acl (9)

Leading comments

-
 Copyright (c) 1999-2001 Robert N. M. Watson
 All rights reserved.

 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions
 are met:
 1. Redistributions of source code must retain the above copyright
    notice, this list of conditions and the following disclaimer.
 2. Redistributions in binary form must reproduce the above copyright
    notice, this list of conditions and the following disclaimer in the
    do...

(The comments found at the beginning of the groff file "man9/acl.9freebsd".)

NAME

acl - virtual file system access control lists

SYNOPSIS

In sys/param.h In sys/vnode.h In sys/acl.h

In the kernel configuration file: options UFS_ACL

DESCRIPTION

Access control lists, or ACLs, allow fine-grained specification of rights for vnodes representing files and directories. However, as there are a plethora of file systems with differing ACL semantics, the vnode interface is aware only of the syntax of ACLs, relying on the underlying file system to implement the details. Depending on the underlying file system, each file or directory may have zero or more ACLs associated with it, named using the Fa type field of the appropriate vnode ACL calls: VOP_ACLCHECK9, VOP_GETACL9, and VOP_SETACL9.

Currently, each ACL is represented in-kernel by a fixed-size Vt acl structure, defined as follows:

struct acl {
        unsigned int            acl_maxcnt;
        unsigned int            acl_cnt;
        int                     acl_spare[4];
        struct acl_entry        acl_entry[ACL_MAX_ENTRIES];
};

An ACL is constructed from a fixed size array of ACL entries, each of which consists of a set of permissions, principal namespace, and principal identifier. In this implementation, the Vt acl_maxcnt field is always set to ACL_MAX_ENTRIES

Each individual ACL entry is of the type Vt acl_entry_t , which is a structure with the following members:

Vt acl_tag_t ae_tag

The following is a list of definitions of ACL types to be set in ae_tag

ACL_UNDEFINED_FIELD

Undefined ACL type.

ACL_USER_OBJ

Discretionary access rights for processes whose effective user ID matches the user ID of the file's owner.

ACL_USER

Discretionary access rights for processes whose effective user ID matches the ACL entry qualifier.

ACL_GROUP_OBJ

Discretionary access rights for processes whose effective group ID or any supplemental groups match the group ID of the file's owner.

ACL_GROUP

Discretionary access rights for processes whose effective group ID or any supplemental groups match the ACL entry qualifier.

ACL_MASK

The maximum discretionary access rights that can be granted to a process in the file group class. This is only valid for POSIX.1e ACLs.

ACL_OTHER

Discretionary access rights for processes not covered by any other ACL entry. This is only valid for POSIX.1e ACLs.

ACL_OTHER_OBJ

Same as ACL_OTHER

ACL_EVERYONE

Discretionary access rights for all users. This is only valid for NFSv4 ACLs.

Each POSIX.1e ACL must contain exactly one ACL_USER_OBJ one ACL_GROUP_OBJ and one ACL_OTHER If any of ACL_USER ACL_GROUP or ACL_OTHER are present, then exactly one ACL_MASK entry should be present.

Vt uid_t ae_id

The ID of user for whom this ACL describes access permissions. For entries other than ACL_USER and ACL_GROUP this field should be set to ACL_UNDEFINED_ID

Vt acl_perm_t ae_perm

This field defines what kind of access the process matching this ACL has for accessing the associated file. For POSIX.1e ACLs, the following are valid:

ACL_EXECUTE

The process may execute the associated file.

ACL_WRITE

The process may write to the associated file.

ACL_READ

The process may read from the associated file.

ACL_PERM_NONE

The process has no read, write or execute permissions to the associated file.

For NFSv4 ACLs, the following are valid:

ACL_READ_DATA

The process may read from the associated file.

ACL_LIST_DIRECTORY

Same as ACL_READ_DATA

ACL_WRITE_DATA

The process may write to the associated file.

ACL_ADD_FILE

Same as ACL_ACL_WRITE_DATA

ACL_APPEND_DATA

ACL_ADD_SUBDIRECTORY

Same as ACL_APPEND_DATA

ACL_READ_NAMED_ATTRS

Ignored.

ACL_WRITE_NAMED_ATTRS

Ignored.

ACL_EXECUTE

The process may execute the associated file.

ACL_DELETE_CHILD

ACL_READ_ATTRIBUTES

ACL_WRITE_ATTRIBUTES

ACL_DELETE

ACL_READ_ACL

ACL_WRITE_ACL

ACL_WRITE_OWNER

ACL_SYNCHRONIZE

Ignored.

Vt acl_entry_type_t ae_entry_type

This field defines the type of NFSv4 ACL entry. It is not used with POSIX.1e ACLs. The following values are valid:

ACL_ENTRY_TYPE_ALLOW

ACL_ENTRY_TYPE_DENY

Vt acl_flag_t ae_flags

This field defines the inheritance flags of NFSv4 ACL entry. It is not used with POSIX.1e ACLs. The following values are valid:

ACL_ENTRY_FILE_INHERIT

ACL_ENTRY_DIRECTORY_INHERIT

ACL_ENTRY_NO_PROPAGATE_INHERIT

ACL_ENTRY_INHERIT_ONLY

SEE ALSO

acl(3), vaccess_acl_nfs49, vaccess_acl_posix1e9, VFS(9), vaccess(9), VOP_ACLCHECK9, VOP_GETACL9, VOP_SETACL9

AUTHORS

This manual page was written by An Robert Watson .