ACL configuration file format
The ACL configuration file format is intended to facilitate both generation and parsing.
Descriptors
An ACL configuration file consists of zero or more text descriptors. A descriptor specifies properties of a PPS object path. In particular, it specifies access permissions (owner, mode, and ACL). A descriptor also records other important properties of the object, including whether it's a server object, whether it's persistent, and whether it should be created if it's missing on startup.
Descriptor format
A descriptor consists of two or more nonblank lines of text followed by a blank line (or end of file). The two mandatory lines of text define the:
- file or directory path
- file or directory details
These two mandatory lines may be followed by an ACL, in either short or long text form.
The permissions described by the ACL (if one is present) take precedence over those specified in the details line. An ACL must be of a form usable by the acl_from_text() function (i.e., either short or long text form). The ACL must also be complete and valid according to acl_valid(). Specifically, an extended ACL must include an explicit ACL_MASK entry. No mask is computed if one is missing.
Leading and trailing whitespace is stripped from each line before processing.
Comments are introduced by the "#" character, and run to the end of the line; they are syntactically equivalent to whitespace.
Paths
Paths must be specified relative to the PPS mountpoint. They may not contain:
- extraneous path separators or relative components such as "." or ".."
- leading or trailing whitespace
- the "#" character
Paths for directories must end with a single separator character.
Details
The details line must not contain extraneous whitespace, and must be of the form:
```
user:group:mode[:property[,property...]]
```
where:
- user is the file or directory owner
- group is the file or directory group
- mode is a bitmap of file permissions (read, write, and execute for user, group, and other, plus the setuid, setgid, and sticky bits), written as an octal number
The properties are optional and consist of zero or more of the following:
| Property | Description |
|---|---|
| O_CREAT | The object should be created if it's missing. |
| nopersist | Disable persistence for this object and its attributes. |
| server | Treat the object as a server object. |
Sample ACL configuration file
The following example shows ACL configurations for a directory with an ACL in short text form, and for a file:
```
a/directory/
nobody:nobody:2711:O_CREAT # comment
user::rwx
group::x
other::x
mask::x # comment
group:nto:x

a/directory/file
nobody:nobody:640
```
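As an added example (not part of the QNX documentation or the PPS implementation), the following Python parser applies the rules above to the sample file: comment stripping, blank-line descriptor boundaries, path and details-line validation, and the requirement that an extended ACL carry an explicit mask entry. The function names and the `Descriptor` tuple are this example's own; it does not call acl_from_text() or acl_valid(), so its ACL checks are a simplified stand-in for those.

```python
import re
from collections import namedtuple

PROPERTIES = {"O_CREAT", "nopersist", "server"}
ACL_TAGS = {"user", "group", "other", "mask"}
Descriptor = namedtuple("Descriptor", "path user group mode props acl")

def parse_details(line):
    # user:group:mode[:property[,property...]], no whitespace anywhere
    f = line.split(":")
    if re.search(r"\s", line) or len(f) not in (3, 4) or not re.fullmatch(r"[0-7]{1,4}", f[2]):
        raise ValueError(f"malformed details line {line!r}")
    props = tuple(f[3].split(",")) if len(f) == 4 else ()
    if set(props) - PROPERTIES:
        raise ValueError(f"unknown property in {line!r}")
    return f[0], f[1], int(f[2], 8), props

def parse_acl(lines):
    # Short text form (comma separated) or long text form (one entry per line)
    entries = []
    for entry in (e.strip() for l in lines for e in l.split(",")):
        tag, _, rest = entry.partition(":")
        qualifier, _, perms = rest.partition(":")
        if tag not in ACL_TAGS or not re.fullmatch(r"[rwx-]*", perms):
            raise ValueError(f"bad ACL entry {entry!r}")
        entries.append((tag, qualifier, perms))
    # A named user/group entry makes the ACL extended; no mask is computed for it
    if any(q for _, q, _ in entries) and all(t != "mask" for t, _, _ in entries):
        raise ValueError("extended ACL without an explicit ACL_MASK entry")
    return tuple(entries)

def parse_acl_config(text):
    # "#" to end of line is whitespace; a blank line (or EOF) ends a descriptor
    clean = "\n".join(l.split("#", 1)[0].strip() for l in text.splitlines())
    out = []
    for block in (b.split("\n") for b in re.split(r"\n{2,}", clean.strip("\n")) if b):
        if len(block) < 2:
            raise ValueError(f"descriptor needs path and details lines: {block}")
        path = block[0]
        # Relative to the PPS mountpoint: no leading/doubled separators, no "." or ".."
        if path.startswith("/") or "//" in path or any(c in (".", "..") for c in path.split("/")):
            raise ValueError(f"bad path {path!r}")
        user, group, mode, props = parse_details(block[1])
        out.append(Descriptor(path, user, group, mode, props, parse_acl(block[2:])))
    return out

# Constructed sample: the page's directory descriptor plus its file descriptor
SAMPLE = ("a/directory/\nnobody:nobody:2711:O_CREAT # comment\nuser::rwx\ngroup::x\n"
          "other::x\nmask::x # comment\ngroup:nto:x\n\na/directory/file\nnobody:nobody:640\n")
```

Running `parse_acl_config(SAMPLE)` yields two descriptors; a file with a named group entry but no mask line raises instead of silently getting a computed mask.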