src/server/daemon/acl.c

Mon, 06 Mar 2017 17:30:52 +0100

author
Olaf Wintermann <olaf.wintermann@gmail.com>
date
Mon, 06 Mar 2017 17:30:52 +0100
branch
srvctrl
changeset 178
4760f7f1b197
parent 141
ff311b63c3af
child 202
c374d11d6720
permissions
-rw-r--r--

closes branch srvctrl

51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
1 /*
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
2 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
3 *
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
4 * Copyright 2013 Olaf Wintermann. All rights reserved.
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
5 *
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
6 * Redistribution and use in source and binary forms, with or without
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
7 * modification, are permitted provided that the following conditions are met:
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
8 *
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
9 * 1. Redistributions of source code must retain the above copyright
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
10 * notice, this list of conditions and the following disclaimer.
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
11 *
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
12 * 2. Redistributions in binary form must reproduce the above copyright
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
13 * notice, this list of conditions and the following disclaimer in the
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
14 * documentation and/or other materials provided with the distribution.
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
15 *
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
16 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
17 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
20 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
21 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
22 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
23 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
24 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
25 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
26 * POSSIBILITY OF SUCH DAMAGE.
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
27 */
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
28
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
29 #include <stdio.h>
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
30 #include <stdlib.h>
73
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
31 #include <unistd.h>
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
32
63
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
33 #include "../util/util.h"
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
34 #include "../util/pool.h"
141
ff311b63c3af many fixes
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 109
diff changeset
35 #include "../util/pblock.h"
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
36 #include "../safs/auth.h"
73
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
37 #include "log.h"
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
38 #include "acl.h"
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
39
141
ff311b63c3af many fixes
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 109
diff changeset
40 #define AUTH_TYPE_BASIC "basic"
ff311b63c3af many fixes
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 109
diff changeset
41
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
42 void acllist_createhandle(Session *sn, Request *rq) {
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
43 ACLListHandle *handle = pool_malloc(sn->pool, sizeof(ACLListHandle));
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
44 handle->defaultauthdb = NULL;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
45 handle->listhead = NULL;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
46 handle->listtail = NULL;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
47 rq->acllist = handle;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
48 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
49
52
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
50 /*
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
51 * append or prepend an ACL
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
52 */
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
53 void acllist_add(Session *sn, Request *rq, ACLList *acl, int append) {
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
54 if(!rq->acllist) {
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
55 acllist_createhandle(sn, rq);
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
56 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
57 ACLListHandle *list = rq->acllist;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
58
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
59 if(!list->defaultauthdb && acl->authdb) {
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
60 list->defaultauthdb = acl->authdb;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
61 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
62
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
63 ACLListElm *elm = pool_malloc(sn->pool, sizeof(ACLListElm));
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
64 elm->acl = acl;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
65 elm->next = NULL;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
66 if(list->listhead == NULL) {
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
67 list->listhead = elm;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
68 list->listtail = elm;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
69 } else {
52
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
70 if(append) {
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
71 list->listtail->next = elm;
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
72 list->listtail = elm;
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
73 } else {
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
74 elm->next = list->listhead;
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
75 list->listhead = elm;
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
76 }
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
77 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
78 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
79
52
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
80 void acllist_append(Session *sn, Request *rq, ACLList *acl) {
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
81 acllist_add(sn, rq, acl, 1);
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
82 }
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
83
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
84 void acllist_prepend(Session *sn, Request *rq, ACLList *acl) {
52
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
85 acllist_add(sn, rq, acl, 0);
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
86 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
87
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
88 uint32_t acl_oflag2mask(int oflags) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
89 /* TODO:
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
90 * maybe there is a plattform where O_RDWR is not O_RDONLY | O_WRONLY
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
91 */
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
92 uint32_t access_mask = 0;
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
93 if((oflags & O_RDONLY) == O_RDONLY) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
94 access_mask |= ACL_READ_DATA;
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
95 }
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
96 if((oflags & O_WRONLY) == O_WRONLY) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
97 access_mask |= ACL_WRITE_DATA;
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
98 }
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
99 return access_mask;
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
100 }
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
101
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
102 User* acllist_getuser(Session *sn, Request *rq, ACLListHandle *list) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
103 if(!sn || !rq || !list) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
104 return NULL;
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
105 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
106
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
107 // get user
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
108 User *user = NULL;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
109 if(list->defaultauthdb) {
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
110 char *usr;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
111 char *pw;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
112 if(!basicauth_getuser(sn, rq, &usr, &pw)) {
66
74babc0082b7 added authentication cache
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 63
diff changeset
113 int pwok;
74babc0082b7 added authentication cache
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 63
diff changeset
114 user = authdb_get_and_verify(list->defaultauthdb, usr, pw, &pwok);
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
115 if(!user) {
66
74babc0082b7 added authentication cache
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 63
diff changeset
116 // wrong user or wrong password
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
117 return NULL;
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
118 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
119 // ok - user is authenticated
141
ff311b63c3af many fixes
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 109
diff changeset
120 pblock_kvinsert(
ff311b63c3af many fixes
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 109
diff changeset
121 pb_key_auth_user,
ff311b63c3af many fixes
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 109
diff changeset
122 user->name,
ff311b63c3af many fixes
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 109
diff changeset
123 strlen(user->name),
ff311b63c3af many fixes
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 109
diff changeset
124 rq->vars);
ff311b63c3af many fixes
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 109
diff changeset
125 pblock_kvinsert(
ff311b63c3af many fixes
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 109
diff changeset
126 pb_key_auth_type,
ff311b63c3af many fixes
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 109
diff changeset
127 AUTH_TYPE_BASIC,
ff311b63c3af many fixes
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 109
diff changeset
128 sizeof(AUTH_TYPE_BASIC)-1,
ff311b63c3af many fixes
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 109
diff changeset
129 rq->vars);
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
130 }
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
131 }
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
132
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
133 return user;
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
134 }
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
135
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
136 void acl_set_error_status(Session *sn, Request *rq, ACLList *acl, User *user) {
63
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
137 if(sn == NULL || rq == NULL) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
138 return;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
139 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
140
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
141 if(!user) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
142 char *value = NULL;
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
143 if(acl->authprompt) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
144 size_t realmlen = strlen(acl->authprompt);
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
145 size_t len = realmlen + 16;
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
146 value = pool_malloc(sn->pool, len);
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
147 if(value) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
148 snprintf(
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
149 value,
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
150 len,
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
151 "Basic realm=\"%s\"",
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
152 acl->authprompt);
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
153 }
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
154 }
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
155 if(!value) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
156 value = "Basic realm=\"login\"";
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
157 }
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
158 pblock_nvinsert("www-authenticate", value, rq->srvhdrs);
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
159 protocol_status(sn, rq, PROTOCOL_UNAUTHORIZED, NULL);
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
160 } else {
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
161 protocol_status(sn, rq, PROTOCOL_FORBIDDEN, NULL);
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
162 }
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
163 }
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
164
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
165 int acl_evaluate(Session *sn, Request *rq, int access_mask) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
166 ACLListHandle *list = rq->acllist;
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
167 if(!list) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
168 return REQ_PROCEED;
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
169 }
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
170
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
171 // we combine access_mask with the required access rights
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
172 access_mask |= rq->aclreqaccess;
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
173
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
174 // get user
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
175 User *user = acllist_getuser(sn, rq, list);
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
176
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
177 // evalutate all ACLs
63
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
178 ACLList *acl = acl_evallist(list, user, access_mask, NULL);
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
179 if(acl) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
180 acl_set_error_status(sn, rq, acl, user);
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
181 // TODO: don't free the user here
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
182 if(user) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
183 user->free(user);
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
184 }
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
185 return REQ_ABORTED;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
186 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
187
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
188 // access allowed, we can free the user
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
189 if(user) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
190 user->free(user);
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
191 }
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
192
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
193 return REQ_PROCEED;
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
194 }
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
195
63
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
196 ACLList* acl_evallist(
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
197 ACLListHandle *list,
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
198 User *user,
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
199 int access_mask,
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
200 ACLList **externacl)
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
201 {
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
202 if(!list) {
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
203 return NULL;
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
204 }
63
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
205 if(externacl) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
206 *externacl = NULL;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
207 }
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
208
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
209 // evaluate each acl until one denies access
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
210 ACLListElm *elm = list->listhead;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
211 while(elm) {
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
212 ACLList *acl = elm->acl;
63
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
213 if(acl->isextern) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
214 // set externacl to the first external acl
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
215 if(externacl && *externacl == NULL) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
216 *externacl = acl;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
217 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
218 } else if(!acl->check(acl, user, access_mask)) {
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
219 // the acl denies access
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
220 return acl;
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
221 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
222 elm = elm->next;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
223 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
224
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
225 // ok - all acls allowed access
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
226
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
227 return NULL;
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
228 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
229
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
230 int wsacl_affects_user(WSAce *ace, User *user) {
52
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
231 int check_access = 0;
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
232
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
233 /*
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
234 * an ace can affect
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
235 * a named user or group (ace->who is set)
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
236 * the owner of the resource (ACL_OWNER is set)
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
237 * the owning group of the resource (ACL_GROUP is set)
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
238 * everyone (ACL_EVERYONE is set)
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
239 *
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
240 * Only one of this conditions should be true. The behavior on
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
241 * illegal flag combination is undefined. We assume that the acls
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
242 * are created correctly by the configuration loader.
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
243 */
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
244
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
245 if(ace->who && user) {
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
246 // this ace is defined for a named user or group
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
247 if((ace->flags & ACL_IDENTIFIER_GROUP) == ACL_IDENTIFIER_GROUP) {
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
248 if(user->check_group(user, ace->who)) {
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
249 // the user is in the group
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
250 check_access = 1;
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
251 }
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
252 } else {
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
253 if(!strcmp(user->name, ace->who)) {
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
254 check_access = 1;
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
255 }
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
256 }
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
257 } else if((ace->flags & ACL_OWNER) == ACL_OWNER) {
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
258 // TODO
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
259 } else if((ace->flags & ACL_GROUP) == ACL_GROUP) {
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
260 // TODO
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
261 } else if((ace->flags & ACL_EVERYONE) == ACL_EVERYONE) {
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
262 check_access = 1;
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
263 }
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
264
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
265 return check_access;
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
266 }
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
267
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
268 int wsacl_check(WSAcl *acl, User *user, int access_mask) {
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
269 int allow = 0;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
270 uint32_t allowed_access = 0;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
271 // check each access control entry
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
272 for(int i=0;i<acl->acenum;i++) {
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
273 WSAce *ace = acl->ace[i];
52
aced2245fb1c new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 51
diff changeset
274 if(wsacl_affects_user(ace, user)) {
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
275 if(ace->type == ACL_TYPE_ALLOWED) {
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
276 // add all new access rights
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
277 allowed_access |= (access_mask & ace->access_mask);
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
278 // check if we have all requested rights
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
279 if((allowed_access & access_mask) == access_mask) {
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
280 allow = 1;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
281 break;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
282 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
283 } else {
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
284 // ACL_TYPE_DENIED
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
285
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
286 if((ace->access_mask & access_mask) != 0) {
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
287 // access denied
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
288 break;
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
289 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
290 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
291 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
292 }
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
293
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
294 // TODO: events
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
295
54
3a1d5a52adfc new vfs api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 53
diff changeset
296 return allow; // allow is 0, if no ace set it to 1
51
b28cf69f42e8 added acls
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
diff changeset
297 }
63
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
298
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
299
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
300 /* filesystem acl functions */
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
301
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
302 #if defined (__SVR4) && defined (__sun)
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
303
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
304 #include <sys/acl.h>
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
305
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
306 int solaris_acl_check(
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
307 char *path,
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
308 struct stat *s,
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
309 uint32_t mask,
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
310 uid_t uid,
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
311 gid_t gid);
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
312 int solaris_acl_affects_user(
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
313 ace_t *ace,
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
314 uid_t uid,
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
315 gid_t gid,
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
316 uid_t owner,
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
317 gid_t owninggroup);
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
318
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
319 int fs_acl_check(SysACL *acl, User *user, char *path, uint32_t access_mask) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
320 sstr_t p;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
321 if(path[0] != '/') {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
322 size_t n = 128;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
323 char *cwd = malloc(n);
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
324 while(!getcwd(cwd, n)) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
325 if(errno == ERANGE) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
326 n *= 2;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
327 cwd = realloc(cwd, n);
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
328 } else {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
329 free(cwd);
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
330 return 0;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
331 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
332 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
333 sstr_t wd = sstr(cwd);
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
334 sstr_t pp = sstr(path);
100
e9bb8449df02 fixed solaris build
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 93
diff changeset
335
e9bb8449df02 fixed solaris build
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 93
diff changeset
336 p = sstrcat(3, wd, sstrn("/", 1), pp);
63
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
337 } else {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
338 p = sstrdup(sstr(path));
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
339 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
340 if(p.ptr[p.length-1] == '/') {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
341 p.ptr[p.length-1] = 0;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
342 p.length--;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
343 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
344
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
345 // get uid/gid
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
346 struct passwd pw;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
347 if(user) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
348 char *pwbuf = malloc(DEF_PWBUF);
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
349 if(pwbuf == NULL) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
350 free(p.ptr);
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
351 return 0;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
352 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
353 if(!util_getpwnam(user->name, &pw, pwbuf, DEF_PWBUF)) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
354 free(pwbuf);
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
355 free(p.ptr);
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
356 return 0;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
357 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
358 free(pwbuf);
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
359 acl->user_uid = pw.pw_uid;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
360 acl->user_gid = pw.pw_gid;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
361 } else {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
362 acl->user_uid = -1;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
363 acl->user_gid = -1;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
364 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
365
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
366 // translate access_mask
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
367 uint32_t mask = 0;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
368 if((access_mask & ACL_READ_DATA) == ACL_READ_DATA) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
369 mask |= ACE_READ_DATA;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
370 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
371 if((access_mask & ACL_WRITE_DATA) == ACL_WRITE_DATA) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
372 mask |= ACE_WRITE_DATA;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
373 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
374 if((access_mask & ACL_ADD_FILE) == ACL_ADD_FILE) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
375 mask |= ACE_ADD_FILE;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
376 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
377 if((access_mask & ACL_READ_XATTR) == ACL_READ_XATTR) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
378 mask |= ACE_READ_NAMED_ATTRS;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
379 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
380 if((access_mask & ACL_WRITE_XATTR) == ACL_WRITE_XATTR) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
381 mask |= ACE_WRITE_NAMED_ATTRS;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
382 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
383 if((access_mask & ACL_EXECUTE) == ACL_EXECUTE) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
384 mask |= ACE_EXECUTE;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
385 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
386 if((access_mask & ACL_DELETE) == ACL_DELETE) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
387 mask |= ACE_DELETE_CHILD;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
388 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
389 if((access_mask & ACL_READ_ATTRIBUTES) == ACL_READ_ATTRIBUTES) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
390 mask |= ACE_READ_ATTRIBUTES;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
391 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
392 if((access_mask & ACL_WRITE_ATTRIBUTES) == ACL_WRITE_ATTRIBUTES) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
393 mask |= ACE_WRITE_ATTRIBUTES;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
394 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
395 if((access_mask & ACL_LIST) == ACL_LIST) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
396 mask |= ACE_LIST_DIRECTORY;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
397 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
398 if((access_mask & ACL_READ_ACL) == ACL_READ_ACL) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
399 mask |= ACE_READ_ACL;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
400 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
401 if((access_mask & ACL_WRITE_ACL) == ACL_WRITE_ACL) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
402 mask |= ACE_WRITE_ACL;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
403 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
404 if((access_mask & ACL_WRITE_OWNER) == ACL_WRITE_OWNER) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
405 mask |= ACE_WRITE_OWNER;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
406 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
407 if((access_mask & ACL_SYNCHRONIZE) == ACL_SYNCHRONIZE) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
408 mask |= ACE_SYNCHRONIZE;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
409 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
410
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
411 /*
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
412 * If the vfs wants to create new files, path does not name an existing
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
413 * file. In this case, we check if the user has the ACE_ADD_FILE
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
414 * permission for the parent directory
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
415 */
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
416 struct stat s;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
417 if(stat(p.ptr, &s)) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
418 if(errno != ENOENT) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
419 perror("fs_acl_check: stat");
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
420 free(p.ptr);
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
421 return 0;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
422 } else {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
423 mask = ACE_ADD_FILE;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
424 p = util_path_remove_last(p);
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
425 if(stat(p.ptr, &s)) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
426 free(p.ptr);
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
427 return 0;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
428 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
429 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
430 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
431
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
432 /*
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
433 * perform a acl check for the path and each parent directory
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
434 * we don't check the file system root
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
435 *
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
436 * after the first check, we check only search permission for the
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
437 * directories
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
438 */
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
439 if(!solaris_acl_check(p.ptr, &s, mask, pw.pw_uid, pw.pw_gid)) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
440 free(p.ptr);
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
441 return 0;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
442 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
443
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
444 p = util_path_remove_last(p);
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
445 mask = ACE_LIST_DIRECTORY;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
446 while(p.length > 1) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
447 if(stat(p.ptr, &s)) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
448 free(p.ptr);
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
449 return 0;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
450 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
451 if(!solaris_acl_check(p.ptr, &s, mask, pw.pw_uid, pw.pw_gid)) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
452 free(p.ptr);
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
453 return 0;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
454 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
455
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
456 // cut the last file name from the path
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
457 p = util_path_remove_last(p);
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
458 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
459
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
460
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
461 return 1;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
462 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
463
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
464 int solaris_acl_check(
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
465 char *path,
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
466 struct stat *s,
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
467 uint32_t mask,
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
468 uid_t uid,
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
469 gid_t gid)
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
470 {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
471 //printf("solaris_acl_check %s\n", path);
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
472
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
473 int nace = acl(path, ACE_GETACLCNT, 0, NULL);
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
474 if(nace == -1) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
475 perror("acl: ACE_GETACLCNT");
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
476 // TODO: log error
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
477 return 0;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
478 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
479 ace_t *aces = calloc(nace, sizeof(ace_t));
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
480 if(acl(path, ACE_GETACL, nace, aces) == 1) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
481 perror("acl: ACE_GETACL");
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
482 // TODO: log error
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
483 free(aces);
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
484 return 0;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
485 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
486
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
487 int allow = 0;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
488 uint32_t allowed_access = 0;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
489 for(int i=0;i<nace;i++) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
490 ace_t ace = aces[i];
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
491 if(solaris_acl_affects_user(&ace, uid, gid, s->st_uid, s->st_gid)) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
492 if(ace.a_type == ACE_ACCESS_ALLOWED_ACE_TYPE) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
493 // add all new access rights
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
494 allowed_access |= (mask & ace.a_access_mask);
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
495 // check if we have all requested rights
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
496 if((allowed_access & mask) == mask) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
497 allow = 1;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
498 break;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
499 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
500 } else if(ace.a_type == ACE_ACCESS_DENIED_ACE_TYPE) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
501 // ACL_TYPE_DENIED
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
502
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
503 if((ace.a_access_mask & mask) != 0) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
504 // access denied
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
505 break;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
506 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
507 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
508 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
509 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
510
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
511 free(aces);
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
512
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
513 //printf("return %d\n", allow);
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
514 return allow;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
515 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
516
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
517 int solaris_acl_affects_user(
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
518 ace_t *ace,
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
519 uid_t uid,
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
520 gid_t gid,
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
521 uid_t owner,
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
522 gid_t owninggroup)
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
523 {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
524 /*
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
525 * mostly the same as wsacl_affects_user
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
526 */
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
527
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
528 int check_access = 0;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
529
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
530 if((ace->a_flags & ACE_OWNER) == ACE_OWNER) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
531 if(uid == owner) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
532 check_access = 1;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
533 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
534 } else if((ace->a_flags & ACE_GROUP) == ACE_GROUP) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
535 if(gid == owninggroup) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
536 check_access = 1;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
537 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
538 } else if((ace->a_flags & ACE_EVERYONE) == ACE_EVERYONE) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
539 check_access = 1;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
540 } else if(ace->a_who != -1 && uid != 0) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
541 // this ace is defined for a named user or group
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
542 if((ace->a_flags & ACE_IDENTIFIER_GROUP) == ACE_IDENTIFIER_GROUP) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
543 // TODO: check all groups
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
544 if(ace->a_who == gid) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
545 // the user is in the group
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
546 check_access = 1;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
547 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
548 } else {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
549 if(ace->a_who == uid) {
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
550 check_access = 1;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
551 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
552 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
553 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
554
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
555 return check_access;
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
556 }
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
557
73
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
558 void fs_acl_finish() {
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
559
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
560 }
63
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
561
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
562 #endif
66442f81f823 supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 54
diff changeset
563
69
4a10bc0ee80d compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 66
diff changeset
564 /*
4a10bc0ee80d compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 66
diff changeset
565 * generic code for all non acl unices
4a10bc0ee80d compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 66
diff changeset
566 * TODO: don't use OSX in the preprocessor directive
4a10bc0ee80d compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 66
diff changeset
567 */
4a10bc0ee80d compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 66
diff changeset
568 #ifdef OSX
4a10bc0ee80d compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 66
diff changeset
569
4a10bc0ee80d compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 66
diff changeset
570 int fs_acl_check(SysACL *acl, User *user, char *path, uint32_t access_mask) {
4a10bc0ee80d compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 66
diff changeset
571 return 1;
4a10bc0ee80d compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 66
diff changeset
572 }
4a10bc0ee80d compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 66
diff changeset
573
73
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
574 void fs_acl_finish() {
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
575
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
576 }
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
577
69
4a10bc0ee80d compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 66
diff changeset
578 #endif
73
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
579
109
8a0a7754f123 experimental BSD support
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 100
diff changeset
580 #ifdef BSD
8a0a7754f123 experimental BSD support
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 100
diff changeset
581
8a0a7754f123 experimental BSD support
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 100
diff changeset
582 int fs_acl_check(SysACL *acl, User *user, char *path, uint32_t access_mask) {
8a0a7754f123 experimental BSD support
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 100
diff changeset
583 return 1;
8a0a7754f123 experimental BSD support
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 100
diff changeset
584 }
8a0a7754f123 experimental BSD support
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 100
diff changeset
585
8a0a7754f123 experimental BSD support
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 100
diff changeset
586 void fs_acl_finish() {
8a0a7754f123 experimental BSD support
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 100
diff changeset
587
8a0a7754f123 experimental BSD support
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 100
diff changeset
588 }
8a0a7754f123 experimental BSD support
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 100
diff changeset
589
8a0a7754f123 experimental BSD support
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 100
diff changeset
590 #endif
8a0a7754f123 experimental BSD support
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 100
diff changeset
591
73
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
592
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
593 #ifdef LINUX
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
594
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
595 #include <sys/fsuid.h>
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
596
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
597 int fs_acl_check(SysACL *acl, User *user, char *path, uint32_t access_mask) {
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
598 struct passwd *ws_pw = conf_getglobals()->Vuserpw;
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
599 if(!ws_pw) {
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
600 log_ereport(LOG_FAILURE, "fs_acl_check: unknown webserver uid/gid");
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
601 return 1;
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
602 }
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
603
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
604 // get uid/gid
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
605 struct passwd pw;
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
606 if(user) {
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
607 char *pwbuf = malloc(DEF_PWBUF);
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
608 if(pwbuf == NULL) {
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
609 return 0;
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
610 }
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
611 if(!util_getpwnam(user->name, &pw, pwbuf, DEF_PWBUF)) {
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
612 free(pwbuf);
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
613 return 0;
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
614 }
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
615 free(pwbuf);
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
616 acl->user_uid = pw.pw_uid;
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
617 acl->user_gid = pw.pw_gid;
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
618 } else {
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
619 acl->user_uid = 0;
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
620 acl->user_gid = 0;
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
621 }
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
622
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
623 // set fs uid/gid
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
624 if(acl->user_uid != 0) {
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
625 if(setfsuid(pw.pw_uid)) {
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
626 log_ereport(
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
627 LOG_FAILURE,
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
628 "Cannot set fsuid to uid: %u", pw.pw_uid);
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
629 }
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
630 if(setfsgid(pw.pw_gid)) {
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
631 log_ereport(
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
632 LOG_FAILURE,
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
633 "Cannot set fsgid to gid: %u", pw.pw_gid);
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
634 }
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
635 }
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
636
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
637
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
638 return 1;
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
639 }
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
640
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
641 void fs_acl_finish() {
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
642 struct passwd *pw = conf_getglobals()->Vuserpw;
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
643 if(!pw) {
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
644 log_ereport(
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
645 LOG_FAILURE,
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
646 "global configuration broken (Vuserpw is null)");
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
647 return;
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
648 }
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
649 if(setfsuid(pw->pw_uid)) {
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
650 log_ereport(
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
651 LOG_FAILURE,
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
652 "Cannot set fsuid back to server uid: %u", pw->pw_uid);
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
653 }
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
654 if(setfsgid(pw->pw_gid)) {
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
655 log_ereport(
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
656 LOG_FAILURE,
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
657 "Cannot set fsgid back to server gid: %u", pw->pw_gid);
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
658 }
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
659 }
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
660
79fa26ecd135 added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents: 69
diff changeset
661 #endif

mercurial