2 Copyright (c) 2008, 2009, 2010 Frank Lahm <franklahm@gmail.com>
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 2 of the License, or
7 (at your option) any later version.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
17 #endif /* HAVE_CONFIG_H */
26 #ifdef HAVE_SOLARIS_ACLS
29 #ifdef HAVE_POSIX_ACLS
31 #include <acl/libacl.h>
34 #include <atalk/errchk.h>
35 #include <atalk/adouble.h>
36 #include <atalk/vfs.h>
37 #include <atalk/afp.h>
38 #include <atalk/util.h>
39 #include <atalk/cnid.h>
40 #include <atalk/logger.h>
41 #include <atalk/uuid.h>
42 #include <atalk/acl.h>
43 #include <atalk/bstrlib.h>
44 #include <atalk/bstradd.h>
46 #include "directory.h"
52 #include "acl_mappings.h"
55 #define SOLARIS_2_DARWIN 1
56 #define DARWIN_2_SOLARIS 2
57 #define POSIX_DEFAULT_2_DARWIN 3
58 #define POSIX_ACCESS_2_DARWIN 4
59 #define DARWIN_2_POSIX_DEFAULT 5
60 #define DARWIN_2_POSIX_ACCESS 6
65 /********************************************************
66 * Basic and helper funcs
67 ********************************************************/
70 * Takes a user by pointer to his/her struct passwd entry and checks if user
71 * is member of group "gid".
73 * @param pwd (r) pointer to struct passwd of user
74 * @returns 1 if user is member, 0 if not, -1 on error
76 static int check_group(const struct passwd *pwd, gid_t gid)
82 if (pwd->pw_gid == gid)
85 EC_NULL(grp = getgrgid(gid));
88 while (grp->gr_mem[i] != NULL) {
89 if ((strcmp(grp->gr_mem[i], pwd->pw_name)) == 0) {
90 LOG(log_debug, logtype_afpd, "user:%s is member of: %s",
91 pwd->pw_name, grp->gr_name);
103 /********************************************************
105 ********************************************************/
107 #ifdef HAVE_SOLARIS_ACLS
110 * Compile access rights for a user to one file-system object
112 * This combines combines all access rights for a user to one fs-object and
113 * returns the result as a Darwin allowed rights ACE.
114 * This must honor trivial ACEs which are a mode_t mapping.
116 * @param path (r) path to filesystem object
117 * @param sb (r) struct stat of path
118 * @param pwd (r) struct passwd of user
119 * @param result (w) resulting Darwin allow ACE
121 * @returns 0 or -1 on error
123 static int solaris_acl_rights(const char *path,
124 const struct stat *sb,
125 const struct passwd *pwd,
129 int i, ace_count, checkgroup;
132 uint16_t flags, type;
133 uint32_t rights, allowed_rights = 0, denied_rights = 0, darwin_rights;
135 /* Get ACL from file/dir */
136 EC_NEG1_LOG(ace_count = get_nfsv4_acl(path, &aces));
138 if (ace_count == 0) {
139 LOG(log_warning, logtype_afpd, "Zero ACEs from get_nfsv4_acl");
143 /* Now check requested rights */
145 do { /* Loop through ACEs */
147 flags = aces[i].a_flags;
148 type = aces[i].a_type;
149 rights = aces[i].a_access_mask;
151 if (flags & ACE_INHERIT_ONLY_ACE)
154 /* Now the tricky part: decide if ACE effects our user. I'll explain:
155 if its a dedicated (non trivial) ACE for the user
157 if its a ACE for a group we're member of
159 if its a trivial ACE_OWNER ACE and requested UUID is the owner
161 if its a trivial ACE_GROUP ACE and requested UUID is group
163 if its a trivial ACE_EVERYONE ACE
166 if (((who == pwd->pw_uid) && !(flags & (ACE_TRIVIAL|ACE_IDENTIFIER_GROUP)))
168 ((flags & ACE_IDENTIFIER_GROUP)
169 && !(flags & ACE_GROUP)
170 && (check_group(pwd, who) == 1))
172 ((flags & ACE_OWNER) && (pwd->pw_uid == sb->st_uid))
174 ((flags & ACE_GROUP) && (check_group(pwd, sb->st_gid) == 1))
176 (flags & ACE_EVERYONE)
178 /* Found an applicable ACE */
179 if (type == ACE_ACCESS_ALLOWED_ACE_TYPE)
180 allowed_rights |= rights;
181 else if (type == ACE_ACCESS_DENIED_ACE_TYPE)
182 /* Only or to denied rights if not previously allowed !! */
183 denied_rights |= ((!allowed_rights) & rights);
185 } while (++i < ace_count);
188 /* Darwin likes to ask for "delete_child" on dir,
189 "write_data" is actually the same, so we add that for dirs */
190 if (S_ISDIR(sb->st_mode) && (allowed_rights & ACE_WRITE_DATA))
191 allowed_rights |= ACE_DELETE_CHILD;
193 /* Remove denied from allowed rights */
194 allowed_rights &= ~denied_rights;
198 for (i=0; nfsv4_to_darwin_rights[i].from != 0; i++) {
199 if (allowed_rights & nfsv4_to_darwin_rights[i].from)
200 darwin_rights |= nfsv4_to_darwin_rights[i].to;
203 *result |= darwin_rights;
206 if (aces) free(aces);
212 Maps ACE array from Solaris to Darwin. Darwin ACEs are stored in network byte order.
213 Return numer of mapped ACEs or -1 on error.
214 All errors while mapping (e.g. getting UUIDs from LDAP) are fatal.
216 static int map_aces_solaris_to_darwin(const ace_t *aces,
217 darwin_ace_t *darwin_aces,
224 struct passwd *pwd = NULL;
225 struct group *grp = NULL;
227 LOG(log_maxdebug, logtype_afpd, "map_aces_solaris_to_darwin: parsing %d ACES", ace_count);
230 LOG(log_maxdebug, logtype_afpd, "ACE No. %d", ace_count + 1);
231 /* if its a ACE resulting from nfsv4 mode mapping, discard it */
232 if (aces->a_flags & (ACE_OWNER | ACE_GROUP | ACE_EVERYONE)) {
233 LOG(log_debug, logtype_afpd, "trivial ACE");
238 if ( ! (aces->a_flags & ACE_IDENTIFIER_GROUP) ) { /* user ace */
239 LOG(log_debug, logtype_afpd, "uid: %d", aces->a_who);
240 EC_NULL_LOG(pwd = getpwuid(aces->a_who));
241 LOG(log_debug, logtype_afpd, "uid: %d -> name: %s", aces->a_who, pwd->pw_name);
242 EC_ZERO_LOG(getuuidfromname(pwd->pw_name,
244 darwin_aces->darwin_ace_uuid));
245 } else { /* group ace */
246 LOG(log_debug, logtype_afpd, "gid: %d", aces->a_who);
247 EC_NULL_LOG(grp = getgrgid(aces->a_who));
248 LOG(log_debug, logtype_afpd, "gid: %d -> name: %s", aces->a_who, grp->gr_name);
249 EC_ZERO_LOG(getuuidfromname(grp->gr_name,
251 darwin_aces->darwin_ace_uuid));
255 if (aces->a_type == ACE_ACCESS_ALLOWED_ACE_TYPE)
256 flags = DARWIN_ACE_FLAGS_PERMIT;
257 else if (aces->a_type == ACE_ACCESS_DENIED_ACE_TYPE)
258 flags = DARWIN_ACE_FLAGS_DENY;
259 else { /* unsupported type */
263 for(i=0; nfsv4_to_darwin_flags[i].from != 0; i++) {
264 if (aces->a_flags & nfsv4_to_darwin_flags[i].from)
265 flags |= nfsv4_to_darwin_flags[i].to;
267 darwin_aces->darwin_ace_flags = htonl(flags);
271 for (i=0; nfsv4_to_darwin_rights[i].from != 0; i++) {
272 if (aces->a_access_mask & nfsv4_to_darwin_rights[i].from)
273 rights |= nfsv4_to_darwin_rights[i].to;
275 darwin_aces->darwin_ace_rights = htonl(rights);
288 Maps ACE array from Darwin to Solaris. Darwin ACEs are expected in network byte order.
289 Return numer of mapped ACEs or -1 on error.
290 All errors while mapping (e.g. getting UUIDs from LDAP) are fatal.
292 static int map_aces_darwin_to_solaris(darwin_ace_t *darwin_aces,
297 int i, mapped_aces = 0;
298 uint32_t darwin_ace_flags;
299 uint32_t darwin_ace_rights;
300 uint16_t nfsv4_ace_flags;
301 uint32_t nfsv4_ace_rights;
309 nfsv4_ace_rights = 0;
312 EC_ZERO(getnamefromuuid(darwin_aces->darwin_ace_uuid, &name, &uuidtype));
320 EC_NULL_LOG(pwd = getpwnam(name));
321 nfsv4_aces->a_who = pwd->pw_uid;
324 EC_NULL_LOG(grp = getgrnam(name));
325 nfsv4_aces->a_who = (uid_t)(grp->gr_gid);
326 nfsv4_ace_flags |= ACE_IDENTIFIER_GROUP;
332 /* now type: allow/deny */
333 darwin_ace_flags = ntohl(darwin_aces->darwin_ace_flags);
334 if (darwin_ace_flags & DARWIN_ACE_FLAGS_PERMIT)
335 nfsv4_aces->a_type = ACE_ACCESS_ALLOWED_ACE_TYPE;
336 else if (darwin_ace_flags & DARWIN_ACE_FLAGS_DENY)
337 nfsv4_aces->a_type = ACE_ACCESS_DENIED_ACE_TYPE;
338 else { /* unsupported type */
343 for(i=0; darwin_to_nfsv4_flags[i].from != 0; i++) {
344 if (darwin_ace_flags & darwin_to_nfsv4_flags[i].from)
345 nfsv4_ace_flags |= darwin_to_nfsv4_flags[i].to;
349 darwin_ace_rights = ntohl(darwin_aces->darwin_ace_rights);
350 for (i=0; darwin_to_nfsv4_rights[i].from != 0; i++) {
351 if (darwin_ace_rights & darwin_to_nfsv4_rights[i].from)
352 nfsv4_ace_rights |= darwin_to_nfsv4_rights[i].to;
355 LOG(log_debug9, logtype_afpd, "map_aces_darwin_to_solaris: ACE flags: Darwin:%08x -> NFSv4:%04x", darwin_ace_flags, nfsv4_ace_flags);
356 LOG(log_debug9, logtype_afpd, "map_aces_darwin_to_solaris: ACE rights: Darwin:%08x -> NFSv4:%08x", darwin_ace_rights, nfsv4_ace_rights);
358 nfsv4_aces->a_flags = nfsv4_ace_flags;
359 nfsv4_aces->a_access_mask = nfsv4_ace_rights;
372 #endif /* HAVE_SOLARIS_ACLS */
374 /********************************************************
376 ********************************************************/
378 #ifdef HAVE_POSIX_ACLS
381 * Add entries of one acl to another acl
383 * @param aclp (rw) destination acl where new aces will be added
384 * @param acl (r) source acl where aces will be copied from
386 * @returns 0 on success, -1 on error
388 static int acl_add_acl(acl_t *aclp, const acl_t acl)
394 for (id = ACL_FIRST_ENTRY; acl_get_entry(acl, id, &se) == 1; id = ACL_NEXT_ENTRY) {
395 EC_ZERO_LOG_ERR(acl_create_entry(aclp, &de), AFPERR_MISC);
396 EC_ZERO_LOG_ERR(acl_copy_entry(de, se), AFPERR_MISC);
404 * Map Darwin ACE rights to POSIX 1e perm
406 * We can only map few rights:
407 * DARWIN_ACE_READ_DATA -> ACL_READ
408 * DARWIN_ACE_WRITE_DATA -> ACL_WRITE
409 * DARWIN_ACE_DELETE_CHILD & (is_dir == 1) -> ACL_WRITE
410 * DARWIN_ACE_EXECUTE -> ACL_EXECUTE
412 * @param entry (rw) result of the mapping
413 * @param is_dir (r) 1 for dirs, 0 for files
415 * @returns mapping result as acl_perm_t, -1 on error
417 static acl_perm_t map_darwin_right_to_posix_permset(uint32_t darwin_ace_rights, int is_dir)
421 if (darwin_ace_rights & DARWIN_ACE_READ_DATA)
424 if (darwin_ace_rights & (DARWIN_ACE_WRITE_DATA | (DARWIN_ACE_DELETE_CHILD & is_dir)))
427 if (darwin_ace_rights & DARWIN_ACE_EXECUTE)
434 * Add a ACL_USER or ACL_GROUP permission to an ACL, extending existing ACEs
436 * Add a permission of "type" for user or group "id" to an ACL. Scan the ACL
437 * for existing permissions for this type/id, if there is one add the perm,
438 * otherwise create a new ACL entry.
439 * perm can be or'ed ACL_READ, ACL_WRITE and ACL_EXECUTE.
441 * @param aclp (rw) pointer to ACL
442 * @param type (r) acl_tag_t of ACL_USER or ACL_GROUP
443 * @param id (r) uid_t uid for ACL_USER, or gid casted to uid_t for ACL_GROUP
444 * @param perm (r) acl_perm_t permissions to add
446 * @returns 0 on success, -1 on failure
448 static int posix_acl_add_perm(acl_t *aclp, acl_tag_t type, uid_t id, acl_perm_t perm)
454 int entry_id = ACL_FIRST_ENTRY;
455 acl_permset_t permset;
458 for ( ; (! found) && acl_get_entry(*aclp, entry_id, &e) == 1; entry_id = ACL_NEXT_ENTRY) {
459 EC_ZERO_LOG(acl_get_tag_type(e, &tag));
460 if (tag != ACL_USER && tag != ACL_GROUP)
462 EC_NULL_LOG(eid = (uid_t *)acl_get_qualifier(e));
463 if ((*eid == id) && (type == tag)) {
464 /* found an ACE for this type/id */
466 EC_ZERO_LOG(acl_get_permset(e, &permset));
467 EC_ZERO_LOG(acl_add_perm(permset, perm));
475 /* there was no existing ACE for this type/id */
476 EC_ZERO_LOG(acl_create_entry(aclp, &e));
477 EC_ZERO_LOG(acl_set_tag_type(e, type));
478 EC_ZERO_LOG(acl_set_qualifier(e, &id));
479 EC_ZERO_LOG(acl_get_permset(e, &permset));
480 EC_ZERO_LOG(acl_clear_perms(permset));
481 EC_ZERO_LOG(acl_add_perm(permset, perm));
482 EC_ZERO_LOG(acl_set_permset(e, permset));
486 if (eid) acl_free(eid);
492 * Map Darwin ACL to POSIX ACL.
494 * aclp must point to a acl_init'ed acl_t or an acl_t that can eg contain default ACEs.
495 * Mapping pecularities:
496 * - we create a default ace (which inherits to files and dirs) if either
497 DARWIN_ACE_FLAGS_FILE_INHERIT or DARWIN_ACE_FLAGS_DIRECTORY_INHERIT is requested
498 * - we throw away DARWIN_ACE_FLAGS_LIMIT_INHERIT (can't be mapped), thus the ACL will
501 * @param darwin_aces (r) pointer to darwin_aces buffer
502 * @param def_aclp (rw) directories: pointer to an initialized acl_t with the default acl
503 * files: *def_aclp will be NULL
504 * @param acc_aclp (rw) pointer to an initialized acl_t with the access acl
505 * @param ace_count (r) number of ACEs in darwin_aces buffer
507 * @returns 0 on success storing the result in aclp, -1 on error.
509 static int map_aces_darwin_to_posix(const darwin_ace_t *darwin_aces,
520 uint32_t darwin_ace_flags, darwin_ace_rights;
524 for ( ; ace_count != 0; ace_count--, darwin_aces++) {
525 /* type: allow/deny, posix only has allow */
526 darwin_ace_flags = ntohl(darwin_aces->darwin_ace_flags);
527 if ( ! (darwin_ace_flags & DARWIN_ACE_FLAGS_PERMIT))
530 darwin_ace_rights = ntohl(darwin_aces->darwin_ace_rights);
531 perm = map_darwin_right_to_posix_permset(darwin_ace_rights, (*def_aclp != NULL));
533 continue; /* dont add empty perm */
535 LOG(log_debug, logtype_afpd, "map_ace: no: %u, flags: %08x, darwin: %08x, posix: %02x",
536 ace_count, darwin_ace_flags, darwin_ace_rights, perm);
539 EC_ZERO_LOG(getnamefromuuid(darwin_aces->darwin_ace_uuid, &name, &uuidtype));
546 EC_NULL_LOG(pwd = getpwnam(name));
549 LOG(log_debug, logtype_afpd, "map_ace: name: %s, uid: %u", name, id);
552 EC_NULL_LOG(grp = getgrnam(name));
554 id = (uid_t)(grp->gr_gid);
555 LOG(log_debug, logtype_afpd, "map_ace: name: %s, gid: %u", name, id);
561 if (darwin_ace_flags & DARWIN_ACE_INHERIT_CONTROL_FLAGS) {
562 if (*def_aclp == NULL) {
563 /* ace request inheritane but we haven't got a default acl pointer */
564 LOG(log_warning, logtype_afpd, "map_acl: unexpected ACE, flags: 0x%04x",
568 /* add it as default ace */
569 EC_ZERO_LOG(posix_acl_add_perm(def_aclp, tag, id, perm));
572 if (! (darwin_ace_flags & DARWIN_ACE_FLAGS_ONLY_INHERIT))
573 /* if it not a "inherit only" ace, it must be added as access aces too */
574 EC_ZERO_LOG(posix_acl_add_perm(acc_aclp, tag, id, perm));
576 EC_ZERO_LOG(posix_acl_add_perm(acc_aclp, tag, id, perm));
588 * Map ACEs from POSIX to Darwin.
589 * type is either POSIX_DEFAULT_2_DARWIN or POSIX_ACCESS_2_DARWIN, cf. acl_get_file.
590 * Return number of mapped ACES, -1 on error.
592 static int map_acl_posix_to_darwin(int type, const acl_t acl, darwin_ace_t *darwin_aces)
597 int entry_id = ACL_FIRST_ENTRY;
600 acl_permset_t permset, mask;
603 struct passwd *pwd = NULL;
604 struct group *grp = NULL;
607 darwin_ace_t *saved_darwin_aces = darwin_aces;
609 LOG(log_maxdebug, logtype_afpd, "map_aces_posix_to_darwin(%s)",
610 (type & MAP_MASK) == POSIX_DEFAULT_2_DARWIN ?
611 "POSIX_DEFAULT_2_DARWIN" : "POSIX_ACCESS_2_DARWIN");
613 /* itereate through all ACEs */
614 while (acl_get_entry(acl, entry_id, &e) == 1) {
615 entry_id = ACL_NEXT_ENTRY;
618 EC_ZERO_LOG(acl_get_tag_type(e, &tag));
620 /* we return user and group ACE */
623 EC_NULL_LOG(uid = (uid_t *)acl_get_qualifier(e));
624 EC_NULL_LOG(pwd = getpwuid(*uid));
625 LOG(log_debug, logtype_afpd, "map_aces_posix_to_darwin: uid: %d -> name: %s",
627 EC_ZERO_LOG(getuuidfromname(pwd->pw_name, UUID_USER, darwin_aces->darwin_ace_uuid));
633 EC_NULL_LOG(gid = (gid_t *)acl_get_qualifier(e));
634 EC_NULL_LOG(grp = getgrgid(*gid));
635 LOG(log_debug, logtype_afpd, "map_aces_posix_to_darwin: gid: %d -> name: %s",
637 EC_ZERO_LOG(getuuidfromname(grp->gr_name, UUID_GROUP, darwin_aces->darwin_ace_uuid));
642 /* store mask so we can apply it later in a second loop */
644 EC_ZERO_LOG(acl_get_permset(e, &mask));
653 flags = DARWIN_ACE_FLAGS_PERMIT;
654 if ((type & MAP_MASK) == POSIX_DEFAULT_2_DARWIN)
655 flags |= DARWIN_ACE_FLAGS_FILE_INHERIT
656 | DARWIN_ACE_FLAGS_DIRECTORY_INHERIT
657 | DARWIN_ACE_FLAGS_ONLY_INHERIT;
658 darwin_aces->darwin_ace_flags = htonl(flags);
661 EC_ZERO_LOG(acl_get_permset(e, &permset));
664 if (acl_get_perm(permset, ACL_READ))
665 rights = DARWIN_ACE_READ_DATA
666 | DARWIN_ACE_READ_EXTATTRIBUTES
667 | DARWIN_ACE_READ_ATTRIBUTES
668 | DARWIN_ACE_READ_SECURITY;
669 if (acl_get_perm(permset, ACL_WRITE)) {
670 rights |= DARWIN_ACE_WRITE_DATA
671 | DARWIN_ACE_APPEND_DATA
672 | DARWIN_ACE_WRITE_EXTATTRIBUTES
673 | DARWIN_ACE_WRITE_ATTRIBUTES;
674 if ((type & ~MAP_MASK) == IS_DIR)
675 rights |= DARWIN_ACE_DELETE;
677 if (acl_get_perm(permset, ACL_EXECUTE))
678 rights |= DARWIN_ACE_EXECUTE;
680 darwin_aces->darwin_ace_rights = htonl(rights);
687 /* Loop through the mapped ACE buffer once again, applying the mask */
688 /* Map the mask to Darwin ACE rights first */
690 if (acl_get_perm(mask, ACL_READ))
691 rights = DARWIN_ACE_READ_DATA
692 | DARWIN_ACE_READ_EXTATTRIBUTES
693 | DARWIN_ACE_READ_ATTRIBUTES
694 | DARWIN_ACE_READ_SECURITY;
695 if (acl_get_perm(mask, ACL_WRITE)) {
696 rights |= DARWIN_ACE_WRITE_DATA
697 | DARWIN_ACE_APPEND_DATA
698 | DARWIN_ACE_WRITE_EXTATTRIBUTES
699 | DARWIN_ACE_WRITE_ATTRIBUTES;
700 if ((type & ~MAP_MASK) == IS_DIR)
701 rights |= DARWIN_ACE_DELETE;
703 if (acl_get_perm(mask, ACL_EXECUTE))
704 rights |= DARWIN_ACE_EXECUTE;
705 for (int i = mapped_aces; i > 0; i--) {
706 saved_darwin_aces->darwin_ace_rights &= htonl(rights);
710 EC_STATUS(mapped_aces);
713 if (uid) acl_free(uid);
714 if (gid) acl_free(gid);
720 * Multiplex ACL mapping (SOLARIS_2_DARWIN, DARWIN_2_SOLARIS, POSIX_2_DARWIN, DARWIN_2_POSIX).
721 * Reads from 'aces' buffer, writes to 'rbuf' buffer.
722 * Caller must provide buffer.
723 * Darwin ACEs are read and written in network byte order.
724 * Needs to know how many ACEs are in the ACL (ace_count) for Solaris ACLs.
725 * Ignores trivial ACEs.
726 * Return no of mapped ACEs or -1 on error.
728 static int map_acl(int type, void *acl, darwin_ace_t *buf, int ace_count)
732 LOG(log_debug9, logtype_afpd, "map_acl: BEGIN");
734 switch (type & MAP_MASK) {
736 #ifdef HAVE_SOLARIS_ACLS
737 case SOLARIS_2_DARWIN:
738 mapped_aces = map_aces_solaris_to_darwin( acl, buf, ace_count);
741 case DARWIN_2_SOLARIS:
742 mapped_aces = map_aces_darwin_to_solaris( buf, acl, ace_count);
744 #endif /* HAVE_SOLARIS_ACLS */
746 #ifdef HAVE_POSIX_ACLS
747 case POSIX_DEFAULT_2_DARWIN:
748 mapped_aces = map_acl_posix_to_darwin(type, (const acl_t)acl, buf);
751 case POSIX_ACCESS_2_DARWIN:
752 mapped_aces = map_acl_posix_to_darwin(type, (const acl_t)acl, buf);
755 case DARWIN_2_POSIX_DEFAULT:
758 case DARWIN_2_POSIX_ACCESS:
760 #endif /* HAVE_POSIX_ACLS */
767 LOG(log_debug9, logtype_afpd, "map_acl: END");
771 /* Get ACL from object omitting trivial ACEs. Map to Darwin ACL style and
772 store Darwin ACL at rbuf. Add length of ACL written to rbuf to *rbuflen.
773 Returns 0 on success, -1 on error. */
774 static int get_and_map_acl(char *name, char *rbuf, size_t *rbuflen)
779 uint32_t *darwin_ace_count = (u_int32_t *)rbuf;
780 #ifdef HAVE_SOLARIS_ACLS
784 #ifdef HAVE_POSIX_ACLS
787 LOG(log_debug9, logtype_afpd, "get_and_map_acl: BEGIN");
789 /* Skip length and flags */
794 #ifdef HAVE_SOLARIS_ACLS
795 EC_NEG1(ace_count = get_nfsv4_acl(name, &aces));
796 EC_NEG1(mapped_aces = map_acl(SOLARIS_2_DARWIN, aces, (darwin_ace_t *)rbuf, ace_count));
797 #endif /* HAVE_SOLARIS_ACLS */
799 #ifdef HAVE_POSIX_ACLS
800 acl_t defacl = NULL , accacl = NULL;
802 /* stat to check if its a dir */
803 EC_ZERO_LOG(stat(name, &st));
805 /* if its a dir, check for default acl too */
807 if (S_ISDIR(st.st_mode)) {
809 EC_NULL_LOG(defacl = acl_get_file(name, ACL_TYPE_DEFAULT));
810 EC_NEG1(mapped_aces = map_acl(POSIX_DEFAULT_2_DARWIN | dirflag,
812 (darwin_ace_t *)rbuf,
816 EC_NULL_LOG(accacl = acl_get_file(name, ACL_TYPE_ACCESS));
819 EC_NEG1(tmp = map_acl(POSIX_ACCESS_2_DARWIN | dirflag,
821 (darwin_ace_t *)(rbuf + mapped_aces * sizeof(darwin_ace_t)),
824 #endif /* HAVE_POSIX_ACLS */
826 LOG(log_debug, logtype_afpd, "get_and_map_acl: mapped %d ACEs", mapped_aces);
828 *darwin_ace_count = htonl(mapped_aces);
829 *rbuflen += sizeof(darwin_acl_header_t) + (mapped_aces * sizeof(darwin_ace_t));
834 #ifdef HAVE_SOLARIS_ACLS
835 if (aces) free(aces);
837 #ifdef HAVE_POSIX_ACLS
838 if (defacl) acl_free(defacl);
839 if (accacl) acl_free(accacl);
840 #endif /* HAVE_POSIX_ACLS */
842 LOG(log_debug9, logtype_afpd, "get_and_map_acl: END");
847 /* Removes all non-trivial ACLs from object. Returns full AFPERR code. */
848 static int remove_acl(const struct vol *vol,const char *path, int dir)
852 #if (defined HAVE_SOLARIS_ACLS || defined HAVE_POSIX_ACLS)
853 /* Ressource etc. first */
854 if ((ret = vol->vfs->vfs_remove_acl(vol, path, dir)) != AFP_OK)
856 /* now the data fork or dir */
857 ret = remove_acl_vfs(path);
864 - the client sends a complete list of ACEs, not only new ones. So we dont need to do
865 any combination business (one exception being 'kFileSec_Inherit': see next)
866 - client might request that we add inherited ACEs via 'kFileSec_Inherit'.
867 We will store inherited ACEs first, which is Darwins canonical order.
868 - returns AFPerror code
870 #ifdef HAVE_SOLARIS_ACLS
871 static int set_acl(const struct vol *vol,
878 int i, nfsv4_ace_count;
879 int tocopy_aces_count = 0, new_aces_count = 0, trivial_ace_count = 0;
880 ace_t *old_aces, *new_aces = NULL;
883 LOG(log_debug9, logtype_afpd, "set_acl: BEGIN");
886 /* inherited + trivial ACEs */
887 flags = ACE_INHERITED_ACE | ACE_OWNER | ACE_GROUP | ACE_EVERYONE;
889 /* only trivial ACEs */
890 flags = ACE_OWNER | ACE_GROUP | ACE_EVERYONE;
892 /* Get existing ACL and count ACEs which have to be copied */
893 if ((nfsv4_ace_count = get_nfsv4_acl(name, &old_aces)) == -1)
895 for ( i=0; i < nfsv4_ace_count; i++) {
896 if (old_aces[i].a_flags & flags)
900 /* Now malloc buffer exactly sized to fit all new ACEs */
901 if ((new_aces = malloc((ace_count + tocopy_aces_count) * sizeof(ace_t))) == NULL) {
902 LOG(log_error, logtype_afpd, "set_acl: malloc %s", strerror(errno));
903 EC_STATUS(AFPERR_MISC);
907 /* Start building new ACL */
909 /* Copy local inherited ACEs. Therefore we have 'Darwin canonical order' (see chmod there):
910 inherited ACEs first. */
912 for (i=0; i < nfsv4_ace_count; i++) {
913 if (old_aces[i].a_flags & ACE_INHERITED_ACE) {
914 memcpy(&new_aces[new_aces_count], &old_aces[i], sizeof(ace_t));
919 LOG(log_debug7, logtype_afpd, "set_acl: copied %d inherited ACEs", new_aces_count);
921 /* Now the ACEs from the client */
922 if ((ret = (map_acl(DARWIN_2_SOLARIS,
923 &new_aces[new_aces_count],
925 ace_count))) == -1) {
926 EC_STATUS(AFPERR_PARAM);
929 new_aces_count += ret;
930 LOG(log_debug7, logtype_afpd, "set_acl: mapped %d ACEs from client", ret);
932 /* Now copy the trivial ACEs */
933 for (i=0; i < nfsv4_ace_count; i++) {
934 if (old_aces[i].a_flags & (ACE_OWNER | ACE_GROUP | ACE_EVERYONE)) {
935 memcpy(&new_aces[new_aces_count], &old_aces[i], sizeof(ace_t));
940 LOG(log_debug7, logtype_afpd, "set_acl: copied %d trivial ACEs", trivial_ace_count);
942 /* Ressourcefork first.
943 Note: for dirs we set the same ACL on the .AppleDouble/.Parent _file_. This
944 might be strange for ACE_DELETE_CHILD and for inheritance flags. */
945 if ((ret = (vol->vfs->vfs_acl(vol, name, ACE_SETACL, new_aces_count, new_aces))) != 0) {
946 LOG(log_error, logtype_afpd, "set_acl: error setting acl: %s", strerror(errno));
947 if (errno == (EACCES | EPERM))
948 EC_STATUS(AFPERR_ACCESS);
949 else if (errno == ENOENT)
950 EC_STATUS(AFPERR_NOITEM);
952 EC_STATUS(AFPERR_MISC);
955 if ((ret = (acl(name, ACE_SETACL, new_aces_count, new_aces))) != 0) {
956 LOG(log_error, logtype_afpd, "set_acl: error setting acl: %s", strerror(errno));
957 if (errno == (EACCES | EPERM))
958 EC_STATUS(AFPERR_ACCESS);
959 else if (errno == ENOENT)
960 EC_STATUS(AFPERR_NOITEM);
962 EC_STATUS(AFPERR_MISC);
969 if (old_aces) free(old_aces);
970 if (new_aces) free(new_aces);
972 LOG(log_debug9, logtype_afpd, "set_acl: END");
975 #endif /* HAVE_SOLARIS_ACLS */
977 #ifdef HAVE_POSIX_ACLS
978 static int set_acl(const struct vol *vol,
985 acl_t def_acl = NULL;
986 acl_t acc_acl = NULL;
988 LOG(log_maxdebug, logtype_afpd, "set_acl: BEGIN");
991 EC_ZERO_LOG_ERR(stat(name, &st), AFPERR_NOOBJ);
993 /* seed default ACL with access ACL */
994 if (S_ISDIR(st.st_mode))
995 EC_NULL_LOG_ERR(def_acl = acl_get_file(name, ACL_TYPE_ACCESS), AFPERR_MISC);
997 /* for files def_acl will be NULL */
999 /* create access acl from mode */
1000 EC_NULL_LOG_ERR(acc_acl = acl_from_mode(st.st_mode), AFPERR_MISC);
1002 /* adds the clients aces */
1003 EC_ZERO_ERR(map_aces_darwin_to_posix(daces, &def_acl, &acc_acl, ace_count), AFPERR_MISC);
1005 /* calcuate ACL mask */
1006 EC_ZERO_LOG_ERR(acl_calc_mask(&acc_acl), AFPERR_MISC);
1009 EC_ZERO_LOG_ERR(acl_valid(acc_acl), AFPERR_MISC);
1012 EC_ZERO_LOG_ERR(acl_set_file(name, ACL_TYPE_ACCESS, acc_acl), AFPERR_MISC);
1013 EC_ZERO_LOG_ERR(vol->vfs->vfs_acl(vol, name, ACL_TYPE_ACCESS, 0, acc_acl), AFPERR_MISC);
1016 EC_ZERO_LOG_ERR(acl_set_file(name, ACL_TYPE_DEFAULT, def_acl), AFPERR_MISC);
1017 EC_ZERO_LOG_ERR(vol->vfs->vfs_acl(vol, name, ACL_TYPE_DEFAULT, 0, def_acl), AFPERR_MISC);
1024 LOG(log_maxdebug, logtype_afpd, "set_acl: END");
1027 #endif /* HAVE_POSIX_ACLS */
1030 * Checks if a given UUID has requested_rights(type darwin_ace_rights) for path.
1032 * Note: this gets called frequently and is a good place for optimizations !
1034 * @param vol (r) volume
1035 * @param dir (r) directory
1036 * @param path (r) path to filesystem object
1037 * @param uuid (r) UUID of user
1038 * @param requested_rights (r) requested Darwin ACE
1040 * @returns AFP result code
1042 static int check_acl_access(const struct vol *vol,
1043 const struct dir *dir,
1046 uint32_t requested_rights)
1049 uint32_t allowed_rights = 0;
1050 char *username = NULL;
1051 uuidtype_t uuidtype;
1054 bstring parent = NULL;
1056 LOG(log_maxdebug, logtype_afpd, "check_access: Request: 0x%08x", requested_rights);
1058 /* Get uid or gid from UUID */
1059 EC_ZERO_LOG_ERR(getnamefromuuid(uuid, &username, &uuidtype), AFPERR_PARAM);
1060 EC_ZERO_LOG_ERR(lstat(path, &st), AFPERR_PARAM);
1064 LOG(log_warning, logtype_afpd, "check_access: afp_access not supported for groups");
1065 EC_STATUS(AFPERR_MISC);
1069 LOG(log_warning, logtype_afpd, "check_access: local UUID");
1070 EC_STATUS(AFPERR_MISC);
1074 EC_NULL_LOG_ERR(pwd = getpwnam(username), AFPERR_MISC);
1076 #ifdef HAVE_SOLARIS_ACLS
1077 EC_ZERO_LOG(solaris_acl_rights(path, &st, pwd, &allowed_rights));
1079 #ifdef HAVE_POSIX_ACLS
1082 LOG(log_debug, logtype_afpd, "allowed rights: 0x%08x", allowed_rights);
1085 * The DARWIN_ACE_DELETE right might implicitly result from write acces to the parent
1086 * directory. As it seems the 10.6 AFP client is puzzled when this right is not
1087 * allowed where a delete would succeed because the parent dir gives write perms.
1088 * So we check the parent dir for write access and set the right accordingly.
1089 * Currentyl acl2ownermode calls us with dir = NULL, because it doesn't make sense
1090 * there to do this extra check -- afaict.
1092 if (vol && dir && (requested_rights & DARWIN_ACE_DELETE)) {
1094 uint32_t parent_rights = 0;
1096 if (dir->d_did == DIRDID_ROOT_PARENT) {
1097 /* use volume path */
1098 EC_NULL_LOG_ERR(parent = bfromcstr(vol->v_path), AFPERR_MISC);
1100 /* build path for parent */
1101 EC_NULL_LOG_ERR(parent = bstrcpy(dir->d_fullpath), AFPERR_MISC);
1102 EC_ZERO_LOG_ERR(bconchar(parent, '/'), AFPERR_MISC);
1103 EC_ZERO_LOG_ERR(bcatcstr(parent, path), AFPERR_MISC);
1104 EC_NEG1_LOG_ERR(i = bstrrchr(parent, '/'), AFPERR_MISC);
1105 EC_ZERO_LOG_ERR(binsertch(parent, i, 1, 0), AFPERR_MISC);
1108 LOG(log_debug, logtype_afpd,"parent: %s", cfrombstr(parent));
1109 EC_ZERO_LOG_ERR(lstat(cfrombstr(parent), &st), AFPERR_MISC);
1111 #ifdef HAVE_SOLARIS_ACLS
1112 EC_ZERO_LOG(solaris_acl_rights(cfrombstr(parent), &st, pwd, &parent_rights));
1114 #ifdef HAVE_POSIX_ACLS
1116 if (parent_rights & (DARWIN_ACE_WRITE_DATA | DARWIN_ACE_DELETE_CHILD))
1117 allowed_rights |= DARWIN_ACE_DELETE; /* man, that was a lot of work! */
1120 if ((requested_rights & allowed_rights) != requested_rights) {
1121 LOG(log_debug, logtype_afpd, "some requested right wasn't allowed: 0x%08x / 0x%08x",
1122 requested_rights, allowed_rights);
1123 EC_STATUS(AFPERR_ACCESS);
1125 LOG(log_debug, logtype_afpd, "all requested rights are allowed: 0x%08x",
1131 if (username) free(username);
1132 if (parent) bdestroy(parent);
1137 /********************************************************
1139 ********************************************************/
1141 int afp_access(AFPObj *obj, char *ibuf, size_t ibuflen _U_, char *rbuf _U_, size_t *rbuflen)
1146 uint32_t did, darwin_ace_rights;
1148 struct path *s_path;
1154 memcpy(&vid, ibuf, sizeof( vid ));
1155 ibuf += sizeof(vid);
1156 if (NULL == ( vol = getvolbyvid( vid ))) {
1157 LOG(log_error, logtype_afpd, "afp_access: error getting volid:%d", vid);
1158 return AFPERR_NOOBJ;
1161 memcpy(&did, ibuf, sizeof( did ));
1162 ibuf += sizeof( did );
1163 if (NULL == ( dir = dirlookup( vol, did ))) {
1164 LOG(log_error, logtype_afpd, "afp_access: error getting did:%d", did);
1171 /* Store UUID address */
1172 uuid = (uuidp_t)ibuf;
1173 ibuf += UUID_BINSIZE;
1175 /* Store ACE rights */
1176 memcpy(&darwin_ace_rights, ibuf, 4);
1177 darwin_ace_rights = ntohl(darwin_ace_rights);
1180 /* get full path and handle file/dir subtleties in netatalk code*/
1181 if (NULL == ( s_path = cname( vol, dir, &ibuf ))) {
1182 LOG(log_error, logtype_afpd, "afp_getacl: cname got an error!");
1183 return AFPERR_NOOBJ;
1185 if (!s_path->st_valid)
1186 of_statdir(vol, s_path);
1187 if ( s_path->st_errno != 0 ) {
1188 LOG(log_error, logtype_afpd, "afp_getacl: cant stat");
1189 return AFPERR_NOOBJ;
1192 ret = check_acl_access(vol, dir, s_path->u_name, uuid, darwin_ace_rights);
1197 int afp_getacl(AFPObj *obj, char *ibuf, size_t ibuflen _U_, char *rbuf _U_, size_t *rbuflen)
1203 uint16_t vid, bitmap;
1204 struct path *s_path;
1208 LOG(log_debug9, logtype_afpd, "afp_getacl: BEGIN");
1212 memcpy(&vid, ibuf, sizeof( vid ));
1213 ibuf += sizeof(vid);
1214 if (NULL == ( vol = getvolbyvid( vid ))) {
1215 LOG(log_error, logtype_afpd, "afp_getacl: error getting volid:%d", vid);
1216 return AFPERR_NOOBJ;
1219 memcpy(&did, ibuf, sizeof( did ));
1220 ibuf += sizeof( did );
1221 if (NULL == ( dir = dirlookup( vol, did ))) {
1222 LOG(log_error, logtype_afpd, "afp_getacl: error getting did:%d", did);
1226 memcpy(&bitmap, ibuf, sizeof( bitmap ));
1227 memcpy(rbuf, ibuf, sizeof( bitmap ));
1228 bitmap = ntohs( bitmap );
1229 ibuf += sizeof( bitmap );
1230 rbuf += sizeof( bitmap );
1231 *rbuflen += sizeof( bitmap );
1233 /* skip maxreplysize */
1236 /* get full path and handle file/dir subtleties in netatalk code*/
1237 if (NULL == ( s_path = cname( vol, dir, &ibuf ))) {
1238 LOG(log_error, logtype_afpd, "afp_getacl: cname got an error!");
1239 return AFPERR_NOOBJ;
1241 if (!s_path->st_valid)
1242 of_statdir(vol, s_path);
1243 if ( s_path->st_errno != 0 ) {
1244 LOG(log_error, logtype_afpd, "afp_getacl: cant stat");
1245 return AFPERR_NOOBJ;
1248 /* Shall we return owner UUID ? */
1249 if (bitmap & kFileSec_UUID) {
1250 LOG(log_debug, logtype_afpd, "afp_getacl: client requested files owner user UUID");
1251 if (NULL == (pw = getpwuid(s_path->st.st_uid)))
1253 LOG(log_debug, logtype_afpd, "afp_getacl: got uid: %d, name: %s", s_path->st.st_uid, pw->pw_name);
1254 if ((ret = getuuidfromname(pw->pw_name, UUID_USER, rbuf)) != 0)
1256 rbuf += UUID_BINSIZE;
1257 *rbuflen += UUID_BINSIZE;
1260 /* Shall we return group UUID ? */
1261 if (bitmap & kFileSec_GRPUUID) {
1262 LOG(log_debug, logtype_afpd, "afp_getacl: client requested files owner group UUID");
1263 if (NULL == (gr = getgrgid(s_path->st.st_gid)))
1265 LOG(log_debug, logtype_afpd, "afp_getacl: got gid: %d, name: %s", s_path->st.st_gid, gr->gr_name);
1266 if ((ret = getuuidfromname(gr->gr_name, UUID_GROUP, rbuf)) != 0)
1268 rbuf += UUID_BINSIZE;
1269 *rbuflen += UUID_BINSIZE;
1272 /* Shall we return ACL ? */
1273 if (bitmap & kFileSec_ACL) {
1274 LOG(log_debug, logtype_afpd, "afp_getacl: client requested files ACL");
1275 get_and_map_acl(s_path->u_name, rbuf, rbuflen);
1278 LOG(log_debug9, logtype_afpd, "afp_getacl: END");
1282 int afp_setacl(AFPObj *obj, char *ibuf, size_t ibuflen _U_, char *rbuf _U_, size_t *rbuflen)
1288 uint16_t vid, bitmap;
1289 struct path *s_path;
1291 LOG(log_debug9, logtype_afpd, "afp_setacl: BEGIN");
1295 memcpy(&vid, ibuf, sizeof( vid ));
1296 ibuf += sizeof(vid);
1297 if (NULL == ( vol = getvolbyvid( vid ))) {
1298 LOG(log_error, logtype_afpd, "afp_setacl: error getting volid:%d", vid);
1299 return AFPERR_NOOBJ;
1302 memcpy(&did, ibuf, sizeof( did ));
1303 ibuf += sizeof( did );
1304 if (NULL == ( dir = dirlookup( vol, did ))) {
1305 LOG(log_error, logtype_afpd, "afp_setacl: error getting did:%d", did);
1309 memcpy(&bitmap, ibuf, sizeof( bitmap ));
1310 bitmap = ntohs( bitmap );
1311 ibuf += sizeof( bitmap );
1313 /* get full path and handle file/dir subtleties in netatalk code*/
1314 if (NULL == ( s_path = cname( vol, dir, &ibuf ))) {
1315 LOG(log_error, logtype_afpd, "afp_setacl: cname got an error!");
1316 return AFPERR_NOOBJ;
1318 if (!s_path->st_valid)
1319 of_statdir(vol, s_path);
1320 if ( s_path->st_errno != 0 ) {
1321 LOG(log_error, logtype_afpd, "afp_setacl: cant stat");
1322 return AFPERR_NOOBJ;
1324 LOG(log_debug, logtype_afpd, "afp_setacl: unixname: %s", s_path->u_name);
1327 if ((unsigned long)ibuf & 1)
1330 /* Start processing request */
1332 /* Change owner: dont even try */
1333 if (bitmap & kFileSec_UUID) {
1334 LOG(log_note, logtype_afpd, "afp_setacl: change owner request, discarded");
1335 ret = AFPERR_ACCESS;
1336 ibuf += UUID_BINSIZE;
1339 /* Change group: certain changes might be allowed, so try it. FIXME: not implemented yet. */
1340 if (bitmap & kFileSec_UUID) {
1341 LOG(log_note, logtype_afpd, "afp_setacl: change group request, not supported");
1343 ibuf += UUID_BINSIZE;
1347 if (bitmap & kFileSec_REMOVEACL) {
1348 LOG(log_debug, logtype_afpd, "afp_setacl: Remove ACL request.");
1349 if ((ret = remove_acl(vol, s_path->u_name, S_ISDIR(s_path->st.st_mode))) != AFP_OK)
1350 LOG(log_error, logtype_afpd, "afp_setacl: error from remove_acl");
1354 if (bitmap & kFileSec_ACL) {
1355 LOG(log_debug, logtype_afpd, "afp_setacl: Change ACL request.");
1356 /* Get no of ACEs the client put on the wire */
1358 memcpy(&ace_count, ibuf, sizeof(uint32_t));
1359 ace_count = htonl(ace_count);
1360 ibuf += 8; /* skip ACL flags (see acls.h) */
1364 (bitmap & kFileSec_Inherit),
1365 (darwin_ace_t *)ibuf,
1370 LOG(log_warning, logtype_afpd, "afp_setacl(\"%s/%s\"): error",
1371 getcwdpath(), s_path->u_name);
1376 LOG(log_debug9, logtype_afpd, "afp_setacl: END");
1381 unix.c/accessmode calls this: map ACL to OS 9 mode
1383 void acltoownermode(char *path, struct stat *st, uid_t uid, struct maccess *ma)
1387 int r_ok, w_ok, x_ok;
1389 if ( ! (AFPobj->options.flags & OPTION_UUID)
1391 ! (AFPobj->options.flags & OPTION_ACL2UARIGHTS))
1394 LOG(log_maxdebug, logtype_afpd, "acltoownermode('%s')", path);
1396 if ((pw = getpwuid(uid)) == NULL) {
1397 LOG(log_error, logtype_afpd, "acltoownermode: %s", strerror(errno));
1401 /* We need the UUID for check_acl_access */
1402 if ((getuuidfromname(pw->pw_name, UUID_USER, uuid)) != 0)
1405 /* These work for files and dirs */
1406 r_ok = check_acl_access(NULL, NULL, path, uuid, DARWIN_ACE_READ_DATA);
1407 w_ok = check_acl_access(NULL, NULL, path, uuid, (DARWIN_ACE_WRITE_DATA|DARWIN_ACE_APPEND_DATA));
1408 x_ok = check_acl_access(NULL, NULL, path, uuid, DARWIN_ACE_EXECUTE);
1410 LOG(log_debug7, logtype_afpd, "acltoownermode: ma_user before: %04o",ma->ma_user);
1412 ma->ma_user |= AR_UREAD;
1414 ma->ma_user |= AR_UWRITE;
1416 ma->ma_user |= AR_USEARCH;
1417 LOG(log_debug7, logtype_afpd, "acltoownermode: ma_user after: %04o", ma->ma_user);
1423 We're being called at the end of afp_createdir. We're (hopefully) inside dir
1424 and ".AppleDouble" and ".AppleDouble/.Parent" should have already been created.
1425 We then inherit any explicit ACE from "." to ".AppleDouble" and ".AppleDouble/.Parent".
1426 FIXME: add to VFS layer ?
1428 #ifdef HAVE_SOLARIS_ACLS
1429 void addir_inherit_acl(const struct vol *vol)
1431 ace_t *diraces = NULL, *adaces = NULL, *combinedaces = NULL;
1432 int diracecount, adacecount;
1434 LOG(log_debug9, logtype_afpd, "addir_inherit_acl: BEGIN");
1436 /* Check if ACLs are enabled for the volume */
1437 if (vol->v_flags & AFPVOL_ACLS) {
1439 if ((diracecount = get_nfsv4_acl(".", &diraces)) <= 0)
1441 /* Remove any trivial ACE from "." */
1442 if ((diracecount = strip_trivial_aces(&diraces, diracecount)) <= 0)
1446 Inherit to ".AppleDouble"
1449 if ((adacecount = get_nfsv4_acl(".AppleDouble", &adaces)) <= 0)
1451 /* Remove any non-trivial ACE from ".AppleDouble" */
1452 if ((adacecount = strip_nontrivial_aces(&adaces, adacecount)) <= 0)
1456 if ((combinedaces = concat_aces(diraces, diracecount, adaces, adacecount)) == NULL)
1459 /* Now set new acl */
1460 if ((acl(".AppleDouble", ACE_SETACL, diracecount + adacecount, combinedaces)) != 0)
1461 LOG(log_error, logtype_afpd, "addir_inherit_acl: acl: %s", strerror(errno));
1466 combinedaces = NULL;
1469 Inherit to ".AppleDouble/.Parent"
1472 if ((adacecount = get_nfsv4_acl(".AppleDouble/.Parent", &adaces)) <= 0)
1474 if ((adacecount = strip_nontrivial_aces(&adaces, adacecount)) <= 0)
1478 if ((combinedaces = concat_aces(diraces, diracecount, adaces, adacecount)) == NULL)
1481 /* Now set new acl */
1482 if ((acl(".AppleDouble/.Parent", ACE_SETACL, diracecount + adacecount, combinedaces)) != 0)
1483 LOG(log_error, logtype_afpd, "addir_inherit_acl: acl: %s", strerror(errno));
1489 LOG(log_debug9, logtype_afpd, "addir_inherit_acl: END");
1495 #endif /* HAVE_SOLARIS_ACLS */
1497 #ifdef HAVE_POSIX_ACLS
1498 void addir_inherit_acl(const struct vol *vol)
1502 #endif /* HAVE_POSIX_ACLS */