uid
in the system password file, /etc/passwd. The gid is a group name or a
group ID if there is no entry for the gid in the system group file,
/etc/group. The perm is a three character string composed of the let‐
ters representing the separate discretionary access rights: r (read), w
(write), x (execute/search), or the place holder character −. The perm
is displayed in the following order: rwx. If a permission is not
granted by an ACL entry, the place holder character appears.
If you use the chmod(1) command to change the file group owner permis‐
sions on a file with ACL entries, both the file group owner permissions
and the ACL mask are changed to the new permissions. Be aware that the
new ACL mask permissions may change the effective permissions for addi‐
tional users and groups who have ACL entries on the file.
In order to indicate that the ACL mask restricts an ACL entry, getfacl
displays an additional tab character, pound sign (#), and the actual
permissions granted, following the entry.
EXAMPLES
Example 1 Displaying file information
Given file foo, with an ACL six entries long, the command
host% getfacl foo
would print:
# file: foo
# owner: shea
# group: staff
user::rwx
user:spy:−−−
user:mookie:r−−
group::r−−
mask::rw−
other::−−−
Example 2 Displaying information after chmod command
Continue with the above example, after chmod 700 foo was issued:
host% getfacl foo
would print:
# file: foo
# owner: shea
# group: staff
user::rwx
user:spy:−−−
user:mookie:r−− #effective:−−−
group::−−−
mask::−−−
other::−−−
Example 3 Displaying information when ACL contains default entries
Given directory doo, with an ACL containing default entries, the com‐
mand
host% getfacl-d doo
would print:
# file: doo
# owner: shea
# group: staff
default:user::rwx
default:user:spy:−−−
default:user:mookie:r−−
default:group::r−−
default:mask::−−−
default:other::−−−
FILES
/etc/passwd
system password file
/etc/group
group file
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌────────────────────┬─────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├────────────────────┼─────────────────┤
│Interface Stability │ Evolving │
└────────────────────┴─────────────────┘
SEE ALSOchmod(1), ls(1), setfacl(1), acl(2), aclsort(3SEC), group(4),
passwd(4), attributes(5)NOTES
The output from getfacl is in the correct format for input to the set‐
facl -f command. If the output from getfacl is redirected to a file,
the file may be used as input to setfacl. In this way, a user may eas‐
ily assign one file's ACL to another file.
Nov 5, 1994 GETFACL(1)