setacl(1) C2 Trusted DG/UX 5.4.2T setacl(1)
NAME
setacl - change the access control list (ACL) of one or more file
objects
SYNOPSIS
setacl [-lqrv] [-dkbcpn]
[-o objecttype]
[-I ifile] [-i ientries]
[-U ufile] [-u uentries]
[-X xfile] [-x xentries]
object . . .
where:
ifile is a file containing ACL entries. setacl uses these
entries to completely replace the existing ACL. Other
options may then further modify the ACL.
ientries is a text string of one or more ACL entries. setacl
uses these entries to completely replace the existing
ACL. Other options may then further modify the ACL.
ufile is a file containing ACL entries. setacl updates these
entries in the ACL.
uentries is a text string of one or more ACL entries. setacl
updates these entries in the ACL.
xfile is a file containing ACL entries. setacl removes these
entries from the ACL.
xentries is a text string of one or more ACL entries. setacl
removes these entries from the ACL.
object is the name(s) of the file object(s) whose ACL setacl
will change.
DESCRIPTION
The setacl command changes the ACL of the specified objects. The ACL
of an object specifies its discretionary access permissions.
Options are:
-l causes setacl not to follow symbolic links, i.e., no
action is taken for symbolic links.
-q stops setacl from writing diagnostic messages. The
usage error message is always written.
-r causes setacl to recursively descend through directory
file objects, setting the ACL for each file. -r works
only for objects of type file.
-v causes setacl to only display the ACL that would be set,
Licensed material--property of copyright holder(s) 1
but does not set it. It also causes setacl to not
process the targets. Thus, if setacl -v does not return
any errors, and the same setacl command is issued
without the -v option, there is no guarantee that it
will succeed.
-o objecttype
objecttype specifies the type of the object arguments.
If -o objecttype is specified but an object is not,
setacl uses the default objects listed below. The
values for objecttype, the objects associated with
them, and the specification format for the objects are
also listed below.
Value   Object   Specification Format and Defaults
f       file     filename (defaults to the current working
                 directory, that is, "."). Note that
                 UNIX®-domain sockets are file objects.
-I ifile Use the ACL entries from the specified file ifile.
-I - specifies stdin. stdin can also be specified on
options -U - or -X -. However, no more than one of these
options at a time can specify stdin.
If -I is specified, then setacl will attempt to set the
ACL described in the -I input source on each specified
object. Only one ACL can appear in the input source.
ifile is human-readable. It is composed of lines
delimited with the newline character. A line can either
be a comment or an ACL entry. A comment begins with the
'#' character and ends at the end of the line. Lines
composed of only whitespace are ignored. Only one ACL
can appear in ifile.
The ACL entries have the following syntax:
user::perm # owning user entry
group::perm # owning group entry
other::perm # other entry
mask::perm # optional mask entry
user:uid:perm # optional additional user entry
group:gid:perm # optional additional group entry
perm is a 3-character text string of the form rwx, that
specifies permissions. r specifies read access, w
specifies write access, and x specifies execute or
search access. A dash (-) is used to indicate the
absence of a particular access permission.
uid is a text string -- either a user name or user id
number.
gid is a text string -- either a group name or group id
number.
After all specified operations are performed, the
resulting ACL must have at least the owning user entry
(user::perm), the owning group entry (group::perm), and
the other entry (other::perm). These entries may appear
only once.
If the mask entry is present, it is used to limit the
access permissions of all entries other than the owning
user entry and the other entry.
The entries may appear in any order, and duplicate
entries are not allowed. However, it is permissible to
have an entry such as user:uid1:perm, where uid1 is also
the owner of the file object, or an entry such as
group:gid1:perm, where gid1 is also the owning group of
the object.
The abbreviations for user, group, and other are u, g,
and o respectively. A comment can be appended to the end
of an ACL entry.
-i ientries Use the ACL entries from the specified string ientries
to completely replace the existing ACL. Other options
may then further modify the ACL.
ientries is a text string composed of entries of the
form specified above. The only differences are that the
ACL entries in ientries are separated by commas (not by
newlines) and can contain neither whitespace nor
comments. For example:
-i u::rwx,g::r-x,o::---,u:joe:rwx,u:bob:---
-U ufile Read ACL entries from the specified file ufile. setacl
tries to find for each update entry an entry in the
existing ACL of the same type and id. If such an entry
exists, the update entry replaces it. If none exists,
the update entry is added to the existing ACL.
-u uentries Get ACL entries from the specified text string uentries
to update in the existing ACL. uentries is a string of
the same format as ientries.
-X xfile Read ACL entries from the specified file xfile to remove
from the existing ACL. setacl uses the specified
entries to remove entries of the same type and id from
the existing ACL. xfile is a human-readable file
composed of lines similar to the ones in ifile, the only
difference being that perm text strings are ignored.
-x xentries Get ACL entries from the specified text string xentries
to remove from the existing ACL. setacl uses the
specified entries to remove entries of the same type and
id from the existing ACL.
xentries is a text string composed of entries similar to
the ones in ientries, the only difference being that perm
text strings are ignored, for example:
-x u:joe,u:bob
-d Set the default ACL. Only a directory file object can
have a default ACL. The effect of placing a default ACL
on a directory is that the default ACL will become the
access ACL (possibly modified -- see the Security
Features User's Guide for the Trusted DG/UX System) of
all new objects created in the directory, and will
become the default ACL (unmodified) of any
(sub)directory created in the directory.
If both -d and -r are selected, then setacl will only
attempt to set default ACLs on directory file objects.
-k causes setacl to remove all entries from the existing
default ACL.
If the -k option is specified, but the -d option is not
specified, then all other options apply to the access
ACL.
-b Remove all but the mandatory base entries from the
existing ACL. If there is a mask entry, then the new
owning group permission is the intersection of the
existing owning group permission and the mask entry
permission.
-b is ignored if -k and -d are also present.
The mandatory base entries are:
the owning user entry
the owning group entry
the other entry
-c Causes the recalculation of the mask entry as follows.
The existing mask entry is removed. The new mask entry
is computed as the bitwise OR of all remaining entries
-- other than the owning user entry and the other entry.
In other words, if any of these entries has the r, w, or
x access permission, then the new mask entry will also
have that access permission.
-c cannot be used with -n.
-p Purge the existing ACL of user and group entry
permissions not allowed by the mask before applying
changes specified by options -U, -u, -X or -x.
-p is overridden by -I or -i.
-n Do not perform the mask calculation.
-n cannot be used with -c.
The options are executed in the following order:
1. -b, -i or -I, and -p.
2. All -u, -U, -x and -X options in the order specified on
the command line.
3. -c or -n.
EXAMPLES
setacl -I my.acl a b c
setacl -u u:moe:--- a b c
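As an added worked example (not part of the DG/UX man page or the setacl program), the following Python models the ACL entry grammar described above, the -u/-x update and removal steps applied in command-line order, the -c mask recalculation, and the way the mask limits every entry except the owning user and other entries. The entry regex, the function names, the use of "m" as an abbreviation for mask, and the sample ACL text are assumptions of this example.

```python
import re

ENTRY_RE = re.compile(r"^(u|user|g|group|o|other|m|mask):([^:]*)(?::([r-][w-][x-]))?$")
KINDS = {"u": "user", "g": "group", "o": "other", "m": "mask"}
OWNER, GROUP, OTHER, MASK = ("user", ""), ("group", ""), ("other", ""), ("mask", "")

def parse(entries, sep=","):
    """Parse entries into {(type, id): perm}; sep=',' is the -i/-u/-x string form,
    a newline sep is the -I/-U/-X file form ('#' comments, blank lines ignored)."""
    acl = {}
    for raw in entries.split(sep):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m or (m.group(1)[0] in "om" and m.group(2)):   # other/mask take no id
            raise ValueError("bad entry: " + line)
        key = (KINDS[m.group(1)[0]], m.group(2))
        if key in acl:                                         # duplicates not allowed
            raise ValueError("duplicate entry: " + line)
        acl[key] = m.group(3) or ""
    return acl

def bits(p):
    return frozenset(p) - {"-"}
def text(b):
    return "".join(c if c in b else "-" for c in "rwx")

def apply_ops(acl, ops, recalc=False):
    """Steps 2 and 3 of setacl's order: ('u'|'x', entries) in command-line order, then -c."""
    acl = dict(acl)
    for op, entries in ops:
        for key, p in parse(entries).items():
            if op == "u":
                acl[key] = p                      # replace same type+id, else add
            else:
                acl.pop(key, None)                # -x ignores any perm text
    if recalc:                                    # -c: OR of all but owner and other
        acl.pop(MASK, None)
        acl[MASK] = text(frozenset().union(*(bits(p) for k, p in acl.items()
                                             if k not in (OWNER, OTHER))))
    for key in (OWNER, GROUP, OTHER):             # mandatory base entries
        if key not in acl:
            raise ValueError("missing base entry " + key[0] + "::")
    return acl

def effective(acl):
    """Access each entry really grants: the mask limits all but owner and other."""
    m = bits(acl.get(MASK, "rwx"))
    return {k: (p if k in (OWNER, OTHER) else text(bits(p) & m)) for k, p in acl.items()}
```

Feeding a constructed ifile text through parse() and then apply_ops() with [("u", "u:moe:---")] reproduces the net effect of the two example commands above on one ACL, and effective() shows what each entry grants once the mask is applied.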
DIAGNOSTICS
setacl writes all diagnostic messages to stderr.
setacl exits with one of the following values:
0 setacl executed correctly and set the ACLs of all the
objects.
1 ACLs are not supported on this system.
2 setacl could not set the ACL of at least one object.
3 setacl usage is wrong.
SEE ALSO
getacl(1), ls(1), dgsetoacl(2), acllibrary(3),
Security Features User's Guide for the Trusted DG/UX System.