NAME
aaccll - introduction to the POSIX.1e ACL security API
LLIIBBRRAARRYYStandard C Library (libc, -lc)
SYNOPSIS
##iinncclluuddee <
> ##iinncclluuddee <
> DESCRIPTION
The system permits file systems to export Access Control Lists via the VFS, and provides a library for userland access to and manipulation of these ACLs. Not all file systems provide support for ACLs, and some may require that ACL support be explicitly enabled by the administrator. The library calls include routines to allocate, duplicate, retrieve, set, and validate ACLs associated with file objects. This implementation of the POSIX.1e library differs from the standard ina number of non-portable ways in order to support the MacOS/Darwin ACL
semantic. Where possible, these differences are implemented using the mechanisms provided in the standard for such extensions. Where routinesare non-standard, they are suffixed with np to indicate that they are
not portable.POSIX.1e describes a set of ACL manipulation routines to manage the con-
tents of ACLs, as well as their relationships with files; almost all of these support routines are implemented. Available functions, sorted by behavior, include: aaccllaaddddppeerrmm()This function is described in acladdperm(3), and may be used to
add permissions to a permission set. aaccllcclleeaarrppeerrmmss()This function is described in aclclearperms(3), and may be used
to clear all permissions from a permission set. aaccllccooppyyeennttrryy()This function is described in aclcopyentry(3), and may be used
to copy the contents of an ACL entry. aaccllccrreeaatteeeennttrryy()This function is described in aclcreateentry(3), and may be
used to create an empty entry in an ACL. aaccllddeelleetteeffddnnpp(), aaccllddeelleetteeffiilleennpp(), aaccllddeelleetteelliinnkknnpp()These functions are described in acldelete(3), and may be used
to delete ACLs from file system objects. aaccllddeelleetteeeennttrryy()This function is described in acldeleteentry(3), and may be
used to delete an entry from an ACL. aaccllddeelleetteeppeerrmm()This function is described in acldeleteperm(3), and may be used
to delete permissions from a permset. aacclldduupp()This function is described in acldup(3), and may be used to
duplicate an ACL structure. aaccllffrreeee()This function is described in aclfree(3), and may be used to
free userland working ACL storage. aaccllffrroommtteexxtt()This function is described in aclfromtext(3), and may be used
to convert a text-form ACL into working ACL state, if the ACL has
POSIX.1e semantics. aaccllggeetteennttrryy()This function is described in aclgetentry(3), and may be used
to retrieve a designated ACL entry from an ACL. aaccllggeettffdd(), aaccllggeettffddnnpp(), aaccllggeettffiillee(), aaccllggeettlliinnkknnpp()These functions are described in aclget(3), and may be used to
retrieve ACLs from file system objects. aaccllggeettppeerrmmsseett()This function is described in aclgetpermset(3), and may be used
to retrieve a permset from an ACL entry. aaccllggeettqquuaalliiffiieerr()This function is described in aclgetqualifier(3), and may be
used to retrieve the qualifier from an ACL entry. aaccllggeettttaaggttyyppee()This function is described in aclgettagtype(3), and may be
used to retrieve the tag type from an ACL entry. aacclliinniitt()This function is described in aclinit(3), and may be used to
allocate a fresh (empty) ACL structure. aaccllsseettffdd(), aaccllsseettffddnnpp(), aaccllsseettffiillee(), aaccllsseettlliinnkknnpp()These functions are described in aclset(3), and may be used to
assign an ACL to a file system object. aaccllsseettppeerrmmsseett()This function is described in aclsetpermset(3), and may be used
to set the permissions of an ACL entry from a permset. aaccllsseettqquuaalliiffiieerr()This function is described in aclsetqualifier(3), and may be
used to set the qualifier of an ACL. aaccllsseettttaaggttyyppee()This function is described in aclsettagtype(3), and may be
used to set the tag type of an ACL. aaccllttootteexxtt()This function is described in acltotext(3), and may be used to
generate a text-form of a POSIX.1e semantics ACL.
aaccllvvaalliidd(), aaccllvvaalliiddffddnnpp(), aaccllvvaalliiddffiilleennpp(), aaccllvvaalliiddlliinnkknnpp()These functions are described in aclvalid(3), and may be used to
validate an ACL as correct POSIX.1e-semantics, or as appropriate
for a particular file system object regardless of semantics. Documentation of the internal kernel interfaces backing these calls maybe found in acl(9). The syscalls between the internal interfaces and the
public library routines may change over time, and as such are not docu-
mented. They are not intended to be called directly without going through the library.SEE ALSO
getfacl(1), setfacl(1), acladdperm(3), aclclearperms(3),
aclcopyentry(3), aclcreateentry(3), acldeleteentry(3),
acldeleteperm(3), acldup(3), aclfree(3), aclfromtext(3),
aclget(3), aclgetpermset(3), aclgetqualifier(3),
aclgettagtype(3), aclinit(3), aclset(3), aclsetpermset(3),
aclsetqualifier(3), aclsettagtype(3), acltotext(3), aclvalid(3),
posix1e(3), acl(9)
UUNNSSUUPPPPOORRTTEEDD FFUUNNCCTTIIOONNSSaclcalcmask(3), aaccllddeelleetteeddeeffffiillee()
STANDARDS POSIX.1e assigns security labels to all objects, extending the security functionality described in POSIX.1. These additional labels providefine-grained discretionary access control, fine-grained capabilities, and
labels necessary for mandatory access control. POSIX.2c describes a set of userland utilities for manipulating these labels. POSIX.1e is described in IEEE POSIX.1e draft 17. HISTORY This manpage is closely derived from the FreeBSD manpage by Robert N M Watson AUTHORS Michael Smith Robert N M Watson BSD December 18, 2002 BSD