I was curious if there was any utility or library function available to evaluate a ZFS ACL. The standard POSIX access(2) call is available to evaluate access by the current process, but I would like to evaluate an ACL in one process that would be able to determine whether or not some other user had a particular permission. Obviously, the running process would need to have read privileges on the ACL itself, but I'd rather not reimplement the complexity of actually interpreting the ACL. Something like:

    access("/path/to/file", R_OK, 400)

Where 400 is the UID of the user whose access should be tested. Clearly there is already code to do so within the filesystem layer, given that privileges are enforced. It's probably unlikely, but I was hoping this code could be reutilized from a user level process to make the same determination rather than having to read the entire ACL, verify what groups the user is in, etc.

Thanks for any suggestions...

-- 
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson at csupomona.edu
California State Polytechnic University | Pomona CA 91768
Paul B. Henson writes:

> I was curious if there was any utility or library function available to
> evaluate a ZFS ACL. The standard POSIX access(2) call is available to
> evaluate access by the current process, but I would like to evaluate an ACL
> in one process that would be able to determine whether or not some other
> user had a particular permission. Obviously, the running process would need
> to have read privileges on the ACL itself, but I'd rather not reimplement
> the complexity of actually interpreting the ACL. Something like:
>
> access("/path/to/file", R_OK, 400)
>
> Where 400 is the UID of the user whose access should be tested. Clearly
> there is already code to do so within the filesystem layer, given that
> privileges are enforced. It's probably unlikely, but I was hoping this code
> could be reutilized from a user level process to make the same
> determination rather than having to read the entire ACL, verify what groups
> the user is in, etc.
>
> Thanks for any suggestions...

I don't know if such a tool exists, but I'm in the process of writing one (as part of a larger ACL admin tool) if you are interested.

Ian
On Wed, 23 Jul 2008, Ian Collins wrote:

> I don't know if such a tool exists, but I'm in the process of writing one
> (as part of a larger ACL admin tool) if you are interested.

If there is no standard routine to handle this functionality, I would very much appreciate a copy of your code...

Thanks...

-- 
Paul B. Henson
"Paul B. Henson" <henson at acm.org> wrote:

> I was curious if there was any utility or library function available to
> evaluate a ZFS ACL. The standard POSIX access(2) call is available to
> evaluate access by the current process, but I would like to evaluate an ACL
> in one process that would be able to determine whether or not some other
> user had a particular permission. Obviously, the running process would need
> to have read privileges on the ACL itself, but I'd rather not reimplement
> the complexity of actually interpreting the ACL. Something like:
>
> access("/path/to/file", R_OK, 400)
>
> Where 400 is the UID of the user whose access should be tested. Clearly

This is not the POSIX access() call, which only has 2 parameters.

Depending on the platform where you are, there is either

    access("/path/to/file", R_OK | E_OK)

or

    eaccess("/path/to/file", R_OK)
    euidaccess("/path/to/file", R_OK)

Jörg

-- 
EMail: joerg at schily.isdn.cs.tu-berlin.de (home) Jörg Schilling D-13353 Berlin
       js at cs.tu-berlin.de (uni)
       schilling at fokus.fraunhofer.de (work) Blog: http://schily.blogspot.com/
URL: http://cdrecord.berlios.de/old/private/ ftp://ftp.berlios.de/pub/schily
On Tue, 5 Aug 2008, Joerg Schilling wrote:

> This is not the POSIX access() call, which only has 2 parameters.

Yes, I'm aware of that; it was meant to be an example of something I wished existed :).

-- 
Paul B. Henson
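One way to get the per-user check Paul asks for without reimplementing ACL interpretation, added here as an example that is not from anyone in this thread: fork a child, switch it to the target user's uid, primary gid and supplementary groups, and let access(2) ask the kernel, which then runs its own ZFS ACL evaluation for that identity (the real-uid semantics of access() are what you want here, since after the switch real and effective ids are both the target). It assumes the caller runs as root, which the identity switch to another user requires, and that getpwuid() knows the uid; the function name `access_as_uid` is chosen for this example.

```c
#define _GNU_SOURCE                /* initgroups() prototype on glibc */
#include <sys/types.h>
#include <sys/wait.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Ask the kernel whether `uid` may use `path` with `mode` (R_OK, W_OK, X_OK,
 * F_OK). A forked child assumes that user's complete identity and calls
 * access(2), so the filesystem's own ACL evaluation does the work.
 * Returns 0 if access would be granted, the errno access(2) reported
 * (EACCES, ENOENT, ...) if not, or -1 if the child could not take on the
 * identity (caller is not root, unknown uid, fork failure). */
int access_as_uid(const char *path, int mode, uid_t uid)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (uid != getuid() || uid != geteuid()) {
            struct passwd *pw = getpwuid(uid);
            /* Supplementary groups first, then gid, then uid: each later
             * call needs privilege the earlier ones drop, and ACL group
             * entries only match once the group list is that user's. */
            if (pw == NULL || initgroups(pw->pw_name, pw->pw_gid) != 0 ||
                setgid(pw->pw_gid) != 0 || setuid(uid) != 0)
                _exit(255);
        }
        if (access(path, mode) == 0)
            _exit(0);
        /* errno fits the 8-bit exit status; 255 is reserved above */
        _exit(errno > 0 && errno < 255 ? errno : 254);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 255 ? -1 : code;
}
int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s path uid\n", argv[0]); return 2; }
    int r = access_as_uid(argv[1], R_OK, (uid_t)strtoul(argv[2], NULL, 10));
    printf("%s\n", r == 0 ? "granted" : r < 0 ? "cannot switch identity" : strerror(r));
    return r == 0 ? 0 : 1;
}
```

Because the check happens in a throwaway child, the calling process keeps its own credentials, and a denied result carries the kernel's errno rather than a guess made from parsing the ACL.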