SETPROT(8) Domain/OS BSD SETPROT(8)
NAME
setprot - modify object protection
SYNOPSIS
/etc/setprot [ -uv ] pathname ...
DESCRIPTION
setprot modifies Access Control Lists (ACLs) for objects as described in
a protection file. setprot can apply ACLs only to objects resident on
Domain/OS nodes.
OPTIONS
-u Display the command usage.
-v Display each line of the protection template before it is executed.
pathname
Pathname of optional template file. If omitted, setprot will take
commands from standard input.
ACL DEFINITION FILE FORMAT
The ACL definition file contains a series of single-line records
introduced by a keyword in the first column that defines the type of
information on the line. setprot currently recognizes the following
keyletters:
-a spec
Define the current ACL.
-[odfR] pathname
Assign the current ACL to pathname.
Generally, the ACL definition file first defines a "current ACL" by
building an ACL with ACL records, then using Object Records to assign the
current ACL to one or more file system objects, modifying the current ACL
or creating a new current ACL from scratch as appropriate.
Object Records
Records that contain the keyletter '-[odf]' are called "object records"
because they cause the current ACL to be assigned to an object. The
path_name field which must follow the command token can be any pathname
associated with a directory or file object.
Object records have four options, 'R', 'o', 'd', and 'f', any or all of
which may follow the '-' keyletter. The meaning of each option is similar
to the flags for the lsacl and chacl commands:
o Assign the current ACL to the object itself.
d If the object is a directory, assign the ACL to the initial
directory ACL for that directory.
f If the object is a directory, assign the ACL to the initial file ACL
for that directory.
R If the object is a directory, recursively apply the ACL to all files
and directories under that object.
At least one of the three options 'o', 'd', or 'f' must follow the '-'
keyletter.
ACL Entry Records
Records that begin with the keyletter 'a' are called "ACL entry records"
because they define the current ACL.
The ACL entry record defines all the entries in an object's access
control list (ACL). The following keyletters are defined:
-u spec define the owner required entry
-g spec define the group required entry
-z spec define the organization required entry
-o wrgts define the world rights
-e sid ergts define an extended ACL entry
-n specify network access permitted
-l specify local access only
-m mgrname specify the subsystem manager field by manager name
-d mgrname specify the subsystem data field by manager name
-mu high low specify the subsystem manager field by manager uid
-du high low specify the subsystem data field by manager uid
spec: <name> <frgts> | P<frgts>
name: user | group | org
frgts: [prwxks | I | U ]
wrgts: [prwxk | I | U ]
sid: user[.group[.org]]
ergts: [prwxk]
There are two types of entries in an ACL. The person, group,
organization, and world entries are required entries because they must be
present in every ACL on the system. Required ACL entries are introduced
by the u, g, z, and o keyletters in the ACL definition file. Each
required entry associates the name of a person, group, or organization
with a set of rights. The user, group, and world entries in an ACL
correspond to the UNIX model's user, group, and other permissions,
respectively. The organization entry corresponds to the rights that can
be granted to a user if he is in the named organization as defined in the
/etc/org file; just as the group entry corresponds to the rights that can
be granted to members of a group as defined in /etc/group.
An ACL can also contain extended entries. Extended ACL entries are
introduced by the 'e' keyletter in the ACL definition file. Each
extended entry associates a subject identifier (SID) that specifies a
person, group, and organization with a set of rights.
Each ACL entry has a set of rights associated with it. The set of rights
available for use with required entries is "pwrxksIUP", although I is
incompatible with any subset of "pwrxsU". Any valid set of the rights
available for use with required entries may be used for the
required_rights field. A u, g, or z field can include 's' to add the
set-[user|group|organization]-ID right to the ACL for an executable
binary object. If the 's' right is omitted, the set-user-ID right is
left off.
The set of rights available for use with extended entries are: "pwrxk".
Any valid set of the rights available for use with extended entries may
be used for the extended_rights field.
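The following Python validator for the ACL definition file format described above is an added example, not part of the Domain/OS manual or of setprot itself. It assumes that the entry keyletters of an ACL entry record follow the -a on the same line (e.g. "-a -u alice prwx -o prx"), recognises the one-token P<frgts> spec form heuristically, and checks the rules stated above (valid rights letters, I incompatible with pwrxsU, at least one of o/d/f on an object record); the sample template is constructed.

```python
ARITY = {"-u": 2, "-g": 2, "-z": 2, "-o": 1, "-e": 2, "-n": 0, "-l": 0,
         "-m": 1, "-d": 1, "-mu": 2, "-du": 2}  # args per entry keyletter
FRGTS, WRGTS, ERGTS = set("pwrxksIUP"), set("prwxkIU"), set("prwxk")
ALLOWED = {"-u": FRGTS, "-g": FRGTS, "-z": FRGTS, "-o": WRGTS, "-e": ERGTS}

def check_rights(rights, allowed):
    """Return an error string, or None when the rights string is acceptable."""
    bad, clash = set(rights) - allowed, set(rights) & set("pwrxsU")
    if bad:
        return "unknown rights '%s'" % "".join(sorted(bad))
    if "I" in rights and clash:  # manual: I is incompatible with pwrxsU
        return "I combined with '%s'" % "".join(sorted(clash))

def parse_acl_record(tok):
    entries, errors, i = [], [], 1  # tok[0] is the '-a' record keyletter
    while i < len(tok):
        key, n = tok[i], ARITY.get(tok[i])
        if key in ("-u", "-g", "-z") and tok[i + 1:i + 2] and tok[i + 1][:1] == "P" \
                and set(tok[i + 1][1:]) <= FRGTS:
            n = 1  # one-token short form P<frgts>: the name is omitted
        if n is None or len(tok) - i - 1 < n:
            return entries, errors + ["bad or incomplete entry %s" % key]
        args = tok[i + 1:i + 1 + n]
        if key in ALLOWED:  # drop the leading 'P' of the short form first
            rights = args[-1][1:] if n == 1 and key != "-o" else args[-1]
            err = check_rights(rights, ALLOWED[key])
            errors += ["%s: %s" % (key, err)] if err else []
        entries.append((key, args))
        i += n + 1
    return entries, errors

def parse_template(text):
    records, errors = [], []  # records: ('acl', entries) / ('object', opts, path)
    for lineno, tok in enumerate(map(str.split, text.splitlines()), 1):
        if tok and tok[0] == "-a":
            entries, errs = parse_acl_record(tok)
            records.append(("acl", entries))
        elif len(tok) == 2 and tok[0][:1] == "-" and set(tok[0][1:]) <= set("odfR"):
            opts = set(tok[0][1:])  # manual: at least one of o, d, f required
            errs = [] if opts & set("odf") else ["object record needs o, d or f"]
            records.append(("object", opts, tok[1]))
        else:
            errs = ["unrecognised record"] if tok else []  # blank lines skipped
        errors.extend("line %d: %s" % (lineno, e) for e in errs)
    return records, errors

SAMPLE = """-a -u Pprwxs -g wheel I -z eng I -o prx -e bob.staff.eng prwxk -l
-od /usr/proj/src
-a -u carol Irx -o prx
-R /usr/proj/tmp"""  # constructed template; the last two records are invalid
```

Running parse_template(SAMPLE) reports the I/rx clash on line 3 and the missing o/d/f option on line 4 while accepting the first two records.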
Application Rules
setprot applies the ACLs you specify in protection_template according to
the following rules:
setprot [-v] [path] ...
This command modifies the protections set on the files and directories as
described in the file path.
An example protection template can be generated using lprot.
SEE ALSO
chacl(1), chgrp(1), chmod(1), cpacl(1), lprot(1), lsacl(1), org(5),
passwd(5), acl(7), chown(8), edrgy(8), salacl(8).