acl_edit(8sec)
Edits or lists an objects ACLs
Synopsis
acl_edit {[-e] pathname | -addr string_binding component_name}
[-ic | -io] [-n | -c]
[command_line_subcommands]
[-ngui] [-v]
Options
-e pathname
Specifies that the ACL on the Directory Service entry is to be edited. You must specify the pathname argument if you use the -e option.
The -e option is especially useful in case of an ambiguous path name. The pathname argument can be interpreted in two ways if it is the name of a leaf object in the Directory Service (that is, if it is not the name of a directory). It can be interpreted as the Directory Service entry itself, or as the object (whatever it is) referenced by that Directory Service entry. When such a path name is specified, the -e option directs acl_edit to the ACL on the Directory Service entry.
-addr string_binding component_name
The -addr option lets you identify the object whose ACLs you want to edit by supplying the RPC binding handle of the ACL
manager that controls access to the object (with the string_binding argument) and the relative path name of the object (with the component_name argument). Because you have
identified the RPC binding handle, you can specify only the objects relative path name for component_name.
The most common way to identify the object whose ACLs you want to manipulate is through the pathname argument, described below. The -addr option is used primarily by applications that do not use the Directory Service, but do use the generic ACL manager. It can also be used if the Directory Service is unavailable.
-ic
For container objects only, specifies that the objects Initial Container Creation ACL is to be edited. The Initial Container Creation ACL is applied by default to any
containers created within the ACLd container. If this option is specified and the object named in pathname is not a container, an error is returned.
-io
For container objects only, specifies that the objects Initial Object Creation ACL is to be edited. The Initial Object Creation ACL is applied by default to simple
objects (that is, objects that are not containers) created within the ACLd container. If this option is specified and the object is not a container, an error is returned.
-n
Specifies that a new mask should not be calculated. This option is useful only for objects that support the mask_obj entry type and that are required to recalculate
a new mask after they are modified.
If a modify operation creates a mask that unintentionally adds permissions to an existing ACL entry, the modify causing the mask recalculation aborts with an error unless you specify either the -c or -n option.
-c
Creates or modifies the objects mask_obj type entry with permissions equal to the union of all entries other than type user_obj, other_obj, and
unauthenticated. This creation or modification is done after all other modifications to the ACL are performed. The new mask is set even if it grants permissions previously masked out. It
is recommended that you use this option only if not specifying it results in an error. This option is useful only for objects that support the mask_obj entry type and are required to
recalculate a new mask after they are modified.
If a modify operation creates a mask that unintentionally adds permissions to an existing ACL entry, the modify causing the mask recalculation aborts with an error unless you specify either the -c or -n option.
If you specify the -c option for an ACL that does not support mask_obj entry type, acl_edit returns an error when it attempts to save the ACL and aborts all subcommands supplied on the command line.
-ngui
Specifies that a Graphical User Interface (GUI) should not be used even if a GUI is available. If your version of acl_edit supports a GUI and your terminal is
capable of using it, invoking acl_edit without this option brings up the GUI mode. Use the -ngui option to bring up command-line mode. However, if a GUI is not available, or the
terminal is not capable of using the GUI, acl_edit comes up in command-line mode regardless of whether you supply this option.
-v
Run in verbose mode.
Arguments
pathname
The full pathname of the object whose ACL is to be viewed or edited. If the object is in another cell, pathname must be fully qualified to include the cell
identifier.
command_line_subcommands
The command-line subcommands, which act on the object specified by pathname, are entered as part of the command string that invokes
acl_edit. Only one command-line subcommand can be specified per invocation. See the description of the equivalent interactive subcommand for a more detailed description of the command
functions.
-m [acl_entry] acl_entry...
Adds a new ACL entry or changes the permissions of an existing entry. You can enter multiple entries, each separated by a space.
-p
Purges all masked permissions (before any other modifications are made). This option is useful only for ACLs that contain an entry of type mask_obj. Use it to
prevent unintentionally granting permissions to an existing entry when a new mask is calculated as a result of adding or modifying an ACL entry.
-d [acl_entry] acl_entry...
Deletes an existing entry from the ACL associated with the specified object. You can enter multiple entries, each separated by a
space.
-s [acl_entry] acl_entry...
Replaces (substitutes) the ACL information associated with this object with acl_entry. All existing entries are removed
and replaced by the newly specified entries. If you specify the -s subcommand, you cannot specify the -f or -k subcommand. You can enter multiple entries, each separated
by a space.
-f file
Assigns the ACL information contained in file to the object. All existing entries are removed and replaced by the entries in the file. If you specify
the -f subcommand, you cannot specify the -s or -k subcommand.
-k
Removes all entries, except entries of type user_obj (if they are present). If you specify the -k subcommand, you cannot specify the -f or
-s subcommand.
-l
Lists the entries in the objects ACL.
The command-line subcommands are evaluated in the following order:
1. -p
2. -s or -f or -k
3. -d
4. -m
5. -l
Notes
With the exception of the following subcommands, this command is replaced at Revision 1.1 by the dcecp command. This command may be fully replaced by the
dcecp command in a future release of DCE, and may no longer be supported at that time.
· abort
· commit
· exit
· help
· test access
More: