Copying ACLs Between Directories

The fs copyacl command copies a source directory's ACL to one or more destination directories. It does not affect the source ACL at all, but changes each destination ACL as follows:

Note for AFS/DFS Migration Toolkit users: If the machine is configured to enable AFS users to access a DCE cell's DFS filespace via the AFS/DFS Migration Toolkit, then you can use the fs copyacl command to copy ACLs between DFS files and directories also. The command includes -id and -if flags for altering a DFS directory's Initial Container and Initial Object ACLs as well as its regular ACL; see the OpenAFS/DFS Migration Toolkit Administration Guide and Reference. You cannot copy ACLs between AFS and DFS directories, because they use different ACL formats. The fs command interpreter ignores the -id and -if flags if you include them when copying AFS ACLs.

To copy an ACL between directories

  1. Verify that you have the l (lookup) permission on the source ACL and the a (administer) permission on each destination ACL. To identify the source directory by naming a file in it, you must also have the r (read) permission on the source ACL. If necessary, issue the fs listacl command, which is fully described in Displaying ACLs.

       % fs listacl [<dir/file path>]
    
  2. Issue the fs copyacl command to copy a source ACL to the ACL on one or more destination directories. (The command appears here on two lines only for legibility.)

       % fs copyacl -fromdir <source directory> -todir <destination directory>+  \
                    [-clear]
    

    where

    co

    Is the shortest acceptable abbreviation for copyacl.

    -fromdir

    Names the source directory from which to copy the ACL. Partial pathnames are interpreted relative to the current working directory. If this argument names a file, the ACL is copied from its directory.

    -todir

    Names each destination directory to which to copy the source ACL. Partial pathnames are interpreted relative to the current working directory. Filenames are not acceptable.

    Specify the read/write path to each directory, to avoid the failure that results when you attempt to change a read-only volume. By convention, you indicate the read/write path by placing a period before the cell name at the pathname's second level (for example, /afs/.example.com). For further discussion of the concept of read/write and read-only paths through the filespace, see The Rules of Mount Point Traversal.

    -clear

    Completely overwrites each destination directory's ACL with the source ACL.

The following example copies the ACL from the current working directory's notes subdirectory to the plans subdirectory. The issuer does not include the -clear flag, so the entry for user pat remains on the plans directory's ACL although there is no corresponding entry on the notes directory's ACL.

   % fs la notes plans
   Access list for notes is
   Normal permissions:
      terry rlidwka
      smith rl
      jones rl
   Access list for plans is
   Normal permissions:
      terry rlidwk
      pat rlidwk
   % fs copyacl notes plans
   % fs la notes plans
   Access list for notes is
   Normal permissions:
      terry rlidwka
      smith rl
      jones rl
   Access list for plans is
   Normal permissions:
      terry rlidwka
      pat rlidwk
      smith rl
      jones rl
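The residual `pat` entry above is the case worth checking before a copy. The following Python sketch is an added example, not part of the OpenAFS documentation: it parses `fs listacl` output in the format shown on this page, lists the destination-only entries that survive without `-clear`, and predicts the resulting ACL. The function names are hypothetical, and the merge rule is inferred from this page's example and its description of `-clear`.

```python
import re

# Constructed input: the first `fs la notes plans` output from the example above.
SAMPLE = """\
Access list for notes is
Normal permissions:
   terry rlidwka
   smith rl
   jones rl
Access list for plans is
Normal permissions:
   terry rlidwk
   pat rlidwk
"""

def parse_listacl(text):
    """Return {directory: {principal: permissions}} from fs listacl output."""
    acls, current = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*Access list for (.+) is\s*$", line)
        parts = line.split()
        if header:
            current = acls.setdefault(header.group(1), {})
        elif current is not None and len(parts) == 2 and not parts[1].endswith(":"):
            current[parts[0]] = parts[1]  # "<principal> <permissions>"
    return acls

def predict_copyacl(src, dst, clear=False):
    """Predicted destination ACL: source entries win; -clear drops all others."""
    result = {} if clear else dict(dst)
    result.update(src)
    return result

def residual_entries(src, dst):
    """Destination-only entries, which remain unless -clear is given."""
    return {who: perms for who, perms in dst.items() if who not in src}

if __name__ == "__main__":
    acls = parse_listacl(SAMPLE)
    src, dst = acls["notes"], acls["plans"]
    for who, perms in residual_entries(src, dst).items():
        print(f"kept without -clear: {who} {perms}")
    print("after copyacl:       ", predict_copyacl(src, dst))
    print("after copyacl -clear:", predict_copyacl(src, dst, clear=True))
```

Run it on saved `fs listacl` output for the source and each destination; any principal it reports as kept retains its access after the copy unless you add `-clear`.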