table of contents
other sections
ACL(9) | Kernel Developer's Manual | ACL(9) |
NAME¶
acl — virtual file system access control listsSYNOPSIS¶
#include <sys/param.h>#include <sys/vnode.h>
#include <sys/acl.h> In the kernel configuration file:
options UFS_ACL
DESCRIPTION¶
Access control lists, or ACLs, allow fine-grained specification of rights for vnodes representing files and directories. However, as there are a plethora of file systems with differing ACL semantics, the vnode interface is aware only of the syntax of ACLs, relying on the underlying file system to implement the details. Depending on the underlying file system, each file or directory may have zero or more ACLs associated with it, named using the type field of the appropriate vnode ACL calls: VOP_ACLCHECK(9), VOP_GETACL(9), and VOP_SETACL(9). Currently, each ACL is represented in-kernel by a fixed-size acl structure, defined as follows:struct acl { unsigned int acl_maxcnt; unsigned int acl_cnt; int acl_spare[4]; struct acl_entry acl_entry[ACL_MAX_ENTRIES]; };
ACL_MAX_ENTRIES
.
Each individual ACL entry is of the type acl_entry_t,
which is a structure with the following members:
- acl_tag_t ae_tag
- The following is a list of definitions of ACL types to be
set in ae_tag:
ACL_UNDEFINED_FIELD
- Undefined ACL type.
ACL_USER_OBJ
- Discretionary access rights for processes whose effective user ID matches the user ID of the file's owner.
ACL_USER
- Discretionary access rights for processes whose effective user ID matches the ACL entry qualifier.
ACL_GROUP_OBJ
- Discretionary access rights for processes whose effective group ID or any supplemental groups match the group ID of the file's owner.
ACL_GROUP
- Discretionary access rights for processes whose effective group ID or any supplemental groups match the ACL entry qualifier.
ACL_MASK
- The maximum discretionary access rights that can be granted to a process in the file group class. This is only valid for POSIX.1e ACLs.
ACL_OTHER
- Discretionary access rights for processes not covered by any other ACL entry. This is only valid for POSIX.1e ACLs.
ACL_OTHER_OBJ
- Same as
ACL_OTHER
. ACL_EVERYONE
- Discretionary access rights for all users. This is only valid for NFSv4 ACLs.
ACL_USER_OBJ
, oneACL_GROUP_OBJ
, and oneACL_OTHER
. If any ofACL_USER
,ACL_GROUP
, orACL_OTHER
are present, then exactly oneACL_MASK
entry should be present. - uid_t ae_id
- The ID of user for whom this ACL describes access
permissions. For entries other than
ACL_USER
andACL_GROUP
, this field should be set toACL_UNDEFINED_ID
. - acl_perm_t ae_perm
- This field defines what kind of access the process matching
this ACL has for accessing the associated file. For POSIX.1e ACLs, the
following are valid:
ACL_EXECUTE
- The process may execute the associated file.
ACL_WRITE
- The process may write to the associated file.
ACL_READ
- The process may read from the associated file.
ACL_PERM_NONE
- The process has no read, write or execute permissions to the associated file.
ACL_READ_DATA
- The process may read from the associated file.
ACL_LIST_DIRECTORY
- Same as
ACL_READ_DATA
. ACL_WRITE_DATA
- The process may write to the associated file.
ACL_ADD_FILE
- Same as
ACL_ACL_WRITE_DATA
. ACL_APPEND_DATA
ACL_ADD_SUBDIRECTORY
- Same as
ACL_APPEND_DATA
. ACL_READ_NAMED_ATTRS
- Ignored.
ACL_WRITE_NAMED_ATTRS
- Ignored.
ACL_EXECUTE
- The process may execute the associated file.
ACL_DELETE_CHILD
ACL_READ_ATTRIBUTES
ACL_WRITE_ATTRIBUTES
ACL_DELETE
ACL_READ_ACL
ACL_WRITE_ACL
ACL_WRITE_OWNER
ACL_SYNCHRONIZE
- Ignored.
- acl_entry_type_t ae_entry_type
- This field defines the type of NFSv4 ACL entry. It is not
used with POSIX.1e ACLs. The following values are valid:
ACL_ENTRY_TYPE_ALLOW
ACL_ENTRY_TYPE_DENY
- acl_flag_t ae_flags
- This field defines the inheritance flags of NFSv4 ACL
entry. It is not used with POSIX.1e ACLs. The following values are valid:
ACL_ENTRY_FILE_INHERIT
ACL_ENTRY_DIRECTORY_INHERIT
ACL_ENTRY_NO_PROPAGATE_INHERIT
ACL_ENTRY_INHERIT_ONLY
SEE ALSO¶
acl(3), vaccess_acl_nfs4(9), vaccess_acl_posix1e(9), VFS(9), vnaccess(9), VOP_ACLCHECK(9), VOP_GETACL(9), VOP_SETACL(9)AUTHORS¶
This manual page was written by Robert Watson.September 18, 2009 | Debian |