acl_support.c revision 56274
1/*- 2 * Copyright (c) 1999 Robert N. M. Watson 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 * 26 * $FreeBSD: head/lib/libc/posix1e/acl_support.c 56274 2000-01-19 06:13:59Z rwatson $ 27 */ 28/* 29 * Support functionality for the POSIX.1e ACL interface 30 * These calls are intended only to be called within the library. 31 */ 32 33#include <sys/types.h> 34#include <sys/acl.h> 35#include <errno.h> 36#include <grp.h> 37#include <pwd.h> 38#include <stdio.h> 39#include <stdlib.h> 40 41#include "acl_support.h" 42 43#define ACL_STRING_PERM_WRITE 'w' 44#define ACL_STRING_PERM_READ 'r' 45#define ACL_STRING_PERM_EXEC 'x' 46#define ACL_STRING_PERM_NONE '-' 47 48/* 49 * acl_entry_compare -- compare two acl_entry structures to determine the 50 * order they should appear in. Used by acl_sort to sort ACL entries into 51 * the kernel-desired order -- i.e., the order useful for evaluation and 52 * O(n) validity checking. Beter to have an O(nlogn) sort in userland and 53 * an O(n) in kernel than to have both in kernel. 54 */ 55typedef int (*compare)(const void *, const void *); 56static int 57acl_entry_compare(struct acl_entry *a, struct acl_entry *b) 58{ 59 /* 60 * First, sort between tags -- conveniently defined in the correct 61 * order for verification. 62 */ 63 if (a->ae_tag < b->ae_tag) 64 return (-1); 65 if (a->ae_tag > b->ae_tag) 66 return (1); 67 68 /* 69 * Next compare uids/gids on appropriate types. 70 */ 71 72 if (a->ae_tag == ACL_USER || a->ae_tag == ACL_GROUP) { 73 if (a->ae_id < b->ae_id) 74 return (-1); 75 if (a->ae_id > b->ae_id) 76 return (1); 77 78 /* shouldn't be equal, fall through to the invalid case */ 79 } 80 81 /* 82 * Don't know how to sort multiple entries of the rest--either it's 83 * a bad entry, or there shouldn't be more than one. Ignore and the 84 * validity checker can get it later. 85 */ 86 return (0); 87} 88 89 90/* 91 * acl_sort -- sort ACL entries. 92 * Give the opportunity to fail, althouh we don't currently have a way 93 * to fail. 94 */ 95int 96acl_sort(acl_t acl) 97{ 98 99 qsort(&acl->acl_entry[0], acl->acl_cnt, sizeof(struct acl_entry), 100 (compare) acl_entry_compare); 101 102 return (0); 103} 104 105 106/* 107 * acl_posix1e -- use a heuristic to determine if this is a POSIX.1e 108 * semantics ACL. This will be used by other routines to determine if 109 * they should call acl_sort() on the ACL before submitting to the kernel, 110 * as the POSIX.1e ACL semantics code requires sorted ACL submission. 111 * Also, acl_valid will use this to determine if it understands the 112 * semantics enough to check that the ACL is correct. 113 */ 114int 115acl_posix1e(acl_t acl) 116{ 117 int i; 118 119 /* assume it's POSIX.1e, and return 0 if otherwise */ 120 121 for (i = 0; i < acl->acl_cnt; i++) { 122 /* is the tag type POSIX.1e? */ 123 switch(acl->acl_entry[i].ae_tag) { 124 case ACL_USER_OBJ: 125 case ACL_USER: 126 case ACL_GROUP_OBJ: 127 case ACL_GROUP: 128 case ACL_MASK: 129 case ACL_OTHER: 130 break; 131 132 default: 133 return (0); 134 } 135 136 /* are the permissions POSIX.1e, or FreeBSD extensions? */ 137 if (((acl->acl_entry[i].ae_perm | ACL_POSIX1E_BITS) != 138 ACL_POSIX1E_BITS) && 139 ((acl->acl_entry[i].ae_perm | ACL_PERM_BITS) != 140 ACL_PERM_BITS)) 141 return (0); 142 } 143 144 return(1); 145} 146 147 148/* 149 * acl_check -- given an ACL, check its validity. This is mirrored from 150 * code in sys/kern/kern_acl.c, and if changes are made in one, they should 151 * be made in the other also. This copy of acl_check is made available 152 * in userland for the benefit of processes wanting to check ACLs for 153 * validity before submitting them to the kernel, or for performing 154 * in userland file system checking. Needless to say, the kernel makes 155 * the real checks on calls to get/setacl. 156 * 157 * See the comments in kernel for explanation -- just briefly, it assumes 158 * an already sorted ACL, and checks based on that assumption. The 159 * POSIX.1e interface, acl_valid(), will perform the sort before calling 160 * this. Returns 0 on success, EINVAL on failure. 161 */ 162int 163acl_check(struct acl *acl) 164{ 165 struct acl_entry *entry; /* current entry */ 166 uid_t obj_uid=-1, obj_gid=-1, highest_uid=0, highest_gid=0; 167 int stage = ACL_USER_OBJ; 168 int i = 0; 169 int count_user_obj=0, count_user=0, count_group_obj=0, 170 count_group=0, count_mask=0, count_other=0; 171 172 /* printf("acl_check: checking acl with %d entries\n", acl->acl_cnt); */ 173 while (i < acl->acl_cnt) { 174 175 entry = &acl->acl_entry[i]; 176 177 if ((entry->ae_perm | ACL_PERM_BITS) != ACL_PERM_BITS) 178 return (EINVAL); 179 180 switch(entry->ae_tag) { 181 case ACL_USER_OBJ: 182 /* printf("acl_check: %d: ACL_USER_OBJ\n", i); */ 183 if (stage > ACL_USER_OBJ) 184 return (EINVAL); 185 stage = ACL_USER; 186 count_user_obj++; 187 obj_uid = entry->ae_id; 188 break; 189 190 case ACL_USER: 191 /* printf("acl_check: %d: ACL_USER\n", i); */ 192 if (stage > ACL_USER) 193 return (EINVAL); 194 stage = ACL_USER; 195 if (entry->ae_id == obj_uid) 196 return (EINVAL); 197 if (count_user && (entry->ae_id <= highest_uid)) 198 return (EINVAL); 199 highest_uid = entry->ae_id; 200 count_user++; 201 break; 202 203 case ACL_GROUP_OBJ: 204 /* printf("acl_check: %d: ACL_GROUP_OBJ\n", i); */ 205 if (stage > ACL_GROUP_OBJ) 206 return (EINVAL); 207 stage = ACL_GROUP; 208 count_group_obj++; 209 obj_gid = entry->ae_id; 210 break; 211 212 case ACL_GROUP: 213 /* printf("acl_check: %d: ACL_GROUP\n", i); */ 214 if (stage > ACL_GROUP) 215 return (EINVAL); 216 stage = ACL_GROUP; 217 if (entry->ae_id == obj_gid) 218 return (EINVAL); 219 if (count_group && (entry->ae_id <= highest_gid)) 220 return (EINVAL); 221 highest_gid = entry->ae_id; 222 count_group++; 223 break; 224 225 case ACL_MASK: 226 /* printf("acl_check: %d: ACL_MASK\n", i); */ 227 if (stage > ACL_MASK) 228 return (EINVAL); 229 stage = ACL_MASK; 230 count_mask++; 231 break; 232 233 case ACL_OTHER: 234 /* printf("acl_check: %d: ACL_OTHER\n", i); */ 235 if (stage > ACL_OTHER) 236 return (EINVAL); 237 stage = ACL_OTHER; 238 count_other++; 239 break; 240 241 default: 242 /* printf("acl_check: %d: INVALID\n", i); */ 243 return (EINVAL); 244 } 245 i++; 246 } 247 248 if (count_user_obj != 1) 249 return (EINVAL); 250 251 if (count_group_obj != 1) 252 return (EINVAL); 253 254 if (count_mask != 0 && count_mask != 1) 255 return (EINVAL); 256 257 if (count_other != 1) 258 return (EINVAL); 259 260 return (0); 261} 262 263 264/* 265 * Given a uid/gid, return a username/groupname for the text form of an ACL 266 * XXX NOT THREAD SAFE, RELIES ON GETPWUID, GETGRGID 267 * XXX USES *PW* AND *GR* WHICH ARE STATEFUL AND THEREFORE THIS ROUTINE 268 * MAY HAVE SIDE-EFFECTS 269 */ 270int 271acl_id_to_name(acl_tag_t tag, uid_t id, ssize_t buf_len, char *buf) 272{ 273 struct group *g; 274 struct passwd *p; 275 int i; 276 277 switch(tag) { 278 case ACL_USER: 279 p = getpwuid(id); 280 if (!p) 281 i = snprintf(buf, buf_len, "%d", id); 282 else 283 i = snprintf(buf, buf_len, "%s", p->pw_name); 284 285 if (i >= buf_len) { 286 errno = ENOMEM; 287 return (-1); 288 } 289 return (0); 290 291 case ACL_GROUP: 292 g = getgrgid(id); 293 if (!g) 294 i = snprintf(buf, buf_len, "%d", id); 295 else 296 i = snprintf(buf, buf_len, "%s", g->gr_name); 297 298 if (i >= buf_len) { 299 errno = ENOMEM; 300 return (-1); 301 } 302 return (0); 303 304 default: 305 return (EINVAL); 306 } 307} 308 309 310/* 311 * Given a username/groupname from a text form of an ACL, return the uid/gid 312 * XXX NOT THREAD SAFE, RELIES ON GETPWNAM, GETGRNAM 313 * XXX USES *PW* AND *GR* WHICH ARE STATEFUL AND THEREFORE THIS ROUTINE 314 * MAY HAVE SIDE-EFFECTS 315 * 316 * XXX currently doesn't deal correctly with a numeric uid being passed 317 * instead of a username. What is correct behavior here? Check chown. 318 */ 319int 320acl_name_to_id(acl_tag_t tag, char *name, uid_t *id) 321{ 322 struct group *g; 323 struct passwd *p; 324 325 switch(tag) { 326 case ACL_USER: 327 p = getpwnam(name); 328 if (!p) { 329 errno = EINVAL; 330 return (-1); 331 } 332 *id = p->pw_uid; 333 return (0); 334 335 case ACL_GROUP: 336 g = getgrnam(name); 337 if (g) { 338 errno = EINVAL; 339 return (-1); 340 } 341 *id = g->gr_gid; 342 return (0); 343 344 default: 345 return (EINVAL); 346 } 347} 348 349 350/* 351 * Given a right-shifted permission (i.e., direct ACL_PERM_* mask), fill 352 * in a string describing the permissions. 353 */ 354int 355acl_perm_to_string(acl_perm_t perm, ssize_t buf_len, char *buf) 356{ 357 358 if (buf_len < ACL_STRING_PERM_MAXSIZE + 1) { 359 errno = ENOMEM; 360 return (-1); 361 } 362 363 if ((perm | ACL_PERM_BITS) != ACL_PERM_BITS) { 364 errno = EINVAL; 365 return (-1); 366 } 367 368 buf[3] = 0; /* null terminate */ 369 370 if (perm & ACL_PERM_READ) 371 buf[0] = ACL_STRING_PERM_READ; 372 else 373 buf[0] = ACL_STRING_PERM_NONE; 374 375 if (perm & ACL_PERM_WRITE) 376 buf[1] = ACL_STRING_PERM_WRITE; 377 else 378 buf[1] = ACL_STRING_PERM_NONE; 379 380 if (perm & ACL_PERM_EXEC) 381 buf[2] = ACL_STRING_PERM_EXEC; 382 else 383 buf[2] = ACL_STRING_PERM_NONE; 384 385 return (0); 386} 387 388 389/* 390 * given a string, return a permission describing it 391 */ 392int 393acl_string_to_perm(char *string, acl_perm_t *perm) 394{ 395 acl_perm_t myperm = ACL_PERM_NONE; 396 char *ch; 397 398 ch = string; 399 while (*ch) { 400 switch(*ch) { 401 case ACL_STRING_PERM_READ: 402 myperm |= ACL_PERM_READ; 403 break; 404 case ACL_STRING_PERM_WRITE: 405 myperm |= ACL_PERM_WRITE; 406 break; 407 case ACL_STRING_PERM_EXEC: 408 myperm |= ACL_PERM_EXEC; 409 break; 410 case ACL_STRING_PERM_NONE: 411 break; 412 default: 413 return (EINVAL); 414 } 415 ch++; 416 } 417 418 *perm = myperm; 419 return (0); 420} 421 422 423 424/* 425 * Add an ACL entry without doing much checking, et al 426 */ 427int 428acl_add_entry(acl_t acl, acl_tag_t tag, uid_t id, acl_perm_t perm) 429{ 430 struct acl_entry *e; 431 432 if (acl->acl_cnt >= ACL_MAX_ENTRIES) { 433 errno = ENOMEM; 434 return (-1); 435 } 436 437 e = &(acl->acl_entry[acl->acl_cnt]); 438 e->ae_perm = perm; 439 e->ae_tag = tag; 440 e->ae_id = id; 441 acl->acl_cnt++; 442 443 return (0); 444} 445 446 447 448 449