/*
- * Store Windows ACLs in xattrs, or a tdb if configured that way.
+ * Store Windows ACLs in a tdb.
*
* Copyright (C) Volker Lendecke, 2008
* Copyright (C) Jeremy Allison, 2008
static bool acl_tdb_init(struct db_context **pp_db)
{
- const char *dbname;
+ char *dbname;
if (acl_db) {
*pp_db = acl_db;
return true;
}
- dbname = lock_path("file_ntacls.tdb");
+ dbname = state_path("file_ntacls.tdb");
if (dbname == NULL) {
errno = ENOSYS;
#else
errno = ENOSYS;
#endif
+ TALLOC_FREE(dbname);
return false;
}
ref_count++;
+ TALLOC_FREE(dbname);
return true;
}
Lower ref count and close acl_db if zero.
*******************************************************************/
-static void free_acl_xattr_data(void **pptr)
+static void free_acl_tdb_data(void **pptr)
{
struct db_context **pp_db = (struct db_context **)pptr;
Fetch_lock the tdb acl record for a file
*******************************************************************/
-static struct db_record *acl_xattr_tdb_lock(TALLOC_CTX *mem_ctx,
+static struct db_record *acl_tdb_lock(TALLOC_CTX *mem_ctx,
struct db_context *db,
const struct file_id *id)
{
uint8 id_buf[16];
+
+ /* For backwards compatibility only store the dev/inode. */
push_file_id_16((char *)id_buf, id);
return db->fetch_locked(db,
mem_ctx,
sizeof(id_buf)));
}
+/*******************************************************************
+ Delete the tdb acl record for a file
+*******************************************************************/
+
+static NTSTATUS acl_tdb_delete(vfs_handle_struct *handle,
+ struct db_context *db,
+ SMB_STRUCT_STAT *psbuf)
+{
+ NTSTATUS status;
+ struct file_id id = vfs_file_id_from_sbuf(handle->conn, psbuf);
+ struct db_record *rec = acl_tdb_lock(talloc_tos(), db, &id);
+
+ /*
+ * If rec == NULL there's not much we can do about it
+ */
+
+ if (rec == NULL) {
+ DEBUG(10,("acl_tdb_delete: rec == NULL\n"));
+ TALLOC_FREE(rec);
+ return NT_STATUS_OK;
+ }
+
+ status = rec->delete_rec(rec);
+ TALLOC_FREE(rec);
+ return status;
+}
+
/*******************************************************************
Parse out a struct security_descriptor from a DATA_BLOB.
*******************************************************************/
return NT_STATUS_REVISION_MISMATCH;
}
- *ppdesc = make_sec_desc(ctx, SEC_DESC_REVISION, xacl.info.sd_ts->sd->type | SEC_DESC_SELF_RELATIVE,
+ *ppdesc = make_sec_desc(ctx, SEC_DESC_REVISION, xacl.info.sd_hs->sd->type | SEC_DESC_SELF_RELATIVE,
(security_info & OWNER_SECURITY_INFORMATION)
- ? xacl.info.sd_ts->sd->owner_sid : NULL,
+ ? xacl.info.sd_hs->sd->owner_sid : NULL,
(security_info & GROUP_SECURITY_INFORMATION)
- ? xacl.info.sd_ts->sd->group_sid : NULL,
+ ? xacl.info.sd_hs->sd->group_sid : NULL,
(security_info & SACL_SECURITY_INFORMATION)
- ? xacl.info.sd_ts->sd->sacl : NULL,
+ ? xacl.info.sd_hs->sd->sacl : NULL,
(security_info & DACL_SECURITY_INFORMATION)
- ? xacl.info.sd_ts->sd->dacl : NULL,
+ ? xacl.info.sd_hs->sd->dacl : NULL,
&sd_size);
TALLOC_FREE(xacl.info.sd);
}
id = vfs_file_id_from_sbuf(handle->conn, &sbuf);
+ /* For backwards compatibility only store the dev/inode. */
push_file_id_16((char *)id_buf, &id);
if (db->fetch(db,
static NTSTATUS create_acl_blob(const struct security_descriptor *psd, DATA_BLOB *pblob)
{
struct xattr_NTACL xacl;
- struct security_descriptor_timestamp sd_ts;
+ struct security_descriptor_hash sd_hs;
enum ndr_err_code ndr_err;
TALLOC_CTX *ctx = talloc_tos();
- struct timespec curr = timespec_current();
ZERO_STRUCT(xacl);
- ZERO_STRUCT(sd_ts);
-
- /* Horrid hack as setting an xattr changes the ctime
- * on Linux. This gives a race of 1 second during
- * which we would not see a POSIX ACL set.
- */
- curr.tv_sec += 1;
+ ZERO_STRUCT(sd_hs);
xacl.version = 2;
- xacl.info.sd_ts = &sd_ts;
- xacl.info.sd_ts->sd = CONST_DISCARD(struct security_descriptor *, psd);
- unix_timespec_to_nt_time(&xacl.info.sd_ts->last_changed, curr);
-
- DEBUG(10, ("create_acl_blob: timestamp stored as %s\n",
- timestring(ctx, curr.tv_sec) ));
+ xacl.info.sd_hs = &sd_hs;
+ xacl.info.sd_hs->sd = CONST_DISCARD(struct security_descriptor *, psd);
+ memset(&xacl.info.sd_hs->hash[0], '\0', 16);
ndr_err = ndr_push_struct_blob(
pblob, ctx, NULL, &xacl,
}
id = vfs_file_id_from_sbuf(handle->conn, &sbuf);
+ /* For backwards compatibility only store the dev/inode. */
push_file_id_16((char *)id_buf, &id);
rec = db->fetch_locked(db, talloc_tos(),
make_tdb_data(id_buf,
}
id = vfs_file_id_from_sbuf(handle->conn, &sbuf);
+
+ /* For backwards compatibility only store the dev/inode. */
push_file_id_16((char *)id_buf, &id);
rec = db->fetch_locked(db, talloc_tos(),
}
/*******************************************************************
- Store a DATA_BLOB into an xattr given a pathname.
+ Store a DATA_BLOB into an tdb given a pathname.
*******************************************************************/
-static NTSTATUS get_nt_acl_xattr_internal(vfs_handle_struct *handle,
+static NTSTATUS get_nt_acl_tdb_internal(vfs_handle_struct *handle,
files_struct *fsp,
const char *name,
uint32 security_info,
name = fsp->fsp_name;
}
- DEBUG(10, ("get_nt_acl_xattr_internal: name=%s\n", name));
+ DEBUG(10, ("get_nt_acl_tdb_internal: name=%s\n", name));
status = get_acl_blob(ctx, handle, fsp, name, &blob);
if (!NT_STATUS_IS_OK(status)) {
size_t size;
char *parent_name;
- if (!parent_dirname_talloc(ctx,
- fname,
- &parent_name,
- NULL)) {
+ if (!parent_dirname(ctx, fname, &parent_name, NULL)) {
return NT_STATUS_NO_MEMORY;
}
DEBUG(10,("inherit_new_acl: check directory %s\n",
parent_name));
- status = get_nt_acl_xattr_internal(handle,
+ status = get_nt_acl_tdb_internal(handle,
NULL,
parent_name,
(OWNER_SECURITY_INFORMATION |
Check ACL on open. For new files inherit from parent directory.
*********************************************************************/
-static int open_acl_xattr(vfs_handle_struct *handle,
+static int open_acl_tdb(vfs_handle_struct *handle,
const char *fname,
files_struct *fsp,
int flags,
uint32_t access_granted = 0;
struct security_descriptor *pdesc = NULL;
bool file_existed = true;
- NTSTATUS status = get_nt_acl_xattr_internal(handle,
+ NTSTATUS status = get_nt_acl_tdb_internal(handle,
NULL,
fname,
(OWNER_SECURITY_INFORMATION |
fsp->access_mask,
&access_granted);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10,("open_acl_xattr: file %s open "
+ DEBUG(10,("open_acl_tdb: file %s open "
"refused with error %s\n",
fname,
nt_errstr(status) ));
file_existed = false;
}
- DEBUG(10,("open_acl_xattr: get_nt_acl_attr_internal for "
+ DEBUG(10,("open_acl_tdb: get_nt_acl_attr_internal for "
"file %s returned %s\n",
fname,
nt_errstr(status) ));
On unlink we need to delete the tdb record (if using tdb).
*********************************************************************/
-static int unlink_acl_xattr(vfs_handle_struct *handle, const char *path)
+static int unlink_acl_tdb(vfs_handle_struct *handle, const char *path)
{
SMB_STRUCT_STAT sbuf;
- struct file_id id;
struct db_context *db;
- struct db_record *rec;
int ret;
SMB_VFS_HANDLE_GET_DATA(handle, db, struct db_context, return -1);
return -1;
}
- id = vfs_file_id_from_sbuf(handle->conn, &sbuf);
-
- rec = acl_xattr_tdb_lock(talloc_tos(), db, &id);
-
- /*
- * If rec == NULL there's not much we can do about it
- */
-
- if (rec == NULL) {
- DEBUG(10,("unlink_acl_xattr: path %s rec == NULL\n",
- path ));
- TALLOC_FREE(rec);
- return 0;
- }
-
- rec->delete_rec(rec);
- TALLOC_FREE(rec);
-
+ acl_tdb_delete(handle, db, &sbuf);
return 0;
}
Store an inherited SD on mkdir.
*********************************************************************/
-static int mkdir_acl_xattr(vfs_handle_struct *handle, const char *path, mode_t mode)
+static int mkdir_acl_tdb(vfs_handle_struct *handle, const char *path, mode_t mode)
{
int ret = SMB_VFS_NEXT_MKDIR(handle, path, mode);
On rmdir we need to delete the tdb record (if using tdb).
*********************************************************************/
-static int rmdir_acl_xattr(vfs_handle_struct *handle, const char *path)
+static int rmdir_acl_tdb(vfs_handle_struct *handle, const char *path)
{
+
SMB_STRUCT_STAT sbuf;
- struct file_id id;
struct db_context *db;
- struct db_record *rec;
int ret;
SMB_VFS_HANDLE_GET_DATA(handle, db, struct db_context, return -1);
}
ret = SMB_VFS_NEXT_RMDIR(handle, path);
-
if (ret == -1) {
return -1;
}
- id = vfs_file_id_from_sbuf(handle->conn, &sbuf);
-
- rec = acl_xattr_tdb_lock(talloc_tos(), db, &id);
-
- /*
- * If rec == NULL there's not much we can do about it
- */
-
- if (rec == NULL) {
- DEBUG(10,("rmdir_acl_xattr: path %s rec == NULL\n",
- path ));
- TALLOC_FREE(rec);
- return 0;
- }
-
- rec->delete_rec(rec);
- TALLOC_FREE(rec);
-
+ acl_tdb_delete(handle, db, &sbuf);
return 0;
}
Fetch a security descriptor given an fsp.
*********************************************************************/
-static NTSTATUS fget_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
+static NTSTATUS fget_nt_acl_tdb(vfs_handle_struct *handle, files_struct *fsp,
uint32 security_info, struct security_descriptor **ppdesc)
{
- NTSTATUS status = get_nt_acl_xattr_internal(handle, fsp,
+ NTSTATUS status = get_nt_acl_tdb_internal(handle, fsp,
NULL, security_info, ppdesc);
if (NT_STATUS_IS_OK(status)) {
if (DEBUGLEVEL >= 10) {
- DEBUG(10,("fget_nt_acl_xattr: returning xattr sd for file %s\n",
+ DEBUG(10,("fget_nt_acl_tdb: returning tdb sd for file %s\n",
fsp->fsp_name));
NDR_PRINT_DEBUG(security_descriptor, *ppdesc);
}
return NT_STATUS_OK;
}
- DEBUG(10,("fget_nt_acl_xattr: failed to get xattr sd for file %s, Error %s\n",
+ DEBUG(10,("fget_nt_acl_tdb: failed to get tdb sd for file %s, Error %s\n",
fsp->fsp_name,
nt_errstr(status) ));
Fetch a security descriptor given a pathname.
*********************************************************************/
-static NTSTATUS get_nt_acl_xattr(vfs_handle_struct *handle,
+static NTSTATUS get_nt_acl_tdb(vfs_handle_struct *handle,
const char *name, uint32 security_info, struct security_descriptor **ppdesc)
{
- NTSTATUS status = get_nt_acl_xattr_internal(handle, NULL,
+ NTSTATUS status = get_nt_acl_tdb_internal(handle, NULL,
name, security_info, ppdesc);
if (NT_STATUS_IS_OK(status)) {
if (DEBUGLEVEL >= 10) {
- DEBUG(10,("get_nt_acl_xattr: returning xattr sd for file %s\n",
+ DEBUG(10,("get_nt_acl_tdb: returning tdb sd for file %s\n",
name));
NDR_PRINT_DEBUG(security_descriptor, *ppdesc);
}
return NT_STATUS_OK;
}
- DEBUG(10,("get_nt_acl_xattr: failed to get xattr sd for file %s, Error %s\n",
+ DEBUG(10,("get_nt_acl_tdb: failed to get tdb sd for file %s, Error %s\n",
name,
nt_errstr(status) ));
Store a security descriptor given an fsp.
*********************************************************************/
-static NTSTATUS fset_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
+static NTSTATUS fset_nt_acl_tdb(vfs_handle_struct *handle, files_struct *fsp,
uint32 security_info_sent, const struct security_descriptor *psd)
{
NTSTATUS status;
DATA_BLOB blob;
if (DEBUGLEVEL >= 10) {
- DEBUG(10,("fset_nt_acl_xattr: incoming sd for file %s\n",
+ DEBUG(10,("fset_nt_acl_tdb: incoming sd for file %s\n",
fsp->fsp_name));
NDR_PRINT_DEBUG(security_descriptor,
CONST_DISCARD(struct security_descriptor *,psd));
psd = nc_psd;
}
+#if 0
if ((security_info_sent & DACL_SECURITY_INFORMATION) &&
psd->dacl != NULL &&
(psd->type & (SE_DESC_DACL_AUTO_INHERITED|
}
psd = new_psd;
}
+#endif
if (DEBUGLEVEL >= 10) {
- DEBUG(10,("fset_nt_acl_xattr: storing xattr sd for file %s\n",
+ DEBUG(10,("fset_nt_acl_tdb: storing tdb sd for file %s\n",
fsp->fsp_name));
NDR_PRINT_DEBUG(security_descriptor,
CONST_DISCARD(struct security_descriptor *,psd));
Handle opening the storage tdb if so configured.
*******************************************************************/
-static int connect_acl_xattr(struct vfs_handle_struct *handle,
+static int connect_acl_tdb(struct vfs_handle_struct *handle,
const char *service,
const char *user)
{
return -1;
}
- SMB_VFS_HANDLE_SET_DATA(handle, db, free_acl_xattr_data,
+ SMB_VFS_HANDLE_SET_DATA(handle, db, free_acl_tdb_data,
struct db_context, return -1);
return 0;
}
+/*********************************************************************
+ Remove a Windows ACL - we're setting the underlying POSIX ACL.
+*********************************************************************/
+
+static int sys_acl_set_file_tdb(vfs_handle_struct *handle,
+ const char *path,
+ SMB_ACL_TYPE_T type,
+ SMB_ACL_T theacl)
+{
+ SMB_STRUCT_STAT sbuf;
+ struct db_context *db;
+ int ret;
+
+ SMB_VFS_HANDLE_GET_DATA(handle, db, struct db_context, return -1);
+
+ if (SMB_VFS_STAT(handle->conn, path, &sbuf) == -1) {
+ return -1;
+ }
+
+ ret = SMB_VFS_NEXT_SYS_ACL_SET_FILE(handle,
+ path,
+ type,
+ theacl);
+ if (ret == -1) {
+ return -1;
+ }
+
+ acl_tdb_delete(handle, db, &sbuf);
+ return 0;
+}
+
+/*********************************************************************
+ Remove a Windows ACL - we're setting the underlying POSIX ACL.
+*********************************************************************/
+
+static int sys_acl_set_fd_tdb(vfs_handle_struct *handle,
+ files_struct *fsp,
+ SMB_ACL_T theacl)
+{
+ SMB_STRUCT_STAT sbuf;
+ struct db_context *db;
+ int ret;
+
+ SMB_VFS_HANDLE_GET_DATA(handle, db, struct db_context, return -1);
+
+ if (fsp->is_directory || fsp->fh->fd == -1) {
+ ret = SMB_VFS_STAT(fsp->conn,fsp->fsp_name, &sbuf);
+ } else {
+ ret = SMB_VFS_FSTAT(fsp, &sbuf);
+ }
+ if (ret == -1) {
+ return -1;
+ }
+
+ ret = SMB_VFS_NEXT_SYS_ACL_SET_FD(handle,
+ fsp,
+ theacl);
+ if (ret == -1) {
+ return -1;
+ }
+
+ acl_tdb_delete(handle, db, &sbuf);
+ return 0;
+}
+
/* VFS operations structure */
static vfs_op_tuple skel_op_tuples[] =
{
- {SMB_VFS_OP(connect_acl_xattr), SMB_VFS_OP_CONNECT, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(connect_acl_tdb), SMB_VFS_OP_CONNECT, SMB_VFS_LAYER_TRANSPARENT},
- {SMB_VFS_OP(mkdir_acl_xattr), SMB_VFS_OP_MKDIR, SMB_VFS_LAYER_TRANSPARENT},
- {SMB_VFS_OP(rmdir_acl_xattr), SMB_VFS_OP_RMDIR, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(mkdir_acl_tdb), SMB_VFS_OP_MKDIR, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(rmdir_acl_tdb), SMB_VFS_OP_RMDIR, SMB_VFS_LAYER_TRANSPARENT},
- {SMB_VFS_OP(open_acl_xattr), SMB_VFS_OP_OPEN, SMB_VFS_LAYER_TRANSPARENT},
- {SMB_VFS_OP(unlink_acl_xattr), SMB_VFS_OP_UNLINK, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(open_acl_tdb), SMB_VFS_OP_OPEN, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(unlink_acl_tdb), SMB_VFS_OP_UNLINK, SMB_VFS_LAYER_TRANSPARENT},
/* NT File ACL operations */
- {SMB_VFS_OP(fget_nt_acl_xattr),SMB_VFS_OP_FGET_NT_ACL,SMB_VFS_LAYER_TRANSPARENT},
- {SMB_VFS_OP(get_nt_acl_xattr), SMB_VFS_OP_GET_NT_ACL, SMB_VFS_LAYER_TRANSPARENT},
- {SMB_VFS_OP(fset_nt_acl_xattr),SMB_VFS_OP_FSET_NT_ACL,SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(fget_nt_acl_tdb),SMB_VFS_OP_FGET_NT_ACL,SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(get_nt_acl_tdb), SMB_VFS_OP_GET_NT_ACL, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(fset_nt_acl_tdb),SMB_VFS_OP_FSET_NT_ACL,SMB_VFS_LAYER_TRANSPARENT},
+
+ /* POSIX ACL operations. */
+ {SMB_VFS_OP(sys_acl_set_file_tdb), SMB_VFS_OP_SYS_ACL_SET_FILE, SMB_VFS_LAYER_TRANSPARENT},
+ {SMB_VFS_OP(sys_acl_set_fd_tdb), SMB_VFS_OP_SYS_ACL_SET_FD, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(NULL), SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP}
};
-NTSTATUS vfs_acl_xattr_init(void)
+NTSTATUS vfs_acl_tdb_init(void)
{
return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "acl_tdb", skel_op_tuples);
}