| author | Richard Lowe <richlowe@richlowe.net> | 2011-03-14 14:05:30 -0400 |
|---|---|---|
| committer | Richard Lowe <richlowe@richlowe.net> | 2011-03-14 14:05:30 -0400 |
| commit | c10c16dec587a0662068f6e2991c29ed3a9db943 (patch) | |
| tree | f414286f4bba41d75683ed4fbbaa6bfa4bf7fabd /usr/src/man/man3sec | |
| parent | 68caef18a23a498d9e3017b983562c0f4fd8ab23 (diff) | |
| download | illumos-joyent-c10c16dec587a0662068f6e2991c29ed3a9db943.tar.gz | |
243 system manual pages should live with the software
Reviewed by: garrett@nexenta.com
Reviewed by: gwr@nexenta.com
Reviewed by: trisk@opensolaris.org
Approved by: gwr@nexenta.com
--HG--
extra : rebase_source : 0c599d0bec0dc8865fbba67721a7a6cd6b1feefb
Diffstat (limited to 'usr/src/man/man3sec')
| -rw-r--r-- | usr/src/man/man3sec/Makefile | 54 | ||||
| -rw-r--r-- | usr/src/man/man3sec/acl_check.3sec | 149 | ||||
| -rw-r--r-- | usr/src/man/man3sec/acl_free.3sec | 49 | ||||
| -rw-r--r-- | usr/src/man/man3sec/acl_get.3sec | 148 | ||||
| -rw-r--r-- | usr/src/man/man3sec/acl_strip.3sec | 170 | ||||
| -rw-r--r-- | usr/src/man/man3sec/acl_totext.3sec | 895 | ||||
| -rw-r--r-- | usr/src/man/man3sec/acl_trivial.3sec | 83 | ||||
| -rw-r--r-- | usr/src/man/man3sec/aclcheck.3sec | 239 | ||||
| -rw-r--r-- | usr/src/man/man3sec/aclsort.3sec | 102 | ||||
| -rw-r--r-- | usr/src/man/man3sec/acltomode.3sec | 92 | ||||
| -rw-r--r-- | usr/src/man/man3sec/acltotext.3sec | 269 |
11 files changed, 2250 insertions, 0 deletions
diff --git a/usr/src/man/man3sec/Makefile b/usr/src/man/man3sec/Makefile
new file mode 100644
index 0000000000..ebfe324b37
--- /dev/null
+++ b/usr/src/man/man3sec/Makefile
@@ -0,0 +1,54 @@
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet
+# at http://www.illumos.org/license/CDDL.
+#
+
+# Copyright 2011, Richard Lowe
+
+include ../../Makefile.master
+
+MANSECT = 3sec
+
+MANFILES = acl_check.3sec \
+ acl_free.3sec \
+ acl_get.3sec \
+ acl_strip.3sec \
+ acl_totext.3sec \
+ acl_trivial.3sec \
+ aclcheck.3sec \
+ aclsort.3sec \
+ acltomode.3sec \
+ acltotext.3sec
+
+MANSOFILES = acl_fromtext.3sec \
+ acl_set.3sec \
+ aclfrommode.3sec \
+ aclfromtext.3sec \
+ facl_get.3sec \
+ facl_set.3sec
+
+MANFILES += $(MANSOFILES)
+
+acl_set.3sec := SOSRC = man3sec/acl_get.3sec
+facl_get.3sec := SOSRC = man3sec/acl_get.3sec
+facl_set.3sec := SOSRC = man3sec/acl_get.3sec
+
+acl_fromtext.3sec := SOSRC = man3sec/acl_totext.3sec
+
+aclfrommode.3sec := SOSRC = man3sec/acltomode.3sec
+
+aclfromtext.3sec := SOSRC = man3sec/acltotext.3sec
+
+.KEEP_STATE:
+
+include ../Makefile.man
+
+install: $(ROOTMANFILES)
+
+
diff --git a/usr/src/man/man3sec/acl_check.3sec b/usr/src/man/man3sec/acl_check.3sec
new file mode 100644
index 0000000000..b3a383c6af
--- /dev/null
+++ b/usr/src/man/man3sec/acl_check.3sec
@@ -0,0 +1,149 @@
+'\" te
+.\" Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved.
+.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
+.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
+.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
+.TH acl_check 3SEC "22 Apr 2008" "SunOS 5.11" "File Access Control Library Functions"
+.SH NAME
+acl_check \- check the validity of an ACL
+.SH SYNOPSIS
+.LP
+.nf
+cc [ \fIflag\fR\&.\|.\|. ] \fIfile\fR\&.\|.\|. \fB-lsec\fR [ \fIlibrary\fR\&.\|.\|. ]
+#include <sys/acl.h>
+
+\fBint\fR \fBacl_check\fR(\fBacl_t *\fR\fIaclp\fR, \fBint\fR \fIisdir\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBacl_check()\fR function checks the validity of an ACL pointed to by
+\fIaclp\fR. The \fIisdir\fR argument checks the validity of an ACL that will be
+applied to a directory. The ACL can be either a POSIX draft ACL as supported by
+UFS or NFSv4 ACL as supported by ZFS or NFSV4.
+.sp
+.LP
+When the function verifies a POSIX draft ACL, the rules followed are described
+in \fBaclcheck\fR(3SEC). For NFSv4 ACL, the ACL is verified against the
+following rules:
+.RS +4
+.TP
+.ie t \(bu
+.el o
+The inheritance flags are valid.
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+The ACL must have at least one ACL entry and no more than
+{\fBMAX_ACL_ENTRIES\fR}.
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+The permission field contains only supported permissions.
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+The entry type is valid.
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+The flag fields contain only valid flags as supported by NFSv4/ZFS.
+.RE
+.sp
+.LP
+If any of the above rules are violated, the function fails with \fBerrno\fR set
+to \fBEINVAL\fR.
+.SH RETURN VALUES
+.sp
+.LP
+If the ACL is valid, \fBacl_check()\fR returns 0. Otherwise \fBerrno\fR is set
+to \fBEINVAL\fR and the return value is set to one of the following:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBEACL_INHERIT_ERROR\fR\fR
+.ad
+.RS 23n
+.rt
+There are invalid inheritance flags specified.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBEACL_FLAGS_ERROR\fR\fR
+.ad
+.RS 23n
+.rt
+There are invalid flags specified on the ACL that don't map to supported flags
+in NFSV4/ZFS ACL model.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBEACL_ENTRY_ERROR\fR\fR
+.ad
+.RS 23n
+.rt
+The ACL contains an unknown value in the type field.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBEACL_MEM_ERROR\fR\fR
+.ad
+.RS 23n
+.rt
+The system cannot allocate any memory.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBEACL_INHERIT_NOTDIR\fR\fR
+.ad
+.RS 23n
+.rt
+Inheritance flags are only allowed for ACLs on directories.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i)
+lw(2.75i) |lw(2.75i)
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+Interface StabilityCommitted
+_
+MT-LevelMT-Safe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBacl\fR(2), \fBaclcheck\fR(3SEC), \fBaclsort\fR(3SEC), \fBacl\fR(5),
+\fBattributes\fR(5)
diff --git a/usr/src/man/man3sec/acl_free.3sec b/usr/src/man/man3sec/acl_free.3sec
new file mode 100644
index 0000000000..d1a5e8615a
--- /dev/null
+++ b/usr/src/man/man3sec/acl_free.3sec
@@ -0,0 +1,49 @@
+'\" te
+.\" Copyright (c) 2005, Sun Microsystems, Inc. All Rights Reserved.
+.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
+.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
+.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
+.TH acl_free 3SEC "6 Oct 2005" "SunOS 5.11" "File Access Control Library Functions"
+.SH NAME
+acl_free \- free memory associated with an acl_t structure
+.SH SYNOPSIS
+.LP
+.nf
+cc [ \fIflag\fR\&.\|.\|. ] \fIfile\fR\&.\|.\|. \fB-lsec\fR [ \fIlibrary\fR\&.\|.\|. ]
+#include <sys/acl.h>
+
+\fBvoid\fR \fBacl_free\fR(\fBacl_t *\fR\fIaclp\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBacl_free()\fR function frees memory allocated for the acl_t structure
+pointed to by the \fIaclp\fR argument.
+.SH RETURN VALUES
+.sp
+.LP
+The \fBacl_free()\fR function does not return a value.
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i)
+lw(2.75i) |lw(2.75i)
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+Interface StabilityEvolving
+_
+MT-LevelMT-Safe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBacl_get\fR(3SEC), \fBacl\fR(5), \fBattributes\fR(5)
diff --git a/usr/src/man/man3sec/acl_get.3sec b/usr/src/man/man3sec/acl_get.3sec
new file mode 100644
index 0000000000..0e14bef268
--- /dev/null
+++ b/usr/src/man/man3sec/acl_get.3sec
@@ -0,0 +1,148 @@ +'\" te +.\" Copyright (c) 2005, Sun Microsystems, Inc. All Rights Reserved. +.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. +.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License. +.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner] +.TH acl_get 3SEC "6 Oct 2005" "SunOS 5.11" "File Access Control Library Functions" +.SH NAME +acl_get, facl_get, acl_set, facl_set \- get or set a file's Access Control List +(ACL) +.SH SYNOPSIS +.LP +.nf +cc [ \fIflag\fR\&.\|.\|. ] \fIfile\fR\&.\|.\|. \fB-lsec\fR [ \fIlibrary\fR\&.\|.\|. ] +#include <sys/acl.h> + +\fBint *\fR\fBacl_get\fR(\fBconst char *\fR\fIpath\fR, \fBint\fR \fIflag\fR, \fBacl_t **\fR\fIaclp\fR); +.fi + +.LP +.nf +\fBint *\fR\fBfacl_get\fR(\fBint\fR \fIfd\fR, \fBint\fR \fIflag\fR, \fBacl_t **\fR\fIaclp\fR); +.fi + +.LP +.nf +\fBint\fR \fBacl_set\fR(\fBconst char *\fR\fIpath\fR, \fBacl_t *\fR\fIaclp\fR); +.fi + +.LP +.nf +\fBint\fR \fBfacl_set\fR(\fBint\fR \fIfd\fR, \fBacl_t *\fR\fIaclp\fR); +.fi + +.SH DESCRIPTION +.sp +.LP +The \fBacl_get()\fR and \fBfacl_get()\fR functions retrieve an Access Control +List (ACL) of a file whose name is given by \fIpath\fR or referenced by the +open file descriptor \fIfd\fR. The \fIflag\fR argument specifies whether a +trivial ACL should be retrieved. When the \fIflag\fR argument is +\fBACL_NO_TRIVIAL\fR, only ACLs that are not trivial will be retrieved. 
The ACL +is returned in the \fIaclp\fR argument. +.sp +.LP +The \fBacl_set()\fR and \fBfacl_set()\fR functions are used for setting an ACL +of a file whose name is given by \fIpath\fR or referenced by the open file +descriptor \fIfd\fR. The \fIaclp\fR argument specifies the ACL to set. +.sp +.LP +The \fBacl_get()\fR and \fBacl_set()\fR functions support multiple types of +ACLs. When possible, the \fBacl_set()\fR function translates an ACL to the +target file's style of ACL. Currently this is only possible when translating +from a POSIX-draft ACL such as on UFS to a file system that supports NFSv4 ACL +semantics such as ZFS or NFSv4. +.SH RETURN VALUES +.sp +.LP +Upon successful completion, \fBacl_get()\fR and \fBfacl_get()\fR return 0 and +\fIaclp\fR is non-\fINULL\fR. The \fIaclp\fR argument can be \fINULL\fR after +successful completion if the file had a trivial ACL and the \fIflag\fR argument +was \fBACL_NO_TRIVIAL\fR. Otherwise, -1 is returned and \fBerrno\fR is set to +indicate the error. +.sp +.LP +Upon successful completion, \fBacl_set()\fR and \fBfacl_set()\fR return 0. +Otherwise, -1 is returned and \fBerrno\fR is set to indicate the error. +.SH ERRORS +.sp +.LP +These functions will fail if: +.sp +.ne 2 +.mk +.na +\fB\fBEACCES\fR\fR +.ad +.RS 11n +.rt +The caller does not have access to a component of \fIpath\fR. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBEIO\fR\fR +.ad +.RS 11n +.rt +A disk I/O error has occured while retrieving the ACL. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBENOENT\fR\fR +.ad +.RS 11n +.rt +A component of the \fIpath\fR does not exist. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBENOSYS\fR\fR +.ad +.RS 11n +.rt +The file system does not support ACLs. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBENOTSUP\fR\fR +.ad +.RS 11n +.rt +The ACL supplied could not be translated to an NFSv4 ACL. +.RE + +.SH ATTRIBUTES +.sp +.LP +See \fBattributes\fR(5) for descriptions of the following attributes: +.sp + +.sp +.TS +tab() box; +cw(2.75i) |cw(2.75i) +lw(2.75i) |lw(2.75i) +. 
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+Interface StabilityEvolving
+_
+MT-LevelMT-Safe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBchmod\fR(1), \fBacl\fR(2), \fBacl\fR(5), \fBattributes\fR(5)
diff --git a/usr/src/man/man3sec/acl_strip.3sec b/usr/src/man/man3sec/acl_strip.3sec
new file mode 100644
index 0000000000..95ce33d6e7
--- /dev/null
+++ b/usr/src/man/man3sec/acl_strip.3sec
@@ -0,0 +1,170 @@
+'\" te
+.\" Copyright (c) 2005, Sun Microsystems, Inc. All Rights Reserved.
+.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
+.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
+.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
+.TH acl_strip 3SEC "6 Oct 2005" "SunOS 5.11" "File Access Control Library Functions"
+.SH NAME
+acl_strip \- remove all ACLs from a file
+.SH SYNOPSIS
+.LP
+.nf
+cc [ \fIflag\fR\&.\|.\|. ] \fIfile\fR\&.\|.\|. \fB-lsec\fR [ \fIlibrary\fR\&.\|.\|. ]
+#include <sys/acl.h>
+
+\fBint\fR \fBacl_strip\fR(\fBconst char *\fR\fIpath\fR, \fBuid_t\fR \fIuid\fR, \fBgid_t\fR \fIgid\fR, \fBmode_t\fR \fImode\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBacl_strip()\fR function removes all ACLs from a file and replaces them
+with a trivial ACL based on the \fImode\fR argument. After replacing the ACL,
+the owner and group of the file are set to the values specified by the
+\fIuid\fR and \fIgid\fR arguments.
+.SH RETURN VALUES
+.sp
+.LP
+Upon successful completion, \fBacl_strip()\fR returns 0. Otherwise it returns
+-1 and sets \fBerrno\fR to indicate the error.
+.SH ERRORS
+.sp
+.LP
+The \fBacl_strip()\fR function will fail if:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBEACCES\fR\fR
+.ad
+.RS 16n
+.rt
+Search permission is denied on a component of the path prefix of \fIpath\fR.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBEFAULT\fR\fR
+.ad
+.RS 16n
+.rt
+The \fIpath\fR argument points to an illegal address.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBEINVAL\fR\fR
+.ad
+.RS 16n
+.rt
+The \fIuid\fR or \fIgid\fR argument is out of range.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBEIO\fR\fR
+.ad
+.RS 16n
+.rt
+A disk I/O error has occurred while storing or retrieving the ACL.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBELOOP\fR\fR
+.ad
+.RS 16n
+.rt
+A loop exists in symbolic links encountered during the resolution of the
+\fIpath\fR argument.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBENAMETOOLONG\fR\fR
+.ad
+.RS 16n
+.rt
+The length of the \fIpath\fR argument exceeds {\fBPATH_MAX\fR}, or the
+length of a path component exceeds {\fBNAME_MAX\fR} while \fB_POSIX_NO_TRUNC\fR
+is in effect.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBENOENT\fR\fR
+.ad
+.RS 16n
+.rt
+A component of \fIpath\fR does not exist.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBENOTDIR\fR\fR
+.ad
+.RS 16n
+.rt
+A component of the prefix of \fIpath\fR is not a directory.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBEPERM\fR\fR
+.ad
+.RS 16n
+.rt
+The effective user ID does not match the owner of the file and the process does
+not have appropriate privileges.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBEROFS\fR\fR
+.ad
+.RS 16n
+.rt
+The file system is mounted read-only.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i)
+lw(2.75i) |lw(2.75i)
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+Interface StabilityEvolving
+_
+MT-LevelMT-Safe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBacl_get\fR(3SEC), \fBacl_trivial\fR(3SEC), \fBacl\fR(5), \fBattributes\fR(5)
diff --git a/usr/src/man/man3sec/acl_totext.3sec b/usr/src/man/man3sec/acl_totext.3sec
new file mode 100644
index 0000000000..c70cab81b0
--- /dev/null
+++ b/usr/src/man/man3sec/acl_totext.3sec
@@ -0,0 +1,895 @@
+'\" te
+.\" Copyright (c) 20068 Sun Microsystems, Inc. All Rights Reserved.
+.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
+.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
+.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
+.TH acl_totext 3SEC "16 Jun 2008" "SunOS 5.11" "File Access Control Library Functions"
+.SH NAME
+acl_totext, acl_fromtext \- convert internal representation to or from
+external representation
+.SH SYNOPSIS
+.LP
+.nf
+cc [ \fIflag\fR\&.\|.\|. ] \fIfile\fR\&.\|.\|. \fB-lsec\fR [ \fIlibrary\fR\&.\|.\|. ]
+#include <sys/acl.h>
+
+\fBchar *\fR\fBacl_totext\fR(\fBacl_t *\fR\fIaclp\fR, \fBint\fR \fIflags\fR);
+.fi
+
+.LP
+.nf
+\fBint\fR \fBacl_fromtext\fR(\fBchar *\fR\fIacltextp\fR, \fBacl_t **\fR\fIaclp\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBacl_totext()\fR function converts an internal ACL representation pointed
+to by \fIaclp\fR into an external ACL representation. The memory for the
+external text string is obtained using \fBmalloc\fR(3C). The caller is
+responsible for freeing the memory upon completion.
+.sp
+.LP
+The format of the external ACL is controlled by the \fIflags\fR argument.
+Values for \fIflags\fR are constructed by a bitwise-inclusive-OR of \fIflags\fR
+from the following list, defined in <\fBsys/acl.h\fR>.
+.sp +.ne 2 +.mk +.na +\fB\fBACL_COMPACT_FMT\fR\fR +.ad +.RS 19n +.rt +For NFSv4 ACLs, the ACL entries will be formatted using the compact ACL format +detailed in \fBls\fR(1) for the \fB-V\fR option. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBACL_APPEND_ID\fR\fR +.ad +.RS 19n +.rt +Append the \fBuid\fR or \fBgid\fR for additional user or group entries. This +flag is used to construt ACL entries in a manner that is suitable for archive +utilities such as \fBtar\fR(1). When the ACL is translated from the external +format to internal representation using \fBacl_fromtext()\fR, the appended ID +will be used to populate the \fBuid\fR or \fBgid\fR field of the ACL entry when +the user or group name does not exist on the host system. The appended id will +be ignored when the user or group name does exist on the system. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBACL_SID_FMT\fR\fR +.ad +.RS 19n +.rt +For NFSv4 ACLs, the ACL entries for user or group entries will use the +\fBusersid\fR or \fBgroupsid\fR format when the "id" field in the ACL entry is +an ephemeral \fBuid\fR or \fBgid\fR. The raw \fBsid\fR format will only be +used when the "id" cannot be resolved to a windows name. +.RE + +.sp +.LP +The \fBacl_fromtext()\fR function converts an external ACL representation +pointed to by \fIacltextp\fR into an internal ACL representation. The memory +for the list of ACL entries is obtained using \fBmalloc\fR(3C). The caller is +responsible for freeing the memory upon completion. Depending on type of ACLs a +file system supports, one of two external external representations are +possible. For POSIX draft file systems such as ufs, the external representation +is described in \fBacltotext\fR(3SEC). The external ACL representation For +NFSv4-style ACLs is detailed as follows. +.sp +.LP +Each \fBacl_entry\fR contains one ACL entry. The external representation of an +ACL entry contains three, four or five colon separated fields. The first field +contains the ACL entry type. 
The entry type keywords are defined as: +.sp +.ne 2 +.mk +.na +\fB\fBeveryone@\fR\fR +.ad +.RS 13n +.rt +This ACL entry specifies the access granted to any user or group that does not +match any previous ACL entry. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBgroup\fR\fR +.ad +.RS 13n +.rt +This ACL entry with a GID specifies the access granted to a additional group of +the object. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBgroup@\fR\fR +.ad +.RS 13n +.rt +This ACL entry with no GID specified in the ACL entry field specifies the +access granted to the owning group of the object. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBgroupsid\fR\fR +.ad +.RS 13n +.rt +This ACL entry with a SID or Windows name specifies the access granted to a +Windows group. This type of entry is for a CIFS server created file. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBowner@\fR\fR +.ad +.RS 13n +.rt +This ACL entry with no UID specified in the ACL entry field specifies the +access granted to the owner of the object. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBsid\fR\fR +.ad +.RS 13n +.rt +This ACL entry with a SID or Windows name when the entry could be either a +group or a user. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBuser\fR\fR +.ad +.RS 13n +.rt +This ACL entry with a UID specifies the access granted to a additional user of +the object. +.RE + +.sp +.ne 2 +.mk +.na +\fB\fBusersid\fR\fR +.ad +.RS 13n +.rt +This ACL entry with a SID or Windows name specifies the access granted to a +Windows user. This type of entry is for a CIFS server created file. +.RE + +.sp +.LP +The second field contains the ACL entry ID, and is used only for user or group +ACL entries. This field is not used for \fBowner@\fR, \fBgroup@\fR, or +\fBeveryone@\fR entries. +.sp +.ne 2 +.mk +.na +\fB\fBuid\fR\fR +.ad +.RS 7n +.rt +This field contains a user-name or user-ID. If the user-name cannot be resolved +to a UID, then the entry is assumed to be a numeric UID. 
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBgid\fR\fR
+.ad
+.RS 7n
+.rt
+This field contains a group-name or group-ID. If the group-name can't be
+resolved to a GID, then the entry is assumed to be a numeric GID.
+.RE
+
+.sp
+.LP
+The third field contains the discretionary access permissions. The format of
+the permissions depends on whether \fBACL_COMPACT_FMT\fR is specified. When the
+\fIflags\fR field does not request \fBACL_COMPACT_FMT\fR, the following format
+is used with a forward slash (/) separating the permissions.
+.sp
+.ne 2
+.mk
+.na
+\fB\fBadd_file\fR\fR
+.ad
+.RS 20n
+.rt
+Add a file to a directory.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBadd_subdirectory\fR\fR
+.ad
+.RS 20n
+.rt
+Add a subdirectory.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBappend\fR\fR
+.ad
+.RS 20n
+.rt
+Append data.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBdelete\fR\fR
+.ad
+.RS 20n
+.rt
+Delete.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBdelete_child\fR\fR
+.ad
+.RS 20n
+.rt
+Delete child.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBexecute\fR\fR
+.ad
+.RS 20n
+.rt
+Execute permission.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBlist_directory\fR\fR
+.ad
+.RS 20n
+.rt
+List a directory.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBread_acl\fR\fR
+.ad
+.RS 20n
+.rt
+Read ACL.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBread_data\fR\fR
+.ad
+.RS 20n
+.rt
+Read permission.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBread_attributes\fR\fR
+.ad
+.RS 20n
+.rt
+Read attributes.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBread_xattr\fR\fR
+.ad
+.RS 20n
+.rt
+Read named attributes.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBsynchronize\fR\fR
+.ad
+.RS 20n
+.rt
+Synchronize.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBwrite_acl\fR\fR
+.ad
+.RS 20n
+.rt
+Write ACL.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBwrite_attributes\fR\fR
+.ad
+.RS 20n
+.rt
+Write attributes.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBwrite_data\fR\fR
+.ad
+.RS 20n
+.rt
+Write permission.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBwrite_owner\fR\fR
+.ad
+.RS 20n
+.rt
+Write owner.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBwrite_xattr\fR\fR
+.ad
+.RS 20n
+.rt
+Write named attributes.
+.RE
+
+.sp
+.LP
+This format allows permissions to be specified as, for example:
+\fBread_data\fR/\fBread_xattr\fR/\fBread_attributes\fR.
+.sp
+.LP
+When \fBACL_COMPACT_FMT\fR is specified, the permissions consist of 14 unique
+letters. A hyphen (-) character is used to indicate that the permission at
+that position is not specified.
+.sp
+.ne 2
+.mk
+.na
+\fB\fBa\fR\fR
+.ad
+.RS 5n
+.rt
+read attributes
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBA\fR\fR
+.ad
+.RS 5n
+.rt
+write attributes
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBc\fR\fR
+.ad
+.RS 5n
+.rt
+read ACL
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBC\fR\fR
+.ad
+.RS 5n
+.rt
+write ACL
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBd\fR\fR
+.ad
+.RS 5n
+.rt
+delete
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBD\fR\fR
+.ad
+.RS 5n
+.rt
+delete child
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBo\fR\fR
+.ad
+.RS 5n
+.rt
+write owner
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBp\fR\fR
+.ad
+.RS 5n
+.rt
+append
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBr\fR\fR
+.ad
+.RS 5n
+.rt
+read_data
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBR\fR\fR
+.ad
+.RS 5n
+.rt
+read named attributes
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBs\fR\fR
+.ad
+.RS 5n
+.rt
+synchronize
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBw\fR\fR
+.ad
+.RS 5n
+.rt
+write_data
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBW\fR\fR
+.ad
+.RS 5n
+.rt
+write named attributes
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBx\fR\fR
+.ad
+.RS 5n
+.rt
+execute
+.RE
+
+.sp
+.LP
+This format allows compact permissions to be represented as, for example:
+\fBrw--d-a-------\fR
+.sp
+.LP
+The fourth field is optional when \fBACL_COMPACT_FMT\fR is not specified, in
+which case the field will be present only when the ACL entry has inheritance
+flags set. The following is the list of inheritance flags separated by a slash
+(/) character.
+.sp
+.ne 2
+.mk
+.na
+\fB\fBdir_inherit\fR\fR
+.ad
+.RS 16n
+.rt
+\fBACE_DIRECTORY_INHERIT_ACE\fR
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBfile_inherit\fR\fR
+.ad
+.RS 16n
+.rt
+\fBACE_FILE_INHERIT_ACE\fR
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBinherit_only\fR\fR
+.ad
+.RS 16n
+.rt
+\fBACE_INHERIT_ONLY_ACE\fR
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBno_propagate\fR\fR
+.ad
+.RS 16n
+.rt
+\fBACE_NO_PROPAGATE_INHERIT_ACE\fR
+.RE
+
+.sp
+.LP
+When \fBACL_COMPACT_FMT\fR is specified the inheritance will always be present
+and is represented as positional arguments. A hyphen (-) character is used to
+indicate that the inheritance flag at that position is not specified.
+.sp
+.ne 2
+.mk
+.na
+\fB\fBd\fR\fR
+.ad
+.RS 5n
+.rt
+\fBdir_inherit\fR
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBf\fR\fR
+.ad
+.RS 5n
+.rt
+\fBfile_inherit\fR
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBF\fR\fR
+.ad
+.RS 5n
+.rt
+failed access (not currently supported)
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBi\fR\fR
+.ad
+.RS 5n
+.rt
+\fBinherit_only\fR
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBn\fR\fR
+.ad
+.RS 5n
+.rt
+\fBno_propagate\fR
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBS\fR\fR
+.ad
+.RS 5n
+.rt
+successful access (not currently supported)
+.RE
+
+.sp
+.LP
+The fifth field contains the type of the ACE (\fBallow\fR or \fBdeny\fR):
+.sp
+.ne 2
+.mk
+.na
+\fB\fBallow\fR\fR
+.ad
+.RS 9n
+.rt
+The mask specified in field three should be allowed.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBdeny\fR\fR
+.ad
+.RS 9n
+.rt
+The mask specified in field three should be denied.
+.RE
+
+.SH RETURN VALUES
+.sp
+.LP
+Upon successful completion, the \fBacl_totext()\fR function returns a pointer
+to a text string. Otherwise, it returns \fINULL\fR.
+.sp
+.LP
+Upon successful completion, the \fBacl_fromtext()\fR function returns 0.
+Otherwise, the return value is set to one of the following:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBEACL_FIELD_NOT_BLANK\fR\fR
+.ad
+.RS 28n
+.rt
+A field that should be blank is not blank.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBEACL_FLAGS_ERROR\fR\fR
+.ad
+.RS 28n
+.rt
+An invalid ACL flag was specified.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBEACL_INHERIT_ERROR\fR\fR
+.ad
+.RS 28n
+.rt
+An invalid inheritance field was specified.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBEACL_INVALID_ACCESS_TYPE\fR\fR
+.ad
+.RS 28n
+.rt
+An invalid access type was specified.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBEACL_INVALID_STR\fR\fR
+.ad
+.RS 28n
+.rt
+The string is \fINULL\fR.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBEACL_INVALID_USER_GROUP\fR\fR
+.ad
+.RS 28n
+.rt
+The required user or group name not found.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBEACL_MISSING_FIELDS\fR\fR
+.ad
+.RS 28n
+.rt
+The ACL needs more fields to be specified.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBEACL_PERM_MASK_ERROR\fR\fR
+.ad
+.RS 28n
+.rt
+The permission mask is invalid.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBEACL_UNKNOWN_DATA\fR\fR
+.ad
+.RS 28n
+.rt
+Unknown data was found in the ACL.
+.RE
+
+.SH EXAMPLES
+.LP
+\fBExample 1 \fRExamples of permissions when \fBACL_COMPACT_FMT\fR is not
+specified.
+.sp
+.in +2
+.nf
+user:joe:read_data/write_data:file_inherit/dir_inherit:allow
+.fi
+.in -2
+.sp
+
+.sp
+.in +2
+.nf
+owner@:read_acl:allow,user:tom:read_data:file_inherit/inherit_only:deny
+.fi
+.in -2
+.sp
+
+.LP
+\fBExample 2 \fRExamples of permissions when \fBACL_COMPACT_FMT\fR is
+specified.
+.sp
+.in +2
+.nf
+user:joe:rw------------:fd----:allow
+.fi
+.in -2
+.sp
+
+.sp
+.in +2
+.nf
+owner@:----------c---:------allow,user:tom:r-------------:f-i---:deny
+.fi
+.in -2
+.sp
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i)
+lw(2.75i) |lw(2.75i)
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+Interface StabilityCommitted
+_
+MT-LevelSafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBls\fR(1), \fBtar\fR(1), \fBacl\fR(2), \fBmalloc\fR(3C),
+\fBaclfromtext\fR(3SEC), \fBacl\fR(5), \fBattributes\fR(5)
diff --git a/usr/src/man/man3sec/acl_trivial.3sec b/usr/src/man/man3sec/acl_trivial.3sec
new file mode 100644
index 0000000000..dc59362396
--- /dev/null
+++ b/usr/src/man/man3sec/acl_trivial.3sec
@@ -0,0 +1,83 @@
+'\" te
+.\" Copyright (c) 2005, Sun Microsystems, Inc. All Rights Reserved.
+.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
+.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
+.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
+.TH acl_trivial 3SEC "6 Oct 2005" "SunOS 5.11" "File Access Control Library Functions"
+.SH NAME
+acl_trivial \- determine whether a file has a trivial ACL
+.SH SYNOPSIS
+.LP
+.nf
+cc [ \fIflag\fR\&.\|.\|. ] \fIfile\fR\&.\|.\|. \fB-lsec\fR [ \fIlibrary\fR\&.\|.\|. ]
+#include <sys/acl.h>
+
+\fBint\fR \fBacl_trivial\fR(\fBchar *\fR\fIpath\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBacl_trivial()\fR function is used to determine whether a file has a
+trivial ACL. Whether an ACL is trivial depends on the type of the ACL. A POSIX
+draft ACL is trivial if it has greater than \fBMIN_ACL_ENTRIES\fR. An
+NFSv4/ZFS-style ACL is trivial if it either has entries other than
+\fBowner@\fR, \fBgroup@\fR, and \fBeveryone@\fR, has inheritance flags set, or
+is not ordered in a manner that meets POSIX access control requirements.
+.SH RETURN VALUES
+.sp
+.LP
+Upon successful completion, \fBacl_trivial()\fR returns 0 if the file's ACL is
+trivial and 1 if the file's ACL is not trivial. If it could not be determined
+whether a file's ACL is trivial, -1 is returned and \fBerrno\fR is set to
+indicate the error.
+.SH ERRORS
+.sp
+.LP
+The \fBacl_trivial()\fR function will fail if:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBEACCES\fR\fR
+.ad
+.RS 10n
+.rt
+A file's ACL could not be read.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBENOENT\fR\fR
+.ad
+.RS 10n
+.rt
+A component of \fIpath\fR does not name an existing file or \fIpath\fR is an
+empty string.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i)
+lw(2.75i) |lw(2.75i)
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+Interface StabilityEvolving
+_
+MT-LevelMT-Safe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBacl\fR(5), \fBattributes\fR(5)
diff --git a/usr/src/man/man3sec/aclcheck.3sec b/usr/src/man/man3sec/aclcheck.3sec
new file mode 100644
index 0000000000..02922e1957
--- /dev/null
+++ b/usr/src/man/man3sec/aclcheck.3sec
@@ -0,0 +1,239 @@
+'\" te
+.\" Copyright (c) 2001, Sun Microsystems, Inc.
+.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
+.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
+.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
+.TH aclcheck 3SEC "10 Dec 2001" "SunOS 5.11" "File Access Control Library Functions"
+.SH NAME
+aclcheck \- check the validity of an ACL
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lsec\fR [ \fIlibrary\fR... ]
+#include <sys/acl.h>
+
+\fBint\fR \fBaclcheck\fR(\fBaclent_t *\fR\fIaclbufp\fR, \fBint\fR \fInentries\fR, \fBint *\fR\fIwhich\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBaclcheck()\fR function checks the validity of an \fBACL\fR pointed to by
+\fIaclbufp.\fR The \fInentries\fR argument is the number of entries contained
+in the buffer. The \fIwhich\fR parameter returns the index of the first entry
+that is invalid.
+.sp
+.LP
+The function verifies that an \fBACL\fR pointed to by \fIaclbufp\fR is valid
+according to the following rules:
+.RS +4
+.TP
+.ie t \(bu
+.el o
+There must be exactly one \fBGROUP_OBJ\fR \fBACL\fR entry.
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+There must be exactly one \fBUSER_OBJ\fR \fBACL\fR entry.
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+There must be exactly one \fBOTHER_OBJ\fR \fBACL\fR entry.
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+If there are any \fBGROUP\fR \fBACL\fR entries, then the group \fBID\fR in each
+group \fBACL\fR entry must be unique.
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+If there are any \fBUSER\fR \fBACL\fR entries, then the user \fBID\fR in each
+user \fBACL\fR entry must be unique.
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+If there are any \fBGROUP\fR or \fBUSER\fR \fBACL\fR entries, then there must
+be exactly one \fBCLASS_OBJ\fR (\fBACL\fR mask) entry.
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+If there are any default \fBACL\fR entries, then the following apply:
+.RS +4
+.TP
+.ie t \(bu
+.el o
+There must be exactly one default \fBGROUP_OBJ\fR \fBACL\fR entry.
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+There must be exactly one default \fBOTHER_OBJ\fR \fBACL\fR entry.
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+There must be exactly one default \fBUSER_OBJ\fR \fBACL\fR entry.
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+If there are any \fBDEF_GROUP\fR entries, then the group \fBID\fR in each
+\fBDEF_GROUP\fR \fBACL\fR entry must be unique.
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+If there are any \fBDEF_USER\fR entries, then the user \fBID\fR in each
+\fBDEF_USER\fR \fBACL\fR entry must be unique.
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+If there are any \fBDEF_GROUP\fR or \fBDEF_USER\fR entries, then there must be
+exactly one \fBDEF_CLASS_OBJ\fR (default \fBACL\fR mask) entry.
+.RE
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+If any of the above rules are violated, then the function fails with
+\fBerrno\fR set to \fBEINVAL\fR.
+.RE
+.SH RETURN VALUES
+.sp
+.LP
+If the \fBACL\fR is valid, \fBalcheck()\fR will return \fB0\fR. Otherwise
+\fBerrno\fR is set to \fBEINVAL\fR and return code is set to one of the
+following:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBGRP_ERROR\fR\fR
+.ad
+.RS 19n
+.rt
+There is more than one \fBGROUP_OBJ\fR or \fBDEF_GROUP_OBJ\fR \fBACL\fR entry.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBUSER_ERROR\fR\fR
+.ad
+.RS 19n
+.rt
+There is more than one \fBUSER_OBJ\fR or \fBDEF_USER_OBJ\fR \fBACL\fR entry.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBCLASS_ERROR\fR\fR
+.ad
+.RS 19n
+.rt
+There is more than one \fBCLASS_OBJ\fR (\fBACL\fR mask) or \fBDEF_CLASS_OBJ\fR
+(default \fBACL\fR mask) entry.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBOTHER_ERROR\fR\fR
+.ad
+.RS 19n
+.rt
+There is more than one \fBOTHER_OBJ\fR or \fBDEF_OTHER_OBJ\fR \fBACL\fR entry.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBDUPLICATE_ERROR\fR\fR
+.ad
+.RS 19n
+.rt
+Duplicate entries of \fBUSER\fR, \fBGROUP\fR, \fBDEF_USER\fR, or
+\fBDEF_GROUP\fR.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBENTRY_ERROR\fR\fR
+.ad
+.RS 19n
+.rt
+The entry type is invalid.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBMISS_ERROR\fR\fR
+.ad
+.RS 19n
+.rt
+Missing an entry. The \fIwhich\fR parameter returns \fB\(mi1\fR in this case.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBMEM_ERROR\fR\fR
+.ad
+.RS 19n
+.rt
+The system cannot allocate any memory. The \fBwhich\fR parameter returns
+\fB\(mi1\fR in this case.
+.RE
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i)
+lw(2.75i) |lw(2.75i)
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+Interface StabilityEvolving
+_
+MT-LevelUnsafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBacl\fR(2), \fBaclsort\fR(3SEC), \fBattributes\fR(5)
diff --git a/usr/src/man/man3sec/aclsort.3sec b/usr/src/man/man3sec/aclsort.3sec
new file mode 100644
index 0000000000..344bb4d105
--- /dev/null
+++ b/usr/src/man/man3sec/aclsort.3sec
@@ -0,0 +1,102 @@
+'\" te
+.\" Copyright (c) 2001, Sun Microsystems, Inc.
+.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
+.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
+.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
+.TH aclsort 3SEC "10 Dec 2001" "SunOS 5.11" "File Access Control Library Functions"
+.SH NAME
+aclsort \- sort an ACL
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR ... ] \fIfile\fR ... \fB-lsec\fR [ \fIlibrary\fR ... ]
+#include <sys/acl.h>
+
+\fBint\fR \fBaclsort\fR(\fBint\fR \fInentries\fR, \fBint\fR \fIcalclass\fR, \fBaclent_t *\fR\fIaclbufp\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fIaclbufp\fR argument points to a buffer containing \fBACL\fR entries. The
+\fInentries\fR argument specifies the number of \fBACL\fR entries in the
+buffer. The \fIcalclass\fR argument, if non-zero, indicates that the
+\fBCLASS_OBJ\fR (\fBACL\fR mask) permissions should be recalculated. The union
+of the permission bits associated with all \fBACL\fR entries in the buffer
+other than \fBCLASS_OBJ\fR, \fBOTHER_OBJ\fR, and \fBUSER_OBJ\fR is calculated.
+The result is copied to the permission bits associated with the \fBCLASS_OBJ\fR
+entry.
+.sp
+.LP
+The \fBaclsort()\fR function sorts the contents of the \fBACL\fR buffer as
+follows:
+.RS +4
+.TP
+.ie t \(bu
+.el o
+Entries will be in the order \fBUSER_OBJ\fR, \fBUSER\fR, \fBGROUP_OBJ\fR,
+\fBGROUP\fR, \fBCLASS_OBJ\fR (\fBACL\fR mask), \fBOTHER_OBJ\fR,
+\fBDEF_USER_OBJ\fR, \fBDEF_USER\fR, \fBDEF_GROUP_OBJ\fR, \fBDEF_GROUP\fR,
+\fBDEF_CLASS_OBJ\fR (default \fBACL\fR mask), and \fBDEF_OTHER_OBJ\fR.
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+Entries of type \fBUSER\fR, \fBGROUP\fR, \fBDEF_USER\fR, and \fBDEF_GROUP\fR
+will be sorted in increasing order by \fBID\fR.
+.RE
+.sp
+.LP
+The \fBaclsort()\fR function will succeed if all of the following are true:
+.RS +4
+.TP
+.ie t \(bu
+.el o
+There is exactly one entry each of type \fBUSER_OBJ\fR, \fBGROUP_OBJ\fR,
+\fBCLASS_OBJ\fR (\fBACL\fR mask), and \fBOTHER_OBJ\fR.
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+There is exactly one entry each of type \fBDEF_USER_OBJ\fR,
+\fBDEF_GROUP_OBJ\fR, \fBDEF_CLASS_OBJ\fR (default \fBACL\fR mask), and
+\fBDEF_OTHER_OBJ\fR if there are any default entries.
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+Entries of type \fBUSER\fR, \fBGROUP\fR, \fBDEF_USER\fR, or \fBDEF_GROUP\fR may
+not contain duplicate entries. A duplicate entry is one of the same type
+containing the same numeric \fBID\fR.
+.RE
+.SH RETURN VALUES
+.sp
+.LP
+Upon successful completion, the function returns \fB0\fR. Otherwise, it returns
+\fB\(mi1\fR\&.
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i)
+lw(2.75i) |lw(2.75i)
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+Interface StabilityEvolving
+_
+MT-LevelUnsafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBacl\fR(2), \fBaclcheck\fR(3SEC), \fBattributes\fR(5)
diff --git a/usr/src/man/man3sec/acltomode.3sec b/usr/src/man/man3sec/acltomode.3sec
new file mode 100644
index 0000000000..72045760b0
--- /dev/null
+++ b/usr/src/man/man3sec/acltomode.3sec
@@ -0,0 +1,92 @@
+'\" te
+.\" Copyright (c) 2001, Sun Microsystems, Inc.
+.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
+.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
+.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
+.TH acltomode 3SEC "10 Dec 2001" "SunOS 5.11" "File Access Control Library Functions"
+.SH NAME
+acltomode, aclfrommode \- convert an ACL to or from permission bits
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lsec\fR [ \fIlibrary\fR... ]
+#include <sys/types.h>
+#include <sys/acl.h>
+
+
+
+\fBint\fR \fBacltomode\fR(\fBaclent_t *\fR\fIaclbufp\fR, \fBint\fR \fInentries\fR, \fBmode_t *\fR\fImodep\fR);
+.fi
+
+.LP
+.nf
+\fBint\fR \fBaclfrommode\fR(\fBaclent_t *\fR\fIaclbufp\fR, \fBint\fR \fInentries\fR, \fBmode_t *\fR\fImodep\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBacltomode()\fR function converts an \fBACL\fR pointed to by
+\fIaclbufp\fR into the permission bits buffer pointed to by \fImodep\fR. If the
+\fBUSER_OBJ\fR \fBACL\fR entry, \fBGROUP_OBJ\fR \fBACL\fR entry, or the
+\fBOTHER_OBJ\fR \fBACL\fR entry cannot be found in the \fBACL\fR buffer, then
+the function fails with \fBerrno\fR set to \fBEINVAL\fR.
+.sp
+.LP
+The \fBUSER_OBJ\fR \fBACL\fR entry permission bits are copied to the file owner
+class bits in the permission bits buffer. The \fBOTHER_OBJ\fR \fBACL\fR entry
+permission bits are copied to the file other class bits in the permission bits
+buffer. If there is a \fBCLASS_OBJ\fR (\fBACL\fR mask) entry, the
+\fBCLASS_OBJ\fR \fBACL\fR entry permission bits are copied to the file group
+class bits in the permission bits buffer. Otherwise, the \fBGROUP_OBJ\fR
+\fBACL\fR entry permission bits are copied to the file group class bits in the
+permission bits buffer.
+.sp
+.LP
+The \fBaclfrommode()\fR function converts the permission bits pointed to by
+\fImodep\fR into an ACL pointed to by \fIaclbufp\fR. If the \fBUSER_OBJ\fR
+\fBACL\fR entry, \fBGROUP_OBJ\fR ACL entry, or the \fBOTHER_OBJ\fR ACL entry
+cannot be found in the \fBACL\fR buffer, the function fails with \fBerrno\fR
+set to \fBEINVAL\fR.
+.sp
+.LP
+The file owner class bits from the permission bits buffer are copied to the
+\fBUSER_OBJ\fR \fBACL\fR entry. The file other class bits from the permission
+bits buffer are copied to the \fBOTHER_OBJ\fR \fBACL\fR entry. If there is a
+\fBCLASS_OBJ\fR (\fBACL\fR mask) entry, the file group class bits from the
+permission bits buffer are copied to the \fBCLASS_OBJ\fR \fBACL\fR entry, and
+the \fBGROUP_OBJ\fR \fBACL\fR entry is not modified. Otherwise, the file group
+class bits from the permission bits buffer are copied to the \fBGROUP_OBJ\fR
+\fBACL\fR entry.
+.sp
+.LP
+The \fInentries\fR argument represents the number of \fBACL\fR entries in the
+buffer pointed to by \fIaclbufp\fR.
+.SH RETURN VALUES
+.sp
+.LP
+Upon successful completion, the function returns \fB0\fR. Otherwise, it returns
+\fB\(mi1\fR and sets \fBerrno\fR to indicate the error.
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i)
+lw(2.75i) |lw(2.75i)
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+Interface Stability Evolving
+_
+MT-LevelUnsafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBacl\fR(2), \fBattributes\fR(5)
diff --git a/usr/src/man/man3sec/acltotext.3sec b/usr/src/man/man3sec/acltotext.3sec
new file mode 100644
index 0000000000..b70a6bcbeb
--- /dev/null
+++ b/usr/src/man/man3sec/acltotext.3sec
@@ -0,0 +1,269 @@
+'\" te
+.\" Copyright (c) 2001, Sun Microsystems, Inc.
+.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
+.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
+.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
+.TH acltotext 3SEC "10 Dec 2001" "SunOS 5.11" "File Access Control Library Functions"
+.SH NAME
+acltotext, aclfromtext \- convert internal representation to or from external
+representation
+.SH SYNOPSIS
+.LP
+.nf
+\fBcc\fR [ \fIflag\fR... ] \fIfile\fR... \fB-lsec\fR [ \fIlibrary\fR... ]
+#include <sys/acl.h>
+
+\fBchar *\fR\fBacltotext\fR(\fBaclent_t *\fR\fIaclbufp\fR, \fBint\fR \fIaclcnt\fR);
+.fi
+
+.LP
+.nf
+\fBaclent_t *\fR\fBaclfromtext\fR(\fBchar *\fR\fIacltextp\fR, \fBint *\fR\fIaclcnt\fR);
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBacltotext()\fR function converts an internal \fBACL\fR representation
+pointed to by \fIaclbufp\fR into an external \fBACL\fR representation. The
+space for the external text string is obtained using \fBmalloc\fR(3C). The
+caller is responsible for freeing the space upon completion..
+.sp
+.LP
+The \fBaclfromtext()\fR function converts an external \fBACL\fR representation
+pointed to by \fIacltextp\fR into an internal \fBACL\fR representation. The
+space for the list of \fBACL\fR entries is obtained using \fBmalloc\fR(3C). The
+caller is responsible for freeing the space upon completion. The \fIaclcnt\fR
+argument indicates the number of \fBACL\fR entries found.
+.sp
+.LP
+An external \fBACL\fR representation is defined as follows:
+.sp
+.LP
+<acl_entry>[,<acl_entry>]\|.\|.\|.
+.sp
+.LP
+Each <acl_entry> contains one \fBACL\fR entry. The external representation of
+an \fBACL\fR entry contains two or three colon-separated fields. The first
+field contains the \fBACL\fR entry tag type. The entry type keywords are
+defined as:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBuser\fR\fR
+.ad
+.RS 17n
+.rt
+This \fBACL\fR entry with no \fBUID\fR specified in the \fBACL\fR entry
+\fBID\fR field specifies the access granted to the owner of the object.
+Otherwise, this \fBACL\fR entry specifies the access granted to a specific
+user-name or user-id number.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBgroup\fR\fR
+.ad
+.RS 17n
+.rt
+This \fBACL\fR entry with no \fBGID\fR specified in the \fBACL\fR entry
+\fBID\fR field specifies the access granted to the owning group of the object.
+Otherwise, this \fBACL\fR entry specifies the access granted to a specific
+group-name or group-id number.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBother\fR\fR
+.ad
+.RS 17n
+.rt
+This \fBACL\fR entry specifies the access granted to any user or group that
+does not match any other \fBACL\fR entry.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBmask\fR\fR
+.ad
+.RS 17n
+.rt
+This \fBACL\fR entry specifies the maximum access granted to user or group
+entries.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBdefault:user\fR\fR
+.ad
+.RS 17n
+.rt
+This \fBACL\fR entry with no uid specified in the \fBACL\fR entry \fBID\fR
+field specifies the default access granted to the owner of the object.
+Otherwise, this \fBACL\fR entry specifies the default access granted to a
+specific user-name or user-\fBID\fR number.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBdefault:group\fR\fR
+.ad
+.RS 17n
+.rt
+This \fBACL\fR entry with no gid specified in the \fBACL\fR entry \fBID\fR
+field specifies the default access granted to the owning group of the object.
+Otherwise, this \fBACL\fR entry specifies the default access granted to a
+specific group-name or group-\fBID\fR number.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBdefault:other\fR\fR
+.ad
+.RS 17n
+.rt
+This \fBACL\fR entry specifies the default access for other entry.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBdefault:mask\fR\fR
+.ad
+.RS 17n
+.rt
+This \fBACL\fR entry specifies the default access for mask entry.
+.RE
+
+.sp
+.LP
+The second field contains the \fBACL\fR entry \fBID\fR, as follows:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBuid\fR\fR
+.ad
+.RS 9n
+.rt
+This field specifies a user-name, or user-\fBID\fR if there is no user-name
+associated with the user-\fBID\fR number.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBgid\fR\fR
+.ad
+.RS 9n
+.rt
+This field specifies a group-name, or group-\fBID\fR if there is no group-name
+associated with the group-\fBID\fR number.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBempty\fR\fR
+.ad
+.RS 9n
+.rt
+This field is used by the user and group \fBACL\fR entry types.
+.RE
+
+.sp
+.LP
+The third field contains the following symbolic discretionary access
+permissions:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBr\fR\fR
+.ad
+.RS 9n
+.rt
+read permission
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBw\fR\fR
+.ad
+.RS 9n
+.rt
+write permission
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBx\fR\fR
+.ad
+.RS 9n
+.rt
+execute/search permission
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB\(mi\fR \fR
+.ad
+.RS 9n
+.rt
+no access
+.RE
+
+.SH RETURN VALUES
+.sp
+.LP
+Upon successful completion, the \fBacltotext()\fR function returns a pointer to
+a text string. Otherwise, it returns \fBNULL\fR.
+.sp
+.LP
+Upon successful completion, the \fBaclfromtext()\fR function returns a pointer
+to a list of \fBACL\fR entries. Otherwise, it returns \fBNULL\fR.
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i)
+lw(2.75i) |lw(2.75i)
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+Interface StabilityEvolving
+_
+MT-LevelUnsafe
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBacl\fR(2), \fBmalloc\fR(3C), \fBattributes\fR(5) |
