* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
+#include "includes.h"
+#include "vfs_acl_common.h"
#include "smbd/smbd.h"
#include "system/filesys.h"
+#include "librpc/gen_ndr/ndr_xattr.h"
#include "../libcli/security/security.h"
#include "../librpc/gen_ndr/ndr_security.h"
#include "../lib/util/bitmap.h"
+#include "lib/crypto/sha256.h"
#include "passdb/lookup_sid.h"
static NTSTATUS create_acl_blob(const struct security_descriptor *psd,
uint16_t hash_type,
uint8_t hash[XATTR_SD_HASH_SIZE]);
-static NTSTATUS get_acl_blob(TALLOC_CTX *ctx,
- vfs_handle_struct *handle,
- files_struct *fsp,
- const struct smb_filename *smb_fname,
- DATA_BLOB *pblob);
-
-static NTSTATUS store_acl_blob_fsp(vfs_handle_struct *handle,
- files_struct *fsp,
- DATA_BLOB *pblob);
-
#define HASH_SECURITY_INFO (SECINFO_OWNER | \
SECINFO_GROUP | \
SECINFO_DACL | \
SECINFO_SACL)
-enum default_acl_style {DEFAULT_ACL_POSIX, DEFAULT_ACL_WINDOWS};
-
-static const struct enum_list default_acl_style[] = {
- {DEFAULT_ACL_POSIX, "posix"},
- {DEFAULT_ACL_WINDOWS, "windows"}
-};
-
-struct acl_common_config {
- bool ignore_system_acls;
- enum default_acl_style default_acl_style;
-};
-
-static bool init_acl_common_config(vfs_handle_struct *handle)
+bool init_acl_common_config(vfs_handle_struct *handle,
+ const char *module_name)
{
struct acl_common_config *config = NULL;
+ const struct enum_list *default_acl_style_list = NULL;
+
+ default_acl_style_list = get_default_acl_style_list();
config = talloc_zero(handle->conn, struct acl_common_config);
if (config == NULL) {
}
config->ignore_system_acls = lp_parm_bool(SNUM(handle->conn),
- ACL_MODULE_NAME,
+ module_name,
"ignore system acls",
false);
config->default_acl_style = lp_parm_enum(SNUM(handle->conn),
- ACL_MODULE_NAME,
+ module_name,
"default acl style",
- default_acl_style,
+ default_acl_style_list,
DEFAULT_ACL_POSIX);
SMB_VFS_HANDLE_SET_DATA(handle, config, NULL,
return NT_STATUS_OK;
}
-static NTSTATUS make_default_acl_posix(TALLOC_CTX *ctx,
- const char *name,
- SMB_STRUCT_STAT *psbuf,
- struct security_descriptor **ppdesc)
-{
- struct dom_sid owner_sid, group_sid;
- size_t size = 0;
- struct security_ace aces[4];
- uint32_t access_mask = 0;
- mode_t mode = psbuf->st_ex_mode;
- struct security_acl *new_dacl = NULL;
- int idx = 0;
-
- DBG_DEBUG("file %s mode = 0%o\n",name, (int)mode);
-
- uid_to_sid(&owner_sid, psbuf->st_ex_uid);
- gid_to_sid(&group_sid, psbuf->st_ex_gid);
-
- /*
- We provide up to 4 ACEs
- - Owner
- - Group
- - Everyone
- - NT System
- */
-
- if (mode & S_IRUSR) {
- if (mode & S_IWUSR) {
- access_mask |= SEC_RIGHTS_FILE_ALL;
- } else {
- access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
- }
- }
- if (mode & S_IWUSR) {
- access_mask |= SEC_RIGHTS_FILE_WRITE | SEC_STD_DELETE;
- }
-
- init_sec_ace(&aces[idx],
- &owner_sid,
- SEC_ACE_TYPE_ACCESS_ALLOWED,
- access_mask,
- 0);
- idx++;
-
- access_mask = 0;
- if (mode & S_IRGRP) {
- access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
- }
- if (mode & S_IWGRP) {
- /* note that delete is not granted - this matches posix behaviour */
- access_mask |= SEC_RIGHTS_FILE_WRITE;
- }
- if (access_mask) {
- init_sec_ace(&aces[idx],
- &group_sid,
- SEC_ACE_TYPE_ACCESS_ALLOWED,
- access_mask,
- 0);
- idx++;
- }
-
- access_mask = 0;
- if (mode & S_IROTH) {
- access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
- }
- if (mode & S_IWOTH) {
- access_mask |= SEC_RIGHTS_FILE_WRITE;
- }
- if (access_mask) {
- init_sec_ace(&aces[idx],
- &global_sid_World,
- SEC_ACE_TYPE_ACCESS_ALLOWED,
- access_mask,
- 0);
- idx++;
- }
-
- init_sec_ace(&aces[idx],
- &global_sid_System,
- SEC_ACE_TYPE_ACCESS_ALLOWED,
- SEC_RIGHTS_FILE_ALL,
- 0);
- idx++;
-
- new_dacl = make_sec_acl(ctx,
- NT4_ACL_REVISION,
- idx,
- aces);
-
- if (!new_dacl) {
- return NT_STATUS_NO_MEMORY;
- }
-
- *ppdesc = make_sec_desc(ctx,
- SECURITY_DESCRIPTOR_REVISION_1,
- SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
- &owner_sid,
- &group_sid,
- NULL,
- new_dacl,
- &size);
- if (!*ppdesc) {
- return NT_STATUS_NO_MEMORY;
- }
- return NT_STATUS_OK;
-}
-
-static NTSTATUS make_default_acl_windows(TALLOC_CTX *ctx,
- const char *name,
- SMB_STRUCT_STAT *psbuf,
- struct security_descriptor **ppdesc)
-{
- struct dom_sid owner_sid, group_sid;
- size_t size = 0;
- struct security_ace aces[4];
- uint32_t access_mask = 0;
- mode_t mode = psbuf->st_ex_mode;
- struct security_acl *new_dacl = NULL;
- int idx = 0;
-
- DBG_DEBUG("file [%s] mode [0%o]\n", name, (int)mode);
-
- uid_to_sid(&owner_sid, psbuf->st_ex_uid);
- gid_to_sid(&group_sid, psbuf->st_ex_gid);
-
- /*
- * We provide 2 ACEs:
- * - Owner
- * - NT System
- */
-
- if (mode & S_IRUSR) {
- if (mode & S_IWUSR) {
- access_mask |= SEC_RIGHTS_FILE_ALL;
- } else {
- access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
- }
- }
- if (mode & S_IWUSR) {
- access_mask |= SEC_RIGHTS_FILE_WRITE | SEC_STD_DELETE;
- }
-
- init_sec_ace(&aces[idx],
- &owner_sid,
- SEC_ACE_TYPE_ACCESS_ALLOWED,
- access_mask,
- 0);
- idx++;
-
- init_sec_ace(&aces[idx],
- &global_sid_System,
- SEC_ACE_TYPE_ACCESS_ALLOWED,
- SEC_RIGHTS_FILE_ALL,
- 0);
- idx++;
-
- new_dacl = make_sec_acl(ctx,
- NT4_ACL_REVISION,
- idx,
- aces);
-
- if (!new_dacl) {
- return NT_STATUS_NO_MEMORY;
- }
-
- *ppdesc = make_sec_desc(ctx,
- SECURITY_DESCRIPTOR_REVISION_1,
- SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
- &owner_sid,
- &group_sid,
- NULL,
- new_dacl,
- &size);
- if (!*ppdesc) {
- return NT_STATUS_NO_MEMORY;
- }
- return NT_STATUS_OK;
-}
-
-static NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
- struct acl_common_config *config,
- const char *name,
- SMB_STRUCT_STAT *psbuf,
- struct security_descriptor **ppdesc)
-{
- NTSTATUS status;
-
- switch (config->default_acl_style) {
-
- case DEFAULT_ACL_POSIX:
- status = make_default_acl_posix(ctx, name, psbuf, ppdesc);
- break;
-
- case DEFAULT_ACL_WINDOWS:
- status = make_default_acl_windows(ctx, name, psbuf, ppdesc);
- break;
-
- default:
- DBG_ERR("unknown acl style %d", config->default_acl_style);
- status = NT_STATUS_INTERNAL_ERROR;
- break;
- }
-
- return status;
-}
-
/**
* Validate an ACL blob
*
} else {
/* Get the full underlying sd, then hash. */
ret = SMB_VFS_NEXT_SYS_ACL_BLOB_GET_FILE(handle,
- smb_fname->base_name,
+ smb_fname,
mem_ctx,
&sys_acl_blob_description,
&sys_acl_blob);
}
/* Otherwise, fall though and see if the NT ACL hash matches */
+ FALL_THROUGH;
}
case 3:
/* Get the full underlying sd for the hash
filesystem sd.
*******************************************************************/
-static NTSTATUS get_nt_acl_internal(vfs_handle_struct *handle,
+NTSTATUS get_nt_acl_common(
+ NTSTATUS (*get_acl_blob_fn)(TALLOC_CTX *ctx,
+ vfs_handle_struct *handle,
files_struct *fsp,
- const struct smb_filename *smb_fname_in,
- uint32_t security_info,
- TALLOC_CTX *mem_ctx,
- struct security_descriptor **ppdesc)
+ const struct smb_filename *smb_fname,
+ DATA_BLOB *pblob),
+ vfs_handle_struct *handle,
+ files_struct *fsp,
+ const struct smb_filename *smb_fname_in,
+ uint32_t security_info,
+ TALLOC_CTX *mem_ctx,
+ struct security_descriptor **ppdesc)
{
DATA_BLOB blob = data_blob_null;
NTSTATUS status;
DBG_DEBUG("name=%s\n", smb_fname->base_name);
- status = get_acl_blob(mem_ctx, handle, fsp, smb_fname, &blob);
+ status = get_acl_blob_fn(mem_ctx, handle, fsp, smb_fname, &blob);
if (NT_STATUS_IS_OK(status)) {
status = validate_nt_acl_blob(mem_ctx,
handle,
status = make_default_filesystem_acl(
mem_ctx,
- config,
+ config->default_acl_style,
smb_fname->base_name,
psbuf,
&psd);
return status;
}
-/*********************************************************************
- Fetch a security descriptor given an fsp.
-*********************************************************************/
-
-static NTSTATUS fget_nt_acl_common(vfs_handle_struct *handle,
- files_struct *fsp,
- uint32_t security_info,
- TALLOC_CTX *mem_ctx,
- struct security_descriptor **ppdesc)
-{
- return get_nt_acl_internal(handle, fsp,
- NULL, security_info, mem_ctx, ppdesc);
-}
-
-/*********************************************************************
- Fetch a security descriptor given a pathname.
-*********************************************************************/
-
-static NTSTATUS get_nt_acl_common(vfs_handle_struct *handle,
- const struct smb_filename *smb_fname,
- uint32_t security_info,
- TALLOC_CTX *mem_ctx,
- struct security_descriptor **ppdesc)
-{
- return get_nt_acl_internal(handle,
- NULL,
- smb_fname,
- security_info,
- mem_ctx,
- ppdesc);
-}
-
/*********************************************************************
Set the underlying ACL (e.g. POSIX ACLS, POSIX owner, etc)
*********************************************************************/
uint32_t security_info_sent,
bool chown_needed)
{
- NTSTATUS status =
- SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
+ NTSTATUS status;
+ const struct security_token *token = NULL;
+ struct dom_sid_buf buf;
+
+ status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
return status;
}
return NT_STATUS_ACCESS_DENIED;
}
+ /*
+ * Only allow take-ownership, not give-ownership. That's the way Windows
+ * implements SEC_STD_WRITE_OWNER. MS-FSA 2.1.5.16 just states: If
+ * InputBuffer.OwnerSid is not a valid owner SID for a file in the
+ * objectstore, as determined in an implementation specific manner, the
+ * object store MUST return STATUS_INVALID_OWNER.
+ */
+ token = get_current_nttok(fsp->conn);
+ if (!security_token_is_sid(token, psd->owner_sid)) {
+ return NT_STATUS_INVALID_OWNER;
+ }
+
DBG_DEBUG("overriding chown on file %s for sid %s\n",
- fsp_str_dbg(fsp), sid_string_tos(psd->owner_sid));
+ fsp_str_dbg(fsp),
+ dom_sid_str_buf(psd->owner_sid, &buf));
/* Ok, we failed to chown and we have
SEC_STD_WRITE_OWNER access - override. */
/*********************************************************************
Store a v3 security descriptor
*********************************************************************/
-static NTSTATUS store_v3_blob(vfs_handle_struct *handle, files_struct *fsp,
- struct security_descriptor *psd,
- struct security_descriptor *pdesc_next,
- uint8_t hash[XATTR_SD_HASH_SIZE])
+static NTSTATUS store_v3_blob(
+ NTSTATUS (*store_acl_blob_fsp_fn)(vfs_handle_struct *handle,
+ files_struct *fsp,
+ DATA_BLOB *pblob),
+ vfs_handle_struct *handle, files_struct *fsp,
+ struct security_descriptor *psd,
+ struct security_descriptor *pdesc_next,
+ uint8_t hash[XATTR_SD_HASH_SIZE])
{
NTSTATUS status;
DATA_BLOB blob;
return status;
}
- status = store_acl_blob_fsp(handle, fsp, &blob);
+ status = store_acl_blob_fsp_fn(handle, fsp, &blob);
return status;
}
Store a security descriptor given an fsp.
*********************************************************************/
-static NTSTATUS fset_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp,
- uint32_t security_info_sent, const struct security_descriptor *orig_psd)
+NTSTATUS fset_nt_acl_common(
+ NTSTATUS (*get_acl_blob_fn)(TALLOC_CTX *ctx,
+ vfs_handle_struct *handle,
+ files_struct *fsp,
+ const struct smb_filename *smb_fname,
+ DATA_BLOB *pblob),
+ NTSTATUS (*store_acl_blob_fsp_fn)(vfs_handle_struct *handle,
+ files_struct *fsp,
+ DATA_BLOB *pblob),
+ const char *module_name,
+ vfs_handle_struct *handle, files_struct *fsp,
+ uint32_t security_info_sent,
+ const struct security_descriptor *orig_psd)
{
NTSTATUS status;
int ret;
char *sys_acl_description;
TALLOC_CTX *frame = talloc_stackframe();
bool ignore_file_system_acl = lp_parm_bool(
- SNUM(handle->conn), ACL_MODULE_NAME, "ignore system acls", false);
+ SNUM(handle->conn), module_name, "ignore system acls", false);
if (DEBUGLEVEL >= 10) {
DBG_DEBUG("incoming sd for file %s\n", fsp_str_dbg(fsp));
discard_const_p(struct security_descriptor, orig_psd));
}
- status = get_nt_acl_internal(handle, fsp,
+ status = get_nt_acl_common(get_acl_blob_fn, handle, fsp,
NULL,
SECINFO_OWNER|SECINFO_GROUP|SECINFO_DACL|SECINFO_SACL,
frame,
}
psd->revision = orig_psd->revision;
- /* All our SD's are self relative. */
- psd->type = orig_psd->type | SEC_DESC_SELF_RELATIVE;
+ if (security_info_sent & SECINFO_DACL) {
+ psd->type = orig_psd->type;
+ /* All our SD's are self relative. */
+ psd->type |= SEC_DESC_SELF_RELATIVE;
+ }
if ((security_info_sent & SECINFO_OWNER) && (orig_psd->owner_sid != NULL)) {
if (!dom_sid_equal(orig_psd->owner_sid, psd->owner_sid)) {
}
}
ZERO_ARRAY(hash);
- status = store_v3_blob(handle, fsp, psd, NULL, hash);
+ status = store_v3_blob(store_acl_blob_fsp_fn, handle, fsp, psd,
+ NULL, hash);
TALLOC_FREE(frame);
return status;
/* If we fail to get the ACL blob (for some reason) then this
* is not fatal, we just work based on the NT ACL only */
if (ret != 0) {
- status = store_v3_blob(handle, fsp, psd, pdesc_next, hash);
+ status = store_v3_blob(store_acl_blob_fsp_fn, handle, fsp, psd,
+ pdesc_next, hash);
TALLOC_FREE(frame);
return status;
return status;
}
- status = store_acl_blob_fsp(handle, fsp, &blob);
+ status = store_acl_blob_fsp_fn(handle, fsp, &blob);
TALLOC_FREE(frame);
return status;
}
static int acl_common_remove_object(vfs_handle_struct *handle,
- const char *path,
+ const struct smb_filename *smb_fname,
bool is_directory)
{
connection_struct *conn = handle->conn;
int ret = 0;
char *parent_dir = NULL;
const char *final_component = NULL;
- struct smb_filename local_fname;
+ struct smb_filename local_fname = {0};
+ struct smb_filename parent_dir_fname = {0};
int saved_errno = 0;
- char *saved_dir = NULL;
+ struct smb_filename *saved_dir_fname = NULL;
- saved_dir = vfs_GetWd(talloc_tos(),conn);
- if (!saved_dir) {
+ saved_dir_fname = vfs_GetWd(talloc_tos(),conn);
+ if (saved_dir_fname == NULL) {
saved_errno = errno;
goto out;
}
- if (!parent_dirname(talloc_tos(), path,
+ if (!parent_dirname(talloc_tos(), smb_fname->base_name,
&parent_dir, &final_component)) {
saved_errno = ENOMEM;
goto out;
DBG_DEBUG("removing %s %s/%s\n", is_directory ? "directory" : "file",
parent_dir, final_component);
+ parent_dir_fname = (struct smb_filename) { .base_name = parent_dir };
+
/* cd into the parent dir to pin it. */
- ret = vfs_ChDir(conn, parent_dir);
+ ret = vfs_ChDir(conn, &parent_dir_fname);
if (ret == -1) {
saved_errno = errno;
goto out;
}
- ZERO_STRUCT(local_fname);
local_fname.base_name = discard_const_p(char, final_component);
/* Must use lstat here. */
TALLOC_FREE(parent_dir);
- if (saved_dir) {
- vfs_ChDir(conn, saved_dir);
+ if (saved_dir_fname) {
+ vfs_ChDir(conn, saved_dir_fname);
+ TALLOC_FREE(saved_dir_fname);
}
if (saved_errno) {
errno = saved_errno;
return ret;
}
-static int rmdir_acl_common(struct vfs_handle_struct *handle,
- const struct smb_filename *smb_fname)
+int rmdir_acl_common(struct vfs_handle_struct *handle,
+ const struct smb_filename *smb_fname)
{
int ret;
/* Failed due to access denied,
see if we need to root override. */
return acl_common_remove_object(handle,
- smb_fname->base_name,
+ smb_fname,
true);
}
return -1;
}
-static int unlink_acl_common(struct vfs_handle_struct *handle,
+int unlink_acl_common(struct vfs_handle_struct *handle,
const struct smb_filename *smb_fname)
{
int ret;
return -1;
}
return acl_common_remove_object(handle,
- smb_fname->base_name,
+ smb_fname,
false);
}
return -1;
}
-static int chmod_acl_module_common(struct vfs_handle_struct *handle,
- const struct smb_filename *smb_fname,
- mode_t mode)
+int chmod_acl_module_common(struct vfs_handle_struct *handle,
+ const struct smb_filename *smb_fname,
+ mode_t mode)
{
if (smb_fname->flags & SMB_FILENAME_POSIX_PATH) {
/* Only allow this on POSIX pathnames. */
return 0;
}
-static int fchmod_acl_module_common(struct vfs_handle_struct *handle,
- struct files_struct *fsp, mode_t mode)
+int fchmod_acl_module_common(struct vfs_handle_struct *handle,
+ struct files_struct *fsp, mode_t mode)
{
if (fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) {
/* Only allow this on POSIX opens. */
}
return 0;
}
-
-static int chmod_acl_acl_module_common(struct vfs_handle_struct *handle,
- const struct smb_filename *smb_fname,
- mode_t mode)
-{
- if (smb_fname->flags & SMB_FILENAME_POSIX_PATH) {
- /* Only allow this on POSIX pathnames. */
- return SMB_VFS_NEXT_CHMOD_ACL(handle, smb_fname, mode);
- }
- return 0;
-}
-
-static int fchmod_acl_acl_module_common(struct vfs_handle_struct *handle,
- struct files_struct *fsp, mode_t mode)
-{
- if (fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) {
- /* Only allow this on POSIX opens. */
- return SMB_VFS_NEXT_FCHMOD_ACL(handle, fsp, mode);
- }
- return 0;
-}