1433d6423SLionel Sambuc /* This file deals with protection in the file system. It contains the code
2433d6423SLionel Sambuc * for four system calls that relate to protection.
3433d6423SLionel Sambuc *
4433d6423SLionel Sambuc * The entry points into this file are
5433d6423SLionel Sambuc * do_chmod: perform the CHMOD and FCHMOD system calls
6433d6423SLionel Sambuc * do_chown: perform the CHOWN and FCHOWN system calls
7433d6423SLionel Sambuc * do_umask: perform the UMASK system call
8433d6423SLionel Sambuc * do_access: perform the ACCESS system call
9433d6423SLionel Sambuc */
10433d6423SLionel Sambuc
11433d6423SLionel Sambuc #include "fs.h"
12433d6423SLionel Sambuc #include <sys/stat.h>
13433d6423SLionel Sambuc #include <unistd.h>
14433d6423SLionel Sambuc #include <assert.h>
15433d6423SLionel Sambuc #include <minix/callnr.h>
16433d6423SLionel Sambuc #include "file.h"
17433d6423SLionel Sambuc #include "path.h"
18433d6423SLionel Sambuc #include <minix/vfsif.h>
19433d6423SLionel Sambuc #include "vnode.h"
20433d6423SLionel Sambuc #include "vmnt.h"
21433d6423SLionel Sambuc
22433d6423SLionel Sambuc /*===========================================================================*
23433d6423SLionel Sambuc * do_chmod *
24433d6423SLionel Sambuc *===========================================================================*/
int do_chmod(void)
{
/* Service the chmod(name, mode) and fchmod(fd, mode) system calls.
 * For chmod the path is copied in with copy_path() and resolved with
 * eat_path(); for fchmod the vnode comes from the caller's open descriptor.
 * Returns OK on success, EPERM when the caller is neither the file's owner
 * nor the super user, the result of read_only() when that is not OK, or the
 * error reported by the lookup / file system request.
 */
  struct lookup resolve;
  char fullpath[PATH_MAX];
  struct vnode *vp;
  struct vmnt *vmp;
  struct filp *open_filp = NULL;
  mode_t wanted_mode, fs_mode;
  int fd, status;

  /* Path resolution is asked to take a read lock on the mount and a write
   * lock on the vnode; both are released again at the end of this function.
   */
  lookup_init(&resolve, fullpath, PATH_NOFLAGS, &vmp, &vp);
  resolve.l_vmnt_lock = VMNT_READ;
  resolve.l_vnode_lock = VNODE_WRITE;

  if (job_call_nr != VFS_CHMOD) {
	/* VFS_FCHMOD: the file is already open, so take the vnode from the
	 * filp and add a reference that put_vnode() below gives back.
	 */
	fd = job_m_in.m_lc_vfs_fchmod.fd;
	wanted_mode = job_m_in.m_lc_vfs_fchmod.mode;
	open_filp = get_filp(fd, VNODE_WRITE);
	if (open_filp == NULL)
		return(err_code);
	vp = open_filp->filp_vno;
	assert(vp);
	dup_vnode(vp);
  } else {
	/* VFS_CHMOD: temporarily open the file by name. */
	wanted_mode = job_m_in.m_lc_vfs_path.mode;
	if (copy_path(fullpath, sizeof(fullpath)) != OK)
		return(err_code);
	vp = eat_path(&resolve, fp);
	if (vp == NULL)
		return(err_code);
  }

  assert(vp);

  /* Authorization: only the owner or the super user may change the mode,
   * and nobody may do so on a read-only file system.
   */
  if (fp->fp_effuid == SU_UID || vp->v_uid == fp->fp_effuid)
	status = read_only(vp);
  else
	status = EPERM;

  if (status == OK) {
	/* A non-root caller whose effective gid differs from the file's
	 * group does not get to set the setgid bit. Only fp_effgid is
	 * compared here, not any supplementary groups.
	 */
	if (fp->fp_effuid != SU_UID && vp->v_gid != fp->fp_effgid)
		wanted_mode &= ~I_SET_GID_BIT;

	/* Cache the mode the file system reports back, not the one asked for. */
	status = req_chmod(vp->v_fs_e, vp->v_inode_nr, wanted_mode, &fs_mode);
	if (status == OK)
		vp->v_mode = fs_mode;
  }

  /* Release whatever the branch above locked. */
  if (job_call_nr == VFS_CHMOD) {
	unlock_vnode(vp);
	unlock_vmnt(vmp);
  } else {
	unlock_filp(open_filp);
  }

  put_vnode(vp);
  return(status);
}
93433d6423SLionel Sambuc
94433d6423SLionel Sambuc
95433d6423SLionel Sambuc /*===========================================================================*
96433d6423SLionel Sambuc * do_chown *
97433d6423SLionel Sambuc *===========================================================================*/
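int do_chown(void)
{
/* Perform the chown(path, owner, group) and fchown(fd, owner, group) system
 * calls. An owner or group of -1 means "leave that id unchanged".
 *
 * Returns OK on success, EROFS (via read_only()) on a read-only file system,
 * EPERM when a non-root caller is not the owner, tries to give the file away
 * or names a group other than its effective gid, EINVAL when a resulting id
 * exceeds UID_MAX/GID_MAX, or the error from the lookup / file system request.
 */
  struct filp *flp;
  struct vnode *vp;
  struct vmnt *vmp;
  int r, rfd;
  uid_t uid, new_uid;
  gid_t gid, new_gid;
  mode_t new_mode;
  char fullpath[PATH_MAX];
  struct lookup resolve;
  vir_bytes vname1;
  size_t vname1_length;

  flp = NULL;
  uid = job_m_in.m_lc_vfs_chown.owner;
  gid = job_m_in.m_lc_vfs_chown.group;

  if (job_call_nr == VFS_CHOWN) {
	vname1 = job_m_in.m_lc_vfs_chown.name;
	vname1_length = job_m_in.m_lc_vfs_chown.len;

	lookup_init(&resolve, fullpath, PATH_NOFLAGS, &vmp, &vp);
	resolve.l_vmnt_lock = VMNT_READ;
	resolve.l_vnode_lock = VNODE_WRITE;

	/* Temporarily open the file. */
	if (fetch_name(vname1, vname1_length, fullpath) != OK)
		return(err_code);
	if ((vp = eat_path(&resolve, fp)) == NULL) return(err_code);
  } else {	/* call_nr == VFS_FCHOWN */
	rfd = job_m_in.m_lc_vfs_chown.fd;

	/* File is already opened; get a pointer to the vnode from filp. */
	if ((flp = get_filp(rfd, VNODE_WRITE)) == NULL)
		return(err_code);
	vp = flp->filp_vno;
	assert(vp);	/* same sanity check do_chmod makes on this path */
	dup_vnode(vp);
  }

  r = read_only(vp);
  if (r == OK && fp->fp_effuid != SU_UID) {
	/* FS is R/W and the caller is a regular user. The super user can do
	 * anything; regular users can only change groups of their own files.
	 *
	 * The -1 sentinel is exempt from the "no giving away" and group
	 * checks: it leaves that id as it is, so there is nothing to
	 * authorize. Comparing the raw sentinel against v_uid / fp_effgid
	 * would refuse every non-root call that uses -1, although the code
	 * further down is written to support it.
	 */
	if (vp->v_uid != fp->fp_effuid) r = EPERM;
	if (uid != (uid_t) -1 && vp->v_uid != uid) r = EPERM; /* no giving away */
	if (gid != (gid_t) -1 && fp->fp_effgid != gid) r = EPERM;
  }

  if (r == OK) {
	/* Do not change uid/gid if new uid/gid is -1. */
	new_uid = (uid == (uid_t)-1 ? vp->v_uid : uid);
	new_gid = (gid == (gid_t)-1 ? vp->v_gid : gid);

	if (new_uid > UID_MAX || new_gid > GID_MAX)
		r = EINVAL;
	else if ((r = req_chown(vp->v_fs_e, vp->v_inode_nr, new_uid, new_gid,
				&new_mode)) == OK) {
		/* Cache the new ids and the mode the file system returned. */
		vp->v_uid = new_uid;
		vp->v_gid = new_gid;
		vp->v_mode = new_mode;
	}
  }

  /* Release whatever the branch above locked. */
  if (job_call_nr == VFS_CHOWN) {
	unlock_vnode(vp);
	unlock_vmnt(vmp);
  } else {	/* VFS_FCHOWN */
	unlock_filp(flp);
  }

  put_vnode(vp);
  return(r);
}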
178433d6423SLionel Sambuc
179433d6423SLionel Sambuc /*===========================================================================*
180433d6423SLionel Sambuc * do_umask *
181433d6423SLionel Sambuc *===========================================================================*/
int do_umask(void)
{
/* Perform the umask(2) system call: install a new file creation mask and
 * return the previous one. fp_umask holds the complement of the mask, so it
 * is inverted both when it is read and when it is written.
 */
  mode_t requested, previous;

  requested = job_m_in.m_lc_vfs_umask.mask;

  previous = ~fp->fp_umask;		/* recover the old mask */
  /* Only the rwx bits of the request are kept before it is stored. */
  fp->fp_umask = ~(requested & RWX_MODES);
  return(previous);
}
193433d6423SLionel Sambuc
194433d6423SLionel Sambuc
195433d6423SLionel Sambuc /*===========================================================================*
196433d6423SLionel Sambuc * do_access *
197433d6423SLionel Sambuc *===========================================================================*/
int do_access(void)
{
/* Perform the access(name, mode) system call.
 * The syscall might provide 'name' embedded in the message.
 * Returns EINVAL for a mode with bits outside R_OK|W_OK|X_OK, the lookup
 * error if the path cannot be resolved, and otherwise the verdict of
 * forbidden().
 *
 * The verdict describes the file at the time of the check: the vnode and
 * mount are unlocked before returning, so a later open of the same name is
 * a separate lookup.
 */
  struct lookup resolve;
  char fullpath[PATH_MAX];
  struct vnode *vp;
  struct vmnt *vmp;
  mode_t wanted;
  int verdict;

  wanted = job_m_in.m_lc_vfs_path.mode;

  lookup_init(&resolve, fullpath, PATH_NOFLAGS, &vmp, &vp);
  resolve.l_vmnt_lock = VMNT_READ;
  resolve.l_vnode_lock = VNODE_READ;

  /* Validate the requested mode before touching the path. */
  if (wanted != F_OK && (wanted & ~(R_OK | W_OK | X_OK)) != 0)
	return(EINVAL);

  /* Temporarily open the file. */
  if (copy_path(fullpath, sizeof(fullpath)) != OK)
	return(err_code);
  vp = eat_path(&resolve, fp);
  if (vp == NULL)
	return(err_code);

  verdict = forbidden(fp, vp, wanted);

  unlock_vnode(vp);
  unlock_vmnt(vmp);

  put_vnode(vp);
  return(verdict);
}
233433d6423SLionel Sambuc
234433d6423SLionel Sambuc
235433d6423SLionel Sambuc /*===========================================================================*
236433d6423SLionel Sambuc * forbidden *
237433d6423SLionel Sambuc *===========================================================================*/
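int forbidden(struct fproc *rfp, struct vnode *vp, mode_t access_desired)
{
/* Given a pointer to a vnode, 'vp', and the access desired, determine
 * if the access is allowed for process 'rfp', and if not why not.
 * Returns OK if access is allowed, EACCES if the permission bits forbid it
 * (or the vnode's uid/gid is -1), and the result of read_only() when write
 * access is requested and the permission bits allow it.
 *
 * For the ACCESS call the real uid/gid of 'rfp' are used; for every other
 * call the effective ids are used.
 */
  mode_t bits, perm_bits;
  uid_t uid;
  gid_t gid;
  int r, shift;

  /* A vnode without a valid owner or group is never accessible. */
  if (vp->v_uid == (uid_t) -1 || vp->v_gid == (gid_t) -1) return(EACCES);

  /* Isolate the relevant rwx bits from the mode. */
  bits = vp->v_mode;
  uid = (job_call_nr == VFS_ACCESS ? rfp->fp_realuid : rfp->fp_effuid);
  gid = (job_call_nr == VFS_ACCESS ? rfp->fp_realgid : rfp->fp_effgid);

  if (uid == SU_UID) {
	/* Grant read and write permission. Grant search permission for
	 * directories. Grant execute permission (for non-directories) if
	 * and only if one of the 'X' bits is set.
	 */
	if (S_ISDIR(bits) || (bits & ((X_BIT << 6) | (X_BIT << 3) | X_BIT)))
		perm_bits = R_BIT | W_BIT | X_BIT;
	else
		perm_bits = R_BIT | W_BIT;
  } else {
	/* Pick the owner, group or other permission triple. The
	 * supplementary group lookup is done for 'rfp', the same process
	 * whose uid/gid were read above, not for the global 'fp': the two
	 * need not be the same process, and mixing them would decide the
	 * check with another process's group list.
	 */
	if (uid == vp->v_uid) shift = 6;		/* owner */
	else if (gid == vp->v_gid) shift = 3;		/* group */
	else if (in_group(rfp, vp->v_gid) == OK) shift = 3; /* suppl. groups */
	else shift = 0;					/* other */
	perm_bits = (bits >> shift) & (R_BIT | W_BIT | X_BIT);
  }

  /* If access desired is not a subset of what is allowed, it is refused. */
  r = OK;
  if ((perm_bits | access_desired) != perm_bits) r = EACCES;

  /* Check to see if someone is trying to write on a file system that is
   * mounted read-only.
   */
  if (r == OK && (access_desired & W_BIT))
	r = read_only(vp);

  return(r);
}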
288433d6423SLionel Sambuc
289433d6423SLionel Sambuc /*===========================================================================*
290433d6423SLionel Sambuc * read_only *
291433d6423SLionel Sambuc *===========================================================================*/
int read_only(struct vnode *vp)
{
/* Report whether the file system on which vnode 'vp' resides is mounted
 * read-only: EROFS if it is, OK if it is not. A vnode with no vmnt attached
 * is reported as OK.
 */
  assert(vp);

  if (!vp->v_vmnt)
	return(OK);
  if (vp->v_vmnt->m_flags & VMNT_READONLY)
	return(EROFS);
  return(OK);
}