10.0;acl (access_control_list), revision 1.0, 88/05/18
acl (access_control_list) -- List or copy an ACL.
usage: acl [target_object [source_object]] [-d|-f]
[-i|-id|-if|-all]
[-is]
[-links]
[-l]
[-br]
[-qw|-qa|-nq]
[-ae] [-conv]
DESCRIPTION
Every directory and file has an associated access control list (ACL)
that lists users and their rights to the object. acl lets you copy an
ACL from one object to another, or display an ACL. For a detailed
discussion of ACL structure and usage, please refer to help edacl.
ARGUMENTS
target_object (optional)
Specify the object whose ACL you want to set or
display. You may use a wildcard to specify this
argument. Do not, however, specify $ acl /...
(anything) because this may render your node
unusable. This wildcard sequence includes files in the
/sys tree, which require special ACL settings in order
for system software to run.
Default if omitted: use current working directory.
source_object (optional)
Specify the file or directory whose ACL(s) is to be
used to set the ACL(s) of the target object(s).
Default if omitted: display target_object's ACL.
OPTIONS
The following options confine the acl command's operation to target
objects of the given type.
-d Set or display ACLs of only those target objects that are
directories. If used with -i, -id, or -if options, set or
display initial ACLs for subdirectories.
-f Set or display ACLs of only those target objects that are
files.
The following options control the acl command's effect on target objects.
If the target object is a directory, they cause acl to operate only on
the initial ACLs stored within that directory for use on newly created
objects, not on the ACL of the directory itself. Note that this does not
imply that all the target object(s) are directories. (That is what -d
specifies.)
-i Set or display initial ACLs. If you are setting the ACLs of a
target directory, the source object's type (file or directory)
determines which initial ACL (the one for files or the one
for directories) of the target directory is set. If the target
object is a file (or if a wildcarded target list includes
files) and the source is a directory, you get an error unless
you also specify -is (so that the initial file ACL in the
source directory, rather than the ACL of the directory itself,
can be copied to target files). If both source and target are
files, then the source file's ACL is applied to the target
file, as you would expect. You must run sald
(salvage_directory) on target directories that have never
contained initial ACLs (that is, those directories created
using software prior to SR4.1).
-id Set or display only the initial ACLs inside those target
objects that are directories that apply to new subdirectories
created in those directories.
-if Set or display only the initial ACLs inside those target
objects that are directories that apply to new files created in
those directories. (Specifying both -id and -if is the same as
-i. Specifying neither implies -d.)
The following option specifies that one (or both) of the initial ACLs
inside the source object is to be copied to the target, rather than the
ACL of the source itself. This assumes that the source object is a
directory, not a file, since files cannot contain initial ACLs for
subordinate objects.
-is Copy the initial ACL(s) in the source object (which must be a
directory) to the target. If there is a single target object
(either a file or a directory), then the appropriate initial
ACL inside the source is applied to the target. If the -i
option is also specified, then both initial ACLs in the source
are copied to the initial ACLs inside those target objects that
are directories.
The following option specifies that all the ACLs of the target object(s)
are to be set or displayed.
-all Set or display all ACLs of the target object(s). If you are
using wildcards to specify the target, you may qualify this
action by also specifying -d or -f. If the source object is a
directory, then all of its ACLs (both its own and the two
initial ACLs that it applies to newly created subordinate
objects) are used to set the corresponding ACLs of the target
object(s). If -is is also specified, however, the ACL of the
source object itself is not used, although all three ACLs of
the target directories are still set. Thus you can use -all
(with or without -is) to propagate new ACLs throughout
subtrees.
The following options perform miscellaneous tasks:
-links Operate on the links if the target_object is a wildcard that
specifies link(s). By default acl does not operate on links
specified with wildcards. However, acl always operates on
links you specify explicitly (without wildcards). This
option does not apply to UNIX hard links, which are always
operated on since they are indistinguishable from the original
directory entry.
-l List object names as the command sets ACLs.
-br Display ACLs only, not object names.
-conv[ert]
Set the owner entry in the target from the first person.%.%
entry in the source with P rights. The first %.group.% entry
in the source becomes the group entry in the target, and the
first %.%.org entry in the source becomes the organization
entry in the target.
Used with the -conv option, cpf, cpt, and acl duplicate
Domain/IX behavior. Their default behavior is to turn SR9.7
ACLs into SR10 extended entries. For more information on SR10
behavior, see Managing Aegis System Software.
acl uses the command-line parser, and so also accepts the
standard command options listed in help cl.
EXAMPLES
Assign old_file's ACL to new_file.
$ acl new_file old_file
Set the initial ACLs inside joe using the initial ACLs inside mary (which
must be a directory).
$ acl joe mary -i -is
Set the initial file ACL in all subdirectories of the current working
directory whose names begin with abc to the ACL of file1.
$ acl abc?* file1 -d -if
Set the ACLs of all files in the current working directory whose names
begin with abc to the initial file ACL inside dir2.
$ acl abc?* dir2 -f -is
Set the initial ACLs in all subdirectories of the current working
directory whose names begin with abc, using the initial ACLs in dir2, and
the ACLs of all files whose names begin with abc, using the initial file
ACL in dir2. (Adding -d confines the operation to directories.)
$ acl abc?* dir2 -i -is
Set the ACLs of all files matched, using the initial file ACL in dir2.
The ACLs of all directories matched are set using the ACL of dir2 itself.
The initial ACLs inside those matched directories are set using the
initial ACLs inside dir2.
$ acl abc?* dir2 -all
Set the ACLs of all files matched using the initial file ACL in dir2. The
ACLs of all directories matched are set using the initial directory ACL
in dir2. The initial ACLs inside those matched directories are set using
the initial ACLs inside dir2.
$ acl abc?* dir2 -all -is
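The source-to-target ACL mapping behind the EXAMPLES above, as an added
Python model for checking what a wildcarded invocation would change (not
part of the original help text and not Apollo code). The function names and
slot labels are hypothetical; combinations the page does not describe raise
NotImplementedError.

```python
# Added model of the copy rules this help page describes; not Apollo code.
# plan(), dry_run() and the slot names are hypothetical, for illustration.
OWN, IF, ID = "own", "initial_file", "initial_dir"

def plan(target, source, flags=()):
    """Return [(target_slot, source_slot)] for one target ("file" or "dir")."""
    f = set(flags)
    unstated = NotImplementedError("combination not described on the page")
    # -d / -f confine the operation to targets of one type.
    if ("-d" in f and target != "dir") or ("-f" in f and target != "file"):
        return []
    if "-is" in f and source != "dir":
        raise ValueError("-is needs a directory source")
    if "-all" in f:
        if source != "dir":
            raise unstated
        if target == "file":
            return [(OWN, IF)]
        # With -is the source's own ACL is not used; all three slots are still set.
        return [(OWN, ID if "-is" in f else OWN), (IF, IF), (ID, ID)]
    if "-if" in f:
        # The page shows -if only with a file source (third example).
        if target == "dir" and source == "file":
            return [(IF, OWN)]
        raise unstated
    if "-i" in f:
        if target == "file":
            if source == "dir" and "-is" not in f:
                raise ValueError("file target, directory source: add -is")
            return [(OWN, IF if source == "dir" else OWN)]
        if "-is" in f:
            return [(IF, IF), (ID, ID)]
        # Without -is, the source's type picks which initial ACL is set.
        return [(IF if source == "file" else ID, OWN)]
    if "-is" in f:
        return [(OWN, IF if target == "file" else ID)]
    if target != source:
        raise unstated
    return [(OWN, OWN)]

def dry_run(matched, source, flags=()):
    """Plan one invocation over wildcard matches given as [(name, type)]."""
    return {name: plan(kind, source, flags) for name, kind in matched}

# Constructed sample: what "abc?*" might match in a working directory.
MATCHED = [("abc_notes", "file"), ("abc_src", "dir")]
if __name__ == "__main__":
    for flags in (["-i", "-is"], ["-all"], ["-all", "-is"]):
        print(flags, dry_run(MATCHED, "dir", flags))
```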
SEE ALSO
More information is available. Type
help acls For a list of ACL-related commands
help protection For general information on Domain protection mechanisms
help protection acls
For detailed information on ACL structure and usage
help protection sids
For information on subject identifiers
help protection rights
For information on access rights