Manual Pages  — ACL

Currently, each ACL is represented in-kernel by a fixed-size acl structure, defined as follows:

struct acl {
        unsigned int            acl_maxcnt;
        unsigned int            acl_cnt;
        int                     acl_spare[4];
        struct acl_entry        acl_entry[ACL_MAX_ENTRIES];
};

An ACL is constructed from a fixed size array of ACL entries, each of which consists of a set of permissions, principal namespace, and principal identifier. In this implementation, the acl_maxcnt field is always set to ACL_MAX_ENTRIES.

Each individual ACL entry is of the type acl_entry_t, which is a structure with the following members:

acl_tag_t ae_tag
	The following is a list of definitions of ACL types to be set in ae_tag:

ACL_UNDEFINED_FIELD
	Undefined ACL type.
ACL_USER_OBJ	Discretionary access rights for processes whose effective user ID matches the user ID of the file's owner.
ACL_USER	Discretionary access rights for processes whose effective user ID matches the ACL entry qualifier.
ACL_GROUP_OBJ	Discretionary access rights for processes whose effective group ID or any supplemental groups match the group ID of the file's owner.
ACL_GROUP	Discretionary access rights for processes whose effective group ID or any supplemental groups match the ACL entry qualifier.
ACL_MASK	The maximum discretionary access rights that can be granted to a process in the file group class. This is only valid for POSIX.1e ACLs.
ACL_OTHER	Discretionary access rights for processes not covered by any other ACL entry. This is only valid for POSIX.1e ACLs.
ACL_OTHER_OBJ	Same as ACL_OTHER.
ACL_EVERYONE	Discretionary access rights for all users. This is only valid for NFSv4 ACLs.

Each POSIX.1e ACL must contain exactly one ACL_USER_OBJ, one ACL_GROUP_OBJ, and one ACL_OTHER. If any of ACL_USER, ACL_GROUP, or ACL_OTHER are present, then exactly one ACL_MASK entry should be present.

uid_t ae_id
	The ID of user for whom this ACL describes access permissions. For entries other than ACL_USER and ACL_GROUP, this field should be set to ACL_UNDEFINED_ID.
acl_perm_t ae_perm
	This field defines what kind of access the process matching this ACL has for accessing the associated file. For POSIX.1e ACLs, the following are valid:

ACL_EXECUTE	The process may execute the associated file.
ACL_WRITE	The process may write to the associated file.
ACL_READ	The process may read from the associated file.
ACL_PERM_NONE	The process has no read, write or execute permissions to the associated file.

For NFSv4 ACLs, the following are valid:

ACL_READ_DATA	The process may read from the associated file.
ACL_LIST_DIRECTORY	Same as ACL_READ_DATA.
ACL_WRITE_DATA	The process may write to the associated file.
ACL_ADD_FILE	Same as ACL_ACL_WRITE_DATA.
ACL_APPEND_DATA ACL_ADD_SUBDIRECTORY
	Same as ACL_APPEND_DATA.
ACL_READ_NAMED_ATTRS	Ignored.
ACL_WRITE_NAMED_ATTRS
	Ignored.
ACL_EXECUTE	The process may execute the associated file.
ACL_DELETE_CHILD ACL_READ_ATTRIBUTES ACL_WRITE_ATTRIBUTES ACL_DELETE ACL_READ_ACL ACL_WRITE_ACL ACL_WRITE_OWNER ACL_SYNCHRONIZE
	Ignored.

acl_entry_type_t ae_entry_type
	This field defines the type of NFSv4 ACL entry. It is not used with POSIX.1e ACLs. The following values are valid:
ACL_ENTRY_TYPE_ALLOW ACL_ENTRY_TYPE_DENY

acl_flag_t ae_flags
	This field defines the inheritance flags of NFSv4 ACL entry. It is not used with POSIX.1e ACLs. The following values are valid:

ACL_ENTRY_FILE_INHERIT ACL_ENTRY_DIRECTORY_INHERIT ACL_ENTRY_NO_PROPAGATE_INHERIT ACL_ENTRY_INHERIT_ONLY ACL_ENTRY_INHERITED

The ACL_ENTRY_INHERITED flag is set on an ACE that has been inherited from its parent. It may also be set programmatically, and is valid on both files and directories.