Changeset b8bd90f6 in rtems


Ignore:
Timestamp:
Nov 17, 2014, 8:01:53 AM (5 years ago)
Author:
Sebastian Huber <sebastian.huber@…>
Branches:
4.11, master
Children:
065d72ce
Parents:
0b3fcf5
git-author:
Sebastian Huber <sebastian.huber@…> (11/17/14 08:01:53)
git-committer:
Sebastian Huber <sebastian.huber@…> (11/20/14 09:30:23)
Message:

Add supplementary groups to user environment

Files:
1 added
5 edited

Legend:

Unmodified
Added
Removed
  • cpukit/include/rtems/userenv.h

    r0b3fcf5 rb8bd90f6  
    2626 * XXX: We do not rely on this.
    2727 */
     28#include <sys/param.h>
    2829#include <limits.h>
    2930
     
    5354#endif
    5455
     56/**
     57 * @brief User environment.
     58 */
    5559typedef struct {
     60  /**
     61   * @brief The anchor directory for relative paths.
     62   */
    5663  rtems_filesystem_global_location_t *current_directory;
     64
     65  /**
     66   * @brief The anchor directory for absolute paths.
     67   */
    5768  rtems_filesystem_global_location_t *root_directory;
    58   /* Default mode for all files. */
    59   mode_t                           umask;
    60   /* _POSIX_types */
    61   uid_t                            uid;
    62   gid_t                            gid;
    63   uid_t                            euid;
    64   gid_t                            egid;
    65   char      login_buffer[LOGIN_NAME_MAX];
    66   pid_t                            pgrp; /* process group id */
     69
     70  /**
     71   * @brief The file mode creation mask.
     72   */
     73  mode_t umask;
     74
     75  /**
     76   * @brief The real user ID.
     77   */
     78  uid_t uid;
     79
     80  /**
     81   * @brief The real group ID.
     82   */
     83  gid_t gid;
     84
     85  /**
     86   * @brief The effective user ID.
     87   */
     88  uid_t euid;
     89
     90  /**
     91   * @brief The effective group ID.
     92   */
     93  gid_t egid;
     94
     95  /**
     96   * @brief The login buffer.
     97   */
     98  char login_buffer[LOGIN_NAME_MAX];
     99
     100  /**
     101   * @brief The process group ID.
     102   */
     103  pid_t pgrp;
     104
     105  /**
     106   * @brief The count of supplementary group IDs.
     107   */
     108  size_t ngroups;
     109
     110  /**
     111   * @brief The list of supplementary group IDs.
     112   */
     113  gid_t groups[NGROUPS];
    67114} rtems_user_env_t;
    68115
     
    117164void rtems_libio_use_global_env(void);
    118165
     166/**
     167 * @brief Gets the supplementary group IDs using the current user ID and
     168 * updates the table of supplementary group IDs in the current user
     169 * environment.
     170 *
     171 * In case of an error, the count of supplementary group IDs is set to zero.
     172 */
     173void rtems_current_user_env_getgroups(void);
     174
    119175/** @} */
    120176
  • cpukit/libcsupport/Makefile.am

    r0b3fcf5 rb8bd90f6  
    5959    src/libio_exit.c \
    6060    src/open_dev_console.c src/__usrenv.c src/rtems_mkdir.c
     61BASE_FS_C_FILES += src/uenvgetgroups.c
    6162
    6263TERMIOS_C_FILES = src/cfgetispeed.c src/cfgetospeed.c src/cfsetispeed.c \
  • cpukit/libcsupport/include/rtems/libio_.h

    r0b3fcf5 rb8bd90f6  
    811811);
    812812
     813/**
     814 * @brief Checks if access to an object is allowed for the current user.
     815 *
     816 * If the effective UID is zero or equals the UID of the object, then the user
     817 * permission flags of the object will be used.  Otherwise if the effective GID
     818 * is zero or equals the GID of the object or one of the supplementary group
     819 * IDs is equal to the GID of the object, then the group permission flags of
     820 * the object will be used.  Otherwise the other permission flags of the object
     821 * will be used.
     822 *
     823 * @param[in] flags The flags determining the access type.  It can be
     824 *   RTEMS_FS_PERMS_READ, RTEMS_FS_PERMS_WRITE or RTEMS_FS_PERMS_EXEC.
     825 * @param[in] object_mode The mode of the object specifying the permission flags.
     826 * @param[in] object_uid The UID of the object.
     827 * @param[in] object_gid The GID of the object.
     828 *
     829 * @retval true Access is allowed.
     830 * @retval false Otherwise.
     831 */
    813832bool rtems_filesystem_check_access(
    814   int eval_flags,
    815   mode_t node_mode,
    816   uid_t node_uid,
    817   gid_t node_gid
     833  int flags,
     834  mode_t object_mode,
     835  uid_t object_uid,
     836  gid_t object_gid
    818837);
    819838
  • cpukit/libcsupport/src/sup_fs_check_permissions.c

    r0b3fcf5 rb8bd90f6  
    7171);
    7272
    73 bool rtems_filesystem_check_access(
    74   int eval_flags,
    75   mode_t node_mode,
    76   uid_t node_uid,
    77   gid_t node_gid
     73static bool equals_supplementary_group(
     74  const rtems_user_env_t *uenv,
     75  gid_t object_gid
    7876)
    7977{
    80   mode_t perm_flags = eval_flags & RTEMS_FS_PERMS_RWX;
    81   uid_t task_uid = geteuid();
     78  size_t i;
    8279
    83   if (task_uid == 0 || task_uid == node_uid) {
    84     perm_flags <<= RTEMS_FS_USR_SHIFT;
    85   } else {
    86     gid_t task_gid = getegid();
    87 
    88     if (task_gid == 0 || task_gid == node_gid) {
    89       perm_flags <<= RTEMS_FS_GRP_SHIFT;
    90     } else {
    91       perm_flags <<= RTEMS_FS_OTH_SHIFT;
     80  for (i = 0; i < uenv->ngroups; ++i) {
     81    if (uenv->groups[i] == object_gid) {
     82      return true;
    9283    }
    9384  }
    9485
    95   return (perm_flags & node_mode) == perm_flags;
     86  return false;
     87}
     88
     89bool rtems_filesystem_check_access(
     90  int flags,
     91  mode_t object_mode,
     92  uid_t object_uid,
     93  gid_t object_gid
     94)
     95{
     96  const rtems_user_env_t *uenv = rtems_current_user_env_get();
     97  mode_t access_flags = flags & RTEMS_FS_PERMS_RWX;
     98  uid_t task_uid = uenv->euid;
     99
     100  if (task_uid == 0 || task_uid == object_uid) {
     101    access_flags <<= RTEMS_FS_USR_SHIFT;
     102  } else {
     103    gid_t task_gid = uenv->egid;
     104
     105    if (
     106      task_gid == 0
     107        || task_gid == object_gid
     108        || equals_supplementary_group(uenv, object_gid)
     109    ) {
     110      access_flags <<= RTEMS_FS_GRP_SHIFT;
     111    } else {
     112      access_flags <<= RTEMS_FS_OTH_SHIFT;
     113    }
     114  }
     115
     116  return (access_flags & object_mode) == access_flags;
    96117}
    97118
  • testsuites/fstests/fsnofs01/init.c

    r0b3fcf5 rb8bd90f6  
    1717#endif
    1818
     19#define TESTS_USE_PRINTK
    1920#include "tmacros.h"
    2021
     
    322323}
    323324
     325typedef struct {
     326  int flags;
     327  mode_t object_mode;
     328  uid_t object_uid;
     329  gid_t object_gid;
     330  bool expected_ok;
     331} check_access_case;
     332
     333#define FR RTEMS_FS_PERMS_READ
     334#define FW RTEMS_FS_PERMS_WRITE
     335#define FX RTEMS_FS_PERMS_EXEC
     336
     337#define UR S_IRUSR
     338#define UW S_IWUSR
     339#define UX S_IXUSR
     340
     341#define GR S_IRGRP
     342#define GW S_IWGRP
     343#define GX S_IXGRP
     344
     345#define OR S_IROTH
     346#define OW S_IWOTH
     347#define OX S_IXOTH
     348
     349static const check_access_case check_access_euid_0_cases[] = {
     350  { 0,   0, 6, 7, true },
     351  { FR,  0, 6, 7, false },
     352  { FW,  0, 6, 7, false },
     353  { FX,  0, 6, 7, false },
     354  { FR, UR, 6, 7, true },
     355  { FW, UW, 6, 7, true },
     356  { FX, UX, 6, 7, true },
     357  { FR, GR, 6, 7, false },
     358  { FW, GW, 6, 7, false },
     359  { FX, GX, 6, 7, false },
     360  { FR, OR, 6, 7, false },
     361  { FW, OW, 6, 7, false },
     362  { FX, OX, 6, 7, false }
     363};
     364
     365static const check_access_case check_access_egid_0_cases[] = {
     366  { 0,   0, 6, 7, true },
     367  { FR,  0, 6, 7, false },
     368  { FW,  0, 6, 7, false },
     369  { FX,  0, 6, 7, false },
     370  { FR, UR, 6, 7, false },
     371  { FW, UW, 6, 7, false },
     372  { FX, UX, 6, 7, false },
     373  { FR, GR, 6, 7, true },
     374  { FW, GW, 6, 7, true },
     375  { FX, GX, 6, 7, true },
     376  { FR, OR, 6, 7, false },
     377  { FW, OW, 6, 7, false },
     378  { FX, OX, 6, 7, false }
     379};
     380
     381static const check_access_case check_access_other_cases[] = {
     382  { 0,   0, 3, 7, true },
     383  { FR,  0, 3, 7, false },
     384  { FW,  0, 3, 7, false },
     385  { FX,  0, 3, 7, false },
     386  { FR, UR, 3, 7, true },
     387  { FW, UW, 3, 7, true },
     388  { FX, UX, 3, 7, true },
     389  { FR, GR, 3, 7, false },
     390  { FW, GW, 3, 7, false },
     391  { FX, GX, 3, 7, false },
     392  { FR, OR, 3, 7, false },
     393  { FW, OW, 3, 7, false },
     394  { FX, OX, 3, 7, false },
     395  { 0,   0, 6, 4, true },
     396  { FR,  0, 6, 4, false },
     397  { FW,  0, 6, 4, false },
     398  { FX,  0, 6, 4, false },
     399  { FR, UR, 6, 4, false },
     400  { FW, UW, 6, 4, false },
     401  { FX, UX, 6, 4, false },
     402  { FR, GR, 6, 4, true },
     403  { FW, GW, 6, 4, true },
     404  { FX, GX, 6, 4, true },
     405  { FR, OR, 6, 4, false },
     406  { FW, OW, 6, 4, false },
     407  { FX, OX, 6, 4, false },
     408  { 0,   0, 6, 5, true },
     409  { FR,  0, 6, 5, false },
     410  { FW,  0, 6, 5, false },
     411  { FX,  0, 6, 5, false },
     412  { FR, UR, 6, 5, false },
     413  { FW, UW, 6, 5, false },
     414  { FX, UX, 6, 5, false },
     415  { FR, GR, 6, 5, true },
     416  { FW, GW, 6, 5, true },
     417  { FX, GX, 6, 5, true },
     418  { FR, OR, 6, 5, false },
     419  { FW, OW, 6, 5, false },
     420  { FX, OX, 6, 5, false },
     421  { 0,   0, 6, 7, true },
     422  { FR,  0, 6, 7, false },
     423  { FW,  0, 6, 7, false },
     424  { FX,  0, 6, 7, false },
     425  { FR, UR, 6, 7, false },
     426  { FW, UW, 6, 7, false },
     427  { FX, UX, 6, 7, false },
     428  { FR, GR, 6, 7, false },
     429  { FW, GW, 6, 7, false },
     430  { FX, GX, 6, 7, false },
     431  { FR, OR, 6, 7, true },
     432  { FW, OW, 6, 7, true },
     433  { FX, OX, 6, 7, true }
     434};
     435
     436static void check_access(const check_access_case *table, size_t n)
     437{
     438  size_t i;
     439
     440  for (i = 0; i < n; ++i) {
     441    const check_access_case *cac = &table[i];
     442    bool ok = rtems_filesystem_check_access(
     443      cac->flags,
     444      cac->object_mode,
     445      cac->object_uid,
     446      cac->object_gid
     447    );
     448
     449    rtems_test_assert(ok == cac->expected_ok);
     450  }
     451}
     452
     453static void test_check_access(void)
     454{
     455  rtems_user_env_t *uenv = rtems_current_user_env_get();
     456
     457  rtems_test_assert(uenv->uid == 0);
     458  rtems_test_assert(uenv->gid == 0);
     459  rtems_test_assert(uenv->euid == 0);
     460  rtems_test_assert(uenv->egid == 0);
     461  rtems_test_assert(uenv->ngroups == 0);
     462
     463  uenv->uid = 1;
     464  uenv->gid = 2;
     465
     466  check_access(
     467    &check_access_euid_0_cases[0],
     468    RTEMS_ARRAY_SIZE(check_access_euid_0_cases)
     469  );
     470
     471  uenv->euid = 3;
     472
     473  check_access(
     474    &check_access_egid_0_cases[0],
     475    RTEMS_ARRAY_SIZE(check_access_egid_0_cases)
     476  );
     477
     478  uenv->egid = 4;
     479  uenv->ngroups = 1;
     480  uenv->groups[0] = 5;
     481
     482  check_access(
     483    &check_access_other_cases[0],
     484    RTEMS_ARRAY_SIZE(check_access_other_cases)
     485  );
     486
     487  uenv->uid = 0;
     488  uenv->gid = 0;
     489  uenv->euid = 0;
     490  uenv->egid = 0;
     491  uenv->ngroups = 0;
     492}
     493
    324494static void Init(rtems_task_argument arg)
    325495{
     
    335505  test_path_ops();
    336506  test_user_env();
     507  test_check_access();
    337508
    338509  rtems_test_endk();
Note: See TracChangeset for help on using the changeset viewer.