4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
22 * Copyright (c) 1993, 2010, Oracle and/or its affiliates. All rights reserved.
26 * setfacl [-r] -f aclfile file ...
27 * setfacl [-r] -d acl_entries file ...
28 * setfacl [-r] -m acl_entries file ...
29 * setfacl [-r] -s acl_entries file ...
30 * This command deletes/adds/modifies/sets discretionary information for a file
41 #include <sys/types.h>
50 static int get_acl_info(char *filep
, aclent_t
**aclpp
);
51 static int mod_entries(aclent_t
*, int, char *, char *, char *, int);
52 static int set_file_entries(char *, char *, int);
53 static int set_online_entries(char *, char *, int);
55 static int parse_entry_list(aclent_t
**, int *, char *, int);
56 static int convert_to_aclent_t(char *, int *, aclent_t
**, int);
57 static int parse_entry(char *, aclent_t
*, int);
58 static void err_handle(int, aclent_t
*);
59 static int conv_id(char *);
62 main(int argc
, char *argv
[])
71 int aclcnt
; /* used by -m -d */
72 aclent_t
*aclp
; /* used by -m -d */
73 char *aclfilep
; /* acl file argument */
74 char *d_entryp
= NULL
; /* ptr to del entry list */
75 char *m_entryp
= NULL
; /* ptr to mod entry list */
76 char *s_entryp
= NULL
; /* ptr to set entry list */
77 char *work_dp
= NULL
; /* working ptrs for the above */
81 (void) setlocale(LC_ALL
, "");
82 (void) textdomain(TEXT_DOMAIN
);
87 while ((c
= getopt(argc
, argv
, "rm:d:s:f:")) != EOF
) {
93 if (dflag
|| fflag
|| sflag
)
99 if (mflag
|| fflag
|| sflag
)
105 if (fflag
|| sflag
|| mflag
|| dflag
)
111 if (fflag
|| sflag
|| mflag
|| dflag
)
124 /* one of these flags should be set */
125 if (!fflag
&& !sflag
&& !mflag
&& !dflag
)
128 /* no file arguments */
132 for (; optind
< argc
; optind
++) {
133 register char *filep
;
135 filep
= argv
[optind
];
137 /* modify and delete: we need to get the ACL first */
138 if (mflag
|| dflag
) {
139 if (m_entryp
!= NULL
) {
141 work_mp
= strdup(m_entryp
);
142 if (work_mp
== NULL
) {
144 gettext("out of memory %s\n"),
150 if (d_entryp
!= NULL
) {
152 work_dp
= strdup(d_entryp
);
153 if (work_dp
== NULL
) {
155 gettext("out of memory %s\n"),
161 aclcnt
= get_acl_info(filep
, &aclp
);
164 if (mod_entries(aclp
, aclcnt
, work_mp
,
165 work_dp
, filep
, rflag
) == -1)
168 if (set_file_entries(aclfilep
, filep
, rflag
) == -1)
171 if (s_entryp
!= NULL
) {
173 work_sp
= strdup(s_entryp
);
174 if (work_sp
== NULL
) {
176 gettext("out of memory %s\n"),
181 if (set_online_entries(work_sp
, filep
, rflag
) == -1)
189 * For add, modify, and delete, we need to get the ACL of the file first.
192 get_acl_info(char *filep
, aclent_t
**aclpp
)
196 if ((aclcnt
= acl(filep
, GETACLCNT
, 0, NULL
)) < 0) {
197 if (errno
== ENOSYS
) {
198 (void) fprintf(stderr
,
199 gettext("File system doesn't support aclent_t "
201 "See acl(5) for more information on"
202 " ACL styles support by Solaris.\n"));
205 (void) fprintf(stderr
,
206 gettext("%s: failed to get acl count\n"), filep
);
207 perror("get acl count error");
210 if (aclcnt
< MIN_ACL_ENTRIES
) {
211 (void) fprintf(stderr
,
212 gettext("%d: acl count is too small from %s\n"),
217 if ((*aclpp
= (aclent_t
*)malloc(sizeof (aclent_t
) * aclcnt
)) == NULL
) {
218 (void) fprintf(stderr
, gettext("out of memory\n"));
221 if (acl(filep
, GETACL
, aclcnt
, *aclpp
) < 0) {
222 (void) fprintf(stderr
,
223 gettext("%s: failed to get acl entries\n"), filep
);
224 perror("getacl error");
231 * mod_entries() handles add, delete, and modify ACL entries of a file.
232 * The real action is in convert_to_aclent_t() called by parse_entry_list().
233 * aclp: points ACL of a file and may be changed by lower level routine.
234 * modp: modify entry list in ascii format
235 * delp: delete entry list in ascii format
236 * fnamep: file of interest
239 mod_entries(aclent_t
*aclp
, int cnt
, char *modp
, char *delp
,
240 char *fnamep
, int rfg
)
242 int rc
; /* return code */
244 /* modify and add: from -m option */
245 if (parse_entry_list(&aclp
, &cnt
, modp
, MODIFY
) == -1)
248 /* deletion: from -d option */
249 if (parse_entry_list(&aclp
, &cnt
, delp
, DELETE
) == -1)
252 if (aclsort(cnt
, rfg
, aclp
) == -1) {
253 (void) err_handle(cnt
, aclp
);
254 (void) fprintf(stderr
,
255 gettext("aclcnt %d, file %s\n"), cnt
, fnamep
);
259 if (acl(fnamep
, SETACL
, cnt
, aclp
) < 0) {
261 gettext("%s: failed to set acl entries\n"), fnamep
);
262 perror("setacl error");
269 * set_file_entries() creates ACL entries from ACL file (acl_fnamep).
270 * It opens the file and converts every line (one line per acl entry)
271 * into aclent_t format. It then recalculates the mask according to rflag.
272 * Finally it sets ACL to the file (fnamep).
275 set_file_entries(char *acl_fnamep
, char *fnamep
, int rflag
)
283 if (strcmp(acl_fnamep
, "-") == 0)
286 if ((acl_fp
= fopen(acl_fnamep
, "r")) == NULL
) {
287 fprintf(stderr
, gettext("Can't open acl file %s\n"),
292 while (fgets(buf
, BUFSIZ
, acl_fp
) != NULL
) {
293 if (buf
[0] == '#' || buf
[0] == '\n')
296 /* check effective permission: add a null after real perm */
297 if ((tp
= (char *)strchr(buf
, '#')) != NULL
) {
299 while (*tp
== ' ' || *tp
== '\t') {
304 gettext("entry format error %s\n"),
312 /* remove <nl> at the end if there is one */
313 if ((tp
= (char *)strchr(buf
, '\n')) != NULL
)
316 if (convert_to_aclent_t(buf
, &aclcnt
, &aclp
, SET
) == -1)
320 if (aclsort(aclcnt
, rflag
, aclp
) == -1) {
321 (void) err_handle(aclcnt
, aclp
);
322 (void) fprintf(stderr
, gettext("aclcnt %d, aclfile %s\n"),
327 if (acl(fnamep
, SETACL
, aclcnt
, aclp
) < 0) {
329 gettext("%s: failed to set acl entries\n"), fnamep
);
330 perror("setacl error");
337 * set_online_entries() parses the acl entries from command line (setp).
338 * It converts the comma separated acl entries into aclent_t format.
339 * It then recalculates the mask according to rflag.
340 * Finally it sets ACL to the file (fnamep).
343 set_online_entries(char *setp
, char *fnamep
, int rflag
)
349 if (parse_entry_list(&aclp
, &aclcnt
, setp
, SET
) == -1)
352 if (aclsort(aclcnt
, rflag
, aclp
) == -1) {
353 (void) err_handle(aclcnt
, aclp
);
354 (void) fprintf(stderr
,
355 gettext("aclcnt %d, file %s\n"), aclcnt
, fnamep
);
359 if (acl(fnamep
, SETACL
, aclcnt
, aclp
) < 0) {
361 gettext("%s: failed to set acl entries\n"), fnamep
);
362 perror("setacl error");
369 * parse_entry_list() parses entry list (listp) separated by commas.
370 * Once it gets an ACL entry, it calls convert_to_aclent_t() to convert
371 * to internal format.
374 parse_entry_list(aclent_t
**aclpp
, int *aclcntp
, char *listp
, int mode
)
380 while ((commap
= (char *)strchr(listp
, ',')) != NULL
) {
383 /* aclcnt may be updated after the call: add or modify */
384 if (convert_to_aclent_t(listp
, aclcntp
, aclpp
, mode
) == -1)
388 /* this is for only one entry or last entry */
389 if (*listp
!= '\0') {
391 if (convert_to_aclent_t(listp
, aclcntp
, aclpp
, mode
) == -1)
398 * convert_to_aclent_t() converts an acl entry in ascii format (fields separated
399 * by colon) into aclent_t and appends it to the current ACL. It also handles
400 * memory allocation/deallocation for acl entries in aclent_t format.
401 * aclpp that contains acl entries in acl format will be returned.
402 * We don't check duplicates.
405 convert_to_aclent_t(char *entryp
, int *cntp
, aclent_t
**aclpp
, int mode
)
409 aclent_t
*taclp
, *centry
= NULL
, *gentry
= NULL
;
418 new_aclp
= reallocarray(*aclpp
, *cntp
, sizeof (aclent_t
));
420 new_aclp
= (aclent_t
*) malloc(sizeof (aclent_t
) * (*cntp
));
421 if (new_aclp
== NULL
) {
423 gettext("Insufficient memory for acl %d\n"), *cntp
);
427 tmpacl
.a_id
= 0; /* id field needs to be initialized */
428 if (entryp
[0] == 'u')
429 tmpacl
.a_id
= getuid(); /* id field for user */
430 if (entryp
[0] == 'g')
431 tmpacl
.a_id
= getgid(); /* id field for group */
434 if (parse_entry(entryp
, &tmpacl
, mode
) == -1)
437 is_obj
= ((tmpacl
.a_type
== USER_OBJ
) ||
438 (tmpacl
.a_type
== GROUP_OBJ
) ||
439 (tmpacl
.a_type
== CLASS_OBJ
) ||
440 (tmpacl
.a_type
== DEF_USER_OBJ
) ||
441 (tmpacl
.a_type
== DEF_GROUP_OBJ
) ||
442 (tmpacl
.a_type
== DEF_OTHER_OBJ
));
446 case MODIFY
: /* and add */
447 for (taclp
= new_aclp
; cur_cnt
-- > 0; taclp
++) {
448 if (taclp
->a_type
== tmpacl
.a_type
&&
449 ((taclp
->a_id
== tmpacl
.a_id
) || is_obj
)) {
451 /* cnt is added before it's called */
453 taclp
->a_perm
= tmpacl
.a_perm
;
457 if (!found
) /* Add it to the end: no need to change cntp */
458 memcpy(new_aclp
+ *cntp
-1, &tmpacl
, sizeof (aclent_t
));
462 for (taclp
= new_aclp
; cur_cnt
-- > 0; taclp
++) {
463 if (taclp
->a_type
== tmpacl
.a_type
&&
464 ((taclp
->a_id
== tmpacl
.a_id
) || is_obj
)) {
466 /* move up the rest */
467 while (cur_cnt
-- > 0) {
468 memcpy(taclp
, taclp
+1,
481 /* we may check duplicate before copying over?? */
482 memcpy(new_aclp
+ *cntp
-1, &tmpacl
, sizeof (aclent_t
));
487 gettext("Unrecognized mode: internal error\n"));
492 * If converting from non-trivial acl entry to trivial one,
493 * reset CLASS_OBJ's permission with that of GROUP_OBJ.
496 if (mode
== DELETE
) {
497 boolean_t trivial
= B_TRUE
; /* assumption */
499 for (taclp
= new_aclp
; cur_cnt
-- > 0; taclp
++) {
500 switch (taclp
->a_type
) {
512 * Confirmed that the new acl set is
513 * still a non-trivial acl.
519 if (centry
!= NULL
&& gentry
!= NULL
&& trivial
== B_TRUE
)
520 centry
->a_perm
= gentry
->a_perm
;
522 *aclpp
= new_aclp
; /* return new acl entries */
529 (void) fprintf(stderr
, gettext("usage:\n"));
530 (void) fprintf(stderr
,
531 gettext("\tsetfacl [-r] -f aclfile file ...\n"));
532 (void) fprintf(stderr
,
533 gettext("\tsetfacl [-r] -d acl_entries file ...\n"));
534 (void) fprintf(stderr
,
535 gettext("\tsetfacl [-r] -m acl_entries file ...\n"));
536 (void) fprintf(stderr
,
537 gettext("\tsetfacl [-r] -s acl_entries file ...\n"));
542 err_handle(int cnt
, aclent_t
*aclentp
)
547 rc
= aclcheck(aclentp
, cnt
, &which
);
551 gettext("There is more than one user owner entry"));
553 gettext(" -- error found at entry index %d\n"), which
);
557 gettext("There is more than one group owner entry"));
559 gettext(" -- error found at entry index %d\n"), which
);
563 gettext("There is more than one mask entry"));
565 gettext(" -- error found at entry index %d\n"), which
);
569 gettext("There is more than one other entry"));
571 gettext(" -- error found at entry index %d\n"), which
);
573 case DUPLICATE_ERROR
:
575 gettext("Duplicate user or group entries"));
577 gettext(" -- error found at entry index %d\n"), which
);
581 gettext("Missing user/group owner, other, mask entry\n"));
585 gettext("Insufficient memory\n"));
589 gettext("Unrecognized entry type"));
591 gettext(" -- error found at entry index %d\n"), which
);
594 /* error is not from aclcheck */
596 gettext("aclsort error\n"));
602 parse_entry(char *fieldp
, aclent_t
*aclentp
, int mode
)
605 int def_flag
= 0, mo_flag
= 0;
610 colonp
= (char *)strchr(fieldp
, ':');
611 if (colonp
== NULL
) {
613 gettext("Can't find colon delimiter %s\n"), fieldp
);
617 if ((strcmp(fieldp
, "default") == 0) || (strcmp(fieldp
, "d") == 0)) {
620 colonp
= (char *)strchr(fieldp
, ':');
621 if (colonp
== NULL
) {
623 gettext("Can't find colon delimiter %s\n"), fieldp
);
629 /* process entry type */
630 if ((strcmp(fieldp
, "user") == 0) || (strcmp(fieldp
, "u") == 0)) {
632 aclentp
->a_type
= DEF_USER
;
634 aclentp
->a_type
= USER
;
636 if ((strcmp(fieldp
, "group") == 0) || (strcmp(fieldp
, "g") == 0)) {
638 aclentp
->a_type
= DEF_GROUP
;
640 aclentp
->a_type
= GROUP
;
642 if ((strcmp(fieldp
, "mask") == 0) || (strcmp(fieldp
, "m") == 0)) {
644 aclentp
->a_type
= DEF_CLASS_OBJ
;
646 aclentp
->a_type
= CLASS_OBJ
;
648 if ((strcmp(fieldp
, "other") == 0) || (strcmp(fieldp
, "o") == 0)) {
650 aclentp
->a_type
= DEF_OTHER_OBJ
;
652 aclentp
->a_type
= OTHER_OBJ
;
655 /* still can't determine entry type */
656 if (aclentp
->a_type
== 0) {
658 gettext("Unrecognized entry type %s \n"), fieldp
);
662 /* mask and other entries dont have id field */
663 if (aclentp
->a_type
!= CLASS_OBJ
&& aclentp
->a_type
!= OTHER_OBJ
&&
664 aclentp
->a_type
!= DEF_CLASS_OBJ
&&
665 aclentp
->a_type
!= DEF_OTHER_OBJ
) {
668 colonp
= (char *)strchr(fieldp
, ':');
669 if (colonp
== NULL
) {
670 if (mode
!= DELETE
) {
672 gettext("Can't find colon delimiter %s\n"),
679 if (*fieldp
== '\0') {
681 if (aclentp
->a_type
== USER
)
682 aclentp
->a_type
= USER_OBJ
;
683 if (aclentp
->a_type
== DEF_USER
)
684 aclentp
->a_type
= DEF_USER_OBJ
;
685 if (aclentp
->a_type
== GROUP
)
686 aclentp
->a_type
= GROUP_OBJ
;
687 if (aclentp
->a_type
== DEF_GROUP
)
688 aclentp
->a_type
= DEF_GROUP_OBJ
;
690 /* see if it's a user/group name */
691 if (aclentp
->a_type
== USER
||
692 aclentp
->a_type
== USER_OBJ
||
693 aclentp
->a_type
== DEF_USER
||
694 aclentp
->a_type
== DEF_USER_OBJ
) {
695 if ((pwp
= getpwnam(fieldp
)) != NULL
)
696 aclentp
->a_id
= pwp
->pw_uid
;
698 /* treat it as numeric id */
699 id
= conv_id(fieldp
);
706 if ((grp
= getgrnam(fieldp
)) != NULL
)
707 aclentp
->a_id
= grp
->gr_gid
;
709 id
= conv_id(fieldp
);
717 /* it is mask/other entry */
721 /* process permission: rwx and [0]n format */
723 /* delete format: no permission field */
726 colonp
= (char *)strchr(fieldp
, ':');
727 if (colonp
!= NULL
) {
729 /* Use only single : on mask/other entry */
730 (void) fprintf(stderr
, gettext("use only 1 colon for "
731 "mask and other entries.\n"));
734 /* it's ok to have extra colon */
739 if ((int)strlen(fieldp
) > 3) {
741 gettext("only rwx or [0]n format is allowed\n"));
744 if (strlen(fieldp
) == 3) {
746 /* treat it as rwx */
748 aclentp
->a_perm
+= 4;
750 if (*fieldp
!= '-') {
752 gettext("Unrecognized character "));
754 gettext("found in mode field\n"));
759 aclentp
->a_perm
+= 2;
761 if (*fieldp
!= '-') {
763 gettext("Unrecognized character "));
765 gettext("found in mode field\n"));
770 aclentp
->a_perm
+= 1;
772 if (*fieldp
!= '-') {
774 gettext("Unrecognized character "));
776 gettext("found in mode field\n"));
785 if (*fieldp
>= '0' && *fieldp
<= '7')
786 aclentp
->a_perm
= *fieldp
- '0';
788 fprintf(stderr
, gettext("Unrecognized character "));
789 fprintf(stderr
, gettext("found in mode field\n"));
792 if (aclentp
->a_perm
== 0 && *++fieldp
!= '\0') {
793 /* look at next char */
794 if (*fieldp
>= '0' && *fieldp
<= '7')
795 aclentp
->a_perm
= *fieldp
- '0';
797 fprintf(stderr
, gettext("Unrecognized character "));
798 fprintf(stderr
, gettext("found in mode field\n"));
800 gettext("Check also the number of fields "));
802 gettext("(default) mask and other entries\n"));
806 /* check for junk at the end ??? */
811 * This function is different from atoi() in that it checks for
812 * valid digit in the id field whereas atoi() won't report any
816 conv_id(char *fieldp
)
820 for (; *fieldp
!= '\0'; fieldp
++) {
821 if (!isdigit(*fieldp
)) {
822 fprintf(stderr
, gettext("non-digit in id field\n"));
825 a_id
= a_id
* 10 + (*fieldp
- '0');