2 Unix SMB/CIFS implementation.
3 Samba system utilities for ACL support.
4 Copyright (C) Jeremy Allison 2000.
5 Copyright (C) Volker Lendecke 2006
6 Copyright (C) Michael Adam 2006,2008
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "system/passwd.h"
25 #if defined(HAVE_POSIX_ACLS)
26 #include "modules/vfs_posixacl.h"
29 #if defined(HAVE_SOLARIS_UNIXWARE_ACLS)
30 #include "modules/vfs_solarisacl.h"
33 #if defined(HAVE_HPUX_ACLS)
34 #include "modules/vfs_hpuxacl.h"
37 #if defined(HAVE_AIX_ACLS)
38 #include "modules/vfs_aixacl.h"
42 #define DBGC_CLASS DBGC_ACLS
45 * Note that while this code implements sufficient functionality
46 * to support the sys_acl_* interfaces it does not provide all
47 * of the semantics of the POSIX ACL interfaces.
49 * In particular, an ACL entry descriptor (SMB_ACL_ENTRY_T) returned
50 * from a call to sys_acl_get_entry() should not be assumed to be
51 * valid after calling any of the following functions, which may
52 * reorder the entries in the ACL.
58 int sys_acl_get_entry(SMB_ACL_T acl_d, int entry_id, SMB_ACL_ENTRY_T *entry_p)
60 if (entry_id != SMB_ACL_FIRST_ENTRY && entry_id != SMB_ACL_NEXT_ENTRY) {
65 if (entry_p == NULL) {
70 if (entry_id == SMB_ACL_FIRST_ENTRY) {
74 if (acl_d->next < 0) {
79 if (acl_d->next >= acl_d->count) {
83 *entry_p = &acl_d->acl[acl_d->next++];
88 int sys_acl_get_tag_type(SMB_ACL_ENTRY_T entry_d, SMB_ACL_TAG_T *type_p)
90 *type_p = entry_d->a_type;
95 int sys_acl_get_permset(SMB_ACL_ENTRY_T entry_d, SMB_ACL_PERMSET_T *permset_p)
97 *permset_p = &entry_d->a_perm;
102 void *sys_acl_get_qualifier(SMB_ACL_ENTRY_T entry_d)
104 if (entry_d->a_type == SMB_ACL_USER) {
105 return &entry_d->info.user.uid;
108 if (entry_d->a_type == SMB_ACL_GROUP) {
109 return &entry_d->info.group.gid;
116 int sys_acl_clear_perms(SMB_ACL_PERMSET_T permset_d)
123 int sys_acl_add_perm(SMB_ACL_PERMSET_T permset_d, SMB_ACL_PERM_T perm)
125 if (perm != SMB_ACL_READ && perm != SMB_ACL_WRITE
126 && perm != SMB_ACL_EXECUTE) {
131 if (permset_d == NULL) {
141 int sys_acl_get_perm(SMB_ACL_PERMSET_T permset_d, SMB_ACL_PERM_T perm)
143 return *permset_d & perm;
146 char *sys_acl_to_text(const struct smb_acl_t *acl_d, ssize_t *len_p)
153 * use an initial estimate of 20 bytes per ACL entry
154 * when allocating memory for the text representation
158 maxlen = 20 * acl_d->count;
159 if ((text = (char *)SMB_MALLOC(maxlen)) == NULL) {
164 for (i = 0; i < acl_d->count; i++) {
165 struct smb_acl_entry *ap = &acl_d->acl[i];
174 switch (ap->a_type) {
176 * for debugging purposes it's probably more
177 * useful to dump unknown tag types rather
178 * than just returning an error
181 slprintf(tagbuf, sizeof(tagbuf)-1, "0x%x",
187 id = uidtoname(ap->info.user.uid);
190 case SMB_ACL_USER_OBJ:
195 if ((gr = getgrgid(ap->info.group.gid)) == NULL) {
196 slprintf(idbuf, sizeof(idbuf)-1, "%ld",
197 (long)ap->info.group.gid);
204 case SMB_ACL_GROUP_OBJ:
218 perms[0] = (ap->a_perm & SMB_ACL_READ) ? 'r' : '-';
219 perms[1] = (ap->a_perm & SMB_ACL_WRITE) ? 'w' : '-';
220 perms[2] = (ap->a_perm & SMB_ACL_EXECUTE) ? 'x' : '-';
223 /* <tag> : <qualifier> : rwx \n \0 */
224 nbytes = strlen(tag) + 1 + strlen(id) + 1 + 3 + 1 + 1;
227 * If this entry would overflow the buffer
228 * allocate enough additional memory for this
229 * entry and an estimate of another 20 bytes
230 * for each entry still to be processed
232 if ((len + nbytes) > maxlen) {
233 maxlen += nbytes + 20 * (acl_d->count - i);
234 if ((text = (char *)SMB_REALLOC(text, maxlen)) == NULL) {
241 slprintf(&text[len], nbytes, "%s:%s:%s\n", tag, id, perms);
251 SMB_ACL_T sys_acl_init(TALLOC_CTX *mem_ctx)
255 if ((a = talloc(mem_ctx, struct smb_acl_t)) == NULL) {
263 a->acl = talloc_array(a, struct smb_acl_entry, 0);
273 int sys_acl_create_entry(SMB_ACL_T *acl_p, SMB_ACL_ENTRY_T *entry_p)
276 SMB_ACL_ENTRY_T entry_d;
277 struct smb_acl_entry *acl;
279 if (acl_p == NULL || entry_p == NULL || (acl_d = *acl_p) == NULL) {
284 acl = talloc_realloc(acl_d, acl_d->acl, struct smb_acl_entry, acl_d->count+1);
290 entry_d = &acl_d->acl[acl_d->count];
291 entry_d->a_type = SMB_ACL_TAG_INVALID;
299 int sys_acl_set_tag_type(SMB_ACL_ENTRY_T entry_d, SMB_ACL_TAG_T tag_type)
303 case SMB_ACL_USER_OBJ:
305 case SMB_ACL_GROUP_OBJ:
308 entry_d->a_type = tag_type;
318 int sys_acl_set_qualifier(SMB_ACL_ENTRY_T entry_d, void *qual_p)
320 if (entry_d->a_type == SMB_ACL_USER) {
321 entry_d->info.user.uid = *((uid_t *)qual_p);
324 if (entry_d->a_type == SMB_ACL_GROUP) {
325 entry_d->info.group.gid = *((gid_t *)qual_p);
333 int sys_acl_set_permset(SMB_ACL_ENTRY_T entry_d, SMB_ACL_PERMSET_T permset_d)
335 if (*permset_d & ~(SMB_ACL_READ|SMB_ACL_WRITE|SMB_ACL_EXECUTE)) {
340 entry_d->a_perm = *permset_d;
345 int sys_acl_free_text(char *text)
351 int sys_acl_valid(SMB_ACL_T acl_d)
358 * acl_get_file, acl_get_fd, acl_set_file, acl_set_fd and
359 * sys_acl_delete_def_fd are to be redirected to the default
360 * statically-bound acl vfs module, but they are replaceable.
363 #if defined(HAVE_POSIX_ACLS)
365 SMB_ACL_T sys_acl_get_fd(vfs_handle_struct *handle,
370 return posixacl_sys_acl_get_fd(handle, fsp, type, mem_ctx);
373 int sys_acl_set_fd(vfs_handle_struct *handle,
378 return posixacl_sys_acl_set_fd(handle, fsp, type, acl_d);
381 int sys_acl_delete_def_fd(vfs_handle_struct *handle,
384 return posixacl_sys_acl_delete_def_fd(handle, fsp);
387 #elif defined(HAVE_AIX_ACLS)
389 SMB_ACL_T sys_acl_get_fd(vfs_handle_struct *handle,
394 return aixacl_sys_acl_get_fd(handle, fsp, type, mem_ctx);
397 int sys_acl_set_fd(vfs_handle_struct *handle,
402 return aixacl_sys_acl_set_fd(handle, fsp, type, acl_d);
405 int sys_acl_delete_def_fd(vfs_handle_struct *handle,
408 return aixacl_sys_acl_delete_def_fd(handle, fsp);
410 #elif defined(HAVE_SOLARIS_UNIXWARE_ACLS)
412 SMB_ACL_T sys_acl_get_fd(vfs_handle_struct *handle,
417 return solarisacl_sys_acl_get_fd(handle, fsp, type,
421 int sys_acl_set_fd(vfs_handle_struct *handle,
426 return solarisacl_sys_acl_set_fd(handle,
432 int sys_acl_delete_def_fd(vfs_handle_struct *handle,
435 return solarisacl_sys_acl_delete_def_fd(handle, fsp);
437 #elif defined(HAVE_HPUX_ACLS)
439 SMB_ACL_T sys_acl_get_fd(vfs_handle_struct *handle,
444 return hpuxacl_sys_acl_get_fd(handle, fsp, mem_ctx);
447 int sys_acl_set_fd(vfs_handle_struct *handle,
452 return hpuxacl_sys_acl_set_file(handle, fsp->fsp_name, type, acl_d);
455 int sys_acl_delete_def_fd(vfs_handle_struct *handle,
458 return hpuxacl_sys_acl_delete_def_fd(handle, fsp);
462 SMB_ACL_T sys_acl_get_fd(vfs_handle_struct *handle,
475 int sys_acl_set_fd(vfs_handle_struct *handle,
488 int sys_acl_delete_def_fd(vfs_handle_struct *handle,
500 /************************************************************************
501 Deliberately outside the ACL defines. Return 1 if this is a "no acls"
503 ************************************************************************/
505 int no_acl_syscall_error(int err)
513 if (err == ENOTSUP) {