.\" -*- mode: troff; coding: utf-8 -*-
.\" Automatically generated by Pod::Man 5.01 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\" ========================================================================
.\"
.IX Title "FS_LISTACL 1"
.TH FS_LISTACL 1 2024-03-20 OpenAFS "AFS Command Reference"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH NAME
fs_listacl \- Displays ACLs
.SH SYNOPSIS
.IX Header "SYNOPSIS"
\&\fBfs listacl\fR [\fB\-path\fR\ <\fIdir/file\ path\fR>+] [\fB\-id\fR] [\fB\-if\fR] [\fB\-cmd\fR] [\fB\-help\fR]
.PP
\&\fBfs la\fR [\fB\-p\fR\ <\fIdir/file\ path\fR>+] [\fB\-id\fR] [\fB\-if\fR] [\fB\-cmd\fR] [\fB\-h\fR]
.PP
\&\fBfs lista\fR [\fB\-p\fR\ <\fIdir/file\ path\fR>+] [\fB\-id\fR] [\fB\-if\fR] [\fB\-cmd\fR] [\fB\-h\fR]
.SH DESCRIPTION
.IX Header "DESCRIPTION"
The \fBfs listacl\fR command displays the access control list (ACL)
associated with each specified file, directory, or symbolic link. The
specified element can reside in the DFS filespace if the issuer is using
the AFS/DFS Migration Toolkit Protocol Translator to access DFS data (and
DFS does implement per-file ACLs). To display the ACL of the current
working directory, omit the \fB\-path\fR argument.
.PP
To alter an ACL, use the \fBfs setacl\fR command. To copy an ACL from one
directory to another, use the \fBfs copyacl\fR command. To remove obsolete
entries from an ACL, use the \fBfs cleanacl\fR command.
.SH CAUTIONS
.IX Header "CAUTIONS"
Placing a user or group on the \f(CW\*(C`Negative rights\*(C'\fR section of the ACL does
not guarantee denial of permissions, if the \f(CW\*(C`Normal rights\*(C'\fR section
grants the permissions to members of the system:anyuser group. In that
case, the user needs only to issue the \fBunlog\fR command to obtain the
permissions granted to the system:anyuser group.
.SH OPTIONS
.IX Header "OPTIONS"
.IP "\fB\-path\fR <\fIdir/file path\fR>+" 4
.IX Item "-path
+"
Names each directory or file for which to display the ACL. For AFS files,
the output displays the ACL from the file's parent directory; DFS files do
have their own ACL. Incomplete pathnames are interpreted relative to the
current working directory, which is also the default value if this
argument is omitted.
.IP \fB\-id\fR 4
.IX Item "-id"
Displays the Initial Container ACL of each DFS directory. This argument is
supported only on DFS directories accessed via the AFS/DFS Migration
Toolkit Protocol Translator.
.IP \fB\-if\fR 4
.IX Item "-if"
Displays the Initial Object ACL of each DFS directory. This argument is
supported only on DFS directories accessed via the AFS/DFS Migration
Toolkit Protocol Translator.
.IP \fB\-cmd\fR 4
.IX Item "-cmd"
Outputs an \fBfs setacl\fR command string that can be used to recreate
the ACL applied to the specified file, directory or symbolic link.
.IP \fB\-help\fR 4
.IX Item "-help"
Prints the online help for this command. All other valid options are
ignored.
.SH OUTPUT
.IX Header "OUTPUT"
The first line of the output for each file, directory, or symbolic link
reads as follows:
.PP
.Vb 1
\& Access list for is
.Ve
.PP
If the issuer used shorthand notation in the pathname, such as the period
(\f(CW\*(C`.\*(C'\fR) to represent the current current directory, that notation sometimes
appears instead of the full pathname of the directory.
.PP
Next, the \f(CW\*(C`Normal rights\*(C'\fR header precedes a list of users and groups who
are granted the indicated permissions, with one pairing of user or group
and permissions on each line. If negative permissions have been assigned
to any user or group, those entries follow a \f(CW\*(C`Negative rights\*(C'\fR
header. The format of negative entries is the same as those on the
\&\f(CW\*(C`Normal rights\*(C'\fR section of the ACL, but the user or group is denied
rather than granted the indicated permissions.
.PP
AFS does not implement per-file ACLs, so for a file the command displays
the ACL on its directory. The output for a symbolic link displays the ACL
that applies to its target file or directory, rather than the ACL on the
directory that houses the symbolic link.
.PP
The permissions for AFS enable the possessor to perform the indicated
action:
.IP "a (administer)" 4
.IX Item "a (administer)"
Change the entries on the ACL.
.IP "d (delete)" 4
.IX Item "d (delete)"
Remove files and subdirectories from the directory or move them to other
directories.
.IP "i (insert)" 4
.IX Item "i (insert)"
Add files or subdirectories to the directory by copying, moving or
creating.
.IP "k (lock)" 4
.IX Item "k (lock)"
Set read locks or write locks on the files in the directory.
.IP "l (lookup)" 4
.IX Item "l (lookup)"
List the files and subdirectories in the directory, stat the directory
itself, and issue the \fBfs listacl\fR command to examine the directory's
ACL.
.IP "r (read)" 4
.IX Item "r (read)"
Read the contents of files in the directory; issue the \f(CW\*(C`ls \-l\*(C'\fR command to
stat the elements in the directory.
.IP "w (write)" 4
.IX Item "w (write)"
Modify the contents of files in the directory, and issue the UNIX \fBchmod\fR
command to change their mode bits
.IP "A, B, C, D, E, F, G, H" 4
.IX Item "A, B, C, D, E, F, G, H"
Have no default meaning to the AFS server processes, but are made
available for applications to use in controlling access to the directory's
contents in additional ways. The letters must be uppercase.
.PP
For DFS files and directories, the permissions are similar, except that
the DFS \f(CW\*(C`x\*(C'\fR (execute) permission replaces the AFS \f(CW\*(C`l\*(C'\fR (lookup)
permission, DFS \f(CW\*(C`c\*(C'\fR (control) replaces AFS \f(CW\*(C`a\*(C'\fR (administer), and there
is no DFS equivalent to the AFS \f(CW\*(C`k\*(C'\fR (lock) permission. The meanings of
the various permissions also differ slightly, and DFS does not implement
negative permissions. For a complete description of DFS permissions, see
the DFS documentation.
.SH EXAMPLES
.IX Header "EXAMPLES"
The following command displays the ACL on the home directory of the user
\&\f(CW\*(C`pat\*(C'\fR (the current working directory), and on its \f(CW\*(C`private\*(C'\fR
subdirectory.
.PP
.Vb 11
\& % fs listacl \-path . private
\& Access list for . is
\& Normal rights:
\& system:authuser rl
\& pat rlidwka
\& pat:friends rlid
\& Negative rights:
\& smith rlidwka
\& Access list for private is
\& Normal rights:
\& pat rlidwka
.Ve
.PP
The following command generates the \fBfs setacl\fR command required to
recreate the ACL on the home directory of the user
\&\f(CW\*(C`pat\*(C'\fR (the current working directory), and on its \f(CW\*(C`private\*(C'\fR
subdirectory.
.PP
.Vb 4
\& % fs listacl \-path . private \-cmd
\& fs setacl \-dir . \-acl system:authuser rl pat rlidwka pat:friends rlid
\& fs setacl \-dir . \-acl smith rlidwka \-negative
\& fs setacl \-dir private \-acl pat rlidwka
.Ve
.SH "PRIVILEGE REQUIRED"
.IX Header "PRIVILEGE REQUIRED"
If the \fB\-path\fR argument names an AFS directory, the issuer must have the
\&\f(CW\*(C`l\*(C'\fR (lookup) permission on its ACL and the ACL for every directory that
precedes it in the pathname.
.PP
If the \fB\-path\fR argument names an AFS file, the issuer must have the \f(CW\*(C`l\*(C'\fR
(lookup) and \f(CW\*(C`r\*(C'\fR (read) permissions on the ACL of the file's directory,
and the \fBl\fR permission on the ACL of each directory that precedes it in
the pathname.
.PP
If the \fB\-path\fR argument names a DFS directory or file, the issuer must
have the \f(CW\*(C`x\*(C'\fR (execute) permission on its ACL and on the ACL of each
directory that precedes it in the pathname.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBfs_cleanacl\fR\|(1),
\&\fBfs_copyacl\fR\|(1),
\&\fBfs_setacl\fR\|(1)
.SH COPYRIGHT
.IX Header "COPYRIGHT"
IBM Corporation 2000. All Rights Reserved.
.PP
This documentation is covered by the IBM Public License Version 1.0. It was
converted from HTML to POD by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.