FreeBSD Manual Pages
ACL(9)                 BSD Kernel Developer's Manual                 ACL(9)

NAME
     acl -- virtual file system access control lists

SYNOPSIS
     #include <sys/param.h>
     #include <sys/vnode.h>
     #include <sys/acl.h>

     In the kernel configuration file:

     options UFS_ACL

DESCRIPTION
     Access control lists, or ACLs, allow fine-grained specification of
     rights for vnodes representing files and directories.  However, as
     there are a plethora of file systems with differing ACL semantics, the
     vnode interface is aware only of the syntax of ACLs, relying on the
     underlying file system to implement the details.  Depending on the
     underlying file system, each file or directory may have zero or more
     ACLs associated with it, named using the type field of the appropriate
     vnode ACL calls: VOP_ACLCHECK(9), VOP_GETACL(9), and VOP_SETACL(9).

     Currently, each ACL is represented in-kernel by a fixed-size acl
     structure, defined as follows:

     struct acl {
             int                     acl_cnt;
             struct acl_entry        acl_entry[ACL_MAX_ENTRIES];
     };

     An ACL is constructed from a fixed size array of ACL entries, each of
     which consists of a set of permissions, principal namespace, and
     principal identifier.

     Each individual ACL entry is of the type acl_entry_t, which is a
     structure with the following members:

     acl_tag_t ae_tag
             The following is a list of definitions of ACL types to be set
             in ae_tag:

             ACL_UNDEFINED_FIELD  Undefined ACL type.

             ACL_USER_OBJ         Discretionary access rights for processes
                                  whose effective user ID matches the user
                                  ID of the file's owner.

             ACL_USER             Discretionary access rights for processes
                                  whose effective user ID matches the ACL
                                  entry qualifier.

             ACL_GROUP_OBJ        Discretionary access rights for processes
                                  whose effective group ID or any
                                  supplemental groups match the group ID of
                                  the file's owner.

             ACL_GROUP            Discretionary access rights for processes
                                  whose effective group ID or any
                                  supplemental groups match the ACL entry
                                  qualifier.

             ACL_MASK             The maximum discretionary access rights
                                  that can be granted to a process in the
                                  file group class.

             ACL_OTHER            Discretionary access rights for processes
                                  not covered by any other ACL entry.

             ACL_OTHER_OBJ        Same as ACL_OTHER.

             Each ACL must contain exactly one ACL_USER_OBJ, one
             ACL_GROUP_OBJ, and one ACL_OTHER entry.  If any of ACL_USER,
             ACL_GROUP, or ACL_OTHER are present, then exactly one ACL_MASK
             entry should be present.

     uid_t ae_id
             The ID of the user for whom this ACL entry describes access
             permissions.

     acl_perm_t ae_perm
             This field defines what kind of access the process matching
             this ACL entry has to the associated file.

             ACL_EXECUTE    The process may execute the associated file.

             ACL_WRITE      The process may write to the associated file.

             ACL_READ       The process may read from the associated file.

             ACL_PERM_NONE  The process has no read, write or execute
                            permissions to the associated file.

IMPLEMENTATION NOTES
     typedef mode_t *acl_permset_t;

     /* internal ACL structure */
     struct acl {
             int                     acl_cnt;
             struct acl_entry        acl_entry[ACL_MAX_ENTRIES];
     };

     /* external ACL structure */
     struct acl_t_struct {
             struct acl              ats_acl;
             int                     ats_cur_entry;
     };
     typedef struct acl_t_struct *acl_t;

     /*
      * Possible valid values for ae_tag field.
      */
     #define ACL_UNDEFINED_TAG       0x00000000
     #define ACL_USER_OBJ            0x00000001
     #define ACL_USER                0x00000002
     #define ACL_GROUP_OBJ           0x00000004
     #define ACL_GROUP               0x00000008
     #define ACL_MASK                0x00000010
     #define ACL_OTHER               0x00000020
     #define ACL_OTHER_OBJ           ACL_OTHER

     /*
      * Possible valid values for acl_type_t arguments.
      */
     #define ACL_TYPE_ACCESS         0x00000000
     #define ACL_TYPE_DEFAULT        0x00000001
     #define ACL_TYPE_AFS            0x00000002
     #define ACL_TYPE_CODA           0x00000003
     #define ACL_TYPE_NTFS           0x00000004
     #define ACL_TYPE_NWFS           0x00000005

     /*
      * Possible flags in ae_perm field.
      */
     #define ACL_EXECUTE             0x0001
     #define ACL_WRITE               0x0002
     #define ACL_READ                0x0004
     #define ACL_PERM_NONE           0x0000
     #define ACL_PERM_BITS           (ACL_EXECUTE | ACL_WRITE | ACL_READ)
     #define ACL_POSIX1E_BITS        (ACL_EXECUTE | ACL_WRITE | ACL_READ)

     /*
      * Possible entry_id values for acl_get_entry()
      */
     #define ACL_FIRST_ENTRY         0
     #define ACL_NEXT_ENTRY          1

     /*
      * Undefined value in ae_id field
      */
     #define ACL_UNDEFINED_ID        ((uid_t)-1)

SEE ALSO
     acl(3), vaccess_acl_posix1e(9), VFS(9), vnaccess(9), VOP_ACLCHECK(9),
     VOP_GETACL(9), VOP_SETACL(9)

AUTHORS
     This manual page was written by Robert Watson.

BSD                            December 23, 1999                           BSD
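The structural rules and tag semantics from DESCRIPTION, worked through in an added example that is not code from this page or from FreeBSD: a small userland model of the structures above, with a check of the entry rules (the mask is treated as mandatory when ACL_USER or ACL_GROUP entries are present, the POSIX.1e rule) and an access evaluation that shows how ACL_MASK limits the named-user and group entries but never the owner entry. ACL_MAX_ENTRIES, acl_is_valid, in_group and acl_access are assumed names for this model, and callers are expected to validate an ACL before evaluating it.

```c
/* Constructed userland model of acl(9), not FreeBSD code: the constants are
 * copied from the page, ACL_MAX_ENTRIES is an assumed size for this model. */
#include <sys/types.h>
#define ACL_MAX_ENTRIES 32
enum { ACL_USER_OBJ = 0x01, ACL_USER = 0x02, ACL_GROUP_OBJ = 0x04,
       ACL_GROUP = 0x08, ACL_MASK = 0x10, ACL_OTHER = 0x20 };
enum { ACL_EXECUTE = 0x1, ACL_WRITE = 0x2, ACL_READ = 0x4,
       ACL_PERM_BITS = ACL_EXECUTE | ACL_WRITE | ACL_READ };
struct acl_entry { int ae_tag; uid_t ae_id; int ae_perm; };
struct acl { int acl_cnt; struct acl_entry acl_entry[ACL_MAX_ENTRIES]; };
/* 1 if the ACL has exactly one USER_OBJ, GROUP_OBJ and OTHER entry and at most
 * one MASK, which becomes mandatory once ACL_USER or ACL_GROUP entries exist. */
int acl_is_valid(const struct acl *a) {
    int i, uo = 0, go = 0, ot = 0, mk = 0, named = 0;
    if (a->acl_cnt < 0 || a->acl_cnt > ACL_MAX_ENTRIES) return 0;
    for (i = 0; i < a->acl_cnt; i++)
        switch (a->acl_entry[i].ae_tag) {
        case ACL_USER_OBJ:  uo++; break;
        case ACL_GROUP_OBJ: go++; break;
        case ACL_OTHER:     ot++; break;
        case ACL_MASK:      mk++; break;
        case ACL_USER: case ACL_GROUP: named = 1; break;
        default: return 0;            /* ACL_UNDEFINED_TAG or an unknown tag */
        }
    return uo == 1 && go == 1 && ot == 1 && (named ? mk == 1 : mk <= 1);
}
static int in_group(gid_t g, const gid_t *groups, int n) { /* groups[0]: egid */
    while (n-- > 0) if (groups[n] == g) return 1;
    return 0;
}
/* 1 if the process holds all of `want`. Owner entry first, then a matching ACL_USER,
 * then any matching GROUP_OBJ/GROUP entry, then OTHER; ACL_MASK caps USER and groups. */
int acl_access(const struct acl *a, uid_t f_uid, gid_t f_gid, uid_t euid,
               const gid_t *groups, int ngroups, int want) {
    int i, mask = ACL_PERM_BITS, uo = 0, us = -1, gmatch = 0, gok = 0, ot = 0;
    for (i = 0; i < a->acl_cnt; i++) {
        const struct acl_entry *e = &a->acl_entry[i];
        if (e->ae_tag == ACL_MASK) mask = e->ae_perm;
        else if (e->ae_tag == ACL_USER_OBJ) uo = e->ae_perm;
        else if (e->ae_tag == ACL_USER && e->ae_id == euid) us = e->ae_perm;
        else if (e->ae_tag == ACL_OTHER) ot = e->ae_perm;
        else if ((e->ae_tag == ACL_GROUP_OBJ && in_group(f_gid, groups, ngroups)) ||
                 (e->ae_tag == ACL_GROUP && in_group((gid_t)e->ae_id, groups, ngroups))) {
            gmatch = 1; gok |= (e->ae_perm & want) == want;
        }
    }
    if (euid == f_uid) return (uo & want) == want;       /* owner: never masked */
    if (us >= 0) return (us & mask & want) == want;
    return gmatch ? (gok && (mask & want) == want) : (ot & want) == want;
}
```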