Changing an ACL

To add, remove, or edit ACL entries, use the fs setacl command. By default, the command manipulates entries on the normal permissions section of the ACL. To manipulate entries on the negative permissions section, include the -negative flag as instructed in To Add, Remove, or Edit Negative ACL Permissions.

You can change any ACL on which you already have the a permission. You always have the a permission on the ACL of every directory that you own, even if you accidentally remove that permission from the ACL. (The ls -ld command reports a directory's owner.) Your system administrator normally designates you as the owner of your home directory and its subdirectories, and you possibly own other directories also.

If an ACL entry already exists for the user or group you specify, then the new permissions completely replace the existing permissions rather than being added to them. In other words, when issuing the fs setacl command, you must include all permissions that you want to grant to a user or group.

Note for AFS/DFS Migration Toolkit users: If the machine on which you issue the fs setacl command is configured to access a DCE cell's DFS filespace via the AFS/DFS Migration Toolkit, you can use the command to set the ACL on DFS files and directories. To set a DFS directory's Initial Container or Initial Object ACL instead of the regular one, include the fs setacl command's -id or -if flag. For more information, ask your system administrator. The fs command interpreter ignores the -id and -if flags if you include them when setting an AFS ACL.

To Add, Remove, or Edit Normal ACL Permissions

Issue the fs setacl command to edit entries in the normal permissions section of the ACL. To remove an entry, specify the none shorthand as the permissions. If an ACL entry already exists for a user or group, the permissions you specify completely replace those in the existing entry.

   % fs setacl  -dir <directory>+ -acl <access list entries>+

where

sa

Is an acceptable alias for setacl (and seta is the shortest acceptable abbreviation).

-dir

Names one or more directories to which to apply the ACL entries defined by the -acl argument. Partial pathnames are interpreted relative to the current working directory. You can also use the following notation on its own or as part of a pathname:

.

(A single period). If used by itself, sets the ACL on the current working directory.

..

(Two periods). If used by itself, sets the ACL on the current working directory's parent directory.

*

(The asterisk). Sets the ACL on each of the subdirectories in the current working directory. You must precede it with the -dir switch, since it potentially designates multiple directories. The fs command interpreter generates the following error message for each file in the directory:

   fs: 'filename': Not a directory

If you specify only one directory (or file) name, you can omit the -dir and -acl switches. For more on omitting switches, see Appendix B, OpenAFS Command Syntax and Online Help.

-acl

Specifies one or more ACL entries, each of which pairs a user or group name and a set of permissions. Separate the pairs, and the two parts of each pair, with one or more spaces.

To define the permissions, provide either:

  • One or more of the letters that represent the standard or auxiliary permissions (rlidwka and ABCDEFGH), in any order

  • One of the four shorthand notations:

    • all (equals rlidwka)

    • none (removes the entry)

    • read (equals rl)

    • write (equals rlidwk)

On a single command line, you can combine user and group entries. Also, you can both combine individual letters and use the shorthand notations, but not within a single pair.

Example: Adding a Single ACL Entry

Either of the following example commands grants user pat the r and l permissions on the ACL of the notes subdirectory of the current working directory. They illustrate how it is possible to omit the -dir and -acl switches when you name only one directory.

   % fs sa notes pat rl
   % fs sa notes pat read

Example: Setting Several ACL Entries on One Directory

The following example edits the ACL for the current working directory. It removes the entry for the system:anyuser group, and adds two entries: one grants all permissions except a to the members of the terry:colleagues group and the other grants the r and l permissions to the system:authuser group.

   % fs sa  -dir . -acl  system:anyuser none  terry:colleagues write  \
            system:authuser rl

To Add, Remove, or Edit Negative ACL Permissions

Issue the fs setacl command with the -negative flag to edit entries in the negative permissions section of the ACL. To remove an entry, specify the none shorthand as the permissions. If an ACL entry already exists for a user or group, the permissions you specify completely replace those in the existing entry.

   % fs setacl  -dir <directory>+ -acl <access list entries>+  -negative

where

sa

Is an acceptable alias for setacl (and seta is the shortest acceptable abbreviation).

-dir

Names one or more directories to which to apply the negative ACL entries defined by the -acl argument. For a detailed description of acceptable values, see To Add, Remove, or Edit Normal ACL Permissions.

-acl

Specifies one or more ACL entries, each of which pairs a user or group name and a set of permissions. Separate the pairs, and the two parts of each pair, with one or more spaces. For a detailed description of acceptable values, see To Add, Remove, or Edit Normal ACL Permissions. Keep in mind that the usual meaning of each permission is reversed.

-negative

Places the entries defined by the -acl argument on the negative permissions section of the ACL for each directory named by the -dir argument.

Example: Setting an Entry in the Negative Permissions Section

User terry has granted all access permissions except a to the group terry:team on her plans subdirectory.

   % cd /afs/example.com/usr/terry
   % fs listacl plans
   Access control list for plans is
   Normal rights:
      system:anyuser rl
      terry:team rlidwk
      terry  rlidwka

However, terry notices that one of the members of the group, user pat, has been making inappropriate changes to files. To prevent this without removing pat from the group or changing the permissions for the terry:team group, terry creates an entry on the negative permissions section of the ACL that denies the w and d permissions to pat:

   % fs setacl plans pat wd -negative
   % fs listacl plans
   Access control list for plans is
   Normal rights:
      system:anyuser rl
      terry:team rlidwk
   terry  rlidwka
   Negative rights:
      pat wd

Example: Restoring Access by Removing an Entry from the Negative Permissions Section

In the previous example, user terry put pat on the negative permissions section of the ACL for the plans subdirectory. But the result has been inconvenient and pat has promised not to change files any more. To enable pat to exercise all permissions granted to the members of the terry:team group, terry removes the entry for pat from the negative permissions section of the ACL.

   % fs setacl plans pat none -negative
   % fs listacl plans
   Access control list for plans is
   Normal rights:
      system:anyuser rl
      terry:team rlidwk
      terry  rlidwka