=head1 NAME

fs setacl - Sets the ACL for a directory
=head1 SYNOPSIS

B<fs setacl> S<<< B<-dir> <I<directory>>+ >>> S<<< B<-acl> <I<access list entries>>+ >>>
[B<-clear>] [B<-negative>] [B<-id>] [B<-if>] [B<-help>]

B<fs sa> S<<< B<-d> <I<directory>>+ >>> S<<< B<-a> <I<access list entries>>+ >>>
[B<-c>] [B<-n>] [B<-id>] [B<-if>] [B<-h>]

B<fs seta> S<<< B<-d> <I<directory>>+ >>> S<<< B<-a> <I<access list entries>>+ >>>
[B<-c>] [B<-n>] [B<-id>] [B<-if>] [B<-h>]
=head1 DESCRIPTION

The B<fs setacl> command adds the access control list (ACL) entries
specified with the B<-acl> argument to the ACL of each directory named by

If the B<-dir> argument designates a pathname in DFS filespace (accessed
via the AFS/DFS Migration Toolkit Protocol Translator), it can be a file
as well as a directory. The ACL must already include an entry for
C<mask_obj>, however. For more details, refer to the I<IBM AFS/DFS
Migration Toolkit Administration Guide and Reference>.

Only user and group entries are acceptable values for the B<-acl>
argument. Do not place machine entries (IP addresses) directly on an ACL;
instead, make the machine entry a group member and place the group on the
To completely erase the existing ACL before adding the new entries,
provide the B<-clear> flag. To add the specified entries to the C<Negative
rights> section of the ACL (deny rights to specified users or groups),
provide the B<-negative> flag.

To display an ACL, use the B<fs listacl> command. To copy an ACL from one
directory to another, use the B<fs copyacl> command.
=head1 CAUTIONS

If the ACL already grants certain permissions to a user or group, the
permissions specified with the B<fs setacl> command replace the existing
permissions, rather than being added to them.

Setting negative permissions is generally unnecessary and not
recommended. Simply omitting a user or group from the C<Normal rights>
section of the ACL is normally adequate to prevent access. In particular,
note that it is futile to deny permissions that are granted to members of
the system:anyuser group on the same ACL: the user needs only to issue the
B<unlog> command, after which the now unauthenticated requests match only
the system:anyuser entry and the negative entry no longer applies.

When including the B<-clear> option, be sure to reinstate an entry for
each directory's owner that includes at least the C<l> (lookup)
permission. Without that permission, it is impossible to resolve the "dot"
(C<.>) and "dot dot" (C<..>) shorthand from within the directory. (The
directory's owner does implicitly have the C<a> (administer) permission
even on a cleared ACL, but must know to use it to add other permissions.)
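What follows is an added example and not part of this manual page or of
the AFS code: a short Python model of the ACL semantics described in this
section and in the B<-acl> description below. It parses the text that
B<fs listacl> prints, applies B<fs setacl> entries with the documented
behaviour (an entry replaces the principal's existing rights instead of
adding to them, B<-clear> empties both sections, B<-negative> entries are
subtracted from whatever the C<Normal rights> grant, and a user who has
issued B<unlog> matches only system:anyuser), expands the four shorthand
words, computes the rights a given principal ends up with, and audits an
ACL for the pitfalls listed above. The ACL text, the group memberships,
the IP-address entry and the owner name are constructed for illustration;
in a real cell the memberships come from the Protection Database, and the
implicit C<a> right of the owner and of system:administrators is modelled
as the PRIVILEGE REQUIRED section states it.

```python
"""Model of the AFS directory-ACL semantics described on this page (added example, not
AFS code). Parses `fs listacl` output, applies `fs setacl` entries with the documented
replace / -clear / -negative semantics, computes effective rights and audits for the CAUTIONS."""
import re

LETTERS = "rlidwka"          # the seven AFS permissions, in the page's order
APP_LETTERS = "ABCDEFGH"     # application-defined bits; must be uppercase
SHORTHAND = {"all": "rlidwka", "write": "rlidwk", "read": "rl", "none": ""}
MACHINE_ENTRY = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")  # an IP address used as an ACL name

def canonical(letters):
    """Letters in the page's order, duplicates dropped."""
    return "".join(c for c in LETTERS + APP_LETTERS if c in letters)

def expand_rights(spec):
    """One shorthand word or one string of letters; mixing the two in one spec is rejected."""
    if spec in SHORTHAND:
        return SHORTHAND[spec]
    if not spec or any(c not in LETTERS + APP_LETTERS for c in spec):
        raise ValueError("bad rights specification: %r" % spec)
    return canonical(spec)

def parse_listacl(text):
    """`fs listacl` output -> {"normal": {name: letters}, "negative": {name: letters}}."""
    acl, section = {"normal": {}, "negative": {}}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Normal rights"):
            section = "normal"
        elif line.startswith("Negative rights"):
            section = "negative"
        elif section and line:
            name, letters = line.split()
            acl[section][name] = canonical(letters)
    return acl

def setacl(acl, entries, clear=False, negative=False):
    """Apply `fs setacl -acl ENTRIES [-clear] [-negative]`; ENTRIES is the flat list typed
    on the command line. An entry REPLACES that principal's rights in its section rather
    than adding to them, 'none' removes the entry, and -clear empties both sections first."""
    if len(entries) % 2:
        raise ValueError("-acl takes name/rights pairs")
    new = {"normal": {}, "negative": {}} if clear else {k: dict(v) for k, v in acl.items()}
    section = "negative" if negative else "normal"
    for name, spec in zip(entries[::2], entries[1::2]):
        letters = expand_rights(spec)
        if letters:
            new[section][name] = letters
        else:
            new[section].pop(name, None)
    return new

def effective_rights(acl, principal, groups, owner=None, authenticated=True):
    """Union of Normal entries matching the principal and its groups, minus every matching
    Negative entry. An unauthenticated request (what `unlog` leaves) matches only
    system:anyuser, so a negative entry naming the user stops applying. The implicit 'a'
    of the owner and of system:administrators is added as the page states it."""
    if authenticated:  # every authenticated user is also in system:anyuser and system:authuser
        ids = {principal, "system:anyuser", "system:authuser"} | set(groups.get(principal, ()))
    else:
        ids = {"system:anyuser"}
    granted = set().union(*(acl["normal"].get(name, "") for name in ids))
    granted -= set().union(*(acl["negative"].get(name, "") for name in ids))
    if authenticated and (principal == owner or "system:administrators" in ids):
        granted.add("a")
    return canonical(granted)

def futile_negatives(acl):
    """Negative entries denying rights that system:anyuser grants anyway: {name: letters}."""
    anyuser = set(acl["normal"].get("system:anyuser", ""))
    return {name: canonical(set(letters) & anyuser)
            for name, letters in acl["negative"].items() if set(letters) & anyuser}

def audit(acl, owner):
    """Warnings for the pitfalls listed under CAUTIONS, as a list of strings."""
    warnings = []
    if "l" not in acl["normal"].get(owner, ""):
        warnings.append("owner %s lacks l (lookup); . and .. will not resolve" % owner)
    for name, letters in futile_negatives(acl).items():
        warnings.append("negative entry for %s is futile: system:anyuser grants %s" % (name, letters))
    for section in ("normal", "negative"):
        for name in acl[section]:
            if MACHINE_ENTRY.match(name):
                warnings.append("machine entry %s belongs in a group, not on the ACL" % name)
    return warnings

# Constructed `fs listacl` output for a directory owned by pat (not captured from a cell).
SAMPLE_LISTACL = """\
Access list for reports is
Normal rights:
  system:administrators rlidwka
  pat rlidwka
  system:anyuser rl
Negative rights:
  smith rl
"""

if __name__ == "__main__":
    acl = parse_listacl(SAMPLE_LISTACL)
    # 'rl' then 'write' for smith: the second entry replaces the first, it does not add to it
    acl = setacl(acl, ["smith", "rl", "smith", "write", "pat:friends", "rli"])
    print("smith with tokens:", effective_rights(acl, "smith", {}, owner="pat"))
    print("smith after unlog:", effective_rights(acl, "smith", {}, owner="pat", authenticated=False))
    for warning in audit(acl, "pat"):
        print("warning:", warning)
```

Run as a script it prints smith's rights with tokens (C<idwk>: the
negative entry removes C<r> and C<l> from the C<rlidwk> that C<write>
granted) and after B<unlog> (C<rl>, from the system:anyuser entry),
followed by the warning that the negative entry is futile. Feed real
B<fs listacl> output to C<parse_listacl> and treat a non-empty result from
C<audit> as a reason not to trust the ACL as it stands.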
=head1 OPTIONS

=item B<-dir> <I<directory>>+

Names each AFS directory, or DFS directory or file, for which to set the
ACL. Partial pathnames are interpreted relative to the current working

Specify the read/write path to each directory (or DFS file), to avoid the
failure that results from attempting to change a read-only volume. By
convention, the read/write path is indicated by placing a period before
the cell name at the pathname's second level (for example,
F</afs/.abc.com>). For further discussion of the concept of read/write and
read-only paths through the filespace, see the B<fs mkmount> reference
=item B<-acl> <I<access list entries>>+

Defines a list of one or more ACL entries, each a pair that names:

A user name or group name as listed in the Protection Database.

One or more ACL permissions, indicated either by combining the individual
letters or by one of the four acceptable shorthand words.

in that order, separated by a space (thus every instance of this argument
has two parts). The accepted AFS abbreviations and shorthand words, and
the meaning of each, are as follows:
=item a (administer)

Change the entries on the ACL.

=item d (delete)

Remove files and subdirectories from the directory or move them to other

=item i (insert)

Add files or subdirectories to the directory by copying, moving or

=item k (lock)

Set read locks or write locks on the files in the directory.

=item l (lookup)

List the files and subdirectories in the directory, stat the directory
itself, and issue the B<fs listacl> command to examine the directory's

=item r (read)

Read the contents of files in the directory; issue the C<ls -l> command to
stat the elements in the directory.

=item w (write)

Modify the contents of files in the directory, and issue the UNIX B<chmod>
command to change their mode bits.
=item A, B, C, D, E, F, G, H

Have no default meaning to the AFS server processes, but are made
available for applications to use in controlling access to the directory's
contents in additional ways. The letters must be uppercase.
=item all

Equals all seven permissions (C<rlidwka>).

=item none

No permissions. Removes the user/group from the ACL, but does not
guarantee they have no permissions if they belong to groups that remain on

=item read

Equals the C<r> (read) and C<l> (lookup) permissions.

=item write

Equals all permissions except C<a> (administer), that is, C<rlidwk>.
It is acceptable to mix entries that combine the individual letters with
entries that use the shorthand words, but not to use both types of
notation within a single pairing of user or group and permissions.
To learn the proper format and acceptable values for DFS ACL entries, see
the I<IBM AFS/DFS Migration Toolkit Administration Guide and Reference>.
=item B<-clear>

Removes all existing entries on each ACL before adding the entries
specified with the B<-acl> argument.
=item B<-negative>

Places the specified ACL entries in the C<Negative rights> section of each
ACL, explicitly denying the rights to the user or group, even if entries
on the accompanying C<Normal rights> section of the ACL grant them

This flag is not supported for DFS files or directories, because DFS
does not implement negative ACL permissions.
=item B<-id>

Places the ACL entries on the Initial Container ACL of each DFS directory,
which are the only file system objects for which this flag is supported.
=item B<-if>

Places the ACL entries on the Initial Object ACL of each DFS directory,
which are the only file system objects for which this flag is supported.
=item B<-help>

Prints the online help for this command. All other valid options are
=head1 EXAMPLES

The following example adds two entries to the C<Normal rights> section of
the current working directory's ACL: the first entry grants C<r> (read)
and C<l> (lookup) permissions to the group pat:friends, while the other
(using the C<write> shorthand) gives all permissions except C<a>
(administer) to the user C<smith>.

   % fs setacl -dir . -acl pat:friends rl smith write
The following example includes the B<-clear> flag, which removes the
existing permissions (as displayed with the B<fs listacl> command) from
the current working directory's F<reports> subdirectory and replaces them

   % fs listacl -dir reports
   Access list for reports is

   % fs setacl -clear -dir reports -acl pat all smith write system:anyuser rl

   % fs listacl -dir reports
   Access list for reports is
The following example uses the B<-dir> and B<-acl> switches because it sets
the ACL for more than one directory (both the current working directory
and its F<public> subdirectory).

   % fs setacl -dir . public -acl pat:friends rli

   % fs listacl -path . public
   Access list for public is
=head1 PRIVILEGE REQUIRED

The issuer must have the C<a> (administer) permission on the directory's
ACL; the directory's owner and the members of the system:administrators
group have the right implicitly, even if it does not appear on the ACL.
=head1 SEE ALSO

I<IBM AFS/DFS Migration Toolkit Administration Guide and Reference>
=head1 COPYRIGHT

IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

This documentation is covered by the IBM Public License Version 1.0. It was
converted from HTML to POD by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.