United States-English |
|
|
HP-UX Reference > Ggetaccess(2)HP-UX 11i Version 3: February 2007 |
|
NAMEgetaccess() — get a user's effective access rights to a file SYNOPSIS#include <sys/getaccess.h> int getaccess( const char *path, uid_t uid, int ngroups, const gid_t *gidset, void *label, void *privs ); DESCRIPTIONgetaccess() identifies the access rights (read, write, execute/search) a specific user ID has to an existing file. path points to a path name of a file. If the call succeeds, it returns a value of zero or greater, representing the specified user's effective access rights (modes) to the file. The rights are expressed as the logical OR of bits (R_OK, W_OK, and X_OK) whose values are defined in the header <unistd.h>. A return of zero means that access is denied. The uid parameter is a user ID. Special values, defined in <sys/getaccess.h>, represent the calling process's effective, real, or saved user ID:
ngroups is the number of group IDs in gidset, not to exceed sysconf(_SC_NGROUPS_MAX) + 1. If the ngroups parameter is positive, the gidset parameter is an array of group ID values to use in the check. If ngroups is a recognized negative value, gidset is ignored. Special negative values of ngroups, defined in <sys/getaccess.h>, represent various combinations of the process's effective, real, or saved user ID and its supplementary groups list:
The label and privs parameters are placeholders for future extensions. For now, the values of these parameters must be (void *) 0. The access check rules for access control lists are described in acl(5) and aclv(5). In addition, the W_OK bit is cleared for files on read-only file systems or shared-text programs being executed. Note that as in access(2), the X_OK bit is not turned off for shared-text programs open for writing because there is no easy way to know that a file open for writing is a shared-text program. getaccess() checks each directory component of path by first using the caller's effective user ID, effective group ID, and supplementary groups list, regardless of the user ID specified. An error occurs, distinct from "no access allowed," if the caller cannot search the path to the file. (In this case it is inappropriate for the caller to learn anything about the file.) Comparison of access and getaccessThe following table compares various attributes of access() and getaccess().
Security RestrictionsIf the caller's user ID is 0, or has the DACREAD and DACWRITE privilege, or if it is UID_EUID, UID_RUID, or UID_SUID (see <sys/getaccess.h>) and the process's respective user ID is 0, R_OK and W_OK are always set except when W_OK is cleared for files on read-only file systems or shared-text programs being executed. X_OK is set if and only if the file is not a regular file or the execute bit is set in any of the file's ACL entries. See privileges(5) for more information about privileged access on systems that support fine-grained privileges. RETURN VALUEgetaccess() returns the following values:
ERRORSgetaccess() fails if any of the following conditions are encountered:
EXAMPLESThe following call determines the caller's effective access rights to file test and succeeds if the user has read access: #include <unistd.h> #include <sys/getaccess.h> int mode; mode = getaccess ("test", UID_EUID, NGROUPS_EGID_SUPP, (int *) 0, (void *) 0, (void *) 0); if ((mode >= 0) && (mode & R_OK)) ... Here is one way to test access rights to file /tmp/hold for user ID 23, group ID 109: int gid = 109; int mode; mode = getaccess ("/tmp/hold", 23, 1, & gid, (void *) 0, (void *) 0); Should the need arise, the following code builds a gidset that includes the process's effective group ID: #include <sys/types.h> #include <unistd.h> gid_t *gidset; int ngroups; int ngroups_max; ngroups_max = sysconf(_SC_NGROUPS_MAX) + 1; gidset = (gid_t *)malloc(ngroups_max * sizeof(gid_t)); gidset[0] = getegid(); ngroups = 1 + getgroups (ngroups_max - 1, &gidset[1]); |
Printable version | ||
|