2 * Convert AFS acls to NT acls and vice versa.
4 * Copyright (C) Volker Lendecke, 2003
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
21 #include "system/filesys.h"
22 #include "smbd/smbd.h"
23 #include "../librpc/gen_ndr/lsa.h"
24 #include "../libcli/security/security.h"
25 #include "../libcli/security/dom_sid.h"
29 #define DBGC_CLASS DBGC_VFS
34 #include <afs/venus.h>
35 #include <afs/prs_fs.h>
39 extern const struct dom_sid global_sid_World;
40 extern const struct dom_sid global_sid_Builtin_Administrators;
41 extern const struct dom_sid global_sid_Builtin_Backup_Operators;
42 extern const struct dom_sid global_sid_Authenticated_Users;
43 extern const struct dom_sid global_sid_NULL;
45 static char space_replacement = '%';
47 /* Do we expect SIDs as pts names? */
54 enum lsa_SidType type;
63 struct afs_ace *acelist;
68 uint16 in_size, out_size;
72 static bool init_afs_acl(struct afs_acl *acl)
75 acl->ctx = talloc_init("afs_acl");
76 if (acl->ctx == NULL) {
77 DEBUG(10, ("Could not init afs_acl"));
83 static void free_afs_acl(struct afs_acl *acl)
86 talloc_destroy(acl->ctx);
92 static struct afs_ace *clone_afs_ace(TALLOC_CTX *mem_ctx, struct afs_ace *ace)
94 struct afs_ace *result = talloc(mem_ctx, struct afs_ace);
102 result->name = talloc_strdup(mem_ctx, ace->name);
104 if (result->name == NULL) {
111 static struct afs_ace *new_afs_ace(TALLOC_CTX *mem_ctx,
113 const char *name, uint32 rights)
116 enum lsa_SidType type;
117 struct afs_ace *result;
119 if (strcmp(name, "system:administrators") == 0) {
121 sid_copy(&sid, &global_sid_Builtin_Administrators);
122 type = SID_NAME_ALIAS;
124 } else if (strcmp(name, "system:anyuser") == 0) {
126 sid_copy(&sid, &global_sid_World);
127 type = SID_NAME_ALIAS;
129 } else if (strcmp(name, "system:authuser") == 0) {
131 sid_copy(&sid, &global_sid_Authenticated_Users);
132 type = SID_NAME_WKN_GRP;
134 } else if (strcmp(name, "system:backup") == 0) {
136 sid_copy(&sid, &global_sid_Builtin_Backup_Operators);
137 type = SID_NAME_ALIAS;
140 /* All PTS users/groups are expressed as SIDs */
142 sid_copy(&sid, &global_sid_NULL);
143 type = SID_NAME_UNKNOWN;
145 if (string_to_sid(&sid, name)) {
146 const char *user, *domain;
147 /* We have to find the type, look up the SID */
148 lookup_sid(talloc_tos(), &sid,
149 &domain, &user, &type);
154 const char *domain, *uname;
157 p = strchr_m(name, *lp_winbind_separator());
162 if (!lookup_name(talloc_tos(), name, LOOKUP_NAME_ALL,
163 &domain, &uname, &sid, &type)) {
164 DEBUG(10, ("Could not find AFS user %s\n", name));
166 sid_copy(&sid, &global_sid_NULL);
167 type = SID_NAME_UNKNOWN;
172 result = talloc(mem_ctx, struct afs_ace);
174 if (result == NULL) {
175 DEBUG(0, ("Could not talloc AFS ace\n"));
179 result->name = talloc_strdup(mem_ctx, name);
180 if (result->name == NULL) {
181 DEBUG(0, ("Could not talloc AFS ace name\n"));
188 result->positive = positive;
189 result->rights = rights;
194 static void add_afs_ace(struct afs_acl *acl,
196 const char *name, uint32 rights)
200 for (ace = acl->acelist; ace != NULL; ace = ace->next) {
201 if ((ace->positive == positive) &&
202 (strequal(ace->name, name))) {
203 ace->rights |= rights;
208 ace = new_afs_ace(acl->ctx, positive, name, rights);
210 ace->next = acl->acelist;
215 DEBUG(10, ("add_afs_ace: Added %s entry for %s with rights %d\n",
216 ace->positive?"positive":"negative",
217 ace->name, ace->rights));
220 /* AFS ACLs in string form are a long string of fields delimited with \n.
222 * First line: Number of positive entries
223 * Second line: Number of negative entries
224 * Third and following lines: The entries themselves
226 * An ACE is a line of two fields, delimited by \t.
229 * Second field: Rights
232 static bool parse_afs_acl(struct afs_acl *acl, const char *acl_str)
240 strlcpy(str, acl_str, MAXSIZE);
242 if (sscanf(p, "%d", &nplus) != 1)
245 DEBUG(10, ("Found %d positive entries\n", nplus));
247 if ((p = strchr(p, '\n')) == NULL)
251 if (sscanf(p, "%d", &nminus) != 1)
254 DEBUG(10, ("Found %d negative entries\n", nminus));
256 if ((p = strchr(p, '\n')) == NULL)
260 for (aces = nplus+nminus; aces > 0; aces--)
270 if ((p = strchr(p, '\t')) == NULL)
275 if (sscanf(p, "%d", &rights) != 1)
278 if ((p = strchr(p, '\n')) == NULL)
282 fstrcpy(name, namep);
284 while ((space = strchr_m(name, space_replacement)) != NULL)
287 add_afs_ace(acl, nplus>0, name, rights);
295 static bool unparse_afs_acl(struct afs_acl *acl, char *acl_str)
297 /* TODO: String length checks!!!! */
302 struct afs_ace *ace = acl->acelist;
306 while (ace != NULL) {
314 fstr_sprintf(line, "%d\n", positives);
315 if (strlcat(acl_str, line, MAXSIZE) >= MAXSIZE) {
319 fstr_sprintf(line, "%d\n", negatives);
320 if (strlcat(acl_str, line, MAXSIZE) >= MAXSIZE) {
326 while (ace != NULL) {
327 fstr_sprintf(line, "%s\t%d\n", ace->name, ace->rights);
328 if (strlcat(acl_str, line, MAXSIZE) >= MAXSIZE) {
336 static uint32 afs_to_nt_file_rights(uint32 rights)
340 if (rights & PRSFS_READ)
341 result |= FILE_READ_DATA | FILE_READ_EA |
342 FILE_EXECUTE | FILE_READ_ATTRIBUTES |
343 READ_CONTROL_ACCESS | SYNCHRONIZE_ACCESS;
345 if (rights & PRSFS_WRITE)
346 result |= FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES |
347 FILE_WRITE_EA | FILE_APPEND_DATA;
349 if (rights & PRSFS_LOCK)
350 result |= WRITE_OWNER_ACCESS;
352 if (rights & PRSFS_DELETE)
353 result |= DELETE_ACCESS;
358 static void afs_to_nt_dir_rights(uint32 afs_rights, uint32 *nt_rights,
362 *flag = SEC_ACE_FLAG_OBJECT_INHERIT |
363 SEC_ACE_FLAG_CONTAINER_INHERIT;
365 if (afs_rights & PRSFS_INSERT)
366 *nt_rights |= FILE_ADD_FILE | FILE_ADD_SUBDIRECTORY;
368 if (afs_rights & PRSFS_LOOKUP)
369 *nt_rights |= FILE_READ_DATA | FILE_READ_EA |
370 FILE_EXECUTE | FILE_READ_ATTRIBUTES |
371 READ_CONTROL_ACCESS | SYNCHRONIZE_ACCESS;
373 if (afs_rights & PRSFS_WRITE)
374 *nt_rights |= FILE_WRITE_ATTRIBUTES | FILE_WRITE_DATA |
375 FILE_APPEND_DATA | FILE_WRITE_EA;
377 if ((afs_rights & (PRSFS_INSERT|PRSFS_LOOKUP|PRSFS_DELETE)) ==
378 (PRSFS_INSERT|PRSFS_LOOKUP|PRSFS_DELETE))
379 *nt_rights |= FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA |
380 GENERIC_WRITE_ACCESS;
382 if (afs_rights & PRSFS_DELETE)
383 *nt_rights |= DELETE_ACCESS;
385 if (afs_rights & PRSFS_ADMINISTER)
386 *nt_rights |= FILE_DELETE_CHILD | WRITE_DAC_ACCESS |
389 if ( (afs_rights & PRSFS_LOOKUP) ==
390 (afs_rights & (PRSFS_LOOKUP|PRSFS_READ)) ) {
391 /* Only lookup right */
392 *flag = SEC_ACE_FLAG_CONTAINER_INHERIT;
396 #define AFS_FILE_RIGHTS (PRSFS_READ|PRSFS_WRITE|PRSFS_LOCK)
397 #define AFS_DIR_RIGHTS (PRSFS_INSERT|PRSFS_LOOKUP|PRSFS_DELETE|PRSFS_ADMINISTER)
399 static void split_afs_acl(struct afs_acl *acl,
400 struct afs_acl *dir_acl,
401 struct afs_acl *file_acl)
405 init_afs_acl(dir_acl);
406 init_afs_acl(file_acl);
408 for (ace = acl->acelist; ace != NULL; ace = ace->next) {
409 if (ace->rights & AFS_FILE_RIGHTS) {
410 add_afs_ace(file_acl, ace->positive, ace->name,
411 ace->rights & AFS_FILE_RIGHTS);
414 if (ace->rights & AFS_DIR_RIGHTS) {
415 add_afs_ace(dir_acl, ace->positive, ace->name,
416 ace->rights & AFS_DIR_RIGHTS);
421 static bool same_principal(struct afs_ace *x, struct afs_ace *y)
423 return ( (x->positive == y->positive) &&
424 (dom_sid_compare(&x->sid, &y->sid) == 0) );
427 static void merge_afs_acls(struct afs_acl *dir_acl,
428 struct afs_acl *file_acl,
429 struct afs_acl *target)
433 init_afs_acl(target);
435 for (ace = dir_acl->acelist; ace != NULL; ace = ace->next) {
436 struct afs_ace *file_ace;
439 for (file_ace = file_acl->acelist;
441 file_ace = file_ace->next) {
442 if (!same_principal(ace, file_ace))
445 add_afs_ace(target, ace->positive, ace->name,
446 ace->rights | file_ace->rights);
451 add_afs_ace(target, ace->positive, ace->name,
455 for (ace = file_acl->acelist; ace != NULL; ace = ace->next) {
456 struct afs_ace *dir_ace;
457 bool already_seen = false;
459 for (dir_ace = dir_acl->acelist;
461 dir_ace = dir_ace->next) {
462 if (!same_principal(ace, dir_ace))
468 add_afs_ace(target, ace->positive, ace->name,
473 #define PERMS_READ 0x001200a9
474 #define PERMS_CHANGE 0x001301bf
475 #define PERMS_FULL 0x001f01ff
477 static struct static_dir_ace_mapping {
485 { 0, SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT,
486 PERMS_FULL, 127 /* rlidwka */ },
489 { 0, SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT,
490 PERMS_CHANGE, 63 /* rlidwk */ },
492 /* Read (including list folder content) */
493 { 0, SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT,
494 PERMS_READ, 9 /* rl */ },
496 /* Read without list folder content -- same as "l" */
497 { 0, SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT,
498 0x00120089, 8 /* l */ },
500 /* some stupid workaround for preventing fallbacks */
501 { 0, 0x3, 0x0012019F, 9 /* rl */ },
502 { 0, 0x13, PERMS_FULL, 127 /* full */ },
504 /* read, delete and execute access plus synchronize */
505 { 0, 0x3, 0x001300A9, 9 /* should be rdl, set to rl */},
506 /* classical read list */
507 { 0, 0x13, 0x001200A9, 9 /* rl */},
508 /* almost full control, no delete */
509 { 0, 0x13, PERMS_CHANGE, 63 /* rwidlk */},
512 { 0, SEC_ACE_FLAG_CONTAINER_INHERIT,
513 PERMS_READ, 8 /* l */ },
515 /* FULL without inheritance -- in all cases here we also get
516 the corresponding INHERIT_ONLY ACE in the same ACL */
517 { 0, 0, PERMS_FULL, 127 /* rlidwka */ },
519 /* FULL inherit only -- counterpart to previous one */
520 { 0, SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY,
521 PERMS_FULL | SEC_GENERIC_WRITE, 127 /* rlidwka */ },
523 /* CHANGE without inheritance -- in all cases here we also get
524 the corresponding INHERIT_ONLY ACE in the same ACL */
525 { 0, 0, PERMS_CHANGE, 63 /* rlidwk */ },
527 /* CHANGE inherit only -- counterpart to previous one */
528 { 0, SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY,
529 PERMS_CHANGE | SEC_GENERIC_WRITE, 63 /* rlidwk */ },
531 /* End marker, hopefully there's no afs right 9999 :-) */
535 static uint32 nt_to_afs_dir_rights(const char *filename, const struct security_ace *ace)
538 uint32 rights = ace->access_mask;
539 uint8 flags = ace->flags;
541 struct static_dir_ace_mapping *m;
543 for (m = &ace_mappings[0]; m->afs_rights != 9999; m++) {
544 if ( (ace->type == m->type) &&
545 (ace->flags == m->flags) &&
546 (ace->access_mask == m->mask) )
547 return m->afs_rights;
550 DEBUG(1, ("AFSACL FALLBACK: 0x%X 0x%X 0x%X %s %X\n",
551 ace->type, ace->flags, ace->access_mask, filename, rights));
553 if (rights & (GENERIC_ALL_ACCESS|WRITE_DAC_ACCESS)) {
554 result |= PRSFS_READ | PRSFS_WRITE | PRSFS_INSERT |
555 PRSFS_LOOKUP | PRSFS_DELETE | PRSFS_LOCK |
559 if (rights & (GENERIC_READ_ACCESS|FILE_READ_DATA)) {
560 result |= PRSFS_LOOKUP;
561 if (flags & SEC_ACE_FLAG_OBJECT_INHERIT) {
562 result |= PRSFS_READ;
566 if (rights & (GENERIC_WRITE_ACCESS|FILE_WRITE_DATA)) {
567 result |= PRSFS_INSERT | PRSFS_DELETE;
568 if (flags & SEC_ACE_FLAG_OBJECT_INHERIT) {
569 result |= PRSFS_WRITE | PRSFS_LOCK;
576 static uint32 nt_to_afs_file_rights(const char *filename, const struct security_ace *ace)
579 uint32 rights = ace->access_mask;
581 if (rights & (GENERIC_READ_ACCESS|FILE_READ_DATA)) {
582 result |= PRSFS_READ;
585 if (rights & (GENERIC_WRITE_ACCESS|FILE_WRITE_DATA)) {
586 result |= PRSFS_WRITE | PRSFS_LOCK;
592 static size_t afs_to_nt_acl_common(struct afs_acl *afs_acl,
593 SMB_STRUCT_STAT *psbuf,
594 uint32 security_info,
596 struct security_descriptor **ppdesc)
598 struct security_ace *nt_ace_list;
599 struct dom_sid owner_sid, group_sid;
600 struct security_acl *psa = NULL;
604 struct afs_ace *afs_ace;
606 uid_to_sid(&owner_sid, psbuf->st_ex_uid);
607 gid_to_sid(&group_sid, psbuf->st_ex_gid);
609 if (afs_acl->num_aces) {
610 nt_ace_list = talloc_array(mem_ctx, struct security_ace, afs_acl->num_aces);
612 if (nt_ace_list == NULL)
618 afs_ace = afs_acl->acelist;
621 while (afs_ace != NULL) {
623 uint8 flag = SEC_ACE_FLAG_OBJECT_INHERIT |
624 SEC_ACE_FLAG_CONTAINER_INHERIT;
626 if (afs_ace->type == SID_NAME_UNKNOWN) {
627 DEBUG(10, ("Ignoring unknown name %s\n",
629 afs_ace = afs_ace->next;
633 if (S_ISDIR(psbuf->st_ex_mode))
634 afs_to_nt_dir_rights(afs_ace->rights, &nt_rights,
637 nt_rights = afs_to_nt_file_rights(afs_ace->rights);
639 init_sec_ace(&nt_ace_list[good_aces++], &(afs_ace->sid),
640 SEC_ACE_TYPE_ACCESS_ALLOWED, nt_rights, flag);
641 afs_ace = afs_ace->next;
644 psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION,
645 good_aces, nt_ace_list);
649 *ppdesc = make_sec_desc(mem_ctx, SD_REVISION,
650 SEC_DESC_SELF_RELATIVE,
651 (security_info & SECINFO_OWNER)
653 (security_info & SECINFO_GROUP)
655 NULL, psa, &sd_size);
660 static size_t afs_to_nt_acl(struct afs_acl *afs_acl,
661 struct connection_struct *conn,
662 struct smb_filename *smb_fname,
663 uint32 security_info,
665 struct security_descriptor **ppdesc)
669 /* Get the stat struct for the owner info. */
670 if (lp_posix_pathnames()) {
671 ret = SMB_VFS_LSTAT(conn, smb_fname);
673 ret = SMB_VFS_STAT(conn, smb_fname);
679 return afs_to_nt_acl_common(afs_acl, &smb_fname->st, security_info,
683 static size_t afs_fto_nt_acl(struct afs_acl *afs_acl,
684 struct files_struct *fsp,
685 uint32 security_info,
687 struct security_descriptor **ppdesc)
689 SMB_STRUCT_STAT sbuf;
691 if (fsp->fh->fd == -1) {
692 /* Get the stat struct for the owner info. */
693 return afs_to_nt_acl(afs_acl, fsp->conn, fsp->fsp_name,
694 security_info, mem_ctx, ppdesc);
697 if(SMB_VFS_FSTAT(fsp, &sbuf) != 0) {
701 return afs_to_nt_acl_common(afs_acl, &sbuf, security_info,
705 static bool mappable_sid(const struct dom_sid *sid)
707 struct dom_sid domain_sid;
709 if (dom_sid_compare(sid, &global_sid_Builtin_Administrators) == 0)
712 if (dom_sid_compare(sid, &global_sid_World) == 0)
715 if (dom_sid_compare(sid, &global_sid_Authenticated_Users) == 0)
718 if (dom_sid_compare(sid, &global_sid_Builtin_Backup_Operators) == 0)
721 string_to_sid(&domain_sid, "S-1-5-21");
723 if (sid_compare_domain(sid, &domain_sid) == 0)
729 static bool nt_to_afs_acl(const char *filename,
730 uint32 security_info_sent,
731 const struct security_descriptor *psd,
732 uint32 (*nt_to_afs_rights)(const char *filename,
733 const struct security_ace *ace),
734 struct afs_acl *afs_acl)
736 const struct security_acl *dacl;
739 /* Currently we *only* look at the dacl */
741 if (((security_info_sent & SECINFO_DACL) == 0) ||
745 if (!init_afs_acl(afs_acl))
750 for (i = 0; i < dacl->num_aces; i++) {
751 const struct security_ace *ace = &(dacl->aces[i]);
752 const char *dom_name, *name;
753 enum lsa_SidType name_type;
756 if (ace->type != SEC_ACE_TYPE_ACCESS_ALLOWED) {
757 /* First cut: Only positive ACEs */
761 if (!mappable_sid(&ace->trustee)) {
762 DEBUG(10, ("Ignoring unmappable SID %s\n",
763 sid_string_dbg(&ace->trustee)));
767 if (dom_sid_compare(&ace->trustee,
768 &global_sid_Builtin_Administrators) == 0) {
770 name = "system:administrators";
772 } else if (dom_sid_compare(&ace->trustee,
773 &global_sid_World) == 0) {
775 name = "system:anyuser";
777 } else if (dom_sid_compare(&ace->trustee,
778 &global_sid_Authenticated_Users) == 0) {
780 name = "system:authuser";
782 } else if (dom_sid_compare(&ace->trustee,
783 &global_sid_Builtin_Backup_Operators)
786 name = "system:backup";
790 if (!lookup_sid(talloc_tos(), &ace->trustee,
791 &dom_name, &name, &name_type)) {
792 DEBUG(1, ("AFSACL: Could not lookup SID %s on file %s\n",
793 sid_string_dbg(&ace->trustee),
798 if ( (name_type == SID_NAME_USER) ||
799 (name_type == SID_NAME_DOM_GRP) ||
800 (name_type == SID_NAME_ALIAS) ) {
802 tmp = talloc_asprintf(talloc_tos(), "%s%s%s",
803 dom_name, lp_winbind_separator(),
808 if (!strlower_m(tmp)) {
815 /* Expect all users/groups in pts as SIDs */
816 name = talloc_strdup(
818 sid_string_tos(&ace->trustee));
825 while ((p = strchr_m(name, ' ')) != NULL)
826 *p = space_replacement;
828 add_afs_ace(afs_acl, true, name,
829 nt_to_afs_rights(filename, ace));
835 static bool afs_get_afs_acl(const char *filename, struct afs_acl *acl)
843 DEBUG(5, ("afs_get_afs_acl: %s\n", filename));
846 iob.out_size = MAXSIZE;
847 iob.in = iob.out = space;
849 ret = afs_syscall(AFSCALL_PIOCTL, filename, VIOCGETAL,
853 DEBUG(1, ("got error from PIOCTL: %d\n", ret));
857 if (!init_afs_acl(acl))
860 if (!parse_afs_acl(acl, space)) {
861 DEBUG(1, ("Could not parse AFS acl\n"));
869 /* For setting an AFS ACL we have to take care of the ACEs we could
870 * not properly map to SIDs. Merge all of them into the new ACL. */
872 static void merge_unknown_aces(struct afs_acl *src, struct afs_acl *dst)
876 for (ace = src->acelist; ace != NULL; ace = ace->next)
878 struct afs_ace *copy;
880 if (ace->type != SID_NAME_UNKNOWN) {
881 DEBUG(10, ("Not merging known ACE for %s\n",
886 DEBUG(10, ("Merging unknown ACE for %s\n", ace->name));
888 copy = clone_afs_ace(dst->ctx, ace);
891 DEBUG(0, ("Could not clone ACE for %s\n", ace->name));
895 copy->next = dst->acelist;
901 static NTSTATUS afs_set_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
902 uint32 security_info_sent,
903 const struct security_descriptor *psd)
905 struct afs_acl old_afs_acl, new_afs_acl;
906 struct afs_acl dir_acl, file_acl;
907 char acl_string[MAXSIZE];
911 const char *fileacls;
913 fileacls = lp_parm_const_string(SNUM(handle->conn), "afsacl", "fileacls",
916 sidpts = lp_parm_bool(SNUM(handle->conn), "afsacl", "sidpts", false);
918 ZERO_STRUCT(old_afs_acl);
919 ZERO_STRUCT(new_afs_acl);
920 ZERO_STRUCT(dir_acl);
921 ZERO_STRUCT(file_acl);
923 name = talloc_strdup(talloc_tos(), fsp->fsp_name->base_name);
925 return NT_STATUS_NO_MEMORY;
928 if (!fsp->is_directory) {
929 /* We need to get the name of the directory containing the
930 * file, this is where the AFS acls live */
931 char *p = strrchr(name, '/');
935 name = talloc_strdup(talloc_tos(), ".");
937 return NT_STATUS_NO_MEMORY;
942 if (!afs_get_afs_acl(name, &old_afs_acl)) {
943 DEBUG(3, ("Could not get old ACL of %s\n", fsp_str_dbg(fsp)));
947 split_afs_acl(&old_afs_acl, &dir_acl, &file_acl);
949 if (fsp->is_directory) {
951 if (!strequal(fileacls, "yes")) {
952 /* Throw away file acls, we depend on the
953 * inheritance ACEs that also give us file
955 free_afs_acl(&file_acl);
958 free_afs_acl(&dir_acl);
959 if (!nt_to_afs_acl(fsp->fsp_name->base_name,
960 security_info_sent, psd,
961 nt_to_afs_dir_rights, &dir_acl))
964 if (strequal(fileacls, "no")) {
969 if (strequal(fileacls, "ignore")) {
974 free_afs_acl(&file_acl);
975 if (!nt_to_afs_acl(fsp->fsp_name->base_name,
976 security_info_sent, psd,
977 nt_to_afs_file_rights, &file_acl))
981 merge_afs_acls(&dir_acl, &file_acl, &new_afs_acl);
983 merge_unknown_aces(&old_afs_acl, &new_afs_acl);
985 unparse_afs_acl(&new_afs_acl, acl_string);
988 iob.in_size = 1+strlen(iob.in);
992 DEBUG(10, ("trying to set acl '%s' on file %s\n", iob.in, name));
994 ret = afs_syscall(AFSCALL_PIOCTL, name, VIOCSETAL, (char *)&iob, 0);
997 DEBUG(10, ("VIOCSETAL returned %d\n", ret));
1001 free_afs_acl(&dir_acl);
1002 free_afs_acl(&file_acl);
1003 free_afs_acl(&old_afs_acl);
1004 free_afs_acl(&new_afs_acl);
1006 return (ret == 0) ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
1009 static NTSTATUS afsacl_fget_nt_acl(struct vfs_handle_struct *handle,
1010 struct files_struct *fsp,
1011 uint32 security_info,
1012 TALLOC_CTX *mem_ctx,
1013 struct security_descriptor **ppdesc)
1018 DEBUG(5, ("afsacl_fget_nt_acl: %s\n", fsp_str_dbg(fsp)));
1020 sidpts = lp_parm_bool(SNUM(fsp->conn), "afsacl", "sidpts", false);
1022 if (!afs_get_afs_acl(fsp->fsp_name->base_name, &acl)) {
1023 return NT_STATUS_ACCESS_DENIED;
1026 sd_size = afs_fto_nt_acl(&acl, fsp, security_info, mem_ctx, ppdesc);
1030 return (sd_size != 0) ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
1033 static NTSTATUS afsacl_get_nt_acl(struct vfs_handle_struct *handle,
1034 const char *name, uint32 security_info,
1035 TALLOC_CTX *mem_ctx,
1036 struct security_descriptor **ppdesc)
1040 struct smb_filename *smb_fname = NULL;
1043 DEBUG(5, ("afsacl_get_nt_acl: %s\n", name));
1045 sidpts = lp_parm_bool(SNUM(handle->conn), "afsacl", "sidpts", false);
1047 if (!afs_get_afs_acl(name, &acl)) {
1048 return NT_STATUS_ACCESS_DENIED;
1051 smb_fname = synthetic_smb_fname(talloc_tos(), name, NULL, NULL);
1052 if (smb_fname == NULL) {
1054 return NT_STATUS_NO_MEMORY;
1057 sd_size = afs_to_nt_acl(&acl, handle->conn, smb_fname, security_info,
1059 TALLOC_FREE(smb_fname);
1063 return (sd_size != 0) ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
1066 NTSTATUS afsacl_fset_nt_acl(vfs_handle_struct *handle,
1068 uint32 security_info_sent,
1069 const struct security_descriptor *psd)
1071 return afs_set_nt_acl(handle, fsp, security_info_sent, psd);
1074 static int afsacl_connect(vfs_handle_struct *handle,
1075 const char *service,
1079 int ret = SMB_VFS_NEXT_CONNECT(handle, service, user);
1085 spc = lp_parm_const_string(SNUM(handle->conn), "afsacl", "space", "%");
1088 space_replacement = spc[0];
1093 /* We don't have a linear form of the AFS ACL yet */
1094 static int afsacl_sys_acl_blob_get_file(vfs_handle_struct *handle, const char *path_p, TALLOC_CTX *mem_ctx, char **blob_description, DATA_BLOB *blob)
1100 /* We don't have a linear form of the AFS ACL yet */
1101 static int afsacl_sys_acl_blob_get_fd(vfs_handle_struct *handle, files_struct *fsp, TALLOC_CTX *mem_ctx, char **blob_description, DATA_BLOB *blob)
1107 static struct vfs_fn_pointers vfs_afsacl_fns = {
1108 .connect_fn = afsacl_connect,
1109 .fget_nt_acl_fn = afsacl_fget_nt_acl,
1110 .get_nt_acl_fn = afsacl_get_nt_acl,
1111 .fset_nt_acl_fn = afsacl_fset_nt_acl,
1112 .sys_acl_blob_get_file_fn = afsacl_sys_acl_blob_get_file,
1113 .sys_acl_blob_get_fd_fn = afsacl_sys_acl_blob_get_fd
1116 NTSTATUS vfs_afsacl_init(void);
1117 NTSTATUS vfs_afsacl_init(void)
1119 return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "afsacl",