Update vfs version as I've added a const to the security_descriptor paramter in fset_...
[jra/samba/.git] / source3 / smbd / posix_acls.c
1 /*
2    Unix SMB/CIFS implementation.
3    SMB NT Security Descriptor / Unix permission conversion.
4    Copyright (C) Jeremy Allison 1994-2000.
5    Copyright (C) Andreas Gruenbacher 2002.
6
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License as published by
9    the Free Software Foundation; either version 3 of the License, or
10    (at your option) any later version.
11
12    This program is distributed in the hope that it will be useful,
13    but WITHOUT ANY WARRANTY; without even the implied warranty of
14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15    GNU General Public License for more details.
16
17    You should have received a copy of the GNU General Public License
18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22
23 extern struct current_user current_user;
24 extern const struct generic_mapping file_generic_mapping;
25
26 #undef  DBGC_CLASS
27 #define DBGC_CLASS DBGC_ACLS
28
29 /****************************************************************************
30  Data structures representing the internal ACE format.
31 ****************************************************************************/
32
33 enum ace_owner {UID_ACE, GID_ACE, WORLD_ACE};
34 enum ace_attribute {ALLOW_ACE, DENY_ACE}; /* Used for incoming NT ACLS. */
35
36 typedef union posix_id {
37                 uid_t uid;
38                 gid_t gid;
39                 int world;
40 } posix_id;
41
42 typedef struct canon_ace {
43         struct canon_ace *next, *prev;
44         SMB_ACL_TAG_T type;
45         mode_t perms; /* Only use S_I(R|W|X)USR mode bits here. */
46         DOM_SID trustee;
47         enum ace_owner owner_type;
48         enum ace_attribute attr;
49         posix_id unix_ug;
50         bool inherited;
51 } canon_ace;
52
53 #define ALL_ACE_PERMS (S_IRUSR|S_IWUSR|S_IXUSR)
54
55 /*
56  * EA format of user.SAMBA_PAI (Samba_Posix_Acl_Interitance)
57  * attribute on disk.
58  *
59  * |  1   |  1   |   2         |         2           |  .... 
60  * +------+------+-------------+---------------------+-------------+--------------------+
61  * | vers | flag | num_entries | num_default_entries | ..entries.. | default_entries... |
62  * +------+------+-------------+---------------------+-------------+--------------------+
63  */
64
65 #define PAI_VERSION_OFFSET      0
66 #define PAI_FLAG_OFFSET         1
67 #define PAI_NUM_ENTRIES_OFFSET  2
68 #define PAI_NUM_DEFAULT_ENTRIES_OFFSET  4
69 #define PAI_ENTRIES_BASE        6
70
71 #define PAI_VERSION             1
72 #define PAI_ACL_FLAG_PROTECTED  0x1
73 #define PAI_ENTRY_LENGTH        5
74
75 /*
76  * In memory format of user.SAMBA_PAI attribute.
77  */
78
79 struct pai_entry {
80         struct pai_entry *next, *prev;
81         enum ace_owner owner_type;
82         posix_id unix_ug;
83 };
84
85 struct pai_val {
86         bool pai_protected;
87         unsigned int num_entries;
88         struct pai_entry *entry_list;
89         unsigned int num_def_entries;
90         struct pai_entry *def_entry_list;
91 };
92
93 /************************************************************************
94  Return a uint32 of the pai_entry principal.
95 ************************************************************************/
96
97 static uint32 get_pai_entry_val(struct pai_entry *paie)
98 {
99         switch (paie->owner_type) {
100                 case UID_ACE:
101                         DEBUG(10,("get_pai_entry_val: uid = %u\n", (unsigned int)paie->unix_ug.uid ));
102                         return (uint32)paie->unix_ug.uid;
103                 case GID_ACE:
104                         DEBUG(10,("get_pai_entry_val: gid = %u\n", (unsigned int)paie->unix_ug.gid ));
105                         return (uint32)paie->unix_ug.gid;
106                 case WORLD_ACE:
107                 default:
108                         DEBUG(10,("get_pai_entry_val: world ace\n"));
109                         return (uint32)-1;
110         }
111 }
112
113 /************************************************************************
114  Return a uint32 of the entry principal.
115 ************************************************************************/
116
117 static uint32 get_entry_val(canon_ace *ace_entry)
118 {
119         switch (ace_entry->owner_type) {
120                 case UID_ACE:
121                         DEBUG(10,("get_entry_val: uid = %u\n", (unsigned int)ace_entry->unix_ug.uid ));
122                         return (uint32)ace_entry->unix_ug.uid;
123                 case GID_ACE:
124                         DEBUG(10,("get_entry_val: gid = %u\n", (unsigned int)ace_entry->unix_ug.gid ));
125                         return (uint32)ace_entry->unix_ug.gid;
126                 case WORLD_ACE:
127                 default:
128                         DEBUG(10,("get_entry_val: world ace\n"));
129                         return (uint32)-1;
130         }
131 }
132
133 /************************************************************************
134  Count the inherited entries.
135 ************************************************************************/
136
137 static unsigned int num_inherited_entries(canon_ace *ace_list)
138 {
139         unsigned int num_entries = 0;
140
141         for (; ace_list; ace_list = ace_list->next)
142                 if (ace_list->inherited)
143                         num_entries++;
144         return num_entries;
145 }
146
147 /************************************************************************
148  Create the on-disk format. Caller must free.
149 ************************************************************************/
150
151 static char *create_pai_buf(canon_ace *file_ace_list, canon_ace *dir_ace_list, bool pai_protected, size_t *store_size)
152 {
153         char *pai_buf = NULL;
154         canon_ace *ace_list = NULL;
155         char *entry_offset = NULL;
156         unsigned int num_entries = 0;
157         unsigned int num_def_entries = 0;
158
159         for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next)
160                 if (ace_list->inherited)
161                         num_entries++;
162
163         for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next)
164                 if (ace_list->inherited)
165                         num_def_entries++;
166
167         DEBUG(10,("create_pai_buf: num_entries = %u, num_def_entries = %u\n", num_entries, num_def_entries ));
168
169         *store_size = PAI_ENTRIES_BASE + ((num_entries + num_def_entries)*PAI_ENTRY_LENGTH);
170
171         pai_buf = (char *)SMB_MALLOC(*store_size);
172         if (!pai_buf) {
173                 return NULL;
174         }
175
176         /* Set up the header. */
177         memset(pai_buf, '\0', PAI_ENTRIES_BASE);
178         SCVAL(pai_buf,PAI_VERSION_OFFSET,PAI_VERSION);
179         SCVAL(pai_buf,PAI_FLAG_OFFSET,(pai_protected ? PAI_ACL_FLAG_PROTECTED : 0));
180         SSVAL(pai_buf,PAI_NUM_ENTRIES_OFFSET,num_entries);
181         SSVAL(pai_buf,PAI_NUM_DEFAULT_ENTRIES_OFFSET,num_def_entries);
182
183         entry_offset = pai_buf + PAI_ENTRIES_BASE;
184
185         for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next) {
186                 if (ace_list->inherited) {
187                         uint8 type_val = (unsigned char)ace_list->owner_type;
188                         uint32 entry_val = get_entry_val(ace_list);
189
190                         SCVAL(entry_offset,0,type_val);
191                         SIVAL(entry_offset,1,entry_val);
192                         entry_offset += PAI_ENTRY_LENGTH;
193                 }
194         }
195
196         for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next) {
197                 if (ace_list->inherited) {
198                         uint8 type_val = (unsigned char)ace_list->owner_type;
199                         uint32 entry_val = get_entry_val(ace_list);
200
201                         SCVAL(entry_offset,0,type_val);
202                         SIVAL(entry_offset,1,entry_val);
203                         entry_offset += PAI_ENTRY_LENGTH;
204                 }
205         }
206
207         return pai_buf;
208 }
209
210 /************************************************************************
211  Store the user.SAMBA_PAI attribute on disk.
212 ************************************************************************/
213
214 static void store_inheritance_attributes(files_struct *fsp, canon_ace *file_ace_list,
215                                         canon_ace *dir_ace_list, bool pai_protected)
216 {
217         int ret;
218         size_t store_size;
219         char *pai_buf;
220
221         if (!lp_map_acl_inherit(SNUM(fsp->conn)))
222                 return;
223
224         /*
225          * Don't store if this ACL isn't protected and
226          * none of the entries in it are marked as inherited.
227          */
228
229         if (!pai_protected && num_inherited_entries(file_ace_list) == 0 && num_inherited_entries(dir_ace_list) == 0) {
230                 /* Instead just remove the attribute if it exists. */
231                 if (fsp->fh->fd != -1)
232                         SMB_VFS_FREMOVEXATTR(fsp, SAMBA_POSIX_INHERITANCE_EA_NAME);
233                 else
234                         SMB_VFS_REMOVEXATTR(fsp->conn, fsp->fsp_name, SAMBA_POSIX_INHERITANCE_EA_NAME);
235                 return;
236         }
237
238         pai_buf = create_pai_buf(file_ace_list, dir_ace_list, pai_protected, &store_size);
239
240         if (fsp->fh->fd != -1)
241                 ret = SMB_VFS_FSETXATTR(fsp, SAMBA_POSIX_INHERITANCE_EA_NAME,
242                                 pai_buf, store_size, 0);
243         else
244                 ret = SMB_VFS_SETXATTR(fsp->conn,fsp->fsp_name, SAMBA_POSIX_INHERITANCE_EA_NAME,
245                                 pai_buf, store_size, 0);
246
247         SAFE_FREE(pai_buf);
248
249         DEBUG(10,("store_inheritance_attribute:%s for file %s\n", pai_protected ? " (protected)" : "", fsp->fsp_name));
250         if (ret == -1 && !no_acl_syscall_error(errno))
251                 DEBUG(1,("store_inheritance_attribute: Error %s\n", strerror(errno) ));
252 }
253
254 /************************************************************************
255  Delete the in memory inheritance info.
256 ************************************************************************/
257
258 static void free_inherited_info(struct pai_val *pal)
259 {
260         if (pal) {
261                 struct pai_entry *paie, *paie_next;
262                 for (paie = pal->entry_list; paie; paie = paie_next) {
263                         paie_next = paie->next;
264                         SAFE_FREE(paie);
265                 }
266                 for (paie = pal->def_entry_list; paie; paie = paie_next) {
267                         paie_next = paie->next;
268                         SAFE_FREE(paie);
269                 }
270                 SAFE_FREE(pal);
271         }
272 }
273
274 /************************************************************************
275  Was this ACL protected ?
276 ************************************************************************/
277
278 static bool get_protected_flag(struct pai_val *pal)
279 {
280         if (!pal)
281                 return False;
282         return pal->pai_protected;
283 }
284
285 /************************************************************************
286  Was this ACE inherited ?
287 ************************************************************************/
288
289 static bool get_inherited_flag(struct pai_val *pal, canon_ace *ace_entry, bool default_ace)
290 {
291         struct pai_entry *paie;
292
293         if (!pal)
294                 return False;
295
296         /* If the entry exists it is inherited. */
297         for (paie = (default_ace ? pal->def_entry_list : pal->entry_list); paie; paie = paie->next) {
298                 if (ace_entry->owner_type == paie->owner_type &&
299                                 get_entry_val(ace_entry) == get_pai_entry_val(paie))
300                         return True;
301         }
302         return False;
303 }
304
305 /************************************************************************
306  Ensure an attribute just read is valid.
307 ************************************************************************/
308
309 static bool check_pai_ok(char *pai_buf, size_t pai_buf_data_size)
310 {
311         uint16 num_entries;
312         uint16 num_def_entries;
313
314         if (pai_buf_data_size < PAI_ENTRIES_BASE) {
315                 /* Corrupted - too small. */
316                 return False;
317         }
318
319         if (CVAL(pai_buf,PAI_VERSION_OFFSET) != PAI_VERSION)
320                 return False;
321
322         num_entries = SVAL(pai_buf,PAI_NUM_ENTRIES_OFFSET);
323         num_def_entries = SVAL(pai_buf,PAI_NUM_DEFAULT_ENTRIES_OFFSET);
324
325         /* Check the entry lists match. */
326         /* Each entry is 5 bytes (type plus 4 bytes of uid or gid). */
327
328         if (((num_entries + num_def_entries)*PAI_ENTRY_LENGTH) + PAI_ENTRIES_BASE != pai_buf_data_size)
329                 return False;
330
331         return True;
332 }
333
334
335 /************************************************************************
336  Convert to in-memory format.
337 ************************************************************************/
338
339 static struct pai_val *create_pai_val(char *buf, size_t size)
340 {
341         char *entry_offset;
342         struct pai_val *paiv = NULL;
343         int i;
344
345         if (!check_pai_ok(buf, size))
346                 return NULL;
347
348         paiv = SMB_MALLOC_P(struct pai_val);
349         if (!paiv)
350                 return NULL;
351
352         memset(paiv, '\0', sizeof(struct pai_val));
353
354         paiv->pai_protected = (CVAL(buf,PAI_FLAG_OFFSET) == PAI_ACL_FLAG_PROTECTED);
355
356         paiv->num_entries = SVAL(buf,PAI_NUM_ENTRIES_OFFSET);
357         paiv->num_def_entries = SVAL(buf,PAI_NUM_DEFAULT_ENTRIES_OFFSET);
358
359         entry_offset = buf + PAI_ENTRIES_BASE;
360
361         DEBUG(10,("create_pai_val:%s num_entries = %u, num_def_entries = %u\n",
362                         paiv->pai_protected ? " (pai_protected)" : "", paiv->num_entries, paiv->num_def_entries ));
363
364         for (i = 0; i < paiv->num_entries; i++) {
365                 struct pai_entry *paie;
366
367                 paie = SMB_MALLOC_P(struct pai_entry);
368                 if (!paie) {
369                         free_inherited_info(paiv);
370                         return NULL;
371                 }
372
373                 paie->owner_type = (enum ace_owner)CVAL(entry_offset,0);
374                 switch( paie->owner_type) {
375                         case UID_ACE:
376                                 paie->unix_ug.uid = (uid_t)IVAL(entry_offset,1);
377                                 DEBUG(10,("create_pai_val: uid = %u\n", (unsigned int)paie->unix_ug.uid ));
378                                 break;
379                         case GID_ACE:
380                                 paie->unix_ug.gid = (gid_t)IVAL(entry_offset,1);
381                                 DEBUG(10,("create_pai_val: gid = %u\n", (unsigned int)paie->unix_ug.gid ));
382                                 break;
383                         case WORLD_ACE:
384                                 paie->unix_ug.world = -1;
385                                 DEBUG(10,("create_pai_val: world ace\n"));
386                                 break;
387                         default:
388                                 free_inherited_info(paiv);
389                                 return NULL;
390                 }
391                 entry_offset += PAI_ENTRY_LENGTH;
392                 DLIST_ADD(paiv->entry_list, paie);
393         }
394
395         for (i = 0; i < paiv->num_def_entries; i++) {
396                 struct pai_entry *paie;
397
398                 paie = SMB_MALLOC_P(struct pai_entry);
399                 if (!paie) {
400                         free_inherited_info(paiv);
401                         return NULL;
402                 }
403
404                 paie->owner_type = (enum ace_owner)CVAL(entry_offset,0);
405                 switch( paie->owner_type) {
406                         case UID_ACE:
407                                 paie->unix_ug.uid = (uid_t)IVAL(entry_offset,1);
408                                 DEBUG(10,("create_pai_val: (def) uid = %u\n", (unsigned int)paie->unix_ug.uid ));
409                                 break;
410                         case GID_ACE:
411                                 paie->unix_ug.gid = (gid_t)IVAL(entry_offset,1);
412                                 DEBUG(10,("create_pai_val: (def) gid = %u\n", (unsigned int)paie->unix_ug.gid ));
413                                 break;
414                         case WORLD_ACE:
415                                 paie->unix_ug.world = -1;
416                                 DEBUG(10,("create_pai_val: (def) world ace\n"));
417                                 break;
418                         default:
419                                 free_inherited_info(paiv);
420                                 return NULL;
421                 }
422                 entry_offset += PAI_ENTRY_LENGTH;
423                 DLIST_ADD(paiv->def_entry_list, paie);
424         }
425
426         return paiv;
427 }
428
429 /************************************************************************
430  Load the user.SAMBA_PAI attribute.
431 ************************************************************************/
432
433 static struct pai_val *fload_inherited_info(files_struct *fsp)
434 {
435         char *pai_buf;
436         size_t pai_buf_size = 1024;
437         struct pai_val *paiv = NULL;
438         ssize_t ret;
439
440         if (!lp_map_acl_inherit(SNUM(fsp->conn)))
441                 return NULL;
442
443         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL)
444                 return NULL;
445
446         do {
447                 if (fsp->fh->fd != -1)
448                         ret = SMB_VFS_FGETXATTR(fsp, SAMBA_POSIX_INHERITANCE_EA_NAME,
449                                         pai_buf, pai_buf_size);
450                 else
451                         ret = SMB_VFS_GETXATTR(fsp->conn,fsp->fsp_name,SAMBA_POSIX_INHERITANCE_EA_NAME,
452                                         pai_buf, pai_buf_size);
453
454                 if (ret == -1) {
455                         if (errno != ERANGE) {
456                                 break;
457                         }
458                         /* Buffer too small - enlarge it. */
459                         pai_buf_size *= 2;
460                         SAFE_FREE(pai_buf);
461                         if (pai_buf_size > 1024*1024) {
462                                 return NULL; /* Limit malloc to 1mb. */
463                         }
464                         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL)
465                                 return NULL;
466                 }
467         } while (ret == -1);
468
469         DEBUG(10,("load_inherited_info: ret = %lu for file %s\n", (unsigned long)ret, fsp->fsp_name));
470
471         if (ret == -1) {
472                 /* No attribute or not supported. */
473 #if defined(ENOATTR)
474                 if (errno != ENOATTR)
475                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
476 #else
477                 if (errno != ENOSYS)
478                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
479 #endif
480                 SAFE_FREE(pai_buf);
481                 return NULL;
482         }
483
484         paiv = create_pai_val(pai_buf, ret);
485
486         if (paiv && paiv->pai_protected)
487                 DEBUG(10,("load_inherited_info: ACL is protected for file %s\n", fsp->fsp_name));
488
489         SAFE_FREE(pai_buf);
490         return paiv;
491 }
492
493 /************************************************************************
494  Load the user.SAMBA_PAI attribute.
495 ************************************************************************/
496
497 static struct pai_val *load_inherited_info(const struct connection_struct *conn,
498                                            const char *fname)
499 {
500         char *pai_buf;
501         size_t pai_buf_size = 1024;
502         struct pai_val *paiv = NULL;
503         ssize_t ret;
504
505         if (!lp_map_acl_inherit(SNUM(conn))) {
506                 return NULL;
507         }
508
509         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL) {
510                 return NULL;
511         }
512
513         do {
514                 ret = SMB_VFS_GETXATTR(conn, fname,
515                                        SAMBA_POSIX_INHERITANCE_EA_NAME,
516                                        pai_buf, pai_buf_size);
517
518                 if (ret == -1) {
519                         if (errno != ERANGE) {
520                                 break;
521                         }
522                         /* Buffer too small - enlarge it. */
523                         pai_buf_size *= 2;
524                         SAFE_FREE(pai_buf);
525                         if (pai_buf_size > 1024*1024) {
526                                 return NULL; /* Limit malloc to 1mb. */
527                         }
528                         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL)
529                                 return NULL;
530                 }
531         } while (ret == -1);
532
533         DEBUG(10,("load_inherited_info: ret = %lu for file %s\n", (unsigned long)ret, fname));
534
535         if (ret == -1) {
536                 /* No attribute or not supported. */
537 #if defined(ENOATTR)
538                 if (errno != ENOATTR)
539                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
540 #else
541                 if (errno != ENOSYS)
542                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
543 #endif
544                 SAFE_FREE(pai_buf);
545                 return NULL;
546         }
547
548         paiv = create_pai_val(pai_buf, ret);
549
550         if (paiv && paiv->pai_protected) {
551                 DEBUG(10,("load_inherited_info: ACL is protected for file %s\n", fname));
552         }
553
554         SAFE_FREE(pai_buf);
555         return paiv;
556 }
557
558 /****************************************************************************
559  Functions to manipulate the internal ACE format.
560 ****************************************************************************/
561
562 /****************************************************************************
563  Count a linked list of canonical ACE entries.
564 ****************************************************************************/
565
566 static size_t count_canon_ace_list( canon_ace *list_head )
567 {
568         size_t count = 0;
569         canon_ace *ace;
570
571         for (ace = list_head; ace; ace = ace->next)
572                 count++;
573
574         return count;
575 }
576
577 /****************************************************************************
578  Free a linked list of canonical ACE entries.
579 ****************************************************************************/
580
581 static void free_canon_ace_list( canon_ace *list_head )
582 {
583         canon_ace *list, *next;
584
585         for (list = list_head; list; list = next) {
586                 next = list->next;
587                 DLIST_REMOVE(list_head, list);
588                 SAFE_FREE(list);
589         }
590 }
591
592 /****************************************************************************
593  Function to duplicate a canon_ace entry.
594 ****************************************************************************/
595
596 static canon_ace *dup_canon_ace( canon_ace *src_ace)
597 {
598         canon_ace *dst_ace = SMB_MALLOC_P(canon_ace);
599
600         if (dst_ace == NULL)
601                 return NULL;
602
603         *dst_ace = *src_ace;
604         dst_ace->prev = dst_ace->next = NULL;
605         return dst_ace;
606 }
607
608 /****************************************************************************
609  Print out a canon ace.
610 ****************************************************************************/
611
612 static void print_canon_ace(canon_ace *pace, int num)
613 {
614         dbgtext( "canon_ace index %d. Type = %s ", num, pace->attr == ALLOW_ACE ? "allow" : "deny" );
615         dbgtext( "SID = %s ", sid_string_dbg(&pace->trustee));
616         if (pace->owner_type == UID_ACE) {
617                 const char *u_name = uidtoname(pace->unix_ug.uid);
618                 dbgtext( "uid %u (%s) ", (unsigned int)pace->unix_ug.uid, u_name );
619         } else if (pace->owner_type == GID_ACE) {
620                 char *g_name = gidtoname(pace->unix_ug.gid);
621                 dbgtext( "gid %u (%s) ", (unsigned int)pace->unix_ug.gid, g_name );
622         } else
623                 dbgtext( "other ");
624         switch (pace->type) {
625                 case SMB_ACL_USER:
626                         dbgtext( "SMB_ACL_USER ");
627                         break;
628                 case SMB_ACL_USER_OBJ:
629                         dbgtext( "SMB_ACL_USER_OBJ ");
630                         break;
631                 case SMB_ACL_GROUP:
632                         dbgtext( "SMB_ACL_GROUP ");
633                         break;
634                 case SMB_ACL_GROUP_OBJ:
635                         dbgtext( "SMB_ACL_GROUP_OBJ ");
636                         break;
637                 case SMB_ACL_OTHER:
638                         dbgtext( "SMB_ACL_OTHER ");
639                         break;
640                 default:
641                         dbgtext( "MASK " );
642                         break;
643         }
644         if (pace->inherited)
645                 dbgtext( "(inherited) ");
646         dbgtext( "perms ");
647         dbgtext( "%c", pace->perms & S_IRUSR ? 'r' : '-');
648         dbgtext( "%c", pace->perms & S_IWUSR ? 'w' : '-');
649         dbgtext( "%c\n", pace->perms & S_IXUSR ? 'x' : '-');
650 }
651
652 /****************************************************************************
653  Print out a canon ace list.
654 ****************************************************************************/
655
656 static void print_canon_ace_list(const char *name, canon_ace *ace_list)
657 {
658         int count = 0;
659
660         if( DEBUGLVL( 10 )) {
661                 dbgtext( "print_canon_ace_list: %s\n", name );
662                 for (;ace_list; ace_list = ace_list->next, count++)
663                         print_canon_ace(ace_list, count );
664         }
665 }
666
667 /****************************************************************************
668  Map POSIX ACL perms to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
669 ****************************************************************************/
670
671 static mode_t convert_permset_to_mode_t(connection_struct *conn, SMB_ACL_PERMSET_T permset)
672 {
673         mode_t ret = 0;
674
675         ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_READ) ? S_IRUSR : 0);
676         ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_WRITE) ? S_IWUSR : 0);
677         ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_EXECUTE) ? S_IXUSR : 0);
678
679         return ret;
680 }
681
682 /****************************************************************************
683  Map generic UNIX permissions to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
684 ****************************************************************************/
685
686 static mode_t unix_perms_to_acl_perms(mode_t mode, int r_mask, int w_mask, int x_mask)
687 {
688         mode_t ret = 0;
689
690         if (mode & r_mask)
691                 ret |= S_IRUSR;
692         if (mode & w_mask)
693                 ret |= S_IWUSR;
694         if (mode & x_mask)
695                 ret |= S_IXUSR;
696
697         return ret;
698 }
699
700 /****************************************************************************
701  Map canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits) to
702  an SMB_ACL_PERMSET_T.
703 ****************************************************************************/
704
705 static int map_acl_perms_to_permset(connection_struct *conn, mode_t mode, SMB_ACL_PERMSET_T *p_permset)
706 {
707         if (SMB_VFS_SYS_ACL_CLEAR_PERMS(conn, *p_permset) ==  -1)
708                 return -1;
709         if (mode & S_IRUSR) {
710                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_READ) == -1)
711                         return -1;
712         }
713         if (mode & S_IWUSR) {
714                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_WRITE) == -1)
715                         return -1;
716         }
717         if (mode & S_IXUSR) {
718                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_EXECUTE) == -1)
719                         return -1;
720         }
721         return 0;
722 }
723
724 /****************************************************************************
725  Function to create owner and group SIDs from a SMB_STRUCT_STAT.
726 ****************************************************************************/
727
728 static void create_file_sids(const SMB_STRUCT_STAT *psbuf, DOM_SID *powner_sid, DOM_SID *pgroup_sid)
729 {
730         uid_to_sid( powner_sid, psbuf->st_uid );
731         gid_to_sid( pgroup_sid, psbuf->st_gid );
732 }
733
734 /****************************************************************************
735  Is the identity in two ACEs equal ? Check both SID and uid/gid.
736 ****************************************************************************/
737
738 static bool identity_in_ace_equal(canon_ace *ace1, canon_ace *ace2)
739 {
740         if (sid_equal(&ace1->trustee, &ace2->trustee)) {
741                 return True;
742         }
743         if (ace1->owner_type == ace2->owner_type) {
744                 if (ace1->owner_type == UID_ACE &&
745                                 ace1->unix_ug.uid == ace2->unix_ug.uid) {
746                         return True;
747                 } else if (ace1->owner_type == GID_ACE &&
748                                 ace1->unix_ug.gid == ace2->unix_ug.gid) {
749                         return True;
750                 }
751         }
752         return False;
753 }
754
755 /****************************************************************************
756  Merge aces with a common sid - if both are allow or deny, OR the permissions together and
757  delete the second one. If the first is deny, mask the permissions off and delete the allow
758  if the permissions become zero, delete the deny if the permissions are non zero.
759 ****************************************************************************/
760
761 static void merge_aces( canon_ace **pp_list_head )
762 {
763         canon_ace *list_head = *pp_list_head;
764         canon_ace *curr_ace_outer;
765         canon_ace *curr_ace_outer_next;
766
767         /*
768          * First, merge allow entries with identical SIDs, and deny entries
769          * with identical SIDs.
770          */
771
772         for (curr_ace_outer = list_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
773                 canon_ace *curr_ace;
774                 canon_ace *curr_ace_next;
775
776                 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
777
778                 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
779
780                         curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
781
782                         if (identity_in_ace_equal(curr_ace, curr_ace_outer) &&
783                                 (curr_ace->attr == curr_ace_outer->attr)) {
784
785                                 if( DEBUGLVL( 10 )) {
786                                         dbgtext("merge_aces: Merging ACE's\n");
787                                         print_canon_ace( curr_ace_outer, 0);
788                                         print_canon_ace( curr_ace, 0);
789                                 }
790
791                                 /* Merge two allow or two deny ACE's. */
792
793                                 curr_ace_outer->perms |= curr_ace->perms;
794                                 DLIST_REMOVE(list_head, curr_ace);
795                                 SAFE_FREE(curr_ace);
796                                 curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
797                         }
798                 }
799         }
800
801         /*
802          * Now go through and mask off allow permissions with deny permissions.
803          * We can delete either the allow or deny here as we know that each SID
804          * appears only once in the list.
805          */
806
807         for (curr_ace_outer = list_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
808                 canon_ace *curr_ace;
809                 canon_ace *curr_ace_next;
810
811                 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
812
813                 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
814
815                         curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
816
817                         /*
818                          * Subtract ACE's with different entries. Due to the ordering constraints
819                          * we've put on the ACL, we know the deny must be the first one.
820                          */
821
822                         if (identity_in_ace_equal(curr_ace, curr_ace_outer) &&
823                                 (curr_ace_outer->attr == DENY_ACE) && (curr_ace->attr == ALLOW_ACE)) {
824
825                                 if( DEBUGLVL( 10 )) {
826                                         dbgtext("merge_aces: Masking ACE's\n");
827                                         print_canon_ace( curr_ace_outer, 0);
828                                         print_canon_ace( curr_ace, 0);
829                                 }
830
831                                 curr_ace->perms &= ~curr_ace_outer->perms;
832
833                                 if (curr_ace->perms == 0) {
834
835                                         /*
836                                          * The deny overrides the allow. Remove the allow.
837                                          */
838
839                                         DLIST_REMOVE(list_head, curr_ace);
840                                         SAFE_FREE(curr_ace);
841                                         curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
842
843                                 } else {
844
845                                         /*
846                                          * Even after removing permissions, there
847                                          * are still allow permissions - delete the deny.
848                                          * It is safe to delete the deny here,
849                                          * as we are guarenteed by the deny first
850                                          * ordering that all the deny entries for
851                                          * this SID have already been merged into one
852                                          * before we can get to an allow ace.
853                                          */
854
855                                         DLIST_REMOVE(list_head, curr_ace_outer);
856                                         SAFE_FREE(curr_ace_outer);
857                                         break;
858                                 }
859                         }
860
861                 } /* end for curr_ace */
862         } /* end for curr_ace_outer */
863
864         /* We may have modified the list. */
865
866         *pp_list_head = list_head;
867 }
868
869 /****************************************************************************
870  Check if we need to return NT4.x compatible ACL entries.
871 ****************************************************************************/
872
873 static bool nt4_compatible_acls(void)
874 {
875         int compat = lp_acl_compatibility();
876
877         if (compat == ACL_COMPAT_AUTO) {
878                 enum remote_arch_types ra_type = get_remote_arch();
879
880                 /* Automatically adapt to client */
881                 return (ra_type <= RA_WINNT);
882         } else
883                 return (compat == ACL_COMPAT_WINNT);
884 }
885
886
887 /****************************************************************************
888  Map canon_ace perms to permission bits NT.
889  The attr element is not used here - we only process deny entries on set,
890  not get. Deny entries are implicit on get with ace->perms = 0.
891 ****************************************************************************/
892
893 static SEC_ACCESS map_canon_ace_perms(int snum,
894                                 enum security_ace_type *pacl_type,
895                                 mode_t perms,
896                                 bool directory_ace)
897 {
898         SEC_ACCESS sa;
899         uint32 nt_mask = 0;
900
901         *pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED;
902
903         if (lp_acl_map_full_control(snum) && ((perms & ALL_ACE_PERMS) == ALL_ACE_PERMS)) {
904                 if (directory_ace) {
905                         nt_mask = UNIX_DIRECTORY_ACCESS_RWX;
906                 } else {
907                         nt_mask = (UNIX_ACCESS_RWX & ~DELETE_ACCESS);
908                 }
909         } else if ((perms & ALL_ACE_PERMS) == (mode_t)0) {
910                 /*
911                  * Windows NT refuses to display ACEs with no permissions in them (but
912                  * they are perfectly legal with Windows 2000). If the ACE has empty
913                  * permissions we cannot use 0, so we use the otherwise unused
914                  * WRITE_OWNER permission, which we ignore when we set an ACL.
915                  * We abstract this into a #define of UNIX_ACCESS_NONE to allow this
916                  * to be changed in the future.
917                  */
918
919                 if (nt4_compatible_acls())
920                         nt_mask = UNIX_ACCESS_NONE;
921                 else
922                         nt_mask = 0;
923         } else {
924                 if (directory_ace) {
925                         nt_mask |= ((perms & S_IRUSR) ? UNIX_DIRECTORY_ACCESS_R : 0 );
926                         nt_mask |= ((perms & S_IWUSR) ? UNIX_DIRECTORY_ACCESS_W : 0 );
927                         nt_mask |= ((perms & S_IXUSR) ? UNIX_DIRECTORY_ACCESS_X : 0 );
928                 } else {
929                         nt_mask |= ((perms & S_IRUSR) ? UNIX_ACCESS_R : 0 );
930                         nt_mask |= ((perms & S_IWUSR) ? UNIX_ACCESS_W : 0 );
931                         nt_mask |= ((perms & S_IXUSR) ? UNIX_ACCESS_X : 0 );
932                 }
933         }
934
935         DEBUG(10,("map_canon_ace_perms: Mapped (UNIX) %x to (NT) %x\n",
936                         (unsigned int)perms, (unsigned int)nt_mask ));
937
938         init_sec_access(&sa,nt_mask);
939         return sa;
940 }
941
942 /****************************************************************************
943  Map NT perms to a UNIX mode_t.
944 ****************************************************************************/
945
946 #define FILE_SPECIFIC_READ_BITS (FILE_READ_DATA|FILE_READ_EA|FILE_READ_ATTRIBUTES)
947 #define FILE_SPECIFIC_WRITE_BITS (FILE_WRITE_DATA|FILE_APPEND_DATA|FILE_WRITE_EA|FILE_WRITE_ATTRIBUTES)
948 #define FILE_SPECIFIC_EXECUTE_BITS (FILE_EXECUTE)
949
950 static mode_t map_nt_perms( uint32 *mask, int type)
951 {
952         mode_t mode = 0;
953
954         switch(type) {
955         case S_IRUSR:
956                 if((*mask) & GENERIC_ALL_ACCESS)
957                         mode = S_IRUSR|S_IWUSR|S_IXUSR;
958                 else {
959                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRUSR : 0;
960                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWUSR : 0;
961                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXUSR : 0;
962                 }
963                 break;
964         case S_IRGRP:
965                 if((*mask) & GENERIC_ALL_ACCESS)
966                         mode = S_IRGRP|S_IWGRP|S_IXGRP;
967                 else {
968                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRGRP : 0;
969                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWGRP : 0;
970                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXGRP : 0;
971                 }
972                 break;
973         case S_IROTH:
974                 if((*mask) & GENERIC_ALL_ACCESS)
975                         mode = S_IROTH|S_IWOTH|S_IXOTH;
976                 else {
977                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IROTH : 0;
978                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWOTH : 0;
979                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXOTH : 0;
980                 }
981                 break;
982         }
983
984         return mode;
985 }
986
987 /****************************************************************************
988  Unpack a SEC_DESC into a UNIX owner and group.
989 ****************************************************************************/
990
991 NTSTATUS unpack_nt_owners(int snum, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, const SEC_DESC *psd)
992 {
993         DOM_SID owner_sid;
994         DOM_SID grp_sid;
995
996         *puser = (uid_t)-1;
997         *pgrp = (gid_t)-1;
998
999         if(security_info_sent == 0) {
1000                 DEBUG(0,("unpack_nt_owners: no security info sent !\n"));
1001                 return NT_STATUS_OK;
1002         }
1003
1004         /*
1005          * Validate the owner and group SID's.
1006          */
1007
1008         memset(&owner_sid, '\0', sizeof(owner_sid));
1009         memset(&grp_sid, '\0', sizeof(grp_sid));
1010
1011         DEBUG(5,("unpack_nt_owners: validating owner_sids.\n"));
1012
1013         /*
1014          * Don't immediately fail if the owner sid cannot be validated.
1015          * This may be a group chown only set.
1016          */
1017
1018         if (security_info_sent & OWNER_SECURITY_INFORMATION) {
1019                 sid_copy(&owner_sid, psd->owner_sid);
1020                 if (!sid_to_uid(&owner_sid, puser)) {
1021                         if (lp_force_unknown_acl_user(snum)) {
1022                                 /* this allows take ownership to work
1023                                  * reasonably */
1024                                 *puser = current_user.ut.uid;
1025                         } else {
1026                                 DEBUG(3,("unpack_nt_owners: unable to validate"
1027                                          " owner sid for %s\n",
1028                                          sid_string_dbg(&owner_sid)));
1029                                 return NT_STATUS_INVALID_OWNER;
1030                         }
1031                 }
1032                 DEBUG(3,("unpack_nt_owners: owner sid mapped to uid %u\n",
1033                          (unsigned int)*puser ));
1034         }
1035
1036         /*
1037          * Don't immediately fail if the group sid cannot be validated.
1038          * This may be an owner chown only set.
1039          */
1040
1041         if (security_info_sent & GROUP_SECURITY_INFORMATION) {
1042                 sid_copy(&grp_sid, psd->group_sid);
1043                 if (!sid_to_gid( &grp_sid, pgrp)) {
1044                         if (lp_force_unknown_acl_user(snum)) {
1045                                 /* this allows take group ownership to work
1046                                  * reasonably */
1047                                 *pgrp = current_user.ut.gid;
1048                         } else {
1049                                 DEBUG(3,("unpack_nt_owners: unable to validate"
1050                                          " group sid.\n"));
1051                                 return NT_STATUS_INVALID_OWNER;
1052                         }
1053                 }
1054                 DEBUG(3,("unpack_nt_owners: group sid mapped to gid %u\n",
1055                          (unsigned int)*pgrp));
1056         }
1057
1058         DEBUG(5,("unpack_nt_owners: owner_sids validated.\n"));
1059
1060         return NT_STATUS_OK;
1061 }
1062
1063 /****************************************************************************
1064  Ensure the enforced permissions for this share apply.
1065 ****************************************************************************/
1066
1067 static void apply_default_perms(const struct share_params *params,
1068                                 const bool is_directory, canon_ace *pace,
1069                                 mode_t type)
1070 {
1071         mode_t and_bits = (mode_t)0;
1072         mode_t or_bits = (mode_t)0;
1073
1074         /* Get the initial bits to apply. */
1075
1076         if (is_directory) {
1077                 and_bits = lp_dir_security_mask(params->service);
1078                 or_bits = lp_force_dir_security_mode(params->service);
1079         } else {
1080                 and_bits = lp_security_mask(params->service);
1081                 or_bits = lp_force_security_mode(params->service);
1082         }
1083
1084         /* Now bounce them into the S_USR space. */     
1085         switch(type) {
1086         case S_IRUSR:
1087                 /* Ensure owner has read access. */
1088                 pace->perms |= S_IRUSR;
1089                 if (is_directory)
1090                         pace->perms |= (S_IWUSR|S_IXUSR);
1091                 and_bits = unix_perms_to_acl_perms(and_bits, S_IRUSR, S_IWUSR, S_IXUSR);
1092                 or_bits = unix_perms_to_acl_perms(or_bits, S_IRUSR, S_IWUSR, S_IXUSR);
1093                 break;
1094         case S_IRGRP:
1095                 and_bits = unix_perms_to_acl_perms(and_bits, S_IRGRP, S_IWGRP, S_IXGRP);
1096                 or_bits = unix_perms_to_acl_perms(or_bits, S_IRGRP, S_IWGRP, S_IXGRP);
1097                 break;
1098         case S_IROTH:
1099                 and_bits = unix_perms_to_acl_perms(and_bits, S_IROTH, S_IWOTH, S_IXOTH);
1100                 or_bits = unix_perms_to_acl_perms(or_bits, S_IROTH, S_IWOTH, S_IXOTH);
1101                 break;
1102         }
1103
1104         pace->perms = ((pace->perms & and_bits)|or_bits);
1105 }
1106
1107 /****************************************************************************
1108  Check if a given uid/SID is in a group gid/SID. This is probably very
1109  expensive and will need optimisation. A *lot* of optimisation :-). JRA.
1110 ****************************************************************************/
1111
1112 static bool uid_entry_in_group( canon_ace *uid_ace, canon_ace *group_ace )
1113 {
1114         const char *u_name = NULL;
1115
1116         /* "Everyone" always matches every uid. */
1117
1118         if (sid_equal(&group_ace->trustee, &global_sid_World))
1119                 return True;
1120
1121         /* Assume that the current user is in the current group (force group) */
1122
1123         if (uid_ace->unix_ug.uid == current_user.ut.uid && group_ace->unix_ug.gid == current_user.ut.gid)
1124                 return True;
1125
1126         /* u_name talloc'ed off tos. */
1127         u_name = uidtoname(uid_ace->unix_ug.uid);
1128         if (!u_name) {
1129                 return False;
1130         }
1131         return user_in_group_sid(u_name, &group_ace->trustee);
1132 }
1133
1134 /****************************************************************************
1135  A well formed POSIX file or default ACL has at least 3 entries, a 
1136  SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ.
1137  In addition, the owner must always have at least read access.
1138  When using this call on get_acl, the pst struct is valid and contains
1139  the mode of the file. When using this call on set_acl, the pst struct has
1140  been modified to have a mode containing the default for this file or directory
1141  type.
1142 ****************************************************************************/
1143
1144 static bool ensure_canon_entry_valid(canon_ace **pp_ace,
1145                                      const struct share_params *params,
1146                                      const bool is_directory,
1147                                                         const DOM_SID *pfile_owner_sid,
1148                                                         const DOM_SID *pfile_grp_sid,
1149                                                         const SMB_STRUCT_STAT *pst,
1150                                                         bool setting_acl)
1151 {
1152         canon_ace *pace;
1153         bool got_user = False;
1154         bool got_grp = False;
1155         bool got_other = False;
1156         canon_ace *pace_other = NULL;
1157
1158         for (pace = *pp_ace; pace; pace = pace->next) {
1159                 if (pace->type == SMB_ACL_USER_OBJ) {
1160
1161                         if (setting_acl)
1162                                 apply_default_perms(params, is_directory, pace, S_IRUSR);
1163                         got_user = True;
1164
1165                 } else if (pace->type == SMB_ACL_GROUP_OBJ) {
1166
1167                         /*
1168                          * Ensure create mask/force create mode is respected on set.
1169                          */
1170
1171                         if (setting_acl)
1172                                 apply_default_perms(params, is_directory, pace, S_IRGRP);
1173                         got_grp = True;
1174
1175                 } else if (pace->type == SMB_ACL_OTHER) {
1176
1177                         /*
1178                          * Ensure create mask/force create mode is respected on set.
1179                          */
1180
1181                         if (setting_acl)
1182                                 apply_default_perms(params, is_directory, pace, S_IROTH);
1183                         got_other = True;
1184                         pace_other = pace;
1185                 }
1186         }
1187
1188         if (!got_user) {
1189                 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1190                         DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1191                         return False;
1192                 }
1193
1194                 ZERO_STRUCTP(pace);
1195                 pace->type = SMB_ACL_USER_OBJ;
1196                 pace->owner_type = UID_ACE;
1197                 pace->unix_ug.uid = pst->st_uid;
1198                 pace->trustee = *pfile_owner_sid;
1199                 pace->attr = ALLOW_ACE;
1200
1201                 if (setting_acl) {
1202                         /* See if the owning user is in any of the other groups in
1203                            the ACE. If so, OR in the permissions from that group. */
1204
1205                         bool group_matched = False;
1206                         canon_ace *pace_iter;
1207
1208                         for (pace_iter = *pp_ace; pace_iter; pace_iter = pace_iter->next) {
1209                                 if (pace_iter->type == SMB_ACL_GROUP_OBJ || pace_iter->type == SMB_ACL_GROUP) {
1210                                         if (uid_entry_in_group(pace, pace_iter)) {
1211                                                 pace->perms |= pace_iter->perms;
1212                                                 group_matched = True;
1213                                         }
1214                                 }
1215                         }
1216
1217                         /* If we only got an "everyone" perm, just use that. */
1218                         if (!group_matched) {
1219                                 if (got_other)
1220                                         pace->perms = pace_other->perms;
1221                                 else
1222                                         pace->perms = 0;
1223                         }
1224
1225                         apply_default_perms(params, is_directory, pace, S_IRUSR);
1226                 } else {
1227                         pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IRUSR, S_IWUSR, S_IXUSR);
1228                 }
1229
1230                 DLIST_ADD(*pp_ace, pace);
1231         }
1232
1233         if (!got_grp) {
1234                 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1235                         DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1236                         return False;
1237                 }
1238
1239                 ZERO_STRUCTP(pace);
1240                 pace->type = SMB_ACL_GROUP_OBJ;
1241                 pace->owner_type = GID_ACE;
1242                 pace->unix_ug.uid = pst->st_gid;
1243                 pace->trustee = *pfile_grp_sid;
1244                 pace->attr = ALLOW_ACE;
1245                 if (setting_acl) {
1246                         /* If we only got an "everyone" perm, just use that. */
1247                         if (got_other)
1248                                 pace->perms = pace_other->perms;
1249                         else
1250                                 pace->perms = 0;
1251                         apply_default_perms(params, is_directory, pace, S_IRGRP);
1252                 } else {
1253                         pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IRGRP, S_IWGRP, S_IXGRP);
1254                 }
1255
1256                 DLIST_ADD(*pp_ace, pace);
1257         }
1258
1259         if (!got_other) {
1260                 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1261                         DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1262                         return False;
1263                 }
1264
1265                 ZERO_STRUCTP(pace);
1266                 pace->type = SMB_ACL_OTHER;
1267                 pace->owner_type = WORLD_ACE;
1268                 pace->unix_ug.world = -1;
1269                 pace->trustee = global_sid_World;
1270                 pace->attr = ALLOW_ACE;
1271                 if (setting_acl) {
1272                         pace->perms = 0;
1273                         apply_default_perms(params, is_directory, pace, S_IROTH);
1274                 } else
1275                         pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IROTH, S_IWOTH, S_IXOTH);
1276
1277                 DLIST_ADD(*pp_ace, pace);
1278         }
1279
1280         return True;
1281 }
1282
1283 /****************************************************************************
1284  Check if a POSIX ACL has the required SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries.
1285  If it does not have them, check if there are any entries where the trustee is the
1286  file owner or the owning group, and map these to SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ.
1287 ****************************************************************************/
1288
1289 static void check_owning_objs(canon_ace *ace, DOM_SID *pfile_owner_sid, DOM_SID *pfile_grp_sid)
1290 {
1291         bool got_user_obj, got_group_obj;
1292         canon_ace *current_ace;
1293         int i, entries;
1294
1295         entries = count_canon_ace_list(ace);
1296         got_user_obj = False;
1297         got_group_obj = False;
1298
1299         for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1300                 if (current_ace->type == SMB_ACL_USER_OBJ)
1301                         got_user_obj = True;
1302                 else if (current_ace->type == SMB_ACL_GROUP_OBJ)
1303                         got_group_obj = True;
1304         }
1305         if (got_user_obj && got_group_obj) {
1306                 DEBUG(10,("check_owning_objs: ACL had owning user/group entries.\n"));
1307                 return;
1308         }
1309
1310         for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1311                 if (!got_user_obj && current_ace->owner_type == UID_ACE &&
1312                                 sid_equal(&current_ace->trustee, pfile_owner_sid)) {
1313                         current_ace->type = SMB_ACL_USER_OBJ;
1314                         got_user_obj = True;
1315                 }
1316                 if (!got_group_obj && current_ace->owner_type == GID_ACE &&
1317                                 sid_equal(&current_ace->trustee, pfile_grp_sid)) {
1318                         current_ace->type = SMB_ACL_GROUP_OBJ;
1319                         got_group_obj = True;
1320                 }
1321         }
1322         if (!got_user_obj)
1323                 DEBUG(10,("check_owning_objs: ACL is missing an owner entry.\n"));
1324         if (!got_group_obj)
1325                 DEBUG(10,("check_owning_objs: ACL is missing an owning group entry.\n"));
1326 }
1327
1328 /****************************************************************************
1329  Unpack a SEC_DESC into two canonical ace lists.
1330 ****************************************************************************/
1331
1332 static bool create_canon_ace_lists(files_struct *fsp,
1333                                         SMB_STRUCT_STAT *pst,
1334                                         DOM_SID *pfile_owner_sid,
1335                                         DOM_SID *pfile_grp_sid,
1336                                         canon_ace **ppfile_ace,
1337                                         canon_ace **ppdir_ace,
1338                                         const SEC_ACL *dacl)
1339 {
1340         bool all_aces_are_inherit_only = (fsp->is_directory ? True : False);
1341         canon_ace *file_ace = NULL;
1342         canon_ace *dir_ace = NULL;
1343         canon_ace *current_ace = NULL;
1344         bool got_dir_allow = False;
1345         bool got_file_allow = False;
1346         int i, j;
1347
1348         *ppfile_ace = NULL;
1349         *ppdir_ace = NULL;
1350
1351         /*
1352          * Convert the incoming ACL into a more regular form.
1353          */
1354
1355         for(i = 0; i < dacl->num_aces; i++) {
1356                 SEC_ACE *psa = &dacl->aces[i];
1357
1358                 if((psa->type != SEC_ACE_TYPE_ACCESS_ALLOWED) && (psa->type != SEC_ACE_TYPE_ACCESS_DENIED)) {
1359                         DEBUG(3,("create_canon_ace_lists: unable to set anything but an ALLOW or DENY ACE.\n"));
1360                         return False;
1361                 }
1362
1363                 if (nt4_compatible_acls()) {
1364                         /*
1365                          * The security mask may be UNIX_ACCESS_NONE which should map into
1366                          * no permissions (we overload the WRITE_OWNER bit for this) or it
1367                          * should be one of the ALL/EXECUTE/READ/WRITE bits. Arrange for this
1368                          * to be so. Any other bits override the UNIX_ACCESS_NONE bit.
1369                          */
1370
1371                         /*
1372                          * Convert GENERIC bits to specific bits.
1373                          */
1374  
1375                         se_map_generic(&psa->access_mask, &file_generic_mapping);
1376
1377                         psa->access_mask &= (UNIX_ACCESS_NONE|FILE_ALL_ACCESS);
1378
1379                         if(psa->access_mask != UNIX_ACCESS_NONE)
1380                                 psa->access_mask &= ~UNIX_ACCESS_NONE;
1381                 }
1382         }
1383
1384         /*
1385          * Deal with the fact that NT 4.x re-writes the canonical format
1386          * that we return for default ACLs. If a directory ACE is identical
1387          * to a inherited directory ACE then NT changes the bits so that the
1388          * first ACE is set to OI|IO and the second ACE for this SID is set
1389          * to CI. We need to repair this. JRA.
1390          */
1391
1392         for(i = 0; i < dacl->num_aces; i++) {
1393                 SEC_ACE *psa1 = &dacl->aces[i];
1394
1395                 for (j = i + 1; j < dacl->num_aces; j++) {
1396                         SEC_ACE *psa2 = &dacl->aces[j];
1397
1398                         if (psa1->access_mask != psa2->access_mask)
1399                                 continue;
1400
1401                         if (!sid_equal(&psa1->trustee, &psa2->trustee))
1402                                 continue;
1403
1404                         /*
1405                          * Ok - permission bits and SIDs are equal.
1406                          * Check if flags were re-written.
1407                          */
1408
1409                         if (psa1->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1410
1411                                 psa1->flags |= (psa2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1412                                 psa2->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1413
1414                         } else if (psa2->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1415
1416                                 psa2->flags |= (psa1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1417                                 psa1->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1418
1419                         }
1420                 }
1421         }
1422
1423         for(i = 0; i < dacl->num_aces; i++) {
1424                 SEC_ACE *psa = &dacl->aces[i];
1425
1426                 /*
1427                  * Create a cannon_ace entry representing this NT DACL ACE.
1428                  */
1429
1430                 if ((current_ace = SMB_MALLOC_P(canon_ace)) == NULL) {
1431                         free_canon_ace_list(file_ace);
1432                         free_canon_ace_list(dir_ace);
1433                         DEBUG(0,("create_canon_ace_lists: malloc fail.\n"));
1434                         return False;
1435                 }
1436
1437                 ZERO_STRUCTP(current_ace);
1438
1439                 sid_copy(&current_ace->trustee, &psa->trustee);
1440
1441                 /*
1442                  * Try and work out if the SID is a user or group
1443                  * as we need to flag these differently for POSIX.
1444                  * Note what kind of a POSIX ACL this should map to.
1445                  */
1446
1447                 if( sid_equal(&current_ace->trustee, &global_sid_World)) {
1448                         current_ace->owner_type = WORLD_ACE;
1449                         current_ace->unix_ug.world = -1;
1450                         current_ace->type = SMB_ACL_OTHER;
1451                 } else if (sid_equal(&current_ace->trustee, &global_sid_Creator_Owner)) {
1452                         current_ace->owner_type = UID_ACE;
1453                         current_ace->unix_ug.uid = pst->st_uid;
1454                         current_ace->type = SMB_ACL_USER_OBJ;
1455
1456                         /*
1457                          * The Creator Owner entry only specifies inheritable permissions,
1458                          * never access permissions. WinNT doesn't always set the ACE to
1459                          *INHERIT_ONLY, though.
1460                          */
1461
1462                         if (nt4_compatible_acls())
1463                                 psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1464                 } else if (sid_equal(&current_ace->trustee, &global_sid_Creator_Group)) {
1465                         current_ace->owner_type = GID_ACE;
1466                         current_ace->unix_ug.gid = pst->st_gid;
1467                         current_ace->type = SMB_ACL_GROUP_OBJ;
1468
1469                         /*
1470                          * The Creator Group entry only specifies inheritable permissions,
1471                          * never access permissions. WinNT doesn't always set the ACE to
1472                          *INHERIT_ONLY, though.
1473                          */
1474                         if (nt4_compatible_acls())
1475                                 psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1476
1477                 } else if (sid_to_uid( &current_ace->trustee, &current_ace->unix_ug.uid)) {
1478                         current_ace->owner_type = UID_ACE;
1479                         /* If it's the owning user, this is a user_obj, not
1480                          * a user. */
1481                         if (current_ace->unix_ug.uid == pst->st_uid) {
1482                                 current_ace->type = SMB_ACL_USER_OBJ;
1483                         } else {
1484                                 current_ace->type = SMB_ACL_USER;
1485                         }
1486                 } else if (sid_to_gid( &current_ace->trustee, &current_ace->unix_ug.gid)) {
1487                         current_ace->owner_type = GID_ACE;
1488                         /* If it's the primary group, this is a group_obj, not
1489                          * a group. */
1490                         if (current_ace->unix_ug.gid == pst->st_gid) {
1491                                 current_ace->type = SMB_ACL_GROUP_OBJ;
1492                         } else {
1493                                 current_ace->type = SMB_ACL_GROUP;
1494                         }
1495                 } else {
1496                         /*
1497                          * Silently ignore map failures in non-mappable SIDs (NT Authority, BUILTIN etc).
1498                          */
1499
1500                         if (non_mappable_sid(&psa->trustee)) {
1501                                 DEBUG(10, ("create_canon_ace_lists: ignoring "
1502                                            "non-mappable SID %s\n",
1503                                            sid_string_dbg(&psa->trustee)));
1504                                 SAFE_FREE(current_ace);
1505                                 continue;
1506                         }
1507
1508                         free_canon_ace_list(file_ace);
1509                         free_canon_ace_list(dir_ace);
1510                         DEBUG(0, ("create_canon_ace_lists: unable to map SID "
1511                                   "%s to uid or gid.\n",
1512                                   sid_string_dbg(&current_ace->trustee)));
1513                         SAFE_FREE(current_ace);
1514                         return False;
1515                 }
1516
1517                 /*
1518                  * Map the given NT permissions into a UNIX mode_t containing only
1519                  * S_I(R|W|X)USR bits.
1520                  */
1521
1522                 current_ace->perms |= map_nt_perms( &psa->access_mask, S_IRUSR);
1523                 current_ace->attr = (psa->type == SEC_ACE_TYPE_ACCESS_ALLOWED) ? ALLOW_ACE : DENY_ACE;
1524                 current_ace->inherited = ((psa->flags & SEC_ACE_FLAG_INHERITED_ACE) ? True : False);
1525
1526                 /*
1527                  * Now add the created ace to either the file list, the directory
1528                  * list, or both. We *MUST* preserve the order here (hence we use
1529                  * DLIST_ADD_END) as NT ACLs are order dependent.
1530                  */
1531
1532                 if (fsp->is_directory) {
1533
1534                         /*
1535                          * We can only add to the default POSIX ACE list if the ACE is
1536                          * designed to be inherited by both files and directories.
1537                          */
1538
1539                         if ((psa->flags & (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) ==
1540                                 (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) {
1541
1542                                 DLIST_ADD_END(dir_ace, current_ace, canon_ace *);
1543
1544                                 /*
1545                                  * Note if this was an allow ace. We can't process
1546                                  * any further deny ace's after this.
1547                                  */
1548
1549                                 if (current_ace->attr == ALLOW_ACE)
1550                                         got_dir_allow = True;
1551
1552                                 if ((current_ace->attr == DENY_ACE) && got_dir_allow) {
1553                                         DEBUG(0,("create_canon_ace_lists: malformed ACL in inheritable ACL ! \
1554 Deny entry after Allow entry. Failing to set on file %s.\n", fsp->fsp_name ));
1555                                         free_canon_ace_list(file_ace);
1556                                         free_canon_ace_list(dir_ace);
1557                                         return False;
1558                                 }       
1559
1560                                 if( DEBUGLVL( 10 )) {
1561                                         dbgtext("create_canon_ace_lists: adding dir ACL:\n");
1562                                         print_canon_ace( current_ace, 0);
1563                                 }
1564
1565                                 /*
1566                                  * If this is not an inherit only ACE we need to add a duplicate
1567                                  * to the file acl.
1568                                  */
1569
1570                                 if (!(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1571                                         canon_ace *dup_ace = dup_canon_ace(current_ace);
1572
1573                                         if (!dup_ace) {
1574                                                 DEBUG(0,("create_canon_ace_lists: malloc fail !\n"));
1575                                                 free_canon_ace_list(file_ace);
1576                                                 free_canon_ace_list(dir_ace);
1577                                                 return False;
1578                                         }
1579
1580                                         /*
1581                                          * We must not free current_ace here as its
1582                                          * pointer is now owned by the dir_ace list.
1583                                          */
1584                                         current_ace = dup_ace;
1585                                 } else {
1586                                         /*
1587                                          * We must not free current_ace here as its
1588                                          * pointer is now owned by the dir_ace list.
1589                                          */
1590                                         current_ace = NULL;
1591                                 }
1592                         }
1593                 }
1594
1595                 /*
1596                  * Only add to the file ACL if not inherit only.
1597                  */
1598
1599                 if (current_ace && !(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1600                         DLIST_ADD_END(file_ace, current_ace, canon_ace *);
1601
1602                         /*
1603                          * Note if this was an allow ace. We can't process
1604                          * any further deny ace's after this.
1605                          */
1606
1607                         if (current_ace->attr == ALLOW_ACE)
1608                                 got_file_allow = True;
1609
1610                         if ((current_ace->attr == DENY_ACE) && got_file_allow) {
1611                                 DEBUG(0,("create_canon_ace_lists: malformed ACL in file ACL ! \
1612 Deny entry after Allow entry. Failing to set on file %s.\n", fsp->fsp_name ));
1613                                 free_canon_ace_list(file_ace);
1614                                 free_canon_ace_list(dir_ace);
1615                                 return False;
1616                         }       
1617
1618                         if( DEBUGLVL( 10 )) {
1619                                 dbgtext("create_canon_ace_lists: adding file ACL:\n");
1620                                 print_canon_ace( current_ace, 0);
1621                         }
1622                         all_aces_are_inherit_only = False;
1623                         /*
1624                          * We must not free current_ace here as its
1625                          * pointer is now owned by the file_ace list.
1626                          */
1627                         current_ace = NULL;
1628                 }
1629
1630                 /*
1631                  * Free if ACE was not added.
1632                  */
1633
1634                 SAFE_FREE(current_ace);
1635         }
1636
1637         if (fsp->is_directory && all_aces_are_inherit_only) {
1638                 /*
1639                  * Windows 2000 is doing one of these weird 'inherit acl'
1640                  * traverses to conserve NTFS ACL resources. Just pretend
1641                  * there was no DACL sent. JRA.
1642                  */
1643
1644                 DEBUG(10,("create_canon_ace_lists: Win2k inherit acl traverse. Ignoring DACL.\n"));
1645                 free_canon_ace_list(file_ace);
1646                 free_canon_ace_list(dir_ace);
1647                 file_ace = NULL;
1648                 dir_ace = NULL;
1649         } else {
1650                 /*
1651                  * Check if we have SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries in each
1652                  * ACL. If we don't have them, check if any SMB_ACL_USER/SMB_ACL_GROUP
1653                  * entries can be converted to *_OBJ. Usually we will already have these
1654                  * entries in the Default ACL, and the Access ACL will not have them.
1655                  */
1656                 if (file_ace) {
1657                         check_owning_objs(file_ace, pfile_owner_sid, pfile_grp_sid);
1658                 }
1659                 if (dir_ace) {
1660                         check_owning_objs(dir_ace, pfile_owner_sid, pfile_grp_sid);
1661                 }
1662         }
1663
1664         *ppfile_ace = file_ace;
1665         *ppdir_ace = dir_ace;
1666
1667         return True;
1668 }
1669
1670 /****************************************************************************
1671  ASCII art time again... JRA :-).
1672
1673  We have 4 cases to process when moving from an NT ACL to a POSIX ACL. Firstly,
1674  we insist the ACL is in canonical form (ie. all DENY entries preceede ALLOW
1675  entries). Secondly, the merge code has ensured that all duplicate SID entries for
1676  allow or deny have been merged, so the same SID can only appear once in the deny
1677  list or once in the allow list.
1678
1679  We then process as follows :
1680
1681  ---------------------------------------------------------------------------
1682  First pass - look for a Everyone DENY entry.
1683
1684  If it is deny all (rwx) trunate the list at this point.
1685  Else, walk the list from this point and use the deny permissions of this
1686  entry as a mask on all following allow entries. Finally, delete
1687  the Everyone DENY entry (we have applied it to everything possible).
1688
1689  In addition, in this pass we remove any DENY entries that have 
1690  no permissions (ie. they are a DENY nothing).
1691  ---------------------------------------------------------------------------
1692  Second pass - only deal with deny user entries.
1693
1694  DENY user1 (perms XXX)
1695
1696  new_perms = 0
1697  for all following allow group entries where user1 is in group
1698         new_perms |= group_perms;
1699
1700  user1 entry perms = new_perms & ~ XXX;
1701
1702  Convert the deny entry to an allow entry with the new perms and
1703  push to the end of the list. Note if the user was in no groups
1704  this maps to a specific allow nothing entry for this user.
1705
1706  The common case from the NT ACL choser (userX deny all) is
1707  optimised so we don't do the group lookup - we just map to
1708  an allow nothing entry.
1709
1710  What we're doing here is inferring the allow permissions the
1711  person setting the ACE on user1 wanted by looking at the allow
1712  permissions on the groups the user is currently in. This will
1713  be a snapshot, depending on group membership but is the best
1714  we can do and has the advantage of failing closed rather than
1715  open.
1716  ---------------------------------------------------------------------------
1717  Third pass - only deal with deny group entries.
1718
1719  DENY group1 (perms XXX)
1720
1721  for all following allow user entries where user is in group1
1722    user entry perms = user entry perms & ~ XXX;
1723
1724  If there is a group Everyone allow entry with permissions YYY,
1725  convert the group1 entry to an allow entry and modify its
1726  permissions to be :
1727
1728  new_perms = YYY & ~ XXX
1729
1730  and push to the end of the list.
1731
1732  If there is no group Everyone allow entry then convert the
1733  group1 entry to a allow nothing entry and push to the end of the list.
1734
1735  Note that the common case from the NT ACL choser (groupX deny all)
1736  cannot be optimised here as we need to modify user entries who are
1737  in the group to change them to a deny all also.
1738
1739  What we're doing here is modifying the allow permissions of
1740  user entries (which are more specific in POSIX ACLs) to mask
1741  out the explicit deny set on the group they are in. This will
1742  be a snapshot depending on current group membership but is the
1743  best we can do and has the advantage of failing closed rather
1744  than open.
1745  ---------------------------------------------------------------------------
1746  Fourth pass - cope with cumulative permissions.
1747
1748  for all allow user entries, if there exists an allow group entry with
1749  more permissive permissions, and the user is in that group, rewrite the
1750  allow user permissions to contain both sets of permissions.
1751
1752  Currently the code for this is #ifdef'ed out as these semantics make
1753  no sense to me. JRA.
1754  ---------------------------------------------------------------------------
1755
1756  Note we *MUST* do the deny user pass first as this will convert deny user
1757  entries into allow user entries which can then be processed by the deny
1758  group pass.
1759
1760  The above algorithm took a *lot* of thinking about - hence this
1761  explaination :-). JRA.
1762 ****************************************************************************/
1763
1764 /****************************************************************************
1765  Process a canon_ace list entries. This is very complex code. We need
1766  to go through and remove the "deny" permissions from any allow entry that matches
1767  the id of this entry. We have already refused any NT ACL that wasn't in correct
1768  order (DENY followed by ALLOW). If any allow entry ends up with zero permissions,
1769  we just remove it (to fail safe). We have already removed any duplicate ace
1770  entries. Treat an "Everyone" DENY_ACE as a special case - use it to mask all
1771  allow entries.
1772 ****************************************************************************/
1773
1774 static void process_deny_list( canon_ace **pp_ace_list )
1775 {
1776         canon_ace *ace_list = *pp_ace_list;
1777         canon_ace *curr_ace = NULL;
1778         canon_ace *curr_ace_next = NULL;
1779
1780         /* Pass 1 above - look for an Everyone, deny entry. */
1781
1782         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
1783                 canon_ace *allow_ace_p;
1784
1785                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
1786
1787                 if (curr_ace->attr != DENY_ACE)
1788                         continue;
1789
1790                 if (curr_ace->perms == (mode_t)0) {
1791
1792                         /* Deny nothing entry - delete. */
1793
1794                         DLIST_REMOVE(ace_list, curr_ace);
1795                         continue;
1796                 }
1797
1798                 if (!sid_equal(&curr_ace->trustee, &global_sid_World))
1799                         continue;
1800
1801                 /* JRATEST - assert. */
1802                 SMB_ASSERT(curr_ace->owner_type == WORLD_ACE);
1803
1804                 if (curr_ace->perms == ALL_ACE_PERMS) {
1805
1806                         /*
1807                          * Optimisation. This is a DENY_ALL to Everyone. Truncate the
1808                          * list at this point including this entry.
1809                          */
1810
1811                         canon_ace *prev_entry = curr_ace->prev;
1812
1813                         free_canon_ace_list( curr_ace );
1814                         if (prev_entry)
1815                                 prev_entry->next = NULL;
1816                         else {
1817                                 /* We deleted the entire list. */
1818                                 ace_list = NULL;
1819                         }
1820                         break;
1821                 }
1822
1823                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
1824
1825                         /* 
1826                          * Only mask off allow entries.
1827                          */
1828
1829                         if (allow_ace_p->attr != ALLOW_ACE)
1830                                 continue;
1831
1832                         allow_ace_p->perms &= ~curr_ace->perms;
1833                 }
1834
1835                 /*
1836                  * Now it's been applied, remove it.
1837                  */
1838
1839                 DLIST_REMOVE(ace_list, curr_ace);
1840         }
1841
1842         /* Pass 2 above - deal with deny user entries. */
1843
1844         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
1845                 mode_t new_perms = (mode_t)0;
1846                 canon_ace *allow_ace_p;
1847
1848                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
1849
1850                 if (curr_ace->attr != DENY_ACE)
1851                         continue;
1852
1853                 if (curr_ace->owner_type != UID_ACE)
1854                         continue;
1855
1856                 if (curr_ace->perms == ALL_ACE_PERMS) {
1857
1858                         /*
1859                          * Optimisation - this is a deny everything to this user.
1860                          * Convert to an allow nothing and push to the end of the list.
1861                          */
1862
1863                         curr_ace->attr = ALLOW_ACE;
1864                         curr_ace->perms = (mode_t)0;
1865                         DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
1866                         continue;
1867                 }
1868
1869                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
1870
1871                         if (allow_ace_p->attr != ALLOW_ACE)
1872                                 continue;
1873
1874                         /* We process GID_ACE and WORLD_ACE entries only. */
1875
1876                         if (allow_ace_p->owner_type == UID_ACE)
1877                                 continue;
1878
1879                         if (uid_entry_in_group( curr_ace, allow_ace_p))
1880                                 new_perms |= allow_ace_p->perms;
1881                 }
1882
1883                 /*
1884                  * Convert to a allow entry, modify the perms and push to the end
1885                  * of the list.
1886                  */
1887
1888                 curr_ace->attr = ALLOW_ACE;
1889                 curr_ace->perms = (new_perms & ~curr_ace->perms);
1890                 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
1891         }
1892
1893         /* Pass 3 above - deal with deny group entries. */
1894
1895         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
1896                 canon_ace *allow_ace_p;
1897                 canon_ace *allow_everyone_p = NULL;
1898
1899                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
1900
1901                 if (curr_ace->attr != DENY_ACE)
1902                         continue;
1903
1904                 if (curr_ace->owner_type != GID_ACE)
1905                         continue;
1906
1907                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
1908
1909                         if (allow_ace_p->attr != ALLOW_ACE)
1910                                 continue;
1911
1912                         /* Store a pointer to the Everyone allow, if it exists. */
1913                         if (allow_ace_p->owner_type == WORLD_ACE)
1914                                 allow_everyone_p = allow_ace_p;
1915
1916                         /* We process UID_ACE entries only. */
1917
1918                         if (allow_ace_p->owner_type != UID_ACE)
1919                                 continue;
1920
1921                         /* Mask off the deny group perms. */
1922
1923                         if (uid_entry_in_group( allow_ace_p, curr_ace))
1924                                 allow_ace_p->perms &= ~curr_ace->perms;
1925                 }
1926
1927                 /*
1928                  * Convert the deny to an allow with the correct perms and
1929                  * push to the end of the list.
1930                  */
1931
1932                 curr_ace->attr = ALLOW_ACE;
1933                 if (allow_everyone_p)
1934                         curr_ace->perms = allow_everyone_p->perms & ~curr_ace->perms;
1935                 else
1936                         curr_ace->perms = (mode_t)0;
1937                 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
1938         }
1939
1940         /* Doing this fourth pass allows Windows semantics to be layered
1941          * on top of POSIX semantics. I'm not sure if this is desirable.
1942          * For example, in W2K ACLs there is no way to say, "Group X no
1943          * access, user Y full access" if user Y is a member of group X.
1944          * This seems completely broken semantics to me.... JRA.
1945          */
1946
1947 #if 0
1948         /* Pass 4 above - deal with allow entries. */
1949
1950         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
1951                 canon_ace *allow_ace_p;
1952
1953                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
1954
1955                 if (curr_ace->attr != ALLOW_ACE)
1956                         continue;
1957
1958                 if (curr_ace->owner_type != UID_ACE)
1959                         continue;
1960
1961                 for (allow_ace_p = ace_list; allow_ace_p; allow_ace_p = allow_ace_p->next) {
1962
1963                         if (allow_ace_p->attr != ALLOW_ACE)
1964                                 continue;
1965
1966                         /* We process GID_ACE entries only. */
1967
1968                         if (allow_ace_p->owner_type != GID_ACE)
1969                                 continue;
1970
1971                         /* OR in the group perms. */
1972
1973                         if (uid_entry_in_group( curr_ace, allow_ace_p))
1974                                 curr_ace->perms |= allow_ace_p->perms;
1975                 }
1976         }
1977 #endif
1978
1979         *pp_ace_list = ace_list;
1980 }
1981
1982 /****************************************************************************
1983  Create a default mode that will be used if a security descriptor entry has
1984  no user/group/world entries.
1985 ****************************************************************************/
1986
1987 static mode_t create_default_mode(files_struct *fsp, bool interitable_mode)
1988 {
1989         int snum = SNUM(fsp->conn);
1990         mode_t and_bits = (mode_t)0;
1991         mode_t or_bits = (mode_t)0;
1992         mode_t mode = interitable_mode
1993                 ? unix_mode( fsp->conn, FILE_ATTRIBUTE_ARCHIVE, fsp->fsp_name,
1994                              NULL )
1995                 : S_IRUSR;
1996
1997         if (fsp->is_directory)
1998                 mode |= (S_IWUSR|S_IXUSR);
1999
2000         /*
2001          * Now AND with the create mode/directory mode bits then OR with the
2002          * force create mode/force directory mode bits.
2003          */
2004
2005         if (fsp->is_directory) {
2006                 and_bits = lp_dir_security_mask(snum);
2007                 or_bits = lp_force_dir_security_mode(snum);
2008         } else {
2009                 and_bits = lp_security_mask(snum);
2010                 or_bits = lp_force_security_mode(snum);
2011         }
2012
2013         return ((mode & and_bits)|or_bits);
2014 }
2015
2016 /****************************************************************************
2017  Unpack a SEC_DESC into two canonical ace lists. We don't depend on this
2018  succeeding.
2019 ****************************************************************************/
2020
2021 static bool unpack_canon_ace(files_struct *fsp,
2022                                 SMB_STRUCT_STAT *pst,
2023                                 DOM_SID *pfile_owner_sid,
2024                                 DOM_SID *pfile_grp_sid,
2025                                 canon_ace **ppfile_ace,
2026                                 canon_ace **ppdir_ace,
2027                                 uint32 security_info_sent,
2028                                 const SEC_DESC *psd)
2029 {
2030         canon_ace *file_ace = NULL;
2031         canon_ace *dir_ace = NULL;
2032
2033         *ppfile_ace = NULL;
2034         *ppdir_ace = NULL;
2035
2036         if(security_info_sent == 0) {
2037                 DEBUG(0,("unpack_canon_ace: no security info sent !\n"));
2038                 return False;
2039         }
2040
2041         /*
2042          * If no DACL then this is a chown only security descriptor.
2043          */
2044
2045         if(!(security_info_sent & DACL_SECURITY_INFORMATION) || !psd->dacl)
2046                 return True;
2047
2048         /*
2049          * Now go through the DACL and create the canon_ace lists.
2050          */
2051
2052         if (!create_canon_ace_lists( fsp, pst, pfile_owner_sid, pfile_grp_sid,
2053                                                                 &file_ace, &dir_ace, psd->dacl))
2054                 return False;
2055
2056         if ((file_ace == NULL) && (dir_ace == NULL)) {
2057                 /* W2K traverse DACL set - ignore. */
2058                 return True;
2059         }
2060
2061         /*
2062          * Go through the canon_ace list and merge entries
2063          * belonging to identical users of identical allow or deny type.
2064          * We can do this as all deny entries come first, followed by
2065          * all allow entries (we have mandated this before accepting this acl).
2066          */
2067
2068         print_canon_ace_list( "file ace - before merge", file_ace);
2069         merge_aces( &file_ace );
2070
2071         print_canon_ace_list( "dir ace - before merge", dir_ace);
2072         merge_aces( &dir_ace );
2073
2074         /*
2075          * NT ACLs are order dependent. Go through the acl lists and
2076          * process DENY entries by masking the allow entries.
2077          */
2078
2079         print_canon_ace_list( "file ace - before deny", file_ace);
2080         process_deny_list( &file_ace);
2081
2082         print_canon_ace_list( "dir ace - before deny", dir_ace);
2083         process_deny_list( &dir_ace);
2084
2085         /*
2086          * A well formed POSIX file or default ACL has at least 3 entries, a 
2087          * SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ
2088          * and optionally a mask entry. Ensure this is the case.
2089          */
2090
2091         print_canon_ace_list( "file ace - before valid", file_ace);
2092
2093         /*
2094          * A default 3 element mode entry for a file should be r-- --- ---.
2095          * A default 3 element mode entry for a directory should be rwx --- ---.
2096          */
2097
2098         pst->st_mode = create_default_mode(fsp, False);
2099
2100         if (!ensure_canon_entry_valid(&file_ace, fsp->conn->params, fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
2101                 free_canon_ace_list(file_ace);
2102                 free_canon_ace_list(dir_ace);
2103                 return False;
2104         }
2105
2106         print_canon_ace_list( "dir ace - before valid", dir_ace);
2107
2108         /*
2109          * A default inheritable 3 element mode entry for a directory should be the
2110          * mode Samba will use to create a file within. Ensure user rwx bits are set if
2111          * it's a directory.
2112          */
2113
2114         pst->st_mode = create_default_mode(fsp, True);
2115
2116         if (dir_ace && !ensure_canon_entry_valid(&dir_ace, fsp->conn->params, fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
2117                 free_canon_ace_list(file_ace);
2118                 free_canon_ace_list(dir_ace);
2119                 return False;
2120         }
2121
2122         print_canon_ace_list( "file ace - return", file_ace);
2123         print_canon_ace_list( "dir ace - return", dir_ace);
2124
2125         *ppfile_ace = file_ace;
2126         *ppdir_ace = dir_ace;
2127         return True;
2128
2129 }
2130
2131 /******************************************************************************
2132  When returning permissions, try and fit NT display
2133  semantics if possible. Note the the canon_entries here must have been malloced.
2134  The list format should be - first entry = owner, followed by group and other user
2135  entries, last entry = other.
2136
2137  Note that this doesn't exactly match the NT semantics for an ACL. As POSIX entries
2138  are not ordered, and match on the most specific entry rather than walking a list,
2139  then a simple POSIX permission of rw-r--r-- should really map to 5 entries,
2140
2141  Entry 0: owner : deny all except read and write.
2142  Entry 1: owner : allow read and write.
2143  Entry 2: group : deny all except read.
2144  Entry 3: group : allow read.
2145  Entry 4: Everyone : allow read.
2146
2147  But NT cannot display this in their ACL editor !
2148 ********************************************************************************/
2149
2150 static void arrange_posix_perms(const char *filename, canon_ace **pp_list_head)
2151 {
2152         canon_ace *list_head = *pp_list_head;
2153         canon_ace *owner_ace = NULL;
2154         canon_ace *other_ace = NULL;
2155         canon_ace *ace = NULL;
2156
2157         for (ace = list_head; ace; ace = ace->next) {
2158                 if (ace->type == SMB_ACL_USER_OBJ)
2159                         owner_ace = ace;
2160                 else if (ace->type == SMB_ACL_OTHER) {
2161                         /* Last ace - this is "other" */
2162                         other_ace = ace;
2163                 }
2164         }
2165                 
2166         if (!owner_ace || !other_ace) {
2167                 DEBUG(0,("arrange_posix_perms: Invalid POSIX permissions for file %s, missing owner or other.\n",
2168                         filename ));
2169                 return;
2170         }
2171
2172         /*
2173          * The POSIX algorithm applies to owner first, and other last,
2174          * so ensure they are arranged in this order.
2175          */
2176
2177         if (owner_ace) {
2178                 DLIST_PROMOTE(list_head, owner_ace);
2179         }
2180
2181         if (other_ace) {
2182                 DLIST_DEMOTE(list_head, other_ace, canon_ace *);
2183         }
2184
2185         /* We have probably changed the head of the list. */
2186
2187         *pp_list_head = list_head;
2188 }
2189                 
2190 /****************************************************************************
2191  Create a linked list of canonical ACE entries.
2192 ****************************************************************************/
2193
2194 static canon_ace *canonicalise_acl(struct connection_struct *conn,
2195                                    const char *fname, SMB_ACL_T posix_acl,
2196                                    const SMB_STRUCT_STAT *psbuf,
2197                                    const DOM_SID *powner, const DOM_SID *pgroup, struct pai_val *pal, SMB_ACL_TYPE_T the_acl_type)
2198 {
2199         mode_t acl_mask = (S_IRUSR|S_IWUSR|S_IXUSR);
2200         canon_ace *list_head = NULL;
2201         canon_ace *ace = NULL;
2202         canon_ace *next_ace = NULL;
2203         int entry_id = SMB_ACL_FIRST_ENTRY;
2204         SMB_ACL_ENTRY_T entry;
2205         size_t ace_count;
2206
2207         while ( posix_acl && (SMB_VFS_SYS_ACL_GET_ENTRY(conn, posix_acl, entry_id, &entry) == 1)) {
2208                 SMB_ACL_TAG_T tagtype;
2209                 SMB_ACL_PERMSET_T permset;
2210                 DOM_SID sid;
2211                 posix_id unix_ug;
2212                 enum ace_owner owner_type;
2213
2214                 entry_id = SMB_ACL_NEXT_ENTRY;
2215
2216                 /* Is this a MASK entry ? */
2217                 if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) == -1)
2218                         continue;
2219
2220                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1)
2221                         continue;
2222
2223                 /* Decide which SID to use based on the ACL type. */
2224                 switch(tagtype) {
2225                         case SMB_ACL_USER_OBJ:
2226                                 /* Get the SID from the owner. */
2227                                 sid_copy(&sid, powner);
2228                                 unix_ug.uid = psbuf->st_uid;
2229                                 owner_type = UID_ACE;
2230                                 break;
2231                         case SMB_ACL_USER:
2232                                 {
2233                                         uid_t *puid = (uid_t *)SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry);
2234                                         if (puid == NULL) {
2235                                                 DEBUG(0,("canonicalise_acl: Failed to get uid.\n"));
2236                                                 continue;
2237                                         }
2238                                         /*
2239                                          * A SMB_ACL_USER entry for the owner is shadowed by the
2240                                          * SMB_ACL_USER_OBJ entry and Windows also cannot represent
2241                                          * that entry, so we ignore it. We also don't create such
2242                                          * entries out of the blue when setting ACLs, so a get/set
2243                                          * cycle will drop them.
2244                                          */
2245                                         if (the_acl_type == SMB_ACL_TYPE_ACCESS && *puid == psbuf->st_uid) {
2246                                                 SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)puid,tagtype);
2247                                                 continue;
2248                                         }
2249                                         uid_to_sid( &sid, *puid);
2250                                         unix_ug.uid = *puid;
2251                                         owner_type = UID_ACE;
2252                                         SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)puid,tagtype);
2253                                         break;
2254                                 }
2255                         case SMB_ACL_GROUP_OBJ:
2256                                 /* Get the SID from the owning group. */
2257                                 sid_copy(&sid, pgroup);
2258                                 unix_ug.gid = psbuf->st_gid;
2259                                 owner_type = GID_ACE;
2260                                 break;
2261                         case SMB_ACL_GROUP:
2262                                 {
2263                                         gid_t *pgid = (gid_t *)SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry);
2264                                         if (pgid == NULL) {
2265                                                 DEBUG(0,("canonicalise_acl: Failed to get gid.\n"));
2266                                                 continue;
2267                                         }
2268                                         gid_to_sid( &sid, *pgid);
2269                                         unix_ug.gid = *pgid;
2270                                         owner_type = GID_ACE;
2271                                         SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)pgid,tagtype);
2272                                         break;
2273                                 }
2274                         case SMB_ACL_MASK:
2275                                 acl_mask = convert_permset_to_mode_t(conn, permset);
2276                                 continue; /* Don't count the mask as an entry. */
2277                         case SMB_ACL_OTHER:
2278                                 /* Use the Everyone SID */
2279                                 sid = global_sid_World;
2280                                 unix_ug.world = -1;
2281                                 owner_type = WORLD_ACE;
2282                                 break;
2283                         default:
2284                                 DEBUG(0,("canonicalise_acl: Unknown tagtype %u\n", (unsigned int)tagtype));
2285                                 continue;
2286                 }
2287
2288                 /*
2289                  * Add this entry to the list.
2290                  */
2291
2292                 if ((ace = SMB_MALLOC_P(canon_ace)) == NULL)
2293                         goto fail;
2294
2295                 ZERO_STRUCTP(ace);
2296                 ace->type = tagtype;
2297                 ace->perms = convert_permset_to_mode_t(conn, permset);
2298                 ace->attr = ALLOW_ACE;
2299                 ace->trustee = sid;
2300                 ace->unix_ug = unix_ug;
2301                 ace->owner_type = owner_type;
2302                 ace->inherited = get_inherited_flag(pal, ace, (the_acl_type == SMB_ACL_TYPE_DEFAULT));
2303
2304                 DLIST_ADD(list_head, ace);
2305         }
2306
2307         /*
2308          * This next call will ensure we have at least a user/group/world set.
2309          */
2310
2311         if (!ensure_canon_entry_valid(&list_head, conn->params,
2312                                       S_ISDIR(psbuf->st_mode), powner, pgroup,
2313                                       psbuf, False))
2314                 goto fail;
2315
2316         /*
2317          * Now go through the list, masking the permissions with the
2318          * acl_mask. Ensure all DENY Entries are at the start of the list.
2319          */
2320
2321         DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", the_acl_type == SMB_ACL_TYPE_ACCESS ? "Access" : "Default" ));
2322
2323         for ( ace_count = 0, ace = list_head; ace; ace = next_ace, ace_count++) {
2324                 next_ace = ace->next;
2325
2326                 /* Masks are only applied to entries other than USER_OBJ and OTHER. */
2327                 if (ace->type != SMB_ACL_OTHER && ace->type != SMB_ACL_USER_OBJ)
2328                         ace->perms &= acl_mask;
2329
2330                 if (ace->perms == 0) {
2331                         DLIST_PROMOTE(list_head, ace);
2332                 }
2333
2334                 if( DEBUGLVL( 10 ) ) {
2335                         print_canon_ace(ace, ace_count);
2336                 }
2337         }
2338
2339         arrange_posix_perms(fname,&list_head );
2340
2341         print_canon_ace_list( "canonicalise_acl: ace entries after arrange", list_head );
2342
2343         return list_head;
2344
2345   fail:
2346
2347         free_canon_ace_list(list_head);
2348         return NULL;
2349 }
2350
2351 /****************************************************************************
2352  Check if the current user group list contains a given group.
2353 ****************************************************************************/
2354
2355 static bool current_user_in_group(gid_t gid)
2356 {
2357         int i;
2358
2359         for (i = 0; i < current_user.ut.ngroups; i++) {
2360                 if (current_user.ut.groups[i] == gid) {
2361                         return True;
2362                 }
2363         }
2364
2365         return False;
2366 }
2367
2368 /****************************************************************************
2369  Should we override a deny ? Check 'acl group control' and 'dos filemode'.
2370 ****************************************************************************/
2371
2372 static bool acl_group_override(connection_struct *conn,
2373                                 gid_t prim_gid,
2374                                 const char *fname)
2375 {
2376         SMB_STRUCT_STAT sbuf;
2377
2378         if ((errno != EPERM) && (errno != EACCES)) {
2379                 return false;
2380         }
2381
2382         /* file primary group == user primary or supplementary group */
2383         if (lp_acl_group_control(SNUM(conn)) &&
2384                         current_user_in_group(prim_gid)) {
2385                 return true;
2386         }
2387
2388         /* user has writeable permission */
2389         if (lp_dos_filemode(SNUM(conn)) &&
2390                         can_write_to_file(conn, fname, &sbuf)) {
2391                 return true;
2392         }
2393
2394         return false;
2395 }
2396
2397 /****************************************************************************
2398  Attempt to apply an ACL to a file or directory.
2399 ****************************************************************************/
2400
2401 static bool set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, bool default_ace, gid_t prim_gid, bool *pacl_set_support)
2402 {
2403         connection_struct *conn = fsp->conn;
2404         bool ret = False;
2405         SMB_ACL_T the_acl = SMB_VFS_SYS_ACL_INIT(conn, (int)count_canon_ace_list(the_ace) + 1);
2406         canon_ace *p_ace;
2407         int i;
2408         SMB_ACL_ENTRY_T mask_entry;
2409         bool got_mask_entry = False;
2410         SMB_ACL_PERMSET_T mask_permset;
2411         SMB_ACL_TYPE_T the_acl_type = (default_ace ? SMB_ACL_TYPE_DEFAULT : SMB_ACL_TYPE_ACCESS);
2412         bool needs_mask = False;
2413         mode_t mask_perms = 0;
2414
2415 #if defined(POSIX_ACL_NEEDS_MASK)
2416         /* HP-UX always wants to have a mask (called "class" there). */
2417         needs_mask = True;
2418 #endif
2419
2420         if (the_acl == NULL) {
2421
2422                 if (!no_acl_syscall_error(errno)) {
2423                         /*
2424                          * Only print this error message if we have some kind of ACL
2425                          * support that's not working. Otherwise we would always get this.
2426                          */
2427                         DEBUG(0,("set_canon_ace_list: Unable to init %s ACL. (%s)\n",
2428                                 default_ace ? "default" : "file", strerror(errno) ));
2429                 }
2430                 *pacl_set_support = False;
2431                 return False;
2432         }
2433
2434         if( DEBUGLVL( 10 )) {
2435                 dbgtext("set_canon_ace_list: setting ACL:\n");
2436                 for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2437                         print_canon_ace( p_ace, i);
2438                 }
2439         }
2440
2441         for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2442                 SMB_ACL_ENTRY_T the_entry;
2443                 SMB_ACL_PERMSET_T the_permset;
2444
2445                 /*
2446                  * ACLs only "need" an ACL_MASK entry if there are any named user or
2447                  * named group entries. But if there is an ACL_MASK entry, it applies
2448                  * to ACL_USER, ACL_GROUP, and ACL_GROUP_OBJ entries. Set the mask
2449                  * so that it doesn't deny (i.e., mask off) any permissions.
2450                  */
2451
2452                 if (p_ace->type == SMB_ACL_USER || p_ace->type == SMB_ACL_GROUP) {
2453                         needs_mask = True;
2454                         mask_perms |= p_ace->perms;
2455                 } else if (p_ace->type == SMB_ACL_GROUP_OBJ) {
2456                         mask_perms |= p_ace->perms;
2457                 }
2458
2459                 /*
2460                  * Get the entry for this ACE.
2461                  */
2462
2463                 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &the_entry) == -1) {
2464                         DEBUG(0,("set_canon_ace_list: Failed to create entry %d. (%s)\n",
2465                                 i, strerror(errno) ));
2466                         goto fail;
2467                 }
2468
2469                 if (p_ace->type == SMB_ACL_MASK) {
2470                         mask_entry = the_entry;
2471                         got_mask_entry = True;
2472                 }
2473
2474                 /*
2475                  * Ok - we now know the ACL calls should be working, don't
2476                  * allow fallback to chmod.
2477                  */
2478
2479                 *pacl_set_support = True;
2480
2481                 /*
2482                  * Initialise the entry from the canon_ace.
2483                  */
2484
2485                 /*
2486                  * First tell the entry what type of ACE this is.
2487                  */
2488
2489                 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, the_entry, p_ace->type) == -1) {
2490                         DEBUG(0,("set_canon_ace_list: Failed to set tag type on entry %d. (%s)\n",
2491                                 i, strerror(errno) ));
2492                         goto fail;
2493                 }
2494
2495                 /*
2496                  * Only set the qualifier (user or group id) if the entry is a user
2497                  * or group id ACE.
2498                  */
2499
2500                 if ((p_ace->type == SMB_ACL_USER) || (p_ace->type == SMB_ACL_GROUP)) {
2501                         if (SMB_VFS_SYS_ACL_SET_QUALIFIER(conn, the_entry,(void *)&p_ace->unix_ug.uid) == -1) {
2502                                 DEBUG(0,("set_canon_ace_list: Failed to set qualifier on entry %d. (%s)\n",
2503                                         i, strerror(errno) ));
2504                                 goto fail;
2505                         }
2506                 }
2507
2508                 /*
2509                  * Convert the mode_t perms in the canon_ace to a POSIX permset.
2510                  */
2511
2512                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, the_entry, &the_permset) == -1) {
2513                         DEBUG(0,("set_canon_ace_list: Failed to get permset on entry %d. (%s)\n",
2514                                 i, strerror(errno) ));
2515                         goto fail;
2516                 }
2517
2518                 if (map_acl_perms_to_permset(conn, p_ace->perms, &the_permset) == -1) {
2519                         DEBUG(0,("set_canon_ace_list: Failed to create permset for mode (%u) on entry %d. (%s)\n",
2520                                 (unsigned int)p_ace->perms, i, strerror(errno) ));
2521                         goto fail;
2522                 }
2523
2524                 /*
2525                  * ..and apply them to the entry.
2526                  */
2527
2528                 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, the_entry, the_permset) == -1) {
2529                         DEBUG(0,("set_canon_ace_list: Failed to add permset on entry %d. (%s)\n",
2530                                 i, strerror(errno) ));
2531                         goto fail;
2532                 }
2533
2534                 if( DEBUGLVL( 10 ))
2535                         print_canon_ace( p_ace, i);
2536
2537         }
2538
2539         if (needs_mask && !got_mask_entry) {
2540                 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &mask_entry) == -1) {
2541                         DEBUG(0,("set_canon_ace_list: Failed to create mask entry. (%s)\n", strerror(errno) ));
2542                         goto fail;
2543                 }
2544
2545                 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, mask_entry, SMB_ACL_MASK) == -1) {
2546                         DEBUG(0,("set_canon_ace_list: Failed to set tag type on mask entry. (%s)\n",strerror(errno) ));
2547                         goto fail;
2548                 }
2549
2550                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, mask_entry, &mask_permset) == -1) {
2551                         DEBUG(0,("set_canon_ace_list: Failed to get mask permset. (%s)\n", strerror(errno) ));
2552                         goto fail;
2553                 }
2554
2555                 if (map_acl_perms_to_permset(conn, S_IRUSR|S_IWUSR|S_IXUSR, &mask_permset) == -1) {
2556                         DEBUG(0,("set_canon_ace_list: Failed to create mask permset. (%s)\n", strerror(errno) ));
2557                         goto fail;
2558                 }
2559
2560                 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, mask_entry, mask_permset) == -1) {
2561                         DEBUG(0,("set_canon_ace_list: Failed to add mask permset. (%s)\n", strerror(errno) ));
2562                         goto fail;
2563                 }
2564         }
2565
2566         /*
2567          * Finally apply it to the file or directory.
2568          */
2569
2570         if(default_ace || fsp->is_directory || fsp->fh->fd == -1) {
2571                 if (SMB_VFS_SYS_ACL_SET_FILE(conn, fsp->fsp_name, the_acl_type, the_acl) == -1) {
2572                         /*
2573                          * Some systems allow all the above calls and only fail with no ACL support
2574                          * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
2575                          */
2576                         if (no_acl_syscall_error(errno)) {
2577                                 *pacl_set_support = False;
2578                         }
2579
2580                         if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {
2581                                 int sret;
2582
2583                                 DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
2584                                         fsp->fsp_name ));
2585
2586                                 become_root();
2587                                 sret = SMB_VFS_SYS_ACL_SET_FILE(conn, fsp->fsp_name, the_acl_type, the_acl);
2588                                 unbecome_root();
2589                                 if (sret == 0) {
2590                                         ret = True;     
2591                                 }
2592                         }
2593
2594                         if (ret == False) {
2595                                 DEBUG(2,("set_canon_ace_list: sys_acl_set_file type %s failed for file %s (%s).\n",
2596                                                 the_acl_type == SMB_ACL_TYPE_DEFAULT ? "directory default" : "file",
2597                                                 fsp->fsp_name, strerror(errno) ));
2598                                 goto fail;
2599                         }
2600                 }
2601         } else {
2602                 if (SMB_VFS_SYS_ACL_SET_FD(fsp, the_acl) == -1) {
2603                         /*
2604                          * Some systems allow all the above calls and only fail with no ACL support
2605                          * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
2606                          */
2607                         if (no_acl_syscall_error(errno)) {
2608                                 *pacl_set_support = False;
2609                         }
2610
2611                         if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {
2612                                 int sret;
2613
2614                                 DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
2615                                         fsp->fsp_name ));
2616
2617                                 become_root();
2618                                 sret = SMB_VFS_SYS_ACL_SET_FD(fsp, the_acl);
2619                                 unbecome_root();
2620                                 if (sret == 0) {
2621                                         ret = True;
2622                                 }
2623                         }
2624
2625                         if (ret == False) {
2626                                 DEBUG(2,("set_canon_ace_list: sys_acl_set_file failed for file %s (%s).\n",
2627                                                 fsp->fsp_name, strerror(errno) ));
2628                                 goto fail;
2629                         }
2630                 }
2631         }
2632
2633         ret = True;
2634
2635   fail:
2636
2637         if (the_acl != NULL) {
2638                 SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
2639         }
2640
2641         return ret;
2642 }
2643
2644 /****************************************************************************
2645  Find a particular canon_ace entry.
2646 ****************************************************************************/
2647
2648 static struct canon_ace *canon_ace_entry_for(struct canon_ace *list, SMB_ACL_TAG_T type, posix_id *id)
2649 {
2650         while (list) {
2651                 if (list->type == type && ((type != SMB_ACL_USER && type != SMB_ACL_GROUP) ||
2652                                 (type == SMB_ACL_USER  && id && id->uid == list->unix_ug.uid) ||
2653                                 (type == SMB_ACL_GROUP && id && id->gid == list->unix_ug.gid)))
2654                         break;
2655                 list = list->next;
2656         }
2657         return list;
2658 }
2659
2660 /****************************************************************************
2661  
2662 ****************************************************************************/
2663
2664 SMB_ACL_T free_empty_sys_acl(connection_struct *conn, SMB_ACL_T the_acl)
2665 {
2666         SMB_ACL_ENTRY_T entry;
2667
2668         if (!the_acl)
2669                 return NULL;
2670         if (SMB_VFS_SYS_ACL_GET_ENTRY(conn, the_acl, SMB_ACL_FIRST_ENTRY, &entry) != 1) {
2671                 SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
2672                 return NULL;
2673         }
2674         return the_acl;
2675 }
2676
2677 /****************************************************************************
2678  Convert a canon_ace to a generic 3 element permission - if possible.
2679 ****************************************************************************/
2680
2681 #define MAP_PERM(p,mask,result) (((p) & (mask)) ? (result) : 0 )
2682
2683 static bool convert_canon_ace_to_posix_perms( files_struct *fsp, canon_ace *file_ace_list, mode_t *posix_perms)
2684 {
2685         int snum = SNUM(fsp->conn);
2686         size_t ace_count = count_canon_ace_list(file_ace_list);
2687         canon_ace *ace_p;
2688         canon_ace *owner_ace = NULL;
2689         canon_ace *group_ace = NULL;
2690         canon_ace *other_ace = NULL;
2691         mode_t and_bits;
2692         mode_t or_bits;
2693
2694         if (ace_count != 3) {
2695                 DEBUG(3,("convert_canon_ace_to_posix_perms: Too many ACE entries for file %s to convert to \
2696 posix perms.\n", fsp->fsp_name ));
2697                 return False;
2698         }
2699
2700         for (ace_p = file_ace_list; ace_p; ace_p = ace_p->next) {
2701                 if (ace_p->owner_type == UID_ACE)
2702                         owner_ace = ace_p;
2703                 else if (ace_p->owner_type == GID_ACE)
2704                         group_ace = ace_p;
2705                 else if (ace_p->owner_type == WORLD_ACE)
2706                         other_ace = ace_p;
2707         }
2708
2709         if (!owner_ace || !group_ace || !other_ace) {
2710                 DEBUG(3,("convert_canon_ace_to_posix_perms: Can't get standard entries for file %s.\n",
2711                                 fsp->fsp_name ));
2712                 return False;
2713         }
2714
2715         *posix_perms = (mode_t)0;
2716
2717         *posix_perms |= owner_ace->perms;
2718         *posix_perms |= MAP_PERM(group_ace->perms, S_IRUSR, S_IRGRP);
2719         *posix_perms |= MAP_PERM(group_ace->perms, S_IWUSR, S_IWGRP);
2720         *posix_perms |= MAP_PERM(group_ace->perms, S_IXUSR, S_IXGRP);
2721         *posix_perms |= MAP_PERM(other_ace->perms, S_IRUSR, S_IROTH);
2722         *posix_perms |= MAP_PERM(other_ace->perms, S_IWUSR, S_IWOTH);
2723         *posix_perms |= MAP_PERM(other_ace->perms, S_IXUSR, S_IXOTH);
2724
2725         /* The owner must have at least read access. */
2726
2727         *posix_perms |= S_IRUSR;
2728         if (fsp->is_directory)
2729                 *posix_perms |= (S_IWUSR|S_IXUSR);
2730
2731         /* If requested apply the masks. */
2732
2733         /* Get the initial bits to apply. */
2734
2735         if (fsp->is_directory) {
2736                 and_bits = lp_dir_security_mask(snum);
2737                 or_bits = lp_force_dir_security_mode(snum);
2738         } else {
2739                 and_bits = lp_security_mask(snum);
2740                 or_bits = lp_force_security_mode(snum);
2741         }
2742
2743         *posix_perms = (((*posix_perms) & and_bits)|or_bits);
2744
2745         DEBUG(10,("convert_canon_ace_to_posix_perms: converted u=%o,g=%o,w=%o to perm=0%o for file %s.\n",
2746                 (int)owner_ace->perms, (int)group_ace->perms, (int)other_ace->perms, (int)*posix_perms,
2747                 fsp->fsp_name ));
2748
2749         return True;
2750 }
2751
2752 /****************************************************************************
2753   Incoming NT ACLs on a directory can be split into a default POSIX acl (CI|OI|IO) and
2754   a normal POSIX acl. Win2k needs these split acls re-merging into one ACL
2755   with CI|OI set so it is inherited and also applies to the directory.
2756   Based on code from "Jim McDonough" <jmcd@us.ibm.com>.
2757 ****************************************************************************/
2758
2759 static size_t merge_default_aces( SEC_ACE *nt_ace_list, size_t num_aces)
2760 {
2761         size_t i, j;
2762
2763         for (i = 0; i < num_aces; i++) {
2764                 for (j = i+1; j < num_aces; j++) {
2765                         uint32 i_flags_ni = (nt_ace_list[i].flags & ~SEC_ACE_FLAG_INHERITED_ACE);
2766                         uint32 j_flags_ni = (nt_ace_list[j].flags & ~SEC_ACE_FLAG_INHERITED_ACE);
2767                         bool i_inh = (nt_ace_list[i].flags & SEC_ACE_FLAG_INHERITED_ACE) ? True : False;
2768                         bool j_inh = (nt_ace_list[j].flags & SEC_ACE_FLAG_INHERITED_ACE) ? True : False;
2769
2770                         /* We know the lower number ACE's are file entries. */
2771                         if ((nt_ace_list[i].type == nt_ace_list[j].type) &&
2772                                 (nt_ace_list[i].size == nt_ace_list[j].size) &&
2773                                 (nt_ace_list[i].access_mask == nt_ace_list[j].access_mask) &&
2774                                 sid_equal(&nt_ace_list[i].trustee, &nt_ace_list[j].trustee) &&
2775                                 (i_inh == j_inh) &&
2776                                 (i_flags_ni == 0) &&
2777                                 (j_flags_ni == (SEC_ACE_FLAG_OBJECT_INHERIT|
2778                                                   SEC_ACE_FLAG_CONTAINER_INHERIT|
2779                                                   SEC_ACE_FLAG_INHERIT_ONLY))) {
2780                                 /*
2781                                  * W2K wants to have access allowed zero access ACE's
2782                                  * at the end of the list. If the mask is zero, merge
2783                                  * the non-inherited ACE onto the inherited ACE.
2784                                  */
2785
2786                                 if (nt_ace_list[i].access_mask == 0) {
2787                                         nt_ace_list[j].flags = SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
2788                                                                 (i_inh ? SEC_ACE_FLAG_INHERITED_ACE : 0);
2789                                         if (num_aces - i - 1 > 0)
2790                                                 memmove(&nt_ace_list[i], &nt_ace_list[i+1], (num_aces-i-1) *
2791                                                                 sizeof(SEC_ACE));
2792
2793                                         DEBUG(10,("merge_default_aces: Merging zero access ACE %u onto ACE %u.\n",
2794                                                 (unsigned int)i, (unsigned int)j ));
2795                                 } else {
2796                                         /*
2797                                          * These are identical except for the flags.
2798                                          * Merge the inherited ACE onto the non-inherited ACE.
2799                                          */
2800
2801                                         nt_ace_list[i].flags = SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
2802                                                                 (i_inh ? SEC_ACE_FLAG_INHERITED_ACE : 0);
2803                                         if (num_aces - j - 1 > 0)
2804                                                 memmove(&nt_ace_list[j], &nt_ace_list[j+1], (num_aces-j-1) *
2805                                                                 sizeof(SEC_ACE));
2806
2807                                         DEBUG(10,("merge_default_aces: Merging ACE %u onto ACE %u.\n",
2808                                                 (unsigned int)j, (unsigned int)i ));
2809                                 }
2810                                 num_aces--;
2811                                 break;
2812                         }
2813                 }
2814         }
2815
2816         return num_aces;
2817 }
2818
2819 /****************************************************************************
2820  Reply to query a security descriptor from an fsp. If it succeeds it allocates
2821  the space for the return elements and returns the size needed to return the
2822  security descriptor. This should be the only external function needed for
2823  the UNIX style get ACL.
2824 ****************************************************************************/
2825
2826 static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
2827                                       const char *name,
2828                                       const SMB_STRUCT_STAT *sbuf,
2829                                       struct pai_val *pal,
2830                                       SMB_ACL_T posix_acl,
2831                                       SMB_ACL_T def_acl,
2832                                       uint32_t security_info,
2833                                       SEC_DESC **ppdesc)
2834 {
2835         DOM_SID owner_sid;
2836         DOM_SID group_sid;
2837         size_t sd_size = 0;
2838         SEC_ACL *psa = NULL;
2839         size_t num_acls = 0;
2840         size_t num_def_acls = 0;
2841         size_t num_aces = 0;
2842         canon_ace *file_ace = NULL;
2843         canon_ace *dir_ace = NULL;
2844         SEC_ACE *nt_ace_list = NULL;
2845         size_t num_profile_acls = 0;
2846         SEC_DESC *psd = NULL;
2847
2848         /*
2849          * Get the owner, group and world SIDs.
2850          */
2851
2852         if (lp_profile_acls(SNUM(conn))) {
2853                 /* For WXP SP1 the owner must be administrators. */
2854                 sid_copy(&owner_sid, &global_sid_Builtin_Administrators);
2855                 sid_copy(&group_sid, &global_sid_Builtin_Users);
2856                 num_profile_acls = 2;
2857         } else {
2858                 create_file_sids(sbuf, &owner_sid, &group_sid);
2859         }
2860
2861         if ((security_info & DACL_SECURITY_INFORMATION) && !(security_info & PROTECTED_DACL_SECURITY_INFORMATION)) {
2862
2863                 /*
2864                  * In the optimum case Creator Owner and Creator Group would be used for
2865                  * the ACL_USER_OBJ and ACL_GROUP_OBJ entries, respectively, but this
2866                  * would lead to usability problems under Windows: The Creator entries
2867                  * are only available in browse lists of directories and not for files;
2868                  * additionally the identity of the owning group couldn't be determined.
2869                  * We therefore use those identities only for Default ACLs. 
2870                  */
2871
2872                 /* Create the canon_ace lists. */
2873                 file_ace = canonicalise_acl(conn, name, posix_acl, sbuf,
2874                                             &owner_sid, &group_sid, pal,
2875                                             SMB_ACL_TYPE_ACCESS);
2876
2877                 /* We must have *some* ACLS. */
2878         
2879                 if (count_canon_ace_list(file_ace) == 0) {
2880                         DEBUG(0,("get_nt_acl : No ACLs on file (%s) !\n", name));
2881                         goto done;
2882                 }
2883
2884                 if (S_ISDIR(sbuf->st_mode) && def_acl) {
2885                         dir_ace = canonicalise_acl(conn, name, def_acl,
2886                                                    sbuf,
2887                                                    &global_sid_Creator_Owner,
2888                                                    &global_sid_Creator_Group,
2889                                                    pal, SMB_ACL_TYPE_DEFAULT);
2890                 }
2891
2892                 /*
2893                  * Create the NT ACE list from the canonical ace lists.
2894                  */
2895
2896                 {
2897                         canon_ace *ace;
2898                         enum security_ace_type nt_acl_type;
2899
2900                         if (nt4_compatible_acls() && dir_ace) {
2901                                 /*
2902                                  * NT 4 chokes if an ACL contains an INHERIT_ONLY entry
2903                                  * but no non-INHERIT_ONLY entry for one SID. So we only
2904                                  * remove entries from the Access ACL if the
2905                                  * corresponding Default ACL entries have also been
2906                                  * removed. ACEs for CREATOR-OWNER and CREATOR-GROUP
2907                                  * are exceptions. We can do nothing
2908                                  * intelligent if the Default ACL contains entries that
2909                                  * are not also contained in the Access ACL, so this
2910                                  * case will still fail under NT 4.
2911                                  */
2912
2913                                 ace = canon_ace_entry_for(dir_ace, SMB_ACL_OTHER, NULL);
2914                                 if (ace && !ace->perms) {
2915                                         DLIST_REMOVE(dir_ace, ace);
2916                                         SAFE_FREE(ace);
2917
2918                                         ace = canon_ace_entry_for(file_ace, SMB_ACL_OTHER, NULL);
2919                                         if (ace && !ace->perms) {
2920                                                 DLIST_REMOVE(file_ace, ace);
2921                                                 SAFE_FREE(ace);
2922                                         }
2923                                 }
2924
2925                                 /*
2926                                  * WinNT doesn't usually have Creator Group
2927                                  * in browse lists, so we send this entry to
2928                                  * WinNT even if it contains no relevant
2929                                  * permissions. Once we can add
2930                                  * Creator Group to browse lists we can
2931                                  * re-enable this.
2932                                  */
2933
2934 #if 0
2935                                 ace = canon_ace_entry_for(dir_ace, SMB_ACL_GROUP_OBJ, NULL);
2936                                 if (ace && !ace->perms) {
2937                                         DLIST_REMOVE(dir_ace, ace);
2938                                         SAFE_FREE(ace);
2939                                 }
2940 #endif
2941
2942                                 ace = canon_ace_entry_for(file_ace, SMB_ACL_GROUP_OBJ, NULL);
2943                                 if (ace && !ace->perms) {
2944                                         DLIST_REMOVE(file_ace, ace);
2945                                         SAFE_FREE(ace);
2946                                 }
2947                         }
2948
2949                         num_acls = count_canon_ace_list(file_ace);
2950                         num_def_acls = count_canon_ace_list(dir_ace);
2951
2952                         /* Allocate the ace list. */
2953                         if ((nt_ace_list = SMB_MALLOC_ARRAY(SEC_ACE,num_acls + num_profile_acls + num_def_acls)) == NULL) {
2954                                 DEBUG(0,("get_nt_acl: Unable to malloc space for nt_ace_list.\n"));
2955                                 goto done;
2956                         }
2957
2958                         memset(nt_ace_list, '\0', (num_acls + num_def_acls) * sizeof(SEC_ACE) );
2959
2960                         /*
2961                          * Create the NT ACE list from the canonical ace lists.
2962                          */
2963
2964                         for (ace = file_ace; ace != NULL; ace = ace->next) {
2965                                 SEC_ACCESS acc;
2966
2967                                 acc = map_canon_ace_perms(SNUM(conn),
2968                                                 &nt_acl_type,
2969                                                 ace->perms,
2970                                                 S_ISDIR(sbuf->st_mode));
2971                                 init_sec_ace(&nt_ace_list[num_aces++],
2972                                         &ace->trustee,
2973                                         nt_acl_type,
2974                                         acc,
2975                                         ace->inherited ?
2976                                                 SEC_ACE_FLAG_INHERITED_ACE : 0);
2977                         }
2978
2979                         /* The User must have access to a profile share - even
2980                          * if we can't map the SID. */
2981                         if (lp_profile_acls(SNUM(conn))) {
2982                                 SEC_ACCESS acc;
2983
2984                                 init_sec_access(&acc,FILE_GENERIC_ALL);
2985                                 init_sec_ace(&nt_ace_list[num_aces++],
2986                                                 &global_sid_Builtin_Users,
2987                                                 SEC_ACE_TYPE_ACCESS_ALLOWED,
2988                                                 acc, 0);
2989                         }
2990
2991                         for (ace = dir_ace; ace != NULL; ace = ace->next) {
2992                                 SEC_ACCESS acc;
2993
2994                                 acc = map_canon_ace_perms(SNUM(conn),
2995                                                 &nt_acl_type,
2996                                                 ace->perms,
2997                                                 S_ISDIR(sbuf->st_mode));
2998                                 init_sec_ace(&nt_ace_list[num_aces++],
2999                                         &ace->trustee,
3000                                         nt_acl_type,
3001                                         acc,
3002                                         SEC_ACE_FLAG_OBJECT_INHERIT|
3003                                         SEC_ACE_FLAG_CONTAINER_INHERIT|
3004                                         SEC_ACE_FLAG_INHERIT_ONLY|
3005                                         (ace->inherited ?
3006                                            SEC_ACE_FLAG_INHERITED_ACE : 0));
3007                         }
3008
3009                         /* The User must have access to a profile share - even
3010                          * if we can't map the SID. */