Displaying ACLs

To display the ACL associated with a file, directory or symbolic link, issue the fs listacl command. The output for a symbolic link displays the ACL that applies to its target file or directory, rather than the ACL on the directory that houses the symbolic link.

Note for AFS/DFS Migration Toolkit users: If the machine on which you issue the fs listacl command is configured to access a DCE cell's DFS filespace via the AFS/DFS Migration Toolkit, you can use the command to display the ACL on DFS files and directories. To display a DFS directory's Initial Container and Initial Object ACL instead of the regular one, include the fs listacl command's -id or -if flag. For instructions, see the OpenAFS/DFS Migration Toolkit Administration Guide and Reference. The fs command interpreter ignores the -id and -if flags if you include them when displaying an AFS ACL.

To display an ACL

  1. Issue the fs listacl command.

       % fs listacl [<dir/file path>+]



    Is an acceptable alias for listacl (and lista is the shortest acceptable abbreviation).

    dir/file path

    Names one or more files or directories for which to display the ACL. For files, the output displays the ACL for its directory. If you omit this argument, the output is for the current working directory. Partial pathnames are interpreted relative to the current working directory. You can also use the following notation on its own or as part of a pathname:


    (A single period). Specifies the current working directory.


    (Two periods). Specifies the current working directory's parent directory.


    (The asterisk). Specifies each file and subdirectory in the current working directory. The ACL displayed for a file is always the same as for its directory, but the ACL for each subdirectory can differ.

The following error message indicates that you do not have the permissions needed to display an ACL. To specify a directory name as the dir/file path argument, you must have the l (lookup) permission on the ACL. To specify a filename, you must also have the r (read) permission on its directory's ACL.

   fs: You don't have the required access permissions on 'dir/file path'

Members of the system:administrators group and the directory's owner (as reported by the ls -ld command) implicitly have the a (administer) permission on every directory's ACL, and can use the fs setacl command to grant themselves the required permissions; for instructions, see Setting ACL Entries.

The output for each file or directory specified as dir/file path begins with the following header to identify it:

   Access list for  dir/file path is

The Normal rights header appears on the next line, followed by lines that each pair a user or group name and a set of permissions. The permissions appear as the single letters defined in The AFS ACL Permissions, and always in the order rlidwka. If there are any negative permissions, the Negative rights header appears next, followed by pairs of negative permissions.

The following example displays the ACL on user terry's home directory in the Example Corporation cell:

   % fs la /afs/example.com/usr/terry
   Access list for /afs/example.com/usr/terry is
   Normal permissions:
      system:authuser rl
      pat rlw
      terry rlidwka
   Negative permissions:
      terry:other-dept rl
      jones rl

where pat, terry, and jones are individual users, system:authuser is a system group, and terry:other-dept is a group that terry owns. The list of normal permissions grants all permissions to terry, the r (read), l (lookup), and w (write) permissions to pat, and the r and l permissions to the members of the system:authuser group.

The list of negative permissions denies the r and l permissions to jones and the members of the terry:other-dept group. These entries effectively prevent them from accessing terry's home directory in any way, because they cancel out the r and l permissions extended to the system:authuser group, which is the only entry on the Normal rights section of the ACL that possibly applies to them.