xref: /illumos-gate/usr/src/lib/libsec/common/acltext.c (revision ef8846857fcf954444cdc77e72249afef48377d2)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 /*LINTLIBRARY*/
28 
29 #include <grp.h>
30 #include <pwd.h>
31 #include <string.h>
32 #include <limits.h>
33 #include <stdlib.h>
34 #include <errno.h>
35 #include <sys/param.h>
36 #include <sys/types.h>
37 #include <sys/stat.h>
38 #include <sys/acl.h>
39 #include <aclutils.h>
40 
41 #define	ID_STR_MAX	20	/* digits in LONG_MAX */
42 
43 #define	APPENDED_ID_MAX	ID_STR_MAX + 1		/* id + colon */
44 /*
45  * yyinteractive controls whether yyparse should print out
46  * error messages to stderr, and whether or not id's should be
47  * allowed from acl_fromtext().
48  */
49 int	yyinteractive;
50 acl_t	*yyacl;
51 char	*yybuf;
52 
53 extern acl_t *acl_alloc(enum acl_type);
54 
55 
56 struct dynaclstr {
57 	size_t bufsize;		/* current size of aclexport */
58 	char *aclexport;
59 };
60 
61 static char *strappend(char *, char *);
62 static char *convert_perm(char *, o_mode_t);
63 static int increase_length(struct dynaclstr *, size_t);
64 
65 static void
66 aclent_perms(int perm, char *txt_perms)
67 {
68 	if (perm & S_IROTH)
69 		txt_perms[0] = 'r';
70 	else
71 		txt_perms[0] = '-';
72 	if (perm & S_IWOTH)
73 		txt_perms[1] = 'w';
74 	else
75 		txt_perms[1] = '-';
76 	if (perm & S_IXOTH)
77 		txt_perms[2] = 'x';
78 	else
79 		txt_perms[2] = '-';
80 	txt_perms[3] = '\0';
81 }
82 
83 static char *
84 pruname(uid_t uid, char *uidp, size_t buflen, int noresolve)
85 {
86 	struct passwd	*passwdp = NULL;
87 
88 	if (noresolve == 0)
89 		passwdp = getpwuid(uid);
90 	if (passwdp == (struct passwd *)NULL) {
91 		/* could not get passwd information: display uid instead */
92 		(void) snprintf(uidp, buflen, "%ld", (long)uid);
93 	} else {
94 		(void) strlcpy(uidp, passwdp->pw_name, buflen);
95 	}
96 	return (uidp);
97 }
98 
99 static char *
100 prgname(gid_t gid, char *gidp, size_t buflen, int noresolve)
101 {
102 	struct group	*groupp = NULL;
103 
104 	if (noresolve == 0)
105 		groupp = getgrgid(gid);
106 	if (groupp == (struct group *)NULL) {
107 		/* could not get group information: display gid instead */
108 		(void) snprintf(gidp, buflen, "%ld", (long)gid);
109 	} else {
110 		(void) strlcpy(gidp, groupp->gr_name, buflen);
111 	}
112 	return (gidp);
113 }
114 static void
115 aclent_printacl(acl_t *aclp)
116 {
117 	aclent_t *tp;
118 	int aclcnt;
119 	int mask;
120 	int slot = 0;
121 	char perm[4];
122 	char uidp[ID_STR_MAX];
123 	char gidp[ID_STR_MAX];
124 
125 	/* display ACL: assume it is sorted. */
126 	aclcnt = aclp->acl_cnt;
127 	for (tp = aclp->acl_aclp; tp && aclcnt--; tp++) {
128 		if (tp->a_type == CLASS_OBJ)
129 			mask = tp->a_perm;
130 	}
131 	aclcnt = aclp->acl_cnt;
132 	for (tp = aclp->acl_aclp; aclcnt--; tp++) {
133 		(void) printf("     %d:", slot++);
134 		switch (tp->a_type) {
135 		case USER:
136 			aclent_perms(tp->a_perm, perm);
137 			(void) printf("user:%s:%s\t\t",
138 			    pruname(tp->a_id, uidp, sizeof (uidp), 0), perm);
139 			aclent_perms((tp->a_perm & mask), perm);
140 			(void) printf("#effective:%s\n", perm);
141 			break;
142 		case USER_OBJ:
143 			/* no need to display uid */
144 			aclent_perms(tp->a_perm, perm);
145 			(void) printf("user::%s\n", perm);
146 			break;
147 		case GROUP:
148 			aclent_perms(tp->a_perm, perm);
149 			(void) printf("group:%s:%s\t\t",
150 			    prgname(tp->a_id, gidp, sizeof (gidp), 0), perm);
151 			aclent_perms(tp->a_perm & mask, perm);
152 			(void) printf("#effective:%s\n", perm);
153 			break;
154 		case GROUP_OBJ:
155 			aclent_perms(tp->a_perm, perm);
156 			(void) printf("group::%s\t\t", perm);
157 			aclent_perms(tp->a_perm & mask, perm);
158 			(void) printf("#effective:%s\n", perm);
159 			break;
160 		case CLASS_OBJ:
161 			aclent_perms(tp->a_perm, perm);
162 			(void) printf("mask:%s\n", perm);
163 			break;
164 		case OTHER_OBJ:
165 			aclent_perms(tp->a_perm, perm);
166 			(void) printf("other:%s\n", perm);
167 			break;
168 		case DEF_USER:
169 			aclent_perms(tp->a_perm, perm);
170 			(void) printf("default:user:%s:%s\n",
171 			    pruname(tp->a_id, uidp, sizeof (uidp), 0), perm);
172 			break;
173 		case DEF_USER_OBJ:
174 			aclent_perms(tp->a_perm, perm);
175 			(void) printf("default:user::%s\n", perm);
176 			break;
177 		case DEF_GROUP:
178 			aclent_perms(tp->a_perm, perm);
179 			(void) printf("default:group:%s:%s\n",
180 			    prgname(tp->a_id, gidp, sizeof (gidp), 0), perm);
181 			break;
182 		case DEF_GROUP_OBJ:
183 			aclent_perms(tp->a_perm, perm);
184 			(void) printf("default:group::%s\n", perm);
185 			break;
186 		case DEF_CLASS_OBJ:
187 			aclent_perms(tp->a_perm, perm);
188 			(void) printf("default:mask:%s\n", perm);
189 			break;
190 		case DEF_OTHER_OBJ:
191 			aclent_perms(tp->a_perm, perm);
192 			(void) printf("default:other:%s\n", perm);
193 			break;
194 		default:
195 			(void) fprintf(stderr,
196 			    dgettext(TEXT_DOMAIN, "unrecognized entry\n"));
197 			break;
198 		}
199 	}
200 }
201 
202 static void
203 split_line(char *str, int cols)
204 {
205 	char *ptr;
206 	int len;
207 	int i;
208 	int last_split;
209 	char *pad = "";
210 	int pad_len;
211 
212 	len = strlen(str);
213 	ptr = str;
214 	pad_len = 0;
215 
216 	ptr = str;
217 	last_split = 0;
218 	for (i = 0; i != len; i++) {
219 		if ((i + pad_len + 4) >= cols) {
220 			(void) printf("%s%.*s\n", pad, last_split, ptr);
221 			ptr = &ptr[last_split];
222 			len = strlen(ptr);
223 			i = 0;
224 			pad_len = 4;
225 			pad = "         ";
226 		} else {
227 			if (ptr[i] == '/' || ptr[i] == ':') {
228 				last_split = i;
229 			}
230 		}
231 	}
232 	if (i == len) {
233 		(void) printf("%s%s\n", pad, ptr);
234 	}
235 }
236 
237 #define	OWNERAT_TXT	"owner@"
238 #define	GROUPAT_TXT	"group@"
239 #define	EVERYONEAT_TXT	"everyone@"
240 #define	GROUP_TXT	"group:"
241 #define	USER_TXT	"user:"
242 
243 char *
244 ace_type_txt(char *buf, char **endp, ace_t *acep, int flags)
245 {
246 
247 	char idp[ID_STR_MAX];
248 
249 	if (buf == NULL)
250 		return (NULL);
251 
252 	switch (acep->a_flags & ACE_TYPE_FLAGS) {
253 	case ACE_OWNER:
254 		strcpy(buf, OWNERAT_TXT);
255 		*endp = buf + sizeof (OWNERAT_TXT) - 1;
256 		break;
257 
258 	case ACE_GROUP|ACE_IDENTIFIER_GROUP:
259 		strcpy(buf, GROUPAT_TXT);
260 		*endp = buf + sizeof (GROUPAT_TXT) - 1;
261 		break;
262 
263 	case ACE_IDENTIFIER_GROUP:
264 		strcpy(buf, GROUP_TXT);
265 		strcat(buf, prgname(acep->a_who, idp,
266 		    sizeof (idp), flags & ACL_NORESOLVE));
267 		*endp = buf + strlen(buf);
268 		break;
269 
270 	case ACE_EVERYONE:
271 		strcpy(buf, EVERYONEAT_TXT);
272 		*endp = buf + sizeof (EVERYONEAT_TXT) - 1;
273 		break;
274 
275 	case 0:
276 		strcpy(buf, USER_TXT);
277 		strcat(buf, pruname(acep->a_who, idp,
278 		    sizeof (idp), flags & ACL_NORESOLVE));
279 		*endp = buf + strlen(buf);
280 		break;
281 	}
282 
283 	return (buf);
284 }
285 
286 #define	READ_DATA_TXT	"read_data/"
287 #define	WRITE_DATA_TXT	"write_data/"
288 #define	EXECUTE_TXT	"execute/"
289 #define	READ_XATTR_TXT	"read_xattr/"
290 #define	WRITE_XATTR_TXT	"write_xattr/"
291 #define	READ_ATTRIBUTES_TXT "read_attributes/"
292 #define	WRITE_ATTRIBUTES_TXT "write_attributes/"
293 #define	DELETE_TXT	"delete/"
294 #define	DELETE_CHILD_TXT "delete_child/"
295 #define	WRITE_OWNER_TXT "write_owner/"
296 #define	READ_ACL_TXT	"read_acl/"
297 #define	WRITE_ACL_TXT	"write_acl/"
298 #define	APPEND_DATA_TXT "append_data/"
299 #define	READ_DIR_TXT	"list_directory/read_data/"
300 #define	ADD_DIR_TXT	"add_subdirectory/append_data/"
301 #define	ADD_FILE_TXT	"add_file/write_data/"
302 #define	SYNCHRONIZE_TXT "synchronize"	/* not slash on this one */
303 
304 char *
305 ace_perm_txt(char *buf, char **endp, uint32_t mask,
306     uint32_t iflags, int isdir, int flags)
307 {
308 	char *lend = buf;		/* local end */
309 
310 	if (buf == NULL)
311 		return (NULL);
312 
313 	if (flags & ACL_COMPACT_FMT) {
314 
315 		if (mask & ACE_READ_DATA)
316 			buf[0] = 'r';
317 		else
318 			buf[0] = '-';
319 		if (mask & ACE_WRITE_DATA)
320 			buf[1] = 'w';
321 		else
322 			buf[1] = '-';
323 		if (mask & ACE_EXECUTE)
324 			buf[2] = 'x';
325 		else
326 			buf[2] = '-';
327 		if (mask & ACE_APPEND_DATA)
328 			buf[3] = 'p';
329 		else
330 			buf[3] = '-';
331 		if (mask & ACE_DELETE)
332 			buf[4] = 'd';
333 		else
334 			buf[4] = '-';
335 		if (mask & ACE_DELETE_CHILD)
336 			buf[5] = 'D';
337 		else
338 			buf[5] = '-';
339 		if (mask & ACE_READ_ATTRIBUTES)
340 			buf[6] = 'a';
341 		else
342 			buf[6] = '-';
343 		if (mask & ACE_WRITE_ATTRIBUTES)
344 			buf[7] = 'A';
345 		else
346 			buf[7] = '-';
347 		if (mask & ACE_READ_NAMED_ATTRS)
348 			buf[8] = 'R';
349 		else
350 			buf[8] = '-';
351 		if (mask & ACE_WRITE_NAMED_ATTRS)
352 			buf[9] = 'W';
353 		else
354 			buf[9] = '-';
355 		if (mask & ACE_READ_ACL)
356 			buf[10] = 'c';
357 		else
358 			buf[10] = '-';
359 		if (mask & ACE_WRITE_ACL)
360 			buf[11] = 'C';
361 		else
362 			buf[11] = '-';
363 		if (mask & ACE_WRITE_OWNER)
364 			buf[12] = 'o';
365 		else
366 			buf[12] = '-';
367 		if (mask & ACE_SYNCHRONIZE)
368 			buf[13] = 's';
369 		else
370 			buf[13] = '-';
371 		buf[14] = '\0';
372 		*endp = buf + 14;
373 		return (buf);
374 	} else {
375 		/*
376 		 * If ACE is a directory, but inheritance indicates its
377 		 * for a file then print permissions for file rather than
378 		 * dir.
379 		 */
380 		if (isdir) {
381 			if (mask & ACE_LIST_DIRECTORY) {
382 				if (iflags == ACE_FILE_INHERIT_ACE) {
383 					strcpy(lend, READ_DATA_TXT);
384 					lend += sizeof (READ_DATA_TXT) - 1;
385 				} else {
386 					strcpy(lend, READ_DIR_TXT);
387 					lend += sizeof (READ_DIR_TXT) - 1;
388 				}
389 			}
390 			if (mask & ACE_ADD_FILE) {
391 				if (iflags == ACE_FILE_INHERIT_ACE) {
392 					strcpy(lend, WRITE_DATA_TXT);
393 					lend += sizeof (WRITE_DATA_TXT) - 1;
394 				} else {
395 					strcpy(lend, ADD_FILE_TXT);
396 					lend +=
397 					    sizeof (ADD_FILE_TXT) -1;
398 				}
399 			}
400 			if (mask & ACE_ADD_SUBDIRECTORY) {
401 				if (iflags == ACE_FILE_INHERIT_ACE) {
402 					strcpy(lend, APPEND_DATA_TXT);
403 					lend += sizeof (APPEND_DATA_TXT) - 1;
404 				} else {
405 					strcpy(lend, ADD_DIR_TXT);
406 					lend += sizeof (ADD_DIR_TXT) - 1;
407 				}
408 			}
409 		} else {
410 			if (mask & ACE_READ_DATA) {
411 				strcpy(lend, READ_DATA_TXT);
412 				lend += sizeof (READ_DATA_TXT) - 1;
413 			}
414 			if (mask & ACE_WRITE_DATA) {
415 				strcpy(lend, WRITE_DATA_TXT);
416 				lend += sizeof (WRITE_DATA_TXT) - 1;
417 			}
418 			if (mask & ACE_APPEND_DATA) {
419 				strcpy(lend, APPEND_DATA_TXT);
420 				lend += sizeof (APPEND_DATA_TXT) - 1;
421 			}
422 		}
423 		if (mask & ACE_READ_NAMED_ATTRS) {
424 			strcpy(lend, READ_XATTR_TXT);
425 			lend += sizeof (READ_XATTR_TXT) - 1;
426 		}
427 		if (mask & ACE_WRITE_NAMED_ATTRS) {
428 			strcpy(lend, WRITE_XATTR_TXT);
429 			lend += sizeof (WRITE_XATTR_TXT) - 1;
430 		}
431 		if (mask & ACE_EXECUTE) {
432 			strcpy(lend, EXECUTE_TXT);
433 			lend += sizeof (EXECUTE_TXT) - 1;
434 		}
435 		if (mask & ACE_DELETE_CHILD) {
436 			strcpy(lend, DELETE_CHILD_TXT);
437 			lend += sizeof (DELETE_CHILD_TXT) - 1;
438 		}
439 		if (mask & ACE_READ_ATTRIBUTES) {
440 			strcpy(lend, READ_ATTRIBUTES_TXT);
441 			lend += sizeof (READ_ATTRIBUTES_TXT) - 1;
442 		}
443 		if (mask & ACE_WRITE_ATTRIBUTES) {
444 			strcpy(lend, WRITE_ATTRIBUTES_TXT);
445 			lend += sizeof (WRITE_ATTRIBUTES_TXT) - 1;
446 		}
447 		if (mask & ACE_DELETE) {
448 			strcpy(lend, DELETE_TXT);
449 			lend += sizeof (DELETE_TXT) - 1;
450 		}
451 		if (mask & ACE_READ_ACL) {
452 			strcpy(lend, READ_ACL_TXT);
453 			lend += sizeof (READ_ACL_TXT) - 1;
454 		}
455 		if (mask & ACE_WRITE_ACL) {
456 			strcpy(lend, WRITE_ACL_TXT);
457 			lend += sizeof (WRITE_ACL_TXT) - 1;
458 		}
459 		if (mask & ACE_WRITE_OWNER) {
460 			strcpy(lend, WRITE_OWNER_TXT);
461 			lend += sizeof (WRITE_OWNER_TXT) - 1;
462 		}
463 		if (mask & ACE_SYNCHRONIZE) {
464 			strcpy(lend, SYNCHRONIZE_TXT);
465 			lend += sizeof (SYNCHRONIZE_TXT) - 1;
466 		}
467 
468 		if (*(lend - 1) == '/')
469 			*--lend = '\0';
470 	}
471 
472 	*endp = lend;
473 	return (buf);
474 }
475 
476 #define	ALLOW_TXT	"allow"
477 #define	DENY_TXT	"deny"
478 #define	ALARM_TXT	"alarm"
479 #define	AUDIT_TXT	"audit"
480 #define	UNKNOWN_TXT	"unknown"
481 char *
482 ace_access_txt(char *buf, char **endp, int type)
483 {
484 
485 	if (buf == NULL)
486 		return (NULL);
487 
488 	if (type == ACE_ACCESS_ALLOWED_ACE_TYPE) {
489 		strcpy(buf, ALLOW_TXT);
490 		*endp += sizeof (ALLOW_TXT) - 1;
491 	} else if (type == ACE_ACCESS_DENIED_ACE_TYPE) {
492 		strcpy(buf, DENY_TXT);
493 		*endp += sizeof (DENY_TXT) - 1;
494 	} else if (type == ACE_SYSTEM_AUDIT_ACE_TYPE) {
495 		strcpy(buf, AUDIT_TXT);
496 		*endp += sizeof (AUDIT_TXT) - 1;
497 	} else if (type == ACE_SYSTEM_ALARM_ACE_TYPE) {
498 		strcpy(buf, ALARM_TXT);
499 		*endp += sizeof (ALARM_TXT) - 1;
500 	} else {
501 		strcpy(buf, UNKNOWN_TXT);
502 		*endp += sizeof (UNKNOWN_TXT) - 1;
503 	}
504 
505 	return (buf);
506 }
507 
508 static char *
509 ace_inherit_txt(char *buf, char **endp, uint32_t iflags, int flags)
510 {
511 
512 	char *lend = buf;
513 
514 	if (buf == NULL) {
515 		return (NULL);
516 	}
517 
518 	if (flags & ACL_COMPACT_FMT) {
519 		if (iflags & ACE_FILE_INHERIT_ACE)
520 			buf[0] = 'f';
521 		else
522 			buf[0] = '-';
523 		if (iflags & ACE_DIRECTORY_INHERIT_ACE)
524 			buf[1] = 'd';
525 		else
526 			buf[1] = '-';
527 		if (iflags & ACE_INHERIT_ONLY_ACE)
528 			buf[2] = 'i';
529 		else
530 			buf[2] = '-';
531 		if (iflags & ACE_NO_PROPAGATE_INHERIT_ACE)
532 			buf[3] = 'n';
533 		else
534 			buf[3] = '-';
535 		if (iflags & ACE_SUCCESSFUL_ACCESS_ACE_FLAG)
536 			buf[4] = 'S';
537 		else
538 			buf[4] = '-';
539 		if (iflags & ACE_FAILED_ACCESS_ACE_FLAG)
540 			buf[5] = 'F';
541 		else
542 			buf[5] = '-';
543 		buf[6] = '\0';
544 		*endp = buf + 6;
545 	} else {
546 		if (iflags & ACE_FILE_INHERIT_ACE) {
547 			strcpy(lend, "file_inherit/");
548 			lend += sizeof ("file_inherit/") - 1;
549 		}
550 		if (iflags & ACE_DIRECTORY_INHERIT_ACE) {
551 			strcpy(lend, "dir_inherit/");
552 			lend += sizeof ("dir_inherit/") - 1;
553 		}
554 		if (iflags & ACE_NO_PROPAGATE_INHERIT_ACE) {
555 			strcpy(lend, "no_propagate/");
556 			lend += sizeof ("no_propagate/") - 1;
557 		}
558 		if (iflags & ACE_INHERIT_ONLY_ACE) {
559 			strcpy(lend, "inherit_only/");
560 			lend += sizeof ("inherit_only/") - 1;
561 		}
562 
563 		if (*(lend - 1) == '/')
564 			*--lend = '\0';
565 		*endp = lend;
566 	}
567 
568 	return (buf);
569 }
570 
571 /*
572  * Convert internal acl representation to external representation.
573  *
574  * The length of a non-owning user name or non-owning group name ie entries
575  * of type DEF_USER, USER, DEF_GROUP or GROUP, can exceed LOGNAME_MAX.  We
576  * thus check the length of these entries, and if greater than LOGNAME_MAX,
577  * we realloc() via increase_length().
578  *
579  * The LOGNAME_MAX, ENTRYTYPELEN and PERMS limits are otherwise always
580  * adhered to.
581  */
582 
583 /*
584  * acltotext() converts each ACL entry to look like this:
585  *
586  *    entry_type:uid^gid^name:perms[:id]
587  *
588  * The maximum length of entry_type is 14 ("defaultgroup::" and
589  * "defaultother::") hence ENTRYTYPELEN is set to 14.
590  *
591  * The max length of a uid^gid^name entry (in theory) is 8, hence we use,
592  * however the ID could be a number so we therefore use ID_STR_MAX
593  *
594  * The length of a perms entry is 4 to allow for the comma appended to each
595  * to each acl entry.  Hence PERMS is set to 4.
596  */
597 
598 #define	ENTRYTYPELEN	14
599 #define	PERMS		4
600 #define	ACL_ENTRY_SIZE	(ENTRYTYPELEN + ID_STR_MAX + PERMS + APPENDED_ID_MAX)
601 #define	UPDATE_WHERE	where = dstr->aclexport + strlen(dstr->aclexport)
602 
603 char *
604 aclent_acltotext(aclent_t  *aclp, int aclcnt, int flags)
605 {
606 	char		*aclexport;
607 	char		*where;
608 	struct group	*groupp = NULL;
609 	struct passwd	*passwdp = NULL;
610 	struct dynaclstr *dstr;
611 	int		i, rtn;
612 	size_t		excess = 0;
613 	char		id[ID_STR_MAX], *idstr;
614 
615 	if (aclp == NULL)
616 		return (NULL);
617 	if ((dstr = malloc(sizeof (struct dynaclstr))) == NULL)
618 		return (NULL);
619 	dstr->bufsize = aclcnt * ACL_ENTRY_SIZE;
620 	if ((dstr->aclexport = malloc(dstr->bufsize)) == NULL) {
621 		free(dstr);
622 		return (NULL);
623 	}
624 	*dstr->aclexport = '\0';
625 	where = dstr->aclexport;
626 
627 	for (i = 0; i < aclcnt; i++, aclp++) {
628 		switch (aclp->a_type) {
629 		case DEF_USER_OBJ:
630 		case USER_OBJ:
631 			if (aclp->a_type == USER_OBJ)
632 				where = strappend(where, "user::");
633 			else
634 				where = strappend(where, "defaultuser::");
635 			where = convert_perm(where, aclp->a_perm);
636 			break;
637 		case DEF_USER:
638 		case USER:
639 			if (aclp->a_type == USER)
640 				where = strappend(where, "user:");
641 			else
642 				where = strappend(where, "defaultuser:");
643 			if ((flags & ACL_NORESOLVE) == 0)
644 				passwdp = getpwuid(aclp->a_id);
645 			if (passwdp == (struct passwd *)NULL) {
646 				/* put in uid instead */
647 				(void) sprintf(where, "%d", aclp->a_id);
648 				UPDATE_WHERE;
649 			} else {
650 				excess = strlen(passwdp->pw_name) - LOGNAME_MAX;
651 				if (excess > 0) {
652 					rtn = increase_length(dstr, excess);
653 					if (rtn == 1) {
654 						UPDATE_WHERE;
655 					} else {
656 						free(dstr->aclexport);
657 						free(dstr);
658 						return (NULL);
659 					}
660 				}
661 				where = strappend(where, passwdp->pw_name);
662 			}
663 			where = strappend(where, ":");
664 			where = convert_perm(where, aclp->a_perm);
665 			break;
666 		case DEF_GROUP_OBJ:
667 		case GROUP_OBJ:
668 			if (aclp->a_type == GROUP_OBJ)
669 				where = strappend(where, "group::");
670 			else
671 				where = strappend(where, "defaultgroup::");
672 			where = convert_perm(where, aclp->a_perm);
673 			break;
674 		case DEF_GROUP:
675 		case GROUP:
676 			if (aclp->a_type == GROUP)
677 				where = strappend(where, "group:");
678 			else
679 				where = strappend(where, "defaultgroup:");
680 			if ((flags & ACL_NORESOLVE) == 0)
681 				groupp = getgrgid(aclp->a_id);
682 			if (groupp == (struct group *)NULL) {
683 				/* put in gid instead */
684 				(void) sprintf(where, "%d", aclp->a_id);
685 				UPDATE_WHERE;
686 			} else {
687 				excess = strlen(groupp->gr_name) - LOGNAME_MAX;
688 				if (excess > 0) {
689 					rtn = increase_length(dstr, excess);
690 					if (rtn == 1) {
691 						UPDATE_WHERE;
692 					} else {
693 						free(dstr->aclexport);
694 						free(dstr);
695 						return (NULL);
696 					}
697 				}
698 				where = strappend(where, groupp->gr_name);
699 			}
700 			where = strappend(where, ":");
701 			where = convert_perm(where, aclp->a_perm);
702 			break;
703 		case DEF_CLASS_OBJ:
704 		case CLASS_OBJ:
705 			if (aclp->a_type == CLASS_OBJ)
706 				where = strappend(where, "mask:");
707 			else
708 				where = strappend(where, "defaultmask:");
709 			where = convert_perm(where, aclp->a_perm);
710 			break;
711 		case DEF_OTHER_OBJ:
712 		case OTHER_OBJ:
713 			if (aclp->a_type == OTHER_OBJ)
714 				where = strappend(where, "other:");
715 			else
716 				where = strappend(where, "defaultother:");
717 			where = convert_perm(where, aclp->a_perm);
718 			break;
719 		default:
720 			free(dstr->aclexport);
721 			free(dstr);
722 			return (NULL);
723 
724 		}
725 
726 		if ((flags & ACL_APPEND_ID) && ((aclp->a_type == USER) ||
727 		    (aclp->a_type == DEF_USER) || (aclp->a_type == GROUP) ||
728 		    (aclp->a_type == DEF_GROUP))) {
729 			where = strappend(where, ":");
730 			id[ID_STR_MAX - 1] = '\0'; /* null terminate buffer */
731 			idstr = lltostr(aclp->a_id, &id[ID_STR_MAX - 1]);
732 			where = strappend(where, idstr);
733 		}
734 		if (i < aclcnt - 1)
735 			where = strappend(where, ",");
736 	}
737 	aclexport = dstr->aclexport;
738 	free(dstr);
739 	return (aclexport);
740 
741 
742 
743 
744 }
745 
746 char *
747 acltotext(aclent_t *aclp, int aclcnt)
748 {
749 	return (aclent_acltotext(aclp, aclcnt, 0));
750 }
751 
752 
753 aclent_t *
754 aclfromtext(char *aclstr, int *aclcnt)
755 {
756 	acl_t *aclp;
757 	aclent_t *aclentp;
758 	int error;
759 
760 	error = acl_fromtext(aclstr, &aclp);
761 	if (error)
762 		return (NULL);
763 
764 	aclentp = aclp->acl_aclp;
765 	aclp->acl_aclp = NULL;
766 	*aclcnt = aclp->acl_cnt;
767 
768 	acl_free(aclp);
769 	return (aclentp);
770 }
771 
772 
773 static char *
774 strappend(char *where, char *newstr)
775 {
776 	(void) strcat(where, newstr);
777 	return (where + strlen(newstr));
778 }
779 
780 static char *
781 convert_perm(char *where, o_mode_t perm)
782 {
783 	if (perm & S_IROTH)
784 		where = strappend(where, "r");
785 	else
786 		where = strappend(where, "-");
787 	if (perm & S_IWOTH)
788 		where = strappend(where, "w");
789 	else
790 		where = strappend(where, "-");
791 	if (perm & S_IXOTH)
792 		where = strappend(where, "x");
793 	else
794 		where = strappend(where, "-");
795 	/* perm is the last field */
796 	return (where);
797 }
798 
799 /*
800  * Callers should check the return code as this routine may change the string
801  * pointer in dynaclstr.
802  */
803 static int
804 increase_length(struct dynaclstr *dacl, size_t increase)
805 {
806 	char *tptr;
807 	size_t newsize;
808 
809 	newsize = dacl->bufsize + increase;
810 	tptr = realloc(dacl->aclexport, newsize);
811 	if (tptr != NULL) {
812 		dacl->aclexport = tptr;
813 		dacl->bufsize = newsize;
814 		return (1);
815 	} else
816 		return (0);
817 }
818 
819 /*
820  * ace_acltotext() convert each ace formatted acl to look like this:
821  *
822  * entry_type:uid^gid^name:perms[:flags]:<allow|deny>[:id][,]
823  *
824  * The maximum length of entry_type is 5 ("group")
825  *
826  * The max length of a uid^gid^name entry (in theory) is 8,
827  * however id could be a number so we therefore use ID_STR_MAX
828  *
829  * The length of a perms entry is 144 i.e read_data/write_data...
830  * to each acl entry.
831  *
832  * iflags: file_inherit/dir_inherit/inherit_only/no_propagate
833  *
834  */
835 
836 #define	ACE_ENTRYTYPLEN		6
837 #define	IFLAGS_SIZE		51
838 #define	ACCESS_TYPE_SIZE	7	/* if unknown */
839 #define	COLON_CNT		3
840 #define	PERMS_LEN		216
841 #define	ACE_ENTRY_SIZE	(ACE_ENTRYTYPLEN + ID_STR_MAX + PERMS_LEN +\
842     ACCESS_TYPE_SIZE + IFLAGS_SIZE + COLON_CNT + APPENDED_ID_MAX)
843 
844 static char *
845 ace_acltotext(acl_t *aceaclp, int flags)
846 {
847 	ace_t		*aclp = aceaclp->acl_aclp;
848 	int		aclcnt = aceaclp->acl_cnt;
849 	char		*aclexport;
850 	char		*endp;
851 	int		i;
852 	char		id[ID_STR_MAX], *idstr;
853 	int		isdir = (aceaclp->acl_flags & ACL_IS_DIR);
854 
855 	if (aclp == NULL)
856 		return (NULL);
857 	if ((aclexport = malloc(aclcnt * ACE_ENTRY_SIZE)) == NULL)
858 		return (NULL);
859 
860 	aclexport[0] = '\0';
861 	endp = aclexport;
862 	for (i = 0; i < aclcnt; i++, aclp++) {
863 
864 		(void) ace_type_txt(endp, &endp, aclp, flags);
865 		*endp++ = ':';
866 		*endp = '\0';
867 		(void) ace_perm_txt(endp, &endp, aclp->a_access_mask,
868 		    aclp->a_flags, isdir, flags);
869 		*endp++ = ':';
870 		*endp = '\0';
871 		(void) ace_inherit_txt(endp, &endp, aclp->a_flags, flags);
872 		if (flags & ACL_COMPACT_FMT || aclp->a_flags &
873 		    (ACE_FILE_INHERIT_ACE | ACE_DIRECTORY_INHERIT_ACE |
874 		    (ACE_INHERIT_ONLY_ACE | ACE_NO_PROPAGATE_INHERIT_ACE))) {
875 			*endp++ = ':';
876 			*endp = '\0';
877 		}
878 		(void) ace_access_txt(endp, &endp, aclp->a_type);
879 
880 		if ((flags & ACL_APPEND_ID) &&
881 		    (((aclp->a_flags & ACE_TYPE_FLAGS) == 0) ||
882 		    ((aclp->a_flags & ACE_TYPE_FLAGS) ==
883 		    ACE_IDENTIFIER_GROUP))) {
884 			*endp++ = ':';
885 			*endp = '\0';
886 			id[ID_STR_MAX -1] = '\0'; /* null terminate buffer */
887 			idstr = lltostr(aclp->a_who, &id[ID_STR_MAX - 1]);
888 			strcpy(endp, idstr);
889 			endp += strlen(idstr);
890 		}
891 		if (i < aclcnt - 1) {
892 			*endp++ = ',';
893 			*(endp + 1) = '\0';
894 		}
895 	}
896 	return (aclexport);
897 }
898 
899 char *
900 acl_totext(acl_t *aclp, int flags)
901 {
902 
903 	char *txtp;
904 
905 	if (aclp == NULL)
906 		return (NULL);
907 
908 	switch (aclp->acl_type) {
909 	case ACE_T:
910 		txtp = ace_acltotext(aclp, flags);
911 		break;
912 	case ACLENT_T:
913 		txtp = aclent_acltotext(aclp->acl_aclp, aclp->acl_cnt, flags);
914 		break;
915 	}
916 
917 	return (txtp);
918 }
919 
920 int
921 acl_fromtext(const char *acltextp, acl_t **ret_aclp)
922 {
923 	int error;
924 	char *buf;
925 
926 	buf = malloc(strlen(acltextp) + 2);
927 	if (buf == NULL)
928 		return (EACL_MEM_ERROR);
929 	strcpy(buf, acltextp);
930 	strcat(buf, "\n");
931 	yybuf = buf;
932 	yyreset();
933 	error = yyparse();
934 	free(buf);
935 
936 	if (yyacl) {
937 		if (error == 0)
938 			*ret_aclp = yyacl;
939 		else {
940 			acl_free(yyacl);
941 		}
942 		yyacl = NULL;
943 	}
944 	return (error);
945 }
946 
947 int
948 acl_parse(const char *acltextp, acl_t **aclp)
949 {
950 	int error;
951 
952 	yyinteractive = 1;
953 	error = acl_fromtext(acltextp, aclp);
954 	yyinteractive = 0;
955 	return (error);
956 }
957 
958 static void
959 ace_compact_printacl(acl_t *aclp)
960 {
961 	int cnt;
962 	ace_t *acep;
963 	char *endp;
964 	char buf[ACE_ENTRY_SIZE];
965 
966 	for (cnt = 0, acep = aclp->acl_aclp;
967 	    cnt != aclp->acl_cnt; cnt++, acep++) {
968 		buf[0] = '\0';
969 		(void) printf("    %14s:", ace_type_txt(buf, &endp, acep, 0));
970 		(void) printf("%s:", ace_perm_txt(endp, &endp,
971 		    acep->a_access_mask, acep->a_flags,
972 		    aclp->acl_flags & ACL_IS_DIR, ACL_COMPACT_FMT));
973 		(void) printf("%s:",
974 		    ace_inherit_txt(endp, &endp, acep->a_flags,
975 			ACL_COMPACT_FMT));
976 		(void) printf("%s\n", ace_access_txt(endp, &endp,
977 		    acep->a_type));
978 	}
979 }
980 
981 static void
982 ace_printacl(acl_t *aclp, int cols, int compact)
983 {
984 	int  slot = 0;
985 	char *token;
986 	char *acltext;
987 
988 	if (compact) {
989 		ace_compact_printacl(aclp);
990 		return;
991 	}
992 
993 	acltext = acl_totext(aclp, 0);
994 
995 	if (acltext == NULL)
996 		return;
997 
998 	token = strtok(acltext, ",");
999 	if (token == NULL) {
1000 		free(acltext);
1001 		return;
1002 	}
1003 
1004 	do {
1005 		(void) printf("     %d:", slot++);
1006 		split_line(token, cols - 5);
1007 	} while (token = strtok(NULL, ","));
1008 	free(acltext);
1009 }
1010 
1011 /*
1012  * pretty print an ACL.
1013  * For aclent_t ACL's the format is
1014  * similar to the old format used by getfacl,
1015  * with the addition of adding a "slot" number
1016  * before each entry.
1017  *
1018  * for ace_t ACL's the cols variable will break up
1019  * the long lines into multiple lines and will also
1020  * print a "slot" number.
1021  */
1022 void
1023 acl_printacl(acl_t *aclp, int cols, int compact)
1024 {
1025 
1026 	switch (aclp->acl_type) {
1027 	case ACLENT_T:
1028 		aclent_printacl(aclp);
1029 		break;
1030 	case ACE_T:
1031 		ace_printacl(aclp, cols, compact);
1032 		break;
1033 	}
1034 }
1035 
1036 typedef struct value_table {
1037 	char		p_letter; /* perm letter such as 'r' */
1038 	uint32_t	p_value; /* value for perm when pletter found */
1039 } value_table_t;
1040 
1041 #define	ACE_PERM_COUNT 14
1042 
1043 /*
1044  * The permission tables are layed out in positional order
1045  * a '-' character will indicate a permission at a given
1046  * position is not specified.  The '-' is not part of the
1047  * table, but will be checked for in the permission computation
1048  * routine.
1049  */
1050 value_table_t ace_perm_table[ACE_PERM_COUNT] = {
1051 	{ 'r', ACE_READ_DATA},
1052 	{ 'w', ACE_WRITE_DATA},
1053 	{ 'x', ACE_EXECUTE},
1054 	{ 'p', ACE_APPEND_DATA},
1055 	{ 'd', ACE_DELETE},
1056 	{ 'D', ACE_DELETE_CHILD},
1057 	{ 'a', ACE_READ_ATTRIBUTES},
1058 	{ 'A', ACE_WRITE_ATTRIBUTES},
1059 	{ 'R', ACE_READ_NAMED_ATTRS},
1060 	{ 'W', ACE_WRITE_NAMED_ATTRS},
1061 	{ 'c', ACE_READ_ACL},
1062 	{ 'C', ACE_WRITE_ACL},
1063 	{ 'o', ACE_WRITE_OWNER},
1064 	{ 's', ACE_SYNCHRONIZE}
1065 };
1066 
1067 #define	ACLENT_PERM_COUNT 3
1068 
1069 value_table_t aclent_perm_table[ACLENT_PERM_COUNT] = {
1070 	{ 'r', S_IROTH},
1071 	{ 'w', S_IWOTH},
1072 	{ 'x', S_IXOTH}
1073 };
1074 
1075 #define	IFLAG_COUNT	6
1076 value_table_t inherit_table[IFLAG_COUNT] = {
1077 	{'f', ACE_FILE_INHERIT_ACE},
1078 	{'d', ACE_DIRECTORY_INHERIT_ACE},
1079 	{'i', ACE_INHERIT_ONLY_ACE},
1080 	{'n', ACE_NO_PROPAGATE_INHERIT_ACE},
1081 	{'S', ACE_SUCCESSFUL_ACCESS_ACE_FLAG},
1082 	{'F', ACE_FAILED_ACCESS_ACE_FLAG}
1083 };
1084 
1085 /*
1086  * compute value from a permission table or inheritance table
1087  * based on string passed in.  If positional is set then
1088  * string must match order in permtab, otherwise any order
1089  * is allowed.
1090  */
1091 int
1092 compute_values(value_table_t *permtab, int count,
1093     char *permstr, int positional, uint32_t *mask)
1094 {
1095 	uint32_t perm_val = 0;
1096 	char *pstr;
1097 	int i, found;
1098 
1099 	if (count < 0)
1100 		return (1);
1101 
1102 	if (positional) {
1103 		for (i = 0, pstr = permstr; i != count && pstr &&
1104 		    *pstr; i++, pstr++) {
1105 			if (*pstr == permtab[i].p_letter) {
1106 				perm_val |= permtab[i].p_value;
1107 			} else if (*pstr != '-') {
1108 				return (1);
1109 			}
1110 		}
1111 	} else {  /* random order single letters with no '-' */
1112 		for (pstr = permstr; pstr && *pstr; pstr++) {
1113 			for (found = 0, i = 0; i != count; i++) {
1114 				if (*pstr == permtab[i].p_letter) {
1115 					perm_val |= permtab[i].p_value;
1116 					found = 1;
1117 					break;
1118 				}
1119 			}
1120 			if (found == 0)
1121 				return (1);
1122 		}
1123 	}
1124 
1125 	*mask = perm_val;
1126 	return (0);
1127 }
1128 
1129 /*
1130  * compute value for inheritance flags.
1131  */
1132 int
1133 compute_ace_inherit(char *str, uint32_t *imask)
1134 {
1135 	int error;
1136 	int positional = 0;
1137 
1138 	if (strlen(str) == IFLAG_COUNT)
1139 		positional = 1;
1140 
1141 	error = compute_values(inherit_table, IFLAG_COUNT,
1142 	    str, positional, imask);
1143 
1144 	if (error)
1145 		return (EACL_INHERIT_ERROR);
1146 
1147 	return (error);
1148 }
1149 
1150 
1151 /*
1152  * compute value for ACE permissions.
1153  */
1154 int
1155 compute_ace_perms(char *str, uint32_t *mask)
1156 {
1157 	int positional = 0;
1158 	int error;
1159 
1160 	if (strlen(str) == ACE_PERM_COUNT)
1161 		positional = 1;
1162 
1163 	error = compute_values(ace_perm_table, ACE_PERM_COUNT,
1164 	    str, positional, mask);
1165 
1166 	if (error && positional) {
1167 		/*
1168 		 * If positional was set, then make sure permissions
1169 		 * aren't actually valid in non positional case where
1170 		 * all permissions are specified, just in random order.
1171 		 */
1172 		error = compute_values(ace_perm_table,
1173 		    ACE_PERM_COUNT, str, 0, mask);
1174 	}
1175 	if (error)
1176 		error = EACL_PERM_MASK_ERROR;
1177 
1178 	return (error);
1179 }
1180 
1181 
1182 
1183 /*
1184  * compute values for aclent permissions.
1185  */
1186 int
1187 compute_aclent_perms(char *str, o_mode_t *mask)
1188 {
1189 	int error;
1190 	uint32_t pmask;
1191 
1192 	if (strlen(str) != ACLENT_PERM_COUNT)
1193 		return (EACL_PERM_MASK_ERROR);
1194 
1195 	*mask = 0;
1196 	error = compute_values(aclent_perm_table, ACLENT_PERM_COUNT,
1197 	    str, 1, &pmask);
1198 	if (error == 0) {
1199 		*mask = (o_mode_t)pmask;
1200 	} else
1201 		error = EACL_PERM_MASK_ERROR;
1202 	return (error);
1203 }
1204 
1205 /*
1206  * determine ACE permissions.
1207  */
1208 int
1209 ace_perm_mask(struct acl_perm_type *aclperm, uint32_t *mask)
1210 {
1211 	int error;
1212 
1213 	if (aclperm->perm_style == PERM_TYPE_EMPTY) {
1214 		*mask = 0;
1215 		return (0);
1216 	}
1217 
1218 	if (aclperm->perm_style == PERM_TYPE_ACE) {
1219 		*mask = aclperm->perm_val;
1220 		return (0);
1221 	}
1222 
1223 	error = compute_ace_perms(aclperm->perm_str, mask);
1224 	if (error) {
1225 		acl_error(dgettext(TEXT_DOMAIN,
1226 		    "Invalid permission(s) '%s' specified\n"),
1227 		    aclperm->perm_str);
1228 		return (EACL_PERM_MASK_ERROR);
1229 	}
1230 
1231 	return (0);
1232 }
1233