s3: smbd: Reformat users of can_write_to_file().
[samba.git] / source3 / smbd / posix_acls.c
1 /*
2    Unix SMB/CIFS implementation.
3    SMB NT Security Descriptor / Unix permission conversion.
4    Copyright (C) Jeremy Allison 1994-2009.
5    Copyright (C) Andreas Gruenbacher 2002.
6    Copyright (C) Simo Sorce <idra@samba.org> 2009.
7
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "smbd/smbd.h"
24 #include "system/filesys.h"
25 #include "../libcli/security/security.h"
26 #include "trans2.h"
27 #include "passdb/lookup_sid.h"
28 #include "auth.h"
29 #include "../librpc/gen_ndr/idmap.h"
30 #include "../librpc/gen_ndr/ndr_smb_acl.h"
31 #include "lib/param/loadparm.h"
32
33 extern const struct generic_mapping file_generic_mapping;
34
35 #undef  DBGC_CLASS
36 #define DBGC_CLASS DBGC_ACLS
37
38 /****************************************************************************
39  Data structures representing the internal ACE format.
40 ****************************************************************************/
41
42 enum ace_owner {UID_ACE, GID_ACE, WORLD_ACE};
43 enum ace_attribute {ALLOW_ACE, DENY_ACE}; /* Used for incoming NT ACLS. */
44
45 typedef struct canon_ace {
46         struct canon_ace *next, *prev;
47         SMB_ACL_TAG_T type;
48         mode_t perms; /* Only use S_I(R|W|X)USR mode bits here. */
49         struct dom_sid trustee;
50         enum ace_owner owner_type;
51         enum ace_attribute attr;
52         struct unixid unix_ug;
53         uint8_t ace_flags; /* From windows ACE entry. */
54 } canon_ace;
55
56 #define ALL_ACE_PERMS (S_IRUSR|S_IWUSR|S_IXUSR)
57
58 /*
59  * EA format of user.SAMBA_PAI (Samba_Posix_Acl_Interitance)
60  * attribute on disk - version 1.
61  * All values are little endian.
62  *
63  * |  1   |  1   |   2         |         2           |  ....
64  * +------+------+-------------+---------------------+-------------+--------------------+
65  * | vers | flag | num_entries | num_default_entries | ..entries.. | default_entries... |
66  * +------+------+-------------+---------------------+-------------+--------------------+
67  *
68  * Entry format is :
69  *
70  * |  1   |       4           |
71  * +------+-------------------+
72  * | value|  uid/gid or world |
73  * | type |  value            |
74  * +------+-------------------+
75  *
76  * Version 2 format. Stores extra Windows metadata about an ACL.
77  *
78  * |  1   |  2       |   2         |         2           |  ....
79  * +------+----------+-------------+---------------------+-------------+--------------------+
80  * | vers | ace      | num_entries | num_default_entries | ..entries.. | default_entries... |
81  * |   2  |  type    |             |                     |             |                    |
82  * +------+----------+-------------+---------------------+-------------+--------------------+
83  *
84  * Entry format is :
85  *
86  * |  1   |  1   |       4           |
87  * +------+------+-------------------+
88  * | ace  | value|  uid/gid or world |
89  * | flag | type |  value            |
90  * +------+-------------------+------+
91  *
92  */
93
94 #define PAI_VERSION_OFFSET                      0
95
96 #define PAI_V1_FLAG_OFFSET                      1
97 #define PAI_V1_NUM_ENTRIES_OFFSET               2
98 #define PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET       4
99 #define PAI_V1_ENTRIES_BASE                     6
100 #define PAI_V1_ACL_FLAG_PROTECTED               0x1
101 #define PAI_V1_ENTRY_LENGTH                     5
102
103 #define PAI_V1_VERSION                          1
104
105 #define PAI_V2_TYPE_OFFSET                      1
106 #define PAI_V2_NUM_ENTRIES_OFFSET               3
107 #define PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET       5
108 #define PAI_V2_ENTRIES_BASE                     7
109 #define PAI_V2_ENTRY_LENGTH                     6
110
111 #define PAI_V2_VERSION                          2
112
113 /*
114  * In memory format of user.SAMBA_PAI attribute.
115  */
116
117 struct pai_entry {
118         struct pai_entry *next, *prev;
119         uint8_t ace_flags;
120         enum ace_owner owner_type;
121         struct unixid unix_ug;
122 };
123
124 struct pai_val {
125         uint16_t sd_type;
126         unsigned int num_entries;
127         struct pai_entry *entry_list;
128         unsigned int num_def_entries;
129         struct pai_entry *def_entry_list;
130 };
131
132 /************************************************************************
133  Return a uint32_t of the pai_entry principal.
134 ************************************************************************/
135
136 static uint32_t get_pai_entry_val(struct pai_entry *paie)
137 {
138         switch (paie->owner_type) {
139                 case UID_ACE:
140                         DEBUG(10,("get_pai_entry_val: uid = %u\n", (unsigned int)paie->unix_ug.id ));
141                         return (uint32_t)paie->unix_ug.id;
142                 case GID_ACE:
143                         DEBUG(10,("get_pai_entry_val: gid = %u\n", (unsigned int)paie->unix_ug.id ));
144                         return (uint32_t)paie->unix_ug.id;
145                 case WORLD_ACE:
146                 default:
147                         DEBUG(10,("get_pai_entry_val: world ace\n"));
148                         return (uint32_t)-1;
149         }
150 }
151
152 /************************************************************************
153  Return a uint32_t of the entry principal.
154 ************************************************************************/
155
156 static uint32_t get_entry_val(canon_ace *ace_entry)
157 {
158         switch (ace_entry->owner_type) {
159                 case UID_ACE:
160                         DEBUG(10,("get_entry_val: uid = %u\n", (unsigned int)ace_entry->unix_ug.id ));
161                         return (uint32_t)ace_entry->unix_ug.id;
162                 case GID_ACE:
163                         DEBUG(10,("get_entry_val: gid = %u\n", (unsigned int)ace_entry->unix_ug.id ));
164                         return (uint32_t)ace_entry->unix_ug.id;
165                 case WORLD_ACE:
166                 default:
167                         DEBUG(10,("get_entry_val: world ace\n"));
168                         return (uint32_t)-1;
169         }
170 }
171
172 /************************************************************************
173  Create the on-disk format (always v2 now). Caller must free.
174 ************************************************************************/
175
176 static char *create_pai_buf_v2(canon_ace *file_ace_list,
177                                 canon_ace *dir_ace_list,
178                                 uint16_t sd_type,
179                                 size_t *store_size)
180 {
181         char *pai_buf = NULL;
182         canon_ace *ace_list = NULL;
183         char *entry_offset = NULL;
184         unsigned int num_entries = 0;
185         unsigned int num_def_entries = 0;
186         unsigned int i;
187
188         for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next) {
189                 num_entries++;
190         }
191
192         for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next) {
193                 num_def_entries++;
194         }
195
196         DEBUG(10,("create_pai_buf_v2: num_entries = %u, num_def_entries = %u\n", num_entries, num_def_entries ));
197
198         *store_size = PAI_V2_ENTRIES_BASE +
199                 ((num_entries + num_def_entries)*PAI_V2_ENTRY_LENGTH);
200
201         pai_buf = talloc_array(talloc_tos(), char, *store_size);
202         if (!pai_buf) {
203                 return NULL;
204         }
205
206         /* Set up the header. */
207         memset(pai_buf, '\0', PAI_V2_ENTRIES_BASE);
208         SCVAL(pai_buf,PAI_VERSION_OFFSET,PAI_V2_VERSION);
209         SSVAL(pai_buf,PAI_V2_TYPE_OFFSET, sd_type);
210         SSVAL(pai_buf,PAI_V2_NUM_ENTRIES_OFFSET,num_entries);
211         SSVAL(pai_buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET,num_def_entries);
212
213         DEBUG(10,("create_pai_buf_v2: sd_type = 0x%x\n",
214                         (unsigned int)sd_type ));
215
216         entry_offset = pai_buf + PAI_V2_ENTRIES_BASE;
217
218         i = 0;
219         for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next) {
220                 uint8_t type_val = (uint8_t)ace_list->owner_type;
221                 uint32_t entry_val = get_entry_val(ace_list);
222
223                 SCVAL(entry_offset,0,ace_list->ace_flags);
224                 SCVAL(entry_offset,1,type_val);
225                 SIVAL(entry_offset,2,entry_val);
226                 DEBUG(10,("create_pai_buf_v2: entry %u [0x%x] [0x%x] [0x%x]\n",
227                         i,
228                         (unsigned int)ace_list->ace_flags,
229                         (unsigned int)type_val,
230                         (unsigned int)entry_val ));
231                 i++;
232                 entry_offset += PAI_V2_ENTRY_LENGTH;
233         }
234
235         for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next) {
236                 uint8_t type_val = (uint8_t)ace_list->owner_type;
237                 uint32_t entry_val = get_entry_val(ace_list);
238
239                 SCVAL(entry_offset,0,ace_list->ace_flags);
240                 SCVAL(entry_offset,1,type_val);
241                 SIVAL(entry_offset,2,entry_val);
242                 DEBUG(10,("create_pai_buf_v2: entry %u [0x%x] [0x%x] [0x%x]\n",
243                         i,
244                         (unsigned int)ace_list->ace_flags,
245                         (unsigned int)type_val,
246                         (unsigned int)entry_val ));
247                 i++;
248                 entry_offset += PAI_V2_ENTRY_LENGTH;
249         }
250
251         return pai_buf;
252 }
253
254 /************************************************************************
255  Store the user.SAMBA_PAI attribute on disk.
256 ************************************************************************/
257
258 static void store_inheritance_attributes(files_struct *fsp,
259                                         canon_ace *file_ace_list,
260                                         canon_ace *dir_ace_list,
261                                         uint16_t sd_type)
262 {
263         int ret;
264         size_t store_size;
265         char *pai_buf;
266
267         if (!lp_map_acl_inherit(SNUM(fsp->conn))) {
268                 return;
269         }
270
271         pai_buf = create_pai_buf_v2(file_ace_list, dir_ace_list,
272                                 sd_type, &store_size);
273
274         if (fsp->fh->fd != -1) {
275                 ret = SMB_VFS_FSETXATTR(fsp, SAMBA_POSIX_INHERITANCE_EA_NAME,
276                                 pai_buf, store_size, 0);
277         } else {
278                 ret = SMB_VFS_SETXATTR(fsp->conn, fsp->fsp_name,
279                                        SAMBA_POSIX_INHERITANCE_EA_NAME,
280                                        pai_buf, store_size, 0);
281         }
282
283         TALLOC_FREE(pai_buf);
284
285         DEBUG(10,("store_inheritance_attribute: type 0x%x for file %s\n",
286                 (unsigned int)sd_type,
287                 fsp_str_dbg(fsp)));
288
289         if (ret == -1 && !no_acl_syscall_error(errno)) {
290                 DEBUG(1,("store_inheritance_attribute: Error %s\n", strerror(errno) ));
291         }
292 }
293
294 /************************************************************************
295  Delete the in memory inheritance info.
296 ************************************************************************/
297
298 static void free_inherited_info(struct pai_val *pal)
299 {
300         if (pal) {
301                 struct pai_entry *paie, *paie_next;
302                 for (paie = pal->entry_list; paie; paie = paie_next) {
303                         paie_next = paie->next;
304                         TALLOC_FREE(paie);
305                 }
306                 for (paie = pal->def_entry_list; paie; paie = paie_next) {
307                         paie_next = paie->next;
308                         TALLOC_FREE(paie);
309                 }
310                 TALLOC_FREE(pal);
311         }
312 }
313
314 /************************************************************************
315  Get any stored ACE flags.
316 ************************************************************************/
317
318 static uint16_t get_pai_flags(struct pai_val *pal, canon_ace *ace_entry, bool default_ace)
319 {
320         struct pai_entry *paie;
321
322         if (!pal) {
323                 return 0;
324         }
325
326         /* If the entry exists it is inherited. */
327         for (paie = (default_ace ? pal->def_entry_list : pal->entry_list); paie; paie = paie->next) {
328                 if (ace_entry->owner_type == paie->owner_type &&
329                                 get_entry_val(ace_entry) == get_pai_entry_val(paie))
330                         return paie->ace_flags;
331         }
332         return 0;
333 }
334
335 /************************************************************************
336  Ensure an attribute just read is valid - v1.
337 ************************************************************************/
338
339 static bool check_pai_ok_v1(const char *pai_buf, size_t pai_buf_data_size)
340 {
341         uint16_t num_entries;
342         uint16_t num_def_entries;
343
344         if (pai_buf_data_size < PAI_V1_ENTRIES_BASE) {
345                 /* Corrupted - too small. */
346                 return false;
347         }
348
349         if (CVAL(pai_buf,PAI_VERSION_OFFSET) != PAI_V1_VERSION) {
350                 return false;
351         }
352
353         num_entries = SVAL(pai_buf,PAI_V1_NUM_ENTRIES_OFFSET);
354         num_def_entries = SVAL(pai_buf,PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET);
355
356         /* Check the entry lists match. */
357         /* Each entry is 5 bytes (type plus 4 bytes of uid or gid). */
358
359         if (((num_entries + num_def_entries)*PAI_V1_ENTRY_LENGTH) +
360                         PAI_V1_ENTRIES_BASE != pai_buf_data_size) {
361                 return false;
362         }
363
364         return true;
365 }
366
367 /************************************************************************
368  Ensure an attribute just read is valid - v2.
369 ************************************************************************/
370
371 static bool check_pai_ok_v2(const char *pai_buf, size_t pai_buf_data_size)
372 {
373         uint16_t num_entries;
374         uint16_t num_def_entries;
375
376         if (pai_buf_data_size < PAI_V2_ENTRIES_BASE) {
377                 /* Corrupted - too small. */
378                 return false;
379         }
380
381         if (CVAL(pai_buf,PAI_VERSION_OFFSET) != PAI_V2_VERSION) {
382                 return false;
383         }
384
385         num_entries = SVAL(pai_buf,PAI_V2_NUM_ENTRIES_OFFSET);
386         num_def_entries = SVAL(pai_buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET);
387
388         /* Check the entry lists match. */
389         /* Each entry is 6 bytes (flags + type + 4 bytes of uid or gid). */
390
391         if (((num_entries + num_def_entries)*PAI_V2_ENTRY_LENGTH) +
392                         PAI_V2_ENTRIES_BASE != pai_buf_data_size) {
393                 return false;
394         }
395
396         return true;
397 }
398
399 /************************************************************************
400  Decode the owner.
401 ************************************************************************/
402
403 static bool get_pai_owner_type(struct pai_entry *paie, const char *entry_offset)
404 {
405         paie->owner_type = (enum ace_owner)CVAL(entry_offset,0);
406         switch( paie->owner_type) {
407                 case UID_ACE:
408                         paie->unix_ug.type = ID_TYPE_UID;
409                         paie->unix_ug.id = (uid_t)IVAL(entry_offset,1);
410                         DEBUG(10,("get_pai_owner_type: uid = %u\n",
411                                 (unsigned int)paie->unix_ug.id ));
412                         break;
413                 case GID_ACE:
414                         paie->unix_ug.type = ID_TYPE_GID;
415                         paie->unix_ug.id = (gid_t)IVAL(entry_offset,1);
416                         DEBUG(10,("get_pai_owner_type: gid = %u\n",
417                                 (unsigned int)paie->unix_ug.id ));
418                         break;
419                 case WORLD_ACE:
420                         paie->unix_ug.type = ID_TYPE_NOT_SPECIFIED;
421                         paie->unix_ug.id = -1;
422                         DEBUG(10,("get_pai_owner_type: world ace\n"));
423                         break;
424                 default:
425                         DEBUG(10,("get_pai_owner_type: unknown type %u\n",
426                                 (unsigned int)paie->owner_type ));
427                         return false;
428         }
429         return true;
430 }
431
432 /************************************************************************
433  Process v2 entries.
434 ************************************************************************/
435
436 static const char *create_pai_v1_entries(struct pai_val *paiv,
437                                 const char *entry_offset,
438                                 bool def_entry)
439 {
440         unsigned int i;
441
442         for (i = 0; i < paiv->num_entries; i++) {
443                 struct pai_entry *paie = talloc(talloc_tos(), struct pai_entry);
444                 if (!paie) {
445                         return NULL;
446                 }
447
448                 paie->ace_flags = SEC_ACE_FLAG_INHERITED_ACE;
449                 if (!get_pai_owner_type(paie, entry_offset)) {
450                         TALLOC_FREE(paie);
451                         return NULL;
452                 }
453
454                 if (!def_entry) {
455                         DLIST_ADD(paiv->entry_list, paie);
456                 } else {
457                         DLIST_ADD(paiv->def_entry_list, paie);
458                 }
459                 entry_offset += PAI_V1_ENTRY_LENGTH;
460         }
461         return entry_offset;
462 }
463
464 /************************************************************************
465  Convert to in-memory format from version 1.
466 ************************************************************************/
467
468 static struct pai_val *create_pai_val_v1(const char *buf, size_t size)
469 {
470         const char *entry_offset;
471         struct pai_val *paiv = NULL;
472
473         if (!check_pai_ok_v1(buf, size)) {
474                 return NULL;
475         }
476
477         paiv = talloc(talloc_tos(), struct pai_val);
478         if (!paiv) {
479                 return NULL;
480         }
481
482         memset(paiv, '\0', sizeof(struct pai_val));
483
484         paiv->sd_type = (CVAL(buf,PAI_V1_FLAG_OFFSET) == PAI_V1_ACL_FLAG_PROTECTED) ?
485                         SEC_DESC_DACL_PROTECTED : 0;
486
487         paiv->num_entries = SVAL(buf,PAI_V1_NUM_ENTRIES_OFFSET);
488         paiv->num_def_entries = SVAL(buf,PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET);
489
490         entry_offset = buf + PAI_V1_ENTRIES_BASE;
491
492         DEBUG(10,("create_pai_val: num_entries = %u, num_def_entries = %u\n",
493                         paiv->num_entries, paiv->num_def_entries ));
494
495         entry_offset = create_pai_v1_entries(paiv, entry_offset, false);
496         if (entry_offset == NULL) {
497                 free_inherited_info(paiv);
498                 return NULL;
499         }
500         entry_offset = create_pai_v1_entries(paiv, entry_offset, true);
501         if (entry_offset == NULL) {
502                 free_inherited_info(paiv);
503                 return NULL;
504         }
505
506         return paiv;
507 }
508
509 /************************************************************************
510  Process v2 entries.
511 ************************************************************************/
512
513 static const char *create_pai_v2_entries(struct pai_val *paiv,
514                                 unsigned int num_entries,
515                                 const char *entry_offset,
516                                 bool def_entry)
517 {
518         unsigned int i;
519
520         for (i = 0; i < num_entries; i++) {
521                 struct pai_entry *paie = talloc(talloc_tos(), struct pai_entry);
522                 if (!paie) {
523                         return NULL;
524                 }
525
526                 paie->ace_flags = CVAL(entry_offset,0);
527
528                 if (!get_pai_owner_type(paie, entry_offset+1)) {
529                         TALLOC_FREE(paie);
530                         return NULL;
531                 }
532                 if (!def_entry) {
533                         DLIST_ADD(paiv->entry_list, paie);
534                 } else {
535                         DLIST_ADD(paiv->def_entry_list, paie);
536                 }
537                 entry_offset += PAI_V2_ENTRY_LENGTH;
538         }
539         return entry_offset;
540 }
541
542 /************************************************************************
543  Convert to in-memory format from version 2.
544 ************************************************************************/
545
546 static struct pai_val *create_pai_val_v2(const char *buf, size_t size)
547 {
548         const char *entry_offset;
549         struct pai_val *paiv = NULL;
550
551         if (!check_pai_ok_v2(buf, size)) {
552                 return NULL;
553         }
554
555         paiv = talloc(talloc_tos(), struct pai_val);
556         if (!paiv) {
557                 return NULL;
558         }
559
560         memset(paiv, '\0', sizeof(struct pai_val));
561
562         paiv->sd_type = SVAL(buf,PAI_V2_TYPE_OFFSET);
563
564         paiv->num_entries = SVAL(buf,PAI_V2_NUM_ENTRIES_OFFSET);
565         paiv->num_def_entries = SVAL(buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET);
566
567         entry_offset = buf + PAI_V2_ENTRIES_BASE;
568
569         DEBUG(10,("create_pai_val_v2: sd_type = 0x%x num_entries = %u, num_def_entries = %u\n",
570                         (unsigned int)paiv->sd_type,
571                         paiv->num_entries, paiv->num_def_entries ));
572
573         entry_offset = create_pai_v2_entries(paiv, paiv->num_entries,
574                                 entry_offset, false);
575         if (entry_offset == NULL) {
576                 free_inherited_info(paiv);
577                 return NULL;
578         }
579         entry_offset = create_pai_v2_entries(paiv, paiv->num_def_entries,
580                                 entry_offset, true);
581         if (entry_offset == NULL) {
582                 free_inherited_info(paiv);
583                 return NULL;
584         }
585
586         return paiv;
587 }
588
589 /************************************************************************
590  Convert to in-memory format - from either version 1 or 2.
591 ************************************************************************/
592
593 static struct pai_val *create_pai_val(const char *buf, size_t size)
594 {
595         if (size < 1) {
596                 return NULL;
597         }
598         if (CVAL(buf,PAI_VERSION_OFFSET) == PAI_V1_VERSION) {
599                 return create_pai_val_v1(buf, size);
600         } else if (CVAL(buf,PAI_VERSION_OFFSET) == PAI_V2_VERSION) {
601                 return create_pai_val_v2(buf, size);
602         } else {
603                 return NULL;
604         }
605 }
606
607 /************************************************************************
608  Load the user.SAMBA_PAI attribute.
609 ************************************************************************/
610
611 static struct pai_val *fload_inherited_info(files_struct *fsp)
612 {
613         char *pai_buf;
614         size_t pai_buf_size = 1024;
615         struct pai_val *paiv = NULL;
616         ssize_t ret;
617
618         if (!lp_map_acl_inherit(SNUM(fsp->conn))) {
619                 return NULL;
620         }
621
622         if ((pai_buf = talloc_array(talloc_tos(), char, pai_buf_size)) == NULL) {
623                 return NULL;
624         }
625
626         do {
627                 if (fsp->fh->fd != -1) {
628                         ret = SMB_VFS_FGETXATTR(fsp, SAMBA_POSIX_INHERITANCE_EA_NAME,
629                                         pai_buf, pai_buf_size);
630                 } else {
631                         ret = SMB_VFS_GETXATTR(fsp->conn,
632                                                fsp->fsp_name,
633                                                SAMBA_POSIX_INHERITANCE_EA_NAME,
634                                                pai_buf, pai_buf_size);
635                 }
636
637                 if (ret == -1) {
638                         if (errno != ERANGE) {
639                                 break;
640                         }
641                         /* Buffer too small - enlarge it. */
642                         pai_buf_size *= 2;
643                         TALLOC_FREE(pai_buf);
644                         if (pai_buf_size > 1024*1024) {
645                                 return NULL; /* Limit malloc to 1mb. */
646                         }
647                         if ((pai_buf = talloc_array(talloc_tos(), char, pai_buf_size)) == NULL)
648                                 return NULL;
649                 }
650         } while (ret == -1);
651
652         DEBUG(10,("load_inherited_info: ret = %lu for file %s\n",
653                   (unsigned long)ret, fsp_str_dbg(fsp)));
654
655         if (ret == -1) {
656                 /* No attribute or not supported. */
657 #if defined(ENOATTR)
658                 if (errno != ENOATTR)
659                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
660 #else
661                 if (errno != ENOSYS)
662                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
663 #endif
664                 TALLOC_FREE(pai_buf);
665                 return NULL;
666         }
667
668         paiv = create_pai_val(pai_buf, ret);
669
670         if (paiv) {
671                 DEBUG(10,("load_inherited_info: ACL type is 0x%x for file %s\n",
672                           (unsigned int)paiv->sd_type, fsp_str_dbg(fsp)));
673         }
674
675         TALLOC_FREE(pai_buf);
676         return paiv;
677 }
678
679 /************************************************************************
680  Load the user.SAMBA_PAI attribute.
681 ************************************************************************/
682
683 static struct pai_val *load_inherited_info(const struct connection_struct *conn,
684                                            const struct smb_filename *smb_fname)
685 {
686         char *pai_buf;
687         size_t pai_buf_size = 1024;
688         struct pai_val *paiv = NULL;
689         ssize_t ret;
690
691         if (!lp_map_acl_inherit(SNUM(conn))) {
692                 return NULL;
693         }
694
695         if ((pai_buf = talloc_array(talloc_tos(), char, pai_buf_size)) == NULL) {
696                 return NULL;
697         }
698
699         do {
700                 ret = SMB_VFS_GETXATTR(conn, smb_fname,
701                                        SAMBA_POSIX_INHERITANCE_EA_NAME,
702                                        pai_buf, pai_buf_size);
703
704                 if (ret == -1) {
705                         if (errno != ERANGE) {
706                                 break;
707                         }
708                         /* Buffer too small - enlarge it. */
709                         pai_buf_size *= 2;
710                         TALLOC_FREE(pai_buf);
711                         if (pai_buf_size > 1024*1024) {
712                                 return NULL; /* Limit malloc to 1mb. */
713                         }
714                         if ((pai_buf = talloc_array(talloc_tos(), char, pai_buf_size)) == NULL)
715                                 return NULL;
716                 }
717         } while (ret == -1);
718
719         DEBUG(10,("load_inherited_info: ret = %lu for file %s\n",
720                         (unsigned long)ret, smb_fname->base_name));
721
722         if (ret == -1) {
723                 /* No attribute or not supported. */
724 #if defined(ENOATTR)
725                 if (errno != ENOATTR)
726                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
727 #else
728                 if (errno != ENOSYS)
729                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
730 #endif
731                 TALLOC_FREE(pai_buf);
732                 return NULL;
733         }
734
735         paiv = create_pai_val(pai_buf, ret);
736
737         if (paiv) {
738                 DEBUG(10,("load_inherited_info: ACL type 0x%x for file %s\n",
739                         (unsigned int)paiv->sd_type,
740                         smb_fname->base_name));
741         }
742
743         TALLOC_FREE(pai_buf);
744         return paiv;
745 }
746
747 /****************************************************************************
748  Functions to manipulate the internal ACE format.
749 ****************************************************************************/
750
751 /****************************************************************************
752  Count a linked list of canonical ACE entries.
753 ****************************************************************************/
754
755 static size_t count_canon_ace_list( canon_ace *l_head )
756 {
757         size_t count = 0;
758         canon_ace *ace;
759
760         for (ace = l_head; ace; ace = ace->next)
761                 count++;
762
763         return count;
764 }
765
766 /****************************************************************************
767  Free a linked list of canonical ACE entries.
768 ****************************************************************************/
769
770 static void free_canon_ace_list( canon_ace *l_head )
771 {
772         canon_ace *list, *next;
773
774         for (list = l_head; list; list = next) {
775                 next = list->next;
776                 DLIST_REMOVE(l_head, list);
777                 TALLOC_FREE(list);
778         }
779 }
780
781 /****************************************************************************
782  Function to duplicate a canon_ace entry.
783 ****************************************************************************/
784
785 static canon_ace *dup_canon_ace( canon_ace *src_ace)
786 {
787         canon_ace *dst_ace = talloc(talloc_tos(), canon_ace);
788
789         if (dst_ace == NULL)
790                 return NULL;
791
792         *dst_ace = *src_ace;
793         dst_ace->prev = dst_ace->next = NULL;
794         return dst_ace;
795 }
796
797 /****************************************************************************
798  Print out a canon ace.
799 ****************************************************************************/
800
801 static void print_canon_ace(canon_ace *pace, int num)
802 {
803         struct dom_sid_buf buf;
804         dbgtext( "canon_ace index %d. Type = %s ", num, pace->attr == ALLOW_ACE ? "allow" : "deny" );
805         dbgtext( "SID = %s ", dom_sid_str_buf(&pace->trustee, &buf));
806         if (pace->owner_type == UID_ACE) {
807                 dbgtext( "uid %u ", (unsigned int)pace->unix_ug.id);
808         } else if (pace->owner_type == GID_ACE) {
809                 dbgtext( "gid %u ", (unsigned int)pace->unix_ug.id);
810         } else
811                 dbgtext( "other ");
812         switch (pace->type) {
813                 case SMB_ACL_USER:
814                         dbgtext( "SMB_ACL_USER ");
815                         break;
816                 case SMB_ACL_USER_OBJ:
817                         dbgtext( "SMB_ACL_USER_OBJ ");
818                         break;
819                 case SMB_ACL_GROUP:
820                         dbgtext( "SMB_ACL_GROUP ");
821                         break;
822                 case SMB_ACL_GROUP_OBJ:
823                         dbgtext( "SMB_ACL_GROUP_OBJ ");
824                         break;
825                 case SMB_ACL_OTHER:
826                         dbgtext( "SMB_ACL_OTHER ");
827                         break;
828                 default:
829                         dbgtext( "MASK " );
830                         break;
831         }
832
833         dbgtext( "ace_flags = 0x%x ", (unsigned int)pace->ace_flags);
834         dbgtext( "perms ");
835         dbgtext( "%c", pace->perms & S_IRUSR ? 'r' : '-');
836         dbgtext( "%c", pace->perms & S_IWUSR ? 'w' : '-');
837         dbgtext( "%c\n", pace->perms & S_IXUSR ? 'x' : '-');
838 }
839
840 /****************************************************************************
841  Print out a canon ace list.
842 ****************************************************************************/
843
844 static void print_canon_ace_list(const char *name, canon_ace *ace_list)
845 {
846         int count = 0;
847
848         if( DEBUGLVL( 10 )) {
849                 dbgtext( "print_canon_ace_list: %s\n", name );
850                 for (;ace_list; ace_list = ace_list->next, count++)
851                         print_canon_ace(ace_list, count );
852         }
853 }
854
855 /****************************************************************************
856  Map POSIX ACL perms to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
857 ****************************************************************************/
858
859 static mode_t convert_permset_to_mode_t(SMB_ACL_PERMSET_T permset)
860 {
861         mode_t ret = 0;
862
863         ret |= (sys_acl_get_perm(permset, SMB_ACL_READ) ? S_IRUSR : 0);
864         ret |= (sys_acl_get_perm(permset, SMB_ACL_WRITE) ? S_IWUSR : 0);
865         ret |= (sys_acl_get_perm(permset, SMB_ACL_EXECUTE) ? S_IXUSR : 0);
866
867         return ret;
868 }
869
870 /****************************************************************************
871  Map generic UNIX permissions to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
872 ****************************************************************************/
873
874 mode_t unix_perms_to_acl_perms(mode_t mode, int r_mask, int w_mask, int x_mask)
875 {
876         mode_t ret = 0;
877
878         if (mode & r_mask)
879                 ret |= S_IRUSR;
880         if (mode & w_mask)
881                 ret |= S_IWUSR;
882         if (mode & x_mask)
883                 ret |= S_IXUSR;
884
885         return ret;
886 }
887
888 /****************************************************************************
889  Map canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits) to
890  an SMB_ACL_PERMSET_T.
891 ****************************************************************************/
892
893 int map_acl_perms_to_permset(mode_t mode, SMB_ACL_PERMSET_T *p_permset)
894 {
895         if (sys_acl_clear_perms(*p_permset) ==  -1)
896                 return -1;
897         if (mode & S_IRUSR) {
898                 if (sys_acl_add_perm(*p_permset, SMB_ACL_READ) == -1)
899                         return -1;
900         }
901         if (mode & S_IWUSR) {
902                 if (sys_acl_add_perm(*p_permset, SMB_ACL_WRITE) == -1)
903                         return -1;
904         }
905         if (mode & S_IXUSR) {
906                 if (sys_acl_add_perm(*p_permset, SMB_ACL_EXECUTE) == -1)
907                         return -1;
908         }
909         return 0;
910 }
911
912 /****************************************************************************
913  Function to create owner and group SIDs from a SMB_STRUCT_STAT.
914 ****************************************************************************/
915
916 static void create_file_sids(const SMB_STRUCT_STAT *psbuf,
917                              struct dom_sid *powner_sid,
918                              struct dom_sid *pgroup_sid)
919 {
920         uid_to_sid( powner_sid, psbuf->st_ex_uid );
921         gid_to_sid( pgroup_sid, psbuf->st_ex_gid );
922 }
923
924 /****************************************************************************
925  Merge aces with a common UID or GID - if both are allow or deny, OR the permissions together and
926  delete the second one. If the first is deny, mask the permissions off and delete the allow
927  if the permissions become zero, delete the deny if the permissions are non zero.
928 ****************************************************************************/
929
930 static void merge_aces( canon_ace **pp_list_head, bool dir_acl)
931 {
932         canon_ace *l_head = *pp_list_head;
933         canon_ace *curr_ace_outer;
934         canon_ace *curr_ace_outer_next;
935
936         /*
937          * First, merge allow entries with identical SIDs, and deny entries
938          * with identical SIDs.
939          */
940
941         for (curr_ace_outer = l_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
942                 canon_ace *curr_ace;
943                 canon_ace *curr_ace_next;
944
945                 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
946
947                 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
948                         bool can_merge = false;
949
950                         curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
951
952                         /* For file ACLs we can merge if the SIDs and ALLOW/DENY
953                          * types are the same. For directory acls we must also
954                          * ensure the POSIX ACL types are the same.
955                          *
956                          * For the IDMAP_BOTH case, we must not merge
957                          * the UID and GID ACE values for same SID
958                          */
959
960                         if (!dir_acl) {
961                                 can_merge = (curr_ace->unix_ug.id == curr_ace_outer->unix_ug.id &&
962                                              curr_ace->owner_type == curr_ace_outer->owner_type &&
963                                              (curr_ace->attr == curr_ace_outer->attr));
964                         } else {
965                                 can_merge = (curr_ace->unix_ug.id == curr_ace_outer->unix_ug.id &&
966                                              curr_ace->owner_type == curr_ace_outer->owner_type &&
967                                              (curr_ace->type == curr_ace_outer->type) &&
968                                              (curr_ace->attr == curr_ace_outer->attr));
969                         }
970
971                         if (can_merge) {
972                                 if( DEBUGLVL( 10 )) {
973                                         dbgtext("merge_aces: Merging ACE's\n");
974                                         print_canon_ace( curr_ace_outer, 0);
975                                         print_canon_ace( curr_ace, 0);
976                                 }
977
978                                 /* Merge two allow or two deny ACE's. */
979
980                                 /* Theoretically we shouldn't merge a dir ACE if
981                                  * one ACE has the CI flag set, and the other
982                                  * ACE has the OI flag set, but this is rare
983                                  * enough we can ignore it. */
984
985                                 curr_ace_outer->perms |= curr_ace->perms;
986                                 curr_ace_outer->ace_flags |= curr_ace->ace_flags;
987                                 DLIST_REMOVE(l_head, curr_ace);
988                                 TALLOC_FREE(curr_ace);
989                                 curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
990                         }
991                 }
992         }
993
994         /*
995          * Now go through and mask off allow permissions with deny permissions.
996          * We can delete either the allow or deny here as we know that each SID
997          * appears only once in the list.
998          */
999
1000         for (curr_ace_outer = l_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
1001                 canon_ace *curr_ace;
1002                 canon_ace *curr_ace_next;
1003
1004                 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
1005
1006                 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
1007
1008                         curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
1009
1010                         /*
1011                          * Subtract ACE's with different entries. Due to the ordering constraints
1012                          * we've put on the ACL, we know the deny must be the first one.
1013                          */
1014
1015                         if (curr_ace->unix_ug.id == curr_ace_outer->unix_ug.id &&
1016                             (curr_ace->owner_type == curr_ace_outer->owner_type) &&
1017                             (curr_ace_outer->attr == DENY_ACE) && (curr_ace->attr == ALLOW_ACE)) {
1018
1019                                 if( DEBUGLVL( 10 )) {
1020                                         dbgtext("merge_aces: Masking ACE's\n");
1021                                         print_canon_ace( curr_ace_outer, 0);
1022                                         print_canon_ace( curr_ace, 0);
1023                                 }
1024
1025                                 curr_ace->perms &= ~curr_ace_outer->perms;
1026
1027                                 if (curr_ace->perms == 0) {
1028
1029                                         /*
1030                                          * The deny overrides the allow. Remove the allow.
1031                                          */
1032
1033                                         DLIST_REMOVE(l_head, curr_ace);
1034                                         TALLOC_FREE(curr_ace);
1035                                         curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
1036
1037                                 } else {
1038
1039                                         /*
1040                                          * Even after removing permissions, there
1041                                          * are still allow permissions - delete the deny.
1042                                          * It is safe to delete the deny here,
1043                                          * as we are guarenteed by the deny first
1044                                          * ordering that all the deny entries for
1045                                          * this SID have already been merged into one
1046                                          * before we can get to an allow ace.
1047                                          */
1048
1049                                         DLIST_REMOVE(l_head, curr_ace_outer);
1050                                         TALLOC_FREE(curr_ace_outer);
1051                                         break;
1052                                 }
1053                         }
1054
1055                 } /* end for curr_ace */
1056         } /* end for curr_ace_outer */
1057
1058         /* We may have modified the list. */
1059
1060         *pp_list_head = l_head;
1061 }
1062
1063 /****************************************************************************
1064  Map canon_ace perms to permission bits NT.
1065  The attr element is not used here - we only process deny entries on set,
1066  not get. Deny entries are implicit on get with ace->perms = 0.
1067 ****************************************************************************/
1068
1069 uint32_t map_canon_ace_perms(int snum,
1070                                 enum security_ace_type *pacl_type,
1071                                 mode_t perms,
1072                                 bool directory_ace)
1073 {
1074         uint32_t nt_mask = 0;
1075
1076         *pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED;
1077
1078         if (lp_acl_map_full_control(snum) && ((perms & ALL_ACE_PERMS) == ALL_ACE_PERMS)) {
1079                 if (directory_ace) {
1080                         nt_mask = UNIX_DIRECTORY_ACCESS_RWX;
1081                 } else {
1082                         nt_mask = (UNIX_ACCESS_RWX & ~DELETE_ACCESS);
1083                 }
1084         } else if ((perms & ALL_ACE_PERMS) == (mode_t)0) {
1085                 /*
1086                  * Windows NT refuses to display ACEs with no permissions in them (but
1087                  * they are perfectly legal with Windows 2000). If the ACE has empty
1088                  * permissions we cannot use 0, so we use the otherwise unused
1089                  * WRITE_OWNER permission, which we ignore when we set an ACL.
1090                  * We abstract this into a #define of UNIX_ACCESS_NONE to allow this
1091                  * to be changed in the future.
1092                  */
1093
1094                 nt_mask = 0;
1095         } else {
1096                 if (directory_ace) {
1097                         nt_mask |= ((perms & S_IRUSR) ? UNIX_DIRECTORY_ACCESS_R : 0 );
1098                         nt_mask |= ((perms & S_IWUSR) ? UNIX_DIRECTORY_ACCESS_W : 0 );
1099                         nt_mask |= ((perms & S_IXUSR) ? UNIX_DIRECTORY_ACCESS_X : 0 );
1100                 } else {
1101                         nt_mask |= ((perms & S_IRUSR) ? UNIX_ACCESS_R : 0 );
1102                         nt_mask |= ((perms & S_IWUSR) ? UNIX_ACCESS_W : 0 );
1103                         nt_mask |= ((perms & S_IXUSR) ? UNIX_ACCESS_X : 0 );
1104                 }
1105         }
1106
1107         if ((perms & S_IWUSR) && lp_dos_filemode(snum)) {
1108                 nt_mask |= (SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|DELETE_ACCESS);
1109         }
1110
1111         DEBUG(10,("map_canon_ace_perms: Mapped (UNIX) %x to (NT) %x\n",
1112                         (unsigned int)perms, (unsigned int)nt_mask ));
1113
1114         return nt_mask;
1115 }
1116
1117 /****************************************************************************
1118  Map NT perms to a UNIX mode_t.
1119 ****************************************************************************/
1120
1121 #define FILE_SPECIFIC_READ_BITS (FILE_READ_DATA|FILE_READ_EA)
1122 #define FILE_SPECIFIC_WRITE_BITS (FILE_WRITE_DATA|FILE_APPEND_DATA|FILE_WRITE_EA)
1123 #define FILE_SPECIFIC_EXECUTE_BITS (FILE_EXECUTE)
1124
1125 static mode_t map_nt_perms( uint32_t *mask, int type)
1126 {
1127         mode_t mode = 0;
1128
1129         switch(type) {
1130         case S_IRUSR:
1131                 if((*mask) & GENERIC_ALL_ACCESS)
1132                         mode = S_IRUSR|S_IWUSR|S_IXUSR;
1133                 else {
1134                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRUSR : 0;
1135                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWUSR : 0;
1136                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXUSR : 0;
1137                 }
1138                 break;
1139         case S_IRGRP:
1140                 if((*mask) & GENERIC_ALL_ACCESS)
1141                         mode = S_IRGRP|S_IWGRP|S_IXGRP;
1142                 else {
1143                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRGRP : 0;
1144                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWGRP : 0;
1145                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXGRP : 0;
1146                 }
1147                 break;
1148         case S_IROTH:
1149                 if((*mask) & GENERIC_ALL_ACCESS)
1150                         mode = S_IROTH|S_IWOTH|S_IXOTH;
1151                 else {
1152                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IROTH : 0;
1153                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWOTH : 0;
1154                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXOTH : 0;
1155                 }
1156                 break;
1157         }
1158
1159         return mode;
1160 }
1161
1162 /****************************************************************************
1163  Unpack a struct security_descriptor into a UNIX owner and group.
1164 ****************************************************************************/
1165
1166 NTSTATUS unpack_nt_owners(struct connection_struct *conn,
1167                         uid_t *puser, gid_t *pgrp,
1168                         uint32_t security_info_sent, const struct
1169                         security_descriptor *psd)
1170 {
1171         *puser = (uid_t)-1;
1172         *pgrp = (gid_t)-1;
1173
1174         if(security_info_sent == 0) {
1175                 DEBUG(0,("unpack_nt_owners: no security info sent !\n"));
1176                 return NT_STATUS_OK;
1177         }
1178
1179         /*
1180          * Validate the owner and group SID's.
1181          */
1182
1183         DEBUG(5,("unpack_nt_owners: validating owner_sids.\n"));
1184
1185         /*
1186          * Don't immediately fail if the owner sid cannot be validated.
1187          * This may be a group chown only set.
1188          */
1189
1190         if (security_info_sent & SECINFO_OWNER) {
1191                 if (!sid_to_uid(psd->owner_sid, puser)) {
1192                         if (lp_force_unknown_acl_user(SNUM(conn))) {
1193                                 /* this allows take ownership to work
1194                                  * reasonably */
1195                                 *puser = get_current_uid(conn);
1196                         } else {
1197                                 struct dom_sid_buf buf;
1198                                 DBG_NOTICE("unable to validate"
1199                                            " owner sid for %s\n",
1200                                            dom_sid_str_buf(psd->owner_sid,
1201                                                            &buf));
1202                                 return NT_STATUS_INVALID_OWNER;
1203                         }
1204                 }
1205                 DEBUG(3,("unpack_nt_owners: owner sid mapped to uid %u\n",
1206                          (unsigned int)*puser ));
1207         }
1208
1209         /*
1210          * Don't immediately fail if the group sid cannot be validated.
1211          * This may be an owner chown only set.
1212          */
1213
1214         if (security_info_sent & SECINFO_GROUP) {
1215                 if (!sid_to_gid(psd->group_sid, pgrp)) {
1216                         if (lp_force_unknown_acl_user(SNUM(conn))) {
1217                                 /* this allows take group ownership to work
1218                                  * reasonably */
1219                                 *pgrp = get_current_gid(conn);
1220                         } else {
1221                                 DEBUG(3,("unpack_nt_owners: unable to validate"
1222                                          " group sid.\n"));
1223                                 return NT_STATUS_INVALID_OWNER;
1224                         }
1225                 }
1226                 DEBUG(3,("unpack_nt_owners: group sid mapped to gid %u\n",
1227                          (unsigned int)*pgrp));
1228         }
1229
1230         DEBUG(5,("unpack_nt_owners: owner_sids validated.\n"));
1231
1232         return NT_STATUS_OK;
1233 }
1234
1235
1236 static void trim_ace_perms(canon_ace *pace)
1237 {
1238         pace->perms = pace->perms & (S_IXUSR|S_IWUSR|S_IRUSR);
1239 }
1240
1241 static void ensure_minimal_owner_ace_perms(const bool is_directory,
1242                                            canon_ace *pace)
1243 {
1244         pace->perms |= S_IRUSR;
1245         if (is_directory) {
1246                 pace->perms |= (S_IWUSR|S_IXUSR);
1247         }
1248 }
1249
1250 /****************************************************************************
1251  Check if a given uid/SID is in a group gid/SID. This is probably very
1252  expensive and will need optimisation. A *lot* of optimisation :-). JRA.
1253 ****************************************************************************/
1254
1255 static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, canon_ace *group_ace )
1256 {
1257         bool is_sid = false;
1258         bool has_sid = false;
1259         struct security_token *security_token = NULL;
1260
1261         /* "Everyone" always matches every uid. */
1262
1263         if (dom_sid_equal(&group_ace->trustee, &global_sid_World))
1264                 return True;
1265
1266         /*
1267          * if we have session info in conn, we already have the (SID
1268          * based) NT token and don't need to do the complex
1269          * user_in_group_sid() call
1270          */
1271         if (conn->session_info) {
1272                 security_token = conn->session_info->security_token;
1273                 /* security_token should not be NULL */
1274                 SMB_ASSERT(security_token);
1275                 is_sid = security_token_is_sid(security_token,
1276                                                &uid_ace->trustee);
1277                 if (is_sid) {
1278                         has_sid = security_token_has_sid(security_token,
1279                                                          &group_ace->trustee);
1280
1281                         if (has_sid) {
1282                                 return true;
1283                         }
1284                 }
1285
1286         }
1287
1288         /*
1289          * if it's the current user, we already have the unix token
1290          * and don't need to do the complex user_in_group_sid() call
1291          */
1292         if (uid_ace->unix_ug.id == get_current_uid(conn)) {
1293                 const struct security_unix_token *curr_utok = NULL;
1294                 size_t i;
1295
1296                 if (group_ace->unix_ug.id == get_current_gid(conn)) {
1297                         return True;
1298                 }
1299
1300                 curr_utok = get_current_utok(conn);
1301                 for (i=0; i < curr_utok->ngroups; i++) {
1302                         if (group_ace->unix_ug.id == curr_utok->groups[i]) {
1303                                 return True;
1304                         }
1305                 }
1306         }
1307
1308         /*
1309          * user_in_group_sid() uses create_token_from_sid()
1310          * which creates an artificial NT token given just a username,
1311          * so this is not reliable for users from foreign domains
1312          * exported by winbindd!
1313          */
1314         return user_sid_in_group_sid(&uid_ace->trustee, &group_ace->trustee);
1315 }
1316
1317 /****************************************************************************
1318  A well formed POSIX file or default ACL has at least 3 entries, a
1319  SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ.
1320  In addition, the owner must always have at least read access.
1321  When using this call on get_acl, the pst struct is valid and contains
1322  the mode of the file.
1323 ****************************************************************************/
1324
1325 static bool ensure_canon_entry_valid_on_get(connection_struct *conn,
1326                                         canon_ace **pp_ace,
1327                                         const struct dom_sid *pfile_owner_sid,
1328                                         const struct dom_sid *pfile_grp_sid,
1329                                         const SMB_STRUCT_STAT *pst)
1330 {
1331         canon_ace *pace;
1332         bool got_user = false;
1333         bool got_group = false;
1334         bool got_other = false;
1335
1336         for (pace = *pp_ace; pace; pace = pace->next) {
1337                 if (pace->type == SMB_ACL_USER_OBJ) {
1338                         got_user = true;
1339                 } else if (pace->type == SMB_ACL_GROUP_OBJ) {
1340                         got_group = true;
1341                 } else if (pace->type == SMB_ACL_OTHER) {
1342                         got_other = true;
1343                 }
1344         }
1345
1346         if (!got_user) {
1347                 if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
1348                         DEBUG(0,("malloc fail.\n"));
1349                         return false;
1350                 }
1351
1352                 ZERO_STRUCTP(pace);
1353                 pace->type = SMB_ACL_USER_OBJ;
1354                 pace->owner_type = UID_ACE;
1355                 pace->unix_ug.type = ID_TYPE_UID;
1356                 pace->unix_ug.id = pst->st_ex_uid;
1357                 pace->trustee = *pfile_owner_sid;
1358                 pace->attr = ALLOW_ACE;
1359                 pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRUSR, S_IWUSR, S_IXUSR);
1360                 DLIST_ADD(*pp_ace, pace);
1361         }
1362
1363         if (!got_group) {
1364                 if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
1365                         DEBUG(0,("malloc fail.\n"));
1366                         return false;
1367                 }
1368
1369                 ZERO_STRUCTP(pace);
1370                 pace->type = SMB_ACL_GROUP_OBJ;
1371                 pace->owner_type = GID_ACE;
1372                 pace->unix_ug.type = ID_TYPE_GID;
1373                 pace->unix_ug.id = pst->st_ex_gid;
1374                 pace->trustee = *pfile_grp_sid;
1375                 pace->attr = ALLOW_ACE;
1376                 pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRGRP, S_IWGRP, S_IXGRP);
1377                 DLIST_ADD(*pp_ace, pace);
1378         }
1379
1380         if (!got_other) {
1381                 if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
1382                         DEBUG(0,("malloc fail.\n"));
1383                         return false;
1384                 }
1385
1386                 ZERO_STRUCTP(pace);
1387                 pace->type = SMB_ACL_OTHER;
1388                 pace->owner_type = WORLD_ACE;
1389                 pace->unix_ug.type = ID_TYPE_NOT_SPECIFIED;
1390                 pace->unix_ug.id = -1;
1391                 pace->trustee = global_sid_World;
1392                 pace->attr = ALLOW_ACE;
1393                 pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IROTH, S_IWOTH, S_IXOTH);
1394                 DLIST_ADD(*pp_ace, pace);
1395         }
1396
1397         return true;
1398 }
1399
1400 /****************************************************************************
1401  A well formed POSIX file or default ACL has at least 3 entries, a
1402  SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ.
1403  In addition, the owner must always have at least read access.
1404  When using this call on set_acl, the pst struct has
1405  been modified to have a mode containing the default for this file or directory
1406  type.
1407 ****************************************************************************/
1408
1409 static bool ensure_canon_entry_valid_on_set(connection_struct *conn,
1410                                         canon_ace **pp_ace,
1411                                         bool is_default_acl,
1412                                         const struct share_params *params,
1413                                         const bool is_directory,
1414                                         const struct dom_sid *pfile_owner_sid,
1415                                         const struct dom_sid *pfile_grp_sid,
1416                                         const SMB_STRUCT_STAT *pst)
1417 {
1418         canon_ace *pace;
1419         canon_ace *pace_user = NULL;
1420         canon_ace *pace_group = NULL;
1421         canon_ace *pace_other = NULL;
1422         bool got_duplicate_user = false;
1423         bool got_duplicate_group = false;
1424
1425         for (pace = *pp_ace; pace; pace = pace->next) {
1426                 trim_ace_perms(pace);
1427                 if (pace->type == SMB_ACL_USER_OBJ) {
1428                         ensure_minimal_owner_ace_perms(is_directory, pace);
1429                         pace_user = pace;
1430                 } else if (pace->type == SMB_ACL_GROUP_OBJ) {
1431                         pace_group = pace;
1432                 } else if (pace->type == SMB_ACL_OTHER) {
1433                         pace_other = pace;
1434                 }
1435         }
1436
1437         if (!pace_user) {
1438                 canon_ace *pace_iter;
1439
1440                 if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
1441                         DEBUG(0,("talloc fail.\n"));
1442                         return false;
1443                 }
1444
1445                 ZERO_STRUCTP(pace);
1446                 pace->type = SMB_ACL_USER_OBJ;
1447                 pace->owner_type = UID_ACE;
1448                 pace->unix_ug.type = ID_TYPE_UID;
1449                 pace->unix_ug.id = pst->st_ex_uid;
1450                 pace->trustee = *pfile_owner_sid;
1451                 pace->attr = ALLOW_ACE;
1452                 /* Start with existing user permissions, principle of least
1453                    surprises for the user. */
1454                 pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRUSR, S_IWUSR, S_IXUSR);
1455
1456                 /* See if the owning user is in any of the other groups in
1457                    the ACE, or if there's a matching user entry (by uid
1458                    or in the case of ID_TYPE_BOTH by SID).
1459                    If so, OR in the permissions from that entry. */
1460
1461
1462                 for (pace_iter = *pp_ace; pace_iter; pace_iter = pace_iter->next) {
1463                         if (pace_iter->type == SMB_ACL_USER &&
1464                                         pace_iter->unix_ug.id == pace->unix_ug.id) {
1465                                 pace->perms |= pace_iter->perms;
1466                         } else if (pace_iter->type == SMB_ACL_GROUP_OBJ || pace_iter->type == SMB_ACL_GROUP) {
1467                                 if (dom_sid_equal(&pace->trustee, &pace_iter->trustee)) {
1468                                         pace->perms |= pace_iter->perms;
1469                                 } else if (uid_entry_in_group(conn, pace, pace_iter)) {
1470                                         pace->perms |= pace_iter->perms;
1471                                 }
1472                         }
1473                 }
1474
1475                 if (pace->perms == 0) {
1476                         /* If we only got an "everyone" perm, just use that. */
1477                         if (pace_other)
1478                                 pace->perms = pace_other->perms;
1479                 }
1480
1481                 /*
1482                  * Ensure we have default parameters for the
1483                  * user (owner) even on default ACLs.
1484                  */
1485                 ensure_minimal_owner_ace_perms(is_directory, pace);
1486
1487                 DLIST_ADD(*pp_ace, pace);
1488                 pace_user = pace;
1489         }
1490
1491         if (!pace_group) {
1492                 if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
1493                         DEBUG(0,("talloc fail.\n"));
1494                         return false;
1495                 }
1496
1497                 ZERO_STRUCTP(pace);
1498                 pace->type = SMB_ACL_GROUP_OBJ;
1499                 pace->owner_type = GID_ACE;
1500                 pace->unix_ug.type = ID_TYPE_GID;
1501                 pace->unix_ug.id = pst->st_ex_gid;
1502                 pace->trustee = *pfile_grp_sid;
1503                 pace->attr = ALLOW_ACE;
1504
1505                 /* If we only got an "everyone" perm, just use that. */
1506                 if (pace_other) {
1507                         pace->perms = pace_other->perms;
1508                 } else {
1509                         pace->perms = 0;
1510                 }
1511
1512                 DLIST_ADD(*pp_ace, pace);
1513                 pace_group = pace;
1514         }
1515
1516         if (!pace_other) {
1517                 if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
1518                         DEBUG(0,("talloc fail.\n"));
1519                         return false;
1520                 }
1521
1522                 ZERO_STRUCTP(pace);
1523                 pace->type = SMB_ACL_OTHER;
1524                 pace->owner_type = WORLD_ACE;
1525                 pace->unix_ug.type = ID_TYPE_NOT_SPECIFIED;
1526                 pace->unix_ug.id = -1;
1527                 pace->trustee = global_sid_World;
1528                 pace->attr = ALLOW_ACE;
1529                 pace->perms = 0;
1530
1531                 DLIST_ADD(*pp_ace, pace);
1532                 pace_other = pace;
1533         }
1534
1535         /* Ensure when setting a POSIX ACL, that the uid for a
1536            SMB_ACL_USER_OBJ ACE (the owner ACE entry) has a duplicate
1537            permission entry as an SMB_ACL_USER, and a gid for a
1538            SMB_ACL_GROUP_OBJ ACE (the primary group ACE entry) also has
1539            a duplicate permission entry as an SMB_ACL_GROUP. If not,
1540            then if the ownership or group ownership of this file or
1541            directory gets changed, the user or group can lose their
1542            access. */
1543
1544         for (pace = *pp_ace; pace; pace = pace->next) {
1545                 if (pace->type == SMB_ACL_USER &&
1546                                 pace->unix_ug.id == pace_user->unix_ug.id) {
1547                         /* Already got one. */
1548                         got_duplicate_user = true;
1549                 } else if (pace->type == SMB_ACL_GROUP &&
1550                                 pace->unix_ug.id == pace_group->unix_ug.id) {
1551                         /* Already got one. */
1552                         got_duplicate_group = true;
1553                 } else if ((pace->type == SMB_ACL_GROUP)
1554                            && (dom_sid_equal(&pace->trustee, &pace_user->trustee))) {
1555                         /* If the SID owning the file appears
1556                          * in a group entry, then we have
1557                          * enough duplication, they will still
1558                          * have access */
1559                         got_duplicate_user = true;
1560                 }
1561         }
1562
1563         /* If the SID is equal for the user and group that we need
1564            to add the duplicate for, add only the group */
1565         if (!got_duplicate_user && !got_duplicate_group
1566                         && dom_sid_equal(&pace_group->trustee,
1567                                         &pace_user->trustee)) {
1568                 /* Add a duplicate SMB_ACL_GROUP entry, this
1569                  * will cover the owning SID as well, as it
1570                  * will always be mapped to both a uid and
1571                  * gid. */
1572
1573                 if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
1574                         DEBUG(0,("talloc fail.\n"));
1575                         return false;
1576                 }
1577
1578                 ZERO_STRUCTP(pace);
1579                 pace->type = SMB_ACL_GROUP;;
1580                 pace->owner_type = GID_ACE;
1581                 pace->unix_ug.type = ID_TYPE_GID;
1582                 pace->unix_ug.id = pace_group->unix_ug.id;
1583                 pace->trustee = pace_group->trustee;
1584                 pace->attr = pace_group->attr;
1585                 pace->perms = pace_group->perms;
1586
1587                 DLIST_ADD(*pp_ace, pace);
1588
1589                 /* We're done here, make sure the
1590                    statements below are not executed. */
1591                 got_duplicate_user = true;
1592                 got_duplicate_group = true;
1593         }
1594
1595         if (!got_duplicate_user) {
1596                 /* Add a duplicate SMB_ACL_USER entry. */
1597                 if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
1598                         DEBUG(0,("talloc fail.\n"));
1599                         return false;
1600                 }
1601
1602                 ZERO_STRUCTP(pace);
1603                 pace->type = SMB_ACL_USER;;
1604                 pace->owner_type = UID_ACE;
1605                 pace->unix_ug.type = ID_TYPE_UID;
1606                 pace->unix_ug.id = pace_user->unix_ug.id;
1607                 pace->trustee = pace_user->trustee;
1608                 pace->attr = pace_user->attr;
1609                 pace->perms = pace_user->perms;
1610
1611                 DLIST_ADD(*pp_ace, pace);
1612
1613                 got_duplicate_user = true;
1614         }
1615
1616         if (!got_duplicate_group) {
1617                 /* Add a duplicate SMB_ACL_GROUP entry. */
1618                 if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
1619                         DEBUG(0,("talloc fail.\n"));
1620                         return false;
1621                 }
1622
1623                 ZERO_STRUCTP(pace);
1624                 pace->type = SMB_ACL_GROUP;;
1625                 pace->owner_type = GID_ACE;
1626                 pace->unix_ug.type = ID_TYPE_GID;
1627                 pace->unix_ug.id = pace_group->unix_ug.id;
1628                 pace->trustee = pace_group->trustee;
1629                 pace->attr = pace_group->attr;
1630                 pace->perms = pace_group->perms;
1631
1632                 DLIST_ADD(*pp_ace, pace);
1633
1634                 got_duplicate_group = true;
1635         }
1636
1637         return true;
1638 }
1639
1640 /****************************************************************************
1641  Check if a POSIX ACL has the required SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries.
1642  If it does not have them, check if there are any entries where the trustee is the
1643  file owner or the owning group, and map these to SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ.
1644  Note we must not do this to default directory ACLs.
1645 ****************************************************************************/
1646
1647 static void check_owning_objs(canon_ace *ace, struct dom_sid *pfile_owner_sid, struct dom_sid *pfile_grp_sid)
1648 {
1649         bool got_user_obj, got_group_obj;
1650         canon_ace *current_ace;
1651         int i, entries;
1652
1653         entries = count_canon_ace_list(ace);
1654         got_user_obj = False;
1655         got_group_obj = False;
1656
1657         for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1658                 if (current_ace->type == SMB_ACL_USER_OBJ)
1659                         got_user_obj = True;
1660                 else if (current_ace->type == SMB_ACL_GROUP_OBJ)
1661                         got_group_obj = True;
1662         }
1663         if (got_user_obj && got_group_obj) {
1664                 DEBUG(10,("check_owning_objs: ACL had owning user/group entries.\n"));
1665                 return;
1666         }
1667
1668         for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1669                 if (!got_user_obj && current_ace->owner_type == UID_ACE &&
1670                                 dom_sid_equal(&current_ace->trustee, pfile_owner_sid)) {
1671                         current_ace->type = SMB_ACL_USER_OBJ;
1672                         got_user_obj = True;
1673                 }
1674                 if (!got_group_obj && current_ace->owner_type == GID_ACE &&
1675                                 dom_sid_equal(&current_ace->trustee, pfile_grp_sid)) {
1676                         current_ace->type = SMB_ACL_GROUP_OBJ;
1677                         got_group_obj = True;
1678                 }
1679         }
1680         if (!got_user_obj)
1681                 DEBUG(10,("check_owning_objs: ACL is missing an owner entry.\n"));
1682         if (!got_group_obj)
1683                 DEBUG(10,("check_owning_objs: ACL is missing an owning group entry.\n"));
1684 }
1685
1686 static bool add_current_ace_to_acl(files_struct *fsp, struct security_ace *psa,
1687                                    canon_ace **file_ace, canon_ace **dir_ace,
1688                                    bool *got_file_allow, bool *got_dir_allow,
1689                                    bool *all_aces_are_inherit_only,
1690                                    canon_ace *current_ace)
1691 {
1692
1693         /*
1694          * Map the given NT permissions into a UNIX mode_t containing only
1695          * S_I(R|W|X)USR bits.
1696          */
1697
1698         current_ace->perms |= map_nt_perms( &psa->access_mask, S_IRUSR);
1699         current_ace->attr = (psa->type == SEC_ACE_TYPE_ACCESS_ALLOWED) ? ALLOW_ACE : DENY_ACE;
1700
1701         /* Store the ace_flag. */
1702         current_ace->ace_flags = psa->flags;
1703
1704         /*
1705          * Now add the created ace to either the file list, the directory
1706          * list, or both. We *MUST* preserve the order here (hence we use
1707          * DLIST_ADD_END) as NT ACLs are order dependent.
1708          */
1709
1710         if (fsp->fsp_flags.is_directory) {
1711
1712                 /*
1713                  * We can only add to the default POSIX ACE list if the ACE is
1714                  * designed to be inherited by both files and directories.
1715                  */
1716
1717                 if ((psa->flags & (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) ==
1718                     (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) {
1719
1720                         canon_ace *current_dir_ace = current_ace;
1721                         DLIST_ADD_END(*dir_ace, current_ace);
1722
1723                         /*
1724                          * Note if this was an allow ace. We can't process
1725                          * any further deny ace's after this.
1726                          */
1727
1728                         if (current_ace->attr == ALLOW_ACE)
1729                                 *got_dir_allow = True;
1730
1731                         if ((current_ace->attr == DENY_ACE) && *got_dir_allow) {
1732                                 DEBUG(0,("add_current_ace_to_acl: "
1733                                          "malformed ACL in "
1734                                          "inheritable ACL! Deny entry "
1735                                          "after Allow entry. Failing "
1736                                          "to set on file %s.\n",
1737                                          fsp_str_dbg(fsp)));
1738                                 return False;
1739                         }
1740
1741                         if( DEBUGLVL( 10 )) {
1742                                 dbgtext("add_current_ace_to_acl: adding dir ACL:\n");
1743                                 print_canon_ace( current_ace, 0);
1744                         }
1745
1746                         /*
1747                          * If this is not an inherit only ACE we need to add a duplicate
1748                          * to the file acl.
1749                          */
1750
1751                         if (!(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1752                                 canon_ace *dup_ace = dup_canon_ace(current_ace);
1753
1754                                 if (!dup_ace) {
1755                                         DEBUG(0,("add_current_ace_to_acl: malloc fail !\n"));
1756                                         return False;
1757                                 }
1758
1759                                 /*
1760                                  * We must not free current_ace here as its
1761                                  * pointer is now owned by the dir_ace list.
1762                                  */
1763                                 current_ace = dup_ace;
1764                                 /* We've essentially split this ace into two,
1765                                  * and added the ace with inheritance request
1766                                  * bits to the directory ACL. Drop those bits for
1767                                  * the ACE we're adding to the file list. */
1768                                 current_ace->ace_flags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT|
1769                                                             SEC_ACE_FLAG_CONTAINER_INHERIT|
1770                                                             SEC_ACE_FLAG_INHERIT_ONLY);
1771                         } else {
1772                                 /*
1773                                  * We must not free current_ace here as its
1774                                  * pointer is now owned by the dir_ace list.
1775                                  */
1776                                 current_ace = NULL;
1777                         }
1778
1779                         /*
1780                          * current_ace is now either owned by file_ace
1781                          * or is NULL. We can safely operate on current_dir_ace
1782                          * to treat mapping for default acl entries differently
1783                          * than access acl entries.
1784                          */
1785
1786                         if (current_dir_ace->owner_type == UID_ACE) {
1787                                 /*
1788                                  * We already decided above this is a uid,
1789                                  * for default acls ace's only CREATOR_OWNER
1790                                  * maps to ACL_USER_OBJ. All other uid
1791                                  * ace's are ACL_USER.
1792                                  */
1793                                 if (dom_sid_equal(&current_dir_ace->trustee,
1794                                                   &global_sid_Creator_Owner)) {
1795                                         current_dir_ace->type = SMB_ACL_USER_OBJ;
1796                                 } else {
1797                                         current_dir_ace->type = SMB_ACL_USER;
1798                                 }
1799                         }
1800
1801                         if (current_dir_ace->owner_type == GID_ACE) {
1802                                 /*
1803                                  * We already decided above this is a gid,
1804                                  * for default acls ace's only CREATOR_GROUP
1805                                  * maps to ACL_GROUP_OBJ. All other uid
1806                                  * ace's are ACL_GROUP.
1807                                  */
1808                                 if (dom_sid_equal(&current_dir_ace->trustee,
1809                                                   &global_sid_Creator_Group)) {
1810                                         current_dir_ace->type = SMB_ACL_GROUP_OBJ;
1811                                 } else {
1812                                         current_dir_ace->type = SMB_ACL_GROUP;
1813                                 }
1814                         }
1815                 }
1816         }
1817
1818         /*
1819          * Only add to the file ACL if not inherit only.
1820          */
1821
1822         if (current_ace && !(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1823                 DLIST_ADD_END(*file_ace, current_ace);
1824
1825                 /*
1826                  * Note if this was an allow ace. We can't process
1827                  * any further deny ace's after this.
1828                  */
1829
1830                 if (current_ace->attr == ALLOW_ACE)
1831                         *got_file_allow = True;
1832
1833                 if ((current_ace->attr == DENY_ACE) && *got_file_allow) {
1834                         DEBUG(0,("add_current_ace_to_acl: malformed "
1835                                  "ACL in file ACL ! Deny entry after "
1836                                  "Allow entry. Failing to set on file "
1837                                  "%s.\n", fsp_str_dbg(fsp)));
1838                         return False;
1839                 }
1840
1841                 if( DEBUGLVL( 10 )) {
1842                         dbgtext("add_current_ace_to_acl: adding file ACL:\n");
1843                         print_canon_ace( current_ace, 0);
1844                 }
1845                 *all_aces_are_inherit_only = False;
1846                 /*
1847                  * We must not free current_ace here as its
1848                  * pointer is now owned by the file_ace list.
1849                  */
1850                 current_ace = NULL;
1851         }
1852
1853         /*
1854          * Free if ACE was not added.
1855          */
1856
1857         TALLOC_FREE(current_ace);
1858         return true;
1859 }
1860
1861 /****************************************************************************
1862  Unpack a struct security_descriptor into two canonical ace lists.
1863 ****************************************************************************/
1864
1865 static bool create_canon_ace_lists(files_struct *fsp,
1866                                         const SMB_STRUCT_STAT *pst,
1867                                         struct dom_sid *pfile_owner_sid,
1868                                         struct dom_sid *pfile_grp_sid,
1869                                         canon_ace **ppfile_ace,
1870                                         canon_ace **ppdir_ace,
1871                                         const struct security_acl *dacl)
1872 {
1873         bool all_aces_are_inherit_only = (fsp->fsp_flags.is_directory);
1874         canon_ace *file_ace = NULL;
1875         canon_ace *dir_ace = NULL;
1876         canon_ace *current_ace = NULL;
1877         bool got_dir_allow = False;
1878         bool got_file_allow = False;
1879         uint32_t i, j;
1880
1881         *ppfile_ace = NULL;
1882         *ppdir_ace = NULL;
1883
1884         /*
1885          * Convert the incoming ACL into a more regular form.
1886          */
1887
1888         for(i = 0; i < dacl->num_aces; i++) {
1889                 struct security_ace *psa = &dacl->aces[i];
1890
1891                 if((psa->type != SEC_ACE_TYPE_ACCESS_ALLOWED) && (psa->type != SEC_ACE_TYPE_ACCESS_DENIED)) {
1892                         DEBUG(3,("create_canon_ace_lists: unable to set anything but an ALLOW or DENY ACE.\n"));
1893                         return False;
1894                 }
1895         }
1896
1897         /*
1898          * Deal with the fact that NT 4.x re-writes the canonical format
1899          * that we return for default ACLs. If a directory ACE is identical
1900          * to a inherited directory ACE then NT changes the bits so that the
1901          * first ACE is set to OI|IO and the second ACE for this SID is set
1902          * to CI. We need to repair this. JRA.
1903          */
1904
1905         for(i = 0; i < dacl->num_aces; i++) {
1906                 struct security_ace *psa1 = &dacl->aces[i];
1907
1908                 for (j = i + 1; j < dacl->num_aces; j++) {
1909                         struct security_ace *psa2 = &dacl->aces[j];
1910
1911                         if (psa1->access_mask != psa2->access_mask)
1912                                 continue;
1913
1914                         if (!dom_sid_equal(&psa1->trustee, &psa2->trustee))
1915                                 continue;
1916
1917                         /*
1918                          * Ok - permission bits and SIDs are equal.
1919                          * Check if flags were re-written.
1920                          */
1921
1922                         if (psa1->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1923
1924                                 psa1->flags |= (psa2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1925                                 psa2->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1926
1927                         } else if (psa2->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1928
1929                                 psa2->flags |= (psa1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1930                                 psa1->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1931
1932                         }
1933                 }
1934         }
1935
1936         for(i = 0; i < dacl->num_aces; i++) {
1937                 struct security_ace *psa = &dacl->aces[i];
1938
1939                 /*
1940                  * Create a canon_ace entry representing this NT DACL ACE.
1941                  */
1942
1943                 if ((current_ace = talloc(talloc_tos(), canon_ace)) == NULL) {
1944                         free_canon_ace_list(file_ace);
1945                         free_canon_ace_list(dir_ace);
1946                         DEBUG(0,("create_canon_ace_lists: malloc fail.\n"));
1947                         return False;
1948                 }
1949
1950                 ZERO_STRUCTP(current_ace);
1951
1952                 sid_copy(&current_ace->trustee, &psa->trustee);
1953
1954                 /*
1955                  * Try and work out if the SID is a user or group
1956                  * as we need to flag these differently for POSIX.
1957                  * Note what kind of a POSIX ACL this should map to.
1958                  */
1959
1960                 if( dom_sid_equal(&current_ace->trustee, &global_sid_World)) {
1961                         current_ace->owner_type = WORLD_ACE;
1962                         current_ace->unix_ug.type = ID_TYPE_NOT_SPECIFIED;
1963                         current_ace->unix_ug.id = -1;
1964                         current_ace->type = SMB_ACL_OTHER;
1965                 } else if (dom_sid_equal(&current_ace->trustee, &global_sid_Creator_Owner)) {
1966                         current_ace->owner_type = UID_ACE;
1967                         current_ace->unix_ug.type = ID_TYPE_UID;
1968                         current_ace->unix_ug.id = pst->st_ex_uid;
1969                         current_ace->type = SMB_ACL_USER_OBJ;
1970
1971                         /*
1972                          * The Creator Owner entry only specifies inheritable permissions,
1973                          * never access permissions. WinNT doesn't always set the ACE to
1974                          * INHERIT_ONLY, though.
1975                          */
1976
1977                         psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1978
1979                 } else if (dom_sid_equal(&current_ace->trustee, &global_sid_Creator_Group)) {
1980                         current_ace->owner_type = GID_ACE;
1981                         current_ace->unix_ug.type = ID_TYPE_GID;
1982                         current_ace->unix_ug.id = pst->st_ex_gid;
1983                         current_ace->type = SMB_ACL_GROUP_OBJ;
1984
1985                         /*
1986                          * The Creator Group entry only specifies inheritable permissions,
1987                          * never access permissions. WinNT doesn't always set the ACE to
1988                          * INHERIT_ONLY, though.
1989                          */
1990                         psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1991
1992                 } else {
1993                         struct unixid unixid;
1994
1995                         if (!sids_to_unixids(&current_ace->trustee, 1, &unixid)) {
1996                                 struct dom_sid_buf buf;
1997                                 free_canon_ace_list(file_ace);
1998                                 free_canon_ace_list(dir_ace);
1999                                 TALLOC_FREE(current_ace);
2000                                 DBG_ERR("sids_to_unixids failed for %s "
2001                                         "(allocation failure)\n",
2002                                         dom_sid_str_buf(&current_ace->trustee,
2003                                                         &buf));
2004                                 return false;
2005                         }
2006
2007                         if (unixid.type == ID_TYPE_BOTH) {
2008                                 /*
2009                                  * We must add both a user and group
2010                                  * entry POSIX_ACL.
2011                                  * This is due to the fact that in POSIX
2012                                  * user entries are more specific than
2013                                  * groups.
2014                                  */
2015                                 current_ace->owner_type = UID_ACE;
2016                                 current_ace->unix_ug.type = ID_TYPE_UID;
2017                                 current_ace->unix_ug.id = unixid.id;
2018                                 current_ace->type =
2019                                         (unixid.id == pst->st_ex_uid) ?
2020                                                 SMB_ACL_USER_OBJ :
2021                                                 SMB_ACL_USER;
2022
2023                                 /* Add the user object to the posix ACL,
2024                                    and proceed to the group mapping
2025                                    below. This handles the talloc_free
2026                                    of current_ace if not added for some
2027                                    reason */
2028                                 if (!add_current_ace_to_acl(fsp,
2029                                                 psa,
2030                                                 &file_ace,
2031                                                 &dir_ace,
2032                                                 &got_file_allow,
2033                                                 &got_dir_allow,
2034                                                 &all_aces_are_inherit_only,
2035                                                 current_ace)) {
2036                                         free_canon_ace_list(file_ace);
2037                                         free_canon_ace_list(dir_ace);
2038                                         return false;
2039                                 }
2040
2041                                 if ((current_ace = talloc(talloc_tos(),
2042                                                 canon_ace)) == NULL) {
2043                                         free_canon_ace_list(file_ace);
2044                                         free_canon_ace_list(dir_ace);
2045                                         DEBUG(0,("create_canon_ace_lists: "
2046                                                 "malloc fail.\n"));
2047                                         return False;
2048                                 }
2049
2050                                 ZERO_STRUCTP(current_ace);
2051
2052                                 sid_copy(&current_ace->trustee, &psa->trustee);
2053
2054                                 current_ace->unix_ug.type = ID_TYPE_GID;
2055                                 current_ace->unix_ug.id = unixid.id;
2056                                 current_ace->owner_type = GID_ACE;
2057                                 /* If it's the primary group, this is a
2058                                    group_obj, not a group. */
2059                                 if (current_ace->unix_ug.id == pst->st_ex_gid) {
2060                                         current_ace->type = SMB_ACL_GROUP_OBJ;
2061                                 } else {
2062                                         current_ace->type = SMB_ACL_GROUP;
2063                                 }
2064
2065                         } else if (unixid.type == ID_TYPE_UID) {
2066                                 current_ace->owner_type = UID_ACE;
2067                                 current_ace->unix_ug.type = ID_TYPE_UID;
2068                                 current_ace->unix_ug.id = unixid.id;
2069                                 /* If it's the owning user, this is a user_obj,
2070                                    not a user. */
2071                                 if (current_ace->unix_ug.id == pst->st_ex_uid) {
2072                                         current_ace->type = SMB_ACL_USER_OBJ;
2073                                 } else {
2074                                         current_ace->type = SMB_ACL_USER;
2075                                 }
2076                         } else if (unixid.type == ID_TYPE_GID) {
2077                                 current_ace->unix_ug.type = ID_TYPE_GID;
2078                                 current_ace->unix_ug.id = unixid.id;
2079                                 current_ace->owner_type = GID_ACE;
2080                                 /* If it's the primary group, this is a
2081                                    group_obj, not a group. */
2082                                 if (current_ace->unix_ug.id == pst->st_ex_gid) {
2083                                         current_ace->type = SMB_ACL_GROUP_OBJ;
2084                                 } else {
2085                                         current_ace->type = SMB_ACL_GROUP;
2086                                 }
2087                         } else {
2088                                 struct dom_sid_buf buf;
2089                                 /*
2090                                  * Silently ignore map failures in non-mappable SIDs (NT Authority, BUILTIN etc).
2091                                  */
2092
2093                                 if (non_mappable_sid(&psa->trustee)) {
2094                                         DBG_DEBUG("ignoring "
2095                                                   "non-mappable SID %s\n",
2096                                                   dom_sid_str_buf(
2097                                                           &psa->trustee,
2098                                                           &buf));
2099                                         TALLOC_FREE(current_ace);
2100                                         continue;
2101                                 }
2102
2103                                 if (lp_force_unknown_acl_user(SNUM(fsp->conn))) {
2104                                         DBG_DEBUG("ignoring unknown or "
2105                                                   "foreign SID %s\n",
2106                                                   dom_sid_str_buf(
2107                                                           &psa->trustee,
2108                                                           &buf));
2109                                         TALLOC_FREE(current_ace);
2110                                         continue;
2111                                 }
2112
2113                                 free_canon_ace_list(file_ace);
2114                                 free_canon_ace_list(dir_ace);
2115                                 DBG_ERR("unable to map SID %s to uid or "
2116                                         "gid.\n",
2117                                         dom_sid_str_buf(&current_ace->trustee,
2118                                                         &buf));
2119                                 TALLOC_FREE(current_ace);
2120                                 return false;
2121                         }
2122                 }
2123
2124                 /* handles the talloc_free of current_ace if not added for some reason */
2125                 if (!add_current_ace_to_acl(fsp, psa, &file_ace, &dir_ace,
2126                                             &got_file_allow, &got_dir_allow,
2127                                             &all_aces_are_inherit_only, current_ace)) {
2128                         free_canon_ace_list(file_ace);
2129                         free_canon_ace_list(dir_ace);
2130                         return false;
2131                 }
2132         }
2133
2134         if (fsp->fsp_flags.is_directory && all_aces_are_inherit_only) {
2135                 /*
2136                  * Windows 2000 is doing one of these weird 'inherit acl'
2137                  * traverses to conserve NTFS ACL resources. Just pretend
2138                  * there was no DACL sent. JRA.
2139                  */
2140
2141                 DEBUG(10,("create_canon_ace_lists: Win2k inherit acl traverse. Ignoring DACL.\n"));
2142                 free_canon_ace_list(file_ace);
2143                 free_canon_ace_list(dir_ace);
2144                 file_ace = NULL;
2145                 dir_ace = NULL;
2146         } else {
2147                 /*
2148                  * Check if we have SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries in
2149                  * the file ACL. If we don't have them, check if any SMB_ACL_USER/SMB_ACL_GROUP
2150                  * entries can be converted to *_OBJ. Don't do this for the default
2151                  * ACL, we will create them separately for this if needed inside
2152                  * ensure_canon_entry_valid_on_set().
2153                  */
2154                 if (file_ace) {
2155                         check_owning_objs(file_ace, pfile_owner_sid, pfile_grp_sid);
2156                 }
2157         }
2158
2159         *ppfile_ace = file_ace;
2160         *ppdir_ace = dir_ace;
2161
2162         return True;
2163 }
2164
2165 /****************************************************************************
2166  ASCII art time again... JRA :-).
2167
2168  We have 4 cases to process when moving from an NT ACL to a POSIX ACL. Firstly,
2169  we insist the ACL is in canonical form (ie. all DENY entries preceede ALLOW
2170  entries). Secondly, the merge code has ensured that all duplicate SID entries for
2171  allow or deny have been merged, so the same SID can only appear once in the deny
2172  list or once in the allow list.
2173
2174  We then process as follows :
2175
2176  ---------------------------------------------------------------------------
2177  First pass - look for a Everyone DENY entry.
2178
2179  If it is deny all (rwx) trunate the list at this point.
2180  Else, walk the list from this point and use the deny permissions of this
2181  entry as a mask on all following allow entries. Finally, delete
2182  the Everyone DENY entry (we have applied it to everything possible).
2183
2184  In addition, in this pass we remove any DENY entries that have 
2185  no permissions (ie. they are a DENY nothing).
2186  ---------------------------------------------------------------------------
2187  Second pass - only deal with deny user entries.
2188
2189  DENY user1 (perms XXX)
2190
2191  new_perms = 0
2192  for all following allow group entries where user1 is in group
2193         new_perms |= group_perms;
2194
2195  user1 entry perms = new_perms & ~ XXX;
2196
2197  Convert the deny entry to an allow entry with the new perms and
2198  push to the end of the list. Note if the user was in no groups
2199  this maps to a specific allow nothing entry for this user.
2200
2201  The common case from the NT ACL choser (userX deny all) is
2202  optimised so we don't do the group lookup - we just map to
2203  an allow nothing entry.
2204
2205  What we're doing here is inferring the allow permissions the
2206  person setting the ACE on user1 wanted by looking at the allow
2207  permissions on the groups the user is currently in. This will
2208  be a snapshot, depending on group membership but is the best
2209  we can do and has the advantage of failing closed rather than
2210  open.
2211  ---------------------------------------------------------------------------
2212  Third pass - only deal with deny group entries.
2213
2214  DENY group1 (perms XXX)
2215
2216  for all following allow user entries where user is in group1
2217    user entry perms = user entry perms & ~ XXX;
2218
2219  If there is a group Everyone allow entry with permissions YYY,
2220  convert the group1 entry to an allow entry and modify its
2221  permissions to be :
2222
2223  new_perms = YYY & ~ XXX
2224
2225  and push to the end of the list.
2226
2227  If there is no group Everyone allow entry then convert the
2228  group1 entry to a allow nothing entry and push to the end of the list.
2229
2230  Note that the common case from the NT ACL choser (groupX deny all)
2231  cannot be optimised here as we need to modify user entries who are
2232  in the group to change them to a deny all also.
2233
2234  What we're doing here is modifying the allow permissions of
2235  user entries (which are more specific in POSIX ACLs) to mask
2236  out the explicit deny set on the group they are in. This will
2237  be a snapshot depending on current group membership but is the
2238  best we can do and has the advantage of failing closed rather
2239  than open.
2240  ---------------------------------------------------------------------------
2241  Fourth pass - cope with cumulative permissions.
2242
2243  for all allow user entries, if there exists an allow group entry with
2244  more permissive permissions, and the user is in that group, rewrite the
2245  allow user permissions to contain both sets of permissions.
2246
2247  Currently the code for this is #ifdef'ed out as these semantics make
2248  no sense to me. JRA.
2249  ---------------------------------------------------------------------------
2250
2251  Note we *MUST* do the deny user pass first as this will convert deny user
2252  entries into allow user entries which can then be processed by the deny
2253  group pass.
2254
2255  The above algorithm took a *lot* of thinking about - hence this
2256  explaination :-). JRA.
2257 ****************************************************************************/
2258
2259 /****************************************************************************
2260  Process a canon_ace list entries. This is very complex code. We need
2261  to go through and remove the "deny" permissions from any allow entry that matches
2262  the id of this entry. We have already refused any NT ACL that wasn't in correct
2263  order (DENY followed by ALLOW). If any allow entry ends up with zero permissions,
2264  we just remove it (to fail safe). We have already removed any duplicate ace
2265  entries. Treat an "Everyone" DENY_ACE as a special case - use it to mask all
2266  allow entries.
2267 ****************************************************************************/
2268
2269 static void process_deny_list(connection_struct *conn, canon_ace **pp_ace_list )
2270 {
2271         canon_ace *ace_list = *pp_ace_list;
2272         canon_ace *curr_ace = NULL;
2273         canon_ace *curr_ace_next = NULL;
2274
2275         /* Pass 1 above - look for an Everyone, deny entry. */
2276
2277         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2278                 canon_ace *allow_ace_p;
2279
2280                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2281
2282                 if (curr_ace->attr != DENY_ACE)
2283                         continue;
2284
2285                 if (curr_ace->perms == (mode_t)0) {
2286
2287                         /* Deny nothing entry - delete. */
2288
2289                         DLIST_REMOVE(ace_list, curr_ace);
2290                         continue;
2291                 }
2292
2293                 if (!dom_sid_equal(&curr_ace->trustee, &global_sid_World))
2294                         continue;
2295
2296                 /* JRATEST - assert. */
2297                 SMB_ASSERT(curr_ace->owner_type == WORLD_ACE);
2298
2299                 if (curr_ace->perms == ALL_ACE_PERMS) {
2300
2301                         /*
2302                          * Optimisation. This is a DENY_ALL to Everyone. Truncate the
2303                          * list at this point including this entry.
2304                          */
2305
2306                         canon_ace *prev_entry = DLIST_PREV(curr_ace);
2307
2308                         free_canon_ace_list( curr_ace );
2309                         if (prev_entry)
2310                                 DLIST_REMOVE(ace_list, prev_entry);
2311                         else {
2312                                 /* We deleted the entire list. */
2313                                 ace_list = NULL;
2314                         }
2315                         break;
2316                 }
2317
2318                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2319
2320                         /* 
2321                          * Only mask off allow entries.
2322                          */
2323
2324                         if (allow_ace_p->attr != ALLOW_ACE)
2325                                 continue;
2326
2327                         allow_ace_p->perms &= ~curr_ace->perms;
2328                 }
2329
2330                 /*
2331                  * Now it's been applied, remove it.
2332                  */
2333
2334                 DLIST_REMOVE(ace_list, curr_ace);
2335         }
2336
2337         /* Pass 2 above - deal with deny user entries. */
2338
2339         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2340                 mode_t new_perms = (mode_t)0;
2341                 canon_ace *allow_ace_p;
2342
2343                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2344
2345                 if (curr_ace->attr != DENY_ACE)
2346                         continue;
2347
2348                 if (curr_ace->owner_type != UID_ACE)
2349                         continue;
2350
2351                 if (curr_ace->perms == ALL_ACE_PERMS) {
2352
2353                         /*
2354                          * Optimisation - this is a deny everything to this user.
2355                          * Convert to an allow nothing and push to the end of the list.
2356                          */
2357
2358                         curr_ace->attr = ALLOW_ACE;
2359                         curr_ace->perms = (mode_t)0;
2360                         DLIST_DEMOTE(ace_list, curr_ace);
2361                         continue;
2362                 }
2363
2364                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2365
2366                         if (allow_ace_p->attr != ALLOW_ACE)
2367                                 continue;
2368
2369                         /* We process GID_ACE and WORLD_ACE entries only. */
2370
2371                         if (allow_ace_p->owner_type == UID_ACE)
2372                                 continue;
2373
2374                         if (uid_entry_in_group(conn, curr_ace, allow_ace_p))
2375                                 new_perms |= allow_ace_p->perms;
2376                 }
2377
2378                 /*
2379                  * Convert to a allow entry, modify the perms and push to the end
2380                  * of the list.
2381                  */
2382
2383                 curr_ace->attr = ALLOW_ACE;
2384                 curr_ace->perms = (new_perms & ~curr_ace->perms);
2385                 DLIST_DEMOTE(ace_list, curr_ace);
2386         }
2387
2388         /* Pass 3 above - deal with deny group entries. */
2389
2390         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2391                 canon_ace *allow_ace_p;
2392                 canon_ace *allow_everyone_p = NULL;
2393
2394                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2395
2396                 if (curr_ace->attr != DENY_ACE)
2397                         continue;
2398
2399                 if (curr_ace->owner_type != GID_ACE)
2400                         continue;
2401
2402                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2403
2404                         if (allow_ace_p->attr != ALLOW_ACE)
2405                                 continue;
2406
2407                         /* Store a pointer to the Everyone allow, if it exists. */
2408                         if (allow_ace_p->owner_type == WORLD_ACE)
2409                                 allow_everyone_p = allow_ace_p;
2410
2411                         /* We process UID_ACE entries only. */
2412
2413                         if (allow_ace_p->owner_type != UID_ACE)
2414                                 continue;
2415
2416                         /* Mask off the deny group perms. */
2417
2418                         if (uid_entry_in_group(conn, allow_ace_p, curr_ace))
2419                                 allow_ace_p->perms &= ~curr_ace->perms;
2420                 }
2421
2422                 /*
2423                  * Convert the deny to an allow with the correct perms and
2424                  * push to the end of the list.
2425                  */
2426
2427                 curr_ace->attr = ALLOW_ACE;
2428                 if (allow_everyone_p)
2429                         curr_ace->perms = allow_everyone_p->perms & ~curr_ace->perms;
2430                 else
2431                         curr_ace->perms = (mode_t)0;
2432                 DLIST_DEMOTE(ace_list, curr_ace);
2433         }
2434
2435         /* Doing this fourth pass allows Windows semantics to be layered
2436          * on top of POSIX semantics. I'm not sure if this is desirable.
2437          * For example, in W2K ACLs there is no way to say, "Group X no
2438          * access, user Y full access" if user Y is a member of group X.
2439          * This seems completely broken semantics to me.... JRA.
2440          */
2441
2442 #if 0
2443         /* Pass 4 above - deal with allow entries. */
2444
2445         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2446                 canon_ace *allow_ace_p;
2447
2448                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2449
2450                 if (curr_ace->attr != ALLOW_ACE)
2451                         continue;
2452
2453                 if (curr_ace->owner_type != UID_ACE)
2454                         continue;
2455
2456                 for (allow_ace_p = ace_list; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2457
2458                         if (allow_ace_p->attr != ALLOW_ACE)
2459                                 continue;
2460
2461                         /* We process GID_ACE entries only. */
2462
2463                         if (allow_ace_p->owner_type != GID_ACE)
2464                                 continue;
2465
2466                         /* OR in the group perms. */
2467
2468                         if (uid_entry_in_group(conn, curr_ace, allow_ace_p))
2469                                 curr_ace->perms |= allow_ace_p->perms;
2470                 }
2471         }
2472 #endif
2473
2474         *pp_ace_list = ace_list;
2475 }
2476
2477 /****************************************************************************
2478  Unpack a struct security_descriptor into two canonical ace lists. We don't depend on this
2479  succeeding.
2480 ****************************************************************************/
2481
2482 static bool unpack_canon_ace(files_struct *fsp,
2483                                 const SMB_STRUCT_STAT *pst,
2484                                 struct dom_sid *pfile_owner_sid,
2485                                 struct dom_sid *pfile_grp_sid,
2486                                 canon_ace **ppfile_ace,
2487                                 canon_ace **ppdir_ace,
2488                                 uint32_t security_info_sent,
2489                                 const struct security_descriptor *psd)
2490 {
2491         canon_ace *file_ace = NULL;
2492         canon_ace *dir_ace = NULL;
2493         bool ok;
2494
2495         *ppfile_ace = NULL;
2496         *ppdir_ace = NULL;
2497
2498         if(security_info_sent == 0) {
2499                 DEBUG(0,("unpack_canon_ace: no security info sent !\n"));
2500                 return False;
2501         }
2502
2503         /*
2504          * If no DACL then this is a chown only security descriptor.
2505          */
2506
2507         if(!(security_info_sent & SECINFO_DACL) || !psd->dacl)
2508                 return True;
2509
2510         /*
2511          * Now go through the DACL and create the canon_ace lists.
2512          */
2513
2514         if (!create_canon_ace_lists(fsp, pst, pfile_owner_sid, pfile_grp_sid,
2515                                     &file_ace, &dir_ace, psd->dacl)) {
2516                 return False;
2517         }
2518
2519         if ((file_ace == NULL) && (dir_ace == NULL)) {
2520                 /* W2K traverse DACL set - ignore. */
2521                 return True;
2522         }
2523
2524         /*
2525          * Go through the canon_ace list and merge entries
2526          * belonging to identical users of identical allow or deny type.
2527          * We can do this as all deny entries come first, followed by
2528          * all allow entries (we have mandated this before accepting this acl).
2529          */
2530
2531         print_canon_ace_list( "file ace - before merge", file_ace);
2532         merge_aces( &file_ace, false);
2533
2534         print_canon_ace_list( "dir ace - before merge", dir_ace);
2535         merge_aces( &dir_ace, true);
2536
2537         /*
2538          * NT ACLs are order dependent. Go through the acl lists and
2539          * process DENY entries by masking the allow entries.
2540          */
2541
2542         print_canon_ace_list( "file ace - before deny", file_ace);
2543         process_deny_list(fsp->conn, &file_ace);
2544
2545         print_canon_ace_list( "dir ace - before deny", dir_ace);
2546         process_deny_list(fsp->conn, &dir_ace);
2547
2548         /*
2549          * A well formed POSIX file or default ACL has at least 3 entries, a 
2550          * SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ
2551          * and optionally a mask entry. Ensure this is the case.
2552          */
2553
2554         print_canon_ace_list( "file ace - before valid", file_ace);
2555
2556         ok = ensure_canon_entry_valid_on_set(
2557                 fsp->conn,
2558                 &file_ace,
2559                 false,
2560                 fsp->conn->params,
2561                 fsp->fsp_flags.is_directory,
2562                 pfile_owner_sid,
2563                 pfile_grp_sid,
2564                 pst);
2565         if (!ok) {
2566                 free_canon_ace_list(file_ace);
2567                 free_canon_ace_list(dir_ace);
2568                 return False;
2569         }
2570
2571         print_canon_ace_list( "dir ace - before valid", dir_ace);
2572
2573         if (dir_ace != NULL) {
2574                 ok = ensure_canon_entry_valid_on_set(
2575                         fsp->conn,
2576                         &dir_ace,
2577                         true,
2578                         fsp->conn->params,
2579                         fsp->fsp_flags.is_directory,
2580                         pfile_owner_sid,
2581                         pfile_grp_sid,
2582                         pst);
2583                 if (!ok) {
2584                         free_canon_ace_list(file_ace);
2585                         free_canon_ace_list(dir_ace);
2586                         return False;
2587                 }
2588         }
2589
2590         print_canon_ace_list( "file ace - return", file_ace);
2591         print_canon_ace_list( "dir ace - return", dir_ace);
2592
2593         *ppfile_ace = file_ace;
2594         *ppdir_ace = dir_ace;
2595         return True;
2596
2597 }
2598
2599 /******************************************************************************
2600  When returning permissions, try and fit NT display
2601  semantics if possible. Note the the canon_entries here must have been malloced.
2602  The list format should be - first entry = owner, followed by group and other user
2603  entries, last entry = other.
2604
2605  Note that this doesn't exactly match the NT semantics for an ACL. As POSIX entries
2606  are not ordered, and match on the most specific entry rather than walking a list,
2607  then a simple POSIX permission of rw-r--r-- should really map to 5 entries,
2608
2609  Entry 0: owner : deny all except read and write.
2610  Entry 1: owner : allow read and write.
2611  Entry 2: group : deny all except read.
2612  Entry 3: group : allow read.
2613  Entry 4: Everyone : allow read.
2614
2615  But NT cannot display this in their ACL editor !
2616 ********************************************************************************/
2617
2618 static void arrange_posix_perms(const char *filename, canon_ace **pp_list_head)
2619 {
2620         canon_ace *l_head = *pp_list_head;
2621         canon_ace *owner_ace = NULL;
2622         canon_ace *other_ace = NULL;
2623         canon_ace *ace = NULL;
2624
2625         for (ace = l_head; ace; ace = ace->next) {
2626                 if (ace->type == SMB_ACL_USER_OBJ)
2627                         owner_ace = ace;
2628                 else if (ace->type == SMB_ACL_OTHER) {
2629                         /* Last ace - this is "other" */
2630                         other_ace = ace;
2631                 }
2632         }
2633
2634         if (!owner_ace || !other_ace) {
2635                 DEBUG(0,("arrange_posix_perms: Invalid POSIX permissions for file %s, missing owner or other.\n",
2636                         filename ));
2637                 return;
2638         }
2639
2640         /*
2641          * The POSIX algorithm applies to owner first, and other last,
2642          * so ensure they are arranged in this order.
2643          */
2644
2645         if (owner_ace) {
2646                 DLIST_PROMOTE(l_head, owner_ace);
2647         }
2648
2649         if (other_ace) {
2650                 DLIST_DEMOTE(l_head, other_ace);
2651         }
2652
2653         /* We have probably changed the head of the list. */
2654
2655         *pp_list_head = l_head;
2656 }
2657
2658 /****************************************************************************
2659  Create a linked list of canonical ACE entries.
2660 ****************************************************************************/
2661
2662 static canon_ace *canonicalise_acl(struct connection_struct *conn,
2663                                    const char *fname, SMB_ACL_T posix_acl,
2664                                    const SMB_STRUCT_STAT *psbuf,
2665                                    const struct dom_sid *powner, const struct dom_sid *pgroup, struct pai_val *pal, SMB_ACL_TYPE_T the_acl_type)
2666 {
2667         mode_t acl_mask = (S_IRUSR|S_IWUSR|S_IXUSR);
2668         canon_ace *l_head = NULL;
2669         canon_ace *ace = NULL;
2670         canon_ace *next_ace = NULL;
2671         int entry_id = SMB_ACL_FIRST_ENTRY;
2672         bool is_default_acl = (the_acl_type == SMB_ACL_TYPE_DEFAULT);
2673         SMB_ACL_ENTRY_T entry;
2674         size_t ace_count;
2675
2676         while ( posix_acl && (sys_acl_get_entry(posix_acl, entry_id, &entry) == 1)) {
2677                 SMB_ACL_TAG_T tagtype;
2678                 SMB_ACL_PERMSET_T permset;
2679                 struct dom_sid sid;
2680                 struct unixid unix_ug;
2681                 enum ace_owner owner_type;
2682
2683                 entry_id = SMB_ACL_NEXT_ENTRY;
2684
2685                 if (sys_acl_get_tag_type(entry, &tagtype) == -1)
2686                         continue;
2687
2688                 if (sys_acl_get_permset(entry, &permset) == -1)
2689                         continue;
2690
2691                 /* Decide which SID to use based on the ACL type. */
2692                 switch(tagtype) {
2693                         case SMB_ACL_USER_OBJ:
2694                                 /* Get the SID from the owner. */
2695                                 sid_copy(&sid, powner);
2696                                 unix_ug.type = ID_TYPE_UID;
2697                                 unix_ug.id = psbuf->st_ex_uid;
2698                                 owner_type = UID_ACE;
2699                                 break;
2700                         case SMB_ACL_USER:
2701                                 {
2702                                         uid_t *puid = (uid_t *)sys_acl_get_qualifier(entry);
2703                                         if (puid == NULL) {
2704                                                 DEBUG(0,("canonicalise_acl: Failed to get uid.\n"));
2705                                                 continue;
2706                                         }
2707                                         uid_to_sid( &sid, *puid);
2708                                         unix_ug.type = ID_TYPE_UID;
2709                                         unix_ug.id = *puid;
2710                                         owner_type = UID_ACE;
2711                                         break;
2712                                 }
2713                         case SMB_ACL_GROUP_OBJ:
2714                                 /* Get the SID from the owning group. */
2715                                 sid_copy(&sid, pgroup);
2716                                 unix_ug.type = ID_TYPE_GID;
2717                                 unix_ug.id = psbuf->st_ex_gid;
2718                                 owner_type = GID_ACE;
2719                                 break;
2720                         case SMB_ACL_GROUP:
2721                                 {
2722                                         gid_t *pgid = (gid_t *)sys_acl_get_qualifier(entry);
2723                                         if (pgid == NULL) {
2724                                                 DEBUG(0,("canonicalise_acl: Failed to get gid.\n"));
2725                                                 continue;
2726                                         }
2727                                         gid_to_sid( &sid, *pgid);
2728                                         unix_ug.type = ID_TYPE_GID;
2729                                         unix_ug.id = *pgid;
2730                                         owner_type = GID_ACE;
2731                                         break;
2732                                 }
2733                         case SMB_ACL_MASK:
2734                                 acl_mask = convert_permset_to_mode_t(permset);
2735                                 continue; /* Don't count the mask as an entry. */
2736                         case SMB_ACL_OTHER:
2737                                 /* Use the Everyone SID */
2738                                 sid = global_sid_World;
2739                                 unix_ug.type = ID_TYPE_NOT_SPECIFIED;
2740                                 unix_ug.id = -1;
2741                                 owner_type = WORLD_ACE;
2742                                 break;
2743                         default:
2744                                 DEBUG(0,("canonicalise_acl: Unknown tagtype %u\n", (unsigned int)tagtype));
2745                                 continue;
2746                 }
2747
2748                 /*
2749                  * Add this entry to the list.
2750                  */
2751
2752                 if ((ace = talloc(talloc_tos(), canon_ace)) == NULL)
2753                         goto fail;
2754
2755                 *ace = (canon_ace) {
2756                         .type = tagtype,
2757                         .perms = convert_permset_to_mode_t(permset),
2758                         .attr = ALLOW_ACE,
2759                         .trustee = sid,
2760                         .unix_ug = unix_ug,
2761                         .owner_type = owner_type
2762                 };
2763                 ace->ace_flags = get_pai_flags(pal, ace, is_default_acl);
2764
2765                 DLIST_ADD(l_head, ace);
2766         }
2767
2768         /*
2769          * This next call will ensure we have at least a user/group/world set.
2770          */
2771
2772         if (!ensure_canon_entry_valid_on_get(conn, &l_head,
2773                                       powner, pgroup,
2774                                       psbuf))
2775                 goto fail;
2776
2777         /*
2778          * Now go through the list, masking the permissions with the
2779          * acl_mask. Ensure all DENY Entries are at the start of the list.
2780          */
2781
2782         DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", is_default_acl ?  "Default" : "Access"));
2783
2784         for ( ace_count = 0, ace = l_head; ace; ace = next_ace, ace_count++) {
2785                 next_ace = ace->next;
2786
2787                 /* Masks are only applied to entries other than USER_OBJ and OTHER. */
2788                 if (ace->type != SMB_ACL_OTHER && ace->type != SMB_ACL_USER_OBJ)
2789                         ace->perms &= acl_mask;
2790
2791                 if (ace->perms == 0) {
2792                         DLIST_PROMOTE(l_head, ace);
2793                 }
2794
2795                 if( DEBUGLVL( 10 ) ) {
2796                         print_canon_ace(ace, ace_count);
2797                 }
2798         }
2799
2800         arrange_posix_perms(fname,&l_head );
2801
2802         print_canon_ace_list( "canonicalise_acl: ace entries after arrange", l_head );
2803
2804         return l_head;
2805
2806   fail:
2807
2808         free_canon_ace_list(l_head);
2809         return NULL;
2810 }
2811
2812 /****************************************************************************
2813  Check if the current user group list contains a given group.
2814 ****************************************************************************/
2815
2816 bool current_user_in_group(connection_struct *conn, gid_t gid)
2817 {
2818         uint32_t i;
2819         const struct security_unix_token *utok = get_current_utok(conn);
2820
2821         for (i = 0; i < utok->ngroups; i++) {
2822                 if (utok->groups[i] == gid) {
2823                         return True;
2824                 }
2825         }
2826
2827         return False;
2828 }
2829
2830 /****************************************************************************
2831  Should we override a deny ? Check 'acl group control' and 'dos filemode'.
2832 ****************************************************************************/
2833
2834 static bool acl_group_override(connection_struct *conn,
2835                                const struct smb_filename *smb_fname)
2836 {
2837         if ((errno != EPERM) && (errno != EACCES)) {
2838                 return false;
2839         }
2840
2841         /* file primary group == user primary or supplementary group */
2842         if (lp_acl_group_control(SNUM(conn)) &&
2843             current_user_in_group(conn, smb_fname->st.st_ex_gid)) {
2844                 return true;
2845         }
2846
2847         /* user has writeable permission */
2848         if (lp_dos_filemode(SNUM(conn)) &&
2849             can_write_to_file(conn,
2850                                 smb_fname))
2851         {
2852                 return true;
2853         }
2854
2855         return false;
2856 }
2857
2858 /****************************************************************************
2859  Attempt to apply an ACL to a file or directory.
2860 ****************************************************************************/
2861
2862 static bool set_canon_ace_list(files_struct *fsp,
2863                                 canon_ace *the_ace,
2864                                 bool default_ace,
2865                                 const SMB_STRUCT_STAT *psbuf,
2866                                 bool *pacl_set_support)
2867 {
2868         connection_struct *conn = fsp->conn;
2869         bool ret = False;
2870         SMB_ACL_T the_acl = sys_acl_init(talloc_tos());
2871         canon_ace *p_ace;
2872         int i;
2873         SMB_ACL_ENTRY_T mask_entry;
2874         bool got_mask_entry = False;
2875         SMB_ACL_PERMSET_T mask_permset;
2876         SMB_ACL_TYPE_T the_acl_type = (default_ace ? SMB_ACL_TYPE_DEFAULT : SMB_ACL_TYPE_ACCESS);
2877         bool needs_mask = False;
2878         mode_t mask_perms = 0;
2879
2880         /* Use the psbuf that was passed in. */
2881         if (psbuf != &fsp->fsp_name->st) {
2882                 fsp->fsp_name->st = *psbuf;
2883         }
2884
2885 #if defined(POSIX_ACL_NEEDS_MASK)
2886         /* HP-UX always wants to have a mask (called "class" there). */
2887         needs_mask = True;
2888 #endif
2889
2890         if (the_acl == NULL) {
2891                 DEBUG(0, ("sys_acl_init failed to allocate an ACL\n"));
2892                 return false;
2893         }
2894
2895         if( DEBUGLVL( 10 )) {
2896                 dbgtext("set_canon_ace_list: setting ACL:\n");
2897                 for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2898                         print_canon_ace( p_ace, i);
2899                 }
2900         }
2901
2902         for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2903                 SMB_ACL_ENTRY_T the_entry;
2904                 SMB_ACL_PERMSET_T the_permset;
2905
2906                 /*
2907                  * ACLs only "need" an ACL_MASK entry if there are any named user or
2908                  * named group entries. But if there is an ACL_MASK entry, it applies
2909                  * to ACL_USER, ACL_GROUP, and ACL_GROUP_OBJ entries. Set the mask
2910                  * so that it doesn't deny (i.e., mask off) any permissions.
2911                  */
2912
2913                 if (p_ace->type == SMB_ACL_USER || p_ace->type == SMB_ACL_GROUP) {
2914                         needs_mask = True;
2915                         mask_perms |= p_ace->perms;
2916                 } else if (p_ace->type == SMB_ACL_GROUP_OBJ) {
2917                         mask_perms |= p_ace->perms;
2918                 }
2919
2920                 /*
2921                  * Get the entry for this ACE.
2922                  */
2923
2924                 if (sys_acl_create_entry(&the_acl, &the_entry) == -1) {
2925                         DEBUG(0,("set_canon_ace_list: Failed to create entry %d. (%s)\n",
2926                                 i, strerror(errno) ));
2927                         goto fail;
2928                 }
2929
2930                 if (p_ace->type == SMB_ACL_MASK) {
2931                         mask_entry = the_entry;
2932                         got_mask_entry = True;
2933                 }
2934
2935                 /*
2936                  * Ok - we now know the ACL calls should be working, don't
2937                  * allow fallback to chmod.
2938                  */
2939
2940                 *pacl_set_support = True;
2941
2942                 /*
2943                  * Initialise the entry from the canon_ace.
2944                  */
2945
2946                 /*
2947                  * First tell the entry what type of ACE this is.
2948                  */
2949
2950                 if (sys_acl_set_tag_type(the_entry, p_ace->type) == -1) {
2951                         DEBUG(0,("set_canon_ace_list: Failed to set tag type on entry %d. (%s)\n",
2952                                 i, strerror(errno) ));
2953                         goto fail;
2954                 }
2955
2956                 /*
2957                  * Only set the qualifier (user or group id) if the entry is a user
2958                  * or group id ACE.
2959                  */
2960
2961                 if ((p_ace->type == SMB_ACL_USER) || (p_ace->type == SMB_ACL_GROUP)) {
2962                         if (sys_acl_set_qualifier(the_entry,(void *)&p_ace->unix_ug.id) == -1) {
2963                                 DEBUG(0,("set_canon_ace_list: Failed to set qualifier on entry %d. (%s)\n",
2964                                         i, strerror(errno) ));
2965                                 goto fail;
2966                         }
2967                 }
2968
2969                 /*
2970                  * Convert the mode_t perms in the canon_ace to a POSIX permset.
2971                  */
2972
2973                 if (sys_acl_get_permset(the_entry, &the_permset) == -1) {
2974                         DEBUG(0,("set_canon_ace_list: Failed to get permset on entry %d. (%s)\n",
2975                                 i, strerror(errno) ));
2976                         goto fail;
2977                 }
2978
2979                 if (map_acl_perms_to_permset(p_ace->perms, &the_permset) == -1) {
2980                         DEBUG(0,("set_canon_ace_list: Failed to create permset for mode (%u) on entry %d. (%s)\n",
2981                                 (unsigned int)p_ace->perms, i, strerror(errno) ));
2982                         goto fail;
2983                 }
2984
2985                 /*
2986                  * ..and apply them to the entry.
2987                  */
2988
2989                 if (sys_acl_set_permset(the_entry, the_permset) == -1) {
2990                         DEBUG(0,("set_canon_ace_list: Failed to add permset on entry %d. (%s)\n",
2991                                 i, strerror(errno) ));
2992                         goto fail;
2993                 }
2994
2995                 if( DEBUGLVL( 10 ))
2996                         print_canon_ace( p_ace, i);
2997
2998         }
2999
3000         if (needs_mask && !got_mask_entry) {
3001                 if (sys_acl_create_entry(&the_acl, &mask_entry) == -1) {
3002                         DEBUG(0,("set_canon_ace_list: Failed to create mask entry. (%s)\n", strerror(errno) ));
3003                         goto fail;
3004                 }
3005
3006                 if (sys_acl_set_tag_type(mask_entry, SMB_ACL_MASK) == -1) {
3007                         DEBUG(0,("set_canon_ace_list: Failed to set tag type on mask entry. (%s)\n",strerror(errno) ));
3008                         goto fail;
3009                 }
3010
3011                 if (sys_acl_get_permset(mask_entry, &mask_permset) == -1) {
3012                         DEBUG(0,("set_canon_ace_list: Failed to get mask permset. (%s)\n", strerror(errno) ));
3013                         goto fail;
3014                 }
3015
3016                 if (map_acl_perms_to_permset(S_IRUSR|S_IWUSR|S_IXUSR, &mask_permset) == -1) {
3017                         DEBUG(0,("set_canon_ace_list: Failed to create mask permset. (%s)\n", strerror(errno) ));
3018                         goto fail;
3019                 }
3020
3021                 if (sys_acl_set_permset(mask_entry, mask_permset) == -1) {
3022                         DEBUG(0,("set_canon_ace_list: Failed to add mask permset. (%s)\n", strerror(errno) ));
3023                         goto fail;
3024                 }
3025         }
3026
3027         /*
3028          * Finally apply it to the file or directory.
3029          */
3030
3031         if (default_ace || fsp->fsp_flags.is_directory || fsp->fh->fd == -1) {
3032                 if (SMB_VFS_SYS_ACL_SET_FILE(conn, fsp->fsp_name,
3033                                              the_acl_type, the_acl) == -1) {
3034                         /*
3035                          * Some systems allow all the above calls and only fail with no ACL support
3036                          * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
3037                          */
3038                         if (no_acl_syscall_error(errno)) {
3039                                 *pacl_set_support = False;
3040                         }
3041
3042                         if (acl_group_override(conn, fsp->fsp_name)) {
3043                                 int sret;
3044
3045                                 DEBUG(5,("set_canon_ace_list: acl group "
3046                                          "control on and current user in file "
3047                                          "%s primary group.\n",
3048                                          fsp_str_dbg(fsp)));
3049
3050                                 become_root();
3051                                 sret = SMB_VFS_SYS_ACL_SET_FILE(conn,
3052                                     fsp->fsp_name, the_acl_type,
3053                                     the_acl);
3054                                 unbecome_root();
3055                                 if (sret == 0) {
3056                                         ret = True;     
3057                                 }
3058                         }
3059
3060                         if (ret == False) {
3061                                 DEBUG(2,("set_canon_ace_list: "
3062                                          "sys_acl_set_file type %s failed for "
3063                                          "file %s (%s).\n",
3064                                          the_acl_type == SMB_ACL_TYPE_DEFAULT ?
3065                                          "directory default" : "file",
3066                                          fsp_str_dbg(fsp), strerror(errno)));
3067                                 goto fail;
3068                         }
3069                 }
3070         } else {
3071                 if (SMB_VFS_SYS_ACL_SET_FD(fsp, the_acl) == -1) {
3072                         /*
3073                          * Some systems allow all the above calls and only fail with no ACL support
3074                          * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
3075                          */
3076                         if (no_acl_syscall_error(errno)) {
3077                                 *pacl_set_support = False;
3078                         }
3079
3080                         if (acl_group_override(conn, fsp->fsp_name)) {
3081                                 int sret;
3082
3083                                 DEBUG(5,("set_canon_ace_list: acl group "
3084                                          "control on and current user in file "
3085                                          "%s primary group.\n",
3086                                          fsp_str_dbg(fsp)));
3087
3088                                 become_root();
3089                                 sret = SMB_VFS_SYS_ACL_SET_FD(fsp, the_acl);
3090                                 unbecome_root();
3091                                 if (sret == 0) {
3092                                         ret = True;
3093                                 }
3094                         }
3095
3096                         if (ret == False) {
3097                                 DEBUG(2,("set_canon_ace_list: "
3098                                          "sys_acl_set_file failed for file %s "
3099                                          "(%s).\n",
3100                                          fsp_str_dbg(fsp), strerror(errno)));
3101                                 goto fail;
3102                         }
3103                 }
3104         }
3105
3106         ret = True;
3107
3108   fail:
3109
3110         if (the_acl != NULL) {
3111                 TALLOC_FREE(the_acl);
3112         }
3113
3114         return ret;
3115 }
3116
3117 /****************************************************************************
3118  
3119 ****************************************************************************/
3120
3121 SMB_ACL_T free_empty_sys_acl(connection_struct *conn, SMB_ACL_T the_acl)
3122 {
3123         SMB_ACL_ENTRY_T entry;
3124
3125         if (!the_acl)
3126                 return NULL;
3127         if (sys_acl_get_entry(the_acl, SMB_ACL_FIRST_ENTRY, &entry) != 1) {
3128                 TALLOC_FREE(the_acl);
3129                 return NULL;
3130         }
3131         return the_acl;
3132 }
3133
3134 /****************************************************************************
3135  Convert a canon_ace to a generic 3 element permission - if possible.
3136 ****************************************************************************/
3137
3138 #define MAP_PERM(p,mask,result) (((p) & (mask)) ? (result) : 0 )
3139
3140 static bool convert_canon_ace_to_posix_perms( files_struct *fsp, canon_ace *file_ace_list, mode_t *posix_perms)
3141 {
3142         size_t ace_count = count_canon_ace_list(file_ace_list);
3143         canon_ace *ace_p;
3144         canon_ace *owner_ace = NULL;
3145         canon_ace *group_ace = NULL;
3146         canon_ace *other_ace = NULL;
3147
3148         if (ace_count > 5) {
3149                 DEBUG(3,("convert_canon_ace_to_posix_perms: Too many ACE "
3150                          "entries for file %s to convert to posix perms.\n",
3151                          fsp_str_dbg(fsp)));
3152                 return False;
3153         }
3154
3155         for (ace_p = file_ace_list; ace_p; ace_p = ace_p->next) {
3156                 if (ace_p->owner_type == UID_ACE)
3157                         owner_ace = ace_p;
3158                 else if (ace_p->owner_type == GID_ACE)
3159                         group_ace = ace_p;
3160                 else if (ace_p->owner_type == WORLD_ACE)
3161                         other_ace =&n