From: František Dvořák Date: Sat, 19 Oct 2013 19:15:58 +0000 (+0200) Subject: Enable file-level permissions check. X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=2e35ebb620d9aa8a29b20ed78f9b8f119cd33a28;p=dmlite-plugins-vfs.git Enable file-level permissions check. --- diff --git a/src/VfsNs.cpp b/src/VfsNs.cpp index bf0882e..dc272ac 100644 --- a/src/VfsNs.cpp +++ b/src/VfsNs.cpp @@ -102,6 +102,7 @@ void VfsCatalog::setSecurityContext(const SecurityContext* ctx) throw (DmExcepti std::string subj = ctx->credentials.clientName; secCtx_ = ctx; + debug("'%s'", subj.c_str()); this->clientName = subj; this->allowCurrent = vfsEvalRegex(this->allowRegex, this->denyRegex, subj.c_str()); @@ -337,6 +338,9 @@ ExtendedStat VfsCatalog::extendedStat(const std::string& path, bool follow) thro // use the retrieved xattrs vfsUpdateExtendedStat(meta, xattrs); + if (checkPermissions(this->secCtx_, meta.acl, meta.stat, S_IREAD) != 0) + vfsThrow(EACCES, "not enough permissions for '%s' to read '%s'", clientName.c_str(), meta.name.c_str()); + #if 0 // XXX: black magic // dmlite tests require proper count in st_nlink, @@ -1281,15 +1285,6 @@ int VfsCatalog::vfsCheckPermissions(const std::string& path, mode_t mode) { /// -/// override all permission checks - no file-level permissions in zero version -/// -int VfsCatalog::checkPermissions(const SecurityContext *context, const Acl &acl, const struct stat &stat, mode_t mode) { - return 0; -} - - - -/// /// Get extended attributes. /// /// @param path local disk namespace path diff --git a/src/VfsNs.h b/src/VfsNs.h index 7f830d5..ba05e9c 100644 --- a/src/VfsNs.h +++ b/src/VfsNs.h @@ -125,8 +125,6 @@ namespace dmlite { std::string prefix_; private: - int checkPermissions(const SecurityContext *context, const Acl &acl, const struct stat &stat, mode_t mode); - regex_t *allowRegex, *denyRegex, *allowWriteRegex, *denyWriteRegex; bool allowCurrent, allowWriteCurrent; std::string clientName;