<table class="head">
  <tr>
    <td class="head-ltitle">ACL(9)</td>
    <td class="head-vol">Kernel Developer's Manual</td>
    <td class="head-rtitle">ACL(9)</td>
  </tr>
</table>
<div class="manual-text">
<section class="Sh">
<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1>
<p class="Pp"><code class="Nm">acl</code> &#x2014; <span class="Nd">virtual file
    system access control lists</span></p>
</section>
<section class="Sh">
<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1>
<p class="Pp"><code class="In">#include
    &lt;<a class="In">sys/param.h</a>&gt;</code>
  <br/>
  <code class="In">#include &lt;<a class="In">sys/vnode.h</a>&gt;</code>
  <br/>
  <code class="In">#include &lt;<a class="In">sys/acl.h</a>&gt;</code></p>
<p class="Pp">In the kernel configuration file:
  <br/>
  <code class="Cd">options UFS_ACL</code></p>
</section>
<section class="Sh">
<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1>
<p class="Pp">Access control lists, or ACLs, allow fine-grained specification of
    rights for vnodes representing files and directories. However, as there are
    a plethora of file systems with differing ACL semantics, the vnode interface
    is aware only of the syntax of ACLs, relying on the underlying file system
    to implement the details. Depending on the underlying file system, each file
    or directory may have zero or more ACLs associated with it, named using the
    <var class="Fa">type</var> field of the appropriate vnode ACL calls:
    <a class="Xr">VOP_ACLCHECK(9)</a>, <a class="Xr">VOP_GETACL(9)</a>, and
    <a class="Xr">VOP_SETACL(9)</a>.</p>
<p class="Pp">Currently, each ACL is represented in-kernel by a fixed-size
    <var class="Vt">acl</var> structure, defined as follows:</p>
<div class="Bd Pp Bd-indent Li">
<pre>struct acl {
        unsigned int            acl_maxcnt;
        unsigned int            acl_cnt;
        int                     acl_spare[4];
        struct acl_entry        acl_entry[ACL_MAX_ENTRIES];
};</pre>
</div>
<p class="Pp">An ACL is constructed from a fixed size array of ACL entries, each
    of which consists of a set of permissions, principal namespace, and
    principal identifier. In this implementation, the
    <var class="Vt">acl_maxcnt</var> field is always set to
    <code class="Dv">ACL_MAX_ENTRIES</code>.</p>
<p class="Pp">Each individual ACL entry is of the type
    <var class="Vt">acl_entry_t</var>, which is a structure with the following
    members:</p>
<dl class="Bl-tag">
  <dt><var class="Vt">acl_tag_t</var> <var class="Va">ae_tag</var></dt>
  <dd>The following is a list of definitions of ACL types to be set in
      <var class="Va">ae_tag</var>:
    <p class="Pp"></p>
    <div class="Bd-indent">
    <dl class="Bl-tag Bl-compact">
      <dt id="ACL_UNDEFINED_FIELD"><a class="permalink" href="#ACL_UNDEFINED_FIELD"><code class="Dv">ACL_UNDEFINED_FIELD</code></a></dt>
      <dd>Undefined ACL type.</dd>
      <dt id="ACL_USER_OBJ"><a class="permalink" href="#ACL_USER_OBJ"><code class="Dv">ACL_USER_OBJ</code></a></dt>
      <dd>Discretionary access rights for processes whose effective user ID
          matches the user ID of the file's owner.</dd>
      <dt id="ACL_USER"><a class="permalink" href="#ACL_USER"><code class="Dv">ACL_USER</code></a></dt>
      <dd>Discretionary access rights for processes whose effective user ID
          matches the ACL entry qualifier.</dd>
      <dt id="ACL_GROUP_OBJ"><a class="permalink" href="#ACL_GROUP_OBJ"><code class="Dv">ACL_GROUP_OBJ</code></a></dt>
      <dd>Discretionary access rights for processes whose effective group ID or
          any supplemental groups match the group ID of the file's owner.</dd>
      <dt id="ACL_GROUP"><a class="permalink" href="#ACL_GROUP"><code class="Dv">ACL_GROUP</code></a></dt>
      <dd>Discretionary access rights for processes whose effective group ID or
          any supplemental groups match the ACL entry qualifier.</dd>
      <dt id="ACL_MASK"><a class="permalink" href="#ACL_MASK"><code class="Dv">ACL_MASK</code></a></dt>
      <dd>The maximum discretionary access rights that can be granted to a
          process in the file group class. This is only valid for POSIX.1e
        ACLs.</dd>
      <dt id="ACL_OTHER"><a class="permalink" href="#ACL_OTHER"><code class="Dv">ACL_OTHER</code></a></dt>
      <dd>Discretionary access rights for processes not covered by any other ACL
          entry. This is only valid for POSIX.1e ACLs.</dd>
      <dt id="ACL_OTHER_OBJ"><a class="permalink" href="#ACL_OTHER_OBJ"><code class="Dv">ACL_OTHER_OBJ</code></a></dt>
      <dd>Same as <code class="Dv">ACL_OTHER</code>.</dd>
      <dt id="ACL_EVERYONE"><a class="permalink" href="#ACL_EVERYONE"><code class="Dv">ACL_EVERYONE</code></a></dt>
      <dd>Discretionary access rights for all users. This is only valid for
          NFSv4 ACLs.</dd>
    </dl>
    </div>
    <p class="Pp">Each POSIX.1e ACL must contain exactly one
        <code class="Dv">ACL_USER_OBJ</code>, one
        <code class="Dv">ACL_GROUP_OBJ</code>, and one
        <code class="Dv">ACL_OTHER</code>. If any of
        <code class="Dv">ACL_USER</code>, <code class="Dv">ACL_GROUP</code>, or
        <code class="Dv">ACL_OTHER</code> are present, then exactly one
        <code class="Dv">ACL_MASK</code> entry should be present.</p>
  </dd>
  <dt><var class="Vt">uid_t</var> <var class="Va">ae_id</var></dt>
  <dd>The ID of the user for whom this ACL describes access permissions. For entries
      other than <code class="Dv">ACL_USER</code> and
      <code class="Dv">ACL_GROUP</code>, this field should be set to
      <code class="Dv">ACL_UNDEFINED_ID</code>.</dd>
  <dt><var class="Vt">acl_perm_t</var> <var class="Va">ae_perm</var></dt>
  <dd>This field defines what kind of access the process matching this ACL has
      for accessing the associated file. For POSIX.1e ACLs, the following are
      valid:
    <dl class="Bl-tag">
      <dt id="ACL_EXECUTE"><a class="permalink" href="#ACL_EXECUTE"><code class="Dv">ACL_EXECUTE</code></a></dt>
      <dd>The process may execute the associated file.</dd>
      <dt id="ACL_WRITE"><a class="permalink" href="#ACL_WRITE"><code class="Dv">ACL_WRITE</code></a></dt>
      <dd>The process may write to the associated file.</dd>
      <dt id="ACL_READ"><a class="permalink" href="#ACL_READ"><code class="Dv">ACL_READ</code></a></dt>
      <dd>The process may read from the associated file.</dd>
      <dt id="ACL_PERM_NONE"><a class="permalink" href="#ACL_PERM_NONE"><code class="Dv">ACL_PERM_NONE</code></a></dt>
      <dd>The process has no read, write or execute permissions to the
          associated file.</dd>
    </dl>
    <p class="Pp">For NFSv4 ACLs, the following are valid:</p>
    <dl class="Bl-tag">
      <dt id="ACL_READ_DATA"><a class="permalink" href="#ACL_READ_DATA"><code class="Dv">ACL_READ_DATA</code></a></dt>
      <dd>The process may read from the associated file.</dd>
      <dt id="ACL_LIST_DIRECTORY"><a class="permalink" href="#ACL_LIST_DIRECTORY"><code class="Dv">ACL_LIST_DIRECTORY</code></a></dt>
      <dd>Same as <code class="Dv">ACL_READ_DATA</code>.</dd>
      <dt id="ACL_WRITE_DATA"><a class="permalink" href="#ACL_WRITE_DATA"><code class="Dv">ACL_WRITE_DATA</code></a></dt>
      <dd>The process may write to the associated file.</dd>
      <dt id="ACL_ADD_FILE"><a class="permalink" href="#ACL_ADD_FILE"><code class="Dv">ACL_ADD_FILE</code></a></dt>
      <dd>Same as <code class="Dv">ACL_WRITE_DATA</code>.</dd>
      <dt id="ACL_APPEND_DATA"><a class="permalink" href="#ACL_APPEND_DATA"><code class="Dv">ACL_APPEND_DATA</code></a></dt>
      <dd style="width: auto;">&#x00A0;</dd>
      <dt id="ACL_ADD_SUBDIRECTORY"><a class="permalink" href="#ACL_ADD_SUBDIRECTORY"><code class="Dv">ACL_ADD_SUBDIRECTORY</code></a></dt>
      <dd>Same as <code class="Dv">ACL_APPEND_DATA</code>.</dd>
      <dt id="ACL_READ_NAMED_ATTRS"><a class="permalink" href="#ACL_READ_NAMED_ATTRS"><code class="Dv">ACL_READ_NAMED_ATTRS</code></a></dt>
      <dd>Ignored.</dd>
      <dt id="ACL_WRITE_NAMED_ATTRS"><a class="permalink" href="#ACL_WRITE_NAMED_ATTRS"><code class="Dv">ACL_WRITE_NAMED_ATTRS</code></a></dt>
      <dd>Ignored.</dd>
      <dt id="ACL_EXECUTE~2"><a class="permalink" href="#ACL_EXECUTE~2"><code class="Dv">ACL_EXECUTE</code></a></dt>
      <dd>The process may execute the associated file.</dd>
      <dt id="ACL_DELETE_CHILD"><a class="permalink" href="#ACL_DELETE_CHILD"><code class="Dv">ACL_DELETE_CHILD</code></a></dt>
      <dd style="width: auto;">&#x00A0;</dd>
      <dt id="ACL_READ_ATTRIBUTES"><a class="permalink" href="#ACL_READ_ATTRIBUTES"><code class="Dv">ACL_READ_ATTRIBUTES</code></a></dt>
      <dd style="width: auto;">&#x00A0;</dd>
      <dt id="ACL_WRITE_ATTRIBUTES"><a class="permalink" href="#ACL_WRITE_ATTRIBUTES"><code class="Dv">ACL_WRITE_ATTRIBUTES</code></a></dt>
      <dd style="width: auto;">&#x00A0;</dd>
      <dt id="ACL_DELETE"><a class="permalink" href="#ACL_DELETE"><code class="Dv">ACL_DELETE</code></a></dt>
      <dd style="width: auto;">&#x00A0;</dd>
      <dt id="ACL_READ_ACL"><a class="permalink" href="#ACL_READ_ACL"><code class="Dv">ACL_READ_ACL</code></a></dt>
      <dd style="width: auto;">&#x00A0;</dd>
      <dt id="ACL_WRITE_ACL"><a class="permalink" href="#ACL_WRITE_ACL"><code class="Dv">ACL_WRITE_ACL</code></a></dt>
      <dd style="width: auto;">&#x00A0;</dd>
      <dt id="ACL_WRITE_OWNER"><a class="permalink" href="#ACL_WRITE_OWNER"><code class="Dv">ACL_WRITE_OWNER</code></a></dt>
      <dd style="width: auto;">&#x00A0;</dd>
      <dt id="ACL_SYNCHRONIZE"><a class="permalink" href="#ACL_SYNCHRONIZE"><code class="Dv">ACL_SYNCHRONIZE</code></a></dt>
      <dd>Ignored.</dd>
    </dl>
  </dd>
  <dt><var class="Vt">acl_entry_type_t</var>
    <var class="Va">ae_entry_type</var></dt>
  <dd>This field defines the type of an NFSv4 ACL entry. It is not used with
      POSIX.1e ACLs. The following values are valid:
    <dl class="Bl-tag">
      <dt id="ACL_ENTRY_TYPE_ALLOW"><a class="permalink" href="#ACL_ENTRY_TYPE_ALLOW"><code class="Dv">ACL_ENTRY_TYPE_ALLOW</code></a></dt>
      <dd style="width: auto;">&#x00A0;</dd>
      <dt id="ACL_ENTRY_TYPE_DENY"><a class="permalink" href="#ACL_ENTRY_TYPE_DENY"><code class="Dv">ACL_ENTRY_TYPE_DENY</code></a></dt>
      <dd style="width: auto;">&#x00A0;</dd>
    </dl>
  </dd>
  <dt><var class="Vt">acl_flag_t</var> <var class="Va">ae_flags</var></dt>
  <dd>This field defines the inheritance flags of an NFSv4 ACL entry. It is not
      used with POSIX.1e ACLs. The following values are valid:
    <dl class="Bl-tag">
      <dt id="ACL_ENTRY_FILE_INHERIT"><a class="permalink" href="#ACL_ENTRY_FILE_INHERIT"><code class="Dv">ACL_ENTRY_FILE_INHERIT</code></a></dt>
      <dd style="width: auto;">&#x00A0;</dd>
      <dt id="ACL_ENTRY_DIRECTORY_INHERIT"><a class="permalink" href="#ACL_ENTRY_DIRECTORY_INHERIT"><code class="Dv">ACL_ENTRY_DIRECTORY_INHERIT</code></a></dt>
      <dd style="width: auto;">&#x00A0;</dd>
      <dt id="ACL_ENTRY_NO_PROPAGATE_INHERIT"><a class="permalink" href="#ACL_ENTRY_NO_PROPAGATE_INHERIT"><code class="Dv">ACL_ENTRY_NO_PROPAGATE_INHERIT</code></a></dt>
      <dd style="width: auto;">&#x00A0;</dd>
      <dt id="ACL_ENTRY_INHERIT_ONLY"><a class="permalink" href="#ACL_ENTRY_INHERIT_ONLY"><code class="Dv">ACL_ENTRY_INHERIT_ONLY</code></a></dt>
      <dd style="width: auto;">&#x00A0;</dd>
      <dt id="ACL_ENTRY_INHERITED"><a class="permalink" href="#ACL_ENTRY_INHERITED"><code class="Dv">ACL_ENTRY_INHERITED</code></a></dt>
      <dd style="width: auto;">&#x00A0;</dd>
    </dl>
    The <code class="Dv">ACL_ENTRY_INHERITED</code> flag is set on an ACE that
      has been inherited from its parent. It may also be set programmatically,
      and is valid on both files and directories.</dd>
</dl>
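<p class="Pp">As an added illustration, not part of the acl(9) page or of the
    FreeBSD sources, the following user-space C program mirrors the
    <var class="Vt">acl</var> layout shown above and re-states the POSIX.1e
    well-formedness rules given under <var class="Va">ae_tag</var> and
    <var class="Va">ae_id</var> as a single check function. The tag values,
    permission bits, <code class="Dv">ACL_MAX_ENTRIES</code> and
    <code class="Dv">ACL_UNDEFINED_ID</code> are constructed stand-ins so the
    file compiles without <code class="In">sys/acl.h</code>; the function name
    <code class="Fn">check_posix1e_acl</code> and the sample ACLs are
    hypothetical; and the mask requirement is applied when named
    <code class="Dv">ACL_USER</code> or <code class="Dv">ACL_GROUP</code>
    entries exist, an assumption made here because
    <code class="Dv">ACL_OTHER</code> is itself mandatory in every POSIX.1e
    ACL.</p>

```c
/* Added example (not FreeBSD code): a user-space check of the POSIX.1e rules
 * that acl(9) states for struct acl.  All constant values are constructed. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

#define ACL_MAX_ENTRIES  254            /* constructed; sys/acl.h has the real value */
#define ACL_UNDEFINED_ID ((uid_t)-1)    /* constructed stand-in */
#define ACL_READ  0x4                   /* constructed permission bits */
#define ACL_WRITE 0x2

typedef enum {                          /* constructed tag values, names from the page */
	ACL_UNDEFINED_FIELD = 0, ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ,
	ACL_GROUP, ACL_MASK, ACL_OTHER, ACL_EVERYONE
} acl_tag_t;
typedef unsigned int acl_perm_t, acl_entry_type_t, acl_flag_t;

struct acl_entry {                      /* members as listed on the page */
	acl_tag_t        ae_tag;
	uid_t            ae_id;
	acl_perm_t       ae_perm;
	acl_entry_type_t ae_entry_type;
	acl_flag_t       ae_flags;
};
struct acl {                            /* layout as shown on the page */
	unsigned int     acl_maxcnt;
	unsigned int     acl_cnt;
	int              acl_spare[4];
	struct acl_entry acl_entry[ACL_MAX_ENTRIES];
};

/* 0 if the ACL obeys the page's POSIX.1e rules, else EINVAL.  Hypothetical
 * name; the mask rule is keyed to named USER/GROUP entries (see lead-in). */
int check_posix1e_acl(const struct acl *a)
{
	unsigned int n_uobj = 0, n_gobj = 0, n_other = 0, n_mask = 0;
	unsigned int n_named = 0, i;
	if (a->acl_maxcnt > ACL_MAX_ENTRIES || a->acl_cnt > a->acl_maxcnt)
		return EINVAL;                  /* would index past the fixed array */
	for (i = 0; i < a->acl_cnt; i++) {
		const struct acl_entry *e = &a->acl_entry[i];
		switch (e->ae_tag) {
		case ACL_USER_OBJ:  n_uobj++;  break;
		case ACL_GROUP_OBJ: n_gobj++;  break;
		case ACL_OTHER:     n_other++; break;
		case ACL_MASK:      n_mask++;  break;
		case ACL_USER: case ACL_GROUP:
			n_named++; continue;        /* only these carry a qualifier */
		default:
			return EINVAL;              /* undefined or NFSv4-only tag */
		}
		if (e->ae_id != ACL_UNDEFINED_ID)
			return EINVAL;              /* page: ae_id must be ACL_UNDEFINED_ID here */
	}
	if (n_uobj != 1 || n_gobj != 1 || n_other != 1 || n_mask > 1)
		return EINVAL;                  /* exactly one of each required entry */
	if (n_named != 0 && n_mask != 1)
		return EINVAL;                  /* extended ACL needs exactly one mask */
	return 0;
}

/* Append one entry; acl_maxcnt is always ACL_MAX_ENTRIES, per the page. */
static void acl_add(struct acl *a, acl_tag_t tag, uid_t id, acl_perm_t perm)
{
	struct acl_entry *e = &a->acl_entry[a->acl_cnt++];
	e->ae_tag = tag; e->ae_id = id; e->ae_perm = perm;
}
/* Constructed samples; each returns the check result for its ACL. */
int sample_minimal(void)                /* mode 0640 as an ACL: valid */
{
	struct acl a = { .acl_maxcnt = ACL_MAX_ENTRIES };
	acl_add(&a, ACL_USER_OBJ,  ACL_UNDEFINED_ID, ACL_READ | ACL_WRITE);
	acl_add(&a, ACL_GROUP_OBJ, ACL_UNDEFINED_ID, ACL_READ);
	acl_add(&a, ACL_OTHER,     ACL_UNDEFINED_ID, 0);
	return check_posix1e_acl(&a);
}
int sample_extended(int with_mask)      /* named uid 1001 added; valid only with MASK */
{
	struct acl a = { .acl_maxcnt = ACL_MAX_ENTRIES };
	acl_add(&a, ACL_USER_OBJ,  ACL_UNDEFINED_ID, ACL_READ | ACL_WRITE);
	acl_add(&a, ACL_USER,      1001,             ACL_READ);
	acl_add(&a, ACL_GROUP_OBJ, ACL_UNDEFINED_ID, ACL_READ);
	if (with_mask)
		acl_add(&a, ACL_MASK,  ACL_UNDEFINED_ID, ACL_READ);
	acl_add(&a, ACL_OTHER,     ACL_UNDEFINED_ID, 0);
	return check_posix1e_acl(&a);
}
int sample_bad_qualifier(void)          /* uid on ACL_OTHER: invalid */
{
	struct acl a = { .acl_maxcnt = ACL_MAX_ENTRIES };
	acl_add(&a, ACL_USER_OBJ,  ACL_UNDEFINED_ID, ACL_READ);
	acl_add(&a, ACL_GROUP_OBJ, ACL_UNDEFINED_ID, ACL_READ);
	acl_add(&a, ACL_OTHER,     1001,             0);
	return check_posix1e_acl(&a);
}

int main(void)
{
	printf("minimal=%d extended+mask=%d extended-nomask=%d bad-qualifier=%d\n",
	    sample_minimal(), sample_extended(1), sample_extended(0),
	    sample_bad_qualifier());
	return 0;
}
```

<p class="Pp">The two failing samples show the classes of malformed ACL that
    the page's rules reject: an extended ACL whose named
    <code class="Dv">ACL_USER</code> entry has no accompanying
    <code class="Dv">ACL_MASK</code>, and a qualifier carried on an entry that
    must hold <code class="Dv">ACL_UNDEFINED_ID</code>. Both are the kind of
    input a <a class="Xr">VOP_ACLCHECK(9)</a> implementation has to refuse
    before an ACL is stored, because a missing mask leaves the group class
    uncapped and a stray qualifier is silently ignored at access-check time.</p>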
</section>
<section class="Sh">
<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE
  ALSO</a></h1>
<p class="Pp"><a class="Xr">acl(3)</a>, <a class="Xr">vaccess(9)</a>,
    <a class="Xr">vaccess_acl_nfs4(9)</a>,
    <a class="Xr">vaccess_acl_posix1e(9)</a>, <a class="Xr">VFS(9)</a>,
    <a class="Xr">VOP_ACLCHECK(9)</a>, <a class="Xr">VOP_GETACL(9)</a>,
    <a class="Xr">VOP_SETACL(9)</a></p>
</section>
<section class="Sh">
<h1 class="Sh" id="AUTHORS"><a class="permalink" href="#AUTHORS">AUTHORS</a></h1>
<p class="Pp">This manual page was written by <span class="An">Robert
    Watson</span>.</p>
</section>
</div>
<table class="foot">
  <tr>
    <td class="foot-date">September 4, 2015</td>
    <td class="foot-os">FreeBSD 15.0</td>
  </tr>
</table>