chacl - add, modify, delete, copy, or summarize access control lists
(ACLs) of files
/usr/bin/chacl acl file ...
chacl -r acl file ...
chacl -d aclpatt file ...
chacl -f fromfile tofile ...
chacl -[z|Z|F] file...
chacl extends the capabilities of chmod(1), by enabling the user to
grant or restrict file access to additional specific users and/or
groups. Traditional file access permissions, set when a file is
created, grant or restrict access to the file's owner, group, and
other users. These file access permissions (eg., rwxrw-r--) are
mapped into three base access control list entries: one entry for the
file's owner (u.%, mode), one for the file's group (%.g, mode), and
one for other users (%.%, mode).
chacl enables a user to designate up to thirteen additional sets of
permissions (called optional access control list (ACL) entries) which
are stored in the access control list of the file.
To use chacl, the owner (or superuser) constructs an acl, a set of
(user.group, mode) mappings to associate with one or more files. A
specific user and group can be referred to by either name or number;
any user (u), group (g), or both can be referred to with a % symbol,
representing any user or group. The @ symbol specifies the file's
owner or group.
Read, write, and execute/search (rwx) modes are identical to those
used by chmod; symbolic operators (op) add (+), remove (-), or set (=)
access rights. The entire acl should be quoted if it contains
whitespace or special characters. Although two variants for
constructing the acl are available (and fully explained in acl(5)),
the following syntax is suggested:
entry[, entry] ...
where the syntax for an entry is
u.g op mode[op mode] ...
By default, chacl modifies existing ACLs. It adds ACL entries or
modifies access rights in existing ACL entries. If acl contains an
Hewlett-Packard Company - 1 - HP-UX Release 11i: November 2000
ACL entry already associated with a file, the entry's mode bits are
changed to the new value given, or are modified by the specified
operators. If the file's ACL does not already contain the specified
entry, that ACL entry is added. chacl can also remove all access to
files. Giving it a null acl argument means either ``no access'' (when
using the -r option) or ``no changes.''
For a summary of the syntax, run chacl without arguments.
If file is specified as -, chacl reads from standard input.
chacl recognizes the following options:
-r Replace old ACLs with the given ACL. All optional ACL
entries are first deleted from the specified files's
ACLs, their base permissions are set to zero, and the
new ACL is applied. If acl does not contain an entry
for the owner (u.%), the group (%.g), or other (%.%)
users of a file, that base ACL entry's mode is set to
zero (no access). The command affects all of the
file's ACL entries, but does not change the file's
owner or group ID.
In chmod(1), the ``modify'' and ``replace'' operations
are distinguished by the syntax (string or octal
value). There is no corollary for ACLs because they
have a variable number of entries. Hence chacl
modifies specific entries by default, and optionally
replaces all entries.
-d Delete the specified entries from the ACLs on all
specified files. The aclpatt argument can be an exact
ACL or an ACL pattern (see acl(5)). chacl -d updates
each file's ACL only if entries are deleted from it.
If you attempt to delete a base ACL entry from any
file, the entry remains but its access mode is set to
zero (no access). If you attempt to delete a non-
existent ACL entry from a file (that is, if an ACL
entry pattern matches no ACL entry), chacl informs you
of the error, continues, and eventually returns non-
-f fromfile tofile
Copy the ACL from fromfile to the specified tofile,
transferring ownership, if necessary (see acl(5),
chown(2), or chownacl(3C)). fromfile can be - to
represent standard input.
Hewlett-Packard Company - 2 - HP-UX Release 11i: November 2000
This option implies the -r option. If the owner and
group of fromfile are identical to those of tofile,
chacl -f is identical to:
chacl -r `lsacl fromfile` tofile ...
To copy an ACL without transferring ownership, the
above command is suggested instead of chacl -f.
-z Delete (``zap'') all optional entries in the specified
file's ACLs, leaving only base entries.
-Z Delete (``zap'') all optional entries in the specified
file's ACLs, and set the access modes in all base
entries to zero (no access). This is identical to
replacing the old ACL with a null ACL:
chacl -r '' file ...
or using chmod(1), which deletes optional entries as a
chmod 0 file ...
-F Incorporate (``fold'') optional ACL entries into base
ACL entries. The base ACL entry's permission bits are
altered, if necessary, to reflect the caller's
effective access rights to the file; all optional
entries, if any, are deleted.
For ordinary users, only the access mode of the owner
base ACL entry can be altered. Unlike getaccess, the
write bit is not turned off for a file on a read-only
file system or a shared-text program being executed
For super-users, only the execute mode bit in the owner
base ACL entry might be changed, only if the file is
not an regular file or if an execute bit is not already
set in a base ACL entry mode, but is set in an optional
ACL entry mode.
acl also can be obtained from a string in a file:
chacl `cat file` files ...
Using @ in acl to represent ``file owner or group'' can cause chacl to
run more slowly because it must reparse the ACL for each file (except
with the -d option).
Hewlett-Packard Company - 3 - HP-UX Release 11i: November 2000
LANG determines the language in which messages are displayed.
If LANG is not specified or is set to the empty string, a default of
"C" (see lang(5)) is used instead of LANG. If any
internationalization variable contains an invalid setting, chacl
behaves as if all internationalization variables are set to "C". See
If chacl succeeds, it returns a value of zero.
If chacl encounters an error before it changes any file's ACL, it
prints an error message to standard error and returns 1. Such errors
include invalid invocation, invalid syntax of acl (aclpatt), a given
user name or group name is unknown, or inability to get an ACL from
fromfile with the -f option.
If chacl cannot execute the requested operation, it prints an error
message to standard error, continues, and later returns 2. This
includes cases when a file does not exist, a file's ACL cannot be
altered, more ACL entries would result than are allowed, or an attempt
is made to delete a non-existing ACL entry.
The following command adds read access for user jpc in any group, and
removes write access for any user in the files's groups, for files x
chacl "jpc.%+r, %.@-w" x y
This command replaces the ACL on the file open as standard input and
on file test with one which only allows the file owner read and write
chacl -r '(@.%,rw-)' - test
Delete from file myfile the specific access rights, if any, for user
165 in group 13. Note that this is different from adding an ACL entry
that restricts access for that user and group. The user's resulting
access rights depend on the entries remaining in the ACL. The command
also deletes all entries for user jpc that have a read bit turned on
(the asterisk can be used as a wildcard in the ACL pattern for user,
group, or access mode):
chacl -d '165.13, jpc.*+r' myfile
Copy the ACL from oldfile to slow/hare and fast/tortoise.
Hewlett-Packard Company - 4 - HP-UX Release 11i: November 2000
chacl -f oldfile slow/hare fast/tortoise
Delete the optional ACL entries, if any, on the file open as standard
chacl -z -
Deny all access to all files in the current directory whose names
start with a, b, or c:
chacl -Z [a-c]*
Incorporate the optional ACL entries of a file (fun.stuff) into the
base ACL entries:
chacl -F fun.stuff
An ACL string cannot contain more than 16 unique entries, even though
converting @ symbols to user or group names and combining redundant
entries might result in fewer than 16 entries for some files.
chacl will fail when the target file resides on a file system which
does not support ACLs.
Only the -F option is supported on remote files.
chacl was developed by HP.
chmod(1), getaccess(1), lsacl(1), getacl(2), setacl(2), acl(5),
Hewlett-Packard Company - 5 - HP-UX Release 11i: November 2000