FreeBSD 4.11 manual page repository

FreeBSD is a free computer operating system based on BSD UNIX originally. Many IT companies, like DeployIS is using it to provide an up-to-date, stable operating system.

acl - introduction to the POSIX.1e ACL security API



      acl - introduction to the POSIX.1e ACL security API


      library “libposix1e”


      #include <sys/types.h>
      #include <sys/acl.h>


      As shipped, FreeBSD 4.0 permits file systems to export Access Control
      Lists via the VFS, and provides a library for userland access to and
      manipulation of these ACLs, but support for ACLs is not provided by any
      file systems shipped in the base operating system.  The library calls
      shipped with 4.0 include routines to allocate, duplicate, retrieve, set,
      and validate ACLs associated with file objects.  As well as the POSIX.1e
      routines, there are a number of non-portable extensions defined that
      allow for alternative ACL semantics than the POSIX.1e semantics, such as
      AFS, NTFS, Coda, and NWFS semantics.  Where routines are non-standard,
      they are suffixed with _np to indicate that they are not portable.
      POSIX.1e describes a set of ACL manipulation routines to manage the con‐
      tents of ACLs, as well as their relationships with files.  This manipula‐
      tion library is not currently implemented in FreeBSD, although a third
      party library was under development at the time this document was writ‐
      ten.  There is a general consensus that the POSIX.1e manipulation rou‐
      tines are ambiguously defined in the specification, and don’t meet the
      needs of most applications.  For the time being, applications may
      directly manipulate the ACL structures, defined in acl.h, although the
      recommended usage is to only ever handle text-form ACLs in applications,
      generated and maintained using acl_from_text() and acl_to_text(), passed
      directly to and from the management routines.  In this manner, an appli‐
      cation can remain safely unaware of the contents of ACLs.
      Available functions, sorted by behavior, include:
      acl_delete_def_file(), acl_delete_file_np(), acl_delete_fd_np()
      These functions are described in acl_delete(3), and may be used to delete
      ACLs from file system objects.
      This function is described in acl_free(3), and may be used to free user‐
      land working ACL storage.
      This function is described in acl_from_text(3), and may be used to con‐
      vert a text-form ACL into working ACL state, if the ACL has POSIX.1e
      acl_get_file(), acl_get_fd(), acl_get_fd_np()
      These functions are described in acl_get(3), and may be used to retrieve
      ACLs from file system objects.
      This function is described in acl_init(3), and may be used to allocate a
      fresh (empty) ACL structure.
      This function is described in acl_dup(3), and may be used to duplicate an
      ACL structure.
      acl_set_file(), acl_set_fd(), acl_set_fd_np()
      These functions are described in acl_set(3), and may be used to assign an
      ACL to a file system object.
      This function is described in acl_to_text(3), and may be used to generate
      a text-form of a POSIX.1e semantics ACL.
      acl_valid(), acl_valid_file_np(), acl_valid_fd_np()
      Thee functions are described in acl_valid(3), and may be used to validate
      an ACL as correct POSIX.1e-semantics, or as appropriate for a particular
      file system object regardless of semantics.
      Documentation of the internal kernel interfaces backing these calls may
      be found in acl(9).  The syscalls between the internal interfaces and the
      public library routines may change over time, and as such are not docu‐
      mented.  They are not intended to be called directly without going
      through the library.
      FreeBSD’s support for POSIX.1e interfaces and features is still under
      development at this time.


      POSIX.1e assigns security labels to all objects, extending the security
      functionality described in POSIX.1.  These additional labels provide
      fine-grained discretionary access control, fine-grained capabilities, and
      labels necessary for mandatory access control.  POSIX.2c describes a set
      of userland utilities for manipulating these labels.  These userland
      utilities are not bundled with FreeBSD 4.0 so as to discourage their use
      in the short term.
      acl(3), acl_dup(3), acl_free(3), acl_from_text(3), acl_get(3),
      acl_set(3), acl_to_text(3), acl_valid(3), acl(9)


      POSIX.1e is described in IEEE POSIX.1e draft 17.  Discussion of the draft
      continues on the cross-platform POSIX.1e implementation mailing list.  To
      join this list, see the FreeBSD POSIX.1e implementation page for more


      POSIX.1e support was introduced in FreeBSD 4.0, and development contin‐


      Robert N M Watson


      These features are not yet fully implemented.  In particular, the shipped
      version of UFS/FFS does not support storage of additional security
      labels, and so is unable to (easily) provide support for most of these


Based on BSD UNIX
FreeBSD is an advanced operating system for x86 compatible (including Pentium and Athlon), amd64 compatible (including Opteron, Athlon64, and EM64T), UltraSPARC, IA-64, PC-98 and ARM architectures. It is derived from BSD, the version of UNIX developed at the University of California, Berkeley. It is developed and maintained by a large team of individuals. Additional platforms are in various stages of development.