2 * Copyright (c) 1999 Robert N. M. Watson
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * Support functionality for the POSIX.1e ACL interface
30 * These calls are intended only to be called within the library.
33 #include <sys/types.h>
41 #include "acl_support.h"
43 #define ACL_STRING_PERM_WRITE 'w'
44 #define ACL_STRING_PERM_READ 'r'
45 #define ACL_STRING_PERM_EXEC 'x'
46 #define ACL_STRING_PERM_NONE '-'
49 * acl_entry_compare -- compare two acl_entry structures to determine the
50 * order they should appear in. Used by acl_sort to sort ACL entries into
51 * the kernel-desired order -- i.e., the order useful for evaluation and
52 * O(n) validity checking. Beter to have an O(nlogn) sort in userland and
53 * an O(n) in kernel than to have both in kernel.
55 typedef int (*compare)(const void *, const void *);
57 acl_entry_compare(struct acl_entry *a, struct acl_entry *b)
60 * First, sort between tags -- conveniently defined in the correct
61 * order for verification.
63 if (a->ae_tag < b->ae_tag)
65 if (a->ae_tag > b->ae_tag)
69 * Next compare uids/gids on appropriate types.
72 if (a->ae_tag == ACL_USER || a->ae_tag == ACL_GROUP) {
73 if (a->ae_id < b->ae_id)
75 if (a->ae_id > b->ae_id)
78 /* shouldn't be equal, fall through to the invalid case */
82 * Don't know how to sort multiple entries of the rest--either it's
83 * a bad entry, or there shouldn't be more than one. Ignore and the
84 * validity checker can get it later.
91 * acl_sort -- sort ACL entries.
92 * Give the opportunity to fail, althouh we don't currently have a way
99 qsort(&acl->acl_entry[0], acl->acl_cnt, sizeof(struct acl_entry),
100 (compare) acl_entry_compare);
107 * acl_posix1e -- use a heuristic to determine if this is a POSIX.1e
108 * semantics ACL. This will be used by other routines to determine if
109 * they should call acl_sort() on the ACL before submitting to the kernel,
110 * as the POSIX.1e ACL semantics code requires sorted ACL submission.
111 * Also, acl_valid will use this to determine if it understands the
112 * semantics enough to check that the ACL is correct.
115 acl_posix1e(acl_t acl)
119 /* assume it's POSIX.1e, and return 0 if otherwise */
121 for (i = 0; i < acl->acl_cnt; i++) {
122 /* is the tag type POSIX.1e? */
123 switch(acl->acl_entry[i].ae_tag) {
136 /* are the permissions POSIX.1e, or FreeBSD extensions? */
137 if (((acl->acl_entry[i].ae_perm | ACL_POSIX1E_BITS) !=
139 ((acl->acl_entry[i].ae_perm | ACL_PERM_BITS) !=
149 * acl_check -- given an ACL, check its validity. This is mirrored from
150 * code in sys/kern/kern_acl.c, and if changes are made in one, they should
151 * be made in the other also. This copy of acl_check is made available
152 * in userland for the benefit of processes wanting to check ACLs for
153 * validity before submitting them to the kernel, or for performing
154 * in userland file system checking. Needless to say, the kernel makes
155 * the real checks on calls to get/setacl.
157 * See the comments in kernel for explanation -- just briefly, it assumes
158 * an already sorted ACL, and checks based on that assumption. The
159 * POSIX.1e interface, acl_valid(), will perform the sort before calling
160 * this. Returns 0 on success, EINVAL on failure.
163 acl_check(struct acl *acl)
165 struct acl_entry *entry; /* current entry */
166 uid_t obj_uid=-1, obj_gid=-1, highest_uid=0, highest_gid=0;
167 int stage = ACL_USER_OBJ;
169 int count_user_obj=0, count_user=0, count_group_obj=0,
170 count_group=0, count_mask=0, count_other=0;
172 /* printf("acl_check: checking acl with %d entries\n", acl->acl_cnt); */
173 while (i < acl->acl_cnt) {
175 entry = &acl->acl_entry[i];
177 if ((entry->ae_perm | ACL_PERM_BITS) != ACL_PERM_BITS)
180 switch(entry->ae_tag) {
182 /* printf("acl_check: %d: ACL_USER_OBJ\n", i); */
183 if (stage > ACL_USER_OBJ)
187 obj_uid = entry->ae_id;
191 /* printf("acl_check: %d: ACL_USER\n", i); */
192 if (stage > ACL_USER)
195 if (entry->ae_id == obj_uid)
197 if (count_user && (entry->ae_id <= highest_uid))
199 highest_uid = entry->ae_id;
204 /* printf("acl_check: %d: ACL_GROUP_OBJ\n", i); */
205 if (stage > ACL_GROUP_OBJ)
209 obj_gid = entry->ae_id;
213 /* printf("acl_check: %d: ACL_GROUP\n", i); */
214 if (stage > ACL_GROUP)
217 if (entry->ae_id == obj_gid)
219 if (count_group && (entry->ae_id <= highest_gid))
221 highest_gid = entry->ae_id;
226 /* printf("acl_check: %d: ACL_MASK\n", i); */
227 if (stage > ACL_MASK)
234 /* printf("acl_check: %d: ACL_OTHER\n", i); */
235 if (stage > ACL_OTHER)
242 /* printf("acl_check: %d: INVALID\n", i); */
248 if (count_user_obj != 1)
251 if (count_group_obj != 1)
254 if (count_mask != 0 && count_mask != 1)
257 if (count_other != 1)
265 * Given a uid/gid, return a username/groupname for the text form of an ACL
266 * XXX NOT THREAD SAFE, RELIES ON GETPWUID, GETGRGID
267 * XXX USES *PW* AND *GR* WHICH ARE STATEFUL AND THEREFORE THIS ROUTINE
268 * MAY HAVE SIDE-EFFECTS
271 acl_id_to_name(acl_tag_t tag, uid_t id, ssize_t buf_len, char *buf)
281 i = snprintf(buf, buf_len, "%d", id);
283 i = snprintf(buf, buf_len, "%s", p->pw_name);
294 i = snprintf(buf, buf_len, "%d", id);
296 i = snprintf(buf, buf_len, "%s", g->gr_name);
311 * Given a username/groupname from a text form of an ACL, return the uid/gid
312 * XXX NOT THREAD SAFE, RELIES ON GETPWNAM, GETGRNAM
313 * XXX USES *PW* AND *GR* WHICH ARE STATEFUL AND THEREFORE THIS ROUTINE
314 * MAY HAVE SIDE-EFFECTS
316 * XXX currently doesn't deal correctly with a numeric uid being passed
317 * instead of a username. What is correct behavior here? Check chown.
320 acl_name_to_id(acl_tag_t tag, char *name, uid_t *id)
351 * Given a right-shifted permission (i.e., direct ACL_PERM_* mask), fill
352 * in a string describing the permissions.
355 acl_perm_to_string(acl_perm_t perm, ssize_t buf_len, char *buf)
358 if (buf_len < ACL_STRING_PERM_MAXSIZE + 1) {
363 if ((perm | ACL_PERM_BITS) != ACL_PERM_BITS) {
368 buf[3] = 0; /* null terminate */
370 if (perm & ACL_PERM_READ)
371 buf[0] = ACL_STRING_PERM_READ;
373 buf[0] = ACL_STRING_PERM_NONE;
375 if (perm & ACL_PERM_WRITE)
376 buf[1] = ACL_STRING_PERM_WRITE;
378 buf[1] = ACL_STRING_PERM_NONE;
380 if (perm & ACL_PERM_EXEC)
381 buf[2] = ACL_STRING_PERM_EXEC;
383 buf[2] = ACL_STRING_PERM_NONE;
390 * given a string, return a permission describing it
393 acl_string_to_perm(char *string, acl_perm_t *perm)
395 acl_perm_t myperm = ACL_PERM_NONE;
401 case ACL_STRING_PERM_READ:
402 myperm |= ACL_PERM_READ;
404 case ACL_STRING_PERM_WRITE:
405 myperm |= ACL_PERM_WRITE;
407 case ACL_STRING_PERM_EXEC:
408 myperm |= ACL_PERM_EXEC;
410 case ACL_STRING_PERM_NONE:
425 * Add an ACL entry without doing much checking, et al
428 acl_add_entry(acl_t acl, acl_tag_t tag, uid_t id, acl_perm_t perm)
432 if (acl->acl_cnt >= MAX_ACL_ENTRIES) {
437 e = &(acl->acl_entry[acl->acl_cnt]);
projects / FreeBSD / FreeBSD.git / blob