2 * Unix SMB/Netbios implementation.
3 * VFS module to get and set HP-UX ACLs
4 * Copyright (C) Michael Adam 2006,2008
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
21 * This module supports JFS (POSIX) ACLs on VxFS (Veritas * Filesystem).
22 * These are available on HP-UX 11.00 if JFS 3.3 is installed.
23 * On HP-UX 11i (11.11 and above) these ACLs are supported out of
26 * There is another form of ACLs on HFS. These ACLs have a
27 * completely different API and their own set of userland tools.
28 * Since HFS seems to be considered deprecated, HFS acls
29 * are not supported. (They could be supported through a separate
30 * vfs-module if there is demand.)
33 /* =================================================================
36 * The original hpux-acl code in lib/sysacls.c was based upon the
37 * solaris acl code in the same file. Now for the new modularized
38 * acl implementation, I have taken the code from vfs_solarisacls.c
39 * and did similar adaptations as were done before, essentially
40 * reusing the original internal aclsort functions.
41 * The check for the presence of the acl() call has been adopted, and
42 * a check for the presence of the aclsort() call has been added.
44 * Michael Adam <obnox@samba.org>
46 * ================================================================= */
50 #include "system/filesys.h"
51 #include "smbd/smbd.h"
52 #include "modules/vfs_hpuxacl.h"
56 * including standard header <sys/aclv.h>
58 * included here as a quick hack for the special HP-UX-situation:
60 * The problem is that, on HP-UX, jfs/posix acls are
61 * defined in <sys/aclv.h>, while the deprecated hfs acls
62 * are defined inside <sys/acl.h>.
65 /* GROUP is defined somewhere else so undef it here... */
68 /* dl.h: needed to check for acl call via shl_findsym */
71 typedef struct acl HPUX_ACE_T;
72 typedef struct acl *HPUX_ACL_T;
73 typedef int HPUX_ACL_TAG_T; /* the type of an ACL entry */
74 typedef ushort HPUX_PERM_T;
76 /* Structure to capture the count for each type of ACE.
77 * (for hpux_internal_aclsort */
78 struct hpux_acl_types {
99 /* for convenience: check if hpux acl entry is a default entry? */
100 #define _IS_DEFAULT(ace) ((ace).a_type & ACL_DEFAULT)
101 #define _IS_OF_TYPE(ace, type) ( \
102 (((type) == SMB_ACL_TYPE_ACCESS) && !_IS_DEFAULT(ace)) \
104 (((type) == SMB_ACL_TYPE_DEFAULT) && _IS_DEFAULT(ace)) \
108 /* prototypes for private functions */
110 static HPUX_ACL_T hpux_acl_init(int count);
111 static bool smb_acl_to_hpux_acl(SMB_ACL_T smb_acl,
112 HPUX_ACL_T *solariacl, int *count,
113 SMB_ACL_TYPE_T type);
114 static SMB_ACL_T hpux_acl_to_smb_acl(HPUX_ACL_T hpuxacl, int count,
115 SMB_ACL_TYPE_T type, TALLOC_CTX *mem_ctx);
116 static HPUX_ACL_TAG_T smb_tag_to_hpux_tag(SMB_ACL_TAG_T smb_tag);
117 static SMB_ACL_TAG_T hpux_tag_to_smb_tag(HPUX_ACL_TAG_T hpux_tag);
118 static bool hpux_add_to_acl(HPUX_ACL_T *hpux_acl, int *count,
119 HPUX_ACL_T add_acl, int add_count, SMB_ACL_TYPE_T type);
120 static bool hpux_acl_get_file(const char *name, HPUX_ACL_T *hpuxacl,
122 static SMB_ACL_PERM_T hpux_perm_to_smb_perm(const HPUX_PERM_T perm);
123 static HPUX_PERM_T smb_perm_to_hpux_perm(const SMB_ACL_PERM_T perm);
125 static bool hpux_acl_check(HPUX_ACL_T hpux_acl, int count);
127 /* aclsort (internal) and helpers: */
128 static bool hpux_acl_sort(HPUX_ACL_T acl, int count);
129 static int hpux_internal_aclsort(int acl_count, int calclass, HPUX_ACL_T aclp);
130 static void hpux_count_obj(int acl_count, HPUX_ACL_T aclp,
131 struct hpux_acl_types *acl_type_count);
132 static void hpux_swap_acl_entries(HPUX_ACE_T *aclp0, HPUX_ACE_T *aclp1);
133 static bool hpux_prohibited_duplicate_type(int acl_type);
135 static bool hpux_acl_call_present(void);
136 static bool hpux_aclsort_call_present(void);
139 /* public functions - the api */
141 SMB_ACL_T hpuxacl_sys_acl_get_file(vfs_handle_struct *handle,
146 SMB_ACL_T result = NULL;
148 HPUX_ACL_T hpux_acl = NULL;
150 DEBUG(10, ("hpuxacl_sys_acl_get_file called for file '%s'.\n",
153 if(hpux_acl_call_present() == False) {
154 /* Looks like we don't have the acl() system call on HPUX.
155 * May be the system doesn't have the latest version of JFS.
160 if (type != SMB_ACL_TYPE_ACCESS && type != SMB_ACL_TYPE_DEFAULT) {
161 DEBUG(10, ("invalid SMB_ACL_TYPE given (%d)\n", type));
166 DEBUGADD(10, ("getting %s acl\n",
167 ((type == SMB_ACL_TYPE_ACCESS) ? "access" : "default")));
169 if (!hpux_acl_get_file(path_p, &hpux_acl, &count)) {
172 result = hpux_acl_to_smb_acl(hpux_acl, count, type, mem_ctx);
173 if (result == NULL) {
174 DEBUG(10, ("conversion hpux_acl -> smb_acl failed (%s).\n",
179 DEBUG(10, ("hpuxacl_sys_acl_get_file %s.\n",
180 ((result == NULL) ? "failed" : "succeeded" )));
187 * get the access ACL of a file referred to by a fd
189 SMB_ACL_T hpuxacl_sys_acl_get_fd(vfs_handle_struct *handle,
194 * HPUX doesn't have the facl call. Fake it using the path.... JRA.
197 * We know we're in the same conn context. So we
198 * can use the relative path.
200 DEBUG(10, ("redirecting call of hpuxacl_sys_acl_get_fd to "
201 "hpuxacl_sys_acl_get_file (no facl syscall on HPUX).\n"));
203 return hpuxacl_sys_acl_get_file(handle,
204 fsp->fsp_name->base_name,
210 int hpuxacl_sys_acl_set_file(vfs_handle_struct *handle,
216 HPUX_ACL_T hpux_acl = NULL;
218 struct smb_filename *smb_fname = NULL;
221 DEBUG(10, ("hpuxacl_sys_acl_set_file called for file '%s'\n",
224 smb_fname = synthetic_smb_fname(talloc_tos(), name, NULL, NULL, 0);
225 if (smb_fname == NULL) {
226 status = NT_STATUS_NO_MEMORY;
230 if(hpux_acl_call_present() == False) {
231 /* Looks like we don't have the acl() system call on HPUX.
232 * May be the system doesn't have the latest version of JFS.
237 if ((type != SMB_ACL_TYPE_ACCESS) && (type != SMB_ACL_TYPE_DEFAULT)) {
239 DEBUG(10, ("invalid smb acl type given (%d).\n", type));
242 DEBUGADD(10, ("setting %s acl\n",
243 ((type == SMB_ACL_TYPE_ACCESS) ? "access" : "default")));
245 if(!smb_acl_to_hpux_acl(theacl, &hpux_acl, &count, type)) {
246 DEBUG(10, ("conversion smb_acl -> hpux_acl failed (%s).\n",
252 * We can directly use SMB_VFS_STAT here, as if this was a
253 * POSIX call on a symlink, we've already refused it.
254 * For a Windows acl mapped call on a symlink, we want to follow
257 ret = SMB_VFS_STAT(handle->conn, smb_fname);
259 DEBUG(10, ("Error in stat call: %s\n", strerror(errno)));
262 if (S_ISDIR(smb_fname->st.st_ex_mode)) {
264 * if the file is a directory, there is extra work to do:
265 * since the hpux acl call stores both the access acl and
266 * the default acl as provided, we have to get the acl part
267 * that has _not_ been specified in "type" from the file first
268 * and concatenate it with the acl provided.
270 HPUX_ACL_T other_acl;
272 SMB_ACL_TYPE_T other_type;
274 other_type = (type == SMB_ACL_TYPE_ACCESS)
275 ? SMB_ACL_TYPE_DEFAULT
276 : SMB_ACL_TYPE_ACCESS;
277 DEBUGADD(10, ("getting acl from filesystem\n"));
278 if (!hpux_acl_get_file(smb_fname->base_name, &other_acl,
280 DEBUG(10, ("error getting acl from directory\n"));
283 DEBUG(10, ("adding %s part of fs acl to given acl\n",
284 ((other_type == SMB_ACL_TYPE_ACCESS)
287 if (!hpux_add_to_acl(&hpux_acl, &count, other_acl,
288 other_count, other_type))
290 DEBUG(10, ("error adding other acl.\n"));
291 SAFE_FREE(other_acl);
294 SAFE_FREE(other_acl);
296 else if (type != SMB_ACL_TYPE_ACCESS) {
301 if (!hpux_acl_sort(hpux_acl, count)) {
302 DEBUG(10, ("resulting acl is not valid!\n"));
305 DEBUG(10, ("resulting acl is valid.\n"));
307 ret = acl(discard_const_p(char, smb_fname->base_name), ACL_SET, count,
310 DEBUG(0, ("ERROR calling acl: %s\n", strerror(errno)));
314 DEBUG(10, ("hpuxacl_sys_acl_set_file %s.\n",
315 ((ret != 0) ? "failed" : "succeeded")));
316 TALLOC_FREE(smb_fname);
322 * set the access ACL on the file referred to by a fd
324 int hpuxacl_sys_acl_set_fd(vfs_handle_struct *handle,
329 * HPUX doesn't have the facl call. Fake it using the path.... JRA.
332 * We know we're in the same conn context. So we
333 * can use the relative path.
335 DEBUG(10, ("redirecting call of hpuxacl_sys_acl_set_fd to "
336 "hpuxacl_sys_acl_set_file (no facl syscall on HPUX)\n"));
338 return hpuxacl_sys_acl_set_file(handle,
339 fsp->fsp_name->base_name,
340 SMB_ACL_TYPE_ACCESS, theacl);
345 * delete the default ACL of a directory
347 * This is achieved by fetching the access ACL and rewriting it
348 * directly, via the hpux system call: the ACL_SET call on
349 * directories writes both the access and the default ACL as provided.
351 * XXX: posix acl_delete_def_file returns an error if
352 * the file referred to by path is not a directory.
353 * this function does not complain but the actions
354 * have no effect on a file other than a directory.
355 * But sys_acl_delete_default_file is only called in
356 * smbd/posixacls.c after having checked that the file
357 * is a directory, anyways. So implementing the extra
358 * check is considered unnecessary. --- Agreed? XXX
360 int hpuxacl_sys_acl_delete_def_file(vfs_handle_struct *handle,
361 const struct smb_filename *smb_fname)
368 DEBUG(10, ("entering hpuxacl_sys_acl_delete_def_file.\n"));
370 smb_acl = hpuxacl_sys_acl_get_file(handle, smb_fname->base_name,
371 SMB_ACL_TYPE_ACCESS);
372 if (smb_acl == NULL) {
373 DEBUG(10, ("getting file acl failed!\n"));
376 if (!smb_acl_to_hpux_acl(smb_acl, &hpux_acl, &count,
377 SMB_ACL_TYPE_ACCESS))
379 DEBUG(10, ("conversion smb_acl -> hpux_acl failed.\n"));
382 if (!hpux_acl_sort(hpux_acl, count)) {
383 DEBUG(10, ("resulting acl is not valid!\n"));
386 ret = acl(discard_const_p(char, smb_fname->base_name),
387 ACL_SET, count, hpux_acl);
389 DEBUG(10, ("settinge file acl failed!\n"));
393 DEBUG(10, ("hpuxacl_sys_acl_delete_def_file %s.\n",
394 ((ret != 0) ? "failed" : "succeeded" )));
395 TALLOC_FREE(smb_acl);
404 static HPUX_ACL_T hpux_acl_init(int count)
406 HPUX_ACL_T hpux_acl =
407 (HPUX_ACL_T)SMB_MALLOC(sizeof(HPUX_ACE_T) * count);
408 if (hpux_acl == NULL) {
415 * Convert the SMB acl to the ACCESS or DEFAULT part of a
416 * hpux ACL, as desired.
418 static bool smb_acl_to_hpux_acl(SMB_ACL_T smb_acl,
419 HPUX_ACL_T *hpux_acl, int *count,
424 int check_which, check_rc;
426 DEBUG(10, ("entering smb_acl_to_hpux_acl\n"));
431 for (i = 0; i < smb_acl->count; i++) {
432 const struct smb_acl_entry *smb_entry = &(smb_acl->acl[i]);
433 HPUX_ACE_T hpux_entry;
435 ZERO_STRUCT(hpux_entry);
437 hpux_entry.a_type = smb_tag_to_hpux_tag(smb_entry->a_type);
438 if (hpux_entry.a_type == 0) {
439 DEBUG(10, ("smb_tag to hpux_tag failed\n"));
442 switch(hpux_entry.a_type) {
444 DEBUG(10, ("got tag type USER with uid %d\n",
445 smb_entry->info.user.uid));
446 hpux_entry.a_id = (uid_t)smb_entry->info.user.uid;
449 DEBUG(10, ("got tag type GROUP with gid %d\n",
450 smb_entry->info.group.gid));
451 hpux_entry.a_id = (uid_t)smb_entry->info.group.gid;
456 if (type == SMB_ACL_TYPE_DEFAULT) {
457 DEBUG(10, ("adding default bit to hpux ace\n"));
458 hpux_entry.a_type |= ACL_DEFAULT;
462 smb_perm_to_hpux_perm(smb_entry->a_perm);
463 DEBUG(10, ("assembled the following hpux ace:\n"));
464 DEBUGADD(10, (" - type: 0x%04x\n", hpux_entry.a_type));
465 DEBUGADD(10, (" - id: %d\n", hpux_entry.a_id));
466 DEBUGADD(10, (" - perm: o%o\n", hpux_entry.a_perm));
467 if (!hpux_add_to_acl(hpux_acl, count, &hpux_entry,
470 DEBUG(10, ("error adding acl entry\n"));
473 DEBUG(10, ("count after adding: %d (i: %d)\n", *count, i));
474 DEBUG(10, ("test, if entry has been copied into acl:\n"));
475 DEBUGADD(10, (" - type: 0x%04x\n",
476 (*hpux_acl)[(*count)-1].a_type));
477 DEBUGADD(10, (" - id: %d\n",
478 (*hpux_acl)[(*count)-1].a_id));
479 DEBUGADD(10, (" - perm: o%o\n",
480 (*hpux_acl)[(*count)-1].a_perm));
487 SAFE_FREE(*hpux_acl);
489 DEBUG(10, ("smb_acl_to_hpux_acl %s\n",
490 ((ret == True) ? "succeeded" : "failed")));
495 * convert either the access or the default part of a
496 * soaris acl to the SMB_ACL format.
498 static SMB_ACL_T hpux_acl_to_smb_acl(HPUX_ACL_T hpux_acl, int count,
499 SMB_ACL_TYPE_T type, TALLOC_CTX *mem_ctx)
504 if ((result = sys_acl_init(mem_ctx)) == NULL) {
505 DEBUG(10, ("error allocating memory for SMB_ACL\n"));
508 for (i = 0; i < count; i++) {
509 SMB_ACL_ENTRY_T smb_entry;
510 SMB_ACL_PERM_T smb_perm;
512 if (!_IS_OF_TYPE(hpux_acl[i], type)) {
515 result->acl = talloc_realloc(result, result->acl, struct smb_acl_entry, result->count + 1);
516 if (result->acl == NULL) {
517 DEBUG(10, ("error reallocating memory for SMB_ACL\n"));
520 smb_entry = &result->acl[result->count];
521 if (sys_acl_set_tag_type(smb_entry,
522 hpux_tag_to_smb_tag(hpux_acl[i].a_type)) != 0)
524 DEBUG(10, ("invalid tag type given: 0x%04x\n",
525 hpux_acl[i].a_type));
528 /* intentionally not checking return code here: */
529 sys_acl_set_qualifier(smb_entry, (void *)&hpux_acl[i].a_id);
530 smb_perm = hpux_perm_to_smb_perm(hpux_acl[i].a_perm);
531 if (sys_acl_set_permset(smb_entry, &smb_perm) != 0) {
532 DEBUG(10, ("invalid permset given: %d\n",
533 hpux_acl[i].a_perm));
542 DEBUG(10, ("hpux_acl_to_smb_acl %s\n",
543 ((result == NULL) ? "failed" : "succeeded")));
549 static HPUX_ACL_TAG_T smb_tag_to_hpux_tag(SMB_ACL_TAG_T smb_tag)
551 HPUX_ACL_TAG_T hpux_tag = 0;
553 DEBUG(10, ("smb_tag_to_hpux_tag\n"));
554 DEBUGADD(10, (" --> got smb tag 0x%04x\n", smb_tag));
560 case SMB_ACL_USER_OBJ:
566 case SMB_ACL_GROUP_OBJ:
567 hpux_tag = GROUP_OBJ;
570 hpux_tag = OTHER_OBJ;
573 hpux_tag = CLASS_OBJ;
576 DEBUGADD(10, (" !!! unknown smb tag type 0x%04x\n", smb_tag));
580 DEBUGADD(10, (" --> determined hpux tag 0x%04x\n", hpux_tag));
585 static SMB_ACL_TAG_T hpux_tag_to_smb_tag(HPUX_ACL_TAG_T hpux_tag)
587 SMB_ACL_TAG_T smb_tag = 0;
589 DEBUG(10, ("hpux_tag_to_smb_tag:\n"));
590 DEBUGADD(10, (" --> got hpux tag 0x%04x\n", hpux_tag));
592 hpux_tag &= ~ACL_DEFAULT;
596 smb_tag = SMB_ACL_USER;
599 smb_tag = SMB_ACL_USER_OBJ;
602 smb_tag = SMB_ACL_GROUP;
605 smb_tag = SMB_ACL_GROUP_OBJ;
608 smb_tag = SMB_ACL_OTHER;
611 smb_tag = SMB_ACL_MASK;
614 DEBUGADD(10, (" !!! unknown hpux tag type: 0x%04x\n",
619 DEBUGADD(10, (" --> determined smb tag 0x%04x\n", smb_tag));
626 * The permission bits used in the following two permission conversion
627 * functions are same, but the functions make us independent of the concrete
628 * permission data types.
630 static SMB_ACL_PERM_T hpux_perm_to_smb_perm(const HPUX_PERM_T perm)
632 SMB_ACL_PERM_T smb_perm = 0;
633 smb_perm |= ((perm & SMB_ACL_READ) ? SMB_ACL_READ : 0);
634 smb_perm |= ((perm & SMB_ACL_WRITE) ? SMB_ACL_WRITE : 0);
635 smb_perm |= ((perm & SMB_ACL_EXECUTE) ? SMB_ACL_EXECUTE : 0);
640 static HPUX_PERM_T smb_perm_to_hpux_perm(const SMB_ACL_PERM_T perm)
642 HPUX_PERM_T hpux_perm = 0;
643 hpux_perm |= ((perm & SMB_ACL_READ) ? SMB_ACL_READ : 0);
644 hpux_perm |= ((perm & SMB_ACL_WRITE) ? SMB_ACL_WRITE : 0);
645 hpux_perm |= ((perm & SMB_ACL_EXECUTE) ? SMB_ACL_EXECUTE : 0);
650 static bool hpux_acl_get_file(const char *name, HPUX_ACL_T *hpux_acl,
654 static HPUX_ACE_T dummy_ace;
656 DEBUG(10, ("hpux_acl_get_file called for file '%s'\n", name));
659 * The original code tries some INITIAL_ACL_SIZE
660 * and only did the ACL_CNT call upon failure
661 * (for performance reasons).
662 * For the sake of simplicity, I skip this for now.
664 * NOTE: There is a catch here on HP-UX: acl with cmd parameter
665 * ACL_CNT fails with errno EINVAL when called with a NULL
666 * pointer as last argument. So we need to use a dummy acl
667 * struct here (we make it static so it does not need to be
668 * instantiated or malloced each time this function is
669 * called). Btw: the count parameter does not seem to matter...
671 *count = acl(discard_const_p(char, name), ACL_CNT, 0, &dummy_ace);
673 DEBUG(10, ("acl ACL_CNT failed: %s\n", strerror(errno)));
676 *hpux_acl = hpux_acl_init(*count);
677 if (*hpux_acl == NULL) {
678 DEBUG(10, ("error allocating memory for hpux acl...\n"));
681 *count = acl(discard_const_p(char, name), ACL_GET, *count, *hpux_acl);
683 DEBUG(10, ("acl ACL_GET failed: %s\n", strerror(errno)));
689 DEBUG(10, ("hpux_acl_get_file %s.\n",
690 ((result == True) ? "succeeded" : "failed" )));
698 * Add entries to a hpux ACL.
700 * Entries are directly added to the hpuxacl parameter.
701 * if memory allocation fails, this may result in hpuxacl
702 * being NULL. if the resulting acl is to be checked and is
703 * not valid, it is kept in hpuxacl but False is returned.
705 * The type of ACEs (access/default) to be added to the ACL can
706 * be selected via the type parameter.
707 * I use the SMB_ACL_TYPE_T type here. Since SMB_ACL_TYPE_ACCESS
708 * is defined as "0", this means that one can only add either
709 * access or default ACEs from the given ACL, not both at the same
710 * time. If it should become necessary to add all of an ACL, one
711 * would have to replace this parameter by another type.
713 static bool hpux_add_to_acl(HPUX_ACL_T *hpux_acl, int *count,
714 HPUX_ACL_T add_acl, int add_count,
719 if ((type != SMB_ACL_TYPE_ACCESS) && (type != SMB_ACL_TYPE_DEFAULT))
721 DEBUG(10, ("invalid acl type given: %d\n", type));
725 for (i = 0; i < add_count; i++) {
726 if (!_IS_OF_TYPE(add_acl[i], type)) {
729 ADD_TO_ARRAY(NULL, HPUX_ACE_T, add_acl[i],
731 if (hpux_acl == NULL) {
732 DEBUG(10, ("error enlarging acl.\n"));
742 * sort the ACL and check it for validity
744 * [original comment from lib/sysacls.c:]
746 * if it's a minimal ACL with only 4 entries then we
747 * need to recalculate the mask permissions to make
748 * sure that they are the same as the GROUP_OBJ
749 * permissions as required by the UnixWare acl() system call.
751 * (note: since POSIX allows minimal ACLs which only contain
752 * 3 entries - ie there is no mask entry - we should, in theory,
753 * check for this and add a mask entry if necessary - however
754 * we "know" that the caller of this interface always specifies
755 * a mask, so in practice "this never happens" (tm) - if it *does*
756 * happen aclsort() will fail and return an error and someone will
759 static bool hpux_acl_sort(HPUX_ACL_T hpux_acl, int count)
761 int fixmask = (count <= 4);
763 if (hpux_internal_aclsort(count, fixmask, hpux_acl) != 0) {
772 * Helpers for hpux_internal_aclsort:
774 * - hpux_swap_acl_entries
775 * - hpux_prohibited_duplicate_type
776 * - hpux_get_needed_class_perm
780 * Counts the different number of objects in a given array of ACL
784 * acl_count - Count of ACLs in the array of ACL strucutres.
785 * aclp - Array of ACL structures.
786 * acl_type_count - Pointer to acl_types structure. Should already be
790 * acl_type_count - This structure is filled up with counts of various
794 static void hpux_count_obj(int acl_count, HPUX_ACL_T aclp, struct hpux_acl_types *acl_type_count)
798 memset(acl_type_count, 0, sizeof(struct hpux_acl_types));
800 for(i=0;i<acl_count;i++) {
801 switch(aclp[i].a_type) {
803 acl_type_count->n_user++;
806 acl_type_count->n_user_obj++;
809 acl_type_count->n_def_user_obj++;
812 acl_type_count->n_group++;
815 acl_type_count->n_group_obj++;
818 acl_type_count->n_def_group_obj++;
821 acl_type_count->n_other_obj++;
824 acl_type_count->n_def_other_obj++;
827 acl_type_count->n_class_obj++;
830 acl_type_count->n_def_class_obj++;
833 acl_type_count->n_def_user++;
836 acl_type_count->n_def_group++;
839 acl_type_count->n_illegal_obj++;
845 /* hpux_swap_acl_entries: Swaps two ACL entries.
847 * Inputs: aclp0, aclp1 - ACL entries to be swapped.
850 static void hpux_swap_acl_entries(HPUX_ACE_T *aclp0, HPUX_ACE_T *aclp1)
854 temp_acl.a_type = aclp0->a_type;
855 temp_acl.a_id = aclp0->a_id;
856 temp_acl.a_perm = aclp0->a_perm;
858 aclp0->a_type = aclp1->a_type;
859 aclp0->a_id = aclp1->a_id;
860 aclp0->a_perm = aclp1->a_perm;
862 aclp1->a_type = temp_acl.a_type;
863 aclp1->a_id = temp_acl.a_id;
864 aclp1->a_perm = temp_acl.a_perm;
867 /* hpux_prohibited_duplicate_type
868 * Identifies if given ACL type can have duplicate entries or
871 * Inputs: acl_type - ACL Type.
877 * True - If the ACL type matches any of the prohibited types.
878 * False - If the ACL type doesn't match any of the prohibited types.
881 static bool hpux_prohibited_duplicate_type(int acl_type)
894 /* hpux_get_needed_class_perm
895 * Returns the permissions of a ACL structure only if the ACL
896 * type matches one of the pre-determined types for computing
897 * CLASS_OBJ permissions.
899 * Inputs: aclp - Pointer to ACL structure.
902 static int hpux_get_needed_class_perm(struct acl *aclp)
904 switch(aclp->a_type) {
920 /* hpux_internal_aclsort: aclsort for HPUX.
922 * -> The aclsort() system call is available on the latest HPUX General
923 * -> Patch Bundles. So for HPUX, we developed our version of aclsort
924 * -> function. Because, we don't want to update to a new
925 * -> HPUX GR bundle just for aclsort() call.
927 * aclsort sorts the array of ACL structures as per the description in
928 * aclsort man page. Refer to aclsort man page for more details
932 * acl_count - Count of ACLs in the array of ACL structures.
933 * calclass - If this is not zero, then we compute the CLASS_OBJ
935 * aclp - Array of ACL structures.
939 * aclp - Sorted array of ACL structures.
943 * Returns 0 for success -1 for failure. Prints a message to the Samba
944 * debug log in case of failure.
947 static int hpux_internal_aclsort(int acl_count, int calclass, HPUX_ACL_T aclp)
949 struct hpux_acl_types acl_obj_count;
950 int n_class_obj_perm = 0;
953 DEBUG(10,("Entering hpux_internal_aclsort. (calclass = %d)\n", calclass));
955 if (hpux_aclsort_call_present()) {
956 DEBUG(10, ("calling hpux aclsort\n"));
957 return aclsort(acl_count, calclass, aclp);
960 DEBUG(10, ("using internal aclsort\n"));
963 DEBUG(10,("Zero acl count passed. Returning Success\n"));
968 DEBUG(0,("Null ACL pointer in hpux_acl_sort. Returning Failure. \n"));
972 /* Count different types of ACLs in the ACLs array */
974 hpux_count_obj(acl_count, aclp, &acl_obj_count);
976 /* There should be only one entry each of type USER_OBJ, GROUP_OBJ,
977 * CLASS_OBJ and OTHER_OBJ
980 if ( (acl_obj_count.n_user_obj != 1) ||
981 (acl_obj_count.n_group_obj != 1) ||
982 (acl_obj_count.n_class_obj != 1) ||
983 (acl_obj_count.n_other_obj != 1) )
985 DEBUG(0,("hpux_internal_aclsort: More than one entry or no entries for \
986 USER OBJ or GROUP_OBJ or OTHER_OBJ or CLASS_OBJ\n"));
990 /* If any of the default objects are present, there should be only
994 if ( (acl_obj_count.n_def_user_obj > 1) ||
995 (acl_obj_count.n_def_group_obj > 1) ||
996 (acl_obj_count.n_def_other_obj > 1) ||
997 (acl_obj_count.n_def_class_obj > 1) )
999 DEBUG(0,("hpux_internal_aclsort: More than one entry for DEF_CLASS_OBJ \
1000 or DEF_USER_OBJ or DEF_GROUP_OBJ or DEF_OTHER_OBJ\n"));
1004 /* We now have proper number of OBJ and DEF_OBJ entries. Now sort the acl
1007 * Sorting crieteria - First sort by ACL type. If there are multiple entries of
1008 * same ACL type, sort by ACL id.
1010 * I am using the trival kind of sorting method here because, performance isn't
1011 * really effected by the ACLs feature. More over there aren't going to be more
1012 * than 17 entries on HPUX.
1015 for(i=0; i<acl_count;i++) {
1016 for (j=i+1; j<acl_count; j++) {
1017 if( aclp[i].a_type > aclp[j].a_type ) {
1018 /* ACL entries out of order, swap them */
1019 hpux_swap_acl_entries((aclp+i), (aclp+j));
1020 } else if ( aclp[i].a_type == aclp[j].a_type ) {
1021 /* ACL entries of same type, sort by id */
1022 if(aclp[i].a_id > aclp[j].a_id) {
1023 hpux_swap_acl_entries((aclp+i), (aclp+j));
1024 } else if (aclp[i].a_id == aclp[j].a_id) {
1025 /* We have a duplicate entry. */
1026 if(hpux_prohibited_duplicate_type(aclp[i].a_type)) {
1027 DEBUG(0, ("hpux_internal_aclsort: Duplicate entry: Type(hex): %x Id: %d\n",
1028 aclp[i].a_type, aclp[i].a_id));
1036 /* set the class obj permissions to the computed one. */
1038 int n_class_obj_index = -1;
1040 for(i=0;i<acl_count;i++) {
1041 n_class_obj_perm |= hpux_get_needed_class_perm((aclp+i));
1043 if(aclp[i].a_type == CLASS_OBJ)
1044 n_class_obj_index = i;
1046 aclp[n_class_obj_index].a_perm = n_class_obj_perm;
1054 * hpux_acl_call_present:
1056 * This checks if the POSIX ACL system call is defined
1057 * which basically corresponds to whether JFS 3.3 or
1058 * higher is installed. If acl() was called when it
1059 * isn't defined, it causes the process to core dump
1060 * so it is important to check this and avoid acl()
1061 * calls if it isn't there.
1064 static bool hpux_acl_call_present(void)
1067 shl_t handle = NULL;
1070 static bool already_checked = False;
1077 ret_val = shl_findsym(&handle, "acl", TYPE_PROCEDURE, &value);
1080 DEBUG(5, ("hpux_acl_call_present: shl_findsym() returned %d, errno = %d, error %s\n",
1081 ret_val, errno, strerror(errno)));
1082 DEBUG(5,("hpux_acl_call_present: acl() system call is not present. Check if you have JFS 3.3 and above?\n"));
1087 DEBUG(10,("hpux_acl_call_present: acl() system call is present. We have JFS 3.3 or above \n"));
1089 already_checked = True;
1094 * runtime check for presence of aclsort library call.
1095 * same code as for acl call. if there are more of these,
1096 * a dispatcher function could be handy...
1099 static bool hpux_aclsort_call_present(void)
1101 shl_t handle = NULL;
1104 static bool already_checked = False;
1106 if (already_checked) {
1111 ret_val = shl_findsym(&handle, "aclsort", TYPE_PROCEDURE, &value);
1113 DEBUG(5, ("hpux_aclsort_call_present: shl_findsym "
1114 "returned %d, errno = %d, error %s",
1115 ret_val, errno, strerror(errno)));
1116 DEBUG(5, ("hpux_aclsort_call_present: "
1117 "aclsort() function not available.\n"));
1120 DEBUG(10,("hpux_aclsort_call_present: aclsort() function present.\n"));
1121 already_checked = True;
1127 * acl check function:
1128 * unused at the moment but could be used to get more
1129 * concrete error messages for debugging...
1130 * (acl sort just says that the acl is invalid...)
1132 static bool hpux_acl_check(HPUX_ACL_T hpux_acl, int count)
1137 check_rc = aclcheck(hpux_acl, count, &check_which);
1138 if (check_rc != 0) {
1139 DEBUG(10, ("acl is not valid:\n"));
1140 DEBUGADD(10, (" - return code: %d\n", check_rc));
1141 DEBUGADD(10, (" - which: %d\n", check_which));
1142 if (check_which != -1) {
1143 DEBUGADD(10, (" - invalid entry:\n"));
1144 DEBUGADD(10, (" * type: %d:\n",
1145 hpux_acl[check_which].a_type));
1146 DEBUGADD(10, (" * id: %d\n",
1147 hpux_acl[check_which].a_id));
1148 DEBUGADD(10, (" * perm: 0o%o\n",
1149 hpux_acl[check_which].a_perm));
1157 /* VFS operations structure */
1159 static struct vfs_fn_pointers hpuxacl_fns = {
1160 .sys_acl_get_file_fn = hpuxacl_sys_acl_get_file,
1161 .sys_acl_get_fd_fn = hpuxacl_sys_acl_get_fd,
1162 .sys_acl_blob_get_file_fn = posix_sys_acl_blob_get_file,
1163 .sys_acl_blob_get_fd_fn = posix_sys_acl_blob_get_fd,
1164 .sys_acl_set_file_fn = hpuxacl_sys_acl_set_file,
1165 .sys_acl_set_fd_fn = hpuxacl_sys_acl_set_fd,
1166 .sys_acl_delete_def_file_fn = hpuxacl_sys_acl_delete_def_file,
1169 NTSTATUS vfs_hpuxacl_init(TALLOC_CTX *ctx)
1171 return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "hpuxacl",
git.samba.org / samba.git / blob