12288 getfacl and setfacl could stand improvement
--- old/usr/src/man/man3sec/acl_totext.3sec
+++ new/usr/src/man/man3sec/acl_totext.3sec
1 1 '\" te
2 2 .\" Copyright (c) 20068 Sun Microsystems, Inc. All Rights Reserved.
3 3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
4 4 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
5 5 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
6 6 .TH ACL_TOTEXT 3SEC "Jun 16, 2008"
7 7 .SH NAME
8 8 acl_totext, acl_fromtext \- convert internal representation to or from
9 9 external representation
10 10 .SH SYNOPSIS
11 -.LP
12 11 .nf
13 12 cc [ \fIflag\fR\&.\|.\|. ] \fIfile\fR\&.\|.\|. \fB-lsec\fR [ \fIlibrary\fR\&.\|.\|. ]
14 13 #include <sys/acl.h>
15 14
16 15 \fBchar *\fR\fBacl_totext\fR(\fBacl_t *\fR\fIaclp\fR, \fBint\fR \fIflags\fR);
17 16 .fi
18 17
19 18 .LP
20 19 .nf
21 20 \fBint\fR \fBacl_fromtext\fR(\fBchar *\fR\fIacltextp\fR, \fBacl_t **\fR\fIaclp\fR);
22 21 .fi
23 22
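Review bot: the copyright line in this hunk's context, `.\" Copyright (c) 20068 Sun Microsystems, Inc.`, carries a bad year (`20068`) and should be fixed in the same cleanup pass, and the `.TH ACL_TOTEXT 3SEC "Jun 16, 2008"` date is left unchanged although the page is being edited. Dropping the `.LP` that sat between `.SH SYNOPSIS` and `.nf` is correct since `.SH` already opens a paragraph; the `.LP` between the two `.nf` blocks separates the two prototypes and is rightly kept.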
24 23 .SH DESCRIPTION
25 -.sp
26 -.LP
27 24 The \fBacl_totext()\fR function converts an internal ACL representation pointed
28 25 to by \fIaclp\fR into an external ACL representation. The memory for the
29 26 external text string is obtained using \fBmalloc\fR(3C). The caller is
30 27 responsible for freeing the memory upon completion.
31 28 .sp
32 29 .LP
33 30 The format of the external ACL is controlled by the \fIflags\fR argument.
34 31 Values for \fIflags\fR are constructed by a bitwise-inclusive-OR of \fIflags\fR
35 32 from the following list, defined in <\fBsys/acl.h\fR>.
36 33 .sp
37 34 .ne 2
38 35 .na
39 36 \fB\fBACL_COMPACT_FMT\fR\fR
40 37 .ad
41 38 .RS 19n
42 39 For NFSv4 ACLs, the ACL entries will be formatted using the compact ACL format
43 40 detailed in \fBls\fR(1) for the \fB-V\fR option.
44 41 .RE
45 42
46 43 .sp
47 44 .ne 2
48 45 .na
49 46 \fB\fBACL_APPEND_ID\fR\fR
50 47 .ad
51 48 .RS 19n
52 49 Append the \fBuid\fR or \fBgid\fR for additional user or group entries. This
53 -flag is used to construt ACL entries in a manner that is suitable for archive
50 +flag is used to construct ACL entries in a manner that is suitable for archive
54 51 utilities such as \fBtar\fR(1). When the ACL is translated from the external
55 52 format to internal representation using \fBacl_fromtext()\fR, the appended ID
56 53 will be used to populate the \fBuid\fR or \fBgid\fR field of the ACL entry when
57 54 the user or group name does not exist on the host system. The appended id will
58 55 be ignored when the user or group name does exist on the system.
59 56 .RE
60 57
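Review bot: the `construt` to `construct` fix is right, but the same spelling pass leaves other defects in this file's unchanged text: `one of two external external representations are possible` (doubled word and number agreement; should read `one of two external representations is possible`), `The external ACL representation For NFSv4-style ACLs` (stray capital `F`), `a additional group of the object` and `a additional user of the object` (`an additional`), and `The appended id will be ignored` where the preceding sentence writes `ID`. Suggest folding these into this change rather than leaving them for another pass.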
61 58 .sp
62 59 .ne 2
63 60 .na
64 61 \fB\fBACL_SID_FMT\fR\fR
65 62 .ad
66 63 .RS 19n
67 64 For NFSv4 ACLs, the ACL entries for user or group entries will use the
68 65 \fBusersid\fR or \fBgroupsid\fR format when the "id" field in the ACL entry is
69 66 an ephemeral \fBuid\fR or \fBgid\fR. The raw \fBsid\fR format will only be
70 67 used when the "id" cannot be resolved to a windows name.
71 68 .RE
72 69
73 70 .sp
74 71 .LP
75 72 The \fBacl_fromtext()\fR function converts an external ACL representation
76 73 pointed to by \fIacltextp\fR into an internal ACL representation. The memory
77 74 for the list of ACL entries is obtained using \fBmalloc\fR(3C). The caller is
78 75 responsible for freeing the memory upon completion. Depending on type of ACLs a
79 76 file system supports, one of two external external representations are
80 77 possible. For POSIX draft file systems such as ufs, the external representation
81 78 is described in \fBacltotext\fR(3SEC). The external ACL representation For
82 79 NFSv4-style ACLs is detailed as follows.
83 80 .sp
84 81 .LP
85 82 Each \fBacl_entry\fR contains one ACL entry. The external representation of an
86 83 ACL entry contains three, four or five colon separated fields. The first field
87 84 contains the ACL entry type. The entry type keywords are defined as:
88 85 .sp
89 86 .ne 2
90 87 .na
91 88 \fB\fBeveryone@\fR\fR
92 89 .ad
93 90 .RS 13n
94 91 This ACL entry specifies the access granted to any user or group that does not
95 92 match any previous ACL entry.
96 93 .RE
97 94
98 95 .sp
99 96 .ne 2
100 97 .na
101 98 \fB\fBgroup\fR\fR
102 99 .ad
103 100 .RS 13n
104 101 This ACL entry with a GID specifies the access granted to a additional group of
105 102 the object.
106 103 .RE
107 104
108 105 .sp
109 106 .ne 2
110 107 .na
111 108 \fB\fBgroup@\fR\fR
112 109 .ad
113 110 .RS 13n
114 111 This ACL entry with no GID specified in the ACL entry field specifies the
115 112 access granted to the owning group of the object.
116 113 .RE
117 114
118 115 .sp
119 116 .ne 2
120 117 .na
121 118 \fB\fBgroupsid\fR\fR
122 119 .ad
123 120 .RS 13n
124 121 This ACL entry with a SID or Windows name specifies the access granted to a
125 122 Windows group. This type of entry is for a CIFS server created file.
126 123 .RE
127 124
128 125 .sp
129 126 .ne 2
130 127 .na
131 128 \fB\fBowner@\fR\fR
132 129 .ad
133 130 .RS 13n
134 131 This ACL entry with no UID specified in the ACL entry field specifies the
135 132 access granted to the owner of the object.
136 133 .RE
137 134
138 135 .sp
139 136 .ne 2
140 137 .na
141 138 \fB\fBsid\fR\fR
142 139 .ad
143 140 .RS 13n
144 141 This ACL entry with a SID or Windows name when the entry could be either a
145 142 group or a user.
146 143 .RE
147 144
148 145 .sp
149 146 .ne 2
150 147 .na
151 148 \fB\fBuser\fR\fR
152 149 .ad
153 150 .RS 13n
154 151 This ACL entry with a UID specifies the access granted to a additional user of
155 152 the object.
156 153 .RE
157 154
158 155 .sp
159 156 .ne 2
160 157 .na
161 158 \fB\fBusersid\fR\fR
162 159 .ad
163 160 .RS 13n
164 161 This ACL entry with a SID or Windows name specifies the access granted to a
165 162 Windows user. This type of entry is for a CIFS server created file.
166 163 .RE
167 164
168 165 .sp
169 166 .LP
170 167 The second field contains the ACL entry ID, and is used only for user or group
171 168 ACL entries. This field is not used for \fBowner@\fR, \fBgroup@\fR, or
172 169 \fBeveryone@\fR entries.
173 170 .sp
174 171 .ne 2
175 172 .na
176 173 \fB\fBuid\fR\fR
177 174 .ad
178 175 .RS 7n
179 176 This field contains a user-name or user-ID. If the user-name cannot be resolved
180 177 to a UID, then the entry is assumed to be a numeric UID.
181 178 .RE
182 179
183 180 .sp
184 181 .ne 2
185 182 .na
186 183 \fB\fBgid\fR\fR
187 184 .ad
188 185 .RS 7n
189 186 This field contains a group-name or group-ID. If the group-name can't be
190 187 resolved to a GID, then the entry is assumed to be a numeric GID.
191 188 .RE
192 189
193 190 .sp
194 191 .LP
195 192 The third field contains the discretionary access permissions. The format of
196 193 the permissions depends on whether \fBACL_COMPACT_FMT\fR is specified. When the
197 194 \fIflags\fR field does not request \fBACL_COMPACT_FMT\fR, the following format
198 195 is used with a forward slash (/) separating the permissions.
199 196 .sp
200 197 .ne 2
201 198 .na
202 199 \fB\fBadd_file\fR\fR
203 200 .ad
204 201 .RS 20n
205 202 Add a file to a directory.
206 203 .RE
207 204
208 205 .sp
209 206 .ne 2
210 207 .na
211 208 \fB\fBadd_subdirectory\fR\fR
212 209 .ad
213 210 .RS 20n
214 211 Add a subdirectory.
215 212 .RE
216 213
217 214 .sp
218 215 .ne 2
219 216 .na
220 217 \fB\fBappend\fR\fR
221 218 .ad
222 219 .RS 20n
223 220 Append data.
224 221 .RE
225 222
226 223 .sp
227 224 .ne 2
228 225 .na
229 226 \fB\fBdelete\fR\fR
230 227 .ad
231 228 .RS 20n
232 229 Delete.
233 230 .RE
234 231
235 232 .sp
236 233 .ne 2
237 234 .na
238 235 \fB\fBdelete_child\fR\fR
239 236 .ad
240 237 .RS 20n
241 238 Delete child.
242 239 .RE
243 240
244 241 .sp
245 242 .ne 2
246 243 .na
247 244 \fB\fBexecute\fR\fR
248 245 .ad
249 246 .RS 20n
250 247 Execute permission.
251 248 .RE
252 249
253 250 .sp
254 251 .ne 2
255 252 .na
256 253 \fB\fBlist_directory\fR\fR
257 254 .ad
258 255 .RS 20n
259 256 List a directory.
260 257 .RE
261 258
262 259 .sp
263 260 .ne 2
264 261 .na
265 262 \fB\fBread_acl\fR\fR
266 263 .ad
267 264 .RS 20n
268 265 Read ACL.
269 266 .RE
270 267
271 268 .sp
272 269 .ne 2
273 270 .na
274 271 \fB\fBread_data\fR\fR
275 272 .ad
276 273 .RS 20n
277 274 Read permission.
278 275 .RE
279 276
280 277 .sp
281 278 .ne 2
282 279 .na
283 280 \fB\fBread_attributes\fR\fR
284 281 .ad
285 282 .RS 20n
286 283 Read attributes.
287 284 .RE
288 285
289 286 .sp
290 287 .ne 2
291 288 .na
292 289 \fB\fBread_xattr\fR\fR
293 290 .ad
294 291 .RS 20n
295 292 Read named attributes.
296 293 .RE
297 294
298 295 .sp
299 296 .ne 2
300 297 .na
301 298 \fB\fBsynchronize\fR\fR
302 299 .ad
303 300 .RS 20n
304 301 Synchronize.
305 302 .RE
306 303
307 304 .sp
308 305 .ne 2
309 306 .na
310 307 \fB\fBwrite_acl\fR\fR
311 308 .ad
312 309 .RS 20n
313 310 Write ACL.
314 311 .RE
315 312
316 313 .sp
317 314 .ne 2
318 315 .na
319 316 \fB\fBwrite_attributes\fR\fR
320 317 .ad
321 318 .RS 20n
322 319 Write attributes.
323 320 .RE
324 321
325 322 .sp
326 323 .ne 2
327 324 .na
328 325 \fB\fBwrite_data\fR\fR
329 326 .ad
330 327 .RS 20n
331 328 Write permission.
332 329 .RE
333 330
334 331 .sp
335 332 .ne 2
336 333 .na
337 334 \fB\fBwrite_owner\fR\fR
338 335 .ad
339 336 .RS 20n
340 337 Write owner.
341 338 .RE
342 339
343 340 .sp
344 341 .ne 2
345 342 .na
346 343 \fB\fBwrite_xattr\fR\fR
347 344 .ad
348 345 .RS 20n
349 346 Write named attributes.
350 347 .RE
351 348
352 349 .sp
353 350 .LP
354 351 This format allows permissions to be specified as, for example:
355 352 \fBread_data\fR/\fBread_xattr\fR/\fBread_attributes\fR.
356 353 .sp
357 354 .LP
358 355 When \fBACL_COMPACT_FMT\fR is specified, the permissions consist of 14 unique
359 356 letters. A hyphen (-) character is used to indicate that the permission at
360 357 that position is not specified.
361 358 .sp
362 359 .ne 2
363 360 .na
364 361 \fB\fBa\fR\fR
365 362 .ad
366 363 .RS 5n
367 364 read attributes
368 365 .RE
369 366
370 367 .sp
371 368 .ne 2
372 369 .na
373 370 \fB\fBA\fR\fR
374 371 .ad
375 372 .RS 5n
376 373 write attributes
377 374 .RE
378 375
379 376 .sp
380 377 .ne 2
381 378 .na
382 379 \fB\fBc\fR\fR
383 380 .ad
384 381 .RS 5n
385 382 read ACL
386 383 .RE
387 384
388 385 .sp
389 386 .ne 2
390 387 .na
391 388 \fB\fBC\fR\fR
392 389 .ad
393 390 .RS 5n
394 391 write ACL
395 392 .RE
396 393
397 394 .sp
398 395 .ne 2
399 396 .na
400 397 \fB\fBd\fR\fR
401 398 .ad
402 399 .RS 5n
403 400 delete
404 401 .RE
405 402
406 403 .sp
407 404 .ne 2
408 405 .na
409 406 \fB\fBD\fR\fR
410 407 .ad
411 408 .RS 5n
412 409 delete child
413 410 .RE
414 411
415 412 .sp
416 413 .ne 2
417 414 .na
418 415 \fB\fBo\fR\fR
419 416 .ad
420 417 .RS 5n
421 418 write owner
422 419 .RE
423 420
424 421 .sp
425 422 .ne 2
426 423 .na
427 424 \fB\fBp\fR\fR
428 425 .ad
429 426 .RS 5n
430 427 append
431 428 .RE
432 429
433 430 .sp
434 431 .ne 2
435 432 .na
436 433 \fB\fBr\fR\fR
437 434 .ad
438 435 .RS 5n
439 436 read_data
440 437 .RE
441 438
442 439 .sp
443 440 .ne 2
444 441 .na
445 442 \fB\fBR\fR\fR
446 443 .ad
447 444 .RS 5n
448 445 read named attributes
449 446 .RE
450 447
451 448 .sp
452 449 .ne 2
453 450 .na
454 451 \fB\fBs\fR\fR
455 452 .ad
456 453 .RS 5n
457 454 synchronize
458 455 .RE
459 456
460 457 .sp
461 458 .ne 2
462 459 .na
463 460 \fB\fBw\fR\fR
464 461 .ad
465 462 .RS 5n
466 463 write_data
467 464 .RE
468 465
469 466 .sp
470 467 .ne 2
471 468 .na
472 469 \fB\fBW\fR\fR
473 470 .ad
474 471 .RS 5n
475 472 write named attributes
476 473 .RE
477 474
478 475 .sp
479 476 .ne 2
480 477 .na
481 478 \fB\fBx\fR\fR
482 479 .ad
483 480 .RS 5n
484 481 execute
485 482 .RE
486 483
487 484 .sp
488 485 .LP
489 486 This format allows compact permissions to be represented as, for example:
490 487 \fBrw--d-a-------\fR
491 488 .sp
492 489 .LP
493 490 The fourth field is optional when \fBACL_COMPACT_FMT\fR is not specified, in
494 491 which case the field will be present only when the ACL entry has inheritance
495 492 flags set. The following is the list of inheritance flags separated by a slash
496 493 (/) character.
497 494 .sp
498 495 .ne 2
499 496 .na
500 497 \fB\fBdir_inherit\fR\fR
501 498 .ad
502 499 .RS 16n
503 500 \fBACE_DIRECTORY_INHERIT_ACE\fR
504 501 .RE
505 502
506 503 .sp
507 504 .ne 2
508 505 .na
509 506 \fB\fBfile_inherit\fR\fR
510 507 .ad
511 508 .RS 16n
512 509 \fBACE_FILE_INHERIT_ACE\fR
513 510 .RE
514 511
515 512 .sp
516 513 .ne 2
517 514 .na
518 515 \fB\fBinherit_only\fR\fR
519 516 .ad
520 517 .RS 16n
521 518 \fBACE_INHERIT_ONLY_ACE\fR
522 519 .RE
523 520
524 521 .sp
525 522 .ne 2
526 523 .na
527 524 \fB\fBno_propagate\fR\fR
528 525 .ad
529 526 .RS 16n
530 527 \fBACE_NO_PROPAGATE_INHERIT_ACE\fR
531 528 .RE
532 529
533 530 .sp
534 531 .LP
535 532 When \fBACL_COMPACT_FMT\fR is specified the inheritance will always be present
536 533 and is represented as positional arguments. A hyphen (-) character is used to
537 534 indicate that the inheritance flag at that position is not specified.
538 535 .sp
539 536 .ne 2
540 537 .na
541 538 \fB\fBd\fR\fR
542 539 .ad
543 540 .RS 5n
544 541 \fBdir_inherit\fR
545 542 .RE
546 543
547 544 .sp
548 545 .ne 2
549 546 .na
550 547 \fB\fBf\fR\fR
551 548 .ad
552 549 .RS 5n
553 550 \fBfile_inherit\fR
554 551 .RE
555 552
556 553 .sp
557 554 .ne 2
558 555 .na
559 556 \fB\fBF\fR\fR
560 557 .ad
561 558 .RS 5n
562 559 failed access (not currently supported)
563 560 .RE
564 561
565 562 .sp
566 563 .ne 2
567 564 .na
568 565 \fB\fBi\fR\fR
569 566 .ad
570 567 .RS 5n
571 568 \fBinherit_only\fR
572 569 .RE
573 570
574 571 .sp
575 572 .ne 2
576 573 .na
577 574 \fB\fBn\fR\fR
578 575 .ad
579 576 .RS 5n
580 577 \fBno_propagate\fR
581 578 .RE
582 579
583 580 .sp
584 581 .ne 2
585 582 .na
586 583 \fB\fBS\fR\fR
587 584 .ad
588 585 .RS 5n
589 586 successful access (not currently supported)
590 587 .RE
591 588
592 589 .sp
593 590 .LP
594 591 The fifth field contains the type of the ACE (\fBallow\fR or \fBdeny\fR):
595 592 .sp
596 593 .ne 2
597 594 .na
598 595 \fB\fBallow\fR\fR
599 596 .ad
600 597 .RS 9n
601 598 The mask specified in field three should be allowed.
602 599 .RE
603 600
604 601 .sp
605 602 .ne 2
606 603 .na
607 604 \fB\fBdeny\fR\fR
608 605 .ad
609 606 .RS 9n
610 607 The mask specified in field three should be denied.
611 608 .RE
612 609
613 610 .SH RETURN VALUES
614 -.sp
615 -.LP
616 611 Upon successful completion, the \fBacl_totext()\fR function returns a pointer
617 612 to a text string. Otherwise, it returns \fINULL\fR.
618 613 .sp
619 614 .LP
620 615 Upon successful completion, the \fBacl_fromtext()\fR function returns 0.
621 616 Otherwise, the return value is set to one of the following:
622 617 .sp
623 618 .ne 2
624 619 .na
625 620 \fB\fBEACL_FIELD_NOT_BLANK\fR\fR
626 621 .ad
627 622 .RS 28n
628 623 A field that should be blank is not blank.
629 624 .RE
630 625
631 626 .sp
632 627 .ne 2
633 628 .na
634 629 \fB\fBEACL_FLAGS_ERROR\fR\fR
635 630 .ad
636 631 .RS 28n
637 632 An invalid ACL flag was specified.
638 633 .RE
639 634
640 635 .sp
641 636 .ne 2
642 637 .na
643 638 \fB\fBEACL_INHERIT_ERROR\fR\fR
644 639 .ad
645 640 .RS 28n
646 641 An invalid inheritance field was specified.
647 642 .RE
648 643
649 644 .sp
650 645 .ne 2
651 646 .na
652 647 \fB\fBEACL_INVALID_ACCESS_TYPE\fR\fR
653 648 .ad
654 649 .RS 28n
655 650 An invalid access type was specified.
656 651 .RE
657 652
658 653 .sp
659 654 .ne 2
660 655 .na
661 656 \fB\fBEACL_INVALID_STR\fR\fR
662 657 .ad
663 658 .RS 28n
664 659 The string is \fINULL\fR.
665 660 .RE
666 661
667 662 .sp
668 663 .ne 2
669 664 .na
670 665 \fB\fBEACL_INVALID_USER_GROUP\fR\fR
671 666 .ad
672 667 .RS 28n
673 668 The required user or group name not found.
674 669 .RE
675 670
676 671 .sp
677 672 .ne 2
678 673 .na
679 674 \fB\fBEACL_MISSING_FIELDS\fR\fR
680 675 .ad
681 676 .RS 28n
682 677 The ACL needs more fields to be specified.
683 678 .RE
684 679
685 680 .sp
686 681 .ne 2
687 682 .na
688 683 \fB\fBEACL_PERM_MASK_ERROR\fR\fR
689 684 .ad
690 685 .RS 28n
691 686 The permission mask is invalid.
692 687 .RE
693 688
694 689 .sp
695 690 .ne 2
696 691 .na
697 692 \fB\fBEACL_UNKNOWN_DATA\fR\fR
698 693 .ad
699 694 .RS 28n
700 695 Unknown data was found in the ACL.
701 696 .RE
702 697
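Review bot: this section never says what `*aclp` holds when `acl_fromtext()` returns one of the `EACL_*` values, and the DESCRIPTION says only that the entry list is malloc(3C)'d on success; since the caller owns that memory, the page should state whether `*aclp` is left untouched or set to NULL on failure so callers know not to free or use it after a non-zero return. Two smaller points in the same context: `The required user or group name not found.` is missing `was`, and `\fINULL\fR` is set in italics here while the rest of the page sets symbols in bold.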
703 698 .SH EXAMPLES
704 -.LP
705 699 \fBExample 1 \fRExamples of permissions when \fBACL_COMPACT_FMT\fR is not
706 700 specified.
707 701 .sp
708 702 .in +2
709 703 .nf
710 704 user:joe:read_data/write_data:file_inherit/dir_inherit:allow
711 705 .fi
712 706 .in -2
713 707 .sp
714 708
715 709 .sp
716 710 .in +2
717 711 .nf
718 712 owner@:read_acl:allow,user:tom:read_data:file_inherit/inherit_only:deny
719 713 .fi
720 714 .in -2
721 715 .sp
722 716
723 717 .LP
724 718 \fBExample 2 \fRExamples of permissions when \fBACL_COMPACT_FMT\fR is
725 719 specified.
726 720 .sp
727 721 .in +2
728 722 .nf
729 723 user:joe:rw------------:fd----:allow
730 724 .fi
731 725 .in -2
732 726 .sp
733 727
734 728 .sp
735 729 .in +2
736 730 .nf
737 731 owner@:----------c---:------allow,user:tom:r-------------:f-i---:deny
738 732 .fi
739 733 .in -2
740 734 .sp
741 735
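Review bot: the second compact-format example, `owner@:----------c---:------allow,user:tom:r-------------:f-i---:deny`, is missing the colon between the six-character inheritance field and the `allow` type; compare `user:joe:rw------------:fd----:allow` just above, and the five-field layout the DESCRIPTION specifies does not admit `------allow` as a field. Separately, the positional order of the compact letters is never stated: the permission list (`a`, `A`, `c`, `C`, ... `x`) and the inheritance list (`d`, `f`, `F`, `i`, `n`, `S`) are given alphabetically, while the examples put `r` and `w` in positions 1 and 2, `d` in 5, `a` in 7, `c` in 11, and `f` before `d` in the inheritance field. Suggest stating the order explicitly, or pointing at the `ls(1)` `-V` output the page already cites, so a reader can construct or parse these strings from the page alone.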
742 736 .SH ATTRIBUTES
743 -.sp
744 -.LP
745 737 See \fBattributes\fR(5) for descriptions of the following attributes:
746 738 .sp
747 739
748 740 .sp
749 741 .TS
750 742 box;
751 743 c | c
752 744 l | l .
753 745 ATTRIBUTE TYPE ATTRIBUTE VALUE
754 746 _
755 747 Interface Stability Committed
756 748 _
757 749 MT-Level Safe
758 750 .TE
759 751
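Review bot: with the `.sp`/`.LP` after `.SH ATTRIBUTES` gone, the `.sp`, blank line, `.sp` sequence that remains between the `See attributes(5)` sentence and `.TS` still emits doubled vertical space before the table; a single `.sp` is enough and matches the spacing used elsewhere in the page.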
760 752 .SH SEE ALSO
761 -.sp
762 -.LP
763 753 \fBls\fR(1), \fBtar\fR(1), \fBacl\fR(2), \fBmalloc\fR(3C),
764 754 \fBaclfromtext\fR(3SEC), \fBacl\fR(5), \fBattributes\fR(5)
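Review bot: SEE ALSO lists `aclfromtext(3SEC)`, but the DESCRIPTION sends the reader to `acltotext(3SEC)` for the POSIX-draft external format; the name the body cites should appear here (or both names should), so the cross-reference resolves for the reader.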