Man page of ipc_acl

ipc_acl

Section: System Calls (2)
 

NAME

msg_statacl, msg_chacl, sem_statacl, sem_chacl, shm_statacl, shm_chacl - Manipulate ACLs on interprocess communications objects (ACL)  

LIBRARY

Security Library (libsecurity.a)  

SYNOPSIS

#include <sys/security.h>
#include <acl.h>

msg_statacl(
       int msqid,
       int size,
       acle_t *acl);

msg_chacl(
       int msqid,
       int size,
       acle_t *acl);

sem_statacl(
       int semid,
       int size,
       acle_t *acl);

sem_chacl(
       int semid,
       int size,
       acle_t *acl);

shm_statacl(
       int shmid,
       int size,
       acle_t *acl);

shm_chacl(
       int shmid,
       int size,
       acle_t *acl);
 

PARAMETERS

msqid
       Specifies the message queue identifier (returned from msgget()).

semid
       Specifies the semaphore identifier (returned from semget()).

shmid
       Specifies the shared memory identifier (returned from shmget()).

size
       Specifies the number of entries in the acl array.

acl
       Points to a buffer containing an array of size structures of type acle_t.

DESCRIPTION

These functions retrieve and assign ACLs for interprocess communications (IPC) objects. The msqid, semid, and shmid parameters are obtained from the msgget(), semget(), or shmget() functions, respectively.

To assign a new ACL, the acl parameter must point to a buffer containing size structures of type acle_t. An empty ACL, which deletes the ACL associated with the object, is assigned by passing a size parameter of 0. In this case, the acl parameter is ignored.

To remove an existing ACL from an object (causing access to the object to be controlled only by permission bits), the acl parameter must be set to ACL_DELETE and the size parameter to -1.

A process must have owner rights with respect to an IPC object in order to change or remove its ACL; that is, its effective user ID must match the object's owner or creator ID, or the process must have the owner effective privilege. A process with an effective user ID of 0 (zero) implicitly has this privilege.

For calls that retrieve an object's ACL, the acl parameter points to an array of acle_t structures into which the ACL entries can be copied. The size parameter indicates the number of entries in the acl array. This number may be 0, in which case no entries are fetched and the acl parameter is ignored. This provides a means to determine the actual size of an ACL so that sufficient space to hold it can be dynamically allocated. If the ACL has more than size entries, only the first size entries are fetched.

For calls that set an object's ACL, acl references the new ACL, and size indicates the number of entries it contains. To remove an object's ACL (access to the object is completely determined by permission bits), specify ACL_DELETE for acl and a size of -1. An acl of NULL and a size of 0 specifies a NULL ACL, which restricts access to the object to processes with the privilege to override discretionary access control.

NOTES

Programs using these routines must be compiled with -lsecurity.  

ERRORS

If the following conditions occur, the acl_read() function sets errno to the corresponding value:

The msqid, semid, or shmid parameter is not a valid IPC object identifier for that type of object, or there is a WILDCARD ACL associated with the object (sec_errno is set to ESEC_WILDCARD_TAG), or the access control list policy could not be configured (ESEC_ACL_CONFIG_FAILURE).

The function is one of the chacl varieties, the effective user ID of the calling process is neither the creator nor the owner of the object, and the process does not have ownership rights to the object (ESEC_NOT_OWNER).

The acl parameter points to an illegal address.

DIAGNOSTICS

For the msg_statacl(), sem_statacl(), and shm_statacl() functions, the call returns the number of ACL entries associated with the IPC object. This number may exceed the number of entries actually copied into the caller's buffer. For the msg_chacl(), sem_chacl(), and shm_chacl() functions, a 0 (zero) indicates a successful ACL change. Failure is indicated by a return value of -1 with the global variable errno set to indicate the error.  
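The size probe from DESCRIPTION combined with the return value described above, as an added example that is not part of the original manual page: a fetch loop that never hands back a truncated ACL, even if the ACL grows between the probe and the fetch. The acle_t stand-in, the int return type, the helper name fetch_ipc_acl and the fake_statacl test double are assumptions made so the code compiles off the target system; there, include the real headers and pass msg_statacl, sem_statacl or shm_statacl.

```c
#include <stdlib.h>

/* Stand-in for acle_t from <acl.h>; its real layout is not on this page.
 * On the target system include <sys/security.h> and <acl.h> instead. */
typedef struct { int opaque; } acle_t;

/* Shape of msg_statacl(), sem_statacl() and shm_statacl(); the int return
 * type is an assumption based on the DIAGNOSTICS section. */
typedef int (*statacl_fn)(int id, int size, acle_t *acl);

/* Fetch the whole ACL. Returns the entry count (0 means *out is NULL) or -1
 * on error; the caller frees *out. */
int fetch_ipc_acl(statacl_fn statacl, int id, acle_t **out)
{
    acle_t *buf = NULL;
    int have = 0;

    *out = NULL;
    for (int attempt = 0; attempt < 8; attempt++) {
        /* First pass has have == 0: a pure size probe, acl is ignored. */
        int need = statacl(id, have, buf);
        if (need < 0) { free(buf); return -1; }   /* errno set by the call */
        if (need <= have) {                       /* everything was copied */
            if (need == 0) { free(buf); buf = NULL; }
            *out = buf;
            return need;
        }
        /* More entries exist than were copied: the buffer is truncated. */
        acle_t *bigger = realloc(buf, (size_t)need * sizeof *buf);
        if (bigger == NULL) { free(buf); return -1; }
        buf = bigger;
        have = need;
    }
    free(buf);   /* ACL kept growing; fail rather than return a partial list */
    return -1;
}

/* Constructed test double: the ACL grows from 2 to 3 entries after the
 * first call, as if another process changed it between probe and fetch. */
static int fake_calls;
static int fake_statacl(int id, int size, acle_t *acl)
{
    int total = (fake_calls++ == 0) ? 2 : 3;
    (void)id;
    for (int i = 0; i < size && i < total; i++) acl[i].opaque = 100 + i;
    return total;
}
```

A tool that audits or copies IPC permissions from a single fixed-size call would silently drop the entries past its buffer; comparing the returned count with the buffer size is the only signal the interface gives.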

RELATED INFORMATION

setacl(1), getacl(1), acl(4), acl_set_fd(3), acl_set_file(3), acl_get_fd(3), acl_get_file(3)

Security


 


This document was created by man2html, using the manual pages.
Time: 02:40:16 GMT, October 02, 2010