11.9. Access Control Lists

An access control list (ACL) is an ordered list of access control entries (ACEs). ACLs represent a popular implementation approach[17] to the access control mechanism based on the Access Matrix model. In this model, we have the following entities:
An ACL enumerates through its ACEs which subjects may or may not access a particular object for one or more rights. As we will see in Section 11.10, ACLs are evaluated by the kauth subsystem in the kernel. Evaluation begins at the first ACE in the list, which may theoretically contain any number of ACEs. The request is denied if an ACE denies any of the requested rights; the remaining ACEs, if any, are not considered. Conversely, the request is granted as soon as all requested rights are satisfied by the ACEs evaluated so far; again, the remaining ACEs are not considered.
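The ordered evaluation just described, as an added model written for this section (it is not the kernel's kauth code): the subject, right and ACE representations are simplified assumptions, and the two sample ACLs are constructed to show that the same ACEs in a different order give a different answer.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of ordered ACL evaluation. Rights, subjects and the ACE
 * layout are simplified assumptions, not the kernel's own kauth types. */
enum { RIGHT_READ = 1u, RIGHT_WRITE = 2u, RIGHT_DELETE = 4u };
typedef enum { ACE_ALLOW, ACE_DENY } ace_kind_t;
typedef struct { unsigned subject; ace_kind_t kind; unsigned rights; } ace_t; /* one uid per ACE (assumed) */

/* Walk the ACL in order for `subject` requesting the bitmask `requested`.
 * Returns 0 as soon as an applicable ACE denies any requested right,
 * 1 as soon as the allow ACEs seen so far cover every requested right,
 * and -1 if the list runs out without deciding either way. */
int acl_evaluate(const ace_t *acl, size_t n, unsigned subject, unsigned requested)
{
    unsigned granted = 0;
    for (size_t i = 0; i < n; i++) {
        if (acl[i].subject != subject)
            continue;                  /* ACE applies to someone else: skip it */
        if (acl[i].kind == ACE_DENY) {
            if (acl[i].rights & requested)
                return 0;              /* deny wins; later ACEs are not consulted */
            continue;
        }
        granted |= acl[i].rights & requested;
        if ((granted & requested) == requested)
            return 1;                  /* every requested right allowed; stop here */
    }
    return -1;
}

/* Constructed samples: the same two ACEs for uid 501 in both possible orders,
 * which is exactly the difference an ACE's position in the list makes. */
static const ace_t allow_then_deny[] = {
    { 501, ACE_ALLOW, RIGHT_READ | RIGHT_DELETE },
    { 501, ACE_DENY,  RIGHT_DELETE },
};
static const ace_t deny_then_allow[] = {
    { 501, ACE_DENY,  RIGHT_DELETE },
    { 501, ACE_ALLOW, RIGHT_READ | RIGHT_DELETE },
};

int main(void)
{
    printf("allow-then-deny, delete: %d\n", acl_evaluate(allow_then_deny, 2, 501, RIGHT_DELETE)); /* 1 */
    printf("deny-then-allow, delete: %d\n", acl_evaluate(deny_then_allow, 2, 501, RIGHT_DELETE)); /* 0 */
    printf("deny-then-allow, read:   %d\n", acl_evaluate(deny_then_allow, 2, 501, RIGHT_READ));   /* 1 */
    return 0;
}
```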
The Mac OS X chmod command can be used to insert or delete an ACE at a specific position in an ACL. The Mac OS X ACL implementation requires extended attributes to be supported in the file system. As we will see in Chapter 12, HFS+, which has native support for extended attributes, stores an ACL as the attribute data of a special attribute named com.apple.system.Security. Before ACLs can be used on an HFS+ volume, they must be enabled on the volume, either through the fsaclctl command-line program or, programmatically, by using the HFS_SETACLSTATE file system control operation.

    ...
    int ret;
    char volume_path[...];
    u_int32_t aclstate = 1; // 1 enables, 0 disables
    ...
    // HFS_SETACLSTATE is defined in bsd/hfs/hfs_fsctl.h
    // the state value itself is cast into the data-pointer argument
    ret = fsctl(volume_path, HFS_SETACLSTATE, (void *)aclstate, 0);
    ...

The system library implements the POSIX.1e ACL security API, which is documented in the acl(3) manual page. Figure 11-29 shows a program that, given a file (or folder) pathname, uses the acl(3) API to create an ACL, add an entry to it that denies deletion of that file to the calling user, and associate the ACL with the file.

Figure 11-29. A program to create and set an ACL
Figure 11-29 illustrates the numerous steps involved in manipulating ACLs. However, you can achieve the same effect as the program with a single chmod command line:

    $ chmod +a '<username> deny delete' <pathname>

The acl_set_file() function, which is implemented in the system library, internally uses an extended version of the chmod() system call to set the ACL. Given an ACL, it performs the following operations:
Besides chmod(), several other system calls were extended in Mac OS X 10.4 to add support for ACLs; for example, there are extended versions of open(), umask(), stat(), lstat(), fstat(), fchmod(), mkfifo(), and mkdir(). The following code excerpt shows how the program from Figure 11-29 might be modified to create a file with an ACL.

    ...
    // assuming the ACL has been set up at this point
    // create a file security object
    filesec = filesec_init();
    // set the ACL as the file security object's property
    filesec_set_property(filesec, FILESEC_ACL, &acl);
    // openx_np() is the extended open(): the file is created with the ACL already attached
    if ((fd = openx_np(argv[1], O_CREAT | O_RDWR | O_EXCL, filesec)) < 0)
        perror("openx_np");
    else
        close(fd);
    filesec_free(filesec);
    ...