ACL configuration file format

Updated: May 06, 2022

The ACL configuration file format is intended to facilitate both generation and parsing.

Descriptors

An ACL configuration file consists of zero or more text descriptors. A descriptor specifies properties of a PPS object path. In particular, it specifies access permissions (owner, mode, and ACL). A descriptor also records other important properties of the object, including whether it's a server object, whether it's persistent, and whether it should be created if it's missing on startup.

Descriptor format

A descriptor consists of two or more nonblank lines of text followed by a blank line (or end of file). The two mandatory lines of text define the:

These two mandatory lines may optionally be followed by an ACL, in either short or long text form.

The permissions described by the ACL (if one is present) take precedence over those specified in the details line. An ACL must be of a form usable by the acl_from_text() function (i.e., either short or long text form). The ACL must also be complete and valid according to acl_valid(). Specifically, an extended ACL must include an explicit ACL_MASK entry. No mask is computed if one is missing.

Leading and trailing whitespace are stripped from lines before processing.

Comments are introduced by the "#" character, and run to the end of the line; they are syntactically equivalent to whitespace.

Paths

Paths must be specified relative to the PPS mountpoint. They may not contain:

Paths for directories must end with a single separator character.

Details

The details line must not contain extraneous whitespace, and must be of the form:

user:group:mode[:property[,property...]]

where:

The properties are optional and consist of zero or more of the following:

Property    Description
O_CREAT     The object should be created if it's missing.
nopersist   Disable persistence for this object and its attributes.
server      Treat the object as a server object.

Sample ACL configuration file

The following example shows ACL configurations for a directory with an ACL in short text form, and for a file:

a/directory/
nobody:nobody:2711:O_CREAT # comment
user::rwx
group::x
other::x
mask::x                    # comment
group:nto:x

a/directory/file
nobody:nobody:640
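
The descriptor rules above can be checked before a file is deployed. The following Python linter is an added example, not code from this documentation or from PPS itself; it flags malformed details lines, unknown properties, and extended ACLs with no explicit mask entry. Assumptions: the function names, an octal mode of 3-4 digits, the u/g/o/m tag abbreviations, and treating a comment-only line as blank; the path restrictions whose list is not reproduced on this page are not checked.

```python
import re

PROPERTIES = {"O_CREAT", "nopersist", "server"}          # the page's property table
TAGS = {"u": "user", "g": "group", "o": "other", "m": "mask"}

def parse_acl_config(text):
    # Returns one (descriptor, problems) pair per descriptor in the file.
    blocks, cur = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # comments count as whitespace
        if line:
            cur.append(line)
        elif cur:                             # blank line closes the descriptor
            blocks.append(cur)
            cur = []
    return [check_descriptor(b) for b in blocks + ([cur] if cur else [])]

def check_descriptor(lines):
    desc, problems = {"path": lines[0], "props": [], "acl": []}, []
    if len(lines) < 2:
        return desc, ["descriptor has no details line"]
    if lines[0].endswith("//"):
        problems.append("directory path must end with a single separator")
    fields = lines[1].split(":")
    if re.search(r"\s", lines[1]) or len(fields) not in (3, 4):
        problems.append("details must be user:group:mode[:property,...]")
    else:
        desc["user"], desc["group"], desc["mode"] = fields[:3]
        if not re.fullmatch(r"[0-7]{3,4}", desc["mode"]):   # assumption: octal mode
            problems.append("mode is not 3-4 octal digits")
        desc["props"] = fields[3].split(",") if len(fields) == 4 else []
        problems += [f"unknown property {p!r}" for p in desc["props"]
                     if p not in PROPERTIES]
    entries = [e.strip() for e in ",".join(lines[2:]).split(",")]  # short or long form
    for entry in filter(None, entries):
        parts = entry.split(":")
        tag = TAGS.get(parts[0], parts[0])
        if len(parts) != 3 or tag not in TAGS.values():
            problems.append(f"malformed ACL entry {entry!r}")
        else:
            desc["acl"].append((tag, parts[1], parts[2]))
    extended = any(q for t, q, _ in desc["acl"] if t in ("user", "group"))
    if extended and not any(t == "mask" for t, _, _ in desc["acl"]):
        problems.append("extended ACL lacks an explicit mask entry")  # none is computed
    return desc, problems

# Constructed sample: a named group entry, no mask entry, and an unknown property.
SAMPLE = ("b/file\nnobody:nobody:640:server,bogus # comment\n"
          "user::rw-\ngroup::r--\nother::---\ngroup:nto:r--\n")
```

Calling parse_acl_config(SAMPLE) returns one descriptor with two problems; because the ACL takes precedence over the mode in the details line, a descriptor that reports any ACL problem should be fixed rather than relied on for its mode bits.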