Wed, 27 Nov 2024 23:00:07 +0100
add TODO to use a future ucx feature
51 | 1 | /* |
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. | |
3 | * | |
4 | * Copyright 2013 Olaf Wintermann. All rights reserved. | |
5 | * | |
6 | * Redistribution and use in source and binary forms, with or without | |
7 | * modification, are permitted provided that the following conditions are met: | |
8 | * | |
9 | * 1. Redistributions of source code must retain the above copyright | |
10 | * notice, this list of conditions and the following disclaimer. | |
11 | * | |
12 | * 2. Redistributions in binary form must reproduce the above copyright | |
13 | * notice, this list of conditions and the following disclaimer in the | |
14 | * documentation and/or other materials provided with the distribution. | |
15 | * | |
16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE | |
20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | |
21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | |
22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | |
23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | |
24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | |
26 | * POSSIBILITY OF SUCH DAMAGE. | |
27 | */ | |
28 | ||
29 | #include <stdio.h> | |
30 | #include <stdlib.h> | |
73
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
31 | #include <unistd.h> |
51 | 32 | |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
33 | #include "../util/util.h" |
51 | 34 | #include "../util/pool.h" |
141 | 35 | #include "../util/pblock.h" |
51 | 36 | #include "../safs/auth.h" |
73
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
37 | #include "log.h" |
51 | 38 | #include "acl.h" |
39 | ||
141 | 40 | #define AUTH_TYPE_BASIC "basic" |
41 | ||
51 | 42 | void acllist_createhandle(Session *sn, Request *rq) { |
43 | ACLListHandle *handle = pool_malloc(sn->pool, sizeof(ACLListHandle)); | |
44 | handle->defaultauthdb = NULL; | |
45 | handle->listhead = NULL; | |
46 | handle->listtail = NULL; | |
47 | rq->acllist = handle; | |
48 | } | |
49 | ||
52
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
50 | /* |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
51 | * append or prepend an ACL |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
52 | */ |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
53 | void acllist_add(Session *sn, Request *rq, ACLList *acl, int append) { |
51 | 54 | if(!rq->acllist) { |
55 | acllist_createhandle(sn, rq); | |
56 | } | |
57 | ACLListHandle *list = rq->acllist; | |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
58 | |
51 | 59 | if(!list->defaultauthdb && acl->authdb) { |
60 | list->defaultauthdb = acl->authdb; | |
61 | } | |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
62 | |
51 | 63 | ACLListElm *elm = pool_malloc(sn->pool, sizeof(ACLListElm)); |
64 | elm->acl = acl; | |
65 | elm->next = NULL; | |
66 | if(list->listhead == NULL) { | |
67 | list->listhead = elm; | |
68 | list->listtail = elm; | |
69 | } else { | |
52
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
70 | if(append) { |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
71 | list->listtail->next = elm; |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
72 | list->listtail = elm; |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
73 | } else { |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
74 | elm->next = list->listhead; |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
75 | list->listhead = elm; |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
76 | } |
51 | 77 | } |
78 | } | |
79 | ||
52
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
80 | void acllist_append(Session *sn, Request *rq, ACLList *acl) { |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
81 | acllist_add(sn, rq, acl, 1); |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
82 | } |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
83 | |
51 | 84 | void acllist_prepend(Session *sn, Request *rq, ACLList *acl) { |
52
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
85 | acllist_add(sn, rq, acl, 0); |
51 | 86 | } |
87 | ||
54 | 88 | uint32_t acl_oflag2mask(int oflags) { |
89 | /* TODO: | |
90 | * maybe there is a plattform where O_RDWR is not O_RDONLY | O_WRONLY | |
91 | */ | |
92 | uint32_t access_mask = 0; | |
93 | if((oflags & O_RDONLY) == O_RDONLY) { | |
94 | access_mask |= ACL_READ_DATA; | |
95 | } | |
96 | if((oflags & O_WRONLY) == O_WRONLY) { | |
97 | access_mask |= ACL_WRITE_DATA; | |
98 | } | |
99 | return access_mask; | |
100 | } | |
51 | 101 | |
54 | 102 | User* acllist_getuser(Session *sn, Request *rq, ACLListHandle *list) { |
261
f2c772336ecd
add some references to issues
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
260
diff
changeset
|
103 | // TODO: cache result #50 |
54 | 104 | if(!sn || !rq || !list) { |
105 | return NULL; | |
51 | 106 | } |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
107 | |
51 | 108 | // get user |
109 | User *user = NULL; | |
110 | if(list->defaultauthdb) { | |
111 | char *usr; | |
112 | char *pw; | |
113 | if(!basicauth_getuser(sn, rq, &usr, &pw)) { | |
66
74babc0082b7
added authentication cache
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
63
diff
changeset
|
114 | int pwok; |
467
4d038bc6f86e
refactore ldap_auth to use resource pools
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
453
diff
changeset
|
115 | user = authdb_get_and_verify(list->defaultauthdb, sn, rq, usr, pw, &pwok); |
51 | 116 | if(!user) { |
66
74babc0082b7
added authentication cache
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
63
diff
changeset
|
117 | // wrong user or wrong password |
54 | 118 | return NULL; |
51 | 119 | } |
120 | // ok - user is authenticated | |
141 | 121 | pblock_kvinsert( |
122 | pb_key_auth_user, | |
123 | user->name, | |
124 | strlen(user->name), | |
125 | rq->vars); | |
126 | pblock_kvinsert( | |
127 | pb_key_auth_type, | |
128 | AUTH_TYPE_BASIC, | |
129 | sizeof(AUTH_TYPE_BASIC)-1, | |
130 | rq->vars); | |
51 | 131 | } |
54 | 132 | } |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
133 | |
54 | 134 | return user; |
135 | } | |
136 | ||
137 | void acl_set_error_status(Session *sn, Request *rq, ACLList *acl, User *user) { | |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
138 | if(sn == NULL || rq == NULL) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
139 | return; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
140 | } |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
141 | |
54 | 142 | if(!user) { |
143 | char *value = NULL; | |
144 | if(acl->authprompt) { | |
145 | size_t realmlen = strlen(acl->authprompt); | |
146 | size_t len = realmlen + 16; | |
147 | value = pool_malloc(sn->pool, len); | |
148 | if(value) { | |
149 | snprintf( | |
150 | value, | |
151 | len, | |
152 | "Basic realm=\"%s\"", | |
153 | acl->authprompt); | |
154 | } | |
155 | } | |
156 | if(!value) { | |
157 | value = "Basic realm=\"login\""; | |
158 | } | |
159 | pblock_nvinsert("www-authenticate", value, rq->srvhdrs); | |
160 | protocol_status(sn, rq, PROTOCOL_UNAUTHORIZED, NULL); | |
51 | 161 | } else { |
54 | 162 | protocol_status(sn, rq, PROTOCOL_FORBIDDEN, NULL); |
163 | } | |
164 | } | |
165 | ||
166 | int acl_evaluate(Session *sn, Request *rq, int access_mask) { | |
167 | ACLListHandle *list = rq->acllist; | |
168 | if(!list) { | |
169 | return REQ_PROCEED; | |
170 | } | |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
171 | |
54 | 172 | // we combine access_mask with the required access rights |
173 | access_mask |= rq->aclreqaccess; | |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
174 | |
54 | 175 | // get user |
176 | User *user = acllist_getuser(sn, rq, list); | |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
177 | |
54 | 178 | // evalutate all ACLs |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
179 | ACLList *acl = acl_evallist(list, user, access_mask, NULL); |
54 | 180 | if(acl) { |
181 | acl_set_error_status(sn, rq, acl, user); | |
51 | 182 | return REQ_ABORTED; |
183 | } | |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
184 | |
54 | 185 | return REQ_PROCEED; |
186 | } | |
187 | ||
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
188 | ACLList* acl_evallist( |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
189 | ACLListHandle *list, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
190 | User *user, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
191 | int access_mask, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
192 | ACLList **externacl) |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
193 | { |
54 | 194 | if(!list) { |
195 | return NULL; | |
196 | } | |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
197 | if(externacl) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
198 | *externacl = NULL; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
199 | } |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
200 | |
51 | 201 | // evaluate each acl until one denies access |
202 | ACLListElm *elm = list->listhead; | |
203 | while(elm) { | |
204 | ACLList *acl = elm->acl; | |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
205 | if(acl->isextern) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
206 | // set externacl to the first external acl |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
207 | if(externacl && *externacl == NULL) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
208 | *externacl = acl; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
209 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
210 | } else if(!acl->check(acl, user, access_mask)) { |
51 | 211 | // the acl denies access |
54 | 212 | return acl; |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
213 | } |
51 | 214 | elm = elm->next; |
215 | } | |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
216 | |
51 | 217 | // ok - all acls allowed access |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
218 | |
54 | 219 | return NULL; |
51 | 220 | } |
221 | ||
54 | 222 | int wsacl_affects_user(WSAce *ace, User *user) { |
52
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
223 | int check_access = 0; |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
224 | |
52
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
225 | /* |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
226 | * an ace can affect |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
227 | * a named user or group (ace->who is set) |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
228 | * the owner of the resource (ACL_OWNER is set) |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
229 | * the owning group of the resource (ACL_GROUP is set) |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
230 | * everyone (ACL_EVERYONE is set) |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
231 | * |
52
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
232 | * Only one of this conditions should be true. The behavior on |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
233 | * illegal flag combination is undefined. We assume that the acls |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
234 | * are created correctly by the configuration loader. |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
235 | */ |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
236 | |
52
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
237 | if(ace->who && user) { |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
238 | // this ace is defined for a named user or group |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
239 | if((ace->flags & ACL_IDENTIFIER_GROUP) == ACL_IDENTIFIER_GROUP) { |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
240 | if(user->check_group(user, ace->who)) { |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
241 | // the user is in the group |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
242 | check_access = 1; |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
243 | } |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
244 | } else { |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
245 | if(!strcmp(user->name, ace->who)) { |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
246 | check_access = 1; |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
247 | } |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
248 | } |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
249 | } else if((ace->flags & ACL_OWNER) == ACL_OWNER) { |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
250 | // TODO |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
251 | } else if((ace->flags & ACL_GROUP) == ACL_GROUP) { |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
252 | // TODO |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
253 | } else if((ace->flags & ACL_EVERYONE) == ACL_EVERYONE) { |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
254 | check_access = 1; |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
255 | } |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
256 | |
52
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
257 | return check_access; |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
258 | } |
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
259 | |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
260 | int wsacl_check(WSAcl *acl, User *user, int access_mask) { |
51 | 261 | int allow = 0; |
262 | uint32_t allowed_access = 0; | |
263 | // check each access control entry | |
264 | for(int i=0;i<acl->acenum;i++) { | |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
265 | WSAce *ace = acl->ace[i]; |
52
aced2245fb1c
new pathcheck saf and code cleanup
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
51
diff
changeset
|
266 | if(wsacl_affects_user(ace, user)) { |
51 | 267 | if(ace->type == ACL_TYPE_ALLOWED) { |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
268 | // add all new access rights |
54 | 269 | allowed_access |= (access_mask & ace->access_mask); |
51 | 270 | // check if we have all requested rights |
271 | if((allowed_access & access_mask) == access_mask) { | |
272 | allow = 1; | |
273 | break; | |
274 | } | |
275 | } else { | |
276 | // ACL_TYPE_DENIED | |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
277 | |
51 | 278 | if((ace->access_mask & access_mask) != 0) { |
279 | // access denied | |
280 | break; | |
281 | } | |
282 | } | |
283 | } | |
284 | } | |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
285 | |
51 | 286 | // TODO: events |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
287 | |
54 | 288 | return allow; // allow is 0, if no ace set it to 1 |
51 | 289 | } |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
290 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
291 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
292 | /* filesystem acl functions */ |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
293 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
294 | #if defined (__SVR4) && defined (__sun) |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
295 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
296 | #include <sys/acl.h> |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
297 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
298 | int solaris_acl_check( |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
299 | char *path, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
300 | struct stat *s, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
301 | uint32_t mask, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
302 | uid_t uid, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
303 | gid_t gid); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
304 | int solaris_acl_affects_user( |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
305 | ace_t *ace, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
306 | uid_t uid, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
307 | gid_t gid, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
308 | uid_t owner, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
309 | gid_t owninggroup); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
310 | |
241
4adad7faf452
add proppatch op
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
211
diff
changeset
|
311 | int fs_acl_check(SysACL *acl, User *user, const char *path, uint32_t access_mask) { |
415
d938228c382e
switch from ucx 2 to 3
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
261
diff
changeset
|
312 | cxmutstr p; |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
313 | if(path[0] != '/') { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
314 | size_t n = 128; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
315 | char *cwd = malloc(n); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
316 | while(!getcwd(cwd, n)) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
317 | if(errno == ERANGE) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
318 | n *= 2; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
319 | cwd = realloc(cwd, n); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
320 | } else { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
321 | free(cwd); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
322 | return 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
323 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
324 | } |
415
d938228c382e
switch from ucx 2 to 3
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
261
diff
changeset
|
325 | cxmutstr wd = cx_str(cwd); |
d938228c382e
switch from ucx 2 to 3
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
261
diff
changeset
|
326 | cxmutstr pp = cx_str((char*)path); |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
327 | |
415
d938228c382e
switch from ucx 2 to 3
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
261
diff
changeset
|
328 | p = cx_strcat(3, wd, cx_strn("/", 1), pp); |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
329 | } else { |
415
d938228c382e
switch from ucx 2 to 3
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
261
diff
changeset
|
330 | p = cx_strdup(cx_str((char*)path)); |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
331 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
332 | if(p.ptr[p.length-1] == '/') { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
333 | p.ptr[p.length-1] = 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
334 | p.length--; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
335 | } |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
336 | |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
337 | // get uid/gid |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
338 | struct passwd pw; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
339 | if(user) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
340 | char *pwbuf = malloc(DEF_PWBUF); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
341 | if(pwbuf == NULL) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
342 | free(p.ptr); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
343 | return 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
344 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
345 | if(!util_getpwnam(user->name, &pw, pwbuf, DEF_PWBUF)) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
346 | free(pwbuf); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
347 | free(p.ptr); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
348 | return 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
349 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
350 | free(pwbuf); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
351 | acl->user_uid = pw.pw_uid; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
352 | acl->user_gid = pw.pw_gid; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
353 | } else { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
354 | acl->user_uid = -1; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
355 | acl->user_gid = -1; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
356 | } |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
357 | |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
358 | // translate access_mask |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
359 | uint32_t mask = 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
360 | if((access_mask & ACL_READ_DATA) == ACL_READ_DATA) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
361 | mask |= ACE_READ_DATA; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
362 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
363 | if((access_mask & ACL_WRITE_DATA) == ACL_WRITE_DATA) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
364 | mask |= ACE_WRITE_DATA; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
365 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
366 | if((access_mask & ACL_ADD_FILE) == ACL_ADD_FILE) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
367 | mask |= ACE_ADD_FILE; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
368 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
369 | if((access_mask & ACL_READ_XATTR) == ACL_READ_XATTR) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
370 | mask |= ACE_READ_NAMED_ATTRS; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
371 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
372 | if((access_mask & ACL_WRITE_XATTR) == ACL_WRITE_XATTR) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
373 | mask |= ACE_WRITE_NAMED_ATTRS; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
374 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
375 | if((access_mask & ACL_EXECUTE) == ACL_EXECUTE) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
376 | mask |= ACE_EXECUTE; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
377 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
378 | if((access_mask & ACL_DELETE) == ACL_DELETE) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
379 | mask |= ACE_DELETE_CHILD; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
380 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
381 | if((access_mask & ACL_READ_ATTRIBUTES) == ACL_READ_ATTRIBUTES) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
382 | mask |= ACE_READ_ATTRIBUTES; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
383 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
384 | if((access_mask & ACL_WRITE_ATTRIBUTES) == ACL_WRITE_ATTRIBUTES) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
385 | mask |= ACE_WRITE_ATTRIBUTES; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
386 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
387 | if((access_mask & ACL_LIST) == ACL_LIST) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
388 | mask |= ACE_LIST_DIRECTORY; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
389 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
390 | if((access_mask & ACL_READ_ACL) == ACL_READ_ACL) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
391 | mask |= ACE_READ_ACL; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
392 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
393 | if((access_mask & ACL_WRITE_ACL) == ACL_WRITE_ACL) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
394 | mask |= ACE_WRITE_ACL; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
395 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
396 | if((access_mask & ACL_WRITE_OWNER) == ACL_WRITE_OWNER) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
397 | mask |= ACE_WRITE_OWNER; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
398 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
399 | if((access_mask & ACL_SYNCHRONIZE) == ACL_SYNCHRONIZE) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
400 | mask |= ACE_SYNCHRONIZE; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
401 | } |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
402 | |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
403 | /* |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
404 | * If the vfs wants to create new files, path does not name an existing |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
405 | * file. In this case, we check if the user has the ACE_ADD_FILE |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
406 | * permission for the parent directory |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
407 | */ |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
408 | struct stat s; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
409 | if(stat(p.ptr, &s)) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
410 | if(errno != ENOENT) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
411 | perror("fs_acl_check: stat"); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
412 | free(p.ptr); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
413 | return 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
414 | } else { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
415 | mask = ACE_ADD_FILE; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
416 | p = util_path_remove_last(p); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
417 | if(stat(p.ptr, &s)) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
418 | free(p.ptr); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
419 | return 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
420 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
421 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
422 | } |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
423 | |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
424 | /* |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
425 | * perform a acl check for the path and each parent directory |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
426 | * we don't check the file system root |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
427 | * |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
428 | * after the first check, we check only search permission for the |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
429 | * directories |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
430 | */ |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
431 | if(!solaris_acl_check(p.ptr, &s, mask, pw.pw_uid, pw.pw_gid)) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
432 | free(p.ptr); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
433 | return 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
434 | } |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
435 | |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
436 | p = util_path_remove_last(p); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
437 | mask = ACE_LIST_DIRECTORY; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
438 | while(p.length > 1) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
439 | if(stat(p.ptr, &s)) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
440 | free(p.ptr); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
441 | return 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
442 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
443 | if(!solaris_acl_check(p.ptr, &s, mask, pw.pw_uid, pw.pw_gid)) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
444 | free(p.ptr); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
445 | return 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
446 | } |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
447 | |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
448 | // cut the last file name from the path |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
449 | p = util_path_remove_last(p); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
450 | } |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
451 | |
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
452 | |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
453 | return 1; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
454 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
455 | |
211
2160585200ac
add propfind/proppatch parser and first iteration of the new webdav api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
202
diff
changeset
|
456 | int fs_acl_check_fd(SysACL *acl, User *user, int fd, uint32_t access_mask) { |
2160585200ac
add propfind/proppatch parser and first iteration of the new webdav api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
202
diff
changeset
|
457 | // TODO: |
2160585200ac
add propfind/proppatch parser and first iteration of the new webdav api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
202
diff
changeset
|
458 | return 1; |
2160585200ac
add propfind/proppatch parser and first iteration of the new webdav api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
202
diff
changeset
|
459 | } |
2160585200ac
add propfind/proppatch parser and first iteration of the new webdav api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
202
diff
changeset
|
460 | |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
461 | int solaris_acl_check( |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
462 | char *path, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
463 | struct stat *s, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
464 | uint32_t mask, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
465 | uid_t uid, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
466 | gid_t gid) |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
467 | { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
468 | //printf("solaris_acl_check %s\n", path); |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
469 | |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
470 | int nace = acl(path, ACE_GETACLCNT, 0, NULL); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
471 | if(nace == -1) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
472 | perror("acl: ACE_GETACLCNT"); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
473 | // TODO: log error |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
474 | return 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
475 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
476 | ace_t *aces = calloc(nace, sizeof(ace_t)); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
477 | if(acl(path, ACE_GETACL, nace, aces) == 1) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
478 | perror("acl: ACE_GETACL"); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
479 | // TODO: log error |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
480 | free(aces); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
481 | return 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
482 | } |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
483 | |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
484 | int allow = 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
485 | uint32_t allowed_access = 0; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
486 | for(int i=0;i<nace;i++) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
487 | ace_t ace = aces[i]; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
488 | if(solaris_acl_affects_user(&ace, uid, gid, s->st_uid, s->st_gid)) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
489 | if(ace.a_type == ACE_ACCESS_ALLOWED_ACE_TYPE) { |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
490 | // add all new access rights |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
491 | allowed_access |= (mask & ace.a_access_mask); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
492 | // check if we have all requested rights |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
493 | if((allowed_access & mask) == mask) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
494 | allow = 1; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
495 | break; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
496 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
497 | } else if(ace.a_type == ACE_ACCESS_DENIED_ACE_TYPE) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
498 | // ACL_TYPE_DENIED |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
499 | |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
500 | if((ace.a_access_mask & mask) != 0) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
501 | // access denied |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
502 | break; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
503 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
504 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
505 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
506 | } |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
507 | |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
508 | free(aces); |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
509 | |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
510 | //printf("return %d\n", allow); |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
511 | return allow; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
512 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
513 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
514 | int solaris_acl_affects_user( |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
515 | ace_t *ace, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
516 | uid_t uid, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
517 | gid_t gid, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
518 | uid_t owner, |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
519 | gid_t owninggroup) |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
520 | { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
521 | /* |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
522 | * mostly the same as wsacl_affects_user |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
523 | */ |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
524 | |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
525 | int check_access = 0; |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
526 | |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
527 | if((ace->a_flags & ACE_OWNER) == ACE_OWNER) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
528 | if(uid == owner) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
529 | check_access = 1; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
530 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
531 | } else if((ace->a_flags & ACE_GROUP) == ACE_GROUP) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
532 | if(gid == owninggroup) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
533 | check_access = 1; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
534 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
535 | } else if((ace->a_flags & ACE_EVERYONE) == ACE_EVERYONE) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
536 | check_access = 1; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
537 | } else if(ace->a_who != -1 && uid != 0) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
538 | // this ace is defined for a named user or group |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
539 | if((ace->a_flags & ACE_IDENTIFIER_GROUP) == ACE_IDENTIFIER_GROUP) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
540 | // TODO: check all groups |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
541 | if(ace->a_who == gid) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
542 | // the user is in the group |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
543 | check_access = 1; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
544 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
545 | } else { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
546 | if(ace->a_who == uid) { |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
547 | check_access = 1; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
548 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
549 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
550 | } |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
551 | |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
552 | return check_access; |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
553 | } |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
554 | |
73
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
555 | void fs_acl_finish() { |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
556 | |
73
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
557 | } |
63
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
558 | |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
559 | #endif |
66442f81f823
supports file system ACLs on Solaris
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
54
diff
changeset
|
560 | |
69
4a10bc0ee80d
compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
66
diff
changeset
|
561 | /* |
4a10bc0ee80d
compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
66
diff
changeset
|
562 | * generic code for all non acl unices |
4a10bc0ee80d
compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
66
diff
changeset
|
563 | * TODO: don't use OSX in the preprocessor directive |
4a10bc0ee80d
compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
66
diff
changeset
|
564 | */ |
4a10bc0ee80d
compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
66
diff
changeset
|
565 | #ifdef OSX |
4a10bc0ee80d
compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
66
diff
changeset
|
566 | |
453
4586d534f9b5
fix build on macos
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
415
diff
changeset
|
567 | int fs_acl_check(SysACL *acl, User *user, const char *path, uint32_t access_mask) { |
69
4a10bc0ee80d
compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
66
diff
changeset
|
568 | return 1; |
4a10bc0ee80d
compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
66
diff
changeset
|
569 | } |
4a10bc0ee80d
compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
66
diff
changeset
|
570 | |
211
2160585200ac
add propfind/proppatch parser and first iteration of the new webdav api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
202
diff
changeset
|
571 | int fs_acl_check_fd(SysACL *acl, User *user, int fd, uint32_t access_mask) { |
2160585200ac
add propfind/proppatch parser and first iteration of the new webdav api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
202
diff
changeset
|
572 | return 1; |
2160585200ac
add propfind/proppatch parser and first iteration of the new webdav api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
202
diff
changeset
|
573 | } |
2160585200ac
add propfind/proppatch parser and first iteration of the new webdav api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
202
diff
changeset
|
574 | |
73
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
575 | void fs_acl_finish() { |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
576 | |
73
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
577 | } |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
578 | |
69
4a10bc0ee80d
compiles on os x
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
66
diff
changeset
|
579 | #endif |
73
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
580 | |
453
4586d534f9b5
fix build on macos
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
415
diff
changeset
|
581 | #if defined(BSD) && !defined(OSX) |
109
8a0a7754f123
experimental BSD support
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
100
diff
changeset
|
582 | |
260
4779a6fb4fbe
fix freebsd build
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
241
diff
changeset
|
583 | int fs_acl_check(SysACL *acl, User *user, const char *path, uint32_t access_mask) { |
109
8a0a7754f123
experimental BSD support
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
100
diff
changeset
|
584 | return 1; |
8a0a7754f123
experimental BSD support
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
100
diff
changeset
|
585 | } |
8a0a7754f123
experimental BSD support
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
100
diff
changeset
|
586 | |
211
2160585200ac
add propfind/proppatch parser and first iteration of the new webdav api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
202
diff
changeset
|
587 | int fs_acl_check_fd(SysACL *acl, User *user, int fd, uint32_t access_mask) { |
2160585200ac
add propfind/proppatch parser and first iteration of the new webdav api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
202
diff
changeset
|
588 | return 1; |
2160585200ac
add propfind/proppatch parser and first iteration of the new webdav api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
202
diff
changeset
|
589 | } |
2160585200ac
add propfind/proppatch parser and first iteration of the new webdav api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
202
diff
changeset
|
590 | |
109
8a0a7754f123
experimental BSD support
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
100
diff
changeset
|
591 | void fs_acl_finish() { |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
592 | |
109
8a0a7754f123
experimental BSD support
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
100
diff
changeset
|
593 | } |
8a0a7754f123
experimental BSD support
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
100
diff
changeset
|
594 | |
8a0a7754f123
experimental BSD support
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
100
diff
changeset
|
595 | #endif |
8a0a7754f123
experimental BSD support
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
100
diff
changeset
|
596 | |
73
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
597 | |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
598 | #ifdef LINUX |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
599 | |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
600 | #include <sys/fsuid.h> |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
601 | |
260
4779a6fb4fbe
fix freebsd build
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
241
diff
changeset
|
602 | int fs_acl_check(SysACL *acl, User *user, const char *path, uint32_t access_mask) { |
73
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
603 | struct passwd *ws_pw = conf_getglobals()->Vuserpw; |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
604 | if(!ws_pw) { |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
605 | log_ereport(LOG_FAILURE, "fs_acl_check: unknown webserver uid/gid"); |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
606 | return 1; |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
607 | } |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
608 | |
73
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
609 | // get uid/gid |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
610 | struct passwd pw; |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
611 | if(user) { |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
612 | char *pwbuf = malloc(DEF_PWBUF); |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
613 | if(pwbuf == NULL) { |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
614 | return 0; |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
615 | } |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
616 | if(!util_getpwnam(user->name, &pw, pwbuf, DEF_PWBUF)) { |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
617 | free(pwbuf); |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
618 | return 0; |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
619 | } |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
620 | free(pwbuf); |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
621 | acl->user_uid = pw.pw_uid; |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
622 | acl->user_gid = pw.pw_gid; |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
623 | } else { |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
624 | acl->user_uid = 0; |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
625 | acl->user_gid = 0; |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
626 | } |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
627 | |
73
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
628 | // set fs uid/gid |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
629 | if(acl->user_uid != 0) { |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
630 | if(setfsuid(pw.pw_uid)) { |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
631 | log_ereport( |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
632 | LOG_FAILURE, |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
633 | "Cannot set fsuid to uid: %u", pw.pw_uid); |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
634 | } |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
635 | if(setfsgid(pw.pw_gid)) { |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
636 | log_ereport( |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
637 | LOG_FAILURE, |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
638 | "Cannot set fsgid to gid: %u", pw.pw_gid); |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
639 | } |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
640 | } |
202
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
641 | |
c374d11d6720
remove libnsl from linux makefile
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
141
diff
changeset
|
642 | |
73
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
643 | return 1; |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
644 | } |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
645 | |
211
2160585200ac
add propfind/proppatch parser and first iteration of the new webdav api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
202
diff
changeset
|
646 | int fs_acl_check_fd(SysACL *acl, User *user, int fd, uint32_t access_mask) { |
2160585200ac
add propfind/proppatch parser and first iteration of the new webdav api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
202
diff
changeset
|
647 | // TODO |
2160585200ac
add propfind/proppatch parser and first iteration of the new webdav api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
202
diff
changeset
|
648 | return 1; |
2160585200ac
add propfind/proppatch parser and first iteration of the new webdav api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
202
diff
changeset
|
649 | } |
2160585200ac
add propfind/proppatch parser and first iteration of the new webdav api
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
202
diff
changeset
|
650 | |
73
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
651 | void fs_acl_finish() { |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
652 | struct passwd *pw = conf_getglobals()->Vuserpw; |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
653 | if(!pw) { |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
654 | log_ereport( |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
655 | LOG_FAILURE, |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
656 | "global configuration broken (Vuserpw is null)"); |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
657 | return; |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
658 | } |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
659 | if(setfsuid(pw->pw_uid)) { |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
660 | log_ereport( |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
661 | LOG_FAILURE, |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
662 | "Cannot set fsuid back to server uid: %u", pw->pw_uid); |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
663 | } |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
664 | if(setfsgid(pw->pw_gid)) { |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
665 | log_ereport( |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
666 | LOG_FAILURE, |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
667 | "Cannot set fsgid back to server gid: %u", pw->pw_gid); |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
668 | } |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
669 | } |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
670 | |
79fa26ecd135
added file system ACLs for linux
Olaf Wintermann <olaf.wintermann@gmail.com>
parents:
69
diff
changeset
|
671 | #endif |