2 * Copyright (c) 2001 Chris D. Faulhaber
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 #include <sys/cdefs.h>
28 #include <sys/param.h>
30 #include <sys/queue.h>
45 #define OP_MERGE_ACL 0x00 /* merge acl's (-mM) */
46 #define OP_REMOVE_DEF 0x01 /* remove default acl's (-k) */
47 #define OP_REMOVE_EXT 0x02 /* remove extended acl's (-b) */
48 #define OP_REMOVE_ACL 0x03 /* remove acl's (-xX) */
49 #define OP_REMOVE_BY_NUMBER 0x04 /* remove acl's (-xX) by acl entry number */
50 #define OP_ADD_ACL 0x05 /* add acls entries at a given position */
52 /* TAILQ entry for acl operations */
57 TAILQ_ENTRY(sf_entry) next;
59 static TAILQ_HEAD(, sf_entry) entrylist;
68 static bool need_mask;
69 static acl_type_t acl_type = ACL_TYPE_ACCESS;
71 static int handle_file(FTS *ftsp, FTSENT *file);
72 static acl_t clear_inheritance_flags(acl_t acl);
73 static char **stdin_files(void);
74 static void usage(void);
80 fprintf(stderr, "usage: setfacl [-R [-H | -L | -P]] [-bdhkn] "
81 "[-a position entries] [-m entries] [-M file] "
82 "[-x entries] [-X file] [file ...]\n");
90 char filename[PATH_MAX];
94 err(1, "cannot have more than one stdin");
98 bzero(&filename, sizeof(filename));
99 /* Start with an array size sufficient for basic cases. */
101 files_list = zmalloc(fl_count * sizeof(char *));
102 while (fgets(filename, (int)sizeof(filename), stdin)) {
104 filename[strlen(filename) - 1] = '\0';
105 files_list[i] = strdup(filename);
106 if (files_list[i] == NULL)
107 err(1, "strdup() failed");
108 /* Grow array if necessary. */
109 if (++i == fl_count) {
111 if (fl_count > SIZE_MAX / sizeof(char *))
112 errx(1, "Too many input files");
113 files_list = zrealloc(files_list,
114 fl_count * sizeof(char *));
118 /* fts_open() requires the last array element to be NULL. */
119 files_list[i] = NULL;
125 * Remove any inheritance flags from NFSv4 ACLs when running in recursive
126 * mode. This is to avoid files being assigned identical ACLs to their
127 * parent directory while also being set to inherit them.
129 * The acl argument is assumed to be valid.
132 clear_inheritance_flags(acl_t acl)
135 acl_entry_t acl_entry;
136 acl_flagset_t acl_flagset;
137 int acl_brand, entry_id;
139 (void)acl_get_brand_np(acl, &acl_brand);
140 if (acl_brand != ACL_BRAND_NFS4)
145 warn("acl_dup() failed");
149 entry_id = ACL_FIRST_ENTRY;
150 while (acl_get_entry(nacl, entry_id, &acl_entry) == 1) {
151 entry_id = ACL_NEXT_ENTRY;
152 if (acl_get_flagset_np(acl_entry, &acl_flagset) != 0) {
153 warn("acl_get_flagset_np() failed");
156 if (acl_get_flag_np(acl_flagset, ACL_ENTRY_INHERIT_ONLY) == 1) {
157 if (acl_delete_entry(nacl, acl_entry) != 0)
158 warn("acl_delete_entry() failed");
161 if (acl_delete_flag_np(acl_flagset,
162 ACL_ENTRY_FILE_INHERIT |
163 ACL_ENTRY_DIRECTORY_INHERIT |
164 ACL_ENTRY_NO_PROPAGATE_INHERIT) != 0)
165 warn("acl_delete_flag_np() failed");
172 handle_file(FTS *ftsp, FTSENT *file)
175 acl_entry_t unused_entry;
176 int local_error, ret;
177 struct sf_entry *entry;
181 switch (file->fts_info) {
183 /* Do not recurse if -R not specified. */
185 fts_set(ftsp, file, FTS_SKIP);
188 /* Skip the second visit to a directory. */
192 warnx("%s: %s", file->fts_path, strerror(file->fts_errno));
198 if (acl_type == ACL_TYPE_DEFAULT && file->fts_info != FTS_D) {
199 warnx("%s: default ACL may only be set on a directory",
204 follow_symlink = (!R_flag && !h_flag) || (R_flag && L_flag) ||
205 (R_flag && H_flag && file->fts_level == FTS_ROOTLEVEL);
208 ret = pathconf(file->fts_accpath, _PC_ACL_NFS4);
210 ret = lpathconf(file->fts_accpath, _PC_ACL_NFS4);
212 if (acl_type == ACL_TYPE_DEFAULT) {
213 warnx("%s: there are no default entries in NFSv4 ACLs",
217 acl_type = ACL_TYPE_NFS4;
218 } else if (ret == 0) {
219 if (acl_type == ACL_TYPE_NFS4)
220 acl_type = ACL_TYPE_ACCESS;
221 } else if (ret < 0 && errno != EINVAL && errno != ENOENT) {
222 warn("%s: pathconf(_PC_ACL_NFS4) failed",
227 acl = acl_get_file(file->fts_accpath, acl_type);
229 acl = acl_get_link_np(file->fts_accpath, acl_type);
232 warn("%s: acl_get_file() failed", file->fts_path);
234 warn("%s: acl_get_link_np() failed", file->fts_path);
238 /* Cycle through each option. */
239 TAILQ_FOREACH(entry, &entrylist, next) {
243 if (R_flag && file->fts_info != FTS_D &&
244 acl_type == ACL_TYPE_NFS4)
245 nacl = clear_inheritance_flags(nacl);
246 local_error += add_acl(nacl, entry->entry_number, &acl,
250 if (R_flag && file->fts_info != FTS_D &&
251 acl_type == ACL_TYPE_NFS4)
252 nacl = clear_inheritance_flags(nacl);
253 local_error += merge_acl(nacl, &acl, file->fts_path);
258 * Don't try to call remove_ext() for empty
261 if (acl_type == ACL_TYPE_DEFAULT &&
262 acl_get_entry(acl, ACL_FIRST_ENTRY,
263 &unused_entry) == 0) {
264 local_error += remove_default(&acl,
268 remove_ext(&acl, file->fts_path);
272 if (acl_type == ACL_TYPE_NFS4) {
273 warnx("%s: there are no default entries in "
274 "NFSv4 ACLs; cannot remove",
279 if (acl_delete_def_file(file->fts_accpath) == -1) {
280 warn("%s: acl_delete_def_file() failed",
284 if (acl_type == ACL_TYPE_DEFAULT)
285 local_error += remove_default(&acl,
290 local_error += remove_acl(nacl, &acl, file->fts_path);
293 case OP_REMOVE_BY_NUMBER:
294 local_error += remove_by_number(entry->entry_number,
295 &acl, file->fts_path);
300 if (nacl != entry->acl) {
311 * Don't try to set an empty default ACL; it will always fail.
312 * Use acl_delete_def_file(3) instead.
314 if (acl_type == ACL_TYPE_DEFAULT &&
315 acl_get_entry(acl, ACL_FIRST_ENTRY, &unused_entry) == 0) {
316 if (acl_delete_def_file(file->fts_accpath) == -1) {
317 warn("%s: acl_delete_def_file() failed",
324 /* Don't bother setting the ACL if something is broken. */
327 } else if (acl_type != ACL_TYPE_NFS4 && need_mask &&
328 set_acl_mask(&acl, file->fts_path) == -1) {
329 warnx("%s: failed to set ACL mask", file->fts_path);
331 } else if (follow_symlink) {
332 if (acl_set_file(file->fts_accpath, acl_type, acl) == -1) {
333 warn("%s: acl_set_file() failed", file->fts_path);
337 if (acl_set_link_np(file->fts_accpath, acl_type, acl) == -1) {
338 warn("%s: acl_set_link_np() failed", file->fts_path);
349 main(int argc, char *argv[])
351 int carried_error, ch, entry_number, fts_options;
355 struct sf_entry *entry;
358 acl_type = ACL_TYPE_ACCESS;
359 carried_error = fts_options = 0;
360 have_mask = have_stdin = n_flag = false;
362 TAILQ_INIT(&entrylist);
364 while ((ch = getopt(argc, argv, "HLM:PRX:a:bdhkm:nx:")) != -1)
375 entry = zmalloc(sizeof(struct sf_entry));
376 entry->acl = get_acl_from_file(optarg);
377 if (entry->acl == NULL)
378 err(1, "%s: get_acl_from_file() failed",
380 entry->op = OP_MERGE_ACL;
381 TAILQ_INSERT_TAIL(&entrylist, entry, next);
384 H_flag = L_flag = false;
390 entry = zmalloc(sizeof(struct sf_entry));
391 entry->acl = get_acl_from_file(optarg);
392 entry->op = OP_REMOVE_ACL;
393 TAILQ_INSERT_TAIL(&entrylist, entry, next);
396 entry = zmalloc(sizeof(struct sf_entry));
398 entry_number = strtol(optarg, &end, 10);
399 if (end - optarg != (int)strlen(optarg))
400 errx(1, "%s: invalid entry number", optarg);
401 if (entry_number < 0)
403 "%s: entry number cannot be less than zero",
405 entry->entry_number = entry_number;
407 if (argv[optind] == NULL)
408 errx(1, "missing ACL");
409 entry->acl = acl_from_text(argv[optind]);
410 if (entry->acl == NULL)
411 err(1, "%s", argv[optind]);
413 entry->op = OP_ADD_ACL;
414 TAILQ_INSERT_TAIL(&entrylist, entry, next);
417 entry = zmalloc(sizeof(struct sf_entry));
418 entry->op = OP_REMOVE_EXT;
419 TAILQ_INSERT_TAIL(&entrylist, entry, next);
422 acl_type = ACL_TYPE_DEFAULT;
428 entry = zmalloc(sizeof(struct sf_entry));
429 entry->op = OP_REMOVE_DEF;
430 TAILQ_INSERT_TAIL(&entrylist, entry, next);
433 entry = zmalloc(sizeof(struct sf_entry));
434 entry->acl = acl_from_text(optarg);
435 if (entry->acl == NULL)
436 err(1, "%s", optarg);
437 entry->op = OP_MERGE_ACL;
438 TAILQ_INSERT_TAIL(&entrylist, entry, next);
444 entry = zmalloc(sizeof(struct sf_entry));
445 entry_number = strtol(optarg, &end, 10);
446 if (end - optarg == (int)strlen(optarg)) {
447 if (entry_number < 0)
449 "%s: entry number cannot be less than zero",
451 entry->entry_number = entry_number;
452 entry->op = OP_REMOVE_BY_NUMBER;
454 entry->acl = acl_from_text(optarg);
455 if (entry->acl == NULL)
456 err(1, "%s", optarg);
457 entry->op = OP_REMOVE_ACL;
459 TAILQ_INSERT_TAIL(&entrylist, entry, next);
468 if (!n_flag && TAILQ_EMPTY(&entrylist))
471 /* Take list of files from stdin. */
472 if (argc == 0 || strcmp(argv[0], "-") == 0) {
473 files_list = stdin_files();
479 errx(1, "the -R and -h options may not be "
480 "specified together.");
482 fts_options = FTS_LOGICAL;
484 fts_options = FTS_PHYSICAL;
487 fts_options |= FTS_COMFOLLOW;
491 fts_options = FTS_PHYSICAL;
493 fts_options = FTS_LOGICAL;
496 /* Open all files. */
497 if ((ftsp = fts_open(files_list, fts_options | FTS_NOSTAT, 0)) == NULL)
499 while (errno = 0, (file = fts_read(ftsp)) != NULL)
500 carried_error += handle_file(ftsp, file);
504 return (carried_error);