acl(9)

NAME

acl - virtual file system access control lists

SYNOPSIS

#include <sys/param.h>
#include <sys/vnode.h>
#include <sys/acl.h>
In the kernel configuration file:
options UFS_ACL

DESCRIPTION

Access control lists, or ACLs, allow fine-grained specifica

tion of rights
for vnodes representing files and directories. However, as

there are a
plethora of file systems with differing ACL semantics, the

vnode interface is aware only of the syntax of ACLs, relying on the un

derlying file
system to implement the details. Depending on the underly

ing file system, each file or directory may have zero or more ACLs asso

ciated with
it, named using the type field of the appropriate vnode ACL

calls:
VOP_ACLCHECK(9), VOP_GETACL(9), and VOP_SETACL(9).

Currently, each ACL is represented in-kernel by a fixed-size

acl structure, defined as follows:

struct acl {

int acl_cnt;
struct acl_entry acl_entry[ACL_MAX_EN

TRIES];

};

An ACL is constructed from a fixed size array of ACL en

tries, each of
which consists of a set of permissions, principal namespace,

and principal identifier.

Each individual ACL entry is of the type acl_entry_t, which

is a structure with the following members:

acl_tag_t ae_tag

The following is a list of definitions of ACL types to

be set in
ae_tag:

ACL_UNDEFINED_FIELD Undefined ACL type.
ACL_USER_OBJ Discretionary access

rights for pro

cesses whose effective

user ID matches
the user ID of the file's

owner.

ACL_USER Discretionary access

rights for pro

cesses whose effective

user ID matches
the ACL entry qualifier.

ACL_GROUP_OBJ Discretionary access

rights for pro

cesses whose effective

group ID or any
supplemental groups match

the group ID
of the file's owner.

ACL_GROUP Discretionary access

rights for pro

cesses whose effective

group ID or any
supplemental groups match

the ACL
entry qualifier.

ACL_MASK The maximum discretionary

access

rights that can be grant

ed to a process in the file group

class.

ACL_OTHER Discretionary access

rights for pro

cesses not covered by any

other ACL
entry.

ACL_OTHER_OBJ Same as ACL_OTHER. Each

ACL entry

must contain exactly one

ACL_USER_OBJ,
one ACL_GROUP_OBJ, and

one ACL_OTHER.
If any of ACL_USER,

ACL_GROUP, or
ACL_OTHER are present,

then exactly
one ACL_MASK entry should

be present.

uid_t ae_id

The ID of user for whom this ACL describes access per

missions.

acl_perm_t ae_perm

This field defines what kind of access the process

matching this ACL
has for accessing the associated file.

ACL_EXECUTE The process may execute the asso

ciated file.

ACL_WRITE The process may write to the asso

ciated file.

ACL_READ The process may read from the as

sociated file.

ACL_PERM_NONE The process has no read, write or

execute per

missions to the associated file.

IMPLEMENTATION NOTES

typedef mode_t *acl_permset_t;

/* internal ACL structure */
struct acl {

int acl_cnt;
struct acl_entry acl_entry[ACL_MAX_ENTRIES];

};

/* external ACL structure */
struct acl_t_struct {

struct acl ats_acl;
int ats_cur_entry;

};
typedef struct acl_t_struct *acl_t;

/*

* Possible valid values for ae_tag field.
*/

#define ACL_UNDEFINED_TAG 0x00000000
#define ACL_USER_OBJ 0x00000001
#define ACL_USER 0x00000002
#define ACL_GROUP_OBJ 0x00000004
#define ACL_GROUP 0x00000008
#define ACL_MASK 0x00000010
#define ACL_OTHER 0x00000020
#define ACL_OTHER_OBJ ACL_OTHER

/*

* Possible valid values for acl_type_t arguments.
*/

#define ACL_TYPE_ACCESS 0x00000000
#define ACL_TYPE_DEFAULT 0x00000001
#define ACL_TYPE_AFS 0x00000002
#define ACL_TYPE_CODA 0x00000003
#define ACL_TYPE_NTFS 0x00000004
#define ACL_TYPE_NWFS 0x00000005

/*

* Possible flags in ae_perm field.
*/

#define ACL_EXECUTE 0x0001
#define ACL_WRITE 0x0002
#define ACL_READ 0x0004
#define ACL_PERM_NONE 0x0000
#define ACL_PERM_BITS (ACL_EXECUTE | ACL_WRITE

ACL_READ)
#define ACL_POSIX1E_BITS (ACL_EXECUTE | ACL_WRITE

ACL_READ)

/*

* Possible entry_id values for acl_get_entry()
*/

#define ACL_FIRST_ENTRY 0
#define ACL_NEXT_ENTRY 1

/*

* Undefined value in ae_id field
*/

#define ACL_UNDEFINED_ID ((uid_t)-1)

SEE ALSO

acl(3), vaccess_acl_posix1e(9), VFS(9), vnaccess(9),

VOP_ACLCHECK(9),
VOP_GETACL(9), VOP_SETACL(9)

AUTHORS

This manual page was written by Robert Watson.

BSD December 23, 1999

BSD