OSF DCE Administration Guide--Core Components

the principal is the object’s owner or a member of the object’s group, you must use the
user_obj or group_obj entry types to ensure that access is denied.
To deny access to all unauthenticated users, do not create the unauthenticated mask. If
this mask (ACL entry type unauthenticated) is not created, only authenticated
principals can access the object. The same behavior is achieved by creating an
unauthenticated mask with no permissions (or a dash in place of the permissions). This
method has the additional advantage of illustrating graphically that unauthenticated
users have no access rights.
28.3 ACL Management Tasks
ACL management involves creating, modifying, and deleting the entries for the ACLs
on DCE entities. You can use the DCE control program to do all of these tasks. The
control program’s acl commands perform the following operations on ACLs:
• Create and modify ACL entries for DCE objects in the local cell and foreign cells.
  (Note that when objects are created they are associated with initial ACL entries. See
  Section 28.5 for more information.)
• Display the permissions implemented for an object by the object’s ACL manager.
• Create and modify masks used to restrict allowable permissions.
Note: Standard UNIX tools that display and manipulate UNIX modes have an
effect only on the ACLs established for the file system.
For a detailed description of the DCE control program’s acl commands, see the
acl(8dce) reference page.
28.4 Copying ACLs
To copy an ACL from one DCE object to another, use the DCE control program acl
replace command with the -acl option as shown here:
dcecp> acl replace /.:/hosts/hermes -acl [acl show /.:/hosts/cyclops]
The example command replaces the ACL for the host hermes with the ACL for the host
cyclops, whose name is specified in the acl show command invoked by the -acl option.
Note that the acl show command in the -acl option is enclosed in [ ] (brackets). This is
required when the -acl option value is a command invocation.
If you are copying between cells, use the acl replace command’s -cell option, as well as
its -acl option. For example:
dcecp> acl replace /.:/hosts/hermes -acl [acl show /.:/hosts/cyclops] \
-cell [acl show /.:/hosts/cyclops -cell]
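Because acl replace overwrites the whole target ACL, it helps to compare the two ACLs before copying, including whether the copy would bring in an unauthenticated mask that grants permissions. The following Python sketch is an added example, not part of the guide or of DCE. It assumes acl show prints one brace-delimited entry per line, and the ACL text, principal names and permission strings in it are constructed.

```python
# Constructed `acl show` captures (not from the guide). Assumed format: one
# brace-delimited entry per line, {type [key] permissions}.
HERMES_ACL = """\
{unauthenticated -------}
{user_obj rwdtcia}
{user ops_admin rwdtc--}
{any_other r--t---}
"""
CYCLOPS_ACL = """\
{unauthenticated r--t---}
{user_obj rwdtcia}
{group subsys/dce/cds-admin rwdtcia}
{any_other r--t---}
"""

def parse_acl(text):
    """Return {(entry_type, key_or_empty): set of granted permission letters}."""
    acl = {}
    for line in text.splitlines():
        parts = line.strip().strip("{}").split()
        if len(parts) < 2:
            continue  # blank or unrecognised line
        key = parts[1] if len(parts) > 2 else ""
        acl[(parts[0], key)] = set(parts[-1]) - {"-"}
    return acl

def unauthenticated_perms(acl):
    """A missing mask and an all-dash mask both mean no unauthenticated access."""
    return acl.get(("unauthenticated", ""), set())

def replace_impact(target, source):
    """What replacing the target's ACL with the source's ACL would change."""
    return {
        "removed": sorted(k for k in target if k not in source),
        "added": sorted(k for k in source if k not in target),
        "widened": {k: source[k] - target[k] for k in source
                    if k in target and source[k] - target[k]},
        "opens_unauthenticated": bool(unauthenticated_perms(source))
                                 and not unauthenticated_perms(target),
    }

if __name__ == "__main__":
    hermes, cyclops = parse_acl(HERMES_ACL), parse_acl(CYCLOPS_ACL)
    for field, value in replace_impact(hermes, cyclops).items():
        print(f"{field}: {value}")
```

With the constructed data, copying the cyclops ACL onto hermes removes the ops_admin user entry, adds the cds-admin group entry, and gives unauthenticated users r and t where they previously had nothing.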
28 16 Tandem Computers Incorporated 124243