Re: ACLs, ACE and ls -e / chmod
2009/2/5 John Michael Zorko <jmzorko@mac.com>:
> Hello, all ...
> I'm writing code to save file ACLs in a sqlite database. While learning how to read the ACL of a file / directory, I learned a lot just by looking at the source for the Darwin 'ls' command. However, I've a question. The 'ls' source (print.c:321) has a for loop that does something like this for each ACE in an ACL:
>
>     for (i = 0, first = 0; acl_perms[i].name != NULL; i++) {
>         if (acl_get_perm_np(perms, acl_perms[i].perm) == 0)
>             continue;
>         if (!(acl_perms[i].flags & (isdir ? ACL_PERM_DIR : ACL_PERM_FILE)))
>             continue;
>         (void)printf("%s%s", first++ ? "," : "", acl_perms[i].name);
>     }
>
> ... since this is a for loop and there is no break statement after the printf, I'm wondering if it is possible for one ACE to represent multiple permissions i.e. "jmzorko deny write allow read allow execute" (even though chmod only seems to take one user / permission at a time). I want to make sure I save everything about the ACL in my database.
An ACE contains an identity, a type and a set of permissions. This means that a single ACE can allow OR deny more than one permission but it can't allow AND deny. "jmzorko deny write allow read allow execute" breaks down into 2 ACEs:

    jmzorko deny write
    jmzorko allow read execute

Darwin ACLs follow the Windows ACL model pretty closely, so the description of ACL structure here

<http://alt.pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsAnAccessControlList.html>

is quite applicable. Just substitute GUID where it says SID.

If you rewrite ACLs, remember to preserve the canonical ordering (see chmod(1)) because there's no API in the system to do that for you.

--
James Peach | jorgar@gmail.com

Darwin-dev mailing list (Darwin-dev@lists.apple.com)
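As an added illustration of the exchange above (not code from the thread, nor from Darwin's ls or chmod), this Python example stores one row per ACE in sqlite with the whole permission set and the entry position, then checks the order chmod(1) calls canonical: local deny, local allow, inherited deny, inherited allow. The sample lines, path, table layout and function names are assumptions, and it stores the identity as a printed name where the ACE itself carries a GUID.

```python
import sqlite3

SAMPLE = [  # constructed lines in the style `ls -le` prints, not real output
    " 0: user:jmzorko deny write",
    " 1: user:jmzorko allow read,execute",
    " 2: group:staff inherited allow read",
]

def parse_ace(line):
    """Split 'N: who [inherited] allow|deny perm,perm' into its fields."""
    position, rest = line.strip().split(": ", 1)
    *who, kind, perms = rest.split()
    inherited = bool(who) and who[-1] == "inherited"
    if inherited:
        who = who[:-1]
    if kind not in ("allow", "deny"):
        raise ValueError("not an ACE line: " + line)
    return int(position), " ".join(who), kind, inherited, perms.split(",")

def save_acl(db, path, lines):
    """One row per ACE: position keeps the order, perms keeps the whole set."""
    db.execute("CREATE TABLE IF NOT EXISTS ace (path TEXT, position INTEGER, "
               "who TEXT, kind TEXT, inherited INTEGER, perms TEXT, "
               "PRIMARY KEY (path, position))")
    for line in lines:
        pos, who, kind, inherited, perms = parse_ace(line)
        db.execute("INSERT INTO ace VALUES (?, ?, ?, ?, ?, ?)",
                   (path, pos, who, kind, int(inherited), ",".join(perms)))

def load_acl(db, path):
    """Return the ACEs of one path in their stored order."""
    rows = db.execute("SELECT who, kind, inherited, perms FROM ace "
                      "WHERE path = ? ORDER BY position", (path,))
    return [(who, kind, bool(inh), perms.split(","))
            for who, kind, inh, perms in rows]

def is_canonical(aces):
    """chmod(1) order: local deny, local allow, inherited deny, inherited allow."""
    ranks = [2 * inherited + (kind == "allow") for _, kind, inherited, _ in aces]
    return ranks == sorted(ranks)

def roundtrip(lines, path="/tmp/example"):  # constructed path
    db = sqlite3.connect(":memory:")
    save_acl(db, path, lines)
    return load_acl(db, path)

if __name__ == "__main__":
    acl = roundtrip(SAMPLE)
    print(acl, is_canonical(acl))
```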