unixdev.net


Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (HP-UX-11.11)
Page:
Section:
Apropos / Subsearch:
optional field



 chacl(1)							    chacl(1)




 NAME
      chacl - add, modify, delete, copy, or summarize access control lists
      (ACLs) of files

 SYNOPSIS
      /usr/bin/chacl acl file ...

      chacl -r acl file ...

      chacl -d aclpatt file ...

      chacl -f fromfile tofile	...

      chacl -[z|Z|F] file...

 DESCRIPTION
      chacl extends the capabilities of chmod(1), by enabling the user to
      grant or restrict file access to additional specific users and/or
      groups.  Traditional file access permissions, set when a file is
      created, grant or restrict access to the file's owner, group, and
      other users.  These file access permissions (eg., rwxrw-r--) are
      mapped into three base access control list entries: one entry for the
      file's owner (u.%, mode), one for the file's group (%.g, mode), and
      one for other users (%.%, mode).

      chacl enables a user to designate up to thirteen additional sets of
      permissions (called optional access control list (ACL) entries) which
      are stored in the access control list of the file.

      To use chacl, the owner (or superuser) constructs an acl, a set of
      (user.group, mode) mappings to associate with one or more files.	A
      specific user and group can be referred to by either name or number;
      any user (u), group (g), or both can be referred to with a % symbol,
      representing any user or group.  The @ symbol specifies the file's
      owner or group.

      Read, write, and execute/search (rwx) modes are identical to those
      used by chmod; symbolic operators (op) add (+), remove (-), or set (=)
      access rights.  The entire acl should be quoted if it contains
      whitespace or special characters.	 Although two variants for
      constructing the acl are available (and fully explained in acl(5)),
      the following syntax is suggested:

	   entry[, entry] ...

      where the syntax for an entry is

	   u.g op mode[op mode] ...

      By default, chacl modifies existing ACLs.	 It adds ACL entries or
      modifies access rights in existing ACL entries.  If acl contains an



 Hewlett-Packard Company	    - 1 -   HP-UX Release 11i: November 2000






 chacl(1)							    chacl(1)




      ACL entry already associated with a file, the entry's mode bits are
      changed to the new value given, or are modified by the specified
      operators.  If the file's ACL does not already contain the specified
      entry, that ACL entry is added.  chacl can also remove all access to
      files.  Giving it a null acl argument means either ``no access'' (when
      using the -r option) or ``no changes.''

      For a summary of the syntax, run chacl without arguments.

      If file is specified as -, chacl reads from standard input.

    Options
      chacl recognizes the following options:

      -r	     Replace old ACLs with the given ACL.  All optional ACL
		     entries are first deleted from the specified files's
		     ACLs, their base permissions are set to zero, and the
		     new ACL is applied.  If acl does not contain an entry
		     for the owner (u.%), the group (%.g), or other (%.%)
		     users of a file, that base ACL entry's mode is set to
		     zero (no access).	The command affects all of the
		     file's ACL entries, but does not change the file's
		     owner or group ID.

		     In chmod(1), the ``modify'' and ``replace'' operations
		     are distinguished by the syntax (string or octal
		     value).  There is no corollary for ACLs because they
		     have a variable number of entries.	 Hence chacl
		     modifies specific entries by default, and optionally
		     replaces all entries.

      -d	     Delete the specified entries from the ACLs on all
		     specified files.  The aclpatt argument can be an exact
		     ACL or an ACL pattern (see acl(5)).  chacl -d updates
		     each file's ACL only if entries are deleted from it.

		     If you attempt to delete a base ACL entry from any
		     file, the entry remains but its access mode is set to
		     zero (no access).	If you attempt to delete a non-
		     existent ACL entry from a file (that is, if an ACL
		     entry pattern matches no ACL entry), chacl informs you
		     of the error, continues, and eventually returns non-
		     zero.

      -f fromfile tofile
		     Copy the ACL from fromfile to the specified tofile,
		     transferring ownership, if necessary (see acl(5),
		     chown(2), or chownacl(3C)).  fromfile can be - to
		     represent standard input.





 Hewlett-Packard Company	    - 2 -   HP-UX Release 11i: November 2000






 chacl(1)							    chacl(1)




		     This option implies the -r option.	 If the owner and
		     group of fromfile are identical to those of tofile,
		     chacl -f is identical to:

			  chacl -r `lsacl fromfile` tofile ...

		     To copy an ACL without transferring ownership, the
		     above command is suggested instead of chacl -f.

      -z	     Delete (``zap'') all optional entries in the specified
		     file's ACLs, leaving only base entries.

      -Z	     Delete (``zap'') all optional entries in the specified
		     file's ACLs, and set the access modes in all base
		     entries to zero (no access).  This is identical to
		     replacing the old ACL with a null ACL:

			  chacl -r '' file ...

		     or using chmod(1), which deletes optional entries as a
		     side effect:

			  chmod 0 file ...

      -F	     Incorporate (``fold'') optional ACL entries into base
		     ACL entries.  The base ACL entry's permission  bits are
		     altered, if necessary, to reflect the caller's
		     effective access rights to the file; all optional
		     entries, if any, are deleted.

		     For ordinary users, only the access mode of the owner
		     base ACL entry can be altered.  Unlike getaccess, the
		     write bit is not turned off for a file on a read-only
		     file system or a shared-text program being executed
		     (see getaccess(1)).

		     For super-users, only the execute mode bit in the owner
		     base ACL entry might be changed, only if the file is
		     not an regular file or if an execute bit is not already
		     set in a base ACL entry mode, but is set in an optional
		     ACL entry mode.

      acl also can be obtained from a string in a file:

	   chacl `cat file` files ...

      Using @ in acl to represent ``file owner or group'' can cause chacl to
      run more slowly because it must reparse the ACL for each file (except
      with the -d option).





 Hewlett-Packard Company	    - 3 -   HP-UX Release 11i: November 2000






 chacl(1)							    chacl(1)




 EXTERNAL INFLUENCES
    Environment Variables
      LANG determines the language in which messages are displayed.

      If LANG is not specified or is set to the empty string, a default of
      "C" (see lang(5)) is used instead of LANG.  If any
      internationalization variable contains an invalid setting, chacl
      behaves as if all internationalization variables are set to "C".	See
      environ(5).

 RETURN VALUE
      If chacl succeeds, it returns a value of zero.

      If chacl encounters an error before it changes any file's ACL, it
      prints an error message to standard error and returns 1.	Such errors
      include invalid invocation, invalid syntax of acl (aclpatt), a given
      user name or group name is unknown, or inability to get an ACL from
      fromfile with the -f option.

      If chacl cannot execute the requested operation, it prints an error
      message to standard error, continues, and later returns 2.  This
      includes cases when a file does not exist, a file's ACL cannot be
      altered, more ACL entries would result than are allowed, or an attempt
      is made to delete a non-existing ACL entry.

 EXAMPLES
      The following command adds read access for user jpc in any group, and
      removes write access for any user in the files's groups, for files x
      and y.

	   chacl "jpc.%+r, %.@-w" x y

      This command replaces the ACL on the file open as standard input and
      on file test with one which only allows the file owner read and write
      access.

	   chacl -r '(@.%,rw-)' - test

      Delete from file myfile the specific access rights, if any, for user
      165 in group 13.	Note that this is different from adding an ACL entry
      that restricts access for that user and group.  The user's resulting
      access rights depend on the entries remaining in the ACL.	 The command
      also deletes all entries for user jpc that have a read bit turned on
      (the asterisk can be used as a wildcard in the ACL pattern for user,
      group, or access mode):

	   chacl -d '165.13, jpc.*+r' myfile

      Copy the ACL from oldfile to slow/hare and fast/tortoise.





 Hewlett-Packard Company	    - 4 -   HP-UX Release 11i: November 2000






 chacl(1)							    chacl(1)




	   chacl -f oldfile slow/hare fast/tortoise

      Delete the optional ACL entries, if any, on the file open as standard
      input.

	   chacl -z -

      Deny all access to all files in the current directory whose names
      start with a, b, or c:

	   chacl -Z [a-c]*

      Incorporate the optional ACL entries of a file (fun.stuff) into the
      base ACL entries:

	   chacl -F fun.stuff

 WARNINGS
      An ACL string cannot contain more than 16 unique entries, even though
      converting @ symbols to user or group names and combining redundant
      entries might result in fewer than 16 entries for some files.

 DEPENDENCIES
      chacl will fail when the target file resides on a file system which
      does not support ACLs.

    NFS
      Only the -F option is supported on remote files.

 AUTHOR
      chacl was developed by HP.

 SEE ALSO
      chmod(1), getaccess(1), lsacl(1), getacl(2), setacl(2), acl(5),
      glossary(9).



















 Hewlett-Packard Company	    - 5 -   HP-UX Release 11i: November 2000