Join GitHub today
GitHub is home to over 31 million developers working together to host and review code, manage projects, and build software together.Sign up
Storing POSIX.1e-style ACLs in tar files
Table of Contents
I currently know of two approaches for storing POSIX.1e ACLs in tar archives. The first was originally developed by Joerg Schilling for _star_ and subsequently adopted by libarchive and by GNU tar. The other was developed by Sun Microsystems for Solaris.
POSIX.1e ACLs are simpler and the draft specification defines a portable interchange format, so the picture here is a little clearer than for NFSv4 ACLs (or other system-specific ACL implementations). I've begun to document NFSv4 ACL storage approaches in [TarNFS4ACLs].
Some of these techniques are similar to ones used for storing POSIX.1e extended attributes. See [TarExtendedAttributes] for more information.
Star stores POSIX.1e ACLs in pax attributes with the names SCHILY.acl.access and SCHILY.acl.default. The values of these attributes are the textual ACL entries for the access and default ACLs, respectively. The textual format follows POSIX.1e draft 17:
- Individual entries are separated by commas.
- A fourth colon-separated field is added to user and group entries with the numeric uid or gid.
Prior to the standardization of the pax extended format, Sun introduced a separate entry in tar files to hold the ACL information. This entry has type "A" and immediately precedes the file to which it applies. The body of this entry consists of the following:
- An ASCII number in octal followed by a single NULL byte. The value is 01000000 plus the number of entries in the ACL. The 01000000 value flags this as a POSIX.1e ACL; the count of entries is redundant and can generally be ignored.
- A textual list of all ACL entries. This list includes both default and access entries. The default entries have the text "default" prepended (e.g., "defaultuser::rwx"). The entries are comma-separated. Unlike the _star_ format, there is no additional field for the user/group ID.
AIX implemented a system similar to Solaris but with a number of problems. Most obviously, the ACL is stored after the entry and not before. This constrains the possible implementations (libarchive, for example, wants to see all metadata before reading the body). The format used is also pretty non-portable. The TarNFS4ACLs page has some additional details about this format.
POSIX.1e was an attempt to define standard mechanisms for handling extended attributes and ACLs on POSIX systems. Unfortunately, the committee working on POSIX.1e was unable to come to a consensus and the standard was never completed. The final version of POSIX.1e is "Draft 17" which has served as the basis for many system implementations. Unfortunately, the final draft has several obvious omissions that have been filled in different fashions.