]> git.saurik.com Git - apple/libc.git/blame - posix1e/acl.3
Libc-391.5.18.tar.gz
[apple/libc.git] / posix1e / acl.3
CommitLineData
3d9156a7
A
1.\"-
2.\" Copyright (c) 2000, 2001, 2002 Robert N. M. Watson
3.\" All rights reserved.
4.\"
5.\" This software was developed by Robert Watson for the TrustedBSD Project.
6.\"
7.\" Redistribution and use in source and binary forms, with or without
8.\" modification, are permitted provided that the following conditions
9.\" are met:
10.\" 1. Redistributions of source code must retain the above copyright
11.\" notice, this list of conditions and the following disclaimer.
12.\" 2. Redistributions in binary form must reproduce the above copyright
13.\" notice, this list of conditions and the following disclaimer in the
14.\" documentation and/or other materials provided with the distribution.
15.\"
16.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26.\" SUCH DAMAGE.
27.\"
28.\" $FreeBSD: src/lib/libc/posix1e/acl.3,v 1.22 2003/02/06 11:04:46 charnier Exp $
29.\"
30.Dd December 18, 2002
31.Dt ACL 3
32.Os
33.Sh NAME
34.Nm acl
35.Nd introduction to the POSIX.1e ACL security API
36.Sh LIBRARY
37.Lb libc
38.Sh SYNOPSIS
39.In sys/types.h
40.In sys/acl.h
41.Sh DESCRIPTION
42The system permits file systems to export Access Control Lists via the VFS, and
43provides a library for userland access to and manipulation of these ACLs.
44Not all file systems provide support for ACLs, and some may require that
45ACL support be explicitly enabled by the administrator.
46The library calls include routines to allocate, duplicate, retrieve, set,
47and validate ACLs associated with file objects.
48.Pp
49This implementation of the POSIX.1e library differs from the standard
50in a number of non-portable ways in order to support the MacOS/Darwin
51ACL semantic. Where possible, these differences are implemented using
52the mechanisms provided in the standard for such extensions.
53Where routines are non-standard, they are suffixed with _np to indicate that
54they are not portable.
55.Pp
56POSIX.1e describes a set of ACL manipulation routines to manage the
57contents of ACLs, as well as their relationships with files; almost
58all of these support routines are implemented.
59.Pp
60Available functions, sorted by behavior, include:
61.Bl -tag -width indent
62.It Fn acl_add_perm
63This function is described in
64.Xr acl_add_perm 3 ,
65and may be used to add permissions to a permission set.
66.It Fn acl_clear_perms
67This function is described in
68.Xr acl_clear_perms 3 ,
69and may be used to clear all permissions from a permission set.
70.It Fn acl_copy_entry
71This function is described in
72.Xr acl_copy_entry 3 ,
73and may be used to copy the contents of an ACL entry.
74.It Fn acl_create_entry
75This function is described in
76.Xr acl_create_entry 3 ,
77and may be used to create an empty entry in an ACL.
78.It Xo
79.Fn acl_delete_fd_np ,
80.Fn acl_delete_file_np ,
81.Fn acl_delete_link_np
82.Xc
83These functions are described in
84.Xr acl_delete 3 ,
85and may be used to delete ACLs from file system objects.
86.It Fn acl_delete_entry
87This function is described in
88.Xr acl_delete_entry 3 ,
89and may be used to delete an entry from an ACL.
90.It Fn acl_delete_perm
91This function is described in
92.Xr acl_delete_perm 3 ,
93and may be used to delete permissions from a permset.
94.It Fn acl_dup
95This function is described in
96.Xr acl_dup 3 ,
97and may be used to duplicate an ACL structure.
98.It Fn acl_free
99This function is described in
100.Xr acl_free 3 ,
101and may be used to free userland working ACL storage.
102.It Fn acl_from_text
103This function is described in
104.Xr acl_from_text 3 ,
105and may be used to convert a text-form ACL into working ACL state, if
106the ACL has POSIX.1e semantics.
107.It Fn acl_get_entry
108This function is described in
109.Xr acl_get_entry 3 ,
110and may be used to retrieve a designated ACL entry from an ACL.
111.It Xo
112.Fn acl_get_fd ,
113.Fn acl_get_fd_np ,
114.Fn acl_get_file ,
115.Fn acl_get_link_np
116.Xc
117These functions are described in
118.Xr acl_get 3 ,
119and may be used to retrieve ACLs from file system objects.
120.It Fn acl_get_permset
121This function is described in
122.Xr acl_get_permset 3 ,
123and may be used to retrieve a permset from an ACL entry.
124.It Fn acl_get_qualifier
125This function is described in
126.Xr acl_get_qualifier 3 ,
127and may be used to retrieve the qualifier from an ACL entry.
128.It Fn acl_get_tag_type
129This function is described in
130.Xr acl_get_tag_type 3 ,
131and may be used to retrieve the tag type from an ACL entry.
132.It Fn acl_init
133This function is described in
134.Xr acl_init 3 ,
135and may be used to allocate a fresh (empty) ACL structure.
136.It Xo
137.Fn acl_set_fd ,
138.Fn acl_set_fd_np ,
139.Fn acl_set_file ,
140.Fn acl_set_link_np
141.Xc
142These functions are described in
143.Xr acl_set 3 ,
144and may be used to assign an ACL to a file system object.
145.It Fn acl_set_permset
146This function is described in
147.Xr acl_set_permset 3 ,
148and may be used to set the permissions of an ACL entry from a permset.
149.It Fn acl_set_qualifier
150This function is described in
151.Xr acl_set_qualifier 3 ,
152and may be used to set the qualifier of an ACL.
153.It Fn acl_set_tag_type
154This function is described in
155.Xr acl_set_tag_type 3 ,
156and may be used to set the tag type of an ACL.
157.It Fn acl_to_text
158This function is described in
159.Xr acl_to_text 3 ,
160and may be used to generate a text-form of a POSIX.1e semantics ACL.
161.It Xo
162.Fn acl_valid ,
163.Fn acl_valid_fd_np ,
164.Fn acl_valid_file_np ,
165.Fn acl_valid_link_np
166.Xc
167These functions are described in
168.Xr acl_valid 3 ,
169and may be used to validate an ACL as correct POSIX.1e-semantics, or
170as appropriate for a particular file system object regardless of semantics.
171.El
172.Pp
173Documentation of the internal kernel interfaces backing these calls may
174be found in
175.Xr acl 9 .
176The syscalls between the internal interfaces and the public library
177routines may change over time, and as such are not documented.
178They are not intended to be called directly without going through the
179library.
180.Sh SEE ALSO
181.Xr getfacl 1 ,
182.Xr setfacl 1 ,
183.Xr acl_add_perm 3 ,
184.Xr acl_clear_perms 3 ,
185.Xr acl_copy_entry 3 ,
186.Xr acl_create_entry 3 ,
187.Xr acl_delete_entry 3 ,
188.Xr acl_delete_perm 3 ,
189.Xr acl_dup 3 ,
190.Xr acl_free 3 ,
191.Xr acl_from_text 3 ,
192.Xr acl_get 3 ,
193.Xr acl_get_permset 3 ,
194.Xr acl_get_qualifier 3 ,
195.Xr acl_get_tag_type 3 ,
196.Xr acl_init 3 ,
197.Xr acl_set 3 ,
198.Xr acl_set_permset 3 ,
199.Xr acl_set_qualifier 3 ,
200.Xr acl_set_tag_type 3 ,
201.Xr acl_to_text 3 ,
202.Xr acl_valid 3 ,
203.Xr posix1e 3 ,
204.Xr acl 9
205.Sh UNSUPPORTED FUNCTIONS
206.Xr acl_calc_mask 3 ,
207.Fn acl_delete_def_file
208.Sh STANDARDS
209POSIX.1e assigns security labels to all objects, extending the security
210functionality described in POSIX.1.
211These additional labels provide fine-grained discretionary access control,
212fine-grained capabilities, and labels necessary for mandatory access
213control.
214POSIX.2c describes a set of userland utilities for manipulating these
215labels.
216.Pp
217POSIX.1e is described in IEEE POSIX.1e draft 17.
218.Sh HISTORY
219This manpage is closely derived from the
220.Fx
221manpage by
222.An Robert N M Watson
223.Sh AUTHORS
224.An Michael Smith
225.An Robert N M Watson