Paul B. Henson wrote:
> I asked a while back if there was any utility function to evaluate a ZFS
> ACL, I didn't get much of a response and was unable to find anything, so
> decided to implement my own C code.
>
> It appears the acl_get() function is a convenient way to read the ACL;
> however, I don't see an efficient way to parse the data structure returned.
>
> The function returns an "acl_t *", which is defined in <sys/acl.h> as
> "typedef struct acl_info acl_t;"
>
> The acl_info struct does not appear to be defined in any header files
> shipped with Solaris 10. Browsing the opensolaris code base, I found the
> definition in <sys/acl_impl.h> to be:
>
> struct acl_info {
>         acl_type_t acl_type;    /* style of acl */
>         int acl_cnt;            /* number of acl entries */
>         int acl_entry_size;     /* sizeof acl entry */
>         int acl_flags;          /* special flags about acl */
>         void *acl_aclp;         /* the acl */
> };
>
> Is the acl_t intentionally designed to be opaque?

Yes, it's meant to be opaque. The layout of the acl_t will likely change in the not too distant future.

> can do with it is pass it to acltotext(), which will return a text string
> describing the ACL.
>
> It doesn't seem particularly efficient to pass a C structure to a function
> that converts it to a string, and then use C code to parse the text string.
>
> I would prefer to directly access the acl_info structure.
>

There are a number of private interfaces in libsec to retrieve stuff out of the ACL, but they aren't documented interfaces, such as acl_data() which will return you the pointer to the array of ace_t's and acl_cnt() that will return you the number of ACEs in the array. With those two interfaces you can then easily iterate over the ACL.

> So either I use the raw underlying system call, which is less than
> desirable, or I use acl_get() but have to perform text parsing, which is
> less than desirable.
>
> I think I'm inclined to simply copy the data structure definition from
> <sys/acl_impl.h> into my code so I can access the acl_t directly, which
> probably isn't recommended and will no doubt break if the internal
> implementation changes; but it seems the effort to fix it when it breaks
> would be less than either the effort to use the underlying system call or
> the effort to parse the text.
>
> Unless I'm missing something? Thanks for any feedback...
>
>

We are currently investigating adding more functionality to libsec to provide many of the things you desire. We will have iterators, editing capabilities and so on.

-Mark

_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
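
An added example, not part of the original message and not libsec code: a sketch of the ordered access check one could run over the ace_t array and entry count that the reply says acl_data() and acl_cnt() return. The ace_t layout and flag values are local stand-ins modelled on Solaris <sys/acl.h>, and `struct subject`, `acl_check`, `sample_check` and the sample ACL are hypothetical names and constructed data; privilege overrides are not modelled.

```c
#include <stddef.h>
#include <stdint.h>
/* Local stand-ins modelled on Solaris <sys/acl.h> so this builds anywhere (assumption). */
typedef struct { uint32_t a_who, a_access_mask; uint16_t a_flags, a_type; } ace_t;
enum { ACE_READ_DATA = 0x01, ACE_WRITE_DATA = 0x02 };
enum { ACE_INHERIT_ONLY_ACE = 0x0008, ACE_IDENTIFIER_GROUP = 0x0040,
       ACE_OWNER = 0x1000, ACE_GROUP = 0x2000, ACE_EVERYONE = 0x4000 };
enum { ACE_ACCESS_ALLOWED_ACE_TYPE = 0, ACE_ACCESS_DENIED_ACE_TYPE = 1 };
/* Hypothetical description of the caller; not a libsec type. */
struct subject { uint32_t uid; const uint32_t *gids; size_t ngids; };
static int in_group(const struct subject *s, uint32_t gid) {
    for (size_t i = 0; i < s->ngids; i++)
        if (s->gids[i] == gid) return 1;
    return 0;
}

/* Does this ACE name the caller? Inherit-only ACEs never take part in access checks. */
static int ace_applies(const ace_t *a, const struct subject *s, uint32_t owner, uint32_t group) {
    if (a->a_flags & ACE_INHERIT_ONLY_ACE) return 0;
    if (a->a_flags & ACE_EVERYONE) return 1;
    if (a->a_flags & ACE_OWNER) return s->uid == owner;
    if (a->a_flags & ACE_GROUP) return in_group(s, group);           /* group@ */
    if (a->a_flags & ACE_IDENTIFIER_GROUP) return in_group(s, a->a_who);
    return s->uid == a->a_who;                                       /* user:<uid> */
}

/* In order: a matching deny on an undecided bit fails; a matching allow settles its bits. */
int acl_check(const ace_t *aces, int cnt, const struct subject *s,
              uint32_t owner, uint32_t group, uint32_t want) {
    uint32_t pending = want;
    for (int i = 0; i < cnt && pending; i++) {
        if (!ace_applies(&aces[i], s, owner, group)) continue;
        if (aces[i].a_type == ACE_ACCESS_DENIED_ACE_TYPE && (aces[i].a_access_mask & pending))
            return 0;
        if (aces[i].a_type == ACE_ACCESS_ALLOWED_ACE_TYPE)
            pending &= ~aces[i].a_access_mask;
    }
    return pending == 0;   /* bits no ACE allowed are denied by default */
}

/* Constructed sample ACL for a file owned by uid 1000, gid 50. */
static const ace_t sample_acl[] = {
    { 1001, ACE_WRITE_DATA, 0, ACE_ACCESS_DENIED_ACE_TYPE },
    { 50, ACE_READ_DATA | ACE_WRITE_DATA, ACE_IDENTIFIER_GROUP, ACE_ACCESS_ALLOWED_ACE_TYPE },
    { 0, ACE_READ_DATA, ACE_EVERYONE, ACE_ACCESS_ALLOWED_ACE_TYPE },
};
int sample_check(uint32_t uid, uint32_t gid, uint32_t want) {
    struct subject s = { uid, &gid, 1 };
    return acl_check(sample_acl, 3, &s, 1000, 50, want);
}
```

Entry order decides the result: uid 1001 is in group 50 but is refused write because the deny entry precedes the group allow.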