Completely Replacing an ACL

It is sometimes simplest to clear an ACL completely before defining new permissions on it, for instance if the mix of normal and negative permissions makes it difficult to understand how their interaction affects a user's access to the directory. To clear an ACL completely while you define new entries, include the -clear flag on the fs setacl command. When you include this flag, you can create entries on either the normal permissions or the negative permissions section of the ACL, but not on both at once.

Remember to create an entry that grants appropriate permissions to the directory's owner. The owner implicitly has the a (administer) permission required to replace a deleted entry, but the effects of a missing ACL entry (particularly the lack of the lookup permission) can be so confusing that it becomes difficult for the owner to realize that the missing entry is causing the problems.

To replace an ACL completely

  1. Verify that you have the a (administer) permission on each directory for which you are editing the ACL. If necessary, issue the fs listacl command, which is fully described in Displaying ACLs.

       % fs listacl [<dir/file path>]
    
  2. Issue the fs setacl command with the -clear flag to clear the ACL completely before setting either normal or negative permissions. Because you need to grant the owner of the directory all permissions, it is better in most cases to set normal permissions at this point.

       % fs setacl -dir <directory>+ -acl <access list entries>+ -clear  \
                   [-negative] 
    

    where

    sa

    Is an acceptable alias for setacl (and seta is the shortest acceptable abbreviation).

    -dir

    Names one or more directories to which to apply the ACL entries defined by the -acl argument. Specify the read/write path to each directory, to avoid the failure that results when you attempt to change a read-only volume. For a detailed description of acceptable values, see To add, remove, or edit normal ACL permissions.

    -acl

    Specifies one or more ACL entries, each of which pairs a user or group name and a set of permissions. Separate the pairs, and the two parts of each pair, with one or more spaces. Remember to grant all permissions to the owner of the directory. For a detailed description of acceptable values, see To add, remove, or edit normal ACL permissions.

    -clear

    Removes all entries from each ACL before creating the entries indicated by the -acl argument.

    -negative

    Places the entries defined by the -acl argument on the negative permissions section of each ACL.
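The procedure above implies a two-step replacement when a directory needs both sections rewritten: clear the ACL and write the normal section (owner included) in one fs setacl -clear command, then add negative entries in a second fs setacl -negative command without -clear. The wrapper below is an added example and not part of the AFS documentation. It assumes the fs binary is on the path; the FS_CMD variable (set it to echo for a dry run), the 'name perms' entry format with a single space, and the '--' separator between normal and negative entries are conventions of this script, not fs options. The rights letters r l i d w k a and the shorthands read, write, all and none are the standard AFS ones.

```shell
#!/bin/sh
# Added example (not AFS documentation code): replace a directory's ACL so that
# "fs setacl -clear" never leaves the directory owner without rights.
# FS_CMD is an assumption of this script, not an fs option; it defaults to fs.

# perms_ok PERMS: true if PERMS is an AFS shorthand or built only from r l i d w k a.
perms_ok() {
  case "$1" in
    read|write|all|none) return 0 ;;
    '') return 1 ;;
    *[!rlidwka]*) return 1 ;;   # any character outside the seven rights
    *) return 0 ;;
  esac
}

# grants_all PERMS: true if PERMS gives every one of r l i d w k a.
grants_all() {
  [ "$1" = all ] && return 0
  for c in r l i d w k a; do
    case "$1" in *"$c"*) ;; *) return 1 ;; esac
  done
  return 0
}

# replace_acl DIR OWNER 'name perms' ... [-- 'name perms' ...]
# Entries before "--" go on the normal section, entries after it on the
# negative section. Refuses to clear unless OWNER is granted all rights.
replace_acl() {
  dir="$1"; owner="$2"; shift 2
  normal=""; negative=""; section=normal; owner_all=0
  for entry in "$@"; do
    if [ "$entry" = "--" ]; then section=negative; continue; fi
    name="${entry%% *}"; perms="${entry#* }"
    if [ "$name" = "$entry" ] || ! perms_ok "$perms"; then
      echo "replace_acl: bad entry '$entry'" >&2; return 2
    fi
    if [ "$section" = normal ]; then
      normal="$normal $name $perms"
      [ "$name" = "$owner" ] && grants_all "$perms" && owner_all=1
    else
      negative="$negative $name $perms"
    fi
  done
  if [ "$owner_all" -ne 1 ]; then
    echo "replace_acl: refusing to clear $dir: owner $owner is not granted all (rlidwka)" >&2
    return 3
  fi
  # Step 1: wipe the ACL and install the normal entries, owner included, in one command.
  ${FS_CMD:-fs} setacl -dir "$dir" -acl $normal -clear || return $?
  # Step 2: negative entries go on in a separate command without -clear,
  # so the normal section just written is kept.
  if [ -n "$negative" ]; then
    ${FS_CMD:-fs} setacl -dir "$dir" -acl $negative -negative || return $?
  fi
}

# Usage (constructed directory and names):
#   replace_acl /afs/example.com/usr/pat pat 'pat rlidwka' 'system:anyuser l' -- 'system:anyuser i'
```

Because the owner check runs before any fs command is issued, a mistake in the entry list fails closed: the existing ACL is left untouched rather than cleared and half-written.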