/* Remove all perms specified in modifier from rentry*/
int
subtract_from_entry(acl_entry_t rentry, acl_entry_t modifier, int* valid_perms)
{
acl_permset_t rperms, mperms;
acl_flagset_t rflags, mflags;
if (valid_perms)
*valid_perms = 0;
int i;
if ((acl_get_permset(rentry, &rperms) != 0) ||
(acl_get_flagset_np(rentry, &rflags) != 0) ||
(acl_get_permset(modifier, &mperms) != 0) ||
(acl_get_flagset_np(modifier, &mflags) != 0)) {
// err(1, "error computing ACL modification");
fprintf(stderr, "chmod: error computing ACL modification: %s\n", strerror(errno));
pthread_exit(NULL);
}
for (i = 0; acl_perms[i].name != NULL; i++) {
if (acl_get_perm_np(mperms, acl_perms[i].perm))
acl_delete_perm(rperms, acl_perms[i].perm);
else if (valid_perms && acl_get_perm_np(rperms, acl_perms[i].perm))
(*valid_perms)++;
}
for (i = 0; acl_flags[i].name != NULL; i++) {
if (acl_get_flag_np(mflags, acl_flags[i].flag))
acl_delete_flag_np(rflags, acl_flags[i].flag);
}
acl_set_permset(rentry, rperms);
acl_set_flagset_np(rentry, rflags);
return 0;
}
static int
acl_match(acl_entry_t aclent, struct myacl_t *myacl)
{
gid_t g, *gp;
uid_t u, *up;
acl_tag_t tag_type;
acl_permset_t opaque_ps;
int permset = 0;
acl_get_tag_type(aclent, &tag_type);
/* translate the silly opaque permset to a bitmap */
acl_get_permset(aclent, &opaque_ps);
if (acl_get_perm_np(opaque_ps, ACL_EXECUTE))
permset |= ARCHIVE_ENTRY_ACL_EXECUTE;
if (acl_get_perm_np(opaque_ps, ACL_WRITE))
permset |= ARCHIVE_ENTRY_ACL_WRITE;
if (acl_get_perm_np(opaque_ps, ACL_READ))
permset |= ARCHIVE_ENTRY_ACL_READ;
if (permset != myacl->permset)
return (0);
switch (tag_type) {
case ACL_USER_OBJ:
if (myacl->tag != ARCHIVE_ENTRY_ACL_USER_OBJ) return (0);
break;
case ACL_USER:
if (myacl->tag != ARCHIVE_ENTRY_ACL_USER)
return (0);
up = acl_get_qualifier(aclent);
u = *up;
acl_free(up);
if ((uid_t)myacl->qual != u)
return (0);
break;
case ACL_GROUP_OBJ:
if (myacl->tag != ARCHIVE_ENTRY_ACL_GROUP_OBJ) return (0);
break;
case ACL_GROUP:
if (myacl->tag != ARCHIVE_ENTRY_ACL_GROUP)
return (0);
gp = acl_get_qualifier(aclent);
g = *gp;
acl_free(gp);
if ((gid_t)myacl->qual != g)
return (0);
break;
case ACL_MASK:
if (myacl->tag != ARCHIVE_ENTRY_ACL_MASK) return (0);
break;
case ACL_OTHER:
if (myacl->tag != ARCHIVE_ENTRY_ACL_OTHER) return (0);
break;
}
return (1);
}
int
compare_acl_permsets(acl_permset_t aperms, acl_permset_t bperms)
{
int i;
/* TBD Implement other match levels as needed */
for (i = 0; acl_perms[i].name != NULL; i++) {
if (acl_get_perm_np(aperms, acl_perms[i].perm) !=
acl_get_perm_np(bperms, acl_perms[i].perm))
return MATCH_NONE;
}
return MATCH_EXACT;
}
static int
acl_permset_to_bitmap(acl_permset_t opaque_ps)
{
static struct { int machine; int portable; } perms[] = {
{ACL_EXECUTE, ARCHIVE_ENTRY_ACL_EXECUTE},
{ACL_WRITE, ARCHIVE_ENTRY_ACL_WRITE},
{ACL_READ, ARCHIVE_ENTRY_ACL_READ},
{ACL_READ_DATA, ARCHIVE_ENTRY_ACL_READ_DATA},
{ACL_LIST_DIRECTORY, ARCHIVE_ENTRY_ACL_LIST_DIRECTORY},
{ACL_WRITE_DATA, ARCHIVE_ENTRY_ACL_WRITE_DATA},
{ACL_ADD_FILE, ARCHIVE_ENTRY_ACL_ADD_FILE},
{ACL_APPEND_DATA, ARCHIVE_ENTRY_ACL_APPEND_DATA},
{ACL_ADD_SUBDIRECTORY, ARCHIVE_ENTRY_ACL_ADD_SUBDIRECTORY},
{ACL_READ_NAMED_ATTRS, ARCHIVE_ENTRY_ACL_READ_NAMED_ATTRS},
{ACL_WRITE_NAMED_ATTRS, ARCHIVE_ENTRY_ACL_WRITE_NAMED_ATTRS},
{ACL_DELETE_CHILD, ARCHIVE_ENTRY_ACL_DELETE_CHILD},
{ACL_READ_ATTRIBUTES, ARCHIVE_ENTRY_ACL_READ_ATTRIBUTES},
{ACL_WRITE_ATTRIBUTES, ARCHIVE_ENTRY_ACL_WRITE_ATTRIBUTES},
{ACL_DELETE, ARCHIVE_ENTRY_ACL_DELETE},
{ACL_READ_ACL, ARCHIVE_ENTRY_ACL_READ_ACL},
{ACL_WRITE_ACL, ARCHIVE_ENTRY_ACL_WRITE_ACL},
{ACL_WRITE_OWNER, ARCHIVE_ENTRY_ACL_WRITE_OWNER},
{ACL_SYNCHRONIZE, ARCHIVE_ENTRY_ACL_SYNCHRONIZE}
};
int i, permset = 0;
for (i = 0; i < (int)(sizeof(perms)/sizeof(perms[0])); ++i)
if (acl_get_perm_np(opaque_ps, perms[i].machine))
permset |= perms[i].portable;
return permset;
}
/* Add the perms specified in modifier to rentry */
static int
merge_entry_perms(acl_entry_t rentry, acl_entry_t modifier)
{
acl_permset_t rperms, mperms;
acl_flagset_t rflags, mflags;
int i;
if ((acl_get_permset(rentry, &rperms) != 0) ||
(acl_get_flagset_np(rentry, &rflags) != 0) ||
(acl_get_permset(modifier, &mperms) != 0) ||
(acl_get_flagset_np(modifier, &mflags) != 0)) {
// err(1, "error computing ACL modification");
fprintf(stderr, "chmod: error computing ACL modification: %s\n", strerror(errno));
pthread_exit(NULL);
}
for (i = 0; acl_perms[i].name != NULL; i++) {
if (acl_get_perm_np(mperms, acl_perms[i].perm))
acl_add_perm(rperms, acl_perms[i].perm);
}
for (i = 0; acl_flags[i].name != NULL; i++) {
if (acl_get_flag_np(mflags, acl_flags[i].flag))
acl_add_flag_np(rflags, acl_flags[i].flag);
}
acl_set_permset(rentry, rperms);
acl_set_flagset_np(rentry, rflags);
return 0;
}
/* Add the perms specified in modifier to rentry */
static int
merge_entry_perms(acl_entry_t rentry, acl_entry_t modifier)
{
acl_permset_t rperms, mperms;
acl_flagset_t rflags, mflags;
int i;
if ((acl_get_permset(rentry, &rperms) != 0) ||
(acl_get_flagset_np(rentry, &rflags) != 0) ||
(acl_get_permset(modifier, &mperms) != 0) ||
(acl_get_flagset_np(modifier, &mflags) != 0))
err(1, "error computing ACL modification");
for (i = 0; acl_perms[i].name != NULL; i++) {
if (acl_get_perm_np(mperms, acl_perms[i].perm))
acl_add_perm(rperms, acl_perms[i].perm);
}
for (i = 0; acl_flags[i].name != NULL; i++) {
if (acl_get_flag_np(mflags, acl_flags[i].flag))
acl_add_flag_np(rflags, acl_flags[i].flag);
}
acl_set_permset(rentry, rperms);
acl_set_flagset_np(rentry, rflags);
return 0;
}
static int check_facl(pool *p, const char *path, int mode, void *acl, int nents,
struct stat *st, uid_t uid, gid_t gid, array_header *suppl_gids) {
# if defined(HAVE_BSD_POSIX_ACL) || defined(HAVE_LINUX_POSIX_ACL)
register unsigned int i;
int have_access_entry = FALSE, res = -1;
pool *acl_pool;
acl_t facl = acl;
acl_entry_t ae;
acl_tag_t ae_type;
acl_entry_t acl_user_entry = NULL;
acl_entry_t acl_group_entry = NULL;
acl_entry_t acl_other_entry = NULL;
acl_entry_t acl_mask_entry = NULL;
array_header *acl_groups;
array_header *acl_users;
/* Iterate through all of the ACL entries, sorting them for later
* checking.
*/
res = acl_get_entry(facl, ACL_FIRST_ENTRY, &ae);
if (res < 0) {
pr_log_debug(DEBUG10, "FS: unable to retrieve first ACL entry for '%s': %s",
path, strerror(errno));
errno = EACCES;
return -1;
}
if (res == 0) {
pr_log_debug(DEBUG3, "FS: ill-formed ACL for '%s' has no entries!", path);
errno = EACCES;
return -1;
}
acl_pool = make_sub_pool(p);
acl_groups = make_array(acl_pool, 1, sizeof(acl_entry_t));
acl_users = make_array(acl_pool, 1, sizeof(acl_entry_t));
while (res > 0) {
if (acl_get_tag_type(ae, &ae_type) < 0) {
pr_log_debug(DEBUG5,
"FS: error retrieving type of ACL entry for '%s': %s", path,
strerror(errno));
res = acl_get_entry(facl, ACL_NEXT_ENTRY, &ae);
continue;
}
if (ae_type & ACL_USER_OBJ) {
acl_copy_entry(acl_user_entry, ae);
} else if (ae_type & ACL_USER) {
acl_entry_t *ae_dup = push_array(acl_users);
acl_copy_entry(*ae_dup, ae);
} else if (ae_type & ACL_GROUP_OBJ) {
acl_copy_entry(acl_group_entry, ae);
} else if (ae_type & ACL_GROUP) {
acl_entry_t *ae_dup = push_array(acl_groups);
acl_copy_entry(*ae_dup, ae);
} else if (ae_type & ACL_OTHER) {
acl_copy_entry(acl_other_entry, ae);
} else if (ae_type & ACL_MASK) {
acl_copy_entry(acl_mask_entry, ae);
}
res = acl_get_entry(facl, ACL_NEXT_ENTRY, &ae);
}
/* Select the ACL entry that determines access. */
res = -1;
/* 1. If the given user ID matches the file owner, use that entry for
* access.
*/
if (uid == st->st_uid) {
/* Check the acl_user_entry for access. */
acl_copy_entry(ae, acl_user_entry);
ae_type = ACL_USER_OBJ;
have_access_entry = TRUE;
}
/* 2. If not matched above, and f the given user ID matches one of the
* named user entries, use that entry for access.
*/
for (i = 0; !have_access_entry && i < acl_users->nelts; i++) {
acl_entry_t e = ((acl_entry_t *) acl_users->elts)[i];
if (uid == *((uid_t *) acl_get_qualifier(e))) {
/* Check this entry for access. Note that it'll need to
* be modified by the mask, if any, later.
*/
acl_copy_entry(ae, e);
ae_type = ACL_USER;
have_access_entry = TRUE;
break;
}
}
/* 3. If not matched above, and if one of the group IDs matches the
* group owner entry, and the group owner entry contains the
* requested permissions, use that entry for access.
*/
if (!have_access_entry &&
gid == st->st_gid) {
/* Check the acl_group_entry for access. First though, we need to
* see if the acl_group_entry contains the requested permissions.
*/
acl_permset_t perms;
acl_get_permset(acl_group_entry, &perms);
# if defined(HAVE_BSD_POSIX_ACL)
if (acl_get_perm_np(perms, mode) == 1) {
# elif defined(HAVE_LINUX_POSIX_ACL)
if (acl_get_perm(perms, mode) == 1) {
# endif
acl_copy_entry(ae, acl_group_entry);
ae_type = ACL_GROUP_OBJ;
have_access_entry = TRUE;
}
}
if (suppl_gids) {
for (i = 0; !have_access_entry && i < suppl_gids->nelts; i++) {
gid_t suppl_gid = ((gid_t *) suppl_gids->elts)[i];
if (suppl_gid == st->st_gid) {
/* Check the acl_group_entry for access. First though, we need to
* see if the acl_group_entry contains the requested permissions.
*/
acl_permset_t perms;
acl_get_permset(acl_group_entry, &perms);
# if defined(HAVE_BSD_POSIX_ACL)
if (acl_get_perm_np(perms, mode) == 1) {
# elif defined(HAVE_LINUX_POSIX_ACL)
if (acl_get_perm(perms, mode) == 1) {
# endif
acl_copy_entry(ae, acl_group_entry);
ae_type = ACL_GROUP_OBJ;
have_access_entry = TRUE;
break;
}
}
}
}
/* 5. If not matched above, and if one of the group IDs matches one
* of the named group entries, and that entry contains the requested
* permissions, use that entry for access.
*/
for (i = 0; !have_access_entry && i < acl_groups->nelts; i++) {
acl_entry_t e = ((acl_entry_t *) acl_groups->elts)[i];
if (gid == *((gid_t *) acl_get_qualifier(e))) {
/* Check this entry for access. Note that it'll need to
* be modified by the mask, if any, later.
*/
acl_permset_t perms;
acl_get_permset(e, &perms);
# if defined(HAVE_BSD_POSIX_ACL)
if (acl_get_perm_np(perms, mode) == 1) {
# elif defined(HAVE_LINUX_POSIX_ACL)
if (acl_get_perm(perms, mode) == 1) {
# endif
acl_copy_entry(ae, e);
ae_type = ACL_GROUP;
have_access_entry = TRUE;
break;
}
}
if (suppl_gids) {
register unsigned int j;
for (j = 0; !have_access_entry && j < suppl_gids->nelts; j++) {
gid_t suppl_gid = ((gid_t *) suppl_gids->elts)[j];
if (suppl_gid == *((gid_t *) acl_get_qualifier(e))) {
/* Check this entry for access. Note that it'll need to
* be modified by the mask, if any, later.
*/
acl_permset_t perms;
acl_get_permset(e, &perms);
# if defined(HAVE_BSD_POSIX_ACL)
if (acl_get_perm_np(perms, mode) == 1) {
# elif defined(HAVE_LINUX_POSIX_ACL)
if (acl_get_perm(perms, mode) == 1) {
# endif
acl_copy_entry(ae, e);
ae_type = ACL_GROUP;
have_access_entry = TRUE;
break;
}
}
}
}
}
/* 6. If not matched above, and if one of the group IDs matches
* the group owner or any of the named group entries, but neither
* the group owner entry nor any of the named group entries contains
* the requested permissions, access is denied.
*/
/* 7. If not matched above, the other entry determines access.
*/
if (!have_access_entry) {
acl_copy_entry(ae, acl_other_entry);
ae_type = ACL_OTHER;
have_access_entry = TRUE;
}
/* Access determination:
*
* If either the user owner entry or other entry were used, and the
* entry contains the requested permissions, access is permitted.
*
* Otherwise, if the selected entry and the mask entry both contain
* the requested permissions, access is permitted.
*
* Otherwise, access is denied.
*/
switch (ae_type) {
case ACL_USER_OBJ:
case ACL_OTHER: {
acl_permset_t perms;
acl_get_permset(ae, &perms);
# if defined(HAVE_BSD_POSIX_ACL)
if (acl_get_perm_np(perms, mode) == 1) {
# elif defined(HAVE_LINUX_POSIX_ACL)
if (acl_get_perm(perms, mode) == 1) {
# endif
res = 0;
}
break;
}
default: {
acl_permset_t ent_perms, mask_perms;
acl_get_permset(ae, &ent_perms);
acl_get_permset(acl_mask_entry, &mask_perms);
# if defined(HAVE_BSD_POSIX_ACL)
if (acl_get_perm_np(ent_perms, mode) == 1 &&
acl_get_perm_np(mask_perms, mode) == 1) {
# elif defined(HAVE_LINUX_POSIX_ACL)
if (acl_get_perm(ent_perms, mode) == 1 &&
acl_get_perm(mask_perms, mode) == 1) {
# endif
res = 0;
}
break;
}
}
destroy_pool(acl_pool);
if (res < 0)
errno = EACCES;
return res;
# elif defined(HAVE_SOLARIS_POSIX_ACL)
register unsigned int i;
int have_access_entry = FALSE, idx, res = -1;
pool *acl_pool;
aclent_t *acls = acl;
aclent_t ae;
int ae_type = 0;
aclent_t acl_user_entry;
aclent_t acl_group_entry;
aclent_t acl_other_entry;
aclent_t acl_mask_entry;
array_header *acl_groups;
array_header *acl_users;
/* In the absence of any clear documentation, I'll assume that
* Solaris ACLs follow the same selection and checking algorithm
* as do BSD and Linux.
*/
res = aclcheck(acls, nents, &idx);
switch (res) {
case 0:
break;
case GRP_ERROR:
pr_log_debug(DEBUG3, "FS: ill-formed ACL for '%s': %s", path,
"too many GROUP entries");
errno = EACCES;
return -1;
case USER_ERROR:
pr_log_debug(DEBUG3, "FS: ill-formed ACL for '%s': %s", path,
"too many USER entries");
errno = EACCES;
return -1;
case OTHER_ERROR:
pr_log_debug(DEBUG3, "FS: ill-formed ACL for '%s': %s", path,
"too many OTHER entries");
errno = EACCES;
return -1;
case CLASS_ERROR:
pr_log_debug(DEBUG3, "FS: ill-formed ACL for '%s': %s", path,
"too many CLASS entries");
errno = EACCES;
return -1;
case DUPLICATE_ERROR:
pr_log_debug(DEBUG3, "FS: ill-formed ACL for '%s': %s", path,
"duplicate entries");
errno = EACCES;
return -1;
case MISS_ERROR:
pr_log_debug(DEBUG3, "FS: ill-formed ACL for '%s': %s", path,
"missing required entry");
errno = EACCES;
return -1;
case MEM_ERROR:
pr_log_debug(DEBUG3, "FS: ill-formed ACL for '%s': %s", path,
"Out of memory!");
errno = EACCES;
return -1;
case ENTRY_ERROR:
pr_log_debug(DEBUG3, "FS: ill-formed ACL for '%s': %s", path,
"invalid entry type");
errno = EACCES;
return -1;
}
/* Iterate through all of the ACL entries, sorting them for later
* checking.
*/
acl_pool = make_sub_pool(p);
acl_groups = make_array(acl_pool, 1, sizeof(aclent_t));
acl_users = make_array(acl_pool, 1, sizeof(aclent_t));
for (i = 0; i < nents; i++) {
if (acls[i].a_type & USER_OBJ) {
memcpy(&acl_user_entry, &(acls[i]), sizeof(aclent_t));
} else if (acls[i].a_type & USER) {
aclent_t *ae_dup = push_array(acl_users);
memcpy(ae_dup, &(acls[i]), sizeof(aclent_t));
} else if (acls[i].a_type & GROUP_OBJ) {
memcpy(&acl_group_entry, &(acls[i]), sizeof(aclent_t));
} else if (acls[i].a_type & GROUP) {
aclent_t *ae_dup = push_array(acl_groups);
memcpy(ae_dup, &(acls[i]), sizeof(aclent_t));
} else if (acls[i].a_type & OTHER_OBJ) {
memcpy(&acl_other_entry, &(acls[i]), sizeof(aclent_t));
} else if (acls[i].a_type & CLASS_OBJ) {
memcpy(&acl_mask_entry, &(acls[i]), sizeof(aclent_t));
}
}
/* Select the ACL entry that determines access. */
res = -1;
/* 1. If the given user ID matches the file owner, use that entry for
* access.
*/
if (uid == st->st_uid) {
/* Check the acl_user_entry for access. */
memcpy(&ae, &acl_user_entry, sizeof(aclent_t));
ae_type = USER_OBJ;
have_access_entry = TRUE;
}
/* 2. If not matched above, and f the given user ID matches one of the
* named user entries, use that entry for access.
*/
for (i = 0; !have_access_entry && i < acl_users->nelts; i++) {
aclent_t e;
memcpy(&e, &(((aclent_t *) acl_users->elts)[i]), sizeof(aclent_t));
if (uid == e.a_id) {
/* Check this entry for access. Note that it'll need to
* be modified by the mask, if any, later.
*/
memcpy(&ae, &e, sizeof(aclent_t));
ae_type = USER;
have_access_entry = TRUE;
break;
}
}
/* 3. If not matched above, and if one of the group IDs matches the
* group owner entry, and the group owner entry contains the
* requested permissions, use that entry for access.
*/
if (!have_access_entry &&
gid == st->st_gid) {
/* Check the acl_group_entry for access. First though, we need to
* see if the acl_group_entry contains the requested permissions.
*/
if (acl_group_entry.a_perm & mode) {
memcpy(&ae, &acl_group_entry, sizeof(aclent_t));
ae_type = GROUP_OBJ;
have_access_entry = TRUE;
}
}
if (suppl_gids) {
for (i = 0; !have_access_entry && i < suppl_gids->nelts; i++) {
gid_t suppl_gid = ((gid_t *) suppl_gids->elts)[i];
if (suppl_gid == st->st_gid) {
/* Check the acl_group_entry for access. First though, we need to
* see if the acl_group_entry contains the requested permissions.
*/
if (acl_group_entry.a_perm & mode) {
memcpy(&ae, &acl_group_entry, sizeof(aclent_t));
ae_type = GROUP_OBJ;
have_access_entry = TRUE;
break;
}
}
}
}
/* 5. If not matched above, and if one of the group IDs matches one
* of the named group entries, and that entry contains the requested
* permissions, use that entry for access.
*/
for (i = 0; !have_access_entry && i < acl_groups->nelts; i++) {
aclent_t e;
memcpy(&e, &(((aclent_t *) acl_groups->elts)[i]), sizeof(aclent_t));
if (gid == e.a_id) {
/* Check this entry for access. Note that it'll need to
* be modified by the mask, if any, later.
*/
if (e.a_perm & mode) {
memcpy(&ae, &e, sizeof(aclent_t));
ae_type = GROUP;
have_access_entry = TRUE;
break;
}
}
if (suppl_gids) {
register unsigned int j;
for (j = 0; !have_access_entry && j < suppl_gids->nelts; j++) {
gid_t suppl_gid = ((gid_t *) suppl_gids->elts)[j];
if (suppl_gid == e.a_id) {
/* Check this entry for access. Note that it'll need to
* be modified by the mask, if any, later.
*/
if (e.a_perm & mode) {
memcpy(&ae, &e, sizeof(aclent_t));
ae_type = GROUP;
have_access_entry = TRUE;
break;
}
}
}
}
}
/* 6. If not matched above, and if one of the group IDs matches
* the group owner or any of the named group entries, but neither
* the group owner entry nor any of the named group entries contains
* the requested permissions, access is denied.
*/
/* 7. If not matched above, the other entry determines access.
*/
if (!have_access_entry) {
memcpy(&ae, &acl_other_entry, sizeof(aclent_t));
ae_type = OTHER_OBJ;
have_access_entry = TRUE;
}
/* Access determination:
*
* If either the user owner entry or other entry were used, and the
* entry contains the requested permissions, access is permitted.
*
* Otherwise, if the selected entry and the mask entry both contain
* the requested permissions, access is permitted.
*
* Otherwise, access is denied.
*/
switch (ae_type) {
case USER_OBJ:
case OTHER_OBJ:
if (ae.a_perm & mode)
res = 0;
break;
default:
if ((ae.a_perm & mode) &&
(acl_mask_entry.a_perm & mode))
res = 0;
break;
}
destroy_pool(acl_pool);
if (res < 0)
errno = EACCES;
return res;
# endif /* HAVE_SOLARIS_POSIX_ACL */
}
/* FSIO handlers
*/
static int facl_fsio_access(pr_fs_t *fs, const char *path, int mode,
uid_t uid, gid_t gid, array_header *suppl_gids) {
int nents = 0;
struct stat st;
void *acls;
pr_fs_clear_cache();
if (pr_fsio_stat(path, &st) < 0)
return -1;
/* Look up the acl for this path. */
# if defined(HAVE_BSD_POSIX_ACL) || defined(HAVE_LINUX_POSIX_ACL)
acls = acl_get_file(path, ACL_TYPE_ACCESS);
if (!acls) {
pr_log_debug(DEBUG10, "FS: unable to retrieve ACL for '%s': %s",
path, strerror(errno));
return -1;
}
# elif defined(HAVE_SOLARIS_POSIX_ACL)
nents = acl(path, GETACLCNT, 0, NULL);
if (nents < 0) {
pr_log_debug(DEBUG10, "FS: unable to retrieve ACL count for '%s': %s",
path, strerror(errno));
return -1;
}
acls = pcalloc(fs->fs_pool, nents * sizeof(aclent_t));
nents = acl(path, GETACL, nents, acls);
if (nents < 0) {
pr_log_debug(DEBUG10, "FS: unable to retrieve ACL for '%s': %s",
path, strerror(errno));
return -1;
}
# endif
return check_facl(fs->fs_pool, path, mode, acls, nents, &st,
uid, gid, suppl_gids);
}
static int facl_fsio_faccess(pr_fh_t *fh, int mode, uid_t uid, gid_t gid,
array_header *suppl_gids) {
int nents = 0;
struct stat st;
void *acls;
pr_fs_clear_cache();
if (pr_fsio_fstat(fh, &st) < 0)
return -1;
/* Look up the acl for this fd. */
# if defined(HAVE_BSD_POSIX_ACL) || defined(HAVE_LINUX_POSIX_ACL)
acls = acl_get_fd(PR_FH_FD(fh));
if (!acls) {
pr_log_debug(DEBUG10, "FS: unable to retrieve ACL for '%s': %s",
fh->fh_path, strerror(errno));
return -1;
}
# elif defined(HAVE_SOLARIS_POSIX_ACL)
nents = facl(PR_FH_FD(fh), GETACLCNT, 0, NULL);
if (nents < 0) {
pr_log_debug(DEBUG10, "FS: unable to retrieve ACL count for '%s': %s",
fh->fh_path, strerror(errno));
return -1;
}
acls = pcalloc(fh->fh_fs->fs_pool, nents * sizeof(aclent_t));
nents = facl(PR_FH_FD(fh), GETACL, nents, acls);
if (nents < 0) {
pr_log_debug(DEBUG10, "FS: unable to retrieve ACL for '%s': %s",
fh->fh_path, strerror(errno));
return -1;
}
# endif
return check_facl(fh->fh_fs->fs_pool, fh->fh_path, mode, acls, nents, &st,
uid, gid, suppl_gids);
}
#endif /* HAVE_POSIX_ACL */
/* Initialization routines
*/
static int facl_init(void) {
#if defined(PR_USE_FACL) && defined(HAVE_POSIX_ACL)
pr_fs_t *fs = pr_register_fs(permanent_pool, "facl", "/");
if (!fs) {
pr_log_pri(PR_LOG_ERR, MOD_FACL_VERSION ": error registering fs: %s",
strerror(errno));
return -1;
}
/* Ensure that our ACL-checking handlers are used. */
fs->access = facl_fsio_access;
fs->faccess = facl_fsio_faccess;
#endif /* PR_USE_FACL and HAVE_POSIX_ACL */
return 0;
}
/* Module Tables
*/
module facl_module = {
/* Always NULL */
NULL, NULL,
/* Module API version */
0x20,
/* Module name */
"facl",
/* Module configuration directive handlers */
NULL,
/* Module command handlers */
NULL,
/* Module authentication handlers */
NULL,
/* Module initialization */
facl_init,
/* Session initialization */
NULL,
/* Module version */
MOD_FACL_VERSION
};
/*
* Compatibility wrappers for applications compiled against libc from before
* NFSv4 ACLs were added.
*/
int
__oldacl_get_perm_np(acl_permset_t permset_d, oldacl_perm_t perm)
{
return (acl_get_perm_np(permset_d, perm));
}
static bool smb_ace_to_internal(acl_entry_t posix_ace,
struct smb_acl_entry *ace)
{
acl_tag_t tag;
acl_permset_t permset;
if (acl_get_tag_type(posix_ace, &tag) != 0) {
DEBUG(0, ("smb_acl_get_tag_type failed\n"));
return False;
}
switch(tag) {
case ACL_USER:
ace->a_type = SMB_ACL_USER;
break;
case ACL_USER_OBJ:
ace->a_type = SMB_ACL_USER_OBJ;
break;
case ACL_GROUP:
ace->a_type = SMB_ACL_GROUP;
break;
case ACL_GROUP_OBJ:
ace->a_type = SMB_ACL_GROUP_OBJ;
break;
case ACL_OTHER:
ace->a_type = SMB_ACL_OTHER;
break;
case ACL_MASK:
ace->a_type = SMB_ACL_MASK;
break;
default:
DEBUG(0, ("unknown tag type %d\n", (unsigned int)tag));
return False;
}
switch(ace->a_type) {
case SMB_ACL_USER: {
uid_t *puid = (uid_t *)acl_get_qualifier(posix_ace);
if (puid == NULL) {
DEBUG(0, ("smb_acl_get_qualifier failed\n"));
return False;
}
ace->uid = *puid;
acl_free(puid);
break;
}
case SMB_ACL_GROUP: {
gid_t *pgid = (uid_t *)acl_get_qualifier(posix_ace);
if (pgid == NULL) {
DEBUG(0, ("smb_acl_get_qualifier failed\n"));
return False;
}
ace->gid = *pgid;
acl_free(pgid);
break;
}
default:
break;
}
if (acl_get_permset(posix_ace, &permset) != 0) {
DEBUG(0, ("smb_acl_get_mode failed\n"));
return False;
}
ace->a_perm = 0;
#ifdef HAVE_ACL_GET_PERM_NP
ace->a_perm |= (acl_get_perm_np(permset, ACL_READ) ? SMB_ACL_READ : 0);
ace->a_perm |= (acl_get_perm_np(permset, ACL_WRITE) ? SMB_ACL_WRITE : 0);
ace->a_perm |= (acl_get_perm_np(permset, ACL_EXECUTE) ? SMB_ACL_EXECUTE : 0);
#else
ace->a_perm |= (acl_get_perm(permset, ACL_READ) ? SMB_ACL_READ : 0);
ace->a_perm |= (acl_get_perm(permset, ACL_WRITE) ? SMB_ACL_WRITE : 0);
ace->a_perm |= (acl_get_perm(permset, ACL_EXECUTE) ? SMB_ACL_EXECUTE : 0);
#endif
return True;
}
char *
acl_to_text(acl_t acl, ssize_t *len_p)
{
acl_tag_t tag;
acl_entry_t entry = NULL;
acl_flagset_t flags;
acl_permset_t perms;
uid_t id;
int i, first;
int isgid;
size_t bufsize = 1024;
char *buf = NULL;
if (!_ACL_VALID_ACL(acl)) {
errno = EINVAL;
return NULL;
}
if (len_p == NULL)
if ((len_p = alloca(sizeof(ssize_t))) == NULL)
goto err_nomem;
*len_p = 0;
if ((buf = malloc(bufsize)) == NULL)
goto err_nomem;
if (!raosnprintf(&buf, &bufsize, len_p, "!#acl %d", 1))
goto err_nomem;
if (acl_get_flagset_np(acl, &flags) == 0)
{
for (i = 0, first = 0; acl_flags[i].name != NULL; ++i)
{
if (acl_flags[i].type & ACL_TYPE_ACL
&& acl_get_flag_np(flags, acl_flags[i].flag) != 0)
{
if(!raosnprintf(&buf, &bufsize, len_p, "%s%s",
first++ ? "," : " ", acl_flags[i].name))
goto err_nomem;
}
}
}
for (;acl_get_entry(acl,
entry == NULL ? ACL_FIRST_ENTRY : ACL_NEXT_ENTRY, &entry) == 0;)
{
int valid;
uuid_t *uu;
char *str, uu_str[37];
if (((uu = (uuid_t *) acl_get_qualifier(entry)) == NULL)
|| (acl_get_tag_type(entry, &tag) != 0)
|| (acl_get_flagset_np(entry, &flags) != 0)
|| (acl_get_permset(entry, &perms) != 0)) {
if (uu != NULL) acl_free(uu);
continue;
}
uuid_unparse_upper(*uu, uu_str);
if ((str = uuid_to_name(uu, &id, &isgid)) != NULL) {
valid = raosnprintf(&buf, &bufsize, len_p, "\n%s:%s:%s:%d:%s",
isgid ? "group" : "user",
uu_str,
str,
id,
(tag == ACL_EXTENDED_ALLOW) ? "allow" : "deny");
} else {
valid = raosnprintf(&buf, &bufsize, len_p, "\nuser:%s:::%s",
uu_str,
(tag == ACL_EXTENDED_ALLOW) ? "allow" : "deny");
}
free(str);
acl_free(uu);
if (!valid)
goto err_nomem;
for (i = 0; acl_flags[i].name != NULL; ++i)
{
if (acl_flags[i].type & (ACL_TYPE_DIR | ACL_TYPE_FILE))
{
if(acl_get_flag_np(flags, acl_flags[i].flag) != 0)
{
if(!raosnprintf(&buf, &bufsize, len_p, ",%s",
acl_flags[i].name))
goto err_nomem;
}
}
}
for (i = 0, first = 0; acl_perms[i].name != NULL; ++i)
{
if (acl_perms[i].type & (ACL_TYPE_DIR | ACL_TYPE_FILE))
{
if(acl_get_perm_np(perms, acl_perms[i].perm) != 0)
{
if(!raosnprintf(&buf, &bufsize, len_p, "%s%s",
first++ ? "," : ":", acl_perms[i].name))
goto err_nomem;
}
}
}
}
buf[(*len_p)++] = '\n';
buf[(*len_p)] = 0;
return buf;
err_nomem:
if (buf != NULL)
free(buf);
errno = ENOMEM;
return NULL;
}
