Annotation of 43BSDReno/kerberosIV/man/acl_check.3, revision 1.1.1.1

.\" $Source: /mit/kerberos/src/man/RCS/acl_check.3,v $
.\" $Author: jtkohl $
.\" $Header: acl_check.3,v 4.1 89/01/23 11:06:54 jtkohl Exp $
.\" Copyright 1989 by the Massachusetts Institute of Technology.
.\"
.\" For copying and distribution information,
.\" please see the file <mit-copyright.h>.
.\"
.TH ACL_CHECK 3 "Kerberos Version 4.0" "MIT Project Athena"
.SH NAME
acl_canonicalize_principal, acl_check, acl_exact_match, acl_add,
acl_delete, acl_initialize \- Access control list routines
.SH SYNOPSIS
.nf
.nj
.ft B
cc <files> \-lacl \-lkrb
.PP
.ft B
#include <krb.h>
.PP
.ft B
acl_canonicalize_principal(principal, buf)
char *principal;
char *buf;
.PP
.ft B
acl_check(acl, principal)
char *acl;
char *principal;
.PP
.ft B
acl_exact_match(acl, principal)
char *acl;
char *principal;
.PP
.ft B
acl_add(acl, principal)
char *acl;
char *principal;
.PP
.ft B
acl_delete(acl, principal)
char *acl;
char *principal;
.PP
.ft B
acl_initialize(acl_file, mode)
char *acl_file;
int mode;
.fi
.ft R
.SH DESCRIPTION
.SS Introduction
.PP
An access control list (ACL) is a list of principals, where each
principal is represented by a text string which cannot contain
whitespace.  The library allows application programs to refer to named
access control lists to test membership and to atomically add and
delete principals using a natural and intuitive interface.  At
present, the names of access control lists are required to be Unix
filenames, and refer to human-readable Unix files; in the future, when
a networked ACL server is implemented, the names may refer to a
different namespace specific to the ACL service.
.PP
.SS Principal Names
.PP
Principal names have the form
.nf
.in +5n
<name>[.<instance>][@<realm>]
.in -5n
e.g.:
.in +5n
asp
asp.root
[email protected]
[email protected]
[email protected]
.in -5n
.fi
It is possible for principals to be underspecified.  If an instance is
missing, it is assumed to be "".  If realm is missing, it is assumed
to be the local realm as determined by
.IR krb_get_lrealm (3).
The canonical form contains all of name, instance,
and realm; the acl_add and acl_delete routines will always
leave the file in that form.  Note that the canonical form of
[email protected] is actually [email protected].
.SS Routines
.PP
.I acl_canonicalize_principal
stores the canonical form of
.I principal
in
.IR buf .
.I Buf
must contain enough
space to store a principal, given the limits on the sizes of name,
instance, and realm specified as ANAME_SZ, INST_SZ, and REALM_SZ,
respectively, in
.IR /usr/include/krb.h .
.PP
.I acl_check
returns nonzero if
.I principal
appears in
.IR acl .
Returns 0 if principal
does not appear in acl, or if an error occurs.  Canonicalizes
principal before checking, and allows the ACL to contain wildcards.  The
only supported wildcards are entries of the form
name.*@realm, *.*@realm, and *.*@*.  An asterisk matches any value for
its component field.  For example, "jtkohl.*@*" would match principal
jtkohl, with any instance and any realm.
.PP
.I acl_exact_match
performs like
.IR acl_check ,
but does no canonicalization or wildcard matching.
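The following is an added example, not code from the Kerberos library or this man page: a stand-alone C re-implementation of the canonicalization rule from the Principal Names section and of the acl_check / acl_exact_match matching rules above, run against an in-memory ACL instead of a file. LOCAL_REALM and PART_SZ are assumptions standing in for what krb_get_lrealm(3) returns and for the ANAME_SZ / INST_SZ / REALM_SZ limits; the function names canonicalize, exact_match and check are hypothetical and the SAMPLE_ACL entries are constructed.

```c
/* Added example (not the Kerberos library's own code): canonicalization
 * and wildcard matching as this man page describes them, over an
 * in-memory ACL. LOCAL_REALM and PART_SZ are assumptions standing in for
 * krb_get_lrealm(3) and the ANAME_SZ/INST_SZ/REALM_SZ limits in krb.h. */
#include <stdio.h>
#include <string.h>

#define LOCAL_REALM "EXAMPLE.REALM"  /* assumption: stands in for krb_get_lrealm() */
#define PART_SZ 40                   /* assumption: stands in for ANAME_SZ etc. */
#define PRINC_SZ (3 * PART_SZ)       /* room for "name.instance@realm" */

struct princ { char name[PART_SZ]; char inst[PART_SZ]; char realm[PART_SZ]; };

/* Split "<name>[.<instance>][@<realm>]" into components, applying the
 * page's defaults: a missing instance is "", a missing realm is the local
 * realm. The dot search is bounded by the '@' so dots inside the realm
 * are not mistaken for the instance separator. Returns 0 on success, -1
 * on an empty name or an oversized component (buffers are never overrun). */
static int split_principal(const char *s, struct princ *p)
{
    const char *at = strchr(s, '@');
    const char *name_end = at ? at : s + strlen(s);
    const char *dot = memchr(s, '.', (size_t)(name_end - s));
    const char *realm = at ? at + 1 : LOCAL_REALM;
    size_t nlen = (size_t)((dot ? dot : name_end) - s);
    size_t ilen = dot ? (size_t)(name_end - dot - 1) : 0;
    size_t rlen = strlen(realm);

    if (nlen == 0 || nlen >= PART_SZ || ilen >= PART_SZ || rlen >= PART_SZ)
        return -1;
    memcpy(p->name, s, nlen);                  p->name[nlen] = '\0';
    memcpy(p->inst, dot ? dot + 1 : "", ilen); p->inst[ilen] = '\0';
    memcpy(p->realm, realm, rlen);             p->realm[rlen] = '\0';
    return 0;
}

/* Write the canonical "name.instance@realm" form into buf, as
 * acl_canonicalize_principal does. Returns 0, or -1 if the principal is
 * malformed or buf (of size bufsz) is too small to hold the result. */
int canonicalize(const char *principal, char *buf, size_t bufsz)
{
    struct princ p;
    int n;
    if (split_principal(principal, &p) != 0)
        return -1;
    n = snprintf(buf, bufsz, "%s.%s@%s", p.name, p.inst, p.realm);
    return (n < 0 || (size_t)n >= bufsz) ? -1 : 0;
}

/* Exact membership test, as acl_exact_match: no canonicalization and no
 * wildcards. The ACL is an array of entry strings, one per line in the
 * file-based library. */
int exact_match(const char *const *acl, size_t n, const char *entry)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(acl[i], entry) == 0)
            return 1;
    return 0;
}

/* Membership test with the page's wildcard rules, as acl_check:
 * canonicalize the principal, then accept if the ACL holds the exact
 * canonical entry or one of name.*@realm, *.*@realm, *.*@*. Returns 0 on
 * no match or on error. Only those three shapes are honoured, so an entry
 * such as "*.root@realm" never matches anything. */
int check(const char *const *acl, size_t n, const char *principal)
{
    struct princ p;
    char pat[PRINC_SZ];
    if (split_principal(principal, &p) != 0)
        return 0;
    snprintf(pat, sizeof pat, "%s.%s@%s", p.name, p.inst, p.realm);
    if (exact_match(acl, n, pat)) return 1;
    snprintf(pat, sizeof pat, "%s.*@%s", p.name, p.realm);
    if (exact_match(acl, n, pat)) return 1;
    snprintf(pat, sizeof pat, "*.*@%s", p.realm);
    if (exact_match(acl, n, pat)) return 1;
    return exact_match(acl, n, "*.*@*");
}

/* Constructed sample ACL, already in the canonical form acl_add leaves. */
static const char *const SAMPLE_ACL[] = {
    "asp.@EXAMPLE.REALM",       /* asp, empty instance, local realm */
    "jtkohl.*@EXAMPLE.REALM",   /* any instance of jtkohl in the local realm */
    "*.*@OTHER.REALM",          /* everyone in OTHER.REALM */
};
#define SAMPLE_ACL_LEN (sizeof SAMPLE_ACL / sizeof SAMPLE_ACL[0])

int main(void)
{
    const char *tests[] = { "asp", "asp.root", "jtkohl.root",
                            "jtkohl@FAR.REALM", "anyone.x@OTHER.REALM" };
    char buf[PRINC_SZ];
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++) {
        canonicalize(tests[i], buf, sizeof buf);
        printf("%-22s -> %-28s %s\n", tests[i], buf,
               check(SAMPLE_ACL, SAMPLE_ACL_LEN, tests[i]) ? "allowed" : "denied");
    }
    return 0;
}
```

Note that "asp.root" is denied even though "asp" is allowed: the instance is part of the canonical entry, so granting a bare name does not grant its instances, which is the behaviour a defender relies on when an ACL lists "user" but not "user.root".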
.PP
.I acl_add
atomically adds
.I principal
to
.IR acl .
Returns 0 if successful, nonzero otherwise.  It is considered a failure
if
.I principal
is already in
.IR acl .
This routine will canonicalize
.IR principal ,
but will treat wildcards literally.
.PP
.I acl_delete
atomically deletes
.I principal
from
.IR acl .
Returns 0 if successful,
nonzero otherwise.  It is considered a failure if
.I principal
is not
already in
.IR acl .
This routine will canonicalize
.IR principal ,
but will treat wildcards literally.
.PP
.I acl_initialize
initializes
.IR acl_file .
If the file
.I acl_file
does not exist,
.I acl_initialize
creates it with mode
.IR mode .
If the file
.I acl_file
exists,
.I acl_initialize
removes all members.  Returns 0 if successful,
nonzero otherwise.  WARNING: Mode argument is likely to change with
the eventual introduction of an ACL service.
.SH NOTES
In the presence of concurrency, there is a very small chance that
.I acl_add
or
.I acl_delete
could report success even though it would have
had no effect.  This is a necessary side effect of using lock files
for concurrency control rather than flock(2), which is not supported
by NFS.
.PP
The current implementation caches ACLs in memory in a hash-table
format for increased efficiency in checking membership; one effect of
the caching scheme is that one file descriptor will be kept open for
each ACL cached, up to a maximum of 8.
.SH SEE ALSO
kerberos(3), krb_get_lrealm(3)
.SH AUTHOR
James Aspnes (MIT Project Athena)
