Prevent reallocs of the talloc pool itself
[ira/wip.git] / source3 / smbd / posix_acls.c
1 /*
2    Unix SMB/CIFS implementation.
3    SMB NT Security Descriptor / Unix permission conversion.
4    Copyright (C) Jeremy Allison 1994-2009.
5    Copyright (C) Andreas Gruenbacher 2002.
6
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License as published by
9    the Free Software Foundation; either version 3 of the License, or
10    (at your option) any later version.
11
12    This program is distributed in the hope that it will be useful,
13    but WITHOUT ANY WARRANTY; without even the implied warranty of
14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15    GNU General Public License for more details.
16
17    You should have received a copy of the GNU General Public License
18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22
23 extern struct current_user current_user;
24 extern const struct generic_mapping file_generic_mapping;
25
26 #undef  DBGC_CLASS
27 #define DBGC_CLASS DBGC_ACLS
28
29 /****************************************************************************
30  Data structures representing the internal ACE format.
31 ****************************************************************************/
32
33 enum ace_owner {UID_ACE, GID_ACE, WORLD_ACE};
34 enum ace_attribute {ALLOW_ACE, DENY_ACE}; /* Used for incoming NT ACLS. */
35
36 typedef union posix_id {
37                 uid_t uid;
38                 gid_t gid;
39                 int world;
40 } posix_id;
41
42 typedef struct canon_ace {
43         struct canon_ace *next, *prev;
44         SMB_ACL_TAG_T type;
45         mode_t perms; /* Only use S_I(R|W|X)USR mode bits here. */
46         DOM_SID trustee;
47         enum ace_owner owner_type;
48         enum ace_attribute attr;
49         posix_id unix_ug;
50         uint8_t ace_flags; /* From windows ACE entry. */
51 } canon_ace;
52
53 #define ALL_ACE_PERMS (S_IRUSR|S_IWUSR|S_IXUSR)
54
55 /*
56  * EA format of user.SAMBA_PAI (Samba_Posix_Acl_Interitance)
57  * attribute on disk - version 1.
58  * All values are little endian.
59  *
60  * |  1   |  1   |   2         |         2           |  ....
61  * +------+------+-------------+---------------------+-------------+--------------------+
62  * | vers | flag | num_entries | num_default_entries | ..entries.. | default_entries... |
63  * +------+------+-------------+---------------------+-------------+--------------------+
64  *
65  * Entry format is :
66  *
67  * |  1   |       4           |
68  * +------+-------------------+
69  * | value|  uid/gid or world |
70  * | type |  value            |
71  * +------+-------------------+
72  *
73  * Version 2 format. Stores extra Windows metadata about an ACL.
74  *
75  * |  1   |  2       |   2         |         2           |  ....
76  * +------+----------+-------------+---------------------+-------------+--------------------+
77  * | vers | ace      | num_entries | num_default_entries | ..entries.. | default_entries... |
78  * |   2  |  type    |             |                     |             |                    |
79  * +------+----------+-------------+---------------------+-------------+--------------------+
80  *
81  * Entry format is :
82  *
83  * |  1   |  1   |       4           |
84  * +------+------+-------------------+
85  * | ace  | value|  uid/gid or world |
86  * | flag | type |  value            |
87  * +------+-------------------+------+
88  *
89  */
90
91 #define PAI_VERSION_OFFSET                      0
92
93 #define PAI_V1_FLAG_OFFSET                      1
94 #define PAI_V1_NUM_ENTRIES_OFFSET               2
95 #define PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET       4
96 #define PAI_V1_ENTRIES_BASE                     6
97 #define PAI_V1_ACL_FLAG_PROTECTED               0x1
98 #define PAI_V1_ENTRY_LENGTH                     5
99
100 #define PAI_V1_VERSION                          1
101
102 #define PAI_V2_TYPE_OFFSET                      1
103 #define PAI_V2_NUM_ENTRIES_OFFSET               3
104 #define PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET       5
105 #define PAI_V2_ENTRIES_BASE                     7
106 #define PAI_V2_ENTRY_LENGTH                     6
107
108 #define PAI_V2_VERSION                          2
109
110 /*
111  * In memory format of user.SAMBA_PAI attribute.
112  */
113
114 struct pai_entry {
115         struct pai_entry *next, *prev;
116         uint8_t ace_flags;
117         enum ace_owner owner_type;
118         posix_id unix_ug;
119 };
120
121 struct pai_val {
122         uint16_t sd_type;
123         unsigned int num_entries;
124         struct pai_entry *entry_list;
125         unsigned int num_def_entries;
126         struct pai_entry *def_entry_list;
127 };
128
129 /************************************************************************
130  Return a uint32 of the pai_entry principal.
131 ************************************************************************/
132
133 static uint32_t get_pai_entry_val(struct pai_entry *paie)
134 {
135         switch (paie->owner_type) {
136                 case UID_ACE:
137                         DEBUG(10,("get_pai_entry_val: uid = %u\n", (unsigned int)paie->unix_ug.uid ));
138                         return (uint32_t)paie->unix_ug.uid;
139                 case GID_ACE:
140                         DEBUG(10,("get_pai_entry_val: gid = %u\n", (unsigned int)paie->unix_ug.gid ));
141                         return (uint32_t)paie->unix_ug.gid;
142                 case WORLD_ACE:
143                 default:
144                         DEBUG(10,("get_pai_entry_val: world ace\n"));
145                         return (uint32_t)-1;
146         }
147 }
148
149 /************************************************************************
150  Return a uint32 of the entry principal.
151 ************************************************************************/
152
153 static uint32_t get_entry_val(canon_ace *ace_entry)
154 {
155         switch (ace_entry->owner_type) {
156                 case UID_ACE:
157                         DEBUG(10,("get_entry_val: uid = %u\n", (unsigned int)ace_entry->unix_ug.uid ));
158                         return (uint32_t)ace_entry->unix_ug.uid;
159                 case GID_ACE:
160                         DEBUG(10,("get_entry_val: gid = %u\n", (unsigned int)ace_entry->unix_ug.gid ));
161                         return (uint32_t)ace_entry->unix_ug.gid;
162                 case WORLD_ACE:
163                 default:
164                         DEBUG(10,("get_entry_val: world ace\n"));
165                         return (uint32_t)-1;
166         }
167 }
168
169 /************************************************************************
170  Create the on-disk format (always v2 now). Caller must free.
171 ************************************************************************/
172
173 static char *create_pai_buf_v2(canon_ace *file_ace_list,
174                                 canon_ace *dir_ace_list,
175                                 uint16_t sd_type,
176                                 size_t *store_size)
177 {
178         char *pai_buf = NULL;
179         canon_ace *ace_list = NULL;
180         char *entry_offset = NULL;
181         unsigned int num_entries = 0;
182         unsigned int num_def_entries = 0;
183
184         for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next) {
185                 num_entries++;
186         }
187
188         for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next) {
189                 num_def_entries++;
190         }
191
192         DEBUG(10,("create_pai_buf_v2: num_entries = %u, num_def_entries = %u\n", num_entries, num_def_entries ));
193
194         *store_size = PAI_V2_ENTRIES_BASE +
195                 ((num_entries + num_def_entries)*PAI_V2_ENTRY_LENGTH);
196
197         pai_buf = (char *)SMB_MALLOC(*store_size);
198         if (!pai_buf) {
199                 return NULL;
200         }
201
202         /* Set up the header. */
203         memset(pai_buf, '\0', PAI_V2_ENTRIES_BASE);
204         SCVAL(pai_buf,PAI_VERSION_OFFSET,PAI_V2_VERSION);
205         SSVAL(pai_buf,PAI_V2_TYPE_OFFSET, sd_type);
206         SSVAL(pai_buf,PAI_V2_NUM_ENTRIES_OFFSET,num_entries);
207         SSVAL(pai_buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET,num_def_entries);
208
209         entry_offset = pai_buf + PAI_V2_ENTRIES_BASE;
210
211         for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next) {
212                 uint8_t type_val = (uint8_t)ace_list->owner_type;
213                 uint32_t entry_val = get_entry_val(ace_list);
214
215                 SCVAL(entry_offset,0,ace_list->ace_flags);
216                 SCVAL(entry_offset,1,type_val);
217                 SIVAL(entry_offset,2,entry_val);
218                 entry_offset += PAI_V2_ENTRY_LENGTH;
219         }
220
221         for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next) {
222                 uint8_t type_val = (uint8_t)ace_list->owner_type;
223                 uint32_t entry_val = get_entry_val(ace_list);
224
225                 SCVAL(entry_offset,0,ace_list->ace_flags);
226                 SCVAL(entry_offset,1,type_val);
227                 SIVAL(entry_offset,2,entry_val);
228                 entry_offset += PAI_V2_ENTRY_LENGTH;
229         }
230
231         return pai_buf;
232 }
233
234 /************************************************************************
235  Store the user.SAMBA_PAI attribute on disk.
236 ************************************************************************/
237
238 static void store_inheritance_attributes(files_struct *fsp,
239                                         canon_ace *file_ace_list,
240                                         canon_ace *dir_ace_list,
241                                         uint16_t sd_type)
242 {
243         int ret;
244         size_t store_size;
245         char *pai_buf;
246
247         if (!lp_map_acl_inherit(SNUM(fsp->conn))) {
248                 return;
249         }
250
251         pai_buf = create_pai_buf_v2(file_ace_list, dir_ace_list,
252                                 sd_type, &store_size);
253
254         if (fsp->fh->fd != -1) {
255                 ret = SMB_VFS_FSETXATTR(fsp, SAMBA_POSIX_INHERITANCE_EA_NAME,
256                                 pai_buf, store_size, 0);
257         } else {
258                 ret = SMB_VFS_SETXATTR(fsp->conn,fsp->fsp_name, SAMBA_POSIX_INHERITANCE_EA_NAME,
259                                 pai_buf, store_size, 0);
260         }
261
262         SAFE_FREE(pai_buf);
263
264         DEBUG(10,("store_inheritance_attribute: type 0x%x for file %s\n",
265                 (unsigned int)sd_type,
266                 fsp->fsp_name));
267
268         if (ret == -1 && !no_acl_syscall_error(errno)) {
269                 DEBUG(1,("store_inheritance_attribute: Error %s\n", strerror(errno) ));
270         }
271 }
272
273 /************************************************************************
274  Delete the in memory inheritance info.
275 ************************************************************************/
276
277 static void free_inherited_info(struct pai_val *pal)
278 {
279         if (pal) {
280                 struct pai_entry *paie, *paie_next;
281                 for (paie = pal->entry_list; paie; paie = paie_next) {
282                         paie_next = paie->next;
283                         SAFE_FREE(paie);
284                 }
285                 for (paie = pal->def_entry_list; paie; paie = paie_next) {
286                         paie_next = paie->next;
287                         SAFE_FREE(paie);
288                 }
289                 SAFE_FREE(pal);
290         }
291 }
292
293 /************************************************************************
294  Get any stored ACE flags.
295 ************************************************************************/
296
297 static uint16_t get_pai_flags(struct pai_val *pal, canon_ace *ace_entry, bool default_ace)
298 {
299         struct pai_entry *paie;
300
301         if (!pal) {
302                 return 0;
303         }
304
305         /* If the entry exists it is inherited. */
306         for (paie = (default_ace ? pal->def_entry_list : pal->entry_list); paie; paie = paie->next) {
307                 if (ace_entry->owner_type == paie->owner_type &&
308                                 get_entry_val(ace_entry) == get_pai_entry_val(paie))
309                         return paie->ace_flags;
310         }
311         return 0;
312 }
313
314 /************************************************************************
315  Ensure an attribute just read is valid - v1.
316 ************************************************************************/
317
318 static bool check_pai_ok_v1(const char *pai_buf, size_t pai_buf_data_size)
319 {
320         uint16 num_entries;
321         uint16 num_def_entries;
322
323         if (pai_buf_data_size < PAI_V1_ENTRIES_BASE) {
324                 /* Corrupted - too small. */
325                 return false;
326         }
327
328         if (CVAL(pai_buf,PAI_VERSION_OFFSET) != PAI_V1_VERSION) {
329                 return false;
330         }
331
332         num_entries = SVAL(pai_buf,PAI_V1_NUM_ENTRIES_OFFSET);
333         num_def_entries = SVAL(pai_buf,PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET);
334
335         /* Check the entry lists match. */
336         /* Each entry is 5 bytes (type plus 4 bytes of uid or gid). */
337
338         if (((num_entries + num_def_entries)*PAI_V1_ENTRY_LENGTH) +
339                         PAI_V1_ENTRIES_BASE != pai_buf_data_size) {
340                 return false;
341         }
342
343         return true;
344 }
345
346 /************************************************************************
347  Ensure an attribute just read is valid - v2.
348 ************************************************************************/
349
350 static bool check_pai_ok_v2(const char *pai_buf, size_t pai_buf_data_size)
351 {
352         uint16 num_entries;
353         uint16 num_def_entries;
354
355         if (pai_buf_data_size < PAI_V2_ENTRIES_BASE) {
356                 /* Corrupted - too small. */
357                 return false;
358         }
359
360         if (CVAL(pai_buf,PAI_VERSION_OFFSET) != PAI_V2_VERSION) {
361                 return false;
362         }
363
364         num_entries = SVAL(pai_buf,PAI_V2_NUM_ENTRIES_OFFSET);
365         num_def_entries = SVAL(pai_buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET);
366
367         /* Check the entry lists match. */
368         /* Each entry is 6 bytes (flags + type + 4 bytes of uid or gid). */
369
370         if (((num_entries + num_def_entries)*PAI_V2_ENTRY_LENGTH) +
371                         PAI_V2_ENTRIES_BASE != pai_buf_data_size) {
372                 return false;
373         }
374
375         return true;
376 }
377
378 /************************************************************************
379  Decode the owner.
380 ************************************************************************/
381
382 static bool get_pai_owner_type(struct pai_entry *paie, const char *entry_offset)
383 {
384         paie->owner_type = (enum ace_owner)CVAL(entry_offset,0);
385         switch( paie->owner_type) {
386                 case UID_ACE:
387                         paie->unix_ug.uid = (uid_t)IVAL(entry_offset,1);
388                         DEBUG(10,("get_pai_owner_type: uid = %u\n",
389                                 (unsigned int)paie->unix_ug.uid ));
390                         break;
391                 case GID_ACE:
392                         paie->unix_ug.gid = (gid_t)IVAL(entry_offset,1);
393                         DEBUG(10,("get_pai_owner_type: gid = %u\n",
394                                 (unsigned int)paie->unix_ug.gid ));
395                         break;
396                 case WORLD_ACE:
397                         paie->unix_ug.world = -1;
398                         DEBUG(10,("get_pai_owner_type: world ace\n"));
399                         break;
400                 default:
401                         return false;
402         }
403         return true;
404 }
405
406 /************************************************************************
407  Process v2 entries.
408 ************************************************************************/
409
410 static const char *create_pai_v1_entries(struct pai_val *paiv,
411                                 const char *entry_offset,
412                                 bool def_entry)
413 {
414         int i;
415
416         for (i = 0; i < paiv->num_entries; i++) {
417                 struct pai_entry *paie = SMB_MALLOC_P(struct pai_entry);
418                 if (!paie) {
419                         return NULL;
420                 }
421
422                 paie->ace_flags = SEC_ACE_FLAG_INHERITED_ACE;
423                 if (!get_pai_owner_type(paie, entry_offset)) {
424                         return NULL;
425                 }
426
427                 if (!def_entry) {
428                         DLIST_ADD(paiv->entry_list, paie);
429                 } else {
430                         DLIST_ADD(paiv->def_entry_list, paie);
431                 }
432                 entry_offset += PAI_V1_ENTRY_LENGTH;
433         }
434         return entry_offset;
435 }
436
437 /************************************************************************
438  Convert to in-memory format from version 1.
439 ************************************************************************/
440
441 static struct pai_val *create_pai_val_v1(const char *buf, size_t size)
442 {
443         const char *entry_offset;
444         struct pai_val *paiv = NULL;
445
446         if (!check_pai_ok_v1(buf, size)) {
447                 return NULL;
448         }
449
450         paiv = SMB_MALLOC_P(struct pai_val);
451         if (!paiv) {
452                 return NULL;
453         }
454
455         memset(paiv, '\0', sizeof(struct pai_val));
456
457         paiv->sd_type = (CVAL(buf,PAI_V1_FLAG_OFFSET) == PAI_V1_ACL_FLAG_PROTECTED) ?
458                         SE_DESC_DACL_PROTECTED : 0;
459
460         paiv->num_entries = SVAL(buf,PAI_V1_NUM_ENTRIES_OFFSET);
461         paiv->num_def_entries = SVAL(buf,PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET);
462
463         entry_offset = buf + PAI_V1_ENTRIES_BASE;
464
465         DEBUG(10,("create_pai_val: num_entries = %u, num_def_entries = %u\n",
466                         paiv->num_entries, paiv->num_def_entries ));
467
468         entry_offset = create_pai_v1_entries(paiv, entry_offset, false);
469         if (entry_offset == NULL) {
470                 free_inherited_info(paiv);
471                 return NULL;
472         }
473         entry_offset = create_pai_v1_entries(paiv, entry_offset, true);
474         if (entry_offset == NULL) {
475                 free_inherited_info(paiv);
476                 return NULL;
477         }
478
479         return paiv;
480 }
481
482 /************************************************************************
483  Process v2 entries.
484 ************************************************************************/
485
486 static const char *create_pai_v2_entries(struct pai_val *paiv,
487                                 const char *entry_offset,
488                                 bool def_entry)
489 {
490         int i;
491
492         for (i = 0; i < paiv->num_entries; i++) {
493                 struct pai_entry *paie = SMB_MALLOC_P(struct pai_entry);
494                 if (!paie) {
495                         return NULL;
496                 }
497
498                 paie->ace_flags = CVAL(entry_offset,0);
499
500                 entry_offset++;
501
502                 if (!get_pai_owner_type(paie, entry_offset)) {
503                         return NULL;
504                 }
505                 if (!def_entry) {
506                         DLIST_ADD(paiv->entry_list, paie);
507                 } else {
508                         DLIST_ADD(paiv->def_entry_list, paie);
509                 }
510                 entry_offset += PAI_V2_ENTRY_LENGTH;
511         }
512         return entry_offset;
513 }
514
515 /************************************************************************
516  Convert to in-memory format from version 2.
517 ************************************************************************/
518
519 static struct pai_val *create_pai_val_v2(const char *buf, size_t size)
520 {
521         const char *entry_offset;
522         struct pai_val *paiv = NULL;
523
524         if (!check_pai_ok_v2(buf, size)) {
525                 return NULL;
526         }
527
528         paiv = SMB_MALLOC_P(struct pai_val);
529         if (!paiv) {
530                 return NULL;
531         }
532
533         memset(paiv, '\0', sizeof(struct pai_val));
534
535         paiv->sd_type = SVAL(buf,PAI_V2_TYPE_OFFSET);
536
537         paiv->num_entries = SVAL(buf,PAI_V2_NUM_ENTRIES_OFFSET);
538         paiv->num_def_entries = SVAL(buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET);
539
540         entry_offset = buf + PAI_V2_ENTRIES_BASE;
541
542         DEBUG(10,("create_pai_val_v2: num_entries = %u, num_def_entries = %u\n",
543                         paiv->num_entries, paiv->num_def_entries ));
544
545         entry_offset = create_pai_v2_entries(paiv, entry_offset, false);
546         if (entry_offset == NULL) {
547                 free_inherited_info(paiv);
548                 return NULL;
549         }
550         entry_offset = create_pai_v2_entries(paiv, entry_offset, true);
551         if (entry_offset == NULL) {
552                 free_inherited_info(paiv);
553                 return NULL;
554         }
555
556         return paiv;
557 }
558
559 /************************************************************************
560  Convert to in-memory format - from either version 1 or 2.
561 ************************************************************************/
562
563 static struct pai_val *create_pai_val(const char *buf, size_t size)
564 {
565         if (size < 1) {
566                 return NULL;
567         }
568         if (CVAL(buf,PAI_VERSION_OFFSET) == PAI_V1_VERSION) {
569                 return create_pai_val_v1(buf, size);
570         } else if (CVAL(buf,PAI_VERSION_OFFSET) == PAI_V2_VERSION) {
571                 return create_pai_val_v2(buf, size);
572         } else {
573                 return NULL;
574         }
575 }
576
577 /************************************************************************
578  Load the user.SAMBA_PAI attribute.
579 ************************************************************************/
580
581 static struct pai_val *fload_inherited_info(files_struct *fsp)
582 {
583         char *pai_buf;
584         size_t pai_buf_size = 1024;
585         struct pai_val *paiv = NULL;
586         ssize_t ret;
587
588         if (!lp_map_acl_inherit(SNUM(fsp->conn))) {
589                 return NULL;
590         }
591
592         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL) {
593                 return NULL;
594         }
595
596         do {
597                 if (fsp->fh->fd != -1) {
598                         ret = SMB_VFS_FGETXATTR(fsp, SAMBA_POSIX_INHERITANCE_EA_NAME,
599                                         pai_buf, pai_buf_size);
600                 } else {
601                         ret = SMB_VFS_GETXATTR(fsp->conn,fsp->fsp_name,SAMBA_POSIX_INHERITANCE_EA_NAME,
602                                         pai_buf, pai_buf_size);
603                 }
604
605                 if (ret == -1) {
606                         if (errno != ERANGE) {
607                                 break;
608                         }
609                         /* Buffer too small - enlarge it. */
610                         pai_buf_size *= 2;
611                         SAFE_FREE(pai_buf);
612                         if (pai_buf_size > 1024*1024) {
613                                 return NULL; /* Limit malloc to 1mb. */
614                         }
615                         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL)
616                                 return NULL;
617                 }
618         } while (ret == -1);
619
620         DEBUG(10,("load_inherited_info: ret = %lu for file %s\n", (unsigned long)ret, fsp->fsp_name));
621
622         if (ret == -1) {
623                 /* No attribute or not supported. */
624 #if defined(ENOATTR)
625                 if (errno != ENOATTR)
626                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
627 #else
628                 if (errno != ENOSYS)
629                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
630 #endif
631                 SAFE_FREE(pai_buf);
632                 return NULL;
633         }
634
635         paiv = create_pai_val(pai_buf, ret);
636
637         if (paiv) {
638                 DEBUG(10,("load_inherited_info: ACL type is 0x%x for file %s\n",
639                         (unsigned int)paiv->sd_type,
640                         fsp->fsp_name));
641         }
642
643         SAFE_FREE(pai_buf);
644         return paiv;
645 }
646
647 /************************************************************************
648  Load the user.SAMBA_PAI attribute.
649 ************************************************************************/
650
651 static struct pai_val *load_inherited_info(const struct connection_struct *conn,
652                                            const char *fname)
653 {
654         char *pai_buf;
655         size_t pai_buf_size = 1024;
656         struct pai_val *paiv = NULL;
657         ssize_t ret;
658
659         if (!lp_map_acl_inherit(SNUM(conn))) {
660                 return NULL;
661         }
662
663         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL) {
664                 return NULL;
665         }
666
667         do {
668                 ret = SMB_VFS_GETXATTR(conn, fname,
669                                        SAMBA_POSIX_INHERITANCE_EA_NAME,
670                                        pai_buf, pai_buf_size);
671
672                 if (ret == -1) {
673                         if (errno != ERANGE) {
674                                 break;
675                         }
676                         /* Buffer too small - enlarge it. */
677                         pai_buf_size *= 2;
678                         SAFE_FREE(pai_buf);
679                         if (pai_buf_size > 1024*1024) {
680                                 return NULL; /* Limit malloc to 1mb. */
681                         }
682                         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL)
683                                 return NULL;
684                 }
685         } while (ret == -1);
686
687         DEBUG(10,("load_inherited_info: ret = %lu for file %s\n", (unsigned long)ret, fname));
688
689         if (ret == -1) {
690                 /* No attribute or not supported. */
691 #if defined(ENOATTR)
692                 if (errno != ENOATTR)
693                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
694 #else
695                 if (errno != ENOSYS)
696                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
697 #endif
698                 SAFE_FREE(pai_buf);
699                 return NULL;
700         }
701
702         paiv = create_pai_val(pai_buf, ret);
703
704         if (paiv) {
705                 DEBUG(10,("load_inherited_info: ACL type 0x%x for file %s\n",
706                         (unsigned int)paiv->sd_type,
707                         fname));
708         }
709
710         SAFE_FREE(pai_buf);
711         return paiv;
712 }
713
714 /****************************************************************************
715  Functions to manipulate the internal ACE format.
716 ****************************************************************************/
717
718 /****************************************************************************
719  Count a linked list of canonical ACE entries.
720 ****************************************************************************/
721
722 static size_t count_canon_ace_list( canon_ace *l_head )
723 {
724         size_t count = 0;
725         canon_ace *ace;
726
727         for (ace = l_head; ace; ace = ace->next)
728                 count++;
729
730         return count;
731 }
732
733 /****************************************************************************
734  Free a linked list of canonical ACE entries.
735 ****************************************************************************/
736
737 static void free_canon_ace_list( canon_ace *l_head )
738 {
739         canon_ace *list, *next;
740
741         for (list = l_head; list; list = next) {
742                 next = list->next;
743                 DLIST_REMOVE(l_head, list);
744                 SAFE_FREE(list);
745         }
746 }
747
748 /****************************************************************************
749  Function to duplicate a canon_ace entry.
750 ****************************************************************************/
751
752 static canon_ace *dup_canon_ace( canon_ace *src_ace)
753 {
754         canon_ace *dst_ace = SMB_MALLOC_P(canon_ace);
755
756         if (dst_ace == NULL)
757                 return NULL;
758
759         *dst_ace = *src_ace;
760         dst_ace->prev = dst_ace->next = NULL;
761         return dst_ace;
762 }
763
764 /****************************************************************************
765  Print out a canon ace.
766 ****************************************************************************/
767
768 static void print_canon_ace(canon_ace *pace, int num)
769 {
770         dbgtext( "canon_ace index %d. Type = %s ", num, pace->attr == ALLOW_ACE ? "allow" : "deny" );
771         dbgtext( "SID = %s ", sid_string_dbg(&pace->trustee));
772         if (pace->owner_type == UID_ACE) {
773                 const char *u_name = uidtoname(pace->unix_ug.uid);
774                 dbgtext( "uid %u (%s) ", (unsigned int)pace->unix_ug.uid, u_name );
775         } else if (pace->owner_type == GID_ACE) {
776                 char *g_name = gidtoname(pace->unix_ug.gid);
777                 dbgtext( "gid %u (%s) ", (unsigned int)pace->unix_ug.gid, g_name );
778         } else
779                 dbgtext( "other ");
780         switch (pace->type) {
781                 case SMB_ACL_USER:
782                         dbgtext( "SMB_ACL_USER ");
783                         break;
784                 case SMB_ACL_USER_OBJ:
785                         dbgtext( "SMB_ACL_USER_OBJ ");
786                         break;
787                 case SMB_ACL_GROUP:
788                         dbgtext( "SMB_ACL_GROUP ");
789                         break;
790                 case SMB_ACL_GROUP_OBJ:
791                         dbgtext( "SMB_ACL_GROUP_OBJ ");
792                         break;
793                 case SMB_ACL_OTHER:
794                         dbgtext( "SMB_ACL_OTHER ");
795                         break;
796                 default:
797                         dbgtext( "MASK " );
798                         break;
799         }
800
801         dbgtext( "ace_flags = 0x%x ", (unsigned int)pace->ace_flags);
802         dbgtext( "perms ");
803         dbgtext( "%c", pace->perms & S_IRUSR ? 'r' : '-');
804         dbgtext( "%c", pace->perms & S_IWUSR ? 'w' : '-');
805         dbgtext( "%c\n", pace->perms & S_IXUSR ? 'x' : '-');
806 }
807
808 /****************************************************************************
809  Print out a canon ace list.
810 ****************************************************************************/
811
812 static void print_canon_ace_list(const char *name, canon_ace *ace_list)
813 {
814         int count = 0;
815
816         if( DEBUGLVL( 10 )) {
817                 dbgtext( "print_canon_ace_list: %s\n", name );
818                 for (;ace_list; ace_list = ace_list->next, count++)
819                         print_canon_ace(ace_list, count );
820         }
821 }
822
823 /****************************************************************************
824  Map POSIX ACL perms to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
825 ****************************************************************************/
826
827 static mode_t convert_permset_to_mode_t(connection_struct *conn, SMB_ACL_PERMSET_T permset)
828 {
829         mode_t ret = 0;
830
831         ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_READ) ? S_IRUSR : 0);
832         ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_WRITE) ? S_IWUSR : 0);
833         ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_EXECUTE) ? S_IXUSR : 0);
834
835         return ret;
836 }
837
838 /****************************************************************************
839  Map generic UNIX permissions to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
840 ****************************************************************************/
841
842 static mode_t unix_perms_to_acl_perms(mode_t mode, int r_mask, int w_mask, int x_mask)
843 {
844         mode_t ret = 0;
845
846         if (mode & r_mask)
847                 ret |= S_IRUSR;
848         if (mode & w_mask)
849                 ret |= S_IWUSR;
850         if (mode & x_mask)
851                 ret |= S_IXUSR;
852
853         return ret;
854 }
855
856 /****************************************************************************
857  Map canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits) to
858  an SMB_ACL_PERMSET_T.
859 ****************************************************************************/
860
861 static int map_acl_perms_to_permset(connection_struct *conn, mode_t mode, SMB_ACL_PERMSET_T *p_permset)
862 {
863         if (SMB_VFS_SYS_ACL_CLEAR_PERMS(conn, *p_permset) ==  -1)
864                 return -1;
865         if (mode & S_IRUSR) {
866                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_READ) == -1)
867                         return -1;
868         }
869         if (mode & S_IWUSR) {
870                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_WRITE) == -1)
871                         return -1;
872         }
873         if (mode & S_IXUSR) {
874                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_EXECUTE) == -1)
875                         return -1;
876         }
877         return 0;
878 }
879
880 /****************************************************************************
881  Function to create owner and group SIDs from a SMB_STRUCT_STAT.
882 ****************************************************************************/
883
884 void create_file_sids(const SMB_STRUCT_STAT *psbuf, DOM_SID *powner_sid, DOM_SID *pgroup_sid)
885 {
886         uid_to_sid( powner_sid, psbuf->st_uid );
887         gid_to_sid( pgroup_sid, psbuf->st_gid );
888 }
889
890 /****************************************************************************
891  Is the identity in two ACEs equal ? Check both SID and uid/gid.
892 ****************************************************************************/
893
894 static bool identity_in_ace_equal(canon_ace *ace1, canon_ace *ace2)
895 {
896         if (sid_equal(&ace1->trustee, &ace2->trustee)) {
897                 return True;
898         }
899         if (ace1->owner_type == ace2->owner_type) {
900                 if (ace1->owner_type == UID_ACE &&
901                                 ace1->unix_ug.uid == ace2->unix_ug.uid) {
902                         return True;
903                 } else if (ace1->owner_type == GID_ACE &&
904                                 ace1->unix_ug.gid == ace2->unix_ug.gid) {
905                         return True;
906                 }
907         }
908         return False;
909 }
910
911 /****************************************************************************
912  Merge aces with a common sid - if both are allow or deny, OR the permissions together and
913  delete the second one. If the first is deny, mask the permissions off and delete the allow
914  if the permissions become zero, delete the deny if the permissions are non zero.
915 ****************************************************************************/
916
917 static void merge_aces( canon_ace **pp_list_head )
918 {
919         canon_ace *l_head = *pp_list_head;
920         canon_ace *curr_ace_outer;
921         canon_ace *curr_ace_outer_next;
922
923         /*
924          * First, merge allow entries with identical SIDs, and deny entries
925          * with identical SIDs.
926          */
927
928         for (curr_ace_outer = l_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
929                 canon_ace *curr_ace;
930                 canon_ace *curr_ace_next;
931
932                 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
933
934                 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
935
936                         curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
937
938                         if (identity_in_ace_equal(curr_ace, curr_ace_outer) &&
939                                 (curr_ace->attr == curr_ace_outer->attr)) {
940
941                                 if( DEBUGLVL( 10 )) {
942                                         dbgtext("merge_aces: Merging ACE's\n");
943                                         print_canon_ace( curr_ace_outer, 0);
944                                         print_canon_ace( curr_ace, 0);
945                                 }
946
947                                 /* Merge two allow or two deny ACE's. */
948
949                                 curr_ace_outer->perms |= curr_ace->perms;
950                                 DLIST_REMOVE(l_head, curr_ace);
951                                 SAFE_FREE(curr_ace);
952                                 curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
953                         }
954                 }
955         }
956
957         /*
958          * Now go through and mask off allow permissions with deny permissions.
959          * We can delete either the allow or deny here as we know that each SID
960          * appears only once in the list.
961          */
962
963         for (curr_ace_outer = l_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
964                 canon_ace *curr_ace;
965                 canon_ace *curr_ace_next;
966
967                 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
968
969                 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
970
971                         curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
972
973                         /*
974                          * Subtract ACE's with different entries. Due to the ordering constraints
975                          * we've put on the ACL, we know the deny must be the first one.
976                          */
977
978                         if (identity_in_ace_equal(curr_ace, curr_ace_outer) &&
979                                 (curr_ace_outer->attr == DENY_ACE) && (curr_ace->attr == ALLOW_ACE)) {
980
981                                 if( DEBUGLVL( 10 )) {
982                                         dbgtext("merge_aces: Masking ACE's\n");
983                                         print_canon_ace( curr_ace_outer, 0);
984                                         print_canon_ace( curr_ace, 0);
985                                 }
986
987                                 curr_ace->perms &= ~curr_ace_outer->perms;
988
989                                 if (curr_ace->perms == 0) {
990
991                                         /*
992                                          * The deny overrides the allow. Remove the allow.
993                                          */
994
995                                         DLIST_REMOVE(l_head, curr_ace);
996                                         SAFE_FREE(curr_ace);
997                                         curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
998
999                                 } else {
1000
1001                                         /*
1002                                          * Even after removing permissions, there
1003                                          * are still allow permissions - delete the deny.
1004                                          * It is safe to delete the deny here,
1005                                          * as we are guarenteed by the deny first
1006                                          * ordering that all the deny entries for
1007                                          * this SID have already been merged into one
1008                                          * before we can get to an allow ace.
1009                                          */
1010
1011                                         DLIST_REMOVE(l_head, curr_ace_outer);
1012                                         SAFE_FREE(curr_ace_outer);
1013                                         break;
1014                                 }
1015                         }
1016
1017                 } /* end for curr_ace */
1018         } /* end for curr_ace_outer */
1019
1020         /* We may have modified the list. */
1021
1022         *pp_list_head = l_head;
1023 }
1024
1025 /****************************************************************************
1026  Check if we need to return NT4.x compatible ACL entries.
1027 ****************************************************************************/
1028
1029 bool nt4_compatible_acls(void)
1030 {
1031         int compat = lp_acl_compatibility();
1032
1033         if (compat == ACL_COMPAT_AUTO) {
1034                 enum remote_arch_types ra_type = get_remote_arch();
1035
1036                 /* Automatically adapt to client */
1037                 return (ra_type <= RA_WINNT);
1038         } else
1039                 return (compat == ACL_COMPAT_WINNT);
1040 }
1041
1042
1043 /****************************************************************************
1044  Map canon_ace perms to permission bits NT.
1045  The attr element is not used here - we only process deny entries on set,
1046  not get. Deny entries are implicit on get with ace->perms = 0.
1047 ****************************************************************************/
1048
1049 static uint32_t map_canon_ace_perms(int snum,
1050                                 enum security_ace_type *pacl_type,
1051                                 mode_t perms,
1052                                 bool directory_ace)
1053 {
1054         uint32_t nt_mask = 0;
1055
1056         *pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED;
1057
1058         if (lp_acl_map_full_control(snum) && ((perms & ALL_ACE_PERMS) == ALL_ACE_PERMS)) {
1059                 if (directory_ace) {
1060                         nt_mask = UNIX_DIRECTORY_ACCESS_RWX;
1061                 } else {
1062                         nt_mask = (UNIX_ACCESS_RWX & ~DELETE_ACCESS);
1063                 }
1064         } else if ((perms & ALL_ACE_PERMS) == (mode_t)0) {
1065                 /*
1066                  * Windows NT refuses to display ACEs with no permissions in them (but
1067                  * they are perfectly legal with Windows 2000). If the ACE has empty
1068                  * permissions we cannot use 0, so we use the otherwise unused
1069                  * WRITE_OWNER permission, which we ignore when we set an ACL.
1070                  * We abstract this into a #define of UNIX_ACCESS_NONE to allow this
1071                  * to be changed in the future.
1072                  */
1073
1074                 if (nt4_compatible_acls())
1075                         nt_mask = UNIX_ACCESS_NONE;
1076                 else
1077                         nt_mask = 0;
1078         } else {
1079                 if (directory_ace) {
1080                         nt_mask |= ((perms & S_IRUSR) ? UNIX_DIRECTORY_ACCESS_R : 0 );
1081                         nt_mask |= ((perms & S_IWUSR) ? UNIX_DIRECTORY_ACCESS_W : 0 );
1082                         nt_mask |= ((perms & S_IXUSR) ? UNIX_DIRECTORY_ACCESS_X : 0 );
1083                 } else {
1084                         nt_mask |= ((perms & S_IRUSR) ? UNIX_ACCESS_R : 0 );
1085                         nt_mask |= ((perms & S_IWUSR) ? UNIX_ACCESS_W : 0 );
1086                         nt_mask |= ((perms & S_IXUSR) ? UNIX_ACCESS_X : 0 );
1087                 }
1088         }
1089
1090         DEBUG(10,("map_canon_ace_perms: Mapped (UNIX) %x to (NT) %x\n",
1091                         (unsigned int)perms, (unsigned int)nt_mask ));
1092
1093         return nt_mask;
1094 }
1095
1096 /****************************************************************************
1097  Map NT perms to a UNIX mode_t.
1098 ****************************************************************************/
1099
1100 #define FILE_SPECIFIC_READ_BITS (FILE_READ_DATA|FILE_READ_EA|FILE_READ_ATTRIBUTES)
1101 #define FILE_SPECIFIC_WRITE_BITS (FILE_WRITE_DATA|FILE_APPEND_DATA|FILE_WRITE_EA|FILE_WRITE_ATTRIBUTES)
1102 #define FILE_SPECIFIC_EXECUTE_BITS (FILE_EXECUTE)
1103
1104 static mode_t map_nt_perms( uint32 *mask, int type)
1105 {
1106         mode_t mode = 0;
1107
1108         switch(type) {
1109         case S_IRUSR:
1110                 if((*mask) & GENERIC_ALL_ACCESS)
1111                         mode = S_IRUSR|S_IWUSR|S_IXUSR;
1112                 else {
1113                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRUSR : 0;
1114                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWUSR : 0;
1115                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXUSR : 0;
1116                 }
1117                 break;
1118         case S_IRGRP:
1119                 if((*mask) & GENERIC_ALL_ACCESS)
1120                         mode = S_IRGRP|S_IWGRP|S_IXGRP;
1121                 else {
1122                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRGRP : 0;
1123                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWGRP : 0;
1124                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXGRP : 0;
1125                 }
1126                 break;
1127         case S_IROTH:
1128                 if((*mask) & GENERIC_ALL_ACCESS)
1129                         mode = S_IROTH|S_IWOTH|S_IXOTH;
1130                 else {
1131                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IROTH : 0;
1132                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWOTH : 0;
1133                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXOTH : 0;
1134                 }
1135                 break;
1136         }
1137
1138         return mode;
1139 }
1140
1141 /****************************************************************************
1142  Unpack a SEC_DESC into a UNIX owner and group.
1143 ****************************************************************************/
1144
1145 NTSTATUS unpack_nt_owners(int snum, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, const SEC_DESC *psd)
1146 {
1147         DOM_SID owner_sid;
1148         DOM_SID grp_sid;
1149
1150         *puser = (uid_t)-1;
1151         *pgrp = (gid_t)-1;
1152
1153         if(security_info_sent == 0) {
1154                 DEBUG(0,("unpack_nt_owners: no security info sent !\n"));
1155                 return NT_STATUS_OK;
1156         }
1157
1158         /*
1159          * Validate the owner and group SID's.
1160          */
1161
1162         memset(&owner_sid, '\0', sizeof(owner_sid));
1163         memset(&grp_sid, '\0', sizeof(grp_sid));
1164
1165         DEBUG(5,("unpack_nt_owners: validating owner_sids.\n"));
1166
1167         /*
1168          * Don't immediately fail if the owner sid cannot be validated.
1169          * This may be a group chown only set.
1170          */
1171
1172         if (security_info_sent & OWNER_SECURITY_INFORMATION) {
1173                 sid_copy(&owner_sid, psd->owner_sid);
1174                 if (!sid_to_uid(&owner_sid, puser)) {
1175                         if (lp_force_unknown_acl_user(snum)) {
1176                                 /* this allows take ownership to work
1177                                  * reasonably */
1178                                 *puser = current_user.ut.uid;
1179                         } else {
1180                                 DEBUG(3,("unpack_nt_owners: unable to validate"
1181                                          " owner sid for %s\n",
1182                                          sid_string_dbg(&owner_sid)));
1183                                 return NT_STATUS_INVALID_OWNER;
1184                         }
1185                 }
1186                 DEBUG(3,("unpack_nt_owners: owner sid mapped to uid %u\n",
1187                          (unsigned int)*puser ));
1188         }
1189
1190         /*
1191          * Don't immediately fail if the group sid cannot be validated.
1192          * This may be an owner chown only set.
1193          */
1194
1195         if (security_info_sent & GROUP_SECURITY_INFORMATION) {
1196                 sid_copy(&grp_sid, psd->group_sid);
1197                 if (!sid_to_gid( &grp_sid, pgrp)) {
1198                         if (lp_force_unknown_acl_user(snum)) {
1199                                 /* this allows take group ownership to work
1200                                  * reasonably */
1201                                 *pgrp = current_user.ut.gid;
1202                         } else {
1203                                 DEBUG(3,("unpack_nt_owners: unable to validate"
1204                                          " group sid.\n"));
1205                                 return NT_STATUS_INVALID_OWNER;
1206                         }
1207                 }
1208                 DEBUG(3,("unpack_nt_owners: group sid mapped to gid %u\n",
1209                          (unsigned int)*pgrp));
1210         }
1211
1212         DEBUG(5,("unpack_nt_owners: owner_sids validated.\n"));
1213
1214         return NT_STATUS_OK;
1215 }
1216
1217 /****************************************************************************
1218  Ensure the enforced permissions for this share apply.
1219 ****************************************************************************/
1220
1221 static void apply_default_perms(const struct share_params *params,
1222                                 const bool is_directory, canon_ace *pace,
1223                                 mode_t type)
1224 {
1225         mode_t and_bits = (mode_t)0;
1226         mode_t or_bits = (mode_t)0;
1227
1228         /* Get the initial bits to apply. */
1229
1230         if (is_directory) {
1231                 and_bits = lp_dir_security_mask(params->service);
1232                 or_bits = lp_force_dir_security_mode(params->service);
1233         } else {
1234                 and_bits = lp_security_mask(params->service);
1235                 or_bits = lp_force_security_mode(params->service);
1236         }
1237
1238         /* Now bounce them into the S_USR space. */     
1239         switch(type) {
1240         case S_IRUSR:
1241                 /* Ensure owner has read access. */
1242                 pace->perms |= S_IRUSR;
1243                 if (is_directory)
1244                         pace->perms |= (S_IWUSR|S_IXUSR);
1245                 and_bits = unix_perms_to_acl_perms(and_bits, S_IRUSR, S_IWUSR, S_IXUSR);
1246                 or_bits = unix_perms_to_acl_perms(or_bits, S_IRUSR, S_IWUSR, S_IXUSR);
1247                 break;
1248         case S_IRGRP:
1249                 and_bits = unix_perms_to_acl_perms(and_bits, S_IRGRP, S_IWGRP, S_IXGRP);
1250                 or_bits = unix_perms_to_acl_perms(or_bits, S_IRGRP, S_IWGRP, S_IXGRP);
1251                 break;
1252         case S_IROTH:
1253                 and_bits = unix_perms_to_acl_perms(and_bits, S_IROTH, S_IWOTH, S_IXOTH);
1254                 or_bits = unix_perms_to_acl_perms(or_bits, S_IROTH, S_IWOTH, S_IXOTH);
1255                 break;
1256         }
1257
1258         pace->perms = ((pace->perms & and_bits)|or_bits);
1259 }
1260
1261 /****************************************************************************
1262  Check if a given uid/SID is in a group gid/SID. This is probably very
1263  expensive and will need optimisation. A *lot* of optimisation :-). JRA.
1264 ****************************************************************************/
1265
1266 static bool uid_entry_in_group( canon_ace *uid_ace, canon_ace *group_ace )
1267 {
1268         const char *u_name = NULL;
1269
1270         /* "Everyone" always matches every uid. */
1271
1272         if (sid_equal(&group_ace->trustee, &global_sid_World))
1273                 return True;
1274
1275         /* Assume that the current user is in the current group (force group) */
1276
1277         if (uid_ace->unix_ug.uid == current_user.ut.uid && group_ace->unix_ug.gid == current_user.ut.gid)
1278                 return True;
1279
1280         /* u_name talloc'ed off tos. */
1281         u_name = uidtoname(uid_ace->unix_ug.uid);
1282         if (!u_name) {
1283                 return False;
1284         }
1285         return user_in_group_sid(u_name, &group_ace->trustee);
1286 }
1287
1288 /****************************************************************************
1289  A well formed POSIX file or default ACL has at least 3 entries, a 
1290  SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ.
1291  In addition, the owner must always have at least read access.
1292  When using this call on get_acl, the pst struct is valid and contains
1293  the mode of the file. When using this call on set_acl, the pst struct has
1294  been modified to have a mode containing the default for this file or directory
1295  type.
1296 ****************************************************************************/
1297
1298 static bool ensure_canon_entry_valid(canon_ace **pp_ace,
1299                                      const struct share_params *params,
1300                                      const bool is_directory,
1301                                                         const DOM_SID *pfile_owner_sid,
1302                                                         const DOM_SID *pfile_grp_sid,
1303                                                         const SMB_STRUCT_STAT *pst,
1304                                                         bool setting_acl)
1305 {
1306         canon_ace *pace;
1307         bool got_user = False;
1308         bool got_grp = False;
1309         bool got_other = False;
1310         canon_ace *pace_other = NULL;
1311
1312         for (pace = *pp_ace; pace; pace = pace->next) {
1313                 if (pace->type == SMB_ACL_USER_OBJ) {
1314
1315                         if (setting_acl)
1316                                 apply_default_perms(params, is_directory, pace, S_IRUSR);
1317                         got_user = True;
1318
1319                 } else if (pace->type == SMB_ACL_GROUP_OBJ) {
1320
1321                         /*
1322                          * Ensure create mask/force create mode is respected on set.
1323                          */
1324
1325                         if (setting_acl)
1326                                 apply_default_perms(params, is_directory, pace, S_IRGRP);
1327                         got_grp = True;
1328
1329                 } else if (pace->type == SMB_ACL_OTHER) {
1330
1331                         /*
1332                          * Ensure create mask/force create mode is respected on set.
1333                          */
1334
1335                         if (setting_acl)
1336                                 apply_default_perms(params, is_directory, pace, S_IROTH);
1337                         got_other = True;
1338                         pace_other = pace;
1339                 }
1340         }
1341
1342         if (!got_user) {
1343                 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1344                         DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1345                         return False;
1346                 }
1347
1348                 ZERO_STRUCTP(pace);
1349                 pace->type = SMB_ACL_USER_OBJ;
1350                 pace->owner_type = UID_ACE;
1351                 pace->unix_ug.uid = pst->st_uid;
1352                 pace->trustee = *pfile_owner_sid;
1353                 pace->attr = ALLOW_ACE;
1354
1355                 if (setting_acl) {
1356                         /* See if the owning user is in any of the other groups in
1357                            the ACE. If so, OR in the permissions from that group. */
1358
1359                         bool group_matched = False;
1360                         canon_ace *pace_iter;
1361
1362                         for (pace_iter = *pp_ace; pace_iter; pace_iter = pace_iter->next) {
1363                                 if (pace_iter->type == SMB_ACL_GROUP_OBJ || pace_iter->type == SMB_ACL_GROUP) {
1364                                         if (uid_entry_in_group(pace, pace_iter)) {
1365                                                 pace->perms |= pace_iter->perms;
1366                                                 group_matched = True;
1367                                         }
1368                                 }
1369                         }
1370
1371                         /* If we only got an "everyone" perm, just use that. */
1372                         if (!group_matched) {
1373                                 if (got_other)
1374                                         pace->perms = pace_other->perms;
1375                                 else
1376                                         pace->perms = 0;
1377                         }
1378
1379                         apply_default_perms(params, is_directory, pace, S_IRUSR);
1380                 } else {
1381                         pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IRUSR, S_IWUSR, S_IXUSR);
1382                 }
1383
1384                 DLIST_ADD(*pp_ace, pace);
1385         }
1386
1387         if (!got_grp) {
1388                 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1389                         DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1390                         return False;
1391                 }
1392
1393                 ZERO_STRUCTP(pace);
1394                 pace->type = SMB_ACL_GROUP_OBJ;
1395                 pace->owner_type = GID_ACE;
1396                 pace->unix_ug.uid = pst->st_gid;
1397                 pace->trustee = *pfile_grp_sid;
1398                 pace->attr = ALLOW_ACE;
1399                 if (setting_acl) {
1400                         /* If we only got an "everyone" perm, just use that. */
1401                         if (got_other)
1402                                 pace->perms = pace_other->perms;
1403                         else
1404                                 pace->perms = 0;
1405                         apply_default_perms(params, is_directory, pace, S_IRGRP);
1406                 } else {
1407                         pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IRGRP, S_IWGRP, S_IXGRP);
1408                 }
1409
1410                 DLIST_ADD(*pp_ace, pace);
1411         }
1412
1413         if (!got_other) {
1414                 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1415                         DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1416                         return False;
1417                 }
1418
1419                 ZERO_STRUCTP(pace);
1420                 pace->type = SMB_ACL_OTHER;
1421                 pace->owner_type = WORLD_ACE;
1422                 pace->unix_ug.world = -1;
1423                 pace->trustee = global_sid_World;
1424                 pace->attr = ALLOW_ACE;
1425                 if (setting_acl) {
1426                         pace->perms = 0;
1427                         apply_default_perms(params, is_directory, pace, S_IROTH);
1428                 } else
1429                         pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IROTH, S_IWOTH, S_IXOTH);
1430
1431                 DLIST_ADD(*pp_ace, pace);
1432         }
1433
1434         return True;
1435 }
1436
1437 /****************************************************************************
1438  Check if a POSIX ACL has the required SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries.
1439  If it does not have them, check if there are any entries where the trustee is the
1440  file owner or the owning group, and map these to SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ.
1441 ****************************************************************************/
1442
1443 static void check_owning_objs(canon_ace *ace, DOM_SID *pfile_owner_sid, DOM_SID *pfile_grp_sid)
1444 {
1445         bool got_user_obj, got_group_obj;
1446         canon_ace *current_ace;
1447         int i, entries;
1448
1449         entries = count_canon_ace_list(ace);
1450         got_user_obj = False;
1451         got_group_obj = False;
1452
1453         for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1454                 if (current_ace->type == SMB_ACL_USER_OBJ)
1455                         got_user_obj = True;
1456                 else if (current_ace->type == SMB_ACL_GROUP_OBJ)
1457                         got_group_obj = True;
1458         }
1459         if (got_user_obj && got_group_obj) {
1460                 DEBUG(10,("check_owning_objs: ACL had owning user/group entries.\n"));
1461                 return;
1462         }
1463
1464         for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1465                 if (!got_user_obj && current_ace->owner_type == UID_ACE &&
1466                                 sid_equal(&current_ace->trustee, pfile_owner_sid)) {
1467                         current_ace->type = SMB_ACL_USER_OBJ;
1468                         got_user_obj = True;
1469                 }
1470                 if (!got_group_obj && current_ace->owner_type == GID_ACE &&
1471                                 sid_equal(&current_ace->trustee, pfile_grp_sid)) {
1472                         current_ace->type = SMB_ACL_GROUP_OBJ;
1473                         got_group_obj = True;
1474                 }
1475         }
1476         if (!got_user_obj)
1477                 DEBUG(10,("check_owning_objs: ACL is missing an owner entry.\n"));
1478         if (!got_group_obj)
1479                 DEBUG(10,("check_owning_objs: ACL is missing an owning group entry.\n"));
1480 }
1481
1482 /****************************************************************************
1483  Unpack a SEC_DESC into two canonical ace lists.
1484 ****************************************************************************/
1485
1486 static bool create_canon_ace_lists(files_struct *fsp,
1487                                         SMB_STRUCT_STAT *pst,
1488                                         DOM_SID *pfile_owner_sid,
1489                                         DOM_SID *pfile_grp_sid,
1490                                         canon_ace **ppfile_ace,
1491                                         canon_ace **ppdir_ace,
1492                                         const SEC_ACL *dacl)
1493 {
1494         bool all_aces_are_inherit_only = (fsp->is_directory ? True : False);
1495         canon_ace *file_ace = NULL;
1496         canon_ace *dir_ace = NULL;
1497         canon_ace *current_ace = NULL;
1498         bool got_dir_allow = False;
1499         bool got_file_allow = False;
1500         int i, j;
1501
1502         *ppfile_ace = NULL;
1503         *ppdir_ace = NULL;
1504
1505         /*
1506          * Convert the incoming ACL into a more regular form.
1507          */
1508
1509         for(i = 0; i < dacl->num_aces; i++) {
1510                 SEC_ACE *psa = &dacl->aces[i];
1511
1512                 if((psa->type != SEC_ACE_TYPE_ACCESS_ALLOWED) && (psa->type != SEC_ACE_TYPE_ACCESS_DENIED)) {
1513                         DEBUG(3,("create_canon_ace_lists: unable to set anything but an ALLOW or DENY ACE.\n"));
1514                         return False;
1515                 }
1516
1517                 if (nt4_compatible_acls()) {
1518                         /*
1519                          * The security mask may be UNIX_ACCESS_NONE which should map into
1520                          * no permissions (we overload the WRITE_OWNER bit for this) or it
1521                          * should be one of the ALL/EXECUTE/READ/WRITE bits. Arrange for this
1522                          * to be so. Any other bits override the UNIX_ACCESS_NONE bit.
1523                          */
1524
1525                         /*
1526                          * Convert GENERIC bits to specific bits.
1527                          */
1528  
1529                         se_map_generic(&psa->access_mask, &file_generic_mapping);
1530
1531                         psa->access_mask &= (UNIX_ACCESS_NONE|FILE_ALL_ACCESS);
1532
1533                         if(psa->access_mask != UNIX_ACCESS_NONE)
1534                                 psa->access_mask &= ~UNIX_ACCESS_NONE;
1535                 }
1536         }
1537
1538         /*
1539          * Deal with the fact that NT 4.x re-writes the canonical format
1540          * that we return for default ACLs. If a directory ACE is identical
1541          * to a inherited directory ACE then NT changes the bits so that the
1542          * first ACE is set to OI|IO and the second ACE for this SID is set
1543          * to CI. We need to repair this. JRA.
1544          */
1545
1546         for(i = 0; i < dacl->num_aces; i++) {
1547                 SEC_ACE *psa1 = &dacl->aces[i];
1548
1549                 for (j = i + 1; j < dacl->num_aces; j++) {
1550                         SEC_ACE *psa2 = &dacl->aces[j];
1551
1552                         if (psa1->access_mask != psa2->access_mask)
1553                                 continue;
1554
1555                         if (!sid_equal(&psa1->trustee, &psa2->trustee))
1556                                 continue;
1557
1558                         /*
1559                          * Ok - permission bits and SIDs are equal.
1560                          * Check if flags were re-written.
1561                          */
1562
1563                         if (psa1->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1564
1565                                 psa1->flags |= (psa2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1566                                 psa2->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1567
1568                         } else if (psa2->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1569
1570                                 psa2->flags |= (psa1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1571                                 psa1->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1572
1573                         }
1574                 }
1575         }
1576
1577         for(i = 0; i < dacl->num_aces; i++) {
1578                 SEC_ACE *psa = &dacl->aces[i];
1579
1580                 /*
1581                  * Create a cannon_ace entry representing this NT DACL ACE.
1582                  */
1583
1584                 if ((current_ace = SMB_MALLOC_P(canon_ace)) == NULL) {
1585                         free_canon_ace_list(file_ace);
1586                         free_canon_ace_list(dir_ace);
1587                         DEBUG(0,("create_canon_ace_lists: malloc fail.\n"));
1588                         return False;
1589                 }
1590
1591                 ZERO_STRUCTP(current_ace);
1592
1593                 sid_copy(&current_ace->trustee, &psa->trustee);
1594
1595                 /*
1596                  * Try and work out if the SID is a user or group
1597                  * as we need to flag these differently for POSIX.
1598                  * Note what kind of a POSIX ACL this should map to.
1599                  */
1600
1601                 if( sid_equal(&current_ace->trustee, &global_sid_World)) {
1602                         current_ace->owner_type = WORLD_ACE;
1603                         current_ace->unix_ug.world = -1;
1604                         current_ace->type = SMB_ACL_OTHER;
1605                 } else if (sid_equal(&current_ace->trustee, &global_sid_Creator_Owner)) {
1606                         current_ace->owner_type = UID_ACE;
1607                         current_ace->unix_ug.uid = pst->st_uid;
1608                         current_ace->type = SMB_ACL_USER_OBJ;
1609
1610                         /*
1611                          * The Creator Owner entry only specifies inheritable permissions,
1612                          * never access permissions. WinNT doesn't always set the ACE to
1613                          *INHERIT_ONLY, though.
1614                          */
1615
1616                         if (nt4_compatible_acls())
1617                                 psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1618                 } else if (sid_equal(&current_ace->trustee, &global_sid_Creator_Group)) {
1619                         current_ace->owner_type = GID_ACE;
1620                         current_ace->unix_ug.gid = pst->st_gid;
1621                         current_ace->type = SMB_ACL_GROUP_OBJ;
1622
1623                         /*
1624                          * The Creator Group entry only specifies inheritable permissions,
1625                          * never access permissions. WinNT doesn't always set the ACE to
1626                          *INHERIT_ONLY, though.
1627                          */
1628                         if (nt4_compatible_acls())
1629                                 psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1630
1631                 } else if (sid_to_uid( &current_ace->trustee, &current_ace->unix_ug.uid)) {
1632                         current_ace->owner_type = UID_ACE;
1633                         /* If it's the owning user, this is a user_obj, not
1634                          * a user. */
1635                         if (current_ace->unix_ug.uid == pst->st_uid) {
1636                                 current_ace->type = SMB_ACL_USER_OBJ;
1637                         } else {
1638                                 current_ace->type = SMB_ACL_USER;
1639                         }
1640                 } else if (sid_to_gid( &current_ace->trustee, &current_ace->unix_ug.gid)) {
1641                         current_ace->owner_type = GID_ACE;
1642                         /* If it's the primary group, this is a group_obj, not
1643                          * a group. */
1644                         if (current_ace->unix_ug.gid == pst->st_gid) {
1645                                 current_ace->type = SMB_ACL_GROUP_OBJ;
1646                         } else {
1647                                 current_ace->type = SMB_ACL_GROUP;
1648                         }
1649                 } else {
1650                         /*
1651                          * Silently ignore map failures in non-mappable SIDs (NT Authority, BUILTIN etc).
1652                          */
1653
1654                         if (non_mappable_sid(&psa->trustee)) {
1655                                 DEBUG(10, ("create_canon_ace_lists: ignoring "
1656                                            "non-mappable SID %s\n",
1657                                            sid_string_dbg(&psa->trustee)));
1658                                 SAFE_FREE(current_ace);
1659                                 continue;
1660                         }
1661
1662                         free_canon_ace_list(file_ace);
1663                         free_canon_ace_list(dir_ace);
1664                         DEBUG(0, ("create_canon_ace_lists: unable to map SID "
1665                                   "%s to uid or gid.\n",
1666                                   sid_string_dbg(&current_ace->trustee)));
1667                         SAFE_FREE(current_ace);
1668                         return False;
1669                 }
1670
1671                 /*
1672                  * Map the given NT permissions into a UNIX mode_t containing only
1673                  * S_I(R|W|X)USR bits.
1674                  */
1675
1676                 current_ace->perms |= map_nt_perms( &psa->access_mask, S_IRUSR);
1677                 current_ace->attr = (psa->type == SEC_ACE_TYPE_ACCESS_ALLOWED) ? ALLOW_ACE : DENY_ACE;
1678
1679                 /* Store the ace_flag. */
1680                 current_ace->ace_flags = psa->flags;
1681
1682                 /*
1683                  * Now add the created ace to either the file list, the directory
1684                  * list, or both. We *MUST* preserve the order here (hence we use
1685                  * DLIST_ADD_END) as NT ACLs are order dependent.
1686                  */
1687
1688                 if (fsp->is_directory) {
1689
1690                         /*
1691                          * We can only add to the default POSIX ACE list if the ACE is
1692                          * designed to be inherited by both files and directories.
1693                          */
1694
1695                         if ((psa->flags & (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) ==
1696                                 (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) {
1697
1698                                 DLIST_ADD_END(dir_ace, current_ace, canon_ace *);
1699
1700                                 /*
1701                                  * Note if this was an allow ace. We can't process
1702                                  * any further deny ace's after this.
1703                                  */
1704
1705                                 if (current_ace->attr == ALLOW_ACE)
1706                                         got_dir_allow = True;
1707
1708                                 if ((current_ace->attr == DENY_ACE) && got_dir_allow) {
1709                                         DEBUG(0,("create_canon_ace_lists: malformed ACL in inheritable ACL ! \
1710 Deny entry after Allow entry. Failing to set on file %s.\n", fsp->fsp_name ));
1711                                         free_canon_ace_list(file_ace);
1712                                         free_canon_ace_list(dir_ace);
1713                                         return False;
1714                                 }       
1715
1716                                 if( DEBUGLVL( 10 )) {
1717                                         dbgtext("create_canon_ace_lists: adding dir ACL:\n");
1718                                         print_canon_ace( current_ace, 0);
1719                                 }
1720
1721                                 /*
1722                                  * If this is not an inherit only ACE we need to add a duplicate
1723                                  * to the file acl.
1724                                  */
1725
1726                                 if (!(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1727                                         canon_ace *dup_ace = dup_canon_ace(current_ace);
1728
1729                                         if (!dup_ace) {
1730                                                 DEBUG(0,("create_canon_ace_lists: malloc fail !\n"));
1731                                                 free_canon_ace_list(file_ace);
1732                                                 free_canon_ace_list(dir_ace);
1733                                                 return False;
1734                                         }
1735
1736                                         /*
1737                                          * We must not free current_ace here as its
1738                                          * pointer is now owned by the dir_ace list.
1739                                          */
1740                                         current_ace = dup_ace;
1741                                 } else {
1742                                         /*
1743                                          * We must not free current_ace here as its
1744                                          * pointer is now owned by the dir_ace list.
1745                                          */
1746                                         current_ace = NULL;
1747                                 }
1748                         }
1749                 }
1750
1751                 /*
1752                  * Only add to the file ACL if not inherit only.
1753                  */
1754
1755                 if (current_ace && !(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1756                         DLIST_ADD_END(file_ace, current_ace, canon_ace *);
1757
1758                         /*
1759                          * Note if this was an allow ace. We can't process
1760                          * any further deny ace's after this.
1761                          */
1762
1763                         if (current_ace->attr == ALLOW_ACE)
1764                                 got_file_allow = True;
1765
1766                         if ((current_ace->attr == DENY_ACE) && got_file_allow) {
1767                                 DEBUG(0,("create_canon_ace_lists: malformed ACL in file ACL ! \
1768 Deny entry after Allow entry. Failing to set on file %s.\n", fsp->fsp_name ));
1769                                 free_canon_ace_list(file_ace);
1770                                 free_canon_ace_list(dir_ace);
1771                                 return False;
1772                         }       
1773
1774                         if( DEBUGLVL( 10 )) {
1775                                 dbgtext("create_canon_ace_lists: adding file ACL:\n");
1776                                 print_canon_ace( current_ace, 0);
1777                         }
1778                         all_aces_are_inherit_only = False;
1779                         /*
1780                          * We must not free current_ace here as its
1781                          * pointer is now owned by the file_ace list.
1782                          */
1783                         current_ace = NULL;
1784                 }
1785
1786                 /*
1787                  * Free if ACE was not added.
1788                  */
1789
1790                 SAFE_FREE(current_ace);
1791         }
1792
1793         if (fsp->is_directory && all_aces_are_inherit_only) {
1794                 /*
1795                  * Windows 2000 is doing one of these weird 'inherit acl'
1796                  * traverses to conserve NTFS ACL resources. Just pretend
1797                  * there was no DACL sent. JRA.
1798                  */
1799
1800                 DEBUG(10,("create_canon_ace_lists: Win2k inherit acl traverse. Ignoring DACL.\n"));
1801                 free_canon_ace_list(file_ace);
1802                 free_canon_ace_list(dir_ace);
1803                 file_ace = NULL;
1804                 dir_ace = NULL;
1805         } else {
1806                 /*
1807                  * Check if we have SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries in each
1808                  * ACL. If we don't have them, check if any SMB_ACL_USER/SMB_ACL_GROUP
1809                  * entries can be converted to *_OBJ. Usually we will already have these
1810                  * entries in the Default ACL, and the Access ACL will not have them.
1811                  */
1812                 if (file_ace) {
1813                         check_owning_objs(file_ace, pfile_owner_sid, pfile_grp_sid);
1814                 }
1815                 if (dir_ace) {
1816                         check_owning_objs(dir_ace, pfile_owner_sid, pfile_grp_sid);
1817                 }
1818         }
1819
1820         *ppfile_ace = file_ace;
1821         *ppdir_ace = dir_ace;
1822
1823         return True;
1824 }
1825
1826 /****************************************************************************
1827  ASCII art time again... JRA :-).
1828
1829  We have 4 cases to process when moving from an NT ACL to a POSIX ACL. Firstly,
1830  we insist the ACL is in canonical form (ie. all DENY entries preceede ALLOW
1831  entries). Secondly, the merge code has ensured that all duplicate SID entries for
1832  allow or deny have been merged, so the same SID can only appear once in the deny
1833  list or once in the allow list.
1834
1835  We then process as follows :
1836
1837  ---------------------------------------------------------------------------
1838  First pass - look for a Everyone DENY entry.
1839
1840  If it is deny all (rwx) trunate the list at this point.
1841  Else, walk the list from this point and use the deny permissions of this
1842  entry as a mask on all following allow entries. Finally, delete
1843  the Everyone DENY entry (we have applied it to everything possible).
1844
1845  In addition, in this pass we remove any DENY entries that have 
1846  no permissions (ie. they are a DENY nothing).
1847  ---------------------------------------------------------------------------
1848  Second pass - only deal with deny user entries.
1849
1850  DENY user1 (perms XXX)
1851
1852  new_perms = 0
1853  for all following allow group entries where user1 is in group
1854         new_perms |= group_perms;
1855
1856  user1 entry perms = new_perms & ~ XXX;
1857
1858  Convert the deny entry to an allow entry with the new perms and
1859  push to the end of the list. Note if the user was in no groups
1860  this maps to a specific allow nothing entry for this user.
1861
1862  The common case from the NT ACL choser (userX deny all) is
1863  optimised so we don't do the group lookup - we just map to
1864  an allow nothing entry.
1865
1866  What we're doing here is inferring the allow permissions the
1867  person setting the ACE on user1 wanted by looking at the allow
1868  permissions on the groups the user is currently in. This will
1869  be a snapshot, depending on group membership but is the best
1870  we can do and has the advantage of failing closed rather than
1871  open.
1872  ---------------------------------------------------------------------------
1873  Third pass - only deal with deny group entries.
1874
1875  DENY group1 (perms XXX)
1876
1877  for all following allow user entries where user is in group1
1878    user entry perms = user entry perms & ~ XXX;
1879
1880  If there is a group Everyone allow entry with permissions YYY,
1881  convert the group1 entry to an allow entry and modify its
1882  permissions to be :
1883
1884  new_perms = YYY & ~ XXX
1885
1886  and push to the end of the list.
1887
1888  If there is no group Everyone allow entry then convert the
1889  group1 entry to a allow nothing entry and push to the end of the list.
1890
1891  Note that the common case from the NT ACL choser (groupX deny all)
1892  cannot be optimised here as we need to modify user entries who are
1893  in the group to change them to a deny all also.
1894
1895  What we're doing here is modifying the allow permissions of
1896  user entries (which are more specific in POSIX ACLs) to mask
1897  out the explicit deny set on the group they are in. This will
1898  be a snapshot depending on current group membership but is the
1899  best we can do and has the advantage of failing closed rather
1900  than open.
1901  ---------------------------------------------------------------------------
1902  Fourth pass - cope with cumulative permissions.
1903
1904  for all allow user entries, if there exists an allow group entry with
1905  more permissive permissions, and the user is in that group, rewrite the
1906  allow user permissions to contain both sets of permissions.
1907
1908  Currently the code for this is #ifdef'ed out as these semantics make
1909  no sense to me. JRA.
1910  ---------------------------------------------------------------------------
1911
1912  Note we *MUST* do the deny user pass first as this will convert deny user
1913  entries into allow user entries which can then be processed by the deny
1914  group pass.
1915
1916  The above algorithm took a *lot* of thinking about - hence this
1917  explaination :-). JRA.
1918 ****************************************************************************/
1919
1920 /****************************************************************************
1921  Process a canon_ace list entries. This is very complex code. We need
1922  to go through and remove the "deny" permissions from any allow entry that matches
1923  the id of this entry. We have already refused any NT ACL that wasn't in correct
1924  order (DENY followed by ALLOW). If any allow entry ends up with zero permissions,
1925  we just remove it (to fail safe). We have already removed any duplicate ace
1926  entries. Treat an "Everyone" DENY_ACE as a special case - use it to mask all
1927  allow entries.
1928 ****************************************************************************/
1929
1930 static void process_deny_list( canon_ace **pp_ace_list )
1931 {
1932         canon_ace *ace_list = *pp_ace_list;
1933         canon_ace *curr_ace = NULL;
1934         canon_ace *curr_ace_next = NULL;
1935
1936         /* Pass 1 above - look for an Everyone, deny entry. */
1937
1938         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
1939                 canon_ace *allow_ace_p;
1940
1941                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
1942
1943                 if (curr_ace->attr != DENY_ACE)
1944                         continue;
1945
1946                 if (curr_ace->perms == (mode_t)0) {
1947
1948                         /* Deny nothing entry - delete. */
1949
1950                         DLIST_REMOVE(ace_list, curr_ace);
1951                         continue;
1952                 }
1953
1954                 if (!sid_equal(&curr_ace->trustee, &global_sid_World))
1955                         continue;
1956
1957                 /* JRATEST - assert. */
1958                 SMB_ASSERT(curr_ace->owner_type == WORLD_ACE);
1959
1960                 if (curr_ace->perms == ALL_ACE_PERMS) {
1961
1962                         /*
1963                          * Optimisation. This is a DENY_ALL to Everyone. Truncate the
1964                          * list at this point including this entry.
1965                          */
1966
1967                         canon_ace *prev_entry = curr_ace->prev;
1968
1969                         free_canon_ace_list( curr_ace );
1970                         if (prev_entry)
1971                                 prev_entry->next = NULL;
1972                         else {
1973                                 /* We deleted the entire list. */
1974                                 ace_list = NULL;
1975                         }
1976                         break;
1977                 }
1978
1979                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
1980
1981                         /* 
1982                          * Only mask off allow entries.
1983                          */
1984
1985                         if (allow_ace_p->attr != ALLOW_ACE)
1986                                 continue;
1987
1988                         allow_ace_p->perms &= ~curr_ace->perms;
1989                 }
1990
1991                 /*
1992                  * Now it's been applied, remove it.
1993                  */
1994
1995                 DLIST_REMOVE(ace_list, curr_ace);
1996         }
1997
1998         /* Pass 2 above - deal with deny user entries. */
1999
2000         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2001                 mode_t new_perms = (mode_t)0;
2002                 canon_ace *allow_ace_p;
2003
2004                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2005
2006                 if (curr_ace->attr != DENY_ACE)
2007                         continue;
2008
2009                 if (curr_ace->owner_type != UID_ACE)
2010                         continue;
2011
2012                 if (curr_ace->perms == ALL_ACE_PERMS) {
2013
2014                         /*
2015                          * Optimisation - this is a deny everything to this user.
2016                          * Convert to an allow nothing and push to the end of the list.
2017                          */
2018
2019                         curr_ace->attr = ALLOW_ACE;
2020                         curr_ace->perms = (mode_t)0;
2021                         DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
2022                         continue;
2023                 }
2024
2025                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2026
2027                         if (allow_ace_p->attr != ALLOW_ACE)
2028                                 continue;
2029
2030                         /* We process GID_ACE and WORLD_ACE entries only. */
2031
2032                         if (allow_ace_p->owner_type == UID_ACE)
2033                                 continue;
2034
2035                         if (uid_entry_in_group( curr_ace, allow_ace_p))
2036                                 new_perms |= allow_ace_p->perms;
2037                 }
2038
2039                 /*
2040                  * Convert to a allow entry, modify the perms and push to the end
2041                  * of the list.
2042                  */
2043
2044                 curr_ace->attr = ALLOW_ACE;
2045                 curr_ace->perms = (new_perms & ~curr_ace->perms);
2046                 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
2047         }
2048
2049         /* Pass 3 above - deal with deny group entries. */
2050
2051         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2052                 canon_ace *allow_ace_p;
2053                 canon_ace *allow_everyone_p = NULL;
2054
2055                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2056
2057                 if (curr_ace->attr != DENY_ACE)
2058                         continue;
2059
2060                 if (curr_ace->owner_type != GID_ACE)
2061                         continue;
2062
2063                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2064
2065                         if (allow_ace_p->attr != ALLOW_ACE)
2066                                 continue;
2067
2068                         /* Store a pointer to the Everyone allow, if it exists. */
2069                         if (allow_ace_p->owner_type == WORLD_ACE)
2070                                 allow_everyone_p = allow_ace_p;
2071
2072                         /* We process UID_ACE entries only. */
2073
2074                         if (allow_ace_p->owner_type != UID_ACE)
2075                                 continue;
2076
2077                         /* Mask off the deny group perms. */
2078
2079                         if (uid_entry_in_group( allow_ace_p, curr_ace))
2080                                 allow_ace_p->perms &= ~curr_ace->perms;
2081                 }
2082
2083                 /*
2084                  * Convert the deny to an allow with the correct perms and
2085                  * push to the end of the list.
2086                  */
2087
2088                 curr_ace->attr = ALLOW_ACE;
2089                 if (allow_everyone_p)
2090                         curr_ace->perms = allow_everyone_p->perms & ~curr_ace->perms;
2091                 else
2092                         curr_ace->perms = (mode_t)0;
2093                 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
2094         }
2095
2096         /* Doing this fourth pass allows Windows semantics to be layered
2097          * on top of POSIX semantics. I'm not sure if this is desirable.
2098          * For example, in W2K ACLs there is no way to say, "Group X no
2099          * access, user Y full access" if user Y is a member of group X.
2100          * This seems completely broken semantics to me.... JRA.
2101          */
2102
2103 #if 0
2104         /* Pass 4 above - deal with allow entries. */
2105
2106         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2107                 canon_ace *allow_ace_p;
2108
2109                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2110
2111                 if (curr_ace->attr != ALLOW_ACE)
2112                         continue;
2113
2114                 if (curr_ace->owner_type != UID_ACE)
2115                         continue;
2116
2117                 for (allow_ace_p = ace_list; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2118
2119                         if (allow_ace_p->attr != ALLOW_ACE)
2120                                 continue;
2121
2122                         /* We process GID_ACE entries only. */
2123
2124                         if (allow_ace_p->owner_type != GID_ACE)
2125                                 continue;
2126
2127                         /* OR in the group perms. */
2128
2129                         if (uid_entry_in_group( curr_ace, allow_ace_p))
2130                                 curr_ace->perms |= allow_ace_p->perms;
2131                 }
2132         }
2133 #endif
2134
2135         *pp_ace_list = ace_list;
2136 }
2137
2138 /****************************************************************************
2139  Create a default mode that will be used if a security descriptor entry has
2140  no user/group/world entries.
2141 ****************************************************************************/
2142
2143 static mode_t create_default_mode(files_struct *fsp, bool interitable_mode)
2144 {
2145         int snum = SNUM(fsp->conn);
2146         mode_t and_bits = (mode_t)0;
2147         mode_t or_bits = (mode_t)0;
2148         mode_t mode = interitable_mode
2149                 ? unix_mode( fsp->conn, FILE_ATTRIBUTE_ARCHIVE, fsp->fsp_name,
2150                              NULL )
2151                 : S_IRUSR;
2152
2153         if (fsp->is_directory)
2154                 mode |= (S_IWUSR|S_IXUSR);
2155
2156         /*
2157          * Now AND with the create mode/directory mode bits then OR with the
2158          * force create mode/force directory mode bits.
2159          */
2160
2161         if (fsp->is_directory) {
2162                 and_bits = lp_dir_security_mask(snum);
2163                 or_bits = lp_force_dir_security_mode(snum);
2164         } else {
2165                 and_bits = lp_security_mask(snum);
2166                 or_bits = lp_force_security_mode(snum);
2167         }
2168
2169         return ((mode & and_bits)|or_bits);
2170 }
2171
2172 /****************************************************************************
2173  Unpack a SEC_DESC into two canonical ace lists. We don't depend on this
2174  succeeding.
2175 ****************************************************************************/
2176
2177 static bool unpack_canon_ace(files_struct *fsp,
2178                                 SMB_STRUCT_STAT *pst,
2179                                 DOM_SID *pfile_owner_sid,
2180                                 DOM_SID *pfile_grp_sid,
2181                                 canon_ace **ppfile_ace,
2182                                 canon_ace **ppdir_ace,
2183                                 uint32 security_info_sent,
2184                                 const SEC_DESC *psd)
2185 {
2186         canon_ace *file_ace = NULL;
2187         canon_ace *dir_ace = NULL;
2188
2189         *ppfile_ace = NULL;
2190         *ppdir_ace = NULL;
2191
2192         if(security_info_sent == 0) {
2193                 DEBUG(0,("unpack_canon_ace: no security info sent !\n"));
2194                 return False;
2195         }
2196
2197         /*
2198          * If no DACL then this is a chown only security descriptor.
2199          */
2200
2201         if(!(security_info_sent & DACL_SECURITY_INFORMATION) || !psd->dacl)
2202                 return True;
2203
2204         /*
2205          * Now go through the DACL and create the canon_ace lists.
2206          */
2207
2208         if (!create_canon_ace_lists( fsp, pst, pfile_owner_sid, pfile_grp_sid,
2209                                                                 &file_ace, &dir_ace, psd->dacl))
2210                 return False;
2211
2212         if ((file_ace == NULL) && (dir_ace == NULL)) {
2213                 /* W2K traverse DACL set - ignore. */
2214                 return True;
2215         }
2216
2217         /*
2218          * Go through the canon_ace list and merge entries
2219          * belonging to identical users of identical allow or deny type.
2220          * We can do this as all deny entries come first, followed by
2221          * all allow entries (we have mandated this before accepting this acl).
2222          */
2223
2224         print_canon_ace_list( "file ace - before merge", file_ace);
2225         merge_aces( &file_ace );
2226
2227         print_canon_ace_list( "dir ace - before merge", dir_ace);
2228         merge_aces( &dir_ace );
2229
2230         /*
2231          * NT ACLs are order dependent. Go through the acl lists and
2232          * process DENY entries by masking the allow entries.
2233          */
2234
2235         print_canon_ace_list( "file ace - before deny", file_ace);
2236         process_deny_list( &file_ace);
2237
2238         print_canon_ace_list( "dir ace - before deny", dir_ace);
2239         process_deny_list( &dir_ace);
2240
2241         /*
2242          * A well formed POSIX file or default ACL has at least 3 entries, a 
2243          * SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ
2244          * and optionally a mask entry. Ensure this is the case.
2245          */
2246
2247         print_canon_ace_list( "file ace - before valid", file_ace);
2248
2249         /*
2250          * A default 3 element mode entry for a file should be r-- --- ---.
2251          * A default 3 element mode entry for a directory should be rwx --- ---.
2252          */
2253
2254         pst->st_mode = create_default_mode(fsp, False);
2255
2256         if (!ensure_canon_entry_valid(&file_ace, fsp->conn->params, fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
2257                 free_canon_ace_list(file_ace);
2258                 free_canon_ace_list(dir_ace);
2259                 return False;
2260         }
2261
2262         print_canon_ace_list( "dir ace - before valid", dir_ace);
2263
2264         /*
2265          * A default inheritable 3 element mode entry for a directory should be the
2266          * mode Samba will use to create a file within. Ensure user rwx bits are set if
2267          * it's a directory.
2268          */
2269
2270         pst->st_mode = create_default_mode(fsp, True);
2271
2272         if (dir_ace && !ensure_canon_entry_valid(&dir_ace, fsp->conn->params, fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
2273                 free_canon_ace_list(file_ace);
2274                 free_canon_ace_list(dir_ace);
2275                 return False;
2276         }
2277
2278         print_canon_ace_list( "file ace - return", file_ace);
2279         print_canon_ace_list( "dir ace - return", dir_ace);
2280
2281         *ppfile_ace = file_ace;
2282         *ppdir_ace = dir_ace;
2283         return True;
2284
2285 }
2286
2287 /******************************************************************************
2288  When returning permissions, try and fit NT display
2289  semantics if possible. Note the the canon_entries here must have been malloced.
2290  The list format should be - first entry = owner, followed by group and other user
2291  entries, last entry = other.
2292
2293  Note that this doesn't exactly match the NT semantics for an ACL. As POSIX entries
2294  are not ordered, and match on the most specific entry rather than walking a list,
2295  then a simple POSIX permission of rw-r--r-- should really map to 5 entries,
2296
2297  Entry 0: owner : deny all except read and write.
2298  Entry 1: owner : allow read and write.
2299  Entry 2: group : deny all except read.
2300  Entry 3: group : allow read.
2301  Entry 4: Everyone : allow read.
2302
2303  But NT cannot display this in their ACL editor !
2304 ********************************************************************************/
2305
2306 static void arrange_posix_perms(const char *filename, canon_ace **pp_list_head)
2307 {
2308         canon_ace *l_head = *pp_list_head;
2309         canon_ace *owner_ace = NULL;
2310         canon_ace *other_ace = NULL;
2311         canon_ace *ace = NULL;
2312
2313         for (ace = l_head; ace; ace = ace->next) {
2314                 if (ace->type == SMB_ACL_USER_OBJ)
2315                         owner_ace = ace;
2316                 else if (ace->type == SMB_ACL_OTHER) {
2317                         /* Last ace - this is "other" */
2318                         other_ace = ace;
2319                 }
2320         }
2321
2322         if (!owner_ace || !other_ace) {
2323                 DEBUG(0,("arrange_posix_perms: Invalid POSIX permissions for file %s, missing owner or other.\n",
2324                         filename ));
2325                 return;
2326         }
2327
2328         /*
2329          * The POSIX algorithm applies to owner first, and other last,
2330          * so ensure they are arranged in this order.
2331          */
2332
2333         if (owner_ace) {
2334                 DLIST_PROMOTE(l_head, owner_ace);
2335         }
2336
2337         if (other_ace) {
2338                 DLIST_DEMOTE(l_head, other_ace, canon_ace *);
2339         }
2340
2341         /* We have probably changed the head of the list. */
2342
2343         *pp_list_head = l_head;
2344 }
2345
2346 /****************************************************************************
2347  Create a linked list of canonical ACE entries.
2348 ****************************************************************************/
2349
2350 static canon_ace *canonicalise_acl(struct connection_struct *conn,
2351                                    const char *fname, SMB_ACL_T posix_acl,
2352                                    const SMB_STRUCT_STAT *psbuf,
2353                                    const DOM_SID *powner, const DOM_SID *pgroup, struct pai_val *pal, SMB_ACL_TYPE_T the_acl_type)
2354 {
2355         mode_t acl_mask = (S_IRUSR|S_IWUSR|S_IXUSR);
2356         canon_ace *l_head = NULL;
2357         canon_ace *ace = NULL;
2358         canon_ace *next_ace = NULL;
2359         int entry_id = SMB_ACL_FIRST_ENTRY;
2360         SMB_ACL_ENTRY_T entry;
2361         size_t ace_count;
2362
2363         while ( posix_acl && (SMB_VFS_SYS_ACL_GET_ENTRY(conn, posix_acl, entry_id, &entry) == 1)) {
2364                 SMB_ACL_TAG_T tagtype;
2365                 SMB_ACL_PERMSET_T permset;
2366                 DOM_SID sid;
2367                 posix_id unix_ug;
2368                 enum ace_owner owner_type;
2369
2370                 entry_id = SMB_ACL_NEXT_ENTRY;
2371
2372                 /* Is this a MASK entry ? */
2373                 if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) == -1)
2374                         continue;
2375
2376                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1)
2377                         continue;
2378
2379                 /* Decide which SID to use based on the ACL type. */
2380                 switch(tagtype) {
2381                         case SMB_ACL_USER_OBJ:
2382                                 /* Get the SID from the owner. */
2383                                 sid_copy(&sid, powner);
2384                                 unix_ug.uid = psbuf->st_uid;
2385                                 owner_type = UID_ACE;
2386                                 break;
2387                         case SMB_ACL_USER:
2388                                 {
2389                                         uid_t *puid = (uid_t *)SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry);
2390                                         if (puid == NULL) {
2391                                                 DEBUG(0,("canonicalise_acl: Failed to get uid.\n"));
2392                                                 continue;
2393                                         }
2394                                         /*
2395                                          * A SMB_ACL_USER entry for the owner is shadowed by the
2396                                          * SMB_ACL_USER_OBJ entry and Windows also cannot represent
2397                                          * that entry, so we ignore it. We also don't create such
2398                                          * entries out of the blue when setting ACLs, so a get/set
2399                                          * cycle will drop them.
2400                                          */
2401                                         if (the_acl_type == SMB_ACL_TYPE_ACCESS && *puid == psbuf->st_uid) {
2402                                                 SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)puid,tagtype);
2403                                                 continue;
2404                                         }
2405                                         uid_to_sid( &sid, *puid);
2406                                         unix_ug.uid = *puid;
2407                                         owner_type = UID_ACE;
2408                                         SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)puid,tagtype);
2409                                         break;
2410                                 }
2411                         case SMB_ACL_GROUP_OBJ:
2412                                 /* Get the SID from the owning group. */
2413                                 sid_copy(&sid, pgroup);
2414                                 unix_ug.gid = psbuf->st_gid;
2415                                 owner_type = GID_ACE;
2416                                 break;
2417                         case SMB_ACL_GROUP:
2418                                 {
2419                                         gid_t *pgid = (gid_t *)SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry);
2420                                         if (pgid == NULL) {
2421                                                 DEBUG(0,("canonicalise_acl: Failed to get gid.\n"));
2422                                                 continue;
2423                                         }
2424                                         gid_to_sid( &sid, *pgid);
2425                                         unix_ug.gid = *pgid;
2426                                         owner_type = GID_ACE;
2427                                         SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)pgid,tagtype);
2428                                         break;
2429                                 }
2430                         case SMB_ACL_MASK:
2431                                 acl_mask = convert_permset_to_mode_t(conn, permset);
2432                                 continue; /* Don't count the mask as an entry. */
2433                         case SMB_ACL_OTHER:
2434                                 /* Use the Everyone SID */
2435                                 sid = global_sid_World;
2436                                 unix_ug.world = -1;
2437                                 owner_type = WORLD_ACE;
2438                                 break;
2439                         default:
2440                                 DEBUG(0,("canonicalise_acl: Unknown tagtype %u\n", (unsigned int)tagtype));
2441                                 continue;
2442                 }
2443
2444                 /*
2445                  * Add this entry to the list.
2446                  */
2447
2448                 if ((ace = SMB_MALLOC_P(canon_ace)) == NULL)
2449                         goto fail;
2450
2451                 ZERO_STRUCTP(ace);
2452                 ace->type = tagtype;
2453                 ace->perms = convert_permset_to_mode_t(conn, permset);
2454                 ace->attr = ALLOW_ACE;
2455                 ace->trustee = sid;
2456                 ace->unix_ug = unix_ug;
2457                 ace->owner_type = owner_type;
2458                 ace->ace_flags = get_pai_flags(pal, ace, (the_acl_type == SMB_ACL_TYPE_DEFAULT));
2459
2460                 DLIST_ADD(l_head, ace);
2461         }
2462
2463         /*
2464          * This next call will ensure we have at least a user/group/world set.
2465          */
2466
2467         if (!ensure_canon_entry_valid(&l_head, conn->params,
2468                                       S_ISDIR(psbuf->st_mode), powner, pgroup,
2469                                       psbuf, False))
2470                 goto fail;
2471
2472         /*
2473          * Now go through the list, masking the permissions with the
2474          * acl_mask. Ensure all DENY Entries are at the start of the list.
2475          */
2476
2477         DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", the_acl_type == SMB_ACL_TYPE_ACCESS ? "Access" : "Default" ));
2478
2479         for ( ace_count = 0, ace = l_head; ace; ace = next_ace, ace_count++) {
2480                 next_ace = ace->next;
2481
2482                 /* Masks are only applied to entries other than USER_OBJ and OTHER. */
2483                 if (ace->type != SMB_ACL_OTHER && ace->type != SMB_ACL_USER_OBJ)
2484                         ace->perms &= acl_mask;
2485
2486                 if (ace->perms == 0) {
2487                         DLIST_PROMOTE(l_head, ace);
2488                 }
2489
2490                 if( DEBUGLVL( 10 ) ) {
2491                         print_canon_ace(ace, ace_count);
2492                 }
2493         }
2494
2495         arrange_posix_perms(fname,&l_head );
2496
2497         print_canon_ace_list( "canonicalise_acl: ace entries after arrange", l_head );
2498
2499         return l_head;
2500
2501   fail:
2502
2503         free_canon_ace_list(l_head);
2504         return NULL;
2505 }
2506
2507 /****************************************************************************
2508  Check if the current user group list contains a given group.
2509 ****************************************************************************/
2510
2511 static bool current_user_in_group(gid_t gid)
2512 {
2513         int i;
2514
2515         for (i = 0; i < current_user.ut.ngroups; i++) {
2516                 if (current_user.ut.groups[i] == gid) {
2517                         return True;
2518                 }
2519         }
2520
2521         return False;
2522 }
2523
2524 /****************************************************************************
2525  Should we override a deny ? Check 'acl group control' and 'dos filemode'.
2526 ****************************************************************************/
2527
2528 static bool acl_group_override(connection_struct *conn,
2529                                 gid_t prim_gid,
2530                                 const char *fname)
2531 {
2532         SMB_STRUCT_STAT sbuf;
2533
2534         if ((errno != EPERM) && (errno != EACCES)) {
2535                 return false;
2536         }
2537
2538         /* file primary group == user primary or supplementary group */
2539         if (lp_acl_group_control(SNUM(conn)) &&
2540                         current_user_in_group(prim_gid)) {
2541                 return true;
2542         }
2543
2544         /* user has writeable permission */
2545         if (lp_dos_filemode(SNUM(conn)) &&
2546                         can_write_to_file(conn, fname, &sbuf)) {
2547                 return true;
2548         }
2549
2550         return false;
2551 }
2552
2553 /****************************************************************************
2554  Attempt to apply an ACL to a file or directory.
2555 ****************************************************************************/
2556
2557 static bool set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, bool default_ace, gid_t prim_gid, bool *pacl_set_support)
2558 {
2559         connection_struct *conn = fsp->conn;
2560         bool ret = False;
2561         SMB_ACL_T the_acl = SMB_VFS_SYS_ACL_INIT(conn, (int)count_canon_ace_list(the_ace) + 1);
2562         canon_ace *p_ace;
2563         int i;
2564         SMB_ACL_ENTRY_T mask_entry;
2565         bool got_mask_entry = False;
2566         SMB_ACL_PERMSET_T mask_permset;
2567         SMB_ACL_TYPE_T the_acl_type = (default_ace ? SMB_ACL_TYPE_DEFAULT : SMB_ACL_TYPE_ACCESS);
2568         bool needs_mask = False;
2569         mode_t mask_perms = 0;
2570
2571 #if defined(POSIX_ACL_NEEDS_MASK)
2572         /* HP-UX always wants to have a mask (called "class" there). */
2573         needs_mask = True;
2574 #endif
2575
2576         if (the_acl == NULL) {
2577
2578                 if (!no_acl_syscall_error(errno)) {
2579                         /*
2580                          * Only print this error message if we have some kind of ACL
2581                          * support that's not working. Otherwise we would always get this.
2582                          */
2583                         DEBUG(0,("set_canon_ace_list: Unable to init %s ACL. (%s)\n",
2584                                 default_ace ? "default" : "file", strerror(errno) ));
2585                 }
2586                 *pacl_set_support = False;
2587                 return False;
2588         }
2589
2590         if( DEBUGLVL( 10 )) {
2591                 dbgtext("set_canon_ace_list: setting ACL:\n");
2592                 for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2593                         print_canon_ace( p_ace, i);
2594                 }
2595         }
2596
2597         for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2598                 SMB_ACL_ENTRY_T the_entry;
2599                 SMB_ACL_PERMSET_T the_permset;
2600
2601                 /*
2602                  * ACLs only "need" an ACL_MASK entry if there are any named user or
2603                  * named group entries. But if there is an ACL_MASK entry, it applies
2604                  * to ACL_USER, ACL_GROUP, and ACL_GROUP_OBJ entries. Set the mask
2605                  * so that it doesn't deny (i.e., mask off) any permissions.
2606                  */
2607
2608                 if (p_ace->type == SMB_ACL_USER || p_ace->type == SMB_ACL_GROUP) {
2609                         needs_mask = True;
2610                         mask_perms |= p_ace->perms;
2611                 } else if (p_ace->type == SMB_ACL_GROUP_OBJ) {
2612                         mask_perms |= p_ace->perms;
2613                 }
2614
2615                 /*
2616                  * Get the entry for this ACE.
2617                  */
2618
2619                 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &the_entry) == -1) {
2620                         DEBUG(0,("set_canon_ace_list: Failed to create entry %d. (%s)\n",
2621                                 i, strerror(errno) ));
2622                         goto fail;
2623                 }
2624
2625                 if (p_ace->type == SMB_ACL_MASK) {
2626                         mask_entry = the_entry;
2627                         got_mask_entry = True;
2628                 }
2629
2630                 /*
2631                  * Ok - we now know the ACL calls should be working, don't
2632                  * allow fallback to chmod.
2633                  */
2634
2635                 *pacl_set_support = True;
2636
2637                 /*
2638                  * Initialise the entry from the canon_ace.
2639                  */
2640
2641                 /*
2642                  * First tell the entry what type of ACE this is.
2643                  */
2644
2645                 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, the_entry, p_ace->type) == -1) {
2646                         DEBUG(0,("set_canon_ace_list: Failed to set tag type on entry %d. (%s)\n",
2647                                 i, strerror(errno) ));
2648                         goto fail;
2649                 }
2650
2651                 /*
2652                  * Only set the qualifier (user or group id) if the entry is a user
2653                  * or group id ACE.
2654                  */
2655
2656                 if ((p_ace->type == SMB_ACL_USER) || (p_ace->type == SMB_ACL_GROUP)) {
2657                         if (SMB_VFS_SYS_ACL_SET_QUALIFIER(conn, the_entry,(void *)&p_ace->unix_ug.uid) == -1) {
2658                                 DEBUG(0,("set_canon_ace_list: Failed to set qualifier on entry %d. (%s)\n",
2659                                         i, strerror(errno) ));
2660                                 goto fail;
2661                         }
2662                 }
2663
2664                 /*
2665                  * Convert the mode_t perms in the canon_ace to a POSIX permset.
2666                  */
2667
2668                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, the_entry, &the_permset) == -1) {
2669                         DEBUG(0,("set_canon_ace_list: Failed to get permset on entry %d. (%s)\n",
2670                                 i, strerror(errno) ));
2671                         goto fail;
2672                 }
2673
2674                 if (map_acl_perms_to_permset(conn, p_ace->perms, &the_permset) == -1) {
2675                         DEBUG(0,("set_canon_ace_list: Failed to create permset for mode (%u) on entry %d. (%s)\n",
2676                                 (unsigned int)p_ace->perms, i, strerror(errno) ));
2677                         goto fail;
2678                 }
2679
2680                 /*
2681                  * ..and apply them to the entry.
2682                  */
2683
2684                 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, the_entry, the_permset) == -1) {
2685                         DEBUG(0,("set_canon_ace_list: Failed to add permset on entry %d. (%s)\n",
2686                                 i, strerror(errno) ));
2687                         goto fail;
2688                 }
2689
2690                 if( DEBUGLVL( 10 ))
2691                         print_canon_ace( p_ace, i);
2692
2693         }
2694
2695         if (needs_mask && !got_mask_entry) {
2696                 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &mask_entry) == -1) {
2697                         DEBUG(0,("set_canon_ace_list: Failed to create mask entry. (%s)\n", strerror(errno) ));
2698                         goto fail;
2699                 }
2700
2701                 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, mask_entry, SMB_ACL_MASK) == -1) {
2702                         DEBUG(0,("set_canon_ace_list: Failed to set tag type on mask entry. (%s)\n",strerror(errno) ));
2703                         goto fail;
2704                 }
2705
2706                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, mask_entry, &mask_permset) == -1) {
2707                         DEBUG(0,("set_canon_ace_list: Failed to get mask permset. (%s)\n", strerror(errno) ));
2708                         goto fail;
2709                 }
2710
2711                 if (map_acl_perms_to_permset(conn, S_IRUSR|S_IWUSR|S_IXUSR, &mask_permset) == -1) {
2712                         DEBUG(0,("set_canon_ace_list: Failed to create mask permset. (%s)\n", strerror(errno) ));
2713                         goto fail;
2714                 }
2715
2716                 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, mask_entry, mask_permset) == -1) {
2717                         DEBUG(0,("set_canon_ace_list: Failed to add mask permset. (%s)\n", strerror(errno) ));
2718                         goto fail;
2719                 }
2720         }
2721
2722         /*
2723          * Finally apply it to the file or directory.
2724          */
2725
2726         if(default_ace || fsp->is_directory || fsp->fh->fd == -1) {
2727                 if (SMB_VFS_SYS_ACL_SET_FILE(conn, fsp->fsp_name, the_acl_type, the_acl) == -1) {
2728                         /*
2729                          * Some systems allow all the above calls and only fail with no ACL support
2730                          * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
2731                          */
2732                         if (no_acl_syscall_error(errno)) {
2733                                 *pacl_set_support = False;
2734                         }
2735
2736                         if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {
2737                                 int sret;
2738
2739                                 DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
2740                                         fsp->fsp_name ));
2741
2742                                 become_root();
2743                                 sret = SMB_VFS_SYS_ACL_SET_FILE(conn, fsp->fsp_name, the_acl_type, the_acl);
2744                                 unbecome_root();
2745                                 if (sret == 0) {
2746                                         ret = True;     
2747                                 }
2748                         }
2749
2750                         if (ret == False) {
2751                                 DEBUG(2,("set_canon_ace_list: sys_acl_set_file type %s failed for file %s (%s).\n",
2752                                                 the_acl_type == SMB_ACL_TYPE_DEFAULT ? "directory default" : "file",
2753                                                 fsp->fsp_name, strerror(errno) ));
2754                                 goto fail;
2755                         }
2756                 }
2757         } else {
2758                 if (SMB_VFS_SYS_ACL_SET_FD(fsp, the_acl) == -1) {
2759                         /*
2760                          * Some systems allow all the above calls and only fail with no ACL support
2761                          * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
2762                          */
2763                         if (no_acl_syscall_error(errno)) {
2764                                 *pacl_set_support = False;
2765                         }
2766
2767                         if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {
2768                                 int sret;
2769
2770                                 DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
2771                                         fsp->fsp_name ));
2772
2773                                 become_root();
2774                                 sret = SMB_VFS_SYS_ACL_SET_FD(fsp, the_acl);
2775                                 unbecome_root();
2776                                 if (sret == 0) {
2777                                         ret = True;
2778                                 }
2779                         }
2780
2781                         if (ret == False) {
2782                                 DEBUG(2,("set_canon_ace_list: sys_acl_set_file failed for file %s (%s).\n",
2783                                                 fsp->fsp_name, strerror(errno) ));
2784                                 goto fail;
2785                         }
2786                 }
2787         }
2788
2789         ret = True;
2790
2791   fail:
2792
2793         if (the_acl != NULL) {
2794                 SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
2795         }
2796
2797         return ret;
2798 }
2799
2800 /****************************************************************************
2801  Find a particular canon_ace entry.
2802 ****************************************************************************/
2803
2804 static struct canon_ace *canon_ace_entry_for(struct canon_ace *list, SMB_ACL_TAG_T type, posix_id *id)
2805 {
2806         while (list) {
2807                 if (list->type == type && ((type != SMB_ACL_USER && type != SMB_ACL_GROUP) ||
2808                                 (type == SMB_ACL_USER  && id && id->uid == list->unix_ug.uid) ||
2809                                 (type == SMB_ACL_GROUP && id && id->gid == list->unix_ug.gid)))
2810                         break;
2811                 list = list->next;
2812         }
2813         return list;
2814 }
2815
2816 /****************************************************************************
2817  
2818 ****************************************************************************/
2819
2820 SMB_ACL_T free_empty_sys_acl(connection_struct *conn, SMB_ACL_T the_acl)
2821 {
2822         SMB_ACL_ENTRY_T entry;
2823
2824         if (!the_acl)
2825                 return NULL;
2826         if (SMB_VFS_SYS_ACL_GET_ENTRY(conn, the_acl, SMB_ACL_FIRST_ENTRY, &entry) != 1) {
2827                 SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
2828                 return NULL;
2829         }
2830         return the_acl;
2831 }
2832
2833 /****************************************************************************
2834  Convert a canon_ace to a generic 3 element permission - if possible.
2835 ****************************************************************************/
2836
2837 #define MAP_PERM(p,mask,result) (((p) & (mask)) ? (result) : 0 )
2838
2839 static bool convert_canon_ace_to_posix_perms( files_struct *fsp, canon_ace *file_ace_list, mode_t *posix_perms)
2840 {
2841         int snum = SNUM(fsp->conn);
2842         size_t ace_count = count_canon_ace_list(file_ace_list);
2843         canon_ace *ace_p;
2844         canon_ace *owner_ace = NULL;
2845         canon_ace *group_ace = NULL;
2846         canon_ace *other_ace = NULL;
2847         mode_t and_bits;
2848         mode_t or_bits;
2849
2850         if (ace_count != 3) {
2851                 DEBUG(3,("convert_canon_ace_to_posix_perms: Too many ACE entries for file %s to convert to \
2852 posix perms.\n", fsp->fsp_name ));
2853                 return False;
2854         }
2855
2856         for (ace_p = file_ace_list; ace_p; ace_p = ace_p->next) {
2857                 if (ace_p->owner_type == UID_ACE)
2858                         owner_ace = ace_p;
2859                 else if (ace_p->owner_type == GID_ACE)
2860                         group_ace = ace_p;
2861                 else if (ace_p->owner_type == WORLD_ACE)
2862                         other_ace = ace_p;
2863         }
2864
2865         if (!owner_ace || !group_ace || !other_ace) {
2866                 DEBUG(3,("convert_canon_ace_to_posix_perms: Can't get standard entries for file %s.\n",
2867                                 fsp->fsp_name ));
2868                 return False;
2869         }
2870
2871         *posix_perms = (mode_t)0;
2872
2873         *posix_perms |= owner_ace->perms;
2874         *posix_perms |= MAP_PERM(group_ace->perms, S_IRUSR, S_IRGRP);
2875         *posix_perms |= MAP_PERM(group_ace->perms, S_IWUSR, S_IWGRP);
2876         *posix_perms |= MAP_PERM(group_ace->perms, S_IXUSR, S_IXGRP);
2877         *posix_perms |= MAP_PERM(other_ace->perms, S_IRUSR, S_IROTH);
2878         *posix_perms |= MAP_PERM(other_ace->perms, S_IWUSR, S_IWOTH);
2879         *posix_perms |= MAP_PERM(other_ace->perms, S_IXUSR, S_IXOTH);
2880
2881         /* The owner must have at least read access. */
2882
2883         *posix_perms |= S_IRUSR;
2884         if (fsp->is_directory)
2885                 *posix_perms |= (S_IWUSR|S_IXUSR);
2886
2887         /* If requested apply the masks. */
2888
2889         /* Get the initial bits to apply. */
2890
2891         if (fsp->is_directory) {
2892                 and_bits = lp_dir_security_mask(snum);
2893                 or_bits = lp_force_dir_security_mode(snum);
2894         } else {
2895                 and_bits = lp_security_mask(snum);
2896                 or_bits = lp_force_security_mode(snum);
2897         }
2898
2899         *posix_perms = (((*posix_perms) & and_bits)|or_bits);
2900
2901         DEBUG(10,("convert_canon_ace_to_posix_perms: converted u=%o,g=%o,w=%o to perm=0%o for file %s.\n",
2902                 (int)owner_ace->perms, (int)group_ace->perms, (int)other_ace->perms, (int)*posix_perms,
2903                 fsp->fsp_name ));
2904
2905         return True;
2906 }
2907
2908 /****************************************************************************
2909   Incoming NT ACLs on a directory can be split into a default POSIX acl (CI|OI|IO) and
2910   a normal POSIX acl. Win2k needs these split acls re-merging into one ACL
2911   with CI|OI set so it is inherited and also applies to the directory.
2912   Based on code from "Jim McDonough" <jmcd@us.ibm.com>.
2913 ****************************************************************************/
2914
2915 static size_t merge_default_aces( SEC_ACE *nt_ace_list, size_t num_aces)
2916 {
2917         size_t i, j;
2918
2919         for (i = 0; i < num_aces; i++) {
2920                 for (j = i+1; j < num_aces; j++) {
2921                         uint32 i_flags_ni = (nt_ace_list[i].flags & ~SEC_ACE_FLAG_INHERITED_ACE);
2922                         uint32 j_flags_ni = (nt_ace_list[j].flags & ~SEC_ACE_FLAG_INHERITED_ACE);
2923                         bool i_inh = (nt_ace_list[i].flags & SEC_ACE_FLAG_INHERITED_ACE) ? True : False;
2924                         bool j_inh = (nt_ace_list[j].flags & SEC_ACE_FLAG_INHERITED_ACE) ? True : False;
2925
2926                         /* We know the lower number ACE's are file entries. */
2927                         if ((nt_ace_list[i].type == nt_ace_list[j].type) &&
2928                                 (nt_ace_list[i].size == nt_ace_list[j].size) &&
2929                                 (nt_ace_list[i].access_mask == nt_ace_list[j].access_mask) &&
2930                                 sid_equal(&nt_ace_list[i].trustee, &nt_ace_list[j].trustee) &&
2931                                 (i_inh == j_inh) &&
2932                                 (i_flags_ni == 0) &&
2933                                 (j_flags_ni == (SEC_ACE_FLAG_OBJECT_INHERIT|
2934                                                   SEC_ACE_FLAG_CONTAINER_INHERIT|
2935                                                   SEC_ACE_FLAG_INHERIT_ONLY))) {
2936                                 /*
2937                                  * W2K wants to have access allowed zero access ACE's
2938                                  * at the end of the list. If the mask is zero, merge
2939                                  * the non-inherited ACE onto the inherited ACE.
2940                                  */
2941
2942                                 if (nt_ace_list[i].access_mask == 0) {
2943                                         nt_ace_list[j].flags = SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
2944                                                                 (i_inh ? SEC_ACE_FLAG_INHERITED_ACE : 0);
2945                                         if (num_aces - i - 1 > 0)
2946                                                 memmove(&nt_ace_list[i], &nt_ace_list[i+1], (num_aces-i-1) *
2947                                                                 sizeof(SEC_ACE));
2948
2949                                         DEBUG(10,("merge_default_aces: Merging zero access ACE %u onto ACE %u.\n",
2950                                                 (unsigned int)i, (unsigned int)j ));
2951                                 } else {
2952                                         /*
2953                                          * These are identical except for the flags.
2954                                          * Merge the inherited ACE onto the non-inherited ACE.
2955                                          */
2956
2957                                         nt_ace_list[i].flags = SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
2958                                                                 (i_inh ? SEC_ACE_FLAG_INHERITED_ACE : 0);
2959                                         if (num_aces - j - 1 > 0)
2960                                                 memmove(&nt_ace_list[j], &nt_ace_list[j+1], (num_aces-j-1) *
2961                                                                 sizeof(SEC_ACE));
2962
2963                                         DEBUG(10,("merge_default_aces: Merging ACE %u onto ACE %u.\n",
2964                                                 (unsigned int)j, (unsigned int)i ));
2965                                 }
2966                                 num_aces--;
2967                                 break;
2968                         }
2969                 }
2970         }
2971
2972         return num_aces;
2973 }
2974
2975 /****************************************************************************
2976  Reply to query a security descriptor from an fsp. If it succeeds it allocates
2977  the space for the return elements and returns the size needed to return the
2978  security descriptor. This should be the only external function needed for
2979  the UNIX style get ACL.
2980 ****************************************************************************/
2981
2982 static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
2983                                       const char *name,
2984                                       const SMB_STRUCT_STAT *sbuf,
2985                                       struct pai_val *pal,
2986                                       SMB_ACL_T posix_acl,
2987                                       SMB_ACL_T def_acl,
2988                                       uint32_t security_info,
2989                                       SEC_DESC **ppdesc)
2990 {
2991         DOM_SID owner_sid;
2992         DOM_SID group_sid;
2993         size_t sd_size = 0;
2994         SEC_ACL *psa = NULL;
2995         size_t num_acls = 0;
2996         size_t num_def_acls = 0;
2997         size_t num_aces = 0;
2998         canon_ace *file_ace = NULL;
2999         canon_ace *dir_ace = NULL;
3000         SEC_ACE *nt_ace_list = NULL;
3001         size_t num_profile_acls = 0;
3002         SEC_DESC *psd = NULL;
3003
3004         /*
3005          * Get the owner, group and world SIDs.
3006          */
3007
3008         if (lp_profile_acls(SNUM(conn))) {
3009                 /* For WXP SP1 the owner must be administrators. */
3010                 sid_copy(&owner_sid, &global_sid_Builtin_Administrators);
3011                 sid_copy(&group_sid, &global_sid_Builtin_Users);
3012                 num_profile_acls = 2;
3013         } else {
3014                 create_file_sids(sbuf, &owner_sid, &group_sid);
3015         }
3016
3017         if ((security_info & DACL_SECURITY_INFORMATION) && !(security_info & PROTECTED_DACL_SECURITY_INFORMATION)) {
3018
3019                 /*
3020                  * In the optimum case Creator Owner and Creator Group would be used for
3021                  * the ACL_USER_OBJ and ACL_GROUP_OBJ entries, respectively, but this
3022                  * would lead to usability problems under Windows: The Creator entries
3023                  * are only available in browse lists of directories and not for files;
3024                  * additionally the identity of the owning group couldn't be determined.
3025                  * We therefore use those identities only for Default ACLs. 
3026                  */
3027
3028                 /* Create the canon_ace lists. */
3029                 file_ace = canonicalise_acl(conn, name, posix_acl, sbuf,
3030                                             &owner_sid, &group_sid, pal,
3031                                             SMB_ACL_TYPE_ACCESS);
3032
3033                 /* We must have *some* ACLS. */
3034         
3035                 if (count_canon_ace_list(file_ace) == 0) {
3036                         DEBUG(0,("get_nt_acl : No ACLs on file (%s) !\n", name));
3037                         goto done;
3038                 }
3039
3040                 if (S_ISDIR(sbuf->st_mode) && def_acl) {
3041                         dir_ace = canonicalise_acl(conn, name, def_acl,
3042                                                    sbuf,
3043                                                    &global_sid_Creator_Owner,
3044                                                    &global_sid_Creator_Group,
3045                                                    pal, SMB_ACL_TYPE_DEFAULT);
3046                 }
3047
3048                 /*
3049                  * Create the NT ACE list from the canonical ace lists.
3050                  */
3051
3052                 {
3053                         canon_ace *ace;
3054                         enum security_ace_type nt_acl_type;
3055
3056                         if (nt4_compatible_acls() && dir_ace) {
3057                                 /*
3058                                  * NT 4 chokes if an ACL contains an INHERIT_ONLY entry
3059                                  * but no non-INHERIT_ONLY entry for one SID. So we only
3060                                  * remove entries from the Access ACL if the
3061                                  * corresponding Default ACL entries have also been
3062                                  * removed. ACEs for CREATOR-OWNER and CREATOR-GROUP
3063                                  * are exceptions. We can do nothing
3064                                  * intelligent if the Default ACL contains entries that
3065                                  * are not also contained in the Access ACL, so this
3066                                  * case will still fail under NT 4.
3067                                  */
3068
3069                                 ace = canon_ace_entry_for(dir_ace, SMB_ACL_OTHER, NULL);
3070                                 if (ace && !ace->perms) {
3071                                         DLIST_REMOVE(dir_ace, ace);
3072                                         SAFE_FREE(ace);
3073
3074                                         ace = canon_ace_entry_for(file_ace, SMB_ACL_OTHER, NULL);
3075                                         if (ace && !ace->perms) {
3076                                                 DLIST_REMOVE(file_ace, ace);
3077                                                 SAFE_FREE(ace);
3078                                         }
3079                                 }
3080
3081                                 /*
3082