2 * Store Windows ACLs in data store - common functions.
3 * #included into modules/vfs_acl_xattr.c and modules/vfs_acl_tdb.c
5 * Copyright (C) Volker Lendecke, 2008
6 * Copyright (C) Jeremy Allison, 2009
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "smbd/smbd.h"
23 #include "system/filesys.h"
24 #include "../libcli/security/security.h"
25 #include "../librpc/gen_ndr/ndr_security.h"
26 #include "../lib/util/bitmap.h"
28 static NTSTATUS create_acl_blob(const struct security_descriptor *psd,
31 uint8_t hash[XATTR_SD_HASH_SIZE]);
33 static NTSTATUS get_acl_blob(TALLOC_CTX *ctx,
34 vfs_handle_struct *handle,
39 static NTSTATUS store_acl_blob_fsp(vfs_handle_struct *handle,
43 #define HASH_SECURITY_INFO (SECINFO_OWNER | \
48 /*******************************************************************
49 Hash a security descriptor.
50 *******************************************************************/
52 static NTSTATUS hash_sd_sha256(struct security_descriptor *psd,
59 memset(hash, '\0', XATTR_SD_HASH_SIZE);
60 status = create_acl_blob(psd, &blob, XATTR_SD_HASH_TYPE_SHA256, hash);
61 if (!NT_STATUS_IS_OK(status)) {
65 samba_SHA256_Init(&tctx);
66 samba_SHA256_Update(&tctx, blob.data, blob.length);
67 samba_SHA256_Final(hash, &tctx);
72 /*******************************************************************
73 Parse out a struct security_descriptor from a DATA_BLOB.
74 *******************************************************************/
76 static NTSTATUS parse_acl_blob(const DATA_BLOB *pblob,
77 struct security_descriptor **ppdesc,
78 uint16_t *p_hash_type,
79 uint8_t hash[XATTR_SD_HASH_SIZE])
81 TALLOC_CTX *ctx = talloc_tos();
82 struct xattr_NTACL xacl;
83 enum ndr_err_code ndr_err;
86 ndr_err = ndr_pull_struct_blob(pblob, ctx, &xacl,
87 (ndr_pull_flags_fn_t)ndr_pull_xattr_NTACL);
89 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
90 DEBUG(5, ("parse_acl_blob: ndr_pull_xattr_NTACL failed: %s\n",
91 ndr_errstr(ndr_err)));
92 return ndr_map_error2ntstatus(ndr_err);
95 switch (xacl.version) {
97 *ppdesc = make_sec_desc(ctx, SD_REVISION,
98 xacl.info.sd->type | SEC_DESC_SELF_RELATIVE,
99 xacl.info.sd->owner_sid,
100 xacl.info.sd->group_sid,
104 /* No hash - null out. */
105 *p_hash_type = XATTR_SD_HASH_TYPE_NONE;
106 memset(hash, '\0', XATTR_SD_HASH_SIZE);
109 *ppdesc = make_sec_desc(ctx, SD_REVISION,
110 xacl.info.sd_hs2->sd->type | SEC_DESC_SELF_RELATIVE,
111 xacl.info.sd_hs2->sd->owner_sid,
112 xacl.info.sd_hs2->sd->group_sid,
113 xacl.info.sd_hs2->sd->sacl,
114 xacl.info.sd_hs2->sd->dacl,
116 /* No hash - null out. */
117 *p_hash_type = XATTR_SD_HASH_TYPE_NONE;
118 memset(hash, '\0', XATTR_SD_HASH_SIZE);
121 *ppdesc = make_sec_desc(ctx, SD_REVISION,
122 xacl.info.sd_hs3->sd->type | SEC_DESC_SELF_RELATIVE,
123 xacl.info.sd_hs3->sd->owner_sid,
124 xacl.info.sd_hs3->sd->group_sid,
125 xacl.info.sd_hs3->sd->sacl,
126 xacl.info.sd_hs3->sd->dacl,
128 *p_hash_type = xacl.info.sd_hs3->hash_type;
129 /* Current version 3. */
130 memcpy(hash, xacl.info.sd_hs3->hash, XATTR_SD_HASH_SIZE);
133 return NT_STATUS_REVISION_MISMATCH;
136 TALLOC_FREE(xacl.info.sd);
138 return (*ppdesc != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
141 /*******************************************************************
142 Create a DATA_BLOB from a security descriptor.
143 *******************************************************************/
145 static NTSTATUS create_acl_blob(const struct security_descriptor *psd,
148 uint8_t hash[XATTR_SD_HASH_SIZE])
150 struct xattr_NTACL xacl;
151 struct security_descriptor_hash_v3 sd_hs3;
152 enum ndr_err_code ndr_err;
153 TALLOC_CTX *ctx = talloc_tos();
159 xacl.info.sd_hs3 = &sd_hs3;
160 xacl.info.sd_hs3->sd = discard_const_p(struct security_descriptor, psd);
161 xacl.info.sd_hs3->hash_type = hash_type;
162 memcpy(&xacl.info.sd_hs3->hash[0], hash, XATTR_SD_HASH_SIZE);
164 ndr_err = ndr_push_struct_blob(
166 (ndr_push_flags_fn_t)ndr_push_xattr_NTACL);
168 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
169 DEBUG(5, ("create_acl_blob: ndr_push_xattr_NTACL failed: %s\n",
170 ndr_errstr(ndr_err)));
171 return ndr_map_error2ntstatus(ndr_err);
177 /*******************************************************************
178 Add in 3 inheritable components for a non-inheritable directory ACL.
179 CREATOR_OWNER/CREATOR_GROUP/WORLD.
180 *******************************************************************/
182 static NTSTATUS add_directory_inheritable_components(vfs_handle_struct *handle,
184 SMB_STRUCT_STAT *psbuf,
185 struct security_descriptor *psd)
187 struct connection_struct *conn = handle->conn;
188 int num_aces = (psd->dacl ? psd->dacl->num_aces : 0);
189 struct smb_filename smb_fname;
190 enum security_ace_type acltype;
191 uint32_t access_mask;
195 struct security_ace *new_ace_list = talloc_zero_array(talloc_tos(),
199 if (new_ace_list == NULL) {
200 return NT_STATUS_NO_MEMORY;
203 /* Fake a quick smb_filename. */
204 ZERO_STRUCT(smb_fname);
205 smb_fname.st = *psbuf;
206 smb_fname.base_name = discard_const_p(char, name);
208 dir_mode = unix_mode(conn,
209 FILE_ATTRIBUTE_DIRECTORY, &smb_fname, NULL);
210 file_mode = unix_mode(conn,
211 FILE_ATTRIBUTE_ARCHIVE, &smb_fname, NULL);
213 mode = dir_mode | file_mode;
215 DEBUG(10, ("add_directory_inheritable_components: directory %s, "
218 (unsigned int)mode ));
221 memcpy(new_ace_list, psd->dacl->aces,
222 num_aces * sizeof(struct security_ace));
224 access_mask = map_canon_ace_perms(SNUM(conn), &acltype,
227 init_sec_ace(&new_ace_list[num_aces],
228 &global_sid_Creator_Owner,
231 SEC_ACE_FLAG_CONTAINER_INHERIT|
232 SEC_ACE_FLAG_OBJECT_INHERIT|
233 SEC_ACE_FLAG_INHERIT_ONLY);
234 access_mask = map_canon_ace_perms(SNUM(conn), &acltype,
235 (mode << 3) & 0700, false);
236 init_sec_ace(&new_ace_list[num_aces+1],
237 &global_sid_Creator_Group,
240 SEC_ACE_FLAG_CONTAINER_INHERIT|
241 SEC_ACE_FLAG_OBJECT_INHERIT|
242 SEC_ACE_FLAG_INHERIT_ONLY);
243 access_mask = map_canon_ace_perms(SNUM(conn), &acltype,
244 (mode << 6) & 0700, false);
245 init_sec_ace(&new_ace_list[num_aces+2],
249 SEC_ACE_FLAG_CONTAINER_INHERIT|
250 SEC_ACE_FLAG_OBJECT_INHERIT|
251 SEC_ACE_FLAG_INHERIT_ONLY);
253 psd->dacl->aces = new_ace_list;
254 psd->dacl->num_aces += 3;
256 psd->dacl = make_sec_acl(talloc_tos(),
260 if (psd->dacl == NULL) {
261 return NT_STATUS_NO_MEMORY;
267 /*******************************************************************
268 Pull a DATA_BLOB from an xattr given a pathname.
269 If the hash doesn't match, or doesn't exist - return the underlying
271 *******************************************************************/
273 static NTSTATUS get_nt_acl_internal(vfs_handle_struct *handle,
276 uint32_t security_info,
277 struct security_descriptor **ppdesc)
279 DATA_BLOB blob = data_blob_null;
281 uint16_t hash_type = XATTR_SD_HASH_TYPE_NONE;
282 uint8_t hash[XATTR_SD_HASH_SIZE];
283 uint8_t hash_tmp[XATTR_SD_HASH_SIZE];
284 struct security_descriptor *psd = NULL;
285 struct security_descriptor *pdesc_next = NULL;
286 bool ignore_file_system_acl = lp_parm_bool(SNUM(handle->conn),
288 "ignore system acls",
291 if (fsp && name == NULL) {
292 name = fsp->fsp_name->base_name;
295 DEBUG(10, ("get_nt_acl_internal: name=%s\n", name));
297 /* Get the full underlying sd for the hash
298 or to return as backup. */
300 status = SMB_VFS_NEXT_FGET_NT_ACL(handle,
305 status = SMB_VFS_NEXT_GET_NT_ACL(handle,
311 if (!NT_STATUS_IS_OK(status)) {
312 DEBUG(10, ("get_nt_acl_internal: get_next_acl for file %s "
319 status = get_acl_blob(talloc_tos(), handle, fsp, name, &blob);
320 if (!NT_STATUS_IS_OK(status)) {
321 DEBUG(10, ("get_nt_acl_internal: get_acl_blob returned %s\n",
327 status = parse_acl_blob(&blob, &psd,
328 &hash_type, &hash[0]);
329 if (!NT_STATUS_IS_OK(status)) {
330 DEBUG(10, ("parse_acl_blob returned %s\n",
336 /* Ensure the hash type is one we know. */
338 case XATTR_SD_HASH_TYPE_NONE:
339 /* No hash, just return blob sd. */
341 case XATTR_SD_HASH_TYPE_SHA256:
344 DEBUG(10, ("get_nt_acl_internal: ACL blob revision "
345 "mismatch (%u) for file %s\n",
346 (unsigned int)hash_type,
353 if (ignore_file_system_acl) {
357 status = hash_sd_sha256(pdesc_next, hash_tmp);
358 if (!NT_STATUS_IS_OK(status)) {
364 if (memcmp(&hash[0], &hash_tmp[0], XATTR_SD_HASH_SIZE) == 0) {
365 /* Hash matches, return blob sd. */
366 DEBUG(10, ("get_nt_acl_internal: blob hash "
367 "matches for file %s\n",
372 /* Hash doesn't match, return underlying sd. */
378 if (psd != pdesc_next) {
379 /* We're returning the blob, throw
380 * away the filesystem SD. */
381 TALLOC_FREE(pdesc_next);
383 SMB_STRUCT_STAT sbuf;
384 SMB_STRUCT_STAT *psbuf = &sbuf;
385 bool is_directory = false;
387 * We're returning the underlying ACL from the
388 * filesystem. If it's a directory, and has no
389 * inheritable ACE entries we have to fake them.
392 status = vfs_stat_fsp(fsp);
393 if (!NT_STATUS_IS_OK(status)) {
396 psbuf = &fsp->fsp_name->st;
398 int ret = vfs_stat_smb_fname(handle->conn,
402 return map_nt_error_from_unix(errno);
405 is_directory = S_ISDIR(psbuf->st_ex_mode);
407 if (ignore_file_system_acl) {
408 TALLOC_FREE(pdesc_next);
409 status = make_default_filesystem_acl(talloc_tos(),
413 if (!NT_STATUS_IS_OK(status)) {
418 !sd_has_inheritable_components(psd,
420 status = add_directory_inheritable_components(
425 if (!NT_STATUS_IS_OK(status)) {
429 /* The underlying POSIX module always sets
430 the ~SEC_DESC_DACL_PROTECTED bit, as ACLs
431 can't be inherited in this way under POSIX.
432 Remove it for Windows-style ACLs. */
433 psd->type &= ~SEC_DESC_DACL_PROTECTED;
437 if (!(security_info & SECINFO_OWNER)) {
438 psd->owner_sid = NULL;
440 if (!(security_info & SECINFO_GROUP)) {
441 psd->group_sid = NULL;
443 if (!(security_info & SECINFO_DACL)) {
444 psd->type &= ~SEC_DESC_DACL_PRESENT;
447 if (!(security_info & SECINFO_SACL)) {
448 psd->type &= ~SEC_DESC_SACL_PRESENT;
452 TALLOC_FREE(blob.data);
455 if (DEBUGLEVEL >= 10) {
456 DEBUG(10,("get_nt_acl_internal: returning acl for %s is:\n",
458 NDR_PRINT_DEBUG(security_descriptor, psd);
464 /*********************************************************************
465 Fetch a security descriptor given an fsp.
466 *********************************************************************/
468 static NTSTATUS fget_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp,
469 uint32_t security_info, struct security_descriptor **ppdesc)
471 return get_nt_acl_internal(handle, fsp,
472 NULL, security_info, ppdesc);
475 /*********************************************************************
476 Fetch a security descriptor given a pathname.
477 *********************************************************************/
479 static NTSTATUS get_nt_acl_common(vfs_handle_struct *handle,
480 const char *name, uint32_t security_info, struct security_descriptor **ppdesc)
482 return get_nt_acl_internal(handle, NULL,
483 name, security_info, ppdesc);
486 /*********************************************************************
487 Store a security descriptor given an fsp.
488 *********************************************************************/
490 static NTSTATUS fset_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp,
491 uint32_t security_info_sent, const struct security_descriptor *orig_psd)
495 struct security_descriptor *pdesc_next = NULL;
496 struct security_descriptor *psd = NULL;
497 uint8_t hash[XATTR_SD_HASH_SIZE];
498 bool chown_needed = false;
500 if (DEBUGLEVEL >= 10) {
501 DEBUG(10,("fset_nt_acl_xattr: incoming sd for file %s\n",
503 NDR_PRINT_DEBUG(security_descriptor,
504 discard_const_p(struct security_descriptor, orig_psd));
507 status = get_nt_acl_internal(handle, fsp,
509 SECINFO_OWNER|SECINFO_GROUP|SECINFO_DACL|SECINFO_SACL,
512 if (!NT_STATUS_IS_OK(status)) {
516 psd->revision = orig_psd->revision;
517 /* All our SD's are self relative. */
518 psd->type = orig_psd->type | SEC_DESC_SELF_RELATIVE;
520 if ((security_info_sent & SECINFO_OWNER) && (orig_psd->owner_sid != NULL)) {
521 if (!dom_sid_equal(orig_psd->owner_sid, psd->owner_sid)) {
522 /* We're changing the owner. */
525 psd->owner_sid = orig_psd->owner_sid;
527 if ((security_info_sent & SECINFO_GROUP) && (orig_psd->group_sid != NULL)) {
528 if (!dom_sid_equal(orig_psd->group_sid, psd->group_sid)) {
529 /* We're changing the group. */
532 psd->group_sid = orig_psd->group_sid;
534 if (security_info_sent & SECINFO_DACL) {
535 psd->dacl = orig_psd->dacl;
536 psd->type |= SEC_DESC_DACL_PRESENT;
538 if (security_info_sent & SECINFO_SACL) {
539 psd->sacl = orig_psd->sacl;
540 psd->type |= SEC_DESC_SACL_PRESENT;
543 status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
544 if (!NT_STATUS_IS_OK(status)) {
545 if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
548 /* We got access denied here. If we're already root,
549 or we didn't need to do a chown, or the fsp isn't
550 open with WRITE_OWNER access, just return. */
551 if (get_current_uid(handle->conn) == 0 ||
552 chown_needed == false ||
553 !(fsp->access_mask & SEC_STD_WRITE_OWNER)) {
554 return NT_STATUS_ACCESS_DENIED;
557 DEBUG(10,("fset_nt_acl_common: overriding chown on file %s "
560 sid_string_tos(psd->owner_sid)
563 /* Ok, we failed to chown and we have
564 SEC_STD_WRITE_OWNER access - override. */
566 status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp,
567 security_info_sent, psd);
569 if (!NT_STATUS_IS_OK(status)) {
574 /* Get the full underlying sd, then hash. */
575 status = SMB_VFS_NEXT_FGET_NT_ACL(handle,
580 if (!NT_STATUS_IS_OK(status)) {
584 status = hash_sd_sha256(pdesc_next, hash);
585 if (!NT_STATUS_IS_OK(status)) {
589 if (DEBUGLEVEL >= 10) {
590 DEBUG(10,("fset_nt_acl_xattr: storing xattr sd for file %s\n",
592 NDR_PRINT_DEBUG(security_descriptor,
593 discard_const_p(struct security_descriptor, psd));
595 create_acl_blob(psd, &blob, XATTR_SD_HASH_TYPE_SHA256, hash);
596 store_acl_blob_fsp(handle, fsp, &blob);
601 static int acl_common_remove_object(vfs_handle_struct *handle,
605 connection_struct *conn = handle->conn;
607 files_struct *fsp = NULL;
609 char *parent_dir = NULL;
610 const char *final_component = NULL;
611 struct smb_filename local_fname;
613 char *saved_dir = NULL;
615 saved_dir = vfs_GetWd(talloc_tos(),conn);
621 if (!parent_dirname(talloc_tos(), path,
622 &parent_dir, &final_component)) {
623 saved_errno = ENOMEM;
627 DEBUG(10,("acl_common_remove_object: removing %s %s/%s\n",
628 is_directory ? "directory" : "file",
629 parent_dir, final_component ));
631 /* cd into the parent dir to pin it. */
632 ret = vfs_ChDir(conn, parent_dir);
638 ZERO_STRUCT(local_fname);
639 local_fname.base_name = discard_const_p(char, final_component);
641 /* Must use lstat here. */
642 ret = SMB_VFS_LSTAT(conn, &local_fname);
648 /* Ensure we have this file open with DELETE access. */
649 id = vfs_file_id_from_sbuf(conn, &local_fname.st);
650 for (fsp = file_find_di_first(conn->sconn, id); fsp;
651 fsp = file_find_di_next(fsp)) {
652 if (fsp->access_mask & DELETE_ACCESS &&
653 fsp->delete_on_close) {
654 /* We did open this for delete,
655 * allow the delete as root.
662 DEBUG(10,("acl_common_remove_object: %s %s/%s "
663 "not an open file\n",
664 is_directory ? "directory" : "file",
665 parent_dir, final_component ));
666 saved_errno = EACCES;
672 ret = SMB_VFS_NEXT_RMDIR(handle, final_component);
674 ret = SMB_VFS_NEXT_UNLINK(handle, &local_fname);
684 TALLOC_FREE(parent_dir);
687 vfs_ChDir(conn, saved_dir);
695 static int rmdir_acl_common(struct vfs_handle_struct *handle,
700 /* Try the normal rmdir first. */
701 ret = SMB_VFS_NEXT_RMDIR(handle, path);
705 if (errno == EACCES || errno == EPERM) {
706 /* Failed due to access denied,
707 see if we need to root override. */
708 return acl_common_remove_object(handle,
713 DEBUG(10,("rmdir_acl_common: unlink of %s failed %s\n",
719 static int unlink_acl_common(struct vfs_handle_struct *handle,
720 const struct smb_filename *smb_fname)
724 /* Try the normal unlink first. */
725 ret = SMB_VFS_NEXT_UNLINK(handle, smb_fname);
729 if (errno == EACCES || errno == EPERM) {
730 /* Failed due to access denied,
731 see if we need to root override. */
733 /* Don't do anything fancy for streams. */
734 if (smb_fname->stream_name) {
737 return acl_common_remove_object(handle,
738 smb_fname->base_name,
742 DEBUG(10,("unlink_acl_common: unlink of %s failed %s\n",
743 smb_fname->base_name,
748 static int chmod_acl_module_common(struct vfs_handle_struct *handle,
749 const char *path, mode_t mode)
751 if (lp_posix_pathnames()) {
752 /* Only allow this on POSIX pathnames. */
753 return SMB_VFS_NEXT_CHMOD(handle, path, mode);
758 static int fchmod_acl_module_common(struct vfs_handle_struct *handle,
759 struct files_struct *fsp, mode_t mode)
761 if (fsp->posix_open) {
762 /* Only allow this on POSIX opens. */
763 return SMB_VFS_NEXT_FCHMOD(handle, fsp, mode);
768 static int chmod_acl_acl_module_common(struct vfs_handle_struct *handle,
769 const char *name, mode_t mode)
771 if (lp_posix_pathnames()) {
772 /* Only allow this on POSIX pathnames. */
773 return SMB_VFS_NEXT_CHMOD_ACL(handle, name, mode);
778 static int fchmod_acl_acl_module_common(struct vfs_handle_struct *handle,
779 struct files_struct *fsp, mode_t mode)
781 if (fsp->posix_open) {
782 /* Only allow this on POSIX opens. */
783 return SMB_VFS_NEXT_FCHMOD_ACL(handle, fsp, mode);