1 '\" te
   2 .\" Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
   3 .\" Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved.
   4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
   5 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
   6 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
   7 .TH ACL 5 "Nov 24, 2014"
   8 .SH NAME
   9 acl \- Access Control Lists
  10 .SH DESCRIPTION
  11 .LP
  12 Access control lists (ACLs) are discretionary access control mechanisms that
  13 grant and deny access to files and directories. Two different ACL models are
  14 supported in the Solaris release: POSIX-draft ACLs and NFSv4 ACLs.
  15 .sp
  16 .LP
  17 The older, POSIX-draft model is supported by the UFS file system. This model is
  18 based on a draft POSIX ACL specification that was never standardized and was
  19 subsequently withdrawn by the POSIX committee.
  20 .sp
  21 .LP
  22 The other model is based on the standards of the NFSv4 working group and is an
  23 approved standard from the Internet Engineering Task Force (IETF). The ZFS file
  24 system uses the NFSv4 model, and provides richer semantics and finer grained
  25 permission capabilities than the POSIX-draft model.
  26 .SS "\fBPOSIX\fR-draft \fBACL\fRs"
  27 .LP
  28 POSIX-draft ACLs provide an alternative security mechanism to basic UNIX file
  29 permissions in the Solaris release. Their purpose is to further restrict access
  30 to files and directories or to extend permissions to a particular user. ACLs
  31 can be used to change the permissions for the standard owner, group and other
  32 class bits of a file's mode. ACLs can give additional users and groups access
  33 to the file. A directory can also have a special kind of ACL called a
  34 \fBdefault\fR ACL, which defines ACL entries to be inherited by descendants of
  35 the directory. POSIX-draft ACLs have an ACL entry called \fBmask\fR. The mask
  36 defines the maximum permissions that can be granted to additional user and
  37 group entries. Whenever a file is created or its mode is changed by
  38 \fBchmod\fR(1) or \fBchmod\fR(2), the mask is recomputed. It is recomputed to
  39 be the group permission defined in the mode passed to \fBchmod\fR(2).
  40 .sp
  41 .LP
  42 The POSIX-draft ACL model uses the standard \fBrwx\fR model of traditional UNIX
  43 permissions.
  44 .sp
  45 .LP
  46 An ACL is represented as follows:
  47 .sp
  48 .in +2
  49 .nf
  50 \fIacl_entry\fR[,\fIacl_entry\fR]...
  51 .fi
  52 .in -2
  53 .sp
  54 
  55 .sp
  56 .LP
  57 Each \fIacl_entry\fR contains one ACL entry. An ACL entry is represented by two
  58 or three colon-separated (\fB:\fR) fields.
  59 .sp
  60 .ne 2
  61 .na
  62 \fB\fIuser\fR:[\fIuid\fR]:\fIperms\fR\fR
  63 .ad
  64 .RS 21n
  65 If \fIuid\fR is blank, it represents the file owner.
  66 .RE
  67 
  68 .sp
  69 .ne 2
  70 .na
  71 \fB\fIgroup\fR:[\fIgid\fR]:\fIperms\fR\fR
  72 .ad
  73 .RS 21n
  74 If \fIgid\fR is blank, it represents the owning group.
  75 .RE
  76 
  77 .sp
  78 .ne 2
  79 .na
  80 \fB\fIother\fR:\fIperms\fR\fR
  81 .ad
  82 .RS 21n
  83 Represents the file other class.
  84 .RE
  85 
  86 .sp
  87 .ne 2
  88 .na
  89 \fB\fImask\fR:\fIperms\fR\fR
  90 .ad
  91 .RS 21n
  92 Defines the \fBMAX\fR permission to hand out.
  93 .RE
  94 
  95 .sp
  96 .LP
  97 For example, to give user \fBjoe\fR read and write permissions, the ACL entry is
  98 specified as:
  99 .sp
 100 .in +2
 101 .nf
 102 user:joe:rw-
 103 .fi
 104 .in -2
 105 .sp
 106 
 107 .SS "\fBNFS\fRv4 \fBACL\fRs"
 108 .LP
 109 The NFSv4 ACL model is based loosely on the Windows NT ACL model. NFSv4 ACLs
 110 provide a much richer ACL model than POSIX-draft ACLs.
 111 .sp
 112 .LP
 113 The major differences between NFSv4 and POSIX-draft ACLs are as follows:
 114 .RS +4
 115 .TP
 116 .ie t \(bu
 117 .el o
 118 NFSv4 ACLs provide finer grained permissions than the \fBrwx\fR model.
 119 .RE
 120 .RS +4
 121 .TP
 122 .ie t \(bu
 123 .el o
 124 NFSv4 ACLs allow for both \fBALLOW\fR and \fBDENY\fR entries.
 125 .RE
 126 .RS +4
 127 .TP
 128 .ie t \(bu
 129 .el o
 130 NFSv4 ACLs provide a rich set of inheritance semantics. POSIX ACLs also have
 131 inheritance, but with the NFSv4 model you can control the following inheritance
 132 features:
 133 .RS +4
 134 .TP
 135 .ie t \(bu
 136 .el o
 137 Whether inheritance cascades to both files and directories or only to files or
 138 directories.
 139 .RE
 140 .RS +4
 141 .TP
 142 .ie t \(bu
 143 .el o
 144 In the case of directories, you can indicate whether inheritance is applied to
 145 the directory itself, to just one level of subdirectories, or cascades to all
 146 subdirectories of the directory.
 147 .RE
 148 .RE
 149 .RS +4
 150 .TP
 151 .ie t \(bu
 152 .el o
 153 NFSv4 ACLs provide a mechanism for hooking into a system's audit trail.
 154 Currently, Solaris does not support this mechanism.
 155 .RE
 156 .RS +4
 157 .TP
 158 .ie t \(bu
 159 .el o
 160 NFSv4 ACLs enable administrators to specify the order in which ACL entries are
 161 checked. With POSIX-draft ACLs the file system reorders ACL entries into a
 162 well-defined, strict access-checking order.
 163 .RE
 164 .sp
 165 .LP
 166 POSIX-draft ACL semantics can be achieved with NFSv4 ACLs. However, only some
 167 NFSv4 ACLs can be translated to equivalent POSIX-draft ACLs.
 168 .sp
 169 .LP
 170 Permissions can be specified in three different \fBchmod\fR ACL formats:
 171 verbose, compact, or positional. The verbose format uses words to indicate
 172 the permissions, separated with a forward slash (\fB/\fR) character. Compact
 173 format uses the permission letters and positional format uses the permission
 174 letters or the hyphen (\fB-\fR) to identify no permissions.
 175 .sp
 176 .LP
 177 The permissions for verbose mode and their abbreviated form in parentheses for
 178 compact and positional mode are described as follows:
 179 .sp
 180 .ne 2
 181 .na
 182 \fBread_data (\fBr\fR)\fR
 183 .ad
 184 .RS 24n
 185 Permission to read the data of the file
 186 .RE
 187 
 188 .sp
 189 .ne 2
 190 .na
 191 \fBlist_directory (\fBr\fR)\fR
 192 .ad
 193 .RS 24n
 194 Permission to list the contents of a directory.
 195 .RE
 196 
 197 .sp
 198 .ne 2
 199 .na
 200 \fBwrite_data (\fBw\fR)\fR
 201 .ad
 202 .RS 24n
 203 Permission to modify a file's data anywhere in the file's offset range. This
 204 includes the ability to grow the file or write to any arbitrary offset.
 205 .RE
 206 
 207 .sp
 208 .ne 2
 209 .na
 210 \fBadd_file (\fBw\fR)\fR
 211 .ad
 212 .RS 24n
 213 Permission to add a new file to a directory.
 214 .RE
 215 
 216 .sp
 217 .ne 2
 218 .na
 219 \fBappend_data (\fBp\fR)\fR
 220 .ad
 221 .RS 24n
 222 The ability to modify the file's data, but only starting at EOF. Currently,
 223 this permission is not supported.
 224 .RE
 225 
 226 .sp
 227 .ne 2
 228 .na
 229 \fBadd_subdirectory (\fBp\fR)\fR
 230 .ad
 231 .RS 24n
 232 Permission to create a subdirectory in a directory.
 233 .RE
 234 
 235 .sp
 236 .ne 2
 237 .na
 238 \fBread_xattr (\fBR\fR)\fR
 239 .ad
 240 .RS 24n
 241 The ability to read the extended attributes of a file or do a lookup in the
 242 extended attributes directory.
 243 .RE
 244 
 245 .sp
 246 .ne 2
 247 .na
 248 \fBwrite_xattr (\fBW\fR)\fR
 249 .ad
 250 .RS 24n
 251 The ability to create extended attributes or write to the extended attributes
 252 directory.
 253 .RE
 254 
 255 .sp
 256 .ne 2
 257 .na
 258 \fBexecute (\fBx\fR)\fR
 259 .ad
 260 .RS 24n
 261 Permission to execute a file.
 262 .RE
 263 
 264 .sp
 265 .ne 2
 266 .na
 267 \fBread_attributes (\fBa\fR)\fR
 268 .ad
 269 .RS 24n
 270 The ability to read basic attributes (non-ACLs) of a file. Basic attributes are
 271 considered to be the stat level attributes. Allowing this access mask bit means
 272 that the entity can execute \fBls\fR(1) and \fBstat\fR(2).
 273 .RE
 274 
 275 .sp
 276 .ne 2
 277 .na
 278 \fBwrite_attributes (\fBA\fR)\fR
 279 .ad
 280 .RS 24n
 281 Permission to change the times associated with a file or directory to an
 282 arbitrary value.
 283 .RE
 284 
 285 .sp
 286 .ne 2
 287 .na
 288 \fBdelete (\fBd\fR)\fR
 289 .ad
 290 .RS 24n
 291 Permission to delete the file.
 292 .RE
 293 
 294 .sp
 295 .ne 2
 296 .na
 297 \fBdelete_child (\fBD\fR)\fR
 298 .ad
 299 .RS 24n
 300 Permission to delete a file within a directory.
 301 .RE
 302 
 303 .sp
 304 .ne 2
 305 .na
 306 \fBread_acl (\fBc\fR)\fR
 307 .ad
 308 .RS 24n
 309 Permission to read the ACL.
 310 .RE
 311 
 312 .sp
 313 .ne 2
 314 .na
 315 \fBwrite_acl (\fBC\fR)\fR
 316 .ad
 317 .RS 24n
 318 Permission to write the ACL or the ability to execute \fBchmod\fR(1) or
 319 \fBsetfacl\fR(1).
 320 .RE
 321 
 322 .sp
 323 .ne 2
 324 .na
 325 \fBwrite_owner (\fBo\fR)\fR
 326 .ad
 327 .RS 24n
 328 Permission to change the owner or the ability to execute \fBchown\fR(1) or
 329 \fBchgrp\fR(1).
 330 .RE
 331 
 332 .sp
 333 .ne 2
 334 .na
 335 \fBsynchronize (\fBs\fR)\fR
 336 .ad
 337 .RS 24n
 338 Permission to access a file locally at the server with synchronous reads and
 339 writes. Currently, this permission is not supported.
 340 .RE
 341 
 342 .sp
 343 .LP
 344 The following inheritance flags are supported by NFSv4 ACLs:
 345 .sp
 346 .ne 2
 347 .na
 348 \fBfile_inherit (\fBf\fR)\fR
 349 .ad
 350 .RS 26n
 351 Inherit to all newly created files in a directory.
 352 .RE
 353 
 354 .sp
 355 .ne 2
 356 .na
 357 \fBdir_inherit (\fBd\fR)\fR
 358 .ad
 359 .RS 26n
 360 Inherit to all newly created directories in a directory.
 361 .RE
 362 
 363 .sp
 364 .ne 2
 365 .na
 366 \fBinherit_only (\fBi\fR)\fR
 367 .ad
 368 .RS 26n
 369 Placed on a directory, but does not apply to the directory itself, only to
 370 newly created files and directories. This flag requires file_inherit
 371 and/or dir_inherit to indicate what to inherit.
 372 .RE
 373 
 374 .sp
 375 .ne 2
 376 .na
 377 \fBno_propagate (\fBn\fR)\fR
 378 .ad
 379 .RS 26n
 380 Placed on directories and indicates that ACL entries should only be inherited
 381 one level of the tree. This flag requires file_inherit and/or dir_inherit to
 382 indicate what to inherit.
 383 .RE
 384 
 385 .sp
 386 .ne 2
 387 .na
 388 \fBsuccessful_access (\fBS\fR)\fR
 389 .ad
 390 .RS 26n
 391 Indicates whether an alarm or audit record should be initiated upon successful
 392 accesses. Used with audit/alarm ACE types.
 393 .RE
 394 
 395 .sp
 396 .ne 2
 397 .na
 398 \fBfailed_access (\fBF\fR)\fR
 399 .ad
 400 .RS 26n
 401 Indicates whether an alarm or audit record should be initiated when access
 402 fails. Used with audit/alarm ACE types.
 403 .RE
 404 
 405 .sp
 406 .ne 2
 407 .na
 408 \fBinherited (\fBI\fR)\fR
 409 .ad
 410 .RS 26n
 411 ACE was inherited.
 412 .RE
 413 
 414 .sp
 415 .ne 2
 416 .na
 417 \fB\fB-\fR\fR
 418 .ad
 419 .RS 26n
 420 No permission granted.
 421 .RE
 422 
 423 .sp
 424 .LP
 425 An NFSv4 ACL is expressed using the following syntax:
 426 .sp
 427 .in +2
 428 .nf
 429 \fIacl_entry\fR[,\fIacl_entry\fR]...
 430 
 431     owner@:<perms>[:inheritance flags]:<allow|deny>
 432     group@:<perms>[:inheritance flags]:<allow|deny>
 433     everyone@:<perms>[:inheritance flags]:<allow|deny>
 434     user:<username>:<perms>[:inheritance flags]:<allow|deny>
 435     usersid:<sid string>:<perms>[:inheritance flags]:<allow|deny>
 436     group:<groupname>:<perms>[:inheritance flags]:<allow|deny>
 437     groupsid:<sid string>:<perms>[:inheritance flags]:<allow|deny>
 438     sid:<sid string>:<perms>[:inheritance flags]:<allow|deny>
 439 .fi
 440 .in -2
 441 
 442 .sp
 443 .ne 2
 444 .na
 445 \fBowner@\fR
 446 .ad
 447 .RS 10n
 448 File owner
 449 .RE
 450 
 451 .sp
 452 .ne 2
 453 .na
 454 \fBgroup@\fR
 455 .ad
 456 .RS 10n
 457 Group owner
 458 .RE
 459 
 460 .sp
 461 .ne 2
 462 .na
 463 \fBuser\fR
 464 .ad
 465 .RS 10n
 466 Permissions for a specific user
 467 .RE
 468 
 469 .sp
 470 .ne 2
 471 .na
 472 \fBgroup\fR
 473 .ad
 474 .RS 10n
 475 Permissions for a specific group
 476 .RE
 477 
 478 .sp
 479 .LP
 480 Permission and inheritance flags are separated by a \fB/\fR character.
 481 .sp
 482 .LP
 483 ACL specification examples:
 484 .sp
 485 .in +2
 486 .nf
 487 user:fred:read_data/write_data/read_attributes:file_inherit:allow
 488 owner@:read_data:allow,group@:read_data:allow,user:tom:read_data:deny
 489 .fi
 490 .in -2
 491 .sp
 492 
 493 .sp
 494 .LP
 495 Using the compact ACL format, permissions are specified by using 14 unique
 496 letters to indicate permissions.
 497 .sp
 498 .LP
 499 Using the positional ACL format, permissions are specified as positional
 500 arguments similar to the \fBls -V\fR format. The hyphen (\fB-\fR), which
 501 indicates that no permission is granted at that position, can be omitted and
 502 only the required letters have to be specified.
 503 .sp
 504 .LP
 505 The letters above are listed in the order they would be specified in positional
 506 notation.
 507 .sp
 508 .LP
 509 With these letters you can specify permissions in the following equivalent
 510 ways.
 511 .sp
 512 .in +2
 513 .nf
 514 user:fred:rw------R------:file_inherit:allow
 515 .fi
 516 .in -2
 517 .sp
 518 
 519 .sp
 520 .LP
 521 Or you can remove the \fB-\fR and scrunch it together.
 522 .sp
 523 .in +2
 524 .nf
 525 user:fred:rwR:file_inherit:allow
 526 .fi
 527 .in -2
 528 .sp
 529 
 530 .sp
 531 .LP
 532 The inheritance flags can also be specified in a more compact manner, as
 533 follows:
 534 .sp
 535 .in +2
 536 .nf
 537 user:fred:rwR:f:allow
 538 user:fred:rwR:f------:allow
 539 .fi
 540 .in -2
 541 .sp
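The entry syntax and the administrator-controlled checking order described above, as an added example (not code from the original page or from libsec): a small model that parses verbose and compact permission fields and walks the entries in order, using the NFSv4 rule that a matching deny refuses a still-wanted permission and a matching allow satisfies it. The names perm_mask, acl_text_allows and struct who are hypothetical; only owner@, group@, everyone@ and user:<username> entries are modelled.

```c
#include <string.h>

enum { BAD_ACL = -1, DENIED = 0, ALLOWED = 1 };
struct who { const char *user; int is_owner, in_owning_group; }; /* hypothetical */

/* Compact letters and verbose names, paired by index (directory aliases omitted). */
static const char LETTERS[] = "rwxpdDaARWcCos";
static const char *const NAMES[] = { "read_data", "write_data", "execute",
    "append_data", "delete", "delete_child", "read_attributes",
    "write_attributes", "read_xattr", "write_xattr", "read_acl", "write_acl",
    "write_owner", "synchronize" };

static int eq(const char *s, size_t n, const char *lit) {
    return strlen(lit) == n && memcmp(s, lit, n) == 0;
}

/* Verbose ("a/b"), compact ("rwR") or hyphen-padded perms to a bit mask. */
long perm_mask(const char *s, size_t n) {
    const char *end = s + n;
    long mask = 0;
    while (s < end) {
        size_t len = 0, i = 0;
        while (s + len < end && s[len] != '/') len++;
        while (i < 14 && !eq(s, len, NAMES[i])) i++;
        if (i < 14) mask |= 1L << i;
        else for (i = 0; i < len; i++) {          /* not a word: letters */
            const char *p = memchr(LETTERS, s[i], 14);
            if (p) mask |= 1L << (p - LETTERS);
            else if (s[i] != '-') return BAD_ACL;
        }
        s += len + (s + len < end);               /* step over the '/' */
    }
    return mask;
}

/* Entries are checked in the order written: a matching deny naming a bit
 * still wanted refuses at once; a matching allow satisfies its bits.
 * Inheritance flags are skipped over, not interpreted. */
int acl_text_allows(const char *acl, const struct who *w, long want) {
    while (*acl && want) {
        const char *f[5];
        size_t n[5], elen = strcspn(acl, ","), pos = 0;
        int nf = 0, k = 1, match;
        long m;
        for (; nf < 5 && pos <= elen; pos += n[nf++] + 1) {   /* split on ':' */
            f[nf] = acl + pos;
            n[nf] = strcspn(f[nf], ":,");
        }
        if (eq(f[0], n[0], "owner@")) match = w->is_owner;
        else if (eq(f[0], n[0], "group@")) match = w->in_owning_group;
        else if (eq(f[0], n[0], "everyone@")) match = 1;
        else if (eq(f[0], n[0], "user") && nf > 1) { match = eq(f[1], n[1], w->user); k = 2; }
        else return BAD_ACL;      /* group:<name> and SID forms not modelled */
        if (nf < k + 2 || nf > k + 3) return BAD_ACL;
        if ((m = perm_mask(f[k], n[k])) < 0) return BAD_ACL;
        if (!match) m = 0;
        if (eq(f[nf - 1], n[nf - 1], "deny")) { if (m & want) return DENIED; }
        else if (eq(f[nf - 1], n[nf - 1], "allow")) want &= ~m;
        else return BAD_ACL;
        acl += elen + (acl[elen] == ',');
    }
    return want ? DENIED : ALLOWED;
}
```

With the ACL owner@:read_data:allow,group@:read_data:allow,user:tom:read_data:deny from the examples above, a requester tom who belongs to the owning group is still granted read_data, because the group@ allow entry is reached before the deny entry. Listing the deny entry first makes it effective.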
 542 
 543 .SS "Shell-level Solaris \fBAPI\fR"
 544 .LP
 545 The Solaris command interface supports the manipulation of ACLs. The following
 546 Solaris utilities accommodate both ACL models:
 547 .sp
 548 .ne 2
 549 .na
 550 \fB\fBchmod\fR\fR
 551 .ad
 552 .RS 12n
 553 The \fBchmod\fR utility has been enhanced to allow for the setting and deleting
 554 of ACLs. This is achieved by extending the symbolic-mode argument to support
 555 ACL manipulation. See \fBchmod\fR(1) for details.
 556 .RE
 557 
 558 .sp
 559 .ne 2
 560 .na
 561 \fB\fBcompress\fR\fR
 562 .ad
 563 .RS 12n
 564 When a file is compressed any ACL associated with the original file is
 565 preserved with the compressed file.
 566 .RE
 567 
 568 .sp
 569 .ne 2
 570 .na
 571 \fB\fBcp\fR\fR
 572 .ad
 573 .RS 12n
 574 By default, \fBcp\fR ignores ACLs, unless the \fB-p\fR option is specified.
 575 When \fB-p\fR is specified the owner and group id, permission modes,
 576 modification and access times, ACLs, and extended attributes if applicable are
 577 preserved.
 578 .RE
 579 
 580 .sp
 581 .ne 2
 582 .na
 583 \fB\fBcpio\fR\fR
 584 .ad
 585 .RS 12n
 586 ACLs are preserved when the \fB-P\fR option is specified.
 587 .RE
 588 
 589 .sp
 590 .ne 2
 591 .na
 592 \fB\fBfind\fR\fR
 593 .ad
 594 .RS 12n
 595 Find locates files with ACLs when the \fB-acl\fR flag is specified.
 596 .RE
 597 
 598 .sp
 599 .ne 2
 600 .na
 601 \fB\fBls\fR\fR
 602 .ad
 603 .RS 12n
 604 By default \fBls\fR does not display ACL information. When the \fB-v\fR option
 605 is specified, a file's ACL is displayed.
 606 .RE
 607 
 608 .sp
 609 .ne 2
 610 .na
 611 \fB\fBmv\fR\fR
 612 .ad
 613 .RS 12n
 614 When a file is moved, all attributes are carried along with the renamed file.
 615 When a file is moved across a file system boundary, the ACLs are replicated. If
 616 the ACL information cannot be replicated, the move fails and the source file is
 617 not removed.
 618 .RE
 619 
 620 .sp
 621 .ne 2
 622 .na
 623 \fB\fBpack\fR\fR
 624 .ad
 625 .RS 12n
 626 When a file is packed, any ACL associated with the original file is preserved
 627 with the packed file.
 628 .RE
 629 
 630 .sp
 631 .ne 2
 632 .na
 633 \fB\fBrcp\fR\fR
 634 .ad
 635 .RS 12n
 636 \fBrcp\fR has been enhanced to support copying ACLs. A file's ACL is only preserved
 637 when the remote host supports ACLs.
 638 .RE
 639 
 640 .sp
 641 .ne 2
 642 .na
 643 \fB\fBtar\fR\fR
 644 .ad
 645 .RS 12n
 646 ACLs are preserved when the \fB-p\fR option is specified.
 647 .RE
 648 
 649 .sp
 650 .ne 2
 651 .na
 652 \fB\fBunpack\fR\fR
 653 .ad
 654 .RS 12n
 655 When a file with an ACL is unpacked, the unpacked file retains the ACL
 656 information.
 657 .RE
 658 
 659 .SS "Application-level \fBAPI\fR"
 660 .LP
 661 The primary interfaces required to access file system ACLs at the programmatic
 662 level are the \fBacl_get()\fR and \fBacl_set()\fR functions. These functions
 663 support both POSIX draft ACLs and NFSv4 ACLs.
 664 .SS "Retrieving a file's \fBACL\fR"
 665 .in +2
 666 .nf
 667 int acl_get(const char *path, int flag, acl_t **aclp);
 668 int facl_get(int fd, int flag, acl_t **aclp);
 669 .fi
 670 .in -2
 671 
 672 .sp
 673 .LP
 674 The \fBacl_get\fR(3SEC) and \fBfacl_get\fR(3SEC) functions retrieve an ACL on
 675 a file whose name is given by path or referenced by the open file descriptor
 676 fd. The flag argument specifies whether a trivial ACL should be retrieved. When
 677 the flag argument equals \fBACL_NO_TRIVIAL\fR then only ACLs that are not
 678 trivial are retrieved. The ACL is returned in the \fBaclp\fR argument.
 679 .SS "Freeing \fBACL\fR structure"
 680 .in +2
 681 .nf
 682 void acl_free(acl_t *aclp);
 683 .fi
 684 .in -2
 685 
 686 .sp
 687 .LP
 688 The \fBacl_free()\fR function frees up memory allocated for the argument
 689 \fBaclp\fR.
 690 .SS "Setting an \fBACL\fR on a file"
 691 .in +2
 692 .nf
 693 int acl_set(const char *path, acl_t *aclp);
 694 int facl_set(int fd, acl_t *aclp);
 695 .fi
 696 .in -2
 697 
 698 .sp
 699 .LP
 700 The \fBacl_set\fR(3SEC) and \fBfacl_set\fR(3SEC) functions are used for setting
 701 an ACL on a file whose name is given by path or referenced by the open file
 702 descriptor \fBfd\fR. The \fBaclp\fR argument specifies the ACL to set. The
 703 \fBacl_set\fR(3SEC) function translates a POSIX-draft ACL into an NFSv4 ACL when
 704 the target file system supports NFSv4 ACLs. No translation is performed when
 705 trying to set an NFSv4 ACL on a file system that supports only POSIX-draft ACLs.
 706 .SS "Determining an \fBACL\fR's trivialness"
 707 .in +2
 708 .nf
 709 int acl_trivial(const char *path);
 710 .fi
 711 .in -2
 712 
 713 .sp
 714 .LP
 715 The \fBacl_trivial()\fR function is used to determine whether a file has a
 716 trivial ACL.
 717 .SS "Removing all \fBACL\fRs from a file"
 718 .in +2
 719 .nf
 720 int acl_strip(const char *path, uid_t uid, gid_t gid, mode_t mode);
 721 .fi
 722 .in -2
 723 
 724 .sp
 725 .LP
 726 The \fBacl_strip()\fR function removes all ACLs from a file and replaces them
 727 with a trivial ACL based on the passed-in mode argument. After replacing
 728 the ACL, the owner and group of the file are set to the values specified in the
 729 uid and gid parameters.
 730 .SS "Converting \fBACL\fRs to/from external representation"
 731 .in +2
 732 .nf
 733 int acl_fromtext(const char *acltextp, acl_t **aclp);
 734 char *acl_totext(acl_t *aclp, int flags);
 735 .fi
 736 .in -2
 737 
 738 .sp
 739 .LP
 740 The \fBacl_totext()\fR function converts an internal ACL representation pointed
 741 to by aclp into an external representation. See \fBDESCRIPTION\fR for details
 742 about external representation.
 743 .sp
 744 .LP
 745 The \fBacl_fromtext()\fR function converts an external representation into an
 746 internal representation. See \fBDESCRIPTION\fR for details about external
 747 representation.
 748 .SH EXAMPLES
 749 .LP
 750 The following examples demonstrate how the API can be used to perform basic
 751 operations on ACLs.
 752 .LP
 753 \fBExample 1 \fRRetrieving and Setting an ACL
 754 .sp
 755 .LP
 756 Use the following to retrieve an ACL and set it on another file:
 757 
 758 .sp
 759 .in +2
 760 .nf
 761 error = acl_get("file", ACL_NO_TRIVIAL, &aclp);
 762 
 763 if (error == 0 && aclp != NULL) {
 764 .in +8
 765 error = acl_set("file2", aclp);
 766 acl_free(aclp);
 767 .in -8
 768 }
 769 \&...
 770 .fi
 771 .in -2
 772 
 773 .LP
 774 \fBExample 2 \fRRetrieving and Setting Any ACLs
 775 .sp
 776 .LP
 777 Use the following to retrieve any ACL, including trivial ACLs, and set it on
 778 another file:
 779 
 780 .sp
 781 .in +2
 782 .nf
 783 error = acl_get("file3", 0, &aclp);
 784 if (error == 0) {
 785 .in +8
 786 error = acl_set("file4", aclp);
 787 acl_free(aclp);
 788 .in -8
 789 }
 790 \&...
 791 .fi
 792 .in -2
 793 
 794 .LP
 795 \fBExample 3 \fRDetermining if a File has a Trivial ACL
 796 .sp
 797 .LP
 798 Use the following to determine if a file has a trivial ACL:
 799 
 800 .sp
 801 .in +2
 802 .nf
 803 char *file = "file5";
 804 istrivial = acl_trivial(file);
 805 
 806 if (istrivial == 0)
 807 .in +8
 808 printf("file %s has a trivial ACL\en", file);
 809 .in -8
 810 else
 811 .in +8
 812 printf("file %s has a NON-trivial ACL\en", file);
 813 .in -8
 814 \&...
 815 .fi
 816 .in -2
 817 
 818 .LP
 819 \fBExample 4 \fRRemoving all ACLs from a File
 820 .sp
 821 .LP
 822 Use the following to remove all ACLs from a file, and set a new mode, owner,
 823 and group:
 824 
 825 .sp
 826 .in +2
 827 .nf
 828 error = acl_strip("file", 10, 100, 0644);
 829 \&...
 830 .fi
 831 .in -2
 832 
 833 .SH SEE ALSO
 834 .LP
 835 \fBchgrp\fR(1), \fBchmod\fR(1), \fBchown\fR(1), \fBcp\fR(1), \fBcpio\fR(1),
 836 \fBfind\fR(1), \fBls\fR(1), \fBmv\fR(1), \fBtar\fR(1), \fBsetfacl\fR(1),
 837 \fBchmod\fR(2), \fBacl\fR(2), \fBstat\fR(2), \fBacl_get\fR(3SEC),
 838 \fBaclsort\fR(3SEC), \fBacl_fromtext\fR(3SEC), \fBacl_free\fR(3SEC),
 839 \fBacl_strip\fR(3SEC), \fBacl_trivial\fR(3SEC)