Add acl(9) from FreeBSD.
Needs work before it should be added to the build.
This commit is contained in:
parent
1a8462f3d5
commit
e830eb67a9
|
@ -0,0 +1,226 @@
|
|||
.\" $NetBSD: acl.9,v 1.1 2020/06/18 20:38:42 wiz Exp $
|
||||
.\"-
|
||||
.\" Copyright (c) 1999-2001 Robert N. M. Watson
|
||||
.\" All rights reserved.
|
||||
.\"
|
||||
.\" Redistribution and use in source and binary forms, with or without
|
||||
.\" modification, are permitted provided that the following conditions
|
||||
.\" are met:
|
||||
.\" 1. Redistributions of source code must retain the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer.
|
||||
.\" 2. Redistributions in binary form must reproduce the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer in the
|
||||
.\" documentation and/or other materials provided with the distribution.
|
||||
.\"
|
||||
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $FreeBSD: head/share/man/man9/acl.9 287445 2015-09-04 00:14:20Z delphij $
|
||||
.\"
|
||||
.Dd September 4, 2015
|
||||
.Dt ACL 9
|
||||
.Os
|
||||
.Sh NAME
|
||||
.Nm acl
|
||||
.Nd virtual file system access control lists
|
||||
.Sh SYNOPSIS
|
||||
.In sys/param.h
|
||||
.In sys/vnode.h
|
||||
.In sys/acl.h
|
||||
.Pp
|
||||
In the kernel configuration file:
|
||||
.Cd "options UFS_ACL"
|
||||
.Sh DESCRIPTION
|
||||
Access control lists, or ACLs,
|
||||
allow fine-grained specification of rights
|
||||
for vnodes representing files and directories.
|
||||
However, as there are a plethora of file systems with differing ACL semantics,
|
||||
the vnode interface is aware only of the syntax of ACLs,
|
||||
relying on the underlying file system to implement the details.
|
||||
Depending on the underlying file system, each file or directory
|
||||
may have zero or more ACLs associated with it, named using the
|
||||
.Fa type
|
||||
field of the appropriate vnode ACL calls:
|
||||
.Xr VOP_ACLCHECK 9 ,
|
||||
.Xr VOP_GETACL 9 ,
|
||||
and
|
||||
.Xr VOP_SETACL 9 .
|
||||
.Pp
|
||||
Currently, each ACL is represented in-kernel by a fixed-size
|
||||
.Vt acl
|
||||
structure, defined as follows:
|
||||
.Bd -literal -offset indent
|
||||
struct acl {
|
||||
unsigned int acl_maxcnt;
|
||||
unsigned int acl_cnt;
|
||||
int acl_spare[4];
|
||||
struct acl_entry acl_entry[ACL_MAX_ENTRIES];
|
||||
};
|
||||
.Ed
|
||||
.Pp
|
||||
An ACL is constructed from a fixed size array of ACL entries,
|
||||
each of which consists of a set of permissions, principal namespace,
|
||||
and principal identifier.
|
||||
In this implementation, the
|
||||
.Vt acl_maxcnt
|
||||
field is always set to
|
||||
.Dv ACL_MAX_ENTRIES .
|
||||
.Pp
|
||||
Each individual ACL entry is of the type
|
||||
.Vt acl_entry_t ,
|
||||
which is a structure with the following members:
|
||||
.Bl -tag -width 2n
|
||||
.It Vt acl_tag_t Va ae_tag
|
||||
The following is a list of definitions of ACL types
|
||||
to be set in
|
||||
.Va ae_tag :
|
||||
.Pp
|
||||
.Bl -tag -width ".Dv ACL_UNDEFINED_FIELD" -offset indent -compact
|
||||
.It Dv ACL_UNDEFINED_FIELD
|
||||
Undefined ACL type.
|
||||
.It Dv ACL_USER_OBJ
|
||||
Discretionary access rights for processes whose effective user ID
|
||||
matches the user ID of the file's owner.
|
||||
.It Dv ACL_USER
|
||||
Discretionary access rights for processes whose effective user ID
|
||||
matches the ACL entry qualifier.
|
||||
.It Dv ACL_GROUP_OBJ
|
||||
Discretionary access rights for processes whose effective group ID
|
||||
or any supplemental groups
|
||||
match the group ID of the file's owner.
|
||||
.It Dv ACL_GROUP
|
||||
Discretionary access rights for processes whose effective group ID
|
||||
or any supplemental groups
|
||||
match the ACL entry qualifier.
|
||||
.It Dv ACL_MASK
|
||||
The maximum discretionary access rights that can be granted
|
||||
to a process in the file group class.
|
||||
This is only valid for POSIX.1e ACLs.
|
||||
.It Dv ACL_OTHER
|
||||
Discretionary access rights for processes not covered by any other ACL
|
||||
entry.
|
||||
This is only valid for POSIX.1e ACLs.
|
||||
.It Dv ACL_OTHER_OBJ
|
||||
Same as
|
||||
.Dv ACL_OTHER .
|
||||
.It Dv ACL_EVERYONE
|
||||
Discretionary access rights for all users.
|
||||
This is only valid for NFSv4 ACLs.
|
||||
.El
|
||||
.Pp
|
||||
Each POSIX.1e ACL must contain exactly one
|
||||
.Dv ACL_USER_OBJ ,
|
||||
one
|
||||
.Dv ACL_GROUP_OBJ ,
|
||||
and one
|
||||
.Dv ACL_OTHER .
|
||||
If any of
|
||||
.Dv ACL_USER ,
|
||||
.Dv ACL_GROUP ,
|
||||
or
|
||||
.Dv ACL_OTHER
|
||||
are present, then exactly one
|
||||
.Dv ACL_MASK
|
||||
entry should be present.
|
||||
.It Vt uid_t Va ae_id
|
||||
The ID of user for whom this ACL describes access permissions.
|
||||
For entries other than
|
||||
.Dv ACL_USER
|
||||
and
|
||||
.Dv ACL_GROUP ,
|
||||
this field should be set to
|
||||
.Dv ACL_UNDEFINED_ID .
|
||||
.It Vt acl_perm_t Va ae_perm
|
||||
This field defines what kind of access the process matching this ACL has
|
||||
for accessing the associated file.
|
||||
For POSIX.1e ACLs, the following are valid:
|
||||
.Bl -tag -width ".Dv ACL_WRITE_NAMED_ATTRS"
|
||||
.It Dv ACL_EXECUTE
|
||||
The process may execute the associated file.
|
||||
.It Dv ACL_WRITE
|
||||
The process may write to the associated file.
|
||||
.It Dv ACL_READ
|
||||
The process may read from the associated file.
|
||||
.It Dv ACL_PERM_NONE
|
||||
The process has no read, write or execute permissions
|
||||
to the associated file.
|
||||
.El
|
||||
.Pp
|
||||
For NFSv4 ACLs, the following are valid:
|
||||
.Bl -tag -width ".Dv ACL_WRITE_NAMED_ATTRS"
|
||||
.It Dv ACL_READ_DATA
|
||||
The process may read from the associated file.
|
||||
.It Dv ACL_LIST_DIRECTORY
|
||||
Same as
|
||||
.Dv ACL_READ_DATA .
|
||||
.It Dv ACL_WRITE_DATA
|
||||
The process may write to the associated file.
|
||||
.It Dv ACL_ADD_FILE
|
||||
Same as
|
||||
.Dv ACL_ACL_WRITE_DATA .
|
||||
.It Dv ACL_APPEND_DATA
|
||||
.It Dv ACL_ADD_SUBDIRECTORY
|
||||
Same as
|
||||
.Dv ACL_APPEND_DATA .
|
||||
.It Dv ACL_READ_NAMED_ATTRS
|
||||
Ignored.
|
||||
.It Dv ACL_WRITE_NAMED_ATTRS
|
||||
Ignored.
|
||||
.It Dv ACL_EXECUTE
|
||||
The process may execute the associated file.
|
||||
.It Dv ACL_DELETE_CHILD
|
||||
.It Dv ACL_READ_ATTRIBUTES
|
||||
.It Dv ACL_WRITE_ATTRIBUTES
|
||||
.It Dv ACL_DELETE
|
||||
.It Dv ACL_READ_ACL
|
||||
.It Dv ACL_WRITE_ACL
|
||||
.It Dv ACL_WRITE_OWNER
|
||||
.It Dv ACL_SYNCHRONIZE
|
||||
Ignored.
|
||||
.El
|
||||
.It Vt acl_entry_type_t Va ae_entry_type
|
||||
This field defines the type of NFSv4 ACL entry.
|
||||
It is not used with POSIX.1e ACLs.
|
||||
The following values are valid:
|
||||
.Bl -tag -width ".Dv ACL_WRITE_NAMED_ATTRS"
|
||||
.It Dv ACL_ENTRY_TYPE_ALLOW
|
||||
.It Dv ACL_ENTRY_TYPE_DENY
|
||||
.El
|
||||
.It Vt acl_flag_t Va ae_flags
|
||||
This field defines the inheritance flags of NFSv4 ACL entry.
|
||||
It is not used with POSIX.1e ACLs.
|
||||
The following values are valid:
|
||||
.Bl -tag -width ".Dv ACL_ENTRY_DIRECTORY_INHERIT"
|
||||
.It Dv ACL_ENTRY_FILE_INHERIT
|
||||
.It Dv ACL_ENTRY_DIRECTORY_INHERIT
|
||||
.It Dv ACL_ENTRY_NO_PROPAGATE_INHERIT
|
||||
.It Dv ACL_ENTRY_INHERIT_ONLY
|
||||
.It Dv ACL_ENTRY_INHERITED
|
||||
.El
|
||||
The
|
||||
.Dv ACL_ENTRY_INHERITED
|
||||
flag is set on an ACE that has been inherited from its parent.
|
||||
It may also be set programmatically, and is valid on both files
|
||||
and directories.
|
||||
.El
|
||||
.Sh SEE ALSO
|
||||
.Xr acl 3 ,
|
||||
.Xr vaccess 9 ,
|
||||
.Xr vaccess_acl_nfs4 9 ,
|
||||
.Xr vaccess_acl_posix1e 9 ,
|
||||
.Xr VFS 9 ,
|
||||
.Xr VOP_ACLCHECK 9 ,
|
||||
.Xr VOP_GETACL 9 ,
|
||||
.Xr VOP_SETACL 9
|
||||
.Sh AUTHORS
|
||||
This manual page was written by
|
||||
.An Robert Watson .
|
Loading…
Reference in New Issue