#include "trans2.h"
#include "passdb/lookup_sid.h"
#include "auth.h"
+#include "../librpc/gen_ndr/idmap.h"
+#include "lib/param/loadparm.h"
extern const struct generic_mapping file_generic_mapping;
enum ace_owner {UID_ACE, GID_ACE, WORLD_ACE};
enum ace_attribute {ALLOW_ACE, DENY_ACE}; /* Used for incoming NT ACLS. */
-typedef union posix_id {
- uid_t uid;
- gid_t gid;
- int world;
-} posix_id;
-
typedef struct canon_ace {
struct canon_ace *next, *prev;
SMB_ACL_TAG_T type;
struct dom_sid trustee;
enum ace_owner owner_type;
enum ace_attribute attr;
- posix_id unix_ug;
+ struct unixid unix_ug;
uint8_t ace_flags; /* From windows ACE entry. */
} canon_ace;
struct pai_entry *next, *prev;
uint8_t ace_flags;
enum ace_owner owner_type;
- posix_id unix_ug;
+ struct unixid unix_ug;
};
struct pai_val {
{
switch (paie->owner_type) {
case UID_ACE:
- DEBUG(10,("get_pai_entry_val: uid = %u\n", (unsigned int)paie->unix_ug.uid ));
- return (uint32_t)paie->unix_ug.uid;
+ DEBUG(10,("get_pai_entry_val: uid = %u\n", (unsigned int)paie->unix_ug.id ));
+ return (uint32_t)paie->unix_ug.id;
case GID_ACE:
- DEBUG(10,("get_pai_entry_val: gid = %u\n", (unsigned int)paie->unix_ug.gid ));
- return (uint32_t)paie->unix_ug.gid;
+ DEBUG(10,("get_pai_entry_val: gid = %u\n", (unsigned int)paie->unix_ug.id ));
+ return (uint32_t)paie->unix_ug.id;
case WORLD_ACE:
default:
DEBUG(10,("get_pai_entry_val: world ace\n"));
{
switch (ace_entry->owner_type) {
case UID_ACE:
- DEBUG(10,("get_entry_val: uid = %u\n", (unsigned int)ace_entry->unix_ug.uid ));
- return (uint32_t)ace_entry->unix_ug.uid;
+ DEBUG(10,("get_entry_val: uid = %u\n", (unsigned int)ace_entry->unix_ug.id ));
+ return (uint32_t)ace_entry->unix_ug.id;
case GID_ACE:
- DEBUG(10,("get_entry_val: gid = %u\n", (unsigned int)ace_entry->unix_ug.gid ));
- return (uint32_t)ace_entry->unix_ug.gid;
+ DEBUG(10,("get_entry_val: gid = %u\n", (unsigned int)ace_entry->unix_ug.id ));
+ return (uint32_t)ace_entry->unix_ug.id;
case WORLD_ACE:
default:
DEBUG(10,("get_entry_val: world ace\n"));
*store_size = PAI_V2_ENTRIES_BASE +
((num_entries + num_def_entries)*PAI_V2_ENTRY_LENGTH);
- pai_buf = (char *)SMB_MALLOC(*store_size);
+ pai_buf = talloc_array(talloc_tos(), char, *store_size);
if (!pai_buf) {
return NULL;
}
pai_buf, store_size, 0);
}
- SAFE_FREE(pai_buf);
+ TALLOC_FREE(pai_buf);
DEBUG(10,("store_inheritance_attribute: type 0x%x for file %s\n",
(unsigned int)sd_type,
struct pai_entry *paie, *paie_next;
for (paie = pal->entry_list; paie; paie = paie_next) {
paie_next = paie->next;
- SAFE_FREE(paie);
+ TALLOC_FREE(paie);
}
for (paie = pal->def_entry_list; paie; paie = paie_next) {
paie_next = paie->next;
- SAFE_FREE(paie);
+ TALLOC_FREE(paie);
}
- SAFE_FREE(pal);
+ TALLOC_FREE(pal);
}
}
paie->owner_type = (enum ace_owner)CVAL(entry_offset,0);
switch( paie->owner_type) {
case UID_ACE:
- paie->unix_ug.uid = (uid_t)IVAL(entry_offset,1);
+ paie->unix_ug.type = ID_TYPE_UID;
+ paie->unix_ug.id = (uid_t)IVAL(entry_offset,1);
DEBUG(10,("get_pai_owner_type: uid = %u\n",
- (unsigned int)paie->unix_ug.uid ));
+ (unsigned int)paie->unix_ug.id ));
break;
case GID_ACE:
- paie->unix_ug.gid = (gid_t)IVAL(entry_offset,1);
+ paie->unix_ug.type = ID_TYPE_GID;
+ paie->unix_ug.id = (gid_t)IVAL(entry_offset,1);
DEBUG(10,("get_pai_owner_type: gid = %u\n",
- (unsigned int)paie->unix_ug.gid ));
+ (unsigned int)paie->unix_ug.id ));
break;
case WORLD_ACE:
- paie->unix_ug.world = -1;
+ paie->unix_ug.type = ID_TYPE_NOT_SPECIFIED;
+ paie->unix_ug.id = -1;
DEBUG(10,("get_pai_owner_type: world ace\n"));
break;
default:
int i;
for (i = 0; i < paiv->num_entries; i++) {
- struct pai_entry *paie = SMB_MALLOC_P(struct pai_entry);
+ struct pai_entry *paie = talloc(talloc_tos(), struct pai_entry);
if (!paie) {
return NULL;
}
paie->ace_flags = SEC_ACE_FLAG_INHERITED_ACE;
if (!get_pai_owner_type(paie, entry_offset)) {
- SAFE_FREE(paie);
+ TALLOC_FREE(paie);
return NULL;
}
return NULL;
}
- paiv = SMB_MALLOC_P(struct pai_val);
+ paiv = talloc(talloc_tos(), struct pai_val);
if (!paiv) {
return NULL;
}
unsigned int i;
for (i = 0; i < num_entries; i++) {
- struct pai_entry *paie = SMB_MALLOC_P(struct pai_entry);
+ struct pai_entry *paie = talloc(talloc_tos(), struct pai_entry);
if (!paie) {
return NULL;
}
paie->ace_flags = CVAL(entry_offset,0);
if (!get_pai_owner_type(paie, entry_offset+1)) {
- SAFE_FREE(paie);
+ TALLOC_FREE(paie);
return NULL;
}
if (!def_entry) {
return NULL;
}
- paiv = SMB_MALLOC_P(struct pai_val);
+ paiv = talloc(talloc_tos(), struct pai_val);
if (!paiv) {
return NULL;
}
return NULL;
}
- if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL) {
+ if ((pai_buf = talloc_array(talloc_tos(), char, pai_buf_size)) == NULL) {
return NULL;
}
}
/* Buffer too small - enlarge it. */
pai_buf_size *= 2;
- SAFE_FREE(pai_buf);
+ TALLOC_FREE(pai_buf);
if (pai_buf_size > 1024*1024) {
return NULL; /* Limit malloc to 1mb. */
}
- if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL)
+ if ((pai_buf = talloc_array(talloc_tos(), char, pai_buf_size)) == NULL)
return NULL;
}
} while (ret == -1);
if (errno != ENOSYS)
DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
#endif
- SAFE_FREE(pai_buf);
+ TALLOC_FREE(pai_buf);
return NULL;
}
(unsigned int)paiv->sd_type, fsp_str_dbg(fsp)));
}
- SAFE_FREE(pai_buf);
+ TALLOC_FREE(pai_buf);
return paiv;
}
return NULL;
}
- if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL) {
+ if ((pai_buf = talloc_array(talloc_tos(), char, pai_buf_size)) == NULL) {
return NULL;
}
}
/* Buffer too small - enlarge it. */
pai_buf_size *= 2;
- SAFE_FREE(pai_buf);
+ TALLOC_FREE(pai_buf);
if (pai_buf_size > 1024*1024) {
return NULL; /* Limit malloc to 1mb. */
}
- if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL)
+ if ((pai_buf = talloc_array(talloc_tos(), char, pai_buf_size)) == NULL)
return NULL;
}
} while (ret == -1);
if (errno != ENOSYS)
DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
#endif
- SAFE_FREE(pai_buf);
+ TALLOC_FREE(pai_buf);
return NULL;
}
fname));
}
- SAFE_FREE(pai_buf);
+ TALLOC_FREE(pai_buf);
return paiv;
}
for (list = l_head; list; list = next) {
next = list->next;
DLIST_REMOVE(l_head, list);
- SAFE_FREE(list);
+ TALLOC_FREE(list);
}
}
static canon_ace *dup_canon_ace( canon_ace *src_ace)
{
- canon_ace *dst_ace = SMB_MALLOC_P(canon_ace);
+ canon_ace *dst_ace = talloc(talloc_tos(), canon_ace);
if (dst_ace == NULL)
return NULL;
dbgtext( "canon_ace index %d. Type = %s ", num, pace->attr == ALLOW_ACE ? "allow" : "deny" );
dbgtext( "SID = %s ", sid_string_dbg(&pace->trustee));
if (pace->owner_type == UID_ACE) {
- const char *u_name = uidtoname(pace->unix_ug.uid);
- dbgtext( "uid %u (%s) ", (unsigned int)pace->unix_ug.uid, u_name );
+ const char *u_name = uidtoname(pace->unix_ug.id);
+ dbgtext( "uid %u (%s) ", (unsigned int)pace->unix_ug.id, u_name );
} else if (pace->owner_type == GID_ACE) {
- char *g_name = gidtoname(pace->unix_ug.gid);
- dbgtext( "gid %u (%s) ", (unsigned int)pace->unix_ug.gid, g_name );
+ char *g_name = gidtoname(pace->unix_ug.id);
+ dbgtext( "gid %u (%s) ", (unsigned int)pace->unix_ug.id, g_name );
} else
dbgtext( "other ");
switch (pace->type) {
Map POSIX ACL perms to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
****************************************************************************/
-static mode_t convert_permset_to_mode_t(connection_struct *conn, SMB_ACL_PERMSET_T permset)
+static mode_t convert_permset_to_mode_t(SMB_ACL_PERMSET_T permset)
{
mode_t ret = 0;
- ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_READ) ? S_IRUSR : 0);
- ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_WRITE) ? S_IWUSR : 0);
- ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_EXECUTE) ? S_IXUSR : 0);
+ ret |= (sys_acl_get_perm(permset, SMB_ACL_READ) ? S_IRUSR : 0);
+ ret |= (sys_acl_get_perm(permset, SMB_ACL_WRITE) ? S_IWUSR : 0);
+ ret |= (sys_acl_get_perm(permset, SMB_ACL_EXECUTE) ? S_IXUSR : 0);
return ret;
}
static int map_acl_perms_to_permset(connection_struct *conn, mode_t mode, SMB_ACL_PERMSET_T *p_permset)
{
- if (SMB_VFS_SYS_ACL_CLEAR_PERMS(conn, *p_permset) == -1)
+ if (sys_acl_clear_perms(*p_permset) == -1)
return -1;
if (mode & S_IRUSR) {
- if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_READ) == -1)
+ if (sys_acl_add_perm(*p_permset, SMB_ACL_READ) == -1)
return -1;
}
if (mode & S_IWUSR) {
- if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_WRITE) == -1)
+ if (sys_acl_add_perm(*p_permset, SMB_ACL_WRITE) == -1)
return -1;
}
if (mode & S_IXUSR) {
- if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_EXECUTE) == -1)
+ if (sys_acl_add_perm(*p_permset, SMB_ACL_EXECUTE) == -1)
return -1;
}
return 0;
}
/****************************************************************************
- Merge aces with a common sid - if both are allow or deny, OR the permissions together and
+ Merge aces with a common UID or GID - if both are allow or deny, OR the permissions together and
delete the second one. If the first is deny, mask the permissions off and delete the allow
if the permissions become zero, delete the deny if the permissions are non zero.
****************************************************************************/
/* For file ACLs we can merge if the SIDs and ALLOW/DENY
* types are the same. For directory acls we must also
- * ensure the POSIX ACL types are the same. */
+ * ensure the POSIX ACL types are the same.
+ *
+ * For the IDMAP_BOTH case, we must not merge
+ * the UID and GID ACE values for same SID
+ */
if (!dir_acl) {
- can_merge = (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) &&
- (curr_ace->attr == curr_ace_outer->attr));
+ can_merge = (curr_ace->unix_ug.id == curr_ace_outer->unix_ug.id &&
+ curr_ace->owner_type == curr_ace_outer->owner_type &&
+ (curr_ace->attr == curr_ace_outer->attr));
} else {
- can_merge = (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) &&
- (curr_ace->type == curr_ace_outer->type) &&
- (curr_ace->attr == curr_ace_outer->attr));
+ can_merge = (curr_ace->unix_ug.id == curr_ace_outer->unix_ug.id &&
+ curr_ace->owner_type == curr_ace_outer->owner_type &&
+ (curr_ace->type == curr_ace_outer->type) &&
+ (curr_ace->attr == curr_ace_outer->attr));
}
if (can_merge) {
curr_ace_outer->perms |= curr_ace->perms;
curr_ace_outer->ace_flags |= curr_ace->ace_flags;
DLIST_REMOVE(l_head, curr_ace);
- SAFE_FREE(curr_ace);
+ TALLOC_FREE(curr_ace);
curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
}
}
* we've put on the ACL, we know the deny must be the first one.
*/
- if (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) &&
- (curr_ace_outer->attr == DENY_ACE) && (curr_ace->attr == ALLOW_ACE)) {
+ if (curr_ace->unix_ug.id == curr_ace_outer->unix_ug.id &&
+ (curr_ace->owner_type == curr_ace_outer->owner_type) &&
+ (curr_ace_outer->attr == DENY_ACE) && (curr_ace->attr == ALLOW_ACE)) {
if( DEBUGLVL( 10 )) {
dbgtext("merge_aces: Masking ACE's\n");
*/
DLIST_REMOVE(l_head, curr_ace);
- SAFE_FREE(curr_ace);
+ TALLOC_FREE(curr_ace);
curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
} else {
*/
DLIST_REMOVE(l_head, curr_ace_outer);
- SAFE_FREE(curr_ace_outer);
+ TALLOC_FREE(curr_ace_outer);
break;
}
}
Map NT perms to a UNIX mode_t.
****************************************************************************/
-#define FILE_SPECIFIC_READ_BITS (FILE_READ_DATA|FILE_READ_EA|FILE_READ_ATTRIBUTES)
-#define FILE_SPECIFIC_WRITE_BITS (FILE_WRITE_DATA|FILE_APPEND_DATA|FILE_WRITE_EA|FILE_WRITE_ATTRIBUTES)
+#define FILE_SPECIFIC_READ_BITS (FILE_READ_DATA|FILE_READ_EA)
+#define FILE_SPECIFIC_WRITE_BITS (FILE_WRITE_DATA|FILE_APPEND_DATA|FILE_WRITE_EA)
#define FILE_SPECIFIC_EXECUTE_BITS (FILE_EXECUTE)
static mode_t map_nt_perms( uint32 *mask, int type)
/* Get the initial bits to apply. */
if (is_directory) {
- and_bits = lp_dir_security_mask(params->service);
- or_bits = lp_force_dir_security_mode(params->service);
+ and_bits = lp_dir_mask(params->service);
+ or_bits = lp_force_dir_mode(params->service);
} else {
- and_bits = lp_security_mask(params->service);
- or_bits = lp_force_security_mode(params->service);
+ and_bits = lp_create_mask(params->service);
+ or_bits = lp_force_create_mode(params->service);
}
/* Now bounce them into the S_USR space. */
static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, canon_ace *group_ace )
{
- const char *u_name = NULL;
-
/* "Everyone" always matches every uid. */
if (dom_sid_equal(&group_ace->trustee, &global_sid_World))
* if it's the current user, we already have the unix token
* and don't need to do the complex user_in_group_sid() call
*/
- if (uid_ace->unix_ug.uid == get_current_uid(conn)) {
+ if (uid_ace->unix_ug.id == get_current_uid(conn)) {
const struct security_unix_token *curr_utok = NULL;
size_t i;
- if (group_ace->unix_ug.gid == get_current_gid(conn)) {
+ if (group_ace->unix_ug.id == get_current_gid(conn)) {
return True;
}
curr_utok = get_current_utok(conn);
for (i=0; i < curr_utok->ngroups; i++) {
- if (group_ace->unix_ug.gid == curr_utok->groups[i]) {
+ if (group_ace->unix_ug.id == curr_utok->groups[i]) {
return True;
}
}
}
- /* u_name talloc'ed off tos. */
- u_name = uidtoname(uid_ace->unix_ug.uid);
- if (!u_name) {
- return False;
- }
-
/*
- * user_in_group_sid() uses create_token_from_username()
+ * user_in_group_sid() uses create_token_from_sid()
* which creates an artificial NT token given just a username,
* so this is not reliable for users from foreign domains
* exported by winbindd!
*/
- return user_in_group_sid(u_name, &group_ace->trustee);
+ return user_sid_in_group_sid(&uid_ace->trustee, &group_ace->trustee);
}
/****************************************************************************
type.
****************************************************************************/
-static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace,
- const struct share_params *params,
- const bool is_directory,
- const struct dom_sid *pfile_owner_sid,
- const struct dom_sid *pfile_grp_sid,
- const SMB_STRUCT_STAT *pst,
- bool setting_acl)
+static bool ensure_canon_entry_valid(connection_struct *conn,
+ canon_ace **pp_ace,
+ bool is_default_acl,
+ const struct share_params *params,
+ const bool is_directory,
+ const struct dom_sid *pfile_owner_sid,
+ const struct dom_sid *pfile_grp_sid,
+ const SMB_STRUCT_STAT *pst,
+ bool setting_acl)
{
canon_ace *pace;
- bool got_user = False;
- bool got_grp = False;
- bool got_other = False;
+ canon_ace *pace_user = NULL;
+ canon_ace *pace_group = NULL;
canon_ace *pace_other = NULL;
for (pace = *pp_ace; pace; pace = pace->next) {
if (pace->type == SMB_ACL_USER_OBJ) {
- if (setting_acl)
+ if (setting_acl && !is_default_acl) {
apply_default_perms(params, is_directory, pace, S_IRUSR);
- got_user = True;
+ }
+ pace_user = pace;
} else if (pace->type == SMB_ACL_GROUP_OBJ) {
* Ensure create mask/force create mode is respected on set.
*/
- if (setting_acl)
+ if (setting_acl && !is_default_acl) {
apply_default_perms(params, is_directory, pace, S_IRGRP);
- got_grp = True;
+ }
+ pace_group = pace;
} else if (pace->type == SMB_ACL_OTHER) {
* Ensure create mask/force create mode is respected on set.
*/
- if (setting_acl)
+ if (setting_acl && !is_default_acl) {
apply_default_perms(params, is_directory, pace, S_IROTH);
- got_other = True;
+ }
pace_other = pace;
+
+ } else if (pace->type == SMB_ACL_USER || pace->type == SMB_ACL_GROUP) {
+
+ /*
+ * Ensure create mask/force create mode is respected on set.
+ */
+
+ if (setting_acl && !is_default_acl) {
+ apply_default_perms(params, is_directory, pace, S_IRGRP);
+ }
}
}
- if (!got_user) {
- if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
+ if (!pace_user) {
+ if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
return False;
}
ZERO_STRUCTP(pace);
pace->type = SMB_ACL_USER_OBJ;
pace->owner_type = UID_ACE;
- pace->unix_ug.uid = pst->st_ex_uid;
+ pace->unix_ug.type = ID_TYPE_UID;
+ pace->unix_ug.id = pst->st_ex_uid;
pace->trustee = *pfile_owner_sid;
pace->attr = ALLOW_ACE;
+ /* Start with existing permissions, principle of least
+ surprises for the user. */
+ pace->perms = pst->st_ex_mode;
if (setting_acl) {
/* See if the owning user is in any of the other groups in
- the ACE. If so, OR in the permissions from that group. */
+ the ACE, or if there's a matching user entry (by uid
+ or in the case of ID_TYPE_BOTH by SID).
+ If so, OR in the permissions from that entry. */
- bool group_matched = False;
canon_ace *pace_iter;
for (pace_iter = *pp_ace; pace_iter; pace_iter = pace_iter->next) {
- if (pace_iter->type == SMB_ACL_GROUP_OBJ || pace_iter->type == SMB_ACL_GROUP) {
- if (uid_entry_in_group(conn, pace, pace_iter)) {
+ if (pace_iter->type == SMB_ACL_USER &&
+ pace_iter->unix_ug.id == pace->unix_ug.id) {
+ pace->perms |= pace_iter->perms;
+ } else if (pace_iter->type == SMB_ACL_GROUP_OBJ || pace_iter->type == SMB_ACL_GROUP) {
+ if (dom_sid_equal(&pace->trustee, &pace_iter->trustee)) {
+ pace->perms |= pace_iter->perms;
+ } else if (uid_entry_in_group(conn, pace, pace_iter)) {
pace->perms |= pace_iter->perms;
- group_matched = True;
}
}
}
- /* If we only got an "everyone" perm, just use that. */
- if (!group_matched) {
- if (got_other)
+ if (pace->perms == 0) {
+ /* If we only got an "everyone" perm, just use that. */
+ if (pace_other)
pace->perms = pace_other->perms;
- else
- pace->perms = 0;
}
- apply_default_perms(params, is_directory, pace, S_IRUSR);
+ if (!is_default_acl) {
+ apply_default_perms(params, is_directory, pace, S_IRUSR);
+ }
} else {
pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRUSR, S_IWUSR, S_IXUSR);
}
DLIST_ADD(*pp_ace, pace);
+ pace_user = pace;
}
- if (!got_grp) {
- if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
+ if (!pace_group) {
+ if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
return False;
}
ZERO_STRUCTP(pace);
pace->type = SMB_ACL_GROUP_OBJ;
pace->owner_type = GID_ACE;
- pace->unix_ug.uid = pst->st_ex_gid;
+ pace->unix_ug.type = ID_TYPE_GID;
+ pace->unix_ug.id = pst->st_ex_gid;
pace->trustee = *pfile_grp_sid;
pace->attr = ALLOW_ACE;
if (setting_acl) {
/* If we only got an "everyone" perm, just use that. */
- if (got_other)
+ if (pace_other)
pace->perms = pace_other->perms;
else
pace->perms = 0;
- apply_default_perms(params, is_directory, pace, S_IRGRP);
+ if (!is_default_acl) {
+ apply_default_perms(params, is_directory, pace, S_IRGRP);
+ }
} else {
pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRGRP, S_IWGRP, S_IXGRP);
}
DLIST_ADD(*pp_ace, pace);
+ pace_group = pace;
}
- if (!got_other) {
- if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
+ if (!pace_other) {
+ if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
return False;
}
ZERO_STRUCTP(pace);
pace->type = SMB_ACL_OTHER;
pace->owner_type = WORLD_ACE;
- pace->unix_ug.world = -1;
+ pace->unix_ug.type = ID_TYPE_NOT_SPECIFIED;
+ pace->unix_ug.id = -1;
pace->trustee = global_sid_World;
pace->attr = ALLOW_ACE;
if (setting_acl) {
pace->perms = 0;
- apply_default_perms(params, is_directory, pace, S_IROTH);
+ if (!is_default_acl) {
+ apply_default_perms(params, is_directory, pace, S_IROTH);
+ }
} else
pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IROTH, S_IWOTH, S_IXOTH);
DLIST_ADD(*pp_ace, pace);
+ pace_other = pace;
+ }
+
+ if (setting_acl) {
+ /* Ensure when setting a POSIX ACL, that the uid for a
+ SMB_ACL_USER_OBJ ACE (the owner ACE entry) has a duplicate
+ permission entry as an SMB_ACL_USER, and a gid for a
+ SMB_ACL_GROUP_OBJ ACE (the primary group ACE entry) also has
+ a duplicate permission entry as an SMB_ACL_GROUP. If not,
+ then if the ownership or group ownership of this file or
+ directory gets changed, the user or group can lose their
+ access. */
+ bool got_duplicate_user = false;
+ bool got_duplicate_group = false;
+
+ for (pace = *pp_ace; pace; pace = pace->next) {
+ if (pace->type == SMB_ACL_USER &&
+ pace->unix_ug.id == pace_user->unix_ug.id) {
+ /* Already got one. */
+ got_duplicate_user = true;
+ } else if (pace->type == SMB_ACL_GROUP &&
+ pace->unix_ug.id == pace_user->unix_ug.id) {
+ /* Already got one. */
+ got_duplicate_group = true;
+ } else if ((pace->type == SMB_ACL_GROUP)
+ && (dom_sid_equal(&pace->trustee, &pace_user->trustee))) {
+ /* If the SID owning the file appears
+ * in a group entry, then we have
+ * enough duplication, they will still
+ * have access */
+ got_duplicate_user = true;
+ }
+ }
+
+ /* If the SID is equal for the user and group that we need
+ to add the duplicate for, add only the group */
+ if (!got_duplicate_user && !got_duplicate_group
+ && dom_sid_equal(&pace_group->trustee,
+ &pace_user->trustee)) {
+ /* Add a duplicate SMB_ACL_GROUP entry, this
+ * will cover the owning SID as well, as it
+ * will always be mapped to both a uid and
+ * gid. */
+
+ if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
+ DEBUG(0,("ensure_canon_entry_valid: talloc fail.\n"));
+ return false;
+ }
+
+ ZERO_STRUCTP(pace);
+ pace->type = SMB_ACL_GROUP;;
+ pace->owner_type = GID_ACE;
+ pace->unix_ug.type = ID_TYPE_GID;
+ pace->unix_ug.id = pace_group->unix_ug.id;
+ pace->trustee = pace_group->trustee;
+ pace->attr = pace_group->attr;
+ pace->perms = pace_group->perms;
+
+ DLIST_ADD(*pp_ace, pace);
+
+ /* We're done here, make sure the
+ statements below are not executed. */
+ got_duplicate_user = true;
+ got_duplicate_group = true;
+ }
+
+ if (!got_duplicate_user) {
+ /* Add a duplicate SMB_ACL_USER entry. */
+ if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
+ DEBUG(0,("ensure_canon_entry_valid: talloc fail.\n"));
+ return false;
+ }
+
+ ZERO_STRUCTP(pace);
+ pace->type = SMB_ACL_USER;;
+ pace->owner_type = UID_ACE;
+ pace->unix_ug.type = ID_TYPE_UID;
+ pace->unix_ug.id = pace_user->unix_ug.id;
+ pace->trustee = pace_user->trustee;
+ pace->attr = pace_user->attr;
+ pace->perms = pace_user->perms;
+
+ DLIST_ADD(*pp_ace, pace);
+
+ got_duplicate_user = true;
+ }
+
+ if (!got_duplicate_group) {
+ /* Add a duplicate SMB_ACL_GROUP entry. */
+ if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
+ DEBUG(0,("ensure_canon_entry_valid: talloc fail.\n"));
+ return false;
+ }
+
+ ZERO_STRUCTP(pace);
+ pace->type = SMB_ACL_GROUP;;
+ pace->owner_type = GID_ACE;
+ pace->unix_ug.type = ID_TYPE_GID;
+ pace->unix_ug.id = pace_group->unix_ug.id;
+ pace->trustee = pace_group->trustee;
+ pace->attr = pace_group->attr;
+ pace->perms = pace_group->perms;
+
+ DLIST_ADD(*pp_ace, pace);
+
+ got_duplicate_group = true;
+ }
+
}
return True;
Check if a POSIX ACL has the required SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries.
If it does not have them, check if there are any entries where the trustee is the
file owner or the owning group, and map these to SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ.
+ Note we must not do this to default directory ACLs.
****************************************************************************/
static void check_owning_objs(canon_ace *ace, struct dom_sid *pfile_owner_sid, struct dom_sid *pfile_grp_sid)
DEBUG(10,("check_owning_objs: ACL is missing an owning group entry.\n"));
}
-/****************************************************************************
- If an ACE entry is SMB_ACL_USER_OBJ and not CREATOR_OWNER, map to SMB_ACL_USER.
- If an ACE entry is SMB_ACL_GROUP_OBJ and not CREATOR_GROUP, map to SMB_ACL_GROUP
-****************************************************************************/
-
-static bool dup_owning_ace(canon_ace *dir_ace, canon_ace *ace)
+static bool add_current_ace_to_acl(files_struct *fsp, struct security_ace *psa,
+ canon_ace **file_ace, canon_ace **dir_ace,
+ bool *got_file_allow, bool *got_dir_allow,
+ bool *all_aces_are_inherit_only,
+ canon_ace *current_ace)
{
- /* dir ace must be followings.
- SMB_ACL_USER_OBJ : trustee(CREATOR_OWNER) -> Posix ACL d:u::perm
- SMB_ACL_USER : not trustee -> Posix ACL u:user:perm
- SMB_ACL_USER_OBJ : trustee -> convert to SMB_ACL_USER : trustee
- Posix ACL u:trustee:perm
-
- SMB_ACL_GROUP_OBJ: trustee(CREATOR_GROUP) -> Posix ACL d:g::perm
- SMB_ACL_GROUP : not trustee -> Posix ACL g:group:perm
- SMB_ACL_GROUP_OBJ: trustee -> convert to SMB_ACL_GROUP : trustee
- Posix ACL g:trustee:perm
- */
- if (ace->type == SMB_ACL_USER_OBJ &&
- !(dom_sid_equal(&ace->trustee, &global_sid_Creator_Owner))) {
- canon_ace *dup_ace = dup_canon_ace(ace);
+ /*
+ * Map the given NT permissions into a UNIX mode_t containing only
+ * S_I(R|W|X)USR bits.
+ */
- if (dup_ace == NULL) {
- return false;
+ current_ace->perms |= map_nt_perms( &psa->access_mask, S_IRUSR);
+ current_ace->attr = (psa->type == SEC_ACE_TYPE_ACCESS_ALLOWED) ? ALLOW_ACE : DENY_ACE;
+
+ /* Store the ace_flag. */
+ current_ace->ace_flags = psa->flags;
+
+ /*
+ * Now add the created ace to either the file list, the directory
+ * list, or both. We *MUST* preserve the order here (hence we use
+ * DLIST_ADD_END) as NT ACLs are order dependent.
+ */
+
+ if (fsp->is_directory) {
+
+ /*
+ * We can only add to the default POSIX ACE list if the ACE is
+ * designed to be inherited by both files and directories.
+ */
+
+ if ((psa->flags & (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) ==
+ (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) {
+
+ canon_ace *current_dir_ace = current_ace;
+ DLIST_ADD_END(*dir_ace, current_ace, canon_ace *);
+
+ /*
+ * Note if this was an allow ace. We can't process
+ * any further deny ace's after this.
+ */
+
+ if (current_ace->attr == ALLOW_ACE)
+ *got_dir_allow = True;
+
+ if ((current_ace->attr == DENY_ACE) && *got_dir_allow) {
+ DEBUG(0,("add_current_ace_to_acl: "
+ "malformed ACL in "
+ "inheritable ACL! Deny entry "
+ "after Allow entry. Failing "
+ "to set on file %s.\n",
+ fsp_str_dbg(fsp)));
+ return False;
+ }
+
+ if( DEBUGLVL( 10 )) {
+ dbgtext("add_current_ace_to_acl: adding dir ACL:\n");
+ print_canon_ace( current_ace, 0);
+ }
+
+ /*
+ * If this is not an inherit only ACE we need to add a duplicate
+ * to the file acl.
+ */
+
+ if (!(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
+ canon_ace *dup_ace = dup_canon_ace(current_ace);
+
+ if (!dup_ace) {
+ DEBUG(0,("add_current_ace_to_acl: malloc fail !\n"));
+ return False;
+ }
+
+ /*
+ * We must not free current_ace here as its
+ * pointer is now owned by the dir_ace list.
+ */
+ current_ace = dup_ace;
+ /* We've essentially split this ace into two,
+ * and added the ace with inheritance request
+ * bits to the directory ACL. Drop those bits for
+ * the ACE we're adding to the file list. */
+ current_ace->ace_flags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT|
+ SEC_ACE_FLAG_CONTAINER_INHERIT|
+ SEC_ACE_FLAG_INHERIT_ONLY);
+ } else {
+ /*
+ * We must not free current_ace here as its
+ * pointer is now owned by the dir_ace list.
+ */
+ current_ace = NULL;
+ }
+
+ /*
+ * current_ace is now either owned by file_ace
+ * or is NULL. We can safely operate on current_dir_ace
+ * to treat mapping for default acl entries differently
+ * than access acl entries.
+ */
+
+ if (current_dir_ace->owner_type == UID_ACE) {
+ /*
+ * We already decided above this is a uid,
+ * for default acls ace's only CREATOR_OWNER
+ * maps to ACL_USER_OBJ. All other uid
+ * ace's are ACL_USER.
+ */
+ if (dom_sid_equal(¤t_dir_ace->trustee,
+ &global_sid_Creator_Owner)) {
+ current_dir_ace->type = SMB_ACL_USER_OBJ;
+ } else {
+ current_dir_ace->type = SMB_ACL_USER;
+ }
+ }
+
+ if (current_dir_ace->owner_type == GID_ACE) {
+ /*
+ * We already decided above this is a gid,
+ * for default acls ace's only CREATOR_GROUP
+ * maps to ACL_GROUP_OBJ. All other uid
+ * ace's are ACL_GROUP.
+ */
+ if (dom_sid_equal(¤t_dir_ace->trustee,
+ &global_sid_Creator_Group)) {
+ current_dir_ace->type = SMB_ACL_GROUP_OBJ;
+ } else {
+ current_dir_ace->type = SMB_ACL_GROUP;
+ }
+ }
}
- dup_ace->type = SMB_ACL_USER;
- DLIST_ADD_END(dir_ace, dup_ace, canon_ace *);
}
- if (ace->type == SMB_ACL_GROUP_OBJ &&
- !(dom_sid_equal(&ace->trustee, &global_sid_Creator_Group))) {
- canon_ace *dup_ace = dup_canon_ace(ace);
+ /*
+ * Only add to the file ACL if not inherit only.
+ */
+
+ if (current_ace && !(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
+ DLIST_ADD_END(*file_ace, current_ace, canon_ace *);
- if (dup_ace == NULL) {
- return false;
+ /*
+ * Note if this was an allow ace. We can't process
+ * any further deny ace's after this.
+ */
+
+ if (current_ace->attr == ALLOW_ACE)
+ *got_file_allow = True;
+
+ if ((current_ace->attr == DENY_ACE) && got_file_allow) {
+ DEBUG(0,("add_current_ace_to_acl: malformed "
+ "ACL in file ACL ! Deny entry after "
+ "Allow entry. Failing to set on file "
+ "%s.\n", fsp_str_dbg(fsp)));
+ return False;
}
- dup_ace->type = SMB_ACL_GROUP;
- DLIST_ADD_END(dir_ace, dup_ace, canon_ace *);
+
+ if( DEBUGLVL( 10 )) {
+ dbgtext("add_current_ace_to_acl: adding file ACL:\n");
+ print_canon_ace( current_ace, 0);
+ }
+ *all_aces_are_inherit_only = False;
+ /*
+ * We must not free current_ace here as its
+ * pointer is now owned by the file_ace list.
+ */
+ current_ace = NULL;
}
+ /*
+ * Free if ACE was not added.
+ */
+
+ TALLOC_FREE(current_ace);
return true;
}
* Create a canon_ace entry representing this NT DACL ACE.
*/
- if ((current_ace = SMB_MALLOC_P(canon_ace)) == NULL) {
+ if ((current_ace = talloc(talloc_tos(), canon_ace)) == NULL) {
free_canon_ace_list(file_ace);
free_canon_ace_list(dir_ace);
DEBUG(0,("create_canon_ace_lists: malloc fail.\n"));
if( dom_sid_equal(¤t_ace->trustee, &global_sid_World)) {
current_ace->owner_type = WORLD_ACE;
- current_ace->unix_ug.world = -1;
+ current_ace->unix_ug.type = ID_TYPE_NOT_SPECIFIED;
+ current_ace->unix_ug.id = -1;
current_ace->type = SMB_ACL_OTHER;
} else if (dom_sid_equal(¤t_ace->trustee, &global_sid_Creator_Owner)) {
current_ace->owner_type = UID_ACE;
- current_ace->unix_ug.uid = pst->st_ex_uid;
+ current_ace->unix_ug.type = ID_TYPE_UID;
+ current_ace->unix_ug.id = pst->st_ex_uid;
current_ace->type = SMB_ACL_USER_OBJ;
/*
} else if (dom_sid_equal(¤t_ace->trustee, &global_sid_Creator_Group)) {
current_ace->owner_type = GID_ACE;
- current_ace->unix_ug.gid = pst->st_ex_gid;
+ current_ace->unix_ug.type = ID_TYPE_GID;
+ current_ace->unix_ug.id = pst->st_ex_gid;
current_ace->type = SMB_ACL_GROUP_OBJ;
/*
*/
psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
- } else if (sid_to_uid( ¤t_ace->trustee, ¤t_ace->unix_ug.uid)) {
- current_ace->owner_type = UID_ACE;
- /* If it's the owning user, this is a user_obj, not
- * a user. */
- if (current_ace->unix_ug.uid == pst->st_ex_uid) {
- current_ace->type = SMB_ACL_USER_OBJ;
- } else {
- current_ace->type = SMB_ACL_USER;
- }
- } else if (sid_to_gid( ¤t_ace->trustee, ¤t_ace->unix_ug.gid)) {
- current_ace->owner_type = GID_ACE;
- /* If it's the primary group, this is a group_obj, not
- * a group. */
- if (current_ace->unix_ug.gid == pst->st_ex_gid) {
- current_ace->type = SMB_ACL_GROUP_OBJ;
- } else {
- current_ace->type = SMB_ACL_GROUP;
- }
} else {
- /*
- * Silently ignore map failures in non-mappable SIDs (NT Authority, BUILTIN etc).
- */
+ struct unixid unixid;
- if (non_mappable_sid(&psa->trustee)) {
- DEBUG(10, ("create_canon_ace_lists: ignoring "
- "non-mappable SID %s\n",
- sid_string_dbg(&psa->trustee)));
- SAFE_FREE(current_ace);
- continue;
- }
-
- if (lp_force_unknown_acl_user(SNUM(fsp->conn))) {
- DEBUG(10, ("create_canon_ace_lists: ignoring "
- "unknown or foreign SID %s\n",
- sid_string_dbg(&psa->trustee)));
- SAFE_FREE(current_ace);
- continue;
+ if (!sids_to_unixids(¤t_ace->trustee, 1, &unixid)) {
+ free_canon_ace_list(file_ace);
+ free_canon_ace_list(dir_ace);
+ TALLOC_FREE(current_ace);
+ DEBUG(0, ("create_canon_ace_lists: sids_to_unixids "
+ "failed for %s (allocation failure)\n",
+ sid_string_dbg(¤t_ace->trustee)));
+ return false;
}
- free_canon_ace_list(file_ace);
- free_canon_ace_list(dir_ace);
- DEBUG(0, ("create_canon_ace_lists: unable to map SID "
- "%s to uid or gid.\n",
- sid_string_dbg(¤t_ace->trustee)));
- SAFE_FREE(current_ace);
- return False;
- }
-
- /*
- * Map the given NT permissions into a UNIX mode_t containing only
- * S_I(R|W|X)USR bits.
- */
-
- current_ace->perms |= map_nt_perms( &psa->access_mask, S_IRUSR);
- current_ace->attr = (psa->type == SEC_ACE_TYPE_ACCESS_ALLOWED) ? ALLOW_ACE : DENY_ACE;
-
- /* Store the ace_flag. */
- current_ace->ace_flags = psa->flags;
-
- /*
- * Now add the created ace to either the file list, the directory
- * list, or both. We *MUST* preserve the order here (hence we use
- * DLIST_ADD_END) as NT ACLs are order dependent.
- */
-
- if (fsp->is_directory) {
-
- /*
- * We can only add to the default POSIX ACE list if the ACE is
- * designed to be inherited by both files and directories.
- */
-
- if ((psa->flags & (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) ==
- (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) {
-
- DLIST_ADD_END(dir_ace, current_ace, canon_ace *);
-
- /*
- * Note if this was an allow ace. We can't process
- * any further deny ace's after this.
- */
-
- if (current_ace->attr == ALLOW_ACE)
- got_dir_allow = True;
+ if (unixid.type == ID_TYPE_BOTH) {
+ /* If it's the owning user, this is a
+ * user_obj, not a user. This way, we
+ * get a valid ACL for groups that own
+ * files, without putting user ACL
+ * entries in for groups otherwise */
+ if (unixid.id == pst->st_ex_uid) {
+ current_ace->owner_type = UID_ACE;
+ current_ace->unix_ug.type = ID_TYPE_UID;
+ current_ace->unix_ug.id = unixid.id;
+ current_ace->type = SMB_ACL_USER_OBJ;
+
+ /* Add the user object to the posix ACL,
+ and proceed to the group mapping
+ below. This handles the talloc_free
+ of current_ace if not added for some
+ reason */
+ if (!add_current_ace_to_acl(fsp,
+ psa,
+ &file_ace,
+ &dir_ace,
+ &got_file_allow,
+ &got_dir_allow,
+ &all_aces_are_inherit_only,
+ current_ace)) {
+ free_canon_ace_list(file_ace);
+ free_canon_ace_list(dir_ace);
+ return false;
+ }
- if ((current_ace->attr == DENY_ACE) && got_dir_allow) {
- DEBUG(0,("create_canon_ace_lists: "
- "malformed ACL in "
- "inheritable ACL! Deny entry "
- "after Allow entry. Failing "
- "to set on file %s.\n",
- fsp_str_dbg(fsp)));
- free_canon_ace_list(file_ace);
- free_canon_ace_list(dir_ace);
- return False;
- }
+ if ((current_ace = talloc(talloc_tos(),
+ canon_ace)) == NULL) {
+ free_canon_ace_list(file_ace);
+ free_canon_ace_list(dir_ace);
+ DEBUG(0,("create_canon_ace_lists: "
+ "malloc fail.\n"));
+ return False;
+ }
- if( DEBUGLVL( 10 )) {
- dbgtext("create_canon_ace_lists: adding dir ACL:\n");
- print_canon_ace( current_ace, 0);
+ ZERO_STRUCTP(current_ace);
}
- /*
- * We have a lossy mapping: directory ACE entries
- * CREATOR_OWNER ------\
- * (map to) +---> SMB_ACL_USER_OBJ
- * owning sid ------/
- *
- * CREATOR_GROUP ------\
- * (map to) +---> SMB_ACL_GROUP_OBJ
- * primary group sid --/
- *
- * on set. And on read of a directory ACL
- *
- * SMB_ACL_USER_OBJ ----> CREATOR_OWNER
- * SMB_ACL_GROUP_OBJ ---> CREATOR_GROUP.
- *
- * Deal with this on set by duplicating
- * owning sid and primary group sid ACE
- * entries into the directory ACL.
- * Fix from Tsukasa Hamano <hamano@osstech.co.jp>.
- */
+ sid_copy(¤t_ace->trustee, &psa->trustee);
- if (!dup_owning_ace(dir_ace, current_ace)) {
- DEBUG(0,("create_canon_ace_lists: malloc fail !\n"));
- free_canon_ace_list(file_ace);
- free_canon_ace_list(dir_ace);
- return false;
+ current_ace->unix_ug.type = ID_TYPE_GID;
+ current_ace->unix_ug.id = unixid.id;
+ current_ace->owner_type = GID_ACE;
+ /* If it's the primary group, this is a
+ group_obj, not a group. */
+ if (current_ace->unix_ug.id == pst->st_ex_gid) {
+ current_ace->type = SMB_ACL_GROUP_OBJ;
+ } else {
+ current_ace->type = SMB_ACL_GROUP;
}
+ } else if (unixid.type == ID_TYPE_UID) {
+ current_ace->owner_type = UID_ACE;
+ current_ace->unix_ug.type = ID_TYPE_UID;
+ current_ace->unix_ug.id = unixid.id;
+ /* If it's the owning user, this is a user_obj,
+ not a user. */
+ if (current_ace->unix_ug.id == pst->st_ex_uid) {
+ current_ace->type = SMB_ACL_USER_OBJ;
+ } else {
+ current_ace->type = SMB_ACL_USER;
+ }
+ } else if (unixid.type == ID_TYPE_GID) {
+ current_ace->unix_ug.type = ID_TYPE_GID;
+ current_ace->unix_ug.id = unixid.id;
+ current_ace->owner_type = GID_ACE;
+ /* If it's the primary group, this is a
+ group_obj, not a group. */
+ if (current_ace->unix_ug.id == pst->st_ex_gid) {
+ current_ace->type = SMB_ACL_GROUP_OBJ;
+ } else {
+ current_ace->type = SMB_ACL_GROUP;
+ }
+ } else {
/*
- * If this is not an inherit only ACE we need to add a duplicate
- * to the file acl.
+ * Silently ignore map failures in non-mappable SIDs (NT Authority, BUILTIN etc).
*/
- if (!(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
- canon_ace *dup_ace = dup_canon_ace(current_ace);
-
- if (!dup_ace) {
- DEBUG(0,("create_canon_ace_lists: malloc fail !\n"));
- free_canon_ace_list(file_ace);
- free_canon_ace_list(dir_ace);
- return False;
- }
-
- /*
- * We must not free current_ace here as its
- * pointer is now owned by the dir_ace list.
- */
- current_ace = dup_ace;
- /* We've essentially split this ace into two,
- * and added the ace with inheritance request
- * bits to the directory ACL. Drop those bits for
- * the ACE we're adding to the file list. */
- current_ace->ace_flags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT|
- SEC_ACE_FLAG_CONTAINER_INHERIT|
- SEC_ACE_FLAG_INHERIT_ONLY);
- } else {
- /*
- * We must not free current_ace here as its
- * pointer is now owned by the dir_ace list.
- */
- current_ace = NULL;
+ if (non_mappable_sid(&psa->trustee)) {
+ DEBUG(10, ("create_canon_ace_lists: ignoring "
+ "non-mappable SID %s\n",
+ sid_string_dbg(&psa->trustee)));
+ TALLOC_FREE(current_ace);
+ continue;
}
- }
- }
-
- /*
- * Only add to the file ACL if not inherit only.
- */
-
- if (current_ace && !(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
- DLIST_ADD_END(file_ace, current_ace, canon_ace *);
-
- /*
- * Note if this was an allow ace. We can't process
- * any further deny ace's after this.
- */
- if (current_ace->attr == ALLOW_ACE)
- got_file_allow = True;
+ if (lp_force_unknown_acl_user(SNUM(fsp->conn))) {
+ DEBUG(10, ("create_canon_ace_lists: ignoring "
+ "unknown or foreign SID %s\n",
+ sid_string_dbg(&psa->trustee)));
+ TALLOC_FREE(current_ace);
+ continue;
+ }
- if ((current_ace->attr == DENY_ACE) && got_file_allow) {
- DEBUG(0,("create_canon_ace_lists: malformed "
- "ACL in file ACL ! Deny entry after "
- "Allow entry. Failing to set on file "
- "%s.\n", fsp_str_dbg(fsp)));
free_canon_ace_list(file_ace);
free_canon_ace_list(dir_ace);
- return False;
- }
-
- if( DEBUGLVL( 10 )) {
- dbgtext("create_canon_ace_lists: adding file ACL:\n");
- print_canon_ace( current_ace, 0);
+ DEBUG(0, ("create_canon_ace_lists: unable to map SID "
+ "%s to uid or gid.\n",
+ sid_string_dbg(¤t_ace->trustee)));
+ TALLOC_FREE(current_ace);
+ return false;
}
- all_aces_are_inherit_only = False;
- /*
- * We must not free current_ace here as its
- * pointer is now owned by the file_ace list.
- */
- current_ace = NULL;
}
- /*
- * Free if ACE was not added.
- */
-
- SAFE_FREE(current_ace);
+ /* handles the talloc_free of current_ace if not added for some reason */
+ if (!add_current_ace_to_acl(fsp, psa, &file_ace, &dir_ace,
+ &got_file_allow, &got_dir_allow,
+ &all_aces_are_inherit_only, current_ace)) {
+ free_canon_ace_list(file_ace);
+ free_canon_ace_list(dir_ace);
+ return false;
+ }
}
if (fsp->is_directory && all_aces_are_inherit_only) {
dir_ace = NULL;
} else {
/*
- * Check if we have SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries in each
- * ACL. If we don't have them, check if any SMB_ACL_USER/SMB_ACL_GROUP
- * entries can be converted to *_OBJ. Usually we will already have these
- * entries in the Default ACL, and the Access ACL will not have them.
+ * Check if we have SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries in
+ * the file ACL. If we don't have them, check if any SMB_ACL_USER/SMB_ACL_GROUP
+ * entries can be converted to *_OBJ. Don't do this for the default
+ * ACL, we will create them separately for this if needed inside
+ * ensure_canon_entry_valid().
*/
if (file_ace) {
check_owning_objs(file_ace, pfile_owner_sid, pfile_grp_sid);
}
- if (dir_ace) {
- check_owning_objs(dir_ace, pfile_owner_sid, pfile_grp_sid);
- }
}
*ppfile_ace = file_ace;
*pp_ace_list = ace_list;
}
-/****************************************************************************
- Create a default mode that will be used if a security descriptor entry has
- no user/group/world entries.
-****************************************************************************/
-
-static mode_t create_default_mode(files_struct *fsp, bool interitable_mode)
-{
- int snum = SNUM(fsp->conn);
- mode_t and_bits = (mode_t)0;
- mode_t or_bits = (mode_t)0;
- mode_t mode;
-
- if (interitable_mode) {
- mode = unix_mode(fsp->conn, FILE_ATTRIBUTE_ARCHIVE,
- fsp->fsp_name, NULL);
- } else {
- mode = S_IRUSR;
- }
-
- if (fsp->is_directory)
- mode |= (S_IWUSR|S_IXUSR);
-
- /*
- * Now AND with the create mode/directory mode bits then OR with the
- * force create mode/force directory mode bits.
- */
-
- if (fsp->is_directory) {
- and_bits = lp_dir_security_mask(snum);
- or_bits = lp_force_dir_security_mode(snum);
- } else {
- and_bits = lp_security_mask(snum);
- or_bits = lp_force_security_mode(snum);
- }
-
- return ((mode & and_bits)|or_bits);
-}
-
/****************************************************************************
Unpack a struct security_descriptor into two canonical ace lists. We don't depend on this
succeeding.
uint32 security_info_sent,
const struct security_descriptor *psd)
{
- SMB_STRUCT_STAT st;
canon_ace *file_ace = NULL;
canon_ace *dir_ace = NULL;
print_canon_ace_list( "file ace - before valid", file_ace);
- st = *pst;
-
- /*
- * A default 3 element mode entry for a file should be r-- --- ---.
- * A default 3 element mode entry for a directory should be rwx --- ---.
- */
-
- st.st_ex_mode = create_default_mode(fsp, False);
-
- if (!ensure_canon_entry_valid(fsp->conn, &file_ace, fsp->conn->params,
- fsp->is_directory, pfile_owner_sid, pfile_grp_sid, &st, True)) {
+ if (!ensure_canon_entry_valid(fsp->conn, &file_ace, false, fsp->conn->params,
+ fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
free_canon_ace_list(file_ace);
free_canon_ace_list(dir_ace);
return False;
print_canon_ace_list( "dir ace - before valid", dir_ace);
- /*
- * A default inheritable 3 element mode entry for a directory should be the
- * mode Samba will use to create a file within. Ensure user rwx bits are set if
- * it's a directory.
- */
-
- st.st_ex_mode = create_default_mode(fsp, True);
-
- if (dir_ace && !ensure_canon_entry_valid(fsp->conn, &dir_ace, fsp->conn->params,
- fsp->is_directory, pfile_owner_sid, pfile_grp_sid, &st, True)) {
+ if (dir_ace && !ensure_canon_entry_valid(fsp->conn, &dir_ace, true, fsp->conn->params,
+ fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
free_canon_ace_list(file_ace);
free_canon_ace_list(dir_ace);
return False;
canon_ace *ace = NULL;
canon_ace *next_ace = NULL;
int entry_id = SMB_ACL_FIRST_ENTRY;
+ bool is_default_acl = (the_acl_type == SMB_ACL_TYPE_DEFAULT);
SMB_ACL_ENTRY_T entry;
size_t ace_count;
- while ( posix_acl && (SMB_VFS_SYS_ACL_GET_ENTRY(conn, posix_acl, entry_id, &entry) == 1)) {
+ while ( posix_acl && (sys_acl_get_entry(posix_acl, entry_id, &entry) == 1)) {
SMB_ACL_TAG_T tagtype;
SMB_ACL_PERMSET_T permset;
struct dom_sid sid;
- posix_id unix_ug;
+ struct unixid unix_ug;
enum ace_owner owner_type;
entry_id = SMB_ACL_NEXT_ENTRY;
/* Is this a MASK entry ? */
- if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) == -1)
+ if (sys_acl_get_tag_type(entry, &tagtype) == -1)
continue;
- if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1)
+ if (sys_acl_get_permset(entry, &permset) == -1)
continue;
/* Decide which SID to use based on the ACL type. */
case SMB_ACL_USER_OBJ:
/* Get the SID from the owner. */
sid_copy(&sid, powner);
- unix_ug.uid = psbuf->st_ex_uid;
+ unix_ug.type = ID_TYPE_UID;
+ unix_ug.id = psbuf->st_ex_uid;
owner_type = UID_ACE;
break;
case SMB_ACL_USER:
{
- uid_t *puid = (uid_t *)SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry);
+ uid_t *puid = (uid_t *)sys_acl_get_qualifier(entry);
if (puid == NULL) {
DEBUG(0,("canonicalise_acl: Failed to get uid.\n"));
continue;
}
uid_to_sid( &sid, *puid);
- unix_ug.uid = *puid;
+ unix_ug.type = ID_TYPE_UID;
+ unix_ug.id = *puid;
owner_type = UID_ACE;
- SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)puid,tagtype);
break;
}
case SMB_ACL_GROUP_OBJ:
/* Get the SID from the owning group. */
sid_copy(&sid, pgroup);
- unix_ug.gid = psbuf->st_ex_gid;
+ unix_ug.type = ID_TYPE_GID;
+ unix_ug.id = psbuf->st_ex_gid;
owner_type = GID_ACE;
break;
case SMB_ACL_GROUP:
{
- gid_t *pgid = (gid_t *)SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry);
+ gid_t *pgid = (gid_t *)sys_acl_get_qualifier(entry);
if (pgid == NULL) {
DEBUG(0,("canonicalise_acl: Failed to get gid.\n"));
continue;
}
gid_to_sid( &sid, *pgid);
- unix_ug.gid = *pgid;
+ unix_ug.type = ID_TYPE_GID;
+ unix_ug.id = *pgid;
owner_type = GID_ACE;
- SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)pgid,tagtype);
break;
}
case SMB_ACL_MASK:
- acl_mask = convert_permset_to_mode_t(conn, permset);
+ acl_mask = convert_permset_to_mode_t(permset);
continue; /* Don't count the mask as an entry. */
case SMB_ACL_OTHER:
/* Use the Everyone SID */
sid = global_sid_World;
- unix_ug.world = -1;
+ unix_ug.type = ID_TYPE_NOT_SPECIFIED;
+ unix_ug.id = -1;
owner_type = WORLD_ACE;
break;
default:
* Add this entry to the list.
*/
- if ((ace = SMB_MALLOC_P(canon_ace)) == NULL)
+ if ((ace = talloc(talloc_tos(), canon_ace)) == NULL)
goto fail;
ZERO_STRUCTP(ace);
ace->type = tagtype;
- ace->perms = convert_permset_to_mode_t(conn, permset);
+ ace->perms = convert_permset_to_mode_t(permset);
ace->attr = ALLOW_ACE;
ace->trustee = sid;
ace->unix_ug = unix_ug;
ace->owner_type = owner_type;
- ace->ace_flags = get_pai_flags(pal, ace, (the_acl_type == SMB_ACL_TYPE_DEFAULT));
+ ace->ace_flags = get_pai_flags(pal, ace, is_default_acl);
DLIST_ADD(l_head, ace);
}
* This next call will ensure we have at least a user/group/world set.
*/
- if (!ensure_canon_entry_valid(conn, &l_head, conn->params,
+ if (!ensure_canon_entry_valid(conn, &l_head, is_default_acl, conn->params,
S_ISDIR(psbuf->st_ex_mode), powner, pgroup,
psbuf, False))
goto fail;
* acl_mask. Ensure all DENY Entries are at the start of the list.
*/
- DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", the_acl_type == SMB_ACL_TYPE_ACCESS ? "Access" : "Default" ));
+ DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", is_default_acl ? "Default" : "Access"));
for ( ace_count = 0, ace = l_head; ace; ace = next_ace, ace_count++) {
next_ace = ace->next;
{
connection_struct *conn = fsp->conn;
bool ret = False;
- SMB_ACL_T the_acl = SMB_VFS_SYS_ACL_INIT(conn, (int)count_canon_ace_list(the_ace) + 1);
+ SMB_ACL_T the_acl = sys_acl_init();
canon_ace *p_ace;
int i;
SMB_ACL_ENTRY_T mask_entry;
#endif
if (the_acl == NULL) {
-
- if (!no_acl_syscall_error(errno)) {
- /*
- * Only print this error message if we have some kind of ACL
- * support that's not working. Otherwise we would always get this.
- */
- DEBUG(0,("set_canon_ace_list: Unable to init %s ACL. (%s)\n",
- default_ace ? "default" : "file", strerror(errno) ));
- }
- *pacl_set_support = False;
- goto fail;
+ DEBUG(0, ("sys_acl_init failed to allocate an ACL\n"));
+ return false;
}
if( DEBUGLVL( 10 )) {
* Get the entry for this ACE.
*/
- if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &the_entry) == -1) {
+ if (sys_acl_create_entry(&the_acl, &the_entry) == -1) {
DEBUG(0,("set_canon_ace_list: Failed to create entry %d. (%s)\n",
i, strerror(errno) ));
goto fail;
* First tell the entry what type of ACE this is.
*/
- if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, the_entry, p_ace->type) == -1) {
+ if (sys_acl_set_tag_type(the_entry, p_ace->type) == -1) {
DEBUG(0,("set_canon_ace_list: Failed to set tag type on entry %d. (%s)\n",
i, strerror(errno) ));
goto fail;
*/
if ((p_ace->type == SMB_ACL_USER) || (p_ace->type == SMB_ACL_GROUP)) {
- if (SMB_VFS_SYS_ACL_SET_QUALIFIER(conn, the_entry,(void *)&p_ace->unix_ug.uid) == -1) {
+ if (sys_acl_set_qualifier(the_entry,(void *)&p_ace->unix_ug.id) == -1) {
DEBUG(0,("set_canon_ace_list: Failed to set qualifier on entry %d. (%s)\n",
i, strerror(errno) ));
goto fail;
* Convert the mode_t perms in the canon_ace to a POSIX permset.
*/
- if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, the_entry, &the_permset) == -1) {
+ if (sys_acl_get_permset(the_entry, &the_permset) == -1) {
DEBUG(0,("set_canon_ace_list: Failed to get permset on entry %d. (%s)\n",
i, strerror(errno) ));
goto fail;
* ..and apply them to the entry.
*/
- if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, the_entry, the_permset) == -1) {
+ if (sys_acl_set_permset(the_entry, the_permset) == -1) {
DEBUG(0,("set_canon_ace_list: Failed to add permset on entry %d. (%s)\n",
i, strerror(errno) ));
goto fail;
}
if (needs_mask && !got_mask_entry) {
- if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &mask_entry) == -1) {
+ if (sys_acl_create_entry(&the_acl, &mask_entry) == -1) {
DEBUG(0,("set_canon_ace_list: Failed to create mask entry. (%s)\n", strerror(errno) ));
goto fail;
}
- if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, mask_entry, SMB_ACL_MASK) == -1) {
+ if (sys_acl_set_tag_type(mask_entry, SMB_ACL_MASK) == -1) {
DEBUG(0,("set_canon_ace_list: Failed to set tag type on mask entry. (%s)\n",strerror(errno) ));
goto fail;
}
- if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, mask_entry, &mask_permset) == -1) {
+ if (sys_acl_get_permset(mask_entry, &mask_permset) == -1) {
DEBUG(0,("set_canon_ace_list: Failed to get mask permset. (%s)\n", strerror(errno) ));
goto fail;
}
goto fail;
}
- if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, mask_entry, mask_permset) == -1) {
+ if (sys_acl_set_permset(mask_entry, mask_permset) == -1) {
DEBUG(0,("set_canon_ace_list: Failed to add mask permset. (%s)\n", strerror(errno) ));
goto fail;
}
fail:
if (the_acl != NULL) {
- SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
+ TALLOC_FREE(the_acl);
}
return ret;
Find a particular canon_ace entry.
****************************************************************************/
-static struct canon_ace *canon_ace_entry_for(struct canon_ace *list, SMB_ACL_TAG_T type, posix_id *id)
+static struct canon_ace *canon_ace_entry_for(struct canon_ace *list, SMB_ACL_TAG_T type, struct unixid *id)
{
while (list) {
if (list->type == type && ((type != SMB_ACL_USER && type != SMB_ACL_GROUP) ||
- (type == SMB_ACL_USER && id && id->uid == list->unix_ug.uid) ||
- (type == SMB_ACL_GROUP && id && id->gid == list->unix_ug.gid)))
+ (type == SMB_ACL_USER && id && id->id == list->unix_ug.id) ||
+ (type == SMB_ACL_GROUP && id && id->id == list->unix_ug.id)))
break;
list = list->next;
}
if (!the_acl)
return NULL;
- if (SMB_VFS_SYS_ACL_GET_ENTRY(conn, the_acl, SMB_ACL_FIRST_ENTRY, &entry) != 1) {
- SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
+ if (sys_acl_get_entry(the_acl, SMB_ACL_FIRST_ENTRY, &entry) != 1) {
+ TALLOC_FREE(the_acl);
return NULL;
}
return the_acl;
/* Get the initial bits to apply. */
if (fsp->is_directory) {
- and_bits = lp_dir_security_mask(snum);
- or_bits = lp_force_dir_security_mode(snum);
+ and_bits = lp_dir_mask(snum);
+ or_bits = lp_force_dir_mode(snum);
} else {
- and_bits = lp_security_mask(snum);
- or_bits = lp_force_security_mode(snum);
+ and_bits = lp_create_mask(snum);
+ or_bits = lp_force_create_mode(snum);
}
*posix_perms = (((*posix_perms) & and_bits)|or_bits);
ace = canon_ace_entry_for(dir_ace, SMB_ACL_OTHER, NULL);
if (ace && !ace->perms) {
DLIST_REMOVE(dir_ace, ace);
- SAFE_FREE(ace);
+ TALLOC_FREE(ace);
ace = canon_ace_entry_for(file_ace, SMB_ACL_OTHER, NULL);
if (ace && !ace->perms) {
DLIST_REMOVE(file_ace, ace);
- SAFE_FREE(ace);
+ TALLOC_FREE(ace);
}
}
ace = canon_ace_entry_for(dir_ace, SMB_ACL_GROUP_OBJ, NULL);
if (ace && !ace->perms) {
DLIST_REMOVE(dir_ace, ace);
- SAFE_FREE(ace);
+ TALLOC_FREE(ace);
}
#endif
ace = canon_ace_entry_for(file_ace, SMB_ACL_GROUP_OBJ, NULL);
if (ace && !ace->perms) {
DLIST_REMOVE(file_ace, ace);
- SAFE_FREE(ace);
+ TALLOC_FREE(ace);
}
}
num_def_acls = count_canon_ace_list(dir_ace);
/* Allocate the ace list. */
- if ((nt_ace_list = SMB_MALLOC_ARRAY(struct security_ace,num_acls + num_profile_acls + num_def_acls)) == NULL) {
+ if ((nt_ace_list = talloc_array(talloc_tos(), struct security_ace,num_acls + num_profile_acls + num_def_acls)) == NULL) {
DEBUG(0,("get_nt_acl: Unable to malloc space for nt_ace_list.\n"));
goto done;
}
done:
if (posix_acl) {
- SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
+ TALLOC_FREE(posix_acl);
}
if (def_acl) {
- SMB_VFS_SYS_ACL_FREE_ACL(conn, def_acl);
+ TALLOC_FREE(def_acl);
}
free_canon_ace_list(file_ace);
free_canon_ace_list(dir_ace);
free_inherited_info(pal);
- SAFE_FREE(nt_ace_list);
+ TALLOC_FREE(nt_ace_list);
return NT_STATUS_OK;
}
if (posix_acl == (SMB_ACL_T)NULL)
return -1;
- while (SMB_VFS_SYS_ACL_GET_ENTRY(conn, posix_acl, entry_id, &entry) == 1) {
+ while (sys_acl_get_entry(posix_acl, entry_id, &entry) == 1) {
SMB_ACL_TAG_T tagtype;
SMB_ACL_PERMSET_T permset;
entry_id = SMB_ACL_NEXT_ENTRY;
- if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) ==-1)
+ if (sys_acl_get_tag_type(entry, &tagtype) ==-1)
break;
if (tagtype == SMB_ACL_GROUP_OBJ) {
- if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1) {
+ if (sys_acl_get_permset(entry, &permset) == -1) {
break;
} else {
*mode &= ~(S_IRGRP|S_IWGRP|S_IXGRP);
- *mode |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_READ) ? S_IRGRP : 0);
- *mode |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_WRITE) ? S_IWGRP : 0);
- *mode |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_EXECUTE) ? S_IXGRP : 0);
+ *mode |= (sys_acl_get_perm(permset, SMB_ACL_READ) ? S_IRGRP : 0);
+ *mode |= (sys_acl_get_perm(permset, SMB_ACL_WRITE) ? S_IWGRP : 0);
+ *mode |= (sys_acl_get_perm(permset, SMB_ACL_EXECUTE) ? S_IXGRP : 0);
result = 0;
break;
}
}
}
- SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
+ TALLOC_FREE(posix_acl);
return result;
}
SMB_ACL_ENTRY_T entry;
int num_entries = 0;
- while ( SMB_VFS_SYS_ACL_GET_ENTRY(conn, posix_acl, entry_id, &entry) == 1) {
+ while ( sys_acl_get_entry(posix_acl, entry_id, &entry) == 1) {
SMB_ACL_TAG_T tagtype;
SMB_ACL_PERMSET_T permset;
mode_t perms;
entry_id = SMB_ACL_NEXT_ENTRY;
- if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) == -1)
+ if (sys_acl_get_tag_type(entry, &tagtype) == -1)
return -1;
- if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1)
+ if (sys_acl_get_permset(entry, &permset) == -1)
return -1;
num_entries++;
if (map_acl_perms_to_permset(conn, perms, &permset) == -1)
return -1;
- if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, entry, permset) == -1)
+ if (sys_acl_set_permset(entry, permset) == -1)
return -1;
}
done:
- SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
+ TALLOC_FREE(posix_acl);
return ret;
}
bool has_acl = False;
SMB_ACL_ENTRY_T entry;
- if (def_acl != NULL && (SMB_VFS_SYS_ACL_GET_ENTRY(conn, def_acl, SMB_ACL_FIRST_ENTRY, &entry) == 1)) {
+ if (def_acl != NULL && (sys_acl_get_entry(def_acl, SMB_ACL_FIRST_ENTRY, &entry) == 1)) {
has_acl = True;
}
if (def_acl) {
- SMB_VFS_SYS_ACL_FREE_ACL(conn, def_acl);
+ TALLOC_FREE(def_acl);
}
return has_acl;
}
done:
- SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
+ TALLOC_FREE(posix_acl);
return ret;
}
return False;
}
- if (SMB_VFS_SYS_ACL_CLEAR_PERMS(conn, *p_permset) == -1) {
+ if (sys_acl_clear_perms(*p_permset) == -1) {
return False;
}
if (wire_perm & SMB_POSIX_ACL_READ) {
- if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_READ) == -1) {
+ if (sys_acl_add_perm(*p_permset, SMB_ACL_READ) == -1) {
return False;
}
}
if (wire_perm & SMB_POSIX_ACL_WRITE) {
- if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_WRITE) == -1) {
+ if (sys_acl_add_perm(*p_permset, SMB_ACL_WRITE) == -1) {
return False;
}
}
if (wire_perm & SMB_POSIX_ACL_EXECUTE) {
- if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_EXECUTE) == -1) {
+ if (sys_acl_add_perm(*p_permset, SMB_ACL_EXECUTE) == -1) {
return False;
}
}
static SMB_ACL_T create_posix_acl_from_wire(connection_struct *conn, uint16 num_acls, const char *pdata)
{
unsigned int i;
- SMB_ACL_T the_acl = SMB_VFS_SYS_ACL_INIT(conn, num_acls);
+ SMB_ACL_T the_acl = sys_acl_init();
if (the_acl == NULL) {
return NULL;
SMB_ACL_PERMSET_T the_permset;
SMB_ACL_TAG_T tag_type;
- if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &the_entry) == -1) {
+ if (sys_acl_create_entry(&the_acl, &the_entry) == -1) {
DEBUG(0,("create_posix_acl_from_wire: Failed to create entry %u. (%s)\n",
i, strerror(errno) ));
goto fail;
goto fail;
}
- if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, the_entry, tag_type) == -1) {
+ if (sys_acl_set_tag_type(the_entry, tag_type) == -1) {
DEBUG(0,("create_posix_acl_from_wire: Failed to set tagtype on entry %u. (%s)\n",
i, strerror(errno) ));
goto fail;
}
/* Get the permset pointer from the new ACL entry. */
- if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, the_entry, &the_permset) == -1) {
+ if (sys_acl_get_permset(the_entry, &the_permset) == -1) {
DEBUG(0,("create_posix_acl_from_wire: Failed to get permset on entry %u. (%s)\n",
i, strerror(errno) ));
goto fail;
}
/* Now apply to the new ACL entry. */
- if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, the_entry, the_permset) == -1) {
+ if (sys_acl_set_permset(the_entry, the_permset) == -1) {
DEBUG(0,("create_posix_acl_from_wire: Failed to add permset on entry %u. (%s)\n",
i, strerror(errno) ));
goto fail;
if (tag_type == SMB_ACL_USER) {
uint32 uidval = IVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE)+2);
uid_t uid = (uid_t)uidval;
- if (SMB_VFS_SYS_ACL_SET_QUALIFIER(conn, the_entry,(void *)&uid) == -1) {
+ if (sys_acl_set_qualifier(the_entry,(void *)&uid) == -1) {
DEBUG(0,("create_posix_acl_from_wire: Failed to set uid %u on entry %u. (%s)\n",
(unsigned int)uid, i, strerror(errno) ));
goto fail;
if (tag_type == SMB_ACL_GROUP) {
uint32 gidval = IVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE)+2);
gid_t gid = (uid_t)gidval;
- if (SMB_VFS_SYS_ACL_SET_QUALIFIER(conn, the_entry,(void *)&gid) == -1) {
+ if (sys_acl_set_qualifier(the_entry,(void *)&gid) == -1) {
DEBUG(0,("create_posix_acl_from_wire: Failed to set gid %u on entry %u. (%s)\n",
(unsigned int)gid, i, strerror(errno) ));
goto fail;
fail:
if (the_acl != NULL) {
- SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
+ TALLOC_FREE(the_acl);
}
return NULL;
}
if (SMB_VFS_SYS_ACL_SET_FILE(conn, fname, SMB_ACL_TYPE_DEFAULT, def_acl) == -1) {
DEBUG(5,("set_unix_posix_default_acl: acl_set_file failed on directory %s (%s)\n",
fname, strerror(errno) ));
- SMB_VFS_SYS_ACL_FREE_ACL(conn, def_acl);
+ TALLOC_FREE(def_acl);
return False;
}
DEBUG(10,("set_unix_posix_default_acl: set default acl for file %s\n", fname ));
- SMB_VFS_SYS_ACL_FREE_ACL(conn, def_acl);
+ TALLOC_FREE(def_acl);
return True;
}
SMB_ACL_ENTRY_T entry;
bool ret = False;
/* Create a new ACL with only 3 entries, u/g/w. */
- SMB_ACL_T new_file_acl = SMB_VFS_SYS_ACL_INIT(conn, 3);
+ SMB_ACL_T new_file_acl = sys_acl_init();
SMB_ACL_ENTRY_T user_ent = NULL;
SMB_ACL_ENTRY_T group_ent = NULL;
SMB_ACL_ENTRY_T other_ent = NULL;
}
/* Now create the u/g/w entries. */
- if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &new_file_acl, &user_ent) == -1) {
+ if (sys_acl_create_entry(&new_file_acl, &user_ent) == -1) {
DEBUG(5,("remove_posix_acl: Failed to create user entry for file %s. (%s)\n",
fname, strerror(errno) ));
goto done;
}
- if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, user_ent, SMB_ACL_USER_OBJ) == -1) {
+ if (sys_acl_set_tag_type(user_ent, SMB_ACL_USER_OBJ) == -1) {
DEBUG(5,("remove_posix_acl: Failed to set user entry for file %s. (%s)\n",
fname, strerror(errno) ));
goto done;
}
- if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &new_file_acl, &group_ent) == -1) {
+ if (sys_acl_create_entry(&new_file_acl, &group_ent) == -1) {
DEBUG(5,("remove_posix_acl: Failed to create group entry for file %s. (%s)\n",
fname, strerror(errno) ));
goto done;
}
- if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, group_ent, SMB_ACL_GROUP_OBJ) == -1) {
+ if (sys_acl_set_tag_type(group_ent, SMB_ACL_GROUP_OBJ) == -1) {
DEBUG(5,("remove_posix_acl: Failed to set group entry for file %s. (%s)\n",
fname, strerror(errno) ));
goto done;
}
- if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &new_file_acl, &other_ent) == -1) {
+ if (sys_acl_create_entry(&new_file_acl, &other_ent) == -1) {
DEBUG(5,("remove_posix_acl: Failed to create other entry for file %s. (%s)\n",
fname, strerror(errno) ));
goto done;
}
- if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, other_ent, SMB_ACL_OTHER) == -1) {
+ if (sys_acl_set_tag_type(other_ent, SMB_ACL_OTHER) == -1) {
DEBUG(5,("remove_posix_acl: Failed to set other entry for file %s. (%s)\n",
fname, strerror(errno) ));
goto done;
goto done;
}
- while ( SMB_VFS_SYS_ACL_GET_ENTRY(conn, file_acl, entry_id, &entry) == 1) {
+ while ( sys_acl_get_entry(file_acl, entry_id, &entry) == 1) {
SMB_ACL_TAG_T tagtype;
SMB_ACL_PERMSET_T permset;
entry_id = SMB_ACL_NEXT_ENTRY;
- if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) == -1) {
+ if (sys_acl_get_tag_type(entry, &tagtype) == -1) {
DEBUG(5,("remove_posix_acl: failed to get tagtype from ACL on file %s (%s).\n",
fname, strerror(errno) ));
goto done;
}
- if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1) {
+ if (sys_acl_get_permset(entry, &permset) == -1) {
DEBUG(5,("remove_posix_acl: failed to get permset from ACL on file %s (%s).\n",
fname, strerror(errno) ));
goto done;
}
if (tagtype == SMB_ACL_USER_OBJ) {
- if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, user_ent, permset) == -1) {
+ if (sys_acl_set_permset(user_ent, permset) == -1) {
DEBUG(5,("remove_posix_acl: failed to set permset from ACL on file %s (%s).\n",
fname, strerror(errno) ));
}
} else if (tagtype == SMB_ACL_GROUP_OBJ) {
- if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, group_ent, permset) == -1) {
+ if (sys_acl_set_permset(group_ent, permset) == -1) {
DEBUG(5,("remove_posix_acl: failed to set permset from ACL on file %s (%s).\n",
fname, strerror(errno) ));
}
} else if (tagtype == SMB_ACL_OTHER) {
- if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, other_ent, permset) == -1) {
+ if (sys_acl_set_permset(other_ent, permset) == -1) {
DEBUG(5,("remove_posix_acl: failed to set permset from ACL on file %s (%s).\n",
fname, strerror(errno) ));
}
done:
if (file_acl) {
- SMB_VFS_SYS_ACL_FREE_ACL(conn, file_acl);
+ TALLOC_FREE(file_acl);
}
if (new_file_acl) {
- SMB_VFS_SYS_ACL_FREE_ACL(conn, new_file_acl);
+ TALLOC_FREE(new_file_acl);
}
return ret;
}
if (SMB_VFS_SYS_ACL_SET_FD(fsp, file_acl) == -1) {
DEBUG(5,("set_unix_posix_acl: acl_set_file failed on %s (%s)\n",
fname, strerror(errno) ));
- SMB_VFS_SYS_ACL_FREE_ACL(conn, file_acl);
+ TALLOC_FREE(file_acl);
return False;
}
} else {
if (SMB_VFS_SYS_ACL_SET_FILE(conn, fname, SMB_ACL_TYPE_ACCESS, file_acl) == -1) {
DEBUG(5,("set_unix_posix_acl: acl_set_file failed on %s (%s)\n",
fname, strerror(errno) ));
- SMB_VFS_SYS_ACL_FREE_ACL(conn, file_acl);
+ TALLOC_FREE(file_acl);
return False;
}
}
DEBUG(10,("set_unix_posix_acl: set acl for file %s\n", fname ));
- SMB_VFS_SYS_ACL_FREE_ACL(conn, file_acl);
+ TALLOC_FREE(file_acl);
return True;
}
Assume we are dealing with files (for now)
********************************************************************/
-struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname)
+struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname, uint32 security_info_wanted)
{
struct security_descriptor *psd, *ret_sd;
connection_struct *conn;
files_struct finfo;
struct fd_handle fh;
NTSTATUS status;
+ TALLOC_CTX *frame = talloc_stackframe();
- conn = talloc_zero(ctx, connection_struct);
+ conn = talloc_zero(frame, connection_struct);
if (conn == NULL) {
DEBUG(0, ("talloc failed\n"));
return NULL;
if (!(conn->params = talloc(conn, struct share_params))) {
DEBUG(0,("get_nt_acl_no_snum: talloc() failed!\n"));
- TALLOC_FREE(conn);
+ TALLOC_FREE(frame);
return NULL;
}
if (!smbd_vfs_init(conn)) {
DEBUG(0,("get_nt_acl_no_snum: Unable to create a fake connection struct!\n"));
conn_free(conn);
+ TALLOC_FREE(frame);
return NULL;
}
ZERO_STRUCT( finfo );
ZERO_STRUCT( fh );
- finfo.fnum = -1;
+ finfo.fnum = FNUM_FIELD_INVALID;
finfo.conn = conn;
finfo.fh = &fh;
finfo.fh->fd = -1;
- status = create_synthetic_smb_fname(talloc_tos(), fname, NULL, NULL,
+ status = create_synthetic_smb_fname(frame, fname, NULL, NULL,
&finfo.fsp_name);
if (!NT_STATUS_IS_OK(status)) {
conn_free(conn);
+ TALLOC_FREE(frame);
return NULL;
}
- if (!NT_STATUS_IS_OK(SMB_VFS_FGET_NT_ACL( &finfo, SECINFO_DACL, &psd))) {
+ if (!NT_STATUS_IS_OK(SMB_VFS_FGET_NT_ACL( &finfo, security_info_wanted, &psd))) {
DEBUG(0,("get_nt_acl_no_snum: get_nt_acl returned zero.\n"));
TALLOC_FREE(finfo.fsp_name);
conn_free(conn);
+ TALLOC_FREE(frame);
return NULL;
}
TALLOC_FREE(finfo.fsp_name);
conn_free(conn);
+ TALLOC_FREE(frame);
return ret_sd;
}