acl_support.c revision 91035 
1/*-
2 * Copyright (c) 1999, 2000, 2001 Robert N. M. Watson
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 *    notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 *    notice, this list of conditions and the following disclaimer in the
12 *    documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 *
26 * $FreeBSD: head/lib/libc/posix1e/acl_support.c 91035 2002-02-21 23:18:04Z jedgar $
27 */
28/*
29 * Support functionality for the POSIX.1e ACL interface
30 * These calls are intended only to be called within the library.
31 */
32
33#include <sys/types.h>
34#include "namespace.h"
35#include <sys/acl.h>
36#include "un-namespace.h"
37#include <errno.h>
38#include <grp.h>
39#include <pwd.h>
40#include <stdio.h>
41#include <stdlib.h>
42
43#include "acl_support.h"
44
45#define ACL_STRING_PERM_WRITE   'w'
46#define ACL_STRING_PERM_READ    'r'
47#define ACL_STRING_PERM_EXEC    'x'
48#define ACL_STRING_PERM_NONE    '-'
49
50/*
51 * _posix1e_acl_entry_compare -- compare two acl_entry structures to
52 * determine the order they should appear in.  Used by _posix1e_acl_sort to
53 * sort ACL entries into the kernel-desired order -- i.e., the order useful
54 * for evaluation and O(n) validity checking.  Beter to have an O(nlogn) sort
55 * in userland and an O(n) in kernel than to have both in kernel.
56 */
57typedef int (*compare)(const void *, const void *);
58static int
59_posix1e_acl_entry_compare(struct acl_entry *a, struct acl_entry *b)
60{
61	/*
62	 * First, sort between tags -- conveniently defined in the correct
63	 * order for verification.
64	 */
65	if (a->ae_tag < b->ae_tag)
66		return (-1);
67	if (a->ae_tag > b->ae_tag)
68		return (1);
69
70	/*
71	 * Next compare uids/gids on appropriate types.
72	 */
73
74	if (a->ae_tag == ACL_USER || a->ae_tag == ACL_GROUP) {
75		if (a->ae_id < b->ae_id)
76			return (-1);
77		if (a->ae_id > b->ae_id)
78			return (1);
79
80		/* shouldn't be equal, fall through to the invalid case */
81	}
82
83	/*
84	 * Don't know how to sort multiple entries of the rest--either it's
85	 * a bad entry, or there shouldn't be more than one.  Ignore and the
86	 * validity checker can get it later.
87	 */
88	return (0);
89}
90
91/*
92 * _posix1e_acl_sort -- sort ACL entries in POSIX.1e-formatted ACLs
93 * Give the opportunity to fail, although we don't currently have a way
94 * to fail.
95 */
96int
97_posix1e_acl_sort(acl_t acl)
98{
99	struct acl *acl_int;
100
101	acl_int = &acl->ats_acl;
102
103	qsort(&acl_int->acl_entry[0], acl_int->acl_cnt,
104	    sizeof(struct acl_entry), (compare) _posix1e_acl_entry_compare);
105
106	return (0);
107}
108
109/*
110 * acl_posix1e -- in what situations should we acl_sort before submission?
111 * We apply posix1e ACL semantics for any ACL of type ACL_TYPE_ACCESS or
112 * ACL_TYPE_DEFAULT
113 */
114int
115_posix1e_acl(acl_t acl, acl_type_t type)
116{
117
118	return ((type == ACL_TYPE_ACCESS) || (type == ACL_TYPE_DEFAULT));
119}
120
121/*
122 * _posix1e_acl_check -- given an ACL, check its validity.  This is mirrored
123 * from code in sys/kern/kern_acl.c, and if changes are made in one, they
124 * should be made in the other also.  This copy of acl_check is made
125 * available * in userland for the benefit of processes wanting to check ACLs
126 * for validity before submitting them to the kernel, or for performing
127 * in userland file system checking.  Needless to say, the kernel makes
128 * the real checks on calls to get/setacl.
129 *
130 * See the comments in kernel for explanation -- just briefly, it assumes
131 * an already sorted ACL, and checks based on that assumption.  The
132 * POSIX.1e interface, acl_valid(), will perform the sort before calling
133 * this.  Returns 0 on success, EINVAL on failure.
134 */
135int
136_posix1e_acl_check(acl_t acl)
137{
138	struct acl *acl_int;
139	struct acl_entry	*entry; 	/* current entry */
140	uid_t	obj_uid=-1, obj_gid=-1, highest_uid=0, highest_gid=0;
141	int	stage = ACL_USER_OBJ;
142	int	i = 0;
143	int	count_user_obj=0, count_user=0, count_group_obj=0,
144		count_group=0, count_mask=0, count_other=0;
145
146	acl_int = &acl->ats_acl;
147
148	/* printf("_posix1e_acl_check: checking acl with %d entries\n",
149	    acl->acl_cnt); */
150	while (i < acl_int->acl_cnt) {
151		entry = &acl_int->acl_entry[i];
152
153		if ((entry->ae_perm | ACL_PERM_BITS) != ACL_PERM_BITS)
154			return (EINVAL);
155
156		switch(entry->ae_tag) {
157		case ACL_USER_OBJ:
158			/* printf("_posix1e_acl_check: %d: ACL_USER_OBJ\n",
159			    i); */
160			if (stage > ACL_USER_OBJ)
161				return (EINVAL);
162			stage = ACL_USER;
163			count_user_obj++;
164			obj_uid = entry->ae_id;
165			break;
166
167		case ACL_USER:
168			/* printf("_posix1e_acl_check: %d: ACL_USER\n", i); */
169			if (stage > ACL_USER)
170				return (EINVAL);
171			stage = ACL_USER;
172			if (entry->ae_id == obj_uid)
173				return (EINVAL);
174			if (count_user && (entry->ae_id <= highest_uid))
175				return (EINVAL);
176			highest_uid = entry->ae_id;
177			count_user++;
178			break;
179
180		case ACL_GROUP_OBJ:
181			/* printf("_posix1e_acl_check: %d: ACL_GROUP_OBJ\n",
182			    i); */
183			if (stage > ACL_GROUP_OBJ)
184				return (EINVAL);
185			stage = ACL_GROUP;
186			count_group_obj++;
187			obj_gid = entry->ae_id;
188			break;
189
190		case ACL_GROUP:
191			/* printf("_posix1e_acl_check: %d: ACL_GROUP\n", i); */
192			if (stage > ACL_GROUP)
193				return (EINVAL);
194			stage = ACL_GROUP;
195			if (entry->ae_id == obj_gid)
196				return (EINVAL);
197			if (count_group && (entry->ae_id <= highest_gid))
198				return (EINVAL);
199			highest_gid = entry->ae_id;
200			count_group++;
201			break;
202
203		case ACL_MASK:
204			/* printf("_posix1e_acl_check: %d: ACL_MASK\n", i); */
205			if (stage > ACL_MASK)
206				return (EINVAL);
207			stage = ACL_MASK;
208			count_mask++;
209			break;
210
211		case ACL_OTHER:
212			/* printf("_posix1e_acl_check: %d: ACL_OTHER\n", i); */
213			if (stage > ACL_OTHER)
214				return (EINVAL);
215			stage = ACL_OTHER;
216			count_other++;
217			break;
218
219		default:
220			/* printf("_posix1e_acl_check: %d: INVALID\n", i); */
221			return (EINVAL);
222		}
223		i++;
224	}
225
226	if (count_user_obj != 1)
227		return (EINVAL);
228
229	if (count_group_obj != 1)
230		return (EINVAL);
231
232	if (count_mask != 0 && count_mask != 1)
233		return (EINVAL);
234
235	if (count_other != 1)
236		return (EINVAL);
237
238	return (0);
239}
240
241
242/*
243 * Given a uid/gid, return a username/groupname for the text form of an ACL
244 * XXX NOT THREAD SAFE, RELIES ON GETPWUID, GETGRGID
245 * XXX USES *PW* AND *GR* WHICH ARE STATEFUL AND THEREFORE THIS ROUTINE
246 * MAY HAVE SIDE-EFFECTS
247 */
248int
249_posix1e_acl_id_to_name(acl_tag_t tag, uid_t id, ssize_t buf_len, char *buf)
250{
251	struct group	*g;
252	struct passwd	*p;
253	int	i;
254
255	switch(tag) {
256	case ACL_USER:
257		p = getpwuid(id);
258		if (!p)
259			i = snprintf(buf, buf_len, "%d", id);
260		else
261			i = snprintf(buf, buf_len, "%s", p->pw_name);
262
263		if (i < 0 || i >= buf_len) {
264			errno = ENOMEM;
265			return (-1);
266		}
267		return (0);
268
269	case ACL_GROUP:
270		g = getgrgid(id);
271		if (g == NULL)
272			i = snprintf(buf, buf_len, "%d", id);
273		else
274			i = snprintf(buf, buf_len, "%s", g->gr_name);
275
276		if (i < 0 || i >= buf_len) {
277			errno = ENOMEM;
278			return (-1);
279		}
280		return (0);
281
282	default:
283		return (EINVAL);
284	}
285}
286
287
288/*
289 * Given a username/groupname from a text form of an ACL, return the uid/gid
290 * XXX NOT THREAD SAFE, RELIES ON GETPWNAM, GETGRNAM
291 * XXX USES *PW* AND *GR* WHICH ARE STATEFUL AND THEREFORE THIS ROUTINE
292 * MAY HAVE SIDE-EFFECTS
293 *
294 * XXX currently doesn't deal correctly with a numeric uid being passed
295 * instead of a username.  What is correct behavior here?  Check chown.
296 */
297int
298_posix1e_acl_name_to_id(acl_tag_t tag, char *name, uid_t *id)
299{
300	struct group	*g;
301	struct passwd	*p;
302	unsigned long	l;
303	char 		*endp;
304
305	switch(tag) {
306	case ACL_USER:
307		p = getpwnam(name);
308		if (p == NULL) {
309			l = strtoul(name, &endp, 0);
310			if (*endp != '\0' || l != (unsigned long)(uid_t)l) {
311				errno = EINVAL;
312				return (-1);
313			}
314			*id = (uid_t)l;
315			return (0);
316		}
317		*id = p->pw_uid;
318		return (0);
319
320	case ACL_GROUP:
321		g = getgrnam(name);
322		if (g == NULL) {
323			l = strtoul(name, &endp, 0);
324			if (*endp != '\0' || l != (unsigned long)(gid_t)l) {
325				errno = EINVAL;
326				return (-1);
327			}
328			*id = (gid_t)l;
329			return (0);
330		}
331		*id = g->gr_gid;
332		return (0);
333
334	default:
335		return (EINVAL);
336	}
337}
338
339
340/*
341 * Given a right-shifted permission (i.e., direct ACL_PERM_* mask), fill
342 * in a string describing the permissions.
343 */
344int
345_posix1e_acl_perm_to_string(acl_perm_t perm, ssize_t buf_len, char *buf)
346{
347
348	if (buf_len < _POSIX1E_ACL_STRING_PERM_MAXSIZE + 1) {
349		errno = ENOMEM;
350		return (-1);
351	}
352
353	if ((perm | ACL_PERM_BITS) != ACL_PERM_BITS) {
354		errno = EINVAL;
355		return (-1);
356	}
357
358	buf[3] = 0;	/* null terminate */
359
360	if (perm & ACL_READ)
361		buf[0] = ACL_STRING_PERM_READ;
362	else
363		buf[0] = ACL_STRING_PERM_NONE;
364
365	if (perm & ACL_WRITE)
366		buf[1] = ACL_STRING_PERM_WRITE;
367	else
368		buf[1] = ACL_STRING_PERM_NONE;
369
370	if (perm & ACL_EXECUTE)
371		buf[2] = ACL_STRING_PERM_EXEC;
372	else
373		buf[2] = ACL_STRING_PERM_NONE;
374
375	return (0);
376}
377
378/*
379 * given a string, return a permission describing it
380 */
381int
382_posix1e_acl_string_to_perm(char *string, acl_perm_t *perm)
383{
384	acl_perm_t	myperm = ACL_PERM_NONE;
385	char	*ch;
386
387	ch = string;
388	while (*ch) {
389		switch(*ch) {
390		case ACL_STRING_PERM_READ:
391			myperm |= ACL_READ;
392			break;
393		case ACL_STRING_PERM_WRITE:
394			myperm |= ACL_WRITE;
395			break;
396		case ACL_STRING_PERM_EXEC:
397			myperm |= ACL_EXECUTE;
398			break;
399		case ACL_STRING_PERM_NONE:
400			break;
401		default:
402			return (EINVAL);
403		}
404		ch++;
405	}
406
407	*perm = myperm;
408	return (0);
409}
410
411/*
412 * Add an ACL entry without doing much checking, et al
413 */
414int
415_posix1e_acl_add_entry(acl_t acl, acl_tag_t tag, uid_t id, acl_perm_t perm)
416{
417	struct acl		*acl_int;
418	struct acl_entry	*e;
419
420	acl_int = &acl->ats_acl;
421
422	if (acl_int->acl_cnt >= ACL_MAX_ENTRIES) {
423		errno = ENOMEM;
424		return (-1);
425	}
426
427	e = &(acl_int->acl_entry[acl_int->acl_cnt]);
428	e->ae_perm = perm;
429	e->ae_tag = tag;
430	e->ae_id = id;
431	acl_int->acl_cnt++;
432
433	return (0);
434}
435