xref: /freebsd/share/man/man9/acl.9 (revision 571dba6ec9f25ecf7582dc2192daf1ceea70065f)
.\"-
.\" Copyright (c) 1999-2001 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd December 23, 1999
.Os
.Dt ACL 9
.Sh NAME
.Nm acl
.Nd virtual file system access control lists
.Sh SYNOPSIS
.In sys/param.h
.In sys/vnode.h
.In sys/acl.h
.Pp
In the kernel configuration file:
.Cd "options UFS_ACL"
.Sh DESCRIPTION
Access control lists, or ACLs,
allow fine-grained specification of rights
for vnodes representing files and directories.
However, as there are a plethora of file systems with differing ACL semantics,
the vnode interface is aware only of the syntax of ACLs,
relying on the underlying file system to implement the details.
Depending on the underlying file system, each file or directory
may have zero or more ACLs associated with it, named using the
.Fa type
field of the appropriate vnode ACL calls:
.Xr VOP_ACLCHECK 9 ,
.Xr VOP_GETACL 9 ,
and
.Xr VOP_SETACL 9 .
.Pp
Currently, each ACL is represented in-kernel by a fixed-size
.Vt acl
structure, defined as follows:
.Bd -literal -offset indent
struct acl {
        int                     acl_cnt;
        struct acl_entry        acl_entry[ACL_MAX_ENTRIES];
};
.Ed
.Pp
An ACL is constructed from a fixed-size array of ACL entries,
each of which consists of a set of permissions, a principal namespace,
and a principal identifier.
.Pp
Each individual ACL entry is of the type
.Vt acl_entry_t ,
which is a structure with the following members:
.Bl -tag -width 2n
.It Vt acl_tag_t Va ae_tag
The following is a list of definitions of ACL types
to be set in
.Va ae_tag :
.Pp
.Bl -tag -width ".Dv ACL_UNDEFINED_FIELD" -offset indent -compact
.It Dv ACL_UNDEFINED_FIELD
Undefined ACL type.
.It Dv ACL_USER_OBJ
Discretionary access rights for processes whose effective user ID
matches the user ID of the file's owner.
.It Dv ACL_USER
Discretionary access rights for processes whose effective user ID
matches the ACL entry qualifier.
.It Dv ACL_GROUP_OBJ
Discretionary access rights for processes whose effective group ID
or any supplemental groups
match the group ID of the file's owner.
.It Dv ACL_GROUP
Discretionary access rights for processes whose effective group ID
or any supplemental groups
match the ACL entry qualifier.
.It Dv ACL_MASK
The maximum discretionary access rights that can be granted
to a process in the file group class.
.It Dv ACL_OTHER
Discretionary access rights for processes not covered by any other ACL
entry.
.It Dv ACL_OTHER_OBJ
Same as
.Dv ACL_OTHER .
.El
.Pp
Each ACL must contain exactly one
.Dv ACL_USER_OBJ ,
one
.Dv ACL_GROUP_OBJ ,
and one
.Dv ACL_OTHER
entry.
If any of
.Dv ACL_USER ,
.Dv ACL_GROUP ,
or
.Dv ACL_OTHER
are present, then exactly one
.Dv ACL_MASK
entry should be present.
.It Vt uid_t Va ae_id
The ID of the user for whom this ACL entry describes access permissions.
.It Vt acl_perm_t Va ae_perm
This field defines what kind of access a process matching this ACL entry
has to the associated file.
.Bl -tag -width ".Dv ACL_POSIX1E_BITS"
.It Dv ACL_EXECUTE
The process may execute the associated file.
.It Dv ACL_WRITE
The process may write to the associated file.
.It Dv ACL_READ
The process may read from the associated file.
.It Dv ACL_PERM_NONE
The process has no read, write, or execute permissions
to the associated file.
.El
.El
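.Pp
The structural rules above, as an added example that is not part of this
manual page or of the FreeBSD kernel: a user-space check that rejects a
malformed ACL the way a file system is expected to before storing one.
It follows the
.Vt acl
layout shown above and the tag and permission values listed under
.Sx IMPLEMENTATION NOTES ;
the value of
.Dv ACL_MAX_ENTRIES ,
the integer typedefs, the function names (acl_check_posix1e, minimal_ok,
extended_ok and the two rejection cases) and the sample ACLs are
assumptions made for the example.
Because an
.Dv ACL_OTHER
entry is always required, the mask rule in this check is keyed on the
named
.Dv ACL_USER
and
.Dv ACL_GROUP
entries.

```c
#include <sys/types.h>	/* uid_t */

/* Tag and permission values as listed in IMPLEMENTATION NOTES.  The array
 * size and the integer typedefs are assumptions made for this example. */
#define ACL_MAX_ENTRIES	32
#define ACL_USER_OBJ	0x01
#define ACL_USER	0x02
#define ACL_GROUP_OBJ	0x04
#define ACL_GROUP	0x08
#define ACL_MASK	0x10
#define ACL_OTHER	0x20
#define ACL_EXECUTE	0x0001
#define ACL_WRITE	0x0002
#define ACL_READ	0x0004
#define ACL_POSIX1E_BITS (ACL_EXECUTE | ACL_WRITE | ACL_READ)
#define ACL_UNDEFINED_ID ((uid_t)-1)

typedef int acl_tag_t, acl_perm_t;
struct acl_entry { acl_tag_t ae_tag; uid_t ae_id; acl_perm_t ae_perm; };
struct acl { int acl_cnt; struct acl_entry acl_entry[ACL_MAX_ENTRIES]; };

/* Structural rules from above: exactly one ACL_USER_OBJ, ACL_GROUP_OBJ and
 * ACL_OTHER; at most one ACL_MASK, which becomes mandatory as soon as a
 * named ACL_USER or ACL_GROUP entry is present; no unknown tags or
 * permission bits; named entries carry a real qualifier.
 * Returns 1 if the ACL is acceptable, 0 if it must be rejected. */
int
acl_check_posix1e(const struct acl *a)
{
	int i, uobj = 0, gobj = 0, other = 0, mask = 0, named = 0;

	if (a->acl_cnt < 0 || a->acl_cnt > ACL_MAX_ENTRIES)
		return (0);
	for (i = 0; i < a->acl_cnt; i++) {
		const struct acl_entry *e = &a->acl_entry[i];

		if (e->ae_perm & ~ACL_POSIX1E_BITS)
			return (0);		/* permission bit outside r/w/x */
		switch (e->ae_tag) {
		case ACL_USER_OBJ:	uobj++; break;
		case ACL_GROUP_OBJ:	gobj++; break;
		case ACL_OTHER:		other++; break;
		case ACL_MASK:		mask++; break;
		case ACL_USER:
		case ACL_GROUP:
			if (e->ae_id == ACL_UNDEFINED_ID)
				return (0);	/* named entry without a qualifier */
			named++;
			break;
		default:
			return (0);		/* ACL_UNDEFINED_FIELD or garbage */
		}
	}
	return (uobj == 1 && gobj == 1 && other == 1 && mask <= 1 &&
	    (named == 0 || mask == 1));
}

/* Constructed sample ACLs (not taken from any real system). */
static const struct acl minimal = { 3, {	/* plain owner/group/other */
	{ ACL_USER_OBJ,  ACL_UNDEFINED_ID, ACL_READ | ACL_WRITE },
	{ ACL_GROUP_OBJ, ACL_UNDEFINED_ID, ACL_READ },
	{ ACL_OTHER,     ACL_UNDEFINED_ID, ACL_READ },
} };
static const struct acl extended = { 5, {	/* adds user 1001 plus a mask */
	{ ACL_USER_OBJ,  ACL_UNDEFINED_ID, ACL_READ | ACL_WRITE },
	{ ACL_USER,      1001,             ACL_READ },
	{ ACL_GROUP_OBJ, ACL_UNDEFINED_ID, ACL_READ },
	{ ACL_MASK,      ACL_UNDEFINED_ID, ACL_READ },
	{ ACL_OTHER,     ACL_UNDEFINED_ID, ACL_READ },
} };

int minimal_ok(void) { return (acl_check_posix1e(&minimal)); }
int extended_ok(void) { return (acl_check_posix1e(&extended)); }

/* The extended ACL with its ACL_MASK entry removed: must be rejected. */
int
extended_without_mask_ok(void)
{
	struct acl a = extended;

	a.acl_entry[3] = a.acl_entry[4];	/* ACL_OTHER takes the mask's slot */
	a.acl_cnt = 4;
	return (acl_check_posix1e(&a));
}

/* A duplicated ACL_USER_OBJ entry: must be rejected. */
int
duplicate_owner_ok(void)
{
	struct acl a = minimal;

	a.acl_entry[3] = a.acl_entry[0];
	a.acl_cnt = 4;
	return (acl_check_posix1e(&a));
}
```

The check is order-independent on purpose: it counts tags rather than
expecting a canonical layout, so an ACL with its entries shuffled is still
accepted, while a missing mask next to a named entry or a second owner
entry is refused before anything could act on it.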
.Sh IMPLEMENTATION NOTES
.Bd -literal
typedef mode_t  *acl_permset_t;

/* internal ACL structure */
struct acl {
        int                     acl_cnt;
        struct acl_entry        acl_entry[ACL_MAX_ENTRIES];
};

/* external ACL structure */
struct acl_t_struct {
        struct acl              ats_acl;
        int                     ats_cur_entry;
};
typedef struct acl_t_struct *acl_t;

/*
 * Possible valid values for ae_tag field.
 */
#define ACL_UNDEFINED_TAG       0x00000000
#define ACL_USER_OBJ            0x00000001
#define ACL_USER                0x00000002
#define ACL_GROUP_OBJ           0x00000004
#define ACL_GROUP               0x00000008
#define ACL_MASK                0x00000010
#define ACL_OTHER               0x00000020
#define ACL_OTHER_OBJ           ACL_OTHER

/*
 * Possible valid values for acl_type_t arguments.
 */
#define ACL_TYPE_ACCESS         0x00000000
#define ACL_TYPE_DEFAULT        0x00000001
#define ACL_TYPE_AFS            0x00000002
#define ACL_TYPE_CODA           0x00000003
#define ACL_TYPE_NTFS           0x00000004
#define ACL_TYPE_NWFS           0x00000005

/*
 * Possible flags in ae_perm field.
 */
#define ACL_EXECUTE             0x0001
#define ACL_WRITE               0x0002
#define ACL_READ                0x0004
#define ACL_PERM_NONE           0x0000
#define ACL_PERM_BITS           (ACL_EXECUTE | ACL_WRITE | ACL_READ)
#define ACL_POSIX1E_BITS        (ACL_EXECUTE | ACL_WRITE | ACL_READ)

/*
 * Possible entry_id values for acl_get_entry()
 */
#define ACL_FIRST_ENTRY         0
#define ACL_NEXT_ENTRY          1

/*
 * Undefined value in ae_id field
 */
#define ACL_UNDEFINED_ID        ((uid_t)-1)
.Ed
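.Pp
Putting the values above together with the meaning of
.Dv ACL_MASK
and of the tag types given in
.Sx DESCRIPTION ,
the following added example (not part of this manual page, and not the
kernel's
.Xr vaccess_acl_posix1e 9 )
evaluates an access request against an ACL in user space.
The evaluation order models the semantics described above:
the owner entry first and unmasked, then a named user entry, then every
matching group-class entry capped by the mask, and
.Dv ACL_OTHER
only when nothing else matched.
The value of
.Dv ACL_MAX_ENTRIES ,
the integer typedefs, the helper names (acl_eval, in_groups,
sample_access) and the sample ACL are assumptions made for the example.

```c
#include <sys/types.h>	/* uid_t, gid_t */

/* Values from the header above; ACL_MAX_ENTRIES and the integer typedefs
 * are assumptions made for this example. */
#define ACL_MAX_ENTRIES	32
#define ACL_USER_OBJ	0x01
#define ACL_USER	0x02
#define ACL_GROUP_OBJ	0x04
#define ACL_GROUP	0x08
#define ACL_MASK	0x10
#define ACL_OTHER	0x20
#define ACL_EXECUTE	0x0001
#define ACL_WRITE	0x0002
#define ACL_READ	0x0004
#define ACL_PERM_NONE	0x0000
#define ACL_POSIX1E_BITS (ACL_EXECUTE | ACL_WRITE | ACL_READ)
#define ACL_UNDEFINED_ID ((uid_t)-1)

typedef int acl_tag_t, acl_perm_t;
struct acl_entry { acl_tag_t ae_tag; uid_t ae_id; acl_perm_t ae_perm; };
struct acl { int acl_cnt; struct acl_entry acl_entry[ACL_MAX_ENTRIES]; };

/* Does gid g appear in the process's group list (effective + supplementary)? */
static int
in_groups(gid_t g, const gid_t *groups, int ngroups)
{
	int i;

	for (i = 0; i < ngroups; i++)
		if (groups[i] == g)
			return (1);
	return (0);
}

/* Is every bit of `want` granted to a process with euid and the given group
 * list?  ACL_USER_OBJ is consulted first and is never masked; a named
 * ACL_USER next; then every matching group-class entry, each capped by
 * ACL_MASK (one granting entry suffices); ACL_OTHER only if nothing else
 * matched.  Two passes keep the result independent of entry order.
 * Returns 1 to allow, 0 to deny. */
int
acl_eval(const struct acl *a, uid_t file_uid, gid_t file_gid, uid_t euid,
    const gid_t *groups, int ngroups, acl_perm_t want)
{
	acl_perm_t mask = ACL_POSIX1E_BITS, other = ACL_PERM_NONE, owner = 0, user = 0;
	int i, owner_hit = 0, user_hit = 0, group_hit = 0, group_ok = 0;

	for (i = 0; i < a->acl_cnt; i++) {	/* pass 1: mask and other */
		if (a->acl_entry[i].ae_tag == ACL_MASK)
			mask = a->acl_entry[i].ae_perm;
		if (a->acl_entry[i].ae_tag == ACL_OTHER)
			other = a->acl_entry[i].ae_perm;
	}
	for (i = 0; i < a->acl_cnt; i++) {	/* pass 2: who matches */
		const struct acl_entry *e = &a->acl_entry[i];

		if (e->ae_tag == ACL_USER_OBJ && euid == file_uid) {
			owner_hit = 1;
			owner = e->ae_perm;
		} else if (e->ae_tag == ACL_USER && euid == e->ae_id) {
			user_hit = 1;
			user = e->ae_perm;
		} else if ((e->ae_tag == ACL_GROUP_OBJ &&
		    in_groups(file_gid, groups, ngroups)) ||
		    (e->ae_tag == ACL_GROUP && in_groups(e->ae_id, groups, ngroups))) {
			group_hit = 1;
			if ((want & ~(e->ae_perm & mask)) == 0)
				group_ok = 1;
		}
	}
	if (owner_hit)
		return ((want & ~owner) == 0);
	if (user_hit)
		return ((want & ~(user & mask)) == 0);
	if (group_hit)
		return (group_ok);	/* group class matched: no fall-through */
	return ((want & ~other) == 0);
}

/* Constructed sample ACL (not from any real system) on a file owned by
 * uid 1000 / gid 100: owner rwx, user 1001 r--, file group r-x,
 * group 200 rw-, mask r-x, other ---. */
static const struct acl sample = { 6, {
	{ ACL_USER_OBJ,  ACL_UNDEFINED_ID, ACL_READ | ACL_WRITE | ACL_EXECUTE },
	{ ACL_USER,      1001,             ACL_READ },
	{ ACL_GROUP_OBJ, ACL_UNDEFINED_ID, ACL_READ | ACL_EXECUTE },
	{ ACL_GROUP,     200,              ACL_READ | ACL_WRITE },
	{ ACL_MASK,      ACL_UNDEFINED_ID, ACL_READ | ACL_EXECUTE },
	{ ACL_OTHER,     ACL_UNDEFINED_ID, ACL_PERM_NONE },
} };

/* Evaluate `want` for a process with euid and the single group egid. */
int
sample_access(uid_t euid, gid_t egid, acl_perm_t want)
{
	return (acl_eval(&sample, 1000, 100, euid, &egid, 1, want));
}
```

The sample shows the audit point the mask creates: group 200 is written as
rw-, yet a member of that group cannot write, because the
.Dv ACL_MASK
of r-x caps every group-class entry, while the owner's
.Dv ACL_USER_OBJ
entry is not capped and keeps its write bit.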
.Sh SEE ALSO
.Xr acl 3 ,
.Xr vaccess_acl_posix1e 9 ,
.Xr VFS 9 ,
.Xr vnaccess 9 ,
.Xr VOP_ACLCHECK 9 ,
.Xr VOP_GETACL 9 ,
.Xr VOP_SETACL 9
.Sh AUTHORS
This manual page was written by
.An Robert Watson .