acledit Command

Purpose

Edits the access control information of a file.

Syntax

acledit [ -t ACL_type ] [ -v ] FileObject

Description

The acledit command lets you change the access control information of the file specified by the FileObject parameter. The command displays the current access control information and lets the file owner change it with the editor specified by the EDITOR environment variable. Before making any changes permanent, the command asks if you want to proceed.

Note: The EDITOR environment variable must be specified with a complete path name; otherwise, the acledit command will fail. The maximum size of the ACL data is dependent on the ACL type.

The access control information displayed depends on the ACL type associated with the file system object. Information typically includes access control entries displayed for owner and others. Also, file mode bits associated with the object could be displayed.

The following is an example of the access control information of a file:

attributes: SUID
base permissions:
    owner  (frank): rw-
    group (system): r-x
    others        : ---
extended permissions:
    enabled
        permit    rw-    u:dhs
        deny      r--    u:chas,    g:system
        specify   r--    u:john,    g:gateway, g:mail
        permit    rw-    g:account, g:finance

Note: If the acledit command is operating in a trusted path, the editor must have the trusted process attribute set.

Flags

Item	Description
-t	This optional input specifies the ACL type in which the ACL data will be stored at the end of the ACL editing process. If no option is specified, then the ACL currently associated with the file system object will be edited in its ACL type format. If an ACL type is specified with this flag, then it is assumed that user is trying to modify the current ACL type and store the ACL in a new ACL type format. When this flag is specified and the ACL type does not match the type that exists currently, it is expected that user will modify the contents of the ACL data to format into the new ACL type specific format before saving. The supported ACL types are ACLX and NFS4.
-v	Displays the ACL information in Verbose mode. Comment lines will be added to explain more details about the ACL associated with the FS object. These comment lines are generated when the command is executed and do not reside anywhere persistently. Hence, any modifications to the same will be lost when acledit is exited.

Item

Description

-t

This optional input specifies the ACL type in which the ACL data will be stored at the end of the ACL editing process. If no option is specified, then the ACL currently associated with the file system object will be edited in its ACL type format. If an ACL type is specified with this flag, then it is assumed that user is trying to modify the current ACL type and store the ACL in a new ACL type format. When this flag is specified and the ACL type does not match the type that exists currently, it is expected that user will modify the contents of the ACL data to format into the new ACL type specific format before saving. The supported ACL types are ACLX and NFS4.

-v

Displays the ACL information in Verbose mode. Comment lines will be added to explain more details about the ACL associated with the FS object. These comment lines are generated when the command is executed and do not reside anywhere persistently. Hence, any modifications to the same will be lost when acledit is exited.

Security

Access Control

This command should be a standard user command and have the trusted computing base attribute.

Auditing Events

If the auditing subsystem is properly configured and is enabled, the acledit command generates the following audit record or event every time the command is run:

Event	Information
FILE_Acl	Lists access controls.

Files Accessed

Mode	File
x	/usr/bin/aclget
x	/usr/bin/aclput

Attention RBAC users and Trusted AIX® users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Examples

To edit the access control information of the plans file, enter:

acledit plans

Files

Item	Description
/usr/bin/acledit	Contains the acledit command.