.\"-
.\" Copyright (c) 2000, 2001, 2002 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" This software was developed by Robert Watson for the TrustedBSD Project.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libc/posix1e/acl.3,v 1.22 2003/02/06 11:04:46 charnier Exp $
.\"
.Dd December 18, 2002
.Dt ACL 3
.Os
.Sh NAME
.Nm acl
.Nd introduction to the POSIX.1e ACL security API
.Sh LIBRARY
.Lb libc
.Sh SYNOPSIS
.In sys/types.h
.In sys/acl.h
.Sh DESCRIPTION
The system permits file systems to export Access Control Lists via the VFS, and
provides a library for userland access to and manipulation of these ACLs.
Not all file systems provide support for ACLs, and some may require that
ACL support be explicitly enabled by the administrator.
The library calls include routines to allocate, duplicate, retrieve, set,
and validate ACLs associated with file objects.
.Pp
This implementation of the POSIX.1e library differs from the standard
in a number of non-portable ways in order to support the MacOS/Darwin
ACL semantic.
Where possible, these differences are implemented using
the mechanisms provided in the standard for such extensions.
Where routines are non-standard, they are suffixed with _np to indicate that
they are not portable.
.Pp
POSIX.1e describes a set of ACL manipulation routines to manage the
contents of ACLs, as well as their relationships with files; almost
all of these support routines are implemented.
.Pp
Available functions, sorted by behavior, include:
.Bl -tag -width indent
.It Fn acl_add_perm
This function is described in
.Xr acl_add_perm 3 ,
and may be used to add permissions to a permission set.
.It Fn acl_clear_perms
This function is described in
.Xr acl_clear_perms 3 ,
and may be used to clear all permissions from a permission set.
.It Fn acl_copy_entry
This function is described in
.Xr acl_copy_entry 3 ,
and may be used to copy the contents of an ACL entry.
.It Fn acl_create_entry
This function is described in
.Xr acl_create_entry 3 ,
and may be used to create an empty entry in an ACL.
.It Xo
.Fn acl_delete_fd_np ,
.Fn acl_delete_file_np ,
.Fn acl_delete_link_np
.Xc
These functions are described in
.Xr acl_delete 3 ,
and may be used to delete ACLs from file system objects.
.It Fn acl_delete_entry
This function is described in
.Xr acl_delete_entry 3 ,
and may be used to delete an entry from an ACL.
.It Fn acl_delete_perm
This function is described in
.Xr acl_delete_perm 3 ,
and may be used to delete permissions from a permset.
.It Fn acl_dup
This function is described in
.Xr acl_dup 3 ,
and may be used to duplicate an ACL structure.
.It Fn acl_free
This function is described in
.Xr acl_free 3 ,
and may be used to free userland working ACL storage.
.It Fn acl_from_text
This function is described in
.Xr acl_from_text 3 ,
and may be used to convert a text-form ACL into working ACL state, if
the ACL has POSIX.1e semantics.
.It Fn acl_get_entry
This function is described in
.Xr acl_get_entry 3 ,
and may be used to retrieve a designated ACL entry from an ACL.
.It Xo
.Fn acl_get_fd ,
.Fn acl_get_fd_np ,
.Fn acl_get_file ,
.Fn acl_get_link_np
.Xc
These functions are described in
.Xr acl_get 3 ,
and may be used to retrieve ACLs from file system objects.
.It Fn acl_get_permset
This function is described in
.Xr acl_get_permset 3 ,
and may be used to retrieve a permset from an ACL entry.
.It Fn acl_get_qualifier
This function is described in
.Xr acl_get_qualifier 3 ,
and may be used to retrieve the qualifier from an ACL entry.
.It Fn acl_get_tag_type
This function is described in
.Xr acl_get_tag_type 3 ,
and may be used to retrieve the tag type from an ACL entry.
.It Fn acl_init
This function is described in
.Xr acl_init 3 ,
and may be used to allocate a fresh (empty) ACL structure.
.It Xo
.Fn acl_set_fd ,
.Fn acl_set_fd_np ,
.Fn acl_set_file ,
.Fn acl_set_link_np
.Xc
These functions are described in
.Xr acl_set 3 ,
and may be used to assign an ACL to a file system object.
.It Fn acl_set_permset
This function is described in
.Xr acl_set_permset 3 ,
and may be used to set the permissions of an ACL entry from a permset.
.It Fn acl_set_qualifier
This function is described in
.Xr acl_set_qualifier 3 ,
and may be used to set the qualifier of an ACL.
.It Fn acl_set_tag_type
This function is described in
.Xr acl_set_tag_type 3 ,
and may be used to set the tag type of an ACL.
.It Fn acl_to_text
This function is described in
.Xr acl_to_text 3 ,
and may be used to generate a text-form of a POSIX.1e semantics ACL.
.It Xo
.Fn acl_valid ,
.Fn acl_valid_fd_np ,
.Fn acl_valid_file_np ,
.Fn acl_valid_link_np
.Xc
These functions are described in
.Xr acl_valid 3 ,
and may be used to validate an ACL as correct POSIX.1e-semantics, or
as appropriate for a particular file system object regardless of semantics.
.El
.Pp
Documentation of the internal kernel interfaces backing these calls may
be found in
.Xr acl 9 .
The syscalls between the internal interfaces and the public library
routines may change over time, and as such are not documented.
They are not intended to be called directly without going through the
library.
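.Pp
The following is an added example and is not part of this manual page or of
the libc ACL routines it describes.
It is a self-contained C model of the POSIX.1e text form that
.Fn acl_from_text
and
.Fn acl_to_text
exchange (long form as
.Xr getfacl 1
prints it, or comma-separated short form), of the structural rules
.Fn acl_valid
enforces on a POSIX.1e-semantics ACL (exactly one user::, group:: and
other:: entry, at most one mask::, a mask:: required whenever named user or
group entries exist, and no duplicate qualifiers), and of how the mask
entry reduces what a named entry actually grants.
It deliberately uses no symbol from sys/acl.h, so it builds without the
library; the struct, enum and function names, the PERM_BAD sentinel and the
sample ACL text are all the example's own assumptions.

```c
/* Added example: a self-contained model of the POSIX.1e text-form ACL that
 * acl_from_text(3)/acl_to_text(3) exchange and of the structural rules that
 * acl_valid(3) enforces.  It uses none of the acl_*(3) routines or <sys/acl.h>;
 * every name below belongs to the example, not to the library. */
#include <stdio.h>
#include <string.h>

enum tag { T_USER_OBJ, T_USER, T_GROUP_OBJ, T_GROUP, T_MASK, T_OTHER, T_BAD };

#define PERM_BAD    0xFFu   /* sentinel: permission string did not parse */
#define MAX_ENTRIES 32

struct entry { enum tag tag; char qual[32]; unsigned perms; }; /* perms: r=4 w=2 x=1 */
struct acl   { struct entry e[MAX_ENTRIES]; int n; };

/* "rwx" with '-' for an absent bit, in that order, exactly three characters. */
static unsigned parse_perms(const char *s) {
    unsigned p = 0;
    if (strlen(s) != 3) return PERM_BAD;
    if (s[0] == 'r') p |= 4; else if (s[0] != '-') return PERM_BAD;
    if (s[1] == 'w') p |= 2; else if (s[1] != '-') return PERM_BAD;
    if (s[2] == 'x') p |= 1; else if (s[2] != '-') return PERM_BAD;
    return p;
}

/* Long ("user") and short ("u") tag names.  A qualifier turns user/group into
 * the named forms and is never allowed on mask/other. */
static enum tag tag_from_name(const char *name, int named) {
    if (!strcmp(name, "user")  || !strcmp(name, "u")) return named ? T_USER  : T_USER_OBJ;
    if (!strcmp(name, "group") || !strcmp(name, "g")) return named ? T_GROUP : T_GROUP_OBJ;
    if (!strcmp(name, "mask")  || !strcmp(name, "m")) return named ? T_BAD   : T_MASK;
    if (!strcmp(name, "other") || !strcmp(name, "o")) return named ? T_BAD   : T_OTHER;
    return T_BAD;
}

/* One "tag:qualifier:perms" entry; a trailing "#effective:..." comment is ignored. */
static int parse_entry(const char *text, struct entry *out) {
    char buf[96], *hash, *qual, *perm, *colon;
    size_t len;
    if (strlen(text) >= sizeof buf) return -1;
    strcpy(buf, text);
    if ((hash = strchr(buf, '#')) != NULL) *hash = '\0';
    for (len = strlen(buf); len && (buf[len - 1] == ' ' || buf[len - 1] == '\t'); len--)
        buf[len - 1] = '\0';
    if ((colon = strchr(buf, ':')) == NULL) return -1;
    *colon = '\0'; qual = colon + 1;
    if ((colon = strchr(qual, ':')) == NULL) return -1;
    *colon = '\0'; perm = colon + 1;
    out->tag = tag_from_name(buf, qual[0] != '\0');
    if (out->tag == T_BAD || strlen(qual) >= sizeof out->qual) return -1;
    strcpy(out->qual, qual);
    out->perms = parse_perms(perm);
    return out->perms == PERM_BAD ? -1 : 0;
}

/* Entries separated by commas (short form) or newlines (long form); whole-line
 * "# file:"-style comments are skipped.  Returns 0 on success, -1 on any error. */
static int acl_parse_text(const char *text, struct acl *acl) {
    char copy[1024], *tok;
    if (strlen(text) >= sizeof copy) return -1;
    strcpy(copy, text);
    acl->n = 0;
    for (tok = strtok(copy, ",\n"); tok; tok = strtok(NULL, ",\n")) {
        while (*tok == ' ' || *tok == '\t') tok++;
        if (*tok == '\0' || *tok == '#') continue;
        if (acl->n == MAX_ENTRIES || parse_entry(tok, &acl->e[acl->n]) < 0) return -1;
        acl->n++;
    }
    return 0;
}

/* NULL when the ACL satisfies the POSIX.1e structural rules, otherwise the first
 * rule violated (a model of the rules, not the library's own checker). */
static const char *acl_check(const struct acl *acl) {
    int count[T_BAD] = {0}, i, j;
    for (i = 0; i < acl->n; i++) {
        const struct entry *e = &acl->e[i];
        count[e->tag]++;
        if (e->tag == T_USER || e->tag == T_GROUP)
            for (j = 0; j < i; j++)
                if (acl->e[j].tag == e->tag && !strcmp(acl->e[j].qual, e->qual))
                    return "duplicate qualifier";
    }
    if (count[T_USER_OBJ]  != 1) return "exactly one user:: entry required";
    if (count[T_GROUP_OBJ] != 1) return "exactly one group:: entry required";
    if (count[T_OTHER]     != 1) return "exactly one other:: entry required";
    if (count[T_MASK]       > 1) return "at most one mask:: entry allowed";
    if ((count[T_USER] || count[T_GROUP]) && count[T_MASK] == 0)
        return "mask:: entry required when named user or group entries exist";
    return NULL;
}

/* What an entry actually grants: named-user, owning-group and named-group
 * entries are ANDed with the mask; the owner and other entries are not. */
static unsigned effective_perms(const struct acl *acl, int idx) {
    unsigned mask = 7;
    int i;
    for (i = 0; i < acl->n; i++) if (acl->e[i].tag == T_MASK) mask = acl->e[i].perms;
    if (acl->e[idx].tag == T_USER || acl->e[idx].tag == T_GROUP_OBJ || acl->e[idx].tag == T_GROUP)
        return acl->e[idx].perms & mask;
    return acl->e[idx].perms;
}

int main(void) {
    /* Constructed sample: a named-user grant that the mask quietly reduces to read-only. */
    const char *text = "user::rw-,user:alice:rwx,group::r--,mask::r--,other::---";
    struct acl acl;
    const char *err;
    int i;
    if (acl_parse_text(text, &acl) < 0) { puts("parse error"); return 1; }
    err = acl_check(&acl);
    printf("valid: %s\n", err ? err : "yes");
    for (i = 0; i < acl.n; i++)
        printf("entry %d tag %d qual '%s' perms %o effective %o\n", i, (int)acl.e[i].tag,
               acl.e[i].qual, acl.e[i].perms, effective_perms(&acl, i));
    return 0;
}
```

The point a reviewer of ACLs should take from the sample is the last column:
user:alice:rwx is what the text says, but with mask::r-- in force the entry
grants only read, which is why text output for such an ACL carries an
#effective: comment.
Checking the effective rather than the nominal permissions, and rejecting an
ACL that names a user or group without a mask entry, is the part of
.Fn acl_valid
that matters when auditing what a file system object will actually allow.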
.Sh SEE ALSO
.Xr getfacl 1 ,
.Xr setfacl 1 ,
.Xr acl_add_perm 3 ,
.Xr acl_clear_perms 3 ,
.Xr acl_copy_entry 3 ,
.Xr acl_create_entry 3 ,
.Xr acl_delete_entry 3 ,
.Xr acl_delete_perm 3 ,
.Xr acl_dup 3 ,
.Xr acl_free 3 ,
.Xr acl_from_text 3 ,
.Xr acl_get 3 ,
.Xr acl_get_permset 3 ,
.Xr acl_get_qualifier 3 ,
.Xr acl_get_tag_type 3 ,
.Xr acl_init 3 ,
.Xr acl_set 3 ,
.Xr acl_set_permset 3 ,
.Xr acl_set_qualifier 3 ,
.Xr acl_set_tag_type 3 ,
.Xr acl_to_text 3 ,
.Xr acl_valid 3 ,
.Xr posix1e 3 ,
.Xr acl 9
.Sh UNSUPPORTED FUNCTIONS
.Xr acl_calc_mask 3 ,
.Fn acl_delete_def_file
.Sh STANDARDS
POSIX.1e assigns security labels to all objects, extending the security
functionality described in POSIX.1.
These additional labels provide fine-grained discretionary access control,
fine-grained capabilities, and labels necessary for mandatory access
control.
POSIX.2c describes a set of userland utilities for manipulating these
labels.
.Pp
POSIX.1e is described in IEEE POSIX.1e draft 17.
.Sh HISTORY
This manpage is closely derived from the
.Fx
manpage by
.An Robert N M Watson
.Sh AUTHORS
.An Michael Smith
.An Robert N M Watson