fs_cleanacl - Remove obsolete entries from an ACL


fs cleanacl [-path <dir/file path>+] [-help]


The fs cleanacl command removes from the access control list (ACL) of each specified directory or file any entry that refers to a user or group that no longer has a Protection Database entry. Such an entry appears on the ACL as a Auristor User Number (AUN) rather than a name, because without a Protection Database entry, the File Server cannot translate the AUN into a name.

Cleaning access control lists in this way not only keeps them from becoming crowded with irrelevant information, but also prevents the new possessor of a recycled AUN from obtaining access intended for the former possessor of the AUN. (Note that recycling AUNs is not recommended in any case.)


-path <dir/file path>+

Names each AFS file or directory to run the command on. Partial pathnames are interpreted relative to the current working directory, which is also the default value if this argument is omitted.

Specify the read/write path to avoid the failure that results from attempting to change a read-only volume. By convention, the read/write path is indicated by placing a period before the cell name at the pathname's second level (for example, /afs/ For further discussion of the concept of read/write and read-only paths through the filespace, see the fs mkmount reference page.


Prints the online help for this command. All other valid options are ignored.


If there are no obsolete entries on the ACL, the following message appears:

   Access list for <path> is fine.

Otherwise, the output reports the resulting state of the ACL, following the header

   Access list for <path> is now

At the same time, the following error message appears for each file in the cleaned directories:

   fs: '<filename>': Not a directory


The following example illustrates the cleaning of the ACLs on the current working directory and two of its subdirectories. Only the second subdirectory had obsolete entries on it.

   % fs cleanacl -path . ./reports ./sources
   Access list for . is fine.
   Access list for ./reports is fine.
   Access list for ./sources is now
   Normal rights:
      system:authuser rl
      pat rlidwka


The issuer must have the a (administer) permission on the directory's ACL, a member of the system:administrators group, or, as a special case, must be the UID owner of the top-level directory of the volume containing this directory. The last provision allows the UID owner of a volume to repair accidental ACL errors without requiring intervention by a member of system:administrators.


auristorfs_acls(7), fs_copyacl(1), fs_listacl(1), fs_mkmount(1), fs_setacl(1)


IBM Corporation 2000. All Rights Reserved.

This documentation is covered by the IBM Public License Version 1.0. It was converted from HTML to POD by software written by Chas Williams and Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.


"AFS" is a registered mark of International Business Machines Corporation, used under license. (USPTO Registration 1598389)

"OpenAFS" is a registered mark of International Business Machines Corporation. (USPTO Registration 4577045)

The "AuriStor" name, log 'S' brand mark, and icon are registered marks of AuriStor, Inc. (USPTO Registrations 4849419, 4849421, and 4928460) (EUIPO Registration 015539653).

"Your File System" is a registered mark of AuriStor, Inc. (USPTO Registrations 4801402 and 4849418).

"YFS" and "AuriStor File System" are trademarks of AuriStor, Inc.