acl(9)
- NetBSD Manual Pages
ACL(9) NetBSD Kernel Developer's Manual ACL(9)
NAME
acl -- virtual file system access control lists
SYNOPSIS
#include <sys/param.h>
#include <sys/vnode.h>
#include <sys/acl.h>
In the kernel configuration file:
options UFS_ACL
DESCRIPTION
Access control lists, or ACLs, allow fine-grained specification of rights
for vnodes representing files and directories. However, as there are a
plethora of file systems with differing ACL semantics, the vnode inter-
face is aware only of the syntax of ACLs, relying on the underlying file
system to implement the details. Depending on the underlying file sys-
tem, each file or directory may have zero or more ACLs associated with
it, named using the type field of the appropriate vnode ACL calls:
VOP_ACLCHECK(9), VOP_GETACL(9), and VOP_SETACL(9).
Currently, each ACL is represented in-kernel by a fixed-size acl struc-
ture, defined as follows:
struct acl {
unsigned int acl_maxcnt;
unsigned int acl_cnt;
int acl_spare[4];
struct acl_entry acl_entry[ACL_MAX_ENTRIES];
};
An ACL is constructed from a fixed size array of ACL entries, each of
which consists of a set of permissions, principal namespace, and princi-
pal identifier. In this implementation, the acl_maxcnt field is always
set to ACL_MAX_ENTRIES.
Each individual ACL entry is of the type acl_entry_t, which is a struc-
ture with the following members:
acl_tag_t ae_tag
The following is a list of definitions of ACL types to be set in
ae_tag:
ACL_UNDEFINED_FIELD Undefined ACL type.
ACL_USER_OBJ Discretionary access rights for processes
whose effective user ID matches the user
ID of the file's owner.
ACL_USER Discretionary access rights for processes
whose effective user ID matches the ACL
entry qualifier.
ACL_GROUP_OBJ Discretionary access rights for processes
whose effective group ID or any supplemen-
tal groups match the group ID of the
file's owner.
ACL_GROUP Discretionary access rights for processes
whose effective group ID or any supplemen-
tal groups match the ACL entry qualifier.
ACL_MASK The maximum discretionary access rights
that can be granted to a process in the
file group class. This is only valid for
POSIX.1e ACLs.
ACL_OTHER Discretionary access rights for processes
not covered by any other ACL entry. This
is only valid for POSIX.1e ACLs.
ACL_OTHER_OBJ Same as ACL_OTHER.
ACL_EVERYONE Discretionary access rights for all users.
This is only valid for NFSv4 ACLs.
Each POSIX.1e ACL must contain exactly one ACL_USER_OBJ, one
ACL_GROUP_OBJ, and one ACL_OTHER. If any of ACL_USER, ACL_GROUP, or
ACL_OTHER are present, then exactly one ACL_MASK entry should be
present.
uid_t ae_id
The ID of user for whom this ACL describes access permissions. For
entries other than ACL_USER and ACL_GROUP, this field should be set
to ACL_UNDEFINED_ID.
acl_perm_t ae_perm
This field defines what kind of access the process matching this ACL
has for accessing the associated file. For POSIX.1e ACLs, the fol-
lowing are valid:
ACL_EXECUTE The process may execute the associated file.
ACL_WRITE The process may write to the associated file.
ACL_READ The process may read from the associated file.
ACL_PERM_NONE The process has no read, write or execute per-
missions to the associated file.
For NFSv4 ACLs, the following are valid:
ACL_READ_DATA The process may read from the associated file.
ACL_LIST_DIRECTORY Same as ACL_READ_DATA.
ACL_WRITE_DATA The process may write to the associated file.
ACL_ADD_FILE Same as ACL_ACL_WRITE_DATA.
ACL_APPEND_DATA
ACL_ADD_SUBDIRECTORY Same as ACL_APPEND_DATA.
ACL_READ_NAMED_ATTRS Ignored.
ACL_WRITE_NAMED_ATTRS Ignored.
ACL_EXECUTE The process may execute the associated file.
ACL_DELETE_CHILD
ACL_READ_ATTRIBUTES
ACL_WRITE_ATTRIBUTES
ACL_DELETE
ACL_READ_ACL
ACL_WRITE_ACL
ACL_WRITE_OWNER
ACL_SYNCHRONIZE Ignored.
acl_entry_type_t ae_entry_type
This field defines the type of NFSv4 ACL entry. It is not used with
POSIX.1e ACLs. The following values are valid:
ACL_ENTRY_TYPE_ALLOW
ACL_ENTRY_TYPE_DENY
acl_flag_t ae_flags
This field defines the inheritance flags of NFSv4 ACL entry. It is
not used with POSIX.1e ACLs. The following values are valid:
ACL_ENTRY_FILE_INHERIT
ACL_ENTRY_DIRECTORY_INHERIT
ACL_ENTRY_NO_PROPAGATE_INHERIT
ACL_ENTRY_INHERIT_ONLY
ACL_ENTRY_INHERITED
The ACL_ENTRY_INHERITED flag is set on an ACE that has been inherited
from its parent. It may also be set programmatically, and is valid
on both files and directories.
SEE ALSO
acl(3), genfs(9), genfs_can_access(9), genfs_can_access_acl_nfs4(9),
genfs_can_access_acl_posix1e(9), VOP_ACLCHECK(9), VOP_GETACL(9),
VOP_SETACL(9)
AUTHORS
This manual page was written by Robert Watson.
NetBSD 10.99 January 18, 2022 NetBSD 10.99
Powered by man-cgi (2024-03-20).
Maintained for NetBSD
by Kimmo Suominen.
Based on man-cgi by Panagiotis Christias.