DCE_SECURITY, Admin Intro, acl_edit
*Conan The Librarian (sorry for the slow response - running on an old VAX)
|
VMS Help DCE_SECURITY, Admin Intro, acl_edit *Conan The Librarian (sorry for the slow response - running on an old VAX) |
|
NAME
acl_edit - Edits or lists an object's ACLs
SYNOPSIS
acl_edit {[-e] pathname | -addr string_binding component_name}
[-ic | -io] [-n | -c] [command_line_subcommands] [-ngui]
[-v]
OPTIONS
-e pathname Specifies that the ACL on the Directory Service
entry is to be edited. You must specify the
pathname argument if you use the -e option. The
-e option is especially useful in case of an
ambiguous pathname. The pathname argument can be
interpreted in two ways if it is the name of a
leaf object in the Directory Service (that is, if
it is not the name of a directory). It can be
interpreted as the Directory Service entry itself,
or as the object (whatever it is) referenced by
that Directory Service entry. When such a path-
name is specified, the -e option directs acl_edit
to the ACL on the Directory Service entry.
-addr string_binding component_name
The -addr option lets you identify the object
whose ACLs you want to edit by supplying the RPC
binding handle of the ACL Manager that controls
access to the object (with the string_binding
argument) and the relative pathname of the object
(with the component_name argument). Because you
have identified the RPC binding handle, you can
specify only the object's relative pathname for
component_name. The most common way to identify
the object whose ACLs you want to manipulate is
through the pathname argument, described below.
The -addr option is used primarily by applications
that do not use the Directory Service, but do use
the generic ACL Manager. It can also be used if
the Directory Service is unavailable.
-ic For container objects only, specifies that the
object's Initial Container Creation ACL is to be
edited. The Initial Container Creation ACL is
applied by default to any containers created
within the ACL'd container. If this option is
specified and the object named in pathname is not
a container, an error is returned.
-io For container objects only, specifies that the
object's Initial Object Creation ACL is to be
edited. The Initial Object Creation ACL is applied
by default to any simple objects (that is, objects
that are not containers) created within the ACL'd
container. If this option is specified and the
object is not a container, an error is returned.
-n Specifies that a new mask should not be calculated.
This option is useful only for objects that
support the mask_obj entry type and that are
required to recalculate a new mask after they are
modified. If a modify operation creates a mask
that unintentionally adds permissions to an
existing acl entry, the modify causing the mask
recalculation will abort with an error unless you
specify either the -c or -n option.
-c Creates or modifies the object's mask_obj type
entry with permissions equal to the union of all
entries other than type user_obj, other_obj, and
unauthenticated. This creation or modification is
done after all other modifications to the ACL are
performed. The new mask is set even if it grants
permissions previously masked out. It is
recommended that you use this option only if not
specifying it results in an error. This option is
useful only for objects that support the mask_obj
entry type and are required to recalculate a new
mask after they are modified. If a modify
operation creates a mask that unintentionally adds
permissions to an existing acl entry, the modify
causing the mask recalculation will abort with an
error unless you specify either the -c or -n option.
If you specify the -c option for an ACL that does
not support mask_obj entry type, acl_edit returns
an error when it attempts to save the ACL, aborting
all subcommands supplied on the command line.
-ngui Specifies that a Graphical User Interface (GUI)
should not be used even if a GUI is available.
If your version of acl_edit supports a GUI and
your terminal is capable of using it, invoking
acl_edit without this option will bring up the GUI
mode. Use the -ngui option to bring up command-
line mode. However, if a GUI is not available, or
the terminal is not capable of using the GUI,
acl_edit comes up in command-line mode regardless
of wheter you supply this option or not.
-v Run in verbose mode.
ARGUMENTS
pathname The full pathname of the object whose ACL is to be
viewed or edited. If the object is in another
cell, pathname must be fully qualified to include
the cell identifier.
command_line_subcommands
The command-line subcommands, which act on the
object specified by pathname, are entered as part
of the command string that invokes acl_edit. Only
one command-line subcommand can be specified per
invocation. The commands follow. See the
description of the equivalent interactive
subcommand for a more detailed description of the
command functions.
-m [acl_entry] acl_entry...
Adds a new ACL entry or changes the
permissions of an existing entry. You
can enter multiple entries, each
separated by a space.
-p Purges all masked permissions (before
any other modifications are made). This
option is useful only for ACLs that
contain an entry of type mask_obj. Use it
to prevent unintentionally granting
permissions to an existing entry when a
new mask is calculated as a result of
adding or modifying an ACL entry.
-d [acl_entry] acl_entry...
Deletes an existing entry from the ACL
associated with the specified object.
You can enter multiple entries, each
separated by a space.
-s [acl_entry] acl_entry...
Replaces (substitutes) the ACL information
associated with this object with
acl_entry. All existing entries are
removed and replaced by the newly
specified entries. If you specify the -s
subcommand, you cannot specify the -f or
-k subcommand. You can enter multiple
entries, each separated by a space.
-f file Assigns the ACL information contained in
file to the object. All existing entries
are removed and replaced by the entries
in the file. If you specify the -f sub-
command, you cannot specify the -s or -k
subcommand.
-k Removes all entries, except entries of
type user_obj (if they are present).
If you specify the -k subcommand, you
cannot specify the -f or -s subcommand.
-l Lists the entries in the object's ACL.
The command-line subcommands are evaluated in the following order:
1.
-p
2.
-s or -f or -k
3.
-d
4.
-m
5.
-l
NOTES
With the exception of the following subcommands, this command is replaced
at Revision 1.1 by the dcecp command. This command may be fully replaced
by the dcecp command in a future release of DCE, and may no longer be
supported at that time.
+ abort
+ commit
+ exit
+ help
+ test access
DESCRIPTION
The acl_edit command is a client program that, when invoked, binds to the
specified object's ACL Manager (which is implemented in the object's
server), and allows the user to manipulate the object's ACL through the
standard DCE ACL interface. This interface is the sec_acl_...() interface
documented in the OSF DCE Application Development Reference.
The acl_edit command automatically binds to the server of the object
specified, and then communicates (through the standard DCE ACL interface)
with that server's ACL manager in response to user input.
Exactly what the object "specified" is depends partly on whether or not
the -e option is specified. Specifying -e means that you want to operate
on the Directory Service ACL - in other words, you want acl_edit to bind
to the CDS server and allow you to operate on the ACL maintained by that
server on the object's directory entry. If, on the the ACL on the object
to which the directory entry refers - then you simply omit the -e option.
The result will be that acl_edit will bind to that object's server (the
server must, of course, implement an ACL manager), giving you access to
the object's ACL.
All acl_edit subcommands act on the object specified by pathname when you
invoked acl_edit. You can invoke acl_edit in either command-line or
interactive mode:
+ To invoke acl_edit in command-line mode, enter the command, the
object's pathname, options, and the command-line subcommand on the
line that invokes acl_edit. Only one command-line subcommand can be
entered per acl_edit invocation.
+ To invoke acl_edit in interactive mode, enter only acl_edit, the
object's pathname, and options. The acl_edit prompt is then
displayed. In this mode, you enter interactive subcommands that
let you edit and view entries in the object's ACL and view help
information about the acl_edit command itself.
Changes you make in command-line mode are saved when you enter the
command.
In interactive mode, you must explicitly save your changes. To do so, use
the commit subcommand to save the changes without exiting acl_edit or the
exit subcommand to save the changes and exit acl_edit. Use the abort
subcommand to exit acl_edit and save none of the changes you have made.
When you invoke acl_edit for a specific object's ACL, that ACL is not
locked. This means that it is possible for multiple users to edit the
ACL simultaneously, with each change overwriting the previous changes.
For this reason, the number of users assigned rights to change a
particular ACL should be tightly controlled and limited to one user if
possible.
INTERACTIVE SUBCOMMANDS
The following subcommands are available when acl_edit is invoked in
interactive mode. All of the commands act on the ACL associated with the
object specified by pathname when acl_edit was invoked.
? Displays the available acl_edit subcommands.
ab[ort] Exits acl_edit without saving the changes to the object's ACL.
as[sign] filename
Applies the ACL entries in filename to the specified object.
This subcommand removes existing entries and replaces them with
the entries in the file.
c[ell] name
Sets the cell name to be associated with the ACL. This sub-
command is used primarily to facilitate copying ACLs to
different cells. The default cell name stays in place until
you run the subcommand again to change it.
co[mmit] Saves all changes to the ACL without exiting.
d[elete] acl_entry
Deletes the specified ACL entry.
e[xit] Exits from acl_edit, saving any changes to the object's ACL.
g[et_access]
Displays the permissions granted in the specified object's ACL
to the principal that invoked acl_edit.
h[elp] [command ...]
Initiates the help facility. If you enter only the command
help, acl_edit displays a list of all commands and their
functions. If you enter help and a command (or commands
separated by a space), acl_edit displays help information on
the specified commands. Entering help sec_acl_entry displays
information about ACL entries.
k[ill_entries]
Removes all ACL entries except the user_obj entry if it exists.
l[ist] Lists the entries in the object's ACL.
m[odify] acl_entry [-n | -c]
Adds a new ACL entry or replaces an existing ACL entry. This
command affects a single ACL entry. To add or replace all of
an object's ACL entries, see the su[bstitute] subcommand. For
objects that support the mask_obj entry type and are required
to calculate a new mask when their ACLs are modified, the -n
option specifies that a new mask should not be calculated; the
-c option specifies that the object's mask_obj entry should
have permissions equal to the union of all entries other than
user_obj, other_obj, and unauthenticated. The mask is
calculated after the ACL is modified.
If you use the -c option, the new mask is set even if it
grants permissions previously masked out. It is recommended
that you use the -c option only if not specifying it results
in an error. If the new mask unintentionally grants
permissions to an existing entry, the modify operation
causing the mask recalculation will abort with an error
unless you specify either the -c or -n option.
p[ermissions]
Lists the available permission tokens and explanations.
pu[rge] Purges all masked permissions. This option is useful only for
ACLs that contain an entry of type mask_obj. Use it to prevent
unintentionally granting permissions to an existing entry when
a new mask is calculated as a result of adding or modifying an
ACL entry.
su[bstitute] acl_entry [acl_entry ...]
Replaces all ACL entries with the one or ones specified. This
subcommand removes all existing entries and adds the ones
specified by acl_entry. To replace only a single ACL entry,
see the m[odify] subcommand.
t[est_access] [permissions ...]
Tests whether or not the permissions specified in the command
are granted to the principal under whose DCE identity the
acl_edit command was invoked. The option returns Granted if
the permissions are granted or Denied if they are not.
ACL ENTRIES
An ACL entry has the following syntax:
type[:key]:permissions
where:
type Identifies the role of the ACL entry.
key Identifies the specific principal or group to whom
the entry applies. For an entry type of extended,
key contains the ACL data.
permissions The ACL permissions.
A thorough description of each syntax component follows.
Type The type tag identifies the role of the ACL entry.
Valid types are the following:
+ user_obj - Permissions for the object's real or
effective user.
+ group_obj - Permissions for the object's real or
effective group.
+ other_obj - Permissions for others in the local cell
who are not otherwise named by a more
specific entry type.
+ user - Permissions for a specific principal
user in the ACL's cell. This type of
ACL entry must include a key that
identifies the specific principal.
+ group - Permissions for a specific group in the
ACL's cell. This type of ACL entry must
include a key that identifies the
specific group.
+ foreign_user
Permissions for a specific, authenticated
user in a foreign cell. This type of ACL
entry must include a key that identifies
the specific principal and the principal's
cell.
+ foreign_group
Permissions for a specific, authenticated
group in a foreign cell. This type of ACL
entry must include a key that identifies
the specific group and the group's cell.
+ foreign_other
Permissions for all authenticated
principals in a specific foreign cell,
unless those principals are specifically
named in an ACL entry of type foreign_user
or members in a group named in an entry of
type foreign_group. This type of ACL
entry must include a key that identifies
the specific foreign cell.
+ any_other - Permissions for all authenticated
principals unless those principals match
a more specific entry in the ACL.
+ mask_obj - Permissions for the object mask that is
applied to all entry types except user_obj,
other_obj, and unauthenticated.
+ unauthenticated
Maximum permissions applied when the
accessor does not pass authentication
procedures. This entry is used for
principals that have failed authentica-
tion due to bad keys, principals who
are entirely outside of any authentication
cell, and principals who choose not to use
authenticated access. Permissions granted
to an unauthenticated principal are masked
with this entry, if it exists. If this
entry does not exist, access to unauthenti-
cated principals is always denied.
+ extended - A special entry that allows client
applications running at earlier DCE
versions to copy ACLs to and from ACL
Managers running at the current DCE
version without losing any data. The
extended entry allows the application
running at the lower version to obtain a
printable form of the ACL. The extended
ACL entry has the following form:
extended:uuid.ndr.ndr.ndr.ndr.number_of_byte.data
where:
uuid Identifies the type extended ACL
entry. (This UUID can identify
one of the ACL entry types
described here or an as-yet-
undefined ACL entry type.)
ndr.ndr.ndr.ndr
Up to three Network Data
Representation (NDR) format labels
(in hexadecimal format and
separated by periods) that
identify the encoding of data.
number_of_bytes
A decimal number that specifies
the total number of bytes in data.
data The ACL data in hexadecimal form.
(Each byte of ACL data is two
hexadecimal digits.) The ACL data
includes all of the ACL entry
specifications except the
permissions (described later) that
are entered separately. The data
is not interpreted; it is assumed
that the ACL Manager to which the
data is being passed can understand
that data.
Key
The key identifier (principal or group name) specifies the principal or
group to which the ACL entry applies. For entries of entry type
extended, key is the data passed from one ACL Manager to another. A key
is required for the following types of ACL entries:
+ user - Requires a principal name only.
+ group - Requires a group name only.
+ foreign_user - Requires a fully qualified cell name in addition to
the principal name.
+ foreign_group - Requires a fully qualified cell name in addition to
the group name.
+ foreign_other - Requires a fully qualified cell name.
Permissions
The permissions argument specifies the set of permissions that defines
the access rights conferred by the entry. Since each ACL Manager defines
the permission tokens and meanings appropriate for the objects it
controls, the actual tokens and their meanings vary. For example, the
Distributed File Service, the Directory Service, and the Security
Registry Service each implement a separate ACL Manager, and each can use
a different set of tokens and permissions. This means that file system
objects, objects in the namespace, and registry objects could each use
different permissions. Use the p[ermissions] subcommand to display the
currently available tokens and their meanings. See the documentation for
the DCE component you are using to obtain a more detailed description of
its specific permissions.
EXAMPLES
1. The following example uses the interactive interface to set permis-
sions for the unauthenticated and mask_obj entry type:
sec_acl_edit> m mask_obj:rwx
sec_acl_edit> m unauthenticated:r
2. The following example uses the interactive interface to set permis-
sions for the effective user, group, and others in the ACL's cell:
sec_acl_edit> m user_obj:crwx
sec_acl_edit> m group_obj:rwx
sec_acl_edit> m other_obj:rwx
3. The following example uses the command-line interface to invoke
acl_edit and assign permissions for the file progress_chart to the
authenticated user mike in the local cell:
% acl_edit /.../dresden.com/fs/walden/progress_chart -m user:mike:cx
Note that because this entry will be filtered through the object
mask (mask_obj), which specifies only rwx permissions, the actual
permissions will be rwx, not crwx. The l(ist) subcommand will show
those permissions as follows:
user:mike:crwx #effective -rwx---
4. The following example uses the interactive interface to set permis-
sions for the authenticated foreign user named burati in the cell
named /.../usc-cs.uscal.edu:
sec_acl_edit> m foreign_user:/.../usc-cs.uscal.edu/sailing/staff/bux
5. The following example uses the non-interactive command-line inter-
face to invoke acl_edit and set the Initial Container Creation
permissions for the directory that is named walden:
% acl_edit /.../dresden.com/fs/walden -ic -m /user:walden:crwxid
|
|
