SNACL

Section: User Commands (1)
Updated: August 2016

NAME

snacl – Display and modify ACLs

SYNOPSIS

snacl [-D] [-R] [-r] [-x] -l file…
snacl [-D] [-R] { +a | +ai | +a# index | +ai# index } ACE file…
snacl [-D] [-R] { -a ACE | -a# index } file…
snacl [-D] [-R] { =a# | =ai# } index ACE file…
snacl [-D] [-R] { -E | -C | -i | -I | -N } file…

DESCRIPTION

snacl is used to display and modify Windows-style ACLs for files and directories on a StorNext file system.

OPTIONS

-l file
The -l option is used to display security information including file ownership, POSIX permission bits, and ACLs. Use of -l requires read permission on the specified file, which may be a file or directory.
+a ACE file
The +a option is used to add an ACE to an ACL while maintaining canonical order. If the ACL for the file is not currently in canonical order, the use of +a is not allowed and +a# must be used instead when adding ACEs. See the section CANONICAL ORDERING below.
+ai ACE file
The +ai option behaves the same as the +a option except that added ACEs are marked with the inherited bit.
+a# index ACE file
The +a# option is used to add an ACE to an ACL at the specified index.
+ai# index ACE file
The +ai# option behaves the same as the +a# option except that added ACEs are marked with the inherited bit.
-a ACE file
The -a option is used to delete ACEs. Existing DACL entries matching ACE are deleted if they match exactly. If an existing entry contains a superset of the rights specified by ACE, only the listed rights are removed. When using -a on a directory, ACEs for the directory's descendants are not affected unless the -R option is also specified.
-a# index file
The -a# option is used to delete an ACE at the specified index.
=a# index ACE file
The =a# option is used to replace an ACE at the specified index.
=ai# index ACE file
The =ai# option behaves the same as the =a# option except that added ACEs are marked with the inherited bit.
-E
The -E option is used to assign ACEs to a file by reading values from stdin separated by newlines. If the file has an existing ACL, it is first removed.
-C
The -C option is used to determine whether files contain ACLs in non-canonical order. When -C is used, snacl exits with a value of 0 if any of the specified files contains an ACL in non-canonical order. Otherwise, non-zero is returned.
-D
The -D option enables debugging.
-i
The -i option is used to remove the inherited bit from all ACEs in the specified files.
-I
The -I option is used to remove all inherited ACEs from specified files.
-N
The -N option is used to completely remove the ACL (all ACEs) from the specified files.
-r
The -r option forces snacl to display raw SIDs when listing ACEs instead of mapping them to user and group names.
-R
The -R option causes snacl to perform the requested operation recursively.
-x
The -x option causes snacl to operate in “expert” mode when displaying security information so that additional, low-level information about the security descriptor is shown. This option may be removed in a future release or its output format changed.

ACE FORMAT

ACEs are specified using the following syntax:

principal { allow | deny } permissions_and_inheritance_flags

The principal is the name of a user or group. In cases where a user and a group exist with the same name, it must be prefixed with "user:" or "group:" to remove ambiguity. If a user or group name contains spaces, the spaces should be replaced with plus (+) signs. For example, for the group "Domain Users", specify "domain+users". Alternatively, spaces are allowed in principal names if colons (:) are used as the delimiter. For example: "user:fred flintstone:allow:read"

The permissions_and_inheritance_flags field is a comma-separated list of permissions and inheritance flags, which may be mixed. Each ACE must have at least one permission specified.

The following section provides all the permission keywords and a description of the actions they grant.

The following permissions apply to both files and directories:

delete
Remove the file or directory. Deletion is granted either by this permission or by the delete_child permission on the parent directory.
readattr
Read the basic attributes from a file or directory. This is implicitly granted if the file or directory can be looked up and it is not explicitly denied.
writeattr
Update basic attributes for a file or directory.
readextattr
List or read the extended attributes for a file or directory.
writeextattr
Update extended attributes for a file or directory.
readsecurity
Read the security information for a file or directory.
writesecurity
Write the security information for a file or directory.
chown
Change the ownership of a file or directory.

The following permissions apply only to directories:

list
List entries (readdir).
search
Look up files by name. In addition to stat(2), this permission is required for name space operations such as file creation, deletion, and rename.
add_file
Create a file.
add_subdirectory
Create a subdirectory.
delete_child
Delete a file or subdirectory. Deletion is granted either by this permission on the parent or delete permission on the target.

The following permissions apply to files only:

read
Open for reading.
write
Open for writing.
append
Open a file for appending writes.
execute
Execute the file.

The following are inheritance flags which only apply to directories:

file_inherit
ACE should inherit to (non-directory) files.
directory_inherit
ACE should inherit to directories.
limit_inherit
This flag prevents newly created subdirectories that inherited the specified ACE from their parent from propagating the ACE further to their own children.
only_inherit
This flag causes the ACE to be inherited by files and subdirectories but not used for permission processing on the directory itself. Note that the only_inherit flag is never inherited.

There is also a special flag:

full_access
This is shorthand for: list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit

CANONICAL ORDERING

ACEs are always processed in the order in which they are listed in the ACL. However, there is a preferred order for ACEs that typically results in the simplest ACL that achieves the desired result. This is called canonical order and its use is a best practice. The order is:

1. Explicit Denied ACEs (if any)
2. Explicit Allowed ACEs (if any)
3. Inherited Denied ACEs (if any)
4. Inherited Allowed ACEs (if any)

When ACEs are always added using snacl +a, canonical ordering is preserved. If ACEs are added using snacl +a# or snacl +ai# or if they are modified using snacl =a#, canonical ordering may be broken. Also, ACEs are inherited in the same order as the parent so if the ACL on the parent directory does not use canonical ordering, the child may inherit ACEs in non-canonical order. The ACL on a file can be tested for canonical order using snacl -C.
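The ACE syntax from ACE FORMAT and the canonical-order rule above can be checked offline before an ACL is applied. The following Python is an added example, not part of snacl or of this manual page: it parses ACEs in both the space-separated and colon-delimited forms (and lines of snacl -l output), expands full_access, rejects unknown keywords, and reports whether an ACL is in canonical order in the way snacl -C tests it. The sample listings are constructed here.

```python
import re
from collections import namedtuple
# Keyword tables taken from the ACE FORMAT section of this manual page.
PERMISSIONS = {"delete", "readattr", "writeattr", "readextattr", "writeextattr",
               "readsecurity", "writesecurity", "chown", "list", "search", "add_file",
               "add_subdirectory", "delete_child", "read", "write", "append", "execute"}
INHERIT_FLAGS = {"file_inherit", "directory_inherit", "limit_inherit", "only_inherit"}
FULL_ACCESS = ("list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,"
               "readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,"
               "directory_inherit").split(",")
# perms/flags are frozensets of keywords; inherited is the marker shown by "snacl -l".
ACE = namedtuple("ACE", "principal allow perms flags inherited")
# Space-separated form, optionally prefixed by the "N:" index of a "snacl -l" line.
SPACE_FORM = re.compile(r"(?:\d+:\s+)?(\S+)\s+(inherited\s+)?(allow|deny)\s+(\S+)")

def parse_ace(text):
    """Parse 'group:domain+users allow read', 'user:fred flintstone:allow:read' or a listing line."""
    fields = text.strip().split(":")
    if len(fields) >= 3 and fields[-2] in ("allow", "deny"):      # colon-delimited form
        principal, action, rights, inherited = ":".join(fields[:-2]), fields[-2], fields[-1], False
    else:
        m = SPACE_FORM.fullmatch(text.strip())
        if not m:
            raise ValueError(f"malformed ACE: {text!r}")
        principal = m.group(1).replace("+", " ")                  # '+' stands for a space
        inherited, action, rights = bool(m.group(2)), m.group(3), m.group(4)
    items = [p for i in rights.split(",") for p in (FULL_ACCESS if i == "full_access" else [i])]
    unknown = set(items) - PERMISSIONS - INHERIT_FLAGS
    if unknown:
        raise ValueError(f"unknown keyword(s) {sorted(unknown)} in {text!r}")
    perms = frozenset(i for i in items if i in PERMISSIONS)
    if not perms:                                                   # each ACE needs a permission
        raise ValueError(f"ACE has no permission: {text!r}")
    return ACE(principal, action == "allow", perms, frozenset(i for i in items if i in INHERIT_FLAGS), inherited)

def canonical_rank(ace):
    """0 explicit deny, 1 explicit allow, 2 inherited deny, 3 inherited allow."""
    return (2 if ace.inherited else 0) + (1 if ace.allow else 0)

def is_canonical(aces):
    # True when ranks never decrease down the ACL; "snacl -C" exits 0 when this is False.
    return all(canonical_rank(a) <= canonical_rank(b) for a, b in zip(aces, aces[1:]))

def parse_listing(listing):
    """Extract the ACEs from 'snacl -l' output, skipping the ownership line and blanks."""
    return [parse_ace(line) for line in listing.splitlines() if re.match(r"\s*\d+:", line)]

# Constructed sample listings mirroring the "Check for canonical order" example in EXAMPLES.
LISTING_FOO = "-rw-r--r-- joe staff foo\n0: user:joe deny write\n1: user:jane allow write\n"
LISTING_BAR = "-rw-r--r-- joe staff bar\n0: user:jane allow write\n1: user:joe deny write\n"
```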

EXAMPLES

List the ACL for a file.

$ snacl -l foo
-rw-r--r-- joe staff foo

0: user:jane allow write
1: group:staff allow write,delete

Add an ACE to the ACL of a file, maintaining canonical order:

$ snacl -l foo
-rw-r--r-- joe staff foo

0: user:jane allow write
$ snacl +a "user:fred deny read,write" foo
$ snacl -l foo
-rw-r--r-- joe staff foo

0: user:fred deny read,write
1: user:jane allow write

Add an ACE marked with the inherited bit to the ACL of a file, maintaining canonical order:

$ snacl -l foo
-rw-r--r-- joe staff foo

0: user:jane allow write
$ snacl +ai "user:fred allow write" foo

0: user:jane allow write
1: user:fred inherited allow write

Add an ACE to the ACL of a file at a particular index disregarding canonical ordering:

$ snacl -l foo
-rw-r--r-- joe staff foo

0: user:jane allow write
$ snacl +a# 1 "user:fred deny write" foo

0: user:jane allow write
1: user:fred deny write

Remove the delete permission for a user. Note that since the ACE contains other permissions, it is not removed completely.

$ snacl -l foo
-rw-r--r-- joe staff foo

0: user:jane allow write,delete
$ snacl -a "user:jane allow delete" foo
$ snacl -l foo
-rw-r--r-- joe staff foo

0: user:jane allow write

Remove a particular ACE from an ACL.

$ snacl -l foo
-rw-r--r-- joe staff foo

0: user:jane allow write,delete
1: user:fred allow delete
2: user:wendy allow write,delete
$ snacl -a# 1 foo
$ snacl -l foo

0: user:jane allow write,delete
1: user:wendy allow write,delete

Replace an ACE:

$ snacl -l foo
-rw-r--r-- joe staff foo

0: user:jane allow write,delete
1: user:fred allow delete
2: user:wendy allow write,delete
$ snacl =a# 1 "john allow write" foo
$ snacl -l foo
-rw-r--r-- joe staff foo

0: user:jane allow write,delete
1: user:john allow write
2: user:wendy allow write,delete

Assign ACE values from stdin:

$ cat myacl.txt
user:jane allow write
user:joe deny read
$ snacl -E foo < myacl.txt
$ snacl -l foo
-rw-r--r-- joe staff foo

0: user:jane allow write
1: user:joe deny read

Check for canonical order:

$ snacl -l foo
-rw-r--r-- joe staff foo

0: user:joe deny write
1: user:jane allow write
$ snacl -C foo
$ echo $?
1
$ snacl -l bar
-rw-r--r-- joe staff bar

0: user:jane allow write
1: user:joe deny write
$ snacl -C bar
$ echo $?
0

Remove the inherited bit from ACEs:

$ snacl -l foo
-rw-r--r-- joe staff foo

0: user:jane inherited allow write
1: user:joe allow write
$ snacl -i foo
$ snacl -l foo
-rw-r--r-- joe staff foo

0: user:jane allow write
1: user:joe allow write

Remove inherited ACEs:

$ snacl -l foo
-rw-r--r-- joe staff foo

0: user:jane inherited allow write
1: user:joe allow write
$ snacl -I foo
$ snacl -l foo
-rw-r--r-- joe staff foo

0: user:joe allow write

Remove entire ACL:

$ snacl -l foo
-rw-r--r-- joe staff foo

0: user:jane inherited allow write
1: user:joe allow write
$ snacl -N foo
$ snacl -l foo
-rw-r--r-- joe staff foo

SEE ALSO