7479aea0762d3144424d69306a6890698658bbe4
[samba.git] / source3 / smbd / posix_acls.c
1 /*
2    Unix SMB/CIFS implementation.
3    SMB NT Security Descriptor / Unix permission conversion.
4    Copyright (C) Jeremy Allison 1994-2000.
5    Copyright (C) Andreas Gruenbacher 2002.
6
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License as published by
9    the Free Software Foundation; either version 3 of the License, or
10    (at your option) any later version.
11
12    This program is distributed in the hope that it will be useful,
13    but WITHOUT ANY WARRANTY; without even the implied warranty of
14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15    GNU General Public License for more details.
16
17    You should have received a copy of the GNU General Public License
18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22
23 extern struct current_user current_user;
24 extern const struct generic_mapping file_generic_mapping;
25
26 #undef  DBGC_CLASS
27 #define DBGC_CLASS DBGC_ACLS
28
29 /****************************************************************************
30  Data structures representing the internal ACE format.
31 ****************************************************************************/
32
33 enum ace_owner {UID_ACE, GID_ACE, WORLD_ACE};
34 enum ace_attribute {ALLOW_ACE, DENY_ACE}; /* Used for incoming NT ACLS. */
35
36 typedef union posix_id {
37                 uid_t uid;
38                 gid_t gid;
39                 int world;
40 } posix_id;
41
42 typedef struct canon_ace {
43         struct canon_ace *next, *prev;
44         SMB_ACL_TAG_T type;
45         mode_t perms; /* Only use S_I(R|W|X)USR mode bits here. */
46         DOM_SID trustee;
47         enum ace_owner owner_type;
48         enum ace_attribute attr;
49         posix_id unix_ug;
50         bool inherited;
51 } canon_ace;
52
53 #define ALL_ACE_PERMS (S_IRUSR|S_IWUSR|S_IXUSR)
54
55 /*
56  * EA format of user.SAMBA_PAI (Samba_Posix_Acl_Interitance)
57  * attribute on disk.
58  *
59  * |  1   |  1   |   2         |         2           |  .... 
60  * +------+------+-------------+---------------------+-------------+--------------------+
61  * | vers | flag | num_entries | num_default_entries | ..entries.. | default_entries... |
62  * +------+------+-------------+---------------------+-------------+--------------------+
63  */
64
65 #define PAI_VERSION_OFFSET      0
66 #define PAI_FLAG_OFFSET         1
67 #define PAI_NUM_ENTRIES_OFFSET  2
68 #define PAI_NUM_DEFAULT_ENTRIES_OFFSET  4
69 #define PAI_ENTRIES_BASE        6
70
71 #define PAI_VERSION             1
72 #define PAI_ACL_FLAG_PROTECTED  0x1
73 #define PAI_ENTRY_LENGTH        5
74
75 /*
76  * In memory format of user.SAMBA_PAI attribute.
77  */
78
79 struct pai_entry {
80         struct pai_entry *next, *prev;
81         enum ace_owner owner_type;
82         posix_id unix_ug;
83 };
84
85 struct pai_val {
86         bool pai_protected;
87         unsigned int num_entries;
88         struct pai_entry *entry_list;
89         unsigned int num_def_entries;
90         struct pai_entry *def_entry_list;
91 };
92
93 /************************************************************************
94  Return a uint32 of the pai_entry principal.
95 ************************************************************************/
96
97 static uint32 get_pai_entry_val(struct pai_entry *paie)
98 {
99         switch (paie->owner_type) {
100                 case UID_ACE:
101                         DEBUG(10,("get_pai_entry_val: uid = %u\n", (unsigned int)paie->unix_ug.uid ));
102                         return (uint32)paie->unix_ug.uid;
103                 case GID_ACE:
104                         DEBUG(10,("get_pai_entry_val: gid = %u\n", (unsigned int)paie->unix_ug.gid ));
105                         return (uint32)paie->unix_ug.gid;
106                 case WORLD_ACE:
107                 default:
108                         DEBUG(10,("get_pai_entry_val: world ace\n"));
109                         return (uint32)-1;
110         }
111 }
112
113 /************************************************************************
114  Return a uint32 of the entry principal.
115 ************************************************************************/
116
117 static uint32 get_entry_val(canon_ace *ace_entry)
118 {
119         switch (ace_entry->owner_type) {
120                 case UID_ACE:
121                         DEBUG(10,("get_entry_val: uid = %u\n", (unsigned int)ace_entry->unix_ug.uid ));
122                         return (uint32)ace_entry->unix_ug.uid;
123                 case GID_ACE:
124                         DEBUG(10,("get_entry_val: gid = %u\n", (unsigned int)ace_entry->unix_ug.gid ));
125                         return (uint32)ace_entry->unix_ug.gid;
126                 case WORLD_ACE:
127                 default:
128                         DEBUG(10,("get_entry_val: world ace\n"));
129                         return (uint32)-1;
130         }
131 }
132
133 /************************************************************************
134  Count the inherited entries.
135 ************************************************************************/
136
137 static unsigned int num_inherited_entries(canon_ace *ace_list)
138 {
139         unsigned int num_entries = 0;
140
141         for (; ace_list; ace_list = ace_list->next)
142                 if (ace_list->inherited)
143                         num_entries++;
144         return num_entries;
145 }
146
147 /************************************************************************
148  Create the on-disk format. Caller must free.
149 ************************************************************************/
150
151 static char *create_pai_buf(canon_ace *file_ace_list, canon_ace *dir_ace_list, bool pai_protected, size_t *store_size)
152 {
153         char *pai_buf = NULL;
154         canon_ace *ace_list = NULL;
155         char *entry_offset = NULL;
156         unsigned int num_entries = 0;
157         unsigned int num_def_entries = 0;
158
159         for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next)
160                 if (ace_list->inherited)
161                         num_entries++;
162
163         for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next)
164                 if (ace_list->inherited)
165                         num_def_entries++;
166
167         DEBUG(10,("create_pai_buf: num_entries = %u, num_def_entries = %u\n", num_entries, num_def_entries ));
168
169         *store_size = PAI_ENTRIES_BASE + ((num_entries + num_def_entries)*PAI_ENTRY_LENGTH);
170
171         pai_buf = (char *)SMB_MALLOC(*store_size);
172         if (!pai_buf) {
173                 return NULL;
174         }
175
176         /* Set up the header. */
177         memset(pai_buf, '\0', PAI_ENTRIES_BASE);
178         SCVAL(pai_buf,PAI_VERSION_OFFSET,PAI_VERSION);
179         SCVAL(pai_buf,PAI_FLAG_OFFSET,(pai_protected ? PAI_ACL_FLAG_PROTECTED : 0));
180         SSVAL(pai_buf,PAI_NUM_ENTRIES_OFFSET,num_entries);
181         SSVAL(pai_buf,PAI_NUM_DEFAULT_ENTRIES_OFFSET,num_def_entries);
182
183         entry_offset = pai_buf + PAI_ENTRIES_BASE;
184
185         for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next) {
186                 if (ace_list->inherited) {
187                         uint8 type_val = (unsigned char)ace_list->owner_type;
188                         uint32 entry_val = get_entry_val(ace_list);
189
190                         SCVAL(entry_offset,0,type_val);
191                         SIVAL(entry_offset,1,entry_val);
192                         entry_offset += PAI_ENTRY_LENGTH;
193                 }
194         }
195
196         for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next) {
197                 if (ace_list->inherited) {
198                         uint8 type_val = (unsigned char)ace_list->owner_type;
199                         uint32 entry_val = get_entry_val(ace_list);
200
201                         SCVAL(entry_offset,0,type_val);
202                         SIVAL(entry_offset,1,entry_val);
203                         entry_offset += PAI_ENTRY_LENGTH;
204                 }
205         }
206
207         return pai_buf;
208 }
209
210 /************************************************************************
211  Store the user.SAMBA_PAI attribute on disk.
212 ************************************************************************/
213
214 static void store_inheritance_attributes(files_struct *fsp, canon_ace *file_ace_list,
215                                         canon_ace *dir_ace_list, bool pai_protected)
216 {
217         int ret;
218         size_t store_size;
219         char *pai_buf;
220
221         if (!lp_map_acl_inherit(SNUM(fsp->conn)))
222                 return;
223
224         /*
225          * Don't store if this ACL isn't protected and
226          * none of the entries in it are marked as inherited.
227          */
228
229         if (!pai_protected && num_inherited_entries(file_ace_list) == 0 && num_inherited_entries(dir_ace_list) == 0) {
230                 /* Instead just remove the attribute if it exists. */
231                 if (fsp->fh->fd != -1)
232                         SMB_VFS_FREMOVEXATTR(fsp, SAMBA_POSIX_INHERITANCE_EA_NAME);
233                 else
234                         SMB_VFS_REMOVEXATTR(fsp->conn, fsp->fsp_name, SAMBA_POSIX_INHERITANCE_EA_NAME);
235                 return;
236         }
237
238         pai_buf = create_pai_buf(file_ace_list, dir_ace_list, pai_protected, &store_size);
239
240         if (fsp->fh->fd != -1)
241                 ret = SMB_VFS_FSETXATTR(fsp, SAMBA_POSIX_INHERITANCE_EA_NAME,
242                                 pai_buf, store_size, 0);
243         else
244                 ret = SMB_VFS_SETXATTR(fsp->conn,fsp->fsp_name, SAMBA_POSIX_INHERITANCE_EA_NAME,
245                                 pai_buf, store_size, 0);
246
247         SAFE_FREE(pai_buf);
248
249         DEBUG(10,("store_inheritance_attribute:%s for file %s\n", pai_protected ? " (protected)" : "", fsp->fsp_name));
250         if (ret == -1 && !no_acl_syscall_error(errno))
251                 DEBUG(1,("store_inheritance_attribute: Error %s\n", strerror(errno) ));
252 }
253
254 /************************************************************************
255  Delete the in memory inheritance info.
256 ************************************************************************/
257
258 static void free_inherited_info(struct pai_val *pal)
259 {
260         if (pal) {
261                 struct pai_entry *paie, *paie_next;
262                 for (paie = pal->entry_list; paie; paie = paie_next) {
263                         paie_next = paie->next;
264                         SAFE_FREE(paie);
265                 }
266                 for (paie = pal->def_entry_list; paie; paie = paie_next) {
267                         paie_next = paie->next;
268                         SAFE_FREE(paie);
269                 }
270                 SAFE_FREE(pal);
271         }
272 }
273
274 /************************************************************************
275  Was this ACL protected ?
276 ************************************************************************/
277
278 static bool get_protected_flag(struct pai_val *pal)
279 {
280         if (!pal)
281                 return False;
282         return pal->pai_protected;
283 }
284
285 /************************************************************************
286  Was this ACE inherited ?
287 ************************************************************************/
288
289 static bool get_inherited_flag(struct pai_val *pal, canon_ace *ace_entry, bool default_ace)
290 {
291         struct pai_entry *paie;
292
293         if (!pal)
294                 return False;
295
296         /* If the entry exists it is inherited. */
297         for (paie = (default_ace ? pal->def_entry_list : pal->entry_list); paie; paie = paie->next) {
298                 if (ace_entry->owner_type == paie->owner_type &&
299                                 get_entry_val(ace_entry) == get_pai_entry_val(paie))
300                         return True;
301         }
302         return False;
303 }
304
305 /************************************************************************
306  Ensure an attribute just read is valid.
307 ************************************************************************/
308
309 static bool check_pai_ok(char *pai_buf, size_t pai_buf_data_size)
310 {
311         uint16 num_entries;
312         uint16 num_def_entries;
313
314         if (pai_buf_data_size < PAI_ENTRIES_BASE) {
315                 /* Corrupted - too small. */
316                 return False;
317         }
318
319         if (CVAL(pai_buf,PAI_VERSION_OFFSET) != PAI_VERSION)
320                 return False;
321
322         num_entries = SVAL(pai_buf,PAI_NUM_ENTRIES_OFFSET);
323         num_def_entries = SVAL(pai_buf,PAI_NUM_DEFAULT_ENTRIES_OFFSET);
324
325         /* Check the entry lists match. */
326         /* Each entry is 5 bytes (type plus 4 bytes of uid or gid). */
327
328         if (((num_entries + num_def_entries)*PAI_ENTRY_LENGTH) + PAI_ENTRIES_BASE != pai_buf_data_size)
329                 return False;
330
331         return True;
332 }
333
334
335 /************************************************************************
336  Convert to in-memory format.
337 ************************************************************************/
338
339 static struct pai_val *create_pai_val(char *buf, size_t size)
340 {
341         char *entry_offset;
342         struct pai_val *paiv = NULL;
343         int i;
344
345         if (!check_pai_ok(buf, size))
346                 return NULL;
347
348         paiv = SMB_MALLOC_P(struct pai_val);
349         if (!paiv)
350                 return NULL;
351
352         memset(paiv, '\0', sizeof(struct pai_val));
353
354         paiv->pai_protected = (CVAL(buf,PAI_FLAG_OFFSET) == PAI_ACL_FLAG_PROTECTED);
355
356         paiv->num_entries = SVAL(buf,PAI_NUM_ENTRIES_OFFSET);
357         paiv->num_def_entries = SVAL(buf,PAI_NUM_DEFAULT_ENTRIES_OFFSET);
358
359         entry_offset = buf + PAI_ENTRIES_BASE;
360
361         DEBUG(10,("create_pai_val:%s num_entries = %u, num_def_entries = %u\n",
362                         paiv->pai_protected ? " (pai_protected)" : "", paiv->num_entries, paiv->num_def_entries ));
363
364         for (i = 0; i < paiv->num_entries; i++) {
365                 struct pai_entry *paie;
366
367                 paie = SMB_MALLOC_P(struct pai_entry);
368                 if (!paie) {
369                         free_inherited_info(paiv);
370                         return NULL;
371                 }
372
373                 paie->owner_type = (enum ace_owner)CVAL(entry_offset,0);
374                 switch( paie->owner_type) {
375                         case UID_ACE:
376                                 paie->unix_ug.uid = (uid_t)IVAL(entry_offset,1);
377                                 DEBUG(10,("create_pai_val: uid = %u\n", (unsigned int)paie->unix_ug.uid ));
378                                 break;
379                         case GID_ACE:
380                                 paie->unix_ug.gid = (gid_t)IVAL(entry_offset,1);
381                                 DEBUG(10,("create_pai_val: gid = %u\n", (unsigned int)paie->unix_ug.gid ));
382                                 break;
383                         case WORLD_ACE:
384                                 paie->unix_ug.world = -1;
385                                 DEBUG(10,("create_pai_val: world ace\n"));
386                                 break;
387                         default:
388                                 free_inherited_info(paiv);
389                                 return NULL;
390                 }
391                 entry_offset += PAI_ENTRY_LENGTH;
392                 DLIST_ADD(paiv->entry_list, paie);
393         }
394
395         for (i = 0; i < paiv->num_def_entries; i++) {
396                 struct pai_entry *paie;
397
398                 paie = SMB_MALLOC_P(struct pai_entry);
399                 if (!paie) {
400                         free_inherited_info(paiv);
401                         return NULL;
402                 }
403
404                 paie->owner_type = (enum ace_owner)CVAL(entry_offset,0);
405                 switch( paie->owner_type) {
406                         case UID_ACE:
407                                 paie->unix_ug.uid = (uid_t)IVAL(entry_offset,1);
408                                 DEBUG(10,("create_pai_val: (def) uid = %u\n", (unsigned int)paie->unix_ug.uid ));
409                                 break;
410                         case GID_ACE:
411                                 paie->unix_ug.gid = (gid_t)IVAL(entry_offset,1);
412                                 DEBUG(10,("create_pai_val: (def) gid = %u\n", (unsigned int)paie->unix_ug.gid ));
413                                 break;
414                         case WORLD_ACE:
415                                 paie->unix_ug.world = -1;
416                                 DEBUG(10,("create_pai_val: (def) world ace\n"));
417                                 break;
418                         default:
419                                 free_inherited_info(paiv);
420                                 return NULL;
421                 }
422                 entry_offset += PAI_ENTRY_LENGTH;
423                 DLIST_ADD(paiv->def_entry_list, paie);
424         }
425
426         return paiv;
427 }
428
429 /************************************************************************
430  Load the user.SAMBA_PAI attribute.
431 ************************************************************************/
432
433 static struct pai_val *fload_inherited_info(files_struct *fsp)
434 {
435         char *pai_buf;
436         size_t pai_buf_size = 1024;
437         struct pai_val *paiv = NULL;
438         ssize_t ret;
439
440         if (!lp_map_acl_inherit(SNUM(fsp->conn)))
441                 return NULL;
442
443         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL)
444                 return NULL;
445
446         do {
447                 if (fsp->fh->fd != -1)
448                         ret = SMB_VFS_FGETXATTR(fsp, SAMBA_POSIX_INHERITANCE_EA_NAME,
449                                         pai_buf, pai_buf_size);
450                 else
451                         ret = SMB_VFS_GETXATTR(fsp->conn,fsp->fsp_name,SAMBA_POSIX_INHERITANCE_EA_NAME,
452                                         pai_buf, pai_buf_size);
453
454                 if (ret == -1) {
455                         if (errno != ERANGE) {
456                                 break;
457                         }
458                         /* Buffer too small - enlarge it. */
459                         pai_buf_size *= 2;
460                         SAFE_FREE(pai_buf);
461                         if (pai_buf_size > 1024*1024) {
462                                 return NULL; /* Limit malloc to 1mb. */
463                         }
464                         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL)
465                                 return NULL;
466                 }
467         } while (ret == -1);
468
469         DEBUG(10,("load_inherited_info: ret = %lu for file %s\n", (unsigned long)ret, fsp->fsp_name));
470
471         if (ret == -1) {
472                 /* No attribute or not supported. */
473 #if defined(ENOATTR)
474                 if (errno != ENOATTR)
475                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
476 #else
477                 if (errno != ENOSYS)
478                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
479 #endif
480                 SAFE_FREE(pai_buf);
481                 return NULL;
482         }
483
484         paiv = create_pai_val(pai_buf, ret);
485
486         if (paiv && paiv->pai_protected)
487                 DEBUG(10,("load_inherited_info: ACL is protected for file %s\n", fsp->fsp_name));
488
489         SAFE_FREE(pai_buf);
490         return paiv;
491 }
492
493 /************************************************************************
494  Load the user.SAMBA_PAI attribute.
495 ************************************************************************/
496
497 static struct pai_val *load_inherited_info(const struct connection_struct *conn,
498                                            const char *fname)
499 {
500         char *pai_buf;
501         size_t pai_buf_size = 1024;
502         struct pai_val *paiv = NULL;
503         ssize_t ret;
504
505         if (!lp_map_acl_inherit(SNUM(conn))) {
506                 return NULL;
507         }
508
509         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL) {
510                 return NULL;
511         }
512
513         do {
514                 ret = SMB_VFS_GETXATTR(conn, fname,
515                                        SAMBA_POSIX_INHERITANCE_EA_NAME,
516                                        pai_buf, pai_buf_size);
517
518                 if (ret == -1) {
519                         if (errno != ERANGE) {
520                                 break;
521                         }
522                         /* Buffer too small - enlarge it. */
523                         pai_buf_size *= 2;
524                         SAFE_FREE(pai_buf);
525                         if (pai_buf_size > 1024*1024) {
526                                 return NULL; /* Limit malloc to 1mb. */
527                         }
528                         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL)
529                                 return NULL;
530                 }
531         } while (ret == -1);
532
533         DEBUG(10,("load_inherited_info: ret = %lu for file %s\n", (unsigned long)ret, fname));
534
535         if (ret == -1) {
536                 /* No attribute or not supported. */
537 #if defined(ENOATTR)
538                 if (errno != ENOATTR)
539                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
540 #else
541                 if (errno != ENOSYS)
542                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
543 #endif
544                 SAFE_FREE(pai_buf);
545                 return NULL;
546         }
547
548         paiv = create_pai_val(pai_buf, ret);
549
550         if (paiv && paiv->pai_protected) {
551                 DEBUG(10,("load_inherited_info: ACL is protected for file %s\n", fname));
552         }
553
554         SAFE_FREE(pai_buf);
555         return paiv;
556 }
557
558 /****************************************************************************
559  Functions to manipulate the internal ACE format.
560 ****************************************************************************/
561
562 /****************************************************************************
563  Count a linked list of canonical ACE entries.
564 ****************************************************************************/
565
566 static size_t count_canon_ace_list( canon_ace *list_head )
567 {
568         size_t count = 0;
569         canon_ace *ace;
570
571         for (ace = list_head; ace; ace = ace->next)
572                 count++;
573
574         return count;
575 }
576
577 /****************************************************************************
578  Free a linked list of canonical ACE entries.
579 ****************************************************************************/
580
581 static void free_canon_ace_list( canon_ace *list_head )
582 {
583         canon_ace *list, *next;
584
585         for (list = list_head; list; list = next) {
586                 next = list->next;
587                 DLIST_REMOVE(list_head, list);
588                 SAFE_FREE(list);
589         }
590 }
591
592 /****************************************************************************
593  Function to duplicate a canon_ace entry.
594 ****************************************************************************/
595
596 static canon_ace *dup_canon_ace( canon_ace *src_ace)
597 {
598         canon_ace *dst_ace = SMB_MALLOC_P(canon_ace);
599
600         if (dst_ace == NULL)
601                 return NULL;
602
603         *dst_ace = *src_ace;
604         dst_ace->prev = dst_ace->next = NULL;
605         return dst_ace;
606 }
607
608 /****************************************************************************
609  Print out a canon ace.
610 ****************************************************************************/
611
612 static void print_canon_ace(canon_ace *pace, int num)
613 {
614         dbgtext( "canon_ace index %d. Type = %s ", num, pace->attr == ALLOW_ACE ? "allow" : "deny" );
615         dbgtext( "SID = %s ", sid_string_dbg(&pace->trustee));
616         if (pace->owner_type == UID_ACE) {
617                 const char *u_name = uidtoname(pace->unix_ug.uid);
618                 dbgtext( "uid %u (%s) ", (unsigned int)pace->unix_ug.uid, u_name );
619         } else if (pace->owner_type == GID_ACE) {
620                 char *g_name = gidtoname(pace->unix_ug.gid);
621                 dbgtext( "gid %u (%s) ", (unsigned int)pace->unix_ug.gid, g_name );
622         } else
623                 dbgtext( "other ");
624         switch (pace->type) {
625                 case SMB_ACL_USER:
626                         dbgtext( "SMB_ACL_USER ");
627                         break;
628                 case SMB_ACL_USER_OBJ:
629                         dbgtext( "SMB_ACL_USER_OBJ ");
630                         break;
631                 case SMB_ACL_GROUP:
632                         dbgtext( "SMB_ACL_GROUP ");
633                         break;
634                 case SMB_ACL_GROUP_OBJ:
635                         dbgtext( "SMB_ACL_GROUP_OBJ ");
636                         break;
637                 case SMB_ACL_OTHER:
638                         dbgtext( "SMB_ACL_OTHER ");
639                         break;
640                 default:
641                         dbgtext( "MASK " );
642                         break;
643         }
644         if (pace->inherited)
645                 dbgtext( "(inherited) ");
646         dbgtext( "perms ");
647         dbgtext( "%c", pace->perms & S_IRUSR ? 'r' : '-');
648         dbgtext( "%c", pace->perms & S_IWUSR ? 'w' : '-');
649         dbgtext( "%c\n", pace->perms & S_IXUSR ? 'x' : '-');
650 }
651
652 /****************************************************************************
653  Print out a canon ace list.
654 ****************************************************************************/
655
656 static void print_canon_ace_list(const char *name, canon_ace *ace_list)
657 {
658         int count = 0;
659
660         if( DEBUGLVL( 10 )) {
661                 dbgtext( "print_canon_ace_list: %s\n", name );
662                 for (;ace_list; ace_list = ace_list->next, count++)
663                         print_canon_ace(ace_list, count );
664         }
665 }
666
667 /****************************************************************************
668  Map POSIX ACL perms to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
669 ****************************************************************************/
670
671 static mode_t convert_permset_to_mode_t(connection_struct *conn, SMB_ACL_PERMSET_T permset)
672 {
673         mode_t ret = 0;
674
675         ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_READ) ? S_IRUSR : 0);
676         ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_WRITE) ? S_IWUSR : 0);
677         ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_EXECUTE) ? S_IXUSR : 0);
678
679         return ret;
680 }
681
682 /****************************************************************************
683  Map generic UNIX permissions to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
684 ****************************************************************************/
685
686 static mode_t unix_perms_to_acl_perms(mode_t mode, int r_mask, int w_mask, int x_mask)
687 {
688         mode_t ret = 0;
689
690         if (mode & r_mask)
691                 ret |= S_IRUSR;
692         if (mode & w_mask)
693                 ret |= S_IWUSR;
694         if (mode & x_mask)
695                 ret |= S_IXUSR;
696
697         return ret;
698 }
699
700 /****************************************************************************
701  Map canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits) to
702  an SMB_ACL_PERMSET_T.
703 ****************************************************************************/
704
705 static int map_acl_perms_to_permset(connection_struct *conn, mode_t mode, SMB_ACL_PERMSET_T *p_permset)
706 {
707         if (SMB_VFS_SYS_ACL_CLEAR_PERMS(conn, *p_permset) ==  -1)
708                 return -1;
709         if (mode & S_IRUSR) {
710                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_READ) == -1)
711                         return -1;
712         }
713         if (mode & S_IWUSR) {
714                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_WRITE) == -1)
715                         return -1;
716         }
717         if (mode & S_IXUSR) {
718                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_EXECUTE) == -1)
719                         return -1;
720         }
721         return 0;
722 }
723
724 /****************************************************************************
725  Function to create owner and group SIDs from a SMB_STRUCT_STAT.
726 ****************************************************************************/
727
728 static void create_file_sids(const SMB_STRUCT_STAT *psbuf, DOM_SID *powner_sid, DOM_SID *pgroup_sid)
729 {
730         uid_to_sid( powner_sid, psbuf->st_uid );
731         gid_to_sid( pgroup_sid, psbuf->st_gid );
732 }
733
734 /****************************************************************************
735  Is the identity in two ACEs equal ? Check both SID and uid/gid.
736 ****************************************************************************/
737
738 static bool identity_in_ace_equal(canon_ace *ace1, canon_ace *ace2)
739 {
740         if (sid_equal(&ace1->trustee, &ace2->trustee)) {
741                 return True;
742         }
743         if (ace1->owner_type == ace2->owner_type) {
744                 if (ace1->owner_type == UID_ACE &&
745                                 ace1->unix_ug.uid == ace2->unix_ug.uid) {
746                         return True;
747                 } else if (ace1->owner_type == GID_ACE &&
748                                 ace1->unix_ug.gid == ace2->unix_ug.gid) {
749                         return True;
750                 }
751         }
752         return False;
753 }
754
755 /****************************************************************************
756  Merge aces with a common sid - if both are allow or deny, OR the permissions together and
757  delete the second one. If the first is deny, mask the permissions off and delete the allow
758  if the permissions become zero, delete the deny if the permissions are non zero.
759 ****************************************************************************/
760
761 static void merge_aces( canon_ace **pp_list_head )
762 {
763         canon_ace *list_head = *pp_list_head;
764         canon_ace *curr_ace_outer;
765         canon_ace *curr_ace_outer_next;
766
767         /*
768          * First, merge allow entries with identical SIDs, and deny entries
769          * with identical SIDs.
770          */
771
772         for (curr_ace_outer = list_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
773                 canon_ace *curr_ace;
774                 canon_ace *curr_ace_next;
775
776                 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
777
778                 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
779
780                         curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
781
782                         if (identity_in_ace_equal(curr_ace, curr_ace_outer) &&
783                                 (curr_ace->attr == curr_ace_outer->attr)) {
784
785                                 if( DEBUGLVL( 10 )) {
786                                         dbgtext("merge_aces: Merging ACE's\n");
787                                         print_canon_ace( curr_ace_outer, 0);
788                                         print_canon_ace( curr_ace, 0);
789                                 }
790
791                                 /* Merge two allow or two deny ACE's. */
792
793                                 curr_ace_outer->perms |= curr_ace->perms;
794                                 DLIST_REMOVE(list_head, curr_ace);
795                                 SAFE_FREE(curr_ace);
796                                 curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
797                         }
798                 }
799         }
800
801         /*
802          * Now go through and mask off allow permissions with deny permissions.
803          * We can delete either the allow or deny here as we know that each SID
804          * appears only once in the list.
805          */
806
807         for (curr_ace_outer = list_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
808                 canon_ace *curr_ace;
809                 canon_ace *curr_ace_next;
810
811                 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
812
813                 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
814
815                         curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
816
817                         /*
818                          * Subtract ACE's with different entries. Due to the ordering constraints
819                          * we've put on the ACL, we know the deny must be the first one.
820                          */
821
822                         if (identity_in_ace_equal(curr_ace, curr_ace_outer) &&
823                                 (curr_ace_outer->attr == DENY_ACE) && (curr_ace->attr == ALLOW_ACE)) {
824
825                                 if( DEBUGLVL( 10 )) {
826                                         dbgtext("merge_aces: Masking ACE's\n");
827                                         print_canon_ace( curr_ace_outer, 0);
828                                         print_canon_ace( curr_ace, 0);
829                                 }
830
831                                 curr_ace->perms &= ~curr_ace_outer->perms;
832
833                                 if (curr_ace->perms == 0) {
834
835                                         /*
836                                          * The deny overrides the allow. Remove the allow.
837                                          */
838
839                                         DLIST_REMOVE(list_head, curr_ace);
840                                         SAFE_FREE(curr_ace);
841                                         curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
842
843                                 } else {
844
845                                         /*
846                                          * Even after removing permissions, there
847                                          * are still allow permissions - delete the deny.
848                                          * It is safe to delete the deny here,
849                                          * as we are guarenteed by the deny first
850                                          * ordering that all the deny entries for
851                                          * this SID have already been merged into one
852                                          * before we can get to an allow ace.
853                                          */
854
855                                         DLIST_REMOVE(list_head, curr_ace_outer);
856                                         SAFE_FREE(curr_ace_outer);
857                                         break;
858                                 }
859                         }
860
861                 } /* end for curr_ace */
862         } /* end for curr_ace_outer */
863
864         /* We may have modified the list. */
865
866         *pp_list_head = list_head;
867 }
868
869 /****************************************************************************
870  Check if we need to return NT4.x compatible ACL entries.
871 ****************************************************************************/
872
873 static bool nt4_compatible_acls(void)
874 {
875         int compat = lp_acl_compatibility();
876
877         if (compat == ACL_COMPAT_AUTO) {
878                 enum remote_arch_types ra_type = get_remote_arch();
879
880                 /* Automatically adapt to client */
881                 return (ra_type <= RA_WINNT);
882         } else
883                 return (compat == ACL_COMPAT_WINNT);
884 }
885
886
887 /****************************************************************************
888  Map canon_ace perms to permission bits NT.
889  The attr element is not used here - we only process deny entries on set,
890  not get. Deny entries are implicit on get with ace->perms = 0.
891 ****************************************************************************/
892
893 static SEC_ACCESS map_canon_ace_perms(int snum,
894                                 enum security_ace_type *pacl_type,
895                                 mode_t perms,
896                                 bool directory_ace)
897 {
898         SEC_ACCESS sa;
899         uint32 nt_mask = 0;
900
901         *pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED;
902
903         if (lp_acl_map_full_control(snum) && ((perms & ALL_ACE_PERMS) == ALL_ACE_PERMS)) {
904                 if (directory_ace) {
905                         nt_mask = UNIX_DIRECTORY_ACCESS_RWX;
906                 } else {
907                         nt_mask = (UNIX_ACCESS_RWX & ~DELETE_ACCESS);
908                 }
909         } else if ((perms & ALL_ACE_PERMS) == (mode_t)0) {
910                 /*
911                  * Windows NT refuses to display ACEs with no permissions in them (but
912                  * they are perfectly legal with Windows 2000). If the ACE has empty
913                  * permissions we cannot use 0, so we use the otherwise unused
914                  * WRITE_OWNER permission, which we ignore when we set an ACL.
915                  * We abstract this into a #define of UNIX_ACCESS_NONE to allow this
916                  * to be changed in the future.
917                  */
918
919                 if (nt4_compatible_acls())
920                         nt_mask = UNIX_ACCESS_NONE;
921                 else
922                         nt_mask = 0;
923         } else {
924                 if (directory_ace) {
925                         nt_mask |= ((perms & S_IRUSR) ? UNIX_DIRECTORY_ACCESS_R : 0 );
926                         nt_mask |= ((perms & S_IWUSR) ? UNIX_DIRECTORY_ACCESS_W : 0 );
927                         nt_mask |= ((perms & S_IXUSR) ? UNIX_DIRECTORY_ACCESS_X : 0 );
928                 } else {
929                         nt_mask |= ((perms & S_IRUSR) ? UNIX_ACCESS_R : 0 );
930                         nt_mask |= ((perms & S_IWUSR) ? UNIX_ACCESS_W : 0 );
931                         nt_mask |= ((perms & S_IXUSR) ? UNIX_ACCESS_X : 0 );
932                 }
933         }
934
935         DEBUG(10,("map_canon_ace_perms: Mapped (UNIX) %x to (NT) %x\n",
936                         (unsigned int)perms, (unsigned int)nt_mask ));
937
938         init_sec_access(&sa,nt_mask);
939         return sa;
940 }
941
942 /****************************************************************************
943  Map NT perms to a UNIX mode_t.
944 ****************************************************************************/
945
946 #define FILE_SPECIFIC_READ_BITS (FILE_READ_DATA|FILE_READ_EA|FILE_READ_ATTRIBUTES)
947 #define FILE_SPECIFIC_WRITE_BITS (FILE_WRITE_DATA|FILE_APPEND_DATA|FILE_WRITE_EA|FILE_WRITE_ATTRIBUTES)
948 #define FILE_SPECIFIC_EXECUTE_BITS (FILE_EXECUTE)
949
950 static mode_t map_nt_perms( uint32 *mask, int type)
951 {
952         mode_t mode = 0;
953
954         switch(type) {
955         case S_IRUSR:
956                 if((*mask) & GENERIC_ALL_ACCESS)
957                         mode = S_IRUSR|S_IWUSR|S_IXUSR;
958                 else {
959                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRUSR : 0;
960                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWUSR : 0;
961                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXUSR : 0;
962                 }
963                 break;
964         case S_IRGRP:
965                 if((*mask) & GENERIC_ALL_ACCESS)
966                         mode = S_IRGRP|S_IWGRP|S_IXGRP;
967                 else {
968                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRGRP : 0;
969                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWGRP : 0;
970                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXGRP : 0;
971                 }
972                 break;
973         case S_IROTH:
974                 if((*mask) & GENERIC_ALL_ACCESS)
975                         mode = S_IROTH|S_IWOTH|S_IXOTH;
976                 else {
977                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IROTH : 0;
978                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWOTH : 0;
979                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXOTH : 0;
980                 }
981                 break;
982         }
983
984         return mode;
985 }
986
987 /****************************************************************************
988  Unpack a SEC_DESC into a UNIX owner and group.
989 ****************************************************************************/
990
991 NTSTATUS unpack_nt_owners(int snum, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, SEC_DESC *psd)
992 {
993         DOM_SID owner_sid;
994         DOM_SID grp_sid;
995
996         *puser = (uid_t)-1;
997         *pgrp = (gid_t)-1;
998
999         if(security_info_sent == 0) {
1000                 DEBUG(0,("unpack_nt_owners: no security info sent !\n"));
1001                 return NT_STATUS_OK;
1002         }
1003
1004         /*
1005          * Validate the owner and group SID's.
1006          */
1007
1008         memset(&owner_sid, '\0', sizeof(owner_sid));
1009         memset(&grp_sid, '\0', sizeof(grp_sid));
1010
1011         DEBUG(5,("unpack_nt_owners: validating owner_sids.\n"));
1012
1013         /*
1014          * Don't immediately fail if the owner sid cannot be validated.
1015          * This may be a group chown only set.
1016          */
1017
1018         if (security_info_sent & OWNER_SECURITY_INFORMATION) {
1019                 sid_copy(&owner_sid, psd->owner_sid);
1020                 if (!sid_to_uid(&owner_sid, puser)) {
1021                         if (lp_force_unknown_acl_user(snum)) {
1022                                 /* this allows take ownership to work
1023                                  * reasonably */
1024                                 *puser = current_user.ut.uid;
1025                         } else {
1026                                 DEBUG(3,("unpack_nt_owners: unable to validate"
1027                                          " owner sid for %s\n",
1028                                          sid_string_dbg(&owner_sid)));
1029                                 return NT_STATUS_INVALID_OWNER;
1030                         }
1031                 }
1032                 DEBUG(3,("unpack_nt_owners: owner sid mapped to uid %u\n",
1033                          (unsigned int)*puser ));
1034         }
1035
1036         /*
1037          * Don't immediately fail if the group sid cannot be validated.
1038          * This may be an owner chown only set.
1039          */
1040
1041         if (security_info_sent & GROUP_SECURITY_INFORMATION) {
1042                 sid_copy(&grp_sid, psd->group_sid);
1043                 if (!sid_to_gid( &grp_sid, pgrp)) {
1044                         if (lp_force_unknown_acl_user(snum)) {
1045                                 /* this allows take group ownership to work
1046                                  * reasonably */
1047                                 *pgrp = current_user.ut.gid;
1048                         } else {
1049                                 DEBUG(3,("unpack_nt_owners: unable to validate"
1050                                          " group sid.\n"));
1051                                 return NT_STATUS_INVALID_OWNER;
1052                         }
1053                 }
1054                 DEBUG(3,("unpack_nt_owners: group sid mapped to gid %u\n",
1055                          (unsigned int)*pgrp));
1056         }
1057
1058         DEBUG(5,("unpack_nt_owners: owner_sids validated.\n"));
1059
1060         return NT_STATUS_OK;
1061 }
1062
1063 /****************************************************************************
1064  Ensure the enforced permissions for this share apply.
1065 ****************************************************************************/
1066
1067 static void apply_default_perms(const struct share_params *params,
1068                                 const bool is_directory, canon_ace *pace,
1069                                 mode_t type)
1070 {
1071         mode_t and_bits = (mode_t)0;
1072         mode_t or_bits = (mode_t)0;
1073
1074         /* Get the initial bits to apply. */
1075
1076         if (is_directory) {
1077                 and_bits = lp_dir_security_mask(params->service);
1078                 or_bits = lp_force_dir_security_mode(params->service);
1079         } else {
1080                 and_bits = lp_security_mask(params->service);
1081                 or_bits = lp_force_security_mode(params->service);
1082         }
1083
1084         /* Now bounce them into the S_USR space. */     
1085         switch(type) {
1086         case S_IRUSR:
1087                 /* Ensure owner has read access. */
1088                 pace->perms |= S_IRUSR;
1089                 if (is_directory)
1090                         pace->perms |= (S_IWUSR|S_IXUSR);
1091                 and_bits = unix_perms_to_acl_perms(and_bits, S_IRUSR, S_IWUSR, S_IXUSR);
1092                 or_bits = unix_perms_to_acl_perms(or_bits, S_IRUSR, S_IWUSR, S_IXUSR);
1093                 break;
1094         case S_IRGRP:
1095                 and_bits = unix_perms_to_acl_perms(and_bits, S_IRGRP, S_IWGRP, S_IXGRP);
1096                 or_bits = unix_perms_to_acl_perms(or_bits, S_IRGRP, S_IWGRP, S_IXGRP);
1097                 break;
1098         case S_IROTH:
1099                 and_bits = unix_perms_to_acl_perms(and_bits, S_IROTH, S_IWOTH, S_IXOTH);
1100                 or_bits = unix_perms_to_acl_perms(or_bits, S_IROTH, S_IWOTH, S_IXOTH);
1101                 break;
1102         }
1103
1104         pace->perms = ((pace->perms & and_bits)|or_bits);
1105 }
1106
1107 /****************************************************************************
1108  Check if a given uid/SID is in a group gid/SID. This is probably very
1109  expensive and will need optimisation. A *lot* of optimisation :-). JRA.
1110 ****************************************************************************/
1111
1112 static bool uid_entry_in_group( canon_ace *uid_ace, canon_ace *group_ace )
1113 {
1114         const char *u_name = NULL;
1115
1116         /* "Everyone" always matches every uid. */
1117
1118         if (sid_equal(&group_ace->trustee, &global_sid_World))
1119                 return True;
1120
1121         /* Assume that the current user is in the current group (force group) */
1122
1123         if (uid_ace->unix_ug.uid == current_user.ut.uid && group_ace->unix_ug.gid == current_user.ut.gid)
1124                 return True;
1125
1126         /* u_name talloc'ed off tos. */
1127         u_name = uidtoname(uid_ace->unix_ug.uid);
1128         if (!u_name) {
1129                 return False;
1130         }
1131         return user_in_group_sid(u_name, &group_ace->trustee);
1132 }
1133
1134 /****************************************************************************
1135  A well formed POSIX file or default ACL has at least 3 entries, a 
1136  SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ.
1137  In addition, the owner must always have at least read access.
1138  When using this call on get_acl, the pst struct is valid and contains
1139  the mode of the file. When using this call on set_acl, the pst struct has
1140  been modified to have a mode containing the default for this file or directory
1141  type.
1142 ****************************************************************************/
1143
1144 static bool ensure_canon_entry_valid(canon_ace **pp_ace,
1145                                      const struct share_params *params,
1146                                      const bool is_directory,
1147                                                         const DOM_SID *pfile_owner_sid,
1148                                                         const DOM_SID *pfile_grp_sid,
1149                                                         const SMB_STRUCT_STAT *pst,
1150                                                         bool setting_acl)
1151 {
1152         canon_ace *pace;
1153         bool got_user = False;
1154         bool got_grp = False;
1155         bool got_other = False;
1156         canon_ace *pace_other = NULL;
1157
1158         for (pace = *pp_ace; pace; pace = pace->next) {
1159                 if (pace->type == SMB_ACL_USER_OBJ) {
1160
1161                         if (setting_acl)
1162                                 apply_default_perms(params, is_directory, pace, S_IRUSR);
1163                         got_user = True;
1164
1165                 } else if (pace->type == SMB_ACL_GROUP_OBJ) {
1166
1167                         /*
1168                          * Ensure create mask/force create mode is respected on set.
1169                          */
1170
1171                         if (setting_acl)
1172                                 apply_default_perms(params, is_directory, pace, S_IRGRP);
1173                         got_grp = True;
1174
1175                 } else if (pace->type == SMB_ACL_OTHER) {
1176
1177                         /*
1178                          * Ensure create mask/force create mode is respected on set.
1179                          */
1180
1181                         if (setting_acl)
1182                                 apply_default_perms(params, is_directory, pace, S_IROTH);
1183                         got_other = True;
1184                         pace_other = pace;
1185                 }
1186         }
1187
1188         if (!got_user) {
1189                 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1190                         DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1191                         return False;
1192                 }
1193
1194                 ZERO_STRUCTP(pace);
1195                 pace->type = SMB_ACL_USER_OBJ;
1196                 pace->owner_type = UID_ACE;
1197                 pace->unix_ug.uid = pst->st_uid;
1198                 pace->trustee = *pfile_owner_sid;
1199                 pace->attr = ALLOW_ACE;
1200
1201                 if (setting_acl) {
1202                         /* See if the owning user is in any of the other groups in
1203                            the ACE. If so, OR in the permissions from that group. */
1204
1205                         bool group_matched = False;
1206                         canon_ace *pace_iter;
1207
1208                         for (pace_iter = *pp_ace; pace_iter; pace_iter = pace_iter->next) {
1209                                 if (pace_iter->type == SMB_ACL_GROUP_OBJ || pace_iter->type == SMB_ACL_GROUP) {
1210                                         if (uid_entry_in_group(pace, pace_iter)) {
1211                                                 pace->perms |= pace_iter->perms;
1212                                                 group_matched = True;
1213                                         }
1214                                 }
1215                         }
1216
1217                         /* If we only got an "everyone" perm, just use that. */
1218                         if (!group_matched) {
1219                                 if (got_other)
1220                                         pace->perms = pace_other->perms;
1221                                 else
1222                                         pace->perms = 0;
1223                         }
1224
1225                         apply_default_perms(params, is_directory, pace, S_IRUSR);
1226                 } else {
1227                         pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IRUSR, S_IWUSR, S_IXUSR);
1228                 }
1229
1230                 DLIST_ADD(*pp_ace, pace);
1231         }
1232
1233         if (!got_grp) {
1234                 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1235                         DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1236                         return False;
1237                 }
1238
1239                 ZERO_STRUCTP(pace);
1240                 pace->type = SMB_ACL_GROUP_OBJ;
1241                 pace->owner_type = GID_ACE;
1242                 pace->unix_ug.uid = pst->st_gid;
1243                 pace->trustee = *pfile_grp_sid;
1244                 pace->attr = ALLOW_ACE;
1245                 if (setting_acl) {
1246                         /* If we only got an "everyone" perm, just use that. */
1247                         if (got_other)
1248                                 pace->perms = pace_other->perms;
1249                         else
1250                                 pace->perms = 0;
1251                         apply_default_perms(params, is_directory, pace, S_IRGRP);
1252                 } else {
1253                         pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IRGRP, S_IWGRP, S_IXGRP);
1254                 }
1255
1256                 DLIST_ADD(*pp_ace, pace);
1257         }
1258
1259         if (!got_other) {
1260                 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1261                         DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1262                         return False;
1263                 }
1264
1265                 ZERO_STRUCTP(pace);
1266                 pace->type = SMB_ACL_OTHER;
1267                 pace->owner_type = WORLD_ACE;
1268                 pace->unix_ug.world = -1;
1269                 pace->trustee = global_sid_World;
1270                 pace->attr = ALLOW_ACE;
1271                 if (setting_acl) {
1272                         pace->perms = 0;
1273                         apply_default_perms(params, is_directory, pace, S_IROTH);
1274                 } else
1275                         pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IROTH, S_IWOTH, S_IXOTH);
1276
1277                 DLIST_ADD(*pp_ace, pace);
1278         }
1279
1280         return True;
1281 }
1282
1283 /****************************************************************************
1284  Check if a POSIX ACL has the required SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries.
1285  If it does not have them, check if there are any entries where the trustee is the
1286  file owner or the owning group, and map these to SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ.
1287 ****************************************************************************/
1288
1289 static void check_owning_objs(canon_ace *ace, DOM_SID *pfile_owner_sid, DOM_SID *pfile_grp_sid)
1290 {
1291         bool got_user_obj, got_group_obj;
1292         canon_ace *current_ace;
1293         int i, entries;
1294
1295         entries = count_canon_ace_list(ace);
1296         got_user_obj = False;
1297         got_group_obj = False;
1298
1299         for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1300                 if (current_ace->type == SMB_ACL_USER_OBJ)
1301                         got_user_obj = True;
1302                 else if (current_ace->type == SMB_ACL_GROUP_OBJ)
1303                         got_group_obj = True;
1304         }
1305         if (got_user_obj && got_group_obj) {
1306                 DEBUG(10,("check_owning_objs: ACL had owning user/group entries.\n"));
1307                 return;
1308         }
1309
1310         for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1311                 if (!got_user_obj && current_ace->owner_type == UID_ACE &&
1312                                 sid_equal(&current_ace->trustee, pfile_owner_sid)) {
1313                         current_ace->type = SMB_ACL_USER_OBJ;
1314                         got_user_obj = True;
1315                 }
1316                 if (!got_group_obj && current_ace->owner_type == GID_ACE &&
1317                                 sid_equal(&current_ace->trustee, pfile_grp_sid)) {
1318                         current_ace->type = SMB_ACL_GROUP_OBJ;
1319                         got_group_obj = True;
1320                 }
1321         }
1322         if (!got_user_obj)
1323                 DEBUG(10,("check_owning_objs: ACL is missing an owner entry.\n"));
1324         if (!got_group_obj)
1325                 DEBUG(10,("check_owning_objs: ACL is missing an owning group entry.\n"));
1326 }
1327
1328 /****************************************************************************
1329  Unpack a SEC_DESC into two canonical ace lists.
1330 ****************************************************************************/
1331
1332 static bool create_canon_ace_lists(files_struct *fsp, SMB_STRUCT_STAT *pst,
1333                                                         DOM_SID *pfile_owner_sid,
1334                                                         DOM_SID *pfile_grp_sid,
1335                                                         canon_ace **ppfile_ace, canon_ace **ppdir_ace,
1336                                                         SEC_ACL *dacl)
1337 {
1338         bool all_aces_are_inherit_only = (fsp->is_directory ? True : False);
1339         canon_ace *file_ace = NULL;
1340         canon_ace *dir_ace = NULL;
1341         canon_ace *current_ace = NULL;
1342         bool got_dir_allow = False;
1343         bool got_file_allow = False;
1344         int i, j;
1345
1346         *ppfile_ace = NULL;
1347         *ppdir_ace = NULL;
1348
1349         /*
1350          * Convert the incoming ACL into a more regular form.
1351          */
1352
1353         for(i = 0; i < dacl->num_aces; i++) {
1354                 SEC_ACE *psa = &dacl->aces[i];
1355
1356                 if((psa->type != SEC_ACE_TYPE_ACCESS_ALLOWED) && (psa->type != SEC_ACE_TYPE_ACCESS_DENIED)) {
1357                         DEBUG(3,("create_canon_ace_lists: unable to set anything but an ALLOW or DENY ACE.\n"));
1358                         return False;
1359                 }
1360
1361                 if (nt4_compatible_acls()) {
1362                         /*
1363                          * The security mask may be UNIX_ACCESS_NONE which should map into
1364                          * no permissions (we overload the WRITE_OWNER bit for this) or it
1365                          * should be one of the ALL/EXECUTE/READ/WRITE bits. Arrange for this
1366                          * to be so. Any other bits override the UNIX_ACCESS_NONE bit.
1367                          */
1368
1369                         /*
1370                          * Convert GENERIC bits to specific bits.
1371                          */
1372  
1373                         se_map_generic(&psa->access_mask, &file_generic_mapping);
1374
1375                         psa->access_mask &= (UNIX_ACCESS_NONE|FILE_ALL_ACCESS);
1376
1377                         if(psa->access_mask != UNIX_ACCESS_NONE)
1378                                 psa->access_mask &= ~UNIX_ACCESS_NONE;
1379                 }
1380         }
1381
1382         /*
1383          * Deal with the fact that NT 4.x re-writes the canonical format
1384          * that we return for default ACLs. If a directory ACE is identical
1385          * to a inherited directory ACE then NT changes the bits so that the
1386          * first ACE is set to OI|IO and the second ACE for this SID is set
1387          * to CI. We need to repair this. JRA.
1388          */
1389
1390         for(i = 0; i < dacl->num_aces; i++) {
1391                 SEC_ACE *psa1 = &dacl->aces[i];
1392
1393                 for (j = i + 1; j < dacl->num_aces; j++) {
1394                         SEC_ACE *psa2 = &dacl->aces[j];
1395
1396                         if (psa1->access_mask != psa2->access_mask)
1397                                 continue;
1398
1399                         if (!sid_equal(&psa1->trustee, &psa2->trustee))
1400                                 continue;
1401
1402                         /*
1403                          * Ok - permission bits and SIDs are equal.
1404                          * Check if flags were re-written.
1405                          */
1406
1407                         if (psa1->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1408
1409                                 psa1->flags |= (psa2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1410                                 psa2->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1411
1412                         } else if (psa2->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1413
1414                                 psa2->flags |= (psa1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1415                                 psa1->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1416
1417                         }
1418                 }
1419         }
1420
1421         for(i = 0; i < dacl->num_aces; i++) {
1422                 SEC_ACE *psa = &dacl->aces[i];
1423
1424                 /*
1425                  * Create a cannon_ace entry representing this NT DACL ACE.
1426                  */
1427
1428                 if ((current_ace = SMB_MALLOC_P(canon_ace)) == NULL) {
1429                         free_canon_ace_list(file_ace);
1430                         free_canon_ace_list(dir_ace);
1431                         DEBUG(0,("create_canon_ace_lists: malloc fail.\n"));
1432                         return False;
1433                 }
1434
1435                 ZERO_STRUCTP(current_ace);
1436
1437                 sid_copy(&current_ace->trustee, &psa->trustee);
1438
1439                 /*
1440                  * Try and work out if the SID is a user or group
1441                  * as we need to flag these differently for POSIX.
1442                  * Note what kind of a POSIX ACL this should map to.
1443                  */
1444
1445                 if( sid_equal(&current_ace->trustee, &global_sid_World)) {
1446                         current_ace->owner_type = WORLD_ACE;
1447                         current_ace->unix_ug.world = -1;
1448                         current_ace->type = SMB_ACL_OTHER;
1449                 } else if (sid_equal(&current_ace->trustee, &global_sid_Creator_Owner)) {
1450                         current_ace->owner_type = UID_ACE;
1451                         current_ace->unix_ug.uid = pst->st_uid;
1452                         current_ace->type = SMB_ACL_USER_OBJ;
1453
1454                         /*
1455                          * The Creator Owner entry only specifies inheritable permissions,
1456                          * never access permissions. WinNT doesn't always set the ACE to
1457                          *INHERIT_ONLY, though.
1458                          */
1459
1460                         if (nt4_compatible_acls())
1461                                 psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1462                 } else if (sid_equal(&current_ace->trustee, &global_sid_Creator_Group)) {
1463                         current_ace->owner_type = GID_ACE;
1464                         current_ace->unix_ug.gid = pst->st_gid;
1465                         current_ace->type = SMB_ACL_GROUP_OBJ;
1466
1467                         /*
1468                          * The Creator Group entry only specifies inheritable permissions,
1469                          * never access permissions. WinNT doesn't always set the ACE to
1470                          *INHERIT_ONLY, though.
1471                          */
1472                         if (nt4_compatible_acls())
1473                                 psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1474
1475                 } else if (sid_to_uid( &current_ace->trustee, &current_ace->unix_ug.uid)) {
1476                         current_ace->owner_type = UID_ACE;
1477                         /* If it's the owning user, this is a user_obj, not
1478                          * a user. */
1479                         if (current_ace->unix_ug.uid == pst->st_uid) {
1480                                 current_ace->type = SMB_ACL_USER_OBJ;
1481                         } else {
1482                                 current_ace->type = SMB_ACL_USER;
1483                         }
1484                 } else if (sid_to_gid( &current_ace->trustee, &current_ace->unix_ug.gid)) {
1485                         current_ace->owner_type = GID_ACE;
1486                         /* If it's the primary group, this is a group_obj, not
1487                          * a group. */
1488                         if (current_ace->unix_ug.gid == pst->st_gid) {
1489                                 current_ace->type = SMB_ACL_GROUP_OBJ;
1490                         } else {
1491                                 current_ace->type = SMB_ACL_GROUP;
1492                         }
1493                 } else {
1494                         /*
1495                          * Silently ignore map failures in non-mappable SIDs (NT Authority, BUILTIN etc).
1496                          */
1497
1498                         if (non_mappable_sid(&psa->trustee)) {
1499                                 DEBUG(10, ("create_canon_ace_lists: ignoring "
1500                                            "non-mappable SID %s\n",
1501                                            sid_string_dbg(&psa->trustee)));
1502                                 SAFE_FREE(current_ace);
1503                                 continue;
1504                         }
1505
1506                         free_canon_ace_list(file_ace);
1507                         free_canon_ace_list(dir_ace);
1508                         DEBUG(0, ("create_canon_ace_lists: unable to map SID "
1509                                   "%s to uid or gid.\n",
1510                                   sid_string_dbg(&current_ace->trustee)));
1511                         SAFE_FREE(current_ace);
1512                         return False;
1513                 }
1514
1515                 /*
1516                  * Map the given NT permissions into a UNIX mode_t containing only
1517                  * S_I(R|W|X)USR bits.
1518                  */
1519
1520                 current_ace->perms |= map_nt_perms( &psa->access_mask, S_IRUSR);
1521                 current_ace->attr = (psa->type == SEC_ACE_TYPE_ACCESS_ALLOWED) ? ALLOW_ACE : DENY_ACE;
1522                 current_ace->inherited = ((psa->flags & SEC_ACE_FLAG_INHERITED_ACE) ? True : False);
1523
1524                 /*
1525                  * Now add the created ace to either the file list, the directory
1526                  * list, or both. We *MUST* preserve the order here (hence we use
1527                  * DLIST_ADD_END) as NT ACLs are order dependent.
1528                  */
1529
1530                 if (fsp->is_directory) {
1531
1532                         /*
1533                          * We can only add to the default POSIX ACE list if the ACE is
1534                          * designed to be inherited by both files and directories.
1535                          */
1536
1537                         if ((psa->flags & (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) ==
1538                                 (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) {
1539
1540                                 DLIST_ADD_END(dir_ace, current_ace, canon_ace *);
1541
1542                                 /*
1543                                  * Note if this was an allow ace. We can't process
1544                                  * any further deny ace's after this.
1545                                  */
1546
1547                                 if (current_ace->attr == ALLOW_ACE)
1548                                         got_dir_allow = True;
1549
1550                                 if ((current_ace->attr == DENY_ACE) && got_dir_allow) {
1551                                         DEBUG(0,("create_canon_ace_lists: malformed ACL in inheritable ACL ! \
1552 Deny entry after Allow entry. Failing to set on file %s.\n", fsp->fsp_name ));
1553                                         free_canon_ace_list(file_ace);
1554                                         free_canon_ace_list(dir_ace);
1555                                         return False;
1556                                 }       
1557
1558                                 if( DEBUGLVL( 10 )) {
1559                                         dbgtext("create_canon_ace_lists: adding dir ACL:\n");
1560                                         print_canon_ace( current_ace, 0);
1561                                 }
1562
1563                                 /*
1564                                  * If this is not an inherit only ACE we need to add a duplicate
1565                                  * to the file acl.
1566                                  */
1567
1568                                 if (!(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1569                                         canon_ace *dup_ace = dup_canon_ace(current_ace);
1570
1571                                         if (!dup_ace) {
1572                                                 DEBUG(0,("create_canon_ace_lists: malloc fail !\n"));
1573                                                 free_canon_ace_list(file_ace);
1574                                                 free_canon_ace_list(dir_ace);
1575                                                 return False;
1576                                         }
1577
1578                                         /*
1579                                          * We must not free current_ace here as its
1580                                          * pointer is now owned by the dir_ace list.
1581                                          */
1582                                         current_ace = dup_ace;
1583                                 } else {
1584                                         /*
1585                                          * We must not free current_ace here as its
1586                                          * pointer is now owned by the dir_ace list.
1587                                          */
1588                                         current_ace = NULL;
1589                                 }
1590                         }
1591                 }
1592
1593                 /*
1594                  * Only add to the file ACL if not inherit only.
1595                  */
1596
1597                 if (current_ace && !(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1598                         DLIST_ADD_END(file_ace, current_ace, canon_ace *);
1599
1600                         /*
1601                          * Note if this was an allow ace. We can't process
1602                          * any further deny ace's after this.
1603                          */
1604
1605                         if (current_ace->attr == ALLOW_ACE)
1606                                 got_file_allow = True;
1607
1608                         if ((current_ace->attr == DENY_ACE) && got_file_allow) {
1609                                 DEBUG(0,("create_canon_ace_lists: malformed ACL in file ACL ! \
1610 Deny entry after Allow entry. Failing to set on file %s.\n", fsp->fsp_name ));
1611                                 free_canon_ace_list(file_ace);
1612                                 free_canon_ace_list(dir_ace);
1613                                 return False;
1614                         }       
1615
1616                         if( DEBUGLVL( 10 )) {
1617                                 dbgtext("create_canon_ace_lists: adding file ACL:\n");
1618                                 print_canon_ace( current_ace, 0);
1619                         }
1620                         all_aces_are_inherit_only = False;
1621                         /*
1622                          * We must not free current_ace here as its
1623                          * pointer is now owned by the file_ace list.
1624                          */
1625                         current_ace = NULL;
1626                 }
1627
1628                 /*
1629                  * Free if ACE was not added.
1630                  */
1631
1632                 SAFE_FREE(current_ace);
1633         }
1634
1635         if (fsp->is_directory && all_aces_are_inherit_only) {
1636                 /*
1637                  * Windows 2000 is doing one of these weird 'inherit acl'
1638                  * traverses to conserve NTFS ACL resources. Just pretend
1639                  * there was no DACL sent. JRA.
1640                  */
1641
1642                 DEBUG(10,("create_canon_ace_lists: Win2k inherit acl traverse. Ignoring DACL.\n"));
1643                 free_canon_ace_list(file_ace);
1644                 free_canon_ace_list(dir_ace);
1645                 file_ace = NULL;
1646                 dir_ace = NULL;
1647         } else {
1648                 /*
1649                  * Check if we have SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries in each
1650                  * ACL. If we don't have them, check if any SMB_ACL_USER/SMB_ACL_GROUP
1651                  * entries can be converted to *_OBJ. Usually we will already have these
1652                  * entries in the Default ACL, and the Access ACL will not have them.
1653                  */
1654                 if (file_ace) {
1655                         check_owning_objs(file_ace, pfile_owner_sid, pfile_grp_sid);
1656                 }
1657                 if (dir_ace) {
1658                         check_owning_objs(dir_ace, pfile_owner_sid, pfile_grp_sid);
1659                 }
1660         }
1661
1662         *ppfile_ace = file_ace;
1663         *ppdir_ace = dir_ace;
1664
1665         return True;
1666 }
1667
1668 /****************************************************************************
1669  ASCII art time again... JRA :-).
1670
1671  We have 4 cases to process when moving from an NT ACL to a POSIX ACL. Firstly,
1672  we insist the ACL is in canonical form (ie. all DENY entries preceede ALLOW
1673  entries). Secondly, the merge code has ensured that all duplicate SID entries for
1674  allow or deny have been merged, so the same SID can only appear once in the deny
1675  list or once in the allow list.
1676
1677  We then process as follows :
1678
1679  ---------------------------------------------------------------------------
1680  First pass - look for a Everyone DENY entry.
1681
1682  If it is deny all (rwx) trunate the list at this point.
1683  Else, walk the list from this point and use the deny permissions of this
1684  entry as a mask on all following allow entries. Finally, delete
1685  the Everyone DENY entry (we have applied it to everything possible).
1686
1687  In addition, in this pass we remove any DENY entries that have 
1688  no permissions (ie. they are a DENY nothing).
1689  ---------------------------------------------------------------------------
1690  Second pass - only deal with deny user entries.
1691
1692  DENY user1 (perms XXX)
1693
1694  new_perms = 0
1695  for all following allow group entries where user1 is in group
1696         new_perms |= group_perms;
1697
1698  user1 entry perms = new_perms & ~ XXX;
1699
1700  Convert the deny entry to an allow entry with the new perms and
1701  push to the end of the list. Note if the user was in no groups
1702  this maps to a specific allow nothing entry for this user.
1703
1704  The common case from the NT ACL choser (userX deny all) is
1705  optimised so we don't do the group lookup - we just map to
1706  an allow nothing entry.
1707
1708  What we're doing here is inferring the allow permissions the
1709  person setting the ACE on user1 wanted by looking at the allow
1710  permissions on the groups the user is currently in. This will
1711  be a snapshot, depending on group membership but is the best
1712  we can do and has the advantage of failing closed rather than
1713  open.
1714  ---------------------------------------------------------------------------
1715  Third pass - only deal with deny group entries.
1716
1717  DENY group1 (perms XXX)
1718
1719  for all following allow user entries where user is in group1
1720    user entry perms = user entry perms & ~ XXX;
1721
1722  If there is a group Everyone allow entry with permissions YYY,
1723  convert the group1 entry to an allow entry and modify its
1724  permissions to be :
1725
1726  new_perms = YYY & ~ XXX
1727
1728  and push to the end of the list.
1729
1730  If there is no group Everyone allow entry then convert the
1731  group1 entry to a allow nothing entry and push to the end of the list.
1732
1733  Note that the common case from the NT ACL choser (groupX deny all)
1734  cannot be optimised here as we need to modify user entries who are
1735  in the group to change them to a deny all also.
1736
1737  What we're doing here is modifying the allow permissions of
1738  user entries (which are more specific in POSIX ACLs) to mask
1739  out the explicit deny set on the group they are in. This will
1740  be a snapshot depending on current group membership but is the
1741  best we can do and has the advantage of failing closed rather
1742  than open.
1743  ---------------------------------------------------------------------------
1744  Fourth pass - cope with cumulative permissions.
1745
1746  for all allow user entries, if there exists an allow group entry with
1747  more permissive permissions, and the user is in that group, rewrite the
1748  allow user permissions to contain both sets of permissions.
1749
1750  Currently the code for this is #ifdef'ed out as these semantics make
1751  no sense to me. JRA.
1752  ---------------------------------------------------------------------------
1753
1754  Note we *MUST* do the deny user pass first as this will convert deny user
1755  entries into allow user entries which can then be processed by the deny
1756  group pass.
1757
1758  The above algorithm took a *lot* of thinking about - hence this
1759  explaination :-). JRA.
1760 ****************************************************************************/
1761
1762 /****************************************************************************
1763  Process a canon_ace list entries. This is very complex code. We need
1764  to go through and remove the "deny" permissions from any allow entry that matches
1765  the id of this entry. We have already refused any NT ACL that wasn't in correct
1766  order (DENY followed by ALLOW). If any allow entry ends up with zero permissions,
1767  we just remove it (to fail safe). We have already removed any duplicate ace
1768  entries. Treat an "Everyone" DENY_ACE as a special case - use it to mask all
1769  allow entries.
1770 ****************************************************************************/
1771
1772 static void process_deny_list( canon_ace **pp_ace_list )
1773 {
1774         canon_ace *ace_list = *pp_ace_list;
1775         canon_ace *curr_ace = NULL;
1776         canon_ace *curr_ace_next = NULL;
1777
1778         /* Pass 1 above - look for an Everyone, deny entry. */
1779
1780         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
1781                 canon_ace *allow_ace_p;
1782
1783                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
1784
1785                 if (curr_ace->attr != DENY_ACE)
1786                         continue;
1787
1788                 if (curr_ace->perms == (mode_t)0) {
1789
1790                         /* Deny nothing entry - delete. */
1791
1792                         DLIST_REMOVE(ace_list, curr_ace);
1793                         continue;
1794                 }
1795
1796                 if (!sid_equal(&curr_ace->trustee, &global_sid_World))
1797                         continue;
1798
1799                 /* JRATEST - assert. */
1800                 SMB_ASSERT(curr_ace->owner_type == WORLD_ACE);
1801
1802                 if (curr_ace->perms == ALL_ACE_PERMS) {
1803
1804                         /*
1805                          * Optimisation. This is a DENY_ALL to Everyone. Truncate the
1806                          * list at this point including this entry.
1807                          */
1808
1809                         canon_ace *prev_entry = curr_ace->prev;
1810
1811                         free_canon_ace_list( curr_ace );
1812                         if (prev_entry)
1813                                 prev_entry->next = NULL;
1814                         else {
1815                                 /* We deleted the entire list. */
1816                                 ace_list = NULL;
1817                         }
1818                         break;
1819                 }
1820
1821                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
1822
1823                         /* 
1824                          * Only mask off allow entries.
1825                          */
1826
1827                         if (allow_ace_p->attr != ALLOW_ACE)
1828                                 continue;
1829
1830                         allow_ace_p->perms &= ~curr_ace->perms;
1831                 }
1832
1833                 /*
1834                  * Now it's been applied, remove it.
1835                  */
1836
1837                 DLIST_REMOVE(ace_list, curr_ace);
1838         }
1839
1840         /* Pass 2 above - deal with deny user entries. */
1841
1842         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
1843                 mode_t new_perms = (mode_t)0;
1844                 canon_ace *allow_ace_p;
1845
1846                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
1847
1848                 if (curr_ace->attr != DENY_ACE)
1849                         continue;
1850
1851                 if (curr_ace->owner_type != UID_ACE)
1852                         continue;
1853
1854                 if (curr_ace->perms == ALL_ACE_PERMS) {
1855
1856                         /*
1857                          * Optimisation - this is a deny everything to this user.
1858                          * Convert to an allow nothing and push to the end of the list.
1859                          */
1860
1861                         curr_ace->attr = ALLOW_ACE;
1862                         curr_ace->perms = (mode_t)0;
1863                         DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
1864                         continue;
1865                 }
1866
1867                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
1868
1869                         if (allow_ace_p->attr != ALLOW_ACE)
1870                                 continue;
1871
1872                         /* We process GID_ACE and WORLD_ACE entries only. */
1873
1874                         if (allow_ace_p->owner_type == UID_ACE)
1875                                 continue;
1876
1877                         if (uid_entry_in_group( curr_ace, allow_ace_p))
1878                                 new_perms |= allow_ace_p->perms;
1879                 }
1880
1881                 /*
1882                  * Convert to a allow entry, modify the perms and push to the end
1883                  * of the list.
1884                  */
1885
1886                 curr_ace->attr = ALLOW_ACE;
1887                 curr_ace->perms = (new_perms & ~curr_ace->perms);
1888                 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
1889         }
1890
1891         /* Pass 3 above - deal with deny group entries. */
1892
1893         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
1894                 canon_ace *allow_ace_p;
1895                 canon_ace *allow_everyone_p = NULL;
1896
1897                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
1898
1899                 if (curr_ace->attr != DENY_ACE)
1900                         continue;
1901
1902                 if (curr_ace->owner_type != GID_ACE)
1903                         continue;
1904
1905                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
1906
1907                         if (allow_ace_p->attr != ALLOW_ACE)
1908                                 continue;
1909
1910                         /* Store a pointer to the Everyone allow, if it exists. */
1911                         if (allow_ace_p->owner_type == WORLD_ACE)
1912                                 allow_everyone_p = allow_ace_p;
1913
1914                         /* We process UID_ACE entries only. */
1915
1916                         if (allow_ace_p->owner_type != UID_ACE)
1917                                 continue;
1918
1919                         /* Mask off the deny group perms. */
1920
1921                         if (uid_entry_in_group( allow_ace_p, curr_ace))
1922                                 allow_ace_p->perms &= ~curr_ace->perms;
1923                 }
1924
1925                 /*
1926                  * Convert the deny to an allow with the correct perms and
1927                  * push to the end of the list.
1928                  */
1929
1930                 curr_ace->attr = ALLOW_ACE;
1931                 if (allow_everyone_p)
1932                         curr_ace->perms = allow_everyone_p->perms & ~curr_ace->perms;
1933                 else
1934                         curr_ace->perms = (mode_t)0;
1935                 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
1936         }
1937
1938         /* Doing this fourth pass allows Windows semantics to be layered
1939          * on top of POSIX semantics. I'm not sure if this is desirable.
1940          * For example, in W2K ACLs there is no way to say, "Group X no
1941          * access, user Y full access" if user Y is a member of group X.
1942          * This seems completely broken semantics to me.... JRA.
1943          */
1944
1945 #if 0
1946         /* Pass 4 above - deal with allow entries. */
1947
1948         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
1949                 canon_ace *allow_ace_p;
1950
1951                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
1952
1953                 if (curr_ace->attr != ALLOW_ACE)
1954                         continue;
1955
1956                 if (curr_ace->owner_type != UID_ACE)
1957                         continue;
1958
1959                 for (allow_ace_p = ace_list; allow_ace_p; allow_ace_p = allow_ace_p->next) {
1960
1961                         if (allow_ace_p->attr != ALLOW_ACE)
1962                                 continue;
1963
1964                         /* We process GID_ACE entries only. */
1965
1966                         if (allow_ace_p->owner_type != GID_ACE)
1967                                 continue;
1968
1969                         /* OR in the group perms. */
1970
1971                         if (uid_entry_in_group( curr_ace, allow_ace_p))
1972                                 curr_ace->perms |= allow_ace_p->perms;
1973                 }
1974         }
1975 #endif
1976
1977         *pp_ace_list = ace_list;
1978 }
1979
1980 /****************************************************************************
1981  Create a default mode that will be used if a security descriptor entry has
1982  no user/group/world entries.
1983 ****************************************************************************/
1984
1985 static mode_t create_default_mode(files_struct *fsp, bool interitable_mode)
1986 {
1987         int snum = SNUM(fsp->conn);
1988         mode_t and_bits = (mode_t)0;
1989         mode_t or_bits = (mode_t)0;
1990         mode_t mode = interitable_mode
1991                 ? unix_mode( fsp->conn, FILE_ATTRIBUTE_ARCHIVE, fsp->fsp_name,
1992                              NULL )
1993                 : S_IRUSR;
1994
1995         if (fsp->is_directory)
1996                 mode |= (S_IWUSR|S_IXUSR);
1997
1998         /*
1999          * Now AND with the create mode/directory mode bits then OR with the
2000          * force create mode/force directory mode bits.
2001          */
2002
2003         if (fsp->is_directory) {
2004                 and_bits = lp_dir_security_mask(snum);
2005                 or_bits = lp_force_dir_security_mode(snum);
2006         } else {
2007                 and_bits = lp_security_mask(snum);
2008                 or_bits = lp_force_security_mode(snum);
2009         }
2010
2011         return ((mode & and_bits)|or_bits);
2012 }
2013
2014 /****************************************************************************
2015  Unpack a SEC_DESC into two canonical ace lists. We don't depend on this
2016  succeeding.
2017 ****************************************************************************/
2018
2019 static bool unpack_canon_ace(files_struct *fsp, 
2020                                                         SMB_STRUCT_STAT *pst,
2021                                                         DOM_SID *pfile_owner_sid,
2022                                                         DOM_SID *pfile_grp_sid,
2023                                                         canon_ace **ppfile_ace, canon_ace **ppdir_ace,
2024                                                         uint32 security_info_sent, SEC_DESC *psd)
2025 {
2026         canon_ace *file_ace = NULL;
2027         canon_ace *dir_ace = NULL;
2028
2029         *ppfile_ace = NULL;
2030         *ppdir_ace = NULL;
2031
2032         if(security_info_sent == 0) {
2033                 DEBUG(0,("unpack_canon_ace: no security info sent !\n"));
2034                 return False;
2035         }
2036
2037         /*
2038          * If no DACL then this is a chown only security descriptor.
2039          */
2040
2041         if(!(security_info_sent & DACL_SECURITY_INFORMATION) || !psd->dacl)
2042                 return True;
2043
2044         /*
2045          * Now go through the DACL and create the canon_ace lists.
2046          */
2047
2048         if (!create_canon_ace_lists( fsp, pst, pfile_owner_sid, pfile_grp_sid,
2049                                                                 &file_ace, &dir_ace, psd->dacl))
2050                 return False;
2051
2052         if ((file_ace == NULL) && (dir_ace == NULL)) {
2053                 /* W2K traverse DACL set - ignore. */
2054                 return True;
2055         }
2056
2057         /*
2058          * Go through the canon_ace list and merge entries
2059          * belonging to identical users of identical allow or deny type.
2060          * We can do this as all deny entries come first, followed by
2061          * all allow entries (we have mandated this before accepting this acl).
2062          */
2063
2064         print_canon_ace_list( "file ace - before merge", file_ace);
2065         merge_aces( &file_ace );
2066
2067         print_canon_ace_list( "dir ace - before merge", dir_ace);
2068         merge_aces( &dir_ace );
2069
2070         /*
2071          * NT ACLs are order dependent. Go through the acl lists and
2072          * process DENY entries by masking the allow entries.
2073          */
2074
2075         print_canon_ace_list( "file ace - before deny", file_ace);
2076         process_deny_list( &file_ace);
2077
2078         print_canon_ace_list( "dir ace - before deny", dir_ace);
2079         process_deny_list( &dir_ace);
2080
2081         /*
2082          * A well formed POSIX file or default ACL has at least 3 entries, a 
2083          * SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ
2084          * and optionally a mask entry. Ensure this is the case.
2085          */
2086
2087         print_canon_ace_list( "file ace - before valid", file_ace);
2088
2089         /*
2090          * A default 3 element mode entry for a file should be r-- --- ---.
2091          * A default 3 element mode entry for a directory should be rwx --- ---.
2092          */
2093
2094         pst->st_mode = create_default_mode(fsp, False);
2095
2096         if (!ensure_canon_entry_valid(&file_ace, fsp->conn->params, fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
2097                 free_canon_ace_list(file_ace);
2098                 free_canon_ace_list(dir_ace);
2099                 return False;
2100         }
2101
2102         print_canon_ace_list( "dir ace - before valid", dir_ace);
2103
2104         /*
2105          * A default inheritable 3 element mode entry for a directory should be the
2106          * mode Samba will use to create a file within. Ensure user rwx bits are set if
2107          * it's a directory.
2108          */
2109
2110         pst->st_mode = create_default_mode(fsp, True);
2111
2112         if (dir_ace && !ensure_canon_entry_valid(&dir_ace, fsp->conn->params, fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
2113                 free_canon_ace_list(file_ace);
2114                 free_canon_ace_list(dir_ace);
2115                 return False;
2116         }
2117
2118         print_canon_ace_list( "file ace - return", file_ace);
2119         print_canon_ace_list( "dir ace - return", dir_ace);
2120
2121         *ppfile_ace = file_ace;
2122         *ppdir_ace = dir_ace;
2123         return True;
2124
2125 }
2126
2127 /******************************************************************************
2128  When returning permissions, try and fit NT display
2129  semantics if possible. Note the the canon_entries here must have been malloced.
2130  The list format should be - first entry = owner, followed by group and other user
2131  entries, last entry = other.
2132
2133  Note that this doesn't exactly match the NT semantics for an ACL. As POSIX entries
2134  are not ordered, and match on the most specific entry rather than walking a list,
2135  then a simple POSIX permission of rw-r--r-- should really map to 5 entries,
2136
2137  Entry 0: owner : deny all except read and write.
2138  Entry 1: owner : allow read and write.
2139  Entry 2: group : deny all except read.
2140  Entry 3: group : allow read.
2141  Entry 4: Everyone : allow read.
2142
2143  But NT cannot display this in their ACL editor !
2144 ********************************************************************************/
2145
2146 static void arrange_posix_perms(const char *filename, canon_ace **pp_list_head)
2147 {
2148         canon_ace *list_head = *pp_list_head;
2149         canon_ace *owner_ace = NULL;
2150         canon_ace *other_ace = NULL;
2151         canon_ace *ace = NULL;
2152
2153         for (ace = list_head; ace; ace = ace->next) {
2154                 if (ace->type == SMB_ACL_USER_OBJ)
2155                         owner_ace = ace;
2156                 else if (ace->type == SMB_ACL_OTHER) {
2157                         /* Last ace - this is "other" */
2158                         other_ace = ace;
2159                 }
2160         }
2161                 
2162         if (!owner_ace || !other_ace) {
2163                 DEBUG(0,("arrange_posix_perms: Invalid POSIX permissions for file %s, missing owner or other.\n",
2164                         filename ));
2165                 return;
2166         }
2167
2168         /*
2169          * The POSIX algorithm applies to owner first, and other last,
2170          * so ensure they are arranged in this order.
2171          */
2172
2173         if (owner_ace) {
2174                 DLIST_PROMOTE(list_head, owner_ace);
2175         }
2176
2177         if (other_ace) {
2178                 DLIST_DEMOTE(list_head, other_ace, canon_ace *);
2179         }
2180
2181         /* We have probably changed the head of the list. */
2182
2183         *pp_list_head = list_head;
2184 }
2185                 
2186 /****************************************************************************
2187  Create a linked list of canonical ACE entries.
2188 ****************************************************************************/
2189
2190 static canon_ace *canonicalise_acl(struct connection_struct *conn,
2191                                    const char *fname, SMB_ACL_T posix_acl,
2192                                    const SMB_STRUCT_STAT *psbuf,
2193                                    const DOM_SID *powner, const DOM_SID *pgroup, struct pai_val *pal, SMB_ACL_TYPE_T the_acl_type)
2194 {
2195         mode_t acl_mask = (S_IRUSR|S_IWUSR|S_IXUSR);
2196         canon_ace *list_head = NULL;
2197         canon_ace *ace = NULL;
2198         canon_ace *next_ace = NULL;
2199         int entry_id = SMB_ACL_FIRST_ENTRY;
2200         SMB_ACL_ENTRY_T entry;
2201         size_t ace_count;
2202
2203         while ( posix_acl && (SMB_VFS_SYS_ACL_GET_ENTRY(conn, posix_acl, entry_id, &entry) == 1)) {
2204                 SMB_ACL_TAG_T tagtype;
2205                 SMB_ACL_PERMSET_T permset;
2206                 DOM_SID sid;
2207                 posix_id unix_ug;
2208                 enum ace_owner owner_type;
2209
2210                 entry_id = SMB_ACL_NEXT_ENTRY;
2211
2212                 /* Is this a MASK entry ? */
2213                 if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) == -1)
2214                         continue;
2215
2216                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1)
2217                         continue;
2218
2219                 /* Decide which SID to use based on the ACL type. */
2220                 switch(tagtype) {
2221                         case SMB_ACL_USER_OBJ:
2222                                 /* Get the SID from the owner. */
2223                                 sid_copy(&sid, powner);
2224                                 unix_ug.uid = psbuf->st_uid;
2225                                 owner_type = UID_ACE;
2226                                 break;
2227                         case SMB_ACL_USER:
2228                                 {
2229                                         uid_t *puid = (uid_t *)SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry);
2230                                         if (puid == NULL) {
2231                                                 DEBUG(0,("canonicalise_acl: Failed to get uid.\n"));
2232                                                 continue;
2233                                         }
2234                                         /*
2235                                          * A SMB_ACL_USER entry for the owner is shadowed by the
2236                                          * SMB_ACL_USER_OBJ entry and Windows also cannot represent
2237                                          * that entry, so we ignore it. We also don't create such
2238                                          * entries out of the blue when setting ACLs, so a get/set
2239                                          * cycle will drop them.
2240                                          */
2241                                         if (the_acl_type == SMB_ACL_TYPE_ACCESS && *puid == psbuf->st_uid) {
2242                                                 SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)puid,tagtype);
2243                                                 continue;
2244                                         }
2245                                         uid_to_sid( &sid, *puid);
2246                                         unix_ug.uid = *puid;
2247                                         owner_type = UID_ACE;
2248                                         SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)puid,tagtype);
2249                                         break;
2250                                 }
2251                         case SMB_ACL_GROUP_OBJ:
2252                                 /* Get the SID from the owning group. */
2253                                 sid_copy(&sid, pgroup);
2254                                 unix_ug.gid = psbuf->st_gid;
2255                                 owner_type = GID_ACE;
2256                                 break;
2257                         case SMB_ACL_GROUP:
2258                                 {
2259                                         gid_t *pgid = (gid_t *)SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry);
2260                                         if (pgid == NULL) {
2261                                                 DEBUG(0,("canonicalise_acl: Failed to get gid.\n"));
2262                                                 continue;
2263                                         }
2264                                         gid_to_sid( &sid, *pgid);
2265                                         unix_ug.gid = *pgid;
2266                                         owner_type = GID_ACE;
2267                                         SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)pgid,tagtype);
2268                                         break;
2269                                 }
2270                         case SMB_ACL_MASK:
2271                                 acl_mask = convert_permset_to_mode_t(conn, permset);
2272                                 continue; /* Don't count the mask as an entry. */
2273                         case SMB_ACL_OTHER:
2274                                 /* Use the Everyone SID */
2275                                 sid = global_sid_World;
2276                                 unix_ug.world = -1;
2277                                 owner_type = WORLD_ACE;
2278                                 break;
2279                         default:
2280                                 DEBUG(0,("canonicalise_acl: Unknown tagtype %u\n", (unsigned int)tagtype));
2281                                 continue;
2282                 }
2283
2284                 /*
2285                  * Add this entry to the list.
2286                  */
2287
2288                 if ((ace = SMB_MALLOC_P(canon_ace)) == NULL)
2289                         goto fail;
2290
2291                 ZERO_STRUCTP(ace);
2292                 ace->type = tagtype;
2293                 ace->perms = convert_permset_to_mode_t(conn, permset);
2294                 ace->attr = ALLOW_ACE;
2295                 ace->trustee = sid;
2296                 ace->unix_ug = unix_ug;
2297                 ace->owner_type = owner_type;
2298                 ace->inherited = get_inherited_flag(pal, ace, (the_acl_type == SMB_ACL_TYPE_DEFAULT));
2299
2300                 DLIST_ADD(list_head, ace);
2301         }
2302
2303         /*
2304          * This next call will ensure we have at least a user/group/world set.
2305          */
2306
2307         if (!ensure_canon_entry_valid(&list_head, conn->params,
2308                                       S_ISDIR(psbuf->st_mode), powner, pgroup,
2309                                       psbuf, False))
2310                 goto fail;
2311
2312         /*
2313          * Now go through the list, masking the permissions with the
2314          * acl_mask. Ensure all DENY Entries are at the start of the list.
2315          */
2316
2317         DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", the_acl_type == SMB_ACL_TYPE_ACCESS ? "Access" : "Default" ));
2318
2319         for ( ace_count = 0, ace = list_head; ace; ace = next_ace, ace_count++) {
2320                 next_ace = ace->next;
2321
2322                 /* Masks are only applied to entries other than USER_OBJ and OTHER. */
2323                 if (ace->type != SMB_ACL_OTHER && ace->type != SMB_ACL_USER_OBJ)
2324                         ace->perms &= acl_mask;
2325
2326                 if (ace->perms == 0) {
2327                         DLIST_PROMOTE(list_head, ace);
2328                 }
2329
2330                 if( DEBUGLVL( 10 ) ) {
2331                         print_canon_ace(ace, ace_count);
2332                 }
2333         }
2334
2335         arrange_posix_perms(fname,&list_head );
2336
2337         print_canon_ace_list( "canonicalise_acl: ace entries after arrange", list_head );
2338
2339         return list_head;
2340
2341   fail:
2342
2343         free_canon_ace_list(list_head);
2344         return NULL;
2345 }
2346
2347 /****************************************************************************
2348  Check if the current user group list contains a given group.
2349 ****************************************************************************/
2350
2351 static bool current_user_in_group(gid_t gid)
2352 {
2353         int i;
2354
2355         for (i = 0; i < current_user.ut.ngroups; i++) {
2356                 if (current_user.ut.groups[i] == gid) {
2357                         return True;
2358                 }
2359         }
2360
2361         return False;
2362 }
2363
2364 /****************************************************************************
2365  Should we override a deny ? Check 'acl group control' and 'dos filemode'.
2366 ****************************************************************************/
2367
2368 static bool acl_group_override(connection_struct *conn,
2369                                 gid_t prim_gid,
2370                                 const char *fname)
2371 {
2372         SMB_STRUCT_STAT sbuf;
2373
2374         if ((errno != EPERM) && (errno != EACCES)) {
2375                 return false;
2376         }
2377
2378         /* file primary group == user primary or supplementary group */
2379         if (lp_acl_group_control(SNUM(conn)) &&
2380                         current_user_in_group(prim_gid)) {
2381                 return true;
2382         }
2383
2384         /* user has writeable permission */
2385         if (lp_dos_filemode(SNUM(conn)) &&
2386                         can_write_to_file(conn, fname, &sbuf)) {
2387                 return true;
2388         }
2389
2390         return false;
2391 }
2392
2393 /****************************************************************************
2394  Attempt to apply an ACL to a file or directory.
2395 ****************************************************************************/
2396
2397 static bool set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, bool default_ace, gid_t prim_gid, bool *pacl_set_support)
2398 {
2399         connection_struct *conn = fsp->conn;
2400         bool ret = False;
2401         SMB_ACL_T the_acl = SMB_VFS_SYS_ACL_INIT(conn, (int)count_canon_ace_list(the_ace) + 1);
2402         canon_ace *p_ace;
2403         int i;
2404         SMB_ACL_ENTRY_T mask_entry;
2405         bool got_mask_entry = False;
2406         SMB_ACL_PERMSET_T mask_permset;
2407         SMB_ACL_TYPE_T the_acl_type = (default_ace ? SMB_ACL_TYPE_DEFAULT : SMB_ACL_TYPE_ACCESS);
2408         bool needs_mask = False;
2409         mode_t mask_perms = 0;
2410
2411 #if defined(POSIX_ACL_NEEDS_MASK)
2412         /* HP-UX always wants to have a mask (called "class" there). */
2413         needs_mask = True;
2414 #endif
2415
2416         if (the_acl == NULL) {
2417
2418                 if (!no_acl_syscall_error(errno)) {
2419                         /*
2420                          * Only print this error message if we have some kind of ACL
2421                          * support that's not working. Otherwise we would always get this.
2422                          */
2423                         DEBUG(0,("set_canon_ace_list: Unable to init %s ACL. (%s)\n",
2424                                 default_ace ? "default" : "file", strerror(errno) ));
2425                 }
2426                 *pacl_set_support = False;
2427                 return False;
2428         }
2429
2430         if( DEBUGLVL( 10 )) {
2431                 dbgtext("set_canon_ace_list: setting ACL:\n");
2432                 for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2433                         print_canon_ace( p_ace, i);
2434                 }
2435         }
2436
2437         for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2438                 SMB_ACL_ENTRY_T the_entry;
2439                 SMB_ACL_PERMSET_T the_permset;
2440
2441                 /*
2442                  * ACLs only "need" an ACL_MASK entry if there are any named user or
2443                  * named group entries. But if there is an ACL_MASK entry, it applies
2444                  * to ACL_USER, ACL_GROUP, and ACL_GROUP_OBJ entries. Set the mask
2445                  * so that it doesn't deny (i.e., mask off) any permissions.
2446                  */
2447
2448                 if (p_ace->type == SMB_ACL_USER || p_ace->type == SMB_ACL_GROUP) {
2449                         needs_mask = True;
2450                         mask_perms |= p_ace->perms;
2451                 } else if (p_ace->type == SMB_ACL_GROUP_OBJ) {
2452                         mask_perms |= p_ace->perms;
2453                 }
2454
2455                 /*
2456                  * Get the entry for this ACE.
2457                  */
2458
2459                 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &the_entry) == -1) {
2460                         DEBUG(0,("set_canon_ace_list: Failed to create entry %d. (%s)\n",
2461                                 i, strerror(errno) ));
2462                         goto fail;
2463                 }
2464
2465                 if (p_ace->type == SMB_ACL_MASK) {
2466                         mask_entry = the_entry;
2467                         got_mask_entry = True;
2468                 }
2469
2470                 /*
2471                  * Ok - we now know the ACL calls should be working, don't
2472                  * allow fallback to chmod.
2473                  */
2474
2475                 *pacl_set_support = True;
2476
2477                 /*
2478                  * Initialise the entry from the canon_ace.
2479                  */
2480
2481                 /*
2482                  * First tell the entry what type of ACE this is.
2483                  */
2484
2485                 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, the_entry, p_ace->type) == -1) {
2486                         DEBUG(0,("set_canon_ace_list: Failed to set tag type on entry %d. (%s)\n",
2487                                 i, strerror(errno) ));
2488                         goto fail;
2489                 }
2490
2491                 /*
2492                  * Only set the qualifier (user or group id) if the entry is a user
2493                  * or group id ACE.
2494                  */
2495
2496                 if ((p_ace->type == SMB_ACL_USER) || (p_ace->type == SMB_ACL_GROUP)) {
2497                         if (SMB_VFS_SYS_ACL_SET_QUALIFIER(conn, the_entry,(void *)&p_ace->unix_ug.uid) == -1) {
2498                                 DEBUG(0,("set_canon_ace_list: Failed to set qualifier on entry %d. (%s)\n",
2499                                         i, strerror(errno) ));
2500                                 goto fail;
2501                         }
2502                 }
2503
2504                 /*
2505                  * Convert the mode_t perms in the canon_ace to a POSIX permset.
2506                  */
2507
2508                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, the_entry, &the_permset) == -1) {
2509                         DEBUG(0,("set_canon_ace_list: Failed to get permset on entry %d. (%s)\n",
2510                                 i, strerror(errno) ));
2511                         goto fail;
2512                 }
2513
2514                 if (map_acl_perms_to_permset(conn, p_ace->perms, &the_permset) == -1) {
2515                         DEBUG(0,("set_canon_ace_list: Failed to create permset for mode (%u) on entry %d. (%s)\n",
2516                                 (unsigned int)p_ace->perms, i, strerror(errno) ));
2517                         goto fail;
2518                 }
2519
2520                 /*
2521                  * ..and apply them to the entry.
2522                  */
2523
2524                 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, the_entry, the_permset) == -1) {
2525                         DEBUG(0,("set_canon_ace_list: Failed to add permset on entry %d. (%s)\n",
2526                                 i, strerror(errno) ));
2527                         goto fail;
2528                 }
2529
2530                 if( DEBUGLVL( 10 ))
2531                         print_canon_ace( p_ace, i);
2532
2533         }
2534
2535         if (needs_mask && !got_mask_entry) {
2536                 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &mask_entry) == -1) {
2537                         DEBUG(0,("set_canon_ace_list: Failed to create mask entry. (%s)\n", strerror(errno) ));
2538                         goto fail;
2539                 }
2540
2541                 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, mask_entry, SMB_ACL_MASK) == -1) {
2542                         DEBUG(0,("set_canon_ace_list: Failed to set tag type on mask entry. (%s)\n",strerror(errno) ));
2543                         goto fail;
2544                 }
2545
2546                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, mask_entry, &mask_permset) == -1) {
2547                         DEBUG(0,("set_canon_ace_list: Failed to get mask permset. (%s)\n", strerror(errno) ));
2548                         goto fail;
2549                 }
2550
2551                 if (map_acl_perms_to_permset(conn, S_IRUSR|S_IWUSR|S_IXUSR, &mask_permset) == -1) {
2552                         DEBUG(0,("set_canon_ace_list: Failed to create mask permset. (%s)\n", strerror(errno) ));
2553                         goto fail;
2554                 }
2555
2556                 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, mask_entry, mask_permset) == -1) {
2557                         DEBUG(0,("set_canon_ace_list: Failed to add mask permset. (%s)\n", strerror(errno) ));
2558                         goto fail;
2559                 }
2560         }
2561
2562         /*
2563          * Finally apply it to the file or directory.
2564          */
2565
2566         if(default_ace || fsp->is_directory || fsp->fh->fd == -1) {
2567                 if (SMB_VFS_SYS_ACL_SET_FILE(conn, fsp->fsp_name, the_acl_type, the_acl) == -1) {
2568                         /*
2569                          * Some systems allow all the above calls and only fail with no ACL support
2570                          * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
2571                          */
2572                         if (no_acl_syscall_error(errno)) {
2573                                 *pacl_set_support = False;
2574                         }
2575
2576                         if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {
2577                                 int sret;
2578
2579                                 DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
2580                                         fsp->fsp_name ));
2581
2582                                 become_root();
2583                                 sret = SMB_VFS_SYS_ACL_SET_FILE(conn, fsp->fsp_name, the_acl_type, the_acl);
2584                                 unbecome_root();
2585                                 if (sret == 0) {
2586                                         ret = True;     
2587                                 }
2588                         }
2589
2590                         if (ret == False) {
2591                                 DEBUG(2,("set_canon_ace_list: sys_acl_set_file type %s failed for file %s (%s).\n",
2592                                                 the_acl_type == SMB_ACL_TYPE_DEFAULT ? "directory default" : "file",
2593                                                 fsp->fsp_name, strerror(errno) ));
2594                                 goto fail;
2595                         }
2596                 }
2597         } else {
2598                 if (SMB_VFS_SYS_ACL_SET_FD(fsp, the_acl) == -1) {
2599                         /*
2600                          * Some systems allow all the above calls and only fail with no ACL support
2601                          * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
2602                          */
2603                         if (no_acl_syscall_error(errno)) {
2604                                 *pacl_set_support = False;
2605                         }
2606
2607                         if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {
2608                                 int sret;
2609
2610                                 DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
2611                                         fsp->fsp_name ));
2612
2613                                 become_root();
2614                                 sret = SMB_VFS_SYS_ACL_SET_FD(fsp, the_acl);
2615                                 unbecome_root();
2616                                 if (sret == 0) {
2617                                         ret = True;
2618                                 }
2619                         }
2620
2621                         if (ret == False) {
2622                                 DEBUG(2,("set_canon_ace_list: sys_acl_set_file failed for file %s (%s).\n",
2623                                                 fsp->fsp_name, strerror(errno) ));
2624                                 goto fail;
2625                         }
2626                 }
2627         }
2628
2629         ret = True;
2630
2631   fail:
2632
2633         if (the_acl != NULL) {
2634                 SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
2635         }
2636
2637         return ret;
2638 }
2639
2640 /****************************************************************************
2641  Find a particular canon_ace entry.
2642 ****************************************************************************/
2643
2644 static struct canon_ace *canon_ace_entry_for(struct canon_ace *list, SMB_ACL_TAG_T type, posix_id *id)
2645 {
2646         while (list) {
2647                 if (list->type == type && ((type != SMB_ACL_USER && type != SMB_ACL_GROUP) ||
2648                                 (type == SMB_ACL_USER  && id && id->uid == list->unix_ug.uid) ||
2649                                 (type == SMB_ACL_GROUP && id && id->gid == list->unix_ug.gid)))
2650                         break;
2651                 list = list->next;
2652         }
2653         return list;
2654 }
2655
2656 /****************************************************************************
2657  
2658 ****************************************************************************/
2659
2660 SMB_ACL_T free_empty_sys_acl(connection_struct *conn, SMB_ACL_T the_acl)
2661 {
2662         SMB_ACL_ENTRY_T entry;
2663
2664         if (!the_acl)
2665                 return NULL;
2666         if (SMB_VFS_SYS_ACL_GET_ENTRY(conn, the_acl, SMB_ACL_FIRST_ENTRY, &entry) != 1) {
2667                 SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
2668                 return NULL;
2669         }
2670         return the_acl;
2671 }
2672
2673 /****************************************************************************
2674  Convert a canon_ace to a generic 3 element permission - if possible.
2675 ****************************************************************************/
2676
2677 #define MAP_PERM(p,mask,result) (((p) & (mask)) ? (result) : 0 )
2678
2679 static bool convert_canon_ace_to_posix_perms( files_struct *fsp, canon_ace *file_ace_list, mode_t *posix_perms)
2680 {
2681         int snum = SNUM(fsp->conn);
2682         size_t ace_count = count_canon_ace_list(file_ace_list);
2683         canon_ace *ace_p;
2684         canon_ace *owner_ace = NULL;
2685         canon_ace *group_ace = NULL;
2686         canon_ace *other_ace = NULL;
2687         mode_t and_bits;
2688         mode_t or_bits;
2689
2690         if (ace_count != 3) {
2691                 DEBUG(3,("convert_canon_ace_to_posix_perms: Too many ACE entries for file %s to convert to \
2692 posix perms.\n", fsp->fsp_name ));
2693                 return False;
2694         }
2695
2696         for (ace_p = file_ace_list; ace_p; ace_p = ace_p->next) {
2697                 if (ace_p->owner_type == UID_ACE)
2698                         owner_ace = ace_p;
2699                 else if (ace_p->owner_type == GID_ACE)
2700                         group_ace = ace_p;
2701                 else if (ace_p->owner_type == WORLD_ACE)
2702                         other_ace = ace_p;
2703         }
2704
2705         if (!owner_ace || !group_ace || !other_ace) {
2706                 DEBUG(3,("convert_canon_ace_to_posix_perms: Can't get standard entries for file %s.\n",
2707                                 fsp->fsp_name ));
2708                 return False;
2709         }
2710
2711         *posix_perms = (mode_t)0;
2712
2713         *posix_perms |= owner_ace->perms;
2714         *posix_perms |= MAP_PERM(group_ace->perms, S_IRUSR, S_IRGRP);
2715         *posix_perms |= MAP_PERM(group_ace->perms, S_IWUSR, S_IWGRP);
2716         *posix_perms |= MAP_PERM(group_ace->perms, S_IXUSR, S_IXGRP);
2717         *posix_perms |= MAP_PERM(other_ace->perms, S_IRUSR, S_IROTH);
2718         *posix_perms |= MAP_PERM(other_ace->perms, S_IWUSR, S_IWOTH);
2719         *posix_perms |= MAP_PERM(other_ace->perms, S_IXUSR, S_IXOTH);
2720
2721         /* The owner must have at least read access. */
2722
2723         *posix_perms |= S_IRUSR;
2724         if (fsp->is_directory)
2725                 *posix_perms |= (S_IWUSR|S_IXUSR);
2726
2727         /* If requested apply the masks. */
2728
2729         /* Get the initial bits to apply. */
2730
2731         if (fsp->is_directory) {
2732                 and_bits = lp_dir_security_mask(snum);
2733                 or_bits = lp_force_dir_security_mode(snum);
2734         } else {
2735                 and_bits = lp_security_mask(snum);
2736                 or_bits = lp_force_security_mode(snum);
2737         }
2738
2739         *posix_perms = (((*posix_perms) & and_bits)|or_bits);
2740
2741         DEBUG(10,("convert_canon_ace_to_posix_perms: converted u=%o,g=%o,w=%o to perm=0%o for file %s.\n",
2742                 (int)owner_ace->perms, (int)group_ace->perms, (int)other_ace->perms, (int)*posix_perms,
2743                 fsp->fsp_name ));
2744
2745         return True;
2746 }
2747
2748 /****************************************************************************
2749   Incoming NT ACLs on a directory can be split into a default POSIX acl (CI|OI|IO) and
2750   a normal POSIX acl. Win2k needs these split acls re-merging into one ACL
2751   with CI|OI set so it is inherited and also applies to the directory.
2752   Based on code from "Jim McDonough" <jmcd@us.ibm.com>.
2753 ****************************************************************************/
2754
2755 static size_t merge_default_aces( SEC_ACE *nt_ace_list, size_t num_aces)
2756 {
2757         size_t i, j;
2758
2759         for (i = 0; i < num_aces; i++) {
2760                 for (j = i+1; j < num_aces; j++) {
2761                         uint32 i_flags_ni = (nt_ace_list[i].flags & ~SEC_ACE_FLAG_INHERITED_ACE);
2762                         uint32 j_flags_ni = (nt_ace_list[j].flags & ~SEC_ACE_FLAG_INHERITED_ACE);
2763                         bool i_inh = (nt_ace_list[i].flags & SEC_ACE_FLAG_INHERITED_ACE) ? True : False;
2764                         bool j_inh = (nt_ace_list[j].flags & SEC_ACE_FLAG_INHERITED_ACE) ? True : False;
2765
2766                         /* We know the lower number ACE's are file entries. */
2767                         if ((nt_ace_list[i].type == nt_ace_list[j].type) &&
2768                                 (nt_ace_list[i].size == nt_ace_list[j].size) &&
2769                                 (nt_ace_list[i].access_mask == nt_ace_list[j].access_mask) &&
2770                                 sid_equal(&nt_ace_list[i].trustee, &nt_ace_list[j].trustee) &&
2771                                 (i_inh == j_inh) &&
2772                                 (i_flags_ni == 0) &&
2773                                 (j_flags_ni == (SEC_ACE_FLAG_OBJECT_INHERIT|
2774                                                   SEC_ACE_FLAG_CONTAINER_INHERIT|
2775                                                   SEC_ACE_FLAG_INHERIT_ONLY))) {
2776                                 /*
2777                                  * W2K wants to have access allowed zero access ACE's
2778                                  * at the end of the list. If the mask is zero, merge
2779                                  * the non-inherited ACE onto the inherited ACE.
2780                                  */
2781
2782                                 if (nt_ace_list[i].access_mask == 0) {
2783                                         nt_ace_list[j].flags = SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
2784                                                                 (i_inh ? SEC_ACE_FLAG_INHERITED_ACE : 0);
2785                                         if (num_aces - i - 1 > 0)
2786                                                 memmove(&nt_ace_list[i], &nt_ace_list[i+1], (num_aces-i-1) *
2787                                                                 sizeof(SEC_ACE));
2788
2789                                         DEBUG(10,("merge_default_aces: Merging zero access ACE %u onto ACE %u.\n",
2790                                                 (unsigned int)i, (unsigned int)j ));
2791                                 } else {
2792                                         /*
2793                                          * These are identical except for the flags.
2794                                          * Merge the inherited ACE onto the non-inherited ACE.
2795                                          */
2796
2797                                         nt_ace_list[i].flags = SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
2798                                                                 (i_inh ? SEC_ACE_FLAG_INHERITED_ACE : 0);
2799                                         if (num_aces - j - 1 > 0)
2800                                                 memmove(&nt_ace_list[j], &nt_ace_list[j+1], (num_aces-j-1) *
2801                                                                 sizeof(SEC_ACE));
2802
2803                                         DEBUG(10,("merge_default_aces: Merging ACE %u onto ACE %u.\n",
2804                                                 (unsigned int)j, (unsigned int)i ));
2805                                 }
2806                                 num_aces--;
2807                                 break;
2808                         }
2809                 }
2810         }
2811
2812         return num_aces;
2813 }
2814
2815 /****************************************************************************
2816  Reply to query a security descriptor from an fsp. If it succeeds it allocates
2817  the space for the return elements and returns the size needed to return the
2818  security descriptor. This should be the only external function needed for
2819  the UNIX style get ACL.
2820 ****************************************************************************/
2821
2822 static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
2823                                       const char *name,
2824                                       const SMB_STRUCT_STAT *sbuf,
2825                                       struct pai_val *pal,
2826                                       SMB_ACL_T posix_acl,
2827                                       SMB_ACL_T def_acl,
2828                                       uint32_t security_info,
2829                                       SEC_DESC **ppdesc)
2830 {
2831         DOM_SID owner_sid;
2832         DOM_SID group_sid;
2833         size_t sd_size = 0;
2834         SEC_ACL *psa = NULL;
2835         size_t num_acls = 0;
2836         size_t num_def_acls = 0;
2837         size_t num_aces = 0;
2838         canon_ace *file_ace = NULL;
2839         canon_ace *dir_ace = NULL;
2840         SEC_ACE *nt_ace_list = NULL;
2841         size_t num_profile_acls = 0;
2842         SEC_DESC *psd = NULL;
2843
2844         /*
2845          * Get the owner, group and world SIDs.
2846          */
2847
2848         if (lp_profile_acls(SNUM(conn))) {
2849                 /* For WXP SP1 the owner must be administrators. */
2850                 sid_copy(&owner_sid, &global_sid_Builtin_Administrators);
2851                 sid_copy(&group_sid, &global_sid_Builtin_Users);
2852                 num_profile_acls = 2;
2853         } else {
2854                 create_file_sids(sbuf, &owner_sid, &group_sid);
2855         }
2856
2857         if ((security_info & DACL_SECURITY_INFORMATION) && !(security_info & PROTECTED_DACL_SECURITY_INFORMATION)) {
2858
2859                 /*
2860                  * In the optimum case Creator Owner and Creator Group would be used for
2861                  * the ACL_USER_OBJ and ACL_GROUP_OBJ entries, respectively, but this
2862                  * would lead to usability problems under Windows: The Creator entries
2863                  * are only available in browse lists of directories and not for files;
2864                  * additionally the identity of the owning group couldn't be determined.
2865                  * We therefore use those identities only for Default ACLs. 
2866                  */
2867
2868                 /* Create the canon_ace lists. */
2869                 file_ace = canonicalise_acl(conn, name, posix_acl, sbuf,
2870                                             &owner_sid, &group_sid, pal,
2871                                             SMB_ACL_TYPE_ACCESS);
2872
2873                 /* We must have *some* ACLS. */
2874         
2875                 if (count_canon_ace_list(file_ace) == 0) {
2876                         DEBUG(0,("get_nt_acl : No ACLs on file (%s) !\n", name));
2877                         goto done;
2878                 }
2879
2880                 if (S_ISDIR(sbuf->st_mode) && def_acl) {
2881                         dir_ace = canonicalise_acl(conn, name, def_acl,
2882                                                    sbuf,
2883                                                    &global_sid_Creator_Owner,
2884                                                    &global_sid_Creator_Group,
2885                                                    pal, SMB_ACL_TYPE_DEFAULT);
2886                 }
2887
2888                 /*
2889                  * Create the NT ACE list from the canonical ace lists.
2890                  */
2891
2892                 {
2893                         canon_ace *ace;
2894                         enum security_ace_type nt_acl_type;
2895
2896                         if (nt4_compatible_acls() && dir_ace) {
2897                                 /*
2898                                  * NT 4 chokes if an ACL contains an INHERIT_ONLY entry
2899                                  * but no non-INHERIT_ONLY entry for one SID. So we only
2900                                  * remove entries from the Access ACL if the
2901                                  * corresponding Default ACL entries have also been
2902                                  * removed. ACEs for CREATOR-OWNER and CREATOR-GROUP
2903                                  * are exceptions. We can do nothing
2904                                  * intelligent if the Default ACL contains entries that
2905                                  * are not also contained in the Access ACL, so this
2906                                  * case will still fail under NT 4.
2907                                  */
2908
2909                                 ace = canon_ace_entry_for(dir_ace, SMB_ACL_OTHER, NULL);
2910                                 if (ace && !ace->perms) {
2911                                         DLIST_REMOVE(dir_ace, ace);
2912                                         SAFE_FREE(ace);
2913
2914                                         ace = canon_ace_entry_for(file_ace, SMB_ACL_OTHER, NULL);
2915                                         if (ace && !ace->perms) {
2916                                                 DLIST_REMOVE(file_ace, ace);
2917                                                 SAFE_FREE(ace);
2918                                         }
2919                                 }
2920
2921                                 /*
2922                                  * WinNT doesn't usually have Creator Group
2923                                  * in browse lists, so we send this entry to
2924                                  * WinNT even if it contains no relevant
2925                                  * permissions. Once we can add
2926                                  * Creator Group to browse lists we can
2927                                  * re-enable this.
2928                                  */
2929
2930 #if 0
2931                                 ace = canon_ace_entry_for(dir_ace, SMB_ACL_GROUP_OBJ, NULL);
2932                                 if (ace && !ace->perms) {
2933                                         DLIST_REMOVE(dir_ace, ace);
2934                                         SAFE_FREE(ace);
2935                                 }
2936 #endif
2937
2938                                 ace = canon_ace_entry_for(file_ace, SMB_ACL_GROUP_OBJ, NULL);
2939                                 if (ace && !ace->perms) {
2940                                         DLIST_REMOVE(file_ace, ace);
2941                                         SAFE_FREE(ace);
2942                                 }
2943                         }
2944
2945                         num_acls = count_canon_ace_list(file_ace);
2946                         num_def_acls = count_canon_ace_list(dir_ace);
2947
2948                         /* Allocate the ace list. */
2949                         if ((nt_ace_list = SMB_MALLOC_ARRAY(SEC_ACE,num_acls + num_profile_acls + num_def_acls)) == NULL) {
2950                                 DEBUG(0,("get_nt_acl: Unable to malloc space for nt_ace_list.\n"));
2951                                 goto done;
2952                         }
2953
2954                         memset(nt_ace_list, '\0', (num_acls + num_def_acls) * sizeof(SEC_ACE) );
2955
2956                         /*
2957                          * Create the NT ACE list from the canonical ace lists.
2958                          */
2959
2960                         for (ace = file_ace; ace != NULL; ace = ace->next) {
2961                                 SEC_ACCESS acc;
2962
2963                                 acc = map_canon_ace_perms(SNUM(conn),
2964                                                 &nt_acl_type,
2965                                                 ace->perms,
2966                                                 S_ISDIR(sbuf->st_mode));
2967                                 init_sec_ace(&nt_ace_list[num_aces++],
2968                                         &ace->trustee,
2969                                         nt_acl_type,
2970                                         acc,
2971                                         ace->inherited ?
2972                                                 SEC_ACE_FLAG_INHERITED_ACE : 0);
2973                         }
2974
2975                         /* The User must have access to a profile share - even
2976                          * if we can't map the SID. */
2977                         if (lp_profile_acls(SNUM(conn))) {
2978                                 SEC_ACCESS acc;
2979
2980                                 init_sec_access(&acc,FILE_GENERIC_ALL);
2981                                 init_sec_ace(&nt_ace_list[num_aces++],
2982                                                 &global_sid_Builtin_Users,
2983                                                 SEC_ACE_TYPE_ACCESS_ALLOWED,
2984                                                 acc, 0);
2985                         }
2986
2987                         for (ace = dir_ace; ace != NULL; ace = ace->next) {
2988                                 SEC_ACCESS acc;
2989
2990                                 acc = map_canon_ace_perms(SNUM(conn),
2991                                                 &nt_acl_type,
2992                                                 ace->perms,
2993                                                 S_ISDIR(sbuf->st_mode));
2994                                 init_sec_ace(&nt_ace_list[num_aces++],
2995                                         &ace->trustee,
2996                                         nt_acl_type,
2997                                         acc,
2998                                         SEC_ACE_FLAG_OBJECT_INHERIT|
2999                                         SEC_ACE_FLAG_CONTAINER_INHERIT|
3000                                         SEC_ACE_FLAG_INHERIT_ONLY|
3001                                         (ace->inherited ?
3002                                            SEC_ACE_FLAG_INHERITED_ACE : 0));
3003                         }
3004
3005                         /* The User must have access to a profile share - even
3006                          * if we can't map the SID. */
3007                         if (lp_profile_acls(SNUM(conn))) {
3008                                 SEC_ACCESS acc;
3009
3010                                 init_sec_access(&acc,FILE_GENERIC_ALL);
3011                                 init_sec_ace(&nt_ace_list[num_aces++], &global_sid_Builtin_Users, SEC_ACE_TYPE_ACCESS_ALLOWED, acc,
3012                                                 SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
3013                                                 SEC_ACE_FLAG_INHERIT_ONLY|0);
3014                         }
3015
3016                         /*
3017                          * Merge POSIX default ACLs and normal ACLs into one NT ACE.
3018                          * Win2K needs this to get the inheritance correct when replacing ACLs
3019                          * on a directory tree. Based on work by Jim @ IBM.
3020                          */
3021
3022                         num_aces = merge_default_aces(nt_ace_list, num_aces);
3023
3024                 }
3025
3026                 if (num_aces) {
3027                         if((psa = make_sec_acl( talloc_tos(), NT4_ACL_REVISION, num_aces, nt_ace_list)) == NULL) {
3028                                 DEBUG(0,("get_nt_acl: Unable to malloc space for acl.\n"));
3029                                 goto done;
3030                         }
3031                 }
3032         } /* security_info & DACL_SECURITY_INFORMATION */
3033
3034         psd = make_standard_sec_desc( talloc_tos(),
3035                         (security_info & OWNER_SECURITY_INFORMATION) ? &owner_sid : NULL,
3036                         (security_info & GROUP_SECURITY_INFORMATION) ? &group_sid : NULL,
3037                         psa,
3038                         &sd_size);
3039
3040         if(!psd) {
3041                 DEBUG(0,("get_nt_acl: Unable to malloc space for security descriptor.\n"));
3042                 sd_size = 0;
3043                 goto done;
3044         }
3045
3046         /*
3047          * Windows 2000: The DACL_PROTECTED flag in the security
3048          * descriptor marks the ACL as non-inheriting, i.e., no
3049          * ACEs from higher level directories propagate to this
3050          * ACL. In the POSIX ACL model permissions are only
3051          * inherited at file create time, so ACLs never contain
3052          * any ACEs that are inherited dynamically. The DACL_PROTECTED
3053          * flag doesn't seem to bother Windows NT.
3054          * Always set this if map acl inherit is turned off.
3055          */
3056         if (get_protected_flag(pal) || !lp_map_acl_inherit(SNUM(conn))) {
3057                 psd->type |= SE_DESC_DACL_PROTECTED;
3058         }
3059
3060         if (psd->dacl) {
3061                 dacl_sort_into_canonical_order(psd->dacl->aces, (unsigned int)psd->dacl->num_aces);
3062         }
3063
3064         *ppdesc = psd;
3065
3066  done:
3067
3068         if (posix_acl) {
3069                 SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
3070         }
3071         if (def_acl) {
3072                 SMB_VFS_SYS_ACL_FREE_ACL(conn, def_acl);
3073         }
3074         free_canon_ace_list(file_ace);
3075         free_canon_ace_list(dir_ace);
3076         free_inherited_info(pal);
3077         SAFE_FREE(nt_ace_list);
3078
3079         return NT_STATUS_OK;
3080 }
3081
3082 NTSTATUS posix_fget_nt_acl(struct files_struct *fsp, uint32_t security_info,
3083                            SEC_DESC **ppdesc)
3084 {
3085         SMB_STRUCT_STAT sbuf;
3086         SMB_ACL_T posix_acl = NULL;
3087         struct pai_val *pal;
3088
3089         *ppdesc = NULL;
3090
3091         DEBUG(10,("posix_fget_nt_acl: called for file %s\n", fsp->fsp_name ));
3092
3093         /* can it happen that fsp_name == NULL ? */
3094         if (fsp->is_directory ||  fsp->fh->fd == -1) {
3095                 return posix_get_nt_acl(fsp->conn, fsp->fsp_name,
3096                                         security_info, ppdesc);
3097         }
3098
3099         /* Get the stat struct for the owner info. */
3100         if(SMB_VFS_FSTAT(fsp, &sbuf) != 0) {
3101                 return map_nt_error_from_unix(errno);
3102         }
3103
3104         /* Get the ACL from the fd. */
3105         posix_acl = SMB_VFS_SYS_ACL_GET_FD(fsp);
3106
3107         pal = fload_inherited_info(fsp);
3108
3109         return posix_get_nt_acl_common(fsp->conn, fsp->fsp_name, &sbuf, pal,
3110                                        posix_acl, NULL, security_info, ppdesc);
3111 }
3112
3113 NTSTATUS posix_get_nt_acl(struct connection_struct *conn, const char *name,
3114                           uint32_t security_info, SEC_DESC **ppdesc)
3115 {
3116         SMB_STRUCT_STAT sbuf;
3117         SMB_ACL_T posix_acl = NULL;
3118         SMB_ACL_T def_acl = NULL;
3119         struct pai_val *pal;
3120
3121         *ppdesc = NULL;
3122
3123         DEBUG(10,("posix_get_nt_acl: called for file %s\n", name ));
3124
3125         /* Get the stat struct for the owner info. */
3126         if(SMB_VFS_STAT(conn, name, &sbuf) != 0) {
3127                 return map_nt_error_from_unix(errno);
3128         }
3129
3130         /* Get the ACL from the path. */
3131         posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, name, SMB_ACL_TYPE_ACCESS);
3132
3133         /* If it's a directory get the default POSIX ACL. */
3134         if(S_ISDIR(sbuf.st_mode)) {
3135                 def_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, name, SMB_ACL_TYPE_DEFAULT);
3136                 def_acl = free_empty_sys_acl(conn, def_acl);
3137         }
3138
3139         pal = load_inherited_info(conn, name);
3140
3141         return posix_get_nt_acl_common(conn, name, &sbuf, pal, posix_acl,
3142                                        def_acl, security_info, ppdesc);
3143 }
3144
3145 /****************************************************************************
3146  Try to chown a file. We will be able to chown it under the following conditions.
3147
3148   1) If we have root privileges, then it will just work.
3149   2) If we have SeTakeOwnershipPrivilege we can change the user to the current user.
3150   3) If we have SeRestorePrivilege we can change the user to any other user. 
3151   4) If we have write permission to the file and dos_filemodes is set
3152      then allow chown to the currently authenticated user.
3153 ****************************************************************************/
3154
3155 int try_chown(connection_struct *conn, const char *fname, uid_t uid, gid_t gid)
3156 {
3157     &