acl —
virtual file system access control lists
Access control lists, or ACLs, allow fine-grained specification of rights for
  vnodes representing files and directories. However, as there are a plethora of
  file systems with differing ACL semantics, the vnode interface is aware only
  of the syntax of ACLs, relying on the underlying file system to implement the
  details. Depending on the underlying file system, each file or directory may
  have zero or more ACLs associated with it, named using the
  type field of the appropriate vnode ACL calls:
  VOP_ACLCHECK(9),
  VOP_GETACL(9), and
  VOP_SETACL(9).
Currently, each ACL is represented in-kernel by a fixed-size
    acl structure, defined as follows:
struct acl {
        unsigned int            acl_maxcnt;
        unsigned int            acl_cnt;
        int                     acl_spare[4];
        struct acl_entry        acl_entry[ACL_MAX_ENTRIES];
};
 
An ACL is constructed from a fixed size array of ACL entries, each
    of which consists of a set of permissions, principal namespace, and
    principal identifier. In this implementation, the
    acl_maxcnt field is always set to
    ACL_MAX_ENTRIES.
Each individual ACL entry is of the type
    acl_entry_t, which is a structure with the following
    members:
  - acl_tag_t ae_tag
- The following is a list of definitions of ACL types to be set in
      ae_tag:
    
    
    
      - ACL_UNDEFINED_FIELD
- Undefined ACL type.
- ACL_USER_OBJ
- Discretionary access rights for processes whose effective user ID
          matches the user ID of the file's owner.
- ACL_USER
- Discretionary access rights for processes whose effective user ID
          matches the ACL entry qualifier.
- ACL_GROUP_OBJ
- Discretionary access rights for processes whose effective group ID or
          any supplemental groups match the group ID of the file's owner.
- ACL_GROUP
- Discretionary access rights for processes whose effective group ID or
          any supplemental groups match the ACL entry qualifier.
- ACL_MASK
- The maximum discretionary access rights that can be granted to a
          process in the file group class. This is only valid for POSIX.1e
        ACLs.
- ACL_OTHER
- Discretionary access rights for processes not covered by any other ACL
          entry. This is only valid for POSIX.1e ACLs.
- ACL_OTHER_OBJ
- Same as ACL_OTHER.
- ACL_EVERYONE
- Discretionary access rights for all users. This is only valid for
          NFSv4 ACLs.
 
 Each POSIX.1e ACL must contain exactly one
        ACL_USER_OBJ, oneACL_GROUP_OBJ, and oneACL_OTHER. If any ofACL_USER,ACL_GROUP, orACL_OTHERare present, then exactly oneACL_MASKentry should be present.
 
- uid_t ae_id
- The ID of user for whom this ACL describes access permissions. For entries
      other than ACL_USERandACL_GROUP, this field should be set toACL_UNDEFINED_ID.
- acl_perm_t ae_perm
- This field defines what kind of access the process matching this ACL has
      for accessing the associated file. For POSIX.1e ACLs, the following are
      valid:
    
      - ACL_EXECUTE
- The process may execute the associated file.
- ACL_WRITE
- The process may write to the associated file.
- ACL_READ
- The process may read from the associated file.
- ACL_PERM_NONE
- The process has no read, write or execute permissions to the
          associated file.
 For NFSv4 ACLs, the following are valid: 
      - ACL_READ_DATA
- The process may read from the associated file.
- ACL_LIST_DIRECTORY
- Same as ACL_READ_DATA.
- ACL_WRITE_DATA
- The process may write to the associated file.
- ACL_ADD_FILE
- Same as ACL_ACL_WRITE_DATA.
- ACL_APPEND_DATA
-  
- ACL_ADD_SUBDIRECTORY
- Same as ACL_APPEND_DATA.
- ACL_READ_NAMED_ATTRS
- Ignored.
- ACL_WRITE_NAMED_ATTRS
- Ignored.
- ACL_EXECUTE
- The process may execute the associated file.
- ACL_DELETE_CHILD
-  
- ACL_READ_ATTRIBUTES
-  
- ACL_WRITE_ATTRIBUTES
-  
- ACL_DELETE
-  
- ACL_READ_ACL
-  
- ACL_WRITE_ACL
-  
- ACL_WRITE_OWNER
-  
- ACL_SYNCHRONIZE
- Ignored.
 
- acl_entry_type_t
    ae_entry_type
- This field defines the type of NFSv4 ACL entry. It is not used with
      POSIX.1e ACLs. The following values are valid:
    
      - ACL_ENTRY_TYPE_ALLOW
-  
- ACL_ENTRY_TYPE_DENY
-  
 
- acl_flag_t ae_flags
- This field defines the inheritance flags of NFSv4 ACL entry. It is not
      used with POSIX.1e ACLs. The following values are valid:
    
      - ACL_ENTRY_FILE_INHERIT
-  
- ACL_ENTRY_DIRECTORY_INHERIT
-  
- ACL_ENTRY_NO_PROPAGATE_INHERIT
-  
- ACL_ENTRY_INHERIT_ONLY
-  
- ACL_ENTRY_INHERITED
-  
 TheACL_ENTRY_INHERITEDflag is set on an ACE that
      has been inherited from its parent. It may also be set programmatically,
      and is valid on both files and directories.
This manual page was written by Robert Watson.