| 1 | =head1 NAME |
| 2 | |
| 3 | fs_listacl - Displays ACLs |
| 4 | |
| 5 | =head1 SYNOPSIS |
| 6 | |
| 7 | =for html |
| 8 | <div class="synopsis"> |
| 9 | |
| 10 | B<fs listacl> S<<< [B<-path> <I<dir/file path>>+] >>> [B<-id>] [B<-if>] [B<-cmd>] [B<-help>] |
| 11 | |
| 12 | B<fs la> S<<< [B<-p> <I<dir/file path>>+] >>> [B<-id>] [B<-if>] [B<-cmd>] [B<-h>] |
| 13 | |
| 14 | B<fs lista> S<<< [B<-p> <I<dir/file path>>+] >>> [B<-id>] [B<-if>] [B<-cmd>] [B<-h>] |
| 15 | |
| 16 | =for html |
| 17 | </div> |
| 18 | |
| 19 | =head1 DESCRIPTION |
| 20 | |
| 21 | The B<fs listacl> command displays the access control list (ACL) |
| 22 | associated with each specified file, directory, or symbolic link. The |
| 23 | specified element can reside in the DFS filespace if the issuer is using |
| 24 | the AFS/DFS Migration Toolkit Protocol Translator to access DFS data (and |
| 25 | DFS does implement per-file ACLs). To display the ACL of the current |
| 26 | working directory, omit the B<-path> argument. |
| 27 | |
| 28 | To alter an ACL, use the B<fs setacl> command. To copy an ACL from one |
| 29 | directory to another, use the B<fs copyacl> command. To remove obsolete |
| 30 | entries from an ACL, use the B<fs cleanacl> command. |
| 31 | |
| 32 | =head1 CAUTIONS |
| 33 | |
| 34 | Placing a user or group on the C<Negative rights> section of the ACL does |
| 35 | not guarantee denial of permissions if the C<Normal rights> section |
| 36 | grants the permissions to members of the system:anyuser group. In that |
| 37 | case, the user needs only to issue the B<unlog> command to obtain the |
| 38 | permissions granted to the system:anyuser group. |
| 39 | |
| 40 | =head1 OPTIONS |
| 41 | |
| 42 | =over 4 |
| 43 | |
| 44 | =item B<-path> <I<dir/file path>>+ |
| 45 | |
| 46 | Names each directory or file for which to display the ACL. For AFS files, |
| 47 | the output displays the ACL from the file's parent directory; DFS files do |
| 48 | have their own ACL. Incomplete pathnames are interpreted relative to the |
| 49 | current working directory, which is also the default value if this |
| 50 | argument is omitted. |
| 51 | |
| 52 | =item B<-id> |
| 53 | |
| 54 | Displays the Initial Container ACL of each DFS directory. This argument is |
| 55 | supported only on DFS directories accessed via the AFS/DFS Migration |
| 56 | Toolkit Protocol Translator. |
| 57 | |
| 58 | =item B<-if> |
| 59 | |
| 60 | Displays the Initial Object ACL of each DFS directory. This argument is |
| 61 | supported only on DFS directories accessed via the AFS/DFS Migration |
| 62 | Toolkit Protocol Translator. |
| 63 | |
| 64 | =item B<-cmd> |
| 65 | |
| 66 | Outputs an B<fs setacl> command string that can be used to recreate |
| 67 | the ACL applied to the specified file, directory or symbolic link. |
| 68 | |
| 69 | =item B<-help> |
| 70 | |
| 71 | Prints the online help for this command. All other valid options are |
| 72 | ignored. |
| 73 | |
| 74 | =back |
| 75 | |
| 76 | =head1 OUTPUT |
| 77 | |
| 78 | The first line of the output for each file, directory, or symbolic link |
| 79 | reads as follows: |
| 80 | |
| 81 |    Access list for <directory> is |
| 82 | |
| 83 | If the issuer used shorthand notation in the pathname, such as the period |
| 84 | (C<.>) to represent the current directory, that notation sometimes |
| 85 | appears instead of the full pathname of the directory. |
| 86 | |
| 87 | Next, the C<Normal rights> header precedes a list of users and groups who |
| 88 | are granted the indicated permissions, with one pairing of user or group |
| 89 | and permissions on each line. If negative permissions have been assigned |
| 90 | to any user or group, those entries follow a C<Negative rights> |
| 91 | header. Negative entries have the same format as entries in the |
| 92 | C<Normal rights> section of the ACL, but the user or group is denied |
| 93 | rather than granted the indicated permissions. |
| 94 | |
| 95 | AFS does not implement per-file ACLs, so for a file the command displays |
| 96 | the ACL on its directory. The output for a symbolic link displays the ACL |
| 97 | that applies to its target file or directory, rather than the ACL on the |
| 98 | directory that houses the symbolic link. |
| 99 | |
| 100 | The permissions for AFS enable the possessor to perform the indicated |
| 101 | action: |
| 102 | |
| 103 | =over 4 |
| 104 | |
| 105 | =item a (administer) |
| 106 | |
| 107 | Change the entries on the ACL. |
| 108 | |
| 109 | =item d (delete) |
| 110 | |
| 111 | Remove files and subdirectories from the directory or move them to other |
| 112 | directories. |
| 113 | |
| 114 | =item i (insert) |
| 115 | |
| 116 | Add files or subdirectories to the directory by copying, moving or |
| 117 | creating. |
| 118 | |
| 119 | =item k (lock) |
| 120 | |
| 121 | Set read locks or write locks on the files in the directory. |
| 122 | |
| 123 | =item l (lookup) |
| 124 | |
| 125 | List the files and subdirectories in the directory, stat the directory |
| 126 | itself, and issue the B<fs listacl> command to examine the directory's |
| 127 | ACL. |
| 128 | |
| 129 | =item r (read) |
| 130 | |
| 131 | Read the contents of files in the directory; issue the C<ls -l> command to |
| 132 | stat the elements in the directory. |
| 133 | |
| 134 | =item w (write) |
| 135 | |
| 136 | Modify the contents of files in the directory, and issue the UNIX B<chmod> |
| 137 | command to change their mode bits. |
| 138 | |
| 139 | =item A, B, C, D, E, F, G, H |
| 140 | |
| 141 | Have no default meaning to the AFS server processes, but are made |
| 142 | available for applications to use in controlling access to the directory's |
| 143 | contents in additional ways. The letters must be uppercase. |
| 144 | |
| 145 | =back |
| 146 | |
| 147 | For DFS files and directories, the permissions are similar, except that |
| 148 | the DFS C<x> (execute) permission replaces the AFS C<l> (lookup) |
| 149 | permission, DFS C<c> (control) replaces AFS C<a> (administer), and there |
| 150 | is no DFS equivalent to the AFS C<k> (lock) permission. The meanings of |
| 151 | the various permissions also differ slightly, and DFS does not implement |
| 152 | negative permissions. For a complete description of DFS permissions, see |
| 153 | the DFS documentation. |
| 154 | |
| 155 | =head1 EXAMPLES |
| 156 | |
| 157 | The following command displays the ACL on the home directory of the user |
| 158 | C<pat> (the current working directory), and on its C<private> |
| 159 | subdirectory. |
| 160 | |
| 161 |    % fs listacl -path . private |
| 162 |    Access list for . is |
| 163 |    Normal rights: |
| 164 |       system:authuser rl |
| 165 |       pat rlidwka |
| 166 |       pat:friends rlid |
| 167 |    Negative rights: |
| 168 |       smith rlidwka |
| 169 |    Access list for private is |
| 170 |    Normal rights: |
| 171 |       pat rlidwka |
| 172 | |
| 173 | The following command generates the B<fs setacl> command required to |
| 174 | recreate the ACL on the home directory of the user |
| 175 | C<pat> (the current working directory), and on its C<private> |
| 176 | subdirectory. |
| 177 | |
| 178 |    % fs listacl -path . private -cmd |
| 179 |    fs setacl -dir . -acl system:authuser rl pat rlidwka pat:friends rlid |
| 180 |    fs setacl -dir . -acl smith rlidwka -negative |
| 181 |    fs setacl -dir private -acl pat rlidwka |
| 182 | |
| 183 | =head1 PRIVILEGE REQUIRED |
| 184 | |
| 185 | If the B<-path> argument names an AFS directory, the issuer must have the |
| 186 | C<l> (lookup) permission on its ACL and the ACL for every directory that |
| 187 | precedes it in the pathname. |
| 188 | |
| 189 | If the B<-path> argument names an AFS file, the issuer must have the C<l> |
| 190 | (lookup) and C<r> (read) permissions on the ACL of the file's directory, |
| 191 | and the C<l> permission on the ACL of each directory that precedes it in |
| 192 | the pathname. |
| 193 | |
| 194 | If the B<-path> argument names a DFS directory or file, the issuer must |
| 195 | have the C<x> (execute) permission on its ACL and on the ACL of each |
| 196 | directory that precedes it in the pathname. |
| 197 | |
| 198 | =head1 SEE ALSO |
| 199 | |
| 200 | L<fs_cleanacl(1)>, |
| 201 | L<fs_copyacl(1)>, |
| 202 | L<fs_setacl(1)> |
| 203 | |
| 204 | =head1 COPYRIGHT |
| 205 | |
| 206 | IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved. |
| 207 | |
| 208 | This documentation is covered by the IBM Public License Version 1.0. It was |
| 209 | converted from HTML to POD by software written by Chas Williams and Russ |
| 210 | Allbery, based on work by Alf Wachsmann and Elizabeth Cassell. |