2 Unix SMB/CIFS implementation.
4 POSIX NTVFS backend - ACL support
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "auth/auth.h"
24 #include "vfs_posix.h"
25 #include "librpc/gen_ndr/xattr.h"
26 #include "libcli/security/security.h"
27 #include "param/param.h"
30 /* the list of currently registered ACL backends */
31 static struct pvfs_acl_backend {
32 const struct pvfs_acl_ops *ops;
34 static int num_backends;
37 register a pvfs acl backend.
39 The 'name' can be later used by other backends to find the operations
40 structure for this backend.
42 NTSTATUS pvfs_acl_register(const struct pvfs_acl_ops *ops)
44 struct pvfs_acl_ops *new_ops;
46 if (pvfs_acl_backend_byname(ops->name) != NULL) {
47 DEBUG(0,("pvfs acl backend '%s' already registered\n", ops->name));
48 return NT_STATUS_OBJECT_NAME_COLLISION;
51 backends = talloc_realloc(talloc_autofree_context(), backends, struct pvfs_acl_backend, num_backends+1);
52 NT_STATUS_HAVE_NO_MEMORY(backends);
54 new_ops = talloc_memdup(backends, ops, sizeof(*ops));
55 new_ops->name = talloc_strdup(new_ops, ops->name);
57 backends[num_backends].ops = new_ops;
61 DEBUG(3,("NTVFS backend '%s' registered\n", ops->name));
68 return the operations structure for a named backend
70 const struct pvfs_acl_ops *pvfs_acl_backend_byname(const char *name)
74 for (i=0;i<num_backends;i++) {
75 if (strcmp(backends[i].ops->name, name) == 0) {
76 return backends[i].ops;
83 NTSTATUS pvfs_acl_init(struct loadparm_context *lp_ctx)
85 static bool initialized = false;
86 extern NTSTATUS pvfs_acl_nfs4_init(void);
87 extern NTSTATUS pvfs_acl_xattr_init(void);
88 init_module_fn static_init[] = { STATIC_pvfs_acl_MODULES };
89 init_module_fn *shared_init;
91 if (initialized) return NT_STATUS_OK;
94 shared_init = load_samba_modules(NULL, lp_ctx, "pvfs_acl");
96 run_init_functions(static_init);
97 run_init_functions(shared_init);
99 talloc_free(shared_init);
106 map a single access_mask from generic to specific bits for files/dirs
108 static uint32_t pvfs_translate_mask(uint32_t access_mask)
110 if (access_mask & SEC_MASK_GENERIC) {
111 if (access_mask & SEC_GENERIC_READ) access_mask |= SEC_RIGHTS_FILE_READ;
112 if (access_mask & SEC_GENERIC_WRITE) access_mask |= SEC_RIGHTS_FILE_WRITE;
113 if (access_mask & SEC_GENERIC_EXECUTE) access_mask |= SEC_RIGHTS_FILE_EXECUTE;
114 if (access_mask & SEC_GENERIC_ALL) access_mask |= SEC_RIGHTS_FILE_ALL;
115 access_mask &= ~SEC_MASK_GENERIC;
122 map any generic access bits in the given acl
123 this relies on the fact that the mappings for files and directories
126 static void pvfs_translate_generic_bits(struct security_acl *acl)
132 for (i=0;i<acl->num_aces;i++) {
133 struct security_ace *ace = &acl->aces[i];
134 ace->access_mask = pvfs_translate_mask(ace->access_mask);
140 setup a default ACL for a file
142 static NTSTATUS pvfs_default_acl(struct pvfs_state *pvfs,
143 struct ntvfs_request *req,
144 struct pvfs_filename *name, int fd,
145 struct security_descriptor **psd)
147 struct security_descriptor *sd;
149 struct security_ace ace;
151 struct id_mapping *ids;
152 struct composite_context *ctx;
154 *psd = security_descriptor_initialise(req);
156 return NT_STATUS_NO_MEMORY;
160 ids = talloc_zero_array(sd, struct id_mapping, 2);
161 NT_STATUS_HAVE_NO_MEMORY(ids);
163 ids[0].unixid = talloc(ids, struct unixid);
164 NT_STATUS_HAVE_NO_MEMORY(ids[0].unixid);
166 ids[0].unixid->id = name->st.st_uid;
167 ids[0].unixid->type = ID_TYPE_UID;
170 ids[1].unixid = talloc(ids, struct unixid);
171 NT_STATUS_HAVE_NO_MEMORY(ids[1].unixid);
173 ids[1].unixid->id = name->st.st_gid;
174 ids[1].unixid->type = ID_TYPE_GID;
177 ctx = wbc_xids_to_sids_send(pvfs->wbc_ctx, ids, 2, ids);
178 NT_STATUS_HAVE_NO_MEMORY(ctx);
180 status = wbc_xids_to_sids_recv(ctx, &ids);
181 NT_STATUS_NOT_OK_RETURN(status);
183 sd->owner_sid = talloc_steal(sd, ids[0].sid);
184 sd->group_sid = talloc_steal(sd, ids[1].sid);
187 sd->type |= SEC_DESC_DACL_PRESENT;
189 mode = name->st.st_mode;
192 we provide up to 4 ACEs
200 /* setup owner ACE */
201 ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
203 ace.trustee = *sd->owner_sid;
206 if (mode & S_IRUSR) {
207 if (mode & S_IWUSR) {
208 ace.access_mask |= SEC_RIGHTS_FILE_ALL;
210 ace.access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
213 if (mode & S_IWUSR) {
214 ace.access_mask |= SEC_RIGHTS_FILE_WRITE | SEC_STD_DELETE;
216 if (ace.access_mask) {
217 security_descriptor_dacl_add(sd, &ace);
221 /* setup group ACE */
222 ace.trustee = *sd->group_sid;
224 if (mode & S_IRGRP) {
225 ace.access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
227 if (mode & S_IWGRP) {
228 /* note that delete is not granted - this matches posix behaviour */
229 ace.access_mask |= SEC_RIGHTS_FILE_WRITE;
231 if (ace.access_mask) {
232 security_descriptor_dacl_add(sd, &ace);
235 /* setup other ACE */
236 ace.trustee = *dom_sid_parse_talloc(req, SID_WORLD);
238 if (mode & S_IROTH) {
239 ace.access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
241 if (mode & S_IWOTH) {
242 ace.access_mask |= SEC_RIGHTS_FILE_WRITE;
244 if (ace.access_mask) {
245 security_descriptor_dacl_add(sd, &ace);
248 /* setup system ACE */
249 ace.trustee = *dom_sid_parse_talloc(req, SID_NT_SYSTEM);
250 ace.access_mask = SEC_RIGHTS_FILE_ALL;
251 security_descriptor_dacl_add(sd, &ace);
258 omit any security_descriptor elements not specified in the given
261 static void normalise_sd_flags(struct security_descriptor *sd, uint32_t secinfo_flags)
263 if (!(secinfo_flags & SECINFO_OWNER)) {
264 sd->owner_sid = NULL;
266 if (!(secinfo_flags & SECINFO_GROUP)) {
267 sd->group_sid = NULL;
269 if (!(secinfo_flags & SECINFO_DACL)) {
272 if (!(secinfo_flags & SECINFO_SACL)) {
278 answer a setfileinfo for an ACL
280 NTSTATUS pvfs_acl_set(struct pvfs_state *pvfs,
281 struct ntvfs_request *req,
282 struct pvfs_filename *name, int fd,
283 uint32_t access_mask,
284 union smb_setfileinfo *info)
286 uint32_t secinfo_flags = info->set_secdesc.in.secinfo_flags;
287 struct security_descriptor *new_sd, *sd, orig_sd;
288 NTSTATUS status = NT_STATUS_NOT_FOUND;
293 struct id_mapping *ids;
294 struct composite_context *ctx;
296 if (pvfs->acl_ops != NULL) {
297 status = pvfs->acl_ops->acl_load(pvfs, name, fd, req, &sd);
299 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
300 status = pvfs_default_acl(pvfs, req, name, fd, &sd);
302 if (!NT_STATUS_IS_OK(status)) {
306 ids = talloc(req, struct id_mapping);
307 NT_STATUS_HAVE_NO_MEMORY(ids);
310 ids->status = NT_STATUS_NONE_MAPPED;
312 new_sd = info->set_secdesc.in.sd;
315 old_uid = name->st.st_uid;
316 old_gid = name->st.st_gid;
318 /* only set the elements that have been specified */
319 if (secinfo_flags & SECINFO_OWNER) {
320 if (!(access_mask & SEC_STD_WRITE_OWNER)) {
321 return NT_STATUS_ACCESS_DENIED;
323 if (!dom_sid_equal(sd->owner_sid, new_sd->owner_sid)) {
324 ids->sid = new_sd->owner_sid;
325 ctx = wbc_sids_to_xids_send(pvfs->wbc_ctx, ids, 1, ids);
326 NT_STATUS_HAVE_NO_MEMORY(ctx);
327 status = wbc_sids_to_xids_recv(ctx, &ids);
328 NT_STATUS_NOT_OK_RETURN(status);
330 if (ids->unixid->type == ID_TYPE_BOTH ||
331 ids->unixid->type == ID_TYPE_UID) {
332 new_uid = ids->unixid->id;
335 sd->owner_sid = new_sd->owner_sid;
337 if (secinfo_flags & SECINFO_GROUP) {
338 if (!(access_mask & SEC_STD_WRITE_OWNER)) {
339 return NT_STATUS_ACCESS_DENIED;
341 if (!dom_sid_equal(sd->group_sid, new_sd->group_sid)) {
342 ids->sid = new_sd->group_sid;
343 ctx = wbc_sids_to_xids_send(pvfs->wbc_ctx, ids, 1, ids);
344 NT_STATUS_HAVE_NO_MEMORY(ctx);
345 status = wbc_sids_to_xids_recv(ctx, &ids);
346 NT_STATUS_NOT_OK_RETURN(status);
348 if (ids->unixid->type == ID_TYPE_BOTH ||
349 ids->unixid->type == ID_TYPE_GID) {
350 new_gid = ids->unixid->id;
354 sd->group_sid = new_sd->group_sid;
356 if (secinfo_flags & SECINFO_DACL) {
357 if (!(access_mask & SEC_STD_WRITE_DAC)) {
358 return NT_STATUS_ACCESS_DENIED;
360 sd->dacl = new_sd->dacl;
361 pvfs_translate_generic_bits(sd->dacl);
363 if (secinfo_flags & SECINFO_SACL) {
364 if (!(access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
365 return NT_STATUS_ACCESS_DENIED;
367 sd->sacl = new_sd->sacl;
368 pvfs_translate_generic_bits(sd->sacl);
371 if (new_uid == old_uid) {
375 if (new_gid == old_gid) {
379 /* if there's something to change try it */
380 if (new_uid != -1 || new_gid != -1) {
383 ret = chown(name->full_name, new_uid, new_gid);
385 ret = fchown(fd, new_uid, new_gid);
388 return pvfs_map_errno(pvfs, errno);
392 /* we avoid saving if the sd is the same. This means when clients
393 copy files and end up copying the default sd that we don't
394 needlessly use xattrs */
395 if (!security_descriptor_equal(sd, &orig_sd) && pvfs->acl_ops) {
396 status = pvfs->acl_ops->acl_save(pvfs, name, fd, sd);
404 answer a fileinfo query for the ACL
406 NTSTATUS pvfs_acl_query(struct pvfs_state *pvfs,
407 struct ntvfs_request *req,
408 struct pvfs_filename *name, int fd,
409 union smb_fileinfo *info)
411 NTSTATUS status = NT_STATUS_NOT_FOUND;
412 struct security_descriptor *sd;
415 status = pvfs->acl_ops->acl_load(pvfs, name, fd, req, &sd);
417 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
418 status = pvfs_default_acl(pvfs, req, name, fd, &sd);
420 if (!NT_STATUS_IS_OK(status)) {
424 normalise_sd_flags(sd, info->query_secdesc.in.secinfo_flags);
426 info->query_secdesc.out.sd = sd;
433 check the read only bit against any of the write access bits
435 static bool pvfs_read_only(struct pvfs_state *pvfs, uint32_t access_mask)
437 if ((pvfs->flags & PVFS_FLAG_READONLY) &&
438 (access_mask & (SEC_FILE_WRITE_DATA |
439 SEC_FILE_APPEND_DATA |
441 SEC_FILE_WRITE_ATTRIBUTE |
444 SEC_STD_WRITE_OWNER |
445 SEC_DIR_DELETE_CHILD))) {
452 default access check function based on unix permissions
453 doing this saves on building a full security descriptor
454 for the common case of access check on files with no
457 NTSTATUS pvfs_access_check_unix(struct pvfs_state *pvfs,
458 struct ntvfs_request *req,
459 struct pvfs_filename *name,
460 uint32_t *access_mask)
462 uid_t uid = geteuid();
463 uint32_t max_bits = SEC_RIGHTS_FILE_READ | SEC_FILE_ALL;
465 if (pvfs_read_only(pvfs, *access_mask)) {
466 return NT_STATUS_ACCESS_DENIED;
469 /* owner and root get extra permissions */
471 max_bits |= SEC_STD_ALL | SEC_FLAG_SYSTEM_SECURITY;
472 } else if (uid == name->st.st_uid) {
473 max_bits |= SEC_STD_ALL;
476 if (*access_mask == SEC_FLAG_MAXIMUM_ALLOWED) {
477 *access_mask = max_bits;
481 if (uid != 0 && (*access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
482 return NT_STATUS_ACCESS_DENIED;
485 if (*access_mask & ~max_bits) {
486 return NT_STATUS_ACCESS_DENIED;
489 if (pvfs->ntvfs->ctx->protocol != PROTOCOL_SMB2) {
490 /* on SMB, this bit is always granted, even if not
492 *access_mask |= SEC_FILE_READ_ATTRIBUTE;
500 check the security descriptor on a file, if any
502 *access_mask is modified with the access actually granted
504 NTSTATUS pvfs_access_check(struct pvfs_state *pvfs,
505 struct ntvfs_request *req,
506 struct pvfs_filename *name,
507 uint32_t *access_mask)
509 struct security_token *token = req->session_info->security_token;
510 struct xattr_NTACL *acl;
512 struct security_descriptor *sd;
514 if (*access_mask == 0) {
515 return NT_STATUS_ACCESS_DENIED;
518 if (pvfs_read_only(pvfs, *access_mask)) {
519 return NT_STATUS_ACCESS_DENIED;
522 acl = talloc(req, struct xattr_NTACL);
524 return NT_STATUS_NO_MEMORY;
527 /* expand the generic access bits to file specific bits */
528 *access_mask = pvfs_translate_mask(*access_mask);
529 if (pvfs->ntvfs->ctx->protocol != PROTOCOL_SMB2) {
530 *access_mask &= ~SEC_FILE_READ_ATTRIBUTE;
533 status = pvfs_acl_load(pvfs, name, -1, acl);
534 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
536 return pvfs_access_check_unix(pvfs, req, name, access_mask);
538 if (!NT_STATUS_IS_OK(status)) {
542 switch (acl->version) {
547 return NT_STATUS_INVALID_ACL;
550 /* check the acl against the required access mask */
551 status = sec_access_check(sd, token, *access_mask, access_mask);
553 if (pvfs->ntvfs->ctx->protocol != PROTOCOL_SMB2) {
554 /* on SMB, this bit is always granted, even if not
556 *access_mask |= SEC_FILE_READ_ATTRIBUTE;
566 a simplified interface to access check, designed for calls that
567 do not take or return an access check mask
569 NTSTATUS pvfs_access_check_simple(struct pvfs_state *pvfs,
570 struct ntvfs_request *req,
571 struct pvfs_filename *name,
572 uint32_t access_needed)
574 if (access_needed == 0) {
577 return pvfs_access_check(pvfs, req, name, &access_needed);
581 access check for creating a new file/directory
583 NTSTATUS pvfs_access_check_create(struct pvfs_state *pvfs,
584 struct ntvfs_request *req,
585 struct pvfs_filename *name,
586 uint32_t *access_mask)
588 struct pvfs_filename *parent;
591 status = pvfs_resolve_parent(pvfs, req, name, &parent);
592 if (!NT_STATUS_IS_OK(status)) {
596 status = pvfs_access_check(pvfs, req, parent, access_mask);
597 if (!NT_STATUS_IS_OK(status)) {
601 if (! ((*access_mask) & SEC_DIR_ADD_FILE)) {
602 return pvfs_access_check_simple(pvfs, req, parent, SEC_DIR_ADD_FILE);
609 access check for creating a new file/directory - no access mask supplied
611 NTSTATUS pvfs_access_check_parent(struct pvfs_state *pvfs,
612 struct ntvfs_request *req,
613 struct pvfs_filename *name,
614 uint32_t access_mask)
616 struct pvfs_filename *parent;
619 status = pvfs_resolve_parent(pvfs, req, name, &parent);
620 if (!NT_STATUS_IS_OK(status)) {
624 return pvfs_access_check_simple(pvfs, req, parent, access_mask);
629 determine if an ACE is inheritable
631 static bool pvfs_inheritable_ace(struct pvfs_state *pvfs,
632 const struct security_ace *ace,
636 return (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT) != 0;
639 if (ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) {
643 if ((ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT) &&
644 !(ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT)) {
652 this is the core of ACL inheritance. It copies any inheritable
653 aces from the parent SD to the child SD. Note that the algorithm
654 depends on whether the child is a container or not
656 static NTSTATUS pvfs_acl_inherit_aces(struct pvfs_state *pvfs,
657 struct security_descriptor *parent_sd,
658 struct security_descriptor *sd,
663 for (i=0;i<parent_sd->dacl->num_aces;i++) {
664 struct security_ace ace = parent_sd->dacl->aces[i];
666 const struct dom_sid *creator = NULL, *new_id = NULL;
669 if (!pvfs_inheritable_ace(pvfs, &ace, container)) {
673 orig_flags = ace.flags;
675 /* see the RAW-ACLS inheritance test for details on these rules */
679 ace.flags &= ~SEC_ACE_FLAG_INHERIT_ONLY;
681 if (!(ace.flags & SEC_ACE_FLAG_CONTAINER_INHERIT)) {
682 ace.flags |= SEC_ACE_FLAG_INHERIT_ONLY;
684 if (ace.flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
689 /* the CREATOR sids are special when inherited */
690 if (dom_sid_equal(&ace.trustee, pvfs->sid_cache.creator_owner)) {
691 creator = pvfs->sid_cache.creator_owner;
692 new_id = sd->owner_sid;
693 } else if (dom_sid_equal(&ace.trustee, pvfs->sid_cache.creator_group)) {
694 creator = pvfs->sid_cache.creator_group;
695 new_id = sd->group_sid;
697 new_id = &ace.trustee;
700 if (creator && container &&
701 (ace.flags & SEC_ACE_FLAG_CONTAINER_INHERIT)) {
702 uint32_t flags = ace.flags;
704 ace.trustee = *new_id;
706 status = security_descriptor_dacl_add(sd, &ace);
707 if (!NT_STATUS_IS_OK(status)) {
711 ace.trustee = *creator;
712 ace.flags = flags | SEC_ACE_FLAG_INHERIT_ONLY;
713 status = security_descriptor_dacl_add(sd, &ace);
714 } else if (container &&
715 !(orig_flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT)) {
716 status = security_descriptor_dacl_add(sd, &ace);
718 ace.trustee = *new_id;
719 status = security_descriptor_dacl_add(sd, &ace);
722 if (!NT_STATUS_IS_OK(status)) {
733 setup an ACL on a new file/directory based on the inherited ACL from
734 the parent. If there is no inherited ACL then we don't set anything,
735 as the default ACL applies anyway
737 NTSTATUS pvfs_acl_inherit(struct pvfs_state *pvfs,
738 struct ntvfs_request *req,
739 struct pvfs_filename *name,
742 struct xattr_NTACL *acl;
744 struct pvfs_filename *parent;
745 struct security_descriptor *parent_sd, *sd;
747 struct id_mapping *ids;
748 struct composite_context *ctx;
750 /* form the parents path */
751 status = pvfs_resolve_parent(pvfs, req, name, &parent);
752 if (!NT_STATUS_IS_OK(status)) {
756 acl = talloc(req, struct xattr_NTACL);
758 return NT_STATUS_NO_MEMORY;
761 status = pvfs_acl_load(pvfs, parent, -1, acl);
762 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
765 if (!NT_STATUS_IS_OK(status)) {
769 switch (acl->version) {
771 parent_sd = acl->info.sd;
774 return NT_STATUS_INVALID_ACL;
777 if (parent_sd == NULL ||
778 parent_sd->dacl == NULL ||
779 parent_sd->dacl->num_aces == 0) {
780 /* go with the default ACL */
784 /* create the new sd */
785 sd = security_descriptor_initialise(req);
787 return NT_STATUS_NO_MEMORY;
790 ids = talloc_array(sd, struct id_mapping, 2);
791 NT_STATUS_HAVE_NO_MEMORY(ids);
793 ids[0].unixid = talloc(ids, struct unixid);
794 NT_STATUS_HAVE_NO_MEMORY(ids[0].unixid);
795 ids[0].unixid->id = name->st.st_uid;
796 ids[0].unixid->type = ID_TYPE_UID;
798 ids[0].status = NT_STATUS_NONE_MAPPED;
800 ids[1].unixid = talloc(ids, struct unixid);
801 NT_STATUS_HAVE_NO_MEMORY(ids[1].unixid);
802 ids[1].unixid->id = name->st.st_gid;
803 ids[1].unixid->type = ID_TYPE_GID;
805 ids[1].status = NT_STATUS_NONE_MAPPED;
807 ctx = wbc_xids_to_sids_send(pvfs->wbc_ctx, ids, 2, ids);
808 NT_STATUS_HAVE_NO_MEMORY(ctx);
810 status = wbc_xids_to_sids_recv(ctx, &ids);
811 NT_STATUS_NOT_OK_RETURN(status);
813 sd->owner_sid = talloc_steal(sd, ids[0].sid);
814 sd->group_sid = talloc_steal(sd, ids[1].sid);
816 sd->type |= SEC_DESC_DACL_PRESENT;
818 container = (name->dos.attrib & FILE_ATTRIBUTE_DIRECTORY) ? true:false;
820 /* fill in the aces from the parent */
821 status = pvfs_acl_inherit_aces(pvfs, parent_sd, sd, container);
822 if (!NT_STATUS_IS_OK(status)) {
826 /* if there is nothing to inherit then we fallback to the
828 if (sd->dacl == NULL || sd->dacl->num_aces == 0) {
834 status = pvfs_acl_save(pvfs, name, fd, acl);
840 return the maximum allowed access mask
842 NTSTATUS pvfs_access_maximal_allowed(struct pvfs_state *pvfs,
843 struct ntvfs_request *req,
844 struct pvfs_filename *name,
845 uint32_t *maximal_access)
847 *maximal_access = SEC_FLAG_MAXIMUM_ALLOWED;
848 return pvfs_access_check(pvfs, req, name, maximal_access);
git.samba.org / kai / samba.git / blob