setacl(1) DG/UX B2 Security R4.12MU02 setacl(1)
NAME
setacl - change the access control list (ACL) of one or more objects
SYNOPSIS
setacl [-lqrv] [-dkbcpn] [-I ifile] [-i ientries] [-U ufile]
[-u uentries] [-X xfile] [-x xentries]
{-o objecttype [object ...]}|{object ...}
where:
objecttype The object type of the specified objects.
ifile The name of a file containing ACL entries to completely
replace the existing ACL. Use a dash (-) to indicate
standard input. A dash can also be used for ufile or
xfile; however, no more than one option can have - as
its argument.
ientries A text string of one or more ACL entries to completely
replace the existing ACL. These entries are in the same
format as those in ifile, except that these are
separated by commas (not by new lines) and can contain
neither white space nor comments.
ufile The name of a file containing ACL entries to update the
ACL.
uentries A text string of one or more ACL entries to update the
ACL.
xfile The name of a file containing ACL entries to be removed.
xentries A text string of one or more ACL entries to be removed.
xentries contains entries similar to ientries, but perm
text strings (see the -I option) are ignored.
object Name of file object whose ACL setacl will change.
DESCRIPTION
The setacl command changes the ACL of the specified objects. The ACL
of an object specifies its discretionary access permissions.
Options
-l If target is a symbolic link, operate on the link. The
default behavior is to operate on the object referenced by the
link.
-q Do not write diagnostic messages. The usage error message is
always written.
-r Recursively descend through directory file objects, setting
the ACL for each file. Works only for file objects.
-v Display the ACL that would be set, but do not set it or
process the targets. If setacl -v does not return any errors,
and you issue the same setacl command without the -v option,
there is no guarantee that it will succeed.
-o Specify the type of the object arguments. If you use -o
objecttype but omit object, setacl uses the default object.
Values for objecttype, the objects associated with them, the
specification format for the objects, and the default objects
are listed below.
Value  Object          Format            Default
f      file            file name         working directory (.)
p      process         PID number        invoking process ID (0)
m      shared memory   shared memory ID  0
s      semaphore       semaphore set ID  0
q      message queue   message queue ID  0
If -o objecttype is not specified and one or more objects are
specified, then the default object type is f (file).
Note that UNIX-domain sockets are file objects.
-I Use the ACL entries from ifile to completely replace the
existing ACL on each specified object. Other options may then
further modify the ACL.
ifile is human-readable and comprises lines delimited with the
new-line character. A line can either be a comment or an ACL
entry. Only one ACL can appear in ifile. A comment begins
with the number sign (#) and ends at the end of the line.
Blank lines are ignored.
ACL entries have the following syntax:
u[ser]::perm # owning user entry
g[roup]::perm # owning group entry
o[ther]::perm # other entry
mask::perm # optional mask entry
u[ser]:uid:perm # optional additional user entry
g[roup]:gid:perm # optional additional group entry
where:
perm A three-character text string of the form rwx that
specifies permissions. The permissions are as follows:
r read access
w write access
x execute or search access
- absence of the particular access permission
uid A text string--either a user name or user ID number.
gid A text string--either a group name or group ID number.
After all specified operations are performed, the resulting
ACL must have at least the owning user entry (user::perm), the
owning group entry (group::perm), and the other entry
(other::perm). These entries can appear only once. You can
append a comment to the end of an ACL entry.
If the mask entry is present, it limits the access permissions
of all entries other than the owning user entry and the other
entry.
The entries may appear in any order; duplicate entries are not
allowed. However, it is permissible to have an entry such as
user:uid1:perm, where uid1 is also the owner of the file
object, or an entry such as group:gid1:perm, where gid1 is
also the owning group of the object.
-i Use the ACL entries from the specified string ientries to
completely replace the existing ACL. Other options may then
further modify the ACL.
-U Read ACL entries from ufile. setacl tries to find for each
update entry an entry in the existing ACL of the same type and
ID. If such an entry exists, the update entry replaces it.
If none exists, the update entry is added to the existing ACL.
-u Get ACL entries from uentries to update in the existing ACL.
-X Read ACL entries from xfile to remove from the existing ACL.
setacl uses these entries to remove entries of the same
type and ID from the existing ACL. xfile is a human-readable
file composed of lines similar to the ones in ifile, except
that perm text strings are ignored.
-x Get ACL entries from xentries to remove from the existing ACL.
setacl uses the specified entries to remove entries of the
same type and ID from the existing ACL.
-d Set the default ACL. Only a directory file object can have a
default ACL. The effect of placing a default ACL on a
directory is that the default ACL becomes the access ACL
(possibly modified) of all new objects created in the
directory, and becomes the default ACL (unmodified) of any
(sub)directory created in the directory.
If you use both -d and -r, setacl tries to set only default
ACLs on directory file objects.
-k Remove all entries from the existing default ACL. If you use
-k but omit -d, all other options apply to the access ACL.
-b Remove all but the mandatory base entries from the existing
ACL. If there is a mask entry, then the new owning group
permission is the intersection of the existing owning group
permission and the mask entry permission. The -b option is
ignored if -k and -d are also present.
The mandatory base entries are:
the owning user entry
the owning group entry
the other entry
-c Recalculate the mask entry as follows: The existing mask entry
is removed. The new mask entry is computed as the bitwise OR
of all remaining entries--other than the owning user entry and
the other entry. In other words, if any of these entries has
the r, w, or x access permission, then the new mask entry will
also have that access permission. The -c option cannot be
used with -n.
-p Purge the existing ACL of user and group entry permissions not
allowed by the mask before applying changes specified by
options -U, -u, -X or -x. The -p option is overridden by -I
or -i.
-n Do not perform the mask calculation. The -n option cannot be
used with -c.
The options are executed in the following order:
1. -b, -i or -I, and -p.
2. All -u, -U, -x and -X options in the order specified on the
command line.
3. -c or -n.
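The following Python is an added illustration, not part of the DG/UX manual or of setacl itself: it parses the ifile format described under -I (and the comma-separated ientries form used with -i), rejects duplicate entries, checks for the mandatory base entries, applies the mask rule (the mask limits every entry except the owning user and other entries) and performs the -c mask recalculation. SAMPLE_IFILE and the names joe and 100 are constructed for the example.

```python
import re
# Constructed ifile text in the -I format (not from the page): comments, a blank line, a mask.
SAMPLE_IFILE = """
# project ACL
user::rwx
group::r-x
other::---
mask::r--        # limits every entry except user:: and other::
user:joe:rwx
group:100:rw-
"""
_TAGS = {"u": "user", "g": "group", "o": "other"}   # u[ser], g[roup], o[ther] abbreviations
_PERM = re.compile(r"^[r-][w-][x-]$")
OWNER, GROUP, OTHER, MASK = ("user", ""), ("group", ""), ("other", ""), ("mask", "")

def parse_entries(text, sep="\n"):
    """ifile text (sep='\\n') or an ientries string (sep=','): returns {(type, id): perm}."""
    acl = {}
    for raw in text.split(sep):
        line = raw.split("#", 1)[0].strip()        # drop comment and surrounding white space
        if not line:
            continue
        tag, ident, perm = line.split(":")
        key = (_TAGS.get(tag, tag), ident)
        if key[0] not in ("user", "group", "other", "mask") or not _PERM.match(perm):
            raise ValueError("bad ACL entry: %r" % line)
        if key in acl:
            raise ValueError("duplicate ACL entry: %r" % line)
        acl[key] = perm
    return acl

def check_base_entries(acl):  # the final ACL must carry user::, group:: and other::
    return all(k in acl for k in (OWNER, GROUP, OTHER))

_and = lambda a, b: "".join(x if x == y else "-" for x, y in zip(a, b))  # intersection
_or = lambda a, b: "".join(y if x == "-" else x for x, y in zip(a, b))   # union

def recalc_mask(acl):  # -c: drop the old mask; new mask = OR of all but user:: and other::
    new = {k: v for k, v in acl.items() if k != MASK}
    mask = "---"
    for key, perm in new.items():
        if key not in (OWNER, OTHER):
            mask = _or(mask, perm)
    new[MASK] = mask
    return new

def effective(acl, key):  # the mask limits every entry except user:: and other::
    if key in (OWNER, OTHER) or MASK not in acl:
        return acl[key]
    return _and(acl[key], acl[MASK])
```

With the sample, user:joe:rwx is cut down to r-- by the mask, and recalculating the mask with -c would widen it back to rwx, which is why -c and a restrictive hand-written mask do not mix.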
EXAMPLES
setacl -I my.acl a b c
setacl -i u::rwx,g::r-x,o::---,u:joe:rwx,u:bob:--- file2
setacl -u user:moe:--- a b c
setacl -x u:joe,u:bob file4
DIAGNOSTICS
The setacl command writes all diagnostic messages to stderr. The
setacl command exits with one of the following values:
0 Executed correctly and set the ACLs of all the objects.
1 ACLs are not supported on this system.
2 Could not set the ACL of at least one object.
3 Usage is incorrect.
SEE ALSO
getacl(1), ls(1), dgsetoacl(2), acllibrary(3).
Licensed material--property of copyright holder(s)