CHACL(1)                        Domain/OS SysV                        CHACL(1)



NAME
     chacl - change access control list

SYNOPSIS
     chacl [ -odfvLR ] <spec> file...

     chacl [ -odfvLR ] -D <sid> file ...

     chacl [ -odfvLR ] [ -u <owner> ] [ -g <group> ] [ -z <organization>]
     file...

     chacl [ -odfvLR ] { -c | -l | -n } file ...

     chacl [ -vLR ] { -B | -S } file...

DESCRIPTION
     The chacl command changes the entries in an object's access control list
     (ACL). Use the specification (spec) part of the command line either to
     set the rights for a given subject identifier (sid), or to change the
     inheritance mechanisms of a directory. The specification syntax, shown
     below, is similar to chmod's symbolic mode form.

     <spec>:        <sid><op><rights> | <req><op><inh> | <spec>[,<spec>...]
     <sid>:         %.%.% | <req>
     <req>:         [ugzo] | a
     <op>:          = | + | -
     <inh>:         [UP]
     <rights>:      [prwxksI]

OPTIONS
     -B
     -S        The -B (BSD) and -S (SysV) options simply set a directory to
               use the corresponding semantics.  Any existing ACL entries are
               removed, and the protections on the directory are determined by
               the current umask(2).  Owner, group, and organization
               inheritance are set according to those semantics (SysV: all
               from the current process; BSD: owner from the current process,
               group from the directory.  Organization is marked "ignore" for
               both).

     -c        Force calculation of the extended entry mask.  The mask
               represents the maximum rights of all extended ACL entries, and
               is automatically calculated each time chacl is run.  This
               option is used to undo the effects of the chmod command, as
               chmod affects the mask as well as the world required entry
               (%.%.%) when changing rights for "other".

     -l        Set local access. With local access set, an object can be
               accessed only from the node on which it is located.

     -n        Set network access.

     -o        Make the changes on the ACL itself for the objects specified.
               If none of the -o, -d, or -f options is specified, -o is
               assumed.  These three options can be used in any combination.

     -d        Make the changes on the initial directory ACL.

     -f        Apply the changes to the initial file ACL.

     -v        (verbose) List each destination as the ACL is changed.

     -L        Follow any soft links encountered, and operate on the object to
               which the link points.  Since soft links in Domain/OS do not
               have ACLs, attempting to change a soft link without the -L flag
               results only in a warning, with no change.

     -R        Apply the changes recursively to any directories encountered
               among the files listed.  Be very careful when combining this
               option with the -L option: a link inside the tree may point
               outside it, and the recursion then changes the ACLs of objects
               that were never named on the command line.

     -D        Delete extended entries from an ACL.  Required entries may not
               be deleted, so <sid> must be an actual subject identifier (see
               below).

     -u        Set the owner field in an ACL.

     -g        Set the group field in an ACL.

     -z        Set the organization field in an ACL.

SUBJECT IDENTIFIERS
     The sid (Subject IDentifier) used in the first form (<sid><op><rights>)
     is a way of specifying a user or set of users.  It may include a
     username, group name and organization name, any of which may be replaced
     with the wildcard %, or left off, as described in acl(5).  The special
     cases u, g, z and o refer to the required entries in the ACL for user,
     group, organization and world.  The special case a refers to all of the
     above (user, group, organization and world), as does a null SID field.
     These special cases do not affect required entries that are marked
     "Ignore".  Short user IDs that are a combination of the letters u, g, z
     and o are distinguished from the special cases by the use of the %
     syntax described above.  Thus oz+x adds execute rights for other and
     organization, whereas oz.%.%+x or oz..+x adds execute rights for just
     the user oz.

ACCESS RIGHTS
     Access rights are specified by the op (operator) and rights parameters to
     chacl.  Valid operators are =, +, and -.  The = operator specifies
     absolute rights for the SID.  If the ACL already contains an entry for
     this SID, chacl changes it to contain the rights listed.  Otherwise, it
     adds an entry with the specified SID and access rights.

     If you specify the + operator, the rights are added to any existing
     rights for the specified SID. Likewise, the - operator removes the rights
     from the ACL entry for the SID.  If no entry exists for the SID, the
     entire ACL is searched for more general entries that apply to this SID.
     The specified rights are then added to or removed from this aggregate set
     of rights, and a new entry is created for the specific SID.

     Access rights consist of any combination of the following letters:

     Files:

     p    Protect rights; allows the file's ACL (its rights) to be changed
     r    Read rights; allows file to be read
     w    Write rights; allows file to be written
     x    Execute rights; allows file to be executed
     k    Keep; prevents file from being deleted or having its name changed
     s    Set ID; usable only with u, g and z (user, group, and
          organization); causes this executable to be run with
          the effective ID of the user, group or organization

     Directories:

     p    Protect rights; allows the directory's ACL (its rights) to be changed
     r    Read rights; allows directory to be listed
     w    Write rights; allows names to be added, changed or deleted
     x    Execute rights; allows subordinate objects to be used, without allowing
          the directory to be listed; also called search rights
     k    Keep; prevents directory from being deleted or having its name changed

     The following is used alone, and overrides any other rights specified:

     I    Ignore; used to ignore the rights in the required owner, group,
          organization, and other entries

     To change the inheritance properties of a directory, use the second form
     of ACL specification (<req><op><inh>).  In this case, the first field
     must consist only of required entries u, g, z, or a (user, group,
     organization, all) and the second field specifies the inheritance option.

     The valid inheritance options are as follows:

     U    Umask; the rights for new objects in this directory are those
          requested by the process creating them as modified by the umask(2)
          of that process

     P    Process; inherit user, group or organization from the
          process creating a new object in this directory
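
     The following is an added example and is not part of the Domain/OS
     manual page or of chacl itself: a Python model of the <spec> grammar
     given under DESCRIPTION, the special-case SIDs described under SUBJECT
     IDENTIFIERS, and the =, +, and - rules described under ACCESS RIGHTS.
     The in-memory ACL layout, the default entries in new_acl(), the
     wildcard matching rule, the choice of which entries count as "more
     general" when + or - names a SID that has no entry, and the effect of =
     on an entry marked Ignore are assumptions of the model, not behaviour
     this page documents.  It parses this page's own specs (oz+x versus
     oz..+x, ..mktg-pw,..r_d=prwx) and recomputes the extended entry mask
     that -c forces.

```python
"""Model of the chacl(1) spec grammar and the =, +, - update rules.

Added example, not Domain/OS code.  The ACL layout, the defaults in new_acl(),
the wildcard match, which entries count as "more general", and what = does
to an Ignored entry are assumptions of this model, not documented behaviour.
"""
from dataclasses import dataclass, field

REQUIRED = "ugzo"      # owner, group, organization, world (the %.%.% entry)
RIGHTS = "prwxks"      # rights letters, in display order
INHERIT = "UP"         # umask / process inheritance options

@dataclass
class ACL:
    required: dict     # 'u'/'g'/'z'/'o' -> set of rights letters, or "I" (Ignore)
    extended: dict = field(default_factory=dict)      # (user, group, org) -> set
    inherit: dict = field(default_factory=lambda: {r: set() for r in "ugz"})

def new_acl(owner="prwx", group="rx", org="rx", world="rx"):
    return ACL({"u": set(owner), "g": set(group), "z": set(org), "o": set(world)})

def parse_sid(text):
    """Left side of a spec -> ("req", letters) or ("sid", (user, group, org)).

    Only a string of u,g,z,o,a with no '.' or '%' is a special case (a or an
    empty field means all four), so oz+x is other+organization while oz..+x
    and oz.%.%+x name the user oz.  Omitted SID fields default to %.
    """
    if "." not in text and "%" not in text and set(text) <= set(REQUIRED + "a"):
        letters = REQUIRED if text == "" or "a" in text else text
        return "req", "".join(c for c in REQUIRED if c in letters)
    parts = text.split(".")
    if len(parts) > 3:
        raise ValueError(f"too many SID fields: {text!r}")
    sid = tuple(p or "%" for p in parts + ["%"] * (3 - len(parts)))
    return ("req", "o") if sid == ("%", "%", "%") else ("sid", sid)   # %.%.% is world

def parse_spec(spec):
    """Parse <spec>[,<spec>...] into (form, kind, target, op, letters) tuples."""
    items = []
    for item in spec.split(","):
        pos = next((i for i, c in enumerate(item) if c in "=+-"), None)
        if pos is None:
            raise ValueError(f"no operator in {item!r}")
        lhs, op, rhs = item[:pos], item[pos], item[pos + 1:]
        kind, target = parse_sid(lhs)
        if rhs and set(rhs) <= set(INHERIT):          # second form: <req><op><inh>
            if kind != "req" or "o" in lhs:
                raise ValueError("inheritance options apply only to u, g, z (or a)")
            items.append(("inh", kind, target.replace("o", ""), op, rhs))
            continue
        if "I" in rhs:                                # I is used alone and overrides the rest
            if kind != "req":
                raise ValueError("I applies only to required entries")
            rhs = "I"
        elif not set(rhs) <= set(RIGHTS):
            raise ValueError(f"bad rights letters: {rhs!r}")
        if "s" in rhs and (kind != "req" or "o" in target):
            raise ValueError("s is usable only with u, g and z")
        items.append(("rights", kind, target, op, rhs))
    return items

def matches(entry, sid):
    return all(e in ("%", s) for e, s in zip(entry, sid))   # % in the entry matches any field

def apply_op(current, op, letters):
    if op == "=":
        return set(letters)
    return current | set(letters) if op == "+" else current - set(letters)

def apply_spec(acl, spec):
    """Apply a spec to acl in place and return it."""
    for form, kind, target, op, letters in parse_spec(spec):
        if form == "inh":
            for r in target:
                acl.inherit[r] = apply_op(acl.inherit[r], op, letters)
        elif kind == "req":
            for r in target:
                cur = acl.required[r]
                if letters == "I":
                    acl.required[r] = "I"
                elif cur != "I":              # special cases leave Ignored entries alone
                    acl.required[r] = apply_op(cur, op, letters)
                elif op == "=":               # assumption: = is how Ignore is cleared
                    acl.required[r] = set(letters)
        elif target in acl.extended or op == "=":
            acl.extended[target] = apply_op(acl.extended.get(target, set()), op, letters)
        else:
            # No entry for this SID: + and - start from the union of the more general
            # entries that apply to it, then record the result as a specific entry.
            cur = set().union(*(r for e, r in acl.extended.items() if matches(e, target)))
            if acl.required["o"] != "I":      # the world entry is the most general
                cur |= acl.required["o"]
            acl.extended[target] = apply_op(cur, op, letters)
    return acl

def extended_mask(acl):
    """The extended entry mask that chacl -c forces: union of all extended rights."""
    return set().union(*acl.extended.values())
```

     Feeding a sequence of specs through apply_spec() and then calling
     extended_mask() shows what -c recomputes: the mask is derived from the
     extended entries, so after chmod has altered it (see the -c description
     above) it stays stale until chacl recalculates it.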

EXAMPLES
          chacl g+w *

     Add write rights for the group to each file in this directory.

          chacl a=rx foo

     Give owner, group, organization and world read and execute rights to the
     file foo.

          chacl ugz=I .

     Ignore the required entries for owner, group and organization.

          chacl %.os=prwx .

     Give the os group full rights to this directory.

          chacl ..mktg-pw,..r_d=prwx .

     Be sure that the mktg organization does not have write or protect rights
     and that r_d has full rights to the current directory.

          chacl -B /usr/u/bar

     Strip any extended ACLs from /usr/u/bar, and set it up as a BSD
     directory.

          chacl -D arnold.staff *

     Delete any ACL entries referring to arnold.staff.

          chacl -od susan+x /usr/u/zap

     Always allow susan to use objects in the /usr/u/zap directory, and to
     search any new sub-directories.

          chacl -odf user= magicdir

     Ensure that the user named user has no rights to magicdir, nor to any
     files or sub-directories subsequently created in it.

          chacl -f ugz=UP .

     Newly created files in the current directory inherit owner, group, and
     organization (and the associated rights) from the process.

          chacl -df g-P .

     Do not inherit group from the process, that is, inherit it from this
     directory for new files and sub-directories.

SEE ALSO
     lsacl(1), cpacl(1), chmod(1), chgrp(1), chorg(1), chown(2), umask(2),
     salacl(1M), acl(5)

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026