Set acl's for club home directories.

etc/accounts.cf

@@ -6,7 +6,6 @@ member_min_id = 20001
 member_max_id = 29999
 member_shell = "/bin/bash"
 member_home = "/users"
-member_home_acl = "u::rwx,g::rx,o::rx"
 member_home_skel = "/users/skel"
 
 ### Club Account Options ###
@@ -15,7 +14,6 @@ club_min_id = 30001
 club_max_id = 39999
 club_shell = "/bin/bash"
 club_home = "/users"
-club_home_acl = "A+group:%s:rwpRAxaWdDcCs:fd:allow"
 club_home_skel = "/users/skel"
 
 ### Administrative Account Options ###

src/homedir.c

@@ -11,7 +11,23 @@
 #include "util.h"
 #include "config.h"
 
-int ceo_create_home(char *homedir, char *skel, uid_t uid, gid_t gid) {
+static int set_acl(char *dir, char *acl_text, acl_type_t type) {
+    acl_t acl = acl_from_text(acl_text);
+    if (acl == (acl_t)NULL) {
+        errorpe("acl_from_text: %s", acl_text);
+        return -1;
+    }
+    if (acl_set_file(dir, type, acl) != 0) {
+        errorpe("acl_set_file: %s %s 0x%X %p", acl_text, dir, (int)type, (void*)acl);
+        acl_free(acl);
+        return -1;
+    }
+    acl_free(acl);
+
+    return 0;
+}
+
+int ceo_create_home(char *homedir, char *skel, uid_t uid, gid_t gid, char *access_acl, char *default_acl) {
     int mask;
     DIR *skeldir;
     struct dirent *skelent;
@@ -23,6 +39,11 @@ int ceo_create_home(char *homedir, char *skel, uid_t uid, gid_t gid) {
         return -1;
     }
 
+    if (access_acl && set_acl(homedir, access_acl, ACL_TYPE_ACCESS) != 0)
+        return -1;
+    if (default_acl && set_acl(homedir, default_acl, ACL_TYPE_DEFAULT) != 0)
+        return -1;
+
     skeldir = opendir(skel);
     if (!skeldir) {
         errorpe("failed to open %s", skel);

src/homedir.h

@@ -1,3 +1,5 @@
 #include <sys/acl.h>
 
-int ceo_create_home(char *homedir, char *skel, uid_t uid, gid_t gid);
+#define CLUB_ACL "u::rwx,g::r-x,o::r-x,g:%d:rwx,m::rwx"
+
+int ceo_create_home(char *homedir, char *skel, uid_t uid, gid_t gid, char *access_acl, char *default_acl);

src/op-adduser.c

@@ -171,7 +171,7 @@ static int32_t addmember(Ceo__AddUser *in, Ceo__AddUserResponse *out) {
     else
         response_message(out, 0, "successfully created ldap group");
 
-    if ((home_stat = ceo_create_home(homedir, member_home_skel,  id, id)))
+    if ((home_stat = ceo_create_home(homedir, member_home_skel, id, id, NULL, NULL)))
         response_message(out, EHOME, "unable to create home directory for %s", in->username);
     else
         response_message(out, 0, "successfully created home directory");
@@ -182,16 +182,19 @@ static int32_t addmember(Ceo__AddUser *in, Ceo__AddUserResponse *out) {
 
 static int32_t addclub(Ceo__AddUser *in, Ceo__AddUserResponse *out) {
     char homedir[1024];
+    char acl[64];
     int krb_stat, user_stat, group_stat, sudo_stat, home_stat;
     int id;
 
-    if (snprintf(homedir, sizeof(homedir), "%s/%s",
-                 club_home, in->username) >= sizeof(homedir))
+    if (snprintf(homedir, sizeof(homedir), "%s/%s", club_home, in->username) >= sizeof(homedir))
         fatal("homedir overflow");
 
     if ((id = ceo_new_uid(club_min_id, club_max_id)) <= 0)
         fatal("no available uids in range [%ld, %ld]", club_min_id, club_max_id);
 
+    if (snprintf(acl, sizeof(acl), CLUB_ACL, id) >= sizeof(acl))
+        fatal("acl overflow");
+
     if ((krb_stat = ceo_del_princ(in->username)))
         return response_message(out, EKERB, "unable to clear principal %s", in->username);
 
@@ -212,7 +215,7 @@ static int32_t addclub(Ceo__AddUser *in, Ceo__AddUserResponse *out) {
     else
         response_message(out, 0, "successfully created ldap sudoers");
 
-    if ((home_stat = ceo_create_home(homedir, club_home_skel, id, id)))
+    if ((home_stat = ceo_create_home(homedir, club_home_skel, id, id, acl, acl)))
         response_message(out, EHOME, "unable to create home directory for %s", in->username);
     else
         response_message(out, 0, "successfully created home directory");