diff options
Diffstat (limited to 'share/man/man9/acl.9')
-rw-r--r-- | share/man/man9/acl.9 | 218 |
1 files changed, 218 insertions, 0 deletions
diff --git a/share/man/man9/acl.9 b/share/man/man9/acl.9 new file mode 100644 index 000000000000..c7ba84016b3c --- /dev/null +++ b/share/man/man9/acl.9 @@ -0,0 +1,218 @@ +.\"- +.\" Copyright (c) 1999-2001 Robert N. M. Watson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd December 23, 1999 +.Os +.Dt ACL 9 +.Sh NAME +.Nm acl +.Nd virtual file system access control lists +.Sh SYNOPSIS +.In sys/param.h +.In sys/vnode.h +.In sys/acl.h +.Pp +In the kernel configuration file: +.Cd "options UFS_ACL" +.Sh DESCRIPTION +Access control lists, or ACLs, +allow fine-grained specification of rights +for vnodes representing files and directories. +However, as there are a plethora of file systems with differing ACL semantics, +the vnode interface is aware only of the syntax of ACLs, +relying on the underlying file system to implement the details. +Depending on the underlying file system, each file or directory +may have zero or more ACLs associated with it, named using the +.Fa type +field of the appropriate vnode ACL calls: +.Xr VOP_ACLCHECK 9 , +.Xr VOP_GETACL 9 , +and +.Xr VOP_SETACL 9 . +.Pp +Currently, each ACL is represented in-kernel by a fixed-size +.Vt acl +structure, defined as follows: +.Bd -literal -offset indent +struct acl { + unsigned int acl_maxcnt; + unsigned int acl_cnt; + int acl_spare[4]; + struct acl_entry acl_entry[ACL_MAX_ENTRIES]; +}; +.Ed +.Pp +An ACL is constructed from a fixed size array of ACL entries, +each of which consists of a set of permissions, principal namespace, +and principal identifier. +In this implementation, the +.Vt acl_maxcnt +field is always set to +.Dv ACL_MAX_ENTRIES . +.Pp +Each individual ACL entry is of the type +.Vt acl_entry_t , +which is a structure with the following members: +.Bl -tag -width 2n +.It Vt acl_tag_t Va ae_tag +The following is a list of definitions of ACL types +to be set in +.Va ae_tag : +.Pp +.Bl -tag -width ".Dv ACL_UNDEFINED_FIELD" -offset indent -compact +.It Dv ACL_UNDEFINED_FIELD +Undefined ACL type. +.It Dv ACL_USER_OBJ +Discretionary access rights for processes whose effective user ID +matches the user ID of the file's owner. +.It Dv ACL_USER +Discretionary access rights for processes whose effective user ID +matches the ACL entry qualifier. +.It Dv ACL_GROUP_OBJ +Discretionary access rights for processes whose effective group ID +or any supplemental groups +match the group ID of the file's owner. +.It Dv ACL_GROUP +Discretionary access rights for processes whose effective group ID +or any supplemental groups +match the ACL entry qualifier. +.It Dv ACL_MASK +The maximum discretionary access rights that can be granted +to a process in the file group class. +This is only valid for POSIX.1e ACLs. +.It Dv ACL_OTHER +Discretionary access rights for processes not covered by any other ACL +entry. +This is only valid for POSIX.1e ACLs. +.It Dv ACL_OTHER_OBJ +Same as +.Dv ACL_OTHER . +.It Dv ACL_EVERYONE +Discretionary access rights for all users. +This is only valid for NFSv4 ACLs. +.El +.Pp +Each POSIX.1e ACL must contain exactly one +.Dv ACL_USER_OBJ , +one +.Dv ACL_GROUP_OBJ , +and one +.Dv ACL_OTHER . +If any of +.Dv ACL_USER , +.Dv ACL_GROUP , +or +.Dv ACL_OTHER +are present, then exactly one +.Dv ACL_MASK +entry should be present. +.It Vt uid_t Va ae_id +The ID of user for whom this ACL describes access permissions. +For entries other than +.Dv ACL_USER +and +.Dv ACL_GROUP , +this field should be set to +.Dv ACL_UNDEFINED_ID . +.It Vt acl_perm_t Va ae_perm +This field defines what kind of access the process matching this ACL has +for accessing the associated file. +For POSIX.1e ACLs, the following are valid: +.Bl -tag -width ".Dv ACL_WRITE_NAMED_ATTRS" +.It Dv ACL_EXECUTE +The process may execute the associated file. +.It Dv ACL_WRITE +The process may write to the associated file. +.It Dv ACL_READ +The process may read from the associated file. +.It Dv ACL_PERM_NONE +The process has no read, write or execute permissions +to the associated file. +.El +.Pp +For NFSv4 ACLs, the following are valid: +.Bl -tag -width ".Dv ACL_WRITE_NAMED_ATTRS" +.It Dv ACL_READ_DATA +The process may read from the associated file. +.It Dv ACL_LIST_DIRECTORY +Same as +.Dv ACL_READ_DATA . +.It Dv ACL_WRITE_DATA +The process may write to the associated file. +.It Dv ACL_ADD_FILE +Same as +.Dv ACL_ACL_WRITE_DATA . +.It Dv ACL_APPEND_DATA +.It Dv ACL_ADD_SUBDIRECTORY +Same as +.Dv ACL_APPEND_DATA . +.It Dv ACL_READ_NAMED_ATTRS +Ignored. +.It Dv ACL_WRITE_NAMED_ATTRS +Ignored. +.It Dv ACL_EXECUTE +The process may execute the associated file. +.It Dv ACL_DELETE_CHILD +.It Dv ACL_READ_ATTRIBUTES +.It Dv ACL_WRITE_ATTRIBUTES +.It Dv ACL_DELETE +.It Dv ACL_READ_ACL +.It Dv ACL_WRITE_ACL +.It Dv ACL_WRITE_OWNER +.It Dv ACL_SYNCHRONIZE +Ignored. +.El +.It Vt acl_entry_type_t Va ae_entry_type +This field defines the type of NFSv4 ACL entry. +It is not used with POSIX.1e ACLs. +The following values are valid: +.Bl -tag -width ".Dv ACL_WRITE_NAMED_ATTRS" +.It Dv ACL_ENTRY_TYPE_ALLOW +.It Dv ACL_ENTRY_TYPE_DENY +.El +.It Vt acl_flag_t Va ae_flags +This field defines the inheritance flags of NFSv4 ACL entry. +It is not used with POSIX.1e ACLs. +The following values are valid: +.Bl -tag -width ".Dv ACL_ENTRY_DIRECTORY_INHERIT" +.It Dv ACL_ENTRY_FILE_INHERIT +.It Dv ACL_ENTRY_DIRECTORY_INHERIT +.It Dv ACL_ENTRY_NO_PROPAGATE_INHERIT +.It Dv ACL_ENTRY_INHERIT_ONLY +.El +.El +.Sh SEE ALSO +.Xr acl 3 , +.Xr vaccess_acl_posix1e 9 , +.Xr VFS 9 , +.Xr vnaccess 9 , +.Xr VOP_ACLCHECK 9 , +.Xr VOP_GETACL 9 , +.Xr VOP_SETACL 9 +.Sh AUTHORS +This manual page was written by +.An Robert Watson . |