fs_listacl - Displays ACLs


fs listacl [-path <dir/file path>+] [-cmd] [-help]


The fs listacl command (alias fs la) displays the access control list (ACL) associated with each specified file, directory, mount point or symbolic link. To display the ACL of the current working directory, omit the -path argument.

To alter an ACL, use the fs_setacl(1) command. To copy an ACL from one object to another, use the fs_copyacl(1) command. To remove obsolete entries from an ACL, use the fs_cleanacl(1) command.


Placing a user or group on the Negative rights section of the ACL does not guarantee denial of permissions, if the Normal rights section grants the permissions to either the anonymous identity or the system:anyuser group. If so, the user need only discard their authentication tokens via the unlog(1) command to become anonymous and obtain the granted permissions.


-path <dir/file path>+

Names each AFS file or directory to run the command on. Partial pathnames are interpreted relative to the current working directory, which is also the default value if this argument is omitted.


Outputs an fs_setacl(1) command string that can be used to recreate the ACL applied to the specified object.


Prints the online help for this command. All other valid options are ignored.


The first line of the output for each object reads as follows:

   Access list [(inherited)] for <object> is

If the issuer used shorthand notation in the pathname, such as the period (.) to represent the current current directory, that notation sometimes appears instead of the full pathname of the directory.

Next, the Normal rights header precedes a list of users and groups who are granted the indicated permissions, with one pairing of user or group list and permissions on each line. If rights have been revoked from any user or group list, those entries follow a Negative rights header. The format of negative entries is the same as those on the Normal rights section of the ACL, but the user or group list is denied rather than granted the indicated permissions.

The output for a symbolic link or mount point displays the ACL that applies to its target file or directory, rather than the ACL that applies to the symbolic link or mount point.

If the object is a file with no file specific ACL, (inherited) will appear in the output to indicate that the file is currently inheriting its permissions from the parent directory. In this state, access to the file will be affected by ACL changes to the parent. If there is no indication that the ACL is inherited, the ACL shown is specific to the file and is not affected by changes to the parent's ACL.

If the volume containing the object has a maximum ACL set, it will be shown following the object's ACL. Access to the object will also need to statisfy the volume maximum ACL. Volume maximum ACLs can be adjusted by members of the system:administrators group via use of the vos_setmaxacl(1) command.

The permissions enable the grantee to perform the indicated action:

a (administer)

Change the entries on the ACL.

d (delete)

Remove files and subdirectories from the directory or move them to other directories.

i (insert)

Add files or subdirectories to the directory by copying, moving or creating.

k (lock)

Set read locks on the files in the directory.

l (lookup)

List the files and subdirectories in the directory, stat the directory itself, and issue the fs listacl command to examine the directory's ACL.

r (read)

Read the contents of files in the directory; issue the ls -l command to stat the elements in the directory.

w (write)

Modify the contents of files in the directory, set write locks, and issue the UNIX chmod or fs chmod command to change their mode bits.

A, B, C, D, E, F, G, H

Have no default meaning to the File Server, but are made available for applications to use in controlling access to the directory's contents in additional ways. The letters must be uppercase.


The following command displays the ACL on the home directory of the user pat (the current working directory), and on its private subdirectory.

   % fs listacl -path . private
   Access list for . is
   Normal rights:
      system:authuser rl
      pat rlidwka
      pat:friends rlid
   Negative rights:
      smith rlidwka
   Access list for private is
   Normal rights:
      pat rlidwka

The following command generates the fs_setacl(1) command required to recreate the ACL on the home directory of the user pat (the current working directory), and on its private subdirectory.

   % fs listacl -path . private -cmd
   fs setacl -path . -acl system:authuser rl  pat rlidwka   pat:friends rlid
   fs setacl -path . -acl smith rlidwka -negative
   fs setacl -path private -acl pat rlidwka


If the -path argument names a directory under /afs, the issuer must have the l (lookup) permission on its ACL and the ACL for every directory that precedes it in the pathname.

If the -path argument names a file under /afs, the issuer must have the r (read) permission for the file and the l (lookup) permission on the ACL of each directory that precedes it in the pathname.


auristorfs_acls(7), fs_chmod(1), fs_cleanacl(1), fs_copyacl(1), fs_setacl(1) fs_removeacl(1) vos_setmaxacl(1) vos_listmaxacl(1)


IBM Corporation 2000. All Rights Reserved.

This documentation is covered by the IBM Public License Version 1.0. It was converted from HTML to POD by software written by Chas Williams and Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.


"AFS" is a registered mark of International Business Machines Corporation, used under license. (USPTO Registration 1598389)

"OpenAFS" is a registered mark of International Business Machines Corporation. (USPTO Registration 4577045)

The "AuriStor" name, log 'S' brand mark, and icon are registered marks of AuriStor, Inc. (USPTO Registrations 4849419, 4849421, and 4928460) (EUIPO Registration 015539653).

"Your File System" is a registered mark of AuriStor, Inc. (USPTO Registrations 4801402 and 4849418).

"YFS" and "AuriStor File System" are trademarks of AuriStor, Inc.