Purpose
Remove obsolete entries from an ACL
Synopsis
fs cleanacl [-path <dir/file path>+] [-help]

fs cl [-p <dir/file path>+] [-h]
Description
The fs cleanacl command removes from the access control list (ACL) of each specified directory or file any entry that refers to a user or group that no longer has a Protection Database entry. Such an entry appears on the ACL as a bare AFS ID number (a positive UID for a user, a negative ID for a group) rather than a name, because without a Protection Database entry the File Server cannot translate the ID into a name.
Cleaning ACLs in this way not only keeps them from becoming cluttered with irrelevant entries, but also closes an access-control hole: if an AFS UID is later reassigned, its new possessor would otherwise inherit every permission the ACL still grants to that UID, including access intended only for the former possessor. (Recycling AFS UIDs is not recommended in any case, for exactly this reason.)
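The following shell function is an added example, not part of the original reference page or of the OpenAFS distribution. It shows how to audit an ACL listing for the orphaned entries described above before running fs cleanacl: it parses the output format of fs listacl (the "Normal rights:" and "Negative rights:" sections) and reports every entry whose principal is a bare numeric AFS ID. The listing below is constructed so the example runs without an AFS client; in practice you would pipe `fs listacl <dir>` into orphaned_entries.

```shell
#!/bin/sh
# Added example (not from the fs cleanacl reference page): find ACL entries
# whose principal is a bare AFS ID, i.e. a user or group that no longer has
# a Protection Database entry. Input is "fs listacl" output on stdin.

# Print "<section> <id> <rights>" for each entry whose principal is numeric.
# Positive IDs are deleted users, negative IDs are deleted groups.
orphaned_entries() {
    awk '
        /^Access list for/  { next }
        /^Normal rights:/   { section = "normal";   next }
        /^Negative rights:/ { section = "negative"; next }
        NF == 2 && $1 ~ /^-?[0-9]+$/ { print section, $1, $2 }
    '
}

# Constructed sample of what "fs listacl ./sources" might print when one
# user entry and one group entry refer to principals that no longer exist.
SAMPLE_LISTACL='Access list for ./sources is
Normal rights:
  system:authuser rl
  pat rlidwka
  1027 rlidwka
Negative rights:
  -210 rl'

# Number of orphaned entries in the sample listing.
count_orphaned() {
    printf '%s\n' "$SAMPLE_LISTACL" | orphaned_entries | wc -l | tr -d ' '
}

# First orphaned entry in the sample listing.
first_orphaned() {
    printf '%s\n' "$SAMPLE_LISTACL" | orphaned_entries | head -n 1
}

count_orphaned
first_orphaned
```

A directory that the audit flags is a candidate for `fs cleanacl -path <dir>`. Note that cleaning removes stale entries from both sections: a numeric entry under "Negative rights:" is a denial that would otherwise attach to whoever next receives that AFS ID, so dropping it is the correct outcome, but if the denial is still wanted it must be re-created against an existing principal.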
Options
-path <dir/file path>+
Names each directory or file whose ACL is to be cleaned. For a file, the ACL cleaned is that of the file's parent directory, since in AFS access is controlled by the directory's ACL. Specify the read/write path to each directory, to avoid the failure that results from attempting to change a read-only volume. By convention, the read/write path is indicated by placing a period before the cell name at the pathname's second level (for example, /afs/.abc.com). For further discussion of the concept of read/write and read-only paths through the filespace, see the fs mkmount reference page.
-help
Prints the online help for this command. All other valid options are ignored.
Output
If there are no obsolete entries on the ACL, the following message appears:
Access list for dir/file path is fine.
Otherwise, the output reports the resulting state of the ACL, following the header
Access list for dir/file path is now
At the same time, the following error message appears for each file in the cleaned directories:
fs: 'filename': Not a directory
Examples
The following example illustrates the cleaning of the ACLs on the current working directory and two of its subdirectories. Only the second subdirectory had obsolete entries on it.
% fs cleanacl -path . ./reports ./sources
Access list for . is fine.
Access list for ./reports is fine.
Access list for ./sources is now
Normal rights:
  system:authuser rl
  pat rlidwka
Privilege Required
The issuer must have the a (administer) permission on each directory's ACL (or the ACL of each file's parent directory); the directory's owner and the members of the system:administrators group have the right implicitly, even if it does not appear on the ACL.
Related Information