fs setacl                     AFS Commands                     fs setacl

fs setacl -- sets access control list for a directory.

fs setacl -dir <directory> -acl <access list entries>

ACCEPTABLE ABBREVIATIONS/ALIASES

fs sa -d <directory> -a <access list entries> [-c] [-n]

Puts the specified access list entries on the access control
list (ACL) of each specified directory.

If the ACL already grants certain rights to a user or group,
the rights specified with access list entries replace them,
rather than just being added to them.

WARNING

Setting negative rights is generally unnecessary and not
recommended. Simply omitting a user or group from the
Normal rights list is normally adequate to prevent access.
In particular, note that it is futile to deny rights that
are granted to system:anyuser on the same ACL; all the user
needs to do is issue the unlog command to receive the denied

-dir       specifies each directory for which the
           access control list is to change.
           Abbreviated pathnames are interpreted
           relative to the directory in which the

-acl       defines a list of one or more entries, each

             - a user name or group name (letters

             - the access right(s) to be
               associated with the user/group

           in that order, separated by a space. This
           argument is unusual in requiring two parts
           for each instance. The accepted
           abbreviation of each right and the meaning

           r     READ. Allows the possessor to read the
                 contents of files in the directory and
                 to "stat" (issue ls -l for) file and
                 subdirectory elements in the directory.

           w     WRITE. Allows the possessor to modify
                 the contents of files in the directory
                 and to change their UNIX mode bits with

           l     LOOKUP. Allows the possessor to list
                 the names of files and subdirectories
                 in the directory (for example, by
                 issuing ls). The possessor may "stat"
                 (issue ls -l for) the directory itself
                 (but not for files and subdirectories
                 in it) and may examine the directory's

           d     DELETE. Allows the possessor to remove
                 files from the directory.

           i     INSERT. Allows the possessor to create
                 new files in the directory or move
                 existing files into it.

           k     LOCK. Allows the possessor to run
                 programs that need to issue the "flock"
                 system call on files in the directory.

           a     ADMINISTER. Allows the possessor to
                 change the directory's ACL.

           A, B, C, D, E, F, G, H; by default, these
                 have no meaning to AFS server
                 processes. Administrators and
                 application programs may assign
                 meanings to them and place them on ACLs
                 to control access to the directory's
                 contents in new ways. The letters must

           all   all seven standard rights (rlidwka).

           none  no rights. Removes the user/group from
                 the ACL, but may not guarantee they
                 have no rights if they belong to groups
                 that remain on the ACL.

           write all rights except ADMINISTER (rlidwk).

           It is legal to mix the individual letters
           and the words within access list entries,
           but not within an individual pairing of
           user/group and rights.

-clear     removes all existing entries on each access
           control list before placing access list
           entries on it. This should be used with
           caution: if access list entries does not
           grant all rights to the owner of the
           directory, it can become awkward for the
           owner to access items in the directory. In
           particular, not having the LOOKUP right
           makes it impossible to resolve the "dot" (.)
           and "dot dot" (..) shorthand from
           within the directory.

-negative  puts the specified access list entries in
           the Negative rights section of each access
           control list. The user/group is thus
           explicitly denied the indicated rights, even
           if entries on the accompanying Normal rights
           section of the access control list grant
           them rights. However, it is possible to
           unlog to obtain rights granted to
           system:anyuser on the Normal rights section
           of the same ACL; see the WARNING above.

           This flag affects all directories and access
           list entries specified. Its use is not
           recommended; see the WARNING section above.
           If the issuer omits this flag, the access
           list entries go into the Normal rights
           section of the access control list.

-help      prints the online help entry for this
           command. Do not provide any other arguments
           or flags with this one. See section 3.1 in
           the Reference Manual for more details.
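
An audit sketch for the WARNING and -negative passages above, added here and not part of the AFS documentation: it parses ACL text in the layout fs listacl prints and reports Negative rights entries that deny rights system:anyuser still holds on the same ACL, plus the entries that keep ADMINISTER. The sample ACL and the function names are constructed for this example, and group membership is not resolved.

```python
# Constructed sample in the layout `fs listacl` prints (not from a real cell).
SAMPLE = """\
Access list for reports is
Normal rights:
  system:anyuser rl
  pat:friends rlid
  smith rlidwk
  pat rlidwka
Negative rights:
  terry rl
  smith w
"""

def parse_acl(text):
    """Return {'normal': {name: set(rights)}, 'negative': {name: set(rights)}}."""
    acl = {"normal": {}, "negative": {}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Normal rights"):
            section = "normal"
        elif line.startswith("Negative rights"):
            section = "negative"
        elif section and line:
            name, rights = line.split()
            acl[section][name] = set(rights)
    return acl

def futile_denials(acl):
    """Negative entries whose denied rights system:anyuser is granted on this ACL."""
    anyuser = acl["normal"].get("system:anyuser", set())
    findings = {}
    for name, denied in acl["negative"].items():
        overlap = denied & anyuser
        if overlap:
            findings[name] = "".join(sorted(overlap))
    return findings

def administrators(acl):
    """Entries that keep ADMINISTER (a) once their own negative rights are removed.
    Per-entry view only: rights inherited through group membership are not resolved."""
    return sorted(name for name, rights in acl["normal"].items()
                  if "a" in rights - acl["negative"].get(name, set()))

if __name__ == "__main__":
    acl = parse_acl(SAMPLE)
    print("negative entries overlapping system:anyuser:", futile_denials(acl))
    print("entries able to change the ACL:", administrators(acl))
```
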

The following example adds two entries to the Normal rights
part of the current working directory's ACL: the first entry
grants READ and LOOKUP rights to pat:friends, while the
other (using the write shorthand) gives all rights except

     % fs sa . pat:friends rl smith write

The following shows the effect of the -clear flag on the ACL
of the subdirectory reports by showing the ACL before and
after the command is issued:

     % fs la reports
     Access list for reports is
     Normal rights:
       system:authuser rl
       pat:friends rlid
       smith rlidwk
       pat rlidwka
     Negative rights:
       terry rl

     % fs sa -clear reports pat all smith write system:anyuser rl
     % fs la reports
     Access list for reports is
     Normal rights:
       system:anyuser rl
       smith rlidwk
       pat rlidwka

The following shows how the -dir and -acl switches are
necessary when more than one directory is specified. The
new entry granting READ, LOOKUP, and INSERT rights to
pat:friends is added to the ACL for both the current
directory and its public subdirectory.

     % fs sa -d . public -a pat:friends rli

Issuer must have ADMINISTER rights to the directory; the
directory's owner and members of system:administrators