9842 man page typos and spelling
--- old/usr/src/man/man5/acl.5
+++ new/usr/src/man/man5/acl.5
1 1 '\" te
2 2 .\" Copyright 2014 Nexenta Systems, Inc. All rights reserved.
3 3 .\" Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved.
4 4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
5 5 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
6 6 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
7 7 .TH ACL 5 "Nov 24, 2014"
8 8 .SH NAME
9 9 acl \- Access Control Lists
10 10 .SH DESCRIPTION
11 11 .LP
12 12 Access control lists (ACLs) are discretionary access control mechanisms that
13 13 grant and deny access to files and directories. Two different ACL models are
14 14 supported in the Solaris release: POSIX-draft ACLs and NFSv4 ACLs.
15 15 .sp
16 16 .LP
17 17 The older, POSIX-draft model is supported by the UFS file system. This model is
18 18 based on a withdrawn ACL POSIX specification that was never standardized. It
19 19 was subsequently withdrawn by the POSIX committee.
20 20 .sp
21 21 .LP
22 22 The other model is based on the standards of the NFSv4 working group and is an
23 23 approved standard from the Internet Engineering Task Force (IETF). The ZFS file
24 24 system uses the NFSv4 model, and provides richer semantics and finer grained
25 25 permission capabilities than the POSIX-draft model.
26 26 .SS "\fBPOSIX\fR-draft \fBACL\fRs"
27 27 .LP
28 28 POSIX-draft ACLs provide an alternative security mechanism to basic UNIX file
29 29 permissions in the Solaris release. Their purpose is to further restrict access
30 30 to files and directories or to extend permissions to a particular user. ACLs
31 31 can be used to change the permissions for the standard owner, group and other
32 32 class bits of a file's mode. ACLs can give additional users and groups access
33 33 to the file. A directory can also have a special kind of ACL called a
34 34 \fBdefault\fR ACL, which defines ACL entries to be inherited by descendents of
35 35 the directory. POSIX-draft ACLs have an ACL entry called \fBmask\fR. The mask
36 36 defines the maximum permissions that can be granted to additional user and
37 37 group entries. Whenever a file is created or its mode is changed by
38 38 \fBchmod\fR(1) or \fBchmod\fR(2), the mask is recomputed. It is recomputed to
39 39 be the group permission defined in the mode passed to \fBchmod\fR(2).
40 40 .sp
41 41 .LP
42 42 The POSIX-draft ACL model uses the standard \fBrwx\fR model of traditional UNIX
43 43 permissions.
44 44 .sp
45 45 .LP
46 46 An ACL is represented as follows:
47 47 .sp
48 48 .in +2
49 49 .nf
50 50 \fIacl_entry\fR[,\fIacl_entry\fR]...
51 51 .fi
52 52 .in -2
53 53 .sp
54 54
55 55 .sp
56 56 .LP
57 57 Each \fIacl_entry\fR contains one ACL entry. An ACL entry is represented by two
58 58 or three colon-separated(\fB:\fR) fields.
59 59 .sp
60 60 .ne 2
61 61 .na
62 62 \fB\fIuser\fR:[\fIuid\fR]:\fIperms\fR\fR
63 63 .ad
64 64 .RS 21n
65 65 If \fIuid\fR blank, it represents the file owner.
66 66 .RE
67 67
68 68 .sp
69 69 .ne 2
70 70 .na
71 71 \fB\fIgroup\fR:[\fIgid\fR]:\fIperms\fR\fR
72 72 .ad
73 73 .RS 21n
74 74 If \fIgid\fR is blank, it represents the owning group.
75 75 .RE
76 76
77 77 .sp
78 78 .ne 2
79 79 .na
80 80 \fB\fIother\fR:\fIperms\fR\fR
81 81 .ad
82 82 .RS 21n
83 83 Represents the file other class.
84 84 .RE
85 85
86 86 .sp
87 87 .ne 2
88 88 .na
89 89 \fB\fImask\fR:\fIperms\fR\fR
90 90 .ad
91 91 .RS 21n
92 92 Defines the \fBMAX\fR permission to hand out.
93 93 .RE
94 94
95 95 .sp
96 96 .LP
97 97 For example to give user \fBjoe\fR read and write permissions, the ACL entry is
98 98 specified as:
99 99 .sp
100 100 .in +2
101 101 .nf
102 102 user:joe:rw-
103 103 .fi
104 104 .in -2
105 105 .sp
106 106
107 107 .SS "\fBNFS\fRv4 \fBACL\fRs"
108 108 .LP
109 109 NFSv4 ACL model is based loosely on the Windows NT ACL model. NFSv4 ACLs
110 110 provide a much richer ACL model than POSIX-draft ACLs.
111 111 .sp
112 112 .LP
113 113 The major differences between NFSv4 and POSIX-draft ACLs are as follows:
114 114 .RS +4
115 115 .TP
116 116 .ie t \(bu
117 117 .el o
118 118 NFSv4 ACLs provide finer grained permissions than the \fBrwx\fR model.
119 119 .RE
120 120 .RS +4
121 121 .TP
122 122 .ie t \(bu
123 123 .el o
124 124 NFSv4 ACLs allow for both \fBALLOW\fR and \fBDENY\fR entries.
125 125 .RE
126 126 .RS +4
127 127 .TP
128 128 .ie t \(bu
129 129 .el o
130 130 NFSv4 ACLs provide a rich set of inheritance semantics. POSIX ACLs also have
131 131 inheritance, but with the NFSv4 model you can control the following inheritance
132 132 features:
133 133 .RS +4
134 134 .TP
135 135 .ie t \(bu
136 136 .el o
137 137 Whether inheritance cascades to both files and directories or only to files or
138 138 directories.
139 139 .RE
140 140 .RS +4
141 141 .TP
142 142 .ie t \(bu
143 143 .el o
144 144 In the case of directories, you can indicate whether inheritance is applied to
145 145 the directory itself, to just one level of subdirectories, or cascades to all
146 146 subdirectories of the directory.
147 147 .RE
148 148 .RE
149 149 .RS +4
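Review bot: line 65 still reads "If \fIuid\fR blank, it represents the file owner." with the verb missing, while the parallel entry on line 74 has "If \fIgid\fR is blank"; since this change is a typo pass over the file, add the "is" here as well. Line 58 also runs "colon-separated(\fB:\fR)" together without a space before the parenthesis.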
150 150 .TP
151 151 .ie t \(bu
152 152 .el o
153 153 NFSv4 ACLs provide a mechanism for hooking into a system's audit trail.
154 154 Currently, Solaris does not support this mechanism.
155 155 .RE
156 156 .RS +4
157 157 .TP
158 158 .ie t \(bu
159 159 .el o
160 -NFSv4 ACLs enable adminstrators to specify the order in which ACL entries are
160 +NFSv4 ACLs enable administrators to specify the order in which ACL entries are
161 161 checked. With POSIX-draft ACLs the file system reorders ACL entries into a well
162 162 defined, strict access, checking order.
163 163 .RE
164 164 .sp
165 165 .LP
166 166 POSIX-draft ACL semantics can be achieved with NFSv4 ACLs. However, only some
167 167 NFSv4 ACLs can be translated to equivalent POSIX-draft ACLs.
168 168 .sp
169 169 .LP
170 170 Permissions can be specified in three different \fBchmod\fR ACL formats:
171 171 verbose, compact, or positional. The verbose format uses words to indicate that
172 172 the permissions are separated with a forward slash (\fB/\fR) character. Compact
173 173 format uses the permission letters and positional format uses the permission
174 -letters or the hypen (\fB-\fR) to identify no permissions.
174 +letters or the hyphen (\fB-\fR) to identify no permissions.
175 175 .sp
176 176 .LP
177 177 The permissions for verbose mode and their abbreviated form in parentheses for
178 178 compact and positional mode are described as follows:
179 179 .sp
180 180 .ne 2
181 181 .na
182 182 \fBread_data (\fBr\fR)\fR
183 183 .ad
184 184 .RS 24n
185 185 Permission to read the data of the file
186 186 .RE
187 187
188 188 .sp
189 189 .ne 2
190 190 .na
191 191 \fBlist_directory (\fBr\fR)\fR
192 192 .ad
193 193 .RS 24n
194 194 Permission to list the contents of a directory.
195 195 .RE
196 196
197 197 .sp
198 198 .ne 2
199 199 .na
200 200 \fBwrite_data (\fBw\fR)\fR
201 201 .ad
202 202 .RS 24n
203 203 Permission to modify a file's data anywhere in the file's offset range. This
204 204 includes the ability to grow the file or write to any arbitrary offset.
205 205 .RE
206 206
207 207 .sp
208 208 .ne 2
209 209 .na
210 210 \fBadd_file (\fBw\fR)\fR
211 211 .ad
212 212 .RS 24n
213 213 Permission to add a new file to a directory.
214 214 .RE
215 215
216 216 .sp
217 217 .ne 2
218 218 .na
219 219 \fBappend_data (\fBp\fR)\fR
220 220 .ad
221 221 .RS 24n
222 222 The ability to modify the file's data, but only starting at EOF. Currently,
223 223 this permission is not supported.
224 224 .RE
225 225
226 226 .sp
227 227 .ne 2
228 228 .na
229 229 \fBadd_subdirectory (\fBp\fR)\fR
230 230 .ad
231 231 .RS 24n
232 232 Permission to create a subdirectory to a directory.
233 233 .RE
234 234
235 235 .sp
236 236 .ne 2
237 237 .na
238 238 \fBread_xattr (\fBR\fR)\fR
239 239 .ad
240 240 .RS 24n
241 241 The ability to read the extended attributes of a file or do a lookup in the
242 242 extended attributes directory.
243 243 .RE
244 244
245 245 .sp
246 246 .ne 2
247 247 .na
248 248 \fBwrite_xattr (\fBW\fR)\fR
249 249 .ad
250 250 .RS 24n
251 251 The ability to create extended attributes or write to the extended attributes
252 252 directory.
253 253 .RE
254 254
255 255 .sp
256 256 .ne 2
257 257 .na
258 258 \fBexecute (\fBx\fR)\fR
259 259 .ad
260 260 .RS 24n
261 261 Permission to execute a file.
262 262 .RE
263 263
264 264 .sp
265 265 .ne 2
266 266 .na
267 267 \fBread_attributes (\fBa\fR)\fR
268 268 .ad
269 269 .RS 24n
270 270 The ability to read basic attributes (non-ACLs) of a file. Basic attributes are
271 271 considered to be the stat level attributes. Allowing this access mask bit means
272 272 that the entity can execute \fBls\fR(1) and \fBstat\fR(2).
273 273 .RE
274 274
275 275 .sp
276 276 .ne 2
277 277 .na
278 278 \fBwrite_attributes (\fBA\fR)\fR
279 279 .ad
280 280 .RS 24n
281 281 Permission to change the times associated with a file or directory to an
282 282 arbitrary value.
283 283 .RE
284 284
285 285 .sp
286 286 .ne 2
287 287 .na
288 288 \fBdelete (\fBd\fR)\fR
289 289 .ad
290 290 .RS 24n
291 291 Permission to delete the file.
292 292 .RE
293 293
294 294 .sp
295 295 .ne 2
296 296 .na
297 297 \fBdelete_child (\fBD\fR)\fR
298 298 .ad
299 299 .RS 24n
300 300 Permission to delete a file within a directory.
301 301 .RE
302 302
303 303 .sp
304 304 .ne 2
305 305 .na
306 306 \fBread_acl (\fBc\fR)\fR
307 307 .ad
308 308 .RS 24n
309 309 Permission to read the ACL.
310 310 .RE
311 311
312 312 .sp
313 313 .ne 2
314 314 .na
315 315 \fBwrite_acl (\fBC\fR)\fR
316 316 .ad
317 317 .RS 24n
318 318 Permission to write the ACL or the ability to execute \fBchmod\fR(1) or
319 319 \fBsetfacl\fR(1).
320 320 .RE
321 321
322 322 .sp
323 323 .ne 2
324 324 .na
325 325 \fBwrite_owner (\fBo\fR)\fR
326 326 .ad
327 327 .RS 24n
328 328 Permission to change the owner or the ability to execute \fBchown\fR(1) or
329 329 \fBchgrp\fR(1).
330 330 .RE
331 331
332 332 .sp
333 333 .ne 2
334 334 .na
335 335 \fBsynchronize (\fBs\fR)\fR
336 336 .ad
337 337 .RS 24n
338 338 Permission to access a file locally at the server with synchronous reads and
339 339 writes. Currently, this permission is not supported.
340 340 .RE
341 341
342 342 .sp
343 343 .LP
344 344 The following inheritance flags are supported by NFSv4 ACLs:
345 345 .sp
346 346 .ne 2
347 347 .na
348 348 \fBfile_inherit (\fBf\fR)\fR
349 349 .ad
350 350 .RS 26n
351 351 Inherit to all newly created files in a directory.
352 352 .RE
353 353
354 354 .sp
355 355 .ne 2
356 356 .na
357 357 \fBdir_inherit (\fBd\fR)\fR
358 358 .ad
359 359 .RS 26n
360 360 Inherit to all newly created directories in a directory.
361 361 .RE
362 362
363 363 .sp
364 364 .ne 2
365 365 .na
366 366 \fBinherit_only (\fBi\fR)\fR
367 367 .ad
368 368 .RS 26n
369 369 Placed on a directory, but does not apply to the directory itself, only to
370 370 newly created files and directories. This flag requires file_inherit
371 371 and/or dir_inherit to indicate what to inherit.
372 372 .RE
373 373
374 374 .sp
375 375 .ne 2
376 376 .na
377 377 \fBno_propagate (\fBn\fR)\fR
378 378 .ad
379 379 .RS 26n
380 380 Placed on directories and indicates that ACL entries should only be inherited
381 381 one level of the tree. This flag requires file_inherit and/or dir_inherit to
382 382 indicate what to inherit.
383 383 .RE
384 384
385 385 .sp
386 386 .ne 2
387 387 .na
388 388 \fBsuccessful_access (\fBS\fR)\fR
389 389 .ad
390 390 .RS 26n
391 391 Indicates whether an alarm or audit record should be initiated upon successful
392 392 accesses. Used with audit/alarm ACE types.
393 393 .RE
394 394
395 395 .sp
396 396 .ne 2
397 397 .na
398 398 \fBfailed_access (\fBF\fR)\fR
399 399 .ad
400 400 .RS 26n
401 401 Indicates whether an alarm or audit record should be initiated when access
402 402 fails. Used with audit/alarm ACE types.
403 403 .RE
404 404
405 405 .sp
406 406 .ne 2
407 407 .na
408 408 \fBinherited (\fBI\fR)\fR
409 409 .ad
410 410 .RS 26n
411 411 ACE was inherited.
412 412 .RE
413 413
414 414 .sp
415 415 .ne 2
416 416 .na
417 417 \fB\fB-\fR\fR
418 418 .ad
419 419 .RS 26n
420 420 No permission granted.
421 421 .RE
422 422
423 423 .sp
424 424 .LP
425 425 An NFSv4 ACL is expressed using the following syntax:
426 426 .sp
427 427 .in +2
428 428 .nf
429 429 \fIacl_entry\fR[,\fIacl_entry\fR]...
430 430
431 431 owner@:<perms>[:inheritance flags]:<allow|deny>
432 432 group@:<perms>[:inheritance flags]:<allow|deny>
433 433 everyone@:<perms>[:inheritance flags]:<allow|deny>
434 434 user:<username>:<perms>[:inheritance flags]:<allow|deny>
435 435 usersid:<sid string>:<perms>[:inheritance flags]:<allow|deny>
436 436 group:<groupname>:<perms>[:inheritance flags]:<allow|deny>
437 437 groupsid:<sid string>:<perms>[:inheritance flags]:<allow|deny>
438 438 sid:<sid string>:<perms>[:inheritance flags]:<allow|deny>
439 439 .fi
440 440 .in -2
441 441
442 442 .sp
443 443 .ne 2
444 444 .na
445 445 \fBowner@\fR
446 446 .ad
447 447 .RS 10n
448 448 File owner
449 449 .RE
450 450
451 451 .sp
452 452 .ne 2
453 453 .na
454 454 \fBgroup@\fR
455 455 .ad
456 456 .RS 10n
457 457 Group owner
458 458 .RE
459 459
460 460 .sp
461 461 .ne 2
462 462 .na
463 463 \fBuser\fR
464 464 .ad
465 465 .RS 10n
466 466 Permissions for a specific user
467 467 .RE
468 468
469 469 .sp
470 470 .ne 2
471 471 .na
472 472 \fBgroup\fR
473 473 .ad
474 474 .RS 10n
475 475 Permissions for a specific group
476 476 .RE
477 477
478 478 .sp
479 479 .LP
480 480 Permission and inheritance flags are separated by a \fB/\fR character.
481 481 .sp
482 482 .LP
483 483 ACL specification examples:
484 484 .sp
485 485 .in +2
486 486 .nf
487 487 user:fred:read_data/write_data/read_attributes:file_inherit:allow
488 488 owner@:read_data:allow,group@:read_data:allow,user:tom:read_data:deny
489 489 .fi
490 490 .in -2
491 491 .sp
492 492
493 493 .sp
494 494 .LP
495 495 Using the compact ACL format, permissions are specified by using 14 unique
496 496 letters to indicate permissions.
497 497 .sp
498 498 .LP
499 499 Using the positional ACL format, permissions are specified as positional
500 500 arguments similar to the \fBls -V\fR format. The hyphen (\fB-\fR), which
501 501 indicates that no permission is granted at that position, can be omitted and
502 502 only the required letters have to be specified.
503 503 .sp
504 504 .LP
505 505 The letters above are listed in the order they would be specified in positional
506 506 notation.
507 507 .sp
508 508 .LP
509 509 With these letters you can specify permissions in the following equivalent
510 510 ways.
511 511 .sp
512 512 .in +2
513 513 .nf
514 514 user:fred:rw------R------:file_inherit:allow
515 515 .fi
516 516 .in -2
517 517 .sp
518 518
519 519 .sp
520 520 .LP
521 521 Or you can remove the \fB-\fR and scrunch it together.
522 522 .sp
523 523 .in +2
524 524 .nf
525 525 user:fred:rwR:file_inherit:allow
526 526 .fi
527 527 .in -2
528 528 .sp
529 529
530 530 .sp
531 531 .LP
532 532 The inheritance flags can also be specified in a more compact manner, as
533 533 follows:
534 534 .sp
535 535 .in +2
536 536 .nf
537 537 user:fred:rwR:f:allow
538 538 user:fred:rwR:f------:allow
539 539 .fi
540 540 .in -2
541 541 .sp
542 542
543 543 .SS "Shell-level Solaris \fBAPI\fR"
544 544 .LP
545 545 The Solaris command interface supports the manipulation of ACLs. The following
546 546 Solaris utilities accommodate both ACL models:
547 547 .sp
548 548 .ne 2
549 549 .na
550 550 \fB\fBchmod\fR\fR
551 551 .ad
552 552 .RS 12n
553 553 The \fBchmod\fR utility has been enhanced to allow for the setting and deleting
554 554 of ACLs. This is achieved by extending the symbolic-mode argument to support
555 555 ACL manipulation. See \fBchmod\fR(1) for details.
556 556 .RE
557 557
558 558 .sp
559 559 .ne 2
560 560 .na
561 561 \fB\fBcompress\fR\fR
562 562 .ad
563 563 .RS 12n
564 564 When a file is compressed any ACL associated with the original file is
565 565 preserved with the compressed file.
566 566 .RE
567 567
568 568 .sp
569 569 .ne 2
570 570 .na
571 571 \fB\fBcp\fR\fR
572 572 .ad
573 573 .RS 12n
574 574 By default, \fBcp\fR ignores ACLs, unless the \fB-p\fR option is specified.
575 575 When \fB-p\fR is specified the owner and group id, permission modes,
576 576 modification and access times, ACLs, and extended attributes if applicable are
577 577 preserved.
578 578 .RE
579 579
580 580 .sp
581 581 .ne 2
582 582 .na
583 583 \fB\fBcpio\fR\fR
584 584 .ad
585 585 .RS 12n
586 586 ACLs are preserved when the \fB-P\fR option is specified.
587 587 .RE
588 588
589 589 .sp
590 590 .ne 2
591 591 .na
592 592 \fB\fBfind\fR\fR
593 593 .ad
594 594 .RS 12n
595 595 Find locates files with ACLs when the \fB-acl\fR flag is specified.
596 596 .RE
597 597
598 598 .sp
599 599 .ne 2
600 600 .na
601 601 \fB\fBls\fR\fR
602 602 .ad
603 603 .RS 12n
604 604 By default \fBls\fR does not display ACL information. When the \fB-v\fR option
605 605 is specified, a file's ACL is displayed.
606 606 .RE
607 607
608 608 .sp
609 609 .ne 2
610 610 .na
611 611 \fB\fBmv\fR\fR
612 612 .ad
613 613 .RS 12n
614 614 When a file is moved, all attributes are carried along with the renamed file.
615 615 When a file is moved across a file system boundary, the ACLs are replicated. If
616 616 the ACL information cannot be replicated, the move fails and the source file is
617 617 not removed.
618 618 .RE
619 619
620 620 .sp
621 621 .ne 2
622 622 .na
623 623 \fB\fBpack\fR\fR
624 624 .ad
625 625 .RS 12n
626 626 When a file is packed, any ACL associated with the original file is preserved
627 627 with the packed file.
628 628 .RE
629 629
630 630 .sp
631 631 .ne 2
632 632 .na
633 633 \fB\fBrcp\fR\fR
634 634 .ad
635 635 .RS 12n
636 636 \fBrcp\fR has been enhanced to support copying. A file's ACL is only preserved
637 637 when the remote host supports ACLs.
638 638 .RE
639 639
640 640 .sp
641 641 .ne 2
642 642 .na
643 643 \fB\fBtar\fR\fR
644 644 .ad
645 645 .RS 12n
646 646 ACLs are preserved when the \fB-p\fR option is specified.
647 647 .RE
648 648
649 649 .sp
650 650 .ne 2
651 651 .na
652 652 \fB\fBunpack\fR\fR
653 653 .ad
654 654 .RS 12n
655 655 When a file with an ACL is unpacked, the unpacked file retains the ACL
656 656 information.
657 657 .RE
658 658
659 659 .SS "Application-level \fBAPI\fR"
660 660 .LP
661 661 The primary interfaces required to access file system ACLs at the programmatic
662 662 level are the \fBacl_get()\fR and \fBacl_set()\fR functions. These functions
663 663 support both POSIX draft ACLs and NFSv4 ACLs.
664 664 .SS "Retrieving a file's \fBACL\fR"
665 665 .in +2
666 666 .nf
667 667 int acl_get(const char *path, int flag, acl_t **aclp);
668 668 int facl_get(int fd, int flag, acl_t **aclp);
669 669 .fi
670 670 .in -2
671 671
672 672 .sp
673 673 .LP
674 674 The \fBacl_get\fR(3SEC) and \fBfacl_get\fR(3SEC) functions retrieves an ACL on
675 675 a file whose name is given by path or referenced by the open file descriptor
676 676 fd. The flag argument specifies whether a trivial ACL should be retrieved. When
677 677 the flag argument equals \fBACL_NO_TRIVIAL\fR then only ACLs that are not
678 678 trivial are retrieved. The ACL is returned in the \fBaclp\fR argument.
679 679 .SS "Freeing \fBACL\fR structure"
680 680 .in +2
681 681 .nf
682 682 void acl_free(acl_t *aclp)s;
683 683 .fi
684 684 .in -2
685 685
686 686 .sp
687 687 .LP
688 688 The \fBacl_free()\fR function frees up memory allocated for the argument
689 689 \fBaclp;\fR.
690 690 .SS "Setting an \fBACL\fR on a file"
691 691 .in +2
692 692 .nf
693 693 int acl_set(const char *path, acl_t *aclp);
694 694 int facl_set(int fd, acl_t *aclp);
695 695 .fi
696 696 .in -2
697 697
698 698 .sp
699 699 .LP
700 700 The \fBacl_set\fR(3SEC) and \fBfacl_get\fR(3SEC) functions are used for setting
701 701 an ACL on a file whose name is given by path or referenced by the open file
702 702 descriptor \fBfd\fR. The \fBaclp\fR argument specifies the ACL to set. The
703 703 \fBacl_set\fR(3SEC) translates an POSIX-draft ACL into a NFSv4 ACL when the
704 704 target file systems supports NFSv4 ACLs. No translation is performed when
705 705 trying to set an NFSv4 ACL on a POSIX-draft ACL supported file system.
706 706 .SS "Determining an \fBACL\fR's trivialness"
707 707 .in +2
708 708 .nf
709 709 int acl_trivial(const char *path);
710 710 .fi
711 711 .in -2
712 712
713 713 .sp
714 714 .LP
715 715 The \fBacl_trivial()\fR function is used to determine whether a file has a
716 716 trivial ACL.
717 717 .SS "Removing all \fBACL\fRs from a file"
718 718 .in +2
719 719 .nf
720 720 int acl_strip(const char *path, uid_t uid, gid_t gid, mode_t mode);
721 721 .fi
722 722 .in -2
723 723
724 724 .sp
725 725 .LP
726 726 The \fBacl_strip()\fR function removes all ACLs from a file and replaces them
727 727 with a trivial ACL based off of the passed in argument mode. After replacing
728 728 the ACL the owner and group of the file are set to the values specified in the
729 729 uid and gid parameters.
730 730 .SS "Converting \fBACL\fRs to/from external representation"
731 731 .in +2
732 732 .nf
733 733 int acl_fromtext(const char *path, acl_t **aclp);
734 734 char *acl_totext(acl_t *aclp, int flags);
735 735 .fi
736 736 .in -2
737 737
738 738 .sp
739 739 .LP
740 740 The \fBacl_totext()\fR function converts an internal ACL representation pointed
741 741 to by aclp into an external representation. See \fBDESCRIPTION\fR for details
742 742 about external representation.
743 743 .sp
744 744 .LP
745 745 The \fBacl_fromtext()\fR functions converts and external representation into an
746 746 internal representation. See \fBDESCRIPTION\fR for details about external
747 747 representation.
748 748 .SH EXAMPLES
749 749 .LP
750 750 The following examples demonstrate how the API can be used to perform basic
751 751 operations on ACLs.
752 752 .LP
753 753 \fBExample 1 \fRRetrieving and Setting an ACL
754 754 .sp
755 755 .LP
756 756 Use the following to retrieve an ACL and set it on another file:
757 757
758 758 .sp
759 759 .in +2
760 760 .nf
761 761 error = acl_get("file", ACL_NO_TRIVIAL, &aclp);
762 762
763 763 if (error == 0 && aclp != NULL) {
764 764 .in +8
765 765 error = acl_set("file2", aclp);
766 766 acl_free(aclp);
767 767 .in -8
768 768 }
769 769 \&...
770 770 .fi
771 771 .in -2
772 772
773 773 .LP
774 774 \fBExample 2 \fRRetrieving and Setting Any ACLs
775 775 .sp
776 776 .LP
777 777 Use the following to retrieve any ACL, including trivial ACLs, and set it on
778 778 another file:
779 779
780 780 .sp
781 781 .in +2
782 782 .nf
783 783 error = acl_get("file3", 0, &aclp);
784 784 if (error == 0) {
785 785 .in +8
786 786 error = acl_set("file4", aclp);
787 787 acl_free(aclp);
788 788 .in -8
789 789 }
790 790 \&...
791 791 .fi
792 792 .in -2
793 793
794 794 .LP
795 795 \fBExample 3 \fRDetermining if a File has a Trivial ACL
796 796 .sp
797 797 .LP
798 798 Use the following to determine if a file has a trivial ACL:
799 799
800 800 .sp
801 801 .in +2
802 802 .nf
803 803 char *file = "file5";
804 804 istrivial = acl_trivial(file);
805 805
806 806 if (istrivial == 0)
807 807 .in +8
808 808 printf("file %s has a trivial ACL\en", file);
809 809 .in -8
810 810 else
811 811 .in +8
812 812 printf("file %s has a NON-trivial ACL\en", file);
813 813 .in -8
814 814 \&...
815 815 .fi
816 816 .in -2
817 817
818 818 .LP
819 819 \fBExample 4 \fRRemoving all ACLs from a File
820 820 .sp
821 821 .LP
822 822 Use the following to remove all ACLs from a file, and set a new mode, owner,
823 823 and group:
824 824
825 825 .sp
826 826 .in +2
827 827 .nf
828 828 error = acl_strip("file", 10, 100, 0644);
829 829 \&...
830 830 .fi
831 831 .in -2
832 832
833 833 .SH SEE ALSO
834 834 .LP
835 835 \fBchgrp\fR(1), \fBchmod\fR(1), \fBchown\fR(1), \fBcp\fR(1), \fBcpio\fR(1),
836 836 \fBfind\fR(1), \fBls\fR(1), \fBmv\fR(1), \fBtar\fR(1), \fBsetfacl\fR(1),
837 837 \fBchmod\fR(2), \fBacl\fR(2), \fBstat\fR(2), \fBacl_get\fR(3SEC),
838 838 \fBaclsort\fR(3SEC), \fBacl_fromtext\fR(3SEC), \fBacl_free\fR(3SEC),
839 839 \fBacl_strip\fR(3SEC), \fBacl_trivial\fR(3SEC)
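Review bot: the spelling pass stops at lines 160 and 174 and leaves several errors in the application-level API text untouched, the most significant being line 700, which names \fBfacl_get\fR(3SEC) as a function for setting an ACL where the synopsis on line 694 declares facl_set. Line 682 has a stray "s" in "void acl_free(acl_t *aclp)s;" and line 689 a stray semicolon in "\fBaclp;\fR.". The grammar slips "functions retrieves" (674), "translates an POSIX-draft" (703) and "functions converts and external representation" (745) could be fixed in the same change. The two replacements themselves ("administrators", "hyphen") are correct.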