4023 - Typo in file(1) manpage and various others
--- old/usr/src/man/man5/acl.5
+++ new/usr/src/man/man5/acl.5
1 1 '\" te
2 2 .\" Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved.
3 3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
4 4 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
5 5 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
6 -.TH ACL 5 "Sep 29, 2008"
6 +.TH ACL 5 "Sep 10, 2013"
7 7 .SH NAME
8 8 acl \- Access Control Lists
9 9 .SH DESCRIPTION
10 10 .sp
11 11 .LP
12 12 Access control lists (ACLs) are discretionary access control mechanisms that
13 13 grant and deny access to files and directories. Two different ACL models are
14 14 supported in the Solaris release:POSIX-draft ACLs and NFSv4 ACLs.
15 15 .sp
16 16 .LP
17 17 The older, POSIX-draft model is supported by the UFS file system. This model is
18 18 based on a withdrawn ACL POSIX specification that was never standardized. It
19 19 was subsequently withdrawn by the POSIX committee.
20 20 .sp
21 21 .LP
22 22 The other model is based on the standards of the NFSv4 working group and is an
23 23 approved standard from the Internet Engineering Task Force (IETF). The ZFS file
24 24 system uses the NFSv4 model, and provides richer semantics and finer grained
25 25 permission capabilities than the POSIX-draft model.
26 26 .SS "\fBPOSIX\fR-draft \fBACL\fRs"
27 27 .sp
28 28 .LP
29 29 POSIX-draft ACLs provide an alternative security mechanism to basic UNIX file
30 30 permissions in the Solaris release. Their purpose is to further restrict access
31 31 to files and directories or to extend permissions to a particular user. ACLs
32 32 can be used to change the permissions for the standard owner, group and other
33 33 class bits of a file's mode. ACLs can give additional users and groups access
34 34 to the file. A directory can also have a special kind of ACL called a
35 35 \fBdefault\fR ACL, which defines ACL entries to be inherited by descendents of
36 36 the directory. POSIX-draft ACLs have an ACL entry called \fBmask\fR. The mask
37 37 defines the maximum permissions that can be granted to additional user and
38 38 group entries. Whenever a file is created or its mode is changed by
39 39 \fBchmod\fR(1) or \fBchmod\fR(2), the mask is recomputed. It is recomputed to
40 40 be the group permission defined in the mode passed to \fBchmod\fR(2).
41 41 .sp
42 42 .LP
43 43 The POSIX-draft ACL model uses the standard \fBrwx\fR model of traditional UNIX
44 44 permissions.
45 45 .sp
46 46 .LP
47 47 An ACL is represented as follows:
48 48 .sp
49 49 .in +2
50 50 .nf
51 51 \fIacl_entry\fR[,\fIacl_entry\fR]...
52 52 .fi
53 53 .in -2
54 54 .sp
55 55
56 56 .sp
57 57 .LP
58 58 Each \fIacl_entry\fR contains one ACL entry. An ACL entry is represented by two
59 59 or three colon-separated(\fB:\fR) fields.
60 60 .sp
61 61 .ne 2
62 62 .na
63 63 \fB\fIuser\fR:[\fIuid\fR]:\fIperms\fR\fR
64 64 .ad
65 65 .RS 21n
66 66 If \fIuid\fR blank, it represents the file owner.
67 67 .RE
68 68
69 69 .sp
70 70 .ne 2
71 71 .na
72 72 \fB\fIgroup\fR:[\fIgid\fR]:\fIperms\fR\fR
73 73 .ad
74 74 .RS 21n
75 75 If \fIgid\fR is blank, it represents the owning group.
76 76 .RE
77 77
78 78 .sp
79 79 .ne 2
80 80 .na
81 81 \fB\fIother\fR:\fIperms\fR\fR
82 82 .ad
83 83 .RS 21n
84 84 Represents the file other class.
85 85 .RE
86 86
87 87 .sp
88 88 .ne 2
89 89 .na
90 90 \fB\fImask\fR:\fIperms\fR\fR
91 91 .ad
92 92 .RS 21n
93 93 Defines the \fBMAX\fR permission to hand out.
94 94 .RE
95 95
96 96 .sp
97 97 .LP
98 98 For example to give user \fBjoe\fR read and write permissions, the ACL entry is
99 99 specified as:
100 100 .sp
101 101 .in +2
102 102 .nf
103 103 user:joe:rw-
104 104 .fi
105 105 .in -2
106 106 .sp
107 107
108 108 .SS "\fBNFS\fRv4 \fBACL\fRs"
109 109 .sp
110 110 .LP
111 111 NFSv4 ACL model is based loosely on the Windows NT ACL model. NFSv4 ACLs
112 112 provide a much richer ACL model than POSIX-draft ACLs.
113 113 .sp
114 114 .LP
115 115 The major differences between NFSv4 and POSIX-draft ACLs are as follows:
116 116 .RS +4
117 117 .TP
118 118 .ie t \(bu
119 119 .el o
120 120 NFSv4 ACLs provide finer grained permissions than the \fBrwx\fR model.
121 121 .RE
122 122 .RS +4
123 123 .TP
124 124 .ie t \(bu
125 125 .el o
126 126 NFSv4 ACLs allow for both \fBALLOW\fR and \fBDENY\fR entries.
127 127 .RE
128 128 .RS +4
129 129 .TP
130 130 .ie t \(bu
131 131 .el o
132 132 NFSv4 ACLs provide a rich set of inheritance semantics. POSIX ACLs also have
133 133 inheritance, but with the NFSv4 model you can control the following inheritance
134 134 features:
135 135 .RS +4
136 136 .TP
137 137 .ie t \(bu
138 138 .el o
139 139 Whether inheritance cascades to both files and directories or only to files or
140 140 directories.
141 141 .RE
142 142 .RS +4
143 143 .TP
144 144 .ie t \(bu
145 145 .el o
146 146 In the case of directories, you can indicate whether inheritance is applied to
147 147 the directory itself, to just one level of subdirectories, or cascades to all
148 148 subdirectories of the directory.
149 149 .RE
150 150 .RE
151 151 .RS +4
152 152 .TP
153 153 .ie t \(bu
154 154 .el o
155 155 NFSv4 ACLs provide a mechanism for hooking into a system's audit trail.
156 156 Currently, Solaris does not support this mechanism.
157 157 .RE
158 158 .RS +4
159 159 .TP
160 160 .ie t \(bu
161 161 .el o
162 162 NFSv4 ACLs enable adminstrators to specify the order in which ACL entries are
163 163 checked. With POSIX-draft ACLs the file system reorders ACL entries into a well
164 164 defined, strict access, checking order.
165 165 .RE
166 166 .sp
167 167 .LP
168 168 POSIX-draft ACL semantics can be achieved with NFSv4 ACLs. However, only some
169 169 NFSv4 ACLs can be translated to equivalent POSIX-draft ACLs.
170 170 .sp
171 171 .LP
172 172 Permissions can be specified in three different \fBchmod\fR ACL formats:
173 173 verbose, compact, or positional. The verbose format uses words to indicate that
174 174 the permissions are separated with a forward slash (\fB/\fR) character. Compact
175 175 format uses the permission letters and positional format uses the permission
176 176 letters or the hypen (\fB-\fR) to identify no permissions.
177 177 .sp
178 178 .LP
179 179 The permissions for verbose mode and their abbreviated form in parentheses for
180 180 compact and positional mode are described as follows:
181 181 .sp
182 182 .ne 2
183 183 .na
184 184 \fBread_data (\fBr\fR)\fR
185 185 .ad
186 186 .RS 24n
187 187 Permission to read the data of the file
188 188 .RE
189 189
190 190 .sp
191 191 .ne 2
192 192 .na
193 193 \fBlist_directory (\fBr\fR)\fR
194 194 .ad
195 195 .RS 24n
196 196 Permission to list the contents of a directory.
197 197 .RE
198 198
199 199 .sp
200 200 .ne 2
201 201 .na
202 202 \fBwrite_data (\fBw\fR)\fR
203 203 .ad
204 204 .RS 24n
205 205 Permission to modify a file's data anywhere in the file's offset range. This
206 206 includes the ability to grow the file or write to any arbitrary offset.
207 207 .RE
208 208
209 209 .sp
210 210 .ne 2
211 211 .na
212 212 \fBadd_file (\fBw\fR)\fR
213 213 .ad
214 214 .RS 24n
215 215 Permission to add a new file to a directory.
216 216 .RE
217 217
218 218 .sp
219 219 .ne 2
220 220 .na
221 221 \fBappend_data (\fBp\fR)\fR
222 222 .ad
223 223 .RS 24n
224 224 The ability to modify the file's data, but only starting at EOF. Currently,
225 225 this permission is not supported.
226 226 .RE
227 227
228 228 .sp
229 229 .ne 2
230 230 .na
231 231 \fBadd_subdirectory (\fBp\fR)\fR
232 232 .ad
233 233 .RS 24n
234 234 Permission to create a subdirectory to a directory.
235 235 .RE
236 236
237 237 .sp
238 238 .ne 2
239 239 .na
240 240 \fBread_xattr (\fBR\fR)\fR
241 241 .ad
242 242 .RS 24n
243 243 The ability to read the extended attributes of a file or do a lookup in the
244 244 extended attributes directory.
245 245 .RE
246 246
247 247 .sp
248 248 .ne 2
249 249 .na
250 250 \fBwrite_xattr (\fBW\fR)\fR
251 251 .ad
252 252 .RS 24n
253 253 The ability to create extended attributes or write to the extended attributes
254 254 directory.
255 255 .RE
256 256
257 257 .sp
258 258 .ne 2
259 259 .na
260 260 \fBexecute (\fBx\fR)\fR
261 261 .ad
262 262 .RS 24n
263 263 Permission to execute a file.
264 264 .RE
265 265
266 266 .sp
267 267 .ne 2
268 268 .na
269 269 \fBread_attributes (\fBa\fR)\fR
270 270 .ad
271 271 .RS 24n
272 272 The ability to read basic attributes (non-ACLs) of a file. Basic attributes are
273 273 considered to be the stat level attributes. Allowing this access mask bit means
274 274 that the entity can execute \fBls\fR(1) and \fBstat\fR(2).
275 275 .RE
276 276
277 277 .sp
278 278 .ne 2
279 279 .na
280 280 \fBwrite_attributes (\fBA\fR)\fR
281 281 .ad
282 282 .RS 24n
283 283 Permission to change the times associated with a file or directory to an
284 284 arbitrary value.
285 285 .RE
286 286
287 287 .sp
288 288 .ne 2
289 289 .na
290 290 \fBdelete (\fBd\fR)\fR
291 291 .ad
292 292 .RS 24n
293 293 Permission to delete the file.
294 294 .RE
295 295
296 296 .sp
297 297 .ne 2
298 298 .na
299 299 \fBdelete_child (\fBD\fR)\fR
300 300 .ad
301 301 .RS 24n
302 302 Permission to delete a file within a directory.
303 303 .RE
304 304
305 305 .sp
306 306 .ne 2
307 307 .na
308 308 \fBread_acl (\fBc\fR)\fR
309 309 .ad
310 310 .RS 24n
311 311 Permission to read the ACL.
312 312 .RE
313 313
314 314 .sp
315 315 .ne 2
316 316 .na
317 317 \fBwrite_acl (\fBC\fR)\fR
318 318 .ad
319 319 .RS 24n
320 320 Permission to write the ACL or the ability to execute \fBchmod\fR(1) or
321 321 \fBsetfacl\fR(1).
322 322 .RE
323 323
324 324 .sp
325 325 .ne 2
326 326 .na
327 327 \fBwrite_owner (\fBo\fR)\fR
328 328 .ad
329 329 .RS 24n
330 330 Permission to change the owner or the ability to execute \fBchown\fR(1) or
331 331 \fBchgrp\fR(1).
332 332 .RE
333 333
334 334 .sp
335 335 .ne 2
336 336 .na
337 337 \fBsynchronize (\fBs\fR)\fR
338 338 .ad
339 339 .RS 24n
340 340 Permission to access a file locally at the server with synchronous reads and
341 341 writes. Currently, this permission is not supported.
342 342 .RE
343 343
344 344 .sp
345 345 .LP
346 346 The following inheritance flags are supported by NFSv4:
347 347 .sp
348 348 .ne 2
349 349 .na
350 350 \fBfile_inherit (\fBf\fR)\fR
351 351 .ad
352 352 .RS 26n
353 353 Inherit to all newly created files in a directory.
354 354 .RE
355 355
356 356 .sp
357 357 .ne 2
358 358 .na
359 359 \fBdir_inherit (\fBd\fR)\fR
360 360 .ad
361 361 .RS 26n
362 362 Inherit to all newly created directories in a directory.
363 363 .RE
364 364
365 365 .sp
366 366 .ne 2
367 367 .na
368 368 \fBinherit_only (\fBi\fR)\fR
369 369 .ad
370 370 .RS 26n
371 371 Placed on a directory, but does not apply to the directory itself, only to
372 372 newly created created files and directories. This flag requires file_inherit
373 373 and or dir_inherit to indicate what to inherit.
374 374 .RE
375 375
376 376 .sp
377 377 .ne 2
378 378 .na
379 379 \fBno_propagate (\fBn\fR)\fR
380 380 .ad
381 381 .RS 26n
382 382 Placed on directories and indicates that ACL entries should only be inherited
383 383 one level of the tree. This flag requires file_inherit and or dir_inherit to
384 384 indicate what to inherit.
385 385 .RE
386 386
387 387 .sp
388 388 .ne 2
389 389 .na
390 390 \fBsuccessful_access (\fBS)\fR)\fR
391 391 .ad
392 392 .RS 26n
393 393 Indicates if an alarm or audit record should be initiated upon successful
394 394 accesses. Used with audit/alarm ACE types.
395 395 .RE
396 396
397 397 .sp
398 398 .ne 2
399 399 .na
400 400 \fBfailed_access (\fBF\fR)\fR
401 401 .ad
402 402 .RS 26n
403 403 Indicates if an alarm or audit record should be initiated when access fails.
404 404 Used with audit/alarm ACE types.
405 405 .RE
406 406
407 407 .sp
408 408 .ne 2
409 409 .na
410 410 \fBinherited (\fBI\fR)\fR
411 411 .ad
412 412 .RS 26n
413 413 ACE was inherited.
414 414 .RE
415 415
416 416 .sp
417 417 .ne 2
418 418 .na
419 419 \fB\fB-\fR\fR
420 420 .ad
421 421 .RS 26n
422 422 No permission granted.
423 423 .RE
424 424
425 425 .sp
426 426 .LP
427 427 An NFSv4 ACL is expressed using the following syntax:
428 428 .sp
429 429 .in +2
430 430 .nf
431 431 \fIacl_entry\fR[,\fIacl_entry\fR]...
432 432
433 433 owner@:<perms>[:inheritance flags]:<allow|deny>
434 434 group@:<perms>[:inheritance flags]:<allow|deny>
435 435 everyone@:<perms>[:inheritance flags]:<allow|deny>
436 436 user:<username>[:inheritance flags]:<allow|deny>
437 437 group:<groupname>[:inheritance flags]:<allow|deny>
438 438 .fi
439 439 .in -2
440 440
441 441 .sp
442 442 .ne 2
443 443 .na
444 444 \fBowner@\fR
445 445 .ad
446 446 .RS 10n
447 447 File owner
448 448 .RE
449 449
450 450 .sp
451 451 .ne 2
452 452 .na
453 453 \fBgroup@\fR
454 454 .ad
455 455 .RS 10n
456 456 Group owner
457 457 .RE
458 458
459 459 .sp
460 460 .ne 2
461 461 .na
462 462 \fBuser\fR
463 463 .ad
464 464 .RS 10n
465 465 Permissions for a specific user
466 466 .RE
467 467
468 468 .sp
469 469 .ne 2
470 470 .na
471 471 \fBgroup\fR
472 472 .ad
473 473 .RS 10n
474 474 Permissions for a specific group
475 475 .RE
476 476
477 477 .sp
478 478 .LP
479 479 Permission and inheritance flags are separated by a \fB/\fR character.
480 480 .sp
481 481 .LP
482 482 ACL specification examples:
483 483 .sp
484 484 .in +2
485 485 .nf
486 486 user:fred:read_data/write_data/read_attributes:file_inherit:allow
487 487 owner@:read_data:allow,group@:read_data:allow,user:tom:read_data:deny
488 488 .fi
489 489 .in -2
490 490 .sp
491 491
492 492 .sp
493 493 .LP
494 494 Using the compact ACL format, permissions are specified by using 14 unique
495 495 letters to indicate permissions.
496 496 .sp
497 497 .LP
498 498 Using the positional ACL format, permissions are specified as positional
499 499 arguments similar to the \fBls -V\fR format. The hyphen (\fB-\fR), which
500 500 indicates that no permission is granted at that position, can be omitted and
501 501 only the required letters have to be specified.
502 502 .sp
503 503 .LP
504 504 The letters above are listed in the order they would be specified in positional
505 505 notation.
506 506 .sp
507 507 .LP
508 508 With these letters you can specify permissions in the following equivalent
509 509 ways.
510 510 .sp
511 511 .in +2
512 512 .nf
513 513 user:fred:rw------R------:file_inherit:allow
514 514 .fi
515 515 .in -2
516 516 .sp
517 517
518 518 .sp
519 519 .LP
520 520 Or you can remove the \fB-\fR and scrunch it together.
521 521 .sp
522 522 .in +2
523 523 .nf
524 524 user:fred:rwR:file_inherit:allow
525 525 .fi
526 526 .in -2
527 527 .sp
528 528
529 529 .sp
530 530 .LP
531 531 The inheritance flags can also be specified in a more compact manner, as
532 532 follows:
533 533 .sp
534 534 .in +2
535 535 .nf
536 536 user:fred:rwR:f:allow
537 537 user:fred:rwR:f------:allow
538 538 .fi
539 539 .in -2
540 540 .sp
541 541
542 542 .SS "Shell-level Solaris \fBAPI\fR"
543 543 .sp
544 544 .LP
545 545 The Solaris command interface supports the manipulation of ACLs. The following
546 546 Solaris utilities accommodate both ACL models:
547 547 .sp
548 548 .ne 2
549 549 .na
550 550 \fB\fBchmod\fR\fR
551 551 .ad
552 552 .RS 12n
553 553 The \fBchmod\fR utility has been enhanced to allow for the setting and deleting
554 554 of ACLs. This is achieved by extending the symbolic-mode argument to support
555 555 ACL manipulation. See \fBchmod\fR(1) for details.
556 556 .RE
557 557
558 558 .sp
559 559 .ne 2
560 560 .na
561 561 \fB\fBcompress\fR\fR
562 562 .ad
563 563 .RS 12n
564 564 When a file is compressed any ACL associated with the original file is
565 565 preserved with the compressed file.
566 566 .RE
567 567
568 568 .sp
569 569 .ne 2
570 570 .na
571 571 \fB\fBcp\fR\fR
572 572 .ad
573 573 .RS 12n
574 574 By default, \fBcp\fR ignores ACLs, unless the \fB-p\fR option is specified.
575 575 When \fB-p\fR is specified the owner and group id, permission modes,
576 576 modification and access times, ACLs, and extended attributes if applicable are
577 577 preserved.
578 578 .RE
579 579
580 580 .sp
581 581 .ne 2
582 582 .na
583 583 \fB\fBcpio\fR\fR
584 584 .ad
585 585 .RS 12n
586 586 ACLs are preserved when the \fB-P\fR option is specified.
587 587 .RE
588 588
589 589 .sp
590 590 .ne 2
591 591 .na
592 592 \fB\fBfind\fR\fR
593 593 .ad
594 594 .RS 12n
595 595 Find locates files with ACLs when the \fB-acl\fR flag is specified.
596 596 .RE
597 597
598 598 .sp
599 599 .ne 2
600 600 .na
601 601 \fB\fBls\fR\fR
602 602 .ad
603 603 .RS 12n
604 604 By default \fBls\fR does not display ACL information. When the \fB-v\fR option
605 605 is specified, a file's ACL is displayed.
606 606 .RE
607 607
608 608 .sp
609 609 .ne 2
610 610 .na
611 611 \fB\fBmv\fR\fR
612 612 .ad
613 613 .RS 12n
614 614 When a file is moved, all attributes are carried along with the renamed file.
615 615 When a file is moved across a file system boundary, the ACLs are replicated. If
616 616 the ACL information cannot be replicated, the move fails and the source file is
617 617 not removed.
618 618 .RE
619 619
620 620 .sp
621 621 .ne 2
622 622 .na
623 623 \fB\fBpack\fR\fR
624 624 .ad
625 625 .RS 12n
626 626 When a file is packed, any ACL associated with the original file is preserved
627 627 with the packed file.
628 628 .RE
629 629
630 630 .sp
631 631 .ne 2
632 632 .na
633 633 \fB\fBrcp\fR\fR
634 634 .ad
635 635 .RS 12n
636 636 \fBrcp\fR has been enhanced to support copying. A file's ACL is only preserved
637 637 when the remote host supports ACLs.
638 638 .RE
639 639
640 640 .sp
641 641 .ne 2
642 642 .na
643 643 \fB\fBtar\fR\fR
644 644 .ad
645 645 .RS 12n
646 646 ACLs are preserved when the \fB-p\fR option is specified.
647 647 .RE
648 648
649 649 .sp
650 650 .ne 2
651 651 .na
652 652 \fB\fBunpack\fR\fR
653 653 .ad
654 654 .RS 12n
655 655 When a file with an ACL is unpacked, the unpacked file retains the ACL
656 656 information.
657 657 .RE
658 658
659 659 .SS "Application-level \fBAPI\fR"
660 660 .sp
661 661 .LP
662 662 The primary interfaces required to access file system ACLs at the programmatic
663 663 level are the \fBacl_get()\fR and \fBacl_set()\fR functions. These functions
664 664 support both POSIX draft ACLs and NFSv4 ACLs.
665 665 .SS "Retrieving a file's \fBACL\fR"
666 666 .sp
667 667 .in +2
668 668 .nf
669 669 int acl_get(const char *path, int flag, acl_t **aclp);
670 670 int facl_get(int fd, int flag, acl_t **aclp);
671 671 .fi
672 672 .in -2
673 673
674 674 .sp
675 675 .LP
676 676 The \fBacl_get\fR(3SEC) and \fBfacl_get\fR(3SEC) functions retrieves an ACL on
677 677 a file whose name is given by path or referenced by the open file descriptor
678 678 fd. The flag argument specifies whether a trivial ACL should be retrieved. When
679 679 the flag argument equals \fBACL_NO_TRIVIAL\fR then only ACLs that are not
680 680 trivial are retrieved. The ACL is returned in the \fBaclp\fR argument.
681 681 .SS "Freeing \fBACL\fR structure"
682 682 .sp
683 683 .in +2
684 684 .nf
685 685 void acl_free(acl_t *aclp)s;
686 686 .fi
687 687 .in -2
688 688
689 689 .sp
690 690 .LP
691 691 The \fBacl_free()\fR function frees up memory allocated for the argument
692 692 \fBaclp;\fR.
693 693 .SS "Setting an \fBACL\fR on a file"
694 694 .sp
695 695 .in +2
696 696 .nf
697 697 int acl_set(const char *path, acl_t *aclp);
698 698 int facl_set(int fd, acl_t *aclp);
699 699 .fi
700 700 .in -2
701 701
702 702 .sp
703 703 .LP
704 704 The \fBacl_set\fR(3SEC) and \fBfacl_get\fR(3SEC) functions are used for setting
705 705 an ACL on a file whose name is given by path or referenced by the open file
706 706 descriptor \fBfd\fR. The \fBaclp\fR argument specifies the ACL to set. The
707 707 \fBacl_set\fR(3SEC) translates an POSIX-draft ACL into a NFSv4 ACL when the
708 708 target file systems supports NFSv4 ACLs. No translation is performed when
709 709 trying to set an NFSv4 ACL on a POSIX-draft ACL supported file system.
710 710 .SS "Determining an \fBACL\fR's trivialness"
711 711 .sp
712 712 .in +2
713 713 .nf
714 714 int acl_trivial(const char *path);
715 715 .fi
716 716 .in -2
717 717
718 718 .sp
719 719 .LP
720 720 The \fBacl_trivial()\fR function is used to determine whether a file has a
721 721 trivial ACL. The trivialness of a file's ACL depends on the type of ACL it is.
722 722 For POSIX-draft ACLs, it implies the ACL has greater than
723 723 \fBMIN_ACL_ENTRIES\fR. For NFSv4/ZFS style ACLs, it implies that the ACL has
724 724 entries other than \fBowner@\fR, \fBgroup@\fR and \fBeveryone@\fR, inheritance
725 725 flags are set, or the ACL is not ordered in a manner that meets POSIX access
726 726 control requirements.
727 727 .SS "Removing all \fBACL\fRs from a file"
728 728 .sp
729 729 .in +2
730 730 .nf
731 731 int acl_strip(const char *path, uid_t uid, gid_t gid, mode_t mode);
732 732 .fi
733 733 .in -2
734 734
735 735 .sp
736 736 .LP
737 737 The \fBacl_strip()\fR function removes all ACLs from a file and replaces them
738 738 with a trivial ACL based off of the passed in argument mode. After replacing
739 739 the ACL the owner and group of the file are set to the values specified in the
740 740 uid and gid parameters.
741 741 .SS "Converting \fBACL\fRs to/from external representation"
742 742 .sp
743 743 .in +2
744 744 .nf
745 745 int acl_fromtext(const char *path, acl_t **aclp);
746 746 char *acl_totext(acl_t *aclp, int flags);
747 747 .fi
748 748 .in -2
749 749
750 750 .sp
751 751 .LP
752 752 The \fBacl_text()\fR function converts an internal ACL representation pointed
753 753 to by aclp into an external representation. See \fBDESCRIPTION\fR for details
754 754 about external representation.
755 755 .sp
756 756 .LP
757 757 The \fBacl_fromtext()\fR functions converts and external representation into an
758 758 internal representation. See \fBDESCRIPTION\fR for details about external
759 759 representation.
760 760 .SH EXAMPLES
761 761 .sp
762 762 .LP
763 763 The following examples demonstrate how the API can be used to perform basic
764 764 operations on ACLs.
765 765 .LP
766 766 \fBExample 1 \fRRetrieving and Setting an ACL
767 767 .sp
768 768 .LP
769 769 Use the following to retrieve an ACL and set it on another file:
770 770
771 771 .sp
772 772 .in +2
773 773 .nf
774 774 error = acl_get("file", ACL_NO_TRIVIAL, &aclp);
775 775
776 776 if (error == 0 && aclp != NULL) {
777 777 error = acl_set("file2", aclp)
778 778 acl_free(aclp);
779 779 }
780 780 \&...
781 781 .fi
782 782 .in -2
783 783
784 784 .LP
785 785 \fBExample 2 \fRRetrieving and Setting Any ACLs
786 786 .sp
787 787 .LP
788 788 Use the following to retrieve any ACL, including trivial ACLs, and set it on
789 789 another file:
790 790
791 791 .sp
792 792 .in +2
793 793 .nf
794 794 error = acl_get("file3", 0, &aclp);
795 795 if (error == 0) {
796 796 error = acl_set("file4", aclp)
797 797 acl_free(aclp);
798 798 }
799 799 \&...
800 800 .fi
801 801 .in -2
802 802
803 803 .LP
804 804 \fBExample 3 \fRDetermining if a File has a Trivial ACL
805 805 .sp
806 806 .LP
807 807 Use the following to determine if a file has a trivial ACL:
808 808
809 809 .sp
810 810 .in +2
811 811 .nf
812 812 istrivial = acl_trivial("file")
813 813
814 814 if (istrivial == 0)
815 -printf("file %s has a trivial ACL\n", file);
815 +printf("file %s has a trivial ACL\en", file);
816 816 else
817 -printf("file %s has a NON-trivial ACL\n", file);
817 +printf("file %s has a NON-trivial ACL\en", file);
818 818 \&...
819 819 .fi
820 820 .in -2
821 821
822 822 .LP
823 823 \fBExample 4 \fRRemoving all ACLs from a File
824 824 .sp
825 825 .LP
826 826 Use the following to remove all ACLs from a file, and set a new mode, owner,
827 827 and group:
828 828
829 829 .sp
830 830 .in +2
831 831 .nf
832 832 error = acl_strip("file", 10, 100, 0644);
833 833 \&...
834 834 .fi
835 835 .in -2
836 836
837 837 .SH SEE ALSO
838 838 .sp
839 839 .LP
840 840 \fBchgrp\fR(1), \fBchmod\fR(1), \fBchown\fR(1), \fBcp\fR(1), \fBcpio\fR(1),
841 841 \fBfind\fR(1), \fBls\fR(1), \fBmv\fR(1), \fBtar\fR(1), \fBsetfacl\fR(1),
842 842 \fBchmod\fR(2), \fBacl\fR(2),\fBstat\fR(2),\fBacl_get\fR(3SEC),
843 843 \fBaclsort\fR(3SEC), \fBacl_fromtext\fR(3SEC), \fBacl_free\fR(3SEC),
844 844 \fBacl_strip\fR(3SEC), \fBacl_trivial\fR(3SEC)
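Review bot: the `\n` to `\en` change at lines 815 and 817 is the right fix, since troff consumes a bare backslash and would render the sequence as a literal "n" rather than a newline; the same example still has two defects worth fixing in this pass: `istrivial = acl_trivial("file")` (line 812) lacks its semicolon, and it passes the literal string "file" to acl_trivial() while both printf calls format a variable named `file`, so the two should agree. In SEE ALSO (line 842), `\fBacl\fR(2),\fBstat\fR(2),\fBacl_get\fR(3SEC),` is missing the spaces after the commas that the rest of the list uses, and the list omits acl_set(3SEC) and acl_totext(3SEC) even though both are documented in the body above.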
17 lines elided