10.0;acl (access_control_list), revision 1.0, 88/06/01
acl (access_control_list) -- List or copy an ACL.
usage: acl [target_object [source_object]] [-d|-f]
[-i|-id|-if|-all]
[-is]
[-links]
[-l]
[-br]
[-qw|-qa|-nq]
[-ae]
DESCRIPTION
Every directory and file has an associated access control list (ACL)
that lists users and their rights to the object. acl lets you copy an
ACL from one object to another, or display an ACL. For a detailed
discussion of ACL structure and usage, please refer to help protection
acls.
ARGUMENTS
target_object (optional)
Specify the object whose ACL you want to set or
display. You may use a wildcard to specify this
argument. Do not, however, specify $ acl /...
(anything) because this may render your node
unusable. This wildcard sequence includes files in the
/sys tree, which require special ACL settings in order
for system software to run.
Default if omitted: use current working directory.
source_object (optional)
Specify the file or directory whose ACL(s) is to be
used to set the ACL(s) of the target object(s).
Default if omitted: display target_object's ACL.
OPTIONS
The following options confine the acl command's operation to target
objects of the given type.
-d Set or display ACLs of only those target objects that are
directories. If used with -i, -id, or -if options, set or
display initial ACLs for subdirectories.
-f Set or display ACLs of only those target objects that are
files.
The following options control the acl command's effect on target objects.
If the target object is a directory, they cause acl to operate only on
the initial ACLs stored within that directory for use on newly created
objects, not on the ACL of the directory itself. Note that this does not
imply that all the target object(s) are directories. (That is what -d
specifies.)
-i Set or display initial ACLs. If you are setting the ACLs of a
target directory, the source object's type (file or directory)
determines which initial ACL (the one for files or the one
for directories) of the target directory is set.
If the target object is a file (or if a wildcarded target list
includes files) and the source is a directory, you get an error
unless you also specify -is (so that the initial file ACL in
the source directory, rather than the ACL of the directory
itself, can be copied to target files). If both source and
target are files, then the source file's ACL is applied to the
target file, as you would expect.
-id Set or display only the initial ACLs inside those target
objects that are directories that apply to new subdirectories
created in those directories.
-if Set or display only the initial ACLs inside those target
objects that are directories that apply to new files created in
those directories. (Specifying both -id and -if is the same as
-i. Specifying neither implies -d.)
The following option specifies that one (or both) of the initial ACLs
inside the source object is to be copied to the target, rather than the
ACL of the source itself. This assumes that the source object is a
directory, not a file, since files cannot contain initial ACLs for
subordinate objects.
-is Copy the initial ACL(s) in the source object (which must be a
directory) to the target. If there is a single target object
(either a file or a directory), then the appropriate initial
ACL inside the source is applied to the target. If the -i
option is also specified, then both initial ACLs in the source
are copied to the initial ACLs inside those target objects that
are directories.
The following option specifies that all the ACLs of the target object(s)
are to be set or displayed.
-all Set or display all ACLs of the target object(s). If you are
using wildcards to specify the target, you may qualify this
action by also specifying -d or -f. If the source object is a
directory, then all of its ACLs (both its own and the two
initial ACLs that it applies to newly created subordinate
objects) are used to set the corresponding ACLs of the target
object(s). If -is is also specified, however, the ACL of the
source object itself is not used, although all three ACLs of
the target directories are still set. Thus you can use -all
(with or without -is) to propagate new ACLs throughout
subtrees.
The following options perform miscellaneous tasks:
-links Operate on the links if the target_object is a wildcard that
specifies link(s). By default acl does not operate on links
specified with wildcards. However, acl always operates on
links you specify explicitly (without wildcards). This
option does not apply to UNIX hard links, which are always
operated on since they are indistinguishable from the original
directory entry.
-l List object names as the command sets ACLs.
-br Display ACLs only, not object names.
acl uses the command-line parser, and so also accepts the standard
command options listed in help cl.
EXAMPLES
Display the ACL on file1.
$ acl file1
Assign old_file's ACL to new_file.
$ acl new_file old_file
Set the initial ACLs inside joe using the initial ACLs inside mary (which
must be a directory).
$ acl joe mary -i -is
Set the initial file ACL in all subdirectories of the current working
directory whose names begin with abc to the ACL of file1.
$ acl abc?* file1 -d -if
Set the ACLs of all files in the current working directory whose names
begin with abc to the initial file ACL inside dir2.
$ acl abc?* dir2 -f -is
Set the initial ACLs in all subdirectories of the current working
directory whose names begin with abc, using the initial ACLs in dir2, and
the ACLs of all files whose names begin with abc, using the initial file
ACL in dir2. (Adding -d confines the operation to directories.)
$ acl abc?* dir2 -i -is
Set the ACLs of all files matched, using the initial file ACL in dir2,
and the ACLs of all directories matched using the ACL of dir2 itself. The
initial ACLs inside those matched directories are set using the initial
ACLs inside dir2.
$ acl abc?* dir2 -all
Set the ACLs of all files matched using the initial file ACL in dir2, and
the ACLs of all directories matched using the initial directory ACL in
dir2. The initial ACLs inside those matched directories are set using
the initial ACLs inside dir2.
$ acl abc?* dir2 -all -is
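The copy rules above, as an added Python model (not part of the original help text and not Domain/OS code): plan() returns which ACL of the source is copied into which ACL of one target object, for the option combinations the text describes. The slot names own, init_file and init_dir, the Undocumented error, and the reading that -id or -if alone skip file targets are assumptions of this model.

```python
# Added model, not Domain/OS code. ACL slots: "own" is the object's ACL;
# "init_file" and "init_dir" are the initial ACLs stored inside a directory.

class Undocumented(ValueError):
    """Combination the help text rejects or does not describe."""

def plan(target_is_dir, source_is_dir, opts=()):
    """Return [(source_slot, target_slot), ...] for one target object."""
    o = set(opts)
    if ("-d" in o and not target_is_dir) or ("-f" in o and target_is_dir):
        return []                              # type filter skips this target
    if not source_is_dir and o & {"-is", "-all"}:
        raise Undocumented("-is/-all are described for directory sources only")
    want_file = bool(o & {"-i", "-if"})        # -i is -id plus -if
    want_dir = bool(o & {"-i", "-id"})

    if not target_is_dir:                      # a file has only "own"
        if (want_file or want_dir) and not o & {"-i", "-all"}:
            return []                          # assumption: -id/-if skip files
        if not source_is_dir:
            return [("own", "own")]
        if o & {"-is", "-all"}:
            return [("init_file", "own")]      # initial file ACL of the source
        raise Undocumented("file target, directory source: use -is")

    own_src = "init_dir" if "-is" in o else "own"
    if "-all" in o:                            # all three ACLs of the directory
        return [(own_src, "own"), ("init_file", "init_file"),
                ("init_dir", "init_dir")]
    if not (want_file or want_dir):
        return [(own_src, "own")]              # plain copy, or -is alone
    if "-is" in o:                             # initial ACLs to initial ACLs
        picks = (("init_file", want_file), ("init_dir", want_dir))
        return [(slot, slot) for slot, wanted in picks if wanted]
    # Without -is the source's type decides which initial ACL is set.
    slot, wanted = (("init_dir", want_dir) if source_is_dir
                    else ("init_file", want_file))
    if not wanted:
        raise Undocumented("source type and -id/-if select different ACLs")
    return [("own", slot)]

if __name__ == "__main__":
    # The page's last two examples, for a directory target and source dir2.
    for opts in (["-all"], ["-all", "-is"]):
        print(opts, plan(True, True, opts))
```

Running plan() for each object a wildcard would match, before issuing the real command, shows which of the three ACLs a given option set would overwrite.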
SEE ALSO
More information is available. Type
help acls For a list of ACL-related commands
help protection For general information on Domain protection mechanisms
help protection acls
For detailed information on ACL structure and usage
help protection sids
For information on subject identifiers
help protection rights
For information on access rights