Setting ACL Entries

To add, remove, or edit ACL entries, use the fs setacl command. By default, the command manipulates entries on the normal permissions section of the ACL. To manipulate entries on the negative permissions section, include the -negative flag.

You must have the a (administer) permission on an ACL to edit it. The owner of a directory (as reported by the ls -ld command) and members of the system:administrators group always implicitly have it. By default, members of the system:administrators group also implicitly have the l (lookup) permission.

Note for AFS/DFS Migration Toolkit users: If the machine on which you issue the fs setacl command is configured to access a DCE cell's DFS filespace via the AFS/DFS Migration Toolkit, you can use the command to set the ACL on DFS files and directories. To set a DFS directory's Initial Container and Initial Object ACL instead of the regular one, include the fs setacl command's -id or -if flag. For instructions, see the OpenAFS/DFS Migration Toolkit Administration Guide and Reference. The fs command interpreter ignores the -id and -if flags if you include them when setting an AFS ACL.

To add, remove, or edit normal ACL permissions

  1. Verify that you have the a (administer) permission on each directory for which you are editing the ACL. If necessary, issue the fs listacl command, which is fully described in Displaying ACLs.

       % fs listacl [<dir/file path>]

  2. Issue the fs setacl command to edit entries in the normal permissions section of the ACL. To remove an entry, specify the none shorthand as the permissions. If an ACL entry already exists, the permissions you specify completely replace those in the existing entry.

       % fs setacl -dir <directory>+ -acl <access list entries>+

    where

    sa

    Is an acceptable alias for setacl (and seta is the shortest acceptable abbreviation).

    -dir

    Names one or more directories to which to apply the ACL entries defined by the -acl argument. Partial pathnames are interpreted relative to the current working directory.

    Specify the read/write path to each directory, to avoid the failure that results when you attempt to change a read-only volume. By convention, you indicate the read/write path by placing a period before the cell name at the pathname's second level (for example, /afs/.example.com). For further discussion of the concept of read/write and read-only paths through the filespace, see The Rules of Mount Point Traversal.

    You can also use the following notation on its own or as part of a pathname:

    .

    (A single period). If used by itself, sets the ACL on the current working directory.

    ..

    (Two periods). If used by itself, sets the ACL on the current working directory's parent directory.

    *

    (The asterisk). Sets the ACL on each of the subdirectories in the current working directory. You must precede it with the -dir switch, since it potentially designates multiple directories. The fs command interpreter generates the following error message for each file in the directory:

       fs: 'filename': Not a directory

    If you specify only one directory or file name, you can omit the -dir and -acl switches.

    -acl

    Specifies one or more ACL entries, each of which pairs a user or group name and a set of permissions. Separate the pairs, and the two parts of each pair, with one or more spaces.

    To define the permissions, provide either:

    • One or more of the letters that represent the standard or auxiliary permissions (rlidwka and ABCDEFGH), in any order

    • One of the four shorthand notations:

      • all (equals rlidwka)

      • none (removes the entry)

      • read (equals rl)

      • write (equals rlidwk)

    For a more detailed description of the permissions and shorthand notations, see The AFS ACL Permissions.

    On a single command line, you can combine user and group entries. You can also use individual letters in some pairs and the shorthand notations in other pairs, but cannot combine letters and shorthand notation within a single pair.

Either of the following examples grants user pat the r (read) and l (lookup) permissions on the ACL of the notes subdirectory in the issuer's home directory. They illustrate how it is possible to omit the -dir and -acl switches when you name only one directory.

   % fs sa ~/notes pat rl
   % fs sa ~/notes pat read

The following example edits the ACL for the current working directory. It removes the entry for the system:anyuser group, and adds two entries: one grants all permissions except a (administer) to the members of the terry:colleagues group and the other grants the r (read) and l (lookup) permissions to the system:authuser group. The command appears on two lines here only for legibility.

   % fs  sa  -dir . -acl  system:anyuser  none  terry:colleagues  write  \
           system:authuser  rl
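As an added illustration that is not part of the OpenAFS guide, the following POSIX shell helpers apply the rules described above before a change is made: they expand and validate each permission string the way the -acl argument expects it (shorthand or letters, never both in one pair), rewrite an /afs path to its read/write form, and print the resulting fs setacl command line rather than running it, so the change can be reviewed first. The function names, the dry-run approach and the sample paths are this example's own; the fs command is never invoked.

```shell
#!/bin/sh
# Added example: helpers around fs setacl. Nothing here runs fs; the final
# command line is printed for review.

# The seven standard permissions plus the eight auxiliary ones.
VALID_LETTERS='rlidwkaABCDEFGH'

# expand_perms PERMS
# Prints the letters a shorthand stands for (all -> rlidwka, read -> rl,
# write -> rlidwk), passes "none" (remove the entry) through unchanged, or
# validates a string of individual letters. Anything else, including a pair
# that mixes letters with a shorthand such as "readw", fails with status 1.
expand_perms() {
    case "$1" in
        all)   echo rlidwka ;;
        read)  echo rl ;;
        write) echo rlidwk ;;
        none)  echo none ;;
        '')    return 1 ;;
        *)
            # Delete every valid letter; whatever remains is not a permission.
            rest=$(printf '%s' "$1" | tr -d "$VALID_LETTERS")
            [ -z "$rest" ] || return 1
            echo "$1"
            ;;
    esac
}

# rw_path PATH
# Rewrites /afs/<cell>/... to /afs/.<cell>/... so the ACL change goes through
# the read/write path instead of failing on a read-only volume. Paths that
# already use the dotted cell name, relative paths and paths outside /afs are
# printed unchanged.
rw_path() {
    case "$1" in
        /afs/.*) echo "$1" ;;
        /afs/*)  echo "/afs/.${1#/afs/}" ;;
        *)       echo "$1" ;;
    esac
}

# build_setacl [-negative] DIR NAME PERMS [NAME PERMS ...]
# Prints the fs setacl command line for the given entries, with each
# permission string expanded and validated and DIR converted to its
# read/write form. Fails if a name has no permission string or a permission
# string is invalid.
build_setacl() {
    neg=''
    if [ "$1" = -negative ]; then
        neg=' -negative'
        shift
    fi
    dir=$(rw_path "$1")
    shift
    [ $# -ge 2 ] || return 1
    entries=''
    while [ $# -ge 2 ]; do
        perms=$(expand_perms "$2") || {
            echo "invalid permissions for $1: '$2'" >&2
            return 1
        }
        entries="$entries $1 $perms"
        shift 2
    done
    # An odd trailing argument is a name without permissions.
    [ $# -eq 0 ] || return 1
    echo "fs setacl -dir $dir -acl$entries$neg"
}

# Dry runs of the commands shown in the guide's examples above.
build_setacl /afs/example.com/usr/pat/notes pat read
build_setacl . system:anyuser none terry:colleagues write system:authuser rl
build_setacl -negative project pat wd
```

Because the helpers only print, they can be wrapped in a loop over many directories and the output inspected (or diffed against a previous run) before any line is actually executed.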

To add, remove, or edit negative ACL permissions

  1. Verify that you have the a (administer) permission on each directory for which you are editing the ACL. If necessary, issue the fs listacl command, which is fully described in Displaying ACLs.

       % fs listacl [<dir/file path>]

  2. Issue the fs setacl command with the -negative flag to edit entries in the negative permissions section of the ACL. To remove an entry, specify the none shorthand as the permissions. If an ACL entry already exists for a user or group, the permissions you specify completely replace those in the existing entry.

       % fs setacl -dir <directory>+ -acl <access list entries>+ -negative

    where

    sa

    Is an acceptable alias for setacl (and seta is the shortest acceptable abbreviation).

    -dir

    Names one or more directories to which to apply the negative ACL entries defined by the -acl argument. Specify the read/write path to each directory, to avoid the failure that results when you attempt to change a read-only volume. For a detailed description of acceptable values, see To add, remove, or edit normal ACL permissions.

    -acl

    Specifies one or more ACL entries, each of which pairs a user or group name and a set of permissions. Separate the pairs, and the two parts of each pair, with one or more spaces. For a detailed description of acceptable values, see To add, remove, or edit normal ACL permissions. Keep in mind that the usual meaning of each permission is reversed.

    -negative

    Places the entries defined by the -acl argument on the negative permissions section of the ACL for each directory named by the -dir argument.

The following example denies user pat the w (write) and d (delete) permissions for the project subdirectory of the current working directory.

   % fs sa project pat wd -neg
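The following added example, which is not from the OpenAFS guide, shows what a negative entry does to a user's effective rights. It parses constructed fs listacl output in the format shown under Displaying ACLs, computes the rights a principal ends up with (the union of the normal entries that apply to the user or its groups, minus every letter that a negative entry applying to any of them denies), and lists normal-section entries that give system:anyuser or system:authuser more than the read shorthand, which is worth reviewing because every client or every authenticated user receives them. Group membership is passed in by the caller here; in a real cell it would be looked up with pts membership. The function names and the sample ACL are this example's own.

```shell
#!/bin/sh
# Added example: what the negative section does to effective rights, using
# constructed fs listacl output (the format shown under Displaying ACLs).

# Constructed sample: output of "fs listacl" for a project directory whose
# negative section denies user pat the w and d permissions.
SAMPLE_ACL='Access list for /afs/.example.com/proj/project is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  terry:colleagues rlidwk
Negative rights:
  pat wd'

# canon LETTERS
# Prints the letters of LETTERS once each, in the order rlidwkaABCDEFGH.
canon() {
    out=''
    for l in r l i d w k a A B C D E F G H; do
        case "$1" in *"$l"*) out="$out$l" ;; esac
    done
    echo "$out"
}

# effective_rights ACL_TEXT PRINCIPAL [GROUP ...]
# Unions the normal entries that name PRINCIPAL or any of its groups, then
# removes every letter that a negative entry naming any of them denies.
# Group membership is supplied by the caller (in a real cell it comes from
# "pts membership"); system:anyuser and system:authuser must be listed too
# when they apply.
effective_rights() {
    acl=$1
    shift
    section=''
    granted=''
    denied=''
    while read -r name perms; do
        case "$name" in
            Normal)    section=normal;   continue ;;
            Negative)  section=negative; continue ;;
            Access|'') continue ;;
        esac
        for p in "$@"; do
            [ "$p" = "$name" ] || continue
            if [ "$section" = normal ]; then
                granted="$granted$perms"
            else
                denied="$denied$perms"
            fi
        done
    done <<EOF
$acl
EOF
    # A negative entry wins over any normal entry that granted the same letter.
    if [ -n "$denied" ]; then
        granted=$(printf '%s' "$granted" | tr -d "$denied")
    fi
    canon "$granted"
}

# broad_grants ACL_TEXT
# Prints each normal-section entry that gives system:anyuser or
# system:authuser anything beyond the read shorthand (rl), since such an
# entry hands that permission to every client or every authenticated user.
broad_grants() {
    section=''
    while read -r name perms; do
        case "$name" in
            Normal)   section=normal;   continue ;;
            Negative) section=negative; continue ;;
            system:anyuser|system:authuser)
                if [ "$section" = normal ]; then
                    extra=$(printf '%s' "$perms" | tr -d rl)
                    [ -z "$extra" ] || echo "$name $perms"
                fi
                ;;
        esac
    done <<EOF
$1
EOF
}

# pat is a member of terry:colleagues: the normal section grants rlidwk, the
# negative entry takes w and d back, leaving rlik. terry keeps rlidwk.
effective_rights "$SAMPLE_ACL" pat system:anyuser system:authuser terry:colleagues
effective_rights "$SAMPLE_ACL" terry system:anyuser system:authuser terry:colleagues
broad_grants "$SAMPLE_ACL"
```

The negative entry only subtracts from what the normal section granted through pat's own entry or one of pat's groups; it never adds anything, which is why the guide says the usual meaning of each permission is reversed in that section. Running broad_grants over the listacl output of a tree before and after a change is a cheap way to catch a write or all shorthand accidentally given to system:anyuser.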