The Trustee Rights Utility (rights) for Linux allows you to specify trustee rights for directories and files in the NSS file system. This utility does not provide support for trustees on Linux file systems. It is also not meant to be used to set trustees for NSS volumes on NetWare. The trustee information is saved in the file and directory metadata in the NSS volume and works seamlessly with NetWare if the volume is moved to a NetWare server.
rights [OPTIONS]
rights [TOPTIONS] trustee USERNAME
rights [DOPTIONS] delete USERNAME
rights [IOPTIONS] irf
rights [EROPTIONS] effective USERNAME
rights [FOPTIONS] inherited USERNAME
rights [SOPTIONS] show
The first argument indicates the action to be taken.
| Option | Description |
|---|---|
| trustee | Adds or modifies a trustee on a file or directory. |
| delete | Removes a trustee from a file or directory. |
| irf | Sets the inherited rights filter on a directory. |
| effective | Displays a user’s effective rights. |
| inherited | Displays the inheritance for a user to a file. |
| show | Displays the trustees and inherited rights filter. |
| Option | Description |
|---|---|
| -v, --version | Displays the program version information. |
| -h, --help | Displays the help screen. |
| Option | Description |
|---|---|
| -r, --rights=MASK | Specifies the rights to be given to this trustee. For more information, see MASK. If the No Rights (n) option is assigned, the trustee is removed. If rights are not specified, the default assignment is Read and File Scan rights. |
| -f, --file=filename | Specifies the name of the file or directory to assign trustees to. Filename is the path for the file or directory. For example: -f /users/username/userfile.sxi or --file=/designs/topsecret. If a file or directory is not specified, the current directory is used. |
| -d, --dst | Specify this option to assign trustees to the DST primary volume and shadow volume. NOTE: Ensure that the filename specified with this option is a DST primary volume. |
| -S, --softlink | Does not follow soft links. |
| -n, --namespace | Sets the lookup namespace as DOS, UNIX, LONG or MACINTOSH. |
| -a, --activedirectory | Specifies the Active Directory user name and group. If you used Windows Server Manager to add users to AD and those user names contain any of the following special characters: / \ [ ] : ; \| = , + * ? < > @ and ", the characters are replaced with an underscore (_). Ensure that you specify the correct AD user names. The AD user name format is NETBIOSNameOfDomain\\username. |
| Option | Description |
|---|---|
| -f, --file=filename | Specifies the name of the file or directory to delete trustees from. Filename is the path for the file or directory. If a file or directory is not specified, the current directory is used. |
| -d, --dst | Specify this option to delete trustees from the DST primary volume and shadow volume. NOTE: Ensure that the filename specified with this option is a DST primary volume. |
| -S, --softlink | Does not follow soft links. |
| -n, --namespace | Sets the lookup namespace as DOS, UNIX, LONG or MACINTOSH. |
| -a, --activedirectory | Specifies the Active Directory user name and group. If you used Windows Server Manager to add users to AD and those user names contain any of the following special characters: / \ [ ] : ; \| = , + * ? < > @ and ", the characters are replaced with an underscore (_). Ensure that you specify the correct AD user names. The AD user name format is NETBIOSNameOfDomain\\username. |
| Option | Description |
|---|---|
| -r, --rights=MASK | Specifies the rights to be passed through the filter. For more information, see MASK. If rights are not specified, the default assignment is All Rights. |
| -f, --file=filename | Specifies the name of the directory where the filter is to be applied. Filename is the path for the directory. If a directory is not specified, the current directory is used. |
| -d, --dst | Specify this option to apply the filter on the DST primary volume and shadow volume. NOTE: Ensure that the filename specified with this option is a DST primary volume. |
| -S, --softlink | Does not follow soft links. |
| -n, --namespace | Sets the lookup namespace as DOS, UNIX, LONG or MACINTOSH. |
| Option | Description |
|---|---|
| -f, --file=filename | Specifies the name of the file or directory where effective rights are to be calculated. Filename is the path for the file or directory. If a file or directory is not specified, the current directory is used. |
| -d, --dst | Specify this option to calculate the effective rights of the DST primary volume and shadow volume. NOTE: Ensure that the filename specified with this option is a DST primary volume. |
| -S, --softlink | Does not follow soft links. |
| -n, --namespace | Sets the lookup namespace as DOS, UNIX, LONG or MACINTOSH. |
| -a, --activedirectory | Specifies the Active Directory user name and group. If you used Windows Server Manager to add users to AD and those user names contain any of the following special characters: / \ [ ] : ; \| = , + * ? < > @ and ", the characters are replaced with an underscore (_). Ensure that you specify the correct AD user names. The AD user name format is NETBIOSNameOfDomain\\username. |
| Option | Description |
|---|---|
| -f, --file=filename | Specifies the name of the file or directory where effective rights are to be calculated. Filename is the path for the file or directory. If a file or directory is not specified, the current directory is used. |
| -d, --dst | Specify this option to display a list of trustees and inherited rights for the DST primary volume and shadow volume. NOTE: Ensure that the filename specified with this option is a DST primary volume. |
| -S, --softlink | Does not follow soft links. |
| -a, --activedirectory | Specifies the Active Directory user name and group. If you used Windows Server Manager to add users to AD and those user names contain any of the following special characters: / \ [ ] : ; \| = , + * ? < > @ and ", the characters are replaced with an underscore (_). Ensure that you specify the correct AD user names. The AD user name format is NETBIOSNameOfDomain\\username. |
| Option | Description |
|---|---|
| -f, --file=filename | Specifies the name of the file or directory to display a list of trustees for that file or directory. If a file or directory is not specified, the current directory is used. |
| -d, --dst | Specify this option to display the trustees and inherited rights filter for the DST primary volume and shadow volume. NOTE: Ensure that the filename specified with this option is a DST primary volume. |
| -S, --softlink | Does not follow soft links. |
| -n, --namespace | Sets the lookup namespace as DOS, UNIX, LONG or MACINTOSH. |
The USERNAME is the fully distinguished name of the eDirectory or Active Directory (AD) object, including the tree name. Use the username.context.treename format, such as:
joe.engineer.acme_tree
If you use special characters in a username, you must escape those special characters in the command line.
For example, the $ (dollar sign) is a special character reserved to the shell and must be escaped. For the bash shell, the command could be written in one of two ways on the command line:
rights -f /media/nss/DATA/stuff -r none \$j\$o\$e.engineer.acme_tree
rights -f /media/nss/DATA/stuff -r none '$j$o$e.engineer.acme_tree'
If you are using another shell, the special characters might need a different escape technique. In this case, refer to the documentation for that shell.
The mask is a string of characters, with each character representing certain rights. The following table lists the rights, the letter to use for each right, and what the right is used for. By default, if you do not specify the rights to assign, the specified user gets the Read and File Scan rights (rf) to the specified file or directory.
| Right | Letter | Description |
|---|---|---|
| Supervisor | s | Has all rights to the file or directory. Also can grant or revoke the Access Control right. |
| Read | r | Grants the right to open and read files in the directory. |
| Write | w | Grants the right to open and write to files in the directory. |
| Create | c | Grants the right to create files and subdirectories. The user can also salvage (undelete) deleted files. |
| Erase | e | Grants the right to erase files and directories. The user can also purge deleted files. |
| Modify | m | Grants the right to modify the metadata of the file or directory, for example, to rename files and directories or change file attributes. |
| File Scan | f | Grants the right to display and search on file and directory names in the file system structure. |
| Access Control | a | Grants the right to add and remove trustees, and change trustee rights to files and directories. This right does not allow the trustee to add or remove the Supervisor right for any user. It also does not allow the trustee to remove a trustee that has the Supervisor right. |
| No Rights | none | Revokes all rights. |
| All Rights | all | Grants all rights (srwcemfa). |
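The following is an added example, not part of the rights utility or of the original documentation: POSIX shell functions that check a MASK string against the table above, expand it to right names, and flag masks that carry Supervisor or Access Control before the mask is passed to -r. The function names and the OK/REVIEW/REJECT verdicts are assumptions made for illustration, and only the mask forms listed in the table are accepted.

```shell
#!/bin/sh
# Added example, not part of the rights utility. Accepts only the forms in the
# mask table: letters from srwcemfa, or the words "none" and "all".

# expand_mask MASK: print the right names; fail on an unknown letter.
expand_mask() {
    local rest="$1" out="" ch name
    case $rest in
        "")   echo "empty mask" >&2; return 1 ;;
        none) echo "No Rights"; return 0 ;;
        all)  rest=srwcemfa ;;
    esac
    while [ -n "$rest" ]; do
        ch=${rest%"${rest#?}"}          # first character of what is left
        rest=${rest#?}
        case $ch in
            s) name="Supervisor" ;;
            r) name="Read" ;;
            w) name="Write" ;;
            c) name="Create" ;;
            e) name="Erase" ;;
            m) name="Modify" ;;
            f) name="File Scan" ;;
            a) name="Access Control" ;;
            *) echo "unknown right letter: $ch" >&2; return 1 ;;
        esac
        case ", $out," in
            *", $name,"*) ;;            # repeated letter: list it once
            *) out="${out:+$out, }$name" ;;
        esac
    done
    echo "$out"
}

# grants_trustee_control MASK: true if the mask carries Supervisor or Access
# Control, the rights the table describes as able to change trustee rights.
grants_trustee_control() {
    case $1 in all|*[sa]*) return 0 ;; esac
    return 1
}

# vet_mask MASK: one-line verdict; exit status 0 = OK, 1 = REVIEW, 2 = REJECT.
vet_mask() {
    local names
    names=$(expand_mask "$1") || { echo "REJECT: $1"; return 2; }
    if grants_trustee_control "$1"; then echo "REVIEW: $names"; return 1; fi
    echo "OK: $names"
}

vet_mask rwfc    # the mask used in the page's first example
```
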
rights -f /designs/topsecret -r rwfc trustee joe.engineer.acme_tree
This command assigns Read, Write, File Scan, and Create rights to the /designs/topsecret directory for user joe in the engineer context of the acme_tree eDirectory tree.
For Active Directory users, use the NetBIOS name of the AD domain followed by the user name. For example, NETBIOSNameOfDomain\\user.
rights --file=/designs/topsecret/joe.txt trustee jsmith.engineering.acme_tree
This command assigns Read and File Scan rights (the default rights setting) to the /designs/topsecret/joe.txt file for user joe in the engineer context of the acme_tree eDirectory tree.
rights -d -f /designs/topsecret show
This command displays the trustees and inherited rights filter for the DST primary volume and shadow volume. In this example, /designs/topsecret represents the DST primary volume.
For information about setting file system directory and file attributes, see attrib.