2 Copyright (c) 2008, 2009, 2010 Frank Lahm <franklahm@gmail.com>
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 2 of the License, or
7 (at your option) any later version.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
17 #endif /* HAVE_CONFIG_H */
26 #ifdef HAVE_SOLARIS_ACLS
29 #ifdef HAVE_POSIX_ACLS
32 #ifdef HAVE_ACL_LIBACL_H
33 #include <acl/libacl.h>
36 #include <atalk/errchk.h>
37 #include <atalk/adouble.h>
38 #include <atalk/vfs.h>
39 #include <atalk/afp.h>
40 #include <atalk/util.h>
41 #include <atalk/cnid.h>
42 #include <atalk/logger.h>
43 #include <atalk/uuid.h>
44 #include <atalk/acl.h>
45 #include <atalk/bstrlib.h>
46 #include <atalk/bstradd.h>
48 #include "directory.h"
54 #include "acl_mappings.h"
58 #define SOLARIS_2_DARWIN 1
59 #define DARWIN_2_SOLARIS 2
60 #define POSIX_DEFAULT_2_DARWIN 3
61 #define POSIX_ACCESS_2_DARWIN 4
62 #define DARWIN_2_POSIX_DEFAULT 5
63 #define DARWIN_2_POSIX_ACCESS 6
68 /********************************************************
70 ********************************************************/
72 #ifdef HAVE_SOLARIS_ACLS
75 * Compile access rights for a user to one file-system object
77 * This combines combines all access rights for a user to one fs-object and
78 * returns the result as a Darwin allowed rights ACE.
79 * This must honor trivial ACEs which are a mode_t mapping.
81 * @param path (r) path to filesystem object
82 * @param sb (r) struct stat of path
83 * @param result (w) resulting Darwin allow ACE
85 * @returns 0 or -1 on error
87 static int solaris_acl_rights(const char *path,
88 const struct stat *sb,
92 int i, ace_count, checkgroup;
96 uint32_t rights, allowed_rights = 0, denied_rights = 0, darwin_rights;
98 /* Get ACL from file/dir */
99 EC_NEG1_LOG(ace_count = get_nfsv4_acl(path, &aces));
104 /* Now check requested rights */
106 do { /* Loop through ACEs */
108 flags = aces[i].a_flags;
109 type = aces[i].a_type;
110 rights = aces[i].a_access_mask;
112 if (flags & ACE_INHERIT_ONLY_ACE)
115 /* Now the tricky part: decide if ACE effects our user. I'll explain:
116 if its a dedicated (non trivial) ACE for the user
118 if its a ACE for a group we're member of
120 if its a trivial ACE_OWNER ACE and requested UUID is the owner
122 if its a trivial ACE_GROUP ACE and requested UUID is group
124 if its a trivial ACE_EVERYONE ACE
127 if (((who == uuid) && !(flags & (ACE_TRIVIAL|ACE_IDENTIFIER_GROUP)))
129 ((flags & ACE_IDENTIFIER_GROUP) && !(flags & ACE_GROUP) && gmem(who))
131 ((flags & ACE_OWNER) && (uuid == sb->st_uid))
133 ((flags & ACE_GROUP) && !(uuid == sb->st_uid) && gmem(sb->st_gid))
135 (flags & ACE_EVERYONE && !(uuid == sb->st_uid) && !gmem(sb->st_gid))
137 /* Found an applicable ACE */
138 if (type == ACE_ACCESS_ALLOWED_ACE_TYPE)
139 allowed_rights |= rights;
140 else if (type == ACE_ACCESS_DENIED_ACE_TYPE)
141 /* Only or to denied rights if not previously allowed !! */
142 denied_rights |= ((!allowed_rights) & rights);
144 } while (++i < ace_count);
147 /* Darwin likes to ask for "delete_child" on dir,
148 "write_data" is actually the same, so we add that for dirs */
149 if (S_ISDIR(sb->st_mode) && (allowed_rights & ACE_WRITE_DATA))
150 allowed_rights |= ACE_DELETE_CHILD;
152 /* Remove denied from allowed rights */
153 allowed_rights &= ~denied_rights;
157 for (i=0; nfsv4_to_darwin_rights[i].from != 0; i++) {
158 if (allowed_rights & nfsv4_to_darwin_rights[i].from)
159 darwin_rights |= nfsv4_to_darwin_rights[i].to;
162 *result |= darwin_rights;
165 if (aces) free(aces);
171 Maps ACE array from Solaris to Darwin. Darwin ACEs are stored in network byte order.
172 Return numer of mapped ACEs or -1 on error.
173 All errors while mapping (e.g. getting UUIDs from LDAP) are fatal.
175 static int map_aces_solaris_to_darwin(const ace_t *aces,
176 darwin_ace_t *darwin_aces,
183 struct passwd *pwd = NULL;
184 struct group *grp = NULL;
186 LOG(log_maxdebug, logtype_afpd, "map_aces_solaris_to_darwin: parsing %d ACES", ace_count);
189 LOG(log_maxdebug, logtype_afpd, "ACE No. %d", ace_count + 1);
190 /* if its a ACE resulting from nfsv4 mode mapping, discard it */
191 if (aces->a_flags & (ACE_OWNER | ACE_GROUP | ACE_EVERYONE)) {
192 LOG(log_debug, logtype_afpd, "trivial ACE");
197 if ( ! (aces->a_flags & ACE_IDENTIFIER_GROUP) ) { /* user ace */
198 LOG(log_debug, logtype_afpd, "uid: %d", aces->a_who);
199 EC_NULL_LOG(pwd = getpwuid(aces->a_who));
200 LOG(log_debug, logtype_afpd, "uid: %d -> name: %s", aces->a_who, pwd->pw_name);
201 EC_ZERO_LOG(getuuidfromname(pwd->pw_name,
203 darwin_aces->darwin_ace_uuid));
204 } else { /* group ace */
205 LOG(log_debug, logtype_afpd, "gid: %d", aces->a_who);
206 EC_NULL_LOG(grp = getgrgid(aces->a_who));
207 LOG(log_debug, logtype_afpd, "gid: %d -> name: %s", aces->a_who, grp->gr_name);
208 EC_ZERO_LOG(getuuidfromname(grp->gr_name,
210 darwin_aces->darwin_ace_uuid));
214 if (aces->a_type == ACE_ACCESS_ALLOWED_ACE_TYPE)
215 flags = DARWIN_ACE_FLAGS_PERMIT;
216 else if (aces->a_type == ACE_ACCESS_DENIED_ACE_TYPE)
217 flags = DARWIN_ACE_FLAGS_DENY;
218 else { /* unsupported type */
222 for(i=0; nfsv4_to_darwin_flags[i].from != 0; i++) {
223 if (aces->a_flags & nfsv4_to_darwin_flags[i].from)
224 flags |= nfsv4_to_darwin_flags[i].to;
226 darwin_aces->darwin_ace_flags = htonl(flags);
230 for (i=0; nfsv4_to_darwin_rights[i].from != 0; i++) {
231 if (aces->a_access_mask & nfsv4_to_darwin_rights[i].from)
232 rights |= nfsv4_to_darwin_rights[i].to;
234 darwin_aces->darwin_ace_rights = htonl(rights);
247 Maps ACE array from Darwin to Solaris. Darwin ACEs are expected in network byte order.
248 Return numer of mapped ACEs or -1 on error.
249 All errors while mapping (e.g. getting UUIDs from LDAP) are fatal.
251 static int map_aces_darwin_to_solaris(darwin_ace_t *darwin_aces,
256 int i, mapped_aces = 0;
257 uint32_t darwin_ace_flags;
258 uint32_t darwin_ace_rights;
259 uint16_t nfsv4_ace_flags;
260 uint32_t nfsv4_ace_rights;
268 nfsv4_ace_rights = 0;
271 EC_ZERO(getnamefromuuid(darwin_aces->darwin_ace_uuid, &name, &uuidtype));
274 EC_NULL_LOG(pwd = getpwnam(name));
275 nfsv4_aces->a_who = pwd->pw_uid;
278 EC_NULL_LOG(grp = getgrnam(name));
279 nfsv4_aces->a_who = (uid_t)(grp->gr_gid);
280 nfsv4_ace_flags |= ACE_IDENTIFIER_GROUP;
283 LOG(log_error, logtype_afpd, "map_aces_darwin_to_solaris: unkown uuidtype");
289 /* now type: allow/deny */
290 darwin_ace_flags = ntohl(darwin_aces->darwin_ace_flags);
291 if (darwin_ace_flags & DARWIN_ACE_FLAGS_PERMIT)
292 nfsv4_aces->a_type = ACE_ACCESS_ALLOWED_ACE_TYPE;
293 else if (darwin_ace_flags & DARWIN_ACE_FLAGS_DENY)
294 nfsv4_aces->a_type = ACE_ACCESS_DENIED_ACE_TYPE;
295 else { /* unsupported type */
300 for(i=0; darwin_to_nfsv4_flags[i].from != 0; i++) {
301 if (darwin_ace_flags & darwin_to_nfsv4_flags[i].from)
302 nfsv4_ace_flags |= darwin_to_nfsv4_flags[i].to;
306 darwin_ace_rights = ntohl(darwin_aces->darwin_ace_rights);
307 for (i=0; darwin_to_nfsv4_rights[i].from != 0; i++) {
308 if (darwin_ace_rights & darwin_to_nfsv4_rights[i].from)
309 nfsv4_ace_rights |= darwin_to_nfsv4_rights[i].to;
312 LOG(log_debug9, logtype_afpd,
313 "map_aces_darwin_to_solaris: ACE flags: Darwin:%08x -> NFSv4:%04x",
314 darwin_ace_flags, nfsv4_ace_flags);
315 LOG(log_debug9, logtype_afpd,
316 "map_aces_darwin_to_solaris: ACE rights: Darwin:%08x -> NFSv4:%08x",
317 darwin_ace_rights, nfsv4_ace_rights);
319 nfsv4_aces->a_flags = nfsv4_ace_flags;
320 nfsv4_aces->a_access_mask = nfsv4_ace_rights;
333 #endif /* HAVE_SOLARIS_ACLS */
335 /********************************************************
337 ********************************************************/
339 #ifdef HAVE_POSIX_ACLS
341 static uint32_t posix_permset_to_darwin_rights(acl_entry_t e, int is_dir)
345 acl_permset_t permset;
347 EC_ZERO_LOG(acl_get_permset(e, &permset));
349 #ifdef HAVE_ACL_GET_PERM_NP
350 if (acl_get_perm_np(permset, ACL_READ))
352 if (acl_get_perm(permset, ACL_READ))
354 rights = DARWIN_ACE_READ_DATA
355 | DARWIN_ACE_READ_EXTATTRIBUTES
356 | DARWIN_ACE_READ_ATTRIBUTES
357 | DARWIN_ACE_READ_SECURITY;
358 #ifdef HAVE_ACL_GET_PERM_NP
359 if (acl_get_perm_np(permset, ACL_WRITE)) {
361 if (acl_get_perm(permset, ACL_WRITE)) {
363 rights |= DARWIN_ACE_WRITE_DATA
364 | DARWIN_ACE_APPEND_DATA
365 | DARWIN_ACE_WRITE_EXTATTRIBUTES
366 | DARWIN_ACE_WRITE_ATTRIBUTES;
368 rights |= DARWIN_ACE_DELETE_CHILD;
370 #ifdef HAVE_ACL_GET_PERM_NP
371 if (acl_get_perm_np(permset, ACL_EXECUTE))
373 if (acl_get_perm(permset, ACL_EXECUTE))
375 rights |= DARWIN_ACE_EXECUTE;
378 LOG(log_maxdebug, logtype_afpd, "mapped rights: 0x%08x", rights);
383 * Compile access rights for a user to one file-system object
385 * This combines combines all access rights for a user to one fs-object and
386 * returns the result as a Darwin allowed rights ACE.
387 * This must honor trivial ACEs which are a mode_t mapping.
389 * @param path (r) path to filesystem object
390 * @param sb (r) struct stat of path
391 * @param result (rw) resulting Darwin allow ACE
393 * @returns 0 or -1 on error
395 static int posix_acl_rights(const char *path,
396 const struct stat *sb,
401 int entry_id = ACL_FIRST_ENTRY;
402 uint32_t rights = 0, maskrights = 0;
409 EC_NULL_LOGSTR(acl = acl_get_file(path, ACL_TYPE_ACCESS),
410 "acl_get_file(\"%s\"): %s", fullpathname(path), strerror(errno));
412 /* itereate through all ACEs to get the mask */
413 while (!havemask && acl_get_entry(acl, entry_id, &e) == 1) {
414 entry_id = ACL_NEXT_ENTRY;
415 EC_ZERO_LOG(acl_get_tag_type(e, &tag));
418 maskrights = posix_permset_to_darwin_rights(e, S_ISDIR(sb->st_mode));
419 LOG(log_maxdebug, logtype_afpd, "maskrights: 0x%08x", maskrights);
427 /* itereate through all ACEs */
428 entry_id = ACL_FIRST_ENTRY;
429 while (acl_get_entry(acl, entry_id, &e) == 1) {
430 entry_id = ACL_NEXT_ENTRY;
431 EC_ZERO_LOG(acl_get_tag_type(e, &tag));
434 EC_NULL_LOG(uid = (uid_t *)acl_get_qualifier(e));
436 LOG(log_maxdebug, logtype_afpd, "ACL_USER: %u", *uid);
437 rights |= posix_permset_to_darwin_rights(e, S_ISDIR(sb->st_mode));
443 if (sb->st_uid == uuid) {
444 LOG(log_maxdebug, logtype_afpd, "ACL_USER_OBJ: %u", sb->st_uid);
445 rights |= posix_permset_to_darwin_rights(e, S_ISDIR(sb->st_mode));
449 EC_NULL_LOG(gid = (gid_t *)acl_get_qualifier(e));
451 LOG(log_maxdebug, logtype_afpd, "ACL_GROUP: %u", *gid);
452 rights |= (posix_permset_to_darwin_rights(e, S_ISDIR(sb->st_mode)) & maskrights);
458 if (!(sb->st_uid == uuid) && gmem(sb->st_gid)) {
459 LOG(log_maxdebug, logtype_afpd, "ACL_GROUP_OBJ: %u", sb->st_gid);
460 rights |= posix_permset_to_darwin_rights(e, S_ISDIR(sb->st_mode));
464 if (!(sb->st_uid == uuid) && !gmem(sb->st_gid)) {
465 LOG(log_maxdebug, logtype_afpd, "ACL_OTHER");
466 rights |= posix_permset_to_darwin_rights(e, S_ISDIR(sb->st_mode));
477 if (acl) acl_free(acl);
478 if (uid) acl_free(uid);
479 if (gid) acl_free(gid);
484 * Add entries of one acl to another acl
486 * @param aclp (rw) destination acl where new aces will be added
487 * @param acl (r) source acl where aces will be copied from
489 * @returns 0 on success, -1 on error
491 static int acl_add_acl(acl_t *aclp, const acl_t acl)
497 for (id = ACL_FIRST_ENTRY; acl_get_entry(acl, id, &se) == 1; id = ACL_NEXT_ENTRY) {
498 EC_ZERO_LOG_ERR(acl_create_entry(aclp, &de), AFPERR_MISC);
499 EC_ZERO_LOG_ERR(acl_copy_entry(de, se), AFPERR_MISC);
507 * Map Darwin ACE rights to POSIX 1e perm
509 * We can only map few rights:
510 * DARWIN_ACE_READ_DATA -> ACL_READ
511 * DARWIN_ACE_WRITE_DATA -> ACL_WRITE
512 * DARWIN_ACE_DELETE_CHILD & (is_dir == 1) -> ACL_WRITE
513 * DARWIN_ACE_EXECUTE -> ACL_EXECUTE
515 * @param entry (rw) result of the mapping
516 * @param is_dir (r) 1 for dirs, 0 for files
518 * @returns mapping result as acl_perm_t, -1 on error
520 static acl_perm_t map_darwin_right_to_posix_permset(uint32_t darwin_ace_rights, int is_dir)
524 if (darwin_ace_rights & DARWIN_ACE_READ_DATA)
527 if (darwin_ace_rights & (DARWIN_ACE_WRITE_DATA | (DARWIN_ACE_DELETE_CHILD & is_dir)))
530 if (darwin_ace_rights & DARWIN_ACE_EXECUTE)
537 * Add a ACL_USER or ACL_GROUP permission to an ACL, extending existing ACEs
539 * Add a permission of "type" for user or group "id" to an ACL. Scan the ACL
540 * for existing permissions for this type/id, if there is one add the perm,
541 * otherwise create a new ACL entry.
542 * perm can be or'ed ACL_READ, ACL_WRITE and ACL_EXECUTE.
544 * @param aclp (rw) pointer to ACL
545 * @param type (r) acl_tag_t of ACL_USER or ACL_GROUP
546 * @param id (r) uid_t uid for ACL_USER, or gid casted to uid_t for ACL_GROUP
547 * @param perm (r) acl_perm_t permissions to add
549 * @returns 0 on success, -1 on failure
551 static int posix_acl_add_perm(acl_t *aclp, acl_tag_t type, uid_t id, acl_perm_t perm)
557 int entry_id = ACL_FIRST_ENTRY;
558 acl_permset_t permset;
561 for ( ; (! found) && acl_get_entry(*aclp, entry_id, &e) == 1; entry_id = ACL_NEXT_ENTRY) {
562 EC_ZERO_LOG(acl_get_tag_type(e, &tag));
563 if (tag != ACL_USER && tag != ACL_GROUP)
565 EC_NULL_LOG(eid = (uid_t *)acl_get_qualifier(e));
566 if ((*eid == id) && (type == tag)) {
567 /* found an ACE for this type/id */
569 EC_ZERO_LOG(acl_get_permset(e, &permset));
570 EC_ZERO_LOG(acl_add_perm(permset, perm));
578 /* there was no existing ACE for this type/id */
579 EC_ZERO_LOG(acl_create_entry(aclp, &e));
580 EC_ZERO_LOG(acl_set_tag_type(e, type));
581 EC_ZERO_LOG(acl_set_qualifier(e, &id));
582 EC_ZERO_LOG(acl_get_permset(e, &permset));
583 EC_ZERO_LOG(acl_clear_perms(permset));
584 EC_ZERO_LOG(acl_add_perm(permset, perm));
585 EC_ZERO_LOG(acl_set_permset(e, permset));
589 if (eid) acl_free(eid);
595 * Map Darwin ACL to POSIX ACL.
597 * aclp must point to a acl_init'ed acl_t or an acl_t that can eg contain default ACEs.
598 * Mapping pecularities:
599 * - we create a default ace (which inherits to files and dirs) if either
600 DARWIN_ACE_FLAGS_FILE_INHERIT or DARWIN_ACE_FLAGS_DIRECTORY_INHERIT is requested
601 * - we throw away DARWIN_ACE_FLAGS_LIMIT_INHERIT (can't be mapped), thus the ACL will
604 * @param darwin_aces (r) pointer to darwin_aces buffer
605 * @param def_aclp (rw) directories: pointer to an initialized acl_t with the default acl
606 * files: *def_aclp will be NULL
607 * @param acc_aclp (rw) pointer to an initialized acl_t with the access acl
608 * @param ace_count (r) number of ACEs in darwin_aces buffer
610 * @returns 0 on success storing the result in aclp, -1 on error.
612 static int map_aces_darwin_to_posix(const darwin_ace_t *darwin_aces,
623 uint32_t darwin_ace_flags, darwin_ace_rights;
627 for ( ; ace_count != 0; ace_count--, darwin_aces++) {
628 /* type: allow/deny, posix only has allow */
629 darwin_ace_flags = ntohl(darwin_aces->darwin_ace_flags);
630 if ( ! (darwin_ace_flags & DARWIN_ACE_FLAGS_PERMIT))
633 darwin_ace_rights = ntohl(darwin_aces->darwin_ace_rights);
634 perm = map_darwin_right_to_posix_permset(darwin_ace_rights, (*def_aclp != NULL));
636 continue; /* dont add empty perm */
638 LOG(log_debug, logtype_afpd, "map_ace: no: %u, flags: %08x, darwin: %08x, posix: %02x",
639 ace_count, darwin_ace_flags, darwin_ace_rights, perm);
642 EC_ZERO_LOG(getnamefromuuid(darwin_aces->darwin_ace_uuid, &name, &uuidtype));
645 EC_NULL_LOG(pwd = getpwnam(name));
648 LOG(log_debug, logtype_afpd, "map_ace: name: %s, uid: %u", name, id);
651 EC_NULL_LOG(grp = getgrnam(name));
653 id = (uid_t)(grp->gr_gid);
654 LOG(log_debug, logtype_afpd, "map_ace: name: %s, gid: %u", name, id);
662 if (darwin_ace_flags & DARWIN_ACE_INHERIT_CONTROL_FLAGS) {
663 if (*def_aclp == NULL) {
664 /* ace request inheritane but we haven't got a default acl pointer */
665 LOG(log_warning, logtype_afpd, "map_acl: unexpected ACE, flags: 0x%04x",
669 /* add it as default ace */
670 EC_ZERO_LOG(posix_acl_add_perm(def_aclp, tag, id, perm));
673 if (! (darwin_ace_flags & DARWIN_ACE_FLAGS_ONLY_INHERIT))
674 /* if it not a "inherit only" ace, it must be added as access aces too */
675 EC_ZERO_LOG(posix_acl_add_perm(acc_aclp, tag, id, perm));
677 EC_ZERO_LOG(posix_acl_add_perm(acc_aclp, tag, id, perm));
689 * Map ACEs from POSIX to Darwin.
690 * type is either POSIX_DEFAULT_2_DARWIN or POSIX_ACCESS_2_DARWIN, cf. acl_get_file.
691 * Return number of mapped ACES, -1 on error.
693 static int map_acl_posix_to_darwin(int type, const acl_t acl, darwin_ace_t *darwin_aces)
697 int entry_id = ACL_FIRST_ENTRY;
702 struct passwd *pwd = NULL;
703 struct group *grp = NULL;
705 uint32_t rights, maskrights = 0;
706 darwin_ace_t *saved_darwin_aces = darwin_aces;
708 LOG(log_maxdebug, logtype_afpd, "map_aces_posix_to_darwin(%s)",
709 (type & MAP_MASK) == POSIX_DEFAULT_2_DARWIN ?
710 "POSIX_DEFAULT_2_DARWIN" : "POSIX_ACCESS_2_DARWIN");
712 /* itereate through all ACEs */
713 while (acl_get_entry(acl, entry_id, &e) == 1) {
714 entry_id = ACL_NEXT_ENTRY;
717 EC_ZERO_LOG(acl_get_tag_type(e, &tag));
719 /* we return user and group ACE */
722 EC_NULL_LOG(uid = (uid_t *)acl_get_qualifier(e));
723 EC_NULL_LOG(pwd = getpwuid(*uid));
724 LOG(log_debug, logtype_afpd, "map_aces_posix_to_darwin: uid: %d -> name: %s",
726 EC_ZERO_LOG(getuuidfromname(pwd->pw_name, UUID_USER, darwin_aces->darwin_ace_uuid));
732 EC_NULL_LOG(gid = (gid_t *)acl_get_qualifier(e));
733 EC_NULL_LOG(grp = getgrgid(*gid));
734 LOG(log_debug, logtype_afpd, "map_aces_posix_to_darwin: gid: %d -> name: %s",
736 EC_ZERO_LOG(getuuidfromname(grp->gr_name, UUID_GROUP, darwin_aces->darwin_ace_uuid));
742 maskrights = posix_permset_to_darwin_rights(e, type & IS_DIR);
750 flags = DARWIN_ACE_FLAGS_PERMIT;
751 if ((type & MAP_MASK) == POSIX_DEFAULT_2_DARWIN)
752 flags |= DARWIN_ACE_FLAGS_FILE_INHERIT
753 | DARWIN_ACE_FLAGS_DIRECTORY_INHERIT
754 | DARWIN_ACE_FLAGS_ONLY_INHERIT;
755 darwin_aces->darwin_ace_flags = htonl(flags);
758 rights = posix_permset_to_darwin_rights(e, type & IS_DIR);
759 darwin_aces->darwin_ace_rights = htonl(rights);
765 /* Loop through the mapped ACE buffer once again, applying the mask */
766 for (int i = mapped_aces; i > 0; i--) {
767 saved_darwin_aces->darwin_ace_rights &= htonl(maskrights);
771 EC_STATUS(mapped_aces);
774 if (uid) acl_free(uid);
775 if (gid) acl_free(gid);
781 * Multiplex ACL mapping (SOLARIS_2_DARWIN, DARWIN_2_SOLARIS, POSIX_2_DARWIN, DARWIN_2_POSIX).
782 * Reads from 'aces' buffer, writes to 'rbuf' buffer.
783 * Caller must provide buffer.
784 * Darwin ACEs are read and written in network byte order.
785 * Needs to know how many ACEs are in the ACL (ace_count) for Solaris ACLs.
786 * Ignores trivial ACEs.
787 * Return no of mapped ACEs or -1 on error.
789 static int map_acl(int type, void *acl, darwin_ace_t *buf, int ace_count)
793 LOG(log_debug9, logtype_afpd, "map_acl: BEGIN");
795 switch (type & MAP_MASK) {
797 #ifdef HAVE_SOLARIS_ACLS
798 case SOLARIS_2_DARWIN:
799 mapped_aces = map_aces_solaris_to_darwin( acl, buf, ace_count);
802 case DARWIN_2_SOLARIS:
803 mapped_aces = map_aces_darwin_to_solaris( buf, acl, ace_count);
805 #endif /* HAVE_SOLARIS_ACLS */
807 #ifdef HAVE_POSIX_ACLS
808 case POSIX_DEFAULT_2_DARWIN:
809 mapped_aces = map_acl_posix_to_darwin(type, (const acl_t)acl, buf);
812 case POSIX_ACCESS_2_DARWIN:
813 mapped_aces = map_acl_posix_to_darwin(type, (const acl_t)acl, buf);
816 case DARWIN_2_POSIX_DEFAULT:
819 case DARWIN_2_POSIX_ACCESS:
821 #endif /* HAVE_POSIX_ACLS */
828 LOG(log_debug9, logtype_afpd, "map_acl: END");
832 /* Get ACL from object omitting trivial ACEs. Map to Darwin ACL style and
833 store Darwin ACL at rbuf. Add length of ACL written to rbuf to *rbuflen.
834 Returns 0 on success, -1 on error. */
835 static int get_and_map_acl(char *name, char *rbuf, size_t *rbuflen)
840 uint32_t *darwin_ace_count = (u_int32_t *)rbuf;
841 #ifdef HAVE_SOLARIS_ACLS
845 #ifdef HAVE_POSIX_ACLS
848 LOG(log_debug9, logtype_afpd, "get_and_map_acl: BEGIN");
850 /* Skip length and flags */
855 #ifdef HAVE_SOLARIS_ACLS
856 EC_NEG1(ace_count = get_nfsv4_acl(name, &aces));
857 EC_NEG1(mapped_aces = map_acl(SOLARIS_2_DARWIN, aces, (darwin_ace_t *)rbuf, ace_count));
858 #endif /* HAVE_SOLARIS_ACLS */
860 #ifdef HAVE_POSIX_ACLS
861 acl_t defacl = NULL , accacl = NULL;
863 /* stat to check if its a dir */
864 EC_ZERO_LOG(lstat(name, &st));
866 /* if its a dir, check for default acl too */
868 if (S_ISDIR(st.st_mode)) {
870 EC_NULL_LOG(defacl = acl_get_file(name, ACL_TYPE_DEFAULT));
871 EC_NEG1(mapped_aces = map_acl(POSIX_DEFAULT_2_DARWIN | dirflag,
873 (darwin_ace_t *)rbuf,
877 EC_NULL_LOG(accacl = acl_get_file(name, ACL_TYPE_ACCESS));
880 EC_NEG1(tmp = map_acl(POSIX_ACCESS_2_DARWIN | dirflag,
882 (darwin_ace_t *)(rbuf + mapped_aces * sizeof(darwin_ace_t)),
885 #endif /* HAVE_POSIX_ACLS */
887 LOG(log_debug, logtype_afpd, "get_and_map_acl: mapped %d ACEs", mapped_aces);
889 *darwin_ace_count = htonl(mapped_aces);
890 *rbuflen += sizeof(darwin_acl_header_t) + (mapped_aces * sizeof(darwin_ace_t));
895 #ifdef HAVE_SOLARIS_ACLS
896 if (aces) free(aces);
898 #ifdef HAVE_POSIX_ACLS
899 if (defacl) acl_free(defacl);
900 if (accacl) acl_free(accacl);
901 #endif /* HAVE_POSIX_ACLS */
903 LOG(log_debug9, logtype_afpd, "get_and_map_acl: END");
908 /* Removes all non-trivial ACLs from object. Returns full AFPERR code. */
909 static int remove_acl(const struct vol *vol,const char *path, int dir)
913 #if (defined HAVE_SOLARIS_ACLS || defined HAVE_POSIX_ACLS)
914 /* Ressource etc. first */
915 if ((ret = vol->vfs->vfs_remove_acl(vol, path, dir)) != AFP_OK)
917 /* now the data fork or dir */
918 ret = remove_acl_vfs(path);
925 - the client sends a complete list of ACEs, not only new ones. So we dont need to do
926 any combination business (one exception being 'kFileSec_Inherit': see next)
927 - client might request that we add inherited ACEs via 'kFileSec_Inherit'.
928 We will store inherited ACEs first, which is Darwins canonical order.
929 - returns AFPerror code
931 #ifdef HAVE_SOLARIS_ACLS
932 static int set_acl(const struct vol *vol,
939 int i, nfsv4_ace_count;
940 int tocopy_aces_count = 0, new_aces_count = 0, trivial_ace_count = 0;
941 ace_t *old_aces, *new_aces = NULL;
944 LOG(log_debug9, logtype_afpd, "set_acl: BEGIN");
947 /* inherited + trivial ACEs */
948 flags = ACE_INHERITED_ACE | ACE_OWNER | ACE_GROUP | ACE_EVERYONE;
950 /* only trivial ACEs */
951 flags = ACE_OWNER | ACE_GROUP | ACE_EVERYONE;
953 /* Get existing ACL and count ACEs which have to be copied */
954 if ((nfsv4_ace_count = get_nfsv4_acl(name, &old_aces)) == -1)
956 for ( i=0; i < nfsv4_ace_count; i++) {
957 if (old_aces[i].a_flags & flags)
961 /* Now malloc buffer exactly sized to fit all new ACEs */
962 if ((new_aces = malloc((ace_count + tocopy_aces_count) * sizeof(ace_t))) == NULL) {
963 LOG(log_error, logtype_afpd, "set_acl: malloc %s", strerror(errno));
964 EC_STATUS(AFPERR_MISC);
968 /* Start building new ACL */
970 /* Copy local inherited ACEs. Therefore we have 'Darwin canonical order' (see chmod there):
971 inherited ACEs first. */
973 for (i=0; i < nfsv4_ace_count; i++) {
974 if (old_aces[i].a_flags & ACE_INHERITED_ACE) {
975 memcpy(&new_aces[new_aces_count], &old_aces[i], sizeof(ace_t));
980 LOG(log_debug7, logtype_afpd, "set_acl: copied %d inherited ACEs", new_aces_count);
982 /* Now the ACEs from the client */
983 if ((ret = (map_acl(DARWIN_2_SOLARIS,
984 &new_aces[new_aces_count],
986 ace_count))) == -1) {
987 EC_STATUS(AFPERR_PARAM);
990 new_aces_count += ret;
991 LOG(log_debug7, logtype_afpd, "set_acl: mapped %d ACEs from client", ret);
993 /* Now copy the trivial ACEs */
994 for (i=0; i < nfsv4_ace_count; i++) {
995 if (old_aces[i].a_flags & (ACE_OWNER | ACE_GROUP | ACE_EVERYONE)) {
996 memcpy(&new_aces[new_aces_count], &old_aces[i], sizeof(ace_t));
1001 LOG(log_debug7, logtype_afpd, "set_acl: copied %d trivial ACEs", trivial_ace_count);
1003 /* Ressourcefork first.
1004 Note: for dirs we set the same ACL on the .AppleDouble/.Parent _file_. This
1005 might be strange for ACE_DELETE_CHILD and for inheritance flags. */
1006 if ((ret = (vol->vfs->vfs_acl(vol, name, ACE_SETACL, new_aces_count, new_aces))) != 0) {
1007 LOG(log_error, logtype_afpd, "set_acl: error setting acl: %s", strerror(errno));
1008 if (errno == (EACCES | EPERM))
1009 EC_STATUS(AFPERR_ACCESS);
1010 else if (errno == ENOENT)
1011 EC_STATUS(AFPERR_NOITEM);
1013 EC_STATUS(AFPERR_MISC);
1016 if ((ret = (acl(name, ACE_SETACL, new_aces_count, new_aces))) != 0) {
1017 LOG(log_error, logtype_afpd, "set_acl: error setting acl: %s", strerror(errno));
1018 if (errno == (EACCES | EPERM))
1019 EC_STATUS(AFPERR_ACCESS);
1020 else if (errno == ENOENT)
1021 EC_STATUS(AFPERR_NOITEM);
1023 EC_STATUS(AFPERR_MISC);
1030 if (old_aces) free(old_aces);
1031 if (new_aces) free(new_aces);
1033 LOG(log_debug9, logtype_afpd, "set_acl: END");
1036 #endif /* HAVE_SOLARIS_ACLS */
1038 #ifdef HAVE_POSIX_ACLS
1039 #ifndef HAVE_ACL_FROM_MODE
1040 static acl_t acl_from_mode(mode_t mode)
1044 acl_permset_t permset;
1046 if (!(acl = acl_init(3)))
1049 if (acl_create_entry(&acl, &entry) != 0)
1051 acl_set_tag_type(entry, ACL_USER_OBJ);
1052 acl_get_permset(entry, &permset);
1053 acl_clear_perms(permset);
1055 acl_add_perm(permset, ACL_READ);
1057 acl_add_perm(permset, ACL_WRITE);
1059 acl_add_perm(permset, ACL_EXECUTE);
1060 acl_set_permset(entry, permset);
1062 if (acl_create_entry(&acl, &entry) != 0)
1064 acl_set_tag_type(entry, ACL_GROUP_OBJ);
1065 acl_get_permset(entry, &permset);
1066 acl_clear_perms(permset);
1068 acl_add_perm(permset, ACL_READ);
1070 acl_add_perm(permset, ACL_WRITE);
1072 acl_add_perm(permset, ACL_EXECUTE);
1073 acl_set_permset(entry, permset);
1075 if (acl_create_entry(&acl, &entry) != 0)
1077 acl_set_tag_type(entry, ACL_OTHER);
1078 acl_get_permset(entry, &permset);
1079 acl_clear_perms(permset);
1081 acl_add_perm(permset, ACL_READ);
1083 acl_add_perm(permset, ACL_WRITE);
1085 acl_add_perm(permset, ACL_EXECUTE);
1086 acl_set_permset(entry, permset);
1096 static int set_acl(const struct vol *vol,
1099 darwin_ace_t *daces,
1103 acl_t def_acl = NULL;
1104 acl_t acc_acl = NULL;
1106 LOG(log_maxdebug, logtype_afpd, "set_acl: BEGIN");
1109 EC_ZERO_LOG_ERR(lstat(name, &st), AFPERR_NOOBJ);
1111 /* seed default ACL with access ACL */
1112 if (S_ISDIR(st.st_mode))
1113 EC_NULL_LOG_ERR(def_acl = acl_get_file(name, ACL_TYPE_ACCESS), AFPERR_MISC);
1115 /* for files def_acl will be NULL */
1117 /* create access acl from mode */
1118 EC_NULL_LOG_ERR(acc_acl = acl_from_mode(st.st_mode), AFPERR_MISC);
1120 /* adds the clients aces */
1121 EC_ZERO_ERR(map_aces_darwin_to_posix(daces, &def_acl, &acc_acl, ace_count), AFPERR_MISC);
1123 /* calcuate ACL mask */
1124 EC_ZERO_LOG_ERR(acl_calc_mask(&acc_acl), AFPERR_MISC);
1127 EC_ZERO_LOG_ERR(acl_valid(acc_acl), AFPERR_MISC);
1130 EC_ZERO_LOG_ERR(acl_set_file(name, ACL_TYPE_ACCESS, acc_acl), AFPERR_MISC);
1131 EC_ZERO_LOG_ERR(vol->vfs->vfs_acl(vol, name, ACL_TYPE_ACCESS, 0, acc_acl), AFPERR_MISC);
1134 EC_ZERO_LOG_ERR(acl_set_file(name, ACL_TYPE_DEFAULT, def_acl), AFPERR_MISC);
1135 EC_ZERO_LOG_ERR(vol->vfs->vfs_acl(vol, name, ACL_TYPE_DEFAULT, 0, def_acl), AFPERR_MISC);
1142 LOG(log_maxdebug, logtype_afpd, "set_acl: END");
1145 #endif /* HAVE_POSIX_ACLS */
1148 * Checks if a given UUID has requested_rights(type darwin_ace_rights) for path.
1150 * Note: this gets called frequently and is a good place for optimizations !
1152 * @param vol (r) volume
1153 * @param dir (rw) directory
1154 * @param path (r) path to filesystem object
1155 * @param uuid (r) UUID of user
1156 * @param requested_rights (r) requested Darwin ACE
1158 * @returns AFP result code
1160 static int check_acl_access(const struct vol *vol,
1164 uint32_t requested_rights)
1167 uint32_t allowed_rights = 0;
1168 char *username = NULL;
1169 uuidtype_t uuidtype;
1171 bstring parent = NULL;
1174 LOG(log_maxdebug, logtype_afpd, "check_acl_access(dir: \"%s\", path: \"%s\", curdir: \"%s\", 0x%08x)",
1175 cfrombstr(dir->d_fullpath), path, getcwdpath(), requested_rights);
1177 /* This check is not used anymore, as OS X Server seems to be ignoring too */
1179 /* Get uid or gid from UUID */
1180 EC_ZERO_ERR(getnamefromuuid(uuid, &username, &uuidtype), AFPERR_PARAM);
1185 LOG(log_warning, logtype_afpd, "check_acl_access: afp_access not supported for groups");
1186 EC_STATUS(AFPERR_MISC);
1189 EC_STATUS(AFPERR_MISC);
1194 EC_ZERO_LOG_ERR(lstat(path, &st), AFPERR_PARAM);
1196 is_dir = !strcmp(path, ".");
1198 if (is_dir && (curdir->d_rights_cache != 0xffffffff)) {
1199 /* its a dir and the cache value is valid */
1200 allowed_rights = curdir->d_rights_cache;
1201 LOG(log_debug, logtype_afpd, "check_access: allowed rights from dircache: 0x%08x", allowed_rights);
1203 #ifdef HAVE_SOLARIS_ACLS
1204 EC_ZERO_LOG(solaris_acl_rights(path, &st, &allowed_rights));
1206 #ifdef HAVE_POSIX_ACLS
1207 EC_ZERO_LOG(posix_acl_rights(path, &st, &allowed_rights));
1210 * The DARWIN_ACE_DELETE right might implicitly result from write acces to the parent
1211 * directory. As it seems the 10.6 AFP client is puzzled when this right is not
1212 * allowed where a delete would succeed because the parent dir gives write perms.
1213 * So we check the parent dir for write access and set the right accordingly.
1214 * Currentyl acl2ownermode calls us with dir = NULL, because it doesn't make sense
1215 * there to do this extra check -- afaict.
1217 if (vol && dir && (requested_rights & DARWIN_ACE_DELETE)) {
1219 uint32_t parent_rights = 0;
1221 if (curdir->d_did == DIRDID_ROOT_PARENT) {
1222 /* use volume path */
1223 EC_NULL_LOG_ERR(parent = bfromcstr(vol->v_path), AFPERR_MISC);
1225 /* build path for parent */
1226 EC_NULL_LOG_ERR(parent = bstrcpy(curdir->d_fullpath), AFPERR_MISC);
1227 EC_ZERO_LOG_ERR(bconchar(parent, '/'), AFPERR_MISC);
1228 EC_ZERO_LOG_ERR(bcatcstr(parent, path), AFPERR_MISC);
1229 EC_NEG1_LOG_ERR(i = bstrrchr(parent, '/'), AFPERR_MISC);
1230 EC_ZERO_LOG_ERR(binsertch(parent, i, 1, 0), AFPERR_MISC);
1233 LOG(log_debug, logtype_afpd,"parent: %s", cfrombstr(parent));
1234 EC_ZERO_LOG_ERR(lstat(cfrombstr(parent), &st), AFPERR_MISC);
1236 #ifdef HAVE_SOLARIS_ACLS
1237 EC_ZERO_LOG(solaris_acl_rights(cfrombstr(parent), &st, &parent_rights));
1239 #ifdef HAVE_POSIX_ACLS
1240 EC_ZERO_LOG(posix_acl_rights(path, &st, &parent_rights));
1242 if (parent_rights & (DARWIN_ACE_WRITE_DATA | DARWIN_ACE_DELETE_CHILD))
1243 allowed_rights |= DARWIN_ACE_DELETE; /* man, that was a lot of work! */
1247 /* Without DARWIN_ACE_DELETE set OS X 10.6 refuses to rename subdirectories in a
1250 if (allowed_rights & DARWIN_ACE_ADD_SUBDIRECTORY)
1251 allowed_rights |= DARWIN_ACE_DELETE;
1253 dir->d_rights_cache = allowed_rights;
1255 LOG(log_debug, logtype_afpd, "allowed rights: 0x%08x", allowed_rights);
1258 if ((requested_rights & allowed_rights) != requested_rights) {
1259 LOG(log_debug, logtype_afpd, "some requested right wasn't allowed: 0x%08x / 0x%08x",
1260 requested_rights, allowed_rights);
1261 EC_STATUS(AFPERR_ACCESS);
1263 LOG(log_debug, logtype_afpd, "all requested rights are allowed: 0x%08x",
1269 if (username) free(username);
1270 if (parent) bdestroy(parent);
1275 /********************************************************
1277 ********************************************************/
1279 int afp_access(AFPObj *obj, char *ibuf, size_t ibuflen _U_, char *rbuf _U_, size_t *rbuflen)
1284 uint32_t did, darwin_ace_rights;
1286 struct path *s_path;
1292 memcpy(&vid, ibuf, sizeof( vid ));
1293 ibuf += sizeof(vid);
1294 if (NULL == ( vol = getvolbyvid( vid ))) {
1295 LOG(log_error, logtype_afpd, "afp_access: error getting volid:%d", vid);
1296 return AFPERR_NOOBJ;
1299 memcpy(&did, ibuf, sizeof( did ));
1300 ibuf += sizeof( did );
1301 if (NULL == ( dir = dirlookup( vol, did ))) {
1302 LOG(log_error, logtype_afpd, "afp_access: error getting did:%d", did);
1309 /* Store UUID address */
1310 uuid = (uuidp_t)ibuf;
1311 ibuf += UUID_BINSIZE;
1313 /* Store ACE rights */
1314 memcpy(&darwin_ace_rights, ibuf, 4);
1315 darwin_ace_rights = ntohl(darwin_ace_rights);
1318 /* get full path and handle file/dir subtleties in netatalk code*/
1319 if (NULL == ( s_path = cname( vol, dir, &ibuf ))) {
1320 LOG(log_error, logtype_afpd, "afp_getacl: cname got an error!");
1321 return AFPERR_NOOBJ;
1323 if (!s_path->st_valid)
1324 of_statdir(vol, s_path);
1325 if ( s_path->st_errno != 0 ) {
1326 LOG(log_error, logtype_afpd, "afp_getacl: cant stat");
1327 return AFPERR_NOOBJ;
1330 ret = check_acl_access(vol, dir, s_path->u_name, uuid, darwin_ace_rights);
1335 int afp_getacl(AFPObj *obj, char *ibuf, size_t ibuflen _U_, char *rbuf _U_, size_t *rbuflen)
1341 uint16_t vid, bitmap;
1342 struct path *s_path;
1346 LOG(log_debug9, logtype_afpd, "afp_getacl: BEGIN");
1350 memcpy(&vid, ibuf, sizeof( vid ));
1351 ibuf += sizeof(vid);
1352 if (NULL == ( vol = getvolbyvid( vid ))) {
1353 LOG(log_error, logtype_afpd, "afp_getacl: error getting volid:%d", vid);
1354 return AFPERR_NOOBJ;
1357 memcpy(&did, ibuf, sizeof( did ));
1358 ibuf += sizeof( did );
1359 if (NULL == ( dir = dirlookup( vol, did ))) {
1360 LOG(log_error, logtype_afpd, "afp_getacl: error getting did:%d", did);
1364 memcpy(&bitmap, ibuf, sizeof( bitmap ));
1365 memcpy(rbuf, ibuf, sizeof( bitmap ));
1366 bitmap = ntohs( bitmap );
1367 ibuf += sizeof( bitmap );
1368 rbuf += sizeof( bitmap );
1369 *rbuflen += sizeof( bitmap );
1371 /* skip maxreplysize */
1374 /* get full path and handle file/dir subtleties in netatalk code*/
1375 if (NULL == ( s_path = cname( vol, dir, &ibuf ))) {
1376 LOG(log_error, logtype_afpd, "afp_getacl: cname got an error!");
1377 return AFPERR_NOOBJ;
1379 if (!s_path->st_valid)
1380 of_statdir(vol, s_path);
1381 if ( s_path->st_errno != 0 ) {
1382 LOG(log_error, logtype_afpd, "afp_getacl: cant stat");
1383 return AFPERR_NOOBJ;
1386 /* Shall we return owner UUID ? */
1387 if (bitmap & kFileSec_UUID) {
1388 LOG(log_debug, logtype_afpd, "afp_getacl: client requested files owner user UUID");
1389 if (NULL == (pw = getpwuid(s_path->st.st_uid))) {
1390 LOG(log_debug, logtype_afpd, "afp_getacl: local uid: %u", s_path->st.st_uid);
1391 localuuid_from_id(rbuf, UUID_USER, s_path->st.st_uid);
1393 LOG(log_debug, logtype_afpd, "afp_getacl: got uid: %d, name: %s", s_path->st.st_uid, pw->pw_name);
1394 if ((ret = getuuidfromname(pw->pw_name, UUID_USER, rbuf)) != 0)
1397 rbuf += UUID_BINSIZE;
1398 *rbuflen += UUID_BINSIZE;
1401 /* Shall we return group UUID ? */
1402 if (bitmap & kFileSec_GRPUUID) {
1403 LOG(log_debug, logtype_afpd, "afp_getacl: client requested files owner group UUID");
1404 if (NULL == (gr = getgrgid(s_path->st.st_gid))) {
1405 LOG(log_debug, logtype_afpd, "afp_getacl: local gid: %u", s_path->st.st_gid);
1406 localuuid_from_id(rbuf, UUID_GROUP, s_path->st.st_gid);
1408 LOG(log_debug, logtype_afpd, "afp_getacl: got gid: %d, name: %s", s_path->st.st_gid, gr->gr_name);
1409 if ((ret = getuuidfromname(gr->gr_name, UUID_GROUP, rbuf)) != 0)
1412 rbuf += UUID_BINSIZE;
1413 *rbuflen += UUID_BINSIZE;
1416 /* Shall we return ACL ? */
1417 if (bitmap & kFileSec_ACL) {
1418 LOG(log_debug, logtype_afpd, "afp_getacl: client requested files ACL");
1419 if (get_and_map_acl(s_path->u_name, rbuf, rbuflen) != 0) {
1420 LOG(log_error, logtype_afpd, "afp_getacl(\"%s/%s\"): mapping error",
1421 getcwdpath(), s_path->u_name);
1426 LOG(log_debug9, logtype_afpd, "afp_getacl: END");
1430 int afp_setacl(AFPObj *obj, char *ibuf, size_t ibuflen _U_, char *rbuf _U_, size_t *rbuflen)
1436 uint16_t vid, bitmap;
1437 struct path *s_path;
1439 LOG(log_debug9, logtype_afpd, "afp_setacl: BEGIN");
1443 memcpy(&vid, ibuf, sizeof( vid ));
1444 ibuf += sizeof(vid);
1445 if (NULL == ( vol = getvolbyvid( vid ))) {
1446 LOG(log_error, logtype_afpd, "afp_setacl: error getting volid:%d", vid);
1447 return AFPERR_NOOBJ;
1450 memcpy(&did, ibuf, sizeof( did ));
1451 ibuf += sizeof( did );
1452 if (NULL == ( dir = dirlookup( vol, did ))) {
1453 LOG(log_error, logtype_afpd, "afp_setacl: error getting did:%d", did);
1457 memcpy(&bitmap, ibuf, sizeof( bitmap ));
1458 bitmap = ntohs( bitmap );
1459 ibuf += sizeof( bitmap );
1461 /* get full path and handle file/dir subtleties in netatalk code*/
1462 if (NULL == ( s_path = cname( vol, dir, &ibuf ))) {
1463 LOG(log_error, logtype_afpd, "afp_setacl: cname got an error!");
1464 return AFPERR_NOOBJ;
1466 if (!s_path->st_valid)
1467 of_statdir(vol, s_path);
1468 if ( s_path->st_errno != 0 ) {
1469 LOG(log_error, logtype_afpd, "afp_setacl: cant stat");
1470 return AFPERR_NOOBJ;
1472 LOG(log_debug, logtype_afpd, "afp_setacl: unixname: %s", s_path->u_name);
1475 if ((unsigned long)ibuf & 1)
1478 /* Start processing request */
1480 /* Change owner: dont even try */
1481 if (bitmap & kFileSec_UUID) {
1482 LOG(log_note, logtype_afpd, "afp_setacl: change owner request, discarded");
1483 ret = AFPERR_ACCESS;
1484 ibuf += UUID_BINSIZE;
1487 /* Change group: certain changes might be allowed, so try it. FIXME: not implemented yet. */
1488 if (bitmap & kFileSec_UUID) {
1489 LOG(log_note, logtype_afpd, "afp_setacl: change group request, not supported");
1491 ibuf += UUID_BINSIZE;
1495 if (bitmap & kFileSec_REMOVEACL) {
1496 LOG(log_debug, logtype_afpd, "afp_setacl: Remove ACL request.");
1497 if ((ret = remove_acl(vol, s_path->u_name, S_ISDIR(s_path->st.st_mode))) != AFP_OK)
1498 LOG(log_error, logtype_afpd, "afp_setacl: error from remove_acl");
1502 if (bitmap & kFileSec_ACL) {
1503 LOG(log_debug, logtype_afpd, "afp_setacl: Change ACL request.");
1504 /* Get no of ACEs the client put on the wire */
1506 memcpy(&ace_count, ibuf, sizeof(uint32_t));
1507 ace_count = htonl(ace_count);
1508 ibuf += 8; /* skip ACL flags (see acls.h) */
1512 (bitmap & kFileSec_Inherit),
1513 (darwin_ace_t *)ibuf,
1518 LOG(log_warning, logtype_afpd, "afp_setacl(\"%s/%s\"): error",
1519 getcwdpath(), s_path->u_name);
1524 LOG(log_debug9, logtype_afpd, "afp_setacl: END");
1528 /********************************************************************
1529 * ACL funcs interfacing with other parts
1530 ********************************************************************/
1533 * map ACL to user maccess
1535 * This is the magic function that makes ACLs usable by calculating
1536 * the access granted by ACEs to the logged in user.
1538 int acltoownermode(char *path, struct stat *st, struct maccess *ma)
1541 uint32_t rights = 0;
1543 if ( ! (AFPobj->options.flags & OPTION_ACL2MACCESS)
1544 || (current_vol == NULL)
1545 || ! (current_vol->v_flags & AFPVOL_ACLS))
1548 LOG(log_maxdebug, logtype_afpd, "acltoownermode(\"%s/%s\", 0x%02x)",
1549 getcwdpath(), path, ma->ma_user);
1551 #ifdef HAVE_SOLARIS_ACLS
1552 EC_ZERO_LOG(solaris_acl_rights(path, st, &rights));
1554 #ifdef HAVE_POSIX_ACLS
1555 EC_ZERO_LOG(posix_acl_rights(path, st, &rights));
1558 LOG(log_maxdebug, logtype_afpd, "rights: 0x%08x", rights);
1560 if (rights & DARWIN_ACE_READ_DATA)
1561 ma->ma_user |= AR_UREAD;
1562 if (rights & DARWIN_ACE_WRITE_DATA)
1563 ma->ma_user |= AR_UWRITE;
1564 if (rights & (DARWIN_ACE_EXECUTE | DARWIN_ACE_SEARCH))
1565 ma->ma_user |= AR_USEARCH;
1567 LOG(log_maxdebug, logtype_afpd, "resulting user maccess: 0x%02x", ma->ma_user);
1574 * Check whether a volume supports ACLs
1576 * @param vol (r) volume
1578 * @returns 0 if not, 1 if yes
1580 int check_vol_acl_support(const struct vol *vol)
1584 #ifdef HAVE_SOLARIS_ACLS
1587 if (get_nfsv4_acl(vol->v_path, &aces) == -1)
1590 #ifdef HAVE_POSIX_ACLS
1593 if ((acl = acl_get_file(vol->v_path, ACL_TYPE_ACCESS)) == NULL)
1597 #ifdef HAVE_SOLARIS_ACLS
1598 if (aces) free(aces);
1600 #ifdef HAVE_POSIX_ACLS
1601 if (acl) acl_free(acl);
1602 #endif /* HAVE_POSIX_ACLS */
1604 LOG(log_debug, logtype_afpd, "Volume \"%s\" ACL support: %s",
1605 vol->v_path, ret ? "yes" : "no");