s3: Modify direct callers of open_file_ntcreate and open_directory to call SMB_VFS_CR...
[samba.git] / source3 / smbd / posix_acls.c
1 /*
2    Unix SMB/CIFS implementation.
3    SMB NT Security Descriptor / Unix permission conversion.
4    Copyright (C) Jeremy Allison 1994-2000.
5    Copyright (C) Andreas Gruenbacher 2002.
6
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License as published by
9    the Free Software Foundation; either version 3 of the License, or
10    (at your option) any later version.
11
12    This program is distributed in the hope that it will be useful,
13    but WITHOUT ANY WARRANTY; without even the implied warranty of
14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15    GNU General Public License for more details.
16
17    You should have received a copy of the GNU General Public License
18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22
23 extern struct current_user current_user;
24 extern const struct generic_mapping file_generic_mapping;
25
26 #undef  DBGC_CLASS
27 #define DBGC_CLASS DBGC_ACLS
28
29 /****************************************************************************
30  Data structures representing the internal ACE format.
31 ****************************************************************************/
32
33 enum ace_owner {UID_ACE, GID_ACE, WORLD_ACE};
34 enum ace_attribute {ALLOW_ACE, DENY_ACE}; /* Used for incoming NT ACLS. */
35
36 typedef union posix_id {
37                 uid_t uid;
38                 gid_t gid;
39                 int world;
40 } posix_id;
41
42 typedef struct canon_ace {
43         struct canon_ace *next, *prev;
44         SMB_ACL_TAG_T type;
45         mode_t perms; /* Only use S_I(R|W|X)USR mode bits here. */
46         DOM_SID trustee;
47         enum ace_owner owner_type;
48         enum ace_attribute attr;
49         posix_id unix_ug;
50         bool inherited;
51 } canon_ace;
52
53 #define ALL_ACE_PERMS (S_IRUSR|S_IWUSR|S_IXUSR)
54
55 /*
56  * EA format of user.SAMBA_PAI (Samba_Posix_Acl_Interitance)
57  * attribute on disk.
58  *
59  * |  1   |  1   |   2         |         2           |  .... 
60  * +------+------+-------------+---------------------+-------------+--------------------+
61  * | vers | flag | num_entries | num_default_entries | ..entries.. | default_entries... |
62  * +------+------+-------------+---------------------+-------------+--------------------+
63  */
64
65 #define PAI_VERSION_OFFSET      0
66 #define PAI_FLAG_OFFSET         1
67 #define PAI_NUM_ENTRIES_OFFSET  2
68 #define PAI_NUM_DEFAULT_ENTRIES_OFFSET  4
69 #define PAI_ENTRIES_BASE        6
70
71 #define PAI_VERSION             1
72 #define PAI_ACL_FLAG_PROTECTED  0x1
73 #define PAI_ENTRY_LENGTH        5
74
75 /*
76  * In memory format of user.SAMBA_PAI attribute.
77  */
78
79 struct pai_entry {
80         struct pai_entry *next, *prev;
81         enum ace_owner owner_type;
82         posix_id unix_ug;
83 };
84
85 struct pai_val {
86         bool pai_protected;
87         unsigned int num_entries;
88         struct pai_entry *entry_list;
89         unsigned int num_def_entries;
90         struct pai_entry *def_entry_list;
91 };
92
93 /************************************************************************
94  Return a uint32 of the pai_entry principal.
95 ************************************************************************/
96
97 static uint32 get_pai_entry_val(struct pai_entry *paie)
98 {
99         switch (paie->owner_type) {
100                 case UID_ACE:
101                         DEBUG(10,("get_pai_entry_val: uid = %u\n", (unsigned int)paie->unix_ug.uid ));
102                         return (uint32)paie->unix_ug.uid;
103                 case GID_ACE:
104                         DEBUG(10,("get_pai_entry_val: gid = %u\n", (unsigned int)paie->unix_ug.gid ));
105                         return (uint32)paie->unix_ug.gid;
106                 case WORLD_ACE:
107                 default:
108                         DEBUG(10,("get_pai_entry_val: world ace\n"));
109                         return (uint32)-1;
110         }
111 }
112
113 /************************************************************************
114  Return a uint32 of the entry principal.
115 ************************************************************************/
116
117 static uint32 get_entry_val(canon_ace *ace_entry)
118 {
119         switch (ace_entry->owner_type) {
120                 case UID_ACE:
121                         DEBUG(10,("get_entry_val: uid = %u\n", (unsigned int)ace_entry->unix_ug.uid ));
122                         return (uint32)ace_entry->unix_ug.uid;
123                 case GID_ACE:
124                         DEBUG(10,("get_entry_val: gid = %u\n", (unsigned int)ace_entry->unix_ug.gid ));
125                         return (uint32)ace_entry->unix_ug.gid;
126                 case WORLD_ACE:
127                 default:
128                         DEBUG(10,("get_entry_val: world ace\n"));
129                         return (uint32)-1;
130         }
131 }
132
133 /************************************************************************
134  Count the inherited entries.
135 ************************************************************************/
136
137 static unsigned int num_inherited_entries(canon_ace *ace_list)
138 {
139         unsigned int num_entries = 0;
140
141         for (; ace_list; ace_list = ace_list->next)
142                 if (ace_list->inherited)
143                         num_entries++;
144         return num_entries;
145 }
146
147 /************************************************************************
148  Create the on-disk format. Caller must free.
149 ************************************************************************/
150
151 static char *create_pai_buf(canon_ace *file_ace_list, canon_ace *dir_ace_list, bool pai_protected, size_t *store_size)
152 {
153         char *pai_buf = NULL;
154         canon_ace *ace_list = NULL;
155         char *entry_offset = NULL;
156         unsigned int num_entries = 0;
157         unsigned int num_def_entries = 0;
158
159         for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next)
160                 if (ace_list->inherited)
161                         num_entries++;
162
163         for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next)
164                 if (ace_list->inherited)
165                         num_def_entries++;
166
167         DEBUG(10,("create_pai_buf: num_entries = %u, num_def_entries = %u\n", num_entries, num_def_entries ));
168
169         *store_size = PAI_ENTRIES_BASE + ((num_entries + num_def_entries)*PAI_ENTRY_LENGTH);
170
171         pai_buf = (char *)SMB_MALLOC(*store_size);
172         if (!pai_buf) {
173                 return NULL;
174         }
175
176         /* Set up the header. */
177         memset(pai_buf, '\0', PAI_ENTRIES_BASE);
178         SCVAL(pai_buf,PAI_VERSION_OFFSET,PAI_VERSION);
179         SCVAL(pai_buf,PAI_FLAG_OFFSET,(pai_protected ? PAI_ACL_FLAG_PROTECTED : 0));
180         SSVAL(pai_buf,PAI_NUM_ENTRIES_OFFSET,num_entries);
181         SSVAL(pai_buf,PAI_NUM_DEFAULT_ENTRIES_OFFSET,num_def_entries);
182
183         entry_offset = pai_buf + PAI_ENTRIES_BASE;
184
185         for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next) {
186                 if (ace_list->inherited) {
187                         uint8 type_val = (unsigned char)ace_list->owner_type;
188                         uint32 entry_val = get_entry_val(ace_list);
189
190                         SCVAL(entry_offset,0,type_val);
191                         SIVAL(entry_offset,1,entry_val);
192                         entry_offset += PAI_ENTRY_LENGTH;
193                 }
194         }
195
196         for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next) {
197                 if (ace_list->inherited) {
198                         uint8 type_val = (unsigned char)ace_list->owner_type;
199                         uint32 entry_val = get_entry_val(ace_list);
200
201                         SCVAL(entry_offset,0,type_val);
202                         SIVAL(entry_offset,1,entry_val);
203                         entry_offset += PAI_ENTRY_LENGTH;
204                 }
205         }
206
207         return pai_buf;
208 }
209
210 /************************************************************************
211  Store the user.SAMBA_PAI attribute on disk.
212 ************************************************************************/
213
214 static void store_inheritance_attributes(files_struct *fsp, canon_ace *file_ace_list,
215                                         canon_ace *dir_ace_list, bool pai_protected)
216 {
217         int ret;
218         size_t store_size;
219         char *pai_buf;
220
221         if (!lp_map_acl_inherit(SNUM(fsp->conn)))
222                 return;
223
224         /*
225          * Don't store if this ACL isn't protected and
226          * none of the entries in it are marked as inherited.
227          */
228
229         if (!pai_protected && num_inherited_entries(file_ace_list) == 0 && num_inherited_entries(dir_ace_list) == 0) {
230                 /* Instead just remove the attribute if it exists. */
231                 if (fsp->fh->fd != -1)
232                         SMB_VFS_FREMOVEXATTR(fsp, SAMBA_POSIX_INHERITANCE_EA_NAME);
233                 else
234                         SMB_VFS_REMOVEXATTR(fsp->conn, fsp->fsp_name, SAMBA_POSIX_INHERITANCE_EA_NAME);
235                 return;
236         }
237
238         pai_buf = create_pai_buf(file_ace_list, dir_ace_list, pai_protected, &store_size);
239
240         if (fsp->fh->fd != -1)
241                 ret = SMB_VFS_FSETXATTR(fsp, SAMBA_POSIX_INHERITANCE_EA_NAME,
242                                 pai_buf, store_size, 0);
243         else
244                 ret = SMB_VFS_SETXATTR(fsp->conn,fsp->fsp_name, SAMBA_POSIX_INHERITANCE_EA_NAME,
245                                 pai_buf, store_size, 0);
246
247         SAFE_FREE(pai_buf);
248
249         DEBUG(10,("store_inheritance_attribute:%s for file %s\n", pai_protected ? " (protected)" : "", fsp->fsp_name));
250         if (ret == -1 && !no_acl_syscall_error(errno))
251                 DEBUG(1,("store_inheritance_attribute: Error %s\n", strerror(errno) ));
252 }
253
254 /************************************************************************
255  Delete the in memory inheritance info.
256 ************************************************************************/
257
258 static void free_inherited_info(struct pai_val *pal)
259 {
260         if (pal) {
261                 struct pai_entry *paie, *paie_next;
262                 for (paie = pal->entry_list; paie; paie = paie_next) {
263                         paie_next = paie->next;
264                         SAFE_FREE(paie);
265                 }
266                 for (paie = pal->def_entry_list; paie; paie = paie_next) {
267                         paie_next = paie->next;
268                         SAFE_FREE(paie);
269                 }
270                 SAFE_FREE(pal);
271         }
272 }
273
274 /************************************************************************
275  Was this ACL protected ?
276 ************************************************************************/
277
278 static bool get_protected_flag(struct pai_val *pal)
279 {
280         if (!pal)
281                 return False;
282         return pal->pai_protected;
283 }
284
285 /************************************************************************
286  Was this ACE inherited ?
287 ************************************************************************/
288
289 static bool get_inherited_flag(struct pai_val *pal, canon_ace *ace_entry, bool default_ace)
290 {
291         struct pai_entry *paie;
292
293         if (!pal)
294                 return False;
295
296         /* If the entry exists it is inherited. */
297         for (paie = (default_ace ? pal->def_entry_list : pal->entry_list); paie; paie = paie->next) {
298                 if (ace_entry->owner_type == paie->owner_type &&
299                                 get_entry_val(ace_entry) == get_pai_entry_val(paie))
300                         return True;
301         }
302         return False;
303 }
304
305 /************************************************************************
306  Ensure an attribute just read is valid.
307 ************************************************************************/
308
309 static bool check_pai_ok(char *pai_buf, size_t pai_buf_data_size)
310 {
311         uint16 num_entries;
312         uint16 num_def_entries;
313
314         if (pai_buf_data_size < PAI_ENTRIES_BASE) {
315                 /* Corrupted - too small. */
316                 return False;
317         }
318
319         if (CVAL(pai_buf,PAI_VERSION_OFFSET) != PAI_VERSION)
320                 return False;
321
322         num_entries = SVAL(pai_buf,PAI_NUM_ENTRIES_OFFSET);
323         num_def_entries = SVAL(pai_buf,PAI_NUM_DEFAULT_ENTRIES_OFFSET);
324
325         /* Check the entry lists match. */
326         /* Each entry is 5 bytes (type plus 4 bytes of uid or gid). */
327
328         if (((num_entries + num_def_entries)*PAI_ENTRY_LENGTH) + PAI_ENTRIES_BASE != pai_buf_data_size)
329                 return False;
330
331         return True;
332 }
333
334
335 /************************************************************************
336  Convert to in-memory format.
337 ************************************************************************/
338
339 static struct pai_val *create_pai_val(char *buf, size_t size)
340 {
341         char *entry_offset;
342         struct pai_val *paiv = NULL;
343         int i;
344
345         if (!check_pai_ok(buf, size))
346                 return NULL;
347
348         paiv = SMB_MALLOC_P(struct pai_val);
349         if (!paiv)
350                 return NULL;
351
352         memset(paiv, '\0', sizeof(struct pai_val));
353
354         paiv->pai_protected = (CVAL(buf,PAI_FLAG_OFFSET) == PAI_ACL_FLAG_PROTECTED);
355
356         paiv->num_entries = SVAL(buf,PAI_NUM_ENTRIES_OFFSET);
357         paiv->num_def_entries = SVAL(buf,PAI_NUM_DEFAULT_ENTRIES_OFFSET);
358
359         entry_offset = buf + PAI_ENTRIES_BASE;
360
361         DEBUG(10,("create_pai_val:%s num_entries = %u, num_def_entries = %u\n",
362                         paiv->pai_protected ? " (pai_protected)" : "", paiv->num_entries, paiv->num_def_entries ));
363
364         for (i = 0; i < paiv->num_entries; i++) {
365                 struct pai_entry *paie;
366
367                 paie = SMB_MALLOC_P(struct pai_entry);
368                 if (!paie) {
369                         free_inherited_info(paiv);
370                         return NULL;
371                 }
372
373                 paie->owner_type = (enum ace_owner)CVAL(entry_offset,0);
374                 switch( paie->owner_type) {
375                         case UID_ACE:
376                                 paie->unix_ug.uid = (uid_t)IVAL(entry_offset,1);
377                                 DEBUG(10,("create_pai_val: uid = %u\n", (unsigned int)paie->unix_ug.uid ));
378                                 break;
379                         case GID_ACE:
380                                 paie->unix_ug.gid = (gid_t)IVAL(entry_offset,1);
381                                 DEBUG(10,("create_pai_val: gid = %u\n", (unsigned int)paie->unix_ug.gid ));
382                                 break;
383                         case WORLD_ACE:
384                                 paie->unix_ug.world = -1;
385                                 DEBUG(10,("create_pai_val: world ace\n"));
386                                 break;
387                         default:
388                                 free_inherited_info(paiv);
389                                 return NULL;
390                 }
391                 entry_offset += PAI_ENTRY_LENGTH;
392                 DLIST_ADD(paiv->entry_list, paie);
393         }
394
395         for (i = 0; i < paiv->num_def_entries; i++) {
396                 struct pai_entry *paie;
397
398                 paie = SMB_MALLOC_P(struct pai_entry);
399                 if (!paie) {
400                         free_inherited_info(paiv);
401                         return NULL;
402                 }
403
404                 paie->owner_type = (enum ace_owner)CVAL(entry_offset,0);
405                 switch( paie->owner_type) {
406                         case UID_ACE:
407                                 paie->unix_ug.uid = (uid_t)IVAL(entry_offset,1);
408                                 DEBUG(10,("create_pai_val: (def) uid = %u\n", (unsigned int)paie->unix_ug.uid ));
409                                 break;
410                         case GID_ACE:
411                                 paie->unix_ug.gid = (gid_t)IVAL(entry_offset,1);
412                                 DEBUG(10,("create_pai_val: (def) gid = %u\n", (unsigned int)paie->unix_ug.gid ));
413                                 break;
414                         case WORLD_ACE:
415                                 paie->unix_ug.world = -1;
416                                 DEBUG(10,("create_pai_val: (def) world ace\n"));
417                                 break;
418                         default:
419                                 free_inherited_info(paiv);
420                                 return NULL;
421                 }
422                 entry_offset += PAI_ENTRY_LENGTH;
423                 DLIST_ADD(paiv->def_entry_list, paie);
424         }
425
426         return paiv;
427 }
428
429 /************************************************************************
430  Load the user.SAMBA_PAI attribute.
431 ************************************************************************/
432
433 static struct pai_val *fload_inherited_info(files_struct *fsp)
434 {
435         char *pai_buf;
436         size_t pai_buf_size = 1024;
437         struct pai_val *paiv = NULL;
438         ssize_t ret;
439
440         if (!lp_map_acl_inherit(SNUM(fsp->conn)))
441                 return NULL;
442
443         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL)
444                 return NULL;
445
446         do {
447                 if (fsp->fh->fd != -1)
448                         ret = SMB_VFS_FGETXATTR(fsp, SAMBA_POSIX_INHERITANCE_EA_NAME,
449                                         pai_buf, pai_buf_size);
450                 else
451                         ret = SMB_VFS_GETXATTR(fsp->conn,fsp->fsp_name,SAMBA_POSIX_INHERITANCE_EA_NAME,
452                                         pai_buf, pai_buf_size);
453
454                 if (ret == -1) {
455                         if (errno != ERANGE) {
456                                 break;
457                         }
458                         /* Buffer too small - enlarge it. */
459                         pai_buf_size *= 2;
460                         SAFE_FREE(pai_buf);
461                         if (pai_buf_size > 1024*1024) {
462                                 return NULL; /* Limit malloc to 1mb. */
463                         }
464                         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL)
465                                 return NULL;
466                 }
467         } while (ret == -1);
468
469         DEBUG(10,("load_inherited_info: ret = %lu for file %s\n", (unsigned long)ret, fsp->fsp_name));
470
471         if (ret == -1) {
472                 /* No attribute or not supported. */
473 #if defined(ENOATTR)
474                 if (errno != ENOATTR)
475                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
476 #else
477                 if (errno != ENOSYS)
478                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
479 #endif
480                 SAFE_FREE(pai_buf);
481                 return NULL;
482         }
483
484         paiv = create_pai_val(pai_buf, ret);
485
486         if (paiv && paiv->pai_protected)
487                 DEBUG(10,("load_inherited_info: ACL is protected for file %s\n", fsp->fsp_name));
488
489         SAFE_FREE(pai_buf);
490         return paiv;
491 }
492
493 /************************************************************************
494  Load the user.SAMBA_PAI attribute.
495 ************************************************************************/
496
497 static struct pai_val *load_inherited_info(const struct connection_struct *conn,
498                                            const char *fname)
499 {
500         char *pai_buf;
501         size_t pai_buf_size = 1024;
502         struct pai_val *paiv = NULL;
503         ssize_t ret;
504
505         if (!lp_map_acl_inherit(SNUM(conn))) {
506                 return NULL;
507         }
508
509         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL) {
510                 return NULL;
511         }
512
513         do {
514                 ret = SMB_VFS_GETXATTR(conn, fname,
515                                        SAMBA_POSIX_INHERITANCE_EA_NAME,
516                                        pai_buf, pai_buf_size);
517
518                 if (ret == -1) {
519                         if (errno != ERANGE) {
520                                 break;
521                         }
522                         /* Buffer too small - enlarge it. */
523                         pai_buf_size *= 2;
524                         SAFE_FREE(pai_buf);
525                         if (pai_buf_size > 1024*1024) {
526                                 return NULL; /* Limit malloc to 1mb. */
527                         }
528                         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL)
529                                 return NULL;
530                 }
531         } while (ret == -1);
532
533         DEBUG(10,("load_inherited_info: ret = %lu for file %s\n", (unsigned long)ret, fname));
534
535         if (ret == -1) {
536                 /* No attribute or not supported. */
537 #if defined(ENOATTR)
538                 if (errno != ENOATTR)
539                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
540 #else
541                 if (errno != ENOSYS)
542                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
543 #endif
544                 SAFE_FREE(pai_buf);
545                 return NULL;
546         }
547
548         paiv = create_pai_val(pai_buf, ret);
549
550         if (paiv && paiv->pai_protected) {
551                 DEBUG(10,("load_inherited_info: ACL is protected for file %s\n", fname));
552         }
553
554         SAFE_FREE(pai_buf);
555         return paiv;
556 }
557
558 /****************************************************************************
559  Functions to manipulate the internal ACE format.
560 ****************************************************************************/
561
562 /****************************************************************************
563  Count a linked list of canonical ACE entries.
564 ****************************************************************************/
565
566 static size_t count_canon_ace_list( canon_ace *list_head )
567 {
568         size_t count = 0;
569         canon_ace *ace;
570
571         for (ace = list_head; ace; ace = ace->next)
572                 count++;
573
574         return count;
575 }
576
577 /****************************************************************************
578  Free a linked list of canonical ACE entries.
579 ****************************************************************************/
580
581 static void free_canon_ace_list( canon_ace *list_head )
582 {
583         canon_ace *list, *next;
584
585         for (list = list_head; list; list = next) {
586                 next = list->next;
587                 DLIST_REMOVE(list_head, list);
588                 SAFE_FREE(list);
589         }
590 }
591
592 /****************************************************************************
593  Function to duplicate a canon_ace entry.
594 ****************************************************************************/
595
596 static canon_ace *dup_canon_ace( canon_ace *src_ace)
597 {
598         canon_ace *dst_ace = SMB_MALLOC_P(canon_ace);
599
600         if (dst_ace == NULL)
601                 return NULL;
602
603         *dst_ace = *src_ace;
604         dst_ace->prev = dst_ace->next = NULL;
605         return dst_ace;
606 }
607
608 /****************************************************************************
609  Print out a canon ace.
610 ****************************************************************************/
611
612 static void print_canon_ace(canon_ace *pace, int num)
613 {
614         dbgtext( "canon_ace index %d. Type = %s ", num, pace->attr == ALLOW_ACE ? "allow" : "deny" );
615         dbgtext( "SID = %s ", sid_string_dbg(&pace->trustee));
616         if (pace->owner_type == UID_ACE) {
617                 const char *u_name = uidtoname(pace->unix_ug.uid);
618                 dbgtext( "uid %u (%s) ", (unsigned int)pace->unix_ug.uid, u_name );
619         } else if (pace->owner_type == GID_ACE) {
620                 char *g_name = gidtoname(pace->unix_ug.gid);
621                 dbgtext( "gid %u (%s) ", (unsigned int)pace->unix_ug.gid, g_name );
622         } else
623                 dbgtext( "other ");
624         switch (pace->type) {
625                 case SMB_ACL_USER:
626                         dbgtext( "SMB_ACL_USER ");
627                         break;
628                 case SMB_ACL_USER_OBJ:
629                         dbgtext( "SMB_ACL_USER_OBJ ");
630                         break;
631                 case SMB_ACL_GROUP:
632                         dbgtext( "SMB_ACL_GROUP ");
633                         break;
634                 case SMB_ACL_GROUP_OBJ:
635                         dbgtext( "SMB_ACL_GROUP_OBJ ");
636                         break;
637                 case SMB_ACL_OTHER:
638                         dbgtext( "SMB_ACL_OTHER ");
639                         break;
640                 default:
641                         dbgtext( "MASK " );
642                         break;
643         }
644         if (pace->inherited)
645                 dbgtext( "(inherited) ");
646         dbgtext( "perms ");
647         dbgtext( "%c", pace->perms & S_IRUSR ? 'r' : '-');
648         dbgtext( "%c", pace->perms & S_IWUSR ? 'w' : '-');
649         dbgtext( "%c\n", pace->perms & S_IXUSR ? 'x' : '-');
650 }
651
652 /****************************************************************************
653  Print out a canon ace list.
654 ****************************************************************************/
655
656 static void print_canon_ace_list(const char *name, canon_ace *ace_list)
657 {
658         int count = 0;
659
660         if( DEBUGLVL( 10 )) {
661                 dbgtext( "print_canon_ace_list: %s\n", name );
662                 for (;ace_list; ace_list = ace_list->next, count++)
663                         print_canon_ace(ace_list, count );
664         }
665 }
666
667 /****************************************************************************
668  Map POSIX ACL perms to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
669 ****************************************************************************/
670
671 static mode_t convert_permset_to_mode_t(connection_struct *conn, SMB_ACL_PERMSET_T permset)
672 {
673         mode_t ret = 0;
674
675         ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_READ) ? S_IRUSR : 0);
676         ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_WRITE) ? S_IWUSR : 0);
677         ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_EXECUTE) ? S_IXUSR : 0);
678
679         return ret;
680 }
681
682 /****************************************************************************
683  Map generic UNIX permissions to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
684 ****************************************************************************/
685
686 static mode_t unix_perms_to_acl_perms(mode_t mode, int r_mask, int w_mask, int x_mask)
687 {
688         mode_t ret = 0;
689
690         if (mode & r_mask)
691                 ret |= S_IRUSR;
692         if (mode & w_mask)
693                 ret |= S_IWUSR;
694         if (mode & x_mask)
695                 ret |= S_IXUSR;
696
697         return ret;
698 }
699
700 /****************************************************************************
701  Map canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits) to
702  an SMB_ACL_PERMSET_T.
703 ****************************************************************************/
704
705 static int map_acl_perms_to_permset(connection_struct *conn, mode_t mode, SMB_ACL_PERMSET_T *p_permset)
706 {
707         if (SMB_VFS_SYS_ACL_CLEAR_PERMS(conn, *p_permset) ==  -1)
708                 return -1;
709         if (mode & S_IRUSR) {
710                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_READ) == -1)
711                         return -1;
712         }
713         if (mode & S_IWUSR) {
714                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_WRITE) == -1)
715                         return -1;
716         }
717         if (mode & S_IXUSR) {
718                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_EXECUTE) == -1)
719                         return -1;
720         }
721         return 0;
722 }
723
724 /****************************************************************************
725  Function to create owner and group SIDs from a SMB_STRUCT_STAT.
726 ****************************************************************************/
727
728 void create_file_sids(const SMB_STRUCT_STAT *psbuf, DOM_SID *powner_sid, DOM_SID *pgroup_sid)
729 {
730         uid_to_sid( powner_sid, psbuf->st_uid );
731         gid_to_sid( pgroup_sid, psbuf->st_gid );
732 }
733
734 /****************************************************************************
735  Is the identity in two ACEs equal ? Check both SID and uid/gid.
736 ****************************************************************************/
737
738 static bool identity_in_ace_equal(canon_ace *ace1, canon_ace *ace2)
739 {
740         if (sid_equal(&ace1->trustee, &ace2->trustee)) {
741                 return True;
742         }
743         if (ace1->owner_type == ace2->owner_type) {
744                 if (ace1->owner_type == UID_ACE &&
745                                 ace1->unix_ug.uid == ace2->unix_ug.uid) {
746                         return True;
747                 } else if (ace1->owner_type == GID_ACE &&
748                                 ace1->unix_ug.gid == ace2->unix_ug.gid) {
749                         return True;
750                 }
751         }
752         return False;
753 }
754
755 /****************************************************************************
756  Merge aces with a common sid - if both are allow or deny, OR the permissions together and
757  delete the second one. If the first is deny, mask the permissions off and delete the allow
758  if the permissions become zero, delete the deny if the permissions are non zero.
759 ****************************************************************************/
760
761 static void merge_aces( canon_ace **pp_list_head )
762 {
763         canon_ace *list_head = *pp_list_head;
764         canon_ace *curr_ace_outer;
765         canon_ace *curr_ace_outer_next;
766
767         /*
768          * First, merge allow entries with identical SIDs, and deny entries
769          * with identical SIDs.
770          */
771
772         for (curr_ace_outer = list_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
773                 canon_ace *curr_ace;
774                 canon_ace *curr_ace_next;
775
776                 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
777
778                 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
779
780                         curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
781
782                         if (identity_in_ace_equal(curr_ace, curr_ace_outer) &&
783                                 (curr_ace->attr == curr_ace_outer->attr)) {
784
785                                 if( DEBUGLVL( 10 )) {
786                                         dbgtext("merge_aces: Merging ACE's\n");
787                                         print_canon_ace( curr_ace_outer, 0);
788                                         print_canon_ace( curr_ace, 0);
789                                 }
790
791                                 /* Merge two allow or two deny ACE's. */
792
793                                 curr_ace_outer->perms |= curr_ace->perms;
794                                 DLIST_REMOVE(list_head, curr_ace);
795                                 SAFE_FREE(curr_ace);
796                                 curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
797                         }
798                 }
799         }
800
801         /*
802          * Now go through and mask off allow permissions with deny permissions.
803          * We can delete either the allow or deny here as we know that each SID
804          * appears only once in the list.
805          */
806
807         for (curr_ace_outer = list_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
808                 canon_ace *curr_ace;
809                 canon_ace *curr_ace_next;
810
811                 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
812
813                 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
814
815                         curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
816
817                         /*
818                          * Subtract ACE's with different entries. Due to the ordering constraints
819                          * we've put on the ACL, we know the deny must be the first one.
820                          */
821
822                         if (identity_in_ace_equal(curr_ace, curr_ace_outer) &&
823                                 (curr_ace_outer->attr == DENY_ACE) && (curr_ace->attr == ALLOW_ACE)) {
824
825                                 if( DEBUGLVL( 10 )) {
826                                         dbgtext("merge_aces: Masking ACE's\n");
827                                         print_canon_ace( curr_ace_outer, 0);
828                                         print_canon_ace( curr_ace, 0);
829                                 }
830
831                                 curr_ace->perms &= ~curr_ace_outer->perms;
832
833                                 if (curr_ace->perms == 0) {
834
835                                         /*
836                                          * The deny overrides the allow. Remove the allow.
837                                          */
838
839                                         DLIST_REMOVE(list_head, curr_ace);
840                                         SAFE_FREE(curr_ace);
841                                         curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
842
843                                 } else {
844
845                                         /*
846                                          * Even after removing permissions, there
847                                          * are still allow permissions - delete the deny.
848                                          * It is safe to delete the deny here,
849                                          * as we are guarenteed by the deny first
850                                          * ordering that all the deny entries for
851                                          * this SID have already been merged into one
852                                          * before we can get to an allow ace.
853                                          */
854
855                                         DLIST_REMOVE(list_head, curr_ace_outer);
856                                         SAFE_FREE(curr_ace_outer);
857                                         break;
858                                 }
859                         }
860
861                 } /* end for curr_ace */
862         } /* end for curr_ace_outer */
863
864         /* We may have modified the list. */
865
866         *pp_list_head = list_head;
867 }
868
869 /****************************************************************************
870  Check if we need to return NT4.x compatible ACL entries.
871 ****************************************************************************/
872
873 bool nt4_compatible_acls(void)
874 {
875         int compat = lp_acl_compatibility();
876
877         if (compat == ACL_COMPAT_AUTO) {
878                 enum remote_arch_types ra_type = get_remote_arch();
879
880                 /* Automatically adapt to client */
881                 return (ra_type <= RA_WINNT);
882         } else
883                 return (compat == ACL_COMPAT_WINNT);
884 }
885
886
887 /****************************************************************************
888  Map canon_ace perms to permission bits NT.
889  The attr element is not used here - we only process deny entries on set,
890  not get. Deny entries are implicit on get with ace->perms = 0.
891 ****************************************************************************/
892
893 static uint32_t map_canon_ace_perms(int snum,
894                                 enum security_ace_type *pacl_type,
895                                 mode_t perms,
896                                 bool directory_ace)
897 {
898         uint32_t nt_mask = 0;
899
900         *pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED;
901
902         if (lp_acl_map_full_control(snum) && ((perms & ALL_ACE_PERMS) == ALL_ACE_PERMS)) {
903                 if (directory_ace) {
904                         nt_mask = UNIX_DIRECTORY_ACCESS_RWX;
905                 } else {
906                         nt_mask = (UNIX_ACCESS_RWX & ~DELETE_ACCESS);
907                 }
908         } else if ((perms & ALL_ACE_PERMS) == (mode_t)0) {
909                 /*
910                  * Windows NT refuses to display ACEs with no permissions in them (but
911                  * they are perfectly legal with Windows 2000). If the ACE has empty
912                  * permissions we cannot use 0, so we use the otherwise unused
913                  * WRITE_OWNER permission, which we ignore when we set an ACL.
914                  * We abstract this into a #define of UNIX_ACCESS_NONE to allow this
915                  * to be changed in the future.
916                  */
917
918                 if (nt4_compatible_acls())
919                         nt_mask = UNIX_ACCESS_NONE;
920                 else
921                         nt_mask = 0;
922         } else {
923                 if (directory_ace) {
924                         nt_mask |= ((perms & S_IRUSR) ? UNIX_DIRECTORY_ACCESS_R : 0 );
925                         nt_mask |= ((perms & S_IWUSR) ? UNIX_DIRECTORY_ACCESS_W : 0 );
926                         nt_mask |= ((perms & S_IXUSR) ? UNIX_DIRECTORY_ACCESS_X : 0 );
927                 } else {
928                         nt_mask |= ((perms & S_IRUSR) ? UNIX_ACCESS_R : 0 );
929                         nt_mask |= ((perms & S_IWUSR) ? UNIX_ACCESS_W : 0 );
930                         nt_mask |= ((perms & S_IXUSR) ? UNIX_ACCESS_X : 0 );
931                 }
932         }
933
934         DEBUG(10,("map_canon_ace_perms: Mapped (UNIX) %x to (NT) %x\n",
935                         (unsigned int)perms, (unsigned int)nt_mask ));
936
937         return nt_mask;
938 }
939
940 /****************************************************************************
941  Map NT perms to a UNIX mode_t.
942 ****************************************************************************/
943
944 #define FILE_SPECIFIC_READ_BITS (FILE_READ_DATA|FILE_READ_EA|FILE_READ_ATTRIBUTES)
945 #define FILE_SPECIFIC_WRITE_BITS (FILE_WRITE_DATA|FILE_APPEND_DATA|FILE_WRITE_EA|FILE_WRITE_ATTRIBUTES)
946 #define FILE_SPECIFIC_EXECUTE_BITS (FILE_EXECUTE)
947
948 static mode_t map_nt_perms( uint32 *mask, int type)
949 {
950         mode_t mode = 0;
951
952         switch(type) {
953         case S_IRUSR:
954                 if((*mask) & GENERIC_ALL_ACCESS)
955                         mode = S_IRUSR|S_IWUSR|S_IXUSR;
956                 else {
957                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRUSR : 0;
958                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWUSR : 0;
959                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXUSR : 0;
960                 }
961                 break;
962         case S_IRGRP:
963                 if((*mask) & GENERIC_ALL_ACCESS)
964                         mode = S_IRGRP|S_IWGRP|S_IXGRP;
965                 else {
966                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRGRP : 0;
967                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWGRP : 0;
968                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXGRP : 0;
969                 }
970                 break;
971         case S_IROTH:
972                 if((*mask) & GENERIC_ALL_ACCESS)
973                         mode = S_IROTH|S_IWOTH|S_IXOTH;
974                 else {
975                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IROTH : 0;
976                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWOTH : 0;
977                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXOTH : 0;
978                 }
979                 break;
980         }
981
982         return mode;
983 }
984
985 /****************************************************************************
986  Unpack a SEC_DESC into a UNIX owner and group.
987 ****************************************************************************/
988
989 NTSTATUS unpack_nt_owners(int snum, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, const SEC_DESC *psd)
990 {
991         DOM_SID owner_sid;
992         DOM_SID grp_sid;
993
994         *puser = (uid_t)-1;
995         *pgrp = (gid_t)-1;
996
997         if(security_info_sent == 0) {
998                 DEBUG(0,("unpack_nt_owners: no security info sent !\n"));
999                 return NT_STATUS_OK;
1000         }
1001
1002         /*
1003          * Validate the owner and group SID's.
1004          */
1005
1006         memset(&owner_sid, '\0', sizeof(owner_sid));
1007         memset(&grp_sid, '\0', sizeof(grp_sid));
1008
1009         DEBUG(5,("unpack_nt_owners: validating owner_sids.\n"));
1010
1011         /*
1012          * Don't immediately fail if the owner sid cannot be validated.
1013          * This may be a group chown only set.
1014          */
1015
1016         if (security_info_sent & OWNER_SECURITY_INFORMATION) {
1017                 sid_copy(&owner_sid, psd->owner_sid);
1018                 if (!sid_to_uid(&owner_sid, puser)) {
1019                         if (lp_force_unknown_acl_user(snum)) {
1020                                 /* this allows take ownership to work
1021                                  * reasonably */
1022                                 *puser = current_user.ut.uid;
1023                         } else {
1024                                 DEBUG(3,("unpack_nt_owners: unable to validate"
1025                                          " owner sid for %s\n",
1026                                          sid_string_dbg(&owner_sid)));
1027                                 return NT_STATUS_INVALID_OWNER;
1028                         }
1029                 }
1030                 DEBUG(3,("unpack_nt_owners: owner sid mapped to uid %u\n",
1031                          (unsigned int)*puser ));
1032         }
1033
1034         /*
1035          * Don't immediately fail if the group sid cannot be validated.
1036          * This may be an owner chown only set.
1037          */
1038
1039         if (security_info_sent & GROUP_SECURITY_INFORMATION) {
1040                 sid_copy(&grp_sid, psd->group_sid);
1041                 if (!sid_to_gid( &grp_sid, pgrp)) {
1042                         if (lp_force_unknown_acl_user(snum)) {
1043                                 /* this allows take group ownership to work
1044                                  * reasonably */
1045                                 *pgrp = current_user.ut.gid;
1046                         } else {
1047                                 DEBUG(3,("unpack_nt_owners: unable to validate"
1048                                          " group sid.\n"));
1049                                 return NT_STATUS_INVALID_OWNER;
1050                         }
1051                 }
1052                 DEBUG(3,("unpack_nt_owners: group sid mapped to gid %u\n",
1053                          (unsigned int)*pgrp));
1054         }
1055
1056         DEBUG(5,("unpack_nt_owners: owner_sids validated.\n"));
1057
1058         return NT_STATUS_OK;
1059 }
1060
1061 /****************************************************************************
1062  Ensure the enforced permissions for this share apply.
1063 ****************************************************************************/
1064
1065 static void apply_default_perms(const struct share_params *params,
1066                                 const bool is_directory, canon_ace *pace,
1067                                 mode_t type)
1068 {
1069         mode_t and_bits = (mode_t)0;
1070         mode_t or_bits = (mode_t)0;
1071
1072         /* Get the initial bits to apply. */
1073
1074         if (is_directory) {
1075                 and_bits = lp_dir_security_mask(params->service);
1076                 or_bits = lp_force_dir_security_mode(params->service);
1077         } else {
1078                 and_bits = lp_security_mask(params->service);
1079                 or_bits = lp_force_security_mode(params->service);
1080         }
1081
1082         /* Now bounce them into the S_USR space. */     
1083         switch(type) {
1084         case S_IRUSR:
1085                 /* Ensure owner has read access. */
1086                 pace->perms |= S_IRUSR;
1087                 if (is_directory)
1088                         pace->perms |= (S_IWUSR|S_IXUSR);
1089                 and_bits = unix_perms_to_acl_perms(and_bits, S_IRUSR, S_IWUSR, S_IXUSR);
1090                 or_bits = unix_perms_to_acl_perms(or_bits, S_IRUSR, S_IWUSR, S_IXUSR);
1091                 break;
1092         case S_IRGRP:
1093                 and_bits = unix_perms_to_acl_perms(and_bits, S_IRGRP, S_IWGRP, S_IXGRP);
1094                 or_bits = unix_perms_to_acl_perms(or_bits, S_IRGRP, S_IWGRP, S_IXGRP);
1095                 break;
1096         case S_IROTH:
1097                 and_bits = unix_perms_to_acl_perms(and_bits, S_IROTH, S_IWOTH, S_IXOTH);
1098                 or_bits = unix_perms_to_acl_perms(or_bits, S_IROTH, S_IWOTH, S_IXOTH);
1099                 break;
1100         }
1101
1102         pace->perms = ((pace->perms & and_bits)|or_bits);
1103 }
1104
1105 /****************************************************************************
1106  Check if a given uid/SID is in a group gid/SID. This is probably very
1107  expensive and will need optimisation. A *lot* of optimisation :-). JRA.
1108 ****************************************************************************/
1109
1110 static bool uid_entry_in_group( canon_ace *uid_ace, canon_ace *group_ace )
1111 {
1112         const char *u_name = NULL;
1113
1114         /* "Everyone" always matches every uid. */
1115
1116         if (sid_equal(&group_ace->trustee, &global_sid_World))
1117                 return True;
1118
1119         /* Assume that the current user is in the current group (force group) */
1120
1121         if (uid_ace->unix_ug.uid == current_user.ut.uid && group_ace->unix_ug.gid == current_user.ut.gid)
1122                 return True;
1123
1124         /* u_name talloc'ed off tos. */
1125         u_name = uidtoname(uid_ace->unix_ug.uid);
1126         if (!u_name) {
1127                 return False;
1128         }
1129         return user_in_group_sid(u_name, &group_ace->trustee);
1130 }
1131
1132 /****************************************************************************
1133  A well formed POSIX file or default ACL has at least 3 entries, a 
1134  SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ.
1135  In addition, the owner must always have at least read access.
1136  When using this call on get_acl, the pst struct is valid and contains
1137  the mode of the file. When using this call on set_acl, the pst struct has
1138  been modified to have a mode containing the default for this file or directory
1139  type.
1140 ****************************************************************************/
1141
1142 static bool ensure_canon_entry_valid(canon_ace **pp_ace,
1143                                      const struct share_params *params,
1144                                      const bool is_directory,
1145                                                         const DOM_SID *pfile_owner_sid,
1146                                                         const DOM_SID *pfile_grp_sid,
1147                                                         const SMB_STRUCT_STAT *pst,
1148                                                         bool setting_acl)
1149 {
1150         canon_ace *pace;
1151         bool got_user = False;
1152         bool got_grp = False;
1153         bool got_other = False;
1154         canon_ace *pace_other = NULL;
1155
1156         for (pace = *pp_ace; pace; pace = pace->next) {
1157                 if (pace->type == SMB_ACL_USER_OBJ) {
1158
1159                         if (setting_acl)
1160                                 apply_default_perms(params, is_directory, pace, S_IRUSR);
1161                         got_user = True;
1162
1163                 } else if (pace->type == SMB_ACL_GROUP_OBJ) {
1164
1165                         /*
1166                          * Ensure create mask/force create mode is respected on set.
1167                          */
1168
1169                         if (setting_acl)
1170                                 apply_default_perms(params, is_directory, pace, S_IRGRP);
1171                         got_grp = True;
1172
1173                 } else if (pace->type == SMB_ACL_OTHER) {
1174
1175                         /*
1176                          * Ensure create mask/force create mode is respected on set.
1177                          */
1178
1179                         if (setting_acl)
1180                                 apply_default_perms(params, is_directory, pace, S_IROTH);
1181                         got_other = True;
1182                         pace_other = pace;
1183                 }
1184         }
1185
1186         if (!got_user) {
1187                 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1188                         DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1189                         return False;
1190                 }
1191
1192                 ZERO_STRUCTP(pace);
1193                 pace->type = SMB_ACL_USER_OBJ;
1194                 pace->owner_type = UID_ACE;
1195                 pace->unix_ug.uid = pst->st_uid;
1196                 pace->trustee = *pfile_owner_sid;
1197                 pace->attr = ALLOW_ACE;
1198
1199                 if (setting_acl) {
1200                         /* See if the owning user is in any of the other groups in
1201                            the ACE. If so, OR in the permissions from that group. */
1202
1203                         bool group_matched = False;
1204                         canon_ace *pace_iter;
1205
1206                         for (pace_iter = *pp_ace; pace_iter; pace_iter = pace_iter->next) {
1207                                 if (pace_iter->type == SMB_ACL_GROUP_OBJ || pace_iter->type == SMB_ACL_GROUP) {
1208                                         if (uid_entry_in_group(pace, pace_iter)) {
1209                                                 pace->perms |= pace_iter->perms;
1210                                                 group_matched = True;
1211                                         }
1212                                 }
1213                         }
1214
1215                         /* If we only got an "everyone" perm, just use that. */
1216                         if (!group_matched) {
1217                                 if (got_other)
1218                                         pace->perms = pace_other->perms;
1219                                 else
1220                                         pace->perms = 0;
1221                         }
1222
1223                         apply_default_perms(params, is_directory, pace, S_IRUSR);
1224                 } else {
1225                         pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IRUSR, S_IWUSR, S_IXUSR);
1226                 }
1227
1228                 DLIST_ADD(*pp_ace, pace);
1229         }
1230
1231         if (!got_grp) {
1232                 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1233                         DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1234                         return False;
1235                 }
1236
1237                 ZERO_STRUCTP(pace);
1238                 pace->type = SMB_ACL_GROUP_OBJ;
1239                 pace->owner_type = GID_ACE;
1240                 pace->unix_ug.uid = pst->st_gid;
1241                 pace->trustee = *pfile_grp_sid;
1242                 pace->attr = ALLOW_ACE;
1243                 if (setting_acl) {
1244                         /* If we only got an "everyone" perm, just use that. */
1245                         if (got_other)
1246                                 pace->perms = pace_other->perms;
1247                         else
1248                                 pace->perms = 0;
1249                         apply_default_perms(params, is_directory, pace, S_IRGRP);
1250                 } else {
1251                         pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IRGRP, S_IWGRP, S_IXGRP);
1252                 }
1253
1254                 DLIST_ADD(*pp_ace, pace);
1255         }
1256
1257         if (!got_other) {
1258                 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1259                         DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1260                         return False;
1261                 }
1262
1263                 ZERO_STRUCTP(pace);
1264                 pace->type = SMB_ACL_OTHER;
1265                 pace->owner_type = WORLD_ACE;
1266                 pace->unix_ug.world = -1;
1267                 pace->trustee = global_sid_World;
1268                 pace->attr = ALLOW_ACE;
1269                 if (setting_acl) {
1270                         pace->perms = 0;
1271                         apply_default_perms(params, is_directory, pace, S_IROTH);
1272                 } else
1273                         pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IROTH, S_IWOTH, S_IXOTH);
1274
1275                 DLIST_ADD(*pp_ace, pace);
1276         }
1277
1278         return True;
1279 }
1280
1281 /****************************************************************************
1282  Check if a POSIX ACL has the required SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries.
1283  If it does not have them, check if there are any entries where the trustee is the
1284  file owner or the owning group, and map these to SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ.
1285 ****************************************************************************/
1286
1287 static void check_owning_objs(canon_ace *ace, DOM_SID *pfile_owner_sid, DOM_SID *pfile_grp_sid)
1288 {
1289         bool got_user_obj, got_group_obj;
1290         canon_ace *current_ace;
1291         int i, entries;
1292
1293         entries = count_canon_ace_list(ace);
1294         got_user_obj = False;
1295         got_group_obj = False;
1296
1297         for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1298                 if (current_ace->type == SMB_ACL_USER_OBJ)
1299                         got_user_obj = True;
1300                 else if (current_ace->type == SMB_ACL_GROUP_OBJ)
1301                         got_group_obj = True;
1302         }
1303         if (got_user_obj && got_group_obj) {
1304                 DEBUG(10,("check_owning_objs: ACL had owning user/group entries.\n"));
1305                 return;
1306         }
1307
1308         for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1309                 if (!got_user_obj && current_ace->owner_type == UID_ACE &&
1310                                 sid_equal(&current_ace->trustee, pfile_owner_sid)) {
1311                         current_ace->type = SMB_ACL_USER_OBJ;
1312                         got_user_obj = True;
1313                 }
1314                 if (!got_group_obj && current_ace->owner_type == GID_ACE &&
1315                                 sid_equal(&current_ace->trustee, pfile_grp_sid)) {
1316                         current_ace->type = SMB_ACL_GROUP_OBJ;
1317                         got_group_obj = True;
1318                 }
1319         }
1320         if (!got_user_obj)
1321                 DEBUG(10,("check_owning_objs: ACL is missing an owner entry.\n"));
1322         if (!got_group_obj)
1323                 DEBUG(10,("check_owning_objs: ACL is missing an owning group entry.\n"));
1324 }
1325
1326 /****************************************************************************
1327  Unpack a SEC_DESC into two canonical ace lists.
1328 ****************************************************************************/
1329
1330 static bool create_canon_ace_lists(files_struct *fsp,
1331                                         SMB_STRUCT_STAT *pst,
1332                                         DOM_SID *pfile_owner_sid,
1333                                         DOM_SID *pfile_grp_sid,
1334                                         canon_ace **ppfile_ace,
1335                                         canon_ace **ppdir_ace,
1336                                         const SEC_ACL *dacl)
1337 {
1338         bool all_aces_are_inherit_only = (fsp->is_directory ? True : False);
1339         canon_ace *file_ace = NULL;
1340         canon_ace *dir_ace = NULL;
1341         canon_ace *current_ace = NULL;
1342         bool got_dir_allow = False;
1343         bool got_file_allow = False;
1344         int i, j;
1345
1346         *ppfile_ace = NULL;
1347         *ppdir_ace = NULL;
1348
1349         /*
1350          * Convert the incoming ACL into a more regular form.
1351          */
1352
1353         for(i = 0; i < dacl->num_aces; i++) {
1354                 SEC_ACE *psa = &dacl->aces[i];
1355
1356                 if((psa->type != SEC_ACE_TYPE_ACCESS_ALLOWED) && (psa->type != SEC_ACE_TYPE_ACCESS_DENIED)) {
1357                         DEBUG(3,("create_canon_ace_lists: unable to set anything but an ALLOW or DENY ACE.\n"));
1358                         return False;
1359                 }
1360
1361                 if (nt4_compatible_acls()) {
1362                         /*
1363                          * The security mask may be UNIX_ACCESS_NONE which should map into
1364                          * no permissions (we overload the WRITE_OWNER bit for this) or it
1365                          * should be one of the ALL/EXECUTE/READ/WRITE bits. Arrange for this
1366                          * to be so. Any other bits override the UNIX_ACCESS_NONE bit.
1367                          */
1368
1369                         /*
1370                          * Convert GENERIC bits to specific bits.
1371                          */
1372  
1373                         se_map_generic(&psa->access_mask, &file_generic_mapping);
1374
1375                         psa->access_mask &= (UNIX_ACCESS_NONE|FILE_ALL_ACCESS);
1376
1377                         if(psa->access_mask != UNIX_ACCESS_NONE)
1378                                 psa->access_mask &= ~UNIX_ACCESS_NONE;
1379                 }
1380         }
1381
1382         /*
1383          * Deal with the fact that NT 4.x re-writes the canonical format
1384          * that we return for default ACLs. If a directory ACE is identical
1385          * to a inherited directory ACE then NT changes the bits so that the
1386          * first ACE is set to OI|IO and the second ACE for this SID is set
1387          * to CI. We need to repair this. JRA.
1388          */
1389
1390         for(i = 0; i < dacl->num_aces; i++) {
1391                 SEC_ACE *psa1 = &dacl->aces[i];
1392
1393                 for (j = i + 1; j < dacl->num_aces; j++) {
1394                         SEC_ACE *psa2 = &dacl->aces[j];
1395
1396                         if (psa1->access_mask != psa2->access_mask)
1397                                 continue;
1398
1399                         if (!sid_equal(&psa1->trustee, &psa2->trustee))
1400                                 continue;
1401
1402                         /*
1403                          * Ok - permission bits and SIDs are equal.
1404                          * Check if flags were re-written.
1405                          */
1406
1407                         if (psa1->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1408
1409                                 psa1->flags |= (psa2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1410                                 psa2->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1411
1412                         } else if (psa2->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1413
1414                                 psa2->flags |= (psa1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1415                                 psa1->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1416
1417                         }
1418                 }
1419         }
1420
1421         for(i = 0; i < dacl->num_aces; i++) {
1422                 SEC_ACE *psa = &dacl->aces[i];
1423
1424                 /*
1425                  * Create a cannon_ace entry representing this NT DACL ACE.
1426                  */
1427
1428                 if ((current_ace = SMB_MALLOC_P(canon_ace)) == NULL) {
1429                         free_canon_ace_list(file_ace);
1430                         free_canon_ace_list(dir_ace);
1431                         DEBUG(0,("create_canon_ace_lists: malloc fail.\n"));
1432                         return False;
1433                 }
1434
1435                 ZERO_STRUCTP(current_ace);
1436
1437                 sid_copy(&current_ace->trustee, &psa->trustee);
1438
1439                 /*
1440                  * Try and work out if the SID is a user or group
1441                  * as we need to flag these differently for POSIX.
1442                  * Note what kind of a POSIX ACL this should map to.
1443                  */
1444
1445                 if( sid_equal(&current_ace->trustee, &global_sid_World)) {
1446                         current_ace->owner_type = WORLD_ACE;
1447                         current_ace->unix_ug.world = -1;
1448                         current_ace->type = SMB_ACL_OTHER;
1449                 } else if (sid_equal(&current_ace->trustee, &global_sid_Creator_Owner)) {
1450                         current_ace->owner_type = UID_ACE;
1451                         current_ace->unix_ug.uid = pst->st_uid;
1452                         current_ace->type = SMB_ACL_USER_OBJ;
1453
1454                         /*
1455                          * The Creator Owner entry only specifies inheritable permissions,
1456                          * never access permissions. WinNT doesn't always set the ACE to
1457                          *INHERIT_ONLY, though.
1458                          */
1459
1460                         if (nt4_compatible_acls())
1461                                 psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1462                 } else if (sid_equal(&current_ace->trustee, &global_sid_Creator_Group)) {
1463                         current_ace->owner_type = GID_ACE;
1464                         current_ace->unix_ug.gid = pst->st_gid;
1465                         current_ace->type = SMB_ACL_GROUP_OBJ;
1466
1467                         /*
1468                          * The Creator Group entry only specifies inheritable permissions,
1469                          * never access permissions. WinNT doesn't always set the ACE to
1470                          *INHERIT_ONLY, though.
1471                          */
1472                         if (nt4_compatible_acls())
1473                                 psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1474
1475                 } else if (sid_to_uid( &current_ace->trustee, &current_ace->unix_ug.uid)) {
1476                         current_ace->owner_type = UID_ACE;
1477                         /* If it's the owning user, this is a user_obj, not
1478                          * a user. */
1479                         if (current_ace->unix_ug.uid == pst->st_uid) {
1480                                 current_ace->type = SMB_ACL_USER_OBJ;
1481                         } else {
1482                                 current_ace->type = SMB_ACL_USER;
1483                         }
1484                 } else if (sid_to_gid( &current_ace->trustee, &current_ace->unix_ug.gid)) {
1485                         current_ace->owner_type = GID_ACE;
1486                         /* If it's the primary group, this is a group_obj, not
1487                          * a group. */
1488                         if (current_ace->unix_ug.gid == pst->st_gid) {
1489                                 current_ace->type = SMB_ACL_GROUP_OBJ;
1490                         } else {
1491                                 current_ace->type = SMB_ACL_GROUP;
1492                         }
1493                 } else {
1494                         /*
1495                          * Silently ignore map failures in non-mappable SIDs (NT Authority, BUILTIN etc).
1496                          */
1497
1498                         if (non_mappable_sid(&psa->trustee)) {
1499                                 DEBUG(10, ("create_canon_ace_lists: ignoring "
1500                                            "non-mappable SID %s\n",
1501                                            sid_string_dbg(&psa->trustee)));
1502                                 SAFE_FREE(current_ace);
1503                                 continue;
1504                         }
1505
1506                         free_canon_ace_list(file_ace);
1507                         free_canon_ace_list(dir_ace);
1508                         DEBUG(0, ("create_canon_ace_lists: unable to map SID "
1509                                   "%s to uid or gid.\n",
1510                                   sid_string_dbg(&current_ace->trustee)));
1511                         SAFE_FREE(current_ace);
1512                         return False;
1513                 }
1514
1515                 /*
1516                  * Map the given NT permissions into a UNIX mode_t containing only
1517                  * S_I(R|W|X)USR bits.
1518                  */
1519
1520                 current_ace->perms |= map_nt_perms( &psa->access_mask, S_IRUSR);
1521                 current_ace->attr = (psa->type == SEC_ACE_TYPE_ACCESS_ALLOWED) ? ALLOW_ACE : DENY_ACE;
1522                 current_ace->inherited = ((psa->flags & SEC_ACE_FLAG_INHERITED_ACE) ? True : False);
1523
1524                 /*
1525                  * Now add the created ace to either the file list, the directory
1526                  * list, or both. We *MUST* preserve the order here (hence we use
1527                  * DLIST_ADD_END) as NT ACLs are order dependent.
1528                  */
1529
1530                 if (fsp->is_directory) {
1531
1532                         /*
1533                          * We can only add to the default POSIX ACE list if the ACE is
1534                          * designed to be inherited by both files and directories.
1535                          */
1536
1537                         if ((psa->flags & (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) ==
1538                                 (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) {
1539
1540                                 DLIST_ADD_END(dir_ace, current_ace, canon_ace *);
1541
1542                                 /*
1543                                  * Note if this was an allow ace. We can't process
1544                                  * any further deny ace's after this.
1545                                  */
1546
1547                                 if (current_ace->attr == ALLOW_ACE)
1548                                         got_dir_allow = True;
1549
1550                                 if ((current_ace->attr == DENY_ACE) && got_dir_allow) {
1551                                         DEBUG(0,("create_canon_ace_lists: malformed ACL in inheritable ACL ! \
1552 Deny entry after Allow entry. Failing to set on file %s.\n", fsp->fsp_name ));
1553                                         free_canon_ace_list(file_ace);
1554                                         free_canon_ace_list(dir_ace);
1555                                         return False;
1556                                 }       
1557
1558                                 if( DEBUGLVL( 10 )) {
1559                                         dbgtext("create_canon_ace_lists: adding dir ACL:\n");
1560                                         print_canon_ace( current_ace, 0);
1561                                 }
1562
1563                                 /*
1564                                  * If this is not an inherit only ACE we need to add a duplicate
1565                                  * to the file acl.
1566                                  */
1567
1568                                 if (!(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1569                                         canon_ace *dup_ace = dup_canon_ace(current_ace);
1570
1571                                         if (!dup_ace) {
1572                                                 DEBUG(0,("create_canon_ace_lists: malloc fail !\n"));
1573                                                 free_canon_ace_list(file_ace);
1574                                                 free_canon_ace_list(dir_ace);
1575                                                 return False;
1576                                         }
1577
1578                                         /*
1579                                          * We must not free current_ace here as its
1580                                          * pointer is now owned by the dir_ace list.
1581                                          */
1582                                         current_ace = dup_ace;
1583                                 } else {
1584                                         /*
1585                                          * We must not free current_ace here as its
1586                                          * pointer is now owned by the dir_ace list.
1587                                          */
1588                                         current_ace = NULL;
1589                                 }
1590                         }
1591                 }
1592
1593                 /*
1594                  * Only add to the file ACL if not inherit only.
1595                  */
1596
1597                 if (current_ace && !(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1598                         DLIST_ADD_END(file_ace, current_ace, canon_ace *);
1599
1600                         /*
1601                          * Note if this was an allow ace. We can't process
1602                          * any further deny ace's after this.
1603                          */
1604
1605                         if (current_ace->attr == ALLOW_ACE)
1606                                 got_file_allow = True;
1607
1608                         if ((current_ace->attr == DENY_ACE) && got_file_allow) {
1609                                 DEBUG(0,("create_canon_ace_lists: malformed ACL in file ACL ! \
1610 Deny entry after Allow entry. Failing to set on file %s.\n", fsp->fsp_name ));
1611                                 free_canon_ace_list(file_ace);
1612                                 free_canon_ace_list(dir_ace);
1613                                 return False;
1614                         }       
1615
1616                         if( DEBUGLVL( 10 )) {
1617                                 dbgtext("create_canon_ace_lists: adding file ACL:\n");
1618                                 print_canon_ace( current_ace, 0);
1619                         }
1620                         all_aces_are_inherit_only = False;
1621                         /*
1622                          * We must not free current_ace here as its
1623                          * pointer is now owned by the file_ace list.
1624                          */
1625                         current_ace = NULL;
1626                 }
1627
1628                 /*
1629                  * Free if ACE was not added.
1630                  */
1631
1632                 SAFE_FREE(current_ace);
1633         }
1634
1635         if (fsp->is_directory && all_aces_are_inherit_only) {
1636                 /*
1637                  * Windows 2000 is doing one of these weird 'inherit acl'
1638                  * traverses to conserve NTFS ACL resources. Just pretend
1639                  * there was no DACL sent. JRA.
1640                  */
1641
1642                 DEBUG(10,("create_canon_ace_lists: Win2k inherit acl traverse. Ignoring DACL.\n"));
1643                 free_canon_ace_list(file_ace);
1644                 free_canon_ace_list(dir_ace);
1645                 file_ace = NULL;
1646                 dir_ace = NULL;
1647         } else {
1648                 /*
1649                  * Check if we have SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries in each
1650                  * ACL. If we don't have them, check if any SMB_ACL_USER/SMB_ACL_GROUP
1651                  * entries can be converted to *_OBJ. Usually we will already have these
1652                  * entries in the Default ACL, and the Access ACL will not have them.
1653                  */
1654                 if (file_ace) {
1655                         check_owning_objs(file_ace, pfile_owner_sid, pfile_grp_sid);
1656                 }
1657                 if (dir_ace) {
1658                         check_owning_objs(dir_ace, pfile_owner_sid, pfile_grp_sid);
1659                 }
1660         }
1661
1662         *ppfile_ace = file_ace;
1663         *ppdir_ace = dir_ace;
1664
1665         return True;
1666 }
1667
1668 /****************************************************************************
1669  ASCII art time again... JRA :-).
1670
1671  We have 4 cases to process when moving from an NT ACL to a POSIX ACL. Firstly,
1672  we insist the ACL is in canonical form (ie. all DENY entries preceede ALLOW
1673  entries). Secondly, the merge code has ensured that all duplicate SID entries for
1674  allow or deny have been merged, so the same SID can only appear once in the deny
1675  list or once in the allow list.
1676
1677  We then process as follows :
1678
1679  ---------------------------------------------------------------------------
1680  First pass - look for a Everyone DENY entry.
1681
1682  If it is deny all (rwx) trunate the list at this point.
1683  Else, walk the list from this point and use the deny permissions of this
1684  entry as a mask on all following allow entries. Finally, delete
1685  the Everyone DENY entry (we have applied it to everything possible).
1686
1687  In addition, in this pass we remove any DENY entries that have 
1688  no permissions (ie. they are a DENY nothing).
1689  ---------------------------------------------------------------------------
1690  Second pass - only deal with deny user entries.
1691
1692  DENY user1 (perms XXX)
1693
1694  new_perms = 0
1695  for all following allow group entries where user1 is in group
1696         new_perms |= group_perms;
1697
1698  user1 entry perms = new_perms & ~ XXX;
1699
1700  Convert the deny entry to an allow entry with the new perms and
1701  push to the end of the list. Note if the user was in no groups
1702  this maps to a specific allow nothing entry for this user.
1703
1704  The common case from the NT ACL choser (userX deny all) is
1705  optimised so we don't do the group lookup - we just map to
1706  an allow nothing entry.
1707
1708  What we're doing here is inferring the allow permissions the
1709  person setting the ACE on user1 wanted by looking at the allow
1710  permissions on the groups the user is currently in. This will
1711  be a snapshot, depending on group membership but is the best
1712  we can do and has the advantage of failing closed rather than
1713  open.
1714  ---------------------------------------------------------------------------
1715  Third pass - only deal with deny group entries.
1716
1717  DENY group1 (perms XXX)
1718
1719  for all following allow user entries where user is in group1
1720    user entry perms = user entry perms & ~ XXX;
1721
1722  If there is a group Everyone allow entry with permissions YYY,
1723  convert the group1 entry to an allow entry and modify its
1724  permissions to be :
1725
1726  new_perms = YYY & ~ XXX
1727
1728  and push to the end of the list.
1729
1730  If there is no group Everyone allow entry then convert the
1731  group1 entry to a allow nothing entry and push to the end of the list.
1732
1733  Note that the common case from the NT ACL choser (groupX deny all)
1734  cannot be optimised here as we need to modify user entries who are
1735  in the group to change them to a deny all also.
1736
1737  What we're doing here is modifying the allow permissions of
1738  user entries (which are more specific in POSIX ACLs) to mask
1739  out the explicit deny set on the group they are in. This will
1740  be a snapshot depending on current group membership but is the
1741  best we can do and has the advantage of failing closed rather
1742  than open.
1743  ---------------------------------------------------------------------------
1744  Fourth pass - cope with cumulative permissions.
1745
1746  for all allow user entries, if there exists an allow group entry with
1747  more permissive permissions, and the user is in that group, rewrite the
1748  allow user permissions to contain both sets of permissions.
1749
1750  Currently the code for this is #ifdef'ed out as these semantics make
1751  no sense to me. JRA.
1752  ---------------------------------------------------------------------------
1753
1754  Note we *MUST* do the deny user pass first as this will convert deny user
1755  entries into allow user entries which can then be processed by the deny
1756  group pass.
1757
1758  The above algorithm took a *lot* of thinking about - hence this
1759  explaination :-). JRA.
1760 ****************************************************************************/
1761
1762 /****************************************************************************
1763  Process a canon_ace list entries. This is very complex code. We need
1764  to go through and remove the "deny" permissions from any allow entry that matches
1765  the id of this entry. We have already refused any NT ACL that wasn't in correct
1766  order (DENY followed by ALLOW). If any allow entry ends up with zero permissions,
1767  we just remove it (to fail safe). We have already removed any duplicate ace
1768  entries. Treat an "Everyone" DENY_ACE as a special case - use it to mask all
1769  allow entries.
1770 ****************************************************************************/
1771
1772 static void process_deny_list( canon_ace **pp_ace_list )
1773 {
1774         canon_ace *ace_list = *pp_ace_list;
1775         canon_ace *curr_ace = NULL;
1776         canon_ace *curr_ace_next = NULL;
1777
1778         /* Pass 1 above - look for an Everyone, deny entry. */
1779
1780         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
1781                 canon_ace *allow_ace_p;
1782
1783                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
1784
1785                 if (curr_ace->attr != DENY_ACE)
1786                         continue;
1787
1788                 if (curr_ace->perms == (mode_t)0) {
1789
1790                         /* Deny nothing entry - delete. */
1791
1792                         DLIST_REMOVE(ace_list, curr_ace);
1793                         continue;
1794                 }
1795
1796                 if (!sid_equal(&curr_ace->trustee, &global_sid_World))
1797                         continue;
1798
1799                 /* JRATEST - assert. */
1800                 SMB_ASSERT(curr_ace->owner_type == WORLD_ACE);
1801
1802                 if (curr_ace->perms == ALL_ACE_PERMS) {
1803
1804                         /*
1805                          * Optimisation. This is a DENY_ALL to Everyone. Truncate the
1806                          * list at this point including this entry.
1807                          */
1808
1809                         canon_ace *prev_entry = curr_ace->prev;
1810
1811                         free_canon_ace_list( curr_ace );
1812                         if (prev_entry)
1813                                 prev_entry->next = NULL;
1814                         else {
1815                                 /* We deleted the entire list. */
1816                                 ace_list = NULL;
1817                         }
1818                         break;
1819                 }
1820
1821                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
1822
1823                         /* 
1824                          * Only mask off allow entries.
1825                          */
1826
1827                         if (allow_ace_p->attr != ALLOW_ACE)
1828                                 continue;
1829
1830                         allow_ace_p->perms &= ~curr_ace->perms;
1831                 }
1832
1833                 /*
1834                  * Now it's been applied, remove it.
1835                  */
1836
1837                 DLIST_REMOVE(ace_list, curr_ace);
1838         }
1839
1840         /* Pass 2 above - deal with deny user entries. */
1841
1842         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
1843                 mode_t new_perms = (mode_t)0;
1844                 canon_ace *allow_ace_p;
1845
1846                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
1847
1848                 if (curr_ace->attr != DENY_ACE)
1849                         continue;
1850
1851                 if (curr_ace->owner_type != UID_ACE)
1852                         continue;
1853
1854                 if (curr_ace->perms == ALL_ACE_PERMS) {
1855
1856                         /*
1857                          * Optimisation - this is a deny everything to this user.
1858                          * Convert to an allow nothing and push to the end of the list.
1859                          */
1860
1861                         curr_ace->attr = ALLOW_ACE;
1862                         curr_ace->perms = (mode_t)0;
1863                         DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
1864                         continue;
1865                 }
1866
1867                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
1868
1869                         if (allow_ace_p->attr != ALLOW_ACE)
1870                                 continue;
1871
1872                         /* We process GID_ACE and WORLD_ACE entries only. */
1873
1874                         if (allow_ace_p->owner_type == UID_ACE)
1875                                 continue;
1876
1877                         if (uid_entry_in_group( curr_ace, allow_ace_p))
1878                                 new_perms |= allow_ace_p->perms;
1879                 }
1880
1881                 /*
1882                  * Convert to a allow entry, modify the perms and push to the end
1883                  * of the list.
1884                  */
1885
1886                 curr_ace->attr = ALLOW_ACE;
1887                 curr_ace->perms = (new_perms & ~curr_ace->perms);
1888                 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
1889         }
1890
1891         /* Pass 3 above - deal with deny group entries. */
1892
1893         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
1894                 canon_ace *allow_ace_p;
1895                 canon_ace *allow_everyone_p = NULL;
1896
1897                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
1898
1899                 if (curr_ace->attr != DENY_ACE)
1900                         continue;
1901
1902                 if (curr_ace->owner_type != GID_ACE)
1903                         continue;
1904
1905                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
1906
1907                         if (allow_ace_p->attr != ALLOW_ACE)
1908                                 continue;
1909
1910                         /* Store a pointer to the Everyone allow, if it exists. */
1911                         if (allow_ace_p->owner_type == WORLD_ACE)
1912                                 allow_everyone_p = allow_ace_p;
1913
1914                         /* We process UID_ACE entries only. */
1915
1916                         if (allow_ace_p->owner_type != UID_ACE)
1917                                 continue;
1918
1919                         /* Mask off the deny group perms. */
1920
1921                         if (uid_entry_in_group( allow_ace_p, curr_ace))
1922                                 allow_ace_p->perms &= ~curr_ace->perms;
1923                 }
1924
1925                 /*
1926                  * Convert the deny to an allow with the correct perms and
1927                  * push to the end of the list.
1928                  */
1929
1930                 curr_ace->attr = ALLOW_ACE;
1931                 if (allow_everyone_p)
1932                         curr_ace->perms = allow_everyone_p->perms & ~curr_ace->perms;
1933                 else
1934                         curr_ace->perms = (mode_t)0;
1935                 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
1936         }
1937
1938         /* Doing this fourth pass allows Windows semantics to be layered
1939          * on top of POSIX semantics. I'm not sure if this is desirable.
1940          * For example, in W2K ACLs there is no way to say, "Group X no
1941          * access, user Y full access" if user Y is a member of group X.
1942          * This seems completely broken semantics to me.... JRA.
1943          */
1944
1945 #if 0
1946         /* Pass 4 above - deal with allow entries. */
1947
1948         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
1949                 canon_ace *allow_ace_p;
1950
1951                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
1952
1953                 if (curr_ace->attr != ALLOW_ACE)
1954                         continue;
1955
1956                 if (curr_ace->owner_type != UID_ACE)
1957                         continue;
1958
1959                 for (allow_ace_p = ace_list; allow_ace_p; allow_ace_p = allow_ace_p->next) {
1960
1961                         if (allow_ace_p->attr != ALLOW_ACE)
1962                                 continue;
1963
1964                         /* We process GID_ACE entries only. */
1965
1966                         if (allow_ace_p->owner_type != GID_ACE)
1967                                 continue;
1968
1969                         /* OR in the group perms. */
1970
1971                         if (uid_entry_in_group( curr_ace, allow_ace_p))
1972                                 curr_ace->perms |= allow_ace_p->perms;
1973                 }
1974         }
1975 #endif
1976
1977         *pp_ace_list = ace_list;
1978 }
1979
1980 /****************************************************************************
1981  Create a default mode that will be used if a security descriptor entry has
1982  no user/group/world entries.
1983 ****************************************************************************/
1984
1985 static mode_t create_default_mode(files_struct *fsp, bool interitable_mode)
1986 {
1987         int snum = SNUM(fsp->conn);
1988         mode_t and_bits = (mode_t)0;
1989         mode_t or_bits = (mode_t)0;
1990         mode_t mode = interitable_mode
1991                 ? unix_mode( fsp->conn, FILE_ATTRIBUTE_ARCHIVE, fsp->fsp_name,
1992                              NULL )
1993                 : S_IRUSR;
1994
1995         if (fsp->is_directory)
1996                 mode |= (S_IWUSR|S_IXUSR);
1997
1998         /*
1999          * Now AND with the create mode/directory mode bits then OR with the
2000          * force create mode/force directory mode bits.
2001          */
2002
2003         if (fsp->is_directory) {
2004                 and_bits = lp_dir_security_mask(snum);
2005                 or_bits = lp_force_dir_security_mode(snum);
2006         } else {
2007                 and_bits = lp_security_mask(snum);
2008                 or_bits = lp_force_security_mode(snum);
2009         }
2010
2011         return ((mode & and_bits)|or_bits);
2012 }
2013
2014 /****************************************************************************
2015  Unpack a SEC_DESC into two canonical ace lists. We don't depend on this
2016  succeeding.
2017 ****************************************************************************/
2018
2019 static bool unpack_canon_ace(files_struct *fsp,
2020                                 SMB_STRUCT_STAT *pst,
2021                                 DOM_SID *pfile_owner_sid,
2022                                 DOM_SID *pfile_grp_sid,
2023                                 canon_ace **ppfile_ace,
2024                                 canon_ace **ppdir_ace,
2025                                 uint32 security_info_sent,
2026                                 const SEC_DESC *psd)
2027 {
2028         canon_ace *file_ace = NULL;
2029         canon_ace *dir_ace = NULL;
2030
2031         *ppfile_ace = NULL;
2032         *ppdir_ace = NULL;
2033
2034         if(security_info_sent == 0) {
2035                 DEBUG(0,("unpack_canon_ace: no security info sent !\n"));
2036                 return False;
2037         }
2038
2039         /*
2040          * If no DACL then this is a chown only security descriptor.
2041          */
2042
2043         if(!(security_info_sent & DACL_SECURITY_INFORMATION) || !psd->dacl)
2044                 return True;
2045
2046         /*
2047          * Now go through the DACL and create the canon_ace lists.
2048          */
2049
2050         if (!create_canon_ace_lists( fsp, pst, pfile_owner_sid, pfile_grp_sid,
2051                                                                 &file_ace, &dir_ace, psd->dacl))
2052                 return False;
2053
2054         if ((file_ace == NULL) && (dir_ace == NULL)) {
2055                 /* W2K traverse DACL set - ignore. */
2056                 return True;
2057         }
2058
2059         /*
2060          * Go through the canon_ace list and merge entries
2061          * belonging to identical users of identical allow or deny type.
2062          * We can do this as all deny entries come first, followed by
2063          * all allow entries (we have mandated this before accepting this acl).
2064          */
2065
2066         print_canon_ace_list( "file ace - before merge", file_ace);
2067         merge_aces( &file_ace );
2068
2069         print_canon_ace_list( "dir ace - before merge", dir_ace);
2070         merge_aces( &dir_ace );
2071
2072         /*
2073          * NT ACLs are order dependent. Go through the acl lists and
2074          * process DENY entries by masking the allow entries.
2075          */
2076
2077         print_canon_ace_list( "file ace - before deny", file_ace);
2078         process_deny_list( &file_ace);
2079
2080         print_canon_ace_list( "dir ace - before deny", dir_ace);
2081         process_deny_list( &dir_ace);
2082
2083         /*
2084          * A well formed POSIX file or default ACL has at least 3 entries, a 
2085          * SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ
2086          * and optionally a mask entry. Ensure this is the case.
2087          */
2088
2089         print_canon_ace_list( "file ace - before valid", file_ace);
2090
2091         /*
2092          * A default 3 element mode entry for a file should be r-- --- ---.
2093          * A default 3 element mode entry for a directory should be rwx --- ---.
2094          */
2095
2096         pst->st_mode = create_default_mode(fsp, False);
2097
2098         if (!ensure_canon_entry_valid(&file_ace, fsp->conn->params, fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
2099                 free_canon_ace_list(file_ace);
2100                 free_canon_ace_list(dir_ace);
2101                 return False;
2102         }
2103
2104         print_canon_ace_list( "dir ace - before valid", dir_ace);
2105
2106         /*
2107          * A default inheritable 3 element mode entry for a directory should be the
2108          * mode Samba will use to create a file within. Ensure user rwx bits are set if
2109          * it's a directory.
2110          */
2111
2112         pst->st_mode = create_default_mode(fsp, True);
2113
2114         if (dir_ace && !ensure_canon_entry_valid(&dir_ace, fsp->conn->params, fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
2115                 free_canon_ace_list(file_ace);
2116                 free_canon_ace_list(dir_ace);
2117                 return False;
2118         }
2119
2120         print_canon_ace_list( "file ace - return", file_ace);
2121         print_canon_ace_list( "dir ace - return", dir_ace);
2122
2123         *ppfile_ace = file_ace;
2124         *ppdir_ace = dir_ace;
2125         return True;
2126
2127 }
2128
2129 /******************************************************************************
2130  When returning permissions, try and fit NT display
2131  semantics if possible. Note the the canon_entries here must have been malloced.
2132  The list format should be - first entry = owner, followed by group and other user
2133  entries, last entry = other.
2134
2135  Note that this doesn't exactly match the NT semantics for an ACL. As POSIX entries
2136  are not ordered, and match on the most specific entry rather than walking a list,
2137  then a simple POSIX permission of rw-r--r-- should really map to 5 entries,
2138
2139  Entry 0: owner : deny all except read and write.
2140  Entry 1: owner : allow read and write.
2141  Entry 2: group : deny all except read.
2142  Entry 3: group : allow read.
2143  Entry 4: Everyone : allow read.
2144
2145  But NT cannot display this in their ACL editor !
2146 ********************************************************************************/
2147
2148 static void arrange_posix_perms(const char *filename, canon_ace **pp_list_head)
2149 {
2150         canon_ace *list_head = *pp_list_head;
2151         canon_ace *owner_ace = NULL;
2152         canon_ace *other_ace = NULL;
2153         canon_ace *ace = NULL;
2154
2155         for (ace = list_head; ace; ace = ace->next) {
2156                 if (ace->type == SMB_ACL_USER_OBJ)
2157                         owner_ace = ace;
2158                 else if (ace->type == SMB_ACL_OTHER) {
2159                         /* Last ace - this is "other" */
2160                         other_ace = ace;
2161                 }
2162         }
2163                 
2164         if (!owner_ace || !other_ace) {
2165                 DEBUG(0,("arrange_posix_perms: Invalid POSIX permissions for file %s, missing owner or other.\n",
2166                         filename ));
2167                 return;
2168         }
2169
2170         /*
2171          * The POSIX algorithm applies to owner first, and other last,
2172          * so ensure they are arranged in this order.
2173          */
2174
2175         if (owner_ace) {
2176                 DLIST_PROMOTE(list_head, owner_ace);
2177         }
2178
2179         if (other_ace) {
2180                 DLIST_DEMOTE(list_head, other_ace, canon_ace *);
2181         }
2182
2183         /* We have probably changed the head of the list. */
2184
2185         *pp_list_head = list_head;
2186 }
2187                 
2188 /****************************************************************************
2189  Create a linked list of canonical ACE entries.
2190 ****************************************************************************/
2191
2192 static canon_ace *canonicalise_acl(struct connection_struct *conn,
2193                                    const char *fname, SMB_ACL_T posix_acl,
2194                                    const SMB_STRUCT_STAT *psbuf,
2195                                    const DOM_SID *powner, const DOM_SID *pgroup, struct pai_val *pal, SMB_ACL_TYPE_T the_acl_type)
2196 {
2197         mode_t acl_mask = (S_IRUSR|S_IWUSR|S_IXUSR);
2198         canon_ace *list_head = NULL;
2199         canon_ace *ace = NULL;
2200         canon_ace *next_ace = NULL;
2201         int entry_id = SMB_ACL_FIRST_ENTRY;
2202         SMB_ACL_ENTRY_T entry;
2203         size_t ace_count;
2204
2205         while ( posix_acl && (SMB_VFS_SYS_ACL_GET_ENTRY(conn, posix_acl, entry_id, &entry) == 1)) {
2206                 SMB_ACL_TAG_T tagtype;
2207                 SMB_ACL_PERMSET_T permset;
2208                 DOM_SID sid;
2209                 posix_id unix_ug;
2210                 enum ace_owner owner_type;
2211
2212                 entry_id = SMB_ACL_NEXT_ENTRY;
2213
2214                 /* Is this a MASK entry ? */
2215                 if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) == -1)
2216                         continue;
2217
2218                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1)
2219                         continue;
2220
2221                 /* Decide which SID to use based on the ACL type. */
2222                 switch(tagtype) {
2223                         case SMB_ACL_USER_OBJ:
2224                                 /* Get the SID from the owner. */
2225                                 sid_copy(&sid, powner);
2226                                 unix_ug.uid = psbuf->st_uid;
2227                                 owner_type = UID_ACE;
2228                                 break;
2229                         case SMB_ACL_USER:
2230                                 {
2231                                         uid_t *puid = (uid_t *)SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry);
2232                                         if (puid == NULL) {
2233                                                 DEBUG(0,("canonicalise_acl: Failed to get uid.\n"));
2234                                                 continue;
2235                                         }
2236                                         /*
2237                                          * A SMB_ACL_USER entry for the owner is shadowed by the
2238                                          * SMB_ACL_USER_OBJ entry and Windows also cannot represent
2239                                          * that entry, so we ignore it. We also don't create such
2240                                          * entries out of the blue when setting ACLs, so a get/set
2241                                          * cycle will drop them.
2242                                          */
2243                                         if (the_acl_type == SMB_ACL_TYPE_ACCESS && *puid == psbuf->st_uid) {
2244                                                 SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)puid,tagtype);
2245                                                 continue;
2246                                         }
2247                                         uid_to_sid( &sid, *puid);
2248                                         unix_ug.uid = *puid;
2249                                         owner_type = UID_ACE;
2250                                         SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)puid,tagtype);
2251                                         break;
2252                                 }
2253                         case SMB_ACL_GROUP_OBJ:
2254                                 /* Get the SID from the owning group. */
2255                                 sid_copy(&sid, pgroup);
2256                                 unix_ug.gid = psbuf->st_gid;
2257                                 owner_type = GID_ACE;
2258                                 break;
2259                         case SMB_ACL_GROUP:
2260                                 {
2261                                         gid_t *pgid = (gid_t *)SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry);
2262                                         if (pgid == NULL) {
2263                                                 DEBUG(0,("canonicalise_acl: Failed to get gid.\n"));
2264                                                 continue;
2265                                         }
2266                                         gid_to_sid( &sid, *pgid);
2267                                         unix_ug.gid = *pgid;
2268                                         owner_type = GID_ACE;
2269                                         SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)pgid,tagtype);
2270                                         break;
2271                                 }
2272                         case SMB_ACL_MASK:
2273                                 acl_mask = convert_permset_to_mode_t(conn, permset);
2274                                 continue; /* Don't count the mask as an entry. */
2275                         case SMB_ACL_OTHER:
2276                                 /* Use the Everyone SID */
2277                                 sid = global_sid_World;
2278                                 unix_ug.world = -1;
2279                                 owner_type = WORLD_ACE;
2280                                 break;
2281                         default:
2282                                 DEBUG(0,("canonicalise_acl: Unknown tagtype %u\n", (unsigned int)tagtype));
2283                                 continue;
2284                 }
2285
2286                 /*
2287                  * Add this entry to the list.
2288                  */
2289
2290                 if ((ace = SMB_MALLOC_P(canon_ace)) == NULL)
2291                         goto fail;
2292
2293                 ZERO_STRUCTP(ace);
2294                 ace->type = tagtype;
2295                 ace->perms = convert_permset_to_mode_t(conn, permset);
2296                 ace->attr = ALLOW_ACE;
2297                 ace->trustee = sid;
2298                 ace->unix_ug = unix_ug;
2299                 ace->owner_type = owner_type;
2300                 ace->inherited = get_inherited_flag(pal, ace, (the_acl_type == SMB_ACL_TYPE_DEFAULT));
2301
2302                 DLIST_ADD(list_head, ace);
2303         }
2304
2305         /*
2306          * This next call will ensure we have at least a user/group/world set.
2307          */
2308
2309         if (!ensure_canon_entry_valid(&list_head, conn->params,
2310                                       S_ISDIR(psbuf->st_mode), powner, pgroup,
2311                                       psbuf, False))
2312                 goto fail;
2313
2314         /*
2315          * Now go through the list, masking the permissions with the
2316          * acl_mask. Ensure all DENY Entries are at the start of the list.
2317          */
2318
2319         DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", the_acl_type == SMB_ACL_TYPE_ACCESS ? "Access" : "Default" ));
2320
2321         for ( ace_count = 0, ace = list_head; ace; ace = next_ace, ace_count++) {
2322                 next_ace = ace->next;
2323
2324                 /* Masks are only applied to entries other than USER_OBJ and OTHER. */
2325                 if (ace->type != SMB_ACL_OTHER && ace->type != SMB_ACL_USER_OBJ)
2326                         ace->perms &= acl_mask;
2327
2328                 if (ace->perms == 0) {
2329                         DLIST_PROMOTE(list_head, ace);
2330                 }
2331
2332                 if( DEBUGLVL( 10 ) ) {
2333                         print_canon_ace(ace, ace_count);
2334                 }
2335         }
2336
2337         arrange_posix_perms(fname,&list_head );
2338
2339         print_canon_ace_list( "canonicalise_acl: ace entries after arrange", list_head );
2340
2341         return list_head;
2342
2343   fail:
2344
2345         free_canon_ace_list(list_head);
2346         return NULL;
2347 }
2348
2349 /****************************************************************************
2350  Check if the current user group list contains a given group.
2351 ****************************************************************************/
2352
2353 static bool current_user_in_group(gid_t gid)
2354 {
2355         int i;
2356
2357         for (i = 0; i < current_user.ut.ngroups; i++) {
2358                 if (current_user.ut.groups[i] == gid) {
2359                         return True;
2360                 }
2361         }
2362
2363         return False;
2364 }
2365
2366 /****************************************************************************
2367  Should we override a deny ? Check 'acl group control' and 'dos filemode'.
2368 ****************************************************************************/
2369
2370 static bool acl_group_override(connection_struct *conn,
2371                                 gid_t prim_gid,
2372                                 const char *fname)
2373 {
2374         SMB_STRUCT_STAT sbuf;
2375
2376         if ((errno != EPERM) && (errno != EACCES)) {
2377                 return false;
2378         }
2379
2380         /* file primary group == user primary or supplementary group */
2381         if (lp_acl_group_control(SNUM(conn)) &&
2382                         current_user_in_group(prim_gid)) {
2383                 return true;
2384         }
2385
2386         /* user has writeable permission */
2387         if (lp_dos_filemode(SNUM(conn)) &&
2388                         can_write_to_file(conn, fname, &sbuf)) {
2389                 return true;
2390         }
2391
2392         return false;
2393 }
2394
2395 /****************************************************************************
2396  Attempt to apply an ACL to a file or directory.
2397 ****************************************************************************/
2398
2399 static bool set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, bool default_ace, gid_t prim_gid, bool *pacl_set_support)
2400 {
2401         connection_struct *conn = fsp->conn;
2402         bool ret = False;
2403         SMB_ACL_T the_acl = SMB_VFS_SYS_ACL_INIT(conn, (int)count_canon_ace_list(the_ace) + 1);
2404         canon_ace *p_ace;
2405         int i;
2406         SMB_ACL_ENTRY_T mask_entry;
2407         bool got_mask_entry = False;
2408         SMB_ACL_PERMSET_T mask_permset;
2409         SMB_ACL_TYPE_T the_acl_type = (default_ace ? SMB_ACL_TYPE_DEFAULT : SMB_ACL_TYPE_ACCESS);
2410         bool needs_mask = False;
2411         mode_t mask_perms = 0;
2412
2413 #if defined(POSIX_ACL_NEEDS_MASK)
2414         /* HP-UX always wants to have a mask (called "class" there). */
2415         needs_mask = True;
2416 #endif
2417
2418         if (the_acl == NULL) {
2419
2420                 if (!no_acl_syscall_error(errno)) {
2421                         /*
2422                          * Only print this error message if we have some kind of ACL
2423                          * support that's not working. Otherwise we would always get this.
2424                          */
2425                         DEBUG(0,("set_canon_ace_list: Unable to init %s ACL. (%s)\n",
2426                                 default_ace ? "default" : "file", strerror(errno) ));
2427                 }
2428                 *pacl_set_support = False;
2429                 return False;
2430         }
2431
2432         if( DEBUGLVL( 10 )) {
2433                 dbgtext("set_canon_ace_list: setting ACL:\n");
2434                 for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2435                         print_canon_ace( p_ace, i);
2436                 }
2437         }
2438
2439         for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2440                 SMB_ACL_ENTRY_T the_entry;
2441                 SMB_ACL_PERMSET_T the_permset;
2442
2443                 /*
2444                  * ACLs only "need" an ACL_MASK entry if there are any named user or
2445                  * named group entries. But if there is an ACL_MASK entry, it applies
2446                  * to ACL_USER, ACL_GROUP, and ACL_GROUP_OBJ entries. Set the mask
2447                  * so that it doesn't deny (i.e., mask off) any permissions.
2448                  */
2449
2450                 if (p_ace->type == SMB_ACL_USER || p_ace->type == SMB_ACL_GROUP) {
2451                         needs_mask = True;
2452                         mask_perms |= p_ace->perms;
2453                 } else if (p_ace->type == SMB_ACL_GROUP_OBJ) {
2454                         mask_perms |= p_ace->perms;
2455                 }
2456
2457                 /*
2458                  * Get the entry for this ACE.
2459                  */
2460
2461                 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &the_entry) == -1) {
2462                         DEBUG(0,("set_canon_ace_list: Failed to create entry %d. (%s)\n",
2463                                 i, strerror(errno) ));
2464                         goto fail;
2465                 }
2466
2467                 if (p_ace->type == SMB_ACL_MASK) {
2468                         mask_entry = the_entry;
2469                         got_mask_entry = True;
2470                 }
2471
2472                 /*
2473                  * Ok - we now know the ACL calls should be working, don't
2474                  * allow fallback to chmod.
2475                  */
2476
2477                 *pacl_set_support = True;
2478
2479                 /*
2480                  * Initialise the entry from the canon_ace.
2481                  */
2482
2483                 /*
2484                  * First tell the entry what type of ACE this is.
2485                  */
2486
2487                 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, the_entry, p_ace->type) == -1) {
2488                         DEBUG(0,("set_canon_ace_list: Failed to set tag type on entry %d. (%s)\n",
2489                                 i, strerror(errno) ));
2490                         goto fail;
2491                 }
2492
2493                 /*
2494                  * Only set the qualifier (user or group id) if the entry is a user
2495                  * or group id ACE.
2496                  */
2497
2498                 if ((p_ace->type == SMB_ACL_USER) || (p_ace->type == SMB_ACL_GROUP)) {
2499                         if (SMB_VFS_SYS_ACL_SET_QUALIFIER(conn, the_entry,(void *)&p_ace->unix_ug.uid) == -1) {
2500                                 DEBUG(0,("set_canon_ace_list: Failed to set qualifier on entry %d. (%s)\n",
2501                                         i, strerror(errno) ));
2502                                 goto fail;
2503                         }
2504                 }
2505
2506                 /*
2507                  * Convert the mode_t perms in the canon_ace to a POSIX permset.
2508                  */
2509
2510                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, the_entry, &the_permset) == -1) {
2511                         DEBUG(0,("set_canon_ace_list: Failed to get permset on entry %d. (%s)\n",
2512                                 i, strerror(errno) ));
2513                         goto fail;
2514                 }
2515
2516                 if (map_acl_perms_to_permset(conn, p_ace->perms, &the_permset) == -1) {
2517                         DEBUG(0,("set_canon_ace_list: Failed to create permset for mode (%u) on entry %d. (%s)\n",
2518                                 (unsigned int)p_ace->perms, i, strerror(errno) ));
2519                         goto fail;
2520                 }
2521
2522                 /*
2523                  * ..and apply them to the entry.
2524                  */
2525
2526                 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, the_entry, the_permset) == -1) {
2527                         DEBUG(0,("set_canon_ace_list: Failed to add permset on entry %d. (%s)\n",
2528                                 i, strerror(errno) ));
2529                         goto fail;
2530                 }
2531
2532                 if( DEBUGLVL( 10 ))
2533                         print_canon_ace( p_ace, i);
2534
2535         }
2536
2537         if (needs_mask && !got_mask_entry) {
2538                 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &mask_entry) == -1) {
2539                         DEBUG(0,("set_canon_ace_list: Failed to create mask entry. (%s)\n", strerror(errno) ));
2540                         goto fail;
2541                 }
2542
2543                 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, mask_entry, SMB_ACL_MASK) == -1) {
2544                         DEBUG(0,("set_canon_ace_list: Failed to set tag type on mask entry. (%s)\n",strerror(errno) ));
2545                         goto fail;
2546                 }
2547
2548                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, mask_entry, &mask_permset) == -1) {
2549                         DEBUG(0,("set_canon_ace_list: Failed to get mask permset. (%s)\n", strerror(errno) ));
2550                         goto fail;
2551                 }
2552
2553                 if (map_acl_perms_to_permset(conn, S_IRUSR|S_IWUSR|S_IXUSR, &mask_permset) == -1) {
2554                         DEBUG(0,("set_canon_ace_list: Failed to create mask permset. (%s)\n", strerror(errno) ));
2555                         goto fail;
2556                 }
2557
2558                 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, mask_entry, mask_permset) == -1) {
2559                         DEBUG(0,("set_canon_ace_list: Failed to add mask permset. (%s)\n", strerror(errno) ));
2560                         goto fail;
2561                 }
2562         }
2563
2564         /*
2565          * Finally apply it to the file or directory.
2566          */
2567
2568         if(default_ace || fsp->is_directory || fsp->fh->fd == -1) {
2569                 if (SMB_VFS_SYS_ACL_SET_FILE(conn, fsp->fsp_name, the_acl_type, the_acl) == -1) {
2570                         /*
2571                          * Some systems allow all the above calls and only fail with no ACL support
2572                          * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
2573                          */
2574                         if (no_acl_syscall_error(errno)) {
2575                                 *pacl_set_support = False;
2576                         }
2577
2578                         if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {
2579                                 int sret;
2580
2581                                 DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
2582                                         fsp->fsp_name ));
2583
2584                                 become_root();
2585                                 sret = SMB_VFS_SYS_ACL_SET_FILE(conn, fsp->fsp_name, the_acl_type, the_acl);
2586                                 unbecome_root();
2587                                 if (sret == 0) {
2588                                         ret = True;     
2589                                 }
2590                         }
2591
2592                         if (ret == False) {
2593                                 DEBUG(2,("set_canon_ace_list: sys_acl_set_file type %s failed for file %s (%s).\n",
2594                                                 the_acl_type == SMB_ACL_TYPE_DEFAULT ? "directory default" : "file",
2595                                                 fsp->fsp_name, strerror(errno) ));
2596                                 goto fail;
2597                         }
2598                 }
2599         } else {
2600                 if (SMB_VFS_SYS_ACL_SET_FD(fsp, the_acl) == -1) {
2601                         /*
2602                          * Some systems allow all the above calls and only fail with no ACL support
2603                          * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
2604                          */
2605                         if (no_acl_syscall_error(errno)) {
2606                                 *pacl_set_support = False;
2607                         }
2608
2609                         if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {
2610                                 int sret;
2611
2612                                 DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
2613                                         fsp->fsp_name ));
2614
2615                                 become_root();
2616                                 sret = SMB_VFS_SYS_ACL_SET_FD(fsp, the_acl);
2617                                 unbecome_root();
2618                                 if (sret == 0) {
2619                                         ret = True;
2620                                 }
2621                         }
2622
2623                         if (ret == False) {
2624                                 DEBUG(2,("set_canon_ace_list: sys_acl_set_file failed for file %s (%s).\n",
2625                                                 fsp->fsp_name, strerror(errno) ));
2626                                 goto fail;
2627                         }
2628                 }
2629         }
2630
2631         ret = True;
2632
2633   fail:
2634
2635         if (the_acl != NULL) {
2636                 SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
2637         }
2638
2639         return ret;
2640 }
2641
2642 /****************************************************************************
2643  Find a particular canon_ace entry.
2644 ****************************************************************************/
2645
2646 static struct canon_ace *canon_ace_entry_for(struct canon_ace *list, SMB_ACL_TAG_T type, posix_id *id)
2647 {
2648         while (list) {
2649                 if (list->type == type && ((type != SMB_ACL_USER && type != SMB_ACL_GROUP) ||
2650                                 (type == SMB_ACL_USER  && id && id->uid == list->unix_ug.uid) ||
2651                                 (type == SMB_ACL_GROUP && id && id->gid == list->unix_ug.gid)))
2652                         break;
2653                 list = list->next;
2654         }
2655         return list;
2656 }
2657
2658 /****************************************************************************
2659  
2660 ****************************************************************************/
2661
2662 SMB_ACL_T free_empty_sys_acl(connection_struct *conn, SMB_ACL_T the_acl)
2663 {
2664         SMB_ACL_ENTRY_T entry;
2665
2666         if (!the_acl)
2667                 return NULL;
2668         if (SMB_VFS_SYS_ACL_GET_ENTRY(conn, the_acl, SMB_ACL_FIRST_ENTRY, &entry) != 1) {
2669                 SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
2670                 return NULL;
2671         }
2672         return the_acl;
2673 }
2674
2675 /****************************************************************************
2676  Convert a canon_ace to a generic 3 element permission - if possible.
2677 ****************************************************************************/
2678
2679 #define MAP_PERM(p,mask,result) (((p) & (mask)) ? (result) : 0 )
2680
2681 static bool convert_canon_ace_to_posix_perms( files_struct *fsp, canon_ace *file_ace_list, mode_t *posix_perms)
2682 {
2683         int snum = SNUM(fsp->conn);
2684         size_t ace_count = count_canon_ace_list(file_ace_list);
2685         canon_ace *ace_p;
2686         canon_ace *owner_ace = NULL;
2687         canon_ace *group_ace = NULL;
2688         canon_ace *other_ace = NULL;
2689         mode_t and_bits;
2690         mode_t or_bits;
2691
2692         if (ace_count != 3) {
2693                 DEBUG(3,("convert_canon_ace_to_posix_perms: Too many ACE entries for file %s to convert to \
2694 posix perms.\n", fsp->fsp_name ));
2695                 return False;
2696         }
2697
2698         for (ace_p = file_ace_list; ace_p; ace_p = ace_p->next) {
2699                 if (ace_p->owner_type == UID_ACE)
2700                         owner_ace = ace_p;
2701                 else if (ace_p->owner_type == GID_ACE)
2702                         group_ace = ace_p;
2703                 else if (ace_p->owner_type == WORLD_ACE)
2704                         other_ace = ace_p;
2705         }
2706
2707         if (!owner_ace || !group_ace || !other_ace) {
2708                 DEBUG(3,("convert_canon_ace_to_posix_perms: Can't get standard entries for file %s.\n",
2709                                 fsp->fsp_name ));
2710                 return False;
2711         }
2712
2713         *posix_perms = (mode_t)0;
2714
2715         *posix_perms |= owner_ace->perms;
2716         *posix_perms |= MAP_PERM(group_ace->perms, S_IRUSR, S_IRGRP);
2717         *posix_perms |= MAP_PERM(group_ace->perms, S_IWUSR, S_IWGRP);
2718         *posix_perms |= MAP_PERM(group_ace->perms, S_IXUSR, S_IXGRP);
2719         *posix_perms |= MAP_PERM(other_ace->perms, S_IRUSR, S_IROTH);
2720         *posix_perms |= MAP_PERM(other_ace->perms, S_IWUSR, S_IWOTH);
2721         *posix_perms |= MAP_PERM(other_ace->perms, S_IXUSR, S_IXOTH);
2722
2723         /* The owner must have at least read access. */
2724
2725         *posix_perms |= S_IRUSR;
2726         if (fsp->is_directory)
2727                 *posix_perms |= (S_IWUSR|S_IXUSR);
2728
2729         /* If requested apply the masks. */
2730
2731         /* Get the initial bits to apply. */
2732
2733         if (fsp->is_directory) {
2734                 and_bits = lp_dir_security_mask(snum);
2735                 or_bits = lp_force_dir_security_mode(snum);
2736         } else {
2737                 and_bits = lp_security_mask(snum);
2738                 or_bits = lp_force_security_mode(snum);
2739         }
2740
2741         *posix_perms = (((*posix_perms) & and_bits)|or_bits);
2742
2743         DEBUG(10,("convert_canon_ace_to_posix_perms: converted u=%o,g=%o,w=%o to perm=0%o for file %s.\n",
2744                 (int)owner_ace->perms, (int)group_ace->perms, (int)other_ace->perms, (int)*posix_perms,
2745                 fsp->fsp_name ));
2746
2747         return True;
2748 }
2749
2750 /****************************************************************************
2751   Incoming NT ACLs on a directory can be split into a default POSIX acl (CI|OI|IO) and
2752   a normal POSIX acl. Win2k needs these split acls re-merging into one ACL
2753   with CI|OI set so it is inherited and also applies to the directory.
2754   Based on code from "Jim McDonough" <jmcd@us.ibm.com>.
2755 ****************************************************************************/
2756
2757 static size_t merge_default_aces( SEC_ACE *nt_ace_list, size_t num_aces)
2758 {
2759         size_t i, j;
2760
2761         for (i = 0; i < num_aces; i++) {
2762                 for (j = i+1; j < num_aces; j++) {
2763                         uint32 i_flags_ni = (nt_ace_list[i].flags & ~SEC_ACE_FLAG_INHERITED_ACE);
2764                         uint32 j_flags_ni = (nt_ace_list[j].flags & ~SEC_ACE_FLAG_INHERITED_ACE);
2765                         bool i_inh = (nt_ace_list[i].flags & SEC_ACE_FLAG_INHERITED_ACE) ? True : False;
2766                         bool j_inh = (nt_ace_list[j].flags & SEC_ACE_FLAG_INHERITED_ACE) ? True : False;
2767
2768                         /* We know the lower number ACE's are file entries. */
2769                         if ((nt_ace_list[i].type == nt_ace_list[j].type) &&
2770                                 (nt_ace_list[i].size == nt_ace_list[j].size) &&
2771                                 (nt_ace_list[i].access_mask == nt_ace_list[j].access_mask) &&
2772                                 sid_equal(&nt_ace_list[i].trustee, &nt_ace_list[j].trustee) &&
2773                                 (i_inh == j_inh) &&
2774                                 (i_flags_ni == 0) &&
2775                                 (j_flags_ni == (SEC_ACE_FLAG_OBJECT_INHERIT|
2776                                                   SEC_ACE_FLAG_CONTAINER_INHERIT|
2777                                                   SEC_ACE_FLAG_INHERIT_ONLY))) {
2778                                 /*
2779                                  * W2K wants to have access allowed zero access ACE's
2780                                  * at the end of the list. If the mask is zero, merge
2781                                  * the non-inherited ACE onto the inherited ACE.
2782                                  */
2783
2784                                 if (nt_ace_list[i].access_mask == 0) {
2785                                         nt_ace_list[j].flags = SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
2786                                                                 (i_inh ? SEC_ACE_FLAG_INHERITED_ACE : 0);
2787                                         if (num_aces - i - 1 > 0)
2788                                                 memmove(&nt_ace_list[i], &nt_ace_list[i+1], (num_aces-i-1) *
2789                                                                 sizeof(SEC_ACE));
2790
2791                                         DEBUG(10,("merge_default_aces: Merging zero access ACE %u onto ACE %u.\n",
2792                                                 (unsigned int)i, (unsigned int)j ));
2793                                 } else {
2794                                         /*
2795                                          * These are identical except for the flags.
2796                                          * Merge the inherited ACE onto the non-inherited ACE.
2797                                          */
2798
2799                                         nt_ace_list[i].flags = SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
2800                                                                 (i_inh ? SEC_ACE_FLAG_INHERITED_ACE : 0);
2801                                         if (num_aces - j - 1 > 0)
2802                                                 memmove(&nt_ace_list[j], &nt_ace_list[j+1], (num_aces-j-1) *
2803                                                                 sizeof(SEC_ACE));
2804
2805                                         DEBUG(10,("merge_default_aces: Merging ACE %u onto ACE %u.\n",
2806                                                 (unsigned int)j, (unsigned int)i ));
2807                                 }
2808                                 num_aces--;
2809                                 break;
2810                         }
2811                 }
2812         }
2813
2814         return num_aces;
2815 }
2816
2817 /****************************************************************************
2818  Reply to query a security descriptor from an fsp. If it succeeds it allocates
2819  the space for the return elements and returns the size needed to return the
2820  security descriptor. This should be the only external function needed for
2821  the UNIX style get ACL.
2822 ****************************************************************************/
2823
2824 static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
2825                                       const char *name,
2826                                       const SMB_STRUCT_STAT *sbuf,
2827                                       struct pai_val *pal,
2828                                       SMB_ACL_T posix_acl,
2829                                       SMB_ACL_T def_acl,
2830                                       uint32_t security_info,
2831                                       SEC_DESC **ppdesc)
2832 {
2833         DOM_SID owner_sid;
2834         DOM_SID group_sid;
2835         size_t sd_size = 0;
2836         SEC_ACL *psa = NULL;
2837         size_t num_acls = 0;
2838         size_t num_def_acls = 0;
2839         size_t num_aces = 0;
2840         canon_ace *file_ace = NULL;
2841         canon_ace *dir_ace = NULL;
2842         SEC_ACE *nt_ace_list = NULL;
2843         size_t num_profile_acls = 0;
2844         SEC_DESC *psd = NULL;
2845
2846         /*
2847          * Get the owner, group and world SIDs.
2848          */
2849
2850         if (lp_profile_acls(SNUM(conn))) {
2851                 /* For WXP SP1 the owner must be administrators. */
2852                 sid_copy(&owner_sid, &global_sid_Builtin_Administrators);
2853                 sid_copy(&group_sid, &global_sid_Builtin_Users);
2854                 num_profile_acls = 2;
2855         } else {
2856                 create_file_sids(sbuf, &owner_sid, &group_sid);
2857         }
2858
2859         if ((security_info & DACL_SECURITY_INFORMATION) && !(security_info & PROTECTED_DACL_SECURITY_INFORMATION)) {
2860
2861                 /*
2862                  * In the optimum case Creator Owner and Creator Group would be used for
2863                  * the ACL_USER_OBJ and ACL_GROUP_OBJ entries, respectively, but this
2864                  * would lead to usability problems under Windows: The Creator entries
2865                  * are only available in browse lists of directories and not for files;
2866                  * additionally the identity of the owning group couldn't be determined.
2867                  * We therefore use those identities only for Default ACLs. 
2868                  */
2869
2870                 /* Create the canon_ace lists. */
2871                 file_ace = canonicalise_acl(conn, name, posix_acl, sbuf,
2872                                             &owner_sid, &group_sid, pal,
2873                                             SMB_ACL_TYPE_ACCESS);
2874
2875                 /* We must have *some* ACLS. */
2876         
2877                 if (count_canon_ace_list(file_ace) == 0) {
2878                         DEBUG(0,("get_nt_acl : No ACLs on file (%s) !\n", name));
2879                         goto done;
2880                 }
2881
2882                 if (S_ISDIR(sbuf->st_mode) && def_acl) {
2883                         dir_ace = canonicalise_acl(conn, name, def_acl,
2884                                                    sbuf,
2885                                                    &global_sid_Creator_Owner,
2886                                                    &global_sid_Creator_Group,
2887                                                    pal, SMB_ACL_TYPE_DEFAULT);
2888                 }
2889
2890                 /*
2891                  * Create the NT ACE list from the canonical ace lists.
2892                  */
2893
2894                 {
2895                         canon_ace *ace;
2896                         enum security_ace_type nt_acl_type;
2897
2898                         if (nt4_compatible_acls() && dir_ace) {
2899                                 /*
2900                                  * NT 4 chokes if an ACL contains an INHERIT_ONLY entry
2901                                  * but no non-INHERIT_ONLY entry for one SID. So we only
2902                                  * remove entries from the Access ACL if the
2903                                  * corresponding Default ACL entries have also been
2904                                  * removed. ACEs for CREATOR-OWNER and CREATOR-GROUP
2905                                  * are exceptions. We can do nothing
2906                                  * intelligent if the Default ACL contains entries that
2907                                  * are not also contained in the Access ACL, so this
2908                                  * case will still fail under NT 4.
2909                                  */
2910
2911                                 ace = canon_ace_entry_for(dir_ace, SMB_ACL_OTHER, NULL);
2912                                 if (ace && !ace->perms) {
2913                                         DLIST_REMOVE(dir_ace, ace);
2914                                         SAFE_FREE(ace);
2915
2916                                         ace = canon_ace_entry_for(file_ace, SMB_ACL_OTHER, NULL);
2917                                         if (ace && !ace->perms) {
2918                                                 DLIST_REMOVE(file_ace, ace);
2919                                                 SAFE_FREE(ace);
2920                                         }
2921                                 }
2922
2923                                 /*
2924                                  * WinNT doesn't usually have Creator Group
2925                                  * in browse lists, so we send this entry to
2926                                  * WinNT even if it contains no relevant
2927                                  * permissions. Once we can add
2928                                  * Creator Group to browse lists we can
2929                                  * re-enable this.
2930                                  */
2931
2932 #if 0
2933                                 ace = canon_ace_entry_for(dir_ace, SMB_ACL_GROUP_OBJ, NULL);
2934                                 if (ace && !ace->perms) {
2935                                         DLIST_REMOVE(dir_ace, ace);
2936                                         SAFE_FREE(ace);
2937                                 }
2938 #endif
2939
2940                                 ace = canon_ace_entry_for(file_ace, SMB_ACL_GROUP_OBJ, NULL);
2941                                 if (ace && !ace->perms) {
2942                                         DLIST_REMOVE(file_ace, ace);
2943                                         SAFE_FREE(ace);
2944                                 }
2945                         }
2946
2947                         num_acls = count_canon_ace_list(file_ace);
2948                         num_def_acls = count_canon_ace_list(dir_ace);
2949
2950                         /* Allocate the ace list. */
2951                         if ((nt_ace_list = SMB_MALLOC_ARRAY(SEC_ACE,num_acls + num_profile_acls + num_def_acls)) == NULL) {
2952                                 DEBUG(0,("get_nt_acl: Unable to malloc space for nt_ace_list.\n"));
2953                                 goto done;
2954                         }
2955
2956                         memset(nt_ace_list, '\0', (num_acls + num_def_acls) * sizeof(SEC_ACE) );
2957
2958                         /*
2959                          * Create the NT ACE list from the canonical ace lists.
2960                          */
2961
2962                         for (ace = file_ace; ace != NULL; ace = ace->next) {
2963                                 uint32_t acc = map_canon_ace_perms(SNUM(conn),
2964                                                 &nt_acl_type,
2965                                                 ace->perms,
2966                                                 S_ISDIR(sbuf->st_mode));
2967                                 init_sec_ace(&nt_ace_list[num_aces++],
2968                                         &ace->trustee,
2969                                         nt_acl_type,
2970                                         acc,
2971                                         ace->inherited ?
2972                                                 SEC_ACE_FLAG_INHERITED_ACE : 0);
2973                         }
2974
2975                         /* The User must have access to a profile share - even
2976                          * if we can't map the SID. */
2977                         if (lp_profile_acls(SNUM(conn))) {
2978                                 init_sec_ace(&nt_ace_list[num_aces++],
2979                                                 &global_sid_Builtin_Users,
2980                                                 SEC_ACE_TYPE_ACCESS_ALLOWED,
2981                                                 FILE_GENERIC_ALL, 0);
2982                         }
2983
2984                         for (ace = dir_ace; ace != NULL; ace = ace->next) {
2985                                 uint32_t acc = map_canon_ace_perms(SNUM(conn),
2986                                                 &nt_acl_type,
2987                                                 ace->perms,
2988                                                 S_ISDIR(sbuf->st_mode));
2989                                 init_sec_ace(&nt_ace_list[num_aces++],
2990                                         &ace->trustee,
2991                                         nt_acl_type,
2992                                         acc,
2993                                         SEC_ACE_FLAG_OBJECT_INHERIT|
2994                                         SEC_ACE_FLAG_CONTAINER_INHERIT|
2995                                         SEC_ACE_FLAG_INHERIT_ONLY|
2996                                         (ace->inherited ?
2997                                            SEC_ACE_FLAG_INHERITED_ACE : 0));
2998                         }
2999
3000                         /* The User must have access to a profile share - even
3001                          * if we can't map the SID. */
3002                         if (lp_profile_acls(SNUM(conn))) {
3003                                 init_sec_ace(&nt_ace_list[num_aces++], &global_sid_Builtin_Users, SEC_ACE_TYPE_ACCESS_ALLOWED, FILE_GENERIC_ALL,
3004                                                 SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
3005                                                 SEC_ACE_FLAG_INHERIT_ONLY|0);
3006                         }
3007
3008                         /*
3009                          * Merge POSIX default ACLs and normal ACLs into one NT ACE.
3010                          * Win2K needs this to get the inheritance correct when replacing ACLs
3011                          * on a directory tree. Based on work by Jim @ IBM.
3012                          */
3013
3014                         num_aces = merge_default_aces(nt_ace_list, num_aces);
3015
3016                 }
3017
3018                 if (num_aces) {
3019                         if((psa = make_sec_acl( talloc_tos(), NT4_ACL_REVISION, num_aces, nt_ace_list)) == NULL) {
3020                                 DEBUG(0,("get_nt_acl: Unable to malloc space for acl.\n"));
3021                                 goto done;
3022                         }
3023                 }
3024         } /* security_info & DACL_SECURITY_INFORMATION */
3025
3026         psd = make_standard_sec_desc( talloc_tos(),
3027                         (security_info & OWNER_SECURITY_INFORMATION) ? &owner_sid : NULL,
3028                         (security_info & GROUP_SECURITY_INFORMATION) ? &group_sid : NULL,
3029                         psa,
3030                         &sd_size);
3031
3032         if(!psd) {
3033                 DEBUG(0,("get_nt_acl: Unable to malloc space for security descriptor.\n"));
3034                 sd_size = 0;
3035                 goto done;
3036         }
3037
3038         /*
3039          * Windows 2000: The DACL_PROTECTED flag in the security
3040          * descriptor marks the ACL as non-inheriting, i.e., no
3041          * ACEs from higher level directories propagate to this
3042          * ACL. In the POSIX ACL model permissions are only
3043          * inherited at file create time, so ACLs never contain
3044          * any ACEs that are inherited dynamically. The DACL_PROTECTED
3045          * flag doesn't seem to bother Windows NT.
3046          * Always set this if map acl inherit is turned off.
3047          */
3048         if (get_protected_flag(pal) || !lp_map_acl_inherit(SNUM(conn))) {
3049                 psd->type |= SE_DESC_DACL_PROTECTED;
3050         }
3051
3052         if (psd->dacl) {
3053                 dacl_sort_into_canonical_order(psd->dacl->aces, (unsigned int)psd->dacl->num_aces);
3054         }
3055
3056         *ppdesc = psd;
3057
3058  done:
3059
3060         if (posix_acl) {
3061                 SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
3062         }
3063         if (def_acl) {
3064                 SMB_VFS_SYS_ACL_FREE_ACL(conn, def_acl);
3065         }
3066         free_canon_ace_list(file_ace);
3067         free_canon_ace_list(dir_ace);
3068         free_inherited_info(pal);
3069         SAFE_FREE(nt_ace_list);
3070
3071         return NT_STATUS_OK;
3072 }
3073
3074 NTSTATUS posix_fget_nt_acl(struct files_struct *fsp, uint32_t security_info,
3075                            SEC_DESC **ppdesc)
3076 {
3077         SMB_STRUCT_STAT sbuf;
3078         SMB_ACL_T posix_acl = NULL;
3079         struct pai_val *pal;
3080
3081         *ppdesc = NULL;
3082
3083         DEBUG(10,("posix_fget_nt_acl: called for file %s\n", fsp->fsp_name ));
3084
3085         /* can it happen that fsp_name == NULL ? */
3086         if (fsp->is_directory ||  fsp->fh->fd == -1) {
3087                 return posix_get_nt_acl(fsp->conn, fsp->fsp_name,
3088                                         security_info, ppdesc);
3089         }
3090
3091         /* Get the stat struct for the owner info. */
3092         if(SMB_VFS_FSTAT(fsp, &sbuf) != 0) {
3093                 return map_nt_error_from_unix(errno);
3094         }
3095
3096         /* Get the ACL from the fd. */
3097         posix_acl = SMB_VFS_SYS_ACL_GET_FD(fsp);
3098
3099         pal = fload_inherited_info(fsp);
3100
3101         return posix_get_nt_acl_common(fsp->conn, fsp->fsp_name, &sbuf, pal,
3102                                        posix_acl, NULL, security_info, ppdesc);
3103 }
3104
3105 NTSTATUS posix_get_nt_acl(struct connection_struct *conn, const char *name,
3106                           uint32_t security_info, SEC_DESC **ppdesc)
3107 {
3108         SMB_STRUCT_STAT sbuf;
3109         SMB_ACL_T posix_acl = NULL;
3110         SMB_ACL_T def_acl = NULL;
3111         struct pai_val *pal;
3112
3113         *ppdesc = NULL;
3114
3115         DEBUG(10,("posix_get_nt_acl: called for file %s\n", name ));
3116
3117         /* Get the stat struct for the owner info. */
3118         if(SMB_VFS_STAT(conn, name, &sbuf) != 0) {
3119                 return map_nt_error_from_unix(errno);
3120         }
3121
3122         /* Get the ACL from the path. */
3123         posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, name, SMB_ACL_TYPE_ACCESS);
3124
3125         /* If it's a directory get the default POSIX ACL. */
3126         if(S_ISDIR(sbuf.st_mode)) {
3127                 def_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, name, SMB_ACL_TYPE_DEFAULT);
3128                 def_acl = free_empty_sys_acl(conn, def_acl);
3129         }
3130
3131         pal = load_inherited_info(conn, name);
3132
3133         return posix_get_nt_acl_common(conn, name, &sbuf, pal, posix_acl,
3134                                        def_acl, security_info, ppdesc);
3135 }
3136
3137 /****************************************************************************
3138  Try to chown a file. We will be able to chown it under the following conditions.
3139
3140   1) If we have root privileges, then it will just work.
3141   2) If we have SeTakeOwnershipPrivilege we can change the user to the current user.
3142   3) If we have SeRestorePrivilege we can change the user to any other user. 
3143   4) If we have write permission to the file and dos_filemodes is set
3144      then allow chown to the currently authenticated user.
3145 ****************************************************************************/
3146
3147 int try_chown(connection_struct *conn, const char *fname, uid_t uid, gid_t gid)
3148 {
3149         int ret;
3150         files_struct *fsp;
3151         SMB_STRUCT_STAT st;
3152
3153         if(!CAN_WRITE(conn)) {
3154                 return -1;
3155         }
3156
3157         /* Case (1). */