c4eeb9c4bd921aae442b6b8225a2b720e1e582ba
[samba.git] / source3 / smbd / posix_acls.c
1 /*
2    Unix SMB/CIFS implementation.
3    SMB NT Security Descriptor / Unix permission conversion.
4    Copyright (C) Jeremy Allison 1994-2009.
5    Copyright (C) Andreas Gruenbacher 2002.
6    Copyright (C) Simo Sorce <idra@samba.org> 2009.
7
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "smbd/smbd.h"
24 #include "system/filesys.h"
25 #include "../libcli/security/security.h"
26 #include "trans2.h"
27 #include "passdb/lookup_sid.h"
28 #include "auth.h"
29 #include "../librpc/gen_ndr/idmap.h"
30 #include "../librpc/gen_ndr/ndr_smb_acl.h"
31 #include "lib/param/loadparm.h"
32
33 extern const struct generic_mapping file_generic_mapping;
34
35 #undef  DBGC_CLASS
36 #define DBGC_CLASS DBGC_ACLS
37
38 /****************************************************************************
39  Data structures representing the internal ACE format.
40 ****************************************************************************/
41
42 enum ace_owner {UID_ACE, GID_ACE, WORLD_ACE};
43 enum ace_attribute {ALLOW_ACE, DENY_ACE}; /* Used for incoming NT ACLS. */
44
45 typedef struct canon_ace {
46         struct canon_ace *next, *prev;
47         SMB_ACL_TAG_T type;
48         mode_t perms; /* Only use S_I(R|W|X)USR mode bits here. */
49         struct dom_sid trustee;
50         enum ace_owner owner_type;
51         enum ace_attribute attr;
52         struct unixid unix_ug;
53         uint8_t ace_flags; /* From windows ACE entry. */
54 } canon_ace;
55
56 #define ALL_ACE_PERMS (S_IRUSR|S_IWUSR|S_IXUSR)
57
58 /*
59  * EA format of user.SAMBA_PAI (Samba_Posix_Acl_Interitance)
60  * attribute on disk - version 1.
61  * All values are little endian.
62  *
63  * |  1   |  1   |   2         |         2           |  ....
64  * +------+------+-------------+---------------------+-------------+--------------------+
65  * | vers | flag | num_entries | num_default_entries | ..entries.. | default_entries... |
66  * +------+------+-------------+---------------------+-------------+--------------------+
67  *
68  * Entry format is :
69  *
70  * |  1   |       4           |
71  * +------+-------------------+
72  * | value|  uid/gid or world |
73  * | type |  value            |
74  * +------+-------------------+
75  *
76  * Version 2 format. Stores extra Windows metadata about an ACL.
77  *
78  * |  1   |  2       |   2         |         2           |  ....
79  * +------+----------+-------------+---------------------+-------------+--------------------+
80  * | vers | ace      | num_entries | num_default_entries | ..entries.. | default_entries... |
81  * |   2  |  type    |             |                     |             |                    |
82  * +------+----------+-------------+---------------------+-------------+--------------------+
83  *
84  * Entry format is :
85  *
86  * |  1   |  1   |       4           |
87  * +------+------+-------------------+
88  * | ace  | value|  uid/gid or world |
89  * | flag | type |  value            |
90  * +------+-------------------+------+
91  *
92  */
93
94 #define PAI_VERSION_OFFSET                      0
95
96 #define PAI_V1_FLAG_OFFSET                      1
97 #define PAI_V1_NUM_ENTRIES_OFFSET               2
98 #define PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET       4
99 #define PAI_V1_ENTRIES_BASE                     6
100 #define PAI_V1_ACL_FLAG_PROTECTED               0x1
101 #define PAI_V1_ENTRY_LENGTH                     5
102
103 #define PAI_V1_VERSION                          1
104
105 #define PAI_V2_TYPE_OFFSET                      1
106 #define PAI_V2_NUM_ENTRIES_OFFSET               3
107 #define PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET       5
108 #define PAI_V2_ENTRIES_BASE                     7
109 #define PAI_V2_ENTRY_LENGTH                     6
110
111 #define PAI_V2_VERSION                          2
112
113 /*
114  * In memory format of user.SAMBA_PAI attribute.
115  */
116
117 struct pai_entry {
118         struct pai_entry *next, *prev;
119         uint8_t ace_flags;
120         enum ace_owner owner_type;
121         struct unixid unix_ug;
122 };
123
124 struct pai_val {
125         uint16_t sd_type;
126         unsigned int num_entries;
127         struct pai_entry *entry_list;
128         unsigned int num_def_entries;
129         struct pai_entry *def_entry_list;
130 };
131
132 /************************************************************************
133  Return a uint32_t of the pai_entry principal.
134 ************************************************************************/
135
136 static uint32_t get_pai_entry_val(struct pai_entry *paie)
137 {
138         switch (paie->owner_type) {
139                 case UID_ACE:
140                         DEBUG(10,("get_pai_entry_val: uid = %u\n", (unsigned int)paie->unix_ug.id ));
141                         return (uint32_t)paie->unix_ug.id;
142                 case GID_ACE:
143                         DEBUG(10,("get_pai_entry_val: gid = %u\n", (unsigned int)paie->unix_ug.id ));
144                         return (uint32_t)paie->unix_ug.id;
145                 case WORLD_ACE:
146                 default:
147                         DEBUG(10,("get_pai_entry_val: world ace\n"));
148                         return (uint32_t)-1;
149         }
150 }
151
152 /************************************************************************
153  Return a uint32_t of the entry principal.
154 ************************************************************************/
155
156 static uint32_t get_entry_val(canon_ace *ace_entry)
157 {
158         switch (ace_entry->owner_type) {
159                 case UID_ACE:
160                         DEBUG(10,("get_entry_val: uid = %u\n", (unsigned int)ace_entry->unix_ug.id ));
161                         return (uint32_t)ace_entry->unix_ug.id;
162                 case GID_ACE:
163                         DEBUG(10,("get_entry_val: gid = %u\n", (unsigned int)ace_entry->unix_ug.id ));
164                         return (uint32_t)ace_entry->unix_ug.id;
165                 case WORLD_ACE:
166                 default:
167                         DEBUG(10,("get_entry_val: world ace\n"));
168                         return (uint32_t)-1;
169         }
170 }
171
172 /************************************************************************
173  Create the on-disk format (always v2 now). Caller must free.
174 ************************************************************************/
175
176 static char *create_pai_buf_v2(canon_ace *file_ace_list,
177                                 canon_ace *dir_ace_list,
178                                 uint16_t sd_type,
179                                 size_t *store_size)
180 {
181         char *pai_buf = NULL;
182         canon_ace *ace_list = NULL;
183         char *entry_offset = NULL;
184         unsigned int num_entries = 0;
185         unsigned int num_def_entries = 0;
186         unsigned int i;
187
188         for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next) {
189                 num_entries++;
190         }
191
192         for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next) {
193                 num_def_entries++;
194         }
195
196         DEBUG(10,("create_pai_buf_v2: num_entries = %u, num_def_entries = %u\n", num_entries, num_def_entries ));
197
198         *store_size = PAI_V2_ENTRIES_BASE +
199                 ((num_entries + num_def_entries)*PAI_V2_ENTRY_LENGTH);
200
201         pai_buf = talloc_array(talloc_tos(), char, *store_size);
202         if (!pai_buf) {
203                 return NULL;
204         }
205
206         /* Set up the header. */
207         memset(pai_buf, '\0', PAI_V2_ENTRIES_BASE);
208         SCVAL(pai_buf,PAI_VERSION_OFFSET,PAI_V2_VERSION);
209         SSVAL(pai_buf,PAI_V2_TYPE_OFFSET, sd_type);
210         SSVAL(pai_buf,PAI_V2_NUM_ENTRIES_OFFSET,num_entries);
211         SSVAL(pai_buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET,num_def_entries);
212
213         DEBUG(10,("create_pai_buf_v2: sd_type = 0x%x\n",
214                         (unsigned int)sd_type ));
215
216         entry_offset = pai_buf + PAI_V2_ENTRIES_BASE;
217
218         i = 0;
219         for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next) {
220                 uint8_t type_val = (uint8_t)ace_list->owner_type;
221                 uint32_t entry_val = get_entry_val(ace_list);
222
223                 SCVAL(entry_offset,0,ace_list->ace_flags);
224                 SCVAL(entry_offset,1,type_val);
225                 SIVAL(entry_offset,2,entry_val);
226                 DEBUG(10,("create_pai_buf_v2: entry %u [0x%x] [0x%x] [0x%x]\n",
227                         i,
228                         (unsigned int)ace_list->ace_flags,
229                         (unsigned int)type_val,
230                         (unsigned int)entry_val ));
231                 i++;
232                 entry_offset += PAI_V2_ENTRY_LENGTH;
233         }
234
235         for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next) {
236                 uint8_t type_val = (uint8_t)ace_list->owner_type;
237                 uint32_t entry_val = get_entry_val(ace_list);
238
239                 SCVAL(entry_offset,0,ace_list->ace_flags);
240                 SCVAL(entry_offset,1,type_val);
241                 SIVAL(entry_offset,2,entry_val);
242                 DEBUG(10,("create_pai_buf_v2: entry %u [0x%x] [0x%x] [0x%x]\n",
243                         i,
244                         (unsigned int)ace_list->ace_flags,
245                         (unsigned int)type_val,
246                         (unsigned int)entry_val ));
247                 i++;
248                 entry_offset += PAI_V2_ENTRY_LENGTH;
249         }
250
251         return pai_buf;
252 }
253
254 /************************************************************************
255  Store the user.SAMBA_PAI attribute on disk.
256 ************************************************************************/
257
258 static void store_inheritance_attributes(files_struct *fsp,
259                                         canon_ace *file_ace_list,
260                                         canon_ace *dir_ace_list,
261                                         uint16_t sd_type)
262 {
263         int ret;
264         size_t store_size;
265         char *pai_buf;
266
267         if (!lp_map_acl_inherit(SNUM(fsp->conn))) {
268                 return;
269         }
270
271         pai_buf = create_pai_buf_v2(file_ace_list, dir_ace_list,
272                                 sd_type, &store_size);
273
274         if (fsp->fh->fd != -1) {
275                 ret = SMB_VFS_FSETXATTR(fsp, SAMBA_POSIX_INHERITANCE_EA_NAME,
276                                 pai_buf, store_size, 0);
277         } else {
278                 ret = SMB_VFS_SETXATTR(fsp->conn, fsp->fsp_name->base_name,
279                                        SAMBA_POSIX_INHERITANCE_EA_NAME,
280                                        pai_buf, store_size, 0);
281         }
282
283         TALLOC_FREE(pai_buf);
284
285         DEBUG(10,("store_inheritance_attribute: type 0x%x for file %s\n",
286                 (unsigned int)sd_type,
287                 fsp_str_dbg(fsp)));
288
289         if (ret == -1 && !no_acl_syscall_error(errno)) {
290                 DEBUG(1,("store_inheritance_attribute: Error %s\n", strerror(errno) ));
291         }
292 }
293
294 /************************************************************************
295  Delete the in memory inheritance info.
296 ************************************************************************/
297
298 static void free_inherited_info(struct pai_val *pal)
299 {
300         if (pal) {
301                 struct pai_entry *paie, *paie_next;
302                 for (paie = pal->entry_list; paie; paie = paie_next) {
303                         paie_next = paie->next;
304                         TALLOC_FREE(paie);
305                 }
306                 for (paie = pal->def_entry_list; paie; paie = paie_next) {
307                         paie_next = paie->next;
308                         TALLOC_FREE(paie);
309                 }
310                 TALLOC_FREE(pal);
311         }
312 }
313
314 /************************************************************************
315  Get any stored ACE flags.
316 ************************************************************************/
317
318 static uint16_t get_pai_flags(struct pai_val *pal, canon_ace *ace_entry, bool default_ace)
319 {
320         struct pai_entry *paie;
321
322         if (!pal) {
323                 return 0;
324         }
325
326         /* If the entry exists it is inherited. */
327         for (paie = (default_ace ? pal->def_entry_list : pal->entry_list); paie; paie = paie->next) {
328                 if (ace_entry->owner_type == paie->owner_type &&
329                                 get_entry_val(ace_entry) == get_pai_entry_val(paie))
330                         return paie->ace_flags;
331         }
332         return 0;
333 }
334
335 /************************************************************************
336  Ensure an attribute just read is valid - v1.
337 ************************************************************************/
338
339 static bool check_pai_ok_v1(const char *pai_buf, size_t pai_buf_data_size)
340 {
341         uint16_t num_entries;
342         uint16_t num_def_entries;
343
344         if (pai_buf_data_size < PAI_V1_ENTRIES_BASE) {
345                 /* Corrupted - too small. */
346                 return false;
347         }
348
349         if (CVAL(pai_buf,PAI_VERSION_OFFSET) != PAI_V1_VERSION) {
350                 return false;
351         }
352
353         num_entries = SVAL(pai_buf,PAI_V1_NUM_ENTRIES_OFFSET);
354         num_def_entries = SVAL(pai_buf,PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET);
355
356         /* Check the entry lists match. */
357         /* Each entry is 5 bytes (type plus 4 bytes of uid or gid). */
358
359         if (((num_entries + num_def_entries)*PAI_V1_ENTRY_LENGTH) +
360                         PAI_V1_ENTRIES_BASE != pai_buf_data_size) {
361                 return false;
362         }
363
364         return true;
365 }
366
367 /************************************************************************
368  Ensure an attribute just read is valid - v2.
369 ************************************************************************/
370
371 static bool check_pai_ok_v2(const char *pai_buf, size_t pai_buf_data_size)
372 {
373         uint16_t num_entries;
374         uint16_t num_def_entries;
375
376         if (pai_buf_data_size < PAI_V2_ENTRIES_BASE) {
377                 /* Corrupted - too small. */
378                 return false;
379         }
380
381         if (CVAL(pai_buf,PAI_VERSION_OFFSET) != PAI_V2_VERSION) {
382                 return false;
383         }
384
385         num_entries = SVAL(pai_buf,PAI_V2_NUM_ENTRIES_OFFSET);
386         num_def_entries = SVAL(pai_buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET);
387
388         /* Check the entry lists match. */
389         /* Each entry is 6 bytes (flags + type + 4 bytes of uid or gid). */
390
391         if (((num_entries + num_def_entries)*PAI_V2_ENTRY_LENGTH) +
392                         PAI_V2_ENTRIES_BASE != pai_buf_data_size) {
393                 return false;
394         }
395
396         return true;
397 }
398
399 /************************************************************************
400  Decode the owner.
401 ************************************************************************/
402
403 static bool get_pai_owner_type(struct pai_entry *paie, const char *entry_offset)
404 {
405         paie->owner_type = (enum ace_owner)CVAL(entry_offset,0);
406         switch( paie->owner_type) {
407                 case UID_ACE:
408                         paie->unix_ug.type = ID_TYPE_UID;
409                         paie->unix_ug.id = (uid_t)IVAL(entry_offset,1);
410                         DEBUG(10,("get_pai_owner_type: uid = %u\n",
411                                 (unsigned int)paie->unix_ug.id ));
412                         break;
413                 case GID_ACE:
414                         paie->unix_ug.type = ID_TYPE_GID;
415                         paie->unix_ug.id = (gid_t)IVAL(entry_offset,1);
416                         DEBUG(10,("get_pai_owner_type: gid = %u\n",
417                                 (unsigned int)paie->unix_ug.id ));
418                         break;
419                 case WORLD_ACE:
420                         paie->unix_ug.type = ID_TYPE_NOT_SPECIFIED;
421                         paie->unix_ug.id = -1;
422                         DEBUG(10,("get_pai_owner_type: world ace\n"));
423                         break;
424                 default:
425                         DEBUG(10,("get_pai_owner_type: unknown type %u\n",
426                                 (unsigned int)paie->owner_type ));
427                         return false;
428         }
429         return true;
430 }
431
432 /************************************************************************
433  Process v2 entries.
434 ************************************************************************/
435
436 static const char *create_pai_v1_entries(struct pai_val *paiv,
437                                 const char *entry_offset,
438                                 bool def_entry)
439 {
440         int i;
441
442         for (i = 0; i < paiv->num_entries; i++) {
443                 struct pai_entry *paie = talloc(talloc_tos(), struct pai_entry);
444                 if (!paie) {
445                         return NULL;
446                 }
447
448                 paie->ace_flags = SEC_ACE_FLAG_INHERITED_ACE;
449                 if (!get_pai_owner_type(paie, entry_offset)) {
450                         TALLOC_FREE(paie);
451                         return NULL;
452                 }
453
454                 if (!def_entry) {
455                         DLIST_ADD(paiv->entry_list, paie);
456                 } else {
457                         DLIST_ADD(paiv->def_entry_list, paie);
458                 }
459                 entry_offset += PAI_V1_ENTRY_LENGTH;
460         }
461         return entry_offset;
462 }
463
464 /************************************************************************
465  Convert to in-memory format from version 1.
466 ************************************************************************/
467
468 static struct pai_val *create_pai_val_v1(const char *buf, size_t size)
469 {
470         const char *entry_offset;
471         struct pai_val *paiv = NULL;
472
473         if (!check_pai_ok_v1(buf, size)) {
474                 return NULL;
475         }
476
477         paiv = talloc(talloc_tos(), struct pai_val);
478         if (!paiv) {
479                 return NULL;
480         }
481
482         memset(paiv, '\0', sizeof(struct pai_val));
483
484         paiv->sd_type = (CVAL(buf,PAI_V1_FLAG_OFFSET) == PAI_V1_ACL_FLAG_PROTECTED) ?
485                         SEC_DESC_DACL_PROTECTED : 0;
486
487         paiv->num_entries = SVAL(buf,PAI_V1_NUM_ENTRIES_OFFSET);
488         paiv->num_def_entries = SVAL(buf,PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET);
489
490         entry_offset = buf + PAI_V1_ENTRIES_BASE;
491
492         DEBUG(10,("create_pai_val: num_entries = %u, num_def_entries = %u\n",
493                         paiv->num_entries, paiv->num_def_entries ));
494
495         entry_offset = create_pai_v1_entries(paiv, entry_offset, false);
496         if (entry_offset == NULL) {
497                 free_inherited_info(paiv);
498                 return NULL;
499         }
500         entry_offset = create_pai_v1_entries(paiv, entry_offset, true);
501         if (entry_offset == NULL) {
502                 free_inherited_info(paiv);
503                 return NULL;
504         }
505
506         return paiv;
507 }
508
509 /************************************************************************
510  Process v2 entries.
511 ************************************************************************/
512
513 static const char *create_pai_v2_entries(struct pai_val *paiv,
514                                 unsigned int num_entries,
515                                 const char *entry_offset,
516                                 bool def_entry)
517 {
518         unsigned int i;
519
520         for (i = 0; i < num_entries; i++) {
521                 struct pai_entry *paie = talloc(talloc_tos(), struct pai_entry);
522                 if (!paie) {
523                         return NULL;
524                 }
525
526                 paie->ace_flags = CVAL(entry_offset,0);
527
528                 if (!get_pai_owner_type(paie, entry_offset+1)) {
529                         TALLOC_FREE(paie);
530                         return NULL;
531                 }
532                 if (!def_entry) {
533                         DLIST_ADD(paiv->entry_list, paie);
534                 } else {
535                         DLIST_ADD(paiv->def_entry_list, paie);
536                 }
537                 entry_offset += PAI_V2_ENTRY_LENGTH;
538         }
539         return entry_offset;
540 }
541
542 /************************************************************************
543  Convert to in-memory format from version 2.
544 ************************************************************************/
545
546 static struct pai_val *create_pai_val_v2(const char *buf, size_t size)
547 {
548         const char *entry_offset;
549         struct pai_val *paiv = NULL;
550
551         if (!check_pai_ok_v2(buf, size)) {
552                 return NULL;
553         }
554
555         paiv = talloc(talloc_tos(), struct pai_val);
556         if (!paiv) {
557                 return NULL;
558         }
559
560         memset(paiv, '\0', sizeof(struct pai_val));
561
562         paiv->sd_type = SVAL(buf,PAI_V2_TYPE_OFFSET);
563
564         paiv->num_entries = SVAL(buf,PAI_V2_NUM_ENTRIES_OFFSET);
565         paiv->num_def_entries = SVAL(buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET);
566
567         entry_offset = buf + PAI_V2_ENTRIES_BASE;
568
569         DEBUG(10,("create_pai_val_v2: sd_type = 0x%x num_entries = %u, num_def_entries = %u\n",
570                         (unsigned int)paiv->sd_type,
571                         paiv->num_entries, paiv->num_def_entries ));
572
573         entry_offset = create_pai_v2_entries(paiv, paiv->num_entries,
574                                 entry_offset, false);
575         if (entry_offset == NULL) {
576                 free_inherited_info(paiv);
577                 return NULL;
578         }
579         entry_offset = create_pai_v2_entries(paiv, paiv->num_def_entries,
580                                 entry_offset, true);
581         if (entry_offset == NULL) {
582                 free_inherited_info(paiv);
583                 return NULL;
584         }
585
586         return paiv;
587 }
588
589 /************************************************************************
590  Convert to in-memory format - from either version 1 or 2.
591 ************************************************************************/
592
593 static struct pai_val *create_pai_val(const char *buf, size_t size)
594 {
595         if (size < 1) {
596                 return NULL;
597         }
598         if (CVAL(buf,PAI_VERSION_OFFSET) == PAI_V1_VERSION) {
599                 return create_pai_val_v1(buf, size);
600         } else if (CVAL(buf,PAI_VERSION_OFFSET) == PAI_V2_VERSION) {
601                 return create_pai_val_v2(buf, size);
602         } else {
603                 return NULL;
604         }
605 }
606
607 /************************************************************************
608  Load the user.SAMBA_PAI attribute.
609 ************************************************************************/
610
611 static struct pai_val *fload_inherited_info(files_struct *fsp)
612 {
613         char *pai_buf;
614         size_t pai_buf_size = 1024;
615         struct pai_val *paiv = NULL;
616         ssize_t ret;
617
618         if (!lp_map_acl_inherit(SNUM(fsp->conn))) {
619                 return NULL;
620         }
621
622         if ((pai_buf = talloc_array(talloc_tos(), char, pai_buf_size)) == NULL) {
623                 return NULL;
624         }
625
626         do {
627                 if (fsp->fh->fd != -1) {
628                         ret = SMB_VFS_FGETXATTR(fsp, SAMBA_POSIX_INHERITANCE_EA_NAME,
629                                         pai_buf, pai_buf_size);
630                 } else {
631                         ret = SMB_VFS_GETXATTR(fsp->conn,
632                                                fsp->fsp_name->base_name,
633                                                SAMBA_POSIX_INHERITANCE_EA_NAME,
634                                                pai_buf, pai_buf_size);
635                 }
636
637                 if (ret == -1) {
638                         if (errno != ERANGE) {
639                                 break;
640                         }
641                         /* Buffer too small - enlarge it. */
642                         pai_buf_size *= 2;
643                         TALLOC_FREE(pai_buf);
644                         if (pai_buf_size > 1024*1024) {
645                                 return NULL; /* Limit malloc to 1mb. */
646                         }
647                         if ((pai_buf = talloc_array(talloc_tos(), char, pai_buf_size)) == NULL)
648                                 return NULL;
649                 }
650         } while (ret == -1);
651
652         DEBUG(10,("load_inherited_info: ret = %lu for file %s\n",
653                   (unsigned long)ret, fsp_str_dbg(fsp)));
654
655         if (ret == -1) {
656                 /* No attribute or not supported. */
657 #if defined(ENOATTR)
658                 if (errno != ENOATTR)
659                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
660 #else
661                 if (errno != ENOSYS)
662                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
663 #endif
664                 TALLOC_FREE(pai_buf);
665                 return NULL;
666         }
667
668         paiv = create_pai_val(pai_buf, ret);
669
670         if (paiv) {
671                 DEBUG(10,("load_inherited_info: ACL type is 0x%x for file %s\n",
672                           (unsigned int)paiv->sd_type, fsp_str_dbg(fsp)));
673         }
674
675         TALLOC_FREE(pai_buf);
676         return paiv;
677 }
678
679 /************************************************************************
680  Load the user.SAMBA_PAI attribute.
681 ************************************************************************/
682
683 static struct pai_val *load_inherited_info(const struct connection_struct *conn,
684                                            const char *fname)
685 {
686         char *pai_buf;
687         size_t pai_buf_size = 1024;
688         struct pai_val *paiv = NULL;
689         ssize_t ret;
690
691         if (!lp_map_acl_inherit(SNUM(conn))) {
692                 return NULL;
693         }
694
695         if ((pai_buf = talloc_array(talloc_tos(), char, pai_buf_size)) == NULL) {
696                 return NULL;
697         }
698
699         do {
700                 ret = SMB_VFS_GETXATTR(conn, fname,
701                                        SAMBA_POSIX_INHERITANCE_EA_NAME,
702                                        pai_buf, pai_buf_size);
703
704                 if (ret == -1) {
705                         if (errno != ERANGE) {
706                                 break;
707                         }
708                         /* Buffer too small - enlarge it. */
709                         pai_buf_size *= 2;
710                         TALLOC_FREE(pai_buf);
711                         if (pai_buf_size > 1024*1024) {
712                                 return NULL; /* Limit malloc to 1mb. */
713                         }
714                         if ((pai_buf = talloc_array(talloc_tos(), char, pai_buf_size)) == NULL)
715                                 return NULL;
716                 }
717         } while (ret == -1);
718
719         DEBUG(10,("load_inherited_info: ret = %lu for file %s\n", (unsigned long)ret, fname));
720
721         if (ret == -1) {
722                 /* No attribute or not supported. */
723 #if defined(ENOATTR)
724                 if (errno != ENOATTR)
725                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
726 #else
727                 if (errno != ENOSYS)
728                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
729 #endif
730                 TALLOC_FREE(pai_buf);
731                 return NULL;
732         }
733
734         paiv = create_pai_val(pai_buf, ret);
735
736         if (paiv) {
737                 DEBUG(10,("load_inherited_info: ACL type 0x%x for file %s\n",
738                         (unsigned int)paiv->sd_type,
739                         fname));
740         }
741
742         TALLOC_FREE(pai_buf);
743         return paiv;
744 }
745
746 /****************************************************************************
747  Functions to manipulate the internal ACE format.
748 ****************************************************************************/
749
750 /****************************************************************************
751  Count a linked list of canonical ACE entries.
752 ****************************************************************************/
753
754 static size_t count_canon_ace_list( canon_ace *l_head )
755 {
756         size_t count = 0;
757         canon_ace *ace;
758
759         for (ace = l_head; ace; ace = ace->next)
760                 count++;
761
762         return count;
763 }
764
765 /****************************************************************************
766  Free a linked list of canonical ACE entries.
767 ****************************************************************************/
768
769 static void free_canon_ace_list( canon_ace *l_head )
770 {
771         canon_ace *list, *next;
772
773         for (list = l_head; list; list = next) {
774                 next = list->next;
775                 DLIST_REMOVE(l_head, list);
776                 TALLOC_FREE(list);
777         }
778 }
779
780 /****************************************************************************
781  Function to duplicate a canon_ace entry.
782 ****************************************************************************/
783
784 static canon_ace *dup_canon_ace( canon_ace *src_ace)
785 {
786         canon_ace *dst_ace = talloc(talloc_tos(), canon_ace);
787
788         if (dst_ace == NULL)
789                 return NULL;
790
791         *dst_ace = *src_ace;
792         dst_ace->prev = dst_ace->next = NULL;
793         return dst_ace;
794 }
795
796 /****************************************************************************
797  Print out a canon ace.
798 ****************************************************************************/
799
800 static void print_canon_ace(canon_ace *pace, int num)
801 {
802         dbgtext( "canon_ace index %d. Type = %s ", num, pace->attr == ALLOW_ACE ? "allow" : "deny" );
803         dbgtext( "SID = %s ", sid_string_dbg(&pace->trustee));
804         if (pace->owner_type == UID_ACE) {
805                 const char *u_name = uidtoname(pace->unix_ug.id);
806                 dbgtext( "uid %u (%s) ", (unsigned int)pace->unix_ug.id, u_name );
807         } else if (pace->owner_type == GID_ACE) {
808                 char *g_name = gidtoname(pace->unix_ug.id);
809                 dbgtext( "gid %u (%s) ", (unsigned int)pace->unix_ug.id, g_name );
810         } else
811                 dbgtext( "other ");
812         switch (pace->type) {
813                 case SMB_ACL_USER:
814                         dbgtext( "SMB_ACL_USER ");
815                         break;
816                 case SMB_ACL_USER_OBJ:
817                         dbgtext( "SMB_ACL_USER_OBJ ");
818                         break;
819                 case SMB_ACL_GROUP:
820                         dbgtext( "SMB_ACL_GROUP ");
821                         break;
822                 case SMB_ACL_GROUP_OBJ:
823                         dbgtext( "SMB_ACL_GROUP_OBJ ");
824                         break;
825                 case SMB_ACL_OTHER:
826                         dbgtext( "SMB_ACL_OTHER ");
827                         break;
828                 default:
829                         dbgtext( "MASK " );
830                         break;
831         }
832
833         dbgtext( "ace_flags = 0x%x ", (unsigned int)pace->ace_flags);
834         dbgtext( "perms ");
835         dbgtext( "%c", pace->perms & S_IRUSR ? 'r' : '-');
836         dbgtext( "%c", pace->perms & S_IWUSR ? 'w' : '-');
837         dbgtext( "%c\n", pace->perms & S_IXUSR ? 'x' : '-');
838 }
839
840 /****************************************************************************
841  Print out a canon ace list.
842 ****************************************************************************/
843
844 static void print_canon_ace_list(const char *name, canon_ace *ace_list)
845 {
846         int count = 0;
847
848         if( DEBUGLVL( 10 )) {
849                 dbgtext( "print_canon_ace_list: %s\n", name );
850                 for (;ace_list; ace_list = ace_list->next, count++)
851                         print_canon_ace(ace_list, count );
852         }
853 }
854
855 /****************************************************************************
856  Map POSIX ACL perms to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
857 ****************************************************************************/
858
859 static mode_t convert_permset_to_mode_t(SMB_ACL_PERMSET_T permset)
860 {
861         mode_t ret = 0;
862
863         ret |= (sys_acl_get_perm(permset, SMB_ACL_READ) ? S_IRUSR : 0);
864         ret |= (sys_acl_get_perm(permset, SMB_ACL_WRITE) ? S_IWUSR : 0);
865         ret |= (sys_acl_get_perm(permset, SMB_ACL_EXECUTE) ? S_IXUSR : 0);
866
867         return ret;
868 }
869
870 /****************************************************************************
871  Map generic UNIX permissions to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
872 ****************************************************************************/
873
874 static mode_t unix_perms_to_acl_perms(mode_t mode, int r_mask, int w_mask, int x_mask)
875 {
876         mode_t ret = 0;
877
878         if (mode & r_mask)
879                 ret |= S_IRUSR;
880         if (mode & w_mask)
881                 ret |= S_IWUSR;
882         if (mode & x_mask)
883                 ret |= S_IXUSR;
884
885         return ret;
886 }
887
888 /****************************************************************************
889  Map canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits) to
890  an SMB_ACL_PERMSET_T.
891 ****************************************************************************/
892
893 static int map_acl_perms_to_permset(connection_struct *conn, mode_t mode, SMB_ACL_PERMSET_T *p_permset)
894 {
895         if (sys_acl_clear_perms(*p_permset) ==  -1)
896                 return -1;
897         if (mode & S_IRUSR) {
898                 if (sys_acl_add_perm(*p_permset, SMB_ACL_READ) == -1)
899                         return -1;
900         }
901         if (mode & S_IWUSR) {
902                 if (sys_acl_add_perm(*p_permset, SMB_ACL_WRITE) == -1)
903                         return -1;
904         }
905         if (mode & S_IXUSR) {
906                 if (sys_acl_add_perm(*p_permset, SMB_ACL_EXECUTE) == -1)
907                         return -1;
908         }
909         return 0;
910 }
911
912 /****************************************************************************
913  Function to create owner and group SIDs from a SMB_STRUCT_STAT.
914 ****************************************************************************/
915
916 void create_file_sids(const SMB_STRUCT_STAT *psbuf, struct dom_sid *powner_sid, struct dom_sid *pgroup_sid)
917 {
918         uid_to_sid( powner_sid, psbuf->st_ex_uid );
919         gid_to_sid( pgroup_sid, psbuf->st_ex_gid );
920 }
921
922 /****************************************************************************
923  Merge aces with a common UID or GID - if both are allow or deny, OR the permissions together and
924  delete the second one. If the first is deny, mask the permissions off and delete the allow
925  if the permissions become zero, delete the deny if the permissions are non zero.
926 ****************************************************************************/
927
928 static void merge_aces( canon_ace **pp_list_head, bool dir_acl)
929 {
930         canon_ace *l_head = *pp_list_head;
931         canon_ace *curr_ace_outer;
932         canon_ace *curr_ace_outer_next;
933
934         /*
935          * First, merge allow entries with identical SIDs, and deny entries
936          * with identical SIDs.
937          */
938
939         for (curr_ace_outer = l_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
940                 canon_ace *curr_ace;
941                 canon_ace *curr_ace_next;
942
943                 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
944
945                 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
946                         bool can_merge = false;
947
948                         curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
949
950                         /* For file ACLs we can merge if the SIDs and ALLOW/DENY
951                          * types are the same. For directory acls we must also
952                          * ensure the POSIX ACL types are the same.
953                          *
954                          * For the IDMAP_BOTH case, we must not merge
955                          * the UID and GID ACE values for same SID
956                          */
957
958                         if (!dir_acl) {
959                                 can_merge = (curr_ace->unix_ug.id == curr_ace_outer->unix_ug.id &&
960                                              curr_ace->owner_type == curr_ace_outer->owner_type &&
961                                              (curr_ace->attr == curr_ace_outer->attr));
962                         } else {
963                                 can_merge = (curr_ace->unix_ug.id == curr_ace_outer->unix_ug.id &&
964                                              curr_ace->owner_type == curr_ace_outer->owner_type &&
965                                              (curr_ace->type == curr_ace_outer->type) &&
966                                              (curr_ace->attr == curr_ace_outer->attr));
967                         }
968
969                         if (can_merge) {
970                                 if( DEBUGLVL( 10 )) {
971                                         dbgtext("merge_aces: Merging ACE's\n");
972                                         print_canon_ace( curr_ace_outer, 0);
973                                         print_canon_ace( curr_ace, 0);
974                                 }
975
976                                 /* Merge two allow or two deny ACE's. */
977
978                                 /* Theoretically we shouldn't merge a dir ACE if
979                                  * one ACE has the CI flag set, and the other
980                                  * ACE has the OI flag set, but this is rare
981                                  * enough we can ignore it. */
982
983                                 curr_ace_outer->perms |= curr_ace->perms;
984                                 curr_ace_outer->ace_flags |= curr_ace->ace_flags;
985                                 DLIST_REMOVE(l_head, curr_ace);
986                                 TALLOC_FREE(curr_ace);
987                                 curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
988                         }
989                 }
990         }
991
992         /*
993          * Now go through and mask off allow permissions with deny permissions.
994          * We can delete either the allow or deny here as we know that each SID
995          * appears only once in the list.
996          */
997
998         for (curr_ace_outer = l_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
999                 canon_ace *curr_ace;
1000                 canon_ace *curr_ace_next;
1001
1002                 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
1003
1004                 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
1005
1006                         curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
1007
1008                         /*
1009                          * Subtract ACE's with different entries. Due to the ordering constraints
1010                          * we've put on the ACL, we know the deny must be the first one.
1011                          */
1012
1013                         if (curr_ace->unix_ug.id == curr_ace_outer->unix_ug.id &&
1014                             (curr_ace->owner_type == curr_ace_outer->owner_type) &&
1015                             (curr_ace_outer->attr == DENY_ACE) && (curr_ace->attr == ALLOW_ACE)) {
1016
1017                                 if( DEBUGLVL( 10 )) {
1018                                         dbgtext("merge_aces: Masking ACE's\n");
1019                                         print_canon_ace( curr_ace_outer, 0);
1020                                         print_canon_ace( curr_ace, 0);
1021                                 }
1022
1023                                 curr_ace->perms &= ~curr_ace_outer->perms;
1024
1025                                 if (curr_ace->perms == 0) {
1026
1027                                         /*
1028                                          * The deny overrides the allow. Remove the allow.
1029                                          */
1030
1031                                         DLIST_REMOVE(l_head, curr_ace);
1032                                         TALLOC_FREE(curr_ace);
1033                                         curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
1034
1035                                 } else {
1036
1037                                         /*
1038                                          * Even after removing permissions, there
1039                                          * are still allow permissions - delete the deny.
1040                                          * It is safe to delete the deny here,
1041                                          * as we are guarenteed by the deny first
1042                                          * ordering that all the deny entries for
1043                                          * this SID have already been merged into one
1044                                          * before we can get to an allow ace.
1045                                          */
1046
1047                                         DLIST_REMOVE(l_head, curr_ace_outer);
1048                                         TALLOC_FREE(curr_ace_outer);
1049                                         break;
1050                                 }
1051                         }
1052
1053                 } /* end for curr_ace */
1054         } /* end for curr_ace_outer */
1055
1056         /* We may have modified the list. */
1057
1058         *pp_list_head = l_head;
1059 }
1060
1061 /****************************************************************************
1062  Map canon_ace perms to permission bits NT.
1063  The attr element is not used here - we only process deny entries on set,
1064  not get. Deny entries are implicit on get with ace->perms = 0.
1065 ****************************************************************************/
1066
1067 uint32_t map_canon_ace_perms(int snum,
1068                                 enum security_ace_type *pacl_type,
1069                                 mode_t perms,
1070                                 bool directory_ace)
1071 {
1072         uint32_t nt_mask = 0;
1073
1074         *pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED;
1075
1076         if (lp_acl_map_full_control(snum) && ((perms & ALL_ACE_PERMS) == ALL_ACE_PERMS)) {
1077                 if (directory_ace) {
1078                         nt_mask = UNIX_DIRECTORY_ACCESS_RWX;
1079                 } else {
1080                         nt_mask = (UNIX_ACCESS_RWX & ~DELETE_ACCESS);
1081                 }
1082         } else if ((perms & ALL_ACE_PERMS) == (mode_t)0) {
1083                 /*
1084                  * Windows NT refuses to display ACEs with no permissions in them (but
1085                  * they are perfectly legal with Windows 2000). If the ACE has empty
1086                  * permissions we cannot use 0, so we use the otherwise unused
1087                  * WRITE_OWNER permission, which we ignore when we set an ACL.
1088                  * We abstract this into a #define of UNIX_ACCESS_NONE to allow this
1089                  * to be changed in the future.
1090                  */
1091
1092                 nt_mask = 0;
1093         } else {
1094                 if (directory_ace) {
1095                         nt_mask |= ((perms & S_IRUSR) ? UNIX_DIRECTORY_ACCESS_R : 0 );
1096                         nt_mask |= ((perms & S_IWUSR) ? UNIX_DIRECTORY_ACCESS_W : 0 );
1097                         nt_mask |= ((perms & S_IXUSR) ? UNIX_DIRECTORY_ACCESS_X : 0 );
1098                 } else {
1099                         nt_mask |= ((perms & S_IRUSR) ? UNIX_ACCESS_R : 0 );
1100                         nt_mask |= ((perms & S_IWUSR) ? UNIX_ACCESS_W : 0 );
1101                         nt_mask |= ((perms & S_IXUSR) ? UNIX_ACCESS_X : 0 );
1102                 }
1103         }
1104
1105         if ((perms & S_IWUSR) && lp_dos_filemode(snum)) {
1106                 nt_mask |= (SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|DELETE_ACCESS);
1107         }
1108
1109         DEBUG(10,("map_canon_ace_perms: Mapped (UNIX) %x to (NT) %x\n",
1110                         (unsigned int)perms, (unsigned int)nt_mask ));
1111
1112         return nt_mask;
1113 }
1114
1115 /****************************************************************************
1116  Map NT perms to a UNIX mode_t.
1117 ****************************************************************************/
1118
1119 #define FILE_SPECIFIC_READ_BITS (FILE_READ_DATA|FILE_READ_EA)
1120 #define FILE_SPECIFIC_WRITE_BITS (FILE_WRITE_DATA|FILE_APPEND_DATA|FILE_WRITE_EA)
1121 #define FILE_SPECIFIC_EXECUTE_BITS (FILE_EXECUTE)
1122
1123 static mode_t map_nt_perms( uint32_t *mask, int type)
1124 {
1125         mode_t mode = 0;
1126
1127         switch(type) {
1128         case S_IRUSR:
1129                 if((*mask) & GENERIC_ALL_ACCESS)
1130                         mode = S_IRUSR|S_IWUSR|S_IXUSR;
1131                 else {
1132                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRUSR : 0;
1133                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWUSR : 0;
1134                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXUSR : 0;
1135                 }
1136                 break;
1137         case S_IRGRP:
1138                 if((*mask) & GENERIC_ALL_ACCESS)
1139                         mode = S_IRGRP|S_IWGRP|S_IXGRP;
1140                 else {
1141                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRGRP : 0;
1142                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWGRP : 0;
1143                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXGRP : 0;
1144                 }
1145                 break;
1146         case S_IROTH:
1147                 if((*mask) & GENERIC_ALL_ACCESS)
1148                         mode = S_IROTH|S_IWOTH|S_IXOTH;
1149                 else {
1150                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IROTH : 0;
1151                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWOTH : 0;
1152                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXOTH : 0;
1153                 }
1154                 break;
1155         }
1156
1157         return mode;
1158 }
1159
1160 /****************************************************************************
1161  Unpack a struct security_descriptor into a UNIX owner and group.
1162 ****************************************************************************/
1163
1164 NTSTATUS unpack_nt_owners(struct connection_struct *conn,
1165                         uid_t *puser, gid_t *pgrp,
1166                         uint32_t security_info_sent, const struct
1167                         security_descriptor *psd)
1168 {
1169         *puser = (uid_t)-1;
1170         *pgrp = (gid_t)-1;
1171
1172         if(security_info_sent == 0) {
1173                 DEBUG(0,("unpack_nt_owners: no security info sent !\n"));
1174                 return NT_STATUS_OK;
1175         }
1176
1177         /*
1178          * Validate the owner and group SID's.
1179          */
1180
1181         DEBUG(5,("unpack_nt_owners: validating owner_sids.\n"));
1182
1183         /*
1184          * Don't immediately fail if the owner sid cannot be validated.
1185          * This may be a group chown only set.
1186          */
1187
1188         if (security_info_sent & SECINFO_OWNER) {
1189                 if (!sid_to_uid(psd->owner_sid, puser)) {
1190                         if (lp_force_unknown_acl_user(SNUM(conn))) {
1191                                 /* this allows take ownership to work
1192                                  * reasonably */
1193                                 *puser = get_current_uid(conn);
1194                         } else {
1195                                 DEBUG(3,("unpack_nt_owners: unable to validate"
1196                                          " owner sid for %s\n",
1197                                          sid_string_dbg(psd->owner_sid)));
1198                                 return NT_STATUS_INVALID_OWNER;
1199                         }
1200                 }
1201                 DEBUG(3,("unpack_nt_owners: owner sid mapped to uid %u\n",
1202                          (unsigned int)*puser ));
1203         }
1204
1205         /*
1206          * Don't immediately fail if the group sid cannot be validated.
1207          * This may be an owner chown only set.
1208          */
1209
1210         if (security_info_sent & SECINFO_GROUP) {
1211                 if (!sid_to_gid(psd->group_sid, pgrp)) {
1212                         if (lp_force_unknown_acl_user(SNUM(conn))) {
1213                                 /* this allows take group ownership to work
1214                                  * reasonably */
1215                                 *pgrp = get_current_gid(conn);
1216                         } else {
1217                                 DEBUG(3,("unpack_nt_owners: unable to validate"
1218                                          " group sid.\n"));
1219                                 return NT_STATUS_INVALID_OWNER;
1220                         }
1221                 }
1222                 DEBUG(3,("unpack_nt_owners: group sid mapped to gid %u\n",
1223                          (unsigned int)*pgrp));
1224         }
1225
1226         DEBUG(5,("unpack_nt_owners: owner_sids validated.\n"));
1227
1228         return NT_STATUS_OK;
1229 }
1230
1231
1232 static void trim_ace_perms(canon_ace *pace)
1233 {
1234         pace->perms = pace->perms & (S_IXUSR|S_IWUSR|S_IRUSR);
1235 }
1236
1237 static void ensure_minimal_owner_ace_perms(const bool is_directory,
1238                                            canon_ace *pace)
1239 {
1240         pace->perms |= S_IRUSR;
1241         if (is_directory) {
1242                 pace->perms |= (S_IWUSR|S_IXUSR);
1243         }
1244 }
1245
1246 /****************************************************************************
1247  Check if a given uid/SID is in a group gid/SID. This is probably very
1248  expensive and will need optimisation. A *lot* of optimisation :-). JRA.
1249 ****************************************************************************/
1250
1251 static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, canon_ace *group_ace )
1252 {
1253         /* "Everyone" always matches every uid. */
1254
1255         if (dom_sid_equal(&group_ace->trustee, &global_sid_World))
1256                 return True;
1257
1258         /*
1259          * if it's the current user, we already have the unix token
1260          * and don't need to do the complex user_in_group_sid() call
1261          */
1262         if (uid_ace->unix_ug.id == get_current_uid(conn)) {
1263                 const struct security_unix_token *curr_utok = NULL;
1264                 size_t i;
1265
1266                 if (group_ace->unix_ug.id == get_current_gid(conn)) {
1267                         return True;
1268                 }
1269
1270                 curr_utok = get_current_utok(conn);
1271                 for (i=0; i < curr_utok->ngroups; i++) {
1272                         if (group_ace->unix_ug.id == curr_utok->groups[i]) {
1273                                 return True;
1274                         }
1275                 }
1276         }
1277
1278         /*
1279          * user_in_group_sid() uses create_token_from_sid()
1280          * which creates an artificial NT token given just a username,
1281          * so this is not reliable for users from foreign domains
1282          * exported by winbindd!
1283          */
1284         return user_sid_in_group_sid(&uid_ace->trustee, &group_ace->trustee);
1285 }
1286
1287 /****************************************************************************
1288  A well formed POSIX file or default ACL has at least 3 entries, a
1289  SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ.
1290  In addition, the owner must always have at least read access.
1291  When using this call on get_acl, the pst struct is valid and contains
1292  the mode of the file.
1293 ****************************************************************************/
1294
1295 static bool ensure_canon_entry_valid_on_get(connection_struct *conn,
1296                                         canon_ace **pp_ace,
1297                                         const struct dom_sid *pfile_owner_sid,
1298                                         const struct dom_sid *pfile_grp_sid,
1299                                         const SMB_STRUCT_STAT *pst)
1300 {
1301         canon_ace *pace;
1302         bool got_user = false;
1303         bool got_group = false;
1304         bool got_other = false;
1305
1306         for (pace = *pp_ace; pace; pace = pace->next) {
1307                 if (pace->type == SMB_ACL_USER_OBJ) {
1308                         got_user = true;
1309                 } else if (pace->type == SMB_ACL_GROUP_OBJ) {
1310                         got_group = true;
1311                 } else if (pace->type == SMB_ACL_OTHER) {
1312                         got_other = true;
1313                 }
1314         }
1315
1316         if (!got_user) {
1317                 if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
1318                         DEBUG(0,("malloc fail.\n"));
1319                         return false;
1320                 }
1321
1322                 ZERO_STRUCTP(pace);
1323                 pace->type = SMB_ACL_USER_OBJ;
1324                 pace->owner_type = UID_ACE;
1325                 pace->unix_ug.type = ID_TYPE_UID;
1326                 pace->unix_ug.id = pst->st_ex_uid;
1327                 pace->trustee = *pfile_owner_sid;
1328                 pace->attr = ALLOW_ACE;
1329                 pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRUSR, S_IWUSR, S_IXUSR);
1330                 DLIST_ADD(*pp_ace, pace);
1331         }
1332
1333         if (!got_group) {
1334                 if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
1335                         DEBUG(0,("malloc fail.\n"));
1336                         return false;
1337                 }
1338
1339                 ZERO_STRUCTP(pace);
1340                 pace->type = SMB_ACL_GROUP_OBJ;
1341                 pace->owner_type = GID_ACE;
1342                 pace->unix_ug.type = ID_TYPE_GID;
1343                 pace->unix_ug.id = pst->st_ex_gid;
1344                 pace->trustee = *pfile_grp_sid;
1345                 pace->attr = ALLOW_ACE;
1346                 pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRGRP, S_IWGRP, S_IXGRP);
1347                 DLIST_ADD(*pp_ace, pace);
1348         }
1349
1350         if (!got_other) {
1351                 if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
1352                         DEBUG(0,("malloc fail.\n"));
1353                         return false;
1354                 }
1355
1356                 ZERO_STRUCTP(pace);
1357                 pace->type = SMB_ACL_OTHER;
1358                 pace->owner_type = WORLD_ACE;
1359                 pace->unix_ug.type = ID_TYPE_NOT_SPECIFIED;
1360                 pace->unix_ug.id = -1;
1361                 pace->trustee = global_sid_World;
1362                 pace->attr = ALLOW_ACE;
1363                 pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IROTH, S_IWOTH, S_IXOTH);
1364                 DLIST_ADD(*pp_ace, pace);
1365         }
1366
1367         return true;
1368 }
1369
1370 /****************************************************************************
1371  A well formed POSIX file or default ACL has at least 3 entries, a
1372  SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ.
1373  In addition, the owner must always have at least read access.
1374  When using this call on set_acl, the pst struct has
1375  been modified to have a mode containing the default for this file or directory
1376  type.
1377 ****************************************************************************/
1378
1379 static bool ensure_canon_entry_valid_on_set(connection_struct *conn,
1380                                         canon_ace **pp_ace,
1381                                         bool is_default_acl,
1382                                         const struct share_params *params,
1383                                         const bool is_directory,
1384                                         const struct dom_sid *pfile_owner_sid,
1385                                         const struct dom_sid *pfile_grp_sid,
1386                                         const SMB_STRUCT_STAT *pst)
1387 {
1388         canon_ace *pace;
1389         canon_ace *pace_user = NULL;
1390         canon_ace *pace_group = NULL;
1391         canon_ace *pace_other = NULL;
1392         bool got_duplicate_user = false;
1393         bool got_duplicate_group = false;
1394
1395         for (pace = *pp_ace; pace; pace = pace->next) {
1396                 trim_ace_perms(pace);
1397                 if (pace->type == SMB_ACL_USER_OBJ) {
1398                         ensure_minimal_owner_ace_perms(is_directory, pace);
1399                         pace_user = pace;
1400                 } else if (pace->type == SMB_ACL_GROUP_OBJ) {
1401                         pace_group = pace;
1402                 } else if (pace->type == SMB_ACL_OTHER) {
1403                         pace_other = pace;
1404                 }
1405         }
1406
1407         if (!pace_user) {
1408                 canon_ace *pace_iter;
1409
1410                 if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
1411                         DEBUG(0,("talloc fail.\n"));
1412                         return false;
1413                 }
1414
1415                 ZERO_STRUCTP(pace);
1416                 pace->type = SMB_ACL_USER_OBJ;
1417                 pace->owner_type = UID_ACE;
1418                 pace->unix_ug.type = ID_TYPE_UID;
1419                 pace->unix_ug.id = pst->st_ex_uid;
1420                 pace->trustee = *pfile_owner_sid;
1421                 pace->attr = ALLOW_ACE;
1422                 /* Start with existing user permissions, principle of least
1423                    surprises for the user. */
1424                 pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRUSR, S_IWUSR, S_IXUSR);
1425
1426                 /* See if the owning user is in any of the other groups in
1427                    the ACE, or if there's a matching user entry (by uid
1428                    or in the case of ID_TYPE_BOTH by SID).
1429                    If so, OR in the permissions from that entry. */
1430
1431
1432                 for (pace_iter = *pp_ace; pace_iter; pace_iter = pace_iter->next) {
1433                         if (pace_iter->type == SMB_ACL_USER &&
1434                                         pace_iter->unix_ug.id == pace->unix_ug.id) {
1435                                 pace->perms |= pace_iter->perms;
1436                         } else if (pace_iter->type == SMB_ACL_GROUP_OBJ || pace_iter->type == SMB_ACL_GROUP) {
1437                                 if (dom_sid_equal(&pace->trustee, &pace_iter->trustee)) {
1438                                         pace->perms |= pace_iter->perms;
1439                                 } else if (uid_entry_in_group(conn, pace, pace_iter)) {
1440                                         pace->perms |= pace_iter->perms;
1441                                 }
1442                         }
1443                 }
1444
1445                 if (pace->perms == 0) {
1446                         /* If we only got an "everyone" perm, just use that. */
1447                         if (pace_other)
1448                                 pace->perms = pace_other->perms;
1449                 }
1450
1451                 /*
1452                  * Ensure we have default parameters for the
1453                  * user (owner) even on default ACLs.
1454                  */
1455                 ensure_minimal_owner_ace_perms(is_directory, pace);
1456
1457                 DLIST_ADD(*pp_ace, pace);
1458                 pace_user = pace;
1459         }
1460
1461         if (!pace_group) {
1462                 if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
1463                         DEBUG(0,("talloc fail.\n"));
1464                         return false;
1465                 }
1466
1467                 ZERO_STRUCTP(pace);
1468                 pace->type = SMB_ACL_GROUP_OBJ;
1469                 pace->owner_type = GID_ACE;
1470                 pace->unix_ug.type = ID_TYPE_GID;
1471                 pace->unix_ug.id = pst->st_ex_gid;
1472                 pace->trustee = *pfile_grp_sid;
1473                 pace->attr = ALLOW_ACE;
1474
1475                 /* If we only got an "everyone" perm, just use that. */
1476                 if (pace_other) {
1477                         pace->perms = pace_other->perms;
1478                 } else {
1479                         pace->perms = 0;
1480                 }
1481
1482                 DLIST_ADD(*pp_ace, pace);
1483                 pace_group = pace;
1484         }
1485
1486         if (!pace_other) {
1487                 if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
1488                         DEBUG(0,("talloc fail.\n"));
1489                         return false;
1490                 }
1491
1492                 ZERO_STRUCTP(pace);
1493                 pace->type = SMB_ACL_OTHER;
1494                 pace->owner_type = WORLD_ACE;
1495                 pace->unix_ug.type = ID_TYPE_NOT_SPECIFIED;
1496                 pace->unix_ug.id = -1;
1497                 pace->trustee = global_sid_World;
1498                 pace->attr = ALLOW_ACE;
1499                 pace->perms = 0;
1500
1501                 DLIST_ADD(*pp_ace, pace);
1502                 pace_other = pace;
1503         }
1504
1505         /* Ensure when setting a POSIX ACL, that the uid for a
1506            SMB_ACL_USER_OBJ ACE (the owner ACE entry) has a duplicate
1507            permission entry as an SMB_ACL_USER, and a gid for a
1508            SMB_ACL_GROUP_OBJ ACE (the primary group ACE entry) also has
1509            a duplicate permission entry as an SMB_ACL_GROUP. If not,
1510            then if the ownership or group ownership of this file or
1511            directory gets changed, the user or group can lose their
1512            access. */
1513
1514         for (pace = *pp_ace; pace; pace = pace->next) {
1515                 if (pace->type == SMB_ACL_USER &&
1516                                 pace->unix_ug.id == pace_user->unix_ug.id) {
1517                         /* Already got one. */
1518                         got_duplicate_user = true;
1519                 } else if (pace->type == SMB_ACL_GROUP &&
1520                                 pace->unix_ug.id == pace_group->unix_ug.id) {
1521                         /* Already got one. */
1522                         got_duplicate_group = true;
1523                 } else if ((pace->type == SMB_ACL_GROUP)
1524                            && (dom_sid_equal(&pace->trustee, &pace_user->trustee))) {
1525                         /* If the SID owning the file appears
1526                          * in a group entry, then we have
1527                          * enough duplication, they will still
1528                          * have access */
1529                         got_duplicate_user = true;
1530                 }
1531         }
1532
1533         /* If the SID is equal for the user and group that we need
1534            to add the duplicate for, add only the group */
1535         if (!got_duplicate_user && !got_duplicate_group
1536                         && dom_sid_equal(&pace_group->trustee,
1537                                         &pace_user->trustee)) {
1538                 /* Add a duplicate SMB_ACL_GROUP entry, this
1539                  * will cover the owning SID as well, as it
1540                  * will always be mapped to both a uid and
1541                  * gid. */
1542
1543                 if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
1544                         DEBUG(0,("talloc fail.\n"));
1545                         return false;
1546                 }
1547
1548                 ZERO_STRUCTP(pace);
1549                 pace->type = SMB_ACL_GROUP;;
1550                 pace->owner_type = GID_ACE;
1551                 pace->unix_ug.type = ID_TYPE_GID;
1552                 pace->unix_ug.id = pace_group->unix_ug.id;
1553                 pace->trustee = pace_group->trustee;
1554                 pace->attr = pace_group->attr;
1555                 pace->perms = pace_group->perms;
1556
1557                 DLIST_ADD(*pp_ace, pace);
1558
1559                 /* We're done here, make sure the
1560                    statements below are not executed. */
1561                 got_duplicate_user = true;
1562                 got_duplicate_group = true;
1563         }
1564
1565         if (!got_duplicate_user) {
1566                 /* Add a duplicate SMB_ACL_USER entry. */
1567                 if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
1568                         DEBUG(0,("talloc fail.\n"));
1569                         return false;
1570                 }
1571
1572                 ZERO_STRUCTP(pace);
1573                 pace->type = SMB_ACL_USER;;
1574                 pace->owner_type = UID_ACE;
1575                 pace->unix_ug.type = ID_TYPE_UID;
1576                 pace->unix_ug.id = pace_user->unix_ug.id;
1577                 pace->trustee = pace_user->trustee;
1578                 pace->attr = pace_user->attr;
1579                 pace->perms = pace_user->perms;
1580
1581                 DLIST_ADD(*pp_ace, pace);
1582
1583                 got_duplicate_user = true;
1584         }
1585
1586         if (!got_duplicate_group) {
1587                 /* Add a duplicate SMB_ACL_GROUP entry. */
1588                 if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
1589                         DEBUG(0,("talloc fail.\n"));
1590                         return false;
1591                 }
1592
1593                 ZERO_STRUCTP(pace);
1594                 pace->type = SMB_ACL_GROUP;;
1595                 pace->owner_type = GID_ACE;
1596                 pace->unix_ug.type = ID_TYPE_GID;
1597                 pace->unix_ug.id = pace_group->unix_ug.id;
1598                 pace->trustee = pace_group->trustee;
1599                 pace->attr = pace_group->attr;
1600                 pace->perms = pace_group->perms;
1601
1602                 DLIST_ADD(*pp_ace, pace);
1603
1604                 got_duplicate_group = true;
1605         }
1606
1607         return true;
1608 }
1609
1610 /****************************************************************************
1611  Check if a POSIX ACL has the required SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries.
1612  If it does not have them, check if there are any entries where the trustee is the
1613  file owner or the owning group, and map these to SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ.
1614  Note we must not do this to default directory ACLs.
1615 ****************************************************************************/
1616
1617 static void check_owning_objs(canon_ace *ace, struct dom_sid *pfile_owner_sid, struct dom_sid *pfile_grp_sid)
1618 {
1619         bool got_user_obj, got_group_obj;
1620         canon_ace *current_ace;
1621         int i, entries;
1622
1623         entries = count_canon_ace_list(ace);
1624         got_user_obj = False;
1625         got_group_obj = False;
1626
1627         for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1628                 if (current_ace->type == SMB_ACL_USER_OBJ)
1629                         got_user_obj = True;
1630                 else if (current_ace->type == SMB_ACL_GROUP_OBJ)
1631                         got_group_obj = True;
1632         }
1633         if (got_user_obj && got_group_obj) {
1634                 DEBUG(10,("check_owning_objs: ACL had owning user/group entries.\n"));
1635                 return;
1636         }
1637
1638         for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1639                 if (!got_user_obj && current_ace->owner_type == UID_ACE &&
1640                                 dom_sid_equal(&current_ace->trustee, pfile_owner_sid)) {
1641                         current_ace->type = SMB_ACL_USER_OBJ;
1642                         got_user_obj = True;
1643                 }
1644                 if (!got_group_obj && current_ace->owner_type == GID_ACE &&
1645                                 dom_sid_equal(&current_ace->trustee, pfile_grp_sid)) {
1646                         current_ace->type = SMB_ACL_GROUP_OBJ;
1647                         got_group_obj = True;
1648                 }
1649         }
1650         if (!got_user_obj)
1651                 DEBUG(10,("check_owning_objs: ACL is missing an owner entry.\n"));
1652         if (!got_group_obj)
1653                 DEBUG(10,("check_owning_objs: ACL is missing an owning group entry.\n"));
1654 }
1655
1656 static bool add_current_ace_to_acl(files_struct *fsp, struct security_ace *psa,
1657                                    canon_ace **file_ace, canon_ace **dir_ace,
1658                                    bool *got_file_allow, bool *got_dir_allow,
1659                                    bool *all_aces_are_inherit_only,
1660                                    canon_ace *current_ace)
1661 {
1662
1663         /*
1664          * Map the given NT permissions into a UNIX mode_t containing only
1665          * S_I(R|W|X)USR bits.
1666          */
1667
1668         current_ace->perms |= map_nt_perms( &psa->access_mask, S_IRUSR);
1669         current_ace->attr = (psa->type == SEC_ACE_TYPE_ACCESS_ALLOWED) ? ALLOW_ACE : DENY_ACE;
1670
1671         /* Store the ace_flag. */
1672         current_ace->ace_flags = psa->flags;
1673
1674         /*
1675          * Now add the created ace to either the file list, the directory
1676          * list, or both. We *MUST* preserve the order here (hence we use
1677          * DLIST_ADD_END) as NT ACLs are order dependent.
1678          */
1679
1680         if (fsp->is_directory) {
1681
1682                 /*
1683                  * We can only add to the default POSIX ACE list if the ACE is
1684                  * designed to be inherited by both files and directories.
1685                  */
1686
1687                 if ((psa->flags & (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) ==
1688                     (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) {
1689
1690                         canon_ace *current_dir_ace = current_ace;
1691                         DLIST_ADD_END(*dir_ace, current_ace);
1692
1693                         /*
1694                          * Note if this was an allow ace. We can't process
1695                          * any further deny ace's after this.
1696                          */
1697
1698                         if (current_ace->attr == ALLOW_ACE)
1699                                 *got_dir_allow = True;
1700
1701                         if ((current_ace->attr == DENY_ACE) && *got_dir_allow) {
1702                                 DEBUG(0,("add_current_ace_to_acl: "
1703                                          "malformed ACL in "
1704                                          "inheritable ACL! Deny entry "
1705                                          "after Allow entry. Failing "
1706                                          "to set on file %s.\n",
1707                                          fsp_str_dbg(fsp)));
1708                                 return False;
1709                         }
1710
1711                         if( DEBUGLVL( 10 )) {
1712                                 dbgtext("add_current_ace_to_acl: adding dir ACL:\n");
1713                                 print_canon_ace( current_ace, 0);
1714                         }
1715
1716                         /*
1717                          * If this is not an inherit only ACE we need to add a duplicate
1718                          * to the file acl.
1719                          */
1720
1721                         if (!(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1722                                 canon_ace *dup_ace = dup_canon_ace(current_ace);
1723
1724                                 if (!dup_ace) {
1725                                         DEBUG(0,("add_current_ace_to_acl: malloc fail !\n"));
1726                                         return False;
1727                                 }
1728
1729                                 /*
1730                                  * We must not free current_ace here as its
1731                                  * pointer is now owned by the dir_ace list.
1732                                  */
1733                                 current_ace = dup_ace;
1734                                 /* We've essentially split this ace into two,
1735                                  * and added the ace with inheritance request
1736                                  * bits to the directory ACL. Drop those bits for
1737                                  * the ACE we're adding to the file list. */
1738                                 current_ace->ace_flags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT|
1739                                                             SEC_ACE_FLAG_CONTAINER_INHERIT|
1740                                                             SEC_ACE_FLAG_INHERIT_ONLY);
1741                         } else {
1742                                 /*
1743                                  * We must not free current_ace here as its
1744                                  * pointer is now owned by the dir_ace list.
1745                                  */
1746                                 current_ace = NULL;
1747                         }
1748
1749                         /*
1750                          * current_ace is now either owned by file_ace
1751                          * or is NULL. We can safely operate on current_dir_ace
1752                          * to treat mapping for default acl entries differently
1753                          * than access acl entries.
1754                          */
1755
1756                         if (current_dir_ace->owner_type == UID_ACE) {
1757                                 /*
1758                                  * We already decided above this is a uid,
1759                                  * for default acls ace's only CREATOR_OWNER
1760                                  * maps to ACL_USER_OBJ. All other uid
1761                                  * ace's are ACL_USER.
1762                                  */
1763                                 if (dom_sid_equal(&current_dir_ace->trustee,
1764                                                   &global_sid_Creator_Owner)) {
1765                                         current_dir_ace->type = SMB_ACL_USER_OBJ;
1766                                 } else {
1767                                         current_dir_ace->type = SMB_ACL_USER;
1768                                 }
1769                         }
1770
1771                         if (current_dir_ace->owner_type == GID_ACE) {
1772                                 /*
1773                                  * We already decided above this is a gid,
1774                                  * for default acls ace's only CREATOR_GROUP
1775                                  * maps to ACL_GROUP_OBJ. All other uid
1776                                  * ace's are ACL_GROUP.
1777                                  */
1778                                 if (dom_sid_equal(&current_dir_ace->trustee,
1779                                                   &global_sid_Creator_Group)) {
1780                                         current_dir_ace->type = SMB_ACL_GROUP_OBJ;
1781                                 } else {
1782                                         current_dir_ace->type = SMB_ACL_GROUP;
1783                                 }
1784                         }
1785                 }
1786         }
1787
1788         /*
1789          * Only add to the file ACL if not inherit only.
1790          */
1791
1792         if (current_ace && !(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1793                 DLIST_ADD_END(*file_ace, current_ace);
1794
1795                 /*
1796                  * Note if this was an allow ace. We can't process
1797                  * any further deny ace's after this.
1798                  */
1799
1800                 if (current_ace->attr == ALLOW_ACE)
1801                         *got_file_allow = True;
1802
1803                 if ((current_ace->attr == DENY_ACE) && *got_file_allow) {
1804                         DEBUG(0,("add_current_ace_to_acl: malformed "
1805                                  "ACL in file ACL ! Deny entry after "
1806                                  "Allow entry. Failing to set on file "
1807                                  "%s.\n", fsp_str_dbg(fsp)));
1808                         return False;
1809                 }
1810
1811                 if( DEBUGLVL( 10 )) {
1812                         dbgtext("add_current_ace_to_acl: adding file ACL:\n");
1813                         print_canon_ace( current_ace, 0);
1814                 }
1815                 *all_aces_are_inherit_only = False;
1816                 /*
1817                  * We must not free current_ace here as its
1818                  * pointer is now owned by the file_ace list.
1819                  */
1820                 current_ace = NULL;
1821         }
1822
1823         /*
1824          * Free if ACE was not added.
1825          */
1826
1827         TALLOC_FREE(current_ace);
1828         return true;
1829 }
1830
1831 /****************************************************************************
1832  Unpack a struct security_descriptor into two canonical ace lists.
1833 ****************************************************************************/
1834
1835 static bool create_canon_ace_lists(files_struct *fsp,
1836                                         const SMB_STRUCT_STAT *pst,
1837                                         struct dom_sid *pfile_owner_sid,
1838                                         struct dom_sid *pfile_grp_sid,
1839                                         canon_ace **ppfile_ace,
1840                                         canon_ace **ppdir_ace,
1841                                         const struct security_acl *dacl)
1842 {
1843         bool all_aces_are_inherit_only = (fsp->is_directory ? True : False);
1844         canon_ace *file_ace = NULL;
1845         canon_ace *dir_ace = NULL;
1846         canon_ace *current_ace = NULL;
1847         bool got_dir_allow = False;
1848         bool got_file_allow = False;
1849         int i, j;
1850
1851         *ppfile_ace = NULL;
1852         *ppdir_ace = NULL;
1853
1854         /*
1855          * Convert the incoming ACL into a more regular form.
1856          */
1857
1858         for(i = 0; i < dacl->num_aces; i++) {
1859                 struct security_ace *psa = &dacl->aces[i];
1860
1861                 if((psa->type != SEC_ACE_TYPE_ACCESS_ALLOWED) && (psa->type != SEC_ACE_TYPE_ACCESS_DENIED)) {
1862                         DEBUG(3,("create_canon_ace_lists: unable to set anything but an ALLOW or DENY ACE.\n"));
1863                         return False;
1864                 }
1865         }
1866
1867         /*
1868          * Deal with the fact that NT 4.x re-writes the canonical format
1869          * that we return for default ACLs. If a directory ACE is identical
1870          * to a inherited directory ACE then NT changes the bits so that the
1871          * first ACE is set to OI|IO and the second ACE for this SID is set
1872          * to CI. We need to repair this. JRA.
1873          */
1874
1875         for(i = 0; i < dacl->num_aces; i++) {
1876                 struct security_ace *psa1 = &dacl->aces[i];
1877
1878                 for (j = i + 1; j < dacl->num_aces; j++) {
1879                         struct security_ace *psa2 = &dacl->aces[j];
1880
1881                         if (psa1->access_mask != psa2->access_mask)
1882                                 continue;
1883
1884                         if (!dom_sid_equal(&psa1->trustee, &psa2->trustee))
1885                                 continue;
1886
1887                         /*
1888                          * Ok - permission bits and SIDs are equal.
1889                          * Check if flags were re-written.
1890                          */
1891
1892                         if (psa1->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1893
1894                                 psa1->flags |= (psa2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1895                                 psa2->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1896
1897                         } else if (psa2->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1898
1899                                 psa2->flags |= (psa1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1900                                 psa1->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1901
1902                         }
1903                 }
1904         }
1905
1906         for(i = 0; i < dacl->num_aces; i++) {
1907                 struct security_ace *psa = &dacl->aces[i];
1908
1909                 /*
1910                  * Create a canon_ace entry representing this NT DACL ACE.
1911                  */
1912
1913                 if ((current_ace = talloc(talloc_tos(), canon_ace)) == NULL) {
1914                         free_canon_ace_list(file_ace);
1915                         free_canon_ace_list(dir_ace);
1916                         DEBUG(0,("create_canon_ace_lists: malloc fail.\n"));
1917                         return False;
1918                 }
1919
1920                 ZERO_STRUCTP(current_ace);
1921
1922                 sid_copy(&current_ace->trustee, &psa->trustee);
1923
1924                 /*
1925                  * Try and work out if the SID is a user or group
1926                  * as we need to flag these differently for POSIX.
1927                  * Note what kind of a POSIX ACL this should map to.
1928                  */
1929
1930                 if( dom_sid_equal(&current_ace->trustee, &global_sid_World)) {
1931                         current_ace->owner_type = WORLD_ACE;
1932                         current_ace->unix_ug.type = ID_TYPE_NOT_SPECIFIED;
1933                         current_ace->unix_ug.id = -1;
1934                         current_ace->type = SMB_ACL_OTHER;
1935                 } else if (dom_sid_equal(&current_ace->trustee, &global_sid_Creator_Owner)) {
1936                         current_ace->owner_type = UID_ACE;
1937                         current_ace->unix_ug.type = ID_TYPE_UID;
1938                         current_ace->unix_ug.id = pst->st_ex_uid;
1939                         current_ace->type = SMB_ACL_USER_OBJ;
1940
1941                         /*
1942                          * The Creator Owner entry only specifies inheritable permissions,
1943                          * never access permissions. WinNT doesn't always set the ACE to
1944                          * INHERIT_ONLY, though.
1945                          */
1946
1947                         psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1948
1949                 } else if (dom_sid_equal(&current_ace->trustee, &global_sid_Creator_Group)) {
1950                         current_ace->owner_type = GID_ACE;
1951                         current_ace->unix_ug.type = ID_TYPE_GID;
1952                         current_ace->unix_ug.id = pst->st_ex_gid;
1953                         current_ace->type = SMB_ACL_GROUP_OBJ;
1954
1955                         /*
1956                          * The Creator Group entry only specifies inheritable permissions,
1957                          * never access permissions. WinNT doesn't always set the ACE to
1958                          * INHERIT_ONLY, though.
1959                          */
1960                         psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1961
1962                 } else {
1963                         struct unixid unixid;
1964
1965                         if (!sids_to_unixids(&current_ace->trustee, 1, &unixid)) {
1966                                 free_canon_ace_list(file_ace);
1967                                 free_canon_ace_list(dir_ace);
1968                                 TALLOC_FREE(current_ace);
1969                                 DEBUG(0, ("create_canon_ace_lists: sids_to_unixids "
1970                                         "failed for %s (allocation failure)\n",
1971                                         sid_string_dbg(&current_ace->trustee)));
1972                                 return false;
1973                         }
1974
1975                         if (unixid.type == ID_TYPE_BOTH) {
1976                                 /*
1977                                  * We must add both a user and group
1978                                  * entry POSIX_ACL.
1979                                  * This is due to the fact that in POSIX
1980                                  * user entries are more specific than
1981                                  * groups.
1982                                  */
1983                                 current_ace->owner_type = UID_ACE;
1984                                 current_ace->unix_ug.type = ID_TYPE_UID;
1985                                 current_ace->unix_ug.id = unixid.id;
1986                                 current_ace->type =
1987                                         (unixid.id == pst->st_ex_uid) ?
1988                                                 SMB_ACL_USER_OBJ :
1989                                                 SMB_ACL_USER;
1990
1991                                 /* Add the user object to the posix ACL,
1992                                    and proceed to the group mapping
1993                                    below. This handles the talloc_free
1994                                    of current_ace if not added for some
1995                                    reason */
1996                                 if (!add_current_ace_to_acl(fsp,
1997                                                 psa,
1998                                                 &file_ace,
1999                                                 &dir_ace,
2000                                                 &got_file_allow,
2001                                                 &got_dir_allow,
2002                                                 &all_aces_are_inherit_only,
2003                                                 current_ace)) {
2004                                         free_canon_ace_list(file_ace);
2005                                         free_canon_ace_list(dir_ace);
2006                                         return false;
2007                                 }
2008
2009                                 if ((current_ace = talloc(talloc_tos(),
2010                                                 canon_ace)) == NULL) {
2011                                         free_canon_ace_list(file_ace);
2012                                         free_canon_ace_list(dir_ace);
2013                                         DEBUG(0,("create_canon_ace_lists: "
2014                                                 "malloc fail.\n"));
2015                                         return False;
2016                                 }
2017
2018                                 ZERO_STRUCTP(current_ace);
2019
2020                                 sid_copy(&current_ace->trustee, &psa->trustee);
2021
2022                                 current_ace->unix_ug.type = ID_TYPE_GID;
2023                                 current_ace->unix_ug.id = unixid.id;
2024                                 current_ace->owner_type = GID_ACE;
2025                                 /* If it's the primary group, this is a
2026                                    group_obj, not a group. */
2027                                 if (current_ace->unix_ug.id == pst->st_ex_gid) {
2028                                         current_ace->type = SMB_ACL_GROUP_OBJ;
2029                                 } else {
2030                                         current_ace->type = SMB_ACL_GROUP;
2031                                 }
2032
2033                         } else if (unixid.type == ID_TYPE_UID) {
2034                                 current_ace->owner_type = UID_ACE;
2035                                 current_ace->unix_ug.type = ID_TYPE_UID;
2036                                 current_ace->unix_ug.id = unixid.id;
2037                                 /* If it's the owning user, this is a user_obj,
2038                                    not a user. */
2039                                 if (current_ace->unix_ug.id == pst->st_ex_uid) {
2040                                         current_ace->type = SMB_ACL_USER_OBJ;
2041                                 } else {
2042                                         current_ace->type = SMB_ACL_USER;
2043                                 }
2044                         } else if (unixid.type == ID_TYPE_GID) {
2045                                 current_ace->unix_ug.type = ID_TYPE_GID;
2046                                 current_ace->unix_ug.id = unixid.id;
2047                                 current_ace->owner_type = GID_ACE;
2048                                 /* If it's the primary group, this is a
2049                                    group_obj, not a group. */
2050                                 if (current_ace->unix_ug.id == pst->st_ex_gid) {
2051                                         current_ace->type = SMB_ACL_GROUP_OBJ;
2052                                 } else {
2053                                         current_ace->type = SMB_ACL_GROUP;
2054                                 }
2055                         } else {
2056                                 /*
2057                                  * Silently ignore map failures in non-mappable SIDs (NT Authority, BUILTIN etc).
2058                                  */
2059
2060                                 if (non_mappable_sid(&psa->trustee)) {
2061                                         DEBUG(10, ("create_canon_ace_lists: ignoring "
2062                                                    "non-mappable SID %s\n",
2063                                                    sid_string_dbg(&psa->trustee)));
2064                                         TALLOC_FREE(current_ace);
2065                                         continue;
2066                                 }
2067
2068                                 if (lp_force_unknown_acl_user(SNUM(fsp->conn))) {
2069                                         DEBUG(10, ("create_canon_ace_lists: ignoring "
2070                                                 "unknown or foreign SID %s\n",
2071                                                 sid_string_dbg(&psa->trustee)));
2072                                         TALLOC_FREE(current_ace);
2073                                         continue;
2074                                 }
2075
2076                                 free_canon_ace_list(file_ace);
2077                                 free_canon_ace_list(dir_ace);
2078                                 DEBUG(0, ("create_canon_ace_lists: unable to map SID "
2079                                           "%s to uid or gid.\n",
2080                                           sid_string_dbg(&current_ace->trustee)));
2081                                 TALLOC_FREE(current_ace);
2082                                 return false;
2083                         }
2084                 }
2085
2086                 /* handles the talloc_free of current_ace if not added for some reason */
2087                 if (!add_current_ace_to_acl(fsp, psa, &file_ace, &dir_ace,
2088                                             &got_file_allow, &got_dir_allow,
2089                                             &all_aces_are_inherit_only, current_ace)) {
2090                         free_canon_ace_list(file_ace);
2091                         free_canon_ace_list(dir_ace);
2092                         return false;
2093                 }
2094         }
2095
2096         if (fsp->is_directory && all_aces_are_inherit_only) {
2097                 /*
2098                  * Windows 2000 is doing one of these weird 'inherit acl'
2099                  * traverses to conserve NTFS ACL resources. Just pretend
2100                  * there was no DACL sent. JRA.
2101                  */
2102
2103                 DEBUG(10,("create_canon_ace_lists: Win2k inherit acl traverse. Ignoring DACL.\n"));
2104                 free_canon_ace_list(file_ace);
2105                 free_canon_ace_list(dir_ace);
2106                 file_ace = NULL;
2107                 dir_ace = NULL;
2108         } else {
2109                 /*
2110                  * Check if we have SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries in
2111                  * the file ACL. If we don't have them, check if any SMB_ACL_USER/SMB_ACL_GROUP
2112                  * entries can be converted to *_OBJ. Don't do this for the default
2113                  * ACL, we will create them separately for this if needed inside
2114                  * ensure_canon_entry_valid_on_set().
2115                  */
2116                 if (file_ace) {
2117                         check_owning_objs(file_ace, pfile_owner_sid, pfile_grp_sid);
2118                 }
2119         }
2120
2121         *ppfile_ace = file_ace;
2122         *ppdir_ace = dir_ace;
2123
2124         return True;
2125 }
2126
2127 /****************************************************************************
2128  ASCII art time again... JRA :-).
2129
2130  We have 4 cases to process when moving from an NT ACL to a POSIX ACL. Firstly,
2131  we insist the ACL is in canonical form (ie. all DENY entries preceede ALLOW
2132  entries). Secondly, the merge code has ensured that all duplicate SID entries for
2133  allow or deny have been merged, so the same SID can only appear once in the deny
2134  list or once in the allow list.
2135
2136  We then process as follows :
2137
2138  ---------------------------------------------------------------------------
2139  First pass - look for a Everyone DENY entry.
2140
2141  If it is deny all (rwx) trunate the list at this point.
2142  Else, walk the list from this point and use the deny permissions of this
2143  entry as a mask on all following allow entries. Finally, delete
2144  the Everyone DENY entry (we have applied it to everything possible).
2145
2146  In addition, in this pass we remove any DENY entries that have 
2147  no permissions (ie. they are a DENY nothing).
2148  ---------------------------------------------------------------------------
2149  Second pass - only deal with deny user entries.
2150
2151  DENY user1 (perms XXX)
2152
2153  new_perms = 0
2154  for all following allow group entries where user1 is in group
2155         new_perms |= group_perms;
2156
2157  user1 entry perms = new_perms & ~ XXX;
2158
2159  Convert the deny entry to an allow entry with the new perms and
2160  push to the end of the list. Note if the user was in no groups
2161  this maps to a specific allow nothing entry for this user.
2162
2163  The common case from the NT ACL choser (userX deny all) is
2164  optimised so we don't do the group lookup - we just map to
2165  an allow nothing entry.
2166
2167  What we're doing here is inferring the allow permissions the
2168  person setting the ACE on user1 wanted by looking at the allow
2169  permissions on the groups the user is currently in. This will
2170  be a snapshot, depending on group membership but is the best
2171  we can do and has the advantage of failing closed rather than
2172  open.
2173  ---------------------------------------------------------------------------
2174  Third pass - only deal with deny group entries.
2175
2176  DENY group1 (perms XXX)
2177
2178  for all following allow user entries where user is in group1
2179    user entry perms = user entry perms & ~ XXX;
2180
2181  If there is a group Everyone allow entry with permissions YYY,
2182  convert the group1 entry to an allow entry and modify its
2183  permissions to be :
2184
2185  new_perms = YYY & ~ XXX
2186
2187  and push to the end of the list.
2188
2189  If there is no group Everyone allow entry then convert the
2190  group1 entry to a allow nothing entry and push to the end of the list.
2191
2192  Note that the common case from the NT ACL choser (groupX deny all)
2193  cannot be optimised here as we need to modify user entries who are
2194  in the group to change them to a deny all also.
2195
2196  What we're doing here is modifying the allow permissions of
2197  user entries (which are more specific in POSIX ACLs) to mask
2198  out the explicit deny set on the group they are in. This will
2199  be a snapshot depending on current group membership but is the
2200  best we can do and has the advantage of failing closed rather
2201  than open.
2202  ---------------------------------------------------------------------------
2203  Fourth pass - cope with cumulative permissions.
2204
2205  for all allow user entries, if there exists an allow group entry with
2206  more permissive permissions, and the user is in that group, rewrite the
2207  allow user permissions to contain both sets of permissions.
2208
2209  Currently the code for this is #ifdef'ed out as these semantics make
2210  no sense to me. JRA.
2211  ---------------------------------------------------------------------------
2212
2213  Note we *MUST* do the deny user pass first as this will convert deny user
2214  entries into allow user entries which can then be processed by the deny
2215  group pass.
2216
2217  The above algorithm took a *lot* of thinking about - hence this
2218  explaination :-). JRA.
2219 ****************************************************************************/
2220
2221 /****************************************************************************
2222  Process a canon_ace list entries. This is very complex code. We need
2223  to go through and remove the "deny" permissions from any allow entry that matches
2224  the id of this entry. We have already refused any NT ACL that wasn't in correct
2225  order (DENY followed by ALLOW). If any allow entry ends up with zero permissions,
2226  we just remove it (to fail safe). We have already removed any duplicate ace
2227  entries. Treat an "Everyone" DENY_ACE as a special case - use it to mask all
2228  allow entries.
2229 ****************************************************************************/
2230
2231 static void process_deny_list(connection_struct *conn, canon_ace **pp_ace_list )
2232 {
2233         canon_ace *ace_list = *pp_ace_list;
2234         canon_ace *curr_ace = NULL;
2235         canon_ace *curr_ace_next = NULL;
2236
2237         /* Pass 1 above - look for an Everyone, deny entry. */
2238
2239         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2240                 canon_ace *allow_ace_p;
2241
2242                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2243
2244                 if (curr_ace->attr != DENY_ACE)
2245                         continue;
2246
2247                 if (curr_ace->perms == (mode_t)0) {
2248
2249                         /* Deny nothing entry - delete. */
2250
2251                         DLIST_REMOVE(ace_list, curr_ace);
2252                         continue;
2253                 }
2254
2255                 if (!dom_sid_equal(&curr_ace->trustee, &global_sid_World))
2256                         continue;
2257
2258                 /* JRATEST - assert. */
2259                 SMB_ASSERT(curr_ace->owner_type == WORLD_ACE);
2260
2261                 if (curr_ace->perms == ALL_ACE_PERMS) {
2262
2263                         /*
2264                          * Optimisation. This is a DENY_ALL to Everyone. Truncate the
2265                          * list at this point including this entry.
2266                          */
2267
2268                         canon_ace *prev_entry = DLIST_PREV(curr_ace);
2269
2270                         free_canon_ace_list( curr_ace );
2271                         if (prev_entry)
2272                                 DLIST_REMOVE(ace_list, prev_entry);
2273                         else {
2274                                 /* We deleted the entire list. */
2275                                 ace_list = NULL;
2276                         }
2277                         break;
2278                 }
2279
2280                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2281
2282                         /* 
2283                          * Only mask off allow entries.
2284                          */
2285
2286                         if (allow_ace_p->attr != ALLOW_ACE)
2287                                 continue;
2288
2289                         allow_ace_p->perms &= ~curr_ace->perms;
2290                 }
2291
2292                 /*
2293                  * Now it's been applied, remove it.
2294                  */
2295
2296                 DLIST_REMOVE(ace_list, curr_ace);
2297         }
2298
2299         /* Pass 2 above - deal with deny user entries. */
2300
2301         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2302                 mode_t new_perms = (mode_t)0;
2303                 canon_ace *allow_ace_p;
2304
2305                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2306
2307                 if (curr_ace->attr != DENY_ACE)
2308                         continue;
2309
2310                 if (curr_ace->owner_type != UID_ACE)
2311                         continue;
2312
2313                 if (curr_ace->perms == ALL_ACE_PERMS) {
2314
2315                         /*
2316                          * Optimisation - this is a deny everything to this user.
2317                          * Convert to an allow nothing and push to the end of the list.
2318                          */
2319
2320                         curr_ace->attr = ALLOW_ACE;
2321                         curr_ace->perms = (mode_t)0;
2322                         DLIST_DEMOTE(ace_list, curr_ace);
2323                         continue;
2324                 }
2325
2326                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2327
2328                         if (allow_ace_p->attr != ALLOW_ACE)
2329                                 continue;
2330
2331                         /* We process GID_ACE and WORLD_ACE entries only. */
2332
2333                         if (allow_ace_p->owner_type == UID_ACE)
2334                                 continue;
2335
2336                         if (uid_entry_in_group(conn, curr_ace, allow_ace_p))
2337                                 new_perms |= allow_ace_p->perms;
2338                 }
2339
2340                 /*
2341                  * Convert to a allow entry, modify the perms and push to the end
2342                  * of the list.
2343                  */
2344
2345                 curr_ace->attr = ALLOW_ACE;
2346                 curr_ace->perms = (new_perms & ~curr_ace->perms);
2347                 DLIST_DEMOTE(ace_list, curr_ace);
2348         }
2349
2350         /* Pass 3 above - deal with deny group entries. */
2351
2352         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2353                 canon_ace *allow_ace_p;
2354                 canon_ace *allow_everyone_p = NULL;
2355
2356                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2357
2358                 if (curr_ace->attr != DENY_ACE)
2359                         continue;
2360
2361                 if (curr_ace->owner_type != GID_ACE)
2362                         continue;
2363
2364                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2365
2366                         if (allow_ace_p->attr != ALLOW_ACE)
2367                                 continue;
2368
2369                         /* Store a pointer to the Everyone allow, if it exists. */
2370                         if (allow_ace_p->owner_type == WORLD_ACE)
2371                                 allow_everyone_p = allow_ace_p;
2372
2373                         /* We process UID_ACE entries only. */
2374
2375                         if (allow_ace_p->owner_type != UID_ACE)
2376                                 continue;
2377
2378                         /* Mask off the deny group perms. */
2379
2380                         if (uid_entry_in_group(conn, allow_ace_p, curr_ace))
2381                                 allow_ace_p->perms &= ~curr_ace->perms;
2382                 }
2383
2384                 /*
2385                  * Convert the deny to an allow with the correct perms and
2386                  * push to the end of the list.
2387                  */
2388
2389                 curr_ace->attr = ALLOW_ACE;
2390                 if (allow_everyone_p)
2391                         curr_ace->perms = allow_everyone_p->perms & ~curr_ace->perms;
2392                 else
2393                         curr_ace->perms = (mode_t)0;
2394                 DLIST_DEMOTE(ace_list, curr_ace);
2395         }
2396
2397         /* Doing this fourth pass allows Windows semantics to be layered
2398          * on top of POSIX semantics. I'm not sure if this is desirable.
2399          * For example, in W2K ACLs there is no way to say, "Group X no
2400          * access, user Y full access" if user Y is a member of group X.
2401          * This seems completely broken semantics to me.... JRA.
2402          */
2403
2404 #if 0
2405         /* Pass 4 above - deal with allow entries. */
2406
2407         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2408                 canon_ace *allow_ace_p;
2409
2410                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2411
2412                 if (curr_ace->attr != ALLOW_ACE)
2413                         continue;
2414
2415                 if (curr_ace->owner_type != UID_ACE)
2416                         continue;
2417
2418                 for (allow_ace_p = ace_list; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2419
2420                         if (allow_ace_p->attr != ALLOW_ACE)
2421                                 continue;
2422
2423                         /* We process GID_ACE entries only. */
2424
2425                         if (allow_ace_p->owner_type != GID_ACE)
2426                                 continue;
2427
2428                         /* OR in the group perms. */
2429
2430                         if (uid_entry_in_group(conn, curr_ace, allow_ace_p))
2431                                 curr_ace->perms |= allow_ace_p->perms;
2432                 }
2433         }
2434 #endif
2435
2436         *pp_ace_list = ace_list;
2437 }
2438
2439 /****************************************************************************
2440  Unpack a struct security_descriptor into two canonical ace lists. We don't depend on this
2441  succeeding.
2442 ****************************************************************************/
2443
2444 static bool unpack_canon_ace(files_struct *fsp,
2445                                 const SMB_STRUCT_STAT *pst,
2446                                 struct dom_sid *pfile_owner_sid,
2447                                 struct dom_sid *pfile_grp_sid,
2448                                 canon_ace **ppfile_ace,
2449                                 canon_ace **ppdir_ace,
2450                                 uint32_t security_info_sent,
2451                                 const struct security_descriptor *psd)
2452 {
2453         canon_ace *file_ace = NULL;
2454         canon_ace *dir_ace = NULL;
2455
2456         *ppfile_ace = NULL;
2457         *ppdir_ace = NULL;
2458
2459         if(security_info_sent == 0) {
2460                 DEBUG(0,("unpack_canon_ace: no security info sent !\n"));
2461                 return False;
2462         }
2463
2464         /*
2465          * If no DACL then this is a chown only security descriptor.
2466          */
2467
2468         if(!(security_info_sent & SECINFO_DACL) || !psd->dacl)
2469                 return True;
2470
2471         /*
2472          * Now go through the DACL and create the canon_ace lists.
2473          */
2474
2475         if (!create_canon_ace_lists( fsp, pst, pfile_owner_sid, pfile_grp_sid,
2476                                                                 &file_ace, &dir_ace, psd->dacl))
2477                 return False;
2478
2479         if ((file_ace == NULL) && (dir_ace == NULL)) {
2480                 /* W2K traverse DACL set - ignore. */
2481                 return True;
2482         }
2483
2484         /*
2485          * Go through the canon_ace list and merge entries
2486          * belonging to identical users of identical allow or deny type.
2487          * We can do this as all deny entries come first, followed by
2488          * all allow entries (we have mandated this before accepting this acl).
2489          */
2490
2491         print_canon_ace_list( "file ace - before merge", file_ace);
2492         merge_aces( &file_ace, false);
2493
2494         print_canon_ace_list( "dir ace - before merge", dir_ace);
2495         merge_aces( &dir_ace, true);
2496
2497         /*
2498          * NT ACLs are order dependent. Go through the acl lists and
2499          * process DENY entries by masking the allow entries.
2500          */
2501
2502         print_canon_ace_list( "file ace - before deny", file_ace);
2503         process_deny_list(fsp->conn, &file_ace);
2504
2505         print_canon_ace_list( "dir ace - before deny", dir_ace);
2506         process_deny_list(fsp->conn, &dir_ace);
2507
2508         /*
2509          * A well formed POSIX file or default ACL has at least 3 entries, a 
2510          * SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ
2511          * and optionally a mask entry. Ensure this is the case.
2512          */
2513
2514         print_canon_ace_list( "file ace - before valid", file_ace);
2515
2516         if (!ensure_canon_entry_valid_on_set(fsp->conn, &file_ace, false, fsp->conn->params,
2517                         fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst)) {
2518                 free_canon_ace_list(file_ace);
2519                 free_canon_ace_list(dir_ace);
2520                 return False;
2521         }
2522
2523         print_canon_ace_list( "dir ace - before valid", dir_ace);
2524
2525         if (dir_ace && !ensure_canon_entry_valid_on_set(fsp->conn, &dir_ace, true, fsp->conn->params,
2526                         fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst)) {
2527                 free_canon_ace_list(file_ace);
2528                 free_canon_ace_list(dir_ace);
2529                 return False;
2530         }
2531
2532         print_canon_ace_list( "file ace - return", file_ace);
2533         print_canon_ace_list( "dir ace - return", dir_ace);
2534
2535         *ppfile_ace = file_ace;
2536         *ppdir_ace = dir_ace;
2537         return True;
2538
2539 }
2540
2541 /******************************************************************************
2542  When returning permissions, try and fit NT display
2543  semantics if possible. Note the the canon_entries here must have been malloced.
2544  The list format should be - first entry = owner, followed by group and other user
2545  entries, last entry = other.
2546
2547  Note that this doesn't exactly match the NT semantics for an ACL. As POSIX entries
2548  are not ordered, and match on the most specific entry rather than walking a list,
2549  then a simple POSIX permission of rw-r--r-- should really map to 5 entries,
2550
2551  Entry 0: owner : deny all except read and write.
2552  Entry 1: owner : allow read and write.
2553  Entry 2: group : deny all except read.
2554  Entry 3: group : allow read.
2555  Entry 4: Everyone : allow read.
2556
2557  But NT cannot display this in their ACL editor !
2558 ********************************************************************************/
2559
2560 static void arrange_posix_perms(const char *filename, canon_ace **pp_list_head)
2561 {
2562         canon_ace *l_head = *pp_list_head;
2563         canon_ace *owner_ace = NULL;
2564         canon_ace *other_ace = NULL;
2565         canon_ace *ace = NULL;
2566
2567         for (ace = l_head; ace; ace = ace->next) {
2568                 if (ace->type == SMB_ACL_USER_OBJ)
2569                         owner_ace = ace;
2570                 else if (ace->type == SMB_ACL_OTHER) {
2571                         /* Last ace - this is "other" */
2572                         other_ace = ace;
2573                 }
2574         }
2575
2576         if (!owner_ace || !other_ace) {
2577                 DEBUG(0,("arrange_posix_perms: Invalid POSIX permissions for file %s, missing owner or other.\n",
2578                         filename ));
2579                 return;
2580         }
2581
2582         /*
2583          * The POSIX algorithm applies to owner first, and other last,
2584          * so ensure they are arranged in this order.
2585          */
2586
2587         if (owner_ace) {
2588                 DLIST_PROMOTE(l_head, owner_ace);
2589         }
2590
2591         if (other_ace) {
2592                 DLIST_DEMOTE(l_head, other_ace);
2593         }
2594
2595         /* We have probably changed the head of the list. */
2596
2597         *pp_list_head = l_head;
2598 }
2599
2600 /****************************************************************************
2601  Create a linked list of canonical ACE entries.
2602 ****************************************************************************/
2603
2604 static canon_ace *canonicalise_acl(struct connection_struct *conn,
2605                                    const char *fname, SMB_ACL_T posix_acl,
2606                                    const SMB_STRUCT_STAT *psbuf,
2607                                    const struct dom_sid *powner, const struct dom_sid *pgroup, struct pai_val *pal, SMB_ACL_TYPE_T the_acl_type)
2608 {
2609         mode_t acl_mask = (S_IRUSR|S_IWUSR|S_IXUSR);
2610         canon_ace *l_head = NULL;
2611         canon_ace *ace = NULL;
2612         canon_ace *next_ace = NULL;
2613         int entry_id = SMB_ACL_FIRST_ENTRY;
2614         bool is_default_acl = (the_acl_type == SMB_ACL_TYPE_DEFAULT);
2615         SMB_ACL_ENTRY_T entry;
2616         size_t ace_count;
2617
2618         while ( posix_acl && (sys_acl_get_entry(posix_acl, entry_id, &entry) == 1)) {
2619                 SMB_ACL_TAG_T tagtype;
2620                 SMB_ACL_PERMSET_T permset;
2621                 struct dom_sid sid;
2622                 struct unixid unix_ug;
2623                 enum ace_owner owner_type;
2624
2625                 entry_id = SMB_ACL_NEXT_ENTRY;
2626
2627                 if (sys_acl_get_tag_type(entry, &tagtype) == -1)
2628                         continue;
2629
2630                 if (sys_acl_get_permset(entry, &permset) == -1)
2631                         continue;
2632
2633                 /* Decide which SID to use based on the ACL type. */
2634                 switch(tagtype) {
2635                         case SMB_ACL_USER_OBJ:
2636                                 /* Get the SID from the owner. */
2637                                 sid_copy(&sid, powner);
2638                                 unix_ug.type = ID_TYPE_UID;
2639                                 unix_ug.id = psbuf->st_ex_uid;
2640                                 owner_type = UID_ACE;
2641                                 break;
2642                         case SMB_ACL_USER:
2643                                 {
2644                                         uid_t *puid = (uid_t *)sys_acl_get_qualifier(entry);
2645                                         if (puid == NULL) {
2646                                                 DEBUG(0,("canonicalise_acl: Failed to get uid.\n"));
2647                                                 continue;
2648                                         }
2649                                         uid_to_sid( &sid, *puid);
2650                                         unix_ug.type = ID_TYPE_UID;
2651                                         unix_ug.id = *puid;
2652                                         owner_type = UID_ACE;
2653                                         break;
2654                                 }
2655                         case SMB_ACL_GROUP_OBJ:
2656                                 /* Get the SID from the owning group. */
2657                                 sid_copy(&sid, pgroup);
2658                                 unix_ug.type = ID_TYPE_GID;
2659                                 unix_ug.id = psbuf->st_ex_gid;
2660                                 owner_type = GID_ACE;
2661                                 break;
2662                         case SMB_ACL_GROUP:
2663                                 {
2664                                         gid_t *pgid = (gid_t *)sys_acl_get_qualifier(entry);
2665                                         if (pgid == NULL) {
2666                                                 DEBUG(0,("canonicalise_acl: Failed to get gid.\n"));
2667                                                 continue;
2668                                         }
2669                                         gid_to_sid( &sid, *pgid);
2670                                         unix_ug.type = ID_TYPE_GID;
2671                                         unix_ug.id = *pgid;
2672                                         owner_type = GID_ACE;
2673                                         break;
2674                                 }
2675                         case SMB_ACL_MASK:
2676                                 acl_mask = convert_permset_to_mode_t(permset);
2677                                 continue; /* Don't count the mask as an entry. */
2678                         case SMB_ACL_OTHER:
2679                                 /* Use the Everyone SID */
2680                                 sid = global_sid_World;
2681                                 unix_ug.type = ID_TYPE_NOT_SPECIFIED;
2682                                 unix_ug.id = -1;
2683                                 owner_type = WORLD_ACE;
2684                                 break;
2685                         default:
2686                                 DEBUG(0,("canonicalise_acl: Unknown tagtype %u\n", (unsigned int)tagtype));
2687                                 continue;
2688                 }
2689
2690                 /*
2691                  * Add this entry to the list.
2692                  */
2693
2694                 if ((ace = talloc(talloc_tos(), canon_ace)) == NULL)
2695                         goto fail;
2696
2697                 *ace = (canon_ace) {
2698                         .type = tagtype,
2699                         .perms = convert_permset_to_mode_t(permset),
2700                         .attr = ALLOW_ACE,
2701                         .trustee = sid,
2702                         .unix_ug = unix_ug,
2703                         .owner_type = owner_type,
2704                         .ace_flags = get_pai_flags(pal, ace, is_default_acl)
2705                 };
2706
2707                 DLIST_ADD(l_head, ace);
2708         }
2709
2710         /*
2711          * This next call will ensure we have at least a user/group/world set.
2712          */
2713
2714         if (!ensure_canon_entry_valid_on_get(conn, &l_head,
2715                                       powner, pgroup,
2716                                       psbuf))
2717                 goto fail;
2718
2719         /*
2720          * Now go through the list, masking the permissions with the
2721          * acl_mask. Ensure all DENY Entries are at the start of the list.
2722          */
2723
2724         DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", is_default_acl ?  "Default" : "Access"));
2725
2726         for ( ace_count = 0, ace = l_head; ace; ace = next_ace, ace_count++) {
2727                 next_ace = ace->next;
2728
2729                 /* Masks are only applied to entries other than USER_OBJ and OTHER. */
2730                 if (ace->type != SMB_ACL_OTHER && ace->type != SMB_ACL_USER_OBJ)
2731                         ace->perms &= acl_mask;
2732
2733                 if (ace->perms == 0) {
2734                         DLIST_PROMOTE(l_head, ace);
2735                 }
2736
2737                 if( DEBUGLVL( 10 ) ) {
2738                         print_canon_ace(ace, ace_count);
2739                 }
2740         }
2741
2742         arrange_posix_perms(fname,&l_head );
2743
2744         print_canon_ace_list( "canonicalise_acl: ace entries after arrange", l_head );
2745
2746         return l_head;
2747
2748   fail:
2749
2750         free_canon_ace_list(l_head);
2751         return NULL;
2752 }
2753
2754 /****************************************************************************
2755  Check if the current user group list contains a given group.
2756 ****************************************************************************/
2757
2758 bool current_user_in_group(connection_struct *conn, gid_t gid)
2759 {
2760         int i;
2761         const struct security_unix_token *utok = get_current_utok(conn);
2762
2763         for (i = 0; i < utok->ngroups; i++) {
2764                 if (utok->groups[i] == gid) {
2765                         return True;
2766                 }
2767         }
2768
2769         return False;
2770 }
2771
2772 /****************************************************************************
2773  Should we override a deny ? Check 'acl group control' and 'dos filemode'.
2774 ****************************************************************************/
2775
2776 static bool acl_group_override(connection_struct *conn,
2777                                const struct smb_filename *smb_fname)
2778 {
2779         if ((errno != EPERM) && (errno != EACCES)) {
2780                 return false;
2781         }
2782
2783         /* file primary group == user primary or supplementary group */
2784         if (lp_acl_group_control(SNUM(conn)) &&
2785             current_user_in_group(conn, smb_fname->st.st_ex_gid)) {
2786                 return true;
2787         }
2788
2789         /* user has writeable permission */
2790         if (lp_dos_filemode(SNUM(conn)) &&
2791             can_write_to_file(conn, smb_fname)) {
2792                 return true;
2793         }
2794
2795         return false;
2796 }
2797
2798 /****************************************************************************
2799  Attempt to apply an ACL to a file or directory.
2800 ****************************************************************************/
2801
2802 static bool set_canon_ace_list(files_struct *fsp,
2803                                 canon_ace *the_ace,
2804                                 bool default_ace,
2805                                 const SMB_STRUCT_STAT *psbuf,
2806                                 bool *pacl_set_support)
2807 {
2808         connection_struct *conn = fsp->conn;
2809         bool ret = False;
2810         SMB_ACL_T the_acl = sys_acl_init(talloc_tos());
2811         canon_ace *p_ace;
2812         int i;
2813         SMB_ACL_ENTRY_T mask_entry;
2814         bool got_mask_entry = False;
2815         SMB_ACL_PERMSET_T mask_permset;
2816         SMB_ACL_TYPE_T the_acl_type = (default_ace ? SMB_ACL_TYPE_DEFAULT : SMB_ACL_TYPE_ACCESS);
2817         bool needs_mask = False;
2818         mode_t mask_perms = 0;
2819
2820         /* Use the psbuf that was passed in. */
2821         if (psbuf != &fsp->fsp_name->st) {
2822                 fsp->fsp_name->st = *psbuf;
2823         }
2824
2825 #if defined(POSIX_ACL_NEEDS_MASK)
2826         /* HP-UX always wants to have a mask (called "class" there). */
2827         needs_mask = True;
2828 #endif
2829
2830         if (the_acl == NULL) {
2831                 DEBUG(0, ("sys_acl_init failed to allocate an ACL\n"));
2832                 return false;
2833         }
2834
2835         if( DEBUGLVL( 10 )) {
2836                 dbgtext("set_canon_ace_list: setting ACL:\n");
2837                 for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2838                         print_canon_ace( p_ace, i);
2839                 }
2840         }
2841
2842         for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2843                 SMB_ACL_ENTRY_T the_entry;
2844                 SMB_ACL_PERMSET_T the_permset;
2845
2846                 /*
2847                  * ACLs only "need" an ACL_MASK entry if there are any named user or
2848                  * named group entries. But if there is an ACL_MASK entry, it applies
2849                  * to ACL_USER, ACL_GROUP, and ACL_GROUP_OBJ entries. Set the mask
2850                  * so that it doesn't deny (i.e., mask off) any permissions.
2851                  */
2852
2853                 if (p_ace->type == SMB_ACL_USER || p_ace->type == SMB_ACL_GROUP) {
2854                         needs_mask = True;
2855                         mask_perms |= p_ace->perms;
2856                 } else if (p_ace->type == SMB_ACL_GROUP_OBJ) {
2857                         mask_perms |= p_ace->perms;
2858                 }
2859
2860                 /*
2861                  * Get the entry for this ACE.
2862                  */
2863
2864                 if (sys_acl_create_entry(&the_acl, &the_entry) == -1) {
2865                         DEBUG(0,("set_canon_ace_list: Failed to create entry %d. (%s)\n",
2866                                 i, strerror(errno) ));
2867                         goto fail;
2868                 }
2869
2870                 if (p_ace->type == SMB_ACL_MASK) {
2871                         mask_entry = the_entry;
2872                         got_mask_entry = True;
2873                 }
2874
2875                 /*
2876                  * Ok - we now know the ACL calls should be working, don't
2877                  * allow fallback to chmod.
2878                  */
2879
2880                 *pacl_set_support = True;
2881
2882                 /*
2883                  * Initialise the entry from the canon_ace.
2884                  */
2885
2886                 /*
2887                  * First tell the entry what type of ACE this is.
2888                  */
2889
2890                 if (sys_acl_set_tag_type(the_entry, p_ace->type) == -1) {
2891                         DEBUG(0,("set_canon_ace_list: Failed to set tag type on entry %d. (%s)\n",
2892                                 i, strerror(errno) ));
2893                         goto fail;
2894                 }
2895
2896                 /*
2897                  * Only set the qualifier (user or group id) if the entry is a user
2898                  * or group id ACE.
2899                  */
2900
2901                 if ((p_ace->type == SMB_ACL_USER) || (p_ace->type == SMB_ACL_GROUP)) {
2902                         if (sys_acl_set_qualifier(the_entry,(void *)&p_ace->unix_ug.id) == -1) {
2903                                 DEBUG(0,("set_canon_ace_list: Failed to set qualifier on entry %d. (%s)\n",
2904                                         i, strerror(errno) ));
2905                                 goto fail;
2906                         }
2907                 }
2908
2909                 /*
2910                  * Convert the mode_t perms in the canon_ace to a POSIX permset.
2911                  */
2912
2913                 if (sys_acl_get_permset(the_entry, &the_permset) == -1) {
2914                         DEBUG(0,("set_canon_ace_list: Failed to get permset on entry %d. (%s)\n",
2915                                 i, strerror(errno) ));
2916                         goto fail;
2917                 }
2918
2919                 if (map_acl_perms_to_permset(conn, p_ace->perms, &the_permset) == -1) {
2920                         DEBUG(0,("set_canon_ace_list: Failed to create permset for mode (%u) on entry %d. (%s)\n",
2921                                 (unsigned int)p_ace->perms, i, strerror(errno) ));
2922                         goto fail;
2923                 }
2924
2925                 /*
2926                  * ..and apply them to the entry.
2927                  */
2928
2929                 if (sys_acl_set_permset(the_entry, the_permset) == -1) {
2930                         DEBUG(0,("set_canon_ace_list: Failed to add permset on entry %d. (%s)\n",
2931                                 i, strerror(errno) ));
2932                         goto fail;
2933                 }
2934
2935                 if( DEBUGLVL( 10 ))
2936                         print_canon_ace( p_ace, i);
2937
2938         }
2939
2940         if (needs_mask && !got_mask_entry) {
2941                 if (sys_acl_create_entry(&the_acl, &mask_entry) == -1) {
2942                         DEBUG(0,("set_canon_ace_list: Failed to create mask entry. (%s)\n", strerror(errno) ));
2943                         goto fail;
2944                 }
2945
2946                 if (sys_acl_set_tag_type(mask_entry, SMB_ACL_MASK) == -1) {
2947                         DEBUG(0,("set_canon_ace_list: Failed to set tag type on mask entry. (%s)\n",strerror(errno) ));
2948                         goto fail;
2949                 }
2950
2951                 if (sys_acl_get_permset(mask_entry, &mask_permset) == -1) {
2952                         DEBUG(0,("set_canon_ace_list: Failed to get mask permset. (%s)\n", strerror(errno) ));
2953                         goto fail;
2954                 }
2955
2956                 if (map_acl_perms_to_permset(conn, S_IRUSR|S_IWUSR|S_IXUSR, &mask_permset) == -1) {
2957                         DEBUG(0,("set_canon_ace_list: Failed to create mask permset. (%s)\n", strerror(errno) ));
2958                         goto fail;
2959                 }
2960
2961                 if (sys_acl_set_permset(mask_entry, mask_permset) == -1) {
2962                         DEBUG(0,("set_canon_ace_list: Failed to add mask permset. (%s)\n", strerror(errno) ));
2963                         goto fail;
2964                 }
2965         }
2966
2967         /*
2968          * Finally apply it to the file or directory.
2969          */
2970
2971         if(default_ace || fsp->is_directory || fsp->fh->fd == -1) {
2972                 if (SMB_VFS_SYS_ACL_SET_FILE(conn, fsp->fsp_name->base_name,
2973                                              the_acl_type, the_acl) == -1) {
2974                         /*
2975                          * Some systems allow all the above calls and only fail with no ACL support
2976                          * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
2977                          */
2978                         if (no_acl_syscall_error(errno)) {
2979                                 *pacl_set_support = False;
2980                         }
2981
2982                         if (acl_group_override(conn, fsp->fsp_name)) {
2983                                 int sret;
2984
2985                                 DEBUG(5,("set_canon_ace_list: acl group "
2986                                          "control on and current user in file "
2987                                          "%s primary group.\n",
2988                                          fsp_str_dbg(fsp)));
2989
2990                                 become_root();
2991                                 sret = SMB_VFS_SYS_ACL_SET_FILE(conn,
2992                                     fsp->fsp_name->base_name, the_acl_type,
2993                                     the_acl);
2994                                 unbecome_root();
2995                                 if (sret == 0) {
2996                                         ret = True;     
2997                                 }
2998                         }
2999
3000                         if (ret == False) {
3001                                 DEBUG(2,("set_canon_ace_list: "
3002                                          "sys_acl_set_file type %s failed for "
3003                                          "file %s (%s).\n",
3004                                          the_acl_type == SMB_ACL_TYPE_DEFAULT ?
3005                                          "directory default" : "file",
3006                                          fsp_str_dbg(fsp), strerror(errno)));
3007                                 goto fail;
3008                         }
3009                 }
3010         } else {
3011                 if (SMB_VFS_SYS_ACL_SET_FD(fsp, the_acl) == -1) {
3012                         /*
3013                          * Some systems allow all the above calls and only fail with no ACL support
3014                          * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
3015                          */
3016                         if (no_acl_syscall_error(errno)) {
3017                                 *pacl_set_support = False;
3018                         }
3019
3020                         if (acl_group_override(conn, fsp->fsp_name)) {
3021                                 int sret;
3022
3023                                 DEBUG(5,("set_canon_ace_list: acl group "
3024                                          "control on and current user in file "
3025                                          "%s primary group.\n",
3026                                          fsp_str_dbg(fsp)));
3027
3028                                 become_root();
3029                                 sret = SMB_VFS_SYS_ACL_SET_FD(fsp, the_acl);
3030                                 unbecome_root();
3031                                 if (sret == 0) {
3032                                         ret = True;
3033                                 }
3034                         }
3035
3036                         if (ret == False) {
3037                                 DEBUG(2,("set_canon_ace_list: "
3038                                          "sys_acl_set_file failed for file %s "
3039                                          "(%s).\n",
3040                                          fsp_str_dbg(fsp), strerror(errno)));
3041                                 goto fail;
3042                         }
3043                 }
3044         }
3045
3046         ret = True;
3047
3048   fail:
3049
3050         if (the_acl != NULL) {
3051                 TALLOC_FREE(the_acl);
3052         }
3053
3054         return ret;
3055 }
3056
3057 /****************************************************************************
3058  
3059 ****************************************************************************/
3060
3061 SMB_ACL_T free_empty_sys_acl(connection_struct *conn, SMB_ACL_T the_acl)
3062 {
3063         SMB_ACL_ENTRY_T entry;
3064
3065         if (!the_acl)
3066                 return NULL;
3067         if (sys_acl_get_entry(the_acl, SMB_ACL_FIRST_ENTRY, &entry) != 1) {
3068                 TALLOC_FREE(the_acl);
3069                 return NULL;
3070         }
3071         return the_acl;
3072 }
3073
3074 /****************************************************************************
3075  Convert a canon_ace to a generic 3 element permission - if possible.
3076 ****************************************************************************/
3077
3078 #define MAP_PERM(p,mask,result) (((p) & (mask)) ? (result) : 0 )
3079
3080 static bool convert_canon_ace_to_posix_perms( files_struct *fsp, canon_ace *file_ace_list, mode_t *posix_perms)
3081 {
3082         size_t ace_count = count_canon_ace_list(file_ace_list);
3083         canon_ace *ace_p;
3084         canon_ace *owner_ace = NULL;
3085         canon_ace *group_ace = NULL;
3086         canon_ace *other_ace = NULL;
3087
3088         if (ace_count > 5) {
3089                 DEBUG(3,("convert_canon_ace_to_posix_perms: Too many ACE "
3090                          "entries for file %s to convert to posix perms.\n",
3091                          fsp_str_dbg(fsp)));
3092                 return False;
3093         }
3094
3095         for (ace_p = file_ace_list; ace_p; ace_p = ace_p->next) {
3096                 if (ace_p->owner_type == UID_ACE)
3097                         owner_ace = ace_p;
3098                 else if (ace_p->owner_type == GID_ACE)
3099                         group_ace = ace_p;
3100                 else if (ace_p->owner_type == WORLD_ACE)
3101                         other_ace = ace_p;
3102         }
3103
3104         if (!owner_ace || !group_ace || !other_ace) {
3105                 DEBUG(3,("convert_canon_ace_to_posix_perms: Can't get "
3106                          "standard entries for file %s.\n", fsp_str_dbg(fsp)));
3107                 return False;
3108         }
3109
3110         /*
3111          * Ensure all ACE entries are owner, group or other.
3112          * We can't set if there are any other SIDs.
3113          */
3114         for (ace_p = file_ace_list; ace_p; ace_p = ace_p->next) {
3115                 if (ace_p == owner_ace || ace_p == group_ace ||
3116                                 ace_p == other_ace) {
3117                         continue;
3118                 }
3119                 if (ace_p->owner_type == UID_ACE) {
3120                         if (ace_p->unix_ug.id != owner_ace->unix_ug.id) {
3121                                 DEBUG(3,("Invalid uid %u in ACE for file %s.\n",
3122                                         (unsigned int)ace_p->unix_ug.id,
3123                                         fsp_str_dbg(fsp)));
3124                                 return false;
3125                         }
3126                 } else if (ace_p->owner_type == GID_ACE) {
3127                         if (ace_p->unix_ug.id != group_ace->unix_ug.id) {
3128                                 DEBUG(3,("Invalid gid %u in ACE for file %s.\n",
3129                                         (unsigned int)ace_p->unix_ug.id,
3130                                         fsp_str_dbg(fsp)));
3131                                 return false;
3132                         }
3133                 } else {
3134                         /*
3135                          * There should be no duplicate WORLD_ACE entries.
3136                          */
3137
3138                         DEBUG(3,("Invalid type %u, uid %u in "
3139                                 "ACE for file %s.\n",
3140                                 (unsigned int)ace_p->owner_type,
3141                                 (unsigned int)ace_p->unix_ug.id,
3142                                 fsp_str_dbg(fsp)));
3143                         return false;
3144                 }
3145         }
3146
3147         *posix_perms = (mode_t)0;
3148
3149         *posix_perms |= owner_ace->perms;
3150         *posix_perms |= MAP_PERM(group_ace->perms, S_IRUSR, S_IRGRP);
3151         *posix_perms |= MAP_PERM(group_ace->perms, S_IWUSR, S_IWGRP);
3152         *posix_perms |= MAP_PERM(group_ace->perms, S_IXUSR, S_IXGRP);
3153         *posix_perms |= MAP_PERM(other_ace->perms, S_IRUSR, S_IROTH);
3154         *posix_perms |= MAP_PERM(other_ace->perms, S_IWUSR, S_IWOTH);
3155         *posix_perms |= MAP_PERM(other_ace->perms, S_IXUSR, S_IXOTH);
3156
3157         /* The owner must have at least read access. */
3158
3159         *posix_perms |= S_IRUSR;
3160         if (fsp->is_directory)
3161                 *posix_perms |= (S_IWUSR|S_IXUSR);
3162
3163         DEBUG(10,("convert_canon_ace_to_posix_perms: converted u=%o,g=%o,w=%o "
3164                   "to perm=0%o for file %s.\n", (int)owner_ace->perms,
3165                   (int)group_ace->perms, (int)other_ace->perms,
3166                   (int)*posix_perms, fsp_str_dbg(fsp)));
3167
3168         return True;
3169 }
3170
3171 /****************************************************************************
3172   Incoming NT ACLs on a directory can be split into a default POSIX acl (CI|OI|IO) and
3173   a normal POSIX acl. Win2k needs these split acls re-merging into one ACL
3174   with CI|OI set so it is inherited and also applies to the directory.
3175   Based on code from "Jim McDonough" <jmcd@us.ibm.com>.
3176 ****************************************************************************/
3177
3178 static size_t merge_default_aces( struct security_ace *nt_ace_list, size_t num_aces)
3179 {
3180         size_t i, j;
3181
3182         for (i = 0; i < num_aces; i++) {
3183                 for (j = i+1; j < num_aces; j++) {
3184                         uint32_t i_flags_ni = (nt_ace_list[i].flags & ~SEC_ACE_FLAG_INHERITED_ACE);
3185                         uint32_t j_flags_ni = (nt_ace_list[j].flags & ~SEC_ACE_FLAG_INHERITED_ACE);
3186                         bool i_inh = (nt_ace_list[i].flags & SEC_ACE_FLAG_INHERITED_ACE) ? True : False;
3187                         bool j_inh = (nt_ace_list[j].flags & SEC_ACE_FLAG_INHERITED_ACE) ? True : False;
3188
3189                         /* We know the lower number ACE's are file entries. */
3190                         if ((nt_ace_list[i].type == nt_ace_list[j].type) &&
3191                                 (nt_ace_list[i].size == nt_ace_list[j].size) &&
3192                                 (nt_ace_list[i].access_mask == nt_ace_list[j].access_mask) &&
3193                                 dom_sid_equal(&nt_ace_list[i].trustee, &nt_ace_list[j].trustee) &&
3194                                 (i_inh == j_inh) &&
3195                                 (i_flags_ni == 0) &&
3196                                 (j_flags_ni == (SEC_ACE_FLAG_OBJECT_INHERIT|
3197                                                   SEC_ACE_FLAG_CONTAINER_INHERIT|
3198                                                   SEC_ACE_FLAG_INHERIT_ONLY))) {
3199                                 /*
3200                                  * W2K wants to have access allowed zero access ACE's
3201                                  * at the end of the list. If the mask is zero, merge
3202                                  * the non-inherited ACE onto the inherited ACE.
3203                                  */
3204
3205                                 if (nt_ace_list[i].access_mask == 0) {
3206                                         nt_ace_list[j].flags = SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
3207                                                                 (i_inh ? SEC_ACE_FLAG_INHERITED_ACE : 0);
3208                                         if (num_aces - i - 1 > 0)
3209                                                 memmove(&nt_ace_list[i], &nt_ace_list[i+1], (num_aces-i-1) *
3210                                                                 sizeof(struct security_ace));
3211
3212                                         DEBUG(10,("merge_default_aces: Merging zero access ACE %u onto ACE %u.\n",
3213                                                 (unsigned int)i, (unsigned int)j ));
3214                                 } else {
3215                                         /*
3216                                          * These are identical except for the flags.
3217                                          * Merge the inherited ACE onto the non-inherited ACE.
3218                                          */
3219
3220                                         nt_ace_list[i].flags = SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
3221                                                                 (i_inh ? SEC_ACE_FLAG_INHERITED_ACE : 0);
3222                                         if (num_aces - j - 1 > 0)
3223                                                 memmove(&nt_ace_list[j], &nt_ace_list[j+1], (num_aces-j-1) *
3224                                                                 sizeof(struct security_ace));
3225
3226                                         DEBUG(10,("merge_default_aces: Merging ACE %u onto ACE %u.\n",
3227                                                 (unsigned int)j, (unsigned int)i ));
3228                                 }
3229                                 num_aces--;
3230                                 break;
3231                         }
3232                 }
3233         }
3234
3235         return num_aces;
3236 }
3237
3238 /*
3239  * Add or Replace ACE entry.
3240  * In some cases we need to add a specific ACE for compatibility reasons.
3241  * When doing that we must make sure we are not actually creating a duplicate
3242  * entry. So we need to search whether an ACE entry already exist and eventually
3243  * replacce the access mask, or add a completely new entry if none was found.
3244  *
3245  * This function assumes the array has enough space to add a new entry without
3246  * any reallocation of memory.
3247  */
3248
3249 static void add_or_replace_ace(struct security_ace *nt_ace_list, size_t *num_aces,
3250                                 const struct dom_sid *sid, enum security_ace_type type,
3251                                 uint32_t mask, uint8_t flags)
3252 {
3253         int i;
3254
3255         /* first search for a duplicate */
3256         for (i = 0; i < *num_aces; i++) {
3257                 if (dom_sid_equal(&nt_ace_list[i].trustee, sid) &&
3258                     (nt_ace_list[i].flags == flags)) break;
3259         }
3260
3261         if (i < *num_aces) { /* found */
3262                 nt_ace_list[i].type = type;
3263                 nt_ace_list[i].access_mask = mask;
3264                 DEBUG(10, ("Replacing ACE %d with SID %s and flags %02x\n",
3265                            i, sid_string_dbg(sid), flags));
3266                 return;
3267         }
3268
3269         /* not found, append it */
3270         init_sec_ace(&nt_ace_list[(*num_aces)++], sid, type, mask, flags);
3271 }
3272
3273
3274 /****************************************************************************
3275  Reply to query a security descriptor from an fsp. If it succeeds it allocates
3276  the space for the return elements and returns the size needed to return the
3277  security descriptor. This should be the only external function needed for
3278  the UNIX style get ACL.
3279 ****************************************************************************/
3280
3281 static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
3282                                       const char *name,
3283                                       const SMB_STRUCT_STAT *sbuf,
3284                                       struct pai_val *pal,
3285                                       SMB_ACL_T posix_acl,
3286                                       SMB_ACL_T def_acl,
3287                                       uint32_t security_info,
3288                                       TALLOC_CTX *mem_ctx,
3289                                       struct security_descriptor **ppdesc)
3290 {
3291         struct dom_sid owner_sid;
3292         struct dom_sid group_sid;
3293         size_t sd_size = 0;
3294         struct security_acl *psa = NULL;
3295         size_t num_acls = 0;
3296         size_t num_def_acls = 0;
3297         size_t num_aces = 0;
3298         canon_ace *file_ace = NULL;
3299         canon_ace *dir_ace = NULL;
3300         struct security_ace *nt_ace_list = NULL;
3301         size_t num_profile_acls = 0;
3302         struct dom_sid orig_owner_sid;
3303         struct security_descriptor *psd = NULL;
3304         int i;
3305
3306         /*
3307          * Get the owner, group and world SIDs.
3308          */
3309
3310         create_file_sids(sbuf, &owner_sid, &group_sid);
3311
3312         if (lp_profile_acls(SNUM(conn))) {
3313                 /* For WXP SP1 the owner must be administrators. */
3314                 sid_copy(&orig_owner_sid, &owner_sid);
3315                 sid_copy(&owner_sid, &global_sid_Builtin_Administrators);
3316                 sid_copy(&group_sid, &global_sid_Builtin_Users);
3317                 num_profile_acls = 3;
3318         }
3319
3320         if (security_info & SECINFO_DACL) {
3321
3322                 /*
3323                  * In the optimum case Creator Owner and Creator Group would be used for
3324                  * the ACL_USER_OBJ and ACL_GROUP_OBJ entries, respectively, but this
3325                  * would lead to usability problems under Windows: The Creator entries
3326                  * are only available in browse lists of directories and not for files;
3327                  * additionally the identity of the owning group couldn't be determined.
3328                  * We therefore use those identities only for Default ACLs. 
3329                  */
3330
3331                 /* Create the canon_ace lists. */
3332                 file_ace = canonicalise_acl(conn, name, posix_acl, sbuf,
3333                                             &owner_sid, &group_sid, pal,
3334                                             SMB_ACL_TYPE_ACCESS);
3335
3336                 /* We must have *some* ACLS. */
3337         
3338                 if (count_canon_ace_list(file_ace) == 0) {
3339                         DEBUG(0,("get_nt_acl : No ACLs on file (%s) !\n", name));
3340                         goto done;
3341                 }
3342
3343                 if (S_ISDIR(sbuf->st_ex_mode) && def_acl) {
3344                         dir_ace = canonicalise_acl(conn, name, def_acl,
3345                                                    sbuf,
3346                                                    &global_sid_Creator_Owner,
3347                                                    &global_sid_Creator_Group,
3348                                                    pal, SMB_ACL_TYPE_DEFAULT);
3349                 }
3350
3351                 /*
3352                  * Create the NT ACE list from the canonical ace lists.
3353                  */
3354
3355                 {
3356                         canon_ace *ace;
3357                         enum security_ace_type nt_acl_type;
3358
3359                         num_acls = count_canon_ace_list(file_ace);
3360                         num_def_acls = count_canon_ace_list(dir_ace);
3361
3362                         /* Allocate the ace list. */
3363                         if ((nt_ace_list = talloc_array(talloc_tos(), struct security_ace,num_acls + num_profile_acls + num_def_acls)) == NULL) {
3364                                 DEBUG(0,("get_nt_acl: Unable to malloc space for nt_ace_list.\n"));
3365                                 goto done;
3366                         }
3367
3368                         memset(nt_ace_list, '\0', (num_acls + num_def_acls) * sizeof(struct security_ace) );
3369
3370                         /*
3371                          * Create the NT ACE list from the canonical ace lists.
3372                          */
3373
3374                         for (ace = file_ace; ace != NULL; ace = ace->next) {
3375                                 uint32_t acc = map_canon_ace_perms(SNUM(conn),
3376                                                 &nt_acl_type,
3377                                                 ace->perms,
3378                                                 S_ISDIR(sbuf->st_ex_mode));
3379                                 init_sec_ace(&nt_ace_list[num_aces++],
3380                                         &ace->trustee,
3381                                         nt_acl_type,
3382                                         acc,
3383                                         ace->ace_flags);
3384                         }
3385
3386                         /* The User must have access to a profile share - even
3387                          * if we can't map the SID. */
3388                         if (lp_profile_acls(SNUM(conn))) {
3389                                 add_or_replace_ace(nt_ace_list, &num_aces,
3390                                                    &global_sid_Builtin_Users,
3391                                                    SEC_ACE_TYPE_ACCESS_ALLOWED,
3392                                                    FILE_GENERIC_ALL, 0);
3393                         }
3394
3395                         for (ace = dir_ace; ace != NULL; ace = ace->next) {
3396                                 uint32_t acc = map_canon_ace_perms(SNUM(conn),
3397                                                 &nt_acl_type,
3398                                                 ace->perms,
3399                                                 S_ISDIR(sbuf->st_ex_mode));
3400                                 init_sec_ace(&nt_ace_list[num_aces++],
3401                                         &ace->trustee,
3402                                         nt_acl_type,
3403                                         acc,
3404                                         ace->ace_flags |
3405                                         SEC_ACE_FLAG_OBJECT_INHERIT|
3406                                         SEC_ACE_FLAG_CONTAINER_INHERIT|
3407                                         SEC_ACE_FLAG_INHERIT_ONLY);
3408                         }
3409
3410                         /* The User must have access to a profile share - even
3411                          * if we can't map the SID. */
3412                         if (lp_profile_acls(SNUM(conn))) {
3413                                 add_or_replace_ace(nt_ace_list, &num_aces,
3414                                                 &global_sid_Builtin_Users,
3415                                                 SEC_ACE_TYPE_ACCESS_ALLOWED,
3416                                                 FILE_GENERIC_ALL,
3417                                                 SEC_ACE_FLAG_OBJECT_INHERIT |
3418                                                 SEC_ACE_FLAG_CONTAINER_INHERIT |
3419                                                 SEC_ACE_FLAG_INHERIT_ONLY);
3420                         }
3421
3422                         /*
3423                          * Merge POSIX default ACLs and normal ACLs into one NT ACE.
3424                          * Win2K needs this to get the inheritance correct when replacing ACLs
3425                          * on a directory tree. Based on work by Jim @ IBM.
3426                          */
3427
3428                         num_aces = merge_default_aces(nt_ace_list, num_aces);
3429
3430                         if (lp_profile_acls(SNUM(conn))) {
3431                                 for (i = 0; i < num_aces; i++) {
3432                                         if (dom_sid_equal(&nt_ace_list[i].trustee, &owner_sid)) {
3433                                                 add_or_replace_ace(nt_ace_list, &num_aces,
3434                                                                    &orig_owner_sid,
3435                                                                    nt_ace_list[i].type,
3436                                                                    nt_ace_list[i].access_mask,
3437                                                                    nt_ace_list[i].flags);
3438                                                 break;
3439                                         }
3440                                 }
3441                         }
3442                 }
3443
3444                 if (num_aces) {
3445                         if((psa = make_sec_acl( talloc_tos(), NT4_ACL_REVISION, num_aces, nt_ace_list)) == NULL) {
3446                                 DEBUG(0,("get_nt_acl: Unable to malloc space for acl.\n"));
3447                                 goto done;
3448                         }
3449                 }
3450         } /* security_info & SECINFO_DACL */
3451
3452         psd = make_standard_sec_desc(mem_ctx,
3453                         (security_info & SECINFO_OWNER) ? &owner_sid : NULL,
3454                         (security_info & SECINFO_GROUP) ? &group_sid : NULL,
3455                         psa,
3456                         &sd_size);
3457
3458         if(!psd) {
3459                 DEBUG(0,("get_nt_acl: Unable to malloc space for security descriptor.\n"));
3460                 sd_size = 0;
3461                 goto done;
3462         }
3463
3464         /*
3465          * Windows 2000: The DACL_PROTECTED flag in the security
3466          * descriptor marks the ACL as non-inheriting, i.e., no
3467          * ACEs from higher level directories propagate to this
3468          * ACL. In the POSIX ACL model permissions are only
3469          * inherited at file create time, so ACLs never contain
3470          * any ACEs that are inherited dynamically. The DACL_PROTECTED
3471          * flag doesn't seem to bother Windows NT.
3472          * Always set this if map acl inherit is turned off.
3473          */
3474         if (pal == NULL || !lp_map_acl_inherit(SNUM(conn))) {
3475                 psd->type |= SEC_DESC_DACL_PROTECTED;
3476         } else {
3477                 psd->type |= pal->sd_type;
3478         }
3479
3480         if (psd->dacl) {
3481                 dacl_sort_into_canonical_order(psd->dacl->aces, (unsigned int)psd->dacl->num_aces);
3482         }
3483
3484         *ppdesc = psd;
3485
3486  done:
3487
3488         if (posix_acl) {
3489                 TALLOC_FREE(posix_acl);
3490         }
3491         if (def_acl) {
3492                 TALLOC_FREE(def_acl);
3493         }
3494         free_canon_ace_list(file_ace);
3495         free_canon_ace_list(dir_ace);
3496         free_inherited_info(pal);
3497         TALLOC_FREE(nt_ace_list);
3498
3499         return NT_STATUS_OK;
3500 }
3501
3502 NTSTATUS posix_fget_nt_acl(struct files_struct *fsp, uint32_t security_info,
3503                            TALLOC_CTX *mem_ctx,
3504                            struct security_descriptor **ppdesc)
3505 {
3506         SMB_STRUCT_STAT sbuf;
3507         SMB_ACL_T posix_acl = NULL;
3508         struct pai_val *pal;
3509         TALLOC_CTX *frame = talloc_stackframe();
3510         NTSTATUS status;
3511
3512         *ppdesc = NULL;
3513
3514         DEBUG(10,("posix_fget_nt_acl: called for file %s\n",
3515                   fsp_str_dbg(fsp)));
3516
3517         /* can it happen that fsp_name == NULL ? */
3518         if (fsp->is_directory ||  fsp->fh->fd == -1) {
3519                 status = posix_get_nt_acl(fsp->conn, fsp->fsp_name,
3520                                           security_info, mem_ctx, ppdesc);
3521                 TALLOC_FREE(frame);
3522                 return status;
3523         }
3524
3525         /* Get the stat struct for the owner info. */
3526         if(SMB_VFS_FSTAT(fsp, &sbuf) != 0) {
3527                 TALLOC_FREE(frame);
3528                 return map_nt_error_from_unix(errno);
3529         }
3530
3531         /* Get the ACL from the fd. */
3532         posix_acl = SMB_VFS_SYS_ACL_GET_FD(fsp, frame);
3533
3534         pal = fload_inherited_info(fsp);
3535
3536         status = posix_get_nt_acl_common(fsp->conn, fsp->fsp_name->base_name,
3537                                          &sbuf, pal, posix_acl, NULL,
3538                                          security_info, mem_ctx, ppdesc);
3539         TALLOC_FREE(frame);
3540         return status;
3541 }
3542
3543 NTSTATUS posix_get_nt_acl(struct connection_struct *conn,
3544                         const struct smb_filename *smb_fname_in,
3545                         uint32_t security_info,
3546                         TALLOC_CTX *mem_ctx,
3547                         struct security_descriptor **ppdesc)
3548 {
3549         SMB_ACL_T posix_acl = NULL;
3550         SMB_ACL_T def_acl = NULL;
3551         struct pai_val *pal;
3552         struct smb_filename *smb_fname = NULL;
3553         int ret;
3554         TALLOC_CTX *frame = talloc_stackframe();
3555         NTSTATUS status;
3556
3557         *ppdesc = NULL;
3558
3559         DEBUG(10,("posix_get_nt_acl: called for file %s\n",
3560                 smb_fname_in->base_name ));
3561
3562         smb_fname = cp_smb_filename(talloc_tos(), smb_fname_in);
3563         if (smb_fname == NULL) {
3564                 TALLOC_FREE(frame);
3565                 return NT_STATUS_NO_MEMORY;
3566         }
3567
3568         /* Get the stat struct for the owner info. */
3569         if (lp_posix_pathnames()) {
3570                 ret = SMB_VFS_LSTAT(conn, smb_fname);
3571         } else {
3572                 ret = SMB_VFS_STAT(conn, smb_fname);
3573         }
3574
3575         if (ret == -1) {
3576                 TALLOC_FREE(frame);
3577                 return map_nt_error_from_unix(errno);
3578         }
3579
3580         /* Get the ACL from the path. */
3581         posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, smb_fname->base_name,
3582                                              SMB_ACL_TYPE_ACCESS, frame);
3583
3584         /* If it's a directory get the default POSIX ACL. */
3585         if(S_ISDIR(smb_fname->st.st_ex_mode)) {
3586                 def_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, smb_fname->base_name,
3587                                                    SMB_ACL_TYPE_DEFAULT, frame);
3588                 def_acl = free_empty_sys_acl(conn, def_acl);
3589         }
3590
3591         pal = load_inherited_info(conn, smb_fname->base_name);
3592
3593         status = posix_get_nt_acl_common(conn,
3594                                         smb_fname->base_name,
3595                                         &smb_fname->st,
3596                                         pal,
3597                                         posix_acl,
3598                                         def_acl,
3599                                         security_info,
3600                                         mem_ctx,
3601                                         ppdesc);
3602         TALLOC_FREE(frame);
3603         return status;
3604 }
3605
3606 /****************************************************************************
3607  Try to chown a file. We will be able to chown it under the following conditions.
3608