.\"-
.\" Copyright (c) 2001 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd August 23, 2022
.Dt VACCESS 9
.Os
.Sh NAME
.Nm vaccess
.Nd generate an access control decision using vnode parameters
.Sh SYNOPSIS
.In sys/param.h
.In sys/vnode.h
.Ft int
.Fo vaccess
.Fa "enum vtype type"
.Fa "mode_t file_mode"
.Fa "uid_t file_uid"
.Fa "gid_t file_gid"
.Fa "accmode_t accmode"
.Fa "struct ucred *cred"
.Fc
.Sh DESCRIPTION
This call implements the logic for the
.Ux
discretionary file security model
common to many file systems in
.Fx .
It accepts the vnode's type
.Fa type ,
permissions via
.Fa file_mode ,
owning UID
.Fa file_uid ,
owning GID
.Fa file_gid ,
desired access mode
.Fa accmode
and requesting credential
.Fa cred .
.Pp
This call is intended to support implementations of
.Xr VOP_ACCESS 9 ,
which will use their own access methods to retrieve the vnode properties,
and then invoke
.Fn vaccess
in order to perform the actual check.
Implementations of
.Xr VOP_ACCESS 9
may choose to implement additional security mechanisms whose results will
be composed with the return value.
.Pp
The algorithm used by
.Fn vaccess
selects a component of the file permission bits based on comparing the
passed credential, file owner, and file group.
If the credential's effective UID matches the file owner, then the
owner component of the permission bits is selected.
If the UID does not match, then the credential's effective GID, followed
by additional groups, are compared with the file group\[em]if there is
a match, then the group component of the permission bits is selected.
If neither the credential UID nor GIDs match the passed file owner and
group, then the other component of the permission bits is selected.
.Pp
Once appropriate protections are selected for the current credential,
the requested access mode, in combination with the vnode type, will be
compared with the discretionary rights available for the credential.
If the rights granted by discretionary protections are insufficient,
then super-user privilege, if available for the credential, will also be
considered.
.Sh RETURN VALUES
.Fn vaccess
will return 0 on success, or a non-zero error value on failure.
.Sh ERRORS
.Bl -tag -width Er
.It Bq Er EACCES
Permission denied.
An attempt was made to access a file in a way forbidden by its file access
permissions.
.It Bq Er EPERM
Operation not permitted.
An attempt was made to perform an operation limited to processes with
appropriate privileges or to the owner of a file or other resource.
.El
.Sh SEE ALSO
.Xr vaccess_acl_nfs4 9 ,
.Xr vaccess_acl_posix1e 9 ,
.Xr vnode 9 ,
.Xr VOP_ACCESS 9
.Sh AUTHORS
This manual page and the current implementation of
.Fn vaccess
were written by
.An Robert Watson .
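The owner/group/other selection, the comparison against the requested access mode and vnode type, the fall-back to super-user privilege described in DESCRIPTION, and the EACCES/EPERM split from ERRORS, as an added userland model in C. This is example code, not the FreeBSD implementation: struct cred, model_vaccess and the superuser flag are constructed stand-ins for struct ucred and priv_check_cred, and the V* request values are copied from sys/vnode.h so the model builds without kernel headers.

```c
#include <errno.h>
#include <sys/stat.h>
#include <sys/types.h>
/* Same values as VEXEC/VWRITE/VREAD/VADMIN in FreeBSD's sys/vnode.h, redefined
 * here so the model builds in userland; VADMIN = operations reserved to the owner. */
#define VEXEC  0000100
#define VWRITE 0000200
#define VREAD  0000400
#define VADMIN 0010000
typedef int accmode_t;
enum vtype { VREG, VDIR };    /* constructed subset of the kernel's enum vtype */
/* Constructed stand-in for struct ucred; superuser models "privilege, if available". */
struct cred {
    uid_t uid;
    gid_t gid;
    const gid_t *groups;
    int ngroups;
    int superuser;
};
static int groupmember(gid_t gid, const struct cred *cr) {
    for (int i = 0; i < cr->ngroups; i++)
        if (cr->groups[i] == gid)
            return 1;
    return cr->gid == gid;
}

/* Simplified model of the vaccess(9) algorithm (example code, not the kernel's). */
int model_vaccess(enum vtype type, mode_t file_mode, uid_t file_uid,
                  gid_t file_gid, accmode_t accmode, const struct cred *cr) {
    accmode_t dac_granted;
    /* Select exactly one rwx triple and shift it onto the V* bit positions. */
    if (file_uid == cr->uid)
        dac_granted = VADMIN | (file_mode & S_IRWXU);
    else if (groupmember(file_gid, cr))
        dac_granted = (file_mode & S_IRWXG) << 3;
    else
        dac_granted = (file_mode & S_IRWXO) << 6;
    if ((accmode & dac_granted) == accmode)
        return 0;
    /* Discretionary rights insufficient: consider privilege. Classic Unix rule,
     * kept here: privilege cannot execute a non-directory with no x bit at all. */
    if (cr->superuser) {
        if ((accmode & VEXEC) && type != VDIR &&
            !(file_mode & (S_IXUSR | S_IXGRP | S_IXOTH)))
            return EACCES;
        return 0;
    }
    /* Owner-only operations fail with EPERM, everything else with EACCES. */
    return (accmode & VADMIN) ? EPERM : EACCES;
}
```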