2 Copyright (c) 2008, 2009, 2010 Frank Lahm <franklahm@gmail.com>
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 2 of the License, or
7 (at your option) any later version.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
17 #endif /* HAVE_CONFIG_H */
26 #ifdef HAVE_SOLARIS_ACLS
29 #ifdef HAVE_POSIX_ACLS
31 #include <acl/libacl.h>
34 #include <atalk/errchk.h>
35 #include <atalk/adouble.h>
36 #include <atalk/vfs.h>
37 #include <atalk/afp.h>
38 #include <atalk/util.h>
39 #include <atalk/cnid.h>
40 #include <atalk/logger.h>
41 #include <atalk/uuid.h>
42 #include <atalk/acl.h>
44 #include "directory.h"
50 #include "acl_mappings.h"
53 #define SOLARIS_2_DARWIN 1
54 #define DARWIN_2_SOLARIS 2
55 #define POSIX_DEFAULT_2_DARWIN 3
56 #define POSIX_ACCESS_2_DARWIN 4
57 #define DARWIN_2_POSIX_DEFAULT 5
58 #define DARWIN_2_POSIX_ACCESS 6
63 /********************************************************
64 * Basic and helper funcs
65 ********************************************************/
68 Takes a users name, uid and primary gid and checks if user is member of any group
69 Returns -1 if no or error, 0 if yes
71 static int check_group(char *name, uid_t uid _U_, gid_t pgid, gid_t path_gid)
80 EC_NULL(grp = getgrgid(path_gid));
83 while (grp->gr_mem[i] != NULL) {
84 if ( (strcmp(grp->gr_mem[i], name)) == 0 ) {
85 LOG(log_debug, logtype_afpd, "check_group: requested user:%s is member of: %s", name, grp->gr_name);
96 /********************************************************
98 ********************************************************/
100 #ifdef HAVE_SOLARIS_ACLS
102 Remove any trivial ACE "in-place". Returns no of non-trivial ACEs
104 static int strip_trivial_aces(ace_t **saces, int sacecount)
109 ace_t *aces = *saces;
112 /* Count non-trivial ACEs */
113 for (i=0; i < sacecount; ) {
114 if ( ! (aces[i].a_flags & (ACE_OWNER | ACE_GROUP | ACE_EVERYONE)))
118 /* malloc buffer for new ACL */
119 EC_NULL_LOG(new_aces = malloc(nontrivaces * sizeof(ace_t)));
121 /* Copy non-trivial ACEs */
122 for (i=0, j=0; i < sacecount; ) {
123 if ( ! (aces[i].a_flags & (ACE_OWNER | ACE_GROUP | ACE_EVERYONE))) {
124 memcpy(&new_aces[j], &aces[i], sizeof(ace_t));
133 LOG(log_debug7, logtype_afpd, "strip_trivial_aces: non-trivial ACEs: %d", nontrivaces);
141 Remove non-trivial ACEs "in-place". Returns no of trivial ACEs.
143 static int strip_nontrivial_aces(ace_t **saces, int sacecount)
148 ace_t *aces = *saces;
151 /* Count trivial ACEs */
152 for (i=0; i < sacecount; ) {
153 if ((aces[i].a_flags & (ACE_OWNER | ACE_GROUP | ACE_EVERYONE)))
157 /* malloc buffer for new ACL */
158 EC_NULL_LOG(new_aces = malloc(trivaces * sizeof(ace_t)));
160 /* Copy trivial ACEs */
161 for (i=0, j=0; i < sacecount; ) {
162 if ((aces[i].a_flags & (ACE_OWNER | ACE_GROUP | ACE_EVERYONE))) {
163 memcpy(&new_aces[j], &aces[i], sizeof(ace_t));
172 LOG(log_debug7, logtype_afpd, "strip_nontrivial_aces: trivial ACEs: %d", trivaces);
182 static ace_t *concat_aces(ace_t *aces1, int ace1count, ace_t *aces2, int ace2count)
188 /* malloc buffer for new ACL */
189 EC_NULL_LOG(new_aces = malloc((ace1count + ace2count) * sizeof(ace_t)));
191 /* Copy ACEs from buf1 */
192 for (i=0; i < ace1count; ) {
193 memcpy(&new_aces[i], &aces1[i], sizeof(ace_t));
199 /* Copy ACEs from buf2 */
200 for (i=0; i < ace2count; ) {
201 memcpy(&new_aces[j], &aces2[i], sizeof(ace_t));
212 Maps ACE array from Solaris to Darwin. Darwin ACEs are stored in network byte order.
213 Return numer of mapped ACEs or -1 on error.
214 All errors while mapping (e.g. getting UUIDs from LDAP) are fatal.
216 static int map_aces_solaris_to_darwin(ace_t *aces, darwin_ace_t *darwin_aces, int ace_count)
222 struct passwd *pwd = NULL;
223 struct group *grp = NULL;
225 LOG(log_debug7, logtype_afpd, "map_aces_solaris_to_darwin: parsing %d ACES", ace_count);
228 LOG(log_debug7, logtype_afpd, "map_aces_solaris_to_darwin: parsing ACE No. %d", ace_count + 1);
229 /* if its a ACE resulting from nfsv4 mode mapping, discard it */
230 if (aces->a_flags & (ACE_OWNER | ACE_GROUP | ACE_EVERYONE)) {
231 LOG(log_debug, logtype_afpd, "map_aces_solaris_to_darwin: trivial ACE");
236 if ( ! (aces->a_flags & ACE_IDENTIFIER_GROUP) ) {
238 LOG(log_debug, logtype_afpd, "map_aces_solaris_to_darwin: found user ACE with uid: %d", aces->a_who);
240 EC_NULL_LOG(pwd = getpwuid(aces->a_who));
241 LOG(log_debug, logtype_afpd, "map_aces_solaris_to_darwin: uid: %d -> name: %s", aces->a_who, pwd->pw_name);
243 EC_ZERO_LOG(getuuidfromname(pwd->pw_name, UUID_USER, darwin_aces->darwin_ace_uuid));
245 /* its a group ace */
246 LOG(log_debug, logtype_afpd, "map_aces_solaris_to_darwin: found group ACE with gid: %d", aces->a_who);
248 EC_NULL_LOG(grp = getgrgid(aces->a_who));
249 LOG(log_debug, logtype_afpd, "map_aces_solaris_to_darwin: gid: %d -> name: %s", aces->a_who, grp->gr_name);
250 EC_ZERO_LOG(getuuidfromname(grp->gr_name, UUID_GROUP, darwin_aces->darwin_ace_uuid));
254 if (aces->a_type == ACE_ACCESS_ALLOWED_ACE_TYPE)
255 flags = DARWIN_ACE_FLAGS_PERMIT;
256 else if (aces->a_type == ACE_ACCESS_DENIED_ACE_TYPE)
257 flags = DARWIN_ACE_FLAGS_DENY;
258 else { /* unsupported type */
262 for(i=0; nfsv4_to_darwin_flags[i].from != 0; i++) {
263 if (aces->a_flags & nfsv4_to_darwin_flags[i].from)
264 flags |= nfsv4_to_darwin_flags[i].to;
266 darwin_aces->darwin_ace_flags = htonl(flags);
270 for (i=0; nfsv4_to_darwin_rights[i].from != 0; i++) {
271 if (aces->a_access_mask & nfsv4_to_darwin_rights[i].from)
272 rights |= nfsv4_to_darwin_rights[i].to;
274 darwin_aces->darwin_ace_rights = htonl(rights);
287 Maps ACE array from Darwin to Solaris. Darwin ACEs are expected in network byte order.
288 Return numer of mapped ACEs or -1 on error.
289 All errors while mapping (e.g. getting UUIDs from LDAP) are fatal.
291 int map_aces_darwin_to_solaris(darwin_ace_t *darwin_aces, ace_t *nfsv4_aces, int ace_count)
294 int i, mapped_aces = 0;
295 uint32_t darwin_ace_flags;
296 uint32_t darwin_ace_rights;
297 uint16_t nfsv4_ace_flags;
298 uint32_t nfsv4_ace_rights;
306 nfsv4_ace_rights = 0;
309 EC_ZERO(getnamefromuuid(darwin_aces->darwin_ace_uuid, &name, &uuidtype));
311 if (uuidtype == UUID_USER) {
312 EC_NULL_LOG(pwd = getpwnam(name));
313 nfsv4_aces->a_who = pwd->pw_uid;
314 } else { /* hopefully UUID_GROUP*/
315 EC_NULL_LOG(grp = getgrnam(name));
316 nfsv4_aces->a_who = (uid_t)(grp->gr_gid);
317 nfsv4_ace_flags |= ACE_IDENTIFIER_GROUP;
322 /* now type: allow/deny */
323 darwin_ace_flags = ntohl(darwin_aces->darwin_ace_flags);
324 if (darwin_ace_flags & DARWIN_ACE_FLAGS_PERMIT)
325 nfsv4_aces->a_type = ACE_ACCESS_ALLOWED_ACE_TYPE;
326 else if (darwin_ace_flags & DARWIN_ACE_FLAGS_DENY)
327 nfsv4_aces->a_type = ACE_ACCESS_DENIED_ACE_TYPE;
328 else { /* unsupported type */
333 for(i=0; darwin_to_nfsv4_flags[i].from != 0; i++) {
334 if (darwin_ace_flags & darwin_to_nfsv4_flags[i].from)
335 nfsv4_ace_flags |= darwin_to_nfsv4_flags[i].to;
339 darwin_ace_rights = ntohl(darwin_aces->darwin_ace_rights);
340 for (i=0; darwin_to_nfsv4_rights[i].from != 0; i++) {
341 if (darwin_ace_rights & darwin_to_nfsv4_rights[i].from)
342 nfsv4_ace_rights |= darwin_to_nfsv4_rights[i].to;
345 LOG(log_debug9, logtype_afpd, "map_aces_darwin_to_solaris: ACE flags: Darwin:%08x -> NFSv4:%04x", darwin_ace_flags, nfsv4_ace_flags);
346 LOG(log_debug9, logtype_afpd, "map_aces_darwin_to_solaris: ACE rights: Darwin:%08x -> NFSv4:%08x", darwin_ace_rights, nfsv4_ace_rights);
348 nfsv4_aces->a_flags = nfsv4_ace_flags;
349 nfsv4_aces->a_access_mask = nfsv4_ace_rights;
362 #endif /* HAVE_SOLARIS_ACLS */
364 /********************************************************
366 ********************************************************/
368 #ifdef HAVE_POSIX_ACLS
371 * Add entries of one acl to another acl
373 * @param aclp (rw) destination acl where new aces will be added
374 * @param acl (r) source acl where aces will be copied from
376 * @returns 0 on success, -1 on error
378 static int acl_add_acl(acl_t *aclp, const acl_t acl)
384 for (id = ACL_FIRST_ENTRY; acl_get_entry(acl, id, &se) == 1; id = ACL_NEXT_ENTRY) {
385 EC_ZERO_LOG_ERR(acl_create_entry(aclp, &de), AFPERR_MISC);
386 EC_ZERO_LOG_ERR(acl_copy_entry(de, se), AFPERR_MISC);
394 * Map Darwin ACE rights to POSIX 1e perm
396 * We can only map few rights:
397 * DARWIN_ACE_READ_DATA -> ACL_READ
398 * DARWIN_ACE_WRITE_DATA -> ACL_WRITE
399 * DARWIN_ACE_DELETE_CHILD & (is_dir == 1) -> ACL_WRITE
400 * DARWIN_ACE_EXECUTE -> ACL_EXECUTE
402 * @param entry (rw) result of the mapping
403 * @param is_dir (r) 1 for dirs, 0 for files
405 * @returns mapping result as acl_perm_t, -1 on error
407 static acl_perm_t map_darwin_right_to_posix_permset(uint32_t darwin_ace_rights, int is_dir)
411 if (darwin_ace_rights & DARWIN_ACE_READ_DATA)
414 if (darwin_ace_rights & (DARWIN_ACE_WRITE_DATA | (DARWIN_ACE_DELETE_CHILD & is_dir)))
417 if (darwin_ace_rights & DARWIN_ACE_EXECUTE)
424 * Add a ACL_USER or ACL_GROUP permission to an ACL, extending existing ACEs
426 * Add a permission of "type" for user or group "id" to an ACL. Scan the ACL
427 * for existing permissions for this type/id, if there is one add the perm,
428 * otherwise create a new ACL entry.
429 * perm can be or'ed ACL_READ, ACL_WRITE and ACL_EXECUTE.
431 * @param aclp (rw) pointer to ACL
432 * @param type (r) acl_tag_t of ACL_USER or ACL_GROUP
433 * @param id (r) uid_t uid for ACL_USER, or gid casted to uid_t for ACL_GROUP
434 * @param perm (r) acl_perm_t permissions to add
436 * @returns 0 on success, -1 on failure
438 static int posix_acl_add_perm(acl_t *aclp, acl_tag_t type, uid_t id, acl_perm_t perm)
444 int entry_id = ACL_FIRST_ENTRY;
445 acl_permset_t permset;
448 for ( ; (! found) && acl_get_entry(*aclp, entry_id, &e) == 1; entry_id = ACL_NEXT_ENTRY) {
449 EC_ZERO_LOG(acl_get_tag_type(e, &tag));
450 if (tag != ACL_USER && tag != ACL_GROUP)
452 EC_NULL_LOG(eid = (uid_t *)acl_get_qualifier(e));
453 if ((*eid == id) && (type == tag)) {
454 /* found an ACE for this type/id */
456 EC_ZERO_LOG(acl_get_permset(e, &permset));
457 EC_ZERO_LOG(acl_add_perm(permset, perm));
465 /* there was no existing ACE for this type/id */
466 EC_ZERO_LOG(acl_create_entry(aclp, &e));
467 EC_ZERO_LOG(acl_set_tag_type(e, type));
468 EC_ZERO_LOG(acl_set_qualifier(e, &id));
469 EC_ZERO_LOG(acl_get_permset(e, &permset));
470 EC_ZERO_LOG(acl_clear_perms(permset));
471 EC_ZERO_LOG(acl_add_perm(permset, perm));
472 EC_ZERO_LOG(acl_set_permset(e, permset));
476 if (eid) acl_free(eid);
482 * Map Darwin ACL to POSIX ACL.
484 * aclp must point to a acl_init'ed acl_t or an acl_t that can eg contain default ACEs.
485 * Mapping pecularities:
486 * - we create a default ace (which inherits to files and dirs) if either
487 DARWIN_ACE_FLAGS_FILE_INHERIT or DARWIN_ACE_FLAGS_DIRECTORY_INHERIT is requested
488 * - we throw away DARWIN_ACE_FLAGS_LIMIT_INHERIT (can't be mapped), thus the ACL will
491 * @param darwin_aces (r) pointer to darwin_aces buffer
492 * @param def_aclp (rw) directories: pointer to an initialized acl_t with the default acl
493 * files: *def_aclp will be NULL
494 * @param acc_aclp (rw) pointer to an initialized acl_t with the access acl
495 * @param ace_count (r) number of ACEs in darwin_aces buffer
497 * @returns 0 on success storing the result in aclp, -1 on error.
499 static int map_aces_darwin_to_posix(const darwin_ace_t *darwin_aces,
510 uint32_t darwin_ace_flags, darwin_ace_rights;
514 for ( ; ace_count != 0; ace_count--, darwin_aces++) {
515 /* type: allow/deny, posix only has allow */
516 darwin_ace_flags = ntohl(darwin_aces->darwin_ace_flags);
517 if ( ! (darwin_ace_flags & DARWIN_ACE_FLAGS_PERMIT))
520 darwin_ace_rights = ntohl(darwin_aces->darwin_ace_rights);
521 perm = map_darwin_right_to_posix_permset(darwin_ace_rights, (*def_aclp != NULL));
523 continue; /* dont add empty perm */
525 LOG(log_debug, logtype_afpd, "map_ace: no: %u, flags: %08x, darwin: %08x, posix: %02x",
526 ace_count, darwin_ace_flags, darwin_ace_rights, perm);
529 EC_ZERO_LOG(getnamefromuuid(darwin_aces->darwin_ace_uuid, &name, &uuidtype));
530 if (uuidtype == UUID_USER) {
531 EC_NULL_LOG(pwd = getpwnam(name));
534 LOG(log_debug, logtype_afpd, "map_ace: name: %s, uid: %u", name, id);
535 } else { /* hopefully UUID_GROUP*/
536 EC_NULL_LOG(grp = getgrnam(name));
538 id = (uid_t)(grp->gr_gid);
539 LOG(log_debug, logtype_afpd, "map_ace: name: %s, gid: %u", name, id);
544 if (darwin_ace_flags & DARWIN_ACE_INHERIT_CONTROL_FLAGS) {
545 if (*def_aclp == NULL) {
546 /* ace request inheritane but we haven't got a default acl pointer */
547 LOG(log_warning, logtype_afpd, "map_acl: unexpected ACE, flags: 0x%04x",
551 /* add it as default ace */
552 EC_ZERO_LOG(posix_acl_add_perm(def_aclp, tag, id, perm));
555 if (! (darwin_ace_flags & DARWIN_ACE_FLAGS_ONLY_INHERIT))
556 /* if it not a "inherit only" ace, it must be added as access aces too */
557 EC_ZERO_LOG(posix_acl_add_perm(acc_aclp, tag, id, perm));
559 EC_ZERO_LOG(posix_acl_add_perm(acc_aclp, tag, id, perm));
571 * Map ACEs from POSIX to Darwin.
572 * type is either POSIX_DEFAULT_2_DARWIN or POSIX_ACCESS_2_DARWIN, cf. acl_get_file.
573 * Return number of mapped ACES, -1 on error.
575 static int map_acl_posix_to_darwin(int type, const acl_t acl, darwin_ace_t *darwin_aces)
580 int entry_id = ACL_FIRST_ENTRY;
583 acl_permset_t permset, mask;
586 struct passwd *pwd = NULL;
587 struct group *grp = NULL;
590 darwin_ace_t *saved_darwin_aces = darwin_aces;
592 LOG(log_maxdebug, logtype_afpd, "map_aces_posix_to_darwin(%s)",
593 (type & MAP_MASK) == POSIX_DEFAULT_2_DARWIN ?
594 "POSIX_DEFAULT_2_DARWIN" : "POSIX_ACCESS_2_DARWIN");
596 /* itereate through all ACEs */
597 while (acl_get_entry(acl, entry_id, &e) == 1) {
598 entry_id = ACL_NEXT_ENTRY;
601 EC_ZERO_LOG(acl_get_tag_type(e, &tag));
603 /* we return user and group ACE */
606 EC_NULL_LOG(uid = (uid_t *)acl_get_qualifier(e));
607 EC_NULL_LOG(pwd = getpwuid(*uid));
608 LOG(log_debug, logtype_afpd, "map_aces_posix_to_darwin: uid: %d -> name: %s",
610 EC_ZERO_LOG(getuuidfromname(pwd->pw_name, UUID_USER, darwin_aces->darwin_ace_uuid));
616 EC_NULL_LOG(gid = (gid_t *)acl_get_qualifier(e));
617 EC_NULL_LOG(grp = getgrgid(*gid));
618 LOG(log_debug, logtype_afpd, "map_aces_posix_to_darwin: gid: %d -> name: %s",
620 EC_ZERO_LOG(getuuidfromname(grp->gr_name, UUID_GROUP, darwin_aces->darwin_ace_uuid));
625 /* store mask so we can apply it later in a second loop */
627 EC_ZERO_LOG(acl_get_permset(e, &mask));
636 flags = DARWIN_ACE_FLAGS_PERMIT;
637 if ((type & MAP_MASK) == POSIX_DEFAULT_2_DARWIN)
638 flags |= DARWIN_ACE_FLAGS_FILE_INHERIT
639 | DARWIN_ACE_FLAGS_DIRECTORY_INHERIT
640 | DARWIN_ACE_FLAGS_ONLY_INHERIT;
641 darwin_aces->darwin_ace_flags = htonl(flags);
644 EC_ZERO_LOG(acl_get_permset(e, &permset));
647 if (acl_get_perm(permset, ACL_READ))
648 rights = DARWIN_ACE_READ_DATA
649 | DARWIN_ACE_READ_EXTATTRIBUTES
650 | DARWIN_ACE_READ_ATTRIBUTES
651 | DARWIN_ACE_READ_SECURITY;
652 if (acl_get_perm(permset, ACL_WRITE)) {
653 rights |= DARWIN_ACE_WRITE_DATA
654 | DARWIN_ACE_APPEND_DATA
655 | DARWIN_ACE_WRITE_EXTATTRIBUTES
656 | DARWIN_ACE_WRITE_ATTRIBUTES;
657 if ((type & ~MAP_MASK) == IS_DIR)
658 rights |= DARWIN_ACE_DELETE;
660 if (acl_get_perm(permset, ACL_EXECUTE))
661 rights |= DARWIN_ACE_EXECUTE;
663 darwin_aces->darwin_ace_rights = htonl(rights);
670 /* Loop through the mapped ACE buffer once again, applying the mask */
671 /* Map the mask to Darwin ACE rights first */
673 if (acl_get_perm(mask, ACL_READ))
674 rights = DARWIN_ACE_READ_DATA
675 | DARWIN_ACE_READ_EXTATTRIBUTES
676 | DARWIN_ACE_READ_ATTRIBUTES
677 | DARWIN_ACE_READ_SECURITY;
678 if (acl_get_perm(mask, ACL_WRITE)) {
679 rights |= DARWIN_ACE_WRITE_DATA
680 | DARWIN_ACE_APPEND_DATA
681 | DARWIN_ACE_WRITE_EXTATTRIBUTES
682 | DARWIN_ACE_WRITE_ATTRIBUTES;
683 if ((type & ~MAP_MASK) == IS_DIR)
684 rights |= DARWIN_ACE_DELETE;
686 if (acl_get_perm(mask, ACL_EXECUTE))
687 rights |= DARWIN_ACE_EXECUTE;
688 for (int i = mapped_aces; i > 0; i--) {
689 saved_darwin_aces->darwin_ace_rights &= htonl(rights);
693 EC_STATUS(mapped_aces);
696 if (uid) acl_free(uid);
697 if (gid) acl_free(gid);
703 * Multiplex ACL mapping (SOLARIS_2_DARWIN, DARWIN_2_SOLARIS, POSIX_2_DARWIN, DARWIN_2_POSIX).
704 * Reads from 'aces' buffer, writes to 'rbuf' buffer.
705 * Caller must provide buffer.
706 * Darwin ACEs are read and written in network byte order.
707 * Needs to know how many ACEs are in the ACL (ace_count) for Solaris ACLs.
708 * Ignores trivial ACEs.
709 * Return no of mapped ACEs or -1 on error.
711 static int map_acl(int type, const void *acl, darwin_ace_t *buf, int ace_count)
715 LOG(log_debug9, logtype_afpd, "map_acl: BEGIN");
717 switch (type & MAP_MASK) {
719 #ifdef HAVE_SOLARIS_ACLS
720 case SOLARIS_2_DARWIN:
721 mapped_aces = map_aces_solaris_to_darwin( acl, buf, ace_count);
724 case DARWIN_2_SOLARIS:
725 mapped_aces = map_aces_darwin_to_solaris( buf, acl, ace_count);
727 #endif /* HAVE_SOLARIS_ACLS */
729 #ifdef HAVE_POSIX_ACLS
730 case POSIX_DEFAULT_2_DARWIN:
731 mapped_aces = map_acl_posix_to_darwin(type, (const acl_t)acl, buf);
734 case POSIX_ACCESS_2_DARWIN:
735 mapped_aces = map_acl_posix_to_darwin(type, (const acl_t)acl, buf);
738 case DARWIN_2_POSIX_DEFAULT:
741 case DARWIN_2_POSIX_ACCESS:
743 #endif /* HAVE_POSIX_ACLS */
750 LOG(log_debug9, logtype_afpd, "map_acl: END");
754 /* Get ACL from object omitting trivial ACEs. Map to Darwin ACL style and
755 store Darwin ACL at rbuf. Add length of ACL written to rbuf to *rbuflen.
756 Returns 0 on success, -1 on error. */
757 static int get_and_map_acl(char *name, char *rbuf, size_t *rbuflen)
762 uint32_t *darwin_ace_count = (u_int32_t *)rbuf;
763 #ifdef HAVE_SOLARIS_ACLS
767 #ifdef HAVE_POSIX_ACLS
770 LOG(log_debug9, logtype_afpd, "get_and_map_acl: BEGIN");
772 /* Skip length and flags */
777 #ifdef HAVE_SOLARIS_ACLS
778 EC_NEG1(ace_count = get_nfsv4_acl(name, &aces));
779 EC_NEG1(mapped_aces = map_acl(SOLARIS_2_DARWIN, aces, (darwin_ace_t *)rbuf, ace_count));
780 #endif /* HAVE_SOLARIS_ACLS */
782 #ifdef HAVE_POSIX_ACLS
783 acl_t defacl = NULL , accacl = NULL;
785 /* stat to check if its a dir */
786 EC_ZERO_LOG(stat(name, &st));
788 /* if its a dir, check for default acl too */
790 if (S_ISDIR(st.st_mode)) {
792 EC_NULL_LOG(defacl = acl_get_file(name, ACL_TYPE_DEFAULT));
793 EC_NEG1(mapped_aces = map_acl(POSIX_DEFAULT_2_DARWIN | dirflag,
795 (darwin_ace_t *)rbuf,
799 EC_NULL_LOG(accacl = acl_get_file(name, ACL_TYPE_ACCESS));
802 EC_NEG1(tmp = map_acl(POSIX_ACCESS_2_DARWIN | dirflag,
804 (darwin_ace_t *)(rbuf + mapped_aces * sizeof(darwin_ace_t)),
807 #endif /* HAVE_POSIX_ACLS */
809 LOG(log_debug, logtype_afpd, "get_and_map_acl: mapped %d ACEs", mapped_aces);
811 *darwin_ace_count = htonl(mapped_aces);
812 *rbuflen += sizeof(darwin_acl_header_t) + (mapped_aces * sizeof(darwin_ace_t));
817 #ifdef HAVE_SOLARIS_ACLS
818 if (aces) free(aces);
820 #ifdef HAVE_POSIX_ACLS
821 if (defacl) acl_free(defacl);
822 if (accacl) acl_free(accacl);
823 #endif /* HAVE_POSIX_ACLS */
825 LOG(log_debug9, logtype_afpd, "get_and_map_acl: END");
830 /* Removes all non-trivial ACLs from object. Returns full AFPERR code. */
831 static int remove_acl(const struct vol *vol,const char *path, int dir)
835 #if (defined HAVE_SOLARIS_ACLS || defined HAVE_POSIX_ACLS)
836 /* Ressource etc. first */
837 if ((ret = vol->vfs->vfs_remove_acl(vol, path, dir)) != AFP_OK)
839 /* now the data fork or dir */
840 ret = remove_acl_vfs(path);
847 - the client sends a complete list of ACEs, not only new ones. So we dont need to do
848 any combination business (one exception being 'kFileSec_Inherit': see next)
849 - client might request that we add inherited ACEs via 'kFileSec_Inherit'.
850 We will store inherited ACEs first, which is Darwins canonical order.
851 - returns AFPerror code
853 #ifdef HAVE_SOLARIS_ACLS
854 static int set_acl(const struct vol *vol,
861 int i, nfsv4_ace_count;
862 int tocopy_aces_count = 0, new_aces_count = 0, trivial_ace_count = 0;
863 ace_t *old_aces, *new_aces = NULL;
867 LOG(log_debug9, logtype_afpd, "set_acl: BEGIN");
870 /* inherited + trivial ACEs */
871 flags = ACE_INHERITED_ACE | ACE_OWNER | ACE_GROUP | ACE_EVERYONE;
873 /* only trivial ACEs */
874 flags = ACE_OWNER | ACE_GROUP | ACE_EVERYONE;
876 /* Get existing ACL and count ACEs which have to be copied */
877 if ((nfsv4_ace_count = get_nfsv4_acl(name, &old_aces)) == -1)
879 for ( i=0; i < nfsv4_ace_count; i++) {
880 if (old_aces[i].a_flags & flags)
884 /* Now malloc buffer exactly sized to fit all new ACEs */
885 if (EC_NULL_CUSTOM(new_aces = malloc((ace_count + tocopy_aces_count) * sizeof(ace_t)))) {
886 LOG(log_error, logtype_afpd, "set_acl: malloc %s", strerror(errno));
887 EC_STATUS(AFPERR_MISC);
891 /* Start building new ACL */
893 /* Copy local inherited ACEs. Therefore we have 'Darwin canonical order' (see chmod there):
894 inherited ACEs first. */
896 for (i=0; i < nfsv4_ace_count; i++) {
897 if (old_aces[i].a_flags & ACE_INHERITED_ACE) {
898 memcpy(&new_aces[new_aces_count], &old_aces[i], sizeof(ace_t));
903 LOG(log_debug7, logtype_afpd, "set_acl: copied %d inherited ACEs", new_aces_count);
905 /* Now the ACEs from the client */
906 if (EC_NEG1_CUSTOM(map_acl(DARWIN_2_SOLARIS,
907 &new_aces[new_aces_count],
910 EC_STATUS(AFPERR_PARAM);
913 new_aces_count += ace_count;
914 LOG(log_debug7, logtype_afpd, "set_acl: mapped %d ACEs from client", ace_count);
916 /* Now copy the trivial ACEs */
917 for (i=0; i < nfsv4_ace_count; i++) {
918 if (old_aces[i].a_flags & (ACE_OWNER | ACE_GROUP | ACE_EVERYONE)) {
919 memcpy(&new_aces[new_aces_count], &old_aces[i], sizeof(ace_t));
924 LOG(log_debug7, logtype_afpd, "set_acl: copied %d trivial ACEs", trivial_ace_count);
926 /* Ressourcefork first.
927 Note: for dirs we set the same ACL on the .AppleDouble/.Parent _file_. This
928 might be strange for ACE_DELETE_CHILD and for inheritance flags. */
929 if (EC_ZERO_CUSTOM(vol->vfs->vfs_acl(vol, name, ACE_SETACL, new_aces_count, new_aces))) {
930 LOG(log_error, logtype_afpd, "set_acl: error setting acl: %s", strerror(errno));
931 if (errno == (EACCES | EPERM))
932 EC_STATUS(AFPERR_ACCESS);
933 else if (errno == ENOENT)
934 EC_STATUS(AFPERR_NOITEM);
936 EC_STATUS(AFPERR_MISC);
939 if (EC_ZERO_CUSTOM(acl(name, ACE_SETACL, new_aces_count, new_aces))) {
940 LOG(log_error, logtype_afpd, "set_acl: error setting acl: %s", strerror(errno));
941 if (errno == (EACCES | EPERM))
942 EC_STATUS(AFPERR_ACCESS);
943 else if (errno == ENOENT)
944 EC_STATUS(AFPERR_NOITEM);
946 EC_STATUS(AFPERR_MISC);
953 if (old_aces) free(old_aces);
954 if (new_aces) free(new_aces);
956 LOG(log_debug9, logtype_afpd, "set_acl: END");
959 #endif /* HAVE_SOLARIS_ACLS */
961 #ifdef HAVE_POSIX_ACLS
962 static int set_acl(const struct vol *vol,
969 acl_t def_acl = NULL;
970 acl_t acc_acl = NULL;
972 LOG(log_maxdebug, logtype_afpd, "set_acl: BEGIN");
975 EC_ZERO_LOG_ERR(stat(name, &st), AFPERR_NOOBJ);
977 /* seed default ACL with access ACL */
978 if (S_ISDIR(st.st_mode))
979 EC_NULL_LOG_ERR(def_acl = acl_get_file(name, ACL_TYPE_ACCESS), AFPERR_MISC);
981 /* for files def_acl will be NULL */
983 /* create access acl from mode */
984 EC_NULL_LOG_ERR(acc_acl = acl_from_mode(st.st_mode), AFPERR_MISC);
986 /* adds the clients aces */
987 EC_ZERO_ERR(map_aces_darwin_to_posix(daces, &def_acl, &acc_acl, ace_count), AFPERR_MISC);
989 /* calcuate ACL mask */
990 EC_ZERO_LOG_ERR(acl_calc_mask(&acc_acl), AFPERR_MISC);
993 EC_ZERO_LOG_ERR(acl_valid(acc_acl), AFPERR_MISC);
996 EC_ZERO_LOG_ERR(acl_set_file(name, ACL_TYPE_ACCESS, acc_acl), AFPERR_MISC);
997 EC_ZERO_LOG_ERR(vol->vfs->vfs_acl(vol, name, ACL_TYPE_ACCESS, 0, acc_acl), AFPERR_MISC);
1000 EC_ZERO_LOG_ERR(acl_set_file(name, ACL_TYPE_DEFAULT, def_acl), AFPERR_MISC);
1001 EC_ZERO_LOG_ERR(vol->vfs->vfs_acl(vol, name, ACL_TYPE_DEFAULT, 0, def_acl), AFPERR_MISC);
1008 LOG(log_maxdebug, logtype_afpd, "set_acl: END");
1011 #endif /* HAVE_POSIX_ACLS */
1014 Checks if a given UUID has requested_rights(type darwin_ace_rights) for path.
1015 Note: this gets called frequently and is a good place for optimizations !
1017 #ifdef HAVE_SOLARIS_ACLS
1018 static int check_acl_access(const char *path, const uuidp_t uuid, uint32_t requested_darwin_rights)
1020 int ret, i, ace_count, dir, checkgroup;
1021 char *username = NULL; /* might be group too */
1022 uuidtype_t uuidtype;
1025 uint32_t requested_rights = 0, allowed_rights = 0, denied_rights = 0;
1029 int check_user_trivace = 0, check_group_trivace = 0;
1036 LOG(log_debug9, logtype_afpd, "check_access: BEGIN. Request: %08x", requested_darwin_rights);
1038 /* Get uid or gid from UUID */
1039 if ( (getnamefromuuid(uuid, &username, &uuidtype)) != 0) {
1040 LOG(log_error, logtype_afpd, "check_access: error getting name from UUID");
1041 return AFPERR_PARAM;
1045 if ((lstat(path, &st)) != 0) {
1046 LOG(log_error, logtype_afpd, "check_access: stat: %s", strerror(errno));
1050 dir = S_ISDIR(st.st_mode);
1052 if (uuidtype == UUID_USER) {
1053 pwd = getpwnam(username);
1055 LOG(log_error, logtype_afpd, "check_access: getpwnam: %s", strerror(errno));
1062 /* If user is file/dir owner we must check the user trivial ACE */
1063 if (uid == st.st_uid) {
1064 LOG(log_debug, logtype_afpd, "check_access: user: %s is files owner. Must check trivial user ACE", username);
1065 check_user_trivace = 1;
1068 /* Now check if requested user is files owning group. If yes we must check the group trivial ACE */
1069 if ( (check_group(username, uid, pgid, st.st_gid)) == 0) {
1070 LOG(log_debug, logtype_afpd, "check_access: user: %s is in group: %d. Must check trivial group ACE", username, st.st_gid);
1071 check_group_trivace = 1;
1073 } else { /* hopefully UUID_GROUP*/
1074 LOG(log_error, logtype_afpd, "check_access: afp_access for UUID of groups not supported!");
1076 grp = getgrnam(username);
1078 LOG(log_error, logtype_afpd, "check_access: getgrnam: %s", strerror(errno));
1081 if (st.st_gid == grp->gr_gid )
1082 check_group_trivace = 1;
1086 /* Map requested rights to Solaris style. */
1087 for (i=0; darwin_to_nfsv4_rights[i].from != 0; i++) {
1088 if (requested_darwin_rights & darwin_to_nfsv4_rights[i].from)
1089 requested_rights |= darwin_to_nfsv4_rights[i].to;
1092 /* Get ACL from file/dir */
1093 if ( (ace_count = get_nfsv4_acl(path, &aces)) == -1) {
1094 LOG(log_error, logtype_afpd, "check_access: error getting ACEs");
1098 if (ace_count == 0) {
1099 LOG(log_debug, logtype_afpd, "check_access: 0 ACEs from get_nfsv4_acl");
1104 /* Now check requested rights */
1105 ret = AFPERR_ACCESS;
1107 do { /* Loop through ACEs */
1108 who = aces[i].a_who;
1109 flags = aces[i].a_flags;
1110 type = aces[i].a_type;
1111 rights = aces[i].a_access_mask;
1113 if (flags & ACE_INHERIT_ONLY_ACE)
1116 /* Check if its a group ACE and set checkgroup to 1 if yes */
1118 if ( (flags & ACE_IDENTIFIER_GROUP) && !(flags & ACE_GROUP) ) {
1119 if ( (check_group(username, uid, pgid, who)) == 0)
1125 /* Now the tricky part: decide if ACE effects our user. I'll explain:
1126 if its a dedicated (non trivial) ACE for the user
1128 if its a ACE for a group we're member of
1130 if its a trivial ACE_OWNER ACE and requested UUID is the owner
1132 if its a trivial ACE_GROUP ACE and requested UUID is group
1134 if its a trivial ACE_EVERYONE ACE
1138 ( (who == uid) && !(flags & (ACE_TRIVIAL|ACE_IDENTIFIER_GROUP)) ) ||
1140 ( (flags & ACE_OWNER) && check_user_trivace ) ||
1141 ( (flags & ACE_GROUP) && check_group_trivace ) ||
1142 ( flags & ACE_EVERYONE )
1144 /* Found an applicable ACE */
1145 if (type == ACE_ACCESS_ALLOWED_ACE_TYPE)
1146 allowed_rights |= rights;
1147 else if (type == ACE_ACCESS_DENIED_ACE_TYPE)
1148 /* Only or to denied rights if not previously allowed !! */
1149 denied_rights |= ((!allowed_rights) & rights);
1151 } while (++i < ace_count);
1154 /* Darwin likes to ask for "delete_child" on dir,
1155 "write_data" is actually the same, so we add that for dirs */
1156 if (dir && (allowed_rights & ACE_WRITE_DATA))
1157 allowed_rights |= ACE_DELETE_CHILD;
1159 if (requested_rights & denied_rights) {
1160 LOG(log_debug, logtype_afpd, "check_access: some requested right was denied:");
1161 ret = AFPERR_ACCESS;
1162 } else if ((requested_rights & allowed_rights) != requested_rights) {
1163 LOG(log_debug, logtype_afpd, "check_access: some requested right wasn't allowed:");
1164 ret = AFPERR_ACCESS;
1166 LOG(log_debug, logtype_afpd, "check_access: all requested rights are allowed:");
1170 LOG(log_debug, logtype_afpd, "check_access: Requested rights: %08x, allowed_rights: %08x, denied_rights: %08x, Result: %d",
1171 requested_rights, allowed_rights, denied_rights, ret);
1177 LOG(log_debug9, logtype_afpd, "check_access: END");
1181 #endif /* HAVE_SOLARIS_ACLS */
1183 #ifdef HAVE_POSIX_ACLS
1184 static int check_acl_access(const char *path, const uuidp_t uuid, uint32_t requested_darwin_rights)
1187 * FIXME: for OS X >= 10.6 it seems fp_access isn't called anymore, instead
1188 * the client just tries to perform any action, relying on the server
1189 * to enforce permission (which the OS does for us), returning appropiate
1190 * error codes in case the action failed.
1191 * So to summarize: I think it's safe to not implement this function and
1192 * just always return AFP_OK.
1196 #endif /* HAVE_POSIX_ACLS */
1198 /********************************************************
1200 ********************************************************/
1202 int afp_access(AFPObj *obj, char *ibuf, size_t ibuflen _U_, char *rbuf _U_, size_t *rbuflen)
1207 uint32_t did, darwin_ace_rights;
1209 struct path *s_path;
1212 LOG(log_debug9, logtype_afpd, "afp_access: BEGIN");
1217 memcpy(&vid, ibuf, sizeof( vid ));
1218 ibuf += sizeof(vid);
1219 if (NULL == ( vol = getvolbyvid( vid ))) {
1220 LOG(log_error, logtype_afpd, "afp_access: error getting volid:%d", vid);
1221 return AFPERR_NOOBJ;
1224 memcpy(&did, ibuf, sizeof( did ));
1225 ibuf += sizeof( did );
1226 if (NULL == ( dir = dirlookup( vol, did ))) {
1227 LOG(log_error, logtype_afpd, "afp_access: error getting did:%d", did);
1234 /* Store UUID address */
1235 uuid = (uuidp_t)ibuf;
1236 ibuf += UUID_BINSIZE;
1238 /* Store ACE rights */
1239 memcpy(&darwin_ace_rights, ibuf, 4);
1240 darwin_ace_rights = ntohl(darwin_ace_rights);
1243 /* get full path and handle file/dir subtleties in netatalk code*/
1244 if (NULL == ( s_path = cname( vol, dir, &ibuf ))) {
1245 LOG(log_error, logtype_afpd, "afp_getacl: cname got an error!");
1246 return AFPERR_NOOBJ;
1248 if (!s_path->st_valid)
1249 of_statdir(vol, s_path);
1250 if ( s_path->st_errno != 0 ) {
1251 LOG(log_error, logtype_afpd, "afp_getacl: cant stat");
1252 return AFPERR_NOOBJ;
1255 ret = check_acl_access(s_path->u_name, uuid, darwin_ace_rights);
1257 LOG(log_debug9, logtype_afpd, "afp_access: END");
1261 int afp_getacl(AFPObj *obj, char *ibuf, size_t ibuflen _U_, char *rbuf _U_, size_t *rbuflen)
1267 uint16_t vid, bitmap;
1268 struct path *s_path;
1272 LOG(log_debug9, logtype_afpd, "afp_getacl: BEGIN");
1276 memcpy(&vid, ibuf, sizeof( vid ));
1277 ibuf += sizeof(vid);
1278 if (NULL == ( vol = getvolbyvid( vid ))) {
1279 LOG(log_error, logtype_afpd, "afp_getacl: error getting volid:%d", vid);
1280 return AFPERR_NOOBJ;
1283 memcpy(&did, ibuf, sizeof( did ));
1284 ibuf += sizeof( did );
1285 if (NULL == ( dir = dirlookup( vol, did ))) {
1286 LOG(log_error, logtype_afpd, "afp_getacl: error getting did:%d", did);
1290 memcpy(&bitmap, ibuf, sizeof( bitmap ));
1291 memcpy(rbuf, ibuf, sizeof( bitmap ));
1292 bitmap = ntohs( bitmap );
1293 ibuf += sizeof( bitmap );
1294 rbuf += sizeof( bitmap );
1295 *rbuflen += sizeof( bitmap );
1297 /* skip maxreplysize */
1300 /* get full path and handle file/dir subtleties in netatalk code*/
1301 if (NULL == ( s_path = cname( vol, dir, &ibuf ))) {
1302 LOG(log_error, logtype_afpd, "afp_getacl: cname got an error!");
1303 return AFPERR_NOOBJ;
1305 if (!s_path->st_valid)
1306 of_statdir(vol, s_path);
1307 if ( s_path->st_errno != 0 ) {
1308 LOG(log_error, logtype_afpd, "afp_getacl: cant stat");
1309 return AFPERR_NOOBJ;
1312 /* Shall we return owner UUID ? */
1313 if (bitmap & kFileSec_UUID) {
1314 LOG(log_debug, logtype_afpd, "afp_getacl: client requested files owner user UUID");
1315 if (NULL == (pw = getpwuid(s_path->st.st_uid)))
1317 LOG(log_debug, logtype_afpd, "afp_getacl: got uid: %d, name: %s", s_path->st.st_uid, pw->pw_name);
1318 if ((ret = getuuidfromname(pw->pw_name, UUID_USER, rbuf)) != 0)
1320 rbuf += UUID_BINSIZE;
1321 *rbuflen += UUID_BINSIZE;
1324 /* Shall we return group UUID ? */
1325 if (bitmap & kFileSec_GRPUUID) {
1326 LOG(log_debug, logtype_afpd, "afp_getacl: client requested files owner group UUID");
1327 if (NULL == (gr = getgrgid(s_path->st.st_gid)))
1329 LOG(log_debug, logtype_afpd, "afp_getacl: got gid: %d, name: %s", s_path->st.st_gid, gr->gr_name);
1330 if ((ret = getuuidfromname(gr->gr_name, UUID_GROUP, rbuf)) != 0)
1332 rbuf += UUID_BINSIZE;
1333 *rbuflen += UUID_BINSIZE;
1336 /* Shall we return ACL ? */
1337 if (bitmap & kFileSec_ACL) {
1338 LOG(log_debug, logtype_afpd, "afp_getacl: client requested files ACL");
1339 get_and_map_acl(s_path->u_name, rbuf, rbuflen);
1342 LOG(log_debug9, logtype_afpd, "afp_getacl: END");
1346 int afp_setacl(AFPObj *obj, char *ibuf, size_t ibuflen _U_, char *rbuf _U_, size_t *rbuflen)
1352 uint16_t vid, bitmap;
1353 struct path *s_path;
1355 LOG(log_debug9, logtype_afpd, "afp_setacl: BEGIN");
1359 memcpy(&vid, ibuf, sizeof( vid ));
1360 ibuf += sizeof(vid);
1361 if (NULL == ( vol = getvolbyvid( vid ))) {
1362 LOG(log_error, logtype_afpd, "afp_setacl: error getting volid:%d", vid);
1363 return AFPERR_NOOBJ;
1366 memcpy(&did, ibuf, sizeof( did ));
1367 ibuf += sizeof( did );
1368 if (NULL == ( dir = dirlookup( vol, did ))) {
1369 LOG(log_error, logtype_afpd, "afp_setacl: error getting did:%d", did);
1373 memcpy(&bitmap, ibuf, sizeof( bitmap ));
1374 bitmap = ntohs( bitmap );
1375 ibuf += sizeof( bitmap );
1377 /* get full path and handle file/dir subtleties in netatalk code*/
1378 if (NULL == ( s_path = cname( vol, dir, &ibuf ))) {
1379 LOG(log_error, logtype_afpd, "afp_setacl: cname got an error!");
1380 return AFPERR_NOOBJ;
1382 if (!s_path->st_valid)
1383 of_statdir(vol, s_path);
1384 if ( s_path->st_errno != 0 ) {
1385 LOG(log_error, logtype_afpd, "afp_setacl: cant stat");
1386 return AFPERR_NOOBJ;
1388 LOG(log_debug, logtype_afpd, "afp_setacl: unixname: %s", s_path->u_name);
1391 if ((unsigned long)ibuf & 1)
1394 /* Start processing request */
1396 /* Change owner: dont even try */
1397 if (bitmap & kFileSec_UUID) {
1398 LOG(log_note, logtype_afpd, "afp_setacl: change owner request, discarded");
1399 ret = AFPERR_ACCESS;
1400 ibuf += UUID_BINSIZE;
1403 /* Change group: certain changes might be allowed, so try it. FIXME: not implemented yet. */
1404 if (bitmap & kFileSec_UUID) {
1405 LOG(log_note, logtype_afpd, "afp_setacl: change group request, not supported");
1407 ibuf += UUID_BINSIZE;
1411 if (bitmap & kFileSec_REMOVEACL) {
1412 LOG(log_debug, logtype_afpd, "afp_setacl: Remove ACL request.");
1413 if ((ret = remove_acl(vol, s_path->u_name, S_ISDIR(s_path->st.st_mode))) != AFP_OK)
1414 LOG(log_error, logtype_afpd, "afp_setacl: error from remove_acl");
1418 if (bitmap & kFileSec_ACL) {
1419 LOG(log_debug, logtype_afpd, "afp_setacl: Change ACL request.");
1420 /* Get no of ACEs the client put on the wire */
1422 memcpy(&ace_count, ibuf, sizeof(uint32_t));
1423 ace_count = htonl(ace_count);
1424 ibuf += 8; /* skip ACL flags (see acls.h) */
1428 (bitmap & kFileSec_Inherit),
1429 (darwin_ace_t *)ibuf,
1434 LOG(log_warning, logtype_afpd, "afp_setacl(\"%s/%s\"): error",
1435 getcwdpath(), s_path->u_name);
1440 LOG(log_debug9, logtype_afpd, "afp_setacl: END");
1445 unix.c/accessmode calls this: map ACL to OS 9 mode
1447 void acltoownermode(char *path, struct stat *st, uid_t uid, struct maccess *ma)
1451 int r_ok, w_ok, x_ok;
1453 if ( ! (AFPobj->options.flags & OPTION_UUID) || ! (AFPobj->options.flags & OPTION_ACL2OS9MODE))
1456 LOG(log_maxdebug, logtype_afpd, "acltoownermode('%s')", path);
1458 if ((pw = getpwuid(uid)) == NULL) {
1459 LOG(log_error, logtype_afpd, "acltoownermode: %s", strerror(errno));
1463 /* We need the UUID for check_acl_access */
1464 if ((getuuidfromname(pw->pw_name, UUID_USER, uuid)) != 0)
1467 /* These work for files and dirs */
1468 r_ok = check_acl_access(path, uuid, DARWIN_ACE_READ_DATA);
1469 w_ok = check_acl_access(path, uuid, (DARWIN_ACE_WRITE_DATA|DARWIN_ACE_APPEND_DATA));
1470 x_ok = check_acl_access(path, uuid, DARWIN_ACE_EXECUTE);
1472 LOG(log_debug7, logtype_afpd, "acltoownermode: ma_user before: %04o",ma->ma_user);
1474 ma->ma_user |= AR_UREAD;
1476 ma->ma_user |= AR_UWRITE;
1478 ma->ma_user |= AR_USEARCH;
1479 LOG(log_debug7, logtype_afpd, "acltoownermode: ma_user after: %04o", ma->ma_user);
1485 We're being called at the end of afp_createdir. We're (hopefully) inside dir
1486 and ".AppleDouble" and ".AppleDouble/.Parent" should have already been created.
1487 We then inherit any explicit ACE from "." to ".AppleDouble" and ".AppleDouble/.Parent".
1488 FIXME: add to VFS layer ?
1490 #ifdef HAVE_SOLARIS_ACLS
1491 void addir_inherit_acl(const struct vol *vol)
1493 ace_t *diraces = NULL, *adaces = NULL, *combinedaces = NULL;
1494 int diracecount, adacecount;
1496 LOG(log_debug9, logtype_afpd, "addir_inherit_acl: BEGIN");
1498 /* Check if ACLs are enabled for the volume */
1499 if (vol->v_flags & AFPVOL_ACLS) {
1501 if ((diracecount = get_nfsv4_acl(".", &diraces)) <= 0)
1503 /* Remove any trivial ACE from "." */
1504 if ((diracecount = strip_trivial_aces(&diraces, diracecount)) <= 0)
1508 Inherit to ".AppleDouble"
1511 if ((adacecount = get_nfsv4_acl(".AppleDouble", &adaces)) <= 0)
1513 /* Remove any non-trivial ACE from ".AppleDouble" */
1514 if ((adacecount = strip_nontrivial_aces(&adaces, adacecount)) <= 0)
1518 if ((combinedaces = concat_aces(diraces, diracecount, adaces, adacecount)) == NULL)
1521 /* Now set new acl */
1522 if ((acl(".AppleDouble", ACE_SETACL, diracecount + adacecount, combinedaces)) != 0)
1523 LOG(log_error, logtype_afpd, "addir_inherit_acl: acl: %s", strerror(errno));
1528 combinedaces = NULL;
1531 Inherit to ".AppleDouble/.Parent"
1534 if ((adacecount = get_nfsv4_acl(".AppleDouble/.Parent", &adaces)) <= 0)
1536 if ((adacecount = strip_nontrivial_aces(&adaces, adacecount)) <= 0)
1540 if ((combinedaces = concat_aces(diraces, diracecount, adaces, adacecount)) == NULL)
1543 /* Now set new acl */
1544 if ((acl(".AppleDouble/.Parent", ACE_SETACL, diracecount + adacecount, combinedaces)) != 0)
1545 LOG(log_error, logtype_afpd, "addir_inherit_acl: acl: %s", strerror(errno));
1551 LOG(log_debug9, logtype_afpd, "addir_inherit_acl: END");
1557 #endif /* HAVE_SOLARIS_ACLS */
1559 #ifdef HAVE_POSIX_ACLS
1560 void addir_inherit_acl(const struct vol *vol)
1564 #endif /* HAVE_POSIX_ACLS */
projects / netatalk.git / blob