2 * Convert ZFS/NFSv4 acls to NT acls and vice versa.
4 * Copyright (C) Jiri Sasek, 2007
5 * based on the foobar.c module which is copyrighted by Volker Lendecke
7 * Many thanks to Axel Apitz for help to fix the special ace's handling
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 3 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, see <http://www.gnu.org/licenses/>.
26 #include "system/filesys.h"
27 #include "smbd/smbd.h"
28 #include "nfs4_acls.h"
30 #ifdef HAVE_FREEBSD_SUNACL_H
35 #define DBGC_CLASS DBGC_VFS
37 #define ZFSACL_MODULE_NAME "zfsacl"
39 struct zfsacl_config_data {
40 struct smbacl4_vfs_params nfs4_params;
41 bool zfsacl_denymissingspecial;
45 * read the local file's acls and return it in NT form
46 * using the NFSv4 format conversion
48 static NTSTATUS zfs_get_nt_acl_common(struct connection_struct *conn,
50 const struct smb_filename *smb_fname,
51 struct SMB4ACL_T **ppacl,
52 struct zfsacl_config_data *config)
56 struct SMB4ACL_T *pacl;
58 const SMB_STRUCT_STAT *psbuf = NULL;
62 if (VALID_STAT(smb_fname->st)) {
63 psbuf = &smb_fname->st;
67 ret = vfs_stat_smb_basename(conn, smb_fname, &sbuf);
69 DBG_INFO("stat [%s]failed: %s\n",
70 smb_fname_str_dbg(smb_fname), strerror(errno));
71 return map_nt_error_from_unix(errno);
75 is_dir = S_ISDIR(psbuf->st_ex_mode);
77 /* read the number of file aces */
78 if((naces = acl(smb_fname->base_name, ACE_GETACLCNT, 0, NULL)) == -1) {
80 DEBUG(9, ("acl(ACE_GETACLCNT, %s): Operation is not "
81 "supported on the filesystem where the file "
82 "reside\n", smb_fname->base_name));
84 DEBUG(9, ("acl(ACE_GETACLCNT, %s): %s ", smb_fname->base_name,
87 return map_nt_error_from_unix(errno);
89 /* allocate the field of ZFS aces */
90 mem_ctx = talloc_tos();
91 acebuf = (ace_t *) talloc_size(mem_ctx, sizeof(ace_t)*naces);
93 return NT_STATUS_NO_MEMORY;
95 /* read the aces into the field */
96 if(acl(smb_fname->base_name, ACE_GETACL, naces, acebuf) < 0) {
97 DEBUG(9, ("acl(ACE_GETACL, %s): %s ", smb_fname->base_name,
99 return map_nt_error_from_unix(errno);
101 /* create SMB4ACL data */
102 if((pacl = smb_create_smb4acl(mem_ctx)) == NULL) {
103 return NT_STATUS_NO_MEMORY;
105 for(i=0; i<naces; i++) {
106 SMB_ACE4PROP_T aceprop;
108 aceprop.aceType = (uint32_t) acebuf[i].a_type;
109 aceprop.aceFlags = (uint32_t) acebuf[i].a_flags;
110 aceprop.aceMask = (uint32_t) acebuf[i].a_access_mask;
111 aceprop.who.id = (uint32_t) acebuf[i].a_who;
114 * Windows clients expect SYNC on acls to correctly allow
115 * rename, cf bug #7909. But not on DENY ace entries, cf bug
118 if (aceprop.aceType == SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE) {
119 aceprop.aceMask |= SMB_ACE4_SYNCHRONIZE;
122 if (is_dir && (aceprop.aceMask & SMB_ACE4_ADD_FILE)) {
123 aceprop.aceMask |= SMB_ACE4_DELETE_CHILD;
126 if(aceprop.aceFlags & ACE_OWNER) {
127 aceprop.flags = SMB_ACE4_ID_SPECIAL;
128 aceprop.who.special_id = SMB_ACE4_WHO_OWNER;
129 } else if(aceprop.aceFlags & ACE_GROUP) {
130 aceprop.flags = SMB_ACE4_ID_SPECIAL;
131 aceprop.who.special_id = SMB_ACE4_WHO_GROUP;
132 } else if(aceprop.aceFlags & ACE_EVERYONE) {
133 aceprop.flags = SMB_ACE4_ID_SPECIAL;
134 aceprop.who.special_id = SMB_ACE4_WHO_EVERYONE;
138 if(smb_add_ace4(pacl, &aceprop) == NULL)
139 return NT_STATUS_NO_MEMORY;
146 /* call-back function processing the NT acl -> ZFS acl using NFSv4 conv. */
147 static bool zfs_process_smbacl(vfs_handle_struct *handle, files_struct *fsp,
148 struct SMB4ACL_T *smbacl)
150 int naces = smb_get_naces(smbacl), i;
152 struct SMB4ACE_T *smbace;
154 bool have_special_id = false;
155 struct zfsacl_config_data *config = NULL;
157 SMB_VFS_HANDLE_GET_DATA(handle, config,
158 struct zfsacl_config_data,
161 /* allocate the field of ZFS aces */
162 mem_ctx = talloc_tos();
163 acebuf = (ace_t *) talloc_size(mem_ctx, sizeof(ace_t)*naces);
168 /* handle all aces */
169 for(smbace = smb_first_ace4(smbacl), i = 0;
171 smbace = smb_next_ace4(smbace), i++) {
172 SMB_ACE4PROP_T *aceprop = smb_get_ace4(smbace);
174 acebuf[i].a_type = aceprop->aceType;
175 acebuf[i].a_flags = aceprop->aceFlags;
176 acebuf[i].a_access_mask = aceprop->aceMask;
177 /* SYNC on acls is a no-op on ZFS.
179 acebuf[i].a_access_mask &= ~SMB_ACE4_SYNCHRONIZE;
180 acebuf[i].a_who = aceprop->who.id;
181 if(aceprop->flags & SMB_ACE4_ID_SPECIAL) {
182 switch(aceprop->who.special_id) {
183 case SMB_ACE4_WHO_EVERYONE:
184 acebuf[i].a_flags |= ACE_EVERYONE;
186 case SMB_ACE4_WHO_OWNER:
187 acebuf[i].a_flags |= ACE_OWNER;
189 case SMB_ACE4_WHO_GROUP:
190 acebuf[i].a_flags |= ACE_GROUP|ACE_IDENTIFIER_GROUP;
193 DEBUG(8, ("unsupported special_id %d\n", \
194 aceprop->who.special_id));
195 continue; /* don't add it !!! */
197 have_special_id = true;
201 if (!have_special_id && config->zfsacl_denymissingspecial) {
206 SMB_ASSERT(i == naces);
209 if(acl(fsp->fsp_name->base_name, ACE_SETACL, naces, acebuf)) {
210 if(errno == ENOSYS) {
211 DEBUG(9, ("acl(ACE_SETACL, %s): Operation is not "
212 "supported on the filesystem where the file "
213 "reside", fsp_str_dbg(fsp)));
215 DEBUG(9, ("acl(ACE_SETACL, %s): %s ", fsp_str_dbg(fsp),
225 * set the local file's acls obtaining it in NT form
226 * using the NFSv4 format conversion
228 static NTSTATUS zfs_set_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
229 uint32_t security_info_sent,
230 const struct security_descriptor *psd)
232 struct zfsacl_config_data *config = NULL;
234 SMB_VFS_HANDLE_GET_DATA(handle, config,
235 struct zfsacl_config_data,
236 return NT_STATUS_INTERNAL_ERROR);
238 return smb_set_nt_acl_nfs4(handle,
240 &config->nfs4_params,
246 static NTSTATUS zfsacl_fget_nt_acl(struct vfs_handle_struct *handle,
247 struct files_struct *fsp,
248 uint32_t security_info,
250 struct security_descriptor **ppdesc)
252 struct SMB4ACL_T *pacl;
254 struct zfsacl_config_data *config = NULL;
256 SMB_VFS_HANDLE_GET_DATA(handle, config,
257 struct zfsacl_config_data,
258 return NT_STATUS_INTERNAL_ERROR);
260 TALLOC_CTX *frame = talloc_stackframe();
262 status = zfs_get_nt_acl_common(handle->conn, frame,
263 fsp->fsp_name, &pacl, config);
264 if (!NT_STATUS_IS_OK(status)) {
266 if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
270 status = make_default_filesystem_acl(mem_ctx,
272 fsp->fsp_name->base_name,
275 if (!NT_STATUS_IS_OK(status)) {
278 (*ppdesc)->type |= SEC_DESC_DACL_PROTECTED;
282 status = smb_fget_nt_acl_nfs4(fsp, NULL, security_info, mem_ctx,
288 static NTSTATUS zfsacl_get_nt_acl(struct vfs_handle_struct *handle,
289 const struct smb_filename *smb_fname,
290 uint32_t security_info,
292 struct security_descriptor **ppdesc)
294 struct SMB4ACL_T *pacl;
296 struct zfsacl_config_data *config = NULL;
297 SMB_VFS_HANDLE_GET_DATA(handle, config,
298 struct zfsacl_config_data,
299 return NT_STATUS_INTERNAL_ERROR);
301 TALLOC_CTX *frame = talloc_stackframe();
303 status = zfs_get_nt_acl_common(handle->conn, frame, smb_fname, &pacl, config);
304 if (!NT_STATUS_IS_OK(status)) {
306 if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
310 if (!VALID_STAT(smb_fname->st)) {
311 DBG_ERR("No stat info for [%s]\n",
312 smb_fname_str_dbg(smb_fname));
313 return NT_STATUS_INTERNAL_ERROR;
316 status = make_default_filesystem_acl(mem_ctx,
318 smb_fname->base_name,
321 if (!NT_STATUS_IS_OK(status)) {
324 (*ppdesc)->type |= SEC_DESC_DACL_PROTECTED;
328 status = smb_get_nt_acl_nfs4(handle->conn,
339 static NTSTATUS zfsacl_fset_nt_acl(vfs_handle_struct *handle,
341 uint32_t security_info_sent,
342 const struct security_descriptor *psd)
344 return zfs_set_nt_acl(handle, fsp, security_info_sent, psd);
347 /* nils.goroll@hamburg.de 2008-06-16 :
350 - https://bugzilla.samba.org/show_bug.cgi?id=5446
351 - http://bugs.opensolaris.org/view_bug.do?bug_id=6688240
353 Solaris supports NFSv4 and ZFS ACLs through a common system call, acl(2)
354 with ACE_SETACL / ACE_GETACL / ACE_GETACLCNT, which is being wrapped for
355 use by samba in this module.
357 As the acl(2) interface is identical for ZFS and for NFS, this module,
358 vfs_zfsacl, can not only be used for ZFS, but also for sharing NFSv4
361 But while "traditional" POSIX DRAFT ACLs (using acl(2) with SETACL
362 / GETACL / GETACLCNT) fail for ZFS, the Solaris NFS client
363 implemets a compatibility wrapper, which will make calls to
364 traditional ACL calls though vfs_solarisacl succeed. As the
365 compatibility wrapper's implementation is (by design) incomplete,
366 we want to make sure that it is never being called.
368 As long as Samba does not support an exiplicit method for a module
369 to define conflicting vfs methods, we should override all conflicting
372 For this to work, we need to make sure that this module is initialised
373 *after* vfs_solarisacl
375 Function declarations taken from vfs_solarisacl
378 static SMB_ACL_T zfsacl_fail__sys_acl_get_file(vfs_handle_struct *handle,
379 const struct smb_filename *smb_fname,
383 return (SMB_ACL_T)NULL;
386 static SMB_ACL_T zfsacl_fail__sys_acl_get_fd(vfs_handle_struct *handle,
390 return (SMB_ACL_T)NULL;
393 static int zfsacl_fail__sys_acl_set_file(vfs_handle_struct *handle,
394 const struct smb_filename *smb_fname,
401 static int zfsacl_fail__sys_acl_set_fd(vfs_handle_struct *handle,
408 static int zfsacl_fail__sys_acl_delete_def_file(vfs_handle_struct *handle,
409 const struct smb_filename *smb_fname)
414 static int zfsacl_fail__sys_acl_blob_get_file(vfs_handle_struct *handle,
415 const struct smb_filename *smb_fname,
417 char **blob_description,
423 static int zfsacl_fail__sys_acl_blob_get_fd(vfs_handle_struct *handle, files_struct *fsp, TALLOC_CTX *mem_ctx, char **blob_description, DATA_BLOB *blob)
428 static int zfsacl_connect(struct vfs_handle_struct *handle,
429 const char *service, const char *user)
431 struct zfsacl_config_data *config = NULL;
434 ret = SMB_VFS_NEXT_CONNECT(handle, service, user);
439 config = talloc_zero(handle->conn, struct zfsacl_config_data);
441 DBG_ERR("talloc_zero() failed\n");
446 config->zfsacl_denymissingspecial = lp_parm_bool(SNUM(handle->conn),
447 "zfsacl", "denymissingspecial", false);
449 ret = smbacl4_get_vfs_params(handle->conn, &config->nfs4_params);
455 SMB_VFS_HANDLE_SET_DATA(handle, config,
456 NULL, struct zfsacl_config_data,
462 /* VFS operations structure */
464 static struct vfs_fn_pointers zfsacl_fns = {
465 .connect_fn = zfsacl_connect,
466 .sys_acl_get_file_fn = zfsacl_fail__sys_acl_get_file,
467 .sys_acl_get_fd_fn = zfsacl_fail__sys_acl_get_fd,
468 .sys_acl_blob_get_file_fn = zfsacl_fail__sys_acl_blob_get_file,
469 .sys_acl_blob_get_fd_fn = zfsacl_fail__sys_acl_blob_get_fd,
470 .sys_acl_set_file_fn = zfsacl_fail__sys_acl_set_file,
471 .sys_acl_set_fd_fn = zfsacl_fail__sys_acl_set_fd,
472 .sys_acl_delete_def_file_fn = zfsacl_fail__sys_acl_delete_def_file,
473 .fget_nt_acl_fn = zfsacl_fget_nt_acl,
474 .get_nt_acl_fn = zfsacl_get_nt_acl,
475 .fset_nt_acl_fn = zfsacl_fset_nt_acl,
479 NTSTATUS vfs_zfsacl_init(TALLOC_CTX *ctx)
481 return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "zfsacl",