acl_edit(1m) Open Software Foundation acl_edit(1m)
NAME [Toc] [Back]
acl_edit - Edits or lists an object's ACLs
SYNOPSIS [Toc] [Back]
acl_edit {[-e] pathname | -addr string_binding component_name} [-ic |
-io] [-n | -c] [command_line_subcommands] [-ngui] [-v]
OPTIONS [Toc] [Back]
-e pathname
Specifies that the ACL on the Directory Service entry is to
be edited. You must specify the pathname argument if you
use the -e option.
The -e option is especially useful in case of an ambiguous
pathname. The pathname argument can be interpreted in two
ways if it is the name of a leaf object in the Directory
Service (that is, if it is not the name of a directory). It
can be interpreted as the Directory Service entry itself, or
as the object (whatever it is) referenced by that Directory
Service entry. When such a pathname is specified, the -e
option directs acl_edit to the ACL on the Directory Service
entry.
-addr string_binding component_name
The -addr option lets you identify the object whose ACLs you
want to edit by supplying the RPC binding handle of the ACL
Manager that controls access to the object (with the
string_binding argument) and the relative pathname of the
object (with the component_name argument). Because you have
identified the RPC binding handle, you can specify only the
object's relative pathname for component_name.
The most common way to identify the object whose ACLs you
want to manipulate is through the pathname argument,
described below. The -addr option is used primarily by
applications that do not use the Directory Service, but do
use the generic ACL Manager. It can also be used if the
Directory Service is unavailable.
-ic For container objects only, specifies that the object's
Initial Container Creation ACL is to be edited. The Initial
Container Creation ACL is applied by default to any
containers created within the ACL'd container. If this
option is specified and the object named in pathname is not
a container, an error is returned.
-io For container objects only, specifies that the object's
Initial Object Creation ACL is to be edited. The Initial
Object Creation ACL is applied by default to any simple
objects (that is, objects that are not containers) created
Hewlett-Packard Company - 1 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
acl_edit(1m) Open Software Foundation acl_edit(1m)
within the ACL'd container. If this option is specified and
the object is not a container, an error is returned.
-n Specifies that a new mask should not be calculated. This
option is useful only for objects that support the mask_obj
entry type and that are required to recalculate a new mask
after they are modified.
If a modify operation creates a mask that unintentionally
adds permissions to an existing acl entry, the modify
causing the mask recalculation will abort with an error
unless you specify either the -c or -n option.
-c Creates or modifies the object's mask_obj type entry with
permissions equal to the union of all entries other than
type user_obj, other_obj, and unauthenticated. This
creation or modification is done after all other
modifications to the ACL are performed. The new mask is set
even if it grants permissions previously masked out. It is
recommended that you use this option only if not specifying
it results in an error. This option is useful only for
objects that support the mask_obj entry type and are
required to recalculate a new mask after they are modified.
If a modify operation creates a mask that unintentionally
adds permissions to an existing acl entry, the modify
causing the mask recalculation will abort with an error
unless you specify either the -c or -n option.
If you specify the -c option for an ACL that does not
support mask_obj entry type, acl_edit returns an error when
it attempts to save the ACL, aborting all subcommands
supplied on the command line.
-ngui Specifies that a Graphical User Interface (GUI) should not
be used even if a GUI is available. If your version of
acl_edit supports a GUI and your terminal is capable of
using it, invoking acl_edit without this option will bring
up the GUI mode. Use the -ngui option to bring up commandline
mode. However, if a GUI is not available, or the
terminal is not capable of using the GUI, acl_edit comes up
in command-line mode regardless of wheter you supply this
option or not.
-v Run in verbose mode.
ARGUMENTS [Toc] [Back]
pathname The full pathname of the object whose ACL is to be viewed or
edited. If the object is in another cell, pathname must be
fully qualified to include the cell identifier.
Hewlett-Packard Company - 2 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
acl_edit(1m) Open Software Foundation acl_edit(1m)
command_line_subcommands
The command-line subcommands, which act on the object
specified by pathname, are entered as part of the command
string that invokes acl_edit. Only one command-line
subcommand can be specified per invocation. The commands
follow. See the description of the equivalent interactive
subcommand for a more detailed description of the command
functions.
-m [acl_entry] acl_entry...
Adds a new ACL entry or changes the permissions of
an existing entry. You can enter multiple entries,
each separated by a space.
-p Purges all masked permissions (before any other
modifications are made). This option is useful
only for ACLs that contain an entry of type
mask_obj. Use it to prevent unintentionally
granting permissions to an existing entry when a
new mask is calculated as a result of adding or
modifying an ACL entry.
-d [acl_entry] acl_entry...
Deletes an existing entry from the ACL associated
with the specified object. You can enter multiple
entries, each separated by a space.
-s [acl_entry] acl_entry...
Replaces (substitutes) the ACL information
associated with this object with acl_entry. All
existing entries are removed and replaced by the
newly specified entries. If you specify the -s
subcommand, you cannot specify the -f or -k
subcommand. You can enter multiple entries, each
separated by a space.
-f file Assigns the ACL information contained in file to
the object. All existing entries are removed and
replaced by the entries in the file. If you
specify the -f subcommand, you cannot specify the
-s or -k subcommand.
-k Removes all entries, except entries of type
user_obj (if they are present). If you specify
the -k subcommand, you cannot specify the -f or -s
subcommand.
-l Lists the entries in the object's ACL.
The command-line subcommands are evaluated in the following
Hewlett-Packard Company - 3 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
acl_edit(1m) Open Software Foundation acl_edit(1m)
order:
1. -p
2. -s or -f or -k
3. -d
4. -m
5. -l
NOTES [Toc] [Back]
With the exception of the following subcommands, this command is
replaced at Revision 1.1 by the dcecp command. This command may be
fully replaced by the dcecp command in a future release of DCE, and
may no longer be supported at that time.
+ abort
+ commit
+ exit
+ help
+ test access
DESCRIPTION [Toc] [Back]
The acl_edit command is a client program that, when invoked, binds to
the specified object's ACL Manager (which is implemented in the
object's server), and allows the user to manipulate the object's ACL
through the standard DCE ACL interface. This interface is the
sec_acl_...() interface documented in the OSF DCE Application
Development Reference.
The acl_edit command automatically binds to the server of the object
specified, and then communicates (through the standard DCE ACL
interface) with that server's ACL manager in response to user input.
Exactly what the ``object specified'' is depends partly on whether or
not the -e option is specified. Specifying -e means that you want to
operate on the Directory Service ACL - in other words, you want
acl_edit to bind to the CDS server and allow you to operate on the ACL
maintained by that server on the object's directory entry. If, on the
the ACL on the object to which the directory entry refers - then you
simply omit the -e option. The result will be that acl_edit will bind
to that object's server (the server must, of course, implement an ACL
Hewlett-Packard Company - 4 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
acl_edit(1m) Open Software Foundation acl_edit(1m)
manager), giving you access to the object's ACL.
All acl_edit subcommands act on the object specified by pathname when
you invoked acl_edit. You can invoke acl_edit in either command-line
or interactive mode:
+ To invoke acl_edit in command-line mode, enter the command, the
object's pathname, options, and the command-line subcommand on
the line that invokes acl_edit. Only one command-line subcommand
can be entered per acl_edit invocation.
+ To invoke acl_edit in interactive mode, enter only acl_edit, the
object's pathname, and options. The acl_edit prompt is then
displayed. In this mode, you enter interactive subcommands that
let you edit and view entries in the object's ACL and view help
information about the acl_edit command itself.
Changes you make in command-line mode are saved when you enter the
command. In interactive mode, you must explicitly save your changes.
To do so, use the commit subcommand to save the changes without
exiting acl_edit or the exit subcommand to save the changes and exit
acl_edit. Use the abort subcommand to exit acl_edit and save none of
the changes you have made.
Note: When you invoke acl_edit for a specific object's ACL,
that ACL is not locked. This means that it is possible
for multiple users to edit the ACL simultaneously, with
each change overwriting the previous changes. For this
reason, the number of users assigned rights to change a
particular ACL should be tightly controlled and limited
to one user if possible.
INTERACTIVE SUBCOMMANDS [Toc] [Back]
The following subcommands are available when acl_edit is invoked in
interactive mode. All of the commands act on the ACL associated with
the object specified by pathname when acl_edit was invoked.
? Displays the available acl_edit subcommands.
ab[ort] Exits acl_edit without saving the changes to the object's
ACL.
as[sign] filename
Applies the ACL entries in filename to the specified object.
This subcommand removes existing entries and replaces them
with the entries in the file.
c[ell] name
Sets the cell name to be associated with the ACL. This
Hewlett-Packard Company - 5 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
acl_edit(1m) Open Software Foundation acl_edit(1m)
subcommand is used primarily to facilitate copying ACLs to
different cells. The default cell name stays in place until
you run the subcommand again to change it.
co[mmit] Saves all changes to the ACL without exiting.
d[elete] acl_entry
Deletes the specified ACL entry.
e[xit] Exits from acl_edit, saving any changes to the object's ACL.
g[et_access]
Displays the permissions granted in the specified object's
ACL to the principal that invoked acl_edit.
h[elp] [command ...]
Initiates the help facility. If you enter only the command
help, acl_edit displays a list of all commands and their
functions. If you enter help and a command (or commands
separated by a space), acl_edit displays help information on
the specified commands. Entering help sec_acl_entry displays
information about ACL entries.
k[ill_entries]
Removes all ACL entries except the user_obj entry if it
exists.
l[ist] Lists the entries in the object's ACL.
m[odify] acl_entry [-n | -c]
Adds a new ACL entry or replaces an existing ACL entry.
This command affects a single ACL entry. To add or replace
all of an object's ACL entries, see the su[bstitute]
subcommand.
For objects that support the mask_obj entry type and are
required to calculate a new mask when their ACLs are
modified, the -n option specifies that a new mask should not
be calculated; the -c option specifies that the object's
mask_obj entry should have permissions equal to the union of
all entries other than user_obj, other_obj, and
unauthenticated. The mask is calculated after the ACL is
modified.
If you use the -c option, the new mask is set even if it
grants permissions previously masked out. It is recommended
that you use the -c option only if not specifying it results
in an error. If the new mask unintentionally grants
permissions to an existing entry, the modify operation
causing the mask recalculation will abort with an error
unless you specify either the -c or -n option.
Hewlett-Packard Company - 6 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
acl_edit(1m) Open Software Foundation acl_edit(1m)
p[ermissions]
Lists the available permission tokens and explanations.
pu[rge] Purges all masked permissions. This option is useful only
for ACLs that contain an entry of type mask_obj. Use it to
prevent unintentionally granting permissions to an existing
entry when a new mask is calculated as a result of adding or
modifying an ACL entry.
su[bstitute] acl_entry [acl_entry ...]
Replaces all ACL entries with the one or ones specified.
This subcommand removes all existing entries and adds the
ones specified by acl_entry. To replace only a single ACL
entry, see the m[odify] subcommand.
t[est_access] [permissions ...]
Tests whether or not the permissions specified in the
command are granted to the principal under whose DCE
identity the acl_edit command was invoked. The option
returns ranted if the permissions are granted or enied if
they are not.
ACL ENTRIES [Toc] [Back]
An ACL entry has the following syntax:
type[:key]:permissions
where:
type Identifies the role of the ACL entry.
key Identifies the specific principal or group to whom the entry
applies. For an entry type of extended, key contains the ACL
data.
permissions
The ACL permissions.
A thorough description of each syntax component follows.
Type [Toc] [Back]
The type tag identifies the role of the ACL entry. Valid types are
the following:
+ user_obj - Permissions for the object's real or effective user.
Hewlett-Packard Company - 7 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
acl_edit(1m) Open Software Foundation acl_edit(1m)
+ group_obj - Permissions for the object's real or effective group.
+ other_obj - Permissions for others in the local cell who are not
otherwise named by a more specific entry type.
+ user - Permissions for a specific principal user in the ACL's
cell. This type of ACL entry must include a key that identifies
the specific principal.
+ group - Permissions for a specific group in the ACL's cell. This
type of ACL entry must include a key that identifies the specific
group.
+ foreign_user - Permissions for a specific, authenticated user in
a foreign cell. This type of ACL entry must include a key that
identifies the specific principal and the principal's cell.
+ foreign_group - Permissions for a specific, authenticated group
in a foreign cell. This type of ACL entry must include a key that
identifies the specific group and the group's cell.
+ foreign_other - Permissions for all authenticated principals in
a specific foreign cell, unless those principals are specifically
named in an ACL entry of type foreign_user or members in a group
named in an entry of type foreign_group. This type of ACL entry
must include a key that identifies the specific foreign cell.
+ any_other - Permissions for all authenticated principals unless
those principals match a more specific entry in the ACL.
+ mask_obj - Permissions for the object mask that is applied to
all entry types except user_obj, other_obj, and unauthenticated.
+ unauthenticated - Maximum permissions applied when the accessor
does not pass authentication procedures. This entry is used for
principals that have failed authentication due to bad keys,
principals who are entirely outside of any authentication cell,
and principals who choose not to use authenticated access.
Permissions granted to an unauthenticated principal are masked
with this entry, if it exists. If this entry does not exist,
access to unauthenticated principals is always denied.
+ extended - A special entry that allows client applications
running at earlier DCE versions to copy ACLs to and from ACL
Managers running at the current DCE version without losing any
data. The extended entry allows the application running at the
lower version to obtain a printable form of the ACL. The
extended ACL entry has the following form:
extended:uuid.ndr.ndr.ndr.ndr.number_of_byte.data
where:
Hewlett-Packard Company - 8 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
acl_edit(1m) Open Software Foundation acl_edit(1m)
uuid Identifies the type extended ACL entry. (This UUID can
identify one of the ACL entry types described here or
an as-yet-undefined ACL entry type.)
ndr.ndr.ndr.ndr
Up to three Network Data Representation (NDR) format
labels (in hexadecimal format and separated by periods)
that identify the encoding of data.
number_of_bytes
A decimal number that specifies the total number of
bytes in data.
data The ACL data in hexadecimal form. (Each byte of ACL
data is two hexadecimal digits.) The ACL data includes
all of the ACL entry specifications except the
permissions (described later) that are entered
separately. The data is not interpreted; it is assumed
that the ACL Manager to which the data is being passed
can understand that data.
Key [Toc] [Back]
The key identifier (principal or group name) specifies the principal
or group to which the ACL entry applies. For entries of entry type
extended, key is the data passed from one ACL Manager to another. A
key is required for the following types of ACL entries:
+ user - Requires a principal name only.
+ group - Requires a group name only.
+ foreign_user - Requires a fully qualified cell name in addition
to the principal name.
+ foreign_group - Requires a fully qualified cell name in addition
to the group name.
+ foreign_other - Requires a fully qualified cell name.
Permissions [Toc] [Back]
The permissions argument specifies the set of permissions that defines
the access rights conferred by the entry. Since each ACL Manager
defines the permission tokens and meanings appropriate for the objects
it controls, the actual tokens and their meanings vary. For example,
the Distributed File Service, the Directory Service, and the Security
Registry Service each implement a separate ACL Manager, and each can
use a different set of tokens and permissions. This means that file
system objects, objects in the namespace, and registry objects could
Hewlett-Packard Company - 9 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
acl_edit(1m) Open Software Foundation acl_edit(1m)
each use different permissions. Use the p[ermissions] subcommand to
display the currently available tokens and their meanings. See the
documentation for the DCE component you are using to obtain a more
detailed description of its specific permissions.
EXAMPLES [Toc] [Back]
1. The following example uses the interactive interface to set
permissions for the unauthenticated and mask_obj entry type:
ec_acl_edit> m mask_obj:rwx
ec_acl_edit> m unauthenticated:r
2. The following example uses the interactive interface to set
permissions for the effective user, group, and others in the
ACL's cell:
ec_acl_edit> m user_obj:crwx
ec_acl_edit> m group_obj:rwx
ec_acl_edit> m other_obj:rwx
3. The following example uses the command-line interface to invoke
acl_edit and assign permissions for the file progress_chart to
the authenticated user mike in the local cell:
% acl_edit /.../dresden.com/fs/walden/progress_chart -m user:mike:crwx
Note that because this entry will be filtered through the object
mask (mask_obj), which specifies only rwx permissions, the actual
permissions will be rwx, not crwx. The l(ist) subcommand will
show those permissions as follows:
user:mike:crwx #effective -rwx---
4. The following example uses the interactive interface to set
permissions for the authenticated foreign user named burati in
the cell named /.../usc-cs.uscal.edu:
ec_acl_edit> m foreign_user:/.../usc-cs.uscal.edu/sailing/staff/burati:rwx
5. The following example uses the non-interactive command-line
interface to invoke acl_edit and set the Initial Container
Creation permissions for the directory that is named walden:
% acl_edit /.../dresden.com/fs/walden -ic -m /user:walden:crwxid
Hewlett-Packard Company - 10 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
acl_edit(1m) Open Software Foundation acl_edit(1m)
Hewlett-Packard Company - 11 -�OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96 [ Back ] |
