getaccess(2)getaccess(2)NAMEgetaccess() - get a user's effective access rights to a file
SYNOPSISDESCRIPTION
identifies the access rights (read, write, execute/search) a specific
user ID has to an existing file. path points to a path name of a file.
If the call succeeds, it returns a value of zero or greater, represent‐
ing the specified user's effective access rights (modes) to the file.
The rights are expressed as the logical OR of bits and whose values are
defined in the header A return of zero means that access is denied.
The uid parameter is a user ID. Special values, defined in represent
the calling process's effective, real, or saved user ID:
Effective user ID.
Real user ID.
Saved user ID.
ngroups is the number of group IDs in gidset, not to exceed + 1. If
the ngroups parameter is positive, the gidset parameter is an array of
group ID values to use in the check. If ngroups is a recognized nega‐
tive value, gidset is ignored. Special negative values of ngroups,
defined in represent various combinations of the process's effective,
real, or saved user ID and its supplementary groups list:
Use process's effective group ID only.
Use process's real group
ID only.
Use process's saved group
ID only.
Use process's supplementary groups only.
Use process's effective group
ID plus supplementary groups.
Use process's real group
ID plus supplementary groups.
Use process's saved group
ID plus supplementary groups.
The label and privs parameters are placeholders for future extensions.
For now, the values of these parameters must be
The access check rules for access control lists are described in acl(5)
and aclv(5). In addition, the bit is cleared for files on read-only
file systems or shared-text programs being executed. Note that as in
access(2), the bit is not turned off for shared-text programs open for
writing because there is no easy way to know that a file open for writ‐
ing is a shared-text program.
checks each directory component of path by first using the caller's
effective user ID, effective group ID, and supplementary groups list,
regardless of the user ID specified. An error occurs, distinct from
"no access allowed," if the caller cannot search the path to the file.
(In this case it is inappropriate for the caller to learn anything
about the file.)
Comparison of access and getaccess
The following table compares various attributes of and
access()getaccess()
+=================================================================+
| Checks all ACL entries | Same |
| (HFS and JFS File Systems only)| |
+-----------------------------------------------------------------+
| Uses real uid, real gid, and | Uses specified uid and groups|
| supplementary groups list | list; macros available |
| | for typical values |
+-----------------------------------------------------------------+
| Checks specific mode value, | Returns all mode bits, each |
| returns succeed or fail | on or off |
+-----------------------------------------------------------------+
| Checks path to file using | Same |
| caller's effective ID | |
+-----------------------------------------------------------------+
| W_OK false if shared-text | Same |
| file currently being executed | |
+-----------------------------------------------------------------+
| W_OK false if file on | Same |
| read-only file system | |
+-----------------------------------------------------------------+
| X_OK not modified for file | Same |
| currently open for writing | |
+-----------------------------------------------------------------+
| R_OK and W_OK always true for | Same |
| superuser (except as described | |
| in Security Restrictions) or | |
| users with DAC_READ and | |
| DAC_WRITE privileges | |
+-----------------------------------------------------------------+
+-----------------------------------------------------------------+
| X_OK always true for | X_OK true for super-user or |
| superuser or users with | users with DAC_READ and |
| DAC_READ and DAC_WRITE | DAC_WRITE privilege |
| privileges. | if file is not a regular |
| See privileges(5) for more | file OR execute is set in. |
| information about privileged | See privileges(5) for more |
| access on systems that support | information about privileged |
| fine-grained privileges. | access on systems that |
| | support fine-grained |
| | privileges. |
+-----------------------------------------------------------------+
───────┬───────────────────────────────────────────────────────────────────────┬───────────────────── │
│ access() │ getaccess() │
───────┼───────────────────────────────────────────────────────────────────────┼───────────────────── │
Checks│all ACL entries (HFS and JFS File Systems only) Same │ │
───────┼───────────────────────────────────────────────────────────────────────┼───────────────────── │
Uses real uid, real gid, and supplementary groups list Uses │specified uid and │
│ groups list; macros │
│ available for typical │
│ values │
───────┼───────────────────────────────────────────────────────────────────────┼───────────────────── │
Checks│specific mode value, returns succeed or fail Returns all mode bits, │
│ each on or off │
───────┼───────────────────────────────────────────────────────────────────────┼───────────────────── │
Checks│path to file using caller's effective IDs Same │ │
───────┼───────────────────────────────────────────────────────────────────────┼───────────────────── │
W_OK false if shared-text file currently being executed Same │ │
───────┼───────────────────────────────────────────────────────────────────────┼───────────────────── │
W_OK false if file on read-only file system Same │ │
───────┼───────────────────────────────────────────────────────────────────────┼───────────────────── │
X_OK not modified for file currently open for writing Same │ │
───────┼───────────────────────────────────────────────────────────────────────┼───────────────────── │
R_OK and W_OK always true for superuser (except as described in Secu‐ Same │ │
rity Restrictions) or users with DAC_READ and DAC_WRITE privileges. │ │
───────┼───────────────────────────────────────────────────────────────────────┼───────────────────── │
X_OK always true for superuser or users with DAC_READ and DAC_WRITE X_OK true for superuser │
privileges. See privileges(5) for more information about privileged or users with DAC_READ │
access│on systems that support fine-grained privileges. and DAC_WRITE privilege │
│ if file is not a regu‐ │
│ lar:file or execute is │
│ set │in. See privi‐ │
│ leges(5) for more infor‐ │
│ mation about privileged │
│ access on systems that │
│ support fine-grained │
│ privileges. │
│ │ │
Security Restrictions │ │
│entries.xecuteobitgismseteinlanysofothesfile'sr file │ │
paccessgon(systems that supporttfine-grainediprivileges. │ │
RETURN VALUE │ │
│returns the following values │ │
│ Successful completion. │ │
│ Returns a non-negative value representing the access │ │
│ rthetspecified user to the specified file. │ │
│ Failure. │ │
│ is set to indicate the error. │ │
ERRORS │ │ │
│fails pathomprefixedenieswsearchnpermissionetonthencaller. │ │
│ path gidset points outside the allocated address space of the │ │
│ pTheereliable detection of this error is implementation │ │
│ dependent. │ │
│ ngroups │ │
│ ngroupsaliis either zero, an unrecognized negative value, │ │
│ o+ 1.value larger than │ │
│ gidset value.ns an invalid group │ │
│ The value of │ │
│ privs is not a null pointer. │ │
│ Too many symbolic links were encountered in translating the │ │
│ path name. │ │
│ The length of the specified path name exceeds │ │
│ bytes, or the length of a component of the path name │ │
│ eistinseffect. │ │
│ The named file does not exist (for example, │ │
│ path doesunotoexist).ponent of │ │
│ A component of the │ │
│ path prefix is not a directory. │ │
│ is not supported on some types of remote files. │ │
│ │ │
EXAMPLES │ │
│andfsucceedsgifathedusermhassread access's effective access rights │ │
│ #include <unistd.h> │ │
│ #include <sys/getaccess.h> │ │
│ │ │
│ int mode; │ │
│ mode = getaccess ("test", UID_EUID, NGROUPS_EGID_SUPP, │ │
│ (int *) 0, (void *) 0, (void *) 0); │ │
│ │ │
│ if ((mode >= 0) && (mode & R_OK)) ... │ │
│ │ │
│IDoupserone way to test access rights to file │ │
│ int gid = 109; │ │
│ int mode; │ │
│ │ │
│ mode = getaccess ("/tmp/hold", 23, 1, & gid, │ │
│ (void *) 0, (void *) 0); │ │
│ │ │
│ │ │
gIDsetd thatnincludesethehprocess'sneffectiveigroup │ │
│ #include <sys/types.h> │ │
│ #include <unistd.h> │ │
│ │ │
│ gid_t *gidset; │ │
│ int ngroups; │ │
│ int ngroups_max; │ │
│ │ │
│ ngroups_max = sysconf(_SC_NGROUPS_MAX) + 1; │ │
│ │ │
│ gidset = (gid_t *)malloc(ngroups_max * sizeof(gid_t)); │ │
│ gidset[0] = getegid(); │ │
│ ngroups = 1 + getgroups (ngroups_max - 1, &gidset[1]); │ │
│ │ │
AUTHOR │ │ │
│was developed by HP. │ │
SEE ALSO │ │
└unistd(5).(5),─────────────────────────────────────────────────────────┴───────────────────────────┘
getaccess(2)
