Skip site navigation (1)Skip section navigation (2)

FreeBSD Man Pages

Man Page or Keyword Search:
Man Architecture
Apropos Keyword Search (all sections) Output format
home | help
ACL(9)		       FreeBSD Kernel Developer's Manual		ACL(9)

NAME
     acl -- virtual file system	access control lists

SYNOPSIS
     #include <sys/param.h>
     #include <sys/vnode.h>
     #include <sys/acl.h>

     In	the kernel configuration file:
     options UFS_ACL

DESCRIPTION
     Access control lists, or ACLs, allow fine-grained specification of	rights
     for vnodes	representing files and directories.  However, as there are a
     plethora of file systems with differing ACL semantics, the	vnode inter-
     face is aware only	of the syntax of ACLs, relying on the underlying file
     system to implement the details.  Depending on the	underlying file	sys-
     tem, each file or directory may have zero or more ACLs associated with
     it, named using the type field of the appropriate vnode ACL calls:
     VOP_ACLCHECK(9), VOP_GETACL(9), and VOP_SETACL(9).

     Currently,	each ACL is represented	in-kernel by a fixed-size acl struc-
     ture, defined as follows:

	   struct acl {
		   unsigned int		   acl_maxcnt;
		   unsigned int		   acl_cnt;
		   int			   acl_spare[4];
		   struct acl_entry	   acl_entry[ACL_MAX_ENTRIES];
	   };

     An	ACL is constructed from	a fixed	size array of ACL entries, each	of
     which consists of a set of	permissions, principal namespace, and princi-
     pal identifier.  In this implementation, the acl_maxcnt field is always
     set to ACL_MAX_ENTRIES.

     Each individual ACL entry is of the type acl_entry_t, which is a struc-
     ture with the following members:

     acl_tag_t ae_tag
	 The following is a list of definitions	of ACL types to	be set in
	 ae_tag:

	       ACL_UNDEFINED_FIELD  Undefined ACL type.
	       ACL_USER_OBJ	    Discretionary access rights	for processes
				    whose effective user ID matches the	user
				    ID of the file's owner.
	       ACL_USER		    Discretionary access rights	for processes
				    whose effective user ID matches the	ACL
				    entry qualifier.
	       ACL_GROUP_OBJ	    Discretionary access rights	for processes
				    whose effective group ID or	any supplemen-
				    tal	groups match the group ID of the
				    file's owner.
	       ACL_GROUP	    Discretionary access rights	for processes
				    whose effective group ID or	any supplemen-
				    tal	groups match the ACL entry qualifier.
	       ACL_MASK		    The	maximum	discretionary access rights
				    that can be	granted	to a process in	the
				    file group class.  This is only valid for
				    POSIX.1e ACLs.
	       ACL_OTHER	    Discretionary access rights	for processes
				    not	covered	by any other ACL entry.	 This
				    is only valid for POSIX.1e ACLs.
	       ACL_OTHER_OBJ	    Same as ACL_OTHER.
	       ACL_EVERYONE	    Discretionary access rights	for all	users.
				    This is only valid for NFSv4 ACLs.

	 Each POSIX.1e ACL must	contain	exactly	one ACL_USER_OBJ, one
	 ACL_GROUP_OBJ,	and one	ACL_OTHER.  If any of ACL_USER,	ACL_GROUP, or
	 ACL_OTHER are present,	then exactly one ACL_MASK entry	should be
	 present.

     uid_t ae_id
	 The ID	of user	for whom this ACL describes access permissions.	 For
	 entries other than ACL_USER and ACL_GROUP, this field should be set
	 to ACL_UNDEFINED_ID.

     acl_perm_t	ae_perm
	 This field defines what kind of access	the process matching this ACL
	 has for accessing the associated file.	 For POSIX.1e ACLs, the	fol-
	 lowing	are valid:

	 ACL_EXECUTE		The process may	execute	the associated file.

	 ACL_WRITE		The process may	write to the associated	file.

	 ACL_READ		The process may	read from the associated file.

	 ACL_PERM_NONE		The process has	no read, write or execute per-
				missions to the	associated file.

	 For NFSv4 ACLs, the following are valid:

	 ACL_READ_DATA		The process may	read from the associated file.

	 ACL_LIST_DIRECTORY	Same as	ACL_READ_DATA.

	 ACL_WRITE_DATA		The process may	write to the associated	file.

	 ACL_ADD_FILE		Same as	ACL_ACL_WRITE_DATA.

	 ACL_APPEND_DATA

	 ACL_ADD_SUBDIRECTORY	Same as	ACL_APPEND_DATA.

	 ACL_READ_NAMED_ATTRS	Ignored.

	 ACL_WRITE_NAMED_ATTRS	Ignored.

	 ACL_EXECUTE		The process may	execute	the associated file.

	 ACL_DELETE_CHILD

	 ACL_READ_ATTRIBUTES

	 ACL_WRITE_ATTRIBUTES

	 ACL_DELETE

	 ACL_READ_ACL

	 ACL_WRITE_ACL

	 ACL_WRITE_OWNER

	 ACL_SYNCHRONIZE	Ignored.

     acl_entry_type_t ae_entry_type
	 This field defines the	type of	NFSv4 ACL entry.  It is	not used with
	 POSIX.1e ACLs.	 The following values are valid:

	 ACL_ENTRY_TYPE_ALLOW

	 ACL_ENTRY_TYPE_DENY

     acl_flag_t	ae_flags
	 This field defines the	inheritance flags of NFSv4 ACL entry.  It is
	 not used with POSIX.1e	ACLs.  The following values are	valid:

	 ACL_ENTRY_FILE_INHERIT

	 ACL_ENTRY_DIRECTORY_INHERIT

	 ACL_ENTRY_NO_PROPAGATE_INHERIT

	 ACL_ENTRY_INHERIT_ONLY

SEE ALSO
     acl(3), vaccess_acl_nfs4(9), vaccess_acl_posix1e(9), VFS(9), vaccess(9),
     VOP_ACLCHECK(9), VOP_GETACL(9), VOP_SETACL(9)

AUTHORS
     This manual page was written by Robert Watson.

FreeBSD	10.1		      September	18, 2009		  FreeBSD 10.1

NAME | SYNOPSIS | DESCRIPTION | SEE ALSO | AUTHORS

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=acl&sektion=9&manpath=FreeBSD+9.2-RELEASE>

home | help