1 /*- 2 * Copyright (c) 1999 Robert N. M. Watson 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 * 26 * $FreeBSD$ 27 */ 28 /* 29 * Support functionality for the POSIX.1e ACL interface 30 * These calls are intended only to be called within the library. 31 */ 32 33 #include <sys/types.h> 34 #include <sys/acl.h> 35 #include <errno.h> 36 #include <grp.h> 37 #include <pwd.h> 38 #include <stdio.h> 39 #include <stdlib.h> 40 41 #include "acl_support.h" 42 43 #define ACL_STRING_PERM_WRITE 'w' 44 #define ACL_STRING_PERM_READ 'r' 45 #define ACL_STRING_PERM_EXEC 'x' 46 #define ACL_STRING_PERM_NONE '-' 47 48 /* 49 * acl_entry_compare -- compare two acl_entry structures to determine the 50 * order they should appear in. Used by acl_sort to sort ACL entries into 51 * the kernel-desired order -- i.e., the order useful for evaluation and 52 * O(n) validity checking. Beter to have an O(nlogn) sort in userland and 53 * an O(n) in kernel than to have both in kernel. 54 */ 55 typedef int (*compare)(const void *, const void *); 56 static int 57 acl_entry_compare(struct acl_entry *a, struct acl_entry *b) 58 { 59 /* 60 * First, sort between tags -- conveniently defined in the correct 61 * order for verification. 62 */ 63 if (a->ae_tag < b->ae_tag) 64 return (-1); 65 if (a->ae_tag > b->ae_tag) 66 return (1); 67 68 /* 69 * Next compare uids/gids on appropriate types. 70 */ 71 72 if (a->ae_tag == ACL_USER || a->ae_tag == ACL_GROUP) { 73 if (a->ae_id < b->ae_id) 74 return (-1); 75 if (a->ae_id > b->ae_id) 76 return (1); 77 78 /* shouldn't be equal, fall through to the invalid case */ 79 } 80 81 /* 82 * Don't know how to sort multiple entries of the rest--either it's 83 * a bad entry, or there shouldn't be more than one. Ignore and the 84 * validity checker can get it later. 85 */ 86 return (0); 87 } 88 89 /* 90 * acl_sort -- sort ACL entries. 91 * Give the opportunity to fail, althouh we don't currently have a way 92 * to fail. 93 */ 94 int 95 acl_sort(acl_t acl) 96 { 97 98 qsort(&acl->acl_entry[0], acl->acl_cnt, sizeof(struct acl_entry), 99 (compare) acl_entry_compare); 100 101 return (0); 102 } 103 104 /* 105 * acl_posix1e -- in what situations should we acl_sort before submission? 106 * We apply posix1e ACL semantics for any ACL of type ACL_TYPE_ACCESS or 107 * ACL_TYPE_DEFAULT 108 */ 109 int 110 acl_posix1e(acl_t acl, acl_type_t type) 111 { 112 113 return ((type == ACL_TYPE_ACCESS) || (type == ACL_TYPE_DEFAULT)); 114 } 115 116 /* 117 * acl_check -- given an ACL, check its validity. This is mirrored from 118 * code in sys/kern/kern_acl.c, and if changes are made in one, they should 119 * be made in the other also. This copy of acl_check is made available 120 * in userland for the benefit of processes wanting to check ACLs for 121 * validity before submitting them to the kernel, or for performing 122 * in userland file system checking. Needless to say, the kernel makes 123 * the real checks on calls to get/setacl. 124 * 125 * See the comments in kernel for explanation -- just briefly, it assumes 126 * an already sorted ACL, and checks based on that assumption. The 127 * POSIX.1e interface, acl_valid(), will perform the sort before calling 128 * this. Returns 0 on success, EINVAL on failure. 129 */ 130 int 131 acl_check(struct acl *acl) 132 { 133 struct acl_entry *entry; /* current entry */ 134 uid_t obj_uid=-1, obj_gid=-1, highest_uid=0, highest_gid=0; 135 int stage = ACL_USER_OBJ; 136 int i = 0; 137 int count_user_obj=0, count_user=0, count_group_obj=0, 138 count_group=0, count_mask=0, count_other=0; 139 140 /* printf("acl_check: checking acl with %d entries\n", acl->acl_cnt); */ 141 while (i < acl->acl_cnt) { 142 143 entry = &acl->acl_entry[i]; 144 145 if ((entry->ae_perm | ACL_PERM_BITS) != ACL_PERM_BITS) 146 return (EINVAL); 147 148 switch(entry->ae_tag) { 149 case ACL_USER_OBJ: 150 /* printf("acl_check: %d: ACL_USER_OBJ\n", i); */ 151 if (stage > ACL_USER_OBJ) 152 return (EINVAL); 153 stage = ACL_USER; 154 count_user_obj++; 155 obj_uid = entry->ae_id; 156 break; 157 158 case ACL_USER: 159 /* printf("acl_check: %d: ACL_USER\n", i); */ 160 if (stage > ACL_USER) 161 return (EINVAL); 162 stage = ACL_USER; 163 if (entry->ae_id == obj_uid) 164 return (EINVAL); 165 if (count_user && (entry->ae_id <= highest_uid)) 166 return (EINVAL); 167 highest_uid = entry->ae_id; 168 count_user++; 169 break; 170 171 case ACL_GROUP_OBJ: 172 /* printf("acl_check: %d: ACL_GROUP_OBJ\n", i); */ 173 if (stage > ACL_GROUP_OBJ) 174 return (EINVAL); 175 stage = ACL_GROUP; 176 count_group_obj++; 177 obj_gid = entry->ae_id; 178 break; 179 180 case ACL_GROUP: 181 /* printf("acl_check: %d: ACL_GROUP\n", i); */ 182 if (stage > ACL_GROUP) 183 return (EINVAL); 184 stage = ACL_GROUP; 185 if (entry->ae_id == obj_gid) 186 return (EINVAL); 187 if (count_group && (entry->ae_id <= highest_gid)) 188 return (EINVAL); 189 highest_gid = entry->ae_id; 190 count_group++; 191 break; 192 193 case ACL_MASK: 194 /* printf("acl_check: %d: ACL_MASK\n", i); */ 195 if (stage > ACL_MASK) 196 return (EINVAL); 197 stage = ACL_MASK; 198 count_mask++; 199 break; 200 201 case ACL_OTHER: 202 /* printf("acl_check: %d: ACL_OTHER\n", i); */ 203 if (stage > ACL_OTHER) 204 return (EINVAL); 205 stage = ACL_OTHER; 206 count_other++; 207 break; 208 209 default: 210 /* printf("acl_check: %d: INVALID\n", i); */ 211 return (EINVAL); 212 } 213 i++; 214 } 215 216 if (count_user_obj != 1) 217 return (EINVAL); 218 219 if (count_group_obj != 1) 220 return (EINVAL); 221 222 if (count_mask != 0 && count_mask != 1) 223 return (EINVAL); 224 225 if (count_other != 1) 226 return (EINVAL); 227 228 return (0); 229 } 230 231 232 /* 233 * Given a uid/gid, return a username/groupname for the text form of an ACL 234 * XXX NOT THREAD SAFE, RELIES ON GETPWUID, GETGRGID 235 * XXX USES *PW* AND *GR* WHICH ARE STATEFUL AND THEREFORE THIS ROUTINE 236 * MAY HAVE SIDE-EFFECTS 237 */ 238 int 239 acl_id_to_name(acl_tag_t tag, uid_t id, ssize_t buf_len, char *buf) 240 { 241 struct group *g; 242 struct passwd *p; 243 int i; 244 245 switch(tag) { 246 case ACL_USER: 247 p = getpwuid(id); 248 if (!p) 249 i = snprintf(buf, buf_len, "%d", id); 250 else 251 i = snprintf(buf, buf_len, "%s", p->pw_name); 252 253 if (i >= buf_len) { 254 errno = ENOMEM; 255 return (-1); 256 } 257 return (0); 258 259 case ACL_GROUP: 260 g = getgrgid(id); 261 if (!g) 262 i = snprintf(buf, buf_len, "%d", id); 263 else 264 i = snprintf(buf, buf_len, "%s", g->gr_name); 265 266 if (i >= buf_len) { 267 errno = ENOMEM; 268 return (-1); 269 } 270 return (0); 271 272 default: 273 return (EINVAL); 274 } 275 } 276 277 278 /* 279 * Given a username/groupname from a text form of an ACL, return the uid/gid 280 * XXX NOT THREAD SAFE, RELIES ON GETPWNAM, GETGRNAM 281 * XXX USES *PW* AND *GR* WHICH ARE STATEFUL AND THEREFORE THIS ROUTINE 282 * MAY HAVE SIDE-EFFECTS 283 * 284 * XXX currently doesn't deal correctly with a numeric uid being passed 285 * instead of a username. What is correct behavior here? Check chown. 286 */ 287 int 288 acl_name_to_id(acl_tag_t tag, char *name, uid_t *id) 289 { 290 struct group *g; 291 struct passwd *p; 292 unsigned long l; 293 char *endp; 294 295 switch(tag) { 296 case ACL_USER: 297 p = getpwnam(name); 298 if (p == NULL) { 299 l = strtoul(name, &endp, 0); 300 if (*endp != '\0' || l != (unsigned long)(uid_t)l) { 301 errno = EINVAL; 302 return (-1); 303 } 304 *id = (uid_t)l; 305 return (0); 306 } 307 *id = p->pw_uid; 308 return (0); 309 310 case ACL_GROUP: 311 g = getgrnam(name); 312 if (g == NULL) { 313 l = strtoul(name, &endp, 0); 314 if (*endp != '\0' || l != (unsigned long)(gid_t)l) { 315 errno = EINVAL; 316 return (-1); 317 } 318 *id = (gid_t)l; 319 return (0); 320 } 321 *id = g->gr_gid; 322 return (0); 323 324 default: 325 return (EINVAL); 326 } 327 } 328 329 330 /* 331 * Given a right-shifted permission (i.e., direct ACL_PERM_* mask), fill 332 * in a string describing the permissions. 333 */ 334 int 335 acl_perm_to_string(acl_perm_t perm, ssize_t buf_len, char *buf) 336 { 337 338 if (buf_len < ACL_STRING_PERM_MAXSIZE + 1) { 339 errno = ENOMEM; 340 return (-1); 341 } 342 343 if ((perm | ACL_PERM_BITS) != ACL_PERM_BITS) { 344 errno = EINVAL; 345 return (-1); 346 } 347 348 buf[3] = 0; /* null terminate */ 349 350 if (perm & ACL_PERM_READ) 351 buf[0] = ACL_STRING_PERM_READ; 352 else 353 buf[0] = ACL_STRING_PERM_NONE; 354 355 if (perm & ACL_PERM_WRITE) 356 buf[1] = ACL_STRING_PERM_WRITE; 357 else 358 buf[1] = ACL_STRING_PERM_NONE; 359 360 if (perm & ACL_PERM_EXEC) 361 buf[2] = ACL_STRING_PERM_EXEC; 362 else 363 buf[2] = ACL_STRING_PERM_NONE; 364 365 return (0); 366 } 367 368 /* 369 * given a string, return a permission describing it 370 */ 371 int 372 acl_string_to_perm(char *string, acl_perm_t *perm) 373 { 374 acl_perm_t myperm = ACL_PERM_NONE; 375 char *ch; 376 377 ch = string; 378 while (*ch) { 379 switch(*ch) { 380 case ACL_STRING_PERM_READ: 381 myperm |= ACL_PERM_READ; 382 break; 383 case ACL_STRING_PERM_WRITE: 384 myperm |= ACL_PERM_WRITE; 385 break; 386 case ACL_STRING_PERM_EXEC: 387 myperm |= ACL_PERM_EXEC; 388 break; 389 case ACL_STRING_PERM_NONE: 390 break; 391 default: 392 return (EINVAL); 393 } 394 ch++; 395 } 396 397 *perm = myperm; 398 return (0); 399 } 400 401 /* 402 * Add an ACL entry without doing much checking, et al 403 */ 404 int 405 acl_add_entry(acl_t acl, acl_tag_t tag, uid_t id, acl_perm_t perm) 406 { 407 struct acl_entry *e; 408 409 if (acl->acl_cnt >= ACL_MAX_ENTRIES) { 410 errno = ENOMEM; 411 return (-1); 412 } 413 414 e = &(acl->acl_entry[acl->acl_cnt]); 415 e->ae_perm = perm; 416 e->ae_tag = tag; 417 e->ae_id = id; 418 acl->acl_cnt++; 419 420 return (0); 421 } 422