1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
|
.\"-
.\" Copyright (c) 1999-2001 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd December 23, 1999
.Os
.Dt ACL 9
.Sh NAME
.Nm acl
.Nd virtual file system access control lists
.Sh SYNOPSIS
.In sys/param.h
.In sys/vnode.h
.In sys/acl.h
.Pp
In the kernel configuration file:
.Cd "options UFS_ACL"
.Sh DESCRIPTION
Access control lists, or ACLs,
allow fine-grained specification of rights
for vnodes representing files and directories.
However, as there are a plethora of file systems with differing ACL semantics,
the vnode interface is aware only of the syntax of ACLs,
relying on the underlying file system to implement the details.
Depending on the underlying file system, each file or directory
may have zero or more ACLs associated with it, named using the
.Fa type
field of the appropriate vnode ACL calls:
.Xr VOP_ACLCHECK 9 ,
.Xr VOP_GETACL 9 ,
and
.Xr VOP_SETACL 9 .
.Pp
Currently, each ACL is represented in-kernel by a fixed-size
.Vt acl
structure, defined as follows:
.Bd -literal -offset indent
struct acl {
int acl_cnt;
struct acl_entry acl_entry[ACL_MAX_ENTRIES];
};
.Ed
.Pp
An ACL is constructed from a fixed size array of ACL entries,
each of which consists of a set of permissions, principal namespace,
and principal identifier.
.Pp
Each individual ACL entry is of the type
.Vt acl_entry_t ,
which is a structure with the following members:
.Bl -tag -width 2n
.It Vt acl_tag_t Va ae_tag
The following is a list of definitions of ACL types
to be set in
.Va ae_tag :
.Pp
.Bl -tag -width ".Dv ACL_UNDEFINED_FIELD" -offset indent -compact
.It Dv ACL_UNDEFINED_FIELD
Undefined ACL type.
.It Dv ACL_USER_OBJ
Discretionary access rights for processes whose effective user ID
matches the user ID of the file's owner.
.It Dv ACL_USER
Discretionary access rights for processes whose effective user ID
matches the ACL entry qualifier.
.It Dv ACL_GROUP_OBJ
Discretionary access rights for processes whose effective group ID
or any supplemental groups
match the group ID of the file's owner.
.It Dv ACL_GROUP
Discretionary access rights for processes whose effective group ID
or any supplemental groups
match the ACL entry qualifier.
.It Dv ACL_MASK
The maximum discretionary access rights that can be granted
to a process in the file group class.
.It Dv ACL_OTHER
Discretionary access rights for processes not covered by any other ACL
entry.
.It Dv ACL_OTHER_OBJ
Same as
.Dv ACL_OTHER .
Each ACL entry must contain exactly one
.Dv ACL_USER_OBJ ,
one
.Dv ACL_GROUP_OBJ ,
and one
.Dv ACL_OTHER .
If any of
.Dv ACL_USER ,
.Dv ACL_GROUP ,
or
.Dv ACL_OTHER
are present, then exactly one
.Dv ACL_MASK
entry should be present.
.El
.It Vt uid_t Va ae_id
The ID of user for whom this ACL describes access permissions.
.It Vt acl_perm_t Va ae_perm
This field defines what kind of access the process matching this ACL has
for accessing the associated file.
.Bl -tag -width ".Dv ACL_POSIX1E_BITS"
.It Dv ACL_EXECUTE
The process may execute the associated file.
.It Dv ACL_WRITE
The process may write to the associated file.
.It Dv ACL_READ
The process may read from the associated file.
.It Dv ACL_PERM_NONE
The process has no read, write or execute permissions
to the associated file.
.El
.El
.Pp
.Sh IMPLEMENTATION NOTES
.Bd -literal
typedef mode_t *acl_permset_t;
/* internal ACL structure */
struct acl {
int acl_cnt;
struct acl_entry acl_entry[ACL_MAX_ENTRIES];
};
/* external ACL structure */
struct acl_t_struct {
struct acl ats_acl;
int ats_cur_entry;
};
typedef struct acl_t_struct *acl_t;
/*
* Possible valid values for ae_tag field.
*/
#define ACL_UNDEFINED_TAG 0x00000000
#define ACL_USER_OBJ 0x00000001
#define ACL_USER 0x00000002
#define ACL_GROUP_OBJ 0x00000004
#define ACL_GROUP 0x00000008
#define ACL_MASK 0x00000010
#define ACL_OTHER 0x00000020
#define ACL_OTHER_OBJ ACL_OTHER
/*
* Possible valid values for acl_type_t arguments.
*/
#define ACL_TYPE_ACCESS 0x00000000
#define ACL_TYPE_DEFAULT 0x00000001
#define ACL_TYPE_AFS 0x00000002
#define ACL_TYPE_CODA 0x00000003
#define ACL_TYPE_NTFS 0x00000004
#define ACL_TYPE_NWFS 0x00000005
/*
* Possible flags in ae_perm field.
*/
#define ACL_EXECUTE 0x0001
#define ACL_WRITE 0x0002
#define ACL_READ 0x0004
#define ACL_PERM_NONE 0x0000
#define ACL_PERM_BITS (ACL_EXECUTE | ACL_WRITE | ACL_READ)
#define ACL_POSIX1E_BITS (ACL_EXECUTE | ACL_WRITE | ACL_READ)
/*
* Possible entry_id values for acl_get_entry()
*/
#define ACL_FIRST_ENTRY 0
#define ACL_NEXT_ENTRY 1
/*
* Undefined value in ae_id field
*/
#define ACL_UNDEFINED_ID ((uid_t)-1)
.Ed
.Sh SEE ALSO
.Xr acl 3 ,
.Xr vaccess_acl_posix1e 9 ,
.Xr VFS 9 ,
.Xr vnaccess 9 ,
.Xr VOP_ACLCHECK 9 ,
.Xr VOP_GETACL 9 ,
.Xr VOP_SETACL 9
.Sh AUTHORS
This man page was written by
.An Robert Watson .
|