BlockStorage/repertory
1
0
Fork 0
Code Issues 3 Pull Requests Releases 9 Wiki Activity

refactor
All checks were successful
BlockStorage/repertory/pipeline/head This commit looks good
Details

Browse Source
This commit is contained in:
sgraves76
2024-09-27 14:07:13 -05:00
parent 6e52474953
commit 51cb2c0b9a
1 changed files with 56 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

108
repertory/librepertory/src/drives/fuse/fuse_drive_base.cpp
View File

@@ -43,68 +43,72 @@ auto fuse_drive_base::check_access(const std::string &api_path,
// Always allow root
auto current_uid = get_current_uid();
if (current_uid != 0) {
// Always allow forced user
if (not forced_uid_.has_value() || (current_uid != get_effective_uid())) {
// Always allow if checking file exists
if (F_OK != mask) {
const auto effective_uid =
(forced_uid_.has_value() ? forced_uid_.value()
: get_uid_from_meta(meta));
const auto effective_gid =
(forced_gid_.has_value() ? forced_gid_.value()
: get_gid_from_meta(meta));
if (current_uid == 0) {
return api_error::success;
}
// Create file mode
mode_t effective_mode =
forced_umask_.has_value()
? ((S_IRWXU | S_IRWXG | S_IRWXO) & (~forced_umask_.value()))
: get_mode_from_meta(meta);
// Always allow forced user
if (forced_uid_.has_value() || (current_uid == get_effective_uid())) {
return api_error::success;
}
// Create access mask
mode_t active_mask = S_IRWXO;
if (current_uid == effective_uid) {
active_mask |= S_IRWXU;
}
if (get_current_gid() == effective_gid) {
active_mask |= S_IRWXG;
}
if (utils::is_uid_member_of_group(current_uid, effective_gid)) {
active_mask |= S_IRWXG;
}
// Always allow if checking file exists
if (F_OK == mask) {
return api_error::success;
}
// Calculate effective file mode
effective_mode &= active_mask;
const auto effective_uid =
(forced_uid_.has_value() ? forced_uid_.value() : get_uid_from_meta(meta));
const auto effective_gid =
(forced_gid_.has_value() ? forced_gid_.value() : get_gid_from_meta(meta));
// Check allow execute
if ((mask & X_OK) == X_OK) {
if ((effective_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0) {
return api_error::permission_denied;
}
}
// Create file mode
mode_t effective_mode =
forced_umask_.has_value()
? ((S_IRWXU | S_IRWXG | S_IRWXO) & (~forced_umask_.value()))
: get_mode_from_meta(meta);
// Check allow write
if ((mask & W_OK) == W_OK) {
if ((effective_mode & (S_IWUSR | S_IWGRP | S_IWOTH)) == 0) {
return api_error::access_denied;
}
}
// Create access mask
mode_t active_mask = S_IRWXO;
if (current_uid == effective_uid) {
active_mask |= S_IRWXU;
}
if (get_current_gid() == effective_gid) {
active_mask |= S_IRWXG;
}
if (utils::is_uid_member_of_group(current_uid, effective_gid)) {
active_mask |= S_IRWXG;
}
// Check allow read
if ((mask & R_OK) == R_OK) {
if ((effective_mode & (S_IRUSR | S_IRGRP | S_IROTH)) == 0) {
return api_error::access_denied;
}
}
// Calculate effective file mode
effective_mode &= active_mask;
if (effective_mode == 0) {
// Deny access if effective mode is 0
return api_error::access_denied;
}
}
// Check allow execute
if ((mask & X_OK) == X_OK) {
if ((effective_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0) {
return api_error::permission_denied;
}
}
// Check allow write
if ((mask & W_OK) == W_OK) {
if ((effective_mode & (S_IWUSR | S_IWGRP | S_IWOTH)) == 0) {
return api_error::access_denied;
}
}
// Check allow read
if ((mask & R_OK) == R_OK) {
if ((effective_mode & (S_IRUSR | S_IRGRP | S_IROTH)) == 0) {
return api_error::access_denied;
}
}
if (effective_mode == 0) {
// Deny access if effective mode is 0
return api_error::access_denied;
}
return api_error::success;
}