s3/posix_acls: add default ACL style "everyone"
authorRalph Boehme <slow@samba.org>
Tue, 17 Oct 2017 13:18:52 +0000 (15:18 +0200)
committerJeremy Allison <jra@samba.org>
Tue, 7 Nov 2017 23:20:07 +0000 (00:20 +0100)
This synthesizes an ACL with a single ACE with full permissions for
everyone. Not used for now, this comes later.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
docs-xml/manpages/vfs_acl_tdb.8.xml
docs-xml/manpages/vfs_acl_xattr.8.xml
source3/smbd/posix_acls.c
source3/smbd/proto.h

index e36ccd91aa251435cf38e06a4a5db1645954d3fc..58cc0914c22daf7d255e9774b1799b7fb6c59a9c 100644 (file)
@@ -89,7 +89,7 @@
                </varlistentry>
 
                <varlistentry>
-               <term>acl_tdb:default acl style = [posix|windows]</term>
+               <term>acl_tdb:default acl style = [posix|windows|everyone]</term>
                <listitem>
                <para>
                This parameter determines the type of ACL that is synthesized in
                owner and <emphasis>NT Authority\SYSTEM</emphasis>.
                </para>
                <para>
+               When set to <emphasis>everyone</emphasis>, an ACL is synthesized
+               giving full permissions to everyone (S-1-1-0).
+               </para>
+               <para>
                The default for this option is <emphasis>posix</emphasis>.
                </para>
                </listitem>
index 43731f7ee92927521854ecee953c5b879eaf3d01..f70e17c6ffea1647a55a7cce5ec0c585ebbae5b1 100644 (file)
@@ -93,7 +93,7 @@
                </varlistentry>
 
                <varlistentry>
-               <term>acl_xattr:default acl style = [posix|windows]</term>
+               <term>acl_xattr:default acl style = [posix|windows|everyone]</term>
                <listitem>
                <para>
                This parameter determines the type of ACL that is synthesized in
                owner and <emphasis>NT Authority\SYSTEM</emphasis>.
                </para>
                <para>
+               When set to <emphasis>everyone</emphasis>, an ACL is synthesized
+               giving full permissions to everyone (S-1-1-0).
+               </para>
+               <para>
                The default for this option is <emphasis>posix</emphasis>.
                </para>
                </listitem>
index 7337c5e8ecb31a210b327a9286219dcf32bf6f3c..e4b16b9c3b408605fca399cf367c2c79545758a9 100644 (file)
@@ -5037,9 +5037,61 @@ static NTSTATUS make_default_acl_windows(TALLOC_CTX *ctx,
        return NT_STATUS_OK;
 }
 
+static NTSTATUS make_default_acl_everyone(TALLOC_CTX *ctx,
+                                         const char *name,
+                                         SMB_STRUCT_STAT *psbuf,
+                                         struct security_descriptor **ppdesc)
+{
+       struct dom_sid owner_sid, group_sid;
+       size_t size = 0;
+       struct security_ace aces[1];
+       mode_t mode = psbuf->st_ex_mode;
+       struct security_acl *new_dacl = NULL;
+       int idx = 0;
+
+       DBG_DEBUG("file [%s] mode [0%o]\n", name, (int)mode);
+
+       uid_to_sid(&owner_sid, psbuf->st_ex_uid);
+       gid_to_sid(&group_sid, psbuf->st_ex_gid);
+
+       /*
+        * We provide one ACEs: full access for everyone
+        */
+
+       init_sec_ace(&aces[idx],
+                    &global_sid_World,
+                    SEC_ACE_TYPE_ACCESS_ALLOWED,
+                    SEC_RIGHTS_FILE_ALL,
+                    0);
+       idx++;
+
+       new_dacl = make_sec_acl(ctx,
+                               NT4_ACL_REVISION,
+                               idx,
+                               aces);
+
+       if (!new_dacl) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       *ppdesc = make_sec_desc(ctx,
+                               SECURITY_DESCRIPTOR_REVISION_1,
+                               SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
+                               &owner_sid,
+                               &group_sid,
+                               NULL,
+                               new_dacl,
+                               &size);
+       if (!*ppdesc) {
+               return NT_STATUS_NO_MEMORY;
+       }
+       return NT_STATUS_OK;
+}
+
 static const struct enum_list default_acl_style_list[] = {
        {DEFAULT_ACL_POSIX,     "posix"},
-       {DEFAULT_ACL_WINDOWS,   "windows"}
+       {DEFAULT_ACL_WINDOWS,   "windows"},
+       {DEFAULT_ACL_EVERYONE,  "everyone"},
 };
 
 const struct enum_list *get_default_acl_style_list(void)
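Review bot: make_default_acl_everyone() hands SEC_RIGHTS_FILE_ALL to global_sid_World with no comment on what is then expected to restrict access. As far as I know that mask also carries the standard rights (WRITE_DAC, WRITE_OWNER, DELETE), so once a descriptor synthesized here is honoured, any principal whose token contains S-1-1-0 can change the ACL or the owner. I would put a header comment on the function, e.g. `/* Deliberately permissive: a single ALLOW ACE with full rights for Everyone (S-1-1-0); callers must rely on another layer for access control. */`, and correct the inline comment to `We provide one ACE: full access for everyone`. Separately, `default_acl_style_list` still closes without a sentinel entry; the code that walks it (the body of get_default_acl_style_list and its callers are outside this hunk) presumably stops on a NULL name, so please confirm whether a terminator such as `{-1, NULL}` is needed.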
@@ -5065,6 +5117,10 @@ NTSTATUS make_default_filesystem_acl(
                status =  make_default_acl_windows(ctx, name, psbuf, ppdesc);
                break;
 
+       case DEFAULT_ACL_EVERYONE:
+               status =  make_default_acl_everyone(ctx, name, psbuf, ppdesc);
+               break;
+
        default:
                DBG_ERR("unknown acl style %d", acl_style);
                status = NT_STATUS_INTERNAL_ERROR;
index 2e40711df41e3ce7ced8dc9ccf3c442bf3d82ce6..c85a6cccd5b02d555af336d3a636b5931a2e3a8a 100644 (file)
@@ -806,7 +806,7 @@ int posix_sys_acl_blob_get_fd(vfs_handle_struct *handle,
                              char **blob_description,
                              DATA_BLOB *blob);
 
-enum default_acl_style {DEFAULT_ACL_POSIX, DEFAULT_ACL_WINDOWS};
+enum default_acl_style {DEFAULT_ACL_POSIX, DEFAULT_ACL_WINDOWS, DEFAULT_ACL_EVERYONE};
 
 const struct enum_list *get_default_acl_style_list(void);