SETCIFSACL(1) CIFS Access Control List Tools SETCIFSACL(1)NAME
setcifsacl - Userspace helper to alter an ACL in a security descriptor for Common Internet File System (CIFS)
SYNOPSIS
setcifsacl [-v|-a|-D|-M|-S] "{one or more ACEs}" {file system object}
DESCRIPTION
This tool is part of the cifs-utils suite.
setcifsacl is a userspace helper program for the Linux CIFS client file system. It is intended to alter an ACL of a security descriptor
for a file system object. Whether a security descriptor to be set is applied or not is determined by the CIFS/SMB server.
This program uses a plugin to handle the mapping of user and group names to SIDs. /etc/cifs-utils/idmap-plugin should be a symlink that
points to the correct plugin to use.
OPTIONS -h
Print usage message and exit.
-v
Print version number and exit.
-a
Add one or more ACEs to an ACL of a security descriptor. An ACE is added even if the same ACE exists in the ACL.
-D
Delete one or more ACEs from an ACL of a security descriptor. Entire ACE has to match in an existing ACL for the listed ACEs to be
deleted.
-M
Modify one or more ACEs from an ACL of a security descriptor. SID and type are used to match for existing ACEs to be modified with the
list of ACEs specified.
-S
Set an ACL of security descriptor with the list of ACEs Existing ACL is replaced entirely with the specified ACEs.
Every ACE entry starts with "ACL:" One or more ACEs are specified within double quotes. Multiple ACEs are separated by a comma.
Following fields of an ACE can be modified with possible values:
SID: Either a name or a raw SID value.
type: ALLOWED (0x0), DENIED (0x1), OBJECT_ALLOWED (0x5), OBJECT_DENIED (0x6)
flags: OBJECT_INHERIT_FLAG (OI or 0x1), CONTAINER_INHERIT_FLAG (CI or 0x2), NO_PROPAGATE_INHERIT_FLAG (NI or 0x4), INHERIT_ONLY_FLAG (IO or
0x8), INHERITED_ACE_FLAG (IA or 0x10) or a combination/OR of these values.
mask: Either one of FULL, CHANGE, READ, a combination of R W X D P O, or a hex value
EXAMPLES
Add an ACE
setcifsacl -a "ACL:CIFSTESTDOMuser2:DENIED/0x1/D" <file_name> setcifsacl -a "ACL:CIFSTESTDOMuser1:ALLOWED/OI|CI|NI/D" <file_name>
Delete an ACE
setcifsacl -D "ACL:S-1-1-0:0x1/OI/0x1201ff" <file_name>
Modify an ACE
setcifsacl -M "ACL:CIFSTESTDOMuser1:ALLOWED/0x1f/CHANGE" <file_name>
Set an ACL
setcifsacl -S "ACL:CIFSTESTDOMAdministrator:0x0/0x0/FULL,
ACL:CIFSTESTDOMuser2:0x0/0x0/FULL" <file_name>
NOTES
Kernel support for getcifsacl/setcifsacl utilities was initially introduced in the 2.6.37 kernel.
SEE ALSO mount.cifs(8), getcifsacl(1)AUTHOR
Shirish Pargaonkar wrote the setcifsacl program.
The Linux CIFS Mailing list is the preferred place to ask questions regarding these programs.
cifs-utils 08/19/2011 SETCIFSACL(1)
Check Out this Related Man Page
NFS4_SETFACL(1) NFSv4 Access Control Lists NFS4_SETFACL(1)NAME
nfs4_setfacl, nfs4_editfacl - manipulate NFSv4 file/directory access control lists
SYNOPSIS
nfs4_setfacl [OPTIONS] COMMAND file...
nfs4_editfacl [OPTIONS] file...
DESCRIPTION
nfs4_setfacl manipulates the NFSv4 Access Control List (ACL) of one or more files (or directories), provided they are on a mounted NFSv4
filesystem which supports ACLs.
nfs4_editfacl is equivalent to nfs4_setfacl -e.
Refer to the nfs4_acl(5) manpage for information about NFSv4 ACL terminology and syntax.
COMMANDS
-a acl_spec [index]
add the ACEs from acl_spec to file's ACL. ACEs are inserted starting at the indexth position (DEFAULT: 1) of file's ACL.
-A acl_file [index]
add the ACEs from the acl_spec in acl_file to file's ACL. ACEs are inserted starting at the indexth position (DEFAULT: 1) of file's
ACL.
-x acl_spec | index
delete ACEs matched from acl_spec - or delete the indexth ACE - from file's ACL. Note that the ordering of the ACEs in acl_spec
does not matter.
-X acl_file
delete ACEs matched from the acl_spec in acl_file from file's ACL. Note that the ordering of the ACEs in the acl_spec does not mat-
ter.
-s acl_spec
set file's ACL to acl_spec.
-S acl_file
set file's ACL to the acl_spec in acl_file.
-e, --edit
edit file's ACL in the editor defined in the EDITOR environment variable (DEFAULT: vi(1)) and set the resulting ACL upon a clean
exit, assuming changes made in the editor were saved. Note that if multiple files are specified, the editor will be serially
invoked once per file.
-m from_ace to_ace
modify file's ACL in-place by replacing from_ace with to_ace.
-?, -h, --help
display help text and exit.
--version
display this program's version and exit.
NOTE: if '-' is given as the acl_file with the -A/-X/-S flags, the acl_spec will be read from stdin.
OPTIONS
-R, --recursive
recursively apply to a directory's files and subdirectories. Similar to setfacl(1), the default behavior is to follow symlinks
given on the command line and to skip symlinks encountered while recursing through directories.
-L, --logical
in conjunction with -R/--recursive, a logical walk follows all symbolic links.
-P, --physical
in conjunction with -R/--recursive, a physical walk skips all symbolic links.
--test
display results of COMMAND, but do not save changes.
PERMISSIONS ALIASES
With nfs4_setfacl, one can use simple abbreviations ("aliases") to express generic "read" (R), generic "write" (W), and generic "execute"
(X) permissions, familiar from the POSIX mode bits used by, e.g., chmod(1). To use these aliases, one can put them in the permissions
field of an NFSv4 ACE and nfs4_setfacl will convert them: an R is expanded to rntcy, a W is expanded to watTNcCy (with D added to directory
ACEs), and an X is expanded to xtcy. Please refer to the nfs4_acl(5) manpage for information on specific NFSv4 ACE permissions.
For example, if one wanted to grant generic "read" and "write" access on a file, the NFSv4 permissions field would normally contain some-
thing like rwatTnNcCy. Instead, one might use aliases to accomplish the same goal with RW.
The two permissions not included in any of the aliases are d (delete) and o (write-owner). However, they can still be used: e.g., a per-
missions field consisting of Wdo expresses generic "write" access as well as the ability to delete and change ownership.
EXAMPLES
Assume that the file `foo' has the following NFSv4 ACL for the following examples:
A::OWNER@:rwatTnNcCy
D::OWNER@:x
A:g:GROUP@:rtncy
D:g:GROUP@:waxTC
A::EVERYONE@:rtncy
D::EVERYONE@:waxTC
- add ACE granting `alice@nfsdomain.org' generic "read" and "execute" access (defaults to prepending ACE to ACL):
$ nfs4_setfacl -a A::alice@nfsdomain.org:rxtncy foo
- add the same ACE as above, but using aliases:
$ nfs4_setfacl -a A::alice@nfsdomain.org:RX foo
- edit existing ACL in a text editor and set modified ACL on clean save/exit:
$ nfs4_setfacl -e foo
- set ACL (overwrites original) to contents of a spec_file named `newacl.txt':
$ nfs4_setfacl -S newacl.txt foo
- recursively set the ACLs of all files and subdirectories in the current directory, skipping all symlinks encountered, to the ACL con-
tained in the spec_file named `newacl.txt':
$ nfs4_setfacl -R -P -S newacl.txt *
- delete the first ACE, but only print the resulting ACL (does not save changes):
$ nfs4_setfacl --test -x 1 foo
- delete the last two ACEs above:
$ nfs4_setfacl -x "A::EVERYONE@rtncy, D::EVERYONE@:waxTC" foo
- modify (in-place) the second ACE above:
$ nfs4_setfacl -m D::OWNER@:x D::OWNER@:xo foo
- set ACLs of `bar' and `frobaz' to ACL of `foo':
$ nfs4_getfacl foo | nfs4_setfacl -S - bar frobaz
AUTHORS
nfs4_setfacl was written by people at CITI, the Center for Information Technology Integration (http://www.citi.umich.edu). This manpage
was written by David Richter.
CONTACT
Please send bug reports, feature requests, and comments to <nfsv4@linux-nfs.org>.
SEE ALSO nfs4_getfacl(1), nfs4_acl(5), RFC3530 (NFSv4.0), NFSv4.1 Minor Version Draft.
Linux version 0.3.3, August 2008 NFS4_SETFACL(1)