acl.3
.\"-
.\" Copyright (c) 2000, 2001, 2002 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" This software was developed by Robert Watson for the TrustedBSD Project.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libc/posix1e/acl.3,v 1.22 2003/02/06 11:04:46 charnier Exp $
.\"
.Dd December 18, 2002
.Dt ACL 3
.Os
.Sh NAME
.Nm acl
.Nd introduction to the POSIX.1e ACL security API
.Sh LIBRARY
.Lb libc
.Sh SYNOPSIS
.In sys/types.h
.In sys/acl.h
.Sh DESCRIPTION
The system permits file systems to export Access Control Lists via the VFS, and
provides a library for userland access to and manipulation of these ACLs.
Not all file systems provide support for ACLs, and some may require that
ACL support be explicitly enabled by the administrator.
The library calls include routines to allocate, duplicate, retrieve, set,
and validate ACLs associated with file objects.
.Pp
This implementation of the POSIX.1e library differs from the standard
in a number of non-portable ways in order to support the MacOS/Darwin
ACL semantic.
Where possible, these differences are implemented using
the mechanisms provided in the standard for such extensions.
Where routines are non-standard, they are suffixed with _np to indicate that
they are not portable.
.Pp
POSIX.1e describes a set of ACL manipulation routines to manage the
contents of ACLs, as well as their relationships with files; almost
all of these support routines are implemented.
.Pp
Available functions, sorted by behavior, include:
.Bl -tag -width indent
.It Fn acl_add_perm
This function is described in
.Xr acl_add_perm 3 ,
and may be used to add permissions to a permission set.
.It Fn acl_clear_perms
This function is described in
.Xr acl_clear_perms 3 ,
and may be used to clear all permissions from a permission set.
.It Fn acl_copy_entry
This function is described in
.Xr acl_copy_entry 3 ,
and may be used to copy the contents of an ACL entry.
.It Fn acl_create_entry
This function is described in
.Xr acl_create_entry 3 ,
and may be used to create an empty entry in an ACL.
.It Fn acl_delete_entry
This function is described in
.Xr acl_delete_entry 3 ,
and may be used to delete an entry from an ACL.
.It Fn acl_delete_perm
This function is described in
.Xr acl_delete_perm 3 ,
and may be used to delete permissions from a permset.
.It Fn acl_dup
This function is described in
.Xr acl_dup 3 ,
and may be used to duplicate an ACL structure.
.It Fn acl_free
This function is described in
.Xr acl_free 3 ,
and may be used to free userland working ACL storage.
.It Fn acl_from_text
This function is described in
.Xr acl_from_text 3 ,
and may be used to convert a text-form ACL into working ACL state, if
the ACL has POSIX.1e semantics.
.It Fn acl_get_entry
This function is described in
.Xr acl_get_entry 3 ,
and may be used to retrieve a designated ACL entry from an ACL.
.It Xo
.Fn acl_get_fd ,
.Fn acl_get_fd_np ,
.Fn acl_get_file ,
.Fn acl_get_link_np
.Xc
These functions are described in
.Xr acl_get 3 ,
and may be used to retrieve ACLs from file system objects.
.It Fn acl_get_permset
This function is described in
.Xr acl_get_permset 3 ,
and may be used to retrieve a permset from an ACL entry.
.It Fn acl_get_qualifier
This function is described in
.Xr acl_get_qualifier 3 ,
and may be used to retrieve the qualifier from an ACL entry.
.It Fn acl_get_tag_type
This function is described in
.Xr acl_get_tag_type 3 ,
and may be used to retrieve the tag type from an ACL entry.
.It Fn acl_init
This function is described in
.Xr acl_init 3 ,
and may be used to allocate a fresh (empty) ACL structure.
.It Xo
.Fn acl_set_fd ,
.Fn acl_set_fd_np ,
.Fn acl_set_file ,
.Fn acl_set_link_np
.Xc
These functions are described in
.Xr acl_set 3 ,
and may be used to assign an ACL to a file system object.
.It Fn acl_set_permset
This function is described in
.Xr acl_set_permset 3 ,
and may be used to set the permissions of an ACL entry from a permset.
.It Fn acl_set_qualifier
This function is described in
.Xr acl_set_qualifier 3 ,
and may be used to set the qualifier of an ACL.
.It Fn acl_set_tag_type
This function is described in
.Xr acl_set_tag_type 3 ,
and may be used to set the tag type of an ACL.
.It Fn acl_to_text
This function is described in
.Xr acl_to_text 3 ,
and may be used to generate a text-form of a POSIX.1e semantics ACL.
.It Xo
.Fn acl_valid ,
.Fn acl_valid_fd_np ,
.Fn acl_valid_file_np ,
.Fn acl_valid_link_np
.Xc
These functions are described in
.Xr acl_valid 3 ,
and may be used to validate an ACL as correct POSIX.1e-semantics, or
as appropriate for a particular file system object regardless of semantics.
.El
.Pp
The syscalls between the internal interfaces and the public library
routines may change over time, and as such are not documented.
They are not intended to be called directly without going through the
library.
.Sh SEE ALSO
.\".Xr getfacl 1 ,
.\".Xr setfacl 1 ,
.Xr ls 1 ,
.Xr chmod 1 ,
.Xr acl_add_perm 3 ,
.Xr acl_clear_perms 3 ,
.Xr acl_copy_entry 3 ,
.Xr acl_create_entry 3 ,
.Xr acl_delete_entry 3 ,
.Xr acl_delete_perm 3 ,
.Xr acl_dup 3 ,
.Xr acl_free 3 ,
.Xr acl_from_text 3 ,
.Xr acl_get 3 ,
.Xr acl_get_permset 3 ,
.Xr acl_get_qualifier 3 ,
.Xr acl_get_tag_type 3 ,
.Xr acl_init 3 ,
.Xr acl_set 3 ,
.Xr acl_set_permset 3 ,
.Xr acl_set_qualifier 3 ,
.Xr acl_set_tag_type 3 ,
.Xr acl_to_text 3 ,
.Xr acl_valid 3 ,
.Xr posix1e 3
.Sh UNSUPPORTED FUNCTIONS
.Xr acl_calc_mask 3 ,
.Fn acl_delete_def_file
.Sh STANDARDS
POSIX.1e assigns security labels to all objects, extending the security
functionality described in POSIX.1.
These additional labels provide fine-grained discretionary access control,
fine-grained capabilities, and labels necessary for mandatory access
control.
POSIX.2c describes a set of userland utilities for manipulating these
labels.
.Pp
POSIX.1e is described in IEEE POSIX.1e draft 17.
.Sh HISTORY
This manpage is closely derived from the
.Fx
manpage by
.An Robert N M Watson
.Sh AUTHORS
.An Michael Smith
.An Robert N M Watson