r23663: Fix bug #4308 - Excel save operation corrupts file ACLs.
[ira/wip.git] / source3 / smbd / posix_acls.c
1 /*
2    Unix SMB/CIFS implementation.
3    SMB NT Security Descriptor / Unix permission conversion.
4    Copyright (C) Jeremy Allison 1994-2000.
5    Copyright (C) Andreas Gruenbacher 2002.
6
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License as published by
9    the Free Software Foundation; either version 2 of the License, or
10    (at your option) any later version.
11
12    This program is distributed in the hope that it will be useful,
13    but WITHOUT ANY WARRANTY; without even the implied warranty of
14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15    GNU General Public License for more details.
16
17    You should have received a copy of the GNU General Public License
18    along with this program; if not, write to the Free Software
19    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
20 */
21
22 #include "includes.h"
23
24 extern struct current_user current_user;
25 extern struct generic_mapping file_generic_mapping;
26
27 #undef  DBGC_CLASS
28 #define DBGC_CLASS DBGC_ACLS
29
30 /****************************************************************************
31  Data structures representing the internal ACE format.
32 ****************************************************************************/
33
34 enum ace_owner {UID_ACE, GID_ACE, WORLD_ACE};
35 enum ace_attribute {ALLOW_ACE, DENY_ACE}; /* Used for incoming NT ACLS. */
36
37 typedef union posix_id {
38                 uid_t uid;
39                 gid_t gid;
40                 int world;
41 } posix_id;
42
43 typedef struct canon_ace {
44         struct canon_ace *next, *prev;
45         SMB_ACL_TAG_T type;
46         mode_t perms; /* Only use S_I(R|W|X)USR mode bits here. */
47         DOM_SID trustee;
48         enum ace_owner owner_type;
49         enum ace_attribute attr;
50         posix_id unix_ug;
51         BOOL inherited;
52 } canon_ace;
53
54 #define ALL_ACE_PERMS (S_IRUSR|S_IWUSR|S_IXUSR)
55
56 /*
57  * EA format of user.SAMBA_PAI (Samba_Posix_Acl_Interitance)
58  * attribute on disk.
59  *
60  * |  1   |  1   |   2         |         2           |  .... 
61  * +------+------+-------------+---------------------+-------------+--------------------+
62  * | vers | flag | num_entries | num_default_entries | ..entries.. | default_entries... |
63  * +------+------+-------------+---------------------+-------------+--------------------+
64  */
65
66 #define PAI_VERSION_OFFSET      0
67 #define PAI_FLAG_OFFSET         1
68 #define PAI_NUM_ENTRIES_OFFSET  2
69 #define PAI_NUM_DEFAULT_ENTRIES_OFFSET  4
70 #define PAI_ENTRIES_BASE        6
71
72 #define PAI_VERSION             1
73 #define PAI_ACL_FLAG_PROTECTED  0x1
74 #define PAI_ENTRY_LENGTH        5
75
76 /*
77  * In memory format of user.SAMBA_PAI attribute.
78  */
79
80 struct pai_entry {
81         struct pai_entry *next, *prev;
82         enum ace_owner owner_type;
83         posix_id unix_ug; 
84 };
85         
86 struct pai_val {
87         BOOL pai_protected;
88         unsigned int num_entries;
89         struct pai_entry *entry_list;
90         unsigned int num_def_entries;
91         struct pai_entry *def_entry_list;
92 };
93
94 /************************************************************************
95  Return a uint32 of the pai_entry principal.
96 ************************************************************************/
97
98 static uint32 get_pai_entry_val(struct pai_entry *paie)
99 {
100         switch (paie->owner_type) {
101                 case UID_ACE:
102                         DEBUG(10,("get_pai_entry_val: uid = %u\n", (unsigned int)paie->unix_ug.uid ));
103                         return (uint32)paie->unix_ug.uid;
104                 case GID_ACE:
105                         DEBUG(10,("get_pai_entry_val: gid = %u\n", (unsigned int)paie->unix_ug.gid ));
106                         return (uint32)paie->unix_ug.gid;
107                 case WORLD_ACE:
108                 default:
109                         DEBUG(10,("get_pai_entry_val: world ace\n"));
110                         return (uint32)-1;
111         }
112 }
113
114 /************************************************************************
115  Return a uint32 of the entry principal.
116 ************************************************************************/
117
118 static uint32 get_entry_val(canon_ace *ace_entry)
119 {
120         switch (ace_entry->owner_type) {
121                 case UID_ACE:
122                         DEBUG(10,("get_entry_val: uid = %u\n", (unsigned int)ace_entry->unix_ug.uid ));
123                         return (uint32)ace_entry->unix_ug.uid;
124                 case GID_ACE:
125                         DEBUG(10,("get_entry_val: gid = %u\n", (unsigned int)ace_entry->unix_ug.gid ));
126                         return (uint32)ace_entry->unix_ug.gid;
127                 case WORLD_ACE:
128                 default:
129                         DEBUG(10,("get_entry_val: world ace\n"));
130                         return (uint32)-1;
131         }
132 }
133
134 /************************************************************************
135  Count the inherited entries.
136 ************************************************************************/
137
138 static unsigned int num_inherited_entries(canon_ace *ace_list)
139 {
140         unsigned int num_entries = 0;
141
142         for (; ace_list; ace_list = ace_list->next)
143                 if (ace_list->inherited)
144                         num_entries++;
145         return num_entries;
146 }
147
148 /************************************************************************
149  Create the on-disk format. Caller must free.
150 ************************************************************************/
151
152 static char *create_pai_buf(canon_ace *file_ace_list, canon_ace *dir_ace_list, BOOL pai_protected, size_t *store_size)
153 {
154         char *pai_buf = NULL;
155         canon_ace *ace_list = NULL;
156         char *entry_offset = NULL;
157         unsigned int num_entries = 0;
158         unsigned int num_def_entries = 0;
159
160         for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next)
161                 if (ace_list->inherited)
162                         num_entries++;
163
164         for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next)
165                 if (ace_list->inherited)
166                         num_def_entries++;
167
168         DEBUG(10,("create_pai_buf: num_entries = %u, num_def_entries = %u\n", num_entries, num_def_entries ));
169
170         *store_size = PAI_ENTRIES_BASE + ((num_entries + num_def_entries)*PAI_ENTRY_LENGTH);
171
172         pai_buf = (char *)SMB_MALLOC(*store_size);
173         if (!pai_buf) {
174                 return NULL;
175         }
176
177         /* Set up the header. */
178         memset(pai_buf, '\0', PAI_ENTRIES_BASE);
179         SCVAL(pai_buf,PAI_VERSION_OFFSET,PAI_VERSION);
180         SCVAL(pai_buf,PAI_FLAG_OFFSET,(pai_protected ? PAI_ACL_FLAG_PROTECTED : 0));
181         SSVAL(pai_buf,PAI_NUM_ENTRIES_OFFSET,num_entries);
182         SSVAL(pai_buf,PAI_NUM_DEFAULT_ENTRIES_OFFSET,num_def_entries);
183
184         entry_offset = pai_buf + PAI_ENTRIES_BASE;
185
186         for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next) {
187                 if (ace_list->inherited) {
188                         uint8 type_val = (unsigned char)ace_list->owner_type;
189                         uint32 entry_val = get_entry_val(ace_list);
190
191                         SCVAL(entry_offset,0,type_val);
192                         SIVAL(entry_offset,1,entry_val);
193                         entry_offset += PAI_ENTRY_LENGTH;
194                 }
195         }
196
197         for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next) {
198                 if (ace_list->inherited) {
199                         uint8 type_val = (unsigned char)ace_list->owner_type;
200                         uint32 entry_val = get_entry_val(ace_list);
201
202                         SCVAL(entry_offset,0,type_val);
203                         SIVAL(entry_offset,1,entry_val);
204                         entry_offset += PAI_ENTRY_LENGTH;
205                 }
206         }
207
208         return pai_buf;
209 }
210
211 /************************************************************************
212  Store the user.SAMBA_PAI attribute on disk.
213 ************************************************************************/
214
215 static void store_inheritance_attributes(files_struct *fsp, canon_ace *file_ace_list,
216                                         canon_ace *dir_ace_list, BOOL pai_protected)
217 {
218         int ret;
219         size_t store_size;
220         char *pai_buf;
221
222         if (!lp_map_acl_inherit(SNUM(fsp->conn)))
223                 return;
224
225         /*
226          * Don't store if this ACL isn't protected and
227          * none of the entries in it are marked as inherited.
228          */
229
230         if (!pai_protected && num_inherited_entries(file_ace_list) == 0 && num_inherited_entries(dir_ace_list) == 0) {
231                 /* Instead just remove the attribute if it exists. */
232                 if (fsp->fh->fd != -1)
233                         SMB_VFS_FREMOVEXATTR(fsp, fsp->fh->fd, SAMBA_POSIX_INHERITANCE_EA_NAME);
234                 else
235                         SMB_VFS_REMOVEXATTR(fsp->conn, fsp->fsp_name, SAMBA_POSIX_INHERITANCE_EA_NAME);
236                 return;
237         }
238
239         pai_buf = create_pai_buf(file_ace_list, dir_ace_list, pai_protected, &store_size);
240
241         if (fsp->fh->fd != -1)
242                 ret = SMB_VFS_FSETXATTR(fsp, fsp->fh->fd, SAMBA_POSIX_INHERITANCE_EA_NAME,
243                                 pai_buf, store_size, 0);
244         else
245                 ret = SMB_VFS_SETXATTR(fsp->conn,fsp->fsp_name, SAMBA_POSIX_INHERITANCE_EA_NAME,
246                                 pai_buf, store_size, 0);
247
248         SAFE_FREE(pai_buf);
249
250         DEBUG(10,("store_inheritance_attribute:%s for file %s\n", pai_protected ? " (protected)" : "", fsp->fsp_name));
251         if (ret == -1 && !no_acl_syscall_error(errno))
252                 DEBUG(1,("store_inheritance_attribute: Error %s\n", strerror(errno) ));
253 }
254
255 /************************************************************************
256  Delete the in memory inheritance info.
257 ************************************************************************/
258
259 static void free_inherited_info(struct pai_val *pal)
260 {
261         if (pal) {
262                 struct pai_entry *paie, *paie_next;
263                 for (paie = pal->entry_list; paie; paie = paie_next) {
264                         paie_next = paie->next;
265                         SAFE_FREE(paie);
266                 }
267                 for (paie = pal->def_entry_list; paie; paie = paie_next) {
268                         paie_next = paie->next;
269                         SAFE_FREE(paie);
270                 }
271                 SAFE_FREE(pal);
272         }
273 }
274
275 /************************************************************************
276  Was this ACL protected ?
277 ************************************************************************/
278
279 static BOOL get_protected_flag(struct pai_val *pal)
280 {
281         if (!pal)
282                 return False;
283         return pal->pai_protected;
284 }
285
286 /************************************************************************
287  Was this ACE inherited ?
288 ************************************************************************/
289
290 static BOOL get_inherited_flag(struct pai_val *pal, canon_ace *ace_entry, BOOL default_ace)
291 {
292         struct pai_entry *paie;
293
294         if (!pal)
295                 return False;
296
297         /* If the entry exists it is inherited. */
298         for (paie = (default_ace ? pal->def_entry_list : pal->entry_list); paie; paie = paie->next) {
299                 if (ace_entry->owner_type == paie->owner_type &&
300                                 get_entry_val(ace_entry) == get_pai_entry_val(paie))
301                         return True;
302         }
303         return False;
304 }
305
306 /************************************************************************
307  Ensure an attribute just read is valid.
308 ************************************************************************/
309
310 static BOOL check_pai_ok(char *pai_buf, size_t pai_buf_data_size)
311 {
312         uint16 num_entries;
313         uint16 num_def_entries;
314
315         if (pai_buf_data_size < PAI_ENTRIES_BASE) {
316                 /* Corrupted - too small. */
317                 return False;
318         }
319
320         if (CVAL(pai_buf,PAI_VERSION_OFFSET) != PAI_VERSION)
321                 return False;
322
323         num_entries = SVAL(pai_buf,PAI_NUM_ENTRIES_OFFSET);
324         num_def_entries = SVAL(pai_buf,PAI_NUM_DEFAULT_ENTRIES_OFFSET);
325
326         /* Check the entry lists match. */
327         /* Each entry is 5 bytes (type plus 4 bytes of uid or gid). */
328
329         if (((num_entries + num_def_entries)*PAI_ENTRY_LENGTH) + PAI_ENTRIES_BASE != pai_buf_data_size)
330                 return False;
331
332         return True;
333 }
334
335
336 /************************************************************************
337  Convert to in-memory format.
338 ************************************************************************/
339
340 static struct pai_val *create_pai_val(char *buf, size_t size)
341 {
342         char *entry_offset;
343         struct pai_val *paiv = NULL;
344         int i;
345
346         if (!check_pai_ok(buf, size))
347                 return NULL;
348
349         paiv = SMB_MALLOC_P(struct pai_val);
350         if (!paiv)
351                 return NULL;
352
353         memset(paiv, '\0', sizeof(struct pai_val));
354
355         paiv->pai_protected = (CVAL(buf,PAI_FLAG_OFFSET) == PAI_ACL_FLAG_PROTECTED);
356
357         paiv->num_entries = SVAL(buf,PAI_NUM_ENTRIES_OFFSET);
358         paiv->num_def_entries = SVAL(buf,PAI_NUM_DEFAULT_ENTRIES_OFFSET);
359
360         entry_offset = buf + PAI_ENTRIES_BASE;
361
362         DEBUG(10,("create_pai_val:%s num_entries = %u, num_def_entries = %u\n",
363                         paiv->pai_protected ? " (pai_protected)" : "", paiv->num_entries, paiv->num_def_entries ));
364
365         for (i = 0; i < paiv->num_entries; i++) {
366                 struct pai_entry *paie;
367
368                 paie = SMB_MALLOC_P(struct pai_entry);
369                 if (!paie) {
370                         free_inherited_info(paiv);
371                         return NULL;
372                 }
373
374                 paie->owner_type = (enum ace_owner)CVAL(entry_offset,0);
375                 switch( paie->owner_type) {
376                         case UID_ACE:
377                                 paie->unix_ug.uid = (uid_t)IVAL(entry_offset,1);
378                                 DEBUG(10,("create_pai_val: uid = %u\n", (unsigned int)paie->unix_ug.uid ));
379                                 break;
380                         case GID_ACE:
381                                 paie->unix_ug.gid = (gid_t)IVAL(entry_offset,1);
382                                 DEBUG(10,("create_pai_val: gid = %u\n", (unsigned int)paie->unix_ug.gid ));
383                                 break;
384                         case WORLD_ACE:
385                                 paie->unix_ug.world = -1;
386                                 DEBUG(10,("create_pai_val: world ace\n"));
387                                 break;
388                         default:
389                                 free_inherited_info(paiv);
390                                 return NULL;
391                 }
392                 entry_offset += PAI_ENTRY_LENGTH;
393                 DLIST_ADD(paiv->entry_list, paie);
394         }
395
396         for (i = 0; i < paiv->num_def_entries; i++) {
397                 struct pai_entry *paie;
398
399                 paie = SMB_MALLOC_P(struct pai_entry);
400                 if (!paie) {
401                         free_inherited_info(paiv);
402                         return NULL;
403                 }
404
405                 paie->owner_type = (enum ace_owner)CVAL(entry_offset,0);
406                 switch( paie->owner_type) {
407                         case UID_ACE:
408                                 paie->unix_ug.uid = (uid_t)IVAL(entry_offset,1);
409                                 DEBUG(10,("create_pai_val: (def) uid = %u\n", (unsigned int)paie->unix_ug.uid ));
410                                 break;
411                         case GID_ACE:
412                                 paie->unix_ug.gid = (gid_t)IVAL(entry_offset,1);
413                                 DEBUG(10,("create_pai_val: (def) gid = %u\n", (unsigned int)paie->unix_ug.gid ));
414                                 break;
415                         case WORLD_ACE:
416                                 paie->unix_ug.world = -1;
417                                 DEBUG(10,("create_pai_val: (def) world ace\n"));
418                                 break;
419                         default:
420                                 free_inherited_info(paiv);
421                                 return NULL;
422                 }
423                 entry_offset += PAI_ENTRY_LENGTH;
424                 DLIST_ADD(paiv->def_entry_list, paie);
425         }
426
427         return paiv;
428 }
429
430 /************************************************************************
431  Load the user.SAMBA_PAI attribute.
432 ************************************************************************/
433
434 static struct pai_val *load_inherited_info(files_struct *fsp)
435 {
436         char *pai_buf;
437         size_t pai_buf_size = 1024;
438         struct pai_val *paiv = NULL;
439         ssize_t ret;
440
441         if (!lp_map_acl_inherit(SNUM(fsp->conn)))
442                 return NULL;
443
444         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL)
445                 return NULL;
446
447         do {
448                 if (fsp->fh->fd != -1)
449                         ret = SMB_VFS_FGETXATTR(fsp, fsp->fh->fd, SAMBA_POSIX_INHERITANCE_EA_NAME,
450                                         pai_buf, pai_buf_size);
451                 else
452                         ret = SMB_VFS_GETXATTR(fsp->conn,fsp->fsp_name,SAMBA_POSIX_INHERITANCE_EA_NAME,
453                                         pai_buf, pai_buf_size);
454
455                 if (ret == -1) {
456                         if (errno != ERANGE) {
457                                 break;
458                         }
459                         /* Buffer too small - enlarge it. */
460                         pai_buf_size *= 2;
461                         SAFE_FREE(pai_buf);
462                         if (pai_buf_size > 1024*1024) {
463                                 return NULL; /* Limit malloc to 1mb. */
464                         }
465                         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL)
466                                 return NULL;
467                 }
468         } while (ret == -1);
469
470         DEBUG(10,("load_inherited_info: ret = %lu for file %s\n", (unsigned long)ret, fsp->fsp_name));
471
472         if (ret == -1) {
473                 /* No attribute or not supported. */
474 #if defined(ENOATTR)
475                 if (errno != ENOATTR)
476                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
477 #else
478                 if (errno != ENOSYS)
479                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
480 #endif
481                 SAFE_FREE(pai_buf);
482                 return NULL;
483         }
484
485         paiv = create_pai_val(pai_buf, ret);
486
487         if (paiv && paiv->pai_protected)
488                 DEBUG(10,("load_inherited_info: ACL is protected for file %s\n", fsp->fsp_name));
489
490         SAFE_FREE(pai_buf);
491         return paiv;
492 }
493
494 /****************************************************************************
495  Functions to manipulate the internal ACE format.
496 ****************************************************************************/
497
498 /****************************************************************************
499  Count a linked list of canonical ACE entries.
500 ****************************************************************************/
501
502 static size_t count_canon_ace_list( canon_ace *list_head )
503 {
504         size_t count = 0;
505         canon_ace *ace;
506
507         for (ace = list_head; ace; ace = ace->next)
508                 count++;
509
510         return count;
511 }
512
513 /****************************************************************************
514  Free a linked list of canonical ACE entries.
515 ****************************************************************************/
516
517 static void free_canon_ace_list( canon_ace *list_head )
518 {
519         canon_ace *list, *next;
520
521         for (list = list_head; list; list = next) {
522                 next = list->next;
523                 DLIST_REMOVE(list_head, list);
524                 SAFE_FREE(list);
525         }
526 }
527
528 /****************************************************************************
529  Function to duplicate a canon_ace entry.
530 ****************************************************************************/
531
532 static canon_ace *dup_canon_ace( canon_ace *src_ace)
533 {
534         canon_ace *dst_ace = SMB_MALLOC_P(canon_ace);
535
536         if (dst_ace == NULL)
537                 return NULL;
538
539         *dst_ace = *src_ace;
540         dst_ace->prev = dst_ace->next = NULL;
541         return dst_ace;
542 }
543
544 /****************************************************************************
545  Print out a canon ace.
546 ****************************************************************************/
547
548 static void print_canon_ace(canon_ace *pace, int num)
549 {
550         fstring str;
551
552         dbgtext( "canon_ace index %d. Type = %s ", num, pace->attr == ALLOW_ACE ? "allow" : "deny" );
553         dbgtext( "SID = %s ", sid_to_string( str, &pace->trustee));
554         if (pace->owner_type == UID_ACE) {
555                 const char *u_name = uidtoname(pace->unix_ug.uid);
556                 dbgtext( "uid %u (%s) ", (unsigned int)pace->unix_ug.uid, u_name );
557         } else if (pace->owner_type == GID_ACE) {
558                 char *g_name = gidtoname(pace->unix_ug.gid);
559                 dbgtext( "gid %u (%s) ", (unsigned int)pace->unix_ug.gid, g_name );
560         } else
561                 dbgtext( "other ");
562         switch (pace->type) {
563                 case SMB_ACL_USER:
564                         dbgtext( "SMB_ACL_USER ");
565                         break;
566                 case SMB_ACL_USER_OBJ:
567                         dbgtext( "SMB_ACL_USER_OBJ ");
568                         break;
569                 case SMB_ACL_GROUP:
570                         dbgtext( "SMB_ACL_GROUP ");
571                         break;
572                 case SMB_ACL_GROUP_OBJ:
573                         dbgtext( "SMB_ACL_GROUP_OBJ ");
574                         break;
575                 case SMB_ACL_OTHER:
576                         dbgtext( "SMB_ACL_OTHER ");
577                         break;
578                 default:
579                         dbgtext( "MASK " );
580                         break;
581         }
582         if (pace->inherited)
583                 dbgtext( "(inherited) ");
584         dbgtext( "perms ");
585         dbgtext( "%c", pace->perms & S_IRUSR ? 'r' : '-');
586         dbgtext( "%c", pace->perms & S_IWUSR ? 'w' : '-');
587         dbgtext( "%c\n", pace->perms & S_IXUSR ? 'x' : '-');
588 }
589
590 /****************************************************************************
591  Print out a canon ace list.
592 ****************************************************************************/
593
594 static void print_canon_ace_list(const char *name, canon_ace *ace_list)
595 {
596         int count = 0;
597
598         if( DEBUGLVL( 10 )) {
599                 dbgtext( "print_canon_ace_list: %s\n", name );
600                 for (;ace_list; ace_list = ace_list->next, count++)
601                         print_canon_ace(ace_list, count );
602         }
603 }
604
605 /****************************************************************************
606  Map POSIX ACL perms to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
607 ****************************************************************************/
608
609 static mode_t convert_permset_to_mode_t(connection_struct *conn, SMB_ACL_PERMSET_T permset)
610 {
611         mode_t ret = 0;
612
613         ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_READ) ? S_IRUSR : 0);
614         ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_WRITE) ? S_IWUSR : 0);
615         ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_EXECUTE) ? S_IXUSR : 0);
616
617         return ret;
618 }
619
620 /****************************************************************************
621  Map generic UNIX permissions to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
622 ****************************************************************************/
623
624 static mode_t unix_perms_to_acl_perms(mode_t mode, int r_mask, int w_mask, int x_mask)
625 {
626         mode_t ret = 0;
627
628         if (mode & r_mask)
629                 ret |= S_IRUSR;
630         if (mode & w_mask)
631                 ret |= S_IWUSR;
632         if (mode & x_mask)
633                 ret |= S_IXUSR;
634
635         return ret;
636 }
637
638 /****************************************************************************
639  Map canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits) to
640  an SMB_ACL_PERMSET_T.
641 ****************************************************************************/
642
643 static int map_acl_perms_to_permset(connection_struct *conn, mode_t mode, SMB_ACL_PERMSET_T *p_permset)
644 {
645         if (SMB_VFS_SYS_ACL_CLEAR_PERMS(conn, *p_permset) ==  -1)
646                 return -1;
647         if (mode & S_IRUSR) {
648                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_READ) == -1)
649                         return -1;
650         }
651         if (mode & S_IWUSR) {
652                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_WRITE) == -1)
653                         return -1;
654         }
655         if (mode & S_IXUSR) {
656                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_EXECUTE) == -1)
657                         return -1;
658         }
659         return 0;
660 }
661
662 /****************************************************************************
663  Function to create owner and group SIDs from a SMB_STRUCT_STAT.
664 ****************************************************************************/
665
666 static void create_file_sids(SMB_STRUCT_STAT *psbuf, DOM_SID *powner_sid, DOM_SID *pgroup_sid)
667 {
668         uid_to_sid( powner_sid, psbuf->st_uid );
669         gid_to_sid( pgroup_sid, psbuf->st_gid );
670 }
671
672 /****************************************************************************
673  Is the identity in two ACEs equal ? Check both SID and uid/gid.
674 ****************************************************************************/
675
676 static BOOL identity_in_ace_equal(canon_ace *ace1, canon_ace *ace2)
677 {
678         if (sid_equal(&ace1->trustee, &ace2->trustee)) {
679                 return True;
680         }
681         if (ace1->owner_type == ace2->owner_type) {
682                 if (ace1->owner_type == UID_ACE &&
683                                 ace1->unix_ug.uid == ace2->unix_ug.uid) {
684                         return True;
685                 } else if (ace1->owner_type == GID_ACE &&
686                                 ace1->unix_ug.gid == ace2->unix_ug.gid) {
687                         return True;
688                 }
689         }
690         return False;
691 }
692
693 /****************************************************************************
694  Merge aces with a common sid - if both are allow or deny, OR the permissions together and
695  delete the second one. If the first is deny, mask the permissions off and delete the allow
696  if the permissions become zero, delete the deny if the permissions are non zero.
697 ****************************************************************************/
698
699 static void merge_aces( canon_ace **pp_list_head )
700 {
701         canon_ace *list_head = *pp_list_head;
702         canon_ace *curr_ace_outer;
703         canon_ace *curr_ace_outer_next;
704
705         /*
706          * First, merge allow entries with identical SIDs, and deny entries
707          * with identical SIDs.
708          */
709
710         for (curr_ace_outer = list_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
711                 canon_ace *curr_ace;
712                 canon_ace *curr_ace_next;
713
714                 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
715
716                 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
717
718                         curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
719
720                         if (identity_in_ace_equal(curr_ace, curr_ace_outer) &&
721                                 (curr_ace->attr == curr_ace_outer->attr)) {
722
723                                 if( DEBUGLVL( 10 )) {
724                                         dbgtext("merge_aces: Merging ACE's\n");
725                                         print_canon_ace( curr_ace_outer, 0);
726                                         print_canon_ace( curr_ace, 0);
727                                 }
728
729                                 /* Merge two allow or two deny ACE's. */
730
731                                 curr_ace_outer->perms |= curr_ace->perms;
732                                 DLIST_REMOVE(list_head, curr_ace);
733                                 SAFE_FREE(curr_ace);
734                                 curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
735                         }
736                 }
737         }
738
739         /*
740          * Now go through and mask off allow permissions with deny permissions.
741          * We can delete either the allow or deny here as we know that each SID
742          * appears only once in the list.
743          */
744
745         for (curr_ace_outer = list_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
746                 canon_ace *curr_ace;
747                 canon_ace *curr_ace_next;
748
749                 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
750
751                 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
752
753                         curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
754
755                         /*
756                          * Subtract ACE's with different entries. Due to the ordering constraints
757                          * we've put on the ACL, we know the deny must be the first one.
758                          */
759
760                         if (identity_in_ace_equal(curr_ace, curr_ace_outer) &&
761                                 (curr_ace_outer->attr == DENY_ACE) && (curr_ace->attr == ALLOW_ACE)) {
762
763                                 if( DEBUGLVL( 10 )) {
764                                         dbgtext("merge_aces: Masking ACE's\n");
765                                         print_canon_ace( curr_ace_outer, 0);
766                                         print_canon_ace( curr_ace, 0);
767                                 }
768
769                                 curr_ace->perms &= ~curr_ace_outer->perms;
770
771                                 if (curr_ace->perms == 0) {
772
773                                         /*
774                                          * The deny overrides the allow. Remove the allow.
775                                          */
776
777                                         DLIST_REMOVE(list_head, curr_ace);
778                                         SAFE_FREE(curr_ace);
779                                         curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
780
781                                 } else {
782
783                                         /*
784                                          * Even after removing permissions, there
785                                          * are still allow permissions - delete the deny.
786                                          * It is safe to delete the deny here,
787                                          * as we are guarenteed by the deny first
788                                          * ordering that all the deny entries for
789                                          * this SID have already been merged into one
790                                          * before we can get to an allow ace.
791                                          */
792
793                                         DLIST_REMOVE(list_head, curr_ace_outer);
794                                         SAFE_FREE(curr_ace_outer);
795                                         break;
796                                 }
797                         }
798
799                 } /* end for curr_ace */
800         } /* end for curr_ace_outer */
801
802         /* We may have modified the list. */
803
804         *pp_list_head = list_head;
805 }
806
807 /****************************************************************************
808  Check if we need to return NT4.x compatible ACL entries.
809 ****************************************************************************/
810
811 static BOOL nt4_compatible_acls(void)
812 {
813         int compat = lp_acl_compatibility();
814
815         if (compat == ACL_COMPAT_AUTO) {
816                 enum remote_arch_types ra_type = get_remote_arch();
817
818                 /* Automatically adapt to client */
819                 return (ra_type <= RA_WINNT);
820         } else
821                 return (compat == ACL_COMPAT_WINNT);
822 }
823
824
825 /****************************************************************************
826  Map canon_ace perms to permission bits NT.
827  The attr element is not used here - we only process deny entries on set,
828  not get. Deny entries are implicit on get with ace->perms = 0.
829 ****************************************************************************/
830
831 static SEC_ACCESS map_canon_ace_perms(int snum,
832                                 int *pacl_type,
833                                 mode_t perms,
834                                 BOOL directory_ace)
835 {
836         SEC_ACCESS sa;
837         uint32 nt_mask = 0;
838
839         *pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED;
840
841         if (lp_acl_map_full_control(snum) && ((perms & ALL_ACE_PERMS) == ALL_ACE_PERMS)) {
842                 if (directory_ace) {
843                         nt_mask = UNIX_DIRECTORY_ACCESS_RWX;
844                 } else {
845                         nt_mask = UNIX_ACCESS_RWX;
846                 }
847         } else if ((perms & ALL_ACE_PERMS) == (mode_t)0) {
848                 /*
849                  * Windows NT refuses to display ACEs with no permissions in them (but
850                  * they are perfectly legal with Windows 2000). If the ACE has empty
851                  * permissions we cannot use 0, so we use the otherwise unused
852                  * WRITE_OWNER permission, which we ignore when we set an ACL.
853                  * We abstract this into a #define of UNIX_ACCESS_NONE to allow this
854                  * to be changed in the future.
855                  */
856
857                 if (nt4_compatible_acls())
858                         nt_mask = UNIX_ACCESS_NONE;
859                 else
860                         nt_mask = 0;
861         } else {
862                 if (directory_ace) {
863                         nt_mask |= ((perms & S_IRUSR) ? UNIX_DIRECTORY_ACCESS_R : 0 );
864                         nt_mask |= ((perms & S_IWUSR) ? UNIX_DIRECTORY_ACCESS_W : 0 );
865                         nt_mask |= ((perms & S_IXUSR) ? UNIX_DIRECTORY_ACCESS_X : 0 );
866                 } else {
867                         nt_mask |= ((perms & S_IRUSR) ? UNIX_ACCESS_R : 0 );
868                         nt_mask |= ((perms & S_IWUSR) ? UNIX_ACCESS_W : 0 );
869                         nt_mask |= ((perms & S_IXUSR) ? UNIX_ACCESS_X : 0 );
870                 }
871         }
872
873         DEBUG(10,("map_canon_ace_perms: Mapped (UNIX) %x to (NT) %x\n",
874                         (unsigned int)perms, (unsigned int)nt_mask ));
875
876         init_sec_access(&sa,nt_mask);
877         return sa;
878 }
879
880 /****************************************************************************
881  Map NT perms to a UNIX mode_t.
882 ****************************************************************************/
883
884 #define FILE_SPECIFIC_READ_BITS (FILE_READ_DATA|FILE_READ_EA|FILE_READ_ATTRIBUTES)
885 #define FILE_SPECIFIC_WRITE_BITS (FILE_WRITE_DATA|FILE_APPEND_DATA|FILE_WRITE_EA|FILE_WRITE_ATTRIBUTES)
886 #define FILE_SPECIFIC_EXECUTE_BITS (FILE_EXECUTE)
887
888 static mode_t map_nt_perms( uint32 *mask, int type)
889 {
890         mode_t mode = 0;
891
892         switch(type) {
893         case S_IRUSR:
894                 if((*mask) & GENERIC_ALL_ACCESS)
895                         mode = S_IRUSR|S_IWUSR|S_IXUSR;
896                 else {
897                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRUSR : 0;
898                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWUSR : 0;
899                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXUSR : 0;
900                 }
901                 break;
902         case S_IRGRP:
903                 if((*mask) & GENERIC_ALL_ACCESS)
904                         mode = S_IRGRP|S_IWGRP|S_IXGRP;
905                 else {
906                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRGRP : 0;
907                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWGRP : 0;
908                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXGRP : 0;
909                 }
910                 break;
911         case S_IROTH:
912                 if((*mask) & GENERIC_ALL_ACCESS)
913                         mode = S_IROTH|S_IWOTH|S_IXOTH;
914                 else {
915                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IROTH : 0;
916                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWOTH : 0;
917                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXOTH : 0;
918                 }
919                 break;
920         }
921
922         return mode;
923 }
924
925 /****************************************************************************
926  Unpack a SEC_DESC into a UNIX owner and group.
927 ****************************************************************************/
928
929 NTSTATUS unpack_nt_owners(int snum, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, SEC_DESC *psd)
930 {
931         DOM_SID owner_sid;
932         DOM_SID grp_sid;
933
934         *puser = (uid_t)-1;
935         *pgrp = (gid_t)-1;
936
937         if(security_info_sent == 0) {
938                 DEBUG(0,("unpack_nt_owners: no security info sent !\n"));
939                 return NT_STATUS_OK;
940         }
941
942         /*
943          * Validate the owner and group SID's.
944          */
945
946         memset(&owner_sid, '\0', sizeof(owner_sid));
947         memset(&grp_sid, '\0', sizeof(grp_sid));
948
949         DEBUG(5,("unpack_nt_owners: validating owner_sids.\n"));
950
951         /*
952          * Don't immediately fail if the owner sid cannot be validated.
953          * This may be a group chown only set.
954          */
955
956         if (security_info_sent & OWNER_SECURITY_INFORMATION) {
957                 sid_copy(&owner_sid, psd->owner_sid);
958                 if (!sid_to_uid(&owner_sid, puser)) {
959                         if (lp_force_unknown_acl_user(snum)) {
960                                 /* this allows take ownership to work
961                                  * reasonably */
962                                 *puser = current_user.ut.uid;
963                         } else {
964                                 DEBUG(3,("unpack_nt_owners: unable to validate"
965                                          " owner sid for %s\n",
966                                          sid_string_static(&owner_sid)));
967                                 return NT_STATUS_INVALID_OWNER;
968                         }
969                 }
970                 DEBUG(3,("unpack_nt_owners: owner sid mapped to uid %u\n",
971                          (unsigned int)*puser ));
972         }
973
974         /*
975          * Don't immediately fail if the group sid cannot be validated.
976          * This may be an owner chown only set.
977          */
978
979         if (security_info_sent & GROUP_SECURITY_INFORMATION) {
980                 sid_copy(&grp_sid, psd->group_sid);
981                 if (!sid_to_gid( &grp_sid, pgrp)) {
982                         if (lp_force_unknown_acl_user(snum)) {
983                                 /* this allows take group ownership to work
984                                  * reasonably */
985                                 *pgrp = current_user.ut.gid;
986                         } else {
987                                 DEBUG(3,("unpack_nt_owners: unable to validate"
988                                          " group sid.\n"));
989                                 return NT_STATUS_INVALID_OWNER;
990                         }
991                 }
992                 DEBUG(3,("unpack_nt_owners: group sid mapped to gid %u\n",
993                          (unsigned int)*pgrp));
994         }
995
996         DEBUG(5,("unpack_nt_owners: owner_sids validated.\n"));
997
998         return NT_STATUS_OK;
999 }
1000
1001 /****************************************************************************
1002  Ensure the enforced permissions for this share apply.
1003 ****************************************************************************/
1004
1005 static void apply_default_perms(files_struct *fsp, canon_ace *pace, mode_t type)
1006 {
1007         int snum = SNUM(fsp->conn);
1008         mode_t and_bits = (mode_t)0;
1009         mode_t or_bits = (mode_t)0;
1010
1011         /* Get the initial bits to apply. */
1012
1013         if (fsp->is_directory) {
1014                 and_bits = lp_dir_security_mask(snum);
1015                 or_bits = lp_force_dir_security_mode(snum);
1016         } else {
1017                 and_bits = lp_security_mask(snum);
1018                 or_bits = lp_force_security_mode(snum);
1019         }
1020
1021         /* Now bounce them into the S_USR space. */     
1022         switch(type) {
1023         case S_IRUSR:
1024                 /* Ensure owner has read access. */
1025                 pace->perms |= S_IRUSR;
1026                 if (fsp->is_directory)
1027                         pace->perms |= (S_IWUSR|S_IXUSR);
1028                 and_bits = unix_perms_to_acl_perms(and_bits, S_IRUSR, S_IWUSR, S_IXUSR);
1029                 or_bits = unix_perms_to_acl_perms(or_bits, S_IRUSR, S_IWUSR, S_IXUSR);
1030                 break;
1031         case S_IRGRP:
1032                 and_bits = unix_perms_to_acl_perms(and_bits, S_IRGRP, S_IWGRP, S_IXGRP);
1033                 or_bits = unix_perms_to_acl_perms(or_bits, S_IRGRP, S_IWGRP, S_IXGRP);
1034                 break;
1035         case S_IROTH:
1036                 and_bits = unix_perms_to_acl_perms(and_bits, S_IROTH, S_IWOTH, S_IXOTH);
1037                 or_bits = unix_perms_to_acl_perms(or_bits, S_IROTH, S_IWOTH, S_IXOTH);
1038                 break;
1039         }
1040
1041         pace->perms = ((pace->perms & and_bits)|or_bits);
1042 }
1043
1044 /****************************************************************************
1045  Check if a given uid/SID is in a group gid/SID. This is probably very
1046  expensive and will need optimisation. A *lot* of optimisation :-). JRA.
1047 ****************************************************************************/
1048
1049 static BOOL uid_entry_in_group( canon_ace *uid_ace, canon_ace *group_ace )
1050 {
1051         fstring u_name;
1052
1053         /* "Everyone" always matches every uid. */
1054
1055         if (sid_equal(&group_ace->trustee, &global_sid_World))
1056                 return True;
1057
1058         /* Assume that the current user is in the current group (force group) */
1059
1060         if (uid_ace->unix_ug.uid == current_user.ut.uid && group_ace->unix_ug.gid == current_user.ut.gid)
1061                 return True;
1062
1063         fstrcpy(u_name, uidtoname(uid_ace->unix_ug.uid));
1064         return user_in_group_sid(u_name, &group_ace->trustee);
1065 }
1066
1067 /****************************************************************************
1068  A well formed POSIX file or default ACL has at least 3 entries, a 
1069  SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ.
1070  In addition, the owner must always have at least read access.
1071  When using this call on get_acl, the pst struct is valid and contains
1072  the mode of the file. When using this call on set_acl, the pst struct has
1073  been modified to have a mode containing the default for this file or directory
1074  type.
1075 ****************************************************************************/
1076
1077 static BOOL ensure_canon_entry_valid(canon_ace **pp_ace,
1078                                                         files_struct *fsp,
1079                                                         const DOM_SID *pfile_owner_sid,
1080                                                         const DOM_SID *pfile_grp_sid,
1081                                                         SMB_STRUCT_STAT *pst,
1082                                                         BOOL setting_acl)
1083 {
1084         canon_ace *pace;
1085         BOOL got_user = False;
1086         BOOL got_grp = False;
1087         BOOL got_other = False;
1088         canon_ace *pace_other = NULL;
1089
1090         for (pace = *pp_ace; pace; pace = pace->next) {
1091                 if (pace->type == SMB_ACL_USER_OBJ) {
1092
1093                         if (setting_acl)
1094                                 apply_default_perms(fsp, pace, S_IRUSR);
1095                         got_user = True;
1096
1097                 } else if (pace->type == SMB_ACL_GROUP_OBJ) {
1098
1099                         /*
1100                          * Ensure create mask/force create mode is respected on set.
1101                          */
1102
1103                         if (setting_acl)
1104                                 apply_default_perms(fsp, pace, S_IRGRP);
1105                         got_grp = True;
1106
1107                 } else if (pace->type == SMB_ACL_OTHER) {
1108
1109                         /*
1110                          * Ensure create mask/force create mode is respected on set.
1111                          */
1112
1113                         if (setting_acl)
1114                                 apply_default_perms(fsp, pace, S_IROTH);
1115                         got_other = True;
1116                         pace_other = pace;
1117                 }
1118         }
1119
1120         if (!got_user) {
1121                 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1122                         DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1123                         return False;
1124                 }
1125
1126                 ZERO_STRUCTP(pace);
1127                 pace->type = SMB_ACL_USER_OBJ;
1128                 pace->owner_type = UID_ACE;
1129                 pace->unix_ug.uid = pst->st_uid;
1130                 pace->trustee = *pfile_owner_sid;
1131                 pace->attr = ALLOW_ACE;
1132
1133                 if (setting_acl) {
1134                         /* See if the owning user is in any of the other groups in
1135                            the ACE. If so, OR in the permissions from that group. */
1136
1137                         BOOL group_matched = False;
1138                         canon_ace *pace_iter;
1139
1140                         for (pace_iter = *pp_ace; pace_iter; pace_iter = pace_iter->next) {
1141                                 if (pace_iter->type == SMB_ACL_GROUP_OBJ || pace_iter->type == SMB_ACL_GROUP) {
1142                                         if (uid_entry_in_group(pace, pace_iter)) {
1143                                                 pace->perms |= pace_iter->perms;
1144                                                 group_matched = True;
1145                                         }
1146                                 }
1147                         }
1148
1149                         /* If we only got an "everyone" perm, just use that. */
1150                         if (!group_matched) {
1151                                 if (got_other)
1152                                         pace->perms = pace_other->perms;
1153                                 else
1154                                         pace->perms = 0;
1155                         }
1156
1157                         apply_default_perms(fsp, pace, S_IRUSR);
1158                 } else {
1159                         pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IRUSR, S_IWUSR, S_IXUSR);
1160                 }
1161
1162                 DLIST_ADD(*pp_ace, pace);
1163         }
1164
1165         if (!got_grp) {
1166                 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1167                         DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1168                         return False;
1169                 }
1170
1171                 ZERO_STRUCTP(pace);
1172                 pace->type = SMB_ACL_GROUP_OBJ;
1173                 pace->owner_type = GID_ACE;
1174                 pace->unix_ug.uid = pst->st_gid;
1175                 pace->trustee = *pfile_grp_sid;
1176                 pace->attr = ALLOW_ACE;
1177                 if (setting_acl) {
1178                         /* If we only got an "everyone" perm, just use that. */
1179                         if (got_other)
1180                                 pace->perms = pace_other->perms;
1181                         else
1182                                 pace->perms = 0;
1183                         apply_default_perms(fsp, pace, S_IRGRP);
1184                 } else {
1185                         pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IRGRP, S_IWGRP, S_IXGRP);
1186                 }
1187
1188                 DLIST_ADD(*pp_ace, pace);
1189         }
1190
1191         if (!got_other) {
1192                 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1193                         DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1194                         return False;
1195                 }
1196
1197                 ZERO_STRUCTP(pace);
1198                 pace->type = SMB_ACL_OTHER;
1199                 pace->owner_type = WORLD_ACE;
1200                 pace->unix_ug.world = -1;
1201                 pace->trustee = global_sid_World;
1202                 pace->attr = ALLOW_ACE;
1203                 if (setting_acl) {
1204                         pace->perms = 0;
1205                         apply_default_perms(fsp, pace, S_IROTH);
1206                 } else
1207                         pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IROTH, S_IWOTH, S_IXOTH);
1208
1209                 DLIST_ADD(*pp_ace, pace);
1210         }
1211
1212         return True;
1213 }
1214
1215 /****************************************************************************
1216  Check if a POSIX ACL has the required SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries.
1217  If it does not have them, check if there are any entries where the trustee is the
1218  file owner or the owning group, and map these to SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ.
1219 ****************************************************************************/
1220
1221 static void check_owning_objs(canon_ace *ace, DOM_SID *pfile_owner_sid, DOM_SID *pfile_grp_sid)
1222 {
1223         BOOL got_user_obj, got_group_obj;
1224         canon_ace *current_ace;
1225         int i, entries;
1226
1227         entries = count_canon_ace_list(ace);
1228         got_user_obj = False;
1229         got_group_obj = False;
1230
1231         for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1232                 if (current_ace->type == SMB_ACL_USER_OBJ)
1233                         got_user_obj = True;
1234                 else if (current_ace->type == SMB_ACL_GROUP_OBJ)
1235                         got_group_obj = True;
1236         }
1237         if (got_user_obj && got_group_obj) {
1238                 DEBUG(10,("check_owning_objs: ACL had owning user/group entries.\n"));
1239                 return;
1240         }
1241
1242         for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1243                 if (!got_user_obj && current_ace->owner_type == UID_ACE &&
1244                                 sid_equal(&current_ace->trustee, pfile_owner_sid)) {
1245                         current_ace->type = SMB_ACL_USER_OBJ;
1246                         got_user_obj = True;
1247                 }
1248                 if (!got_group_obj && current_ace->owner_type == GID_ACE &&
1249                                 sid_equal(&current_ace->trustee, pfile_grp_sid)) {
1250                         current_ace->type = SMB_ACL_GROUP_OBJ;
1251                         got_group_obj = True;
1252                 }
1253         }
1254         if (!got_user_obj)
1255                 DEBUG(10,("check_owning_objs: ACL is missing an owner entry.\n"));
1256         if (!got_group_obj)
1257                 DEBUG(10,("check_owning_objs: ACL is missing an owning group entry.\n"));
1258 }
1259
1260 /****************************************************************************
1261  Unpack a SEC_DESC into two canonical ace lists.
1262 ****************************************************************************/
1263
1264 static BOOL create_canon_ace_lists(files_struct *fsp, SMB_STRUCT_STAT *pst,
1265                                                         DOM_SID *pfile_owner_sid,
1266                                                         DOM_SID *pfile_grp_sid,
1267                                                         canon_ace **ppfile_ace, canon_ace **ppdir_ace,
1268                                                         SEC_ACL *dacl)
1269 {
1270         BOOL all_aces_are_inherit_only = (fsp->is_directory ? True : False);
1271         canon_ace *file_ace = NULL;
1272         canon_ace *dir_ace = NULL;
1273         canon_ace *current_ace = NULL;
1274         BOOL got_dir_allow = False;
1275         BOOL got_file_allow = False;
1276         int i, j;
1277
1278         *ppfile_ace = NULL;
1279         *ppdir_ace = NULL;
1280
1281         /*
1282          * Convert the incoming ACL into a more regular form.
1283          */
1284
1285         for(i = 0; i < dacl->num_aces; i++) {
1286                 SEC_ACE *psa = &dacl->aces[i];
1287
1288                 if((psa->type != SEC_ACE_TYPE_ACCESS_ALLOWED) && (psa->type != SEC_ACE_TYPE_ACCESS_DENIED)) {
1289                         DEBUG(3,("create_canon_ace_lists: unable to set anything but an ALLOW or DENY ACE.\n"));
1290                         return False;
1291                 }
1292
1293                 if (nt4_compatible_acls()) {
1294                         /*
1295                          * The security mask may be UNIX_ACCESS_NONE which should map into
1296                          * no permissions (we overload the WRITE_OWNER bit for this) or it
1297                          * should be one of the ALL/EXECUTE/READ/WRITE bits. Arrange for this
1298                          * to be so. Any other bits override the UNIX_ACCESS_NONE bit.
1299                          */
1300
1301                         /*
1302                          * Convert GENERIC bits to specific bits.
1303                          */
1304  
1305                         se_map_generic(&psa->access_mask, &file_generic_mapping);
1306
1307                         psa->access_mask &= (UNIX_ACCESS_NONE|FILE_ALL_ACCESS);
1308
1309                         if(psa->access_mask != UNIX_ACCESS_NONE)
1310                                 psa->access_mask &= ~UNIX_ACCESS_NONE;
1311                 }
1312         }
1313
1314         /*
1315          * Deal with the fact that NT 4.x re-writes the canonical format
1316          * that we return for default ACLs. If a directory ACE is identical
1317          * to a inherited directory ACE then NT changes the bits so that the
1318          * first ACE is set to OI|IO and the second ACE for this SID is set
1319          * to CI. We need to repair this. JRA.
1320          */
1321
1322         for(i = 0; i < dacl->num_aces; i++) {
1323                 SEC_ACE *psa1 = &dacl->aces[i];
1324
1325                 for (j = i + 1; j < dacl->num_aces; j++) {
1326                         SEC_ACE *psa2 = &dacl->aces[j];
1327
1328                         if (psa1->access_mask != psa2->access_mask)
1329                                 continue;
1330
1331                         if (!sid_equal(&psa1->trustee, &psa2->trustee))
1332                                 continue;
1333
1334                         /*
1335                          * Ok - permission bits and SIDs are equal.
1336                          * Check if flags were re-written.
1337                          */
1338
1339                         if (psa1->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1340
1341                                 psa1->flags |= (psa2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1342                                 psa2->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1343                                 
1344                         } else if (psa2->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1345
1346                                 psa2->flags |= (psa1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1347                                 psa1->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1348                                 
1349                         }
1350                 }
1351         }
1352
1353         for(i = 0; i < dacl->num_aces; i++) {
1354                 SEC_ACE *psa = &dacl->aces[i];
1355
1356                 /*
1357                  * Create a cannon_ace entry representing this NT DACL ACE.
1358                  */
1359
1360                 if ((current_ace = SMB_MALLOC_P(canon_ace)) == NULL) {
1361                         free_canon_ace_list(file_ace);
1362                         free_canon_ace_list(dir_ace);
1363                         DEBUG(0,("create_canon_ace_lists: malloc fail.\n"));
1364                         return False;
1365                 }
1366
1367                 ZERO_STRUCTP(current_ace);
1368
1369                 sid_copy(&current_ace->trustee, &psa->trustee);
1370
1371                 /*
1372                  * Try and work out if the SID is a user or group
1373                  * as we need to flag these differently for POSIX.
1374                  * Note what kind of a POSIX ACL this should map to.
1375                  */
1376
1377                 if( sid_equal(&current_ace->trustee, &global_sid_World)) {
1378                         current_ace->owner_type = WORLD_ACE;
1379                         current_ace->unix_ug.world = -1;
1380                         current_ace->type = SMB_ACL_OTHER;
1381                 } else if (sid_equal(&current_ace->trustee, &global_sid_Creator_Owner)) {
1382                         current_ace->owner_type = UID_ACE;
1383                         current_ace->unix_ug.uid = pst->st_uid;
1384                         current_ace->type = SMB_ACL_USER_OBJ;
1385
1386                         /*
1387                          * The Creator Owner entry only specifies inheritable permissions,
1388                          * never access permissions. WinNT doesn't always set the ACE to
1389                          *INHERIT_ONLY, though.
1390                          */
1391
1392                         if (nt4_compatible_acls())
1393                                 psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1394                 } else if (sid_equal(&current_ace->trustee, &global_sid_Creator_Group)) {
1395                         current_ace->owner_type = GID_ACE;
1396                         current_ace->unix_ug.gid = pst->st_gid;
1397                         current_ace->type = SMB_ACL_GROUP_OBJ;
1398
1399                         /*
1400                          * The Creator Group entry only specifies inheritable permissions,
1401                          * never access permissions. WinNT doesn't always set the ACE to
1402                          *INHERIT_ONLY, though.
1403                          */
1404                         if (nt4_compatible_acls())
1405                                 psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1406
1407                 } else if (sid_to_uid( &current_ace->trustee, &current_ace->unix_ug.uid)) {
1408                         current_ace->owner_type = UID_ACE;
1409                         current_ace->type = SMB_ACL_USER;
1410                 } else if (sid_to_gid( &current_ace->trustee, &current_ace->unix_ug.gid)) {
1411                         current_ace->owner_type = GID_ACE;
1412                         current_ace->type = SMB_ACL_GROUP;
1413                 } else {
1414                         fstring str;
1415
1416                         /*
1417                          * Silently ignore map failures in non-mappable SIDs (NT Authority, BUILTIN etc).
1418                          */
1419
1420                         if (non_mappable_sid(&psa->trustee)) {
1421                                 DEBUG(10,("create_canon_ace_lists: ignoring non-mappable SID %s\n",
1422                                         sid_to_string(str, &psa->trustee) ));
1423                                 SAFE_FREE(current_ace);
1424                                 continue;
1425                         }
1426
1427                         free_canon_ace_list(file_ace);
1428                         free_canon_ace_list(dir_ace);
1429                         DEBUG(0,("create_canon_ace_lists: unable to map SID %s to uid or gid.\n",
1430                                 sid_to_string(str, &current_ace->trustee) ));
1431                         SAFE_FREE(current_ace);
1432                         return False;
1433                 }
1434
1435                 /*
1436                  * Map the given NT permissions into a UNIX mode_t containing only
1437                  * S_I(R|W|X)USR bits.
1438                  */
1439
1440                 current_ace->perms |= map_nt_perms( &psa->access_mask, S_IRUSR);
1441                 current_ace->attr = (psa->type == SEC_ACE_TYPE_ACCESS_ALLOWED) ? ALLOW_ACE : DENY_ACE;
1442                 current_ace->inherited = ((psa->flags & SEC_ACE_FLAG_INHERITED_ACE) ? True : False);
1443
1444                 /*
1445                  * Now add the created ace to either the file list, the directory
1446                  * list, or both. We *MUST* preserve the order here (hence we use
1447                  * DLIST_ADD_END) as NT ACLs are order dependent.
1448                  */
1449
1450                 if (fsp->is_directory) {
1451
1452                         /*
1453                          * We can only add to the default POSIX ACE list if the ACE is
1454                          * designed to be inherited by both files and directories.
1455                          */
1456
1457                         if ((psa->flags & (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) ==
1458                                 (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) {
1459
1460                                 DLIST_ADD_END(dir_ace, current_ace, canon_ace *);
1461
1462                                 /*
1463                                  * Note if this was an allow ace. We can't process
1464                                  * any further deny ace's after this.
1465                                  */
1466
1467                                 if (current_ace->attr == ALLOW_ACE)
1468                                         got_dir_allow = True;
1469
1470                                 if ((current_ace->attr == DENY_ACE) && got_dir_allow) {
1471                                         DEBUG(0,("create_canon_ace_lists: malformed ACL in inheritable ACL ! \
1472 Deny entry after Allow entry. Failing to set on file %s.\n", fsp->fsp_name ));
1473                                         free_canon_ace_list(file_ace);
1474                                         free_canon_ace_list(dir_ace);
1475                                         return False;
1476                                 }       
1477
1478                                 if( DEBUGLVL( 10 )) {
1479                                         dbgtext("create_canon_ace_lists: adding dir ACL:\n");
1480                                         print_canon_ace( current_ace, 0);
1481                                 }
1482
1483                                 /*
1484                                  * If this is not an inherit only ACE we need to add a duplicate
1485                                  * to the file acl.
1486                                  */
1487
1488                                 if (!(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1489                                         canon_ace *dup_ace = dup_canon_ace(current_ace);
1490
1491                                         if (!dup_ace) {
1492                                                 DEBUG(0,("create_canon_ace_lists: malloc fail !\n"));
1493                                                 free_canon_ace_list(file_ace);
1494                                                 free_canon_ace_list(dir_ace);
1495                                                 return False;
1496                                         }
1497
1498                                         /*
1499                                          * We must not free current_ace here as its
1500                                          * pointer is now owned by the dir_ace list.
1501                                          */
1502                                         current_ace = dup_ace;
1503                                 } else {
1504                                         /*
1505                                          * We must not free current_ace here as its
1506                                          * pointer is now owned by the dir_ace list.
1507                                          */
1508                                         current_ace = NULL;
1509                                 }
1510                         }
1511                 }
1512
1513                 /*
1514                  * Only add to the file ACL if not inherit only.
1515                  */
1516
1517                 if (current_ace && !(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1518                         DLIST_ADD_END(file_ace, current_ace, canon_ace *);
1519
1520                         /*
1521                          * Note if this was an allow ace. We can't process
1522                          * any further deny ace's after this.
1523                          */
1524
1525                         if (current_ace->attr == ALLOW_ACE)
1526                                 got_file_allow = True;
1527
1528                         if ((current_ace->attr == DENY_ACE) && got_file_allow) {
1529                                 DEBUG(0,("create_canon_ace_lists: malformed ACL in file ACL ! \
1530 Deny entry after Allow entry. Failing to set on file %s.\n", fsp->fsp_name ));
1531                                 free_canon_ace_list(file_ace);
1532                                 free_canon_ace_list(dir_ace);
1533                                 return False;
1534                         }       
1535
1536                         if( DEBUGLVL( 10 )) {
1537                                 dbgtext("create_canon_ace_lists: adding file ACL:\n");
1538                                 print_canon_ace( current_ace, 0);
1539                         }
1540                         all_aces_are_inherit_only = False;
1541                         /*
1542                          * We must not free current_ace here as its
1543                          * pointer is now owned by the file_ace list.
1544                          */
1545                         current_ace = NULL;
1546                 }
1547
1548                 /*
1549                  * Free if ACE was not added.
1550                  */
1551
1552                 SAFE_FREE(current_ace);
1553         }
1554
1555         if (fsp->is_directory && all_aces_are_inherit_only) {
1556                 /*
1557                  * Windows 2000 is doing one of these weird 'inherit acl'
1558                  * traverses to conserve NTFS ACL resources. Just pretend
1559                  * there was no DACL sent. JRA.
1560                  */
1561
1562                 DEBUG(10,("create_canon_ace_lists: Win2k inherit acl traverse. Ignoring DACL.\n"));
1563                 free_canon_ace_list(file_ace);
1564                 free_canon_ace_list(dir_ace);
1565                 file_ace = NULL;
1566                 dir_ace = NULL;
1567         } else {
1568                 /*
1569                  * Check if we have SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries in each
1570                  * ACL. If we don't have them, check if any SMB_ACL_USER/SMB_ACL_GROUP
1571                  * entries can be converted to *_OBJ. Usually we will already have these
1572                  * entries in the Default ACL, and the Access ACL will not have them.
1573                  */
1574                 if (file_ace) {
1575                         check_owning_objs(file_ace, pfile_owner_sid, pfile_grp_sid);
1576                 }
1577                 if (dir_ace) {
1578                         check_owning_objs(dir_ace, pfile_owner_sid, pfile_grp_sid);
1579                 }
1580         }
1581
1582         *ppfile_ace = file_ace;
1583         *ppdir_ace = dir_ace;
1584
1585         return True;
1586 }
1587
1588 /****************************************************************************
1589  ASCII art time again... JRA :-).
1590
1591  We have 4 cases to process when moving from an NT ACL to a POSIX ACL. Firstly,
1592  we insist the ACL is in canonical form (ie. all DENY entries preceede ALLOW
1593  entries). Secondly, the merge code has ensured that all duplicate SID entries for
1594  allow or deny have been merged, so the same SID can only appear once in the deny
1595  list or once in the allow list.
1596
1597  We then process as follows :
1598
1599  ---------------------------------------------------------------------------
1600  First pass - look for a Everyone DENY entry.
1601
1602  If it is deny all (rwx) trunate the list at this point.
1603  Else, walk the list from this point and use the deny permissions of this
1604  entry as a mask on all following allow entries. Finally, delete
1605  the Everyone DENY entry (we have applied it to everything possible).
1606
1607  In addition, in this pass we remove any DENY entries that have 
1608  no permissions (ie. they are a DENY nothing).
1609  ---------------------------------------------------------------------------
1610  Second pass - only deal with deny user entries.
1611
1612  DENY user1 (perms XXX)
1613
1614  new_perms = 0
1615  for all following allow group entries where user1 is in group
1616         new_perms |= group_perms;
1617
1618  user1 entry perms = new_perms & ~ XXX;
1619
1620  Convert the deny entry to an allow entry with the new perms and
1621  push to the end of the list. Note if the user was in no groups
1622  this maps to a specific allow nothing entry for this user.
1623
1624  The common case from the NT ACL choser (userX deny all) is
1625  optimised so we don't do the group lookup - we just map to
1626  an allow nothing entry.
1627
1628  What we're doing here is inferring the allow permissions the
1629  person setting the ACE on user1 wanted by looking at the allow
1630  permissions on the groups the user is currently in. This will
1631  be a snapshot, depending on group membership but is the best
1632  we can do and has the advantage of failing closed rather than
1633  open.
1634  ---------------------------------------------------------------------------
1635  Third pass - only deal with deny group entries.
1636
1637  DENY group1 (perms XXX)
1638
1639  for all following allow user entries where user is in group1
1640    user entry perms = user entry perms & ~ XXX;
1641
1642  If there is a group Everyone allow entry with permissions YYY,
1643  convert the group1 entry to an allow entry and modify its
1644  permissions to be :
1645
1646  new_perms = YYY & ~ XXX
1647
1648  and push to the end of the list.
1649
1650  If there is no group Everyone allow entry then convert the
1651  group1 entry to a allow nothing entry and push to the end of the list.
1652
1653  Note that the common case from the NT ACL choser (groupX deny all)
1654  cannot be optimised here as we need to modify user entries who are
1655  in the group to change them to a deny all also.
1656
1657  What we're doing here is modifying the allow permissions of
1658  user entries (which are more specific in POSIX ACLs) to mask
1659  out the explicit deny set on the group they are in. This will
1660  be a snapshot depending on current group membership but is the
1661  best we can do and has the advantage of failing closed rather
1662  than open.
1663  ---------------------------------------------------------------------------
1664  Fourth pass - cope with cumulative permissions.
1665
1666  for all allow user entries, if there exists an allow group entry with
1667  more permissive permissions, and the user is in that group, rewrite the
1668  allow user permissions to contain both sets of permissions.
1669
1670  Currently the code for this is #ifdef'ed out as these semantics make
1671  no sense to me. JRA.
1672  ---------------------------------------------------------------------------
1673
1674  Note we *MUST* do the deny user pass first as this will convert deny user
1675  entries into allow user entries which can then be processed by the deny
1676  group pass.
1677
1678  The above algorithm took a *lot* of thinking about - hence this
1679  explaination :-). JRA.
1680 ****************************************************************************/
1681
1682 /****************************************************************************
1683  Process a canon_ace list entries. This is very complex code. We need
1684  to go through and remove the "deny" permissions from any allow entry that matches
1685  the id of this entry. We have already refused any NT ACL that wasn't in correct
1686  order (DENY followed by ALLOW). If any allow entry ends up with zero permissions,
1687  we just remove it (to fail safe). We have already removed any duplicate ace
1688  entries. Treat an "Everyone" DENY_ACE as a special case - use it to mask all
1689  allow entries.
1690 ****************************************************************************/
1691
1692 static void process_deny_list( canon_ace **pp_ace_list )
1693 {
1694         canon_ace *ace_list = *pp_ace_list;
1695         canon_ace *curr_ace = NULL;
1696         canon_ace *curr_ace_next = NULL;
1697
1698         /* Pass 1 above - look for an Everyone, deny entry. */
1699
1700         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
1701                 canon_ace *allow_ace_p;
1702
1703                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
1704
1705                 if (curr_ace->attr != DENY_ACE)
1706                         continue;
1707
1708                 if (curr_ace->perms == (mode_t)0) {
1709
1710                         /* Deny nothing entry - delete. */
1711
1712                         DLIST_REMOVE(ace_list, curr_ace);
1713                         continue;
1714                 }
1715
1716                 if (!sid_equal(&curr_ace->trustee, &global_sid_World))
1717                         continue;
1718
1719                 /* JRATEST - assert. */
1720                 SMB_ASSERT(curr_ace->owner_type == WORLD_ACE);
1721
1722                 if (curr_ace->perms == ALL_ACE_PERMS) {
1723
1724                         /*
1725                          * Optimisation. This is a DENY_ALL to Everyone. Truncate the
1726                          * list at this point including this entry.
1727                          */
1728
1729                         canon_ace *prev_entry = curr_ace->prev;
1730
1731                         free_canon_ace_list( curr_ace );
1732                         if (prev_entry)
1733                                 prev_entry->next = NULL;
1734                         else {
1735                                 /* We deleted the entire list. */
1736                                 ace_list = NULL;
1737                         }
1738                         break;
1739                 }
1740
1741                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
1742
1743                         /* 
1744                          * Only mask off allow entries.
1745                          */
1746
1747                         if (allow_ace_p->attr != ALLOW_ACE)
1748                                 continue;
1749
1750                         allow_ace_p->perms &= ~curr_ace->perms;
1751                 }
1752
1753                 /*
1754                  * Now it's been applied, remove it.
1755                  */
1756
1757                 DLIST_REMOVE(ace_list, curr_ace);
1758         }
1759
1760         /* Pass 2 above - deal with deny user entries. */
1761
1762         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
1763                 mode_t new_perms = (mode_t)0;
1764                 canon_ace *allow_ace_p;
1765
1766                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
1767
1768                 if (curr_ace->attr != DENY_ACE)
1769                         continue;
1770
1771                 if (curr_ace->owner_type != UID_ACE)
1772                         continue;
1773
1774                 if (curr_ace->perms == ALL_ACE_PERMS) {
1775
1776                         /*
1777                          * Optimisation - this is a deny everything to this user.
1778                          * Convert to an allow nothing and push to the end of the list.
1779                          */
1780
1781                         curr_ace->attr = ALLOW_ACE;
1782                         curr_ace->perms = (mode_t)0;
1783                         DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
1784                         continue;
1785                 }
1786
1787                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
1788
1789                         if (allow_ace_p->attr != ALLOW_ACE)
1790                                 continue;
1791
1792                         /* We process GID_ACE and WORLD_ACE entries only. */
1793
1794                         if (allow_ace_p->owner_type == UID_ACE)
1795                                 continue;
1796
1797                         if (uid_entry_in_group( curr_ace, allow_ace_p))
1798                                 new_perms |= allow_ace_p->perms;
1799                 }
1800
1801                 /*
1802                  * Convert to a allow entry, modify the perms and push to the end
1803                  * of the list.
1804                  */
1805
1806                 curr_ace->attr = ALLOW_ACE;
1807                 curr_ace->perms = (new_perms & ~curr_ace->perms);
1808                 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
1809         }
1810
1811         /* Pass 3 above - deal with deny group entries. */
1812
1813         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
1814                 canon_ace *allow_ace_p;
1815                 canon_ace *allow_everyone_p = NULL;
1816
1817                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
1818
1819                 if (curr_ace->attr != DENY_ACE)
1820                         continue;
1821
1822                 if (curr_ace->owner_type != GID_ACE)
1823                         continue;
1824
1825                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
1826
1827                         if (allow_ace_p->attr != ALLOW_ACE)
1828                                 continue;
1829
1830                         /* Store a pointer to the Everyone allow, if it exists. */
1831                         if (allow_ace_p->owner_type == WORLD_ACE)
1832                                 allow_everyone_p = allow_ace_p;
1833
1834                         /* We process UID_ACE entries only. */
1835
1836                         if (allow_ace_p->owner_type != UID_ACE)
1837                                 continue;
1838
1839                         /* Mask off the deny group perms. */
1840
1841                         if (uid_entry_in_group( allow_ace_p, curr_ace))
1842                                 allow_ace_p->perms &= ~curr_ace->perms;
1843                 }
1844
1845                 /*
1846                  * Convert the deny to an allow with the correct perms and
1847                  * push to the end of the list.
1848                  */
1849
1850                 curr_ace->attr = ALLOW_ACE;
1851                 if (allow_everyone_p)
1852                         curr_ace->perms = allow_everyone_p->perms & ~curr_ace->perms;
1853                 else
1854                         curr_ace->perms = (mode_t)0;
1855                 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
1856         }
1857
1858         /* Doing this fourth pass allows Windows semantics to be layered
1859          * on top of POSIX semantics. I'm not sure if this is desirable.
1860          * For example, in W2K ACLs there is no way to say, "Group X no
1861          * access, user Y full access" if user Y is a member of group X.
1862          * This seems completely broken semantics to me.... JRA.
1863          */
1864
1865 #if 0
1866         /* Pass 4 above - deal with allow entries. */
1867
1868         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
1869                 canon_ace *allow_ace_p;
1870
1871                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
1872
1873                 if (curr_ace->attr != ALLOW_ACE)
1874                         continue;
1875
1876                 if (curr_ace->owner_type != UID_ACE)
1877                         continue;
1878
1879                 for (allow_ace_p = ace_list; allow_ace_p; allow_ace_p = allow_ace_p->next) {
1880
1881                         if (allow_ace_p->attr != ALLOW_ACE)
1882                                 continue;
1883
1884                         /* We process GID_ACE entries only. */
1885
1886                         if (allow_ace_p->owner_type != GID_ACE)
1887                                 continue;
1888
1889                         /* OR in the group perms. */
1890
1891                         if (uid_entry_in_group( curr_ace, allow_ace_p))
1892                                 curr_ace->perms |= allow_ace_p->perms;
1893                 }
1894         }
1895 #endif
1896
1897         *pp_ace_list = ace_list;
1898 }
1899
1900 /****************************************************************************
1901  Create a default mode that will be used if a security descriptor entry has
1902  no user/group/world entries.
1903 ****************************************************************************/
1904
1905 static mode_t create_default_mode(files_struct *fsp, BOOL interitable_mode)
1906 {
1907         int snum = SNUM(fsp->conn);
1908         mode_t and_bits = (mode_t)0;
1909         mode_t or_bits = (mode_t)0;
1910         mode_t mode = interitable_mode
1911                 ? unix_mode( fsp->conn, FILE_ATTRIBUTE_ARCHIVE, fsp->fsp_name,
1912                              NULL )
1913                 : S_IRUSR;
1914
1915         if (fsp->is_directory)
1916                 mode |= (S_IWUSR|S_IXUSR);
1917
1918         /*
1919          * Now AND with the create mode/directory mode bits then OR with the
1920          * force create mode/force directory mode bits.
1921          */
1922
1923         if (fsp->is_directory) {
1924                 and_bits = lp_dir_security_mask(snum);
1925                 or_bits = lp_force_dir_security_mode(snum);
1926         } else {
1927                 and_bits = lp_security_mask(snum);
1928                 or_bits = lp_force_security_mode(snum);
1929         }
1930
1931         return ((mode & and_bits)|or_bits);
1932 }
1933
1934 /****************************************************************************
1935  Unpack a SEC_DESC into two canonical ace lists. We don't depend on this
1936  succeeding.
1937 ****************************************************************************/
1938
1939 static BOOL unpack_canon_ace(files_struct *fsp, 
1940                                                         SMB_STRUCT_STAT *pst,
1941                                                         DOM_SID *pfile_owner_sid,
1942                                                         DOM_SID *pfile_grp_sid,
1943                                                         canon_ace **ppfile_ace, canon_ace **ppdir_ace,
1944                                                         uint32 security_info_sent, SEC_DESC *psd)
1945 {
1946         canon_ace *file_ace = NULL;
1947         canon_ace *dir_ace = NULL;
1948
1949         *ppfile_ace = NULL;
1950         *ppdir_ace = NULL;
1951
1952         if(security_info_sent == 0) {
1953                 DEBUG(0,("unpack_canon_ace: no security info sent !\n"));
1954                 return False;
1955         }
1956
1957         /*
1958          * If no DACL then this is a chown only security descriptor.
1959          */
1960
1961         if(!(security_info_sent & DACL_SECURITY_INFORMATION) || !psd->dacl)
1962                 return True;
1963
1964         /*
1965          * Now go through the DACL and create the canon_ace lists.
1966          */
1967
1968         if (!create_canon_ace_lists( fsp, pst, pfile_owner_sid, pfile_grp_sid,
1969                                                                 &file_ace, &dir_ace, psd->dacl))
1970                 return False;
1971
1972         if ((file_ace == NULL) && (dir_ace == NULL)) {
1973                 /* W2K traverse DACL set - ignore. */
1974                 return True;
1975         }
1976
1977         /*
1978          * Go through the canon_ace list and merge entries
1979          * belonging to identical users of identical allow or deny type.
1980          * We can do this as all deny entries come first, followed by
1981          * all allow entries (we have mandated this before accepting this acl).
1982          */
1983
1984         print_canon_ace_list( "file ace - before merge", file_ace);
1985         merge_aces( &file_ace );
1986
1987         print_canon_ace_list( "dir ace - before merge", dir_ace);
1988         merge_aces( &dir_ace );
1989
1990         /*
1991          * NT ACLs are order dependent. Go through the acl lists and
1992          * process DENY entries by masking the allow entries.
1993          */
1994
1995         print_canon_ace_list( "file ace - before deny", file_ace);
1996         process_deny_list( &file_ace);
1997
1998         print_canon_ace_list( "dir ace - before deny", dir_ace);
1999         process_deny_list( &dir_ace);
2000
2001         /*
2002          * A well formed POSIX file or default ACL has at least 3 entries, a 
2003          * SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ
2004          * and optionally a mask entry. Ensure this is the case.
2005          */
2006
2007         print_canon_ace_list( "file ace - before valid", file_ace);
2008
2009         /*
2010          * A default 3 element mode entry for a file should be r-- --- ---.
2011          * A default 3 element mode entry for a directory should be rwx --- ---.
2012          */
2013
2014         pst->st_mode = create_default_mode(fsp, False);
2015
2016         if (!ensure_canon_entry_valid(&file_ace, fsp, pfile_owner_sid, pfile_grp_sid, pst, True)) {
2017                 free_canon_ace_list(file_ace);
2018                 free_canon_ace_list(dir_ace);
2019                 return False;
2020         }
2021
2022         print_canon_ace_list( "dir ace - before valid", dir_ace);
2023
2024         /*
2025          * A default inheritable 3 element mode entry for a directory should be the
2026          * mode Samba will use to create a file within. Ensure user rwx bits are set if
2027          * it's a directory.
2028          */
2029
2030         pst->st_mode = create_default_mode(fsp, True);
2031
2032         if (dir_ace && !ensure_canon_entry_valid(&dir_ace, fsp, pfile_owner_sid, pfile_grp_sid, pst, True)) {
2033                 free_canon_ace_list(file_ace);
2034                 free_canon_ace_list(dir_ace);
2035                 return False;
2036         }
2037
2038         print_canon_ace_list( "file ace - return", file_ace);
2039         print_canon_ace_list( "dir ace - return", dir_ace);
2040
2041         *ppfile_ace = file_ace;
2042         *ppdir_ace = dir_ace;
2043         return True;
2044
2045 }
2046
2047 /******************************************************************************
2048  When returning permissions, try and fit NT display
2049  semantics if possible. Note the the canon_entries here must have been malloced.
2050  The list format should be - first entry = owner, followed by group and other user
2051  entries, last entry = other.
2052
2053  Note that this doesn't exactly match the NT semantics for an ACL. As POSIX entries
2054  are not ordered, and match on the most specific entry rather than walking a list,
2055  then a simple POSIX permission of rw-r--r-- should really map to 5 entries,
2056
2057  Entry 0: owner : deny all except read and write.
2058  Entry 1: owner : allow read and write.
2059  Entry 2: group : deny all except read.
2060  Entry 3: group : allow read.
2061  Entry 4: Everyone : allow read.
2062
2063  But NT cannot display this in their ACL editor !
2064 ********************************************************************************/
2065
2066 static void arrange_posix_perms( char *filename, canon_ace **pp_list_head)
2067 {
2068         canon_ace *list_head = *pp_list_head;
2069         canon_ace *owner_ace = NULL;
2070         canon_ace *other_ace = NULL;
2071         canon_ace *ace = NULL;
2072
2073         for (ace = list_head; ace; ace = ace->next) {
2074                 if (ace->type == SMB_ACL_USER_OBJ)
2075                         owner_ace = ace;
2076                 else if (ace->type == SMB_ACL_OTHER) {
2077                         /* Last ace - this is "other" */
2078                         other_ace = ace;
2079                 }
2080         }
2081                 
2082         if (!owner_ace || !other_ace) {
2083                 DEBUG(0,("arrange_posix_perms: Invalid POSIX permissions for file %s, missing owner or other.\n",
2084                         filename ));
2085                 return;
2086         }
2087
2088         /*
2089          * The POSIX algorithm applies to owner first, and other last,
2090          * so ensure they are arranged in this order.
2091          */
2092
2093         if (owner_ace) {
2094                 DLIST_PROMOTE(list_head, owner_ace);
2095         }
2096
2097         if (other_ace) {
2098                 DLIST_DEMOTE(list_head, other_ace, canon_ace *);
2099         }
2100
2101         /* We have probably changed the head of the list. */
2102
2103         *pp_list_head = list_head;
2104 }
2105                 
2106 /****************************************************************************
2107  Create a linked list of canonical ACE entries.
2108 ****************************************************************************/
2109
2110 static canon_ace *canonicalise_acl( files_struct *fsp, SMB_ACL_T posix_acl, SMB_STRUCT_STAT *psbuf,
2111                                         const DOM_SID *powner, const DOM_SID *pgroup, struct pai_val *pal, SMB_ACL_TYPE_T the_acl_type)
2112 {
2113         connection_struct *conn = fsp->conn;
2114         mode_t acl_mask = (S_IRUSR|S_IWUSR|S_IXUSR);
2115         canon_ace *list_head = NULL;
2116         canon_ace *ace = NULL;
2117         canon_ace *next_ace = NULL;
2118         int entry_id = SMB_ACL_FIRST_ENTRY;
2119         SMB_ACL_ENTRY_T entry;
2120         size_t ace_count;
2121
2122         while ( posix_acl && (SMB_VFS_SYS_ACL_GET_ENTRY(conn, posix_acl, entry_id, &entry) == 1)) {
2123                 SMB_ACL_TAG_T tagtype;
2124                 SMB_ACL_PERMSET_T permset;
2125                 DOM_SID sid;
2126                 posix_id unix_ug;
2127                 enum ace_owner owner_type;
2128
2129                 /* get_next... */
2130                 if (entry_id == SMB_ACL_FIRST_ENTRY)
2131                         entry_id = SMB_ACL_NEXT_ENTRY;
2132
2133                 /* Is this a MASK entry ? */
2134                 if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) == -1)
2135                         continue;
2136
2137                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1)
2138                         continue;
2139
2140                 /* Decide which SID to use based on the ACL type. */
2141                 switch(tagtype) {
2142                         case SMB_ACL_USER_OBJ:
2143                                 /* Get the SID from the owner. */
2144                                 sid_copy(&sid, powner);
2145                                 unix_ug.uid = psbuf->st_uid;
2146                                 owner_type = UID_ACE;
2147                                 break;
2148                         case SMB_ACL_USER:
2149                                 {
2150                                         uid_t *puid = (uid_t *)SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry);
2151                                         if (puid == NULL) {
2152                                                 DEBUG(0,("canonicalise_acl: Failed to get uid.\n"));
2153                                                 continue;
2154                                         }
2155                                         /*
2156                                          * A SMB_ACL_USER entry for the owner is shadowed by the
2157                                          * SMB_ACL_USER_OBJ entry and Windows also cannot represent
2158                                          * that entry, so we ignore it. We also don't create such
2159                                          * entries out of the blue when setting ACLs, so a get/set
2160                                          * cycle will drop them.
2161                                          */
2162                                         if (the_acl_type == SMB_ACL_TYPE_ACCESS && *puid == psbuf->st_uid) {
2163                                                 SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)puid,tagtype);
2164                                                 continue;
2165                                         }
2166                                         uid_to_sid( &sid, *puid);
2167                                         unix_ug.uid = *puid;
2168                                         owner_type = UID_ACE;
2169                                         SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)puid,tagtype);
2170                                         break;
2171                                 }
2172                         case SMB_ACL_GROUP_OBJ:
2173                                 /* Get the SID from the owning group. */
2174                                 sid_copy(&sid, pgroup);
2175                                 unix_ug.gid = psbuf->st_gid;
2176                                 owner_type = GID_ACE;
2177                                 break;
2178                         case SMB_ACL_GROUP:
2179                                 {
2180                                         gid_t *pgid = (gid_t *)SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry);
2181                                         if (pgid == NULL) {
2182                                                 DEBUG(0,("canonicalise_acl: Failed to get gid.\n"));
2183                                                 continue;
2184                                         }
2185                                         gid_to_sid( &sid, *pgid);
2186                                         unix_ug.gid = *pgid;
2187                                         owner_type = GID_ACE;
2188                                         SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)pgid,tagtype);
2189                                         break;
2190                                 }
2191                         case SMB_ACL_MASK:
2192                                 acl_mask = convert_permset_to_mode_t(conn, permset);
2193                                 continue; /* Don't count the mask as an entry. */
2194                         case SMB_ACL_OTHER:
2195                                 /* Use the Everyone SID */
2196                                 sid = global_sid_World;
2197                                 unix_ug.world = -1;
2198                                 owner_type = WORLD_ACE;
2199                                 break;
2200                         default:
2201                                 DEBUG(0,("canonicalise_acl: Unknown tagtype %u\n", (unsigned int)tagtype));
2202                                 continue;
2203                 }
2204
2205                 /*
2206                  * Add this entry to the list.
2207                  */
2208
2209                 if ((ace = SMB_MALLOC_P(canon_ace)) == NULL)
2210                         goto fail;
2211
2212                 ZERO_STRUCTP(ace);
2213                 ace->type = tagtype;
2214                 ace->perms = convert_permset_to_mode_t(conn, permset);
2215                 ace->attr = ALLOW_ACE;
2216                 ace->trustee = sid;
2217                 ace->unix_ug = unix_ug;
2218                 ace->owner_type = owner_type;
2219                 ace->inherited = get_inherited_flag(pal, ace, (the_acl_type == SMB_ACL_TYPE_DEFAULT));
2220
2221                 DLIST_ADD(list_head, ace);
2222         }
2223
2224         /*
2225          * This next call will ensure we have at least a user/group/world set.
2226          */
2227
2228         if (!ensure_canon_entry_valid(&list_head, fsp, powner, pgroup, psbuf, False))
2229                 goto fail;
2230
2231         /*
2232          * Now go through the list, masking the permissions with the
2233          * acl_mask. Ensure all DENY Entries are at the start of the list.
2234          */
2235
2236         DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", the_acl_type == SMB_ACL_TYPE_ACCESS ? "Access" : "Default" ));
2237
2238         for ( ace_count = 0, ace = list_head; ace; ace = next_ace, ace_count++) {
2239                 next_ace = ace->next;
2240
2241                 /* Masks are only applied to entries other than USER_OBJ and OTHER. */
2242                 if (ace->type != SMB_ACL_OTHER && ace->type != SMB_ACL_USER_OBJ)
2243                         ace->perms &= acl_mask;
2244
2245                 if (ace->perms == 0) {
2246                         DLIST_PROMOTE(list_head, ace);
2247                 }
2248
2249                 if( DEBUGLVL( 10 ) ) {
2250                         print_canon_ace(ace, ace_count);
2251                 }
2252         }
2253
2254         arrange_posix_perms(fsp->fsp_name,&list_head );
2255
2256         print_canon_ace_list( "canonicalise_acl: ace entries after arrange", list_head );
2257
2258         return list_head;
2259
2260   fail:
2261
2262         free_canon_ace_list(list_head);
2263         return NULL;
2264 }
2265
2266 /****************************************************************************
2267  Check if the current user group list contains a given group.
2268 ****************************************************************************/
2269
2270 static BOOL current_user_in_group(gid_t gid)
2271 {
2272         int i;
2273
2274         for (i = 0; i < current_user.ut.ngroups; i++) {
2275                 if (current_user.ut.groups[i] == gid) {
2276                         return True;
2277                 }
2278         }
2279
2280         return False;
2281 }
2282
2283 /****************************************************************************
2284  Should we override a deny ?  Check deprecated 'acl group control'
2285  and 'dos filemode'
2286 ****************************************************************************/
2287
2288 static BOOL acl_group_override(connection_struct *conn, gid_t prim_gid)
2289 {
2290         if ( (errno == EACCES || errno == EPERM) 
2291                 && (lp_acl_group_control(SNUM(conn)) || lp_dos_filemode(SNUM(conn)))
2292                 && current_user_in_group(prim_gid)) 
2293         {
2294                 return True;
2295         } 
2296
2297         return False;
2298 }
2299
2300 /****************************************************************************
2301  Attempt to apply an ACL to a file or directory.
2302 ****************************************************************************/
2303
2304 static BOOL set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, BOOL default_ace, gid_t prim_gid, BOOL *pacl_set_support)
2305 {
2306         connection_struct *conn = fsp->conn;
2307         BOOL ret = False;
2308         SMB_ACL_T the_acl = SMB_VFS_SYS_ACL_INIT(conn, (int)count_canon_ace_list(the_ace) + 1);
2309         canon_ace *p_ace;
2310         int i;
2311         SMB_ACL_ENTRY_T mask_entry;
2312         BOOL got_mask_entry = False;
2313         SMB_ACL_PERMSET_T mask_permset;
2314         SMB_ACL_TYPE_T the_acl_type = (default_ace ? SMB_ACL_TYPE_DEFAULT : SMB_ACL_TYPE_ACCESS);
2315         BOOL needs_mask = False;
2316         mode_t mask_perms = 0;
2317
2318 #if defined(POSIX_ACL_NEEDS_MASK)
2319         /* HP-UX always wants to have a mask (called "class" there). */
2320         needs_mask = True;
2321 #endif
2322
2323         if (the_acl == NULL) {
2324
2325                 if (!no_acl_syscall_error(errno)) {
2326                         /*
2327                          * Only print this error message if we have some kind of ACL
2328                          * support that's not working. Otherwise we would always get this.
2329                          */
2330                         DEBUG(0,("set_canon_ace_list: Unable to init %s ACL. (%s)\n",
2331                                 default_ace ? "default" : "file", strerror(errno) ));
2332                 }
2333                 *pacl_set_support = False;
2334                 return False;
2335         }
2336
2337         if( DEBUGLVL( 10 )) {
2338                 dbgtext("set_canon_ace_list: setting ACL:\n");
2339                 for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2340                         print_canon_ace( p_ace, i);
2341                 }
2342         }
2343
2344         for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2345                 SMB_ACL_ENTRY_T the_entry;
2346                 SMB_ACL_PERMSET_T the_permset;
2347
2348                 /*
2349                  * ACLs only "need" an ACL_MASK entry if there are any named user or
2350                  * named group entries. But if there is an ACL_MASK entry, it applies
2351                  * to ACL_USER, ACL_GROUP, and ACL_GROUP_OBJ entries. Set the mask
2352                  * so that it doesn't deny (i.e., mask off) any permissions.
2353                  */
2354
2355                 if (p_ace->type == SMB_ACL_USER || p_ace->type == SMB_ACL_GROUP) {
2356                         needs_mask = True;
2357                         mask_perms |= p_ace->perms;
2358                 } else if (p_ace->type == SMB_ACL_GROUP_OBJ) {
2359                         mask_perms |= p_ace->perms;
2360                 }
2361
2362                 /*
2363                  * Get the entry for this ACE.
2364                  */
2365
2366                 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &the_entry) == -1) {
2367                         DEBUG(0,("set_canon_ace_list: Failed to create entry %d. (%s)\n",
2368                                 i, strerror(errno) ));
2369                         goto fail;
2370                 }
2371
2372                 if (p_ace->type == SMB_ACL_MASK) {
2373                         mask_entry = the_entry;
2374                         got_mask_entry = True;
2375                 }
2376
2377                 /*
2378                  * Ok - we now know the ACL calls should be working, don't
2379                  * allow fallback to chmod.
2380                  */
2381
2382                 *pacl_set_support = True;
2383
2384                 /*
2385                  * Initialise the entry from the canon_ace.
2386                  */
2387
2388                 /*
2389                  * First tell the entry what type of ACE this is.
2390                  */
2391
2392                 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, the_entry, p_ace->type) == -1) {
2393                         DEBUG(0,("set_canon_ace_list: Failed to set tag type on entry %d. (%s)\n",
2394                                 i, strerror(errno) ));
2395                         goto fail;
2396                 }
2397
2398                 /*
2399                  * Only set the qualifier (user or group id) if the entry is a user
2400                  * or group id ACE.
2401                  */
2402
2403                 if ((p_ace->type == SMB_ACL_USER) || (p_ace->type == SMB_ACL_GROUP)) {
2404                         if (SMB_VFS_SYS_ACL_SET_QUALIFIER(conn, the_entry,(void *)&p_ace->unix_ug.uid) == -1) {
2405                                 DEBUG(0,("set_canon_ace_list: Failed to set qualifier on entry %d. (%s)\n",
2406                                         i, strerror(errno) ));
2407                                 goto fail;
2408                         }
2409                 }
2410
2411                 /*
2412                  * Convert the mode_t perms in the canon_ace to a POSIX permset.
2413                  */
2414
2415                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, the_entry, &the_permset) == -1) {
2416                         DEBUG(0,("set_canon_ace_list: Failed to get permset on entry %d. (%s)\n",
2417                                 i, strerror(errno) ));
2418                         goto fail;
2419                 }
2420
2421                 if (map_acl_perms_to_permset(conn, p_ace->perms, &the_permset) == -1) {
2422                         DEBUG(0,("set_canon_ace_list: Failed to create permset for mode (%u) on entry %d. (%s)\n",
2423                                 (unsigned int)p_ace->perms, i, strerror(errno) ));
2424                         goto fail;
2425                 }
2426
2427                 /*
2428                  * ..and apply them to the entry.
2429                  */
2430
2431                 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, the_entry, the_permset) == -1) {
2432                         DEBUG(0,("set_canon_ace_list: Failed to add permset on entry %d. (%s)\n",
2433                                 i, strerror(errno) ));
2434                         goto fail;
2435                 }
2436
2437                 if( DEBUGLVL( 10 ))
2438                         print_canon_ace( p_ace, i);
2439
2440         }
2441
2442         if (needs_mask && !got_mask_entry) {
2443                 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &mask_entry) == -1) {
2444                         DEBUG(0,("set_canon_ace_list: Failed to create mask entry. (%s)\n", strerror(errno) ));
2445                         goto fail;
2446                 }
2447
2448                 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, mask_entry, SMB_ACL_MASK) == -1) {
2449                         DEBUG(0,("set_canon_ace_list: Failed to set tag type on mask entry. (%s)\n",strerror(errno) ));
2450                         goto fail;
2451                 }
2452
2453                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, mask_entry, &mask_permset) == -1) {
2454                         DEBUG(0,("set_canon_ace_list: Failed to get mask permset. (%s)\n", strerror(errno) ));
2455                         goto fail;
2456                 }
2457
2458                 if (map_acl_perms_to_permset(conn, S_IRUSR|S_IWUSR|S_IXUSR, &mask_permset) == -1) {
2459                         DEBUG(0,("set_canon_ace_list: Failed to create mask permset. (%s)\n", strerror(errno) ));
2460                         goto fail;
2461                 }
2462
2463                 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, mask_entry, mask_permset) == -1) {
2464                         DEBUG(0,("set_canon_ace_list: Failed to add mask permset. (%s)\n", strerror(errno) ));
2465                         goto fail;
2466                 }
2467         }
2468
2469         /*
2470          * Finally apply it to the file or directory.
2471          */
2472
2473         if(default_ace || fsp->is_directory || fsp->fh->fd == -1) {
2474                 if (SMB_VFS_SYS_ACL_SET_FILE(conn, fsp->fsp_name, the_acl_type, the_acl) == -1) {
2475                         /*
2476                          * Some systems allow all the above calls and only fail with no ACL support
2477                          * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
2478                          */
2479                         if (no_acl_syscall_error(errno)) {
2480                                 *pacl_set_support = False;
2481                         }
2482
2483                         if (acl_group_override(conn, prim_gid)) {
2484                                 int sret;
2485
2486                                 DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
2487                                         fsp->fsp_name ));
2488
2489                                 become_root();
2490                                 sret = SMB_VFS_SYS_ACL_SET_FILE(conn, fsp->fsp_name, the_acl_type, the_acl);
2491                                 unbecome_root();
2492                                 if (sret == 0) {
2493                                         ret = True;     
2494                                 }
2495                         }
2496
2497                         if (ret == False) {
2498                                 DEBUG(2,("set_canon_ace_list: sys_acl_set_file type %s failed for file %s (%s).\n",
2499                                                 the_acl_type == SMB_ACL_TYPE_DEFAULT ? "directory default" : "file",
2500                                                 fsp->fsp_name, strerror(errno) ));
2501                                 goto fail;
2502                         }
2503                 }
2504         } else {
2505                 if (SMB_VFS_SYS_ACL_SET_FD(fsp, fsp->fh->fd, the_acl) == -1) {
2506                         /*
2507                          * Some systems allow all the above calls and only fail with no ACL support
2508                          * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
2509                          */
2510                         if (no_acl_syscall_error(errno)) {
2511                                 *pacl_set_support = False;
2512                         }
2513
2514                         if (acl_group_override(conn, prim_gid)) {
2515                                 int sret;
2516
2517                                 DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
2518                                         fsp->fsp_name ));
2519
2520                                 become_root();
2521                                 sret = SMB_VFS_SYS_ACL_SET_FD(fsp, fsp->fh->fd, the_acl);
2522                                 unbecome_root();
2523                                 if (sret == 0) {
2524                                         ret = True;
2525                                 }
2526                         }
2527
2528                         if (ret == False) {
2529                                 DEBUG(2,("set_canon_ace_list: sys_acl_set_file failed for file %s (%s).\n",
2530                                                 fsp->fsp_name, strerror(errno) ));
2531                                 goto fail;
2532                         }
2533                 }
2534         }
2535
2536         ret = True;
2537
2538   fail:
2539
2540         if (the_acl != NULL) {
2541                 SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
2542         }
2543
2544         return ret;
2545 }
2546
2547 /****************************************************************************
2548  Find a particular canon_ace entry.
2549 ****************************************************************************/
2550
2551 static struct canon_ace *canon_ace_entry_for(struct canon_ace *list, SMB_ACL_TAG_T type, posix_id *id)
2552 {
2553         while (list) {
2554                 if (list->type == type && ((type != SMB_ACL_USER && type != SMB_ACL_GROUP) ||
2555                                 (type == SMB_ACL_USER  && id && id->uid == list->unix_ug.uid) ||
2556                                 (type == SMB_ACL_GROUP && id && id->gid == list->unix_ug.gid)))
2557                         break;
2558                 list = list->next;
2559         }
2560         return list;
2561 }
2562
2563 /****************************************************************************
2564  
2565 ****************************************************************************/
2566
2567 SMB_ACL_T free_empty_sys_acl(connection_struct *conn, SMB_ACL_T the_acl)
2568 {
2569         SMB_ACL_ENTRY_T entry;
2570
2571         if (!the_acl)
2572                 return NULL;
2573         if (SMB_VFS_SYS_ACL_GET_ENTRY(conn, the_acl, SMB_ACL_FIRST_ENTRY, &entry) != 1) {
2574                 SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
2575                 return NULL;
2576         }
2577         return the_acl;
2578 }
2579
2580 /****************************************************************************
2581  Convert a canon_ace to a generic 3 element permission - if possible.
2582 ****************************************************************************/
2583
2584 #define MAP_PERM(p,mask,result) (((p) & (mask)) ? (result) : 0 )
2585
2586 static BOOL convert_canon_ace_to_posix_perms( files_struct *fsp, canon_ace *file_ace_list, mode_t *posix_perms)
2587 {
2588         int snum = SNUM(fsp->conn);
2589         size_t ace_count = count_canon_ace_list(file_ace_list);
2590         canon_ace *ace_p;
2591         canon_ace *owner_ace = NULL;
2592         canon_ace *group_ace = NULL;
2593         canon_ace *other_ace = NULL;
2594         mode_t and_bits;
2595         mode_t or_bits;
2596
2597         if (ace_count != 3) {
2598                 DEBUG(3,("convert_canon_ace_to_posix_perms: Too many ACE entries for file %s to convert to \
2599 posix perms.\n", fsp->fsp_name ));
2600                 return False;
2601         }
2602
2603         for (ace_p = file_ace_list; ace_p; ace_p = ace_p->next) {
2604                 if (ace_p->owner_type == UID_ACE)
2605                         owner_ace = ace_p;
2606                 else if (ace_p->owner_type == GID_ACE)
2607                         group_ace = ace_p;
2608                 else if (ace_p->owner_type == WORLD_ACE)
2609                         other_ace = ace_p;
2610         }
2611
2612         if (!owner_ace || !group_ace || !other_ace) {
2613                 DEBUG(3,("convert_canon_ace_to_posix_perms: Can't get standard entries for file %s.\n",
2614                                 fsp->fsp_name ));
2615                 return False;
2616         }
2617
2618         *posix_perms = (mode_t)0;
2619
2620         *posix_perms |= owner_ace->perms;
2621         *posix_perms |= MAP_PERM(group_ace->perms, S_IRUSR, S_IRGRP);
2622         *posix_perms |= MAP_PERM(group_ace->perms, S_IWUSR, S_IWGRP);
2623         *posix_perms |= MAP_PERM(group_ace->perms, S_IXUSR, S_IXGRP);
2624         *posix_perms |= MAP_PERM(other_ace->perms, S_IRUSR, S_IROTH);
2625         *posix_perms |= MAP_PERM(other_ace->perms, S_IWUSR, S_IWOTH);
2626         *posix_perms |= MAP_PERM(other_ace->perms, S_IXUSR, S_IXOTH);
2627
2628         /* The owner must have at least read access. */
2629
2630         *posix_perms |= S_IRUSR;
2631         if (fsp->is_directory)
2632                 *posix_perms |= (S_IWUSR|S_IXUSR);
2633
2634         /* If requested apply the masks. */
2635
2636         /* Get the initial bits to apply. */
2637
2638         if (fsp->is_directory) {
2639                 and_bits = lp_dir_security_mask(snum);
2640                 or_bits = lp_force_dir_security_mode(snum);
2641         } else {
2642                 and_bits = lp_security_mask(snum);
2643                 or_bits = lp_force_security_mode(snum);
2644         }
2645
2646         *posix_perms = (((*posix_perms) & and_bits)|or_bits);
2647
2648         DEBUG(10,("convert_canon_ace_to_posix_perms: converted u=%o,g=%o,w=%o to perm=0%o for file %s.\n",
2649                 (int)owner_ace->perms, (int)group_ace->perms, (int)other_ace->perms, (int)*posix_perms,
2650                 fsp->fsp_name ));
2651
2652         return True;
2653 }
2654
2655 /****************************************************************************
2656   Incoming NT ACLs on a directory can be split into a default POSIX acl (CI|OI|IO) and
2657   a normal POSIX acl. Win2k needs these split acls re-merging into one ACL
2658   with CI|OI set so it is inherited and also applies to the directory.
2659   Based on code from "Jim McDonough" <jmcd@us.ibm.com>.
2660 ****************************************************************************/
2661
2662 static size_t merge_default_aces( SEC_ACE *nt_ace_list, size_t num_aces)
2663 {
2664         size_t i, j;
2665
2666         for (i = 0; i < num_aces; i++) {
2667                 for (j = i+1; j < num_aces; j++) {
2668                         uint32 i_flags_ni = (nt_ace_list[i].flags & ~SEC_ACE_FLAG_INHERITED_ACE);
2669                         uint32 j_flags_ni = (nt_ace_list[j].flags & ~SEC_ACE_FLAG_INHERITED_ACE);
2670                         BOOL i_inh = (nt_ace_list[i].flags & SEC_ACE_FLAG_INHERITED_ACE) ? True : False;
2671                         BOOL j_inh = (nt_ace_list[j].flags & SEC_ACE_FLAG_INHERITED_ACE) ? True : False;
2672
2673                         /* We know the lower number ACE's are file entries. */
2674                         if ((nt_ace_list[i].type == nt_ace_list[j].type) &&
2675                                 (nt_ace_list[i].size == nt_ace_list[j].size) &&
2676                                 (nt_ace_list[i].access_mask == nt_ace_list[j].access_mask) &&
2677                                 sid_equal(&nt_ace_list[i].trustee, &nt_ace_list[j].trustee) &&
2678                                 (i_inh == j_inh) &&
2679                                 (i_flags_ni == 0) &&
2680                                 (j_flags_ni == (SEC_ACE_FLAG_OBJECT_INHERIT|
2681                                                   SEC_ACE_FLAG_CONTAINER_INHERIT|
2682                                                   SEC_ACE_FLAG_INHERIT_ONLY))) {
2683                                 /*
2684                                  * W2K wants to have access allowed zero access ACE's
2685                                  * at the end of the list. If the mask is zero, merge
2686                                  * the non-inherited ACE onto the inherited ACE.
2687                                  */
2688
2689                                 if (nt_ace_list[i].access_mask == 0) {
2690                                         nt_ace_list[j].flags = SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
2691                                                                 (i_inh ? SEC_ACE_FLAG_INHERITED_ACE : 0);
2692                                         if (num_aces - i - 1 > 0)
2693                                                 memmove(&nt_ace_list[i], &nt_ace_list[i+1], (num_aces-i-1) *
2694                                                                 sizeof(SEC_ACE));
2695
2696                                         DEBUG(10,("merge_default_aces: Merging zero access ACE %u onto ACE %u.\n",
2697                                                 (unsigned int)i, (unsigned int)j ));
2698                                 } else {
2699                                         /*
2700                                          * These are identical except for the flags.
2701                                          * Merge the inherited ACE onto the non-inherited ACE.
2702                                          */
2703
2704                                         nt_ace_list[i].flags = SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
2705                                                                 (i_inh ? SEC_ACE_FLAG_INHERITED_ACE : 0);
2706                                         if (num_aces - j - 1 > 0)
2707                                                 memmove(&nt_ace_list[j], &nt_ace_list[j+1], (num_aces-j-1) *
2708                                                                 sizeof(SEC_ACE));
2709
2710                                         DEBUG(10,("merge_default_aces: Merging ACE %u onto ACE %u.\n",
2711                                                 (unsigned int)j, (unsigned int)i ));
2712                                 }
2713                                 num_aces--;
2714                                 break;
2715                         }
2716                 }
2717         }
2718
2719         return num_aces;
2720 }
2721 /****************************************************************************
2722  Reply to query a security descriptor from an fsp. If it succeeds it allocates
2723  the space for the return elements and returns the size needed to return the
2724  security descriptor. This should be the only external function needed for
2725  the UNIX style get ACL.
2726 ****************************************************************************/
2727
2728 size_t get_nt_acl(files_struct *fsp, uint32 security_info, SEC_DESC **ppdesc)
2729 {
2730         connection_struct *conn = fsp->conn;
2731         SMB_STRUCT_STAT sbuf;
2732         SEC_ACE *nt_ace_list = NULL;
2733         DOM_SID owner_sid;
2734         DOM_SID group_sid;
2735         size_t sd_size = 0;
2736         SEC_ACL *psa = NULL;
2737         size_t num_acls = 0;
2738         size_t num_def_acls = 0;
2739         size_t num_aces = 0;
2740         SMB_ACL_T posix_acl = NULL;
2741         SMB_ACL_T def_acl = NULL;
2742         canon_ace *file_ace = NULL;
2743         canon_ace *dir_ace = NULL;
2744         size_t num_profile_acls = 0;
2745         struct pai_val *pal = NULL;
2746         SEC_DESC *psd = NULL;
2747
2748         *ppdesc = NULL;
2749
2750         DEBUG(10,("get_nt_acl: called for file %s\n", fsp->fsp_name ));
2751
2752         if(fsp->is_directory || fsp->fh->fd == -1) {
2753
2754                 /* Get the stat struct for the owner info. */
2755                 if(SMB_VFS_STAT(fsp->conn,fsp->fsp_name, &sbuf) != 0) {
2756                         return 0;
2757                 }
2758                 /*
2759                  * Get the ACL from the path.
2760                  */
2761
2762                 posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, fsp->fsp_name, SMB_ACL_TYPE_ACCESS);
2763
2764                 /*
2765                  * If it's a directory get the default POSIX ACL.
2766                  */
2767
2768                 if(fsp->is_directory) {
2769                         def_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, fsp->fsp_name, SMB_ACL_TYPE_DEFAULT);
2770                         def_acl = free_empty_sys_acl(conn, def_acl);
2771                 }
2772
2773         } else {
2774
2775                 /* Get the stat struct for the owner info. */
2776                 if(SMB_VFS_FSTAT(fsp,fsp->fh->fd,&sbuf) != 0) {
2777                         return 0;
2778                 }
2779                 /*
2780                  * Get the ACL from the fd.
2781                  */
2782                 posix_acl = SMB_VFS_SYS_ACL_GET_FD(fsp, fsp->fh->fd);
2783         }
2784
2785         DEBUG(5,("get_nt_acl : file ACL %s, directory ACL %s\n",
2786                         posix_acl ? "present" :  "absent",
2787                         def_acl ? "present" :  "absent" ));
2788
2789         pal = load_inherited_info(fsp);
2790
2791         /*
2792          * Get the owner, group and world SIDs.
2793          */
2794
2795         if (lp_profile_acls(SNUM(conn))) {
2796                 /* For WXP SP1 the owner must be administrators. */
2797                 sid_copy(&owner_sid, &global_sid_Builtin_Administrators);
2798                 sid_copy(&group_sid, &global_sid_Builtin_Users);
2799                 num_profile_acls = 2;
2800         } else {
2801                 create_file_sids(&sbuf, &owner_sid, &group_sid);
2802         }
2803
2804         if ((security_info & DACL_SECURITY_INFORMATION) && !(security_info & PROTECTED_DACL_SECURITY_INFORMATION)) {
2805
2806                 /*
2807                  * In the optimum case Creator Owner and Creator Group would be used for
2808                  * the ACL_USER_OBJ and ACL_GROUP_OBJ entries, respectively, but this
2809                  * would lead to usability problems under Windows: The Creator entries
2810                  * are only available in browse lists of directories and not for files;
2811                  * additionally the identity of the owning group couldn't be determined.
2812                  * We therefore use those identities only for Default ACLs. 
2813                  */
2814
2815                 /* Create the canon_ace lists. */
2816                 file_ace = canonicalise_acl( fsp, posix_acl, &sbuf, &owner_sid, &group_sid, pal, SMB_ACL_TYPE_ACCESS );
2817
2818                 /* We must have *some* ACLS. */
2819         
2820                 if (count_canon_ace_list(file_ace) == 0) {
2821                         DEBUG(0,("get_nt_acl : No ACLs on file (%s) !\n", fsp->fsp_name ));
2822                         goto done;
2823                 }
2824
2825                 if (fsp->is_directory && def_acl) {
2826                         dir_ace = canonicalise_acl(fsp, def_acl, &sbuf,
2827                                         &global_sid_Creator_Owner,
2828                                         &global_sid_Creator_Group, pal, SMB_ACL_TYPE_DEFAULT );
2829                 }
2830
2831                 /*
2832                  * Create the NT ACE list from the canonical ace lists.
2833                  */
2834
2835                 {
2836                         canon_ace *ace;
2837                         int nt_acl_type;
2838                         int i;
2839
2840                         if (nt4_compatible_acls() && dir_ace) {
2841                                 /*
2842                                  * NT 4 chokes if an ACL contains an INHERIT_ONLY entry
2843                                  * but no non-INHERIT_ONLY entry for one SID. So we only
2844                                  * remove entries from the Access ACL if the
2845                                  * corresponding Default ACL entries have also been
2846                                  * removed. ACEs for CREATOR-OWNER and CREATOR-GROUP
2847                                  * are exceptions. We can do nothing
2848                                  * intelligent if the Default ACL contains entries that
2849                                  * are not also contained in the Access ACL, so this
2850                                  * case will still fail under NT 4.
2851                                  */
2852
2853                                 ace = canon_ace_entry_for(dir_ace, SMB_ACL_OTHER, NULL);
2854                                 if (ace && !ace->perms) {
2855                                         DLIST_REMOVE(dir_ace, ace);
2856                                         SAFE_FREE(ace);
2857
2858                                         ace = canon_ace_entry_for(file_ace, SMB_ACL_OTHER, NULL);
2859                                         if (ace && !ace->perms) {
2860                                                 DLIST_REMOVE(file_ace, ace);
2861                                                 SAFE_FREE(ace);
2862                                         }
2863                                 }
2864
2865                                 /*
2866                                  * WinNT doesn't usually have Creator Group
2867                                  * in browse lists, so we send this entry to
2868                                  * WinNT even if it contains no relevant
2869                                  * permissions. Once we can add
2870                                  * Creator Group to browse lists we can
2871                                  * re-enable this.
2872                                  */
2873
2874 #if 0
2875                                 ace = canon_ace_entry_for(dir_ace, SMB_ACL_GROUP_OBJ, NULL);
2876                                 if (ace && !ace->perms) {
2877                                         DLIST_REMOVE(dir_ace, ace);
2878                                         SAFE_FREE(ace);
2879                                 }
2880 #endif
2881
2882                                 ace = canon_ace_entry_for(file_ace, SMB_ACL_GROUP_OBJ, NULL);
2883                                 if (ace && !ace->perms) {
2884                                         DLIST_REMOVE(file_ace, ace);
2885                                         SAFE_FREE(ace);
2886                                 }
2887                         }
2888
2889                         num_acls = count_canon_ace_list(file_ace);
2890                         num_def_acls = count_canon_ace_list(dir_ace);
2891
2892                         /* Allocate the ace list. */
2893                         if ((nt_ace_list = SMB_MALLOC_ARRAY(SEC_ACE,num_acls + num_profile_acls + num_def_acls)) == NULL) {
2894                                 DEBUG(0,("get_nt_acl: Unable to malloc space for nt_ace_list.\n"));
2895                                 goto done;
2896                         }
2897
2898                         memset(nt_ace_list, '\0', (num_acls + num_def_acls) * sizeof(SEC_ACE) );
2899
2900                         /*
2901                          * Create the NT ACE list from the canonical ace lists.
2902                          */
2903
2904                         ace = file_ace;
2905
2906                         for (i = 0; i < num_acls; i++, ace = ace->next) {
2907                                 SEC_ACCESS acc;
2908
2909                                 acc = map_canon_ace_perms(SNUM(conn),
2910                                                 &nt_acl_type,
2911                                                 ace->perms,
2912                                                 fsp->is_directory);
2913                                 init_sec_ace(&nt_ace_list[num_aces++],
2914                                         &ace->trustee,
2915                                         nt_acl_type,
2916                                         acc,
2917                                         ace->inherited ?
2918                                                 SEC_ACE_FLAG_INHERITED_ACE : 0);
2919                         }
2920
2921                         /* The User must have access to a profile share - even
2922                          * if we can't map the SID. */
2923                         if (lp_profile_acls(SNUM(conn))) {
2924                                 SEC_ACCESS acc;
2925
2926                                 init_sec_access(&acc,FILE_GENERIC_ALL);
2927                                 init_sec_ace(&nt_ace_list[num_aces++],
2928                                                 &global_sid_Builtin_Users,
2929                                                 SEC_ACE_TYPE_ACCESS_ALLOWED,
2930                                                 acc, 0);
2931                         }
2932
2933                         ace = dir_ace;
2934
2935                         for (i = 0; i < num_def_acls; i++, ace = ace->next) {
2936                                 SEC_ACCESS acc;
2937
2938                                 acc = map_canon_ace_perms(SNUM(conn),
2939                                                 &nt_acl_type,
2940                                                 ace->perms,
2941                                                 fsp->is_directory);
2942                                 init_sec_ace(&nt_ace_list[num_aces++],
2943                                         &ace->trustee,
2944                                         nt_acl_type,
2945                                         acc,
2946                                         SEC_ACE_FLAG_OBJECT_INHERIT|
2947                                         SEC_ACE_FLAG_CONTAINER_INHERIT|
2948                                         SEC_ACE_FLAG_INHERIT_ONLY|
2949                                         (ace->inherited ?
2950                                            SEC_ACE_FLAG_INHERITED_ACE : 0));
2951                         }
2952
2953                         /* The User must have access to a profile share - even
2954                          * if we can't map the SID. */
2955                         if (lp_profile_acls(SNUM(conn))) {
2956                                 SEC_ACCESS acc;
2957
2958                                 init_sec_access(&acc,FILE_GENERIC_ALL);
2959                                 init_sec_ace(&nt_ace_list[num_aces++], &global_sid_Builtin_Users, SEC_ACE_TYPE_ACCESS_ALLOWED, acc,
2960                                                 SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
2961                                                 SEC_ACE_FLAG_INHERIT_ONLY|0);
2962                         }
2963
2964                         /*
2965                          * Merge POSIX default ACLs and normal ACLs into one NT ACE.
2966                          * Win2K needs this to get the inheritance correct when replacing ACLs
2967                          * on a directory tree. Based on work by Jim @ IBM.
2968                          */
2969
2970                         num_aces = merge_default_aces(nt_ace_list, num_aces);
2971
2972                 }
2973
2974                 if (num_aces) {
2975                         if((psa = make_sec_acl( main_loop_talloc_get(), NT4_ACL_REVISION, num_aces, nt_ace_list)) == NULL) {
2976                                 DEBUG(0,("get_nt_acl: Unable to malloc space for acl.\n"));
2977                                 goto done;
2978                         }
2979                 }
2980         } /* security_info & DACL_SECURITY_INFORMATION */
2981
2982         psd = make_standard_sec_desc( main_loop_talloc_get(),
2983                         (security_info & OWNER_SECURITY_INFORMATION) ? &owner_sid : NULL,
2984                         (security_info & GROUP_SECURITY_INFORMATION) ? &group_sid : NULL,
2985                         psa,
2986                         &sd_size);
2987
2988         if(!psd) {
2989                 DEBUG(0,("get_nt_acl: Unable to malloc space for security descriptor.\n"));
2990                 sd_size = 0;
2991                 goto done;
2992         }
2993
2994         /*
2995          * Windows 2000: The DACL_PROTECTED flag in the security
2996          * descriptor marks the ACL as non-inheriting, i.e., no
2997          * ACEs from higher level directories propagate to this
2998          * ACL. In the POSIX ACL model permissions are only
2999          * inherited at file create time, so ACLs never contain
3000          * any ACEs that are inherited dynamically. The DACL_PROTECTED
3001          * flag doesn't seem to bother Windows NT.
3002          * Always set this if map acl inherit is turned off.
3003          */
3004         if (get_protected_flag(pal) || !lp_map_acl_inherit(SNUM(conn))) {
3005                 psd->type |= SE_DESC_DACL_PROTECTED;
3006         }
3007
3008         if (psd->dacl) {
3009                 dacl_sort_into_canonical_order(psd->dacl->aces, (unsigned int)psd->dacl->num_aces);
3010         }
3011
3012         *ppdesc = psd;
3013
3014  done:
3015
3016         if (posix_acl) {
3017                 SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
3018         }
3019         if (def_acl) {
3020                 SMB_VFS_SYS_ACL_FREE_ACL(conn, def_acl);
3021         }
3022         free_canon_ace_list(file_ace);
3023         free_canon_ace_list(dir_ace);
3024         free_inherited_info(pal);
3025         SAFE_FREE(nt_ace_list);
3026
3027         return sd_size;
3028 }
3029
3030 /****************************************************************************
3031  Try to chown a file. We will be able to chown it under the following conditions.
3032
3033   1) If we have root privileges, then it will just work.
3034   2) If we have SeTakeOwnershipPrivilege we can change the user to the current user.
3035   3) If we have SeRestorePrivilege we can change the user to any other user. 
3036   4) If we have write permission to the file and dos_filemodes is set
3037      then allow chown to the currently authenticated user.
3038 ****************************************************************************/
3039
3040 int try_chown(connection_struct *conn, const char *fname, uid_t uid, gid_t gid)
3041 {
3042         int ret;
3043         files_struct *fsp;
3044         SMB_STRUCT_STAT st;
3045
3046         if(!CAN_WRITE(conn)) {
3047                 return -1;
3048         }
3049
3050         /* Case (1). */
3051         /* try the direct way first */
3052         ret = SMB_VFS_CHOWN(conn, fname, uid, gid);
3053         if (ret == 0)
3054                 return 0;
3055
3056         /* Case (2) / (3) */
3057         if (lp_enable_privileges()) {
3058
3059                 BOOL has_take_ownership_priv = user_has_privileges(current_user.nt_user_token,
3060                                                               &se_take_ownership);
3061                 BOOL has_restore_priv = user_has_privileges(current_user.nt_user_token,
3062                                                        &se_restore);
3063
3064                 /* Case (2) */
3065                 if ( ( has_take_ownership_priv && ( uid == current_user.ut.uid ) ) ||
3066                 /* Case (3) */
3067                      ( has_restore_priv ) ) {
3068
3069                         become_root();
3070                         /* Keep the current file gid the same - take ownership doesn't imply group change. */
3071                         ret = SMB_VFS_CHOWN(conn, fname, uid, (gid_t)-1);
3072                         unbecome_root();
3073                         return ret;
3074                 }
3075         }
3076
3077         /* Case (4). */
3078         if (!lp_dos_filemode(SNUM(conn))) {
3079                 errno = EPERM;
3080                 return -1;
3081         }
3082
3083         if (SMB_VFS_STAT(conn,fname,&st)) {
3084                 return -1;
3085         }
3086
3087         if (!NT_STATUS_IS_OK(open_file_fchmod(conn,fname,&st,&fsp))) {
3088                 return -1;
3089         }
3090
3091         /* only allow chown to the current user. This is more secure,
3092            and also copes with the case where the SID in a take ownership ACL is
3093            a local SID on the users workstation 
3094         */
3095         uid = current_user.ut.uid;
3096
3097         become_root();
3098         /* Keep the current file gid the same. */
3099         ret = SMB_VFS_FCHOWN(fsp, fsp->fh->fd, uid, (gid_t)-1);
3100         unbecome_root();
3101
3102         close_file_fchmod(fsp);
3103
3104         return ret;
3105 }
3106
3107 static NTSTATUS append_ugw_ace(files_struct *fsp,
3108                         SMB_STRUCT_STAT *psbuf,
3109                         mode_t unx_mode,
3110                         int ugw,
3111                         SEC_ACE *se)
3112 {
3113         mode_t perms;
3114         SEC_ACCESS acc;
3115         int acl_type;
3116         DOM_SID trustee;
3117
3118         switch (ugw) {
3119                 case S_IRUSR:
3120                         perms = unix_perms_to_acl_perms(unx_mode,
3121                                                         S_IRUSR,
3122                                                         S_IWUSR,
3123                                                         S_IXUSR);
3124                         uid_to_sid(&trustee, psbuf->st_uid );
3125                         break;
3126                 case S_IRGRP:
3127                         perms = unix_perms_to_acl_perms(unx_mode,
3128                                                         S_IRGRP,
3129                                                         S_IWGRP,
3130                                                         S_IXGRP);
3131                         gid_to_sid(&trustee, psbuf->st_gid );
3132                         break;
3133                 case S_IROTH:
3134                         perms = unix_perms_to_acl_perms(unx_mode,
3135                                                         S_IROTH,
3136                                                         S_IWOTH,
3137                                                         S_IXOTH);
3138                         sid_copy(&trustee, &global_sid_World);
3139                         break;
3140                 default:
3141                         return NT_STATUS_INVALID_PARAMETER;
3142         }
3143         acc = map_canon_ace_perms(SNUM(fsp->conn),
3144                                 &acl_type,
3145                                 perms,
3146                                 fsp->is_directory);
3147
3148         init_sec_ace(se,
3149                 &trustee,
3150                 acl_type,
3151                 acc,
3152                 0);
3153         return NT_STATUS_OK;
3154 }
3155
3156 /****************************************************************************
3157  If this is an
3158 ****************************************************************************/
3159
3160 static NTSTATUS append_parent_acl(files_struct *fsp,
3161                                 SMB_STRUCT_STAT *psbuf,
3162                                 SEC_DESC *psd,
3163                                 SEC_DESC **pp_new_sd)
3164 {
3165         SEC_DESC *parent_sd = NULL;
3166         files_struct *parent_fsp = NULL;
3167         TALLOC_CTX *mem_ctx = talloc_parent(psd);
3168         char *parent_name = NULL;
3169         SEC_ACE *new_ace = NULL;
3170         unsigned int num_aces = psd->dacl->num_aces;
3171         SMB_STRUCT_STAT sbuf;
3172         NTSTATUS status;
3173         int info;
3174         size_t sd_size;
3175         unsigned int i, j;
3176         mode_t unx_mode;
3177
3178         ZERO_STRUCT(sbuf);
3179
3180         if (mem_ctx == NULL) {
3181                 return NT_STATUS_NO_MEMORY;
3182         }
3183
3184         if (!parent_dirname_talloc(mem_ctx,
3185                                 fsp->fsp_name,
3186                                 &parent_name,
3187                                 NULL)) {
3188                 return NT_STATUS_NO_MEMORY;
3189         }
3190
3191         /* Create a default mode for u/g/w. */
3192         unx_mode = unix_mode(fsp->conn,
3193                         aARCH | (fsp->is_directory ? aDIR : 0),
3194                         fsp->fsp_name,
3195                         parent_name);
3196
3197         status = open_directory(fsp->conn,
3198                                 parent_name,
3199                                 &sbuf,
3200                                 FILE_READ_ATTRIBUTES, /* Just a stat open */
3201                                 FILE_SHARE_NONE, /* Ignored for stat opens */
3202                                 FILE_OPEN,
3203                                 0,
3204                                 0,
3205                                 &info,
3206                                 &parent_fsp);
3207
3208         if (!NT_STATUS_IS_OK(status)) {
3209                 return status;
3210         }
3211
3212         sd_size = SMB_VFS_GET_NT_ACL(parent_fsp, parent_fsp->fsp_name,
3213                         DACL_SECURITY_INFORMATION, &parent_sd );
3214
3215         close_file(parent_fsp, NORMAL_CLOSE);
3216
3217         if (!sd_size) {
3218                 return NT_STATUS_ACCESS_DENIED;
3219         }
3220
3221         /*
3222          * Make room for potentially all the ACLs from
3223          * the parent, plus the user/group/other triple.
3224          */
3225
3226         num_aces += parent_sd->dacl->num_aces + 3;
3227
3228         if((new_ace = TALLOC_ZERO_ARRAY(mem_ctx, SEC_ACE,
3229                                         num_aces)) == NULL) {
3230                 return NT_STATUS_NO_MEMORY;
3231         }
3232
3233         DEBUG(10,("append_parent_acl: parent ACL has %u entries. New "
3234                 "ACL has %u entries\n",
3235                 parent_sd->dacl->num_aces, num_aces ));
3236
3237         /* Start by copying in all the given ACE entries. */
3238         for (i = 0; i < psd->dacl->num_aces; i++) {
3239                 sec_ace_copy(&new_ace[i], &psd->dacl->aces[i]);
3240         }
3241
3242         /*
3243          * Note that we're ignoring "inherit permissions" here
3244          * as that really only applies to newly created files. JRA.
3245          */
3246
3247          /*
3248           * Append u/g/w.
3249           */
3250
3251         status = append_ugw_ace(fsp, psbuf, unx_mode, S_IRUSR, &new_ace[i++]);
3252         if (!NT_STATUS_IS_OK(status)) {
3253                 return status;
3254         }
3255         status = append_ugw_ace(fsp, psbuf, unx_mode, S_IRGRP, &new_ace[i++]);
3256         if (!NT_STATUS_IS_OK(status)) {
3257                 return status;
3258         }
3259         status = append_ugw_ace(fsp, psbuf, unx_mode, S_IROTH, &new_ace[i++]);
3260         if (!NT_STATUS_IS_OK(status)) {
3261                 return status;
3262         }
3263
3264         /* Finally append any inherited ACEs. */
3265         for (j = 0; j < parent_sd->dacl->num_aces; j++) {
3266                 SEC_ACE *se = &parent_sd->dacl->aces[i];
3267                 uint32 i_flags = se->flags & (SEC_ACE_FLAG_OBJECT_INHERIT|
3268                                         SEC_ACE_FLAG_CONTAINER_INHERIT|
3269                                         SEC_ACE_FLAG_INHERIT_ONLY);
3270
3271                 if (fsp->is_directory) {
3272                         if (i_flags == SEC_ACE_FLAG_OBJECT_INHERIT) {
3273                                 /* Should only apply to a file - ignore. */
3274                                 continue;
3275                         }
3276                 } else {
3277                         if ((i_flags & (SEC_ACE_FLAG_OBJECT_INHERIT|
3278                                         SEC_ACE_FLAG_INHERIT_ONLY)) !=
3279                                         SEC_ACE_FLAG_OBJECT_INHERIT) {
3280                                 /* Should not apply to a file - ignore. */
3281                                 continue;
3282                         }
3283                 }
3284                 sec_ace_copy(&new_ace[i], se);
3285                 if (se->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
3286                         new_ace[i].flags &= ~(SEC_ACE_FLAG_VALID_INHERIT);
3287                 }
3288                 new_ace[i].flags |= SEC_ACE_FLAG_INHERITED_ACE;
3289                 i++;
3290         }
3291
3292         parent_sd->dacl->aces = new_ace;
3293         parent_sd->dacl->num_aces = i;
3294
3295         *pp_new_sd = parent_sd;
3296         return status;
3297 }
3298
3299 /****************************************************************************
3300  Reply to set a security descriptor on an fsp. security_info_sent is the
3301  description of the following NT ACL.
3302  This should be the only external function needed for the UNIX style set ACL.
3303 ****************************************************************************/
3304
3305 NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
3306 {
3307         connection_struct *conn = fsp->conn;
3308         uid_t user = (uid_t)-1;
3309         gid_t grp = (gid_t)-1;
3310         SMB_STRUCT_STAT sbuf;
3311         DOM_SID file_owner_sid;
3312         DOM_SID file_grp_sid;
3313         canon_ace *file_ace_list = NULL;
3314         canon_ace *dir_ace_list = NULL;
3315         BOOL acl_perms = False;
3316         mode_t orig_mode = (mode_t)0;
3317         NTSTATUS status;
3318
3319         DEBUG(10,("set_nt_acl: called for file %s\n", fsp->fsp_name ));
3320
3321         if (!CAN_WRITE(conn)) {
3322                 DEBUG(10,("set acl rejected on read-only share\n"));
3323                 return NT_STATUS_MEDIA_WRITE_PROTECTED;
3324         }
3325
3326         /*
3327          * Get the current state of the file.
3328          */
3329
3330         if(fsp->is_directory || fsp->fh->fd == -1) {
3331                 if(SMB_VFS_STAT(fsp->conn,fsp->fsp_name, &sbuf) != 0)
3332                         return map_nt_error_from_unix(errno);
3333         } else {
3334                 if(SMB_VFS_FSTAT(fsp,fsp->fh->fd,&sbuf) != 0)
3335                         return map_nt_error_from_unix(errno);
3336         }
3337
3338         /* Save the original elements we check against. */
3339         orig_mode = sbuf.st_mode;
3340
3341         /*
3342          * Unpack the user/group/world id's.
3343          */
3344
3345         status = unpack_nt_owners( SNUM(conn), &user, &grp, security_info_sent, psd);
3346         if (!NT_STATUS_IS_OK(status)) {
3347                 return status;
3348         }
3349
3350         /*
3351          * Do we need to chown ?
3352          */
3353
3354         if (((user != (uid_t)-1) && (sbuf.st_uid != user)) || (( grp != (gid_t)-1) && (sbuf.st_gid != grp))) {
3355
3356                 DEBUG(3,("set_nt_acl: chown %s. uid = %u, gid = %u.\n",
3357                                 fsp->fsp_name, (unsigned int)user, (unsigned int)grp ));
3358
3359                 if(try_chown( fsp->conn, fsp->fsp_name, user, grp) == -1) {
3360                         DEBUG(3,("set_nt_acl: chown %s, %u, %u failed. Error = %s.\n",
3361                                 fsp->fsp_name, (unsigned int)user, (unsigned int)grp, strerror(errno) ));
3362                         if (errno == EPERM) {
3363                                 return NT_STATUS_INVALID_OWNER;
3364                         }
3365                         return map_nt_error_from_unix(errno);
3366                 }
3367
3368                 /*
3369                  * Recheck the current state of the file, which may have changed.
3370                  * (suid/sgid bits, for instance)
3371                  */
3372
3373                 if(fsp->is_directory) {
3374                         if(SMB_VFS_STAT(fsp->conn, fsp->fsp_name, &sbuf) != 0) {
3375                                 return map_nt_error_from_unix(errno);
3376                         }
3377                 } else {
3378
3379                         int ret;
3380
3381                         if(fsp->fh->fd == -1)
3382                                 ret = SMB_VFS_STAT(fsp->conn, fsp->fsp_name, &sbuf);
3383                         else
3384                                 ret = SMB_VFS_FSTAT(fsp,fsp->fh->fd,&sbuf);
3385
3386                         if(ret != 0)
3387                                 return map_nt_error_from_unix(errno);
3388                 }
3389
3390                 /* Save the original elements we check against. */
3391                 orig_mode = sbuf.st_mode;
3392         }
3393
3394         create_file_sids(&sbuf, &file_owner_sid, &file_grp_sid);
3395
3396         if ((security_info_sent & DACL_SECURITY_INFORMATION) &&
3397                 psd->dacl != NULL &&
3398                 (psd->type & (SE_DESC_DACL_AUTO_INHERITED|
3399                               SE_DESC_DACL_AUTO_INHERIT_REQ))==
3400                         (SE_DESC_DACL_AUTO_INHERITED|
3401                          SE_DESC_DACL_AUTO_INHERIT_REQ) ) {
3402                 status = append_parent_acl(fsp, &sbuf, psd, &psd);
3403                 if (!NT_STATUS_IS_OK(status)) {
3404                         return status;
3405                 }
3406         }
3407
3408         acl_perms = unpack_canon_ace( fsp, &sbuf, &file_owner_sid, &file_grp_sid,
3409                                         &file_ace_list, &dir_ace_list, security_info_sent, psd);
3410
3411         /* Ignore W2K traverse DACL set. */
3412         if (file_ace_list || dir_ace_list) {
3413
3414                 if (!acl_perms) {
3415                         DEBUG(3,("set_nt_acl: cannot set permissions\n"));
3416                         free_canon_ace_list(file_ace_list);
3417                         free_canon_ace_list(dir_ace_list); 
3418                         return NT_STATUS_ACCESS_DENIED;
3419                 }
3420
3421                 /*
3422                  * Only change security if we got a DACL.
3423                  */
3424
3425                 if((security_info_sent & DACL_SECURITY_INFORMATION) && (psd->dacl != NULL)) {
3426
3427                         BOOL acl_set_support = False;
3428                         BOOL ret = False;
3429
3430                         /*
3431                          * Try using the POSIX ACL set first. Fall back to chmod if
3432                          * we have no ACL support on this filesystem.
3433                          */
3434
3435                         if (acl_perms && file_ace_list) {
3436                                 ret = set_canon_ace_list(fsp, file_ace_list, False, sbuf.st_gid, &acl_set_support);
3437                                 if (acl_set_support && ret == False) {
3438                                         DEBUG(3,("set_nt_acl: failed to set file acl on file %s (%s).\n", fsp->fsp_name, strerror(errno) ));
3439                                         free_canon_ace_list(file_ace_list);
3440                                         free_canon_ace_list(dir_ace_list); 
3441                                         return map_nt_error_from_unix(errno);
3442                                 }
3443                         }
3444
3445                         if (acl_perms && acl_set_support && fsp->is_directory) {
3446                                 if (dir_ace_list) {
3447                                         if (!set_canon_ace_list(fsp, dir_ace_list, True, sbuf.st_gid, &acl_set_support)) {
3448                                                 DEBUG(3,("set_nt_acl: failed to set default acl on directory %s (%s).\n", fsp->fsp_name, strerror(errno) ));
3449                                                 free_canon_ace_list(file_ace_list);
3450                                                 free_canon_ace_list(dir_ace_list); 
3451                                                 return map_nt_error_from_unix(errno);
3452                                         }
3453                                 } else {
3454
3455                                         /*
3456                                          * No default ACL - delete one if it exists.
3457                                          */
3458
3459                                         if (SMB_VFS_SYS_ACL_DELETE_DEF_FILE(conn, fsp->fsp_name) == -1) {
3460                                                 int sret = -1;
3461
3462                                                 if (acl_group_override(conn, sbuf.st_gid)) {
3463                                                         DEBUG(5,("set_nt_acl: acl group control on and "
3464                                                                 "current user in file %s primary group. Override delete_def_acl\n",
3465                                                                 fsp->fsp_name ));
3466
3467                                                         become_root();
3468                                                         sret = SMB_VFS_SYS_ACL_DELETE_DEF_FILE(conn, fsp->fsp_name);
3469                                                         unbecome_root();
3470                                                 }
3471
3472                                                 if (sret == -1) {
3473                                                         DEBUG(3,("set_nt_acl: sys_acl_delete_def_file failed (%s)\n", strerror(errno)));
3474                                                         free_canon_ace_list(file_ace_list);
3475                                                         free_canon_ace_list(dir_ace_list);
3476                                                         return map_nt_error_from_unix(errno);
3477                                                 }
3478                                         }
3479                                 }
3480                         }
3481
3482                         if (acl_set_support) {
3483                                 store_inheritance_attributes(fsp, file_ace_list, dir_ace_list,
3484                                                 (psd->type & SE_DESC_DACL_PROTECTED) ? True : False);
3485                         }
3486
3487                         /*
3488                          * If we cannot set using POSIX ACLs we fall back to checking if we need to chmod.
3489                          */
3490
3491                         if(!acl_set_support && acl_perms) {
3492                                 mode_t posix_perms;
3493
3494                                 if (!convert_canon_ace_to_posix_perms( fsp, file_ace_list, &posix_perms)) {
3495                                         free_canon_ace_list(file_ace_list);
3496                                         free_canon_ace_list(dir_ace_list);
3497                                         DEBUG(3,("set_nt_acl: failed to convert file acl to posix permissions for file %s.\n",
3498                                                 fsp->fsp_name ));
3499                                         return NT_STATUS_ACCESS_DENIED;
3500                                 }
3501
3502                                 if (orig_mode != posix_perms) {
3503
3504                                         DEBUG(3,("set_nt_acl: chmod %s. perms = 0%o.\n",
3505                                                 fsp->fsp_name, (unsigned int)posix_perms ));
3506
3507                                         if(SMB_VFS_CHMOD(conn,fsp->fsp_name, posix_perms) == -1) {
3508                                                 int sret = -1;
3509                                                 if (acl_group_override(conn, sbuf.st_gid)) {
3510                                                         DEBUG(5,("set_nt_acl: acl group control on and "
3511                                                                 "current user in file %s primary group. Override chmod\n",
3512                                                                 fsp->fsp_name ));
3513
3514                                                         become_root();
3515                                                         sret = SMB_VFS_CHMOD(conn,fsp->fsp_name, posix_perms);
3516                                                         unbecome_root();
3517                                                 }
3518
3519                                                 if (sret == -1) {
3520                                                         DEBUG(3,("set_nt_acl: chmod %s, 0%o failed. Error = %s.\n",
3521                                                                 fsp->fsp_name, (unsigned int)posix_perms, strerror(errno) ));
3522                                                         free_canon_ace_list(file_ace_list);
3523                                                         free_canon_ace_list(dir_ace_list);
3524                                                         return map_nt_error_from_unix(errno);
3525                                                 }
3526                                         }
3527                                 }
3528                         }
3529                 }
3530
3531                 free_canon_ace_list(file_ace_list);
3532                 free_canon_ace_list(dir_ace_list); 
3533         }
3534
3535         return NT_STATUS_OK;
3536 }
3537
3538 /****************************************************************************
3539  Get the actual group bits stored on a file with an ACL. Has no effect if
3540  the file has no ACL. Needed in dosmode code where the stat() will return
3541  the mask bits, not the real group bits, for a file with an ACL.
3542 ****************************************************************************/
3543
3544 int get_acl_group_bits( connection_struct *conn, const char *fname, mode_t *mode )
3545 {
3546         int entry_id = SMB_ACL_FIRST_ENTRY;
3547         SMB_ACL_ENTRY_T entry;
3548         SMB_ACL_T posix_acl;
3549         int result = -1;
3550
3551         posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, fname, SMB_ACL_TYPE_ACCESS);
3552         if (posix_acl == (SMB_ACL_T)NULL)
3553                 return -1;
3554
3555         while (SMB_VFS_SYS_ACL_GET_ENTRY(conn, posix_acl, entry_id, &entry) == 1) {
3556                 SMB_ACL_TAG_T tagtype;
3557                 SMB_ACL_PERMSET_T permset;
3558
3559                 /* get_next... */
3560                 if (entry_id == SMB_ACL_FIRST_ENTRY)
3561                         entry_id = SMB_ACL_NEXT_ENTRY;
3562
3563                 if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) ==-1)
3564                         break;
3565
3566                 if (tagtype == SMB_ACL_GROUP_OBJ) {
3567                         if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1) {
3568                                 break;
3569                         } else {
3570                                 *mode &= ~(S_IRGRP|S_IWGRP|S_IXGRP);
3571                                 *mode |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_READ) ? S_IRGRP : 0);
3572                                 *mode |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_WRITE) ? S_IWGRP : 0);
3573                                 *mode |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_EXECUTE) ? S_IXGRP : 0);
3574                                 result = 0;
3575                                 break;
3576                         }
3577                 }
3578         }
3579         SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
3580         return result;
3581 }
3582
3583 /****************************************************************************
3584  Do a chmod by setting the ACL USER_OBJ, GROUP_OBJ and OTHER bits in an ACL
3585  and set the mask to rwx. Needed to preserve complex ACLs set by NT.
3586 ****************************************************************************/
3587
3588 static int chmod_acl_internals( connection_struct *conn, SMB_ACL_T posix_acl, mode_t mode)
3589 {
3590         int entry_id = SMB_ACL_FIRST_ENTRY;
3591         SMB_ACL_ENTRY_T entry;
3592         int num_entries = 0;
3593
3594         while ( SMB_VFS_SYS_ACL_GET_ENTRY(conn, posix_acl, entry_id, &entry) == 1) {
3595                 SMB_ACL_TAG_T tagtype;
3596                 SMB_ACL_PERMSET_T permset;
3597                 mode_t perms;
3598
3599                 /* get_next... */
3600                 if (entry_id == SMB_ACL_FIRST_ENTRY)
3601                         entry_id = SMB_ACL_NEXT_ENTRY;
3602
3603                 if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) == -1)
3604                         return -1;
3605
3606                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1)
3607                         return -1;
3608
3609                 num_entries++;
3610
3611                 switch(tagtype) {
3612                         case SMB_ACL_USER_OBJ:
3613                                 perms = unix_perms_to_acl_perms(mode, S_IRUSR, S_IWUSR, S_IXUSR);
3614                                 break;
3615                         case SMB_ACL_GROUP_OBJ:
3616                                 perms = unix_perms_to_acl_perms(mode, S_IRGRP, S_IWGRP, S_IXGRP);
3617                                 break;
3618                         case SMB_ACL_MASK:
3619                                 /*
3620                                  * FIXME: The ACL_MASK entry permissions should really be set to
3621                                  * the union of the permissions of all ACL_USER,
3622                                  * ACL_GROUP_OBJ, and ACL_GROUP entries. That's what
3623                                  * acl_calc_mask() does, but Samba ACLs doesn't provide it.
3624                                  */
3625                                 perms = S_IRUSR|S_IWUSR|S_IXUSR;
3626                                 break;
3627                         case SMB_ACL_OTHER:
3628                                 perms = unix_perms_to_acl_perms(mode, S_IROTH, S_IWOTH, S_IXOTH);
3629                                 break;
3630                         default:
3631                                 continue;
3632                 }
3633
3634                 if (map_acl_perms_to_permset(conn, perms, &permset) == -1)
3635                         return -1;
3636
3637                 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, entry, permset) == -1)
3638                         return -1;
3639         }
3640
3641         /*
3642          * If this is a simple 3 element ACL or no elements then it's a standard
3643          * UNIX permission set. Just use chmod...       
3644          */
3645
3646         if ((num_entries == 3) || (num_entries == 0))
3647                 return -1;
3648
3649         return 0;
3650 }
3651
3652 /****************************************************************************
3653  Get the access ACL of FROM, do a chmod by setting the ACL USER_OBJ,
3654  GROUP_OBJ and OTHER bits in an ACL and set the mask to rwx. Set the
3655  resulting ACL on TO.  Note that name is in UNIX character set.
3656 ****************************************************************************/
3657
3658 static int copy_access_acl(connection_struct *conn, const char *from, const char *to, mode_t mode)
3659 {
3660         SMB_ACL_T posix_acl = NULL;
3661         int ret = -1;
3662
3663         if ((posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, from, SMB_ACL_TYPE_ACCESS)) == NULL)
3664                 return -1;
3665
3666         if ((ret = chmod_acl_internals(conn, posix_acl, mode)) == -1)
3667                 goto done;
3668
3669         ret = SMB_VFS_SYS_ACL_SET_FILE(conn, to, SMB_ACL_TYPE_ACCESS, posix_acl);
3670
3671  done:
3672
3673         SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
3674         return ret;
3675 }
3676
3677 /****************************************************************************
3678  Do a chmod by setting the ACL USER_OBJ, GROUP_OBJ and OTHER bits in an ACL
3679  and set the mask to rwx. Needed to preserve complex ACLs set by NT.
3680  Note that name is in UNIX character set.
3681 ****************************************************************************/
3682
3683 int chmod_acl(connection_struct *conn, const char *name, mode_t mode)
3684 {
3685         return copy_access_acl(conn, name, name, mode);
3686 }
3687
3688 /****************************************************************************
3689  If the parent directory has no default ACL but it does have an Access ACL,
3690  inherit this Access ACL to file name.
3691 ****************************************************************************/
3692
3693 int inherit_access_acl(connection_struct *conn, const char *inherit_from_dir,
3694                        const char *name, mode_t mode)
3695 {
3696         if (directory_has_default_acl(conn, inherit_from_dir))
3697                 return 0;
3698
3699         return copy_access_acl(conn, inherit_from_dir, name, mode);
3700 }
3701
3702 /****************************************************************************
3703  Do an fchmod by setting the ACL USER_OBJ, GROUP_OBJ and OTHER bits in an ACL
3704  and set the mask to rwx. Needed to preserve complex ACLs set by NT.
3705 ****************************************************************************/
3706
3707 int fchmod_acl(files_struct *fsp, int fd, mode_t mode)
3708 {
3709         connection_struct *conn = fsp->conn;
3710         SMB_ACL_T posix_acl = NULL;
3711         int ret = -1;
3712
3713         if ((posix_acl = SMB_VFS_SYS_ACL_GET_FD(fsp, fd)) == NULL)
3714                 return -1;
3715
3716         if ((ret = chmod_acl_internals(conn, posix_acl, mode)) == -1)
3717                 goto done;
3718
3719         ret = SMB_VFS_SYS_ACL_SET_FD(fsp, fd, posix_acl);
3720
3721   done:
3722
3723         SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
3724         return ret;
3725 }
3726
3727 /****************************************************************************
3728  Check for an existing default POSIX ACL on a directory.
3729 ****************************************************************************/
3730
3731 BOOL directory_has_default_acl(connection_struct *conn, const char *fname)
3732 {
3733         SMB_ACL_T def_acl = SMB_VFS_SYS_ACL_GET_FILE( conn, fname, SMB_ACL_TYPE_DEFAULT);
3734         BOOL has_acl = False;
3735         SMB_ACL_ENTRY_T entry;
3736
3737         if (def_acl != NULL && (SMB_VFS_SYS_ACL_GET_ENTRY(conn, def_acl, SMB_ACL_FIRST_ENTRY, &entry) == 1)) {
3738                 has_acl = True;
3739         }
3740
3741         if (def_acl) {
3742                 SMB_VFS_SYS_ACL_FREE_ACL(conn, def_acl);
3743         }
3744         return has_acl;
3745 }
3746
3747 /****************************************************************************
3748  Map from wire type to permset.
3749 ****************************************************************************/
3750
3751 static BOOL unix_ex_wire_to_permset(connection_struct *conn, unsigned char wire_perm, SMB_ACL_PERMSET_T *p_permset)
3752 {
3753         if (wire_perm & ~(SMB_POSIX_ACL_READ|SMB_POSIX_ACL_WRITE|SMB_POSIX_ACL_EXECUTE)) {
3754                 return False;
3755         }
3756
3757         if (SMB_VFS_SYS_ACL_CLEAR_PERMS(conn, *p_permset) ==  -1) {
3758                 return False;
3759         }
3760
3761         if (wire_perm & SMB_POSIX_ACL_READ) {
3762                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_READ) == -1) {
3763                         return False;
3764                 }
3765         }
3766         if (wire_perm & SMB_POSIX_ACL_WRITE) {
3767                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_WRITE) == -1) {
3768                         return False;
3769                 }
3770         }
3771         if (wire_perm & SMB_POSIX_ACL_EXECUTE) {
3772                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_EXECUTE) == -1) {
3773                         return False;
3774                 }
3775         }
3776         return True;
3777 }
3778
3779 /****************************************************************************
3780  Map from wire type to tagtype.
3781 ****************************************************************************/
3782
3783 static BOOL unix_ex_wire_to_tagtype(unsigned char wire_tt, SMB_ACL_TAG_T *p_tt)
3784 {
3785         switch (wire_tt) {
3786                 case SMB_POSIX_ACL_USER_OBJ:
3787                         *p_tt = SMB_ACL_USER_OBJ;
3788                         break;
3789                 case SMB_POSIX_ACL_USER:
3790                         *p_tt = SMB_ACL_USER;
3791                         break;
3792                 case SMB_POSIX_ACL_GROUP_OBJ:
3793                         *p_tt = SMB_ACL_GROUP_OBJ;
3794                         break;
3795                 case SMB_POSIX_ACL_GROUP:
3796                         *p_tt = SMB_ACL_GROUP;
3797                         break;
3798                 case SMB_POSIX_ACL_MASK:
3799                         *p_tt = SMB_ACL_MASK;
3800                         break;
3801                 case SMB_POSIX_ACL_OTHER:
3802                         *p_tt = SMB_ACL_OTHER;
3803                         break;
3804                 default:
3805                         return False;
3806         }
3807         return True;
3808 }
3809
3810 /****************************************************************************
3811  Create a new POSIX acl from wire permissions.
3812  FIXME ! How does the share mask/mode fit into this.... ?
3813 ****************************************************************************/
3814
3815 static SMB_ACL_T create_posix_acl_from_wire(connection_struct *conn, uint16 num_acls, const char *pdata)
3816 {
3817         unsigned int i;
3818         SMB_ACL_T the_acl = SMB_VFS_SYS_ACL_INIT(conn, num_acls);
3819
3820         if (the_acl == NULL) {
3821                 return NULL;
3822         }
3823
3824         for (i = 0; i < num_acls; i++) {
3825                 SMB_ACL_ENTRY_T the_entry;
3826                 SMB_ACL_PERMSET_T the_permset;
3827                 SMB_ACL_TAG_T tag_type;
3828
3829                 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &the_entry) == -1) {
3830                         DEBUG(0,("create_posix_acl_from_wire: Failed to create entry %u. (%s)\n",
3831                                 i, strerror(errno) ));
3832                         goto fail;
3833                 }
3834
3835                 if (!unix_ex_wire_to_tagtype(CVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE)), &tag_type)) {
3836                         DEBUG(0,("create_posix_acl_from_wire: invalid wire tagtype %u on entry %u.\n",
3837                                 CVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE)), i ));
3838                         goto fail;
3839                 }
3840
3841                 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, the_entry, tag_type) == -1) {
3842                         DEBUG(0,("create_posix_acl_from_wire: Failed to set tagtype on entry %u. (%s)\n",
3843                                 i, strerror(errno) ));
3844                         goto fail;
3845                 }
3846
3847                 /* Get the permset pointer from the new ACL entry. */
3848                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, the_entry, &the_permset) == -1) {
3849                         DEBUG(0,("create_posix_acl_from_wire: Failed to get permset on entry %u. (%s)\n",
3850                                 i, strerror(errno) ));
3851                         goto fail;
3852                 }
3853
3854                 /* Map from wire to permissions. */
3855                 if (!unix_ex_wire_to_permset(conn, CVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE)+1), &the_permset)) {
3856                         DEBUG(0,("create_posix_acl_from_wire: invalid permset %u on entry %u.\n",
3857                                 CVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE) + 1), i ));
3858                         goto fail;
3859                 }
3860
3861                 /* Now apply to the new ACL entry. */
3862                 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, the_entry, the_permset) == -1) {
3863                         DEBUG(0,("create_posix_acl_from_wire: Failed to add permset on entry %u. (%s)\n",
3864                                 i, strerror(errno) ));
3865                         goto fail;
3866                 }
3867
3868                 if (tag_type == SMB_ACL_USER) {
3869                         uint32 uidval = IVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE)+2);
3870                         uid_t uid = (uid_t)uidval;
3871                         if (SMB_VFS_SYS_ACL_SET_QUALIFIER(conn, the_entry,(void *)&uid) == -1) {
3872                                 DEBUG(0,("create_posix_acl_from_wire: Failed to set uid %u on entry %u. (%s)\n",
3873                                         (unsigned int)uid, i, strerror(errno) ));
3874                                 goto fail;
3875                         }
3876                 }
3877
3878                 if (tag_type == SMB_ACL_GROUP) {
3879                         uint32 gidval = IVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE)+2);
3880                         gid_t gid = (uid_t)gidval;
3881                         if (SMB_VFS_SYS_ACL_SET_QUALIFIER(conn, the_entry,(void *)&gid) == -1) {
3882                                 DEBUG(0,("create_posix_acl_from_wire: Failed to set gid %u on entry %u. (%s)\n",
3883                                         (unsigned int)gid, i, strerror(errno) ));
3884                                 goto fail;
3885                         }
3886                 }
3887         }
3888
3889         return the_acl;
3890
3891  fail:
3892
3893         if (the_acl != NULL) {
3894                 SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
3895         }
3896         return NULL;
3897 }
3898
3899 /****************************************************************************
3900  Calls from UNIX extensions - Default POSIX ACL set.
3901  If num_def_acls == 0 and not a directory just return. If it is a directory
3902  and num_def_acls == 0 then remove the default acl. Else set the default acl
3903  on the directory.
3904 ****************************************************************************/
3905
3906 BOOL set_unix_posix_default_acl(connection_struct *conn, const char *fname, SMB_STRUCT_STAT *psbuf,
3907                                 uint16 num_def_acls, const char *pdata)
3908 {
3909         SMB_ACL_T def_acl = NULL;
3910
3911         if (num_def_acls && !S_ISDIR(psbuf->st_mode)) {
3912                 DEBUG(5,("set_unix_posix_default_acl: Can't set default ACL on non-directory file %s\n", fname ));
3913                 errno = EISDIR;
3914                 return False;
3915         }
3916
3917         if (!num_def_acls) {
3918                 /* Remove the default ACL. */
3919                 if (SMB_VFS_SYS_ACL_DELETE_DEF_FILE(conn, fname) == -1) {
3920                         DEBUG(5,("set_unix_posix_default_acl: acl_delete_def_file failed on directory %s (%s)\n",
3921                                 fname, strerror(errno) ));
3922                         return False;
3923                 }
3924                 return True;
3925         }
3926
3927         if ((def_acl = create_posix_acl_from_wire(conn, num_def_acls, pdata)) == NULL) {
3928                 return False;
3929         }
3930
3931         if (SMB_VFS_SYS_ACL_SET_FILE(conn, fname, SMB_ACL_TYPE_DEFAULT, def_acl) == -1) {
3932                 DEBUG(5,("set_unix_posix_default_acl: acl_set_file failed on directory %s (%s)\n",
3933                         fname, strerror(errno) ));
3934                 SMB_VFS_SYS_ACL_FREE_ACL(conn, def_acl);
3935                 return False;
3936         }
3937
3938         DEBUG(10,("set_unix_posix_default_acl: set default acl for file %s\n", fname ));
3939         SMB_VFS_SYS_ACL_FREE_ACL(conn, def_acl);
3940         return True;
3941 }
3942
3943 /****************************************************************************
3944  Remove an ACL from a file. As we don't have acl_delete_entry() available
3945  we must read the current acl and copy all entries except MASK, USER and GROUP
3946  to a new acl, then set that. This (at least on Linux) causes any ACL to be
3947  removed.
3948  FIXME ! How does the share mask/mode fit into this.... ?
3949 ****************************************************************************/
3950
3951 static BOOL remove_posix_acl(connection_struct *conn, files_struct *fsp, const char *fname)
3952 {
3953         SMB_ACL_T file_acl = NULL;
3954         int entry_id = SMB_ACL_FIRST_ENTRY;
3955         SMB_ACL_ENTRY_T entry;
3956         BOOL ret = False;
3957         /* Create a new ACL with only 3 entries, u/g/w. */
3958         SMB_ACL_T new_file_acl = SMB_VFS_SYS_ACL_INIT(conn, 3);
3959         SMB_ACL_ENTRY_T user_ent = NULL;
3960         SMB_ACL_ENTRY_T group_ent = NULL;
3961         SMB_ACL_ENTRY_T other_ent = NULL;
3962
3963         if (new_file_acl == NULL) {
3964                 DEBUG(5,("remove_posix_acl: failed to init new ACL with 3 entries for file %s.\n", fname));
3965                 return False;
3966         }
3967
3968         /* Now create the u/g/w entries. */
3969         if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &new_file_acl, &user_ent) == -1) {
3970                 DEBUG(5,("remove_posix_acl: Failed to create user entry for file %s. (%s)\n",
3971                         fname, strerror(errno) ));
3972                 goto done;
3973         }
3974         if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, user_ent, SMB_ACL_USER_OBJ) == -1) {
3975                 DEBUG(5,("remove_posix_acl: Failed to set user entry for file %s. (%s)\n",
3976                         fname, strerror(errno) ));
3977                 goto done;
3978         }
3979
3980         if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &new_file_acl, &group_ent) == -1) {
3981                 DEBUG(5,("remove_posix_acl: Failed to create group entry for file %s. (%s)\n",
3982                         fname, strerror(errno) ));
3983                 goto done;
3984         }
3985         if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, group_ent, SMB_ACL_GROUP_OBJ) == -1) {
3986                 DEBUG(5,("remove_posix_acl: Failed to set group entry for file %s. (%s)\n",
3987                         fname, strerror(errno) ));
3988                 goto done;
3989         }
3990
3991         if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &new_file_acl, &other_ent) == -1) {
3992                 DEBUG(5,("remove_posix_acl: Failed to create other entry for file %s. (%s)\n",
3993                         fname, strerror(errno) ));
3994                 goto done;
3995         }
3996         if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, other_ent, SMB_ACL_OTHER) == -1) {
3997                 DEBUG(5,("remove_posix_acl: Failed to set other entry for file %s. (%s)\n",
3998                         fname, strerror(errno) ));
3999                 goto done;
4000         }
4001
4002         /* Get the current file ACL. */
4003         if (fsp && fsp->fh->fd != -1) {
4004                 file_acl = SMB_VFS_SYS_ACL_GET_FD(fsp, fsp->fh->fd);
4005         } else {
4006                 file_acl = SMB_VFS_SYS_ACL_GET_FILE( conn, fname, SMB_ACL_TYPE_ACCESS);
4007         }
4008
4009         if (file_acl == NULL) {
4010                 /* This is only returned if an error occurred. Even for a file with
4011                    no acl a u/g/w acl should be returned. */
4012                 DEBUG(5,("remove_posix_acl: failed to get ACL from file %s (%s).\n",
4013                         fname, strerror(errno) ));
4014                 goto done;
4015         }
4016
4017         while ( SMB_VFS_SYS_ACL_GET_ENTRY(conn, file_acl, entry_id, &entry) == 1) {
4018                 SMB_ACL_TAG_T tagtype;
4019                 SMB_ACL_PERMSET_T permset;
4020
4021                 /* get_next... */
4022                 if (entry_id == SMB_ACL_FIRST_ENTRY)
4023                         entry_id = SMB_ACL_NEXT_ENTRY;
4024
4025                 if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) == -1) {
4026                         DEBUG(5,("remove_posix_acl: failed to get tagtype from ACL on file %s (%s).\n",
4027                                 fname, strerror(errno) ));
4028                         goto done;
4029                 }
4030
4031                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1) {
4032                         DEBUG(5,("remove_posix_acl: failed to get permset from ACL on file %s (%s).\n",
4033                                 fname, strerror(errno) ));
4034                         goto done;
4035                 }
4036
4037                 if (tagtype == SMB_ACL_USER_OBJ) {
4038                         if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, user_ent, permset) == -1) {
4039                                 DEBUG(5,("remove_posix_acl: failed to set permset from ACL on file %s (%s).\n",
4040                                         fname, strerror(errno) ));
4041                         }
4042                 } else if (tagtype == SMB_ACL_GROUP_OBJ) {
4043                         if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, group_ent, permset) == -1) {
4044                                 DEBUG(5,("remove_posix_acl: failed to set permset from ACL on file %s (%s).\n",
4045                                         fname, strerror(errno) ));
4046                         }
4047                 } else if (tagtype == SMB_ACL_OTHER) {
4048                         if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, other_ent, permset) == -1) {
4049                                 DEBUG(5,("remove_posix_acl: failed to set permset from ACL on file %s (%s).\n",
4050                                         fname, strerror(errno) ));
4051                         }
4052                 }
4053         }
4054
4055         /* Set the new empty file ACL. */
4056         if (fsp && fsp->fh->fd != -1) {
4057                 if (SMB_VFS_SYS_ACL_SET_FD(fsp, fsp->fh->fd, new_file_acl) == -1) {
4058                         DEBUG(5,("remove_posix_acl: acl_set_file failed on %s (%s)\n",
4059                                 fname, strerror(errno) ));
4060                         goto done;
4061                 }
4062         } else {
4063                 if (SMB_VFS_SYS_ACL_SET_FILE(conn, fname, SMB_ACL_TYPE_ACCESS, new_file_acl) == -1) {
4064                         DEBUG(5,("remove_posix_acl: acl_set_file failed on %s (%s)\n",
4065                                 fname, strerror(errno) ));
4066                         goto done;
4067                 }
4068         }
4069
4070         ret = True;
4071
4072  done:
4073
4074         if (file_acl) {
4075                 SMB_VFS_SYS_ACL_FREE_ACL(conn, file_acl);
4076         }
4077         if (new_file_acl) {
4078                 SMB_VFS_SYS_ACL_FREE_ACL(conn, new_file_acl);
4079         }
4080         return ret;
4081 }
4082
4083 /****************************************************************************
4084  Calls from UNIX extensions - POSIX ACL set.
4085  If num_def_acls == 0 then read/modify/write acl after removing all entries
4086  except SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER.
4087 ****************************************************************************/
4088
4089 BOOL set_unix_posix_acl(connection_struct *conn, files_struct *fsp, const char *fname, uint16 num_acls, const char *pdata)
4090 {
4091         SMB_ACL_T file_acl = NULL;
4092
4093         if (!num_acls) {
4094                 /* Remove the ACL from the file. */
4095                 return remove_posix_acl(conn, fsp, fname);
4096         }
4097
4098         if ((file_acl = create_posix_acl_from_wire(conn, num_acls, pdata)) == NULL) {
4099                 return False;
4100         }
4101
4102         if (fsp && fsp->fh->fd != -1) {
4103                 /* The preferred way - use an open fd. */
4104                 if (SMB_VFS_SYS_ACL_SET_FD(fsp, fsp->fh->fd, file_acl) == -1) {
4105                         DEBUG(5,("set_unix_posix_acl: acl_set_file failed on %s (%s)\n",
4106                                 fname, strerror(errno) ));
4107                         SMB_VFS_SYS_ACL_FREE_ACL(conn, file_acl);
4108                         return False;
4109                 }
4110         } else {
4111                 if (SMB_VFS_SYS_ACL_SET_FILE(conn, fname, SMB_ACL_TYPE_ACCESS, file_acl) == -1) {
4112                         DEBUG(5,("set_unix_posix_acl: acl_set_file failed on %s (%s)\n",
4113                                 fname, strerror(errno) ));
4114                         SMB_VFS_SYS_ACL_FREE_ACL(conn, file_acl);
4115                         return False;
4116                 }
4117         }
4118
4119         DEBUG(10,("set_unix_posix_acl: set acl for file %s\n", fname ));
4120         SMB_VFS_SYS_ACL_FREE_ACL(conn, file_acl);
4121         return True;
4122 }
4123
4124 /****************************************************************************
4125  Check for POSIX group ACLs. If none use stat entry.
4126  Return -1 if no match, 0 if match and denied, 1 if match and allowed.
4127 ****************************************************************************/
4128
4129 static int check_posix_acl_group_access(connection_struct *conn, const char *fname, SMB_STRUCT_STAT *psbuf, uint32 access_mask)
4130 {
4131         SMB_ACL_T posix_acl = NULL;
4132         int entry_id = SMB_ACL_FIRST_ENTRY;
4133         SMB_ACL_ENTRY_T entry;
4134         int i;
4135         BOOL seen_mask = False;
4136         BOOL seen_owning_group = False;
4137         int ret = -1;
4138         gid_t cu_gid;
4139
4140         DEBUG(10,("check_posix_acl_group_access: requesting 0x%x on file %s\n",
4141                 (unsigned int)access_mask, fname ));
4142
4143         if ((posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, fname, SMB_ACL_TYPE_ACCESS)) == NULL) {
4144                 goto check_stat;
4145         }
4146
4147         /* First ensure the group mask allows group access. */
4148         /* Also check any user entries (these take preference over group). */
4149
4150         while ( SMB_VFS_SYS_ACL_GET_ENTRY(conn, posix_acl, entry_id, &entry) == 1) {
4151                 SMB_ACL_TAG_T tagtype;
4152                 SMB_ACL_PERMSET_T permset;
4153                 int have_write = -1;
4154                 int have_read = -1;
4155
4156                 /* get_next... */
4157                 if (entry_id == SMB_ACL_FIRST_ENTRY)
4158                         entry_id = SMB_ACL_NEXT_ENTRY;
4159
4160                 if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) == -1) {
4161                         goto check_stat;
4162                 }
4163
4164                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1) {
4165                         goto check_stat;
4166                 }
4167
4168                 have_read = SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_READ);
4169                 if (have_read == -1) {
4170                         goto check_stat;
4171                 }
4172
4173                 have_write = SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_WRITE);
4174                 if (have_write == -1) {
4175                         goto check_stat;
4176                 }
4177
4178                 /*
4179                  * Solaris returns 2 for this if write is available.
4180                  * canonicalize to 0 or 1.
4181                  */     
4182                 have_write = (have_write ? 1 : 0);
4183                 have_read = (have_read ? 1 : 0);
4184
4185                 switch(tagtype) {
4186                         case SMB_ACL_MASK:
4187                                 seen_mask = True;
4188                                 switch (access_mask) {
4189                                         case FILE_READ_DATA:
4190                                                 if (!have_read) {
4191                                                         ret = -1;
4192                                                         DEBUG(10,("check_posix_acl_group_access: file %s "
4193                                                                 "refusing read due to mask.\n", fname));
4194                                                         goto done;
4195                                                 }
4196                                                 break;
4197                                         case FILE_WRITE_DATA:
4198                                                 if (!have_write) {
4199                                                         ret = -1;
4200                                                         DEBUG(10,("check_posix_acl_group_access: file %s "
4201                                                                 "refusing write due to mask.\n", fname));
4202                                                         goto done;
4203                                                 }
4204                                                 break;
4205                                         default: /* FILE_READ_DATA|FILE_WRITE_DATA */
4206                                                 if (!have_write || !have_read) {
4207                                                         ret = -1;
4208                                                         DEBUG(10,("check_posix_acl_group_access: file %s "
4209                                                                 "refusing read/write due to mask.\n", fname));
4210                                                         goto done;
4211                                                 }
4212                                                 break;
4213                                 }
4214                                 break;
4215                         case SMB_ACL_USER:
4216                         {
4217                                 /* Check against current_user.ut.uid. */
4218                                 uid_t *puid = (uid_t *)SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry);
4219                                 if (puid == NULL) {
4220                                         goto check_stat;
4221                                 }
4222                                 if (current_user.ut.uid == *puid) {
4223                                         /* We have a uid match but we must ensure we have seen the acl mask. */
4224                                         switch (access_mask) {
4225                                                 case FILE_READ_DATA:
4226                                                         ret = have_read;
4227                                                         break;
4228                                                 case FILE_WRITE_DATA:
4229                                                         ret = have_write;
4230                                                         break;
4231                                                 default: /* FILE_READ_DATA|FILE_WRITE_DATA */
4232                                                         ret = (have_write & have_read);
4233                                                         break;
4234                                         }
4235                                         DEBUG(10,("check_posix_acl_group_access: file %s "
4236                                                 "match on user %u -> %s.\n",
4237                                                 fname, (unsigned int)*puid,
4238                                                 ret ? "can access" : "cannot access"));
4239                                         if (seen_mask) {
4240                                                 goto done;
4241                                         }
4242                                 }
4243                                 break;
4244                         }
4245                         default:
4246                                 continue;
4247                 }
4248         }
4249
4250         /* If ret is anything other than -1 we matched on a user entry. */
4251         if (ret != -1) {
4252                 goto done;
4253         }
4254
4255         /* Next check all group entries. */
4256         entry_id = SMB_ACL_FIRST_ENTRY;
4257         while ( SMB_VFS_SYS_ACL_GET_ENTRY(conn, posix_acl, entry_id, &entry) == 1) {
4258                 SMB_ACL_TAG_T tagtype;
4259                 SMB_ACL_PERMSET_T permset;
4260                 int have_write = -1;
4261                 int have_read = -1;
4262
4263                 /* get_next... */
4264                 if (entry_id == SMB_ACL_FIRST_ENTRY)
4265                         entry_id = SMB_ACL_NEXT_ENTRY;
4266
4267                 if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) == -1) {
4268                         goto check_stat;
4269                 }
4270
4271                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1) {
4272                         goto check_stat;
4273                 }
4274
4275                 have_read = SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_READ);
4276                 if (have_read == -1) {
4277                         goto check_stat;
4278                 }
4279
4280                 have_write = SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_WRITE);
4281                 if (have_write == -1) {
4282                         goto check_stat;
4283                 }
4284
4285                 /*
4286                  * Solaris returns 2 for this if write is available.
4287                  * canonicalize to 0 or 1.
4288                  */     
4289                 have_write = (have_write ? 1 : 0);
4290                 have_read = (have_read ? 1 : 0);
4291
4292                 switch(tagtype) {
4293                         case SMB_ACL_GROUP:
4294                         case SMB_ACL_GROUP_OBJ:
4295                         {
4296                                 gid_t *pgid = NULL;
4297
4298                                 if (tagtype == SMB_ACL_GROUP) {
4299                                         pgid = (gid_t *)SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry);
4300                                 } else {
4301                                         seen_owning_group = True;
4302                                         pgid = &psbuf->st_gid;
4303                                 }
4304                                 if (pgid == NULL) {
4305                                         goto check_stat;
4306                                 }
4307
4308                                 /*
4309                                  * Does it match the current effective group
4310                                  * or supplementary groups ?
4311                                  */
4312                                 for (cu_gid = get_current_user_gid_first(&i); cu_gid != (gid_t)-1;
4313                                                         cu_gid = get_current_user_gid_next(&i)) {
4314                                         if (cu_gid == *pgid) {
4315                                                 switch (access_mask) {
4316                                                         case FILE_READ_DATA:
4317                                                                 ret = have_read;
4318                                                                 break;
4319                                                         case FILE_WRITE_DATA:
4320                                                                 ret = have_write;
4321                                                                 break;
4322                                                         default: /* FILE_READ_DATA|FILE_WRITE_DATA */
4323                                                                 ret = (have_write & have_read);
4324                                                                 break;
4325                                                 }
4326
4327                                                 DEBUG(10,("check_posix_acl_group_access: file %s "
4328                                                         "match on group %u -> can access.\n",
4329                                                         fname, (unsigned int)cu_gid ));
4330
4331                                                 /* If we don't have access permission this entry doesn't
4332                                                         terminate the enumeration of the entries. */
4333                                                 if (ret) {
4334                                                         goto done;
4335                                                 }
4336                                                 /* But does terminate the group iteration. */
4337                                                 break;
4338                                         }
4339                                 }
4340                                 break;
4341                         }
4342                         default:
4343                                 continue;
4344                 }
4345         }
4346
4347         /* If ret is -1 here we didn't match on the user entry or
4348            supplemental group entries. */
4349         
4350         DEBUG(10,("check_posix_acl_group_access: ret = %d before check_stat:\n", ret));
4351
4352   check_stat:
4353
4354         /*
4355          * We only check the S_I[RW]GRP permissions if we haven't already
4356          * seen an owning group SMB_ACL_GROUP_OBJ ace entry. If there is an
4357          * SMB_ACL_GROUP_OBJ ace entry then the group bits in st_gid are
4358          * the same as the SMB_ACL_MASK bits, not the SMB_ACL_GROUP_OBJ
4359          * bits. Thanks to Marc Cousin <mcousin@sigma.fr> for pointing
4360          * this out. JRA.
4361          */
4362
4363         if (!seen_owning_group) {
4364                 /* Do we match on the owning group entry ? */
4365                 /*
4366                  * Does it match the current effective group
4367                  * or supplementary groups ?
4368                  */
4369                 for (cu_gid = get_current_user_gid_first(&i); cu_gid != (gid_t)-1;
4370                                                 cu_gid = get_current_user_gid_next(&i)) {
4371                         if (cu_gid == psbuf->st_gid) {
4372                                 switch (access_mask) {
4373                                         case FILE_READ_DATA:
4374                                                 ret = (psbuf->st_mode & S_IRGRP) ? 1 : 0;
4375                                                 break;
4376                                         case FILE_WRITE_DATA:
4377                                                 ret = (psbuf->st_mode & S_IWGRP) ? 1 : 0;
4378                                                 break;
4379                                         default: /* FILE_READ_DATA|FILE_WRITE_DATA */
4380                                                 if ((psbuf->st_mode & (S_IWGRP|S_IRGRP)) == (S_IWGRP|S_IRGRP)) {
4381                                                         ret = 1;
4382                                                 } else {
4383                                                         ret = 0;
4384                                                 }
4385                                                 break;
4386                                 }
4387                                 DEBUG(10,("check_posix_acl_group_access: file %s "
4388                                         "match on owning group %u -> %s.\n",
4389                                         fname, (unsigned int)psbuf->st_gid,
4390                                         ret ? "can access" : "cannot access"));
4391                                 break;
4392                         }
4393                 }
4394
4395                 if (cu_gid == (gid_t)-1) {
4396                         DEBUG(10,("check_posix_acl_group_access: file %s "
4397                                 "failed to match on user or group in token (ret = %d).\n",
4398                                 fname, ret ));
4399                 }
4400         }
4401
4402   done:
4403
4404         if (posix_acl) {
4405                 SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
4406         }
4407
4408         DEBUG(10,("check_posix_acl_group_access: file %s returning (ret = %d).\n", fname, ret ));
4409         return ret;
4410 }
4411
4412 /****************************************************************************
4413  Actually emulate the in-kernel access checking for delete access. We need
4414  this to successfully return ACCESS_DENIED on a file open for delete access.
4415 ****************************************************************************/
4416
4417 BOOL can_delete_file_in_directory(connection_struct *conn, const char *fname)
4418 {
4419         SMB_STRUCT_STAT sbuf;  
4420         pstring dname;
4421         int ret;
4422
4423         if (!CAN_WRITE(conn)) {
4424                 return False;
4425         }
4426
4427         /* Get the parent directory permission mask and owners. */
4428         pstrcpy(dname, parent_dirname(fname));
4429         if(SMB_VFS_STAT(conn, dname, &sbuf) != 0) {
4430                 return False;
4431         }
4432         if (!S_ISDIR(sbuf.st_mode)) {
4433                 return False;
4434         }
4435         if (current_user.ut.uid == 0 || conn->admin_user) {
4436                 /* I'm sorry sir, I didn't know you were root... */
4437                 return True;
4438         }
4439
4440         /* Check primary owner write access. */
4441         if (current_user.ut.uid == sbuf.st_uid) {
4442                 return (sbuf.st_mode & S_IWUSR) ? True : False;
4443         }
4444
4445 #ifdef S_ISVTX
4446         /* sticky bit means delete only by owner or root. */
4447         if (sbuf.st_mode & S_ISVTX) {
4448                 SMB_STRUCT_STAT sbuf_file;  
4449                 if(SMB_VFS_STAT(conn, fname, &sbuf_file) != 0) {
4450                         if (errno == ENOENT) {
4451                                 /* If the file doesn't already exist then
4452                                  * yes we'll be able to delete it. */
4453                                 return True;
4454                         }
4455                         return False;
4456                 }
4457                 /*
4458                  * Patch from SATOH Fumiyasu <fumiyas@miraclelinux.com>
4459                  * for bug #3348. Don't assume owning sticky bit
4460                  * directory means write access allowed.
4461                  */
4462                 if (current_user.ut.uid != sbuf_file.st_uid) {
4463                         return False;
4464                 }
4465         }
4466 #endif
4467
4468         /* Check group or explicit user acl entry write access. */
4469         ret = check_posix_acl_group_access(conn, dname, &sbuf, FILE_WRITE_DATA);
4470         if (ret == 0 || ret == 1) {
4471                 return ret ? True : False;
4472         }
4473
4474         /* Finally check other write access. */
4475         return (sbuf.st_mode & S_IWOTH) ? True : False;
4476 }
4477
4478 /****************************************************************************
4479  Actually emulate the in-kernel access checking for read/write access. We need
4480  this to successfully check for ability to write for dos filetimes.
4481  Note this doesn't take into account share write permissions.
4482 ****************************************************************************/
4483
4484 BOOL can_access_file(connection_struct *conn, const char *fname, SMB_STRUCT_STAT *psbuf, uint32 access_mask)
4485 {
4486         int ret;
4487
4488         if (!(access_mask & (FILE_READ_DATA|FILE_WRITE_DATA))) {
4489                 return False;
4490         }
4491         access_mask &= (FILE_READ_DATA|FILE_WRITE_DATA);
4492
4493         DEBUG(10,("can_access_file: requesting 0x%x on file %s\n",
4494                 (unsigned int)access_mask, fname ));
4495
4496         if (current_user.ut.uid == 0 || conn->admin_user) {
4497                 /* I'm sorry sir, I didn't know you were root... */
4498                 return True;
4499         }
4500
4501         if (!VALID_STAT(*psbuf)) {
4502                 /* Get the file permission mask and owners. */
4503                 if(SMB_VFS_STAT(conn, fname, psbuf) != 0) {
4504                         return False;
4505                 }
4506         }
4507
4508         /* Check primary owner access. */
4509         if (current_user.ut.uid == psbuf->st_uid) {
4510                 switch (access_mask) {
4511                         case FILE_READ_DATA:
4512                                 return (psbuf->st_mode & S_IRUSR) ? True : False;
4513
4514                         case FILE_WRITE_DATA:
4515                                 return (psbuf->st_mode & S_IWUSR) ? True : False;
4516
4517                         default: /* FILE_READ_DATA|FILE_WRITE_DATA */
4518
4519                                 if ((psbuf->st_mode & (S_IWUSR|S_IRUSR)) == (S_IWUSR|S_IRUSR)) {
4520                                         return True;
4521                                 } else {
4522                                         return False;
4523                                 }
4524                 }
4525         }
4526
4527         /* Check group or explicit user acl entry access. */
4528         ret = check_posix_acl_group_access(conn, fname, psbuf, access_mask);
4529         if (ret == 0 || ret == 1) {
4530                 return ret ? True : False;
4531         }
4532
4533         /* Finally check other access. */
4534         switch (access_mask) {
4535                 case FILE_READ_DATA:
4536                         return (psbuf->st_mode & S_IROTH) ? True : False;
4537
4538                 case FILE_WRITE_DATA:
4539                         return (psbuf->st_mode & S_IWOTH) ? True : False;
4540
4541                 default: /* FILE_READ_DATA|FILE_WRITE_DATA */
4542
4543                         if ((psbuf->st_mode & (S_IWOTH|S_IROTH)) == (S_IWOTH|S_IROTH)) {
4544                                 return True;
4545                         }
4546         }
4547         return False;
4548 }
4549
4550 /****************************************************************************
4551  Userspace check for write access.
4552  Note this doesn't take into account share write permissions.
4553 ****************************************************************************/
4554
4555 BOOL can_write_to_file(connection_struct *conn, const char *fname, SMB_STRUCT_STAT *psbuf)
4556 {
4557         return can_access_file(conn, fname, psbuf, FILE_WRITE_DATA);
4558 }
4559
4560 /********************************************************************
4561  Pull the NT ACL from a file on disk or the OpenEventlog() access
4562  check.  Caller is responsible for freeing the returned security
4563  descriptor via TALLOC_FREE().  This is designed for dealing with 
4564  user space access checks in smbd outside of the VFS.  For example,
4565  checking access rights in OpenEventlog().
4566  
4567  Assume we are dealing with files (for now)
4568 ********************************************************************/
4569
4570 SEC_DESC* get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname)
4571 {
4572         SEC_DESC *psd, *ret_sd;
4573         connection_struct conn;
4574         files_struct finfo;
4575         struct fd_handle fh;
4576         pstring path;
4577         pstring filename;
4578         
4579         ZERO_STRUCT( conn );
4580         
4581         if ( !(conn.mem_ctx = talloc_init( "novfs_get_nt_acl" )) ) {
4582                 DEBUG(0,("get_nt_acl_no_snum: talloc() failed!\n"));
4583                 return NULL;
4584         }
4585
4586         if (!(conn.params = TALLOC_P(conn.mem_ctx, struct share_params))) {
4587                 DEBUG(0,("get_nt_acl_no_snum: talloc() failed!\n"));
4588                 TALLOC_FREE(conn.mem_ctx);
4589                 return NULL;
4590         }
4591
4592         conn.params->service = -1;
4593         
4594         pstrcpy( path, "/" );
4595         set_conn_connectpath(&conn, path);
4596         
4597         if (!smbd_vfs_init(&conn)) {
4598                 DEBUG(0,("get_nt_acl_no_snum: Unable to create a fake connection struct!\n"));
4599                 conn_free_internal( &conn );
4600                 return NULL;
4601         }
4602         
4603         ZERO_STRUCT( finfo );
4604         ZERO_STRUCT( fh );
4605         
4606         finfo.fnum = -1;
4607         finfo.conn = &conn;
4608         finfo.fh = &fh;
4609         finfo.fh->fd = -1;
4610         pstrcpy( filename, fname );
4611         finfo.fsp_name = filename;
4612         
4613         if (get_nt_acl( &finfo, DACL_SECURITY_INFORMATION, &psd ) == 0) {
4614                 DEBUG(0,("get_nt_acl_no_snum: get_nt_acl returned zero.\n"));
4615                 conn_free_internal( &conn );
4616                 return NULL;
4617         }
4618         
4619         ret_sd = dup_sec_desc( ctx, psd );
4620         
4621         conn_free_internal( &conn );
4622         
4623         return ret_sd;
4624 }