.\" Automatically generated by Pod::Man 4.10 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . 
ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "FS_SETACL 1" .TH FS_SETACL 1 "2021-01-27" "OpenAFS" "AFS Command Reference" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. 
.if n .ad l .nh .SH "NAME" fs_setacl \- Sets the ACL for a directory .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBfs setacl\fR \fB\-dir\fR\ <\fIdirectory\fR>+ \fB\-acl\fR\ <\fIaccess\ list\ entries\fR>+ [\fB\-clear\fR] [\fB\-negative\fR] [\fB\-id\fR] [\fB\-if\fR] [\fB\-help\fR] .PP \&\fBfs sa\fR \fB\-d\fR\ <\fIdirectory\fR>+ \fB\-a\fR\ <\fIaccess\ list\ entries\fR>+ [\fB\-c\fR] [\fB\-n\fR] [\fB\-id\fR] [\fB\-if\fR] [\fB\-h\fR] .PP \&\fBfs seta\fR \fB\-d\fR\ <\fIdirectory\fR>+ \fB\-a\fR\ <\fIaccess\ list\ entries\fR>+ [\fB\-c\fR] [\fB\-n\fR] [\fB\-id\fR] [\fB\-if\fR] [\fB\-h\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBfs setacl\fR command adds the access control list (\s-1ACL\s0) entries specified with the \fB\-acl\fR argument to the \s-1ACL\s0 of each directory named by the \fB\-dir\fR argument. .PP If the \fB\-dir\fR argument designates a pathname in \s-1DFS\s0 filespace (accessed via the \s-1AFS/DFS\s0 Migration Toolkit Protocol Translator), it can be a file as well as a directory. The \s-1ACL\s0 must already include an entry for \&\f(CW\*(C`mask_obj\*(C'\fR, however. .PP Only user and group entries are acceptable values for the \fB\-acl\fR argument. Do not place machine entries (\s-1IP\s0 addresses) directly on an \s-1ACL\s0; instead, make the machine entry a group member and place the group on the \&\s-1ACL.\s0 .PP To completely erase the existing \s-1ACL\s0 before adding the new entries, provide the \fB\-clear\fR flag. To add the specified entries to the \f(CW\*(C`Negative rights\*(C'\fR section of the \s-1ACL\s0 (deny rights to specified users or groups), provide the \fB\-negative\fR flag. .PP To display an \s-1ACL,\s0 use the fs listacl command. To copy an \s-1ACL\s0 from one directory to another, use the \fBfs copyacl\fR command. 
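.PP The following is an added example and is not part of OpenAFS or of this reference page. It is a small Python model of the rules this page documents (under DESCRIPTION, CAUTIONS and OPTIONS): an \fB\-acl\fR entry replaces a principal's existing rights rather than adding to them, the four shorthand words, relative \f(CW\*(C`+\*(C'\fR and \f(CW\*(C`\-\*(C'\fR changes, \fB\-clear\fR, \fB\-negative\fR, and the way \f(CW\*(C`Normal rights\*(C'\fR and \f(CW\*(C`Negative rights\*(C'\fR combine into what a user can actually do, including why a negative entry is useless against a user who can \fBunlog\fR and match only system:anyuser. The \fBfs listacl\fR text it parses is a constructed sample in the output format shown under EXAMPLES, reusing the names from that section; every function name is the example's own, not an OpenAFS interface.

```python
"""Offline model of the ACL rules on this page (fs setacl / fs listacl).

Added example, not OpenAFS code: it reimplements the documented rules so
they can be exercised without a cell.  LISTACL_SAMPLE is a constructed
sample in the output format the page shows.
"""

RIGHTS = "rlidwka"                       # display order used by fs listacl
APP_RIGHTS = "ABCDEFGH"                  # application-defined bits (uppercase)
SHORTHAND = {"all": set(RIGHTS), "read": set("rl"),
             "write": set("rlidwk"), "none": set()}


def parse_rights(spec):
    """Return (rights, relative) for one spec such as 'rl', 'write', 'r-', 'w+'.
    relative is '+', '-' or None.  A spec is either one shorthand word or a
    run of known letters; the two notations are not mixed inside one spec."""
    relative = None
    if spec and spec[-1] in "+-":
        relative, spec = spec[-1], spec[:-1]
    if spec in SHORTHAND:
        return set(SHORTHAND[spec]), relative
    if spec and all(c in RIGHTS or c in APP_RIGHTS for c in spec):
        return set(spec), relative
    raise ValueError("bad permission spec: %r" % spec)


def fmt_rights(rights):
    """Render a rights set in the order fs listacl prints it."""
    return "".join(c for c in RIGHTS + APP_RIGHTS if c in rights)


def parse_listacl(text):
    """Parse 'fs listacl' output for one directory into
    {"normal": {principal: set}, "negative": {principal: set}}."""
    acl = {"normal": {}, "negative": {}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line == "Normal rights:":
            section = "normal"
        elif line == "Negative rights:":
            section = "negative"
        elif section and line and not line.startswith("Access list for"):
            principal, spec = line.split()
            acl[section][principal] = parse_rights(spec)[0]
    return acl


def setacl(acl, entries, clear=False, negative=False):
    """Apply 'fs setacl -acl <entries> [-clear] [-negative]'; return a new ACL.
    entries is the flat principal/rights list as typed on the command line.
    A plain spec replaces the principal's entry in the chosen section; a spec
    ending in '+' or '-' edits it relative to what is there; an empty result
    (including 'none') removes the entry."""
    if len(entries) % 2:
        raise ValueError("-acl needs principal/rights pairs")
    new = ({"normal": {}, "negative": {}} if clear
           else {k: dict(v) for k, v in acl.items()})
    section = new["negative" if negative else "normal"]
    for principal, spec in zip(entries[::2], entries[1::2]):
        rights, relative = parse_rights(spec)
        if relative == "+":
            rights = section.get(principal, set()) | rights
        elif relative == "-":
            rights = section.get(principal, set()) - rights
        if rights:
            section[principal] = rights
        else:
            section.pop(principal, None)
    return new


def effective_rights(acl, user, groups=(), authenticated=True):
    """Union of matching Normal entries minus union of matching Negative ones.
    system:anyuser matches everyone; the user's name, groups and
    system:authuser match only while the user holds tokens.  After 'unlog'
    only system:anyuser matches, so a Negative entry cannot take away what
    system:anyuser grants."""
    matching = {"system:anyuser"}
    if authenticated:
        matching |= {user, "system:authuser", *groups}
    granted, denied = set(), set()
    for name in matching:
        granted |= acl["normal"].get(name, set())
        denied |= acl["negative"].get(name, set())
    return granted - denied


def futile_negatives(acl):
    """Negative entries whose denied rights are also granted to
    system:anyuser: the target just runs unlog and gets them anyway."""
    anyuser = acl["normal"].get("system:anyuser", set())
    return {name: rights & anyuser
            for name, rights in acl["negative"].items()
            if name != "system:anyuser" and rights & anyuser}


# Constructed sample in fs listacl format.
LISTACL_SAMPLE = """\
Access list for reports is
Normal rights:
  system:anyuser rl
  pat:friends rlid
  smith rlidwk
  pat rlidwka
Negative rights:
  terry rl
"""

if __name__ == "__main__":
    acl = parse_listacl(LISTACL_SAMPLE)
    print("futile negative entries:", futile_negatives(acl))
    print("terry with tokens:", repr(fmt_rights(effective_rights(acl, "terry"))))
    print("terry after unlog:", repr(fmt_rights(
        effective_rights(acl, "terry", authenticated=False))))
    fixed = setacl(acl, ["pat", "all", "smith", "write", "system:anyuser", "rl"],
                   clear=True)
    for name, rights in fixed["normal"].items():
        print("normal", name, fmt_rights(rights))
```

Run stand-alone it reports the negative entry for terry as futile (terry has no rights while holding tokens and \f(CW\*(C`rl\*(C'\fR after \fBunlog\fR), then shows the result of the \fB\-clear\fR example from EXAMPLES. The real fileserver additionally honours the dropbox rule described under DROPBOXES and the owner's implicit administer right; neither is modelled here.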
.SH "CAUTIONS" .IX Header "CAUTIONS" If the \s-1ACL\s0 already grants certain permissions to a user or group, the permissions specified with the \fBfs setacl\fR command replace the existing permissions, rather than being added to them. .PP Setting negative permissions is generally unnecessary and not recommended. Simply omitting a user or group from the \f(CW\*(C`Normal rights\*(C'\fR section of the \s-1ACL\s0 is normally adequate to prevent access. In particular, note that it is futile to deny permissions that are granted to members of the system:anyuser group on the same \s-1ACL\s0; the user needs only to issue the \&\fBunlog\fR command to receive the denied permissions, because an unauthenticated user matches only the system:anyuser entry and no longer matches the negative entry for their own name or groups. .PP When including the \fB\-clear\fR option, be sure to reinstate an entry for each directory's owner that includes at least the \f(CW\*(C`l\*(C'\fR (lookup) permission. Without that permission, it is impossible to resolve the \*(L"dot\*(R" (\f(CW\*(C`.\*(C'\fR) and \*(L"dot dot\*(R" (\f(CW\*(C`..\*(C'\fR) shorthand from within the directory. (The \s-1UID\s0 owner of the volume's top-level directory does implicitly have the \f(CW\*(C`a\*(C'\fR (administer) permission even on a cleared \s-1ACL,\s0 as described under \s-1PRIVILEGE REQUIRED,\s0 but must know to use it to add other permissions.) .SH "OPTIONS" .IX Header "OPTIONS" .IP "\fB\-dir\fR <\fIdirectory\fR>+" 4 .IX Item "-dir +" Names each \s-1AFS\s0 directory, or \s-1DFS\s0 directory or file, for which to set the \&\s-1ACL.\s0 Partial pathnames are interpreted relative to the current working directory. .Sp Specify the read/write path to each directory (or \s-1DFS\s0 file), to avoid the failure that results from attempting to change a read-only volume. By convention, the read/write path is indicated by placing a period before the cell name at the pathname's second level (for example, \&\fI/afs/.example.com\fR). For further discussion of the concept of read/write and read-only paths through the filespace, see the \fBfs mkmount\fR reference page.
.IP "\fB\-acl\fR <\fIaccess list entries\fR>+" 4 .IX Item "-acl +" Defines a list of one or more \s-1ACL\s0 entries, each a pair that names: .RS 4 .IP "\(bu" 4 A user name or group name as listed in the Protection Database. .IP "\(bu" 4 One or more \s-1ACL\s0 permissions, indicated either by combining the individual letters or by one of the four acceptable shorthand words, optionally followed by a single plus (+) or minus (\-) character to request a relative \&\s-1ACL\s0 change .RE .RS 4 .Sp in that order, separated by a space (thus every instance of this argument has two parts). The accepted \s-1AFS\s0 abbreviations and shorthand words, and the meaning of each, are as follows: .IP "a (administer)" 4 .IX Item "a (administer)" Change the entries on the \s-1ACL.\s0 .IP "d (delete)" 4 .IX Item "d (delete)" Remove files and subdirectories from the directory or move them to other directories. .IP "i (insert)" 4 .IX Item "i (insert)" Add files or subdirectories to the directory by copying, moving or creating. .IP "k (lock)" 4 .IX Item "k (lock)" Set read locks or write locks on the files in the directory. .IP "l (lookup)" 4 .IX Item "l (lookup)" List the files and subdirectories in the directory, stat the directory itself, and issue the \fBfs listacl\fR command to examine the directory's \&\s-1ACL.\s0 .IP "r (read)" 4 .IX Item "r (read)" Read the contents of files in the directory; issue the \f(CW\*(C`ls \-l\*(C'\fR command to stat the elements in the directory. .IP "w (write)" 4 .IX Item "w (write)" Modify the contents of files in the directory, and issue the \s-1UNIX\s0 \fBchmod\fR command to change their mode bits. .IP "A, B, C, D, E, F, G, H" 4 .IX Item "A, B, C, D, E, F, G, H" Have no default meaning to the \s-1AFS\s0 server processes, but are made available for applications to use in controlling access to the directory's contents in additional ways. The letters must be uppercase. .IP "all" 4 .IX Item "all" Equals all seven permissions (\f(CW\*(C`rlidwka\*(C'\fR).
.IP "none" 4 .IX Item "none" No permissions. Removes the user/group from the \s-1ACL,\s0 but does not guarantee they have no permissions if they belong to groups that remain on the \s-1ACL.\s0 .IP "read" 4 .IX Item "read" Equals the \f(CW\*(C`r\*(C'\fR (read) and \f(CW\*(C`l\*(C'\fR (lookup) permissions. .IP "write" 4 .IX Item "write" Equals all permissions except \f(CW\*(C`a\*(C'\fR (administer), that is, \f(CW\*(C`rlidwk\*(C'\fR. .RE .RS 4 .Sp It is acceptable to mix entries that combine the individual letters with entries that use the shorthand words, but not to use both types of notation within an individual pairing of user or group and permissions. .Sp Granting the \f(CW\*(C`l\*(C'\fR (lookup) and \f(CW\*(C`i\*(C'\fR (insert) permissions without granting the \f(CW\*(C`w\*(C'\fR (write) and/or \f(CW\*(C`r\*(C'\fR (read) permissions is a special case, and grants rights appropriate for \*(L"dropbox\*(R" directories. See the \&\*(L"\s-1DROPBOXES\*(R"\s0 section for details. .Sp If setting ACLs on a pathname in \s-1DFS\s0 filespace, see the \s-1DFS\s0 documentation for the proper format and acceptable values for \s-1DFS ACL\s0 entries. .RE .IP "\fB\-clear\fR" 4 .IX Item "-clear" Removes all existing entries on each \s-1ACL\s0 before adding the entries specified with the \fB\-acl\fR argument. .IP "\fB\-negative\fR" 4 .IX Item "-negative" Places the specified \s-1ACL\s0 entries in the \f(CW\*(C`Negative rights\*(C'\fR section of each \&\s-1ACL,\s0 explicitly denying the rights to the user or group, even if entries on the accompanying \f(CW\*(C`Normal rights\*(C'\fR section of the \s-1ACL\s0 grant them permissions. .Sp This argument is not supported for \s-1DFS\s0 files or directories, because \s-1DFS\s0 does not implement negative \s-1ACL\s0 permissions. .IP "\fB\-id\fR" 4 .IX Item "-id" Places the \s-1ACL\s0 entries on the Initial Container \s-1ACL\s0 of each \s-1DFS\s0 directory, which are the only file system objects for which this flag is supported.
.IP "\fB\-if\fR" 4 .IX Item "-if" Places the \s-1ACL\s0 entries on the Initial Object \s-1ACL\s0 of each \s-1DFS\s0 directory, which are the only file system objects for which this flag is supported. .IP "\fB\-help\fR" 4 .IX Item "-help" Prints the online help for this command. All other valid options are ignored. .SH "DROPBOXES" .IX Header "DROPBOXES" If an accessing user has the \f(CW\*(C`l\*(C'\fR (lookup) and \f(CW\*(C`i\*(C'\fR (insert) permissions on a directory, but not the \f(CW\*(C`w\*(C'\fR (write) and/or \f(CW\*(C`r\*(C'\fR (read) permissions, the user is implicitly granted the ability to write and/or read any file they create in that directory, until they close the file. This is to allow \*(L"dropbox\*(R"\-style directories to exist, where users can deposit files, but cannot modify them later nor can they modify or read any files deposited in the directory by other users. .PP Note, however, that the dropbox functionality is not perfect. The fileserver does not have knowledge of when a file is opened or closed on the client, and so the fileserver always allows an accessing user to read or write to a file in a \*(L"dropbox\*(R" directory if they own the file. While the client prevents the user from reading or modifying their deposited file later, this is not enforced on the fileserver, and so should not be relied on for security. .PP Additionally, if \*(L"dropbox\*(R" permissions are granted to \f(CW\*(C`system:anyuser\*(C'\fR, unauthenticated users may deposit files in the directory. If an unauthenticated user deposits a file in the directory, the new file will be owned by the unauthenticated user \s-1ID,\s0 and is thus potentially modifiable by anyone. .PP To reduce the chance of accidentally publicizing private data, the fileserver may refuse read requests for \*(L"dropbox\*(R" files from unauthenticated users.
As a result, depositing files as an unauthenticated user may arbitrarily fail if \f(CW\*(C`system:anyuser\*(C'\fR has been granted dropbox permissions. While this should be rare, it is not completely preventable, and so for this reason relying on unauthenticated users to be able to deposit files in a dropbox is \&\fB\s-1NOT RECOMMENDED\s0\fR. .SH "EXAMPLES" .IX Header "EXAMPLES" The following example adds two entries to the \f(CW\*(C`Normal rights\*(C'\fR section of the current working directory's \s-1ACL:\s0 the first entry grants \f(CW\*(C`r\*(C'\fR (read) and \f(CW\*(C`l\*(C'\fR (lookup) permissions to the group pat:friends, while the other (using the \f(CW\*(C`write\*(C'\fR shorthand) gives all permissions except \f(CW\*(C`a\*(C'\fR (administer) to the user \f(CW\*(C`smith\*(C'\fR. .PP .Vb 1 \& % fs setacl \-dir . \-acl pat:friends rl smith write \& \& % fs listacl \-path . \& Access list for . is \& Normal rights: \& pat:friends rl \& smith rlidwk .Ve .PP The following example includes the \fB\-clear\fR flag, which removes the existing permissions (as displayed with the \fBfs listacl\fR command) from the current working directory's \fIreports\fR subdirectory and replaces them with a new set. .PP .Vb 9 \& % fs listacl \-dir reports \& Access list for reports is \& Normal rights: \& system:authuser rl \& pat:friends rlid \& smith rlidwk \& pat rlidwka \& Negative rights: \& terry rl \& \& % fs setacl \-clear \-dir reports \-acl pat all smith write system:anyuser rl \& \& % fs listacl \-dir reports \& Access list for reports is \& Normal rights: \& system:anyuser rl \& smith rlidwk \& pat rlidwka .Ve .PP The following example uses the \fB\-dir\fR and \fB\-acl\fR switches because it sets the \s-1ACL\s0 for more than one directory (both the current working directory and its \fIpublic\fR subdirectory). .PP .Vb 1 \& % fs setacl \-dir . public \-acl pat:friends rli \& \& % fs listacl \-path . public \& Access list for .
is \& Normal rights: \& pat rlidwka \& pat:friends rli \& Access list for public is \& Normal rights: \& pat rlidwka \& pat:friends rli .Ve .PP The following example demonstrates the use of the + and \- suffixes to modify ACLs relative to the existing set. .PP .Vb 12 \& % fs setacl \-dir . \-acl pat:friends r\- \& % fs listacl \-path . \& Access list for . is \& Normal rights: \& pat rlidwka \& pat:friends li \& % fs setacl \-dir . \-acl pat:friends w+ \& % fs listacl \-path . \& Access list for . is \& Normal rights: \& pat rlidwka \& pat:friends liw .Ve .SH "PRIVILEGE REQUIRED" .IX Header "PRIVILEGE REQUIRED" The issuer must have the \f(CW\*(C`a\*(C'\fR (administer) permission on the directory's \&\s-1ACL,\s0 be a member of the system:administrators group, or, as a special case, be the \s-1UID\s0 owner of the top-level directory of the volume containing this directory. The last provision allows the \s-1UID\s0 owner of a volume to repair accidental \s-1ACL\s0 errors without requiring intervention by a member of system:administrators. .PP Earlier versions of OpenAFS also extended implicit administer permission to the owner of any directory. In current versions of OpenAFS, only the owner of the top-level directory of the volume has this special permission. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBfs_copyacl\fR\|(1), \&\fBfs_listacl\fR\|(1), \&\fBfs_mkmount\fR\|(1) .SH "COPYRIGHT" .IX Header "COPYRIGHT" \&\s-1IBM\s0 Corporation 2000. All Rights Reserved. .PP This documentation is covered by the \s-1IBM\s0 Public License Version 1.0. It was converted from \s-1HTML\s0 to \s-1POD\s0 by software written by Chas Williams and Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.