/* [<][>][^][v][top][bottom][index][help] */
DEFINITIONS
This source file includes following definitions.
- hpuxacl_sys_acl_get_file
- hpuxacl_sys_acl_get_fd
- hpuxacl_sys_acl_set_file
- hpuxacl_sys_acl_set_fd
- hpuxacl_sys_acl_delete_def_file
- hpux_acl_init
- smb_acl_to_hpux_acl
- hpux_acl_to_smb_acl
- smb_tag_to_hpux_tag
- hpux_tag_to_smb_tag
- hpux_perm_to_smb_perm
- smb_perm_to_hpux_perm
- hpux_acl_get_file
- hpux_add_to_acl
- hpux_acl_sort
- hpux_count_obj
- hpux_swap_acl_entries
- hpux_prohibited_duplicate_type
- hpux_get_needed_class_perm
- hpux_internal_aclsort
- hpux_acl_call_present
- hpux_aclsort_call_present
- hpux_acl_check
- vfs_hpuxacl_init
1 /*
2 * Unix SMB/Netbios implementation.
3 * VFS module to get and set HP-UX ACLs
4 * Copyright (C) Michael Adam 2006,2008
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /*
21 * This module supports JFS (POSIX) ACLs on VxFS (Veritas * Filesystem).
22 * These are available on HP-UX 11.00 if JFS 3.3 is installed.
23 * On HP-UX 11i (11.11 and above) these ACLs are supported out of
24 * the box.
25 *
26 * There is another form of ACLs on HFS. These ACLs have a
27 * completely different API and their own set of userland tools.
28 * Since HFS seems to be considered deprecated, HFS acls
29 * are not supported. (They could be supported through a separate
30 * vfs-module if there is demand.)
31 */
32
33 /* =================================================================
34 * NOTE:
35 *
36 * The original hpux-acl code in lib/sysacls.c was based upon the
37 * solaris acl code in the same file. Now for the new modularized
38 * acl implementation, I have taken the code from vfs_solarisacls.c
39 * and did similar adaptations as were done before, essentially
40 * reusing the original internal aclsort functions.
41 * The check for the presence of the acl() call has been adopted, and
42 * a check for the presence of the aclsort() call has been added.
43 *
44 * Michael Adam <obnox@samba.org>
45 *
46 * ================================================================= */
47
48
49 #include "includes.h"
50
51 /*
52 * including standard header <sys/aclv.h>
53 *
54 * included here as a quick hack for the special HP-UX-situation:
55 *
56 * The problem is that, on HP-UX, jfs/posix acls are
57 * defined in <sys/aclv.h>, while the deprecated hfs acls
58 * are defined inside <sys/acl.h>.
59 *
60 */
61 /* GROUP is defined somewhere else so undef it here... */
62 #undef GROUP
63 #include <sys/aclv.h>
64 /* dl.h: needed to check for acl call via shl_findsym */
65 #include <dl.h>
66
67 typedef struct acl HPUX_ACE_T;
68 typedef struct acl *HPUX_ACL_T;
69 typedef int HPUX_ACL_TAG_T; /* the type of an ACL entry */
70 typedef ushort HPUX_PERM_T;
71
72 /* Structure to capture the count for each type of ACE.
73 * (for hpux_internal_aclsort */
74 struct hpux_acl_types {
75 int n_user;
76 int n_def_user;
77 int n_user_obj;
78 int n_def_user_obj;
79
80 int n_group;
81 int n_def_group;
82 int n_group_obj;
83 int n_def_group_obj;
84
85 int n_other;
86 int n_other_obj;
87 int n_def_other_obj;
88
89 int n_class_obj;
90 int n_def_class_obj;
91
92 int n_illegal_obj;
93 };
94
95 /* for convenience: check if hpux acl entry is a default entry? */
96 #define _IS_DEFAULT(ace) ((ace).a_type & ACL_DEFAULT)
97 #define _IS_OF_TYPE(ace, type) ( \
98 (((type) == SMB_ACL_TYPE_ACCESS) && !_IS_DEFAULT(ace)) \
99 || \
100 (((type) == SMB_ACL_TYPE_DEFAULT) && _IS_DEFAULT(ace)) \
101 )
102
103
104 /* prototypes for private functions */
105
106 static HPUX_ACL_T hpux_acl_init(int count);
107 static bool smb_acl_to_hpux_acl(SMB_ACL_T smb_acl,
108 HPUX_ACL_T *solariacl, int *count,
109 SMB_ACL_TYPE_T type);
110 static SMB_ACL_T hpux_acl_to_smb_acl(HPUX_ACL_T hpuxacl, int count,
111 SMB_ACL_TYPE_T type);
112 static HPUX_ACL_TAG_T smb_tag_to_hpux_tag(SMB_ACL_TAG_T smb_tag);
113 static SMB_ACL_TAG_T hpux_tag_to_smb_tag(HPUX_ACL_TAG_T hpux_tag);
114 static bool hpux_add_to_acl(HPUX_ACL_T *hpux_acl, int *count,
115 HPUX_ACL_T add_acl, int add_count, SMB_ACL_TYPE_T type);
116 static bool hpux_acl_get_file(const char *name, HPUX_ACL_T *hpuxacl,
117 int *count);
118 static SMB_ACL_PERM_T hpux_perm_to_smb_perm(const HPUX_PERM_T perm);
119 static HPUX_PERM_T smb_perm_to_hpux_perm(const SMB_ACL_PERM_T perm);
120 #if 0
121 static bool hpux_acl_check(HPUX_ACL_T hpux_acl, int count);
122 #endif
123 /* aclsort (internal) and helpers: */
124 static bool hpux_acl_sort(HPUX_ACL_T acl, int count);
125 static int hpux_internal_aclsort(int acl_count, int calclass, HPUX_ACL_T aclp);
126 static void hpux_count_obj(int acl_count, HPUX_ACL_T aclp,
127 struct hpux_acl_types *acl_type_count);
128 static void hpux_swap_acl_entries(HPUX_ACE_T *aclp0, HPUX_ACE_T *aclp1);
129 static bool hpux_prohibited_duplicate_type(int acl_type);
130
131 static bool hpux_acl_call_present(void);
132 static bool hpux_aclsort_call_present(void);
133
134
135 /* public functions - the api */
136
137 SMB_ACL_T hpuxacl_sys_acl_get_file(vfs_handle_struct *handle,
/* [<][>][^][v][top][bottom][index][help] */
138 const char *path_p,
139 SMB_ACL_TYPE_T type)
140 {
141 SMB_ACL_T result = NULL;
142 int count;
143 HPUX_ACL_T hpux_acl = NULL;
144
145 DEBUG(10, ("hpuxacl_sys_acl_get_file called for file '%s'.\n",
146 path_p));
147
148 if(hpux_acl_call_present() == False) {
149 /* Looks like we don't have the acl() system call on HPUX.
150 * May be the system doesn't have the latest version of JFS.
151 */
152 goto done;
153 }
154
155 if (type != SMB_ACL_TYPE_ACCESS && type != SMB_ACL_TYPE_DEFAULT) {
156 DEBUG(10, ("invalid SMB_ACL_TYPE given (%d)\n", type));
157 errno = EINVAL;
158 goto done;
159 }
160
161 DEBUGADD(10, ("getting %s acl\n",
162 ((type == SMB_ACL_TYPE_ACCESS) ? "access" : "default")));
163
164 if (!hpux_acl_get_file(path_p, &hpux_acl, &count)) {
165 goto done;
166 }
167 result = hpux_acl_to_smb_acl(hpux_acl, count, type);
168 if (result == NULL) {
169 DEBUG(10, ("conversion hpux_acl -> smb_acl failed (%s).\n",
170 strerror(errno)));
171 }
172
173 done:
174 DEBUG(10, ("hpuxacl_sys_acl_get_file %s.\n",
175 ((result == NULL) ? "failed" : "succeeded" )));
176 SAFE_FREE(hpux_acl);
177 return result;
178 }
179
180
181 /*
182 * get the access ACL of a file referred to by a fd
183 */
184 SMB_ACL_T hpuxacl_sys_acl_get_fd(vfs_handle_struct *handle,
/* [<][>][^][v][top][bottom][index][help] */
185 files_struct *fsp)
186 {
187 /*
188 * HPUX doesn't have the facl call. Fake it using the path.... JRA.
189 */
190 /* For all I see, the info should already be in the fsp
191 * parameter, but get it again to be safe --- necessary? */
192 files_struct *file_struct_p = file_find_fd(fsp->fh->fd);
193 if (file_struct_p == NULL) {
194 errno = EBADF;
195 return NULL;
196 }
197 /*
198 * We know we're in the same conn context. So we
199 * can use the relative path.
200 */
201 DEBUG(10, ("redirecting call of hpuxacl_sys_acl_get_fd to "
202 "hpuxacl_sys_acl_get_file (no facl syscall on HPUX).\n"));
203
204 return hpuxacl_sys_acl_get_file(handle, file_struct_p->fsp_name,
205 SMB_ACL_TYPE_ACCESS);
206 }
207
208
209 int hpuxacl_sys_acl_set_file(vfs_handle_struct *handle,
/* [<][>][^][v][top][bottom][index][help] */
210 const char *name,
211 SMB_ACL_TYPE_T type,
212 SMB_ACL_T theacl)
213 {
214 int ret = -1;
215 SMB_STRUCT_STAT s;
216 HPUX_ACL_T hpux_acl = NULL;
217 int count;
218
219 DEBUG(10, ("hpuxacl_sys_acl_set_file called for file '%s'\n",
220 name));
221
222
223 if(hpux_acl_call_present() == False) {
224 /* Looks like we don't have the acl() system call on HPUX.
225 * May be the system doesn't have the latest version of JFS.
226 */
227 goto done;
228 }
229
230 if ((type != SMB_ACL_TYPE_ACCESS) && (type != SMB_ACL_TYPE_DEFAULT)) {
231 errno = EINVAL;
232 DEBUG(10, ("invalid smb acl type given (%d).\n", type));
233 goto done;
234 }
235 DEBUGADD(10, ("setting %s acl\n",
236 ((type == SMB_ACL_TYPE_ACCESS) ? "access" : "default")));
237
238 if(!smb_acl_to_hpux_acl(theacl, &hpux_acl, &count, type)) {
239 DEBUG(10, ("conversion smb_acl -> hpux_acl failed (%s).\n",
240 strerror(errno)));
241 goto done;
242 }
243
244 /*
245 * if the file is a directory, there is extra work to do:
246 * since the hpux acl call stores both the access acl and
247 * the default acl as provided, we have to get the acl part
248 * that has _not_ been specified in "type" from the file first
249 * and concatenate it with the acl provided.
250 */
251 if (lp_posix_pathnames()) {
252 ret = SMB_VFS_LSTAT(handle->conn, name, &s);
253 } else {
254 ret = SMB_VFS_STAT(handle->conn, name, &s);
255 }
256
257 if (ret != 0) {
258 DEBUG(10, ("Error in stat call: %s\n", strerror(errno)));
259 goto done;
260 }
261 if (S_ISDIR(s.st_mode)) {
262 HPUX_ACL_T other_acl;
263 int other_count;
264 SMB_ACL_TYPE_T other_type;
265
266 other_type = (type == SMB_ACL_TYPE_ACCESS)
267 ? SMB_ACL_TYPE_DEFAULT
268 : SMB_ACL_TYPE_ACCESS;
269 DEBUGADD(10, ("getting acl from filesystem\n"));
270 if (!hpux_acl_get_file(name, &other_acl, &other_count)) {
271 DEBUG(10, ("error getting acl from directory\n"));
272 goto done;
273 }
274 DEBUG(10, ("adding %s part of fs acl to given acl\n",
275 ((other_type == SMB_ACL_TYPE_ACCESS)
276 ? "access"
277 : "default")));
278 if (!hpux_add_to_acl(&hpux_acl, &count, other_acl,
279 other_count, other_type))
280 {
281 DEBUG(10, ("error adding other acl.\n"));
282 SAFE_FREE(other_acl);
283 goto done;
284 }
285 SAFE_FREE(other_acl);
286 }
287 else if (type != SMB_ACL_TYPE_ACCESS) {
288 errno = EINVAL;
289 goto done;
290 }
291
292 if (!hpux_acl_sort(hpux_acl, count)) {
293 DEBUG(10, ("resulting acl is not valid!\n"));
294 goto done;
295 }
296 DEBUG(10, ("resulting acl is valid.\n"));
297
298 ret = acl(CONST_DISCARD(char *, name), ACL_SET, count, hpux_acl);
299 if (ret != 0) {
300 DEBUG(0, ("ERROR calling acl: %s\n", strerror(errno)));
301 }
302
303 done:
304 DEBUG(10, ("hpuxacl_sys_acl_set_file %s.\n",
305 ((ret != 0) ? "failed" : "succeeded")));
306 SAFE_FREE(hpux_acl);
307 return ret;
308 }
309
310 /*
311 * set the access ACL on the file referred to by a fd
312 */
313 int hpuxacl_sys_acl_set_fd(vfs_handle_struct *handle,
/* [<][>][^][v][top][bottom][index][help] */
314 files_struct *fsp,
315 SMB_ACL_T theacl)
316 {
317 /*
318 * HPUX doesn't have the facl call. Fake it using the path.... JRA.
319 */
320 /* For all I see, the info should already be in the fsp
321 * parameter, but get it again to be safe --- necessary? */
322 files_struct *file_struct_p = file_find_fd(fsp->fh->fd);
323 if (file_struct_p == NULL) {
324 errno = EBADF;
325 return -1;
326 }
327 /*
328 * We know we're in the same conn context. So we
329 * can use the relative path.
330 */
331 DEBUG(10, ("redirecting call of hpuxacl_sys_acl_set_fd to "
332 "hpuxacl_sys_acl_set_file (no facl syscall on HPUX)\n"));
333
334 return hpuxacl_sys_acl_set_file(handle, file_struct_p->fsp_name,
335 SMB_ACL_TYPE_ACCESS, theacl);
336 }
337
338
339 /*
340 * delete the default ACL of a directory
341 *
342 * This is achieved by fetching the access ACL and rewriting it
343 * directly, via the hpux system call: the ACL_SET call on
344 * directories writes both the access and the default ACL as provided.
345 *
346 * XXX: posix acl_delete_def_file returns an error if
347 * the file referred to by path is not a directory.
348 * this function does not complain but the actions
349 * have no effect on a file other than a directory.
350 * But sys_acl_delete_default_file is only called in
351 * smbd/posixacls.c after having checked that the file
352 * is a directory, anyways. So implementing the extra
353 * check is considered unnecessary. --- Agreed? XXX
354 */
355 int hpuxacl_sys_acl_delete_def_file(vfs_handle_struct *handle,
/* [<][>][^][v][top][bottom][index][help] */
356 const char *path)
357 {
358 SMB_ACL_T smb_acl;
359 int ret = -1;
360 HPUX_ACL_T hpux_acl;
361 int count;
362
363 DEBUG(10, ("entering hpuxacl_sys_acl_delete_def_file.\n"));
364
365 smb_acl = hpuxacl_sys_acl_get_file(handle, path,
366 SMB_ACL_TYPE_ACCESS);
367 if (smb_acl == NULL) {
368 DEBUG(10, ("getting file acl failed!\n"));
369 goto done;
370 }
371 if (!smb_acl_to_hpux_acl(smb_acl, &hpux_acl, &count,
372 SMB_ACL_TYPE_ACCESS))
373 {
374 DEBUG(10, ("conversion smb_acl -> hpux_acl failed.\n"));
375 goto done;
376 }
377 if (!hpux_acl_sort(hpux_acl, count)) {
378 DEBUG(10, ("resulting acl is not valid!\n"));
379 goto done;
380 }
381 ret = acl(CONST_DISCARD(char *, path), ACL_SET, count, hpux_acl);
382 if (ret != 0) {
383 DEBUG(10, ("settinge file acl failed!\n"));
384 }
385
386 done:
387 DEBUG(10, ("hpuxacl_sys_acl_delete_def_file %s.\n",
388 ((ret != 0) ? "failed" : "succeeded" )));
389 SAFE_FREE(smb_acl);
390 return ret;
391 }
392
393
394 /*
395 * private functions
396 */
397
398 static HPUX_ACL_T hpux_acl_init(int count)
/* [<][>][^][v][top][bottom][index][help] */
399 {
400 HPUX_ACL_T hpux_acl =
401 (HPUX_ACL_T)SMB_MALLOC(sizeof(HPUX_ACE_T) * count);
402 if (hpux_acl == NULL) {
403 errno = ENOMEM;
404 }
405 return hpux_acl;
406 }
407
408 /*
409 * Convert the SMB acl to the ACCESS or DEFAULT part of a
410 * hpux ACL, as desired.
411 */
412 static bool smb_acl_to_hpux_acl(SMB_ACL_T smb_acl,
/* [<][>][^][v][top][bottom][index][help] */
413 HPUX_ACL_T *hpux_acl, int *count,
414 SMB_ACL_TYPE_T type)
415 {
416 bool ret = False;
417 int i;
418 int check_which, check_rc;
419
420 DEBUG(10, ("entering smb_acl_to_hpux_acl\n"));
421
422 *hpux_acl = NULL;
423 *count = 0;
424
425 for (i = 0; i < smb_acl->count; i++) {
426 const struct smb_acl_entry *smb_entry = &(smb_acl->acl[i]);
427 HPUX_ACE_T hpux_entry;
428
429 ZERO_STRUCT(hpux_entry);
430
431 hpux_entry.a_type = smb_tag_to_hpux_tag(smb_entry->a_type);
432 if (hpux_entry.a_type == 0) {
433 DEBUG(10, ("smb_tag to hpux_tag failed\n"));
434 goto fail;
435 }
436 switch(hpux_entry.a_type) {
437 case USER:
438 DEBUG(10, ("got tag type USER with uid %d\n",
439 smb_entry->uid));
440 hpux_entry.a_id = (uid_t)smb_entry->uid;
441 break;
442 case GROUP:
443 DEBUG(10, ("got tag type GROUP with gid %d\n",
444 smb_entry->gid));
445 hpux_entry.a_id = (uid_t)smb_entry->gid;
446 break;
447 default:
448 break;
449 }
450 if (type == SMB_ACL_TYPE_DEFAULT) {
451 DEBUG(10, ("adding default bit to hpux ace\n"));
452 hpux_entry.a_type |= ACL_DEFAULT;
453 }
454
455 hpux_entry.a_perm =
456 smb_perm_to_hpux_perm(smb_entry->a_perm);
457 DEBUG(10, ("assembled the following hpux ace:\n"));
458 DEBUGADD(10, (" - type: 0x%04x\n", hpux_entry.a_type));
459 DEBUGADD(10, (" - id: %d\n", hpux_entry.a_id));
460 DEBUGADD(10, (" - perm: o%o\n", hpux_entry.a_perm));
461 if (!hpux_add_to_acl(hpux_acl, count, &hpux_entry,
462 1, type))
463 {
464 DEBUG(10, ("error adding acl entry\n"));
465 goto fail;
466 }
467 DEBUG(10, ("count after adding: %d (i: %d)\n", *count, i));
468 DEBUG(10, ("test, if entry has been copied into acl:\n"));
469 DEBUGADD(10, (" - type: 0x%04x\n",
470 (*hpux_acl)[(*count)-1].a_type));
471 DEBUGADD(10, (" - id: %d\n",
472 (*hpux_acl)[(*count)-1].a_id));
473 DEBUGADD(10, (" - perm: o%o\n",
474 (*hpux_acl)[(*count)-1].a_perm));
475 }
476
477 ret = True;
478 goto done;
479
480 fail:
481 SAFE_FREE(*hpux_acl);
482 done:
483 DEBUG(10, ("smb_acl_to_hpux_acl %s\n",
484 ((ret == True) ? "succeeded" : "failed")));
485 return ret;
486 }
487
488 /*
489 * convert either the access or the default part of a
490 * soaris acl to the SMB_ACL format.
491 */
492 static SMB_ACL_T hpux_acl_to_smb_acl(HPUX_ACL_T hpux_acl, int count,
/* [<][>][^][v][top][bottom][index][help] */
493 SMB_ACL_TYPE_T type)
494 {
495 SMB_ACL_T result;
496 int i;
497
498 if ((result = sys_acl_init(0)) == NULL) {
499 DEBUG(10, ("error allocating memory for SMB_ACL\n"));
500 goto fail;
501 }
502 for (i = 0; i < count; i++) {
503 SMB_ACL_ENTRY_T smb_entry;
504 SMB_ACL_PERM_T smb_perm;
505
506 if (!_IS_OF_TYPE(hpux_acl[i], type)) {
507 continue;
508 }
509 result = SMB_REALLOC(result,
510 sizeof(struct smb_acl_t) +
511 (sizeof(struct smb_acl_entry) *
512 (result->count + 1)));
513 if (result == NULL) {
514 DEBUG(10, ("error reallocating memory for SMB_ACL\n"));
515 goto fail;
516 }
517 smb_entry = &result->acl[result->count];
518 if (sys_acl_set_tag_type(smb_entry,
519 hpux_tag_to_smb_tag(hpux_acl[i].a_type)) != 0)
520 {
521 DEBUG(10, ("invalid tag type given: 0x%04x\n",
522 hpux_acl[i].a_type));
523 goto fail;
524 }
525 /* intentionally not checking return code here: */
526 sys_acl_set_qualifier(smb_entry, (void *)&hpux_acl[i].a_id);
527 smb_perm = hpux_perm_to_smb_perm(hpux_acl[i].a_perm);
528 if (sys_acl_set_permset(smb_entry, &smb_perm) != 0) {
529 DEBUG(10, ("invalid permset given: %d\n",
530 hpux_acl[i].a_perm));
531 goto fail;
532 }
533 result->count += 1;
534 }
535 goto done;
536
537 fail:
538 SAFE_FREE(result);
539 done:
540 DEBUG(10, ("hpux_acl_to_smb_acl %s\n",
541 ((result == NULL) ? "failed" : "succeeded")));
542 return result;
543 }
544
545
546
547 static HPUX_ACL_TAG_T smb_tag_to_hpux_tag(SMB_ACL_TAG_T smb_tag)
/* [<][>][^][v][top][bottom][index][help] */
548 {
549 HPUX_ACL_TAG_T hpux_tag = 0;
550
551 DEBUG(10, ("smb_tag_to_hpux_tag\n"));
552 DEBUGADD(10, (" --> got smb tag 0x%04x\n", smb_tag));
553
554 switch (smb_tag) {
555 case SMB_ACL_USER:
556 hpux_tag = USER;
557 break;
558 case SMB_ACL_USER_OBJ:
559 hpux_tag = USER_OBJ;
560 break;
561 case SMB_ACL_GROUP:
562 hpux_tag = GROUP;
563 break;
564 case SMB_ACL_GROUP_OBJ:
565 hpux_tag = GROUP_OBJ;
566 break;
567 case SMB_ACL_OTHER:
568 hpux_tag = OTHER_OBJ;
569 break;
570 case SMB_ACL_MASK:
571 hpux_tag = CLASS_OBJ;
572 break;
573 default:
574 DEBUGADD(10, (" !!! unknown smb tag type 0x%04x\n", smb_tag));
575 break;
576 }
577
578 DEBUGADD(10, (" --> determined hpux tag 0x%04x\n", hpux_tag));
579
580 return hpux_tag;
581 }
582
583 static SMB_ACL_TAG_T hpux_tag_to_smb_tag(HPUX_ACL_TAG_T hpux_tag)
/* [<][>][^][v][top][bottom][index][help] */
584 {
585 SMB_ACL_TAG_T smb_tag = 0;
586
587 DEBUG(10, ("hpux_tag_to_smb_tag:\n"));
588 DEBUGADD(10, (" --> got hpux tag 0x%04x\n", hpux_tag));
589
590 hpux_tag &= ~ACL_DEFAULT;
591
592 switch (hpux_tag) {
593 case USER:
594 smb_tag = SMB_ACL_USER;
595 break;
596 case USER_OBJ:
597 smb_tag = SMB_ACL_USER_OBJ;
598 break;
599 case GROUP:
600 smb_tag = SMB_ACL_GROUP;
601 break;
602 case GROUP_OBJ:
603 smb_tag = SMB_ACL_GROUP_OBJ;
604 break;
605 case OTHER_OBJ:
606 smb_tag = SMB_ACL_OTHER;
607 break;
608 case CLASS_OBJ:
609 smb_tag = SMB_ACL_MASK;
610 break;
611 default:
612 DEBUGADD(10, (" !!! unknown hpux tag type: 0x%04x\n",
613 hpux_tag));
614 break;
615 }
616
617 DEBUGADD(10, (" --> determined smb tag 0x%04x\n", smb_tag));
618
619 return smb_tag;
620 }
621
622
623 /*
624 * The permission bits used in the following two permission conversion
625 * functions are same, but the functions make us independent of the concrete
626 * permission data types.
627 */
628 static SMB_ACL_PERM_T hpux_perm_to_smb_perm(const HPUX_PERM_T perm)
/* [<][>][^][v][top][bottom][index][help] */
629 {
630 SMB_ACL_PERM_T smb_perm = 0;
631 smb_perm |= ((perm & SMB_ACL_READ) ? SMB_ACL_READ : 0);
632 smb_perm |= ((perm & SMB_ACL_WRITE) ? SMB_ACL_WRITE : 0);
633 smb_perm |= ((perm & SMB_ACL_EXECUTE) ? SMB_ACL_EXECUTE : 0);
634 return smb_perm;
635 }
636
637
638 static HPUX_PERM_T smb_perm_to_hpux_perm(const SMB_ACL_PERM_T perm)
/* [<][>][^][v][top][bottom][index][help] */
639 {
640 HPUX_PERM_T hpux_perm = 0;
641 hpux_perm |= ((perm & SMB_ACL_READ) ? SMB_ACL_READ : 0);
642 hpux_perm |= ((perm & SMB_ACL_WRITE) ? SMB_ACL_WRITE : 0);
643 hpux_perm |= ((perm & SMB_ACL_EXECUTE) ? SMB_ACL_EXECUTE : 0);
644 return hpux_perm;
645 }
646
647
648 static bool hpux_acl_get_file(const char *name, HPUX_ACL_T *hpux_acl,
/* [<][>][^][v][top][bottom][index][help] */
649 int *count)
650 {
651 bool result = False;
652 static HPUX_ACE_T dummy_ace;
653
654 DEBUG(10, ("hpux_acl_get_file called for file '%s'\n", name));
655
656 /*
657 * The original code tries some INITIAL_ACL_SIZE
658 * and only did the ACL_CNT call upon failure
659 * (for performance reasons).
660 * For the sake of simplicity, I skip this for now.
661 *
662 * NOTE: There is a catch here on HP-UX: acl with cmd parameter
663 * ACL_CNT fails with errno EINVAL when called with a NULL
664 * pointer as last argument. So we need to use a dummy acl
665 * struct here (we make it static so it does not need to be
666 * instantiated or malloced each time this function is
667 * called). Btw: the count parameter does not seem to matter...
668 */
669 *count = acl(CONST_DISCARD(char *, name), ACL_CNT, 0, &dummy_ace);
670 if (*count < 0) {
671 DEBUG(10, ("acl ACL_CNT failed: %s\n", strerror(errno)));
672 goto done;
673 }
674 *hpux_acl = hpux_acl_init(*count);
675 if (*hpux_acl == NULL) {
676 DEBUG(10, ("error allocating memory for hpux acl...\n"));
677 goto done;
678 }
679 *count = acl(CONST_DISCARD(char *, name), ACL_GET, *count, *hpux_acl);
680 if (*count < 0) {
681 DEBUG(10, ("acl ACL_GET failed: %s\n", strerror(errno)));
682 goto done;
683 }
684 result = True;
685
686 done:
687 DEBUG(10, ("hpux_acl_get_file %s.\n",
688 ((result == True) ? "succeeded" : "failed" )));
689 return result;
690 }
691
692
693
694
695 /*
696 * Add entries to a hpux ACL.
697 *
698 * Entries are directly added to the hpuxacl parameter.
699 * if memory allocation fails, this may result in hpuxacl
700 * being NULL. if the resulting acl is to be checked and is
701 * not valid, it is kept in hpuxacl but False is returned.
702 *
703 * The type of ACEs (access/default) to be added to the ACL can
704 * be selected via the type parameter.
705 * I use the SMB_ACL_TYPE_T type here. Since SMB_ACL_TYPE_ACCESS
706 * is defined as "0", this means that one can only add either
707 * access or default ACEs from the given ACL, not both at the same
708 * time. If it should become necessary to add all of an ACL, one
709 * would have to replace this parameter by another type.
710 */
711 static bool hpux_add_to_acl(HPUX_ACL_T *hpux_acl, int *count,
/* [<][>][^][v][top][bottom][index][help] */
712 HPUX_ACL_T add_acl, int add_count,
713 SMB_ACL_TYPE_T type)
714 {
715 int i;
716
717 if ((type != SMB_ACL_TYPE_ACCESS) && (type != SMB_ACL_TYPE_DEFAULT))
718 {
719 DEBUG(10, ("invalid acl type given: %d\n", type));
720 errno = EINVAL;
721 return False;
722 }
723 for (i = 0; i < add_count; i++) {
724 if (!_IS_OF_TYPE(add_acl[i], type)) {
725 continue;
726 }
727 ADD_TO_ARRAY(NULL, HPUX_ACE_T, add_acl[i],
728 hpux_acl, count);
729 if (hpux_acl == NULL) {
730 DEBUG(10, ("error enlarging acl.\n"));
731 errno = ENOMEM;
732 return False;
733 }
734 }
735 return True;
736 }
737
738
739 /*
740 * sort the ACL and check it for validity
741 *
742 * [original comment from lib/sysacls.c:]
743 *
744 * if it's a minimal ACL with only 4 entries then we
745 * need to recalculate the mask permissions to make
746 * sure that they are the same as the GROUP_OBJ
747 * permissions as required by the UnixWare acl() system call.
748 *
749 * (note: since POSIX allows minimal ACLs which only contain
750 * 3 entries - ie there is no mask entry - we should, in theory,
751 * check for this and add a mask entry if necessary - however
752 * we "know" that the caller of this interface always specifies
753 * a mask, so in practice "this never happens" (tm) - if it *does*
754 * happen aclsort() will fail and return an error and someone will
755 * have to fix it...)
756 */
757 static bool hpux_acl_sort(HPUX_ACL_T hpux_acl, int count)
/* [<][>][^][v][top][bottom][index][help] */
758 {
759 int fixmask = (count <= 4);
760
761 if (hpux_internal_aclsort(count, fixmask, hpux_acl) != 0) {
762 errno = EINVAL;
763 return False;
764 }
765 return True;
766 }
767
768
769 /*
770 * Helpers for hpux_internal_aclsort:
771 * - hpux_count_obj
772 * - hpux_swap_acl_entries
773 * - hpux_prohibited_duplicate_type
774 * - hpux_get_needed_class_perm
775 */
776
777 /* hpux_count_obj:
778 * Counts the different number of objects in a given array of ACL
779 * structures.
780 * Inputs:
781 *
782 * acl_count - Count of ACLs in the array of ACL strucutres.
783 * aclp - Array of ACL structures.
784 * acl_type_count - Pointer to acl_types structure. Should already be
785 * allocated.
786 * Output:
787 *
788 * acl_type_count - This structure is filled up with counts of various
789 * acl types.
790 */
791
792 static void hpux_count_obj(int acl_count, HPUX_ACL_T aclp, struct hpux_acl_types *acl_type_count)
/* [<][>][^][v][top][bottom][index][help] */
793 {
794 int i;
795
796 memset(acl_type_count, 0, sizeof(struct hpux_acl_types));
797
798 for(i=0;i<acl_count;i++) {
799 switch(aclp[i].a_type) {
800 case USER:
801 acl_type_count->n_user++;
802 break;
803 case USER_OBJ:
804 acl_type_count->n_user_obj++;
805 break;
806 case DEF_USER_OBJ:
807 acl_type_count->n_def_user_obj++;
808 break;
809 case GROUP:
810 acl_type_count->n_group++;
811 break;
812 case GROUP_OBJ:
813 acl_type_count->n_group_obj++;
814 break;
815 case DEF_GROUP_OBJ:
816 acl_type_count->n_def_group_obj++;
817 break;
818 case OTHER_OBJ:
819 acl_type_count->n_other_obj++;
820 break;
821 case DEF_OTHER_OBJ:
822 acl_type_count->n_def_other_obj++;
823 break;
824 case CLASS_OBJ:
825 acl_type_count->n_class_obj++;
826 break;
827 case DEF_CLASS_OBJ:
828 acl_type_count->n_def_class_obj++;
829 break;
830 case DEF_USER:
831 acl_type_count->n_def_user++;
832 break;
833 case DEF_GROUP:
834 acl_type_count->n_def_group++;
835 break;
836 default:
837 acl_type_count->n_illegal_obj++;
838 break;
839 }
840 }
841 }
842
843 /* hpux_swap_acl_entries: Swaps two ACL entries.
844 *
845 * Inputs: aclp0, aclp1 - ACL entries to be swapped.
846 */
847
848 static void hpux_swap_acl_entries(HPUX_ACE_T *aclp0, HPUX_ACE_T *aclp1)
/* [<][>][^][v][top][bottom][index][help] */
849 {
850 HPUX_ACE_T temp_acl;
851
852 temp_acl.a_type = aclp0->a_type;
853 temp_acl.a_id = aclp0->a_id;
854 temp_acl.a_perm = aclp0->a_perm;
855
856 aclp0->a_type = aclp1->a_type;
857 aclp0->a_id = aclp1->a_id;
858 aclp0->a_perm = aclp1->a_perm;
859
860 aclp1->a_type = temp_acl.a_type;
861 aclp1->a_id = temp_acl.a_id;
862 aclp1->a_perm = temp_acl.a_perm;
863 }
864
865 /* hpux_prohibited_duplicate_type
866 * Identifies if given ACL type can have duplicate entries or
867 * not.
868 *
869 * Inputs: acl_type - ACL Type.
870 *
871 * Outputs:
872 *
873 * Return..
874 *
875 * True - If the ACL type matches any of the prohibited types.
876 * False - If the ACL type doesn't match any of the prohibited types.
877 */
878
879 static bool hpux_prohibited_duplicate_type(int acl_type)
/* [<][>][^][v][top][bottom][index][help] */
880 {
881 switch(acl_type) {
882 case USER:
883 case GROUP:
884 case DEF_USER:
885 case DEF_GROUP:
886 return True;
887 default:
888 return False;
889 }
890 }
891
892 /* hpux_get_needed_class_perm
893 * Returns the permissions of a ACL structure only if the ACL
894 * type matches one of the pre-determined types for computing
895 * CLASS_OBJ permissions.
896 *
897 * Inputs: aclp - Pointer to ACL structure.
898 */
899
900 static int hpux_get_needed_class_perm(struct acl *aclp)
/* [<][>][^][v][top][bottom][index][help] */
901 {
902 switch(aclp->a_type) {
903 case USER:
904 case GROUP_OBJ:
905 case GROUP:
906 case DEF_USER_OBJ:
907 case DEF_USER:
908 case DEF_GROUP_OBJ:
909 case DEF_GROUP:
910 case DEF_CLASS_OBJ:
911 case DEF_OTHER_OBJ:
912 return aclp->a_perm;
913 default:
914 return 0;
915 }
916 }
917
918 /* hpux_internal_aclsort: aclsort for HPUX.
919 *
920 * -> The aclsort() system call is availabe on the latest HPUX General
921 * -> Patch Bundles. So for HPUX, we developed our version of aclsort
922 * -> function. Because, we don't want to update to a new
923 * -> HPUX GR bundle just for aclsort() call.
924 *
925 * aclsort sorts the array of ACL structures as per the description in
926 * aclsort man page. Refer to aclsort man page for more details
927 *
928 * Inputs:
929 *
930 * acl_count - Count of ACLs in the array of ACL structures.
931 * calclass - If this is not zero, then we compute the CLASS_OBJ
932 * permissions.
933 * aclp - Array of ACL structures.
934 *
935 * Outputs:
936 *
937 * aclp - Sorted array of ACL structures.
938 *
939 * Outputs:
940 *
941 * Returns 0 for success -1 for failure. Prints a message to the Samba
942 * debug log in case of failure.
943 */
944
945 static int hpux_internal_aclsort(int acl_count, int calclass, HPUX_ACL_T aclp)
/* [<][>][^][v][top][bottom][index][help] */
946 {
947 struct hpux_acl_types acl_obj_count;
948 int n_class_obj_perm = 0;
949 int i, j;
950
951 DEBUG(10,("Entering hpux_internal_aclsort. (calclass = %d)\n", calclass));
952
953 if (hpux_aclsort_call_present()) {
954 DEBUG(10, ("calling hpux aclsort\n"));
955 return aclsort(acl_count, calclass, aclp);
956 }
957
958 DEBUG(10, ("using internal aclsort\n"));
959
960 if(!acl_count) {
961 DEBUG(10,("Zero acl count passed. Returning Success\n"));
962 return 0;
963 }
964
965 if(aclp == NULL) {
966 DEBUG(0,("Null ACL pointer in hpux_acl_sort. Returning Failure. \n"));
967 return -1;
968 }
969
970 /* Count different types of ACLs in the ACLs array */
971
972 hpux_count_obj(acl_count, aclp, &acl_obj_count);
973
974 /* There should be only one entry each of type USER_OBJ, GROUP_OBJ,
975 * CLASS_OBJ and OTHER_OBJ
976 */
977
978 if ( (acl_obj_count.n_user_obj != 1) ||
979 (acl_obj_count.n_group_obj != 1) ||
980 (acl_obj_count.n_class_obj != 1) ||
981 (acl_obj_count.n_other_obj != 1) )
982 {
983 DEBUG(0,("hpux_internal_aclsort: More than one entry or no entries for \
984 USER OBJ or GROUP_OBJ or OTHER_OBJ or CLASS_OBJ\n"));
985 return -1;
986 }
987
988 /* If any of the default objects are present, there should be only
989 * one of them each.
990 */
991
992 if ( (acl_obj_count.n_def_user_obj > 1) ||
993 (acl_obj_count.n_def_group_obj > 1) ||
994 (acl_obj_count.n_def_other_obj > 1) ||
995 (acl_obj_count.n_def_class_obj > 1) )
996 {
997 DEBUG(0,("hpux_internal_aclsort: More than one entry for DEF_CLASS_OBJ \
998 or DEF_USER_OBJ or DEF_GROUP_OBJ or DEF_OTHER_OBJ\n"));
999 return -1;
1000 }
1001
1002 /* We now have proper number of OBJ and DEF_OBJ entries. Now sort the acl
1003 * structures.
1004 *
1005 * Sorting crieteria - First sort by ACL type. If there are multiple entries of
1006 * same ACL type, sort by ACL id.
1007 *
1008 * I am using the trival kind of sorting method here because, performance isn't
1009 * really effected by the ACLs feature. More over there aren't going to be more
1010 * than 17 entries on HPUX.
1011 */
1012
1013 for(i=0; i<acl_count;i++) {
1014 for (j=i+1; j<acl_count; j++) {
1015 if( aclp[i].a_type > aclp[j].a_type ) {
1016 /* ACL entries out of order, swap them */
1017 hpux_swap_acl_entries((aclp+i), (aclp+j));
1018 } else if ( aclp[i].a_type == aclp[j].a_type ) {
1019 /* ACL entries of same type, sort by id */
1020 if(aclp[i].a_id > aclp[j].a_id) {
1021 hpux_swap_acl_entries((aclp+i), (aclp+j));
1022 } else if (aclp[i].a_id == aclp[j].a_id) {
1023 /* We have a duplicate entry. */
1024 if(hpux_prohibited_duplicate_type(aclp[i].a_type)) {
1025 DEBUG(0, ("hpux_internal_aclsort: Duplicate entry: Type(hex): %x Id: %d\n",
1026 aclp[i].a_type, aclp[i].a_id));
1027 return -1;
1028 }
1029 }
1030 }
1031 }
1032 }
1033
1034 /* set the class obj permissions to the computed one. */
1035 if(calclass) {
1036 int n_class_obj_index = -1;
1037
1038 for(i=0;i<acl_count;i++) {
1039 n_class_obj_perm |= hpux_get_needed_class_perm((aclp+i));
1040
1041 if(aclp[i].a_type == CLASS_OBJ)
1042 n_class_obj_index = i;
1043 }
1044 aclp[n_class_obj_index].a_perm = n_class_obj_perm;
1045 }
1046
1047 return 0;
1048 }
1049
1050
1051 /*
1052 * hpux_acl_call_present:
1053 *
1054 * This checks if the POSIX ACL system call is defined
1055 * which basically corresponds to whether JFS 3.3 or
1056 * higher is installed. If acl() was called when it
1057 * isn't defined, it causes the process to core dump
1058 * so it is important to check this and avoid acl()
1059 * calls if it isn't there.
1060 */
1061
1062 static bool hpux_acl_call_present(void)
/* [<][>][^][v][top][bottom][index][help] */
1063 {
1064
1065 shl_t handle = NULL;
1066 void *value;
1067 int ret_val=0;
1068 static bool already_checked = False;
1069
1070 if(already_checked)
1071 return True;
1072
1073 errno = 0;
1074
1075 ret_val = shl_findsym(&handle, "acl", TYPE_PROCEDURE, &value);
1076
1077 if(ret_val != 0) {
1078 DEBUG(5, ("hpux_acl_call_present: shl_findsym() returned %d, errno = %d, error %s\n",
1079 ret_val, errno, strerror(errno)));
1080 DEBUG(5,("hpux_acl_call_present: acl() system call is not present. Check if you have JFS 3.3 and above?\n"));
1081 errno = ENOSYS;
1082 return False;
1083 }
1084
1085 DEBUG(10,("hpux_acl_call_present: acl() system call is present. We have JFS 3.3 or above \n"));
1086
1087 already_checked = True;
1088 return True;
1089 }
1090
1091 /*
1092 * runtime check for presence of aclsort library call.
1093 * same code as for acl call. if there are more of these,
1094 * a dispatcher function could be handy...
1095 */
1096
1097 static bool hpux_aclsort_call_present(void)
/* [<][>][^][v][top][bottom][index][help] */
1098 {
1099 shl_t handle = NULL;
1100 void *value;
1101 int ret_val = 0;
1102 static bool already_checked = False;
1103
1104 if (already_checked) {
1105 return True;
1106 }
1107
1108 errno = 0;
1109 ret_val = shl_findsym(&handle, "aclsort", TYPE_PROCEDURE, &value);
1110 if (ret_val != 0) {
1111 DEBUG(5, ("hpux_aclsort_call_present: shl_findsym "
1112 "returned %d, errno = %d, error %s",
1113 ret_val, errno, strerror(errno)));
1114 DEBUG(5, ("hpux_aclsort_call_present: "
1115 "aclsort() function not available.\n"));
1116 return False;
1117 }
1118 DEBUG(10,("hpux_aclsort_call_present: aclsort() function present.\n"));
1119 already_checked = True;
1120 return True;
1121 }
1122
1123 #if 0
1124 /*
1125 * acl check function:
1126 * unused at the moment but could be used to get more
1127 * concrete error messages for debugging...
1128 * (acl sort just says that the acl is invalid...)
1129 */
1130 static bool hpux_acl_check(HPUX_ACL_T hpux_acl, int count)
/* [<][>][^][v][top][bottom][index][help] */
1131 {
1132 int check_rc;
1133 int check_which;
1134
1135 check_rc = aclcheck(hpux_acl, count, &check_which);
1136 if (check_rc != 0) {
1137 DEBUG(10, ("acl is not valid:\n"));
1138 DEBUGADD(10, (" - return code: %d\n", check_rc));
1139 DEBUGADD(10, (" - which: %d\n", check_which));
1140 if (check_which != -1) {
1141 DEBUGADD(10, (" - invalid entry:\n"));
1142 DEBUGADD(10, (" * type: %d:\n",
1143 hpux_acl[check_which].a_type));
1144 DEBUGADD(10, (" * id: %d\n",
1145 hpux_acl[check_which].a_id));
1146 DEBUGADD(10, (" * perm: 0o%o\n",
1147 hpux_acl[check_which].a_perm));
1148 }
1149 return False;
1150 }
1151 return True;
1152 }
1153 #endif
1154
1155 /* VFS operations structure */
1156
1157 static vfs_op_tuple hpuxacl_op_tuples[] = {
1158 /* Disk operations */
1159 {SMB_VFS_OP(hpuxacl_sys_acl_get_file),
1160 SMB_VFS_OP_SYS_ACL_GET_FILE,
1161 SMB_VFS_LAYER_TRANSPARENT},
1162
1163 {SMB_VFS_OP(hpuxacl_sys_acl_get_fd),
1164 SMB_VFS_OP_SYS_ACL_GET_FD,
1165 SMB_VFS_LAYER_TRANSPARENT},
1166
1167 {SMB_VFS_OP(hpuxacl_sys_acl_set_file),
1168 SMB_VFS_OP_SYS_ACL_SET_FILE,
1169 SMB_VFS_LAYER_TRANSPARENT},
1170
1171 {SMB_VFS_OP(hpuxacl_sys_acl_set_fd),
1172 SMB_VFS_OP_SYS_ACL_SET_FD,
1173 SMB_VFS_LAYER_TRANSPARENT},
1174
1175 {SMB_VFS_OP(hpuxacl_sys_acl_delete_def_file),
1176 SMB_VFS_OP_SYS_ACL_DELETE_DEF_FILE,
1177 SMB_VFS_LAYER_TRANSPARENT},
1178
1179 {SMB_VFS_OP(NULL),
1180 SMB_VFS_OP_NOOP,
1181 SMB_VFS_LAYER_NOOP}
1182 };
1183
1184 NTSTATUS vfs_hpuxacl_init(void)
/* [<][>][^][v][top][bottom][index][help] */
1185 {
1186 return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "hpuxacl",
1187 hpuxacl_op_tuples);
1188 }
1189
1190 /* ENTE */