You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
467 lines
15 KiB
467 lines
15 KiB
.\" Copyright (c) 2010 Joerg Sonnenberger
|
|
.\" Copyright (c) 2016 Martin Matuska
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.Dd February 15, 2017
|
|
.Dt ARCHIVE_ENTRY_ACL 3
|
|
.Os
|
|
.Sh NAME
|
|
.Nm archive_entry_acl_add_entry ,
|
|
.Nm archive_entry_acl_add_entry_w ,
|
|
.Nm archive_entry_acl_clear ,
|
|
.Nm archive_entry_acl_count ,
|
|
.Nm archive_entry_acl_from_text ,
|
|
.Nm archive_entry_acl_from_text_w,
|
|
.Nm archive_entry_acl_next ,
|
|
.Nm archive_entry_acl_next_w ,
|
|
.Nm archive_entry_acl_reset ,
|
|
.Nm archive_entry_acl_to_text ,
|
|
.Nm archive_entry_acl_to_text_w ,
|
|
.Nm archive_entry_acl_types
|
|
.Nd functions for manipulating Access Control Lists in archive entry descriptions
|
|
.Sh LIBRARY
|
|
Streaming Archive Library (libarchive, -larchive)
|
|
.Sh SYNOPSIS
|
|
.In archive_entry.h
|
|
.Ft void
|
|
.Fo archive_entry_acl_add_entry
|
|
.Fa "struct archive_entry *a"
|
|
.Fa "int type"
|
|
.Fa "int permset"
|
|
.Fa "int tag"
|
|
.Fa "int qualifier"
|
|
.Fa "const char *name"
|
|
.Fc
|
|
.Ft void
|
|
.Fo archive_entry_acl_add_entry_w
|
|
.Fa "struct archive_entry *a"
|
|
.Fa "int type"
|
|
.Fa "int permset"
|
|
.Fa "int tag"
|
|
.Fa "int qualifier"
|
|
.Fa "const wchar_t *name"
|
|
.Fc
|
|
.Ft void
|
|
.Fn archive_entry_acl_clear "struct archive_entry *a"
|
|
.Ft int
|
|
.Fn archive_entry_acl_count "struct archive_entry *a" "int type"
|
|
.Ft int
|
|
.Fo archive_entry_acl_from_text
|
|
.Fa "struct archive_entry *a"
|
|
.Fa "const char *text"
|
|
.Fa "int type"
|
|
.Fc
|
|
.Ft int
|
|
.Fo archive_entry_acl_from_text_w
|
|
.Fa "struct archive_entry *a"
|
|
.Fa "const wchar_t *text"
|
|
.Fa "int type"
|
|
.Fc
|
|
.Ft int
|
|
.Fo archive_entry_acl_next
|
|
.Fa "struct archive_entry *a"
|
|
.Fa "int type"
|
|
.Fa "int *ret_type"
|
|
.Fa "int *ret_permset"
|
|
.Fa "int *ret_tag"
|
|
.Fa "int *ret_qual"
|
|
.Fa "const char **ret_name"
|
|
.Fc
|
|
.Ft int
|
|
.Fo archive_entry_acl_next_w
|
|
.Fa "struct archive_entry *a"
|
|
.Fa "int type"
|
|
.Fa "int *ret_type"
|
|
.Fa "int *ret_permset"
|
|
.Fa "int *ret_tag"
|
|
.Fa "int *ret_qual"
|
|
.Fa "const wchar_t **ret_name"
|
|
.Fc
|
|
.Ft int
|
|
.Fn archive_entry_acl_reset "struct archive_entry *a" "int type"
|
|
.Ft char *
|
|
.Fo archive_entry_acl_to_text
|
|
.Fa "struct archive_entry *a"
|
|
.Fa "ssize_t *len_p"
|
|
.Fa "int flags"
|
|
.Fc
|
|
.Ft wchar_t *
|
|
.Fo archive_entry_acl_to_text_w
|
|
.Fa "struct archive_entry *a"
|
|
.Fa "ssize_t *len_p"
|
|
.Fa "int flags"
|
|
.Fc
|
|
.Ft int
|
|
.Fn archive_entry_acl_types "struct archive_entry *a"
|
|
.\" enum?
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Dq Access Control Lists (ACLs)
|
|
extend the standard Unix perssion model.
|
|
The ACL interface of
|
|
.Nm libarchive
|
|
supports both POSIX.1e and NFSv4 style ACLs. Use of ACLs is restricted by
|
|
various levels of ACL support in operating systems, file systems and archive
|
|
formats.
|
|
.Ss POSIX.1e Access Control Lists
|
|
A POSIX.1e ACL consists of a number of independent entries.
|
|
Each entry specifies the permission set as bitmask of basic permissions.
|
|
Valid permissions in the
|
|
.Fa permset
|
|
are:
|
|
.Bl -tag -offset indent -compact -width "ARCHIVE_ENTRY_ACL_EXECUTE"
|
|
.It Dv ARCHIVE_ENTRY_ACL_READ ( Sy r )
|
|
.It Dv ARCHIVE_ENTRY_ACL_WRITE ( Sy w )
|
|
.It Dv ARCHIVE_ENTRY_ACL_EXECUTE ( Sy x )
|
|
.El
|
|
The permissions correspond to the normal Unix permissions.
|
|
.Pp
|
|
The
|
|
.Fa tag
|
|
specifies the principal to which the permission applies.
|
|
Valid values are:
|
|
.Bl -hang -offset indent -compact -width "ARCHIVE_ENTRY_ACL_GROUP_OBJ"
|
|
.It Dv ARCHIVE_ENTRY_ACL_USER
|
|
The user specified by the name field.
|
|
.It Dv ARCHIVE_ENTRY_ACL_USER_OBJ
|
|
The owner of the file.
|
|
.It Dv ARCHIVE_ENTRY_ACL_GROUP
|
|
The group specied by the name field.
|
|
.It Dv ARCHIVE_ENTRY_ACL_GROUP_OBJ
|
|
The group who owns the file.
|
|
.It Dv ARCHIVE_ENTRY_ACL_MASK
|
|
The maximum permissions to be obtained via group permissions.
|
|
.It Dv ARCHIVE_ENTRY_ACL_OTHER
|
|
Any principal who is not file owner or a member of the owning group.
|
|
.El
|
|
.Pp
|
|
The principals
|
|
.Dv ARCHIVE_ENTRY_ACL_USER_OBJ ,
|
|
.Dv ARCHIVE_ENTRY_ACL_GROUP_OBJ
|
|
and
|
|
.Dv ARCHIVE_ENTRY_ACL_OTHER
|
|
are equivalent to user, group and other in the classic Unix permission
|
|
model and specify non-extended ACL entries.
|
|
.Pp
|
|
All files with have an access ACL
|
|
.Pq Dv ARCHIVE_ENTRY_ACL_TYPE_ACCESS .
|
|
This specifies the permissions required for access to the file itself.
|
|
Directories have an additional ACL
|
|
.Pq Dv ARCHIVE_ENTRY_ACL_TYPE_DEFAULT ,
|
|
which controls the initial access ACL for newly created directory entries.
|
|
.Ss NFSv4 Access Control Lists
|
|
A NFSv4 ACL consists of multiple individual entries called Access Control
|
|
Entries (ACEs).
|
|
.Pp
|
|
There are four possible types of a NFSv4 ACE:
|
|
.Bl -hang -offset indent -compact -width "ARCHIVE_ENTRY_ACL_TYE_ALLOW"
|
|
.It Dv ARCHIVE_ENTRY_ACL_TYPE_ALLOW
|
|
Allow principal to perform actions requiring given permissions.
|
|
.It Dv ARCHIVE_ENTRY_ACL_TYPE_DENY
|
|
Prevent principal from performing actions requiring given permissions.
|
|
.It Dv ARCHIVE_ENTRY_ACL_TYPE_AUDIT
|
|
Log access attempts by principal which require given permissions.
|
|
.It Dv ARCHIVE_ENTRY_ACL_TYPE_ALARM
|
|
Trigger a system alarm on access attempts by principal which require given
|
|
permissions.
|
|
.El
|
|
.Pp
|
|
The
|
|
.Fa tag
|
|
specifies the principal to which the permission applies.
|
|
Valid values are:
|
|
.Bl -hang -offset indent -compact -width "ARCHIVE_ENTRY_ACL_GROUP_OBJ"
|
|
.It Dv ARCHIVE_ENTRY_ACL_USER
|
|
The user specified by the name field.
|
|
.It Dv ARCHIVE_ENTRY_ACL_USER_OBJ
|
|
The owner of the file.
|
|
.It Dv ARCHIVE_ENTRY_ACL_GROUP
|
|
The group specied by the name field.
|
|
.It Dv ARCHIVE_ENTRY_ACL_GROUP_OBJ
|
|
The group who owns the file.
|
|
.It Dv ARCHIVE_ENTRY_ACL_EVERYONE
|
|
Any principal who is not file owner or a member of the owning group.
|
|
.El
|
|
.Pp
|
|
Entries with the
|
|
.Dv ARCHIVE_ENTRY_ACL_USER
|
|
or
|
|
.Dv ARCHIVE_ENTRY_ACL_GROUP
|
|
tag store the user and group name in the
|
|
.Fa name
|
|
string and optionally the user or group ID in the
|
|
.Fa qualifier
|
|
integer.
|
|
.Pp
|
|
NFSv4 ACE permissions and flags are stored in the same
|
|
.Fa permset
|
|
bitfield. Some permissions share the same constant and permission character but
|
|
have different effect on directories than on files. The following ACE
|
|
permissions are supported:
|
|
.Bl -tag -offset indent -compact -width ARCHIV
|
|
.It Dv ARCHIVE_ENTRY_ACL_READ_DATA ( Sy r )
|
|
Read data (file).
|
|
.It Dv ARCHIVE_ENTRY_ACL_LIST_DIRECTORY ( Sy r )
|
|
List entries (directory).
|
|
.It ARCHIVE_ENTRY_ACL_WRITE_DATA ( Sy w )
|
|
Write data (file).
|
|
.It ARCHIVE_ENTRY_ACL_ADD_FILE ( Sy w )
|
|
Create files (directory).
|
|
.It Dv ARCHIVE_ENTRY_ACL_EXECUTE ( Sy x )
|
|
Execute file or change into a directory.
|
|
.It Dv ARCHIVE_ENTRY_ACL_APPEND_DATA ( Sy p )
|
|
Append data (file).
|
|
.It Dv ARCHIVE_ENTRY_ACL_ADD_SUBDIRECTORY ( Sy p )
|
|
Create subdirectories (directory).
|
|
.It Dv ARCHIVE_ENTRY_ACL_DELETE_CHILD ( Sy D )
|
|
Remove files and subdirectories inside a directory.
|
|
.It Dv ARCHIVE_ENTRY_ACL_DELETE ( Sy d )
|
|
Remove file or directory.
|
|
.It Dv ARCHIVE_ENTRY_ACL_READ_ATTRIBUTES ( Sy a )
|
|
Read file or directory attributes.
|
|
.It Dv ARCHIVE_ENTRY_ACL_WRITE_ATTRIBUTES ( Sy A )
|
|
Write file or directory attributes.
|
|
.It Dv ARCHIVE_ENTRY_ACL_READ_NAMED_ATTRS ( Sy R )
|
|
Read named file or directory attributes.
|
|
.It Dv ARCHIVE_ENTRY_ACL_WRITE_NAMED_ATTRS ( Sy W )
|
|
Write named file or directory attributes.
|
|
.It Dv ARCHIVE_ENTRY_ACL_READ_ACL ( Sy c )
|
|
Read file or directory ACL.
|
|
.It Dv ARCHIVE_ENTRY_ACL_WRITE_ACL ( Sy C )
|
|
Write file or directory ACL.
|
|
.It Dv ARCHIVE_ENTRY_ACL_WRITE_OWNER ( Sy o )
|
|
Change owner of a file or directory.
|
|
.It Dv ARCHIVE_ENTRY_ACL_SYNCHRONIZE ( Sy s )
|
|
Use synchronous I/O.
|
|
.El
|
|
.Pp
|
|
The following NFSv4 ACL inheritance flags are supported:
|
|
.Bl -tag -offset indent -compact -width ARCHIV
|
|
.It Dv ARCHIVE_ENTRY_ACL_ENTRY_FILE_INHERIT ( Sy f )
|
|
Inherit parent directory ACE to files.
|
|
.It Dv ARCHIVE_ENTRY_ACL_ENTRY_DIRECTORY_INHERIT ( Sy d )
|
|
Inherit parent directory ACE to subdirectories.
|
|
.It Dv ARCHIVE_ENTRY_ACL_ENTRY_INHERIT_ONLY ( Sy i )
|
|
Only inherit, do not apply the permission on the directory itself.
|
|
.It Dv ARCHIVE_ENTRY_ACL_ENTRY_NO_PROPAGATE_INHERIT ( Sy n )
|
|
Do not propagate inherit flags. Only first-level entries inherit ACLs.
|
|
.It Dv ARCHIVE_ENTRY_ACL_ENTRY_SUCCESSFUL_ACCESS ( Sy S )
|
|
Trigger alarm or audit on succesful access.
|
|
.It Dv ARCHIVE_ENTRY_ACL_ENTRY_FAILED_ACCESS ( Sy F )
|
|
Trigger alarm or audit on failed access.
|
|
.It Dv ARCHIVE_ENTRY_ACL_ENTRY_INHERITED ( Sy I )
|
|
Mark that ACE was inherited.
|
|
.El
|
|
.Ss Functions
|
|
.Fn archive_entry_acl_add_entry
|
|
and
|
|
.Fn archive_entry_acl_add_entry_w
|
|
add a single ACL entry.
|
|
For the access ACL and non-extended principals, the classic Unix permissions
|
|
are updated. An archive enry cannot contain both POSIX.1e and NFSv4 ACL
|
|
entries.
|
|
.Pp
|
|
.Fn archive_entry_acl_clear
|
|
removes all ACL entries and resets the enumeration pointer.
|
|
.Pp
|
|
.Fn archive_entry_acl_count
|
|
counts the ACL entries that have the given type mask.
|
|
.Fa type
|
|
can be the bitwise-or of
|
|
.Bl -tag -offset indent -compact -width "ARCHIVE_ENTRY_ACL_TYPE_DEFAULT"
|
|
.It Dv ARCHIVE_ENTRY_ACL_TYPE_ACCESS
|
|
.It Dv ARCHIVE_ENTRY_ACL_TYPE_DEFAULT
|
|
.El
|
|
for POSIX.1e ACLs and
|
|
.Bl -tag -offset indent -compact -width "ARCHIVE_ENTRY_ACL_TYPE_ALLOW"
|
|
.It Dv ARCHIVE_ENTRY_ACL_TYPE_ALLOW
|
|
.It Dv ARCHIVE_ENTRY_ACL_TYPE_DENY
|
|
.It Dv ARCHIVE_ENTRY_ACL_TYPE_AUDIT
|
|
.It Dv ARCHIVE_ENTRY_ACL_TYPE_ALARM
|
|
.El
|
|
for NFSv4 ACLs. For POSIX.1e ACLs if
|
|
.Dv ARCHIVE_ENTRY_ACL_TYPE_ACCESS
|
|
is included and at least one extended ACL entry is found,
|
|
the three non-extened ACLs are added.
|
|
.Pp
|
|
.Fn archive_entry_acl_from_text
|
|
and
|
|
.Fn archive_entry_acl_from_text_w
|
|
add new
|
|
.Pq or merge with existing
|
|
ACL entries from
|
|
.Pq wide
|
|
text. The argument
|
|
.Fa type
|
|
may take one of the following values:
|
|
.Bl -tag -offset indent -compact -width "ARCHIVE_ENTRY_ACL_TYPE_DEFAULT"
|
|
.It Dv ARCHIVE_ENTRY_ACL_TYPE_ACCESS
|
|
.It Dv ARCHIVE_ENTRY_ACL_TYPE_DEFAULT
|
|
.It Dv ARCHIVE_ENTRY_ACL_TYPE_NFS4
|
|
.El
|
|
Supports all formats that can be created with
|
|
.Fn archive_entry_acl_to_text
|
|
or respective
|
|
.Fn archive_entry_acl_to_text_w .
|
|
Existing ACL entries are preserved. To get a clean new ACL from text
|
|
.Fn archive_entry_acl_clear
|
|
must be called first. Entries prefixed with
|
|
.Dq default:
|
|
are treated as
|
|
.Dv ARCHIVE_ENTRY_ACL_TYPE_DEFAULT
|
|
unless
|
|
.Fa type
|
|
is
|
|
.Dv ARCHIVE_ENTRY_ACL_TYPE_NFS4 .
|
|
Invalid entries, non-parseable ACL entries and entries beginning with
|
|
the
|
|
.Sq #
|
|
character
|
|
.Pq comments
|
|
are skipped.
|
|
.Pp
|
|
.Fn archive_entry_acl_next
|
|
and
|
|
.Fn archive_entry_acl_next_w
|
|
return the next entry of the ACL list.
|
|
This functions may only be called after
|
|
.Fn archive_entry_acl_reset
|
|
has indicated the presence of extended ACL entries.
|
|
.Pp
|
|
.Fn archive_entry_acl_reset
|
|
prepare reading the list of ACL entries with
|
|
.Fn archive_entry_acl_next
|
|
or
|
|
.Fn archive_entry_acl_next_w .
|
|
The function returns either 0, if no non-extended ACLs are found.
|
|
In this case, the access permissions should be obtained by
|
|
.Xr archive_entry_mode 3
|
|
or set using
|
|
.Xr chmod 2 .
|
|
Otherwise, the function returns the same value as
|
|
.Fn archive_entry_acl_count .
|
|
.Pp
|
|
.Fn archive_entry_acl_to_text
|
|
and
|
|
.Fn archive_entry_acl_to_text_w
|
|
convert the ACL entries for the given type into a
|
|
.Pq wide
|
|
string of ACL entries separated by newline. If the the pointer
|
|
.Fa len_p
|
|
is not NULL, then the function shall return the length of the string
|
|
.Pq not including the NULL terminator
|
|
in the location pointed to by
|
|
.Fa len_p .
|
|
The
|
|
.Fa flag
|
|
argument is a bitwise-or.
|
|
.Pp
|
|
The following flags are effective only on POSIX.1e ACL:
|
|
.Bl -tag -offset indent -compact -width ARCHIV
|
|
.It Dv ARCHIVE_ENTRY_ACL_TYPE_ACCESS
|
|
Output access ACLs.
|
|
.It Dv ARCHIVE_ENTRY_ACL_TYPE_DEFAULT
|
|
Output POSIX.1e default ACLs.
|
|
.It Dv ARCHIVE_ENTRY_ACL_STYLE_MARK_DEFAULT
|
|
Prefix each default ACL entry with the word
|
|
.Dq default: .
|
|
.It Dv ARCHIVE_ENTRY_ACL_STYLE_SOLARIS
|
|
The mask and other ACLs don not contain a double colon.
|
|
.El
|
|
.Pp
|
|
The following flags are effecive only on NFSv4 ACL:
|
|
.Bl -tag -offset indent -compact -width ARCHIV
|
|
.It Dv ARCHIVE_ENTRY_ACL_STYLE_COMPACT
|
|
Do not output minus characters for unset permissions and flags in NFSv4 ACL
|
|
permission and flag fields.
|
|
.El
|
|
.Pp
|
|
The following flags are effective on both POSIX.1e and NFSv4 ACL:
|
|
.Bl -tag -offset indent -compact -width ARCHIV
|
|
.It Dv ARCHIVE_ENTRY_ACL_STYLE_EXTRA_ID
|
|
Add an additional colon-separated field containing the user or group id.
|
|
.It Dv ARCHIVE_ENTRY_ACL_STYLE_SEPARATOR_COMMA
|
|
Separate ACL entries with comma instead of newline.
|
|
.El
|
|
.Pp
|
|
If the archive entry contains NFSv4 ACLs, all types of NFSv4 ACLs are returned.
|
|
It the entry contains POSIX.1e ACLs and none of the flags
|
|
.Dv ARCHIVE_ENTRY_ACL_TYPE_ACCESS
|
|
or
|
|
.Dv ARCHIVE_ENTRY_ACL_TYPE_DEFAULT
|
|
are specified, both access and default entries are returned and default entries
|
|
are prefixed with
|
|
.Dq default: .
|
|
.Pp
|
|
.Fn archive_entry_acl_types
|
|
get ACL entry types contained in an archive entry's ACL. As POSIX.1e and NFSv4
|
|
ACL entries cannot be mixed, this function is a very efficient way to detect if
|
|
an ACL already contains POSIX.1e or NFSv4 ACL entries.
|
|
.Sh RETURN VALUES
|
|
.Fn archive_entry_acl_count
|
|
and
|
|
.Fn archive_entry_acl_reset
|
|
returns the number of ACL entries that match the given type mask.
|
|
For POSIX.1e ACLS if the type mask includes
|
|
.Dv ARCHIVE_ENTRY_ACL_TYPE_ACCESS
|
|
and at least one extended ACL entry exists, the three classic Unix
|
|
permissions are counted.
|
|
.Pp
|
|
.Fn archive_entry_acl_from_text
|
|
and
|
|
.Fn archive_entry_acl_from_text_w
|
|
return
|
|
.Dv ARCHIVE_OK
|
|
if all entries were successfully parsed and
|
|
.Dv ARCHIVE_WARN
|
|
if one or more entries were invalid or non-parseable.
|
|
.Pp
|
|
.Fn archive_entry_acl_next
|
|
and
|
|
.Fn archive_entry_acl_next_w
|
|
return
|
|
.Dv ARCHIVE_OK
|
|
on success,
|
|
.Dv ARCHIVE_EOF
|
|
if no more ACL entries exist
|
|
and
|
|
.Dv ARCHIVE_WARN
|
|
if
|
|
.Fn archive_entry_acl_reset
|
|
has not been called first.
|
|
.Pp
|
|
.Fn archive_entry_acl_to_text
|
|
returns a string representing the ACL entries matching the given type and
|
|
flags on success or NULL on error.
|
|
.Pp
|
|
.Fn archive_entry_acl_to_text_w
|
|
returns a wide string representing the ACL entries matching the given type
|
|
and flags on success or NULL on error.
|
|
.Pp
|
|
.Fn archive_entry_acl_types
|
|
returns a bitmask of ACL entry types or 0 if archive entry has no ACL entries.
|
|
.Sh SEE ALSO
|
|
.Xr archive_entry 3 ,
|
|
.Xr libarchive 3
|