NAME
fs_listacl - Displays ACLs
SYNOPSIS
fs listacl [-path <dir/file path>+] [-id] [-if] [-help]
fs la [-p <dir/file path>+] [-id] [-if] [-h]
fs lista [-p <dir/file path>+] [-id] [-if] [-h]
DESCRIPTION
The fs listacl command displays the access control list (ACL)
associated with each specified file, directory, or symbolic link. The
specified element can reside in the DFS filespace if the issuer is
using the AFS/DFS Migration Toolkit Protocol Translator to access DFS
data (and DFS does implement per-file ACLs). To display the ACL of the
current working directory, omit the -path argument.
To alter an ACL, use the fs setacl command. To copy an ACL from one
directory to another, use the fs copyacl command. To remove obsolete
entries from an ACL, use the fs cleanacl command.
CAUTIONS
Placing a user or group on the "Negative rights" section of the ACL
does not guarantee denial of permissions, if the "Normal rights"
section grants the permissions to members of the system:anyuser group.
In that case, the user needs only to issue the unlog command to obtain
the permissions granted to the system:anyuser group.
OPTIONS
-path <dir/file path>+
Names each directory or file for which to display the ACL. For AFS
files, the output displays the ACL from the file’s parent
directory; DFS files do have their own ACL. Incomplete pathnames
are interpreted relative to the current working directory, which is
also the default value if this argument is omitted.
-id Displays the Initial Container ACL of each DFS directory. This
argument is supported only on DFS directories accessed via the
AFS/DFS Migration Toolkit Protocol Translator.
-if Displays the Initial Object ACL of each DFS directory. This
argument is supported only on DFS directories accessed via the
AFS/DFS Migration Toolkit Protocol Translator.
-help
Prints the online help for this command. All other valid options
are ignored.
OUTPUT
The first line of the output for each file, directory, or symbolic link
reads as follows:
Access list for <directory> is
If the issuer used shorthand notation in the pathname, such as the
period (".") to represent the current current directory, that notation
sometimes appears instead of the full pathname of the directory.
Next, the "Normal rights" header precedes a list of users and groups
who are granted the indicated permissions, with one pairing of user or
group and permissions on each line. If negative permissions have been
assigned to any user or group, those entries follow a "Negative rights"
header. The format of negative entries is the same as those on the
"Normal rights" section of the ACL, but the user or group is denied
rather than granted the indicated permissions.
AFS does not implement per-file ACLs, so for a file the command
displays the ACL on its directory. The output for a symbolic link
displays the ACL that applies to its target file or directory, rather
than the ACL on the directory that houses the symbolic link.
The permissions for AFS enable the possessor to perform the indicated
action:
a (administer)
Change the entries on the ACL.
d (delete)
Remove files and subdirectories from the directory or move them to
other directories.
i (insert)
Add files or subdirectories to the directory by copying, moving or
creating.
k (lock)
Set read locks or write locks on the files in the directory.
l (lookup)
List the files and subdirectories in the directory, stat the
directory itself, and issue the fs listacl command to examine the
directory’s ACL.
r (read)
Read the contents of files in the directory; issue the "ls -l"
command to stat the elements in the directory.
w (write)
Modify the contents of files in the directory, and issue the UNIX
chmod command to change their mode bits
A, B, C, D, E, F, G, H
Have no default meaning to the AFS server processes, but are made
available for applications to use in controlling access to the
directory’s contents in additional ways. The letters must be
uppercase.
For DFS files and directories, the permissions are similar, except that
the DFS "x" (execute) permission replaces the AFS "l" (lookup)
permission, DFS "c" (control) replaces AFS "a" (administer), and there
is no DFS equivalent to the AFS "k" (lock) permission. The meanings of
the various permissions also differ slightly, and DFS does not
implement negative permissions. For a complete description of DFS
permissions, see the DFS documentation and the IBM AFS/DFS Migration
Toolkit Administration Guide and Reference.
EXAMPLES
The following command displays the ACL on the home directory of the
user "pat" (the current working directory), and on its "private"
subdirectory.
% fs listacl -path . private
Access list for . is
Normal rights:
system:authuser rl
pat rlidwka
pat:friends rlid
Negative rights:
smith rlidwka
Access list for private is
Normal rights:
pat rlidwka
PRIVILEGE REQUIRED
If the -path argument names an AFS directory, the issuer must have the
"l" (lookup) permission on its ACL and the ACL for every directory that
precedes it in the pathname.
If the -path argument names an AFS file, the issuer must have the "l"
(lookup) and "r" (read) permissions on the ACL of the file’s directory,
and the l permission on the ACL of each directory that precedes it in
the pathname.
If the -path argument names a DFS directory or file, the issuer must
have the "x" (execute) permission on its ACL and on the ACL of each
directory that precedes it in the pathname.
SEE ALSO
fs_cleanacl(1), fs_copyacl(1), fs_setacl(1)
IBM AFS/DFS Migration Toolkit Administration Guide and Reference
COPYRIGHT
IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.
This documentation is covered by the IBM Public License Version 1.0.
It was converted from HTML to POD by software written by Chas Williams
and Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.