Skip site navigation (1)Skip section navigation (2)

FreeBSD Man Pages

Man Page or Keyword Search:
Man Architecture
Apropos Keyword Search (all sections) Output format
home | help
ACL(9)                 FreeBSD Kernel Developer's Manual                ACL(9)

NAME
     acl - virtual file system access control lists

SYNOPSIS
     #include <sys/param.h>
     #include <sys/vnode.h>
     #include <sys/acl.h>

     In the kernel configuration file:
     options UFS_ACL

DESCRIPTION
     Access control lists, or ACLs, allow fine-grained specification of rights
     for vnodes representing files and directories.  However, as there are a
     plethora of file systems with differing ACL semantics, the vnode
     interface is aware only of the syntax of ACLs, relying on the underlying
     file system to implement the details.  Depending on the underlying file
     system, each file or directory may have zero or more ACLs associated with
     it, named using the type field of the appropriate vnode ACL calls:
     VOP_ACLCHECK(9), VOP_GETACL(9), and VOP_SETACL(9).

     Currently, each ACL is represented in-kernel by a fixed-size acl
     structure, defined as follows:

           struct acl {
                   unsigned int            acl_maxcnt;
                   unsigned int            acl_cnt;
                   int                     acl_spare[4];
                   struct acl_entry        acl_entry[ACL_MAX_ENTRIES];
           };

     An ACL is constructed from a fixed size array of ACL entries, each of
     which consists of a set of permissions, principal namespace, and
     principal identifier.  In this implementation, the acl_maxcnt field is
     always set to ACL_MAX_ENTRIES.

     Each individual ACL entry is of the type acl_entry_t, which is a
     structure with the following members:

     acl_tag_t ae_tag
         The following is a list of definitions of ACL types to be set in
         ae_tag:

               ACL_UNDEFINED_FIELD      Undefined ACL type.
               ACL_USER_OBJ             Discretionary access rights for
                                        processes whose effective user ID
                                        matches the user ID of the file's
                                        owner.
               ACL_USER                 Discretionary access rights for
                                        processes whose effective user ID
                                        matches the ACL entry qualifier.
               ACL_GROUP_OBJ            Discretionary access rights for
                                        processes whose effective group ID or
                                        any supplemental groups match the
                                        group ID of the file's owner.
               ACL_GROUP                Discretionary access rights for
                                        processes whose effective group ID or
                                        any supplemental groups match the ACL
                                        entry qualifier.
               ACL_MASK                 The maximum discretionary access
                                        rights that can be granted to a
                                        process in the file group class.  This
                                        is only valid for POSIX.1e ACLs.
               ACL_OTHER                Discretionary access rights for
                                        processes not covered by any other ACL
                                        entry.  This is only valid for
                                        POSIX.1e ACLs.
               ACL_OTHER_OBJ            Same as ACL_OTHER.
               ACL_EVERYONE             Discretionary access rights for all
                                        users.  This is only valid for NFSv4
                                        ACLs.

         Each POSIX.1e ACL must contain exactly one ACL_USER_OBJ, one
         ACL_GROUP_OBJ, and one ACL_OTHER.  If any of ACL_USER, ACL_GROUP, or
         ACL_OTHER are present, then exactly one ACL_MASK entry should be
         present.

     uid_t ae_id
         The ID of user for whom this ACL describes access permissions.  For
         entries other than ACL_USER and ACL_GROUP, this field should be set
         to ACL_UNDEFINED_ID.

     acl_perm_t ae_perm
         This field defines what kind of access the process matching this ACL
         has for accessing the associated file.  For POSIX.1e ACLs, the
         following are valid:

         ACL_EXECUTE                The process may execute the associated
                                    file.

         ACL_WRITE                  The process may write to the associated
                                    file.

         ACL_READ                   The process may read from the associated
                                    file.

         ACL_PERM_NONE              The process has no read, write or execute
                                    permissions to the associated file.

         For NFSv4 ACLs, the following are valid:

         ACL_READ_DATA              The process may read from the associated
                                    file.

         ACL_LIST_DIRECTORY         Same as ACL_READ_DATA.

         ACL_WRITE_DATA             The process may write to the associated
                                    file.

         ACL_ADD_FILE               Same as ACL_ACL_WRITE_DATA.

         ACL_APPEND_DATA

         ACL_ADD_SUBDIRECTORY       Same as ACL_APPEND_DATA.

         ACL_READ_NAMED_ATTRS       Ignored.

         ACL_WRITE_NAMED_ATTRS      Ignored.

         ACL_EXECUTE                The process may execute the associated
                                    file.

         ACL_DELETE_CHILD

         ACL_READ_ATTRIBUTES

         ACL_WRITE_ATTRIBUTES

         ACL_DELETE

         ACL_READ_ACL

         ACL_WRITE_ACL

         ACL_WRITE_OWNER

         ACL_SYNCHRONIZE            Ignored.

     acl_entry_type_t ae_entry_type
         This field defines the type of NFSv4 ACL entry.  It is not used with
         POSIX.1e ACLs.  The following values are valid:

         ACL_ENTRY_TYPE_ALLOW

         ACL_ENTRY_TYPE_DENY

     acl_flag_t ae_flags
         This field defines the inheritance flags of NFSv4 ACL entry.  It is
         not used with POSIX.1e ACLs.  The following values are valid:

         ACL_ENTRY_FILE_INHERIT

         ACL_ENTRY_DIRECTORY_INHERIT

         ACL_ENTRY_NO_PROPAGATE_INHERIT

         ACL_ENTRY_INHERIT_ONLY

SEE ALSO
     acl(3), vaccess_acl_nfs4(9), vaccess_acl_posix1e(9), VFS(9), vaccess(9),
     VOP_ACLCHECK(9), VOP_GETACL(9), VOP_SETACL(9)

AUTHORS
     This manual page was written by Robert Watson.

FreeBSD 11.0-PRERELEASE       September 18, 2009       FreeBSD 11.0-PRERELEASE

NAME | SYNOPSIS | DESCRIPTION | SEE ALSO | AUTHORS

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=acl&sektion=9&manpath=FreeBSD+10.0-RELEASE>

home | help