ACL(9)

NAME
acl -- virtual file system access control lists
SYNOPSIS
#include <sys/param.h>
#include <sys/vnode.h>
#include <sys/acl.h>

In the kernel configuration file:

options UFS_ACL
DESCRIPTION
Access control lists, or ACLs, allow fine-grained specification of rights for vnodes representing files and directories. However, as there are a plethora of file systems with differing ACL semantics, the vnode interface is aware only of the syntax of ACLs, relying on the underlying file system to implement the details. Depending on the underlying file system, each file or directory may have zero or more ACLs associated with it, named using the type field of the appropriate vnode ACL calls: VOP_ACLCHECK(9), VOP_GETACL(9), and VOP_SETACL(9).

Currently, each ACL is represented in-kernel by a fixed-size acl structure, defined as follows:

    struct acl {
            int             acl_cnt;
            struct acl_entry acl_entry[ACL_MAX_ENTRIES];
    };

An ACL is constructed from a fixed-size array of ACL entries, each of which consists of a set of permissions, a principal namespace, and a principal identifier.

Each individual ACL entry is of the type acl_entry_t, which is a structure with the following members:

acl_tag_t ae_tag
The following is a list of definitions of ACL entry types to be set in ae_tag:
ACL_UNDEFINED_FIELD
Undefined ACL type.

ACL_USER_OBJ
Discretionary access rights for processes whose effective user ID matches the user ID of the file's owner.

ACL_USER
Discretionary access rights for processes whose effective user ID matches the ACL entry qualifier.

ACL_GROUP_OBJ
Discretionary access rights for processes whose effective group ID or any supplemental groups match the group ID of the file's owner.

ACL_GROUP
Discretionary access rights for processes whose effective group ID or any supplemental groups match the ACL entry qualifier.

ACL_MASK
The maximum discretionary access rights that can be granted to a process in the file group class.

ACL_OTHER
Discretionary access rights for processes not covered by any other ACL entry.

ACL_OTHER_OBJ
Same as ACL_OTHER.

Each ACL must contain exactly one ACL_USER_OBJ, one ACL_GROUP_OBJ, and one ACL_OTHER entry. If any ACL_USER, ACL_GROUP, or ACL_OTHER entries are present, then exactly one ACL_MASK entry should be present.
uid_t ae_id
The ID of the user for whom this ACL entry describes access permissions.

acl_perm_t ae_perm
This field defines what kind of access the process matching this ACL entry has to the associated file:

ACL_EXECUTE
The process may execute the associated file.

ACL_WRITE
The process may write to the associated file.

ACL_READ
The process may read from the associated file.

ACL_PERM_NONE
The process has no read, write or execute permissions to the associated file.
IMPLEMENTATION NOTES
    typedef mode_t  *acl_permset_t;

    /* internal ACL structure */
    struct acl {
            int             acl_cnt;
            struct acl_entry acl_entry[ACL_MAX_ENTRIES];
    };

    /* external ACL structure */
    struct acl_t_struct {
            struct acl      ats_acl;
            int             ats_cur_entry;
    };
    typedef struct acl_t_struct *acl_t;

    /*
     * Possible valid values for ae_tag field.
     */
    #define ACL_UNDEFINED_TAG       0x00000000
    #define ACL_USER_OBJ            0x00000001
    #define ACL_USER                0x00000002
    #define ACL_GROUP_OBJ           0x00000004
    #define ACL_GROUP               0x00000008
    #define ACL_MASK                0x00000010
    #define ACL_OTHER               0x00000020
    #define ACL_OTHER_OBJ           ACL_OTHER

    /*
     * Possible valid values for acl_type_t arguments.
     */
    #define ACL_TYPE_ACCESS         0x00000000
    #define ACL_TYPE_DEFAULT        0x00000001
    #define ACL_TYPE_AFS            0x00000002
    #define ACL_TYPE_CODA           0x00000003
    #define ACL_TYPE_NTFS           0x00000004
    #define ACL_TYPE_NWFS           0x00000005

    /*
     * Possible flags in ae_perm field.
     */
    #define ACL_EXECUTE             0x0001
    #define ACL_WRITE               0x0002
    #define ACL_READ                0x0004
    #define ACL_PERM_NONE           0x0000
    #define ACL_PERM_BITS           (ACL_EXECUTE | ACL_WRITE | ACL_READ)
    #define ACL_POSIX1E_BITS        (ACL_EXECUTE | ACL_WRITE | ACL_READ)

    /*
     * Possible entry_id values for acl_get_entry()
     */
    #define ACL_FIRST_ENTRY         0
    #define ACL_NEXT_ENTRY          1

    /*
     * Undefined value in ae_id field
     */
    #define ACL_UNDEFINED_ID        ((uid_t)-1)
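EXAMPLES
The following is an added example, not code from this man page or the FreeBSD kernel: a user-space model of the acl structure above, with a well-formedness check for the ACL_USER_OBJ/ACL_GROUP_OBJ/ACL_OTHER/ACL_MASK rule from DESCRIPTION and a permission evaluation in POSIX.1e order using the tag and permission values from IMPLEMENTATION NOTES. The local struct definitions, the evaluation order, the use of only the effective group ID, and sample_acl are assumptions of the example, not the kernel's vaccess_acl_posix1e(9).

```c
/* Added example, not the kernel's code: a user-space model of validating and evaluating the
 * POSIX.1e acl structure above. Values mirror IMPLEMENTATION NOTES; evaluation uses egid only. */
#include <sys/types.h>
enum { ACL_USER_OBJ = 0x01, ACL_USER = 0x02, ACL_GROUP_OBJ = 0x04,
       ACL_GROUP = 0x08, ACL_MASK = 0x10, ACL_OTHER = 0x20 };
enum { ACL_EXECUTE = 0x1, ACL_WRITE = 0x2, ACL_READ = 0x4,
       ACL_PERM_BITS = ACL_EXECUTE | ACL_WRITE | ACL_READ };
struct acl_entry { int ae_tag; uid_t ae_id; int ae_perm; };
struct acl { int acl_cnt; struct acl_entry acl_entry[32]; }; /* 32 stands in for ACL_MAX_ENTRIES */
/* Rule from DESCRIPTION: exactly one USER_OBJ, GROUP_OBJ and OTHER entry, and an
 * ACL_MASK entry whenever a named ACL_USER or ACL_GROUP entry is present. */
int acl_posix1e_valid(const struct acl *a) {
    int uo = 0, go = 0, ot = 0, mask = 0, named = 0;
    for (int i = 0; i < a->acl_cnt; i++) {
        switch (a->acl_entry[i].ae_tag) {
        case ACL_USER_OBJ: uo++; break;
        case ACL_GROUP_OBJ: go++; break;
        case ACL_OTHER: ot++; break;
        case ACL_MASK: mask++; break;
        case ACL_USER: case ACL_GROUP: named++; break;
        default: return 0;  /* unknown tag: reject the whole ACL */
        }
    }
    return uo == 1 && go == 1 && ot == 1 && mask <= 1 && (!named || mask == 1);
}
/* Effective bits for (euid, egid) on a file owned by (fuid, fgid). Array order is irrelevant:
 * first match in POSIX.1e order (owner, user, groups, other) wins; ACL_MASK caps all but USER_OBJ/OTHER. */
int acl_posix1e_perms(const struct acl *a, uid_t euid, gid_t egid, uid_t fuid, gid_t fgid) {
    int mask = ACL_PERM_BITS, owner = -1, user = -1, group = -1, other = 0;
    for (int i = 0; i < a->acl_cnt; i++) {
        const struct acl_entry *e = &a->acl_entry[i];
        switch (e->ae_tag) {  /* group is the union of every matching group entry */
        case ACL_MASK: mask = e->ae_perm; break;
        case ACL_USER_OBJ: if (euid == fuid) owner = e->ae_perm; break;
        case ACL_USER: if (euid == e->ae_id) user = e->ae_perm; break;
        case ACL_GROUP_OBJ: if (egid == fgid) group = (group < 0 ? 0 : group) | e->ae_perm; break;
        case ACL_GROUP: if (egid == e->ae_id) group = (group < 0 ? 0 : group) | e->ae_perm; break;
        case ACL_OTHER: other = e->ae_perm; break;
        }
    }
    if (owner >= 0) return owner;
    if (user >= 0) return user & mask;
    if (group >= 0) return group & mask;
    return other;
}
/* Constructed sample: owner rw, user 1001 rwx (capped by mask), group r, mask r, other none. */
const struct acl sample_acl = { 5, {
    { ACL_USER_OBJ, 0, ACL_READ | ACL_WRITE }, { ACL_USER, 1001, ACL_PERM_BITS },
    { ACL_GROUP_OBJ, 0, ACL_READ }, { ACL_MASK, 0, ACL_READ }, { ACL_OTHER, 0, 0 } } };
```

Note that user 1001 is granted rwx by its named entry but only r takes effect, because ACL_MASK limits named users and all group entries while the owner and other entries are unaffected.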
SEE ALSO
acl(3), vaccess_acl_posix1e(9), VFS(9), vnaccess(9), VOP_ACLCHECK(9), VOP_GETACL(9), VOP_SETACL(9)

AUTHORS
This man page was written by Robert Watson.