Provided by: openafs-client_1.8.10-2ubuntu1~23.10.1_amd64 bug

NAME

       fs_listacl - Displays ACLs

SYNOPSIS

       fs listacl [-path <dir/file path>+] [-id] [-if] [-cmd] [-help]

       fs la [-p <dir/file path>+] [-id] [-if] [-cmd] [-h]

       fs lista [-p <dir/file path>+] [-id] [-if] [-cmd] [-h]

DESCRIPTION

       The fs listacl command displays the access control list (ACL) associated with each
       specified file, directory, or symbolic link. The specified element can reside in the DFS
       filespace if the issuer is using the AFS/DFS Migration Toolkit Protocol Translator to
       access DFS data (and DFS does implement per-file ACLs). To display the ACL of the current
       working directory, omit the -path argument.

       To alter an ACL, use the fs setacl command. To copy an ACL from one directory to another,
       use the fs copyacl command. To remove obsolete entries from an ACL, use the fs cleanacl
       command.

CAUTIONS

       Placing a user or group on the "Negative rights" section of the ACL does not guarantee
       denial of permissions, if the "Normal rights" section grants the permissions to members of
       the system:anyuser group. In that case, the user needs only to issue the unlog command to
       obtain the permissions granted to the system:anyuser group.

OPTIONS

       -path <dir/file path>+
           Names each directory or file for which to display the ACL. For AFS files, the output
           displays the ACL from the file's parent directory; DFS files do have their own ACL.
           Incomplete pathnames are interpreted relative to the current working directory, which
           is also the default value if this argument is omitted.

       -id Displays the Initial Container ACL of each DFS directory. This argument is supported
           only on DFS directories accessed via the AFS/DFS Migration Toolkit Protocol
           Translator.

       -if Displays the Initial Object ACL of each DFS directory. This argument is supported only
           on DFS directories accessed via the AFS/DFS Migration Toolkit Protocol Translator.

       -cmd
           Outputs an fs setacl command string that can be used to recreate the ACL applied to
           the specified file, directory or symbolic link.

       -help
           Prints the online help for this command. All other valid options are ignored.

OUTPUT

       The first line of the output for each file, directory, or symbolic link reads as follows:

          Access list for <directory> is

       If the issuer used shorthand notation in the pathname, such as the period (".") to
       represent the current current directory, that notation sometimes appears instead of the
       full pathname of the directory.

       Next, the "Normal rights" header precedes a list of users and groups who are granted the
       indicated permissions, with one pairing of user or group and permissions on each line. If
       negative permissions have been assigned to any user or group, those entries follow a
       "Negative rights" header. The format of negative entries is the same as those on the
       "Normal rights" section of the ACL, but the user or group is denied rather than granted
       the indicated permissions.

       AFS does not implement per-file ACLs, so for a file the command displays the ACL on its
       directory. The output for a symbolic link displays the ACL that applies to its target file
       or directory, rather than the ACL on the directory that houses the symbolic link.

       The permissions for AFS enable the possessor to perform the indicated action:

       a (administer)
           Change the entries on the ACL.

       d (delete)
           Remove files and subdirectories from the directory or move them to other directories.

       i (insert)
           Add files or subdirectories to the directory by copying, moving or creating.

       k (lock)
           Set read locks or write locks on the files in the directory.

       l (lookup)
           List the files and subdirectories in the directory, stat the directory itself, and
           issue the fs listacl command to examine the directory's ACL.

       r (read)
           Read the contents of files in the directory; issue the "ls -l" command to stat the
           elements in the directory.

       w (write)
           Modify the contents of files in the directory, and issue the UNIX chmod command to
           change their mode bits

       A, B, C, D, E, F, G, H
           Have no default meaning to the AFS server processes, but are made available for
           applications to use in controlling access to the directory's contents in additional
           ways. The letters must be uppercase.

       For DFS files and directories, the permissions are similar, except that the DFS "x"
       (execute) permission replaces the AFS "l" (lookup) permission, DFS "c" (control) replaces
       AFS "a" (administer), and there is no DFS equivalent to the AFS "k" (lock) permission. The
       meanings of the various permissions also differ slightly, and DFS does not implement
       negative permissions. For a complete description of DFS permissions, see the DFS
       documentation.

EXAMPLES

       The following command displays the ACL on the home directory of the user "pat" (the
       current working directory), and on its "private" subdirectory.

          % fs listacl -path . private
          Access list for . is
          Normal rights:
             system:authuser rl
             pat rlidwka
             pat:friends rlid
          Negative rights:
             smith rlidwka
          Access list for private is
          Normal rights:
             pat rlidwka

       The following command generates the fs setacl command required to recreate the ACL on the
       home directory of the user "pat" (the current working directory), and on its "private"
       subdirectory.

          % fs listacl -path . private -cmd
          fs setacl -dir . -acl system:authuser rl  pat rlidwka   pat:friends rlid
          fs setacl -dir . -acl smith rlidwka -negative
          fs setacl -dir private -acl pat rlidwka

PRIVILEGE REQUIRED

       If the -path argument names an AFS directory, the issuer must have the "l" (lookup)
       permission on its ACL and the ACL for every directory that precedes it in the pathname.

       If the -path argument names an AFS file, the issuer must have the "l" (lookup) and "r"
       (read) permissions on the ACL of the file's directory, and the l permission on the ACL of
       each directory that precedes it in the pathname.

       If the -path argument names a DFS directory or file, the issuer must have the "x"
       (execute) permission on its ACL and on the ACL of each directory that precedes it in the
       pathname.

SEE ALSO

       fs_cleanacl(1), fs_copyacl(1), fs_setacl(1)

COPYRIGHT

       IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

       This documentation is covered by the IBM Public License Version 1.0.  It was converted
       from HTML to POD by software written by Chas Williams and Russ Allbery, based on work by
       Alf Wachsmann and Elizabeth Cassell.