acl_support.c revision 74191
1/*-
2 * Copyright (c) 1999, 2000, 2001 Robert N. M. Watson
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 *    notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 *    notice, this list of conditions and the following disclaimer in the
12 *    documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 *
26 * $FreeBSD: head/lib/libc/posix1e/acl_support.c 74191 2001-03-13 02:31:32Z rwatson $
27 */
28/*
29 * Support functionality for the POSIX.1e ACL interface
30 * These calls are intended only to be called within the library.
31 */
32
33#include <sys/types.h>
34#include <sys/acl.h>
35#include <errno.h>
36#include <grp.h>
37#include <pwd.h>
38#include <stdio.h>
39#include <stdlib.h>
40
41#include "acl_support.h"
42
43#define ACL_STRING_PERM_WRITE   'w'
44#define ACL_STRING_PERM_READ    'r'
45#define ACL_STRING_PERM_EXEC    'x'
46#define ACL_STRING_PERM_NONE    '-'
47
48/*
49 * _posix1e_acl_entry_compare -- compare two acl_entry structures to
50 * determine the order they should appear in.  Used by _posix1e_acl_sort to
51 * sort ACL entries into the kernel-desired order -- i.e., the order useful
52 * for evaluation and O(n) validity checking.  Better to have an O(nlogn) sort
53 * in userland and an O(n) in kernel than to have both in kernel.
54 */
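typedef int (*compare)(const void *, const void *);

/*
 * Comparator handed to qsort() by _posix1e_acl_sort.  Orders entries by
 * ae_tag first and, for ACL_USER and ACL_GROUP entries, by ae_id second.
 * Returns a negative, zero or positive value in the usual qsort() sense.
 *
 * The parameters are declared as const void * so the function has exactly
 * the type qsort() calls it through.  Calling a function through a pointer
 * to an incompatible function type is undefined behaviour in C, and builds
 * hardened with indirect-call control-flow-integrity checks may refuse the
 * call outright.  The existing (compare) cast at the call site stays valid.
 */
static int
_posix1e_acl_entry_compare(const void *a, const void *b)
{
	const struct acl_entry	*ea = a;
	const struct acl_entry	*eb = b;

	/*
	 * First, sort between tags -- conveniently defined in the correct
	 * order for verification.
	 */
	if (ea->ae_tag < eb->ae_tag)
		return (-1);
	if (ea->ae_tag > eb->ae_tag)
		return (1);

	/*
	 * Same tag: only ACL_USER and ACL_GROUP entries carry an id that
	 * distinguishes them, so compare ids for those two tags only.
	 */
	if (ea->ae_tag == ACL_USER || ea->ae_tag == ACL_GROUP) {
		if (ea->ae_id < eb->ae_id)
			return (-1);
		if (ea->ae_id > eb->ae_id)
			return (1);

		/* shouldn't be equal, fall through to the invalid case */
	}

	/*
	 * Don't know how to sort multiple entries of the rest--either it's
	 * a bad entry, or there shouldn't be more than one.  Report them as
	 * equal; the validity checker rejects such ACLs later.
	 */
	return (0);
}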
88
89/*
90 * _posix1e_acl_sort -- sort ACL entries in POSIX.1e-formatted ACLs
91 * Give the opportunity to fail, although we don't currently have a way
92 * to fail.
93 */
int
_posix1e_acl_sort(acl_t acl)
{
	struct acl_entry	*first;

	/*
	 * Sort the acl_cnt entries in place with the tag/id comparator.
	 *
	 * NOTE(review): acl_cnt is handed to qsort() unchecked, so an ACL
	 * whose count does not match its entry array makes qsort() touch
	 * memory outside it.  Callers appear to be expected to pass only
	 * ACLs built by this library -- confirm before sorting ACLs read
	 * from an untrusted source.
	 */
	first = acl->acl_entry;
	qsort(first, acl->acl_cnt, sizeof(*first),
	    (compare) _posix1e_acl_entry_compare);

	/* Always succeeds; the return value exists for future failures. */
	return (0);
}
103
104/*
105 * acl_posix1e -- in what situations should we acl_sort before submission?
106 * We apply posix1e ACL semantics for any ACL of type ACL_TYPE_ACCESS or
107 * ACL_TYPE_DEFAULT
108 */
int
_posix1e_acl(acl_t acl, acl_type_t type)
{

	/*
	 * Returns 1 when POSIX.1e semantics apply to this ACL type, i.e.
	 * for ACL_TYPE_ACCESS and ACL_TYPE_DEFAULT, and 0 for any other
	 * type.  The acl argument itself is not examined.
	 */
	if (type == ACL_TYPE_ACCESS)
		return (1);
	if (type == ACL_TYPE_DEFAULT)
		return (1);

	return (0);
}
115
116/*
117 * _posix1e_acl_check -- given an ACL, check its validity.  This is mirrored
118 * from code in sys/kern/kern_acl.c, and if changes are made in one, they
119 * should be made in the other also.  This copy of acl_check is made
120 * available in userland for the benefit of processes wanting to check ACLs
121 * for validity before submitting them to the kernel, or for performing
122 * in userland file system checking.  Needless to say, the kernel makes
123 * the real checks on calls to get/setacl.
124 *
125 * See the comments in kernel for explanation -- just briefly, it assumes
126 * an already sorted ACL, and checks based on that assumption.  The
127 * POSIX.1e interface, acl_valid(), will perform the sort before calling
128 * this.  Returns 0 on success, EINVAL on failure.
129 */
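/*
 * Validate an already sorted ACL.  Returns 0 if the ACL is well formed and
 * EINVAL otherwise (the error is the return value; errno is not set).
 *
 * An ACL is accepted only if:
 *  - its entry count does not exceed ACL_MAX_ENTRIES,
 *  - every entry's permission bits are a subset of ACL_PERM_BITS,
 *  - tags appear in non-decreasing stage order,
 *  - ACL_USER ids are strictly increasing and differ from the ACL_USER_OBJ
 *    id, and likewise ACL_GROUP ids against the ACL_GROUP_OBJ id,
 *  - there is exactly one ACL_USER_OBJ, ACL_GROUP_OBJ and ACL_OTHER entry
 *    and at most one ACL_MASK entry.
 */
int
_posix1e_acl_check(struct acl *acl)
{
	struct acl_entry	*entry; 	/* current entry */
	uid_t	obj_uid=-1, obj_gid=-1, highest_uid=0, highest_gid=0;
	int	stage = ACL_USER_OBJ;
	int	i;
	int	count_user_obj=0, count_user=0, count_group_obj=0,
		count_group=0, count_mask=0, count_other=0;

	/*
	 * This checker is also meant for ACLs that did not come from this
	 * library (e.g. userland file system checking), so the count cannot
	 * be trusted.  _posix1e_acl_add_entry never fills more than
	 * ACL_MAX_ENTRIES slots; a larger count would make the loop below
	 * read past the entry array, so reject it up front.
	 */
	if (acl->acl_cnt > ACL_MAX_ENTRIES)
		return (EINVAL);

	for (i = 0; i < acl->acl_cnt; i++) {
		entry = &acl->acl_entry[i];

		/* No permission bit outside ACL_PERM_BITS may be set. */
		if ((entry->ae_perm | ACL_PERM_BITS) != ACL_PERM_BITS)
			return (EINVAL);

		/*
		 * "stage" tracks the furthest tag class seen so far and
		 * relies on the numeric order of the tag constants: a tag
		 * lower than the current stage means the ACL is unsorted
		 * or has a duplicate of a single-instance entry.
		 */
		switch(entry->ae_tag) {
		case ACL_USER_OBJ:
			if (stage > ACL_USER_OBJ)
				return (EINVAL);
			stage = ACL_USER;
			count_user_obj++;
			obj_uid = entry->ae_id;
			break;

		case ACL_USER:
			if (stage > ACL_USER)
				return (EINVAL);
			stage = ACL_USER;
			/* A named user may not repeat the owner's id. */
			if (entry->ae_id == obj_uid)
				return (EINVAL);
			/* Ids must be strictly increasing: no duplicates. */
			if (count_user && (entry->ae_id <= highest_uid))
				return (EINVAL);
			highest_uid = entry->ae_id;
			count_user++;
			break;

		case ACL_GROUP_OBJ:
			if (stage > ACL_GROUP_OBJ)
				return (EINVAL);
			stage = ACL_GROUP;
			count_group_obj++;
			obj_gid = entry->ae_id;
			break;

		case ACL_GROUP:
			if (stage > ACL_GROUP)
				return (EINVAL);
			stage = ACL_GROUP;
			/* A named group may not repeat the owning group id. */
			if (entry->ae_id == obj_gid)
				return (EINVAL);
			/* Ids must be strictly increasing: no duplicates. */
			if (count_group && (entry->ae_id <= highest_gid))
				return (EINVAL);
			highest_gid = entry->ae_id;
			count_group++;
			break;

		case ACL_MASK:
			if (stage > ACL_MASK)
				return (EINVAL);
			stage = ACL_MASK;
			count_mask++;
			break;

		case ACL_OTHER:
			if (stage > ACL_OTHER)
				return (EINVAL);
			stage = ACL_OTHER;
			count_other++;
			break;

		default:
			/* Unknown tag. */
			return (EINVAL);
		}
	}

	/* Mandatory entries must appear exactly once; the mask is optional. */
	if (count_user_obj != 1)
		return (EINVAL);

	if (count_group_obj != 1)
		return (EINVAL);

	if (count_mask != 0 && count_mask != 1)
		return (EINVAL);

	if (count_other != 1)
		return (EINVAL);

	return (0);
}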
232
233
234/*
235 * Given a uid/gid, return a username/groupname for the text form of an ACL
236 * XXX NOT THREAD SAFE, RELIES ON GETPWUID, GETGRGID
237 * XXX USES *PW* AND *GR* WHICH ARE STATEFUL AND THEREFORE THIS ROUTINE
238 * MAY HAVE SIDE-EFFECTS
239 */
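/*
 * Write the user or group name for id into buf (buf_len bytes), falling
 * back to the decimal id when the lookup finds no entry.
 *
 * Returns 0 on success.  Returns -1 with errno set to ENOMEM when the
 * buffer is missing room for the text and its terminating NUL, and -1 when
 * snprintf() itself fails.  An unsupported tag returns EINVAL directly.
 *
 * NOTE(review): the unsupported-tag path returns EINVAL as the function
 * value while the other failures return -1 and set errno; callers must
 * treat any non-zero result as failure.  Left unchanged for compatibility.
 */
int
_posix1e_acl_id_to_name(acl_tag_t tag, uid_t id, ssize_t buf_len, char *buf)
{
	const char	*name = NULL;
	struct group	*g;
	struct passwd	*p;
	int	i;

	switch(tag) {
	case ACL_USER:
		p = getpwuid(id);
		if (p != NULL)
			name = p->pw_name;
		break;

	case ACL_GROUP:
		g = getgrgid(id);
		if (g != NULL)
			name = g->gr_name;
		break;

	default:
		return (EINVAL);
	}

	/*
	 * buf_len is signed but snprintf() takes a size_t: a negative length
	 * would be converted to a huge size and disable the bound entirely.
	 * A zero length cannot hold even the terminating NUL.
	 */
	if (buf_len <= 0) {
		errno = ENOMEM;
		return (-1);
	}

	if (name != NULL)
		i = snprintf(buf, buf_len, "%s", name);
	else {
		/*
		 * Format through unsigned long rather than passing a uid_t
		 * to %d: the specifier then matches its argument, and ids
		 * above INT_MAX are not rendered as negative numbers.
		 */
		i = snprintf(buf, buf_len, "%lu", (unsigned long)id);
	}

	/* A negative result is an output error, not a short string. */
	if (i < 0)
		return (-1);

	/* i excludes the NUL, so i >= buf_len means the text was truncated. */
	if (i >= buf_len) {
		errno = ENOMEM;
		return (-1);
	}
	return (0);
}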
278
279
280/*
281 * Given a username/groupname from a text form of an ACL, return the uid/gid
282 * XXX NOT THREAD SAFE, RELIES ON GETPWNAM, GETGRNAM
283 * XXX USES *PW* AND *GR* WHICH ARE STATEFUL AND THEREFORE THIS ROUTINE
284 * MAY HAVE SIDE-EFFECTS
285 *
286 * XXX currently doesn't deal correctly with a numeric uid being passed
287 * instead of a username.  What is correct behavior here?  Check chown.
288 */
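/*
 * Parse name as a number with strtoul() (base 0).  Returns 0 and stores
 * the value in *val on success; returns -1 when name holds no digits, has
 * trailing characters, or overflows unsigned long.  errno is restored to
 * the value it had on entry.
 */
static int
_posix1e_acl_parse_id(const char *name, unsigned long *val)
{
	char	*endp;
	int	saved_errno, range_error;

	saved_errno = errno;
	errno = 0;
	*val = strtoul(name, &endp, 0);
	range_error = (errno == ERANGE);
	errno = saved_errno;

	/*
	 * endp == name means nothing was converted.  Without this test an
	 * empty string parses as 0 and would silently resolve to id 0.
	 */
	if (endp == name || *endp != '\0' || range_error)
		return (-1);
	return (0);
}

/*
 * Resolve a user or group name from the text form of an ACL to its id.
 * The name is looked up first; if no such user or group exists it is
 * parsed as a numeric id.
 *
 * Returns 0 and stores the id in *id on success.  Returns -1 with errno
 * set to EINVAL when the name is neither known nor a valid number that
 * fits the id type.  An unsupported tag returns EINVAL directly.
 *
 * NOTE(review): strtoul() also accepts leading whitespace, a sign and
 * hex/octal prefixes; "-1" wraps to a large unsigned value that is only
 * rejected where unsigned long is wider than the id type.  Decide whether
 * the numeric form should be restricted to plain decimal digits.
 */
int
_posix1e_acl_name_to_id(acl_tag_t tag, char *name, uid_t *id)
{
	struct group	*g;
	struct passwd	*p;
	unsigned long	l;

	switch(tag) {
	case ACL_USER:
		p = getpwnam(name);
		if (p != NULL) {
			*id = p->pw_uid;
			return (0);
		}
		/* The round-trip cast rejects values too large for uid_t. */
		if (_posix1e_acl_parse_id(name, &l) != 0 ||
		    l != (unsigned long)(uid_t)l) {
			errno = EINVAL;
			return (-1);
		}
		*id = (uid_t)l;
		return (0);

	case ACL_GROUP:
		g = getgrnam(name);
		if (g != NULL) {
			*id = g->gr_gid;
			return (0);
		}
		/* The round-trip cast rejects values too large for gid_t. */
		if (_posix1e_acl_parse_id(name, &l) != 0 ||
		    l != (unsigned long)(gid_t)l) {
			errno = EINVAL;
			return (-1);
		}
		*id = (gid_t)l;
		return (0);

	default:
		return (EINVAL);
	}
}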
330
331
332/*
333 * Given a right-shifted permission (i.e., direct ACL_PERM_* mask), fill
334 * in a string describing the permissions.
335 */
int
_posix1e_acl_perm_to_string(acl_perm_t perm, ssize_t buf_len, char *buf)
{

	/*
	 * Render perm as a three-character string, one position each for
	 * read, write and execute, with the "none" character standing in
	 * for a bit that is clear.  Returns 0 on success, or -1 with errno
	 * set to ENOMEM (buffer too small) or EINVAL (bits outside
	 * ACL_PERM_BITS).
	 *
	 * NOTE(review): the size test uses
	 * _POSIX1E_ACL_STRING_PERM_MAXSIZE while the writes below use the
	 * literal indices 0..3; this is only in bounds if that constant is
	 * at least 3 -- confirm against acl_support.h.
	 */
	if (buf_len < _POSIX1E_ACL_STRING_PERM_MAXSIZE + 1) {
		errno = ENOMEM;
		return (-1);
	}

	if ((perm | ACL_PERM_BITS) != ACL_PERM_BITS) {
		errno = EINVAL;
		return (-1);
	}

	buf[0] = (perm & ACL_PERM_READ) ?
	    ACL_STRING_PERM_READ : ACL_STRING_PERM_NONE;
	buf[1] = (perm & ACL_PERM_WRITE) ?
	    ACL_STRING_PERM_WRITE : ACL_STRING_PERM_NONE;
	buf[2] = (perm & ACL_PERM_EXEC) ?
	    ACL_STRING_PERM_EXEC : ACL_STRING_PERM_NONE;
	buf[3] = 0;	/* null terminate */

	return (0);
}
369
370/*
371 * given a string, return a permission describing it
372 */
int
_posix1e_acl_string_to_perm(char *string, acl_perm_t *perm)
{
	acl_perm_t	bits = ACL_PERM_NONE;
	char	*cursor;

	/*
	 * Accumulate one permission bit per recognised character; the
	 * "none" character contributes nothing.  Any other character makes
	 * the whole string invalid: EINVAL is returned as the function
	 * value and *perm is left untouched.
	 */
	for (cursor = string; *cursor != '\0'; cursor++) {
		if (*cursor == ACL_STRING_PERM_READ)
			bits |= ACL_PERM_READ;
		else if (*cursor == ACL_STRING_PERM_WRITE)
			bits |= ACL_PERM_WRITE;
		else if (*cursor == ACL_STRING_PERM_EXEC)
			bits |= ACL_PERM_EXEC;
		else if (*cursor != ACL_STRING_PERM_NONE)
			return (EINVAL);
	}

	/* Only a fully valid string updates the caller's value. */
	*perm = bits;
	return (0);
}
402
403/*
404 * Add an ACL entry without doing much checking, et al
405 */
int
_posix1e_acl_add_entry(acl_t acl, acl_tag_t tag, uid_t id, acl_perm_t perm)
{
	struct acl_entry	*slot;

	/*
	 * Append one entry to the ACL.  Returns 0 on success, or -1 with
	 * errno set to ENOMEM when the ACL already holds ACL_MAX_ENTRIES
	 * entries.  Tag, id and permission are stored as given: nothing
	 * here checks for duplicates, ordering or valid permission bits,
	 * so the result still has to pass _posix1e_acl_check.
	 *
	 * NOTE(review): only the upper bound of acl_cnt is tested.  If
	 * acl_cnt is a signed type, a negative count would index before
	 * the entry array -- confirm the field's type in sys/acl.h.
	 */
	if (acl->acl_cnt >= ACL_MAX_ENTRIES) {
		errno = ENOMEM;
		return (-1);
	}

	/* Claim the next free slot and bump the count in one step. */
	slot = &acl->acl_entry[acl->acl_cnt++];
	slot->ae_tag = tag;
	slot->ae_id = id;
	slot->ae_perm = perm;

	return (0);
}
424