Sun, 23 Jun 2013 13:51:49 +0200
merge
51 | 1 | /* |
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. | |
3 | * | |
4 | * Copyright 2013 Olaf Wintermann. All rights reserved. | |
5 | * | |
6 | * Redistribution and use in source and binary forms, with or without | |
7 | * modification, are permitted provided that the following conditions are met: | |
8 | * | |
9 | * 1. Redistributions of source code must retain the above copyright | |
10 | * notice, this list of conditions and the following disclaimer. | |
11 | * | |
12 | * 2. Redistributions in binary form must reproduce the above copyright | |
13 | * notice, this list of conditions and the following disclaimer in the | |
14 | * documentation and/or other materials provided with the distribution. | |
15 | * | |
16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE | |
20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | |
21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | |
22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | |
23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | |
24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | |
26 | * POSSIBILITY OF SUCH DAMAGE. | |
27 | */ | |
28 | ||
29 | #include <stdio.h> | |
30 | #include <stdlib.h> | |
73
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
31 | #include <unistd.h> |
51 | 32 | |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
33 | #include "../util/util.h" |
51 | 34 | #include "../util/pool.h" |
35 | #include "../safs/auth.h" | |
73
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
36 | #include "log.h" |
51 | 37 | #include "acl.h" |
38 | ||
39 | void acllist_createhandle(Session *sn, Request *rq) { | |
40 | ACLListHandle *handle = pool_malloc(sn->pool, sizeof(ACLListHandle)); | |
41 | handle->defaultauthdb = NULL; | |
42 | handle->listhead = NULL; | |
43 | handle->listtail = NULL; | |
44 | rq->acllist = handle; | |
45 | } | |
46 | ||
52
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
47 | /* |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
48 | * append or prepend an ACL |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
49 | */ |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
50 | void acllist_add(Session *sn, Request *rq, ACLList *acl, int append) { |
51 | 51 | if(!rq->acllist) { |
52 | acllist_createhandle(sn, rq); | |
53 | } | |
54 | ACLListHandle *list = rq->acllist; | |
55 | ||
56 | if(!list->defaultauthdb && acl->authdb) { | |
57 | list->defaultauthdb = acl->authdb; | |
58 | } | |
59 | ||
60 | ACLListElm *elm = pool_malloc(sn->pool, sizeof(ACLListElm)); | |
61 | elm->acl = acl; | |
62 | elm->next = NULL; | |
63 | if(list->listhead == NULL) { | |
64 | list->listhead = elm; | |
65 | list->listtail = elm; | |
66 | } else { | |
52
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
67 | if(append) { |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
68 | list->listtail->next = elm; |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
69 | list->listtail = elm; |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
70 | } else { |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
71 | elm->next = list->listhead; |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
72 | list->listhead = elm; |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
73 | } |
51 | 74 | } |
75 | } | |
76 | ||
52
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
77 | void acllist_append(Session *sn, Request *rq, ACLList *acl) { |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
78 | acllist_add(sn, rq, acl, 1); |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
79 | } |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
80 | |
51 | 81 | void acllist_prepend(Session *sn, Request *rq, ACLList *acl) { |
52
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
82 | acllist_add(sn, rq, acl, 0); |
51 | 83 | } |
84 | ||
54 | 85 | uint32_t acl_oflag2mask(int oflags) { |
86 | /* TODO: | |
87 | * maybe there is a plattform where O_RDWR is not O_RDONLY | O_WRONLY | |
88 | */ | |
89 | uint32_t access_mask = 0; | |
90 | if((oflags & O_RDONLY) == O_RDONLY) { | |
91 | access_mask |= ACL_READ_DATA; | |
92 | } | |
93 | if((oflags & O_WRONLY) == O_WRONLY) { | |
94 | access_mask |= ACL_WRITE_DATA; | |
95 | } | |
96 | return access_mask; | |
97 | } | |
51 | 98 | |
54 | 99 | User* acllist_getuser(Session *sn, Request *rq, ACLListHandle *list) { |
100 | if(!sn || !rq || !list) { | |
101 | return NULL; | |
51 | 102 | } |
103 | ||
104 | // get user | |
105 | User *user = NULL; | |
106 | if(list->defaultauthdb) { | |
107 | char *usr; | |
108 | char *pw; | |
109 | if(!basicauth_getuser(sn, rq, &usr, &pw)) { | |
66
74babc0082b7
added authentication cache
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
63
diff
changeset
|
110 | int pwok; |
74babc0082b7
added authentication cache
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
63
diff
changeset
|
111 | user = authdb_get_and_verify(list->defaultauthdb, usr, pw, &pwok); |
51 | 112 | if(!user) { |
66
74babc0082b7
added authentication cache
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
63
diff
changeset
|
113 | // wrong user or wrong password |
54 | 114 | return NULL; |
51 | 115 | } |
116 | // ok - user is authenticated | |
117 | } | |
54 | 118 | } |
119 | ||
120 | return user; | |
121 | } | |
122 | ||
123 | void acl_set_error_status(Session *sn, Request *rq, ACLList *acl, User *user) { | |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
124 | if(sn == NULL || rq == NULL) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
125 | return; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
126 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
127 | |
54 | 128 | if(!user) { |
129 | char *value = NULL; | |
130 | if(acl->authprompt) { | |
131 | size_t realmlen = strlen(acl->authprompt); | |
132 | size_t len = realmlen + 16; | |
133 | value = pool_malloc(sn->pool, len); | |
134 | if(value) { | |
135 | snprintf( | |
136 | value, | |
137 | len, | |
138 | "Basic realm=\"%s\"", | |
139 | acl->authprompt); | |
140 | } | |
141 | } | |
142 | if(!value) { | |
143 | value = "Basic realm=\"login\""; | |
144 | } | |
145 | pblock_nvinsert("www-authenticate", value, rq->srvhdrs); | |
146 | protocol_status(sn, rq, PROTOCOL_UNAUTHORIZED, NULL); | |
51 | 147 | } else { |
54 | 148 | protocol_status(sn, rq, PROTOCOL_FORBIDDEN, NULL); |
149 | } | |
150 | } | |
151 | ||
152 | int acl_evaluate(Session *sn, Request *rq, int access_mask) { | |
153 | ACLListHandle *list = rq->acllist; | |
154 | if(!list) { | |
155 | return REQ_PROCEED; | |
156 | } | |
157 | ||
158 | // we combine access_mask with the required access rights | |
159 | access_mask |= rq->aclreqaccess; | |
160 | ||
161 | // get user | |
162 | User *user = acllist_getuser(sn, rq, list); | |
163 | ||
164 | // evalutate all ACLs | |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
165 | ACLList *acl = acl_evallist(list, user, access_mask, NULL); |
54 | 166 | if(acl) { |
167 | acl_set_error_status(sn, rq, acl, user); | |
168 | // TODO: don't free the user here | |
169 | if(user) { | |
170 | user->free(user); | |
171 | } | |
51 | 172 | return REQ_ABORTED; |
173 | } | |
174 | ||
54 | 175 | // access allowed, we can free the user |
176 | if(user) { | |
177 | user->free(user); | |
178 | } | |
179 | ||
180 | return REQ_PROCEED; | |
181 | } | |
182 | ||
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
183 | ACLList* acl_evallist( |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
184 | ACLListHandle *list, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
185 | User *user, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
186 | int access_mask, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
187 | ACLList **externacl) |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
188 | { |
54 | 189 | if(!list) { |
190 | return NULL; | |
191 | } | |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
192 | if(externacl) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
193 | *externacl = NULL; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
194 | } |
54 | 195 | |
51 | 196 | // evaluate each acl until one denies access |
197 | ACLListElm *elm = list->listhead; | |
198 | while(elm) { | |
199 | ACLList *acl = elm->acl; | |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
200 | if(acl->isextern) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
201 | // set externacl to the first external acl |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
202 | if(externacl && *externacl == NULL) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
203 | *externacl = acl; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
204 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
205 | } else if(!acl->check(acl, user, access_mask)) { |
51 | 206 | // the acl denies access |
54 | 207 | return acl; |
51 | 208 | } |
209 | elm = elm->next; | |
210 | } | |
211 | ||
212 | // ok - all acls allowed access | |
54 | 213 | |
214 | return NULL; | |
51 | 215 | } |
216 | ||
54 | 217 | int wsacl_affects_user(WSAce *ace, User *user) { |
52
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
218 | int check_access = 0; |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
219 | |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
220 | /* |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
221 | * an ace can affect |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
222 | * a named user or group (ace->who is set) |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
223 | * the owner of the resource (ACL_OWNER is set) |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
224 | * the owning group of the resource (ACL_GROUP is set) |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
225 | * everyone (ACL_EVERYONE is set) |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
226 | * |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
227 | * Only one of this conditions should be true. The behavior on |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
228 | * illegal flag combination is undefined. We assume that the acls |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
229 | * are created correctly by the configuration loader. |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
230 | */ |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
231 | |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
232 | if(ace->who && user) { |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
233 | // this ace is defined for a named user or group |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
234 | if((ace->flags & ACL_IDENTIFIER_GROUP) == ACL_IDENTIFIER_GROUP) { |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
235 | if(user->check_group(user, ace->who)) { |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
236 | // the user is in the group |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
237 | check_access = 1; |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
238 | } |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
239 | } else { |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
240 | if(!strcmp(user->name, ace->who)) { |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
241 | check_access = 1; |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
242 | } |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
243 | } |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
244 | } else if((ace->flags & ACL_OWNER) == ACL_OWNER) { |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
245 | // TODO |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
246 | } else if((ace->flags & ACL_GROUP) == ACL_GROUP) { |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
247 | // TODO |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
248 | } else if((ace->flags & ACL_EVERYONE) == ACL_EVERYONE) { |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
249 | check_access = 1; |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
250 | } |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
251 | |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
252 | return check_access; |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
253 | } |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
254 | |
54 | 255 | int wsacl_check(WSAcl *acl, User *user, int access_mask) { |
51 | 256 | int allow = 0; |
257 | uint32_t allowed_access = 0; | |
258 | // check each access control entry | |
259 | for(int i=0;i<acl->acenum;i++) { | |
54 | 260 | WSAce *ace = acl->ace[i]; |
52
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
261 | if(wsacl_affects_user(ace, user)) { |
51 | 262 | if(ace->type == ACL_TYPE_ALLOWED) { |
263 | // add all new access rights | |
54 | 264 | allowed_access |= (access_mask & ace->access_mask); |
51 | 265 | // check if we have all requested rights |
266 | if((allowed_access & access_mask) == access_mask) { | |
267 | allow = 1; | |
268 | break; | |
269 | } | |
270 | } else { | |
271 | // ACL_TYPE_DENIED | |
272 | ||
273 | if((ace->access_mask & access_mask) != 0) { | |
274 | // access denied | |
275 | break; | |
276 | } | |
277 | } | |
278 | } | |
279 | } | |
280 | ||
281 | // TODO: events | |
282 | ||
54 | 283 | return allow; // allow is 0, if no ace set it to 1 |
51 | 284 | } |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
285 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
286 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
287 | /* filesystem acl functions */ |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
288 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
289 | #if defined (__SVR4) && defined (__sun) |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
290 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
291 | #include <sys/acl.h> |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
292 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
293 | int solaris_acl_check( |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
294 | char *path, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
295 | struct stat *s, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
296 | uint32_t mask, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
297 | uid_t uid, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
298 | gid_t gid); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
299 | int solaris_acl_affects_user( |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
300 | ace_t *ace, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
301 | uid_t uid, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
302 | gid_t gid, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
303 | uid_t owner, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
304 | gid_t owninggroup); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
305 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
306 | int fs_acl_check(SysACL *acl, User *user, char *path, uint32_t access_mask) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
307 | sstr_t p; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
308 | if(path[0] != '/') { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
309 | size_t n = 128; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
310 | char *cwd = malloc(n); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
311 | while(!getcwd(cwd, n)) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
312 | if(errno == ERANGE) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
313 | n *= 2; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
314 | cwd = realloc(cwd, n); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
315 | } else { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
316 | free(cwd); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
317 | return 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
318 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
319 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
320 | sstr_t wd = sstr(cwd); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
321 | sstr_t pp = sstr(path); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
322 | p.length = wd.length + pp.length + 1; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
323 | p.ptr = malloc(p.length + 1); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
324 | p = sstrncat(3, p, wd, sstrn("/", 1), pp); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
325 | p.ptr[p.length] = '\0'; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
326 | } else { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
327 | p = sstrdup(sstr(path)); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
328 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
329 | if(p.ptr[p.length-1] == '/') { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
330 | p.ptr[p.length-1] = 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
331 | p.length--; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
332 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
333 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
334 | // get uid/gid |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
335 | struct passwd pw; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
336 | if(user) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
337 | char *pwbuf = malloc(DEF_PWBUF); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
338 | if(pwbuf == NULL) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
339 | free(p.ptr); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
340 | return 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
341 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
342 | if(!util_getpwnam(user->name, &pw, pwbuf, DEF_PWBUF)) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
343 | free(pwbuf); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
344 | free(p.ptr); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
345 | return 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
346 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
347 | free(pwbuf); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
348 | acl->user_uid = pw.pw_uid; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
349 | acl->user_gid = pw.pw_gid; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
350 | } else { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
351 | acl->user_uid = -1; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
352 | acl->user_gid = -1; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
353 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
354 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
355 | // translate access_mask |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
356 | uint32_t mask = 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
357 | if((access_mask & ACL_READ_DATA) == ACL_READ_DATA) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
358 | mask |= ACE_READ_DATA; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
359 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
360 | if((access_mask & ACL_WRITE_DATA) == ACL_WRITE_DATA) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
361 | mask |= ACE_WRITE_DATA; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
362 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
363 | if((access_mask & ACL_ADD_FILE) == ACL_ADD_FILE) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
364 | mask |= ACE_ADD_FILE; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
365 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
366 | if((access_mask & ACL_READ_XATTR) == ACL_READ_XATTR) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
367 | mask |= ACE_READ_NAMED_ATTRS; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
368 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
369 | if((access_mask & ACL_WRITE_XATTR) == ACL_WRITE_XATTR) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
370 | mask |= ACE_WRITE_NAMED_ATTRS; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
371 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
372 | if((access_mask & ACL_EXECUTE) == ACL_EXECUTE) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
373 | mask |= ACE_EXECUTE; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
374 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
375 | if((access_mask & ACL_DELETE) == ACL_DELETE) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
376 | mask |= ACE_DELETE_CHILD; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
377 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
378 | if((access_mask & ACL_READ_ATTRIBUTES) == ACL_READ_ATTRIBUTES) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
379 | mask |= ACE_READ_ATTRIBUTES; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
380 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
381 | if((access_mask & ACL_WRITE_ATTRIBUTES) == ACL_WRITE_ATTRIBUTES) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
382 | mask |= ACE_WRITE_ATTRIBUTES; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
383 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
384 | if((access_mask & ACL_LIST) == ACL_LIST) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
385 | mask |= ACE_LIST_DIRECTORY; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
386 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
387 | if((access_mask & ACL_READ_ACL) == ACL_READ_ACL) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
388 | mask |= ACE_READ_ACL; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
389 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
390 | if((access_mask & ACL_WRITE_ACL) == ACL_WRITE_ACL) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
391 | mask |= ACE_WRITE_ACL; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
392 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
393 | if((access_mask & ACL_WRITE_OWNER) == ACL_WRITE_OWNER) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
394 | mask |= ACE_WRITE_OWNER; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
395 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
396 | if((access_mask & ACL_SYNCHRONIZE) == ACL_SYNCHRONIZE) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
397 | mask |= ACE_SYNCHRONIZE; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
398 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
399 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
400 | /* |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
401 | * If the vfs wants to create new files, path does not name an existing |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
402 | * file. In this case, we check if the user has the ACE_ADD_FILE |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
403 | * permission for the parent directory |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
404 | */ |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
405 | struct stat s; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
406 | if(stat(p.ptr, &s)) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
407 | if(errno != ENOENT) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
408 | perror("fs_acl_check: stat"); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
409 | free(p.ptr); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
410 | return 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
411 | } else { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
412 | mask = ACE_ADD_FILE; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
413 | p = util_path_remove_last(p); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
414 | if(stat(p.ptr, &s)) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
415 | free(p.ptr); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
416 | return 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
417 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
418 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
419 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
420 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
421 | /* |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
422 | * perform a acl check for the path and each parent directory |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
423 | * we don't check the file system root |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
424 | * |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
425 | * after the first check, we check only search permission for the |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
426 | * directories |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
427 | */ |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
428 | if(!solaris_acl_check(p.ptr, &s, mask, pw.pw_uid, pw.pw_gid)) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
429 | free(p.ptr); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
430 | return 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
431 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
432 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
433 | p = util_path_remove_last(p); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
434 | mask = ACE_LIST_DIRECTORY; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
435 | while(p.length > 1) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
436 | if(stat(p.ptr, &s)) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
437 | free(p.ptr); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
438 | return 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
439 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
440 | if(!solaris_acl_check(p.ptr, &s, mask, pw.pw_uid, pw.pw_gid)) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
441 | free(p.ptr); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
442 | return 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
443 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
444 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
445 | // cut the last file name from the path |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
446 | p = util_path_remove_last(p); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
447 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
448 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
449 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
450 | return 1; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
451 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
452 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
453 | int solaris_acl_check( |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
454 | char *path, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
455 | struct stat *s, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
456 | uint32_t mask, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
457 | uid_t uid, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
458 | gid_t gid) |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
459 | { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
460 | //printf("solaris_acl_check %s\n", path); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
461 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
462 | int nace = acl(path, ACE_GETACLCNT, 0, NULL); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
463 | if(nace == -1) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
464 | perror("acl: ACE_GETACLCNT"); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
465 | // TODO: log error |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
466 | return 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
467 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
468 | ace_t *aces = calloc(nace, sizeof(ace_t)); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
469 | if(acl(path, ACE_GETACL, nace, aces) == 1) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
470 | perror("acl: ACE_GETACL"); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
471 | // TODO: log error |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
472 | free(aces); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
473 | return 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
474 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
475 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
476 | int allow = 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
477 | uint32_t allowed_access = 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
478 | for(int i=0;i<nace;i++) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
479 | ace_t ace = aces[i]; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
480 | if(solaris_acl_affects_user(&ace, uid, gid, s->st_uid, s->st_gid)) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
481 | if(ace.a_type == ACE_ACCESS_ALLOWED_ACE_TYPE) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
482 | // add all new access rights |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
483 | allowed_access |= (mask & ace.a_access_mask); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
484 | // check if we have all requested rights |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
485 | if((allowed_access & mask) == mask) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
486 | allow = 1; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
487 | break; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
488 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
489 | } else if(ace.a_type == ACE_ACCESS_DENIED_ACE_TYPE) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
490 | // ACL_TYPE_DENIED |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
491 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
492 | if((ace.a_access_mask & mask) != 0) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
493 | // access denied |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
494 | break; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
495 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
496 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
497 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
498 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
499 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
500 | free(aces); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
501 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
502 | //printf("return %d\n", allow); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
503 | return allow; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
504 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
505 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
506 | int solaris_acl_affects_user( |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
507 | ace_t *ace, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
508 | uid_t uid, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
509 | gid_t gid, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
510 | uid_t owner, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
511 | gid_t owninggroup) |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
512 | { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
513 | /* |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
514 | * mostly the same as wsacl_affects_user |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
515 | */ |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
516 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
517 | int check_access = 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
518 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
519 | if((ace->a_flags & ACE_OWNER) == ACE_OWNER) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
520 | if(uid == owner) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
521 | check_access = 1; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
522 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
523 | } else if((ace->a_flags & ACE_GROUP) == ACE_GROUP) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
524 | if(gid == owninggroup) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
525 | check_access = 1; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
526 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
527 | } else if((ace->a_flags & ACE_EVERYONE) == ACE_EVERYONE) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
528 | check_access = 1; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
529 | } else if(ace->a_who != -1 && uid != 0) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
530 | // this ace is defined for a named user or group |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
531 | if((ace->a_flags & ACE_IDENTIFIER_GROUP) == ACE_IDENTIFIER_GROUP) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
532 | // TODO: check all groups |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
533 | if(ace->a_who == gid) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
534 | // the user is in the group |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
535 | check_access = 1; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
536 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
537 | } else { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
538 | if(ace->a_who == uid) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
539 | check_access = 1; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
540 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
541 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
542 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
543 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
544 | return check_access; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
545 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
546 | |
73
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
547 | void fs_acl_finish() { |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
548 | |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
549 | } |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
550 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
551 | #endif |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
552 | |
69
4a10bc0ee80d
compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
66
diff
changeset
|
553 | /* |
4a10bc0ee80d
compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
66
diff
changeset
|
554 | * generic code for all non acl unices |
4a10bc0ee80d
compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
66
diff
changeset
|
555 | * TODO: don't use OSX in the preprocessor directive |
4a10bc0ee80d
compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
66
diff
changeset
|
556 | */ |
4a10bc0ee80d
compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
66
diff
changeset
|
557 | #ifdef OSX |
4a10bc0ee80d
compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
66
diff
changeset
|
558 | |
4a10bc0ee80d
compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
66
diff
changeset
|
559 | int fs_acl_check(SysACL *acl, User *user, char *path, uint32_t access_mask) { |
4a10bc0ee80d
compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
66
diff
changeset
|
560 | return 1; |
4a10bc0ee80d
compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
66
diff
changeset
|
561 | } |
4a10bc0ee80d
compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
66
diff
changeset
|
562 | |
73
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
563 | void fs_acl_finish() { |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
564 | |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
565 | } |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
566 | |
69
4a10bc0ee80d
compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
66
diff
changeset
|
567 | #endif |
73
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
568 | |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
569 | |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
570 | #ifdef LINUX |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
571 | |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
572 | #include <sys/fsuid.h> |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
573 | |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
574 | int fs_acl_check(SysACL *acl, User *user, char *path, uint32_t access_mask) { |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
575 | struct passwd *ws_pw = conf_getglobals()->Vuserpw; |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
576 | if(!ws_pw) { |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
577 | log_ereport(LOG_FAILURE, "fs_acl_check: unknown webserver uid/gid"); |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
578 | return 1; |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
579 | } |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
580 | |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
581 | // get uid/gid |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
582 | struct passwd pw; |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
583 | if(user) { |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
584 | char *pwbuf = malloc(DEF_PWBUF); |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
585 | if(pwbuf == NULL) { |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
586 | return 0; |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
587 | } |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
588 | if(!util_getpwnam(user->name, &pw, pwbuf, DEF_PWBUF)) { |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
589 | free(pwbuf); |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
590 | return 0; |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
591 | } |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
592 | free(pwbuf); |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
593 | acl->user_uid = pw.pw_uid; |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
594 | acl->user_gid = pw.pw_gid; |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
595 | } else { |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
596 | acl->user_uid = 0; |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
597 | acl->user_gid = 0; |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
598 | } |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
599 | |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
600 | // set fs uid/gid |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
601 | if(acl->user_uid != 0) { |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
602 | if(setfsuid(pw.pw_uid)) { |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
603 | log_ereport( |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
604 | LOG_FAILURE, |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
605 | "Cannot set fsuid to uid: %u", pw.pw_uid); |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
606 | } |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
607 | if(setfsgid(pw.pw_gid)) { |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
608 | log_ereport( |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
609 | LOG_FAILURE, |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
610 | "Cannot set fsgid to gid: %u", pw.pw_gid); |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
611 | } |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
612 | } |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
613 | |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
614 | |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
615 | return 1; |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
616 | } |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
617 | |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
618 | void fs_acl_finish() { |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
619 | struct passwd *pw = conf_getglobals()->Vuserpw; |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
620 | if(!pw) { |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
621 | log_ereport( |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
622 | LOG_FAILURE, |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
623 | "global configuration broken (Vuserpw is null)"); |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
624 | return; |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
625 | } |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
626 | if(setfsuid(pw->pw_uid)) { |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
627 | log_ereport( |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
628 | LOG_FAILURE, |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
629 | "Cannot set fsuid back to server uid: %u", pw->pw_uid); |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
630 | } |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
631 | if(setfsgid(pw->pw_gid)) { |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
632 | log_ereport( |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
633 | LOG_FAILURE, |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
634 | "Cannot set fsgid back to server gid: %u", pw->pw_gid); |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
635 | } |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
636 | } |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
637 | |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
638 | #endif |