/*
 * security.h - Exports for handling security/ACLs in NTFS.
 *              Originated from the Linux-NTFS project.
 *
 * Copyright (c) 2004 Anton Altaparmakov
 * Copyright (c) 2005-2006 Szabolcs Szakacsits
 * Copyright (c) 2007-2010 Jean-Pierre Andre
 *
 * This program/include file is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as published
 * by the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program/include file is distributed in the hope that it will be
 * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
 * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program (in the main directory of the NTFS-3G
 * distribution in the file COPYING); if not, write to the Free Software
 * Foundation,Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

#ifndef _NTFS_SECURITY_H
#define _NTFS_SECURITY_H

#include "types.h"
#include "layout.h"
#include "inode.h"
#include "dir.h"
#include "endians.h"

/*
 * POSIXACLS defaults to 0 (Posix ACL support compiled out) unless the
 * build defines it.
 *
 * The value changes the layout of struct CACHED_PERMISSIONS and the
 * parameter lists of ntfs_alloc_securid() and ntfs_set_owner_mode()
 * below, so every translation unit including this header has to be
 * compiled with the same setting; a mismatch is an ABI break, not a
 * compile error.
 */
#ifndef POSIXACLS
#define POSIXACLS 0
#endif

/*
 *		item in the mapping list
 *
 *	Node of a singly linked list (through "next") pairing one Linux
 *	id with one Windows SID.
 *	NOTE(review): ownership of "sid" and "groups" is not visible in
 *	this header - confirm who allocates and frees them.
 */

struct MAPPING {
	struct MAPPING *next;
	int xid;		/* linux id : uid or gid */
	SID *sid;		/* Windows id : usid or gsid */
	int grcnt;		/* group count (for users only) */
	gid_t *groups;		/* groups which the user is member of */
};

/*
 *		Entry in the permissions cache
 *	Note : this cache is not organized as a generic cache
 *
 *	The outcome of an access decision (owner, group, mode) is kept
 *	here, so a stale or wrongly indexed entry yields a wrong access
 *	decision; "valid" is the only field here that can mark an entry
 *	as unusable.
 */

struct CACHED_PERMISSIONS {
	uid_t uid;
	gid_t gid;
	le32 inh_fileid;	/* little-endian id; presumably the security id inherited by new files - confirm */
	le32 inh_dirid;		/* little-endian id; presumably the one inherited by new directories - confirm */
#if POSIXACLS
	struct POSIX_SECURITY *pxdesc;
	unsigned int pxdescsize:16;	/* 16-bit field : a size above 65535 cannot be represented */
#endif
	unsigned int mode:12;	/* 12-bit field; presumably the low 12 bits of a Posix mode (07777) - confirm */
	unsigned int valid:1;
} ;

/*
 *	Entry in the permissions cache for directories with no security_id
 *
 *	"payload[0]" is a zero-length array (a compiler extension) which
 *	adds no storage : it only marks where the entry-specific fields
 *	begin.  The fields before it must stay identical, in type and
 *	order, to those of "struct CACHED_GENERIC" (declared elsewhere).
 */

struct CACHED_PERMISSIONS_LEGACY {
	struct CACHED_PERMISSIONS_LEGACY *next;
	struct CACHED_PERMISSIONS_LEGACY *previous;
	void *variable;
	size_t varsize;
	union ALIGNMENT payload[0];
		/* above fields must match "struct CACHED_GENERIC" */
	u64 mft_no;
	struct CACHED_PERMISSIONS perm;
} ;

/*
 *	Entry in the securid cache
 *
 *	Same header convention as struct CACHED_PERMISSIONS_LEGACY :
 *	the fields up to "payload" mirror "struct CACHED_GENERIC".
 *	Associates (uid, gid, dmode) with a little-endian "securid".
 */

struct CACHED_SECURID {
	struct CACHED_SECURID *next;
	struct CACHED_SECURID *previous;
	void *variable;
	size_t varsize;
	union ALIGNMENT payload[0];
		/* above fields must match "struct CACHED_GENERIC" */
	uid_t uid;
	gid_t gid;
	unsigned int dmode;
	le32 securid;
} ;

/*
 *	Header of the security cache
 *	(has no cache structure by itself)
 */

struct CACHED_PERMISSIONS_HEADER {
	unsigned int last;	/* presumably the highest usable index of cachetable[] - confirm */
			/* statistics for permissions */
	unsigned long p_writes;
	unsigned long p_reads;
	unsigned long p_hits;
} ;

/*
 *	The whole permissions cache
 *
 *	"cachetable" is declared with one element but is used as an
 *	array of variable size : sizeof(struct PERMISSIONS_CACHE) only
 *	accounts for a single slot, so the allocation must add the extra
 *	slots and every index must be checked against the allocated
 *	count before use.
 */

struct PERMISSIONS_CACHE {
	struct CACHED_PERMISSIONS_HEADER head;
	struct CACHED_PERMISSIONS *cachetable[1]; /* array of variable size */
} ;

/*
 *	Security flags values
 *
 *	The enumerators are consecutive integers (0..5), not masks.
 *	NOTE(review): presumably used as bit numbers of a flags word,
 *	i.e. tested with (1 << SECURITY_xxx) - confirm against the users.
 */

enum {
	SECURITY_DEFAULT,	/* rely on fuse for permissions checking */
	SECURITY_RAW,	 /* force same ownership/permissions on files */
	SECURITY_ACL,	 /* enable Posix ACLs (when compiled in) */
	SECURITY_ADDSECURIDS,	/* upgrade old security descriptors */
	SECURITY_STATICGRPS,	/* use static groups for access control */
	SECURITY_WANTED		/* a security related option was present */
} ;

/*
 *	Security context, needed by most security functions
 *
 *	MAPUSERS and MAPGROUPS index the "mapping" array below and
 *	MAPCOUNT is its size.
 *
 *	"uid" and "gid" identify the user issuing the request, not the
 *	user who mounted the volume : an access check made with the
 *	mounter's identity would grant the mounter's rights to every
 *	caller.
 */

enum { MAPUSERS, MAPGROUPS, MAPCOUNT } ;

struct SECURITY_CONTEXT {
	ntfs_volume *vol;
	struct MAPPING *mapping[MAPCOUNT];	/* heads of the user and group mapping lists */
	struct PERMISSIONS_CACHE **pseccache;	/* address of the cache pointer, not the cache itself */
	uid_t uid; /* uid of user requesting (not the mounter) */
	gid_t gid; /* gid of user requesting (not the mounter) */
	pid_t tid; /* thread id of thread requesting */
	mode_t umask; /* umask of requesting thread */
	} ;

#if POSIXACLS

/*
 *		       Posix ACL structures
 *
 *	POSIX_ACE and POSIX_ACL are packed, hence their byte layout is
 *	fixed by the declarations (8 bytes per ACE, 4 bytes of ACL
 *	header).  "ace[0]" is a zero-length array : the entries follow
 *	the header in the same allocation and their count is not stored
 *	in struct POSIX_ACL itself.
 */

struct POSIX_ACE {
	u16 tag;	/* one of the POSIX_ACL_xxx tags below */
	u16 perms;	/* combination of the POSIX_PERM_xxx bits below */
	s32 id;		/* presumably the uid or gid the entry designates - confirm */
} __attribute__((__packed__));

struct POSIX_ACL {
	u8 version;
	u8 flags;
	u16 filler;
	struct POSIX_ACE ace[0];
} __attribute__((__packed__));

/*
 *	"acl" is the last member so that its entries can trail the
 *	structure.
 *	NOTE(review): "acccnt", "defcnt" and "firstdef" look like the
 *	number of access entries, the number of default entries and the
 *	index of the first default entry; if so they must be validated
 *	against the allocated size whenever the descriptor is built from
 *	external data - confirm in the implementation.
 */

struct POSIX_SECURITY {
	mode_t mode;
	int acccnt;
	int defcnt;
	int firstdef;
	u16 tagsset;	/* presumably the OR of the tags present in the ACL - confirm */
	u16 filler;
	struct POSIX_ACL acl;
} ;

/*
 *		Posix tags, cpu-endian 16 bits
 *
 *	Each tag is a distinct power of two, so that tags can be
 *	combined into a mask (as POSIX_ACL_EXTENSIONS does).
 */

enum {
	POSIX_ACL_USER_OBJ =	1,
	POSIX_ACL_USER =	2,
	POSIX_ACL_GROUP_OBJ =	4,
	POSIX_ACL_GROUP =	8,
	POSIX_ACL_MASK =	16,
	POSIX_ACL_OTHER =	32,
	POSIX_ACL_SPECIAL =	64  /* internal use only */
} ;

/* mask of the tags which are not one of USER_OBJ, GROUP_OBJ or OTHER */
#define POSIX_ACL_EXTENSIONS (POSIX_ACL_USER | POSIX_ACL_GROUP | POSIX_ACL_MASK)

/*
 *		Posix permissions, cpu-endian 16 bits
 *
 *	X, W and R have the same values as the "other" bits of a Posix
 *	mode.  POSIX_PERM_DENIAL is marked internal : a value received
 *	from outside should not be allowed to carry it.
 */

enum {
	POSIX_PERM_X =		1,
	POSIX_PERM_W =		2,
	POSIX_PERM_R =		4,
	POSIX_PERM_DENIAL =	64 /* internal use only */
} ;

/* presumably the value expected in POSIX_ACL.version - confirm */
#define POSIX_VERSION 2

#endif

/*
 *	GUID and SID helpers
 *
 *	ntfs_guid_to_mbs() takes no buffer size, so it cannot bound its
 *	own writes : the caller has to provide a large enough "guid_str"
 *	(the usual text form of a GUID is 36 characters plus the
 *	terminating NUL - TODO confirm the size the implementation
 *	requires, and what a NULL "guid_str" means).
 *	ntfs_sid_to_mbs() does take "sid_str_size"; ntfs_sid_to_mbs_size()
 *	presumably returns the size needed for a given SID - confirm.
 */

extern BOOL ntfs_guid_is_zero(const GUID *guid);
extern char *ntfs_guid_to_mbs(const GUID *guid, char *guid_str);

extern int ntfs_sid_to_mbs_size(const SID *sid);
extern char *ntfs_sid_to_mbs(const SID *sid, char *sid_str,
		size_t sid_str_size);
extern void ntfs_generate_guid(GUID *guid);
extern int ntfs_sd_add_everyone(ntfs_inode *ni);

/*
 *	Hash of a self-relative security descriptor of "len" bytes,
 *	returned little-endian.
 *	NOTE(review): presumably the lookup hash used for the volume's
 *	security descriptor index rather than an integrity check - do
 *	not rely on it against tampering; confirm.
 */

extern le32 ntfs_security_hash(const SECURITY_DESCRIPTOR_RELATIVE *sd,
			       const u32 len);

/*
 *	Ownership, mode and access control on an opened inode
 *
 *	All of these take the SECURITY_CONTEXT describing the requesting
 *	user.  "usermap_path" names a file which ends up defining which
 *	Windows SID maps to which Linux id, so it is security-critical
 *	input : it should be controlled by the administrator only.
 *	NOTE(review): return conventions (0 / -1 with errno, or a
 *	boolean) are not visible in this header - confirm each one.
 */

int ntfs_build_mapping(struct SECURITY_CONTEXT *scx, const char *usermap_path,
		BOOL allowdef);
int ntfs_get_owner_mode(struct SECURITY_CONTEXT *scx,
		ntfs_inode *ni, struct stat*);
int ntfs_set_mode(struct SECURITY_CONTEXT *scx, ntfs_inode *ni, mode_t mode);
BOOL ntfs_allowed_as_owner(struct SECURITY_CONTEXT *scx, ntfs_inode *ni);
int ntfs_allowed_access(struct SECURITY_CONTEXT *scx,
		ntfs_inode *ni, int accesstype);
int ntfs_allowed_create(struct SECURITY_CONTEXT *scx,
		ntfs_inode *ni, gid_t *pgid, mode_t *pdsetgid);
BOOL old_ntfs_allowed_dir_access(struct SECURITY_CONTEXT *scx,
		const char *path, int accesstype);

/* the Posix ACL build takes one more argument, the parent directory inode */
#if POSIXACLS
le32 ntfs_alloc_securid(struct SECURITY_CONTEXT *scx,
		uid_t uid, gid_t gid, ntfs_inode *dir_ni,
		mode_t mode, BOOL isdir);
#else
le32 ntfs_alloc_securid(struct SECURITY_CONTEXT *scx,
		uid_t uid, gid_t gid, mode_t mode, BOOL isdir);
#endif
int ntfs_set_owner(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
		uid_t uid, gid_t gid);
int ntfs_set_ownmod(struct SECURITY_CONTEXT *scx,
		ntfs_inode *ni, uid_t uid, gid_t gid, mode_t mode);
/* the Posix ACL build takes one more argument, the Posix descriptor */
#if POSIXACLS
int ntfs_set_owner_mode(struct SECURITY_CONTEXT *scx,
		ntfs_inode *ni, uid_t uid, gid_t gid,
		mode_t mode, struct POSIX_SECURITY *pxdesc);
#else
int ntfs_set_owner_mode(struct SECURITY_CONTEXT *scx,
		ntfs_inode *ni, uid_t uid, gid_t gid, mode_t mode);
#endif
le32 ntfs_inherited_id(struct SECURITY_CONTEXT *scx,
		ntfs_inode *dir_ni, BOOL fordir);
int ntfs_open_secure(ntfs_volume *vol);
int ntfs_close_secure(ntfs_volume *vol);

void ntfs_destroy_security_context(struct SECURITY_CONTEXT *scx);

#if POSIXACLS

/*
 *	Posix ACL access
 *
 *	"value" and "size" describe a caller-supplied buffer : an output
 *	buffer for the getter, external data for the setter, which has
 *	to be validated before being interpreted as an ACL.
 *	NOTE(review): "name" and "flags" look like the arguments of an
 *	extended attribute call - confirm.
 */

int ntfs_set_inherited_posix(struct SECURITY_CONTEXT *scx,
		ntfs_inode *ni, uid_t uid, gid_t gid,
		ntfs_inode *dir_ni, mode_t mode);
int ntfs_get_posix_acl(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
		const char *name, char *value, size_t size);
int ntfs_set_posix_acl(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
		const char *name, const char *value, size_t size,
		int flags);
int ntfs_remove_posix_acl(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
		const char *name);
#endif

/*
 *	Raw NTFS ACL and NTFS attribute access
 *
 *	Same buffer convention as above : "value"/"size" is an output
 *	buffer for the getters and untrusted input for the setters.
 *	ntfs_get_ntfs_attrib() and ntfs_set_ntfs_attrib() take no
 *	security context, so any permission check on them has to be
 *	done by the caller.
 */

int ntfs_get_ntfs_acl(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
		char *value, size_t size);
int ntfs_set_ntfs_acl(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
		const char *value, size_t size, int flags);

int ntfs_get_ntfs_attrib(ntfs_inode *ni, char *value, size_t size);
int ntfs_set_ntfs_attrib(ntfs_inode *ni,
		const char *value, size_t size, int flags);


/*
 *	Security API for direct access to security descriptors
 *	based on Win32 API
 *
 *	struct SECURITY_API is the handle given to external programs.
 *	NOTE(review): "magic" presumably holds MAGIC_API so that a handle
 *	can be sanity-checked before use; a constant marker catches stale
 *	or mistyped pointers, it does not authenticate the caller - confirm.
 */

#define MAGIC_API 0x09042009

struct SECURITY_API {
	u32 magic;
	struct SECURITY_CONTEXT security;
	struct PERMISSIONS_CACHE *seccache;
} ;

/*
 *  The following constants are used in interfacing external programs.
 *  They are not to be stored on disk and must be defined in their
 *  native cpu representation.
 *  When disk representation (le) is needed, use SE_DACL_PRESENT, etc.
 *
 *  They are distinct bits, presumably meant to be ORed into the
 *  "selection" argument of ntfs_get_file_security() and
 *  ntfs_set_file_security() - confirm.
 */
enum {	OWNER_SECURITY_INFORMATION = 1,
	GROUP_SECURITY_INFORMATION = 2,
	DACL_SECURITY_INFORMATION = 4,
	SACL_SECURITY_INFORMATION = 8
} ;

/*
 *	Entry points of the direct-access API
 *
 *	ntfs_get_file_security() receives the buffer size ("buflen") and
 *	an output size ("psize").  ntfs_set_file_security() receives
 *	"attr" with no length : the extent of the descriptor can only be
 *	derived from its own contents, so the implementation has to
 *	validate it before trusting any internal offset or size.
 *	NOTE(review): ntfs_read_sds(), ntfs_read_sii() and
 *	ntfs_read_sdh() presumably read the volume's security descriptor
 *	stream and its two indexes - confirm.
 *	The parameter of ntfs_leave_file_security() is named "scx"
 *	although it is a struct SECURITY_API like the "scapi" of its
 *	siblings.
 */

int ntfs_get_file_security(struct SECURITY_API *scapi,
		const char *path, u32 selection,
		char *buf, u32 buflen, u32 *psize);
int ntfs_set_file_security(struct SECURITY_API *scapi,
		const char *path, u32 selection, const char *attr);
int ntfs_get_file_attributes(struct SECURITY_API *scapi,
		const char *path);
BOOL ntfs_set_file_attributes(struct SECURITY_API *scapi,
		const char *path, s32 attrib);
BOOL ntfs_read_directory(struct SECURITY_API *scapi,
		const char *path, ntfs_filldir_t callback, void *context);
int ntfs_read_sds(struct SECURITY_API *scapi,
		char *buf, u32 size, u32 offset);
INDEX_ENTRY *ntfs_read_sii(struct SECURITY_API *scapi,
		INDEX_ENTRY *entry);
INDEX_ENTRY *ntfs_read_sdh(struct SECURITY_API *scapi,
		INDEX_ENTRY *entry);
struct SECURITY_API *ntfs_initialize_file_security(const char *device,
		unsigned long flags);
BOOL ntfs_leave_file_security(struct SECURITY_API *scx);

/*
 *	Id <-> SID translation through the API handle
 *
 *	ntfs_get_usid() and ntfs_get_gsid() write a SID into "buf"
 *	without being told its size : the caller must provide a buffer
 *	able to hold the largest SID the implementation can return -
 *	TODO confirm that size in the implementation.
 */

int ntfs_get_usid(struct SECURITY_API *scapi, uid_t uid, char *buf);
int ntfs_get_gsid(struct SECURITY_API *scapi, gid_t gid, char *buf);
int ntfs_get_user(struct SECURITY_API *scapi, const SID *usid);
int ntfs_get_group(struct SECURITY_API *scapi, const SID *gsid);

#endif /* defined _NTFS_SECURITY_H */