6.0;edacl (edit_access_control_list), revision 6.0, 87/05/06
EDACL (EDIT_ACCESS_CONTROL_LIST) -- Edit or list an ACL.
usage:
EDACL [ [-C ppon rts] [-CF ppon rts]
        [-A ppon rts] [-AF ppon rts] [-AR ppon rts]
        [-D ppon] [-DF ppon rts] [-DR ppon rts]
        [-CDN node] [-CN ppon node]
        [-SETPERS {ppon|0}] [-SETPROJ {ppon|0}] [-SETORG {ppon|0}]
        [-L] [-Q]
      ]
      [-I|-P]
      [-DIR|-FILE|-IF|-ID]
      [-UNIX]
      [-DYN[AMIC]]
      pathname...


FORMAT

  EDACL [commands] [options] pathname...


  Every  directory  and  file  has  an associated access control list (ACL) that
  lists users and their rights to the object.  EDACL edits or displays  the  ACL
  of the object(s) specified.     The structure and usage of an ACL is described
  in detail in HELP PROTECTION ACLS.


ARGUMENTS

  pathname
  (required)         Specify the object whose ACL you wish to edit  or  display.
                     Multiple pathnames and wildcarding are permitted.

  commands
  (optional)          Specify  the  action(s)  described  below.   If you do not
                     specify a command,  EDACL  enters  an  interactive  editing
                     mode.

                     Default if omitted:  read commands from standard input; do
                                          not precede commands with a hyphen (-)
                                          in this mode.

  COMMANDS

  Many of the commands described below take arguments called 'sid' and 'rights'.
  These are summarized in the sections preceding the EXAMPLES.

  -L                 List ACL entries.

  -A sid rights
                     Add  the  specified  entry  to an ACL.  You will receive an
                     error message if the ACL entry exists.

  -AF sid rights
                     Add force. Add the specified entry to an ACL.  You will not
                     receive an error message if the ACL entry exists.

  -AR sid rights
                     Add  the  specified  rights to an ACL.  You will receive an
                     error message if the entry does not exist.

  -C sid rights
                     Change  the  access rights in the entry for 'sid' (replaces
                     current rights).  You will receive an error message if  the
                     entry does not exist.

  -CF sid rights
                     Change force.  Change the access rights in  the  entry  for
                     'sid'  (replaces  current rights).  You will not receive an
                     error message if the entry does not exist.

  -D sid             Delete the ACL entry for 'sid'.  You will receive an  error
                     message  if  the  entry  does  not  exist.    If  'sid'  is
                     '%.%.%.%', then EDACL will leave the entry with 'S' and 'E'
                     rights to maintain DOMAIN/IX compatibility.

  -DF sid rights
                     Delete force.  Delete the specified rights from  the  entry
                     for  'sid'.    You will not receive an error message if the
                     ACL entry does not exist.

  -DR sid rights
                     Delete  the specified rights from the entry for 'sid'.  You
                     will receive an error message if the entry does not exist.

  -CDN node          Change the default node ID.

  -CN sid node       Change the node ID entry in 'sid'.

  -Q                 Quit without changing the object's ACL.   This  command  is
                     useful  only  when  you supply EDACL commands interactively
                     (see -I). To signal successful completion  and  update  the
                     ACL, use EOF in standard input (usually <CTRL/Z>).

  The   following   three   commands  are  meaningful  primarily  for  DOMAIN/IX
  applications. If the pertinent index is enabled,  the  process  executing  the
  file  assumes  the  PERSON, PROJECT, and/or ORGANIZATION identity of the file.
  (This is the DOMAIN/IX equivalent of AEGIS protected subsystems.)  The indexes
  may be set for both files and directories, but are meaningful only for files.

  -SETPERS {sid|0}
                     Assign the SET PERSON index to 'sid'.

                     If you specify '0' (zero) instead of a sid, the SET  PERSON
                     index is deleted.

  -SETPROJ {sid|0}
                     Assign the SET PROJECT index to 'sid'.

                     If you specify '0' (zero) instead of a sid, the SET PROJECT
                     index is deleted.

  -SETORG {sid|0}
                     Assign the SET ORGANIZATION index to 'sid'.

                     If you specify  '0'  (zero)  instead  of  a  sid,  the  SET
                     ORGANIZATION index is deleted.


OPTIONS

  -DIR               Only operate on directories.

  -FILE              Only operate on files.

  -ID                  Edit  the  default  initial  ACL  for  directories  (-DIR
                     implied).

  -IF                Edit the default initial ACL for files (-DIR implied).

  -UNIX              Enable editing of 'S' and 'E' rights for directories.  This
                     is   meaningful   primarily   for  DOMAIN/IX  applications.
                     Modification of these rights is disabled by default, unless
                     this option is specified.

  -DYN[AMIC]          Create  a dynamic ACL for use with DOMAIN/IX applications.
                     Dynamic ACLs are computed and  assigned  "on  the  fly"  by
                     DOMAIN/IX  programs;  thus,  they  change from user to user
                     rather than remaining static, like AEGIS ACLs.  Use of this
                     option  precludes  the  use of any of the editing functions
                     listed above in the "COMMANDS" section.

  The following two options apply only when EDACL reads commands  from  standard
  input:

  -P                  EDACL interprets commands when it receives an EOF (usually
                     <CTRL/Z>).  This is the default when  you  have  redirected
                     standard  input  (i.e.,  instructed  the  program  to  read
                     commands from a Shell  program,  here  document,  file,  or
                     pipe).

  -I                  EDACL  interprets commands as you enter them.  This is the
                     default when you have not redirected standard input.    You
                     may  only  specify one pathname (with no wildcards) in this
                     mode.  EDACL changes a copy of the ACL;  the  command  does
                     not  assign  a  new ACL to an object until it reads an EOF.
                     Thus, EDACL -I does not change an ACL if you terminate  the
                     session with the "Q" command.

  This  command  uses  the command line parser, and so also accepts the standard
  command options listed in HELP CL.


  SIDS

  A complete description of SID syntax and usage is available in

    $ HELP PROTECTION SIDS

  RIGHTS

  A complete description of the various protection rights is available in

    $ HELP PROTECTION RIGHTS


EXAMPLES

  1. The order of the commands in the following sequence is significant.

     $ edacl -L sales                  List ACL for the file 'sales'.  The
       %.%.%.%     pgndwrx              ppon is all wildcards (%.%.%.%), so
                                        all users have complete rights
     $                                  (pgndwrx) to 'sales'.


     $ edacl sales -cf dan.%  -none    Deny user DAN access to 'sales'.
     $ edacl -L sales                  Other users still have all rights.
       DAN.%.%.%    -------             Note that the system automatically
       %.%.%.%      pgndwrx             places specific entries before
     $                                  general ones.


     $ edacl sales -a joe -owner       Add user JOE to the ACL for 'sales'
     $ edacl -L sales                   with all rights.
       joe.%.%.%    pgndwrx
       dan.%.%.%    -------
       %.%.%.%      pgndwrx
     $


     $ edacl sales -a %.%.mktg wrx     Allow users in the MKTG organization
     $ edacl -L sales                   to change file contents, but do not
       joe.%.%.%     pgndwrx            let them assign rights to others (p
       dan.%.%.%.    -------            and g), change the node ID entry (n),
       %.%.mktg.%    ----wrx            or delete the file (d).
       %.%.%.%       pgndwrx
     $


     $ edacl sales -c % r              Change everyone else's access to read
     $ edacl -L sales                   only.  Note that the more liberal
       joe.%.%.%     pgndwrx            rights (wrx) assigned to the MKTG
       dan.%.%.%     -------            organization in the previous line
       %.%.mktg.%    ----wrx            still apply, since specific entries
       %.%.%.%       ----r--            override general ones.
     $

  2. The following examples illustrate the effect of the -UNIX option.

     $ edacl dir
     dir
     * l
      %.%.%.%                          pgndcalrse
     * a jim -none
      jim.%.%.%                        --------se
     * a ers -r
      ers.%.%.%                        -------rse
     * l
      jim.%.%.%                        --------se
      ers.%.%.%                        -------rse
      %.%.%.%                          pgndcalrse

     Now specify -UNIX ...

     $ edacl dir -unix
     dir
     * l
      %.%.%.%                          pgndcalrse
     * a jim -none
      jim.%.%.%                        ----------
     * a ers -r
      ers.%.%.%                        -------r--
     * l
      rees.%.%.%                       ----------
      ers.%.%.%                        -------r--
      %.%.%.%                          pgndcalrse

  3. Set the initial file ACL for the directory //test/tmp/dir to be dynamic.

     $ edacl //test/tmpdir -if -dyn
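
  The following Python model is an added illustration, not part of the original help text and not Apollo code. It replays the four edits from example 1 and resolves a user's effective rights. The names Acl, expand and normalize are hypothetical, and the precedence rule (a literal in an earlier SID field is more specific, first match wins) is an assumption; the help text says only that specific entries precede and override general ones.

```python
# Added model of the ACL from example 1; illustrative, not Apollo code.
FILE_RIGHTS = "pgndwrx"  # rights letters in the order `edacl -L` prints them

def expand(sid):
    """Pad a partial SID ('dan.%', '%.%.mktg', '%') to four fields."""
    parts = sid.lower().split(".")
    return tuple(parts + ["%"] * (4 - len(parts)))

def normalize(rights):
    """Map '-none', '-owner' or a letter string to canonical letter order."""
    if rights == "-none":
        return ""
    if rights == "-owner":
        return FILE_RIGHTS
    return "".join(c for c in FILE_RIGHTS if c in rights)

class Acl:
    def __init__(self):
        self.entries = {expand("%"): FILE_RIGHTS}  # starting state in example 1

    def add(self, sid, rights):  # -A: fails if the entry already exists
        if expand(sid) in self.entries:
            raise KeyError("entry exists")
        self.entries[expand(sid)] = normalize(rights)

    def change(self, sid, rights, force=False):  # -C, or -CF when force=True
        if expand(sid) not in self.entries and not force:
            raise KeyError("entry does not exist")
        self.entries[expand(sid)] = normalize(rights)

    def listing(self):
        # ASSUMPTION: a literal in an earlier field ranks as more specific.
        return sorted(self.entries.items(),
                      key=lambda kv: [field == "%" for field in kv[0]])

    def rights_for(self, person, project, org, node):
        subject = (person, project, org, node)
        for sid, rights in self.listing():  # ASSUMPTION: first match wins
            if all(f in ("%", s) for f, s in zip(sid, subject)):
                return rights
        return ""  # no matching entry: no rights

def example_1():
    acl = Acl()
    acl.change("dan.%", "-none", force=True)  # edacl sales -cf dan.% -none
    acl.add("joe", "-owner")                  # edacl sales -a joe -owner
    acl.add("%.%.mktg", "wrx")                # edacl sales -a %.%.mktg wrx
    acl.change("%", "r")                      # edacl sales -c % r
    return acl
```

  Under these assumptions a MKTG user keeps wrx after the final -c % r, while DAN stays denied even as a member of MKTG because the person-specific entry is matched first.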


RELATED TOPICS

  More information is available.  Type:

  - HELP PROTECTION ACLS
   for a detailed description of ACLS.

  - HELP ACLS
   for a list of commands used to manipulate ACLS.

  - HELP PROTECTION
   for a general discussion of DOMAIN protection mechanisms.

  - HELP PROTECTION SIDS
   for details about subject identifiers (PPON's).

  - HELP PROTECTION RIGHTS
   for details about the various access rights and what they mean.

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026