Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
HP-UX Reference > C


HP-UX 11i Version 3: February 2007

Technical documentation

» Feedback
Content starts here

 » Table of Contents

 » Index


chacl — add, modify, delete, copy, or summarize access control lists (ACLs) of files


/usr/bin/chacl acl file ...

chacl -r acl file ...

chacl -d aclpatt file ...

chacl -f fromfile tofile ...

chacl -[z|Z|F] file...


chacl extends the capabilities of chmod(1), by enabling the user to grant or restrict file access to additional specific users and/or groups. Traditional file access permissions, set when a file is created, grant or restrict access to the file's owner, group, and other users. These file access permissions (eg., rwxrw-r--) are mapped into three base access control list entries: one entry for the file's owner (u .%, mode), one for the file's group (%. g, mode), and one for other users (%.%, mode).

chacl enables a user to designate up to thirteen additional sets of permissions (called optional access control list (ACL) entries) which are stored in the access control list of the file.

To use chacl, the owner (or superuser) constructs an acl, a set of (user.group, mode) mappings to associate with one or more files. A specific user and group can be referred to by either name or number; any user (u), group (g), or both can be referred to with a % symbol, representing any user or group. The @ symbol specifies the file's owner or group.

Read, write, and execute/search (rwx) modes are identical to those used by chmod; symbolic operators (op) add (+), remove (-), or set (=) access rights. The entire acl should be quoted if it contains whitespace or special characters. Although two variants for constructing the acl are available (and fully explained in acl(5)), the following syntax is suggested:

entry[, entry] ...

where the syntax for an entry is

u.g op mode[op mode] ...

By default, chacl modifies existing ACLs. It adds ACL entries or modifies access rights in existing ACL entries. If acl contains an ACL entry already associated with a file, the entry's mode bits are changed to the new value given, or are modified by the specified operators. If the file's ACL does not already contain the specified entry, that ACL entry is added. chacl can also remove all access to files. Giving it a null acl argument means either ``no access'' (when using the -r option) or ``no changes.''

For a summary of the syntax, run chacl without arguments.

If file is specified as -, chacl reads from standard input.


chacl recognizes the following options:


Replace old ACLs with the given ACL. All optional ACL entries are first deleted from the specified files's ACLs, their base permissions are set to zero, and the new ACL is applied. If acl does not contain an entry for the owner (u .%), the group (%. g), or other (%.%) users of a file, that base ACL entry's mode is set to zero (no access). The command affects all of the file's ACL entries, but does not change the file's owner or group ID.

In chmod(1), the ``modify'' and ``replace'' operations are distinguished by the syntax (string or octal value). There is no corollary for ACLs because they have a variable number of entries. Hence chacl modifies specific entries by default, and optionally replaces all entries.


Delete the specified entries from the ACLs on all specified files. The aclpatt argument can be an exact ACL or an ACL pattern (see acl(5)). chacl -d updates each file's ACL only if entries are deleted from it.

If you attempt to delete a base ACL entry from any file, the entry remains but its access mode is set to zero (no access). If you attempt to delete a non-existent ACL entry from a file (that is, if an ACL entry pattern matches no ACL entry), chacl informs you of the error, continues, and eventually returns non-zero.

-f fromfile tofile

Copy the ACL from fromfile to the specified tofile, transferring ownership, if necessary (see acl(5), chown(2), or chownacl(3C)). fromfile can be - to represent standard input.

This option implies the -r option. If the owner and group of fromfile are identical to those of tofile, chacl -f is identical to:

chacl -r `lsacl fromfile` tofile ...

To copy an ACL without transferring ownership, the above command is suggested instead of chacl -f.


Delete (``zap'') all optional entries in the specified file's ACLs, leaving only base entries.


Delete (``zap'') all optional entries in the specified file's ACLs, and set the access modes in all base entries to zero (no access). This is identical to replacing the old ACL with a null ACL:

chacl -r '' file ...

or using chmod(1), which deletes optional entries as a side effect:

chmod 0 file ...


Incorporate (``fold'') optional ACL entries into base ACL entries. The base ACL entry's permission bits are altered, if necessary, to reflect the caller's effective access rights to the file; all optional entries, if any, are deleted.

For ordinary users, only the access mode of the owner base ACL entry can be altered. Unlike getaccess, the write bit is not turned off for a file on a read-only file system or a shared-text program being executed (see getaccess(1)).

For super-users, only the execute mode bit in the owner base ACL entry might be changed, only if the file is not an regular file or if an execute bit is not already set in a base ACL entry mode, but is set in an optional ACL entry mode.

acl also can be obtained from a string in a file:

chacl `cat file` files ...

Using @ in acl to represent ``file owner or group'' can cause chacl to run more slowly because it must reparse the ACL for each file (except with the -d option).


Environment Variables

LANG determines the language in which messages are displayed.

If LANG is not specified or is set to the empty string, a default of "C" (see lang(5)) is used instead of LANG. If any internationalization variable contains an invalid setting, chacl behaves as if all internationalization variables are set to "C". See environ(5).


If chacl succeeds, it returns a value of zero.

If chacl encounters an error before it changes any file's ACL, it prints an error message to standard error and returns 1. Such errors include invalid invocation, invalid syntax of acl (aclpatt), a given user name or group name is unknown, or inability to get an ACL from fromfile with the -f option.

If chacl cannot execute the requested operation, it prints an error message to standard error, continues, and later returns 2. This includes cases when a file does not exist, a file's ACL cannot be altered, more ACL entries would result than are allowed, or an attempt is made to delete a non-existing ACL entry.


The following command adds read access for user jpc in any group, and removes write access for any user in the files's groups, for files x and y.

  • chacl "jpc.%+r, %.@-w" x y

This command replaces the ACL on the file open as standard input and on file test with one which only allows the file owner read and write access.

  • chacl -r '(@.%,rw-)' - test

Delete from file myfile the specific access rights, if any, for user 165 in group 13. Note that this is different from adding an ACL entry that restricts access for that user and group. The user's resulting access rights depend on the entries remaining in the ACL. The command also deletes all entries for user jpc that have a read bit turned on (the asterisk can be used as a wildcard in the ACL pattern for user, group, or access mode):

chacl -d '165.13, jpc.*+r' myfile

Copy the ACL from oldfile to slow/hare and fast/tortoise.

chacl -f oldfile slow/hare fast/tortoise

Delete the optional ACL entries, if any, on the file open as standard input.

chacl -z -

Deny all access to all files in the current directory whose names start with a, b, or c:

chacl -Z [a-c]*

Incorporate the optional ACL entries of a file (fun.stuff) into the base ACL entries:

chacl -F fun.stuff


An ACL string cannot contain more than 16 unique entries, even though converting @ symbols to user or group names and combining redundant entries might result in fewer than 16 entries for some files.


chacl will fail when the target file resides on a file system which does not support ACLs.


Only the -F option is supported on remote files.


chacl was developed by HP.

Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 1983-2007 Hewlett-Packard Development Company, L.P.