chacl.1 (2010 09)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

chacl(1) chacl(1)

NAME

chacl - add, modify, delete, copy, or summarize access control lists (ACLs) of ﬁles

SYNOPSIS

/usr/bin/chacl

acl ﬁle ...

chacl -r acl ﬁle ...

chacl -d aclpatt ﬁle ...

chacl -f fromﬁle toﬁle ...

chacl - [ z  Z  F

] ﬁle...

DESCRIPTION

chacl extends the capabilities of chmod(1), by enabling the user to grant or restrict ﬁle access to addi-

tional speciﬁc users and/or groups. Traditional ﬁle access permissions, set when a ﬁle is created, grant or

restrict access to the ﬁle’s owner, group, and other users. These ﬁle access permissions (eg.,

rwxrw-r--)

are mapped into three base access control list entries: one entry for the ﬁle’s owner (u

.%, mode), one for

the ﬁle’s group (

%.g, mode), and one for other users (%.%, mode).

chacl enables a user to designate up to thirteen additional sets of permissions (called optional access

control list (ACL) entries) which are stored in the access control list of the ﬁle.

To use chacl , the owner (or superuser) constructs an acl , a set of (user.group, mode) mappings to associ-

ate with one or more ﬁles. A speciﬁc user and group can be referred to by either name or number; any

user (u), group (g), or both can be referred to with a

symbol, representing any user or group. The @

symbol speciﬁes the ﬁle’s owner or group.

Read, write, and execute/search (

rwx) modes are identical to those used by chmod; symbolic operators

(op) add (

+), remove (-), or set (=) access rights. The entire acl should be quoted if it contains whitespace

or special characters. Although two variants for constructing the acl are available (and fully explained in

acl(5)), the following syntax is suggested:

entry [, entry ] ...

where the syntax for an entry is

u.g op mode[ op mode ] ...

By default,

chacl modiﬁes existing ACLs. It adds ACL entries or modiﬁes access rights in existing

ACL

entries. If acl contains an ACL entry already associated with a ﬁle, the entry’s mode bits are changed to

the new value given, or are modiﬁed by the speciﬁed operators. If the ﬁle’s

ACL does not already contain

the speciﬁed entry, that

ACL entry is added. chacl can also remove all access to ﬁles. Giving it a null

acl argument means either ‘‘no access’’ (when using the

-r option) or ‘‘no changes.’’

For a summary of the syntax, run

chacl without arguments.

If ﬁle is speciﬁed as

-, chacl reads from standard input.

Options

chacl recognizes the following options:

-r Replace old ACLs with the given ACL. All optional ACL entries are ﬁrst deleted from the

speciﬁed ﬁles’s ACLs, their base permissions are set to zero, and the new ACL is applied.

If acl does not contain an entry for the owner (u.%), the group (%.g), or other (%.%)

users of a ﬁle, that base ACL entry’s mode is set to zero (no access). The command affects

all of the ﬁle’s ACL entries, but does not change the ﬁle’s owner or group ID.

In chmod(1), the ‘‘modify’’ and ‘‘replace’’ operations are distinguished by the syntax

(string or octal value). There is no corollary for ACLs because they have a variable

number of entries. Hence chacl modiﬁes speciﬁc entries by default, and optionally

replaces all entries.

-d Delete the speciﬁed entries from the ACLs on all speciﬁed ﬁles. The aclpatt argument can

be an exact ACL or an ACL pattern (see acl (5)). chacl -d updates each ﬁle’s ACL only

if entries are deleted from it.

If you attempt to delete a base

ACL entry from any ﬁle, the entry remains but its access

mode is set to zero (no access). If you attempt to delete a non-existent ACL entry from a

ﬁle (that is, if an ACL entry pattern matches no ACL entry), chacl informs you of the

HP-UX 11i Version 3: September 2010 − 1 − Hewlett-Packard Company 1

Summary of content (4 pages)

PAGE 1
chacl(1) chacl(1) NAME chacl - add, modify, delete, copy, or summarize access control lists (ACLs) of files SYNOPSIS /usr/bin/chacl acl file ... chacl -r acl file ... chacl -d aclpatt file ... chacl -f fromfile tofile ... chacl - [ z  Z  F ] file ... DESCRIPTION chacl extends the capabilities of chmod(1), by enabling the user to grant or restrict file access to additional specific users and/or groups.
PAGE 2
chacl(1) chacl(1) error, continues, and eventually returns non-zero. -f fromfile tofile Copy the ACL from fromfile to the specified tofile , transferring ownership, if necessary (see acl (5), chown(2), or chownacl (3C)). fromfile can be - to represent standard input. This option implies the -r option. If the owner and group of fromfile are identical to those of tofile , chacl -f is identical to: chacl -r ‘lsacl fromfile‘ tofile ...
PAGE 3
chacl(1) chacl(1) chacl -r ’(@.%,rw-)’ - test Delete from file myfile the specific access rights, if any, for user 165 in group 13. Note that this is different from adding an ACL entry that restricts access for that user and group. The user’s resulting access rights depend on the entries remaining in the ACL. The command also deletes all entries for user jpc that have a read bit turned on (the asterisk can be used as a wildcard in the ACL pattern for user, group, or access mode): chacl -d ’165.13, jpc.
PAGE 4
(Notes) A (Notes) cA 4 Hewlett-Packard Company −1− HP-UX 11i Version 3: September 2010