setacl(1) — DG/UX R4.11MU05

setacl(1)                DG/UX B2 Security R4.12MU02               setacl(1)


NAME
       setacl - change the access control list (ACL) of one or more objects

SYNOPSIS
       setacl [-lqrv] [-dkbcpn] [-I ifile] [-i ientries] [-U ufile]
              [-u uentries] [-X xfile] [-x xentries]
              {-o objecttype [object ...]}|{object ...}

   where:
       objecttype  The object type of the specified objects.

       ifile        The name of a file containing ACL entries to completely
                    replace the existing ACL.  Use a dash (-) to indicate
                    standard input.  A dash can also be used for ufile or
                    xfile; however, no more than one option can have - as
                    its argument.

       ientries     A text string of one or more ACL entries to completely
                    replace the existing ACL.  These entries are in the same
                    format as those in ifile, except that these are
                    separated by commas (not by new lines) and can contain
                    neither white space nor comments.

       ufile        The name of a file containing ACL entries to update the
                    ACL.

       uentries     A text string of one or more ACL entries to update the
                    ACL.

       xfile        The name of a file containing ACL entries to be removed.

       xentries     A text string of one or more ACL entries to be removed.
                    xentries contains entries similar to ientries, but perm
                    text strings (see the -I option) are ignored.

       object       Name of file object whose ACL setacl will change.

DESCRIPTION
       The setacl command changes the ACL of the specified objects.  The ACL
       of an object specifies its discretionary access permissions.

   Options
       -l     If target is a symbolic link, operate on the link.  The
              default behavior is to operate on the object referenced by the
              link.

       -q     Do not write diagnostic messages.  The usage error message is
              always written.

       -r     Recursively descend through directory file objects, setting
              the ACL for each file.  Works only for file objects.

       -v     Display the ACL that would be set, but do not set it or
              process the targets.  If setacl -v does not return any errors,
              and you issue the same setacl command without the -v option,
              there is no guarantee that it will succeed.

       -o     Specify the type of the object arguments.  If you use -o
              objecttype but omit object, setacl uses the default object.
              Values for objecttype, the objects associated with them, the
              specification format for the objects, and the default objects
              are listed below.

              Value  Object         Format            Default

              f      file           file name         working directory (.)
              p      process        PID number        invoking process ID (0)
              m      shared memory  shared memory ID  0
              s      semaphore      semaphore set ID  0
              q      message queue  message queue ID  0

              If -o objecttype is not specified and one or more objects are
              specified, then the default object type is f (file).

              Note that UNIX-domain sockets are file objects.

       -I     Use the ACL entries from ifile to completely replace the
              existing ACL on each specified object.  Other options may then
              further modify the ACL.

              ifile is human-readable and comprises lines delimited with the
              new-line character.  A line can either be a comment or an ACL
              entry.  Only one ACL can appear in ifile.  A comment begins
              with the number sign (#) and ends at the end of the line.
              Blank lines are ignored.

              ACL entries have the following syntax:
                     u[ser]::perm      # owning user entry
                     g[roup]::perm     # owning group entry
                     o[ther]::perm     # other entry
                     mask::perm        # optional mask entry
                     u[ser]:uid:perm   # optional additional user entry
                     g[roup]:gid:perm  # optional additional group entry
              where:
              perm   A three-character text string of the form rwx, that
                     specifies permissions.  The permissions are as follows:
                          r    read access
                          w    write access
                          x    execute or search access
                          -    absence of the particular access permission
              uid    A text string--either a user name or user ID number.
              gid    A text string--either a group name or group ID number.

              After all specified operations are performed, the resulting
              ACL must have at least the owning user entry (user::perm), the
              owning group entry (group::perm), and the other entry
              (other::perm).  These entries can appear only once.  You can
              append a comment to the end of an ACL entry.

              If the mask entry is present, it limits the access permissions
              of all entries other than the owning user entry and the other
              entry.

              The entries may appear in any order; duplicate entries are not
              allowed.  However, it is permissible to have an entry such as
              user:uid1:perm, where uid1 is also the owner of the file
              object, or an entry such as group:gid1:perm, where gid1 is
              also the owning group of the object.

       -i     Use the ACL entries from the specified string ientries to
              completely replace the existing ACL.  Other options may then
              further modify the ACL.

       -U     Read ACL entries from ufile.  setacl tries to find for each
              update entry an entry in the existing ACL of the same type and
              ID.  If such an entry exists, the update entry replaces it.
              If none exists, the update entry is added to the existing ACL.

       -u     Get ACL entries from uentries to update in the existing ACL.

       -X     Read ACL entries from xfile to remove from the existing ACL.
              setacl uses these entries to remove entries of the same
              type and ID from the existing ACL.  xfile is a human-readable
              file composed of lines similar to the ones in ifile, except
              that perm text strings are ignored.

       -x     Get ACL entries from xentries to remove from the existing ACL.
              setacl uses the specified entries to remove entries of the
              same type and ID from the existing ACL.

       -d     Set the default ACL.  Only a directory file object can have a
              default ACL.  The effect of placing a default ACL on a
              directory is that the default ACL becomes the access ACL
              (possibly modified) of all new objects created in the
              directory, and becomes the default ACL (unmodified) of any
              (sub)directory created in the directory.

              If you use both -d and -r, setacl tries to set only default
              ACLs on directory file objects.

       -k     Remove all entries from the existing default ACL.  If you use
              -k but omit -d, all other options apply to the access ACL.

       -b     Remove all but the mandatory base entries from the existing
              ACL.  If there is a mask entry, then the new owning group
              permission is the intersection of the existing owning group
              permission and the mask entry permission.  The -b option is
              ignored if -k and -d are also present.

              The mandatory base entries are:
                     the owning user entry
                     the owning group entry
                     the other entry

       -c     Recalculate the mask entry as follows: The existing mask entry
              is removed.  The new mask entry is computed as the bitwise OR
              of all remaining entries--other than the owning user entry and
              the other entry.  In other words, if any of these entries has
              the r, w, or x access permission, then the new mask entry will
              also have that access permission.  The -c option cannot be
              used with -n.

       -p     Purge the existing ACL of user and group entry permissions not
              allowed by the mask before applying changes specified by
              options -U, -u, -X or -x.  The -p option is overridden by -I
              or -i.

       -n     Do not perform the mask calculation.  The -n option cannot be
              used with -c.

       The options are executed in the following order:

         1.   -b, -i or -I, and -p.

         2.   All -u, -U, -x and -X options in the order specified on the
              command line.

         3.   -c or -n.
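       The following Python model of the entry syntax and of the -i, -u, -x
       and -c operations is added here as an illustration; it is not DG/UX
       code.  It works on constructed entries (the names joe, bob and moe are
       the ones used in EXAMPLES below) and leaves out the default-ACL, -b,
       -p and -n behaviour.

```python
import re

PERM_RE = re.compile(r"^[r-][w-][x-]$")   # perm is exactly three chars, '-' marks absence
KINDS = {"u": "user", "user": "user", "g": "group", "group": "group",
         "o": "other", "other": "other", "mask": "mask"}

def parse_entries(text):
    # -i/-u/-x string form: comma-separated entries, no white space, no comments.
    # 'u:joe:rwx' -> ('user', 'joe', 'rwx'); an -x entry such as 'u:joe' has no perm
    # field, so perm becomes None (setacl ignores perm strings on -x anyway).
    acl = []
    for item in text.split(","):
        parts = item.strip().split(":")
        if parts[0] not in KINDS or len(parts) > 3:
            raise ValueError("bad ACL entry: %r" % item)
        kind, ident = KINDS[parts[0]], parts[1] if len(parts) > 1 else ""
        perm = parts[2] if len(parts) == 3 else None
        if (kind in ("other", "mask") and ident) or (perm and not PERM_RE.match(perm)):
            raise ValueError("bad id or perm in %r" % item)
        acl.append((kind, ident, perm))
    return acl

def update(acl, entries):
    # -u/-U: an update entry replaces the existing entry of the same type and
    # ID (keeping its position); if there is none it is appended.
    merged = {e[:2]: e for e in acl}
    merged.update((e[:2], e) for e in entries)
    return list(merged.values())

def remove(acl, entries):
    # -x/-X: drop entries of the same type and ID; perm strings are ignored.
    keys = {e[:2] for e in entries}
    return [e for e in acl if e[:2] not in keys]

def recalc_mask(acl):
    # -c: remove the old mask, then OR together every remaining entry except the
    # owning user entry (user::) and the other entry to form the new mask.
    rest = [e for e in acl if e[0] != "mask"]
    bits = [False] * 3
    for kind, ident, perm in rest:
        if kind != "other" and (kind, ident) != ("user", ""):
            bits = [b or c != "-" for b, c in zip(bits, perm)]
    return rest + [("mask", "", "".join(c if b else "-" for b, c in zip(bits, "rwx")))]

def validate(acl):
    # the resulting ACL must carry user::, group:: and other:: exactly once and
    # may not contain duplicate type+ID pairs.
    keys = [e[:2] for e in acl]
    if len(keys) != len(set(keys)):
        raise ValueError("duplicate ACL entry")
    if any((k, "") not in keys for k in ("user", "group", "other")):
        raise ValueError("missing mandatory base entry")
    return True
```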

EXAMPLES
       setacl -I my.acl a b c

       setacl -i u::rwx,g::r-x,o::---,u:joe:rwx,u:bob:--- file2

       setacl -u user:moe:--- a b c

       setacl -x u:joe,u:bob file4

DIAGNOSTICS
       The setacl command writes all diagnostic messages to stderr.  The
       setacl command exits with one of the following values:

          0   Executed correctly and set the ACLs of all the objects.

          1   ACLs are not supported on this system.

          2   Could not set the ACL of at least one object.

          3   Usage is incorrect.

SEE ALSO
       getacl(1), ls(1), dgsetoacl(2), acllibrary(3).


Licensed material--property of copyright holder(s)

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026