Search all pages
Professions, Sciences, Humanities, Business, ...
Text-based, GUI, Audio, Video, Keyboards, Mouse, Images,...
Conversions, tests, processing, manipulation,...
Integer, Floating point, Matrix, Statistics, Boolean, ...
Algorithms, Memory, Process control, Debugging, ...
Data storage, Integrity, Encryption, Compression, ...
Networks, protocols, Interprocess, Remote, Client Server, ...
Timing, Calendar and Clock, Audio, Video, Printer, Controls...
Management, Filtering, File & Directory access, Viewers, ...
RocketLink!--> Man page versions:
acl_canonicalize_principal, acl_check, acl_exact_match,
acl_add, acl_delete, acl_initialize - Access control list
cc <files> -lacl -lkrb
An access control list (ACL) is a list of principals,
where each principal is represented by a text string which
cannot contain whitespace. The library allows application
programs to refer to named access control lists to test
membership and to atomically add and delete principals
using a natural and intuitive interface. At present, the
names of access control lists are required to be Unix
filenames, and refer to human-readable Unix files; in the
future, when a networked ACL server is implemented, the
names may refer to a different namespace specific to the
Principal names have the form
MIT Project Athena Kerberos Version 4.0 1
It is possible for principals to be underspecified. If an
instance is missing, it is assumed to be "". If realm is
missing, it is assumed to be the local realm as determined
by krb_get_lrealm(3). The canonical form contains all of
name, instance, and realm; the acl_add and acl_delete rou-
tines will always leave the file in that form. Note that
the canonical form of asp@ATHENA.MIT.EDU is actually
acl_canonicalize_principal stores the canonical form of
principal in buf. Buf must contain enough space to store
a principal, given the limits on the sizes of name,
instance, and realm specified as ANAME_SZ, INST_SZ, and
REALM_SZ, respectively, in /usr/include/kerberosIV/ker-
acl_check returns nonzero if principal appears in acl.
Returns 0 if principal does not appear in acl, or if an
error occurs. Canonicalizes principal before checking,
and allows the ACL to contain wildcards. The only sup-
ported wildcards are entries of the form name.*@realm,
*.*@realm, and *.*@*. An asterisk matches any value for
the its component field. For example, "jtkohl.*@*" would
match principal jtkohl, with any instance and any realm.
acl_exact_match performs like acl_check, but does no
canonicalization or wildcard matching.
acl_add atomically adds principal to acl. Returns 0 if
successful, nonzero otherwise. It is considered a failure
if principal is already in acl. This routine will canoni-
calize principal, but will treat wildcards literally.
acl_delete atomically deletes principal from acl. Returns
0 if successful, nonzero otherwise. It is considered a
failure if principal is not already in acl. This routine
will canonicalize principal, but will treat wildcards lit-
acl_initialize initializes acl_file. If the file acl_file
does not exist, acl_initialize creates it with mode mode.
If the file acl_file exists, acl_initialize removes all
members. Returns 0 if successful, nonzero otherwise.
WARNING: Mode argument is likely to change with the even-
tual introduction of an ACL service.
In the presence of concurrency, there is a very small
chance that acl_add or acl_delete could report success
MIT Project Athena Kerberos Version 4.0 2
even though it would have had no effect. This is a neces-
sary side effect of using lock files for concurrency con-
trol rather than flock(2), which is not supported by NFS.
The current implementation caches ACLs in memory in a
hash-table format for increased efficiency in checking
membership; one effect of the caching scheme is that one
file descriptor will be kept open for each ACL cached, up
to a maximum of 8.
James Aspnes (MIT Project Athena)
MIT Project Athena Kerberos Version 4.0 3
Source: OpenBSD 2.6 man pages. Copyright: Portions are copyrighted by BERKELEY
SOFTWARE DESIGN, INC., The Regents of the University of California, Massachusetts
Institute of Technology, Free Software Foundation, FreeBSD Inc., and others.
(Corrections, notes, and links courtesy of RocketAware.com)
FreeBSD Sources for acl_check(3) functions
Up to: File Access Limits - Limiting access to files (permissions, locking, et al)
Up to: Process Limits: File Access - Process Limits on File access (permissions, ownership, modes, et al)
RocketLink!--> Man page versions:
Search | About | Comments | Submit Path: RocketAware > man pages >
RocketAware.com is a service of Mib Software
Copyright 1999, Forrest J. Cavalier III. All Rights Reserved.
We welcome submissions and comments