/*
 * security.h - Exports for handling security/ACLs in NTFS.
 *	Originated from the Linux-NTFS project.
 *
 * Copyright (c) 2004 Anton Altaparmakov
 * Copyright (c) 2005-2006 Szabolcs Szakacsits
 * Copyright (c) 2007-2010 Jean-Pierre Andre
 *
 * This program/include file is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as published
 * by the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program/include file is distributed in the hope that it will be
 * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
 * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program (in the main directory of the NTFS-3G
 * distribution in the file COPYING); if not, write to the Free Software
 * Foundation,Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
 */

#ifndef _NTFS_SECURITY_H
#define _NTFS_SECURITY_H

#include "types.h"
#include "layout.h"
#include "inode.h"
#include "dir.h"
#include "endians.h"

/*
 * POSIXACLS selects the Posix ACL variants of several structures and
 * prototypes below. It defaults to 0 (disabled) unless the build
 * defines it beforehand.
 */
#ifndef POSIXACLS
#define POSIXACLS 0
#endif

/*
 * One node of the singly linked user/group mapping list, pairing a
 * Linux id with a Windows SID.
 *
 * NOTE(review): who owns (and frees) sid and groups is not visible in
 * this header - confirm against the implementation.
 */
struct MAPPING {
	struct MAPPING *next;
	int xid;		/* Linux side : a uid or a gid */
	SID *sid;		/* Windows side : a user or group SID */
	int grcnt;		/* number of groups (user entries only) */
	gid_t *groups;		/* groups the user belongs to */
};

/*
 * One entry of the permissions cache.
 * This cache does not follow the generic cache layout.
 */
struct CACHED_PERMISSIONS {
	uid_t uid;
	gid_t gid;
	le32 inh_fileid;
	le32 inh_dirid;
#if POSIXACLS
	struct POSIX_SECURITY *pxdesc;
	unsigned int pxdescsize:16;	/* 16-bit field */
#endif
	unsigned int mode:12;		/* 12-bit field */
	unsigned int valid:1;		/* single-bit flag */
};

/*
 * Permissions cache entry for directories which have no security_id.
 *
 * The leading fields, up to and including payload, must stay
 * identical to those of "struct CACHED_GENERIC".
 * payload is a zero-length array (a GNU C extension) : it occupies no
 * storage and only marks where the entry-specific fields begin.
 */
struct CACHED_PERMISSIONS_LEGACY {
	struct CACHED_PERMISSIONS_LEGACY *next;
	struct CACHED_PERMISSIONS_LEGACY *previous;
	void *variable;
	size_t varsize;
	union ALIGNMENT payload[0];
		/* fields above mirror "struct CACHED_GENERIC" */
	u64 mft_no;
	struct CACHED_PERMISSIONS perm;
};

/*
 * One entry of the securid cache.
 *
 * Same layout constraint as above : the fields up to and including
 * payload must match "struct CACHED_GENERIC".
 */
struct CACHED_SECURID {
	struct CACHED_SECURID *next;
	struct CACHED_SECURID *previous;
	void *variable;
	size_t varsize;
	union ALIGNMENT payload[0];
		/* fields above mirror "struct CACHED_GENERIC" */
	uid_t uid;
	gid_t gid;
	unsigned int dmode;
	le32 securid;
};

/*
 * Header of the security cache
 * (it is not itself organized as a cache).
 */
struct CACHED_PERMISSIONS_HEADER {
	unsigned int last;
		/* counters kept as permissions statistics */
	unsigned long p_writes;
	unsigned long p_reads;
	unsigned long p_hits;
};

/*
 * The complete permissions cache.
 *
 * cachetable is declared with a single element but is meant to be of
 * variable size, so its real bound comes from the allocation rather
 * than from this declaration.
 * NOTE(review): presumably head.last bounds the valid indexes - confirm
 * before indexing cachetable.
 */
struct PERMISSIONS_CACHE {
	struct CACHED_PERMISSIONS_HEADER head;
	struct CACHED_PERMISSIONS *cachetable[1]; /* variable-size array */
};

/*
 * Security flags values.
 *
 * The values are the consecutive integers 0 to 5.
 * NOTE(review): presumably used as bit positions in a flags word -
 * confirm against the users of these constants.
 */
enum {
	SECURITY_DEFAULT = 0,	  /* leave permission checks to fuse */
	SECURITY_RAW = 1,	  /* same ownership/permissions forced on files */
	SECURITY_ACL = 2,	  /* Posix ACLs enabled (when compiled in) */
	SECURITY_ADDSECURIDS = 3, /* old security descriptors get upgraded */
	SECURITY_STATICGRPS = 4,  /* access control uses static groups */
	SECURITY_WANTED = 5	  /* some security related option was given */
};

/*
 * Indexes into SECURITY_CONTEXT.mapping ; MAPCOUNT is the array size.
 */
enum {
	MAPUSERS = 0,
	MAPGROUPS = 1,
	MAPCOUNT = 2
};

/*
 * Security context, required by most security functions.
 *
 * uid, gid, tid and umask describe the requester, not the user who
 * mounted the volume.
 * NOTE(review): presumably these have to be set for each request
 * before a permission check is made - confirm against the callers.
 */
struct SECURITY_CONTEXT {
	ntfs_volume *vol;
	struct MAPPING *mapping[MAPCOUNT];
	struct PERMISSIONS_CACHE **pseccache;
	uid_t uid;	/* requesting user (not the mounter) */
	gid_t gid;	/* group of requesting user (not the mounter) */
	pid_t tid;	/* id of the requesting thread */
	mode_t umask;	/* umask of the requesting thread */
};

#if POSIXACLS

/*
 * Posix ACL structures
 */

/* A single ACL entry, packed. */
struct POSIX_ACE {
	u16 tag;
	u16 perms;
	s32 id;
} __attribute__((__packed__));

/*
 * ACL header followed by its entries, packed.
 * ace is a zero-length array : the entries lie past the end of the
 * declared structure and must be accounted for when allocating.
 */
struct POSIX_ACL {
	u8 version;
	u8 flags;
	u16 filler;
	struct POSIX_ACE ace[0];
} __attribute__((__packed__));

/*
 * Posix security descriptor.
 * acl is the last member and ends with the zero-length ace array, so
 * the structure is variable-sized.
 * NOTE(review): presumably acccnt and defcnt count the access and
 * default entries, and firstdef indexes the first default entry -
 * confirm, and validate them against the allocated size before use.
 */
struct POSIX_SECURITY {
	mode_t mode;
	int acccnt;
	int defcnt;
	int firstdef;
	u16 tagsset;
	u16 filler;
	struct POSIX_ACL acl;
};

/*
 * Posix tags, 16 bits in cpu endianness.
 * Each tag is a distinct power of two, so tags can be or-ed together
 * (as POSIX_ACL_EXTENSIONS does).
 */
enum {
	POSIX_ACL_USER_OBJ =	1,
	POSIX_ACL_USER =	2,
	POSIX_ACL_GROUP_OBJ =	4,
	POSIX_ACL_GROUP =	8,
	POSIX_ACL_MASK =	16,
	POSIX_ACL_OTHER =	32,
	POSIX_ACL_SPECIAL =	64 /* for internal use only */
};

#define POSIX_ACL_EXTENSIONS (POSIX_ACL_USER | POSIX_ACL_GROUP | POSIX_ACL_MASK)

/*
 * Posix permissions, 16 bits in cpu endianness.
 */
enum {
	POSIX_PERM_X =		1,
	POSIX_PERM_W =		2,
	POSIX_PERM_R =		4,
	POSIX_PERM_DENIAL =	64 /* for internal use only */
};

#define POSIX_VERSION 2

#endif

/*
 * GUID and SID helpers.
 *
 * ntfs_guid_to_mbs() takes no size for guid_str, whereas
 * ntfs_sid_to_mbs() is given sid_str_size.
 * NOTE(review): the capacity required for guid_str is set by the
 * implementation - confirm it before passing a caller-owned buffer.
 */
BOOL ntfs_guid_is_zero(const GUID *guid);
char *ntfs_guid_to_mbs(const GUID *guid, char *guid_str);

int ntfs_sid_to_mbs_size(const SID *sid);
char *ntfs_sid_to_mbs(const SID *sid, char *sid_str,
		size_t sid_str_size);
void ntfs_generate_guid(GUID *guid);
int ntfs_sd_add_everyone(ntfs_inode *ni);

le32 ntfs_security_hash(const SECURITY_DESCRIPTOR_RELATIVE *sd,
		const u32 len);

/*
 * Mapping setup, ownership and access checks.
 * All of them act on behalf of the requester described in scx.
 */
int ntfs_build_mapping(struct SECURITY_CONTEXT *scx, const char *usermap_path,
		BOOL allowdef);
int ntfs_get_owner_mode(struct SECURITY_CONTEXT *scx,
		ntfs_inode *ni, struct stat*);
int ntfs_set_mode(struct SECURITY_CONTEXT *scx, ntfs_inode *ni, mode_t mode);
BOOL ntfs_allowed_as_owner(struct SECURITY_CONTEXT *scx, ntfs_inode *ni);
int ntfs_allowed_access(struct SECURITY_CONTEXT *scx,
		ntfs_inode *ni, int accesstype);
int ntfs_allowed_create(struct SECURITY_CONTEXT *scx,
		ntfs_inode *ni, gid_t *pgid, mode_t *pdsetgid);
BOOL old_ntfs_allowed_dir_access(struct SECURITY_CONTEXT *scx,
		const char *path, int accesstype);

/*
 * The prototypes of ntfs_alloc_securid() and ntfs_set_owner_mode()
 * depend on POSIXACLS : callers and the library must be built with
 * the same setting.
 */
#if POSIXACLS
le32 ntfs_alloc_securid(struct SECURITY_CONTEXT *scx,
		uid_t uid, gid_t gid, ntfs_inode *dir_ni,
		mode_t mode, BOOL isdir);
#else
le32 ntfs_alloc_securid(struct SECURITY_CONTEXT *scx,
		uid_t uid, gid_t gid, mode_t mode, BOOL isdir);
#endif
int ntfs_set_owner(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
		uid_t uid, gid_t gid);
int ntfs_set_ownmod(struct SECURITY_CONTEXT *scx,
		ntfs_inode *ni, uid_t uid, gid_t gid, mode_t mode);
#if POSIXACLS
int ntfs_set_owner_mode(struct SECURITY_CONTEXT *scx,
		ntfs_inode *ni, uid_t uid, gid_t gid,
		mode_t mode, struct POSIX_SECURITY *pxdesc);
#else
int ntfs_set_owner_mode(struct SECURITY_CONTEXT *scx,
		ntfs_inode *ni, uid_t uid, gid_t gid, mode_t mode);
#endif
le32 ntfs_inherited_id(struct SECURITY_CONTEXT *scx,
		ntfs_inode *dir_ni, BOOL fordir);
int ntfs_open_secure(ntfs_volume *vol);
int ntfs_close_secure(ntfs_volume *vol);

void ntfs_destroy_security_context(struct SECURITY_CONTEXT *scx);

#if POSIXACLS

/*
 * Posix ACL access (only when compiled in).
 * value/size describe a caller-supplied buffer.
 */
int ntfs_set_inherited_posix(struct SECURITY_CONTEXT *scx,
		ntfs_inode *ni, uid_t uid, gid_t gid,
		ntfs_inode *dir_ni, mode_t mode);
int ntfs_get_posix_acl(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
		const char *name, char *value, size_t size);
int ntfs_set_posix_acl(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
		const char *name, const char *value, size_t size,
		int flags);
int ntfs_remove_posix_acl(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
		const char *name);
#endif

/*
 * NTFS ACL and attribute access through a caller-supplied buffer.
 * ntfs_get_ntfs_attrib() and ntfs_set_ntfs_attrib() take no security
 * context.
 * NOTE(review): presumably their callers do the permission check -
 * confirm against the call sites.
 */
int ntfs_get_ntfs_acl(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
		char *value, size_t size);
int ntfs_set_ntfs_acl(struct SECURITY_CONTEXT *scx, ntfs_inode *ni,
		const char *value, size_t size, int flags);

int ntfs_get_ntfs_attrib(ntfs_inode *ni, char *value, size_t size);
int ntfs_set_ntfs_attrib(ntfs_inode *ni,
		const char *value, size_t size, int flags);


/*
 * Security API giving direct access to security descriptors,
 * modelled on the Win32 API.
 */

#define MAGIC_API 0x09042009

/*
 * Handle used by the security API.
 * NOTE(review): presumably magic is compared with MAGIC_API to reject
 * handles which did not come from ntfs_initialize_file_security() -
 * confirm against the implementation.
 */
struct SECURITY_API {
	u32 magic;
	struct SECURITY_CONTEXT security;
	struct PERMISSIONS_CACHE *seccache;
};

/*
 * Constants for interfacing with external programs.
 * They must never be stored on disk and are defined in native cpu
 * representation. Where the on-disk (le) representation is needed,
 * SE_DACL_PRESENT, etc. are to be used instead.
 */
enum {
	OWNER_SECURITY_INFORMATION = 1,
	GROUP_SECURITY_INFORMATION = 2,
	DACL_SECURITY_INFORMATION = 4,
	SACL_SECURITY_INFORMATION = 8
};

/*
 * ntfs_get_file_security() receives a buffer, its length (buflen) and
 * a pointer to a size (psize).
 * ntfs_set_file_security() receives attr with no length argument.
 * NOTE(review): presumably the length is derived from the descriptor
 * contents - confirm that the implementation validates it.
 */
int ntfs_get_file_security(struct SECURITY_API *scapi,
		const char *path, u32 selection,
		char *buf, u32 buflen, u32 *psize);
int ntfs_set_file_security(struct SECURITY_API *scapi,
		const char *path, u32 selection, const char *attr);
int ntfs_get_file_attributes(struct SECURITY_API *scapi,
		const char *path);
BOOL ntfs_set_file_attributes(struct SECURITY_API *scapi,
		const char *path, s32 attrib);
BOOL ntfs_read_directory(struct SECURITY_API *scapi,
		const char *path, ntfs_filldir_t callback, void *context);
int ntfs_read_sds(struct SECURITY_API *scapi,
		char *buf, u32 size, u32 offset);
INDEX_ENTRY *ntfs_read_sii(struct SECURITY_API *scapi,
		INDEX_ENTRY *entry);
INDEX_ENTRY *ntfs_read_sdh(struct SECURITY_API *scapi,
		INDEX_ENTRY *entry);
struct SECURITY_API *ntfs_initialize_file_security(const char *device,
		unsigned long flags);
BOOL ntfs_leave_file_security(struct SECURITY_API *scx);

/*
 * Translations between Linux ids and SIDs.
 * ntfs_get_usid() and ntfs_get_gsid() write into buf without being
 * given its length.
 * NOTE(review): the capacity required for buf is set by the
 * implementation - confirm it before calling.
 */
int ntfs_get_usid(struct SECURITY_API *scapi, uid_t uid, char *buf);
int ntfs_get_gsid(struct SECURITY_API *scapi, gid_t gid, char *buf);
int ntfs_get_user(struct SECURITY_API *scapi, const SID *usid);
int ntfs_get_group(struct SECURITY_API *scapi, const SID *gsid);

#endif /* defined _NTFS_SECURITY_H */