Open System Services System Calls Reference Manual (G06.29+, H06.08+, J06.03+)
System Functions (a - d) acl(2)
cmd       Specifies the action to be taken by the acl() function. The cmd
          parameter can be one of these values:

          ACL_SET   The acl() function stores the entries specified by the
                    nentries and aclbufp parameters in the ACL for the file.
                    The new ACL replaces any existing ACL for the file. This
                    value for cmd can only be executed by a process that has
                    an effective user ID equal to the owner of the file or
                    the super ID, or is a member of the Safeguard
                    SECURITY-OSS-ADMINISTRATOR group. All directories in the
                    pathname must be searchable.

          ACL_GET   The buffer aclbufp is filled with the ACL entries for the
                    file. Discretionary read access to the file is not
                    required, but all directories in the pathname must be
                    searchable.

          ACL_CNT   The number of entries in the ACL for the file is
                    returned. Discretionary read access to the file is not
                    required, but all directories in the pathname must be
                    searchable.
DESCRIPTION
The acl() function manipulates ACLs on file system objects in filesets that support OSS ACLs.
A process on a system that does not support ACLs can use the chmod() function to remotely
modify the permissions in the base ACL entries of a file (see the chmod(2) reference page).
ACLs are supported for OSS files only. For a detailed description of ACLs, see the acl(5)
reference page.
A call to acl() specified with the ACL_SET command succeeds only if all of these conditions
are true:
• The ACL contains exactly one entry each of type USER_OBJ, GROUP_OBJ,
CLASS_OBJ, and OTHER_OBJ.
• If pathp points to a directory, the ACL contains at most one entry each of type
DEF_USER_OBJ, DEF_GROUP_OBJ, DEF_CLASS_OBJ, and
DEF_OTHER_OBJ.
• Entries of type USER, GROUP, DEF_USER, or DEF_GROUP do not contain duplicate
entries. A duplicate entry is one of the same type containing the same numeric ID.
• If the ACL contains no entries of type USER and no entries of type GROUP, the entries
of type GROUP_OBJ and CLASS_OBJ have the same permissions.
• If the ACL contains no entries of type DEF_USER and no entries of type
DEF_GROUP, and an entry of type DEF_GROUP_OBJ is specified, an entry of type
DEF_CLASS_OBJ is also specified and the two entries have the same permissions.
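The five conditions above can be checked on an entry list before it is passed to acl() with ACL_SET. The following is an added example, not code from this manual: the enum, struct entry, check_acl_set() and the sample lists are hypothetical stand-ins, and the page does not say how default entries on a non-directory are treated, so the sketch does not judge that case.

```c
#include <stddef.h>

/* Hypothetical stand-ins for the entry types named on this page; a real
   program takes the types and entry layout from the system's ACL header. */
enum acl_type { USER_OBJ, USER, GROUP_OBJ, GROUP, CLASS_OBJ, OTHER_OBJ,
                DEF_USER_OBJ, DEF_USER, DEF_GROUP_OBJ, DEF_GROUP,
                DEF_CLASS_OBJ, DEF_OTHER_OBJ, NTYPES };
struct entry { enum acl_type type; unsigned id; unsigned perm; };

/* Returns 0 if the list meets the five ACL_SET conditions, the number (1-5)
   of the first condition it violates, or -1 for an unknown entry type. */
int check_acl_set(const struct entry *e, size_t n, int is_dir)
{
    size_t cnt[NTYPES] = {0}, i, j;
    unsigned perm[NTYPES] = {0};

    for (i = 0; i < n; i++) {
        if ((unsigned)e[i].type >= (unsigned)NTYPES) return -1;
        cnt[e[i].type]++;
        perm[e[i].type] = e[i].perm;   /* read below only for *_OBJ types */
    }
    if (cnt[USER_OBJ] != 1 || cnt[GROUP_OBJ] != 1 ||
        cnt[CLASS_OBJ] != 1 || cnt[OTHER_OBJ] != 1) return 1;
    if (is_dir && (cnt[DEF_USER_OBJ] > 1 || cnt[DEF_GROUP_OBJ] > 1 ||
                   cnt[DEF_CLASS_OBJ] > 1 || cnt[DEF_OTHER_OBJ] > 1)) return 2;
    for (i = 0; i < n; i++)            /* same type and same numeric ID twice */
        for (j = i + 1; j < n; j++)
            if (e[i].type == e[j].type && e[i].id == e[j].id &&
                (e[i].type == USER || e[i].type == GROUP ||
                 e[i].type == DEF_USER || e[i].type == DEF_GROUP)) return 3;
    if (cnt[USER] == 0 && cnt[GROUP] == 0 &&
        perm[GROUP_OBJ] != perm[CLASS_OBJ]) return 4;
    if (cnt[DEF_USER] == 0 && cnt[DEF_GROUP] == 0 && cnt[DEF_GROUP_OBJ] > 0 &&
        (cnt[DEF_CLASS_OBJ] == 0 ||
         perm[DEF_GROUP_OBJ] != perm[DEF_CLASS_OBJ])) return 5;
    return 0;
}

/* Constructed sample lists; IDs and permission bits are made up. */
const struct entry ok_acl[] = { {USER_OBJ,0,6}, {USER,1001,4},
    {GROUP_OBJ,0,4}, {CLASS_OBJ,0,4}, {OTHER_OBJ,0,0} };
const struct entry dup_acl[] = { {USER_OBJ,0,6}, {USER,1001,4},
    {USER,1001,6}, {GROUP_OBJ,0,4}, {CLASS_OBJ,0,6}, {OTHER_OBJ,0,0} };
const struct entry mask_acl[] = { {USER_OBJ,0,6}, {GROUP_OBJ,0,6},
    {CLASS_OBJ,0,4}, {OTHER_OBJ,0,0} };
const struct entry def_acl[] = { {USER_OBJ,0,7}, {GROUP_OBJ,0,5},
    {CLASS_OBJ,0,5}, {OTHER_OBJ,0,0}, {DEF_GROUP_OBJ,0,5} };

int main(void) { return check_acl_set(ok_acl, 5, 0); }
```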
Accessing Files in Restricted-Access Filesets
When accessing a file in a restricted-access fileset, the super ID (255,255 in the Guardian
environment, 65535 in the OSS environment) is restricted by the same file permissions and
owner privileges as any other user ID: It has no special privileges unless the executable file
started by the super ID has the PRIVSETID file privilege. In this case, the process started by the
super ID can switch to another ID and then access files in restricted-access filesets as that ID.
Processes that are started by a member of the Safeguard SECURITY-OSS-ADMINISTRATOR
(SOA) group have the appropriate privilege to use this function on any file in a restricted-access
fileset. However, Network File System (NFS) clients are not granted SOA group privileges, even
if these clients are accessing the system with a user ID that is a member of the SOA security
group.
527186-023 Hewlett-Packard Company 1−11