to specific bits every time a security descriptor is set. The S4 torture suite proves
that generic bits are not returned when querying an ACL set using them (i.e. only
the specific bits are stored on disk).
Jeremy.
/* The following definitions come from lib/util_seaccess.c */
void se_map_generic(uint32 *access_mask, const struct generic_mapping *mapping);
+void security_acl_map_generic(struct security_acl *sa, const struct generic_mapping *mapping);
void se_map_standard(uint32 *access_mask, struct standard_mapping *mapping);
bool se_access_check(const SEC_DESC *sd, const NT_USER_TOKEN *token,
uint32 acc_desired, uint32 *acc_granted,
}
}
+/* Map generic access rights to object specific rights for all the ACE's
+ * in a security_acl.
+ */
+
+void security_acl_map_generic(struct security_acl *sa,
+ const struct generic_mapping *mapping)
+{
+ unsigned int i;
+
+ if (!sa) {
+ return;
+ }
+
+ for (i = 0; i < sa->num_aces; i++) {
+ se_map_generic(&sa->aces[i].access_mask, mapping);
+ }
+}
+
/* Map standard access rights to object specific rights. This technique is
used to give meaning to assigning read, write, execute and all access to
objects. Each type of object has its own mapping of standard to object
connection_struct *conn = NULL;
int snum;
char *oldcwd = NULL;
+ struct security_descriptor *psd = NULL;
+ uint32_t security_info_sent = 0;
ZERO_STRUCT(st);
goto error_exit;
}
+ psd = r->in.sd_buf->sd;
+ security_info_sent = r->in.securityinformation;
+
+ if (psd->owner_sid==0) {
+ security_info_sent &= ~OWNER_SECURITY_INFORMATION;
+ }
+ if (psd->group_sid==0) {
+ security_info_sent &= ~GROUP_SECURITY_INFORMATION;
+ }
+ if (psd->sacl==0) {
+ security_info_sent &= ~SACL_SECURITY_INFORMATION;
+ }
+ if (psd->dacl==0) {
+ security_info_sent &= ~DACL_SECURITY_INFORMATION;
+ }
+
+ /* Convert all the generic bits. */
+ security_acl_map_generic(psd->dacl, &file_generic_mapping);
+ security_acl_map_generic(psd->sacl, &file_generic_mapping);
+
nt_status = SMB_VFS_FSET_NT_ACL(fsp,
- r->in.securityinformation,
- r->in.sd_buf->sd);
+ security_info_sent,
+ psd);
if (!NT_STATUS_IS_OK(nt_status) ) {
DEBUG(3,("_srvsvc_NetSetFileSecurity: Unable to set NT ACL "
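Review bot: `psd = r->in.sd_buf->sd;` is dereferenced immediately afterwards (`psd->owner_sid`), whereas the removed lines passed `r->in.sd_buf->sd` straight to SMB_VFS_FSET_NT_ACL, so any NULL tolerance that existed at the VFS sink is lost here. If the IDL allows sd_buf or its sd member to be NULL (they are client-controlled), a malformed request now crashes the RPC server; the function already has an error_exit path, so guard before use: `if (r->in.sd_buf == NULL || (psd = r->in.sd_buf->sd) == NULL) { nt_status = NT_STATUS_INVALID_PARAMETER; goto error_exit; }`. Note also that the mapping mutates the request's descriptor in place, which is fine here but worth a one-line comment. The enclosing function starts and ends outside this hunk.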
static NTSTATUS set_sd(files_struct *fsp, uint8 *data, uint32 sd_len,
uint32 security_info_sent)
{
+ extern const struct generic_mapping file_generic_mapping;
SEC_DESC *psd = NULL;
NTSTATUS status;
security_info_sent &= ~DACL_SECURITY_INFORMATION;
}
+ /* Convert all the generic bits. */
+ security_acl_map_generic(psd->dacl, &file_generic_mapping);
+ security_acl_map_generic(psd->sacl, &file_generic_mapping);
+
status = SMB_VFS_FSET_NT_ACL(fsp, security_info_sent, psd);
TALLOC_FREE(psd);
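Review bot: The `extern const struct generic_mapping file_generic_mapping;` declared inside set_sd should come from a header (the same one that now declares security_acl_map_generic) rather than a function-local extern: a local declaration is never checked against the real definition, so a change in its type or const-ness elsewhere compiles silently. The mapping on psd->dacl/psd->sacl relies on psd having been NULL-checked earlier in this function, which is outside the hunk, so I could not confirm it here. set_sd continues past the end of this hunk.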
fsp->access_mask = FILE_GENERIC_ALL;
+ /* Convert all the generic bits. */
+ security_acl_map_generic(sd->dacl, &file_generic_mapping);
+ security_acl_map_generic(sd->sacl, &file_generic_mapping);
+
status = SMB_VFS_FSET_NT_ACL(fsp, sec_info_sent, sd);
fsp->access_mask = saved_access_mask;
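Review bot: The same "convert all the generic bits" pair now precedes every SMB_VFS_FSET_NT_ACL call in this commit (here, nttrans set_sd and _srvsvc_NetSetFileSecurity), which makes the on-disk invariant in the commit message depend on each caller remembering it; a future caller, or a VFS module invoking fset_nt_acl directly, would store generic bits again. Consider doing the mapping once at the sink (the default set_nt_acl implementation, or a single wrapper these three sites call) and documenting there that only specific bits are persisted. As it stands this hunk is correct given the surrounding `sd != NULL` handling, which I infer from the sd->dacl dereference but cannot see; the enclosing function starts and ends outside the hunk.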