6 OMODE = 0x7, /* Topen/Tcreate mode */
15 static char EPermission[] = "permission denied";
18 permFile(File* file, Fid* fid, int perm)
23 if(!fileGetDir(file, &de))
27 * User none only gets other permissions.
29 if(strcmp(fid->uname, unamenone) != 0){
31 * There is only one uid<->uname mapping
32 * and it's already cached in the Fid, but
33 * it might have changed during the lifetime
36 if((u = unameByUid(de.uid)) != nil){
37 if(strcmp(fid->uname, u) == 0 && ((perm<<6) & de.mode)){
44 if(groupMember(de.gid, fid->uname) && ((perm<<3) & de.mode)){
50 if(perm == PermX && (de.mode & ModeDir)){
54 if(!groupMember(uidnoworld, fid->uname)){
59 if(fsysNoPermCheck(fid->fsys) || (fid->con->flags&ConNoPermCheck)){
70 permFid(Fid* fid, int p)
72 return permFile(fid->file, fid, p);
76 permParent(Fid* fid, int p)
81 parent = fileGetParent(fid->file);
82 r = permFile(parent, fid, p);
89 validFileName(char* name)
93 if(name == nil || name[0] == '\0'){
94 werrstr("no file name");
98 if(name[1] == '\0' || (name[1] == '.' && name[2] == '\0')){
99 werrstr(". and .. illegal as file name");
104 for(p = name; *p != '\0'; p++){
105 if((*p & 0xFF) < 040){
106 werrstr("bad character in file name");
121 char *gid, *strs, *uid;
122 int gl, op, retval, tsync, wstatallow;
124 if((fid = fidGet(m->con, m->t.fid, FidFWlock)) == nil)
130 if(strcmp(fid->uname, unamenone) == 0 || (fid->qid.type & QTAUTH)){
131 werrstr(EPermission);
134 if(fileIsRoFs(fid->file) || !groupWriteMember(fid->uname)){
135 werrstr("read-only filesystem");
139 if(!fileGetDir(fid->file, &de))
142 strs = vtmalloc(m->t.nstat);
143 if(convM2D(m->t.stat, m->t.nstat, &dir, strs) == 0){
144 werrstr("wstat -- protocol botch");
149 * Run through each of the (sub-)fields in the provided Dir
150 * checking for validity and whether it's a default:
151 * .type, .dev and .atime are completely ignored and not checked;
152 * .qid.path, .qid.vers and .muid are checked for validity but
153 * any attempt to change them is an error.
154 * .qid.type/.mode, .mtime, .name, .length, .uid and .gid can
155 * possibly be changed.
157 * 'Op' flags there are changed fields, i.e. it's not a no-op.
158 * 'Tsync' flags all fields are defaulted.
161 if(dir.qid.path != ~0){
162 if(dir.qid.path != de.qid){
163 werrstr("wstat -- attempt to change qid.path");
168 if(dir.qid.vers != (u32int)~0){
169 if(dir.qid.vers != de.mcount){
170 werrstr("wstat -- attempt to change qid.vers");
175 if(dir.muid != nil && *dir.muid != '\0'){
176 if((uid = uidByUname(dir.muid)) == nil){
177 werrstr("wstat -- unknown muid");
180 if(strcmp(uid, de.mid) != 0){
181 werrstr("wstat -- attempt to change muid");
190 * Check .qid.type and .mode agree if neither is defaulted.
192 if(dir.qid.type != (uchar)~0 && dir.mode != (u32int)~0){
193 if(dir.qid.type != ((dir.mode>>24) & 0xFF)){
194 werrstr("wstat -- qid.type/mode mismatch");
202 if(dir.qid.type != (uchar)~0 || dir.mode != (u32int)~0){
204 * .qid.type or .mode isn't defaulted, check for unknown bits.
207 dir.mode = (dir.qid.type<<24)|(de.mode & 0777);
208 if(dir.mode & ~(DMDIR|DMAPPEND|DMEXCL|DMTMP|0777)){
209 werrstr("wstat -- unknown bits in qid.type/mode");
214 * Synthesise a mode to check against the current settings.
216 mode = dir.mode & 0777;
217 if(dir.mode & DMEXCL)
218 mode |= ModeExclusive;
219 if(dir.mode & DMAPPEND)
224 mode |= ModeTemporary;
226 if((de.mode^mode) & ModeDir){
227 werrstr("wstat -- attempt to change directory bit");
231 if((de.mode & (ModeAppend|ModeExclusive|ModeTemporary|0777)) != mode){
232 de.mode &= ~(ModeAppend|ModeExclusive|ModeTemporary|0777);
239 if(dir.mtime != (u32int)~0){
240 if(dir.mtime != de.mtime){
241 de.mtime = dir.mtime;
247 if(dir.length != ~0){
248 if(dir.length != de.size){
250 * Cannot change length on append-only files.
251 * If we're changing the append bit, it's okay.
253 if(de.mode & oldmode & ModeAppend){
254 werrstr("wstat -- attempt to change length of append-only file");
257 if(de.mode & ModeDir){
258 werrstr("wstat -- attempt to change length of directory");
261 de.size = dir.length;
268 * Check for permission to change .mode, .mtime or .length,
269 * must be owner or leader of either group, for which test gid
270 * is needed; permission checks on gid will be done later.
272 if(dir.gid != nil && *dir.gid != '\0'){
273 if((gid = uidByUname(dir.gid)) == nil){
274 werrstr("wstat -- unknown gid");
280 gid = vtstrdup(de.gid);
282 wstatallow = (fsysWstatAllow(fid->fsys) || (m->con->flags&ConWstatAllow));
285 * 'Gl' counts whether neither, one or both groups are led.
287 gl = groupLeader(gid, fid->uname) != 0;
288 gl += groupLeader(de.gid, fid->uname) != 0;
290 if(op && !wstatallow){
291 if(strcmp(fid->uid, de.uid) != 0 && !gl){
292 werrstr("wstat -- not owner or group leader");
298 * Check for permission to change group, must be
299 * either owner and in new group or leader of both groups.
300 * If gid is nil here then
302 if(strcmp(gid, de.gid) != 0){
304 && !(strcmp(fid->uid, de.uid) == 0 && groupMember(gid, fid->uname))
306 werrstr("wstat -- not owner and not group leaders");
318 * Check .name is valid and different to the current.
319 * If so, check write permission in parent.
321 if(dir.name != nil && *dir.name != '\0'){
322 if(!validFileName(dir.name))
324 if(strcmp(dir.name, de.elem) != 0){
325 if(permParent(fid, PermW) <= 0)
328 de.elem = vtstrdup(dir.name);
335 * Check for permission to change owner - must be god.
337 if(dir.uid != nil && *dir.uid != '\0'){
338 if((uid = uidByUname(dir.uid)) == nil){
339 werrstr("wstat -- unknown uid");
342 if(strcmp(uid, de.uid) != 0){
344 werrstr("wstat -- not owner");
347 if(strcmp(uid, uidnoworld) == 0){
348 werrstr(EPermission);
360 retval = fileSetDir(fid->file, &de, fid->uid);
366 * All values were defaulted,
367 * make the state of the file exactly what it
368 * claims to be before returning...
392 if((fid = fidGet(m->con, m->t.fid, 0)) == nil)
394 if(fid->qid.type & QTAUTH){
395 memset(&dir, 0, sizeof(Dir));
398 dir.atime = time(0L);
399 dir.mtime = dir.atime;
402 dir.uid = fid->uname;
403 dir.gid = fid->uname;
404 dir.muid = fid->uname;
406 if((m->r.nstat = convD2M(&dir, m->data, m->con->msize)) == 0){
407 werrstr("stat QTAUTH botch");
416 if(!fileGetDir(fid->file, &de)){
423 * TODO: optimise this copy (in convS2M) away somehow.
424 * This pettifoggery with m->data will do for the moment.
426 m->r.nstat = dirDe2M(&de, m->data, m->con->msize);
434 _rTclunk(Fid* fid, int remove)
442 if(remove && !(fid->qid.type & QTAUTH)){
443 if((rok = permParent(fid, PermW)) > 0)
444 rok = fileRemove(fid->file, fid->uid);
456 if((fid = fidGet(m->con, m->t.fid, FidFWlock)) == nil)
458 return _rTclunk(fid, 1);
466 if((fid = fidGet(m->con, m->t.fid, FidFWlock)) == nil)
468 _rTclunk(fid, (fid->open & FidORclose));
479 if((fid = fidGet(m->con, m->t.fid, 0)) == nil)
481 if(!(fid->open & FidOWrite)){
482 werrstr("fid not open for write");
487 if(count < 0 || count > m->con->msize-IOHDRSZ){
488 werrstr("write count too big");
492 werrstr("write offset negative");
495 if(fid->excl != nil && !exclUpdate(fid))
498 if(fid->qid.type & QTDIR){
499 werrstr("is a directory");
502 else if(fid->qid.type & QTAUTH)
503 n = authWrite(fid, m->t.data, count);
505 n = fileWrite(fid->file, m->t.data, count, m->t.offset, fid->uid);
527 if((fid = fidGet(m->con, m->t.fid, 0)) == nil)
529 if(!(fid->open & FidORead)){
530 werrstr("fid not open for read");
535 if(count < 0 || count > m->con->msize-IOHDRSZ){
536 werrstr("read count too big");
540 werrstr("read offset negative");
543 if(fid->excl != nil && !exclUpdate(fid))
547 * TODO: optimise this copy (in convS2M) away somehow.
548 * This pettifoggery with m->data will do for the moment.
550 data = m->data+IOHDRSZ;
551 if(fid->qid.type & QTDIR)
552 n = dirRead(fid, data, count, m->t.offset);
553 else if(fid->qid.type & QTAUTH)
554 n = authRead(fid, data, count);
556 n = fileRead(fid->file, data, count, m->t.offset);
561 m->r.data = (char*)data;
577 int omode, open, perm;
579 if((fid = fidGet(m->con, m->t.fid, FidFWlock)) == nil)
582 werrstr("fid open for I/O");
585 if(fileIsRoFs(fid->file) || !groupWriteMember(fid->uname)){
586 werrstr("read-only filesystem");
589 if(!fileIsDir(fid->file)){
590 werrstr("not a directory");
593 if(permFid(fid, PermW) <= 0)
595 if(!validFileName(m->t.name))
597 if(strcmp(fid->uid, uidnoworld) == 0){
598 werrstr(EPermission);
602 omode = m->t.mode & OMODE;
605 if(omode == OREAD || omode == ORDWR || omode == OEXEC)
607 if(omode == OWRITE || omode == ORDWR)
609 if((open & (FidOWrite|FidORead)) == 0){
610 werrstr("unknown mode");
613 if(m->t.perm & DMDIR){
614 if((m->t.mode & (ORCLOSE|OTRUNC)) || (open & FidOWrite)){
615 werrstr("illegal mode");
618 if(m->t.perm & DMAPPEND){
619 werrstr("illegal perm");
624 mode = fileGetMode(fid->file);
626 if(m->t.perm & DMDIR)
627 perm &= ~0777|(mode & 0777);
629 perm &= ~0666|(mode & 0666);
631 if(m->t.perm & DMDIR)
633 if(m->t.perm & DMAPPEND)
635 if(m->t.perm & DMEXCL)
636 mode |= ModeExclusive;
637 if(m->t.perm & DMTMP)
638 mode |= ModeTemporary;
640 if((file = fileCreate(fid->file, m->t.name, mode, fid->uid)) == nil){
644 fileDecRef(fid->file);
646 fid->qid.vers = fileGetMcount(file);
647 fid->qid.path = fileGetId(file);
649 mode = fileGetMode(fid->file);
651 fid->qid.type = QTDIR;
653 fid->qid.type = QTFILE;
654 if(mode & ModeAppend)
655 fid->qid.type |= QTAPPEND;
656 if(mode & ModeExclusive){
657 fid->qid.type |= QTEXCL;
658 assert(exclAlloc(fid) != 0);
660 if(m->t.mode & ORCLOSE)
665 m->r.iounit = m->con->msize-IOHDRSZ;
679 int isdir, mode, omode, open, rofs;
681 if((fid = fidGet(m->con, m->t.fid, FidFWlock)) == nil)
684 werrstr("fid open for I/O");
688 isdir = fileIsDir(fid->file);
690 rofs = fileIsRoFs(fid->file) || !groupWriteMember(fid->uname);
692 if(m->t.mode & ORCLOSE){
694 werrstr("is a directory");
698 werrstr("read-only filesystem");
701 if(permParent(fid, PermW) <= 0)
707 omode = m->t.mode & OMODE;
708 if(omode == OREAD || omode == ORDWR){
709 if(permFid(fid, PermR) <= 0)
713 if(omode == OWRITE || omode == ORDWR || (m->t.mode & OTRUNC)){
715 werrstr("is a directory");
719 werrstr("read-only filesystem");
722 if(permFid(fid, PermW) <= 0)
728 werrstr("is a directory");
731 if(permFid(fid, PermX) <= 0)
735 if((open & (FidOWrite|FidORead)) == 0){
736 werrstr("unknown mode");
740 mode = fileGetMode(fid->file);
741 if((mode & ModeExclusive) && exclAlloc(fid) == 0)
745 * Everything checks out, try to commit any changes.
747 if((m->t.mode & OTRUNC) && !(mode & ModeAppend))
748 if(!fileTruncate(fid->file, fid->uid))
751 if(isdir && fid->db != nil){
756 fid->qid.vers = fileGetMcount(fid->file);
758 m->r.iounit = m->con->msize-IOHDRSZ;
779 Fid *fid, *ofid, *nfid;
782 if(t->fid == t->newfid)
788 * The file identified by t->fid must be valid in the
789 * current session and must not have been opened for I/O
790 * by an open or create message.
792 if((ofid = fidGet(m->con, t->fid, wlock)) == nil)
795 werrstr("file open for I/O");
801 * If newfid is not the same as fid, allocate a new file;
802 * a side effect is checking newfid is not already in use (error);
803 * if there are no names to walk this will be equivalent to a
804 * simple 'clone' operation.
805 * It's a no-op if newfid is the same as fid and t->nwname is 0.
808 if(t->fid != t->newfid){
809 nfid = fidGet(m->con, t->newfid, FidFWlock|FidFCreate);
811 werrstr("%s: walk: newfid 0x%ud in use",
816 nfid->open = ofid->open & ~FidORclose;
817 nfid->file = fileIncRef(ofid->file);
818 nfid->qid = ofid->qid;
819 nfid->uid = vtstrdup(ofid->uid);
820 nfid->uname = vtstrdup(ofid->uname);
821 nfid->fsys = fsysIncRef(ofid->fsys);
842 for(nwname = 0; nwname < t->nwname; nwname++){
844 * Walked elements must represent a directory and
845 * the implied user must have permission to search
846 * the directory. Walking .. is always allowed, so that
847 * you can't walk into a directory and then not be able
850 if(!(qid.type & QTDIR)){
851 werrstr("not a directory");
854 switch(permFile(file, fid, PermX)){
858 if(strcmp(t->wname[nwname], "..") == 0)
863 if((nfile = fileWalk(file, t->wname[nwname])) == nil)
870 if(fileIsAppend(file))
871 qid.type |= QTAPPEND;
872 if(fileIsTemporary(file))
874 if(fileIsExclusive(file))
876 qid.vers = fileGetMcount(file);
877 qid.path = fileGetId(file);
878 r->wqid[r->nwqid++] = qid;
881 if(nwname == t->nwname){
883 * Walked all elements. Update the target fid
884 * from the temporary qid used during the walk,
887 fid->qid = r->wqid[r->nwqid-1];
888 fileDecRef(fid->file);
900 * Didn't walk all elements, 'clunk' nfid if it exists
901 * and leave fid untouched.
902 * It's not an error if some of the elements were walked OK.
917 if(m->t.oldtag != NOTAG)
923 parseAname(char *aname, char **fsname, char **path)
927 if(aname && aname[0])
930 s = vtstrdup("main/active");
932 if((*path = strchr(s, '/')) != nil)
940 * Check remote IP address against /mnt/ipok.
941 * Sources.cs.bell-labs.com uses this to disallow
942 * network connections from Sudan, Libya, etc.,
943 * following U.S. cryptography export regulations.
951 if(con->flags&ConIPCheck){
952 if(con->remote[0] == 0){
953 werrstr("cannot verify unknown remote address");
956 if(access("/mnt/ipok/ok", AEXIST) < 0){
957 /* mount closes the fd on success */
958 if((fd = open("/srv/ipok", ORDWR)) >= 0
959 && mount(fd, -1, "/mnt/ipok", MREPL, "") < 0)
961 if(access("/mnt/ipok/ok", AEXIST) < 0){
962 werrstr("cannot verify remote address");
966 snprint(ok, sizeof ok, "/mnt/ipok/ok/%s", con->remote);
967 if((p = strchr(ok, '!')) != nil)
969 if(access(ok, AEXIST) < 0){
970 werrstr("restricted remote address");
985 if((fid = fidGet(m->con, m->t.fid, FidFWlock|FidFCreate)) == nil)
988 parseAname(m->t.aname, &fsname, &path);
989 if((fsys = fsysGet(fsname)) == nil){
996 if(m->t.uname[0] != '\0')
997 fid->uname = vtstrdup(m->t.uname);
999 fid->uname = vtstrdup(unamenone);
1002 if((fid->con->flags&ConIPCheck) && !conIPCheck(fid->con)){
1003 consPrint("reject %s from %s: %r\n", fid->uname, fid->con->remote);
1009 if(fsysNoAuthCheck(fsys) || (m->con->flags&ConNoAuthCheck)){
1010 if((fid->uid = uidByUname(fid->uname)) == nil)
1011 fid->uid = vtstrdup(unamenone);
1013 else if(!authCheck(&m->t, fid, fsys)){
1020 if((fid->file = fsysGetRoot(fsys, path)) == nil){
1021 fsysFsRUnlock(fsys);
1026 fsysFsRUnlock(fsys);
1029 fid->qid = (Qid){fileGetId(fid->file), 0, QTDIR};
1030 m->r.qid = fid->qid;
1045 char *fsname, *path;
1047 parseAname(m->t.aname, &fsname, &path);
1048 if((fsys = fsysGet(fsname)) == nil){
1054 if(fsysNoAuthCheck(fsys) || (m->con->flags&ConNoAuthCheck)){
1056 werrstr("authentication disabled");
1060 if(strcmp(m->t.uname, unamenone) == 0){
1061 werrstr("user 'none' requires no authentication");
1067 if((afid = fidGet(con, m->t.afid, FidFWlock|FidFCreate)) == nil){
1074 if((afd = open("/mnt/factotum/rpc", ORDWR)) < 0){
1075 werrstr("can't open \"/mnt/factotum/rpc\"");
1082 if((afid->rpc = auth_allocrpc()) == nil){
1084 if((afid->rpc = auth_allocrpc(afd)) == nil){
1087 werrstr("can't auth_allocrpc");
1091 if(auth_rpc(afid->rpc, "start", "proto=p9any role=server", 23) != ARok){
1092 werrstr("can't auth_rpc");
1097 afid->open = FidOWrite|FidORead;
1098 afid->qid.type = QTAUTH;
1099 afid->qid.path = m->t.afid;
1100 afid->uname = vtstrdup(m->t.uname);
1102 m->r.qid = afid->qid;
1120 if(con->state != ConInit){
1121 qunlock(&con->lock);
1122 werrstr("Tversion: down");
1125 con->state = ConNew;
1128 * Release the karma of past lives and suffering.
1129 * Should this be done before or after checking the
1130 * validity of the Tversion?
1134 if(t->tag != NOTAG){
1135 qunlock(&con->lock);
1136 werrstr("Tversion: invalid tag");
1141 qunlock(&con->lock);
1142 werrstr("Tversion: message size too small");
1145 if(t->msize < con->msize)
1146 r->msize = t->msize;
1148 r->msize = con->msize;
1150 r->version = "unknown";
1151 if(t->version[0] == '9' && t->version[1] == 'P'){
1153 * Currently, the only defined version
1154 * is "9P2000"; ignore any later versions.
1156 v = strtol(&t->version[2], 0, 10);
1158 r->version = VERSION9P;
1159 con->msize = r->msize;
1162 else if(strcmp(t->version, "9PEoF") == 0){
1163 r->version = "9PEoF";
1164 con->msize = r->msize;
1165 con->state = ConMoribund;
1168 * Don't want to attempt to write this
1169 * message as the connection may be already
1175 qunlock(&con->lock);
1180 int (*rFcall[Tmax])(Msg*) = {
1181 [Tversion] = rTversion,
1183 [Tattach] = rTattach,
1187 [Tcreate] = rTcreate,
1191 [Tremove] = rTremove,