o Add a man page for the kernel vaccess() call, a utility function to

  generate access control decisions.

Obtained from:	TrustedBSD Project

1 files changed, 110 insertions, 0 deletions

diff --git a/share/man/man9/vaccess.9 b/share/man/man9/vaccess.9
new file mode 100644
index 0000000..c30bb55
--- /dev/null
+++ b/share/man/man9/vaccess.9
@@ -0,0 +1,110 @@
+.\"-
+.\" Copyright (c) 2001 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd August 22, 2001
+.Os
+.Dt vaccess 9
+.Sh NAME
+.Nm vaccess
+.Nd generate an access control decision using vnode parameters
+.Sh SYNOPSIS
+.Fd #include <sys/param.h>
+.Fd #include <sys/vnode.h>
+.Ft int
+.Fn vaccess "enum vtype type" "mode_t file_mode" "uid_t file_uid" "gid_t file_gid" "mode_t acc_mode" "struct ucred *cred" "int *privused"
+.Sh DESCRIPTION
+This call implements the logic for the UNIX discretionary file security model
+common to many file systems in FreeBSD.
+It accepts the vnodes type
+.Fa vtype ,
+.Fa mode ,
+owning uid 
+.Fa file_uid ,
+owning gid
+.Fa file_gid ,
+desired access mode
+.Fa acc_mode ,
+requesting credential
+.Fa cred ,
+and an optional call-by-reference int pointer returning whether or not
+privilege was required for successful evaluation of the call; the
+.Fa privused
+pointer may be set to NULL by the caller in order not to be informed of
+privilege information, or it may point to an integer that will be set to
+1 if privilege is used, and 0 otherwise.
+.Pp
+This call is intended to support implementations of
+.Xr VOP_ACCESS 9 ,
+which will use their own accessor methods to retrieve the vnode properties,
+and then invoke
+.Fn vaccess
+in order to perform the actual check.
+Implementations of
+.Xr VOP_ACCESS 9
+may choose to implement additional security mechanisms whose results will
+be composed with the return value.
+.Pp
+The algorithm used by
+.Fn vaccess
+selects a component of the file permission bits based on comparing the
+passed credential, file owner, and file group.
+If the credential's effective uid matches the file owner, then the
+owner component of the permission bits is selected.
+If the uid does not match, then the credential's effective gid, followed
+by additional groups, are compared with the file group--if there is
+a match, then the group component of the permission bits is selected.
+If neither the credential uid or gids match the passed file owner and
+group, then then the other component of the permission bits is selected.
+.Pp
+Once appropriate protections are selected for the current credential,
+the requested access mode, in combination with the vnode type, will be
+compared with the discretionary rights available for the credential.
+If the rights granted by discretionary protections are insufficient,
+then super-user privilege, if available for the credential, will also be
+considered.
+.Sh RETURN VALUES
+.Fn vaccess
+will return 0 on success, or a non-zero error value on failure.
+.Sh ERRORS
+.Bl -tag -width Er
+.It Bq Er EACCES
+Permission denied.
+An attempt was made to access a file in a way forbidden by its file access
+permissions.
+.It Bq Er EPERM
+Operation not permitted.
+An attempt was made to perform an operation limited to processes with
+appropriate privileges or to the owner of a file or other resource.
+.El
+.Sh SEE ALSO
+.Xr vnode 9 ,
+.Xr VOP_ACCESS 9
+.Sh AUTHORS
+This man page and the current implementation of
+.Fn vaccess
+were written by
+.An Robert Watson .