ACL(9) BSD Kernel Developer's Manual ACL(9)
NAME
acl -- virtual file system access control lists
SYNOPSIS
#include <sys/param.h>
#include <sys/vnode.h>
#include <sys/acl.h>
In the kernel configuration file:
options UFS_ACL
DESCRIPTION
Access control lists, or ACLs, allow fine-grained specification of rights for vnodes representing files and directories. However, as there
are a plethora of file systems with differing ACL semantics, the vnode interface is aware only of the syntax of ACLs, relying on the underly-
ing file system to implement the details. Depending on the underlying file system, each file or directory may have zero or more ACLs associ-
ated with it, named using the type field of the appropriate vnode ACL calls: VOP_ACLCHECK(9), VOP_GETACL(9), and VOP_SETACL(9).
Currently, each ACL is represented in-kernel by a fixed-size acl structure, defined as follows:
struct acl {
unsigned int acl_maxcnt;
unsigned int acl_cnt;
int acl_spare[4];
struct acl_entry acl_entry[ACL_MAX_ENTRIES];
};
An ACL is constructed from a fixed size array of ACL entries, each of which consists of a set of permissions, principal namespace, and prin-
cipal identifier. In this implementation, the acl_maxcnt field is always set to ACL_MAX_ENTRIES.
Each individual ACL entry is of the type acl_entry_t, which is a structure with the following members:
acl_tag_t ae_tag
The following is a list of definitions of ACL types to be set in ae_tag:
ACL_UNDEFINED_FIELD Undefined ACL type.
ACL_USER_OBJ Discretionary access rights for processes whose effective user ID matches the user ID of the file's owner.
ACL_USER Discretionary access rights for processes whose effective user ID matches the ACL entry qualifier.
ACL_GROUP_OBJ Discretionary access rights for processes whose effective group ID or any supplemental groups match the group
ID of the file's owner.
ACL_GROUP Discretionary access rights for processes whose effective group ID or any supplemental groups match the ACL
entry qualifier.
ACL_MASK The maximum discretionary access rights that can be granted to a process in the file group class. This is
only valid for POSIX.1e ACLs.
ACL_OTHER Discretionary access rights for processes not covered by any other ACL entry. This is only valid for POSIX.1e
ACLs.
ACL_OTHER_OBJ Same as ACL_OTHER.
ACL_EVERYONE Discretionary access rights for all users. This is only valid for NFSv4 ACLs.
Each POSIX.1e ACL must contain exactly one ACL_USER_OBJ, one ACL_GROUP_OBJ, and one ACL_OTHER. If any of ACL_USER, ACL_GROUP, or
ACL_OTHER are present, then exactly one ACL_MASK entry should be present.
uid_t ae_id
The ID of user for whom this ACL describes access permissions. For entries other than ACL_USER and ACL_GROUP, this field should be set
to ACL_UNDEFINED_ID.
acl_perm_t ae_perm
This field defines what kind of access the process matching this ACL has for accessing the associated file. For POSIX.1e ACLs, the fol-
lowing are valid:
ACL_EXECUTE The process may execute the associated file.
ACL_WRITE The process may write to the associated file.
ACL_READ The process may read from the associated file.
ACL_PERM_NONE The process has no read, write or execute permissions to the associated file.
For NFSv4 ACLs, the following are valid:
ACL_READ_DATA The process may read from the associated file.
ACL_LIST_DIRECTORY Same as ACL_READ_DATA.
ACL_WRITE_DATA The process may write to the associated file.
ACL_ADD_FILE Same as ACL_ACL_WRITE_DATA.
ACL_APPEND_DATA
ACL_ADD_SUBDIRECTORY Same as ACL_APPEND_DATA.
ACL_READ_NAMED_ATTRS Ignored.
ACL_WRITE_NAMED_ATTRS Ignored.
ACL_EXECUTE The process may execute the associated file.
ACL_DELETE_CHILD
ACL_READ_ATTRIBUTES
ACL_WRITE_ATTRIBUTES
ACL_DELETE
ACL_READ_ACL
ACL_WRITE_ACL
ACL_WRITE_OWNER
ACL_SYNCHRONIZE Ignored.
acl_entry_type_t ae_entry_type
This field defines the type of NFSv4 ACL entry. It is not used with POSIX.1e ACLs. The following values are valid:
ACL_ENTRY_TYPE_ALLOW
ACL_ENTRY_TYPE_DENY
acl_flag_t ae_flags
This field defines the inheritance flags of NFSv4 ACL entry. It is not used with POSIX.1e ACLs. The following values are valid:
ACL_ENTRY_FILE_INHERIT
ACL_ENTRY_DIRECTORY_INHERIT
ACL_ENTRY_NO_PROPAGATE_INHERIT
ACL_ENTRY_INHERIT_ONLY
SEE ALSO
acl(3), vaccess(9), vaccess_acl_nfs4(9), vaccess_acl_posix1e(9), VFS(9), VOP_ACLCHECK(9), VOP_GETACL(9), VOP_SETACL(9)
AUTHORS
This manual page was written by Robert Watson.
BSD
September 18, 2009 BSD