/* only directories can have inherit flags set */
static int
remove_inherit_flags(acl_t *acl)
{
int entry_id;
acl_entry_t acl_entry;
acl_flagset_t acl_flags;
entry_id = ACL_FIRST_ENTRY;
while (acl_get_entry(*acl, entry_id, &acl_entry) > 0) {
entry_id = ACL_NEXT_ENTRY;
if (acl_get_flagset_np(acl_entry, &acl_flags) < 0)
err(EX_OSERR, "acl_get_flagset_np() failed");
acl_delete_flag_np(acl_flags, ACL_ENTRY_FILE_INHERIT);
acl_delete_flag_np(acl_flags, ACL_ENTRY_DIRECTORY_INHERIT);
acl_delete_flag_np(acl_flags, ACL_ENTRY_NO_PROPAGATE_INHERIT);
acl_delete_flag_np(acl_flags, ACL_ENTRY_INHERIT_ONLY);
if (acl_set_flagset_np(acl_entry, acl_flags) < 0)
err(EX_OSERR, "acl_set_flagset_np() failed");
}
return (0);
}
/* Remove all perms specified in modifier from rentry*/
int
subtract_from_entry(acl_entry_t rentry, acl_entry_t modifier, int* valid_perms)
{
acl_permset_t rperms, mperms;
acl_flagset_t rflags, mflags;
if (valid_perms)
*valid_perms = 0;
int i;
if ((acl_get_permset(rentry, &rperms) != 0) ||
(acl_get_flagset_np(rentry, &rflags) != 0) ||
(acl_get_permset(modifier, &mperms) != 0) ||
(acl_get_flagset_np(modifier, &mflags) != 0)) {
// err(1, "error computing ACL modification");
fprintf(stderr, "chmod: error computing ACL modification: %s\n", strerror(errno));
pthread_exit(NULL);
}
for (i = 0; acl_perms[i].name != NULL; i++) {
if (acl_get_perm_np(mperms, acl_perms[i].perm))
acl_delete_perm(rperms, acl_perms[i].perm);
else if (valid_perms && acl_get_perm_np(rperms, acl_perms[i].perm))
(*valid_perms)++;
}
for (i = 0; acl_flags[i].name != NULL; i++) {
if (acl_get_flag_np(mflags, acl_flags[i].flag))
acl_delete_flag_np(rflags, acl_flags[i].flag);
}
acl_set_permset(rentry, rperms);
acl_set_flagset_np(rentry, rflags);
return 0;
}
int
modify_file_acl(unsigned int optflags, const char *path, acl_t modifier, int position, int inheritance_level, int follow) {
acl_t oacl = NULL;
unsigned aindex = 0, flag_new_acl = 0;
acl_entry_t newent = NULL;
acl_entry_t entry = NULL;
unsigned retval = 0;
extern int chmod_fflag;
/* XXX acl_get_file() returns a zero entry ACL if an ACL was previously
* associated with the file, and has had its entries removed.
* However, POSIX 1003.1e states that a zero entry ACL should be
* returned if the caller asks for ACL_TYPE_DEFAULT, and no ACL is
* associated with the path; it
* does not specifically state that a request for ACL_TYPE_EXTENDED
* should not return a zero entry ACL, however.
*/
/* Determine if we've been given a zero entry ACL, or create an ACL if
* none exists. There are some issues to consider here: Should we create
* a zero-entry ACL for a delete or check canonicity operation?
*/
if (path == NULL)
chmod_usage();
if (optflags & ACL_CLEAR_FLAG) {
filesec_t fsec = filesec_init();
if (fsec == NULL) {
// err(1, "filesec_init() failed");
fprintf(stderr, "chmod: filesec_init() failed: %s\n", strerror(errno));
pthread_exit(NULL);
}
if (filesec_set_property(fsec, FILESEC_ACL, _FILESEC_REMOVE_ACL) != 0) {
// err(1, "filesec_set_property() failed");
fprintf(stderr, "chmod: filesec_set_property() failed: %s\n", strerror(errno));
pthread_exit(NULL);
}
if (follow) {
if (chmodx_np(path, fsec) != 0) {
if (!chmod_fflag) {
// warn("Failed to clear ACL on file %s", path);
fprintf(stderr, "chmod: Failed to clear ACL on file %s: %s\n", path, strerror(errno));
}
retval = 1;
}
} else {
int fd = open(path, O_SYMLINK);
if (fd != -1) {
if (fchmodx_np(fd, fsec) != 0) {
if (!chmod_fflag) {
fprintf(stderr, "chmod: Failed to clear ACL on file %s: %s\n", path, strerror(errno));
// warn("Failed to clear ACL on file %s", path);
}
retval = 1;
}
close(fd);
} else {
if (!chmod_fflag) {
// warn("Failed to open file %s", path);
fprintf(stderr, "chmod: Failed to open file %s: %s\n", path, strerror(errno));
}
retval = 1;
}
}
filesec_free(fsec);
return (retval);
}
if (optflags & ACL_FROM_STDIN) {
oacl = acl_dup(modifier);
} else {
if (follow) {
oacl = acl_get_file(path, ACL_TYPE_EXTENDED);
} else {
int fd = open(path, O_SYMLINK);
if (fd != -1) {
oacl = acl_get_fd_np(fd, ACL_TYPE_EXTENDED);
close(fd);
}
}
if ((oacl == NULL) ||
(acl_get_entry(oacl,ACL_FIRST_ENTRY, &newent) != 0)) {
if ((oacl = acl_init(1)) == NULL) {
// err(1, "acl_init() failed");
fprintf(stderr, "chmod: acl_init() failed: %s\n", strerror(errno));
pthread_exit(NULL);
}
flag_new_acl = 1;
position = 0;
}
if ((0 == flag_new_acl) && (optflags & (ACL_REMOVE_INHERIT_FLAG |
ACL_REMOVE_INHERITED_ENTRIES))) {
acl_t facl = NULL;
if ((facl = acl_init(1)) == NULL) {
//err(1, "acl_init() failed");
fprintf(stderr, "chmod: acl_init() failed: %s\n", strerror(errno));
pthread_exit(NULL);
}
for (aindex = 0;
acl_get_entry(oacl,
(entry == NULL ? ACL_FIRST_ENTRY :
ACL_NEXT_ENTRY), &entry) == 0;
aindex++) {
acl_flagset_t eflags;
acl_entry_t fent = NULL;
if (acl_get_flagset_np(entry, &eflags) != 0) {
fprintf(stderr, "chmod: Unable to obtain flagset: %s\n", strerror(errno));
pthread_exit(NULL);
// err(1, "Unable to obtain flagset");
}
if (acl_get_flag_np(eflags, ACL_ENTRY_INHERITED)) {
if (optflags & ACL_REMOVE_INHERIT_FLAG) {
acl_delete_flag_np(eflags, ACL_ENTRY_INHERITED);
acl_set_flagset_np(entry, eflags);
acl_create_entry(&facl, &fent);
acl_copy_entry(fent, entry);
}
}
else {
acl_create_entry(&facl, &fent);
acl_copy_entry(fent, entry);
}
}
if (oacl)
acl_free(oacl);
oacl = facl;
} else if (optflags & ACL_TO_STDOUT) {
ssize_t len; /* need to get printacl() from ls(1) */
char *text = acl_to_text(oacl, &len);
puts(text);
acl_free(text);
} else if (optflags & ACL_CHECK_CANONICITY) {
if (flag_new_acl) {
// warnx("No ACL currently associated with file '%s'", path);
fprintf(stderr, "chmod: No ACL currently associated with file '%s'\n", path);
}
retval = is_canonical(oacl);
} else if ((optflags & ACL_SET_FLAG) && (position == -1) &&
(!is_canonical(oacl))) {
// warnx("The specified file '%s' does not have an ACL in canonical order, please specify a position with +a# ", path);
fprintf(stderr, "chmod: The specified file '%s' does not have an ACL in canonical order, please specify a position with +a# \n", path);
retval = 1;
} else if (((optflags & ACL_DELETE_FLAG) && (position != -1))
|| (optflags & ACL_CHECK_CANONICITY)) {
retval = modify_acl(&oacl, NULL, optflags, position,
inheritance_level, flag_new_acl, path);
} else if ((optflags & (ACL_REMOVE_INHERIT_FLAG|ACL_REMOVE_INHERITED_ENTRIES)) && flag_new_acl) {
// warnx("No ACL currently associated with file '%s'", path);
fprintf(stderr, "chmod: No ACL currently associated with file '%s'\n", path);
retval = 1;
} else {
if (!modifier) { /* avoid bus error in acl_get_entry */
// errx(1, "Internal error: modifier should not be NULL");
fprintf(stderr, "Internal error: modifier should not be NULL\n");
pthread_exit(NULL);
}
for (aindex = 0;
acl_get_entry(modifier,
(entry == NULL ? ACL_FIRST_ENTRY :
ACL_NEXT_ENTRY), &entry) == 0;
aindex++) {
retval += modify_acl(&oacl, entry, optflags,
position, inheritance_level,
flag_new_acl, path);
}
}
}
/* XXX Potential race here, since someone else could've modified or
* read the ACL on this file (with the intention of modifying it) in
* the interval from acl_get_file() to acl_set_file(); we can
* minimize one aspect of this window by comparing the original acl
* to a fresh one from acl_get_file() but we could consider a
* "changeset" mechanism, common locking strategy, or kernel
* supplied reservation mechanism to prevent this race.
*/
if (!(optflags & (ACL_TO_STDOUT|ACL_CHECK_CANONICITY))) {
int status = -1;
if (follow) {
status = acl_set_file(path, ACL_TYPE_EXTENDED, oacl);
} else {
int fd = open(path, O_SYMLINK);
if (fd != -1) {
status = acl_set_fd_np(fd, oacl,
ACL_TYPE_EXTENDED);
close(fd);
}
}
if (status != 0) {
if (!chmod_fflag)
fprintf(stderr, "chmod: Failed to set ACL on file '%s': %s\n", path, strerror(errno));
// warn("Failed to set ACL on file '%s'", path);
retval = 1;
}
}
if (oacl)
acl_free(oacl);
return retval;
}
