Annotation of 43BSDReno/kerberosIV/man/acl_check.3, revision 1.1

1.1     ! root        1: .\" $Source: /mit/kerberos/src/man/RCS/acl_check.3,v $
        !             2: .\" $Author: jtkohl $
        !             3: .\" $Header: acl_check.3,v 4.1 89/01/23 11:06:54 jtkohl Exp $
        !             4: .\" Copyright 1989 by the Massachusetts Institute of Technology.
        !             5: .\"
        !             6: .\" For copying and distribution information,
        !             7: .\" please see the file <mit-copyright.h>.
        !             8: .\"
        !             9: .TH ACL_CHECK 3 "Kerberos Version 4.0" "MIT Project Athena"
        !            10: .SH NAME
        !            11: acl_canonicalize_principal, acl_check, acl_exact_match, acl_add,
        !            12: acl_delete, acl_initialize \- Access control list routines
        !            13: .SH SYNOPSIS
        !            14: .nf
        !            15: .nj
        !            16: .ft B
        !            17: cc <files> \-lacl \-lkrb
        !            18: .PP
        !            19: .ft B
        !            20: #include <krb.h>
        !            21: .PP
        !            22: .ft B
        !            23: acl_canonicalize_principal(principal, buf)
        !            24: char *principal;
        !            25: char *buf;
        !            26: .PP
        !            27: .ft B
        !            28: acl_check(acl, principal)
        !            29: char *acl;
        !            30: char *principal;
        !            31: .PP
        !            32: .ft B
        !            33: acl_exact_match(acl, principal)
        !            34: char *acl;
        !            35: char *principal;
        !            36: .PP
        !            37: .ft B
        !            38: acl_add(acl, principal)
        !            39: char *acl;
        !            40: char *principal;
        !            41: .PP
        !            42: .ft B
        !            43: acl_delete(acl, principal)
        !            44: char *acl;
        !            45: char *principal;
        !            46: .PP
        !            47: .ft B
        !            48: acl_initialize(acl_file, mode)
        !            49: char *acl_file;
        !            50: int mode;
        !            51: .fi
        !            52: .ft R
        !            53: .SH DESCRIPTION
        !            54: .SS Introduction
        !            55: .PP
        !            56: An access control list (ACL) is a list of principals, where each
        !            57: principal is represented by a text string which cannot contain
        !            58: whitespace.  The library allows application programs to refer to named
        !            59: access control lists to test membership and to atomically add and
        !            60: delete principals using a natural and intuitive interface.  At
        !            61: present, the names of access control lists are required to be Unix
        !            62: filenames, and refer to human-readable Unix files; in the future, when
        !            63: a networked ACL server is implemented, the names may refer to a
        !            64: different namespace specific to the ACL service.
        !            65: .PP
        !            66: .SS Principal Names
        !            67: .PP
        !            68: Principal names have the form
        !            69: .nf
        !            70: .in +5n
        !            71: <name>[.<instance>][@<realm>]
        !            72: .in -5n
        !            73: e.g.:
        !            74: .in +5n
        !            75: asp
        !            76: asp.root
        !            77: [email protected]
        !            78: [email protected]
        !            79: [email protected]
        !            80: .in -5n
        !            81: .fi
        !            82: It is possible for principals to be underspecified.  If an instance is
        !            83: missing, it is assumed to be "".  If realm is missing, it is assumed
        !            84: to be the local realm as determined by
        !            85: .IR krb_get_lrealm (3).
        !            86: The canonical form contains all of name, instance,
        !            87: and realm; the acl_add and acl_delete routines will always
        !            88: leave the file in that form.  Note that the canonical form of
        !            89: [email protected] is actually [email protected].
        !            90: .SS Routines
        !            91: .PP
        !            92: .I acl_canonicalize_principal
        !            93: stores the canonical form of 
        !            94: .I principal
        !            95: in 
        !            96: .IR buf .
        !            97: .I Buf
        !            98: must contain enough
        !            99: space to store a principal, given the limits on the sizes of name,
        !           100: instance, and realm specified as ANAME_SZ, INST_SZ, and REALM_SZ,
        !           101: respectively, in
        !           102: .IR /usr/include/krb.h .
        !           103: .PP
        !           104: .I acl_check
        !           105: returns nonzero if
        !           106: .I principal
        !           107: appears in 
        !           108: .IR acl .
        !           109: Returns 0 if principal
        !           110: does not appear in acl, or if an error occurs.  Canonicalizes
        !           111: principal before checking, and allows the ACL to contain wildcards.  The
        !           112: only supported wildcards are entries of the form
        !           113: name.*@realm, *.*@realm, and *.*@*.  An asterisk matches any value for
        !           114: its component field.  For example, "jtkohl.*@*" would match principal
        !           115: jtkohl, with any instance and any realm.
        !           116: .PP
        !           117: .I acl_exact_match
        !           118: performs like 
        !           119: .IR acl_check ,
        !           120: but does no canonicalization or wildcard matching.
        !           121: .PP
        !           122: .I acl_add
        !           123: atomically adds 
        !           124: .I principal
        !           125: to 
        !           126: .IR acl .
        !           127: Returns 0 if successful, nonzero otherwise.  It is considered a failure
        !           128: if
        !           129: .I principal
        !           130: is already in 
        !           131: .IR acl .
        !           132: This routine will canonicalize
        !           133: .IR principal ,
        !           134: but will treat wildcards literally.
        !           135: .PP
        !           136: .I acl_delete
        !           137: atomically deletes 
        !           138: .I principal
        !           139: from 
        !           140: .IR acl .
        !           141: Returns 0 if successful,
        !           142: nonzero otherwise.  It is considered a failure if 
        !           143: .I principal
        !           144: is not
        !           145: already in 
        !           146: .IR acl .
        !           147: This routine will canonicalize 
        !           148: .IR principal ,
        !           149: but will treat wildcards literally.
        !           150: .PP
        !           151: .I acl_initialize
        !           152: initializes
        !           153: .IR acl_file .
        !           154: If the file 
        !           155: .I acl_file
        !           156: does not exist,
        !           157: .I acl_initialize
        !           158: creates it with mode
        !           159: .IR mode .
        !           160: If the file
        !           161: .I acl_file
        !           162: exists,
        !           163: .I acl_initialize
        !           164: removes all members.  Returns 0 if successful,
        !           165: nonzero otherwise.  WARNING: Mode argument is likely to change with
        !           166: the eventual introduction of an ACL service.  
        !           167: .SH NOTES
        !           168: In the presence of concurrency, there is a very small chance that
        !           169: .I acl_add
        !           170: or
        !           171: .I acl_delete
        !           172: could report success even though it would have
        !           173: had no effect.  This is a necessary side effect of using lock files
        !           174: for concurrency control rather than flock(2), which is not supported
        !           175: by NFS.
        !           176: .PP
        !           177: The current implementation caches ACLs in memory in a hash-table
        !           178: format for increased efficiency in checking membership; one effect of
        !           179: the caching scheme is that one file descriptor will be kept open for
        !           180: each ACL cached, up to a maximum of 8.
        !           181: .SH SEE ALSO
        !           182: kerberos(3), krb_get_lrealm(3)
        !           183: .SH AUTHOR
        !           184: James Aspnes (MIT Project Athena)
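
The canonicalization and wildcard lookup described under "Principal Names" and "Routines", as an added C sketch that is not the library's own code and not part of the original man page. The names canon, exact_match, check and demo_acl, the realm names, the in-memory list standing in for an ACL file, and the 40-byte field limits are assumptions for illustration; only the three listed wildcard forms are probed.

```c
#include <stdio.h>
#include <string.h>

/* Field limits come from krb.h; 40 is assumed for this example. */
#define ANAME_SZ 40
#define INST_SZ  40
#define REALM_SZ 40
#define PRINC_SZ (ANAME_SZ + INST_SZ + REALM_SZ + 3)
/* Constructed ACL, in the canonical form acl_add leaves in the file. */
const char *demo_acl[] = { "asp.@EXAMPLE.REALM",
    "jtkohl.*@EXAMPLE.REALM", "*.*@ADMIN.REALM", NULL };

/* <name>[.<instance>][@<realm>] -> name.instance@realm; -1 on bad input. */
int canon(const char *p, const char *lrealm, char *buf)
{
    const char *at = strchr(p, '@');
    size_t head = at ? (size_t)(at - p) : strlen(p);
    const char *dot = memchr(p, '.', head);   /* dots after '@' are realm */
    size_t nlen = dot ? (size_t)(dot - p) : head;
    size_t ilen = dot ? head - nlen - 1 : 0;  /* missing instance is "" */
    const char *realm = at ? at + 1 : lrealm; /* missing realm is local */
    if (nlen == 0 || nlen >= ANAME_SZ || ilen >= INST_SZ ||
        *realm == '\0' || strlen(realm) >= REALM_SZ)
        return -1;
    snprintf(buf, PRINC_SZ, "%.*s.%.*s@%s", (int)nlen, p,
             (int)ilen, dot ? dot + 1 : "", realm);
    return 0;
}

/* Literal comparison only, as acl_exact_match is described. */
int exact_match(const char **acl, const char *principal)
{
    for (; *acl; acl++)
        if (strcmp(*acl, principal) == 0) return 1;
    return 0;
}

/* Canonicalize, then probe exact, name.*@realm, *.*@realm, *.*@*. */
int check(const char **acl, const char *principal, const char *lrealm)
{
    char c[PRINC_SZ], probe[PRINC_SZ];
    if (canon(principal, lrealm, c) != 0) return 0;  /* error: deny */
    if (exact_match(acl, c)) return 1;
    const char *realm = strchr(c, '@');
    snprintf(probe, sizeof probe, "%.*s.*%s", (int)(strchr(c, '.') - c), c, realm);
    if (exact_match(acl, probe)) return 1;
    snprintf(probe, sizeof probe, "*.*%s", realm);
    return exact_match(acl, probe) || exact_match(acl, "*.*@*");
}
```

With this list, exact_match(demo_acl, "asp") is 0 while check(demo_acl, "asp", "EXAMPLE.REALM") is 1, because the stored entry is the canonical asp.@EXAMPLE.REALM.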
