Displaying an ACL

To display the ACL associated with a file or directory, issue the fs listacl command.

Note for AFS/DFS Migration Toolkit users: If the machine on which you issue the fs listacl command is configured to access a DCE cell's DFS filespace via the AFS/DFS Migration Toolkit, you can use the command to display the ACL on DFS files and directories. To display a DFS directory's Initial Container or Initial Object ACL instead of the regular one, include the fs listacl command's -id or -if flag. For more information, ask your system administrator. The fs command interpreter ignores the -id and -if flags if you include them when displaying an AFS ACL.

To display an ACL

  1. Issue the fs listacl command.

       % fs listacl [<dir/file path>+]
    

    where

    la
        Is an acceptable alias for listacl (and lista is the shortest acceptable abbreviation).

    dir/file path
        Names one or more files or directories for which to display the ACL. For a file, the output displays the ACL on its directory. If you omit this argument, the output is for the current working directory. Partial pathnames are interpreted relative to the current working directory. You can also use the following notation on its own or as part of a pathname:

        .
            (A single period). Specifies the current working directory.

        ..
            (Two periods). Specifies the current working directory's parent directory.

        *
            (The asterisk). Specifies each file and subdirectory in the current working directory. The ACL displayed for a file is always the same as for its directory, but the ACL for each subdirectory can differ.

The output for each file or directory specified as dir/file path begins with the following header to identify it:

   Access list for dir/file path is

The Normal rights header appears on the next line, followed by lines that each pair a user or group name and a set of permissions. The permissions appear as the single letters defined in The AFS ACL Permissions, and always in the order rlidwka. If there are any negative permissions, the Negative rights header appears next, followed by pairs of negative permissions.

If the following error message appears instead of an ACL, you do not have the permissions needed to display an ACL. To specify a directory name as the dir/file path argument, you must have the l (lookup) permission on the ACL. To specify a filename, you must also have the r (read) permission on its directory's ACL.

   fs: You don't have the required access permissions on 'dir/file path'

Example: Displaying the ACL on One Directory

The following example displays the ACL on user terry's home directory in the Example Corporation cell:

   % fs la /afs/example.com/usr/terry
   Access list for /afs/example.com/usr/terry is
   Normal rights:
      system:authuser rl
      pat rlw
      terry rlidwka
   Negative rights:
      terry:other-dept rl
      jones rl

where pat, terry, and jones are individual users, system:authuser is a system group, and terry:other-dept is a group that terry owns. The list of normal permissions grants all permissions to terry, the rlw permissions to pat, and the rl permissions to the members of the system:authuser group.

The list of negative permissions denies the rl permissions to jones and the members of the terry:other-dept group. These entries effectively prevent them from accessing terry's home directory in any way; they cancel out the rl permissions extended to the system:authuser group, which is the only entry in the normal permissions section of the ACL that possibly applies to them.

Example: Displaying the ACLs on Multiple Directories

The following example illustrates how you can specify pathnames in different ways, and the appearance of the output for multiple directories. It displays the ACL for three directories: the current working directory (which is a subdirectory of user terry's home directory), the home directory for user pat, and another subdirectory of terry's home directory called plans.

   % fs listacl  .  /afs/example.com/usr/pat  ../plans
   Access list for . is
   Normal rights:
      system:anyuser rl
      pat:dept rliw
   Access list for /afs/example.com/usr/pat is
   Normal rights:
      system:anyuser rl
      pat rlidwka
      terry rliw
   Access list for ../plans is
   Normal rights:
      terry rlidwka
      pat rlidw
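
When reviewing many directories, it helps to parse this output and work out what a given user actually ends up with once negative permissions are subtracted. The following Python code is an added example, not part of the original documentation: the function names parse_listacl and effective_rights and the group memberships passed to it are assumptions, and it considers only the entries listed on the ACL.

```python
import re

ORDER = "rlidwka"  # order in which fs listacl prints permissions
HEADER = re.compile(r"^Access list for (.+) is$")

# Constructed sample: the output of the first example above.
SAMPLE = """\
Access list for /afs/example.com/usr/terry is
Normal rights:
   system:authuser rl
   pat rlw
   terry rlidwka
Negative rights:
   terry:other-dept rl
   jones rl
"""

def parse_listacl(text):
    """Return {path: {"normal": {name: rights}, "negative": {name: rights}}}."""
    acls, current, section = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = HEADER.match(line)
        if header:
            current = acls.setdefault(header.group(1), {"normal": {}, "negative": {}})
            section = None
        elif line.startswith("fs:"):
            # Permission error printed instead of an ACL: do not attach
            # the following lines to the previous directory.
            current = section = None
        elif line in ("Normal rights:", "Negative rights:"):
            section = line.split()[0].lower()
        elif current is not None and section and len(line.split()) == 2:
            name, rights = line.split()
            current[section][name] = set(rights)
    return acls

def effective_rights(acl, principals):
    """Union of matching normal rights minus union of matching negative rights."""
    granted, denied = set(), set()
    for name in principals:
        granted |= acl["normal"].get(name, set())
        denied |= acl["negative"].get(name, set())
    return "".join(p for p in ORDER if p in granted - denied)

if __name__ == "__main__":
    acl = parse_listacl(SAMPLE)["/afs/example.com/usr/terry"]
    # Assumed memberships: each user belongs to system:authuser only.
    for user in ("terry", "pat", "jones"):
        print(user, effective_rights(acl, [user, "system:authuser"]) or "(none)")
```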