pai_buf, pai_buf_size);
} else {
ret = SMB_VFS_GETXATTR(fsp->conn,
- fsp->fsp_name->base_name,
+ fsp->fsp_name,
SAMBA_POSIX_INHERITANCE_EA_NAME,
pai_buf, pai_buf_size);
}
************************************************************************/
static struct pai_val *load_inherited_info(const struct connection_struct *conn,
- const char *fname)
+ const struct smb_filename *smb_fname)
{
char *pai_buf;
size_t pai_buf_size = 1024;
}
do {
- ret = SMB_VFS_GETXATTR(conn, fname,
+ ret = SMB_VFS_GETXATTR(conn, smb_fname,
SAMBA_POSIX_INHERITANCE_EA_NAME,
pai_buf, pai_buf_size);
}
} while (ret == -1);
- DEBUG(10,("load_inherited_info: ret = %lu for file %s\n", (unsigned long)ret, fname));
+ DEBUG(10,("load_inherited_info: ret = %lu for file %s\n",
+ (unsigned long)ret, smb_fname->base_name));
if (ret == -1) {
/* No attribute or not supported. */
if (paiv) {
DEBUG(10,("load_inherited_info: ACL type 0x%x for file %s\n",
(unsigned int)paiv->sd_type,
- fname));
+ smb_fname->base_name));
}
TALLOC_FREE(pai_buf);
static void print_canon_ace(canon_ace *pace, int num)
{
+ struct dom_sid_buf buf;
dbgtext( "canon_ace index %d. Type = %s ", num, pace->attr == ALLOW_ACE ? "allow" : "deny" );
- dbgtext( "SID = %s ", sid_string_dbg(&pace->trustee));
+ dbgtext( "SID = %s ", dom_sid_str_buf(&pace->trustee, &buf));
if (pace->owner_type == UID_ACE) {
dbgtext( "uid %u ", (unsigned int)pace->unix_ug.id);
} else if (pace->owner_type == GID_ACE) {
Map generic UNIX permissions to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
****************************************************************************/
-static mode_t unix_perms_to_acl_perms(mode_t mode, int r_mask, int w_mask, int x_mask)
+mode_t unix_perms_to_acl_perms(mode_t mode, int r_mask, int w_mask, int x_mask)
{
mode_t ret = 0;
an SMB_ACL_PERMSET_T.
****************************************************************************/
-static int map_acl_perms_to_permset(connection_struct *conn, mode_t mode, SMB_ACL_PERMSET_T *p_permset)
+int map_acl_perms_to_permset(mode_t mode, SMB_ACL_PERMSET_T *p_permset)
{
if (sys_acl_clear_perms(*p_permset) == -1)
return -1;
* reasonably */
*puser = get_current_uid(conn);
} else {
- DEBUG(3,("unpack_nt_owners: unable to validate"
- " owner sid for %s\n",
- sid_string_dbg(psd->owner_sid)));
+ struct dom_sid_buf buf;
+ DBG_NOTICE("unable to validate"
+ " owner sid for %s\n",
+ dom_sid_str_buf(psd->owner_sid,
+ &buf));
return NT_STATUS_INVALID_OWNER;
}
}
static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, canon_ace *group_ace )
{
+ bool is_sid = false;
+ bool has_sid = false;
+ struct security_token *security_token = NULL;
+
/* "Everyone" always matches every uid. */
if (dom_sid_equal(&group_ace->trustee, &global_sid_World))
return True;
+ /*
+ * if we have session info in conn, we already have the (SID
+ * based) NT token and don't need to do the complex
+ * user_in_group_sid() call
+ */
+ if (conn->session_info) {
+ security_token = conn->session_info->security_token;
+ /* security_token should not be NULL */
+ SMB_ASSERT(security_token);
+ is_sid = security_token_is_sid(security_token,
+ &uid_ace->trustee);
+ if (is_sid) {
+ has_sid = security_token_has_sid(security_token,
+ &group_ace->trustee);
+
+ if (has_sid) {
+ return true;
+ }
+ }
+
+ }
+
/*
* if it's the current user, we already have the unix token
* and don't need to do the complex user_in_group_sid() call
* DLIST_ADD_END) as NT ACLs are order dependent.
*/
- if (fsp->is_directory) {
+ if (fsp->fsp_flags.is_directory) {
/*
* We can only add to the default POSIX ACE list if the ACE is
canon_ace **ppdir_ace,
const struct security_acl *dacl)
{
- bool all_aces_are_inherit_only = (fsp->is_directory ? True : False);
+ bool all_aces_are_inherit_only = (fsp->fsp_flags.is_directory);
canon_ace *file_ace = NULL;
canon_ace *dir_ace = NULL;
canon_ace *current_ace = NULL;
struct unixid unixid;
if (!sids_to_unixids(¤t_ace->trustee, 1, &unixid)) {
+ struct dom_sid_buf buf;
free_canon_ace_list(file_ace);
free_canon_ace_list(dir_ace);
TALLOC_FREE(current_ace);
- DEBUG(0, ("create_canon_ace_lists: sids_to_unixids "
- "failed for %s (allocation failure)\n",
- sid_string_dbg(¤t_ace->trustee)));
+ DBG_ERR("sids_to_unixids failed for %s "
+ "(allocation failure)\n",
+ dom_sid_str_buf(¤t_ace->trustee,
+ &buf));
return false;
}
current_ace->type = SMB_ACL_GROUP;
}
} else {
+ struct dom_sid_buf buf;
/*
* Silently ignore map failures in non-mappable SIDs (NT Authority, BUILTIN etc).
*/
if (non_mappable_sid(&psa->trustee)) {
- DEBUG(10, ("create_canon_ace_lists: ignoring "
- "non-mappable SID %s\n",
- sid_string_dbg(&psa->trustee)));
+ DBG_DEBUG("ignoring "
+ "non-mappable SID %s\n",
+ dom_sid_str_buf(
+ &psa->trustee,
+ &buf));
TALLOC_FREE(current_ace);
continue;
}
if (lp_force_unknown_acl_user(SNUM(fsp->conn))) {
- DEBUG(10, ("create_canon_ace_lists: ignoring "
- "unknown or foreign SID %s\n",
- sid_string_dbg(&psa->trustee)));
+ DBG_DEBUG("ignoring unknown or "
+ "foreign SID %s\n",
+ dom_sid_str_buf(
+ &psa->trustee,
+ &buf));
TALLOC_FREE(current_ace);
continue;
}
free_canon_ace_list(file_ace);
free_canon_ace_list(dir_ace);
- DEBUG(0, ("create_canon_ace_lists: unable to map SID "
- "%s to uid or gid.\n",
- sid_string_dbg(¤t_ace->trustee)));
+ DBG_ERR("unable to map SID %s to uid or "
+ "gid.\n",
+ dom_sid_str_buf(¤t_ace->trustee,
+ &buf));
TALLOC_FREE(current_ace);
return false;
}
}
}
- if (fsp->is_directory && all_aces_are_inherit_only) {
+ if (fsp->fsp_flags.is_directory && all_aces_are_inherit_only) {
/*
* Windows 2000 is doing one of these weird 'inherit acl'
* traverses to conserve NTFS ACL resources. Just pretend
{
canon_ace *file_ace = NULL;
canon_ace *dir_ace = NULL;
+ bool ok;
*ppfile_ace = NULL;
*ppdir_ace = NULL;
print_canon_ace_list( "file ace - before valid", file_ace);
- if (!ensure_canon_entry_valid_on_set(fsp->conn, &file_ace, false, fsp->conn->params,
- fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst)) {
+ ok = ensure_canon_entry_valid_on_set(
+ fsp->conn,
+ &file_ace,
+ false,
+ fsp->conn->params,
+ fsp->fsp_flags.is_directory,
+ pfile_owner_sid,
+ pfile_grp_sid,
+ pst);
+ if (!ok) {
free_canon_ace_list(file_ace);
free_canon_ace_list(dir_ace);
return False;
print_canon_ace_list( "dir ace - before valid", dir_ace);
- if (dir_ace && !ensure_canon_entry_valid_on_set(fsp->conn, &dir_ace, true, fsp->conn->params,
- fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst)) {
- free_canon_ace_list(file_ace);
- free_canon_ace_list(dir_ace);
- return False;
+ if (dir_ace != NULL) {
+ ok = ensure_canon_entry_valid_on_set(
+ fsp->conn,
+ &dir_ace,
+ true,
+ fsp->conn->params,
+ fsp->fsp_flags.is_directory,
+ pfile_owner_sid,
+ pfile_grp_sid,
+ pst);
+ if (!ok) {
+ free_canon_ace_list(file_ace);
+ free_canon_ace_list(dir_ace);
+ return False;
+ }
}
print_canon_ace_list( "file ace - return", file_ace);
/* user has writeable permission */
if (lp_dos_filemode(SNUM(conn)) &&
- can_write_to_file(conn, smb_fname)) {
+ can_write_to_file(conn,
+ smb_fname))
+ {
return true;
}
goto fail;
}
- if (map_acl_perms_to_permset(conn, p_ace->perms, &the_permset) == -1) {
+ if (map_acl_perms_to_permset(p_ace->perms, &the_permset) == -1) {
DEBUG(0,("set_canon_ace_list: Failed to create permset for mode (%u) on entry %d. (%s)\n",
(unsigned int)p_ace->perms, i, strerror(errno) ));
goto fail;
goto fail;
}
- if (map_acl_perms_to_permset(conn, S_IRUSR|S_IWUSR|S_IXUSR, &mask_permset) == -1) {
+ if (map_acl_perms_to_permset(S_IRUSR|S_IWUSR|S_IXUSR, &mask_permset) == -1) {
DEBUG(0,("set_canon_ace_list: Failed to create mask permset. (%s)\n", strerror(errno) ));
goto fail;
}
* Finally apply it to the file or directory.
*/
- if(default_ace || fsp->is_directory || fsp->fh->fd == -1) {
+ if (default_ace || fsp->fsp_flags.is_directory || fsp->fh->fd == -1) {
if (SMB_VFS_SYS_ACL_SET_FILE(conn, fsp->fsp_name,
the_acl_type, the_acl) == -1) {
/*
/* The owner must have at least read access. */
*posix_perms |= S_IRUSR;
- if (fsp->is_directory)
+ if (fsp->fsp_flags.is_directory)
*posix_perms |= (S_IWUSR|S_IXUSR);
DEBUG(10,("convert_canon_ace_to_posix_perms: converted u=%o,g=%o,w=%o "
if (nt_ace_list[i].access_mask == 0) {
nt_ace_list[j].flags = SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
(i_inh ? SEC_ACE_FLAG_INHERITED_ACE : 0);
- if (num_aces - i - 1 > 0)
- memmove(&nt_ace_list[i], &nt_ace_list[i+1], (num_aces-i-1) *
- sizeof(struct security_ace));
+ ARRAY_DEL_ELEMENT(nt_ace_list, i, num_aces);
DEBUG(10,("merge_default_aces: Merging zero access ACE %u onto ACE %u.\n",
(unsigned int)i, (unsigned int)j ));
nt_ace_list[i].flags = SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
(i_inh ? SEC_ACE_FLAG_INHERITED_ACE : 0);
- if (num_aces - j - 1 > 0)
- memmove(&nt_ace_list[j], &nt_ace_list[j+1], (num_aces-j-1) *
- sizeof(struct security_ace));
+ ARRAY_DEL_ELEMENT(nt_ace_list, j, num_aces);
DEBUG(10,("merge_default_aces: Merging ACE %u onto ACE %u.\n",
(unsigned int)j, (unsigned int)i ));
return num_aces;
}
-/*
- * Add or Replace ACE entry.
- * In some cases we need to add a specific ACE for compatibility reasons.
- * When doing that we must make sure we are not actually creating a duplicate
- * entry. So we need to search whether an ACE entry already exist and eventually
- * replacce the access mask, or add a completely new entry if none was found.
- *
- * This function assumes the array has enough space to add a new entry without
- * any reallocation of memory.
- */
-
-static void add_or_replace_ace(struct security_ace *nt_ace_list, size_t *num_aces,
- const struct dom_sid *sid, enum security_ace_type type,
- uint32_t mask, uint8_t flags)
-{
- size_t i;
-
- /* first search for a duplicate */
- for (i = 0; i < *num_aces; i++) {
- if (dom_sid_equal(&nt_ace_list[i].trustee, sid) &&
- (nt_ace_list[i].flags == flags)) break;
- }
-
- if (i < *num_aces) { /* found */
- nt_ace_list[i].type = type;
- nt_ace_list[i].access_mask = mask;
- DEBUG(10, ("Replacing ACE %zu with SID %s and flags %02x\n",
- i, sid_string_dbg(sid), flags));
- return;
- }
-
- /* not found, append it */
- init_sec_ace(&nt_ace_list[(*num_aces)++], sid, type, mask, flags);
-}
-
/****************************************************************************
Reply to query a security descriptor from an fsp. If it succeeds it allocates
canon_ace *file_ace = NULL;
canon_ace *dir_ace = NULL;
struct security_ace *nt_ace_list = NULL;
- size_t num_profile_acls = 0;
- struct dom_sid orig_owner_sid;
struct security_descriptor *psd = NULL;
/*
create_file_sids(sbuf, &owner_sid, &group_sid);
- if (lp_profile_acls(SNUM(conn))) {
- /* For WXP SP1 the owner must be administrators. */
- sid_copy(&orig_owner_sid, &owner_sid);
- sid_copy(&owner_sid, &global_sid_Builtin_Administrators);
- sid_copy(&group_sid, &global_sid_Builtin_Users);
- num_profile_acls = 3;
- }
-
if (security_info & SECINFO_DACL) {
/*
nt_ace_list = talloc_zero_array(
talloc_tos(), struct security_ace,
- num_acls + num_profile_acls + num_def_acls);
+ num_acls + num_def_acls);
if (nt_ace_list == NULL) {
DEBUG(0,("get_nt_acl: Unable to malloc space for nt_ace_list.\n"));
ace->ace_flags);
}
- /* The User must have access to a profile share - even
- * if we can't map the SID. */
- if (lp_profile_acls(SNUM(conn))) {
- add_or_replace_ace(nt_ace_list, &num_aces,
- &global_sid_Builtin_Users,
- SEC_ACE_TYPE_ACCESS_ALLOWED,
- FILE_GENERIC_ALL, 0);
- }
-
for (ace = dir_ace; ace != NULL; ace = ace->next) {
uint32_t acc = map_canon_ace_perms(SNUM(conn),
&nt_acl_type,
SEC_ACE_FLAG_INHERIT_ONLY);
}
- /* The User must have access to a profile share - even
- * if we can't map the SID. */
- if (lp_profile_acls(SNUM(conn))) {
- add_or_replace_ace(nt_ace_list, &num_aces,
- &global_sid_Builtin_Users,
- SEC_ACE_TYPE_ACCESS_ALLOWED,
- FILE_GENERIC_ALL,
- SEC_ACE_FLAG_OBJECT_INHERIT |
- SEC_ACE_FLAG_CONTAINER_INHERIT |
- SEC_ACE_FLAG_INHERIT_ONLY);
- }
-
/*
* Merge POSIX default ACLs and normal ACLs into one NT ACE.
* Win2K needs this to get the inheritance correct when replacing ACLs
*/
num_aces = merge_default_aces(nt_ace_list, num_aces);
-
- if (lp_profile_acls(SNUM(conn))) {
- size_t i;
-
- for (i = 0; i < num_aces; i++) {
- if (dom_sid_equal(&nt_ace_list[i].trustee, &owner_sid)) {
- add_or_replace_ace(nt_ace_list, &num_aces,
- &orig_owner_sid,
- nt_ace_list[i].type,
- nt_ace_list[i].access_mask,
- nt_ace_list[i].flags);
- break;
- }
- }
- }
}
if (num_aces) {
DEBUG(10,("posix_fget_nt_acl: called for file %s\n",
fsp_str_dbg(fsp)));
- /* can it happen that fsp_name == NULL ? */
- if (fsp->is_directory || fsp->fh->fd == -1) {
- status = posix_get_nt_acl(fsp->conn, fsp->fsp_name,
- security_info, mem_ctx, ppdesc);
- TALLOC_FREE(frame);
- return status;
- }
-
/* Get the stat struct for the owner info. */
if(SMB_VFS_FSTAT(fsp, &sbuf) != 0) {
TALLOC_FREE(frame);
def_acl = free_empty_sys_acl(conn, def_acl);
}
- pal = load_inherited_info(conn, smb_fname->base_name);
+ pal = load_inherited_info(conn, smb_fname);
status = posix_get_nt_acl_common(conn,
smb_fname->base_name,
NTSTATUS try_chown(files_struct *fsp, uid_t uid, gid_t gid)
{
NTSTATUS status;
+ int ret;
if(!CAN_WRITE(fsp->conn)) {
return NT_STATUS_MEDIA_WRITE_PROTECTED;
}
/* Case (1). */
- status = vfs_chown_fsp(fsp, uid, gid);
- if (NT_STATUS_IS_OK(status)) {
- return status;
+ ret = SMB_VFS_FCHOWN(fsp, uid, gid);
+ if (ret == 0) {
+ return NT_STATUS_OK;
}
/* Case (2) / (3) */
}
if (has_take_ownership_priv || has_restore_priv) {
+ status = NT_STATUS_OK;
become_root();
- status = vfs_chown_fsp(fsp, uid, gid);
+ ret = SMB_VFS_FCHOWN(fsp, uid, gid);
+ if (ret != 0) {
+ status = map_nt_error_from_unix(errno);
+ }
unbecome_root();
return status;
}
a local SID on the users workstation
*/
if (uid != get_current_uid(fsp->conn)) {
- return NT_STATUS_ACCESS_DENIED;
+ return NT_STATUS_INVALID_OWNER;
}
+ status = NT_STATUS_OK;
become_root();
/* Keep the current file gid the same. */
- status = vfs_chown_fsp(fsp, uid, (gid_t)-1);
+ ret = SMB_VFS_FCHOWN(fsp, uid, (gid_t)-1);
+ if (ret != 0) {
+ status = map_nt_error_from_unix(errno);
+ }
unbecome_root();
return status;
}
}
- if (acl_perms && acl_set_support && fsp->is_directory) {
+ if (acl_perms && acl_set_support && fsp->fsp_flags.is_directory) {
if (dir_ace_list) {
if (set_acl_as_root) {
become_root();
if (set_acl_as_root) {
become_root();
}
- sret = SMB_VFS_CHMOD(conn, fsp->fsp_name,
- posix_perms);
+ sret = SMB_VFS_FCHMOD(fsp, posix_perms);
if (set_acl_as_root) {
unbecome_root();
}
fsp_str_dbg(fsp)));
become_root();
- sret = SMB_VFS_CHMOD(conn,
- fsp->fsp_name,
- posix_perms);
+ sret = SMB_VFS_FCHMOD(fsp, posix_perms);
unbecome_root();
}
continue;
}
- if (map_acl_perms_to_permset(conn, perms, &permset) == -1)
+ if (map_acl_perms_to_permset(perms, &permset) == -1)
return -1;
if (sys_acl_set_permset(entry, permset) == -1)
return ret;
}
-/****************************************************************************
- Do a chmod by setting the ACL USER_OBJ, GROUP_OBJ and OTHER bits in an ACL
- and set the mask to rwx. Needed to preserve complex ACLs set by NT.
- Note that name is in UNIX character set.
-****************************************************************************/
-
-int chmod_acl(connection_struct *conn,
- const struct smb_filename *smb_fname,
- mode_t mode)
-{
- return copy_access_posix_acl(conn, smb_fname, smb_fname, mode);
-}
-
/****************************************************************************
Check for an existing default POSIX ACL on a directory.
****************************************************************************/
****************************************************************************/
int inherit_access_posix_acl(connection_struct *conn,
- const char *inherit_from_dir,
+ struct smb_filename *inherit_from_dir,
const struct smb_filename *smb_fname,
mode_t mode)
{
- struct smb_filename *inherit_from_fname =
- synthetic_smb_fname(talloc_tos(),
- smb_fname->base_name,
- NULL,
- NULL,
- smb_fname->flags);
- if (inherit_from_fname == NULL) {
- return-1;
- }
-
- if (directory_has_default_posix_acl(conn, inherit_from_fname))
+ if (directory_has_default_posix_acl(conn, inherit_from_dir))
return 0;
- return copy_access_posix_acl(conn, inherit_from_fname, smb_fname, mode);
-}
-
-/****************************************************************************
- Do an fchmod by setting the ACL USER_OBJ, GROUP_OBJ and OTHER bits in an ACL
- and set the mask to rwx. Needed to preserve complex ACLs set by NT.
-****************************************************************************/
-
-int fchmod_acl(files_struct *fsp, mode_t mode)
-{
- connection_struct *conn = fsp->conn;
- SMB_ACL_T posix_acl = NULL;
- int ret = -1;
-
- if ((posix_acl = SMB_VFS_SYS_ACL_GET_FD(fsp, talloc_tos())) == NULL)
- return -1;
-
- if ((ret = chmod_acl_internals(conn, posix_acl, mode)) == -1)
- goto done;
-
- ret = SMB_VFS_SYS_ACL_SET_FD(fsp, posix_acl);
-
- done:
-
- TALLOC_FREE(posix_acl);
- return ret;
+ return copy_access_posix_acl(conn, inherit_from_dir, smb_fname, mode);
}
/****************************************************************************
on the directory.
****************************************************************************/
-bool set_unix_posix_default_acl(connection_struct *conn,
- const struct smb_filename *smb_fname,
+NTSTATUS set_unix_posix_default_acl(connection_struct *conn,
+ files_struct *fsp,
uint16_t num_def_acls,
const char *pdata)
{
SMB_ACL_T def_acl = NULL;
+ NTSTATUS status;
+ int ret;
- if (!S_ISDIR(smb_fname->st.st_ex_mode)) {
- if (num_def_acls) {
- DEBUG(5,("set_unix_posix_default_acl: Can't "
- "set default ACL on non-directory file %s\n",
- smb_fname->base_name ));
- errno = EISDIR;
- return False;
- } else {
- return True;
- }
+ if (!fsp->fsp_flags.is_directory) {
+ return NT_STATUS_INVALID_HANDLE;
}
if (!num_def_acls) {
/* Remove the default ACL. */
- if (SMB_VFS_SYS_ACL_DELETE_DEF_FILE(conn, smb_fname) == -1) {
- DEBUG(5,("set_unix_posix_default_acl: acl_delete_def_file failed on directory %s (%s)\n",
- smb_fname->base_name, strerror(errno) ));
- return False;
+ ret = SMB_VFS_SYS_ACL_DELETE_DEF_FILE(conn, fsp->fsp_name);
+ if (ret == -1) {
+ status = map_nt_error_from_unix(errno);
+ DBG_INFO("acl_delete_def_file failed on "
+ "directory %s (%s)\n",
+ fsp_str_dbg(fsp),
+ strerror(errno));
+ return status;
}
- return True;
+ return NT_STATUS_OK;
}
- if ((def_acl = create_posix_acl_from_wire(conn, num_def_acls,
- pdata,
- talloc_tos())) == NULL) {
- return False;
+ def_acl = create_posix_acl_from_wire(conn,
+ num_def_acls,
+ pdata,
+ talloc_tos());
+ if (def_acl == NULL) {
+ return map_nt_error_from_unix(errno);
}
- if (SMB_VFS_SYS_ACL_SET_FILE(conn, smb_fname,
- SMB_ACL_TYPE_DEFAULT, def_acl) == -1) {
- DEBUG(5,("set_unix_posix_default_acl: acl_set_file failed on directory %s (%s)\n",
- smb_fname->base_name, strerror(errno) ));
+ ret = SMB_VFS_SYS_ACL_SET_FILE(conn,
+ fsp->fsp_name,
+ SMB_ACL_TYPE_DEFAULT,
+ def_acl);
+ if (ret == -1) {
+ status = map_nt_error_from_unix(errno);
+ DBG_INFO("acl_set_file failed on directory %s (%s)\n",
+ fsp_str_dbg(fsp),
+ strerror(errno));
TALLOC_FREE(def_acl);
- return False;
+ return status;
}
- DEBUG(10,("set_unix_posix_default_acl: set default acl for file %s\n",
- smb_fname->base_name ));
+ DBG_DEBUG("set default acl for file %s\n",
+ fsp_str_dbg(fsp));
TALLOC_FREE(def_acl);
- return True;
+ return NT_STATUS_OK;
}
/****************************************************************************
FIXME ! How does the share mask/mode fit into this.... ?
****************************************************************************/
-static bool remove_posix_acl(connection_struct *conn,
- files_struct *fsp,
- const struct smb_filename *smb_fname)
+static NTSTATUS remove_posix_acl(connection_struct *conn,
+ files_struct *fsp)
{
SMB_ACL_T file_acl = NULL;
int entry_id = SMB_ACL_FIRST_ENTRY;
SMB_ACL_ENTRY_T entry;
- bool ret = False;
- const char *fname = smb_fname->base_name;
/* Create a new ACL with only 3 entries, u/g/w. */
- SMB_ACL_T new_file_acl = sys_acl_init(talloc_tos());
+ SMB_ACL_T new_file_acl = NULL;
SMB_ACL_ENTRY_T user_ent = NULL;
SMB_ACL_ENTRY_T group_ent = NULL;
SMB_ACL_ENTRY_T other_ent = NULL;
+ NTSTATUS status;
+ int ret;
+ new_file_acl = sys_acl_init(talloc_tos());
if (new_file_acl == NULL) {
- DEBUG(5,("remove_posix_acl: failed to init new ACL with 3 entries for file %s.\n", fname));
- return False;
+ status = map_nt_error_from_unix(errno);
+ DBG_INFO("failed to init new ACL with 3 entries "
+ "for file %s %s.\n",
+ fsp_str_dbg(fsp),
+ strerror(errno));
+ goto done;
}
/* Now create the u/g/w entries. */
- if (sys_acl_create_entry(&new_file_acl, &user_ent) == -1) {
- DEBUG(5,("remove_posix_acl: Failed to create user entry for file %s. (%s)\n",
- fname, strerror(errno) ));
+ ret = sys_acl_create_entry(&new_file_acl, &user_ent);
+ if (ret == -1) {
+ status = map_nt_error_from_unix(errno);
+ DBG_INFO("Failed to create user entry for file %s. (%s)\n",
+ fsp_str_dbg(fsp),
+ strerror(errno));
goto done;
}
- if (sys_acl_set_tag_type(user_ent, SMB_ACL_USER_OBJ) == -1) {
- DEBUG(5,("remove_posix_acl: Failed to set user entry for file %s. (%s)\n",
- fname, strerror(errno) ));
+ ret = sys_acl_set_tag_type(user_ent, SMB_ACL_USER_OBJ);
+ if (ret == -1) {
+ status = map_nt_error_from_unix(errno);
+ DBG_INFO("Failed to set user entry for file %s. (%s)\n",
+ fsp_str_dbg(fsp),
+ strerror(errno));
goto done;
}
- if (sys_acl_create_entry(&new_file_acl, &group_ent) == -1) {
- DEBUG(5,("remove_posix_acl: Failed to create group entry for file %s. (%s)\n",
- fname, strerror(errno) ));
+ ret = sys_acl_create_entry(&new_file_acl, &group_ent);
+ if (ret == -1) {
+ status = map_nt_error_from_unix(errno);
+ DBG_INFO("Failed to create group entry for file %s. (%s)\n",
+ fsp_str_dbg(fsp),
+ strerror(errno));
goto done;
}
- if (sys_acl_set_tag_type(group_ent, SMB_ACL_GROUP_OBJ) == -1) {
- DEBUG(5,("remove_posix_acl: Failed to set group entry for file %s. (%s)\n",
- fname, strerror(errno) ));
+ ret = sys_acl_set_tag_type(group_ent, SMB_ACL_GROUP_OBJ);
+ if (ret == -1) {
+ status = map_nt_error_from_unix(errno);
+ DBG_INFO("Failed to set group entry for file %s. (%s)\n",
+ fsp_str_dbg(fsp),
+ strerror(errno));
goto done;
}
- if (sys_acl_create_entry(&new_file_acl, &other_ent) == -1) {
- DEBUG(5,("remove_posix_acl: Failed to create other entry for file %s. (%s)\n",
- fname, strerror(errno) ));
+ ret = sys_acl_create_entry(&new_file_acl, &other_ent);
+ if (ret == -1) {
+ status = map_nt_error_from_unix(errno);
+ DBG_INFO("Failed to create other entry for file %s. (%s)\n",
+ fsp_str_dbg(fsp),
+ strerror(errno));
goto done;
}
- if (sys_acl_set_tag_type(other_ent, SMB_ACL_OTHER) == -1) {
- DEBUG(5,("remove_posix_acl: Failed to set other entry for file %s. (%s)\n",
- fname, strerror(errno) ));
+ ret = sys_acl_set_tag_type(other_ent, SMB_ACL_OTHER);
+ if (ret == -1) {
+ status = map_nt_error_from_unix(errno);
+ DBG_INFO("Failed to set other entry for file %s. (%s)\n",
+ fsp_str_dbg(fsp),
+ strerror(errno));
goto done;
}
/* Get the current file ACL. */
- if (fsp && fsp->fh->fd != -1) {
- file_acl = SMB_VFS_SYS_ACL_GET_FD(fsp, talloc_tos());
- } else {
- file_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, smb_fname,
- SMB_ACL_TYPE_ACCESS,
- talloc_tos());
- }
+ file_acl = SMB_VFS_SYS_ACL_GET_FD(fsp, talloc_tos());
if (file_acl == NULL) {
+ status = map_nt_error_from_unix(errno);
/* This is only returned if an error occurred. Even for a file with
no acl a u/g/w acl should be returned. */
- DEBUG(5,("remove_posix_acl: failed to get ACL from file %s (%s).\n",
- fname, strerror(errno) ));
+ DBG_INFO("failed to get ACL from file %s (%s).\n",
+ fsp_str_dbg(fsp),
+ strerror(errno));
goto done;
}
entry_id = SMB_ACL_NEXT_ENTRY;
- if (sys_acl_get_tag_type(entry, &tagtype) == -1) {
- DEBUG(5,("remove_posix_acl: failed to get tagtype from ACL on file %s (%s).\n",
- fname, strerror(errno) ));
+ ret = sys_acl_get_tag_type(entry, &tagtype);
+ if (ret == -1) {
+ status = map_nt_error_from_unix(errno);
+ DBG_INFO("failed to get tagtype from ACL "
+ "on file %s (%s).\n",
+ fsp_str_dbg(fsp),
+ strerror(errno));
goto done;
}
- if (sys_acl_get_permset(entry, &permset) == -1) {
- DEBUG(5,("remove_posix_acl: failed to get permset from ACL on file %s (%s).\n",
- fname, strerror(errno) ));
+ ret = sys_acl_get_permset(entry, &permset);
+ if (ret == -1) {
+ status = map_nt_error_from_unix(errno);
+ DBG_INFO("failed to get permset from ACL "
+ "on file %s (%s).\n",
+ fsp_str_dbg(fsp),
+ strerror(errno));
goto done;
}
if (tagtype == SMB_ACL_USER_OBJ) {
- if (sys_acl_set_permset(user_ent, permset) == -1) {
- DEBUG(5,("remove_posix_acl: failed to set permset from ACL on file %s (%s).\n",
- fname, strerror(errno) ));
+ ret = sys_acl_set_permset(user_ent, permset);
+ if (ret == -1) {
+ status = map_nt_error_from_unix(errno);
+ DBG_INFO("failed to set permset from ACL "
+ "on file %s (%s).\n",
+ fsp_str_dbg(fsp),
+ strerror(errno));
+ goto done;
}
} else if (tagtype == SMB_ACL_GROUP_OBJ) {
- if (sys_acl_set_permset(group_ent, permset) == -1) {
- DEBUG(5,("remove_posix_acl: failed to set permset from ACL on file %s (%s).\n",
- fname, strerror(errno) ));
+ ret = sys_acl_set_permset(group_ent, permset);
+ if (ret == -1) {
+ status = map_nt_error_from_unix(errno);
+ DBG_INFO("failed to set permset from ACL "
+ "on file %s (%s).\n",
+ fsp_str_dbg(fsp),
+ strerror(errno));
+ goto done;
}
} else if (tagtype == SMB_ACL_OTHER) {
- if (sys_acl_set_permset(other_ent, permset) == -1) {
- DEBUG(5,("remove_posix_acl: failed to set permset from ACL on file %s (%s).\n",
- fname, strerror(errno) ));
+ ret = sys_acl_set_permset(other_ent, permset);
+ if (ret == -1) {
+ status = map_nt_error_from_unix(errno);
+ DBG_INFO("failed to set permset from ACL "
+ "on file %s (%s).\n",
+ fsp_str_dbg(fsp),
+ strerror(errno));
+ goto done;
}
}
}
/* Set the new empty file ACL. */
- if (fsp && fsp->fh->fd != -1) {
- if (SMB_VFS_SYS_ACL_SET_FD(fsp, new_file_acl) == -1) {
- DEBUG(5,("remove_posix_acl: acl_set_file failed on %s (%s)\n",
- fname, strerror(errno) ));
- goto done;
- }
- } else {
- if (SMB_VFS_SYS_ACL_SET_FILE(conn,
- smb_fname,
- SMB_ACL_TYPE_ACCESS,
- new_file_acl) == -1) {
- DEBUG(5,("remove_posix_acl: acl_set_file failed on %s (%s)\n",
- fname, strerror(errno) ));
- goto done;
- }
+ ret = SMB_VFS_SYS_ACL_SET_FD(fsp, new_file_acl);
+ if (ret == -1) {
+ status = map_nt_error_from_unix(errno);
+ DBG_INFO("acl_set_file failed on %s (%s)\n",
+ fsp_str_dbg(fsp),
+ strerror(errno));
+ goto done;
}
- ret = True;
+ status = NT_STATUS_OK;
done:
- if (file_acl) {
- TALLOC_FREE(file_acl);
- }
- if (new_file_acl) {
- TALLOC_FREE(new_file_acl);
- }
- return ret;
+ TALLOC_FREE(file_acl);
+ TALLOC_FREE(new_file_acl);
+ return status;
}
/****************************************************************************
except SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER.
****************************************************************************/
-bool set_unix_posix_acl(connection_struct *conn, files_struct *fsp,
- const struct smb_filename *smb_fname,
+NTSTATUS set_unix_posix_acl(connection_struct *conn,
+ files_struct *fsp,
uint16_t num_acls,
const char *pdata)
{
SMB_ACL_T file_acl = NULL;
- const char *fname = smb_fname->base_name;
+ int ret;
+ NTSTATUS status;
if (!num_acls) {
/* Remove the ACL from the file. */
- return remove_posix_acl(conn, fsp, smb_fname);
- }
-
- if ((file_acl = create_posix_acl_from_wire(conn, num_acls,
- pdata,
- talloc_tos())) == NULL) {
- return False;
- }
-
- if (fsp && fsp->fh->fd != -1) {
- /* The preferred way - use an open fd. */
- if (SMB_VFS_SYS_ACL_SET_FD(fsp, file_acl) == -1) {
- DEBUG(5,("set_unix_posix_acl: acl_set_file failed on %s (%s)\n",
- fname, strerror(errno) ));
- TALLOC_FREE(file_acl);
- return False;
- }
- } else {
- if (SMB_VFS_SYS_ACL_SET_FILE(conn, smb_fname,
- SMB_ACL_TYPE_ACCESS, file_acl) == -1) {
- DEBUG(5,("set_unix_posix_acl: acl_set_file failed on %s (%s)\n",
- fname, strerror(errno) ));
- TALLOC_FREE(file_acl);
- return False;
- }
+ return remove_posix_acl(conn, fsp);
}
- DEBUG(10,("set_unix_posix_acl: set acl for file %s\n", fname ));
- TALLOC_FREE(file_acl);
- return True;
-}
-
-/********************************************************************
- Pull the NT ACL from a file on disk or the OpenEventlog() access
- check. Caller is responsible for freeing the returned security
- descriptor via TALLOC_FREE(). This is designed for dealing with
- user space access checks in smbd outside of the VFS. For example,
- checking access rights in OpenEventlog() or from python.
-
-********************************************************************/
-
-NTSTATUS get_nt_acl_no_snum(TALLOC_CTX *ctx, const char *fname,
- uint32_t security_info_wanted,
- struct security_descriptor **sd)
-{
- TALLOC_CTX *frame = talloc_stackframe();
- connection_struct *conn;
- NTSTATUS status = NT_STATUS_OK;
- struct smb_filename *smb_fname = synthetic_smb_fname(talloc_tos(),
- fname,
- NULL,
- NULL,
- 0);
-
- if (smb_fname == NULL) {
- TALLOC_FREE(frame);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!posix_locking_init(false)) {
- TALLOC_FREE(frame);
- return NT_STATUS_NO_MEMORY;
+ file_acl = create_posix_acl_from_wire(conn,
+ num_acls,
+ pdata,
+ talloc_tos());
+ if (file_acl == NULL) {
+ return map_nt_error_from_unix(errno);
}
- status = create_conn_struct(ctx,
- server_event_context(),
- server_messaging_context(),
- &conn,
- -1,
- "/",
- NULL);
-
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("create_conn_struct returned %s.\n",
- nt_errstr(status)));
- TALLOC_FREE(frame);
+ ret = SMB_VFS_SYS_ACL_SET_FD(fsp, file_acl);
+ if (ret == -1) {
+ status = map_nt_error_from_unix(errno);
+ DBG_INFO("acl_set_file failed on %s (%s)\n",
+ fsp_str_dbg(fsp),
+ strerror(errno));
+ TALLOC_FREE(file_acl);
return status;
}
- status = SMB_VFS_GET_NT_ACL(conn,
- smb_fname,
- security_info_wanted,
- ctx,
- sd);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("get_nt_acl_no_snum: SMB_VFS_GET_NT_ACL returned %s.\n",
- nt_errstr(status)));
- }
-
- conn_free(conn);
- TALLOC_FREE(frame);
+ DBG_DEBUG("set acl for file %s\n",
+ fsp_str_dbg(fsp));
- return status;
+ TALLOC_FREE(file_acl);
+ return NT_STATUS_OK;
}
int posix_sys_acl_blob_get_file(vfs_handle_struct *handle,
int ret;
/* This ensures that we also consider the default ACL */
- if (fsp->is_directory || fsp->fh->fd == -1) {
+ if (fsp->fsp_flags.is_directory || fsp->fh->fd == -1) {
return posix_sys_acl_blob_get_file(handle,
fsp->fsp_name,
mem_ctx,
TALLOC_FREE(frame);
return 0;
}
+
+static NTSTATUS make_default_acl_posix(TALLOC_CTX *ctx,
+ const char *name,
+ const SMB_STRUCT_STAT *psbuf,
+ struct security_descriptor **ppdesc)
+{
+ struct dom_sid owner_sid, group_sid;
+ size_t size = 0;
+ struct security_ace aces[4];
+ uint32_t access_mask = 0;
+ mode_t mode = psbuf->st_ex_mode;
+ struct security_acl *new_dacl = NULL;
+ int idx = 0;
+
+ DBG_DEBUG("file %s mode = 0%o\n",name, (int)mode);
+
+ uid_to_sid(&owner_sid, psbuf->st_ex_uid);
+ gid_to_sid(&group_sid, psbuf->st_ex_gid);
+
+ /*
+ We provide up to 4 ACEs
+ - Owner
+ - Group
+ - Everyone
+ - NT System
+ */
+
+ if (mode & S_IRUSR) {
+ if (mode & S_IWUSR) {
+ access_mask |= SEC_RIGHTS_FILE_ALL;
+ } else {
+ access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
+ }
+ }
+ if (mode & S_IWUSR) {
+ access_mask |= SEC_RIGHTS_FILE_WRITE | SEC_STD_DELETE;
+ }
+
+ init_sec_ace(&aces[idx],
+ &owner_sid,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ access_mask,
+ 0);
+ idx++;
+
+ access_mask = 0;
+ if (mode & S_IRGRP) {
+ access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
+ }
+ if (mode & S_IWGRP) {
+ /* note that delete is not granted - this matches posix behaviour */
+ access_mask |= SEC_RIGHTS_FILE_WRITE;
+ }
+ if (access_mask) {
+ init_sec_ace(&aces[idx],
+ &group_sid,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ access_mask,
+ 0);
+ idx++;
+ }
+
+ access_mask = 0;
+ if (mode & S_IROTH) {
+ access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
+ }
+ if (mode & S_IWOTH) {
+ access_mask |= SEC_RIGHTS_FILE_WRITE;
+ }
+ if (access_mask) {
+ init_sec_ace(&aces[idx],
+ &global_sid_World,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ access_mask,
+ 0);
+ idx++;
+ }
+
+ init_sec_ace(&aces[idx],
+ &global_sid_System,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ SEC_RIGHTS_FILE_ALL,
+ 0);
+ idx++;
+
+ new_dacl = make_sec_acl(ctx,
+ NT4_ACL_REVISION,
+ idx,
+ aces);
+
+ if (!new_dacl) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ *ppdesc = make_sec_desc(ctx,
+ SECURITY_DESCRIPTOR_REVISION_1,
+ SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
+ &owner_sid,
+ &group_sid,
+ NULL,
+ new_dacl,
+ &size);
+ if (!*ppdesc) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS make_default_acl_windows(TALLOC_CTX *ctx,
+ const char *name,
+ const SMB_STRUCT_STAT *psbuf,
+ struct security_descriptor **ppdesc)
+{
+ struct dom_sid owner_sid, group_sid;
+ size_t size = 0;
+ struct security_ace aces[4];
+ uint32_t access_mask = 0;
+ mode_t mode = psbuf->st_ex_mode;
+ struct security_acl *new_dacl = NULL;
+ int idx = 0;
+
+ DBG_DEBUG("file [%s] mode [0%o]\n", name, (int)mode);
+
+ uid_to_sid(&owner_sid, psbuf->st_ex_uid);
+ gid_to_sid(&group_sid, psbuf->st_ex_gid);
+
+ /*
+ * We provide 2 ACEs:
+ * - Owner
+ * - NT System
+ */
+
+ if (mode & S_IRUSR) {
+ if (mode & S_IWUSR) {
+ access_mask |= SEC_RIGHTS_FILE_ALL;
+ } else {
+ access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
+ }
+ }
+ if (mode & S_IWUSR) {
+ access_mask |= SEC_RIGHTS_FILE_WRITE | SEC_STD_DELETE;
+ }
+
+ init_sec_ace(&aces[idx],
+ &owner_sid,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ access_mask,
+ 0);
+ idx++;
+
+ init_sec_ace(&aces[idx],
+ &global_sid_System,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ SEC_RIGHTS_FILE_ALL,
+ 0);
+ idx++;
+
+ new_dacl = make_sec_acl(ctx,
+ NT4_ACL_REVISION,
+ idx,
+ aces);
+
+ if (!new_dacl) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ *ppdesc = make_sec_desc(ctx,
+ SECURITY_DESCRIPTOR_REVISION_1,
+ SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
+ &owner_sid,
+ &group_sid,
+ NULL,
+ new_dacl,
+ &size);
+ if (!*ppdesc) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS make_default_acl_everyone(TALLOC_CTX *ctx,
+ const char *name,
+ const SMB_STRUCT_STAT *psbuf,
+ struct security_descriptor **ppdesc)
+{
+ struct dom_sid owner_sid, group_sid;
+ size_t size = 0;
+ struct security_ace aces[1];
+ mode_t mode = psbuf->st_ex_mode;
+ struct security_acl *new_dacl = NULL;
+ int idx = 0;
+
+ DBG_DEBUG("file [%s] mode [0%o]\n", name, (int)mode);
+
+ uid_to_sid(&owner_sid, psbuf->st_ex_uid);
+ gid_to_sid(&group_sid, psbuf->st_ex_gid);
+
+ /*
+ * We provide one ACEs: full access for everyone
+ */
+
+ init_sec_ace(&aces[idx],
+ &global_sid_World,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ SEC_RIGHTS_FILE_ALL,
+ 0);
+ idx++;
+
+ new_dacl = make_sec_acl(ctx,
+ NT4_ACL_REVISION,
+ idx,
+ aces);
+
+ if (!new_dacl) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ *ppdesc = make_sec_desc(ctx,
+ SECURITY_DESCRIPTOR_REVISION_1,
+ SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
+ &owner_sid,
+ &group_sid,
+ NULL,
+ new_dacl,
+ &size);
+ if (!*ppdesc) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ return NT_STATUS_OK;
+}
+
+static const struct enum_list default_acl_style_list[] = {
+ {DEFAULT_ACL_POSIX, "posix"},
+ {DEFAULT_ACL_WINDOWS, "windows"},
+ {DEFAULT_ACL_EVERYONE, "everyone"},
+};
+
+const struct enum_list *get_default_acl_style_list(void)
+{
+ return default_acl_style_list;
+}
+
+NTSTATUS make_default_filesystem_acl(
+ TALLOC_CTX *ctx,
+ enum default_acl_style acl_style,
+ const char *name,
+ const SMB_STRUCT_STAT *psbuf,
+ struct security_descriptor **ppdesc)
+{
+ NTSTATUS status;
+
+ switch (acl_style) {
+ case DEFAULT_ACL_POSIX:
+ status = make_default_acl_posix(ctx, name, psbuf, ppdesc);
+ break;
+
+ case DEFAULT_ACL_WINDOWS:
+ status = make_default_acl_windows(ctx, name, psbuf, ppdesc);
+ break;
+
+ case DEFAULT_ACL_EVERYONE:
+ status = make_default_acl_everyone(ctx, name, psbuf, ppdesc);
+ break;
+
+ default:
+ DBG_ERR("unknown acl style %d", acl_style);
+ status = NT_STATUS_INTERNAL_ERROR;
+ break;
+ }
+
+ return status;
+}
git.samba.org / samba.git / blobdiff