}
-int has_default_tag_acl(const char* path, acl_tag_t tag_type) {
+int has_default_tag_acl(const char* path, acl_tag_t desired_tag) {
/* Returns one if the given path has a default ACL for the supplied
tag, zero if it doesn't, and -1 on error. */
acl_t defacl = acl_get_file(path, ACL_TYPE_DEFAULT);
return -1;
}
else {
- if (tag == tag_type) {
+ if (tag == desired_tag) {
return 1;
}
}
}
-int get_default_tag_permset(const char* path,
- acl_tag_t tag_type,
- acl_permset_t* output_perms) {
- /* Returns one if successful, zero when the ACL doesn't exist, and
+int get_default_tag_entry(const char* path,
+ acl_tag_t desired_tag,
+ acl_entry_t* entry) {
+ /* Returns one if successful, zero when the ACL doesn't exist, and
-1 on unexpected errors. */
acl_t defacl = acl_get_file(path, ACL_TYPE_DEFAULT);
if (defacl == (acl_t)NULL) {
/* Follow the acl_foo convention of -1 == error. */
- errno = EINVAL;
return 0;
}
- acl_entry_t entry;
- int result = acl_get_entry(defacl, ACL_FIRST_ENTRY, &entry);
+ int result = acl_get_entry(defacl, ACL_FIRST_ENTRY, entry);
while (result == 1) {
acl_tag_t tag = ACL_UNDEFINED_TAG;
- int tag_result = acl_get_tag_type(entry, &tag);
+ int tag_result = acl_get_tag_type(*entry, &tag);
if (tag_result == -1) {
- perror("get_default_tag_permset (acl_get_tag_type)");
+ perror("get_default_tag_entry (acl_get_tag_type)");
return -1;
}
- else {
- if (tag == tag_type) {
- /* We found the right tag, now get the permset. */
- int ps_result = acl_get_permset(entry, output_perms);
- if (ps_result == -1) {
- perror("get_default_tag_permset (acl_get_permset)");
- }
-
- if (ps_result == 0) {
- return 1;
- }
- else {
- return 0;
- }
- }
+
+ if (tag == desired_tag) {
+ /* We found the right tag, so return successfully. */
+ return 1;
}
- result = acl_get_entry(defacl, ACL_NEXT_ENTRY, &entry);
+ result = acl_get_entry(defacl, ACL_NEXT_ENTRY, entry);
}
/* This catches both the initial acl_get_entry and the ones at the
end of the loop. */
if (result == -1) {
- perror("get_default_tag_permset (acl_get_entry)");
+ perror("get_default_tag_entry (acl_get_entry)");
return -1;
}
}
+
+int get_default_tag_permset(const char* path,
+ acl_tag_t desired_tag,
+ acl_permset_t* output_perms) {
+ /* Returns one if successful, zero when the ACL doesn't exist, and
+ -1 on unexpected errors. */
+ acl_t defacl = acl_get_file(path, ACL_TYPE_DEFAULT);
+
+ if (defacl == (acl_t)NULL) {
+ /* Follow the acl_foo convention of -1 == error. */
+ return 0;
+ }
+
+ acl_entry_t entry;
+ int result = get_default_tag_entry(path, desired_tag, &entry);
+
+ if (result == 1) {
+ /* We found the right tag, now get the permset. */
+ int ps_result = acl_get_permset(entry, output_perms);
+ if (ps_result == -1) {
+ perror("get_default_tag_permset (acl_get_permset)");
+ }
+
+ if (ps_result == 0) {
+ return 1;
+ }
+ else {
+ return 0;
+ }
+ }
+ else {
+ return result;
+ }
+}
+
+
int has_default_tag_perm(const char* path,
acl_tag_t tag,
acl_perm_t perm) {
return p_result;
}
+int remove_default_tag_perm(const char* path,
+ acl_tag_t tag,
+ acl_perm_t perm) {
+ /* Attempt to remove perm from tag. Returns one if successful, zero
+ if there was nothing to do, and -1 on errors. */
+ int hdta = has_default_tag_acl(path, tag);
+ if (hdta != 1) {
+ /* Failure or error. */
+ return hdta;
+ }
+
+ acl_permset_t permset;
+ bool ps_result = get_default_tag_permset(path, tag, &permset);
+
+ if (ps_result != 1) {
+ /* Failure or error. */
+ return ps_result;
+ }
+
+ int d_result = acl_delete_perm(permset, perm);
+ if (d_result == -1) {
+ perror("remove_default_tag_perm (acl_delete_perm)");
+ return -1;
+ }
+
+ /* We've only removed perm from the permset; now we have to replace
+ the permset. */
+ acl_entry_t entry;
+ int entry_result = get_default_tag_entry(path, tag, &entry);
+
+ if (entry_result == -1) {
+ perror("remove_default_tag_perm (get_default_tag_entry)");
+ return -1;
+ }
+
+ if (entry_result == 1) {
+ /* Success. */
+ int s_result = acl_set_permset(entry, permset);
+ if (s_result == -1) {
+ perror("remove_default_tag_perm (acl_set_permset)");
+ return -1;
+ }
+
+ return 1;
+ }
+ else {
+ return 0;
+ }
+}
+
+int remove_default_group_obj_execute(const char* path) {
+ return remove_default_tag_perm(path, ACL_GROUP_OBJ, ACL_EXECUTE);
+}
+
+
int has_default_user_obj_read(const char* path) {
return has_default_tag_perm(path, ACL_USER_OBJ, ACL_READ);
}
mode_t path_mode = get_mode(path);
- /* If parent has a default user ACL, apply it to path via chmod. */
- if (has_default_user_obj_read(parent)) {
- path_mode |= S_IRUSR;
- }
+ /* If parent has a default user ACL, apply it. */
+ if (has_default_user_obj_acl(parent)) {
- if (has_default_user_obj_write(parent)) {
- path_mode |= S_IWUSR;
- }
+ if (has_default_user_obj_read(parent)) {
+ /* Add user read. */
+ path_mode |= S_IRUSR;
+ }
+ else {
+ /* Remove user read. */
+ path_mode &= ~S_IRUSR;
+ }
- /* However, we don't want to set the execute bit on via the ACL
- unless it was on originally. Furthermore, if the ACL denies
- execute, we want to honor that. */
- if (has_default_user_obj_acl(parent)) {
+
+ if (has_default_user_obj_write(parent)) {
+ /* Add user write. */
+ path_mode |= S_IWUSR;
+ }
+ else {
+ /* Remove user write. */
+ path_mode &= ~S_IWUSR;
+ }
+
+
+ /* We don't want to set the execute bit on via the ACL unless it
+ was on originally. */
if (!has_default_user_obj_execute(parent)) {
- /* It has a user ACL, but no user execute is granted. */
+ /* Remove user execute. */
path_mode &= ~S_IXUSR;
}
}
/* Do the same thing with the other perms/ACL. */
- if (has_default_other_read(parent)) {
- path_mode |= S_IROTH;
- }
+ if (has_default_other_acl(parent)) {
- if (has_default_other_write(parent)) {
- path_mode |= S_IWOTH;
- }
+ if (has_default_other_read(parent)) {
+ path_mode |= S_IROTH;
+ }
+ else {
+ path_mode &= ~S_IROTH;
+ }
- if (has_default_other_acl(parent)) {
+
+ if (has_default_other_write(parent)) {
+ path_mode |= S_IWOTH;
+ }
+ else {
+ path_mode &= ~S_IWOTH;
+ }
+
+
+ /* We don't want to set the execute bit on via the ACL unless it
+ was on originally. */
if (!has_default_other_execute(parent)) {
- /* It has an other ACL, but no other execute is granted. */
path_mode &= ~S_IXOTH;
}
}
+
if (has_minimal_default_acl(parent)) {
/* With a minimal ACL, we'll repeat for the group bits what we
already did for the owner/other bits. */
- if (has_default_group_obj_read(parent)) {
- path_mode |= S_IRGRP;
- }
+ if (has_default_group_obj_acl(parent)) {
+ if (has_default_group_obj_read(parent)) {
+ path_mode |= S_IRGRP;
+ }
+ else {
+ path_mode &= ~S_IRGRP;
+ }
- if (has_default_group_obj_write(parent)) {
- path_mode |= S_IWGRP;
- }
- if (has_default_group_obj_acl(parent)) {
+ if (has_default_group_obj_write(parent)) {
+ path_mode |= S_IWGRP;
+ }
+ else {
+ path_mode &= ~S_IWGRP;
+ }
+
+ /* We don't want to set the execute bit on via the ACL unless it
+ was on originally. */
if (!has_default_group_obj_execute(parent)) {
- /* It has a group ACL, but no group execute is granted. */
path_mode &= ~S_IXGRP;
}
}
from the mode bits, but from the group:: ACL entry. So, to do
this, we remove the group::x entry. */
if (has_default_group_obj_execute(path)) {
- /* remove_default_group_obj_execute(path);*/
+ remove_default_group_obj_execute(path);
}
}
}
bool result = reapply_default_acl(target);
if (result) {
- printf("Success.\n");
return EXIT_SUCCESS;
}
else {
projects / apply-default-acl.git / commitdiff