1/* 2 Copyright (c) 2008, 2009, 2010 Frank Lahm <franklahm@gmail.com> 3 Copyright (c) 2011 Laura Mueller <laura-mueller@uni-duesseldorf.de> 4 5 This program is free software; you can redistribute it and/or modify 6 it under the terms of the GNU General Public License as published by 7 the Free Software Foundation; either version 2 of the License, or 8 (at your option) any later version. 9 10 This program is distributed in the hope that it will be useful, 11 but WITHOUT ANY WARRANTY; without even the implied warranty of 12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 GNU General Public License for more details. 14*/ 15 16#ifdef HAVE_CONFIG_H 17#include "config.h" 18#endif /* HAVE_CONFIG_H */ 19 20#include <string.h> 21#include <strings.h> 22#include <stdio.h> 23#include <stdlib.h> 24#include <grp.h> 25#include <pwd.h> 26#include <errno.h> 27#ifdef HAVE_SOLARIS_ACLS 28#include <sys/acl.h> 29#endif 30#ifdef HAVE_POSIX_ACLS 31#include <sys/acl.h> 32#endif 33#ifdef HAVE_ACL_LIBACL_H 34#include <acl/libacl.h> 35#endif 36 37#include <atalk/errchk.h> 38#include <atalk/adouble.h> 39#include <atalk/vfs.h> 40#include <atalk/afp.h> 41#include <atalk/util.h> 42#include <atalk/cnid.h> 43#include <atalk/logger.h> 44#include <atalk/uuid.h> 45#include <atalk/acl.h> 46#include <atalk/bstrlib.h> 47#include <atalk/bstradd.h> 48 49#include "directory.h" 50#include "desktop.h" 51#include "volume.h" 52#include "fork.h" 53#include "unix.h" 54#include "acls.h" 55#include "acl_mappings.h" 56#include "auth.h" 57 58/* for map_acl() */ 59#define SOLARIS_2_DARWIN 1 60#define DARWIN_2_SOLARIS 2 61#define POSIX_DEFAULT_2_DARWIN 3 62#define POSIX_ACCESS_2_DARWIN 4 63#define DARWIN_2_POSIX_DEFAULT 5 64#define DARWIN_2_POSIX_ACCESS 6 65 66#define MAP_MASK 31 67#define IS_DIR 32 68 69/* bit flags for set_acl() and map_aces_darwin_to_posix() */ 70#define HAS_DEFAULT_ACL 0x01 71#define HAS_EXT_DEFAULT_ACL 0x02 72 73/******************************************************** 74 * Solaris funcs 75 ********************************************************/ 76 77#ifdef HAVE_SOLARIS_ACLS 78 79/*! 80 * Compile access rights for a user to one file-system object 81 * 82 * This combines combines all access rights for a user to one fs-object and 83 * returns the result as a Darwin allowed rights ACE. 84 * This must honor trivial ACEs which are a mode_t mapping. 85 * 86 * @param path (r) path to filesystem object 87 * @param sb (r) struct stat of path 88 * @param result (w) resulting Darwin allow ACE 89 * 90 * @returns 0 or -1 on error 91 */ 92static int solaris_acl_rights(const char *path, 93 const struct stat *sb, 94 uint32_t *result) 95{ 96 EC_INIT; 97 int i, ace_count, checkgroup; 98 ace_t *aces = NULL; 99 uid_t who; 100 uint16_t flags, type; 101 uint32_t rights, allowed_rights = 0, denied_rights = 0, darwin_rights; 102 103 /* Get ACL from file/dir */ 104 EC_NEG1_LOG(ace_count = get_nfsv4_acl(path, &aces)); 105 106 if (ace_count == 0) 107 goto EC_CLEANUP; 108 109 /* Now check requested rights */ 110 i = 0; 111 do { /* Loop through ACEs */ 112 who = aces[i].a_who; 113 flags = aces[i].a_flags; 114 type = aces[i].a_type; 115 rights = aces[i].a_access_mask; 116 117 if (flags & ACE_INHERIT_ONLY_ACE) 118 continue; 119 120 /* Now the tricky part: decide if ACE effects our user. I'll explain: 121 if its a dedicated (non trivial) ACE for the user 122 OR 123 if its a ACE for a group we're member of 124 OR 125 if its a trivial ACE_OWNER ACE and requested UUID is the owner 126 OR 127 if its a trivial ACE_GROUP ACE and requested UUID is group 128 OR 129 if its a trivial ACE_EVERYONE ACE 130 THEN 131 process ACE */ 132 if (((who == uuid) && !(flags & (ACE_TRIVIAL|ACE_IDENTIFIER_GROUP))) 133 || 134 ((flags & ACE_IDENTIFIER_GROUP) && !(flags & ACE_GROUP) && gmem(who)) 135 || 136 ((flags & ACE_OWNER) && (uuid == sb->st_uid)) 137 || 138 ((flags & ACE_GROUP) && !(uuid == sb->st_uid) && gmem(sb->st_gid)) 139 || 140 (flags & ACE_EVERYONE && !(uuid == sb->st_uid) && !gmem(sb->st_gid)) 141 ) { 142 /* Found an applicable ACE */ 143 if (type == ACE_ACCESS_ALLOWED_ACE_TYPE) 144 allowed_rights |= rights; 145 else if (type == ACE_ACCESS_DENIED_ACE_TYPE) 146 /* Only or to denied rights if not previously allowed !! */ 147 denied_rights |= ((!allowed_rights) & rights); 148 } 149 } while (++i < ace_count); 150 151 152 /* Darwin likes to ask for "delete_child" on dir, 153 "write_data" is actually the same, so we add that for dirs */ 154 if (S_ISDIR(sb->st_mode) && (allowed_rights & ACE_WRITE_DATA)) 155 allowed_rights |= ACE_DELETE_CHILD; 156 157 /* Remove denied from allowed rights */ 158 allowed_rights &= ~denied_rights; 159 160 /* map rights */ 161 darwin_rights = 0; 162 for (i=0; nfsv4_to_darwin_rights[i].from != 0; i++) { 163 if (allowed_rights & nfsv4_to_darwin_rights[i].from) 164 darwin_rights |= nfsv4_to_darwin_rights[i].to; 165 } 166 167 *result |= darwin_rights; 168 169EC_CLEANUP: 170 if (aces) free(aces); 171 172 EC_EXIT; 173} 174 175/* 176 Maps ACE array from Solaris to Darwin. Darwin ACEs are stored in network byte order. 177 Return numer of mapped ACEs or -1 on error. 178 All errors while mapping (e.g. getting UUIDs from LDAP) are fatal. 179*/ 180static int map_aces_solaris_to_darwin(const ace_t *aces, 181 darwin_ace_t *darwin_aces, 182 int ace_count) 183{ 184 EC_INIT; 185 int i, count = 0; 186 uint32_t flags; 187 uint32_t rights; 188 struct passwd *pwd = NULL; 189 struct group *grp = NULL; 190 191 LOG(log_maxdebug, logtype_afpd, "map_aces_solaris_to_darwin: parsing %d ACES", ace_count); 192 193 while(ace_count--) { 194 LOG(log_maxdebug, logtype_afpd, "ACE No. %d", ace_count + 1); 195 /* if its a ACE resulting from nfsv4 mode mapping, discard it */ 196 if (aces->a_flags & (ACE_OWNER | ACE_GROUP | ACE_EVERYONE)) { 197 LOG(log_debug, logtype_afpd, "trivial ACE"); 198 aces++; 199 continue; 200 } 201 202 if ( ! (aces->a_flags & ACE_IDENTIFIER_GROUP) ) { /* user ace */ 203 LOG(log_debug, logtype_afpd, "uid: %d", aces->a_who); 204 EC_NULL_LOG(pwd = getpwuid(aces->a_who)); 205 LOG(log_debug, logtype_afpd, "uid: %d -> name: %s", aces->a_who, pwd->pw_name); 206 EC_ZERO_LOG(getuuidfromname(pwd->pw_name, 207 UUID_USER, 208 darwin_aces->darwin_ace_uuid)); 209 } else { /* group ace */ 210 LOG(log_debug, logtype_afpd, "gid: %d", aces->a_who); 211 EC_NULL_LOG(grp = getgrgid(aces->a_who)); 212 LOG(log_debug, logtype_afpd, "gid: %d -> name: %s", aces->a_who, grp->gr_name); 213 EC_ZERO_LOG(getuuidfromname(grp->gr_name, 214 UUID_GROUP, 215 darwin_aces->darwin_ace_uuid)); 216 } 217 218 /* map flags */ 219 if (aces->a_type == ACE_ACCESS_ALLOWED_ACE_TYPE) 220 flags = DARWIN_ACE_FLAGS_PERMIT; 221 else if (aces->a_type == ACE_ACCESS_DENIED_ACE_TYPE) 222 flags = DARWIN_ACE_FLAGS_DENY; 223 else { /* unsupported type */ 224 aces++; 225 continue; 226 } 227 for(i=0; nfsv4_to_darwin_flags[i].from != 0; i++) { 228 if (aces->a_flags & nfsv4_to_darwin_flags[i].from) 229 flags |= nfsv4_to_darwin_flags[i].to; 230 } 231 darwin_aces->darwin_ace_flags = htonl(flags); 232 233 /* map rights */ 234 rights = 0; 235 for (i=0; nfsv4_to_darwin_rights[i].from != 0; i++) { 236 if (aces->a_access_mask & nfsv4_to_darwin_rights[i].from) 237 rights |= nfsv4_to_darwin_rights[i].to; 238 } 239 darwin_aces->darwin_ace_rights = htonl(rights); 240 241 count++; 242 aces++; 243 darwin_aces++; 244 } 245 246 return count; 247EC_CLEANUP: 248 EC_EXIT; 249} 250 251/* 252 Maps ACE array from Darwin to Solaris. Darwin ACEs are expected in network byte order. 253 Return numer of mapped ACEs or -1 on error. 254 All errors while mapping (e.g. getting UUIDs from LDAP) are fatal. 255*/ 256static int map_aces_darwin_to_solaris(darwin_ace_t *darwin_aces, 257 ace_t *nfsv4_aces, 258 int ace_count) 259{ 260 EC_INIT; 261 int i, mapped_aces = 0; 262 uint32_t darwin_ace_flags; 263 uint32_t darwin_ace_rights; 264 uint16_t nfsv4_ace_flags; 265 uint32_t nfsv4_ace_rights; 266 char *name = NULL; 267 uuidtype_t uuidtype; 268 struct passwd *pwd; 269 struct group *grp; 270 271 while(ace_count--) { 272 nfsv4_ace_flags = 0; 273 nfsv4_ace_rights = 0; 274 275 /* uid/gid first */ 276 EC_ZERO(getnamefromuuid(darwin_aces->darwin_ace_uuid, &name, &uuidtype)); 277 switch (uuidtype) { 278 case UUID_USER: 279 EC_NULL_LOG(pwd = getpwnam(name)); 280 nfsv4_aces->a_who = pwd->pw_uid; 281 break; 282 case UUID_GROUP: 283 EC_NULL_LOG(grp = getgrnam(name)); 284 nfsv4_aces->a_who = (uid_t)(grp->gr_gid); 285 nfsv4_ace_flags |= ACE_IDENTIFIER_GROUP; 286 break; 287 default: 288 LOG(log_error, logtype_afpd, "map_aces_darwin_to_solaris: unkown uuidtype"); 289 EC_FAIL; 290 } 291 free(name); 292 name = NULL; 293 294 /* now type: allow/deny */ 295 darwin_ace_flags = ntohl(darwin_aces->darwin_ace_flags); 296 if (darwin_ace_flags & DARWIN_ACE_FLAGS_PERMIT) 297 nfsv4_aces->a_type = ACE_ACCESS_ALLOWED_ACE_TYPE; 298 else if (darwin_ace_flags & DARWIN_ACE_FLAGS_DENY) 299 nfsv4_aces->a_type = ACE_ACCESS_DENIED_ACE_TYPE; 300 else { /* unsupported type */ 301 darwin_aces++; 302 continue; 303 } 304 /* map flags */ 305 for(i=0; darwin_to_nfsv4_flags[i].from != 0; i++) { 306 if (darwin_ace_flags & darwin_to_nfsv4_flags[i].from) 307 nfsv4_ace_flags |= darwin_to_nfsv4_flags[i].to; 308 } 309 310 /* map rights */ 311 darwin_ace_rights = ntohl(darwin_aces->darwin_ace_rights); 312 for (i=0; darwin_to_nfsv4_rights[i].from != 0; i++) { 313 if (darwin_ace_rights & darwin_to_nfsv4_rights[i].from) 314 nfsv4_ace_rights |= darwin_to_nfsv4_rights[i].to; 315 } 316 317 LOG(log_debug9, logtype_afpd, 318 "map_aces_darwin_to_solaris: ACE flags: Darwin:%08x -> NFSv4:%04x", 319 darwin_ace_flags, nfsv4_ace_flags); 320 LOG(log_debug9, logtype_afpd, 321 "map_aces_darwin_to_solaris: ACE rights: Darwin:%08x -> NFSv4:%08x", 322 darwin_ace_rights, nfsv4_ace_rights); 323 324 nfsv4_aces->a_flags = nfsv4_ace_flags; 325 nfsv4_aces->a_access_mask = nfsv4_ace_rights; 326 327 mapped_aces++; 328 darwin_aces++; 329 nfsv4_aces++; 330 } 331 332 return mapped_aces; 333EC_CLEANUP: 334 if (name) 335 free(name); 336 EC_EXIT; 337} 338#endif /* HAVE_SOLARIS_ACLS */ 339 340/******************************************************** 341 * POSIX 1e funcs 342 ********************************************************/ 343 344#ifdef HAVE_POSIX_ACLS 345 346static uint32_t posix_permset_to_darwin_rights(acl_entry_t e, int is_dir) 347{ 348 EC_INIT; 349 uint32_t rights = 0; 350 acl_permset_t permset; 351 352 EC_ZERO_LOG(acl_get_permset(e, &permset)); 353 354#ifdef HAVE_ACL_GET_PERM_NP 355 if (acl_get_perm_np(permset, ACL_READ)) 356#else 357 if (acl_get_perm(permset, ACL_READ)) 358#endif 359 rights = DARWIN_ACE_READ_DATA 360 | DARWIN_ACE_READ_EXTATTRIBUTES 361 | DARWIN_ACE_READ_ATTRIBUTES 362 | DARWIN_ACE_READ_SECURITY; 363#ifdef HAVE_ACL_GET_PERM_NP 364 if (acl_get_perm_np(permset, ACL_WRITE)) { 365#else 366 if (acl_get_perm(permset, ACL_WRITE)) { 367#endif 368 rights |= DARWIN_ACE_WRITE_DATA 369 | DARWIN_ACE_APPEND_DATA 370 | DARWIN_ACE_WRITE_EXTATTRIBUTES 371 | DARWIN_ACE_WRITE_ATTRIBUTES; 372 if (is_dir) 373 rights |= DARWIN_ACE_DELETE_CHILD; 374 } 375#ifdef HAVE_ACL_GET_PERM_NP 376 if (acl_get_perm_np(permset, ACL_EXECUTE)) 377#else 378 if (acl_get_perm(permset, ACL_EXECUTE)) 379#endif 380 rights |= DARWIN_ACE_EXECUTE; 381 382EC_CLEANUP: 383 LOG(log_maxdebug, logtype_afpd, "mapped rights: 0x%08x", rights); 384 return rights; 385} 386 387/*! 388 * Compile access rights for a user to one file-system object 389 * 390 * This combines combines all access rights for a user to one fs-object and 391 * returns the result as a Darwin allowed rights ACE. 392 * This must honor trivial ACEs which are a mode_t mapping. 393 * 394 * @param path (r) path to filesystem object 395 * @param sb (r) struct stat of path 396 * @param result (rw) resulting Darwin allow ACE 397 * 398 * @returns 0 or -1 on error 399 */ 400static int posix_acl_rights(const char *path, 401 const struct stat *sb, 402 uint32_t *result) 403{ 404 EC_INIT; 405 int entry_id = ACL_FIRST_ENTRY; 406 uint32_t rights = 0; /* rights which do not depend on ACL_MASK */ 407 uint32_t acl_rights = 0; /* rights which are subject to limitations imposed by ACL_MASK */ 408 uint32_t mask_rights = 0xffffffff; 409 uid_t *uid = NULL; 410 gid_t *gid = NULL; 411 acl_t acl = NULL; 412 acl_entry_t e; 413 acl_tag_t tag; 414 415 EC_NULL_LOGSTR(acl = acl_get_file(path, ACL_TYPE_ACCESS), 416 "acl_get_file(\"%s\"): %s", fullpathname(path), strerror(errno)); 417 418 /* Iterate through all ACEs. If we apply mask_rights later there is no need to iterate twice. */ 419 while (acl_get_entry(acl, entry_id, &e) == 1) { 420 entry_id = ACL_NEXT_ENTRY; 421 EC_ZERO_LOG(acl_get_tag_type(e, &tag)); 422 423 switch (tag) { 424 case ACL_USER_OBJ: 425 if (sb->st_uid == uuid) { 426 LOG(log_maxdebug, logtype_afpd, "ACL_USER_OBJ: %u", sb->st_uid); 427 rights |= posix_permset_to_darwin_rights(e, S_ISDIR(sb->st_mode)); 428 } 429 break; 430 431 case ACL_USER: 432 EC_NULL_LOG(uid = (uid_t *)acl_get_qualifier(e)); 433 434 if (*uid == uuid) { 435 LOG(log_maxdebug, logtype_afpd, "ACL_USER: %u", *uid); 436 acl_rights |= posix_permset_to_darwin_rights(e, S_ISDIR(sb->st_mode)); 437 } 438 acl_free(uid); 439 uid = NULL; 440 break; 441 442 case ACL_GROUP_OBJ: 443 if (!(sb->st_uid == uuid) && gmem(sb->st_gid)) { 444 LOG(log_maxdebug, logtype_afpd, "ACL_GROUP_OBJ: %u", sb->st_gid); 445 acl_rights |= posix_permset_to_darwin_rights(e, S_ISDIR(sb->st_mode)); 446 } 447 break; 448 449 case ACL_GROUP: 450 EC_NULL_LOG(gid = (gid_t *)acl_get_qualifier(e)); 451 452 if (gmem(*gid)) { 453 LOG(log_maxdebug, logtype_afpd, "ACL_GROUP: %u", *gid); 454 acl_rights |= posix_permset_to_darwin_rights(e, S_ISDIR(sb->st_mode)); 455 } 456 acl_free(gid); 457 gid = NULL; 458 break; 459 460 case ACL_MASK: 461 mask_rights = posix_permset_to_darwin_rights(e, S_ISDIR(sb->st_mode)); 462 LOG(log_maxdebug, logtype_afpd, "maskrights: 0x%08x", mask_rights); 463 break; 464 465 case ACL_OTHER: 466 if (!(sb->st_uid == uuid) && !gmem(sb->st_gid)) { 467 LOG(log_maxdebug, logtype_afpd, "ACL_OTHER"); 468 rights |= posix_permset_to_darwin_rights(e, S_ISDIR(sb->st_mode)); 469 } 470 break; 471 472 default: 473 continue; 474 } 475 } /* while */ 476 477 /* apply the mask and collect the rights */ 478 rights |= (acl_rights & mask_rights); 479 480 *result |= rights; 481 482EC_CLEANUP: 483 if (acl) acl_free(acl); 484 if (uid) acl_free(uid); 485 if (gid) acl_free(gid); 486 EC_EXIT; 487} 488 489/*! 490 * Helper function for posix_acls_to_uaperms() to convert Posix ACL permissions 491 * into access rights needed to fill ua_permissions of a FPUnixPrivs structure. 492 * 493 * @param entry (r) Posix ACL entry 494 * 495 * @returns access rights 496 */ 497static u_char acl_permset_to_uarights(acl_entry_t entry) { 498 acl_permset_t permset; 499 u_char rights = 0; 500 501 if (acl_get_permset(entry, &permset) == -1) 502 return rights; 503 504#ifdef HAVE_ACL_GET_PERM_NP 505 if (acl_get_perm_np(permset, ACL_READ)) 506#else 507 if (acl_get_perm(permset, ACL_READ)) 508#endif 509 rights |= AR_UREAD; 510 511#ifdef HAVE_ACL_GET_PERM_NP 512 if (acl_get_perm_np(permset, ACL_WRITE)) 513#else 514 if (acl_get_perm(permset, ACL_WRITE)) 515#endif 516 rights |= AR_UWRITE; 517 518#ifdef HAVE_ACL_GET_PERM_NP 519 if (acl_get_perm_np(permset, ACL_EXECUTE)) 520#else 521 if (acl_get_perm(permset, ACL_EXECUTE)) 522#endif 523 rights |= AR_USEARCH; 524 525 return rights; 526} 527 528/*! 529 * Update FPUnixPrivs for a file-system object on a volume supporting ACLs 530 * 531 * Checks permissions granted by ACLS for a user to one fs-object and 532 * updates user and group permissions in given struct maccess. As OS X 533 * doesn't conform to Posix 1003.1e Draft 17 it expects proper group 534 * permissions in st_mode of struct stat even if the fs-object has an 535 * ACL_MASK entry, st_mode gets modified to properly reflect group 536 * permissions. 537 * 538 * @param path (r) path to filesystem object 539 * @param sb (rw) struct stat of path 540 * @param maccess (rw) struct maccess of path 541 * 542 * @returns 0 or -1 on error 543 */ 544static int posix_acls_to_uaperms(const char *path, struct stat *sb, struct maccess *ma) { 545 EC_INIT; 546 547 int entry_id = ACL_FIRST_ENTRY; 548 acl_entry_t entry; 549 acl_tag_t tag; 550 acl_t acl = NULL; 551 uid_t *uid; 552 gid_t *gid; 553 uid_t whoami = geteuid(); 554 555 u_char group_rights = 0x00; 556 u_char acl_rights = 0x00; 557 u_char mask = 0xff; 558 559 EC_NULL_LOG(acl = acl_get_file(path, ACL_TYPE_ACCESS)); 560 561 /* iterate through all ACEs */ 562 while (acl_get_entry(acl, entry_id, &entry) == 1) { 563 entry_id = ACL_NEXT_ENTRY; 564 EC_ZERO_LOG(acl_get_tag_type(entry, &tag)); 565 566 switch (tag) { 567 case ACL_USER: 568 EC_NULL_LOG(uid = (uid_t *)acl_get_qualifier(entry)); 569 570 if (*uid == uuid && !(whoami == sb->st_uid)) { 571 LOG(log_maxdebug, logtype_afpd, "ACL_USER: %u", *uid); 572 acl_rights |= acl_permset_to_uarights(entry); 573 } 574 acl_free(uid); 575 break; 576 577 case ACL_GROUP_OBJ: 578 group_rights = acl_permset_to_uarights(entry); 579 LOG(log_maxdebug, logtype_afpd, "ACL_GROUP_OBJ: %u", sb->st_gid); 580 581 if (gmem(sb->st_gid) && !(whoami == sb->st_uid)) 582 acl_rights |= group_rights; 583 break; 584 585 case ACL_GROUP: 586 EC_NULL_LOG(gid = (gid_t *)acl_get_qualifier(entry)); 587 588 if (gmem(*gid) && !(whoami == sb->st_uid)) { 589 LOG(log_maxdebug, logtype_afpd, "ACL_GROUP: %u", *gid); 590 acl_rights |= acl_permset_to_uarights(entry); 591 } 592 acl_free(gid); 593 break; 594 595 case ACL_MASK: 596 mask = acl_permset_to_uarights(entry); 597 LOG(log_maxdebug, logtype_afpd, "ACL_MASK: 0x%02x", mask); 598 break; 599 600 default: 601 break; 602 } 603 } 604 /* apply the mask and adjust user and group permissions */ 605 ma->ma_user |= (acl_rights & mask); 606 ma->ma_group = (group_rights & mask); 607 608 /* update st_mode to properly reflect group permissions */ 609 sb->st_mode &= ~S_IRWXG; 610 611 if (ma->ma_group & AR_USEARCH) 612 sb->st_mode |= S_IXGRP; 613 614 if (ma->ma_group & AR_UWRITE) 615 sb->st_mode |= S_IWGRP; 616 617 if (ma->ma_group & AR_UREAD) 618 sb->st_mode |= S_IRGRP; 619 620EC_CLEANUP: 621 if (acl) acl_free(acl); 622 623 EC_EXIT; 624} 625 626/*! 627 * Add entries of one acl to another acl 628 * 629 * @param aclp (rw) destination acl where new aces will be added 630 * @param acl (r) source acl where aces will be copied from 631 * 632 * @returns 0 on success, -1 on error 633 */ 634static int acl_add_acl(acl_t *aclp, const acl_t acl) 635{ 636 EC_INIT; 637 int id; 638 acl_entry_t se, de; 639 640 for (id = ACL_FIRST_ENTRY; acl_get_entry(acl, id, &se) == 1; id = ACL_NEXT_ENTRY) { 641 EC_ZERO_LOG_ERR(acl_create_entry(aclp, &de), AFPERR_MISC); 642 EC_ZERO_LOG_ERR(acl_copy_entry(de, se), AFPERR_MISC); 643 } 644 645EC_CLEANUP: 646 EC_EXIT; 647} 648 649/*! 650 * Map Darwin ACE rights to POSIX 1e perm 651 * 652 * We can only map few rights: 653 * DARWIN_ACE_READ_DATA -> ACL_READ 654 * DARWIN_ACE_WRITE_DATA -> ACL_WRITE 655 * DARWIN_ACE_DELETE_CHILD & (is_dir == 1) -> ACL_WRITE 656 * DARWIN_ACE_EXECUTE -> ACL_EXECUTE 657 * 658 * @param entry (rw) result of the mapping 659 * @param is_dir (r) 1 for dirs, 0 for files 660 * 661 * @returns mapping result as acl_perm_t, -1 on error 662 */ 663static acl_perm_t map_darwin_right_to_posix_permset(uint32_t darwin_ace_rights, int is_dir) 664{ 665 acl_perm_t perm = 0; 666 667 if (darwin_ace_rights & DARWIN_ACE_READ_DATA) 668 perm |= ACL_READ; 669 670 if (darwin_ace_rights & (DARWIN_ACE_WRITE_DATA | (is_dir ? DARWIN_ACE_DELETE_CHILD : 0))) 671 perm |= ACL_WRITE; 672 673 if (darwin_ace_rights & DARWIN_ACE_EXECUTE) 674 perm |= ACL_EXECUTE; 675 676 return perm; 677} 678 679/*! 680 * Add a ACL_USER or ACL_GROUP permission to an ACL, extending existing ACEs 681 * 682 * Add a permission of "type" for user or group "id" to an ACL. Scan the ACL 683 * for existing permissions for this type/id, if there is one add the perm, 684 * otherwise create a new ACL entry. 685 * perm can be or'ed ACL_READ, ACL_WRITE and ACL_EXECUTE. 686 * 687 * @param aclp (rw) pointer to ACL 688 * @param type (r) acl_tag_t of ACL_USER or ACL_GROUP 689 * @param id (r) uid_t uid for ACL_USER, or gid casted to uid_t for ACL_GROUP 690 * @param perm (r) acl_perm_t permissions to add 691 * 692 * @returns 0 on success, -1 on failure 693 */ 694static int posix_acl_add_perm(acl_t *aclp, acl_tag_t type, uid_t id, acl_perm_t perm) 695{ 696 EC_INIT; 697 uid_t *eid = NULL; 698 acl_entry_t e; 699 acl_tag_t tag; 700 int entry_id = ACL_FIRST_ENTRY; 701 acl_permset_t permset; 702 703 int found = 0; 704 for ( ; (! found) && acl_get_entry(*aclp, entry_id, &e) == 1; entry_id = ACL_NEXT_ENTRY) { 705 EC_ZERO_LOG(acl_get_tag_type(e, &tag)); 706 if (tag != ACL_USER && tag != ACL_GROUP) 707 continue; 708 EC_NULL_LOG(eid = (uid_t *)acl_get_qualifier(e)); 709 if ((*eid == id) && (type == tag)) { 710 /* found an ACE for this type/id */ 711 found = 1; 712 EC_ZERO_LOG(acl_get_permset(e, &permset)); 713 EC_ZERO_LOG(acl_add_perm(permset, perm)); 714 } 715 716 acl_free(eid); 717 eid = NULL; 718 } 719 720 if ( ! found) { 721 /* there was no existing ACE for this type/id */ 722 EC_ZERO_LOG(acl_create_entry(aclp, &e)); 723 EC_ZERO_LOG(acl_set_tag_type(e, type)); 724 EC_ZERO_LOG(acl_set_qualifier(e, &id)); 725 EC_ZERO_LOG(acl_get_permset(e, &permset)); 726 EC_ZERO_LOG(acl_clear_perms(permset)); 727 EC_ZERO_LOG(acl_add_perm(permset, perm)); 728 EC_ZERO_LOG(acl_set_permset(e, permset)); 729 } 730 731EC_CLEANUP: 732 if (eid) acl_free(eid); 733 734 EC_EXIT; 735} 736 737/*! 738 * Map Darwin ACL to POSIX ACL. 739 * 740 * aclp must point to a acl_init'ed acl_t or an acl_t that can eg contain default ACEs. 741 * Mapping pecularities: 742 * - we create a default ace (which inherits to files and dirs) if either 743 DARWIN_ACE_FLAGS_FILE_INHERIT or DARWIN_ACE_FLAGS_DIRECTORY_INHERIT is requested 744 * - we throw away DARWIN_ACE_FLAGS_LIMIT_INHERIT (can't be mapped), thus the ACL will 745 * not be limited 746 * 747 * @param darwin_aces (r) pointer to darwin_aces buffer 748 * @param def_aclp (rw) directories: pointer to an initialized acl_t with 749 the default acl files: *def_aclp will be NULL 750 * @param acc_aclp (rw) pointer to an initialized acl_t with the access acl 751 * @param ace_count (r) number of ACEs in darwin_aces buffer 752 * @param default_acl_flags (rw) flags to indicate if the object has a basic default 753 * acl or an extended default acl. 754 * 755 * @returns 0 on success storing the result in aclp, -1 on error. default_acl_flags 756 * is set to HAS_DEFAULT_ACL|HAS_EXT_DEFAULT_ACL in case there is at least one 757 * extended default ace. Otherwise default_acl_flags is left unchanged. 758 */ 759static int map_aces_darwin_to_posix(const darwin_ace_t *darwin_aces, 760 acl_t *def_aclp, 761 acl_t *acc_aclp, 762 int ace_count, 763 uint32_t *default_acl_flags) 764{ 765 EC_INIT; 766 char *name = NULL; 767 uuidtype_t uuidtype; 768 struct passwd *pwd; 769 struct group *grp; 770 uid_t id; 771 uint32_t darwin_ace_flags, darwin_ace_rights; 772 acl_tag_t tag; 773 acl_perm_t perm; 774 775 for ( ; ace_count != 0; ace_count--, darwin_aces++) { 776 /* type: allow/deny, posix only has allow */ 777 darwin_ace_flags = ntohl(darwin_aces->darwin_ace_flags); 778 if ( ! (darwin_ace_flags & DARWIN_ACE_FLAGS_PERMIT)) 779 continue; 780 781 darwin_ace_rights = ntohl(darwin_aces->darwin_ace_rights); 782 perm = map_darwin_right_to_posix_permset(darwin_ace_rights, (*def_aclp != NULL)); 783 if (perm == 0) 784 continue; /* dont add empty perm */ 785 786 LOG(log_debug, logtype_afpd, "map_ace: no: %u, flags: %08x, darwin: %08x, posix: %02x", 787 ace_count, darwin_ace_flags, darwin_ace_rights, perm); 788 789 /* uid/gid */ 790 EC_ZERO_LOG(getnamefromuuid(darwin_aces->darwin_ace_uuid, &name, &uuidtype)); 791 switch (uuidtype) { 792 case UUID_USER: 793 EC_NULL_LOG(pwd = getpwnam(name)); 794 tag = ACL_USER; 795 id = pwd->pw_uid; 796 LOG(log_debug, logtype_afpd, "map_ace: name: %s, uid: %u", name, id); 797 break; 798 case UUID_GROUP: 799 EC_NULL_LOG(grp = getgrnam(name)); 800 tag = ACL_GROUP; 801 id = (uid_t)(grp->gr_gid); 802 LOG(log_debug, logtype_afpd, "map_ace: name: %s, gid: %u", name, id); 803 break; 804 default: 805 continue; 806 } 807 free(name); 808 name = NULL; 809 810 if (darwin_ace_flags & DARWIN_ACE_INHERIT_CONTROL_FLAGS) { 811 if (*def_aclp == NULL) { 812 /* ace request inheritane but we haven't got a default acl pointer */ 813 LOG(log_warning, logtype_afpd, "map_acl: unexpected ACE, flags: 0x%04x", 814 darwin_ace_flags); 815 EC_FAIL; 816 } 817 /* add it as default ace */ 818 EC_ZERO_LOG(posix_acl_add_perm(def_aclp, tag, id, perm)); 819 *default_acl_flags = (HAS_DEFAULT_ACL|HAS_EXT_DEFAULT_ACL); 820 821 if (! (darwin_ace_flags & DARWIN_ACE_FLAGS_ONLY_INHERIT)) 822 /* if it not a "inherit only" ace, it must be added as access aces too */ 823 EC_ZERO_LOG(posix_acl_add_perm(acc_aclp, tag, id, perm)); 824 } else { 825 EC_ZERO_LOG(posix_acl_add_perm(acc_aclp, tag, id, perm)); 826 } 827 } 828 829EC_CLEANUP: 830 if (name) 831 free(name); 832 833 EC_EXIT; 834} 835 836/* 837 * Map ACEs from POSIX to Darwin. 838 * type is either POSIX_DEFAULT_2_DARWIN or POSIX_ACCESS_2_DARWIN, cf. acl_get_file. 839 * Return number of mapped ACES, -1 on error. 840 */ 841static int map_acl_posix_to_darwin(int type, const acl_t acl, darwin_ace_t *darwin_aces) 842{ 843 EC_INIT; 844 int mapped_aces = 0; 845 int entry_id = ACL_FIRST_ENTRY; 846 acl_entry_t e; 847 acl_tag_t tag; 848 uid_t *uid = NULL; 849 gid_t *gid = NULL; 850 struct passwd *pwd = NULL; 851 struct group *grp = NULL; 852 uint32_t flags; 853 uint32_t rights, maskrights = 0; 854 darwin_ace_t *saved_darwin_aces = darwin_aces; 855 856 LOG(log_maxdebug, logtype_afpd, "map_aces_posix_to_darwin(%s)", 857 (type & MAP_MASK) == POSIX_DEFAULT_2_DARWIN ? 858 "POSIX_DEFAULT_2_DARWIN" : "POSIX_ACCESS_2_DARWIN"); 859 860 /* itereate through all ACEs */ 861 while (acl_get_entry(acl, entry_id, &e) == 1) { 862 entry_id = ACL_NEXT_ENTRY; 863 864 /* get ACE type */ 865 EC_ZERO_LOG(acl_get_tag_type(e, &tag)); 866 867 /* we return user and group ACE */ 868 switch (tag) { 869 case ACL_USER: 870 EC_NULL_LOG(uid = (uid_t *)acl_get_qualifier(e)); 871 EC_NULL_LOG(pwd = getpwuid(*uid)); 872 LOG(log_debug, logtype_afpd, "map_aces_posix_to_darwin: uid: %d -> name: %s", 873 *uid, pwd->pw_name); 874 EC_ZERO_LOG(getuuidfromname(pwd->pw_name, UUID_USER, darwin_aces->darwin_ace_uuid)); 875 acl_free(uid); 876 uid = NULL; 877 break; 878 879 case ACL_GROUP: 880 EC_NULL_LOG(gid = (gid_t *)acl_get_qualifier(e)); 881 EC_NULL_LOG(grp = getgrgid(*gid)); 882 LOG(log_debug, logtype_afpd, "map_aces_posix_to_darwin: gid: %d -> name: %s", 883 *gid, grp->gr_name); 884 EC_ZERO_LOG(getuuidfromname(grp->gr_name, UUID_GROUP, darwin_aces->darwin_ace_uuid)); 885 acl_free(gid); 886 gid = NULL; 887 break; 888 889 case ACL_MASK: 890 maskrights = posix_permset_to_darwin_rights(e, type & IS_DIR); 891 continue; 892 893 default: 894 continue; 895 } 896 897 /* flags */ 898 flags = DARWIN_ACE_FLAGS_PERMIT; 899 if ((type & MAP_MASK) == POSIX_DEFAULT_2_DARWIN) 900 flags |= DARWIN_ACE_FLAGS_FILE_INHERIT 901 | DARWIN_ACE_FLAGS_DIRECTORY_INHERIT 902 | DARWIN_ACE_FLAGS_ONLY_INHERIT; 903 darwin_aces->darwin_ace_flags = htonl(flags); 904 905 /* rights */ 906 rights = posix_permset_to_darwin_rights(e, type & IS_DIR); 907 darwin_aces->darwin_ace_rights = htonl(rights); 908 909 darwin_aces++; 910 mapped_aces++; 911 } /* while */ 912 913 /* Loop through the mapped ACE buffer once again, applying the mask */ 914 for (int i = mapped_aces; i > 0; i--) { 915 saved_darwin_aces->darwin_ace_rights &= htonl(maskrights); 916 saved_darwin_aces++; 917 } 918 919 EC_STATUS(mapped_aces); 920 921EC_CLEANUP: 922 if (uid) acl_free(uid); 923 if (gid) acl_free(gid); 924 EC_EXIT; 925} 926#endif 927 928/* 929 * Multiplex ACL mapping (SOLARIS_2_DARWIN, DARWIN_2_SOLARIS, POSIX_2_DARWIN, DARWIN_2_POSIX). 930 * Reads from 'aces' buffer, writes to 'rbuf' buffer. 931 * Caller must provide buffer. 932 * Darwin ACEs are read and written in network byte order. 933 * Needs to know how many ACEs are in the ACL (ace_count) for Solaris ACLs. 934 * Ignores trivial ACEs. 935 * Return no of mapped ACEs or -1 on error. 936 */ 937static int map_acl(int type, void *acl, darwin_ace_t *buf, int ace_count) 938{ 939 int mapped_aces; 940 941 LOG(log_debug9, logtype_afpd, "map_acl: BEGIN"); 942 943 switch (type & MAP_MASK) { 944 945#ifdef HAVE_SOLARIS_ACLS 946 case SOLARIS_2_DARWIN: 947 mapped_aces = map_aces_solaris_to_darwin( acl, buf, ace_count); 948 break; 949 950 case DARWIN_2_SOLARIS: 951 mapped_aces = map_aces_darwin_to_solaris( buf, acl, ace_count); 952 break; 953#endif /* HAVE_SOLARIS_ACLS */ 954 955#ifdef HAVE_POSIX_ACLS 956 case POSIX_DEFAULT_2_DARWIN: 957 mapped_aces = map_acl_posix_to_darwin(type, (const acl_t)acl, buf); 958 break; 959 960 case POSIX_ACCESS_2_DARWIN: 961 mapped_aces = map_acl_posix_to_darwin(type, (const acl_t)acl, buf); 962 break; 963 964 case DARWIN_2_POSIX_DEFAULT: 965 break; 966 967 case DARWIN_2_POSIX_ACCESS: 968 break; 969#endif /* HAVE_POSIX_ACLS */ 970 971 default: 972 mapped_aces = -1; 973 break; 974 } 975 976 LOG(log_debug9, logtype_afpd, "map_acl: END"); 977 return mapped_aces; 978} 979 980/* Get ACL from object omitting trivial ACEs. Map to Darwin ACL style and 981 store Darwin ACL at rbuf. Add length of ACL written to rbuf to *rbuflen. 982 Returns 0 on success, -1 on error. */ 983static int get_and_map_acl(char *name, char *rbuf, size_t *rbuflen) 984{ 985 EC_INIT; 986 int mapped_aces = 0; 987 int dirflag; 988 uint32_t *darwin_ace_count = (u_int32_t *)rbuf; 989#ifdef HAVE_SOLARIS_ACLS 990 int ace_count = 0; 991 ace_t *aces = NULL; 992#endif 993#ifdef HAVE_POSIX_ACLS 994 struct stat st; 995#endif 996 LOG(log_debug9, logtype_afpd, "get_and_map_acl: BEGIN"); 997 998 /* Skip length and flags */ 999 rbuf += 4; 1000 *rbuf = 0; 1001 rbuf += 4; 1002 1003#ifdef HAVE_SOLARIS_ACLS 1004 EC_NEG1(ace_count = get_nfsv4_acl(name, &aces)); 1005 EC_NEG1(mapped_aces = map_acl(SOLARIS_2_DARWIN, aces, (darwin_ace_t *)rbuf, ace_count)); 1006#endif /* HAVE_SOLARIS_ACLS */ 1007 1008#ifdef HAVE_POSIX_ACLS 1009 acl_t defacl = NULL , accacl = NULL; 1010 1011 /* stat to check if its a dir */ 1012 EC_ZERO_LOG(lstat(name, &st)); 1013 1014 /* if its a dir, check for default acl too */ 1015 dirflag = 0; 1016 if (S_ISDIR(st.st_mode)) { 1017 dirflag = IS_DIR; 1018 EC_NULL_LOG(defacl = acl_get_file(name, ACL_TYPE_DEFAULT)); 1019 EC_NEG1(mapped_aces = map_acl(POSIX_DEFAULT_2_DARWIN | dirflag, 1020 defacl, 1021 (darwin_ace_t *)rbuf, 1022 0)); 1023 } 1024 1025 EC_NULL_LOG(accacl = acl_get_file(name, ACL_TYPE_ACCESS)); 1026 1027 int tmp; 1028 EC_NEG1(tmp = map_acl(POSIX_ACCESS_2_DARWIN | dirflag, 1029 accacl, 1030 (darwin_ace_t *)(rbuf + mapped_aces * sizeof(darwin_ace_t)), 1031 0)); 1032 mapped_aces += tmp; 1033#endif /* HAVE_POSIX_ACLS */ 1034 1035 LOG(log_debug, logtype_afpd, "get_and_map_acl: mapped %d ACEs", mapped_aces); 1036 1037 *darwin_ace_count = htonl(mapped_aces); 1038 *rbuflen += sizeof(darwin_acl_header_t) + (mapped_aces * sizeof(darwin_ace_t)); 1039 1040 EC_STATUS(0); 1041 1042EC_CLEANUP: 1043#ifdef HAVE_SOLARIS_ACLS 1044 if (aces) free(aces); 1045#endif 1046#ifdef HAVE_POSIX_ACLS 1047 if (defacl) acl_free(defacl); 1048 if (accacl) acl_free(accacl); 1049#endif /* HAVE_POSIX_ACLS */ 1050 1051 LOG(log_debug9, logtype_afpd, "get_and_map_acl: END"); 1052 1053 EC_EXIT; 1054} 1055 1056/* Removes all non-trivial ACLs from object. Returns full AFPERR code. */ 1057static int remove_acl(const struct vol *vol,const char *path, int dir) 1058{ 1059 int ret = AFP_OK; 1060 1061#if (defined HAVE_SOLARIS_ACLS || defined HAVE_POSIX_ACLS) 1062 /* Ressource etc. first */ 1063 if ((ret = vol->vfs->vfs_remove_acl(vol, path, dir)) != AFP_OK) 1064 return ret; 1065 /* now the data fork or dir */ 1066 ret = remove_acl_vfs(path); 1067#endif 1068 return ret; 1069} 1070 1071/* 1072 Set ACL. Subtleties: 1073 - the client sends a complete list of ACEs, not only new ones. So we dont need to do 1074 any combination business (one exception being 'kFileSec_Inherit': see next) 1075 - client might request that we add inherited ACEs via 'kFileSec_Inherit'. 1076 We will store inherited ACEs first, which is Darwins canonical order. 1077 - returns AFPerror code 1078*/ 1079#ifdef HAVE_SOLARIS_ACLS 1080static int set_acl(const struct vol *vol, 1081 char *name, 1082 int inherit, 1083 darwin_ace_t *daces, 1084 uint32_t ace_count) 1085{ 1086 EC_INIT; 1087 int i, nfsv4_ace_count; 1088 int tocopy_aces_count = 0, new_aces_count = 0, trivial_ace_count = 0; 1089 ace_t *old_aces, *new_aces = NULL; 1090 uint16_t flags; 1091 1092 LOG(log_debug9, logtype_afpd, "set_acl: BEGIN"); 1093 1094 if (inherit) 1095 /* inherited + trivial ACEs */ 1096 flags = ACE_INHERITED_ACE | ACE_OWNER | ACE_GROUP | ACE_EVERYONE; 1097 else 1098 /* only trivial ACEs */ 1099 flags = ACE_OWNER | ACE_GROUP | ACE_EVERYONE; 1100 1101 /* Get existing ACL and count ACEs which have to be copied */ 1102 if ((nfsv4_ace_count = get_nfsv4_acl(name, &old_aces)) == -1) 1103 return AFPERR_MISC; 1104 for ( i=0; i < nfsv4_ace_count; i++) { 1105 if (old_aces[i].a_flags & flags) 1106 tocopy_aces_count++; 1107 } 1108 1109 /* Now malloc buffer exactly sized to fit all new ACEs */ 1110 if ((new_aces = malloc((ace_count + tocopy_aces_count) * sizeof(ace_t))) == NULL) { 1111 LOG(log_error, logtype_afpd, "set_acl: malloc %s", strerror(errno)); 1112 EC_STATUS(AFPERR_MISC); 1113 goto EC_CLEANUP; 1114 } 1115 1116 /* Start building new ACL */ 1117 1118 /* Copy local inherited ACEs. Therefore we have 'Darwin canonical order' (see chmod there): 1119 inherited ACEs first. */ 1120 if (inherit) { 1121 for (i=0; i < nfsv4_ace_count; i++) { 1122 if (old_aces[i].a_flags & ACE_INHERITED_ACE) { 1123 memcpy(&new_aces[new_aces_count], &old_aces[i], sizeof(ace_t)); 1124 new_aces_count++; 1125 } 1126 } 1127 } 1128 LOG(log_debug7, logtype_afpd, "set_acl: copied %d inherited ACEs", new_aces_count); 1129 1130 /* Now the ACEs from the client */ 1131 if ((ret = (map_acl(DARWIN_2_SOLARIS, 1132 &new_aces[new_aces_count], 1133 daces, 1134 ace_count))) == -1) { 1135 EC_STATUS(AFPERR_PARAM); 1136 goto EC_CLEANUP; 1137 } 1138 new_aces_count += ret; 1139 LOG(log_debug7, logtype_afpd, "set_acl: mapped %d ACEs from client", ret); 1140 1141 /* Now copy the trivial ACEs */ 1142 for (i=0; i < nfsv4_ace_count; i++) { 1143 if (old_aces[i].a_flags & (ACE_OWNER | ACE_GROUP | ACE_EVERYONE)) { 1144 memcpy(&new_aces[new_aces_count], &old_aces[i], sizeof(ace_t)); 1145 new_aces_count++; 1146 trivial_ace_count++; 1147 } 1148 } 1149 LOG(log_debug7, logtype_afpd, "set_acl: copied %d trivial ACEs", trivial_ace_count); 1150 1151 /* Ressourcefork first. 1152 Note: for dirs we set the same ACL on the .AppleDouble/.Parent _file_. This 1153 might be strange for ACE_DELETE_CHILD and for inheritance flags. */ 1154 if ((ret = (vol->vfs->vfs_acl(vol, name, ACE_SETACL, new_aces_count, new_aces))) != 0) { 1155 LOG(log_error, logtype_afpd, "set_acl: error setting acl: %s", strerror(errno)); 1156 if (errno == (EACCES | EPERM)) 1157 EC_STATUS(AFPERR_ACCESS); 1158 else if (errno == ENOENT) 1159 EC_STATUS(AFPERR_NOITEM); 1160 else 1161 EC_STATUS(AFPERR_MISC); 1162 goto EC_CLEANUP; 1163 } 1164 if ((ret = (acl(name, ACE_SETACL, new_aces_count, new_aces))) != 0) { 1165 LOG(log_error, logtype_afpd, "set_acl: error setting acl: %s", strerror(errno)); 1166 if (errno == (EACCES | EPERM)) 1167 EC_STATUS(AFPERR_ACCESS); 1168 else if (errno == ENOENT) 1169 EC_STATUS(AFPERR_NOITEM); 1170 else 1171 EC_STATUS(AFPERR_MISC); 1172 goto EC_CLEANUP; 1173 } 1174 1175 EC_STATUS(AFP_OK); 1176 1177EC_CLEANUP: 1178 if (old_aces) free(old_aces); 1179 if (new_aces) free(new_aces); 1180 1181 LOG(log_debug9, logtype_afpd, "set_acl: END"); 1182 EC_EXIT; 1183} 1184#endif /* HAVE_SOLARIS_ACLS */ 1185 1186#ifdef HAVE_POSIX_ACLS 1187#ifndef HAVE_ACL_FROM_MODE 1188static acl_t acl_from_mode(mode_t mode) 1189{ 1190 acl_t acl; 1191 acl_entry_t entry; 1192 acl_permset_t permset; 1193 1194 if (!(acl = acl_init(3))) 1195 return NULL; 1196 1197 if (acl_create_entry(&acl, &entry) != 0) 1198 goto error; 1199 acl_set_tag_type(entry, ACL_USER_OBJ); 1200 acl_get_permset(entry, &permset); 1201 acl_clear_perms(permset); 1202 if (mode & S_IRUSR) 1203 acl_add_perm(permset, ACL_READ); 1204 if (mode & S_IWUSR) 1205 acl_add_perm(permset, ACL_WRITE); 1206 if (mode & S_IXUSR) 1207 acl_add_perm(permset, ACL_EXECUTE); 1208 acl_set_permset(entry, permset); 1209 1210 if (acl_create_entry(&acl, &entry) != 0) 1211 goto error; 1212 acl_set_tag_type(entry, ACL_GROUP_OBJ); 1213 acl_get_permset(entry, &permset); 1214 acl_clear_perms(permset); 1215 if (mode & S_IRGRP) 1216 acl_add_perm(permset, ACL_READ); 1217 if (mode & S_IWGRP) 1218 acl_add_perm(permset, ACL_WRITE); 1219 if (mode & S_IXGRP) 1220 acl_add_perm(permset, ACL_EXECUTE); 1221 acl_set_permset(entry, permset); 1222 1223 if (acl_create_entry(&acl, &entry) != 0) 1224 goto error; 1225 acl_set_tag_type(entry, ACL_OTHER); 1226 acl_get_permset(entry, &permset); 1227 acl_clear_perms(permset); 1228 if (mode & S_IROTH) 1229 acl_add_perm(permset, ACL_READ); 1230 if (mode & S_IWOTH) 1231 acl_add_perm(permset, ACL_WRITE); 1232 if (mode & S_IXOTH) 1233 acl_add_perm(permset, ACL_EXECUTE); 1234 acl_set_permset(entry, permset); 1235 1236 return acl; 1237 1238error: 1239 acl_free(acl); 1240 return NULL; 1241} 1242#endif 1243 1244static int set_acl(const struct vol *vol, 1245 const char *name, 1246 int inherit _U_, 1247 darwin_ace_t *daces, 1248 uint32_t ace_count) 1249{ 1250 EC_INIT; 1251 struct stat st; 1252 acl_t default_acl = NULL; 1253 acl_t access_acl = NULL; 1254 acl_entry_t entry; 1255 acl_tag_t tag; 1256 int entry_id = ACL_FIRST_ENTRY; 1257 int has_def_acl = 0; 1258 /* flags to indicate if the object has a minimal default acl and/or an extended 1259 * default acl. 1260 */ 1261 uint32_t default_acl_flags = 0; 1262 1263 LOG(log_maxdebug, logtype_afpd, "set_acl: BEGIN"); 1264 1265 EC_NULL_LOG_ERR(access_acl = acl_get_file(name, ACL_TYPE_ACCESS), AFPERR_MISC); 1266 1267 /* Iterate through acl and remove all extended acl entries. */ 1268 while (acl_get_entry(access_acl, entry_id, &entry) == 1) { 1269 entry_id = ACL_NEXT_ENTRY; 1270 EC_ZERO_LOG(acl_get_tag_type(entry, &tag)); 1271 1272 if ((tag == ACL_USER) || (tag == ACL_GROUP) || (tag == ACL_MASK)) { 1273 EC_ZERO_LOG_ERR(acl_delete_entry(access_acl, entry), AFPERR_MISC); 1274 } 1275 } /* while */ 1276 1277 /* In case we are acting on a directory prepare a default acl. For files default_acl will be NULL. 1278 * If the directory already has a default acl it will be preserved. 1279 */ 1280 EC_ZERO_LOG_ERR(lstat(name, &st), AFPERR_NOOBJ); 1281 1282 if (S_ISDIR(st.st_mode)) { 1283 default_acl = acl_get_file(name, ACL_TYPE_DEFAULT); 1284 1285 if (default_acl) { 1286 /* If default_acl is not empty then the dir has a default acl. */ 1287 if (acl_get_entry(default_acl, ACL_FIRST_ENTRY, &entry) == 1) 1288 default_acl_flags = HAS_DEFAULT_ACL; 1289 1290 acl_free(default_acl); 1291 } 1292 default_acl = acl_dup(access_acl); 1293 } 1294 /* adds the clients aces */ 1295 EC_ZERO_ERR(map_aces_darwin_to_posix(daces, &default_acl, &access_acl, ace_count, &default_acl_flags), AFPERR_MISC); 1296 1297 /* calcuate ACL mask */ 1298 EC_ZERO_LOG_ERR(acl_calc_mask(&access_acl), AFPERR_MISC); 1299 1300 /* is it ok? */ 1301 EC_ZERO_LOG_ERR(acl_valid(access_acl), AFPERR_MISC); 1302 1303 /* set it */ 1304 EC_ZERO_LOG_ERR(acl_set_file(name, ACL_TYPE_ACCESS, access_acl), AFPERR_MISC); 1305 EC_ZERO_LOG_ERR(vol->vfs->vfs_acl(vol, name, ACL_TYPE_ACCESS, 0, access_acl), AFPERR_MISC); 1306 1307 if (default_acl) { 1308 /* If the dir has an extended default acl it's ACL_MASK must be updated.*/ 1309 if (default_acl_flags & HAS_EXT_DEFAULT_ACL) 1310 EC_ZERO_LOG_ERR(acl_calc_mask(&default_acl), AFPERR_MISC); 1311 1312 if (default_acl_flags) { 1313 EC_ZERO_LOG_ERR(acl_valid(default_acl), AFPERR_MISC); 1314 EC_ZERO_LOG_ERR(acl_set_file(name, ACL_TYPE_DEFAULT, default_acl), AFPERR_MISC); 1315 EC_ZERO_LOG_ERR(vol->vfs->vfs_acl(vol, name, ACL_TYPE_DEFAULT, 0, default_acl), AFPERR_MISC); 1316 } 1317 } 1318 1319EC_CLEANUP: 1320 if (access_acl) acl_free(access_acl); 1321 if (default_acl) acl_free(default_acl); 1322 1323 LOG(log_maxdebug, logtype_afpd, "set_acl: END"); 1324 EC_EXIT; 1325} 1326#endif /* HAVE_POSIX_ACLS */ 1327 1328/*! 1329 * Checks if a given UUID has requested_rights(type darwin_ace_rights) for path. 1330 * 1331 * Note: this gets called frequently and is a good place for optimizations ! 1332 * 1333 * @param vol (r) volume 1334 * @param dir (rw) directory 1335 * @param path (r) path to filesystem object 1336 * @param uuid (r) UUID of user 1337 * @param requested_rights (r) requested Darwin ACE 1338 * 1339 * @returns AFP result code 1340*/ 1341static int check_acl_access(const struct vol *vol, 1342 struct dir *dir, 1343 const char *path, 1344 const uuidp_t uuid, 1345 uint32_t requested_rights) 1346{ 1347 int ret; 1348 uint32_t allowed_rights = 0; 1349 char *username = NULL; 1350 uuidtype_t uuidtype; 1351 struct stat st; 1352 bstring parent = NULL; 1353 int is_dir; 1354 1355 LOG(log_maxdebug, logtype_afpd, "check_acl_access(dir: \"%s\", path: \"%s\", curdir: \"%s\", 0x%08x)", 1356 cfrombstr(dir->d_fullpath), path, getcwdpath(), requested_rights); 1357 1358 /* This check is not used anymore, as OS X Server seems to be ignoring too */ 1359#if 0 1360 /* Get uid or gid from UUID */ 1361 EC_ZERO_ERR(getnamefromuuid(uuid, &username, &uuidtype), AFPERR_PARAM); 1362 switch (uuidtype) { 1363 case UUID_USER: 1364 break; 1365 case UUID_GROUP: 1366 LOG(log_warning, logtype_afpd, "check_acl_access: afp_access not supported for groups"); 1367 EC_STATUS(AFPERR_MISC); 1368 goto EC_CLEANUP; 1369 default: 1370 EC_STATUS(AFPERR_MISC); 1371 goto EC_CLEANUP; 1372 } 1373#endif 1374 1375 EC_ZERO_LOG_ERR(ostat(path, &st, vol_syml_opt(vol)), AFPERR_PARAM); 1376 1377 is_dir = !strcmp(path, "."); 1378 1379 if (is_dir && (curdir->d_rights_cache != 0xffffffff)) { 1380 /* its a dir and the cache value is valid */ 1381 allowed_rights = curdir->d_rights_cache; 1382 LOG(log_debug, logtype_afpd, "check_access: allowed rights from dircache: 0x%08x", allowed_rights); 1383 } else { 1384#ifdef HAVE_SOLARIS_ACLS 1385 EC_ZERO_LOG(solaris_acl_rights(path, &st, &allowed_rights)); 1386#endif 1387#ifdef HAVE_POSIX_ACLS 1388 EC_ZERO_LOG(posix_acl_rights(path, &st, &allowed_rights)); 1389#endif 1390 /* 1391 * The DARWIN_ACE_DELETE right might implicitly result from write acces to the parent 1392 * directory. As it seems the 10.6 AFP client is puzzled when this right is not 1393 * allowed where a delete would succeed because the parent dir gives write perms. 1394 * So we check the parent dir for write access and set the right accordingly. 1395 * Currentyl acl2ownermode calls us with dir = NULL, because it doesn't make sense 1396 * there to do this extra check -- afaict. 1397 */ 1398 if (vol && dir && (requested_rights & DARWIN_ACE_DELETE)) { 1399 int i; 1400 uint32_t parent_rights = 0; 1401 1402 if (curdir->d_did == DIRDID_ROOT_PARENT) { 1403 /* use volume path */ 1404 EC_NULL_LOG_ERR(parent = bfromcstr(vol->v_path), AFPERR_MISC); 1405 } else { 1406 /* build path for parent */ 1407 EC_NULL_LOG_ERR(parent = bstrcpy(curdir->d_fullpath), AFPERR_MISC); 1408 EC_ZERO_LOG_ERR(bconchar(parent, '/'), AFPERR_MISC); 1409 EC_ZERO_LOG_ERR(bcatcstr(parent, path), AFPERR_MISC); 1410 EC_NEG1_LOG_ERR(i = bstrrchr(parent, '/'), AFPERR_MISC); 1411 EC_ZERO_LOG_ERR(binsertch(parent, i, 1, 0), AFPERR_MISC); 1412 } 1413 1414 LOG(log_debug, logtype_afpd,"parent: %s", cfrombstr(parent)); 1415 EC_ZERO_LOG_ERR(lstat(cfrombstr(parent), &st), AFPERR_MISC); 1416 1417#ifdef HAVE_SOLARIS_ACLS 1418 EC_ZERO_LOG(solaris_acl_rights(cfrombstr(parent), &st, &parent_rights)); 1419#endif 1420#ifdef HAVE_POSIX_ACLS 1421 EC_ZERO_LOG(posix_acl_rights(path, &st, &parent_rights)); 1422#endif 1423 if (parent_rights & (DARWIN_ACE_WRITE_DATA | DARWIN_ACE_DELETE_CHILD)) 1424 allowed_rights |= DARWIN_ACE_DELETE; /* man, that was a lot of work! */ 1425 } 1426 1427 if (is_dir) { 1428 /* Without DARWIN_ACE_DELETE set OS X 10.6 refuses to rename subdirectories in a 1429 * directory. 1430 */ 1431 if (allowed_rights & DARWIN_ACE_ADD_SUBDIRECTORY) 1432 allowed_rights |= DARWIN_ACE_DELETE; 1433 1434 curdir->d_rights_cache = allowed_rights; 1435 } 1436 LOG(log_debug, logtype_afpd, "allowed rights: 0x%08x", allowed_rights); 1437 } 1438 1439 if ((requested_rights & allowed_rights) != requested_rights) { 1440 LOG(log_debug, logtype_afpd, "some requested right wasn't allowed: 0x%08x / 0x%08x", 1441 requested_rights, allowed_rights); 1442 EC_STATUS(AFPERR_ACCESS); 1443 } else { 1444 LOG(log_debug, logtype_afpd, "all requested rights are allowed: 0x%08x", 1445 requested_rights); 1446 EC_STATUS(AFP_OK); 1447 } 1448 1449EC_CLEANUP: 1450 if (username) free(username); 1451 if (parent) bdestroy(parent); 1452 1453 EC_EXIT; 1454} 1455 1456/******************************************************** 1457 * Interface 1458 ********************************************************/ 1459 1460int afp_access(AFPObj *obj, char *ibuf, size_t ibuflen _U_, char *rbuf _U_, size_t *rbuflen) 1461{ 1462 int ret; 1463 struct vol *vol; 1464 struct dir *dir; 1465 uint32_t did, darwin_ace_rights; 1466 uint16_t vid; 1467 struct path *s_path; 1468 uuidp_t uuid; 1469 1470 *rbuflen = 0; 1471 ibuf += 2; 1472 1473 memcpy(&vid, ibuf, sizeof( vid )); 1474 ibuf += sizeof(vid); 1475 if (NULL == ( vol = getvolbyvid( vid ))) { 1476 LOG(log_error, logtype_afpd, "afp_access: error getting volid:%d", vid); 1477 return AFPERR_NOOBJ; 1478 } 1479 1480 memcpy(&did, ibuf, sizeof( did )); 1481 ibuf += sizeof( did ); 1482 if (NULL == ( dir = dirlookup( vol, did ))) { 1483 LOG(log_error, logtype_afpd, "afp_access: error getting did:%d", did); 1484 return afp_errno; 1485 } 1486 1487 /* Skip bitmap */ 1488 ibuf += 2; 1489 1490 /* Store UUID address */ 1491 uuid = (uuidp_t)ibuf; 1492 ibuf += UUID_BINSIZE; 1493 1494 /* Store ACE rights */ 1495 memcpy(&darwin_ace_rights, ibuf, 4); 1496 darwin_ace_rights = ntohl(darwin_ace_rights); 1497 ibuf += 4; 1498 1499 /* get full path and handle file/dir subtleties in netatalk code*/ 1500 if (NULL == ( s_path = cname( vol, dir, &ibuf ))) { 1501 LOG(log_error, logtype_afpd, "afp_getacl: cname got an error!"); 1502 return AFPERR_NOOBJ; 1503 } 1504 if (!s_path->st_valid) 1505 of_statdir(vol, s_path); 1506 if ( s_path->st_errno != 0 ) { 1507 LOG(log_error, logtype_afpd, "afp_getacl: cant stat"); 1508 return AFPERR_NOOBJ; 1509 } 1510 1511 ret = check_acl_access(vol, dir, s_path->u_name, uuid, darwin_ace_rights); 1512 1513 return ret; 1514} 1515 1516int afp_getacl(AFPObj *obj, char *ibuf, size_t ibuflen _U_, char *rbuf _U_, size_t *rbuflen) 1517{ 1518 struct vol *vol; 1519 struct dir *dir; 1520 int ret; 1521 uint32_t did; 1522 uint16_t vid, bitmap; 1523 struct path *s_path; 1524 struct passwd *pw; 1525 struct group *gr; 1526 1527 LOG(log_debug9, logtype_afpd, "afp_getacl: BEGIN"); 1528 *rbuflen = 0; 1529 ibuf += 2; 1530 1531 memcpy(&vid, ibuf, sizeof( vid )); 1532 ibuf += sizeof(vid); 1533 if (NULL == ( vol = getvolbyvid( vid ))) { 1534 LOG(log_error, logtype_afpd, "afp_getacl: error getting volid:%d", vid); 1535 return AFPERR_NOOBJ; 1536 } 1537 1538 memcpy(&did, ibuf, sizeof( did )); 1539 ibuf += sizeof( did ); 1540 if (NULL == ( dir = dirlookup( vol, did ))) { 1541 LOG(log_error, logtype_afpd, "afp_getacl: error getting did:%d", did); 1542 return afp_errno; 1543 } 1544 1545 memcpy(&bitmap, ibuf, sizeof( bitmap )); 1546 memcpy(rbuf, ibuf, sizeof( bitmap )); 1547 bitmap = ntohs( bitmap ); 1548 ibuf += sizeof( bitmap ); 1549 rbuf += sizeof( bitmap ); 1550 *rbuflen += sizeof( bitmap ); 1551 1552 /* skip maxreplysize */ 1553 ibuf += 4; 1554 1555 /* get full path and handle file/dir subtleties in netatalk code*/ 1556 if (NULL == ( s_path = cname( vol, dir, &ibuf ))) { 1557 LOG(log_error, logtype_afpd, "afp_getacl: cname got an error!"); 1558 return AFPERR_NOOBJ; 1559 } 1560 if (!s_path->st_valid) 1561 of_statdir(vol, s_path); 1562 if ( s_path->st_errno != 0 ) { 1563 LOG(log_error, logtype_afpd, "afp_getacl: cant stat"); 1564 return AFPERR_NOOBJ; 1565 } 1566 1567 /* Shall we return owner UUID ? */ 1568 if (bitmap & kFileSec_UUID) { 1569 LOG(log_debug, logtype_afpd, "afp_getacl: client requested files owner user UUID"); 1570 if (NULL == (pw = getpwuid(s_path->st.st_uid))) { 1571 LOG(log_debug, logtype_afpd, "afp_getacl: local uid: %u", s_path->st.st_uid); 1572 localuuid_from_id(rbuf, UUID_USER, s_path->st.st_uid); 1573 } else { 1574 LOG(log_debug, logtype_afpd, "afp_getacl: got uid: %d, name: %s", s_path->st.st_uid, pw->pw_name); 1575 if ((ret = getuuidfromname(pw->pw_name, UUID_USER, rbuf)) != 0) 1576 return AFPERR_MISC; 1577 } 1578 rbuf += UUID_BINSIZE; 1579 *rbuflen += UUID_BINSIZE; 1580 } 1581 1582 /* Shall we return group UUID ? */ 1583 if (bitmap & kFileSec_GRPUUID) { 1584 LOG(log_debug, logtype_afpd, "afp_getacl: client requested files owner group UUID"); 1585 if (NULL == (gr = getgrgid(s_path->st.st_gid))) { 1586 LOG(log_debug, logtype_afpd, "afp_getacl: local gid: %u", s_path->st.st_gid); 1587 localuuid_from_id(rbuf, UUID_GROUP, s_path->st.st_gid); 1588 } else { 1589 LOG(log_debug, logtype_afpd, "afp_getacl: got gid: %d, name: %s", s_path->st.st_gid, gr->gr_name); 1590 if ((ret = getuuidfromname(gr->gr_name, UUID_GROUP, rbuf)) != 0) 1591 return AFPERR_MISC; 1592 } 1593 rbuf += UUID_BINSIZE; 1594 *rbuflen += UUID_BINSIZE; 1595 } 1596 1597 /* Shall we return ACL ? */ 1598 if (bitmap & kFileSec_ACL) { 1599 LOG(log_debug, logtype_afpd, "afp_getacl: client requested files ACL"); 1600 if (get_and_map_acl(s_path->u_name, rbuf, rbuflen) != 0) { 1601 LOG(log_error, logtype_afpd, "afp_getacl(\"%s/%s\"): mapping error", 1602 getcwdpath(), s_path->u_name); 1603 return AFPERR_MISC; 1604 } 1605 } 1606 1607 LOG(log_debug9, logtype_afpd, "afp_getacl: END"); 1608 return AFP_OK; 1609} 1610 1611int afp_setacl(AFPObj *obj, char *ibuf, size_t ibuflen _U_, char *rbuf _U_, size_t *rbuflen) 1612{ 1613 struct vol *vol; 1614 struct dir *dir; 1615 int ret; 1616 uint32_t did; 1617 uint16_t vid, bitmap; 1618 struct path *s_path; 1619 1620 LOG(log_debug9, logtype_afpd, "afp_setacl: BEGIN"); 1621 *rbuflen = 0; 1622 ibuf += 2; 1623 1624 memcpy(&vid, ibuf, sizeof( vid )); 1625 ibuf += sizeof(vid); 1626 if (NULL == ( vol = getvolbyvid( vid ))) { 1627 LOG(log_error, logtype_afpd, "afp_setacl: error getting volid:%d", vid); 1628 return AFPERR_NOOBJ; 1629 } 1630 1631 memcpy(&did, ibuf, sizeof( did )); 1632 ibuf += sizeof( did ); 1633 if (NULL == ( dir = dirlookup( vol, did ))) { 1634 LOG(log_error, logtype_afpd, "afp_setacl: error getting did:%d", did); 1635 return afp_errno; 1636 } 1637 1638 memcpy(&bitmap, ibuf, sizeof( bitmap )); 1639 bitmap = ntohs( bitmap ); 1640 ibuf += sizeof( bitmap ); 1641 1642 /* get full path and handle file/dir subtleties in netatalk code*/ 1643 if (NULL == ( s_path = cname( vol, dir, &ibuf ))) { 1644 LOG(log_error, logtype_afpd, "afp_setacl: cname got an error!"); 1645 return AFPERR_NOOBJ; 1646 } 1647 if (!s_path->st_valid) 1648 of_statdir(vol, s_path); 1649 if ( s_path->st_errno != 0 ) { 1650 LOG(log_error, logtype_afpd, "afp_setacl: cant stat"); 1651 return AFPERR_NOOBJ; 1652 } 1653 LOG(log_debug, logtype_afpd, "afp_setacl: unixname: %s", s_path->u_name); 1654 1655 /* Padding? */ 1656 if ((unsigned long)ibuf & 1) 1657 ibuf++; 1658 1659 /* Start processing request */ 1660 1661 /* Change owner: dont even try */ 1662 if (bitmap & kFileSec_UUID) { 1663 LOG(log_note, logtype_afpd, "afp_setacl: change owner request, discarded"); 1664 ret = AFPERR_ACCESS; 1665 ibuf += UUID_BINSIZE; 1666 } 1667 1668 /* Change group: certain changes might be allowed, so try it. FIXME: not implemented yet. */ 1669 if (bitmap & kFileSec_UUID) { 1670 LOG(log_note, logtype_afpd, "afp_setacl: change group request, not supported"); 1671 ret = AFPERR_PARAM; 1672 ibuf += UUID_BINSIZE; 1673 } 1674 1675 /* Remove ACL ? */ 1676 if (bitmap & kFileSec_REMOVEACL) { 1677 LOG(log_debug, logtype_afpd, "afp_setacl: Remove ACL request."); 1678 if ((ret = remove_acl(vol, s_path->u_name, S_ISDIR(s_path->st.st_mode))) != AFP_OK) 1679 LOG(log_error, logtype_afpd, "afp_setacl: error from remove_acl"); 1680 } 1681 1682 /* Change ACL ? */ 1683 if (bitmap & kFileSec_ACL) { 1684 LOG(log_debug, logtype_afpd, "afp_setacl: Change ACL request."); 1685 /* Get no of ACEs the client put on the wire */ 1686 uint32_t ace_count; 1687 memcpy(&ace_count, ibuf, sizeof(uint32_t)); 1688 ace_count = htonl(ace_count); 1689 ibuf += 8; /* skip ACL flags (see acls.h) */ 1690 1691 ret = set_acl(vol, 1692 s_path->u_name, 1693 (bitmap & kFileSec_Inherit), 1694 (darwin_ace_t *)ibuf, 1695 ace_count); 1696 if (ret == 0) 1697 ret = AFP_OK; 1698 else { 1699 LOG(log_warning, logtype_afpd, "afp_setacl(\"%s/%s\"): error", 1700 getcwdpath(), s_path->u_name); 1701 ret = AFPERR_MISC; 1702 } 1703 } 1704 1705 LOG(log_debug9, logtype_afpd, "afp_setacl: END"); 1706 return ret; 1707} 1708 1709/******************************************************************** 1710 * ACL funcs interfacing with other parts 1711 ********************************************************************/ 1712 1713/*! 1714 * map ACL to user maccess 1715 * 1716 * This is the magic function that makes ACLs usable by calculating 1717 * the access granted by ACEs to the logged in user. 1718 */ 1719int acltoownermode(const struct vol *vol, char *path, struct stat *st, struct maccess *ma) 1720{ 1721 EC_INIT; 1722 uint32_t rights = 0; 1723 1724 if ( ! (AFPobj->options.flags & OPTION_ACL2MACCESS) 1725 || ! (vol->v_flags & AFPVOL_ACLS)) 1726 return 0; 1727 1728 LOG(log_maxdebug, logtype_afpd, "acltoownermode(\"%s/%s\", 0x%02x)", 1729 getcwdpath(), path, ma->ma_user); 1730 1731#ifdef HAVE_SOLARIS_ACLS 1732 EC_ZERO_LOG(solaris_acl_rights(path, st, &rights)); 1733 1734 LOG(log_maxdebug, logtype_afpd, "rights: 0x%08x", rights); 1735 1736 if (rights & DARWIN_ACE_READ_DATA) 1737 ma->ma_user |= AR_UREAD; 1738 if (rights & DARWIN_ACE_WRITE_DATA) 1739 ma->ma_user |= AR_UWRITE; 1740 if (rights & (DARWIN_ACE_EXECUTE | DARWIN_ACE_SEARCH)) 1741 ma->ma_user |= AR_USEARCH; 1742#endif 1743 1744#ifdef HAVE_POSIX_ACLS 1745 EC_ZERO_LOG(posix_acls_to_uaperms(path, st, ma)); 1746#endif 1747 1748 LOG(log_maxdebug, logtype_afpd, "resulting user maccess: 0x%02x group maccess: 0x%02x", ma->ma_user, ma->ma_group); 1749 1750EC_CLEANUP: 1751 EC_EXIT; 1752} 1753 1754/*! 1755 * Check whether a volume supports ACLs 1756 * 1757 * @param vol (r) volume 1758 * 1759 * @returns 0 if not, 1 if yes 1760 */ 1761int check_vol_acl_support(const struct vol *vol) 1762{ 1763 int ret = 0; 1764 1765#ifdef HAVE_SOLARIS_ACLS 1766 ace_t *aces = NULL; 1767 ret = 1; 1768 if (get_nfsv4_acl(vol->v_path, &aces) == -1) 1769 ret = 0; 1770#endif 1771#ifdef HAVE_POSIX_ACLS 1772 acl_t acl = NULL; 1773 ret = 1; 1774 if ((acl = acl_get_file(vol->v_path, ACL_TYPE_ACCESS)) == NULL) 1775 ret = 0; 1776#endif 1777 1778#ifdef HAVE_SOLARIS_ACLS 1779 if (aces) free(aces); 1780#endif 1781#ifdef HAVE_POSIX_ACLS 1782 if (acl) acl_free(acl); 1783#endif /* HAVE_POSIX_ACLS */ 1784 1785 LOG(log_debug, logtype_afpd, "Volume \"%s\" ACL support: %s", 1786 vol->v_path, ret ? "yes" : "no"); 1787 return ret; 1788} 1789