mirrors/systemd
0
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2024-11-23 18:23:32 +08:00
Code Issues Packages Projects Releases Wiki Activity

tmpfiles: implement augmenting of existing ACLs

Browse Source 
This is much more useful in practice (equivalent to setfacl -m).
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2015-01-18 05:02:47 -05:00
parent b705ab6a83
commit 50d9e46dbb
4 changed files with 96 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
man/tmpfiles.d.xml
View File

@ -234,7 +234,7 @@
to exclude paths from clean-up as controlled with the Age
parameter. Note that lines of this type do not influence the
effect of <varname>r</varname> or <varname>R</varname>
lines. Lines of this type accept shell-style globs in place
lines. Lines of this type accept shell-style globs in place
of normal path names. </para></listitem>
</varlistentry>
@ -246,7 +246,7 @@
not exclude the content if path is a directory, but only
directory itself. Note that lines of this type do not
influence the effect of <varname>r</varname> or
<varname>R</varname> lines. Lines of this type accept
<varname>R</varname> lines. Lines of this type accept
shell-style globs in place of normal path names.
</para></listitem>
</varlistentry>
@ -304,19 +304,25 @@
<varlistentry>
<term><varname>a</varname></term>
<listitem><para>Set POSIX ACLs (access control lists).
Lines of this type accept shell-style globs in
place of normal path names. This can be useful for
allowing additional access to certain files.
</para></listitem>
<term><varname>a+</varname></term>
<listitem><para>Set POSIX ACLs (access control lists). If
suffixed with <varname>+</varname>, specified mask will be
added to existing
entries. <command>systemd-tmpfiles</command> does not
automatically add the required base entries for user and
group to the specified mask, so they must be specified
explicitly if <varname>+</varname> is not used. The
mask will be added if not specified explicitly.
Lines of this type accept shell-style globs in place
of normal path names. This can be useful for allowing
additional access to certain files. </para></listitem>
</varlistentry>
<varlistentry>
<term><varname>A</varname></term>
<listitem><para>Recursively set POSIX ACLs. Lines of this
type accept shell-style globs in place of normal path
names. This can be useful for allowing additional access to
certain files.</para></listitem>
<term><varname>A+</varname></term>
<listitem><para>Same as <varname>a</varname> and
<varname>a+</varname>, but recursive.</para></listitem>
</varlistentry>
</variablelist>

49
src/shared/acl-util.c
View File

@ -150,7 +150,7 @@ int search_acl_groups(char*** dst, const char* path, bool* belong) {
return 0;
}
int parse_acl(char *text, acl_t *acl_access, acl_t *acl_default) {
int parse_acl(char *text, acl_t *acl_access, acl_t *acl_default, bool want_mask) {
_cleanup_free_ char **a = NULL, **d = NULL; /* strings are not be freed */
_cleanup_strv_free_ char **split;
char **entry;
@ -187,9 +187,11 @@ int parse_acl(char *text, acl_t *acl_access, acl_t *acl_default) {
if (!a_acl)
return -EINVAL;
r = calc_acl_mask_if_needed(&a_acl);
if (r < 0)
return r;
if (want_mask) {
r = calc_acl_mask_if_needed(&a_acl);
if (r < 0)
return r;
}
}
if (!strv_isempty(d)) {
@ -203,9 +205,11 @@ int parse_acl(char *text, acl_t *acl_access, acl_t *acl_default) {
if (!d_acl)
return -EINVAL;
r = calc_acl_mask_if_needed(&d_acl);
if (r < 0)
return r;
if (want_mask) {
r = calc_acl_mask_if_needed(&d_acl);
if (r < 0)
return r;
}
}
*acl_access = a_acl;
@ -213,3 +217,34 @@ int parse_acl(char *text, acl_t *acl_access, acl_t *acl_default) {
a_acl = d_acl = NULL;
return 0;
}
int acls_for_file(const char *path, acl_type_t type, acl_t new, acl_t *acl) {
_cleanup_(acl_freep) acl_t old;
acl_entry_t i;
int found, r;
old = acl_get_file(path, type);
if (!old)
return -errno;
for (found = acl_get_entry(new, ACL_FIRST_ENTRY, &i);
found > 0;
found = acl_get_entry(new, ACL_NEXT_ENTRY, &i)) {
acl_entry_t j;
if (acl_create_entry(&old, &j) < 0)
return -errno;
if (acl_copy_entry(j, i) < 0)
return -errno;
}
r = calc_acl_mask_if_needed(&old);
if (r < 0)
return r;
*acl = old;
old = NULL;
return 0;
}

3
src/shared/acl-util.h
View File

@ -32,7 +32,8 @@
int acl_find_uid(acl_t acl, uid_t uid, acl_entry_t *entry);
int calc_acl_mask_if_needed(acl_t *acl_p);
int search_acl_groups(char*** dst, const char* path, bool* belong);
int parse_acl(char *text, acl_t *acl_access, acl_t *acl_default);
int parse_acl(char *text, acl_t *acl_access, acl_t *acl_default, bool want_mask);
int acls_for_file(const char *path, acl_type_t type, acl_t new, acl_t *acl);
/* acl_free takes multiple argument types.
* Multiple cleanup functions are necessary. */

54
src/tmpfiles/tmpfiles.c
View File

@ -600,7 +600,9 @@ static int get_acls_from_arg(Item *item) {
assert(item);
r = parse_acl(item->argument, &item->acl_access, &item->acl_default);
/* If force (= modify) is set, we will not modify the acl
* afterwards, so the mask can be added now if necessary. */
r = parse_acl(item->argument, &item->acl_access, &item->acl_default, !item->force);
if (r < 0)
log_warning_errno(errno, "Failed to parse ACL \"%s\": %m. Ignoring",
item->argument);
@ -611,6 +613,32 @@ static int get_acls_from_arg(Item *item) {
return 0;
}
static int path_set_acl(const char *path, acl_type_t type, acl_t acl, bool modify) {
_cleanup_(acl_freep) acl_t cleanme = NULL;
int r;
if (modify) {
r = acls_for_file(path, type, acl, &cleanme);
if (r < 0)
return r;
acl = cleanme;
};
r = acl_set_file(path, type, acl);
if (r < 0) {
_cleanup_(acl_free_charpp) char *t;
r = -errno;
t = acl_to_any_text(acl, NULL, ',', TEXT_ABBREVIATE);
log_error_errno(r,
"Setting %s ACL \"%s\" on %s failed: %m",
type == ACL_TYPE_ACCESS ? "access" : "default",
strna(t), path);
}
return r;
}
static int path_set_acls(Item *item, const char *path) {
#ifdef HAVE_ACL
int r;
@ -619,27 +647,15 @@ static int path_set_acls(Item *item, const char *path) {
assert(path);
if (item->acl_access) {
r = acl_set_file(path, ACL_TYPE_ACCESS, item->acl_access);
if (r < 0) {
_cleanup_(acl_free_charpp) char *t;
t = acl_to_any_text(item->acl_access, NULL, ',', TEXT_ABBREVIATE);
return log_error_errno(errno,
"Setting access ACL \"%s\" on %s failed: %m",
strna(t), path);
}
r = path_set_acl(path, ACL_TYPE_ACCESS, item->acl_access, item->force);
if (r < 0)
return r;
}
if (item->acl_default) {
r = acl_set_file(path, ACL_TYPE_DEFAULT, item->acl_default);
if (r < 0) {
_cleanup_(acl_free_charpp) char *t;
t = acl_to_any_text(item->acl_default, NULL, ',', TEXT_ABBREVIATE);
return log_error_errno(errno,
"Setting default ACL \"%s\" on %s failed: %m",
strna(t), path);
}
r = path_set_acl(path, ACL_TYPE_DEFAULT, item->acl_default, item->force);
if (r < 0)
return r;
}
#endif