mirror of
https://git.FreeBSD.org/src.git
synced 2024-12-29 12:03:03 +00:00
8d5d039f80
Approved by: re
210 lines
6.3 KiB
Groff
210 lines
6.3 KiB
Groff
.\"-
|
|
.\" Copyright (c) 1999-2001 Robert N. M. Watson
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" $FreeBSD$
|
|
.\"
|
|
.Dd December 23, 1999
|
|
.Os
|
|
.Dt ACL 9
|
|
.Sh NAME
|
|
.Nm acl
|
|
.Nd virtual file system access control lists
|
|
.Sh SYNOPSIS
|
|
.In sys/param.h
|
|
.In sys/vnode.h
|
|
.In sys/acl.h
|
|
.Pp
|
|
In the kernel configuration file:
|
|
.Cd "options UFS_ACL"
|
|
.Sh DESCRIPTION
|
|
Access control lists, or ACLs,
|
|
allow fine-grained specification of rights
|
|
for vnodes representing files and directories.
|
|
However, as there are a plethora of file systems with differing ACL semantics,
|
|
the vnode interface is aware only of the syntax of ACLs,
|
|
relying on the underlying file system to implement the details.
|
|
Depending on the underlying file system, each file or directory
|
|
may have zero or more ACLs associated with it, named using the
|
|
.Fa type
|
|
field of the appropriate vnode ACL calls:
|
|
.Xr VOP_ACLCHECK 9 ,
|
|
.Xr VOP_GETACL 9 ,
|
|
and
|
|
.Xr VOP_SETACL 9 .
|
|
.Pp
|
|
Currently, each ACL is represented in-kernel by a fixed-size
|
|
.Vt acl
|
|
structure, defined as follows:
|
|
.Bd -literal -offset indent
|
|
struct acl {
|
|
int acl_cnt;
|
|
struct acl_entry acl_entry[ACL_MAX_ENTRIES];
|
|
};
|
|
.Ed
|
|
.Pp
|
|
An ACL is constructed from a fixed size array of ACL entries,
|
|
each of which consists of a set of permissions, principal namespace,
|
|
and principal identifier.
|
|
.Pp
|
|
Each individual ACL entry is of the type
|
|
.Vt acl_entry_t ,
|
|
which is a structure with the following members:
|
|
.Bl -tag -width 2n
|
|
.It Vt acl_tag_t Va ae_tag
|
|
The following is a list of definitions of ACL types
|
|
to be set in
|
|
.Va ae_tag :
|
|
.Pp
|
|
.Bl -tag -width ".Dv ACL_UNDEFINED_FIELD" -offset indent -compact
|
|
.It Dv ACL_UNDEFINED_FIELD
|
|
Undefined ACL type.
|
|
.It Dv ACL_USER_OBJ
|
|
Discretionary access rights for processes whose effective user ID
|
|
matches the user ID of the file's owner.
|
|
.It Dv ACL_USER
|
|
Discretionary access rights for processes whose effective user ID
|
|
matches the ACL entry qualifier.
|
|
.It Dv ACL_GROUP_OBJ
|
|
Discretionary access rights for processes whose effective group ID
|
|
or any supplemental groups
|
|
match the group ID of the file's owner.
|
|
.It Dv ACL_GROUP
|
|
Discretionary access rights for processes whose effective group ID
|
|
or any supplemental groups
|
|
match the ACL entry qualifier.
|
|
.It Dv ACL_MASK
|
|
The maximum discretionary access rights that can be granted
|
|
to a process in the file group class.
|
|
.It Dv ACL_OTHER
|
|
Discretionary access rights for processes not covered by any other ACL
|
|
entry.
|
|
.It Dv ACL_OTHER_OBJ
|
|
Same as
|
|
.Dv ACL_OTHER .
|
|
Each ACL entry must contain exactly one
|
|
.Dv ACL_USER_OBJ ,
|
|
one
|
|
.Dv ACL_GROUP_OBJ ,
|
|
and one
|
|
.Dv ACL_OTHER .
|
|
If any of
|
|
.Dv ACL_USER ,
|
|
.Dv ACL_GROUP ,
|
|
or
|
|
.Dv ACL_OTHER
|
|
are present, then exactly one
|
|
.Dv ACL_MASK
|
|
entry should be present.
|
|
.El
|
|
.It Vt uid_t Va ae_id
|
|
The ID of user for whom this ACL describes access permissions.
|
|
.It Vt acl_perm_t Va ae_perm
|
|
This field defines what kind of access the process matching this ACL has
|
|
for accessing the associated file.
|
|
.Bl -tag -width ".Dv ACL_POSIX1E_BITS"
|
|
.It Dv ACL_EXECUTE
|
|
The process may execute the associated file.
|
|
.It Dv ACL_WRITE
|
|
The process may write to the associated file.
|
|
.It Dv ACL_READ
|
|
The process may read from the associated file.
|
|
.It Dv ACL_PERM_NONE
|
|
The process has no read, write or execute permissions
|
|
to the associated file.
|
|
.El
|
|
.El
|
|
.Pp
|
|
.Sh IMPLEMENTATION NOTES
|
|
.Bd -literal
|
|
typedef mode_t *acl_permset_t;
|
|
|
|
/* internal ACL structure */
|
|
struct acl {
|
|
int acl_cnt;
|
|
struct acl_entry acl_entry[ACL_MAX_ENTRIES];
|
|
};
|
|
|
|
/* external ACL structure */
|
|
struct acl_t_struct {
|
|
struct acl ats_acl;
|
|
int ats_cur_entry;
|
|
};
|
|
typedef struct acl_t_struct *acl_t;
|
|
|
|
/*
|
|
* Possible valid values for ae_tag field.
|
|
*/
|
|
#define ACL_UNDEFINED_TAG 0x00000000
|
|
#define ACL_USER_OBJ 0x00000001
|
|
#define ACL_USER 0x00000002
|
|
#define ACL_GROUP_OBJ 0x00000004
|
|
#define ACL_GROUP 0x00000008
|
|
#define ACL_MASK 0x00000010
|
|
#define ACL_OTHER 0x00000020
|
|
#define ACL_OTHER_OBJ ACL_OTHER
|
|
|
|
/*
|
|
* Possible valid values for acl_type_t arguments.
|
|
*/
|
|
#define ACL_TYPE_ACCESS 0x00000000
|
|
#define ACL_TYPE_DEFAULT 0x00000001
|
|
#define ACL_TYPE_AFS 0x00000002
|
|
#define ACL_TYPE_CODA 0x00000003
|
|
#define ACL_TYPE_NTFS 0x00000004
|
|
#define ACL_TYPE_NWFS 0x00000005
|
|
|
|
/*
|
|
* Possible flags in ae_perm field.
|
|
*/
|
|
#define ACL_EXECUTE 0x0001
|
|
#define ACL_WRITE 0x0002
|
|
#define ACL_READ 0x0004
|
|
#define ACL_PERM_NONE 0x0000
|
|
#define ACL_PERM_BITS (ACL_EXECUTE | ACL_WRITE | ACL_READ)
|
|
#define ACL_POSIX1E_BITS (ACL_EXECUTE | ACL_WRITE | ACL_READ)
|
|
|
|
/*
|
|
* Possible entry_id values for acl_get_entry()
|
|
*/
|
|
#define ACL_FIRST_ENTRY 0
|
|
#define ACL_NEXT_ENTRY 1
|
|
|
|
/*
|
|
* Undefined value in ae_id field
|
|
*/
|
|
#define ACL_UNDEFINED_ID ((uid_t)-1)
|
|
.Ed
|
|
.Sh SEE ALSO
|
|
.Xr acl 3 ,
|
|
.Xr vaccess_acl_posix1e 9 ,
|
|
.Xr VFS 9 ,
|
|
.Xr vnaccess 9 ,
|
|
.Xr VOP_ACLCHECK 9 ,
|
|
.Xr VOP_GETACL 9 ,
|
|
.Xr VOP_SETACL 9
|
|
.Sh AUTHORS
|
|
This man page was written by
|
|
.An Robert Watson .
|