OSF DCE Application Development Guide--Core Components

The Access Control List APIs
identified by the ACL handle in combination with the manager type that manages it.
ACL editing calls must also specify the ACL type to be read or otherwise manipulated
(the object, default container, or default object ACL types).
An application calls sec_acl_bind( ) to get an ACL handle. The handle itself is opaque
to the calling program, which needs none of the information encoded in it to use the ACL
interface. A program can obtain the list of ACL manager types protecting an object and
pass this data, along with the ACL type identifier, to another client-side routine. The
following two calls perform this function:
• sec_acl_get_manager_types() returns a list of UUIDs of the manager types.
• sec_acl_get_manager_types_semantics() returns UUIDs of the manager types, and
  also the POSIX semantics supported by each manager type. The output of this call is
  used by the sec_acl_calc_mask( ) routine when it calculates a new mask_obj mask.
In the absence of CDS, an application may call sec_acl_bind_to_addr( ); this call binds
to a network address rather than a cell namespace entry.
Once an application is finished using an ACL handle, it should call
sec_acl_release_handle() to dispose of it.

31.1.2 ACL Editors and Browsers

After obtaining a handle to the object in question (and using
sec_acl_get_manager_types( ) or sec_acl_get_manager_types_semantics( ) to
determine the ACL manager types protecting the object), editors and browsers use the
sec_acl_lookup( ) function to return a copy of an object’s ACL.
Once an object’s ACL is retrieved, the editor can call sec_acl_get_printstring() to
receive instructions about how to display the permissions of the ACL in a human-
readable form. This call returns a symbol or word for each permission (a character
string), and also a bitmask, with a bit (or bits) set to encode the permission. In addition,
the print string structure includes a short explanation of each permission.
An ACL cannot be modified in part. To change an ACL, an editor must read the entire
ACL (the sec_acl_t structure), modify it, and replace it entirely by calling
sec_acl_replace( ). If the ACL manager supports the mask_obj mask type, you can use
sec_acl_calc_mask() to calculate a new sec_acl_e_type_mask_obj entry type. This
function is supported for POSIX compatibility only, for those applications that use
mask_obj with its POSIX semantics. Accordingly, sec_acl_calc_mask( ) returns the
union of the permissions of all ACL entries other than user_obj, other_obj,
unauthenticated (and the pre-existing mask_obj). These correspond approximately to
what POSIX calls the ‘‘File Group Class’’ of ACL entries, although that designation is
not appropriate in the DCE context. In particular, sec_acl_calc_mask() works
independently of DCE DFS.
Use the sec_acl_get_manager_types_semantics() routine to obtain the required POSIX
semantics and determine if the manager to which the ACL list will be submitted supports
the sec_acl_e_type_mask_obj entry type.
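The read, modify, replace cycle and the mask calculation described above can be modeled in a few lines of C. This is an added example, not code from the guide or from DCE: the struct layout, the permission bit values, the sample ACL and every model_ name are constructed for illustration and do not reproduce the sec_acl_t definitions.

```c
#include <stddef.h>
#include <stdint.h>

/* Local model: names and bit values are constructed for this example and
 * are not the DCE sec_acl definitions. */
enum etype { USER_OBJ, GROUP_OBJ, OTHER_OBJ, USER, GROUP,
             UNAUTHENTICATED, MASK_OBJ };
enum { P_R = 1, P_W = 2, P_X = 4, P_C = 8 };
#define MAX_ENTRIES 16

struct entry { enum etype type; uint32_t perms; };
struct acl   { size_t n; struct entry e[MAX_ENTRIES]; };

/* Union of every entry except user_obj, other_obj, unauthenticated and
 * the pre-existing mask_obj, as the text describes. */
uint32_t model_calc_mask(const struct acl *a) {
    uint32_t m = 0;
    for (size_t i = 0; i < a->n; i++) {
        enum etype t = a->e[i].type;
        if (t != USER_OBJ && t != OTHER_OBJ &&
            t != UNAUTHENTICATED && t != MASK_OBJ)
            m |= a->e[i].perms;
    }
    return m;
}

/* Editor step: change a private copy, refresh its mask_obj entry, then
 * overwrite the stored ACL in one assignment (no partial update).
 * Returns 0 on success, -1 if the copy has no room for the new entry. */
int model_edit_and_replace(struct acl *stored, struct entry add) {
    struct acl copy = *stored;              /* read the entire ACL */
    if (copy.n == MAX_ENTRIES) return -1;   /* stored ACL left untouched */
    copy.e[copy.n++] = add;                 /* modify the copy */
    uint32_t m = model_calc_mask(&copy);
    for (size_t i = 0; i < copy.n; i++)
        if (copy.e[i].type == MASK_OBJ) copy.e[i].perms = m;
    *stored = copy;                         /* replace it entirely */
    return 0;
}

/* Constructed sample ACL; its old mask_obj (rwx) is broader than the
 * entries it covers, to show that the old value is not carried over. */
struct acl model_sample_acl(void) {
    struct acl a = { 5, { { USER_OBJ, P_R | P_W | P_X | P_C },
                          { GROUP_OBJ, P_R }, { OTHER_OBJ, P_R },
                          { UNAUTHENTICATED, P_X },
                          { MASK_OBJ, P_R | P_W | P_X } } };
    return a;
}
```

In this model the recalculated mask for the sample ACL is r alone, even though the stored mask_obj was rwx and user_obj holds c; after a user entry with rw is added, the replaced ACL carries a mask of rw.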
124245 Tandem Computers Incorporated 313