Administration Reference

fs copyacl

Purpose

Copies an ACL from one directory to one or more other directories

Synopsis

fs copyacl -fromdir <source directory (or DFS file)>  
           -todir <destination directory (or DFS file)>+  
           [-clear]  [-id]  [-if]  [-help]
   
fs co -f <source directory (or DFS file)>  
      -t <destination directory (or DFS file)>+  
      [-c]  [-id]  [-if]  [-h]

Description

The fs copyacl command copies the access control list (ACL) from a source directory to each specified destination directory. The source directory's ACL is unchanged, and changes to the destination directory's ACL obey the following rules:

• If an entry on the source ACL does not already exist on the destination ACL, it is added.

• If an entry exists on both the source and destination ACLs, the permissions from the source ACL entry replace the current permissions on the destination ACL entry.

• If an entry on the destination ACL has no corresponding entry on the source ACL, it is removed if the -clear flag is included and is unchanged otherwise. In other words, if the -clear flag is provided, the source ACL completely replaces the destination ACL.

When using this command to copy ACLs between objects in DFS filespace accessed via the AFS/DFS Migration Toolkit Protocol Translator, it is possible to specify files, as well as directories, with the -fromdir and -todir arguments. For more information on copying ACLs between DFS directories and files, refer to the IBM AFS/DFS Migration Toolkit Administration Guide and Reference.

Cautions

Do not copy ACLs between AFS and DFS files or directories. The ACL formats are incompatible.

Options

-fromdir

Specifies the source directory from which to copy the ACL. (Specifying an AFS file copies its directory's ACL, but specifying a DFS file copies its own ACL). A partial pathname is interpreted relative to the current working directory.

-todir

Specifies each directory for which to alter the ACL to match the source ACL. (Specifying an AFS file halts the command with an error, but specifying a DFS file alters the file's ACL). A partial pathname is interpreted relative to the current working directory.

Specify the read/write path to each directory (or DFS file), to avoid the failure that results from attempting to change a read-only volume. By convention, the read/write path is indicated by placing a period before the cell name at the pathname's second level (for example, /afs/.abc.com). For further discussion of the concept of read/write and read-only paths through the filespace, see the fs mkmount reference page.

-clear

Replaces the ACL of each destination directory with the source ACL.

-id

Modifies the Initial Container ACL of each DFS directory named by the -todir argument, rather than the regular Object ACL. This argument is supported only when both the source and each destination directory reside in DFS and are accessed via the AFS/DFS Migration Toolkit Protocol Translator.

-if

Modifies the Initial Object ACL of each DFS directory named by the -todir argument, rather than the regular Object ACL. This argument is supported only when both the source and each destination directory reside in DFS and are accessed via the AFS/DFS Migration Toolkit Protocol Translator.

-help

Prints the online help for this command. All other valid options are ignored.

Examples

The following example command copies the current working directory's ACL to its subdirectory called reports. Note that the source directory's ACL is unaffected. Entries on the reports directory's that are not on the source ACL of the current directory remain unaffected as well, because the -clear flag is not used.

   % fs listacl . reports
   Access list for . is
   Normal rights:
      pat rlidwka
      smith rlidwk
   Access list for reports is
   Normal rights:
      pat rl
      pat:friends rl
   Negative rights
      jones rlidwka
   
   % fs copyacl -fromdir . -todir reports
   
   % fs listacl . reports
   Access list for . is
   Normal rights:
      pat rlidwka
      smith rlidwk
   Access list for reports is
   Normal rights:
      pat rlidwka
      pat:friends rl
      smith rlidwk
   Negative rights
      jones rlidwka
   

Privilege Required

To copy an ACL between AFS objects, the issuer must have the l (lookup)) permission on the source directory's ACL and the a (administer) permission on each destination directory's ACL. If the -fromdir argument names a file rather than a directory, the issuer must have both the l and r (read) permissions on the ACL of the file's directory.

To copy an ACL between DFS objects, the issuer must have the r permission on the source directory or file's ACL and the c (control) permission on each destination directory or file's ACL.

Related Information

fs listacl

fs mkmount

fs setacl

IBM AFS/DFS Migration Toolkit Administration Guide and Reference