• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * security.h - Exports for handling security/ACLs in NTFS.
3  *              Originated from the Linux-NTFS project.
4  *
5  * Copyright (c) 2004      Anton Altaparmakov
6  * Copyright (c) 2005-2006 Szabolcs Szakacsits
7  * Copyright (c) 2007-2010 Jean-Pierre Andre
8  *
9  * This program/include file is free software; you can redistribute it and/or
10  * modify it under the terms of the GNU General Public License as published
11  * by the Free Software Foundation; either version 2 of the License, or
12  * (at your option) any later version.
13  *
14  * This program/include file is distributed in the hope that it will be
15  * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
16  * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License
20  * along with this program (in the main directory of the NTFS-3G
21  * distribution in the file COPYING); if not, write to the Free Software
22  * Foundation,Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
23  */
24 
25 #ifndef _NTFS_SECURITY_H
26 #define _NTFS_SECURITY_H
27 
28 #include "types.h"
29 #include "layout.h"
30 #include "inode.h"
31 #include "dir.h"
32 #include "endians.h"
33 
34 #ifndef POSIXACLS
35 #define POSIXACLS 0
36 #endif
37 
38 /*
39  *          item in the mapping list
40  */
41 
42 struct MAPPING {
43 	struct MAPPING *next;
44 	int xid;		/* linux id : uid or gid */
45 	SID *sid;		/* Windows id : usid or gsid */
46 	int grcnt;		/* group count (for users only) */
47 	gid_t *groups;		/* groups which the user is member of */
48 };
49 
50 /*
51  *		Entry in the permissions cache
52  *	Note : this cache is not organized as a generic cache
53  */
54 
55 struct CACHED_PERMISSIONS {
56 	uid_t uid;
57 	gid_t gid;
58 	le32 inh_fileid;
59 	le32 inh_dirid;
60 #if POSIXACLS
61 	struct POSIX_SECURITY *pxdesc;
62 	unsigned int pxdescsize:16;
63 #endif
64 	unsigned int mode:12;
65 	unsigned int valid:1;
66 } ;
67 
68 /*
69  *	Entry in the permissions cache for directories with no security_id
70  */
71 
72 struct CACHED_PERMISSIONS_LEGACY {
73 	struct CACHED_PERMISSIONS_LEGACY *next;
74 	struct CACHED_PERMISSIONS_LEGACY *previous;
75 	void *variable;
76 	size_t varsize;
77 	union ALIGNMENT payload[0];
78 		/* above fields must match "struct CACHED_GENERIC" */
79 	u64 mft_no;
80 	struct CACHED_PERMISSIONS perm;
81 } ;
82 
83 /*
84  *	Entry in the securid cache
85  */
86 
87 struct CACHED_SECURID {
88 	struct CACHED_SECURID *next;
89 	struct CACHED_SECURID *previous;
90 	void *variable;
91 	size_t varsize;
92 	union ALIGNMENT payload[0];
93 		/* above fields must match "struct CACHED_GENERIC" */
94 	uid_t uid;
95 	gid_t gid;
96 	unsigned int dmode;
97 	le32 securid;
98 } ;
99 
100 /*
101  *	Header of the security cache
102  *	(has no cache structure by itself)
103  */
104 
105 struct CACHED_PERMISSIONS_HEADER {
106 	unsigned int last;
107 			/* statistics for permissions */
108 	unsigned long p_writes;
109 	unsigned long p_reads;
110 	unsigned long p_hits;
111 } ;
112 
113 /*
114  *	The whole permissions cache
115  */
116 
117 struct PERMISSIONS_CACHE {
118 	struct CACHED_PERMISSIONS_HEADER head;
119 	struct CACHED_PERMISSIONS *cachetable[1]; /* array of variable size */
120 } ;
121 
122 /*
123  *	Security flags values
124  */
125 
126 enum {
127 	SECURITY_DEFAULT,	/* rely on fuse for permissions checking */
128 	SECURITY_RAW,		/* force same ownership/permissions on files */
129 	SECURITY_ACL,		/* enable Posix ACLs (when compiled in) */
130 	SECURITY_ADDSECURIDS,	/* upgrade old security descriptors */
131 	SECURITY_STATICGRPS,	/* use static groups for access control */
132 	SECURITY_WANTED		/* a security related option was present */
133 } ;
134 
135 /*
136  *	Security context, needed by most security functions
137  */
138 
139 enum { MAPUSERS, MAPGROUPS, MAPCOUNT } ;
140 
141 struct SECURITY_CONTEXT {
142 	ntfs_volume *vol;
143 	struct MAPPING *mapping[MAPCOUNT];
144 	struct PERMISSIONS_CACHE **pseccache;
145 	uid_t uid; /* uid of user requesting (not the mounter) */
146 	gid_t gid; /* gid of user requesting (not the mounter) */
147 	pid_t tid; /* thread id of thread requesting */
148 	mode_t umask; /* umask of requesting thread */
149 	} ;
150 
151 #if POSIXACLS
152 
153 /*
154  *		       Posix ACL structures
155  */
156 
157 struct POSIX_ACE {
158 	u16 tag;
159 	u16 perms;
160 	s32 id;
161 } __attribute__((__packed__));
162 
163 struct POSIX_ACL {
164 	u8 version;
165 	u8 flags;
166 	u16 filler;
167 	struct POSIX_ACE ace[0];
168 } __attribute__((__packed__));
169 
170 struct POSIX_SECURITY {
171 	mode_t mode;
172 	int acccnt;
173 	int defcnt;
174 	int firstdef;
175 	u16 tagsset;
176 	u16 filler;
177 	struct POSIX_ACL acl;
178 } ;
179 
180 /*
181  *		Posix tags, cpu-endian 16 bits
182  */
183 
184 enum {
185 	POSIX_ACL_USER_OBJ =	1,
186 	POSIX_ACL_USER =	2,
187 	POSIX_ACL_GROUP_OBJ =	4,
188 	POSIX_ACL_GROUP =	8,
189 	POSIX_ACL_MASK =	16,
190 	POSIX_ACL_OTHER =	32,
191 	POSIX_ACL_SPECIAL =	64  /* internal use only */
192 } ;
193 
194 #define POSIX_ACL_EXTENSIONS (POSIX_ACL_USER | POSIX_ACL_GROUP | POSIX_ACL_MASK)
195 
196 /*
197  *		Posix permissions, cpu-endian 16 bits
198  */
199 
200 enum {
201 	POSIX_PERM_X =		1,
202 	POSIX_PERM_W =		2,
203 	POSIX_PERM_R =		4,
204 	POSIX_PERM_DENIAL =	64 /* internal use only */
205 } ;
206 
207 #define POSIX_VERSION 2
208 
209 #endif
210 
211 extern BOOL ntfs_guid_is_zero(const GUID *guid);
212 extern char *ntfs_guid_to_mbs(const GUID *guid, char *guid_str);
213 
214 extern int ntfs_sid_to_mbs_size(const SID *sid);
215 extern char *ntfs_sid_to_mbs(const SID *sid, char *sid_str,
216 		size_t sid_str_size);
217 extern void ntfs_generate_guid(GUID *guid);
218 extern int ntfs_sd_add_everyone(ntfs_inode *ni);
219 
220 extern le32 ntfs_security_hash(const SECURITY_DESCRIPTOR_RELATIVE *sd,
221 			       const u32 len);
222 
223 int ntfs_build_mapping(struct SECURITY_CONTEXT *scx, const char *usermap_path,
224 		BOOL allowdef);
225 int ntfs_get_owner_mode(struct SECURITY_CONTEXT *scx,
226 		ntfs_inode *ni, struct stat*);
227 int ntfs_set_mode(struct SECURITY_CONTEXT *scx, ntfs_inode *ni, mode_t mode);
228 BOOL ntfs_allowed_as_owner(struct SECURITY_CONTEXT *scx, ntfs_inode *ni);
229 int ntfs_allowed_access(struct SECURITY_CONTEXT *scx,
230 		ntfs_inode *ni, int accesstype);
231 int ntfs_allowed_create(struct SECURITY_CONTEXT *scx,
232 		ntfs_inode *ni, gid_t *pgid, mode_t *pdsetgid);
233 BOOL old_ntfs_allowed_dir_access(struct SECURITY_CONTEXT *scx,
234 		const char *path, int accesstype);
235 
236 #if POSIXACLS
237 le32 ntfs_alloc_securid(struct SECURITY_CONTEXT *scx,
238 		uid_t uid, gid_t gid, ntfs_inode *dir_ni,
239 		mode_t mode, BOOL isdir);
240 #else
241 le32 ntfs_alloc_securid(struct SECURITY_CONTEXT *scx,
242 		uid_t uid, gid_t gid, mode_t mode, BOOL isdir);
243 #endif
244 int ntfs_set_owner(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
245 		uid_t uid, gid_t gid);
246 int ntfs_set_ownmod(struct SECURITY_CONTEXT *scx,
247 		ntfs_inode *ni, uid_t uid, gid_t gid, mode_t mode);
248 #if POSIXACLS
249 int ntfs_set_owner_mode(struct SECURITY_CONTEXT *scx,
250 		ntfs_inode *ni, uid_t uid, gid_t gid,
251 		mode_t mode, struct POSIX_SECURITY *pxdesc);
252 #else
253 int ntfs_set_owner_mode(struct SECURITY_CONTEXT *scx,
254 		ntfs_inode *ni, uid_t uid, gid_t gid, mode_t mode);
255 #endif
256 le32 ntfs_inherited_id(struct SECURITY_CONTEXT *scx,
257 		ntfs_inode *dir_ni, BOOL fordir);
258 int ntfs_open_secure(ntfs_volume *vol);
259 int ntfs_close_secure(ntfs_volume *vol);
260 
261 void ntfs_destroy_security_context(struct SECURITY_CONTEXT *scx);
262 
263 #if POSIXACLS
264 
265 int ntfs_set_inherited_posix(struct SECURITY_CONTEXT *scx,
266 		ntfs_inode *ni, uid_t uid, gid_t gid,
267 		ntfs_inode *dir_ni, mode_t mode);
268 int ntfs_get_posix_acl(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
269 			const char *name, char *value, size_t size);
270 int ntfs_set_posix_acl(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
271 			const char *name, const char *value, size_t size,
272 			int flags);
273 int ntfs_remove_posix_acl(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
274 			const char *name);
275 #endif
276 
277 int ntfs_get_ntfs_acl(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
278 			char *value, size_t size);
279 int ntfs_set_ntfs_acl(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
280 			const char *value, size_t size, int flags);
281 
282 int ntfs_get_ntfs_attrib(ntfs_inode *ni, char *value, size_t size);
283 int ntfs_set_ntfs_attrib(ntfs_inode *ni,
284 			const char *value, size_t size,	int flags);
285 
286 
287 /*
288  *		Security API for direct access to security descriptors
289  *	based on Win32 API
290  */
291 
292 #define MAGIC_API 0x09042009
293 
294 struct SECURITY_API {
295 	u32 magic;
296 	struct SECURITY_CONTEXT security;
297 	struct PERMISSIONS_CACHE *seccache;
298 } ;
299 
300 /*
301  *  The following constants are used in interfacing external programs.
302  *  They are not to be stored on disk and must be defined in their
303  *  native cpu representation.
304  *  When disk representation (le) is needed, use SE_DACL_PRESENT, etc.
305  */
306 enum {	OWNER_SECURITY_INFORMATION = 1,
307 	GROUP_SECURITY_INFORMATION = 2,
308 	DACL_SECURITY_INFORMATION = 4,
309 	SACL_SECURITY_INFORMATION = 8
310 } ;
311 
312 int ntfs_get_file_security(struct SECURITY_API *scapi,
313                 const char *path, u32 selection,
314                 char *buf, u32 buflen, u32 *psize);
315 int ntfs_set_file_security(struct SECURITY_API *scapi,
316 		const char *path, u32 selection, const char *attr);
317 int ntfs_get_file_attributes(struct SECURITY_API *scapi,
318 		const char *path);
319 BOOL ntfs_set_file_attributes(struct SECURITY_API *scapi,
320 		const char *path, s32 attrib);
321 BOOL ntfs_read_directory(struct SECURITY_API *scapi,
322 		const char *path, ntfs_filldir_t callback, void *context);
323 int ntfs_read_sds(struct SECURITY_API *scapi,
324 		char *buf, u32 size, u32 offset);
325 INDEX_ENTRY *ntfs_read_sii(struct SECURITY_API *scapi,
326 		INDEX_ENTRY *entry);
327 INDEX_ENTRY *ntfs_read_sdh(struct SECURITY_API *scapi,
328 		INDEX_ENTRY *entry);
329 struct SECURITY_API *ntfs_initialize_file_security(const char *device,
330                                 unsigned long flags);
331 BOOL ntfs_leave_file_security(struct SECURITY_API *scx);
332 
333 int ntfs_get_usid(struct SECURITY_API *scapi, uid_t uid, char *buf);
334 int ntfs_get_gsid(struct SECURITY_API *scapi, gid_t gid, char *buf);
335 int ntfs_get_user(struct SECURITY_API *scapi, const SID *usid);
336 int ntfs_get_group(struct SECURITY_API *scapi, const SID *gsid);
337 
338 #endif /* defined _NTFS_SECURITY_H */
339