MBR_CHECK_MEMBERSHIP(3) Library Functions Manual MBR_CHECK_MEMBERSHIP(3)

NAME

mbr_check_membership, mbr_check_service_membership - check whether a user is a member of a group or service ACL

SYNOPSIS

#include <membership.h>

int
mbr_check_membership(uuid_t user, uuid_t group, int *ismember);

int
mbr_check_service_membership(uuid_t user, const char *service, int *ismember);

DESCRIPTION

mbr_check_membership() tests whether a given user is a member of a group, either directly or indirectly via a nested group. ismember is set to 1 if the user is a member of the group, or 0 if not. mbr_check_service_membership() similarly tests whether a given user is a member of a service ACL group. Service ACLs are special groups whose names carry the prefix "com.apple.access_"; the service name is appended to that prefix (e.g., "afp" checks "com.apple.access_afp"). A special group named "com.apple.access_all_services" grants access to all services.

Users may belong to any number of groups. mbr_check_membership() should always be used to check group membership, rather than calling getgroups(2) or getgrouplist(2). The setgroups(2) and getgroups(2) routines are limited to a fixed number of gids, and so may not include all of a user's groups.

There are two special cases. If the two uuids are equal, then ismember is set to 1. If the group uuid is equal to the reserved "everyone" uuid (ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C), then ismember will be set to 1 for any valid user.

Group membership information is managed by opendirectoryd(8).

RETURN VALUES

mbr_check_membership() does not test whether the group exists. Querying membership for a nonexistent group results in ismember being set to 0. The function returns 0 on success or one of the following error codes on failure:

[EIO]
Communication with opendirectoryd(8) failed.
[ENOENT]
The user cannot be found.

mbr_check_service_membership() is identical to mbr_check_membership() except that ENOENT means no service ACL has been defined.
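The following is an added example, not code from this manual page or from Apple: a fail-closed wrapper that resolves a uid and a group name to UUIDs with the real mbr_uid_to_uuid(3) and mbr_group_name_to_uuid(3) calls and then applies mbr_check_membership(), treating every error return (ENOENT, EIO, unknown group) as a denial. On macOS it compiles against membership.h; on other systems a small constructed stub (an assumption for offline testing: uid 501 in "staff", uid 999 unknown, group "outage" simulating an opendirectoryd(8) failure) stands in for the library.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#ifdef __APPLE__
#include <membership.h>   /* real API: mbr_uid_to_uuid, mbr_group_name_to_uuid, mbr_check_membership */
#else
/* Constructed stand-in for non-macOS builds (assumption, not Apple's code):
 * uid 501 belongs to "staff" only, uid 999 is unknown (ENOENT), and group
 * "outage" simulates opendirectoryd(8) being unreachable (EIO). */
typedef unsigned char uuid_t[16];
static int mbr_uid_to_uuid(uid_t uid, uuid_t uu) {
    if (uid == 999) return ENOENT;
    memset(uu, 0, sizeof(uuid_t)); memcpy(uu, &uid, sizeof uid); return 0;
}
static int mbr_group_name_to_uuid(const char *name, uuid_t uu) {
    memset(uu, 0, sizeof(uuid_t)); strncpy((char *)uu + 4, name, 12); return 0;
}
static int mbr_check_membership(uuid_t user, uuid_t group, int *ismember) {
    uid_t uid; memcpy(&uid, user, sizeof uid);
    if (strncmp((char *)group + 4, "outage", 7) == 0) return EIO;
    *ismember = (uid == 501 && strncmp((char *)group + 4, "staff", 6) == 0);
    return 0;
}
#endif

enum decision { ACCESS_DENIED = 0, ACCESS_GRANTED = 1 };

/* Fail-closed membership check: grant only when the directory positively
 * reports membership. Unknown user (ENOENT), unknown group, or a directory
 * outage (EIO) all deny, so an error never widens access. Note that the
 * mbr_* calls return the errno value directly rather than -1 with errno set. */
enum decision user_in_group(uid_t uid, const char *group_name) {
    uuid_t user, group;
    int ismember = 0, rc;
    if ((rc = mbr_uid_to_uuid(uid, user)) != 0) {
        fprintf(stderr, "uid %u: %s\n", (unsigned)uid, strerror(rc));
        return ACCESS_DENIED;
    }
    if (mbr_group_name_to_uuid(group_name, group) != 0)
        return ACCESS_DENIED;   /* no such group; membership would be 0 anyway */
    rc = mbr_check_membership(user, group, &ismember);
    if (rc == EIO)
        fprintf(stderr, "opendirectoryd unreachable; failing closed\n");
    if (rc != 0)
        return ACCESS_DENIED;
    return ismember ? ACCESS_GRANTED : ACCESS_DENIED;
}
```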

SEE ALSO

odutil(1), setgroups(2), getgroups(2), mbr_uid_to_uuid(3), opendirectoryd(8)

November 5, 2011 Mac OS X