Commit | Line | Data |
---|---|---|
805e021f CE |
1 | =head1 NAME |
2 | ||
3 | fs_listacl - Displays ACLs | |
4 | ||
5 | =head1 SYNOPSIS | |
6 | ||
7 | =for html | |
8 | <div class="synopsis"> | |
9 | ||
10 | B<fs listacl> S<<< [B<-path> <I<dir/file path>>+] >>> [B<-id>] [B<-if>] [B<-cmd>] [B<-help>] | |
11 | ||
12 | B<fs la> S<<< [B<-p> <I<dir/file path>>+] >>> [B<-id>] [B<-if>] [B<-cmd>] [B<-h>] | |
13 | ||
14 | B<fs lista> S<<< [B<-p> <I<dir/file path>>+] >>> [B<-id>] [B<-if>] [B<-cmd>] [B<-h>] | |
15 | ||
16 | =for html | |
17 | </div> | |
18 | ||
19 | =head1 DESCRIPTION | |
20 | ||
21 | The B<fs listacl> command displays the access control list (ACL) | |
22 | associated with each specified file, directory, or symbolic link. The | |
23 | specified element can reside in the DFS filespace if the issuer is using | |
24 | the AFS/DFS Migration Toolkit Protocol Translator to access DFS data (and | |
25 | DFS does implement per-file ACLs). To display the ACL of the current | |
26 | working directory, omit the B<-path> argument. | |
27 | ||
28 | To alter an ACL, use the B<fs setacl> command. To copy an ACL from one | |
29 | directory to another, use the B<fs copyacl> command. To remove obsolete | |
30 | entries from an ACL, use the B<fs cleanacl> command. | |
31 | ||
32 | =head1 CAUTIONS | |
33 | ||
34 | Placing a user or group on the C<Negative rights> section of the ACL does | |
35 | not guarantee denial of permissions if the C<Normal rights> section | |
36 | grants the permissions to members of the system:anyuser group. In that | |
37 | case, the user needs only to issue the B<unlog> command to obtain the | |
38 | permissions granted to the system:anyuser group. | |
39 | ||
40 | =head1 OPTIONS | |
41 | ||
42 | =over 4 | |
43 | ||
44 | =item B<-path> <I<dir/file path>>+ | |
45 | ||
46 | Names each directory or file for which to display the ACL. For AFS files, | |
47 | the output displays the ACL from the file's parent directory; DFS files do | |
48 | have their own ACL. Incomplete pathnames are interpreted relative to the | |
49 | current working directory, which is also the default value if this | |
50 | argument is omitted. | |
51 | ||
52 | =item B<-id> | |
53 | ||
54 | Displays the Initial Container ACL of each DFS directory. This argument is | |
55 | supported only on DFS directories accessed via the AFS/DFS Migration | |
56 | Toolkit Protocol Translator. | |
57 | ||
58 | =item B<-if> | |
59 | ||
60 | Displays the Initial Object ACL of each DFS directory. This argument is | |
61 | supported only on DFS directories accessed via the AFS/DFS Migration | |
62 | Toolkit Protocol Translator. | |
63 | ||
64 | =item B<-cmd> | |
65 | ||
66 | Outputs an B<fs setacl> command string that can be used to recreate | |
67 | the ACL applied to the specified file, directory or symbolic link. | |
68 | ||
69 | =item B<-help> | |
70 | ||
71 | Prints the online help for this command. All other valid options are | |
72 | ignored. | |
73 | ||
74 | =back | |
75 | ||
76 | =head1 OUTPUT | |
77 | ||
78 | The first line of the output for each file, directory, or symbolic link | |
79 | reads as follows: | |
80 | ||
81 | Access list for <directory> is | |
82 | ||
83 | If the issuer used shorthand notation in the pathname, such as the period | |
84 | (C<.>) to represent the current directory, that notation sometimes | |
85 | appears instead of the full pathname of the directory. | |
86 | ||
87 | Next, the C<Normal rights> header precedes a list of users and groups who | |
88 | are granted the indicated permissions, with one pairing of user or group | |
89 | and permissions on each line. If negative permissions have been assigned | |
90 | to any user or group, those entries follow a C<Negative rights> | |
91 | header. The format of negative entries is the same as that of entries in the | |
92 | C<Normal rights> section of the ACL, but the user or group is denied | |
93 | rather than granted the indicated permissions. | |
94 | ||
95 | AFS does not implement per-file ACLs, so for a file the command displays | |
96 | the ACL on its directory. The output for a symbolic link displays the ACL | |
97 | that applies to its target file or directory, rather than the ACL on the | |
98 | directory that houses the symbolic link. | |
99 | ||
100 | The permissions for AFS enable the possessor to perform the indicated | |
101 | action: | |
102 | ||
103 | =over 4 | |
104 | ||
105 | =item a (administer) | |
106 | ||
107 | Change the entries on the ACL. | |
108 | ||
109 | =item d (delete) | |
110 | ||
111 | Remove files and subdirectories from the directory or move them to other | |
112 | directories. | |
113 | ||
114 | =item i (insert) | |
115 | ||
116 | Add files or subdirectories to the directory by copying, moving or | |
117 | creating. | |
118 | ||
119 | =item k (lock) | |
120 | ||
121 | Set read locks or write locks on the files in the directory. | |
122 | ||
123 | =item l (lookup) | |
124 | ||
125 | List the files and subdirectories in the directory, stat the directory | |
126 | itself, and issue the B<fs listacl> command to examine the directory's | |
127 | ACL. | |
128 | ||
129 | =item r (read) | |
130 | ||
131 | Read the contents of files in the directory; issue the C<ls -l> command to | |
132 | stat the elements in the directory. | |
133 | ||
134 | =item w (write) | |
135 | ||
136 | Modify the contents of files in the directory, and issue the UNIX B<chmod> | |
137 | command to change their mode bits. | |
138 | ||
139 | =item A, B, C, D, E, F, G, H | |
140 | ||
141 | Have no default meaning to the AFS server processes, but are made | |
142 | available for applications to use in controlling access to the directory's | |
143 | contents in additional ways. The letters must be uppercase. | |
144 | ||
145 | =back | |
146 | ||
147 | For DFS files and directories, the permissions are similar, except that | |
148 | the DFS C<x> (execute) permission replaces the AFS C<l> (lookup) | |
149 | permission, DFS C<c> (control) replaces AFS C<a> (administer), and there | |
150 | is no DFS equivalent to the AFS C<k> (lock) permission. The meanings of | |
151 | the various permissions also differ slightly, and DFS does not implement | |
152 | negative permissions. For a complete description of DFS permissions, see | |
153 | the DFS documentation. | |
154 | ||
155 | =head1 EXAMPLES | |
156 | ||
157 | The following command displays the ACL on the home directory of the user | |
158 | C<pat> (the current working directory), and on its C<private> | |
159 | subdirectory. | |
160 | ||
161 | % fs listacl -path . private | |
162 | Access list for . is | |
163 | Normal rights: | |
164 | system:authuser rl | |
165 | pat rlidwka | |
166 | pat:friends rlid | |
167 | Negative rights: | |
168 | smith rlidwka | |
169 | Access list for private is | |
170 | Normal rights: | |
171 | pat rlidwka | |
172 | ||
173 | The following command generates the B<fs setacl> command required to | |
174 | recreate the ACL on the home directory of the user | |
175 | C<pat> (the current working directory), and on its C<private> | |
176 | subdirectory. | |
177 | ||
178 | % fs listacl -path . private -cmd | |
179 | fs setacl -dir . -acl system:authuser rl pat rlidwka pat:friends rlid | |
180 | fs setacl -dir . -acl smith rlidwka -negative | |
181 | fs setacl -dir private -acl pat rlidwka | |
182 | ||
183 | =head1 PRIVILEGE REQUIRED | |
184 | ||
185 | If the B<-path> argument names an AFS directory, the issuer must have the | |
186 | C<l> (lookup) permission on its ACL and the ACL for every directory that | |
187 | precedes it in the pathname. | |
188 | ||
189 | If the B<-path> argument names an AFS file, the issuer must have the C<l> | |
190 | (lookup) and C<r> (read) permissions on the ACL of the file's directory, | |
191 | and the C<l> permission on the ACL of each directory that precedes it in | |
192 | the pathname. | |
193 | ||
194 | If the B<-path> argument names a DFS directory or file, the issuer must | |
195 | have the C<x> (execute) permission on its ACL and on the ACL of each | |
196 | directory that precedes it in the pathname. | |
197 | ||
198 | =head1 SEE ALSO | |
199 | ||
200 | L<fs_cleanacl(1)>, | |
201 | L<fs_copyacl(1)>, | |
202 | L<fs_setacl(1)> | |
203 | ||
204 | =head1 COPYRIGHT | |
205 | ||
206 | IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved. | |
207 | ||
208 | This documentation is covered by the IBM Public License Version 1.0. It was | |
209 | converted from HTML to POD by software written by Chas Williams and Russ | |
210 | Allbery, based on work by Alf Wachsmann and Elizabeth Cassell. |