Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
 HP-UX Reference > S

setacl(1)

HP-UX 11i Version 3: February 2007
» 

Technical documentation

» Feedback
Content starts here

 » Table of Contents

 » Index

spacerspacerspacer
spacer
spacer
  		 
 

NAME

setacl — modify access control lists (ACLs) for files (JFS File Systems only)

SYNOPSIS

setacl [-n] -s acl_entries file...

setacl [-n] -m|-d acl_entries [-m|-d acl_entries]... file...

setacl [-n] -f acl_file file...

DESCRIPTION

For each file specified, setacl will either replace its entire ACL, including the default ACL on a directory, or it will add, modify, or delete one or more ACL entries, including default entries on directories.

The -s option will set the ACL to the entries specified on the command line. The -f option will set the ACL to the entries contained within the file acl_file. The -d option will delete one or more specified entries from the file's ACL. The -m option will add or modify one or more specified ACL entries.

One of the options -s, -m, -d, or -f must be specified. If -s or -f are specified, other options are invalid. The -m and -d options may be combined, and multiple -m and -d options may be specified.

For the -m and -s options, acl_entries are one or more comma separated ACL entries selected from the following list. For the -f option, acl_file must contain ACL entries, one to a line, selected from the same list. Default entries may only be specified for directories. Bold face' indicates that characters must be typed as specified, brackets denote optional characters, and italicized characters are to be specified by the user. Choices, of which exactly one must be selected, are separated by vertical bars.

  • u[ser]:: operm|perm

  • u[ser]: uid: operm|perm

  • g[roup]:: operm|perm

  • g[roup]: gid: operm|perm

  • c[lass]: operm|perm

  • o[ther]: operm|perm

  • d[efault]:u[ser]:: operm|perm

  • d[efault]:u[ser]: uid: operm|perm

  • d[efault]:g[roup]:: operm|perm

  • d[efault]:g[roup]: gid: operm|perm

  • d[efault]:c[lass]:: operm|perm

  • d[efault]:o[ther]:: operm|perm

For the -d option, acl_entries are one or more comma separated ACL entries without permissions, selected from the following list. Note that the entries for file owner, owning group, and others may not be deleted.

  • u[ser]: uid

  • g[roup]: gid

  • d[efault]:u[ser]:

  • d[efault]:u[ser]: uid

  • d[efault]:g[roup]:

  • d[efault]:g[roup]: gid

  • d[efault]:c[lass]:

  • d[efault]:o[ther]:

In the above lists, the user specifies the following:

perm

is a permissions string composed of the characters r (read), w (write), and x (execute), each of which may appear at most one time, in any order. The character - may be specified as a placeholder.

operm

is the octal representation of the above permissions, with 7 representing all permissions, or rwx, and 0 representing no permissions, or ---.

uid

is a login name or user ID.

gid

is a group name or group ID.

The options have the following meanings:

-n

Normally, setacl recalculates the group class entry so as to ensure that permissions granted in the additional ACL entries will actually be granted, and the value specified in the class entry is ignored. If the -n option is specified, the recalculation is not performed, and the value specified in the class entry is used.

-s

Set a file's ACL. All old ACL entries are removed, and replaced with the newly specified ACL. There must be exactly one user entry specified for the owner of the file, exactly one group entry specified for the owning group of the file, and exactly one other entry specified. If the -n option is not specified there must also be exactly one class entry specified. There may be additional user ACL entries and additional group ACL entries specified, but there may not be duplicate additional user ACL entries with the same uid, or duplicate additional group ACL entries with the same gid.

If the file is a directory, default ACL entries may be specified. There may be at most one default:user entry for the owner of the file, at most one default:group entry for the owning group of the file, at most one default:class entry for the file group class, and at most one default:other entry for other users. There may be additional default:user entries and additional default:group entries specified, but there may not be duplicate additional default:user entries with the same uid, or duplicate additional default:group entries with the same gid.

setacl never recalculates the default:class entry, regardless of whether or not the -n option was specified.

An entry with no permissions will result in the specified uid or gid being denied access to the file.

The entries need not be in order. They will be sorted by the command before being applied to the file.

-m

Add one or more new ACL entries to the file, and/or change one or more existing ACL entries on the file. If an entry already exists for a specified uid or gid, the specified permissions will replace the current permissions. If an entry does not exist for the specified uid or gid, an entry will be created.

-d

Delete one or more existing ACL entries from the file. The entries for the file owner, the owning group, and others may not be deleted from the ACL. Note that deleting an entry does not necessarily have the same effect as removing all permissions from the entry. Specifically, deleting an entry for a specific user would cause that user's permissions to be determined by the other entry (or the owning group entry, if the user is in that group).

-f

Set a file's ACL with the ACL entries contained in the file named acl_file. The same constraints on specified entries hold as with the -s option. The entries are not required to be in any specific order in the file specified as acl_file. The character '#' in acl_file may be used to indicate a comment. All characters, starting with the '#', until the end of the line, will be ignored. Note that if the acl_file has been created as the output of the getacl command, any effective permissions, which will have been written with a preceding '#', will also be ignored.

When the setacl command is used, it may result in changes to the file permission bits. When the user ACL entry for the file owner is changed, the file owner permission bits will be modified. When the other ACL entry is changed, the file other permission bits will be modified. When additional user ACL entries and/or any group ACL entries are set or modified, the file group permission bits will be modified to reflect the maximum permissions allowed by the additional user entries and all the group entries.

If an ACL contains no additional user or additional group entries, the permissions in the group entry for the object owning group and the class entry must be the same. Therefore, if the -d option is specified and results in no additional user entries and no additional group entries, the class entry permissions will be set equal to the permissions of the owning group entry. This happens regardless of whether or not the -n option was specified.

A directory may contain default ACL entries. If a file is created in a directory which contains default ACL entries, the entries will be added to the newly created file. Note that the default permissions specified for the file owner, file owning group, and others, will be constrained by the umask and the mode specified in the file creation call.

If an ACL contains no additional default:user or additional default:group entries and a default:group entry is specified for the object owning group, then a default:class entry must also be specified, and the permissions in the default:group entry for the object owning group and the permissions for the default:class entry must be the same.

This command may be executed on a file system that does not support ACLs, to set the permissions for the three base entries for the file owner, file owning group, and others. Additional entries and default entries will not be allowed in this case.

EXAMPLES

To add one ACL entry to file filea, giving user archer read permission only, type:

setacl -m user:archer:r-- filea

If an entry for user archer already exists, this command will set the permissions in that entry to r--.

To replace the entire ACL for file filea, adding entries for users archer and fletcher, allowing read/write access, an entry for the file owner allowing all access, an entry for the file group allowing read access only, and an entry for others disallowing all access, type:

  • setacl -s user::rwx,user:archer:rw-,user:fletcher:rw-,\

    group::r--,other:--- filea

Note that following this command, the file permission bits would be set to -rwxrw----. Even though the file owning group has only read permission, the maximum permissions available to all additional user ACL entries, and all group ACL entries, are read and write, since the two additional user entries both specify these permissions.

To set the same ACL on file filea as in the above example, using the -f option, type:

setacl -f filea.acl filea

with file filea.acl edited to contain:

user::rwx user:archer:rw- user:fletcher:rw- group::r-- other:---

Because the -n option was not specified, no class entry was needed. If a class entry had been present it would have been ignored.

FILES

/etc/passwd

user IDs

/etc/group

group IDs

SEE ALSO

acl(2), aclsort(3C), chmod(1), getacl(1), ls(1).



serialize
  		 


sh  
Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 1983-2007 Hewlett-Packard Development Company, L.P.