xnu-4903.270.47.tar.gz

[apple/xnu.git] / bsd / man / man2 / access.2

diff --git a/bsd/man/man2/access.2 b/bsd/man/man2/access.2
index 2c89f7a1153e858ef5ddea175c6d51782f5130d5..c4b2f92f66524330319a28c6da87603da2a2ea02 100644 (file)
--- a/bsd/man/man2/access.2
+++ b/bsd/man/man2/access.2
@@ -1,5 +1,3 @@
-.\"    $NetBSD: access.2,v 1.7 1995/02/27 12:31:44 cgd Exp $
-.\"

 .\" Copyright (c) 1980, 1991, 1993
 .\"    The Regents of the University of California.  All rights reserved.
 .\"
 .\" Copyright (c) 1980, 1991, 1993
 .\"    The Regents of the University of California.  All rights reserved.
 .\"


@@ -11,10 +9,6 @@
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.

-.\" 3. All advertising materials mentioning features or use of this software
-.\"    must display the following acknowledgement:
-.\"    This product includes software developed by the University of
-.\"    California, Berkeley and its contributors.

 .\" 4. Neither the name of the University nor the names of its contributors
 .\"    may be used to endorse or promote products derived from this software
 .\"    without specific prior written permission.
 .\" 4. Neither the name of the University nor the names of its contributors
 .\"    may be used to endorse or promote products derived from this software
 .\"    without specific prior written permission.


@@ -32,51 +26,57 @@
 .\" SUCH DAMAGE.
 .\"
 .\"     @(#)access.2   8.2 (Berkeley) 4/1/94
 .\" SUCH DAMAGE.
 .\"
 .\"     @(#)access.2   8.2 (Berkeley) 4/1/94

+.\" $FreeBSD$

 .\"
 .\"

-.Dd April 1, 1994
+.Dd September 15, 2014

 .Dt ACCESS 2
 .Dt ACCESS 2

-.Os BSD 4
+.Os

 .Sh NAME
 .Nm access ,
 .Nm faccessat
 .Sh NAME
 .Nm access ,
 .Nm faccessat

-.Nd check access permissions of a file or pathname
+.Nd check accessibility of a file

 .Sh SYNOPSIS
 .Sh SYNOPSIS

-.Fd #include <unistd.h>
+.In unistd.h

 .Ft int
 .Ft int

-.Fo access
-.Fa "const char *path"
-.Fa "int amode"
-.Fc
+.Fn access "const char *path" "int mode"

 .Ft int
 .Fn faccessat "int fd" "const char *path" "int mode" "int flag"
 .Sh DESCRIPTION
 The
 .Fn access
 .Ft int
 .Fn faccessat "int fd" "const char *path" "int mode" "int flag"
 .Sh DESCRIPTION
 The
 .Fn access

-function checks the accessibility of the
+system call checks the accessibility of the

 file named by
 file named by

+the

 .Fa path
 .Fa path

+argument

 for the access permissions indicated by
 for the access permissions indicated by

-.Fa amode .
+the
+.Fa mode
+argument.

 The value of
 The value of

-.Fa amode
-is the bitwise inclusive OR of the access permissions to be
+.Fa mode
+is either the bitwise-inclusive OR of the access permissions to be

 checked
 checked

-.Pf ( Dv R_OK
+.Dv ( R_OK

 for read permission,
 .Dv W_OK
 for read permission,
 .Dv W_OK

-for write permission and
+for write permission, and

 .Dv X_OK
 .Dv X_OK

-for execute/search permission) or the existence test,
-.Dv F_OK .
-All components of the pathname
-.Fa path
-are checked for access permissions (including
-.Dv F_OK ) .
+for execute/search permission),
+or the existence test
+.Pq Dv F_OK .
+.Pp
+For additional information, see the
+.Sx "File Access Permission"
+section of
+.Xr intro 2 .

 .Pp
 .Pp

-The real user ID is used in place of the effective user ID
-and the real group access list
-(including the real group ID) are
-used in place of the effective ID for verifying permission.
+The
+.Fn access
+system call uses
+the real user ID in place of the effective user ID,
+the real group ID in place of the effective group ID,
+and the rest of the group access list.

 .Pp
 The
 .Fn faccessat
 .Pp
 The
 .Fn faccessat


@@ -118,62 +118,45 @@ Likewise for
 and
 .Dv W_OK .
 .Sh RETURN VALUES
 and
 .Dv W_OK .
 .Sh RETURN VALUES

-If
-.Fa path
-cannot be found
-or if any of the desired access modes would not be granted,
-then a -1 value is returned and the global integer variable
-.Va errno
-is set to indicate the error.
-Otherwise, a 0 value is returned.
+.Rv -std

 .Sh ERRORS
 .Sh ERRORS

-Access to the file is denied if:
+.Fn access
+or
+.Fn faccessat
+will fail if:

 .Bl -tag -width Er
 .Bl -tag -width Er

-.\" ==========
-.It Bq Er EACCES
-Permission bits of the file mode do not permit the requested access,
-or search permission is denied on a component of the path prefix.
-.Pp
-The owner of a file has permission checked
-with respect to the ``owner'' read, write, and execute mode bits,
-members of the file's group other than the owner have permission checked
-with respect to the ``group'' mode bits,
-and all others have permissions checked
-with respect to the ``other'' mode bits.
-.\" 
-.\" ==========
-.It Bq Er EFAULT
-.Fa Path
-points outside the process's allocated address space.

 .It Bq Er EINVAL
 .It Bq Er EINVAL

-An invalid value was specified for
-.Ar amode .
-.\" ==========
-.It Bq Er EIO
-An I/O error occurred while reading from or writing to the file system.
-.\" ==========
-.It Bq Er ELOOP
-Too many symbolic links were encountered in translating the pathname.
-.\" ==========
+The value of the
+.Fa mode
+argument is invalid.
+.It Bq Er ENOTDIR
+A component of the path prefix is not a directory.

 .It Bq Er ENAMETOOLONG
 A component of a pathname exceeded 
 .Dv {NAME_MAX}
 characters, or an entire path name exceeded 
 .Dv {PATH_MAX}
 characters.
 .It Bq Er ENAMETOOLONG
 A component of a pathname exceeded 
 .Dv {NAME_MAX}
 characters, or an entire path name exceeded 
 .Dv {PATH_MAX}
 characters.

-.\" ==========

 .It Bq Er ENOENT
 The named file does not exist.
 .It Bq Er ENOENT
 The named file does not exist.

-.\" ==========
-.It Bq Er ENOTDIR
-A component of the path prefix is not a directory.
-.\" ==========
+.It Bq Er ELOOP
+Too many symbolic links were encountered in translating the pathname.

 .It Bq Er EROFS
 Write access is requested for a file on a read-only file system.
 .It Bq Er EROFS
 Write access is requested for a file on a read-only file system.

-.\" ==========

 .It Bq Er ETXTBSY
 Write access is requested for a pure procedure (shared text)
 .It Bq Er ETXTBSY
 Write access is requested for a pure procedure (shared text)

-file that is presently being executed.
+file presently being executed.
+.It Bq Er EACCES
+Permission bits of the file mode do not permit the requested
+access, or search permission is denied on a component of the
+path prefix.
+.It Bq Er EFAULT
+The
+.Fa path
+argument
+points outside the process's allocated address space.
+.It Bq Er EIO
+An I/O error occurred while reading from or writing to the file system.

 .El
 .Pp
 Also, the
 .El
 .Pp
 Also, the


@@ -204,16 +187,38 @@ nor a file descriptor associated with a directory.
 .El
 .Sh SEE ALSO
 .Xr chmod 2 ,
 .El
 .Sh SEE ALSO
 .Xr chmod 2 ,

+.Xr intro 2 ,

 .Xr stat 2
 .Sh STANDARDS
 The
 .Fn access
 .Xr stat 2
 .Sh STANDARDS
 The
 .Fn access

-function conforms to 
+system call is expected to conform to

 .St -p1003.1-90 .
 The
 .Fn faccessat
 system call is expected to conform to POSIX.1-2008 .
 .St -p1003.1-90 .
 The
 .Fn faccessat
 system call is expected to conform to POSIX.1-2008 .

-.Sh CAVEAT
+.Sh HISTORY
+The
+.Fn access
+function appeared in
+.At v7 .
+.Sh SECURITY CONSIDERATIONS
+The result of
+.Fn access
+should not be used to make an actual access control decision, since its
+response, even if correct at the moment it is formed, may be outdated at the
+time you act on it.
+.Fn access
+results should only be used to pre-flight, such as when configuring user
+interface elements or for optimization purposes.  The actual access control
+decision should be made by attempting to execute the relevant system call while
+holding the applicable credentials, and properly handling any resulting errors;
+and this must be done even though
+.Fn access
+may have predicted success.
+.Pp
+Additionally, set-user-ID and set-group-ID applications should restore the
+effective user or group ID,
+and perform actions directly rather than use

 .Fn access
 .Fn access

-is a potential security hole and
-should never be used.
+to simulate access checks for the real user or group ID.