1 '\" te 2 .\" Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved. 3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. 4 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License. 5 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner] 6 .TH ACL 5 "Sep 29, 2008" 7 .SH NAME 8 acl \- Access Control Lists 9 .SH DESCRIPTION 10 .sp 11 .LP 12 Access control lists (ACLs) are discretionary access control mechanisms that 13 grant and deny access to files and directories. Two different ACL models are 14 supported in the Solaris release:POSIX-draft ACLs and NFSv4 ACLs. 15 .sp 16 .LP 17 The older, POSIX-draft model is supported by the UFS file system. This model is 18 based on a withdrawn ACL POSIX specification that was never standardized. It 19 was subsequently withdrawn by the POSIX committee. 20 .sp 21 .LP 22 The other model is based on the standards of the NFSv4 working group and is an 23 approved standard from the Internet Engineering Task Force (IETF). The ZFS file 24 system uses the NFSv4 model, and provides richer semantics and finer grained 25 permission capabilities than the POSIX-draft model. 26 .SS "\fBPOSIX\fR-draft \fBACL\fRs" 27 .sp 28 .LP 29 POSIX-draft ACLs provide an alternative security mechanism to basic UNIX file 30 permissions in the Solaris release. Their purpose is to further restrict access 31 to files and directories or to extend permissions to a particular user. ACLs 32 can be used to change the permissions for the standard owner, group and other 33 class bits of a file's mode. ACLs can give additional users and groups access 34 to the file. A directory can also have a special kind of ACL called a 35 \fBdefault\fR ACL, which defines ACL entries to be inherited by descendents of 36 the directory. POSIX-draft ACLs have an ACL entry called \fBmask\fR. The mask 37 defines the maximum permissions that can be granted to additional user and 38 group entries. Whenever a file is created or its mode is changed by 39 \fBchmod\fR(1) or \fBchmod\fR(2), the mask is recomputed. It is recomputed to 40 be the group permission defined in the mode passed to \fBchmod\fR(2). 41 .sp 42 .LP 43 The POSIX-draft ACL model uses the standard \fBrwx\fR model of traditional UNIX 44 permissions. 45 .sp 46 .LP 47 An ACL is represented as follows: 48 .sp 49 .in +2 50 .nf 51 \fIacl_entry\fR[,\fIacl_entry\fR]... 52 .fi 53 .in -2 54 .sp 55 56 .sp 57 .LP 58 Each \fIacl_entry\fR contains one ACL entry. An ACL entry is represented by two 59 or three colon-separated(\fB:\fR) fields. 60 .sp 61 .ne 2 62 .na 63 \fB\fIuser\fR:[\fIuid\fR]:\fIperms\fR\fR 64 .ad 65 .RS 21n 66 If \fIuid\fR blank, it represents the file owner. 67 .RE 68 69 .sp 70 .ne 2 71 .na 72 \fB\fIgroup\fR:[\fIgid\fR]:\fIperms\fR\fR 73 .ad 74 .RS 21n 75 If \fIgid\fR is blank, it represents the owning group. 76 .RE 77 78 .sp 79 .ne 2 80 .na 81 \fB\fIother\fR:\fIperms\fR\fR 82 .ad 83 .RS 21n 84 Represents the file other class. 85 .RE 86 87 .sp 88 .ne 2 89 .na 90 \fB\fImask\fR:\fIperms\fR\fR 91 .ad 92 .RS 21n 93 Defines the \fBMAX\fR permission to hand out. 94 .RE 95 96 .sp 97 .LP 98 For example to give user \fBjoe\fR read and write permissions, the ACL entry is 99 specified as: 100 .sp 101 .in +2 102 .nf 103 user:joe:rw- 104 .fi 105 .in -2 106 .sp 107 108 .SS "\fBNFS\fRv4 \fBACL\fRs" 109 .sp 110 .LP 111 NFSv4 ACL model is based loosely on the Windows NT ACL model. NFSv4 ACLs 112 provide a much richer ACL model than POSIX-draft ACLs. 113 .sp 114 .LP 115 The major differences between NFSv4 and POSIX-draft ACLs are as follows: 116 .RS +4 117 .TP 118 .ie t \(bu 119 .el o 120 NFSv4 ACLs provide finer grained permissions than the \fBrwx\fR model. 121 .RE 122 .RS +4 123 .TP 124 .ie t \(bu 125 .el o 126 NFSv4 ACLs allow for both \fBALLOW\fR and \fBDENY\fR entries. 127 .RE 128 .RS +4 129 .TP 130 .ie t \(bu 131 .el o 132 NFSv4 ACLs provide a rich set of inheritance semantics. POSIX ACLs also have 133 inheritance, but with the NFSv4 model you can control the following inheritance 134 features: 135 .RS +4 136 .TP 137 .ie t \(bu 138 .el o 139 Whether inheritance cascades to both files and directories or only to files or 140 directories. 141 .RE 142 .RS +4 143 .TP 144 .ie t \(bu 145 .el o 146 In the case of directories, you can indicate whether inheritance is applied to 147 the directory itself, to just one level of subdirectories, or cascades to all 148 subdirectories of the directory. 149 .RE 150 .RE 151 .RS +4 152 .TP 153 .ie t \(bu 154 .el o 155 NFSv4 ACLs provide a mechanism for hooking into a system's audit trail. 156 Currently, Solaris does not support this mechanism. 157 .RE 158 .RS +4 159 .TP 160 .ie t \(bu 161 .el o 162 NFSv4 ACLs enable adminstrators to specify the order in which ACL entries are 163 checked. With POSIX-draft ACLs the file system reorders ACL entries into a well 164 defined, strict access, checking order. 165 .RE 166 .sp 167 .LP 168 POSIX-draft ACL semantics can be achieved with NFSv4 ACLs. However, only some 169 NFSv4 ACLs can be translated to equivalent POSIX-draft ACLs. 170 .sp 171 .LP 172 Permissions can be specified in three different \fBchmod\fR ACL formats: 173 verbose, compact, or positional. The verbose format uses words to indicate that 174 the permissions are separated with a forward slash (\fB/\fR) character. Compact 175 format uses the permission letters and positional format uses the permission 176 letters or the hypen (\fB-\fR) to identify no permissions. 177 .sp 178 .LP 179 The permissions for verbose mode and their abbreviated form in parentheses for 180 compact and positional mode are described as follows: 181 .sp 182 .ne 2 183 .na 184 \fBread_data (\fBr\fR)\fR 185 .ad 186 .RS 24n 187 Permission to read the data of the file 188 .RE 189 190 .sp 191 .ne 2 192 .na 193 \fBlist_directory (\fBr\fR)\fR 194 .ad 195 .RS 24n 196 Permission to list the contents of a directory. 197 .RE 198 199 .sp 200 .ne 2 201 .na 202 \fBwrite_data (\fBw\fR)\fR 203 .ad 204 .RS 24n 205 Permission to modify a file's data anywhere in the file's offset range. This 206 includes the ability to grow the file or write to any arbitrary offset. 207 .RE 208 209 .sp 210 .ne 2 211 .na 212 \fBadd_file (\fBw\fR)\fR 213 .ad 214 .RS 24n 215 Permission to add a new file to a directory. 216 .RE 217 218 .sp 219 .ne 2 220 .na 221 \fBappend_data (\fBp\fR)\fR 222 .ad 223 .RS 24n 224 The ability to modify the file's data, but only starting at EOF. Currently, 225 this permission is not supported. 226 .RE 227 228 .sp 229 .ne 2 230 .na 231 \fBadd_subdirectory (\fBp\fR)\fR 232 .ad 233 .RS 24n 234 Permission to create a subdirectory to a directory. 235 .RE 236 237 .sp 238 .ne 2 239 .na 240 \fBread_xattr (\fBR\fR)\fR 241 .ad 242 .RS 24n 243 The ability to read the extended attributes of a file or do a lookup in the 244 extended attributes directory. 245 .RE 246 247 .sp 248 .ne 2 249 .na 250 \fBwrite_xattr (\fBW\fR)\fR 251 .ad 252 .RS 24n 253 The ability to create extended attributes or write to the extended attributes 254 directory. 255 .RE 256 257 .sp 258 .ne 2 259 .na 260 \fBexecute (\fBx\fR)\fR 261 .ad 262 .RS 24n 263 Permission to execute a file. 264 .RE 265 266 .sp 267 .ne 2 268 .na 269 \fBread_attributes (\fBa\fR)\fR 270 .ad 271 .RS 24n 272 The ability to read basic attributes (non-ACLs) of a file. Basic attributes are 273 considered to be the stat level attributes. Allowing this access mask bit means 274 that the entity can execute \fBls\fR(1) and \fBstat\fR(2). 275 .RE 276 277 .sp 278 .ne 2 279 .na 280 \fBwrite_attributes (\fBA\fR)\fR 281 .ad 282 .RS 24n 283 Permission to change the times associated with a file or directory to an 284 arbitrary value. 285 .RE 286 287 .sp 288 .ne 2 289 .na 290 \fBdelete (\fBd\fR)\fR 291 .ad 292 .RS 24n 293 Permission to delete the file. 294 .RE 295 296 .sp 297 .ne 2 298 .na 299 \fBdelete_child (\fBD\fR)\fR 300 .ad 301 .RS 24n 302 Permission to delete a file within a directory. 303 .RE 304 305 .sp 306 .ne 2 307 .na 308 \fBread_acl (\fBc\fR)\fR 309 .ad 310 .RS 24n 311 Permission to read the ACL. 312 .RE 313 314 .sp 315 .ne 2 316 .na 317 \fBwrite_acl (\fBC\fR)\fR 318 .ad 319 .RS 24n 320 Permission to write the ACL or the ability to execute \fBchmod\fR(1) or 321 \fBsetfacl\fR(1). 322 .RE 323 324 .sp 325 .ne 2 326 .na 327 \fBwrite_owner (\fBo\fR)\fR 328 .ad 329 .RS 24n 330 Permission to change the owner or the ability to execute \fBchown\fR(1) or 331 \fBchgrp\fR(1). 332 .RE 333 334 .sp 335 .ne 2 336 .na 337 \fBsynchronize (\fBs\fR)\fR 338 .ad 339 .RS 24n 340 Permission to access a file locally at the server with synchronous reads and 341 writes. Currently, this permission is not supported. 342 .RE 343 344 .sp 345 .LP 346 The following inheritance flags are supported by NFSv4: 347 .sp 348 .ne 2 349 .na 350 \fBfile_inherit (\fBf\fR)\fR 351 .ad 352 .RS 26n 353 Inherit to all newly created files in a directory. 354 .RE 355 356 .sp 357 .ne 2 358 .na 359 \fBdir_inherit (\fBd\fR)\fR 360 .ad 361 .RS 26n 362 Inherit to all newly created directories in a directory. 363 .RE 364 365 .sp 366 .ne 2 367 .na 368 \fBinherit_only (\fBi\fR)\fR 369 .ad 370 .RS 26n 371 Placed on a directory, but does not apply to the directory itself, only to 372 newly created created files and directories. This flag requires file_inherit 373 and or dir_inherit to indicate what to inherit. 374 .RE 375 376 .sp 377 .ne 2 378 .na 379 \fBno_propagate (\fBn\fR)\fR 380 .ad 381 .RS 26n 382 Placed on directories and indicates that ACL entries should only be inherited 383 one level of the tree. This flag requires file_inherit and or dir_inherit to 384 indicate what to inherit. 385 .RE 386 387 .sp 388 .ne 2 389 .na 390 \fBsuccessful_access (\fBS)\fR)\fR 391 .ad 392 .RS 26n 393 Indicates if an alarm or audit record should be initiated upon successful 394 accesses. Used with audit/alarm ACE types. 395 .RE 396 397 .sp 398 .ne 2 399 .na 400 \fBfailed_access (\fBF\fR)\fR 401 .ad 402 .RS 26n 403 Indicates if an alarm or audit record should be initiated when access fails. 404 Used with audit/alarm ACE types. 405 .RE 406 407 .sp 408 .ne 2 409 .na 410 \fBinherited (\fBI\fR)\fR 411 .ad 412 .RS 26n 413 ACE was inherited. 414 .RE 415 416 .sp 417 .ne 2 418 .na 419 \fB\fB-\fR\fR 420 .ad 421 .RS 26n 422 No permission granted. 423 .RE 424 425 .sp 426 .LP 427 An NFSv4 ACL is expressed using the following syntax: 428 .sp 429 .in +2 430 .nf 431 \fIacl_entry\fR[,\fIacl_entry\fR]... 432 433 owner@:<perms>[:inheritance flags]:<allow|deny> 434 group@:<perms>[:inheritance flags]:<allow|deny> 435 everyone@:<perms>[:inheritance flags]:<allow|deny> 436 user:<username>[:inheritance flags]:<allow|deny> 437 group:<groupname>[:inheritance flags]:<allow|deny> 438 .fi 439 .in -2 440 441 .sp 442 .ne 2 443 .na 444 \fBowner@\fR 445 .ad 446 .RS 10n 447 File owner 448 .RE 449 450 .sp 451 .ne 2 452 .na 453 \fBgroup@\fR 454 .ad 455 .RS 10n 456 Group owner 457 .RE 458 459 .sp 460 .ne 2 461 .na 462 \fBuser\fR 463 .ad 464 .RS 10n 465 Permissions for a specific user 466 .RE 467 468 .sp 469 .ne 2 470 .na 471 \fBgroup\fR 472 .ad 473 .RS 10n 474 Permissions for a specific group 475 .RE 476 477 .sp 478 .LP 479 Permission and inheritance flags are separated by a \fB/\fR character. 480 .sp 481 .LP 482 ACL specification examples: 483 .sp 484 .in +2 485 .nf 486 user:fred:read_data/write_data/read_attributes:file_inherit:allow 487 owner@:read_data:allow,group@:read_data:allow,user:tom:read_data:deny 488 .fi 489 .in -2 490 .sp 491 492 .sp 493 .LP 494 Using the compact ACL format, permissions are specified by using 14 unique 495 letters to indicate permissions. 496 .sp 497 .LP 498 Using the positional ACL format, permissions are specified as positional 499 arguments similar to the \fBls -V\fR format. The hyphen (\fB-\fR), which 500 indicates that no permission is granted at that position, can be omitted and 501 only the required letters have to be specified. 502 .sp 503 .LP 504 The letters above are listed in the order they would be specified in positional 505 notation. 506 .sp 507 .LP 508 With these letters you can specify permissions in the following equivalent 509 ways. 510 .sp 511 .in +2 512 .nf 513 user:fred:rw------R------:file_inherit:allow 514 .fi 515 .in -2 516 .sp 517 518 .sp 519 .LP 520 Or you can remove the \fB-\fR and scrunch it together. 521 .sp 522 .in +2 523 .nf 524 user:fred:rwR:file_inherit:allow 525 .fi 526 .in -2 527 .sp 528 529 .sp 530 .LP 531 The inheritance flags can also be specified in a more compact manner, as 532 follows: 533 .sp 534 .in +2 535 .nf 536 user:fred:rwR:f:allow 537 user:fred:rwR:f------:allow 538 .fi 539 .in -2 540 .sp 541 542 .SS "Shell-level Solaris \fBAPI\fR" 543 .sp 544 .LP 545 The Solaris command interface supports the manipulation of ACLs. The following 546 Solaris utilities accommodate both ACL models: 547 .sp 548 .ne 2 549 .na 550 \fB\fBchmod\fR\fR 551 .ad 552 .RS 12n 553 The \fBchmod\fR utility has been enhanced to allow for the setting and deleting 554 of ACLs. This is achieved by extending the symbolic-mode argument to support 555 ACL manipulation. See \fBchmod\fR(1) for details. 556 .RE 557 558 .sp 559 .ne 2 560 .na 561 \fB\fBcompress\fR\fR 562 .ad 563 .RS 12n 564 When a file is compressed any ACL associated with the original file is 565 preserved with the compressed file. 566 .RE 567 568 .sp 569 .ne 2 570 .na 571 \fB\fBcp\fR\fR 572 .ad 573 .RS 12n 574 By default, \fBcp\fR ignores ACLs, unless the \fB-p\fR option is specified. 575 When \fB-p\fR is specified the owner and group id, permission modes, 576 modification and access times, ACLs, and extended attributes if applicable are 577 preserved. 578 .RE 579 580 .sp 581 .ne 2 582 .na 583 \fB\fBcpio\fR\fR 584 .ad 585 .RS 12n 586 ACLs are preserved when the \fB-P\fR option is specified. 587 .RE 588 589 .sp 590 .ne 2 591 .na 592 \fB\fBfind\fR\fR 593 .ad 594 .RS 12n 595 Find locates files with ACLs when the \fB-acl\fR flag is specified. 596 .RE 597 598 .sp 599 .ne 2 600 .na 601 \fB\fBls\fR\fR 602 .ad 603 .RS 12n 604 By default \fBls\fR does not display ACL information. When the \fB-v\fR option 605 is specified, a file's ACL is displayed. 606 .RE 607 608 .sp 609 .ne 2 610 .na 611 \fB\fBmv\fR\fR 612 .ad 613 .RS 12n 614 When a file is moved, all attributes are carried along with the renamed file. 615 When a file is moved across a file system boundary, the ACLs are replicated. If 616 the ACL information cannot be replicated, the move fails and the source file is 617 not removed. 618 .RE 619 620 .sp 621 .ne 2 622 .na 623 \fB\fBpack\fR\fR 624 .ad 625 .RS 12n 626 When a file is packed, any ACL associated with the original file is preserved 627 with the packed file. 628 .RE 629 630 .sp 631 .ne 2 632 .na 633 \fB\fBrcp\fR\fR 634 .ad 635 .RS 12n 636 \fBrcp\fR has been enhanced to support copying. A file's ACL is only preserved 637 when the remote host supports ACLs. 638 .RE 639 640 .sp 641 .ne 2 642 .na 643 \fB\fBtar\fR\fR 644 .ad 645 .RS 12n 646 ACLs are preserved when the \fB-p\fR option is specified. 647 .RE 648 649 .sp 650 .ne 2 651 .na 652 \fB\fBunpack\fR\fR 653 .ad 654 .RS 12n 655 When a file with an ACL is unpacked, the unpacked file retains the ACL 656 information. 657 .RE 658 659 .SS "Application-level \fBAPI\fR" 660 .sp 661 .LP 662 The primary interfaces required to access file system ACLs at the programmatic 663 level are the \fBacl_get()\fR and \fBacl_set()\fR functions. These functions 664 support both POSIX draft ACLs and NFSv4 ACLs. 665 .SS "Retrieving a file's \fBACL\fR" 666 .sp 667 .in +2 668 .nf 669 int acl_get(const char *path, int flag, acl_t **aclp); 670 int facl_get(int fd, int flag, acl_t **aclp); 671 .fi 672 .in -2 673 674 .sp 675 .LP 676 The \fBacl_get\fR(3SEC) and \fBfacl_get\fR(3SEC) functions retrieves an ACL on 677 a file whose name is given by path or referenced by the open file descriptor 678 fd. The flag argument specifies whether a trivial ACL should be retrieved. When 679 the flag argument equals \fBACL_NO_TRIVIAL\fR then only ACLs that are not 680 trivial are retrieved. The ACL is returned in the \fBaclp\fR argument. 681 .SS "Freeing \fBACL\fR structure" 682 .sp 683 .in +2 684 .nf 685 void acl_free(acl_t *aclp)s; 686 .fi 687 .in -2 688 689 .sp 690 .LP 691 The \fBacl_free()\fR function frees up memory allocated for the argument 692 \fBaclp;\fR. 693 .SS "Setting an \fBACL\fR on a file" 694 .sp 695 .in +2 696 .nf 697 int acl_set(const char *path, acl_t *aclp); 698 int facl_set(int fd, acl_t *aclp); 699 .fi 700 .in -2 701 702 .sp 703 .LP 704 The \fBacl_set\fR(3SEC) and \fBfacl_get\fR(3SEC) functions are used for setting 705 an ACL on a file whose name is given by path or referenced by the open file 706 descriptor \fBfd\fR. The \fBaclp\fR argument specifies the ACL to set. The 707 \fBacl_set\fR(3SEC) translates an POSIX-draft ACL into a NFSv4 ACL when the 708 target file systems supports NFSv4 ACLs. No translation is performed when 709 trying to set an NFSv4 ACL on a POSIX-draft ACL supported file system. 710 .SS "Determining an \fBACL\fR's trivialness" 711 .sp 712 .in +2 713 .nf 714 int acl_trivial(const char *path); 715 .fi 716 .in -2 717 718 .sp 719 .LP 720 The \fBacl_trivial()\fR function is used to determine whether a file has a 721 trivial ACL. The trivialness of a file's ACL depends on the type of ACL it is. 722 For POSIX-draft ACLs, it implies the ACL has greater than 723 \fBMIN_ACL_ENTRIES\fR. For NFSv4/ZFS style ACLs, it implies that the ACL has 724 entries other than \fBowner@\fR, \fBgroup@\fR and \fBeveryone@\fR, inheritance 725 flags are set, or the ACL is not ordered in a manner that meets POSIX access 726 control requirements. 727 .SS "Removing all \fBACL\fRs from a file" 728 .sp 729 .in +2 730 .nf 731 int acl_strip(const char *path, uid_t uid, gid_t gid, mode_t mode); 732 .fi 733 .in -2 734 735 .sp 736 .LP 737 The \fBacl_strip()\fR function removes all ACLs from a file and replaces them 738 with a trivial ACL based off of the passed in argument mode. After replacing 739 the ACL the owner and group of the file are set to the values specified in the 740 uid and gid parameters. 741 .SS "Converting \fBACL\fRs to/from external representation" 742 .sp 743 .in +2 744 .nf 745 int acl_fromtext(const char *path, acl_t **aclp); 746 char *acl_totext(acl_t *aclp, int flags); 747 .fi 748 .in -2 749 750 .sp 751 .LP 752 The \fBacl_text()\fR function converts an internal ACL representation pointed 753 to by aclp into an external representation. See \fBDESCRIPTION\fR for details 754 about external representation. 755 .sp 756 .LP 757 The \fBacl_fromtext()\fR functions converts and external representation into an 758 internal representation. See \fBDESCRIPTION\fR for details about external 759 representation. 760 .SH EXAMPLES 761 .sp 762 .LP 763 The following examples demonstrate how the API can be used to perform basic 764 operations on ACLs. 765 .LP 766 \fBExample 1 \fRRetrieving and Setting an ACL 767 .sp 768 .LP 769 Use the following to retrieve an ACL and set it on another file: 770 771 .sp 772 .in +2 773 .nf 774 error = acl_get("file", ACL_NO_TRIVIAL, &aclp); 775 776 if (error == 0 && aclp != NULL) { 777 error = acl_set("file2", aclp) 778 acl_free(aclp); 779 } 780 \&... 781 .fi 782 .in -2 783 784 .LP 785 \fBExample 2 \fRRetrieving and Setting Any ACLs 786 .sp 787 .LP 788 Use the following to retrieve any ACL, including trivial ACLs, and set it on 789 another file: 790 791 .sp 792 .in +2 793 .nf 794 error = acl_get("file3", 0, &aclp); 795 if (error == 0) { 796 error = acl_set("file4", aclp) 797 acl_free(aclp); 798 } 799 \&... 800 .fi 801 .in -2 802 803 .LP 804 \fBExample 3 \fRDetermining if a File has a Trivial ACL 805 .sp 806 .LP 807 Use the following to determine if a file has a trivial ACL: 808 809 .sp 810 .in +2 811 .nf 812 istrivial = acl_trivial("file") 813 814 if (istrivial == 0) 815 printf("file %s has a trivial ACL\n", file); 816 else 817 printf("file %s has a NON-trivial ACL\n", file); 818 \&... 819 .fi 820 .in -2 821 822 .LP 823 \fBExample 4 \fRRemoving all ACLs from a File 824 .sp 825 .LP 826 Use the following to remove all ACLs from a file, and set a new mode, owner, 827 and group: 828 829 .sp 830 .in +2 831 .nf 832 error = acl_strip("file", 10, 100, 0644); 833 \&... 834 .fi 835 .in -2 836 837 .SH SEE ALSO 838 .sp 839 .LP 840 \fBchgrp\fR(1), \fBchmod\fR(1), \fBchown\fR(1), \fBcp\fR(1), \fBcpio\fR(1), 841 \fBfind\fR(1), \fBls\fR(1), \fBmv\fR(1), \fBtar\fR(1), \fBsetfacl\fR(1), 842 \fBchmod\fR(2), \fBacl\fR(2),\fBstat\fR(2),\fBacl_get\fR(3SEC), 843 \fBaclsort\fR(3SEC), \fBacl_fromtext\fR(3SEC), \fBacl_free\fR(3SEC), 844 \fBacl_strip\fR(3SEC), \fBacl_trivial\fR(3SEC)