1962 lines
56 KiB
C++
1962 lines
56 KiB
C++
/* sec/acl.cc: Solaris compatible ACL functions.
|
|
|
|
Written by Corinna Vinschen <corinna@vinschen.de>
|
|
|
|
This file is part of Cygwin.
|
|
|
|
This software is a copyrighted work licensed under the terms of the
|
|
Cygwin license. Please consult the file "CYGWIN_LICENSE" for
|
|
details. */
|
|
|
|
#include "winsup.h"
|
|
#include <stdlib.h>
|
|
#include <ctype.h>
|
|
#include "cygerrno.h"
|
|
#include "security.h"
|
|
#include "path.h"
|
|
#include "fhandler.h"
|
|
#include "dtable.h"
|
|
#include "cygheap.h"
|
|
#include "ntdll.h"
|
|
#include "tls_pbuf.h"
|
|
#include "sec_posixacl.h"
|
|
|
|
/* How does a correctly constructed new-style Windows ACL claiming to be a
|
|
POSIX ACL look like?
|
|
|
|
- NULL deny ACE (special bits, CLASS_OBJ).
|
|
|
|
- USER_OBJ deny. If the user has less permissions than the sum of CLASS_OBJ
|
|
(or GROUP_OBJ if CLASS_OBJ doesn't exist) and OTHER_OBJ, deny the excess
|
|
permissions so that group and other perms don't spill into the owner perms.
|
|
|
|
USER_OBJ deny ACE == ~USER_OBJ & (CLASS_OBJ | OTHER_OBJ)
|
|
or
|
|
USER_OBJ deny ACE == ~USER_OBJ & (GROUP_OBJ | OTHER_OBJ)
|
|
|
|
- USER deny. If a user has more permissions than CLASS_OBJ, or if the
|
|
user has less permissions than OTHER_OBJ, deny the excess permissions.
|
|
|
|
USER deny ACE == (USER & ~CLASS_OBJ) | (~USER & OTHER_OBJ)
|
|
|
|
- USER_OBJ allow ACE
|
|
- USER allow ACEs
|
|
|
|
The POSIX permissions returned for a USER entry are the allow bits alone!
|
|
|
|
- GROUP{_OBJ} deny. If a group has more permissions than CLASS_OBJ,
|
|
or less permissions than OTHER_OBJ, deny the excess permissions.
|
|
|
|
GROUP{_OBJ} deny ACEs == (GROUP & ~CLASS_OBJ)
|
|
|
|
- GROUP_OBJ allow ACE
|
|
- GROUP allow ACEs
|
|
|
|
The POSIX permissions returned for a GROUP entry are the allow bits alone!
|
|
|
|
- 2. GROUP{_OBJ} deny. If a group has less permissions than OTHER_OBJ,
|
|
deny the excess permissions.
|
|
|
|
2. GROUP{_OBJ} deny ACEs == (~GROUP & OTHER_OBJ)
|
|
|
|
- OTHER_OBJ allow ACE
|
|
|
|
Rinse and repeat for default ACEs with INHERIT flags set.
|
|
|
|
- Default NULL deny ACE (S_ISGID, CLASS_OBJ). */
|
|
|
|
/* POSIX <-> Win32 */
|
|
|
|
/* Historically, these bits are stored in a NULL allow SID ACE. To distinguish
|
|
the new ACL style from the old one, we're using an access denied ACE, plus
|
|
setting an as yet unused bit in the access mask. The new ACEs can exist
|
|
twice in an ACL, the "normal one" containing CLASS_OBJ and special bits
|
|
and the one with INHERIT bit set to pass the DEF_CLASS_OBJ bits and the
|
|
S_ISGID bit on. */
|
|
#define CYG_ACE_ISVTX 0x001 /* 0x200 <-> 0x001 */
|
|
#define CYG_ACE_ISGID 0x002 /* 0x400 <-> 0x002 */
|
|
#define CYG_ACE_ISUID 0x004 /* 0x800 <-> 0x004 */
|
|
#define CYG_ACE_ISBITS_TO_POSIX(val) \
|
|
(((val) & 0x007) << 9)
|
|
#define CYG_ACE_ISBITS_TO_WIN(val) \
|
|
(((val) & (S_ISVTX | S_ISUID | S_ISGID)) >> 9)
|
|
|
|
#define CYG_ACE_MASK_X 0x008 /* 0x001 <-> 0x008 */
|
|
#define CYG_ACE_MASK_W 0x010 /* 0x002 <-> 0x010 */
|
|
#define CYG_ACE_MASK_R 0x020 /* 0x004 <-> 0x020 */
|
|
#define CYG_ACE_MASK_RWX 0x038
|
|
#define CYG_ACE_MASK_VALID 0x040 /* has mask if set */
|
|
#define CYG_ACE_MASK_TO_POSIX(val) \
|
|
(((val) & CYG_ACE_MASK_RWX) >> 3)
|
|
#define CYG_ACE_MASK_TO_WIN(val) \
|
|
((((val) & S_IRWXO) << 3) \
|
|
| CYG_ACE_MASK_VALID)
|
|
#define CYG_ACE_NEW_STYLE READ_CONTROL /* New style if set. */
|
|
|
|
/* Define own bit masks rather than using the GENERIC masks. The latter
|
|
also contain standard rights, which we don't need here. */
|
|
#define FILE_ALLOW_READ (FILE_READ_DATA | FILE_READ_ATTRIBUTES | \
|
|
FILE_READ_EA)
|
|
#define FILE_DENY_READ (FILE_READ_DATA | FILE_READ_EA)
|
|
#define FILE_ALLOW_WRITE (FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | \
|
|
FILE_WRITE_EA | FILE_APPEND_DATA)
|
|
#define FILE_DENY_WRITE FILE_ALLOW_WRITE | FILE_DELETE_CHILD
|
|
#define FILE_DENY_WRITE_OWNER (FILE_WRITE_DATA | FILE_WRITE_EA | \
|
|
FILE_APPEND_DATA | FILE_DELETE_CHILD)
|
|
#define FILE_ALLOW_EXEC (FILE_EXECUTE)
|
|
#define FILE_DENY_EXEC FILE_ALLOW_EXEC
|
|
|
|
#define STD_RIGHTS_OTHER (STANDARD_RIGHTS_READ | SYNCHRONIZE)
|
|
#define STD_RIGHTS_OWNER (STANDARD_RIGHTS_ALL | SYNCHRONIZE)
|
|
|
|
int
|
|
searchace (aclent_t *aclp, int nentries, int type, uid_t id)
|
|
{
|
|
int i;
|
|
|
|
for (i = 0; i < nentries; ++i)
|
|
if ((aclp[i].a_type == type
|
|
&& (id == ACL_UNDEFINED_ID || aclp[i].a_id == id))
|
|
|| !aclp[i].a_type)
|
|
return i;
|
|
return -1;
|
|
}
|
|
|
|
/* From the attributes and the POSIX ACL list, compute a new-style Cygwin
|
|
security descriptor. The function returns a pointer to the
|
|
SECURITY_DESCRIPTOR in sd_ret, or NULL if the function fails.
|
|
|
|
This function *requires* a verified and sorted acl list! */
|
|
PSECURITY_DESCRIPTOR
|
|
set_posix_access (mode_t attr, uid_t uid, gid_t gid,
|
|
aclent_t *aclbufp, int nentries,
|
|
security_descriptor &sd_ret,
|
|
bool is_samba)
|
|
{
|
|
SECURITY_DESCRIPTOR sd;
|
|
cyg_ldap cldap;
|
|
PSID owner = NULL, group = NULL;
|
|
cygsid smb_owner, smb_group;
|
|
NTSTATUS status;
|
|
tmp_pathbuf tp;
|
|
cygpsid *aclsid;
|
|
PACL acl;
|
|
size_t acl_len = sizeof (ACL);
|
|
mode_t user_obj, group_obj, other_obj, deny;
|
|
mode_t class_obj = 0;
|
|
DWORD access;
|
|
int idx, start_idx, tmp_idx;
|
|
bool owner_eq_group = false;
|
|
bool dev_has_admins = false;
|
|
bool has_class_obj;
|
|
|
|
/* Initialize local security descriptor. */
|
|
RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
|
|
|
|
/* As in alloc_sd, set SE_DACL_PROTECTED to prevent the DACL from being
|
|
modified by inheritable ACEs. */
|
|
RtlSetControlSecurityDescriptor (&sd, SE_DACL_PROTECTED, SE_DACL_PROTECTED);
|
|
|
|
/* Fetch owner and group and set in security descriptor.
|
|
|
|
For Samba we check if there's an RFC2307 mapping in place, otherwise
|
|
we're trying to create an ACL with the wrong Windows SIDs rather than
|
|
the correct Unix SIDs. Same happens below for mapping other USER and
|
|
GROUP SIDs. */
|
|
if (is_samba)
|
|
{
|
|
uint32_t smb_uid, smb_gid;
|
|
|
|
smb_uid = cygheap->ugid_cache.reverse_get_uid (uid);
|
|
if (smb_uid != ILLEGAL_UID)
|
|
owner = smb_owner.create (22, 2, 1, smb_uid);
|
|
smb_gid = cygheap->ugid_cache.reverse_get_gid (gid);
|
|
if (smb_gid != ILLEGAL_GID)
|
|
group = smb_group.create (22, 2, 2, smb_gid);
|
|
}
|
|
if (!owner)
|
|
owner = sidfromuid (uid, &cldap);
|
|
if (!group)
|
|
group = sidfromgid (gid, &cldap);
|
|
if (!owner || !group)
|
|
{
|
|
set_errno (EINVAL);
|
|
return NULL;
|
|
}
|
|
status = RtlSetOwnerSecurityDescriptor (&sd, owner, FALSE);
|
|
if (!NT_SUCCESS (status))
|
|
{
|
|
__seterrno_from_nt_status (status);
|
|
return NULL;
|
|
}
|
|
status = RtlSetGroupSecurityDescriptor (&sd, group, FALSE);
|
|
if (!NT_SUCCESS (status))
|
|
{
|
|
__seterrno_from_nt_status (status);
|
|
return NULL;
|
|
}
|
|
owner_eq_group = RtlEqualSid (owner, group);
|
|
if (S_ISCHR (attr))
|
|
dev_has_admins = well_known_admins_sid == owner
|
|
|| well_known_admins_sid == group;
|
|
|
|
/* No POSIX ACL? Use attr to generate one from scratch. */
|
|
if (!aclbufp)
|
|
{
|
|
aclbufp = (aclent_t *) tp.c_get ();
|
|
aclbufp[0].a_type = USER_OBJ;
|
|
aclbufp[0].a_id = ACL_UNDEFINED_ID;
|
|
aclbufp[0].a_perm = (attr >> 6) & S_IRWXO;
|
|
aclbufp[1].a_type = GROUP_OBJ;
|
|
aclbufp[1].a_id = ACL_UNDEFINED_ID;
|
|
aclbufp[1].a_perm = (attr >> 3) & S_IRWXO;
|
|
aclbufp[2].a_type = OTHER_OBJ;
|
|
aclbufp[2].a_id = ACL_UNDEFINED_ID;
|
|
aclbufp[2].a_perm = attr & S_IRWXO;
|
|
nentries = MIN_ACL_ENTRIES;
|
|
if (S_ISDIR (attr))
|
|
{
|
|
aclbufp[3].a_type = DEF_USER_OBJ;
|
|
aclbufp[3].a_id = ACL_UNDEFINED_ID;
|
|
aclbufp[3].a_perm = (attr >> 6) & S_IRWXO;
|
|
aclbufp[4].a_type = GROUP_OBJ;
|
|
aclbufp[4].a_id = ACL_UNDEFINED_ID;
|
|
aclbufp[4].a_perm = (attr >> 3) & S_IRWXO;
|
|
aclbufp[5].a_type = OTHER_OBJ;
|
|
aclbufp[5].a_id = ACL_UNDEFINED_ID;
|
|
aclbufp[5].a_perm = attr & S_IRWXO;
|
|
nentries += MIN_ACL_ENTRIES;
|
|
}
|
|
}
|
|
|
|
/* Collect SIDs of all entries in aclbufp. */
|
|
aclsid = (cygpsid *) tp.w_get ();
|
|
for (idx = 0; idx < nentries; ++idx)
|
|
switch (aclbufp[idx].a_type)
|
|
{
|
|
case USER_OBJ:
|
|
aclsid[idx] = owner;
|
|
break;
|
|
case DEF_USER_OBJ:
|
|
aclsid[idx] = well_known_creator_owner_sid;
|
|
break;
|
|
case USER:
|
|
case DEF_USER:
|
|
aclsid[idx] = NO_SID;
|
|
if (is_samba)
|
|
{
|
|
uint32_t smb_uid;
|
|
cygsid *smb_sid;
|
|
|
|
smb_uid = cygheap->ugid_cache.reverse_get_uid (aclbufp[idx].a_id);
|
|
if (smb_uid != ILLEGAL_UID)
|
|
{
|
|
smb_sid = (cygsid *) alloca (sizeof (cygsid));
|
|
aclsid[idx] = smb_sid->create (22, 2, 1, smb_uid);
|
|
}
|
|
}
|
|
if (!aclsid[idx])
|
|
aclsid[idx] = sidfromuid (aclbufp[idx].a_id, &cldap);
|
|
break;
|
|
case GROUP_OBJ:
|
|
aclsid[idx] = group;
|
|
break;
|
|
case DEF_GROUP_OBJ:
|
|
aclsid[idx] = !(attr & S_ISGID) ? (PSID) well_known_creator_group_sid
|
|
: group;
|
|
break;
|
|
case GROUP:
|
|
case DEF_GROUP:
|
|
aclsid[idx] = NO_SID;
|
|
if (is_samba)
|
|
{
|
|
uint32_t smb_gid;
|
|
cygsid *smb_sid;
|
|
|
|
smb_gid = cygheap->ugid_cache.reverse_get_gid (aclbufp[idx].a_id);
|
|
if (smb_gid != ILLEGAL_GID)
|
|
{
|
|
smb_sid = (cygsid *) alloca (sizeof (cygsid));
|
|
aclsid[idx] = smb_sid->create (22, 2, 2, smb_gid);
|
|
}
|
|
}
|
|
if (!aclsid[idx])
|
|
aclsid[idx] = sidfromgid (aclbufp[idx].a_id, &cldap);
|
|
break;
|
|
case CLASS_OBJ:
|
|
case DEF_CLASS_OBJ:
|
|
aclsid[idx] = well_known_null_sid;
|
|
break;
|
|
case OTHER_OBJ:
|
|
case DEF_OTHER_OBJ:
|
|
aclsid[idx] = well_known_world_sid;
|
|
break;
|
|
}
|
|
|
|
/* Initialize ACL. */
|
|
acl = (PACL) tp.w_get ();
|
|
RtlCreateAcl (acl, ACL_MAXIMUM_SIZE, ACL_REVISION);
|
|
|
|
/* This loop has two runs, the first handling the actual permission,
|
|
the second handling the default permissions. */
|
|
idx = 0;
|
|
for (int def = 0; def <= ACL_DEFAULT; def += ACL_DEFAULT)
|
|
{
|
|
DWORD inherit = def ? SUB_CONTAINERS_AND_OBJECTS_INHERIT | INHERIT_ONLY
|
|
: NO_INHERITANCE;
|
|
|
|
/* No default ACEs on files. */
|
|
if (def && !S_ISDIR (attr))
|
|
{
|
|
/* Trying to set default ACEs on a non-directory is an error.
|
|
The underlying functions on Linux return EACCES. */
|
|
if (idx < nentries && aclbufp[idx].a_type & ACL_DEFAULT)
|
|
{
|
|
set_errno (EACCES);
|
|
return NULL;
|
|
}
|
|
break;
|
|
}
|
|
|
|
/* To check if the NULL SID deny ACE is required we need user_obj. */
|
|
tmp_idx = searchace (aclbufp, nentries, def | USER_OBJ);
|
|
/* No default entries present? */
|
|
if (tmp_idx < 0)
|
|
break;
|
|
user_obj = aclbufp[tmp_idx].a_perm;
|
|
/* To compute deny access masks, we need group_obj, other_obj and... */
|
|
tmp_idx = searchace (aclbufp, nentries, def | GROUP_OBJ);
|
|
group_obj = aclbufp[tmp_idx].a_perm;
|
|
tmp_idx = searchace (aclbufp, nentries, def | OTHER_OBJ);
|
|
other_obj = aclbufp[tmp_idx].a_perm;
|
|
|
|
/* ... class_obj. Create NULL deny ACE. Only the S_ISGID attribute gets
|
|
inherited. For directories check if we are also going to generate
|
|
default entries. If not we have a problem. We can't generate only a
|
|
single, inheritable NULL SID ACE because that leads to (fixable, TODO)
|
|
access problems when trying to create the matching child permissions.
|
|
Therefore we remove the S_ISGID bit on the directory because having it
|
|
set would be misleading. */
|
|
if (!def && S_ISDIR (attr) && (attr & S_ISGID))
|
|
{
|
|
/* Check for a required entry per POSIX. */
|
|
tmp_idx = searchace (aclbufp, nentries, DEF_USER_OBJ);
|
|
if (tmp_idx < 0)
|
|
attr &= ~S_ISGID;
|
|
}
|
|
access = CYG_ACE_ISBITS_TO_WIN (def ? attr & S_ISGID : attr)
|
|
| CYG_ACE_NEW_STYLE;
|
|
tmp_idx = searchace (aclbufp, nentries, def | CLASS_OBJ);
|
|
if (tmp_idx >= 0)
|
|
{
|
|
has_class_obj = true;
|
|
class_obj = aclbufp[tmp_idx].a_perm;
|
|
access |= CYG_ACE_MASK_TO_WIN (class_obj);
|
|
}
|
|
else
|
|
{
|
|
/* Setting class_obj to group_obj allows to write below code without
|
|
additional checks for existence of a CLASS_OBJ. */
|
|
has_class_obj = false;
|
|
class_obj = group_obj;
|
|
}
|
|
/* Note that Windows filters the ACE Mask value so it only reflects
|
|
the bit values supported by the object type. The result is that
|
|
we can't set a CLASS_OBJ value for ptys. The get_posix_access
|
|
function has to workaround that.
|
|
|
|
We also don't write the NULL SID ACE in case we have a simple POSIX
|
|
permission ACL with the user perms >= group perms >= other perms and
|
|
no special bits set. In all other cases we either need the NULL SID
|
|
ACE or we write it to avoid calls to AuthZ from get_posix_access. */
|
|
if (!S_ISCHR (attr)
|
|
&& (has_class_obj
|
|
|| access != CYG_ACE_NEW_STYLE
|
|
|| ((user_obj | group_obj | other_obj) != user_obj
|
|
|| (group_obj | other_obj) != group_obj))
|
|
&& !add_access_denied_ace (acl, access, well_known_null_sid, acl_len,
|
|
inherit))
|
|
return NULL;
|
|
|
|
/* Do we potentially chmod a file with owner SID == group SID? If so,
|
|
make sure the owner perms are always >= group perms. */
|
|
if (!def && owner_eq_group)
|
|
aclbufp[0].a_perm |= group_obj & class_obj;
|
|
|
|
/* This loop has two runs, the first w/ check_types == (USER_OBJ | USER),
|
|
the second w/ check_types == (GROUP_OBJ | GROUP). Each run creates
|
|
first the deny, then the allow ACEs for the current types. */
|
|
for (int check_types = USER_OBJ | USER;
|
|
check_types < CLASS_OBJ;
|
|
check_types <<= 2)
|
|
{
|
|
/* Create deny ACEs for users, then 1st run for groups. For groups,
|
|
only take CLASS_OBJ permissions into account. Class permissions
|
|
are handled in the 2nd deny loop below. */
|
|
for (start_idx = idx;
|
|
idx < nentries && aclbufp[idx].a_type & check_types;
|
|
++idx)
|
|
{
|
|
/* Avoid creating DENY ACEs for the second occurrence of
|
|
accounts which show up twice, as USER_OBJ and USER, or
|
|
GROUP_OBJ and GROUP. */
|
|
if ((aclbufp[idx].a_type & USER && aclsid[idx] == owner)
|
|
|| (aclbufp[idx].a_type & GROUP && aclsid[idx] == group))
|
|
continue;
|
|
/* For the rules how to construct the deny access mask, see the
|
|
comment right at the start of this file. */
|
|
if (aclbufp[idx].a_type & USER_OBJ)
|
|
deny = ~aclbufp[idx].a_perm & (class_obj | other_obj);
|
|
else if (aclbufp[idx].a_type & USER)
|
|
deny = (aclbufp[idx].a_perm & ~class_obj)
|
|
| (~aclbufp[idx].a_perm & other_obj);
|
|
/* Accommodate Windows: Only generate deny masks for SYSTEM
|
|
and the Administrators group in terms of the execute bit,
|
|
if they are not the primary group. */
|
|
else if (aclbufp[idx].a_type & GROUP
|
|
&& (aclsid[idx] == well_known_system_sid
|
|
|| aclsid[idx] == well_known_admins_sid))
|
|
deny = aclbufp[idx].a_perm & ~(class_obj | S_IROTH | S_IWOTH);
|
|
else
|
|
deny = (aclbufp[idx].a_perm & ~class_obj);
|
|
if (!deny)
|
|
continue;
|
|
access = 0;
|
|
if (deny & S_IROTH)
|
|
access |= FILE_DENY_READ;
|
|
if (deny & S_IWOTH)
|
|
access |= (aclbufp[idx].a_type & USER_OBJ)
|
|
? FILE_DENY_WRITE_OWNER : FILE_DENY_WRITE;
|
|
if (deny & S_IXOTH)
|
|
access |= FILE_DENY_EXEC;
|
|
if (!add_access_denied_ace (acl, access, aclsid[idx], acl_len,
|
|
inherit))
|
|
return NULL;
|
|
}
|
|
/* Create allow ACEs for users, then groups. */
|
|
for (idx = start_idx;
|
|
idx < nentries && aclbufp[idx].a_type & check_types;
|
|
++idx)
|
|
{
|
|
/* Don't set FILE_READ/WRITE_ATTRIBUTES unconditionally on Samba,
|
|
otherwise it enforces read permissions. */
|
|
access = STD_RIGHTS_OTHER | (is_samba ? 0 : FILE_READ_ATTRIBUTES);
|
|
if (aclbufp[idx].a_type & USER_OBJ)
|
|
{
|
|
access |= STD_RIGHTS_OWNER;
|
|
if (!is_samba)
|
|
access |= FILE_WRITE_ATTRIBUTES;
|
|
/* Set FILE_DELETE_CHILD on files with "rwx" perms for the
|
|
owner so that the owner gets "full control" (Duh). */
|
|
if (aclbufp[idx].a_perm == S_IRWXO)
|
|
access |= FILE_DELETE_CHILD;
|
|
}
|
|
if (aclbufp[idx].a_perm & S_IROTH)
|
|
access |= FILE_ALLOW_READ;
|
|
if (aclbufp[idx].a_perm & S_IWOTH)
|
|
access |= FILE_ALLOW_WRITE;
|
|
if (aclbufp[idx].a_perm & S_IXOTH)
|
|
access |= FILE_ALLOW_EXEC;
|
|
/* Handle S_ISVTX. */
|
|
if (S_ISDIR (attr)
|
|
&& (aclbufp[idx].a_perm & (S_IWOTH | S_IXOTH))
|
|
== (S_IWOTH | S_IXOTH)
|
|
&& (!(attr & S_ISVTX) || aclbufp[idx].a_type & USER_OBJ))
|
|
access |= FILE_DELETE_CHILD;
|
|
/* For ptys, make sure the Administrators group has WRITE_DAC
|
|
and WRITE_OWNER perms. */
|
|
if (dev_has_admins && aclsid[idx] == well_known_admins_sid)
|
|
access |= STD_RIGHTS_OWNER;
|
|
if (!add_access_allowed_ace (acl, access, aclsid[idx], acl_len,
|
|
inherit))
|
|
return NULL;
|
|
}
|
|
/* 2nd deny loop: Create deny ACEs for groups when they have less
|
|
permissions than OTHER_OBJ. */
|
|
if (check_types == (GROUP_OBJ | GROUP))
|
|
for (idx = start_idx;
|
|
idx < nentries && aclbufp[idx].a_type & check_types;
|
|
++idx)
|
|
{
|
|
if (aclbufp[idx].a_type & GROUP && aclsid[idx] == group)
|
|
continue;
|
|
/* Only generate deny masks for SYSTEM and the Administrators
|
|
group if they are the primary group. */
|
|
if (aclbufp[idx].a_type & GROUP
|
|
&& (aclsid[idx] == well_known_system_sid
|
|
|| aclsid[idx] == well_known_admins_sid))
|
|
deny = 0;
|
|
else
|
|
deny = (~aclbufp[idx].a_perm & other_obj);
|
|
if (!deny)
|
|
continue;
|
|
access = 0;
|
|
if (deny & S_IROTH)
|
|
access |= FILE_DENY_READ;
|
|
if (deny & S_IWOTH)
|
|
access |= FILE_DENY_WRITE;
|
|
if (deny & S_IXOTH)
|
|
access |= FILE_DENY_EXEC;
|
|
if (!add_access_denied_ace (acl, access, aclsid[idx], acl_len,
|
|
inherit))
|
|
return NULL;
|
|
}
|
|
}
|
|
/* For ptys if the admins group isn't in the ACL, add an ACE to make
|
|
sure the admins group has WRITE_DAC and WRITE_OWNER perms. */
|
|
if (S_ISCHR (attr) && !dev_has_admins
|
|
&& !add_access_allowed_ace (acl,
|
|
STD_RIGHTS_OWNER | FILE_ALLOW_READ
|
|
| FILE_ALLOW_WRITE,
|
|
well_known_admins_sid, acl_len,
|
|
NO_INHERITANCE))
|
|
return NULL;
|
|
/* Create allow ACE for other. It's preceeded by class_obj if it exists.
|
|
If so, skip it. */
|
|
if (aclbufp[idx].a_type & CLASS_OBJ)
|
|
++idx;
|
|
access = STD_RIGHTS_OTHER | (is_samba ? 0 : FILE_READ_ATTRIBUTES);
|
|
if (aclbufp[idx].a_perm & S_IROTH)
|
|
access |= FILE_ALLOW_READ;
|
|
if (aclbufp[idx].a_perm & S_IWOTH)
|
|
access |= FILE_ALLOW_WRITE;
|
|
if (aclbufp[idx].a_perm & S_IXOTH)
|
|
access |= FILE_ALLOW_EXEC;
|
|
/* Handle S_ISVTX. */
|
|
if (S_ISDIR (attr)
|
|
&& (aclbufp[idx].a_perm & (S_IWOTH | S_IXOTH)) == (S_IWOTH | S_IXOTH)
|
|
&& !(attr & S_ISVTX))
|
|
access |= FILE_DELETE_CHILD;
|
|
if (!add_access_allowed_ace (acl, access, aclsid[idx++], acl_len,
|
|
inherit))
|
|
return NULL;
|
|
}
|
|
|
|
/* Set AclSize to computed value. */
|
|
acl->AclSize = acl_len;
|
|
debug_printf ("ACL-Size: %u", acl_len);
|
|
/* Create DACL for local security descriptor. */
|
|
status = RtlSetDaclSecurityDescriptor (&sd, TRUE, acl, FALSE);
|
|
if (!NT_SUCCESS (status))
|
|
{
|
|
__seterrno_from_nt_status (status);
|
|
return NULL;
|
|
}
|
|
/* Make self relative security descriptor in sd_ret. */
|
|
DWORD sd_size = 0;
|
|
RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size);
|
|
if (sd_size <= 0)
|
|
{
|
|
__seterrno ();
|
|
return NULL;
|
|
}
|
|
if (!sd_ret.realloc (sd_size))
|
|
{
|
|
set_errno (ENOMEM);
|
|
return NULL;
|
|
}
|
|
status = RtlAbsoluteToSelfRelativeSD (&sd, sd_ret, &sd_size);
|
|
if (!NT_SUCCESS (status))
|
|
{
|
|
__seterrno_from_nt_status (status);
|
|
return NULL;
|
|
}
|
|
debug_printf ("Created SD-Size: %u", sd_ret.size ());
|
|
return sd_ret;
|
|
}
|
|
|
|
/* This function *requires* a verified and sorted acl list! */
|
|
int
|
|
setacl (HANDLE handle, path_conv &pc, int nentries, aclent_t *aclbufp,
|
|
bool &writable)
|
|
{
|
|
security_descriptor sd, sd_ret;
|
|
mode_t attr = pc.isdir () ? S_IFDIR : 0;
|
|
uid_t uid;
|
|
gid_t gid;
|
|
|
|
if (get_file_sd (handle, pc, sd, false))
|
|
return -1;
|
|
if (get_posix_access (sd, attr, &uid, &gid, NULL, 0) < 0)
|
|
return -1;
|
|
if (!set_posix_access (attr, uid, gid, aclbufp, nentries,
|
|
sd_ret, pc.fs_is_samba ()))
|
|
return -1;
|
|
/* FIXME? Caller needs to know if any write perms are set to allow removing
|
|
the DOS R/O bit. */
|
|
writable = true;
|
|
return set_file_sd (handle, pc, sd_ret, false);
|
|
}
|
|
|
|
/* Temporary access denied bits used by getace and get_posix_access during
|
|
Windows ACL processing. These bits get removed before the created POSIX
|
|
ACL gets published. */
|
|
#define DENY_R 040000
|
|
#define DENY_W 020000
|
|
#define DENY_X 010000
|
|
#define DENY_RWX (DENY_R | DENY_W | DENY_X)
|
|
|
|
/* New style ACL means, just read the bits and store them away. Don't
|
|
create masked values on your own. */
|
|
static void
|
|
getace (aclent_t &acl, int type, int id, DWORD win_ace_mask,
|
|
DWORD win_ace_type, bool new_style)
|
|
{
|
|
acl.a_type = type;
|
|
acl.a_id = id;
|
|
|
|
if ((win_ace_mask & FILE_READ_BITS)
|
|
&& (new_style || !(acl.a_perm & (S_IROTH | DENY_R))))
|
|
{
|
|
if (win_ace_type == ACCESS_ALLOWED_ACE_TYPE)
|
|
acl.a_perm |= S_IROTH;
|
|
else if (win_ace_type == ACCESS_DENIED_ACE_TYPE)
|
|
acl.a_perm |= DENY_R;
|
|
}
|
|
|
|
if ((win_ace_mask & FILE_WRITE_BITS)
|
|
&& (new_style || !(acl.a_perm & (S_IWOTH | DENY_W))))
|
|
{
|
|
if (win_ace_type == ACCESS_ALLOWED_ACE_TYPE)
|
|
acl.a_perm |= S_IWOTH;
|
|
else if (win_ace_type == ACCESS_DENIED_ACE_TYPE)
|
|
acl.a_perm |= DENY_W;
|
|
}
|
|
|
|
if ((win_ace_mask & FILE_EXEC_BITS)
|
|
&& (new_style || !(acl.a_perm & (S_IXOTH | DENY_X))))
|
|
{
|
|
if (win_ace_type == ACCESS_ALLOWED_ACE_TYPE)
|
|
acl.a_perm |= S_IXOTH;
|
|
else if (win_ace_type == ACCESS_DENIED_ACE_TYPE)
|
|
acl.a_perm |= DENY_X;
|
|
}
|
|
}
|
|
|
|
/* From the SECURITY_DESCRIPTOR given in psd, compute user, owner, posix
|
|
attributes, as well as the POSIX acl. The function returns the number
|
|
of entries returned in aclbufp, or -1 in case of error.
|
|
|
|
When called from chmod, it also returns the fact if the ACL is a "standard"
|
|
ACL. A "standard" ACL is an ACL which only consists of ACEs for owner,
|
|
group, other, as well as (this is Windows) the Administrators group and
|
|
SYSTEM. See fhandler_disk_file::fchmod for how this is used to fake
|
|
stock POSIX perms even if Administrators and SYSTEM is in the ACE. */
|
|
int
|
|
get_posix_access (PSECURITY_DESCRIPTOR psd,
|
|
mode_t &attr_ret, uid_t *uid_ret, gid_t *gid_ret,
|
|
aclent_t *aclbufp, int nentries, bool *std_acl)
|
|
{
|
|
tmp_pathbuf tp;
|
|
NTSTATUS status;
|
|
BOOLEAN dummy, acl_exists;
|
|
SECURITY_DESCRIPTOR_CONTROL ctrl;
|
|
ULONG rev;
|
|
PACL acl;
|
|
PACCESS_ALLOWED_ACE ace;
|
|
cygpsid owner_sid, group_sid;
|
|
cyg_ldap cldap;
|
|
uid_t uid;
|
|
gid_t gid;
|
|
mode_t attr = 0;
|
|
aclent_t *lacl = NULL;
|
|
cygpsid ace_sid, *aclsid;
|
|
int pos, type, id, idx;
|
|
|
|
bool owner_eq_group;
|
|
bool just_created = false;
|
|
bool standard_ACEs_only = true;
|
|
bool new_style = false;
|
|
bool saw_user_obj = false;
|
|
bool saw_group_obj = false;
|
|
bool saw_other_obj = false;
|
|
bool saw_def_user_obj = false;
|
|
bool saw_def_group_obj = false;
|
|
bool has_class_perm = false;
|
|
bool has_def_class_perm = false;
|
|
|
|
mode_t class_perm = 0;
|
|
mode_t def_class_perm = 0;
|
|
int types_def = 0;
|
|
int def_pgrp_pos = -1;
|
|
|
|
if (aclbufp && nentries < MIN_ACL_ENTRIES)
|
|
{
|
|
set_errno (EINVAL);
|
|
return -1;
|
|
}
|
|
/* If reading the security descriptor failed, treat the object as
|
|
unreadable. */
|
|
if (!psd)
|
|
{
|
|
attr_ret &= S_IFMT;
|
|
if (uid_ret)
|
|
*uid_ret = ACL_UNDEFINED_ID;
|
|
if (gid_ret)
|
|
*gid_ret = ACL_UNDEFINED_ID;
|
|
if (aclbufp)
|
|
{
|
|
aclbufp[0].a_type = USER_OBJ;
|
|
aclbufp[0].a_id = ACL_UNDEFINED_ID;
|
|
aclbufp[0].a_perm = 0;
|
|
aclbufp[1].a_type = GROUP_OBJ;
|
|
aclbufp[1].a_id = ACL_UNDEFINED_ID;
|
|
aclbufp[1].a_perm = 0;
|
|
aclbufp[2].a_type = OTHER_OBJ;
|
|
aclbufp[2].a_id = ACL_UNDEFINED_ID;
|
|
aclbufp[2].a_perm = 0;
|
|
return MIN_ACL_ENTRIES;
|
|
}
|
|
return 0;
|
|
}
|
|
/* Fetch owner, group, and ACL from security descriptor. */
|
|
status = RtlGetOwnerSecurityDescriptor (psd, (PSID *) &owner_sid, &dummy);
|
|
if (!NT_SUCCESS (status))
|
|
{
|
|
__seterrno_from_nt_status (status);
|
|
return -1;
|
|
}
|
|
status = RtlGetGroupSecurityDescriptor (psd, (PSID *) &group_sid, &dummy);
|
|
if (!NT_SUCCESS (status))
|
|
{
|
|
__seterrno_from_nt_status (status);
|
|
return -1;
|
|
}
|
|
status = RtlGetDaclSecurityDescriptor (psd, &acl_exists, &acl, &dummy);
|
|
if (!NT_SUCCESS (status))
|
|
{
|
|
__seterrno_from_nt_status (status);
|
|
return -1;
|
|
}
|
|
/* Set uidret, gidret, and initalize attributes. */
|
|
uid = owner_sid.get_uid (&cldap);
|
|
gid = group_sid.get_gid (&cldap);
|
|
attr = attr_ret & S_IFMT;
|
|
just_created = attr_ret & S_JUSTCREATED;
|
|
/* Remember the fact that owner and group are the same account. */
|
|
owner_eq_group = owner_sid == group_sid;
|
|
|
|
/* Create and initialize local aclent_t array. */
|
|
lacl = (aclent_t *) tp.c_get ();
|
|
memset (lacl, 0, MAX_ACL_ENTRIES * sizeof (aclent_t *));
|
|
lacl[0].a_type = USER_OBJ;
|
|
lacl[0].a_id = uid;
|
|
lacl[1].a_type = GROUP_OBJ;
|
|
lacl[1].a_id = gid;
|
|
lacl[2].a_type = OTHER_OBJ;
|
|
lacl[2].a_id = ACL_UNDEFINED_ID;
|
|
/* Create array to collect SIDs of all entries in lacl. */
|
|
aclsid = (cygpsid *) tp.w_get ();
|
|
aclsid[0] = owner_sid;
|
|
aclsid[1] = group_sid;
|
|
aclsid[2] = well_known_world_sid;
|
|
|
|
/* No ACEs? Everybody has full access. */
|
|
if (!acl_exists || !acl || acl->AceCount == 0)
|
|
{
|
|
for (pos = 0; pos < MIN_ACL_ENTRIES; ++pos)
|
|
lacl[pos].a_perm = S_IROTH | S_IWOTH | S_IXOTH;
|
|
goto out;
|
|
}
|
|
|
|
/* Files and dirs are created with a NULL descriptor, so inheritence
|
|
rules kick in. If no inheritable entries exist in the parent object,
|
|
Windows will create entries according to the user token's default DACL.
|
|
These entries are not desired and we ignore them at creation time.
|
|
We're just checking the SE_DACL_AUTO_INHERITED flag here, since that's
|
|
what we set in get_file_sd. Read the longish comment there before
|
|
changing this test! */
|
|
if (just_created
|
|
&& NT_SUCCESS (RtlGetControlSecurityDescriptor (psd, &ctrl, &rev))
|
|
&& !(ctrl & SE_DACL_AUTO_INHERITED))
|
|
;
|
|
else for (idx = 0; idx < acl->AceCount; ++idx)
|
|
{
|
|
if (!NT_SUCCESS (RtlGetAce (acl, idx, (PVOID *) &ace)))
|
|
continue;
|
|
|
|
ace_sid = (PSID) &ace->SidStart;
|
|
|
|
if (ace_sid == well_known_null_sid)
|
|
{
|
|
/* Fetch special bits. */
|
|
attr |= CYG_ACE_ISBITS_TO_POSIX (ace->Mask);
|
|
if (ace->Header.AceType == ACCESS_DENIED_ACE_TYPE
|
|
&& ace->Mask & CYG_ACE_NEW_STYLE)
|
|
{
|
|
/* New-style ACL. Note the fact that a mask value is present
|
|
since that changes how getace fetches the information. That's
|
|
fine, because the NULL deny ACE is supposed to precede all
|
|
USER, GROUP and GROUP_OBJ entries. Any ACL not created that
|
|
way has been rearranged by the Windows functionality to create
|
|
the brain-dead "canonical" ACL order and is broken anyway. */
|
|
new_style = true;
|
|
attr |= CYG_ACE_ISBITS_TO_POSIX (ace->Mask);
|
|
if (ace->Mask & CYG_ACE_MASK_VALID)
|
|
{
|
|
if (!(ace->Header.AceFlags & INHERIT_ONLY))
|
|
{
|
|
if ((pos = searchace (lacl, MAX_ACL_ENTRIES, CLASS_OBJ))
|
|
>= 0)
|
|
{
|
|
lacl[pos].a_type = CLASS_OBJ;
|
|
lacl[pos].a_id = ACL_UNDEFINED_ID;
|
|
lacl[pos].a_perm = CYG_ACE_MASK_TO_POSIX (ace->Mask);
|
|
aclsid[pos] = well_known_null_sid;
|
|
has_class_perm = true;
|
|
class_perm = lacl[pos].a_perm;
|
|
}
|
|
}
|
|
if (S_ISDIR (attr)
|
|
&& (ace->Header.AceFlags & SUB_CONTAINERS_AND_OBJECTS_INHERIT) != 0)
|
|
{
|
|
if ((pos = searchace (lacl, MAX_ACL_ENTRIES,
|
|
DEF_CLASS_OBJ)) >= 0)
|
|
{
|
|
lacl[pos].a_type = DEF_CLASS_OBJ;
|
|
lacl[pos].a_id = ACL_UNDEFINED_ID;
|
|
lacl[pos].a_perm = CYG_ACE_MASK_TO_POSIX (ace->Mask);
|
|
aclsid[pos] = well_known_null_sid;
|
|
has_def_class_perm = true;
|
|
def_class_perm = lacl[pos].a_perm;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
continue;
|
|
}
|
|
if (ace_sid == owner_sid)
|
|
{
|
|
type = USER_OBJ;
|
|
id = uid;
|
|
}
|
|
else if (ace_sid == group_sid)
|
|
{
|
|
type = GROUP_OBJ;
|
|
id = gid;
|
|
}
|
|
else if (ace_sid == well_known_world_sid)
|
|
{
|
|
type = OTHER_OBJ;
|
|
id = ACL_UNDEFINED_ID;
|
|
if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE
|
|
&& !(ace->Header.AceFlags & INHERIT_ONLY))
|
|
saw_other_obj = true;
|
|
}
|
|
else if (ace_sid == well_known_creator_owner_sid)
|
|
{
|
|
type = DEF_USER_OBJ;
|
|
id = ACL_UNDEFINED_ID;
|
|
saw_def_user_obj = true;
|
|
}
|
|
else if (ace_sid == well_known_creator_group_sid)
|
|
{
|
|
type = DEF_GROUP_OBJ;
|
|
id = ACL_UNDEFINED_ID;
|
|
saw_def_group_obj = true;
|
|
}
|
|
else
|
|
{
|
|
id = ace_sid.get_id (TRUE, &type, &cldap);
|
|
if (!type)
|
|
continue;
|
|
}
|
|
/* If the SGID attribute is set on a just created file or dir, the
|
|
first group in the ACL is the desired primary group of the new
|
|
object. Alternatively, the first repetition of the owner SID is
|
|
the desired primary group, and we mark the object as owner_eq_group
|
|
object. */
|
|
if (just_created && attr & S_ISGID && !saw_group_obj
|
|
&& (type == GROUP || (type == USER_OBJ && saw_user_obj)))
|
|
{
|
|
type = GROUP_OBJ;
|
|
lacl[1].a_id = gid = id;
|
|
if (type == USER_OBJ)
|
|
owner_eq_group = true;
|
|
}
|
|
if (!(ace->Header.AceFlags & INHERIT_ONLY || type & ACL_DEFAULT))
|
|
{
|
|
if (type == USER_OBJ)
|
|
{
|
|
/* If we get a second entry for the owner SID, it's either a
|
|
GROUP_OBJ entry for the same SID, if owner SID == group SID,
|
|
or it's an additional USER entry. The latter can happen
|
|
when chown'ing a file. */
|
|
if (saw_user_obj)
|
|
{
|
|
if (owner_eq_group && !saw_group_obj)
|
|
{
|
|
type = GROUP_OBJ;
|
|
/* Gid and uid are not necessarily the same even if the
|
|
SID is the same: /etc/group is in use and the user got
|
|
added to /etc/group using another gid than the uid.
|
|
This is a border case but it happened and resetting id
|
|
to gid is not much of a burden. */
|
|
id = gid;
|
|
if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
|
|
saw_group_obj = true;
|
|
}
|
|
else
|
|
type = USER;
|
|
}
|
|
else if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
|
|
saw_user_obj = true;
|
|
}
|
|
else if (type == GROUP_OBJ)
|
|
{
|
|
/* Same for the primary group. */
|
|
if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
|
|
{
|
|
if (saw_group_obj)
|
|
type = GROUP;
|
|
saw_group_obj = true;
|
|
}
|
|
}
|
|
if ((pos = searchace (lacl, MAX_ACL_ENTRIES, type, id)) >= 0)
|
|
{
|
|
getace (lacl[pos], type, id, ace->Mask, ace->Header.AceType,
|
|
new_style && type & (USER | GROUP_OBJ | GROUP));
|
|
aclsid[pos] = ace_sid;
|
|
if (!new_style)
|
|
{
|
|
/* Fix up CLASS_OBJ value. */
|
|
if (type & (USER | GROUP))
|
|
{
|
|
has_class_perm = true;
|
|
/* Accommodate Windows: Never add SYSTEM and Admins to
|
|
CLASS_OBJ. Unless (implicitly) if they are the
|
|
GROUP_OBJ entry. */
|
|
if (ace_sid != well_known_system_sid
|
|
&& ace_sid != well_known_admins_sid)
|
|
{
|
|
class_perm |= lacl[pos].a_perm;
|
|
standard_ACEs_only = false;
|
|
}
|
|
}
|
|
}
|
|
/* For a newly created file, we'd like to know if we're running
|
|
with a standard ACL, one only consisting of POSIX perms, plus
|
|
SYSTEM and Admins as maximum non-POSIX perms entries. If it's
|
|
a standard ACL, we apply umask. That's not entirely correct,
|
|
but it's probably the best we can do. Chmod also wants to
|
|
know this. See there for the details. */
|
|
else if (type & (USER | GROUP)
|
|
&& standard_ACEs_only
|
|
&& ace_sid != well_known_system_sid
|
|
&& ace_sid != well_known_admins_sid)
|
|
standard_ACEs_only = false;
|
|
}
|
|
}
|
|
if (S_ISDIR (attr)
|
|
&& (ace->Header.AceFlags & SUB_CONTAINERS_AND_OBJECTS_INHERIT) != 0)
|
|
{
|
|
if (type == USER_OBJ)
|
|
{
|
|
/* As above: If we get a second entry for the owner SID, it's
|
|
a GROUP_OBJ entry for the same SID if owner SID == group SID,
|
|
but this time only if the S_ISGID bit is set. Otherwise it's
|
|
an additional USER entry. */
|
|
if (saw_def_user_obj)
|
|
{
|
|
if (owner_eq_group && !saw_def_group_obj && attr & S_ISGID)
|
|
{
|
|
/* Needs post-processing in the following GROUP_OBJ block.
|
|
Set id to ACL_UNDEFINED_ID to play it safe. */
|
|
type = GROUP_OBJ;
|
|
id = ACL_UNDEFINED_ID;
|
|
}
|
|
else
|
|
type = USER;
|
|
}
|
|
else if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
|
|
saw_def_user_obj = true;
|
|
}
|
|
if (type == GROUP_OBJ)
|
|
{
|
|
/* If the SGID bit is set, the inheritable entry for the
|
|
primary group is, in fact, the DEF_GROUP_OBJ entry,
|
|
so don't change the type to GROUP in this case. */
|
|
if (!new_style || saw_def_group_obj || !(attr & S_ISGID))
|
|
type = GROUP;
|
|
else if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
|
|
saw_def_group_obj = true;
|
|
}
|
|
type |= ACL_DEFAULT;
|
|
types_def |= type;
|
|
if ((pos = searchace (lacl, MAX_ACL_ENTRIES, type, id)) >= 0)
|
|
{
|
|
getace (lacl[pos], type, id, ace->Mask, ace->Header.AceType,
|
|
new_style && type & (USER | GROUP_OBJ | GROUP));
|
|
aclsid[pos] = ace_sid;
|
|
if (!new_style)
|
|
{
|
|
/* Fix up DEF_CLASS_OBJ value. */
|
|
if (type & (USER | GROUP))
|
|
{
|
|
has_def_class_perm = true;
|
|
/* Accommodate Windows: Never add SYSTEM and Admins to
|
|
CLASS_OBJ. Unless (implicitly) if they are the
|
|
GROUP_OBJ entry. */
|
|
if (ace_sid != well_known_system_sid
|
|
&& ace_sid != well_known_admins_sid)
|
|
def_class_perm |= lacl[pos].a_perm;
|
|
}
|
|
/* And note the position of the DEF_GROUP_OBJ entry. */
|
|
if (type == DEF_GROUP_OBJ)
|
|
def_pgrp_pos = pos;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
/* If this is a just created file, and this is an ACL with only standard
|
|
entries, or if standard POSIX permissions are missing (probably no
|
|
inherited ACEs so created from a default DACL), assign the permissions
|
|
specified by the file creation mask. The values get masked by the
|
|
actually requested permissions by the caller per POSIX 1003.1e draft 17. */
|
|
if (just_created)
|
|
{
|
|
mode_t perms = (S_IRWXU | S_IRWXG | S_IRWXO) & ~cygheap->umask;
|
|
if (standard_ACEs_only || !saw_user_obj)
|
|
lacl[0].a_perm = (perms >> 6) & S_IRWXO;
|
|
if (standard_ACEs_only || !saw_group_obj)
|
|
lacl[1].a_perm = (perms >> 3) & S_IRWXO;
|
|
if (standard_ACEs_only || !saw_other_obj)
|
|
lacl[2].a_perm = perms & S_IRWXO;
|
|
}
|
|
/* If this is an old-style or non-Cygwin ACL, and secondary user and group
|
|
entries exist in the ACL, fake a matching CLASS_OBJ entry. The CLASS_OBJ
|
|
permissions are the or'ed permissions of the primary group permissions
|
|
and all secondary user and group permissions. */
|
|
if (!new_style && has_class_perm
|
|
&& (pos = searchace (lacl, MAX_ACL_ENTRIES, 0)) >= 0)
|
|
{
|
|
lacl[pos].a_type = CLASS_OBJ;
|
|
lacl[pos].a_id = ACL_UNDEFINED_ID;
|
|
class_perm |= lacl[1].a_perm;
|
|
lacl[pos].a_perm = class_perm;
|
|
aclsid[pos] = well_known_null_sid;
|
|
}
|
|
/* For ptys, fake a mask if the admins group is neither owner nor group.
|
|
In that case we have an extra ACE for the admins group, and we need a
|
|
CLASS_OBJ to get a valid POSIX ACL. However, Windows filters the ACE
|
|
Mask value so it only reflects the bit values supported by the object
|
|
type. The result is that we can't set an explicit CLASS_OBJ value for
|
|
ptys in the NULL SID ACE. */
|
|
else if (S_ISCHR (attr) && owner_sid != well_known_admins_sid
|
|
&& group_sid != well_known_admins_sid
|
|
&& (pos = searchace (lacl, MAX_ACL_ENTRIES, CLASS_OBJ)) >= 0)
|
|
{
|
|
lacl[pos].a_type = CLASS_OBJ;
|
|
lacl[pos].a_id = ACL_UNDEFINED_ID;
|
|
lacl[pos].a_perm = lacl[1].a_perm; /* == group perms */
|
|
aclsid[pos] = well_known_null_sid;
|
|
}
|
|
/* Ensure that the default acl contains at least
|
|
DEF_(USER|GROUP|OTHER)_OBJ entries. */
|
|
if (types_def && (pos = searchace (lacl, MAX_ACL_ENTRIES, 0)) >= 0)
|
|
{
|
|
if (!(types_def & USER_OBJ))
|
|
{
|
|
lacl[pos].a_type = DEF_USER_OBJ;
|
|
lacl[pos].a_id = uid;
|
|
lacl[pos].a_perm = lacl[0].a_perm;
|
|
aclsid[pos] = well_known_creator_owner_sid;
|
|
pos++;
|
|
}
|
|
if (!(types_def & GROUP_OBJ) && pos < MAX_ACL_ENTRIES)
|
|
{
|
|
lacl[pos].a_type = DEF_GROUP_OBJ;
|
|
lacl[pos].a_id = gid;
|
|
lacl[pos].a_perm = lacl[1].a_perm;
|
|
/* Note the position of the DEF_GROUP_OBJ entry. */
|
|
def_pgrp_pos = pos;
|
|
aclsid[pos] = well_known_creator_group_sid;
|
|
pos++;
|
|
}
|
|
if (!(types_def & OTHER_OBJ) && pos < MAX_ACL_ENTRIES)
|
|
{
|
|
lacl[pos].a_type = DEF_OTHER_OBJ;
|
|
lacl[pos].a_id = ACL_UNDEFINED_ID;
|
|
lacl[pos].a_perm = lacl[2].a_perm;
|
|
aclsid[pos] = well_known_world_sid;
|
|
pos++;
|
|
}
|
|
}
|
|
/* If this is an old-style or non-Cygwin ACL, and secondary user default
|
|
and group default entries exist in the ACL, fake a matching DEF_CLASS_OBJ
|
|
entry. The DEF_CLASS_OBJ permissions are the or'ed permissions of the
|
|
primary group default permissions and all secondary user and group def.
|
|
permissions. */
|
|
if (!new_style && has_def_class_perm
|
|
&& (pos = searchace (lacl, MAX_ACL_ENTRIES, 0)) >= 0)
|
|
{
|
|
lacl[pos].a_type = DEF_CLASS_OBJ;
|
|
lacl[pos].a_id = ACL_UNDEFINED_ID;
|
|
lacl[pos].a_perm = def_class_perm;
|
|
if (def_pgrp_pos >= 0)
|
|
lacl[pos].a_perm |= lacl[def_pgrp_pos].a_perm;
|
|
aclsid[pos] = well_known_null_sid;
|
|
}
|
|
|
|
/* Make sure `pos' contains the number of used entries in lacl. */
|
|
if ((pos = searchace (lacl, MAX_ACL_ENTRIES, 0)) < 0)
|
|
pos = MAX_ACL_ENTRIES;
|
|
|
|
/* For old-style or non-Cygwin ACLs, check for merging permissions. */
|
|
if (!just_created && !new_style)
|
|
for (idx = 0; idx < pos; ++idx)
|
|
{
|
|
if (lacl[idx].a_type & (USER_OBJ | USER)
|
|
&& !(lacl[idx].a_type & ACL_DEFAULT))
|
|
{
|
|
mode_t perm;
|
|
|
|
/* Don't merge if the user already has all permissions, or... */
|
|
if (lacl[idx].a_perm == S_IRWXO)
|
|
continue;
|
|
/* ...if the sum of perms is less than or equal the user's perms. */
|
|
perm = lacl[idx].a_perm
|
|
| (has_class_perm ? class_perm : lacl[1].a_perm)
|
|
| lacl[2].a_perm;
|
|
if (perm == lacl[idx].a_perm)
|
|
continue;
|
|
/* Otherwise, if we use the Windows user DB, utilize Authz to make
|
|
sure all user permissions are correctly reflecting the Windows
|
|
permissions. */
|
|
if (cygheap->pg.nss_pwd_db ()
|
|
&& authz_get_user_attribute (&perm, psd, aclsid[idx]))
|
|
lacl[idx].a_perm = perm;
|
|
/* Otherwise we only check the current user. If the user entry
|
|
has a deny ACE, don't check. */
|
|
else if (lacl[idx].a_id == myself->uid
|
|
&& !(lacl[idx].a_perm & DENY_RWX))
|
|
{
|
|
/* Sum up all permissions of groups the user is member of, plus
|
|
everyone perms, and merge them to user perms. */
|
|
BOOL ret;
|
|
|
|
perm = lacl[2].a_perm & S_IRWXO;
|
|
for (int gidx = 1; gidx < pos; ++gidx)
|
|
if (lacl[gidx].a_type & (GROUP_OBJ | GROUP)
|
|
&& CheckTokenMembership (cygheap->user.issetuid ()
|
|
? cygheap->user.imp_token () : NULL,
|
|
aclsid[gidx], &ret)
|
|
&& ret)
|
|
perm |= lacl[gidx].a_perm & S_IRWXO;
|
|
lacl[idx].a_perm |= perm;
|
|
}
|
|
}
|
|
/* For all groups, if everyone has more permissions, add everyone
|
|
perms to group perms. Skip groups with deny ACE. */
|
|
else if (lacl[idx].a_type & (GROUP_OBJ | GROUP)
|
|
&& !(lacl[idx].a_type & ACL_DEFAULT)
|
|
&& !(lacl[idx].a_perm & DENY_RWX))
|
|
lacl[idx].a_perm |= lacl[2].a_perm & S_IRWXO;
|
|
}
|
|
/* If owner SID == group SID (Microsoft Accounts) merge group perms into
|
|
user perms but leave group perms intact. That's a fake, but it allows
|
|
to keep track of the POSIX group perms without much effort. */
|
|
if (owner_eq_group)
|
|
lacl[0].a_perm |= lacl[1].a_perm;
|
|
/* Construct POSIX permission bits. Fortunately we know exactly where
|
|
to fetch the affecting bits from, at least as long as the array
|
|
hasn't been sorted. */
|
|
attr |= (lacl[0].a_perm & S_IRWXO) << 6;
|
|
attr |= ((has_class_perm ? class_perm : lacl[1].a_perm) & S_IRWXO) << 3;
|
|
attr |= (lacl[2].a_perm & S_IRWXO);
|
|
|
|
out:
|
|
if (uid_ret)
|
|
*uid_ret = uid;
|
|
if (gid_ret)
|
|
*gid_ret = gid;
|
|
attr_ret = attr;
|
|
if (aclbufp)
|
|
{
|
|
if (pos > nentries)
|
|
{
|
|
set_errno (ENOSPC);
|
|
return -1;
|
|
}
|
|
memcpy (aclbufp, lacl, pos * sizeof (aclent_t));
|
|
for (idx = 0; idx < pos; ++idx)
|
|
aclbufp[idx].a_perm &= S_IRWXO;
|
|
aclsort (pos, 0, aclbufp);
|
|
}
|
|
if (std_acl)
|
|
*std_acl = standard_ACEs_only;
|
|
return pos;
|
|
}
|
|
|
|
int
|
|
getacl (HANDLE handle, path_conv &pc, int nentries, aclent_t *aclbufp)
|
|
{
|
|
security_descriptor sd;
|
|
mode_t attr = pc.isdir () ? S_IFDIR : 0;
|
|
|
|
if (get_file_sd (handle, pc, sd, false))
|
|
return -1;
|
|
int pos = get_posix_access (sd, attr, NULL, NULL, aclbufp, nentries);
|
|
syscall_printf ("%R = getacl(%S)", pos, pc.get_nt_native_path ());
|
|
return pos;
|
|
}
|
|
|
|
extern "C" int
|
|
acl (const char *path, int cmd, int nentries, aclent_t *aclbufp)
|
|
{
|
|
int res = -1;
|
|
|
|
fhandler_base *fh = build_fh_name (path, PC_SYM_FOLLOW | PC_KEEP_HANDLE,
|
|
stat_suffixes);
|
|
if (!fh || !fh->exists ())
|
|
set_errno (ENOENT);
|
|
else if (fh->error ())
|
|
{
|
|
debug_printf ("got %d error from build_fh_name", fh->error ());
|
|
set_errno (fh->error ());
|
|
}
|
|
else
|
|
res = fh->facl (cmd, nentries, aclbufp);
|
|
|
|
delete fh;
|
|
syscall_printf ("%R = acl(%s)", res, path);
|
|
return res;
|
|
}
|
|
|
|
extern "C" int
|
|
facl (int fd, int cmd, int nentries, aclent_t *aclbufp)
|
|
{
|
|
cygheap_fdget cfd (fd);
|
|
if (cfd < 0)
|
|
{
|
|
syscall_printf ("-1 = facl (%d)", fd);
|
|
return -1;
|
|
}
|
|
if (cfd->get_flags () & O_PATH)
|
|
{
|
|
set_errno (EBADF);
|
|
return -1;
|
|
}
|
|
int res = cfd->facl (cmd, nentries, aclbufp);
|
|
syscall_printf ("%R = facl(%s) )", res, cfd->get_name ());
|
|
return res;
|
|
}
|
|
|
|
int
|
|
__aclcheck (aclent_t *aclbufp, int nentries, int *which, bool posix)
|
|
{
|
|
bool has_user_obj = false;
|
|
bool has_group_obj = false;
|
|
bool has_other_obj = false;
|
|
bool has_class_obj = false;
|
|
bool has_ug_objs = false;
|
|
bool has_def_objs = false;
|
|
bool has_def_user_obj = false;
|
|
bool has_def_group_obj = false;
|
|
bool has_def_other_obj = false;
|
|
bool has_def_class_obj = false;
|
|
bool has_def_ug_objs = false;
|
|
int pos2;
|
|
|
|
for (int pos = 0; pos < nentries; ++pos)
|
|
{
|
|
/* POSIX ACLs may contain deleted entries. Just ignore them. */
|
|
if (posix && aclbufp[pos].a_type == ACL_DELETED_TAG)
|
|
continue;
|
|
/* POSIX defines two sorts of ACLs, access and default, none of which
|
|
is supposed to have the ACL_DEFAULT flag set. */
|
|
if (posix && (aclbufp[pos].a_type & ACL_DEFAULT))
|
|
{
|
|
if (which)
|
|
*which = pos;
|
|
return ENTRY_ERROR;
|
|
}
|
|
switch (aclbufp[pos].a_type)
|
|
{
|
|
case USER_OBJ:
|
|
if (has_user_obj)
|
|
{
|
|
if (which)
|
|
*which = pos;
|
|
return USER_ERROR;
|
|
}
|
|
has_user_obj = true;
|
|
break;
|
|
case GROUP_OBJ:
|
|
if (has_group_obj)
|
|
{
|
|
if (which)
|
|
*which = pos;
|
|
return GRP_ERROR;
|
|
}
|
|
has_group_obj = true;
|
|
break;
|
|
case OTHER_OBJ:
|
|
if (has_other_obj)
|
|
{
|
|
if (which)
|
|
*which = pos;
|
|
return OTHER_ERROR;
|
|
}
|
|
has_other_obj = true;
|
|
break;
|
|
case CLASS_OBJ:
|
|
if (has_class_obj)
|
|
{
|
|
if (which)
|
|
*which = pos;
|
|
return CLASS_ERROR;
|
|
}
|
|
has_class_obj = true;
|
|
break;
|
|
case USER:
|
|
case GROUP:
|
|
if ((pos2 = searchace (aclbufp + pos + 1, nentries - pos - 1,
|
|
aclbufp[pos].a_type, aclbufp[pos].a_id)) >= 0)
|
|
{
|
|
if (which)
|
|
*which = pos2;
|
|
return DUPLICATE_ERROR;
|
|
}
|
|
has_ug_objs = true;
|
|
break;
|
|
case DEF_USER_OBJ:
|
|
if (has_def_user_obj)
|
|
{
|
|
if (which)
|
|
*which = pos;
|
|
return USER_ERROR;
|
|
}
|
|
has_def_objs = has_def_user_obj = true;
|
|
break;
|
|
case DEF_GROUP_OBJ:
|
|
if (has_def_group_obj)
|
|
{
|
|
if (which)
|
|
*which = pos;
|
|
return GRP_ERROR;
|
|
}
|
|
has_def_objs = has_def_group_obj = true;
|
|
break;
|
|
case DEF_OTHER_OBJ:
|
|
if (has_def_other_obj)
|
|
{
|
|
if (which)
|
|
*which = pos;
|
|
return OTHER_ERROR;
|
|
}
|
|
has_def_objs = has_def_other_obj = true;
|
|
break;
|
|
case DEF_CLASS_OBJ:
|
|
if (has_def_class_obj)
|
|
{
|
|
if (which)
|
|
*which = pos;
|
|
return CLASS_ERROR;
|
|
}
|
|
has_def_objs = has_def_class_obj = true;
|
|
break;
|
|
case DEF_USER:
|
|
case DEF_GROUP:
|
|
if ((pos2 = searchace (aclbufp + pos + 1, nentries - pos - 1,
|
|
aclbufp[pos].a_type, aclbufp[pos].a_id)) >= 0)
|
|
{
|
|
if (which)
|
|
*which = pos2;
|
|
return DUPLICATE_ERROR;
|
|
}
|
|
has_def_objs = has_def_ug_objs = true;
|
|
break;
|
|
default:
|
|
if (which)
|
|
*which = pos;
|
|
return ENTRY_ERROR;
|
|
}
|
|
}
|
|
if (!has_user_obj
|
|
|| !has_group_obj
|
|
|| !has_other_obj
|
|
|| (has_ug_objs && !has_class_obj))
|
|
{
|
|
if (which)
|
|
*which = -1;
|
|
return MISS_ERROR;
|
|
}
|
|
/* Check for missing default entries only on Solaris ACLs. */
|
|
if (!posix &&
|
|
((has_def_objs
|
|
&& !(has_def_user_obj && has_def_group_obj && has_def_other_obj))
|
|
|| (has_def_ug_objs && !has_def_class_obj)))
|
|
{
|
|
if (which)
|
|
*which = -1;
|
|
return MISS_ERROR;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
extern "C" int
|
|
aclcheck (aclent_t *aclbufp, int nentries, int *which)
|
|
{
|
|
return __aclcheck (aclbufp, nentries, which, false);
|
|
}
|
|
|
|
/* For the sake of acl_calc_mask, return -1 if the ACL doesn't need a mask
|
|
or if a mask entry already exists (__aclcalcmask sets the mask by itself).
|
|
Otherwise return the mask value so acl_calc_mask can create a mask entry.
|
|
This doesn't matter when called from aclsort. */
|
|
mode_t
|
|
__aclcalcmask (aclent_t *aclbufp, int nentries)
|
|
{
|
|
mode_t mask = 0;
|
|
bool need_mask = false;
|
|
int mask_idx = -1;
|
|
|
|
for (int idx = 0; idx < nentries; ++idx)
|
|
switch (aclbufp[idx].a_type)
|
|
{
|
|
case USER:
|
|
case GROUP:
|
|
need_mask = true;
|
|
fallthrough;
|
|
case GROUP_OBJ:
|
|
mask |= aclbufp[idx].a_perm;
|
|
break;
|
|
case CLASS_OBJ:
|
|
mask_idx = idx;
|
|
break;
|
|
default:
|
|
break;
|
|
}
|
|
if (mask_idx != -1)
|
|
aclbufp[mask_idx].a_perm = mask;
|
|
if (need_mask && mask_idx == -1)
|
|
return mask;
|
|
return (acl_perm_t) -1;
|
|
}
|
|
|
|
static int
|
|
acecmp (const void *a1, const void *a2)
|
|
{
|
|
#define ace(i) ((const aclent_t *) a##i)
|
|
int ret = ace (1)->a_type - ace (2)->a_type;
|
|
if (!ret)
|
|
ret = ace (1)->a_id - ace (2)->a_id;
|
|
return ret;
|
|
#undef ace
|
|
}
|
|
|
|
/* Sorts any acl. Called from sec_posixacl.cc. */
|
|
int
|
|
__aclsort (int nentries, aclent_t *aclbufp)
|
|
{
|
|
if (!aclbufp || nentries < 0)
|
|
{
|
|
set_errno (EINVAL);
|
|
return -1;
|
|
}
|
|
if (nentries > 0)
|
|
qsort ((void *) aclbufp, nentries, sizeof (aclent_t), acecmp);
|
|
return 0;
|
|
}
|
|
|
|
extern "C" int
|
|
aclsort (int nentries, int calclass, aclent_t *aclbufp)
|
|
{
|
|
if (!aclbufp || nentries < MIN_ACL_ENTRIES
|
|
|| aclcheck (aclbufp, nentries, NULL))
|
|
{
|
|
set_errno (EINVAL);
|
|
return -1;
|
|
}
|
|
qsort ((void *) aclbufp, nentries, sizeof (aclent_t), acecmp);
|
|
if (calclass)
|
|
__aclcalcmask (aclbufp, nentries);
|
|
return 0;
|
|
}
|
|
|
|
extern "C" int
|
|
acltomode (aclent_t *aclbufp, int nentries, mode_t *modep)
|
|
{
|
|
int pos;
|
|
|
|
if (!aclbufp || nentries < 1 || !modep)
|
|
{
|
|
set_errno (EINVAL);
|
|
return -1;
|
|
}
|
|
*modep = 0;
|
|
if ((pos = searchace (aclbufp, nentries, USER_OBJ)) < 0
|
|
|| !aclbufp[pos].a_type)
|
|
{
|
|
set_errno (EINVAL);
|
|
return -1;
|
|
}
|
|
*modep |= (aclbufp[pos].a_perm & S_IRWXO) << 6;
|
|
if ((pos = searchace (aclbufp, nentries, GROUP_OBJ)) < 0
|
|
|| !aclbufp[pos].a_type)
|
|
{
|
|
set_errno (EINVAL);
|
|
return -1;
|
|
}
|
|
*modep |= (aclbufp[pos].a_perm & S_IRWXO) << 3;
|
|
int cpos;
|
|
if ((cpos = searchace (aclbufp, nentries, CLASS_OBJ)) >= 0
|
|
&& aclbufp[cpos].a_type == CLASS_OBJ)
|
|
*modep |= ((aclbufp[pos].a_perm & S_IRWXO) & aclbufp[cpos].a_perm) << 3;
|
|
if ((pos = searchace (aclbufp, nentries, OTHER_OBJ)) < 0
|
|
|| !aclbufp[pos].a_type)
|
|
{
|
|
set_errno (EINVAL);
|
|
return -1;
|
|
}
|
|
*modep |= aclbufp[pos].a_perm & S_IRWXO;
|
|
return 0;
|
|
}
|
|
|
|
extern "C" int
|
|
aclfrommode (aclent_t *aclbufp, int nentries, mode_t *modep)
|
|
{
|
|
int pos;
|
|
|
|
if (!aclbufp || nentries < 1 || !modep)
|
|
{
|
|
set_errno (EINVAL);
|
|
return -1;
|
|
}
|
|
if ((pos = searchace (aclbufp, nentries, USER_OBJ)) < 0
|
|
|| !aclbufp[pos].a_type)
|
|
{
|
|
set_errno (EINVAL);
|
|
return -1;
|
|
}
|
|
aclbufp[pos].a_perm = (*modep & S_IRWXU) >> 6;
|
|
if ((pos = searchace (aclbufp, nentries, GROUP_OBJ)) < 0
|
|
|| !aclbufp[pos].a_type)
|
|
{
|
|
set_errno (EINVAL);
|
|
return -1;
|
|
}
|
|
aclbufp[pos].a_perm = (*modep & S_IRWXG) >> 3;
|
|
if ((pos = searchace (aclbufp, nentries, CLASS_OBJ)) >= 0
|
|
&& aclbufp[pos].a_type == CLASS_OBJ)
|
|
aclbufp[pos].a_perm = (*modep & S_IRWXG) >> 3;
|
|
if ((pos = searchace (aclbufp, nentries, OTHER_OBJ)) < 0
|
|
|| !aclbufp[pos].a_type)
|
|
{
|
|
set_errno (EINVAL);
|
|
return -1;
|
|
}
|
|
aclbufp[pos].a_perm = (*modep & S_IRWXO);
|
|
return 0;
|
|
}
|
|
|
|
extern "C" int
|
|
acltopbits (aclent_t *aclbufp, int nentries, mode_t *pbitsp)
|
|
{
|
|
return acltomode (aclbufp, nentries, pbitsp);
|
|
}
|
|
|
|
extern "C" int
|
|
aclfrompbits (aclent_t *aclbufp, int nentries, mode_t *pbitsp)
|
|
{
|
|
return aclfrommode (aclbufp, nentries, pbitsp);
|
|
}
|
|
|
|
static char *
|
|
permtostr (char *bufp, mode_t perm)
|
|
{
|
|
*bufp++ = (perm & S_IROTH) ? 'r' : '-';
|
|
*bufp++ = (perm & S_IWOTH) ? 'w' : '-';
|
|
*bufp++ = (perm & S_IXOTH) ? 'x' : '-';
|
|
return bufp;
|
|
}
|
|
|
|
#define _OPT(o) (options & (o))
|
|
|
|
#define _CHK(l) \
|
|
if (bufp + (l) >= buf + 2 * NT_MAX_PATH - 1) \
|
|
{ \
|
|
set_errno (ENOMEM); \
|
|
return NULL; \
|
|
}
|
|
#define _CPY(s) ({ \
|
|
const char *_s = (s); \
|
|
_CHK (strlen (_s)); \
|
|
bufp = stpcpy (bufp, _s); \
|
|
})
|
|
#define _PTS(p) { \
|
|
_CHK (3); \
|
|
bufp = permtostr (bufp, p); \
|
|
}
|
|
|
|
#define _CMP(s) (!strncmp (bufp, acl_part[s].str, acl_part[s].len))
|
|
|
|
struct _acl_part
|
|
{
|
|
const char *str;
|
|
size_t len;
|
|
};
|
|
|
|
static _acl_part acl_part_l[] =
|
|
{
|
|
{ "default:", 8 },
|
|
{ "user:", 5 },
|
|
{ "group:", 6 },
|
|
{ "mask:", 5 },
|
|
{ "other:", 6 }
|
|
};
|
|
|
|
static _acl_part acl_part_s[] =
|
|
{
|
|
{ "d:", 2 },
|
|
{ "u:", 2 },
|
|
{ "g:", 2 },
|
|
{ "m:", 2 },
|
|
{ "o:", 2 }
|
|
};
|
|
|
|
enum _acl_type {
|
|
default_s,
|
|
user_s,
|
|
group_s,
|
|
mask_s,
|
|
other_s,
|
|
none_s
|
|
};
|
|
|
|
char *
|
|
__acltotext (aclent_t *aclbufp, int aclcnt, const char *prefix, char separator,
|
|
int options)
|
|
{
|
|
if (!aclbufp || aclcnt < 0 || aclcnt > MAX_ACL_ENTRIES
|
|
|| (aclcnt > 0 && aclsort (aclcnt, 0, aclbufp)))
|
|
{
|
|
set_errno (EINVAL);
|
|
return NULL;
|
|
}
|
|
cyg_ldap cldap;
|
|
tmp_pathbuf tp;
|
|
char *buf = tp.t_get ();
|
|
char *bufp = buf;
|
|
char *entry_start;
|
|
bool first = true;
|
|
struct passwd *pw;
|
|
struct group *gr;
|
|
mode_t mask = S_IRWXO;
|
|
mode_t def_mask = S_IRWXO;
|
|
mode_t effective;
|
|
int pos;
|
|
_acl_part *acl_part = _OPT (TEXT_ABBREVIATE) ? acl_part_s : acl_part_l;
|
|
|
|
*bufp = '\0';
|
|
/* If effective rights are requested, fetch mask values. */
|
|
if (_OPT (TEXT_SOME_EFFECTIVE | TEXT_ALL_EFFECTIVE))
|
|
{
|
|
if ((pos = searchace (aclbufp, aclcnt, CLASS_OBJ)) >= 0)
|
|
mask = aclbufp[pos].a_perm;
|
|
if ((pos = searchace (aclbufp, aclcnt, DEF_CLASS_OBJ)) >= 0)
|
|
def_mask = aclbufp[pos].a_perm;
|
|
}
|
|
for (pos = 0; pos < aclcnt; ++pos)
|
|
{
|
|
if (!first)
|
|
{
|
|
_CHK (1);
|
|
*bufp++ = separator;
|
|
}
|
|
first = false;
|
|
/* Rememeber start position of entry to compute TEXT_SMART_INDENT tabs. */
|
|
entry_start = bufp;
|
|
/* prefix */
|
|
if (prefix)
|
|
_CPY (prefix);
|
|
/* Solaris default acl? */
|
|
if (!_OPT (TEXT_IS_POSIX) && aclbufp[pos].a_type & ACL_DEFAULT)
|
|
_CPY (acl_part[default_s].str);
|
|
/* acl type */
|
|
switch (aclbufp[pos].a_type & ~ACL_DEFAULT)
|
|
{
|
|
case USER_OBJ:
|
|
case USER:
|
|
_CPY (acl_part[user_s].str);
|
|
break;
|
|
case GROUP_OBJ:
|
|
case GROUP:
|
|
_CPY (acl_part[group_s].str);
|
|
break;
|
|
case CLASS_OBJ:
|
|
_CPY (acl_part[mask_s].str);
|
|
break;
|
|
case OTHER_OBJ:
|
|
_CPY (acl_part[other_s].str);
|
|
break;
|
|
}
|
|
/* id, if any */
|
|
switch (aclbufp[pos].a_type & ~ACL_DEFAULT)
|
|
{
|
|
case USER:
|
|
if (_OPT (TEXT_NUMERIC_IDS)
|
|
|| !(pw = internal_getpwuid (aclbufp[pos].a_id, &cldap)))
|
|
{
|
|
_CHK (11);
|
|
bufp += __small_sprintf (bufp, "%u:", aclbufp[pos].a_id);
|
|
}
|
|
else
|
|
{
|
|
_CHK (strlen (pw->pw_name + 1));
|
|
bufp += __small_sprintf (bufp, "%s:", pw->pw_name);
|
|
}
|
|
break;
|
|
case GROUP:
|
|
if (_OPT (TEXT_NUMERIC_IDS)
|
|
|| !(gr = internal_getgrgid (aclbufp[pos].a_id, &cldap)))
|
|
{
|
|
_CHK (11);
|
|
bufp += __small_sprintf (bufp, "%u:", aclbufp[pos].a_id);
|
|
}
|
|
else
|
|
{
|
|
_CHK (strlen (gr->gr_name));
|
|
bufp += __small_sprintf (bufp, "%s:", gr->gr_name);
|
|
}
|
|
break;
|
|
default:
|
|
_CPY (":");
|
|
break;
|
|
}
|
|
/* real permissions */
|
|
_PTS (aclbufp[pos].a_perm);
|
|
if (!_OPT (TEXT_SOME_EFFECTIVE | TEXT_ALL_EFFECTIVE))
|
|
continue;
|
|
/* effective permissions */
|
|
switch (aclbufp[pos].a_type)
|
|
{
|
|
case USER:
|
|
case GROUP_OBJ:
|
|
case GROUP:
|
|
effective = aclbufp[pos].a_perm & mask;
|
|
break;
|
|
case DEF_USER:
|
|
case DEF_GROUP_OBJ:
|
|
case DEF_GROUP:
|
|
effective = aclbufp[pos].a_perm & def_mask;
|
|
break;
|
|
default:
|
|
continue;
|
|
}
|
|
if (_OPT (TEXT_ALL_EFFECTIVE) || effective != aclbufp[pos].a_perm)
|
|
{
|
|
if (_OPT (TEXT_SMART_INDENT))
|
|
{
|
|
int tabs = 3 - (bufp - entry_start) / 8;
|
|
if (tabs-- > 0)
|
|
{
|
|
_CHK (tabs);
|
|
while (tabs-- > 0)
|
|
*bufp++ = '\t';
|
|
}
|
|
}
|
|
_CPY ("\t#effective:");
|
|
_PTS (effective);
|
|
}
|
|
}
|
|
if (_OPT (TEXT_END_SEPARATOR))
|
|
{
|
|
_CHK (1);
|
|
*bufp++ = separator;
|
|
}
|
|
*bufp = '\0';
|
|
return strdup (buf);
|
|
}
|
|
|
|
extern "C" char *
|
|
acltotext (aclent_t *aclbufp, int aclcnt)
|
|
{
|
|
return __acltotext (aclbufp, aclcnt, NULL, ',', 0);
|
|
}
|
|
|
|
static mode_t
|
|
permfromstr (char *perm, bool posix_long)
|
|
{
|
|
mode_t mode = 0;
|
|
int idx;
|
|
|
|
if (perm[0] == 'r')
|
|
mode |= S_IROTH;
|
|
else if (perm[0] != '-')
|
|
return 01000;
|
|
if (perm[1] == 'w')
|
|
mode |= S_IWOTH;
|
|
else if (perm[1] != '-')
|
|
return 01000;
|
|
if (perm[2] == 'x')
|
|
mode |= S_IXOTH;
|
|
else if (perm[2] != '-')
|
|
return 01000;
|
|
idx = 3;
|
|
/* In posix long mode, only tabs up to a hash sign allowed. */
|
|
if (posix_long)
|
|
while (perm[idx] == '\t')
|
|
++idx;
|
|
if (perm[idx] == '\0' || (posix_long && perm[idx] == '#'))
|
|
return mode;
|
|
return 01000;
|
|
}
|
|
|
|
void *
|
|
__aclfromtext (const char *acltextp, int *aclcnt, bool posix)
|
|
{
|
|
if (!acltextp || strlen (acltextp) >= 2 * NT_MAX_PATH)
|
|
{
|
|
set_errno (EINVAL);
|
|
return NULL;
|
|
}
|
|
cyg_ldap cldap;
|
|
tmp_pathbuf tp;
|
|
const char *delim;
|
|
_acl_part *acl_part;
|
|
char *bufp, *lasts, *qualifier;
|
|
int pos = 0;
|
|
int acl_type;
|
|
|
|
aclent_t *lacl = (aclent_t *) tp.c_get ();
|
|
memset (lacl, 0, MAX_ACL_ENTRIES * sizeof (aclent_t *));
|
|
char *buf = tp.t_get ();
|
|
stpcpy (buf, acltextp);
|
|
|
|
if (posix)
|
|
{
|
|
/* Posix long or short form. Any \n in the string means long form. */
|
|
if (strchr (buf, '\n'))
|
|
{
|
|
delim = "\n";
|
|
acl_part = acl_part_l;
|
|
}
|
|
else
|
|
{
|
|
delim = ",";
|
|
acl_part = acl_part_s;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
/* Solaris aclfromtext format. */
|
|
delim = ",";
|
|
acl_part = acl_part_l;
|
|
}
|
|
|
|
for (bufp = strtok_r (buf, delim, &lasts);
|
|
bufp;
|
|
bufp = strtok_r (NULL, delim, &lasts))
|
|
{
|
|
/* Handle default acl entries only for Solaris ACLs. */
|
|
if (!posix && _CMP (default_s))
|
|
{
|
|
lacl[pos].a_type |= ACL_DEFAULT;
|
|
bufp += acl_part[default_s].len;
|
|
}
|
|
lacl[pos].a_id = ACL_UNDEFINED_ID;
|
|
for (acl_type = user_s; acl_type < none_s; ++acl_type)
|
|
if (_CMP (acl_type))
|
|
break;
|
|
if (acl_type == none_s)
|
|
{
|
|
set_errno (EINVAL);
|
|
return NULL;
|
|
}
|
|
bufp += acl_part[acl_type].len;
|
|
switch (acl_type)
|
|
{
|
|
case user_s:
|
|
case group_s:
|
|
qualifier = bufp;
|
|
bufp = strchrnul (bufp, ':');
|
|
*bufp++ = '\0';
|
|
/* No qualifier? USER_OBJ or GROUP_OBJ */
|
|
if (!*qualifier)
|
|
{
|
|
lacl[pos].a_type |= (acl_type == user_s) ? USER_OBJ : GROUP_OBJ;
|
|
break;
|
|
}
|
|
/* Some qualifier, USER or GROUP */
|
|
lacl[pos].a_type |= (acl_type == user_s) ? USER : GROUP;
|
|
if (isdigit (*qualifier))
|
|
{
|
|
char *ep;
|
|
|
|
id_t id = strtol (qualifier, &ep, 10);
|
|
if (*ep == '\0')
|
|
{
|
|
lacl[pos].a_id = id;
|
|
break;
|
|
}
|
|
}
|
|
if (acl_type == user_s)
|
|
{
|
|
struct passwd *pw = internal_getpwnam (qualifier, &cldap);
|
|
if (pw)
|
|
lacl[pos].a_id = pw->pw_uid;
|
|
}
|
|
else
|
|
{
|
|
struct group *gr = internal_getgrnam (qualifier, &cldap);
|
|
if (gr)
|
|
lacl[pos].a_id = gr->gr_gid;
|
|
}
|
|
if (lacl[pos].a_id == ACL_UNDEFINED_ID)
|
|
{
|
|
set_errno (EINVAL);
|
|
return NULL;
|
|
}
|
|
break;
|
|
case mask_s:
|
|
case other_s:
|
|
if (*bufp++ != ':')
|
|
{
|
|
set_errno (EINVAL);
|
|
return NULL;
|
|
}
|
|
lacl[pos].a_type |= (acl_type == mask_s) ? CLASS_OBJ : OTHER_OBJ;
|
|
break;
|
|
}
|
|
/* In posix long mode, the next char after the permissions may be a tab
|
|
followed by effective permissions we can ignore here. */
|
|
if ((lacl[pos].a_perm = permfromstr (bufp, *delim == '\n')) == 01000)
|
|
{
|
|
set_errno (EINVAL);
|
|
return NULL;
|
|
}
|
|
++pos;
|
|
}
|
|
if (posix)
|
|
{
|
|
acl_t acl = (acl_t) acl_init (pos);
|
|
if (acl)
|
|
{
|
|
memcpy (acl->entry, lacl, pos * sizeof (aclent_t));
|
|
acl->count = pos;
|
|
if (aclcnt)
|
|
*aclcnt = pos;
|
|
}
|
|
return (void *) acl;
|
|
}
|
|
else
|
|
{
|
|
aclent_t *aclp = (aclent_t *) malloc (pos * sizeof (aclent_t));
|
|
if (aclp)
|
|
{
|
|
memcpy (aclp, lacl, pos * sizeof (aclent_t));
|
|
if (aclcnt)
|
|
*aclcnt = pos;
|
|
}
|
|
return (void *) aclp;
|
|
}
|
|
}
|
|
|
|
extern "C" aclent_t *
|
|
aclfromtext (char *acltextp, int *aclcnt)
|
|
{
|
|
return (aclent_t *) __aclfromtext (acltextp, aclcnt, false);
|
|
}
|