From: Jeremy Allison Date: Thu, 30 Oct 2008 20:51:28 +0000 (-0700) Subject: Inherit Windows ACLs on a new directory. X-Git-Tag: samba-4.0.0alpha6~604^2 X-Git-Url: http://git.samba.org/samba.git/?p=ira%2Fwip.git;a=commitdiff_plain;h=782f309df35cba41c9e5b65db242b961bacbbf87 Inherit Windows ACLs on a new directory. Jeremy. --- diff --git a/source3/lib/secdesc.c b/source3/lib/secdesc.c index 6afc165c0f6..1da2b3ec935 100644 --- a/source3/lib/secdesc.c +++ b/source3/lib/secdesc.c @@ -527,9 +527,9 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx, if (creator && container && (new_flags & SEC_ACE_FLAG_CONTAINER_INHERIT)) { - /* First add the regular ACE entry with flags = 0. */ + /* First add the regular ACE entry. */ init_sec_ace(new_ace, ptrustee, ace->type, - ace->access_mask, 0); + ace->access_mask, SEC_ACE_FLAG_INHERITED_ACE); DEBUG(5,("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x" " inherited as %s:%d/0x%02x/0x%08x\n", @@ -549,7 +549,7 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx, } init_sec_ace(new_ace, ptrustee, ace->type, - ace->access_mask, new_flags); + ace->access_mask, new_flags | SEC_ACE_FLAG_INHERITED_ACE); DEBUG(5, ("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x " " inherited as %s:%d/0x%02x/0x%08x\n", diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c index a802dac554b..0baa990ad66 100644 --- a/source3/modules/vfs_acl_xattr.c +++ b/source3/modules/vfs_acl_xattr.c @@ -182,13 +182,13 @@ static NTSTATUS create_acl_blob(const SEC_DESC *psd, DATA_BLOB *pblob) return NT_STATUS_OK; } -static NTSTATUS store_acl_blob(files_struct *fsp, +static NTSTATUS store_acl_blob_fsp(files_struct *fsp, DATA_BLOB *pblob) { int ret; int saved_errno = 0; - DEBUG(10,("store_acl_blob: storing blob length %u on file %s\n", + DEBUG(10,("store_acl_blob_fsp: storing blob length %u on file %s\n", (unsigned int)pblob->length, fsp->fsp_name)); become_root(); 
@@ -206,7 +206,7 @@ static NTSTATUS store_acl_blob(files_struct *fsp, unbecome_root(); if (ret) { errno = saved_errno; - DEBUG(5, ("store_acl_blob: setting attr failed for file %s" + DEBUG(5, ("store_acl_blob_fsp: setting attr failed for file %s" "with error %s\n", fsp->fsp_name, strerror(errno) )); @@ -215,6 +215,36 @@ static NTSTATUS store_acl_blob(files_struct *fsp, return NT_STATUS_OK; } +static NTSTATUS store_acl_blob_pathname(connection_struct *conn, + const char *fname, + DATA_BLOB *pblob) +{ + int ret; + int saved_errno = 0; + + DEBUG(10,("store_acl_blob_pathname: storing blob " + "length %u on file %s\n", + (unsigned int)pblob->length, fname)); + + become_root(); + ret = SMB_VFS_SETXATTR(conn, fname, + XATTR_NTACL_NAME, + pblob->data, pblob->length, 0); + if (ret) { + saved_errno = errno; + } + unbecome_root(); + if (ret) { + errno = saved_errno; + DEBUG(5, ("store_acl_blob_pathname: setting attr failed " + "for file %s with error %s\n", + fname, + strerror(errno) )); + return map_nt_error_from_unix(errno); + } + return NT_STATUS_OK; +} + static NTSTATUS get_nt_acl_xattr_internal(vfs_handle_struct *handle, files_struct *fsp, @@ -261,11 +291,6 @@ static NTSTATUS get_nt_acl_xattr_internal(vfs_handle_struct *handle, return status; } -static int mkdir_acl_xattr(vfs_handle_struct *handle, const char *path, mode_t mode) -{ - return SMB_VFS_NEXT_MKDIR(handle, path, mode); -} - /********************************************************************* * Currently this only works for existing files. Need to work on * inheritance for new files. @@ -273,7 +298,8 @@ static int mkdir_acl_xattr(vfs_handle_struct *handle, const char *path, mode_t static NTSTATUS inherit_new_acl(vfs_handle_struct *handle, const char *fname, - files_struct *fsp) + files_struct *fsp, + bool container) { TALLOC_CTX *ctx = talloc_tos(); NTSTATUS status; 
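Review bot: The failure DEBUG in store_acl_blob_fsp joins two string literals with no space at the seam, so the message reads "for file NAMEwith error ...". While renaming the prefix, the first literal should end in a space: `"store_acl_blob_fsp: setting attr failed for file %s "`. The new store_acl_blob_pathname in the next hunk already has it right, and a consistent message format keeps these ACL-store failures greppable in the logs.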
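Review bot: store_acl_blob_pathname sets the ACL xattr by name while running as root, so the privileged SMB_VFS_SETXATTR acts on whatever `fname` resolves to at call time, which is not guaranteed to be the directory that was just created. Whether the path can be redirected in between (for example by a symlink replacing the final component) depends on path checks that are not visible in this hunk, so that should be confirmed rather than assumed. I would at least state the contract above the function, `/* fname must be a path the caller has just created inside the share; the xattr is written as root and the path is re-resolved at call time. */`, and keep using the fd-based store_acl_blob_fsp wherever an open handle exists. Apart from the setxattr call the body duplicates store_acl_blob_fsp, so the become_root/errno handling could be shared.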
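Review bot: The block comment kept above inherit_new_acl ("Currently this only works for existing files. Need to work on inheritance for new files.") is stale now that the function takes `container` and is called for newly created directories. It should describe the new parameter and say that `fsp` may be NULL, in which case the blob is stored by pathname; a short three-line comment to that effect is enough. The function body continues outside this hunk, so I cannot tell whether anything before the store call still dereferences `fsp`. That needs checking for the NULL that mkdir_acl_xattr passes.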
@@ -313,7 +339,7 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle, parent_desc, &handle->conn->server_info->ptok->user_sids[PRIMARY_USER_SID_INDEX], &handle->conn->server_info->ptok->user_sids[PRIMARY_GROUP_SID_INDEX], - false); + container); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -321,7 +347,11 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle, if (!NT_STATUS_IS_OK(status)) { return status; } - return store_acl_blob(fsp, &blob); + if (fsp) { + return store_acl_blob_fsp(fsp, &blob); + } else { + return store_acl_blob_pathname(handle->conn, fname, &blob); + } } /********************************************************************* @@ -368,12 +398,24 @@ static int open_acl_xattr(vfs_handle_struct *handle, if (!file_existed && fsp->fh->fd != -1) { /* File was created. Inherit from parent directory. */ string_set(&fsp->fsp_name, fname); - inherit_new_acl(handle, fname, fsp); + inherit_new_acl(handle, fname, fsp, false); } return fsp->fh->fd; } +static int mkdir_acl_xattr(vfs_handle_struct *handle, const char *path, mode_t mode) +{ + int ret = SMB_VFS_NEXT_MKDIR(handle, path, mode); + + if (ret == -1) { + return ret; + } + /* New directory - inherit from parent. */ + inherit_new_acl(handle, path, NULL, true); + return ret; +} + static NTSTATUS fget_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp, uint32 security_info, SEC_DESC **ppdesc) { @@ -426,7 +468,7 @@ static NTSTATUS fset_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp, } create_acl_blob(psd, &blob); - store_acl_blob(fsp, &blob); + store_acl_blob_fsp(fsp, &blob); return NT_STATUS_OK; }
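Review bot: mkdir_acl_xattr discards the NTSTATUS from inherit_new_acl, so a directory whose inherited ACL could not be built or stored is reported as created with nothing in the log. Such a directory has no NT ACL xattr and presumably falls back to whatever the POSIX mode maps to, which may not match what the parent's Windows ACL intended. The open_acl_xattr call in this hunk ignores the result the same way, and the last hunk shows fset_nt_acl_xattr returning NT_STATUS_OK without checking create_acl_blob or store_acl_blob_fsp. I would keep the call best-effort but log the failure, as below; whether a failed inheritance should instead fail the mkdir is a policy decision for the module.

```c
static int mkdir_acl_xattr(vfs_handle_struct *handle, const char *path, mode_t mode)
{
	NTSTATUS status;
	/* … unchanged: SMB_VFS_NEXT_MKDIR call and the ret == -1 early return … */

	/* New directory - inherit from parent. Best effort: the
	 * directory already exists, so only report a failure. */
	status = inherit_new_acl(handle, path, NULL, true);
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(3, ("mkdir_acl_xattr: inheriting ACL for %s "
			"failed: %s\n", path, nt_errstr(status)));
	}
	return ret;
}
```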