|HP-UX Reference > C
HP-UX 11i Version 3: February 2007
chacl — add, modify, delete, copy, or summarize access control lists (ACLs) of files
/usr/bin/chacl acl file ...
chacl -r acl file ...
chacl -d aclpatt file ...
chacl -f fromfile tofile ...
chacl -[z|Z|F] file...
chacl extends the capabilities of chmod(1), by enabling the user to grant or restrict file access to additional specific users and/or groups. Traditional file access permissions, set when a file is created, grant or restrict access to the file's owner, group, and other users. These file access permissions (eg., rwxrw-r--) are mapped into three base access control list entries: one entry for the file's owner (u .%, mode), one for the file's group (%. g, mode), and one for other users (%.%, mode).
chacl enables a user to designate up to thirteen additional sets of permissions (called optional access control list (ACL) entries) which are stored in the access control list of the file.
To use chacl, the owner (or superuser) constructs an acl, a set of (user.group, mode) mappings to associate with one or more files. A specific user and group can be referred to by either name or number; any user (u), group (g), or both can be referred to with a % symbol, representing any user or group. The @ symbol specifies the file's owner or group.
Read, write, and execute/search (rwx) modes are identical to those used by chmod; symbolic operators (op) add (+), remove (-), or set (=) access rights. The entire acl should be quoted if it contains whitespace or special characters. Although two variants for constructing the acl are available (and fully explained in acl(5)), the following syntax is suggested:
entry[, entry] ...
where the syntax for an entry is
u.g op mode[op mode] ...
By default, chacl modifies existing ACLs. It adds ACL entries or modifies access rights in existing ACL entries. If acl contains an ACL entry already associated with a file, the entry's mode bits are changed to the new value given, or are modified by the specified operators. If the file's ACL does not already contain the specified entry, that ACL entry is added. chacl can also remove all access to files. Giving it a null acl argument means either ``no access'' (when using the -r option) or ``no changes.''
For a summary of the syntax, run chacl without arguments.
If file is specified as -, chacl reads from standard input.
chacl recognizes the following options:
acl also can be obtained from a string in a file:
chacl `cat file` files ...
Using @ in acl to represent ``file owner or group'' can cause chacl to run more slowly because it must reparse the ACL for each file (except with the -d option).
LANG determines the language in which messages are displayed.
If LANG is not specified or is set to the empty string, a default of "C" (see lang(5)) is used instead of LANG. If any internationalization variable contains an invalid setting, chacl behaves as if all internationalization variables are set to "C". See environ(5).
If chacl succeeds, it returns a value of zero.
If chacl encounters an error before it changes any file's ACL, it prints an error message to standard error and returns 1. Such errors include invalid invocation, invalid syntax of acl (aclpatt), a given user name or group name is unknown, or inability to get an ACL from fromfile with the -f option.
If chacl cannot execute the requested operation, it prints an error message to standard error, continues, and later returns 2. This includes cases when a file does not exist, a file's ACL cannot be altered, more ACL entries would result than are allowed, or an attempt is made to delete a non-existing ACL entry.
The following command adds read access for user jpc in any group, and removes write access for any user in the files's groups, for files x and y.
This command replaces the ACL on the file open as standard input and on file test with one which only allows the file owner read and write access.
Delete from file myfile the specific access rights, if any, for user 165 in group 13. Note that this is different from adding an ACL entry that restricts access for that user and group. The user's resulting access rights depend on the entries remaining in the ACL. The command also deletes all entries for user jpc that have a read bit turned on (the asterisk can be used as a wildcard in the ACL pattern for user, group, or access mode):
chacl -d '165.13, jpc.*+r' myfile
Copy the ACL from oldfile to slow/hare and fast/tortoise.
chacl -f oldfile slow/hare fast/tortoise
Delete the optional ACL entries, if any, on the file open as standard input.
chacl -z -
Deny all access to all files in the current directory whose names start with a, b, or c:
chacl -Z [a-c]*
Incorporate the optional ACL entries of a file (fun.stuff) into the base ACL entries:
chacl -F fun.stuff
An ACL string cannot contain more than 16 unique entries, even though converting @ symbols to user or group names and combining redundant entries might result in fewer than 16 entries for some files.
chacl will fail when the target file resides on a file system which does not support ACLs.