aclput Command

Purpose

Sets the access control information of a file.

Syntax

aclput [ -i inAclFile ] [ -R ] [ -t acl_type ] [ -v ] FileObject

Description

The aclput command sets the access control information of the file object specified by the FileObject parameter. The command reads standard input for the access control information, unless you specify the -i flag.

Note: If you are reading from standard input, your entries must match the expected format of the access control information or you will get an error message. Use the Ctrl-D key sequence to complete the session.

Access Control List

Access Control Lists (ACLs) form the core of protection for file system objects. Each file system object is uniquely associated with one piece of data, called an ACL, that defines the access rights to the object. An ACL can consist of multiple Access Control Entries (ACEs), each defining one particular set of access rights for a user. Typically, an ACE consists of information such as identification (to whom this ACE applies) and access rights (allow-read, deny-write). An ACE might also capture information such as inheritance flags and alarm and audit flags. The format and enforcement of ACL data depend entirely on the ACL type in which they are defined. AIX® provides for the existence of multiple ACL types on the operating system. The list of ACLs supported by a file system instance depends on the physical file system implementation for that file system instance.

Flags

Item Description
-i inAclFile Specifies the input file for access control information. If the access control information in the file specified by the inAclFile parameter is not correct, then when you try to apply it to a file, an error message preceded by an asterisk is added to the input file.
Note: The size of the ACL information depends on the ACL type.
-R Applies the ACL to this directory and its child file system objects recursively.
-t acl_type Specifies the ACL type of the ACL information being displayed. If this option is not provided, the actual ACL data in its original ACL type will be displayed. The supported ACL types are ACLX and NFS4.
-v Verbose option. This option displays many comment lines as part of the ACL data display. This could help in understanding the details of complex ACL types.

Security

Access Control

This command should be a standard user program and have the trusted computing base attribute.

Auditing Events

If the auditing subsystem is properly configured and is enabled, the aclput command generates the following audit record or event every time the command is run:

Event Information
FILE_WriteXacl Modification to access controls.

Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Examples

  1. To set the access control information for the status file with information from standard input, enter:
    aclput status
    attributes: SUID
    and then press the Ctrl-D sequence to exit the session.
  2. To set the access control information for the status file with information stored in the acldefs file, enter:

    aclput -i acldefs status

  3. To set the access control information for the status file with the same information used for the plans file, enter:
    aclget plans | aclput status
  4. To set the access control information for the status file with an edited version of the access control information for the plans file, you must enter two commands. First, enter:

    aclget -o acl plans

    This stores the access control information for the plans file in the acl file. Edit the information in the acl file, using your favorite editor. Then, enter:

    aclput -i acl status

    This second command takes the access control information in the acl file and puts it on the status file.
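
The following wrapper is an added example, not part of the original documentation or IBM's code. It combines the aclget -o and aclput -i steps of example 4 with the -i behavior described under Flags: the current ACL is saved first, aclput is given a private copy of the ACL file, and any new line beginning with an asterisk is treated as a rejection that triggers a restore. The function names, the use of mktemp, and the reliance on a nonzero aclput exit status are assumptions.

```shell
#!/bin/sh
# Added example (not IBM's code). aclget -o and aclput -i are used as shown on
# this page; mktemp and a nonzero aclput exit status on error are assumptions.

# new_star_lines ORIGINAL ANNOTATED
# Print lines of ANNOTATED that begin with "*" and do not occur in ORIGINAL,
# so asterisk lines already present in the ACL file are not reported.
new_star_lines() {
    grep '^[[:space:]]*\*' "$2" | grep -F -x -v -f "$1" || true
}

# apply_acl ACLFILE TARGET
# Returns 0 if applied, 1 if rejected (previous ACL restored), 2 on setup failure.
apply_acl() {
    aclfile=$1
    target=$2
    backup=$(mktemp) || return 2
    work=$(mktemp) || { rm -f "$backup"; return 2; }

    # Save the current ACL so a rejected change can be rolled back.
    if ! aclget -o "$backup" "$target"; then
        rm -f "$backup" "$work"
        return 2
    fi

    # aclput annotates its input file on error, so hand it a private copy and
    # keep the reviewed ACL definition unchanged.
    cp "$aclfile" "$work" || { rm -f "$backup" "$work"; return 2; }
    rc=0
    aclput -i "$work" "$target" || rc=$?

    errors=$(new_star_lines "$aclfile" "$work")
    if [ "$rc" -ne 0 ] || [ -n "$errors" ]; then
        echo "aclput rejected $aclfile for $target (exit $rc):" >&2
        if [ -n "$errors" ]; then echo "$errors" >&2; fi
        aclput -i "$backup" "$target" || echo "restore of $target failed" >&2
        rm -f "$backup" "$work"
        return 1
    fi
    rm -f "$backup" "$work"
    return 0
}
```

With the auditing subsystem enabled, a rejected attempt followed by a restore appears as more than one FILE_WriteXacl event for the same object.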

Files

Item Description
/usr/bin/aclput Contains the aclput command.