mmeditacl command

Creates or changes a GPFS™ access control list.

Synopsis

mmeditacl [-d] [-k {nfs4 | posix | native}] Filename

Availability

Available on all IBM Spectrum Scale™ editions.

Description

Use the mmeditacl command for interactive editing of the ACL of a file or directory. This command uses the default editor, specified in the EDITOR environment variable, to display the current access control information, and allows the file owner to change it. The command verifies the change request with the user before making permanent changes.

This command cannot be run from a Windows node.

The EDITOR environment variable must contain a complete path name, for example:
export EDITOR=/bin/vi

For information about NFS V4 ACLs, see Managing GPFS access control lists and NFS and GPFS.

Users may need to see ACLs in their true form as well as how they are translated for access evaluations. There are four cases:
  1. By default, mmeditacl returns the ACL in a format consistent with the file system setting, specified using the -k flag on the mmcrfs or mmchfs commands.
    • If the setting is posix, the ACL is shown as a traditional ACL.
    • If the setting is nfs4, the ACL is shown as an NFS V4 ACL.
    • If the setting is all, the ACL is returned in its true form.
  2. The command mmeditacl -k nfs4 always produces an NFS V4 ACL.
  3. The command mmeditacl -k posix always produces a traditional ACL.
  4. The command mmeditacl -k native always shows the ACL in its true form regardless of the file system setting.
The following describes how mmeditacl works for POSIX and NFS V4 ACLs:
Command               ACL    mmcrfs -k  Display        -d (default)
-------------------   -----  ---------  -------------  --------------
mmeditacl             posix  posix      Access ACL     Default ACL
mmeditacl             posix  nfs4       NFS V4 ACL     Error[1]
mmeditacl             posix  all        Access ACL     Default ACL
mmeditacl             nfs4   posix      Access ACL[2]  Default ACL[2]
mmeditacl             nfs4   nfs4       NFS V4 ACL     Error[1]
mmeditacl             nfs4   all        NFS V4 ACL     Error[1]
mmeditacl -k native   posix  any        Access ACL     Default ACL
mmeditacl -k native   nfs4   any        NFS V4 ACL     Error[1]
mmeditacl -k posix    posix  any        Access ACL     Default ACL
mmeditacl -k posix    nfs4   any        Access ACL[2]  Default ACL[2]
mmeditacl -k nfs4     any    any        NFS V4 ACL     Error[1]
---------------------------------------------------------------------
[1] NFS V4 ACLs include inherited entries. Consequently, there cannot 
    be a separate default ACL.
[2] Only the mode entries (owner, group, everyone) are translated. 
    The rwx values are derived from the 
    NFS V4 file mode attribute. Since the NFS V4 ACL is more granular 
    in nature, some information is lost in this translation.
---------------------------------------------------------------------

In the case of NFS V4 ACLs, there is no concept of a default ACL. Instead, there is a single ACL and the individual access control entries can be flagged as being inherited (either by files, directories, both, or neither). Consequently, specifying the -d flag for an NFS V4 ACL is an error. By its nature, storing an NFS V4 ACL implies changing the inheritable entries (the GPFS default ACL) as well.

Depending on the file system's -k setting (posix, nfs4, or all), mmeditacl may be restricted. The mmeditacl command is not allowed to store an NFS V4 ACL if -k posix is in effect, and is not allowed to store a POSIX ACL if -k nfs4 is in effect. For more information, see the description of the -k flag for the mmchfs, mmcrfs, and mmlsfs commands.

Parameters

Filename
The path name of the file or directory for which the ACL is to be edited. If the -d option is specified, Filename must contain the name of a directory.

Options

-d
Specifies that the default ACL of a directory is to be edited.
-k {nfs4 | posix | native}
nfs4
Always produces an NFS V4 ACL.
posix
Always produces a traditional ACL.
native
Always shows the ACL in its true form regardless of the file system setting.

This option should not be used for routine ACL manipulation. It is intended to provide a way to show the translations that are done, for example, when a posix ACL is translated by NFS V4. Beware that if the -k nfs4 flag is used, but the file system does not allow NFS V4 ACLs, you will not be able to store the ACL that is returned. If the file system does support NFS V4 ACLs, the -k nfs4 flag is an easy way to convert an existing posix ACL to nfs4 format.

Exit status

0
Successful completion.
nonzero
A failure has occurred.

Security

You may issue the mmeditacl command only from a node in the GPFS cluster where the file system is mounted.

The mmeditacl command may be used to display an ACL. POSIX ACLs may be displayed by any user with access to the file or directory. NFS V4 ACLs have a READ_ACL permission that is required for non-privileged users to be able to see an ACL. To change an existing ACL, the user must be the owner, the root user, or someone with control permission (WRITE_ACL is required where the existing ACL is of type NFS V4).

Examples

To edit the ACL for a file named project2.history, issue this command:
mmeditacl project2.history
The current ACL entries are displayed using the default editor, provided that the EDITOR environment variable specifies a complete path name. When the file is saved, the system displays information similar to:
mmeditacl: 6027-967 Should the modified ACL be applied? (yes) or (no) 
After responding yes, the ACLs are applied.
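
A pre-flight check for the restrictions described above (complete EDITOR path name, the -d rules, and the file system's -k setting), as an added example that is not part of the IBM documentation. The function name mmeditacl_preflight and its argument order are hypothetical, and the caller supplies the -k setting and ACL type instead of the script querying GPFS:

```shell
#!/bin/sh
# Added example: pre-flight checks to run before mmeditacl.
# The function name and argument order are hypothetical, not part of GPFS.
# usage: mmeditacl_preflight EDITOR_PATH FS_K ACL_TYPE USE_D FILENAME
#   FS_K     file system -k setting: posix | nfs4 | all
#   ACL_TYPE type of ACL you intend to store: posix | nfs4
#   USE_D    1 if -d will be passed to mmeditacl, otherwise 0
mmeditacl_preflight() {
    editor=$1 fs_k=$2 acl_type=$3 use_d=$4 target=$5

    # EDITOR must contain a complete path name.
    case $editor in
        /*) ;;
        *) echo "EDITOR is not a complete path name: '$editor'"; return 1 ;;
    esac
    # Added sanity check (not stated on the page): the editor must be executable.
    [ -x "$editor" ] || { echo "EDITOR is not executable: $editor"; return 1; }

    case $fs_k in posix|nfs4|all) ;; *) echo "unknown -k setting: $fs_k"; return 2 ;; esac
    case $acl_type in posix|nfs4) ;; *) echo "unknown ACL type: $acl_type"; return 2 ;; esac

    # An NFS V4 ACL has no separate default ACL, so -d is an error.
    if [ "$use_d" = 1 ] && [ "$acl_type" = nfs4 ]; then
        echo "-d is an error for an NFS V4 ACL"; return 3
    fi
    # With -d, Filename must name a directory.
    if [ "$use_d" = 1 ] && [ ! -d "$target" ]; then
        echo "-d requires a directory: $target"; return 3
    fi

    # The file system's -k setting restricts which ACL type can be stored.
    if [ "$fs_k" = posix ] && [ "$acl_type" = nfs4 ]; then
        echo "cannot store an NFS V4 ACL while -k posix is in effect"; return 4
    fi
    if [ "$fs_k" = nfs4 ] && [ "$acl_type" = posix ]; then
        echo "cannot store a POSIX ACL while -k nfs4 is in effect"; return 4
    fi
    echo ok
}
```

A typical call is mmeditacl_preflight "$EDITOR" all posix 0 project2.history; a nonzero return identifies which rule would make the edit fail.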

Location

/usr/lpp/mmfs/bin