HP-UX Reference Section 5: Miscellaneous Topics Section 7: Device (Special) Files Section 9: General Information Index HP-UX 11i Version 2 Volume 9 of 9 Manufacturing Part Number : B2355-90787 Printed In USA E0803 Printed in USA © Copyright 1983-2003 Hewlett-Packard Development Company LP.


  • HP-UX Reference

    Section 5: Miscellaneous Topics
    Section 7: Device (Special) Files
    Section 9: General Information

    Index

    HP-UX 11i Version 2

    Volume 9 of 9

    Manufacturing Part Number: B2355-90787

    Printed in USA

    E0803

    Copyright 1983-2003 Hewlett-Packard Development Company LP.

    Legal Notices

    The information in this document is subject to change without notice.

    Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.

    Use of this document and any supporting software media is restricted to this product only. Additional copies of the programs may be made for security and back-up purposes only. Resale of the programs, in their present form or with alterations, is expressly prohibited.

    Warranty

    A copy of the specific warranty terms applicable to your Hewlett-Packard product and replacement parts can be obtained from your local Sales and Service Office.

    U.S. Government License

    Proprietary computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

    Copyright Notices

    Reproduction, adaptation, or translation of this document without prior written permission is prohibited, except as allowed under the copyright laws.

    This document and the software it describes may also be protected under one or more of the following copyrights. Additional copyrights are acknowledged in some individual manpages.

    Copyright 1983-2003 Hewlett-Packard Development Company, LP.

    Copyright 1979, 1980, 1983, 1985-1993 The Regents of the University of California.

    Copyright 1980, 1984, 1986 Novell, Inc.

    Copyright 1985, 1986, 1988 Massachusetts Institute of Technology

    Copyright 1986-2000 Sun Microsystems, Inc.

    Copyright 1988 Carnegie Mellon University

    Copyright 1989-1991 The University of Maryland

    Copyright 1989-1993 The Open Software Foundation, Inc.

    Copyright 1990 Motorola, Inc.

    Copyright 1990-1992 Cornell University

    Copyright 1991-2003 Mentat, Inc.

    Copyright 1996 Morning Star Technologies, Inc.

    Copyright 1996 Progressive Systems, Inc.

    Trademark Notices

    Intel and Itanium are registered trademarks of Intel Corporation in the US and other countries and are used under license.

    Java is a US trademark of Sun Microsystems, Inc.

    Microsoft and MS-DOS are U.S. registered trademarks of Microsoft Corporation.

    OSF/Motif is a trademark of The Open Group in the US and other countries.

    UNIX is a registered trademark of The Open Group.

    X Window System is a trademark of The Open Group.

    Revision History

    This document's printing date and part number indicate its edition. The printing date changes when a new edition is printed. (Minor corrections and updates which are incorporated at reprint do not cause the date to change.) New editions of this manual incorporate all material updated since the previous edition.

    Part Number ... Date, Release, Format, Distribution
    B2355-60103 ... August 2003. HP-UX release 11i version 2, one volume HTML, docs.hp.com and Instant Information.
    B2355-90779-87 ... August 2003. HP-UX release 11i version 2, nine volumes PDF, docs.hp.com and print.
    B9106-90010 ... June 2002. HP-UX release 11i version 1.6, one volume HTML, docs.hp.com and Instant Information.
    B9106-90007 ... June 2001. HP-UX release 11i version 1.5, seven volumes HTML, docs.hp.com and Instant Information.
    B2355-90688 ... December 2000. HP-UX release 11i version 1, nine volumes.
    B2355-90166 ... October 1997. HP-UX release 11.0, five volumes.
    B2355-90128 ... July 1996. HP-UX release 10.20, five volumes, online only.
    B2355-90052 ... July 1995. HP-UX release 10.0, four volumes.

    Conventions

    We use the following typographical conventions.

    audit (5) ... An HP-UX manpage. audit is the name and 5 is the section in the HP-UX Reference. On the web and on the Instant Information CD, it may be a hot link to the manpage itself. From the HP-UX command line, you can enter man audit or man 5 audit to view the manpage. See man (1).

    Book Title ... The title of a book. On the web and on the Instant Information CD, it may be a hot link to the book itself.

    KeyCap ... The name of a keyboard key. Note that Return and Enter both refer to the same key.

    Emphasis ... Text that is emphasized.

    Emphasis ... Text that is strongly emphasized.

    ENVIRONVAR ... The name of an environment variable.

    [ERRORNAME] ... The name of an error number, usually returned in the errno variable.

    Term ... The defined use of an important word or phrase.

    ComputerOutput ... Text displayed by the computer.

    UserInput ... Commands and other text that you type.

    Command ... A command name or qualified command phrase.

    Variable ... The name of a variable that you may replace in a command or function, or information in a display that represents several possible values.

    [ ] ... The contents are optional in formats and command descriptions. If the contents are a list separated by |, you may choose one of the items.

    { } ... The contents are required in formats and command descriptions. If the contents are a list separated by |, you must choose one of the items.

    ... ... The preceding element may be repeated an arbitrary number of times.

    | ... Separates items in a list of choices.

    Preface

    HP-UX is the Hewlett-Packard Company's implementation of an operating system that is compatible with various industry standards. It is based on the UNIX System V Release 4 operating system and includes important features from the Fourth Berkeley Software Distribution.

    The nine volumes of this manual contain the system reference documentation, made up of individual entries called manpages, named for the man command that displays them on the system. The entries are also known as manual pages or reference pages.

    General Introduction

    For a general introduction to HP-UX and the structure and format of the manpages, please see the introduction (9) manpage in volume 9.

    Section Introductions

    The manpages are divided into sections that also have introduction (intro) manpages that describe the contents. These are:

    intro (1) ... Section 1: User Commands (A-M in volume 1; N-Z in volume 2)

    intro (1M) ... Section 1M: System Administration Commands (A-M in volume 3; N-Z in volume 4)

    intro (2) ... Section 2: System Calls (in volume 5)

    intro (3C) ... Section 3: Library Functions (A-M in volume 6; N-Z in volume 7)

    intro (4) ... Section 4: File Formats (in volume 8)

    intro (5) ... Section 5: Miscellaneous Topics (in volume 9)

    intro (7) ... Section 7: Device (Special) Files (in volume 9)

    intro (9) ... Section 9: General Information (in volume 9)

  • Volume Nine Table of Contents

    Section 5
    Section 7
    Section 9
    Index


  • Table of Contents, Volume Nine

    Section 5: Miscellaneous Topics

    Entry Name(Section): name ... Description

    intro(5) ... introduction to miscellany
    acctresume: suspend and resume accounting when available disk space reaches threshold ... see acctsuspend(5)
    acctsuspend(5): acctresume, acctsuspend ... suspend and resume accounting when available disk space reaches threshold
    acl(5): acl ... introduction to access control lists
    aclv(5): aclv ... introduction to JFS access control lists
    aio(5): aio() ... POSIX asynchronous I/O
    aio_listio_max(5) ... maximum number of POSIX asynchronous I/O that can be specified in a listio() call
    aio_max_ops(5) ... maximum number of POSIX async I/O operations that can be queued at any time
    aio_monitor_run_sec(5): aio_monitor_run_sec ... frequency of AIO thread pool monitor execution (in seconds)
    aio_physmem_pct(5) ... percentage of physical memory lockable for request call-back POSIX asynchronous I/O operations
    aio_prio_delta_max(5) ... greatest delta (slowdown factor) allowed in POSIX async IO request priorities
    aio_proc_threads(5): aio_proc_threads ... maximum number of process threads allowed in AIO pool
    aio_proc_thread_pct(5): aio_proc_thread_pct ... percentage of all process threads allowed in AIO pool
    aio_req_per_thread(5): aio_req_per_thread ... desirable ratio between number of pending AIO requests and servicing threads
    aliases(5): aliases ... aliases file for sendmail
    allocate_fs_swapmap(5) ... determines when swapmap structures are allocated for filesystem swap
    alwaysdump(5) ... defines which classes of kernel memory pages are dumped when a kernel panic occurs
    aries(5): Aries ... emulate PA-RISC applications on Itanium-based system
    ascii(5): ascii ... map of ASCII character set
    audio(5): audio ... audio tools available through HP VUE
    audit(5) ... introduction to HP-UX Auditing System
    chanq_hash_locks(5): chanq_hash_locks ... size of hashed pool of spinlocks protecting the channel queue hash tables
    complex(5): complex ... complex functions and macros
    core_addshmem_read(5) ... determines the inclusion of readable shared memory in a process core dump
    core_addshmem_write(5) ... determines the inclusion of read/write shared memory in process core dump
    create_fastlinks(5) ... configure the system to use fast symbolic links
    curses(5): curses ... definition for screen handling and optimisation functions
    dbc_max_pct(5) ... maximum percentage of memory to be used for caching file I/O data and metadata
    dbc_min_pct(5) ... minimum percentage of memory used for caching file I/O data and metadata
    default_disk_ir(5) ... enable/disable the use of a device's write cache in the SCSI subsystem
    dirent(5): dirent.h ... format of directory streams and directory entries
    dld.so(5): dld.so ... dynamic loader
    dma32_pool_size(5): dma32_pool_size ... the amount of memory to reserve for the 32-bit DMA pool
    dnlc_hash_locks(5) ... number of locks for the Directory Name Lookup Cache (DNLC)
    dontdump(5): dontdump ... defines which classes of kernel memory pages are not dumped when a kernel panic occurs
    dst: difference between Universal (Greenwich mean) and local time ... see timezone(5)
    dump_compress_on(5): dump_compress_on ... system dumps memory pages, compressed or uncompressed, when a kernel panic occurs
    enable_idds(5): enable_idds ... enable intrusion detection data source
    environ(5): environ ... user environment
    eqmemsize(5) ... determines the minimum size (in pages) of the equivalently mapped reserve pool
    executable_stack(5) ... controls whether program stacks are executable by default
    fcntl(5) ... file control options
    fenv(5): fenv ... floating-point environment macros and functions
    fs_async(5) ... enables write calls to return before write operation is complete (Boolean)
    fs_symlinks(5) ... maximum number of symbolic links used to resolve a path name
    fs_wrapper(5) ... configuration and binary files used by file system administration commands

    HP-UX 11i Version 2: August 2003 Hewlett-Packard Company ix

    gssapi(5): gssapi() ... Generic Security Service Application Programming Interface
    hdlpreg_hash_locks(5) ... determines the size of the pregion spinlock pool
    hfs_revra_per_disk(5) ... maximum HFS file system blocks to be read in one read-ahead operation when sequentially reading backwards
    hier(5): hier ... file system hierarchy
    hostname(5): hostname ... host name resolution description
    hosts_access(5): hosts_access ... format of host access control files
    inttypes(5): inttypes ... basic integer data types
    ioctl(5): ioctl ... generic device control commands
    kconfig(5): kconfig ... introduction to kernel configuration commands
    kerberos(5) ... introduction to the Kerberos system
    krs(5) ... kernel registry services
    ksi_alloc_max(5) ... system-wide limit of queued signals that can be allocated
    ksi_send_max(5) ... limit on number of queued signals per process
    lang(5): lang ... description of supported languages
    langinfo(5): langinfo ... language information constants
    libcrash(5): libcrash ... crash dump access library
    libcres.a(5): libcres.a ... subset of functions from libc.a
    limits(5): limits ... implementation-specific constants
    man(5): man ... macros for formatting manpages
    manuals(5) ... list of HP-UX documentation
    math(5): math ... math functions and constants
    maxdsiz(5): maxdsiz, maxdsiz_64bit ... maximum size (in bytes) of the data segment for any user process
    maxdsiz_64bit: maximum size (in bytes) of the data segment for any user process ... see maxdsiz(5)
    maxfiles(5) ... initial (soft) maximum number of file descriptors per process
    maxfiles_lim(5) ... hard maximum number of file descriptors per process
    maxrsessiz(5): maxrsessiz, maxrsessiz_64bit ... maximum size (in bytes) of the RSE stack for any user process
    maxrsessiz_64bit: maximum size (in bytes) of the RSE stack for any user process ... see maxrsessiz(5)
    maxssiz(5): maxssiz, maxssiz_64bit ... maximum size (in bytes) of the stack for any user process
    maxssiz_64bit: maximum size (in bytes) of the stack for any user process ... see maxssiz(5)
    maxtsiz(5): maxtsiz, maxtsiz_64bit ... maximum size (in bytes) of the text segment for any user process
    maxtsiz_64bit: maximum size (in bytes) of the text segment for any user process ... see maxtsiz(5)
    maxuprc(5) ... limits the maximum number of user processes per user
    maxvgs(5) ... maximum number of LVM Volume Groups that can be created/activated on the system
    max_acct_file_size(5): max_acct_file_size ... defines the maximum accounting file size
    max_async_ports(5): max_async_ports ... maximum number of asynchronous disk ports that can be open at any time
    max_mem_window(5) ... maximum number of group-private 32-bit shared memory windows configurable by users
    max_thread_proc(5) ... defines the maximum number of threads allowed per process
    mesg(5): mesg ... enable or disable System V IPC messages at boot time
    mknod(5): mknod ... macros for handling device numbers
    mm(5): mm ... the MM macro package for formatting documents
    mman(5) ... memory mapping definitions
    msgmap(5): msgmap ... number of entries in the System V IPC message space resource map
    msgmax(5): msgmax ... maximum System V IPC message size in bytes
    msgmnb(5): msgmnb ... maximum number of bytes on a single System V IPC message queue
    msgmni(5): msgmni ... maximum number of system-wide System V IPC message queues (IDs) allowed
    msgseg(5): msgseg ... number of System V IPC message segments in the system
    msgssz(5): msgssz ... number of bytes in a System V IPC message segment
    msgtql(5): msgtql ... maximum number of System V IPC messages in the system at any time
    mtab: mounted file system table ... see pfs_fstab(5)
    ncdnode(5) ... maximum number of open CDFS files (system-wide)
    nclist(5) ... number of cblocks for pty and tty data transfers
    ncsize(5) ... number of Directory Name Lookup Cache (DNLC) entries
    ndir(5): ndir.h ... format of HP-UX directory streams
    nfile(5) ... maximum number of file descriptors (system-wide)


    nflocks(5) ... maximum number of file locks
    ninode(5) ... maximum number of HFS file system open inodes that can be in memory
    nkthread(5) ... limits the number of threads allowed to run simultaneously
    nproc(5) ... limits the number of processes allowed to run simultaneously
    npty(5): npty ... maximum number of pseudo-teletypes (ptys)
    nstrevent(5) ... maximum number of outstanding STREAMS bufcalls
    nstrpty(5): nstrpty ... maximum number of streams-based pseudo-teletypes (ptys)
    nstrpush(5) ... maximum number of STREAMS modules in a single stream
    nstrsched(5) ... number of STREAMS scheduler daemons to run
    nstrtel(5) ... specifies the number of telnet device files the kernel can support for incoming telnet sessions
    nswapdev(5) ... maximum number of devices that can be enabled for swap
    nswapfs(5) ... maximum number of file systems that can be enabled for swap
    nsysmap(5): nsysmap, nsysmap64 ... number of entries in a kernel dynamic memory allocation map
    nsysmap64: number of entries in a kernel dynamic memory allocation map ... see nsysmap(5)
    orientation(5): orientation ... orientation of a stream
    pam_unix(5): pam_unix ... authentication, account, session, and password management PAM modules for UNIX
    pam_updbe(5): pam_updbe ... PAM user policy definition module
    partition(5): partition ... display information about Partition commands
    pa_maxssiz(5): pa_maxssiz_32bit, pa_maxssiz_64bit ... maximum size (in bytes) of the stack for any PA-RISC user process
    pa_maxssiz_64bit: maximum size (in bytes) of the stack for any PA-RISC user process ... see pa_maxssiz(5)
    pfdat_hash_locks(5) ... determines the size of the pfdat spinlock pool
    pfs_exports(5): pfs_exports ... directories to export to PFS clients
    pfs_fstab(5): pfs_fstab ... static file system mounting table
    pfs_xtab(5): directories to export to PFS clients ... see pfs_exports(5)
    physical_io_buffers(5) ... total physical I/O buffers on system
    portal(5): portal.h ... header file for future applications
    pthread_stubs(5): pthread_stubs ... list of pthread calls for which the stubs are provided in the C library
    quota(5): quota ... disk quotas
    rcsintro(5): rcsintro ... description of RCS commands
    regexp(5) ... regular expression and pattern matching notation definitions
    region_hash_locks(5) ... determines the size of the region spinlock pool
    remote_nfs_swap(5) ... enable swapping across NFS
    rtsched_numpri(5) ... number of priority values to support for POSIX.1b realtime applications
    scroll_lines(5) ... number of scrollable lines used by the Internal Terminal Emulator
    scsi_maxphys(5) ... maximum allowed length of an I/O on all SCSI devices
    scsi_max_qdepth(5) ... maximum number of I/Os that target will queue up for execution
    secure_sid_scripts(5): secure_sid_scripts ... controls whether setuid and setgid bits on scripts are honored
    sema(5) ... enable or disable System V IPC semaphores at boot time
    semaem(5) ... maximum cumulative value changes per System V IPC semop() call
    semmni(5) ... number of System V IPC system-wide semaphore identifiers
    semmns(5) ... number of System V system-wide semaphores
    semmnu(5) ... number of System V IPC system-wide semaphore undo structures
    semmsl(5) ... maximum number of System V IPC semaphores per identifier
    semume(5) ... maximum number of System V IPC undo entries per process
    semvmx(5) ... maximum value of any single System V IPC semaphore
    sendfile_max(5) ... maximum number of Buffer Cache Pages used by sendfile
    shmem(5) ... enable or disable System V shared memory
    shmmax(5) ... maximum size (in bytes) for a System V shared memory segment
    shmmni(5) ... number of System V shared memory segment identifiers in the system
    shmseg(5) ... maximum number of System V shared memory segments per process
    signal(5): signal.h ... description of signals
    signal.h: description of signals ... see signal(5)
    sis(5) ... secure internet services description
    stat(5): stat ... data returned by stat/fstat/lstat system call
    stdarg(5): stdarg ... handle variable argument list
    stdsyms(5): stdsyms ... description of "named defines" and other specifications for name space from HP-UX header files
    strctlsz(5) ... maximum size of streams message control in bytes


    streampipes(5) ... force all pipes to be STREAMS-based
    strmsgsz(5) ... maximum size of streams message data in bytes
    st_ats_enabled(5) ... determines whether to reserve a tape device on open
    st_fail_overruns(5) ... determines whether variable block mode read requests smaller than the physical record size will fail
    st_large_recs(5) ... determines maximum logical record size allowed through the stape driver
    suffix(5): suffix ... file-name suffix conventions
    swapmem_on(5) ... allow physical memory size to exceed the available swap space
    swchunk(5) ... swap chunk size in 1 KB blocks
    sysv_hash_locks(5) ... System V IPC hashed spinlock pool size
    tcphashsz(5) ... determines the size of the networking hash tables
    term(5): term ... terminal capabilities
    thread_safety(5): thread_safety ... list of libc, libpthread and libgen interfaces: Not thread-safe, Cancellation Points, Cancel Safe, Async Signal Safe, Async Cancel Safe
    timeslice(5) ... scheduling interval in clock ticks per second
    timezone(5): dst, timezone ... difference between Universal (Greenwich mean) and local time
    types(5) ... primitive system data types
    unctrl(5): unctrl ... definition for unctrl()
    unistd(5): unistd.h ... standard structures and symbolic constants
    unistd.h: standard structures and symbolic constants ... see unistd(5)
    unlockable_mem(5): unlockable_mem ... amount of physical memory that may not be locked by user processes
    unwind(5): unwind ... stack unwind library entry points and convenience macros
    values(5) ... machine-dependent values
    varargs(5): varargs.h ... handle variable argument list
    vps_ceiling(5) ... maximum (in kilobytes) of system-selectable page size
    vps_chatr_ceiling(5) ... maximum (in kilobytes) of user selectable page size
    vps_pagesize(5) ... minimum (in kilobytes) of system-selected page size
    vxfs_bc_bufhwm(5): vxfs_bc_bufhwm ... Determine the VxFS buffer cache size
    vxfs_ifree_timelag(5): vxfs_ifree_timelag ... Specify the minimum time a VxFS inode spends on a freelist
    vxfs_max_ra_kbytes(5) ... maximum amount of read-ahead data, in KB, that kernel may have outstanding for a single VxFS file system
    vxfs_ra_per_disk(5) ... amount of VxFS file system read-ahead per disk, in KB
    vx_maxlink(5): vx_maxlink ... Configure the number of links to a file
    vx_ncsize(5) ... number of bytes reserved for directory pathname cache for VxFS
    vx_ninode(5): vx_ninode ... Determine the internal node table size
    xferlog(5): xferlog ... FTP server logfile

    Section 7: Device (Special) Files

    Entry Name(Section): name ... Description

    intro(7): intro ... introduction to device special files
    arp(7P): arp ... address resolution protocol
    autochanger(7): autochanger ... SCSI media changer device drivers
    blmode(7): blmode ... terminal block mode interface
    cent(7): cent ... Centronics-compatible interface
    clone(7) ... open a major and minor device pair on a STREAMS driver
    console(7): console ... system console interface
    ddfa(7): ddfa ... Data Communications and Terminal Controller Device File Access software
    diag0(7): diag0 ... diagnostic interface to I/O subsystem
    diag1(7): diag1 ... diagnostic interface to I/O subsystem
    diag2(7): diag2 ... diagnostic interface
    disk(7): disk ... direct disk access
    dlpi(7): dlpi ...
data link provider interfacefloppy(7): floppy ................................................................................... flexible or floppy disk device driverframebuf(7): framebuf ................................................................ information for raster frame-buffer devicesgang_sched(7): gang_sched ................................................................................................... Gang Schedulerhil(7): hil ........................................................................................................................ HP-HIL device driverhilkbd(7): hilkbd ........................................................................................ HP-HIL mapped keyboard driverinet(7F): inet .............................................................................................................. Internet protocol familyiomap(7): iomap ....................................................................................................... physical address mapping

    xii Hewlett-Packard Company HP-UX 11i Version 2: August 2003

  • Table of Contents: Volume Nine

    Entry Name(Section): name - Description
    IP(7P): IP - Internet Protocol
    IP6(7P): IP - Internet Protocol, version 6
    ipmi(7): ipmi - intelligent platform management interface driver
    kmem: kernel memory - see mem(7)
    kmem(7): kmem - perform I/O on kernel memory based on symbol name
    lan(7): lan - network I/O card access information
    ldterm(7): ldterm - STREAMS terminal line discipline module
    lp(7): lp - line printer
    lvm(7): lvm - Logical Volume Manager (LVM)
    mem(7): mem, kmem - main memory
    modem(7): modem - asynchronous serial modem line control
    mt(7): mt - magnetic tape interface for stape and tape2
    NDP(7P): NDP - Neighbor Discovery Protocol
    nfs(7): nfs, NFS - network file system
    null(7): null - null file
    pckt(7): pckt - Packet Mode module for STREAMS pty
    poll(7): poll - monitor I/O conditions on multiple file descriptors
    ps2(7): ps2, ps2kbd, ps2mouse - PS/2 keyboard and mouse device driver and files
    ptem(7): ptem - STREAMS pty (pseudo-terminal) Emulation module
    ptm(7): ptm - STREAMS master pty (pseudo-terminal) driver
    pts(7): pts - STREAMS slave pty driver
    pty(7): pty - pseudo terminal driver
    random(7): random, urandom - strong random number generator
    routing(7) - system support for local network packet routing
    sad(7) - STREAMS administrative driver
    scsi(7): scsi - Small Computer System Interface (SCSI) device drivers
    scsi_ctl(7): scsi_ctl - SCSI pass-through device driver
    scsi_disk(7): scsi_disk - SCSI direct access device driver
    scsi_tape(7): scsi_tape - SCSI sequential access device driver
    sioc_io(7): sioc_io - SCSI pass-through interface
    slp_syntax(7): slp_syntax - SLP Service URL Syntax
    socket(7): socket - Interprocess communications
    streamio(7) - STREAMS ioctl commands
    strlog(7) - STREAMS log driver
    sttyv6(7): stty - terminal interface for Version 6/PWB compatibility
    TCP(7P): TCP - Internet Transmission Control Protocol
    telm: STREAMS Telnet master driver - see tels(7)
    tels(7): tels, telm - STREAMS slave and master drivers
    termio(7): termio, termios - general terminal interface
    termios : general terminal interface - see termio(7)
    termiox(7): termiox - extended general terminal interface
    timod(7) - STREAMS module for reads and writes by Transport Interface users
    tirdwr(7) - STREAMS module for reads and writes by Transport Interface users
    tty(7): tty - controlling terminal interface
    UDP(7P): udp - Internet user datagram protocol
    UNIX(7P): UNIX - local communication domain protocol
    urandom : strong random number generator - see random(7)
    vxfsio(7) - VxFS file system control functions
    xopen_networking(7): xopen_networking - Interprocess communications
    zero(7): zero - zero file

    Section 9: General Information

    Entry Name(Section): name - Description
    intro(9): intro - introduction to HP-UX general information section
    glossary(9) - description of common HP-UX terms
    introduction(9) - introduction to the HP-UX operating system and the HP-UX Reference

    Index: All Volumes


  • Section 5

    Miscellaneous Topics


    intro(5)

    NAME
    intro - introduction to miscellany

    DESCRIPTION
    This section describes miscellaneous facilities, such as macro packages, character set tables, the file system hierarchy, and operating system tunable parameters.

    SEE ALSO
    introduction(9).

    Other Documentation
    Tunable Kernel Parameters
    HP-UX on the Internet at http://docs.hp.com.


    acctsuspend(5) (Tunable Kernel Parameters)

    NAME
    acctsuspend, acctresume - suspend and resume accounting when available disk space reaches threshold

    VALUES
    Failsafe
        Default.

    Default
        acctsuspend: 2
        acctresume: 4

    Allowed values
        acctresume: -100 - 101
        acctsuspend: -100 - acctresume-1

    Recommended values
        acctsuspend: 2 - 6
        acctresume: 4 - 10 (but more than acctsuspend)

    DESCRIPTION
    The acctsuspend and acctresume tunables control when accounting stops and resumes due to disk space constraints. When free disk space on the file system being used by accounting reaches the suspension threshold, which is the acctsuspend percentage relative to the percentage of disk space available only to the superuser, accounting is suspended until such time as the free disk space reaches the resumption threshold, which is the acctresume percentage relative to the percentage of disk space available only to the superuser.

    Note: Since the acctsuspend and acctresume values are specified relative to the percentage of disk space available only to the superuser, negative values of these parameters can make sense. For example, if the superuser has reserved 10 percent of the disk space on the file system at file system creation time, and acctsuspend is -5 and acctresume is 0, the suspension threshold will be 5 percent of the total disk space and the resumption threshold will be 10 percent of the total disk space.
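    The threshold arithmetic above, worked through as an added example (not HP-UX code): both tunables are offsets from the superuser reserve, and the gap between them gives the suspend/resume hysteresis. The exact comparison used by the kernel when free space "reaches" a threshold is an assumption here (at or below to suspend, at or above to resume).

```python
"""Thresholds of acctsuspend(5)/acctresume(5), worked through in Python.

Added illustration, not HP-UX code.  Both tunables are percentages
relative to the file system's superuser-only reserve, so the effective
thresholds in percent of total disk space are reserve + tunable.  The
hysteresis model (suspend at or below, resume at or above the threshold)
is an assumption made here to show why the two values must differ.
"""


def thresholds(reserved_pct, acctsuspend=2, acctresume=4):
    """(suspend_pct, resume_pct) as percentages of total disk space.

    Range checks follow the VALUES section: acctresume in -100..101 and
    acctsuspend in -100..acctresume-1.
    """
    if not -100 <= acctresume <= 101:
        raise ValueError("acctresume must be in -100..101")
    if not -100 <= acctsuspend <= acctresume - 1:
        raise ValueError("acctsuspend must be in -100..acctresume-1")
    return reserved_pct + acctsuspend, reserved_pct + acctresume


def simulate(free_pct_samples, reserved_pct, acctsuspend=2, acctresume=4):
    """Replay free-space readings; return [(free_pct, state), ...].

    state is 'running' or 'suspended'.  Once suspended, accounting stays
    off until free space climbs back to the (higher) resumption threshold,
    so a reading between the two thresholds keeps whatever state came before.
    """
    suspend_at, resume_at = thresholds(reserved_pct, acctsuspend, acctresume)
    suspended = False
    trace = []
    for free in free_pct_samples:
        if not suspended and free <= suspend_at:
            suspended = True          # reached the suspension threshold
        elif suspended and free >= resume_at:
            suspended = False         # free space recovered past resume point
        trace.append((free, "suspended" if suspended else "running"))
    return trace


if __name__ == "__main__":
    # The manual's example: 10% reserved, acctsuspend -5, acctresume 0
    print(thresholds(10, -5, 0))          # (5, 10)
    # Defaults (2, 4) on the same file system: suspend at 12%, resume at 14%
    print(simulate([15, 12, 13, 14, 11], 10))
```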

    Who Is Expected to Change This Tunable?
    Anyone using accounting.

    Restrictions on Changing
    Changes to this tunable take effect at the next reboot.

    When Should the Value of This Tunable Be Raised?
    Increasing either variable should be considered when it is necessary to maintain a higher percentage of free space on the accounting file system.

    What Are the Side Effects of Raising the Value of This Tunable?
    The higher either value is, the less accounting data may be captured. The further the values are separated, the greater the amount of potentially lost accounting data.

    When Should the Value of This Tunable Be Lowered?
    If additional disk space is needed for accounting data, and it cannot be obtained by moving files off of the file system, then the value of acctsuspend should be lowered.

    What Are the Side Effects of Lowering the Value of This Tunable?
    File system performance (writing accounting records) decreases as the file system fills up. In turn, this will decrease the overall performance of accounting processes.

    What Other Tunables Should Be Changed at the Same Time?
    When changing either of these tunables, both should be considered.

    WARNINGS
    All HP-UX kernel tunable parameters are release specific. This parameter may be removed or have its meaning changed in future releases of HP-UX.


    AUTHOR
    acctsuspend and acctresume were developed by HP.

    SEE ALSO
    accton(1M).


    acl(5)

    NAME
    acl - introduction to HFS access control lists

    DESCRIPTION
    Access control lists are a key enforcement mechanism of discretionary access control (see Definitions below), for specifying access to files by users and groups more selectively than traditional HP-UX mechanisms allow.

    HP-UX already enables non-privileged users or processes, such as file owners, to allow or deny other users access to files and other objects on a need-to-know basis, as determined by their user and/or group identity (see passwd(4) and group(4)). This level of control is accomplished by setting or manipulating a file's permission bits to grant or restrict access by owner, group, and others (see chmod(2)).

    ACLs offer a greater degree of selectivity than permission bits. ACLs allow the file owner or superuser to permit or deny access to a list of users, groups, or combinations thereof.

    ACLs are supported as a superset of the UNIX operating system discretionary access control (DAC) mechanism for files, but not for other objects such as inter-process communication (IPC) objects.

    This manual page describes ACLs as implemented on HFS file systems only. See aclv(5) for a description of ACLs in JFS file systems.

    Definitions
    Because control of access to data is a key concern of computer security, we provide the following definitions, based on those of the Department of Defense Trusted Computer System Evaluation Criteria, to explain further both the concepts of access control and its relevance to HP-UX security features:

    access
        A specific type of interaction between a subject and an object that results in the flow of information from one to the other. Subjects include persons, processes, or devices that cause information to flow among objects or change the system state. Objects include files (ordinary files, directories, special files, FIFOs, etc.) and inter-process communication (IPC) features (shared memory, message queues, semaphores, sockets).

    access control list (ACL)
        An access control list is a set of (user.group, mode) entries associated with a file that specify permissions for all possible user-ID/group-ID combinations.

    access control list (ACL) entry
        An entry in an ACL that specifies access rights for one user and group ID combination.

    change permission
        The right to alter DAC information (permission bits or ACL entries). Change permission is granted to object (file) owners and to privileged users.

    discretionary access control (DAC)
        A means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) to any other subject.

    mode
        Three bits in each ACL entry which represent read, write, and execute/search permissions. These bits may exist in addition to the 16 mode bits associated with every file in the file system (see glossary(9)).

    privilege
        The ability to ignore access restrictions and change restrictions imposed by security policy and implemented in an access control mechanism. In HP-UX, superusers and members of certain groups (see privgrp(4)) are the only privileged users.

    restrictive versus permissive
        An individual ACL entry is considered restrictive or permissive, depending on context. Restrictive entries deny a user and/or group access that would otherwise be granted by less-specific base or optional ACL entries (see below). Permissive entries grant a user and/or group access that would otherwise be denied by less-specific base or optional ACL entries.


    Access Control List Entries
    An access control list (ACL) consists of sets of (user.group, mode) entries associated with a file that specify permissions. Each entry specifies for one user-ID/group-ID combination a set of access permissions, including read, write, and execute/search.

    To help understand the relationship between access control lists and traditional file permissions, consider the following file and its permissions:

    -rwxr-xr-- james admin datafile

    The file owner is user james.
    The file's group is admin.
    The name of the file is datafile.
    The file owner permissions are rwx.
    The file group permissions are r-x.
    The file other permissions are r--.

    In an ACL, user and group IDs can be represented by names or numbers, found in /etc/passwd. The following special symbols can also be used:

    %    Symbol representing no specific user or group.
    @    Symbol representing the current file owner or group.

    Base ACL Entries
    When a file is created, three base access control list entries are mapped from the file's access permission bits to match a file's owner and group and its traditional permission bits. Base ACL entries can be changed by the chmod(2) and setacl(2) system calls.

    (uid.%,mode)    Base ACL entry for the file's owner
    (%.gid,mode)    Base ACL entry for the file's group
    (%.%,mode)      Base entry for other users

    (Except where noted, examples are represented in short form notation. See ACL Notation, below.)

    Optional ACL entries
    Optional access control list entries contain additional access control information, which the user can set with the setacl(2) system call to further allow or deny file access. Up to thirteen additional user/group combinations can be specified.

    For example, the following optional access control list entries can be associated with our file:

    (mary.admin, rwx) Grant read, write, and execute access to user mary in group admin.

    (george.%, ---) Deny any access to user george in no specific group.

    ACL Notation
    Supported library calls and commands that manage ACLs recognize three different symbolic representations:

    operator form    For input of entire ACLs and modifications to existing ACLs, in a syntax similar to that used by chmod(1).

    short form       Easier to read, intended primarily for output. chacl(1) accepts this form as input so that it can interpret output from lsacl(1).

    long form        A multi-line format useful for greater clarity, and supported only for output.

    For our example file, the base ACL entries could be represented in the three notations as follows:

    operator form    james.% = rwx, %.admin = rx, %.% = r

    short form       (james.%,rwx) (%.admin,r-x) (%.%,r--)

    long form        rwx james.%
                     r-x %.admin
                     r-- %.%

    In addition to basic ACL usage, some library calls and commands understand and use a variation of operator and short forms. See the section below on ACL Patterns.


    ACL Uniqueness
    Entries are unique in each ACL. There can only be one (u.g, mode) entry for any pair of u and g values; one (u.%, mode) entry for a given value of u; one (%.g, mode) entry for a given value of g; and one (%.%, mode) entry for each file. For example, an ACL can have a (23.14, mode) entry and a (23.%, mode) entry, but not two (23.14, mode) entries or two (23.%, mode) entries.

    Access Check Algorithm
    ACL entries can be categorized by four levels of specificity. In access checking, ACLs are compared to the effective user and group IDs in this order:

    (u.g, rwx)    specific user, specific group
    (u.%, rwx)    specific user, no specific group
    (%.g, rwx)    no specific user, specific group
    (%.%, rwx)    no specific user, no specific group

    Once an entry for the combination of a process's effective user ID and effective group ID (or any supplementary group ID) is matched, no further (that is, less specific) entries are checked. More specific entries that match take precedence over any less specific ones that also match.

    If a process has more than one group ID (that is, a non-null supplementary groups list), more than one (u.g, mode) or (%.g, mode) entry might apply for that process. If so, the access modes in all matching entries (of the same level of specificity, u.g or %.g) are ORed together. Access is granted if the resulting mode bits allow it. Since entries are unique, the order of entries in each entry type is insignificant.

    Because the traditional UNIX permission bits are mapped into base ACL entries, they are included in access checks.

    If a request is made for more than one type of access, such as opening a file for both reading and writing, access is granted only if the process is allowed all requested types of access. Note that access can be granted if the process has two groups in its groups list, one of which is only allowed read access, and the other of which is only allowed write access. In other words, even if the requested access is not granted by any one entry, it may be granted by a combination of entries due to the process belonging to several groups.
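    The access check algorithm above, modelled as an added example (not HP-UX code; the kernel performs the real check behind access(2) and getaccess(2)). It parses short-form ACLs with numeric IDs only, and the sample ACL is constructed from the datafile example with james as uid 100 and admin as gid 20, plus optional entries for mary.admin, george.% and two extra groups to show the specificity and OR rules.

```python
"""HFS ACL access-check algorithm from acl(5), modelled in Python.

Added illustration, not HP-UX code.  Only numeric user and group IDs
are supported (no /etc/passwd lookups); SAMPLE_ACL is constructed for
the manual's datafile example with james=100 and admin=20.
"""
import re

R, W, X = 4, 2, 1          # read, write, execute/search bits, as in chmod(2)
WILD = None                # the "%" ID: no specific user or group

# one short-form entry: "(" id "." id "," mode ")", whitespace tolerated
ENTRY_RE = re.compile(r"\(\s*([^.,()]+)\.([^.,()]+)\s*,\s*([^()]*)\)")


def parse_mode(text):
    """'rwx', 'r-x', '' or an octal digit 0..7 -> integer mode bits.

    Hyphens are allowed and ignored on input; a null mode is 0 (no access).
    """
    text = text.strip()
    if text.isdigit():
        value = int(text)
        if not 0 <= value <= 7:
            raise ValueError("octal mode must be 0..7: %r" % text)
        return value
    bits = 0
    for ch in text:
        if ch == "r":
            bits |= R
        elif ch == "w":
            bits |= W
        elif ch == "x":
            bits |= X
        elif ch != "-":
            raise ValueError("bad mode character %r" % ch)
    return bits


def parse_id(text):
    """'%' -> WILD; anything else must be a numeric ID in this model."""
    text = text.strip()
    if text == "%":
        return WILD
    if not text.isdigit():
        raise ValueError("names are not resolved in this model: %r" % text)
    return int(text)


def parse_short_form(acl_text):
    """Short-form ACL string -> dict {(uid, gid): mode}.

    Redundant entries are not an error: the last entry for a given
    user-ID/group-ID pair takes effect, as acl(5) specifies for input.
    """
    acl = {}
    pos = 0
    for m in ENTRY_RE.finditer(acl_text):
        if acl_text[pos:m.start()].strip():
            raise ValueError("unparsed text: %r" % acl_text[pos:m.start()])
        pos = m.end()
        acl[(parse_id(m.group(1)), parse_id(m.group(2)))] = parse_mode(m.group(3))
    if acl_text[pos:].strip():
        raise ValueError("unparsed text: %r" % acl_text[pos:])
    return acl


def check_access(acl, uid, gids, requested):
    """True if a process with this uid and group list may perform `requested`.

    gids holds the effective GID plus any supplementary GIDs.  Levels are
    tried from most to least specific: u.g, u.%, %.g, %.%.  The first level
    with any matching entry decides; within that level the modes of all
    matching entries are ORed together, and every requested bit must be set.
    """
    levels = (
        [(uid, g) for g in gids],      # u.g : one candidate per group
        [(uid, WILD)],                 # u.%
        [(WILD, g) for g in gids],     # %.g
        [(WILD, WILD)],                # %.%
    )
    for keys in levels:
        matched = [acl[k] for k in keys if k in acl]
        if matched:
            granted = 0
            for mode in matched:
                granted |= mode
            return requested & granted == requested
    return False                        # no entry matched at all


# Constructed sample: base entries of the datafile example plus optional
# entries for mary.admin (101.20), george.% (102.%) and two extra groups.
SAMPLE_ACL = parse_short_form(
    "(100.%,rwx)(%.20,r-x)(%.%,r--)(101.20,rwx)(102.%,---)(%.30,r--)(%.31,-w-)"
)

if __name__ == "__main__":
    # george is denied read although %.20 and %.% would grant it: the more
    # specific restrictive entry wins.  uid 200 gets read+write only via the
    # OR of the two %.g entries for groups 30 and 31.
    print(check_access(SAMPLE_ACL, 102, [20], R), check_access(SAMPLE_ACL, 200, [30, 31], R | W))
```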

    Operator Form of ACLs (input only)
    user.group operator mode [operator mode]... , ...

    Multiple entries are separated by commas, as in chmod(1). Each entry consists of a user identifier and group identifier followed by one or more operators and mode characters, as in the mode syntax accepted by chmod(1).

    The entire ACL must be a single argument, and thus should be quoted to the shell if it contains whitespace or special characters. Whitespace is ignored except within names. A null ACL is legitimate, and means either no access or no changes, depending on context.

    Each user or group ID may be represented by:

    name      Valid user or group name.
    number    Valid numeric ID value.
    %         No specific user or group, as appropriate.
    @         Current file owner or group, as appropriate; useful for referring to a file's u.% and %.g base ACL entries.

    An operator is always required in each entry. Operators are:

    =    Set all bits in the entry to the given mode value.
    +    Set the indicated mode bits in the entry.
    -    Clear the indicated mode bits in the entry.

    The mode is represented by an octal value of 0 through 7; or any combination of r, w, and x can be given in any order (see EXAMPLES below). A null mode denies access if the operator is =, or represents no change if the operator is + or -.

    Multiple entries and multiple operator-mode parts in an entry are applied in the order specified. Conflicts do not result in error; the last specified entry or operator takes effect. Entries need not appear in any particular order.

    Note that chmod(1) allows only u, g, o, or a to refer symbolically to the file owner, group, other, or all users, respectively. Since ACLs work with arbitrary user and group identifiers, @ is provided as a convenience.


    The exact syntax is:

    acl   ::= [entry[,entry]...]
    entry ::= id . id op mode [op mode]...
    id    ::= name | number | % | @
    op    ::= = | + | -
    mode  ::= 0..7 | [char[char]...]
    char  ::= r | w | x
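    The operator-form grammar and its application rules (operators applied in order, last entry or operator wins, null mode with = denies), as an added example that is not HP-UX code; the real parser is strtoacl(3C). It accepts numeric IDs, % and @ only, resolves @ against the owner and group passed in, and assumes an entry that does not yet exist starts from mode 0 when + or - is applied to it.

```python
"""Operator-form ACL input from acl(5): parse it and apply it to an ACL.

Added illustration, not HP-UX code (the real parser is strtoacl(3C)).
An ACL is modelled as {(uid, gid): mode}; '%' is no specific user or
group, '@' is the file's current owner or group, and only numeric IDs
are accepted.  An entry that does not yet exist starts from mode 0.
"""
import re

R, W, X = 4, 2, 1
WILD = None

# "id . id" followed by at least one operator; the rest is op/mode parts
ENTRY_RE = re.compile(r"^\s*([^.\s]+)\s*\.\s*([^\s=+-]+)\s*([=+-].*)$")
# one operator-mode part: '=' '+' or '-' then an octal digit or r/w/x chars
OPS_RE = re.compile(r"([=+-])\s*([0-7]|[rwx]*)")
OPS_ALL_RE = re.compile(r"(?:[=+-]\s*(?:[0-7]|[rwx]*)\s*)+")


def parse_mode(text):
    """Octal digit or any order of r/w/x -> bits; '' is the null mode (0)."""
    if text.isdigit():
        return int(text)
    bits = 0
    for ch in text:
        bits |= {"r": R, "w": W, "x": X}[ch]
    return bits


def parse_id(text, at_value):
    """name | number | % | @ ; names are not resolved in this model."""
    if text == "%":
        return WILD
    if text == "@":
        return at_value
    if not text.isdigit():
        raise ValueError("names are not resolved in this model: %r" % text)
    return int(text)


def parse_operator_form(acl_text, owner, group):
    """'u.g op mode [op mode]..., ...' -> [((uid, gid), [(op, bits), ...]), ...].

    A null ACL is legitimate and yields no modifications.
    """
    entries = []
    if not acl_text.strip():
        return entries
    for raw in acl_text.split(","):
        m = ENTRY_RE.match(raw)
        if not m or not OPS_ALL_RE.fullmatch(m.group(3)):
            raise ValueError("bad operator-form entry: %r" % raw)
        key = (parse_id(m.group(1), owner), parse_id(m.group(2), group))
        ops = [(op, parse_mode(mode)) for op, mode in OPS_RE.findall(m.group(3))]
        entries.append((key, ops))
    return entries


def apply_operator_form(acl, acl_text, owner, group):
    """Return a new ACL with the modifications applied in the order given.

    Conflicts are not errors: the last entry or operator for a user/group
    pair takes effect.  '=' with a null mode denies all access; '+' or '-'
    with a null mode changes nothing.
    """
    new = dict(acl)
    for key, ops in parse_operator_form(acl_text, owner, group):
        mode = new.get(key, 0)
        for op, bits in ops:
            if op == "=":
                mode = bits
            elif op == "+":
                mode |= bits
            else:
                mode &= ~bits & 7
        new[key] = mode
    return new


# Constructed base ACL of the datafile example: james=100, admin=20.
BASE_ACL = {(100, WILD): R | W | X, (WILD, 20): R | X, (WILD, WILD): R}

if __name__ == "__main__":
    # The manual's operator-form example with numeric IDs rebuilds BASE_ACL;
    # '@' then refers to owner 100 and group 20.
    print(apply_operator_form({}, "100.% = rwx, %.20 = rx, %.% = r", 100, 20))
    print(apply_operator_form(BASE_ACL, "@.% - w, %.@ + w, 102.% =", 100, 20))
```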

    Short Form of ACLs (input and output)
    (user.group, mode) ...

    Short form differs from operator form in several ways:

    Entries are surrounded by parentheses rather than being separated by commas.

    Each entry specifies the mode, including all mode bits. It is not possible to change the mode value with + and - operators. However, the comma functions like the = operator in operator form.

    For clarity, hyphens represent unset permission bits in the output of the mode field and are allowed in input. This resembles the mode output style used by ls(1).

    Multiple entries are concatenated. For consistency with operator form, a dot (.) is used to separate user and group IDs.

    On output, no whitespace is printed except in names (if any). ID numbers are printed if no matching names are known. Either ID can be printed as % for no specific user or group. The mode always has three characters, padded with hyphens for unset mode bits. If the ACL is read from the system, entries are ordered by specificity, then by numeric values of ID parts.

    On input, the entire ACL must be a single argument, and thus should be quoted to the shell if it contains whitespace or special characters. Whitespace is ignored except within names. A null ACL is legitimate, and means either no access or no changes, depending on context.

    User and group IDs are represented as in operator form.

    The mode is represented by an octal value of 0 through 7; or any combination of r, w, x and - (ignored) can be given in any order (see EXAMPLES below). A null mode denies access.

    Redundancy does not result in error; the last entry for any user-ID/group-ID combination takes effect. Entries need not appear in any particular order.

    The exact syntax is:

    acl   ::= [entry[entry]...]
    entry ::= (id.id,mode)
    id    ::= name | number | % | @
    mode  ::= 0..7 | [char[char]...]
    char  ::= r | w | x | -

    Long Form of ACLs (output only)
    mode user.group

    Each entry occupies a single line of output. The mode appears first in a fixed-width field, using hyphens (for unset mode bits) for easy vertical scanning. Each user and group ID is shown as a name if known, a number if unknown, or % for no specific user or group. Entries are ordered from most to least specific, then by numeric values of ID parts.

    Note that every ACL printed has at least three entries, the base ACL entries (that is, uid.%, %.gid, and %.%).

    The exact syntax is:

    acl   ::= entry[entry]...
    entry ::= mode id.id
    mode  ::=
    id    ::= name | number | %


    ACL Patterns
    Some library calls and commands recognize and use ACL patterns instead of exact ACLs to allow operations on all entries that match the patterns. ACL syntax is extended in the following ways:

    wildcard user and group IDs
        A user or group name of * (wildcard) matches the user or group ID in any entry, including % (no specific user or group).

    mode bits on, off, or ignored
        For operator-form input, the operators =, +, and - are applied as follows:

        =    entry mode value matches this mode value exactly
        +    these bits turned on in entry mode value
        -    these bits turned off in entry mode value

        When only + and - operators are used, commands ignore the values of unspecified mode bits.

        Short-form patterns treat the mode identically to the = operator in operator form.

    wildcard mode values
        A mode of * (wildcard) in operator or short form input (for example, ajs.%=* or (ajs.%,*)) matches any mode value, provided no other mode value is given in an operator-form entry. Also, the mode part of an entry can be omitted altogether for the same effect.

    entries not combined
        Entries with matching user and group ID values are not combined. Each entry specified is applied separately by commands that accept patterns.

    ACL Operations Supported
    The system calls setacl(2) and getacl(2) allow setting or getting the entire ACL for a file in the form of an array of acl_entry structures. To check access rights to a file, see access(2) and getaccess(2).

    Various library calls are provided to manage ACLs:

    acltostr(3C)        Convert acl_entry arrays to printable strings.

    strtoacl(3C)        Parse and convert ACL strings to acl_entry arrays.

    strtoaclpatt(3C)    Parse and convert ACL pattern strings to acl_entry_patt arrays.

    setaclentry(3C), fsetaclentry
                        Add, modify, or delete a single ACL entry in one file's ACL.

    cpacl(3C), fcpacl
                        Copy an ACL and file miscellaneous mode bits (see chmod(2)) from one file to another, transfer ownership if needed (see below), and handle remote files correctly.

    chownacl(3C)        Change the file owner and/or group represented in an ACL, that is, transfer ownership (see below).

    The following commands are available to manage ACLs and permissions:

    chacl (1) Add, modify, or delete individual entries or all optional entries in ACLs on one or more files, remove all access to files, or incorporate ACLs into permission bits.

    lsacl (1) List ACLs on files.

    chmod(1) Change permission bits and other file miscellaneous mode bits.

    ls (1) In long form, list permission bits and other file attributes.

    find (1) Find files according to their attributes, including ACLs.

    getaccess (1) List access rights to file(s).

    ACL Interaction with stat(2), chmod(2), and chown(2)

    stat  The st_mode field summarizes the caller's access rights to the file. It differs from file permission bits only if the file has one or more optional entries applicable to the caller. The st_basemode field provides the file's actual permission bits. The st_acl field indicates the presence of optional ACL entries in the file's ACL.

    Section 58 Hewlett-Packard Company 5 HP-UX 11i Version 2: August 2003


    acl(5) acl(5)

    The st_mode field contains a user-dependent summary, so that programs ignorant of ACLs that use stat(2) and chmod(2) are more likely to produce expected results, and so that stat(2) provides reasonable information about remote files over NFS. The st_basemode and st_acl fields are useful only for local files.

    chmod  For conformance with IEEE Standard POSIX 1003.1-1988, chmod(2) deletes any optional entries in a file's ACL. Unfortunately, since chmod(2) is used to set file miscellaneous mode bits as well as permission bits, extra effort is required in some cases to preserve a file's ACL.

    chown  If the new owner and/or group of a file does not already have an optional (u.%, mode) and/or (%.g, mode) entry in the file's ACL, it inherits the old owner's and/or group's file access permission bits and base ACL entry:

    (id1,mode1) -> (id2,mode1)

    This is the traditional behavior. However, if the new owner and/or group of a file already has an optional (u.%, mode) and/or (%.g, mode) entry in the file's ACL, the ACL does not change:

    (id1, mode1) -> (id1, mode1)
    (id2, mode2) -> (id2, mode2)

    Existing access information in the ACL is preserved. However, because the old optional ACL entry becomes the new base ACL entry and vice versa, the file's access permission bits change.

    Transferring ownership of ACLs by chown(2) allows a file to be transferred to a different user or group, or copied by a different user or group than the owner (using cpacl(3C) or chownacl(3C)), and later returned to the original owner or group without net changes to its ACL. The extra complexity is necessary because:

    ACLs are a backward-compatible superset of permission bits (which are coupled to file owner and group IDs), not a replacement for them.

    it enables users and programs that deal with ACLs to do so simply, rather than with a combination of permission bits and ACL entries. Also, the access check algorithm is simpler and more symmetrical; permission bits do not eclipse or mask ACL entries.

    EXAMPLES

    Operator Form

    The following sets the %.% entry to restrict other users to only reading the file.

    chacl %.% = r myfile

    The following allows user bill in any group to write the file, assuming that no restrictive entry is more specific than the bill.% entry (for example, a bill.adm entry that denies writing).

    chacl bill.% +w myfile

    The following ACL specification contains two entries. The first one deletes write and adds read capability to the entry for user 12, group 4. The second entry denies access for any unspecified user in any unspecified group.

    chacl 12.4-w+r, %.% = myfile

    The following pair of entries sets the u.% entry for the file's owner to allow both read and execute and results in adding write and execute capabilities for other users (the %.% entry). Note that a mode character is purposely repeated for illustration purposes.

    chacl @.% = 5, %.% + xwx myfile

    Short Form

    Here is a typical ACL as it might be printed. It allows user jpc to read or execute the file while in group adm; it denies user ajs access to the file while in group trux; it allows user jpc in any group (except adm) to only read the file; any other user in group bin may read or execute the file; and any other user may only read the file.

    (jpc.adm,r-x)(ajs.trux,---)(jpc.%,r--)(%.bin,r-x)(%.%,r--)

    The following allows other users to only read the file.

    chacl (%.%,r) myfile

    The following sets write-only access for user bill in any group.


    chacl (bill.%,-w-) myfile

    The following sets the entry for user 12 in group 4 to allow read and write.

    chacl (12.4,wr) myfile

    The following sets the base ACL entry for the file's owner to allow both read and execute, and sets write and execute capabilities for other users (the %.% entry).

    chacl (@.%, 5) (%.%, xwx) myfile

    Long Form

    Here is the same ACL as in an earlier example, printed in long form.

    r-x jpc.adm
    --- ajs.trux
    r-- jpc.%
    r-x %.bin
    r-- %.%

    ACL Patterns

    The following command locates files whose ACLs contain an entry that allows read access and denies write access to some user/group combination.

    find / -acl *.*+r-w -print

    The following matches entries for any user in group bin and for user tammy in any group, regardless of the entries' mode values. Matching optional ACL entries are deleted and mode values in matching base ACL entries are set to zero:

    chacl -d %.bin, tammy.*=* myfile

    The following matches all entries, deleting optional entries and setting mode values of base ACL entries to zero:

    chacl -d (*.*,*) myfile

    HEADERS

    Header

    The header file defines the following constants to govern the numbers of entries per ACL:

    NACLENTRIES    maximum number of entries per ACL, including base entries
    NBASEENTRIES   number of base entries
    NOPTENTRIES    number of optional entries

    The ACL entry structure struct acl_entry is also defined, and includes the following members:

    aclid_t   uid;    /* user ID */
    aclid_t   gid;    /* group ID */
    aclmode_t mode;   /* see */

    The header also defines the types aclid_t and aclmode_t.

    Non-specific user and group ID values:

    ACL_NSUSER    non-specific user ID
    ACL_NSGROUP   non-specific group ID

    A special nentries value ACL_DELOPT is used with setacl (2) to delete optional entries.

    Header

    The header defines constants for use with getaccess (2).

    Special parameter values for uid:

    UID_EUID   use effective user ID
    UID_RUID   use real user ID
    UID_SUID   use saved user ID

    Special parameter values for ngroups:

    NGROUPS_EGID        process's effective gid
    NGROUPS_RGID        process's real gid
    NGROUPS_SGID        process's saved gid
    NGROUPS_SUPP        process's supplementary groups only
    NGROUPS_EGID_SUPP   process's effective gid plus supplementary groups
    NGROUPS_RGID_SUPP   process's real gid plus supplementary groups
    NGROUPS_SGID_SUPP   process's saved gid plus supplementary groups

    Header

    The header file defines several constants for use with ACL support library calls.

    Symbolic forms of ACLs for acltostr() :

    FORM_SHORT
    FORM_LONG

    Magic values for various calls:

    ACL_FILEOWNER   file's owner ID
    ACL_FILEGROUP   file's group ID
    ACL_ANYUSER     wildcard user ID
    ACL_ANYGROUP    wildcard group ID
    MODE_DEL        delete one ACL entry

    Mask for valid mode bits in ACL entries:

    MODEMASK (R_OK | W_OK | X_OK)

    The header also defines the struct acl_entry_patt ACL pattern entry structure, which includes the following members:

    aclid_t   uid;       /* user ID */
    aclid_t   gid;       /* group ID */
    aclmode_t onmode;    /* mode bits that must be on */
    aclmode_t offmode;   /* mode bits that must be off */

    WARNINGS

    ACLs are intended for use on ordinary files and directories. Optional ACL entries are not recommended on files that are manipulated by certain system utilities, such as terminal special files and LP scheduler control files. These utilities might delete optional entries, including those whose intent is restrictive, without warning as a consequence of calling chmod(2), thereby increasing access unexpectedly.

    Most, but not all, supported utilities are able to handle ACLs correctly. However, only the fbackup(1M) and frecover(1M) file archive utilities handle access control lists properly. When using programs (such as the archive programs ar(1), cpio(1), ftio(1), tar(1), and dump(1M)) unable to handle ACLs on files with optional ACL entries, note the Access Control List information included on their respective reference pages, to avoid loss of data.

    If a user name is defined in the /etc/passwd file or a group name is defined in the /etc/group file as % or @, or, for patterns, *, ACL syntax cannot reference that name as itself because the symbols have other meanings. However, such users or groups can still be referenced by their ID numbers. User and/or group names must not include the following characters:

    .   Do not use in user names.
    +   Do not use in group names.
    -   Do not use in group names.
    =   Do not use for operator form input of group names.
    ,   Do not use for short form or for operator form patterns.
    )   Do not use for short form patterns.

    It is possible to specify an ACL pattern using the @ (file owner or group) or * (wildcard) symbols so that it cannot match certain files, perhaps depending on their ownership, by giving two entries, one with specific values and the other using @ or *, which are equivalent for a file but contain different mode values. For example:

    find / -acl (ajs.%,r)(@.%,rw) -print

    cannot match a file owned by ajs.


    DEPENDENCIES

    NFS  NFS does not support ACLs on remote files. Individual manual entries specify the behavior of various system calls, library calls, and commands under these circumstances. Be careful when transferring a file with optional entries over a network or when manipulating a remote file because optional entries may be silently deleted.

    AUTHOR

    The access control list design described here was developed by HP.

    FILES

    Header file that supports setacl(2) and getacl(2).
    Header file that supports getaccess(2).
    Header file that supports ACL library calls.
    /etc/passwd   Defines user names and user and group ID values.
    /etc/group    Defines group names.

    SEE ALSO

    chacl(1), chmod(1), cp(1), find(1), getaccess(1), ln(1), ls(1), lsacl(1), mv(1), rm(1), fbackup(1M), frecover(1M), fsck(1M), fsdb(1M), access(2), chmod(2), chown(2), creat(2), getaccess(2), getacl(2), mknod(2), open(2), setacl(2), stat(2), acltostr(3C), chownacl(3C), cpacl(3C), setaclentry(3C), strtoacl(3C), group(4), passwd(4), privgrp(4), aclv(5).


    aclv(5) aclv(5)

    NAME

    aclv - introduction to JFS access control lists (ACLs)

    DESCRIPTION

    Access control lists (ACLs) are a key enforcement mechanism of discretionary access control (see Definitions below), for specifying access to files by users and groups more selectively than traditional HP-UX mechanisms allow.

    HP-UX already enables non-privileged users or processes, such as file owners, to allow or deny other users access to files and other objects on a need-to-know basis, as determined by their user and/or group identity (see passwd(4) and group(4)). This level of control is accomplished by setting or manipulating a file's permission bits to grant or restrict access by owner, group, and others (see chmod(2)).

    ACLs offer a greater degree of selectivity than permission bits. ACLs allow the file owner or superuser to permit or deny access to a list of users and groups other than the file owner and owning group.

    ACLs are supported as a superset of the UNIX operating system discretionary access control (DAC) mechanism for files, but not for other objects such as inter-process communication (IPC) objects.

    This manual page describes ACLs as implemented on JFS file systems only. See acl(5) for a description of ACLs in HFS file systems.

    Definitions

    Because control of access to data is a key concern of computer security, we provide the following definitions, based on those of the Department of Defense Trusted Computer System Evaluation Criteria, to explain further both the concepts of access control and its relevance to HP-UX security features:

    access  A specific type of interaction between a subject and an object that results in the flow of information from one to the other. Subjects include persons, processes, or devices that cause information to flow among objects or change the system state. Objects include files (ordinary files, directories, special files, FIFOs, etc.) and inter-process communication (IPC) features (shared memory, message queues, semaphores, sockets).

    access control list (ACL)
    An access control list is a set of (user|group, mode) entries associated with a file that specify permissions for all possible user-IDs and/or group-IDs.

    access control list (ACL) entry
    An entry in an ACL that specifies access rights for a file's owner, owning group, group class, additional user, additional group, or all others.

    change permission
    The right to alter DAC information (permission bits or ACL entries). Change permission is granted to object (file) owners and to privileged users.

    discretionary access control (DAC)
    A means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) to any other subject.

    mode  Three bits in each ACL entry which represent read, write, and execute/search permissions. These bits may exist in addition to the 16 mode bits associated with every file in the file system (see glossary(9)).

    privilege  The ability to ignore access restrictions and change restrictions imposed by security policy and implemented in an access control mechanism. In HP-UX, superusers and members of certain groups (see privgrp(4)) are the only privileged users.

    restrictive versus permissive
    An individual ACL entry is considered restrictive or permissive, depending on context. Restrictive entries deny a user and/or group access that would otherwise be granted by less-specific base or optional ACL entries (see below). Permissive entries grant a user and/or group access that would otherwise be denied by less-specific base or optional ACL entries.


    Access Control List Entries

    An access control list (ACL) consists of a set of one-line entries associated with a file that specify permissions. Each entry specifies for one user-ID or group-ID a set of access permissions, including read, write, and execute/search.

    To help understand the relationship between access control lists and traditional file permissions, consider the following file and its permissions:

    -rwxr-xr-- james admin datafile

    The file owner is user james.
    The file's group is admin.
    The name of the file is datafile.
    The file owner permissions are rwx.
    The file group permissions are r-x.
    The file other permissions are r--.

    In an ACL, user and group IDs can be represented by names or numbers, found in /etc/passwd.

    ACL Notation

    Supported commands that manage JFS ACLs recognize the following symbolic representation:

    [d[efault]:]u[ser]:[uid]:perm

    [d[efault]:]g[roup]:[gid]:perm

    [d[efault]:]c[lass]:perm

    [d[efault]:]o[ther]:perm

    An ACL entry prefixed with d: or default: can only occur in a directory's ACL, and it indicates that the remainder of the entry is not to be used in determining the access rights to the directory, but is instead to be applied to any files or subdirectories created in the directory (see ACL Inheritance, below).

    The uid and gid fields contain either numeric user or group IDs, or their corresponding character strings from /etc/passwd or /etc/group. The perm field indicates access permission either in symbolic form, as a combination of r, w, x and -, or in numeric form, as an octal value of 0 through 7 representing the sum of 4 for read permission, 2 for write permission and 1 for execute permission.

    Base ACL Entries

    When a file is created, four base access control list entries are mapped from the file's access permission bits to match a file's owner and group and its traditional permission bits. This is known as a minimal ACL. Base ACL entries can be changed by the chmod(2) and acl(2) system calls.

    u::perm   Base ACL entry for the file's owner

    g::perm   Base ACL entry for the file's group

    c::perm   Base ACL entry for the file's group class

    o::perm   Base ACL entry for others

    When an ACL is minimal, i.e., it has no optional ACL entries (see next section), then the group and class permissions are exactly equal.

    Optional ACL entries

    Optional access control list entries contain additional access control information, which the user can set with the acl(2) system call to further allow or deny file access. Up to thirteen optional ACL entries can be specified.

    For example, the following optional access control list entries can be associated with our file:

    u:mary:rwx Grant read, write, and execute access to user mary.

    user:george:--- Deny any access to user george.

    g:writers:rw- Grant read and write access to members of group writers.

    Class Entries

    In an ACL that contains more than one user entry and/or more than one group entry, the class entry specifies the maximum permissions that can be granted by any of the additional user and group entries. If a particular permission is not granted in the class entry, then it cannot be granted by any ACL entries (except for the first user [owner] entry and the other entry). Any permission can be denied to a particular user or group. The class entry acts as an upper bound for file permissions.

    When an ACL contains more than one user and/or group entry, the collection of additional user and group entries is referred to as the group class entries, since the effective permission granted by any of these additional entries is limited by the class entry.

    If there are additional entries in the ACL, the class entry will no longer necessarily equal the value of the permission for the owning group as reported by ls -l. This feature is useful because it means that the chmod(1) command can usefully affect the permissions of a file that has additional ACL entries.

    ACL Uniqueness

    Entries are unique in each ACL. There can only be one of each type of base entry, and one entry for any given user or group ID. Likewise, there can only be one of each type of default base entry, and one default entry for any given user or group ID.

    ACL Inheritance

    When a directory's ACL contains default entries, those entries are not used in determining access to the directory itself. Instead, every time a file is created in the directory, the directory's default ACL entries are added as non-default ACL entries to the new file.

    For example, suppose the directory /a has the following ACL, as reported by getacl(1):

    # file: /a
    # owner: alpha
    # group: uno
    user::rwx
    group::rwx
    class:rwx
    other:rwx
    default:user:beta:r--
    default:user:gamma:r--
    default:group:dos:---
    default:group:tres:---

    Then, any new file created in /a would have its ACL initialized using a combination of the creator's umask (e.g., 022) and /a's default ACL entries as follows:

    # file: /a/file
    # owner: creator_uid
    # group: creator_gid
    user::rw-
    user:beta:r--
    user:gamma:r--
    group::r--
    group:dos:---
    group:tres:---
    class:r--
    other:r--

    When a new subdirectory is created, the parent directory's default ACL entries are added to the new subdirectory twice, first as its non-default ACL entries, and second as the subdirectory's default ACL entries. In this way, default ACLs propagate downward as trees of directories are created. If the file created in the previous example were instead a directory, its ACL would appear as follows:

    # file: /a/dir
    # owner: creator_uid
    # group: creator_gid
    user::rwx
    user:beta:r--
    user:gamma:r--
    group::r-x
    group:dos:---
    group:tres:---
    class:r-x
    other:r-x
    default:user:beta:r--
    default:user:gamma:r--
    default:group:dos:---
    default:group:tres:---

    Access Check Algorithm

    To determine the permission granted to an accessing process's effective user ID (EUID) and effective group ID (EGID), respectively, the following checks are made, in the following order:

    If the EUID of the process is the same as the owner of the file, grant the permissions specified in the user:: entry.

    If the EUID matches the UID specified in one of the additional user:uid: entries, grant the permissions specified in that entry, bitwise-ANDed with the permissions specified in the class entry.

    If the EGID of the process is the same as the owning group of the file, grant the permissions specified in the group:: entry.

    If the EGID matches the GID specified in one of the additional group:gid: entries, grant the permissions specified in that entry, bitwise-ANDed with the permissions specified in the class entry.

    Otherwise, grant the permissions specified in the other entry.

    Once access rights have been determined by one of the above checks, the subsequent checks in the list are not performed.
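    The inheritance rules (ACL Inheritance, above) and the access check algorithm just described, as a Python model added here; it is not code from the HP-UX manual or from HP. It models only the case shown on this page (default entries that name additional users and groups, base entries taken from the creation mode and umask), compares IDs as names, and uses the /a directory ACL printed above as constructed input.

```python
PERM = (("r", 4), ("w", 2), ("x", 1))

def perm_bits(text):                 # 'r-x' -> 5
    return sum(v for ch, v in PERM if ch in text)
def perm_text(bits):                 # 5 -> 'r-x'
    return "".join(ch if bits & v else "-" for ch, v in PERM)

def parse_getacl(text):
    """getacl(1) output -> list of (is_default, type, id, bits); '#' lines skipped."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if fields[0] == "default":
            fields = fields[1:]
        if fields[0] in ("user", "group"):       # user:uid:perm, group:gid:perm
            kind, ident, perm = fields
        else:                                    # class:perm, other:perm
            kind, perm, ident = fields[0], fields[1], ""
        entries.append((line.startswith("default:"), kind, ident, perm_bits(perm)))
    return entries

def format_getacl(path, owner, group, entries):
    """Inverse of parse_getacl, in the layout getacl(1) prints."""
    lines = ["# file: " + path, "# owner: " + owner, "# group: " + group]
    for is_default, kind, ident, bits in entries:
        body = ":".join([kind, ident, perm_text(bits)] if kind in ("user", "group")
                        else [kind, perm_text(bits)])
        lines.append("default:" + body if is_default else body)
    return "\n".join(lines)

def inherit(dir_entries, umask, is_dir):
    """ACL of a new object created in a directory with this ACL (the case shown on
    this page, where default entries name additional users/groups only): base
    entries from the creation mode masked by umask, class = group bits, defaults
    added as non-default entries, and copied again as defaults for a subdirectory."""
    mode = (0o777 if is_dir else 0o666) & ~umask
    owner_bits, group_bits, other_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    defaults = [e for e in dir_entries if e[0]]
    acl = [(False, "user", "", owner_bits)]
    acl += [(False, k, i, b) for _, k, i, b in defaults if k == "user" and i]
    acl.append((False, "group", "", group_bits))
    acl += [(False, k, i, b) for _, k, i, b in defaults if k == "group" and i]
    acl += [(False, "class", "", group_bits), (False, "other", "", other_bits)]
    return acl + defaults if is_dir else acl

def access_check(entries, euid, egid, owner, group):
    """aclv(5) access check: the first rule that applies decides; additional user:uid:
    and group:gid: entries are ANDed with class, owner (user::) and other are not."""
    def bits(kind, ident):
        return next((b for d, k, i, b in entries
                     if not d and k == kind and i == ident), None)
    if euid == owner:
        return bits("user", "")
    if bits("user", euid) is not None:
        return bits("user", euid) & bits("class", "")
    if egid == group:
        return bits("group", "")
    if bits("group", egid) is not None:
        return bits("group", egid) & bits("class", "")
    return bits("other", "")

# Constructed sample: the ACL of directory /a as printed above.
DIR_A = """\
# file: /a
# owner: alpha
# group: uno
user::rwx
group::rwx
class:rwx
other:rwx
default:user:beta:r--
default:user:gamma:r--
default:group:dos:---
default:group:tres:---
"""
DIR_ENTRIES = parse_getacl(DIR_A)
if __name__ == "__main__":
    new_file = inherit(DIR_ENTRIES, 0o022, is_dir=False)
    print(format_getacl("/a/file", "creator_uid", "creator_gid", new_file))
    print(perm_text(access_check(new_file, "beta", "dos", "creator_uid", "creator_gid")))
```

    Setting the class entry to zero in this model, as chmod(2) to mode 000 does on the real file system (see chmod under ACL Interaction below), leaves every additional user and group entry with no effective permission while the owner entry is untouched.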

    ACL Operations Supported

    ACLs may be set, retrieved or counted via the acl(2) system call. ACLs may be set or modified using the setacl(1) command, and may be retrieved using the getacl(1) command. The permissions granted to a particular user or group ID may be determined via the getaccess(1) command and the getaccess(2) system call. Files with certain ACL properties may be located using the -aclv option of find(1).

    ACL Interaction with stat(2), chmod(2), and chown(2)

    stat  The st_mode field summarizes the caller's access rights to the file. It differs from file permission bits only if the file has one or more optional entries applicable to the caller. The st_basemode field provides the file's actual permission bits. The st_aclv field indicates the presence of optional ACL entries in the file's ACL.

    The st_mode field contains a user-dependent summary, so that programs ignorant of ACLs that use stat(2) and chmod(2) are more likely to produce expected results, and so that stat(2) provides reasonable information about remote files over NFS. The st_basemode and st_aclv fields are useful only for local files.

    chmod  Setting the group permission bits via the chmod(2) system call affects the file's class entry, which would in turn affect the permissions granted by additional user:uid: and group:gid: entries. In particular, using chmod(2) to set a file's permission bits to all zeroes removes all access to the file, regardless of permissions granted by any additional user:uid: or group:gid: entries.

    chown  When a file's owner or owning group is changed via chown(2) to a UID or GID which has existing user:uid: or group:gid: entries, those entries are not removed from the ACL, but they are rendered moot, because the user:: or group:: entries take precedence.

    HEADERS

    Header

    The header file defines the following constants to govern the numbers of entries per ACL:

    NACLVENTRIES   maximum number of entries per ACL, including base entries
    NACLBASE       number of base entries

    The ACL structure struct acl is also defined, and includes the following members:

    int     a_type;   /* type of entry */
    uid_t   a_id;     /* group ID */
    ushort  a_perm;   /* see */

    The header also defines the set of valid values for the a_type field, as well as the valid values for the cmd argument to the acl(2) system call.


    Header

    The header defines constants for use with getaccess (2).

    Special parameter values for uid:

    UID_EUID   use effective user ID
    UID_RUID   use real user ID
    UID_SUID   use saved user ID

    Special parameter values for ngroups:

    NGROUPS_EGID        process's effective gid
    NGROUPS_RGID        process's real gid
    NGROUPS_SGID        process's saved gid
    NGROUPS_SUPP        process's supplementary groups only
    NGROUPS_EGID_SUPP   process's effective gid plus supplementary groups
    NGROUPS_RGID_SUPP   process's real gid plus supplementary groups
    NGROUPS_SGID_SUPP   process's saved gid plus supplementary groups

    WARNINGS

    ACLs cannot be used to restrict the superuser's access.

    Most, but not all, supported utilities are able to handle ACLs correctly. However, only the fbackup(1M) and frecover(1M) file archive utilities handle access control lists properly. When using programs (such as the archive programs ar(1), cpio(1), ftio(1), tar(1), and dump(1M)) unable to handle ACLs on files with optional ACL entries, note the Access Control List information included on their respective reference pages, to avoid loss of data.

    DEPENDENCIES

    NFS  NFS does not support ACLs on remote files. Individual manual entries specify the behavior of various system calls