
NAME


fs_setacl - Sets the ACL for a directory

SYNOPSIS


fs setacl -dir <directory>+ -acl <access list entries>+
[-clear] [-negative] [-id] [-if] [-help]

fs sa -d <directory>+ -a <access list entries>+
[-c] [-n] [-id] [-if] [-h]

fs seta -d <directory>+ -a <access list entries>+
[-c] [-n] [-id] [-if] [-h]

DESCRIPTION


The fs setacl command adds the access control list (ACL) entries specified with the -acl
argument to the ACL of each directory named by the -dir argument.

If the -dir argument designates a pathname in DFS filespace (accessed via the AFS/DFS
Migration Toolkit Protocol Translator), it can be a file as well as a directory. The ACL
must already include an entry for "mask_obj", however.

Only user and group entries are acceptable values for the -acl argument. Do not place
machine entries (IP addresses) directly on an ACL; instead, make the machine entry a group
member and place the group on the ACL.

To completely erase the existing ACL before adding the new entries, provide the -clear
flag. To add the specified entries to the "Negative rights" section of the ACL (deny
rights to specified users or groups), provide the -negative flag.

To display an ACL, use the fs listacl command. To copy an ACL from one directory to
another, use the fs copyacl command.

CAUTIONS


If the ACL already grants certain permissions to a user or group, the permissions
specified with the fs setacl command replace the existing permissions, rather than being
added to them.

Setting negative permissions is generally unnecessary and not recommended. Simply omitting
a user or group from the "Normal rights" section of the ACL is normally adequate to
prevent access. In particular, note that it is futile to deny permissions that are granted
to members of the system:anyuser group on the same ACL; the user needs only to issue the
unlog command to receive the denied permissions.

When including the -clear option, be sure to reinstate an entry for each directory's owner
that includes at least the "l" (lookup) permission. Without that permission, it is
impossible to resolve the "dot" (".") and "dot dot" ("..") shorthand from within the
directory. (The directory's owner does implicitly have the "a" (administer) permission
even on a cleared ACL, but must know to use it to add other permissions.)

OPTIONS


-dir <directory>+
Names each AFS directory, or DFS directory or file, for which to set the ACL. Partial
pathnames are interpreted relative to the current working directory.

Specify the read/write path to each directory (or DFS file), to avoid the failure that
results from attempting to change a read-only volume. By convention, the read/write
path is indicated by placing a period before the cell name at the pathname's second
level (for example, /afs/.abc.com). For further discussion of the concept of
read/write and read-only paths through the filespace, see the fs mkmount reference
page.

-acl <access list entries>+
Defines a list of one or more ACL entries, each a pair that names:

· A user name or group name as listed in the Protection Database.

· One or more ACL permissions, indicated either by combining the individual letters
or by one of the four acceptable shorthand words.

in that order, separated by a space (thus every instance of this argument has two
parts). The accepted AFS abbreviations and shorthand words, and the meaning of each,
are as follows:

a (administer)
Change the entries on the ACL.

d (delete)
Remove files and subdirectories from the directory or move them to other
directories.

i (insert)
Add files or subdirectories to the directory by copying, moving or creating.

k (lock)
Set read locks or write locks on the files in the directory.

l (lookup)
List the files and subdirectories in the directory, stat the directory itself, and
issue the fs listacl command to examine the directory's ACL.

r (read)
Read the contents of files in the directory; issue the "ls -l" command to stat the
elements in the directory.

w (write)
Modify the contents of files in the directory, and issue the UNIX chmod command to
change their mode bits.

A, B, C, D, E, F, G, H
Have no default meaning to the AFS server processes, but are made available for
applications to use in controlling access to the directory's contents in
additional ways. The letters must be uppercase.

all Equals all seven permissions ("rlidwka").

none
No permissions. Removes the user/group from the ACL, but does not guarantee they
have no permissions if they belong to groups that remain on the ACL.

read
Equals the "r" (read) and "l" (lookup) permissions.

write
Equals all permissions except "a" (administer), that is, "rlidwk".

It is acceptable to mix entries that combine the individual letters with entries that
use the shorthand words, but not to use both types of notation within an individual
pairing of user or group and permissions.

Granting the "l" (lookup) and "i" (insert) permissions without granting the "w"
(write) and/or "r" (read) permissions is a special case, and grants rights
appropriate for "dropbox" directories. See the DROPBOXES section for details.

If setting ACLs on a pathname in DFS filespace, see the DFS documentation for the
proper format and acceptable values for DFS ACL entries.

-clear
Removes all existing entries on each ACL before adding the entries specified with the
-acl argument.

-negative
Places the specified ACL entries in the "Negative rights" section of each ACL,
explicitly denying the rights to the user or group, even if entries on the
accompanying "Normal rights" section of the ACL grant them permissions.

This argument is not supported for DFS files or directories, because DFS does not
implement negative ACL permissions.

-id Places the ACL entries on the Initial Container ACL of each DFS directory, which are
the only file system objects for which this flag is supported.

-if Places the ACL entries on the Initial Object ACL of each DFS directory, which are the
only file system objects for which this flag is supported.

-help
Prints the online help for this command. All other valid options are ignored.
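Because an entry for a name that is already on the ACL replaces that name's rights rather
than adding to them, and because -clear also discards the "Negative rights" section, it is
worth previewing what an fs setacl invocation will produce before running it against a
live volume. The following function is an added example and is not part of OpenAFS or of
this manual page: it re-implements the merge rules described under -acl, -clear and
-negative (and in CAUTIONS) over text in fs listacl format, taking the name/rights pairs
directly as arguments instead of via -dir and -acl, and prints entries in insertion order
rather than in the order the real fs listacl displays them. The starting ACL is the
"reports" directory from the EXAMPLES section.

```shell
#!/bin/sh
# simulate_setacl: apply fs setacl's documented merge rules to an ACL given in
# "fs listacl" format on stdin and print the resulting ACL in the same format.
# Pure text processing; it never calls fs, so it can be used to preview a
# change before typing the real command.
#   usage: simulate_setacl [-clear] [-negative] <name> <rights> [<name> <rights> ...]
# Rules implemented (from the man page): an entry for an existing name replaces
# that name's rights rather than adding to them; "all"/"write"/"read" expand to
# rlidwka/rlidwk/rl; "none" removes the entry; -clear drops every existing
# entry first; -negative targets the Negative rights section. Letters are
# printed in the canonical rlidwka order, as fs listacl does.
simulate_setacl() {
    clear=0; negative=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -clear|-c)    clear=1;    shift ;;
            -negative|-n) negative=1; shift ;;
            *) break ;;
        esac
    done
    if [ $(( $# % 2 )) -ne 0 ]; then
        echo "simulate_setacl: -acl takes name/rights pairs" >&2
        return 1
    fi
    {
        cat                                  # current ACL, fs listacl format
        echo "__ENTRIES__"                   # separator between ACL and new entries
        [ $# -gt 0 ] && printf '%s %s\n' "$@"
    } | awk -v clear="$clear" -v negative="$negative" '
    function expand(r,   out, canon, i, c) {
        if (r == "all")   return "rlidwka"
        if (r == "write") return "rlidwk"
        if (r == "read")  return "rl"
        if (r == "none")  return ""
        out = ""; canon = "rlidwkaABCDEFGH"   # canonical display order
        for (i = 1; i <= length(canon); i++) {
            c = substr(canon, i, 1)
            if (index(r, c)) out = out c
        }
        return out
    }
    function put(name, r, isneg) {
        if (isneg) { if (!(name in neg))    dorder[++nd] = name; neg[name]    = r }
        else       { if (!(name in normal)) norder[++nn] = name; normal[name] = r }
    }
    BEGIN { mode = "acl"; section = "N" }
    /^__ENTRIES__$/                        { mode = "entries"; next }
    mode == "acl" && /^Access list for /   { header = $0; next }
    mode == "acl" && /^Normal rights:/     { section = "N"; next }
    mode == "acl" && /^Negative rights:/   { section = "D"; next }
    mode == "acl" && NF == 2 && !clear     { put($1, $2, section == "D"); next }
    mode == "entries" && NF == 2           { put($1, expand($2), negative) }
    END {
        if (header != "") print header
        print "Normal rights:"
        for (i = 1; i <= nn; i++)
            if (normal[norder[i]] != "") print norder[i], normal[norder[i]]
        for (i = 1; i <= nd; i++)
            if (neg[dorder[i]] != "") { if (!shown++) print "Negative rights:"; print dorder[i], neg[dorder[i]] }
    }'
}

# Constructed starting ACL: the "reports" directory from the EXAMPLES section.
REPORTS_ACL='Access list for reports is
Normal rights:
system:authuser rl
pat:friends rlid
smith rlidwk
pat rlidwka
Negative rights:
terry rl'

# Same -clear invocation as in EXAMPLES: everything, including the negative
# entry for terry, is gone and only the three new entries remain.
demo_clear() {
    printf '%s\n' "$REPORTS_ACL" | simulate_setacl -clear pat all smith write system:anyuser rl
}
# Without -clear: smith's rlidwk is replaced by rl (not merged), pat:friends is
# removed by "none", and terry's negative entry survives untouched.
demo_replace() {
    printf '%s\n' "$REPORTS_ACL" | simulate_setacl smith rl pat:friends none
}
demo_clear; echo; demo_replace
```

To preview a real change, pipe the live ACL in: fs listacl -path /afs/.abc.com/user/pat/reports |
simulate_setacl smith rl. The script does not validate letters it does not know; unknown
characters are silently dropped, whereas the real fs setacl rejects them.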

DROPBOXES


If an accessing user has the "l" (lookup) and "i" (insert) permissions on a directory, but
not the "w" (write) and/or "r" (read) permissions, the user is implicitly granted the
ability to write and/or read any file they create in that directory, until they close the
file. This is to allow "dropbox"-style directories to exist, where users can deposit
files, but cannot modify them later nor can they modify or read any files deposited in the
directory by other users.

Note, however, that the dropbox functionality is not perfect. The fileserver does not have
knowledge of when a file is opened or closed on the client, and so the fileserver always
allows an accessing user to read or write to a file in a "dropbox" directory if they own
the file. While the client prevents the user from reading or modifying their deposited
file later, this is not enforced on the fileserver, and so should not be relied on for
security.

Additionally, if "dropbox" permissions are granted to "system:anyuser", unauthenticated
users may deposit files in the directory. If an unauthenticated user deposits a file in
the directory, the new file will be owned by the unauthenticated user ID, and is thus
potentially modifiable by anyone.

To reduce the chance of accidentally publicizing private data, the fileserver may refuse
read requests for "dropbox" files from unauthenticated users. As a result, depositing
files as an unauthenticated user may fail unpredictably if "system:anyuser" has been
granted dropbox permissions. While this should be rare, it is not completely preventable,
and so relying on unauthenticated users being able to deposit files in a dropbox is NOT
RECOMMENDED.
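Two of the pitfalls on this page (negative entries that system:anyuser renders futile, in
CAUTIONS, and dropbox rights granted to system:anyuser, above) and the rule in DESCRIPTION
against placing machine entries directly on an ACL can all be checked mechanically from
fs listacl output. The following audit script is an added example and is not part of
OpenAFS or of this manual page; it only parses text, so it runs without an AFS client. The
listacl output it reads is constructed for illustration: the 192.0.2.10 address, the
"incoming" directory and the user "jones" are invented.

```shell
#!/bin/sh
# audit_listacl: read "fs listacl" output on stdin and print one line per
# finding. Pure text processing; it never calls fs, so it runs without an AFS
# client. Findings, each drawn from this manual page:
#   FUTILE-NEGATIVE  a Negative rights entry whose letters are all granted to
#                    system:anyuser under Normal rights; the denied user need
#                    only run unlog to be treated as system:anyuser
#   ANON-DROPBOX     system:anyuser holds "i" without both "r" and "w", so
#                    unauthenticated users can deposit files (not recommended)
#   MACHINE-ENTRY    an IP address placed directly on the ACL instead of via a group
audit_listacl() {
    awk '
    /^Access list for / { dir = $4; section = ""; split("", normal); next }
    /^Normal rights:/   { section = "N"; next }
    /^Negative rights:/ { section = "D"; next }
    NF == 2 && section == "N" {
        normal[$1] = $2
        if ($1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
            printf "MACHINE-ENTRY %s: %s is an IP address; make it a group member and list the group\n", dir, $1
        if ($1 == "system:anyuser" && index($2, "i") && !(index($2, "r") && index($2, "w")))
            printf "ANON-DROPBOX %s: system:anyuser %s lets unauthenticated users deposit files\n", dir, $2
        next
    }
    NF == 2 && section == "D" {
        anon = normal["system:anyuser"]
        covered = (anon != "")
        # the denial is futile only if every denied letter is granted to anyuser
        for (i = 1; i <= length($2); i++)
            if (!index(anon, substr($2, i, 1))) covered = 0
        if (covered)
            printf "FUTILE-NEGATIVE %s: %s is denied %s but system:anyuser is granted %s; unlog bypasses the denial\n", dir, $1, $2, anon
    }'
}

# Constructed fs listacl output for two directories (not real output):
# "reports" has an IP address on the ACL and two negative entries, only one of
# which is fully covered by system:anyuser; "incoming" is an anonymous dropbox.
SAMPLE_LISTACL='Access list for reports is
Normal rights:
system:anyuser rl
192.0.2.10 rl
pat rlidwka
Negative rights:
terry rl
jones rlw
Access list for incoming is
Normal rights:
system:anyuser li
pat rlidwka'

# Stand-alone demo over the sample. Against a live cell, pipe real output in:
#   fs listacl -path /afs/.abc.com/user/pat/reports | audit_listacl
audit_sample() { printf '%s\n' "$SAMPLE_LISTACL" | audit_listacl; }
audit_sample
```

Note that a negative entry is reported only when system:anyuser, not system:authuser,
holds the denied letters: in the EXAMPLES section below, "terry rl" under Negative rights
alongside "system:authuser rl" is effective, because unlog leaves terry unauthenticated
and therefore outside system:authuser.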

EXAMPLES


The following example adds two entries to the "Normal rights" section of the current
working directory's ACL: the first entry grants "r" (read) and "l" (lookup) permissions to
the group pat:friends, while the other (using the "write" shorthand) gives all permissions
except "a" (administer) to the user "smith".

% fs setacl -dir . -acl pat:friends rl smith write

% fs listacl -path .
Access list for . is
Normal rights:
pat:friends rl
smith rlidwk

The following example includes the -clear flag, which removes the existing permissions (as
displayed with the fs listacl command) from the current working directory's reports
subdirectory and replaces them with a new set.

% fs listacl -dir reports
Access list for reports is
Normal rights:
system:authuser rl
pat:friends rlid
smith rlidwk
pat rlidwka
Negative rights:
terry rl

% fs setacl -clear -dir reports -acl pat all smith write system:anyuser rl

% fs listacl -dir reports
Access list for reports is
Normal rights:
system:anyuser rl
smith rlidwk
pat rlidwka

The following example uses the -dir and -acl switches because it sets the ACL for more
than one directory (both the current working directory and its public subdirectory).

% fs setacl -dir . public -acl pat:friends rli

% fs listacl -path . public
Access list for . is
Normal rights:
pat rlidwka
pat:friends rli
Access list for public is
Normal rights:
pat rlidwka
pat:friends rli

PRIVILEGE REQUIRED


The issuer must have the "a" (administer) permission on the directory's ACL, be a member
of the system:administrators group, or, as a special case, be the UID owner of the top-
level directory of the volume containing this directory. The last provision allows the
UID owner of a volume to repair accidental ACL errors without requiring intervention by a
member of system:administrators.

Earlier versions of OpenAFS also extended implicit administer permission to the owner of
any directory. In current versions of OpenAFS, only the owner of the top-level directory
of the volume has this special permission.
