Check access permissions
#include <sys/iofunc.h> int iofunc_check_access( resmgr_context_t *ctp, const iofunc_attr_t *attr, mode_t checkmode, const struct _client_info *info );
libc
Use the -l c option to qcc to link against this library. This library is usually included automatically.
The iofunc_check_access() function verifies that the client is allowed access to the resource, as specified by a combination of who the client is (info), and the resource attributes attr->mode, attr->uid and attr->gid. Access is tested based upon the checkmode parameter.
The checkmode parameter determines which checks are done. It's a bitwise OR of the following constants:
If the client's effective user ID matches that of attr->uid, then the permission check is made against the owner permission field of attr->mode (mask 0700 octal).
If the client's effective user ID doesn't match that of attr->uid, then if the client's effective group ID matches that of attr->gid, or one of the client's supplementary group IDs matches attr->gid, the check is made against the group permission field of attr->mode (mask 0070 octal).
If none of the group fields match, the check is made against the other permission field of attr->mode (mask 0007 octal).
The S_ISUID and S_ISGID flags are mutually exclusive, that is, you may specify at most one of them. In conjunction with the S_ISUID and S_ISGID flags, you may specify zero or more of the S_IREAD, S_IWRITE, and S_IEXEC flags. If no flags are specified, the permission checks are performed for privileged (root) access.
Here's some pseudo-code to try to explain this:
if an ability check was requested using iofunc_client_info_able(), and the check failed: return EACCES if superuser: return EOK if S_ISUID and effective user ID == file user ID: return EOK if S_ISGID and effective group ID == file group ID, or a supplemental group ID == file group ID: return EOK if S_IREAD or S_IWRITE or S_IEXEC: if caller's user ID == effective user ID: if all permissions are set in file's owner mode bits: return EOK else: return EACCES if ( caller's group ID or supplementary group IDs ) == effective group ID: if all permissions are set in file's group mode bits: return EOK else: return EACCES if all permissions are set in file's other mode bits: return EOK else: return EACCES return EPERM
Safety: | |
---|---|
Cancellation point | No |
Interrupt handler | No |
Signal handler | Yes |
Thread | Yes |