diff -r c47e081b6c0f -r 66442f81f823 src/server/daemon/vfs.c --- a/src/server/daemon/vfs.c Thu May 09 19:41:11 2013 +0200 +++ b/src/server/daemon/vfs.c Sat May 11 13:28:26 2013 +0200 @@ -33,6 +33,7 @@ #include "../util/pool.h" #include "../ucx/map.h" +#include "acl.h" #include "vfs.h" static UcxMap *vfs_map; @@ -107,12 +108,18 @@ } // check ACLs - uid_t uid; // uid and gid will be initialized by sys_acl_check - gid_t gid; - if(sys_acl_check(ctx, access_mask, &uid, &gid)) { + SysACL sysacl; + if(sys_acl_check(ctx, access_mask, &sysacl)) { return NULL; } + if(sysacl.acl) { + if(!fs_acl_check(&sysacl, ctx->user, path, access_mask)) { + acl_set_error_status(ctx->sn, ctx->rq, sysacl.acl, ctx->user); + return NULL; + } + } + // open file mode_t mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH; int fd = open(path, oflags, mode); @@ -124,6 +131,16 @@ return NULL; } + // if a file system acl is active, we set the owner for newly created files + if(((oflags & O_CREAT) == O_CREAT) && sysacl.user_uid != -1) { + if(fchown(fd, sysacl.user_uid, sysacl.user_gid)) { + perror("vfs_open: fchown"); + close(fd); + return NULL; + } + } + + VFSFile *file = pool ? pool_malloc(pool, sizeof(VFSFile)) : malloc(sizeof(VFSFile)); if(!file) { @@ -176,12 +193,18 @@ } // check ACLs - uid_t uid; // uid and gid will be initialized by sys_acl_check - gid_t gid; - if(sys_acl_check(ctx, access_mask, &uid, &gid)) { + SysACL sysacl; + if(sys_acl_check(ctx, access_mask, &sysacl)) { return -1; } + if(sysacl.acl) { + if(!fs_acl_check(&sysacl, ctx->user, path, access_mask)) { + acl_set_error_status(ctx->sn, ctx->rq, sysacl.acl, ctx->user); + return -1; + } + } + // stat if(stat(path, buf)) { if(ctx) { @@ -256,12 +279,18 @@ } // check ACLs - uid_t uid; // uid and gid will be initialized by sys_acl_check - gid_t gid; - if(sys_acl_check(ctx, access_mask, &uid, &gid)) { + SysACL sysacl; + if(sys_acl_check(ctx, access_mask, &sysacl)) { return NULL; } + if(sysacl.acl) { + if(!fs_acl_check(&sysacl, ctx->user, path, access_mask)) { + acl_set_error_status(ctx->sn, ctx->rq, sysacl.acl, ctx->user); + return NULL; + } + } + // open file int sys_fd = open(path, O_RDONLY); if(sys_fd == -1) { @@ -315,7 +344,7 @@ if(ctx && ctx->vfs) { return vfs_path_op(ctx, path, ctx->vfs->mkdir, ACL_ADD_FILE); } else { - return vfs_path_op(ctx, path, sys_mkdir, ACL_ADD_FILE); + return sys_path_op(ctx, path, sys_mkdir, ACL_ADD_FILE); } } @@ -323,7 +352,7 @@ if(ctx && ctx->vfs) { return vfs_path_op(ctx, path, ctx->vfs->unlink, ACL_DELETE); } else { - return vfs_path_op(ctx, path, sys_unlink, ACL_DELETE); + return sys_path_op(ctx, path, sys_unlink, ACL_DELETE); } } @@ -332,38 +361,43 @@ int vfs_path_op(VFSContext *ctx, char *path, vfs_op_f op, uint32_t access) { Session *sn; Request *rq; - uint32_t access_mask; + + uint32_t access_mask = ctx->aclreqaccess; + access_mask |= access; + if(!ctx->pool) { + // TODO: log warning + // broken VFSContext + return -1; + } + // ctx->aclreqaccess should be the complete access mask + uint32_t m = ctx->aclreqaccess; // save original access mask + ctx->aclreqaccess = access_mask; // set mask for vfs function call + int ret = op(ctx, path); + ctx->aclreqaccess = m; // restore original access mask + return ret; +} + +int sys_path_op(VFSContext *ctx, char *path, sys_op_f op, uint32_t access) { if(ctx) { - access_mask = ctx->aclreqaccess; - access_mask |= access; - if(!ctx->pool) { - // TODO: log warning - // broken VFSContext - } - if(ctx->vfs) { - // ctx->aclreqaccess should be the complete access mask - uint32_t m = ctx->aclreqaccess; // save original access mask - ctx->aclreqaccess = access_mask; // set mask for vfs->fstat call - int ret = op(ctx, path); - ctx->aclreqaccess = m; // restore original access mask - return ret; - } - } else { - sn = NULL; - rq = NULL; - access_mask = access; + access |= ctx->aclreqaccess; } // check ACLs - uid_t uid; // uid and gid will be initialized by sys_acl_check - gid_t gid; - if(sys_acl_check(ctx, access_mask, &uid, &gid)) { + SysACL sysacl; + if(sys_acl_check(ctx, access, &sysacl)) { return -1; } + if(sysacl.acl) { + if(!fs_acl_check(&sysacl, ctx->user, path, access)) { + acl_set_error_status(ctx->sn, ctx->rq, sysacl.acl, ctx->user); + return -1; + } + } + // do path operation - if(op(ctx, path)) { + if(op(ctx, path, &sysacl)) { // error if(ctx) { ctx->vfs_errno = errno; @@ -375,32 +409,25 @@ return 0; } -int sys_acl_check(VFSContext *ctx, uint32_t acm, uid_t *uid, gid_t *gid) { - /* - * we don't allow remote root access, so a uid of 0 means that - * no file system acl check is needed - */ - *uid = 0; - *gid = 0; +int sys_acl_check(VFSContext *ctx, uint32_t access_mask, SysACL *sysacl) { if(!ctx) { + if(sysacl) { + sysacl->acl = NULL; + } return 0; } ACLListHandle *acllist = ctx->acllist; if(acllist) { - ACLListElm *elm = acllist->listhead; - while(elm) { - ACLList *acl = elm->acl; - if(acl->isextern) { - // TODO - } else if(!acl->check(acl, ctx->user, acm)) { - // access denied - if(ctx->sn && ctx->rq) { - acl_set_error_status(ctx->sn, ctx->rq, acl, ctx->user); - } - return 1; - } - elm = elm->next; + ACLList *acl = acl_evallist( + acllist, + ctx->user, + access_mask, + &sysacl->acl); + + if(acl) { + acl_set_error_status(ctx->sn, ctx->rq, acl, ctx->user); + return 1; } } @@ -452,12 +479,20 @@ closedir(dir->data); } -int sys_mkdir(VFSContext *ctx, char *path) { +int sys_mkdir(VFSContext *ctx, char *path, SysACL *sysacl) { mode_t mode = S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH; - return mkdir(path, mode); + int ret = mkdir(path, mode); + if(ret == 0) { + if(sysacl->user_uid != -1) { + if(chown(path, sysacl->user_uid, sysacl->user_gid)) { + // TODO: error + } + } + } + return ret; } -int sys_unlink(VFSContext *ctx, char *path) { +int sys_unlink(VFSContext *ctx, char *path, SysACL *sysacl) { return unlink(path); }