.\" $Id: acl_check.3,v 1.2 1996/06/12 21:29:08 bg Exp $
.\" Copyright 1989 by the Massachusetts Institute of Technology.
.\" For copying and distribution information,
.\" please see the file <mit-copyright.h>.
.TH ACL_CHECK 3 "Kerberos Version 4.0" "MIT Project Athena"
.SH NAME
acl_canonicalize_principal, acl_check, acl_exact_match, acl_add,
acl_delete, acl_initialize \- Access control list routines
.SH SYNOPSIS
cc <files> \-lacl \-lkrb
acl_canonicalize_principal(principal, buf)
acl_check(acl, principal)
acl_exact_match(acl, principal)
acl_add(acl, principal)
acl_delete(acl, principal)
acl_initialize(acl_file, mode)
.SH DESCRIPTION
An access control list (ACL) is a list of principals, where each
principal is represented by a text string which cannot contain
whitespace. The library allows application programs to refer to named
access control lists to test membership and to atomically add and
delete principals using a natural and intuitive interface. At
present, the names of access control lists are required to be Unix
filenames, and refer to human-readable Unix files; in the future, when
a networked ACL server is implemented, the names may refer to a
different namespace specific to the ACL service.
Principal names have the form
<name>[.<instance>][@<realm>]
asp.root@ATHENA.MIT.EDU
It is possible for principals to be underspecified. If an instance is
missing, it is assumed to be "". If realm is missing, it is assumed
to be the local realm as determined by
.IR krb_get_lrealm (3).
The canonical form contains all of name, instance,
and realm; the acl_add and acl_delete routines will always
leave the file in that form. Note that the canonical form of
asp@ATHENA.MIT.EDU is actually asp.@ATHENA.MIT.EDU.
.I acl_canonicalize_principal
stores the canonical form of
space to store a principal, given the limits on the sizes of name,
instance, and realm specified as ANAME_SZ, INST_SZ, and REALM_SZ,
.IR /usr/include/krb.h .
Returns 0 if principal
does not appear in acl, or if an error occurs. Canonicalizes
principal before checking, and allows the ACL to contain wildcards. The
only supported wildcards are entries of the form
name.*@realm, *.*@realm, and *.*@*. An asterisk matches any value for
its component field. For example, "jtkohl.*@*" would match principal
jtkohl, with any instance and any realm.
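.PP
The canonicalization rule and the wildcard matching described above, worked through in C as an added example that is not the ACL library's own code. It keeps the ACL as a constructed in-memory list of canonical entries instead of a file, substitutes the assumed constant LOCAL_REALM for what krb_get_lrealm(3) would return, uses illustrative size limits in place of ANAME_SZ, INST_SZ and REALM_SZ, and treats as wildcards only the listed forms plus the name.*@* form of the jtkohl example, so an entry such as *.root@REALM is compared literally. The function names acl_check, acl_exact_match and canonicalize_principal are this example's own, with different signatures from the library's.

```c
/* Added example, not the MIT ACL library's code: the canonicalization and
 * wildcard rules of this page over a constructed in-memory ACL. LOCAL_REALM
 * stands in for krb_get_lrealm(3); the size limits are illustrative. */
#include <stdio.h>
#include <string.h>

#define LOCAL_REALM "ATHENA.MIT.EDU"             /* assumed local realm */
#define NAME_SZ  40                              /* illustrative, not ANAME_SZ */
#define INST_SZ  40
#define REALM_SZ 40
#define PRINC_SZ (NAME_SZ + INST_SZ + REALM_SZ)  /* fits "n.i@r" plus NUL */

/* Split "name[.instance][@realm]"; "" for a missing instance, LOCAL_REALM for
 * a missing realm. Returns -1 on whitespace, empty name or oversize part. */
static int split_principal(const char *p, char *name, char *inst, char *realm)
{
    const char *at = strchr(p, '@');
    size_t head = at ? (size_t)(at - p) : strlen(p);   /* "name[.inst]" part */
    const char *dot = memchr(p, '.', head);              /* first '.' before '@' */
    size_t nlen = dot ? (size_t)(dot - p) : head;
    size_t ilen = dot ? head - nlen - 1 : 0;
    const char *r = (at && at[1] != '\0') ? at + 1 : LOCAL_REALM;

    if (strpbrk(p, " \t\r\n") != NULL)           /* principals never contain whitespace */
        return -1;
    if (nlen == 0 || nlen >= NAME_SZ || ilen >= INST_SZ || strlen(r) >= REALM_SZ)
        return -1;
    memcpy(name, p, nlen);
    name[nlen] = '\0';
    memcpy(inst, dot ? dot + 1 : "", ilen);
    inst[ilen] = '\0';
    strcpy(realm, r);
    return 0;
}

/* Like acl_canonicalize_principal: writes "name.instance@realm" into buf.
 * Returns 0 on success, -1 if principal is malformed or buf is too small. */
int canonicalize_principal(const char *principal, char *buf, size_t buflen)
{
    char name[NAME_SZ], inst[INST_SZ], realm[REALM_SZ];
    if (split_principal(principal, name, inst, realm) != 0)
        return -1;
    return snprintf(buf, buflen, "%s.%s@%s", name, inst, realm) < (int)buflen ? 0 : -1;
}

/* Like acl_exact_match: literal comparison, no canonicalization, no wildcards. */
int acl_exact_match(const char *const acl[], size_t n, const char *principal)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (strcmp(acl[i], principal) == 0)
            return 1;
    return 0;
}

/* Like acl_check: canonicalizes principal, then accepts an exact entry or a
 * wildcard entry (name.*@realm, *.*@realm, *.*@*, name.*@*). All of those have
 * instance "*", so an entry such as "*.root@REALM" only ever matches literally.
 * Returns 1 on match, 0 if absent or on error: a malformed principal never passes. */
int acl_check(const char *const acl[], size_t n, const char *principal)
{
    char canon[PRINC_SZ], pn[NAME_SZ], pi[INST_SZ], pr[REALM_SZ];
    char en[NAME_SZ], ei[INST_SZ], er[REALM_SZ];
    size_t i;
    if (split_principal(principal, pn, pi, pr) != 0)
        return 0;
    snprintf(canon, sizeof canon, "%s.%s@%s", pn, pi, pr);
    if (acl_exact_match(acl, n, canon))
        return 1;
    for (i = 0; i < n; i++) {
        if (split_principal(acl[i], en, ei, er) != 0 || strcmp(ei, "*") != 0)
            continue;                                /* malformed, or not a wildcard form */
        if ((strcmp(en, "*") == 0 || strcmp(en, pn) == 0) &&
            (strcmp(er, "*") == 0 || strcmp(er, pr) == 0))
            return 1;
    }
    return 0;
}

/* Constructed ACL, in the canonical form acl_add would leave on disk. */
static const char *const DEMO_ACL[] =
    { "asp.@ATHENA.MIT.EDU", "jtkohl.*@*", "*.*@EXAMPLE.ORG", "*.root@EXAMPLE.ORG" };
#define DEMO_ACL_LEN (sizeof DEMO_ACL / sizeof DEMO_ACL[0])

int demo_check(const char *principal) { return acl_check(DEMO_ACL, DEMO_ACL_LEN, principal); }
int demo_exact(const char *principal) { return acl_exact_match(DEMO_ACL, DEMO_ACL_LEN, principal); }
int demo_canonical_is(const char *principal, const char *expected)
{
    char buf[PRINC_SZ];
    return canonicalize_principal(principal, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    printf("asp: check=%d exact=%d | jtkohl.root@EXAMPLE.ORG: %d | zed@OTHER.ORG: %d\n",
           demo_check("asp"), demo_exact("asp"),
           demo_check("jtkohl.root@EXAMPLE.ORG"), demo_check("zed@OTHER.ORG"));
    return 0;
}
```

The contrast between demo_check("asp") and demo_exact("asp") is the point of the two library routines: the underspecified name only passes once it has been canonicalized to asp.@ATHENA.MIT.EDU, and acl_exact_match never does that for you. Errors (whitespace, an empty name, an oversize component) deny rather than grant, matching the "0 if an error occurs" contract of acl_check.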
but does no canonicalization or wildcard matching.
Returns 0 if successful, nonzero otherwise. It is considered a failure
This routine will canonicalize
but will treat wildcards literally.
Returns 0 if successful,
nonzero otherwise. It is considered a failure if
This routine will canonicalize
but will treat wildcards literally.
removes all members. Returns 0 if successful,
nonzero otherwise. WARNING: the mode argument is likely to change with
the eventual introduction of an ACL service.
In the presence of concurrency, there is a very small chance that
could report success even though it would have
had no effect. This is a necessary side effect of using lock files
for concurrency control rather than flock(2), which is not supported
The current implementation caches ACLs in memory in a hash-table
format for increased efficiency in checking membership; one effect of
the caching scheme is that one file descriptor will be kept open for
each ACL cached, up to a maximum of 8.
.SH SEE ALSO
kerberos(3), krb_get_lrealm(3)
.SH AUTHOR
James Aspnes (MIT Project Athena)