acl(1m)acl(1m)NAME
acl - A dcecp object that manages DCE access control lists
SYNOPSIS
acl check acl_name_list [-entry] [-type manager_type_name]
acl delete acl_name_list [-ic | -io | -entry] [-type manager_type_name]
[-local]
acl help [operation | -verbose]
acl modify acl_name_list [-ic | -io | -entry] [-type manager_type_name]
[-cell new_cell_name] {-add acl_entry_list_with_permissions [-mask
{calc | nocalc}] | -change acl_entry_list_with_permissions [-mask {calc
| nocalc}] | -remove acl_entry_list_without_permissions [-uuid] |
-purge} [-local]
acl operations
acl permissions acl_name_list [-ic | -io | -entry] [-type man‐
ager_type_name] [-local]
acl replace acl_name_list [-ic | -io | -entry] [-type man‐
ager_type_name] -acl acl_entry_list [-cell new_default_cellname]
[-local]
acl show acl_name_list [-ic | -io | -entry] [-type manager_type_name]
[-cell | -managers] [-local]
ARGUMENTS
A list of one or more objects whose ACLs are to be acted on. You can
identify objects by using the object's fully qualified names, for exam‐
ple, /.:/hosts/gumby.
You can also use a list of string bindings with residual names
appended. The residual name indicates whether the object is a princi‐
pal, group, or organization by supplying its principal, group, or orga‐
nization name. There are four possible formats you can use to specify
a string binding.
In string syntax, you can use
{uuid@prot_seq:net_addr residual_name} Another allowable string syntax
is {uuid@prot_seq:net_addr[endpoint] residual_name} In Tcl syntax, you
can use {uuid prot_seq net_addr residual_name} Another allowable Tcl
syntax is {uuid prot_seq net_addr endpoint residual_name} The name of
the acl operation for which to display help information.
DESCRIPTION
The acl object represents an access control list (ACL), which may exist
on any object such as a server, name service entry, container (direc‐
tory), or file.
ACLs consist of ACL entries. ACL entries are visible only as members
of ACLs. There is no object that represents ACL entries, only the acl
object representing an entire ACL. Most of the acl operations deal
directly with the ACL. See DATA STRUCTURES for a description of the
syntax of ACLs and ACL entries. An ACL has one attribute, called cell,
that represents the default cell of the ACL.
In most cases, the name of an object also specifies the name of the
associated ACL to manipulate. However, some objects have more than one
ACL, and some names can refer to more than one object. These ambigui‐
ties are resolved by using various options on the command line.
An object can have more than one ACL. For example, container objects—
such as Cell Directory Service (CDS) directories and directories in the
registry—have three ACLs: one ACL controls access to the container
object itself, a second ACL specifies the default ACL on new objects
added to the container (the Initial Object ACL), and a third ACL speci‐
fies the default ACL on new containers added to the container (the Ini‐
tial Container ACL). By default, the acl commands operate on the ACL
of the container object. Use the -ic option to operate on the Initial
Container ACL. Use the -io option to operate on the Initial Object
ACL. Simple objects (those that are not container objects) do not have
Initial Container or Initial Object ACLs.
Some servers that have ACLs also store their network location informa‐
tion in a server entry in CDS. The server entry has the same name as
the server itself and may also have an attached ACL. Use the -entry
option to operate on the server entry ACL in CDS rather than the
server's ACL.
All dced objects have ACLs. When the dced on the local machine is in
partial service mode, you must use the -local option to access dced
object ACLs. To access dced object ACLs, specify only the residual
portion of the object name to the acl command. For example, use host‐
data, not /.:/hosts/gumby/config/hostdata.
Some DCE objects have more than one purpose. For instance, a registry
object can represent a principal and it can also act as a directory (a
container). An example is a principal name that identifies another
cell (for instance, /.../comp.com) with which you want to establish
authenticated operation. In this case, the cell maintains a principal
name /.:/comp.com. The registry object for this principal name is as
follows: /.:/sec/principal/comp.com
Assume the cell also has a hierarchical (subordinate) cell named
/.../comp.com/test_cell. The cell maintains another principal name
/.:/comp.com/test_cell. The registry object for this principal name is
as follows: /.:/sec/principal/comp.com/test_cell
Consequently, the registry object /.:/sec/principal/comp.com also acts
as a directory because it contains the hierarchical cell name
/.:/sec/principal/comp.com/test_cell. The ACL Manager that operates on
registry objects differs from the ACL Manager that operates on registry
directories. For instance, the latter ACL Manager has an i (insert)
permission bit that controls who can add new objects to the directory.
Consequently, most acl commands provide a -type option that lets you
specify the appropriate ACL Manager when operating on registry objects
that are also directories. You can list the ACL Managers available for
registry objects by using the acl show -managers command.
DATA STRUCTURES
ACL Entry Syntax
An ACL entry has the following syntax: type[:key]:permissions
where: Identifies the role of the ACL entry. Identifies the specific
principal or group to whom the entry applies. For an entry type of
extended, key contains the ACL data. The ACL permissions.
The syntax of an ACL entry is a list of two or three elements. The
first element is the type, the optional second element is the key, and
the last element is the set of permission bits. The permission bits
are represented by a single character if the permission is granted and
by a - (dash) if it is not. An ACL is a list of ACL entries. An exam‐
ple of an ACL is as follows: {unauthenticated -r-----} {user_obj
crwx---} {user britten crwx---} {user mahler -rwx---} {foreign_user
/.../C=US/O=OSF/OU=dce/pro/bach crwxidt} {group_obj -rwx---} {group dds
-rwx---} {any_other -r-----} {extended
c417faf8-8340-11c9-ace3-08001e5559bb.a.b.c.a1.4.0a0b0c0d -rwx---}
On output the above syntax is used, with one addition. If masking pro‐
duces ineffective bits in an ACL entry, the entry has two additional
elements. The first is the identifier effective, and the second is the
set of effective permissions. These elements are added only for those
ACL entries that have ineffective bits, as seen in the following exam‐
ple: {mask_obj -r-----} {user_obj crwx---} {user britten crwx--- effec‐
tive -r-----}
On input, do not include the identifier effective or the effective per‐
missions. You can enter permissions in any order, omitting the -
(dash) for permissions not granted. For example, the above ACL could
be entered as: {mask_obj r} {user_obj crwx} {user britten wcrx}
Defined ACL Entry Types
Permissions for the object's real or effective owner. Permissions for
the object's real or effective owning group. Permissions for others
authenticated in the local cell who are not otherwise named by a more
specific entry type. Permissions for a specific authenticated princi‐
pal user in the ACL's cell. This type of ACL entry must include a key
that identifies the specific principal. Permissions for a specific
group in the ACL's cell. This type of ACL entry must include a key
that identifies the specific group. Permissions for a specific,
authenticated user in a foreign cell. This type of ACL entry must
include a key that identifies the specific principal and the princi‐
pal's cell. Permissions for a specific group in a foreign cell. This
type of ACL entry must include a key that identifies the specific group
and the group's cell. Permissions for all authenticated principals in
a specific foreign cell, unless those principals are specifically named
in an ACL entry of type foreign_user or are members in a group named in
an entry of type foreign_group. This type of ACL entry must include a
key that identifies the specific foreign cell. Permissions for all
authenticated principals unless those principals match a more specific
entry in the ACL. Permissions for the object mask that is applied to
all entry types except user_obj, other_obj, and unauthenticated. Maxi‐
mum permissions applied when the accessor does not pass authentication
procedures. This entry is used for principals that have failed authen‐
tication due to bad keys, principals who are entirely outside of any
authentication cell, and principals who choose not to use authenticated
access. Permissions granted to an unauthenticated principal are masked
with this entry, if it exists. If this entry does not exist, access to
unauthenticated principals is always denied. A special entry that
allows client applications running at earlier DCE versions to copy ACLs
to and from ACL Managers running at the current DCE version without
losing any data. The extended entry allows the application running at
the lower version to obtain a printable form of the ACL. The extended
ACL entry has the following form: extended:uuid.ndr.ndr.ndr.ndr.num‐
ber_of_byte.data where: Identifies the type extended ACL entry. (This
UUID can identify one of the ACL entry types described here or an as-
yet-undefined ACL entry type.) Up to four network data representation
(NDR) format labels (in hexadecimal format and separated by periods)
that identify the encoding of data. A decimal number that specifies
the total number of bytes in data. The ACL data in hexadecimal form.
(Each byte of ACL data is two hexadecimal digits.) The ACL data
includes all of the ACL entry specifications except the permissions
(described later) that are entered separately. The data is not inter‐
preted; it is assumed that the ACL Manager to which the data is being
passed can understand that data. Delegated permissions for the
object's real or effective owner. Delegated permissions for the
object's real or effective group. Delegated permissions for others in
the local cell who are not otherwise named by a more specific entry
type. Delegated permissions for a specific principal user in the ACL's
cell. This type of ACL entry must include a key that identifies the
specific principal. Delegated permissions for a specific group in the
ACL's cell. This type of ACL entry must include a key that identifies
the specific group. Delegated permissions for a specific, authenti‐
cated user in a foreign cell. This type of ACL entry must include a
key that identifies the specific principal and the principal's cell.
Delegated permissions for a specific, authenticated group in a foreign
cell. This type of ACL entry must include a key that identifies the
specific group and the group's cell. Delegated permissions for all
authenticated principals in a specific foreign cell, unless those prin‐
cipals are specifically named in an ACL entry of type foreign_user or
foreign_user_delegate or are members in a group named in an entry of
type foreign_group or foreign_group_delegate. This type of ACL entry
must include a key that identifies the specific foreign cell. Dele‐
gated permissions for all authenticated principals unless those princi‐
pals match a more specific entry in the ACL.
Key
The key identifier (principal, group name, or cell) specifies the prin‐
cipal or group to which the ACL entry applies. For entries of entry
type extended, key is the data passed from one ACL Manager to another.
In some cases, such as when a registry object no longer exists but an
ACL entry still contains a reference to that object, key can be repre‐
sented by a UUID. A key is required for the following types of ACL
entries: Requires a principal name only. Requires a group name only.
Requires a fully qualified cell name in addition to the principal name.
Requires a fully qualified cell name in addition to the group name.
Requires a fully qualified cell name. Requires a fully qualified cell
name, the principal name, and a key that identifies the principal and
the principal's cell. Requires a fully qualified cell name, the group
name, and a key that identifies the group and the group's cell.
Permissions
The permissions argument specifies the set of permissions that defines
the access rights conferred by the entry. Since each ACL Manager
defines the permission tokens and meanings appropriate for the objects
it controls, the actual tokens and their meanings vary. For example
the Distributed File Service (DFS), the Directory Service, and the
Security Service each implement a separate ACL Manager, and each can
use a different set of tokens and permissions. Use the permissions
operation to display the currently available tokens and their meanings.
See the documentation for the DCE component you are using to obtain a
more detailed description of its specific permissions.
ATTRIBUTES
Represents the default cell of the ACL. Manipulation of this attribute
is possible only through the modify and show operations.
See the OSF DCE Administration Guide for more information about ACL
attributes.
OPERATIONS
acl check
Returns the permissions granted by the ACL to the principal entering
the command. The syntax is as follows: acl check acl_name_list
[-entry] [-type manager_type_name]
Options
Specifies that the command is to operate on the ACL of the namespace
entry of the named object. Specifies that the command uses a particu‐
lar ACL Manager. This option is needed only for objects that have more
than one purpose, such as for principal names that also act as directo‐
ries.
The check operation returns the permissions granted in the specified
object's ACL to the principal that invoked the command. The argument
is a list of names of object's whose ACLs are to be operated on. If
you specify no options, the permissions from the ACL for the object
named by the operation are returned.
Privileges Required
The permissions required are defined by the object's ACL Manager. Use
the permissions operation to display the currently available tokens and
their meanings. See the documentation for the DCE component you are
using to obtain a more detailed description of its specific permis‐
sions.
Examples
dcecp> acl check {006f859c-
ed3d-1d57-a383-0000c0239a70@ncacn_ip_tcp:130.105.5.45 \ > princi‐
pal/aaa} rwdtcia dcecp>
dcecp> acl check /.:/hosts rwdtcia dcecp>
acl delete
Deletes all ACL entries from the object, except the user_obj entry, if
it exists. The syntax is as follows: acl delete acl_name_list [-ic |
-io | -entry] [-type manager_type_name] [-local]
Options
Specifies that the command is to operate on the Initial Container ACL
of the named object. Specifies that the command is to operate on the
Initial Object ACL of the named object. Specifies that the command is
to operate on the ACL of the namespace entry of the object. Specifies
that the command uses a particular ACL Manager. This option is needed
only for objects that have more than one purpose, such as for principal
names that also act as directories. Specifies that the command is to
operate on the ACL of a dced object while the dced on the local machine
is in partial service mode.
The delete operation removes all ACL entries from the object, except
the user_obj entry, if it exists. Note that if you use delete on an
object whose ACL does not contain a user_obj ACL entry (either because
the object's ACL Managers do not support user_obj entries or because
the ACL is empty), the command displays a "bad syntax" error.
The argument is a list of names of objects whose ACLs are to be oper‐
ated on. This operation returns an empty string on success.
Privileges Required
The permissions required are defined by the object's ACL Manager. Use
the permissions operation to display the currently available tokens and
their meanings. See the documentation for the DCE component you are
using to obtain a more detailed description of its specific permis‐
sions.
Examples
dcecp> acl delete {/.:/hosts/oddball/gumby /.:/pokey} dcecp>
acl help
Returns help information about the acl object and its operations. The
syntax is as follows: acl help [operation | -verbose]
Options Displays information about the acl object.
Used without an argument or option, the acl help command returns brief
information about each acl operation. The optional operation argument
is the name of an operation about which you want detailed information.
Alternatively, you can use the -verbose option for more detailed infor‐
mation about the acl object itself.
Privileges Required
No special privileges are needed to use the acl help command.
Examples
dcecp> acl help check Returns ACL permissions of invoker.
delete Deletes all ACL entries except 'user_obj' if it
exists. modify Adds, removes, or changes ACL entries and
attributes. permissions Returns permissions associated with an
object. replace Replaces entire ACL with new ACL entries
and attributes. show Returns ACL entries or attributes
on an object. help Prints a summary of command-line
options. operations Returns a list of the valid operations
for this command. dcecp>
acl modify
Changes attributes and entries of ACLs. The syntax is as follows: acl
modify acl_name_list [-ic | -io | -entry] [-type manager_type_name]
[-cell new_cell_name] {-add acl_entry_list_with_permissions [-mask
{calc | nocalc}] | -change acl_entry_list_with_permissions [-mask {calc
| nocalc}] | -remove acl_entry_list_without_permissions [-uuid] |
-purge} [-local]
Options Changes the value of the cell attribute by specifying the new
default cell. It must be one value, not a list. The -cell option is
always applied before the other options. Note that changing the
default cell of an ACL that has user or group ACL entries, or their
delegate counterparts, can be dangerous. The principal and groups men‐
tioned in these ACL entries must be in the default cell. If the
default cell changes, these ACL entries must change as well. Adds the
ACL entries to the ACL. The value of this option is a list of ACL
entries with permissions filled in. You can use the -mask option to
force or prevent mask recalculation. Changes existing ACL entries in
the ACL. The value of this option is a list of ACL entries with per‐
missions filled in. The permissions are the new permissions placed on
the specified ACL entries. The ACL entries must exist in the ACL or an
error occurs. You can use the -mask option to force or prevent mask
recalculation. Removes existing ACL entries from the ACL. The value
of this option is a list of ACL entries with no permissions. The ACL
entries must exist in the ACL or an error occurs. Purges all masked
permissions (before any other modifications are made), in all ACL
entries except user_obj, other_obj, mask_obj, user_obj_delegate,
other_obj_delegate, and unauthenticated if they exist. This option is
useful only for ACLs that contain an entry of type mask_obj. Indicates
that the entries in the acl_entry_list_without_permissions argument are
UUIDs rather than names. If a modify operation causes a mask recalcu‐
lation that unintentionally adds permissions to an existing ACL entry,
the modify operation ceases with an error unless you specify the -mask
option with a value of either calc or nocalc, or a unique abbreviation
of one of these values.
Specifying calc creates or modifies the object's mask_obj type entry
with permissions equal to the union of all entries other than type
user_obj, other_obj, mask_obj, and unauthenticated. This creation or
modification is done after all other modifications to the ACL are per‐
formed. The new mask is set even if it grants permissions previously
masked out. It is recommended that you use this option only if not
specifying it results in an error. If you specify the calc option for
an ACL Manager that does not support the mask_obj entry type, an error
is returned.
Specifying nocalc means that a new mask should not be calculated.
The -mask option can be used only if the -add or -change option is also
used and only if the object's ACL Managers support the mask_obj ACL
type. In addition, you cannot use the -mask option if you specify a
mask_obj ACL entry in the command (by using the -add or -change
options). Specifies that the operation act on the Initial Container
ACL of the named object. Specifies that the operation act on the Ini‐
tial Object ACL of the named object. Specifies that the operation act
on the ACL of the namespace entry of the named object. Specifies that
the operation act on the ACL of a dced object while the dced on the
local machine is in partial service mode. Specifies that the command
uses a particular ACL Manager. This option is needed only for objects
that have more than one purpose, such as for principal names that also
act as directories.
The modify operation changes one or more individual ACL entries. The
argument is a list of names of ACLs to be modified. They are processed
in the order they are entered. The specific operation to perform is
described by using options.
The -uuid option can be used to remove ACL entries associated with
orphaned UUIDs. An orphaned UUID refers to an object such as a princi‐
pal or group that has been deleted from the registry, but still has an
ACL entry on an object.
Multiple actions can be specified on the command line; they are pro‐
cessed in a fixed order to guarantee proper processing of the ACLs.
See [POSIX.6] for a description of this processing order. Either all
the changes specified in the operation are made or none are. This oper‐
ation returns an empty string on success.
Privileges Required
The permissions required are defined by the object's ACL Manager. Use
the permissions operation to display the currently available tokens and
their meanings. See the documentation for the DCE component you are
using to obtain a more detailed description of its specific permis‐
sions.
Examples
dcecp> acl modify /.:/hosts -add {user mahler rwcia} dcecp>
dcecp> acl modify /.:/hosts -change {user mahler rwdtcia} dcecp>
dcecp> acl modify /.:/hosts -add {group dce rwdtcia} -remove {user
mahler} dcecp>
dcecp> acl modify /.:/hosts -remove {user
0c8a15fc-761e-11d0-a176-08000985b5a6} -uuid dcecp>
acl operations
Returns a list of the operations supported by the acl object. The syn‐
tax is as follows: acl operations
The list of available operations is in alphabetical order except for
help and operations, which are listed last.
Privileges Required
No special privileges are needed to use the acl operations command.
Examples
dcecp> acl operations check delete modify permissions replace show help
operations dcecp>
acl permissions
Returns a list describing the permissions associated with an object.
The syntax is as follows: acl permissions acl_name_list [-ic | -io |
-entry] [-type manager_type_name] [-local]
Options
Specifies that the command is to operate on the Initial Container ACL
of the named object. Specifies that the command is to operate on the
Initial Object ACL of the named object. Specifies that the command is
to operate on the ACL of the namespace entry of the named object.
Specifies that the command uses a particular ACL Manager. This option
is needed only for objects that have more than one purpose, such as for
principal names that also act as directories. Specifies that the com‐
mand is to operate on the ACL of a dced object while the dced on the
local machine is in partial service mode.
The permissions operation returns a list of the permissions associated
with an object. For each permission, the operation shows the permis‐
sion token and a description of the permission. The manager_type_name
argument is a list of names of ACL Manager types whose permissions are
to be returned. If more than one name is entered, the output is con‐
catenated and a blank line inserted between each manager type.
Privileges Required
The permissions required are defined by the object's ACL Manager. Use
the permissions operation to display the currently available tokens and
their meanings. See the documentation for the DCE component you are
using to obtain a more detailed description of its specific permis‐
sions.
Examples
dcecp> acl permissions /.:/hosts {r {read entry attributes}} {w {update
entry attributes}} {d {delete entry}} {t {test attribute values}} {c
{change ACL}} {i {create new directory entries}} {a {administer direc‐
tory replication}} dcecp>
acl replace
Replaces the entire ACL on the object specified by the argument with
the supplied value. The syntax is as follows: acl replace acl_name_list
[-ic | -io | -entry] [-type manager_type_name] -acl acl_entry_list
[-cell new_default_cellname] [-local]
Options
Specifies that the operation act on the Initial Container ACL of the
named object. Specifies that the operation act on the Initial Object
ACL of the named object. Specifies that the operation act on the ACL
of the namespace entry of the named object. Specifies that the command
use a particular ACL Manager. This option is needed only for objects
that have more than one purpose, such as for principal names that also
act as directories. Specifies ACL entries and their new values. Spec‐
ifies a new default cell for all of the ACLs named in acl_entry_list.
The -cell option is always applied before the other options. Specifies
that the operation act on the ACL of a dced object while the dced on
the local machine is in partial service mode.
The replace operation replaces the entire ACL on the object specified
by the argument with the supplied value. The argument is a list of
names of ACLs to be operated on. The syntax of the value of the -acl
option is a list of ACL entries. The -cell option specifies the new
default cell of the ACL. Its value is the name of one cell only (it is
not a list). This operation returns an empty string on success.
Privileges Required
The permissions required are defined by the object's ACL Manager. Use
the permissions operation to display the currently available tokens and
their meanings. See the documentation for the DCE component you are
using to obtain a more detailed description of its specific permis‐
sions.
Examples
dcecp> acl replace /.:/hosts -acl {group dce rwdtcia} dcecp>
acl show
Returns a list of the ACL entries for the specified object. The syntax
is as follows: acl show acl_name_list [-ic | -io | -entry] [-type man‐
ager_type_name] [-cell | -managers] [-local]
Options Specifies that the command is to operate on the Initial Con‐
tainer ACL of the named object. Specifies that the command is to oper‐
ate on the Initial Object ACL of the named object. Specifies that the
command is to operate on the ACL of the namespace entry of the named
object. Specifies that the command uses a particular ACL Manager.
This option is needed only for objects that have more than one purpose,
such as for principal names that also act as directories. Returns the
default cell name for the ACL. Returns a list of ACL Managers avail‐
able for the named ACL. Specifies that the command is to operate on
the ACL of a dced object while the dced on the local machine is in par‐
tial service mode.
The show operation returns a list of the ACL entries for the specified
object. The argument is a list of names of objects whose ACLs are to
be operated on. If more than one name is given, the output is concate‐
nated and a blank line inserted between objects. If they exist, the
mask_obj and unauthenticated ACL entries are displayed first.
Note that since UUIDs and not names are stored in ACLs, dcecp may not
be able to determine the name associated with an ACL entry. In this
case, the UUID is returned as the key instead of the name. dcecp may
be unable to determine the name associated with an ACL entry if the
default cell stored in the ACL is incorrect, or if the users and groups
specified in the user and group entries are not registered in the
default cell.
If a UUID replaces a name of a user and group, you can recover by
adopting the orphaned UUID. To do this, create a new user or group
using the UUID found in the ACL. The name of the new user or group is
then available.
Privileges Required
The permissions required are defined by the object's ACL Manager. Use
the permissions operation to display the currently available tokens and
their meanings. See the documentation for the DCE component you are
using to obtain a more detailed description of its specific permis‐
sions.
Examples
dcecp> acl show /.:/hosts {unauthenticated r--t---} {user cell_admin
rwdtcia} {user hosts/absolut/cds-server rwdtcia} {user hosts/abso‐
lut/self rwdtcia} {user root rwdtcia} {group subsys/dce/cds-admin rwdt‐
cia} {group subsys/dce/cds-server rwdtcia} {any_other r--t---} dcecp>
RELATED INFORMATION
Commands: dcecp(1m), dcecp_account(1m), dcecp_group(1m), dcecp_organi‐
zation(1m), dcecp_principal(1m), dcecp_registry(1m), dcecp_xat‐
trschema(1m).
acl(1m)
