2 * Store Windows ACLs in data store - common functions.
3 * #included into modules/vfs_acl_xattr.c and modules/vfs_acl_tdb.c
5 * Copyright (C) Volker Lendecke, 2008
6 * Copyright (C) Jeremy Allison, 2009
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "../libcli/security/security.h"
23 #include "../librpc/gen_ndr/ndr_security.h"
25 static NTSTATUS create_acl_blob(const struct security_descriptor *psd,
28 uint8_t hash[XATTR_SD_HASH_SIZE]);
30 static NTSTATUS get_acl_blob(TALLOC_CTX *ctx,
31 vfs_handle_struct *handle,
36 static NTSTATUS store_acl_blob_fsp(vfs_handle_struct *handle,
40 #define HASH_SECURITY_INFO (SECINFO_OWNER | \
45 /*******************************************************************
46 Hash a security descriptor.
47 *******************************************************************/
49 static NTSTATUS hash_sd_sha256(struct security_descriptor *psd,
56 memset(hash, '\0', XATTR_SD_HASH_SIZE);
57 status = create_acl_blob(psd, &blob, XATTR_SD_HASH_TYPE_SHA256, hash);
58 if (!NT_STATUS_IS_OK(status)) {
63 SHA256_Update(&tctx, blob.data, blob.length);
64 SHA256_Final(hash, &tctx);
69 /*******************************************************************
70 Parse out a struct security_descriptor from a DATA_BLOB.
71 *******************************************************************/
73 static NTSTATUS parse_acl_blob(const DATA_BLOB *pblob,
74 struct security_descriptor **ppdesc,
75 uint16_t *p_hash_type,
76 uint8_t hash[XATTR_SD_HASH_SIZE])
78 TALLOC_CTX *ctx = talloc_tos();
79 struct xattr_NTACL xacl;
80 enum ndr_err_code ndr_err;
83 ndr_err = ndr_pull_struct_blob(pblob, ctx, &xacl,
84 (ndr_pull_flags_fn_t)ndr_pull_xattr_NTACL);
86 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
87 DEBUG(5, ("parse_acl_blob: ndr_pull_xattr_NTACL failed: %s\n",
88 ndr_errstr(ndr_err)));
89 return ndr_map_error2ntstatus(ndr_err);;
92 switch (xacl.version) {
94 *ppdesc = make_sec_desc(ctx, SD_REVISION,
95 xacl.info.sd_hs2->sd->type | SEC_DESC_SELF_RELATIVE,
96 xacl.info.sd_hs2->sd->owner_sid,
97 xacl.info.sd_hs2->sd->group_sid,
98 xacl.info.sd_hs2->sd->sacl,
99 xacl.info.sd_hs2->sd->dacl,
101 /* No hash - null out. */
102 *p_hash_type = XATTR_SD_HASH_TYPE_NONE;
103 memset(hash, '\0', XATTR_SD_HASH_SIZE);
106 *ppdesc = make_sec_desc(ctx, SD_REVISION,
107 xacl.info.sd_hs3->sd->type | SEC_DESC_SELF_RELATIVE,
108 xacl.info.sd_hs3->sd->owner_sid,
109 xacl.info.sd_hs3->sd->group_sid,
110 xacl.info.sd_hs3->sd->sacl,
111 xacl.info.sd_hs3->sd->dacl,
113 *p_hash_type = xacl.info.sd_hs3->hash_type;
114 /* Current version 3. */
115 memcpy(hash, xacl.info.sd_hs3->hash, XATTR_SD_HASH_SIZE);
118 return NT_STATUS_REVISION_MISMATCH;
121 TALLOC_FREE(xacl.info.sd);
123 return (*ppdesc != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
126 /*******************************************************************
127 Create a DATA_BLOB from a security descriptor.
128 *******************************************************************/
130 static NTSTATUS create_acl_blob(const struct security_descriptor *psd,
133 uint8_t hash[XATTR_SD_HASH_SIZE])
135 struct xattr_NTACL xacl;
136 struct security_descriptor_hash_v3 sd_hs3;
137 enum ndr_err_code ndr_err;
138 TALLOC_CTX *ctx = talloc_tos();
144 xacl.info.sd_hs3 = &sd_hs3;
145 xacl.info.sd_hs3->sd = CONST_DISCARD(struct security_descriptor *, psd);
146 xacl.info.sd_hs3->hash_type = hash_type;
147 memcpy(&xacl.info.sd_hs3->hash[0], hash, XATTR_SD_HASH_SIZE);
149 ndr_err = ndr_push_struct_blob(
151 (ndr_push_flags_fn_t)ndr_push_xattr_NTACL);
153 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
154 DEBUG(5, ("create_acl_blob: ndr_push_xattr_NTACL failed: %s\n",
155 ndr_errstr(ndr_err)));
156 return ndr_map_error2ntstatus(ndr_err);;
162 /*******************************************************************
163 Add in 3 inheritable components for a non-inheritable directory ACL.
164 CREATOR_OWNER/CREATOR_GROUP/WORLD.
165 *******************************************************************/
167 static void add_directory_inheritable_components(vfs_handle_struct *handle,
169 SMB_STRUCT_STAT *psbuf,
170 struct security_descriptor *psd)
172 struct connection_struct *conn = handle->conn;
173 int num_aces = (psd->dacl ? psd->dacl->num_aces : 0);
174 struct smb_filename smb_fname;
175 enum security_ace_type acltype;
176 uint32_t access_mask;
180 struct security_ace *new_ace_list = TALLOC_ZERO_ARRAY(talloc_tos(),
184 if (new_ace_list == NULL) {
188 /* Fake a quick smb_filename. */
189 ZERO_STRUCT(smb_fname);
190 smb_fname.st = *psbuf;
191 smb_fname.base_name = CONST_DISCARD(char *, name);
193 dir_mode = unix_mode(conn,
194 FILE_ATTRIBUTE_DIRECTORY, &smb_fname, NULL);
195 file_mode = unix_mode(conn,
196 FILE_ATTRIBUTE_ARCHIVE, &smb_fname, NULL);
198 mode = dir_mode | file_mode;
200 DEBUG(10, ("add_directory_inheritable_components: directory %s, "
203 (unsigned int)mode ));
206 memcpy(new_ace_list, psd->dacl->aces,
207 num_aces * sizeof(struct security_ace));
209 access_mask = map_canon_ace_perms(SNUM(conn), &acltype,
212 init_sec_ace(&new_ace_list[num_aces],
213 &global_sid_Creator_Owner,
216 SEC_ACE_FLAG_CONTAINER_INHERIT|
217 SEC_ACE_FLAG_OBJECT_INHERIT|
218 SEC_ACE_FLAG_INHERIT_ONLY);
219 access_mask = map_canon_ace_perms(SNUM(conn), &acltype,
220 (mode << 3) & 0700, false);
221 init_sec_ace(&new_ace_list[num_aces+1],
222 &global_sid_Creator_Group,
225 SEC_ACE_FLAG_CONTAINER_INHERIT|
226 SEC_ACE_FLAG_OBJECT_INHERIT|
227 SEC_ACE_FLAG_INHERIT_ONLY);
228 access_mask = map_canon_ace_perms(SNUM(conn), &acltype,
229 (mode << 6) & 0700, false);
230 init_sec_ace(&new_ace_list[num_aces+2],
234 SEC_ACE_FLAG_CONTAINER_INHERIT|
235 SEC_ACE_FLAG_OBJECT_INHERIT|
236 SEC_ACE_FLAG_INHERIT_ONLY);
237 psd->dacl->aces = new_ace_list;
238 psd->dacl->num_aces += 3;
241 /*******************************************************************
242 Pull a DATA_BLOB from an xattr given a pathname.
243 If the hash doesn't match, or doesn't exist - return the underlying
245 *******************************************************************/
247 static NTSTATUS get_nt_acl_internal(vfs_handle_struct *handle,
250 uint32_t security_info,
251 struct security_descriptor **ppdesc)
255 uint16_t hash_type = XATTR_SD_HASH_TYPE_NONE;
256 uint8_t hash[XATTR_SD_HASH_SIZE];
257 uint8_t hash_tmp[XATTR_SD_HASH_SIZE];
258 struct security_descriptor *psd = NULL;
259 struct security_descriptor *pdesc_next = NULL;
261 if (fsp && name == NULL) {
262 name = fsp->fsp_name->base_name;
265 DEBUG(10, ("get_nt_acl_internal: name=%s\n", name));
267 /* Get the full underlying sd for the hash
268 or to return as backup. */
270 status = SMB_VFS_NEXT_FGET_NT_ACL(handle,
275 status = SMB_VFS_NEXT_GET_NT_ACL(handle,
281 if (!NT_STATUS_IS_OK(status)) {
282 DEBUG(10, ("get_nt_acl_internal: get_next_acl for file %s "
289 status = get_acl_blob(talloc_tos(), handle, fsp, name, &blob);
290 if (!NT_STATUS_IS_OK(status)) {
291 DEBUG(10, ("get_nt_acl_internal: get_acl_blob returned %s\n",
297 status = parse_acl_blob(&blob, &psd,
298 &hash_type, &hash[0]);
299 if (!NT_STATUS_IS_OK(status)) {
300 DEBUG(10, ("parse_acl_blob returned %s\n",
306 /* Ensure the hash type is one we know. */
308 case XATTR_SD_HASH_TYPE_NONE:
309 /* No hash, just return blob sd. */
311 case XATTR_SD_HASH_TYPE_SHA256:
314 DEBUG(10, ("get_nt_acl_internal: ACL blob revision "
315 "mismatch (%u) for file %s\n",
316 (unsigned int)hash_type,
324 status = hash_sd_sha256(pdesc_next, hash_tmp);
325 if (!NT_STATUS_IS_OK(status)) {
331 if (memcmp(&hash[0], &hash_tmp[0], XATTR_SD_HASH_SIZE) == 0) {
332 /* Hash matches, return blob sd. */
333 DEBUG(10, ("get_nt_acl_internal: blob hash "
334 "matches for file %s\n",
339 /* Hash doesn't match, return underlying sd. */
345 if (psd != pdesc_next) {
346 /* We're returning the blob, throw
347 * away the filesystem SD. */
348 TALLOC_FREE(pdesc_next);
350 SMB_STRUCT_STAT sbuf;
351 SMB_STRUCT_STAT *psbuf = &sbuf;
352 bool is_directory = false;
354 * We're returning the underlying ACL from the
355 * filesystem. If it's a directory, and has no
356 * inheritable ACE entries we have to fake them.
359 is_directory = fsp->is_directory;
360 psbuf = &fsp->fsp_name->st;
362 if (vfs_stat_smb_fname(handle->conn,
365 is_directory = S_ISDIR(sbuf.st_ex_mode);
369 !sd_has_inheritable_components(psd,
371 add_directory_inheritable_components(handle,
376 /* The underlying POSIX module always sets
377 the ~SEC_DESC_DACL_PROTECTED bit, as ACLs
378 can't be inherited in this way under POSIX.
379 Remove it for Windows-style ACLs. */
380 psd->type &= ~SEC_DESC_DACL_PROTECTED;
383 if (!(security_info & SECINFO_OWNER)) {
384 psd->owner_sid = NULL;
386 if (!(security_info & SECINFO_GROUP)) {
387 psd->group_sid = NULL;
389 if (!(security_info & SECINFO_DACL)) {
392 if (!(security_info & SECINFO_SACL)) {
396 TALLOC_FREE(blob.data);
401 /*********************************************************************
402 Create a default ACL by inheriting from the parent. If no inheritance
403 from the parent available, don't set anything. This will leave the actual
404 permissions the new file or directory already got from the filesystem
405 as the NT ACL when read.
406 *********************************************************************/
408 static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
410 struct security_descriptor *parent_desc,
413 TALLOC_CTX *ctx = talloc_tos();
414 NTSTATUS status = NT_STATUS_OK;
415 struct security_descriptor *psd = NULL;
418 if (!sd_has_inheritable_components(parent_desc, is_directory)) {
422 /* Create an inherited descriptor from the parent. */
424 if (DEBUGLEVEL >= 10) {
425 DEBUG(10,("inherit_new_acl: parent acl for %s is:\n",
427 NDR_PRINT_DEBUG(security_descriptor, parent_desc);
430 status = se_create_child_secdesc(ctx,
434 &handle->conn->server_info->ptok->sids[PRIMARY_USER_SID_INDEX],
435 &handle->conn->server_info->ptok->sids[PRIMARY_GROUP_SID_INDEX],
437 if (!NT_STATUS_IS_OK(status)) {
441 if (DEBUGLEVEL >= 10) {
442 DEBUG(10,("inherit_new_acl: child acl for %s is:\n",
444 NDR_PRINT_DEBUG(security_descriptor, parent_desc);
447 return SMB_VFS_FSET_NT_ACL(fsp,
454 static NTSTATUS check_parent_acl_common(vfs_handle_struct *handle,
456 uint32_t access_mask,
457 struct security_descriptor **pp_parent_desc)
459 char *parent_name = NULL;
460 struct security_descriptor *parent_desc = NULL;
461 uint32_t access_granted = 0;
464 if (!parent_dirname(talloc_tos(), path, &parent_name, NULL)) {
465 return NT_STATUS_NO_MEMORY;
468 status = get_nt_acl_internal(handle,
476 if (!NT_STATUS_IS_OK(status)) {
477 DEBUG(10,("check_parent_acl_common: get_nt_acl_internal "
478 "on directory %s for "
479 "path %s returned %s\n",
482 nt_errstr(status) ));
485 if (pp_parent_desc) {
486 *pp_parent_desc = parent_desc;
488 status = smb1_file_se_access_check(handle->conn,
490 get_current_nttok(handle->conn),
493 if(!NT_STATUS_IS_OK(status)) {
494 DEBUG(10,("check_parent_acl_common: access check "
495 "on directory %s for "
496 "path %s for mask 0x%x returned %s\n",
500 nt_errstr(status) ));
506 static void free_sd_common(void **ptr)
511 /*********************************************************************
512 Check ACL on open. For new files inherit from parent directory.
513 *********************************************************************/
515 static int open_acl_common(vfs_handle_struct *handle,
516 struct smb_filename *smb_fname,
521 uint32_t access_granted = 0;
522 struct security_descriptor *pdesc = NULL;
523 struct security_descriptor *parent_desc = NULL;
524 bool file_existed = true;
529 /* Stream open. Base filename open already did the ACL check. */
530 DEBUG(10,("open_acl_common: stream open on %s\n",
532 return SMB_VFS_NEXT_OPEN(handle, smb_fname, fsp, flags, mode);
535 status = get_full_smb_filename(talloc_tos(), smb_fname,
537 if (!NT_STATUS_IS_OK(status)) {
541 status = get_nt_acl_internal(handle,
548 if (NT_STATUS_IS_OK(status)) {
549 /* See if we can access it. */
550 status = smb1_file_se_access_check(handle->conn,
552 get_current_nttok(handle->conn),
555 if (!NT_STATUS_IS_OK(status)) {
556 DEBUG(10,("open_acl_xattr: %s open "
557 "refused with error %s\n",
559 nt_errstr(status) ));
562 } else if (NT_STATUS_EQUAL(status,NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
563 file_existed = false;
565 * If O_CREAT is true then we're trying to create a file.
566 * Check the parent directory ACL will allow this.
568 if (flags & O_CREAT) {
569 struct security_descriptor *psd = NULL;
571 status = check_parent_acl_common(handle, fname,
572 SEC_DIR_ADD_FILE, &parent_desc);
573 if (!NT_STATUS_IS_OK(status)) {
576 /* Cache the parent security descriptor for
577 * later use. We do have an fsp here, but to
578 * keep the code consistent with the directory
579 * case which doesn't, use the handle. */
581 /* Attach this to the conn, move from talloc_tos(). */
582 psd = (struct security_descriptor *)talloc_move(handle->conn,
586 status = NT_STATUS_NO_MEMORY;
589 status = NT_STATUS_NO_MEMORY;
590 SMB_VFS_HANDLE_SET_DATA(handle, psd, free_sd_common,
591 struct security_descriptor *, goto err);
592 status = NT_STATUS_OK;
596 DEBUG(10,("open_acl_xattr: get_nt_acl_attr_internal for "
599 nt_errstr(status) ));
601 fsp->fh->fd = SMB_VFS_NEXT_OPEN(handle, smb_fname, fsp, flags, mode);
606 errno = map_errno_from_nt_status(status);
610 static int mkdir_acl_common(vfs_handle_struct *handle, const char *path, mode_t mode)
614 SMB_STRUCT_STAT sbuf;
616 ret = vfs_stat_smb_fname(handle->conn, path, &sbuf);
617 if (ret == -1 && errno == ENOENT) {
618 struct security_descriptor *parent_desc = NULL;
619 struct security_descriptor *psd = NULL;
621 /* We're creating a new directory. */
622 status = check_parent_acl_common(handle, path,
623 SEC_DIR_ADD_SUBDIR, &parent_desc);
624 if (!NT_STATUS_IS_OK(status)) {
625 errno = map_errno_from_nt_status(status);
629 /* Cache the parent security descriptor for
630 * later use. We don't have an fsp here so
633 /* Attach this to the conn, move from talloc_tos(). */
634 psd = (struct security_descriptor *)talloc_move(handle->conn,
640 SMB_VFS_HANDLE_SET_DATA(handle, psd, free_sd_common,
641 struct security_descriptor *, return -1);
644 return SMB_VFS_NEXT_MKDIR(handle, path, mode);
647 /*********************************************************************
648 Fetch a security descriptor given an fsp.
649 *********************************************************************/
651 static NTSTATUS fget_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp,
652 uint32_t security_info, struct security_descriptor **ppdesc)
654 return get_nt_acl_internal(handle, fsp,
655 NULL, security_info, ppdesc);
658 /*********************************************************************
659 Fetch a security descriptor given a pathname.
660 *********************************************************************/
662 static NTSTATUS get_nt_acl_common(vfs_handle_struct *handle,
663 const char *name, uint32_t security_info, struct security_descriptor **ppdesc)
665 return get_nt_acl_internal(handle, NULL,
666 name, security_info, ppdesc);
669 /*********************************************************************
670 Store a security descriptor given an fsp.
671 *********************************************************************/
673 static NTSTATUS fset_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp,
674 uint32_t security_info_sent, const struct security_descriptor *orig_psd)
678 struct security_descriptor *pdesc_next = NULL;
679 struct security_descriptor *psd = NULL;
680 uint8_t hash[XATTR_SD_HASH_SIZE];
682 if (DEBUGLEVEL >= 10) {
683 DEBUG(10,("fset_nt_acl_xattr: incoming sd for file %s\n",
685 NDR_PRINT_DEBUG(security_descriptor,
686 CONST_DISCARD(struct security_descriptor *,orig_psd));
689 status = get_nt_acl_internal(handle, fsp,
691 SECINFO_OWNER|SECINFO_GROUP|SECINFO_DACL|SECINFO_SACL,
694 if (!NT_STATUS_IS_OK(status)) {
698 if ((security_info_sent & SECINFO_OWNER) && (orig_psd->owner_sid != NULL)) {
699 psd->owner_sid = orig_psd->owner_sid;
701 if ((security_info_sent & SECINFO_GROUP) && (orig_psd->group_sid != NULL)) {
702 psd->group_sid = orig_psd->group_sid;
704 if (security_info_sent & SECINFO_DACL) {
705 psd->dacl = orig_psd->dacl;
707 if (security_info_sent & SECINFO_SACL) {
708 psd->sacl = orig_psd->sacl;
711 status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
712 if (!NT_STATUS_IS_OK(status)) {
716 /* Get the full underlying sd, then hash. */
717 status = SMB_VFS_NEXT_FGET_NT_ACL(handle,
722 if (!NT_STATUS_IS_OK(status)) {
726 status = hash_sd_sha256(pdesc_next, hash);
727 if (!NT_STATUS_IS_OK(status)) {
731 if (DEBUGLEVEL >= 10) {
732 DEBUG(10,("fset_nt_acl_xattr: storing xattr sd for file %s\n",
734 NDR_PRINT_DEBUG(security_descriptor,
735 CONST_DISCARD(struct security_descriptor *,psd));
737 create_acl_blob(psd, &blob, XATTR_SD_HASH_TYPE_SHA256, hash);
738 store_acl_blob_fsp(handle, fsp, &blob);
743 static SMB_STRUCT_DIR *opendir_acl_common(vfs_handle_struct *handle,
744 const char *fname, const char *mask, uint32 attr)
746 NTSTATUS status = check_parent_acl_common(handle, fname,
749 if (!NT_STATUS_IS_OK(status)) {
750 errno = map_errno_from_nt_status(status);
753 return SMB_VFS_NEXT_OPENDIR(handle, fname, mask, attr);
756 static int acl_common_remove_object(vfs_handle_struct *handle,
760 connection_struct *conn = handle->conn;
762 files_struct *fsp = NULL;
764 char *parent_dir = NULL;
765 const char *final_component = NULL;
766 struct smb_filename local_fname;
769 if (!parent_dirname(talloc_tos(), path,
770 &parent_dir, &final_component)) {
771 saved_errno = ENOMEM;
775 DEBUG(10,("acl_common_remove_object: removing %s %s/%s\n",
776 is_directory ? "directory" : "file",
777 parent_dir, final_component ));
779 /* cd into the parent dir to pin it. */
780 ret = SMB_VFS_CHDIR(conn, parent_dir);
786 ZERO_STRUCT(local_fname);
787 local_fname.base_name = CONST_DISCARD(char *,final_component);
789 /* Must use lstat here. */
790 ret = SMB_VFS_LSTAT(conn, &local_fname);
796 /* Ensure we have this file open with DELETE access. */
797 id = vfs_file_id_from_sbuf(conn, &local_fname.st);
798 for (fsp = file_find_di_first(conn->sconn, id); fsp;
799 file_find_di_next(fsp)) {
800 if (fsp->access_mask & DELETE_ACCESS &&
801 fsp->delete_on_close) {
802 /* We did open this for delete,
803 * allow the delete as root.
810 DEBUG(10,("acl_common_remove_object: %s %s/%s "
811 "not an open file\n",
812 is_directory ? "directory" : "file",
813 parent_dir, final_component ));
814 saved_errno = EACCES;
820 ret = SMB_VFS_NEXT_RMDIR(handle, final_component);
822 ret = SMB_VFS_NEXT_UNLINK(handle, &local_fname);
832 TALLOC_FREE(parent_dir);
834 vfs_ChDir(conn, conn->connectpath);
841 static int rmdir_acl_common(struct vfs_handle_struct *handle,
846 ret = SMB_VFS_NEXT_RMDIR(handle, path);
847 if (!(ret == -1 && (errno == EACCES || errno == EPERM))) {
848 DEBUG(10,("rmdir_acl_common: unlink of %s failed %s\n",
854 return acl_common_remove_object(handle,
859 static NTSTATUS create_file_acl_common(struct vfs_handle_struct *handle,
860 struct smb_request *req,
861 uint16_t root_dir_fid,
862 struct smb_filename *smb_fname,
863 uint32_t access_mask,
864 uint32_t share_access,
865 uint32_t create_disposition,
866 uint32_t create_options,
867 uint32_t file_attributes,
868 uint32_t oplock_request,
869 uint64_t allocation_size,
870 uint32_t private_flags,
871 struct security_descriptor *sd,
872 struct ea_list *ea_list,
873 files_struct **result,
876 NTSTATUS status, status1;
877 files_struct *fsp = NULL;
879 struct security_descriptor *parent_sd = NULL;
881 status = SMB_VFS_NEXT_CREATE_FILE(handle,
898 if (!NT_STATUS_IS_OK(status)) {
902 if (info != FILE_WAS_CREATED) {
903 /* File/directory was opened, not created. */
910 /* Only handle success. */
915 /* Security descriptor already set. */
925 /* We must have a cached parent sd in this case.
926 * attached to the handle. */
928 SMB_VFS_HANDLE_GET_DATA(handle, parent_sd,
929 struct security_descriptor,
936 /* New directory - inherit from parent. */
937 status1 = inherit_new_acl(handle, fsp, parent_sd, fsp->is_directory);
939 if (!NT_STATUS_IS_OK(status1)) {
940 DEBUG(1,("create_file_acl_common: error setting "
943 nt_errstr(status1) ));
948 /* Ensure we never leave attached data around. */
949 SMB_VFS_HANDLE_FREE_DATA(handle);
951 if (NT_STATUS_IS_OK(status) && pinfo) {
958 smb_panic("create_file_acl_common: logic error.\n");
963 static int unlink_acl_common(struct vfs_handle_struct *handle,
964 const struct smb_filename *smb_fname)
968 ret = SMB_VFS_NEXT_UNLINK(handle, smb_fname);
969 if (!(ret == -1 && (errno == EACCES || errno == EPERM))) {
970 DEBUG(10,("unlink_acl_common: unlink of %s failed %s\n",
971 smb_fname->base_name,
975 /* Don't do anything fancy for streams. */
976 if (smb_fname->stream_name) {
980 return acl_common_remove_object(handle,
981 smb_fname->base_name,
git.samba.org / garming / samba-autobuild / .git / blob