2 * Store Windows ACLs in xattrs, or a tdb if configured that way.
4 * Copyright (C) Volker Lendecke, 2008
5 * Copyright (C) Jeremy Allison, 2008
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
21 /* NOTE: This is an experimental module, not yet finished. JRA. */
24 #include "librpc/gen_ndr/xattr.h"
25 #include "librpc/gen_ndr/ndr_xattr.h"
28 #define DBGC_CLASS DBGC_VFS
30 static unsigned int ref_count;
31 static struct db_context *acl_db;
33 /*******************************************************************
34 Open acl_db if not already open, increment ref count.
35 *******************************************************************/
37 static bool acl_tdb_init(struct db_context **pp_db)
47 dbname = lock_path("file_ntacls.tdb");
55 *pp_db = db_open(NULL, dbname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
71 /*******************************************************************
72 Lower ref count and close acl_db if zero.
73 *******************************************************************/
75 static void free_acl_xattr_data(void **pptr)
77 struct db_context **pp_db = (struct db_context **)pptr;
86 /*******************************************************************
87 Fetch_lock the tdb acl record for a file
88 *******************************************************************/
90 static struct db_record *acl_xattr_tdb_lock(TALLOC_CTX *mem_ctx,
91 struct db_context *db,
92 const struct file_id *id)
95 push_file_id_16((char *)id_buf, id);
96 return db->fetch_locked(db,
102 /*******************************************************************
103 Parse out a struct security_descriptor from a DATA_BLOB.
104 *******************************************************************/
106 static NTSTATUS parse_acl_blob(const DATA_BLOB *pblob,
107 uint32 security_info,
108 struct security_descriptor **ppdesc)
110 TALLOC_CTX *ctx = talloc_tos();
111 struct xattr_NTACL xacl;
112 enum ndr_err_code ndr_err;
115 ndr_err = ndr_pull_struct_blob(pblob, ctx, NULL, &xacl,
116 (ndr_pull_flags_fn_t)ndr_pull_xattr_NTACL);
118 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
119 DEBUG(5, ("parse_acl_blob: ndr_pull_xattr_NTACL failed: %s\n",
120 ndr_errstr(ndr_err)));
121 return ndr_map_error2ntstatus(ndr_err);;
124 if (xacl.version != 2) {
125 return NT_STATUS_REVISION_MISMATCH;
128 *ppdesc = make_sec_desc(ctx, SEC_DESC_REVISION, xacl.info.sd_hs->sd->type | SEC_DESC_SELF_RELATIVE,
129 (security_info & OWNER_SECURITY_INFORMATION)
130 ? xacl.info.sd_hs->sd->owner_sid : NULL,
131 (security_info & GROUP_SECURITY_INFORMATION)
132 ? xacl.info.sd_hs->sd->group_sid : NULL,
133 (security_info & SACL_SECURITY_INFORMATION)
134 ? xacl.info.sd_hs->sd->sacl : NULL,
135 (security_info & DACL_SECURITY_INFORMATION)
136 ? xacl.info.sd_hs->sd->dacl : NULL,
139 TALLOC_FREE(xacl.info.sd);
141 return (*ppdesc != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
144 /*******************************************************************
145 Pull a security descriptor into a DATA_BLOB from a tdb store.
146 *******************************************************************/
148 static NTSTATUS get_acl_blob(TALLOC_CTX *ctx,
149 vfs_handle_struct *handle,
157 struct db_context *db;
158 SMB_STRUCT_STAT sbuf;
160 SMB_VFS_HANDLE_GET_DATA(handle, db, struct db_context,
161 return NT_STATUS_INTERNAL_DB_CORRUPTION);
163 if (fsp && fsp->fh->fd != -1) {
164 if (SMB_VFS_FSTAT(fsp, &sbuf) == -1) {
165 return map_nt_error_from_unix(errno);
168 if (SMB_VFS_STAT(handle->conn, name, &sbuf) == -1) {
169 return map_nt_error_from_unix(errno);
172 id = vfs_file_id_from_sbuf(handle->conn, &sbuf);
174 push_file_id_16((char *)id_buf, &id);
178 make_tdb_data(id_buf, sizeof(id_buf)),
180 return NT_STATUS_INTERNAL_DB_CORRUPTION;
183 pblob->data = data.dptr;
184 pblob->length = data.dsize;
186 DEBUG(10,("get_acl_blob: returned %u bytes from file %s\n",
187 (unsigned int)data.dsize, name ));
189 if (pblob->length == 0 || pblob->data == NULL) {
190 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
195 /*******************************************************************
196 Create a DATA_BLOB from a security descriptor.
197 *******************************************************************/
199 static NTSTATUS create_acl_blob(const struct security_descriptor *psd, DATA_BLOB *pblob)
201 struct xattr_NTACL xacl;
202 struct security_descriptor_hash sd_hs;
203 enum ndr_err_code ndr_err;
204 TALLOC_CTX *ctx = talloc_tos();
210 xacl.info.sd_hs = &sd_hs;
211 xacl.info.sd_hs->sd = CONST_DISCARD(struct security_descriptor *, psd);
212 memset(&xacl.info.sd_hs->hash[0], '\0', 16);
214 ndr_err = ndr_push_struct_blob(
215 pblob, ctx, NULL, &xacl,
216 (ndr_push_flags_fn_t)ndr_push_xattr_NTACL);
218 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
219 DEBUG(5, ("create_acl_blob: ndr_push_xattr_NTACL failed: %s\n",
220 ndr_errstr(ndr_err)));
221 return ndr_map_error2ntstatus(ndr_err);;
227 /*******************************************************************
228 Store a DATA_BLOB into a tdb record given an fsp pointer.
229 *******************************************************************/
231 static NTSTATUS store_acl_blob_fsp(vfs_handle_struct *handle,
237 SMB_STRUCT_STAT sbuf;
239 struct db_context *db;
240 struct db_record *rec;
242 DEBUG(10,("store_acl_blob_fsp: storing blob length %u on file %s\n",
243 (unsigned int)pblob->length, fsp->fsp_name));
245 SMB_VFS_HANDLE_GET_DATA(handle, db, struct db_context,
246 return NT_STATUS_INTERNAL_DB_CORRUPTION);
248 if (fsp->fh->fd != -1) {
249 if (SMB_VFS_FSTAT(fsp, &sbuf) == -1) {
250 return map_nt_error_from_unix(errno);
253 if (SMB_VFS_STAT(handle->conn, fsp->fsp_name, &sbuf) == -1) {
254 return map_nt_error_from_unix(errno);
257 id = vfs_file_id_from_sbuf(handle->conn, &sbuf);
259 push_file_id_16((char *)id_buf, &id);
260 rec = db->fetch_locked(db, talloc_tos(),
261 make_tdb_data(id_buf,
264 DEBUG(0, ("store_acl_blob_fsp_tdb: fetch_lock failed\n"));
265 return NT_STATUS_INTERNAL_DB_CORRUPTION;
267 data.dptr = pblob->data;
268 data.dsize = pblob->length;
269 return rec->store(rec, data, 0);
272 /*******************************************************************
273 Store a DATA_BLOB into a tdb record given a pathname.
274 *******************************************************************/
276 static NTSTATUS store_acl_blob_pathname(vfs_handle_struct *handle,
283 SMB_STRUCT_STAT sbuf;
284 struct db_context *db;
285 struct db_record *rec;
287 DEBUG(10,("store_acl_blob_pathname: storing blob "
288 "length %u on file %s\n",
289 (unsigned int)pblob->length, fname));
291 SMB_VFS_HANDLE_GET_DATA(handle, db, struct db_context,
292 return NT_STATUS_INTERNAL_DB_CORRUPTION);
294 if (SMB_VFS_STAT(handle->conn, fname, &sbuf) == -1) {
295 return map_nt_error_from_unix(errno);
298 id = vfs_file_id_from_sbuf(handle->conn, &sbuf);
299 push_file_id_16((char *)id_buf, &id);
301 rec = db->fetch_locked(db, talloc_tos(),
302 make_tdb_data(id_buf,
305 DEBUG(0, ("store_acl_blob_pathname_tdb: fetch_lock failed\n"));
306 return NT_STATUS_INTERNAL_DB_CORRUPTION;
308 data.dptr = pblob->data;
309 data.dsize = pblob->length;
310 return rec->store(rec, data, 0);
313 /*******************************************************************
314 Store a DATA_BLOB into an xattr given a pathname.
315 *******************************************************************/
317 static NTSTATUS get_nt_acl_xattr_internal(vfs_handle_struct *handle,
320 uint32 security_info,
321 struct security_descriptor **ppdesc)
323 TALLOC_CTX *ctx = talloc_tos();
327 if (fsp && name == NULL) {
328 name = fsp->fsp_name;
331 DEBUG(10, ("get_nt_acl_xattr_internal: name=%s\n", name));
333 status = get_acl_blob(ctx, handle, fsp, name, &blob);
334 if (!NT_STATUS_IS_OK(status)) {
335 DEBUG(10, ("get_acl_blob returned %s\n", nt_errstr(status)));
339 status = parse_acl_blob(&blob, security_info, ppdesc);
340 if (!NT_STATUS_IS_OK(status)) {
341 DEBUG(10, ("parse_acl_blob returned %s\n",
346 TALLOC_FREE(blob.data);
350 /*********************************************************************
351 Create a default security descriptor for a file in case no inheritance
352 exists. All permissions to the owner and SYSTEM.
353 *********************************************************************/
355 static struct security_descriptor *default_file_sd(TALLOC_CTX *mem_ctx,
356 SMB_STRUCT_STAT *psbuf)
358 struct dom_sid owner_sid, group_sid;
360 struct security_ace *pace = NULL;
361 struct security_acl *pacl = NULL;
363 uid_to_sid(&owner_sid, psbuf->st_uid);
364 gid_to_sid(&group_sid, psbuf->st_gid);
366 pace = TALLOC_ARRAY(mem_ctx, struct security_ace, 2);
371 init_sec_ace(&pace[0], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
372 SEC_RIGHTS_FILE_ALL, 0);
373 init_sec_ace(&pace[1], &global_sid_System, SEC_ACE_TYPE_ACCESS_ALLOWED,
374 SEC_RIGHTS_FILE_ALL, 0);
376 pacl = make_sec_acl(mem_ctx,
383 return make_sec_desc(mem_ctx,
384 SECURITY_DESCRIPTOR_REVISION_1,
385 SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
393 /*********************************************************************
394 *********************************************************************/
396 static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
401 TALLOC_CTX *ctx = talloc_tos();
403 struct security_descriptor *parent_desc = NULL;
404 struct security_descriptor *psd = NULL;
409 if (!parent_dirname_talloc(ctx,
413 return NT_STATUS_NO_MEMORY;
416 DEBUG(10,("inherit_new_acl: check directory %s\n",
419 status = get_nt_acl_xattr_internal(handle,
422 (OWNER_SECURITY_INFORMATION |
423 GROUP_SECURITY_INFORMATION |
424 DACL_SECURITY_INFORMATION),
426 if (NT_STATUS_IS_OK(status)) {
427 /* Create an inherited descriptor from the parent. */
429 if (DEBUGLEVEL >= 10) {
430 DEBUG(10,("inherit_new_acl: parent acl is:\n"));
431 NDR_PRINT_DEBUG(security_descriptor, parent_desc);
434 status = se_create_child_secdesc(ctx,
438 &handle->conn->server_info->ptok->user_sids[PRIMARY_USER_SID_INDEX],
439 &handle->conn->server_info->ptok->user_sids[PRIMARY_GROUP_SID_INDEX],
441 if (!NT_STATUS_IS_OK(status)) {
445 if (DEBUGLEVEL >= 10) {
446 DEBUG(10,("inherit_new_acl: child acl is:\n"));
447 NDR_PRINT_DEBUG(security_descriptor, psd);
451 DEBUG(10,("inherit_new_acl: directory %s failed "
454 nt_errstr(status) ));
457 if (!psd || psd->dacl == NULL) {
458 SMB_STRUCT_STAT sbuf;
462 if (fsp && !fsp->is_directory && fsp->fh->fd != -1) {
463 ret = SMB_VFS_FSTAT(fsp, &sbuf);
465 ret = SMB_VFS_STAT(handle->conn,fname, &sbuf);
468 return map_nt_error_from_unix(errno);
470 psd = default_file_sd(ctx, &sbuf);
472 return NT_STATUS_NO_MEMORY;
475 if (DEBUGLEVEL >= 10) {
476 DEBUG(10,("inherit_new_acl: default acl is:\n"));
477 NDR_PRINT_DEBUG(security_descriptor, psd);
481 status = create_acl_blob(psd, &blob);
482 if (!NT_STATUS_IS_OK(status)) {
486 return store_acl_blob_fsp(handle, fsp, &blob);
488 return store_acl_blob_pathname(handle, fname, &blob);
492 /*********************************************************************
493 Check ACL on open. For new files inherit from parent directory.
494 *********************************************************************/
496 static int open_acl_xattr(vfs_handle_struct *handle,
502 uint32_t access_granted = 0;
503 struct security_descriptor *pdesc = NULL;
504 bool file_existed = true;
505 NTSTATUS status = get_nt_acl_xattr_internal(handle,
508 (OWNER_SECURITY_INFORMATION |
509 GROUP_SECURITY_INFORMATION |
510 DACL_SECURITY_INFORMATION),
512 if (NT_STATUS_IS_OK(status)) {
513 /* See if we can access it. */
514 status = smb1_file_se_access_check(pdesc,
515 handle->conn->server_info->ptok,
518 if (!NT_STATUS_IS_OK(status)) {
519 DEBUG(10,("open_acl_xattr: file %s open "
520 "refused with error %s\n",
522 nt_errstr(status) ));
523 errno = map_errno_from_nt_status(status);
526 } else if (NT_STATUS_EQUAL(status,NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
527 file_existed = false;
530 DEBUG(10,("open_acl_xattr: get_nt_acl_attr_internal for "
531 "file %s returned %s\n",
533 nt_errstr(status) ));
535 fsp->fh->fd = SMB_VFS_NEXT_OPEN(handle, fname, fsp, flags, mode);
537 if (!file_existed && fsp->fh->fd != -1) {
538 /* File was created. Inherit from parent directory. */
539 string_set(&fsp->fsp_name, fname);
540 inherit_new_acl(handle, fname, fsp, false);
546 /*********************************************************************
547 On unlink we need to delete the tdb record (if using tdb).
548 *********************************************************************/
550 static int unlink_acl_xattr(vfs_handle_struct *handle, const char *path)
552 SMB_STRUCT_STAT sbuf;
554 struct db_context *db;
555 struct db_record *rec;
558 SMB_VFS_HANDLE_GET_DATA(handle, db, struct db_context, return -1);
560 if (SMB_VFS_STAT(handle->conn, path, &sbuf) == -1) {
564 ret = SMB_VFS_NEXT_UNLINK(handle, path);
570 id = vfs_file_id_from_sbuf(handle->conn, &sbuf);
572 rec = acl_xattr_tdb_lock(talloc_tos(), db, &id);
575 * If rec == NULL there's not much we can do about it
579 DEBUG(10,("unlink_acl_xattr: path %s rec == NULL\n",
585 rec->delete_rec(rec);
591 /*********************************************************************
592 Store an inherited SD on mkdir.
593 *********************************************************************/
595 static int mkdir_acl_xattr(vfs_handle_struct *handle, const char *path, mode_t mode)
597 int ret = SMB_VFS_NEXT_MKDIR(handle, path, mode);
602 /* New directory - inherit from parent. */
603 inherit_new_acl(handle, path, NULL, true);
607 /*********************************************************************
608 On rmdir we need to delete the tdb record (if using tdb).
609 *********************************************************************/
611 static int rmdir_acl_xattr(vfs_handle_struct *handle, const char *path)
613 SMB_STRUCT_STAT sbuf;
615 struct db_context *db;
616 struct db_record *rec;
619 SMB_VFS_HANDLE_GET_DATA(handle, db, struct db_context, return -1);
621 if (SMB_VFS_STAT(handle->conn, path, &sbuf) == -1) {
625 ret = SMB_VFS_NEXT_RMDIR(handle, path);
631 id = vfs_file_id_from_sbuf(handle->conn, &sbuf);
633 rec = acl_xattr_tdb_lock(talloc_tos(), db, &id);
636 * If rec == NULL there's not much we can do about it
640 DEBUG(10,("rmdir_acl_xattr: path %s rec == NULL\n",
646 rec->delete_rec(rec);
652 /*********************************************************************
653 Fetch a security descriptor given an fsp.
654 *********************************************************************/
656 static NTSTATUS fget_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
657 uint32 security_info, struct security_descriptor **ppdesc)
659 NTSTATUS status = get_nt_acl_xattr_internal(handle, fsp,
660 NULL, security_info, ppdesc);
661 if (NT_STATUS_IS_OK(status)) {
662 if (DEBUGLEVEL >= 10) {
663 DEBUG(10,("fget_nt_acl_xattr: returning xattr sd for file %s\n",
665 NDR_PRINT_DEBUG(security_descriptor, *ppdesc);
670 DEBUG(10,("fget_nt_acl_xattr: failed to get xattr sd for file %s, Error %s\n",
672 nt_errstr(status) ));
674 return SMB_VFS_NEXT_FGET_NT_ACL(handle, fsp,
675 security_info, ppdesc);
678 /*********************************************************************
679 Fetch a security descriptor given a pathname.
680 *********************************************************************/
682 static NTSTATUS get_nt_acl_xattr(vfs_handle_struct *handle,
683 const char *name, uint32 security_info, struct security_descriptor **ppdesc)
685 NTSTATUS status = get_nt_acl_xattr_internal(handle, NULL,
686 name, security_info, ppdesc);
687 if (NT_STATUS_IS_OK(status)) {
688 if (DEBUGLEVEL >= 10) {
689 DEBUG(10,("get_nt_acl_xattr: returning xattr sd for file %s\n",
691 NDR_PRINT_DEBUG(security_descriptor, *ppdesc);
696 DEBUG(10,("get_nt_acl_xattr: failed to get xattr sd for file %s, Error %s\n",
698 nt_errstr(status) ));
700 return SMB_VFS_NEXT_GET_NT_ACL(handle, name,
701 security_info, ppdesc);
704 /*********************************************************************
705 Store a security descriptor given an fsp.
706 *********************************************************************/
708 static NTSTATUS fset_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
709 uint32 security_info_sent, const struct security_descriptor *psd)
714 if (DEBUGLEVEL >= 10) {
715 DEBUG(10,("fset_nt_acl_xattr: incoming sd for file %s\n",
717 NDR_PRINT_DEBUG(security_descriptor,
718 CONST_DISCARD(struct security_descriptor *,psd));
721 status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
722 if (!NT_STATUS_IS_OK(status)) {
726 /* Ensure owner and group are set. */
727 if (!psd->owner_sid || !psd->group_sid) {
729 SMB_STRUCT_STAT sbuf;
730 DOM_SID owner_sid, group_sid;
731 struct security_descriptor *nc_psd = dup_sec_desc(talloc_tos(), psd);
736 if (fsp->is_directory || fsp->fh->fd == -1) {
737 ret = SMB_VFS_STAT(fsp->conn,fsp->fsp_name, &sbuf);
739 ret = SMB_VFS_FSTAT(fsp, &sbuf);
742 /* Lower level acl set succeeded,
743 * so still return OK. */
746 create_file_sids(&sbuf, &owner_sid, &group_sid);
747 /* This is safe as nc_psd is discarded at fn exit. */
748 nc_psd->owner_sid = &owner_sid;
749 nc_psd->group_sid = &group_sid;
750 security_info_sent |= (OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION);
754 if ((security_info_sent & DACL_SECURITY_INFORMATION) &&
756 (psd->type & (SE_DESC_DACL_AUTO_INHERITED|
757 SE_DESC_DACL_AUTO_INHERIT_REQ))==
758 (SE_DESC_DACL_AUTO_INHERITED|
759 SE_DESC_DACL_AUTO_INHERIT_REQ) ) {
760 struct security_descriptor *new_psd = NULL;
761 status = append_parent_acl(fsp, psd, &new_psd);
762 if (!NT_STATUS_IS_OK(status)) {
763 /* Lower level acl set succeeded,
764 * so still return OK. */
770 if (DEBUGLEVEL >= 10) {
771 DEBUG(10,("fset_nt_acl_xattr: storing xattr sd for file %s\n",
773 NDR_PRINT_DEBUG(security_descriptor,
774 CONST_DISCARD(struct security_descriptor *,psd));
776 create_acl_blob(psd, &blob);
777 store_acl_blob_fsp(handle, fsp, &blob);
782 /*******************************************************************
783 Handle opening the storage tdb if so configured.
784 *******************************************************************/
786 static int connect_acl_xattr(struct vfs_handle_struct *handle,
790 struct db_context *db;
793 res = SMB_VFS_NEXT_CONNECT(handle, service, user);
798 if (!acl_tdb_init(&db)) {
799 SMB_VFS_NEXT_DISCONNECT(handle);
803 SMB_VFS_HANDLE_SET_DATA(handle, db, free_acl_xattr_data,
804 struct db_context, return -1);
809 /* VFS operations structure */
811 static vfs_op_tuple skel_op_tuples[] =
813 {SMB_VFS_OP(connect_acl_xattr), SMB_VFS_OP_CONNECT, SMB_VFS_LAYER_TRANSPARENT},
815 {SMB_VFS_OP(mkdir_acl_xattr), SMB_VFS_OP_MKDIR, SMB_VFS_LAYER_TRANSPARENT},
816 {SMB_VFS_OP(rmdir_acl_xattr), SMB_VFS_OP_RMDIR, SMB_VFS_LAYER_TRANSPARENT},
818 {SMB_VFS_OP(open_acl_xattr), SMB_VFS_OP_OPEN, SMB_VFS_LAYER_TRANSPARENT},
819 {SMB_VFS_OP(unlink_acl_xattr), SMB_VFS_OP_UNLINK, SMB_VFS_LAYER_TRANSPARENT},
821 /* NT File ACL operations */
823 {SMB_VFS_OP(fget_nt_acl_xattr),SMB_VFS_OP_FGET_NT_ACL,SMB_VFS_LAYER_TRANSPARENT},
824 {SMB_VFS_OP(get_nt_acl_xattr), SMB_VFS_OP_GET_NT_ACL, SMB_VFS_LAYER_TRANSPARENT},
825 {SMB_VFS_OP(fset_nt_acl_xattr),SMB_VFS_OP_FSET_NT_ACL,SMB_VFS_LAYER_TRANSPARENT},
827 {SMB_VFS_OP(NULL), SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP}
830 NTSTATUS vfs_acl_xattr_init(void)
832 return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "acl_tdb", skel_op_tuples);
git.samba.org / idra / samba.git / blob