openafs/doc/html/AdminReference/auarf157.htm

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 4//EN">
<HTML><HEAD>
<TITLE>Administration Reference</TITLE>
<!-- Begin Header Records  ========================================== -->
<!-- /tmp/idwt3672/auarf000.scr converted by idb2h R4.2 (359) ID      -->
<!-- Workbench Version (AIX) on 3 Oct 2000 at 16:18:30                -->
<META HTTP-EQUIV="updated" CONTENT="Tue, 03 Oct 2000 16:18:29">
<META HTTP-EQUIV="review" CONTENT="Wed, 03 Oct 2001 16:18:29">
<META HTTP-EQUIV="expires" CONTENT="Thu, 03 Oct 2002 16:18:29">
</HEAD><BODY>
<!-- (C) IBM Corporation 2000. All Rights Reserved    --> 
<BODY bgcolor="ffffff"> 
<!-- End Header Records  ============================================ -->
<A NAME="Top_Of_Page"></A>
<H1>Administration Reference</H1>
<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auarf002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auarf156.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Bot_Of_Page"><IMG SRC="../bot.gif" BORDER="0" ALT="[Bottom of Topic]"></A> <A HREF="auarf158.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auarf284.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P> 
<P>
<H2><A NAME="HDRFS_SETACL" HREF="auarf002.htm#ToC_171">fs setacl</A></H2>
<A NAME="IDX4924"></A>
<A NAME="IDX4925"></A>
<A NAME="IDX4926"></A>
<A NAME="IDX4927"></A>
<A NAME="IDX4928"></A>
<A NAME="IDX4929"></A>
<A NAME="IDX4930"></A>
<A NAME="IDX4931"></A>
<A NAME="IDX4932"></A>
<A NAME="IDX4933"></A>
<A NAME="IDX4934"></A>
<A NAME="IDX4935"></A>
<A NAME="IDX4936"></A>
<P><STRONG>Purpose</STRONG>
<P>Sets the ACL for a directory
<P><STRONG>Synopsis</STRONG>
<PRE><B>fs setacl -dir</B> &lt;<VAR>directory</VAR>><SUP>+</SUP>  <B>-acl</B> &lt;<VAR>access&nbsp;list&nbsp;entries</VAR>><SUP>+</SUP>  
          [<B>-clear</B>]  [<B>-negative</B>]  [<B>-id</B>]  [<B>-if</B>]  [<B>-help</B>]
    
<B>fs sa -d</B> &lt;<VAR>directory</VAR>><SUP>+</SUP>  <B>-a</B> &lt;<VAR>access&nbsp;list&nbsp;entries</VAR>><SUP>+</SUP>  
      [<B>-c</B>]  [<B>-n</B>]  [<B>-id</B>]  [<B>-if</B>]  [<B>-h</B>] 
      
<B>fs seta -d</B> &lt;<VAR>directory</VAR>><SUP>+</SUP>  <B>-a</B> &lt;<VAR>access&nbsp;list&nbsp;entries</VAR>><SUP>+</SUP>  
        [<B>-c</B>]  [<B>-n</B>]  [<B>-id</B>]  [<B>-if</B>]  [<B>-h</B>]
</PRE>
<P><STRONG>Description</STRONG>
<P>The <B>fs setacl</B> command adds the access control list (ACL) entries
specified with the <B>-acl</B> argument to the ACL of each directory named
by the <B>-dir</B> argument.
<P>If the <B>-dir</B> argument designates a pathname in DFS filespace
(accessed via the AFS/DFS Migration Toolkit Protocol Translator), it can be a
file as well as a directory. The ACL must already include an entry for
<B>mask_obj</B>, however. For more details, refer to the <I>IBM
AFS/DFS Migration Toolkit Administration Guide and Reference</I>.
<P>Only user and group entries are acceptable values for the <B>-acl</B>
argument. Do not place machine entries (IP addresses) directly on an
ACL; instead, make the machine entry a group member and place the group
on the ACL.
<P>To completely erase the existing ACL before adding the new entries, provide
the <B>-clear</B> flag. To add the specified entries to the
<TT>Negative</TT> <TT>rights</TT> section of the ACL (deny rights to
specified users or groups), provide the <B>-negative</B> flag.
<P>To display an ACL, use the <B>fs listacl</B> command. To copy an
ACL from one directory to another, use the <B>fs copyacl</B>
command.
<P><STRONG>Cautions</STRONG>
<P>If the ACL already grants certain permissions to a user or group, the
permissions specified with the <B>fs setacl</B> command replace the
existing permissions, rather than being added to them.
<P>Setting negative permissions is generally unnecessary and not
recommended. Simply omitting a user or group from the <TT>Normal</TT>
<TT>rights</TT> section of the ACL is normally adequate to prevent
access. In particular, note that it is futile to deny permissions that
are granted to members of the <B>system:anyuser</B> group on the
same ACL; the user needs only to issue the <B>unlog</B> command to
receive the denied permissions.
<P>When including the <B>-clear</B> option, be sure to reinstate an entry
for each directory's owner that includes at least the <B>l</B>
(<B>lookup</B>) permission. Without that permission, it is
impossible to resolve the "dot" ( . ) and "dot dot" ( . .
) shorthand from within the directory. (The directory's owner does
implicitly have the <B>a</B> [<B>administer</B>] permission even on a
cleared ACL, but must know to use it to add other permissions.)
<P><STRONG>Options</STRONG>
<DL>
<P><DT><B>-dir
</B><DD>Names each AFS directory, or DFS directory or file, for which the set the
ACL. Partial pathnames are interpreted relative to the current working
directory.
<P>Specify the read/write path to each directory (or DFS file), to avoid the
failure that results from attempting to change a read-only volume. By
convention, the read/write path is indicated by placing a period before the
cell name at the pathname's second level (for example,
<B>/afs/.abc.com</B>). For further discussion of the
concept of read/write and read-only paths through the filespace, see the
<B>fs mkmount</B> reference page.
<P><DT><B>-acl
</B><DD>Defines a list of one or more ACL entries, each a pair that names 
<UL>
<P><LI>A user name or group name as listed in the Protection Database
<P><LI>One or more ACL permissions, indicated either by combining the individual
letters or by one of the four acceptable shorthand words
</UL>
<P>
<P>in that order, separated by a space (thus every instance of this argument
has two parts). The accepted AFS abbreviations and shorthand words, and
the meaning of each, are as follows: 
<DL>
<P><DT><B>a
</B><DD>(<B>administer</B>): change the entries on the ACL
<P><DT><B>d
</B><DD>(<B>delete</B>): remove files and subdirectories from the
directory or move them to other directories
<P><DT><B>i
</B><DD>(<B>insert</B>): add files or subdirectories to the directory by
copying, moving or creating
<P><DT><B>k
</B><DD>(<B>lock</B>): set read locks or write locks on the files in the
directory
<P><DT><B>l
</B><DD>(<B>lookup</B>): list the files and subdirectories in the
directory, stat the directory itself, and issue the <B>fs listacl</B>
command to examine the directory's ACL
<P><DT><B>r
</B><DD>(<B>read</B>): read the contents of files in the directory;
issue the <B>ls -l</B> command to stat the elements in the directory
<P><DT><B>w
</B><DD>(<B>write</B>): modify the contents of files in the directory,
and issue the UNIX <B>chmod</B> command to change their mode bits
<P><DT><B>A, B, C, D, E, F, G, H
</B><DD>Have no default meaning to the AFS server processes, but are made
available for applications to use in controlling access to the
directory's contents in additional ways. The letters must be
uppercase.
<P><DT><B>all
</B><DD>Equals all seven permissions (<B>rlidwka</B>).
<A NAME="IDX4937"></A>
<A NAME="IDX4938"></A>
<A NAME="IDX4939"></A>
<A NAME="IDX4940"></A>
<P><DT><B>none
</B><DD>No permissions. Removes the user/group from the ACL, but does not
guarantee they have no permissions if they belong to groups that remain on the
ACL.
<A NAME="IDX4941"></A>
<A NAME="IDX4942"></A>
<P><DT><B>read
</B><DD>Equals the <B>r</B> (<B>read</B>) and <B>l</B>
(<B>lookup</B>) permissions.
<A NAME="IDX4943"></A>
<A NAME="IDX4944"></A>
<P><DT><B>write
</B><DD>Equals all permissions except <B>a</B> (<B>administer</B>), that
is, <B>rlidwk</B>.
<A NAME="IDX4945"></A>
<A NAME="IDX4946"></A>
</DL>
<P>
<P>It is acceptable to mix entries that combine the individual letters with
entries that use the shorthand words, but not use both types of notation
within an individual pairing of user or group and permissions. 
<P>To learn the proper format and acceptable values for DFS ACL entries, see
the <I>IBM AFS/DFS Migration Toolkit Administration Guide and
Reference</I>.
<P><DT><B>-clear
</B><DD>Removes all existing entries on each ACL before adding the entries
specified with the <B>-acl</B> argument.
<P><DT><B>-negative
</B><DD>Places the specified ACL entries in the <TT>Negative</TT>
<TT>rights</TT> section of each ACL, explicitly denying the rights to the
user or group, even if entries on the accompanying <TT>Normal</TT>
<TT>rights</TT> section of the ACL grant them permissions.
<P>This argument is not supported for DFS files or directories, because DFS
does not implement negative ACL permissions.
<P><DT><B>-id
</B><DD>Places the ACL entries on the Initial Container ACL of each DFS directory,
which are the only file system objects for which this flag is
supported.
<P><DT><B>-if
</B><DD>Places the ACL entries on the Initial Object ACL of each DFS directory,
which are the only file system objects for which this flag is
supported.
<P><DT><B>-help
</B><DD>Prints the online help for this command. All other valid options
are ignored.
</DL>
<P><STRONG>Examples</STRONG>
<P>The following example adds two entries to the <TT>Normal rights</TT>
section of the current working directory's ACL: the first entry
grants <B>r</B> (<B>read</B>) and <B>l</B> (<B>lookup</B>)
permissions to the group <B>pat:friends</B>, while the other (using
the <B>write</B> shorthand) gives all permissions except <B>a</B>
(<B>administer</B>) to the user <B>smith</B>.
<PRE>   % <B>fs setacl -dir . -acl pat:friends rl smith write</B>
   
   % <B>fs listacl -path </B>.
   Access list for . is
   Normal rights:
      pat:friends rl
      smith rlidwk
   
</PRE>
<P>The following example includes the <B>-clear</B> flag, which removes
the existing permissions (as displayed with the <B>fs listacl</B> command)
from the current working directory's <B>reports</B> subdirectory and
replaces them with a new set.
<PRE>   % <B>fs listacl -dir reports</B>
   Access list for reports is
   Normal rights:
      system:authuser rl
      pat:friends rlid
      smith rlidwk
      pat rlidwka
   Negative rights:
      terry rl
   
   % <B>fs setacl -clear -dir reports -acl pat all smith write system:anyuser rl</B>
   
   % <B>fs listacl -dir reports</B>
   Access list for reports is
   Normal rights:
      system:anyuser rl
      smith rlidwk
      pat rlidwka
   
</PRE>
<P>The following example use the <B>-dir</B> and <B>-acl</B> switches
because it sets the ACL for more than one directory (both the current working
directory and its <B>public</B> subdirectory).
<PRE>   % <B>fs setacl -dir . public -acl pat:friends rli</B>
      
   % <B>fs listacl -path . public</B>
   Access list for . is
   Normal rights:
      pat rlidwka
      pat:friends rli
   Access list for public is
   Normal rights:
      pat rlidwka
      pat:friends rli
   
</PRE>
<P><STRONG>Privilege Required</STRONG>
<P>The issuer must have the <B>a</B> (<B>administer</B>) permission on
the directory's ACL; the directory's owner and the members of
the <B>system:administrators</B> group have the right implicitly,
even if it does not appear on the ACL.
<P><STRONG>Related Information</STRONG>
<P><A HREF="auarf136.htm#HDRFS_COPYACL">fs copyacl</A>
<P><A HREF="auarf148.htm#HDRFS_LISTACL">fs listacl</A>
<P><A HREF="auarf153.htm#HDRFS_MKMOUNT">fs mkmount</A>
<P><I>IBM AFS/DFS Migration Toolkit Administration Guide and Reference</I>
<P>
<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auarf002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auarf156.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Top_Of_Page"><IMG SRC="../top.gif" BORDER="0" ALT="[Top of Topic]"></A> <A HREF="auarf158.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auarf284.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P> 
<!-- Begin Footer Records  ========================================== -->
<P><HR><B> 
<br>&#169; <A HREF="http://www.ibm.com/">IBM Corporation 2000.</A>  All Rights Reserved 
</B> 
<!-- End Footer Records  ============================================ -->
<A NAME="Bot_Of_Page"></A>
</BODY></HTML>