1 .TH apply-default-acl 1
4 apply-default-acl \- Apply default POSIX ACLs to files and directories.
8 \fBapply-default-acl\fR [\fB-rx\fR] \fIpath\fR [\fIpath2 ...\fR]
13 If the directory containing \fIpath\fR has a default ACL, the ACL on
14 \fIpath\fR is replaced with that default. Neither symbolic nor hard
15 links are followed; symbolic links are ignored in all path components
16 to avoid a dangerous race condition.
18 By default, a heuristic is used to determine whether or not the
19 execute bit is masked on \fIpath\fR. If \fIpath\fR is not a directory,
20 and no user or group has \fBeffective\fR execute permissions on
21 \fIpath\fR, then the execute bit will not masked. Otherwise, it is
22 left alone. In effect we pretend that the \fBx\fR permission acts like
23 the \fBX\fR (note the case difference) permission of \fBsetfacl\fR.
25 This behavior can be modified with the \fB--no-exec-mask\fR flag.
28 .IP \fB\-\-recursive\fR,\ \fB\-r\fR
29 Apply default ACLs recursively. This works top-down, so if directory
30 \fBfoo\fR is in another directory \fBbar\fR which has a default ACL,
31 then \fBbar\fR's default ACL will be applied to \fBfoo\fR before the
32 contents of \fBfoo\fR are processed.
33 .IP \fB\-\-no-exec-mask\fR,\ \fB\-x\fR
34 Apply the default ACL literally; that is, don't use a heuristic to
35 decide whether or not to mask the execute bit. This usually results in
36 looser-than-necessary execute permissions.
39 .IP "I. Argument validation" 0.4i
41 .IP "a. If any part of the target path contains a symlink" 0.4i
43 .IP "b. If there's no default ACL to apply"
45 .IP "c. If the target is not a (non-hardlink) regular file or directory"
48 .IP "II. ACL application"
50 .IP "a. If the target is a directory" 0.4i
51 Set the target's default ACL equal to its parent's default ACL
52 .IP "b. Set the target's access ACL equal to its parent's default ACL"
53 .IP "c. If the target is a directory"
55 .IP "d. If the target was executable by anyone"
57 .IP "e. If \fB--no-exec-mask\fR was given"
59 .IP "f. Unset the user/group/other/mask execute bits"
60 .IP "g. Return success"
63 The action of apply-default ACL largely mimics what the kernel would
64 do if you ran \fImkdir\fR or \fItouch\fR to create a new file. The one
65 point of disagreement is on how to mask group-execute permissions for
66 files. The kernel will let the \(dqmask\(dq bits prevent group-execute,
67 whereas apply-default-acl will explicitly remove the group-execute bits.
72 .I $ setfacl --default --modify user:mjo:rw herp
74 .I $ getfacl --omit-header herp/derp
77 group::r-x #effective:r--
82 In the same situation, apply-default-acl will mask the group \fBx\fR bit:
85 .I $ apply-default-acl herp/derp
86 .I $ getfacl --omit-header herp/derp
94 The author is of the opinion that the latter is more sensible, if not
95 simply more consistent.
99 When given a single path, the following codes correspond directly to
100 the action of the program on that path:
101 .IP \fB0\ (EXIT_SUCCESS)\fR
103 .IP \fB1\ (EXIT_FAILURE)\fR
104 Failure due to a symlink, hardlink, or invalid/inaccessible path
106 Other unexpected library error
108 When called on multiple paths, the results from all paths are
109 collected and the \(dqworst\(dq result is returned. For example, if
110 one path succeeds and another fails, the overall result will be
111 failure. If one succeeds, one fails, and one causes an error, then the
112 overall result will be an error; and so on.
114 When the \fB\-\-recursive\fR flag is used, the exit code is computed
115 as if all affected paths were passed, depth-first, on the command-line.