51 | 1 | /* |
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. | |
3 | * | |
4 | * Copyright 2013 Olaf Wintermann. All rights reserved. | |
5 | * | |
6 | * Redistribution and use in source and binary forms, with or without | |
7 | * modification, are permitted provided that the following conditions are met: | |
8 | * | |
9 | * 1. Redistributions of source code must retain the above copyright | |
10 | * notice, this list of conditions and the following disclaimer. | |
11 | * | |
12 | * 2. Redistributions in binary form must reproduce the above copyright | |
13 | * notice, this list of conditions and the following disclaimer in the | |
14 | * documentation and/or other materials provided with the distribution. | |
15 | * | |
16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE | |
20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | |
21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | |
22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | |
23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | |
24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | |
26 | * POSSIBILITY OF SUCH DAMAGE. | |
27 | */ | |
28 | ||
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>

#include "../util/util.h"
#include "../util/pool.h"
#include "../util/pblock.h"
#include "../safs/auth.h"
#include "log.h"
#include "acl.h"
39 | ||
141 | 40 | #define AUTH_TYPE_BASIC "basic" |
41 | ||
/*
 * Allocates a fresh, empty ACLListHandle from the session pool and
 * attaches it to rq->acllist. The handle starts with no default authdb
 * and an empty element list (head and tail both NULL).
 *
 * sn: session whose pool owns the allocation
 * rq: request that receives the new handle
 *
 * pool_malloc's result is stored without a NULL check; whether the pool
 * can return NULL is not visible here (see pool.h).
 */
void acllist_createhandle(Session *sn, Request *rq) {
    ACLListHandle *h = pool_malloc(sn->pool, sizeof *h);
    // every field the list code reads starts out empty
    h->listhead = NULL;
    h->listtail = NULL;
    h->defaultauthdb = NULL;
    rq->acllist = h;
}
49 | ||
/*
 * Appends (append != 0) or prepends (append == 0) an ACL to the
 * request's ACL list, creating the list handle on first use.
 *
 * The first ACL carrying an authdb becomes the list's default authdb;
 * later ACLs never replace it. List elements are pool-allocated and
 * live as long as the session pool.
 */
void acllist_add(Session *sn, Request *rq, ACLList *acl, int append) {
    if(rq->acllist == NULL) {
        acllist_createhandle(sn, rq);
    }
    ACLListHandle *handle = rq->acllist;

    // remember the first authdb we see as the default used for authentication
    if(acl->authdb && handle->defaultauthdb == NULL) {
        handle->defaultauthdb = acl->authdb;
    }

    ACLListElm *node = pool_malloc(sn->pool, sizeof *node);
    node->acl = acl;
    node->next = NULL;

    if(handle->listhead == NULL) {
        // empty list: the new node is both head and tail
        handle->listhead = node;
        handle->listtail = node;
    } else if(append) {
        handle->listtail->next = node;
        handle->listtail = node;
    } else {
        node->next = handle->listhead;
        handle->listhead = node;
    }
}
79 | ||
/*
 * Adds acl at the end of the request's ACL list (see acllist_add).
 */
void acllist_append(Session *sn, Request *rq, ACLList *acl) {
    acllist_add(sn, rq, acl, /* append */ 1);
}
83 | |
/*
 * Adds acl at the front of the request's ACL list (see acllist_add).
 */
void acllist_prepend(Session *sn, Request *rq, ACLList *acl) {
    acllist_add(sn, rq, acl, /* append */ 0);
}
87 | ||
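/*
 * Translates open(2) flags into the ACL access mask needed for the open.
 *
 * Only the access mode (oflags & O_ACCMODE) is inspected:
 *   O_RDONLY -> ACL_READ_DATA
 *   O_WRONLY -> ACL_WRITE_DATA
 *   O_RDWR   -> ACL_READ_DATA | ACL_WRITE_DATA
 * All other flag bits (O_CREAT, O_TRUNC, ...) are ignored.
 *
 * The access mode is a small enumeration, not a bit set: on the usual
 * platforms O_RDONLY is 0 and O_RDWR is not O_RDONLY|O_WRONLY, so testing
 * "(oflags & O_WRONLY) == O_WRONLY" misses the write side of O_RDWR and
 * would let a read/write open be checked for read access only.
 */
uint32_t acl_oflag2mask(int oflags) {
    uint32_t access_mask = 0;
    int accmode = oflags & O_ACCMODE;
    if(accmode == O_RDONLY || accmode == O_RDWR) {
        access_mask |= ACL_READ_DATA;
    }
    if(accmode == O_WRONLY || accmode == O_RDWR) {
        access_mask |= ACL_WRITE_DATA;
    }
    return access_mask;
}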
51 | 101 | |
/*
 * Authenticates the request with HTTP basic auth against the list's
 * default authdb and returns the resulting User, or NULL.
 *
 * Returns NULL when any argument is NULL, when the list has no default
 * authdb, when basicauth_getuser yields no credentials, or when the
 * authdb rejects them. On success the user name and the auth type
 * ("basic") are recorded in rq->vars for later SAFs.
 *
 * Ownership: the returned User is released by the caller through
 * user->free (see acl_evaluate).
 */
User* acllist_getuser(Session *sn, Request *rq, ACLListHandle *list) {
    if(sn == NULL || rq == NULL || list == NULL) {
        return NULL;
    }
    // without an authdb there is nothing to authenticate against
    if(list->defaultauthdb == NULL) {
        return NULL;
    }

    char *usr;
    char *pw;
    // a non-zero result means no usable credentials: treat as unauthenticated
    if(basicauth_getuser(sn, rq, &usr, &pw) != 0) {
        return NULL;
    }
    // NOTE(review): pw is the plaintext password; its buffer lifetime is
    // owned by basicauth_getuser (not visible here).

    int pwok;
    User *user = authdb_get_and_verify(list->defaultauthdb, usr, pw, &pwok);
    // NOTE(review): pwok is never consulted; this relies on
    // authdb_get_and_verify returning NULL for a wrong password — confirm.
    if(user == NULL) {
        // unknown user or wrong password
        return NULL;
    }

    // authenticated: expose user name and scheme in the request vars
    pblock_kvinsert(pb_key_auth_user, user->name, strlen(user->name), rq->vars);
    pblock_kvinsert(pb_key_auth_type, AUTH_TYPE_BASIC, sizeof(AUTH_TYPE_BASIC)-1, rq->vars);

    return user;
}
135 | ||
/*
 * Sets the HTTP error status after an ACL denied the request.
 *
 * Without an authenticated user the response becomes 401 with a
 * WWW-Authenticate: Basic challenge whose realm is acl->authprompt
 * (or "login" when no prompt is configured or the realm buffer cannot
 * be allocated). With an authenticated user it becomes 403.
 * Does nothing when sn or rq is NULL.
 */
void acl_set_error_status(Session *sn, Request *rq, ACLList *acl, User *user) {
    if(sn == NULL || rq == NULL) {
        return;
    }

    if(user) {
        // authenticated but not authorized
        protocol_status(sn, rq, PROTOCOL_FORBIDDEN, NULL);
        return;
    }

    char *challenge = NULL;
    if(acl->authprompt) {
        // "Basic realm=\"\"" is 14 bytes; +16 covers that plus the NUL
        size_t len = strlen(acl->authprompt) + 16;
        challenge = pool_malloc(sn->pool, len);
        if(challenge) {
            snprintf(challenge, len, "Basic realm=\"%s\"", acl->authprompt);
        }
    }
    if(challenge == NULL) {
        challenge = "Basic realm=\"login\"";
    }
    // the realm is inserted verbatim (no quoting); authprompt is assumed
    // to come from the ACL configuration, not from the client
    pblock_nvinsert("www-authenticate", challenge, rq->srvhdrs);
    protocol_status(sn, rq, PROTOCOL_UNAUTHORIZED, NULL);
}
164 | ||
/*
 * Evaluates the request's ACL list for the given access mask.
 *
 * Returns REQ_PROCEED when no list is attached or every ACL allows the
 * access; otherwise sets the error status (401/403) and returns
 * REQ_ABORTED. The mask is widened with rq->aclreqaccess before the
 * check. The authenticated User (if any) is freed before returning on
 * both paths.
 */
int acl_evaluate(Session *sn, Request *rq, int access_mask) {
    ACLListHandle *list = rq->acllist;
    if(list == NULL) {
        return REQ_PROCEED;
    }

    // the rights required for this request are always part of the check
    access_mask |= rq->aclreqaccess;

    User *user = acllist_getuser(sn, rq, list);
    ACLList *denying = acl_evallist(list, user, access_mask, NULL);

    int result = REQ_PROCEED;
    if(denying != NULL) {
        // the status must be set while the user is still alive
        acl_set_error_status(sn, rq, denying, user);
        result = REQ_ABORTED;
    }

    // TODO: don't free the user here
    if(user) {
        user->free(user);
    }
    return result;
}
195 | ||
/*
 * Walks the ACL list and returns the first ACL whose check() denies
 * the given user/access mask, or NULL when every ACL allows it.
 *
 * ACLs marked isextern are skipped here; when externacl is non-NULL it
 * receives the first external ACL encountered (NULL if there is none),
 * so the caller can evaluate it separately. A NULL list yields NULL.
 */
ACLList* acl_evallist(ACLListHandle *list, User *user, int access_mask, ACLList **externacl) {
    if(list == NULL) {
        return NULL;
    }
    if(externacl != NULL) {
        *externacl = NULL;
    }

    for(ACLListElm *elm = list->listhead; elm != NULL; elm = elm->next) {
        ACLList *acl = elm->acl;
        if(acl->isextern) {
            // only the first external acl is reported
            if(externacl != NULL && *externacl == NULL) {
                *externacl = acl;
            }
            continue;
        }
        if(!acl->check(acl, user, access_mask)) {
            // this acl denies access
            return acl;
        }
    }

    // every acl allowed access
    return NULL;
}
229 | ||
/*
 * Decides whether an access control entry applies to the given user.
 *
 * An ace targets exactly one of: a named user or group (ace->who set,
 * ACL_IDENTIFIER_GROUP selects group semantics), the resource owner
 * (ACL_OWNER), the owning group (ACL_GROUP) or everyone (ACL_EVERYONE).
 * Combining these flags is undefined; the configuration loader is
 * trusted to produce well-formed entries.
 *
 * Returns 1 when the ace affects the user, 0 otherwise. Owner and
 * owning-group entries are not implemented yet and never match. A named
 * entry checked against an anonymous (NULL) user falls through to the
 * flag checks.
 */
int wsacl_affects_user(WSAce *ace, User *user) {
    if(ace->who && user) {
        // named principal: group membership test or exact user-name match
        if((ace->flags & ACL_IDENTIFIER_GROUP) == ACL_IDENTIFIER_GROUP) {
            return user->check_group(user, ace->who) ? 1 : 0;
        }
        return strcmp(user->name, ace->who) == 0;
    }
    if((ace->flags & ACL_OWNER) == ACL_OWNER) {
        // TODO: owner matching not implemented
        return 0;
    }
    if((ace->flags & ACL_GROUP) == ACL_GROUP) {
        // TODO: owning-group matching not implemented
        return 0;
    }
    if((ace->flags & ACL_EVERYONE) == ACL_EVERYONE) {
        return 1;
    }
    return 0;
}
267 | |
/*
 * Checks whether the ACL grants every bit of access_mask to user.
 *
 * Entries are evaluated in order and only those affecting the user
 * count. Allowed entries accumulate the requested bits they cover; as
 * soon as the accumulated set covers access_mask the result is 1. A
 * denied entry overlapping any requested bit ends the evaluation with 0,
 * even if an earlier allowed entry already granted that bit. When no
 * entry decides, the default is 0 (deny).
 */
int wsacl_check(WSAcl *acl, User *user, int access_mask) {
    uint32_t granted = 0;
    for(int i = 0; i < acl->acenum; i++) {
        WSAce *ace = acl->ace[i];
        if(!wsacl_affects_user(ace, user)) {
            continue;
        }
        if(ace->type != ACL_TYPE_ALLOWED) {
            // ACL_TYPE_DENIED: any overlap with the request denies it
            if((ace->access_mask & access_mask) != 0) {
                return 0;
            }
            continue;
        }
        // collect the requested rights this entry grants
        granted |= (access_mask & ace->access_mask);
        if((granted & access_mask) == access_mask) {
            return 1;
        }
    }

    // TODO: events

    return 0;
}
298 | |
299 | |
300 | /* filesystem acl functions */ |
301 | |
302 | #if defined (__SVR4) && defined (__sun) |
303 | |
304 | #include <sys/acl.h> |
305 | |
/* Forward declarations of the Solaris filesystem ACL helpers
 * (Solaris build only). */
int solaris_acl_check(char *path, struct stat *s, uint32_t mask, uid_t uid, gid_t gid);
int solaris_acl_affects_user(ace_t *ace, uid_t uid, gid_t gid, uid_t owner, gid_t owninggroup);
318 | |
319 | int fs_acl_check(SysACL *acl, User *user, char *path, uint32_t access_mask) { |
320 | sstr_t p; |
321 | if(path[0] != '/') { |
322 | size_t n = 128; |
323 | char *cwd = malloc(n); |
324 | while(!getcwd(cwd, n)) { |
325 | if(errno == ERANGE) { |
326 | n *= 2; |
327 | cwd = realloc(cwd, n); |
328 | } else { |
329 | free(cwd); |
330 | return 0; |
331 | } |
332 | } |
333 | sstr_t wd = sstr(cwd); |
334 | sstr_t pp = sstr(path); |
335 | |
336 | p = sstrcat(3, wd, sstrn("/", 1), pp); |
337 | } else { |
338 | p = sstrdup(sstr(path)); |
339 | } |
340 | if(p.ptr[p.length-1] == '/') { |
341 | p.ptr[p.length-1] = 0; |
342 | p.length--; |
343 | } |
344 | |
345 | // get uid/gid |
346 | struct passwd pw; |
347 | if(user) { |
348 | char *pwbuf = malloc(DEF_PWBUF); |
349 | if(pwbuf == NULL) { |
350 | free(p.ptr); |
351 | return 0; |
352 | } |
353 | if(!util_getpwnam(user->name, &pw, pwbuf, DEF_PWBUF)) { |
354 | free(pwbuf); |
355 | free(p.ptr); |
356 | return 0; |
357 | } |
358 | free(pwbuf); |
359 | acl->user_uid = pw.pw_uid; |
360 | acl->user_gid = pw.pw_gid; |
361 | } else { |
362 | acl->user_uid = -1; |
363 | acl->user_gid = -1; |
364 | } |
365 | |
366 | // translate access_mask |
367 | uint32_t mask = 0; |
368 | if((access_mask & ACL_READ_DATA) == ACL_READ_DATA) { |
369 | mask |= ACE_READ_DATA; |
370 | } |
371 | if((access_mask & ACL_WRITE_DATA) == ACL_WRITE_DATA) { |
372 | mask |= ACE_WRITE_DATA; |
373 | } |
374 | if((access_mask & ACL_ADD_FILE) == ACL_ADD_FILE) { |
375 | mask |= ACE_ADD_FILE; |
376 | } |
377 | if((access_mask & ACL_READ_XATTR) == ACL_READ_XATTR) { |
378 | mask |= ACE_READ_NAMED_ATTRS; |
379 | } |
380 | if((access_mask & ACL_WRITE_XATTR) == ACL_WRITE_XATTR) { |
381 | mask |= ACE_WRITE_NAMED_ATTRS; |
382 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
383 | if((access_mask & ACL_EXECUTE) == ACL_EXECUTE) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
384 | mask |= ACE_EXECUTE; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
385 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
386 | if((access_mask & ACL_DELETE) == ACL_DELETE) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
387 | mask |= ACE_DELETE_CHILD; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
388 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
389 | if((access_mask & ACL_READ_ATTRIBUTES) == ACL_READ_ATTRIBUTES) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
390 | mask |= ACE_READ_ATTRIBUTES; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
391 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
392 | if((access_mask & ACL_WRITE_ATTRIBUTES) == ACL_WRITE_ATTRIBUTES) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
393 | mask |= ACE_WRITE_ATTRIBUTES; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
394 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
395 | if((access_mask & ACL_LIST) == ACL_LIST) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
396 | mask |= ACE_LIST_DIRECTORY; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
397 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
398 | if((access_mask & ACL_READ_ACL) == ACL_READ_ACL) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
399 | mask |= ACE_READ_ACL; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
400 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
401 | if((access_mask & ACL_WRITE_ACL) == ACL_WRITE_ACL) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
402 | mask |= ACE_WRITE_ACL; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
403 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
404 | if((access_mask & ACL_WRITE_OWNER) == ACL_WRITE_OWNER) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
405 | mask |= ACE_WRITE_OWNER; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
406 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
407 | if((access_mask & ACL_SYNCHRONIZE) == ACL_SYNCHRONIZE) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
408 | mask |= ACE_SYNCHRONIZE; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
409 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
410 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
411 | /* |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
412 | * If the vfs wants to create new files, path does not name an existing |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
413 | * file. In this case, we check if the user has the ACE_ADD_FILE |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
414 | * permission for the parent directory |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
415 | */ |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
416 | struct stat s; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
417 | if(stat(p.ptr, &s)) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
418 | if(errno != ENOENT) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
419 | perror("fs_acl_check: stat"); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
420 | free(p.ptr); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
421 | return 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
422 | } else { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
423 | mask = ACE_ADD_FILE; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
424 | p = util_path_remove_last(p); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
425 | if(stat(p.ptr, &s)) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
426 | free(p.ptr); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
427 | return 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
428 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
429 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
430 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
431 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
432 | /* |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
433 | * perform a acl check for the path and each parent directory |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
434 | * we don't check the file system root |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
435 | * |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
436 | * after the first check, we check only search permission for the |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
437 | * directories |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
438 | */ |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
439 | if(!solaris_acl_check(p.ptr, &s, mask, pw.pw_uid, pw.pw_gid)) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
440 | free(p.ptr); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
441 | return 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
442 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
443 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
444 | p = util_path_remove_last(p); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
445 | mask = ACE_LIST_DIRECTORY; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
446 | while(p.length > 1) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
447 | if(stat(p.ptr, &s)) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
448 | free(p.ptr); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
449 | return 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
450 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
451 | if(!solaris_acl_check(p.ptr, &s, mask, pw.pw_uid, pw.pw_gid)) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
452 | free(p.ptr); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
453 | return 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
454 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
455 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
456 | // cut the last file name from the path |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
457 | p = util_path_remove_last(p); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
458 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
459 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
460 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
461 | return 1; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
462 | } |
463 | |
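/*
 * Evaluates the NFSv4-style (ace_t) ACL of path for one principal.
 *
 * path   file whose ACL is read with acl(2)
 * s      stat(2) result for path; st_uid/st_gid resolve the owner@ and
 *        group@ entries (the caller has already stat'ed the path)
 * mask   the ACE_* access bits being requested
 * uid    uid of the principal the check is performed for
 * gid    primary gid of that principal; supplementary groups are not
 *        consulted (see solaris_acl_affects_user)
 *
 * Returns 1 if every bit of mask is granted by the ACL, and 0 otherwise
 * or on any error, so failures are fail-closed.
 *
 * Entries are walked in order. An ALLOW entry contributes the requested
 * bits it carries; a DENY entry carrying any requested bit ends the walk
 * with a denial. That is stricter than the ZFS/NFSv4 rule, which only
 * denies bits not already granted by an earlier ALLOW; the stricter
 * reading is kept on purpose because it can only refuse access.
 * Entries flagged ACE_INHERIT_ONLY_ACE describe permissions for future
 * children only and do not apply to path itself, so they are skipped.
 */
int solaris_acl_check(
        char *path,
        struct stat *s,
        uint32_t mask,
        uid_t uid,
        gid_t gid)
{
    int nace = acl(path, ACE_GETACLCNT, 0, NULL);
    if(nace < 0) {
        // TODO: report through the server log instead of stderr
        perror("acl: ACE_GETACLCNT");
        return 0;
    }
    if(nace == 0) {
        // an empty ACL grants nothing
        return 0;
    }

    ace_t *aces = calloc((size_t)nace, sizeof(*aces));
    if(!aces) {
        perror("acl: calloc");
        return 0;
    }
    // acl(2) signals failure with -1; the previous test for 1 never
    // noticed a failed ACE_GETACL and went on to evaluate the zeroed
    // buffer as if it were the ACL
    if(acl(path, ACE_GETACL, nace, aces) < 0) {
        // TODO: report through the server log instead of stderr
        perror("acl: ACE_GETACL");
        free(aces);
        return 0;
    }

    int allow = 0;
    uint32_t allowed_access = 0;
    for(int i = 0; i < nace; i++) {
        ace_t *ace = &aces[i];
        if((ace->a_flags & ACE_INHERIT_ONLY_ACE) == ACE_INHERIT_ONLY_ACE) {
            // inherit-only entries are not effective for path itself
            continue;
        }
        if(!solaris_acl_affects_user(ace, uid, gid, s->st_uid, s->st_gid)) {
            continue;
        }
        if(ace->a_type == ACE_ACCESS_ALLOWED_ACE_TYPE) {
            // collect the requested bits this entry grants
            allowed_access |= (mask & ace->a_access_mask);
            if((allowed_access & mask) == mask) {
                // every requested bit is now granted
                allow = 1;
                break;
            }
        } else if(ace->a_type == ACE_ACCESS_DENIED_ACE_TYPE) {
            if((ace->a_access_mask & mask) != 0) {
                // explicit denial of a requested bit: stop, allow stays 0
                break;
            }
        }
        // other entry types (audit/alarm) carry no access decision
    }

    free(aces);
    return allow;
}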
516 | |
/*
 * Decides whether one ACL entry applies to the principal (uid, gid) for a
 * file owned by owner:owninggroup. Returns 1 if it does, 0 otherwise.
 *
 * Only the identity part of the entry is examined; its type (allow/deny)
 * and access mask are left to the caller.
 *
 * Matching follows the ace_t flag classes in this order: owner@, group@,
 * everyone@, then named user or group entries (a_who holds the id,
 * ACE_IDENTIFIER_GROUP tells user from group).
 *
 * Limitations visible in the code: only the primary gid is compared, so
 * entries for the principal's supplementary groups never match (neither
 * allow nor deny entries); and a principal with uid 0 never matches a
 * named user/group entry. The reason for the uid 0 exception is not
 * stated in the original code.
 */
int solaris_acl_affects_user(
        ace_t *ace,
        uid_t uid,
        gid_t gid,
        uid_t owner,
        gid_t owninggroup)
{
    // owner@ entries apply to the file owner
    if((ace->a_flags & ACE_OWNER) == ACE_OWNER) {
        return uid == owner ? 1 : 0;
    }
    // group@ entries apply to the owning group (primary gid only)
    if((ace->a_flags & ACE_GROUP) == ACE_GROUP) {
        return gid == owninggroup ? 1 : 0;
    }
    // everyone@ entries apply unconditionally
    if((ace->a_flags & ACE_EVERYONE) == ACE_EVERYONE) {
        return 1;
    }
    // the remaining entries name a specific user or group in a_who;
    // -1 marks an unset id, and uid 0 is excluded from this class
    if(ace->a_who == -1 || uid == 0) {
        return 0;
    }
    if((ace->a_flags & ACE_IDENTIFIER_GROUP) == ACE_IDENTIFIER_GROUP) {
        // TODO: check all groups of the user, not only the primary gid
        return ace->a_who == gid ? 1 : 0;
    }
    return ace->a_who == uid ? 1 : 0;
}
557 | |
/*
 * Shutdown hook of the Solaris ACL backend. Every platform backend in
 * this file exports the same entry point; this one has nothing to
 * release, so the body is intentionally empty.
 */
void fs_acl_finish() {

}
561 | |
562 | #endif |
563 | |
564 | /* |
565 | * generic code for all non acl unices: the fs_acl_check() stubs here return 1 unconditionally, i.e. nothing is checked and access is never refused by this module (fail-open) |
566 | * TODO: don't use OSX in the preprocessor directive |
567 | */ |
568 | #ifdef OSX |
569 | |
/*
 * Stub for builds without a native ACL implementation in this file.
 * Always returns 1 (access granted) and ignores every parameter, so this
 * module never refuses access on these platforms; whatever the process
 * itself may do at the OS level is the only remaining limit.
 * NOTE(review): fail-open by construction — confirm this is the intended
 * policy for non-ACL unices before relying on it.
 */
int fs_acl_check(SysACL *acl, User *user, char *path, uint32_t access_mask) {
    return 1;
}
573 | |
/*
 * Shutdown hook of the stub backend. Every platform backend in this file
 * exports the same entry point; this one holds no state and the body is
 * intentionally empty.
 */
void fs_acl_finish() {

}
577 | |
578 | #endif |
579 | |
580 | #ifdef BSD |
581 | |
/*
 * BSD stub: no ACL evaluation is implemented yet. Always returns 1
 * (access granted) and ignores every parameter, so this module never
 * refuses access on BSD; whatever the process itself may do at the OS
 * level is the only remaining limit.
 * NOTE(review): fail-open by construction — confirm this is acceptable
 * for the "experimental BSD support" it was added for.
 */
int fs_acl_check(SysACL *acl, User *user, char *path, uint32_t access_mask) {
    return 1;
}
585 | |
/*
 * Shutdown hook of the BSD stub backend. Every platform backend in this
 * file exports the same entry point; this one holds no state and the
 * body is intentionally empty.
 */
void fs_acl_finish() {

}
589 | |
590 | #endif |
591 | |
592 | |
593 | #ifdef LINUX |
594 | |
595 | #include <sys/fsuid.h> |
596 | |
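/*
 * Linux build of the file system ACL check.
 *
 * Resolves the authenticated user to a uid/gid and switches the calling
 * thread's file system identity (fsuid/fsgid) to it, so that the kernel
 * applies that user's permissions to the file operations that follow.
 * fs_acl_finish() switches the identity back to the server's uid/gid.
 *
 * Only the primary group is switched: setfsgid() does not touch the
 * supplementary group list, which therefore remains the server's.
 *
 * acl          receives the resolved user_uid/user_gid (0/0 if user is NULL)
 * user         authenticated user, or NULL for anonymous access
 * path         not used here; the kernel performs the actual permission check
 * access_mask  not used here (see path)
 *
 * Returns 1 if the requested identity is in place (or no switch was
 * needed), 0 if the user cannot be resolved or the identity could not be
 * switched. In the 0 case the thread still runs with the server's identity.
 */
int fs_acl_check(SysACL *acl, User *user, char *path, uint32_t access_mask) {
    struct passwd *ws_pw = conf_getglobals()->Vuserpw;
    if(!ws_pw) {
        // NOTE(review): without the server's own uid/gid the identity can
        // neither be switched nor restored by fs_acl_finish(); returning 1
        // lets the request proceed with the server's identity unchanged.
        log_ereport(LOG_FAILURE, "fs_acl_check: unknown webserver uid/gid");
        return 1;
    }

    // resolve the user's uid/gid
    struct passwd pw = {0};
    if(user) {
        char *pwbuf = malloc(DEF_PWBUF);
        if(pwbuf == NULL) {
            return 0;
        }
        // only pw_uid/pw_gid are used afterwards, so the string fields
        // pointing into pwbuf may be released right away
        int found = util_getpwnam(user->name, &pw, pwbuf, DEF_PWBUF) ? 1 : 0;
        free(pwbuf);
        if(!found) {
            return 0;
        }
        acl->user_uid = pw.pw_uid;
        acl->user_gid = pw.pw_gid;
    } else {
        acl->user_uid = 0;
        acl->user_gid = 0;
    }

    // switch the file system identity; a uid of 0 means "no switch"
    if(acl->user_uid != 0) {
        // setfsuid()/setfsgid() return the *previous* id on success and
        // on failure alike, so their return value says nothing about
        // whether the switch happened. The documented way to detect a
        // failure is to re-query the current id with -1 (an argument that
        // always fails) and compare it with the requested id.
        // The group is switched first so that a failure leaves the
        // server's identity fully intact.
        setfsgid(pw.pw_gid);
        if((gid_t)setfsgid((gid_t) -1) != pw.pw_gid) {
            log_ereport(
                    LOG_FAILURE,
                    "Cannot set fsgid to gid: %u", pw.pw_gid);
            return 0;
        }
        setfsuid(pw.pw_uid);
        if((uid_t)setfsuid((uid_t) -1) != pw.pw_uid) {
            log_ereport(
                    LOG_FAILURE,
                    "Cannot set fsuid to uid: %u", pw.pw_uid);
            // undo the group switch so the server's identity is intact
            setfsgid(ws_pw->pw_gid);
            return 0;
        }
    }

    return 1;
}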
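/*
 * Linux build of fs_acl_finish().
 *
 * Switches the calling thread's file system identity (fsuid/fsgid) back to
 * the server's uid/gid after a file access that was guarded by
 * fs_acl_check(). Failures are logged only; there is no caller-visible
 * result. The uid is restored before the gid.
 */
void fs_acl_finish() {
    struct passwd *pw = conf_getglobals()->Vuserpw;
    if(!pw) {
        log_ereport(
                LOG_FAILURE,
                "global configuration broken (Vuserpw is null)");
        return;
    }
    // setfsuid()/setfsgid() return the previous id whether or not the
    // change succeeded; re-querying with -1 (an argument that always
    // fails) yields the current id and thereby reveals a failed switch.
    setfsuid(pw->pw_uid);
    if((uid_t)setfsuid((uid_t) -1) != pw->pw_uid) {
        log_ereport(
                LOG_FAILURE,
                "Cannot set fsuid back to server uid: %u", pw->pw_uid);
    }
    setfsgid(pw->pw_gid);
    if((gid_t)setfsgid((gid_t) -1) != pw->pw_gid) {
        log_ereport(
                LOG_FAILURE,
                "Cannot set fsgid back to server gid: %u", pw->pw_gid);
    }
}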
661 | #endif |