12288 getfacl and setfacl could stand improvement
*** 6,17 ****
acl - Access Control Lists
DESCRIPTION
Access control lists (ACLs) are discretionary access control mechanisms
that grant and deny access to files and directories. Two different ACL
! models are supported in the Solaris release: POSIX-draft ACLs and NFSv4
! ACLs.
The older, POSIX-draft model is supported by the UFS file system. This
model is based on a withdrawn ACL POSIX specification that was never
standardized. It was subsequently withdrawn by the POSIX committee.
--- 6,16 ----
acl - Access Control Lists
DESCRIPTION
Access control lists (ACLs) are discretionary access control mechanisms
that grant and deny access to files and directories. Two different ACL
! models are supported in this release: POSIX-draft ACLs and NFSv4 ACLs.
The older, POSIX-draft model is supported by the UFS file system. This
model is based on a withdrawn ACL POSIX specification that was never
standardized. It was subsequently withdrawn by the POSIX committee.
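Review bot: the unchanged context in this hunk says "withdrawn" twice in two consecutive sentences ("a withdrawn ACL POSIX specification that was never standardized. It was subsequently withdrawn by the POSIX committee."); since the paragraph is being edited anyway, consider folding them into one sentence, e.g. "This model is based on a draft POSIX ACL specification that was never standardized and was subsequently withdrawn by the POSIX committee."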
*** 23,44 ****
semantics and finer grained permission capabilities than the POSIX-
draft model.
POSIX-draft ACLs
POSIX-draft ACLs provide an alternative security mechanism to basic
! UNIX file permissions in the Solaris release. Their purpose is to
! further restrict access to files and directories or to extend
! permissions to a particular user. ACLs can be used to change the
! permissions for the standard owner, group and other class bits of a
! file's mode. ACLs can give additional users and groups access to the
! file. A directory can also have a special kind of ACL called a default
! ACL, which defines ACL entries to be inherited by descendents of the
! directory. POSIX-draft ACLs have an ACL entry called mask. The mask
! defines the maximum permissions that can be granted to additional user
! and group entries. Whenever a file is created or its mode is changed by
! chmod(1) or chmod(2), the mask is recomputed. It is recomputed to be
! the group permission defined in the mode passed to chmod(2).
The POSIX-draft ACL model uses the standard rwx model of traditional
UNIX permissions.
--- 22,43 ----
semantics and finer grained permission capabilities than the POSIX-
draft model.
POSIX-draft ACLs
POSIX-draft ACLs provide an alternative security mechanism to basic
! UNIX file permissions. Their purpose is to further restrict access to
! files and directories or to extend permissions to a particular user.
! ACLs can be used to change the permissions for the standard owner,
! group and other class bits of a file's mode. ACLs can give additional
! users and groups access to the file. A directory can also have a
! special kind of ACL called a default ACL, which defines ACL entries to
! be inherited by descendents of the directory. POSIX-draft ACLs have an
! ACL entry called mask. The mask defines the maximum permissions that
! can be granted to additional user and group entries. Whenever a file is
! created or its mode is changed by chmod(1) or chmod(2), the mask is
! recomputed. It is recomputed to be the group permission defined in the
! mode passed to chmod(2).
The POSIX-draft ACL model uses the standard rwx model of traditional
UNIX permissions.
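Review bot: "descendents" in the rewrapped paragraph (the "inherited by descendents of the directory" line) is a misspelling of "descendants" that survives the change; fix it while the paragraph is being reflowed. The mask description would also read more precisely if the two sentences "the mask is recomputed. It is recomputed to be the group permission defined in the mode passed to chmod(2)." were merged into one.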
*** 76,86 ****
user:joe:rw-
NFSv4 ACLs
! NFSv4 ACL model is based loosely on the Windows NT ACL model. NFSv4
ACLs provide a much richer ACL model than POSIX-draft ACLs.
The major differences between NFSv4 and POSIX-draft ACLs are as
follows:
--- 75,85 ----
user:joe:rw-
NFSv4 ACLs
! The NFSv4 ACL model is based loosely on the Windows NT ACL model. NFSv4
ACLs provide a much richer ACL model than POSIX-draft ACLs.
The major differences between NFSv4 and POSIX-draft ACLs are as
follows:
*** 101,111 ****
inheritance is applied to the directory itself, to just
one level of subdirectories, or cascades to all
subdirectories of the directory.
o NFSv4 ACLs provide a mechanism for hooking into a system's
! audit trail. Currently, Solaris does not support this
mechanism.
o NFSv4 ACLs enable administrators to specify the order in
which ACL entries are checked. With POSIX-draft ACLs the
file system reorders ACL entries into a well defined, strict
--- 100,110 ----
inheritance is applied to the directory itself, to just
one level of subdirectories, or cascades to all
subdirectories of the directory.
o NFSv4 ACLs provide a mechanism for hooking into a system's
! audit trail. Currently, illumos does not support this
mechanism.
o NFSv4 ACLs enable administrators to specify the order in
which ACL entries are checked. With POSIX-draft ACLs the
file system reorders ACL entries into a well defined, strict
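Review bot: the "Solaris" to "illumos" substitution is right here, but "Currently, illumos does not support this mechanism" is a statement about the current tree that should be checked against the code before this is committed, since stale "not supported" text about ACL audit hooks is exactly what an administrator relying on an audit trail would be misled by. Also, "well defined" in the unchanged context is used as a compound adjective and should be hyphenated ("well-defined").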
*** 340,352 ****
user:fred:rwR:f:allow
user:fred:rwR:f------:allow
! Shell-level Solaris API
! The Solaris command interface supports the manipulation of ACLs. The
! following Solaris utilities accommodate both ACL models:
chmod
The chmod utility has been enhanced to allow for the
setting and deleting of ACLs. This is achieved by extending
the symbolic-mode argument to support ACL manipulation. See
--- 339,351 ----
user:fred:rwR:f:allow
user:fred:rwR:f------:allow
! Shell-level API
! Several utilities support the manipulation of ACLs. The following
! utilities accommodate both ACL models:
chmod
The chmod utility has been enhanced to allow for the
setting and deleting of ACLs. This is achieved by extending
the symbolic-mode argument to support ACL manipulation. See
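Review bot: the new text "Several utilities support the manipulation of ACLs. The following utilities accommodate both ACL models:" says the same thing twice; consider a single sentence such as "The following utilities support the manipulation of ACLs and accommodate both ACL models:".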
*** 407,438 ****
Application-level API
The primary interfaces required to access file system ACLs at the
programmatic level are the acl_get() and acl_set() functions. These
! functions support both POSIX draft ACLs and NFSv4 ACLs.
Retrieving a file's ACL
int acl_get(const char *path, int flag, acl_t **aclp);
int facl_get(int fd, int flag, acl_t **aclp);
! The acl_get(3SEC) and facl_get(3SEC) functions retrieves an ACL on a
file whose name is given by path or referenced by the open file
descriptor fd. The flag argument specifies whether a trivial ACL should
! be retrieved. When the flag argument equals ACL_NO_TRIVIAL then only
! ACLs that are not trivial are retrieved. The ACL is returned in the
! aclp argument.
Freeing ACL structure
! void acl_free(acl_t *aclp)s;
The acl_free() function frees up memory allocated for the argument
! aclp;.
Setting an ACL on a file
int acl_set(const char *path, acl_t *aclp);
int facl_set(int fd, acl_t *aclp);
--- 406,437 ----
Application-level API
The primary interfaces required to access file system ACLs at the
programmatic level are the acl_get() and acl_set() functions. These
! functions support both POSIX-draft ACLs and NFSv4 ACLs.
Retrieving a file's ACL
int acl_get(const char *path, int flag, acl_t **aclp);
int facl_get(int fd, int flag, acl_t **aclp);
! The acl_get(3SEC) and facl_get(3SEC) functions retrieve an ACL on a
file whose name is given by path or referenced by the open file
descriptor fd. The flag argument specifies whether a trivial ACL should
! be retrieved. When the flag argument equals ACL_NO_TRIVIAL only ACLs
! that are not trivial are retrieved. The ACL is returned in the aclp
! argument.
Freeing ACL structure
! void acl_free(acl_t *aclp);
The acl_free() function frees up memory allocated for the argument
! aclp.
Setting an ACL on a file
int acl_set(const char *path, acl_t *aclp);
int facl_set(int fd, acl_t *aclp);
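Review bot: the rewritten acl_get() paragraph still does not say what aclp holds when the flag is ACL_NO_TRIVIAL and the file's ACL is trivial (is *aclp set to NULL, and does the call still return success?); a caller that goes on to dereference or acl_free() the result needs that documented next to the ACL_NO_TRIVIAL sentence. Minor: "frees up memory" could be "frees the memory", and the heading "Freeing ACL structure" could be "Freeing an ACL structure".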
*** 439,452 ****
The acl_set(3SEC) and facl_get(3SEC) functions are used for setting an
ACL on a file whose name is given by path or referenced by the open
file descriptor fd. The aclp argument specifies the ACL to set. The
! acl_set(3SEC) translates an POSIX-draft ACL into a NFSv4 ACL when the
! target file systems supports NFSv4 ACLs. No translation is performed
! when trying to set an NFSv4 ACL on a POSIX-draft ACL supported file
! system.
Determining an ACL's trivialness
int acl_trivial(const char *path);
--- 438,451 ----
The acl_set(3SEC) and facl_get(3SEC) functions are used for setting an
ACL on a file whose name is given by path or referenced by the open
file descriptor fd. The aclp argument specifies the ACL to set. The
! acl_set(3SEC) function translates a POSIX-draft ACL into a NFSv4 ACL
! when the target file system supports NFSv4 ACLs. No translation is
! performed when trying to set an NFSv4 ACL on a POSIX-draft ACL
! supported file system.
Determining an ACL's trivialness
int acl_trivial(const char *path);
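Review bot: the first context line of this hunk, "The acl_set(3SEC) and facl_get(3SEC) functions are used for setting an ACL", names the wrong function: the prototypes immediately above are acl_set() and facl_set(), and facl_get() retrieves rather than sets, so it should read "The acl_set(3SEC) and facl_set(3SEC) functions". In the changed lines, "a NFSv4 ACL" should be "an NFSv4 ACL" for consistency with "an NFSv4 ACL" two lines later, and "No translation is performed when trying to set an NFSv4 ACL on a POSIX-draft ACL supported file system" should state the outcome (does the call fail with an error, or is the ACL applied as-is?), since a caller applying a restrictive ACL needs to know whether it actually took effect.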
*** 473,484 ****
The acl_totext() function converts an internal ACL representation
pointed to by aclp into an external representation. See DESCRIPTION for
details about external representation.
! The acl_fromtext() functions converts and external representation into
! an internal representation. See DESCRIPTION for details about external
representation.
EXAMPLES
The following examples demonstrate how the API can be used to perform
basic operations on ACLs.
--- 472,483 ----
The acl_totext() function converts an internal ACL representation
pointed to by aclp into an external representation. See DESCRIPTION for
details about external representation.
! The acl_fromtext() function converts an external representation into an
! internal representation. See DESCRIPTION for details about external
representation.
EXAMPLES
The following examples demonstrate how the API can be used to perform
basic operations on ACLs.
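Review bot: both paragraphs in this hunk end with "See DESCRIPTION for details about external representation"; the sentence can be stated once, after the acl_fromtext() paragraph, now that the acl_fromtext() sentence is being rewritten. The fix from "functions converts and external" to "function converts an external" is correct.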
*** 546,551 ****
aclsort(3SEC), acl_fromtext(3SEC), acl_free(3SEC), acl_strip(3SEC),
acl_trivial(3SEC)
! November 24, 2014 ACL(5)
--- 545,550 ----
aclsort(3SEC), acl_fromtext(3SEC), acl_free(3SEC), acl_strip(3SEC),
acl_trivial(3SEC)
! February 8, 2020 ACL(5)