chacl(1)						      General Commands Manual							  chacl(1)

NAME

       chacl - add, modify, delete, copy, or summarize access control lists (ACLs) of files

SYNOPSIS

       acl file ...

       acl file ...

       aclpatt file ...

       fromfile tofile	...

       file...

DESCRIPTION

       extends	the  capabilities  of  chmod(1), by enabling the user to grant or restrict file access to additional specific users and/or groups.
       Traditional file access permissions, set when a file is created, grant or restrict access to the file's	owner,	group,	and  other  users.
       These file access permissions (eg., are mapped into three base access control list entries: one entry for the file's owner (umode), one for
       the file's group g, mode), and one for other users mode).

       enables a user to designate up to thirteen additional sets of permissions (called optional access control list  (ACL)  entries)	which  are
       stored in the access control list of the file.

       To use chacl, the owner (or superuser) constructs an acl, a set of (user.group, mode) mappings to associate with one or more files.  A spe-
       cific user and group can be referred to by either name or number; any user (u), group (g), or both can be referred to with a symbol, repre-
       senting any user or group.  The @ symbol specifies the file's owner or group.

       Read,  write,  and execute/search modes are identical to those used by chmod; symbolic operators (op) add remove or set access rights.  The
       entire acl should be quoted if it contains whitespace or special characters.  Although two variants for constructing the acl are  available
       (and fully explained in acl(5)), the following syntax is suggested:

	      entry[, entry] ...

       where the syntax for an entry is

	      u.g op mode[op mode] ...

       By  default,  modifies existing ACLs.  It adds ACL entries or modifies access rights in existing ACL entries.  If acl contains an ACL entry
       already associated with a file, the entry's mode bits are changed to the new value given, or are modified by the specified  operators.	If
       the  file's  ACL  does not already contain the specified entry, that ACL entry is added.  can also remove all access to files.  Giving it a
       null acl argument means either ``no access'' (when using the option) or ``no changes.''

       For a summary of the syntax, run without arguments.

       If file is specified as reads from standard input.

   Options
       recognizes the following options:

       Replace old    ACLs with the given ACL.	All optional ACL entries are first deleted from the specified files's ACLs, their base permissions
		      are  set to zero, and the new ACL is applied.  If acl does not contain an entry for the owner (uthe group g), or other users
		      of a file, that base ACL entry's mode is set to zero (no access).  The command affects all of the file's	ACL  entries,  but
		      does not change the file's owner or group ID.

		      In chmod(1), the ``modify'' and ``replace'' operations are distinguished by the syntax (string or octal value).  There is no
		      corollary for ACLs because they have a variable number of entries.  Hence modifies specific entries by default, and  option-
		      ally replaces all entries.

       Delete the specified entries from the
		      ACLs  on all specified files.  The aclpatt argument can be an exact ACL or an ACL pattern (see acl(5)).  updates each file's
		      ACL only if entries are deleted from it.

		      If you attempt to delete a base ACL entry from any file, the entry remains but its access mode is set to zero  (no  access).
		      If  you  attempt	to  delete  a  non-existent ACL entry from a file (that is, if an ACL entry pattern matches no ACL entry),
		      informs you of the error, continues, and eventually returns non-zero.

       Copy the       ACL from fromfile to the specified tofile, transferring ownership, if necessary (see  acl(5),  chown(2),	or  chownacl(3C)).
		      fromfile can be to represent standard input.

		      This option implies the option.  If the owner and group of fromfile are identical to those of tofile, is identical to:

		      To copy an ACL without transferring ownership, the above command is suggested instead of

       Delete (``zap'') all optional entries in the specified file's
		      ACLs, leaving only base entries.

       Delete (``zap'') all optional entries in the specified file's
		      ACLs,  and  set the access modes in all base entries to zero (no access).  This is identical to replacing the old ACL with a
		      null ACL:

		      or using chmod(1), which deletes optional entries as a side effect:

       Incorporate (``fold'') optional
		      ACL entries into base ACL entries.  The base ACL entry's permission  bits are altered, if necessary, to reflect the caller's
		      effective access rights to the file; all optional entries, if any, are deleted.

		      For ordinary users, only the access mode of the owner base ACL entry can be altered.  Unlike the write bit is not turned off
		      for a file on a read-only file system or a shared-text program being executed (see getaccess(1)).

		      For super-users, only the execute mode bit in the owner base ACL entry might be changed, only if the file is not an  regular
		      file or if an execute bit is not already set in a base ACL entry mode, but is set in an optional ACL entry mode.

       acl also can be obtained from a string in a file:

       Using @ in acl to represent ``file owner or group'' can cause to run more slowly because it must reparse the ACL for each file (except with
       the option).

EXTERNAL INFLUENCES

   Environment Variables
       determines the language in which messages are displayed.

       If is not specified or is set to the empty string, a default of "C" (see lang(5)) is used instead of If any  internationalization  variable
       contains an invalid setting, behaves as if all internationalization variables are set to "C".  See environ(5).

RETURN VALUE

       If succeeds, it returns a value of zero.

       If  encounters  an error before it changes any file's ACL, it prints an error message to standard error and returns 1.  Such errors include
       invalid invocation, invalid syntax of acl (aclpatt), a given user name or group name is unknown, or inability to get an ACL  from  fromfile
       with the option.

       If  cannot  execute  the  requested operation, it prints an error message to standard error, continues, and later returns 2.  This includes
       cases when a file does not exist, a file's ACL cannot be altered, more ACL entries would result than are allowed, or an attempt is made	to
       delete a non-existing ACL entry.

EXAMPLES

       The following command adds read access for user in any group, and removes write access for any user in the files's groups, for files and

       This  command  replaces	the  ACL  on  the file open as standard input and on file with one which only allows the file owner read and write
       access.

       Delete from file the specific access rights, if any, for user 165 in group 13.  Note that this is different from adding an ACL  entry  that
       restricts access for that user and group.  The user's resulting access rights depend on the entries remaining in the ACL.  The command also
       deletes all entries for user that have a read bit turned on (the asterisk can be used as a wildcard in the ACL pattern for user, group,	or
       access mode):

       Copy the ACL from to and

       Delete the optional ACL entries, if any, on the file open as standard input.

       Deny all access to all files in the current directory whose names start with or

       Incorporate the optional ACL entries of a file into the base ACL entries:

WARNINGS

       An  ACL	string cannot contain more than 16 unique entries, even though converting @ symbols to user or group names and combining redundant
       entries might result in fewer than 16 entries for some files.

DEPENDENCIES

       will fail when the target file resides on a file system which does not support ACLs.

   NFS
       Only the option is supported on remote files.

AUTHOR

       was developed by HP.

SEE ALSO

       chmod(1), getaccess(1), lsacl(1), getacl(2), setacl(2), acl(5), glossary(9).

																	  chacl(1)