Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help 
ACL(9)		       FreeBSD Kernel Developer's Manual		ACL(9)

NAME
     acl -- virtual file system	access control lists

SYNOPSIS
     #include <sys/param.h>
     #include <sys/vnode.h>
     #include <sys/acl.h>

     In	the kernel configuration file:
     options UFS_ACL

DESCRIPTION
     Access control lists, or ACLs, allow fine-grained specification of	rights
     for vnodes	representing files and directories.  However, as there are a
     plethora of file systems with differing ACL semantics, the	vnode inter-
     face is aware only	of the syntax of ACLs, relying on the underlying file
     system to implement the details.  Depending on the	underlying file	sys-
     tem, each file or directory may have zero or more ACLs associated with
     it, named using the type field of the appropriate vnode ACL calls:
     VOP_ACLCHECK(9), VOP_GETACL(9), and VOP_SETACL(9).

     Currently,	each ACL is represented	in-kernel by a fixed-size acl struc-
     ture, defined as follows:

	   struct acl {
		   int			   acl_cnt;
		   struct acl_entry	   acl_entry[ACL_MAX_ENTRIES];
	   };

     An	ACL is constructed from	a fixed	size array of ACL entries, each	of
     which consists of a set of	permissions, principal namespace, and princi-
     pal identifier.

     Each individual ACL entry is of the type acl_entry_t, which is a struc-
     ture with the following members:

     acl_tag_t ae_tag
	 The following is a list of definitions	of ACL types to	be set in
	 ae_tag:

	       ACL_UNDEFINED_FIELD  Undefined ACL type.
	       ACL_USER_OBJ	    Discretionary access rights	for processes
				    whose effective user ID matches the	user
				    ID of the file's owner.
	       ACL_USER		    Discretionary access rights	for processes
				    whose effective user ID matches the	ACL
				    entry qualifier.
	       ACL_GROUP_OBJ	    Discretionary access rights	for processes
				    whose effective group ID or	any supplemen-
				    tal	groups match the group ID of the
				    file's owner.
	       ACL_GROUP	    Discretionary access rights	for processes
				    whose effective group ID or	any supplemen-
				    tal	groups match the ACL entry qualifier.
	       ACL_MASK		    The	maximum	discretionary access rights
				    that can be	granted	to a process in	the
				    file group class.
	       ACL_OTHER	    Discretionary access rights	for processes
				    not	covered	by any other ACL entry.
	       ACL_OTHER_OBJ	    Same as ACL_OTHER.	Each ACL entry must
				    contain exactly one	ACL_USER_OBJ, one
				    ACL_GROUP_OBJ, and one ACL_OTHER.  If any
				    of ACL_USER, ACL_GROUP, or ACL_OTHER are
				    present, then exactly one ACL_MASK entry
				    should be present.

     uid_t ae_id
	 The ID	of user	for whom this ACL describes access permissions.

     acl_perm_t	ae_perm
	 This field defines what kind of access	the process matching this ACL
	 has for accessing the associated file.

	 ACL_EXECUTE	   The process may execute the associated file.

	 ACL_WRITE	   The process may write to the	associated file.

	 ACL_READ	   The process may read	from the associated file.

	 ACL_PERM_NONE	   The process has no read, write or execute permis-
			   sions to the	associated file.

IMPLEMENTATION NOTES
     typedef mode_t  *acl_permset_t;

     /*	internal ACL structure */
     struct acl	{
	     int		     acl_cnt;
	     struct acl_entry	     acl_entry[ACL_MAX_ENTRIES];
     };

     /*	external ACL structure */
     struct acl_t_struct {
	     struct acl		     ats_acl;
	     int		     ats_cur_entry;
     };
     typedef struct acl_t_struct *acl_t;

     /*
      *	Possible valid values for ae_tag field.
      */
     #define ACL_UNDEFINED_TAG	     0x00000000
     #define ACL_USER_OBJ	     0x00000001
     #define ACL_USER		     0x00000002
     #define ACL_GROUP_OBJ	     0x00000004
     #define ACL_GROUP		     0x00000008
     #define ACL_MASK		     0x00000010
     #define ACL_OTHER		     0x00000020
     #define ACL_OTHER_OBJ	     ACL_OTHER

     /*
      *	Possible valid values for acl_type_t arguments.
      */
     #define ACL_TYPE_ACCESS	     0x00000000
     #define ACL_TYPE_DEFAULT	     0x00000001
     #define ACL_TYPE_AFS	     0x00000002
     #define ACL_TYPE_CODA	     0x00000003
     #define ACL_TYPE_NTFS	     0x00000004
     #define ACL_TYPE_NWFS	     0x00000005

     /*
      *	Possible flags in ae_perm field.
      */
     #define ACL_EXECUTE	     0x0001
     #define ACL_WRITE		     0x0002
     #define ACL_READ		     0x0004
     #define ACL_PERM_NONE	     0x0000
     #define ACL_PERM_BITS	     (ACL_EXECUTE | ACL_WRITE |	ACL_READ)
     #define ACL_POSIX1E_BITS	     (ACL_EXECUTE | ACL_WRITE |	ACL_READ)

     /*
      *	Possible entry_id values for acl_get_entry()
      */
     #define ACL_FIRST_ENTRY	     0
     #define ACL_NEXT_ENTRY	     1

     /*
      *	Undefined value	in ae_id field
      */
     #define ACL_UNDEFINED_ID	     ((uid_t)-1)

SEE ALSO
     acl(3), vaccess_acl_posix1e(9), VFS(9), vnaccess(9), VOP_ACLCHECK(9),
     VOP_GETACL(9), VOP_SETACL(9)

AUTHORS
     This manual page was written by Robert Watson.

FreeBSD	11.1		       December	23, 1999		  FreeBSD 11.1
NAME | SYNOPSIS | DESCRIPTION | IMPLEMENTATION NOTES | SEE ALSO | AUTHORS

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=acl&sektion=9&manpath=FreeBSD+6.1-RELEASE>

home | help