1 /*- 2 * Copyright (c) 1999, 2000, 2001 Robert N. M. Watson 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 * 26 * $FreeBSD$ 27 */ 28 /* 29 * Support functionality for the POSIX.1e ACL interface 30 * These calls are intended only to be called within the library. 31 */ 32 33 #include <sys/types.h> 34 #include "namespace.h" 35 #include <sys/acl.h> 36 #include "un-namespace.h" 37 #include <errno.h> 38 #include <grp.h> 39 #include <pwd.h> 40 #include <stdio.h> 41 #include <stdlib.h> 42 43 #include "acl_support.h" 44 45 #define ACL_STRING_PERM_WRITE 'w' 46 #define ACL_STRING_PERM_READ 'r' 47 #define ACL_STRING_PERM_EXEC 'x' 48 #define ACL_STRING_PERM_NONE '-' 49 50 /* 51 * _posix1e_acl_entry_compare -- compare two acl_entry structures to 52 * determine the order they should appear in. Used by _posix1e_acl_sort to 53 * sort ACL entries into the kernel-desired order -- i.e., the order useful 54 * for evaluation and O(n) validity checking. Beter to have an O(nlogn) sort 55 * in userland and an O(n) in kernel than to have both in kernel. 56 */ 57 typedef int (*compare)(const void *, const void *); 58 static int 59 _posix1e_acl_entry_compare(struct acl_entry *a, struct acl_entry *b) 60 { 61 /* 62 * First, sort between tags -- conveniently defined in the correct 63 * order for verification. 64 */ 65 if (a->ae_tag < b->ae_tag) 66 return (-1); 67 if (a->ae_tag > b->ae_tag) 68 return (1); 69 70 /* 71 * Next compare uids/gids on appropriate types. 72 */ 73 74 if (a->ae_tag == ACL_USER || a->ae_tag == ACL_GROUP) { 75 if (a->ae_id < b->ae_id) 76 return (-1); 77 if (a->ae_id > b->ae_id) 78 return (1); 79 80 /* shouldn't be equal, fall through to the invalid case */ 81 } 82 83 /* 84 * Don't know how to sort multiple entries of the rest--either it's 85 * a bad entry, or there shouldn't be more than one. Ignore and the 86 * validity checker can get it later. 87 */ 88 return (0); 89 } 90 91 /* 92 * _posix1e_acl_sort -- sort ACL entries in POSIX.1e-formatted ACLs 93 * Give the opportunity to fail, althouh we don't currently have a way 94 * to fail. 95 */ 96 int 97 _posix1e_acl_sort(acl_t acl) 98 { 99 struct acl *acl_int; 100 101 acl_int = &acl->ats_acl; 102 103 qsort(&acl_int->acl_entry[0], acl_int->acl_cnt, 104 sizeof(struct acl_entry), (compare) _posix1e_acl_entry_compare); 105 106 return (0); 107 } 108 109 /* 110 * acl_posix1e -- in what situations should we acl_sort before submission? 111 * We apply posix1e ACL semantics for any ACL of type ACL_TYPE_ACCESS or 112 * ACL_TYPE_DEFAULT 113 */ 114 int 115 _posix1e_acl(acl_t acl, acl_type_t type) 116 { 117 118 return ((type == ACL_TYPE_ACCESS) || (type == ACL_TYPE_DEFAULT)); 119 } 120 121 /* 122 * _posix1e_acl_check -- given an ACL, check its validity. This is mirrored 123 * from code in sys/kern/kern_acl.c, and if changes are made in one, they 124 * should be made in the other also. This copy of acl_check is made 125 * available * in userland for the benefit of processes wanting to check ACLs 126 * for validity before submitting them to the kernel, or for performing 127 * in userland file system checking. Needless to say, the kernel makes 128 * the real checks on calls to get/setacl. 129 * 130 * See the comments in kernel for explanation -- just briefly, it assumes 131 * an already sorted ACL, and checks based on that assumption. The 132 * POSIX.1e interface, acl_valid(), will perform the sort before calling 133 * this. Returns 0 on success, EINVAL on failure. 134 */ 135 int 136 _posix1e_acl_check(acl_t acl) 137 { 138 struct acl *acl_int; 139 struct acl_entry *entry; /* current entry */ 140 uid_t obj_uid=-1, obj_gid=-1, highest_uid=0, highest_gid=0; 141 int stage = ACL_USER_OBJ; 142 int i = 0; 143 int count_user_obj=0, count_user=0, count_group_obj=0, 144 count_group=0, count_mask=0, count_other=0; 145 146 acl_int = &acl->ats_acl; 147 148 /* printf("_posix1e_acl_check: checking acl with %d entries\n", 149 acl->acl_cnt); */ 150 while (i < acl_int->acl_cnt) { 151 entry = &acl_int->acl_entry[i]; 152 153 if ((entry->ae_perm | ACL_PERM_BITS) != ACL_PERM_BITS) 154 return (EINVAL); 155 156 switch(entry->ae_tag) { 157 case ACL_USER_OBJ: 158 /* printf("_posix1e_acl_check: %d: ACL_USER_OBJ\n", 159 i); */ 160 if (stage > ACL_USER_OBJ) 161 return (EINVAL); 162 stage = ACL_USER; 163 count_user_obj++; 164 obj_uid = entry->ae_id; 165 break; 166 167 case ACL_USER: 168 /* printf("_posix1e_acl_check: %d: ACL_USER\n", i); */ 169 if (stage > ACL_USER) 170 return (EINVAL); 171 stage = ACL_USER; 172 if (entry->ae_id == obj_uid) 173 return (EINVAL); 174 if (count_user && (entry->ae_id <= highest_uid)) 175 return (EINVAL); 176 highest_uid = entry->ae_id; 177 count_user++; 178 break; 179 180 case ACL_GROUP_OBJ: 181 /* printf("_posix1e_acl_check: %d: ACL_GROUP_OBJ\n", 182 i); */ 183 if (stage > ACL_GROUP_OBJ) 184 return (EINVAL); 185 stage = ACL_GROUP; 186 count_group_obj++; 187 obj_gid = entry->ae_id; 188 break; 189 190 case ACL_GROUP: 191 /* printf("_posix1e_acl_check: %d: ACL_GROUP\n", i); */ 192 if (stage > ACL_GROUP) 193 return (EINVAL); 194 stage = ACL_GROUP; 195 if (entry->ae_id == obj_gid) 196 return (EINVAL); 197 if (count_group && (entry->ae_id <= highest_gid)) 198 return (EINVAL); 199 highest_gid = entry->ae_id; 200 count_group++; 201 break; 202 203 case ACL_MASK: 204 /* printf("_posix1e_acl_check: %d: ACL_MASK\n", i); */ 205 if (stage > ACL_MASK) 206 return (EINVAL); 207 stage = ACL_MASK; 208 count_mask++; 209 break; 210 211 case ACL_OTHER: 212 /* printf("_posix1e_acl_check: %d: ACL_OTHER\n", i); */ 213 if (stage > ACL_OTHER) 214 return (EINVAL); 215 stage = ACL_OTHER; 216 count_other++; 217 break; 218 219 default: 220 /* printf("_posix1e_acl_check: %d: INVALID\n", i); */ 221 return (EINVAL); 222 } 223 i++; 224 } 225 226 if (count_user_obj != 1) 227 return (EINVAL); 228 229 if (count_group_obj != 1) 230 return (EINVAL); 231 232 if (count_mask != 0 && count_mask != 1) 233 return (EINVAL); 234 235 if (count_other != 1) 236 return (EINVAL); 237 238 return (0); 239 } 240 241 242 /* 243 * Given a uid/gid, return a username/groupname for the text form of an ACL 244 * XXX NOT THREAD SAFE, RELIES ON GETPWUID, GETGRGID 245 * XXX USES *PW* AND *GR* WHICH ARE STATEFUL AND THEREFORE THIS ROUTINE 246 * MAY HAVE SIDE-EFFECTS 247 */ 248 int 249 _posix1e_acl_id_to_name(acl_tag_t tag, uid_t id, ssize_t buf_len, char *buf) 250 { 251 struct group *g; 252 struct passwd *p; 253 int i; 254 255 switch(tag) { 256 case ACL_USER: 257 p = getpwuid(id); 258 if (!p) 259 i = snprintf(buf, buf_len, "%d", id); 260 else 261 i = snprintf(buf, buf_len, "%s", p->pw_name); 262 263 if (i >= buf_len) { 264 errno = ENOMEM; 265 return (-1); 266 } 267 return (0); 268 269 case ACL_GROUP: 270 g = getgrgid(id); 271 if (!g) 272 i = snprintf(buf, buf_len, "%d", id); 273 else 274 i = snprintf(buf, buf_len, "%s", g->gr_name); 275 276 if (i >= buf_len) { 277 errno = ENOMEM; 278 return (-1); 279 } 280 return (0); 281 282 default: 283 return (EINVAL); 284 } 285 } 286 287 288 /* 289 * Given a username/groupname from a text form of an ACL, return the uid/gid 290 * XXX NOT THREAD SAFE, RELIES ON GETPWNAM, GETGRNAM 291 * XXX USES *PW* AND *GR* WHICH ARE STATEFUL AND THEREFORE THIS ROUTINE 292 * MAY HAVE SIDE-EFFECTS 293 * 294 * XXX currently doesn't deal correctly with a numeric uid being passed 295 * instead of a username. What is correct behavior here? Check chown. 296 */ 297 int 298 _posix1e_acl_name_to_id(acl_tag_t tag, char *name, uid_t *id) 299 { 300 struct group *g; 301 struct passwd *p; 302 unsigned long l; 303 char *endp; 304 305 switch(tag) { 306 case ACL_USER: 307 p = getpwnam(name); 308 if (p == NULL) { 309 l = strtoul(name, &endp, 0); 310 if (*endp != '\0' || l != (unsigned long)(uid_t)l) { 311 errno = EINVAL; 312 return (-1); 313 } 314 *id = (uid_t)l; 315 return (0); 316 } 317 *id = p->pw_uid; 318 return (0); 319 320 case ACL_GROUP: 321 g = getgrnam(name); 322 if (g == NULL) { 323 l = strtoul(name, &endp, 0); 324 if (*endp != '\0' || l != (unsigned long)(gid_t)l) { 325 errno = EINVAL; 326 return (-1); 327 } 328 *id = (gid_t)l; 329 return (0); 330 } 331 *id = g->gr_gid; 332 return (0); 333 334 default: 335 return (EINVAL); 336 } 337 } 338 339 340 /* 341 * Given a right-shifted permission (i.e., direct ACL_PERM_* mask), fill 342 * in a string describing the permissions. 343 */ 344 int 345 _posix1e_acl_perm_to_string(acl_perm_t perm, ssize_t buf_len, char *buf) 346 { 347 348 if (buf_len < _POSIX1E_ACL_STRING_PERM_MAXSIZE + 1) { 349 errno = ENOMEM; 350 return (-1); 351 } 352 353 if ((perm | ACL_PERM_BITS) != ACL_PERM_BITS) { 354 errno = EINVAL; 355 return (-1); 356 } 357 358 buf[3] = 0; /* null terminate */ 359 360 if (perm & ACL_READ) 361 buf[0] = ACL_STRING_PERM_READ; 362 else 363 buf[0] = ACL_STRING_PERM_NONE; 364 365 if (perm & ACL_WRITE) 366 buf[1] = ACL_STRING_PERM_WRITE; 367 else 368 buf[1] = ACL_STRING_PERM_NONE; 369 370 if (perm & ACL_EXECUTE) 371 buf[2] = ACL_STRING_PERM_EXEC; 372 else 373 buf[2] = ACL_STRING_PERM_NONE; 374 375 return (0); 376 } 377 378 /* 379 * given a string, return a permission describing it 380 */ 381 int 382 _posix1e_acl_string_to_perm(char *string, acl_perm_t *perm) 383 { 384 acl_perm_t myperm = ACL_PERM_NONE; 385 char *ch; 386 387 ch = string; 388 while (*ch) { 389 switch(*ch) { 390 case ACL_STRING_PERM_READ: 391 myperm |= ACL_READ; 392 break; 393 case ACL_STRING_PERM_WRITE: 394 myperm |= ACL_WRITE; 395 break; 396 case ACL_STRING_PERM_EXEC: 397 myperm |= ACL_EXECUTE; 398 break; 399 case ACL_STRING_PERM_NONE: 400 break; 401 default: 402 return (EINVAL); 403 } 404 ch++; 405 } 406 407 *perm = myperm; 408 return (0); 409 } 410 411 /* 412 * Add an ACL entry without doing much checking, et al 413 */ 414 int 415 _posix1e_acl_add_entry(acl_t acl, acl_tag_t tag, uid_t id, acl_perm_t perm) 416 { 417 struct acl *acl_int; 418 struct acl_entry *e; 419 420 acl_int = &acl->ats_acl; 421 422 if (acl_int->acl_cnt >= ACL_MAX_ENTRIES) { 423 errno = ENOMEM; 424 return (-1); 425 } 426 427 e = &(acl_int->acl_entry[acl_int->acl_cnt]); 428 e->ae_perm = perm; 429 e->ae_tag = tag; 430 e->ae_id = id; 431 acl_int->acl_cnt++; 432 433 return (0); 434 } 435