chacl man page on HP-UX

Man page or keyword search:  
man Server   10987 pages
apropos Keyword Search (all sections)
Output format
HP-UX logo
[printable version]

chacl(1)							      chacl(1)

       chacl  -	 add,  modify, delete, copy, or summarize access control lists
       (ACLs) of files

       acl file ...

       acl file ...

       aclpatt file ...

       fromfile tofile	...


       extends the capabilities of chmod(1), by enabling the user to grant  or
       restrict	 file access to additional specific users and/or groups.  Tra‐
       ditional file access permissions, set when a file is created, grant  or
       restrict	 access	 to  the  file's owner, group, and other users.	 These
       file access permissions (eg., are mapped into three base access control
       list  entries:  one  entry  for	the  file's owner (umode), one for the
       file's group g, mode), and one for other users mode).

       enables a user to designate up to thirteen additional sets  of  permis‐
       sions  (called  optional	 access	 control list (ACL) entries) which are
       stored in the access control list of the file.

       To use chacl, the owner (or superuser) constructs  an  acl,  a  set  of
       (,  mode)  mappings  to  associate with one or more files.  A
       specific user and group can be referred to by either  name  or  number;
       any user (u), group (g), or both can be referred to with a symbol, rep‐
       resenting any user or group.  The @ symbol specifies the	 file's	 owner
       or group.

       Read,  write,  and  execute/search modes are identical to those used by
       chmod; symbolic operators (op) add remove or set	 access	 rights.   The
       entire  acl should be quoted if it contains whitespace or special char‐
       acters.	Although two variants for constructing the acl	are  available
       (and fully explained in acl(5)), the following syntax is suggested:

	      entry[, entry] ...

       where the syntax for an entry is

	      u.g op mode[op mode] ...

       By  default,  modifies  existing ACLs.  It adds ACL entries or modifies
       access rights in existing ACL entries.  If acl contains	an  ACL	 entry
       already	associated  with  a file, the entry's mode bits are changed to
       the new value given, or are modified by the  specified  operators.   If
       the  file's  ACL does not already contain the specified entry, that ACL
       entry is added.	can also remove all access to files.  Giving it a null
       acl argument means either ``no access'' (when using the option) or ``no

       For a summary of the syntax, run without arguments.

       If file is specified as reads from standard input.

       recognizes the following options:

       Replace old    ACLs with the given ACL.	All optional ACL  entries  are
		      first  deleted  from  the	 specified files's ACLs, their
		      base permissions are set to zero, and  the  new  ACL  is
		      applied.	If acl does not contain an entry for the owner
		      (uthe group g), or other users of a file, that base  ACL
		      entry's  mode  is	 set to zero (no access).  The command
		      affects all of the file's	 ACL  entries,	but  does  not
		      change the file's owner or group ID.

		      In  chmod(1),  the ``modify'' and ``replace'' operations
		      are distinguished by the syntax (string or octal value).
		      There is no corollary for ACLs because they have a vari‐
		      able number of entries.  Hence modifies specific entries
		      by default, and optionally replaces all entries.

       Delete the specified entries from the
		      ACLs  on	all specified files.  The aclpatt argument can
		      be an exact ACL or an ACL pattern (see acl(5)).  updates
		      each file's ACL only if entries are deleted from it.

		      If you attempt to delete a base ACL entry from any file,
		      the entry remains but its access mode is set to zero (no
		      access).	 If  you  attempt to delete a non-existent ACL
		      entry from a file (that is,  if  an  ACL	entry  pattern
		      matches no ACL entry), informs you of the error, contin‐
		      ues, and eventually returns non-zero.

       Copy the	      ACL from fromfile to the specified tofile,  transferring
		      ownership,  if necessary (see acl(5), chown(2), or chow‐
		      nacl(3C)).  fromfile can be to represent standard input.

		      This option implies the option.  If the owner and	 group
		      of fromfile are identical to those of tofile, is identi‐
		      cal to:

		      To copy an ACL without transferring ownership, the above
		      command is suggested instead of

       Delete (``zap'') all optional entries in the specified file's
		      ACLs, leaving only base entries.

       Delete (``zap'') all optional entries in the specified file's
		      ACLs,  and  set  the access modes in all base entries to
		      zero (no access).	 This is identical  to	replacing  the
		      old ACL with a null ACL:

		      or  using	 chmod(1), which deletes optional entries as a
		      side effect:

       Incorporate (``fold'') optional
		      ACL entries into base ACL entries.  The base ACL entry's
		      permission   bits	 are altered, if necessary, to reflect
		      the caller's effective access rights to  the  file;  all
		      optional entries, if any, are deleted.

		      For  ordinary  users,  only the access mode of the owner
		      base ACL entry can be altered.  Unlike the write bit  is
		      not  turned off for a file on a read-only file system or
		      a shared-text program being executed (see getaccess(1)).

		      For super-users, only the execute mode bit in the	 owner
		      base ACL entry might be changed, only if the file is not
		      an regular file or if an execute bit is not already  set
		      in  a base ACL entry mode, but is set in an optional ACL
		      entry mode.

       acl also can be obtained from a string in a file:

       Using @ in acl to represent ``file owner or group'' can	cause  to  run
       more  slowly because it must reparse the ACL for each file (except with
       the option).

   Environment Variables
       determines the language in which messages are displayed.

       If is not specified or is set to the empty string,  a  default  of  "C"
       (see  lang(5))  is used instead of If any internationalization variable
       contains an invalid setting, behaves  as	 if  all  internationalization
       variables are set to "C".  See environ(5).

       If succeeds, it returns a value of zero.

       If  encounters  an error before it changes any file's ACL, it prints an
       error message to standard error and returns  1.	 Such  errors  include
       invalid	invocation, invalid syntax of acl (aclpatt), a given user name
       or group name is unknown, or inability to get an ACL from fromfile with
       the option.

       If  cannot  execute the requested operation, it prints an error message
       to standard error, continues, and later returns 2.  This includes cases
       when  a	file  does not exist, a file's ACL cannot be altered, more ACL
       entries would result than are allowed, or an attempt is made to	delete
       a non-existing ACL entry.

       The  following  command	adds  read  access  for user in any group, and
       removes write access for any user in the files's groups, for files and

       This command replaces the ACL on the file open as standard input and on
       file with one which only allows the file owner read and write access.

       Delete  from  file  the specific access rights, if any, for user 165 in
       group 13.  Note that this is different from adding an  ACL  entry  that
       restricts  access for that user and group.  The user's resulting access
       rights depend on the entries remaining in the ACL.   The	 command  also
       deletes all entries for user that have a read bit turned on (the aster‐
       isk can be used as a wildcard in the ACL pattern for  user,  group,  or
       access mode):

       Copy the ACL from to and

       Delete  the  optional ACL entries, if any, on the file open as standard

       Deny all access to all files in the current directory whose names start
       with or

       Incorporate  the	 optional  ACL	entries	 of  a	file into the base ACL

       An ACL string cannot contain more than 16 unique entries,  even	though
       converting  @  symbols  to  user or group names and combining redundant
       entries might result in fewer than 16 entries for some files.

       will fail when the target file resides on a file system which does  not
       support ACLs.

       Only the option is supported on remote files.

       was developed by HP.

       chmod(1),  getaccess(1),	 lsacl(1), getacl(2), setacl(2), acl(5), glos‐


List of man pages available for HP-UX

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
Vote for polarhome
Free Shell Accounts :: the biggest list on the net