Completely Replacing an ACL

It is sometimes simplest to clear an ACL completely before defining new permissions on it, for instance if the mix of normal and negative permissions makes it difficult to understand how their interaction affects access to the directory. To clear an ACL completely while you define new entries, include the -clear flag on the fs setacl command. When you include this flag, you can create entries on either the normal permissions or the negative permissions section of the ACL, but not on both at once.

Remember to create an entry for yourself. As the owner of the directory, you always have the a (administer) permission required to replace a deleted entry, but the effects of a missing ACL entry can be confusing enough to make it difficult to realize that the problem is a missing entry. In particular, lacking the l (lookup) permission prevents you from using any shorthand notation in pathnames (such as a single period for the current working directory or two periods for the parent directory).

To Replace an ACL Completely

Issue the fs setacl command with the -clear flag to clear the ACL completely before setting either normal or negative permissions. Because you need to grant the owner of the directory all permissions, it is better in most cases to set normal permissions at this point.

   % fs setacl -dir <directory>+ -acl <access list entries>+ -clear [-negative]

where

sa

Is an acceptable alias for setacl (and seta is the shortest acceptable abbreviation).

-dir

Names one or more directories to which to apply the ACL entries defined by the -acl argument. For a detailed description of acceptable values, see To Add, Remove, or Edit Normal ACL Permissions.

-acl

Specifies one or more ACL entries, each of which pairs a user or group name and a set of permissions. Separate the pairs, and the two parts of each pair, with one or more spaces. Remember to grant all permissions to the owner of the directory. For a detailed description of acceptable values, see To Add, Remove, or Edit Normal ACL Permissions.

-clear

Removes all entries from each ACL before creating the entries indicated by the -acl argument.

-negative

Places the entries defined by the -acl argument on the negative permissions section of each ACL.

Example: Replacing an ACL

The following example clears the ACL on the current working directory and creates entries that grant all permissions to user terry and all permissions except a to user pat.

   % fs setacl . terry all pat write -clear
   % fs listacl .
   Access control list for . is
   Normal rights:
     terry rlidwka
     pat rlidwk
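As an added example that is not part of the AFS guide, the following POSIX shell functions perform a pre-flight check before the clearing command from the procedure above is run: they expand the AFS shorthand rights (all, write, read, none) and confirm that the proposed entries still grant the directory owner l and a, since -clear discards every existing entry. The owner name and the entry list are inputs the caller supplies; the sample invocation reuses the user names from the example above.

```shell
# Added example, not from the AFS User Guide: pre-flight check for
# "fs setacl -clear". Because -clear discards every existing entry, make
# sure the new entries still grant the directory owner l (lookup) and
# a (administer) before running the command. Owner and entries are inputs
# the caller supplies (assumed, not taken from the guide).

# Expand the AFS shorthand names to their rlidwka letters.
expand_rights() {
    case "$1" in
        all)   echo rlidwka ;;
        write) echo rlidwk ;;
        read)  echo rl ;;
        none)  echo "" ;;
        *)     echo "$1" ;;   # already a letter string such as rlidwk
    esac
}

# check_owner_entry OWNER [NAME RIGHTS]... : succeed (0) only if OWNER
# appears in the entry list with both 'l' and 'a' among the rights.
check_owner_entry() {
    owner="$1"; shift
    while [ "$#" -ge 2 ]; do
        name="$1"; rights=$(expand_rights "$2"); shift 2
        [ "$name" = "$owner" ] || continue
        case "$rights" in *l*) ;; *) return 1 ;; esac
        case "$rights" in *a*) return 0 ;; *) return 1 ;; esac
    done
    return 1   # no entry for the owner at all
}

# build_clear_command DIR [NAME RIGHTS]... : print the command for review
# (it is printed, not executed, so it can be inspected first).
build_clear_command() {
    dir="$1"; shift
    printf 'fs setacl -dir %s -acl' "$dir"
    printf ' %s' "$@"
    printf ' -clear\n'
}

# Constructed sample: the entries from the guide's example, owner terry.
if check_owner_entry terry terry all pat write; then
    build_clear_command . terry all pat write
else
    echo "refusing: owner entry would lack l or a" >&2
fi
```

The check deliberately rejects an entry list in which the owner is absent or is given only write (rlidwk), which is the lockout the guide warns about.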