libcli/security Provide a common, top level libcli/security/security.h
[kai/samba.git] / source3 / smbd / posix_acls.c
1 /*
2    Unix SMB/CIFS implementation.
3    SMB NT Security Descriptor / Unix permission conversion.
4    Copyright (C) Jeremy Allison 1994-2009.
5    Copyright (C) Andreas Gruenbacher 2002.
6    Copyright (C) Simo Sorce <idra@samba.org> 2009.
7
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "../libcli/security/security.h"
24
25 extern const struct generic_mapping file_generic_mapping;
26
27 #undef  DBGC_CLASS
28 #define DBGC_CLASS DBGC_ACLS
29
30 /****************************************************************************
31  Data structures representing the internal ACE format.
32 ****************************************************************************/
33
34 enum ace_owner {UID_ACE, GID_ACE, WORLD_ACE};
35 enum ace_attribute {ALLOW_ACE, DENY_ACE}; /* Used for incoming NT ACLS. */
36
37 typedef union posix_id {
38                 uid_t uid;
39                 gid_t gid;
40                 int world;
41 } posix_id;
42
43 typedef struct canon_ace {
44         struct canon_ace *next, *prev;
45         SMB_ACL_TAG_T type;
46         mode_t perms; /* Only use S_I(R|W|X)USR mode bits here. */
47         struct dom_sid trustee;
48         enum ace_owner owner_type;
49         enum ace_attribute attr;
50         posix_id unix_ug;
51         uint8_t ace_flags; /* From windows ACE entry. */
52 } canon_ace;
53
54 #define ALL_ACE_PERMS (S_IRUSR|S_IWUSR|S_IXUSR)
55
56 /*
57  * EA format of user.SAMBA_PAI (Samba_Posix_Acl_Interitance)
58  * attribute on disk - version 1.
59  * All values are little endian.
60  *
61  * |  1   |  1   |   2         |         2           |  ....
62  * +------+------+-------------+---------------------+-------------+--------------------+
63  * | vers | flag | num_entries | num_default_entries | ..entries.. | default_entries... |
64  * +------+------+-------------+---------------------+-------------+--------------------+
65  *
66  * Entry format is :
67  *
68  * |  1   |       4           |
69  * +------+-------------------+
70  * | value|  uid/gid or world |
71  * | type |  value            |
72  * +------+-------------------+
73  *
74  * Version 2 format. Stores extra Windows metadata about an ACL.
75  *
76  * |  1   |  2       |   2         |         2           |  ....
77  * +------+----------+-------------+---------------------+-------------+--------------------+
78  * | vers | ace      | num_entries | num_default_entries | ..entries.. | default_entries... |
79  * |   2  |  type    |             |                     |             |                    |
80  * +------+----------+-------------+---------------------+-------------+--------------------+
81  *
82  * Entry format is :
83  *
84  * |  1   |  1   |       4           |
85  * +------+------+-------------------+
86  * | ace  | value|  uid/gid or world |
87  * | flag | type |  value            |
88  * +------+-------------------+------+
89  *
90  */
91
92 #define PAI_VERSION_OFFSET                      0
93
94 #define PAI_V1_FLAG_OFFSET                      1
95 #define PAI_V1_NUM_ENTRIES_OFFSET               2
96 #define PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET       4
97 #define PAI_V1_ENTRIES_BASE                     6
98 #define PAI_V1_ACL_FLAG_PROTECTED               0x1
99 #define PAI_V1_ENTRY_LENGTH                     5
100
101 #define PAI_V1_VERSION                          1
102
103 #define PAI_V2_TYPE_OFFSET                      1
104 #define PAI_V2_NUM_ENTRIES_OFFSET               3
105 #define PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET       5
106 #define PAI_V2_ENTRIES_BASE                     7
107 #define PAI_V2_ENTRY_LENGTH                     6
108
109 #define PAI_V2_VERSION                          2
110
111 /*
112  * In memory format of user.SAMBA_PAI attribute.
113  */
114
115 struct pai_entry {
116         struct pai_entry *next, *prev;
117         uint8_t ace_flags;
118         enum ace_owner owner_type;
119         posix_id unix_ug;
120 };
121
122 struct pai_val {
123         uint16_t sd_type;
124         unsigned int num_entries;
125         struct pai_entry *entry_list;
126         unsigned int num_def_entries;
127         struct pai_entry *def_entry_list;
128 };
129
130 /************************************************************************
131  Return a uint32 of the pai_entry principal.
132 ************************************************************************/
133
134 static uint32_t get_pai_entry_val(struct pai_entry *paie)
135 {
136         switch (paie->owner_type) {
137                 case UID_ACE:
138                         DEBUG(10,("get_pai_entry_val: uid = %u\n", (unsigned int)paie->unix_ug.uid ));
139                         return (uint32_t)paie->unix_ug.uid;
140                 case GID_ACE:
141                         DEBUG(10,("get_pai_entry_val: gid = %u\n", (unsigned int)paie->unix_ug.gid ));
142                         return (uint32_t)paie->unix_ug.gid;
143                 case WORLD_ACE:
144                 default:
145                         DEBUG(10,("get_pai_entry_val: world ace\n"));
146                         return (uint32_t)-1;
147         }
148 }
149
150 /************************************************************************
151  Return a uint32 of the entry principal.
152 ************************************************************************/
153
154 static uint32_t get_entry_val(canon_ace *ace_entry)
155 {
156         switch (ace_entry->owner_type) {
157                 case UID_ACE:
158                         DEBUG(10,("get_entry_val: uid = %u\n", (unsigned int)ace_entry->unix_ug.uid ));
159                         return (uint32_t)ace_entry->unix_ug.uid;
160                 case GID_ACE:
161                         DEBUG(10,("get_entry_val: gid = %u\n", (unsigned int)ace_entry->unix_ug.gid ));
162                         return (uint32_t)ace_entry->unix_ug.gid;
163                 case WORLD_ACE:
164                 default:
165                         DEBUG(10,("get_entry_val: world ace\n"));
166                         return (uint32_t)-1;
167         }
168 }
169
170 /************************************************************************
171  Create the on-disk format (always v2 now). Caller must free.
172 ************************************************************************/
173
174 static char *create_pai_buf_v2(canon_ace *file_ace_list,
175                                 canon_ace *dir_ace_list,
176                                 uint16_t sd_type,
177                                 size_t *store_size)
178 {
179         char *pai_buf = NULL;
180         canon_ace *ace_list = NULL;
181         char *entry_offset = NULL;
182         unsigned int num_entries = 0;
183         unsigned int num_def_entries = 0;
184         unsigned int i;
185
186         for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next) {
187                 num_entries++;
188         }
189
190         for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next) {
191                 num_def_entries++;
192         }
193
194         DEBUG(10,("create_pai_buf_v2: num_entries = %u, num_def_entries = %u\n", num_entries, num_def_entries ));
195
196         *store_size = PAI_V2_ENTRIES_BASE +
197                 ((num_entries + num_def_entries)*PAI_V2_ENTRY_LENGTH);
198
199         pai_buf = (char *)SMB_MALLOC(*store_size);
200         if (!pai_buf) {
201                 return NULL;
202         }
203
204         /* Set up the header. */
205         memset(pai_buf, '\0', PAI_V2_ENTRIES_BASE);
206         SCVAL(pai_buf,PAI_VERSION_OFFSET,PAI_V2_VERSION);
207         SSVAL(pai_buf,PAI_V2_TYPE_OFFSET, sd_type);
208         SSVAL(pai_buf,PAI_V2_NUM_ENTRIES_OFFSET,num_entries);
209         SSVAL(pai_buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET,num_def_entries);
210
211         DEBUG(10,("create_pai_buf_v2: sd_type = 0x%x\n",
212                         (unsigned int)sd_type ));
213
214         entry_offset = pai_buf + PAI_V2_ENTRIES_BASE;
215
216         i = 0;
217         for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next) {
218                 uint8_t type_val = (uint8_t)ace_list->owner_type;
219                 uint32_t entry_val = get_entry_val(ace_list);
220
221                 SCVAL(entry_offset,0,ace_list->ace_flags);
222                 SCVAL(entry_offset,1,type_val);
223                 SIVAL(entry_offset,2,entry_val);
224                 DEBUG(10,("create_pai_buf_v2: entry %u [0x%x] [0x%x] [0x%x]\n",
225                         i,
226                         (unsigned int)ace_list->ace_flags,
227                         (unsigned int)type_val,
228                         (unsigned int)entry_val ));
229                 i++;
230                 entry_offset += PAI_V2_ENTRY_LENGTH;
231         }
232
233         for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next) {
234                 uint8_t type_val = (uint8_t)ace_list->owner_type;
235                 uint32_t entry_val = get_entry_val(ace_list);
236
237                 SCVAL(entry_offset,0,ace_list->ace_flags);
238                 SCVAL(entry_offset,1,type_val);
239                 SIVAL(entry_offset,2,entry_val);
240                 DEBUG(10,("create_pai_buf_v2: entry %u [0x%x] [0x%x] [0x%x]\n",
241                         i,
242                         (unsigned int)ace_list->ace_flags,
243                         (unsigned int)type_val,
244                         (unsigned int)entry_val ));
245                 i++;
246                 entry_offset += PAI_V2_ENTRY_LENGTH;
247         }
248
249         return pai_buf;
250 }
251
252 /************************************************************************
253  Store the user.SAMBA_PAI attribute on disk.
254 ************************************************************************/
255
256 static void store_inheritance_attributes(files_struct *fsp,
257                                         canon_ace *file_ace_list,
258                                         canon_ace *dir_ace_list,
259                                         uint16_t sd_type)
260 {
261         int ret;
262         size_t store_size;
263         char *pai_buf;
264
265         if (!lp_map_acl_inherit(SNUM(fsp->conn))) {
266                 return;
267         }
268
269         pai_buf = create_pai_buf_v2(file_ace_list, dir_ace_list,
270                                 sd_type, &store_size);
271
272         if (fsp->fh->fd != -1) {
273                 ret = SMB_VFS_FSETXATTR(fsp, SAMBA_POSIX_INHERITANCE_EA_NAME,
274                                 pai_buf, store_size, 0);
275         } else {
276                 ret = SMB_VFS_SETXATTR(fsp->conn, fsp->fsp_name->base_name,
277                                        SAMBA_POSIX_INHERITANCE_EA_NAME,
278                                        pai_buf, store_size, 0);
279         }
280
281         SAFE_FREE(pai_buf);
282
283         DEBUG(10,("store_inheritance_attribute: type 0x%x for file %s\n",
284                 (unsigned int)sd_type,
285                 fsp_str_dbg(fsp)));
286
287         if (ret == -1 && !no_acl_syscall_error(errno)) {
288                 DEBUG(1,("store_inheritance_attribute: Error %s\n", strerror(errno) ));
289         }
290 }
291
292 /************************************************************************
293  Delete the in memory inheritance info.
294 ************************************************************************/
295
296 static void free_inherited_info(struct pai_val *pal)
297 {
298         if (pal) {
299                 struct pai_entry *paie, *paie_next;
300                 for (paie = pal->entry_list; paie; paie = paie_next) {
301                         paie_next = paie->next;
302                         SAFE_FREE(paie);
303                 }
304                 for (paie = pal->def_entry_list; paie; paie = paie_next) {
305                         paie_next = paie->next;
306                         SAFE_FREE(paie);
307                 }
308                 SAFE_FREE(pal);
309         }
310 }
311
312 /************************************************************************
313  Get any stored ACE flags.
314 ************************************************************************/
315
316 static uint16_t get_pai_flags(struct pai_val *pal, canon_ace *ace_entry, bool default_ace)
317 {
318         struct pai_entry *paie;
319
320         if (!pal) {
321                 return 0;
322         }
323
324         /* If the entry exists it is inherited. */
325         for (paie = (default_ace ? pal->def_entry_list : pal->entry_list); paie; paie = paie->next) {
326                 if (ace_entry->owner_type == paie->owner_type &&
327                                 get_entry_val(ace_entry) == get_pai_entry_val(paie))
328                         return paie->ace_flags;
329         }
330         return 0;
331 }
332
333 /************************************************************************
334  Ensure an attribute just read is valid - v1.
335 ************************************************************************/
336
337 static bool check_pai_ok_v1(const char *pai_buf, size_t pai_buf_data_size)
338 {
339         uint16 num_entries;
340         uint16 num_def_entries;
341
342         if (pai_buf_data_size < PAI_V1_ENTRIES_BASE) {
343                 /* Corrupted - too small. */
344                 return false;
345         }
346
347         if (CVAL(pai_buf,PAI_VERSION_OFFSET) != PAI_V1_VERSION) {
348                 return false;
349         }
350
351         num_entries = SVAL(pai_buf,PAI_V1_NUM_ENTRIES_OFFSET);
352         num_def_entries = SVAL(pai_buf,PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET);
353
354         /* Check the entry lists match. */
355         /* Each entry is 5 bytes (type plus 4 bytes of uid or gid). */
356
357         if (((num_entries + num_def_entries)*PAI_V1_ENTRY_LENGTH) +
358                         PAI_V1_ENTRIES_BASE != pai_buf_data_size) {
359                 return false;
360         }
361
362         return true;
363 }
364
365 /************************************************************************
366  Ensure an attribute just read is valid - v2.
367 ************************************************************************/
368
369 static bool check_pai_ok_v2(const char *pai_buf, size_t pai_buf_data_size)
370 {
371         uint16 num_entries;
372         uint16 num_def_entries;
373
374         if (pai_buf_data_size < PAI_V2_ENTRIES_BASE) {
375                 /* Corrupted - too small. */
376                 return false;
377         }
378
379         if (CVAL(pai_buf,PAI_VERSION_OFFSET) != PAI_V2_VERSION) {
380                 return false;
381         }
382
383         num_entries = SVAL(pai_buf,PAI_V2_NUM_ENTRIES_OFFSET);
384         num_def_entries = SVAL(pai_buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET);
385
386         /* Check the entry lists match. */
387         /* Each entry is 6 bytes (flags + type + 4 bytes of uid or gid). */
388
389         if (((num_entries + num_def_entries)*PAI_V2_ENTRY_LENGTH) +
390                         PAI_V2_ENTRIES_BASE != pai_buf_data_size) {
391                 return false;
392         }
393
394         return true;
395 }
396
397 /************************************************************************
398  Decode the owner.
399 ************************************************************************/
400
401 static bool get_pai_owner_type(struct pai_entry *paie, const char *entry_offset)
402 {
403         paie->owner_type = (enum ace_owner)CVAL(entry_offset,0);
404         switch( paie->owner_type) {
405                 case UID_ACE:
406                         paie->unix_ug.uid = (uid_t)IVAL(entry_offset,1);
407                         DEBUG(10,("get_pai_owner_type: uid = %u\n",
408                                 (unsigned int)paie->unix_ug.uid ));
409                         break;
410                 case GID_ACE:
411                         paie->unix_ug.gid = (gid_t)IVAL(entry_offset,1);
412                         DEBUG(10,("get_pai_owner_type: gid = %u\n",
413                                 (unsigned int)paie->unix_ug.gid ));
414                         break;
415                 case WORLD_ACE:
416                         paie->unix_ug.world = -1;
417                         DEBUG(10,("get_pai_owner_type: world ace\n"));
418                         break;
419                 default:
420                         DEBUG(10,("get_pai_owner_type: unknown type %u\n",
421                                 (unsigned int)paie->owner_type ));
422                         return false;
423         }
424         return true;
425 }
426
427 /************************************************************************
428  Process v2 entries.
429 ************************************************************************/
430
431 static const char *create_pai_v1_entries(struct pai_val *paiv,
432                                 const char *entry_offset,
433                                 bool def_entry)
434 {
435         int i;
436
437         for (i = 0; i < paiv->num_entries; i++) {
438                 struct pai_entry *paie = SMB_MALLOC_P(struct pai_entry);
439                 if (!paie) {
440                         return NULL;
441                 }
442
443                 paie->ace_flags = SEC_ACE_FLAG_INHERITED_ACE;
444                 if (!get_pai_owner_type(paie, entry_offset)) {
445                         return NULL;
446                 }
447
448                 if (!def_entry) {
449                         DLIST_ADD(paiv->entry_list, paie);
450                 } else {
451                         DLIST_ADD(paiv->def_entry_list, paie);
452                 }
453                 entry_offset += PAI_V1_ENTRY_LENGTH;
454         }
455         return entry_offset;
456 }
457
458 /************************************************************************
459  Convert to in-memory format from version 1.
460 ************************************************************************/
461
462 static struct pai_val *create_pai_val_v1(const char *buf, size_t size)
463 {
464         const char *entry_offset;
465         struct pai_val *paiv = NULL;
466
467         if (!check_pai_ok_v1(buf, size)) {
468                 return NULL;
469         }
470
471         paiv = SMB_MALLOC_P(struct pai_val);
472         if (!paiv) {
473                 return NULL;
474         }
475
476         memset(paiv, '\0', sizeof(struct pai_val));
477
478         paiv->sd_type = (CVAL(buf,PAI_V1_FLAG_OFFSET) == PAI_V1_ACL_FLAG_PROTECTED) ?
479                         SEC_DESC_DACL_PROTECTED : 0;
480
481         paiv->num_entries = SVAL(buf,PAI_V1_NUM_ENTRIES_OFFSET);
482         paiv->num_def_entries = SVAL(buf,PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET);
483
484         entry_offset = buf + PAI_V1_ENTRIES_BASE;
485
486         DEBUG(10,("create_pai_val: num_entries = %u, num_def_entries = %u\n",
487                         paiv->num_entries, paiv->num_def_entries ));
488
489         entry_offset = create_pai_v1_entries(paiv, entry_offset, false);
490         if (entry_offset == NULL) {
491                 free_inherited_info(paiv);
492                 return NULL;
493         }
494         entry_offset = create_pai_v1_entries(paiv, entry_offset, true);
495         if (entry_offset == NULL) {
496                 free_inherited_info(paiv);
497                 return NULL;
498         }
499
500         return paiv;
501 }
502
503 /************************************************************************
504  Process v2 entries.
505 ************************************************************************/
506
507 static const char *create_pai_v2_entries(struct pai_val *paiv,
508                                 unsigned int num_entries,
509                                 const char *entry_offset,
510                                 bool def_entry)
511 {
512         unsigned int i;
513
514         for (i = 0; i < num_entries; i++) {
515                 struct pai_entry *paie = SMB_MALLOC_P(struct pai_entry);
516                 if (!paie) {
517                         return NULL;
518                 }
519
520                 paie->ace_flags = CVAL(entry_offset,0);
521
522                 if (!get_pai_owner_type(paie, entry_offset+1)) {
523                         return NULL;
524                 }
525                 if (!def_entry) {
526                         DLIST_ADD(paiv->entry_list, paie);
527                 } else {
528                         DLIST_ADD(paiv->def_entry_list, paie);
529                 }
530                 entry_offset += PAI_V2_ENTRY_LENGTH;
531         }
532         return entry_offset;
533 }
534
535 /************************************************************************
536  Convert to in-memory format from version 2.
537 ************************************************************************/
538
539 static struct pai_val *create_pai_val_v2(const char *buf, size_t size)
540 {
541         const char *entry_offset;
542         struct pai_val *paiv = NULL;
543
544         if (!check_pai_ok_v2(buf, size)) {
545                 return NULL;
546         }
547
548         paiv = SMB_MALLOC_P(struct pai_val);
549         if (!paiv) {
550                 return NULL;
551         }
552
553         memset(paiv, '\0', sizeof(struct pai_val));
554
555         paiv->sd_type = SVAL(buf,PAI_V2_TYPE_OFFSET);
556
557         paiv->num_entries = SVAL(buf,PAI_V2_NUM_ENTRIES_OFFSET);
558         paiv->num_def_entries = SVAL(buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET);
559
560         entry_offset = buf + PAI_V2_ENTRIES_BASE;
561
562         DEBUG(10,("create_pai_val_v2: sd_type = 0x%x num_entries = %u, num_def_entries = %u\n",
563                         (unsigned int)paiv->sd_type,
564                         paiv->num_entries, paiv->num_def_entries ));
565
566         entry_offset = create_pai_v2_entries(paiv, paiv->num_entries,
567                                 entry_offset, false);
568         if (entry_offset == NULL) {
569                 free_inherited_info(paiv);
570                 return NULL;
571         }
572         entry_offset = create_pai_v2_entries(paiv, paiv->num_def_entries,
573                                 entry_offset, true);
574         if (entry_offset == NULL) {
575                 free_inherited_info(paiv);
576                 return NULL;
577         }
578
579         return paiv;
580 }
581
582 /************************************************************************
583  Convert to in-memory format - from either version 1 or 2.
584 ************************************************************************/
585
586 static struct pai_val *create_pai_val(const char *buf, size_t size)
587 {
588         if (size < 1) {
589                 return NULL;
590         }
591         if (CVAL(buf,PAI_VERSION_OFFSET) == PAI_V1_VERSION) {
592                 return create_pai_val_v1(buf, size);
593         } else if (CVAL(buf,PAI_VERSION_OFFSET) == PAI_V2_VERSION) {
594                 return create_pai_val_v2(buf, size);
595         } else {
596                 return NULL;
597         }
598 }
599
600 /************************************************************************
601  Load the user.SAMBA_PAI attribute.
602 ************************************************************************/
603
604 static struct pai_val *fload_inherited_info(files_struct *fsp)
605 {
606         char *pai_buf;
607         size_t pai_buf_size = 1024;
608         struct pai_val *paiv = NULL;
609         ssize_t ret;
610
611         if (!lp_map_acl_inherit(SNUM(fsp->conn))) {
612                 return NULL;
613         }
614
615         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL) {
616                 return NULL;
617         }
618
619         do {
620                 if (fsp->fh->fd != -1) {
621                         ret = SMB_VFS_FGETXATTR(fsp, SAMBA_POSIX_INHERITANCE_EA_NAME,
622                                         pai_buf, pai_buf_size);
623                 } else {
624                         ret = SMB_VFS_GETXATTR(fsp->conn,
625                                                fsp->fsp_name->base_name,
626                                                SAMBA_POSIX_INHERITANCE_EA_NAME,
627                                                pai_buf, pai_buf_size);
628                 }
629
630                 if (ret == -1) {
631                         if (errno != ERANGE) {
632                                 break;
633                         }
634                         /* Buffer too small - enlarge it. */
635                         pai_buf_size *= 2;
636                         SAFE_FREE(pai_buf);
637                         if (pai_buf_size > 1024*1024) {
638                                 return NULL; /* Limit malloc to 1mb. */
639                         }
640                         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL)
641                                 return NULL;
642                 }
643         } while (ret == -1);
644
645         DEBUG(10,("load_inherited_info: ret = %lu for file %s\n",
646                   (unsigned long)ret, fsp_str_dbg(fsp)));
647
648         if (ret == -1) {
649                 /* No attribute or not supported. */
650 #if defined(ENOATTR)
651                 if (errno != ENOATTR)
652                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
653 #else
654                 if (errno != ENOSYS)
655                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
656 #endif
657                 SAFE_FREE(pai_buf);
658                 return NULL;
659         }
660
661         paiv = create_pai_val(pai_buf, ret);
662
663         if (paiv) {
664                 DEBUG(10,("load_inherited_info: ACL type is 0x%x for file %s\n",
665                           (unsigned int)paiv->sd_type, fsp_str_dbg(fsp)));
666         }
667
668         SAFE_FREE(pai_buf);
669         return paiv;
670 }
671
672 /************************************************************************
673  Load the user.SAMBA_PAI attribute.
674 ************************************************************************/
675
676 static struct pai_val *load_inherited_info(const struct connection_struct *conn,
677                                            const char *fname)
678 {
679         char *pai_buf;
680         size_t pai_buf_size = 1024;
681         struct pai_val *paiv = NULL;
682         ssize_t ret;
683
684         if (!lp_map_acl_inherit(SNUM(conn))) {
685                 return NULL;
686         }
687
688         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL) {
689                 return NULL;
690         }
691
692         do {
693                 ret = SMB_VFS_GETXATTR(conn, fname,
694                                        SAMBA_POSIX_INHERITANCE_EA_NAME,
695                                        pai_buf, pai_buf_size);
696
697                 if (ret == -1) {
698                         if (errno != ERANGE) {
699                                 break;
700                         }
701                         /* Buffer too small - enlarge it. */
702                         pai_buf_size *= 2;
703                         SAFE_FREE(pai_buf);
704                         if (pai_buf_size > 1024*1024) {
705                                 return NULL; /* Limit malloc to 1mb. */
706                         }
707                         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL)
708                                 return NULL;
709                 }
710         } while (ret == -1);
711
712         DEBUG(10,("load_inherited_info: ret = %lu for file %s\n", (unsigned long)ret, fname));
713
714         if (ret == -1) {
715                 /* No attribute or not supported. */
716 #if defined(ENOATTR)
717                 if (errno != ENOATTR)
718                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
719 #else
720                 if (errno != ENOSYS)
721                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
722 #endif
723                 SAFE_FREE(pai_buf);
724                 return NULL;
725         }
726
727         paiv = create_pai_val(pai_buf, ret);
728
729         if (paiv) {
730                 DEBUG(10,("load_inherited_info: ACL type 0x%x for file %s\n",
731                         (unsigned int)paiv->sd_type,
732                         fname));
733         }
734
735         SAFE_FREE(pai_buf);
736         return paiv;
737 }
738
739 /****************************************************************************
740  Functions to manipulate the internal ACE format.
741 ****************************************************************************/
742
743 /****************************************************************************
744  Count a linked list of canonical ACE entries.
745 ****************************************************************************/
746
747 static size_t count_canon_ace_list( canon_ace *l_head )
748 {
749         size_t count = 0;
750         canon_ace *ace;
751
752         for (ace = l_head; ace; ace = ace->next)
753                 count++;
754
755         return count;
756 }
757
758 /****************************************************************************
759  Free a linked list of canonical ACE entries.
760 ****************************************************************************/
761
762 static void free_canon_ace_list( canon_ace *l_head )
763 {
764         canon_ace *list, *next;
765
766         for (list = l_head; list; list = next) {
767                 next = list->next;
768                 DLIST_REMOVE(l_head, list);
769                 SAFE_FREE(list);
770         }
771 }
772
773 /****************************************************************************
774  Function to duplicate a canon_ace entry.
775 ****************************************************************************/
776
777 static canon_ace *dup_canon_ace( canon_ace *src_ace)
778 {
779         canon_ace *dst_ace = SMB_MALLOC_P(canon_ace);
780
781         if (dst_ace == NULL)
782                 return NULL;
783
784         *dst_ace = *src_ace;
785         dst_ace->prev = dst_ace->next = NULL;
786         return dst_ace;
787 }
788
789 /****************************************************************************
790  Print out a canon ace.
791 ****************************************************************************/
792
793 static void print_canon_ace(canon_ace *pace, int num)
794 {
795         dbgtext( "canon_ace index %d. Type = %s ", num, pace->attr == ALLOW_ACE ? "allow" : "deny" );
796         dbgtext( "SID = %s ", sid_string_dbg(&pace->trustee));
797         if (pace->owner_type == UID_ACE) {
798                 const char *u_name = uidtoname(pace->unix_ug.uid);
799                 dbgtext( "uid %u (%s) ", (unsigned int)pace->unix_ug.uid, u_name );
800         } else if (pace->owner_type == GID_ACE) {
801                 char *g_name = gidtoname(pace->unix_ug.gid);
802                 dbgtext( "gid %u (%s) ", (unsigned int)pace->unix_ug.gid, g_name );
803         } else
804                 dbgtext( "other ");
805         switch (pace->type) {
806                 case SMB_ACL_USER:
807                         dbgtext( "SMB_ACL_USER ");
808                         break;
809                 case SMB_ACL_USER_OBJ:
810                         dbgtext( "SMB_ACL_USER_OBJ ");
811                         break;
812                 case SMB_ACL_GROUP:
813                         dbgtext( "SMB_ACL_GROUP ");
814                         break;
815                 case SMB_ACL_GROUP_OBJ:
816                         dbgtext( "SMB_ACL_GROUP_OBJ ");
817                         break;
818                 case SMB_ACL_OTHER:
819                         dbgtext( "SMB_ACL_OTHER ");
820                         break;
821                 default:
822                         dbgtext( "MASK " );
823                         break;
824         }
825
826         dbgtext( "ace_flags = 0x%x ", (unsigned int)pace->ace_flags);
827         dbgtext( "perms ");
828         dbgtext( "%c", pace->perms & S_IRUSR ? 'r' : '-');
829         dbgtext( "%c", pace->perms & S_IWUSR ? 'w' : '-');
830         dbgtext( "%c\n", pace->perms & S_IXUSR ? 'x' : '-');
831 }
832
833 /****************************************************************************
834  Print out a canon ace list.
835 ****************************************************************************/
836
837 static void print_canon_ace_list(const char *name, canon_ace *ace_list)
838 {
839         int count = 0;
840
841         if( DEBUGLVL( 10 )) {
842                 dbgtext( "print_canon_ace_list: %s\n", name );
843                 for (;ace_list; ace_list = ace_list->next, count++)
844                         print_canon_ace(ace_list, count );
845         }
846 }
847
848 /****************************************************************************
849  Map POSIX ACL perms to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
850 ****************************************************************************/
851
852 static mode_t convert_permset_to_mode_t(connection_struct *conn, SMB_ACL_PERMSET_T permset)
853 {
854         mode_t ret = 0;
855
856         ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_READ) ? S_IRUSR : 0);
857         ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_WRITE) ? S_IWUSR : 0);
858         ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_EXECUTE) ? S_IXUSR : 0);
859
860         return ret;
861 }
862
863 /****************************************************************************
864  Map generic UNIX permissions to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
865 ****************************************************************************/
866
867 static mode_t unix_perms_to_acl_perms(mode_t mode, int r_mask, int w_mask, int x_mask)
868 {
869         mode_t ret = 0;
870
871         if (mode & r_mask)
872                 ret |= S_IRUSR;
873         if (mode & w_mask)
874                 ret |= S_IWUSR;
875         if (mode & x_mask)
876                 ret |= S_IXUSR;
877
878         return ret;
879 }
880
881 /****************************************************************************
882  Map canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits) to
883  an SMB_ACL_PERMSET_T.
884 ****************************************************************************/
885
886 static int map_acl_perms_to_permset(connection_struct *conn, mode_t mode, SMB_ACL_PERMSET_T *p_permset)
887 {
888         if (SMB_VFS_SYS_ACL_CLEAR_PERMS(conn, *p_permset) ==  -1)
889                 return -1;
890         if (mode & S_IRUSR) {
891                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_READ) == -1)
892                         return -1;
893         }
894         if (mode & S_IWUSR) {
895                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_WRITE) == -1)
896                         return -1;
897         }
898         if (mode & S_IXUSR) {
899                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_EXECUTE) == -1)
900                         return -1;
901         }
902         return 0;
903 }
904
905 /****************************************************************************
906  Function to create owner and group SIDs from a SMB_STRUCT_STAT.
907 ****************************************************************************/
908
909 void create_file_sids(const SMB_STRUCT_STAT *psbuf, struct dom_sid *powner_sid, struct dom_sid *pgroup_sid)
910 {
911         uid_to_sid( powner_sid, psbuf->st_ex_uid );
912         gid_to_sid( pgroup_sid, psbuf->st_ex_gid );
913 }
914
915 /****************************************************************************
916  Merge aces with a common sid - if both are allow or deny, OR the permissions together and
917  delete the second one. If the first is deny, mask the permissions off and delete the allow
918  if the permissions become zero, delete the deny if the permissions are non zero.
919 ****************************************************************************/
920
921 static void merge_aces( canon_ace **pp_list_head, bool dir_acl)
922 {
923         canon_ace *l_head = *pp_list_head;
924         canon_ace *curr_ace_outer;
925         canon_ace *curr_ace_outer_next;
926
927         /*
928          * First, merge allow entries with identical SIDs, and deny entries
929          * with identical SIDs.
930          */
931
932         for (curr_ace_outer = l_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
933                 canon_ace *curr_ace;
934                 canon_ace *curr_ace_next;
935
936                 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
937
938                 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
939                         bool can_merge = false;
940
941                         curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
942
943                         /* For file ACLs we can merge if the SIDs and ALLOW/DENY
944                          * types are the same. For directory acls we must also
945                          * ensure the POSIX ACL types are the same. */
946
947                         if (!dir_acl) {
948                                 can_merge = (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) &&
949                                                 (curr_ace->attr == curr_ace_outer->attr));
950                         } else {
951                                 can_merge = (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) &&
952                                                 (curr_ace->type == curr_ace_outer->type) &&
953                                                 (curr_ace->attr == curr_ace_outer->attr));
954                         }
955
956                         if (can_merge) {
957                                 if( DEBUGLVL( 10 )) {
958                                         dbgtext("merge_aces: Merging ACE's\n");
959                                         print_canon_ace( curr_ace_outer, 0);
960                                         print_canon_ace( curr_ace, 0);
961                                 }
962
963                                 /* Merge two allow or two deny ACE's. */
964
965                                 /* Theoretically we shouldn't merge a dir ACE if
966                                  * one ACE has the CI flag set, and the other
967                                  * ACE has the OI flag set, but this is rare
968                                  * enough we can ignore it. */
969
970                                 curr_ace_outer->perms |= curr_ace->perms;
971                                 curr_ace_outer->ace_flags |= curr_ace->ace_flags;
972                                 DLIST_REMOVE(l_head, curr_ace);
973                                 SAFE_FREE(curr_ace);
974                                 curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
975                         }
976                 }
977         }
978
979         /*
980          * Now go through and mask off allow permissions with deny permissions.
981          * We can delete either the allow or deny here as we know that each SID
982          * appears only once in the list.
983          */
984
985         for (curr_ace_outer = l_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
986                 canon_ace *curr_ace;
987                 canon_ace *curr_ace_next;
988
989                 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
990
991                 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
992
993                         curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
994
995                         /*
996                          * Subtract ACE's with different entries. Due to the ordering constraints
997                          * we've put on the ACL, we know the deny must be the first one.
998                          */
999
1000                         if (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) &&
1001                                 (curr_ace_outer->attr == DENY_ACE) && (curr_ace->attr == ALLOW_ACE)) {
1002
1003                                 if( DEBUGLVL( 10 )) {
1004                                         dbgtext("merge_aces: Masking ACE's\n");
1005                                         print_canon_ace( curr_ace_outer, 0);
1006                                         print_canon_ace( curr_ace, 0);
1007                                 }
1008
1009                                 curr_ace->perms &= ~curr_ace_outer->perms;
1010
1011                                 if (curr_ace->perms == 0) {
1012
1013                                         /*
1014                                          * The deny overrides the allow. Remove the allow.
1015                                          */
1016
1017                                         DLIST_REMOVE(l_head, curr_ace);
1018                                         SAFE_FREE(curr_ace);
1019                                         curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
1020
1021                                 } else {
1022
1023                                         /*
1024                                          * Even after removing permissions, there
1025                                          * are still allow permissions - delete the deny.
1026                                          * It is safe to delete the deny here,
1027                                          * as we are guarenteed by the deny first
1028                                          * ordering that all the deny entries for
1029                                          * this SID have already been merged into one
1030                                          * before we can get to an allow ace.
1031                                          */
1032
1033                                         DLIST_REMOVE(l_head, curr_ace_outer);
1034                                         SAFE_FREE(curr_ace_outer);
1035                                         break;
1036                                 }
1037                         }
1038
1039                 } /* end for curr_ace */
1040         } /* end for curr_ace_outer */
1041
1042         /* We may have modified the list. */
1043
1044         *pp_list_head = l_head;
1045 }
1046
1047 /****************************************************************************
1048  Check if we need to return NT4.x compatible ACL entries.
1049 ****************************************************************************/
1050
1051 bool nt4_compatible_acls(void)
1052 {
1053         int compat = lp_acl_compatibility();
1054
1055         if (compat == ACL_COMPAT_AUTO) {
1056                 enum remote_arch_types ra_type = get_remote_arch();
1057
1058                 /* Automatically adapt to client */
1059                 return (ra_type <= RA_WINNT);
1060         } else
1061                 return (compat == ACL_COMPAT_WINNT);
1062 }
1063
1064
1065 /****************************************************************************
1066  Map canon_ace perms to permission bits NT.
1067  The attr element is not used here - we only process deny entries on set,
1068  not get. Deny entries are implicit on get with ace->perms = 0.
1069 ****************************************************************************/
1070
1071 uint32_t map_canon_ace_perms(int snum,
1072                                 enum security_ace_type *pacl_type,
1073                                 mode_t perms,
1074                                 bool directory_ace)
1075 {
1076         uint32_t nt_mask = 0;
1077
1078         *pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED;
1079
1080         if (lp_acl_map_full_control(snum) && ((perms & ALL_ACE_PERMS) == ALL_ACE_PERMS)) {
1081                 if (directory_ace) {
1082                         nt_mask = UNIX_DIRECTORY_ACCESS_RWX;
1083                 } else {
1084                         nt_mask = (UNIX_ACCESS_RWX & ~DELETE_ACCESS);
1085                 }
1086         } else if ((perms & ALL_ACE_PERMS) == (mode_t)0) {
1087                 /*
1088                  * Windows NT refuses to display ACEs with no permissions in them (but
1089                  * they are perfectly legal with Windows 2000). If the ACE has empty
1090                  * permissions we cannot use 0, so we use the otherwise unused
1091                  * WRITE_OWNER permission, which we ignore when we set an ACL.
1092                  * We abstract this into a #define of UNIX_ACCESS_NONE to allow this
1093                  * to be changed in the future.
1094                  */
1095
1096                 if (nt4_compatible_acls())
1097                         nt_mask = UNIX_ACCESS_NONE;
1098                 else
1099                         nt_mask = 0;
1100         } else {
1101                 if (directory_ace) {
1102                         nt_mask |= ((perms & S_IRUSR) ? UNIX_DIRECTORY_ACCESS_R : 0 );
1103                         nt_mask |= ((perms & S_IWUSR) ? UNIX_DIRECTORY_ACCESS_W : 0 );
1104                         nt_mask |= ((perms & S_IXUSR) ? UNIX_DIRECTORY_ACCESS_X : 0 );
1105                 } else {
1106                         nt_mask |= ((perms & S_IRUSR) ? UNIX_ACCESS_R : 0 );
1107                         nt_mask |= ((perms & S_IWUSR) ? UNIX_ACCESS_W : 0 );
1108                         nt_mask |= ((perms & S_IXUSR) ? UNIX_ACCESS_X : 0 );
1109                 }
1110         }
1111
1112         if ((perms & S_IWUSR) && lp_dos_filemode(snum)) {
1113                 nt_mask |= (SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|DELETE_ACCESS);
1114         }
1115
1116         DEBUG(10,("map_canon_ace_perms: Mapped (UNIX) %x to (NT) %x\n",
1117                         (unsigned int)perms, (unsigned int)nt_mask ));
1118
1119         return nt_mask;
1120 }
1121
1122 /****************************************************************************
1123  Map NT perms to a UNIX mode_t.
1124 ****************************************************************************/
1125
1126 #define FILE_SPECIFIC_READ_BITS (FILE_READ_DATA|FILE_READ_EA|FILE_READ_ATTRIBUTES)
1127 #define FILE_SPECIFIC_WRITE_BITS (FILE_WRITE_DATA|FILE_APPEND_DATA|FILE_WRITE_EA|FILE_WRITE_ATTRIBUTES)
1128 #define FILE_SPECIFIC_EXECUTE_BITS (FILE_EXECUTE)
1129
1130 static mode_t map_nt_perms( uint32 *mask, int type)
1131 {
1132         mode_t mode = 0;
1133
1134         switch(type) {
1135         case S_IRUSR:
1136                 if((*mask) & GENERIC_ALL_ACCESS)
1137                         mode = S_IRUSR|S_IWUSR|S_IXUSR;
1138                 else {
1139                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRUSR : 0;
1140                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWUSR : 0;
1141                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXUSR : 0;
1142                 }
1143                 break;
1144         case S_IRGRP:
1145                 if((*mask) & GENERIC_ALL_ACCESS)
1146                         mode = S_IRGRP|S_IWGRP|S_IXGRP;
1147                 else {
1148                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRGRP : 0;
1149                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWGRP : 0;
1150                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXGRP : 0;
1151                 }
1152                 break;
1153         case S_IROTH:
1154                 if((*mask) & GENERIC_ALL_ACCESS)
1155                         mode = S_IROTH|S_IWOTH|S_IXOTH;
1156                 else {
1157                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IROTH : 0;
1158                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWOTH : 0;
1159                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXOTH : 0;
1160                 }
1161                 break;
1162         }
1163
1164         return mode;
1165 }
1166
1167 /****************************************************************************
1168  Unpack a struct security_descriptor into a UNIX owner and group.
1169 ****************************************************************************/
1170
1171 NTSTATUS unpack_nt_owners(struct connection_struct *conn,
1172                         uid_t *puser, gid_t *pgrp,
1173                         uint32 security_info_sent, const struct
1174                         security_descriptor *psd)
1175 {
1176         struct dom_sid owner_sid;
1177         struct dom_sid grp_sid;
1178
1179         *puser = (uid_t)-1;
1180         *pgrp = (gid_t)-1;
1181
1182         if(security_info_sent == 0) {
1183                 DEBUG(0,("unpack_nt_owners: no security info sent !\n"));
1184                 return NT_STATUS_OK;
1185         }
1186
1187         /*
1188          * Validate the owner and group SID's.
1189          */
1190
1191         memset(&owner_sid, '\0', sizeof(owner_sid));
1192         memset(&grp_sid, '\0', sizeof(grp_sid));
1193
1194         DEBUG(5,("unpack_nt_owners: validating owner_sids.\n"));
1195
1196         /*
1197          * Don't immediately fail if the owner sid cannot be validated.
1198          * This may be a group chown only set.
1199          */
1200
1201         if (security_info_sent & SECINFO_OWNER) {
1202                 sid_copy(&owner_sid, psd->owner_sid);
1203                 if (!sid_to_uid(&owner_sid, puser)) {
1204                         if (lp_force_unknown_acl_user(SNUM(conn))) {
1205                                 /* this allows take ownership to work
1206                                  * reasonably */
1207                                 *puser = get_current_uid(conn);
1208                         } else {
1209                                 DEBUG(3,("unpack_nt_owners: unable to validate"
1210                                          " owner sid for %s\n",
1211                                          sid_string_dbg(&owner_sid)));
1212                                 return NT_STATUS_INVALID_OWNER;
1213                         }
1214                 }
1215                 DEBUG(3,("unpack_nt_owners: owner sid mapped to uid %u\n",
1216                          (unsigned int)*puser ));
1217         }
1218
1219         /*
1220          * Don't immediately fail if the group sid cannot be validated.
1221          * This may be an owner chown only set.
1222          */
1223
1224         if (security_info_sent & SECINFO_GROUP) {
1225                 sid_copy(&grp_sid, psd->group_sid);
1226                 if (!sid_to_gid( &grp_sid, pgrp)) {
1227                         if (lp_force_unknown_acl_user(SNUM(conn))) {
1228                                 /* this allows take group ownership to work
1229                                  * reasonably */
1230                                 *pgrp = get_current_gid(conn);
1231                         } else {
1232                                 DEBUG(3,("unpack_nt_owners: unable to validate"
1233                                          " group sid.\n"));
1234                                 return NT_STATUS_INVALID_OWNER;
1235                         }
1236                 }
1237                 DEBUG(3,("unpack_nt_owners: group sid mapped to gid %u\n",
1238                          (unsigned int)*pgrp));
1239         }
1240
1241         DEBUG(5,("unpack_nt_owners: owner_sids validated.\n"));
1242
1243         return NT_STATUS_OK;
1244 }
1245
1246 /****************************************************************************
1247  Ensure the enforced permissions for this share apply.
1248 ****************************************************************************/
1249
1250 static void apply_default_perms(const struct share_params *params,
1251                                 const bool is_directory, canon_ace *pace,
1252                                 mode_t type)
1253 {
1254         mode_t and_bits = (mode_t)0;
1255         mode_t or_bits = (mode_t)0;
1256
1257         /* Get the initial bits to apply. */
1258
1259         if (is_directory) {
1260                 and_bits = lp_dir_security_mask(params->service);
1261                 or_bits = lp_force_dir_security_mode(params->service);
1262         } else {
1263                 and_bits = lp_security_mask(params->service);
1264                 or_bits = lp_force_security_mode(params->service);
1265         }
1266
1267         /* Now bounce them into the S_USR space. */     
1268         switch(type) {
1269         case S_IRUSR:
1270                 /* Ensure owner has read access. */
1271                 pace->perms |= S_IRUSR;
1272                 if (is_directory)
1273                         pace->perms |= (S_IWUSR|S_IXUSR);
1274                 and_bits = unix_perms_to_acl_perms(and_bits, S_IRUSR, S_IWUSR, S_IXUSR);
1275                 or_bits = unix_perms_to_acl_perms(or_bits, S_IRUSR, S_IWUSR, S_IXUSR);
1276                 break;
1277         case S_IRGRP:
1278                 and_bits = unix_perms_to_acl_perms(and_bits, S_IRGRP, S_IWGRP, S_IXGRP);
1279                 or_bits = unix_perms_to_acl_perms(or_bits, S_IRGRP, S_IWGRP, S_IXGRP);
1280                 break;
1281         case S_IROTH:
1282                 and_bits = unix_perms_to_acl_perms(and_bits, S_IROTH, S_IWOTH, S_IXOTH);
1283                 or_bits = unix_perms_to_acl_perms(or_bits, S_IROTH, S_IWOTH, S_IXOTH);
1284                 break;
1285         }
1286
1287         pace->perms = ((pace->perms & and_bits)|or_bits);
1288 }
1289
1290 /****************************************************************************
1291  Check if a given uid/SID is in a group gid/SID. This is probably very
1292  expensive and will need optimisation. A *lot* of optimisation :-). JRA.
1293 ****************************************************************************/
1294
1295 static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, canon_ace *group_ace )
1296 {
1297         const char *u_name = NULL;
1298
1299         /* "Everyone" always matches every uid. */
1300
1301         if (dom_sid_equal(&group_ace->trustee, &global_sid_World))
1302                 return True;
1303
1304         /*
1305          * if it's the current user, we already have the unix token
1306          * and don't need to do the complex user_in_group_sid() call
1307          */
1308         if (uid_ace->unix_ug.uid == get_current_uid(conn)) {
1309                 const UNIX_USER_TOKEN *curr_utok = NULL;
1310                 size_t i;
1311
1312                 if (group_ace->unix_ug.gid == get_current_gid(conn)) {
1313                         return True;
1314                 }
1315
1316                 curr_utok = get_current_utok(conn);
1317                 for (i=0; i < curr_utok->ngroups; i++) {
1318                         if (group_ace->unix_ug.gid == curr_utok->groups[i]) {
1319                                 return True;
1320                         }
1321                 }
1322         }
1323
1324         /* u_name talloc'ed off tos. */
1325         u_name = uidtoname(uid_ace->unix_ug.uid);
1326         if (!u_name) {
1327                 return False;
1328         }
1329
1330         /*
1331          * user_in_group_sid() uses create_token_from_username()
1332          * which creates an artificial NT token given just a username,
1333          * so this is not reliable for users from foreign domains
1334          * exported by winbindd!
1335          */
1336         return user_in_group_sid(u_name, &group_ace->trustee);
1337 }
1338
1339 /****************************************************************************
1340  A well formed POSIX file or default ACL has at least 3 entries, a 
1341  SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ.
1342  In addition, the owner must always have at least read access.
1343  When using this call on get_acl, the pst struct is valid and contains
1344  the mode of the file. When using this call on set_acl, the pst struct has
1345  been modified to have a mode containing the default for this file or directory
1346  type.
1347 ****************************************************************************/
1348
1349 static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace,
1350                                      const struct share_params *params,
1351                                      const bool is_directory,
1352                                                         const struct dom_sid *pfile_owner_sid,
1353                                                         const struct dom_sid *pfile_grp_sid,
1354                                                         const SMB_STRUCT_STAT *pst,
1355                                                         bool setting_acl)
1356 {
1357         canon_ace *pace;
1358         bool got_user = False;
1359         bool got_grp = False;
1360         bool got_other = False;
1361         canon_ace *pace_other = NULL;
1362
1363         for (pace = *pp_ace; pace; pace = pace->next) {
1364                 if (pace->type == SMB_ACL_USER_OBJ) {
1365
1366                         if (setting_acl)
1367                                 apply_default_perms(params, is_directory, pace, S_IRUSR);
1368                         got_user = True;
1369
1370                 } else if (pace->type == SMB_ACL_GROUP_OBJ) {
1371
1372                         /*
1373                          * Ensure create mask/force create mode is respected on set.
1374                          */
1375
1376                         if (setting_acl)
1377                                 apply_default_perms(params, is_directory, pace, S_IRGRP);
1378                         got_grp = True;
1379
1380                 } else if (pace->type == SMB_ACL_OTHER) {
1381
1382                         /*
1383                          * Ensure create mask/force create mode is respected on set.
1384                          */
1385
1386                         if (setting_acl)
1387                                 apply_default_perms(params, is_directory, pace, S_IROTH);
1388                         got_other = True;
1389                         pace_other = pace;
1390                 }
1391         }
1392
1393         if (!got_user) {
1394                 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1395                         DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1396                         return False;
1397                 }
1398
1399                 ZERO_STRUCTP(pace);
1400                 pace->type = SMB_ACL_USER_OBJ;
1401                 pace->owner_type = UID_ACE;
1402                 pace->unix_ug.uid = pst->st_ex_uid;
1403                 pace->trustee = *pfile_owner_sid;
1404                 pace->attr = ALLOW_ACE;
1405
1406                 if (setting_acl) {
1407                         /* See if the owning user is in any of the other groups in
1408                            the ACE. If so, OR in the permissions from that group. */
1409
1410                         bool group_matched = False;
1411                         canon_ace *pace_iter;
1412
1413                         for (pace_iter = *pp_ace; pace_iter; pace_iter = pace_iter->next) {
1414                                 if (pace_iter->type == SMB_ACL_GROUP_OBJ || pace_iter->type == SMB_ACL_GROUP) {
1415                                         if (uid_entry_in_group(conn, pace, pace_iter)) {
1416                                                 pace->perms |= pace_iter->perms;
1417                                                 group_matched = True;
1418                                         }
1419                                 }
1420                         }
1421
1422                         /* If we only got an "everyone" perm, just use that. */
1423                         if (!group_matched) {
1424                                 if (got_other)
1425                                         pace->perms = pace_other->perms;
1426                                 else
1427                                         pace->perms = 0;
1428                         }
1429
1430                         apply_default_perms(params, is_directory, pace, S_IRUSR);
1431                 } else {
1432                         pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRUSR, S_IWUSR, S_IXUSR);
1433                 }
1434
1435                 DLIST_ADD(*pp_ace, pace);
1436         }
1437
1438         if (!got_grp) {
1439                 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1440                         DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1441                         return False;
1442                 }
1443
1444                 ZERO_STRUCTP(pace);
1445                 pace->type = SMB_ACL_GROUP_OBJ;
1446                 pace->owner_type = GID_ACE;
1447                 pace->unix_ug.uid = pst->st_ex_gid;
1448                 pace->trustee = *pfile_grp_sid;
1449                 pace->attr = ALLOW_ACE;
1450                 if (setting_acl) {
1451                         /* If we only got an "everyone" perm, just use that. */
1452                         if (got_other)
1453                                 pace->perms = pace_other->perms;
1454                         else
1455                                 pace->perms = 0;
1456                         apply_default_perms(params, is_directory, pace, S_IRGRP);
1457                 } else {
1458                         pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRGRP, S_IWGRP, S_IXGRP);
1459                 }
1460
1461                 DLIST_ADD(*pp_ace, pace);
1462         }
1463
1464         if (!got_other) {
1465                 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1466                         DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1467                         return False;
1468                 }
1469
1470                 ZERO_STRUCTP(pace);
1471                 pace->type = SMB_ACL_OTHER;
1472                 pace->owner_type = WORLD_ACE;
1473                 pace->unix_ug.world = -1;
1474                 pace->trustee = global_sid_World;
1475                 pace->attr = ALLOW_ACE;
1476                 if (setting_acl) {
1477                         pace->perms = 0;
1478                         apply_default_perms(params, is_directory, pace, S_IROTH);
1479                 } else
1480                         pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IROTH, S_IWOTH, S_IXOTH);
1481
1482                 DLIST_ADD(*pp_ace, pace);
1483         }
1484
1485         return True;
1486 }
1487
1488 /****************************************************************************
1489  Check if a POSIX ACL has the required SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries.
1490  If it does not have them, check if there are any entries where the trustee is the
1491  file owner or the owning group, and map these to SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ.
1492 ****************************************************************************/
1493
1494 static void check_owning_objs(canon_ace *ace, struct dom_sid *pfile_owner_sid, struct dom_sid *pfile_grp_sid)
1495 {
1496         bool got_user_obj, got_group_obj;
1497         canon_ace *current_ace;
1498         int i, entries;
1499
1500         entries = count_canon_ace_list(ace);
1501         got_user_obj = False;
1502         got_group_obj = False;
1503
1504         for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1505                 if (current_ace->type == SMB_ACL_USER_OBJ)
1506                         got_user_obj = True;
1507                 else if (current_ace->type == SMB_ACL_GROUP_OBJ)
1508                         got_group_obj = True;
1509         }
1510         if (got_user_obj && got_group_obj) {
1511                 DEBUG(10,("check_owning_objs: ACL had owning user/group entries.\n"));
1512                 return;
1513         }
1514
1515         for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1516                 if (!got_user_obj && current_ace->owner_type == UID_ACE &&
1517                                 dom_sid_equal(&current_ace->trustee, pfile_owner_sid)) {
1518                         current_ace->type = SMB_ACL_USER_OBJ;
1519                         got_user_obj = True;
1520                 }
1521                 if (!got_group_obj && current_ace->owner_type == GID_ACE &&
1522                                 dom_sid_equal(&current_ace->trustee, pfile_grp_sid)) {
1523                         current_ace->type = SMB_ACL_GROUP_OBJ;
1524                         got_group_obj = True;
1525                 }
1526         }
1527         if (!got_user_obj)
1528                 DEBUG(10,("check_owning_objs: ACL is missing an owner entry.\n"));
1529         if (!got_group_obj)
1530                 DEBUG(10,("check_owning_objs: ACL is missing an owning group entry.\n"));
1531 }
1532
1533 /****************************************************************************
1534  If an ACE entry is SMB_ACL_USER_OBJ and not CREATOR_OWNER, map to SMB_ACL_USER.
1535  If an ACE entry is SMB_ACL_GROUP_OBJ and not CREATOR_GROUP, map to SMB_ACL_GROUP
1536 ****************************************************************************/
1537
1538 static bool dup_owning_ace(canon_ace *dir_ace, canon_ace *ace)
1539 {
1540         /* dir ace must be followings.
1541            SMB_ACL_USER_OBJ : trustee(CREATOR_OWNER) -> Posix ACL d:u::perm
1542            SMB_ACL_USER     : not trustee    -> Posix ACL u:user:perm
1543            SMB_ACL_USER_OBJ : trustee -> convert to SMB_ACL_USER : trustee
1544            Posix ACL u:trustee:perm
1545
1546            SMB_ACL_GROUP_OBJ: trustee(CREATOR_GROUP) -> Posix ACL d:g::perm
1547            SMB_ACL_GROUP    : not trustee   -> Posix ACL g:group:perm
1548            SMB_ACL_GROUP_OBJ: trustee -> convert to SMB_ACL_GROUP : trustee
1549            Posix ACL g:trustee:perm
1550         */
1551
1552         if (ace->type == SMB_ACL_USER_OBJ &&
1553                         !(dom_sid_equal(&ace->trustee, &global_sid_Creator_Owner))) {
1554                 canon_ace *dup_ace = dup_canon_ace(ace);
1555
1556                 if (dup_ace == NULL) {
1557                         return false;
1558                 }
1559                 dup_ace->type = SMB_ACL_USER;
1560                 DLIST_ADD_END(dir_ace, dup_ace, canon_ace *);
1561         }
1562
1563         if (ace->type == SMB_ACL_GROUP_OBJ &&
1564                         !(dom_sid_equal(&ace->trustee, &global_sid_Creator_Group))) {
1565                 canon_ace *dup_ace = dup_canon_ace(ace);
1566
1567                 if (dup_ace == NULL) {
1568                         return false;
1569                 }
1570                 dup_ace->type = SMB_ACL_GROUP;
1571                 DLIST_ADD_END(dir_ace, dup_ace, canon_ace *);
1572         }
1573
1574         return true;
1575 }
1576
1577 /****************************************************************************
1578  Unpack a struct security_descriptor into two canonical ace lists.
1579 ****************************************************************************/
1580
1581 static bool create_canon_ace_lists(files_struct *fsp,
1582                                         const SMB_STRUCT_STAT *pst,
1583                                         struct dom_sid *pfile_owner_sid,
1584                                         struct dom_sid *pfile_grp_sid,
1585                                         canon_ace **ppfile_ace,
1586                                         canon_ace **ppdir_ace,
1587                                         const struct security_acl *dacl)
1588 {
1589         bool all_aces_are_inherit_only = (fsp->is_directory ? True : False);
1590         canon_ace *file_ace = NULL;
1591         canon_ace *dir_ace = NULL;
1592         canon_ace *current_ace = NULL;
1593         bool got_dir_allow = False;
1594         bool got_file_allow = False;
1595         int i, j;
1596
1597         *ppfile_ace = NULL;
1598         *ppdir_ace = NULL;
1599
1600         /*
1601          * Convert the incoming ACL into a more regular form.
1602          */
1603
1604         for(i = 0; i < dacl->num_aces; i++) {
1605                 struct security_ace *psa = &dacl->aces[i];
1606
1607                 if((psa->type != SEC_ACE_TYPE_ACCESS_ALLOWED) && (psa->type != SEC_ACE_TYPE_ACCESS_DENIED)) {
1608                         DEBUG(3,("create_canon_ace_lists: unable to set anything but an ALLOW or DENY ACE.\n"));
1609                         return False;
1610                 }
1611
1612                 if (nt4_compatible_acls()) {
1613                         /*
1614                          * The security mask may be UNIX_ACCESS_NONE which should map into
1615                          * no permissions (we overload the WRITE_OWNER bit for this) or it
1616                          * should be one of the ALL/EXECUTE/READ/WRITE bits. Arrange for this
1617                          * to be so. Any other bits override the UNIX_ACCESS_NONE bit.
1618                          */
1619
1620                         /*
1621                          * Convert GENERIC bits to specific bits.
1622                          */
1623  
1624                         se_map_generic(&psa->access_mask, &file_generic_mapping);
1625
1626                         psa->access_mask &= (UNIX_ACCESS_NONE|FILE_ALL_ACCESS);
1627
1628                         if(psa->access_mask != UNIX_ACCESS_NONE)
1629                                 psa->access_mask &= ~UNIX_ACCESS_NONE;
1630                 }
1631         }
1632
1633         /*
1634          * Deal with the fact that NT 4.x re-writes the canonical format
1635          * that we return for default ACLs. If a directory ACE is identical
1636          * to a inherited directory ACE then NT changes the bits so that the
1637          * first ACE is set to OI|IO and the second ACE for this SID is set
1638          * to CI. We need to repair this. JRA.
1639          */
1640
1641         for(i = 0; i < dacl->num_aces; i++) {
1642                 struct security_ace *psa1 = &dacl->aces[i];
1643
1644                 for (j = i + 1; j < dacl->num_aces; j++) {
1645                         struct security_ace *psa2 = &dacl->aces[j];
1646
1647                         if (psa1->access_mask != psa2->access_mask)
1648                                 continue;
1649
1650                         if (!dom_sid_equal(&psa1->trustee, &psa2->trustee))
1651                                 continue;
1652
1653                         /*
1654                          * Ok - permission bits and SIDs are equal.
1655                          * Check if flags were re-written.
1656                          */
1657
1658                         if (psa1->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1659
1660                                 psa1->flags |= (psa2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1661                                 psa2->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1662
1663                         } else if (psa2->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1664
1665                                 psa2->flags |= (psa1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1666                                 psa1->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1667
1668                         }
1669                 }
1670         }
1671
1672         for(i = 0; i < dacl->num_aces; i++) {
1673                 struct security_ace *psa = &dacl->aces[i];
1674
1675                 /*
1676                  * Create a canon_ace entry representing this NT DACL ACE.
1677                  */
1678
1679                 if ((current_ace = SMB_MALLOC_P(canon_ace)) == NULL) {
1680                         free_canon_ace_list(file_ace);
1681                         free_canon_ace_list(dir_ace);
1682                         DEBUG(0,("create_canon_ace_lists: malloc fail.\n"));
1683                         return False;
1684                 }
1685
1686                 ZERO_STRUCTP(current_ace);
1687
1688                 sid_copy(&current_ace->trustee, &psa->trustee);
1689
1690                 /*
1691                  * Try and work out if the SID is a user or group
1692                  * as we need to flag these differently for POSIX.
1693                  * Note what kind of a POSIX ACL this should map to.
1694                  */
1695
1696                 if( dom_sid_equal(&current_ace->trustee, &global_sid_World)) {
1697                         current_ace->owner_type = WORLD_ACE;
1698                         current_ace->unix_ug.world = -1;
1699                         current_ace->type = SMB_ACL_OTHER;
1700                 } else if (dom_sid_equal(&current_ace->trustee, &global_sid_Creator_Owner)) {
1701                         current_ace->owner_type = UID_ACE;
1702                         current_ace->unix_ug.uid = pst->st_ex_uid;
1703                         current_ace->type = SMB_ACL_USER_OBJ;
1704
1705                         /*
1706                          * The Creator Owner entry only specifies inheritable permissions,
1707                          * never access permissions. WinNT doesn't always set the ACE to
1708                          * INHERIT_ONLY, though.
1709                          */
1710
1711                         psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1712
1713                 } else if (dom_sid_equal(&current_ace->trustee, &global_sid_Creator_Group)) {
1714                         current_ace->owner_type = GID_ACE;
1715                         current_ace->unix_ug.gid = pst->st_ex_gid;
1716                         current_ace->type = SMB_ACL_GROUP_OBJ;
1717
1718                         /*
1719                          * The Creator Group entry only specifies inheritable permissions,
1720                          * never access permissions. WinNT doesn't always set the ACE to
1721                          * INHERIT_ONLY, though.
1722                          */
1723                         psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1724
1725                 } else if (sid_to_uid( &current_ace->trustee, &current_ace->unix_ug.uid)) {
1726                         current_ace->owner_type = UID_ACE;
1727                         /* If it's the owning user, this is a user_obj, not
1728                          * a user. */
1729                         if (current_ace->unix_ug.uid == pst->st_ex_uid) {
1730                                 current_ace->type = SMB_ACL_USER_OBJ;
1731                         } else {
1732                                 current_ace->type = SMB_ACL_USER;
1733                         }
1734                 } else if (sid_to_gid( &current_ace->trustee, &current_ace->unix_ug.gid)) {
1735                         current_ace->owner_type = GID_ACE;
1736                         /* If it's the primary group, this is a group_obj, not
1737                          * a group. */
1738                         if (current_ace->unix_ug.gid == pst->st_ex_gid) {
1739                                 current_ace->type = SMB_ACL_GROUP_OBJ;
1740                         } else {
1741                                 current_ace->type = SMB_ACL_GROUP;
1742                         }
1743                 } else {
1744                         /*
1745                          * Silently ignore map failures in non-mappable SIDs (NT Authority, BUILTIN etc).
1746                          */
1747
1748                         if (non_mappable_sid(&psa->trustee)) {
1749                                 DEBUG(10, ("create_canon_ace_lists: ignoring "
1750                                            "non-mappable SID %s\n",
1751                                            sid_string_dbg(&psa->trustee)));
1752                                 SAFE_FREE(current_ace);
1753                                 continue;
1754                         }
1755
1756                         free_canon_ace_list(file_ace);
1757                         free_canon_ace_list(dir_ace);
1758                         DEBUG(0, ("create_canon_ace_lists: unable to map SID "
1759                                   "%s to uid or gid.\n",
1760                                   sid_string_dbg(&current_ace->trustee)));
1761                         SAFE_FREE(current_ace);
1762                         return False;
1763                 }
1764
1765                 /*
1766                  * Map the given NT permissions into a UNIX mode_t containing only
1767                  * S_I(R|W|X)USR bits.
1768                  */
1769
1770                 current_ace->perms |= map_nt_perms( &psa->access_mask, S_IRUSR);
1771                 current_ace->attr = (psa->type == SEC_ACE_TYPE_ACCESS_ALLOWED) ? ALLOW_ACE : DENY_ACE;
1772
1773                 /* Store the ace_flag. */
1774                 current_ace->ace_flags = psa->flags;
1775
1776                 /*
1777                  * Now add the created ace to either the file list, the directory
1778                  * list, or both. We *MUST* preserve the order here (hence we use
1779                  * DLIST_ADD_END) as NT ACLs are order dependent.
1780                  */
1781
1782                 if (fsp->is_directory) {
1783
1784                         /*
1785                          * We can only add to the default POSIX ACE list if the ACE is
1786                          * designed to be inherited by both files and directories.
1787                          */
1788
1789                         if ((psa->flags & (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) ==
1790                                 (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) {
1791
1792                                 DLIST_ADD_END(dir_ace, current_ace, canon_ace *);
1793
1794                                 /*
1795                                  * Note if this was an allow ace. We can't process
1796                                  * any further deny ace's after this.
1797                                  */
1798
1799                                 if (current_ace->attr == ALLOW_ACE)
1800                                         got_dir_allow = True;
1801
1802                                 if ((current_ace->attr == DENY_ACE) && got_dir_allow) {
1803                                         DEBUG(0,("create_canon_ace_lists: "
1804                                                  "malformed ACL in "
1805                                                  "inheritable ACL! Deny entry "
1806                                                  "after Allow entry. Failing "
1807                                                  "to set on file %s.\n",
1808                                                  fsp_str_dbg(fsp)));
1809                                         free_canon_ace_list(file_ace);
1810                                         free_canon_ace_list(dir_ace);
1811                                         return False;
1812                                 }       
1813
1814                                 if( DEBUGLVL( 10 )) {
1815                                         dbgtext("create_canon_ace_lists: adding dir ACL:\n");
1816                                         print_canon_ace( current_ace, 0);
1817                                 }
1818
1819                                 /*
1820                                  * We have a lossy mapping: directory ACE entries
1821                                  * CREATOR_OWNER ------\
1822                                  *     (map to)         +---> SMB_ACL_USER_OBJ
1823                                  * owning sid    ------/
1824                                  *
1825                                  * CREATOR_GROUP ------\
1826                                  *     (map to)         +---> SMB_ACL_GROUP_OBJ
1827                                  * primary group sid --/
1828                                  *
1829                                  * on set. And on read of a directory ACL
1830                                  *
1831                                  * SMB_ACL_USER_OBJ ----> CREATOR_OWNER
1832                                  * SMB_ACL_GROUP_OBJ ---> CREATOR_GROUP.
1833                                  *
1834                                  * Deal with this on set by duplicating
1835                                  * owning sid and primary group sid ACE
1836                                  * entries into the directory ACL.
1837                                  * Fix from Tsukasa Hamano <hamano@osstech.co.jp>.
1838                                  */
1839
1840                                 if (!dup_owning_ace(dir_ace, current_ace)) {
1841                                         DEBUG(0,("create_canon_ace_lists: malloc fail !\n"));
1842                                         free_canon_ace_list(file_ace);
1843                                         free_canon_ace_list(dir_ace);
1844                                         return false;
1845                                 }
1846
1847                                 /*
1848                                  * If this is not an inherit only ACE we need to add a duplicate
1849                                  * to the file acl.
1850                                  */
1851
1852                                 if (!(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1853                                         canon_ace *dup_ace = dup_canon_ace(current_ace);
1854
1855                                         if (!dup_ace) {
1856                                                 DEBUG(0,("create_canon_ace_lists: malloc fail !\n"));
1857                                                 free_canon_ace_list(file_ace);
1858                                                 free_canon_ace_list(dir_ace);
1859                                                 return False;
1860                                         }
1861
1862                                         /*
1863                                          * We must not free current_ace here as its
1864                                          * pointer is now owned by the dir_ace list.
1865                                          */
1866                                         current_ace = dup_ace;
1867                                         /* We've essentially split this ace into two,
1868                                          * and added the ace with inheritance request
1869                                          * bits to the directory ACL. Drop those bits for
1870                                          * the ACE we're adding to the file list. */
1871                                         current_ace->ace_flags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT|
1872                                                                 SEC_ACE_FLAG_CONTAINER_INHERIT|
1873                                                                 SEC_ACE_FLAG_INHERIT_ONLY);
1874                                 } else {
1875                                         /*
1876                                          * We must not free current_ace here as its
1877                                          * pointer is now owned by the dir_ace list.
1878                                          */
1879                                         current_ace = NULL;
1880                                 }
1881                         }
1882                 }
1883
1884                 /*
1885                  * Only add to the file ACL if not inherit only.
1886                  */
1887
1888                 if (current_ace && !(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1889                         DLIST_ADD_END(file_ace, current_ace, canon_ace *);
1890
1891                         /*
1892                          * Note if this was an allow ace. We can't process
1893                          * any further deny ace's after this.
1894                          */
1895
1896                         if (current_ace->attr == ALLOW_ACE)
1897                                 got_file_allow = True;
1898
1899                         if ((current_ace->attr == DENY_ACE) && got_file_allow) {
1900                                 DEBUG(0,("create_canon_ace_lists: malformed "
1901                                          "ACL in file ACL ! Deny entry after "
1902                                          "Allow entry. Failing to set on file "
1903                                          "%s.\n", fsp_str_dbg(fsp)));
1904                                 free_canon_ace_list(file_ace);
1905                                 free_canon_ace_list(dir_ace);
1906                                 return False;
1907                         }       
1908
1909                         if( DEBUGLVL( 10 )) {
1910                                 dbgtext("create_canon_ace_lists: adding file ACL:\n");
1911                                 print_canon_ace( current_ace, 0);
1912                         }
1913                         all_aces_are_inherit_only = False;
1914                         /*
1915                          * We must not free current_ace here as its
1916                          * pointer is now owned by the file_ace list.
1917                          */
1918                         current_ace = NULL;
1919                 }
1920
1921                 /*
1922                  * Free if ACE was not added.
1923                  */
1924
1925                 SAFE_FREE(current_ace);
1926         }
1927
1928         if (fsp->is_directory && all_aces_are_inherit_only) {
1929                 /*
1930                  * Windows 2000 is doing one of these weird 'inherit acl'
1931                  * traverses to conserve NTFS ACL resources. Just pretend
1932                  * there was no DACL sent. JRA.
1933                  */
1934
1935                 DEBUG(10,("create_canon_ace_lists: Win2k inherit acl traverse. Ignoring DACL.\n"));
1936                 free_canon_ace_list(file_ace);
1937                 free_canon_ace_list(dir_ace);
1938                 file_ace = NULL;
1939                 dir_ace = NULL;
1940         } else {
1941                 /*
1942                  * Check if we have SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries in each
1943                  * ACL. If we don't have them, check if any SMB_ACL_USER/SMB_ACL_GROUP
1944                  * entries can be converted to *_OBJ. Usually we will already have these
1945                  * entries in the Default ACL, and the Access ACL will not have them.
1946                  */
1947                 if (file_ace) {
1948                         check_owning_objs(file_ace, pfile_owner_sid, pfile_grp_sid);
1949                 }
1950                 if (dir_ace) {
1951                         check_owning_objs(dir_ace, pfile_owner_sid, pfile_grp_sid);
1952                 }
1953         }
1954
1955         *ppfile_ace = file_ace;
1956         *ppdir_ace = dir_ace;
1957
1958         return True;
1959 }
1960
1961 /****************************************************************************
1962  ASCII art time again... JRA :-).
1963
1964  We have 4 cases to process when moving from an NT ACL to a POSIX ACL. Firstly,
1965  we insist the ACL is in canonical form (ie. all DENY entries preceede ALLOW
1966  entries). Secondly, the merge code has ensured that all duplicate SID entries for
1967  allow or deny have been merged, so the same SID can only appear once in the deny
1968  list or once in the allow list.
1969
1970  We then process as follows :
1971
1972  ---------------------------------------------------------------------------
1973  First pass - look for a Everyone DENY entry.
1974
1975  If it is deny all (rwx) trunate the list at this point.
1976  Else, walk the list from this point and use the deny permissions of this
1977  entry as a mask on all following allow entries. Finally, delete
1978  the Everyone DENY entry (we have applied it to everything possible).
1979
1980  In addition, in this pass we remove any DENY entries that have 
1981  no permissions (ie. they are a DENY nothing).
1982  ---------------------------------------------------------------------------
1983  Second pass - only deal with deny user entries.
1984
1985  DENY user1 (perms XXX)
1986
1987  new_perms = 0
1988  for all following allow group entries where user1 is in group
1989         new_perms |= group_perms;
1990
1991  user1 entry perms = new_perms & ~ XXX;
1992
1993  Convert the deny entry to an allow entry with the new perms and
1994  push to the end of the list. Note if the user was in no groups
1995  this maps to a specific allow nothing entry for this user.
1996
1997  The common case from the NT ACL choser (userX deny all) is
1998  optimised so we don't do the group lookup - we just map to
1999  an allow nothing entry.
2000
2001  What we're doing here is inferring the allow permissions the
2002  person setting the ACE on user1 wanted by looking at the allow
2003  permissions on the groups the user is currently in. This will
2004  be a snapshot, depending on group membership but is the best
2005  we can do and has the advantage of failing closed rather than
2006  open.
2007  ---------------------------------------------------------------------------
2008  Third pass - only deal with deny group entries.
2009
2010  DENY group1 (perms XXX)
2011
2012  for all following allow user entries where user is in group1
2013    user entry perms = user entry perms & ~ XXX;
2014
2015  If there is a group Everyone allow entry with permissions YYY,
2016  convert the group1 entry to an allow entry and modify its
2017  permissions to be :
2018
2019  new_perms = YYY & ~ XXX
2020
2021  and push to the end of the list.
2022
2023  If there is no group Everyone allow entry then convert the
2024  group1 entry to a allow nothing entry and push to the end of the list.
2025
2026  Note that the common case from the NT ACL choser (groupX deny all)
2027  cannot be optimised here as we need to modify user entries who are
2028  in the group to change them to a deny all also.
2029
2030  What we're doing here is modifying the allow permissions of
2031  user entries (which are more specific in POSIX ACLs) to mask
2032  out the explicit deny set on the group they are in. This will
2033  be a snapshot depending on current group membership but is the
2034  best we can do and has the advantage of failing closed rather
2035  than open.
2036  ---------------------------------------------------------------------------
2037  Fourth pass - cope with cumulative permissions.
2038
2039  for all allow user entries, if there exists an allow group entry with
2040  more permissive permissions, and the user is in that group, rewrite the
2041  allow user permissions to contain both sets of permissions.
2042
2043  Currently the code for this is #ifdef'ed out as these semantics make
2044  no sense to me. JRA.
2045  ---------------------------------------------------------------------------
2046
2047  Note we *MUST* do the deny user pass first as this will convert deny user
2048  entries into allow user entries which can then be processed by the deny
2049  group pass.
2050
2051  The above algorithm took a *lot* of thinking about - hence this
2052  explaination :-). JRA.
2053 ****************************************************************************/
2054
2055 /****************************************************************************
2056  Process a canon_ace list entries. This is very complex code. We need
2057  to go through and remove the "deny" permissions from any allow entry that matches
2058  the id of this entry. We have already refused any NT ACL that wasn't in correct
2059  order (DENY followed by ALLOW). If any allow entry ends up with zero permissions,
2060  we just remove it (to fail safe). We have already removed any duplicate ace
2061  entries. Treat an "Everyone" DENY_ACE as a special case - use it to mask all
2062  allow entries.
2063 ****************************************************************************/
2064
2065 static void process_deny_list(connection_struct *conn, canon_ace **pp_ace_list )
2066 {
2067         canon_ace *ace_list = *pp_ace_list;
2068         canon_ace *curr_ace = NULL;
2069         canon_ace *curr_ace_next = NULL;
2070
2071         /* Pass 1 above - look for an Everyone, deny entry. */
2072
2073         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2074                 canon_ace *allow_ace_p;
2075
2076                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2077
2078                 if (curr_ace->attr != DENY_ACE)
2079                         continue;
2080
2081                 if (curr_ace->perms == (mode_t)0) {
2082
2083                         /* Deny nothing entry - delete. */
2084
2085                         DLIST_REMOVE(ace_list, curr_ace);
2086                         continue;
2087                 }
2088
2089                 if (!dom_sid_equal(&curr_ace->trustee, &global_sid_World))
2090                         continue;
2091
2092                 /* JRATEST - assert. */
2093                 SMB_ASSERT(curr_ace->owner_type == WORLD_ACE);
2094
2095                 if (curr_ace->perms == ALL_ACE_PERMS) {
2096
2097                         /*
2098                          * Optimisation. This is a DENY_ALL to Everyone. Truncate the
2099                          * list at this point including this entry.
2100                          */
2101
2102                         canon_ace *prev_entry = DLIST_PREV(curr_ace);
2103
2104                         free_canon_ace_list( curr_ace );
2105                         if (prev_entry)
2106                                 DLIST_REMOVE(ace_list, prev_entry);
2107                         else {
2108                                 /* We deleted the entire list. */
2109                                 ace_list = NULL;
2110                         }
2111                         break;
2112                 }
2113
2114                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2115
2116                         /* 
2117                          * Only mask off allow entries.
2118                          */
2119
2120                         if (allow_ace_p->attr != ALLOW_ACE)
2121                                 continue;
2122
2123                         allow_ace_p->perms &= ~curr_ace->perms;
2124                 }
2125
2126                 /*
2127                  * Now it's been applied, remove it.
2128                  */
2129
2130                 DLIST_REMOVE(ace_list, curr_ace);
2131         }
2132
2133         /* Pass 2 above - deal with deny user entries. */
2134
2135         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2136                 mode_t new_perms = (mode_t)0;
2137                 canon_ace *allow_ace_p;
2138
2139                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2140
2141                 if (curr_ace->attr != DENY_ACE)
2142                         continue;
2143
2144                 if (curr_ace->owner_type != UID_ACE)
2145                         continue;
2146
2147                 if (curr_ace->perms == ALL_ACE_PERMS) {
2148
2149                         /*
2150                          * Optimisation - this is a deny everything to this user.
2151                          * Convert to an allow nothing and push to the end of the list.
2152                          */
2153
2154                         curr_ace->attr = ALLOW_ACE;
2155                         curr_ace->perms = (mode_t)0;
2156                         DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
2157                         continue;
2158                 }
2159
2160                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2161
2162                         if (allow_ace_p->attr != ALLOW_ACE)
2163                                 continue;
2164
2165                         /* We process GID_ACE and WORLD_ACE entries only. */
2166
2167                         if (allow_ace_p->owner_type == UID_ACE)
2168                                 continue;
2169
2170                         if (uid_entry_in_group(conn, curr_ace, allow_ace_p))
2171                                 new_perms |= allow_ace_p->perms;
2172                 }
2173
2174                 /*
2175                  * Convert to a allow entry, modify the perms and push to the end
2176                  * of the list.
2177                  */
2178
2179                 curr_ace->attr = ALLOW_ACE;
2180                 curr_ace->perms = (new_perms & ~curr_ace->perms);
2181                 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
2182         }
2183
2184         /* Pass 3 above - deal with deny group entries. */
2185
2186         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2187                 canon_ace *allow_ace_p;
2188                 canon_ace *allow_everyone_p = NULL;
2189
2190                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2191
2192                 if (curr_ace->attr != DENY_ACE)
2193                         continue;
2194
2195                 if (curr_ace->owner_type != GID_ACE)
2196                         continue;
2197
2198                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2199
2200                         if (allow_ace_p->attr != ALLOW_ACE)
2201                                 continue;
2202
2203                         /* Store a pointer to the Everyone allow, if it exists. */
2204                         if (allow_ace_p->owner_type == WORLD_ACE)
2205                                 allow_everyone_p = allow_ace_p;
2206
2207                         /* We process UID_ACE entries only. */
2208
2209                         if (allow_ace_p->owner_type != UID_ACE)
2210                                 continue;
2211
2212                         /* Mask off the deny group perms. */
2213
2214                         if (uid_entry_in_group(conn, allow_ace_p, curr_ace))
2215                                 allow_ace_p->perms &= ~curr_ace->perms;
2216                 }
2217
2218                 /*
2219                  * Convert the deny to an allow with the correct perms and
2220                  * push to the end of the list.
2221                  */
2222
2223                 curr_ace->attr = ALLOW_ACE;
2224                 if (allow_everyone_p)
2225                         curr_ace->perms = allow_everyone_p->perms & ~curr_ace->perms;
2226                 else
2227                         curr_ace->perms = (mode_t)0;
2228                 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
2229         }
2230
2231         /* Doing this fourth pass allows Windows semantics to be layered
2232          * on top of POSIX semantics. I'm not sure if this is desirable.
2233          * For example, in W2K ACLs there is no way to say, "Group X no
2234          * access, user Y full access" if user Y is a member of group X.
2235          * This seems completely broken semantics to me.... JRA.
2236          */
2237
2238 #if 0
2239         /* Pass 4 above - deal with allow entries. */
2240
2241         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2242                 canon_ace *allow_ace_p;
2243
2244                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2245
2246                 if (curr_ace->attr != ALLOW_ACE)
2247                         continue;
2248
2249                 if (curr_ace->owner_type != UID_ACE)
2250                         continue;
2251
2252                 for (allow_ace_p = ace_list; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2253
2254                         if (allow_ace_p->attr != ALLOW_ACE)
2255                                 continue;
2256
2257                         /* We process GID_ACE entries only. */
2258
2259                         if (allow_ace_p->owner_type != GID_ACE)
2260                                 continue;
2261
2262                         /* OR in the group perms. */
2263
2264                         if (uid_entry_in_group(conn, curr_ace, allow_ace_p))
2265                                 curr_ace->perms |= allow_ace_p->perms;
2266                 }
2267         }
2268 #endif
2269
2270         *pp_ace_list = ace_list;
2271 }
2272
2273 /****************************************************************************
2274  Create a default mode that will be used if a security descriptor entry has
2275  no user/group/world entries.
2276 ****************************************************************************/
2277
2278 static mode_t create_default_mode(files_struct *fsp, bool interitable_mode)
2279 {
2280         int snum = SNUM(fsp->conn);
2281         mode_t and_bits = (mode_t)0;
2282         mode_t or_bits = (mode_t)0;
2283         mode_t mode;
2284
2285         if (interitable_mode) {
2286                 mode = unix_mode(fsp->conn, FILE_ATTRIBUTE_ARCHIVE,
2287                                  fsp->fsp_name, NULL);
2288         } else {
2289                 mode = S_IRUSR;
2290         }
2291
2292         if (fsp->is_directory)
2293                 mode |= (S_IWUSR|S_IXUSR);
2294
2295         /*
2296          * Now AND with the create mode/directory mode bits then OR with the
2297          * force create mode/force directory mode bits.
2298          */
2299
2300         if (fsp->is_directory) {
2301                 and_bits = lp_dir_security_mask(snum);
2302                 or_bits = lp_force_dir_security_mode(snum);
2303         } else {
2304                 and_bits = lp_security_mask(snum);
2305                 or_bits = lp_force_security_mode(snum);
2306         }
2307
2308         return ((mode & and_bits)|or_bits);
2309 }
2310
2311 /****************************************************************************
2312  Unpack a struct security_descriptor into two canonical ace lists. We don't depend on this
2313  succeeding.
2314 ****************************************************************************/
2315
2316 static bool unpack_canon_ace(files_struct *fsp,
2317                                 const SMB_STRUCT_STAT *pst,
2318                                 struct dom_sid *pfile_owner_sid,
2319                                 struct dom_sid *pfile_grp_sid,
2320                                 canon_ace **ppfile_ace,
2321                                 canon_ace **ppdir_ace,
2322                                 uint32 security_info_sent,
2323                                 const struct security_descriptor *psd)
2324 {
2325         SMB_STRUCT_STAT st;
2326         canon_ace *file_ace = NULL;
2327         canon_ace *dir_ace = NULL;
2328
2329         *ppfile_ace = NULL;
2330         *ppdir_ace = NULL;
2331
2332         if(security_info_sent == 0) {
2333                 DEBUG(0,("unpack_canon_ace: no security info sent !\n"));
2334                 return False;
2335         }
2336
2337         /*
2338          * If no DACL then this is a chown only security descriptor.
2339          */
2340
2341         if(!(security_info_sent & SECINFO_DACL) || !psd->dacl)
2342                 return True;
2343
2344         /*
2345          * Now go through the DACL and create the canon_ace lists.
2346          */
2347
2348         if (!create_canon_ace_lists( fsp, pst, pfile_owner_sid, pfile_grp_sid,
2349                                                                 &file_ace, &dir_ace, psd->dacl))
2350                 return False;
2351
2352         if ((file_ace == NULL) && (dir_ace == NULL)) {
2353                 /* W2K traverse DACL set - ignore. */
2354                 return True;
2355         }
2356
2357         /*
2358          * Go through the canon_ace list and merge entries
2359          * belonging to identical users of identical allow or deny type.
2360          * We can do this as all deny entries come first, followed by
2361          * all allow entries (we have mandated this before accepting this acl).
2362          */
2363
2364         print_canon_ace_list( "file ace - before merge", file_ace);
2365         merge_aces( &file_ace, false);
2366
2367         print_canon_ace_list( "dir ace - before merge", dir_ace);
2368         merge_aces( &dir_ace, true);
2369
2370         /*
2371          * NT ACLs are order dependent. Go through the acl lists and
2372          * process DENY entries by masking the allow entries.
2373          */
2374
2375         print_canon_ace_list( "file ace - before deny", file_ace);
2376         process_deny_list(fsp->conn, &file_ace);
2377
2378         print_canon_ace_list( "dir ace - before deny", dir_ace);
2379         process_deny_list(fsp->conn, &dir_ace);
2380
2381         /*
2382          * A well formed POSIX file or default ACL has at least 3 entries, a 
2383          * SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ
2384          * and optionally a mask entry. Ensure this is the case.
2385          */
2386
2387         print_canon_ace_list( "file ace - before valid", file_ace);
2388
2389         st = *pst;
2390
2391         /*
2392          * A default 3 element mode entry for a file should be r-- --- ---.
2393          * A default 3 element mode entry for a directory should be rwx --- ---.
2394          */
2395
2396         st.st_ex_mode = create_default_mode(fsp, False);
2397
2398         if (!ensure_canon_entry_valid(fsp->conn, &file_ace, fsp->conn->params,
2399                         fsp->is_directory, pfile_owner_sid, pfile_grp_sid, &st, True)) {
2400                 free_canon_ace_list(file_ace);
2401                 free_canon_ace_list(dir_ace);
2402                 return False;
2403         }
2404
2405         print_canon_ace_list( "dir ace - before valid", dir_ace);
2406
2407         /*
2408          * A default inheritable 3 element mode entry for a directory should be the
2409          * mode Samba will use to create a file within. Ensure user rwx bits are set if
2410          * it's a directory.
2411          */
2412
2413         st.st_ex_mode = create_default_mode(fsp, True);
2414
2415         if (dir_ace && !ensure_canon_entry_valid(fsp->conn, &dir_ace, fsp->conn->params,
2416                         fsp->is_directory, pfile_owner_sid, pfile_grp_sid, &st, True)) {
2417                 free_canon_ace_list(file_ace);
2418                 free_canon_ace_list(dir_ace);
2419                 return False;
2420         }
2421
2422         print_canon_ace_list( "file ace - return", file_ace);
2423         print_canon_ace_list( "dir ace - return", dir_ace);
2424
2425         *ppfile_ace = file_ace;
2426         *ppdir_ace = dir_ace;
2427         return True;
2428
2429 }
2430
2431 /******************************************************************************
2432  When returning permissions, try and fit NT display
2433  semantics if possible. Note the the canon_entries here must have been malloced.
2434  The list format should be - first entry = owner, followed by group and other user
2435  entries, last entry = other.
2436
2437  Note that this doesn't exactly match the NT semantics for an ACL. As POSIX entries
2438  are not ordered, and match on the most specific entry rather than walking a list,
2439  then a simple POSIX permission of rw-r--r-- should really map to 5 entries,
2440
2441  Entry 0: owner : deny all except read and write.
2442  Entry 1: owner : allow read and write.
2443  Entry 2: group : deny all except read.
2444  Entry 3: group : allow read.
2445  Entry 4: Everyone : allow read.
2446
2447  But NT cannot display this in their ACL editor !
2448 ********************************************************************************/
2449
2450 static void arrange_posix_perms(const char *filename, canon_ace **pp_list_head)
2451 {
2452         canon_ace *l_head = *pp_list_head;
2453         canon_ace *owner_ace = NULL;
2454         canon_ace *other_ace = NULL;
2455         canon_ace *ace = NULL;
2456
2457         for (ace = l_head; ace; ace = ace->next) {
2458                 if (ace->type == SMB_ACL_USER_OBJ)
2459                         owner_ace = ace;
2460                 else if (ace->type == SMB_ACL_OTHER) {
2461                         /* Last ace - this is "other" */
2462                         other_ace = ace;
2463                 }
2464         }
2465
2466         if (!owner_ace || !other_ace) {
2467                 DEBUG(0,("arrange_posix_perms: Invalid POSIX permissions for file %s, missing owner or other.\n",
2468                         filename ));
2469                 return;
2470         }
2471
2472         /*
2473          * The POSIX algorithm applies to owner first, and other last,
2474          * so ensure they are arranged in this order.
2475          */
2476
2477         if (owner_ace) {
2478                 DLIST_PROMOTE(l_head, owner_ace);
2479         }
2480
2481         if (other_ace) {
2482                 DLIST_DEMOTE(l_head, other_ace, canon_ace *);
2483         }
2484
2485         /* We have probably changed the head of the list. */
2486
2487         *pp_list_head = l_head;
2488 }
2489
2490 /****************************************************************************
2491  Create a linked list of canonical ACE entries.
2492 ****************************************************************************/
2493
2494 static canon_ace *canonicalise_acl(struct connection_struct *conn,
2495                                    const char *fname, SMB_ACL_T posix_acl,
2496                                    const SMB_STRUCT_STAT *psbuf,
2497                                    const struct dom_sid *powner, const struct dom_sid *pgroup, struct pai_val *pal, SMB_ACL_TYPE_T the_acl_type)
2498 {
2499         mode_t acl_mask = (S_IRUSR|S_IWUSR|S_IXUSR);
2500         canon_ace *l_head = NULL;
2501         canon_ace *ace = NULL;
2502         canon_ace *next_ace = NULL;
2503         int entry_id = SMB_ACL_FIRST_ENTRY;
2504         SMB_ACL_ENTRY_T entry;
2505         size_t ace_count;
2506
2507         while ( posix_acl && (SMB_VFS_SYS_ACL_GET_ENTRY(conn, posix_acl, entry_id, &entry) == 1)) {
2508                 SMB_ACL_TAG_T tagtype;
2509                 SMB_ACL_PERMSET_T permset;
2510                 struct dom_sid sid;
2511                 posix_id unix_ug;
2512                 enum ace_owner owner_type;
2513
2514                 entry_id = SMB_ACL_NEXT_ENTRY;
2515
2516                 /* Is this a MASK entry ? */
2517                 if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) == -1)
2518                         continue;
2519
2520                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1)
2521                         continue;
2522
2523                 /* Decide which SID to use based on the ACL type. */
2524                 switch(tagtype) {
2525                         case SMB_ACL_USER_OBJ:
2526                                 /* Get the SID from the owner. */
2527                                 sid_copy(&sid, powner);
2528                                 unix_ug.uid = psbuf->st_ex_uid;
2529                                 owner_type = UID_ACE;
2530                                 break;
2531                         case SMB_ACL_USER:
2532                                 {
2533                                         uid_t *puid = (uid_t *)SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry);
2534                                         if (puid == NULL) {
2535                                                 DEBUG(0,("canonicalise_acl: Failed to get uid.\n"));
2536                                                 continue;
2537                                         }
2538                                         uid_to_sid( &sid, *puid);
2539                                         unix_ug.uid = *puid;
2540                                         owner_type = UID_ACE;
2541                                         SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)puid,tagtype);
2542                                         break;
2543                                 }
2544                         case SMB_ACL_GROUP_OBJ:
2545                                 /* Get the SID from the owning group. */
2546                                 sid_copy(&sid, pgroup);
2547                                 unix_ug.gid = psbuf->st_ex_gid;
2548                                 owner_type = GID_ACE;
2549                                 break;
2550                         case SMB_ACL_GROUP:
2551                                 {
2552                                         gid_t *pgid = (gid_t *)SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry);
2553                                         if (pgid == NULL) {
2554                                                 DEBUG(0,("canonicalise_acl: Failed to get gid.\n"));
2555                                                 continue;
2556                                         }
2557                                         gid_to_sid( &sid, *pgid);
2558                                         unix_ug.gid = *pgid;
2559                                         owner_type = GID_ACE;
2560                                         SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)pgid,tagtype);
2561                                         break;
2562                                 }
2563                         case SMB_ACL_MASK:
2564                                 acl_mask = convert_permset_to_mode_t(conn, permset);
2565                                 continue; /* Don't count the mask as an entry. */
2566                         case SMB_ACL_OTHER:
2567                                 /* Use the Everyone SID */
2568                                 sid = global_sid_World;
2569                                 unix_ug.world = -1;
2570                                 owner_type = WORLD_ACE;
2571                                 break;
2572                         default:
2573                                 DEBUG(0,("canonicalise_acl: Unknown tagtype %u\n", (unsigned int)tagtype));
2574                                 continue;
2575                 }
2576
2577                 /*
2578                  * Add this entry to the list.
2579                  */
2580
2581                 if ((ace = SMB_MALLOC_P(canon_ace)) == NULL)
2582                         goto fail;
2583
2584                 ZERO_STRUCTP(ace);
2585                 ace->type = tagtype;
2586                 ace->perms = convert_permset_to_mode_t(conn, permset);
2587                 ace->attr = ALLOW_ACE;
2588                 ace->trustee = sid;
2589                 ace->unix_ug = unix_ug;
2590                 ace->owner_type = owner_type;
2591                 ace->ace_flags = get_pai_flags(pal, ace, (the_acl_type == SMB_ACL_TYPE_DEFAULT));
2592
2593                 DLIST_ADD(l_head, ace);
2594         }
2595
2596         /*
2597          * This next call will ensure we have at least a user/group/world set.
2598          */
2599
2600         if (!ensure_canon_entry_valid(conn, &l_head, conn->params,
2601                                       S_ISDIR(psbuf->st_ex_mode), powner, pgroup,
2602                                       psbuf, False))
2603                 goto fail;
2604
2605         /*
2606          * Now go through the list, masking the permissions with the
2607          * acl_mask. Ensure all DENY Entries are at the start of the list.
2608          */
2609
2610         DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", the_acl_type == SMB_ACL_TYPE_ACCESS ? "Access" : "Default" ));
2611
2612         for ( ace_count = 0, ace = l_head; ace; ace = next_ace, ace_count++) {
2613                 next_ace = ace->next;
2614
2615                 /* Masks are only applied to entries other than USER_OBJ and OTHER. */
2616                 if (ace->type != SMB_ACL_OTHER && ace->type != SMB_ACL_USER_OBJ)
2617                         ace->perms &= acl_mask;
2618
2619                 if (ace->perms == 0) {
2620                         DLIST_PROMOTE(l_head, ace);
2621                 }
2622
2623                 if( DEBUGLVL( 10 ) ) {
2624                         print_canon_ace(ace, ace_count);
2625                 }
2626         }
2627
2628         arrange_posix_perms(fname,&l_head );
2629
2630         print_canon_ace_list( "canonicalise_acl: ace entries after arrange", l_head );
2631
2632         return l_head;
2633
2634   fail:
2635
2636         free_canon_ace_list(l_head);
2637         return NULL;
2638 }
2639
2640 /****************************************************************************
2641  Check if the current user group list contains a given group.
2642 ****************************************************************************/
2643
2644 static bool current_user_in_group(connection_struct *conn, gid_t gid)
2645 {
2646         int i;
2647         const UNIX_USER_TOKEN *utok = get_current_utok(conn);
2648
2649         for (i = 0; i < utok->ngroups; i++) {
2650                 if (utok->groups[i] == gid) {
2651                         return True;
2652                 }
2653         }
2654
2655         return False;
2656 }
2657
2658 /****************************************************************************
2659  Should we override a deny ? Check 'acl group control' and 'dos filemode'.
2660 ****************************************************************************/
2661
2662 static bool acl_group_override(connection_struct *conn,
2663                                const struct smb_filename *smb_fname)
2664 {
2665         if ((errno != EPERM) && (errno != EACCES)) {
2666                 return false;
2667         }
2668
2669         /* file primary group == user primary or supplementary group */
2670         if (lp_acl_group_control(SNUM(conn)) &&
2671             current_user_in_group(conn, smb_fname->st.st_ex_gid)) {
2672                 return true;
2673         }
2674
2675         /* user has writeable permission */
2676         if (lp_dos_filemode(SNUM(conn)) &&
2677             can_write_to_file(conn, smb_fname)) {
2678                 return true;
2679         }
2680
2681         return false;
2682 }
2683
2684 /****************************************************************************
2685  Attempt to apply an ACL to a file or directory.
2686 ****************************************************************************/
2687
2688 static bool set_canon_ace_list(files_struct *fsp,
2689                                 canon_ace *the_ace,
2690                                 bool default_ace,
2691                                 const SMB_STRUCT_STAT *psbuf,
2692                                 bool *pacl_set_support)
2693 {
2694         connection_struct *conn = fsp->conn;
2695         bool ret = False;
2696         SMB_ACL_T the_acl = SMB_VFS_SYS_ACL_INIT(conn, (int)count_canon_ace_list(the_ace) + 1);
2697         canon_ace *p_ace;
2698         int i;
2699         SMB_ACL_ENTRY_T mask_entry;
2700         bool got_mask_entry = False;
2701         SMB_ACL_PERMSET_T mask_permset;
2702         SMB_ACL_TYPE_T the_acl_type = (default_ace ? SMB_ACL_TYPE_DEFAULT : SMB_ACL_TYPE_ACCESS);
2703         bool needs_mask = False;
2704         mode_t mask_perms = 0;
2705
2706         /* Use the psbuf that was passed in. */
2707         if (psbuf != &fsp->fsp_name->st) {
2708                 fsp->fsp_name->st = *psbuf;
2709         }
2710
2711 #if defined(POSIX_ACL_NEEDS_MASK)
2712         /* HP-UX always wants to have a mask (called "class" there). */
2713         needs_mask = True;
2714 #endif
2715
2716         if (the_acl == NULL) {
2717
2718                 if (!no_acl_syscall_error(errno)) {
2719                         /*
2720                          * Only print this error message if we have some kind of ACL
2721                          * support that's not working. Otherwise we would always get this.
2722                          */
2723                         DEBUG(0,("set_canon_ace_list: Unable to init %s ACL. (%s)\n",
2724                                 default_ace ? "default" : "file", strerror(errno) ));
2725                 }
2726                 *pacl_set_support = False;
2727                 goto fail;
2728         }
2729
2730         if( DEBUGLVL( 10 )) {
2731                 dbgtext("set_canon_ace_list: setting ACL:\n");
2732                 for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2733                         print_canon_ace( p_ace, i);
2734                 }
2735         }
2736
2737         for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2738                 SMB_ACL_ENTRY_T the_entry;
2739                 SMB_ACL_PERMSET_T the_permset;
2740
2741                 /*
2742                  * ACLs only "need" an ACL_MASK entry if there are any named user or
2743                  * named group entries. But if there is an ACL_MASK entry, it applies
2744                  * to ACL_USER, ACL_GROUP, and ACL_GROUP_OBJ entries. Set the mask
2745                  * so that it doesn't deny (i.e., mask off) any permissions.
2746                  */
2747
2748                 if (p_ace->type == SMB_ACL_USER || p_ace->type == SMB_ACL_GROUP) {
2749                         needs_mask = True;
2750                         mask_perms |= p_ace->perms;
2751                 } else if (p_ace->type == SMB_ACL_GROUP_OBJ) {
2752                         mask_perms |= p_ace->perms;
2753                 }
2754
2755                 /*
2756                  * Get the entry for this ACE.
2757                  */
2758
2759                 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &the_entry) == -1) {
2760                         DEBUG(0,("set_canon_ace_list: Failed to create entry %d. (%s)\n",
2761                                 i, strerror(errno) ));
2762                         goto fail;
2763                 }
2764
2765                 if (p_ace->type == SMB_ACL_MASK) {
2766                         mask_entry = the_entry;
2767                         got_mask_entry = True;
2768                 }
2769
2770                 /*
2771                  * Ok - we now know the ACL calls should be working, don't
2772                  * allow fallback to chmod.
2773                  */
2774
2775                 *pacl_set_support = True;
2776
2777                 /*
2778                  * Initialise the entry from the canon_ace.
2779                  */
2780
2781                 /*
2782                  * First tell the entry what type of ACE this is.
2783                  */
2784
2785                 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, the_entry, p_ace->type) == -1) {
2786                         DEBUG(0,("set_canon_ace_list: Failed to set tag type on entry %d. (%s)\n",
2787                                 i, strerror(errno) ));
2788                         goto fail;
2789                 }
2790
2791                 /*
2792                  * Only set the qualifier (user or group id) if the entry is a user
2793                  * or group id ACE.
2794                  */
2795
2796                 if ((p_ace->type == SMB_ACL_USER) || (p_ace->type == SMB_ACL_GROUP)) {
2797                         if (SMB_VFS_SYS_ACL_SET_QUALIFIER(conn, the_entry,(void *)&p_ace->unix_ug.uid) == -1) {
2798                                 DEBUG(0,("set_canon_ace_list: Failed to set qualifier on entry %d. (%s)\n",
2799                                         i, strerror(errno) ));
2800                                 goto fail;
2801                         }
2802                 }
2803
2804                 /*
2805                  * Convert the mode_t perms in the canon_ace to a POSIX permset.
2806                  */
2807
2808                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, the_entry, &the_permset) == -1) {
2809                         DEBUG(0,("set_canon_ace_list: Failed to get permset on entry %d. (%s)\n",
2810                                 i, strerror(errno) ));
2811                         goto fail;
2812                 }
2813
2814                 if (map_acl_perms_to_permset(conn, p_ace->perms, &the_permset) == -1) {
2815                         DEBUG(0,("set_canon_ace_list: Failed to create permset for mode (%u) on entry %d. (%s)\n",
2816                                 (unsigned int)p_ace->perms, i, strerror(errno) ));
2817                         goto fail;
2818                 }
2819
2820                 /*
2821                  * ..and apply them to the entry.
2822                  */
2823
2824                 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, the_entry, the_permset) == -1) {
2825                         DEBUG(0,("set_canon_ace_list: Failed to add permset on entry %d. (%s)\n",
2826                                 i, strerror(errno) ));
2827                         goto fail;
2828                 }
2829
2830                 if( DEBUGLVL( 10 ))
2831                         print_canon_ace( p_ace, i);
2832
2833         }
2834
2835         if (needs_mask && !got_mask_entry) {
2836                 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &mask_entry) == -1) {
2837                         DEBUG(0,("set_canon_ace_list: Failed to create mask entry. (%s)\n", strerror(errno) ));
2838                         goto fail;
2839                 }
2840
2841                 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, mask_entry, SMB_ACL_MASK) == -1) {
2842                         DEBUG(0,("set_canon_ace_list: Failed to set tag type on mask entry. (%s)\n",strerror(errno) ));
2843                         goto fail;
2844                 }
2845
2846                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, mask_entry, &mask_permset) == -1) {
2847                         DEBUG(0,("set_canon_ace_list: Failed to get mask permset. (%s)\n", strerror(errno) ));
2848                         goto fail;
2849                 }
2850
2851                 if (map_acl_perms_to_permset(conn, S_IRUSR|S_IWUSR|S_IXUSR, &mask_permset) == -1) {
2852                         DEBUG(0,("set_canon_ace_list: Failed to create mask permset. (%s)\n", strerror(errno) ));
2853                         goto fail;
2854                 }
2855
2856                 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, mask_entry, mask_permset) == -1) {
2857                         DEBUG(0,("set_canon_ace_list: Failed to add mask permset. (%s)\n", strerror(errno) ));
2858                         goto fail;
2859                 }
2860         }
2861
2862         /*
2863          * Finally apply it to the file or directory.
2864          */
2865
2866         if(default_ace || fsp->is_directory || fsp->fh->fd == -1) {
2867                 if (SMB_VFS_SYS_ACL_SET_FILE(conn, fsp->fsp_name->base_name,
2868                                              the_acl_type, the_acl) == -1) {
2869                         /*
2870                          * Some systems allow all the above calls and only fail with no ACL support
2871                          * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
2872                          */
2873                         if (no_acl_syscall_error(errno)) {
2874                                 *pacl_set_support = False;
2875                         }
2876
2877                         if (acl_group_override(conn, fsp->fsp_name)) {
2878                                 int sret;
2879
2880                                 DEBUG(5,("set_canon_ace_list: acl group "
2881                                          "control on and current user in file "
2882                                          "%s primary group.\n",
2883                                          fsp_str_dbg(fsp)));
2884
2885                                 become_root();
2886                                 sret = SMB_VFS_SYS_ACL_SET_FILE(conn,
2887                                     fsp->fsp_name->base_name, the_acl_type,
2888                                     the_acl);
2889                                 unbecome_root();
2890                                 if (sret == 0) {
2891                                         ret = True;     
2892                                 }
2893                         }
2894
2895                         if (ret == False) {
2896                                 DEBUG(2,("set_canon_ace_list: "
2897                                          "sys_acl_set_file type %s failed for "
2898                                          "file %s (%s).\n",
2899                                          the_acl_type == SMB_ACL_TYPE_DEFAULT ?
2900                                          "directory default" : "file",
2901                                          fsp_str_dbg(fsp), strerror(errno)));
2902                                 goto fail;
2903                         }
2904                 }
2905         } else {
2906                 if (SMB_VFS_SYS_ACL_SET_FD(fsp, the_acl) == -1) {
2907                         /*
2908                          * Some systems allow all the above calls and only fail with no ACL support
2909                          * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
2910                          */
2911                         if (no_acl_syscall_error(errno)) {
2912                                 *pacl_set_support = False;
2913                         }
2914
2915                         if (acl_group_override(conn, fsp->fsp_name)) {
2916                                 int sret;
2917
2918                                 DEBUG(5,("set_canon_ace_list: acl group "
2919                                          "control on and current user in file "
2920                                          "%s primary group.\n",
2921                                          fsp_str_dbg(fsp)));
2922
2923                                 become_root();
2924                                 sret = SMB_VFS_SYS_ACL_SET_FD(fsp, the_acl);
2925                                 unbecome_root();
2926                                 if (sret == 0) {
2927                                         ret = True;
2928                                 }
2929                         }
2930
2931                         if (ret == False) {
2932                                 DEBUG(2,("set_canon_ace_list: "
2933                                          "sys_acl_set_file failed for file %s "
2934                                          "(%s).\n",
2935                                          fsp_str_dbg(fsp), strerror(errno)));
2936                                 goto fail;
2937                         }
2938                 }
2939         }
2940
2941         ret = True;
2942
2943   fail:
2944
2945         if (the_acl != NULL) {
2946                 SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
2947         }
2948
2949         return ret;
2950 }
2951
2952 /****************************************************************************
2953  Find a particular canon_ace entry.
2954 ****************************************************************************/
2955
2956 static struct canon_ace *canon_ace_entry_for(struct canon_ace *list, SMB_ACL_TAG_T type, posix_id *id)
2957 {
2958         while (list) {
2959                 if (list->type == type && ((type != SMB_ACL_USER && type != SMB_ACL_GROUP) ||
2960                                 (type == SMB_ACL_USER  && id && id->uid == list->unix_ug.uid) ||
2961                                 (type == SMB_ACL_GROUP && id && id->gid == list->unix_ug.gid)))
2962                         break;
2963                 list = list->next;
2964         }
2965         return list;
2966 }
2967
2968 /****************************************************************************
2969  
2970 ****************************************************************************/
2971
2972 SMB_ACL_T free_empty_sys_acl(connection_struct *conn, SMB_ACL_T the_acl)
2973 {
2974         SMB_ACL_ENTRY_T entry;
2975
2976         if (!the_acl)
2977                 return NULL;
2978         if (SMB_VFS_SYS_ACL_GET_ENTRY(conn, the_acl, SMB_ACL_FIRST_ENTRY, &entry) != 1) {
2979                 SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
2980                 return NULL;
2981         }
2982         return the_acl;
2983 }
2984
2985 /****************************************************************************
2986  Convert a canon_ace to a generic 3 element permission - if possible.
2987 ****************************************************************************/
2988
2989 #define MAP_PERM(p,mask,result) (((p) & (mask)) ? (result) : 0 )
2990
2991 static bool convert_canon_ace_to_posix_perms( files_struct *fsp, canon_ace *file_ace_list, mode_t *posix_perms)
2992 {
2993         int snum = SNUM(fsp->conn);
2994         size_t ace_count = count_canon_ace_list(file_ace_list);
2995         canon_ace *ace_p;
2996         canon_ace *owner_ace = NULL;
2997         canon_ace *group_ace = NULL;
2998         canon_ace *other_ace = NULL;
2999         mode_t and_bits;
3000         mode_t or_bits;
3001
3002         if (ace_count != 3) {
3003                 DEBUG(3,("convert_canon_ace_to_posix_perms: Too many ACE "
3004                          "entries for file %s to convert to posix perms.\n",
3005                          fsp_str_dbg(fsp)));
3006                 return False;
3007         }
3008
3009         for (ace_p = file_ace_list; ace_p; ace_p = ace_p->next) {
3010                 if (ace_p->owner_type == UID_ACE)
3011                         owner_ace = ace_p;
3012                 else if (ace_p->owner_type == GID_ACE)
3013                         group_ace = ace_p;
3014                 else if (ace_p->owner_type == WORLD_ACE)
3015                         other_ace = ace_p;
3016         }
3017
3018         if (!owner_ace || !group_ace || !other_ace) {
3019                 DEBUG(3,("convert_canon_ace_to_posix_perms: Can't get "
3020                          "standard entries for file %s.\n", fsp_str_dbg(fsp)));
3021                 return False;
3022         }
3023
3024         *posix_perms = (mode_t)0;
3025
3026         *posix_perms |= owner_ace->perms;
3027         *posix_perms |= MAP_PERM(group_ace->perms, S_IRUSR, S_IRGRP);
3028         *posix_perms |= MAP_PERM(group_ace->perms, S_IWUSR, S_IWGRP);
3029         *posix_perms |= MAP_PERM(group_ace->perms, S_IXUSR, S_IXGRP);
3030         *posix_perms |= MAP_PERM(other_ace->perms, S_IRUSR, S_IROTH);
3031         *posix_perms |= MAP_PERM(other_ace->perms, S_IWUSR, S_IWOTH);
3032         *posix_perms |= MAP_PERM(other_ace->perms, S_IXUSR, S_IXOTH);
3033
3034         /* The owner must have at least read access. */
3035
3036         *posix_perms |= S_IRUSR;
3037         if (fsp->is_directory)
3038                 *posix_perms |= (S_IWUSR|S_IXUSR);
3039
3040         /* If requested apply the masks. */
3041
3042         /* Get the initial bits to apply. */
3043
3044         if (fsp->is_directory) {
3045                 and_bits = lp_dir_security_mask(snum);
3046                 or_bits = lp_force_dir_security_mode(snum);
3047         } else {
3048                 and_bits = lp_security_mask(snum);
3049                 or_bits = lp_force_security_mode(snum);
3050         }
3051
3052         *posix_perms = (((*posix_perms) & and_bits)|or_bits);
3053
3054         DEBUG(10,("convert_canon_ace_to_posix_perms: converted u=%o,g=%o,w=%o "
3055                   "to perm=0%o for file %s.\n", (int)owner_ace->perms,
3056                   (int)group_ace->perms, (int)other_ace->perms,
3057                   (int)*posix_perms, fsp_str_dbg(fsp)));
3058
3059         return True;
3060 }
3061
3062 /****************************************************************************
3063   Incoming NT ACLs on a directory can be split into a default POSIX acl (CI|OI|IO) and
3064   a normal POSIX acl. Win2k needs these split acls re-merging into one ACL
3065   with CI|OI set so it is inherited and also applies to the directory.
3066   Based on code from "Jim McDonough" <jmcd@us.ibm.com>.
3067 ****************************************************************************/
3068