2 Copyright (c) 2008, 2009, 2010 Frank Lahm <franklahm@gmail.com>
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 2 of the License, or
7 (at your option) any later version.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
17 #endif /* HAVE_CONFIG_H */
26 #ifdef HAVE_SOLARIS_ACLS
29 #ifdef HAVE_POSIX_ACLS
31 #include <acl/libacl.h>
34 #include <atalk/adouble.h>
35 #include <atalk/vfs.h>
36 #include <atalk/afp.h>
37 #include <atalk/util.h>
38 #include <atalk/cnid.h>
39 #include <atalk/logger.h>
40 #include <atalk/uuid.h>
41 #include <atalk/acl.h>
43 #include "directory.h"
49 #include "acl_mappings.h"
52 #define SOLARIS_2_DARWIN 1
53 #define DARWIN_2_SOLARIS 2
54 #define POSIX_DEFAULT_2_DARWIN 3
55 #define POSIX_ACCESS_2_DARWIN 4
56 #define DARWIN_2_POSIX 5
61 /********************************************************
62 * Basic and helper funcs
63 ********************************************************/
66 Takes a users name, uid and primary gid and checks if user is member of any group
67 Returns -1 if no or error, 0 if yes
69 static int check_group(char *name, uid_t uid _U_, gid_t pgid, gid_t path_gid)
77 grp = getgrgid(path_gid);
82 while (grp->gr_mem[i] != NULL) {
83 if ( (strcmp(grp->gr_mem[i], name)) == 0 ) {
84 LOG(log_debug, logtype_afpd, "check_group: requested user:%s is member of: %s", name, grp->gr_name);
93 /********************************************************
95 ********************************************************/
97 #ifdef HAVE_SOLARIS_ACLS
99 Remove any trivial ACE "in-place". Returns no of non-trivial ACEs
101 static int strip_trivial_aces(ace_t **saces, int sacecount)
105 ace_t *aces = *saces;
108 /* Count non-trivial ACEs */
109 for (i=0; i < sacecount; ) {
110 if ( ! (aces[i].a_flags & (ACE_OWNER | ACE_GROUP | ACE_EVERYONE)))
114 /* malloc buffer for new ACL */
115 if ((new_aces = malloc(nontrivaces * sizeof(ace_t))) == NULL) {
116 LOG(log_error, logtype_afpd, "strip_trivial_aces: malloc %s", strerror(errno));
120 /* Copy non-trivial ACEs */
121 for (i=0, j=0; i < sacecount; ) {
122 if ( ! (aces[i].a_flags & (ACE_OWNER | ACE_GROUP | ACE_EVERYONE))) {
123 memcpy(&new_aces[j], &aces[i], sizeof(ace_t));
132 LOG(log_debug7, logtype_afpd, "strip_trivial_aces: non-trivial ACEs: %d", nontrivaces);
138 Remove non-trivial ACEs "in-place". Returns no of trivial ACEs.
140 static int strip_nontrivial_aces(ace_t **saces, int sacecount)
144 ace_t *aces = *saces;
147 /* Count trivial ACEs */
148 for (i=0; i < sacecount; ) {
149 if ((aces[i].a_flags & (ACE_OWNER | ACE_GROUP | ACE_EVERYONE)))
153 /* malloc buffer for new ACL */
154 if ((new_aces = malloc(trivaces * sizeof(ace_t))) == NULL) {
155 LOG(log_error, logtype_afpd, "strip_nontrivial_aces: malloc %s", strerror(errno));
159 /* Copy trivial ACEs */
160 for (i=0, j=0; i < sacecount; ) {
161 if ((aces[i].a_flags & (ACE_OWNER | ACE_GROUP | ACE_EVERYONE))) {
162 memcpy(&new_aces[j], &aces[i], sizeof(ace_t));
171 LOG(log_debug7, logtype_afpd, "strip_nontrivial_aces: trivial ACEs: %d", trivaces);
179 static ace_t *concat_aces(ace_t *aces1, int ace1count, ace_t *aces2, int ace2count)
184 /* malloc buffer for new ACL */
185 if ((new_aces = malloc((ace1count + ace2count) * sizeof(ace_t))) == NULL) {
186 LOG(log_error, logtype_afpd, "combine_aces: malloc %s", strerror(errno));
190 /* Copy ACEs from buf1 */
191 for (i=0; i < ace1count; ) {
192 memcpy(&new_aces[i], &aces1[i], sizeof(ace_t));
198 /* Copy ACEs from buf2 */
199 for (i=0; i < ace2count; ) {
200 memcpy(&new_aces[j], &aces2[i], sizeof(ace_t));
209 Maps ACE array from Solaris to Darwin. Darwin ACEs are stored in network byte order.
210 Return numer of mapped ACEs or -1 on error.
211 All errors while mapping (e.g. getting UUIDs from LDAP) are fatal.
213 static int map_aces_solaris_to_darwin(ace_t *aces, darwin_ace_t *darwin_aces, int ace_count)
218 struct passwd *pwd = NULL;
219 struct group *grp = NULL;
221 LOG(log_debug7, logtype_afpd, "map_aces_solaris_to_darwin: parsing %d ACES", ace_count);
224 LOG(log_debug7, logtype_afpd, "map_aces_solaris_to_darwin: parsing ACE No. %d", ace_count + 1);
225 /* if its a ACE resulting from nfsv4 mode mapping, discard it */
226 if (aces->a_flags & (ACE_OWNER | ACE_GROUP | ACE_EVERYONE)) {
227 LOG(log_debug, logtype_afpd, "map_aces_solaris_to_darwin: trivial ACE");
232 if ( ! (aces->a_flags & ACE_IDENTIFIER_GROUP) ) {
234 LOG(log_debug, logtype_afpd, "map_aces_solaris_to_darwin: found user ACE with uid: %d", aces->a_who);
235 pwd = getpwuid(aces->a_who);
237 LOG(log_error, logtype_afpd, "map_aces_solaris_to_darwin: getpwuid error: %s", strerror(errno));
240 LOG(log_debug, logtype_afpd, "map_aces_solaris_to_darwin: uid: %d -> name: %s", aces->a_who, pwd->pw_name);
241 if ( (getuuidfromname(pwd->pw_name, UUID_USER, darwin_aces->darwin_ace_uuid)) != 0) {
242 LOG(log_error, logtype_afpd, "map_aces_solaris_to_darwin: getuuidfromname error");
246 /* its a group ace */
247 LOG(log_debug, logtype_afpd, "map_aces_solaris_to_darwin: found group ACE with gid: %d", aces->a_who);
248 grp = getgrgid(aces->a_who);
250 LOG(log_error, logtype_afpd, "map_aces_solaris_to_darwin: getgrgid error: %s", strerror(errno));
253 LOG(log_debug, logtype_afpd, "map_aces_solaris_to_darwin: gid: %d -> name: %s", aces->a_who, grp->gr_name);
254 if ( (getuuidfromname(grp->gr_name, UUID_GROUP, darwin_aces->darwin_ace_uuid)) != 0) {
255 LOG(log_error, logtype_afpd, "map_aces_solaris_to_darwin: getuuidfromname error");
261 if (aces->a_type == ACE_ACCESS_ALLOWED_ACE_TYPE)
262 flags = DARWIN_ACE_FLAGS_PERMIT;
263 else if (aces->a_type == ACE_ACCESS_DENIED_ACE_TYPE)
264 flags = DARWIN_ACE_FLAGS_DENY;
265 else { /* unsupported type */
269 for(i=0; nfsv4_to_darwin_flags[i].from != 0; i++) {
270 if (aces->a_flags & nfsv4_to_darwin_flags[i].from)
271 flags |= nfsv4_to_darwin_flags[i].to;
273 darwin_aces->darwin_ace_flags = htonl(flags);
277 for (i=0; nfsv4_to_darwin_rights[i].from != 0; i++) {
278 if (aces->a_access_mask & nfsv4_to_darwin_rights[i].from)
279 rights |= nfsv4_to_darwin_rights[i].to;
281 darwin_aces->darwin_ace_rights = htonl(rights);
292 Maps ACE array from Darwin to Solaris. Darwin ACEs are expected in network byte order.
293 Return numer of mapped ACEs or -1 on error.
294 All errors while mapping (e.g. getting UUIDs from LDAP) are fatal.
296 int map_aces_darwin_to_solaris(darwin_ace_t *darwin_aces, ace_t *nfsv4_aces, int ace_count)
298 int i, mapped_aces = 0;
299 uint32_t darwin_ace_flags;
300 uint32_t darwin_ace_rights;
301 uint16_t nfsv4_ace_flags;
302 uint32_t nfsv4_ace_rights;
310 nfsv4_ace_rights = 0;
313 if ( (getnamefromuuid(darwin_aces->darwin_ace_uuid, &name, &uuidtype)) != 0)
315 if (uuidtype == UUID_USER) {
316 pwd = getpwnam(name);
318 LOG(log_error, logtype_afpd, "map_aces_darwin_to_solaris: getpwnam: %s", strerror(errno));
322 nfsv4_aces->a_who = pwd->pw_uid;
323 } else { /* hopefully UUID_GROUP*/
324 grp = getgrnam(name);
326 LOG(log_error, logtype_afpd, "map_aces_darwin_to_solaris: getgrnam: %s", strerror(errno));
330 nfsv4_aces->a_who = (uid_t)(grp->gr_gid);
331 nfsv4_ace_flags |= ACE_IDENTIFIER_GROUP;
336 /* now type: allow/deny */
337 darwin_ace_flags = ntohl(darwin_aces->darwin_ace_flags);
338 if (darwin_ace_flags & DARWIN_ACE_FLAGS_PERMIT)
339 nfsv4_aces->a_type = ACE_ACCESS_ALLOWED_ACE_TYPE;
340 else if (darwin_ace_flags & DARWIN_ACE_FLAGS_DENY)
341 nfsv4_aces->a_type = ACE_ACCESS_DENIED_ACE_TYPE;
342 else { /* unsupported type */
347 for(i=0; darwin_to_nfsv4_flags[i].from != 0; i++) {
348 if (darwin_ace_flags & darwin_to_nfsv4_flags[i].from)
349 nfsv4_ace_flags |= darwin_to_nfsv4_flags[i].to;
353 darwin_ace_rights = ntohl(darwin_aces->darwin_ace_rights);
354 for (i=0; darwin_to_nfsv4_rights[i].from != 0; i++) {
355 if (darwin_ace_rights & darwin_to_nfsv4_rights[i].from)
356 nfsv4_ace_rights |= darwin_to_nfsv4_rights[i].to;
359 LOG(log_debug9, logtype_afpd, "map_aces_darwin_to_solaris: ACE flags: Darwin:%08x -> NFSv4:%04x", darwin_ace_flags, nfsv4_ace_flags);
360 LOG(log_debug9, logtype_afpd, "map_aces_darwin_to_solaris: ACE rights: Darwin:%08x -> NFSv4:%08x", darwin_ace_rights, nfsv4_ace_rights);
362 nfsv4_aces->a_flags = nfsv4_ace_flags;
363 nfsv4_aces->a_access_mask = nfsv4_ace_rights;
372 #endif /* HAVE_SOLARIS_ACLS */
375 * Map ACEs from POSIX to Darwin.
376 * type is either POSIX_DEFAULT_2_DARWIN or POSIX_ACCESS_2_DARWIN, cf. acl_get_file.
377 * Return number of mapped ACES, -1 on error.
379 #ifdef HAVE_POSIX_ACLS
380 static int map_acl_posix_to_darwin(int type, const acl_t acl, darwin_ace_t *darwin_aces)
384 int entry_id = ACL_FIRST_ENTRY;
387 acl_permset_t permset, mask;
390 struct passwd *pwd = NULL;
391 struct group *grp = NULL;
394 darwin_ace_t *saved_darwin_aces = darwin_aces;
396 LOG(log_maxdebug, logtype_afpd, "map_aces_posix_to_darwin(%s)",
397 (type & MAP_MASK) == POSIX_DEFAULT_2_DARWIN ?
398 "POSIX_DEFAULT_2_DARWIN" : "POSIX_ACCESS_2_DARWIN");
400 /* itereate through all ACEs */
401 while (acl_get_entry(acl, entry_id, &e) == 1) {
402 entry_id = ACL_NEXT_ENTRY;
405 if (acl_get_tag_type(e, &tag) != 0) {
406 LOG(log_error, logtype_afpd, "map_aces_posix_to_darwin: acl_get_tag_type: %s", strerror(errno));
411 /* we return user and group ACE */
414 if ((uid = (uid_t *)acl_get_qualifier(e)) == NULL) {
415 LOG(log_error, logtype_afpd, "map_aces_posix_to_darwin: acl_get_qualifier: %s",
420 if ((pwd = getpwuid(*uid)) == NULL) {
421 LOG(log_error, logtype_afpd, "map_aces_posix_to_darwin: getpwuid error: %s",
426 LOG(log_debug, logtype_afpd, "map_aces_posix_to_darwin: uid: %d -> name: %s",
428 if (getuuidfromname(pwd->pw_name, UUID_USER, darwin_aces->darwin_ace_uuid) != 0) {
429 LOG(log_error, logtype_afpd, "map_aces_posix_to_darwin: getuuidfromname error");
438 if ((gid = (gid_t *)acl_get_qualifier(e)) == NULL) {
439 LOG(log_error, logtype_afpd, "map_aces_posix_to_darwin: acl_get_qualifier: %s",
444 if ((grp = getgrgid(*gid)) == NULL) {
445 LOG(log_error, logtype_afpd, "map_aces_posix_to_darwin: getgrgid error: %s",
450 LOG(log_debug, logtype_afpd, "map_aces_posix_to_darwin: gid: %d -> name: %s",
452 if (getuuidfromname(grp->gr_name, UUID_GROUP, darwin_aces->darwin_ace_uuid) != 0) {
453 LOG(log_error, logtype_afpd, "map_aces_solaris_to_darwin: getuuidfromname error");
461 /* store mask so we can apply it later in a second loop */
463 if (acl_get_permset(e, &mask) != 0) {
464 LOG(log_error, logtype_afpd, "map_aces_solaris_to_darwin: acl_get_permset: %s", strerror(errno));
475 flags = DARWIN_ACE_FLAGS_PERMIT;
476 if ((type & MAP_MASK) == POSIX_DEFAULT_2_DARWIN)
477 flags |= DARWIN_ACE_FLAGS_FILE_INHERIT
478 | DARWIN_ACE_FLAGS_DIRECTORY_INHERIT
479 | DARWIN_ACE_FLAGS_ONLY_INHERIT;
480 darwin_aces->darwin_ace_flags = htonl(flags);
483 if (acl_get_permset(e, &permset) != 0) {
484 LOG(log_error, logtype_afpd, "map_aces_solaris_to_darwin: acl_get_permset: %s", strerror(errno));
489 if (acl_get_perm(permset, ACL_READ))
490 rights = DARWIN_ACE_READ_DATA
491 | DARWIN_ACE_READ_EXTATTRIBUTES
492 | DARWIN_ACE_READ_ATTRIBUTES
493 | DARWIN_ACE_READ_SECURITY;
494 if (acl_get_perm(permset, ACL_WRITE)) {
495 rights |= DARWIN_ACE_WRITE_DATA
496 | DARWIN_ACE_APPEND_DATA
497 | DARWIN_ACE_WRITE_EXTATTRIBUTES
498 | DARWIN_ACE_WRITE_ATTRIBUTES;
499 if ((type & ~MAP_MASK) == IS_DIR)
500 rights |= DARWIN_ACE_DELETE;
502 if (acl_get_perm(permset, ACL_EXECUTE))
503 rights |= DARWIN_ACE_EXECUTE;
505 darwin_aces->darwin_ace_rights = htonl(rights);
512 /* Loop through the mapped ACE buffer once again, applying the mask */
513 /* Map the mask to Darwin ACE rights first */
515 if (acl_get_perm(mask, ACL_READ))
516 rights = DARWIN_ACE_READ_DATA
517 | DARWIN_ACE_READ_EXTATTRIBUTES
518 | DARWIN_ACE_READ_ATTRIBUTES
519 | DARWIN_ACE_READ_SECURITY;
520 if (acl_get_perm(mask, ACL_WRITE)) {
521 rights |= DARWIN_ACE_WRITE_DATA
522 | DARWIN_ACE_APPEND_DATA
523 | DARWIN_ACE_WRITE_EXTATTRIBUTES
524 | DARWIN_ACE_WRITE_ATTRIBUTES;
525 if ((type & ~MAP_MASK) == IS_DIR)
526 rights |= DARWIN_ACE_DELETE;
528 if (acl_get_perm(mask, ACL_EXECUTE))
529 rights |= DARWIN_ACE_EXECUTE;
530 for (int i = mapped_aces; i > 0; i--) {
531 saved_darwin_aces->darwin_ace_rights &= htonl(rights);
537 if (uid) acl_free(uid);
538 if (gid) acl_free(gid);
545 * Multiplex ACL mapping (SOLARIS_2_DARWIN, DARWIN_2_SOLARIS, POSIX_2_DARWIN, DARWIN_2_POSIX).
546 * Reads from 'aces' buffer, writes to 'rbuf' buffer.
547 * Caller must provide buffer.
548 * Darwin ACEs are read and written in network byte order.
549 * Needs to know how many ACEs are in the ACL (ace_count) for Solaris ACLs.
550 * Ignores trivial ACEs.
551 * Return no of mapped ACEs or -1 on error.
553 static int map_acl(int type, const void *acl, darwin_ace_t *buf, int ace_count)
557 LOG(log_debug9, logtype_afpd, "map_acl: BEGIN");
559 switch (type & MAP_MASK) {
561 #ifdef HAVE_SOLARIS_ACLS
562 case SOLARIS_2_DARWIN:
563 mapped_aces = map_aces_solaris_to_darwin( acl, buf, ace_count);
566 case DARWIN_2_SOLARIS:
567 mapped_aces = map_aces_darwin_to_solaris( buf, acl, ace_count);
569 #endif /* HAVE_SOLARIS_ACLS */
571 #ifdef HAVE_POSIX_ACLS
572 case POSIX_DEFAULT_2_DARWIN:
573 mapped_aces = map_acl_posix_to_darwin(type, (const acl_t)acl, buf);
576 case POSIX_ACCESS_2_DARWIN:
577 mapped_aces = map_acl_posix_to_darwin(type, (const acl_t)acl, buf);
582 #endif /* HAVE_POSIX_ACLS */
589 LOG(log_debug9, logtype_afpd, "map_acl: END");
593 /* Get ACL from object omitting trivial ACEs. Map to Darwin ACL style and
594 store Darwin ACL at rbuf. Add length of ACL written to rbuf to *rbuflen.
595 Returns 0 on success, -1 on error. */
596 static int get_and_map_acl(char *name, char *rbuf, size_t *rbuflen)
601 uint32_t *darwin_ace_count = (u_int32_t *)rbuf;
602 #ifdef HAVE_SOLARIS_ACLS
605 #ifdef HAVE_POSIX_ACLS
608 LOG(log_debug9, logtype_afpd, "get_and_map_acl: BEGIN");
610 /* Skip length and flags */
615 #ifdef HAVE_SOLARIS_ACLS
616 if ( (ace_count = get_nfsv4_acl(name, &aces)) == -1) {
617 LOG(log_error, logtype_afpd, "get_and_map_acl: couldnt get ACL");
621 if ( (mapped_aces = map_acl(SOLARIS_2_DARWIN, aces, (darwin_ace_t *)rbuf, ace_count)) == -1) {
625 #endif /* HAVE_SOLARIS_ACLS */
627 #ifdef HAVE_POSIX_ACLS
628 acl_t defacl = NULL , accacl = NULL;
630 /* stat to check if its a dir */
631 if (stat(name, &st) != 0) {
632 LOG(log_error, logtype_afpd, "get_and_map_acl: stat: %s", strerror(errno));
637 /* if its a dir, check for default acl too */
639 if (S_ISDIR(st.st_mode)) {
641 if ((defacl = acl_get_file(name, ACL_TYPE_DEFAULT)) == NULL) {
642 LOG(log_error, logtype_afpd, "get_and_map_acl: couldnt get default ACL"); err = -1; goto cleanup;
644 if (defacl && (mapped_aces = map_acl(POSIX_DEFAULT_2_DARWIN | dirflag,
646 (darwin_ace_t *)rbuf,
648 err = -1; goto cleanup;
652 if ((accacl = acl_get_file(name, ACL_TYPE_ACCESS)) == NULL) {
653 LOG(log_error, logtype_afpd, "get_and_map_acl: couldnt get access ACL"); err = -1; goto cleanup;
656 if (accacl && (mapped_aces += map_acl(POSIX_ACCESS_2_DARWIN | dirflag,
658 (darwin_ace_t *)(rbuf + mapped_aces * sizeof(darwin_ace_t)),
660 err = -1; goto cleanup;
662 #endif /* HAVE_POSIX_ACLS */
664 LOG(log_debug, logtype_afpd, "get_and_map_acl: mapped %d ACEs", mapped_aces);
667 *darwin_ace_count = htonl(mapped_aces);
668 *rbuflen += sizeof(darwin_acl_header_t) + (mapped_aces * sizeof(darwin_ace_t));
671 #ifdef HAVE_SOLARIS_ACLS
674 #ifdef HAVE_POSIX_ACLS
675 if (defacl) acl_free(defacl);
676 if (accacl) acl_free(accacl);
677 #endif /* HAVE_POSIX_ACLS */
679 LOG(log_debug9, logtype_afpd, "get_and_map_acl: END");
683 /* Removes all non-trivial ACLs from object. Returns full AFPERR code. */
684 static int remove_acl(const struct vol *vol,const char *path, int dir)
688 #ifdef HAVE_SOLARIS_ACLS
689 /* Ressource etc. first */
690 if ((ret = vol->vfs->vfs_remove_acl(vol, path, dir)) != AFP_OK)
692 /* now the data fork or dir */
693 ret = remove_acl_vfs(path);
700 - the client sends a complete list of ACEs, not only new ones. So we dont need to do
701 any combination business (one exception being 'kFileSec_Inherit': see next)
702 - client might request that we add inherited ACEs via 'kFileSec_Inherit'.
703 We will store inherited ACEs first, which is Darwins canonical order.
704 - returns AFPerror code
706 #ifdef HAVE_SOLARIS_ACLS
707 static int set_acl(const struct vol *vol, char *name, int inherit, char *ibuf)
709 int ret, i, nfsv4_ace_count, tocopy_aces_count = 0, new_aces_count = 0, trivial_ace_count = 0;
710 ace_t *old_aces, *new_aces = NULL;
714 LOG(log_debug9, logtype_afpd, "set_acl: BEGIN");
716 /* Get no of ACEs the client put on the wire */
717 ace_count = htonl(*((uint32_t *)ibuf));
718 ibuf += 8; /* skip ACL flags (see acls.h) */
721 /* inherited + trivial ACEs */
722 flags = ACE_INHERITED_ACE | ACE_OWNER | ACE_GROUP | ACE_EVERYONE;
724 /* only trivial ACEs */
725 flags = ACE_OWNER | ACE_GROUP | ACE_EVERYONE;
727 /* Get existing ACL and count ACEs which have to be copied */
728 if ((nfsv4_ace_count = get_nfsv4_acl(name, &old_aces)) == -1)
730 for ( i=0; i < nfsv4_ace_count; i++) {
731 if (old_aces[i].a_flags & flags)
735 /* Now malloc buffer exactly sized to fit all new ACEs */
736 new_aces = malloc( (ace_count + tocopy_aces_count) * sizeof(ace_t) );
737 if (new_aces == NULL) {
738 LOG(log_error, logtype_afpd, "set_acl: malloc %s", strerror(errno));
743 /* Start building new ACL */
745 /* Copy local inherited ACEs. Therefore we have 'Darwin canonical order' (see chmod there):
746 inherited ACEs first. */
748 for (i=0; i < nfsv4_ace_count; i++) {
749 if (old_aces[i].a_flags & ACE_INHERITED_ACE) {
750 memcpy(&new_aces[new_aces_count], &old_aces[i], sizeof(ace_t));
755 LOG(log_debug7, logtype_afpd, "set_acl: copied %d inherited ACEs", new_aces_count);
757 /* Now the ACEs from the client */
758 ret = map_acl(DARWIN_2_SOLARIS, &new_aces[new_aces_count], (darwin_ace_t *)ibuf, ace_count);
763 new_aces_count += ace_count;
764 LOG(log_debug7, logtype_afpd, "set_acl: mapped %d ACEs from client", ace_count);
766 /* Now copy the trivial ACEs */
767 for (i=0; i < nfsv4_ace_count; i++) {
768 if (old_aces[i].a_flags & (ACE_OWNER | ACE_GROUP | ACE_EVERYONE)) {
769 memcpy(&new_aces[new_aces_count], &old_aces[i], sizeof(ace_t));
774 LOG(log_debug7, logtype_afpd, "set_acl: copied %d trivial ACEs", trivial_ace_count);
776 /* Ressourcefork first.
777 Note: for dirs we set the same ACL on the .AppleDouble/.Parent _file_. This
778 might be strange for ACE_DELETE_CHILD and for inheritance flags. */
779 if ( (ret = vol->vfs->vfs_acl(vol, name, ACE_SETACL, new_aces_count, new_aces)) != 0) {
780 LOG(log_error, logtype_afpd, "set_acl: error setting acl: %s", strerror(errno));
781 if (errno == (EACCES | EPERM))
783 else if (errno == ENOENT)
789 if ( (ret = acl(name, ACE_SETACL, new_aces_count, new_aces)) != 0) {
790 LOG(log_error, logtype_afpd, "set_acl: error setting acl: %s", strerror(errno));
791 if (errno == (EACCES | EPERM))
793 else if (errno == ENOENT)
806 LOG(log_debug9, logtype_afpd, "set_acl: END");
809 #endif /* HAVE_SOLARIS_ACLS */
811 #ifdef HAVE_POSIX_ACLS
812 static int set_acl(const struct vol *vol, char *name, int inherit, char *ibuf)
816 #endif /* HAVE_POSIX_ACLS */
819 Checks if a given UUID has requested_rights(type darwin_ace_rights) for path.
820 Note: this gets called frequently and is a good place for optimizations !
822 #ifdef HAVE_SOLARIS_ACLS
823 static int check_acl_access(const char *path, const uuidp_t uuid, uint32_t requested_darwin_rights)
825 int ret, i, ace_count, dir, checkgroup;
826 char *username = NULL; /* might be group too */
830 uint32_t requested_rights = 0, allowed_rights = 0, denied_rights = 0;
834 int check_user_trivace = 0, check_group_trivace = 0;
841 LOG(log_debug9, logtype_afpd, "check_access: BEGIN. Request: %08x", requested_darwin_rights);
843 /* Get uid or gid from UUID */
844 if ( (getnamefromuuid(uuid, &username, &uuidtype)) != 0) {
845 LOG(log_error, logtype_afpd, "check_access: error getting name from UUID");
850 if ((lstat(path, &st)) != 0) {
851 LOG(log_error, logtype_afpd, "check_access: stat: %s", strerror(errno));
855 dir = S_ISDIR(st.st_mode);
857 if (uuidtype == UUID_USER) {
858 pwd = getpwnam(username);
860 LOG(log_error, logtype_afpd, "check_access: getpwnam: %s", strerror(errno));
867 /* If user is file/dir owner we must check the user trivial ACE */
868 if (uid == st.st_uid) {
869 LOG(log_debug, logtype_afpd, "check_access: user: %s is files owner. Must check trivial user ACE", username);
870 check_user_trivace = 1;
873 /* Now check if requested user is files owning group. If yes we must check the group trivial ACE */
874 if ( (check_group(username, uid, pgid, st.st_gid)) == 0) {
875 LOG(log_debug, logtype_afpd, "check_access: user: %s is in group: %d. Must check trivial group ACE", username, st.st_gid);
876 check_group_trivace = 1;
878 } else { /* hopefully UUID_GROUP*/
879 LOG(log_error, logtype_afpd, "check_access: afp_access for UUID of groups not supported!");
881 grp = getgrnam(username);
883 LOG(log_error, logtype_afpd, "check_access: getgrnam: %s", strerror(errno));
886 if (st.st_gid == grp->gr_gid )
887 check_group_trivace = 1;
891 /* Map requested rights to Solaris style. */
892 for (i=0; darwin_to_nfsv4_rights[i].from != 0; i++) {
893 if (requested_darwin_rights & darwin_to_nfsv4_rights[i].from)
894 requested_rights |= darwin_to_nfsv4_rights[i].to;
897 /* Get ACL from file/dir */
898 if ( (ace_count = get_nfsv4_acl(path, &aces)) == -1) {
899 LOG(log_error, logtype_afpd, "check_access: error getting ACEs");
903 if (ace_count == 0) {
904 LOG(log_debug, logtype_afpd, "check_access: 0 ACEs from get_nfsv4_acl");
909 /* Now check requested rights */
912 do { /* Loop through ACEs */
914 flags = aces[i].a_flags;
915 type = aces[i].a_type;
916 rights = aces[i].a_access_mask;
918 if (flags & ACE_INHERIT_ONLY_ACE)
921 /* Check if its a group ACE and set checkgroup to 1 if yes */
923 if ( (flags & ACE_IDENTIFIER_GROUP) && !(flags & ACE_GROUP) ) {
924 if ( (check_group(username, uid, pgid, who)) == 0)
930 /* Now the tricky part: decide if ACE effects our user. I'll explain:
931 if its a dedicated (non trivial) ACE for the user
933 if its a ACE for a group we're member of
935 if its a trivial ACE_OWNER ACE and requested UUID is the owner
937 if its a trivial ACE_GROUP ACE and requested UUID is group
939 if its a trivial ACE_EVERYONE ACE
943 ( (who == uid) && !(flags & (ACE_TRIVIAL|ACE_IDENTIFIER_GROUP)) ) ||
945 ( (flags & ACE_OWNER) && check_user_trivace ) ||
946 ( (flags & ACE_GROUP) && check_group_trivace ) ||
947 ( flags & ACE_EVERYONE )
949 /* Found an applicable ACE */
950 if (type == ACE_ACCESS_ALLOWED_ACE_TYPE)
951 allowed_rights |= rights;
952 else if (type == ACE_ACCESS_DENIED_ACE_TYPE)
953 /* Only or to denied rights if not previously allowed !! */
954 denied_rights |= ((!allowed_rights) & rights);
956 } while (++i < ace_count);
959 /* Darwin likes to ask for "delete_child" on dir,
960 "write_data" is actually the same, so we add that for dirs */
961 if (dir && (allowed_rights & ACE_WRITE_DATA))
962 allowed_rights |= ACE_DELETE_CHILD;
964 if (requested_rights & denied_rights) {
965 LOG(log_debug, logtype_afpd, "check_access: some requested right was denied:");
967 } else if ((requested_rights & allowed_rights) != requested_rights) {
968 LOG(log_debug, logtype_afpd, "check_access: some requested right wasn't allowed:");
971 LOG(log_debug, logtype_afpd, "check_access: all requested rights are allowed:");
975 LOG(log_debug, logtype_afpd, "check_access: Requested rights: %08x, allowed_rights: %08x, denied_rights: %08x, Result: %d",
976 requested_rights, allowed_rights, denied_rights, ret);
982 LOG(log_debug9, logtype_afpd, "check_access: END");
986 #endif /* HAVE_SOLARIS_ACLS */
988 #ifdef HAVE_POSIX_ACLS
989 static int check_acl_access(const char *path, const uuidp_t uuid, uint32_t requested_darwin_rights)
992 * FIXME: for OS X >= 10.6 it seems fp_access isn't called anymore, instead
993 * the client just tries to perform any action, relying on the server
994 * to enforce permission (which the OS does for us), returning appropiate
995 * error codes in case the action failed.
996 * So to summarize: I think it's safe to not implement this function and
997 * just always return AFP_OK.
1001 #endif /* HAVE_POSIX_ACLS */
1003 /********************************************************
1005 ********************************************************/
1007 int afp_access(AFPObj *obj, char *ibuf, size_t ibuflen _U_, char *rbuf _U_, size_t *rbuflen)
1012 uint32_t did, darwin_ace_rights;
1014 struct path *s_path;
1017 LOG(log_debug9, logtype_afpd, "afp_access: BEGIN");
1022 memcpy(&vid, ibuf, sizeof( vid ));
1023 ibuf += sizeof(vid);
1024 if (NULL == ( vol = getvolbyvid( vid ))) {
1025 LOG(log_error, logtype_afpd, "afp_access: error getting volid:%d", vid);
1026 return AFPERR_NOOBJ;
1029 memcpy(&did, ibuf, sizeof( did ));
1030 ibuf += sizeof( did );
1031 if (NULL == ( dir = dirlookup( vol, did ))) {
1032 LOG(log_error, logtype_afpd, "afp_access: error getting did:%d", did);
1039 /* Store UUID address */
1040 uuid = (uuidp_t)ibuf;
1041 ibuf += UUID_BINSIZE;
1043 /* Store ACE rights */
1044 memcpy(&darwin_ace_rights, ibuf, 4);
1045 darwin_ace_rights = ntohl(darwin_ace_rights);
1048 /* get full path and handle file/dir subtleties in netatalk code*/
1049 if (NULL == ( s_path = cname( vol, dir, &ibuf ))) {
1050 LOG(log_error, logtype_afpd, "afp_getacl: cname got an error!");
1051 return AFPERR_NOOBJ;
1053 if (!s_path->st_valid)
1054 of_statdir(vol, s_path);
1055 if ( s_path->st_errno != 0 ) {
1056 LOG(log_error, logtype_afpd, "afp_getacl: cant stat");
1057 return AFPERR_NOOBJ;
1060 ret = check_acl_access(s_path->u_name, uuid, darwin_ace_rights);
1062 LOG(log_debug9, logtype_afpd, "afp_access: END");
1066 int afp_getacl(AFPObj *obj, char *ibuf, size_t ibuflen _U_, char *rbuf _U_, size_t *rbuflen)
1072 uint16_t vid, bitmap;
1073 struct path *s_path;
1077 LOG(log_debug9, logtype_afpd, "afp_getacl: BEGIN");
1081 memcpy(&vid, ibuf, sizeof( vid ));
1082 ibuf += sizeof(vid);
1083 if (NULL == ( vol = getvolbyvid( vid ))) {
1084 LOG(log_error, logtype_afpd, "afp_getacl: error getting volid:%d", vid);
1085 return AFPERR_NOOBJ;
1088 memcpy(&did, ibuf, sizeof( did ));
1089 ibuf += sizeof( did );
1090 if (NULL == ( dir = dirlookup( vol, did ))) {
1091 LOG(log_error, logtype_afpd, "afp_getacl: error getting did:%d", did);
1095 memcpy(&bitmap, ibuf, sizeof( bitmap ));
1096 memcpy(rbuf, ibuf, sizeof( bitmap ));
1097 bitmap = ntohs( bitmap );
1098 ibuf += sizeof( bitmap );
1099 rbuf += sizeof( bitmap );
1100 *rbuflen += sizeof( bitmap );
1102 /* skip maxreplysize */
1105 /* get full path and handle file/dir subtleties in netatalk code*/
1106 if (NULL == ( s_path = cname( vol, dir, &ibuf ))) {
1107 LOG(log_error, logtype_afpd, "afp_getacl: cname got an error!");
1108 return AFPERR_NOOBJ;
1110 if (!s_path->st_valid)
1111 of_statdir(vol, s_path);
1112 if ( s_path->st_errno != 0 ) {
1113 LOG(log_error, logtype_afpd, "afp_getacl: cant stat");
1114 return AFPERR_NOOBJ;
1117 /* Shall we return owner UUID ? */
1118 if (bitmap & kFileSec_UUID) {
1119 LOG(log_debug, logtype_afpd, "afp_getacl: client requested files owner user UUID");
1120 if (NULL == (pw = getpwuid(s_path->st.st_uid)))
1122 LOG(log_debug, logtype_afpd, "afp_getacl: got uid: %d, name: %s", s_path->st.st_uid, pw->pw_name);
1123 if ((ret = getuuidfromname(pw->pw_name, UUID_USER, rbuf)) != 0)
1125 rbuf += UUID_BINSIZE;
1126 *rbuflen += UUID_BINSIZE;
1129 /* Shall we return group UUID ? */
1130 if (bitmap & kFileSec_GRPUUID) {
1131 LOG(log_debug, logtype_afpd, "afp_getacl: client requested files owner group UUID");
1132 if (NULL == (gr = getgrgid(s_path->st.st_gid)))
1134 LOG(log_debug, logtype_afpd, "afp_getacl: got gid: %d, name: %s", s_path->st.st_gid, gr->gr_name);
1135 if ((ret = getuuidfromname(gr->gr_name, UUID_GROUP, rbuf)) != 0)
1137 rbuf += UUID_BINSIZE;
1138 *rbuflen += UUID_BINSIZE;
1141 /* Shall we return ACL ? */
1142 if (bitmap & kFileSec_ACL) {
1143 LOG(log_debug, logtype_afpd, "afp_getacl: client requested files ACL");
1144 get_and_map_acl(s_path->u_name, rbuf, rbuflen);
1147 LOG(log_debug9, logtype_afpd, "afp_getacl: END");
1151 int afp_setacl(AFPObj *obj, char *ibuf, size_t ibuflen _U_, char *rbuf _U_, size_t *rbuflen)
1157 uint16_t vid, bitmap;
1158 struct path *s_path;
1160 LOG(log_debug9, logtype_afpd, "afp_setacl: BEGIN");
1164 memcpy(&vid, ibuf, sizeof( vid ));
1165 ibuf += sizeof(vid);
1166 if (NULL == ( vol = getvolbyvid( vid ))) {
1167 LOG(log_error, logtype_afpd, "afp_setacl: error getting volid:%d", vid);
1168 return AFPERR_NOOBJ;
1171 memcpy(&did, ibuf, sizeof( did ));
1172 ibuf += sizeof( did );
1173 if (NULL == ( dir = dirlookup( vol, did ))) {
1174 LOG(log_error, logtype_afpd, "afp_setacl: error getting did:%d", did);
1178 memcpy(&bitmap, ibuf, sizeof( bitmap ));
1179 bitmap = ntohs( bitmap );
1180 ibuf += sizeof( bitmap );
1182 /* get full path and handle file/dir subtleties in netatalk code*/
1183 if (NULL == ( s_path = cname( vol, dir, &ibuf ))) {
1184 LOG(log_error, logtype_afpd, "afp_setacl: cname got an error!");
1185 return AFPERR_NOOBJ;
1187 if (!s_path->st_valid)
1188 of_statdir(vol, s_path);
1189 if ( s_path->st_errno != 0 ) {
1190 LOG(log_error, logtype_afpd, "afp_setacl: cant stat");
1191 return AFPERR_NOOBJ;
1193 LOG(log_debug, logtype_afpd, "afp_setacl: unixname: %s", s_path->u_name);
1196 if ((unsigned long)ibuf & 1)
1199 /* Start processing request */
1201 /* Change owner: dont even try */
1202 if (bitmap & kFileSec_UUID) {
1203 LOG(log_debug, logtype_afpd, "afp_setacl: change owner request. discarded.");
1204 ret = AFPERR_ACCESS;
1205 ibuf += UUID_BINSIZE;
1208 /* Change group: certain changes might be allowed, so try it. FIXME: not implemented yet. */
1209 if (bitmap & kFileSec_UUID) {
1210 LOG(log_debug, logtype_afpd, "afp_setacl: change group request. not supported this time.");
1212 ibuf += UUID_BINSIZE;
1216 if (bitmap & kFileSec_REMOVEACL) {
1217 LOG(log_debug, logtype_afpd, "afp_setacl: Remove ACL request.");
1218 if ((ret = remove_acl(vol, s_path->u_name, S_ISDIR(s_path->st.st_mode))) != AFP_OK)
1219 LOG(log_error, logtype_afpd, "afp_setacl: error from remove_acl");
1223 if (bitmap & kFileSec_ACL) {
1224 LOG(log_debug, logtype_afpd, "afp_setacl: Change ACL request.");
1226 /* Check if its our job to preserve inherited ACEs */
1227 if (bitmap & kFileSec_Inherit)
1228 ret = set_acl(vol, s_path->u_name, 1, ibuf);
1230 ret = set_acl(vol, s_path->u_name, 0, ibuf);
1234 LOG(log_warning, logtype_afpd, "afp_setacl(\"%s/%s\"): error",
1235 getcwdpath(), s_path->u_name);
1240 LOG(log_debug9, logtype_afpd, "afp_setacl: END");
1245 unix.c/accessmode calls this: map ACL to OS 9 mode
1247 void acltoownermode(char *path, struct stat *st, uid_t uid, struct maccess *ma)
1251 int r_ok, w_ok, x_ok;
1253 if ( ! (AFPobj->options.flags & OPTION_UUID) || ! (AFPobj->options.flags & OPTION_ACL2OS9MODE))
1256 LOG(log_maxdebug, logtype_afpd, "acltoownermode('%s')", path);
1258 if ((pw = getpwuid(uid)) == NULL) {
1259 LOG(log_error, logtype_afpd, "acltoownermode: %s", strerror(errno));
1263 /* We need the UUID for check_acl_access */
1264 if ((getuuidfromname(pw->pw_name, UUID_USER, uuid)) != 0)
1267 /* These work for files and dirs */
1268 r_ok = check_acl_access(path, uuid, DARWIN_ACE_READ_DATA);
1269 w_ok = check_acl_access(path, uuid, (DARWIN_ACE_WRITE_DATA|DARWIN_ACE_APPEND_DATA));
1270 x_ok = check_acl_access(path, uuid, DARWIN_ACE_EXECUTE);
1272 LOG(log_debug7, logtype_afpd, "acltoownermode: ma_user before: %04o",ma->ma_user);
1274 ma->ma_user |= AR_UREAD;
1276 ma->ma_user |= AR_UWRITE;
1278 ma->ma_user |= AR_USEARCH;
1279 LOG(log_debug7, logtype_afpd, "acltoownermode: ma_user after: %04o", ma->ma_user);
1285 We're being called at the end of afp_createdir. We're (hopefully) inside dir
1286 and ".AppleDouble" and ".AppleDouble/.Parent" should have already been created.
1287 We then inherit any explicit ACE from "." to ".AppleDouble" and ".AppleDouble/.Parent".
1288 FIXME: add to VFS layer ?
1290 #ifdef HAVE_SOLARIS_ACLS
1291 void addir_inherit_acl(const struct vol *vol)
1293 ace_t *diraces = NULL, *adaces = NULL, *combinedaces = NULL;
1294 int diracecount, adacecount;
1296 LOG(log_debug9, logtype_afpd, "addir_inherit_acl: BEGIN");
1298 /* Check if ACLs are enabled for the volume */
1299 if (vol->v_flags & AFPVOL_ACLS) {
1301 if ((diracecount = get_nfsv4_acl(".", &diraces)) <= 0)
1303 /* Remove any trivial ACE from "." */
1304 if ((diracecount = strip_trivial_aces(&diraces, diracecount)) <= 0)
1308 Inherit to ".AppleDouble"
1311 if ((adacecount = get_nfsv4_acl(".AppleDouble", &adaces)) <= 0)
1313 /* Remove any non-trivial ACE from ".AppleDouble" */
1314 if ((adacecount = strip_nontrivial_aces(&adaces, adacecount)) <= 0)
1318 if ((combinedaces = concat_aces(diraces, diracecount, adaces, adacecount)) == NULL)
1321 /* Now set new acl */
1322 if ((acl(".AppleDouble", ACE_SETACL, diracecount + adacecount, combinedaces)) != 0)
1323 LOG(log_error, logtype_afpd, "addir_inherit_acl: acl: %s", strerror(errno));
1328 combinedaces = NULL;
1331 Inherit to ".AppleDouble/.Parent"
1334 if ((adacecount = get_nfsv4_acl(".AppleDouble/.Parent", &adaces)) <= 0)
1336 if ((adacecount = strip_nontrivial_aces(&adaces, adacecount)) <= 0)
1340 if ((combinedaces = concat_aces(diraces, diracecount, adaces, adacecount)) == NULL)
1343 /* Now set new acl */
1344 if ((acl(".AppleDouble/.Parent", ACE_SETACL, diracecount + adacecount, combinedaces)) != 0)
1345 LOG(log_error, logtype_afpd, "addir_inherit_acl: acl: %s", strerror(errno));
1351 LOG(log_debug9, logtype_afpd, "addir_inherit_acl: END");
1357 #endif /* HAVE_SOLARIS_ACLS */
1359 #ifdef HAVE_POSIX_ACLS
1360 void addir_inherit_acl(const struct vol *vol)
1364 #endif /* HAVE_POSIX_ACLS */
projects / netatalk.git / blob