1 /*-
2 * Copyright (c) 1999 Robert N. M. Watson
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 *
26 *$FreeBSD: src/lib/libposix1e/acl_support.c,v 1.3 2000/01/26 04:19:37 rwatson Exp $
27 *$DragonFly: src/lib/libposix1e/acl_support.c,v 1.3 2005/08/04 17:27:09 drhodus Exp $
28 */
29 /*
30 * Support functionality for the POSIX.1e ACL interface
31 * These calls are intended only to be called within the library.
32 */
33
34 #include <sys/types.h>
35 #include <sys/acl.h>
36 #include <errno.h>
37 #include <grp.h>
38 #include <pwd.h>
39 #include <stdio.h>
40 #include <stdlib.h>
41
42 #include "acl_support.h"
43
44 #define ACL_STRING_PERM_WRITE 'w'
45 #define ACL_STRING_PERM_READ 'r'
46 #define ACL_STRING_PERM_EXEC 'x'
47 #define ACL_STRING_PERM_NONE '-'
48
49 /*
50 * acl_entry_compare -- compare two acl_entry structures to determine the
51 * order they should appear in. Used by acl_sort to sort ACL entries into
52 * the kernel-desired order -- i.e., the order useful for evaluation and
53 * O(n) validity checking. Beter to have an O(nlogn) sort in userland and
54 * an O(n) in kernel than to have both in kernel.
55 */
56 typedef int (*compare)(const void *, const void *);
57 static int
acl_entry_compare(struct acl_entry * a,struct acl_entry * b)58 acl_entry_compare(struct acl_entry *a, struct acl_entry *b)
59 {
60 /*
61 * First, sort between tags -- conveniently defined in the correct
62 * order for verification.
63 */
64 if (a->ae_tag < b->ae_tag)
65 return (-1);
66 if (a->ae_tag > b->ae_tag)
67 return (1);
68
69 /*
70 * Next compare uids/gids on appropriate types.
71 */
72
73 if (a->ae_tag == ACL_USER || a->ae_tag == ACL_GROUP) {
74 if (a->ae_id < b->ae_id)
75 return (-1);
76 if (a->ae_id > b->ae_id)
77 return (1);
78
79 /* shouldn't be equal, fall through to the invalid case */
80 }
81
82 /*
83 * Don't know how to sort multiple entries of the rest--either it's
84 * a bad entry, or there shouldn't be more than one. Ignore and the
85 * validity checker can get it later.
86 */
87 return (0);
88 }
89
90 /*
91 * acl_sort -- sort ACL entries.
92 * Give the opportunity to fail, althouh we don't currently have a way
93 * to fail.
94 */
95 int
acl_sort(acl_t acl)96 acl_sort(acl_t acl)
97 {
98
99 qsort(&acl->acl_entry[0], acl->acl_cnt, sizeof(struct acl_entry),
100 (compare) acl_entry_compare);
101
102 return (0);
103 }
104
105 /*
106 * acl_posix1e -- in what situations should we acl_sort before submission?
107 * We apply posix1e ACL semantics for any ACL of type ACL_TYPE_ACCESS or
108 * ACL_TYPE_DEFAULT
109 */
110 int
acl_posix1e(acl_t acl,acl_type_t type)111 acl_posix1e(acl_t acl, acl_type_t type)
112 {
113
114 return ((type == ACL_TYPE_ACCESS) || (type == ACL_TYPE_DEFAULT));
115 }
116
117 /*
118 * acl_check -- given an ACL, check its validity. This is mirrored from
119 * code in sys/kern/kern_acl.c, and if changes are made in one, they should
120 * be made in the other also. This copy of acl_check is made available
121 * in userland for the benefit of processes wanting to check ACLs for
122 * validity before submitting them to the kernel, or for performing
123 * in userland file system checking. Needless to say, the kernel makes
124 * the real checks on calls to get/setacl.
125 *
126 * See the comments in kernel for explanation -- just briefly, it assumes
127 * an already sorted ACL, and checks based on that assumption. The
128 * POSIX.1e interface, acl_valid(), will perform the sort before calling
129 * this. Returns 0 on success, EINVAL on failure.
130 */
131 int
acl_check(struct acl * acl)132 acl_check(struct acl *acl)
133 {
134 struct acl_entry *entry; /* current entry */
135 uid_t obj_uid=-1, obj_gid=-1, highest_uid=0, highest_gid=0;
136 int stage = ACL_USER_OBJ;
137 int i = 0;
138 int count_user_obj=0, count_user=0, count_group_obj=0,
139 count_group=0, count_mask=0, count_other=0;
140
141 /* printf("acl_check: checking acl with %d entries\n", acl->acl_cnt); */
142 while (i < acl->acl_cnt) {
143
144 entry = &acl->acl_entry[i];
145
146 if ((entry->ae_perm | ACL_PERM_BITS) != ACL_PERM_BITS)
147 return (EINVAL);
148
149 switch(entry->ae_tag) {
150 case ACL_USER_OBJ:
151 /* printf("acl_check: %d: ACL_USER_OBJ\n", i); */
152 if (stage > ACL_USER_OBJ)
153 return (EINVAL);
154 stage = ACL_USER;
155 count_user_obj++;
156 obj_uid = entry->ae_id;
157 break;
158
159 case ACL_USER:
160 /* printf("acl_check: %d: ACL_USER\n", i); */
161 if (stage > ACL_USER)
162 return (EINVAL);
163 stage = ACL_USER;
164 if (entry->ae_id == obj_uid)
165 return (EINVAL);
166 if (count_user && (entry->ae_id <= highest_uid))
167 return (EINVAL);
168 highest_uid = entry->ae_id;
169 count_user++;
170 break;
171
172 case ACL_GROUP_OBJ:
173 /* printf("acl_check: %d: ACL_GROUP_OBJ\n", i); */
174 if (stage > ACL_GROUP_OBJ)
175 return (EINVAL);
176 stage = ACL_GROUP;
177 count_group_obj++;
178 obj_gid = entry->ae_id;
179 break;
180
181 case ACL_GROUP:
182 /* printf("acl_check: %d: ACL_GROUP\n", i); */
183 if (stage > ACL_GROUP)
184 return (EINVAL);
185 stage = ACL_GROUP;
186 if (entry->ae_id == obj_gid)
187 return (EINVAL);
188 if (count_group && (entry->ae_id <= highest_gid))
189 return (EINVAL);
190 highest_gid = entry->ae_id;
191 count_group++;
192 break;
193
194 case ACL_MASK:
195 /* printf("acl_check: %d: ACL_MASK\n", i); */
196 if (stage > ACL_MASK)
197 return (EINVAL);
198 stage = ACL_MASK;
199 count_mask++;
200 break;
201
202 case ACL_OTHER:
203 /* printf("acl_check: %d: ACL_OTHER\n", i); */
204 if (stage > ACL_OTHER)
205 return (EINVAL);
206 stage = ACL_OTHER;
207 count_other++;
208 break;
209
210 default:
211 /* printf("acl_check: %d: INVALID\n", i); */
212 return (EINVAL);
213 }
214 i++;
215 }
216
217 if (count_user_obj != 1)
218 return (EINVAL);
219
220 if (count_group_obj != 1)
221 return (EINVAL);
222
223 if (count_mask != 0 && count_mask != 1)
224 return (EINVAL);
225
226 if (count_other != 1)
227 return (EINVAL);
228
229 return (0);
230 }
231
232
233 /*
234 * Given a uid/gid, return a username/groupname for the text form of an ACL
235 * XXX NOT THREAD SAFE, RELIES ON GETPWUID, GETGRGID
236 * XXX USES *PW* AND *GR* WHICH ARE STATEFUL AND THEREFORE THIS ROUTINE
237 * MAY HAVE SIDE-EFFECTS
238 */
239 int
acl_id_to_name(acl_tag_t tag,uid_t id,ssize_t buf_len,char * buf)240 acl_id_to_name(acl_tag_t tag, uid_t id, ssize_t buf_len, char *buf)
241 {
242 struct group *g;
243 struct passwd *p;
244 int i;
245
246 switch(tag) {
247 case ACL_USER:
248 p = getpwuid(id);
249 if (!p)
250 i = snprintf(buf, buf_len, "%d", id);
251 else
252 i = snprintf(buf, buf_len, "%s", p->pw_name);
253
254 if (i >= buf_len) {
255 errno = ENOMEM;
256 return (-1);
257 }
258 return (0);
259
260 case ACL_GROUP:
261 g = getgrgid(id);
262 if (!g)
263 i = snprintf(buf, buf_len, "%d", id);
264 else
265 i = snprintf(buf, buf_len, "%s", g->gr_name);
266
267 if (i >= buf_len) {
268 errno = ENOMEM;
269 return (-1);
270 }
271 return (0);
272
273 default:
274 return (EINVAL);
275 }
276 }
277
278
279 /*
280 * Given a username/groupname from a text form of an ACL, return the uid/gid
281 * XXX NOT THREAD SAFE, RELIES ON GETPWNAM, GETGRNAM
282 * XXX USES *PW* AND *GR* WHICH ARE STATEFUL AND THEREFORE THIS ROUTINE
283 * MAY HAVE SIDE-EFFECTS
284 *
285 * XXX currently doesn't deal correctly with a numeric uid being passed
286 * instead of a username. What is correct behavior here? Check chown.
287 */
288 int
acl_name_to_id(acl_tag_t tag,char * name,uid_t * id)289 acl_name_to_id(acl_tag_t tag, char *name, uid_t *id)
290 {
291 struct group *g;
292 struct passwd *p;
293
294 switch(tag) {
295 case ACL_USER:
296 p = getpwnam(name);
297 if (!p) {
298 errno = EINVAL;
299 return (-1);
300 }
301 *id = p->pw_uid;
302 return (0);
303
304 case ACL_GROUP:
305 g = getgrnam(name);
306 if (g) {
307 errno = EINVAL;
308 return (-1);
309 }
310 *id = g->gr_gid;
311 return (0);
312
313 default:
314 return (EINVAL);
315 }
316 }
317
318
319 /*
320 * Given a right-shifted permission (i.e., direct ACL_PERM_* mask), fill
321 * in a string describing the permissions.
322 */
323 int
acl_perm_to_string(acl_perm_t perm,ssize_t buf_len,char * buf)324 acl_perm_to_string(acl_perm_t perm, ssize_t buf_len, char *buf)
325 {
326
327 if (buf_len < ACL_STRING_PERM_MAXSIZE + 1) {
328 errno = ENOMEM;
329 return (-1);
330 }
331
332 if ((perm | ACL_PERM_BITS) != ACL_PERM_BITS) {
333 errno = EINVAL;
334 return (-1);
335 }
336
337 buf[3] = 0; /* null terminate */
338
339 if (perm & ACL_PERM_READ)
340 buf[0] = ACL_STRING_PERM_READ;
341 else
342 buf[0] = ACL_STRING_PERM_NONE;
343
344 if (perm & ACL_PERM_WRITE)
345 buf[1] = ACL_STRING_PERM_WRITE;
346 else
347 buf[1] = ACL_STRING_PERM_NONE;
348
349 if (perm & ACL_PERM_EXEC)
350 buf[2] = ACL_STRING_PERM_EXEC;
351 else
352 buf[2] = ACL_STRING_PERM_NONE;
353
354 return (0);
355 }
356
357 /*
358 * given a string, return a permission describing it
359 */
360 int
acl_string_to_perm(char * string,acl_perm_t * perm)361 acl_string_to_perm(char *string, acl_perm_t *perm)
362 {
363 acl_perm_t myperm = ACL_PERM_NONE;
364 char *ch;
365
366 ch = string;
367 while (*ch) {
368 switch(*ch) {
369 case ACL_STRING_PERM_READ:
370 myperm |= ACL_PERM_READ;
371 break;
372 case ACL_STRING_PERM_WRITE:
373 myperm |= ACL_PERM_WRITE;
374 break;
375 case ACL_STRING_PERM_EXEC:
376 myperm |= ACL_PERM_EXEC;
377 break;
378 case ACL_STRING_PERM_NONE:
379 break;
380 default:
381 return (EINVAL);
382 }
383 ch++;
384 }
385
386 *perm = myperm;
387 return (0);
388 }
389
390 /*
391 * Add an ACL entry without doing much checking, et al
392 */
393 int
acl_add_entry(acl_t acl,acl_tag_t tag,uid_t id,acl_perm_t perm)394 acl_add_entry(acl_t acl, acl_tag_t tag, uid_t id, acl_perm_t perm)
395 {
396 struct acl_entry *e;
397
398 if (acl->acl_cnt >= ACL_MAX_ENTRIES) {
399 errno = ENOMEM;
400 return (-1);
401 }
402
403 e = &(acl->acl_entry[acl->acl_cnt]);
404 e->ae_perm = perm;
405 e->ae_tag = tag;
406 e->ae_id = id;
407 acl->acl_cnt++;
408
409 return (0);
410 }
411