/*
Copyright (c) 2010 Frank Lahm <franklahm@gmail.com>
+ Copyright (c) 2011 Laura Mueller <laura-mueller@uni-duesseldorf.de>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
#include "config.h"
#endif /* HAVE_CONFIG_H */
-#ifdef HAVE_NFSv4_ACLS
+#ifdef HAVE_ACLS
#include <unistd.h>
#include <sys/types.h>
#include <atalk/afp.h>
#include <atalk/util.h>
#include <atalk/acl.h>
+#include <atalk/unix.h>
+
+#ifdef HAVE_NFSV4_ACLS
/* Get ACL. Allocates storage as needed. Caller must free.
* Returns no of ACEs or -1 on error. */
*retAces = NULL;
/* Only call acl() for regular files and directories, otherwise just return 0 */
- if (lstat(name, &st) != 0)
+ if (lstat(name, &st) != 0) {
+ LOG(log_debug, logtype_afpd, "get_nfsv4_acl(\"%s/%s\"): %s", getcwdpath(), name, strerror(errno));
return -1;
- if ( ! (S_ISREG(st.st_mode) || S_ISDIR(st.st_mode)))
+ }
+
+ if (S_ISLNK(st.st_mode))
+ /* sorry, no ACLs for symlinks */
+ return 0;
+
+ if ( ! (S_ISREG(st.st_mode) || S_ISDIR(st.st_mode))) {
+ LOG(log_debug, logtype_afpd, "get_nfsv4_acl(\"%s/%s\"): special", getcwdpath(), name);
return 0;
+ }
- if ((ace_count = acl(name, ACE_GETACLCNT, 0, NULL)) == 0)
+ if ((ace_count = acl(name, ACE_GETACLCNT, 0, NULL)) == 0) {
+ LOG(log_debug, logtype_afpd, "get_nfsv4_acl(\"%s/%s\"): 0 ACEs", getcwdpath(), name);
return 0;
+ }
if (ace_count == -1) {
- LOG(log_error, logtype_afpd, "get_nfsv4_acl: acl('%s/%s', ACE_GETACLCNT): ace_count %i, error: %s",
+ LOG(log_debug, logtype_afpd, "get_nfsv4_acl: acl('%s/%s', ACE_GETACLCNT): ace_count %i, error: %s",
getcwdpath(), name, ace_count, strerror(errno));
return -1;
}
* Change mode of file preserving existing explicit ACEs
*
* nfsv4_chmod
- * (1) reads objects ACL (acl1)
+ * (1) reads objects ACL (acl1), may return 0 or -1 NFSv4 ACEs on eg UFS fs
* (2) removes all trivial ACEs from the ACL by calling strip_trivial_aces(), possibly
* leaving 0 ACEs in the ACL if there were only trivial ACEs as mapped from the mode
- * (3) calls chmod() with mode
+ * (3) calls chmod() with mode, we're done if step (1) returned 0 for noaces
* (4) reads the changed ACL (acl2) which
* a) might still contain explicit ACEs (up to onnv132)
* b) will have any explicit ACE removed (starting with onnv145/Openindiana)
{
int ret = -1;
int noaces, nnaces;
- ace_t *oacl = NULL, *nacl = NULL, *cacl;
+ ace_t *oacl = NULL, *nacl = NULL, *cacl = NULL;
+
+ LOG(log_debug, logtype_afpd, "nfsv4_chmod(\"%s/%s\", %04o)",
+ getcwdpath(), name, mode);
+
+ if ((noaces = get_nfsv4_acl(name, &oacl)) < 1) /* (1) */
+ return chmod(name, mode);
- if ((noaces = get_nfsv4_acl(name, &oacl)) == -1) /* (1) */
- goto exit;
if ((noaces = strip_trivial_aces(&oacl, noaces)) == -1) /* (2) */
goto exit;
if (chmod(name, mode) != 0) /* (3) */
goto exit;
- if ((nnaces = get_nfsv4_acl(name, &nacl)) == -1) /* (4) */
- goto exit;
+ if ((nnaces = get_nfsv4_acl(name, &nacl)) == -1) {/* (4) */
+ if (errno != EACCES)
+ goto exit;
+ become_root();
+ nnaces = get_nfsv4_acl(name, &nacl);
+ unbecome_root();
+ if (nnaces == -1)
+ goto exit;
+ }
+
if ((nnaces = strip_nontrivial_aces(&nacl, nnaces)) == -1) /* (5) */
goto exit;
goto exit;
if ((ret = acl(name, ACE_SETACL, noaces + nnaces, cacl)) != 0) {
- LOG(log_error, logtype_afpd, "nfsv4_chmod: error setting acl: %s", strerror(errno));
- goto exit;
+ if (errno != EACCES) {
+ LOG(log_error, logtype_afpd, "nfsv4_chmod: error setting acl: %s", strerror(errno));
+ goto exit;
+ }
+ become_root();
+ ret = acl(name, ACE_SETACL, noaces + nnaces, cacl);
+ unbecome_root();
+ if (ret != 0) {
+ LOG(log_error, logtype_afpd, "nfsv4_chmod: error setting acl: %s", strerror(errno));
+ goto exit;
+ }
}
exit:
if (nacl) free(nacl);
if (cacl) free(cacl);
+ LOG(log_debug, logtype_afpd, "nfsv4_chmod(\"%s/%s\", %04o): result: %d",
+ getcwdpath(), name, mode, ret);
+
return ret;
}
-#if 0
-static int set_acl_vfs(const struct vol *vol, char *name, int inherit, char *ibuf)
-{
- int ret, i, nfsv4_ace_count, tocopy_aces_count = 0, new_aces_count = 0, trivial_ace_count = 0;
- ace_t *old_aces, *new_aces = NULL;
- uint16_t flags;
- uint32_t ace_count;
-
- LOG(log_debug9, logtype_afpd, "set_acl: BEGIN");
-
- /* Get no of ACEs the client put on the wire */
- ace_count = htonl(*((uint32_t *)ibuf));
- ibuf += 8; /* skip ACL flags (see acls.h) */
-
- if (inherit)
- /* inherited + trivial ACEs */
- flags = ACE_INHERITED_ACE | ACE_OWNER | ACE_GROUP | ACE_EVERYONE;
- else
- /* only trivial ACEs */
- flags = ACE_OWNER | ACE_GROUP | ACE_EVERYONE;
-
- /* Get existing ACL and count ACEs which have to be copied */
- if ((nfsv4_ace_count = get_nfsv4_acl(name, &old_aces)) == -1)
- return AFPERR_MISC;
- for ( i=0; i < nfsv4_ace_count; i++) {
- if (old_aces[i].a_flags & flags)
- tocopy_aces_count++;
- }
+#endif /* HAVE_NFSV4_ACLS */
- /* Now malloc buffer exactly sized to fit all new ACEs */
- new_aces = malloc( (ace_count + tocopy_aces_count) * sizeof(ace_t) );
- if (new_aces == NULL) {
- LOG(log_error, logtype_afpd, "set_acl: malloc %s", strerror(errno));
- ret = AFPERR_MISC;
- goto cleanup;
- }
+#ifdef HAVE_POSIX_ACLS
- /* Start building new ACL */
+/* This is a workaround for chmod() on filestystems supporting Posix 1003.1e draft 17
+ * compliant ACLs. For objects with extented ACLs, eg objects with an ACL_MASK entry,
+ * chmod() manipulates ACL_MASK instead of ACL_GROUP_OBJ. As OS X isn't aware of
+ * this behavior calling FPSetFileDirParms may lead to unpredictable results. For
+ * more information see section 23.1.2 of Posix 1003.1e draft 17.
+ *
+ * posix_chmod() accepts the same arguments as chmod() and returns 0 in case of
+ * success or -1 in case something went wrong.
+ */
- /* Copy local inherited ACEs. Therefore we have 'Darwin canonical order' (see chmod there):
- inherited ACEs first. */
- if (inherit) {
- for (i=0; i < nfsv4_ace_count; i++) {
- if (old_aces[i].a_flags & ACE_INHERITED_ACE) {
- memcpy(&new_aces[new_aces_count], &old_aces[i], sizeof(ace_t));
- new_aces_count++;
+#define SEARCH_GROUP_OBJ 0x01
+#define SEARCH_MASK 0x02
+
+int posix_chmod(const char *name, mode_t mode) {
+ int ret = 0;
+ int entry_id = ACL_FIRST_ENTRY;
+ acl_entry_t entry;
+ acl_entry_t group_entry;
+ acl_tag_t tag;
+ acl_t acl;
+ u_char not_found = (SEARCH_GROUP_OBJ|SEARCH_MASK); /* used as flags */
+
+ LOG(log_maxdebug, logtype_afpd, "posix_chmod(\"%s\", mode: %04o) BEGIN",
+ fullpathname(name), mode);
+
+ /* Call chmod() first because there might be some special bits to be set which
+ * aren't related to access control.
+ */
+#ifdef BSD4_4
+ /*
+ * On FreeBSD chmod_acl() ends up in here too, but on
+ * FreeBSD sine ~9.1 with ZFS doesn't allow setting the g+s bit.
+ * Fixes PR #491.
+ */
+ mode &= 0777;
+#endif
+ ret = chmod(name, mode);
+
+ if (ret)
+ goto done;
+
+ /* Check if the underlying filesystem supports ACLs. */
+ acl = acl_get_file(name, ACL_TYPE_ACCESS);
+
+ if (acl) {
+ /* There is no need to keep iterating once we have found ACL_GROUP_OBJ and ACL_MASK. */
+ while ((acl_get_entry(acl, entry_id, &entry) == 1) && not_found) {
+ entry_id = ACL_NEXT_ENTRY;
+
+ ret = acl_get_tag_type(entry, &tag);
+
+ if (ret) {
+ LOG(log_error, logtype_afpd, "posix_chmod: Failed to get tag type.");
+ goto cleanup;
+ }
+
+ switch (tag) {
+ case ACL_GROUP_OBJ:
+ group_entry = entry;
+ not_found &= ~SEARCH_GROUP_OBJ;
+ break;
+
+ case ACL_MASK:
+ not_found &= ~SEARCH_MASK;
+ break;
+
+ default:
+ break;
}
}
- }
- LOG(log_debug7, logtype_afpd, "set_acl: copied %d inherited ACEs", new_aces_count);
+ if (!not_found) {
+ /* The filesystem object has extented ACLs. We have to update ACL_GROUP_OBJ
+ * with the group permissions.
+ */
+ acl_permset_t permset;
+ acl_perm_t perm = 0;
+
+ ret = acl_get_permset(group_entry, &permset);
+
+ if (ret) {
+ LOG(log_error, logtype_afpd, "posix_chmod: Can't get permset.");
+ goto cleanup;
+ }
+ ret = acl_clear_perms(permset);
- /* Now the ACEs from the client */
- ret = map_acl(DARWIN_2_SOLARIS, &new_aces[new_aces_count], (darwin_ace_t *)ibuf, ace_count);
- if (ret == -1) {
- ret = AFPERR_PARAM;
- goto cleanup;
- }
- new_aces_count += ace_count;
- LOG(log_debug7, logtype_afpd, "set_acl: mapped %d ACEs from client", ace_count);
-
- /* Now copy the trivial ACEs */
- for (i=0; i < nfsv4_ace_count; i++) {
- if (old_aces[i].a_flags & (ACE_OWNER | ACE_GROUP | ACE_EVERYONE)) {
- memcpy(&new_aces[new_aces_count], &old_aces[i], sizeof(ace_t));
- new_aces_count++;
- trivial_ace_count++;
+ if (ret)
+ goto cleanup;
+
+ if (mode & S_IXGRP)
+ perm |= ACL_EXECUTE;
+
+ if (mode & S_IWGRP)
+ perm |= ACL_WRITE;
+
+ if (mode & S_IRGRP)
+ perm |= ACL_READ;
+
+ ret = acl_add_perm(permset, perm);
+
+ if (ret)
+ goto cleanup;
+
+ ret = acl_set_permset(group_entry, permset);
+
+ if (ret) {
+ LOG(log_error, logtype_afpd, "posix_chmod: Can't set permset.");
+ goto cleanup;
+ }
+ /* also update ACL_MASK */
+ ret = acl_calc_mask(&acl);
+
+ if (ret) {
+ LOG(log_error, logtype_afpd, "posix_chmod: acl_calc_mask failed.");
+ goto cleanup;
+ }
+ ret = acl_set_file(name, ACL_TYPE_ACCESS, acl);
}
+cleanup:
+ acl_free(acl);
}
- LOG(log_debug7, logtype_afpd, "set_acl: copied %d trivial ACEs", trivial_ace_count);
-
- /* Ressourcefork first.
- Note: for dirs we set the same ACL on the .AppleDouble/.Parent _file_. This
- might be strange for ACE_DELETE_CHILD and for inheritance flags. */
- if ( (ret = vol->vfs->vfs_acl(vol, name, ACE_SETACL, new_aces_count, new_aces)) != 0) {
- LOG(log_error, logtype_afpd, "set_acl: error setting acl: %s", strerror(errno));
- if (errno == (EACCES | EPERM))
- ret = AFPERR_ACCESS;
- else if (errno == ENOENT)
- ret = AFPERR_NOITEM;
- else
- ret = AFPERR_MISC;
- goto cleanup;
- }
- if ( (ret = acl(name, ACE_SETACL, new_aces_count, new_aces)) != 0) {
- LOG(log_error, logtype_afpd, "set_acl: error setting acl: %s", strerror(errno));
- if (errno == (EACCES | EPERM))
- ret = AFPERR_ACCESS;
- else if (errno == ENOENT)
- ret = AFPERR_NOITEM;
- else
- ret = AFPERR_MISC;
- goto cleanup;
- }
+done:
+ LOG(log_maxdebug, logtype_afpd, "posix_chmod(\"%s\", mode: %04o): END: %d",
+ fullpathname(name), mode, ret);
+ return ret;
+}
- ret = AFP_OK;
+/*
+ * posix_fchmod() accepts the same arguments as fchmod() and returns 0 in case of
+ * success or -1 in case something went wrong.
+ */
+int posix_fchmod(int fd, mode_t mode) {
+ int ret = 0;
+ int entry_id = ACL_FIRST_ENTRY;
+ acl_entry_t entry;
+ acl_entry_t group_entry;
+ acl_tag_t tag;
+ acl_t acl;
+ u_char not_found = (SEARCH_GROUP_OBJ|SEARCH_MASK); /* used as flags */
+
+ /* Call chmod() first because there might be some special bits to be set which
+ * aren't related to access control.
+ */
+ ret = fchmod(fd, mode);
+
+ if (ret)
+ goto done;
+
+ /* Check if the underlying filesystem supports ACLs. */
+ acl = acl_get_fd(fd);
+
+ if (acl) {
+ /* There is no need to keep iterating once we have found ACL_GROUP_OBJ and ACL_MASK. */
+ while ((acl_get_entry(acl, entry_id, &entry) == 1) && not_found) {
+ entry_id = ACL_NEXT_ENTRY;
+
+ ret = acl_get_tag_type(entry, &tag);
+
+ if (ret) {
+ LOG(log_error, logtype_afpd, "posix_fchmod: Failed to get tag type.");
+ goto cleanup;
+ }
-cleanup:
- free(old_aces);
- free(new_aces);
+ switch (tag) {
+ case ACL_GROUP_OBJ:
+ group_entry = entry;
+ not_found &= ~SEARCH_GROUP_OBJ;
+ break;
- LOG(log_debug9, logtype_afpd, "set_acl: END");
+ case ACL_MASK:
+ not_found &= ~SEARCH_MASK;
+ break;
+
+ default:
+ break;
+ }
+ }
+ if (!not_found) {
+ /* The filesystem object has extented ACLs. We have to update ACL_GROUP_OBJ
+ * with the group permissions.
+ */
+ acl_permset_t permset;
+ acl_perm_t perm = 0;
+
+ ret = acl_get_permset(group_entry, &permset);
+
+ if (ret) {
+ LOG(log_error, logtype_afpd, "posix_fchmod: Can't get permset.");
+ goto cleanup;
+ }
+ ret = acl_clear_perms(permset);
+
+ if (ret)
+ goto cleanup;
+
+ if (mode & S_IXGRP)
+ perm |= ACL_EXECUTE;
+
+ if (mode & S_IWGRP)
+ perm |= ACL_WRITE;
+
+ if (mode & S_IRGRP)
+ perm |= ACL_READ;
+
+ ret = acl_add_perm(permset, perm);
+
+ if (ret)
+ goto cleanup;
+
+ ret = acl_set_permset(group_entry, permset);
+
+ if (ret) {
+ LOG(log_error, logtype_afpd, "posix_fchmod: Can't set permset.");
+ goto cleanup;
+ }
+ /* also update ACL_MASK */
+ ret = acl_calc_mask(&acl);
+
+ if (ret) {
+ LOG(log_error, logtype_afpd, "posix_fchmod: acl_calc_mask failed.");
+ goto cleanup;
+ }
+ ret = acl_set_fd(fd, acl);
+ }
+cleanup:
+ acl_free(acl);
+ }
+done:
return ret;
}
-#endif /* 0 */
-#endif /* HAVE_NFSv4_ACLS */
+#endif /* HAVE_POSIX_ACLS */
+
+#endif /* HAVE_ACLS */