chacl(1)chacl(1)NAMEchacl - add, modify, delete, copy, or summarize access control lists
(ACLs) of files
SYNOPSIS
acl file ...
acl file ...
aclpatt file ...
fromfile tofile ...
file...
DESCRIPTION
extends the capabilities of chmod(1), by enabling the user to grant or
restrict file access to additional specific users and/or groups. Tra‐
ditional file access permissions, set when a file is created, grant or
restrict access to the file's owner, group, and other users. These
file access permissions (eg., are mapped into three base access control
list entries: one entry for the file's owner (umode), one for the
file's group g, mode), and one for other users mode).
enables a user to designate up to thirteen additional sets of permis‐
sions (called optional access control list (ACL) entries) which are
stored in the access control list of the file.
To use chacl, the owner (or superuser) constructs an acl, a set of
(user.group, mode) mappings to associate with one or more files. A
specific user and group can be referred to by either name or number;
any user (u), group (g), or both can be referred to with a symbol, rep‐
resenting any user or group. The @ symbol specifies the file's owner
or group.
Read, write, and execute/search modes are identical to those used by
chmod; symbolic operators (op) add remove or set access rights. The
entire acl should be quoted if it contains whitespace or special char‐
acters. Although two variants for constructing the acl are available
(and fully explained in acl(5)), the following syntax is suggested:
entry[, entry] ...
where the syntax for an entry is
u.g op mode[op mode] ...
By default, modifies existing ACLs. It adds ACL entries or modifies
access rights in existing ACL entries. If acl contains an ACL entry
already associated with a file, the entry's mode bits are changed to
the new value given, or are modified by the specified operators. If
the file's ACL does not already contain the specified entry, that ACL
entry is added. can also remove all access to files. Giving it a null
acl argument means either ``no access'' (when using the option) or ``no
changes.''
For a summary of the syntax, run without arguments.
If file is specified as reads from standard input.
Options
recognizes the following options:
Replace old ACLs with the given ACL. All optional ACL entries are
first deleted from the specified files's ACLs, their
base permissions are set to zero, and the new ACL is
applied. If acl does not contain an entry for the owner
(uthe group g), or other users of a file, that base ACL
entry's mode is set to zero (no access). The command
affects all of the file's ACL entries, but does not
change the file's owner or group ID.
In chmod(1), the ``modify'' and ``replace'' operations
are distinguished by the syntax (string or octal value).
There is no corollary for ACLs because they have a vari‐
able number of entries. Hence modifies specific entries
by default, and optionally replaces all entries.
Delete the specified entries from the
ACLs on all specified files. The aclpatt argument can
be an exact ACL or an ACL pattern (see acl(5)). updates
each file's ACL only if entries are deleted from it.
If you attempt to delete a base ACL entry from any file,
the entry remains but its access mode is set to zero (no
access). If you attempt to delete a non-existent ACL
entry from a file (that is, if an ACL entry pattern
matches no ACL entry), informs you of the error, contin‐
ues, and eventually returns non-zero.
Copy the ACL from fromfile to the specified tofile, transferring
ownership, if necessary (see acl(5), chown(2), or chow‐
nacl(3C)). fromfile can be to represent standard input.
This option implies the option. If the owner and group
of fromfile are identical to those of tofile, is identi‐
cal to:
To copy an ACL without transferring ownership, the above
command is suggested instead of
Delete (``zap'') all optional entries in the specified file's
ACLs, leaving only base entries.
Delete (``zap'') all optional entries in the specified file's
ACLs, and set the access modes in all base entries to
zero (no access). This is identical to replacing the
old ACL with a null ACL:
or using chmod(1), which deletes optional entries as a
side effect:
Incorporate (``fold'') optional
ACL entries into base ACL entries. The base ACL entry's
permission bits are altered, if necessary, to reflect
the caller's effective access rights to the file; all
optional entries, if any, are deleted.
For ordinary users, only the access mode of the owner
base ACL entry can be altered. Unlike the write bit is
not turned off for a file on a read-only file system or
a shared-text program being executed (see getaccess(1)).
For super-users, only the execute mode bit in the owner
base ACL entry might be changed, only if the file is not
an regular file or if an execute bit is not already set
in a base ACL entry mode, but is set in an optional ACL
entry mode.
acl also can be obtained from a string in a file:
Using @ in acl to represent ``file owner or group'' can cause to run
more slowly because it must reparse the ACL for each file (except with
the option).
EXTERNAL INFLUENCES
Environment Variables
determines the language in which messages are displayed.
If is not specified or is set to the empty string, a default of "C"
(see lang(5)) is used instead of If any internationalization variable
contains an invalid setting, behaves as if all internationalization
variables are set to "C". See environ(5).
RETURN VALUE
If succeeds, it returns a value of zero.
If encounters an error before it changes any file's ACL, it prints an
error message to standard error and returns 1. Such errors include
invalid invocation, invalid syntax of acl (aclpatt), a given user name
or group name is unknown, or inability to get an ACL from fromfile with
the option.
If cannot execute the requested operation, it prints an error message
to standard error, continues, and later returns 2. This includes cases
when a file does not exist, a file's ACL cannot be altered, more ACL
entries would result than are allowed, or an attempt is made to delete
a non-existing ACL entry.
EXAMPLES
The following command adds read access for user in any group, and
removes write access for any user in the files's groups, for files and
This command replaces the ACL on the file open as standard input and on
file with one which only allows the file owner read and write access.
Delete from file the specific access rights, if any, for user 165 in
group 13. Note that this is different from adding an ACL entry that
restricts access for that user and group. The user's resulting access
rights depend on the entries remaining in the ACL. The command also
deletes all entries for user that have a read bit turned on (the aster‐
isk can be used as a wildcard in the ACL pattern for user, group, or
access mode):
Copy the ACL from to and
Delete the optional ACL entries, if any, on the file open as standard
input.
Deny all access to all files in the current directory whose names start
with or
Incorporate the optional ACL entries of a file into the base ACL
entries:
WARNINGS
An ACL string cannot contain more than 16 unique entries, even though
converting @ symbols to user or group names and combining redundant
entries might result in fewer than 16 entries for some files.
DEPENDENCIES
will fail when the target file resides on a file system which does not
support ACLs.
NFS
Only the option is supported on remote files.
AUTHOR
was developed by HP.
SEE ALSOchmod(1), getaccess(1), lsacl(1), getacl(2), setacl(2), acl(5), glos‐
sary(9).
chacl(1)