2 Unix SMB/CIFS implementation.
3 SMB NT Security Descriptor / Unix permission conversion.
4 Copyright (C) Jeremy Allison 1994-2009.
5 Copyright (C) Andreas Gruenbacher 2002.
6 Copyright (C) Simo Sorce <idra@samba.org> 2009.
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "system/filesys.h"
24 #include "../libcli/security/security.h"
27 extern const struct generic_mapping file_generic_mapping;
30 #define DBGC_CLASS DBGC_ACLS
32 /****************************************************************************
33 Data structures representing the internal ACE format.
34 ****************************************************************************/
36 enum ace_owner {UID_ACE, GID_ACE, WORLD_ACE};
37 enum ace_attribute {ALLOW_ACE, DENY_ACE}; /* Used for incoming NT ACLS. */
39 typedef union posix_id {
45 typedef struct canon_ace {
46 struct canon_ace *next, *prev;
48 mode_t perms; /* Only use S_I(R|W|X)USR mode bits here. */
49 struct dom_sid trustee;
50 enum ace_owner owner_type;
51 enum ace_attribute attr;
53 uint8_t ace_flags; /* From windows ACE entry. */
56 #define ALL_ACE_PERMS (S_IRUSR|S_IWUSR|S_IXUSR)
59 * EA format of user.SAMBA_PAI (Samba_Posix_Acl_Interitance)
60 * attribute on disk - version 1.
61 * All values are little endian.
63 * | 1 | 1 | 2 | 2 | ....
64 * +------+------+-------------+---------------------+-------------+--------------------+
65 * | vers | flag | num_entries | num_default_entries | ..entries.. | default_entries... |
66 * +------+------+-------------+---------------------+-------------+--------------------+
71 * +------+-------------------+
72 * | value| uid/gid or world |
74 * +------+-------------------+
76 * Version 2 format. Stores extra Windows metadata about an ACL.
78 * | 1 | 2 | 2 | 2 | ....
79 * +------+----------+-------------+---------------------+-------------+--------------------+
80 * | vers | ace | num_entries | num_default_entries | ..entries.. | default_entries... |
81 * | 2 | type | | | | |
82 * +------+----------+-------------+---------------------+-------------+--------------------+
87 * +------+------+-------------------+
88 * | ace | value| uid/gid or world |
89 * | flag | type | value |
90 * +------+-------------------+------+
94 #define PAI_VERSION_OFFSET 0
96 #define PAI_V1_FLAG_OFFSET 1
97 #define PAI_V1_NUM_ENTRIES_OFFSET 2
98 #define PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET 4
99 #define PAI_V1_ENTRIES_BASE 6
100 #define PAI_V1_ACL_FLAG_PROTECTED 0x1
101 #define PAI_V1_ENTRY_LENGTH 5
103 #define PAI_V1_VERSION 1
105 #define PAI_V2_TYPE_OFFSET 1
106 #define PAI_V2_NUM_ENTRIES_OFFSET 3
107 #define PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET 5
108 #define PAI_V2_ENTRIES_BASE 7
109 #define PAI_V2_ENTRY_LENGTH 6
111 #define PAI_V2_VERSION 2
114 * In memory format of user.SAMBA_PAI attribute.
118 struct pai_entry *next, *prev;
120 enum ace_owner owner_type;
126 unsigned int num_entries;
127 struct pai_entry *entry_list;
128 unsigned int num_def_entries;
129 struct pai_entry *def_entry_list;
132 /************************************************************************
133 Return a uint32 of the pai_entry principal.
134 ************************************************************************/
136 static uint32_t get_pai_entry_val(struct pai_entry *paie)
138 switch (paie->owner_type) {
140 DEBUG(10,("get_pai_entry_val: uid = %u\n", (unsigned int)paie->unix_ug.uid ));
141 return (uint32_t)paie->unix_ug.uid;
143 DEBUG(10,("get_pai_entry_val: gid = %u\n", (unsigned int)paie->unix_ug.gid ));
144 return (uint32_t)paie->unix_ug.gid;
147 DEBUG(10,("get_pai_entry_val: world ace\n"));
152 /************************************************************************
153 Return a uint32 of the entry principal.
154 ************************************************************************/
156 static uint32_t get_entry_val(canon_ace *ace_entry)
158 switch (ace_entry->owner_type) {
160 DEBUG(10,("get_entry_val: uid = %u\n", (unsigned int)ace_entry->unix_ug.uid ));
161 return (uint32_t)ace_entry->unix_ug.uid;
163 DEBUG(10,("get_entry_val: gid = %u\n", (unsigned int)ace_entry->unix_ug.gid ));
164 return (uint32_t)ace_entry->unix_ug.gid;
167 DEBUG(10,("get_entry_val: world ace\n"));
172 /************************************************************************
173 Create the on-disk format (always v2 now). Caller must free.
174 ************************************************************************/
176 static char *create_pai_buf_v2(canon_ace *file_ace_list,
177 canon_ace *dir_ace_list,
181 char *pai_buf = NULL;
182 canon_ace *ace_list = NULL;
183 char *entry_offset = NULL;
184 unsigned int num_entries = 0;
185 unsigned int num_def_entries = 0;
188 for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next) {
192 for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next) {
196 DEBUG(10,("create_pai_buf_v2: num_entries = %u, num_def_entries = %u\n", num_entries, num_def_entries ));
198 *store_size = PAI_V2_ENTRIES_BASE +
199 ((num_entries + num_def_entries)*PAI_V2_ENTRY_LENGTH);
201 pai_buf = (char *)SMB_MALLOC(*store_size);
206 /* Set up the header. */
207 memset(pai_buf, '\0', PAI_V2_ENTRIES_BASE);
208 SCVAL(pai_buf,PAI_VERSION_OFFSET,PAI_V2_VERSION);
209 SSVAL(pai_buf,PAI_V2_TYPE_OFFSET, sd_type);
210 SSVAL(pai_buf,PAI_V2_NUM_ENTRIES_OFFSET,num_entries);
211 SSVAL(pai_buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET,num_def_entries);
213 DEBUG(10,("create_pai_buf_v2: sd_type = 0x%x\n",
214 (unsigned int)sd_type ));
216 entry_offset = pai_buf + PAI_V2_ENTRIES_BASE;
219 for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next) {
220 uint8_t type_val = (uint8_t)ace_list->owner_type;
221 uint32_t entry_val = get_entry_val(ace_list);
223 SCVAL(entry_offset,0,ace_list->ace_flags);
224 SCVAL(entry_offset,1,type_val);
225 SIVAL(entry_offset,2,entry_val);
226 DEBUG(10,("create_pai_buf_v2: entry %u [0x%x] [0x%x] [0x%x]\n",
228 (unsigned int)ace_list->ace_flags,
229 (unsigned int)type_val,
230 (unsigned int)entry_val ));
232 entry_offset += PAI_V2_ENTRY_LENGTH;
235 for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next) {
236 uint8_t type_val = (uint8_t)ace_list->owner_type;
237 uint32_t entry_val = get_entry_val(ace_list);
239 SCVAL(entry_offset,0,ace_list->ace_flags);
240 SCVAL(entry_offset,1,type_val);
241 SIVAL(entry_offset,2,entry_val);
242 DEBUG(10,("create_pai_buf_v2: entry %u [0x%x] [0x%x] [0x%x]\n",
244 (unsigned int)ace_list->ace_flags,
245 (unsigned int)type_val,
246 (unsigned int)entry_val ));
248 entry_offset += PAI_V2_ENTRY_LENGTH;
254 /************************************************************************
255 Store the user.SAMBA_PAI attribute on disk.
256 ************************************************************************/
258 static void store_inheritance_attributes(files_struct *fsp,
259 canon_ace *file_ace_list,
260 canon_ace *dir_ace_list,
267 if (!lp_map_acl_inherit(SNUM(fsp->conn))) {
271 pai_buf = create_pai_buf_v2(file_ace_list, dir_ace_list,
272 sd_type, &store_size);
274 if (fsp->fh->fd != -1) {
275 ret = SMB_VFS_FSETXATTR(fsp, SAMBA_POSIX_INHERITANCE_EA_NAME,
276 pai_buf, store_size, 0);
278 ret = SMB_VFS_SETXATTR(fsp->conn, fsp->fsp_name->base_name,
279 SAMBA_POSIX_INHERITANCE_EA_NAME,
280 pai_buf, store_size, 0);
285 DEBUG(10,("store_inheritance_attribute: type 0x%x for file %s\n",
286 (unsigned int)sd_type,
289 if (ret == -1 && !no_acl_syscall_error(errno)) {
290 DEBUG(1,("store_inheritance_attribute: Error %s\n", strerror(errno) ));
294 /************************************************************************
295 Delete the in memory inheritance info.
296 ************************************************************************/
298 static void free_inherited_info(struct pai_val *pal)
301 struct pai_entry *paie, *paie_next;
302 for (paie = pal->entry_list; paie; paie = paie_next) {
303 paie_next = paie->next;
306 for (paie = pal->def_entry_list; paie; paie = paie_next) {
307 paie_next = paie->next;
314 /************************************************************************
315 Get any stored ACE flags.
316 ************************************************************************/
318 static uint16_t get_pai_flags(struct pai_val *pal, canon_ace *ace_entry, bool default_ace)
320 struct pai_entry *paie;
326 /* If the entry exists it is inherited. */
327 for (paie = (default_ace ? pal->def_entry_list : pal->entry_list); paie; paie = paie->next) {
328 if (ace_entry->owner_type == paie->owner_type &&
329 get_entry_val(ace_entry) == get_pai_entry_val(paie))
330 return paie->ace_flags;
335 /************************************************************************
336 Ensure an attribute just read is valid - v1.
337 ************************************************************************/
339 static bool check_pai_ok_v1(const char *pai_buf, size_t pai_buf_data_size)
342 uint16 num_def_entries;
344 if (pai_buf_data_size < PAI_V1_ENTRIES_BASE) {
345 /* Corrupted - too small. */
349 if (CVAL(pai_buf,PAI_VERSION_OFFSET) != PAI_V1_VERSION) {
353 num_entries = SVAL(pai_buf,PAI_V1_NUM_ENTRIES_OFFSET);
354 num_def_entries = SVAL(pai_buf,PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET);
356 /* Check the entry lists match. */
357 /* Each entry is 5 bytes (type plus 4 bytes of uid or gid). */
359 if (((num_entries + num_def_entries)*PAI_V1_ENTRY_LENGTH) +
360 PAI_V1_ENTRIES_BASE != pai_buf_data_size) {
367 /************************************************************************
368 Ensure an attribute just read is valid - v2.
369 ************************************************************************/
371 static bool check_pai_ok_v2(const char *pai_buf, size_t pai_buf_data_size)
374 uint16 num_def_entries;
376 if (pai_buf_data_size < PAI_V2_ENTRIES_BASE) {
377 /* Corrupted - too small. */
381 if (CVAL(pai_buf,PAI_VERSION_OFFSET) != PAI_V2_VERSION) {
385 num_entries = SVAL(pai_buf,PAI_V2_NUM_ENTRIES_OFFSET);
386 num_def_entries = SVAL(pai_buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET);
388 /* Check the entry lists match. */
389 /* Each entry is 6 bytes (flags + type + 4 bytes of uid or gid). */
391 if (((num_entries + num_def_entries)*PAI_V2_ENTRY_LENGTH) +
392 PAI_V2_ENTRIES_BASE != pai_buf_data_size) {
399 /************************************************************************
401 ************************************************************************/
403 static bool get_pai_owner_type(struct pai_entry *paie, const char *entry_offset)
405 paie->owner_type = (enum ace_owner)CVAL(entry_offset,0);
406 switch( paie->owner_type) {
408 paie->unix_ug.uid = (uid_t)IVAL(entry_offset,1);
409 DEBUG(10,("get_pai_owner_type: uid = %u\n",
410 (unsigned int)paie->unix_ug.uid ));
413 paie->unix_ug.gid = (gid_t)IVAL(entry_offset,1);
414 DEBUG(10,("get_pai_owner_type: gid = %u\n",
415 (unsigned int)paie->unix_ug.gid ));
418 paie->unix_ug.world = -1;
419 DEBUG(10,("get_pai_owner_type: world ace\n"));
422 DEBUG(10,("get_pai_owner_type: unknown type %u\n",
423 (unsigned int)paie->owner_type ));
429 /************************************************************************
431 ************************************************************************/
433 static const char *create_pai_v1_entries(struct pai_val *paiv,
434 const char *entry_offset,
439 for (i = 0; i < paiv->num_entries; i++) {
440 struct pai_entry *paie = SMB_MALLOC_P(struct pai_entry);
445 paie->ace_flags = SEC_ACE_FLAG_INHERITED_ACE;
446 if (!get_pai_owner_type(paie, entry_offset)) {
452 DLIST_ADD(paiv->entry_list, paie);
454 DLIST_ADD(paiv->def_entry_list, paie);
456 entry_offset += PAI_V1_ENTRY_LENGTH;
461 /************************************************************************
462 Convert to in-memory format from version 1.
463 ************************************************************************/
465 static struct pai_val *create_pai_val_v1(const char *buf, size_t size)
467 const char *entry_offset;
468 struct pai_val *paiv = NULL;
470 if (!check_pai_ok_v1(buf, size)) {
474 paiv = SMB_MALLOC_P(struct pai_val);
479 memset(paiv, '\0', sizeof(struct pai_val));
481 paiv->sd_type = (CVAL(buf,PAI_V1_FLAG_OFFSET) == PAI_V1_ACL_FLAG_PROTECTED) ?
482 SEC_DESC_DACL_PROTECTED : 0;
484 paiv->num_entries = SVAL(buf,PAI_V1_NUM_ENTRIES_OFFSET);
485 paiv->num_def_entries = SVAL(buf,PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET);
487 entry_offset = buf + PAI_V1_ENTRIES_BASE;
489 DEBUG(10,("create_pai_val: num_entries = %u, num_def_entries = %u\n",
490 paiv->num_entries, paiv->num_def_entries ));
492 entry_offset = create_pai_v1_entries(paiv, entry_offset, false);
493 if (entry_offset == NULL) {
494 free_inherited_info(paiv);
497 entry_offset = create_pai_v1_entries(paiv, entry_offset, true);
498 if (entry_offset == NULL) {
499 free_inherited_info(paiv);
506 /************************************************************************
508 ************************************************************************/
510 static const char *create_pai_v2_entries(struct pai_val *paiv,
511 unsigned int num_entries,
512 const char *entry_offset,
517 for (i = 0; i < num_entries; i++) {
518 struct pai_entry *paie = SMB_MALLOC_P(struct pai_entry);
523 paie->ace_flags = CVAL(entry_offset,0);
525 if (!get_pai_owner_type(paie, entry_offset+1)) {
530 DLIST_ADD(paiv->entry_list, paie);
532 DLIST_ADD(paiv->def_entry_list, paie);
534 entry_offset += PAI_V2_ENTRY_LENGTH;
539 /************************************************************************
540 Convert to in-memory format from version 2.
541 ************************************************************************/
543 static struct pai_val *create_pai_val_v2(const char *buf, size_t size)
545 const char *entry_offset;
546 struct pai_val *paiv = NULL;
548 if (!check_pai_ok_v2(buf, size)) {
552 paiv = SMB_MALLOC_P(struct pai_val);
557 memset(paiv, '\0', sizeof(struct pai_val));
559 paiv->sd_type = SVAL(buf,PAI_V2_TYPE_OFFSET);
561 paiv->num_entries = SVAL(buf,PAI_V2_NUM_ENTRIES_OFFSET);
562 paiv->num_def_entries = SVAL(buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET);
564 entry_offset = buf + PAI_V2_ENTRIES_BASE;
566 DEBUG(10,("create_pai_val_v2: sd_type = 0x%x num_entries = %u, num_def_entries = %u\n",
567 (unsigned int)paiv->sd_type,
568 paiv->num_entries, paiv->num_def_entries ));
570 entry_offset = create_pai_v2_entries(paiv, paiv->num_entries,
571 entry_offset, false);
572 if (entry_offset == NULL) {
573 free_inherited_info(paiv);
576 entry_offset = create_pai_v2_entries(paiv, paiv->num_def_entries,
578 if (entry_offset == NULL) {
579 free_inherited_info(paiv);
586 /************************************************************************
587 Convert to in-memory format - from either version 1 or 2.
588 ************************************************************************/
590 static struct pai_val *create_pai_val(const char *buf, size_t size)
595 if (CVAL(buf,PAI_VERSION_OFFSET) == PAI_V1_VERSION) {
596 return create_pai_val_v1(buf, size);
597 } else if (CVAL(buf,PAI_VERSION_OFFSET) == PAI_V2_VERSION) {
598 return create_pai_val_v2(buf, size);
604 /************************************************************************
605 Load the user.SAMBA_PAI attribute.
606 ************************************************************************/
608 static struct pai_val *fload_inherited_info(files_struct *fsp)
611 size_t pai_buf_size = 1024;
612 struct pai_val *paiv = NULL;
615 if (!lp_map_acl_inherit(SNUM(fsp->conn))) {
619 if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL) {
624 if (fsp->fh->fd != -1) {
625 ret = SMB_VFS_FGETXATTR(fsp, SAMBA_POSIX_INHERITANCE_EA_NAME,
626 pai_buf, pai_buf_size);
628 ret = SMB_VFS_GETXATTR(fsp->conn,
629 fsp->fsp_name->base_name,
630 SAMBA_POSIX_INHERITANCE_EA_NAME,
631 pai_buf, pai_buf_size);
635 if (errno != ERANGE) {
638 /* Buffer too small - enlarge it. */
641 if (pai_buf_size > 1024*1024) {
642 return NULL; /* Limit malloc to 1mb. */
644 if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL)
649 DEBUG(10,("load_inherited_info: ret = %lu for file %s\n",
650 (unsigned long)ret, fsp_str_dbg(fsp)));
653 /* No attribute or not supported. */
655 if (errno != ENOATTR)
656 DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
659 DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
665 paiv = create_pai_val(pai_buf, ret);
668 DEBUG(10,("load_inherited_info: ACL type is 0x%x for file %s\n",
669 (unsigned int)paiv->sd_type, fsp_str_dbg(fsp)));
676 /************************************************************************
677 Load the user.SAMBA_PAI attribute.
678 ************************************************************************/
680 static struct pai_val *load_inherited_info(const struct connection_struct *conn,
684 size_t pai_buf_size = 1024;
685 struct pai_val *paiv = NULL;
688 if (!lp_map_acl_inherit(SNUM(conn))) {
692 if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL) {
697 ret = SMB_VFS_GETXATTR(conn, fname,
698 SAMBA_POSIX_INHERITANCE_EA_NAME,
699 pai_buf, pai_buf_size);
702 if (errno != ERANGE) {
705 /* Buffer too small - enlarge it. */
708 if (pai_buf_size > 1024*1024) {
709 return NULL; /* Limit malloc to 1mb. */
711 if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL)
716 DEBUG(10,("load_inherited_info: ret = %lu for file %s\n", (unsigned long)ret, fname));
719 /* No attribute or not supported. */
721 if (errno != ENOATTR)
722 DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
725 DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
731 paiv = create_pai_val(pai_buf, ret);
734 DEBUG(10,("load_inherited_info: ACL type 0x%x for file %s\n",
735 (unsigned int)paiv->sd_type,
743 /****************************************************************************
744 Functions to manipulate the internal ACE format.
745 ****************************************************************************/
747 /****************************************************************************
748 Count a linked list of canonical ACE entries.
749 ****************************************************************************/
751 static size_t count_canon_ace_list( canon_ace *l_head )
756 for (ace = l_head; ace; ace = ace->next)
762 /****************************************************************************
763 Free a linked list of canonical ACE entries.
764 ****************************************************************************/
766 static void free_canon_ace_list( canon_ace *l_head )
768 canon_ace *list, *next;
770 for (list = l_head; list; list = next) {
772 DLIST_REMOVE(l_head, list);
777 /****************************************************************************
778 Function to duplicate a canon_ace entry.
779 ****************************************************************************/
781 static canon_ace *dup_canon_ace( canon_ace *src_ace)
783 canon_ace *dst_ace = SMB_MALLOC_P(canon_ace);
789 dst_ace->prev = dst_ace->next = NULL;
793 /****************************************************************************
794 Print out a canon ace.
795 ****************************************************************************/
797 static void print_canon_ace(canon_ace *pace, int num)
799 dbgtext( "canon_ace index %d. Type = %s ", num, pace->attr == ALLOW_ACE ? "allow" : "deny" );
800 dbgtext( "SID = %s ", sid_string_dbg(&pace->trustee));
801 if (pace->owner_type == UID_ACE) {
802 const char *u_name = uidtoname(pace->unix_ug.uid);
803 dbgtext( "uid %u (%s) ", (unsigned int)pace->unix_ug.uid, u_name );
804 } else if (pace->owner_type == GID_ACE) {
805 char *g_name = gidtoname(pace->unix_ug.gid);
806 dbgtext( "gid %u (%s) ", (unsigned int)pace->unix_ug.gid, g_name );
809 switch (pace->type) {
811 dbgtext( "SMB_ACL_USER ");
813 case SMB_ACL_USER_OBJ:
814 dbgtext( "SMB_ACL_USER_OBJ ");
817 dbgtext( "SMB_ACL_GROUP ");
819 case SMB_ACL_GROUP_OBJ:
820 dbgtext( "SMB_ACL_GROUP_OBJ ");
823 dbgtext( "SMB_ACL_OTHER ");
830 dbgtext( "ace_flags = 0x%x ", (unsigned int)pace->ace_flags);
832 dbgtext( "%c", pace->perms & S_IRUSR ? 'r' : '-');
833 dbgtext( "%c", pace->perms & S_IWUSR ? 'w' : '-');
834 dbgtext( "%c\n", pace->perms & S_IXUSR ? 'x' : '-');
837 /****************************************************************************
838 Print out a canon ace list.
839 ****************************************************************************/
841 static void print_canon_ace_list(const char *name, canon_ace *ace_list)
845 if( DEBUGLVL( 10 )) {
846 dbgtext( "print_canon_ace_list: %s\n", name );
847 for (;ace_list; ace_list = ace_list->next, count++)
848 print_canon_ace(ace_list, count );
852 /****************************************************************************
853 Map POSIX ACL perms to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
854 ****************************************************************************/
856 static mode_t convert_permset_to_mode_t(connection_struct *conn, SMB_ACL_PERMSET_T permset)
860 ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_READ) ? S_IRUSR : 0);
861 ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_WRITE) ? S_IWUSR : 0);
862 ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_EXECUTE) ? S_IXUSR : 0);
867 /****************************************************************************
868 Map generic UNIX permissions to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
869 ****************************************************************************/
871 static mode_t unix_perms_to_acl_perms(mode_t mode, int r_mask, int w_mask, int x_mask)
885 /****************************************************************************
886 Map canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits) to
887 an SMB_ACL_PERMSET_T.
888 ****************************************************************************/
890 static int map_acl_perms_to_permset(connection_struct *conn, mode_t mode, SMB_ACL_PERMSET_T *p_permset)
892 if (SMB_VFS_SYS_ACL_CLEAR_PERMS(conn, *p_permset) == -1)
894 if (mode & S_IRUSR) {
895 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_READ) == -1)
898 if (mode & S_IWUSR) {
899 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_WRITE) == -1)
902 if (mode & S_IXUSR) {
903 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_EXECUTE) == -1)
909 /****************************************************************************
910 Function to create owner and group SIDs from a SMB_STRUCT_STAT.
911 ****************************************************************************/
913 void create_file_sids(const SMB_STRUCT_STAT *psbuf, struct dom_sid *powner_sid, struct dom_sid *pgroup_sid)
915 uid_to_sid( powner_sid, psbuf->st_ex_uid );
916 gid_to_sid( pgroup_sid, psbuf->st_ex_gid );
919 /****************************************************************************
920 Merge aces with a common sid - if both are allow or deny, OR the permissions together and
921 delete the second one. If the first is deny, mask the permissions off and delete the allow
922 if the permissions become zero, delete the deny if the permissions are non zero.
923 ****************************************************************************/
925 static void merge_aces( canon_ace **pp_list_head, bool dir_acl)
927 canon_ace *l_head = *pp_list_head;
928 canon_ace *curr_ace_outer;
929 canon_ace *curr_ace_outer_next;
932 * First, merge allow entries with identical SIDs, and deny entries
933 * with identical SIDs.
936 for (curr_ace_outer = l_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
938 canon_ace *curr_ace_next;
940 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
942 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
943 bool can_merge = false;
945 curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
947 /* For file ACLs we can merge if the SIDs and ALLOW/DENY
948 * types are the same. For directory acls we must also
949 * ensure the POSIX ACL types are the same. */
952 can_merge = (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) &&
953 (curr_ace->attr == curr_ace_outer->attr));
955 can_merge = (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) &&
956 (curr_ace->type == curr_ace_outer->type) &&
957 (curr_ace->attr == curr_ace_outer->attr));
961 if( DEBUGLVL( 10 )) {
962 dbgtext("merge_aces: Merging ACE's\n");
963 print_canon_ace( curr_ace_outer, 0);
964 print_canon_ace( curr_ace, 0);
967 /* Merge two allow or two deny ACE's. */
969 /* Theoretically we shouldn't merge a dir ACE if
970 * one ACE has the CI flag set, and the other
971 * ACE has the OI flag set, but this is rare
972 * enough we can ignore it. */
974 curr_ace_outer->perms |= curr_ace->perms;
975 curr_ace_outer->ace_flags |= curr_ace->ace_flags;
976 DLIST_REMOVE(l_head, curr_ace);
978 curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
984 * Now go through and mask off allow permissions with deny permissions.
985 * We can delete either the allow or deny here as we know that each SID
986 * appears only once in the list.
989 for (curr_ace_outer = l_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
991 canon_ace *curr_ace_next;
993 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
995 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
997 curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
1000 * Subtract ACE's with different entries. Due to the ordering constraints
1001 * we've put on the ACL, we know the deny must be the first one.
1004 if (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) &&
1005 (curr_ace_outer->attr == DENY_ACE) && (curr_ace->attr == ALLOW_ACE)) {
1007 if( DEBUGLVL( 10 )) {
1008 dbgtext("merge_aces: Masking ACE's\n");
1009 print_canon_ace( curr_ace_outer, 0);
1010 print_canon_ace( curr_ace, 0);
1013 curr_ace->perms &= ~curr_ace_outer->perms;
1015 if (curr_ace->perms == 0) {
1018 * The deny overrides the allow. Remove the allow.
1021 DLIST_REMOVE(l_head, curr_ace);
1022 SAFE_FREE(curr_ace);
1023 curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
1028 * Even after removing permissions, there
1029 * are still allow permissions - delete the deny.
1030 * It is safe to delete the deny here,
1031 * as we are guarenteed by the deny first
1032 * ordering that all the deny entries for
1033 * this SID have already been merged into one
1034 * before we can get to an allow ace.
1037 DLIST_REMOVE(l_head, curr_ace_outer);
1038 SAFE_FREE(curr_ace_outer);
1043 } /* end for curr_ace */
1044 } /* end for curr_ace_outer */
1046 /* We may have modified the list. */
1048 *pp_list_head = l_head;
1051 /****************************************************************************
1052 Check if we need to return NT4.x compatible ACL entries.
1053 ****************************************************************************/
1055 bool nt4_compatible_acls(void)
1057 int compat = lp_acl_compatibility();
1059 if (compat == ACL_COMPAT_AUTO) {
1060 enum remote_arch_types ra_type = get_remote_arch();
1062 /* Automatically adapt to client */
1063 return (ra_type <= RA_WINNT);
1065 return (compat == ACL_COMPAT_WINNT);
1069 /****************************************************************************
1070 Map canon_ace perms to permission bits NT.
1071 The attr element is not used here - we only process deny entries on set,
1072 not get. Deny entries are implicit on get with ace->perms = 0.
1073 ****************************************************************************/
1075 uint32_t map_canon_ace_perms(int snum,
1076 enum security_ace_type *pacl_type,
1080 uint32_t nt_mask = 0;
1082 *pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED;
1084 if (lp_acl_map_full_control(snum) && ((perms & ALL_ACE_PERMS) == ALL_ACE_PERMS)) {
1085 if (directory_ace) {
1086 nt_mask = UNIX_DIRECTORY_ACCESS_RWX;
1088 nt_mask = (UNIX_ACCESS_RWX & ~DELETE_ACCESS);
1090 } else if ((perms & ALL_ACE_PERMS) == (mode_t)0) {
1092 * Windows NT refuses to display ACEs with no permissions in them (but
1093 * they are perfectly legal with Windows 2000). If the ACE has empty
1094 * permissions we cannot use 0, so we use the otherwise unused
1095 * WRITE_OWNER permission, which we ignore when we set an ACL.
1096 * We abstract this into a #define of UNIX_ACCESS_NONE to allow this
1097 * to be changed in the future.
1100 if (nt4_compatible_acls())
1101 nt_mask = UNIX_ACCESS_NONE;
1105 if (directory_ace) {
1106 nt_mask |= ((perms & S_IRUSR) ? UNIX_DIRECTORY_ACCESS_R : 0 );
1107 nt_mask |= ((perms & S_IWUSR) ? UNIX_DIRECTORY_ACCESS_W : 0 );
1108 nt_mask |= ((perms & S_IXUSR) ? UNIX_DIRECTORY_ACCESS_X : 0 );
1110 nt_mask |= ((perms & S_IRUSR) ? UNIX_ACCESS_R : 0 );
1111 nt_mask |= ((perms & S_IWUSR) ? UNIX_ACCESS_W : 0 );
1112 nt_mask |= ((perms & S_IXUSR) ? UNIX_ACCESS_X : 0 );
1116 if ((perms & S_IWUSR) && lp_dos_filemode(snum)) {
1117 nt_mask |= (SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|DELETE_ACCESS);
1120 DEBUG(10,("map_canon_ace_perms: Mapped (UNIX) %x to (NT) %x\n",
1121 (unsigned int)perms, (unsigned int)nt_mask ));
1126 /****************************************************************************
1127 Map NT perms to a UNIX mode_t.
1128 ****************************************************************************/
1130 #define FILE_SPECIFIC_READ_BITS (FILE_READ_DATA|FILE_READ_EA|FILE_READ_ATTRIBUTES)
1131 #define FILE_SPECIFIC_WRITE_BITS (FILE_WRITE_DATA|FILE_APPEND_DATA|FILE_WRITE_EA|FILE_WRITE_ATTRIBUTES)
1132 #define FILE_SPECIFIC_EXECUTE_BITS (FILE_EXECUTE)
1134 static mode_t map_nt_perms( uint32 *mask, int type)
1140 if((*mask) & GENERIC_ALL_ACCESS)
1141 mode = S_IRUSR|S_IWUSR|S_IXUSR;
1143 mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRUSR : 0;
1144 mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWUSR : 0;
1145 mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXUSR : 0;
1149 if((*mask) & GENERIC_ALL_ACCESS)
1150 mode = S_IRGRP|S_IWGRP|S_IXGRP;
1152 mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRGRP : 0;
1153 mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWGRP : 0;
1154 mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXGRP : 0;
1158 if((*mask) & GENERIC_ALL_ACCESS)
1159 mode = S_IROTH|S_IWOTH|S_IXOTH;
1161 mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IROTH : 0;
1162 mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWOTH : 0;
1163 mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXOTH : 0;
1171 /****************************************************************************
1172 Unpack a struct security_descriptor into a UNIX owner and group.
1173 ****************************************************************************/
1175 NTSTATUS unpack_nt_owners(struct connection_struct *conn,
1176 uid_t *puser, gid_t *pgrp,
1177 uint32 security_info_sent, const struct
1178 security_descriptor *psd)
1180 struct dom_sid owner_sid;
1181 struct dom_sid grp_sid;
1186 if(security_info_sent == 0) {
1187 DEBUG(0,("unpack_nt_owners: no security info sent !\n"));
1188 return NT_STATUS_OK;
1192 * Validate the owner and group SID's.
1195 memset(&owner_sid, '\0', sizeof(owner_sid));
1196 memset(&grp_sid, '\0', sizeof(grp_sid));
1198 DEBUG(5,("unpack_nt_owners: validating owner_sids.\n"));
1201 * Don't immediately fail if the owner sid cannot be validated.
1202 * This may be a group chown only set.
1205 if (security_info_sent & SECINFO_OWNER) {
1206 sid_copy(&owner_sid, psd->owner_sid);
1207 if (!sid_to_uid(&owner_sid, puser)) {
1208 if (lp_force_unknown_acl_user(SNUM(conn))) {
1209 /* this allows take ownership to work
1211 *puser = get_current_uid(conn);
1213 DEBUG(3,("unpack_nt_owners: unable to validate"
1214 " owner sid for %s\n",
1215 sid_string_dbg(&owner_sid)));
1216 return NT_STATUS_INVALID_OWNER;
1219 DEBUG(3,("unpack_nt_owners: owner sid mapped to uid %u\n",
1220 (unsigned int)*puser ));
1224 * Don't immediately fail if the group sid cannot be validated.
1225 * This may be an owner chown only set.
1228 if (security_info_sent & SECINFO_GROUP) {
1229 sid_copy(&grp_sid, psd->group_sid);
1230 if (!sid_to_gid( &grp_sid, pgrp)) {
1231 if (lp_force_unknown_acl_user(SNUM(conn))) {
1232 /* this allows take group ownership to work
1234 *pgrp = get_current_gid(conn);
1236 DEBUG(3,("unpack_nt_owners: unable to validate"
1238 return NT_STATUS_INVALID_OWNER;
1241 DEBUG(3,("unpack_nt_owners: group sid mapped to gid %u\n",
1242 (unsigned int)*pgrp));
1245 DEBUG(5,("unpack_nt_owners: owner_sids validated.\n"));
1247 return NT_STATUS_OK;
1250 /****************************************************************************
1251 Ensure the enforced permissions for this share apply.
1252 ****************************************************************************/
1254 static void apply_default_perms(const struct share_params *params,
1255 const bool is_directory, canon_ace *pace,
1258 mode_t and_bits = (mode_t)0;
1259 mode_t or_bits = (mode_t)0;
1261 /* Get the initial bits to apply. */
1264 and_bits = lp_dir_security_mask(params->service);
1265 or_bits = lp_force_dir_security_mode(params->service);
1267 and_bits = lp_security_mask(params->service);
1268 or_bits = lp_force_security_mode(params->service);
1271 /* Now bounce them into the S_USR space. */
1274 /* Ensure owner has read access. */
1275 pace->perms |= S_IRUSR;
1277 pace->perms |= (S_IWUSR|S_IXUSR);
1278 and_bits = unix_perms_to_acl_perms(and_bits, S_IRUSR, S_IWUSR, S_IXUSR);
1279 or_bits = unix_perms_to_acl_perms(or_bits, S_IRUSR, S_IWUSR, S_IXUSR);
1282 and_bits = unix_perms_to_acl_perms(and_bits, S_IRGRP, S_IWGRP, S_IXGRP);
1283 or_bits = unix_perms_to_acl_perms(or_bits, S_IRGRP, S_IWGRP, S_IXGRP);
1286 and_bits = unix_perms_to_acl_perms(and_bits, S_IROTH, S_IWOTH, S_IXOTH);
1287 or_bits = unix_perms_to_acl_perms(or_bits, S_IROTH, S_IWOTH, S_IXOTH);
1291 pace->perms = ((pace->perms & and_bits)|or_bits);
1294 /****************************************************************************
1295 Check if a given uid/SID is in a group gid/SID. This is probably very
1296 expensive and will need optimisation. A *lot* of optimisation :-). JRA.
1297 ****************************************************************************/
1299 static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, canon_ace *group_ace )
1301 const char *u_name = NULL;
1303 /* "Everyone" always matches every uid. */
1305 if (dom_sid_equal(&group_ace->trustee, &global_sid_World))
1309 * if it's the current user, we already have the unix token
1310 * and don't need to do the complex user_in_group_sid() call
1312 if (uid_ace->unix_ug.uid == get_current_uid(conn)) {
1313 const struct security_unix_token *curr_utok = NULL;
1316 if (group_ace->unix_ug.gid == get_current_gid(conn)) {
1320 curr_utok = get_current_utok(conn);
1321 for (i=0; i < curr_utok->ngroups; i++) {
1322 if (group_ace->unix_ug.gid == curr_utok->groups[i]) {
1328 /* u_name talloc'ed off tos. */
1329 u_name = uidtoname(uid_ace->unix_ug.uid);
1335 * user_in_group_sid() uses create_token_from_username()
1336 * which creates an artificial NT token given just a username,
1337 * so this is not reliable for users from foreign domains
1338 * exported by winbindd!
1340 return user_in_group_sid(u_name, &group_ace->trustee);
1343 /****************************************************************************
1344 A well formed POSIX file or default ACL has at least 3 entries, a
1345 SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ.
1346 In addition, the owner must always have at least read access.
1347 When using this call on get_acl, the pst struct is valid and contains
1348 the mode of the file. When using this call on set_acl, the pst struct has
1349 been modified to have a mode containing the default for this file or directory
1351 ****************************************************************************/
1353 static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace,
1354 const struct share_params *params,
1355 const bool is_directory,
1356 const struct dom_sid *pfile_owner_sid,
1357 const struct dom_sid *pfile_grp_sid,
1358 const SMB_STRUCT_STAT *pst,
1362 bool got_user = False;
1363 bool got_grp = False;
1364 bool got_other = False;
1365 canon_ace *pace_other = NULL;
1367 for (pace = *pp_ace; pace; pace = pace->next) {
1368 if (pace->type == SMB_ACL_USER_OBJ) {
1371 apply_default_perms(params, is_directory, pace, S_IRUSR);
1374 } else if (pace->type == SMB_ACL_GROUP_OBJ) {
1377 * Ensure create mask/force create mode is respected on set.
1381 apply_default_perms(params, is_directory, pace, S_IRGRP);
1384 } else if (pace->type == SMB_ACL_OTHER) {
1387 * Ensure create mask/force create mode is respected on set.
1391 apply_default_perms(params, is_directory, pace, S_IROTH);
1398 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1399 DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1404 pace->type = SMB_ACL_USER_OBJ;
1405 pace->owner_type = UID_ACE;
1406 pace->unix_ug.uid = pst->st_ex_uid;
1407 pace->trustee = *pfile_owner_sid;
1408 pace->attr = ALLOW_ACE;
1411 /* See if the owning user is in any of the other groups in
1412 the ACE. If so, OR in the permissions from that group. */
1414 bool group_matched = False;
1415 canon_ace *pace_iter;
1417 for (pace_iter = *pp_ace; pace_iter; pace_iter = pace_iter->next) {
1418 if (pace_iter->type == SMB_ACL_GROUP_OBJ || pace_iter->type == SMB_ACL_GROUP) {
1419 if (uid_entry_in_group(conn, pace, pace_iter)) {
1420 pace->perms |= pace_iter->perms;
1421 group_matched = True;
1426 /* If we only got an "everyone" perm, just use that. */
1427 if (!group_matched) {
1429 pace->perms = pace_other->perms;
1434 apply_default_perms(params, is_directory, pace, S_IRUSR);
1436 pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRUSR, S_IWUSR, S_IXUSR);
1439 DLIST_ADD(*pp_ace, pace);
1443 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1444 DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1449 pace->type = SMB_ACL_GROUP_OBJ;
1450 pace->owner_type = GID_ACE;
1451 pace->unix_ug.uid = pst->st_ex_gid;
1452 pace->trustee = *pfile_grp_sid;
1453 pace->attr = ALLOW_ACE;
1455 /* If we only got an "everyone" perm, just use that. */
1457 pace->perms = pace_other->perms;
1460 apply_default_perms(params, is_directory, pace, S_IRGRP);
1462 pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRGRP, S_IWGRP, S_IXGRP);
1465 DLIST_ADD(*pp_ace, pace);
1469 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1470 DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1475 pace->type = SMB_ACL_OTHER;
1476 pace->owner_type = WORLD_ACE;
1477 pace->unix_ug.world = -1;
1478 pace->trustee = global_sid_World;
1479 pace->attr = ALLOW_ACE;
1482 apply_default_perms(params, is_directory, pace, S_IROTH);
1484 pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IROTH, S_IWOTH, S_IXOTH);
1486 DLIST_ADD(*pp_ace, pace);
1492 /****************************************************************************
1493 Check if a POSIX ACL has the required SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries.
1494 If it does not have them, check if there are any entries where the trustee is the
1495 file owner or the owning group, and map these to SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ.
1496 ****************************************************************************/
1498 static void check_owning_objs(canon_ace *ace, struct dom_sid *pfile_owner_sid, struct dom_sid *pfile_grp_sid)
1500 bool got_user_obj, got_group_obj;
1501 canon_ace *current_ace;
1504 entries = count_canon_ace_list(ace);
1505 got_user_obj = False;
1506 got_group_obj = False;
1508 for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1509 if (current_ace->type == SMB_ACL_USER_OBJ)
1510 got_user_obj = True;
1511 else if (current_ace->type == SMB_ACL_GROUP_OBJ)
1512 got_group_obj = True;
1514 if (got_user_obj && got_group_obj) {
1515 DEBUG(10,("check_owning_objs: ACL had owning user/group entries.\n"));
1519 for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1520 if (!got_user_obj && current_ace->owner_type == UID_ACE &&
1521 dom_sid_equal(¤t_ace->trustee, pfile_owner_sid)) {
1522 current_ace->type = SMB_ACL_USER_OBJ;
1523 got_user_obj = True;
1525 if (!got_group_obj && current_ace->owner_type == GID_ACE &&
1526 dom_sid_equal(¤t_ace->trustee, pfile_grp_sid)) {
1527 current_ace->type = SMB_ACL_GROUP_OBJ;
1528 got_group_obj = True;
1532 DEBUG(10,("check_owning_objs: ACL is missing an owner entry.\n"));
1534 DEBUG(10,("check_owning_objs: ACL is missing an owning group entry.\n"));
1537 /****************************************************************************
1538 If an ACE entry is SMB_ACL_USER_OBJ and not CREATOR_OWNER, map to SMB_ACL_USER.
1539 If an ACE entry is SMB_ACL_GROUP_OBJ and not CREATOR_GROUP, map to SMB_ACL_GROUP
1540 ****************************************************************************/
1542 static bool dup_owning_ace(canon_ace *dir_ace, canon_ace *ace)
1544 /* dir ace must be followings.
1545 SMB_ACL_USER_OBJ : trustee(CREATOR_OWNER) -> Posix ACL d:u::perm
1546 SMB_ACL_USER : not trustee -> Posix ACL u:user:perm
1547 SMB_ACL_USER_OBJ : trustee -> convert to SMB_ACL_USER : trustee
1548 Posix ACL u:trustee:perm
1550 SMB_ACL_GROUP_OBJ: trustee(CREATOR_GROUP) -> Posix ACL d:g::perm
1551 SMB_ACL_GROUP : not trustee -> Posix ACL g:group:perm
1552 SMB_ACL_GROUP_OBJ: trustee -> convert to SMB_ACL_GROUP : trustee
1553 Posix ACL g:trustee:perm
1556 if (ace->type == SMB_ACL_USER_OBJ &&
1557 !(dom_sid_equal(&ace->trustee, &global_sid_Creator_Owner))) {
1558 canon_ace *dup_ace = dup_canon_ace(ace);
1560 if (dup_ace == NULL) {
1563 dup_ace->type = SMB_ACL_USER;
1564 DLIST_ADD_END(dir_ace, dup_ace, canon_ace *);
1567 if (ace->type == SMB_ACL_GROUP_OBJ &&
1568 !(dom_sid_equal(&ace->trustee, &global_sid_Creator_Group))) {
1569 canon_ace *dup_ace = dup_canon_ace(ace);
1571 if (dup_ace == NULL) {
1574 dup_ace->type = SMB_ACL_GROUP;
1575 DLIST_ADD_END(dir_ace, dup_ace, canon_ace *);
1581 /****************************************************************************
1582 Unpack a struct security_descriptor into two canonical ace lists.
1583 ****************************************************************************/
1585 static bool create_canon_ace_lists(files_struct *fsp,
1586 const SMB_STRUCT_STAT *pst,
1587 struct dom_sid *pfile_owner_sid,
1588 struct dom_sid *pfile_grp_sid,
1589 canon_ace **ppfile_ace,
1590 canon_ace **ppdir_ace,
1591 const struct security_acl *dacl)
1593 bool all_aces_are_inherit_only = (fsp->is_directory ? True : False);
1594 canon_ace *file_ace = NULL;
1595 canon_ace *dir_ace = NULL;
1596 canon_ace *current_ace = NULL;
1597 bool got_dir_allow = False;
1598 bool got_file_allow = False;
1605 * Convert the incoming ACL into a more regular form.
1608 for(i = 0; i < dacl->num_aces; i++) {
1609 struct security_ace *psa = &dacl->aces[i];
1611 if((psa->type != SEC_ACE_TYPE_ACCESS_ALLOWED) && (psa->type != SEC_ACE_TYPE_ACCESS_DENIED)) {
1612 DEBUG(3,("create_canon_ace_lists: unable to set anything but an ALLOW or DENY ACE.\n"));
1616 if (nt4_compatible_acls()) {
1618 * The security mask may be UNIX_ACCESS_NONE which should map into
1619 * no permissions (we overload the WRITE_OWNER bit for this) or it
1620 * should be one of the ALL/EXECUTE/READ/WRITE bits. Arrange for this
1621 * to be so. Any other bits override the UNIX_ACCESS_NONE bit.
1625 * Convert GENERIC bits to specific bits.
1628 se_map_generic(&psa->access_mask, &file_generic_mapping);
1630 psa->access_mask &= (UNIX_ACCESS_NONE|FILE_ALL_ACCESS);
1632 if(psa->access_mask != UNIX_ACCESS_NONE)
1633 psa->access_mask &= ~UNIX_ACCESS_NONE;
1638 * Deal with the fact that NT 4.x re-writes the canonical format
1639 * that we return for default ACLs. If a directory ACE is identical
1640 * to a inherited directory ACE then NT changes the bits so that the
1641 * first ACE is set to OI|IO and the second ACE for this SID is set
1642 * to CI. We need to repair this. JRA.
1645 for(i = 0; i < dacl->num_aces; i++) {
1646 struct security_ace *psa1 = &dacl->aces[i];
1648 for (j = i + 1; j < dacl->num_aces; j++) {
1649 struct security_ace *psa2 = &dacl->aces[j];
1651 if (psa1->access_mask != psa2->access_mask)
1654 if (!dom_sid_equal(&psa1->trustee, &psa2->trustee))
1658 * Ok - permission bits and SIDs are equal.
1659 * Check if flags were re-written.
1662 if (psa1->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1664 psa1->flags |= (psa2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1665 psa2->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1667 } else if (psa2->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1669 psa2->flags |= (psa1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1670 psa1->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1676 for(i = 0; i < dacl->num_aces; i++) {
1677 struct security_ace *psa = &dacl->aces[i];
1680 * Create a canon_ace entry representing this NT DACL ACE.
1683 if ((current_ace = SMB_MALLOC_P(canon_ace)) == NULL) {
1684 free_canon_ace_list(file_ace);
1685 free_canon_ace_list(dir_ace);
1686 DEBUG(0,("create_canon_ace_lists: malloc fail.\n"));
1690 ZERO_STRUCTP(current_ace);
1692 sid_copy(¤t_ace->trustee, &psa->trustee);
1695 * Try and work out if the SID is a user or group
1696 * as we need to flag these differently for POSIX.
1697 * Note what kind of a POSIX ACL this should map to.
1700 if( dom_sid_equal(¤t_ace->trustee, &global_sid_World)) {
1701 current_ace->owner_type = WORLD_ACE;
1702 current_ace->unix_ug.world = -1;
1703 current_ace->type = SMB_ACL_OTHER;
1704 } else if (dom_sid_equal(¤t_ace->trustee, &global_sid_Creator_Owner)) {
1705 current_ace->owner_type = UID_ACE;
1706 current_ace->unix_ug.uid = pst->st_ex_uid;
1707 current_ace->type = SMB_ACL_USER_OBJ;
1710 * The Creator Owner entry only specifies inheritable permissions,
1711 * never access permissions. WinNT doesn't always set the ACE to
1712 * INHERIT_ONLY, though.
1715 psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1717 } else if (dom_sid_equal(¤t_ace->trustee, &global_sid_Creator_Group)) {
1718 current_ace->owner_type = GID_ACE;
1719 current_ace->unix_ug.gid = pst->st_ex_gid;
1720 current_ace->type = SMB_ACL_GROUP_OBJ;
1723 * The Creator Group entry only specifies inheritable permissions,
1724 * never access permissions. WinNT doesn't always set the ACE to
1725 * INHERIT_ONLY, though.
1727 psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1729 } else if (sid_to_uid( ¤t_ace->trustee, ¤t_ace->unix_ug.uid)) {
1730 current_ace->owner_type = UID_ACE;
1731 /* If it's the owning user, this is a user_obj, not
1733 if (current_ace->unix_ug.uid == pst->st_ex_uid) {
1734 current_ace->type = SMB_ACL_USER_OBJ;
1736 current_ace->type = SMB_ACL_USER;
1738 } else if (sid_to_gid( ¤t_ace->trustee, ¤t_ace->unix_ug.gid)) {
1739 current_ace->owner_type = GID_ACE;
1740 /* If it's the primary group, this is a group_obj, not
1742 if (current_ace->unix_ug.gid == pst->st_ex_gid) {
1743 current_ace->type = SMB_ACL_GROUP_OBJ;
1745 current_ace->type = SMB_ACL_GROUP;
1749 * Silently ignore map failures in non-mappable SIDs (NT Authority, BUILTIN etc).
1752 if (non_mappable_sid(&psa->trustee)) {
1753 DEBUG(10, ("create_canon_ace_lists: ignoring "
1754 "non-mappable SID %s\n",
1755 sid_string_dbg(&psa->trustee)));
1756 SAFE_FREE(current_ace);
1760 if (lp_force_unknown_acl_user(SNUM(fsp->conn))) {
1761 DEBUG(10, ("create_canon_ace_lists: ignoring "
1762 "unknown or foreign SID %s\n",
1763 sid_string_dbg(&psa->trustee)));
1764 SAFE_FREE(current_ace);
1768 free_canon_ace_list(file_ace);
1769 free_canon_ace_list(dir_ace);
1770 DEBUG(0, ("create_canon_ace_lists: unable to map SID "
1771 "%s to uid or gid.\n",
1772 sid_string_dbg(¤t_ace->trustee)));
1773 SAFE_FREE(current_ace);
1778 * Map the given NT permissions into a UNIX mode_t containing only
1779 * S_I(R|W|X)USR bits.
1782 current_ace->perms |= map_nt_perms( &psa->access_mask, S_IRUSR);
1783 current_ace->attr = (psa->type == SEC_ACE_TYPE_ACCESS_ALLOWED) ? ALLOW_ACE : DENY_ACE;
1785 /* Store the ace_flag. */
1786 current_ace->ace_flags = psa->flags;
1789 * Now add the created ace to either the file list, the directory
1790 * list, or both. We *MUST* preserve the order here (hence we use
1791 * DLIST_ADD_END) as NT ACLs are order dependent.
1794 if (fsp->is_directory) {
1797 * We can only add to the default POSIX ACE list if the ACE is
1798 * designed to be inherited by both files and directories.
1801 if ((psa->flags & (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) ==
1802 (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) {
1804 DLIST_ADD_END(dir_ace, current_ace, canon_ace *);
1807 * Note if this was an allow ace. We can't process
1808 * any further deny ace's after this.
1811 if (current_ace->attr == ALLOW_ACE)
1812 got_dir_allow = True;
1814 if ((current_ace->attr == DENY_ACE) && got_dir_allow) {
1815 DEBUG(0,("create_canon_ace_lists: "
1817 "inheritable ACL! Deny entry "
1818 "after Allow entry. Failing "
1819 "to set on file %s.\n",
1821 free_canon_ace_list(file_ace);
1822 free_canon_ace_list(dir_ace);
1826 if( DEBUGLVL( 10 )) {
1827 dbgtext("create_canon_ace_lists: adding dir ACL:\n");
1828 print_canon_ace( current_ace, 0);
1832 * We have a lossy mapping: directory ACE entries
1833 * CREATOR_OWNER ------\
1834 * (map to) +---> SMB_ACL_USER_OBJ
1835 * owning sid ------/
1837 * CREATOR_GROUP ------\
1838 * (map to) +---> SMB_ACL_GROUP_OBJ
1839 * primary group sid --/
1841 * on set. And on read of a directory ACL
1843 * SMB_ACL_USER_OBJ ----> CREATOR_OWNER
1844 * SMB_ACL_GROUP_OBJ ---> CREATOR_GROUP.
1846 * Deal with this on set by duplicating
1847 * owning sid and primary group sid ACE
1848 * entries into the directory ACL.
1849 * Fix from Tsukasa Hamano <hamano@osstech.co.jp>.
1852 if (!dup_owning_ace(dir_ace, current_ace)) {
1853 DEBUG(0,("create_canon_ace_lists: malloc fail !\n"));
1854 free_canon_ace_list(file_ace);
1855 free_canon_ace_list(dir_ace);
1860 * If this is not an inherit only ACE we need to add a duplicate
1864 if (!(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1865 canon_ace *dup_ace = dup_canon_ace(current_ace);
1868 DEBUG(0,("create_canon_ace_lists: malloc fail !\n"));
1869 free_canon_ace_list(file_ace);
1870 free_canon_ace_list(dir_ace);
1875 * We must not free current_ace here as its
1876 * pointer is now owned by the dir_ace list.
1878 current_ace = dup_ace;
1879 /* We've essentially split this ace into two,
1880 * and added the ace with inheritance request
1881 * bits to the directory ACL. Drop those bits for
1882 * the ACE we're adding to the file list. */
1883 current_ace->ace_flags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT|
1884 SEC_ACE_FLAG_CONTAINER_INHERIT|
1885 SEC_ACE_FLAG_INHERIT_ONLY);
1888 * We must not free current_ace here as its
1889 * pointer is now owned by the dir_ace list.
1897 * Only add to the file ACL if not inherit only.
1900 if (current_ace && !(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1901 DLIST_ADD_END(file_ace, current_ace, canon_ace *);
1904 * Note if this was an allow ace. We can't process
1905 * any further deny ace's after this.
1908 if (current_ace->attr == ALLOW_ACE)
1909 got_file_allow = True;
1911 if ((current_ace->attr == DENY_ACE) && got_file_allow) {
1912 DEBUG(0,("create_canon_ace_lists: malformed "
1913 "ACL in file ACL ! Deny entry after "
1914 "Allow entry. Failing to set on file "
1915 "%s.\n", fsp_str_dbg(fsp)));
1916 free_canon_ace_list(file_ace);
1917 free_canon_ace_list(dir_ace);
1921 if( DEBUGLVL( 10 )) {
1922 dbgtext("create_canon_ace_lists: adding file ACL:\n");
1923 print_canon_ace( current_ace, 0);
1925 all_aces_are_inherit_only = False;
1927 * We must not free current_ace here as its
1928 * pointer is now owned by the file_ace list.
1934 * Free if ACE was not added.
1937 SAFE_FREE(current_ace);
1940 if (fsp->is_directory && all_aces_are_inherit_only) {
1942 * Windows 2000 is doing one of these weird 'inherit acl'
1943 * traverses to conserve NTFS ACL resources. Just pretend
1944 * there was no DACL sent. JRA.
1947 DEBUG(10,("create_canon_ace_lists: Win2k inherit acl traverse. Ignoring DACL.\n"));
1948 free_canon_ace_list(file_ace);
1949 free_canon_ace_list(dir_ace);
1954 * Check if we have SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries in each
1955 * ACL. If we don't have them, check if any SMB_ACL_USER/SMB_ACL_GROUP
1956 * entries can be converted to *_OBJ. Usually we will already have these
1957 * entries in the Default ACL, and the Access ACL will not have them.
1960 check_owning_objs(file_ace, pfile_owner_sid, pfile_grp_sid);
1963 check_owning_objs(dir_ace, pfile_owner_sid, pfile_grp_sid);
1967 *ppfile_ace = file_ace;
1968 *ppdir_ace = dir_ace;
1973 /****************************************************************************
1974 ASCII art time again... JRA :-).
1976 We have 4 cases to process when moving from an NT ACL to a POSIX ACL. Firstly,
1977 we insist the ACL is in canonical form (ie. all DENY entries preceede ALLOW
1978 entries). Secondly, the merge code has ensured that all duplicate SID entries for
1979 allow or deny have been merged, so the same SID can only appear once in the deny
1980 list or once in the allow list.
1982 We then process as follows :
1984 ---------------------------------------------------------------------------
1985 First pass - look for a Everyone DENY entry.
1987 If it is deny all (rwx) trunate the list at this point.
1988 Else, walk the list from this point and use the deny permissions of this
1989 entry as a mask on all following allow entries. Finally, delete
1990 the Everyone DENY entry (we have applied it to everything possible).
1992 In addition, in this pass we remove any DENY entries that have
1993 no permissions (ie. they are a DENY nothing).
1994 ---------------------------------------------------------------------------
1995 Second pass - only deal with deny user entries.
1997 DENY user1 (perms XXX)
2000 for all following allow group entries where user1 is in group
2001 new_perms |= group_perms;
2003 user1 entry perms = new_perms & ~ XXX;
2005 Convert the deny entry to an allow entry with the new perms and
2006 push to the end of the list. Note if the user was in no groups
2007 this maps to a specific allow nothing entry for this user.
2009 The common case from the NT ACL choser (userX deny all) is
2010 optimised so we don't do the group lookup - we just map to
2011 an allow nothing entry.
2013 What we're doing here is inferring the allow permissions the
2014 person setting the ACE on user1 wanted by looking at the allow
2015 permissions on the groups the user is currently in. This will
2016 be a snapshot, depending on group membership but is the best
2017 we can do and has the advantage of failing closed rather than
2019 ---------------------------------------------------------------------------
2020 Third pass - only deal with deny group entries.
2022 DENY group1 (perms XXX)
2024 for all following allow user entries where user is in group1
2025 user entry perms = user entry perms & ~ XXX;
2027 If there is a group Everyone allow entry with permissions YYY,
2028 convert the group1 entry to an allow entry and modify its
2031 new_perms = YYY & ~ XXX
2033 and push to the end of the list.
2035 If there is no group Everyone allow entry then convert the
2036 group1 entry to a allow nothing entry and push to the end of the list.
2038 Note that the common case from the NT ACL choser (groupX deny all)
2039 cannot be optimised here as we need to modify user entries who are
2040 in the group to change them to a deny all also.
2042 What we're doing here is modifying the allow permissions of
2043 user entries (which are more specific in POSIX ACLs) to mask
2044 out the explicit deny set on the group they are in. This will
2045 be a snapshot depending on current group membership but is the
2046 best we can do and has the advantage of failing closed rather
2048 ---------------------------------------------------------------------------
2049 Fourth pass - cope with cumulative permissions.
2051 for all allow user entries, if there exists an allow group entry with
2052 more permissive permissions, and the user is in that group, rewrite the
2053 allow user permissions to contain both sets of permissions.
2055 Currently the code for this is #ifdef'ed out as these semantics make
2056 no sense to me. JRA.
2057 ---------------------------------------------------------------------------
2059 Note we *MUST* do the deny user pass first as this will convert deny user
2060 entries into allow user entries which can then be processed by the deny
2063 The above algorithm took a *lot* of thinking about - hence this
2064 explaination :-). JRA.
2065 ****************************************************************************/
2067 /****************************************************************************
2068 Process a canon_ace list entries. This is very complex code. We need
2069 to go through and remove the "deny" permissions from any allow entry that matches
2070 the id of this entry. We have already refused any NT ACL that wasn't in correct
2071 order (DENY followed by ALLOW). If any allow entry ends up with zero permissions,
2072 we just remove it (to fail safe). We have already removed any duplicate ace
2073 entries. Treat an "Everyone" DENY_ACE as a special case - use it to mask all
2075 ****************************************************************************/
2077 static void process_deny_list(connection_struct *conn, canon_ace **pp_ace_list )
2079 canon_ace *ace_list = *pp_ace_list;
2080 canon_ace *curr_ace = NULL;
2081 canon_ace *curr_ace_next = NULL;
2083 /* Pass 1 above - look for an Everyone, deny entry. */
2085 for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2086 canon_ace *allow_ace_p;
2088 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2090 if (curr_ace->attr != DENY_ACE)
2093 if (curr_ace->perms == (mode_t)0) {
2095 /* Deny nothing entry - delete. */
2097 DLIST_REMOVE(ace_list, curr_ace);
2101 if (!dom_sid_equal(&curr_ace->trustee, &global_sid_World))
2104 /* JRATEST - assert. */
2105 SMB_ASSERT(curr_ace->owner_type == WORLD_ACE);
2107 if (curr_ace->perms == ALL_ACE_PERMS) {
2110 * Optimisation. This is a DENY_ALL to Everyone. Truncate the
2111 * list at this point including this entry.
2114 canon_ace *prev_entry = DLIST_PREV(curr_ace);
2116 free_canon_ace_list( curr_ace );
2118 DLIST_REMOVE(ace_list, prev_entry);
2120 /* We deleted the entire list. */
2126 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2129 * Only mask off allow entries.
2132 if (allow_ace_p->attr != ALLOW_ACE)
2135 allow_ace_p->perms &= ~curr_ace->perms;
2139 * Now it's been applied, remove it.
2142 DLIST_REMOVE(ace_list, curr_ace);
2145 /* Pass 2 above - deal with deny user entries. */
2147 for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2148 mode_t new_perms = (mode_t)0;
2149 canon_ace *allow_ace_p;
2151 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2153 if (curr_ace->attr != DENY_ACE)
2156 if (curr_ace->owner_type != UID_ACE)
2159 if (curr_ace->perms == ALL_ACE_PERMS) {
2162 * Optimisation - this is a deny everything to this user.
2163 * Convert to an allow nothing and push to the end of the list.
2166 curr_ace->attr = ALLOW_ACE;
2167 curr_ace->perms = (mode_t)0;
2168 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
2172 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2174 if (allow_ace_p->attr != ALLOW_ACE)
2177 /* We process GID_ACE and WORLD_ACE entries only. */
2179 if (allow_ace_p->owner_type == UID_ACE)
2182 if (uid_entry_in_group(conn, curr_ace, allow_ace_p))
2183 new_perms |= allow_ace_p->perms;
2187 * Convert to a allow entry, modify the perms and push to the end
2191 curr_ace->attr = ALLOW_ACE;
2192 curr_ace->perms = (new_perms & ~curr_ace->perms);
2193 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
2196 /* Pass 3 above - deal with deny group entries. */
2198 for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2199 canon_ace *allow_ace_p;
2200 canon_ace *allow_everyone_p = NULL;
2202 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2204 if (curr_ace->attr != DENY_ACE)
2207 if (curr_ace->owner_type != GID_ACE)
2210 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2212 if (allow_ace_p->attr != ALLOW_ACE)
2215 /* Store a pointer to the Everyone allow, if it exists. */
2216 if (allow_ace_p->owner_type == WORLD_ACE)
2217 allow_everyone_p = allow_ace_p;
2219 /* We process UID_ACE entries only. */
2221 if (allow_ace_p->owner_type != UID_ACE)
2224 /* Mask off the deny group perms. */
2226 if (uid_entry_in_group(conn, allow_ace_p, curr_ace))
2227 allow_ace_p->perms &= ~curr_ace->perms;
2231 * Convert the deny to an allow with the correct perms and
2232 * push to the end of the list.
2235 curr_ace->attr = ALLOW_ACE;
2236 if (allow_everyone_p)
2237 curr_ace->perms = allow_everyone_p->perms & ~curr_ace->perms;
2239 curr_ace->perms = (mode_t)0;
2240 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
2243 /* Doing this fourth pass allows Windows semantics to be layered
2244 * on top of POSIX semantics. I'm not sure if this is desirable.
2245 * For example, in W2K ACLs there is no way to say, "Group X no
2246 * access, user Y full access" if user Y is a member of group X.
2247 * This seems completely broken semantics to me.... JRA.
2251 /* Pass 4 above - deal with allow entries. */
2253 for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2254 canon_ace *allow_ace_p;
2256 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2258 if (curr_ace->attr != ALLOW_ACE)
2261 if (curr_ace->owner_type != UID_ACE)
2264 for (allow_ace_p = ace_list; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2266 if (allow_ace_p->attr != ALLOW_ACE)
2269 /* We process GID_ACE entries only. */
2271 if (allow_ace_p->owner_type != GID_ACE)
2274 /* OR in the group perms. */
2276 if (uid_entry_in_group(conn, curr_ace, allow_ace_p))
2277 curr_ace->perms |= allow_ace_p->perms;
2282 *pp_ace_list = ace_list;
2285 /****************************************************************************
2286 Create a default mode that will be used if a security descriptor entry has
2287 no user/group/world entries.
2288 ****************************************************************************/
2290 static mode_t create_default_mode(files_struct *fsp, bool interitable_mode)
2292 int snum = SNUM(fsp->conn);
2293 mode_t and_bits = (mode_t)0;
2294 mode_t or_bits = (mode_t)0;
2297 if (interitable_mode) {
2298 mode = unix_mode(fsp->conn, FILE_ATTRIBUTE_ARCHIVE,
2299 fsp->fsp_name, NULL);
2304 if (fsp->is_directory)
2305 mode |= (S_IWUSR|S_IXUSR);
2308 * Now AND with the create mode/directory mode bits then OR with the
2309 * force create mode/force directory mode bits.
2312 if (fsp->is_directory) {
2313 and_bits = lp_dir_security_mask(snum);
2314 or_bits = lp_force_dir_security_mode(snum);
2316 and_bits = lp_security_mask(snum);
2317 or_bits = lp_force_security_mode(snum);
2320 return ((mode & and_bits)|or_bits);
2323 /****************************************************************************
2324 Unpack a struct security_descriptor into two canonical ace lists. We don't depend on this
2326 ****************************************************************************/
2328 static bool unpack_canon_ace(files_struct *fsp,
2329 const SMB_STRUCT_STAT *pst,
2330 struct dom_sid *pfile_owner_sid,
2331 struct dom_sid *pfile_grp_sid,
2332 canon_ace **ppfile_ace,
2333 canon_ace **ppdir_ace,
2334 uint32 security_info_sent,
2335 const struct security_descriptor *psd)
2338 canon_ace *file_ace = NULL;
2339 canon_ace *dir_ace = NULL;
2344 if(security_info_sent == 0) {
2345 DEBUG(0,("unpack_canon_ace: no security info sent !\n"));
2350 * If no DACL then this is a chown only security descriptor.
2353 if(!(security_info_sent & SECINFO_DACL) || !psd->dacl)
2357 * Now go through the DACL and create the canon_ace lists.
2360 if (!create_canon_ace_lists( fsp, pst, pfile_owner_sid, pfile_grp_sid,
2361 &file_ace, &dir_ace, psd->dacl))
2364 if ((file_ace == NULL) && (dir_ace == NULL)) {
2365 /* W2K traverse DACL set - ignore. */
2370 * Go through the canon_ace list and merge entries
2371 * belonging to identical users of identical allow or deny type.
2372 * We can do this as all deny entries come first, followed by
2373 * all allow entries (we have mandated this before accepting this acl).
2376 print_canon_ace_list( "file ace - before merge", file_ace);
2377 merge_aces( &file_ace, false);
2379 print_canon_ace_list( "dir ace - before merge", dir_ace);
2380 merge_aces( &dir_ace, true);
2383 * NT ACLs are order dependent. Go through the acl lists and
2384 * process DENY entries by masking the allow entries.
2387 print_canon_ace_list( "file ace - before deny", file_ace);
2388 process_deny_list(fsp->conn, &file_ace);
2390 print_canon_ace_list( "dir ace - before deny", dir_ace);
2391 process_deny_list(fsp->conn, &dir_ace);
2394 * A well formed POSIX file or default ACL has at least 3 entries, a
2395 * SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ
2396 * and optionally a mask entry. Ensure this is the case.
2399 print_canon_ace_list( "file ace - before valid", file_ace);
2404 * A default 3 element mode entry for a file should be r-- --- ---.
2405 * A default 3 element mode entry for a directory should be rwx --- ---.
2408 st.st_ex_mode = create_default_mode(fsp, False);
2410 if (!ensure_canon_entry_valid(fsp->conn, &file_ace, fsp->conn->params,
2411 fsp->is_directory, pfile_owner_sid, pfile_grp_sid, &st, True)) {
2412 free_canon_ace_list(file_ace);
2413 free_canon_ace_list(dir_ace);
2417 print_canon_ace_list( "dir ace - before valid", dir_ace);
2420 * A default inheritable 3 element mode entry for a directory should be the
2421 * mode Samba will use to create a file within. Ensure user rwx bits are set if
2425 st.st_ex_mode = create_default_mode(fsp, True);
2427 if (dir_ace && !ensure_canon_entry_valid(fsp->conn, &dir_ace, fsp->conn->params,
2428 fsp->is_directory, pfile_owner_sid, pfile_grp_sid, &st, True)) {
2429 free_canon_ace_list(file_ace);
2430 free_canon_ace_list(dir_ace);
2434 print_canon_ace_list( "file ace - return", file_ace);
2435 print_canon_ace_list( "dir ace - return", dir_ace);
2437 *ppfile_ace = file_ace;
2438 *ppdir_ace = dir_ace;
2443 /******************************************************************************
2444 When returning permissions, try and fit NT display
2445 semantics if possible. Note the the canon_entries here must have been malloced.
2446 The list format should be - first entry = owner, followed by group and other user
2447 entries, last entry = other.
2449 Note that this doesn't exactly match the NT semantics for an ACL. As POSIX entries
2450 are not ordered, and match on the most specific entry rather than walking a list,
2451 then a simple POSIX permission of rw-r--r-- should really map to 5 entries,
2453 Entry 0: owner : deny all except read and write.
2454 Entry 1: owner : allow read and write.
2455 Entry 2: group : deny all except read.
2456 Entry 3: group : allow read.
2457 Entry 4: Everyone : allow read.
2459 But NT cannot display this in their ACL editor !
2460 ********************************************************************************/
2462 static void arrange_posix_perms(const char *filename, canon_ace **pp_list_head)
2464 canon_ace *l_head = *pp_list_head;
2465 canon_ace *owner_ace = NULL;
2466 canon_ace *other_ace = NULL;
2467 canon_ace *ace = NULL;
2469 for (ace = l_head; ace; ace = ace->next) {
2470 if (ace->type == SMB_ACL_USER_OBJ)
2472 else if (ace->type == SMB_ACL_OTHER) {
2473 /* Last ace - this is "other" */
2478 if (!owner_ace || !other_ace) {
2479 DEBUG(0,("arrange_posix_perms: Invalid POSIX permissions for file %s, missing owner or other.\n",
2485 * The POSIX algorithm applies to owner first, and other last,
2486 * so ensure they are arranged in this order.
2490 DLIST_PROMOTE(l_head, owner_ace);
2494 DLIST_DEMOTE(l_head, other_ace, canon_ace *);
2497 /* We have probably changed the head of the list. */
2499 *pp_list_head = l_head;
2502 /****************************************************************************
2503 Create a linked list of canonical ACE entries.
2504 ****************************************************************************/
2506 static canon_ace *canonicalise_acl(struct connection_struct *conn,
2507 const char *fname, SMB_ACL_T posix_acl,
2508 const SMB_STRUCT_STAT *psbuf,
2509 const struct dom_sid *powner, const struct dom_sid *pgroup, struct pai_val *pal, SMB_ACL_TYPE_T the_acl_type)
2511 mode_t acl_mask = (S_IRUSR|S_IWUSR|S_IXUSR);
2512 canon_ace *l_head = NULL;
2513 canon_ace *ace = NULL;
2514 canon_ace *next_ace = NULL;
2515 int entry_id = SMB_ACL_FIRST_ENTRY;
2516 SMB_ACL_ENTRY_T entry;
2519 while ( posix_acl && (SMB_VFS_SYS_ACL_GET_ENTRY(conn, posix_acl, entry_id, &entry) == 1)) {
2520 SMB_ACL_TAG_T tagtype;
2521 SMB_ACL_PERMSET_T permset;
2524 enum ace_owner owner_type;
2526 entry_id = SMB_ACL_NEXT_ENTRY;
2528 /* Is this a MASK entry ? */
2529 if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) == -1)
2532 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1)
2535 /* Decide which SID to use based on the ACL type. */
2537 case SMB_ACL_USER_OBJ:
2538 /* Get the SID from the owner. */
2539 sid_copy(&sid, powner);
2540 unix_ug.uid = psbuf->st_ex_uid;
2541 owner_type = UID_ACE;
2545 uid_t *puid = (uid_t *)SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry);
2547 DEBUG(0,("canonicalise_acl: Failed to get uid.\n"));
2550 uid_to_sid( &sid, *puid);
2551 unix_ug.uid = *puid;
2552 owner_type = UID_ACE;
2553 SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)puid,tagtype);
2556 case SMB_ACL_GROUP_OBJ:
2557 /* Get the SID from the owning group. */
2558 sid_copy(&sid, pgroup);
2559 unix_ug.gid = psbuf->st_ex_gid;
2560 owner_type = GID_ACE;
2564 gid_t *pgid = (gid_t *)SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry);
2566 DEBUG(0,("canonicalise_acl: Failed to get gid.\n"));
2569 gid_to_sid( &sid, *pgid);
2570 unix_ug.gid = *pgid;
2571 owner_type = GID_ACE;
2572 SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)pgid,tagtype);
2576 acl_mask = convert_permset_to_mode_t(conn, permset);
2577 continue; /* Don't count the mask as an entry. */
2579 /* Use the Everyone SID */
2580 sid = global_sid_World;
2582 owner_type = WORLD_ACE;
2585 DEBUG(0,("canonicalise_acl: Unknown tagtype %u\n", (unsigned int)tagtype));
2590 * Add this entry to the list.
2593 if ((ace = SMB_MALLOC_P(canon_ace)) == NULL)
2597 ace->type = tagtype;
2598 ace->perms = convert_permset_to_mode_t(conn, permset);
2599 ace->attr = ALLOW_ACE;
2601 ace->unix_ug = unix_ug;
2602 ace->owner_type = owner_type;
2603 ace->ace_flags = get_pai_flags(pal, ace, (the_acl_type == SMB_ACL_TYPE_DEFAULT));
2605 DLIST_ADD(l_head, ace);
2609 * This next call will ensure we have at least a user/group/world set.
2612 if (!ensure_canon_entry_valid(conn, &l_head, conn->params,
2613 S_ISDIR(psbuf->st_ex_mode), powner, pgroup,
2618 * Now go through the list, masking the permissions with the
2619 * acl_mask. Ensure all DENY Entries are at the start of the list.
2622 DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", the_acl_type == SMB_ACL_TYPE_ACCESS ? "Access" : "Default" ));
2624 for ( ace_count = 0, ace = l_head; ace; ace = next_ace, ace_count++) {
2625 next_ace = ace->next;
2627 /* Masks are only applied to entries other than USER_OBJ and OTHER. */
2628 if (ace->type != SMB_ACL_OTHER && ace->type != SMB_ACL_USER_OBJ)
2629 ace->perms &= acl_mask;
2631 if (ace->perms == 0) {
2632 DLIST_PROMOTE(l_head, ace);
2635 if( DEBUGLVL( 10 ) ) {
2636 print_canon_ace(ace, ace_count);
2640 arrange_posix_perms(fname,&l_head );
2642 print_canon_ace_list( "canonicalise_acl: ace entries after arrange", l_head );
2648 free_canon_ace_list(l_head);
2652 /****************************************************************************
2653 Check if the current user group list contains a given group.
2654 ****************************************************************************/
2656 static bool current_user_in_group(connection_struct *conn, gid_t gid)
2659 const struct security_unix_token *utok = get_current_utok(conn);
2661 for (i = 0; i < utok->ngroups; i++) {
2662 if (utok->groups[i] == gid) {
2670 /****************************************************************************
2671 Should we override a deny ? Check 'acl group control' and 'dos filemode'.
2672 ****************************************************************************/
2674 static bool acl_group_override(connection_struct *conn,
2675 const struct smb_filename *smb_fname)
2677 if ((errno != EPERM) && (errno != EACCES)) {
2681 /* file primary group == user primary or supplementary group */
2682 if (lp_acl_group_control(SNUM(conn)) &&
2683 current_user_in_group(conn, smb_fname->st.st_ex_gid)) {
2687 /* user has writeable permission */
2688 if (lp_dos_filemode(SNUM(conn)) &&
2689 can_write_to_file(conn, smb_fname)) {
2696 /****************************************************************************
2697 Attempt to apply an ACL to a file or directory.
2698 ****************************************************************************/
2700 static bool set_canon_ace_list(files_struct *fsp,
2703 const SMB_STRUCT_STAT *psbuf,
2704 bool *pacl_set_support)
2706 connection_struct *conn = fsp->conn;
2708 SMB_ACL_T the_acl = SMB_VFS_SYS_ACL_INIT(conn, (int)count_canon_ace_list(the_ace) + 1);
2711 SMB_ACL_ENTRY_T mask_entry;
2712 bool got_mask_entry = False;
2713 SMB_ACL_PERMSET_T mask_permset;
2714 SMB_ACL_TYPE_T the_acl_type = (default_ace ? SMB_ACL_TYPE_DEFAULT : SMB_ACL_TYPE_ACCESS);
2715 bool needs_mask = False;
2716 mode_t mask_perms = 0;
2718 /* Use the psbuf that was passed in. */
2719 if (psbuf != &fsp->fsp_name->st) {
2720 fsp->fsp_name->st = *psbuf;
2723 #if defined(POSIX_ACL_NEEDS_MASK)
2724 /* HP-UX always wants to have a mask (called "class" there). */
2728 if (the_acl == NULL) {
2730 if (!no_acl_syscall_error(errno)) {
2732 * Only print this error message if we have some kind of ACL
2733 * support that's not working. Otherwise we would always get this.
2735 DEBUG(0,("set_canon_ace_list: Unable to init %s ACL. (%s)\n",
2736 default_ace ? "default" : "file", strerror(errno) ));
2738 *pacl_set_support = False;
2742 if( DEBUGLVL( 10 )) {
2743 dbgtext("set_canon_ace_list: setting ACL:\n");
2744 for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2745 print_canon_ace( p_ace, i);
2749 for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2750 SMB_ACL_ENTRY_T the_entry;
2751 SMB_ACL_PERMSET_T the_permset;
2754 * ACLs only "need" an ACL_MASK entry if there are any named user or
2755 * named group entries. But if there is an ACL_MASK entry, it applies
2756 * to ACL_USER, ACL_GROUP, and ACL_GROUP_OBJ entries. Set the mask
2757 * so that it doesn't deny (i.e., mask off) any permissions.
2760 if (p_ace->type == SMB_ACL_USER || p_ace->type == SMB_ACL_GROUP) {
2762 mask_perms |= p_ace->perms;
2763 } else if (p_ace->type == SMB_ACL_GROUP_OBJ) {
2764 mask_perms |= p_ace->perms;
2768 * Get the entry for this ACE.
2771 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &the_entry) == -1) {
2772 DEBUG(0,("set_canon_ace_list: Failed to create entry %d. (%s)\n",
2773 i, strerror(errno) ));
2777 if (p_ace->type == SMB_ACL_MASK) {
2778 mask_entry = the_entry;
2779 got_mask_entry = True;
2783 * Ok - we now know the ACL calls should be working, don't
2784 * allow fallback to chmod.
2787 *pacl_set_support = True;
2790 * Initialise the entry from the canon_ace.
2794 * First tell the entry what type of ACE this is.
2797 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, the_entry, p_ace->type) == -1) {
2798 DEBUG(0,("set_canon_ace_list: Failed to set tag type on entry %d. (%s)\n",
2799 i, strerror(errno) ));
2804 * Only set the qualifier (user or group id) if the entry is a user
2808 if ((p_ace->type == SMB_ACL_USER) || (p_ace->type == SMB_ACL_GROUP)) {
2809 if (SMB_VFS_SYS_ACL_SET_QUALIFIER(conn, the_entry,(void *)&p_ace->unix_ug.uid) == -1) {
2810 DEBUG(0,("set_canon_ace_list: Failed to set qualifier on entry %d. (%s)\n",
2811 i, strerror(errno) ));
2817 * Convert the mode_t perms in the canon_ace to a POSIX permset.
2820 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, the_entry, &the_permset) == -1) {
2821 DEBUG(0,("set_canon_ace_list: Failed to get permset on entry %d. (%s)\n",
2822 i, strerror(errno) ));
2826 if (map_acl_perms_to_permset(conn, p_ace->perms, &the_permset) == -1) {
2827 DEBUG(0,("set_canon_ace_list: Failed to create permset for mode (%u) on entry %d. (%s)\n",
2828 (unsigned int)p_ace->perms, i, strerror(errno) ));
2833 * ..and apply them to the entry.
2836 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, the_entry, the_permset) == -1) {
2837 DEBUG(0,("set_canon_ace_list: Failed to add permset on entry %d. (%s)\n",
2838 i, strerror(errno) ));
2843 print_canon_ace( p_ace, i);
2847 if (needs_mask && !got_mask_entry) {
2848 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &mask_entry) == -1) {
2849 DEBUG(0,("set_canon_ace_list: Failed to create mask entry. (%s)\n", strerror(errno) ));
2853 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, mask_entry, SMB_ACL_MASK) == -1) {
2854 DEBUG(0,("set_canon_ace_list: Failed to set tag type on mask entry. (%s)\n",strerror(errno) ));
2858 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, mask_entry, &mask_permset) == -1) {
2859 DEBUG(0,("set_canon_ace_list: Failed to get mask permset. (%s)\n", strerror(errno) ));
2863 if (map_acl_perms_to_permset(conn, S_IRUSR|S_IWUSR|S_IXUSR, &mask_permset) == -1) {
2864 DEBUG(0,("set_canon_ace_list: Failed to create mask permset. (%s)\n", strerror(errno) ));
2868 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, mask_entry, mask_permset) == -1) {
2869 DEBUG(0,("set_canon_ace_list: Failed to add mask permset. (%s)\n", strerror(errno) ));
2875 * Finally apply it to the file or directory.
2878 if(default_ace || fsp->is_directory || fsp->fh->fd == -1) {
2879 if (SMB_VFS_SYS_ACL_SET_FILE(conn, fsp->fsp_name->base_name,
2880 the_acl_type, the_acl) == -1) {
2882 * Some systems allow all the above calls and only fail with no ACL support
2883 * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
2885 if (no_acl_syscall_error(errno)) {
2886 *pacl_set_support = False;
2889 if (acl_group_override(conn, fsp->fsp_name)) {
2892 DEBUG(5,("set_canon_ace_list: acl group "
2893 "control on and current user in file "
2894 "%s primary group.\n",
2898 sret = SMB_VFS_SYS_ACL_SET_FILE(conn,
2899 fsp->fsp_name->base_name, the_acl_type,
2908 DEBUG(2,("set_canon_ace_list: "
2909 "sys_acl_set_file type %s failed for "
2911 the_acl_type == SMB_ACL_TYPE_DEFAULT ?
2912 "directory default" : "file",
2913 fsp_str_dbg(fsp), strerror(errno)));
2918 if (SMB_VFS_SYS_ACL_SET_FD(fsp, the_acl) == -1) {
2920 * Some systems allow all the above calls and only fail with no ACL support
2921 * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
2923 if (no_acl_syscall_error(errno)) {
2924 *pacl_set_support = False;
2927 if (acl_group_override(conn, fsp->fsp_name)) {
2930 DEBUG(5,("set_canon_ace_list: acl group "
2931 "control on and current user in file "
2932 "%s primary group.\n",
2936 sret = SMB_VFS_SYS_ACL_SET_FD(fsp, the_acl);
2944 DEBUG(2,("set_canon_ace_list: "
2945 "sys_acl_set_file failed for file %s "
2947 fsp_str_dbg(fsp), strerror(errno)));
2957 if (the_acl != NULL) {
2958 SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
2964 /****************************************************************************
2965 Find a particular canon_ace entry.
2966 ****************************************************************************/
2968 static struct canon_ace *canon_ace_entry_for(struct canon_ace *list, SMB_ACL_TAG_T type, posix_id *id)
2971 if (list->type == type && ((type != SMB_ACL_USER && type != SMB_ACL_GROUP) ||
2972 (type == SMB_ACL_USER && id && id->uid == list->unix_ug.uid) ||
2973 (type == SMB_ACL_GROUP && id && id->gid == list->unix_ug.gid)))
2980 /****************************************************************************
2982 ****************************************************************************/
2984 SMB_ACL_T free_empty_sys_acl(connection_struct *conn, SMB_ACL_T the_acl)
2986 SMB_ACL_ENTRY_T entry;
2990 if (SMB_VFS_SYS_ACL_GET_ENTRY(conn, the_acl, SMB_ACL_FIRST_ENTRY, &entry) != 1) {
2991 SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
2997 /****************************************************************************
2998 Convert a canon_ace to a generic 3 element permission - if possible.
2999 ****************************************************************************/
3001 #define MAP_PERM(p,mask,result) (((p) & (mask)) ? (result) : 0 )
3003 static bool convert_canon_ace_to_posix_perms( files_struct *fsp, canon_ace *file_ace_list, mode_t *posix_perms)
3005 int snum = SNUM(fsp->conn);
3006 size_t ace_count = count_canon_ace_list(file_ace_list);
3008 canon_ace *owner_ace = NULL;
3009 canon_ace *group_ace = NULL;
3010 canon_ace *other_ace = NULL;
3014 if (ace_count != 3) {
3015 DEBUG(3,("convert_canon_ace_to_posix_perms: Too many ACE "
3016 "entries for file %s to convert to posix perms.\n",
3021 for (ace_p = file_ace_list; ace_p; ace_p = ace_p->next) {
3022 if (ace_p->owner_type == UID_ACE)
3024 else if (ace_p->owner_type == GID_ACE)
3026 else if (ace_p->owner_type == WORLD_ACE)
3030 if (!owner_ace || !group_ace || !other_ace) {
3031 DEBUG(3,("convert_canon_ace_to_posix_perms: Can't get "
3032 "standard entries for file %s.\n", fsp_str_dbg(fsp)));
3036 *posix_perms = (mode_t)0;
3038 *posix_perms |= owner_ace->perms;
3039 *posix_perms |= MAP_PERM(group_ace->perms, S_IRUSR, S_IRGRP);
3040 *posix_perms |= MAP_PERM(group_ace->perms, S_IWUSR, S_IWGRP);
3041 *posix_perms |= MAP_PERM(group_ace->perms, S_IXUSR, S_IXGRP);
3042 *posix_perms |= MAP_PERM(other_ace->perms, S_IRUSR, S_IROTH);
3043 *posix_perms |= MAP_PERM(other_ace->perms, S_IWUSR, S_IWOTH);
3044 *posix_perms |= MAP_PERM(other_ace->perms, S_IXUSR, S_IXOTH);
3046 /* The owner must have at least read access. */
3048 *posix_perms |= S_IRUSR;
3049 if (fsp->is_directory)
3050 *posix_perms |= (S_IWUSR|S_IXUSR);
3052 /* If requested apply the masks. */
3054 /* Get the initial bits to apply. */
3056 if (fsp->is_directory) {
3057 and_bits = lp_dir_security_mask(snum);
3058 or_bits = lp_force_dir_security_mode(snum);
3060 and_bits = lp_security_mask(snum);
3061 or_bits = lp_force_security_mode(snum);
3064 *posix_perms = (((*posix_perms) & and_bits)|or_bits);
3066 DEBUG(10,("convert_canon_ace_to_posix_perms: converted u=%o,g=%o,w=%o "
3067 "to perm=0%o for file %s.\n", (int)owner_ace->perms,
3068 (int)group_ace->perms, (int)other_ace->perms,
3069 (int)*posix_perms, fsp_str_dbg(fsp)));
3074 /****************************************************************************
3075 Incoming NT ACLs on a directory can be split into a default POSIX acl (CI|OI|IO) and
3076 a normal POSIX acl. Win2k needs these split acls re-merging into one ACL
3077 with CI|OI set so it is inherited and also applies to the directory.
3078 Based on code from "Jim McDonough" <jmcd@us.ibm.com>.
3079 ****************************************************************************/
3081 static size_t merge_default_aces( struct security_ace *nt_ace_list, size_t num_aces)
3085 for (i = 0; i < num_aces; i++) {
3086 for (j = i+1; j < num_aces; j++) {
3087 uint32 i_flags_ni = (nt_ace_list[i].flags & ~SEC_ACE_FLAG_INHERITED_ACE);
3088 uint32 j_flags_ni = (nt_ace_list[j].flags & ~SEC_ACE_FLAG_INHERITED_ACE);
3089 bool i_inh = (nt_ace_list[i].flags & SEC_ACE_FLAG_INHERITED_ACE) ? True : False;
3090 bool j_inh = (nt_ace_list[j].flags & SEC_ACE_FLAG_INHERITED_ACE) ? True : False;
3092 /* We know the lower number ACE's are file entries. */
3093 if ((nt_ace_list[i].type == nt_ace_list[j].type) &&
3094 (nt_ace_list[i].size == nt_ace_list[j].size) &&
3095 (nt_ace_list[i].access_mask == nt_ace_list[j].access_mask) &&
3096 dom_sid_equal(&nt_ace_list[i].trustee, &nt_ace_list[j].trustee) &&
3098 (i_flags_ni == 0) &&
3099 (j_flags_ni == (SEC_ACE_FLAG_OBJECT_INHERIT|
3100 SEC_ACE_FLAG_CONTAINER_INHERIT|
3101 SEC_ACE_FLAG_INHERIT_ONLY))) {
3103 * W2K wants to have access allowed zero access ACE's
3104 * at the end of the list. If the mask is zero, merge
3105 * the non-inherited ACE onto the inherited ACE.
3108 if (nt_ace_list[i].access_mask == 0) {
3109 nt_ace_list[j].flags = SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
3110 (i_inh ? SEC_ACE_FLAG_INHERITED_ACE : 0);
3111 if (num_aces - i - 1 > 0)
3112 memmove(&nt_ace_list[i], &nt_ace_list[i+1], (num_aces-i-1) *
3113 sizeof(struct security_ace));
3115 DEBUG(10,("merge_default_aces: Merging zero access ACE %u onto ACE %u.\n",
3116 (unsigned int)i, (unsigned int)j ));
3119 * These are identical except for the flags.
3120 * Merge the inherited ACE onto the non-inherited ACE.
3123 nt_ace_list[i].flags = SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
3124 (i_inh ? SEC_ACE_FLAG_INHERITED_ACE : 0);
3125 if (num_aces - j - 1 > 0)
3126 memmove(&nt_ace_list[j], &nt_ace_list[j+1], (num_aces-j-1) *
3127 sizeof(struct security_ace));
3129 DEBUG(10,("merge_default_aces: Merging ACE %u onto ACE %u.\n",
3130 (unsigned int)j, (unsigned int)i ));
3142 * Add or Replace ACE entry.
3143 * In some cases we need to add a specific ACE for compatibility reasons.
3144 * When doing that we must make sure we are not actually creating a duplicate
3145 * entry. So we need to search whether an ACE entry already exist and eventually
3146 * replacce the access mask, or add a completely new entry if none was found.
3148 * This function assumes the array has enough space to add a new entry without
3149 * any reallocation of memory.
3152 static void add_or_replace_ace(struct security_ace *nt_ace_list, size_t *num_aces,
3153 const struct dom_sid *sid, enum security_ace_type type,
3154 uint32_t mask, uint8_t flags)
3158 /* first search for a duplicate */
3159 for (i = 0; i < *num_aces; i++) {
3160 if (dom_sid_equal(&nt_ace_list[i].trustee, sid) &&
3161 (nt_ace_list[i].flags == flags)) break;
3164 if (i < *num_aces) { /* found */
3165 nt_ace_list[i].type = type;
3166 nt_ace_list[i].access_mask = mask;
3167 DEBUG(10, ("Replacing ACE %d with SID %s and flags %02x\n",
3168 i, sid_string_dbg(sid), flags));
3172 /* not found, append it */
3173 init_sec_ace(&nt_ace_list[(*num_aces)++], sid, type, mask, flags);
3177 /****************************************************************************
3178 Reply to query a security descriptor from an fsp. If it succeeds it allocates
3179 the space for the return elements and returns the size needed to return the
3180 security descriptor. This should be the only external function needed for
3181 the UNIX style get ACL.
3182 ****************************************************************************/
3184 static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
3186 const SMB_STRUCT_STAT *sbuf,
3187 struct pai_val *pal,
3188 SMB_ACL_T posix_acl,
3190 uint32_t security_info,
3191 struct security_descriptor **ppdesc)
3193 struct dom_sid owner_sid;
3194 struct dom_sid group_sid;
3196 struct security_acl *psa = NULL;
3197 size_t num_acls = 0;
3198 size_t num_def_acls = 0;
3199 size_t num_aces = 0;
3200 canon_ace *file_ace = NULL;
3201 canon_ace *dir_ace = NULL;
3202 struct security_ace *nt_ace_list = NULL;
3203 size_t num_profile_acls = 0;
3204 struct dom_sid orig_owner_sid;
3205 struct security_descriptor *psd = NULL;
3209 * Get the owner, group and world SIDs.
3212 create_file_sids(sbuf, &owner_sid, &group_sid);
3214 if (lp_profile_acls(SNUM(conn))) {
3215 /* For WXP SP1 the owner must be administrators. */
3216 sid_copy(&orig_owner_sid, &owner_sid);
3217 sid_copy(&owner_sid, &global_sid_Builtin_Administrators);
3218 sid_copy(&group_sid, &global_sid_Builtin_Users);
3219 num_profile_acls = 3;
3222 if ((security_info & SECINFO_DACL) && !(security_info & SECINFO_PROTECTED_DACL)) {
3225 * In the optimum case Creator Owner and Creator Group would be used for
3226 * the ACL_USER_OBJ and ACL_GROUP_OBJ entries, respectively, but this
3227 * would lead to usability problems under Windows: The Creator entries
3228 * are only available in browse lists of directories and not for files;
3229 * additionally the identity of the owning group couldn't be determined.
3230 * We therefore use those identities only for Default ACLs.
3233 /* Create the canon_ace lists. */
3234 file_ace = canonicalise_acl(conn, name, posix_acl, sbuf,
3235 &owner_sid, &group_sid, pal,
3236 SMB_ACL_TYPE_ACCESS);
3238 /* We must have *some* ACLS. */
3240 if (count_canon_ace_list(file_ace) == 0) {
3241 DEBUG(0,("get_nt_acl : No ACLs on file (%s) !\n", name));
3245 if (S_ISDIR(sbuf->st_ex_mode) && def_acl) {
3246 dir_ace = canonicalise_acl(conn, name, def_acl,
3248 &global_sid_Creator_Owner,
3249 &global_sid_Creator_Group,
3250 pal, SMB_ACL_TYPE_DEFAULT);
3254 * Create the NT ACE list from the canonical ace lists.
3259 enum security_ace_type nt_acl_type;
3261 if (nt4_compatible_acls() && dir_ace) {
3263 * NT 4 chokes if an ACL contains an INHERIT_ONLY entry
3264 * but no non-INHERIT_ONLY entry for one SID. So we only
3265 * remove entries from the Access ACL if the
3266 * corresponding Default ACL entries have also been
3267 * removed. ACEs for CREATOR-OWNER and CREATOR-GROUP
3268 * are exceptions. We can do nothing
3269 * intelligent if the Default ACL contains entries that
3270 * are not also contained in the Access ACL, so this
3271 * case will still fail under NT 4.
3274 ace = canon_ace_entry_for(dir_ace, SMB_ACL_OTHER, NULL);
3275 if (ace && !ace->perms) {
3276 DLIST_REMOVE(dir_ace, ace);
3279 ace = canon_ace_entry_for(file_ace, SMB_ACL_OTHER, NULL);
3280 if (ace && !ace->perms) {
3281 DLIST_REMOVE(file_ace, ace);
3287 * WinNT doesn't usually have Creator Group
3288 * in browse lists, so we send this entry to
3289 * WinNT even if it contains no relevant
3290 * permissions. Once we can add
3291 * Creator Group to browse lists we can
3296 ace = canon_ace_entry_for(dir_ace, SMB_ACL_GROUP_OBJ, NULL);
3297 if (ace && !ace->perms) {
3298 DLIST_REMOVE(dir_ace, ace);
3303 ace = canon_ace_entry_for(file_ace, SMB_ACL_GROUP_OBJ, NULL);
3304 if (ace && !ace->perms) {
3305 DLIST_REMOVE(file_ace, ace);
3310 num_acls = count_canon_ace_list(file_ace);
3311 num_def_acls = count_canon_ace_list(dir_ace);
3313 /* Allocate the ace list. */
3314 if ((nt_ace_list = SMB_MALLOC_ARRAY(struct security_ace,num_acls + num_profile_acls + num_def_acls)) == NULL) {
3315 DEBUG(0,("get_nt_acl: Unable to malloc space for nt_ace_list.\n"));
3319 memset(nt_ace_list, '\0', (num_acls + num_def_acls) * sizeof(struct security_ace) );
3322 * Create the NT ACE list from the canonical ace lists.
3325 for (ace = file_ace; ace != NULL; ace = ace->next) {
3326 uint32_t acc = map_canon_ace_perms(SNUM(conn),
3329 S_ISDIR(sbuf->st_ex_mode));
3330 init_sec_ace(&nt_ace_list[num_aces++],
3337 /* The User must have access to a profile share - even
3338 * if we can't map the SID. */
3339 if (lp_profile_acls(SNUM(conn))) {
3340 add_or_replace_ace(nt_ace_list, &num_aces,
3341 &global_sid_Builtin_Users,
3342 SEC_ACE_TYPE_ACCESS_ALLOWED,
3343 FILE_GENERIC_ALL, 0);
3346 for (ace = dir_ace; ace != NULL; ace = ace->next) {
3347 uint32_t acc = map_canon_ace_perms(SNUM(conn),
3350 S_ISDIR(sbuf->st_ex_mode));
3351 init_sec_ace(&nt_ace_list[num_aces++],
3356 SEC_ACE_FLAG_OBJECT_INHERIT|
3357 SEC_ACE_FLAG_CONTAINER_INHERIT|
3358 SEC_ACE_FLAG_INHERIT_ONLY);
3361 /* The User must have access to a profile share - even
3362 * if we can't map the SID. */
3363 if (lp_profile_acls(SNUM(conn))) {
3364 add_or_replace_ace(nt_ace_list, &num_aces,
3365 &global_sid_Builtin_Users,
3366 SEC_ACE_TYPE_ACCESS_ALLOWED,
3368 SEC_ACE_FLAG_OBJECT_INHERIT |
3369 SEC_ACE_FLAG_CONTAINER_INHERIT |
3370 SEC_ACE_FLAG_INHERIT_ONLY);
3374 * Merge POSIX default ACLs and normal ACLs into one NT ACE.
3375 * Win2K needs this to get the inheritance correct when replacing ACLs
3376 * on a directory tree. Based on work by Jim @ IBM.
3379 num_aces = merge_default_aces(nt_ace_list, num_aces);
3381 if (lp_profile_acls(SNUM(conn))) {
3382 for (i = 0; i < num_aces; i++) {
3383 if (dom_sid_equal(&nt_ace_list[i].trustee, &owner_sid)) {
3384 add_or_replace_ace(nt_ace_list, &num_aces,
3386 nt_ace_list[i].type,
3387 nt_ace_list[i].access_mask,
3388 nt_ace_list[i].flags);
3396 if((psa = make_sec_acl( talloc_tos(), NT4_ACL_REVISION, num_aces, nt_ace_list)) == NULL) {
3397 DEBUG(0,("get_nt_acl: Unable to malloc space for acl.\n"));
3401 } /* security_info & SECINFO_DACL */
3403 psd = make_standard_sec_desc( talloc_tos(),
3404 (security_info & SECINFO_OWNER) ? &owner_sid : NULL,
3405 (security_info & SECINFO_GROUP) ? &group_sid : NULL,
3410 DEBUG(0,("get_nt_acl: Unable to malloc space for security descriptor.\n"));
3416 * Windows 2000: The DACL_PROTECTED flag in the security
3417 * descriptor marks the ACL as non-inheriting, i.e., no
3418 * ACEs from higher level directories propagate to this
3419 * ACL. In the POSIX ACL model permissions are only
3420 * inherited at file create time, so ACLs never contain
3421 * any ACEs that are inherited dynamically. The DACL_PROTECTED
3422 * flag doesn't seem to bother Windows NT.
3423 * Always set this if map acl inherit is turned off.
3425 if (pal == NULL || !lp_map_acl_inherit(SNUM(conn))) {
3426 psd->type |= SEC_DESC_DACL_PROTECTED;
3428 psd->type |= pal->sd_type;
3432 dacl_sort_into_canonical_order(psd->dacl->aces, (unsigned int)psd->dacl->num_aces);
3440 SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
3443 SMB_VFS_SYS_ACL_FREE_ACL(conn, def_acl);
3445 free_canon_ace_list(file_ace);
3446 free_canon_ace_list(dir_ace);
3447 free_inherited_info(pal);
3448 SAFE_FREE(nt_ace_list);
3450 return NT_STATUS_OK;
3453 NTSTATUS posix_fget_nt_acl(struct files_struct *fsp, uint32_t security_info,
3454 struct security_descriptor **ppdesc)
3456 SMB_STRUCT_STAT sbuf;
3457 SMB_ACL_T posix_acl = NULL;
3458 struct pai_val *pal;
3462 DEBUG(10,("posix_fget_nt_acl: called for file %s\n",
3465 /* can it happen that fsp_name == NULL ? */
3466 if (fsp->is_directory || fsp->fh->fd == -1) {
3467 return posix_get_nt_acl(fsp->conn, fsp->fsp_name->base_name,
3468 security_info, ppdesc);
3471 /* Get the stat struct for the owner info. */
3472 if(SMB_VFS_FSTAT(fsp, &sbuf) != 0) {
3473 return map_nt_error_from_unix(errno);
3476 /* Get the ACL from the fd. */
3477 posix_acl = SMB_VFS_SYS_ACL_GET_FD(fsp);
3479 pal = fload_inherited_info(fsp);
3481 return posix_get_nt_acl_common(fsp->conn, fsp->fsp_name->base_name,
3482 &sbuf, pal, posix_acl, NULL,
3483 security_info, ppdesc);
3486 NTSTATUS posix_get_nt_acl(struct connection_struct *conn, const char *name,
3487 uint32_t security_info, struct security_descriptor **ppdesc)
3489 SMB_ACL_T posix_acl = NULL;
3490 SMB_ACL_T def_acl = NULL;
3491 struct pai_val *pal;
3492 struct smb_filename smb_fname;
3497 DEBUG(10,("posix_get_nt_acl: called for file %s\n", name ));
3499 ZERO_STRUCT(smb_fname);
3500 smb_fname.base_name = discard_const_p(char, name);
3502 /* Get the stat struct for the owner info. */
3503 if (lp_posix_pathnames()) {
3504 ret = SMB_VFS_LSTAT(conn, &smb_fname);
3506 ret = SMB_VFS_STAT(conn, &smb_fname);
3510 return map_nt_error_from_unix(errno);
3513 /* Get the ACL from the path. */
3514 posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, name, SMB_ACL_TYPE_ACCESS);
3516 /* If it's a directory get the default POSIX ACL. */
3517 if(S_ISDIR(smb_fname.st.st_ex_mode)) {
3518 def_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, name, SMB_ACL_TYPE_DEFAULT);
3519 def_acl = free_empty_sys_acl(conn, def_acl);
3522 pal = load_inherited_info(conn, name);
3524 return posix_get_nt_acl_common(conn, name, &smb_fname.st, pal,
3525 posix_acl, def_acl, security_info,
3529 /****************************************************************************
3530 Try to chown a file. We will be able to chown it under the following conditions.
3532 1) If we have root privileges, then it will just work.
3533 2) If we have SeRestorePrivilege we can change the user + group to any other user.
3534 3) If we have SeTakeOwnershipPrivilege we can change the user to the current user.
3535 4) If we have write permission to the file and dos_filemodes is set
3536 then allow chown to the currently authenticated user.
3537 ****************************************************************************/
3539 NTSTATUS try_chown(files_struct *fsp, uid_t uid, gid_t gid)
3543 if(!CAN_WRITE(fsp->conn)) {
3544 return NT_STATUS_MEDIA_WRITE_PROTECTED;
3548 status = vfs_chown_fsp(fsp, uid, gid);
3549 if (NT_STATUS_IS_OK(status)) {
3553 /* Case (2) / (3) */
3554 if (lp_enable_privileges()) {
3555 bool has_take_ownership_priv = security_token_has_privilege(
3556 get_current_nttok(fsp->conn),
3557 SEC_PRIV_TAKE_OWNERSHIP);
3558 bool has_restore_priv = security_token_has_privilege(
3559 get_current_nttok(fsp->conn),
3562 if (has_restore_priv) {
3564 } else if (has_take_ownership_priv) {
3566 if (uid == get_current_uid(fsp->conn)) {
3569 has_take_ownership_priv = false;
3573 if (has_take_ownership_priv || has_restore_priv) {
3575 status = vfs_chown_fsp(fsp, uid, gid);
3582 if (!lp_dos_filemode(SNUM(fsp->conn))) {
3583 return NT_STATUS_ACCESS_DENIED;
3586 /* only allow chown to the current user. This is more secure,
3587 and also copes with the case where the SID in a take ownership ACL is
3588 a local SID on the users workstation
3590 if (uid != get_current_uid(fsp->conn)) {
3591 return NT_STATUS_ACCESS_DENIED;
3595 /* Keep the current file gid the same. */
3596 status = vfs_chown_fsp(fsp, uid, (gid_t)-1);
3603 /* Disable this - prevents ACL inheritance from the ACL editor. JRA. */
3605 /****************************************************************************
3606 Take care of parent ACL inheritance.
3607 ****************************************************************************/
3609 NTSTATUS append_parent_acl(files_struct *fsp,
3610 const struct security_descriptor *pcsd,
3611 struct security_descriptor **pp_new_sd)
3613 struct smb_filename *smb_dname = NULL;
3614 struct security_descriptor *parent_sd = NULL;
3615 files_struct *parent_fsp = NULL;
3616 TALLOC_CTX *mem_ctx = talloc_tos();
3617 char *parent_name = NULL;
3618 struct security_ace *new_ace = NULL;
3619 unsigned int num_aces = pcsd->dacl->num_aces;
3623 struct security_descriptor *psd = dup_sec_desc(talloc_tos(), pcsd);
3624 bool is_dacl_protected = (pcsd->type & SEC_DESC_DACL_PROTECTED);
3627 return NT_STATUS_NO_MEMORY;
3630 if (!parent_dirname(mem_ctx, fsp->fsp_name->base_name, &parent_name,
3632 return NT_STATUS_NO_MEMORY;
3635 status = create_synthetic_smb_fname(mem_ctx, parent_name, NULL, NULL,
3637 if (!NT_STATUS_IS_OK(status)) {
3641 status = SMB_VFS_CREATE_FILE(
3642 fsp->conn, /* conn */
3644 0, /* root_dir_fid */
3645 smb_dname, /* fname */
3646 FILE_READ_ATTRIBUTES, /* access_mask */
3647 FILE_SHARE_NONE, /* share_access */
3648 FILE_OPEN, /* create_disposition*/
3649 FILE_DIRECTORY_FILE, /* create_options */
3650 0, /* file_attributes */
3651 INTERNAL_OPEN_ONLY, /* oplock_request */
3652 0, /* allocation_size */
3655 &parent_fsp, /* result */
3658 if (!NT_STATUS_IS_OK(status)) {
3659 TALLOC_FREE(smb_dname);
3663 status = SMB_VFS_GET_NT_ACL(parent_fsp->conn, smb_dname->base_name,
3664 SECINFO_DACL, &parent_sd );
3666 close_file(NULL, parent_fsp, NORMAL_CLOSE);
3667 TALLOC_FREE(smb_dname);
3669 if (!NT_STATUS_IS_OK(status)) {
3674 * Make room for potentially all the ACLs from
3675 * the parent. We used to add the ugw triple here,
3676 * as we knew we were dealing with POSIX ACLs.
3677 * We no longer need to do so as we can guarentee
3678 * that a default ACL from the parent directory will
3679 * be well formed for POSIX ACLs if it came from a
3680 * POSIX ACL source, and if we're not writing to a
3681 * POSIX ACL sink then we don't care if it's not well
3685 num_aces += parent_sd->dacl->num_aces;
3687 if((new_ace = TALLOC_ZERO_ARRAY(mem_ctx, struct security_ace,
3688 num_aces)) == NULL) {
3689 return NT_STATUS_NO_MEMORY;
3692 /* Start by copying in all the given ACE entries. */
3693 for (i = 0; i < psd->dacl->num_aces; i++) {
3694 sec_ace_copy(&new_ace[i], &psd->dacl->aces[i]);
3698 * Note that we're ignoring "inherit permissions" here
3699 * as that really only applies to newly created files. JRA.
3702 /* Finally append any inherited ACEs. */
3703 for (j = 0; j < parent_sd->dacl->num_aces; j++) {
3704 struct security_ace *se = &parent_sd->dacl->aces[j];
3706 if (fsp->is_directory) {
3707 if (!(se->flags & SEC_ACE_FLAG_CONTAINER_INHERIT)) {
3708 /* Doesn't apply to a directory - ignore. */
3709 DEBUG(10,("append_parent_acl: directory %s "
3710 "ignoring non container "
3711 "inherit flags %u on ACE with sid %s "
3714 (unsigned int)se->flags,
3715 sid_string_dbg(&se->trustee),
3720 if (!(se->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) {
3721 /* Doesn't apply to a file - ignore. */
3722 DEBUG(10,("append_parent_acl: file %s "
3723 "ignoring non object "
3724 "inherit flags %u on ACE with sid %s "
3727 (unsigned int)se->flags,
3728 sid_string_dbg(&se->trustee),
3734 if (is_dacl_protected) {
3735 /* If the DACL is protected it means we must
3736 * not overwrite an existing ACE entry with the
3737 * same SID. This is order N^2. Ouch :-(. JRA. */
3739 for (k = 0; k < psd->dacl->num_aces; k++) {
3740 if (dom_sid_equal(&psd->dacl->aces[k].trustee,
3745 if (k < psd->dacl->num_aces) {
3746 /* SID matched. Ignore. */
3747 DEBUG(10,("append_parent_acl: path %s "
3748 "ignoring ACE with protected sid %s "
3751 sid_string_dbg(&se->trustee),
3757 sec_ace_copy(&new_ace[i], se);
3758 if (se->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
3759 new_ace[i].flags &= ~(SEC_ACE_FLAG_VALID_INHERIT);
3761 new_ace[i].flags |= SEC_ACE_FLAG_INHERITED_ACE;
3763 if (fsp->is_directory) {
3765 * Strip off any inherit only. It's applied.
3767 new_ace[i].flags &= ~(SEC_ACE_FLAG_INHERIT_ONLY);
3768 if (se->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
3769 /* No further inheritance. */
3771 ~(SEC_ACE_FLAG_CONTAINER_INHERIT|
3772 SEC_ACE_FLAG_OBJECT_INHERIT);
3776 * Strip off any container or inherit
3777 * flags, they can't apply to objects.
3779 new_ace[i].flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|
3780 SEC_ACE_FLAG_INHERIT_ONLY|
3781 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT);
3785 DEBUG(10,("append_parent_acl: path %s "
3786 "inheriting ACE with sid %s "
3789 sid_string_dbg(&se->trustee),
3793 psd->dacl->aces = new_ace;
3794 psd->dacl->num_aces = i;
3795 psd->type &= ~(SEC_DESC_DACL_AUTO_INHERITED|
3796 SEC_DESC_DACL_AUTO_INHERIT_REQ);
3803 /****************************************************************************
3804 Reply to set a security descriptor on an fsp. security_info_sent is the
3805 description of the following NT ACL.
3806 This should be the only external function needed for the UNIX style set ACL.
3807 We make a copy of psd_orig as internal functions modify the elements inside
3808 it, even though it's a const pointer.
3809 ****************************************************************************/
3811 NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const struct security_descriptor *psd_orig)
3813 connection_struct *conn = fsp->conn;
3814 uid_t user = (uid_t)-1;
3815 gid_t grp = (gid_t)-1;
3816 struct dom_sid file_owner_sid;
3817 struct dom_sid file_grp_sid;
3818 canon_ace *file_ace_list = NULL;
3819 canon_ace *dir_ace_list = NULL;
3820 bool acl_perms = False;
3821 mode_t orig_mode = (mode_t)0;
3823 bool set_acl_as_root = false;
3824 bool acl_set_support = false;
3826 struct security_descriptor *psd = NULL;
3828 DEBUG(10,("set_nt_acl: called for file %s\n",
3831 if (!CAN_WRITE(conn)) {
3832 DEBUG(10,("set acl rejected on read-only share\n"));
3833 return NT_STATUS_MEDIA_WRITE_PROTECTED;
3837 return NT_STATUS_INVALID_PARAMETER;
3840 psd = dup_sec_desc(talloc_tos(), psd_orig);
3842 return NT_STATUS_NO_MEMORY;
3846 * Get the current state of the file.
3849 status = vfs_stat_fsp(fsp);
3850 if (!NT_STATUS_IS_OK(status)) {
3854 /* Save the original element we check against. */
3855 orig_mode = fsp->fsp_name->st.st_ex_mode;
3858 * Unpack the user/group/world id's.
3861 /* POSIX can't cope with missing owner/group. */
3862 if ((security_info_sent & SECINFO_OWNER) && (psd->owner_sid == NULL)) {
3863 security_info_sent &= ~SECINFO_OWNER;
3865 if ((security_info_sent & SECINFO_GROUP) && (psd->group_sid == NULL)) {
3866 security_info_sent &= ~SECINFO_GROUP;
3869 status = unpack_nt_owners( conn, &user, &grp, security_info_sent, psd);
3870 if (!NT_STATUS_IS_OK(status)) {
3875 * Do we need to chown ? If so this must be done first as the incoming
3876 * CREATOR_OWNER acl will be relative to the *new* owner, not the old.
3880 if (((user != (uid_t)-1) && (fsp->fsp_name->st.st_ex_uid != user)) ||
3881 (( grp != (gid_t)-1) && (fsp->fsp_name->st.st_ex_gid != grp))) {
3883 DEBUG(3,("set_nt_acl: chown %s. uid = %u, gid = %u.\n",
3884 fsp_str_dbg(fsp), (unsigned int)user,
3885 (unsigned int)grp));
3887 status = try_chown(fsp, user, grp);
3888 if(!NT_STATUS_IS_OK(status)) {
3889 DEBUG(3,("set_nt_acl: chown %s, %u, %u failed. Error "
3890 "= %s.\n", fsp_str_dbg(fsp),
3893 nt_errstr(status)));
3898 * Recheck the current state of the file, which may have changed.
3899 * (suid/sgid bits, for instance)
3902 status = vfs_stat_fsp(fsp);
3903 if (!NT_STATUS_IS_OK(status)) {
3907 /* Save the original element we check against. */
3908 orig_mode = fsp->fsp_name->st.st_ex_mode;
3910 /* If we successfully chowned, we know we must
3911 * be able to set the acl, so do it as root.
3913 set_acl_as_root = true;
3916 create_file_sids(&fsp->fsp_name->st, &file_owner_sid, &file_grp_sid);
3918 if((security_info_sent & SECINFO_DACL) &&
3919 (psd->type & SEC_DESC_DACL_PRESENT) &&
3920 (psd->dacl == NULL)) {
3921 struct security_ace ace[3];
3923 /* We can't have NULL DACL in POSIX.
3924 Use owner/group/Everyone -> full access. */
3926 init_sec_ace(&ace[0],
3928 SEC_ACE_TYPE_ACCESS_ALLOWED,
3931 init_sec_ace(&ace[1],
3933 SEC_ACE_TYPE_ACCESS_ALLOWED,
3936 init_sec_ace(&ace[2],
3938 SEC_ACE_TYPE_ACCESS_ALLOWED,
3941 psd->dacl = make_sec_acl(talloc_tos(),
3945 if (psd->dacl == NULL) {
3946 return NT_STATUS_NO_MEMORY;
3948 security_acl_map_generic(psd->dacl, &file_generic_mapping);
3951 acl_perms = unpack_canon_ace(fsp, &fsp->fsp_name->st, &file_owner_sid,
3952 &file_grp_sid, &file_ace_list,
3953 &dir_ace_list, security_info_sent, psd);
3955 /* Ignore W2K traverse DACL set. */
3956 if (!file_ace_list && !dir_ace_list) {
3957 return NT_STATUS_OK;
3961 DEBUG(3,("set_nt_acl: cannot set permissions\n"));
3962 free_canon_ace_list(file_ace_list);
3963 free_canon_ace_list(dir_ace_list);
3964 return NT_STATUS_ACCESS_DENIED;
3968 * Only change security if we got a DACL.
3971 if(!(security_info_sent & SECINFO_DACL) || (psd->dacl == NULL)) {
3972 free_canon_ace_list(file_ace_list);
3973 free_canon_ace_list(dir_ace_list);
3974 return NT_STATUS_OK;
3978 * Try using the POSIX ACL set first. Fall back to chmod if
3979 * we have no ACL support on this filesystem.
3982 if (acl_perms && file_ace_list) {
3983 if (set_acl_as_root) {
3986 ret = set_canon_ace_list(fsp, file_ace_list, false,
3987 &fsp->fsp_name->st, &acl_set_support);
3988 if (set_acl_as_root) {
3991 if (acl_set_support && ret == false) {
3992 DEBUG(3,("set_nt_acl: failed to set file acl on file "
3993 "%s (%s).\n", fsp_str_dbg(fsp),
3995 free_canon_ace_list(file_ace_list);
3996 free_canon_ace_list(dir_ace_list);
3997 return map_nt_error_from_unix(errno);
4001 if (acl_perms && acl_set_support && fsp->is_directory) {
4003 if (set_acl_as_root) {
4006 ret = set_canon_ace_list(fsp, dir_ace_list, true,
4009 if (set_acl_as_root) {
4013 DEBUG(3,("set_nt_acl: failed to set default "
4014 "acl on directory %s (%s).\n",
4015 fsp_str_dbg(fsp), strerror(errno)));
4016 free_canon_ace_list(file_ace_list);
4017 free_canon_ace_list(dir_ace_list);
4018 return map_nt_error_from_unix(errno);
4024 * No default ACL - delete one if it exists.
4027 if (set_acl_as_root) {
4030 sret = SMB_VFS_SYS_ACL_DELETE_DEF_FILE(conn,
4031 fsp->fsp_name->base_name);
4032 if (set_acl_as_root) {
4036 if (acl_group_override(conn, fsp->fsp_name)) {
4037 DEBUG(5,("set_nt_acl: acl group "
4038 "control on and current user "
4039 "in file %s primary group. "
4040 "Override delete_def_acl\n",
4045 SMB_VFS_SYS_ACL_DELETE_DEF_FILE(
4047 fsp->fsp_name->base_name);
4052 DEBUG(3,("set_nt_acl: sys_acl_delete_def_file failed (%s)\n", strerror(errno)));
4053 free_canon_ace_list(file_ace_list);
4054 free_canon_ace_list(dir_ace_list);
4055 return map_nt_error_from_unix(errno);
4061 if (acl_set_support) {
4062 if (set_acl_as_root) {
4065 store_inheritance_attributes(fsp,
4069 if (set_acl_as_root) {
4075 * If we cannot set using POSIX ACLs we fall back to checking if we need to chmod.
4078 if(!acl_set_support && acl_perms) {
4081 if (!convert_canon_ace_to_posix_perms( fsp, file_ace_list, &posix_perms)) {
4082 free_canon_ace_list(file_ace_list);
4083 free_canon_ace_list(dir_ace_list);
4084 DEBUG(3,("set_nt_acl: failed to convert file acl to "
4085 "posix permissions for file %s.\n",
4087 return NT_STATUS_ACCESS_DENIED;
4090 if (orig_mode != posix_perms) {
4093 DEBUG(3,("set_nt_acl: chmod %s. perms = 0%o.\n",
4094 fsp_str_dbg(fsp), (unsigned int)posix_perms));
4096 if (set_acl_as_root) {
4099 sret = SMB_VFS_CHMOD(conn, fsp->fsp_name->base_name,
4101 if (set_acl_as_root) {
4105 if (acl_group_override(conn, fsp->fsp_name)) {
4106 DEBUG(5,("set_nt_acl: acl group "
4107 "control on and current user "
4108 "in file %s primary group. "
4113 sret = SMB_VFS_CHMOD(conn,
4114 fsp->fsp_name->base_name,
4120 DEBUG(3,("set_nt_acl: chmod %s, 0%o "
4121 "failed. Error = %s.\n",
4123 (unsigned int)posix_perms,
4125 free_canon_ace_list(file_ace_list);
4126 free_canon_ace_list(dir_ace_list);
4127 return map_nt_error_from_unix(errno);
4133 free_canon_ace_list(file_ace_list);
4134 free_canon_ace_list(dir_ace_list);
4136 /* Ensure the stat struct in the fsp is correct. */
4137 status = vfs_stat_fsp(fsp);
4139 return NT_STATUS_OK;
4142 /****************************************************************************
4143 Get the actual group bits stored on a file with an ACL. Has no effect if
4144 the file has no ACL. Needed in dosmode code where the stat() will return
4145 the mask bits, not the real group bits, for a file with an ACL.
4146 ****************************************************************************/
4148 int get_acl_group_bits( connection_struct *conn, const char *fname, mode_t *mode )
4150 int entry_id = SMB_ACL_FIRST_ENTRY;
4151 SMB_ACL_ENTRY_T entry;
4152 SMB_ACL_T posix_acl;
4155 posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, fname, SMB_ACL_TYPE_ACCESS);
4156 if (posix_acl == (SMB_ACL_T)NULL)
4159 while (SMB_VFS_SYS_ACL_GET_ENTRY(conn, posix_acl, entry_id, &entry) == 1) {
4160 SMB_ACL_TAG_T tagtype;
4161 SMB_ACL_PERMSET_T permset;
4163 entry_id = SMB_ACL_NEXT_ENTRY;
4165 if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) ==-1)
4168 if (tagtype == SMB_ACL_GROUP_OBJ) {
4169 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1) {
4172 *mode &= ~(S_IRGRP|S_IWGRP|S_IXGRP);
4173 *mode |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_READ) ? S_IRGRP : 0);
4174 *mode |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_WRITE) ? S_IWGRP : 0);
4175 *mode |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_EXECUTE) ? S_IXGRP : 0);
4181 SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
4185 /****************************************************************************
4186 Do a chmod by setting the ACL USER_OBJ, GROUP_OBJ and OTHER bits in an ACL
4187 and set the mask to rwx. Needed to preserve complex ACLs set by NT.
4188 ****************************************************************************/
4190 static int chmod_acl_internals( connection_struct *conn, SMB_ACL_T posix_acl, mode_t mode)
4192 int entry_id = SMB_ACL_FIRST_ENTRY;
4193 SMB_ACL_ENTRY_T entry;
4194 int num_entries = 0;
4196 while ( SMB_VFS_SYS_ACL_GET_ENTRY(conn, posix_acl, entry_id, &entry) == 1) {
4197 SMB_ACL_TAG_T tagtype;
4198 SMB_ACL_PERMSET_T permset;
4201 entry_id = SMB_ACL_NEXT_ENTRY;
4203 if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) == -1)
4206 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1)
4212 case SMB_ACL_USER_OBJ:
4213 perms = unix_perms_to_acl_perms(mode, S_IRUSR, S_IWUSR, S_IXUSR);
4215 case SMB_ACL_GROUP_OBJ:
4216 perms = unix_perms_to_acl_perms(mode, S_IRGRP, S_IWGRP, S_IXGRP);
4220 * FIXME: The ACL_MASK entry permissions should really be set to
4221 * the union of the permissions of all ACL_USER,
4222 * ACL_GROUP_OBJ, and ACL_GROUP entries. That's what
4223 * acl_calc_mask() does, but Samba ACLs doesn't provide it.
4225 perms = S_IRUSR|S_IWUSR|S_IXUSR;
4228 perms = unix_perms_to_acl_perms(mode, S_IROTH, S_IWOTH, S_IXOTH);
4234 if (map_acl_perms_to_permset(conn, perms, &permset) == -1)
4237 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, entry, permset) == -1)
4242 * If this is a simple 3 element ACL or no elements then it's a standard
4243 * UNIX permission set. Just use chmod...
4246 if ((num_entries == 3) || (num_entries == 0))
4252 /****************************************************************************
4253 Get the access ACL of FROM, do a chmod by setting the ACL USER_OBJ,
4254 GROUP_OBJ and OTHER bits in an ACL and set the mask to rwx. Set the
4255 resulting ACL on TO. Note that name is in UNIX character set.
4256 ****************************************************************************/
4258 static int copy_access_posix_acl(connection_struct *conn, const char *from, const char *to, mode_t mode)
4260 SMB_ACL_T posix_acl = NULL;
4263 if ((posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, from, SMB_ACL_TYPE_ACCESS)) == NULL)
4266 if ((ret = chmod_acl_internals(conn, posix_acl, mode)) == -1)
4269 ret = SMB_VFS_SYS_ACL_SET_FILE(conn, to, SMB_ACL_TYPE_ACCESS, posix_acl);
4273 SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
4277 /****************************************************************************
4278 Do a chmod by setting the ACL USER_OBJ, GROUP_OBJ and OTHER bits in an ACL
4279 and set the mask to rwx. Needed to preserve complex ACLs set by NT.
4280 Note that name is in UNIX character set.
4281 ****************************************************************************/
4283 int chmod_acl(connection_struct *conn, const char *name, mode_t mode)
4285 return copy_access_posix_acl(conn, name, name, mode);
4288 /****************************************************************************
4289 Check for an existing default POSIX ACL on a directory.
4290 ****************************************************************************/
4292 static bool directory_has_default_posix_acl(connection_struct *conn, const char *fname)
4294 SMB_ACL_T def_acl = SMB_VFS_SYS_ACL_GET_FILE( conn, fname, SMB_ACL_TYPE_DEFAULT);
4295 bool has_acl = False;
4296 SMB_ACL_ENTRY_T entry;
4298 if (def_acl != NULL && (SMB_VFS_SYS_ACL_GET_ENTRY(conn, def_acl, SMB_ACL_FIRST_ENTRY, &entry) == 1)) {
4303 SMB_VFS_SYS_ACL_FREE_ACL(conn, def_acl);
4308 /****************************************************************************
4309 If the parent directory has no default ACL but it does have an Access ACL,
4310 inherit this Access ACL to file name.
4311 ****************************************************************************/
4313 int inherit_access_posix_acl(connection_struct *conn, const char *inherit_from_dir,
4314 const char *name, mode_t mode)
4316 if (directory_has_default_posix_acl(conn, inherit_from_dir))
4319 return copy_access_posix_acl(conn, inherit_from_dir, name, mode);
4322 /****************************************************************************
4323 Do an fchmod by setting the ACL USER_OBJ, GROUP_OBJ and OTHER bits in an ACL
4324 and set the mask to rwx. Needed to preserve complex ACLs set by NT.
4325 ****************************************************************************/
4327 int fchmod_acl(files_struct *fsp, mode_t mode)
4329 connection_struct *conn = fsp->conn;
4330 SMB_ACL_T posix_acl = NULL;
4333 if ((posix_acl = SMB_VFS_SYS_ACL_GET_FD(fsp)) == NULL)
4336 if ((ret = chmod_acl_internals(conn, posix_acl, mode)) == -1)
4339 ret = SMB_VFS_SYS_ACL_SET_FD(fsp, posix_acl);
4343 SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
4347 /****************************************************************************
4348 Map from wire type to permset.
4349 ****************************************************************************/
4351 static bool unix_ex_wire_to_permset(connection_struct *conn, unsigned char wire_perm, SMB_ACL_PERMSET_T *p_permset)
4353 if (wire_perm & ~(SMB_POSIX_ACL_READ|SMB_POSIX_ACL_WRITE|SMB_POSIX_ACL_EXECUTE)) {
4357 if (SMB_VFS_SYS_ACL_CLEAR_PERMS(conn, *p_permset) == -1) {
4361 if (wire_perm & SMB_POSIX_ACL_READ) {
4362 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_READ) == -1) {
4366 if (wire_perm & SMB_POSIX_ACL_WRITE) {
4367 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_WRITE) == -1) {
4371 if (wire_perm & SMB_POSIX_ACL_EXECUTE) {
4372 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_EXECUTE) == -1) {
4379 /****************************************************************************
4380 Map from wire type to tagtype.
4381 ****************************************************************************/
4383 static bool unix_ex_wire_to_tagtype(unsigned char wire_tt, SMB_ACL_TAG_T *p_tt)
4386 case SMB_POSIX_ACL_USER_OBJ:
4387 *p_tt = SMB_ACL_USER_OBJ;
4389 case SMB_POSIX_ACL_USER:
4390 *p_tt = SMB_ACL_USER;
4392 case SMB_POSIX_ACL_GROUP_OBJ:
4393 *p_tt = SMB_ACL_GROUP_OBJ;
4395 case SMB_POSIX_ACL_GROUP:
4396 *p_tt = SMB_ACL_GROUP;
4398 case SMB_POSIX_ACL_MASK:
4399 *p_tt = SMB_ACL_MASK;
4401 case SMB_POSIX_ACL_OTHER:
4402 *p_tt = SMB_ACL_OTHER;
4410 /****************************************************************************
4411 Create a new POSIX acl from wire permissions.
4412 FIXME ! How does the share mask/mode fit into this.... ?
4413 ****************************************************************************/
4415 static SMB_ACL_T create_posix_acl_from_wire(connection_struct *conn, uint16 num_acls, const char *pdata)
4418 SMB_ACL_T the_acl = SMB_VFS_SYS_ACL_INIT(conn, num_acls);
4420 if (the_acl == NULL) {
4424 for (i = 0; i < num_acls; i++) {
4425 SMB_ACL_ENTRY_T the_entry;
4426 SMB_ACL_PERMSET_T the_permset;
4427 SMB_ACL_TAG_T tag_type;
4429 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &the_entry) == -1) {
4430 DEBUG(0,("create_posix_acl_from_wire: Failed to create entry %u. (%s)\n",
4431 i, strerror(errno) ));
4435 if (!unix_ex_wire_to_tagtype(CVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE)), &tag_type)) {
4436 DEBUG(0,("create_posix_acl_from_wire: invalid wire tagtype %u on entry %u.\n",
4437 CVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE)), i ));
4441 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, the_entry, tag_type) == -1) {
4442 DEBUG(0,("create_posix_acl_from_wire: Failed to set tagtype on entry %u. (%s)\n",
4443 i, strerror(errno) ));
4447 /* Get the permset pointer from the new ACL entry. */
4448 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, the_entry, &the_permset) == -1) {
4449 DEBUG(0,("create_posix_acl_from_wire: Failed to get permset on entry %u. (%s)\n",
4450 i, strerror(errno) ));
4454 /* Map from wire to permissions. */
4455 if (!unix_ex_wire_to_permset(conn, CVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE)+1), &the_permset)) {
4456 DEBUG(0,("create_posix_acl_from_wire: invalid permset %u on entry %u.\n",
4457 CVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE) + 1), i ));
4461 /* Now apply to the new ACL entry. */
4462 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, the_entry, the_permset) == -1) {
4463 DEBUG(0,("create_posix_acl_from_wire: Failed to add permset on entry %u. (%s)\n",
4464 i, strerror(errno) ));
4468 if (tag_type == SMB_ACL_USER) {
4469 uint32 uidval = IVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE)+2);
4470 uid_t uid = (uid_t)uidval;
4471 if (SMB_VFS_SYS_ACL_SET_QUALIFIER(conn, the_entry,(void *)&uid) == -1) {
4472 DEBUG(0,("create_posix_acl_from_wire: Failed to set uid %u on entry %u. (%s)\n",
4473 (unsigned int)uid, i, strerror(errno) ));
4478 if (tag_type == SMB_ACL_GROUP) {
4479 uint32 gidval = IVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE)+2);
4480 gid_t gid = (uid_t)gidval;
4481 if (SMB_VFS_SYS_ACL_SET_QUALIFIER(conn, the_entry,(void *)&gid) == -1) {
4482 DEBUG(0,("create_posix_acl_from_wire: Failed to set gid %u on entry %u. (%s)\n",
4483 (unsigned int)gid, i, strerror(errno) ));
4493 if (the_acl != NULL) {
4494 SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
4499 /****************************************************************************
4500 Calls from UNIX extensions - Default POSIX ACL set.
4501 If num_def_acls == 0 and not a directory just return. If it is a directory
4502 and num_def_acls == 0 then remove the default acl. Else set the default acl
4504 ****************************************************************************/
4506 bool set_unix_posix_default_acl(connection_struct *conn, const char *fname, const SMB_STRUCT_STAT *psbuf,
4507 uint16 num_def_acls, const char *pdata)
4509 SMB_ACL_T def_acl = NULL;
4511 if (!S_ISDIR(psbuf->st_ex_mode)) {
4513 DEBUG(5,("set_unix_posix_default_acl: Can't set default ACL on non-directory file %s\n", fname ));
4521 if (!num_def_acls) {
4522 /* Remove the default ACL. */
4523 if (SMB_VFS_SYS_ACL_DELETE_DEF_FILE(conn, fname) == -1) {
4524 DEBUG(5,("set_unix_posix_default_acl: acl_delete_def_file failed on directory %s (%s)\n",
4525 fname, strerror(errno) ));
4531 if ((def_acl = create_posix_acl_from_wire(conn, num_def_acls, pdata)) == NULL) {
4535 if (SMB_VFS_SYS_ACL_SET_FILE(conn, fname, SMB_ACL_TYPE_DEFAULT, def_acl) == -1) {
4536 DEBUG(5,("set_unix_posix_default_acl: acl_set_file failed on directory %s (%s)\n",
4537 fname, strerror(errno) ));
4538 SMB_VFS_SYS_ACL_FREE_ACL(conn, def_acl);
4542 DEBUG(10,("set_unix_posix_default_acl: set default acl for file %s\n", fname ));
4543 SMB_VFS_SYS_ACL_FREE_ACL(conn, def_acl);
4547 /****************************************************************************
4548 Remove an ACL from a file. As we don't have acl_delete_entry() available
4549 we must read the current acl and copy all entries except MASK, USER and GROUP
4550 to a new acl, then set that. This (at least on Linux) causes any ACL to be
4552 FIXME ! How does the share mask/mode fit into this.... ?
4553 ****************************************************************************/
4555 static bool remove_posix_acl(connection_struct *conn, files_struct *fsp, const char *fname)
4557 SMB_ACL_T file_acl = NULL;
4558 int entry_id = SMB_ACL_FIRST_ENTRY;
4559 SMB_ACL_ENTRY_T entry;
4561 /* Create a new ACL with only 3 entries, u/g/w. */
4562 SMB_ACL_T new_file_acl = SMB_VFS_SYS_ACL_INIT(conn, 3);
4563 SMB_ACL_ENTRY_T user_ent = NULL;
4564 SMB_ACL_ENTRY_T group_ent = NULL;
4565 SMB_ACL_ENTRY_T other_ent = NULL;
4567 if (new_file_acl == NULL) {
4568 DEBUG(5,("remove_posix_acl: failed to init new ACL with 3 entries for file %s.\n", fname));
4572 /* Now create the u/g/w entries. */
4573 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &new_file_acl, &user_ent) == -1) {
4574 DEBUG(5,("remove_posix_acl: Failed to create user entry for file %s. (%s)\n",
4575 fname, strerror(errno) ));
4578 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, user_ent, SMB_ACL_USER_OBJ) == -1) {
4579 DEBUG(5,("remove_posix_acl: Failed to set user entry for file %s. (%s)\n",
4580 fname, strerror(errno) ));
4584 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &new_file_acl, &group_ent) == -1) {
4585 DEBUG(5,("remove_posix_acl: Failed to create group entry for file %s. (%s)\n",
4586 fname, strerror(errno) ));
4589 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, group_ent, SMB_ACL_GROUP_OBJ) == -1) {
4590 DEBUG(5,("remove_posix_acl: Failed to set group entry for file %s. (%s)\n",
4591 fname, strerror(errno) ));
4595 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &new_file_acl, &other_ent) == -1) {
4596 DEBUG(5,("remove_posix_acl: Failed to create other entry for file %s. (%s)\n",
4597 fname, strerror(errno) ));
4600 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, other_ent, SMB_ACL_OTHER) == -1) {
4601 DEBUG(5,("remove_posix_acl: Failed to set other entry for file %s. (%s)\n",
4602 fname, strerror(errno) ));
4606 /* Get the current file ACL. */
4607 if (fsp && fsp->fh->fd != -1) {
4608 file_acl = SMB_VFS_SYS_ACL_GET_FD(fsp);
4610 file_acl = SMB_VFS_SYS_ACL_GET_FILE( conn, fname, SMB_ACL_TYPE_ACCESS);
4613 if (file_acl == NULL) {
4614 /* This is only returned if an error occurred. Even for a file with
4615 no acl a u/g/w acl should be returned. */
4616 DEBUG(5,("remove_posix_acl: failed to get ACL from file %s (%s).\n",
4617 fname, strerror(errno) ));
4621 while ( SMB_VFS_SYS_ACL_GET_ENTRY(conn, file_acl, entry_id, &entry) == 1) {
4622 SMB_ACL_TAG_T tagtype;
4623 SMB_ACL_PERMSET_T permset;
4625 entry_id = SMB_ACL_NEXT_ENTRY;
4627 if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) == -1) {
4628 DEBUG(5,("remove_posix_acl: failed to get tagtype from ACL on file %s (%s).\n",
4629 fname, strerror(errno) ));
4633 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1) {
4634 DEBUG(5,("remove_posix_acl: failed to get permset from ACL on file %s (%s).\n",
4635 fname, strerror(errno) ));
4639 if (tagtype == SMB_ACL_USER_OBJ) {
4640 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, user_ent, permset) == -1) {
4641 DEBUG(5,("remove_posix_acl: failed to set permset from ACL on file %s (%s).\n",
4642 fname, strerror(errno) ));
4644 } else if (tagtype == SMB_ACL_GROUP_OBJ) {
4645 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, group_ent, permset) == -1) {
4646 DEBUG(5,("remove_posix_acl: failed to set permset from ACL on file %s (%s).\n",
4647 fname, strerror(errno) ));
4649 } else if (tagtype == SMB_ACL_OTHER) {
4650 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, other_ent, permset) == -1) {
4651 DEBUG(5,("remove_posix_acl: failed to set permset from ACL on file %s (%s).\n",
4652 fname, strerror(errno) ));
4657 /* Set the new empty file ACL. */
4658 if (fsp && fsp->fh->fd != -1) {
4659 if (SMB_VFS_SYS_ACL_SET_FD(fsp, new_file_acl) == -1) {
4660 DEBUG(5,("remove_posix_acl: acl_set_file failed on %s (%s)\n",
4661 fname, strerror(errno) ));
4665 if (SMB_VFS_SYS_ACL_SET_FILE(conn, fname, SMB_ACL_TYPE_ACCESS, new_file_acl) == -1) {
4666 DEBUG(5,("remove_posix_acl: acl_set_file failed on %s (%s)\n",
4667 fname, strerror(errno) ));
4677 SMB_VFS_SYS_ACL_FREE_ACL(conn, file_acl);
4680 SMB_VFS_SYS_ACL_FREE_ACL(conn, new_file_acl);
4685 /****************************************************************************
4686 Calls from UNIX extensions - POSIX ACL set.
4687 If num_def_acls == 0 then read/modify/write acl after removing all entries
4688 except SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER.
4689 ****************************************************************************/
4691 bool set_unix_posix_acl(connection_struct *conn, files_struct *fsp, const char *fname, uint16 num_acls, const char *pdata)
4693 SMB_ACL_T file_acl = NULL;
4696 /* Remove the ACL from the file. */
4697 return remove_posix_acl(conn, fsp, fname);
4700 if ((file_acl = create_posix_acl_from_wire(conn, num_acls, pdata)) == NULL) {
4704 if (fsp && fsp->fh->fd != -1) {
4705 /* The preferred way - use an open fd. */
4706 if (SMB_VFS_SYS_ACL_SET_FD(fsp, file_acl) == -1) {
4707 DEBUG(5,("set_unix_posix_acl: acl_set_file failed on %s (%s)\n",
4708 fname, strerror(errno) ));
4709 SMB_VFS_SYS_ACL_FREE_ACL(conn, file_acl);
4713 if (SMB_VFS_SYS_ACL_SET_FILE(conn, fname, SMB_ACL_TYPE_ACCESS, file_acl) == -1) {
4714 DEBUG(5,("set_unix_posix_acl: acl_set_file failed on %s (%s)\n",
4715 fname, strerror(errno) ));
4716 SMB_VFS_SYS_ACL_FREE_ACL(conn, file_acl);
4721 DEBUG(10,("set_unix_posix_acl: set acl for file %s\n", fname ));
4722 SMB_VFS_SYS_ACL_FREE_ACL(conn, file_acl);
4726 /********************************************************************
4727 Pull the NT ACL from a file on disk or the OpenEventlog() access
4728 check. Caller is responsible for freeing the returned security
4729 descriptor via TALLOC_FREE(). This is designed for dealing with
4730 user space access checks in smbd outside of the VFS. For example,
4731 checking access rights in OpenEventlog().
4733 Assume we are dealing with files (for now)
4734 ********************************************************************/
4736 struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname)
4738 struct security_descriptor *psd, *ret_sd;
4739 connection_struct *conn;
4741 struct fd_handle fh;
4744 conn = TALLOC_ZERO_P(ctx, connection_struct);
4746 DEBUG(0, ("talloc failed\n"));
4750 if (!(conn->params = TALLOC_P(conn, struct share_params))) {
4751 DEBUG(0,("get_nt_acl_no_snum: talloc() failed!\n"));
4756 conn->params->service = -1;
4758 set_conn_connectpath(conn, "/");
4760 if (!smbd_vfs_init(conn)) {
4761 DEBUG(0,("get_nt_acl_no_snum: Unable to create a fake connection struct!\n"));
4766 ZERO_STRUCT( finfo );
4774 status = create_synthetic_smb_fname(talloc_tos(), fname, NULL, NULL,
4776 if (!NT_STATUS_IS_OK(status)) {
4781 if (!NT_STATUS_IS_OK(SMB_VFS_FGET_NT_ACL( &finfo, SECINFO_DACL, &psd))) {
4782 DEBUG(0,("get_nt_acl_no_snum: get_nt_acl returned zero.\n"));
4783 TALLOC_FREE(finfo.fsp_name);
4788 ret_sd = dup_sec_desc( ctx, psd );
4790 TALLOC_FREE(finfo.fsp_name);
4796 /* Stolen shamelessly from pvfs_default_acl() in source4 :-). */
4798 NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
4800 SMB_STRUCT_STAT *psbuf,
4801 struct security_descriptor **ppdesc)
4803 struct dom_sid owner_sid, group_sid;
4805 struct security_ace aces[4];
4806 uint32_t access_mask = 0;
4807 mode_t mode = psbuf->st_ex_mode;
4808 struct security_acl *new_dacl = NULL;
4811 DEBUG(10,("make_default_filesystem_acl: file %s mode = 0%o\n",
4814 uid_to_sid(&owner_sid, psbuf->st_ex_uid);
4815 gid_to_sid(&group_sid, psbuf->st_ex_gid);
4818 We provide up to 4 ACEs
4825 if (mode & S_IRUSR) {
4826 if (mode & S_IWUSR) {
4827 access_mask |= SEC_RIGHTS_FILE_ALL;
4829 access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
4832 if (mode & S_IWUSR) {
4833 access_mask |= SEC_RIGHTS_FILE_WRITE | SEC_STD_DELETE;
4836 init_sec_ace(&aces[idx],
4838 SEC_ACE_TYPE_ACCESS_ALLOWED,
4844 if (mode & S_IRGRP) {
4845 access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
4847 if (mode & S_IWGRP) {
4848 /* note that delete is not granted - this matches posix behaviour */
4849 access_mask |= SEC_RIGHTS_FILE_WRITE;
4852 init_sec_ace(&aces[idx],
4854 SEC_ACE_TYPE_ACCESS_ALLOWED,
4861 if (mode & S_IROTH) {
4862 access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
4864 if (mode & S_IWOTH) {
4865 access_mask |= SEC_RIGHTS_FILE_WRITE;
4868 init_sec_ace(&aces[idx],
4870 SEC_ACE_TYPE_ACCESS_ALLOWED,
4876 init_sec_ace(&aces[idx],
4878 SEC_ACE_TYPE_ACCESS_ALLOWED,
4879 SEC_RIGHTS_FILE_ALL,
4883 new_dacl = make_sec_acl(ctx,
4889 return NT_STATUS_NO_MEMORY;
4892 *ppdesc = make_sec_desc(ctx,
4893 SECURITY_DESCRIPTOR_REVISION_1,
4894 SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
4901 return NT_STATUS_NO_MEMORY;
4903 return NT_STATUS_OK;