
FreeBSD Manual Pages


chacl(1)		    General Commands Manual		      chacl(1)

       chacl  -	 add,  modify, delete, copy, or	summarize access control lists
       (ACLs) of files

       acl file	...

       acl file	...

       aclpatt file ...

       fromfile	tofile	...


       chacl extends the capabilities of chmod(1), by enabling the user to
       grant or restrict file access to additional specific users and/or
       groups.  Traditional file access permissions, set when a file is
       created, grant or restrict access to the file's owner, group, and
       other users.  These file access permissions are mapped into three
       base access control list entries: one entry for the file's owner,
       one for the file's group, and one for other users.

       chacl enables a user to designate up to thirteen additional sets of
       permissions (called optional access control list (ACL) entries),
       which are stored in the access control list of the file.

       To use chacl, the owner (or superuser) constructs an acl, a set of
       (u.g, mode) mappings to associate with one or more files.  A specific
       user and group can be referred to by either name or number; any user
       (u), group (g), or both can be referred to with a wildcard symbol
       representing any user or group (see acl(5)).  The @ symbol specifies
       the file's owner or group.

       Read, write, and execute/search modes are identical to those used by
       chmod; symbolic operators (op) add, remove, or set access rights.
       The entire acl should be quoted if it contains whitespace or special
       characters.  Although two variants for constructing the acl are
       available (and fully explained in acl(5)), the following syntax is
       suggested:

	      entry[, entry] ...

       where the syntax	for an entry is

	      u.g op mode[op mode] ...

       By default, chacl modifies existing ACLs.  It adds ACL entries or
       modifies access rights in existing ACL entries.  If acl contains an
       ACL entry already associated with a file, the entry's mode bits are
       changed to the new value given, or are modified by the specified
       operators.  If the file's ACL does not already contain the specified
       entry, that ACL entry is added.  chacl can also remove all access to
       files.  Giving it a null acl argument means either ``no access''
       (when using the replace option described below) or ``no

       For a summary of the syntax, run chacl without arguments.

       If file is specified as reads from standard input.

       chacl recognizes the following options:

       Replace old    ACLs with the given ACL.  All optional ACL entries are
                      first deleted from the specified files' ACLs, their
                      base permissions are set to zero, and the new ACL is
                      applied.  If acl does not contain an entry for the
                      owner (u), the group (g), or other users of a file,
                      that base ACL entry's mode is set to zero (no access).
                      The command affects all of the file's ACL entries, but
                      does not change the file's owner or group ID.

                      In chmod(1), the ``modify'' and ``replace'' operations
                      are distinguished by the syntax (string or octal
                      value).  There is no corollary for ACLs because they
                      have a variable number of entries.  Hence chacl
                      modifies specific entries by default, and optionally
                      replaces all entries.

       Delete the specified entries from the
                      ACLs on all specified files.  The aclpatt argument can
                      be an exact ACL or an ACL pattern (see acl(5)).  chacl
                      updates each file's ACL only if entries are deleted
                      from it.

                      If you attempt to delete a base ACL entry from any
                      file, the entry remains but its access mode is set to
                      zero (no access).  If you attempt to delete a
                      non-existent ACL entry from a file (that is, if an ACL
                      entry pattern matches no ACL entry), chacl informs you
                      of the error, continues, and eventually returns
                      non-zero.

       Copy the       ACL from fromfile to the specified tofile, transferring
                      ownership, if necessary (see acl(5), chown(2), or
                      chownacl(3C)).  fromfile can be specified as standard
                      input.

		      This option implies the option.  If the owner and	 group
		      of fromfile are identical	to those of tofile, is identi-
		      cal to:

		      To copy an ACL without transferring ownership, the above
		      command is suggested instead of

       Delete (``zap'')	all optional entries in	the specified file's
		      ACLs, leaving only base entries.

       Delete (``zap'')	all optional entries in	the specified file's
		      ACLs,  and  set  the access modes	in all base entries to
		      zero (no access).	 This is identical  to	replacing  the
		      old ACL with a null ACL:

		      or  using	 chmod(1), which deletes optional entries as a
		      side effect:

       Incorporate (``fold'') optional
		      ACL entries into base ACL	entries.  The base ACL entry's
		      permission   bits	 are altered, if necessary, to reflect
		      the caller's effective access rights to  the  file;  all
		      optional entries,	if any,	are deleted.

		      For  ordinary  users,  only the access mode of the owner
		      base ACL entry can be altered.  Unlike the write bit  is
		      not  turned off for a file on a read-only	file system or
		      a	shared-text program being executed (see	getaccess(1)).

                      For super-users, only the execute mode bit in the
                      owner base ACL entry might be changed, and only if the
                      file is not a regular file or if an execute bit is not
                      already set in a base ACL entry mode, but is set in an
                      optional ACL entry mode.

       acl also	can be obtained	from a string in a file:

       Using @ in acl to represent ``file owner or group'' can cause chacl
       to run more slowly because it must reparse the ACL for each file
       (except with the option).
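       As an added illustration (not part of this manual page and not HP's
       code), the following Python model applies the entry syntax u.g op
       mode[op mode] ... and the modify, replace, delete and ``zap''
       semantics described above to an in-memory ACL.  It assumes % as the
       any-user/any-group symbol (HP-UX acl(5) uses %; the rendering of this
       page lost the symbol), treats @ as the file's owner or group, and
       simplifies acl(5) pattern matching for deletion to: * matches any
       user, group or mode; =mode matches an entry with exactly those bits;
       +mode one that has at least those bits; -mode one that has none of
       them.  Return statuses follow the page: 0 on success, 2 when an entry
       to delete does not exist or more than 16 entries would result; bad
       syntax raises ValueError before any ACL is touched (status 1).

```python
"""Model of chacl(1) ACL editing (added example; not HP's code).

An ACL is a dict mapping (user, group) -> mode string over "rwx".  The three
base entries are (owner, "%"), ("%", group) and ("%", "%").  "%" is the HP-UX
acl(5) any-user/any-group symbol (assumption: the page's rendering lost it);
"@" in an ACL string stands for the file's owner or group.
"""
import re
from typing import Dict, List, Tuple

MAX_ENTRIES = 16        # limit stated on the page
# entry: user "." group followed by zero or more "op mode" terms
ENTRY_RE = re.compile(r"^([^.\s+=-]+)\.([^.\s+=-]+)((?:[+=-][rwx*]*)*)$")
OP_RE = re.compile(r"[+=-][rwx*]*")

Acl = Dict[Tuple[str, str], str]
Entry = Tuple[str, str, List[str]]

def base_acl(owner: str, group: str, owner_mode: str = "rw",
             group_mode: str = "r", other_mode: str = "r") -> Acl:
    """Base entries mapped from traditional mode bits (constructed sample defaults)."""
    return {(owner, "%"): owner_mode, ("%", group): group_mode, ("%", "%"): other_mode}

def is_base(key: Tuple[str, str], owner: str, group: str) -> bool:
    return key in ((owner, "%"), ("%", group), ("%", "%"))

def parse_acl(acl_string: str, allow_empty_mode: bool = False) -> List[Entry]:
    """Parse 'entry[, entry] ...' with entry 'u.g op mode[op mode] ...'.
    Raises ValueError on bad syntax (chacl exits 1 before touching any file)."""
    entries = []
    for raw in acl_string.split(","):
        m = ENTRY_RE.match(raw.strip())
        if not m or (not m.group(3) and not allow_empty_mode):
            raise ValueError(f"invalid ACL entry syntax: {raw.strip()!r}")
        user, group, ops = m.groups()
        entries.append((user, group, OP_RE.findall(ops)))
    return entries

def apply_ops(mode: str, ops: List[str]) -> str:
    """Apply '+bits' (add), '-bits' (remove) and '=bits' (set) in order."""
    bits = set(mode)
    for op in ops:
        wanted = set(op[1:])
        if op[0] == "=":
            bits = wanted
        elif op[0] == "+":
            bits |= wanted
        else:
            bits -= wanted
    return "".join(b for b in "rwx" if b in bits)

def resolve(user: str, group: str, owner: str, file_group: str) -> Tuple[str, str]:
    """Expand '@' to the file's own owner or group."""
    return (owner if user == "@" else user, file_group if group == "@" else group)

def modify(acl: Acl, owner: str, file_group: str, acl_string: str) -> Tuple[Acl, int]:
    """Default operation: add entries, or change the rights of entries already present."""
    new = dict(acl)
    for u, g, ops in parse_acl(acl_string):
        key = resolve(u, g, owner, file_group)
        new[key] = apply_ops(new.get(key, ""), ops)
    if len(new) > MAX_ENTRIES:
        return acl, 2             # too many entries: leave the file unchanged, status 2
    return new, 0

def replace(acl: Acl, owner: str, file_group: str, acl_string: str) -> Tuple[Acl, int]:
    """Replace: drop optional entries, zero the base entries, then apply acl_string."""
    zeroed = {key: "" for key in base_acl(owner, file_group)}
    return modify(zeroed, owner, file_group, acl_string)

def mode_matches(mode: str, op: str) -> bool:
    """Simplified acl(5) pattern rule for one 'op mode' term (assumption, see lead-in)."""
    bits, wanted = set(mode), set(op[1:])
    if "*" in wanted:
        return True
    if op[0] == "=":
        return bits == wanted
    if op[0] == "+":
        return wanted <= bits
    return not (wanted & bits)

def delete(acl: Acl, owner: str, file_group: str, pattern: str) -> Tuple[Acl, int]:
    """Delete entries matching 'u.g[op mode]'; base entries are kept with mode zeroed."""
    pu, pg, pops = parse_acl(pattern, allow_empty_mode=True)[0]
    pu, pg = resolve(pu, pg, owner, file_group)
    new, matched = dict(acl), False
    for key, mode in acl.items():
        if (pu != "*" and key[0] != pu) or (pg != "*" and key[1] != pg):
            continue
        if not all(mode_matches(mode, op) for op in pops):
            continue
        matched = True
        if is_base(key, owner, file_group):
            new[key] = ""
        else:
            del new[key]
    return (new, 0) if matched else (acl, 2)   # no match: error reported, status 2

def zap(acl: Acl, owner: str, file_group: str, zero_base: bool = False) -> Acl:
    """Drop all optional entries; optionally also zero the base entries."""
    return {key: ("" if zero_base else mode) for key, mode in acl.items()
            if is_base(key, owner, file_group)}
```

       For example, modify(base_acl("alice", "staff"), "alice", "staff",
       "bob.%=r, %.@-w") adds an optional entry giving bob read access and
       removes the write bit from the file's group base entry, while
       delete(..., "@.%") leaves the owner base entry in place with no
       access, as the text above describes.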

   Environment Variables
       LANG determines the language in which messages are displayed.

       If LANG is not specified or is set to the empty string, a default of
       "C" (see lang(5)) is used instead of LANG.  If any
       internationalization variable contains an invalid setting, chacl
       behaves as if all internationalization variables are set to "C".  See
       environ(5).

       If chacl succeeds, it returns a value of zero.

       If chacl encounters an error before it changes any file's ACL, it
       prints an error message to standard error and returns 1.  Such errors
       include invalid invocation, invalid syntax of acl (or aclpatt), an
       unknown user name or group name, or inability to get an ACL from
       fromfile with the copy option.

       If chacl cannot execute the requested operation, it prints an error
       message to standard error, continues, and later returns 2.  This
       includes cases when a file does not exist, a file's ACL cannot be
       altered, more ACL entries would result than are allowed, or an
       attempt is made to delete a non-existing ACL entry.

       The following command adds read access for user in any group, and
       removes write access for any user in the file's groups, for files and

       This command replaces the ACL on	the file open as standard input	and on
       file with one which only	allows the file	owner read and write access.

       Delete  from  file  the specific	access rights, if any, for user	165 in
       group 13.  Note that this is different from adding an  ACL  entry  that
       restricts  access for that user and group.  The user's resulting	access
       rights depend on	the entries remaining in the ACL.   The	 command  also
       deletes all entries for user that have a	read bit turned	on (the	aster-
       isk can be used as a wildcard in	the ACL	pattern	for  user,  group,  or
       access mode):

       Copy the	ACL from to and

       Delete  the  optional ACL entries, if any, on the file open as standard

       Deny all	access to all files in the current directory whose names start
       with or

       Incorporate  the	 optional  ACL entries of a file into the base ACL en-

       An ACL string cannot contain more than 16 unique	entries,  even	though
       converting @ symbols to user or group names and combining redundant en-
       tries might result in fewer than	16 entries for some files.

       chacl will fail when the target file resides on a file system which
       does not support ACLs.

       Only the	option is supported on remote files.

       chacl was developed by HP.

       chmod(1),  getaccess(1),	 lsacl(1), getacl(2), setacl(2), acl(5), glos-


