getaccess(2) [hpux man page]

getaccess(2)							System Calls Manual						      getaccess(2)

NAME
getaccess() - get a user's effective access rights to a file

SYNOPSIS

DESCRIPTION
getaccess() identifies the access rights (read, write, execute/search) a specific user ID has to an existing file. path points to a path name of a file. If the call succeeds, it returns a value of zero or greater, representing the specified user's effective access rights (modes) to the file. The rights are expressed as the logical OR of bits and whose values are defined in the header
A return of zero means that access is denied.

The uid parameter is a user ID. Special values, defined in represent the calling process's effective, real, or saved user ID:

    Effective user ID.
    Real user ID.
    Saved user ID.

ngroups is the number of group IDs in gidset, not to exceed + 1. If the ngroups parameter is positive, the gidset parameter is an array of group ID values to use in the check. If ngroups is a recognized negative value, gidset is ignored. Special negative values of ngroups, defined in represent various combinations of the process's effective, real, or saved user ID and its supplementary groups list:

    Use process's effective group ID only.
    Use process's real group ID only.
    Use process's saved group ID only.
    Use process's supplementary groups only.
    Use process's effective group ID plus supplementary groups.
    Use process's real group ID plus supplementary groups.
    Use process's saved group ID plus supplementary groups.

The label and privs parameters are placeholders for future extensions. For now, the values of these parameters must be

The access check rules for access control lists are described in acl(5) and aclv(5). In addition, the bit is cleared for files on read-only file systems or shared-text programs being executed. Note that as in access(2), the bit is not turned off for shared-text programs open for writing because there is no easy way to know that a file open for writing is a shared-text program.

getaccess() checks each directory component of path by first using the caller's effective user ID, effective group ID, and supplementary groups list, regardless of the user ID specified.
An error occurs, distinct from "no access allowed," if the caller cannot search the path to the file. (In this case it is inappropriate for the caller to learn anything about the file.)

Comparison of access and getaccess
The following table compares various attributes of access() and getaccess().

+------------------------------------+------------------------------------+
| access()                           | getaccess()                        |
+====================================+====================================+
| Checks all ACL entries (HFS and    | Same                               |
| JFS File Systems only)             |                                    |
+------------------------------------+------------------------------------+
| Uses real uid, real gid, and       | Uses specified uid and groups      |
| supplementary groups list          | list; macros available for         |
|                                    | typical values                     |
+------------------------------------+------------------------------------+
| Checks specific mode value,        | Returns all mode bits, each on     |
| returns succeed or fail            | or off                             |
+------------------------------------+------------------------------------+
| Checks path to file using          | Same                               |
| caller's effective IDs             |                                    |
+------------------------------------+------------------------------------+
| W_OK false if shared-text file     | Same                               |
| currently being executed           |                                    |
+------------------------------------+------------------------------------+
| W_OK false if file on read-only    | Same                               |
| file system                        |                                    |
+------------------------------------+------------------------------------+
| X_OK not modified for file         | Same                               |
| currently open for writing         |                                    |
+------------------------------------+------------------------------------+
| R_OK and W_OK always true for      | Same                               |
| superuser (except as described in  |                                    |
| Security Restrictions) or users    |                                    |
| with DAC_READ and DAC_WRITE        |                                    |
| privileges                         |                                    |
+------------------------------------+------------------------------------+
| X_OK always true for superuser or  | X_OK true for superuser or users   |
| users with DAC_READ and DAC_WRITE  | with DAC_READ and DAC_WRITE        |
| privileges. See privileges(5) for  | privilege if file is not a regular |
| more information about privileged  | file or execute is set in. See     |
| access on systems that support     | privileges(5) for more information |
| fine-grained privileges.           | about privileged access on systems |
|                                    | that support fine-grained          |
|                                    | privileges.                        |
+------------------------------------+------------------------------------+

Security Restrictions

RETURN VALUE
getaccess() returns the following values:

    Successful completion.
    the access rights of the specified user to the specified file.

    Failure.
    is set to indicate the error.

ERRORS
getaccess() fails under the following conditions:

    A component of the path prefix denies search permission to the caller.

    path
    The reliable detection of this error is implementation dependent.

    ngroups is either zero, an unrecognized negative value, or a value larger than + 1.

    gidset contains an invalid group value.

    The value of privs is not a null pointer.

    Too many symbolic links were encountered in translating the path name.

    The length of the specified path name exceeds
    length of a component of the path name exceeds
    is in effect.

    The named file does not exist (for example,
    component of path does not exist).

    A component of the path prefix is not a directory.

    getaccess() is not supported on some types of remote files.

EXAMPLES
The following call determines the caller's effective access rights to file test, and succeeds if the user has read access:

    #include <unistd.h>
    #include <sys/getaccess.h>

    int mode;

    /* Check as the caller's effective user ID and group set; no explicit gidset */
    mode = getaccess ("test", UID_EUID, NGROUPS_EGID_SUPP,
                      (int *) 0, (void *) 0, (void *) 0);

    /* A negative return is an error; otherwise test the returned mode bits */
    if ((mode >= 0) && (mode & R_OK)) ...

One way to test access rights to file /tmp/hold for user ID 23 and group ID 109:

    int gid = 109;
    int mode;

    /* Explicit uid 23 with a one-element group list */
    mode = getaccess ("/tmp/hold", 23, 1, & gid,
                      (void *) 0, (void *) 0);

Build a gidset that includes the process's effective group ID:

    #include <sys/types.h>
    #include <stdlib.h>
    #include <unistd.h>

    gid_t *gidset;
    int ngroups;
    int ngroups_max;

    /* Room for the effective group ID plus every supplementary group */
    ngroups_max = sysconf(_SC_NGROUPS_MAX) + 1;

    gidset = (gid_t *)malloc(ngroups_max * sizeof(gid_t));
    gidset[0] = getegid();    /* effective group ID goes first */
    ngroups = 1 + getgroups (ngroups_max - 1, &gidset[1]);

AUTHOR
getaccess() was developed by HP.

SEE ALSO
unistd(5).
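
The comparison table describes getaccess() as evaluating a caller-specified uid and group list and returning every mode bit at once, with special rows for the superuser. The following C model of that evaluation is an added example, not HP-UX code or code from this page; `struct file_meta` and `model_getaccess()` are hypothetical names, only classic permission bits are modelled, and because the page's wording stops at "execute is set in", the model assumes that means any execute bit.

```c
/* Added example, not HP-UX code: models only classic permission bits
 * (no ACLs, read-only file systems, shared-text or fine-grained privileges). */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>                 /* R_OK, W_OK, X_OK */

struct file_meta {                  /* hypothetical stand-in for stat data */
    uid_t owner; gid_t group;
    unsigned perms;                 /* e.g. 0640 */
    int regular;                    /* non-zero for a regular file */
};

/* Hypothetical helper: OR of R_OK/W_OK/X_OK that user `uid` with groups
 * gidset[0..ngroups-1] holds on `f`; 0 means access is denied. */
int model_getaccess(const struct file_meta *f, uid_t uid,
                    int ngroups, const gid_t *gidset)
{
    int rights = 0, shift = 0, i;
    unsigned bits;
    if (uid == 0) {
        /* Superuser rows of the table: R_OK and W_OK always; X_OK only for
         * a non-regular file or when execute is set (assumed: any class). */
        rights = R_OK | W_OK;
        if (!f->regular || (f->perms & 0111))
            rights |= X_OK;
        return rights;
    }
    /* Exactly one class applies: owner, else a matching group, else other. */
    if (uid == f->owner) {
        shift = 6;
    } else {
        for (i = 0; i < ngroups; i++)
            if (gidset[i] == f->group) { shift = 3; break; }
    }
    bits = (f->perms >> shift) & 7; /* rwx bits of the selected class */
    if (bits & 4) rights |= R_OK;
    if (bits & 2) rights |= W_OK;
    if (bits & 1) rights |= X_OK;
    return rights;
}

int main(void)
{
    struct file_meta f = { 23, 109, 0640, 1 };  /* constructed sample */
    gid_t gid = 109;
    printf("owner=%d member=%d root=%d\n", model_getaccess(&f, 23, 1, &gid),
           model_getaccess(&f, 50, 1, &gid), model_getaccess(&f, 0, 0, NULL));
    return 0;
}
```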