mmgetacl command

Displays the GPFS access control list of a file or directory.

Synopsis

mmgetacl [-d] [-o OutFilename] [-k {nfs4 | posix | native}] Filename

Availability

Available on all IBM Spectrum Scale editions. Available on AIX® and Linux.

Description

Use the mmgetacl command to display the ACL of a file or directory.

For information about NFS V4 ACLs, see Managing GPFS access control lists and Native NFS and GPFS.

Users may need to see ACLs in their true form as well as how they are translated for access evaluations. There are four cases:
  1. By default, mmgetacl returns the ACL in a format consistent with the file system setting, specified using the -k flag on the mmcrfs or mmchfs commands.

    If the setting is posix, the ACL is shown as a traditional ACL.

    If the setting is nfs4, the ACL is shown as an NFS V4 ACL.

    If the setting is all, the ACL is returned in its true form.

  2. The command mmgetacl -k nfs4 always produces an NFS V4 ACL.
  3. The command mmgetacl -k posix always produces a traditional ACL.
  4. The command mmgetacl -k native always shows the ACL in its true form regardless of the file system setting.
The following describes how mmgetacl works for POSIX and NFS V4 ACLs:
Command               ACL    mmcrfs -k  Display        -d (default)
-------------------   -----  ---------  -------------  --------------
mmgetacl              posix  posix      Access ACL     Default ACL
mmgetacl              posix  nfs4       NFS V4 ACL     Error[1]
mmgetacl              posix  all        Access ACL     Default ACL
mmgetacl              nfs4   posix      Access ACL[2]  Default ACL[2]
mmgetacl              nfs4   nfs4       NFS V4 ACL     Error[1]
mmgetacl              nfs4   all        NFS V4 ACL     Error[1]
mmgetacl -k native    posix  any        Access ACL     Default ACL
mmgetacl -k native    nfs4   any        NFS V4 ACL     Error[1]
mmgetacl -k posix     posix  any        Access ACL     Default ACL
mmgetacl -k posix     nfs4   any        Access ACL[2]  Default ACL[2]
mmgetacl -k nfs4      any    any        NFS V4 ACL     Error[1]
---------------------------------------------------------------------
[1] NFS V4 ACLs include inherited entries. Consequently, there cannot 
    be a separate default ACL.
[2] Only the mode entries (owner, group, everyone) are translated.
    The rwx values are derived from the NFS V4 file mode attribute.
    Since the NFS V4 ACL is more granular in nature, some information
    is lost in this translation.
---------------------------------------------------------------------

Parameters

Filename
The path name of the file or directory for which the ACL is to be displayed. If the -d option is specified, Filename must contain the name of a directory.

Options

-d
Specifies that the default ACL of a directory is to be displayed.
-k {nfs4 | posix | native}
nfs4
Always produces an NFS V4 ACL.
posix
Always produces a traditional ACL.
native
Always shows the ACL in its true form regardless of the file system setting.
-o OutFilename
The path name of a file to which the ACL is to be written.

Exit status

0
Successful completion.
nonzero
A failure has occurred.

Security

You must have read access to the directory where the file exists to run the mmgetacl command.

You may issue the mmgetacl command only from a node in the GPFS cluster where the file system is mounted.

Examples

  1. To display the ACL for a file named project2.history, issue this command:
    mmgetacl project2.history
    The system displays information similar to:
    #owner:paul
    #group:design
    user::rwxc
    group::r-x-
    other::r-x-
  2. This is an example of an NFS V4 ACL displayed using mmgetacl. Each entry consists of three lines reflecting the greater number of permissions in a text format. An entry is either an allow entry or a deny entry. An X indicates that the particular permission is selected; a minus sign (-) indicates that it is not selected. The following access control entry explicitly allows READ, EXECUTE and READ_ATTR to the staff group on a file:
    group:staff:r-x-:allow
     (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL  (X)READ_ATTR  (-)READ_NAMED
     (-)DELETE    (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
  3. This is an example of a directory ACL, which may include inherit entries (the equivalent of a default ACL). These do not apply to the directory itself, but instead become the initial ACL for any objects created within the directory. The following access control entry explicitly denies READ/LIST, READ_ATTR, and EXEC/SEARCH to the sys group.
    group:sys:----:deny:DirInherit
     (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL  (X)READ_ATTR  (-)READ_NAMED
     (-)DELETE    (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
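
The following Python parser is an added example, not part of the IBM documentation: it reads the three-line NFS V4 entry layout shown in examples 2 and 3 (as produced by mmgetacl -k nfs4) and lists allow entries that grant WRITE_ACL or CHOWN. The sample input is constructed from the two entries above plus a made-up user:alice entry in the same layout; the function names and the SENSITIVE set are assumptions chosen for illustration.

```python
import re

# Constructed sample: the two entries from examples 2 and 3, plus one
# made-up entry (user:alice) written in the same layout.
SAMPLE = """\
group:staff:r-x-:allow
 (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL  (X)READ_ATTR  (-)READ_NAMED
 (-)DELETE    (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
group:sys:----:deny:DirInherit
 (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL  (X)READ_ATTR  (-)READ_NAMED
 (-)DELETE    (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
user:alice:rwxc:allow
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (-)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (-)READ_NAMED
 (-)DELETE    (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
"""

PERM = re.compile(r"\((X|-)\)(\S+)")  # "(X)NAME" is selected, "(-)NAME" is not
# Permissions that let the holder change who has access (assumed audit policy).
SENSITIVE = {"WRITE_ACL", "CHOWN"}

def parse_nfs4_acl(text):
    """Return one dict per access control entry in mmgetacl NFS V4 text output."""
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or "#owner:" / "#group:" style header
        if stripped.startswith("("):  # one of the two permission lines
            if not entries:
                raise ValueError("permission line before any entry: " + line)
            entries[-1]["perms"].update(n for m, n in PERM.findall(stripped) if m == "X")
            continue
        fields = stripped.split(":")  # type:name:mask:allow|deny[:inherit flags]
        if len(fields) < 4 or fields[3] not in ("allow", "deny"):
            raise ValueError("not an NFS V4 ACL entry: " + line)
        entries.append({"type": fields[0], "name": fields[1], "mask": fields[2],
                        "action": fields[3], "flags": fields[4:], "perms": set()})
    return entries

def sensitive_allows(entries):
    """Allow entries that grant a permission in SENSITIVE, as (type, name, perms)."""
    return [(e["type"], e["name"], sorted(e["perms"] & SENSITIVE))
            for e in entries if e["action"] == "allow" and e["perms"] & SENSITIVE]

if __name__ == "__main__":
    for e in parse_nfs4_acl(SAMPLE):
        print(e["action"], e["type"], e["name"], e["flags"], sorted(e["perms"]))
    print("review:", sensitive_allows(parse_nfs4_acl(SAMPLE)))
```

A traditional (POSIX) ACL line such as user::rwxc raises ValueError, so run the parser on output requested with -k nfs4.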

Location

/usr/lpp/mmfs/bin