1 /* 2 * (The copyright below applies to ufs_access()) 3 * 4 * Copyright (c) 1982, 1986, 1989, 1993, 1995 5 * The Regents of the University of California. All rights reserved. 6 * (c) UNIX System Laboratories, Inc. 7 * All or some portions of this file are derived from material licensed 8 * to the University of California by American Telephone and Telegraph 9 * Co. or Unix System Laboratories, Inc. and are reproduced herein with 10 * the permission of UNIX System Laboratories, Inc. 11 * 12 * Redistribution and use in source and binary forms, with or without 13 * modification, are permitted provided that the following conditions 14 * are met: 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, this list of conditions and the following disclaimer. 17 * 2. Redistributions in binary form must reproduce the above copyright 18 * notice, this list of conditions and the following disclaimer in the 19 * documentation and/or other materials provided with the distribution. 20 * 3. All advertising materials mentioning features or use of this software 21 * must display the following acknowledgement: 22 * This product includes software developed by the University of 23 * California, Berkeley and its contributors. 24 * 4. Neither the name of the University nor the names of its contributors 25 * may be used to endorse or promote products derived from this software 26 * without specific prior written permission. 27 * 28 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 29 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 30 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 31 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 32 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 33 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 34 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 35 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 36 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 37 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 38 * SUCH DAMAGE. 39 * 40 * @(#)ufs_vnops.c 8.27 (Berkeley) 5/27/95 41 * $DragonFly: src/sys/kern/vfs_helper.c,v 1.5 2008/05/25 18:34:46 dillon Exp $ 42 */ 43 44 #include "opt_quota.h" 45 #include "opt_suiddir.h" 46 47 #include <sys/param.h> 48 #include <sys/systm.h> 49 #include <sys/conf.h> 50 #include <sys/kernel.h> 51 #include <sys/fcntl.h> 52 #include <sys/stat.h> 53 #include <sys/mount.h> 54 #include <sys/unistd.h> 55 #include <sys/vnode.h> 56 #include <sys/file.h> /* XXX */ 57 #include <sys/proc.h> 58 #include <sys/priv.h> 59 #include <sys/jail.h> 60 61 /* 62 * vop_helper_access() 63 * 64 * Provide standard UNIX semanics for VOP_ACCESS, but without the quota 65 * code. This procedure was basically pulled out of UFS. 66 */ 67 int 68 vop_helper_access(struct vop_access_args *ap, uid_t ino_uid, gid_t ino_gid, 69 mode_t ino_mode, u_int32_t ino_flags) 70 { 71 struct vnode *vp = ap->a_vp; 72 struct ucred *cred = ap->a_cred; 73 mode_t mask, mode = ap->a_mode; 74 gid_t *gp; 75 int i; 76 #ifdef QUOTA 77 /*int error;*/ 78 #endif 79 80 /* 81 * Disallow write attempts on read-only filesystems; 82 * unless the file is a socket, fifo, or a block or 83 * character device resident on the filesystem. 84 */ 85 if (mode & VWRITE) { 86 switch (vp->v_type) { 87 case VDIR: 88 case VLNK: 89 case VREG: 90 case VDATABASE: 91 if (vp->v_mount->mnt_flag & MNT_RDONLY) 92 return (EROFS); 93 #ifdef QUOTA 94 /* check quota here XXX */ 95 #endif 96 break; 97 default: 98 break; 99 } 100 } 101 102 /* If immutable bit set, nobody gets to write it. */ 103 if ((mode & VWRITE) && (ino_flags & IMMUTABLE)) 104 return (EPERM); 105 106 /* Otherwise, user id 0 always gets access. */ 107 if (cred->cr_uid == 0) 108 return (0); 109 110 mask = 0; 111 112 /* Otherwise, check the owner. */ 113 if (cred->cr_uid == ino_uid) { 114 if (mode & VEXEC) 115 mask |= S_IXUSR; 116 if (mode & VREAD) 117 mask |= S_IRUSR; 118 if (mode & VWRITE) 119 mask |= S_IWUSR; 120 return ((ino_mode & mask) == mask ? 0 : EACCES); 121 } 122 123 /* Otherwise, check the groups. */ 124 for (i = 0, gp = cred->cr_groups; i < cred->cr_ngroups; i++, gp++) 125 if (ino_gid == *gp) { 126 if (mode & VEXEC) 127 mask |= S_IXGRP; 128 if (mode & VREAD) 129 mask |= S_IRGRP; 130 if (mode & VWRITE) 131 mask |= S_IWGRP; 132 return ((ino_mode & mask) == mask ? 0 : EACCES); 133 } 134 135 /* Otherwise, check everyone else. */ 136 if (mode & VEXEC) 137 mask |= S_IXOTH; 138 if (mode & VREAD) 139 mask |= S_IROTH; 140 if (mode & VWRITE) 141 mask |= S_IWOTH; 142 return ((ino_mode & mask) == mask ? 0 : EACCES); 143 } 144 145 int 146 vop_helper_setattr_flags(u_int32_t *ino_flags, u_int32_t vaflags, 147 uid_t uid, struct ucred *cred) 148 { 149 int error; 150 151 /* 152 * If uid doesn't match only a privileged user can change the flags 153 */ 154 if (cred->cr_uid != uid && 155 (error = priv_check_cred(cred, PRIV_VFS_SYSFLAGS, 0))) { 156 return(error); 157 } 158 if (cred->cr_uid == 0 && 159 (!jailed(cred)|| jail_chflags_allowed)) { 160 if ((*ino_flags & (SF_NOUNLINK|SF_IMMUTABLE|SF_APPEND)) && 161 securelevel > 0) 162 return (EPERM); 163 *ino_flags = vaflags; 164 } else { 165 if (*ino_flags & (SF_NOUNLINK|SF_IMMUTABLE|SF_APPEND) || 166 (vaflags & UF_SETTABLE) != vaflags) 167 return (EPERM); 168 *ino_flags &= SF_SETTABLE; 169 *ino_flags |= vaflags & UF_SETTABLE; 170 } 171 return(0); 172 } 173 174 /* 175 * This helper function may be used by VFSs to implement UNIX initial 176 * ownership semantics when creating new objects inside directories. 177 */ 178 uid_t 179 vop_helper_create_uid(struct mount *mp, mode_t dmode, uid_t duid, 180 struct ucred *cred, mode_t *modep) 181 { 182 #ifdef SUIDDIR 183 if ((mp->mnt_flag & MNT_SUIDDIR) && (dmode & S_ISUID) && 184 duid != cred->cr_uid && duid) { 185 *modep &= ~07111; 186 return(duid); 187 } 188 #endif 189 return(cred->cr_uid); 190 } 191 192 /* 193 * This helper may be used by VFSs to implement unix chmod semantics. 194 * 195 * XXX TEMPORARY chmod override for VCHR devices. Allow the device to 196 * override the uid if the uid is not root. This is used 197 * by pty's to set the owner for the related tty. 198 * 199 * XXX REMOVE THE OVERRIDE WHEN DEVFS IS MERGED. 200 */ 201 int 202 vop_helper_chmod(struct vnode *vp, mode_t new_mode, struct ucred *cred, 203 uid_t cur_uid, gid_t cur_gid, mode_t *cur_modep) 204 { 205 int error; 206 cdev_t dev; 207 208 /* 209 * HACK to support openpty(). If called by root openpty() chown's 210 * the tty and we allow this. If not called by root the kernel 211 * saves the uid in si_uid and if the tty is not owned by root we 212 * override it here. 213 * 214 * NOTE: The vnode might not be open so v_rdev might not be assigned. 215 */ 216 if (vp->v_type == VCHR && cur_uid == 0) { 217 if ((dev = vp->v_rdev) == NULL) 218 cur_uid = 0; 219 if (dev) 220 cur_uid = dev->si_uid; 221 } 222 223 if (cred->cr_uid != cur_uid) { 224 error = priv_check_cred(cred, PRIV_VFS_CHMOD, 0); 225 if (error) 226 return (error); 227 } 228 if (cred->cr_uid) { 229 if (vp->v_type != VDIR && (*cur_modep & S_ISTXT)) 230 return (EFTYPE); 231 if (!groupmember(cur_gid, cred) && (*cur_modep & S_ISGID)) 232 return (EPERM); 233 } 234 *cur_modep &= ~ALLPERMS; 235 *cur_modep |= new_mode & ALLPERMS; 236 return(0); 237 } 238 239 /* 240 * This helper may be used by VFSs to implement unix chown semantics. 241 */ 242 int 243 vop_helper_chown(struct vnode *vp, uid_t new_uid, gid_t new_gid, 244 struct ucred *cred, 245 uid_t *cur_uidp, gid_t *cur_gidp, mode_t *cur_modep) 246 { 247 gid_t ogid; 248 uid_t ouid; 249 int error; 250 251 if (new_uid == (uid_t)VNOVAL) 252 new_uid = *cur_uidp; 253 if (new_gid == (gid_t)VNOVAL) 254 new_gid = *cur_gidp; 255 256 /* 257 * If we don't own the file, are trying to change the owner 258 * of the file, or are not a member of the target group, 259 * the caller must be privileged or the call fails. 260 */ 261 if ((cred->cr_uid != *cur_uidp || new_uid != *cur_uidp || 262 (new_gid != *cur_gidp && !(cred->cr_gid == new_gid || 263 groupmember(new_gid, cred)))) && 264 (error = priv_check_cred(cred, PRIV_VFS_CHOWN, 0))) { 265 return (error); 266 } 267 ogid = *cur_gidp; 268 ouid = *cur_uidp; 269 /* XXX QUOTA CODE */ 270 *cur_uidp = new_uid; 271 *cur_gidp = new_gid; 272 /* XXX QUOTA CODE */ 273 274 /* 275 * DragonFly clears both SUID and SGID if either the owner or 276 * group is changed and root isn't doing it. If root is doing 277 * it we do not clear SUID/SGID. 278 */ 279 if (cred->cr_uid != 0 && (ouid != new_uid || ogid != new_gid)) 280 *cur_modep &= ~(S_ISUID | S_ISGID); 281 return(0); 282 } 283 284