[hcoop/debian/openafs.git] / doc / man-pages / pod1 / fs_cleanacl.pod

=head1 NAME

fs_cleanacl - Remove obsolete entries from an ACL

=head1 SYNOPSIS

=for html
<div class="synopsis">

B<fs cleanacl> S<<< [B<-path> <I<dir/file path>>+] >>> [B<-help>]

B<fs cl> S<<< [B<-p> <I<dir/file path>>+] >>> [B<-h>]

=for html
</div>

=head1 DESCRIPTION

The B<fs cleanacl> command removes from the access control list (ACL) of
each specified directory or file any entry that refers to a user or group
that no longer has a Protection Database entry. Such an entry appears on
the ACL as an AFS user ID number (UID) rather than a name, because without
a Protection Database entry, the File Server cannot translate the UID into
a name.

Cleaning access control lists in this way not only keeps them from
becoming crowded with irrelevant information, but also prevents the new
possessor of a recycled AFS UID from obtaining access intended for the
former possessor of the AFS UID. (Note that recycling UIDs is not
recommended in any case.)

=head1 OPTIONS

=over 4

=item B<-path> <I<dir/file path>>+

Names each directory for which to clean the ACL (specifying a filename
cleans its directory's ACL). If this argument is omitted, the current
working directory's ACL is cleaned.

Specify the read/write path to each directory, to avoid the failure that
results from attempting to change a read-only volume. By convention, the
read/write path is indicated by placing a period before the cell name at
the pathname's second level (for example, F</afs/.example.com>). For further
discussion of the concept of read/write and read-only paths through the
filespace, see the B<fs mkmount> reference page.

=item B<-help>

Prints the online help for this command. All other valid options are
ignored.

=back

=head1 OUTPUT

If there are no obsolete entries on the ACL, the following message
appears:

   Access list for <path> is fine.

Otherwise, the output reports the resulting state of the ACL, following the
header

   Access list for <path> is now

At the same time, the following error message appears for each file in the
cleaned directories:

   fs: '<filename>': Not a directory

=head1 EXAMPLES

The following example illustrates the cleaning of the ACLs on the current
working directory and two of its subdirectories. Only the second
subdirectory had obsolete entries on it.

   % fs cleanacl -path . ./reports ./sources
   Access list for . is fine.
   Access list for ./reports is fine.
   Access list for ./sources is now
   Normal rights:
      system:authuser rl
      pat rlidwka

=head1 PRIVILEGE REQUIRED

The issuer must have the C<a> (administer) permission on each directory's
ACL (or the ACL of each file's parent directory); the directory's owner
and the members of the system:administrators group have the right
implicitly, even if it does not appear on the ACL.

=head1 SEE ALSO

L<fs_listacl(1)>,
L<fs_mkmount(1)>

=head1 COPYRIGHT

IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

This documentation is covered by the IBM Public License Version 1.0.  It was
converted from HTML to POD by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.
Commit	Line	Data
805e021f CE	1	=head1 NAME
	2
	3	fs_cleanacl - Remove obsolete entries from an ACL
	4
	5	=head1 SYNOPSIS
	6
	7	=for html
	8	<div class="synopsis">
	9
	10	B<fs cleanacl> S<<< [B<-path> <I<dir/file path>>+] >>> [B<-help>]
	11
	12	B<fs cl> S<<< [B<-p> <I<dir/file path>>+] >>> [B<-h>]
	13
	14	=for html
	15	</div>
	16
	17	=head1 DESCRIPTION
	18
	19	The B<fs cleanacl> command removes from the access control list (ACL) of
	20	each specified directory or file any entry that refers to a user or group
	21	that no longer has a Protection Database entry. Such an entry appears on
	22	the ACL as an AFS user ID number (UID) rather than a name, because without
	23	a Protection Database entry, the File Server cannot translate the UID into
	24	a name.
	25
	26	Cleaning access control lists in this way not only keeps them from
	27	becoming crowded with irrelevant information, but also prevents the new
	28	possessor of a recycled AFS UID from obtaining access intended for the
	29	former possessor of the AFS UID. (Note that recycling UIDs is not
	30	recommended in any case.)
	31
	32	=head1 OPTIONS
	33
	34	=over 4
	35
	36	=item B<-path> <I<dir/file path>>+
	37
	38	Names each directory for which to clean the ACL (specifying a filename
	39	cleans its directory's ACL). If this argument is omitted, the current
	40	working directory's ACL is cleaned.
	41
	42	Specify the read/write path to each directory, to avoid the failure that
	43	results from attempting to change a read-only volume. By convention, the
	44	read/write path is indicated by placing a period before the cell name at
	45	the pathname's second level (for example, F</afs/.example.com>). For further
	46	discussion of the concept of read/write and read-only paths through the
	47	filespace, see the B<fs mkmount> reference page.
	48
	49	=item B<-help>
	50
	51	Prints the online help for this command. All other valid options are
	52	ignored.
	53
	54	=back
	55
	56	=head1 OUTPUT
	57
	58	If there are no obsolete entries on the ACL, the following message
	59	appears:
	60
	61	Access list for <path> is fine.
	62
	63	Otherwise, the output reports the resulting state of the ACL, following the
	64	header
65
66	Access list for <path> is now
67
68	At the same time, the following error message appears for each file in the
69	cleaned directories:
70
71	fs: '<filename>': Not a directory
72
73	=head1 EXAMPLES
74
75	The following example illustrates the cleaning of the ACLs on the current
76	working directory and two of its subdirectories. Only the second
77	subdirectory had obsolete entries on it.
78
79	% fs cleanacl -path . ./reports ./sources
80	Access list for . is fine.
81	Access list for ./reports is fine.
82	Access list for ./sources is now
83	Normal rights:
84	system:authuser rl
85	pat rlidwka
86
87	=head1 PRIVILEGE REQUIRED
88
89	The issuer must have the C<a> (administer) permission on each directory's
90	ACL (or the ACL of each file's parent directory); the directory's owner
91	and the members of the system:administrators group have the right
92	implicitly, even if it does not appear on the ACL.
93
94	=head1 SEE ALSO
95
96	L<fs_listacl(1)>,
97	L<fs_mkmount(1)>
98
99	=head1 COPYRIGHT
100
101	IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.
102
103	This documentation is covered by the IBM Public License Version 1.0. It was
104	converted from HTML to POD by software written by Chas Williams and Russ
105	Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.