HP-UX Reference (11i v1 05/09) - 1 User Commands A-M (vol 1)

chacl(1) chacl(1)
NAME
chacl - add, modify, delete, copy, or summarize access control lists (ACLs) of files
SYNOPSIS
/usr/bin/chacl acl file ...
chacl -r acl file ...
chacl -d aclpatt file ...
chacl -f fromfile tofile ...
chacl -[z|Z|F] file ...
DESCRIPTION
chacl extends the capabilities of chmod(1) by enabling the user to grant or restrict file access to
additional specific users and/or groups. Traditional file access permissions, set when a file is created,
grant or restrict access to the file’s owner, group, and other users. These file access permissions (e.g.,
rwxrw-r--) are mapped into three base access control list entries: one entry for the file’s owner
(u.%, mode), one for the file’s group (%.g, mode), and one for other users (%.%, mode).
chacl enables a user to designate up to thirteen additional sets of permissions (called optional access
control list (ACL) entries) which are stored in the access control list of the file.
To use chacl, the owner (or superuser) constructs an acl, a set of (user.group, mode) mappings to associate
with one or more files. A specific user and group can be referred to by either name or number; any user
(u), group (g), or both can be referred to with a % symbol, representing any user or group. The @ symbol
specifies the file’s owner or group.
Read, write, and execute/search (rwx) modes are identical to those used by chmod; symbolic operators (op)
add (+), remove (-), or set (=) access rights. The entire acl should be quoted if it contains whitespace or
special characters. Although two variants for constructing the acl are available (and fully explained in
acl(5)), the following syntax is suggested:
entry [, entry ] ...
where the syntax for an entry is
u.g op mode[op mode ] ...
By default, chacl modifies existing ACLs. It adds ACL entries or modifies access rights in existing ACL
entries. If acl contains an ACL entry already associated with a file, the entry’s mode bits are changed to the
new value given, or are modified by the specified operators. If the file’s ACL does not already contain the
specified entry, that ACL entry is added. chacl can also remove all access to files. Giving it a null acl
argument means either “no access” (when using the -r option) or “no changes.”
For a summary of the syntax, run chacl without arguments.
If file is specified as -, chacl reads from standard input.
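The entry syntax and the default modify behaviour described above, together with the -r replace behaviour and the null acl case, modelled in Python as an added example (this is not HP-UX code and not part of the original reference page). The function names, the dictionary representation, and the sample users alice and bob and group staff are assumptions made for illustration.

```python
import re

MAX_OPTIONAL = 13  # limit on optional ACL entries stated in the page
ENTRY = re.compile(r"^\s*([^\s.,]+)\.([^\s.,]+)\s*((?:\s*[+=-]\s*[rwx]*)+)\s*$")
OPMODE = re.compile(r"([+=-])\s*([rwx]*)")

def base_keys(owner, group):
    # The three base entries: u.% (owner), %.g (group), %.% (other users)
    return [(owner, "%"), ("%", group), ("%", "%")]

def base_acl(perm, owner, group):
    """Map chmod-style bits such as 'rwxrw-r--' onto the three base entries."""
    return {k: set(perm[i:i + 3]) - {"-"}
            for i, k in zip((0, 3, 6), base_keys(owner, group))}

def parse_acl(acl, owner, group):
    """Parse 'entry[,entry]...' where entry is 'u.g op mode[op mode]...'."""
    parsed = []
    for text in (t for t in acl.split(",") if t.strip()):
        m = ENTRY.match(text)
        if not m:
            raise ValueError(f"bad ACL entry: {text!r}")
        user = owner if m.group(1) == "@" else m.group(1)  # @ = file's owner
        grp = group if m.group(2) == "@" else m.group(2)   # @ = file's group
        ops = [(op, set(bits)) for op, bits in OPMODE.findall(m.group(3))]
        parsed.append(((user, grp), ops))
    return parsed

def chacl(acl, current, owner, group, replace=False):
    """Return the ACL that results from applying acl; replace=True models -r."""
    base = base_keys(owner, group)
    # -r: optional entries are deleted and base modes zeroed before acl is applied
    result = ({k: set() for k in base} if replace
              else {k: set(v) for k, v in current.items()})
    for key, ops in parse_acl(acl, owner, group):
        mode = result.get(key, set())
        for op, bits in ops:
            mode = set(bits) if op == "=" else mode | bits if op == "+" else mode - bits
        result[key] = mode  # existing entry modified, missing entry added
    if sum(k not in base for k in result) > MAX_OPTIONAL:
        raise ValueError("more than thirteen optional ACL entries")
    return result

if __name__ == "__main__":
    acl = base_acl("rwxrw-r--", "alice", "staff")  # constructed sample file
    print(chacl("bob.% = r, @.% - w", acl, "alice", "staff"))
    print(chacl("@.% = rw", acl, "alice", "staff", replace=True))
```

With replace=True, any base entry the acl omits ends up with no access, so a replacement ACL has to name every base entry that should keep permissions.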
Options
chacl recognizes the following options:
-r Replace old ACLs with the given ACL. All optional ACL entries are first deleted from the
specified files’ ACLs, their base permissions are set to zero, and the new ACL is applied. If
acl does not contain an entry for the owner (u.%), the group (%.g), or other (%.%) users of
a file, that base ACL entry’s mode is set to zero (no access). The command affects all of the
file’s ACL entries, but does not change the file’s owner or group ID.
In chmod(1), the “modify” and “replace” operations are distinguished by the syntax (string
or octal value). There is no corollary for ACLs because they have a variable number of
entries. Hence chacl modifies specific entries by default, and optionally replaces all
entries.
-d Delete the specified entries from the ACLs on all specified files. The aclpatt argument can
be an exact ACL or an ACL pattern (see acl(5)). chacl -d updates each file’s ACL only if
entries are deleted from it.
If you attempt to delete a base ACL entry from any file, the entry remains but its access
mode is set to zero (no access). If you attempt to delete a non-existent ACL entry from a file
(that is, if an ACL entry pattern matches no ACL entry), chacl informs you of the error,
Section 170 Hewlett-Packard Company 1 HP-UX 11i Version 1: September 2005