12288 getfacl and setfacl could stand improvement
--- old/usr/src/man/man5/acl.5
+++ new/usr/src/man/man5/acl.5
1 1 '\" te
2 +.\" Copyright (c) 2020 Peter Tribble.
2 3 .\" Copyright 2014 Nexenta Systems, Inc. All rights reserved.
3 4 .\" Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved.
4 5 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
5 6 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
6 7 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
7 -.TH ACL 5 "Nov 24, 2014"
8 +.TH ACL 5 "Feb 8, 2020"
8 9 .SH NAME
9 10 acl \- Access Control Lists
10 11 .SH DESCRIPTION
11 -.LP
12 12 Access control lists (ACLs) are discretionary access control mechanisms that
13 13 grant and deny access to files and directories. Two different ACL models are
14 -supported in the Solaris release: POSIX-draft ACLs and NFSv4 ACLs.
14 +supported in this release: POSIX-draft ACLs and NFSv4 ACLs.
15 15 .sp
16 16 .LP
17 17 The older, POSIX-draft model is supported by the UFS file system. This model is
18 18 based on a withdrawn ACL POSIX specification that was never standardized. It
19 19 was subsequently withdrawn by the POSIX committee.
20 20 .sp
21 21 .LP
22 22 The other model is based on the standards of the NFSv4 working group and is an
23 23 approved standard from the Internet Engineering Task Force (IETF). The ZFS file
24 24 system uses the NFSv4 model, and provides richer semantics and finer grained
25 25 permission capabilities than the POSIX-draft model.
26 -.SS "\fBPOSIX\fR-draft \fBACL\fRs"
27 -.LP
26 +.SS "POSIX-draft ACLs"
28 27 POSIX-draft ACLs provide an alternative security mechanism to basic UNIX file
29 -permissions in the Solaris release. Their purpose is to further restrict access
28 +permissions. Their purpose is to further restrict access
30 29 to files and directories or to extend permissions to a particular user. ACLs
31 30 can be used to change the permissions for the standard owner, group and other
32 31 class bits of a file's mode. ACLs can give additional users and groups access
33 32 to the file. A directory can also have a special kind of ACL called a
34 33 \fBdefault\fR ACL, which defines ACL entries to be inherited by descendents of
35 34 the directory. POSIX-draft ACLs have an ACL entry called \fBmask\fR. The mask
36 35 defines the maximum permissions that can be granted to additional user and
37 36 group entries. Whenever a file is created or its mode is changed by
38 37 \fBchmod\fR(1) or \fBchmod\fR(2), the mask is recomputed. It is recomputed to
39 38 be the group permission defined in the mode passed to \fBchmod\fR(2).
40 39 .sp
41 40 .LP
42 41 The POSIX-draft ACL model uses the standard \fBrwx\fR model of traditional UNIX
43 42 permissions.
44 43 .sp
45 44 .LP
46 45 An ACL is represented as follows:
47 46 .sp
48 47 .in +2
49 48 .nf
50 49 \fIacl_entry\fR[,\fIacl_entry\fR]...
51 50 .fi
52 51 .in -2
53 52 .sp
54 53
55 54 .sp
56 55 .LP
57 56 Each \fIacl_entry\fR contains one ACL entry. An ACL entry is represented by two
58 57 or three colon-separated(\fB:\fR) fields.
59 58 .sp
60 59 .ne 2
61 60 .na
62 61 \fB\fIuser\fR:[\fIuid\fR]:\fIperms\fR\fR
63 62 .ad
64 63 .RS 21n
65 64 If \fIuid\fR blank, it represents the file owner.
66 65 .RE
67 66
68 67 .sp
69 68 .ne 2
70 69 .na
71 70 \fB\fIgroup\fR:[\fIgid\fR]:\fIperms\fR\fR
72 71 .ad
73 72 .RS 21n
74 73 If \fIgid\fR is blank, it represents the owning group.
75 74 .RE
76 75
77 76 .sp
78 77 .ne 2
79 78 .na
80 79 \fB\fIother\fR:\fIperms\fR\fR
81 80 .ad
82 81 .RS 21n
83 82 Represents the file other class.
84 83 .RE
85 84
86 85 .sp
87 86 .ne 2
88 87 .na
89 88 \fB\fImask\fR:\fIperms\fR\fR
90 89 .ad
91 90 .RS 21n
92 91 Defines the \fBMAX\fR permission to hand out.
93 92 .RE
94 93
95 94 .sp
96 95 .LP
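Review bot: next to the reworded "supported in this release" sentence, new lines 17-19 still state the withdrawal twice ("based on a withdrawn ACL POSIX specification that was never standardized. It was subsequently withdrawn by the POSIX committee."). Since this change is a wording pass over the section, drop one of the two. In the same region, new line 64 reads "If uid blank" while the group entry below it has "If gid is blank"; add the missing "is".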
97 96 For example to give user \fBjoe\fR read and write permissions, the ACL entry is
98 97 specified as:
99 98 .sp
100 99 .in +2
101 100 .nf
102 101 user:joe:rw-
103 102 .fi
104 103 .in -2
105 104 .sp
106 105
107 -.SS "\fBNFS\fRv4 \fBACL\fRs"
108 -.LP
109 -NFSv4 ACL model is based loosely on the Windows NT ACL model. NFSv4 ACLs
106 +.SS "NFSv4 ACLs"
107 +The NFSv4 ACL model is based loosely on the Windows NT ACL model. NFSv4 ACLs
110 108 provide a much richer ACL model than POSIX-draft ACLs.
111 109 .sp
112 110 .LP
113 111 The major differences between NFSv4 and POSIX-draft ACLs are as follows:
114 112 .RS +4
115 113 .TP
116 114 .ie t \(bu
117 115 .el o
118 116 NFSv4 ACLs provide finer grained permissions than the \fBrwx\fR model.
119 117 .RE
120 118 .RS +4
121 119 .TP
122 120 .ie t \(bu
123 121 .el o
124 122 NFSv4 ACLs allow for both \fBALLOW\fR and \fBDENY\fR entries.
125 123 .RE
126 124 .RS +4
127 125 .TP
128 126 .ie t \(bu
129 127 .el o
130 128 NFSv4 ACLs provide a rich set of inheritance semantics. POSIX ACLs also have
131 129 inheritance, but with the NFSv4 model you can control the following inheritance
132 130 features:
133 131 .RS +4
134 132 .TP
135 133 .ie t \(bu
136 134 .el o
137 135 Whether inheritance cascades to both files and directories or only to files or
138 136 directories.
139 137 .RE
140 138 .RS +4
141 139 .TP
142 140 .ie t \(bu
143 141 .el o
144 142 In the case of directories, you can indicate whether inheritance is applied to
145 143 the directory itself, to just one level of subdirectories, or cascades to all
146 144 subdirectories of the directory.
147 145 .RE
148 146 .RE
149 147 .RS +4
150 148 .TP
151 149 .ie t \(bu
152 150 .el o
153 151 NFSv4 ACLs provide a mechanism for hooking into a system's audit trail.
154 -Currently, Solaris does not support this mechanism.
152 +Currently, illumos does not support this mechanism.
155 153 .RE
156 154 .RS +4
157 155 .TP
158 156 .ie t \(bu
159 157 .el o
160 158 NFSv4 ACLs enable administrators to specify the order in which ACL entries are
161 159 checked. With POSIX-draft ACLs the file system reorders ACL entries into a well
162 160 defined, strict access, checking order.
163 161 .RE
164 162 .sp
165 163 .LP
166 164 POSIX-draft ACL semantics can be achieved with NFSv4 ACLs. However, only some
167 165 NFSv4 ACLs can be translated to equivalent POSIX-draft ACLs.
168 166 .sp
169 167 .LP
170 168 Permissions can be specified in three different \fBchmod\fR ACL formats:
171 169 verbose, compact, or positional. The verbose format uses words to indicate that
172 170 the permissions are separated with a forward slash (\fB/\fR) character. Compact
173 171 format uses the permission letters and positional format uses the permission
174 172 letters or the hyphen (\fB-\fR) to identify no permissions.
175 173 .sp
176 174 .LP
177 175 The permissions for verbose mode and their abbreviated form in parentheses for
178 176 compact and positional mode are described as follows:
179 177 .sp
180 178 .ne 2
181 179 .na
182 180 \fBread_data (\fBr\fR)\fR
183 181 .ad
184 182 .RS 24n
185 183 Permission to read the data of the file
186 184 .RE
187 185
188 186 .sp
189 187 .ne 2
190 188 .na
191 189 \fBlist_directory (\fBr\fR)\fR
192 190 .ad
193 191 .RS 24n
194 192 Permission to list the contents of a directory.
195 193 .RE
196 194
197 195 .sp
198 196 .ne 2
199 197 .na
200 198 \fBwrite_data (\fBw\fR)\fR
201 199 .ad
202 200 .RS 24n
203 201 Permission to modify a file's data anywhere in the file's offset range. This
204 202 includes the ability to grow the file or write to any arbitrary offset.
205 203 .RE
206 204
207 205 .sp
208 206 .ne 2
209 207 .na
210 208 \fBadd_file (\fBw\fR)\fR
211 209 .ad
212 210 .RS 24n
213 211 Permission to add a new file to a directory.
214 212 .RE
215 213
216 214 .sp
217 215 .ne 2
218 216 .na
219 217 \fBappend_data (\fBp\fR)\fR
220 218 .ad
221 219 .RS 24n
222 220 The ability to modify the file's data, but only starting at EOF. Currently,
223 221 this permission is not supported.
224 222 .RE
225 223
226 224 .sp
227 225 .ne 2
228 226 .na
229 227 \fBadd_subdirectory (\fBp\fR)\fR
230 228 .ad
231 229 .RS 24n
232 230 Permission to create a subdirectory to a directory.
233 231 .RE
234 232
235 233 .sp
236 234 .ne 2
237 235 .na
238 236 \fBread_xattr (\fBR\fR)\fR
239 237 .ad
240 238 .RS 24n
241 239 The ability to read the extended attributes of a file or do a lookup in the
242 240 extended attributes directory.
243 241 .RE
244 242
245 243 .sp
246 244 .ne 2
247 245 .na
248 246 \fBwrite_xattr (\fBW\fR)\fR
249 247 .ad
250 248 .RS 24n
251 249 The ability to create extended attributes or write to the extended attributes
252 250 directory.
253 251 .RE
254 252
255 253 .sp
256 254 .ne 2
257 255 .na
258 256 \fBexecute (\fBx\fR)\fR
259 257 .ad
260 258 .RS 24n
261 259 Permission to execute a file.
262 260 .RE
263 261
264 262 .sp
265 263 .ne 2
266 264 .na
267 265 \fBread_attributes (\fBa\fR)\fR
268 266 .ad
269 267 .RS 24n
270 268 The ability to read basic attributes (non-ACLs) of a file. Basic attributes are
271 269 considered to be the stat level attributes. Allowing this access mask bit means
272 270 that the entity can execute \fBls\fR(1) and \fBstat\fR(2).
273 271 .RE
274 272
275 273 .sp
276 274 .ne 2
277 275 .na
278 276 \fBwrite_attributes (\fBA\fR)\fR
279 277 .ad
280 278 .RS 24n
281 279 Permission to change the times associated with a file or directory to an
282 280 arbitrary value.
283 281 .RE
284 282
285 283 .sp
286 284 .ne 2
287 285 .na
288 286 \fBdelete (\fBd\fR)\fR
289 287 .ad
290 288 .RS 24n
291 289 Permission to delete the file.
292 290 .RE
293 291
294 292 .sp
295 293 .ne 2
296 294 .na
297 295 \fBdelete_child (\fBD\fR)\fR
298 296 .ad
299 297 .RS 24n
300 298 Permission to delete a file within a directory.
301 299 .RE
302 300
303 301 .sp
304 302 .ne 2
305 303 .na
306 304 \fBread_acl (\fBc\fR)\fR
307 305 .ad
308 306 .RS 24n
309 307 Permission to read the ACL.
310 308 .RE
311 309
312 310 .sp
313 311 .ne 2
314 312 .na
315 313 \fBwrite_acl (\fBC\fR)\fR
316 314 .ad
317 315 .RS 24n
318 316 Permission to write the ACL or the ability to execute \fBchmod\fR(1) or
319 317 \fBsetfacl\fR(1).
320 318 .RE
321 319
322 320 .sp
323 321 .ne 2
324 322 .na
325 323 \fBwrite_owner (\fBo\fR)\fR
326 324 .ad
327 325 .RS 24n
328 326 Permission to change the owner or the ability to execute \fBchown\fR(1) or
329 327 \fBchgrp\fR(1).
330 328 .RE
331 329
332 330 .sp
333 331 .ne 2
334 332 .na
335 333 \fBsynchronize (\fBs\fR)\fR
336 334 .ad
337 335 .RS 24n
338 336 Permission to access a file locally at the server with synchronous reads and
339 337 writes. Currently, this permission is not supported.
340 338 .RE
341 339
342 340 .sp
343 341 .LP
344 342 The following inheritance flags are supported by NFSv4 ACLs:
345 343 .sp
346 344 .ne 2
347 345 .na
348 346 \fBfile_inherit (\fBf\fR)\fR
349 347 .ad
350 348 .RS 26n
351 349 Inherit to all newly created files in a directory.
352 350 .RE
353 351
354 352 .sp
355 353 .ne 2
356 354 .na
357 355 \fBdir_inherit (\fBd\fR)\fR
358 356 .ad
359 357 .RS 26n
360 358 Inherit to all newly created directories in a directory.
361 359 .RE
362 360
363 361 .sp
364 362 .ne 2
365 363 .na
366 364 \fBinherit_only (\fBi\fR)\fR
367 365 .ad
368 366 .RS 26n
369 367 Placed on a directory, but does not apply to the directory itself, only to
370 368 newly created files and directories. This flag requires file_inherit
371 369 and/or dir_inherit to indicate what to inherit.
372 370 .RE
373 371
374 372 .sp
375 373 .ne 2
376 374 .na
377 375 \fBno_propagate (\fBn\fR)\fR
378 376 .ad
379 377 .RS 26n
380 378 Placed on directories and indicates that ACL entries should only be inherited
381 379 one level of the tree. This flag requires file_inherit and/or dir_inherit to
382 380 indicate what to inherit.
383 381 .RE
384 382
385 383 .sp
386 384 .ne 2
387 385 .na
388 386 \fBsuccessful_access (\fBS\fR)\fR
389 387 .ad
390 388 .RS 26n
391 389 Indicates whether an alarm or audit record should be initiated upon successful
392 390 accesses. Used with audit/alarm ACE types.
393 391 .RE
394 392
395 393 .sp
396 394 .ne 2
397 395 .na
398 396 \fBfailed_access (\fBF\fR)\fR
399 397 .ad
400 398 .RS 26n
401 399 Indicates whether an alarm or audit record should be initiated when access
402 400 fails. Used with audit/alarm ACE types.
403 401 .RE
404 402
405 403 .sp
406 404 .ne 2
407 405 .na
408 406 \fBinherited (\fBI\fR)\fR
409 407 .ad
410 408 .RS 26n
411 409 ACE was inherited.
412 410 .RE
413 411
414 412 .sp
415 413 .ne 2
416 414 .na
417 415 \fB\fB-\fR\fR
418 416 .ad
419 417 .RS 26n
420 418 No permission granted.
421 419 .RE
422 420
423 421 .sp
424 422 .LP
425 423 An NFSv4 ACL is expressed using the following syntax:
426 424 .sp
427 425 .in +2
428 426 .nf
429 427 \fIacl_entry\fR[,\fIacl_entry\fR]...
430 428
431 429 owner@:<perms>[:inheritance flags]:<allow|deny>
432 430 group@:<perms>[:inheritance flags]:<allow|deny>
433 431 everyone@:<perms>[:inheritance flags]:<allow|deny>
434 432 user:<username>:<perms>[:inheritance flags]:<allow|deny>
435 433 usersid:<sid string>:<perms>[:inheritance flags]:<allow|deny>
436 434 group:<groupname>:<perms>[:inheritance flags]:<allow|deny>
437 435 groupsid:<sid string>:<perms>[:inheritance flags]:<allow|deny>
438 436 sid:<sid string>:<perms>[:inheritance flags]:<allow|deny>
439 437 .fi
440 438 .in -2
441 439
442 440 .sp
443 441 .ne 2
444 442 .na
445 443 \fBowner@\fR
446 444 .ad
447 445 .RS 10n
448 446 File owner
449 447 .RE
450 448
451 449 .sp
452 450 .ne 2
453 451 .na
454 452 \fBgroup@\fR
455 453 .ad
456 454 .RS 10n
457 455 Group owner
458 456 .RE
459 457
460 458 .sp
461 459 .ne 2
462 460 .na
463 461 \fBuser\fR
464 462 .ad
465 463 .RS 10n
466 464 Permissions for a specific user
467 465 .RE
468 466
469 467 .sp
470 468 .ne 2
471 469 .na
472 470 \fBgroup\fR
473 471 .ad
474 472 .RS 10n
475 473 Permissions for a specific group
476 474 .RE
477 475
478 476 .sp
479 477 .LP
480 478 Permission and inheritance flags are separated by a \fB/\fR character.
481 479 .sp
482 480 .LP
483 481 ACL specification examples:
484 482 .sp
485 483 .in +2
486 484 .nf
487 485 user:fred:read_data/write_data/read_attributes:file_inherit:allow
488 486 owner@:read_data:allow,group@:read_data:allow,user:tom:read_data:deny
489 487 .fi
490 488 .in -2
491 489 .sp
492 490
493 491 .sp
494 492 .LP
495 493 Using the compact ACL format, permissions are specified by using 14 unique
496 494 letters to indicate permissions.
497 495 .sp
498 496 .LP
499 497 Using the positional ACL format, permissions are specified as positional
500 498 arguments similar to the \fBls -V\fR format. The hyphen (\fB-\fR), which
501 499 indicates that no permission is granted at that position, can be omitted and
502 500 only the required letters have to be specified.
503 501 .sp
504 502 .LP
505 503 The letters above are listed in the order they would be specified in positional
506 504 notation.
507 505 .sp
508 506 .LP
509 507 With these letters you can specify permissions in the following equivalent
510 508 ways.
511 509 .sp
512 510 .in +2
513 511 .nf
514 512 user:fred:rw------R------:file_inherit:allow
515 513 .fi
516 514 .in -2
517 515 .sp
518 516
519 517 .sp
520 518 .LP
521 519 Or you can remove the \fB-\fR and scrunch it together.
522 520 .sp
523 521 .in +2
524 522 .nf
525 523 user:fred:rwR:file_inherit:allow
526 524 .fi
527 525 .in -2
528 526 .sp
529 527
530 528 .sp
531 529 .LP
532 530 The inheritance flags can also be specified in a more compact manner, as
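Review bot: the changed bullet at new line 152 says illumos does not support the audit-trail mechanism, but later in this region successful_access (S) and failed_access (F) are still described as "Used with audit/alarm ACE types", and the syntax block at new lines 429-436 accepts only <allow|deny>. Suggest noting on those two flags that audit/alarm entries are not currently supported, so a reader does not expect them to produce audit records.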
533 531 follows:
534 532 .sp
535 533 .in +2
536 534 .nf
537 535 user:fred:rwR:f:allow
538 536 user:fred:rwR:f------:allow
539 537 .fi
540 538 .in -2
541 539 .sp
542 540
543 -.SS "Shell-level Solaris \fBAPI\fR"
544 -.LP
545 -The Solaris command interface supports the manipulation of ACLs. The following
546 -Solaris utilities accommodate both ACL models:
541 +.SS "Shell-level API"
542 +Several utilities support the manipulation of ACLs. The following
543 +utilities accommodate both ACL models:
547 544 .sp
548 545 .ne 2
549 546 .na
550 547 \fB\fBchmod\fR\fR
551 548 .ad
552 549 .RS 12n
553 550 The \fBchmod\fR utility has been enhanced to allow for the setting and deleting
554 551 of ACLs. This is achieved by extending the symbolic-mode argument to support
555 552 ACL manipulation. See \fBchmod\fR(1) for details.
556 553 .RE
557 554
558 555 .sp
559 556 .ne 2
560 557 .na
561 558 \fB\fBcompress\fR\fR
562 559 .ad
563 560 .RS 12n
564 561 When a file is compressed any ACL associated with the original file is
565 562 preserved with the compressed file.
566 563 .RE
567 564
568 565 .sp
569 566 .ne 2
570 567 .na
571 568 \fB\fBcp\fR\fR
572 569 .ad
573 570 .RS 12n
574 571 By default, \fBcp\fR ignores ACLs, unless the \fB-p\fR option is specified.
575 572 When \fB-p\fR is specified the owner and group id, permission modes,
576 573 modification and access times, ACLs, and extended attributes if applicable are
577 574 preserved.
578 575 .RE
579 576
580 577 .sp
581 578 .ne 2
582 579 .na
583 580 \fB\fBcpio\fR\fR
584 581 .ad
585 582 .RS 12n
586 583 ACLs are preserved when the \fB-P\fR option is specified.
587 584 .RE
588 585
589 586 .sp
590 587 .ne 2
591 588 .na
592 589 \fB\fBfind\fR\fR
593 590 .ad
594 591 .RS 12n
595 592 Find locates files with ACLs when the \fB-acl\fR flag is specified.
596 593 .RE
597 594
598 595 .sp
599 596 .ne 2
600 597 .na
601 598 \fB\fBls\fR\fR
602 599 .ad
603 600 .RS 12n
604 601 By default \fBls\fR does not display ACL information. When the \fB-v\fR option
605 602 is specified, a file's ACL is displayed.
606 603 .RE
607 604
608 605 .sp
609 606 .ne 2
610 607 .na
611 608 \fB\fBmv\fR\fR
612 609 .ad
613 610 .RS 12n
614 611 When a file is moved, all attributes are carried along with the renamed file.
615 612 When a file is moved across a file system boundary, the ACLs are replicated. If
616 613 the ACL information cannot be replicated, the move fails and the source file is
617 614 not removed.
618 615 .RE
619 616
620 617 .sp
621 618 .ne 2
622 619 .na
623 620 \fB\fBpack\fR\fR
624 621 .ad
625 622 .RS 12n
626 623 When a file is packed, any ACL associated with the original file is preserved
627 624 with the packed file.
628 625 .RE
629 626
630 627 .sp
631 628 .ne 2
632 629 .na
633 630 \fB\fBrcp\fR\fR
634 631 .ad
635 632 .RS 12n
636 633 \fBrcp\fR has been enhanced to support copying. A file's ACL is only preserved
637 634 when the remote host supports ACLs.
638 635 .RE
639 636
640 637 .sp
641 638 .ne 2
642 639 .na
643 640 \fB\fBtar\fR\fR
644 641 .ad
645 642 .RS 12n
646 643 ACLs are preserved when the \fB-p\fR option is specified.
647 644 .RE
648 645
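Review bot: the rewritten intro at new lines 542-543 promises utilities that "accommodate both ACL models", but the rcp entry at new line 633 only says it "has been enhanced to support copying", which does not say what is copied. Since the surrounding wording is being cleaned up, make it "to support copying ACLs" (or similar) so the entry matches the sentence that follows it about ACL preservation on the remote host.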
649 646 .sp
650 647 .ne 2
651 648 .na
652 649 \fB\fBunpack\fR\fR
653 650 .ad
654 651 .RS 12n
655 652 When a file with an ACL is unpacked, the unpacked file retains the ACL
656 653 information.
657 654 .RE
658 655
659 -.SS "Application-level \fBAPI\fR"
660 -.LP
656 +.SS "Application-level API"
661 657 The primary interfaces required to access file system ACLs at the programmatic
662 658 level are the \fBacl_get()\fR and \fBacl_set()\fR functions. These functions
663 -support both POSIX draft ACLs and NFSv4 ACLs.
664 -.SS "Retrieving a file's \fBACL\fR"
659 +support both POSIX-draft ACLs and NFSv4 ACLs.
660 +.SS "Retrieving a file's ACL"
665 661 .in +2
666 662 .nf
667 663 int acl_get(const char *path, int flag, acl_t **aclp);
668 664 int facl_get(int fd, int flag, acl_t **aclp);
669 665 .fi
670 666 .in -2
671 667
672 668 .sp
673 669 .LP
674 -The \fBacl_get\fR(3SEC) and \fBfacl_get\fR(3SEC) functions retrieves an ACL on
670 +The \fBacl_get\fR(3SEC) and \fBfacl_get\fR(3SEC) functions retrieve an ACL on
675 671 a file whose name is given by path or referenced by the open file descriptor
676 672 fd. The flag argument specifies whether a trivial ACL should be retrieved. When
677 -the flag argument equals \fBACL_NO_TRIVIAL\fR then only ACLs that are not
673 +the flag argument equals \fBACL_NO_TRIVIAL\fR only ACLs that are not
678 674 trivial are retrieved. The ACL is returned in the \fBaclp\fR argument.
679 -.SS "Freeing \fBACL\fR structure"
675 +.SS "Freeing ACL structure"
680 676 .in +2
681 677 .nf
682 -void acl_free(acl_t *aclp)s;
678 +void acl_free(acl_t *aclp);
683 679 .fi
684 680 .in -2
685 681
686 682 .sp
687 683 .LP
688 684 The \fBacl_free()\fR function frees up memory allocated for the argument
689 -\fBaclp;\fR.
690 -.SS "Setting an \fBACL\fR on a file"
685 +\fBaclp\fR.
686 +.SS "Setting an ACL on a file"
691 687 .in +2
692 688 .nf
693 689 int acl_set(const char *path, acl_t *aclp);
694 690 int facl_set(int fd, acl_t *aclp);
695 691 .fi
696 692 .in -2
697 693
698 694 .sp
699 695 .LP
700 696 The \fBacl_set\fR(3SEC) and \fBfacl_get\fR(3SEC) functions are used for setting
701 697 an ACL on a file whose name is given by path or referenced by the open file
702 698 descriptor \fBfd\fR. The \fBaclp\fR argument specifies the ACL to set. The
703 -\fBacl_set\fR(3SEC) translates an POSIX-draft ACL into a NFSv4 ACL when the
704 -target file systems supports NFSv4 ACLs. No translation is performed when
699 +\fBacl_set\fR(3SEC) function translates a POSIX-draft ACL into a NFSv4 ACL when
700 +the target file system supports NFSv4 ACLs. No translation is performed when
705 701 trying to set an NFSv4 ACL on a POSIX-draft ACL supported file system.
706 -.SS "Determining an \fBACL\fR's trivialness"
702 +.SS "Determining an ACL's trivialness"
707 703 .in +2
708 704 .nf
709 705 int acl_trivial(const char *path);
710 706 .fi
711 707 .in -2
712 708
713 709 .sp
714 710 .LP
715 711 The \fBacl_trivial()\fR function is used to determine whether a file has a
716 712 trivial ACL.
717 -.SS "Removing all \fBACL\fRs from a file"
713 +.SS "Removing all ACLs from a file"
718 714 .in +2
719 715 .nf
720 716 int acl_strip(const char *path, uid_t uid, gid_t gid, mode_t mode);
721 717 .fi
722 718 .in -2
723 719
724 720 .sp
725 721 .LP
726 722 The \fBacl_strip()\fR function removes all ACLs from a file and replaces them
727 723 with a trivial ACL based off of the passed in argument mode. After replacing
728 724 the ACL the owner and group of the file are set to the values specified in the
729 725 uid and gid parameters.
730 -.SS "Converting \fBACL\fRs to/from external representation"
726 +.SS "Converting ACLs to/from external representation"
731 727 .in +2
732 728 .nf
733 729 int acl_fromtext(const char *path, acl_t **aclp);
734 730 char *acl_totext(acl_t *aclp, int flags);
735 731 .fi
736 732 .in -2
737 733
738 734 .sp
739 735 .LP
740 736 The \fBacl_totext()\fR function converts an internal ACL representation pointed
741 737 to by aclp into an external representation. See \fBDESCRIPTION\fR for details
742 738 about external representation.
743 739 .sp
744 740 .LP
745 -The \fBacl_fromtext()\fR functions converts and external representation into an
741 +The \fBacl_fromtext()\fR function converts an external representation into an
746 742 internal representation. See \fBDESCRIPTION\fR for details about external
747 743 representation.
748 744 .SH EXAMPLES
749 -.LP
750 745 The following examples demonstrate how the API can be used to perform basic
751 746 operations on ACLs.
752 747 .LP
753 748 \fBExample 1 \fRRetrieving and Setting an ACL
754 749 .sp
755 750 .LP
756 751 Use the following to retrieve an ACL and set it on another file:
757 752
758 753 .sp
759 754 .in +2
760 755 .nf
761 756 error = acl_get("file", ACL_NO_TRIVIAL, &aclp);
762 757
763 758 if (error == 0 && aclp != NULL) {
764 759 .in +8
765 760 error = acl_set("file2", aclp);
766 761 acl_free(aclp);
767 762 .in -8
768 763 }
769 764 \&...
770 765 .fi
771 766 .in -2
772 767
773 768 .LP
774 769 \fBExample 2 \fRRetrieving and Setting Any ACLs
775 770 .sp
776 771 .LP
777 772 Use the following to retrieve any ACL, including trivial ACLs, and set it on
778 773 another file:
779 774
780 775 .sp
781 776 .in +2
782 777 .nf
783 778 error = acl_get("file3", 0, &aclp);
784 779 if (error == 0) {
785 780 .in +8
786 781 error = acl_set("file4", aclp);
787 782 acl_free(aclp);
788 783 .in -8
789 784 }
790 785 \&...
791 786 .fi
792 787 .in -2
793 788
794 789 .LP
795 790 \fBExample 3 \fRDetermining if a File has a Trivial ACL
796 791 .sp
797 792 .LP
798 793 Use the following to determine if a file has a trivial ACL:
799 794
800 795 .sp
801 796 .in +2
802 797 .nf
803 798 char *file = "file5";
804 799 istrivial = acl_trivial(file);
805 800
806 801 if (istrivial == 0)
807 802 .in +8
808 803 printf("file %s has a trivial ACL\en", file);
809 804 .in -8
810 805 else
811 806 .in +8
812 807 printf("file %s has a NON-trivial ACL\en", file);
813 808 .in -8
814 809 \&...
815 810 .fi
816 811 .in -2
817 812
818 813 .LP
819 814 \fBExample 4 \fRRemoving all ACLs from a File
820 815 .sp
821 816 .LP
822 817 Use the following to remove all ACLs from a file, and set a new mode, owner,
823 818 and group:
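Review bot: new line 696 still reads "The acl_set(3SEC) and facl_get(3SEC) functions are used for setting an ACL", although the synopsis directly above it lists acl_set() and facl_set(); the grammar fix on new lines 699-700 stopped one sentence short, so change facl_get to facl_set here. In the added line 699, "a NFSv4 ACL" should be "an NFSv4 ACL", matching "an NFSv4 ACL" on new line 701.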
824 819
825 820 .sp
826 821 .in +2
827 822 .nf
828 823 error = acl_strip("file", 10, 100, 0644);
829 824 \&...
830 825 .fi
831 826 .in -2
832 827
833 828 .SH SEE ALSO
834 -.LP
835 829 \fBchgrp\fR(1), \fBchmod\fR(1), \fBchown\fR(1), \fBcp\fR(1), \fBcpio\fR(1),
836 830 \fBfind\fR(1), \fBls\fR(1), \fBmv\fR(1), \fBtar\fR(1), \fBsetfacl\fR(1),
837 831 \fBchmod\fR(2), \fBacl\fR(2), \fBstat\fR(2), \fBacl_get\fR(3SEC),
838 832 \fBaclsort\fR(3SEC), \fBacl_fromtext\fR(3SEC), \fBacl_free\fR(3SEC),
839 833 \fBacl_strip\fR(3SEC), \fBacl_trivial\fR(3SEC)
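Review bot: SEE ALSO at new lines 829-833 lists setfacl(1) but not getfacl(1), and of the functions documented under the application-level API it omits acl_set, facl_get, facl_set and acl_totext. Given that this change is filed against getfacl and setfacl, add getfacl(1) and consider completing the 3SEC references while the section is being touched.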