1acl_totext(3SEC) File Access Control Library Functions acl_totext(3SEC)
2
3
4
6 acl_totext, acl_fromtext - convert internal representation to or from
7 external representation
8
10 cc [ flag... ] file... -lsec [ library... ]
11 #include <sys/acl.h>
12
13 char *acl_totext(acl_t *aclp, int flags);
14
15
16 int acl_fromtext(char *acltextp, acl_t **aclp);
17
18
20 The acl_totext() function converts an internal ACL representation
21 pointed to by aclp into an external ACL representation. The memory for
22 the external text string is obtained using malloc(3C). The caller is
23 responsible for freeing the memory upon completion.
24
25
26 The format of the external ACL is controlled by the flags argument.
27 Values for flags are constructed by a bitwise-inclusive-OR of flags
28 from the following list, defined in <sys/acl.h>.
29
30 ACL_COMPACT_FMT For NFSv4 ACLs, the ACL entries will be formatted
31 using the compact ACL format detailed in ls(1) for
32 the -V option.
33
34
35 ACL_APPEND_ID Append the uid or gid for additional user or group
36 entries. This flag is used to construt ACL entries
37 in a manner that is suitable for archive utilities
38 such as tar(1). When the ACL is translated from the
39 external format to internal representation using
40 acl_fromtext(), the appended ID will be used to pop‐
41 ulate the uid or gid field of the ACL entry when the
42 user or group name does not exist on the host sys‐
43 tem. The appended id will be ignored when the user
44 or group name does exist on the system.
45
46
47 ACL_SID_FMT For NFSv4 ACLs, the ACL entries for user or group
48 entries will use the usersid or groupsid format when
49 the "id" field in the ACL entry is an ephemeral uid
50 or gid. The raw sid format will only be used when
51 the "id" cannot be resolved to a windows name.
52
53
54
55 The acl_fromtext() function converts an external ACL representation
56 pointed to by acltextp into an internal ACL representation. The memory
57 for the list of ACL entries is obtained using malloc(3C). The caller is
58 responsible for freeing the memory upon completion. Depending on type
59 of ACLs a file system supports, one of two external external represen‐
60 tations are possible. For POSIX draft file systems such as ufs, the
61 external representation is described in acltotext(3SEC). The external
62 ACL representation For NFSv4-style ACLs is detailed as follows.
63
64
65 Each acl_entry contains one ACL entry. The external representation of
66 an ACL entry contains three, four or five colon separated fields. The
67 first field contains the ACL entry type. The entry type keywords are
68 defined as:
69
70 everyone@ This ACL entry specifies the access granted to any user or
71 group that does not match any previous ACL entry.
72
73
74 group This ACL entry with a GID specifies the access granted to
75 a additional group of the object.
76
77
78 group@ This ACL entry with no GID specified in the ACL entry
79 field specifies the access granted to the owning group of
80 the object.
81
82
83 groupsid This ACL entry with a SID or Windows name specifies the
84 access granted to a Windows group. This type of entry is
85 for a CIFS server created file.
86
87
88 owner@ This ACL entry with no UID specified in the ACL entry
89 field specifies the access granted to the owner of the
90 object.
91
92
93 sid This ACL entry with a SID or Windows name when the entry
94 could be either a group or a user.
95
96
97 user This ACL entry with a UID specifies the access granted to
98 a additional user of the object.
99
100
101 usersid This ACL entry with a SID or Windows name specifies the
102 access granted to a Windows user. This type of entry is
103 for a CIFS server created file.
104
105
106
107 The second field contains the ACL entry ID, and is used only for user
108 or group ACL entries. This field is not used for owner@, group@, or
109 everyone@ entries.
110
111 uid This field contains a user-name or user-ID. If the user-name
112 cannot be resolved to a UID, then the entry is assumed to be a
113 numeric UID.
114
115
116 gid This field contains a group-name or group-ID. If the group-name
117 can't be resolved to a GID, then the entry is assumed to be a
118 numeric GID.
119
120
121
122 The third field contains the discretionary access permissions. The for‐
123 mat of the permissions depends on whether ACL_COMPACT_FMT is specified.
124 When the flags field does not request ACL_COMPACT_FMT, the following
125 format is used with a forward slash (/) separating the permissions.
126
127 add_file Add a file to a directory.
128
129
130 add_subdirectory Add a subdirectory.
131
132
133 append Append data.
134
135
136 delete Delete.
137
138
139 delete_child Delete child.
140
141
142 execute Execute permission.
143
144
145 list_directory List a directory.
146
147
148 read_acl Read ACL.
149
150
151 read_data Read permission.
152
153
154 read_attributes Read attributes.
155
156
157 read_xattr Read named attributes.
158
159
160 synchronize Synchronize.
161
162
163 write_acl Write ACL.
164
165
166 write_attributes Write attributes.
167
168
169 write_data Write permission.
170
171
172 write_owner Write owner.
173
174
175 write_xattr Write named attributes.
176
177
178
179 This format allows permissions to be specified as, for example:
180 read_data/read_xattr/read_attributes.
181
182
183 When ACL_COMPACT_FMT is specified, the permissions consist of 14 unique
184 letters. A hyphen (-) character is used to indicate that the permis‐
185 sion at that position is not specified.
186
187 a read attributes
188
189
190 A write attributes
191
192
193 c read ACL
194
195
196 C write ACL
197
198
199 d delete
200
201
202 D delete child
203
204
205 o write owner
206
207
208 p append
209
210
211 r read_data
212
213
214 R read named attributes
215
216
217 s synchronize
218
219
220 w write_data
221
222
223 W write named attributes
224
225
226 x execute
227
228
229
230 This format allows compact permissions to be represented as, for exam‐
231 ple: rw--d-a-------
232
233
234 The fourth field is optional when ACL_COMPACT_FMT is not specified, in
235 which case the field will be present only when the ACL entry has inher‐
236 itance flags set. The following is the list of inheritance flags sepa‐
237 rated by a slash (/) character.
238
239 dir_inherit ACE_DIRECTORY_INHERIT_ACE
240
241
242 file_inherit ACE_FILE_INHERIT_ACE
243
244
245 inherit_only ACE_INHERIT_ONLY_ACE
246
247
248 no_propagate ACE_NO_PROPAGATE_INHERIT_ACE
249
250
251
252 When ACL_COMPACT_FMT is specified the inheritance will always be
253 present and is represented as positional arguments. A hyphen (-) char‐
254 acter is used to indicate that the inheritance flag at that position is
255 not specified.
256
257 d dir_inherit
258
259
260 f file_inherit
261
262
263 F failed access (not currently supported)
264
265
266 i inherit_only
267
268
269 n no_propagate
270
271
272 S successful access (not currently supported)
273
274
275
276 The fifth field contains the type of the ACE (allow or deny):
277
278 allow The mask specified in field three should be allowed.
279
280
281 deny The mask specified in field three should be denied.
282
283
285 Upon successful completion, the acl_totext() function returns a pointer
286 to a text string. Otherwise, it returns NULL.
287
288
289 Upon successful completion, the acl_fromtext() function returns 0. Oth‐
290 erwise, the return value is set to one of the following:
291
292 EACL_FIELD_NOT_BLANK A field that should be blank is not blank.
293
294
295 EACL_FLAGS_ERROR An invalid ACL flag was specified.
296
297
298 EACL_INHERIT_ERROR An invalid inheritance field was specified.
299
300
301 EACL_INVALID_ACCESS_TYPE An invalid access type was specified.
302
303
304 EACL_INVALID_STR The string is NULL.
305
306
307 EACL_INVALID_USER_GROUP The required user or group name not found.
308
309
310 EACL_MISSING_FIELDS The ACL needs more fields to be specified.
311
312
313 EACL_PERM_MASK_ERROR The permission mask is invalid.
314
315
316 EACL_UNKNOWN_DATA Unknown data was found in the ACL.
317
318
320 Example 1 Examples of permissions when ACL_COMPACT_FMT is not speci‐
321 fied.
322
323 user:joe:read_data/write_data:file_inherit/dir_inherit:allow
324
325
326
327 owner@:read_acl:allow,user:tom:read_data:file_inherit/inherit_only:deny
328
329
330
331 Example 2 Examples of permissions when ACL_COMPACT_FMT is specified.
332
333 user:joe:rw------------:fd----:allow
334
335
336
337 owner@:----------c---:------allow,user:tom:r-------------:f-i---:deny
338
339
340
342 See attributes(5) for descriptions of the following attributes:
343
344
345
346
347 ┌─────────────────────────────┬─────────────────────────────┐
348 │ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
349 ├─────────────────────────────┼─────────────────────────────┤
350 │Interface Stability │Committed │
351 ├─────────────────────────────┼─────────────────────────────┤
352 │MT-Level │Safe │
353 └─────────────────────────────┴─────────────────────────────┘
354
356 ls(1), tar(1), acl(2), malloc(3C), aclfromtext(3SEC), acl(5),
357 attributes(5)
358
359
360
361SunOS 5.11 16 Jun 2008 acl_totext(3SEC)