2 Copyright (c) 2010 Frank Lahm <franklahm@gmail.com>
3 Copyright (c) 2011 Laura Mueller <laura-mueller@uni-duesseldorf.de>
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; either version 2 of the License, or
8 (at your option) any later version.
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
18 #endif /* HAVE_CONFIG_H */
23 #include <sys/types.h>
32 #include <atalk/logger.h>
33 #include <atalk/afp.h>
34 #include <atalk/util.h>
35 #include <atalk/acl.h>
36 #include <atalk/unix.h>
38 #ifdef HAVE_SOLARIS_ACLS
40 /* Get ACL. Allocates storage as needed. Caller must free.
41 * Returns no of ACEs or -1 on error. */
42 int get_nfsv4_acl(const char *name, ace_t **retAces)
49 /* Only call acl() for regular files and directories, otherwise just return 0 */
50 if (lstat(name, &st) != 0) {
51 LOG(log_debug, logtype_afpd, "get_nfsv4_acl(\"%s/%s\"): %s", getcwdpath(), name, strerror(errno));
55 if (S_ISLNK(st.st_mode))
56 /* sorry, no ACLs for symlinks */
59 if ( ! (S_ISREG(st.st_mode) || S_ISDIR(st.st_mode))) {
60 LOG(log_debug, logtype_afpd, "get_nfsv4_acl(\"%s/%s\"): special", getcwdpath(), name);
64 if ((ace_count = acl(name, ACE_GETACLCNT, 0, NULL)) == 0) {
65 LOG(log_debug, logtype_afpd, "get_nfsv4_acl(\"%s/%s\"): 0 ACEs", getcwdpath(), name);
69 if (ace_count == -1) {
70 LOG(log_debug, logtype_afpd, "get_nfsv4_acl: acl('%s/%s', ACE_GETACLCNT): ace_count %i, error: %s",
71 getcwdpath(), name, ace_count, strerror(errno));
75 aces = malloc(ace_count * sizeof(ace_t));
77 LOG(log_error, logtype_afpd, "get_nfsv4_acl: malloc error");
81 if ( (acl(name, ACE_GETACL, ace_count, aces)) == -1 ) {
82 LOG(log_error, logtype_afpd, "get_nfsv4_acl: acl(ACE_GETACL) error");
87 LOG(log_debug9, logtype_afpd, "get_nfsv4_acl: file: %s -> No. of ACEs: %d", name, ace_count);
96 ace_t *concat_aces(ace_t *aces1, int ace1count, ace_t *aces2, int ace2count)
101 /* malloc buffer for new ACL */
102 if ((new_aces = malloc((ace1count + ace2count) * sizeof(ace_t))) == NULL) {
103 LOG(log_error, logtype_afpd, "combine_aces: malloc %s", strerror(errno));
107 /* Copy ACEs from buf1 */
108 for (i=0; i < ace1count; ) {
109 memcpy(&new_aces[i], &aces1[i], sizeof(ace_t));
115 /* Copy ACEs from buf2 */
116 for (i=0; i < ace2count; ) {
117 memcpy(&new_aces[j], &aces2[i], sizeof(ace_t));
125 Remove any trivial ACE "in-place". Returns no of non-trivial ACEs
127 int strip_trivial_aces(ace_t **saces, int sacecount)
131 ace_t *aces = *saces;
134 if (aces == NULL || sacecount <= 0)
137 /* Count non-trivial ACEs */
138 for (i=0; i < sacecount; ) {
139 if ( ! (aces[i].a_flags & (ACE_OWNER | ACE_GROUP | ACE_EVERYONE)))
143 /* malloc buffer for new ACL */
144 if ((new_aces = malloc(nontrivaces * sizeof(ace_t))) == NULL) {
145 LOG(log_error, logtype_afpd, "strip_trivial_aces: malloc %s", strerror(errno));
149 /* Copy non-trivial ACEs */
150 for (i=0, j=0; i < sacecount; ) {
151 if ( ! (aces[i].a_flags & (ACE_OWNER | ACE_GROUP | ACE_EVERYONE))) {
152 memcpy(&new_aces[j], &aces[i], sizeof(ace_t));
161 LOG(log_debug7, logtype_afpd, "strip_trivial_aces: non-trivial ACEs: %d", nontrivaces);
167 Remove non-trivial ACEs "in-place". Returns no of trivial ACEs.
169 int strip_nontrivial_aces(ace_t **saces, int sacecount)
173 ace_t *aces = *saces;
176 /* Count trivial ACEs */
177 for (i=0; i < sacecount; ) {
178 if ((aces[i].a_flags & (ACE_OWNER | ACE_GROUP | ACE_EVERYONE)))
182 /* malloc buffer for new ACL */
183 if ((new_aces = malloc(trivaces * sizeof(ace_t))) == NULL) {
184 LOG(log_error, logtype_afpd, "strip_nontrivial_aces: malloc %s", strerror(errno));
188 /* Copy trivial ACEs */
189 for (i=0, j=0; i < sacecount; ) {
190 if ((aces[i].a_flags & (ACE_OWNER | ACE_GROUP | ACE_EVERYONE))) {
191 memcpy(&new_aces[j], &aces[i], sizeof(ace_t));
200 LOG(log_debug7, logtype_afpd, "strip_nontrivial_aces: trivial ACEs: %d", trivaces);
206 * Change mode of file preserving existing explicit ACEs
209 * (1) reads objects ACL (acl1), may return 0 or -1 NFSv4 ACEs on eg UFS fs
210 * (2) removes all trivial ACEs from the ACL by calling strip_trivial_aces(), possibly
211 * leaving 0 ACEs in the ACL if there were only trivial ACEs as mapped from the mode
212 * (3) calls chmod() with mode, we're done if step (1) returned 0 for noaces
213 * (4) reads the changed ACL (acl2) which
214 * a) might still contain explicit ACEs (up to onnv132)
215 * b) will have any explicit ACE removed (starting with onnv145/Openindiana)
216 * (5) strip any explicit ACE from acl2 using strip_nontrivial_aces()
217 * (6) merge acl2 and acl2
218 * (7) set the ACL merged ACL on the object
220 int nfsv4_chmod(char *name, mode_t mode)
224 ace_t *oacl = NULL, *nacl = NULL, *cacl = NULL;
226 LOG(log_debug, logtype_afpd, "nfsv4_chmod(\"%s/%s\", %04o)",
227 getcwdpath(), name, mode);
229 if ((noaces = get_nfsv4_acl(name, &oacl)) < 1) /* (1) */
230 return chmod(name, mode);
232 if ((noaces = strip_trivial_aces(&oacl, noaces)) == -1) /* (2) */
235 if (chmod(name, mode) != 0) /* (3) */
238 if ((nnaces = get_nfsv4_acl(name, &nacl)) == -1) {/* (4) */
242 nnaces = get_nfsv4_acl(name, &nacl);
248 if ((nnaces = strip_nontrivial_aces(&nacl, nnaces)) == -1) /* (5) */
251 if ((cacl = concat_aces(oacl, noaces, nacl, nnaces)) == NULL) /* (6) */
254 if ((ret = acl(name, ACE_SETACL, noaces + nnaces, cacl)) != 0) {
255 if (errno != EACCES) {
256 LOG(log_error, logtype_afpd, "nfsv4_chmod: error setting acl: %s", strerror(errno));
260 ret = acl(name, ACE_SETACL, noaces + nnaces, cacl);
263 LOG(log_error, logtype_afpd, "nfsv4_chmod: error setting acl: %s", strerror(errno));
269 if (oacl) free(oacl);
270 if (nacl) free(nacl);
271 if (cacl) free(cacl);
273 LOG(log_debug, logtype_afpd, "nfsv4_chmod(\"%s/%s\", %04o): result: %d",
274 getcwdpath(), name, mode, ret);
279 #endif /* HAVE_SOLARIS_ACLS */
281 #ifdef HAVE_POSIX_ACLS
283 /* This is a workaround for chmod() on filestystems supporting Posix 1003.1e draft 17
284 * compliant ACLs. For objects with extented ACLs, eg objects with an ACL_MASK entry,
285 * chmod() manipulates ACL_MASK instead of ACL_GROUP_OBJ. As OS X isn't aware of
286 * this behavior calling FPSetFileDirParms may lead to unpredictable results. For
287 * more information see section 23.1.2 of Posix 1003.1e draft 17.
289 * posix_chmod() accepts the same arguments as chmod() and returns 0 in case of
290 * success or -1 in case something went wrong.
293 #define SEARCH_GROUP_OBJ 0x01
294 #define SEARCH_MASK 0x02
296 int posix_chmod(const char *name, mode_t mode) {
298 int entry_id = ACL_FIRST_ENTRY;
300 acl_entry_t group_entry;
303 u_char not_found = (SEARCH_GROUP_OBJ|SEARCH_MASK); /* used as flags */
305 LOG(log_maxdebug, logtype_afpd, "posix_chmod: %s mode: 0x%08x", name, mode);
307 /* Call chmod() first because there might be some special bits to be set which
308 * aren't related to access control.
310 ret = chmod(name, mode);
315 /* Check if the underlying filesystem supports ACLs. */
316 acl = acl_get_file(name, ACL_TYPE_ACCESS);
319 /* There is no need to keep iterating once we have found ACL_GROUP_OBJ and ACL_MASK. */
320 while ((acl_get_entry(acl, entry_id, &entry) == 1) && not_found) {
321 entry_id = ACL_NEXT_ENTRY;
323 ret = acl_get_tag_type(entry, &tag);
326 LOG(log_error, logtype_afpd, "posix_chmod: Failed to get tag type.");
333 not_found &= ~SEARCH_GROUP_OBJ;
337 not_found &= ~SEARCH_MASK;
345 /* The filesystem object has extented ACLs. We have to update ACL_GROUP_OBJ
346 * with the group permissions.
348 acl_permset_t permset;
351 ret = acl_get_permset(group_entry, &permset);
354 LOG(log_error, logtype_afpd, "posix_chmod: Can't get permset.");
357 ret = acl_clear_perms(permset);
371 ret = acl_add_perm(permset, perm);
376 ret = acl_set_permset(group_entry, permset);
379 LOG(log_error, logtype_afpd, "posix_chmod: Can't set permset.");
382 /* also update ACL_MASK */
383 ret = acl_calc_mask(&acl);
386 LOG(log_error, logtype_afpd, "posix_chmod: acl_calc_mask failed.");
389 ret = acl_set_file(name, ACL_TYPE_ACCESS, acl);
395 LOG(log_maxdebug, logtype_afpd, "posix_chmod: %d", ret);
400 * posix_fchmod() accepts the same arguments as fchmod() and returns 0 in case of
401 * success or -1 in case something went wrong.
403 int posix_fchmod(int fd, mode_t mode) {
405 int entry_id = ACL_FIRST_ENTRY;
407 acl_entry_t group_entry;
410 u_char not_found = (SEARCH_GROUP_OBJ|SEARCH_MASK); /* used as flags */
412 /* Call chmod() first because there might be some special bits to be set which
413 * aren't related to access control.
415 ret = fchmod(fd, mode);
420 /* Check if the underlying filesystem supports ACLs. */
421 acl = acl_get_fd(fd);
424 /* There is no need to keep iterating once we have found ACL_GROUP_OBJ and ACL_MASK. */
425 while ((acl_get_entry(acl, entry_id, &entry) == 1) && not_found) {
426 entry_id = ACL_NEXT_ENTRY;
428 ret = acl_get_tag_type(entry, &tag);
431 LOG(log_error, logtype_afpd, "posix_fchmod: Failed to get tag type.");
438 not_found &= ~SEARCH_GROUP_OBJ;
442 not_found &= ~SEARCH_MASK;
450 /* The filesystem object has extented ACLs. We have to update ACL_GROUP_OBJ
451 * with the group permissions.
453 acl_permset_t permset;
456 ret = acl_get_permset(group_entry, &permset);
459 LOG(log_error, logtype_afpd, "posix_fchmod: Can't get permset.");
462 ret = acl_clear_perms(permset);
476 ret = acl_add_perm(permset, perm);
481 ret = acl_set_permset(group_entry, permset);
484 LOG(log_error, logtype_afpd, "posix_fchmod: Can't set permset.");
487 /* also update ACL_MASK */
488 ret = acl_calc_mask(&acl);
491 LOG(log_error, logtype_afpd, "posix_fchmod: acl_calc_mask failed.");
494 ret = acl_set_fd(fd, acl);
503 #endif /* HAVE_POSIX_ACLS */
505 #endif /* HAVE_ACLS */
projects / netatalk.git / blob