From 1519a60abe957431ec99382c9d2b4d58fb3142a5 Mon Sep 17 00:00:00 2001 From: Frank Lahm Date: Wed, 27 Oct 2010 11:50:37 +0200 Subject: [PATCH 1/1] Optimize ACL access calculations and enable acl2maccess by default --- etc/afpd/acls.c | 87 +++++++++++------------------------------- etc/afpd/acls.h | 2 +- etc/afpd/afp_options.c | 5 ++- etc/afpd/globals.h | 2 +- 4 files changed, 27 insertions(+), 69 deletions(-) diff --git a/etc/afpd/acls.c b/etc/afpd/acls.c index 62e36a7e..89738835 100644 --- a/etc/afpd/acls.c +++ b/etc/afpd/acls.c @@ -47,7 +47,7 @@ #include "desktop.h" #include "volume.h" #include "fork.h" - +#include "unix.h" #include "acls.h" #include "acl_mappings.h" @@ -62,44 +62,6 @@ #define MAP_MASK 31 #define IS_DIR 32 -/******************************************************** - * Basic and helper funcs - ********************************************************/ - -/*! - * Takes a user by pointer to his/her struct passwd entry and checks if user - * is member of group "gid". - * - * @param pwd (r) pointer to struct passwd of user - * @returns 1 if user is member, 0 if not, -1 on error -*/ -static int check_group(const struct passwd *pwd, gid_t gid) -{ - EC_INIT; - int i; - struct group *grp; - - if (pwd->pw_gid == gid) - return 1; - - EC_NULL(grp = getgrgid(gid)); - - i = 0; - while (grp->gr_mem[i] != NULL) { - if ((strcmp(grp->gr_mem[i], pwd->pw_name)) == 0) { - LOG(log_debug, logtype_afpd, "user:%s is member of: %s", - pwd->pw_name, grp->gr_name); - return 1; - } - i++; - } - - EC_STATUS(0); - -EC_CLEANUP: - EC_EXIT; -} - /******************************************************** * Solaris funcs ********************************************************/ 
@@ -165,13 +127,11 @@ static int solaris_acl_rights(const char *path,
 process ACE */
 if (((who == pwd->pw_uid) && !(flags & (ACE_TRIVIAL|ACE_IDENTIFIER_GROUP)))
 ||
- ((flags & ACE_IDENTIFIER_GROUP)
- && !(flags & ACE_GROUP)
- && (check_group(pwd, who) == 1))
+ ((flags & ACE_IDENTIFIER_GROUP) && !(flags & ACE_GROUP) && gmem(who))
 ||
 ((flags & ACE_OWNER) && (pwd->pw_uid == sb->st_uid))
 ||
- ((flags & ACE_GROUP) && (check_group(pwd, sb->st_gid) == 1))
+ ((flags & ACE_GROUP) && gmem(sb->st_gid))
 ||
 (flags & ACE_EVERYONE)
 ) {
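Review bot: The two `gmem()` calls replace `check_group(pwd, ...)`, which resolved membership for the user named by `pwd` through getgrgid(); `gmem()` is defined outside this hunk, but its name and the dropped lookup suggest it consults the calling process's own supplementary group list, so `pwd` and the process credentials must now describe the same user. That is only safe if afpd has already switched to the session user (initgroups()/setgroups()) before solaris_acl_rights() runs; if the function can be reached for any other uid, group ACEs are matched against the wrong principal and the computed rights are wrong in either direction. Since `pwd` is now used only for `pw_uid`, the contract should be stated on it, e.g. `/* group ACEs are matched against the process's supplementary groups (gmem), so pwd must be the user this process currently runs as */`, or enforced with a guard such as `if (pwd->pw_uid != geteuid()) return -1;` if the callers do not already guarantee it. The enclosing function starts and ends outside the hunk.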
@@ -1380,43 +1340,40 @@ int afp_setacl(AFPObj *obj, char *ibuf, size_t ibuflen _U_, char *rbuf _U_, size /* unix.c/accessmode calls this: map ACL to OS 9 mode */ -void acltoownermode(char *path, struct stat *st, uid_t uid, struct maccess *ma) +int acltoownermode(char *path, struct stat *st, uid_t uid, struct maccess *ma) { + EC_INIT; struct passwd *pw; - atalk_uuid_t uuid; - int r_ok, w_ok, x_ok; + uint32_t rights = 0; if ( ! (AFPobj->options.flags & OPTION_UUID) || - ! (AFPobj->options.flags & OPTION_ACL2UARIGHTS)) - return; + ! (AFPobj->options.flags & OPTION_ACL2MACCESS)) + return 0; LOG(log_maxdebug, logtype_afpd, "acltoownermode('%s')", path); - if ((pw = getpwuid(uid)) == NULL) { - LOG(log_error, logtype_afpd, "acltoownermode: %s", strerror(errno)); - return; - } + EC_NULL_LOG(pw = getpwuid(uid)); - /* We need the UUID for check_acl_access */ - if ((getuuidfromname(pw->pw_name, UUID_USER, uuid)) != 0) - return; +#ifdef HAVE_SOLARIS_ACLS + EC_ZERO_LOG(solaris_acl_rights(path, st, pw, &rights)); +#endif +#ifdef HAVE_POSIX_ACLS +#endif - /* These work for files and dirs */ - r_ok = check_acl_access(NULL, NULL, path, uuid, DARWIN_ACE_READ_DATA); - w_ok = check_acl_access(NULL, NULL, path, uuid, (DARWIN_ACE_WRITE_DATA|DARWIN_ACE_APPEND_DATA)); - x_ok = check_acl_access(NULL, NULL, path, uuid, DARWIN_ACE_EXECUTE); + LOG(log_debug, logtype_afpd, "rights: 0x%08x", rights); - LOG(log_debug7, logtype_afpd, "acltoownermode: ma_user before: %04o",ma->ma_user); - if (r_ok == 0) + LOG(log_maxdebug, logtype_afpd, "acltoownermode: ma_user before: %04o",ma->ma_user); + if (rights & DARWIN_ACE_READ_DATA) ma->ma_user |= AR_UREAD; - if (w_ok == 0) + if (rights & DARWIN_ACE_WRITE_DATA) ma->ma_user |= AR_UWRITE; - if (x_ok == 0) + if (rights & (DARWIN_ACE_EXECUTE | DARWIN_ACE_SEARCH)) ma->ma_user |= AR_USEARCH; - LOG(log_debug7, logtype_afpd, "acltoownermode: ma_user after: %04o", ma->ma_user); + LOG(log_maxdebug, logtype_afpd, "acltoownermode: ma_user after: %04o", ma->ma_user); 
- return; +EC_CLEANUP: + EC_EXIT; } /* diff --git a/etc/afpd/acls.h b/etc/afpd/acls.h index 6befff82..3acf0acb 100644 --- a/etc/afpd/acls.h +++ b/etc/afpd/acls.h @@ -111,6 +111,6 @@ int afp_setacl (AFPObj *obj, char *ibuf, size_t ibuflen, char *rbuf, size_t *rb /* Parse afp_ldap.conf */ extern int acl_ldap_readconfig(char *name); -extern void acltoownermode(char *path, struct stat *st,uid_t uid, struct maccess *ma); +extern int acltoownermode(char *path, struct stat *st,uid_t uid, struct maccess *ma); #endif diff --git a/etc/afpd/afp_options.c b/etc/afpd/afp_options.c index 0d3ef8cb..cc823997 100644 --- a/etc/afpd/afp_options.c +++ b/etc/afpd/afp_options.c @@ -199,6 +199,7 @@ void afp_options_init(struct afp_options *options) options->flags |= OPTION_NOSLP; #endif options->dircachesize = DEFAULT_MAX_DIRCACHE_SIZE; + options->flags |= OPTION_ACL2MACCESS; } /* parse an afpd.conf line. i'm doing it this way because it's @@ -244,8 +245,8 @@ int afp_options_parseline(char *buf, struct afp_options *options) options->flags |= OPTION_CUSTOMICON; if (strstr(buf, " -advertise_ssh")) options->flags |= OPTION_ANNOUNCESSH; - if (strstr(buf, " -acl2uarights")) - options->flags |= OPTION_ACL2UARIGHTS; + if (strstr(buf, " -noacl2maccess")) + options->flags &= ~OPTION_ACL2MACCESS; /* passwd bits */ if (strstr(buf, " -nosavepassword")) diff --git a/etc/afpd/globals.h b/etc/afpd/globals.h index 1d86fd35..e37ebf64 100644 --- a/etc/afpd/globals.h +++ b/etc/afpd/globals.h @@ -35,7 +35,7 @@ #define OPTION_NOSLP (1 << 5) #define OPTION_ANNOUNCESSH (1 << 6) #define OPTION_UUID (1 << 7) -#define OPTION_ACL2UARIGHTS (1 << 8) +#define OPTION_ACL2MACCESS (1 << 8) #define OPTION_NOZEROCONF (1 << 9) #ifdef FORCE_UIDGID -- 2.39.2
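Review bot: The `#ifdef HAVE_POSIX_ACLS` block in acltoownermode() is empty, so on POSIX-ACL builds `rights` stays 0 and the function returns 0 without touching `ma`, while the same patch turns OPTION_ACL2MACCESS on by default and removes the previous check_acl_access() path (not visible here) without a replacement for those builds. Mark the gap so it is not read as "no ACL rights granted", e.g. `/* TODO: POSIX ACLs are not mapped yet; rights stays 0 and ma keeps its mode-derived value */`, or log it once at debug level. Note also that the mapping only ORs AR_UREAD/AR_UWRITE/AR_USEARCH into `ma->ma_user` and never clears a bit, so even if solaris_acl_rights() folds deny ACEs into `rights` (not visible here) a deny can never reduce what the mode already grants; that is acceptable if the kernel enforces the ACL, but the function comment should say so. The old `w_ok` check required WRITE_DATA and APPEND_DATA together while the new test is `rights & DARWIN_ACE_WRITE_DATA` alone, which is a (possibly intended) loosening worth a one-line comment.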
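Review bot: `-acl2uarights` is dropped from afp_options_parseline() with no fallback, so an afpd.conf that still passes it is silently accepted and the token simply ignored, and administrators who relied on the mapping being opt-in get the new default with no signal. Suggest keeping the old spelling as a recognised no-op with a deprecation log, e.g. `if (strstr(buf, " -acl2uarights")) LOG(log_warning, logtype_afpd, "-acl2uarights is obsolete: ACL to maccess mapping is now on by default, use -noacl2maccess to disable");`, and documenting the new default and `-noacl2maccess` in the afpd.conf man page.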