[apple/libinfo.git] / membership.subproj / mbr_check_membership.3

.\" Copyright (c) 2005-2011 Apple Inc
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 4. Neither the name of Apple Computer nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE COMPUTER AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"
.Dd November 5, 2011
.Dt MBR_CHECK_MEMBERSHIP 3
.Os "Mac OS X"
.Sh NAME
.Nm mbr_check_membership,
.Nm mbr_check_service_membership
.Nd check whether a user is a member of a group or service ACL
.Sh SYNOPSIS
.In membership.h
.Ft int
.Fn mbr_check_membership "uuid_t user" "uuid_t group" "int *ismember"
.Ft int
.Fn mbr_check_service_membership "uuid_t user" "const char *service" "int *ismember"
.Sh DESCRIPTION
.Fn mbr_check_membership
tests if a given user is a member of a group (either direct or indirect via a
nested group).
.Fa ismember
is set to 1 if the user is a member or 0 if not a member of the group.  
.Fn mbr_check_service_membership
similarly tests if a given user is a member of a service ACL group.  Service
ACLs are special groups defined with the prefix "com.apple.access_".  The
service is then prefixed (e.g., "afp" would check "com.apple.access_afp").
There is a special group that grants accessto all services called
"com.apple.access_all_services".
.Pp
Users may belong to any number of groups.
.Fn mbr_check_membership
should always be used to check group membership, rather than calling
.Xr getgroups 2
or
.Xr getgrouplist 2 .
The
.Xr setgroups 2
and
.Xr getgroups 2
routines are limited to a fixed number of gids,
and so may not include all of a user's groups.
.Pp
There are two special cases.
If the two uuids are equal, then 
.Fa ismember
is set to 1.
If the
.Fa group
uuid is equal to the reserved "everyone" uuid (ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C), then
.Fa ismember
will be set to 1 for any valid user.
.Pp
Group membership information is managed by
.Xr opendirectoryd 8 .
.Sh RETURN VALUES
.Fn mbr_check_membership
does not test whether
.Fa group
exists or not.
Querying membership for a nonexistent group will result in
.Fa ismember
being set to 0.  The function returns 0 on success or one of the following error
codes on failure:
.Bl -tag -width Er
.It Bq Er EIO
Communication with
.Xr openditectoryd 8
failed.
.It Bq Er ENOENT
.Fa user
can not be found.
.El
.Pp
.Fn mbr_check_service_membership
is identical to
.Fn mbr_check_membership
except that ENOENT means no service ACL has been defined.
.Pp
.Sh SEE ALSO
.Xr odutil 1 ,
.Xr setgroups 2 ,
.Xr getgroups 2 ,
.Xr mbr_uid_to_uuid 3 ,
.Xr opendirectoryd 8
Commit	Line	Data
d31dd049	1	.\" Copyright (c) 2005-2011 Apple Inc
b3dd680f A	2	.\" All rights reserved.
	3	.\"
	4	.\" Redistribution and use in source and binary forms, with or without
	5	.\" modification, are permitted provided that the following conditions
	6	.\" are met:
	7	.\" 1. Redistributions of source code must retain the above copyright
	8	.\" notice, this list of conditions and the following disclaimer.
	9	.\" 2. Redistributions in binary form must reproduce the above copyright
	10	.\" notice, this list of conditions and the following disclaimer in the
	11	.\" documentation and/or other materials provided with the distribution.
	12	.\" 4. Neither the name of Apple Computer nor the names of its contributors
	13	.\" may be used to endorse or promote products derived from this software
	14	.\" without specific prior written permission.
	15	.\"
	16	.\" THIS SOFTWARE IS PROVIDED BY APPLE COMPUTER AND CONTRIBUTORS ``AS IS'' AND
	17	.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	18	.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	19	.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
	20	.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	21	.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	22	.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	23	.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	24	.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	25	.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	26	.\" SUCH DAMAGE.
	27	.\"
	28	.\"
d31dd049	29	.Dd November 5, 2011
b3dd680f A	30	.Dt MBR_CHECK_MEMBERSHIP 3
	31	.Os "Mac OS X"
	32	.Sh NAME
d31dd049 A	33	.Nm mbr_check_membership,
	34	.Nm mbr_check_service_membership
	35	.Nd check whether a user is a member of a group or service ACL
b3dd680f A	36	.Sh SYNOPSIS
	37	.In membership.h
	38	.Ft int
	39	.Fn mbr_check_membership "uuid_t user" "uuid_t group" "int *ismember"
d31dd049 A	40	.Ft int
d31dd049 A	41	.Fn mbr_check_service_membership "uuid_t user" "const char service" "int ismember"
b3dd680f A	42	.Sh DESCRIPTION
b3dd680f A	43	.Fn mbr_check_membership
d31dd049 A	44	tests if a given user is a member of a group (either direct or indirect via a
d31dd049 A	45	nested group).
b3dd680f	46	.Fa ismember
d31dd049 A	47	is set to 1 if the user is a member or 0 if not a member of the group.
	48	.Fn mbr_check_service_membership
	49	similarly tests if a given user is a member of a service ACL group. Service
	50	ACLs are special groups defined with the prefix "com.apple.access_". The
	51	service is then prefixed (e.g., "afp" would check "com.apple.access_afp").
	52	There is a special group that grants accessto all services called
	53	"com.apple.access_all_services".
b3dd680f	54	.Pp
d49d4c81	55	Users may belong to any number of groups.
b3dd680f	56	.Fn mbr_check_membership
d31dd049 A	57	should always be used to check group membership, rather than calling
	58	.Xr getgroups 2
	59	or
	60	.Xr getgrouplist 2 .
b3dd680f A	61	The
	62	.Xr setgroups 2
	63	and
	64	.Xr getgroups 2
	65	routines are limited to a fixed number of gids,
	66	and so may not include all of a user's groups.
	67	.Pp
	68	There are two special cases.
	69	If the two uuids are equal, then
	70	.Fa ismember
	71	is set to 1.
	72	If the
	73	.Fa group
	74	uuid is equal to the reserved "everyone" uuid (ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C), then
	75	.Fa ismember
	76	will be set to 1 for any valid user.
	77	.Pp
d31dd049 A	78	Group membership information is managed by
d31dd049 A	79	.Xr opendirectoryd 8 .
b3dd680f A	80	.Sh RETURN VALUES
b3dd680f A	81	.Fn mbr_check_membership
b3dd680f A	82	does not test whether
	83	.Fa group
	84	exists or not.
d49d4c81	85	Querying membership for a nonexistent group will result in
b3dd680f	86	.Fa ismember
d31dd049 A	87	being set to 0. The function returns 0 on success or one of the following error
	88	codes on failure:
	89	.Bl -tag -width Er
	90	.It Bq Er EIO
	91	Communication with
	92	.Xr openditectoryd 8
	93	failed.
	94	.It Bq Er ENOENT
	95	.Fa user
	96	can not be found.
	97	.El
	98	.Pp
	99	.Fn mbr_check_service_membership
	100	is identical to
	101	.Fn mbr_check_membership
	102	except that ENOENT means no service ACL has been defined.
	103	.Pp
b3dd680f	104	.Sh SEE ALSO
d31dd049	105	.Xr odutil 1 ,
b3dd680f A	106	.Xr setgroups 2 ,
	107	.Xr getgroups 2 ,
	108	.Xr mbr_uid_to_uuid 3 ,
d31dd049	109	.Xr opendirectoryd 8