* Some useful sids
*/
-DOM_SID global_sid_Builtin; /* Local well-known domain */
DOM_SID global_sid_World_Domain; /* Everyone domain */
DOM_SID global_sid_World; /* Everyone */
DOM_SID global_sid_Creator_Owner_Domain; /* Creator Owner domain */
DOM_SID global_sid_NT_Authority; /* NT Authority */
DOM_SID global_sid_NULL; /* NULL sid */
-DOM_SID global_sid_Builtin_Guests; /* Builtin guest users */
DOM_SID global_sid_Authenticated_Users; /* All authenticated rids */
DOM_SID global_sid_Network; /* Network rids */
static DOM_SID global_sid_Creator_Group; /* Creator Group */
static DOM_SID global_sid_Anonymous; /* Anonymous login */
+DOM_SID global_sid_Builtin; /* Local well-known domain */
+DOM_SID global_sid_Builtin_Administrators;
+DOM_SID global_sid_Builtin_Users;
+DOM_SID global_sid_Builtin_Guests; /* Builtin guest users */
+
/*
* An NT compatible anonymous token.
*/
void generate_wellknown_sids(void)
{
string_to_sid(&global_sid_Builtin, "S-1-5-32");
+ string_to_sid(&global_sid_Builtin_Administrators, "S-1-5-32-544");
+ string_to_sid(&global_sid_Builtin_Users, "S-1-5-32-545");
string_to_sid(&global_sid_Builtin_Guests, "S-1-5-32-546");
string_to_sid(&global_sid_World_Domain, "S-1-1");
string_to_sid(&global_sid_World, "S-1-1-0");
#ifdef WITH_SENDFILE
BOOL bUseSendfile;
#endif
+ BOOL bProfileAcls;
+
char dummy[3]; /* for alignment */
}
service;
#ifdef WITH_SENDFILE
False, /* bUseSendfile */
#endif
+ False, /* bProfileAcls */
"" /* dummy */
};
{"nt pipe support", P_BOOL, P_GLOBAL, &Globals.bNTPipeSupport, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"nt acl support", P_BOOL, P_LOCAL, &sDefault.bNTAclSupport, NULL, NULL, FLAG_GLOBAL | FLAG_SHARE | FLAG_ADVANCED | FLAG_WIZARD},
{"nt status support", P_BOOL, P_GLOBAL, &Globals.bNTStatusSupport, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
+ {"profile acls", P_BOOL, P_LOCAL, &sDefault.bProfileAcls, NULL, NULL, FLAG_GLOBAL | FLAG_SHARE | FLAG_ADVANCED | FLAG_WIZARD},
+
{"announce version", P_STRING, P_GLOBAL, &Globals.szAnnounceVersion, NULL, NULL, FLAG_DEVELOPER},
{"announce as", P_ENUM, P_GLOBAL, &Globals.announce_as, NULL, enum_announce_as, FLAG_DEVELOPER},
{"max mux", P_INTEGER, P_GLOBAL, &Globals.max_mux, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
#ifdef WITH_SENDFILE
FN_LOCAL_BOOL(lp_use_sendfile, bUseSendfile)
#endif
+FN_LOCAL_BOOL(lp_profile_acls, bProfileAcls)
FN_LOCAL_INTEGER(lp_create_mask, iCreate_mask)
FN_LOCAL_INTEGER(lp_force_create_mode, iCreate_force_mode)
FN_LOCAL_INTEGER(lp_security_mask, iSecurity_mask)
size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
{
+ extern DOM_SID global_sid_Builtin_Administrators;
+ extern DOM_SID global_sid_Builtin_Users;
connection_struct *conn = fsp->conn;
SMB_STRUCT_STAT sbuf;
SEC_ACE *nt_ace_list = NULL;
SMB_ACL_T dir_acl = NULL;
canon_ace *file_ace = NULL;
canon_ace *dir_ace = NULL;
+ size_t num_profile_acls = 0;
*ppdesc = NULL;
* Get the owner, group and world SIDs.
*/
- create_file_sids(&sbuf, &owner_sid, &group_sid);
+ if (lp_profile_acls(SNUM(fsp->conn))) {
+ /* For WXP SP1 the owner must be administrators. */
+ sid_copy(&owner_sid, &global_sid_Builtin_Administrators);
+ sid_copy(&group_sid, &global_sid_Builtin_Users);
+ num_profile_acls = 2;
+ } else {
+ create_file_sids(&sbuf, &owner_sid, &group_sid);
+ }
/* Create the canon_ace lists. */
file_ace = canonicalise_acl( fsp, posix_acl, &sbuf, &owner_sid, &group_sid);
}
/* Allocate the ace list. */
- if ((nt_ace_list = (SEC_ACE *)malloc((num_acls + num_dir_acls)* sizeof(SEC_ACE))) == NULL) {
+ if ((nt_ace_list = (SEC_ACE *)malloc((num_acls + num_profile_acls + num_dir_acls)* sizeof(SEC_ACE))) == NULL) {
DEBUG(0,("get_nt_acl: Unable to malloc space for nt_ace_list.\n"));
goto done;
}
init_sec_ace(&nt_ace_list[num_aces++], &ace->trustee, nt_acl_type, acc, 0);
}
+ /* The User must have access to a profile share - even if we can't map the SID. */
+ if (lp_profile_acls(SNUM(fsp->conn))) {
+ SEC_ACCESS acc;
+ init_sec_access(&acc,FILE_GENERIC_ALL);
+ init_sec_ace(&nt_ace_list[num_aces++], &global_sid_Builtin_Users, SEC_ACE_TYPE_ACCESS_ALLOWED, acc, 0);
+ }
+
ace = dir_ace;
for (i = 0; i < num_dir_acls; i++, ace = ace->next) {
SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
}
+ /* The User must have access to a profile share - even if we can't map the SID. */
+ if (lp_profile_acls(SNUM(fsp->conn))) {
+ SEC_ACCESS acc;
+ init_sec_access(&acc,FILE_GENERIC_ALL);
+ init_sec_ace(&nt_ace_list[num_aces++], &global_sid_Builtin_Users, SEC_ACE_TYPE_ACCESS_ALLOWED, acc,
+ SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
+ SEC_ACE_FLAG_INHERIT_ONLY);
+ }
+
/*
* Sort to force deny entries to the front.
*/