|-dir <directory>+||
Names each AFS directory, or DFS directory or file, for which to set the ACL. Partial pathnames are interpreted relative to the current working directory.
Specify the read/write path to each directory (or DFS file), to avoid the failure that results from attempting to change a read-only volume. By convention, the read/write path is indicated by placing a period before the cell name at the pathname's second level (for example, /afs/.abc.com). For further discussion of the concept of read/write and read-only paths through the filespace, see the fs mkmount reference page.
|-acl <access list entries>+||
Defines a list of one or more ACL entries, each a pair that names:
a user name or group name, and
one or more ACL permissions, indicated either by combining the individual letters or by one of the four shorthand words,
in that order, separated by a space (thus every instance of this argument has two parts). The accepted AFS abbreviations and shorthand words, and the meaning of each, are as follows:
r (read): read the contents of files in the directory.
l (lookup): list the names of files and subdirectories in the directory, and examine its ACL.
i (insert): create new files and subdirectories in the directory.
d (delete): remove files and subdirectories from the directory.
w (write): modify the contents of files in the directory, and change their UNIX mode bits.
k (lock): set advisory locks on files in the directory.
a (administer): change the directory's ACL.
write: all permissions except a (administer); equivalent to rlidwk.
read: the r (read) and l (lookup) permissions; equivalent to rl.
all: all seven permissions; equivalent to rlidwka.
none: no permissions; removes the entry for the user or group from the ACL.
It is acceptable to mix entries that combine the individual letters with entries that use the shorthand words, but not to use both types of notation within an individual pairing of user or group and permissions.
Granting the l (lookup) and i (insert) permissions without granting the w (write) and/or r (read) permissions is a special case, and grants rights appropriate for dropbox directories. See the DROPBOXES section for details.
If setting ACLs on a pathname in DFS filespace, see the DFS documentation for the proper format and acceptable values for DFS ACL entries.
|-clear||Removes all existing entries on each ACL before adding the entries specified with the -acl argument.|
|-negative||Places the specified ACL entries in the Negative rights section of each ACL, explicitly denying the rights to the user or group, even if entries in the accompanying Normal rights section of the ACL grant them.
This argument is not supported for DFS files or directories, because DFS does not implement negative ACL permissions.|
|-id||Places the ACL entries on the Initial Container ACL of each DFS directory, which are the only file system objects for which this flag is supported.|
|-if||Places the ACL entries on the Initial Object ACL of each DFS directory, which are the only file system objects for which this flag is supported.|
|-help||Prints the online help for this command. All other valid options are ignored.|
If an accessing user has the l (lookup) and i (insert) permissions on a directory, but not the w (write) and/or r (read) permissions, the user is implicitly granted the ability to write and/or read any file they create in that directory, until they close the file. This is to allow dropbox-style directories to exist, where users can deposit files, but cannot modify them later nor can they modify or read any files deposited in the directory by other users.
Note, however, that the dropbox functionality is not perfect. The fileserver does not have knowledge of when a file is opened or closed on the client, and so the fileserver always allows an accessing user to read or write to a file in a dropbox directory if they own the file. While the client prevents the user from reading or modifying their deposited file later, this is not enforced on the fileserver, and so should not be relied on for security.
Additionally, if dropbox permissions are granted to system:anyuser, unauthenticated users may deposit files in the directory. If an unauthenticated user deposits a file in the directory, the new file will be owned by the unauthenticated user ID, and is thus potentially modifiable by anyone.
To reduce the chance of accidentally publicizing private data, the fileserver may refuse read requests for dropbox files from unauthenticated users. As a result, depositing files as an unauthenticated user may arbitrarily fail if system:anyuser has been granted dropbox permissions. While this should be rare, it is not completely preventable, and so relying on unauthenticated users being able to deposit files in a dropbox is NOT RECOMMENDED.
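The following Python model covers the -acl entry notation (letters versus shorthand words, and the rule against mixing them in one pairing), the -clear and -negative behaviour, and the dropbox special case described above. It is an added example, not OpenAFS code: the fileserver's real enforcement lives in the server, and this only reproduces the rules as the manual states them. The user, group and membership data (pat:friends, smith, terry, the system:authuser dropbox) are constructed sample values, and the caller is assumed to pass system:anyuser and, for an authenticated user, system:authuser among the principal's groups.

```python
"""Model of the AFS directory ACL rules from fs_setacl(1).

Added example, not OpenAFS code: parses -acl name/permission pairs,
applies -clear and Negative rights, computes the rights an accessing
user ends up with, and flags dropbox-style entries (l and i without
r or w). All names and group memberships are constructed sample data.
"""

from typing import Dict, List, Set, Tuple

LETTERS = "rlidwka"  # the seven AFS permission letters, in display order

# Shorthand words accepted by fs setacl and what they expand to.
SHORTHAND: Dict[str, str] = {
    "read": "rl",
    "write": "rlidwk",  # everything except a (administer)
    "all": "rlidwka",
    "none": "",         # removes the entry from the ACL
}


def parse_rights(token: str) -> Set[str]:
    """One permission token: a shorthand word or a string of letters.
    Mixing both in a single token (e.g. "writea") is rejected."""
    if token in SHORTHAND:
        return set(SHORTHAND[token])
    bad = set(token) - set(LETTERS)
    if bad or not token:
        raise ValueError(f"invalid permission token {token!r}")
    return set(token)


def parse_acl_arg(args: List[str]) -> List[Tuple[str, Set[str]]]:
    """The -acl argument is a flat list alternating name and permission
    tokens, so it must contain an even number of elements."""
    if len(args) % 2:
        raise ValueError("-acl entries must be name/permission pairs")
    return [(args[i], parse_rights(args[i + 1])) for i in range(0, len(args), 2)]


def fmt(rights: Set[str]) -> str:
    """Render a rights set the way fs listacl prints it (rlidwka order)."""
    return "".join(c for c in LETTERS if c in rights)


class AFSAcl:
    """Normal and Negative rights sections of one directory's ACL."""

    def __init__(self) -> None:
        self.normal: Dict[str, Set[str]] = {}
        self.negative: Dict[str, Set[str]] = {}

    def setacl(self, args: List[str], negative: bool = False,
               clear: bool = False) -> None:
        """fs setacl semantics: -clear empties both sections first,
        -negative targets the Negative section, 'none' deletes an entry."""
        if clear:
            self.normal.clear()
            self.negative.clear()
        section = self.negative if negative else self.normal
        for name, rights in parse_acl_arg(args):
            if rights:
                section[name] = rights
            else:
                section.pop(name, None)

    def effective(self, principal: str, groups: Set[str]) -> Set[str]:
        """Rights held by principal: union of Normal entries naming the
        principal or one of its groups, minus the matching Negative
        entries. Caller supplies system:anyuser/system:authuser in groups."""
        who = {principal, *groups}
        granted: Set[str] = set()
        denied: Set[str] = set()
        for name, rights in self.normal.items():
            if name in who:
                granted |= rights
        for name, rights in self.negative.items():
            if name in who:
                denied |= rights
        return granted - denied

    def dropbox_entries(self) -> List[str]:
        """Entries that trigger the dropbox special case: l and i granted
        without r or w. A system:anyuser entry here is the configuration
        the text above recommends against."""
        return [name for name, rights in self.normal.items()
                if {"l", "i"} <= rights and not rights & {"r", "w"}]


def demo() -> AFSAcl:
    """The page's first example plus a negative entry and a dropbox (constructed)."""
    acl = AFSAcl()
    acl.setacl(["pat:friends", "rl", "smith", "write"])
    acl.setacl(["terry", "rl"], negative=True)   # terry is assumed to be in pat:friends
    acl.setacl(["system:authuser", "li"])        # dropbox for authenticated users
    return acl


if __name__ == "__main__":
    acl = demo()
    for who, groups in [("smith", {"system:anyuser", "system:authuser"}),
                        ("terry", {"pat:friends", "system:anyuser", "system:authuser"})]:
        print(who, fmt(acl.effective(who, groups)) or "(no rights)")
    print("dropbox entries:", acl.dropbox_entries())
```

Run stand-alone, the script reports that smith holds rlidwk, that terry is left with only i (the Negative rl entry removes the read and lookup rights inherited from pat:friends), and that system:authuser is the one dropbox entry. The effective() calculation is a model of how the sections combine; it does not reproduce the per-file owner exception that the dropbox text describes, which is why a dropbox should not be relied on to keep deposited files private.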
The following example adds two entries to the Normal rights section of the current working directory's ACL: the first entry grants r (read) and l (lookup) permissions to the group pat:friends, while the other (using the write shorthand) gives all permissions except a (administer) to the user smith.
   % fs setacl -dir . -acl pat:friends rl smith write
   % fs listacl -path .
   Access list for . is
   Normal rights:
     pat:friends rl
     smith rlidwk
The following example includes the -clear flag, which removes the existing permissions (as displayed with the fs listacl command) from the current working directory's reports subdirectory, including the Negative rights entry for terry, and replaces them with a new set.
   % fs listacl -dir reports
   Access list for reports is
   Normal rights:
     system:authuser rl
     pat:friends rlid
     smith rlidwk
     pat rlidwka
   Negative rights:
     terry rl
   % fs setacl -clear -dir reports -acl pat all smith write system:anyuser rl
   % fs listacl -dir reports
   Access list for reports is
   Normal rights:
     system:anyuser rl
     smith rlidwk
     pat rlidwka
The following example uses the -dir and -acl switches explicitly because it sets the ACL for more than one directory (both the current working directory and its public subdirectory).
   % fs setacl -dir . public -acl pat:friends rli
   % fs listacl -path . public
   Access list for . is
   Normal rights:
     pat rlidwka
     pat:friends rli
   Access list for public is
   Normal rights:
     pat rlidwka
     pat:friends rli
The issuer must have the a (administer) permission on the directory's ACL, be a member of the system:administrators group, or, as a special case, be the UID owner of the top-level directory of the volume containing the directory. The last provision allows the UID owner of a volume to repair accidental ACL errors without requiring intervention by a member of system:administrators.
Earlier versions of OpenAFS also extended implicit administer permission to the owner of any directory. In current versions of OpenAFS, only the owner of the top-level directory of the volume has this special permission.
fs_copyacl(1), fs_listacl(1), fs_mkmount(1)
IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.
This documentation is covered by the IBM Public License Version 1.0. It was converted from HTML to POD by software written by Chas Williams and Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.