/* * Make file non-readable by modifying its permissions. * If file supports "posix" attributes, then modify it. * Otherwise check for "acl" attributes. */ private static void makeFileNonReadable(String file) throws IOException { Path filePath = Paths.get(file); Set<String> supportedAttr = filePath.getFileSystem().supportedFileAttributeViews(); if (supportedAttr.contains("posix")) { Files.setPosixFilePermissions(filePath, PosixFilePermissions.fromString("-w--w----")); } else if (supportedAttr.contains("acl")) { UserPrincipal fileOwner = Files.getOwner(filePath); AclFileAttributeView view = Files.getFileAttributeView(filePath, AclFileAttributeView.class); AclEntry entry = AclEntry.newBuilder() .setType(AclEntryType.DENY) .setPrincipal(fileOwner) .setPermissions(AclEntryPermission.READ_DATA) .build(); List<AclEntry> acl = view.getAcl(); acl.add(0, entry); view.setAcl(acl); } }
/** Encode the ACL to the given buffer */ private static void encode(List<AclEntry> acl, long address) { long offset = address; for (AclEntry ace : acl) { int flags = 0; // map UserPrincipal to uid and flags UserPrincipal who = ace.principal(); if (!(who instanceof UnixUserPrincipals.User)) throw new ProviderMismatchException(); UnixUserPrincipals.User user = (UnixUserPrincipals.User) who; int uid; if (user.isSpecial()) { uid = -1; if (who == UnixUserPrincipals.SPECIAL_OWNER) flags |= ACE_OWNER; else if (who == UnixUserPrincipals.SPECIAL_GROUP) flags |= (ACE_GROUP | ACE_IDENTIFIER_GROUP); else if (who == UnixUserPrincipals.SPECIAL_EVERYONE) flags |= ACE_EVERYONE; else throw new AssertionError("Unable to map special identifier"); } else { if (user instanceof UnixUserPrincipals.Group) { uid = user.gid(); flags |= ACE_IDENTIFIER_GROUP; } else { uid = user.uid(); } } // map ACE type int type; switch (ace.type()) { case ALLOW: type = ACE_ACCESS_ALLOWED_ACE_TYPE; break; case DENY: type = ACE_ACCESS_DENIED_ACE_TYPE; break; case AUDIT: type = ACE_SYSTEM_AUDIT_ACE_TYPE; break; case ALARM: type = ACE_SYSTEM_ALARM_ACE_TYPE; break; default: throw new AssertionError("Unable to map ACE type"); } // map permissions Set<AclEntryPermission> aceMask = ace.permissions(); int mask = 0; if (aceMask.contains(AclEntryPermission.READ_DATA)) mask |= ACE_READ_DATA; if (aceMask.contains(AclEntryPermission.WRITE_DATA)) mask |= ACE_WRITE_DATA; if (aceMask.contains(AclEntryPermission.APPEND_DATA)) mask |= ACE_APPEND_DATA; if (aceMask.contains(AclEntryPermission.READ_NAMED_ATTRS)) mask |= ACE_READ_NAMED_ATTRS; if (aceMask.contains(AclEntryPermission.WRITE_NAMED_ATTRS)) mask |= ACE_WRITE_NAMED_ATTRS; if (aceMask.contains(AclEntryPermission.EXECUTE)) mask |= ACE_EXECUTE; if (aceMask.contains(AclEntryPermission.DELETE_CHILD)) mask |= ACE_DELETE_CHILD; if (aceMask.contains(AclEntryPermission.READ_ATTRIBUTES)) mask |= ACE_READ_ATTRIBUTES; if (aceMask.contains(AclEntryPermission.WRITE_ATTRIBUTES)) mask |= ACE_WRITE_ATTRIBUTES; if (aceMask.contains(AclEntryPermission.DELETE)) mask |= ACE_DELETE; if (aceMask.contains(AclEntryPermission.READ_ACL)) mask |= ACE_READ_ACL; if (aceMask.contains(AclEntryPermission.WRITE_ACL)) mask |= ACE_WRITE_ACL; if (aceMask.contains(AclEntryPermission.WRITE_OWNER)) mask |= ACE_WRITE_OWNER; if (aceMask.contains(AclEntryPermission.SYNCHRONIZE)) mask |= ACE_SYNCHRONIZE; // FIXME - it would be desirable to know here if the file is a // directory or not. Solaris returns EINVAL if an ACE has a directory // -only flag and the file is not a directory. Set<AclEntryFlag> aceFlags = ace.flags(); if (aceFlags.contains(AclEntryFlag.FILE_INHERIT)) flags |= ACE_FILE_INHERIT_ACE; if (aceFlags.contains(AclEntryFlag.DIRECTORY_INHERIT)) flags |= ACE_DIRECTORY_INHERIT_ACE; if (aceFlags.contains(AclEntryFlag.NO_PROPAGATE_INHERIT)) flags |= ACE_NO_PROPAGATE_INHERIT_ACE; if (aceFlags.contains(AclEntryFlag.INHERIT_ONLY)) flags |= ACE_INHERIT_ONLY_ACE; unsafe.putInt(offset + OFFSETOF_UID, uid); unsafe.putInt(offset + OFFSETOF_MASK, mask); unsafe.putShort(offset + OFFSETOF_FLAGS, (short) flags); unsafe.putShort(offset + OFFSETOF_TYPE, (short) type); offset += SIZEOF_ACE_T; } }
/** Decode the buffer, returning an ACL */ private static List<AclEntry> decode(long address, int n) { ArrayList<AclEntry> acl = new ArrayList<>(n); for (int i = 0; i < n; i++) { long offset = address + i * SIZEOF_ACE_T; int uid = unsafe.getInt(offset + OFFSETOF_UID); int mask = unsafe.getInt(offset + OFFSETOF_MASK); int flags = (int) unsafe.getShort(offset + OFFSETOF_FLAGS); int type = (int) unsafe.getShort(offset + OFFSETOF_TYPE); // map uid and flags to UserPrincipal UnixUserPrincipals.User who = null; if ((flags & ACE_OWNER) > 0) { who = UnixUserPrincipals.SPECIAL_OWNER; } else if ((flags & ACE_GROUP) > 0) { who = UnixUserPrincipals.SPECIAL_GROUP; } else if ((flags & ACE_EVERYONE) > 0) { who = UnixUserPrincipals.SPECIAL_EVERYONE; } else if ((flags & ACE_IDENTIFIER_GROUP) > 0) { who = UnixUserPrincipals.fromGid(uid); } else { who = UnixUserPrincipals.fromUid(uid); } AclEntryType aceType = null; switch (type) { case ACE_ACCESS_ALLOWED_ACE_TYPE: aceType = AclEntryType.ALLOW; break; case ACE_ACCESS_DENIED_ACE_TYPE: aceType = AclEntryType.DENY; break; case ACE_SYSTEM_AUDIT_ACE_TYPE: aceType = AclEntryType.AUDIT; break; case ACE_SYSTEM_ALARM_ACE_TYPE: aceType = AclEntryType.ALARM; break; default: assert false; } Set<AclEntryPermission> aceMask = EnumSet.noneOf(AclEntryPermission.class); if ((mask & ACE_READ_DATA) > 0) aceMask.add(AclEntryPermission.READ_DATA); if ((mask & ACE_WRITE_DATA) > 0) aceMask.add(AclEntryPermission.WRITE_DATA); if ((mask & ACE_APPEND_DATA) > 0) aceMask.add(AclEntryPermission.APPEND_DATA); if ((mask & ACE_READ_NAMED_ATTRS) > 0) aceMask.add(AclEntryPermission.READ_NAMED_ATTRS); if ((mask & ACE_WRITE_NAMED_ATTRS) > 0) aceMask.add(AclEntryPermission.WRITE_NAMED_ATTRS); if ((mask & ACE_EXECUTE) > 0) aceMask.add(AclEntryPermission.EXECUTE); if ((mask & ACE_DELETE_CHILD) > 0) aceMask.add(AclEntryPermission.DELETE_CHILD); if ((mask & ACE_READ_ATTRIBUTES) > 0) aceMask.add(AclEntryPermission.READ_ATTRIBUTES); if ((mask & ACE_WRITE_ATTRIBUTES) > 0) aceMask.add(AclEntryPermission.WRITE_ATTRIBUTES); if ((mask & ACE_DELETE) > 0) aceMask.add(AclEntryPermission.DELETE); if ((mask & ACE_READ_ACL) > 0) aceMask.add(AclEntryPermission.READ_ACL); if ((mask & ACE_WRITE_ACL) > 0) aceMask.add(AclEntryPermission.WRITE_ACL); if ((mask & ACE_WRITE_OWNER) > 0) aceMask.add(AclEntryPermission.WRITE_OWNER); if ((mask & ACE_SYNCHRONIZE) > 0) aceMask.add(AclEntryPermission.SYNCHRONIZE); Set<AclEntryFlag> aceFlags = EnumSet.noneOf(AclEntryFlag.class); if ((flags & ACE_FILE_INHERIT_ACE) > 0) aceFlags.add(AclEntryFlag.FILE_INHERIT); if ((flags & ACE_DIRECTORY_INHERIT_ACE) > 0) aceFlags.add(AclEntryFlag.DIRECTORY_INHERIT); if ((flags & ACE_NO_PROPAGATE_INHERIT_ACE) > 0) aceFlags.add(AclEntryFlag.NO_PROPAGATE_INHERIT); if ((flags & ACE_INHERIT_ONLY_ACE) > 0) aceFlags.add(AclEntryFlag.INHERIT_ONLY); // build the ACL entry and add it to the list AclEntry ace = AclEntry.newBuilder() .setType(aceType) .setPrincipal(who) .setPermissions(aceMask) .setFlags(aceFlags) .build(); acl.add(ace); } return acl; }