webserver: comparison src/server/daemon/acl.c

-:196a3caebdc7
+:c374d11d6720
 void acllist_add(Session *sn, Request *rq, ACLList *acl, int append) {
 if(!rq->acllist) {
 acllist_createhandle(sn, rq);
 }
 ACLListHandle *list = rq->acllist;
 if(!list->defaultauthdb && acl->authdb) {
 list->defaultauthdb = acl->authdb;
 }
 ACLListElm *elm = pool_malloc(sn->pool, sizeof(ACLListElm));
 elm->acl = acl;
 elm->next = NULL;
 if(list->listhead == NULL) {
 list->listhead = elm;
 User* acllist_getuser(Session *sn, Request *rq, ACLListHandle *list) {
 if(!sn || !rq || !list) {
 return NULL;
 }
 // get user
 User *user = NULL;
 if(list->defaultauthdb) {
 char *usr;
 char *pw;
 AUTH_TYPE_BASIC,
 sizeof(AUTH_TYPE_BASIC)-1,
 rq->vars);
 }
 }
 return user;
 }
 void acl_set_error_status(Session *sn, Request *rq, ACLList *acl, User *user) {
 if(sn == NULL || rq == NULL) {
 return;
 }
 if(!user) {
 char *value = NULL;
 if(acl->authprompt) {
 size_t realmlen = strlen(acl->authprompt);
 size_t len = realmlen + 16;
 int acl_evaluate(Session *sn, Request *rq, int access_mask) {
 ACLListHandle *list = rq->acllist;
 if(!list) {
 return REQ_PROCEED;
 }
 // we combine access_mask with the required access rights
 access_mask |= rq->aclreqaccess;
 // get user
 User *user = acllist_getuser(sn, rq, list);
 // evalutate all ACLs
 ACLList *acl = acl_evallist(list, user, access_mask, NULL);
 if(acl) {
 acl_set_error_status(sn, rq, acl, user);
 // TODO: don't free the user here
 if(user) {
 user->free(user);
 }
 return REQ_ABORTED;
 }
 // access allowed, we can free the user
 if(user) {
 user->free(user);
 }
 return REQ_PROCEED;
 }
 ACLList* acl_evallist(
 ACLListHandle *list,
 return NULL;
 }
 if(externacl) {
 *externacl = NULL;
 }
 // evaluate each acl until one denies access
 ACLListElm *elm = list->listhead;
 while(elm) {
 ACLList *acl = elm->acl;
 if(acl->isextern) {
 *externacl = acl;
 }
 } else if(!acl->check(acl, user, access_mask)) {
 // the acl denies access
 return acl;
 }
 elm = elm->next;
 }
 // ok - all acls allowed access
 return NULL;
 }
 int wsacl_affects_user(WSAce *ace, User *user) {
 int check_access = 0;
 /*
 * an ace can affect
 *   a named user or group (ace->who is set)
 *   the owner of the resource (ACL_OWNER is set)
 *   the owning group of the resource (ACL_GROUP is set)
 *   everyone (ACL_EVERYONE is set)
 *
 * Only one of this conditions should be true. The behavior on
 * illegal flag combination is undefined. We assume that the acls
 * are created correctly by the configuration loader.
 */
 if(ace->who && user) {
 // this ace is defined for a named user or group
 if((ace->flags & ACL_IDENTIFIER_GROUP) == ACL_IDENTIFIER_GROUP) {
 if(user->check_group(user, ace->who)) {
 // the user is in the group
 } else if((ace->flags & ACL_GROUP) == ACL_GROUP) {
 // TODO
 } else if((ace->flags & ACL_EVERYONE) == ACL_EVERYONE) {
 check_access = 1;
 }
 return check_access;
 }
 int wsacl_check(WSAcl *acl, User *user, int access_mask) {
 int allow = 0;
 uint32_t allowed_access = 0;
 // check each access control entry
 for(int i=0;i<acl->acenum;i++) {
 WSAce *ace = acl->ace[i];
 if(wsacl_affects_user(ace, user)) {
 if(ace->type == ACL_TYPE_ALLOWED) {
 // add all new access rights
 allowed_access |= (access_mask & ace->access_mask);
 // check if we have all requested rights
 if((allowed_access & access_mask) == access_mask) {
 allow = 1;
 break;
 }
 } else {
 // ACL_TYPE_DENIED
 if((ace->access_mask & access_mask) != 0) {
 // access denied
 break;
 }
 }
 }
 }
 // TODO: events
 return allow; // allow is 0, if no ace set it to 1
 }
 /* filesystem acl functions */
 return 0;
 }
 }
 sstr_t wd = sstr(cwd);
 sstr_t pp = sstr(path);
 p = sstrcat(3, wd, sstrn("/", 1), pp);
 } else {
 p = sstrdup(sstr(path));
 }
 if(p.ptr[p.length-1] == '/') {
 p.ptr[p.length-1] = 0;
 p.length--;
 }
 // get uid/gid
 struct passwd pw;
 if(user) {
 char *pwbuf = malloc(DEF_PWBUF);
 if(pwbuf == NULL) {
 acl->user_gid = pw.pw_gid;
 } else {
 acl->user_uid = -1;
 acl->user_gid = -1;
 }
 // translate access_mask
 uint32_t mask = 0;
 if((access_mask & ACL_READ_DATA) == ACL_READ_DATA) {
 mask |= ACE_READ_DATA;
 }
 mask |= ACE_WRITE_OWNER;
 }
 if((access_mask & ACL_SYNCHRONIZE) == ACL_SYNCHRONIZE) {
 mask |= ACE_SYNCHRONIZE;
 }
 /*
 * If the vfs wants to create new files, path does not name an existing
 * file. In this case, we check if the user has the ACE_ADD_FILE
 * permission for the parent directory
 */
 free(p.ptr);
 return 0;
 }
 }
 }
 /*
 * perform a acl check for the path and each parent directory
 * we don't check the file system root
 *
 * after the first check, we check only search permission for the
 * directories
 */
 if(!solaris_acl_check(p.ptr, &s, mask, pw.pw_uid, pw.pw_gid)) {
 free(p.ptr);
 return 0;
 }
 p = util_path_remove_last(p);
 mask = ACE_LIST_DIRECTORY;
 while(p.length > 1) {
 if(stat(p.ptr, &s)) {
 free(p.ptr);
 }
 if(!solaris_acl_check(p.ptr, &s, mask, pw.pw_uid, pw.pw_gid)) {
 free(p.ptr);
 return 0;
 }
 // cut the last file name from the path
 p = util_path_remove_last(p);
 }
 return 1;
 }
 int solaris_acl_check(
 char *path,
 uint32_t mask,
 uid_t uid,
 gid_t gid)
 {
 //printf("solaris_acl_check %s\n", path);
 int nace = acl(path, ACE_GETACLCNT, 0, NULL);
 if(nace == -1) {
 perror("acl: ACE_GETACLCNT");
 // TODO: log error
 return 0;
 perror("acl: ACE_GETACL");
 // TODO: log error
 free(aces);
 return 0;
 }
 int allow = 0;
 uint32_t allowed_access = 0;
 for(int i=0;i<nace;i++) {
 ace_t ace = aces[i];
 if(solaris_acl_affects_user(&ace, uid, gid, s->st_uid, s->st_gid)) {
 if(ace.a_type == ACE_ACCESS_ALLOWED_ACE_TYPE) {
 // add all new access rights
 allowed_access |= (mask & ace.a_access_mask);
 // check if we have all requested rights
 if((allowed_access & mask) == mask) {
 allow = 1;
 break;
 }
 } else if(ace.a_type == ACE_ACCESS_DENIED_ACE_TYPE) {
 // ACL_TYPE_DENIED
 if((ace.a_access_mask & mask) != 0) {
 // access denied
 break;
 }
 }
 }
 }
 free(aces);
 //printf("return %d\n", allow);
 return allow;
 }
 int solaris_acl_affects_user(
 gid_t owninggroup)
 {
 /*
 * mostly the same as wsacl_affects_user
 */
 int check_access = 0;
 if((ace->a_flags & ACE_OWNER) == ACE_OWNER) {
 if(uid == owner) {
 check_access = 1;
 }
 } else if((ace->a_flags & ACE_GROUP) == ACE_GROUP) {
 if(ace->a_who == uid) {
 check_access = 1;
 }
 }
 }
 return check_access;
 }
 void fs_acl_finish() {
 }
 #endif
 /*
 int fs_acl_check(SysACL *acl, User *user, char *path, uint32_t access_mask) {
 return 1;
 }
 void fs_acl_finish() {
 }
 #endif
 #ifdef BSD
 int fs_acl_check(SysACL *acl, User *user, char *path, uint32_t access_mask) {
 return 1;
 }
 void fs_acl_finish() {
 }
 #endif
 struct passwd *ws_pw = conf_getglobals()->Vuserpw;
 if(!ws_pw) {
 log_ereport(LOG_FAILURE, "fs_acl_check: unknown webserver uid/gid");
 return 1;
 }
 // get uid/gid
 struct passwd pw;
 if(user) {
 char *pwbuf = malloc(DEF_PWBUF);
 if(pwbuf == NULL) {
 acl->user_gid = pw.pw_gid;
 } else {
 acl->user_uid = 0;
 acl->user_gid = 0;
 }
 // set fs uid/gid
 if(acl->user_uid != 0) {
 if(setfsuid(pw.pw_uid)) {
 log_ereport(
 LOG_FAILURE,
 log_ereport(
 LOG_FAILURE,
 "Cannot set fsgid to gid: %u", pw.pw_gid);
 }
 }
 return 1;
 }
 void fs_acl_finish() {
 struct passwd *pw = conf_getglobals()->Vuserpw;

Mercurial > hg > webserver / file comparison

comparison: src/server/daemon/acl.c

src/server/daemon/acl.c