2 Copyright (c) 2008, 2009, 2010 Frank Lahm <franklahm@gmail.com>
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 2 of the License, or
7 (at your option) any later version.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
17 #endif /* HAVE_CONFIG_H */
26 #ifdef HAVE_SOLARIS_ACLS
29 #ifdef HAVE_POSIX_ACLS
31 #include <acl/libacl.h>
34 #include <atalk/adouble.h>
35 #include <atalk/vfs.h>
36 #include <atalk/afp.h>
37 #include <atalk/util.h>
38 #include <atalk/cnid.h>
39 #include <atalk/logger.h>
40 #include <atalk/uuid.h>
41 #include <atalk/acl.h>
43 #include "directory.h"
49 #include "acl_mappings.h"
52 #define SOLARIS_2_DARWIN 1
53 #define DARWIN_2_SOLARIS 2
54 #define POSIX_DEFAULT_2_DARWIN 3
55 #define POSIX_ACCESS_2_DARWIN 4
56 #define DARWIN_2_POSIX 5
61 /********************************************************
62 * Basic and helper funcs
63 ********************************************************/
66 Takes a users name, uid and primary gid and checks if user is member of any group
67 Returns -1 if no or error, 0 if yes
69 static int check_group(char *name, uid_t uid _U_, gid_t pgid, gid_t path_gid)
77 grp = getgrgid(path_gid);
82 while (grp->gr_mem[i] != NULL) {
83 if ( (strcmp(grp->gr_mem[i], name)) == 0 ) {
84 LOG(log_debug, logtype_afpd, "check_group: requested user:%s is member of: %s", name, grp->gr_name);
93 /********************************************************
95 ********************************************************/
97 #ifdef HAVE_SOLARIS_ACLS
99 Remove any trivial ACE "in-place". Returns no of non-trivial ACEs
101 static int strip_trivial_aces(ace_t **saces, int sacecount)
105 ace_t *aces = *saces;
108 /* Count non-trivial ACEs */
109 for (i=0; i < sacecount; ) {
110 if ( ! (aces[i].a_flags & (ACE_OWNER | ACE_GROUP | ACE_EVERYONE)))
114 /* malloc buffer for new ACL */
115 if ((new_aces = malloc(nontrivaces * sizeof(ace_t))) == NULL) {
116 LOG(log_error, logtype_afpd, "strip_trivial_aces: malloc %s", strerror(errno));
120 /* Copy non-trivial ACEs */
121 for (i=0, j=0; i < sacecount; ) {
122 if ( ! (aces[i].a_flags & (ACE_OWNER | ACE_GROUP | ACE_EVERYONE))) {
123 memcpy(&new_aces[j], &aces[i], sizeof(ace_t));
132 LOG(log_debug7, logtype_afpd, "strip_trivial_aces: non-trivial ACEs: %d", nontrivaces);
138 Remove non-trivial ACEs "in-place". Returns no of trivial ACEs.
140 static int strip_nontrivial_aces(ace_t **saces, int sacecount)
144 ace_t *aces = *saces;
147 /* Count trivial ACEs */
148 for (i=0; i < sacecount; ) {
149 if ((aces[i].a_flags & (ACE_OWNER | ACE_GROUP | ACE_EVERYONE)))
153 /* malloc buffer for new ACL */
154 if ((new_aces = malloc(trivaces * sizeof(ace_t))) == NULL) {
155 LOG(log_error, logtype_afpd, "strip_nontrivial_aces: malloc %s", strerror(errno));
159 /* Copy trivial ACEs */
160 for (i=0, j=0; i < sacecount; ) {
161 if ((aces[i].a_flags & (ACE_OWNER | ACE_GROUP | ACE_EVERYONE))) {
162 memcpy(&new_aces[j], &aces[i], sizeof(ace_t));
171 LOG(log_debug7, logtype_afpd, "strip_nontrivial_aces: trivial ACEs: %d", trivaces);
179 static ace_t *concat_aces(ace_t *aces1, int ace1count, ace_t *aces2, int ace2count)
184 /* malloc buffer for new ACL */
185 if ((new_aces = malloc((ace1count + ace2count) * sizeof(ace_t))) == NULL) {
186 LOG(log_error, logtype_afpd, "combine_aces: malloc %s", strerror(errno));
190 /* Copy ACEs from buf1 */
191 for (i=0; i < ace1count; ) {
192 memcpy(&new_aces[i], &aces1[i], sizeof(ace_t));
198 /* Copy ACEs from buf2 */
199 for (i=0; i < ace2count; ) {
200 memcpy(&new_aces[j], &aces2[i], sizeof(ace_t));
209 Maps ACE array from Solaris to Darwin. Darwin ACEs are stored in network byte order.
210 Return numer of mapped ACEs or -1 on error.
211 All errors while mapping (e.g. getting UUIDs from LDAP) are fatal.
213 static int map_aces_solaris_to_darwin(ace_t *aces, darwin_ace_t *darwin_aces, int ace_count)
218 struct passwd *pwd = NULL;
219 struct group *grp = NULL;
221 LOG(log_debug7, logtype_afpd, "map_aces_solaris_to_darwin: parsing %d ACES", ace_count);
224 LOG(log_debug7, logtype_afpd, "map_aces_solaris_to_darwin: parsing ACE No. %d", ace_count + 1);
225 /* if its a ACE resulting from nfsv4 mode mapping, discard it */
226 if (aces->a_flags & (ACE_OWNER | ACE_GROUP | ACE_EVERYONE)) {
227 LOG(log_debug, logtype_afpd, "map_aces_solaris_to_darwin: trivial ACE");
232 if ( ! (aces->a_flags & ACE_IDENTIFIER_GROUP) ) {
234 LOG(log_debug, logtype_afpd, "map_aces_solaris_to_darwin: found user ACE with uid: %d", aces->a_who);
235 pwd = getpwuid(aces->a_who);
237 LOG(log_error, logtype_afpd, "map_aces_solaris_to_darwin: getpwuid error: %s", strerror(errno));
240 LOG(log_debug, logtype_afpd, "map_aces_solaris_to_darwin: uid: %d -> name: %s", aces->a_who, pwd->pw_name);
241 if ( (getuuidfromname(pwd->pw_name, UUID_USER, darwin_aces->darwin_ace_uuid)) != 0) {
242 LOG(log_error, logtype_afpd, "map_aces_solaris_to_darwin: getuuidfromname error");
246 /* its a group ace */
247 LOG(log_debug, logtype_afpd, "map_aces_solaris_to_darwin: found group ACE with gid: %d", aces->a_who);
248 grp = getgrgid(aces->a_who);
250 LOG(log_error, logtype_afpd, "map_aces_solaris_to_darwin: getgrgid error: %s", strerror(errno));
253 LOG(log_debug, logtype_afpd, "map_aces_solaris_to_darwin: gid: %d -> name: %s", aces->a_who, grp->gr_name);
254 if ( (getuuidfromname(grp->gr_name, UUID_GROUP, darwin_aces->darwin_ace_uuid)) != 0) {
255 LOG(log_error, logtype_afpd, "map_aces_solaris_to_darwin: getuuidfromname error");
261 if (aces->a_type == ACE_ACCESS_ALLOWED_ACE_TYPE)
262 flags = DARWIN_ACE_FLAGS_PERMIT;
263 else if (aces->a_type == ACE_ACCESS_DENIED_ACE_TYPE)
264 flags = DARWIN_ACE_FLAGS_DENY;
265 else { /* unsupported type */
269 for(i=0; nfsv4_to_darwin_flags[i].from != 0; i++) {
270 if (aces->a_flags & nfsv4_to_darwin_flags[i].from)
271 flags |= nfsv4_to_darwin_flags[i].to;
273 darwin_aces->darwin_ace_flags = htonl(flags);
277 for (i=0; nfsv4_to_darwin_rights[i].from != 0; i++) {
278 if (aces->a_access_mask & nfsv4_to_darwin_rights[i].from)
279 rights |= nfsv4_to_darwin_rights[i].to;
281 darwin_aces->darwin_ace_rights = htonl(rights);
292 Maps ACE array from Darwin to Solaris. Darwin ACEs are expected in network byte order.
293 Return numer of mapped ACEs or -1 on error.
294 All errors while mapping (e.g. getting UUIDs from LDAP) are fatal.
296 int map_aces_darwin_to_solaris(darwin_ace_t *darwin_aces, ace_t *nfsv4_aces, int ace_count)
298 int i, mapped_aces = 0;
299 uint32_t darwin_ace_flags;
300 uint32_t darwin_ace_rights;
301 uint16_t nfsv4_ace_flags;
302 uint32_t nfsv4_ace_rights;
310 nfsv4_ace_rights = 0;
313 if ( (getnamefromuuid(darwin_aces->darwin_ace_uuid, &name, &uuidtype)) != 0)
315 if (uuidtype == UUID_USER) {
316 pwd = getpwnam(name);
318 LOG(log_error, logtype_afpd, "map_aces_darwin_to_solaris: getpwnam: %s", strerror(errno));
321 nfsv4_aces->a_who = pwd->pw_uid;
322 } else { /* hopefully UUID_GROUP*/
323 grp = getgrnam(name);
325 LOG(log_error, logtype_afpd, "map_aces_darwin_to_solaris: getgrnam: %s", strerror(errno));
328 nfsv4_aces->a_who = (uid_t)(grp->gr_gid);
329 nfsv4_ace_flags |= ACE_IDENTIFIER_GROUP;
334 /* now type: allow/deny */
335 darwin_ace_flags = ntohl(darwin_aces->darwin_ace_flags);
336 if (darwin_ace_flags & DARWIN_ACE_FLAGS_PERMIT)
337 nfsv4_aces->a_type = ACE_ACCESS_ALLOWED_ACE_TYPE;
338 else if (darwin_ace_flags & DARWIN_ACE_FLAGS_DENY)
339 nfsv4_aces->a_type = ACE_ACCESS_DENIED_ACE_TYPE;
340 else { /* unsupported type */
345 for(i=0; darwin_to_nfsv4_flags[i].from != 0; i++) {
346 if (darwin_ace_flags & darwin_to_nfsv4_flags[i].from)
347 nfsv4_ace_flags |= darwin_to_nfsv4_flags[i].to;
351 darwin_ace_rights = ntohl(darwin_aces->darwin_ace_rights);
352 for (i=0; darwin_to_nfsv4_rights[i].from != 0; i++) {
353 if (darwin_ace_rights & darwin_to_nfsv4_rights[i].from)
354 nfsv4_ace_rights |= darwin_to_nfsv4_rights[i].to;
357 LOG(log_debug9, logtype_afpd, "map_aces_darwin_to_solaris: ACE flags: Darwin:%08x -> NFSv4:%04x", darwin_ace_flags, nfsv4_ace_flags);
358 LOG(log_debug9, logtype_afpd, "map_aces_darwin_to_solaris: ACE rights: Darwin:%08x -> NFSv4:%08x", darwin_ace_rights, nfsv4_ace_rights);
360 nfsv4_aces->a_flags = nfsv4_ace_flags;
361 nfsv4_aces->a_access_mask = nfsv4_ace_rights;
370 #endif /* HAVE_SOLARIS_ACLS */
373 * Map ACEs from POSIX to Darwin.
374 * type is either POSIX_DEFAULT_2_DARWIN or POSIX_ACCESS_2_DARWIN, cf. acl_get_file.
375 * Return number of mapped ACES, -1 on error.
377 #ifdef HAVE_POSIX_ACLS
378 static int map_acl_posix_to_darwin(int type, const acl_t acl, darwin_ace_t *darwin_aces)
382 int entry_id = ACL_FIRST_ENTRY;
385 acl_permset_t permset, mask;
388 struct passwd *pwd = NULL;
389 struct group *grp = NULL;
392 darwin_ace_t *saved_darwin_aces = darwin_aces;
394 LOG(log_maxdebug, logtype_afpd, "map_aces_posix_to_darwin(%s)",
395 (type & MAP_MASK) == POSIX_DEFAULT_2_DARWIN ?
396 "POSIX_DEFAULT_2_DARWIN" : "POSIX_ACCESS_2_DARWIN");
398 /* itereate through all ACEs */
399 while (acl_get_entry(acl, entry_id, &e) == 1) {
400 entry_id = ACL_NEXT_ENTRY;
403 if (acl_get_tag_type(e, &tag) != 0) {
404 LOG(log_error, logtype_afpd, "map_aces_posix_to_darwin: acl_get_tag_type: %s", strerror(errno));
409 /* we return user and group ACE */
412 if ((uid = (uid_t *)acl_get_qualifier(e)) == NULL) {
413 LOG(log_error, logtype_afpd, "map_aces_posix_to_darwin: acl_get_qualifier: %s",
418 if ((pwd = getpwuid(*uid)) == NULL) {
419 LOG(log_error, logtype_afpd, "map_aces_posix_to_darwin: getpwuid error: %s",
424 LOG(log_debug, logtype_afpd, "map_aces_posix_to_darwin: uid: %d -> name: %s",
426 if (getuuidfromname(pwd->pw_name, UUID_USER, darwin_aces->darwin_ace_uuid) != 0) {
427 LOG(log_error, logtype_afpd, "map_aces_posix_to_darwin: getuuidfromname error");
436 if ((gid = (gid_t *)acl_get_qualifier(e)) == NULL) {
437 LOG(log_error, logtype_afpd, "map_aces_posix_to_darwin: acl_get_qualifier: %s",
442 if ((grp = getgrgid(*gid)) == NULL) {
443 LOG(log_error, logtype_afpd, "map_aces_posix_to_darwin: getgrgid error: %s",
448 LOG(log_debug, logtype_afpd, "map_aces_posix_to_darwin: gid: %d -> name: %s",
450 if (getuuidfromname(grp->gr_name, UUID_GROUP, darwin_aces->darwin_ace_uuid) != 0) {
451 LOG(log_error, logtype_afpd, "map_aces_solaris_to_darwin: getuuidfromname error");
459 /* store mask so we can apply it later in a second loop */
461 if (acl_get_permset(e, &mask) != 0) {
462 LOG(log_error, logtype_afpd, "map_aces_solaris_to_darwin: acl_get_permset: %s", strerror(errno));
473 flags = DARWIN_ACE_FLAGS_PERMIT;
474 if ((type & MAP_MASK) == POSIX_DEFAULT_2_DARWIN)
475 flags |= DARWIN_ACE_FLAGS_FILE_INHERIT
476 | DARWIN_ACE_FLAGS_DIRECTORY_INHERIT
477 | DARWIN_ACE_FLAGS_ONLY_INHERIT;
478 darwin_aces->darwin_ace_flags = htonl(flags);
481 if (acl_get_permset(e, &permset) != 0) {
482 LOG(log_error, logtype_afpd, "map_aces_solaris_to_darwin: acl_get_permset: %s", strerror(errno));
487 if (acl_get_perm(permset, ACL_READ))
488 rights = DARWIN_ACE_READ_DATA
489 | DARWIN_ACE_READ_EXTATTRIBUTES
490 | DARWIN_ACE_READ_ATTRIBUTES
491 | DARWIN_ACE_READ_SECURITY;
492 if (acl_get_perm(permset, ACL_WRITE)) {
493 rights |= DARWIN_ACE_WRITE_DATA
494 | DARWIN_ACE_APPEND_DATA
495 | DARWIN_ACE_WRITE_EXTATTRIBUTES
496 | DARWIN_ACE_WRITE_ATTRIBUTES;
497 if ((type & ~MAP_MASK) == IS_DIR)
498 rights |= DARWIN_ACE_DELETE;
500 if (acl_get_perm(permset, ACL_EXECUTE))
501 rights |= DARWIN_ACE_EXECUTE;
503 darwin_aces->darwin_ace_rights = htonl(rights);
510 /* Loop through the mapped ACE buffer once again, applying the mask */
511 /* Map the mask to Darwin ACE rights first */
513 if (acl_get_perm(mask, ACL_READ))
514 rights = DARWIN_ACE_READ_DATA
515 | DARWIN_ACE_READ_EXTATTRIBUTES
516 | DARWIN_ACE_READ_ATTRIBUTES
517 | DARWIN_ACE_READ_SECURITY;
518 if (acl_get_perm(mask, ACL_WRITE)) {
519 rights |= DARWIN_ACE_WRITE_DATA
520 | DARWIN_ACE_APPEND_DATA
521 | DARWIN_ACE_WRITE_EXTATTRIBUTES
522 | DARWIN_ACE_WRITE_ATTRIBUTES;
523 if ((type & ~MAP_MASK) == IS_DIR)
524 rights |= DARWIN_ACE_DELETE;
526 if (acl_get_perm(mask, ACL_EXECUTE))
527 rights |= DARWIN_ACE_EXECUTE;
528 for (int i = mapped_aces; i > 0; i--) {
529 saved_darwin_aces->darwin_ace_rights &= htonl(rights);
535 if (uid) acl_free(uid);
536 if (gid) acl_free(gid);
543 * Multiplex ACL mapping (SOLARIS_2_DARWIN, DARWIN_2_SOLARIS, POSIX_2_DARWIN, DARWIN_2_POSIX).
544 * Reads from 'aces' buffer, writes to 'rbuf' buffer.
545 * Caller must provide buffer.
546 * Darwin ACEs are read and written in network byte order.
547 * Needs to know how many ACEs are in the ACL (ace_count) for Solaris ACLs.
548 * Ignores trivial ACEs.
549 * Return no of mapped ACEs or -1 on error.
551 static int map_acl(int type, const void *acl, darwin_ace_t *buf, int ace_count)
555 LOG(log_debug9, logtype_afpd, "map_acl: BEGIN");
557 switch (type & MAP_MASK) {
559 #ifdef HAVE_SOLARIS_ACLS
560 case SOLARIS_2_DARWIN:
561 mapped_aces = map_aces_solaris_to_darwin( acl, buf, ace_count);
564 case DARWIN_2_SOLARIS:
565 mapped_aces = map_aces_darwin_to_solaris( buf, acl, ace_count);
567 #endif /* HAVE_SOLARIS_ACLS */
569 #ifdef HAVE_POSIX_ACLS
570 case POSIX_DEFAULT_2_DARWIN:
571 mapped_aces = map_acl_posix_to_darwin(type, (const acl_t)acl, buf);
574 case POSIX_ACCESS_2_DARWIN:
575 mapped_aces = map_acl_posix_to_darwin(type, (const acl_t)acl, buf);
580 #endif /* HAVE_POSIX_ACLS */
587 LOG(log_debug9, logtype_afpd, "map_acl: END");
591 /* Get ACL from object omitting trivial ACEs. Map to Darwin ACL style and
592 store Darwin ACL at rbuf. Add length of ACL written to rbuf to *rbuflen.
593 Returns 0 on success, -1 on error. */
594 static int get_and_map_acl(char *name, char *rbuf, size_t *rbuflen)
599 uint32_t *darwin_ace_count = (u_int32_t *)rbuf;
600 #ifdef HAVE_SOLARIS_ACLS
603 #ifdef HAVE_POSIX_ACLS
606 LOG(log_debug9, logtype_afpd, "get_and_map_acl: BEGIN");
608 /* Skip length and flags */
613 #ifdef HAVE_SOLARIS_ACLS
614 if ( (ace_count = get_nfsv4_acl(name, &aces)) == -1) {
615 LOG(log_error, logtype_afpd, "get_and_map_acl: couldnt get ACL");
619 if ( (mapped_aces = map_acl(SOLARIS_2_DARWIN, aces, (darwin_ace_t *)rbuf, ace_count)) == -1) {
623 #endif /* HAVE_SOLARIS_ACLS */
625 #ifdef HAVE_POSIX_ACLS
626 acl_t defacl = NULL , accacl = NULL;
628 /* stat to check if its a dir */
629 if (stat(name, &st) != 0) {
630 LOG(log_error, logtype_afpd, "get_and_map_acl: stat: %s", strerror(errno));
635 /* if its a dir, check for default acl too */
637 if (S_ISDIR(st.st_mode)) {
639 if ((defacl = acl_get_file(name, ACL_TYPE_DEFAULT)) == NULL) {
640 LOG(log_error, logtype_afpd, "get_and_map_acl: couldnt get default ACL"); err = -1; goto cleanup;
642 if (defacl && (mapped_aces = map_acl(POSIX_DEFAULT_2_DARWIN | dirflag,
644 (darwin_ace_t *)rbuf,
646 err = -1; goto cleanup;
650 if ((accacl = acl_get_file(name, ACL_TYPE_ACCESS)) == NULL) {
651 LOG(log_error, logtype_afpd, "get_and_map_acl: couldnt get access ACL"); err = -1; goto cleanup;
654 if (accacl && (mapped_aces += map_acl(POSIX_ACCESS_2_DARWIN | dirflag,
656 (darwin_ace_t *)(rbuf + mapped_aces * sizeof(darwin_ace_t)),
658 err = -1; goto cleanup;
660 #endif /* HAVE_POSIX_ACLS */
662 LOG(log_debug, logtype_afpd, "get_and_map_acl: mapped %d ACEs", mapped_aces);
665 *darwin_ace_count = htonl(mapped_aces);
666 *rbuflen += sizeof(darwin_acl_header_t) + (mapped_aces * sizeof(darwin_ace_t));
669 #ifdef HAVE_SOLARIS_ACLS
672 #ifdef HAVE_POSIX_ACLS
673 if (defacl) acl_free(defacl);
674 if (accacl) acl_free(accacl);
675 #endif /* HAVE_POSIX_ACLS */
677 LOG(log_debug9, logtype_afpd, "get_and_map_acl: END");
681 /* Removes all non-trivial ACLs from object. Returns full AFPERR code. */
682 static int remove_acl(const struct vol *vol,const char *path, int dir)
686 /* Ressource etc. first */
687 if ((ret = vol->vfs->vfs_remove_acl(vol, path, dir)) != AFP_OK)
689 /* now the data fork or dir */
690 return (remove_acl_vfs(path));
695 - the client sends a complete list of ACEs, not only new ones. So we dont need to do
696 any combination business (one exception being 'kFileSec_Inherit': see next)
697 - client might request that we add inherited ACEs via 'kFileSec_Inherit'.
698 We will store inherited ACEs first, which is Darwins canonical order.
699 - returns AFPerror code
701 #ifdef HAVE_SOLARIS_ACLS
702 static int set_acl(const struct vol *vol, char *name, int inherit, char *ibuf)
704 int ret, i, nfsv4_ace_count, tocopy_aces_count = 0, new_aces_count = 0, trivial_ace_count = 0;
705 ace_t *old_aces, *new_aces = NULL;
709 LOG(log_debug9, logtype_afpd, "set_acl: BEGIN");
711 /* Get no of ACEs the client put on the wire */
712 ace_count = htonl(*((uint32_t *)ibuf));
713 ibuf += 8; /* skip ACL flags (see acls.h) */
716 /* inherited + trivial ACEs */
717 flags = ACE_INHERITED_ACE | ACE_OWNER | ACE_GROUP | ACE_EVERYONE;
719 /* only trivial ACEs */
720 flags = ACE_OWNER | ACE_GROUP | ACE_EVERYONE;
722 /* Get existing ACL and count ACEs which have to be copied */
723 if ((nfsv4_ace_count = get_nfsv4_acl(name, &old_aces)) == -1)
725 for ( i=0; i < nfsv4_ace_count; i++) {
726 if (old_aces[i].a_flags & flags)
730 /* Now malloc buffer exactly sized to fit all new ACEs */
731 new_aces = malloc( (ace_count + tocopy_aces_count) * sizeof(ace_t) );
732 if (new_aces == NULL) {
733 LOG(log_error, logtype_afpd, "set_acl: malloc %s", strerror(errno));
738 /* Start building new ACL */
740 /* Copy local inherited ACEs. Therefore we have 'Darwin canonical order' (see chmod there):
741 inherited ACEs first. */
743 for (i=0; i < nfsv4_ace_count; i++) {
744 if (old_aces[i].a_flags & ACE_INHERITED_ACE) {
745 memcpy(&new_aces[new_aces_count], &old_aces[i], sizeof(ace_t));
750 LOG(log_debug7, logtype_afpd, "set_acl: copied %d inherited ACEs", new_aces_count);
752 /* Now the ACEs from the client */
753 ret = map_acl(DARWIN_2_SOLARIS, &new_aces[new_aces_count], (darwin_ace_t *)ibuf, ace_count);
758 new_aces_count += ace_count;
759 LOG(log_debug7, logtype_afpd, "set_acl: mapped %d ACEs from client", ace_count);
761 /* Now copy the trivial ACEs */
762 for (i=0; i < nfsv4_ace_count; i++) {
763 if (old_aces[i].a_flags & (ACE_OWNER | ACE_GROUP | ACE_EVERYONE)) {
764 memcpy(&new_aces[new_aces_count], &old_aces[i], sizeof(ace_t));
769 LOG(log_debug7, logtype_afpd, "set_acl: copied %d trivial ACEs", trivial_ace_count);
771 /* Ressourcefork first.
772 Note: for dirs we set the same ACL on the .AppleDouble/.Parent _file_. This
773 might be strange for ACE_DELETE_CHILD and for inheritance flags. */
774 if ( (ret = vol->vfs->vfs_acl(vol, name, ACE_SETACL, new_aces_count, new_aces)) != 0) {
775 LOG(log_error, logtype_afpd, "set_acl: error setting acl: %s", strerror(errno));
776 if (errno == (EACCES | EPERM))
778 else if (errno == ENOENT)
784 if ( (ret = acl(name, ACE_SETACL, new_aces_count, new_aces)) != 0) {
785 LOG(log_error, logtype_afpd, "set_acl: error setting acl: %s", strerror(errno));
786 if (errno == (EACCES | EPERM))
788 else if (errno == ENOENT)
801 LOG(log_debug9, logtype_afpd, "set_acl: END");
804 #endif /* HAVE_SOLARIS_ACLS */
806 #ifdef HAVE_POSIX_ACLS
807 static int set_acl(const struct vol *vol, char *name, int inherit, char *ibuf)
811 #endif /* HAVE_POSIX_ACLS */
814 Checks if a given UUID has requested_rights(type darwin_ace_rights) for path.
815 Note: this gets called frequently and is a good place for optimizations !
817 #ifdef HAVE_SOLARIS_ACLS
818 static int check_acl_access(const char *path, const uuidp_t uuid, uint32_t requested_darwin_rights)
820 int ret, i, ace_count, dir, checkgroup;
821 char *username; /* might be group too */
825 uint32_t requested_rights = 0, allowed_rights = 0, denied_rights = 0;
829 int check_user_trivace = 0, check_group_trivace = 0;
836 LOG(log_debug9, logtype_afpd, "check_access: BEGIN. Request: %08x", requested_darwin_rights);
838 /* Get uid or gid from UUID */
839 if ( (getnamefromuuid(uuid, &username, &uuidtype)) != 0) {
840 LOG(log_error, logtype_afpd, "check_access: error getting name from UUID");
845 if ((lstat(path, &st)) != 0) {
846 LOG(log_error, logtype_afpd, "check_access: stat: %s", strerror(errno));
850 dir = S_ISDIR(st.st_mode);
852 if (uuidtype == UUID_USER) {
853 pwd = getpwnam(username);
855 LOG(log_error, logtype_afpd, "check_access: getpwnam: %s", strerror(errno));
862 /* If user is file/dir owner we must check the user trivial ACE */
863 if (uid == st.st_uid) {
864 LOG(log_debug, logtype_afpd, "check_access: user: %s is files owner. Must check trivial user ACE", username);
865 check_user_trivace = 1;
868 /* Now check if requested user is files owning group. If yes we must check the group trivial ACE */
869 if ( (check_group(username, uid, pgid, st.st_gid)) == 0) {
870 LOG(log_debug, logtype_afpd, "check_access: user: %s is in group: %d. Must check trivial group ACE", username, st.st_gid);
871 check_group_trivace = 1;
873 } else { /* hopefully UUID_GROUP*/
874 LOG(log_error, logtype_afpd, "check_access: afp_access for UUID of groups not supported!");
876 grp = getgrnam(username);
878 LOG(log_error, logtype_afpd, "check_access: getgrnam: %s", strerror(errno));
881 if (st.st_gid == grp->gr_gid )
882 check_group_trivace = 1;
886 /* Map requested rights to Solaris style. */
887 for (i=0; darwin_to_nfsv4_rights[i].from != 0; i++) {
888 if (requested_darwin_rights & darwin_to_nfsv4_rights[i].from)
889 requested_rights |= darwin_to_nfsv4_rights[i].to;
892 /* Get ACL from file/dir */
893 if ( (ace_count = get_nfsv4_acl(path, &aces)) == -1) {
894 LOG(log_error, logtype_afpd, "check_access: error getting ACEs");
898 /* Now check requested rights */
901 do { /* Loop through ACEs */
903 flags = aces[i].a_flags;
904 type = aces[i].a_type;
905 rights = aces[i].a_access_mask;
907 if (flags & ACE_INHERIT_ONLY_ACE)
910 /* Check if its a group ACE and set checkgroup to 1 if yes */
912 if ( (flags & ACE_IDENTIFIER_GROUP) && !(flags & ACE_GROUP) ) {
913 if ( (check_group(username, uid, pgid, who)) == 0)
919 /* Now the tricky part: decide if ACE effects our user. I'll explain:
920 if its a dedicated (non trivial) ACE for the user
922 if its a ACE for a group we're member of
924 if its a trivial ACE_OWNER ACE and requested UUID is the owner
926 if its a trivial ACE_GROUP ACE and requested UUID is group
928 if its a trivial ACE_EVERYONE ACE
932 ( (who == uid) && !(flags & (ACE_TRIVIAL|ACE_IDENTIFIER_GROUP)) ) ||
934 ( (flags & ACE_OWNER) && check_user_trivace ) ||
935 ( (flags & ACE_GROUP) && check_group_trivace ) ||
936 ( flags & ACE_EVERYONE )
938 /* Found an applicable ACE */
939 if (type == ACE_ACCESS_ALLOWED_ACE_TYPE)
940 allowed_rights |= rights;
941 else if (type == ACE_ACCESS_DENIED_ACE_TYPE)
942 /* Only or to denied rights if not previously allowed !! */
943 denied_rights |= ((!allowed_rights) & rights);
945 } while (++i < ace_count);
948 /* Darwin likes to ask for "delete_child" on dir,
949 "write_data" is actually the same, so we add that for dirs */
950 if (dir && (allowed_rights & ACE_WRITE_DATA))
951 allowed_rights |= ACE_DELETE_CHILD;
953 if (requested_rights & denied_rights) {
954 LOG(log_debug, logtype_afpd, "check_access: some requested right was denied:");
956 } else if ((requested_rights & allowed_rights) != requested_rights) {
957 LOG(log_debug, logtype_afpd, "check_access: some requested right wasn't allowed:");
960 LOG(log_debug, logtype_afpd, "check_access: all requested rights are allowed:");
964 LOG(log_debug, logtype_afpd, "check_access: Requested rights: %08x, allowed_rights: %08x, denied_rights: %08x, Result: %d",
965 requested_rights, allowed_rights, denied_rights, ret);
971 LOG(log_debug9, logtype_afpd, "check_access: END");
975 #endif /* HAVE_SOLARIS_ACLS */
977 #ifdef HAVE_POSIX_ACLS
978 static int check_acl_access(const char *path, const uuidp_t uuid, uint32_t requested_darwin_rights)
981 * FIXME: for OS X >= 10.6 it seems fp_access isn't called anymore, instead
982 * the client just tries to perform any action, relying on the server
983 * to enforce permission (which the OS does for us), returning appropiate
984 * error codes in case the action failed.
985 * So to summarize: I think it's safe to not implement this function and
986 * just always return AFP_OK.
990 #endif /* HAVE_POSIX_ACLS */
992 /********************************************************
994 ********************************************************/
996 int afp_access(AFPObj *obj, char *ibuf, size_t ibuflen _U_, char *rbuf _U_, size_t *rbuflen)
1001 uint32_t did, darwin_ace_rights;
1003 struct path *s_path;
1006 LOG(log_debug9, logtype_afpd, "afp_access: BEGIN");
1011 memcpy(&vid, ibuf, sizeof( vid ));
1012 ibuf += sizeof(vid);
1013 if (NULL == ( vol = getvolbyvid( vid ))) {
1014 LOG(log_error, logtype_afpd, "afp_access: error getting volid:%d", vid);
1015 return AFPERR_NOOBJ;
1018 memcpy(&did, ibuf, sizeof( did ));
1019 ibuf += sizeof( did );
1020 if (NULL == ( dir = dirlookup( vol, did ))) {
1021 LOG(log_error, logtype_afpd, "afp_access: error getting did:%d", did);
1028 /* Store UUID address */
1029 uuid = (uuidp_t)ibuf;
1030 ibuf += UUID_BINSIZE;
1032 /* Store ACE rights */
1033 memcpy(&darwin_ace_rights, ibuf, 4);
1034 darwin_ace_rights = ntohl(darwin_ace_rights);
1037 /* get full path and handle file/dir subtleties in netatalk code*/
1038 if (NULL == ( s_path = cname( vol, dir, &ibuf ))) {
1039 LOG(log_error, logtype_afpd, "afp_getacl: cname got an error!");
1040 return AFPERR_NOOBJ;
1042 if (!s_path->st_valid)
1043 of_statdir(vol, s_path);
1044 if ( s_path->st_errno != 0 ) {
1045 LOG(log_error, logtype_afpd, "afp_getacl: cant stat");
1046 return AFPERR_NOOBJ;
1049 ret = check_acl_access(s_path->u_name, uuid, darwin_ace_rights);
1051 LOG(log_debug9, logtype_afpd, "afp_access: END");
1055 int afp_getacl(AFPObj *obj, char *ibuf, size_t ibuflen _U_, char *rbuf _U_, size_t *rbuflen)
1061 uint16_t vid, bitmap;
1062 struct path *s_path;
1066 LOG(log_debug9, logtype_afpd, "afp_getacl: BEGIN");
1070 memcpy(&vid, ibuf, sizeof( vid ));
1071 ibuf += sizeof(vid);
1072 if (NULL == ( vol = getvolbyvid( vid ))) {
1073 LOG(log_error, logtype_afpd, "afp_getacl: error getting volid:%d", vid);
1074 return AFPERR_NOOBJ;
1077 memcpy(&did, ibuf, sizeof( did ));
1078 ibuf += sizeof( did );
1079 if (NULL == ( dir = dirlookup( vol, did ))) {
1080 LOG(log_error, logtype_afpd, "afp_getacl: error getting did:%d", did);
1084 memcpy(&bitmap, ibuf, sizeof( bitmap ));
1085 memcpy(rbuf, ibuf, sizeof( bitmap ));
1086 bitmap = ntohs( bitmap );
1087 ibuf += sizeof( bitmap );
1088 rbuf += sizeof( bitmap );
1089 *rbuflen += sizeof( bitmap );
1091 /* skip maxreplysize */
1094 /* get full path and handle file/dir subtleties in netatalk code*/
1095 if (NULL == ( s_path = cname( vol, dir, &ibuf ))) {
1096 LOG(log_error, logtype_afpd, "afp_getacl: cname got an error!");
1097 return AFPERR_NOOBJ;
1099 if (!s_path->st_valid)
1100 of_statdir(vol, s_path);
1101 if ( s_path->st_errno != 0 ) {
1102 LOG(log_error, logtype_afpd, "afp_getacl: cant stat");
1103 return AFPERR_NOOBJ;
1106 /* Shall we return owner UUID ? */
1107 if (bitmap & kFileSec_UUID) {
1108 LOG(log_debug, logtype_afpd, "afp_getacl: client requested files owner user UUID");
1109 if (NULL == (pw = getpwuid(s_path->st.st_uid)))
1111 LOG(log_debug, logtype_afpd, "afp_getacl: got uid: %d, name: %s", s_path->st.st_uid, pw->pw_name);
1112 if ((ret = getuuidfromname(pw->pw_name, UUID_USER, rbuf)) != 0)
1114 rbuf += UUID_BINSIZE;
1115 *rbuflen += UUID_BINSIZE;
1118 /* Shall we return group UUID ? */
1119 if (bitmap & kFileSec_GRPUUID) {
1120 LOG(log_debug, logtype_afpd, "afp_getacl: client requested files owner group UUID");
1121 if (NULL == (gr = getgrgid(s_path->st.st_gid)))
1123 LOG(log_debug, logtype_afpd, "afp_getacl: got gid: %d, name: %s", s_path->st.st_gid, gr->gr_name);
1124 if ((ret = getuuidfromname(gr->gr_name, UUID_GROUP, rbuf)) != 0)
1126 rbuf += UUID_BINSIZE;
1127 *rbuflen += UUID_BINSIZE;
1130 /* Shall we return ACL ? */
1131 if (bitmap & kFileSec_ACL) {
1132 LOG(log_debug, logtype_afpd, "afp_getacl: client requested files ACL");
1133 get_and_map_acl(s_path->u_name, rbuf, rbuflen);
1136 LOG(log_debug9, logtype_afpd, "afp_getacl: END");
1140 int afp_setacl(AFPObj *obj, char *ibuf, size_t ibuflen _U_, char *rbuf _U_, size_t *rbuflen)
1146 uint16_t vid, bitmap;
1147 struct path *s_path;
1149 LOG(log_debug9, logtype_afpd, "afp_setacl: BEGIN");
1153 memcpy(&vid, ibuf, sizeof( vid ));
1154 ibuf += sizeof(vid);
1155 if (NULL == ( vol = getvolbyvid( vid ))) {
1156 LOG(log_error, logtype_afpd, "afp_setacl: error getting volid:%d", vid);
1157 return AFPERR_NOOBJ;
1160 memcpy(&did, ibuf, sizeof( did ));
1161 ibuf += sizeof( did );
1162 if (NULL == ( dir = dirlookup( vol, did ))) {
1163 LOG(log_error, logtype_afpd, "afp_setacl: error getting did:%d", did);
1167 memcpy(&bitmap, ibuf, sizeof( bitmap ));
1168 bitmap = ntohs( bitmap );
1169 ibuf += sizeof( bitmap );
1171 /* get full path and handle file/dir subtleties in netatalk code*/
1172 if (NULL == ( s_path = cname( vol, dir, &ibuf ))) {
1173 LOG(log_error, logtype_afpd, "afp_setacl: cname got an error!");
1174 return AFPERR_NOOBJ;
1176 if (!s_path->st_valid)
1177 of_statdir(vol, s_path);
1178 if ( s_path->st_errno != 0 ) {
1179 LOG(log_error, logtype_afpd, "afp_setacl: cant stat");
1180 return AFPERR_NOOBJ;
1182 LOG(log_debug, logtype_afpd, "afp_setacl: unixname: %s", s_path->u_name);
1185 if ((unsigned long)ibuf & 1)
1188 /* Start processing request */
1190 /* Change owner: dont even try */
1191 if (bitmap & kFileSec_UUID) {
1192 LOG(log_debug, logtype_afpd, "afp_setacl: change owner request. discarded.");
1193 ret = AFPERR_ACCESS;
1194 ibuf += UUID_BINSIZE;
1197 /* Change group: certain changes might be allowed, so try it. FIXME: not implemented yet. */
1198 if (bitmap & kFileSec_UUID) {
1199 LOG(log_debug, logtype_afpd, "afp_setacl: change group request. not supported this time.");
1201 ibuf += UUID_BINSIZE;
1205 if (bitmap & kFileSec_REMOVEACL) {
1206 LOG(log_debug, logtype_afpd, "afp_setacl: Remove ACL request.");
1207 if ((ret = remove_acl(vol, s_path->u_name, S_ISDIR(s_path->st.st_mode))) != AFP_OK)
1208 LOG(log_error, logtype_afpd, "afp_setacl: error from remove_acl");
1212 if (bitmap & kFileSec_ACL) {
1213 LOG(log_debug, logtype_afpd, "afp_setacl: Change ACL request.");
1215 /* Check if its our job to preserve inherited ACEs */
1216 if (bitmap & kFileSec_Inherit)
1217 ret = set_acl(vol, s_path->u_name, 1, ibuf);
1219 ret = set_acl(vol, s_path->u_name, 0, ibuf);
1226 LOG(log_debug9, logtype_afpd, "afp_setacl: END");
1231 unix.c/accessmode calls this: map ACL to OS 9 mode
1233 void acltoownermode(char *path, struct stat *st, uid_t uid, struct maccess *ma)
1237 int r_ok, w_ok, x_ok;
1239 if ( ! (AFPobj->options.flags & OPTION_UUID) || ! (AFPobj->options.flags & OPTION_ACL2OS9MODE))
1242 LOG(log_maxdebug, logtype_afpd, "acltoownermode('%s')", path);
1244 if ((pw = getpwuid(uid)) == NULL) {
1245 LOG(log_error, logtype_afpd, "acltoownermode: %s", strerror(errno));
1249 /* We need the UUID for check_acl_access */
1250 if ((getuuidfromname(pw->pw_name, UUID_USER, uuid)) != 0)
1253 /* These work for files and dirs */
1254 r_ok = check_acl_access(path, uuid, DARWIN_ACE_READ_DATA);
1255 w_ok = check_acl_access(path, uuid, (DARWIN_ACE_WRITE_DATA|DARWIN_ACE_APPEND_DATA));
1256 x_ok = check_acl_access(path, uuid, DARWIN_ACE_EXECUTE);
1258 LOG(log_debug7, logtype_afpd, "acltoownermode: ma_user before: %04o",ma->ma_user);
1260 ma->ma_user |= AR_UREAD;
1262 ma->ma_user |= AR_UWRITE;
1264 ma->ma_user |= AR_USEARCH;
1265 LOG(log_debug7, logtype_afpd, "acltoownermode: ma_user after: %04o", ma->ma_user);
1271 We're being called at the end of afp_createdir. We're (hopefully) inside dir
1272 and ".AppleDouble" and ".AppleDouble/.Parent" should have already been created.
1273 We then inherit any explicit ACE from "." to ".AppleDouble" and ".AppleDouble/.Parent".
1274 FIXME: add to VFS layer ?
1276 #ifdef HAVE_SOLARIS_ACLS
1277 void addir_inherit_acl(const struct vol *vol)
1279 ace_t *diraces = NULL, *adaces = NULL, *combinedaces = NULL;
1280 int diracecount, adacecount;
1282 LOG(log_debug9, logtype_afpd, "addir_inherit_acl: BEGIN");
1284 /* Check if ACLs are enabled for the volume */
1285 if (vol->v_flags & AFPVOL_ACLS) {
1287 if ((diracecount = get_nfsv4_acl(".", &diraces)) <= 0)
1289 /* Remove any trivial ACE from "." */
1290 if ((diracecount = strip_trivial_aces(&diraces, diracecount)) <= 0)
1294 Inherit to ".AppleDouble"
1297 if ((adacecount = get_nfsv4_acl(".AppleDouble", &adaces)) <= 0)
1299 /* Remove any non-trivial ACE from ".AppleDouble" */
1300 if ((adacecount = strip_nontrivial_aces(&adaces, adacecount)) <= 0)
1304 if ((combinedaces = concat_aces(diraces, diracecount, adaces, adacecount)) == NULL)
1307 /* Now set new acl */
1308 if ((acl(".AppleDouble", ACE_SETACL, diracecount + adacecount, combinedaces)) != 0)
1309 LOG(log_error, logtype_afpd, "addir_inherit_acl: acl: %s", strerror(errno));
1314 combinedaces = NULL;
1317 Inherit to ".AppleDouble/.Parent"
1320 if ((adacecount = get_nfsv4_acl(".AppleDouble/.Parent", &adaces)) <= 0)
1322 if ((adacecount = strip_nontrivial_aces(&adaces, adacecount)) <= 0)
1326 if ((combinedaces = concat_aces(diraces, diracecount, adaces, adacecount)) == NULL)
1329 /* Now set new acl */
1330 if ((acl(".AppleDouble/.Parent", ACE_SETACL, diracecount + adacecount, combinedaces)) != 0)
1331 LOG(log_error, logtype_afpd, "addir_inherit_acl: acl: %s", strerror(errno));
1337 LOG(log_debug9, logtype_afpd, "addir_inherit_acl: END");
1343 #endif /* HAVE_SOLARIS_ACLS */
1345 #ifdef HAVE_POSIX_ACLS
1346 void addir_inherit_acl(const struct vol *vol)
1350 #endif /* HAVE_POSIX_ACLS */
projects / netatalk.git / blob