webserver: comparison src/server/daemon/acl.c

-:c47e081b6c0f
+:66442f81f823
 */
 #include <stdio.h>
 #include <stdlib.h>
+#include "../util/util.h"
 #include "../util/pool.h"
 #include "../safs/auth.h"
 #include "acl.h"
 void acllist_createhandle(Session *sn, Request *rq) {
 return user;
 }
 void acl_set_error_status(Session *sn, Request *rq, ACLList *acl, User *user) {
+if(sn == NULL || rq == NULL) {
+return;
+}
 if(!user) {
 char *value = NULL;
 if(acl->authprompt) {
 size_t realmlen = strlen(acl->authprompt);
 size_t len = realmlen + 16;
 // get user
 User *user = acllist_getuser(sn, rq, list);
 // evalutate all ACLs
-ACLList *acl = acl_evallist(list, user, access_mask);
+ACLList *acl = acl_evallist(list, user, access_mask, NULL);
 if(acl) {
 acl_set_error_status(sn, rq, acl, user);
 // TODO: don't free the user here
 if(user) {
 user->free(user);
 }
 return REQ_PROCEED;
 }
-ACLList* acl_evallist(ACLListHandle *list, User *user, int access_mask) {
+ACLList* acl_evallist(
+ACLListHandle *list,
+User *user,
+int access_mask,
+ACLList **externacl)
+{
 if(!list) {
 return NULL;
+}
+if(externacl) {
+*externacl = NULL;
 }
 // evaluate each acl until one denies access
 ACLListElm *elm = list->listhead;
 while(elm) {
 ACLList *acl = elm->acl;
-if(!acl->check(acl, user, access_mask)) {
+if(acl->isextern) {
+// set externacl to the first external acl
+if(externacl && *externacl == NULL) {
+*externacl = acl;
+}
+} else if(!acl->check(acl, user, access_mask)) {
 // the acl denies access
 return acl;
 }
 elm = elm->next;
 }
 // TODO: events
 return allow; // allow is 0, if no ace set it to 1
 }
+/* filesystem acl functions */
+#if defined (__SVR4) && defined (__sun)
+#include <sys/acl.h>
+int solaris_acl_check(
+char *path,
+struct stat *s,
+uint32_t mask,
+uid_t uid,
+gid_t gid);
+int solaris_acl_affects_user(
+ace_t *ace,
+uid_t uid,
+gid_t gid,
+uid_t owner,
+gid_t owninggroup);
+int fs_acl_check(SysACL *acl, User *user, char *path, uint32_t access_mask) {
+sstr_t p;
+if(path[0] != '/') {
+size_t n = 128;
+char *cwd = malloc(n);
+while(!getcwd(cwd, n)) {
+if(errno == ERANGE) {
+n *= 2;
+cwd = realloc(cwd, n);
+} else {
+free(cwd);
+return 0;
+}
+}
+sstr_t wd = sstr(cwd);
+sstr_t pp = sstr(path);
+p.length = wd.length + pp.length + 1;
+p.ptr = malloc(p.length + 1);
+p = sstrncat(3, p, wd, sstrn("/", 1), pp);
+p.ptr[p.length] = '\0';
+} else {
+p = sstrdup(sstr(path));
+}
+if(p.ptr[p.length-1] == '/') {
+p.ptr[p.length-1] = 0;
+p.length--;
+}
+// get uid/gid
+struct passwd pw;
+if(user) {
+char *pwbuf = malloc(DEF_PWBUF);
+if(pwbuf == NULL) {
+free(p.ptr);
+return 0;
+}
+if(!util_getpwnam(user->name, &pw, pwbuf, DEF_PWBUF)) {
+free(pwbuf);
+free(p.ptr);
+return 0;
+}
+free(pwbuf);
+acl->user_uid = pw.pw_uid;
+acl->user_gid = pw.pw_gid;
+} else {
+acl->user_uid = -1;
+acl->user_gid = -1;
+}
+// translate access_mask
+uint32_t mask = 0;
+if((access_mask & ACL_READ_DATA) == ACL_READ_DATA) {
+mask |= ACE_READ_DATA;
+}
+if((access_mask & ACL_WRITE_DATA) == ACL_WRITE_DATA) {
+mask |= ACE_WRITE_DATA;
+}
+if((access_mask & ACL_ADD_FILE) == ACL_ADD_FILE) {
+mask |= ACE_ADD_FILE;
+}
+if((access_mask & ACL_READ_XATTR) == ACL_READ_XATTR) {
+mask |= ACE_READ_NAMED_ATTRS;
+}
+if((access_mask & ACL_WRITE_XATTR) == ACL_WRITE_XATTR) {
+mask |= ACE_WRITE_NAMED_ATTRS;
+}
+if((access_mask & ACL_EXECUTE) == ACL_EXECUTE) {
+mask |= ACE_EXECUTE;
+}
+if((access_mask & ACL_DELETE) == ACL_DELETE) {
+mask |= ACE_DELETE_CHILD;
+}
+if((access_mask & ACL_READ_ATTRIBUTES) == ACL_READ_ATTRIBUTES) {
+mask |= ACE_READ_ATTRIBUTES;
+}
+if((access_mask & ACL_WRITE_ATTRIBUTES) == ACL_WRITE_ATTRIBUTES) {
+mask |= ACE_WRITE_ATTRIBUTES;
+}
+if((access_mask & ACL_LIST) == ACL_LIST) {
+mask |= ACE_LIST_DIRECTORY;
+}
+if((access_mask & ACL_READ_ACL) == ACL_READ_ACL) {
+mask |= ACE_READ_ACL;
+}
+if((access_mask & ACL_WRITE_ACL) == ACL_WRITE_ACL) {
+mask |= ACE_WRITE_ACL;
+}
+if((access_mask & ACL_WRITE_OWNER) == ACL_WRITE_OWNER) {
+mask |= ACE_WRITE_OWNER;
+}
+if((access_mask & ACL_SYNCHRONIZE) == ACL_SYNCHRONIZE) {
+mask |= ACE_SYNCHRONIZE;
+}
+/*
+* If the vfs wants to create new files, path does not name an existing
+* file. In this case, we check if the user has the ACE_ADD_FILE
+* permission for the parent directory
+*/
+struct stat s;
+if(stat(p.ptr, &s)) {
+if(errno != ENOENT) {
+perror("fs_acl_check: stat");
+free(p.ptr);
+return 0;
+} else {
+mask = ACE_ADD_FILE;
+p = util_path_remove_last(p);
+if(stat(p.ptr, &s)) {
+free(p.ptr);
+return 0;
+}
+}
+}
+/*
+* perform a acl check for the path and each parent directory
+* we don't check the file system root
+*
+* after the first check, we check only search permission for the
+* directories
+*/
+if(!solaris_acl_check(p.ptr, &s, mask, pw.pw_uid, pw.pw_gid)) {
+free(p.ptr);
+return 0;
+}
+p = util_path_remove_last(p);
+mask = ACE_LIST_DIRECTORY;
+while(p.length > 1) {
+if(stat(p.ptr, &s)) {
+free(p.ptr);
+return 0;
+}
+if(!solaris_acl_check(p.ptr, &s, mask, pw.pw_uid, pw.pw_gid)) {
+free(p.ptr);
+return 0;
+}
+// cut the last file name from the path
+p = util_path_remove_last(p);
+}
+return 1;
+}
+int solaris_acl_check(
+char *path,
+struct stat *s,
+uint32_t mask,
+uid_t uid,
+gid_t gid)
+{
+//printf("solaris_acl_check %s\n", path);
+int nace = acl(path, ACE_GETACLCNT, 0, NULL);
+if(nace == -1) {
+perror("acl: ACE_GETACLCNT");
+// TODO: log error
+return 0;
+}
+ace_t *aces = calloc(nace, sizeof(ace_t));
+if(acl(path, ACE_GETACL, nace, aces) == 1) {
+perror("acl: ACE_GETACL");
+// TODO: log error
+free(aces);
+return 0;
+}
+int allow = 0;
+uint32_t allowed_access = 0;
+for(int i=0;i<nace;i++) {
+ace_t ace = aces[i];
+if(solaris_acl_affects_user(&ace, uid, gid, s->st_uid, s->st_gid)) {
+if(ace.a_type == ACE_ACCESS_ALLOWED_ACE_TYPE) {
+// add all new access rights
+allowed_access |= (mask & ace.a_access_mask);
+// check if we have all requested rights
+if((allowed_access & mask) == mask) {
+allow = 1;
+break;
+}
+} else if(ace.a_type == ACE_ACCESS_DENIED_ACE_TYPE) {
+// ACL_TYPE_DENIED
+if((ace.a_access_mask & mask) != 0) {
+// access denied
+break;
+}
+}
+}
+}
+free(aces);
+//printf("return %d\n", allow);
+return allow;
+}
+int solaris_acl_affects_user(
+ace_t *ace,
+uid_t uid,
+gid_t gid,
+uid_t owner,
+gid_t owninggroup)
+{
+/*
+* mostly the same as wsacl_affects_user
+*/
+int check_access = 0;
+if((ace->a_flags & ACE_OWNER) == ACE_OWNER) {
+if(uid == owner) {
+check_access = 1;
+}
+} else if((ace->a_flags & ACE_GROUP) == ACE_GROUP) {
+if(gid == owninggroup) {
+check_access = 1;
+}
+} else if((ace->a_flags & ACE_EVERYONE) == ACE_EVERYONE) {
+check_access = 1;
+} else if(ace->a_who != -1 && uid != 0) {
+// this ace is defined for a named user or group
+if((ace->a_flags & ACE_IDENTIFIER_GROUP) == ACE_IDENTIFIER_GROUP) {
+// TODO: check all groups
+if(ace->a_who == gid) {
+// the user is in the group
+check_access = 1;
+}
+} else {
+if(ace->a_who == uid) {
+check_access = 1;
+}
+}
+}
+return check_access;
+}
+#endif

Mercurial > hg > webserver / file comparison

comparison: src/server/daemon/acl.c

src/server/daemon/acl.c