2 * Store Windows ACLs in data store - common functions.
3 * #included into modules/vfs_acl_xattr.c and modules/vfs_acl_tdb.c
5 * Copyright (C) Volker Lendecke, 2008
6 * Copyright (C) Jeremy Allison, 2009
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "smbd/smbd.h"
23 #include "system/filesys.h"
24 #include "../libcli/security/security.h"
25 #include "../librpc/gen_ndr/ndr_security.h"
27 static NTSTATUS create_acl_blob(const struct security_descriptor *psd,
30 uint8_t hash[XATTR_SD_HASH_SIZE]);
32 static NTSTATUS get_acl_blob(TALLOC_CTX *ctx,
33 vfs_handle_struct *handle,
38 static NTSTATUS store_acl_blob_fsp(vfs_handle_struct *handle,
42 #define HASH_SECURITY_INFO (SECINFO_OWNER | \
47 /*******************************************************************
48 Hash a security descriptor.
49 *******************************************************************/
51 static NTSTATUS hash_sd_sha256(struct security_descriptor *psd,
58 memset(hash, '\0', XATTR_SD_HASH_SIZE);
59 status = create_acl_blob(psd, &blob, XATTR_SD_HASH_TYPE_SHA256, hash);
60 if (!NT_STATUS_IS_OK(status)) {
64 samba_SHA256_Init(&tctx);
65 samba_SHA256_Update(&tctx, blob.data, blob.length);
66 samba_SHA256_Final(hash, &tctx);
71 /*******************************************************************
72 Parse out a struct security_descriptor from a DATA_BLOB.
73 *******************************************************************/
75 static NTSTATUS parse_acl_blob(const DATA_BLOB *pblob,
76 struct security_descriptor **ppdesc,
77 uint16_t *p_hash_type,
78 uint8_t hash[XATTR_SD_HASH_SIZE])
80 TALLOC_CTX *ctx = talloc_tos();
81 struct xattr_NTACL xacl;
82 enum ndr_err_code ndr_err;
85 ndr_err = ndr_pull_struct_blob(pblob, ctx, &xacl,
86 (ndr_pull_flags_fn_t)ndr_pull_xattr_NTACL);
88 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
89 DEBUG(5, ("parse_acl_blob: ndr_pull_xattr_NTACL failed: %s\n",
90 ndr_errstr(ndr_err)));
91 return ndr_map_error2ntstatus(ndr_err);
94 switch (xacl.version) {
96 *ppdesc = make_sec_desc(ctx, SD_REVISION,
97 xacl.info.sd_hs2->sd->type | SEC_DESC_SELF_RELATIVE,
98 xacl.info.sd_hs2->sd->owner_sid,
99 xacl.info.sd_hs2->sd->group_sid,
100 xacl.info.sd_hs2->sd->sacl,
101 xacl.info.sd_hs2->sd->dacl,
103 /* No hash - null out. */
104 *p_hash_type = XATTR_SD_HASH_TYPE_NONE;
105 memset(hash, '\0', XATTR_SD_HASH_SIZE);
108 *ppdesc = make_sec_desc(ctx, SD_REVISION,
109 xacl.info.sd_hs3->sd->type | SEC_DESC_SELF_RELATIVE,
110 xacl.info.sd_hs3->sd->owner_sid,
111 xacl.info.sd_hs3->sd->group_sid,
112 xacl.info.sd_hs3->sd->sacl,
113 xacl.info.sd_hs3->sd->dacl,
115 *p_hash_type = xacl.info.sd_hs3->hash_type;
116 /* Current version 3. */
117 memcpy(hash, xacl.info.sd_hs3->hash, XATTR_SD_HASH_SIZE);
120 return NT_STATUS_REVISION_MISMATCH;
123 TALLOC_FREE(xacl.info.sd);
125 return (*ppdesc != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
128 /*******************************************************************
129 Create a DATA_BLOB from a security descriptor.
130 *******************************************************************/
132 static NTSTATUS create_acl_blob(const struct security_descriptor *psd,
135 uint8_t hash[XATTR_SD_HASH_SIZE])
137 struct xattr_NTACL xacl;
138 struct security_descriptor_hash_v3 sd_hs3;
139 enum ndr_err_code ndr_err;
140 TALLOC_CTX *ctx = talloc_tos();
146 xacl.info.sd_hs3 = &sd_hs3;
147 xacl.info.sd_hs3->sd = discard_const_p(struct security_descriptor, psd);
148 xacl.info.sd_hs3->hash_type = hash_type;
149 memcpy(&xacl.info.sd_hs3->hash[0], hash, XATTR_SD_HASH_SIZE);
151 ndr_err = ndr_push_struct_blob(
153 (ndr_push_flags_fn_t)ndr_push_xattr_NTACL);
155 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
156 DEBUG(5, ("create_acl_blob: ndr_push_xattr_NTACL failed: %s\n",
157 ndr_errstr(ndr_err)));
158 return ndr_map_error2ntstatus(ndr_err);
164 /*******************************************************************
165 Add in 3 inheritable components for a non-inheritable directory ACL.
166 CREATOR_OWNER/CREATOR_GROUP/WORLD.
167 *******************************************************************/
169 static void add_directory_inheritable_components(vfs_handle_struct *handle,
171 SMB_STRUCT_STAT *psbuf,
172 struct security_descriptor *psd)
174 struct connection_struct *conn = handle->conn;
175 int num_aces = (psd->dacl ? psd->dacl->num_aces : 0);
176 struct smb_filename smb_fname;
177 enum security_ace_type acltype;
178 uint32_t access_mask;
182 struct security_ace *new_ace_list = talloc_zero_array(talloc_tos(),
186 if (new_ace_list == NULL) {
190 /* Fake a quick smb_filename. */
191 ZERO_STRUCT(smb_fname);
192 smb_fname.st = *psbuf;
193 smb_fname.base_name = discard_const_p(char, name);
195 dir_mode = unix_mode(conn,
196 FILE_ATTRIBUTE_DIRECTORY, &smb_fname, NULL);
197 file_mode = unix_mode(conn,
198 FILE_ATTRIBUTE_ARCHIVE, &smb_fname, NULL);
200 mode = dir_mode | file_mode;
202 DEBUG(10, ("add_directory_inheritable_components: directory %s, "
205 (unsigned int)mode ));
208 memcpy(new_ace_list, psd->dacl->aces,
209 num_aces * sizeof(struct security_ace));
211 access_mask = map_canon_ace_perms(SNUM(conn), &acltype,
214 init_sec_ace(&new_ace_list[num_aces],
215 &global_sid_Creator_Owner,
218 SEC_ACE_FLAG_CONTAINER_INHERIT|
219 SEC_ACE_FLAG_OBJECT_INHERIT|
220 SEC_ACE_FLAG_INHERIT_ONLY);
221 access_mask = map_canon_ace_perms(SNUM(conn), &acltype,
222 (mode << 3) & 0700, false);
223 init_sec_ace(&new_ace_list[num_aces+1],
224 &global_sid_Creator_Group,
227 SEC_ACE_FLAG_CONTAINER_INHERIT|
228 SEC_ACE_FLAG_OBJECT_INHERIT|
229 SEC_ACE_FLAG_INHERIT_ONLY);
230 access_mask = map_canon_ace_perms(SNUM(conn), &acltype,
231 (mode << 6) & 0700, false);
232 init_sec_ace(&new_ace_list[num_aces+2],
236 SEC_ACE_FLAG_CONTAINER_INHERIT|
237 SEC_ACE_FLAG_OBJECT_INHERIT|
238 SEC_ACE_FLAG_INHERIT_ONLY);
239 psd->dacl->aces = new_ace_list;
240 psd->dacl->num_aces += 3;
243 /*******************************************************************
244 Pull a DATA_BLOB from an xattr given a pathname.
245 If the hash doesn't match, or doesn't exist - return the underlying
247 *******************************************************************/
249 static NTSTATUS get_nt_acl_internal(vfs_handle_struct *handle,
252 uint32_t security_info,
253 struct security_descriptor **ppdesc)
257 uint16_t hash_type = XATTR_SD_HASH_TYPE_NONE;
258 uint8_t hash[XATTR_SD_HASH_SIZE];
259 uint8_t hash_tmp[XATTR_SD_HASH_SIZE];
260 struct security_descriptor *psd = NULL;
261 struct security_descriptor *pdesc_next = NULL;
262 bool ignore_file_system_acl = lp_parm_bool(SNUM(handle->conn),
264 "ignore system acls",
267 if (fsp && name == NULL) {
268 name = fsp->fsp_name->base_name;
271 DEBUG(10, ("get_nt_acl_internal: name=%s\n", name));
273 /* Get the full underlying sd for the hash
274 or to return as backup. */
276 status = SMB_VFS_NEXT_FGET_NT_ACL(handle,
281 status = SMB_VFS_NEXT_GET_NT_ACL(handle,
287 if (!NT_STATUS_IS_OK(status)) {
288 DEBUG(10, ("get_nt_acl_internal: get_next_acl for file %s "
295 status = get_acl_blob(talloc_tos(), handle, fsp, name, &blob);
296 if (!NT_STATUS_IS_OK(status)) {
297 DEBUG(10, ("get_nt_acl_internal: get_acl_blob returned %s\n",
303 status = parse_acl_blob(&blob, &psd,
304 &hash_type, &hash[0]);
305 if (!NT_STATUS_IS_OK(status)) {
306 DEBUG(10, ("parse_acl_blob returned %s\n",
312 /* Ensure the hash type is one we know. */
314 case XATTR_SD_HASH_TYPE_NONE:
315 /* No hash, just return blob sd. */
317 case XATTR_SD_HASH_TYPE_SHA256:
320 DEBUG(10, ("get_nt_acl_internal: ACL blob revision "
321 "mismatch (%u) for file %s\n",
322 (unsigned int)hash_type,
329 if (ignore_file_system_acl) {
333 status = hash_sd_sha256(pdesc_next, hash_tmp);
334 if (!NT_STATUS_IS_OK(status)) {
340 if (memcmp(&hash[0], &hash_tmp[0], XATTR_SD_HASH_SIZE) == 0) {
341 /* Hash matches, return blob sd. */
342 DEBUG(10, ("get_nt_acl_internal: blob hash "
343 "matches for file %s\n",
348 /* Hash doesn't match, return underlying sd. */
354 if (psd != pdesc_next) {
355 /* We're returning the blob, throw
356 * away the filesystem SD. */
357 TALLOC_FREE(pdesc_next);
359 SMB_STRUCT_STAT sbuf;
360 SMB_STRUCT_STAT *psbuf = &sbuf;
361 bool is_directory = false;
363 * We're returning the underlying ACL from the
364 * filesystem. If it's a directory, and has no
365 * inheritable ACE entries we have to fake them.
368 status = vfs_stat_fsp(fsp);
369 if (!NT_STATUS_IS_OK(status)) {
372 psbuf = &fsp->fsp_name->st;
374 int ret = vfs_stat_smb_fname(handle->conn,
378 return map_nt_error_from_unix(errno);
381 is_directory = S_ISDIR(sbuf.st_ex_mode);
383 if (ignore_file_system_acl) {
384 TALLOC_FREE(pdesc_next);
385 status = make_default_filesystem_acl(talloc_tos(),
389 if (!NT_STATUS_IS_OK(status)) {
394 !sd_has_inheritable_components(psd,
396 add_directory_inheritable_components(handle,
401 /* The underlying POSIX module always sets
402 the ~SEC_DESC_DACL_PROTECTED bit, as ACLs
403 can't be inherited in this way under POSIX.
404 Remove it for Windows-style ACLs. */
405 psd->type &= ~SEC_DESC_DACL_PROTECTED;
409 if (!(security_info & SECINFO_OWNER)) {
410 psd->owner_sid = NULL;
412 if (!(security_info & SECINFO_GROUP)) {
413 psd->group_sid = NULL;
415 if (!(security_info & SECINFO_DACL)) {
418 if (!(security_info & SECINFO_SACL)) {
422 TALLOC_FREE(blob.data);
425 if (DEBUGLEVEL >= 10) {
426 DEBUG(10,("get_nt_acl_internal: returning acl for %s is:\n",
428 NDR_PRINT_DEBUG(security_descriptor, psd);
434 /*********************************************************************
435 Create a default ACL by inheriting from the parent. If no inheritance
436 from the parent available, don't set anything. This will leave the actual
437 permissions the new file or directory already got from the filesystem
438 as the NT ACL when read.
439 *********************************************************************/
441 static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
443 struct security_descriptor *parent_desc,
446 TALLOC_CTX *ctx = talloc_tos();
447 NTSTATUS status = NT_STATUS_OK;
448 struct security_descriptor *psd = NULL;
449 struct dom_sid *owner_sid = NULL;
450 struct dom_sid *group_sid = NULL;
451 uint32_t security_info_sent = (SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL);
452 bool inherit_owner = lp_inherit_owner(SNUM(handle->conn));
453 bool inheritable_components = sd_has_inheritable_components(parent_desc,
457 if (!inheritable_components && !inherit_owner) {
458 /* Nothing to inherit and not setting owner. */
462 /* Create an inherited descriptor from the parent. */
464 if (DEBUGLEVEL >= 10) {
465 DEBUG(10,("inherit_new_acl: parent acl for %s is:\n",
467 NDR_PRINT_DEBUG(security_descriptor, parent_desc);
470 /* Inherit from parent descriptor if "inherit owner" set. */
472 owner_sid = parent_desc->owner_sid;
473 group_sid = parent_desc->group_sid;
476 if (owner_sid == NULL) {
477 owner_sid = &handle->conn->session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
479 if (group_sid == NULL) {
480 group_sid = &handle->conn->session_info->security_token->sids[PRIMARY_GROUP_SID_INDEX];
483 status = se_create_child_secdesc(ctx,
490 if (!NT_STATUS_IS_OK(status)) {
494 /* If inheritable_components == false,
495 se_create_child_secdesc()
496 creates a security desriptor with a NULL dacl
497 entry, but with SEC_DESC_DACL_PRESENT. We need
498 to remove that flag. */
500 if (!inheritable_components) {
501 security_info_sent &= ~SECINFO_DACL;
502 psd->type &= ~SEC_DESC_DACL_PRESENT;
505 if (DEBUGLEVEL >= 10) {
506 DEBUG(10,("inherit_new_acl: child acl for %s is:\n",
508 NDR_PRINT_DEBUG(security_descriptor, psd);
512 /* We need to be root to force this. */
515 status = SMB_VFS_FSET_NT_ACL(fsp,
524 static NTSTATUS get_parent_acl_common(vfs_handle_struct *handle,
526 struct security_descriptor **pp_parent_desc)
528 char *parent_name = NULL;
531 if (!parent_dirname(talloc_tos(), path, &parent_name, NULL)) {
532 return NT_STATUS_NO_MEMORY;
535 status = get_nt_acl_internal(handle,
543 if (!NT_STATUS_IS_OK(status)) {
544 DEBUG(10,("get_parent_acl_common: get_nt_acl_internal "
545 "on directory %s for "
546 "path %s returned %s\n",
549 nt_errstr(status) ));
554 static NTSTATUS check_parent_acl_common(vfs_handle_struct *handle,
556 uint32_t access_mask,
557 struct security_descriptor **pp_parent_desc)
559 char *parent_name = NULL;
560 struct security_descriptor *parent_desc = NULL;
561 uint32_t access_granted = 0;
564 status = get_parent_acl_common(handle, path, &parent_desc);
565 if (!NT_STATUS_IS_OK(status)) {
568 if (pp_parent_desc) {
569 *pp_parent_desc = parent_desc;
571 status = smb1_file_se_access_check(handle->conn,
573 get_current_nttok(handle->conn),
576 if(!NT_STATUS_IS_OK(status)) {
577 DEBUG(10,("check_parent_acl_common: access check "
578 "on directory %s for "
579 "path %s for mask 0x%x returned %s\n",
583 nt_errstr(status) ));
589 /*********************************************************************
590 Check ACL on open. For new files inherit from parent directory.
591 *********************************************************************/
593 static int open_acl_common(vfs_handle_struct *handle,
594 struct smb_filename *smb_fname,
599 uint32_t access_granted = 0;
600 struct security_descriptor *pdesc = NULL;
601 bool file_existed = true;
606 /* Stream open. Base filename open already did the ACL check. */
607 DEBUG(10,("open_acl_common: stream open on %s\n",
609 return SMB_VFS_NEXT_OPEN(handle, smb_fname, fsp, flags, mode);
612 status = get_full_smb_filename(talloc_tos(), smb_fname,
614 if (!NT_STATUS_IS_OK(status)) {
618 status = get_nt_acl_internal(handle,
625 if (NT_STATUS_IS_OK(status)) {
626 /* See if we can access it. */
627 status = smb1_file_se_access_check(handle->conn,
629 get_current_nttok(handle->conn),
632 if (!NT_STATUS_IS_OK(status)) {
633 DEBUG(10,("open_acl_xattr: %s open "
634 "refused with error %s\n",
636 nt_errstr(status) ));
639 } else if (NT_STATUS_EQUAL(status,NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
640 file_existed = false;
642 * If O_CREAT is true then we're trying to create a file.
643 * Check the parent directory ACL will allow this.
645 if (flags & O_CREAT) {
646 struct security_descriptor *parent_desc = NULL;
647 struct security_descriptor **pp_psd = NULL;
649 status = check_parent_acl_common(handle, fname,
650 SEC_DIR_ADD_FILE, &parent_desc);
651 if (!NT_STATUS_IS_OK(status)) {
655 /* Cache the parent security descriptor for
658 pp_psd = VFS_ADD_FSP_EXTENSION(handle,
660 struct security_descriptor *,
663 status = NT_STATUS_NO_MEMORY;
667 *pp_psd = parent_desc;
668 status = NT_STATUS_OK;
672 DEBUG(10,("open_acl_xattr: get_nt_acl_attr_internal for "
675 nt_errstr(status) ));
677 fsp->fh->fd = SMB_VFS_NEXT_OPEN(handle, smb_fname, fsp, flags, mode);
682 errno = map_errno_from_nt_status(status);
686 static int mkdir_acl_common(vfs_handle_struct *handle, const char *path, mode_t mode)
690 SMB_STRUCT_STAT sbuf;
692 ret = vfs_stat_smb_fname(handle->conn, path, &sbuf);
693 if (ret == -1 && errno == ENOENT) {
694 /* We're creating a new directory. */
695 status = check_parent_acl_common(handle, path,
696 SEC_DIR_ADD_SUBDIR, NULL);
697 if (!NT_STATUS_IS_OK(status)) {
698 errno = map_errno_from_nt_status(status);
703 return SMB_VFS_NEXT_MKDIR(handle, path, mode);
706 /*********************************************************************
707 Fetch a security descriptor given an fsp.
708 *********************************************************************/
710 static NTSTATUS fget_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp,
711 uint32_t security_info, struct security_descriptor **ppdesc)
713 return get_nt_acl_internal(handle, fsp,
714 NULL, security_info, ppdesc);
717 /*********************************************************************
718 Fetch a security descriptor given a pathname.
719 *********************************************************************/
721 static NTSTATUS get_nt_acl_common(vfs_handle_struct *handle,
722 const char *name, uint32_t security_info, struct security_descriptor **ppdesc)
724 return get_nt_acl_internal(handle, NULL,
725 name, security_info, ppdesc);
728 /*********************************************************************
729 Store a security descriptor given an fsp.
730 *********************************************************************/
732 static NTSTATUS fset_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp,
733 uint32_t security_info_sent, const struct security_descriptor *orig_psd)
737 struct security_descriptor *pdesc_next = NULL;
738 struct security_descriptor *psd = NULL;
739 uint8_t hash[XATTR_SD_HASH_SIZE];
741 if (DEBUGLEVEL >= 10) {
742 DEBUG(10,("fset_nt_acl_xattr: incoming sd for file %s\n",
744 NDR_PRINT_DEBUG(security_descriptor,
745 discard_const_p(struct security_descriptor, orig_psd));
748 status = get_nt_acl_internal(handle, fsp,
750 SECINFO_OWNER|SECINFO_GROUP|SECINFO_DACL|SECINFO_SACL,
753 if (!NT_STATUS_IS_OK(status)) {
757 psd->revision = orig_psd->revision;
758 /* All our SD's are self relative. */
759 psd->type = orig_psd->type | SEC_DESC_SELF_RELATIVE;
761 if ((security_info_sent & SECINFO_OWNER) && (orig_psd->owner_sid != NULL)) {
762 psd->owner_sid = orig_psd->owner_sid;
764 if ((security_info_sent & SECINFO_GROUP) && (orig_psd->group_sid != NULL)) {
765 psd->group_sid = orig_psd->group_sid;
767 if (security_info_sent & SECINFO_DACL) {
768 psd->dacl = orig_psd->dacl;
769 psd->type |= SEC_DESC_DACL_PRESENT;
771 if (security_info_sent & SECINFO_SACL) {
772 psd->sacl = orig_psd->sacl;
773 psd->type |= SEC_DESC_SACL_PRESENT;
776 status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
777 if (!NT_STATUS_IS_OK(status)) {
781 /* Get the full underlying sd, then hash. */
782 status = SMB_VFS_NEXT_FGET_NT_ACL(handle,
787 if (!NT_STATUS_IS_OK(status)) {
791 status = hash_sd_sha256(pdesc_next, hash);
792 if (!NT_STATUS_IS_OK(status)) {
796 if (DEBUGLEVEL >= 10) {
797 DEBUG(10,("fset_nt_acl_xattr: storing xattr sd for file %s\n",
799 NDR_PRINT_DEBUG(security_descriptor,
800 discard_const_p(struct security_descriptor, psd));
802 create_acl_blob(psd, &blob, XATTR_SD_HASH_TYPE_SHA256, hash);
803 store_acl_blob_fsp(handle, fsp, &blob);
808 static SMB_STRUCT_DIR *opendir_acl_common(vfs_handle_struct *handle,
809 const char *fname, const char *mask, uint32 attr)
811 NTSTATUS status = check_parent_acl_common(handle, fname,
814 if (!NT_STATUS_IS_OK(status)) {
815 errno = map_errno_from_nt_status(status);
818 return SMB_VFS_NEXT_OPENDIR(handle, fname, mask, attr);
821 static int acl_common_remove_object(vfs_handle_struct *handle,
825 connection_struct *conn = handle->conn;
827 files_struct *fsp = NULL;
829 char *parent_dir = NULL;
830 const char *final_component = NULL;
831 struct smb_filename local_fname;
834 if (!parent_dirname(talloc_tos(), path,
835 &parent_dir, &final_component)) {
836 saved_errno = ENOMEM;
840 DEBUG(10,("acl_common_remove_object: removing %s %s/%s\n",
841 is_directory ? "directory" : "file",
842 parent_dir, final_component ));
844 /* cd into the parent dir to pin it. */
845 ret = SMB_VFS_CHDIR(conn, parent_dir);
851 ZERO_STRUCT(local_fname);
852 local_fname.base_name = discard_const_p(char, final_component);
854 /* Must use lstat here. */
855 ret = SMB_VFS_LSTAT(conn, &local_fname);
861 /* Ensure we have this file open with DELETE access. */
862 id = vfs_file_id_from_sbuf(conn, &local_fname.st);
863 for (fsp = file_find_di_first(conn->sconn, id); fsp;
864 file_find_di_next(fsp)) {
865 if (fsp->access_mask & DELETE_ACCESS &&
866 fsp->delete_on_close) {
867 /* We did open this for delete,
868 * allow the delete as root.
875 DEBUG(10,("acl_common_remove_object: %s %s/%s "
876 "not an open file\n",
877 is_directory ? "directory" : "file",
878 parent_dir, final_component ));
879 saved_errno = EACCES;
885 ret = SMB_VFS_NEXT_RMDIR(handle, final_component);
887 ret = SMB_VFS_NEXT_UNLINK(handle, &local_fname);
897 TALLOC_FREE(parent_dir);
899 vfs_ChDir(conn, conn->connectpath);
906 static int rmdir_acl_common(struct vfs_handle_struct *handle,
911 ret = SMB_VFS_NEXT_RMDIR(handle, path);
912 if (!(ret == -1 && (errno == EACCES || errno == EPERM))) {
913 DEBUG(10,("rmdir_acl_common: unlink of %s failed %s\n",
919 return acl_common_remove_object(handle,
924 static NTSTATUS create_file_acl_common(struct vfs_handle_struct *handle,
925 struct smb_request *req,
926 uint16_t root_dir_fid,
927 struct smb_filename *smb_fname,
928 uint32_t access_mask,
929 uint32_t share_access,
930 uint32_t create_disposition,
931 uint32_t create_options,
932 uint32_t file_attributes,
933 uint32_t oplock_request,
934 uint64_t allocation_size,
935 uint32_t private_flags,
936 struct security_descriptor *sd,
937 struct ea_list *ea_list,
938 files_struct **result,
941 NTSTATUS status, status1;
942 files_struct *fsp = NULL;
944 struct security_descriptor *parent_sd = NULL;
945 struct security_descriptor **pp_parent_sd = NULL;
947 status = SMB_VFS_NEXT_CREATE_FILE(handle,
964 if (!NT_STATUS_IS_OK(status)) {
968 if (info != FILE_WAS_CREATED) {
969 /* File/directory was opened, not created. */
976 /* Only handle success. */
981 /* Security descriptor already set. */
990 /* See if we have a cached parent sd, if so, use it. */
991 pp_parent_sd = (struct security_descriptor **)VFS_FETCH_FSP_EXTENSION(handle, fsp);
993 /* Must be a directory, fetch again (sigh). */
994 status = get_parent_acl_common(handle,
995 fsp->fsp_name->base_name,
997 if (!NT_STATUS_IS_OK(status)) {
1001 parent_sd = *pp_parent_sd;
1008 /* New directory - inherit from parent. */
1009 status1 = inherit_new_acl(handle, fsp, parent_sd, fsp->is_directory);
1011 if (!NT_STATUS_IS_OK(status1)) {
1012 DEBUG(1,("create_file_acl_common: error setting "
1015 nt_errstr(status1) ));
1021 VFS_REMOVE_FSP_EXTENSION(handle, fsp);
1024 if (NT_STATUS_IS_OK(status) && pinfo) {
1031 smb_panic("create_file_acl_common: logic error.\n");
1036 static int unlink_acl_common(struct vfs_handle_struct *handle,
1037 const struct smb_filename *smb_fname)
1041 ret = SMB_VFS_NEXT_UNLINK(handle, smb_fname);
1042 if (!(ret == -1 && (errno == EACCES || errno == EPERM))) {
1043 DEBUG(10,("unlink_acl_common: unlink of %s failed %s\n",
1044 smb_fname->base_name,
1048 /* Don't do anything fancy for streams. */
1049 if (smb_fname->stream_name) {
1053 return acl_common_remove_object(handle,
1054 smb_fname->base_name,
1058 static int chmod_acl_module_common(struct vfs_handle_struct *handle,
1059 const char *path, mode_t mode)
1061 if (lp_posix_pathnames()) {
1062 /* Only allow this on POSIX pathnames. */
1063 return SMB_VFS_NEXT_CHMOD(handle, path, mode);
1068 static int fchmod_acl_module_common(struct vfs_handle_struct *handle,
1069 struct files_struct *fsp, mode_t mode)
1071 if (fsp->posix_open) {
1072 /* Only allow this on POSIX opens. */
1073 return SMB_VFS_NEXT_FCHMOD(handle, fsp, mode);
1078 static int chmod_acl_acl_module_common(struct vfs_handle_struct *handle,
1079 const char *name, mode_t mode)
1081 if (lp_posix_pathnames()) {
1082 /* Only allow this on POSIX pathnames. */
1083 return SMB_VFS_NEXT_CHMOD_ACL(handle, name, mode);
1088 static int fchmod_acl_acl_module_common(struct vfs_handle_struct *handle,
1089 struct files_struct *fsp, mode_t mode)
1091 if (fsp->posix_open) {
1092 /* Only allow this on POSIX opens. */
1093 return SMB_VFS_NEXT_FCHMOD_ACL(handle, fsp, mode);
git.samba.org / kai / samba-autobuild / .git / blob