NAME
mbr_check_membership,
mbr_check_service_membership —
check whether a user is a member of a
group or service ACL
SYNOPSIS
#include
<membership.h>
int
mbr_check_membership(uuid_t
user, uuid_t group,
int *ismember);
int
mbr_check_service_membership(uuid_t
user, const char
*service, int
*ismember);
DESCRIPTION
mbr_check_membership()
tests if a given user is a member of a group (either direct or indirect via
a nested group). ismember is set to 1 if the user is a
member or 0 if not a member of the group.
mbr_check_service_membership()
similarly tests if a given user is a member of a service ACL group. Service
ACLs are special groups defined with the prefix
"com.apple.access_". The service is then prefixed (e.g.,
"afp" would check "com.apple.access_afp"). There is a
special group that grants accessto all services called
"com.apple.access_all_services".
Users may belong to any number of
groups.
mbr_check_membership()
should always be used to check group membership, rather than calling
getgroups(2) or
getgrouplist(2). The
setgroups(2) and
getgroups(2) routines are limited to a fixed number of gids, and so
may not include all of a user's groups.
There are two special cases. If the two uuids are equal, then ismember is set to 1. If the group uuid is equal to the reserved "everyone" uuid (ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C), then ismember will be set to 1 for any valid user.
Group membership information is managed by opendirectoryd(8).
RETURN VALUES
mbr_check_membership() does not test
whether group exists or not. Querying membership for a
nonexistent group will result in ismember being set to
0. The function returns 0 on success or one of the following error codes on
failure:
- [
EIO] - Communication with opendirectoryd(8) failed.
- [
ENOENT] - user can not be found.
mbr_check_service_membership() is
identical to mbr_check_membership() except that
ENOENT means no service ACL has been defined.
SEE ALSO
odutil(1), setgroups(2), getgroups(2), mbr_uid_to_uuid(3), opendirectoryd(8)