2 * Store Windows ACLs in xattrs.
4 * Copyright (C) Volker Lendecke, 2008
5 * Copyright (C) Jeremy Allison, 2008
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
21 /* NOTE: This is an experimental module, not yet finished. JRA. */
24 #include "librpc/gen_ndr/xattr.h"
25 #include "librpc/gen_ndr/ndr_xattr.h"
28 #define DBGC_CLASS DBGC_VFS
30 static NTSTATUS create_acl_blob(const struct security_descriptor *psd,
34 #define HASH_SECURITY_INFO (OWNER_SECURITY_INFORMATION | \
35 GROUP_SECURITY_INFORMATION | \
36 DACL_SECURITY_INFORMATION | \
37 SACL_SECURITY_INFORMATION)
39 /*******************************************************************
40 Hash a security descriptor.
41 *******************************************************************/
43 static NTSTATUS hash_sd(struct security_descriptor *psd,
47 struct MD5Context tctx;
50 memset(hash, '\0', 16);
51 status = create_acl_blob(psd, &blob, hash);
52 if (!NT_STATUS_IS_OK(status)) {
56 MD5Update(&tctx, blob.data, blob.length);
57 MD5Final(hash, &tctx);
61 /*******************************************************************
62 Parse out a struct security_descriptor from a DATA_BLOB.
63 *******************************************************************/
65 static NTSTATUS parse_acl_blob(const DATA_BLOB *pblob,
67 struct security_descriptor **ppdesc,
70 TALLOC_CTX *ctx = talloc_tos();
71 struct xattr_NTACL xacl;
72 enum ndr_err_code ndr_err;
75 ndr_err = ndr_pull_struct_blob(pblob, ctx, NULL, &xacl,
76 (ndr_pull_flags_fn_t)ndr_pull_xattr_NTACL);
78 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
79 DEBUG(5, ("parse_acl_blob: ndr_pull_xattr_NTACL failed: %s\n",
80 ndr_errstr(ndr_err)));
81 return ndr_map_error2ntstatus(ndr_err);;
84 if (xacl.version != 2) {
85 return NT_STATUS_REVISION_MISMATCH;
88 *ppdesc = make_sec_desc(ctx, SEC_DESC_REVISION, xacl.info.sd_hs->sd->type | SEC_DESC_SELF_RELATIVE,
89 (security_info & OWNER_SECURITY_INFORMATION)
90 ? xacl.info.sd_hs->sd->owner_sid : NULL,
91 (security_info & GROUP_SECURITY_INFORMATION)
92 ? xacl.info.sd_hs->sd->group_sid : NULL,
93 (security_info & SACL_SECURITY_INFORMATION)
94 ? xacl.info.sd_hs->sd->sacl : NULL,
95 (security_info & DACL_SECURITY_INFORMATION)
96 ? xacl.info.sd_hs->sd->dacl : NULL,
99 memcpy(hash, xacl.info.sd_hs->hash, 16);
100 TALLOC_FREE(xacl.info.sd);
102 return (*ppdesc != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
105 /*******************************************************************
106 Pull a security descriptor into a DATA_BLOB from a xattr.
107 *******************************************************************/
109 static NTSTATUS get_acl_blob(TALLOC_CTX *ctx,
110 vfs_handle_struct *handle,
125 tmp = TALLOC_REALLOC_ARRAY(ctx, val, uint8_t, size);
128 return NT_STATUS_NO_MEMORY;
133 if (fsp && fsp->fh->fd != -1) {
134 sizeret = SMB_VFS_FGETXATTR(fsp, XATTR_NTACL_NAME, val, size);
136 sizeret = SMB_VFS_GETXATTR(handle->conn, name,
137 XATTR_NTACL_NAME, val, size);
144 /* Max ACL size is 65536 bytes. */
147 if ((errno == ERANGE) && (size != 65536)) {
148 /* Too small, try again. */
153 /* Real error - exit here. */
155 return map_nt_error_from_unix(errno);
159 pblob->length = sizeret;
163 /*******************************************************************
164 Create a DATA_BLOB from a security descriptor.
165 *******************************************************************/
167 static NTSTATUS create_acl_blob(const struct security_descriptor *psd,
171 struct xattr_NTACL xacl;
172 struct security_descriptor_hash sd_hs;
173 enum ndr_err_code ndr_err;
174 TALLOC_CTX *ctx = talloc_tos();
180 xacl.info.sd_hs = &sd_hs;
181 xacl.info.sd_hs->sd = CONST_DISCARD(struct security_descriptor *, psd);
182 memcpy(&xacl.info.sd_hs->hash[0], hash, 16);
184 ndr_err = ndr_push_struct_blob(
185 pblob, ctx, NULL, &xacl,
186 (ndr_push_flags_fn_t)ndr_push_xattr_NTACL);
188 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
189 DEBUG(5, ("create_acl_blob: ndr_push_xattr_NTACL failed: %s\n",
190 ndr_errstr(ndr_err)));
191 return ndr_map_error2ntstatus(ndr_err);;
197 /*******************************************************************
198 Store a DATA_BLOB into an xattr given an fsp pointer.
199 *******************************************************************/
201 static NTSTATUS store_acl_blob_fsp(vfs_handle_struct *handle,
208 DEBUG(10,("store_acl_blob_fsp: storing blob length %u on file %s\n",
209 (unsigned int)pblob->length, fsp_str_dbg(fsp)));
212 if (fsp->fh->fd != -1) {
213 ret = SMB_VFS_FSETXATTR(fsp, XATTR_NTACL_NAME,
214 pblob->data, pblob->length, 0);
216 ret = SMB_VFS_SETXATTR(fsp->conn, fsp->fsp_name->base_name,
218 pblob->data, pblob->length, 0);
226 DEBUG(5, ("store_acl_blob_fsp: setting attr failed for file %s"
230 return map_nt_error_from_unix(errno);
235 /*******************************************************************
236 Store a DATA_BLOB into an xattr given a pathname.
237 *******************************************************************/
239 static NTSTATUS store_acl_blob_pathname(vfs_handle_struct *handle,
243 connection_struct *conn = handle->conn;
247 DEBUG(10,("store_acl_blob_pathname: storing blob "
248 "length %u on file %s\n",
249 (unsigned int)pblob->length, fname));
252 ret = SMB_VFS_SETXATTR(conn, fname,
254 pblob->data, pblob->length, 0);
261 DEBUG(5, ("store_acl_blob_pathname: setting attr failed "
262 "for file %s with error %s\n",
265 return map_nt_error_from_unix(errno);
270 /*******************************************************************
271 Store a DATA_BLOB into an xattr given a pathname.
272 *******************************************************************/
274 static NTSTATUS get_nt_acl_xattr_internal(vfs_handle_struct *handle,
277 uint32 security_info,
278 struct security_descriptor **ppdesc)
283 uint8_t hash_tmp[16];
284 struct security_descriptor *pdesc_next = NULL;
286 if (fsp && name == NULL) {
287 name = fsp->fsp_name->base_name;
290 DEBUG(10, ("get_nt_acl_xattr_internal: name=%s\n", name));
292 status = get_acl_blob(talloc_tos(), handle, fsp, name, &blob);
293 if (!NT_STATUS_IS_OK(status)) {
294 DEBUG(10, ("get_acl_blob returned %s\n", nt_errstr(status)));
298 status = parse_acl_blob(&blob, security_info, ppdesc, &hash[0]);
299 if (!NT_STATUS_IS_OK(status)) {
300 DEBUG(10, ("parse_acl_blob returned %s\n",
305 /* If there was no stored hash, don't check. */
306 memset(&hash_tmp[0], '\0', 16);
307 if (memcmp(&hash[0], &hash_tmp[0], 16) == 0) {
308 /* No hash, goto return blob sd. */
312 /* Get the full underlying sd, then hash. */
314 status = SMB_VFS_NEXT_FGET_NT_ACL(handle,
319 status = SMB_VFS_NEXT_GET_NT_ACL(handle,
325 if (!NT_STATUS_IS_OK(status)) {
329 status = hash_sd(pdesc_next, hash_tmp);
330 if (!NT_STATUS_IS_OK(status)) {
334 if (memcmp(&hash[0], &hash_tmp[0], 16) == 0) {
335 TALLOC_FREE(pdesc_next);
336 /* Hash matches, return blob sd. */
340 /* Hash doesn't match, return underlying sd. */
342 if (!(security_info & OWNER_SECURITY_INFORMATION)) {
343 pdesc_next->owner_sid = NULL;
345 if (!(security_info & GROUP_SECURITY_INFORMATION)) {
346 pdesc_next->group_sid = NULL;
348 if (!(security_info & DACL_SECURITY_INFORMATION)) {
349 pdesc_next->dacl = NULL;
351 if (!(security_info & SACL_SECURITY_INFORMATION)) {
352 pdesc_next->sacl = NULL;
355 TALLOC_FREE(*ppdesc);
356 *ppdesc = pdesc_next;
360 TALLOC_FREE(blob.data);
364 /*********************************************************************
365 Create a default security descriptor for a file in case no inheritance
366 exists. All permissions to the owner and SYSTEM.
367 *********************************************************************/
369 static struct security_descriptor *default_file_sd(TALLOC_CTX *mem_ctx,
370 SMB_STRUCT_STAT *psbuf)
372 struct dom_sid owner_sid, group_sid;
374 struct security_ace *pace = NULL;
375 struct security_acl *pacl = NULL;
377 uid_to_sid(&owner_sid, psbuf->st_ex_uid);
378 gid_to_sid(&group_sid, psbuf->st_ex_gid);
380 pace = TALLOC_ARRAY(mem_ctx, struct security_ace, 2);
385 init_sec_ace(&pace[0], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
386 SEC_RIGHTS_FILE_ALL, 0);
387 init_sec_ace(&pace[1], &global_sid_System, SEC_ACE_TYPE_ACCESS_ALLOWED,
388 SEC_RIGHTS_FILE_ALL, 0);
390 pacl = make_sec_acl(mem_ctx,
397 return make_sec_desc(mem_ctx,
398 SECURITY_DESCRIPTOR_REVISION_1,
399 SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
407 /*********************************************************************
408 *********************************************************************/
410 static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
411 struct smb_filename *smb_fname,
415 TALLOC_CTX *ctx = talloc_tos();
417 struct security_descriptor *parent_desc = NULL;
418 struct security_descriptor *psd = NULL;
419 struct security_descriptor *pdesc_next = NULL;
425 if (!parent_dirname(ctx, smb_fname->base_name, &parent_name, NULL)) {
426 return NT_STATUS_NO_MEMORY;
429 DEBUG(10,("inherit_new_acl: check directory %s\n",
432 status = get_nt_acl_xattr_internal(handle,
435 (OWNER_SECURITY_INFORMATION |
436 GROUP_SECURITY_INFORMATION |
437 DACL_SECURITY_INFORMATION),
439 if (NT_STATUS_IS_OK(status)) {
440 /* Create an inherited descriptor from the parent. */
442 if (DEBUGLEVEL >= 10) {
443 DEBUG(10,("inherit_new_acl: parent acl is:\n"));
444 NDR_PRINT_DEBUG(security_descriptor, parent_desc);
447 status = se_create_child_secdesc(ctx,
451 &handle->conn->server_info->ptok->user_sids[PRIMARY_USER_SID_INDEX],
452 &handle->conn->server_info->ptok->user_sids[PRIMARY_GROUP_SID_INDEX],
454 if (!NT_STATUS_IS_OK(status)) {
458 if (DEBUGLEVEL >= 10) {
459 DEBUG(10,("inherit_new_acl: child acl is:\n"));
460 NDR_PRINT_DEBUG(security_descriptor, psd);
464 DEBUG(10,("inherit_new_acl: directory %s failed "
467 nt_errstr(status) ));
470 if (!psd || psd->dacl == NULL) {
474 if (fsp && !fsp->is_directory && fsp->fh->fd != -1) {
475 ret = SMB_VFS_FSTAT(fsp, &smb_fname->st);
477 if (fsp && fsp->posix_open) {
478 ret = SMB_VFS_LSTAT(handle->conn, smb_fname);
480 ret = SMB_VFS_STAT(handle->conn, smb_fname);
484 return map_nt_error_from_unix(errno);
486 psd = default_file_sd(ctx, &smb_fname->st);
488 return NT_STATUS_NO_MEMORY;
491 if (DEBUGLEVEL >= 10) {
492 DEBUG(10,("inherit_new_acl: default acl is:\n"));
493 NDR_PRINT_DEBUG(security_descriptor, psd);
497 /* Object exists. Read the current SD to get the hash. */
499 status = SMB_VFS_NEXT_FGET_NT_ACL(handle,
504 status = SMB_VFS_NEXT_GET_NT_ACL(handle,
505 smb_fname->base_name,
510 if (!NT_STATUS_IS_OK(status)) {
514 status = hash_sd(pdesc_next, hash);
515 if (!NT_STATUS_IS_OK(status)) {
518 status = create_acl_blob(psd, &blob, hash);
519 if (!NT_STATUS_IS_OK(status)) {
523 return store_acl_blob_fsp(handle, fsp, &blob);
525 return store_acl_blob_pathname(handle, smb_fname->base_name,
530 /*********************************************************************
531 Check ACL on open. For new files inherit from parent directory.
532 *********************************************************************/
534 static int open_acl_xattr(vfs_handle_struct *handle,
535 struct smb_filename *smb_fname,
540 uint32_t access_granted = 0;
541 struct security_descriptor *pdesc = NULL;
542 bool file_existed = true;
547 /* Stream open. Base filename open already did the ACL check. */
548 DEBUG(10,("open_acl_xattr: stream open on %s\n",
549 smb_fname_str_dbg(smb_fname) ));
550 return SMB_VFS_NEXT_OPEN(handle, smb_fname, fsp, flags, mode);
553 status = get_full_smb_filename(talloc_tos(), smb_fname,
555 if (!NT_STATUS_IS_OK(status)) {
556 errno = map_errno_from_nt_status(status);
560 status = get_nt_acl_xattr_internal(handle,
563 (OWNER_SECURITY_INFORMATION |
564 GROUP_SECURITY_INFORMATION |
565 DACL_SECURITY_INFORMATION),
567 if (NT_STATUS_IS_OK(status)) {
568 /* See if we can access it. */
569 status = smb1_file_se_access_check(pdesc,
570 handle->conn->server_info->ptok,
573 if (!NT_STATUS_IS_OK(status)) {
574 DEBUG(10,("open_acl_xattr: file %s open "
575 "refused with error %s\n",
576 smb_fname_str_dbg(smb_fname),
577 nt_errstr(status) ));
578 errno = map_errno_from_nt_status(status);
581 } else if (NT_STATUS_EQUAL(status,NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
582 file_existed = false;
585 DEBUG(10,("open_acl_xattr: get_nt_acl_attr_internal for "
586 "file %s returned %s\n",
587 smb_fname_str_dbg(smb_fname),
588 nt_errstr(status) ));
590 fsp->fh->fd = SMB_VFS_NEXT_OPEN(handle, smb_fname, fsp, flags, mode);
592 if (!file_existed && fsp->fh->fd != -1) {
593 /* File was created. Inherit from parent directory. */
594 status = fsp_set_smb_fname(fsp, smb_fname);
595 if (!NT_STATUS_IS_OK(status)) {
596 errno = map_errno_from_nt_status(status);
599 inherit_new_acl(handle, smb_fname, fsp, false);
605 static int mkdir_acl_xattr(vfs_handle_struct *handle, const char *path, mode_t mode)
607 struct smb_filename *smb_fname = NULL;
608 int ret = SMB_VFS_NEXT_MKDIR(handle, path, mode);
615 status = create_synthetic_smb_fname(talloc_tos(), path, NULL, NULL,
617 if (!NT_STATUS_IS_OK(status)) {
618 errno = map_errno_from_nt_status(status);
622 /* New directory - inherit from parent. */
623 inherit_new_acl(handle, smb_fname, NULL, true);
624 TALLOC_FREE(smb_fname);
628 /*********************************************************************
629 Fetch a security descriptor given an fsp.
630 *********************************************************************/
632 static NTSTATUS fget_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
633 uint32 security_info, struct security_descriptor **ppdesc)
635 return get_nt_acl_xattr_internal(handle, fsp,
636 NULL, security_info, ppdesc);
639 /*********************************************************************
640 Fetch a security descriptor given a pathname.
641 *********************************************************************/
643 static NTSTATUS get_nt_acl_xattr(vfs_handle_struct *handle,
644 const char *name, uint32 security_info, struct security_descriptor **ppdesc)
646 return get_nt_acl_xattr_internal(handle, NULL,
647 name, security_info, ppdesc);
650 /*********************************************************************
651 Store a security descriptor given an fsp.
652 *********************************************************************/
654 static NTSTATUS fset_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
655 uint32 security_info_sent, const struct security_descriptor *psd)
659 struct security_descriptor *pdesc_next = NULL;
662 if (DEBUGLEVEL >= 10) {
663 DEBUG(10,("fset_nt_acl_xattr: incoming sd for file %s\n",
665 NDR_PRINT_DEBUG(security_descriptor,
666 CONST_DISCARD(struct security_descriptor *,psd));
669 /* Ensure owner and group are set. */
670 if (!psd->owner_sid || !psd->group_sid) {
672 DOM_SID owner_sid, group_sid;
673 struct security_descriptor *nc_psd = dup_sec_desc(talloc_tos(), psd);
678 if (fsp->is_directory || fsp->fh->fd == -1) {
679 if (fsp->posix_open) {
680 ret = SMB_VFS_LSTAT(fsp->conn, fsp->fsp_name);
682 ret = SMB_VFS_STAT(fsp->conn, fsp->fsp_name);
685 ret = SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st);
688 /* Lower level acl set succeeded,
689 * so still return OK. */
692 create_file_sids(&fsp->fsp_name->st, &owner_sid, &group_sid);
693 /* This is safe as nc_psd is discarded at fn exit. */
694 nc_psd->owner_sid = &owner_sid;
695 nc_psd->group_sid = &group_sid;
696 security_info_sent |= (OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION);
700 status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
701 if (!NT_STATUS_IS_OK(status)) {
705 /* Get the full underlying sd, then hash. */
706 status = SMB_VFS_NEXT_FGET_NT_ACL(handle,
711 if (!NT_STATUS_IS_OK(status)) {
715 status = hash_sd(pdesc_next, hash);
716 if (!NT_STATUS_IS_OK(status)) {
721 if ((security_info_sent & DACL_SECURITY_INFORMATION) &&
723 (psd->type & (SE_DESC_DACL_AUTO_INHERITED|
724 SE_DESC_DACL_AUTO_INHERIT_REQ))==
725 (SE_DESC_DACL_AUTO_INHERITED|
726 SE_DESC_DACL_AUTO_INHERIT_REQ) ) {
727 struct security_descriptor *new_psd = NULL;
728 status = append_parent_acl(fsp, psd, &new_psd);
729 if (!NT_STATUS_IS_OK(status)) {
730 /* Lower level acl set succeeded,
731 * so still return OK. */
738 if (DEBUGLEVEL >= 10) {
739 DEBUG(10,("fset_nt_acl_xattr: storing xattr sd for file %s\n",
741 NDR_PRINT_DEBUG(security_descriptor,
742 CONST_DISCARD(struct security_descriptor *,psd));
744 create_acl_blob(psd, &blob, hash);
745 store_acl_blob_fsp(handle, fsp, &blob);
750 /*********************************************************************
751 Remove a Windows ACL - we're setting the underlying POSIX ACL.
752 *********************************************************************/
754 static int sys_acl_set_file_xattr(vfs_handle_struct *handle,
759 int ret = SMB_VFS_NEXT_SYS_ACL_SET_FILE(handle,
768 SMB_VFS_REMOVEXATTR(handle->conn, name, XATTR_NTACL_NAME);
774 /*********************************************************************
775 Remove a Windows ACL - we're setting the underlying POSIX ACL.
776 *********************************************************************/
778 static int sys_acl_set_fd_xattr(vfs_handle_struct *handle,
782 int ret = SMB_VFS_NEXT_SYS_ACL_SET_FD(handle,
790 SMB_VFS_FREMOVEXATTR(fsp, XATTR_NTACL_NAME);
796 /* VFS operations structure */
798 static vfs_op_tuple skel_op_tuples[] =
800 {SMB_VFS_OP(mkdir_acl_xattr), SMB_VFS_OP_MKDIR, SMB_VFS_LAYER_TRANSPARENT},
801 {SMB_VFS_OP(open_acl_xattr), SMB_VFS_OP_OPEN, SMB_VFS_LAYER_TRANSPARENT},
803 /* NT File ACL operations */
805 {SMB_VFS_OP(fget_nt_acl_xattr),SMB_VFS_OP_FGET_NT_ACL,SMB_VFS_LAYER_TRANSPARENT},
806 {SMB_VFS_OP(get_nt_acl_xattr), SMB_VFS_OP_GET_NT_ACL, SMB_VFS_LAYER_TRANSPARENT},
807 {SMB_VFS_OP(fset_nt_acl_xattr),SMB_VFS_OP_FSET_NT_ACL,SMB_VFS_LAYER_TRANSPARENT},
809 /* POSIX ACL operations. */
810 {SMB_VFS_OP(sys_acl_set_file_xattr), SMB_VFS_OP_SYS_ACL_SET_FILE, SMB_VFS_LAYER_TRANSPARENT},
811 {SMB_VFS_OP(sys_acl_set_fd_xattr), SMB_VFS_OP_SYS_ACL_SET_FD, SMB_VFS_LAYER_TRANSPARENT},
813 {SMB_VFS_OP(NULL), SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP}
816 NTSTATUS vfs_acl_xattr_init(void)
818 return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "acl_xattr", skel_op_tuples);