acl(4) acl(4)
acl - Access Control Lists
#include <sys/acl.h>
Access Control Lists (ACLs) are supported on XFS file systems only.
ACLs provide a mechanism for finer grained access control than the
traditional UNIX discretionary access control mechanism. An ACL is a
list of users and/or groups and their access rights, which is associated
with a file or directory. ACLs are optional. In addition to the ACL
used to mediate access, a directory may have a second ACL which defines
the default initial ACL for files created in that directory. Files have
only the single access control ACL.
At the interface to the library routines, ACLs are represented in a
struct acl which is defined in <sys/acl.h>.
#define ACL_MAX_ENTRIES 25
typedef ushort acl_perm_t;
typedef int acl_type_t;
typedef int acl_tag_t;
struct acl_entry {
acl_tag_t ae_tag;
uid_t ae_id;
acl_perm_t ae_perm;
};
typedef struct acl_entry * acl_entry_t;
struct acl {
int acl_cnt;
struct acl_entry acl_entry[ACL_MAX_ENTRIES];
};
This is a fixed size structure with a variable number of active struct
acl_entry entries. The maximum number of entries is ACL_MAX_ENTRIES
which is currently defined to be 25. The number of active entries is
indicated in acl_cnt.
A struct acl_entry consists of three fields, ae_tag, which identifies the
type of the entry, and is one of the following values (all other values
are invalid):
ACL_USER_OBJ (0x01)
access permissions for the file's owner.
Page 1
acl(4) acl(4)
ACL_USER (0x02)
access permissions for a user other than the owner.
ACL_GROUP_OBJ (0x04)
access permissions for users with the same group as the
file's group
ACL_GROUP (0x08)
access permissions for other groups
ACL_MASK (0x10)
mask entry
ACL_OTHER_OBJ (0x20)
other entry.
The ae_id field of struct acl_entry specifies the UID or
GID for the entry. The ae_perm field specifies the
permissions using the following defined values:
ACL_READ (0x04)
read access permitted
ACL_WRITE (0x02)
write access permitted
ACL_EXECUTE (0x01)
execute (search for directories) access permitted
As with the basic permissions for a file, these may be or'ed together.
Two types of ACLs are defined. ACL_TYPE_ACCESS (0) indicates that the ACL
is to be used in making access control decisions for the file or
directory with which it is associated. ACL_TYPE_DEFAULT (1) indicates
that the ACL is a default ACL. Default ACLs are associated only with
directories, and supply the initial ACL for a file created in that
directory. Note that file-creation mode masks may effect the ACLs of
files created as a result of using directory default ACLs (see umask(1)).
ACLs are supplied using the acl_get_fil
calls.
EXTERNAL REPRESENTATION [Toc] [Back] ACLs are represented in a standard format for human readable input /
output. Each ACL entry is specified as three colon separated fields.
ACL entries are separated by white space or new lines. Everything after a
"#" character is considered a comment and is ignored to the end of the
line. The first field of an ACL entry is the entry type, which can be
one of the following: "user", "group", "other", "mask", "u", "g", "o",
"m".
The second field is a user name, numeric UID, group name, or numeric GID,
depending on the value of the first field. (acl_from_text(3c) supports
only the strings, not the numeric UID/GID values.) If the second field
Page 2
acl(4) acl(4)
is empty, it implies that the ACL entry is for the owning user or group
of the file. Mask and other entries must have an empty second field.
The third field is the discretionary access permissions for this ACL
entry. This may be represented in two forms. The first is the string
"rwx" where each letter may be replaced by a "-" indicating no access of
that type. The parsing of this string by acl_from_text(3c) requires that
it be exactly as shown and not be reordered, e.g. rxw is not valid.
Some programs allow a second form, the relative symbolic form (used for
input). The relative symbolic form is preceded by a ``+'' to indicate
additional access or a ``^'' to indicate that access is to be removed,
similarly to the inputs to the chmod(1) command. The relative symbolic
string is at least one character. The symbolic string contains at most
one each of the following characters in any order: "r", "w", and "x".
P�P�P�Pa�a�a�ag�g�g�ge�e�e�e 3�3�3�3 [ Back ]
|
