Provided by: openafs-client_1.8.12.1-1_amd64 
NAME
       fs_setacl - Sets the ACL for a directory
SYNOPSIS
       fs setacl -dir <directory>+ -acl <access list entries>+
           [-clear] [-negative] [-id] [-if] [-help]
       fs sa -d <directory>+ -a <access list entries>+
           [-c] [-n] [-id] [-if] [-h]
       fs seta -d <directory>+ -a <access list entries>+
           [-c] [-n] [-id] [-if] [-h]
DESCRIPTION
       The fs setacl command adds the access control list (ACL) entries specified with the -acl argument to the
       ACL of each directory named by the -dir argument.
       If the -dir argument designates a pathname in DFS filespace (accessed via the AFS/DFS Migration Toolkit
       Protocol Translator), it can be a file as well as a directory. The ACL must already include an entry for
       "mask_obj", however.
       Only user and group entries are acceptable values for the -acl argument. Do not place machine entries (IP
       addresses) directly on an ACL; instead, make the machine entry a group member and place the group on the
       ACL.
       To completely erase the existing ACL before adding the new entries, provide the -clear flag. To add the
       specified entries to the "Negative rights" section of the ACL (deny rights to specified users or groups),
       provide the -negative flag.
       To display an ACL, use the fs listacl command. To copy an ACL from one directory to another, use the fs
       copyacl command.
CAUTIONS
       If the ACL already grants certain permissions to a user or group, the permissions specified with the fs
       setacl command replace the existing permissions, rather than being added to them.
       Setting negative permissions is generally unnecessary and not recommended. Simply omitting a user or
       group from the "Normal rights" section of the ACL is normally adequate to prevent access. In particular,
       note that it is futile to deny permissions that are granted to members of the system:anyuser group on the
       same ACL; the user needs only to issue the unlog command to receive the denied permissions.
       When including the -clear option, be sure to reinstate an entry for each directory's owner that includes
       at least the "l" (lookup) permission. Without that permission, it is impossible to resolve the "dot"
       (".") and "dot dot" ("..") shorthand from within the directory. (The directory's owner does implicitly
       have the "a" (administer) permission even on a cleared ACL, but must know to use it to add other
       permissions.)
OPTIONS
       -dir <directory>+
            Names each AFS directory, or DFS directory or file, for which to set the ACL. Partial pathnames are
            interpreted relative to the current working directory.
           Specify the read/write path to each directory (or DFS file), to avoid the failure that  results  from
           attempting to change a read-only volume. By convention, the read/write path is indicated by placing a
           period  before  the  cell  name  at the pathname's second level (for example, /afs/.example.com). For
           further discussion of the concept of read/write and read-only paths through the filespace, see the fs
           mkmount reference page.
       -acl <access list entries>+
           Defines a list of one or more ACL entries, each a pair that names:
           •   A user name or group name as listed in the Protection Database.
            •   One or more ACL permissions, indicated either by combining the individual letters or by one of
                the four acceptable shorthand words, optionally followed by a single plus (+) or minus (-)
                character to request a relative ACL change
           in that order, separated by a space (thus every  instance  of  this  argument  has  two  parts).  The
           accepted AFS abbreviations and shorthand words, and the meaning of each, are as follows:
           a (administer)
               Change the entries on the ACL.
           d (delete)
               Remove files and subdirectories from the directory or move them to other directories.
           i (insert)
               Add files or subdirectories to the directory by copying, moving or creating.
           k (lock)
               Set read locks or write locks on the files in the directory.
           l (lookup)
               List  the  files and subdirectories in the directory, stat the directory itself, and issue the fs
               listacl command to examine the directory's ACL.
           r (read)
               Read the contents of files in the directory; issue the "ls -l" command to stat  the  elements  in
               the directory.
           w (write)
               Modify  the  contents of files in the directory, and issue the UNIX chmod command to change their
               mode bits.
           A, B, C, D, E, F, G, H
               Have no default meaning to the AFS server processes, but are made available for  applications  to
               use  in  controlling  access  to the directory's contents in additional ways. The letters must be
               uppercase.
           all Equals all seven permissions ("rlidwka").
           none
               No permissions. Removes the user/group from  the  ACL,  but  does  not  guarantee  they  have  no
               permissions if they belong to groups that remain on the ACL.
           read
               Equals the "r" (read) and "l" (lookup) permissions.
           write
               Equals all permissions except "a" (administer), that is, "rlidwk".
            It is acceptable to mix entries that combine the individual letters with entries that use the
            shorthand words, but not to use both types of notation within an individual pairing of user or group
            and permissions.
            Granting the "l" (lookup) and "i" (insert) permissions without granting the "w" (write) and/or "r"
            (read) permissions is a special case, and grants rights appropriate for "dropbox" directories. See
            the "DROPBOXES" section for details.
           If setting ACLs on a pathname in DFS filespace, see the DFS documentation for the proper  format  and
           acceptable values for DFS ACL entries.
       -clear
           Removes all existing entries on each ACL before adding the entries specified with the -acl argument.
       -negative
           Places the specified ACL entries in the "Negative rights" section of each ACL, explicitly denying the
           rights  to  the user or group, even if entries on the accompanying "Normal rights" section of the ACL
           grant them permissions.
           This argument is not supported for DFS files or directories, because DFS does not implement  negative
           ACL permissions.
       -id Places  the  ACL  entries on the Initial Container ACL of each DFS directory, which are the only file
           system objects for which this flag is supported.
       -if Places the ACL entries on the Initial Object ACL of each DFS  directory,  which  are  the  only  file
           system objects for which this flag is supported.
       -help
           Prints the online help for this command. All other valid options are ignored.
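       The following Python, added here as an illustration and not part of the OpenAFS man page or source, models how
       the -acl entries described above are parsed and applied, including the "replace rather than add" behaviour
       noted under CAUTIONS. The dictionary layout and function names are this example's own assumptions.

```python
# Added example (not part of the OpenAFS man page): models how fs setacl reads
# -acl entries (letters, shorthand words, a trailing + or -) and applies them
# to a directory's ACL, including the -clear and -negative flags.
LETTERS = "rlidwka"      # the seven standard rights, in the order fs prints them
EXTRA = "ABCDEFGH"       # application-defined rights; must be uppercase
SHORTHAND = {"all": "rlidwka", "write": "rlidwk", "read": "rl", "none": ""}

def parse_rights(spec):
    """Return (set of rights, op); op is '+', '-' or None for an absolute setting."""
    op = None
    if len(spec) > 1 and spec[-1] in "+-":
        spec, op = spec[:-1], spec[-1]
    if spec in SHORTHAND:
        return set(SHORTHAND[spec]), op
    rights = set(spec)
    if not spec or rights - set(LETTERS + EXTRA):
        # unknown letters, lowercase application letters, or a word mixed with letters
        raise ValueError("invalid ACL rights: %r" % spec)
    return rights, op

def setacl(acl, entries, clear=False, negative=False):
    """acl is {'normal': {name: set}, 'negative': {name: set}}; entries is the flat
    name/rights list exactly as typed after -acl. Returns a new ACL dict."""
    if len(entries) % 2:
        raise ValueError("-acl takes name and rights pairs")
    new = {"normal": {}, "negative": {}} if clear else {k: dict(v) for k, v in acl.items()}
    section = new["negative" if negative else "normal"]
    for name, spec in zip(entries[::2], entries[1::2]):
        rights, op = parse_rights(spec)
        if op == "+":
            rights = section.get(name, set()) | rights
        elif op == "-":
            rights = section.get(name, set()) - rights
        # without + or -, the new rights replace the old entry outright (see CAUTIONS)
        if rights:
            section[name] = rights
        else:
            section.pop(name, None)   # "none" (or an emptied entry) removes the name
    return new

def fmt_rights(rights):
    """Render a rights set in rlidwka order, as fs listacl does."""
    return "".join(c for c in LETTERS + EXTRA if c in rights)
```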
DROPBOXES
       If  an  accessing  user has the "l" (lookup) and "i" (insert) permissions on a directory, but not the "w"
       (write) and/or "r" (read) permissions, the user is implicitly granted the ability to  write  and/or  read
       any  file  they  create  in  that  directory, until they close the file. This is to allow "dropbox"-style
       directories to exist, where users can deposit files, but cannot modify them later nor can they modify  or
       read any files deposited in the directory by other users.
       Note,  however,  that the dropbox functionality is not perfect. The fileserver does not have knowledge of
       when a file is opened or closed on the client, and so the fileserver always allows an accessing  user  to
       read  or  write  to  a file in a "dropbox" directory if they own the file.  While the client prevents the
       user from reading or modifying their deposited file later, this is not enforced on the fileserver, and so
       should not be relied on for security.
       Additionally, if "dropbox" permissions are granted to "system:anyuser", unauthenticated users may deposit
       files in the directory. If an unauthenticated user deposits a file in the directory, the new file will be
       owned by the unauthenticated user ID, and is thus potentially modifiable by anyone.
       To reduce the chance of accidentally publicizing private data, the fileserver may refuse read
       requests for "dropbox" files from unauthenticated users. As a result, depositing files as an
       unauthenticated user may arbitrarily fail if "system:anyuser" has been granted dropbox permissions. While
       this should be rare, it is not completely preventable, and so for this reason relying on unauthenticated
       users to be able to deposit files in a dropbox is NOT RECOMMENDED.
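       The following Python, added here and not part of the OpenAFS man page or source, parses the fs listacl output
       format shown under EXAMPLES, computes a principal's effective rights (Normal entries minus Negative entries),
       and flags the futile-negative-entry case from CAUTIONS and the dropbox patterns above. The function names and
       the sample ACL are this example's own constructions.

```python
# Added example (not from the OpenAFS man page): parses fs listacl output, computes
# what a principal can actually do, and flags the CAUTIONS/DROPBOXES pitfalls.
# system:anyuser and system:authuser have their standard AFS meaning.
ANYUSER, AUTHUSER = "system:anyuser", "system:authuser"

def parse_listacl(text):
    """fs listacl output -> {'normal': {name: set}, 'negative': {name: set}}."""
    acl, section = {"normal": {}, "negative": {}}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Normal rights:"):
            section = "normal"
        elif line.startswith("Negative rights:"):
            section = "negative"
        elif section and line:
            name, rights = line.split()
            acl[section][name] = set(rights)
    return acl

def effective_rights(acl, user, groups=(), authenticated=True):
    """Union of matching Normal entries minus union of matching Negative entries."""
    who = {ANYUSER} | ({user, AUTHUSER, *groups} if authenticated else set())
    grant = set().union(*(r for n, r in acl["normal"].items() if n in who))
    deny = set().union(*(r for n, r in acl["negative"].items() if n in who))
    return grant - deny

def audit(acl):
    """Findings for negative entries that system:anyuser makes futile, and for dropboxes."""
    findings, anon = [], acl["normal"].get(ANYUSER, set())
    for name, denied in acl["negative"].items():
        if denied & anon:  # unlog makes the user system:anyuser and sidesteps the deny
            futile = "".join(c for c in "rlidwka" if c in denied & anon)
            findings.append("futile negative entry for %s: %s grants %s" % (name, ANYUSER, futile))
    for name, rights in acl["normal"].items():
        if {"l", "i"} <= rights and not rights & {"r", "w"}:  # the dropbox pattern
            why = ("anonymous deposits are owned by the anonymous ID and may fail" if name == ANYUSER
                   else "the fileserver still lets the depositor read/write their own file")
            findings.append("dropbox rights for %s: %s" % (name, why))
    return findings

# Constructed listacl output, in the format shown under EXAMPLES.
SAMPLE = """Access list for reports is
Normal rights:
  system:anyuser rl
  pat rlidwka
  smith rlidwk
  drop:users li
Negative rights:
  terry rl
"""
```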
EXAMPLES
       The  following example adds two entries to the "Normal rights" section of the current working directory's
       ACL: the first entry grants "r" (read) and "l" (lookup) permissions to the group pat:friends,  while  the
       other (using the "write" shorthand) gives all permissions except "a" (administer) to the user "smith".
          % fs setacl -dir . -acl pat:friends rl smith write
          % fs listacl -path .
          Access list for . is
          Normal rights:
             pat:friends rl
             smith rlidwk
       The following example includes the -clear flag, which removes the existing permissions (as displayed with
       the  fs listacl command) from the current working directory's reports subdirectory and replaces them with
       a new set.
          % fs listacl -dir reports
          Access list for reports is
          Normal rights:
             system:authuser rl
             pat:friends rlid
             smith rlidwk
             pat rlidwka
          Negative rights:
             terry rl
          % fs setacl -clear -dir reports -acl pat all smith write system:anyuser rl
          % fs listacl -dir reports
          Access list for reports is
          Normal rights:
             system:anyuser rl
             smith rlidwk
             pat rlidwka
       The following example uses the -dir and -acl switches because it sets the ACL for more than one directory
       (both the current working directory and its public subdirectory).
          % fs setacl -dir . public -acl pat:friends rli
          % fs listacl -path . public
          Access list for . is
          Normal rights:
             pat rlidwka
             pat:friends rli
          Access list for public is
          Normal rights:
             pat rlidwka
             pat:friends rli
       The following example demonstrates the use of the + and - options to modify ACLs relative to the existing
       set.
          % fs setacl -dir . -acl pat:friends r-
          % fs listacl -path .
          Access list for . is
          Normal rights:
             pat rlidwka
             pat:friends li
          % fs setacl -dir . -acl pat:friends w+
          % fs listacl -path .
          Access list for . is
          Normal rights:
             pat rlidwka
             pat:friends wli
PRIVILEGE REQUIRED
       The issuer must have the "a" (administer) permission on the directory's ACL, be a member of the
       system:administrators group, or, as a special case, be the UID owner of the top-level directory of
       the volume containing this directory. The last provision allows the UID owner of a volume to repair
       accidental ACL errors without requiring intervention by a member of system:administrators.
       Earlier versions of OpenAFS also extended implicit administer permission to the owner of  any  directory.
       In  current versions of OpenAFS, only the owner of the top-level directory of the volume has this special
       permission.
SEE ALSO
       fs_copyacl(1), fs_listacl(1), fs_mkmount(1)
COPYRIGHT
       IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.
       This documentation is covered by the IBM Public License Version 1.0.  It was converted from HTML  to  POD
       by  software  written  by  Chas  Williams  and Russ Allbery, based on work by Alf Wachsmann and Elizabeth
       Cassell.
OpenAFS                                            2024-08-22                                       FS_SETACL(1)