mmgetacl command
Displays the GPFS™ access control list of a file or directory.
Synopsis
mmgetacl [-d] [-o OutFilename] [-k {nfs4 | posix | native}] Filename
Availability
Available on all IBM Spectrum Scale™ editions. Available on AIX® and Linux.
Description
Use the mmgetacl command to display the ACL of a file or directory.
For information about NFS V4 ACLs, see Managing GPFS access control lists and Native NFS and GPFS.
Users may need to see ACLs in their true form as well as how they are translated for access evaluations. There are four cases:
- By default, mmgetacl returns the ACL in a format consistent with the file system setting, specified using the -k flag on the mmcrfs or mmchfs commands. If the setting is posix, the ACL is shown as a traditional ACL. If the setting is nfs4, the ACL is shown as an NFS V4 ACL. If the setting is all, the ACL is returned in its true form.
- The command mmgetacl -k nfs4 always produces an NFS V4 ACL.
- The command mmgetacl -k posix always produces a traditional ACL.
- The command mmgetacl -k native always shows the ACL in its true form regardless of the file system setting.
The following describes how mmgetacl works for POSIX and NFS V4 ACLs:

Command              ACL     mmcrfs -k   Display (default)   -d
-------------------  ------  ----------  ------------------  --------------
mmgetacl             posix   posix       Access ACL          Default ACL
mmgetacl             posix   nfs4        NFS V4 ACL          Error[1]
mmgetacl             posix   all         Access ACL          Default ACL
mmgetacl             nfs4    posix       Access ACL[2]       Default ACL[2]
mmgetacl             nfs4    nfs4        NFS V4 ACL          Error[1]
mmgetacl             nfs4    all         NFS V4 ACL          Error[1]
mmgetacl -k native   posix   any         Access ACL          Default ACL
mmgetacl -k native   nfs4    any         NFS V4 ACL          Error[1]
mmgetacl -k posix    posix   any         Access ACL          Default ACL
mmgetacl -k posix    nfs4    any         Access ACL[2]       Default ACL[2]
mmgetacl -k nfs4     any     any         NFS V4 ACL          Error[1]
---------------------------------------------------------------------
[1] NFS V4 ACLs include inherited entries. Consequently, there cannot be a separate default ACL.
[2] Only the mode entries (owner, group, everyone) are translated. The rwx values are derived from the NFS V4 file mode attribute. Since the NFS V4 ACL is more granular in nature, some information is lost in this translation.
---------------------------------------------------------------------
Parameters
- Filename
- The path name of the file or directory for which the ACL is to be displayed. If the -d option is specified, Filename must contain the name of a directory.
Options
- -d
- Specifies that the default ACL of a directory is to be displayed.
- -k {nfs4 | posix | native}
- Selects the form in which the ACL is displayed:
- nfs4
- Always produces an NFS V4 ACL.
- posix
- Always produces a traditional ACL.
- native
- Always shows the ACL in its true form regardless of the file system setting.
- -o OutFilename
- The path name of a file to which the ACL is to be written.
Exit status
- 0
- Successful completion.
- nonzero
- A failure has occurred.
Security
You must have read access to the directory where the file exists to run the mmgetacl command.
You may issue the mmgetacl command only from a node in the GPFS cluster where the file system is mounted.
Examples
- To display the ACL for a file named project2.history, issue this command:
  mmgetacl project2.history
  The system displays information similar to:
  #owner:paul
  #group:design
  user::rwxc
  group::r-x-
  other::r-x-
- This is an example of an NFS V4 ACL displayed using mmgetacl. Each entry consists of three lines, reflecting the greater number of permissions in a text format. An entry is either an allow entry or a deny entry. An X indicates that the particular permission is selected; a minus sign (-) indicates that it is not selected. The following access control entry explicitly allows READ, EXECUTE and READ_ATTR to the staff group on a file:
  group:staff:r-x-:allow
   (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL (X)READ_ATTR (-)READ_NAMED
   (-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
- This is an example of a directory ACL, which may include inherit entries (the equivalent of a default ACL). These do not apply to the directory itself, but instead become the initial ACL for any objects created within the directory. The following access control entry explicitly denies READ/LIST, READ_ATTR, and EXEC/SEARCH to the sys group:
  group:sys:----:deny:DirInherit
   (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL (X)READ_ATTR (-)READ_NAMED
   (-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
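The two NFS V4 examples above show the text form that mmgetacl prints: a header line with the principal, the rwxc summary, allow or deny, and optional inheritance flags, followed by the (X)/(-) permission lines. The parser below is an added example, not IBM code and not part of this reference page; it reads that format as saved with `mmgetacl -k nfs4 -o OutFilename`, turns each entry into a structure, and answers two questions an ACL review needs: which principals other than the owner are allowed to change the ACL or ownership (WRITE_ACL, CHOWN) or delete children, and what the effective decision for one permission is when entries are walked in order, where an earlier deny wins over a later allow. The sample ACL is constructed for the example; the `special:owner@` and `special:everyone@` principals and the `InheritOnly` flag name are assumptions about the on-disk format, so check them against your own `mmgetacl -k native` output before relying on them.

```python
"""Parse the NFS V4 ACL text printed by mmgetacl and audit it (added example, not IBM code)."""
import re
from dataclasses import dataclass, field

# Header line of an entry: kind:who:rwxc-summary:allow|deny[:Flag[:Flag...]]
ENTRY_RE = re.compile(
    r"^(user|group|special):([^:\s]+):([rwxc-]{4}):(allow|deny)((?::[A-Za-z]+)*)"
)
# One permission token in the (X)NAME / (-)NAME lines, e.g. (X)READ/LIST or (-)WRITE_ACL
PERM_RE = re.compile(r"\((X|-)\)([A-Z_]+(?:/[A-Z_]+)?)")

# Permissions that let a principal change who can access the object (audit focus)
SENSITIVE = ("WRITE_ACL", "CHOWN", "DELETE_CHILD")

# Constructed sample in the mmgetacl three-line format; the two group entries are the ones
# shown on this page, the special:owner@ / special:everyone@ entries are assumed syntax.
SAMPLE_NFS4_ACL = """\
#owner:paul
#group:design
special:owner@:rwxc:allow
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
 (X)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
group:sys:----:deny:DirInherit
 (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL (X)READ_ATTR (-)READ_NAMED
 (-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
group:staff:r-x-:allow
 (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL (X)READ_ATTR (-)READ_NAMED
 (-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
special:everyone@:rwxc:allow
 (X)READ/LIST (X)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (-)READ_NAMED
 (-)DELETE (-)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
"""


@dataclass
class AclEntry:
    kind: str                 # user, group or special
    who: str                  # name, or owner@/group@/everyone@ for special entries
    mask: str                 # the four-character rwxc summary from the header line
    ace_type: str             # allow or deny
    flags: tuple              # inheritance flags such as DirInherit
    perms: dict = field(default_factory=dict)  # permission name -> True if (X), False if (-)


def parse_acl(text):
    """Return the entries of an mmgetacl NFS V4 listing in the order they appear."""
    entries, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):   # blank or #owner/#group header
            continue
        m = ENTRY_RE.match(stripped)
        if m:
            kind, who, mask, ace_type, flag_str = m.groups()
            current = AclEntry(kind, who, mask, ace_type,
                               tuple(f for f in flag_str.split(":") if f))
            entries.append(current)
            rest = stripped[m.end():]      # tolerates permissions on the header line too
        elif current is not None:
            rest = stripped                # continuation line of the current entry
        else:
            continue
        for selected, name in PERM_RE.findall(rest):
            current.perms[name] = selected == "X"
    return entries


def entries_granting(entries, perm):
    """Allow entries that grant `perm` to a principal other than the file owner."""
    return [e for e in entries
            if e.ace_type == "allow" and e.perms.get(perm)
            and not (e.kind == "special" and e.who == "owner@")]


def audit(entries):
    """Map each sensitive permission to the non-owner principals allowed it."""
    return {p: [f"{e.kind}:{e.who}" for e in entries_granting(entries, p)]
            for p in SENSITIVE}


def effective(entries, principals, perm):
    """NFS V4 style walk: the first entry that applies to one of the caller's principals
    (e.g. {"user:alice", "group:staff", "special:everyone@"}) and names `perm` decides.
    Entries flagged InheritOnly (assumed flag name) never apply to the object itself.
    Returns True (allowed), False (denied) or None when no entry mentions the permission,
    which the file system treats as not granted."""
    for e in entries:
        if "InheritOnly" in e.flags:
            continue
        if f"{e.kind}:{e.who}" in principals and e.perms.get(perm):
            return e.ace_type == "allow"
    return None


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_NFS4_ACL)
    for perm, who in audit(acl).items():
        print(f"{perm}: {', '.join(who) or 'owner only'}")
```

Pipe a real listing in with `mmgetacl -k nfs4 Filename | python3 acl_audit.py` after replacing the sample with `sys.stdin.read()`; the audit output for the constructed sample reports that everyone@ may change the ACL and the owner, which is the kind of entry worth questioning on a shared directory.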