Access Control List Management

You can use commands to view and set ACLs.

Applications programmers and other subsystem developers can use the ACL library interfaces and ACL conversion routines described in this section.

ACL administration commands

You can use the following commands to work with ACLs for a file system object:

aclget
Writes the ACL of the file object named FileObject to standard output in readable format, or to the output file named outAclFile.
aclput
Sets the ACL of FileObject on the file system using the input specified through standard input or inAclFile.
acledit
Opens an editor for editing the ACL of the specified FileObject.
aclconvert
Converts an ACL from one type to another type. This command fails if the conversion is not supported.
aclgettypes
Gets ACL types supported by a file system path.

ACL library interfaces

ACL library interfaces act as front ends for applications that need to access ACLs. Applications (including the generic ACL administration commands listed above) do not invoke the undocumented ACL syscalls directly; they reach the generic syscalls and the type-specific loadable modules through the library interfaces. This shields application programmers from the complexity of the loadable modules and reduces backward binary compatibility problems in future AIX® releases.

The following library interfaces call syscalls.

aclx_fget and aclx_get
The aclx_get and aclx_fget functions retrieve the access control information for a file system object and place it in the memory region specified by acl. The size and type of that ACL are returned in *acl_sz and *acl_type.
aclx_fput and aclx_put
The aclx_put and aclx_fput functions store the access control information specified in acl for the given file object. These functions do not perform ACL type conversion; a caller that needs a different ACL type must call aclx_convert explicitly before storing the ACL.
aclx_gettypes
The aclx_gettypes function gets the list of ACL types supported on a particular file system. A file system type can support more than one ACL type simultaneously, but each file system object is associated with exactly one ACL type from that list.
aclx_gettypeinfo
The aclx_gettypeinfo function gets the characteristics and capabilities of an ACL type on the file system specified by path. Note that the ACL characteristics are normally returned in a data structure that is specific to each ACL type. The data structures used for AIXC and NFS4 ACLs will be described in a separate document.
aclx_print and aclx_printStr
These two functions convert an ACL from binary format into its textual representation. They are called by the aclget and acledit commands.
aclx_scan and aclx_scanStr
These two functions convert the textual representation of an ACL into binary format. They are the inverse of aclx_print and aclx_printStr and are used when an ACL edited as text is stored with aclx_put.
aclx_convert
Converts an ACL from one type to another. This function is used for the implicit conversion performed by commands such as cp, mv, and tar.

ACL conversion

ACL conversion allows you to convert an ACL of one type to another type. Which ACL types are available depends on which types a specific physical file system supports, and not all file systems support all ACL types. For example, file system one might support only the AIXC ACL type, while file system two supports both AIXC and NFS4 ACL types. You can copy AIXC ACLs between the two file systems directly, but you must use ACL conversion to copy NFS4 ACLs from file system two to file system one. ACL conversion preserves the access control information as far as possible.

Note: The conversion process is approximate and could result in loss of access control information. You should consider this when planning your ACL conversions.
ACL conversion in the AIX operating system is supported with the following infrastructure:
Library routines
These routines, together with the user-level ACL framework, enable conversion from one ACL type to another.
aclconvert command
This command converts ACLs.
aclput and acledit commands
These commands can be used to change the ACL type of a file system object when the ACL is written.
cp and mv commands
These commands have been enabled to handle multiple ACL types and perform any internal ACL conversion, as necessary.
backup command
This command converts the ACL information to a known type and form (the AIXC ACL type) if requested to back up in the legacy format. To retrieve the ACL in its native format, specify the -U option. See backup for more information.
Each ACL type is unique, and the granularity of the access control masks varies widely from one ACL type to another. The conversion algorithms are approximate and are not equivalent to converting an ACL by hand; in some cases the conversion is not exact. For example, NFS4 ACLs cannot be converted faithfully to AIXC ACLs, because NFS4 ACLs provide up to 16 access masks and inheritance features that the AIXC ACL type does not support. Do not use the ACL conversion facilities and interfaces if loss of access control information is a concern.
Note: The ACL conversion algorithms are proprietary in nature and are subject to change.
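Because cp and mv convert ACLs internally when the destination file system does not support the source object's ACL type, a copy from an NFS4-capable file system to an AIXC-only one can silently weaken access control. The following script is an added example and is not part of the AIX documentation or any AIX tool: it uses the aclget and aclgettypes commands from the command section above to detect that situation before copying, refuses the copy unless the environment variable ACL_ALLOW_LOSSY=1 is set, and in that case keeps the exact original ACL text as an audit record. It assumes that aclget prints a header line of the form "* ACL_type   NFS4", that aclgettypes prints the supported type names as bare tokens, and that cp -p preserves the ACL; all three are assumptions, and the functions that decide "ok" or "lossy" work on the command output as text so they can be tested with constructed samples.

```shell
#!/bin/sh
# Added example (not from the AIX documentation): refuse to copy a file when the
# destination file system cannot keep the source object's ACL type, so that cp
# does not perform a lossy conversion (for example NFS4 -> AIXC) unnoticed.
#
# Assumptions: aclget prints a header line "* ACL_type   <TYPE>"; aclgettypes
# prints the supported type names as bare tokens (AIXC, NFS4, ...); cp -p
# preserves the ACL of the source object.

# Print the ACL type named in aclget's textual output (the "* ACL_type" header).
acl_type_from_text() {
    printf '%s\n' "$1" | awk '$1 == "*" && $2 == "ACL_type" { print $3; exit }'
}

# Return 0 if WANT is one of the type tokens in LIST (the aclgettypes output).
# Only bare tokens are compared, so surrounding wording or commas do not matter.
acl_type_supported() {
    want=$1
    list=$2
    for tok in $(printf '%s\n' "$list" | tr ',' ' '); do
        [ "$tok" = "$want" ] && return 0
    done
    return 1
}

# Classify a planned copy: "ok" when the destination keeps the source ACL type,
# "lossy" when cp would have to convert it to another type.
classify_copy() {
    srctype=$1
    dsttypes=$2
    if acl_type_supported "$srctype" "$dsttypes"; then
        echo ok
    else
        echo lossy
    fi
}

# Copy SRC to DST. A lossy copy is refused (exit 3) unless ACL_ALLOW_LOSSY=1;
# when allowed, the original ACL text is saved next to DST before cp converts it.
safe_cp() {
    src=$1
    dst=$2
    srcacl=$(aclget "$src") || return 2
    srctype=$(acl_type_from_text "$srcacl")
    dsttypes=$(aclgettypes "$(dirname "$dst")") || return 2
    case $(classify_copy "$srctype" "$dsttypes") in
        ok)
            cp -p "$src" "$dst"
            ;;
        lossy)
            if [ "${ACL_ALLOW_LOSSY:-0}" != 1 ]; then
                echo "refusing: $src has a $srctype ACL; destination supports: $dsttypes" >&2
                return 3
            fi
            # Keep the exact pre-conversion ACL so the loss can be reviewed later.
            printf '%s\n' "$srcacl" > "$dst.acl.orig"
            cp -p "$src" "$dst"
            ;;
    esac
}

# Usage: sh safe_cp.sh SRC DST   (does nothing when run without arguments)
if [ $# -eq 2 ]; then
    safe_cp "$1" "$2"
fi
```

The classification is deliberately separated from the command invocations: classify_copy can be exercised with captured aclget and aclgettypes output, and the refusal path is the default, so an operator has to opt in to a conversion that the documentation itself describes as approximate.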