Managing Systems and Workgroups: A Guide for HP-UX System Administrators
Administering a System: Managing System Security
Managing Access to Files and Directories
Because chmod affects the class ACL entry and not the owning group
entry, chmod may be used to deny access to all additional user and group
entries without the need to reset each entry with setacl.
Changing the JFS Access Control List of a File with setacl
If you are user1 (the owner of the file junk used in examples earlier in
this section), you can provide read access for junk to an additional user
by adding an entry to the ACL naming that user and specifying read
access. You do this with the setacl command.
Using setacl -m
For example, the following command gives user boss read-only access to
the file:
setacl -m u:boss:r-- junk
The -m (modify) option indicates that you are adding an entry to the
ACL or changing an existing one.
You can add group-specific entries in just the same way. For example, to
grant read and write access to everyone in the group dev, type the
following:
setacl -m g:dev:rw- junk
The -m option can be used to change an existing entry as well as add a
new one. If an entry already exists for the specified user or group, the
permissions for that entry are set to the values specified on the command
line.
Using setacl -d
The -d option deletes an entry. With -d, you do not specify any
permissions in the ACL entry. For example, the following command
deletes the entry for the group dev:
setacl -d g:dev junk
Adding or changing multiple entries with setacl
You may add, change, or delete any number of entries on the same
command line with the -m and -d options. You can either supply a
comma-separated list of entries to an option, or repeat the option with
additional entries. For example, the following two command lines have
the same effect:
setacl -m u:user4:---,u:user5:r-- junk
setacl -m u:user4:--- -m u:user5:r-- junk
You can also combine the -m and -d options on the same command line.
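The following Python sketch is an added example, not code from the HP-UX guide. It models how the -m and -d options described above change a file's additional user and group entries, and how a class entry set by chmod limits them. Assumptions: options are applied in command-line order, deleting a missing entry is an error, and an entry keeps only the permissions the class entry also grants; the function names are hypothetical.

```python
import re

# One additional ACL entry as typed on the setacl command line:
# u:name:perms or g:name:perms for -m, u:name or g:name for -d.
ENTRY = re.compile(r"^(u|g):([A-Za-z0-9_.-]+)(?::([r-][w-][x-]))?$")

def apply_setacl(acl, argv):
    """Return a copy of acl after applying the -m/-d options in argv.

    acl maps (kind, name) -> permissions, e.g. ("u", "boss") -> "r--".
    Model assumptions: options apply in command-line order, and
    deleting an entry that does not exist is an error.
    """
    acl = dict(acl)
    if len(argv) % 2:
        raise ValueError("each option needs an entry list")
    for opt, entries in zip(argv[0::2], argv[1::2]):
        if opt not in ("-m", "-d"):
            raise ValueError(f"option not modelled: {opt}")
        for entry in entries.split(","):
            match = ENTRY.match(entry)
            if match is None:
                raise ValueError(f"malformed entry: {entry}")
            kind, name, perms = match.groups()
            if opt == "-m":
                if perms is None:
                    raise ValueError(f"-m needs permissions: {entry}")
                acl[(kind, name)] = perms  # adds, or overwrites in place
            elif perms is not None:
                raise ValueError(f"-d takes no permissions: {entry}")
            elif (kind, name) not in acl:
                raise ValueError(f"no such entry: {entry}")
            else:
                del acl[(kind, name)]
    return acl

def effective(perms, class_perms):
    """Permissions an additional entry keeps under the class entry
    (assumption: a bit is granted only if both grant it)."""
    return "".join(p if p == c else "-" for p, c in zip(perms, class_perms))

if __name__ == "__main__":
    # Constructed starting ACL for the file junk.
    junk = {("g", "dev"): "rw-"}
    junk = apply_setacl(junk, ["-d", "g:dev", "-m", "u:boss:r--,u:user5:rw-"])
    for (kind, name), perms in sorted(junk.items()):
        # Class entry r-- stands for what a chmod might leave in place.
        print(kind, name, perms, "effective:", effective(perms, "r--"))
```

Running a planned change through the model before typing the real command shows which entries end up in the ACL and which of their permissions survive a restrictive class entry.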