setacl(1)                  C2 Trusted DG/UX 5.4.2T                 setacl(1)


NAME
       setacl - change the access control list (ACL) of one or more file
       objects

SYNOPSIS
       setacl [-lqrv] [-dkbcpn]
               [-o objecttype]
               [-I ifile] [-i ientries]
               [-U ufile] [-u uentries]
               [-X xfile] [-x xentries]
               object . . .

   where:
       ifile        is a file containing ACL entries.  setacl uses these
                    entries to completely replace the existing ACL.  Other
                    options may then further modify the ACL.

       ientries     is a text string of one or more ACL entries.  setacl
                    uses these entries to completely replace the existing
                    ACL.  Other options may then further modify the ACL.

       ufile        is a file containing ACL entries.  setacl updates these
                    entries in the ACL.

       uentries     is a text string of one or more ACL entries.  setacl
                    updates these entries in the ACL.

       xfile        is a file containing ACL entries.  setacl removes these
                    entries from the ACL.

       xentries     is a text string of one or more ACL entries.  setacl
                    removes these entries from the ACL.

       object       is the name(s) of the file object(s) whose ACL setacl
                    will change.

DESCRIPTION
       The setacl command changes the ACL of the specified objects.  The ACL
       of an object specifies its discretionary access permissions.

       Options are:

       -l           causes setacl not to follow symbolic links, i.e., no
                    action is taken for symbolic links.

       -q           stops setacl from writing diagnostic messages.  The
                    usage error message is always written.

       -r           causes setacl to recursively descend through directory
                    file objects, setting the ACL for each file.  -r works
                    only for objects of type file.

       -v           causes setacl to only display the ACL that would be set,
                    but does not set it.  It also causes setacl to not
                    process the targets.  Thus, if setacl -v does not return
                    any errors, and the same setacl command is issued
                    without the -v option, there is no guarantee that it
                    will succeed.


       -o objecttype
                    objecttype specifies the type of the object arguments.
                    If -o objecttype is specified but an object is not,
                    setacl uses the default objects listed below.  The
                    values for objecttype, the objects associated with
                    them, and the specification format for the objects are
                    also listed below.

              Value      Object        Specification Format and Defaults

              f          file          filename (defaults to the current
                                       working directory, that is, ".")
                                       Note that UNIX®-domain sockets are
                                       file objects.



       -I ifile     Use the ACL entries from the specified file ifile.

                    -I - specifies stdin.  stdin can also be specified with
                    the options -U - or -X -.  However, no more than one of
                    these options at a time can specify stdin.

                    If -I is specified, then setacl will attempt to set the
                    ACL described in the -I input source on each specified
                    object.  Only one ACL can appear in the input source.

                    ifile is human-readable. It is composed of lines
                    delimited with the newline character. A line can either
                    be a comment or an ACL entry.  A comment begins with the
                    '#' character and ends at the end of the line. Lines
                    composed of only whitespace are ignored.  Only one ACL
                    can appear in ifile.

                    The ACL entries have the following syntax:

                    user::perm     # owning user entry

                    group::perm    # owning group entry

                    other::perm    # other entry

                    mask::perm     # optional mask entry

                    user:uid:perm  # optional additional user entry

                    group:gid:perm # optional additional group entry

                    perm is a 3-character text string of the form rwx, that
                    specifies permissions. r specifies read access, w
                    specifies write access, and x specifies execute or
                    search access. A dash (-) is used to indicate the
                    absence of a particular access permission.

                    uid is a text string -- either a user name or user id
                    number.

                    gid is a text string -- either a group name or group id
                    number.

                    After all specified operations are performed, the
                    resulting ACL must have at least the owning user entry
                    (user::perm), the owning group entry (group::perm), and
                    the other entry (other::perm). These entries may appear
                    only once.

                    If the mask entry is present, it is used to limit the
                    access permissions of all entries other than the owning
                    user entry and the other entry.

                    The entries may appear in any order, and duplicate
                    entries are not allowed.  However, it is permissible to
                    have an entry such as user:uid1:perm, where uid1 is also
                    the owner of the file object, or an entry such as
                    group:gid1:perm, where gid1 is also the owning group of
                    the object.

                    The abbreviations for user, group, and other are u, g,
                    and o, respectively.  A comment can be appended to the
                    end of an ACL entry.

       -i ientries  Use the ACL entries from the specified string ientries
                    to completely replace the existing ACL.  Other options
                    may then further modify the ACL.

                    ientries is a text string composed of entries of the
                    form specified above.  The only differences are that the
                    ACL entries in ientries are separated by commas (not by
                    newlines) and can contain neither whitespace nor
                    comments. For example:

                    -i u::rwx,g::r-x,o::---,u:joe:rwx,u:bob:---

       -U ufile     Read ACL entries from the specified file ufile.  For
                    each update entry, setacl looks for an entry of the
                    same type and id in the existing ACL.  If such an entry
                    exists, the update entry replaces it.  If none exists,
                    the update entry is added to the existing ACL.

       -u uentries  Get ACL entries from the specified text string uentries
                    to update in the existing ACL.  uentries is a string of
                    the same format as ientries.

       -X xfile     Read ACL entries from the specified file xfile to remove
                    from the existing ACL.  setacl uses the specified
                    entries to remove entries of the same type and id from
                    the existing ACL.  xfile is a human-readable file
                    composed of lines similar to the ones in ifile, the only
                    difference being that perm text strings are ignored.

       -x xentries  Get ACL entries from the specified text string xentries
                    to remove from the existing ACL.  setacl uses the
                    specified entries to remove entries of the same type and
                    id from the existing ACL.

                    xentries is a text string composed of entries similar to
                    the ones in ientries, the only difference being that
                    perm text strings are ignored.  For example:

                    -x u:joe,u:bob

       -d           Set the default ACL.  Only a directory file object can
                    have a default ACL.  The effect of placing a default ACL
                    on a directory is that the default ACL will become the
                    access ACL (possibly modified -- see the Security
                    Features User's Guide for the Trusted DG/UX System) of
                    all new objects created in the directory, and will
                    become the default ACL (unmodified) of any
                    (sub)directory created in the directory.

                    If both -d and -r are selected, then setacl will only
                    attempt to set default ACLs on directory file objects.

       -k           causes setacl to remove all entries from the existing
                    default ACL.

                    If the -k option is specified, but the -d option is not
                    specified, then all other options apply to the access
                    ACL.


       -b           Remove all but the mandatory base entries from the
                    existing ACL.  If there is a mask entry, then the new
                    owning group permission is the intersection of the
                    existing owning group permission and the mask entry
                    permission.

                    -b is ignored if -k and -d are also present.

                    The mandatory base entries are:
                      the owning user entry
                      the owning group entry
                      the other entry

       -c           Causes the recalculation of the mask entry as follows.
                    The existing mask entry is removed. The new mask entry
                    is computed as the bitwise OR of all remaining entries
                    -- other than the owning user entry and the other entry.
                    In other words, if any of these entries has the r, w, or
                    x access permission, then the new mask entry will also
                    have that access permission.

                    -c cannot be used with -n.

       -p           Purge the existing ACL of user and group entry
                    permissions not allowed by the mask before applying
                    changes specified by options -U, -u, -X or -x.

                    -p is overridden by -I or -i.

       -n           Do not perform the mask calculation.

                    -n cannot be used with -c.

       The options are executed in the following order:

              1.  -b, -i or -I, and -p.

              2.  All -u, -U, -x and -X options in the order specified on
              the command line.

              3.  -c or -n.

EXAMPLES
       setacl -I my.acl a b c

       setacl -u u:moe:--- a b c
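
       The following Python model is an added example, not part of the
       original manual page and not DG/UX code.  It implements the entry
       syntax, the execution order (-b and -i, then -u/-x in command-line
       order, then -c) and the mask rule described above.  The function
       names, the use of rwx when no mask entry exists, and the silent
       skipping of -x entries that are not in the ACL are assumptions;
       -p, -n and default ACLs are not modelled.

```python
# Added illustration: models the ACL rules on this page; not DG/UX code.
KINDS = {"u": "user", "g": "group", "o": "other"}       # documented abbreviations
BASE = (("user", ""), ("group", ""), ("other", ""))     # mandatory base entries
UNMASKED = (("user", ""), ("other", ""))                # the mask never limits these
BITS = tuple(zip("rwx", (4, 2, 1)))

def parse(text, perms=True):
    """Parse an -i/-u string, or an -x string (perm ignored) when perms=False."""
    acl = {}
    for item in text.split(","):
        kind, _, rest = item.partition(":")
        ident, _, perm = rest.partition(":")
        key = (KINDS.get(kind, kind), ident)
        if key[0] not in ("user", "group", "other", "mask") or key in acl or " " in item:
            raise ValueError(f"bad or duplicate entry {item!r}")
        if perms and (len(perm) != 3 or any(p not in (f, "-") for p, (f, _) in zip(perm, BITS))):
            raise ValueError(f"bad perm in {item!r}")
        acl[key] = sum(b for p, (_, b) in zip(perm, BITS) if p != "-") if perms else 0
    return acl

def apply_options(acl, i=None, ops=(), b=False, c=False):
    """Return the ACL after -b/-i, then ops [("u"|"x", str)] in order, then -c."""
    acl = dict(acl)
    if b:                                   # keep base entries; group &= mask
        mask = acl.get(("mask", ""), 7)
        acl = {k: v for k, v in acl.items() if k in BASE}
        acl[("group", "")] &= mask
    if i is not None:                       # -i replaces the whole ACL
        acl = parse(i)
    for opt, text in ops:
        if opt == "u":                      # replace same type and id, else add
            acl.update(parse(text))
        else:                               # -x; absent entries skipped (assumption)
            for key in parse(text, perms=False):
                acl.pop(key, None)
    if c:                                   # new mask = OR of the maskable entries
        acl.pop(("mask", ""), None)
        mask = 0
        for key, bits in acl.items():
            mask |= 0 if key in UNMASKED else bits
        acl[("mask", "")] = mask
    if any(k not in acl for k in BASE):
        raise ValueError("owning user, owning group and other entries are required")
    return acl

def effective(acl, key):
    """rwx string for one entry after the mask entry, if present, is applied."""
    bits = acl[key] if key in UNMASKED else acl[key] & acl.get(("mask", ""), 7)
    return "".join(f if bits & b else "-" for f, b in BITS)
```

       For instance, with mask::r-- present, an entry u:joe:rwx yields only
       r-- for joe, which is the value to check when auditing what an ACL
       actually grants.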


DIAGNOSTICS
       setacl writes all diagnostic messages to stderr.

       setacl exits with one of the following values:

            0      setacl executed correctly and set the ACLs of all the
                   objects.

            1      ACLs are not supported on this system.

            2      setacl could not set the ACL of at least one object.

            3      setacl usage is wrong.

SEE ALSO
       getacl(1), ls(1), dgsetoacl(2), acllibrary(3),
       Security Features User's Guide for the Trusted DG/UX System.

Licensed material--property of copyright holder(s)