fsal_status_t fsal_check_access(fsal_op_context_t * p_context, /* IN */ fsal_accessflags_t access_type, /* IN */ struct stat *p_buffstat, /* IN */ fsal_attrib_list_t * p_object_attributes /* IN */ ) { /* sanity checks. */ if((!p_object_attributes && !p_buffstat) || !p_context) ReturnCode(ERR_FSAL_FAULT, 0); /* The root user ignores the mode/uid/gid of the file */ #ifdef _USE_HPSS if(p_context->credential.hpss_usercred.Uid == 0) ReturnCode(ERR_FSAL_NO_ERROR, 0); #else if(p_context->credential.user == 0) ReturnCode(ERR_FSAL_NO_ERROR, 0); #endif #ifdef _USE_NFS4_ACL /* If ACL exists and given access type is ace4 mask, use ACL to check access. */ LogDebug(COMPONENT_FSAL, "fsal_check_access: pattr=%p, pacl=%p, is_ace4_mask=%d", p_object_attributes, p_object_attributes ? p_object_attributes->acl : 0, IS_FSAL_ACE4_MASK_VALID(access_type)); if(p_object_attributes && p_object_attributes->acl && IS_FSAL_ACE4_MASK_VALID(access_type)) { return fsal_check_access_acl(p_context, FSAL_ACE4_MASK(access_type), p_object_attributes); } #endif /* Use mode to check access. */ return fsal_check_access_no_acl(p_context, FSAL_MODE_MASK(access_type), p_buffstat, p_object_attributes); LogDebug(COMPONENT_FSAL, "fsal_check_access: invalid access_type = 0X%x", access_type); ReturnCode(ERR_FSAL_ACCESS, 0); }
/* XXX : ACL */ fsal_status_t fsal_internal_testAccess(fsal_op_context_t * p_context, /* IN */ fsal_accessflags_t access_type, /* IN */ struct stat * p_buffstat, /* IN */ fsal_attrib_list_t * p_object_attributes /* IN */ ) { fsal_accessflags_t missing_access; unsigned int is_grp, i; fsal_uid_t uid; fsal_gid_t gid; fsal_accessmode_t mode; fsal_uid_t userid = ((vfsfsal_op_context_t *)p_context)->credential.user; fsal_uid_t groupid = ((vfsfsal_op_context_t *)p_context)->credential.group; /* sanity checks. */ if((!p_object_attributes && !p_buffstat) || !p_context) ReturnCode(ERR_FSAL_FAULT, 0); /* If the FSAL_F_OK flag is set, returns ERR INVAL */ if(access_type & FSAL_F_OK) ReturnCode(ERR_FSAL_INVAL, 0); /* test root access */ if(userid == 0) ReturnCode(ERR_FSAL_NO_ERROR, 0); /* unsatisfied flags */ missing_access = FSAL_MODE_MASK(access_type); /* only modes, no ACLs here */ if(p_object_attributes) { uid = p_object_attributes->owner; gid = p_object_attributes->group; mode = p_object_attributes->mode; } else { uid = p_buffstat->st_uid; gid = p_buffstat->st_gid; mode = unix2fsal_mode(p_buffstat->st_mode); } /* Test if file belongs to user. */ if(userid == uid) { LogFullDebug(COMPONENT_FSAL, "File belongs to user %d", uid); if(mode & FSAL_MODE_RUSR) missing_access &= ~FSAL_R_OK; if(mode & FSAL_MODE_WUSR) missing_access &= ~FSAL_W_OK; if(mode & FSAL_MODE_XUSR) missing_access &= ~FSAL_X_OK; /* handle the creation of a new 500 file correctly */ if((missing_access & FSAL_OWNER_OK) != 0) missing_access = 0; if(missing_access == 0) ReturnCode(ERR_FSAL_NO_ERROR, 0); else { LogFullDebug(COMPONENT_FSAL, "Mode=%#o, Access=%#o, Rights missing: %#o", mode, access_type, missing_access); ReturnCode(ERR_FSAL_ACCESS, 0); } } /* missing_access will be nonzero triggering a failure * even though FSAL_OWNER_OK is not even a real posix file * permission */ missing_access &= ~FSAL_OWNER_OK; /* Test if the file belongs to user's group. */ is_grp = (groupid == gid); if(is_grp) LogFullDebug(COMPONENT_FSAL, "File belongs to user's group %d", groupid); /* Test if file belongs to alt user's groups */ if(!is_grp) { for(i = 0; i < ((vfsfsal_op_context_t *)p_context)->credential.nbgroups; i++) { is_grp = (((vfsfsal_op_context_t *)p_context)->credential.alt_groups[i] == gid); if(is_grp) LogFullDebug(COMPONENT_FSAL, "File belongs to user's alt group %d", ((vfsfsal_op_context_t *)p_context)->credential.alt_groups[i]); // exits loop if found if(is_grp) break; } } /* finally apply group rights */ if(is_grp) { if(mode & FSAL_MODE_RGRP) missing_access &= ~FSAL_R_OK; if(mode & FSAL_MODE_WGRP) missing_access &= ~FSAL_W_OK; if(mode & FSAL_MODE_XGRP) missing_access &= ~FSAL_X_OK; if(missing_access == 0) ReturnCode(ERR_FSAL_NO_ERROR, 0); else ReturnCode(ERR_FSAL_ACCESS, 0); } /* test other perms */ if(mode & FSAL_MODE_ROTH) missing_access &= ~FSAL_R_OK; if(mode & FSAL_MODE_WOTH) missing_access &= ~FSAL_W_OK; if(mode & FSAL_MODE_XOTH) missing_access &= ~FSAL_X_OK; /* XXX ACLs. */ if(missing_access == 0) ReturnCode(ERR_FSAL_NO_ERROR, 0); else ReturnCode(ERR_FSAL_ACCESS, 0); }
/* XXX : ACL */ fsal_status_t fsal_internal_testAccess(posixfsal_op_context_t * p_context, /* IN */ fsal_accessflags_t access_type, /* IN */ struct stat * p_buffstat, /* IN */ fsal_attrib_list_t * p_object_attributes /* IN */ ) { fsal_accessflags_t missing_access; unsigned int is_grp, i; fsal_uid_t uid; fsal_gid_t gid; fsal_accessmode_t mode; /* sanity checks. */ if((!p_object_attributes && !p_buffstat) || !p_context) ReturnCode(ERR_FSAL_FAULT, 0); /* If the FSAL_F_OK flag is set, returns ERR INVAL */ if(access_type & FSAL_F_OK) ReturnCode(ERR_FSAL_INVAL, 0); /* test root access */ if(p_context->credential.user == 0) ReturnCode(ERR_FSAL_NO_ERROR, 0); /* unsatisfied flags */ missing_access = FSAL_MODE_MASK(access_type); /* only modes, no ACLs here */ if(p_object_attributes) { uid = p_object_attributes->owner; gid = p_object_attributes->group; mode = p_object_attributes->mode; } else { uid = p_buffstat->st_uid; gid = p_buffstat->st_gid; mode = unix2fsal_mode(p_buffstat->st_mode); } /* Test if file belongs to user. */ if(p_context->credential.user == uid) { LogFullDebug(COMPONENT_FSAL, "File belongs to user %d", uid); if(mode & FSAL_MODE_RUSR) missing_access &= ~FSAL_R_OK; if(mode & FSAL_MODE_WUSR) missing_access &= ~FSAL_W_OK; if(mode & FSAL_MODE_XUSR) missing_access &= ~FSAL_X_OK; if((missing_access & FSAL_OWNER_OK) != 0) missing_access = 0; if(missing_access == 0) ReturnCode(ERR_FSAL_NO_ERROR, 0); else ReturnCode(ERR_FSAL_ACCESS, 0); } /* FSAL_OWNER_OK allows overriding checks if the file is owned by the * requester. It shouldn't take part in any further tests */ missing_access &= ~FSAL_OWNER_OK; /* Test if the file belongs to user's group. */ is_grp = (p_context->credential.group == gid); if(is_grp) LogFullDebug(COMPONENT_FSAL, "File belongs to user's group %d", p_context->credential.group); /* Test if file belongs to alt user's groups */ if(!is_grp) { for(i = 0; i < p_context->credential.nbgroups; i++) { is_grp = (p_context->credential.alt_groups[i] == gid); if(is_grp) LogFullDebug(COMPONENT_FSAL, "File belongs to user's alt group %d", p_context->credential.alt_groups[i]); // exits loop if found if(is_grp) break; } } /* finally apply group rights */ if(is_grp) { if(mode & FSAL_MODE_RGRP) missing_access &= ~FSAL_R_OK; if(mode & FSAL_MODE_WGRP) missing_access &= ~FSAL_W_OK; if(mode & FSAL_MODE_XGRP) missing_access &= ~FSAL_X_OK; if(missing_access == 0) ReturnCode(ERR_FSAL_NO_ERROR, 0); else ReturnCode(ERR_FSAL_ACCESS, 0); } /* test other perms */ if(mode & FSAL_MODE_ROTH) missing_access &= ~FSAL_R_OK; if(mode & FSAL_MODE_WOTH) missing_access &= ~FSAL_W_OK; if(mode & FSAL_MODE_XOTH) missing_access &= ~FSAL_X_OK; /* XXX ACLs. */ if(missing_access == 0) ReturnCode(ERR_FSAL_NO_ERROR, 0); else ReturnCode(ERR_FSAL_ACCESS, 0); }
/* Check the access from an existing fsal_attrib_list_t or struct stat */ fsal_status_t fsal_internal_testAccess(cephfsal_op_context_t* context, fsal_accessflags_t access_type, struct stat * st, fsal_attrib_list_t * object_attributes) { fsal_accessflags_t missing_access; unsigned int is_grp, i; fsal_uid_t uid; fsal_gid_t gid; fsal_accessmode_t mode; fsal_uid_t userid = context->credential.user; fsal_uid_t groupid = context->credential.group; /* sanity checks. */ if((!object_attributes && !st) || !context) ReturnCode(ERR_FSAL_FAULT, 0); /* If the FSAL_F_OK flag is set, returns ERR INVAL */ if(access_type & FSAL_F_OK) ReturnCode(ERR_FSAL_INVAL, 0); /* test root access */ if(userid == 0) ReturnCode(ERR_FSAL_NO_ERROR, 0); /* unsatisfied flags */ missing_access = FSAL_MODE_MASK(access_type); /* only modes, no ACLs here */ if(object_attributes) { uid = object_attributes->owner; gid = object_attributes->group; mode = object_attributes->mode; } else { uid = st->st_uid; gid = st->st_gid; mode = unix2fsal_mode(st->st_mode); } /* Test if file belongs to user. */ if(userid == uid) { LogFullDebug(COMPONENT_FSAL, "File belongs to user %d", uid); if(mode & FSAL_MODE_RUSR) missing_access &= ~FSAL_R_OK; if(mode & FSAL_MODE_WUSR) missing_access &= ~FSAL_W_OK; if(mode & FSAL_MODE_XUSR) missing_access &= ~FSAL_X_OK; if((missing_access & FSAL_OWNER_OK) != 0) missing_access = 0; if(missing_access == 0) ReturnCode(ERR_FSAL_NO_ERROR, 0); else { LogFullDebug(COMPONENT_FSAL, "Mode=%#o, Access=%#o, Rights missing: %#o", mode, access_type, missing_access); ReturnCode(ERR_FSAL_ACCESS, 0); } } /* Test if the file belongs to user's group. */ is_grp = (groupid == gid); if(is_grp) LogFullDebug(COMPONENT_FSAL, "File belongs to user's group %d", groupid); /* Test if file belongs to alt user's groups */ if(!is_grp) { for(i = 0; i < context->credential.nbgroups; i++) { is_grp = context->credential.alt_groups[i] == gid; if(is_grp) LogFullDebug(COMPONENT_FSAL, "File belongs to user's alt group %d", context->credential.alt_groups[i]); // exits loop if found if(is_grp) break; } } /* finally apply group rights */ if(is_grp) { if(mode & FSAL_MODE_RGRP) missing_access &= ~FSAL_R_OK; if(mode & FSAL_MODE_WGRP) missing_access &= ~FSAL_W_OK; if(mode & FSAL_MODE_XGRP) missing_access &= ~FSAL_X_OK; if(missing_access == 0) ReturnCode(ERR_FSAL_NO_ERROR, 0); else ReturnCode(ERR_FSAL_ACCESS, 0); } /* test other perms */ if(mode & FSAL_MODE_ROTH) missing_access &= ~FSAL_R_OK; if(mode & FSAL_MODE_WOTH) missing_access &= ~FSAL_W_OK; if(mode & FSAL_MODE_XOTH) missing_access &= ~FSAL_X_OK; if(missing_access == 0) ReturnCode(ERR_FSAL_NO_ERROR, 0); else ReturnCode(ERR_FSAL_ACCESS, 0); }