GETFACL(1) User Commands GETFACL(1)
NAME
getfacl - display discretionary file information
SYNOPSIS
getfacl [
-ad]
file...
DESCRIPTION
For each argument that is a regular file, special file, or named
pipe, the
getfacl utility displays the owner, the group, and the
Access Control List (
ACL). For each directory argument,
getfacl displays the owner, the group, and the
ACL and/or the default
ACL.
Only directories contain default
ACLs.
The
getfacl utility will fail if executed on a file system that
supports NFSv4
ACLs. See
acl(7) for a description of the difference
between the older POSIX-draft
ACLs and the newer NFSv4
ACLs. The
ls(1) utility, when used with the
-v or
-V options, will display
ACLs
on all types of file system.
The
getfacl utility may be executed on a file system that does not
support
ACLs. It reports the
ACL based on the base permission bits.
With no options specified,
getfacl displays the filename, the file
owner, the file group owner, and both the
ACL and the default
ACL, if
it exists.
OPTIONS
The following options are supported:
-a Displays the filename, the file owner, the file group owner,
and the
ACL of the file.
-d Displays the filename, the file owner, the file group owner,
and the default
ACL of the file, if it exists.
OPERANDS
The following operands are supported:
file The path name of a regular file, special file, or named pipe.
OUTPUT
The format for
ACL output is as follows:
# file: filename
# owner: uid
# group: gid
user::perm
user:uid:perm
group::perm
group:gid:perm
mask:perm
other:perm
default:user::perm
default:user:uid:perm
default:group::perm
default:group:gid:perm
default:mask:perm
default:other:perm
When multiple files are specified on the command line, a blank line
separates the
ACLs for each file.
The
ACL entries are displayed in the order in which they are
evaluated when an access check is performed. The default
ACL entries
that may exist on a directory have no effect on access checks.
The first three lines display the filename, the file owner, and the
file group owner. Notice that when only the
-d option is specified
and the file has no default
ACL, only these three lines are
displayed.
The
user entry without a user
ID indicates the permissions that are
granted to the file owner. One or more additional user entries
indicate the permissions that are granted to the specified users.
The
group entry without a group
ID indicates the permissions that are
granted to the file group owner. One or more additional group entries
indicate the permissions that are granted to the specified groups.
The
mask entry indicates the
ACL mask permissions. These are the
maximum permissions allowed to any user entries except the file
owner, and to any group entries, including the file group owner.
These permissions restrict the permissions specified in other
entries.
The
other entry indicates the permissions that are granted to others.
The
default entries may exist only for directories. These entries
indicate the default entries that are added to a file created within
the directory.
The
uid is a login name or a user
ID if there is no entry for the
uid in the system password file,
/etc/passwd. The
gid is a group name or
a group
ID if there is no entry for the
gid in the system group file,
/etc/group. The
perm is a three character string composed of the
letters representing the separate discretionary access rights:
r (read),
w (write),
x (execute/search), or the place holder character
-. The
perm is displayed in the following order:
rwx. If a permission
is not granted by an
ACL entry, the place holder character appears.
If you use the
chmod(1) command to change the file group owner
permissions on a file with
ACL entries, both the file group owner
permissions and the
ACL mask are changed to the new permissions. Be
aware that the new
ACL mask permissions may change the effective
permissions for additional users and groups who have
ACL entries on
the file.
In order to indicate that the
ACL mask restricts an
ACL entry,
getfacl displays an additional tab character, pound sign (
#), and the
actual permissions granted, following the entry.
EXAMPLES
Example 1: Displaying file information
Given file
foo, with an
ACL six entries long, the command
host%
getfacl foo would print:
# file: foo
# owner: shea
# group: staff
user::rwx
user:spy:---
user:mookie:r--
group::r--
mask::rw-
other::---
Example 2: Displaying information after chmod command
Continue with the above example, after
chmod 700 foo was issued:
host%
getfacl foo would print:
# file: foo
# owner: shea
# group: staff
user::rwx
user:spy:---
user:mookie:r-- #effective:---
group::---
mask::---
other::---
Example 3: Displaying information when ACL contains default entries
Given directory
doo, with an
ACL containing default entries, the
command
host%
getfacl -d doo would print:
# file: doo
# owner: shea
# group: staff
default:user::rwx
default:user:spy:---
default:user:mookie:r--
default:group::r--
default:mask::---
default:other::---
FILES
/etc/passwd system password file
/etc/group group file
ATTRIBUTES
See
attributes(7) for descriptions of the following attributes:
+--------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-----------------+
|Interface Stability | Evolving |
+--------------------+-----------------+
SEE ALSO
chmod(1),
ls(1),
setfacl(1),
acl(2),
aclsort(3SEC),
group(5),
passwd(5),
acl(7),
attributes(7)NOTES
The output from
getfacl is in the correct format for input to the
setfacl -f command. If the output from
getfacl is redirected to a
file, the file may be used as input to
setfacl. In this way, a user
may easily assign one file's
ACL to another file.
February 8, 2020 GETFACL(1)
