The examples in this section demonstrate the use of the dcecp acl command to list and modify a directory's ACL. The following example uses the dcecp acl show command to display an object's ACL. The example shows the output of the command when it is used to display the ACL for the directory drafts:
dcecp> acl show /.../abc.com/fs/doc/drafts
{mask_obj r-x---}
{user_obj rwxcid}
{user dale rwx-id effective r-x---}
{group_obj rwx--- effective r-x---}
{group writers rwx--- effective r-x---}
{other_obj rwx---}
The output displays the ACL entries for the object. If an entry's permissions are restricted by the mask_obj entry, the permissions that remain after filtering through the mask are labeled effective. In this example, the permissions (rwx-id) granted to dale are restricted by the mask_obj entry to r and x. Users belonging to the group writers are, like dale, restricted to r and x access. The owner of the directory (user_obj) retains all of the specified permissions (rwxcid) because user_obj is not filtered by mask_obj.
Suppose another user, pierette, needs to have all of the permissions except c on the directory. Suppose further that pierette is a member of the group writers, which effectively has only the r and x permissions on the directory. To give pierette the required permissions, the following need to be done:
· A user entry for pierette needs to be added to grant the desired permissions, not all of which are granted to the group writers.
· The mask_obj entry needs to be expanded to allow for the additional permissions; it currently filters all user and group entries to only the r and x permissions.
The following example performs both of these operations with one invocation of the dcecp acl modify command. It uses the -add option to add an entry for pierette to the ACL. It also uses the -mask option with the value calc to recalculate the permissions granted by the mask_obj entry to include those to be granted to pierette. Alternatively, the -mask option could be used with the value nocalc to prevent recalculation of the permissions granted by the mask_obj entry, but this would cause the mask_obj entry to restrict pierette's permissions. The command fails unless one of the two values is specified with the -mask option.
Note: The dcecp acl modify command dynamically recalculates the mask_obj entry as necessary when new entries are added to an ACL. By default, it refuses to readjust the mask_obj entry if doing so would grant currently masked permissions to another entry. In such cases, you must specify the calc or nocalc value with the -mask option to direct the command's actions with respect to the mask_obj entry.
dcecp> acl modify /.../abc.com/fs/doc/drafts -add {user pierette rwxid} \
> -mask calc
The following example displays the new and modified ACL entries that grant pierette all permissions except c. Note that expanding the permissions allowed by the mask_obj entry increased the permissions granted to the other entries filtered by the mask.
dcecp> acl show /.../abc.com/fs/doc/drafts
{mask_obj rwx-id}
{user_obj rwxcid}
{user dale rwx-id}
{user pierette rwx-id}
{group_obj rwx---}
{group writers rwx---}
{other_obj rwx---}
Recall that DCE LFS evaluates the more-specific user entries before it checks the less-specific entries. Therefore, pierette, although a member of the group writers, receives the permissions granted by the user pierette entry. This is true regardless of whether pierette is granted more or fewer permissions via the user entry.
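The mask recalculation shown above widens access for entries other than the one being added, so it is worth previewing before running acl modify with -mask calc. The following Python sketch is an added example, not part of the original documentation or of DCE: it models mask_obj filtering on the first acl show output and reports which existing entries would gain permissions. The function names are hypothetical. It assumes that user_obj and other_obj are not filtered by the mask (other_obj carries no effective label in the output above) and that calc sets mask_obj to the union of all masked entries, which matches the result shown.

```python
PERM_ORDER = "rwxcid"
# Assumption: these entries are not filtered through mask_obj.
UNMASKED = {"user_obj", "other_obj", "mask_obj"}

# Constructed input: the first `acl show` output from this page.
BEFORE = """
{mask_obj r-x---}
{user_obj rwxcid}
{user dale rwx-id effective r-x---}
{group_obj rwx--- effective r-x---}
{group writers rwx--- effective r-x---}
{other_obj rwx---}
"""

def parse_acl(text):
    """Map each entry ('user dale', 'mask_obj', ...) to its granted permission set."""
    acl = {}
    for line in text.strip().splitlines():
        fields = line.strip("{} \t").split()
        if "effective" in fields:  # drop the computed 'effective ...' suffix
            fields = fields[:fields.index("effective")]
        acl[" ".join(fields[:-1])] = set(fields[-1]) - {"-"}
    return acl

def effective(acl):
    """Filter every masked entry through mask_obj; unmasked entries pass unchanged."""
    mask = acl["mask_obj"]
    return {k: (p if k in UNMASKED else p & mask) for k, p in acl.items()}

def fmt(perms):
    """Render a permission set in the six-character rwxcid form."""
    return "".join(c if c in perms else "-" for c in PERM_ORDER)

def preview_add(acl, entry, perms):
    """Model `-add {entry perms} -mask calc`; return (new_acl, entries that gain access)."""
    new = dict(acl)
    new[entry] = set(perms) - {"-"}
    # Assumed calc rule: the mask becomes the union of all masked entries.
    new["mask_obj"] = set().union(*(p for k, p in new.items() if k not in UNMASKED))
    old_eff, new_eff = effective(acl), effective(new)
    widened = {k: fmt(new_eff[k] - old_eff[k])
               for k in acl if k not in UNMASKED and new_eff[k] - old_eff[k]}
    return new, widened

if __name__ == "__main__":
    new_acl, widened = preview_add(parse_acl(BEFORE), "user pierette", "rwxid")
    print("new mask_obj:", fmt(new_acl["mask_obj"]))
    for entry, gained in widened.items():
        print(f"{entry} gains {gained}")
```

Any entry listed as gaining permissions should either be intended to have them or have its own entry tightened before the mask is expanded.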