summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichael Adam <obnox@samba.org>2007-04-27 08:43:06 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:19:42 -0500
commit59ac1167a64d16725dbd66779ffbacb377dd0712 (patch)
treeb260b3c90f26eb97d19d10ed42af03d7a689b2cd
parent7159de50652a4f1ccd7cb623cb7c96a4d28b81fc (diff)
downloadsamba-59ac1167a64d16725dbd66779ffbacb377dd0712.tar.gz
samba-59ac1167a64d16725dbd66779ffbacb377dd0712.tar.bz2
samba-59ac1167a64d16725dbd66779ffbacb377dd0712.zip
r22529: Add implementation of HP-UX ACLs in the new vfs-module framework.
(This used to be commit aef5aad67884eb47d30fa2fadddb33e4005b8143)
-rw-r--r--source3/modules/vfs_hpuxacl.c1193
1 files changed, 1137 insertions, 56 deletions
diff --git a/source3/modules/vfs_hpuxacl.c b/source3/modules/vfs_hpuxacl.c
index aeb078c32d..97dd7b0716 100644
--- a/source3/modules/vfs_hpuxacl.c
+++ b/source3/modules/vfs_hpuxacl.c
@@ -1,101 +1,1182 @@
/*
- Unix SMB/Netbios implementation.
- VFS module to get and set hpux acls
- Copyright (C) Michael Adam 2006
+ * Unix SMB/Netbios implementation.
+ * VFS module to get and set HP-UX ACLs
+ * Copyright (C) Michael Adam 2006
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
+/*
+ * This module supports JFS (POSIX) ACLs on VxFS (Veritas * Filesystem).
+ * These are available on HP-UX 11.00 if JFS 3.3 is installed.
+ * On HP-UX 11i (11.11 and above) these ACLs are supported out of
+ * the box.
+ *
+ * There is another form of ACLs on HFS. These ACLs have a
+ * completely different API and their own set of userland tools.
+ * Since HFS seems to be considered deprecated, HFS acls
+ * are not supported. (They could be supported through a separate
+ * vfs-module if there is demand.)
+ */
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
+/* =================================================================
+ * NOTE:
+ *
+ * The original hpux-acl code in lib/sysacls.c was based upon the
+ * solaris acl code in the same file. Now for the new modularized
+ * acl implementation, I have taken the code from vfs_solarisacls.c
+ * and did similar adaptations as were done before, essentially
+ * reusing the original internal aclsort functions.
+ * The check for the presence of the acl() call has been adopted, and
+ * a check for the presence of the aclsort() call has been added.
+ *
+ * Michael Adam <obnox@samba.org>
+ *
+ * ================================================================= */
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
#include "includes.h"
-/* prototypes for private functions first - for clarity */
+/*
+ * including standard header <sys/aclv.h>
+ *
+ * included here as a quick hack for the special HP-UX-situation:
+ *
+ * The problem is that, on HP-UX, jfs/posix acls are
+ * defined in <sys/aclv.h>, while the deprecated hfs acls
+ * are defined inside <sys/acl.h>.
+ *
+ */
+/* GROUP is defined somewhere else so undef it here... */
+#undef GROUP
+#include <sys/aclv.h>
+/* dl.h: needed to check for acl call via shl_findsym */
+#include <dl.h>
+
+typedef struct acl HPUX_ACE_T;
+typedef struct acl *HPUX_ACL_T;
+typedef int HPUX_ACL_TAG_T; /* the type of an ACL entry */
+typedef ushort HPUX_PERM_T;
+
+/* Structure to capture the count for each type of ACE.
+ * (for hpux_internal_aclsort */
+struct hpux_acl_types {
+ int n_user;
+ int n_def_user;
+ int n_user_obj;
+ int n_def_user_obj;
+
+ int n_group;
+ int n_def_group;
+ int n_group_obj;
+ int n_def_group_obj;
+
+ int n_other;
+ int n_other_obj;
+ int n_def_other_obj;
+
+ int n_class_obj;
+ int n_def_class_obj;
+
+ int n_illegal_obj;
+};
+
+/* for convenience: check if hpux acl entry is a default entry? */
+#define _IS_DEFAULT(ace) ((ace).a_type & ACL_DEFAULT)
+#define _IS_OF_TYPE(ace, type) ( \
+ (((type) == SMB_ACL_TYPE_ACCESS) && !_IS_DEFAULT(ace)) \
+ || \
+ (((type) == SMB_ACL_TYPE_DEFAULT) && _IS_DEFAULT(ace)) \
+)
+
+
+/* prototypes for private functions */
+
+static HPUX_ACL_T hpux_acl_init(int count);
+static BOOL smb_acl_to_hpux_acl(SMB_ACL_T smb_acl,
+ HPUX_ACL_T *solariacl, int *count,
+ SMB_ACL_TYPE_T type);
+static SMB_ACL_T hpux_acl_to_smb_acl(HPUX_ACL_T hpuxacl, int count,
+ SMB_ACL_TYPE_T type);
+static HPUX_ACL_TAG_T smb_tag_to_hpux_tag(SMB_ACL_TAG_T smb_tag);
+static SMB_ACL_TAG_T hpux_tag_to_smb_tag(HPUX_ACL_TAG_T hpux_tag);
+static BOOL hpux_add_to_acl(HPUX_ACL_T *hpux_acl, int *count,
+ HPUX_ACL_T add_acl, int add_count, SMB_ACL_TYPE_T type);
+static BOOL hpux_acl_get_file(const char *name, HPUX_ACL_T *hpuxacl,
+ int *count);
+static SMB_ACL_PERM_T hpux_perm_to_smb_perm(const HPUX_PERM_T perm);
+static HPUX_PERM_T smb_perm_to_hpux_perm(const SMB_ACL_PERM_T perm);
+#if 0
+static BOOL hpux_acl_check(HPUX_ACL_T hpux_acl, int count);
+#endif
+/* aclsort (internal) and helpers: */
+static BOOL hpux_acl_sort(HPUX_ACL_T acl, int count);
+static int hpux_internal_aclsort(int acl_count, int calclass, HPUX_ACL_T aclp);
+static int hpux_count_obj(int acl_count, HPUX_ACL_T aclp,
+ struct hpux_acl_types *acl_type_count);
+static void hpux_swap_acl_entries(HPUX_ACE_T *aclp0, HPUX_ACE_T *aclp1);
+static BOOL hpux_prohibited_duplicate_type(int acl_type);
+
+static BOOL hpux_acl_call_present(void);
+static BOOL hpux_aclsort_call_present(void);
+
/* public functions - the api */
SMB_ACL_T hpuxacl_sys_acl_get_file(vfs_handle_struct *handle,
- const char *path_p,
- SMB_ACL_TYPE_T type)
+ const char *path_p,
+ SMB_ACL_TYPE_T type)
{
- errno = ENOTSUP;
- return NULL;
+ SMB_ACL_T result = NULL;
+ int count;
+ HPUX_ACL_T hpux_acl;
+
+ DEBUG(10, ("hpuxacl_sys_acl_get_file called for file '%s'.\n",
+ path_p));
+
+ if(hpux_acl_call_present() == False) {
+ /* Looks like we don't have the acl() system call on HPUX.
+ * May be the system doesn't have the latest version of JFS.
+ */
+ goto done;
+ }
+
+ if (type != SMB_ACL_TYPE_ACCESS && type != SMB_ACL_TYPE_DEFAULT) {
+ DEBUG(10, ("invalid SMB_ACL_TYPE given (%d)\n", type));
+ errno = EINVAL;
+ goto done;
+ }
+
+ DEBUGADD(10, ("getting %s acl\n",
+ ((type == SMB_ACL_TYPE_ACCESS) ? "access" : "default")));
+
+ if (!hpux_acl_get_file(path_p, &hpux_acl, &count)) {
+ goto done;
+ }
+ result = hpux_acl_to_smb_acl(hpux_acl, count, type);
+ if (result == NULL) {
+ DEBUG(10, ("conversion hpux_acl -> smb_acl failed (%s).\n",
+ strerror(errno)));
+ }
+
+ done:
+ DEBUG(10, ("hpuxacl_sys_acl_get_file %s.\n",
+ ((result == NULL) ? "failed" : "succeeded" )));
+ SAFE_FREE(hpux_acl);
+ return result;
}
+
+/*
+ * get the access ACL of a file referred to by a fd
+ */
SMB_ACL_T hpuxacl_sys_acl_get_fd(vfs_handle_struct *handle,
- files_struct *fsp,
- int fd)
+ files_struct *fsp,
+ int fd)
{
- errno = ENOTSUP;
- return NULL;
+ /*
+ * HPUX doesn't have the facl call. Fake it using the path.... JRA.
+ */
+ /* For all I see, the info should already be in the fsp
+ * parameter, but get it again to be safe --- necessary? */
+ files_struct *file_struct_p = file_find_fd(fd);
+ if (file_struct_p == NULL) {
+ errno = EBADF;
+ return NULL;
+ }
+ /*
+ * We know we're in the same conn context. So we
+ * can use the relative path.
+ */
+ DEBUG(10, ("redirecting call of hpuxacl_sys_acl_get_fd to "
+ "hpuxacl_sys_acl_get_file (no facl syscall on HPUX).\n"));
+
+ return hpuxacl_sys_acl_get_file(handle, file_struct_p->fsp_name,
+ SMB_ACL_TYPE_ACCESS);
}
+
int hpuxacl_sys_acl_set_file(vfs_handle_struct *handle,
- const char *name,
- SMB_ACL_TYPE_T type,
- SMB_ACL_T theacl)
+ const char *name,
+ SMB_ACL_TYPE_T type,
+ SMB_ACL_T theacl)
{
- errno = ENOTSUP;
- return -1;
+ int ret = -1;
+ SMB_STRUCT_STAT s;
+ HPUX_ACL_T hpux_acl;
+ int count;
+
+ DEBUG(10, ("hpuxacl_sys_acl_set_file called for file '%s'\n",
+ name));
+
+
+ if(hpux_acl_call_present() == False) {
+ /* Looks like we don't have the acl() system call on HPUX.
+ * May be the system doesn't have the latest version of JFS.
+ */
+ goto done;
+ }
+
+ if ((type != SMB_ACL_TYPE_ACCESS) && (type != SMB_ACL_TYPE_DEFAULT)) {
+ errno = EINVAL;
+ DEBUG(10, ("invalid smb acl type given (%d).\n", type));
+ goto done;
+ }
+ DEBUGADD(10, ("setting %s acl\n",
+ ((type == SMB_ACL_TYPE_ACCESS) ? "access" : "default")));
+
+ if(!smb_acl_to_hpux_acl(theacl, &hpux_acl, &count, type)) {
+ DEBUG(10, ("conversion smb_acl -> hpux_acl failed (%s).\n",
+ strerror(errno)));
+ goto done;
+ }
+
+ /*
+ * if the file is a directory, there is extra work to do:
+ * since the hpux acl call stores both the access acl and
+ * the default acl as provided, we have to get the acl part
+ * that has _not_ been specified in "type" from the file first
+ * and concatenate it with the acl provided.
+ */
+ if (SMB_VFS_STAT(handle->conn, name, &s) != 0) {
+ DEBUG(10, ("Error in stat call: %s\n", strerror(errno)));
+ goto done;
+ }
+ if (S_ISDIR(s.st_mode)) {
+ HPUX_ACL_T other_acl;
+ int other_count;
+ SMB_ACL_TYPE_T other_type;
+
+ other_type = (type == SMB_ACL_TYPE_ACCESS)
+ ? SMB_ACL_TYPE_DEFAULT
+ : SMB_ACL_TYPE_ACCESS;
+ DEBUGADD(10, ("getting acl from filesystem\n"));
+ if (!hpux_acl_get_file(name, &other_acl, &other_count)) {
+ DEBUG(10, ("error getting acl from directory\n"));
+ goto done;
+ }
+ DEBUG(10, ("adding %s part of fs acl to given acl\n",
+ ((other_type == SMB_ACL_TYPE_ACCESS)
+ ? "access"
+ : "default")));
+ if (!hpux_add_to_acl(&hpux_acl, &count, other_acl,
+ other_count, other_type))
+ {
+ DEBUG(10, ("error adding other acl.\n"));
+ SAFE_FREE(other_acl);
+ goto done;
+ }
+ SAFE_FREE(other_acl);
+ }
+ else if (type != SMB_ACL_TYPE_ACCESS) {
+ errno = EINVAL;
+ goto done;
+ }
+
+ if (!hpux_acl_sort(hpux_acl, count)) {
+ DEBUG(10, ("resulting acl is not valid!\n"));
+ goto done;
+ }
+ DEBUG(10, ("resulting acl is valid.\n"));
+
+ ret = acl(CONST_DISCARD(char *, name), ACL_SET, count, hpux_acl);
+ if (ret != 0) {
+ DEBUG(0, ("ERROR calling acl: %s\n", strerror(errno)));
+ }
+
+ done:
+ DEBUG(10, ("hpuxacl_sys_acl_set_file %s.\n",
+ ((ret != 0) ? "failed" : "succeeded")));
+ SAFE_FREE(hpux_acl);
+ return ret;
}
+/*
+ * set the access ACL on the file referred to by a fd
+ */
int hpuxacl_sys_acl_set_fd(vfs_handle_struct *handle,
- files_struct *fsp,
- int fd, SMB_ACL_T theacl)
+ files_struct *fsp,
+ int fd, SMB_ACL_T theacl)
{
- errno = ENOTSUP;
- return -1;
+ /*
+ * HPUX doesn't have the facl call. Fake it using the path.... JRA.
+ */
+ /* For all I see, the info should already be in the fsp
+ * parameter, but get it again to be safe --- necessary? */
+ files_struct *file_struct_p = file_find_fd(fd);
+ if (file_struct_p == NULL) {
+ errno = EBADF;
+ return -1;
+ }
+ /*
+ * We know we're in the same conn context. So we
+ * can use the relative path.
+ */
+ DEBUG(10, ("redirecting call of hpuxacl_sys_acl_set_fd to "
+ "hpuxacl_sys_acl_set_file (no facl syscall on HPUX)\n"));
+
+ return hpuxacl_sys_acl_set_file(handle, file_struct_p->fsp_name,
+ SMB_ACL_TYPE_ACCESS, theacl);
}
+
+/*
+ * delete the default ACL of a directory
+ *
+ * This is achieved by fetching the access ACL and rewriting it
+ * directly, via the hpux system call: the ACL_SET call on
+ * directories writes both the access and the default ACL as provided.
+ *
+ * XXX: posix acl_delete_def_file returns an error if
+ * the file referred to by path is not a directory.
+ * this function does not complain but the actions
+ * have no effect on a file other than a directory.
+ * But sys_acl_delete_default_file is only called in
+ * smbd/posixacls.c after having checked that the file
+ * is a directory, anyways. So implementing the extra
+ * check is considered unnecessary. --- Agreed? XXX
+ */
int hpuxacl_sys_acl_delete_def_file(vfs_handle_struct *handle,
- const char *path)
+ const char *path)
+{
+ SMB_ACL_T smb_acl;
+ int ret = -1;
+ HPUX_ACL_T hpux_acl;
+ int count;
+
+ DEBUG(10, ("entering hpuxacl_sys_acl_delete_def_file.\n"));
+
+ smb_acl = hpuxacl_sys_acl_get_file(handle, path,
+ SMB_ACL_TYPE_ACCESS);
+ if (smb_acl == NULL) {
+ DEBUG(10, ("getting file acl failed!\n"));
+ goto done;
+ }
+ if (!smb_acl_to_hpux_acl(smb_acl, &hpux_acl, &count,
+ SMB_ACL_TYPE_ACCESS))
+ {
+ DEBUG(10, ("conversion smb_acl -> hpux_acl failed.\n"));
+ goto done;
+ }
+ if (!hpux_acl_sort(hpux_acl, count)) {
+ DEBUG(10, ("resulting acl is not valid!\n"));
+ goto done;
+ }
+ ret = acl(CONST_DISCARD(char *, path), ACL_SET, count, hpux_acl);
+ if (ret != 0) {
+ DEBUG(10, ("settinge file acl failed!\n"));
+ }
+
+ done:
+ DEBUG(10, ("hpuxacl_sys_acl_delete_def_file %s.\n",
+ ((ret != 0) ? "failed" : "succeeded" )));
+ SAFE_FREE(smb_acl);
+ return ret;
+}
+
+
+/*
+ * private functions
+ */
+
+static HPUX_ACL_T hpux_acl_init(int count)
{
- errno = ENOTSUP;
- return -1;
+ HPUX_ACL_T hpux_acl =
+ (HPUX_ACL_T)SMB_MALLOC(sizeof(HPUX_ACE_T) * count);
+ if (hpux_acl == NULL) {
+ errno = ENOMEM;
+ }
+ return hpux_acl;
}
-/* private functions */
+/*
+ * Convert the SMB acl to the ACCESS or DEFAULT part of a
+ * hpux ACL, as desired.
+ */
+static BOOL smb_acl_to_hpux_acl(SMB_ACL_T smb_acl,
+ HPUX_ACL_T *hpux_acl, int *count,
+ SMB_ACL_TYPE_T type)
+{
+ BOOL ret = False;
+ int i;
+ int check_which, check_rc;
+
+ DEBUG(10, ("entering smb_acl_to_hpux_acl\n"));
+
+ *hpux_acl = NULL;
+ *count = 0;
+
+ for (i = 0; i < smb_acl->count; i++) {
+ const struct smb_acl_entry *smb_entry = &(smb_acl->acl[i]);
+ HPUX_ACE_T hpux_entry;
+
+ ZERO_STRUCT(hpux_entry);
+
+ hpux_entry.a_type = smb_tag_to_hpux_tag(smb_entry->a_type);
+ if (hpux_entry.a_type == 0) {
+ DEBUG(10, ("smb_tag to hpux_tag failed\n"));
+ goto fail;
+ }
+ switch(hpux_entry.a_type) {
+ case USER:
+ DEBUG(10, ("got tag type USER with uid %d\n",
+ smb_entry->uid));
+ hpux_entry.a_id = (uid_t)smb_entry->uid;
+ break;
+ case GROUP:
+ DEBUG(10, ("got tag type GROUP with gid %d\n",
+ smb_entry->gid));
+ hpux_entry.a_id = (uid_t)smb_entry->gid;
+ break;
+ default:
+ break;
+ }
+ if (type == SMB_ACL_TYPE_DEFAULT) {
+ DEBUG(10, ("adding default bit to hpux ace\n"));
+ hpux_entry.a_type |= ACL_DEFAULT;
+ }
+
+ hpux_entry.a_perm =
+ smb_perm_to_hpux_perm(smb_entry->a_perm);
+ DEBUG(10, ("assembled the following hpux ace:\n"));
+ DEBUGADD(10, (" - type: 0x%04x\n", hpux_entry.a_type));
+ DEBUGADD(10, (" - id: %d\n", hpux_entry.a_id));
+ DEBUGADD(10, (" - perm: o%o\n", hpux_entry.a_perm));
+ if (!hpux_add_to_acl(hpux_acl, count, &hpux_entry,
+ 1, type))
+ {
+ DEBUG(10, ("error adding acl entry\n"));
+ goto fail;
+ }
+ DEBUG(10, ("count after adding: %d (i: %d)\n", *count, i));
+ DEBUG(10, ("test, if entry has been copied into acl:\n"));
+ DEBUGADD(10, (" - type: 0x%04x\n",
+ (*hpux_acl)[(*count)-1].a_type));
+ DEBUGADD(10, (" - id: %d\n",
+ (*hpux_acl)[(*count)-1].a_id));
+ DEBUGADD(10, (" - perm: o%o\n",
+ (*hpux_acl)[(*count)-1].a_perm));
+ }
+
+ ret = True;
+ goto done;
+
+ fail:
+ SAFE_FREE(*hpux_acl);
+ done:
+ DEBUG(10, ("smb_acl_to_hpux_acl %s\n",
+ ((ret == True) ? "succeeded" : "failed")));
+ return ret;
+}
+
+/*
+ * convert either the access or the default part of a
+ * soaris acl to the SMB_ACL format.
+ */
+static SMB_ACL_T hpux_acl_to_smb_acl(HPUX_ACL_T hpux_acl, int count,
+ SMB_ACL_TYPE_T type)
+{
+ SMB_ACL_T result;
+ int i;
+
+ if ((result = sys_acl_init(0)) == NULL) {
+ DEBUG(10, ("error allocating memory for SMB_ACL\n"));
+ goto fail;
+ }
+ for (i = 0; i < count; i++) {
+ SMB_ACL_ENTRY_T smb_entry;
+ SMB_ACL_PERM_T smb_perm;
+
+ if (!_IS_OF_TYPE(hpux_acl[i], type)) {
+ continue;
+ }
+ result = SMB_REALLOC(result,
+ sizeof(struct smb_acl_t) +
+ (sizeof(struct smb_acl_entry) *
+ (result->count + 1)));
+ if (result == NULL) {
+ DEBUG(10, ("error reallocating memory for SMB_ACL\n"));
+ goto fail;
+ }
+ smb_entry = &result->acl[result->count];
+ if (sys_acl_set_tag_type(smb_entry,
+ hpux_tag_to_smb_tag(hpux_acl[i].a_type)) != 0)
+ {
+ DEBUG(10, ("invalid tag type given: 0x%04x\n",
+ hpux_acl[i].a_type));
+ goto fail;
+ }
+ /* intentionally not checking return code here: */
+ sys_acl_set_qualifier(smb_entry, (void *)&hpux_acl[i].a_id);
+ smb_perm = hpux_perm_to_smb_perm(hpux_acl[i].a_perm);
+ if (sys_acl_set_permset(smb_entry, &smb_perm) != 0) {
+ DEBUG(10, ("invalid permset given: %d\n",
+ hpux_acl[i].a_perm));
+ goto fail;
+ }
+ result->count += 1;
+ }
+ goto done;
+
+ fail:
+ SAFE_FREE(result);
+ done:
+ DEBUG(10, ("hpux_acl_to_smb_acl %s\n",
+ ((result == NULL) ? "failed" : "succeeded")));
+ return result;
+}
+
+
+
+static HPUX_ACL_TAG_T smb_tag_to_hpux_tag(SMB_ACL_TAG_T smb_tag)
+{
+ HPUX_ACL_TAG_T hpux_tag = 0;
+
+ DEBUG(10, ("smb_tag_to_hpux_tag\n"));
+ DEBUGADD(10, (" --> got smb tag 0x%04x\n", smb_tag));
+
+ switch (smb_tag) {
+ case SMB_ACL_USER:
+ hpux_tag = USER;
+ break;
+ case SMB_ACL_USER_OBJ:
+ hpux_tag = USER_OBJ;
+ break;
+ case SMB_ACL_GROUP:
+ hpux_tag = GROUP;
+ break;
+ case SMB_ACL_GROUP_OBJ:
+ hpux_tag = GROUP_OBJ;
+ break;
+ case SMB_ACL_OTHER:
+ hpux_tag = OTHER_OBJ;
+ break;
+ case SMB_ACL_MASK:
+ hpux_tag = CLASS_OBJ;
+ break;
+ default:
+ DEBUGADD(10, (" !!! unknown smb tag type 0x%04x\n", smb_tag));
+ break;
+ }
+
+ DEBUGADD(10, (" --> determined hpux tag 0x%04x\n", hpux_tag));
+
+ return hpux_tag;
+}
+
+static SMB_ACL_TAG_T hpux_tag_to_smb_tag(HPUX_ACL_TAG_T hpux_tag)
+{
+ SMB_ACL_TAG_T smb_tag = 0;
+
+ DEBUG(10, ("hpux_tag_to_smb_tag:\n"));
+ DEBUGADD(10, (" --> got hpux tag 0x%04x\n", hpux_tag));
+
+ hpux_tag &= ~ACL_DEFAULT;
+
+ switch (hpux_tag) {
+ case USER:
+ smb_tag = SMB_ACL_USER;
+ break;
+ case USER_OBJ:
+ smb_tag = SMB_ACL_USER_OBJ;
+ break;
+ case GROUP:
+ smb_tag = SMB_ACL_GROUP;
+ break;
+ case GROUP_OBJ:
+ smb_tag = SMB_ACL_GROUP_OBJ;
+ break;
+ case OTHER_OBJ:
+ smb_tag = SMB_ACL_OTHER;
+ break;
+ case CLASS_OBJ:
+ smb_tag = SMB_ACL_MASK;
+ break;
+ default:
+ DEBUGADD(10, (" !!! unknown hpux tag type: 0x%04x\n",
+ hpux_tag));
+ break;
+ }
+
+ DEBUGADD(10, (" --> determined smb tag 0x%04x\n", smb_tag));
+
+ return smb_tag;
+}
+
+
+/*
+ * The permission bits used in the following two permission conversion
+ * functions are same, but the functions make us independent of the concrete
+ * permission data types.
+ */
+static SMB_ACL_PERM_T hpux_perm_to_smb_perm(const HPUX_PERM_T perm)
+{
+ SMB_ACL_PERM_T smb_perm = 0;
+ smb_perm |= ((perm & SMB_ACL_READ) ? SMB_ACL_READ : 0);
+ smb_perm |= ((perm & SMB_ACL_WRITE) ? SMB_ACL_WRITE : 0);
+ smb_perm |= ((perm & SMB_ACL_EXECUTE) ? SMB_ACL_EXECUTE : 0);
+ return smb_perm;
+}
+
+
+static HPUX_PERM_T smb_perm_to_hpux_perm(const SMB_ACL_PERM_T perm)
+{
+ HPUX_PERM_T hpux_perm = 0;
+ hpux_perm |= ((perm & SMB_ACL_READ) ? SMB_ACL_READ : 0);
+ hpux_perm |= ((perm & SMB_ACL_WRITE) ? SMB_ACL_WRITE : 0);
+ hpux_perm |= ((perm & SMB_ACL_EXECUTE) ? SMB_ACL_EXECUTE : 0);
+ return hpux_perm;
+}
+
+
+static BOOL hpux_acl_get_file(const char *name, HPUX_ACL_T *hpux_acl,
+ int *count)
+{
+ BOOL result = False;
+ static HPUX_ACE_T dummy_ace;
+
+ DEBUG(10, ("hpux_acl_get_file called for file '%s'\n", name));
+
+ /*
+ * The original code tries some INITIAL_ACL_SIZE
+ * and only did the ACL_CNT call upon failure
+ * (for performance reasons).
+ * For the sake of simplicity, I skip this for now.
+ *
+ * NOTE: There is a catch here on HP-UX: acl with cmd parameter
+ * ACL_CNT fails with errno EINVAL when called with a NULL
+ * pointer as last argument. So we need to use a dummy acl
+ * struct here (we make it static so it does not need to be
+ * instantiated or malloced each time this function is
+ * called). Btw: the count parameter does not seem to matter...
+ */
+ *count = acl(CONST_DISCARD(char *, name), ACL_CNT, 0, &dummy_ace);
+ if (*count < 0) {
+ DEBUG(10, ("acl ACL_CNT failed: %s\n", strerror(errno)));
+ goto done;
+ }
+ *hpux_acl = hpux_acl_init(*count);
+ if (*hpux_acl == NULL) {
+ DEBUG(10, ("error allocating memory for hpux acl...\n"));
+ goto done;
+ }
+ *count = acl(CONST_DISCARD(char *, name), ACL_GET, *count, *hpux_acl);
+ if (*count < 0) {
+ DEBUG(10, ("acl ACL_GET failed: %s\n", strerror(errno)));
+ goto done;
+ }
+ result = True;
+
+ done:
+ DEBUG(10, ("hpux_acl_get_file %s.\n",
+ ((result == True) ? "succeeded" : "failed" )));
+ return result;
+}
+
+
+
+
+/*
+ * Add entries to a hpux ACL.
+ *
+ * Entries are directly added to the hpuxacl parameter.
+ * if memory allocation fails, this may result in hpuxacl
+ * being NULL. if the resulting acl is to be checked and is
+ * not valid, it is kept in hpuxacl but False is returned.
+ *
+ * The type of ACEs (access/default) to be added to the ACL can
+ * be selected via the type parameter.
+ * I use the SMB_ACL_TYPE_T type here. Since SMB_ACL_TYPE_ACCESS
+ * is defined as "0", this means that one can only add either
+ * access or default ACEs from the given ACL, not both at the same
+ * time. If it should become necessary to add all of an ACL, one
+ * would have to replace this parameter by another type.
+ */
+static BOOL hpux_add_to_acl(HPUX_ACL_T *hpux_acl, int *count,
+ HPUX_ACL_T add_acl, int add_count,
+ SMB_ACL_TYPE_T type)
+{
+ int i;
+
+ if ((type != SMB_ACL_TYPE_ACCESS) && (type != SMB_ACL_TYPE_DEFAULT))
+ {
+ DEBUG(10, ("invalid acl type given: %d\n", type));
+ errno = EINVAL;
+ return False;
+ }
+ for (i = 0; i < add_count; i++) {
+ if (!_IS_OF_TYPE(add_acl[i], type)) {
+ continue;
+ }
+ ADD_TO_ARRAY(NULL, HPUX_ACE_T, add_acl[i],
+ hpux_acl, count);
+ if (hpux_acl == NULL) {
+ DEBUG(10, ("error enlarging acl.\n"));
+ errno = ENOMEM;
+ return False;
+ }
+ }
+ return True;
+}
+
+
+/*
+ * sort the ACL and check it for validity
+ *
+ * [original comment from lib/sysacls.c:]
+ *
+ * if it's a minimal ACL with only 4 entries then we
+ * need to recalculate the mask permissions to make
+ * sure that they are the same as the GROUP_OBJ
+ * permissions as required by the UnixWare acl() system call.
+ *
+ * (note: since POSIX allows minimal ACLs which only contain
+ * 3 entries - ie there is no mask entry - we should, in theory,
+ * check for this and add a mask entry if necessary - however
+ * we "know" that the caller of this interface always specifies
+ * a mask, so in practice "this never happens" (tm) - if it *does*
+ * happen aclsort() will fail and return an error and someone will
+ * have to fix it...)
+ */
+static BOOL hpux_acl_sort(HPUX_ACL_T hpux_acl, int count)
+{
+ int fixmask = (count <= 4);
+
+ if (hpux_internal_aclsort(count, fixmask, hpux_acl) != 0) {
+ errno = EINVAL;
+ return False;
+ }
+ return True;
+}
+
+
+/*
+ * Helpers for hpux_internal_aclsort:
+ * - hpux_count_obj
+ * - hpux_swap_acl_entries
+ * - hpux_prohibited_duplicate_type
+ * - hpux_get_needed_class_perm
+ */
+
+/* hpux_count_obj:
+ * Counts the different number of objects in a given array of ACL
+ * structures.
+ * Inputs:
+ *
+ * acl_count - Count of ACLs in the array of ACL strucutres.
+ * aclp - Array of ACL structures.
+ * acl_type_count - Pointer to acl_types structure. Should already be
+ * allocated.
+ * Output:
+ *
+ * acl_type_count - This structure is filled up with counts of various
+ * acl types.
+ */
+
+static void hpux_count_obj(int acl_count, HPUX_ACL_T aclp, struct hpux_acl_types *acl_type_count)
+{
+ int i;
+
+ memset(acl_type_count, 0, sizeof(struct hpux_acl_types));
+
+ for(i=0;i<acl_count;i++) {
+ switch(aclp[i].a_type) {
+ case USER:
+ acl_type_count->n_user++;
+ break;
+ case USER_OBJ:
+ acl_type_count->n_user_obj++;
+ break;
+ case DEF_USER_OBJ:
+ acl_type_count->n_def_user_obj++;
+ break;
+ case GROUP:
+ acl_type_count->n_group++;
+ break;
+ case GROUP_OBJ:
+ acl_type_count->n_group_obj++;
+ break;
+ case DEF_GROUP_OBJ:
+ acl_type_count->n_def_group_obj++;
+ break;
+ case OTHER_OBJ:
+ acl_type_count->n_other_obj++;
+ break;
+ case DEF_OTHER_OBJ:
+ acl_type_count->n_def_other_obj++;
+ break;
+ case CLASS_OBJ:
+ acl_type_count->n_class_obj++;
+ break;
+ case DEF_CLASS_OBJ:
+ acl_type_count->n_def_class_obj++;
+ break;
+ case DEF_USER:
+ acl_type_count->n_def_user++;
+ break;
+ case DEF_GROUP:
+ acl_type_count->n_def_group++;
+ break;
+ default:
+ acl_type_count->n_illegal_obj++;
+ break;
+ }
+ }
+}
+
+/* hpux_swap_acl_entries: Swaps two ACL entries.
+ *
+ * Inputs: aclp0, aclp1 - ACL entries to be swapped.
+ */
+
+static void hpux_swap_acl_entries(HPUX_ACE_T *aclp0, HPUX_ACE_T *aclp1)
+{
+ HPUX_ACE_T temp_acl;
+
+ temp_acl.a_type = aclp0->a_type;
+ temp_acl.a_id = aclp0->a_id;
+ temp_acl.a_perm = aclp0->a_perm;
+
+ aclp0->a_type = aclp1->a_type;
+ aclp0->a_id = aclp1->a_id;
+ aclp0->a_perm = aclp1->a_perm;
+
+ aclp1->a_type = temp_acl.a_type;
+ aclp1->a_id = temp_acl.a_id;
+ aclp1->a_perm = temp_acl.a_perm;
+}
+
+/* hpux_prohibited_duplicate_type
+ * Identifies if given ACL type can have duplicate entries or
+ * not.
+ *
+ * Inputs: acl_type - ACL Type.
+ *
+ * Outputs:
+ *
+ * Return..
+ *
+ * True - If the ACL type matches any of the prohibited types.
+ * False - If the ACL type doesn't match any of the prohibited types.
+ */
+
+static BOOL hpux_prohibited_duplicate_type(int acl_type)
+{
+ switch(acl_type) {
+ case USER:
+ case GROUP:
+ case DEF_USER:
+ case DEF_GROUP:
+ return True;
+ default:
+ return False;
+ }
+}
+
+/* hpux_get_needed_class_perm
+ * Returns the permissions of a ACL structure only if the ACL
+ * type matches one of the pre-determined types for computing
+ * CLASS_OBJ permissions.
+ *
+ * Inputs: aclp - Pointer to ACL structure.
+ */
+
+static int hpux_get_needed_class_perm(struct acl *aclp)
+{
+ switch(aclp->a_type) {
+ case USER:
+ case GROUP_OBJ:
+ case GROUP:
+ case DEF_USER_OBJ:
+ case DEF_USER:
+ case DEF_GROUP_OBJ:
+ case DEF_GROUP:
+ case DEF_CLASS_OBJ:
+ case DEF_OTHER_OBJ:
+ return aclp->a_perm;
+ default:
+ return 0;
+ }
+}
+
+/* hpux_internal_aclsort: aclsort for HPUX.
+ *
+ * -> The aclsort() system call is availabe on the latest HPUX General
+ * -> Patch Bundles. So for HPUX, we developed our version of aclsort
+ * -> function. Because, we don't want to update to a new
+ * -> HPUX GR bundle just for aclsort() call.
+ *
+ * aclsort sorts the array of ACL structures as per the description in
+ * aclsort man page. Refer to aclsort man page for more details
+ *
+ * Inputs:
+ *
+ * acl_count - Count of ACLs in the array of ACL structures.
+ * calclass - If this is not zero, then we compute the CLASS_OBJ
+ * permissions.
+ * aclp - Array of ACL structures.
+ *
+ * Outputs:
+ *
+ * aclp - Sorted array of ACL structures.
+ *
+ * Outputs:
+ *
+ * Returns 0 for success -1 for failure. Prints a message to the Samba
+ * debug log in case of failure.
+ */
+
+static int hpux_internal_aclsort(int acl_count, int calclass, HPUX_ACL_T aclp)
+{
+ struct hpux_acl_types acl_obj_count;
+ int n_class_obj_perm = 0;
+ int i, j;
+
+ DEBUG(10,("Entering hpux_internal_aclsort. (calclass = %d)\n", calclass));
+
+ if (hpux_aclsort_call_present()) {
+ DEBUG(10, ("calling hpux aclsort\n"));
+ return aclsort(acl_count, calclass, aclp);
+ }
+
+ DEBUG(10, ("using internal aclsort\n"));
+
+ if(!acl_count) {
+ DEBUG(10,("Zero acl count passed. Returning Success\n"));
+ return 0;
+ }
+
+ if(aclp == NULL) {
+ DEBUG(0,("Null ACL pointer in hpux_acl_sort. Returning Failure. \n"));
+ return -1;
+ }
+
+ /* Count different types of ACLs in the ACLs array */
+
+ hpux_count_obj(acl_count, aclp, &acl_obj_count);
+
+ /* There should be only one entry each of type USER_OBJ, GROUP_OBJ,
+ * CLASS_OBJ and OTHER_OBJ
+ */
+
+ if ( (acl_obj_count.n_user_obj != 1) ||
+ (acl_obj_count.n_group_obj != 1) ||
+ (acl_obj_count.n_class_obj != 1) ||
+ (acl_obj_count.n_other_obj != 1) )
+ {
+ DEBUG(0,("hpux_internal_aclsort: More than one entry or no entries for \
+USER OBJ or GROUP_OBJ or OTHER_OBJ or CLASS_OBJ\n"));
+ return -1;
+ }
+
+ /* If any of the default objects are present, there should be only
+ * one of them each.
+ */
+
+ if ( (acl_obj_count.n_def_user_obj > 1) ||
+ (acl_obj_count.n_def_group_obj > 1) ||
+ (acl_obj_count.n_def_other_obj > 1) ||
+ (acl_obj_count.n_def_class_obj > 1) )
+ {
+ DEBUG(0,("hpux_internal_aclsort: More than one entry for DEF_CLASS_OBJ \
+or DEF_USER_OBJ or DEF_GROUP_OBJ or DEF_OTHER_OBJ\n"));
+ return -1;
+ }
+
+ /* We now have proper number of OBJ and DEF_OBJ entries. Now sort the acl
+ * structures.
+ *
+ * Sorting crieteria - First sort by ACL type. If there are multiple entries of
+ * same ACL type, sort by ACL id.
+ *
+ * I am using the trival kind of sorting method here because, performance isn't
+ * really effected by the ACLs feature. More over there aren't going to be more
+ * than 17 entries on HPUX.
+ */
+
+ for(i=0; i<acl_count;i++) {
+ for (j=i+1; j<acl_count; j++) {
+ if( aclp[i].a_type > aclp[j].a_type ) {
+ /* ACL entries out of order, swap them */
+ hpux_swap_acl_entries((aclp+i), (aclp+j));
+ } else if ( aclp[i].a_type == aclp[j].a_type ) {
+ /* ACL entries of same type, sort by id */
+ if(aclp[i].a_id > aclp[j].a_id) {
+ hpux_swap_acl_entries((aclp+i), (aclp+j));
+ } else if (aclp[i].a_id == aclp[j].a_id) {
+ /* We have a duplicate entry. */
+ if(hpux_prohibited_duplicate_type(aclp[i].a_type)) {
+ DEBUG(0, ("hpux_internal_aclsort: Duplicate entry: Type(hex): %x Id: %d\n",
+ aclp[i].a_type, aclp[i].a_id));
+ return -1;
+ }
+ }
+ }
+ }
+ }
+
+ /* set the class obj permissions to the computed one. */
+ if(calclass) {
+ int n_class_obj_index = -1;
+
+ for(i=0;i<acl_count;i++) {
+ n_class_obj_perm |= hpux_get_needed_class_perm((aclp+i));
+
+ if(aclp[i].a_type == CLASS_OBJ)
+ n_class_obj_index = i;
+ }
+ aclp[n_class_obj_index].a_perm = n_class_obj_perm;
+ }
+
+ return 0;
+}
+
+
+/*
+ * hpux_acl_call_present:
+ *
+ * This checks if the POSIX ACL system call is defined
+ * which basically corresponds to whether JFS 3.3 or
+ * higher is installed. If acl() was called when it
+ * isn't defined, it causes the process to core dump
+ * so it is important to check this and avoid acl()
+ * calls if it isn't there.
+ */
+
+static BOOL hpux_acl_call_present(void)
+{
+
+ shl_t handle = NULL;
+ void *value;
+ int ret_val=0;
+ static BOOL already_checked = False;
+
+ if(already_checked)
+ return True;
+
+ errno = 0;
+
+ ret_val = shl_findsym(&handle, "acl", TYPE_PROCEDURE, &value);
+
+ if(ret_val != 0) {
+ DEBUG(5, ("hpux_acl_call_present: shl_findsym() returned %d, errno = %d, error %s\n",
+ ret_val, errno, strerror(errno)));
+ DEBUG(5,("hpux_acl_call_present: acl() system call is not present. Check if you have JFS 3.3 and above?\n"));
+ errno = ENOSYS;
+ return False;
+ }
+
+ DEBUG(10,("hpux_acl_call_present: acl() system call is present. We have JFS 3.3 or above \n"));
+
+ already_checked = True;
+ return True;
+}
+
+/*
+ * runtime check for presence of aclsort library call.
+ * same code as for acl call. if there are more of these,
+ * a dispatcher function could be handy...
+ */
+
+static BOOL hpux_aclsort_call_present(void)
+{
+ shl_t handle = NULL;
+ void *value;
+ int ret_val = 0;
+ static BOOL already_checked = False;
+
+ if (already_checked) {
+ return True;
+ }
+
+ errno = 0;
+ ret_val = shl_findsym(&handle, "aclsort", TYPE_PROCEDURE, &value);
+ if (ret_val != 0) {
+ DEBUG(5, ("hpux_aclsort_call_present: shl_findsym "
+ "returned %d, errno = %d, error %s",
+ ret_val, errno, strerror(errno)));
+ DEBUG(5, ("hpux_aclsort_call_present: "
+ "aclsort() function not available.\n"));
+ return False;
+ }
+ DEBUG(10,("hpux_aclsort_call_present: aclsort() function present.\n"));
+ already_checked = True;
+ return True;
+}
+
+#if 0
+/*
+ * acl check function:
+ * unused at the moment but could be used to get more
+ * concrete error messages for debugging...
+ * (acl sort just says that the acl is invalid...)
+ */
+static BOOL hpux_acl_check(HPUX_ACL_T hpux_acl, int count)
+{
+ int check_rc;
+ int check_which;
+
+ check_rc = aclcheck(hpux_acl, count, &check_which);
+ if (check_rc != 0) {
+ DEBUG(10, ("acl is not valid:\n"));
+ DEBUGADD(10, (" - return code: %d\n", check_rc));
+ DEBUGADD(10, (" - which: %d\n", check_which));
+ if (check_which != -1) {
+ DEBUGADD(10, (" - invalid entry:\n"));
+ DEBUGADD(10, (" * type: %d:\n",
+ hpux_acl[check_which].a_type));
+ DEBUGADD(10, (" * id: %d\n",
+ hpux_acl[check_which].a_id));
+ DEBUGADD(10, (" * perm: 0o%o\n",
+ hpux_acl[check_which].a_perm));
+ }
+ return False;
+ }
+ return True;
+}
+#endif
/* VFS operations structure */
static vfs_op_tuple hpuxacl_op_tuples[] = {
/* Disk operations */
- {SMB_VFS_OP(hpuxacl_sys_acl_get_file),
- SMB_VFS_OP_SYS_ACL_GET_FILE,
- SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(hpuxacl_sys_acl_get_file),
+ SMB_VFS_OP_SYS_ACL_GET_FILE,
+ SMB_VFS_LAYER_TRANSPARENT},
- {SMB_VFS_OP(hpuxacl_sys_acl_get_fd),
- SMB_VFS_OP_SYS_ACL_GET_FD,
- SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(hpuxacl_sys_acl_get_fd),
+ SMB_VFS_OP_SYS_ACL_GET_FD,
+ SMB_VFS_LAYER_TRANSPARENT},
- {SMB_VFS_OP(hpuxacl_sys_acl_set_file),
- SMB_VFS_OP_SYS_ACL_SET_FILE,
- SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(hpuxacl_sys_acl_set_file),
+ SMB_VFS_OP_SYS_ACL_SET_FILE,
+ SMB_VFS_LAYER_TRANSPARENT},
- {SMB_VFS_OP(hpuxacl_sys_acl_set_fd),
- SMB_VFS_OP_SYS_ACL_SET_FD,
- SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(hpuxacl_sys_acl_set_fd),
+ SMB_VFS_OP_SYS_ACL_SET_FD,
+ SMB_VFS_LAYER_TRANSPARENT},
- {SMB_VFS_OP(hpuxacl_sys_acl_delete_def_file),
- SMB_VFS_OP_SYS_ACL_DELETE_DEF_FILE,
- SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(hpuxacl_sys_acl_delete_def_file),
+ SMB_VFS_OP_SYS_ACL_DELETE_DEF_FILE,
+ SMB_VFS_LAYER_TRANSPARENT},
- {SMB_VFS_OP(NULL),
- SMB_VFS_OP_NOOP,
- SMB_VFS_LAYER_NOOP}
+ {SMB_VFS_OP(NULL),
+ SMB_VFS_OP_NOOP,
+ SMB_VFS_LAYER_NOOP}
};
-NTSTATUS vfs_hpuxacl_init(void);
NTSTATUS vfs_hpuxacl_init(void)
{
return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "hpuxacl",