Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3 > Chapter 6 File System Security

Using HFS ACLs


Technical documentation

Complete book in PDF
» Feedback
Content starts here

 » Table of Contents

 » Glossary

 » Index

You set HFS ACL permissions with the chacl command and display them with the lsacl command. See Example 6-1.

IMPORTANT: You must use chmod with the -A option when working with files that have HFS ACL permissions assigned. Without the -A option, chmod will delete the ACL permissions from the file. The syntax is:
# chmod -A mode file

The chacl command is a superset of the chmod command. Any specific permissions you assign with the chacl command are added to the more general permissions assigned with the chmod command.

When a file has ACLs, the ll command displays a plus sign (+) after the permission string.

If a user.group matches more than one HFS ACL entry, the more specific entry takes precedence. See Example 6-2.

Example 6-1 Creating an HFS ACL

In this example, the chmod command restricts write permissions for myfile to only the user, allan. The chmod command also deletes any previous HFS ACLs.

$ chmod 644 myfile $ ll myfile -rw-r--r-- 1 allan users 0 Sep 21 16:56 myfile $ lsacl myfile (allan.%,rw-)(%.users,r--)(%.%,r--) myfile

The lsacl command displays just the default (no ACL) values, corresponding to the basic owner, group, and other permissions.

The chacl command gives read and write access to myfile to another user.

$ chacl 'naomi.users=rw' myfile $ ll myfile -rw-r--r--+ 1 allan users 0 Sep 21 16:56 myfile lsacl myfile (naomi.users,rw-)(allan.%,rw-)(%.users,r--)(%.%,r--) myfile

Notice two things: the ll permissions display has a + appended, indicating that ACLs exist and that the ll permissions string did not change. The additional entry in the lsacl display specifies that user naomi in group users has read and write access to myfile.

Example 6-2 Multiple HFS ACL Matches

If a user's user.group combination matches more than one ACL entry, the most specific entry takes precedence. In this example, first set the file permissions.

$ chmod 644 myfile

Use the chacl command on myfile to add a write-only entry for user naomi:

$ chacl naomi.%=w myfile
$ lsacl myfile
(naomi.%,-w-)(allan.%,rw-)(%.users,r--)(%.%,r--) myfile

Now, user naomi has write access to file myfile, using the ACL defined for naomi.%, but does not have read access to the file because naomi.% takes precedence over the ACLs defined for %.users and %.%.

The lsaclcommand displays the HFS ACLs in decreasing order of specificity. That is, permission matches are attempted from left to right.

HFS ACLs and HP-UX Commands and Calls

The following commands and system calls work with ACLs on HFS file systems:

Table 6-2 HFS ACL Commands



Changes HFS ACLs of files.


Lists user's access rights to files.


Lists HFS ACLs of files.


Table 6-3 HFS ACL System Calls

System CallDescription


Gets a user's effective access rights to a file.

getacl(), fgetacl()

Gets HFS ACL information.

setacl(), fsetacl()

Sets HFS ACL information.


Converts HFS ACL structure to string form.


Changes the owner or group represented in an HFS file's ACL.

cpacl(), fcpacl()

Copies HFS ACL and mode bits from one file to another.

setaclentry(), fsetaclentry()

Adds, modifies, or deletes an HFS file's ACL entry.


Parses and converts HFS ACL structure to string form.


Parses and converts HFS ACL pattern strings to arrays.


The following commands, system calls, and subroutine libraries affect ACL entries, sometimes in unexpected ways.

Table 6-4 Commands and Calls Affecting ACL Entries

Command or CallDescription


Deletes HFS ACLs by default. Use the -A option to retain HFS ACLs.


Deletes HFS ACL entries. Use getacl() and setacl() to save and restore the HFS ACL entries.


Does not set a file's optional ACL entries.


Identifies files whose ACL entries match or include specific ACL patterns on HFS or JFS file systems.

ls -l

The long form indicates the existence of ACLs by displaying a plus sign (+) after the file's permission bits.


Does not support optional ACL entries on /var/mail/* files.

compact, compress, cp, ed, pack, unpack

Copies ACL entries to the new files they create.

frecover, fbackup

Use only these commands to selectively recover and back up files. Use the -A option when backing up from an ACL system for recovery on a system that does not support ACLs.

ar, cpio, ftio, shar, tar, dump, restore

These commands do not retain ACLs when archiving and restoring. They use the st_mode value returned by stat().

rcs, sccs

These commands do not support ACLs.


HFS access control lists use additional “continuation inodes” when creating new file systems. Consider them when using the following commands:

  • fsck: Returns the number of files with ACL entries as a value for icont. Use the -p option to clear unreferenced continuation inodes. See fsck(1M).

  • diskusg, ncheck: Ignores continuation inodes. See diskusg(1M) and ncheck(1M).

  • mkfs: Allows for continuation inodes on new disks. See mkfs(1M).

Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 2008 Hewlett-Packard Development Company, L.P.