getfacl(1)
NAME
getfacl - display discretionary file information
SYNOPSIS
getfacl [-ad] file...
DESCRIPTION
For each argument that is a regular file, special file, or
named pipe, getfacl displays the owner, the group, and the
Access Control List (ACL). For each directory argument, get-
facl displays the owner, the group, and the ACL and/or the
default ACL. Only directories contain default ACLs.
getfacl may be executed on a file system that does not sup-
port ACLs. It reports the ACL based on the base permission
bits.
With no options specified, getfacl displays the filename,
the file owner, the file group owner, and both the ACL and
the default ACL, if it exists.
OPTIONS
The following options are supported:
-a Display the filename, the file owner, the file group
owner, and the ACL of the file.
-d Display the filename, the file owner, the file group
owner, and the default ACL of the file, if it exists.
OPERANDS
The following operands are supported:
file The path name of a regular file, special file, or
named pipe.
OUTPUT
The format for ACL output is as follows:
# file: filename
# owner: uid
# group: gid
user::perm
user:uid:perm
group::perm
group:gid:perm
mask:perm
other:perm
default:user::perm
default:user:uid:perm
default:group::perm
default:group:gid:perm
default:mask:perm
default:other:perm
When multiple files are specified on the command line, a
blank line separates the ACLs for each file.
The ACL entries are displayed in the order in which they are
evaluated when an access check is performed. The default ACL
entries that may exist on a directory have no effect on
access checks.
The first three lines display the filename, the file owner,
and the file group owner. Note that when only the -d option
is specified and the file has no default ACL, only these
three lines are displayed.
The user entry without a user ID indicates the permissions
that are granted to the file owner. One or more additional
user entries indicate the permissions that are granted to
the specified users.
The group entry without a group ID indicates the permissions
that are granted to the file group owner. One or more addi-
tional group entries indicate the permissions that are
granted to the specified groups.
The mask entry indicates the ACL mask permissions. These are
the maximum permissions allowed to any user entries except
the file owner, and to any group entries, including the file
group owner. These permissions restrict the permissions
specified in other entries.
The other entry indicates the permissions that are granted
to others.
The default entries may exist only for directories, and
indicate the default entries that are added to a file
created within the directory.
The uid is a login name or a user ID if there is no entry
for the uid in the system password file, /etc/passwd. The
gid is a group name or a group ID if there is no entry for
the gid in the system group file, /etc/group. The perm is a
three character string composed of the letters representing
the separate discretionary access rights: r (read), w
(write), x (execute/search), or the place holder character
-. The perm is displayed in the following order: rwx. If a
permission is not granted by an ACL entry, the place holder
character appears.
If you use the chmod(1) command to change the file group
owner permissions on a file with ACL entries, both the file
group owner permissions and the ACL mask are changed to the
new permissions. Be aware that the new ACL mask permissions
may change the effective permissions for additional users
and groups who have ACL entries on the file.
In order to indicate that the ACL mask restrict an ACL
entry, getfacl displays an additional tab character, pound
sign ("#"), and the actual permissions granted, following
the entry.
EXAMPLES
Example 1: Displaying file information
Given file "foo", with an ACL six entries long, the command
host% getfacl foo
would print:
# file: foo
# owner: shea
# group: staff
user::rwx
user:spy:---
user:mookie:r--
group::r--
mask::rw-
other::---
Example 2: Displaying information after chmod command
Continue with the above example, after "chmod 700 foo" was
issued:
host% getfacl foo
would print:
# file: foo
# owner: shea
# group: staff
user::rwx
user:spy:---
user:mookie:r-- #effective:---
group::---
mask::---
other::---
Example 3: Displaying information when ACL contains default
entries
Given directory "doo", with an ACL containing default
entries, the command
host% getfacl -d doo
would print:
# file: doo
# owner: shea
# group: staff
default:user::rwx
default:user:spy:---
default:user:mookie:r--
default:group::r--
default:mask::---
default:other::---
FILES
/etc/passwd
system password file
/etc/group
group file
ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWcsu |
|_____________________________|_____________________________|
| Interface Stability | Evolving |
|_____________________________|_____________________________|
SEE ALSO
chmod(1), ls(1), setfacl(1), acl(2), aclsort(3SEC),
group(4), passwd(4), attributes(5)
NOTES
The output from getfacl is in the correct format for input
to the setfacl -f command. If the output from getfacl is
redirected to a file, the file may be used as input to set-
facl. In this way, a user may easily assign one file's ACL
to another file.
Man(1) output converted with
man2html