BlockStorage/repertory
1
0
Fork 0
Code Issues 3 Pull Requests Releases 9 Wiki Activity

refactor
All checks were successful
BlockStorage/repertory/pipeline/head This commit looks good
Details

Browse Source
This commit is contained in:
sgraves76
2024-09-27 14:07:13 -05:00
parent 6e52474953
commit 51cb2c0b9a
1 changed files with 56 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

108
repertory/librepertory/src/drives/fuse/fuse_drive_base.cpp
View File

@@ -43,68 +43,72 @@ auto fuse_drive_base::check_access(const std::string &api_path,
// Always allow root // Always allow root
auto current_uid = get_current_uid(); auto current_uid = get_current_uid();
if (current_uid != 0) { if (current_uid == 0) {
// Always allow forced user return api_error::success;
if (not forced_uid_.has_value() || (current_uid != get_effective_uid())) { }
// Always allow if checking file exists
if (F_OK != mask) {
const auto effective_uid =
(forced_uid_.has_value() ? forced_uid_.value()
: get_uid_from_meta(meta));
const auto effective_gid =
(forced_gid_.has_value() ? forced_gid_.value()
: get_gid_from_meta(meta));
// Create file mode // Always allow forced user
mode_t effective_mode = if (forced_uid_.has_value() || (current_uid == get_effective_uid())) {
forced_umask_.has_value() return api_error::success;
? ((S_IRWXU | S_IRWXG | S_IRWXO) & (~forced_umask_.value())) }
: get_mode_from_meta(meta);
// Create access mask // Always allow if checking file exists
mode_t active_mask = S_IRWXO; if (F_OK == mask) {
if (current_uid == effective_uid) { return api_error::success;
active_mask |= S_IRWXU; }
}
if (get_current_gid() == effective_gid) {
active_mask |= S_IRWXG;
}
if (utils::is_uid_member_of_group(current_uid, effective_gid)) {
active_mask |= S_IRWXG;
}
// Calculate effective file mode const auto effective_uid =
effective_mode &= active_mask; (forced_uid_.has_value() ? forced_uid_.value() : get_uid_from_meta(meta));
const auto effective_gid =
(forced_gid_.has_value() ? forced_gid_.value() : get_gid_from_meta(meta));
// Check allow execute // Create file mode
if ((mask & X_OK) == X_OK) { mode_t effective_mode =
if ((effective_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0) { forced_umask_.has_value()
return api_error::permission_denied; ? ((S_IRWXU | S_IRWXG | S_IRWXO) & (~forced_umask_.value()))
} : get_mode_from_meta(meta);
}
// Check allow write // Create access mask
if ((mask & W_OK) == W_OK) { mode_t active_mask = S_IRWXO;
if ((effective_mode & (S_IWUSR | S_IWGRP | S_IWOTH)) == 0) { if (current_uid == effective_uid) {
return api_error::access_denied; active_mask |= S_IRWXU;
} }
} if (get_current_gid() == effective_gid) {
active_mask |= S_IRWXG;
}
if (utils::is_uid_member_of_group(current_uid, effective_gid)) {
active_mask |= S_IRWXG;
}
// Check allow read // Calculate effective file mode
if ((mask & R_OK) == R_OK) { effective_mode &= active_mask;
if ((effective_mode & (S_IRUSR | S_IRGRP | S_IROTH)) == 0) {
return api_error::access_denied;
}
}
if (effective_mode == 0) { // Check allow execute
// Deny access if effective mode is 0 if ((mask & X_OK) == X_OK) {
return api_error::access_denied; if ((effective_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0) {
} return api_error::permission_denied;
}
} }
} }
// Check allow write
if ((mask & W_OK) == W_OK) {
if ((effective_mode & (S_IWUSR | S_IWGRP | S_IWOTH)) == 0) {
return api_error::access_denied;
}
}
// Check allow read
if ((mask & R_OK) == R_OK) {
if ((effective_mode & (S_IRUSR | S_IRGRP | S_IROTH)) == 0) {
return api_error::access_denied;
}
}
if (effective_mode == 0) {
// Deny access if effective mode is 0
return api_error::access_denied;
}
return api_error::success; return api_error::success;
} }