added: now we have a fourth part in permissions (guests)
e.g.: 07555 means:
7 for owner
5 for group
5 for others
5 for guests (not logged users)
added: the sticky bit for directories
e.g. permissions to a directory with a sticky bit set
can be set to: 017555
rewritten: rm/mv winix functions to correctly understand the sticky bit
added: Dir::FollowLink() recognizes ".." and "." now
consequently System::FollowAllLinks recognizes it too
added: umask -- calculating privileges for new files/directories
all users have their own umask (in meta)
and there is one in the config
(for guests and when a user has not definied its own one)
removed: mount option: only_root_remove
git-svn-id: svn://ttmath.org/publicrep/winix/trunk@801 e52654a7-88a9-db11-a3e9-0013d4bc506e
This commit is contained in:
122
core/system.cpp
122
core/system.cpp
@@ -2,7 +2,7 @@
|
||||
* This file is a part of Winix
|
||||
* and is not publicly distributed
|
||||
*
|
||||
* Copyright (c) 2010-2011, Tomasz Sowa
|
||||
* Copyright (c) 2010-2012, Tomasz Sowa
|
||||
* All rights reserved.
|
||||
*
|
||||
*/
|
||||
@@ -260,12 +260,12 @@ bool System::CanChangeUser(const Item & item, long new_user_id)
|
||||
// super user is allowed everything
|
||||
return true;
|
||||
|
||||
// !! przeciez to prosciej mozna zapisac
|
||||
// albo dac od razu return false
|
||||
if( item.user_id != new_user_id )
|
||||
if( item.user_id == -1 || new_user_id == -1 || item.user_id != new_user_id )
|
||||
// only super user can change the owner of an item
|
||||
return false;
|
||||
|
||||
// item.user_id is equal new_user_id -- we return true
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
@@ -285,10 +285,10 @@ bool System::CanChangeGroup(const Item & item, long new_group_id)
|
||||
// user is allowed to change the group only if he is an owner of the item
|
||||
// he can change only into a group in which he is a member of, or into a 'no_group'
|
||||
|
||||
if( !cur->session->puser )
|
||||
if( !cur->session->puser || cur->session->puser->id == -1 )
|
||||
return false;
|
||||
|
||||
if( cur->session->puser->id != item.user_id )
|
||||
if( item.user_id == -1 || cur->session->puser->id != item.user_id )
|
||||
return false;
|
||||
|
||||
if( new_group_id == -1 )
|
||||
@@ -316,12 +316,12 @@ bool System::CanChangePrivileges(const Item & item, int new_priv)
|
||||
|
||||
if( item.privileges != new_priv )
|
||||
{
|
||||
// the owner of an item is allowed to change the privileges
|
||||
|
||||
if( !cur->session->puser )
|
||||
// the owner of an item is allowed to change the privileges
|
||||
|
||||
if( !cur->session->puser || cur->session->puser->id == -1 )
|
||||
return false;
|
||||
|
||||
if( cur->session->puser->id != item.user_id )
|
||||
|
||||
if( item.user_id == -1 || cur->session->puser->id != item.user_id )
|
||||
return false;
|
||||
}
|
||||
|
||||
@@ -329,7 +329,7 @@ return true;
|
||||
}
|
||||
|
||||
|
||||
|
||||
// private
|
||||
bool System::HasAccess(const Item & item, int mask)
|
||||
{
|
||||
if( !cur->session )
|
||||
@@ -340,20 +340,26 @@ bool System::HasAccess(const Item & item, int mask)
|
||||
// super user is allowed everything
|
||||
return true;
|
||||
|
||||
if( cur->session->puser && cur->session->puser->id == item.user_id )
|
||||
if( cur->session->puser && item.user_id != -1 && cur->session->puser->id == item.user_id )
|
||||
{
|
||||
// the owner
|
||||
return ((item.privileges >> 9) & mask) == mask;
|
||||
}
|
||||
|
||||
if( cur->session->puser && item.group_id != -1 && cur->session->puser->IsMemberOf(item.group_id) )
|
||||
{
|
||||
// group
|
||||
return ((item.privileges >> 6) & mask) == mask;
|
||||
}
|
||||
|
||||
if( cur->session->puser && cur->session->puser->IsMemberOf(item.group_id) )
|
||||
if( cur->session->puser )
|
||||
{
|
||||
// group
|
||||
// others -- others logged people
|
||||
return ((item.privileges >> 3) & mask) == mask;
|
||||
}
|
||||
|
||||
// others
|
||||
|
||||
|
||||
// guests -- not logged people
|
||||
|
||||
return (item.privileges & mask) == mask;
|
||||
}
|
||||
|
||||
@@ -381,8 +387,8 @@ bool System::HasReadExecAccess(const Item & item)
|
||||
if( cur->session && cur->session->puser && cur->session->puser->super_user )
|
||||
{
|
||||
// there must be at least one 'x' (for the root)
|
||||
|
||||
return (item.privileges & 0111) != 0;
|
||||
// !! CHECK ME: is it applicable to directories too?
|
||||
return (item.privileges & 01111) != 0;
|
||||
}
|
||||
|
||||
return HasAccess(item, 5); // r+x
|
||||
@@ -468,6 +474,76 @@ size_t i = 0;
|
||||
}
|
||||
|
||||
|
||||
int System::NewPrivileges(int creation_mask)
|
||||
{
|
||||
if( cur && cur->session && cur->session->puser )
|
||||
{
|
||||
int umask = cur->session->puser->env.Int(L"umask", config->umask);
|
||||
return (~umask) & creation_mask;
|
||||
}
|
||||
else
|
||||
{
|
||||
return (~config->umask) & creation_mask;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
from man sticky:
|
||||
A directory whose `sticky bit' is set becomes an append-only directory,
|
||||
or, more accurately, a directory in which the deletion of files is
|
||||
restricted. A file in a sticky directory may only be removed or renamed
|
||||
by a user if the user has write permission for the directory and the user
|
||||
is the owner of the file, the owner of the directory, or the super-user.
|
||||
This feature is usefully applied to directories such as /tmp which must
|
||||
be publicly writable but should deny users the license to arbitrarily
|
||||
delete or rename each others' files.
|
||||
*/
|
||||
bool System::CanRemoveRenameChild(const Item & dir, long child_item_user_id)
|
||||
{
|
||||
if( dir.type != Item::dir )
|
||||
return false;
|
||||
|
||||
if( !HasWriteAccess(dir) )
|
||||
return false;
|
||||
|
||||
if( (dir.privileges & 010000) == 0 )
|
||||
// there is no a sticky bit set to this directory
|
||||
return true;
|
||||
|
||||
if( cur->session->puser )
|
||||
{
|
||||
if( cur->session->puser->super_user )
|
||||
return true;
|
||||
|
||||
if( dir.user_id != -1 && cur->session->puser->id != -1 && child_item_user_id != -1 )
|
||||
{
|
||||
if( cur->session->puser->id == child_item_user_id ||
|
||||
cur->session->puser->id == dir.user_id )
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
int System::NewFilePrivileges()
|
||||
{
|
||||
return NewPrivileges(06666);
|
||||
}
|
||||
|
||||
|
||||
int System::NewDirPrivileges()
|
||||
{
|
||||
return NewPrivileges(07777);
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
bool System::CanUseHtml(long user_id)
|
||||
{
|
||||
return IsMemberOfGroup(user_id, L"allow_html");
|
||||
@@ -1068,9 +1144,9 @@ bool System::AddCommonFileToVar(const wchar_t * file_path, const wchar_t * url,
|
||||
|
||||
file_content_item.Clear();
|
||||
file_content_item.parent_id = var->id;
|
||||
file_content_item.user_id = -1;
|
||||
file_content_item.group_id = -1;
|
||||
file_content_item.privileges = 0755;
|
||||
file_content_item.user_id = var->user_id;
|
||||
file_content_item.group_id = var->group_id;
|
||||
file_content_item.privileges = 07555; // !! IMPROVE ME: may it should be added as a parameter to this function?
|
||||
file_content_item.subject = url;
|
||||
file_content_item.url = url;
|
||||
file_content_item.type = Item::file;
|
||||
|
||||
Reference in New Issue
Block a user