s3-talloc Change TALLOC_ZERO_P() to talloc_zero()
[nivanova/samba-autobuild/.git] / source3 / smbd / posix_acls.c
1 /*
2    Unix SMB/CIFS implementation.
3    SMB NT Security Descriptor / Unix permission conversion.
4    Copyright (C) Jeremy Allison 1994-2009.
5    Copyright (C) Andreas Gruenbacher 2002.
6    Copyright (C) Simo Sorce <idra@samba.org> 2009.
7
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "smbd/smbd.h"
24 #include "system/filesys.h"
25 #include "../libcli/security/security.h"
26 #include "trans2.h"
27 #include "passdb/lookup_sid.h"
28 #include "auth.h"
29
30 extern const struct generic_mapping file_generic_mapping;
31
32 #undef  DBGC_CLASS
33 #define DBGC_CLASS DBGC_ACLS
34
35 /****************************************************************************
36  Data structures representing the internal ACE format.
37 ****************************************************************************/
38
39 enum ace_owner {UID_ACE, GID_ACE, WORLD_ACE};
40 enum ace_attribute {ALLOW_ACE, DENY_ACE}; /* Used for incoming NT ACLS. */
41
42 typedef union posix_id {
43                 uid_t uid;
44                 gid_t gid;
45                 int world;
46 } posix_id;
47
48 typedef struct canon_ace {
49         struct canon_ace *next, *prev;
50         SMB_ACL_TAG_T type;
51         mode_t perms; /* Only use S_I(R|W|X)USR mode bits here. */
52         struct dom_sid trustee;
53         enum ace_owner owner_type;
54         enum ace_attribute attr;
55         posix_id unix_ug;
56         uint8_t ace_flags; /* From windows ACE entry. */
57 } canon_ace;
58
59 #define ALL_ACE_PERMS (S_IRUSR|S_IWUSR|S_IXUSR)
60
61 /*
62  * EA format of user.SAMBA_PAI (Samba_Posix_Acl_Interitance)
63  * attribute on disk - version 1.
64  * All values are little endian.
65  *
66  * |  1   |  1   |   2         |         2           |  ....
67  * +------+------+-------------+---------------------+-------------+--------------------+
68  * | vers | flag | num_entries | num_default_entries | ..entries.. | default_entries... |
69  * +------+------+-------------+---------------------+-------------+--------------------+
70  *
71  * Entry format is :
72  *
73  * |  1   |       4           |
74  * +------+-------------------+
75  * | value|  uid/gid or world |
76  * | type |  value            |
77  * +------+-------------------+
78  *
79  * Version 2 format. Stores extra Windows metadata about an ACL.
80  *
81  * |  1   |  2       |   2         |         2           |  ....
82  * +------+----------+-------------+---------------------+-------------+--------------------+
83  * | vers | ace      | num_entries | num_default_entries | ..entries.. | default_entries... |
84  * |   2  |  type    |             |                     |             |                    |
85  * +------+----------+-------------+---------------------+-------------+--------------------+
86  *
87  * Entry format is :
88  *
89  * |  1   |  1   |       4           |
90  * +------+------+-------------------+
91  * | ace  | value|  uid/gid or world |
92  * | flag | type |  value            |
93  * +------+-------------------+------+
94  *
95  */
96
97 #define PAI_VERSION_OFFSET                      0
98
99 #define PAI_V1_FLAG_OFFSET                      1
100 #define PAI_V1_NUM_ENTRIES_OFFSET               2
101 #define PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET       4
102 #define PAI_V1_ENTRIES_BASE                     6
103 #define PAI_V1_ACL_FLAG_PROTECTED               0x1
104 #define PAI_V1_ENTRY_LENGTH                     5
105
106 #define PAI_V1_VERSION                          1
107
108 #define PAI_V2_TYPE_OFFSET                      1
109 #define PAI_V2_NUM_ENTRIES_OFFSET               3
110 #define PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET       5
111 #define PAI_V2_ENTRIES_BASE                     7
112 #define PAI_V2_ENTRY_LENGTH                     6
113
114 #define PAI_V2_VERSION                          2
115
116 /*
117  * In memory format of user.SAMBA_PAI attribute.
118  */
119
120 struct pai_entry {
121         struct pai_entry *next, *prev;
122         uint8_t ace_flags;
123         enum ace_owner owner_type;
124         posix_id unix_ug;
125 };
126
127 struct pai_val {
128         uint16_t sd_type;
129         unsigned int num_entries;
130         struct pai_entry *entry_list;
131         unsigned int num_def_entries;
132         struct pai_entry *def_entry_list;
133 };
134
135 /************************************************************************
136  Return a uint32 of the pai_entry principal.
137 ************************************************************************/
138
139 static uint32_t get_pai_entry_val(struct pai_entry *paie)
140 {
141         switch (paie->owner_type) {
142                 case UID_ACE:
143                         DEBUG(10,("get_pai_entry_val: uid = %u\n", (unsigned int)paie->unix_ug.uid ));
144                         return (uint32_t)paie->unix_ug.uid;
145                 case GID_ACE:
146                         DEBUG(10,("get_pai_entry_val: gid = %u\n", (unsigned int)paie->unix_ug.gid ));
147                         return (uint32_t)paie->unix_ug.gid;
148                 case WORLD_ACE:
149                 default:
150                         DEBUG(10,("get_pai_entry_val: world ace\n"));
151                         return (uint32_t)-1;
152         }
153 }
154
155 /************************************************************************
156  Return a uint32 of the entry principal.
157 ************************************************************************/
158
159 static uint32_t get_entry_val(canon_ace *ace_entry)
160 {
161         switch (ace_entry->owner_type) {
162                 case UID_ACE:
163                         DEBUG(10,("get_entry_val: uid = %u\n", (unsigned int)ace_entry->unix_ug.uid ));
164                         return (uint32_t)ace_entry->unix_ug.uid;
165                 case GID_ACE:
166                         DEBUG(10,("get_entry_val: gid = %u\n", (unsigned int)ace_entry->unix_ug.gid ));
167                         return (uint32_t)ace_entry->unix_ug.gid;
168                 case WORLD_ACE:
169                 default:
170                         DEBUG(10,("get_entry_val: world ace\n"));
171                         return (uint32_t)-1;
172         }
173 }
174
175 /************************************************************************
176  Create the on-disk format (always v2 now). Caller must free.
177 ************************************************************************/
178
179 static char *create_pai_buf_v2(canon_ace *file_ace_list,
180                                 canon_ace *dir_ace_list,
181                                 uint16_t sd_type,
182                                 size_t *store_size)
183 {
184         char *pai_buf = NULL;
185         canon_ace *ace_list = NULL;
186         char *entry_offset = NULL;
187         unsigned int num_entries = 0;
188         unsigned int num_def_entries = 0;
189         unsigned int i;
190
191         for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next) {
192                 num_entries++;
193         }
194
195         for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next) {
196                 num_def_entries++;
197         }
198
199         DEBUG(10,("create_pai_buf_v2: num_entries = %u, num_def_entries = %u\n", num_entries, num_def_entries ));
200
201         *store_size = PAI_V2_ENTRIES_BASE +
202                 ((num_entries + num_def_entries)*PAI_V2_ENTRY_LENGTH);
203
204         pai_buf = (char *)SMB_MALLOC(*store_size);
205         if (!pai_buf) {
206                 return NULL;
207         }
208
209         /* Set up the header. */
210         memset(pai_buf, '\0', PAI_V2_ENTRIES_BASE);
211         SCVAL(pai_buf,PAI_VERSION_OFFSET,PAI_V2_VERSION);
212         SSVAL(pai_buf,PAI_V2_TYPE_OFFSET, sd_type);
213         SSVAL(pai_buf,PAI_V2_NUM_ENTRIES_OFFSET,num_entries);
214         SSVAL(pai_buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET,num_def_entries);
215
216         DEBUG(10,("create_pai_buf_v2: sd_type = 0x%x\n",
217                         (unsigned int)sd_type ));
218
219         entry_offset = pai_buf + PAI_V2_ENTRIES_BASE;
220
221         i = 0;
222         for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next) {
223                 uint8_t type_val = (uint8_t)ace_list->owner_type;
224                 uint32_t entry_val = get_entry_val(ace_list);
225
226                 SCVAL(entry_offset,0,ace_list->ace_flags);
227                 SCVAL(entry_offset,1,type_val);
228                 SIVAL(entry_offset,2,entry_val);
229                 DEBUG(10,("create_pai_buf_v2: entry %u [0x%x] [0x%x] [0x%x]\n",
230                         i,
231                         (unsigned int)ace_list->ace_flags,
232                         (unsigned int)type_val,
233                         (unsigned int)entry_val ));
234                 i++;
235                 entry_offset += PAI_V2_ENTRY_LENGTH;
236         }
237
238         for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next) {
239                 uint8_t type_val = (uint8_t)ace_list->owner_type;
240                 uint32_t entry_val = get_entry_val(ace_list);
241
242                 SCVAL(entry_offset,0,ace_list->ace_flags);
243                 SCVAL(entry_offset,1,type_val);
244                 SIVAL(entry_offset,2,entry_val);
245                 DEBUG(10,("create_pai_buf_v2: entry %u [0x%x] [0x%x] [0x%x]\n",
246                         i,
247                         (unsigned int)ace_list->ace_flags,
248                         (unsigned int)type_val,
249                         (unsigned int)entry_val ));
250                 i++;
251                 entry_offset += PAI_V2_ENTRY_LENGTH;
252         }
253
254         return pai_buf;
255 }
256
257 /************************************************************************
258  Store the user.SAMBA_PAI attribute on disk.
259 ************************************************************************/
260
261 static void store_inheritance_attributes(files_struct *fsp,
262                                         canon_ace *file_ace_list,
263                                         canon_ace *dir_ace_list,
264                                         uint16_t sd_type)
265 {
266         int ret;
267         size_t store_size;
268         char *pai_buf;
269
270         if (!lp_map_acl_inherit(SNUM(fsp->conn))) {
271                 return;
272         }
273
274         pai_buf = create_pai_buf_v2(file_ace_list, dir_ace_list,
275                                 sd_type, &store_size);
276
277         if (fsp->fh->fd != -1) {
278                 ret = SMB_VFS_FSETXATTR(fsp, SAMBA_POSIX_INHERITANCE_EA_NAME,
279                                 pai_buf, store_size, 0);
280         } else {
281                 ret = SMB_VFS_SETXATTR(fsp->conn, fsp->fsp_name->base_name,
282                                        SAMBA_POSIX_INHERITANCE_EA_NAME,
283                                        pai_buf, store_size, 0);
284         }
285
286         SAFE_FREE(pai_buf);
287
288         DEBUG(10,("store_inheritance_attribute: type 0x%x for file %s\n",
289                 (unsigned int)sd_type,
290                 fsp_str_dbg(fsp)));
291
292         if (ret == -1 && !no_acl_syscall_error(errno)) {
293                 DEBUG(1,("store_inheritance_attribute: Error %s\n", strerror(errno) ));
294         }
295 }
296
297 /************************************************************************
298  Delete the in memory inheritance info.
299 ************************************************************************/
300
301 static void free_inherited_info(struct pai_val *pal)
302 {
303         if (pal) {
304                 struct pai_entry *paie, *paie_next;
305                 for (paie = pal->entry_list; paie; paie = paie_next) {
306                         paie_next = paie->next;
307                         SAFE_FREE(paie);
308                 }
309                 for (paie = pal->def_entry_list; paie; paie = paie_next) {
310                         paie_next = paie->next;
311                         SAFE_FREE(paie);
312                 }
313                 SAFE_FREE(pal);
314         }
315 }
316
317 /************************************************************************
318  Get any stored ACE flags.
319 ************************************************************************/
320
321 static uint16_t get_pai_flags(struct pai_val *pal, canon_ace *ace_entry, bool default_ace)
322 {
323         struct pai_entry *paie;
324
325         if (!pal) {
326                 return 0;
327         }
328
329         /* If the entry exists it is inherited. */
330         for (paie = (default_ace ? pal->def_entry_list : pal->entry_list); paie; paie = paie->next) {
331                 if (ace_entry->owner_type == paie->owner_type &&
332                                 get_entry_val(ace_entry) == get_pai_entry_val(paie))
333                         return paie->ace_flags;
334         }
335         return 0;
336 }
337
338 /************************************************************************
339  Ensure an attribute just read is valid - v1.
340 ************************************************************************/
341
342 static bool check_pai_ok_v1(const char *pai_buf, size_t pai_buf_data_size)
343 {
344         uint16 num_entries;
345         uint16 num_def_entries;
346
347         if (pai_buf_data_size < PAI_V1_ENTRIES_BASE) {
348                 /* Corrupted - too small. */
349                 return false;
350         }
351
352         if (CVAL(pai_buf,PAI_VERSION_OFFSET) != PAI_V1_VERSION) {
353                 return false;
354         }
355
356         num_entries = SVAL(pai_buf,PAI_V1_NUM_ENTRIES_OFFSET);
357         num_def_entries = SVAL(pai_buf,PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET);
358
359         /* Check the entry lists match. */
360         /* Each entry is 5 bytes (type plus 4 bytes of uid or gid). */
361
362         if (((num_entries + num_def_entries)*PAI_V1_ENTRY_LENGTH) +
363                         PAI_V1_ENTRIES_BASE != pai_buf_data_size) {
364                 return false;
365         }
366
367         return true;
368 }
369
370 /************************************************************************
371  Ensure an attribute just read is valid - v2.
372 ************************************************************************/
373
374 static bool check_pai_ok_v2(const char *pai_buf, size_t pai_buf_data_size)
375 {
376         uint16 num_entries;
377         uint16 num_def_entries;
378
379         if (pai_buf_data_size < PAI_V2_ENTRIES_BASE) {
380                 /* Corrupted - too small. */
381                 return false;
382         }
383
384         if (CVAL(pai_buf,PAI_VERSION_OFFSET) != PAI_V2_VERSION) {
385                 return false;
386         }
387
388         num_entries = SVAL(pai_buf,PAI_V2_NUM_ENTRIES_OFFSET);
389         num_def_entries = SVAL(pai_buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET);
390
391         /* Check the entry lists match. */
392         /* Each entry is 6 bytes (flags + type + 4 bytes of uid or gid). */
393
394         if (((num_entries + num_def_entries)*PAI_V2_ENTRY_LENGTH) +
395                         PAI_V2_ENTRIES_BASE != pai_buf_data_size) {
396                 return false;
397         }
398
399         return true;
400 }
401
402 /************************************************************************
403  Decode the owner.
404 ************************************************************************/
405
406 static bool get_pai_owner_type(struct pai_entry *paie, const char *entry_offset)
407 {
408         paie->owner_type = (enum ace_owner)CVAL(entry_offset,0);
409         switch( paie->owner_type) {
410                 case UID_ACE:
411                         paie->unix_ug.uid = (uid_t)IVAL(entry_offset,1);
412                         DEBUG(10,("get_pai_owner_type: uid = %u\n",
413                                 (unsigned int)paie->unix_ug.uid ));
414                         break;
415                 case GID_ACE:
416                         paie->unix_ug.gid = (gid_t)IVAL(entry_offset,1);
417                         DEBUG(10,("get_pai_owner_type: gid = %u\n",
418                                 (unsigned int)paie->unix_ug.gid ));
419                         break;
420                 case WORLD_ACE:
421                         paie->unix_ug.world = -1;
422                         DEBUG(10,("get_pai_owner_type: world ace\n"));
423                         break;
424                 default:
425                         DEBUG(10,("get_pai_owner_type: unknown type %u\n",
426                                 (unsigned int)paie->owner_type ));
427                         return false;
428         }
429         return true;
430 }
431
432 /************************************************************************
433  Process v2 entries.
434 ************************************************************************/
435
436 static const char *create_pai_v1_entries(struct pai_val *paiv,
437                                 const char *entry_offset,
438                                 bool def_entry)
439 {
440         int i;
441
442         for (i = 0; i < paiv->num_entries; i++) {
443                 struct pai_entry *paie = SMB_MALLOC_P(struct pai_entry);
444                 if (!paie) {
445                         return NULL;
446                 }
447
448                 paie->ace_flags = SEC_ACE_FLAG_INHERITED_ACE;
449                 if (!get_pai_owner_type(paie, entry_offset)) {
450                         SAFE_FREE(paie);
451                         return NULL;
452                 }
453
454                 if (!def_entry) {
455                         DLIST_ADD(paiv->entry_list, paie);
456                 } else {
457                         DLIST_ADD(paiv->def_entry_list, paie);
458                 }
459                 entry_offset += PAI_V1_ENTRY_LENGTH;
460         }
461         return entry_offset;
462 }
463
464 /************************************************************************
465  Convert to in-memory format from version 1.
466 ************************************************************************/
467
468 static struct pai_val *create_pai_val_v1(const char *buf, size_t size)
469 {
470         const char *entry_offset;
471         struct pai_val *paiv = NULL;
472
473         if (!check_pai_ok_v1(buf, size)) {
474                 return NULL;
475         }
476
477         paiv = SMB_MALLOC_P(struct pai_val);
478         if (!paiv) {
479                 return NULL;
480         }
481
482         memset(paiv, '\0', sizeof(struct pai_val));
483
484         paiv->sd_type = (CVAL(buf,PAI_V1_FLAG_OFFSET) == PAI_V1_ACL_FLAG_PROTECTED) ?
485                         SEC_DESC_DACL_PROTECTED : 0;
486
487         paiv->num_entries = SVAL(buf,PAI_V1_NUM_ENTRIES_OFFSET);
488         paiv->num_def_entries = SVAL(buf,PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET);
489
490         entry_offset = buf + PAI_V1_ENTRIES_BASE;
491
492         DEBUG(10,("create_pai_val: num_entries = %u, num_def_entries = %u\n",
493                         paiv->num_entries, paiv->num_def_entries ));
494
495         entry_offset = create_pai_v1_entries(paiv, entry_offset, false);
496         if (entry_offset == NULL) {
497                 free_inherited_info(paiv);
498                 return NULL;
499         }
500         entry_offset = create_pai_v1_entries(paiv, entry_offset, true);
501         if (entry_offset == NULL) {
502                 free_inherited_info(paiv);
503                 return NULL;
504         }
505
506         return paiv;
507 }
508
509 /************************************************************************
510  Process v2 entries.
511 ************************************************************************/
512
513 static const char *create_pai_v2_entries(struct pai_val *paiv,
514                                 unsigned int num_entries,
515                                 const char *entry_offset,
516                                 bool def_entry)
517 {
518         unsigned int i;
519
520         for (i = 0; i < num_entries; i++) {
521                 struct pai_entry *paie = SMB_MALLOC_P(struct pai_entry);
522                 if (!paie) {
523                         return NULL;
524                 }
525
526                 paie->ace_flags = CVAL(entry_offset,0);
527
528                 if (!get_pai_owner_type(paie, entry_offset+1)) {
529                         SAFE_FREE(paie);
530                         return NULL;
531                 }
532                 if (!def_entry) {
533                         DLIST_ADD(paiv->entry_list, paie);
534                 } else {
535                         DLIST_ADD(paiv->def_entry_list, paie);
536                 }
537                 entry_offset += PAI_V2_ENTRY_LENGTH;
538         }
539         return entry_offset;
540 }
541
542 /************************************************************************
543  Convert to in-memory format from version 2.
544 ************************************************************************/
545
546 static struct pai_val *create_pai_val_v2(const char *buf, size_t size)
547 {
548         const char *entry_offset;
549         struct pai_val *paiv = NULL;
550
551         if (!check_pai_ok_v2(buf, size)) {
552                 return NULL;
553         }
554
555         paiv = SMB_MALLOC_P(struct pai_val);
556         if (!paiv) {
557                 return NULL;
558         }
559
560         memset(paiv, '\0', sizeof(struct pai_val));
561
562         paiv->sd_type = SVAL(buf,PAI_V2_TYPE_OFFSET);
563
564         paiv->num_entries = SVAL(buf,PAI_V2_NUM_ENTRIES_OFFSET);
565         paiv->num_def_entries = SVAL(buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET);
566
567         entry_offset = buf + PAI_V2_ENTRIES_BASE;
568
569         DEBUG(10,("create_pai_val_v2: sd_type = 0x%x num_entries = %u, num_def_entries = %u\n",
570                         (unsigned int)paiv->sd_type,
571                         paiv->num_entries, paiv->num_def_entries ));
572
573         entry_offset = create_pai_v2_entries(paiv, paiv->num_entries,
574                                 entry_offset, false);
575         if (entry_offset == NULL) {
576                 free_inherited_info(paiv);
577                 return NULL;
578         }
579         entry_offset = create_pai_v2_entries(paiv, paiv->num_def_entries,
580                                 entry_offset, true);
581         if (entry_offset == NULL) {
582                 free_inherited_info(paiv);
583                 return NULL;
584         }
585
586         return paiv;
587 }
588
589 /************************************************************************
590  Convert to in-memory format - from either version 1 or 2.
591 ************************************************************************/
592
593 static struct pai_val *create_pai_val(const char *buf, size_t size)
594 {
595         if (size < 1) {
596                 return NULL;
597         }
598         if (CVAL(buf,PAI_VERSION_OFFSET) == PAI_V1_VERSION) {
599                 return create_pai_val_v1(buf, size);
600         } else if (CVAL(buf,PAI_VERSION_OFFSET) == PAI_V2_VERSION) {
601                 return create_pai_val_v2(buf, size);
602         } else {
603                 return NULL;
604         }
605 }
606
607 /************************************************************************
608  Load the user.SAMBA_PAI attribute.
609 ************************************************************************/
610
611 static struct pai_val *fload_inherited_info(files_struct *fsp)
612 {
613         char *pai_buf;
614         size_t pai_buf_size = 1024;
615         struct pai_val *paiv = NULL;
616         ssize_t ret;
617
618         if (!lp_map_acl_inherit(SNUM(fsp->conn))) {
619                 return NULL;
620         }
621
622         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL) {
623                 return NULL;
624         }
625
626         do {
627                 if (fsp->fh->fd != -1) {
628                         ret = SMB_VFS_FGETXATTR(fsp, SAMBA_POSIX_INHERITANCE_EA_NAME,
629                                         pai_buf, pai_buf_size);
630                 } else {
631                         ret = SMB_VFS_GETXATTR(fsp->conn,
632                                                fsp->fsp_name->base_name,
633                                                SAMBA_POSIX_INHERITANCE_EA_NAME,
634                                                pai_buf, pai_buf_size);
635                 }
636
637                 if (ret == -1) {
638                         if (errno != ERANGE) {
639                                 break;
640                         }
641                         /* Buffer too small - enlarge it. */
642                         pai_buf_size *= 2;
643                         SAFE_FREE(pai_buf);
644                         if (pai_buf_size > 1024*1024) {
645                                 return NULL; /* Limit malloc to 1mb. */
646                         }
647                         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL)
648                                 return NULL;
649                 }
650         } while (ret == -1);
651
652         DEBUG(10,("load_inherited_info: ret = %lu for file %s\n",
653                   (unsigned long)ret, fsp_str_dbg(fsp)));
654
655         if (ret == -1) {
656                 /* No attribute or not supported. */
657 #if defined(ENOATTR)
658                 if (errno != ENOATTR)
659                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
660 #else
661                 if (errno != ENOSYS)
662                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
663 #endif
664                 SAFE_FREE(pai_buf);
665                 return NULL;
666         }
667
668         paiv = create_pai_val(pai_buf, ret);
669
670         if (paiv) {
671                 DEBUG(10,("load_inherited_info: ACL type is 0x%x for file %s\n",
672                           (unsigned int)paiv->sd_type, fsp_str_dbg(fsp)));
673         }
674
675         SAFE_FREE(pai_buf);
676         return paiv;
677 }
678
679 /************************************************************************
680  Load the user.SAMBA_PAI attribute.
681 ************************************************************************/
682
683 static struct pai_val *load_inherited_info(const struct connection_struct *conn,
684                                            const char *fname)
685 {
686         char *pai_buf;
687         size_t pai_buf_size = 1024;
688         struct pai_val *paiv = NULL;
689         ssize_t ret;
690
691         if (!lp_map_acl_inherit(SNUM(conn))) {
692                 return NULL;
693         }
694
695         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL) {
696                 return NULL;
697         }
698
699         do {
700                 ret = SMB_VFS_GETXATTR(conn, fname,
701                                        SAMBA_POSIX_INHERITANCE_EA_NAME,
702                                        pai_buf, pai_buf_size);
703
704                 if (ret == -1) {
705                         if (errno != ERANGE) {
706                                 break;
707                         }
708                         /* Buffer too small - enlarge it. */
709                         pai_buf_size *= 2;
710                         SAFE_FREE(pai_buf);
711                         if (pai_buf_size > 1024*1024) {
712                                 return NULL; /* Limit malloc to 1mb. */
713                         }
714                         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL)
715                                 return NULL;
716                 }
717         } while (ret == -1);
718
719         DEBUG(10,("load_inherited_info: ret = %lu for file %s\n", (unsigned long)ret, fname));
720
721         if (ret == -1) {
722                 /* No attribute or not supported. */
723 #if defined(ENOATTR)
724                 if (errno != ENOATTR)
725                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
726 #else
727                 if (errno != ENOSYS)
728                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
729 #endif
730                 SAFE_FREE(pai_buf);
731                 return NULL;
732         }
733
734         paiv = create_pai_val(pai_buf, ret);
735
736         if (paiv) {
737                 DEBUG(10,("load_inherited_info: ACL type 0x%x for file %s\n",
738                         (unsigned int)paiv->sd_type,
739                         fname));
740         }
741
742         SAFE_FREE(pai_buf);
743         return paiv;
744 }
745
746 /****************************************************************************
747  Functions to manipulate the internal ACE format.
748 ****************************************************************************/
749
750 /****************************************************************************
751  Count a linked list of canonical ACE entries.
752 ****************************************************************************/
753
754 static size_t count_canon_ace_list( canon_ace *l_head )
755 {
756         size_t count = 0;
757         canon_ace *ace;
758
759         for (ace = l_head; ace; ace = ace->next)
760                 count++;
761
762         return count;
763 }
764
765 /****************************************************************************
766  Free a linked list of canonical ACE entries.
767 ****************************************************************************/
768
769 static void free_canon_ace_list( canon_ace *l_head )
770 {
771         canon_ace *list, *next;
772
773         for (list = l_head; list; list = next) {
774                 next = list->next;
775                 DLIST_REMOVE(l_head, list);
776                 SAFE_FREE(list);
777         }
778 }
779
780 /****************************************************************************
781  Function to duplicate a canon_ace entry.
782 ****************************************************************************/
783
784 static canon_ace *dup_canon_ace( canon_ace *src_ace)
785 {
786         canon_ace *dst_ace = SMB_MALLOC_P(canon_ace);
787
788         if (dst_ace == NULL)
789                 return NULL;
790
791         *dst_ace = *src_ace;
792         dst_ace->prev = dst_ace->next = NULL;
793         return dst_ace;
794 }
795
796 /****************************************************************************
797  Print out a canon ace.
798 ****************************************************************************/
799
800 static void print_canon_ace(canon_ace *pace, int num)
801 {
802         dbgtext( "canon_ace index %d. Type = %s ", num, pace->attr == ALLOW_ACE ? "allow" : "deny" );
803         dbgtext( "SID = %s ", sid_string_dbg(&pace->trustee));
804         if (pace->owner_type == UID_ACE) {
805                 const char *u_name = uidtoname(pace->unix_ug.uid);
806                 dbgtext( "uid %u (%s) ", (unsigned int)pace->unix_ug.uid, u_name );
807         } else if (pace->owner_type == GID_ACE) {
808                 char *g_name = gidtoname(pace->unix_ug.gid);
809                 dbgtext( "gid %u (%s) ", (unsigned int)pace->unix_ug.gid, g_name );
810         } else
811                 dbgtext( "other ");
812         switch (pace->type) {
813                 case SMB_ACL_USER:
814                         dbgtext( "SMB_ACL_USER ");
815                         break;
816                 case SMB_ACL_USER_OBJ:
817                         dbgtext( "SMB_ACL_USER_OBJ ");
818                         break;
819                 case SMB_ACL_GROUP:
820                         dbgtext( "SMB_ACL_GROUP ");
821                         break;
822                 case SMB_ACL_GROUP_OBJ:
823                         dbgtext( "SMB_ACL_GROUP_OBJ ");
824                         break;
825                 case SMB_ACL_OTHER:
826                         dbgtext( "SMB_ACL_OTHER ");
827                         break;
828                 default:
829                         dbgtext( "MASK " );
830                         break;
831         }
832
833         dbgtext( "ace_flags = 0x%x ", (unsigned int)pace->ace_flags);
834         dbgtext( "perms ");
835         dbgtext( "%c", pace->perms & S_IRUSR ? 'r' : '-');
836         dbgtext( "%c", pace->perms & S_IWUSR ? 'w' : '-');
837         dbgtext( "%c\n", pace->perms & S_IXUSR ? 'x' : '-');
838 }
839
840 /****************************************************************************
841  Print out a canon ace list.
842 ****************************************************************************/
843
844 static void print_canon_ace_list(const char *name, canon_ace *ace_list)
845 {
846         int count = 0;
847
848         if( DEBUGLVL( 10 )) {
849                 dbgtext( "print_canon_ace_list: %s\n", name );
850                 for (;ace_list; ace_list = ace_list->next, count++)
851                         print_canon_ace(ace_list, count );
852         }
853 }
854
855 /****************************************************************************
856  Map POSIX ACL perms to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
857 ****************************************************************************/
858
859 static mode_t convert_permset_to_mode_t(connection_struct *conn, SMB_ACL_PERMSET_T permset)
860 {
861         mode_t ret = 0;
862
863         ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_READ) ? S_IRUSR : 0);
864         ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_WRITE) ? S_IWUSR : 0);
865         ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_EXECUTE) ? S_IXUSR : 0);
866
867         return ret;
868 }
869
870 /****************************************************************************
871  Map generic UNIX permissions to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
872 ****************************************************************************/
873
874 static mode_t unix_perms_to_acl_perms(mode_t mode, int r_mask, int w_mask, int x_mask)
875 {
876         mode_t ret = 0;
877
878         if (mode & r_mask)
879                 ret |= S_IRUSR;
880         if (mode & w_mask)
881                 ret |= S_IWUSR;
882         if (mode & x_mask)
883                 ret |= S_IXUSR;
884
885         return ret;
886 }
887
888 /****************************************************************************
889  Map canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits) to
890  an SMB_ACL_PERMSET_T.
891 ****************************************************************************/
892
893 static int map_acl_perms_to_permset(connection_struct *conn, mode_t mode, SMB_ACL_PERMSET_T *p_permset)
894 {
895         if (SMB_VFS_SYS_ACL_CLEAR_PERMS(conn, *p_permset) ==  -1)
896                 return -1;
897         if (mode & S_IRUSR) {
898                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_READ) == -1)
899                         return -1;
900         }
901         if (mode & S_IWUSR) {
902                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_WRITE) == -1)
903                         return -1;
904         }
905         if (mode & S_IXUSR) {
906                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_EXECUTE) == -1)
907                         return -1;
908         }
909         return 0;
910 }
911
912 /****************************************************************************
913  Function to create owner and group SIDs from a SMB_STRUCT_STAT.
914 ****************************************************************************/
915
916 void create_file_sids(const SMB_STRUCT_STAT *psbuf, struct dom_sid *powner_sid, struct dom_sid *pgroup_sid)
917 {
918         uid_to_sid( powner_sid, psbuf->st_ex_uid );
919         gid_to_sid( pgroup_sid, psbuf->st_ex_gid );
920 }
921
922 /****************************************************************************
923  Merge aces with a common sid - if both are allow or deny, OR the permissions together and
924  delete the second one. If the first is deny, mask the permissions off and delete the allow
925  if the permissions become zero, delete the deny if the permissions are non zero.
926 ****************************************************************************/
927
928 static void merge_aces( canon_ace **pp_list_head, bool dir_acl)
929 {
930         canon_ace *l_head = *pp_list_head;
931         canon_ace *curr_ace_outer;
932         canon_ace *curr_ace_outer_next;
933
934         /*
935          * First, merge allow entries with identical SIDs, and deny entries
936          * with identical SIDs.
937          */
938
939         for (curr_ace_outer = l_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
940                 canon_ace *curr_ace;
941                 canon_ace *curr_ace_next;
942
943                 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
944
945                 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
946                         bool can_merge = false;
947
948                         curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
949
950                         /* For file ACLs we can merge if the SIDs and ALLOW/DENY
951                          * types are the same. For directory acls we must also
952                          * ensure the POSIX ACL types are the same. */
953
954                         if (!dir_acl) {
955                                 can_merge = (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) &&
956                                                 (curr_ace->attr == curr_ace_outer->attr));
957                         } else {
958                                 can_merge = (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) &&
959                                                 (curr_ace->type == curr_ace_outer->type) &&
960                                                 (curr_ace->attr == curr_ace_outer->attr));
961                         }
962
963                         if (can_merge) {
964                                 if( DEBUGLVL( 10 )) {
965                                         dbgtext("merge_aces: Merging ACE's\n");
966                                         print_canon_ace( curr_ace_outer, 0);
967                                         print_canon_ace( curr_ace, 0);
968                                 }
969
970                                 /* Merge two allow or two deny ACE's. */
971
972                                 /* Theoretically we shouldn't merge a dir ACE if
973                                  * one ACE has the CI flag set, and the other
974                                  * ACE has the OI flag set, but this is rare
975                                  * enough we can ignore it. */
976
977                                 curr_ace_outer->perms |= curr_ace->perms;
978                                 curr_ace_outer->ace_flags |= curr_ace->ace_flags;
979                                 DLIST_REMOVE(l_head, curr_ace);
980                                 SAFE_FREE(curr_ace);
981                                 curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
982                         }
983                 }
984         }
985
986         /*
987          * Now go through and mask off allow permissions with deny permissions.
988          * We can delete either the allow or deny here as we know that each SID
989          * appears only once in the list.
990          */
991
992         for (curr_ace_outer = l_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
993                 canon_ace *curr_ace;
994                 canon_ace *curr_ace_next;
995
996                 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
997
998                 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
999
1000                         curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
1001
1002                         /*
1003                          * Subtract ACE's with different entries. Due to the ordering constraints
1004                          * we've put on the ACL, we know the deny must be the first one.
1005                          */
1006
1007                         if (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) &&
1008                                 (curr_ace_outer->attr == DENY_ACE) && (curr_ace->attr == ALLOW_ACE)) {
1009
1010                                 if( DEBUGLVL( 10 )) {
1011                                         dbgtext("merge_aces: Masking ACE's\n");
1012                                         print_canon_ace( curr_ace_outer, 0);
1013                                         print_canon_ace( curr_ace, 0);
1014                                 }
1015
1016                                 curr_ace->perms &= ~curr_ace_outer->perms;
1017
1018                                 if (curr_ace->perms == 0) {
1019
1020                                         /*
1021                                          * The deny overrides the allow. Remove the allow.
1022                                          */
1023
1024                                         DLIST_REMOVE(l_head, curr_ace);
1025                                         SAFE_FREE(curr_ace);
1026                                         curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
1027
1028                                 } else {
1029
1030                                         /*
1031                                          * Even after removing permissions, there
1032                                          * are still allow permissions - delete the deny.
1033                                          * It is safe to delete the deny here,
1034                                          * as we are guarenteed by the deny first
1035                                          * ordering that all the deny entries for
1036                                          * this SID have already been merged into one
1037                                          * before we can get to an allow ace.
1038                                          */
1039
1040                                         DLIST_REMOVE(l_head, curr_ace_outer);
1041                                         SAFE_FREE(curr_ace_outer);
1042                                         break;
1043                                 }
1044                         }
1045
1046                 } /* end for curr_ace */
1047         } /* end for curr_ace_outer */
1048
1049         /* We may have modified the list. */
1050
1051         *pp_list_head = l_head;
1052 }
1053
1054 /****************************************************************************
1055  Check if we need to return NT4.x compatible ACL entries.
1056 ****************************************************************************/
1057
1058 bool nt4_compatible_acls(void)
1059 {
1060         int compat = lp_acl_compatibility();
1061
1062         if (compat == ACL_COMPAT_AUTO) {
1063                 enum remote_arch_types ra_type = get_remote_arch();
1064
1065                 /* Automatically adapt to client */
1066                 return (ra_type <= RA_WINNT);
1067         } else
1068                 return (compat == ACL_COMPAT_WINNT);
1069 }
1070
1071
1072 /****************************************************************************
1073  Map canon_ace perms to permission bits NT.
1074  The attr element is not used here - we only process deny entries on set,
1075  not get. Deny entries are implicit on get with ace->perms = 0.
1076 ****************************************************************************/
1077
1078 uint32_t map_canon_ace_perms(int snum,
1079                                 enum security_ace_type *pacl_type,
1080                                 mode_t perms,
1081                                 bool directory_ace)
1082 {
1083         uint32_t nt_mask = 0;
1084
1085         *pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED;
1086
1087         if (lp_acl_map_full_control(snum) && ((perms & ALL_ACE_PERMS) == ALL_ACE_PERMS)) {
1088                 if (directory_ace) {
1089                         nt_mask = UNIX_DIRECTORY_ACCESS_RWX;
1090                 } else {
1091                         nt_mask = (UNIX_ACCESS_RWX & ~DELETE_ACCESS);
1092                 }
1093         } else if ((perms & ALL_ACE_PERMS) == (mode_t)0) {
1094                 /*
1095                  * Windows NT refuses to display ACEs with no permissions in them (but
1096                  * they are perfectly legal with Windows 2000). If the ACE has empty
1097                  * permissions we cannot use 0, so we use the otherwise unused
1098                  * WRITE_OWNER permission, which we ignore when we set an ACL.
1099                  * We abstract this into a #define of UNIX_ACCESS_NONE to allow this
1100                  * to be changed in the future.
1101                  */
1102
1103                 if (nt4_compatible_acls())
1104                         nt_mask = UNIX_ACCESS_NONE;
1105                 else
1106                         nt_mask = 0;
1107         } else {
1108                 if (directory_ace) {
1109                         nt_mask |= ((perms & S_IRUSR) ? UNIX_DIRECTORY_ACCESS_R : 0 );
1110                         nt_mask |= ((perms & S_IWUSR) ? UNIX_DIRECTORY_ACCESS_W : 0 );
1111                         nt_mask |= ((perms & S_IXUSR) ? UNIX_DIRECTORY_ACCESS_X : 0 );
1112                 } else {
1113                         nt_mask |= ((perms & S_IRUSR) ? UNIX_ACCESS_R : 0 );
1114                         nt_mask |= ((perms & S_IWUSR) ? UNIX_ACCESS_W : 0 );
1115                         nt_mask |= ((perms & S_IXUSR) ? UNIX_ACCESS_X : 0 );
1116                 }
1117         }
1118
1119         if ((perms & S_IWUSR) && lp_dos_filemode(snum)) {
1120                 nt_mask |= (SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|DELETE_ACCESS);
1121         }
1122
1123         DEBUG(10,("map_canon_ace_perms: Mapped (UNIX) %x to (NT) %x\n",
1124                         (unsigned int)perms, (unsigned int)nt_mask ));
1125
1126         return nt_mask;
1127 }
1128
1129 /****************************************************************************
1130  Map NT perms to a UNIX mode_t.
1131 ****************************************************************************/
1132
1133 #define FILE_SPECIFIC_READ_BITS (FILE_READ_DATA|FILE_READ_EA|FILE_READ_ATTRIBUTES)
1134 #define FILE_SPECIFIC_WRITE_BITS (FILE_WRITE_DATA|FILE_APPEND_DATA|FILE_WRITE_EA|FILE_WRITE_ATTRIBUTES)
1135 #define FILE_SPECIFIC_EXECUTE_BITS (FILE_EXECUTE)
1136
1137 static mode_t map_nt_perms( uint32 *mask, int type)
1138 {
1139         mode_t mode = 0;
1140
1141         switch(type) {
1142         case S_IRUSR:
1143                 if((*mask) & GENERIC_ALL_ACCESS)
1144                         mode = S_IRUSR|S_IWUSR|S_IXUSR;
1145                 else {
1146                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRUSR : 0;
1147                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWUSR : 0;
1148                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXUSR : 0;
1149                 }
1150                 break;
1151         case S_IRGRP:
1152                 if((*mask) & GENERIC_ALL_ACCESS)
1153                         mode = S_IRGRP|S_IWGRP|S_IXGRP;
1154                 else {
1155                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRGRP : 0;
1156                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWGRP : 0;
1157                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXGRP : 0;
1158                 }
1159                 break;
1160         case S_IROTH:
1161                 if((*mask) & GENERIC_ALL_ACCESS)
1162                         mode = S_IROTH|S_IWOTH|S_IXOTH;
1163                 else {
1164                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IROTH : 0;
1165                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWOTH : 0;
1166                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXOTH : 0;
1167                 }
1168                 break;
1169         }
1170
1171         return mode;
1172 }
1173
1174 /****************************************************************************
1175  Unpack a struct security_descriptor into a UNIX owner and group.
1176 ****************************************************************************/
1177
1178 NTSTATUS unpack_nt_owners(struct connection_struct *conn,
1179                         uid_t *puser, gid_t *pgrp,
1180                         uint32 security_info_sent, const struct
1181                         security_descriptor *psd)
1182 {
1183         struct dom_sid owner_sid;
1184         struct dom_sid grp_sid;
1185
1186         *puser = (uid_t)-1;
1187         *pgrp = (gid_t)-1;
1188
1189         if(security_info_sent == 0) {
1190                 DEBUG(0,("unpack_nt_owners: no security info sent !\n"));
1191                 return NT_STATUS_OK;
1192         }
1193
1194         /*
1195          * Validate the owner and group SID's.
1196          */
1197
1198         memset(&owner_sid, '\0', sizeof(owner_sid));
1199         memset(&grp_sid, '\0', sizeof(grp_sid));
1200
1201         DEBUG(5,("unpack_nt_owners: validating owner_sids.\n"));
1202
1203         /*
1204          * Don't immediately fail if the owner sid cannot be validated.
1205          * This may be a group chown only set.
1206          */
1207
1208         if (security_info_sent & SECINFO_OWNER) {
1209                 sid_copy(&owner_sid, psd->owner_sid);
1210                 if (!sid_to_uid(&owner_sid, puser)) {
1211                         if (lp_force_unknown_acl_user(SNUM(conn))) {
1212                                 /* this allows take ownership to work
1213                                  * reasonably */
1214                                 *puser = get_current_uid(conn);
1215                         } else {
1216                                 DEBUG(3,("unpack_nt_owners: unable to validate"
1217                                          " owner sid for %s\n",
1218                                          sid_string_dbg(&owner_sid)));
1219                                 return NT_STATUS_INVALID_OWNER;
1220                         }
1221                 }
1222                 DEBUG(3,("unpack_nt_owners: owner sid mapped to uid %u\n",
1223                          (unsigned int)*puser ));
1224         }
1225
1226         /*
1227          * Don't immediately fail if the group sid cannot be validated.
1228          * This may be an owner chown only set.
1229          */
1230
1231         if (security_info_sent & SECINFO_GROUP) {
1232                 sid_copy(&grp_sid, psd->group_sid);
1233                 if (!sid_to_gid( &grp_sid, pgrp)) {
1234                         if (lp_force_unknown_acl_user(SNUM(conn))) {
1235                                 /* this allows take group ownership to work
1236                                  * reasonably */
1237                                 *pgrp = get_current_gid(conn);
1238                         } else {
1239                                 DEBUG(3,("unpack_nt_owners: unable to validate"
1240                                          " group sid.\n"));
1241                                 return NT_STATUS_INVALID_OWNER;
1242                         }
1243                 }
1244                 DEBUG(3,("unpack_nt_owners: group sid mapped to gid %u\n",
1245                          (unsigned int)*pgrp));
1246         }
1247
1248         DEBUG(5,("unpack_nt_owners: owner_sids validated.\n"));
1249
1250         return NT_STATUS_OK;
1251 }
1252
1253 /****************************************************************************
1254  Ensure the enforced permissions for this share apply.
1255 ****************************************************************************/
1256
1257 static void apply_default_perms(const struct share_params *params,
1258                                 const bool is_directory, canon_ace *pace,
1259                                 mode_t type)
1260 {
1261         mode_t and_bits = (mode_t)0;
1262         mode_t or_bits = (mode_t)0;
1263
1264         /* Get the initial bits to apply. */
1265
1266         if (is_directory) {
1267                 and_bits = lp_dir_security_mask(params->service);
1268                 or_bits = lp_force_dir_security_mode(params->service);
1269         } else {
1270                 and_bits = lp_security_mask(params->service);
1271                 or_bits = lp_force_security_mode(params->service);
1272         }
1273
1274         /* Now bounce them into the S_USR space. */     
1275         switch(type) {
1276         case S_IRUSR:
1277                 /* Ensure owner has read access. */
1278                 pace->perms |= S_IRUSR;
1279                 if (is_directory)
1280                         pace->perms |= (S_IWUSR|S_IXUSR);
1281                 and_bits = unix_perms_to_acl_perms(and_bits, S_IRUSR, S_IWUSR, S_IXUSR);
1282                 or_bits = unix_perms_to_acl_perms(or_bits, S_IRUSR, S_IWUSR, S_IXUSR);
1283                 break;
1284         case S_IRGRP:
1285                 and_bits = unix_perms_to_acl_perms(and_bits, S_IRGRP, S_IWGRP, S_IXGRP);
1286                 or_bits = unix_perms_to_acl_perms(or_bits, S_IRGRP, S_IWGRP, S_IXGRP);
1287                 break;
1288         case S_IROTH:
1289                 and_bits = unix_perms_to_acl_perms(and_bits, S_IROTH, S_IWOTH, S_IXOTH);
1290                 or_bits = unix_perms_to_acl_perms(or_bits, S_IROTH, S_IWOTH, S_IXOTH);
1291                 break;
1292         }
1293
1294         pace->perms = ((pace->perms & and_bits)|or_bits);
1295 }
1296
1297 /****************************************************************************
1298  Check if a given uid/SID is in a group gid/SID. This is probably very
1299  expensive and will need optimisation. A *lot* of optimisation :-). JRA.
1300 ****************************************************************************/
1301
1302 static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, canon_ace *group_ace )
1303 {
1304         const char *u_name = NULL;
1305
1306         /* "Everyone" always matches every uid. */
1307
1308         if (dom_sid_equal(&group_ace->trustee, &global_sid_World))
1309                 return True;
1310
1311         /*
1312          * if it's the current user, we already have the unix token
1313          * and don't need to do the complex user_in_group_sid() call
1314          */
1315         if (uid_ace->unix_ug.uid == get_current_uid(conn)) {
1316                 const struct security_unix_token *curr_utok = NULL;
1317                 size_t i;
1318
1319                 if (group_ace->unix_ug.gid == get_current_gid(conn)) {
1320                         return True;
1321                 }
1322
1323                 curr_utok = get_current_utok(conn);
1324                 for (i=0; i < curr_utok->ngroups; i++) {
1325                         if (group_ace->unix_ug.gid == curr_utok->groups[i]) {
1326                                 return True;
1327                         }
1328                 }
1329         }
1330
1331         /* u_name talloc'ed off tos. */
1332         u_name = uidtoname(uid_ace->unix_ug.uid);
1333         if (!u_name) {
1334                 return False;
1335         }
1336
1337         /*
1338          * user_in_group_sid() uses create_token_from_username()
1339          * which creates an artificial NT token given just a username,
1340          * so this is not reliable for users from foreign domains
1341          * exported by winbindd!
1342          */
1343         return user_in_group_sid(u_name, &group_ace->trustee);
1344 }
1345
1346 /****************************************************************************
1347  A well formed POSIX file or default ACL has at least 3 entries, a 
1348  SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ.
1349  In addition, the owner must always have at least read access.
1350  When using this call on get_acl, the pst struct is valid and contains
1351  the mode of the file. When using this call on set_acl, the pst struct has
1352  been modified to have a mode containing the default for this file or directory
1353  type.
1354 ****************************************************************************/
1355
1356 static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace,
1357                                      const struct share_params *params,
1358                                      const bool is_directory,
1359                                                         const struct dom_sid *pfile_owner_sid,
1360                                                         const struct dom_sid *pfile_grp_sid,
1361                                                         const SMB_STRUCT_STAT *pst,
1362                                                         bool setting_acl)
1363 {
1364         canon_ace *pace;
1365         bool got_user = False;
1366         bool got_grp = False;
1367         bool got_other = False;
1368         canon_ace *pace_other = NULL;
1369
1370         for (pace = *pp_ace; pace; pace = pace->next) {
1371                 if (pace->type == SMB_ACL_USER_OBJ) {
1372
1373                         if (setting_acl)
1374                                 apply_default_perms(params, is_directory, pace, S_IRUSR);
1375                         got_user = True;
1376
1377                 } else if (pace->type == SMB_ACL_GROUP_OBJ) {
1378
1379                         /*
1380                          * Ensure create mask/force create mode is respected on set.
1381                          */
1382
1383                         if (setting_acl)
1384                                 apply_default_perms(params, is_directory, pace, S_IRGRP);
1385                         got_grp = True;
1386
1387                 } else if (pace->type == SMB_ACL_OTHER) {
1388
1389                         /*
1390                          * Ensure create mask/force create mode is respected on set.
1391                          */
1392
1393                         if (setting_acl)
1394                                 apply_default_perms(params, is_directory, pace, S_IROTH);
1395                         got_other = True;
1396                         pace_other = pace;
1397                 }
1398         }
1399
1400         if (!got_user) {
1401                 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1402                         DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1403                         return False;
1404                 }
1405
1406                 ZERO_STRUCTP(pace);
1407                 pace->type = SMB_ACL_USER_OBJ;
1408                 pace->owner_type = UID_ACE;
1409                 pace->unix_ug.uid = pst->st_ex_uid;
1410                 pace->trustee = *pfile_owner_sid;
1411                 pace->attr = ALLOW_ACE;
1412
1413                 if (setting_acl) {
1414                         /* See if the owning user is in any of the other groups in
1415                            the ACE. If so, OR in the permissions from that group. */
1416
1417                         bool group_matched = False;
1418                         canon_ace *pace_iter;
1419
1420                         for (pace_iter = *pp_ace; pace_iter; pace_iter = pace_iter->next) {
1421                                 if (pace_iter->type == SMB_ACL_GROUP_OBJ || pace_iter->type == SMB_ACL_GROUP) {
1422                                         if (uid_entry_in_group(conn, pace, pace_iter)) {
1423                                                 pace->perms |= pace_iter->perms;
1424                                                 group_matched = True;
1425                                         }
1426                                 }
1427                         }
1428
1429                         /* If we only got an "everyone" perm, just use that. */
1430                         if (!group_matched) {
1431                                 if (got_other)
1432                                         pace->perms = pace_other->perms;
1433                                 else
1434                                         pace->perms = 0;
1435                         }
1436
1437                         apply_default_perms(params, is_directory, pace, S_IRUSR);
1438                 } else {
1439                         pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRUSR, S_IWUSR, S_IXUSR);
1440                 }
1441
1442                 DLIST_ADD(*pp_ace, pace);
1443         }
1444
1445         if (!got_grp) {
1446                 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1447                         DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1448                         return False;
1449                 }
1450
1451                 ZERO_STRUCTP(pace);
1452                 pace->type = SMB_ACL_GROUP_OBJ;
1453                 pace->owner_type = GID_ACE;
1454                 pace->unix_ug.uid = pst->st_ex_gid;
1455                 pace->trustee = *pfile_grp_sid;
1456                 pace->attr = ALLOW_ACE;
1457                 if (setting_acl) {
1458                         /* If we only got an "everyone" perm, just use that. */
1459                         if (got_other)
1460                                 pace->perms = pace_other->perms;
1461                         else
1462                                 pace->perms = 0;
1463                         apply_default_perms(params, is_directory, pace, S_IRGRP);
1464                 } else {
1465                         pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRGRP, S_IWGRP, S_IXGRP);
1466                 }
1467
1468                 DLIST_ADD(*pp_ace, pace);
1469         }
1470
1471         if (!got_other) {
1472                 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1473                         DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1474                         return False;
1475                 }
1476
1477                 ZERO_STRUCTP(pace);
1478                 pace->type = SMB_ACL_OTHER;
1479                 pace->owner_type = WORLD_ACE;
1480                 pace->unix_ug.world = -1;
1481                 pace->trustee = global_sid_World;
1482                 pace->attr = ALLOW_ACE;
1483                 if (setting_acl) {
1484                         pace->perms = 0;
1485                         apply_default_perms(params, is_directory, pace, S_IROTH);
1486                 } else
1487                         pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IROTH, S_IWOTH, S_IXOTH);
1488
1489                 DLIST_ADD(*pp_ace, pace);
1490         }
1491
1492         return True;
1493 }
1494
1495 /****************************************************************************
1496  Check if a POSIX ACL has the required SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries.
1497  If it does not have them, check if there are any entries where the trustee is the
1498  file owner or the owning group, and map these to SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ.
1499 ****************************************************************************/
1500
1501 static void check_owning_objs(canon_ace *ace, struct dom_sid *pfile_owner_sid, struct dom_sid *pfile_grp_sid)
1502 {
1503         bool got_user_obj, got_group_obj;
1504         canon_ace *current_ace;
1505         int i, entries;
1506
1507         entries = count_canon_ace_list(ace);
1508         got_user_obj = False;
1509         got_group_obj = False;
1510
1511         for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1512                 if (current_ace->type == SMB_ACL_USER_OBJ)
1513                         got_user_obj = True;
1514                 else if (current_ace->type == SMB_ACL_GROUP_OBJ)
1515                         got_group_obj = True;
1516         }
1517         if (got_user_obj && got_group_obj) {
1518                 DEBUG(10,("check_owning_objs: ACL had owning user/group entries.\n"));
1519                 return;
1520         }
1521
1522         for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1523                 if (!got_user_obj && current_ace->owner_type == UID_ACE &&
1524                                 dom_sid_equal(&current_ace->trustee, pfile_owner_sid)) {
1525                         current_ace->type = SMB_ACL_USER_OBJ;
1526                         got_user_obj = True;
1527                 }
1528                 if (!got_group_obj && current_ace->owner_type == GID_ACE &&
1529                                 dom_sid_equal(&current_ace->trustee, pfile_grp_sid)) {
1530                         current_ace->type = SMB_ACL_GROUP_OBJ;
1531                         got_group_obj = True;
1532                 }
1533         }
1534         if (!got_user_obj)
1535                 DEBUG(10,("check_owning_objs: ACL is missing an owner entry.\n"));
1536         if (!got_group_obj)
1537                 DEBUG(10,("check_owning_objs: ACL is missing an owning group entry.\n"));
1538 }
1539
1540 /****************************************************************************
1541  If an ACE entry is SMB_ACL_USER_OBJ and not CREATOR_OWNER, map to SMB_ACL_USER.
1542  If an ACE entry is SMB_ACL_GROUP_OBJ and not CREATOR_GROUP, map to SMB_ACL_GROUP
1543 ****************************************************************************/
1544
1545 static bool dup_owning_ace(canon_ace *dir_ace, canon_ace *ace)
1546 {
1547         /* dir ace must be followings.
1548            SMB_ACL_USER_OBJ : trustee(CREATOR_OWNER) -> Posix ACL d:u::perm
1549            SMB_ACL_USER     : not trustee    -> Posix ACL u:user:perm
1550            SMB_ACL_USER_OBJ : trustee -> convert to SMB_ACL_USER : trustee
1551            Posix ACL u:trustee:perm
1552
1553            SMB_ACL_GROUP_OBJ: trustee(CREATOR_GROUP) -> Posix ACL d:g::perm
1554            SMB_ACL_GROUP    : not trustee   -> Posix ACL g:group:perm
1555            SMB_ACL_GROUP_OBJ: trustee -> convert to SMB_ACL_GROUP : trustee
1556            Posix ACL g:trustee:perm
1557         */
1558
1559         if (ace->type == SMB_ACL_USER_OBJ &&
1560                         !(dom_sid_equal(&ace->trustee, &global_sid_Creator_Owner))) {
1561                 canon_ace *dup_ace = dup_canon_ace(ace);
1562
1563                 if (dup_ace == NULL) {
1564                         return false;
1565                 }
1566                 dup_ace->type = SMB_ACL_USER;
1567                 DLIST_ADD_END(dir_ace, dup_ace, canon_ace *);
1568         }
1569
1570         if (ace->type == SMB_ACL_GROUP_OBJ &&
1571                         !(dom_sid_equal(&ace->trustee, &global_sid_Creator_Group))) {
1572                 canon_ace *dup_ace = dup_canon_ace(ace);
1573
1574                 if (dup_ace == NULL) {
1575                         return false;
1576                 }
1577                 dup_ace->type = SMB_ACL_GROUP;
1578                 DLIST_ADD_END(dir_ace, dup_ace, canon_ace *);
1579         }
1580
1581         return true;
1582 }
1583
1584 /****************************************************************************
1585  Unpack a struct security_descriptor into two canonical ace lists.
1586 ****************************************************************************/
1587
1588 static bool create_canon_ace_lists(files_struct *fsp,
1589                                         const SMB_STRUCT_STAT *pst,
1590                                         struct dom_sid *pfile_owner_sid,
1591                                         struct dom_sid *pfile_grp_sid,
1592                                         canon_ace **ppfile_ace,
1593                                         canon_ace **ppdir_ace,
1594                                         const struct security_acl *dacl)
1595 {
1596         bool all_aces_are_inherit_only = (fsp->is_directory ? True : False);
1597         canon_ace *file_ace = NULL;
1598         canon_ace *dir_ace = NULL;
1599         canon_ace *current_ace = NULL;
1600         bool got_dir_allow = False;
1601         bool got_file_allow = False;
1602         int i, j;
1603
1604         *ppfile_ace = NULL;
1605         *ppdir_ace = NULL;
1606
1607         /*
1608          * Convert the incoming ACL into a more regular form.
1609          */
1610
1611         for(i = 0; i < dacl->num_aces; i++) {
1612                 struct security_ace *psa = &dacl->aces[i];
1613
1614                 if((psa->type != SEC_ACE_TYPE_ACCESS_ALLOWED) && (psa->type != SEC_ACE_TYPE_ACCESS_DENIED)) {
1615                         DEBUG(3,("create_canon_ace_lists: unable to set anything but an ALLOW or DENY ACE.\n"));
1616                         return False;
1617                 }
1618
1619                 if (nt4_compatible_acls()) {
1620                         /*
1621                          * The security mask may be UNIX_ACCESS_NONE which should map into
1622                          * no permissions (we overload the WRITE_OWNER bit for this) or it
1623                          * should be one of the ALL/EXECUTE/READ/WRITE bits. Arrange for this
1624                          * to be so. Any other bits override the UNIX_ACCESS_NONE bit.
1625                          */
1626
1627                         /*
1628                          * Convert GENERIC bits to specific bits.
1629                          */
1630  
1631                         se_map_generic(&psa->access_mask, &file_generic_mapping);
1632
1633                         psa->access_mask &= (UNIX_ACCESS_NONE|FILE_ALL_ACCESS);
1634
1635                         if(psa->access_mask != UNIX_ACCESS_NONE)
1636                                 psa->access_mask &= ~UNIX_ACCESS_NONE;
1637                 }
1638         }
1639
1640         /*
1641          * Deal with the fact that NT 4.x re-writes the canonical format
1642          * that we return for default ACLs. If a directory ACE is identical
1643          * to a inherited directory ACE then NT changes the bits so that the
1644          * first ACE is set to OI|IO and the second ACE for this SID is set
1645          * to CI. We need to repair this. JRA.
1646          */
1647
1648         for(i = 0; i < dacl->num_aces; i++) {
1649                 struct security_ace *psa1 = &dacl->aces[i];
1650
1651                 for (j = i + 1; j < dacl->num_aces; j++) {
1652                         struct security_ace *psa2 = &dacl->aces[j];
1653
1654                         if (psa1->access_mask != psa2->access_mask)
1655                                 continue;
1656
1657                         if (!dom_sid_equal(&psa1->trustee, &psa2->trustee))
1658                                 continue;
1659
1660                         /*
1661                          * Ok - permission bits and SIDs are equal.
1662                          * Check if flags were re-written.
1663                          */
1664
1665                         if (psa1->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1666
1667                                 psa1->flags |= (psa2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1668                                 psa2->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1669
1670                         } else if (psa2->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1671
1672                                 psa2->flags |= (psa1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1673                                 psa1->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1674
1675                         }
1676                 }
1677         }
1678
1679         for(i = 0; i < dacl->num_aces; i++) {
1680                 struct security_ace *psa = &dacl->aces[i];
1681
1682                 /*
1683                  * Create a canon_ace entry representing this NT DACL ACE.
1684                  */
1685
1686                 if ((current_ace = SMB_MALLOC_P(canon_ace)) == NULL) {
1687                         free_canon_ace_list(file_ace);
1688                         free_canon_ace_list(dir_ace);
1689                         DEBUG(0,("create_canon_ace_lists: malloc fail.\n"));
1690                         return False;
1691                 }
1692
1693                 ZERO_STRUCTP(current_ace);
1694
1695                 sid_copy(&current_ace->trustee, &psa->trustee);
1696
1697                 /*
1698                  * Try and work out if the SID is a user or group
1699                  * as we need to flag these differently for POSIX.
1700                  * Note what kind of a POSIX ACL this should map to.
1701                  */
1702
1703                 if( dom_sid_equal(&current_ace->trustee, &global_sid_World)) {
1704                         current_ace->owner_type = WORLD_ACE;
1705                         current_ace->unix_ug.world = -1;
1706                         current_ace->type = SMB_ACL_OTHER;
1707                 } else if (dom_sid_equal(&current_ace->trustee, &global_sid_Creator_Owner)) {
1708                         current_ace->owner_type = UID_ACE;
1709                         current_ace->unix_ug.uid = pst->st_ex_uid;
1710                         current_ace->type = SMB_ACL_USER_OBJ;
1711
1712                         /*
1713                          * The Creator Owner entry only specifies inheritable permissions,
1714                          * never access permissions. WinNT doesn't always set the ACE to
1715                          * INHERIT_ONLY, though.
1716                          */
1717
1718                         psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1719
1720                 } else if (dom_sid_equal(&current_ace->trustee, &global_sid_Creator_Group)) {
1721                         current_ace->owner_type = GID_ACE;
1722                         current_ace->unix_ug.gid = pst->st_ex_gid;
1723                         current_ace->type = SMB_ACL_GROUP_OBJ;
1724
1725                         /*
1726                          * The Creator Group entry only specifies inheritable permissions,
1727                          * never access permissions. WinNT doesn't always set the ACE to
1728                          * INHERIT_ONLY, though.
1729                          */
1730                         psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1731
1732                 } else if (sid_to_uid( &current_ace->trustee, &current_ace->unix_ug.uid)) {
1733                         current_ace->owner_type = UID_ACE;
1734                         /* If it's the owning user, this is a user_obj, not
1735                          * a user. */
1736                         if (current_ace->unix_ug.uid == pst->st_ex_uid) {
1737                                 current_ace->type = SMB_ACL_USER_OBJ;
1738                         } else {
1739                                 current_ace->type = SMB_ACL_USER;
1740                         }
1741                 } else if (sid_to_gid( &current_ace->trustee, &current_ace->unix_ug.gid)) {
1742                         current_ace->owner_type = GID_ACE;
1743                         /* If it's the primary group, this is a group_obj, not
1744                          * a group. */
1745                         if (current_ace->unix_ug.gid == pst->st_ex_gid) {
1746                                 current_ace->type = SMB_ACL_GROUP_OBJ;
1747                         } else {
1748                                 current_ace->type = SMB_ACL_GROUP;
1749                         }
1750                 } else {
1751                         /*
1752                          * Silently ignore map failures in non-mappable SIDs (NT Authority, BUILTIN etc).
1753                          */
1754
1755                         if (non_mappable_sid(&psa->trustee)) {
1756                                 DEBUG(10, ("create_canon_ace_lists: ignoring "
1757                                            "non-mappable SID %s\n",
1758                                            sid_string_dbg(&psa->trustee)));
1759                                 SAFE_FREE(current_ace);
1760                                 continue;
1761                         }
1762
1763                         if (lp_force_unknown_acl_user(SNUM(fsp->conn))) {
1764                                 DEBUG(10, ("create_canon_ace_lists: ignoring "
1765                                         "unknown or foreign SID %s\n",
1766                                         sid_string_dbg(&psa->trustee)));
1767                                 SAFE_FREE(current_ace);
1768                                 continue;
1769                         }
1770
1771                         free_canon_ace_list(file_ace);
1772                         free_canon_ace_list(dir_ace);
1773                         DEBUG(0, ("create_canon_ace_lists: unable to map SID "
1774                                   "%s to uid or gid.\n",
1775                                   sid_string_dbg(&current_ace->trustee)));
1776                         SAFE_FREE(current_ace);
1777                         return False;
1778                 }
1779
1780                 /*
1781                  * Map the given NT permissions into a UNIX mode_t containing only
1782                  * S_I(R|W|X)USR bits.
1783                  */
1784
1785                 current_ace->perms |= map_nt_perms( &psa->access_mask, S_IRUSR);
1786                 current_ace->attr = (psa->type == SEC_ACE_TYPE_ACCESS_ALLOWED) ? ALLOW_ACE : DENY_ACE;
1787
1788                 /* Store the ace_flag. */
1789                 current_ace->ace_flags = psa->flags;
1790
1791                 /*
1792                  * Now add the created ace to either the file list, the directory
1793                  * list, or both. We *MUST* preserve the order here (hence we use
1794                  * DLIST_ADD_END) as NT ACLs are order dependent.
1795                  */
1796
1797                 if (fsp->is_directory) {
1798
1799                         /*
1800                          * We can only add to the default POSIX ACE list if the ACE is
1801                          * designed to be inherited by both files and directories.
1802                          */
1803
1804                         if ((psa->flags & (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) ==
1805                                 (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) {
1806
1807                                 DLIST_ADD_END(dir_ace, current_ace, canon_ace *);
1808
1809                                 /*
1810                                  * Note if this was an allow ace. We can't process
1811                                  * any further deny ace's after this.
1812                                  */
1813
1814                                 if (current_ace->attr == ALLOW_ACE)
1815                                         got_dir_allow = True;
1816
1817                                 if ((current_ace->attr == DENY_ACE) && got_dir_allow) {
1818                                         DEBUG(0,("create_canon_ace_lists: "
1819                                                  "malformed ACL in "
1820                                                  "inheritable ACL! Deny entry "
1821                                                  "after Allow entry. Failing "
1822                                                  "to set on file %s.\n",
1823                                                  fsp_str_dbg(fsp)));
1824                                         free_canon_ace_list(file_ace);
1825                                         free_canon_ace_list(dir_ace);
1826                                         return False;
1827                                 }       
1828
1829                                 if( DEBUGLVL( 10 )) {
1830                                         dbgtext("create_canon_ace_lists: adding dir ACL:\n");
1831                                         print_canon_ace( current_ace, 0);
1832                                 }
1833
1834                                 /*
1835                                  * We have a lossy mapping: directory ACE entries
1836                                  * CREATOR_OWNER ------\
1837                                  *     (map to)         +---> SMB_ACL_USER_OBJ
1838                                  * owning sid    ------/
1839                                  *
1840                                  * CREATOR_GROUP ------\
1841                                  *     (map to)         +---> SMB_ACL_GROUP_OBJ
1842                                  * primary group sid --/
1843                                  *
1844                                  * on set. And on read of a directory ACL
1845                                  *
1846                                  * SMB_ACL_USER_OBJ ----> CREATOR_OWNER
1847                                  * SMB_ACL_GROUP_OBJ ---> CREATOR_GROUP.
1848                                  *
1849                                  * Deal with this on set by duplicating
1850                                  * owning sid and primary group sid ACE
1851                                  * entries into the directory ACL.
1852                                  * Fix from Tsukasa Hamano <hamano@osstech.co.jp>.
1853                                  */
1854
1855                                 if (!dup_owning_ace(dir_ace, current_ace)) {
1856                                         DEBUG(0,("create_canon_ace_lists: malloc fail !\n"));
1857                                         free_canon_ace_list(file_ace);
1858                                         free_canon_ace_list(dir_ace);
1859                                         return false;
1860                                 }
1861
1862                                 /*
1863                                  * If this is not an inherit only ACE we need to add a duplicate
1864                                  * to the file acl.
1865                                  */
1866
1867                                 if (!(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1868                                         canon_ace *dup_ace = dup_canon_ace(current_ace);
1869
1870                                         if (!dup_ace) {
1871                                                 DEBUG(0,("create_canon_ace_lists: malloc fail !\n"));
1872                                                 free_canon_ace_list(file_ace);
1873                                                 free_canon_ace_list(dir_ace);
1874                                                 return False;
1875                                         }
1876
1877                                         /*
1878                                          * We must not free current_ace here as its
1879                                          * pointer is now owned by the dir_ace list.
1880                                          */
1881                                         current_ace = dup_ace;
1882                                         /* We've essentially split this ace into two,
1883                                          * and added the ace with inheritance request
1884                                          * bits to the directory ACL. Drop those bits for
1885                                          * the ACE we're adding to the file list. */
1886                                         current_ace->ace_flags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT|
1887                                                                 SEC_ACE_FLAG_CONTAINER_INHERIT|
1888                                                                 SEC_ACE_FLAG_INHERIT_ONLY);
1889                                 } else {
1890                                         /*
1891                                          * We must not free current_ace here as its
1892                                          * pointer is now owned by the dir_ace list.
1893                                          */
1894                                         current_ace = NULL;
1895                                 }
1896                         }
1897                 }
1898
1899                 /*
1900                  * Only add to the file ACL if not inherit only.
1901                  */
1902
1903                 if (current_ace && !(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1904                         DLIST_ADD_END(file_ace, current_ace, canon_ace *);
1905
1906                         /*
1907                          * Note if this was an allow ace. We can't process
1908                          * any further deny ace's after this.
1909                          */
1910
1911                         if (current_ace->attr == ALLOW_ACE)
1912                                 got_file_allow = True;
1913
1914                         if ((current_ace->attr == DENY_ACE) && got_file_allow) {
1915                                 DEBUG(0,("create_canon_ace_lists: malformed "
1916                                          "ACL in file ACL ! Deny entry after "
1917                                          "Allow entry. Failing to set on file "
1918                                          "%s.\n", fsp_str_dbg(fsp)));
1919                                 free_canon_ace_list(file_ace);
1920                                 free_canon_ace_list(dir_ace);
1921                                 return False;
1922                         }       
1923
1924                         if( DEBUGLVL( 10 )) {
1925                                 dbgtext("create_canon_ace_lists: adding file ACL:\n");
1926                                 print_canon_ace( current_ace, 0);
1927                         }
1928                         all_aces_are_inherit_only = False;
1929                         /*
1930                          * We must not free current_ace here as its
1931                          * pointer is now owned by the file_ace list.
1932                          */
1933                         current_ace = NULL;
1934                 }
1935
1936                 /*
1937                  * Free if ACE was not added.
1938                  */
1939
1940                 SAFE_FREE(current_ace);
1941         }
1942
1943         if (fsp->is_directory && all_aces_are_inherit_only) {
1944                 /*
1945                  * Windows 2000 is doing one of these weird 'inherit acl'
1946                  * traverses to conserve NTFS ACL resources. Just pretend
1947                  * there was no DACL sent. JRA.
1948                  */
1949
1950                 DEBUG(10,("create_canon_ace_lists: Win2k inherit acl traverse. Ignoring DACL.\n"));
1951                 free_canon_ace_list(file_ace);
1952                 free_canon_ace_list(dir_ace);
1953                 file_ace = NULL;
1954                 dir_ace = NULL;
1955         } else {
1956                 /*
1957                  * Check if we have SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries in each
1958                  * ACL. If we don't have them, check if any SMB_ACL_USER/SMB_ACL_GROUP
1959                  * entries can be converted to *_OBJ. Usually we will already have these
1960                  * entries in the Default ACL, and the Access ACL will not have them.
1961                  */
1962                 if (file_ace) {
1963                         check_owning_objs(file_ace, pfile_owner_sid, pfile_grp_sid);
1964                 }
1965                 if (dir_ace) {
1966                         check_owning_objs(dir_ace, pfile_owner_sid, pfile_grp_sid);
1967                 }
1968         }
1969
1970         *ppfile_ace = file_ace;
1971         *ppdir_ace = dir_ace;
1972
1973         return True;
1974 }
1975
1976 /****************************************************************************
1977  ASCII art time again... JRA :-).
1978
1979  We have 4 cases to process when moving from an NT ACL to a POSIX ACL. Firstly,
1980  we insist the ACL is in canonical form (ie. all DENY entries preceede ALLOW
1981  entries). Secondly, the merge code has ensured that all duplicate SID entries for
1982  allow or deny have been merged, so the same SID can only appear once in the deny
1983  list or once in the allow list.
1984
1985  We then process as follows :
1986
1987  ---------------------------------------------------------------------------
1988  First pass - look for a Everyone DENY entry.
1989
1990  If it is deny all (rwx) trunate the list at this point.
1991  Else, walk the list from this point and use the deny permissions of this
1992  entry as a mask on all following allow entries. Finally, delete
1993  the Everyone DENY entry (we have applied it to everything possible).
1994
1995  In addition, in this pass we remove any DENY entries that have 
1996  no permissions (ie. they are a DENY nothing).
1997  ---------------------------------------------------------------------------
1998  Second pass - only deal with deny user entries.
1999
2000  DENY user1 (perms XXX)
2001
2002  new_perms = 0
2003  for all following allow group entries where user1 is in group
2004         new_perms |= group_perms;
2005
2006  user1 entry perms = new_perms & ~ XXX;
2007
2008  Convert the deny entry to an allow entry with the new perms and
2009  push to the end of the list. Note if the user was in no groups
2010  this maps to a specific allow nothing entry for this user.
2011
2012  The common case from the NT ACL choser (userX deny all) is
2013  optimised so we don't do the group lookup - we just map to
2014  an allow nothing entry.
2015
2016  What we're doing here is inferring the allow permissions the
2017  person setting the ACE on user1 wanted by looking at the allow
2018  permissions on the groups the user is currently in. This will
2019  be a snapshot, depending on group membership but is the best
2020  we can do and has the advantage of failing closed rather than
2021  open.
2022  ---------------------------------------------------------------------------
2023  Third pass - only deal with deny group entries.
2024
2025  DENY group1 (perms XXX)
2026
2027  for all following allow user entries where user is in group1
2028    user entry perms = user entry perms & ~ XXX;
2029
2030  If there is a group Everyone allow entry with permissions YYY,
2031  convert the group1 entry to an allow entry and modify its
2032  permissions to be :
2033
2034  new_perms = YYY & ~ XXX
2035
2036  and push to the end of the list.
2037
2038  If there is no group Everyone allow entry then convert the
2039  group1 entry to a allow nothing entry and push to the end of the list.
2040
2041  Note that the common case from the NT ACL choser (groupX deny all)
2042  cannot be optimised here as we need to modify user entries who are
2043  in the group to change them to a deny all also.
2044
2045  What we're doing here is modifying the allow permissions of
2046  user entries (which are more specific in POSIX ACLs) to mask
2047  out the explicit deny set on the group they are in. This will
2048  be a snapshot depending on current group membership but is the
2049  best we can do and has the advantage of failing closed rather
2050  than open.
2051  ---------------------------------------------------------------------------
2052  Fourth pass - cope with cumulative permissions.
2053
2054  for all allow user entries, if there exists an allow group entry with
2055  more permissive permissions, and the user is in that group, rewrite the
2056  allow user permissions to contain both sets of permissions.
2057
2058  Currently the code for this is #ifdef'ed out as these semantics make
2059  no sense to me. JRA.
2060  ---------------------------------------------------------------------------
2061
2062  Note we *MUST* do the deny user pass first as this will convert deny user
2063  entries into allow user entries which can then be processed by the deny
2064  group pass.
2065
2066  The above algorithm took a *lot* of thinking about - hence this
2067  explaination :-). JRA.
2068 ****************************************************************************/
2069
2070 /****************************************************************************
2071  Process a canon_ace list entries. This is very complex code. We need
2072  to go through and remove the "deny" permissions from any allow entry that matches
2073  the id of this entry. We have already refused any NT ACL that wasn't in correct
2074  order (DENY followed by ALLOW). If any allow entry ends up with zero permissions,
2075  we just remove it (to fail safe). We have already removed any duplicate ace
2076  entries. Treat an "Everyone" DENY_ACE as a special case - use it to mask all
2077  allow entries.
2078 ****************************************************************************/
2079
2080 static void process_deny_list(connection_struct *conn, canon_ace **pp_ace_list )
2081 {
2082         canon_ace *ace_list = *pp_ace_list;
2083         canon_ace *curr_ace = NULL;
2084         canon_ace *curr_ace_next = NULL;
2085
2086         /* Pass 1 above - look for an Everyone, deny entry. */
2087
2088         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2089                 canon_ace *allow_ace_p;
2090
2091                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2092
2093                 if (curr_ace->attr != DENY_ACE)
2094                         continue;
2095
2096                 if (curr_ace->perms == (mode_t)0) {
2097
2098                         /* Deny nothing entry - delete. */
2099
2100                         DLIST_REMOVE(ace_list, curr_ace);
2101                         continue;
2102                 }
2103
2104                 if (!dom_sid_equal(&curr_ace->trustee, &global_sid_World))
2105                         continue;
2106
2107                 /* JRATEST - assert. */
2108                 SMB_ASSERT(curr_ace->owner_type == WORLD_ACE);
2109
2110                 if (curr_ace->perms == ALL_ACE_PERMS) {
2111
2112                         /*
2113                          * Optimisation. This is a DENY_ALL to Everyone. Truncate the
2114                          * list at this point including this entry.
2115                          */
2116
2117                         canon_ace *prev_entry = DLIST_PREV(curr_ace);
2118
2119                         free_canon_ace_list( curr_ace );
2120                         if (prev_entry)
2121                                 DLIST_REMOVE(ace_list, prev_entry);
2122                         else {
2123                                 /* We deleted the entire list. */
2124                                 ace_list = NULL;
2125                         }
2126                         break;
2127                 }
2128
2129                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2130
2131                         /* 
2132                          * Only mask off allow entries.
2133                          */
2134
2135                         if (allow_ace_p->attr != ALLOW_ACE)
2136                                 continue;
2137
2138                         allow_ace_p->perms &= ~curr_ace->perms;
2139                 }
2140
2141                 /*
2142                  * Now it's been applied, remove it.
2143                  */
2144
2145                 DLIST_REMOVE(ace_list, curr_ace);
2146         }
2147
2148         /* Pass 2 above - deal with deny user entries. */
2149
2150         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2151                 mode_t new_perms = (mode_t)0;
2152                 canon_ace *allow_ace_p;
2153
2154                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2155
2156                 if (curr_ace->attr != DENY_ACE)
2157                         continue;
2158
2159                 if (curr_ace->owner_type != UID_ACE)
2160                         continue;
2161
2162                 if (curr_ace->perms == ALL_ACE_PERMS) {
2163
2164                         /*
2165                          * Optimisation - this is a deny everything to this user.
2166                          * Convert to an allow nothing and push to the end of the list.
2167                          */
2168
2169                         curr_ace->attr = ALLOW_ACE;
2170                         curr_ace->perms = (mode_t)0;
2171                         DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
2172                         continue;
2173                 }
2174
2175                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2176
2177                         if (allow_ace_p->attr != ALLOW_ACE)
2178                                 continue;
2179
2180                         /* We process GID_ACE and WORLD_ACE entries only. */
2181
2182                         if (allow_ace_p->owner_type == UID_ACE)
2183                                 continue;
2184
2185                         if (uid_entry_in_group(conn, curr_ace, allow_ace_p))
2186                                 new_perms |= allow_ace_p->perms;
2187                 }
2188
2189                 /*
2190                  * Convert to a allow entry, modify the perms and push to the end
2191                  * of the list.
2192                  */
2193
2194                 curr_ace->attr = ALLOW_ACE;
2195                 curr_ace->perms = (new_perms & ~curr_ace->perms);
2196                 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
2197         }
2198
2199         /* Pass 3 above - deal with deny group entries. */
2200
2201         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2202                 canon_ace *allow_ace_p;
2203                 canon_ace *allow_everyone_p = NULL;
2204
2205                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2206
2207                 if (curr_ace->attr != DENY_ACE)
2208                         continue;
2209
2210                 if (curr_ace->owner_type != GID_ACE)
2211                         continue;
2212
2213                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2214
2215                         if (allow_ace_p->attr != ALLOW_ACE)
2216                                 continue;
2217
2218                         /* Store a pointer to the Everyone allow, if it exists. */
2219                         if (allow_ace_p->owner_type == WORLD_ACE)
2220                                 allow_everyone_p = allow_ace_p;
2221
2222                         /* We process UID_ACE entries only. */
2223
2224                         if (allow_ace_p->owner_type != UID_ACE)
2225                                 continue;
2226
2227                         /* Mask off the deny group perms. */
2228
2229                         if (uid_entry_in_group(conn, allow_ace_p, curr_ace))
2230                                 allow_ace_p->perms &= ~curr_ace->perms;
2231                 }
2232
2233                 /*
2234                  * Convert the deny to an allow with the correct perms and
2235                  * push to the end of the list.
2236                  */
2237
2238                 curr_ace->attr = ALLOW_ACE;
2239                 if (allow_everyone_p)
2240                         curr_ace->perms = allow_everyone_p->perms & ~curr_ace->perms;
2241                 else
2242                         curr_ace->perms = (mode_t)0;
2243                 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
2244         }
2245
2246         /* Doing this fourth pass allows Windows semantics to be layered
2247          * on top of POSIX semantics. I'm not sure if this is desirable.
2248          * For example, in W2K ACLs there is no way to say, "Group X no
2249          * access, user Y full access" if user Y is a member of group X.
2250          * This seems completely broken semantics to me.... JRA.
2251          */
2252
2253 #if 0
2254         /* Pass 4 above - deal with allow entries. */
2255
2256         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2257                 canon_ace *allow_ace_p;
2258
2259                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2260
2261                 if (curr_ace->attr != ALLOW_ACE)
2262                         continue;
2263
2264                 if (curr_ace->owner_type != UID_ACE)
2265                         continue;
2266
2267                 for (allow_ace_p = ace_list; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2268
2269                         if (allow_ace_p->attr != ALLOW_ACE)
2270                                 continue;
2271
2272                         /* We process GID_ACE entries only. */
2273
2274                         if (allow_ace_p->owner_type != GID_ACE)
2275                                 continue;
2276
2277                         /* OR in the group perms. */
2278
2279                         if (uid_entry_in_group(conn, curr_ace, allow_ace_p))
2280                                 curr_ace->perms |= allow_ace_p->perms;
2281                 }
2282         }
2283 #endif
2284
2285         *pp_ace_list = ace_list;
2286 }
2287
2288 /****************************************************************************
2289  Create a default mode that will be used if a security descriptor entry has
2290  no user/group/world entries.
2291 ****************************************************************************/
2292
2293 static mode_t create_default_mode(files_struct *fsp, bool interitable_mode)
2294 {
2295         int snum = SNUM(fsp->conn);
2296         mode_t and_bits = (mode_t)0;
2297         mode_t or_bits = (mode_t)0;
2298         mode_t mode;
2299
2300         if (interitable_mode) {
2301                 mode = unix_mode(fsp->conn, FILE_ATTRIBUTE_ARCHIVE,
2302                                  fsp->fsp_name, NULL);
2303         } else {
2304                 mode = S_IRUSR;
2305         }
2306
2307         if (fsp->is_directory)
2308                 mode |= (S_IWUSR|S_IXUSR);
2309
2310         /*
2311          * Now AND with the create mode/directory mode bits then OR with the
2312          * force create mode/force directory mode bits.
2313          */
2314
2315         if (fsp->is_directory) {
2316                 and_bits = lp_dir_security_mask(snum);
2317                 or_bits = lp_force_dir_security_mode(snum);
2318         } else {
2319                 and_bits = lp_security_mask(snum);
2320                 or_bits = lp_force_security_mode(snum);
2321         }
2322
2323         return ((mode & and_bits)|or_bits);
2324 }
2325
2326 /****************************************************************************
2327  Unpack a struct security_descriptor into two canonical ace lists. We don't depend on this
2328  succeeding.
2329 ****************************************************************************/
2330
2331 static bool unpack_canon_ace(files_struct *fsp,
2332                                 const SMB_STRUCT_STAT *pst,
2333                                 struct dom_sid *pfile_owner_sid,
2334                                 struct dom_sid *pfile_grp_sid,
2335                                 canon_ace **ppfile_ace,
2336                                 canon_ace **ppdir_ace,
2337                                 uint32 security_info_sent,
2338                                 const struct security_descriptor *psd)
2339 {
2340         SMB_STRUCT_STAT st;
2341         canon_ace *file_ace = NULL;
2342         canon_ace *dir_ace = NULL;
2343
2344         *ppfile_ace = NULL;
2345         *ppdir_ace = NULL;
2346
2347         if(security_info_sent == 0) {
2348                 DEBUG(0,("unpack_canon_ace: no security info sent !\n"));
2349                 return False;
2350         }
2351
2352         /*
2353          * If no DACL then this is a chown only security descriptor.
2354          */
2355
2356         if(!(security_info_sent & SECINFO_DACL) || !psd->dacl)
2357                 return True;
2358
2359         /*
2360          * Now go through the DACL and create the canon_ace lists.
2361          */
2362
2363         if (!create_canon_ace_lists( fsp, pst, pfile_owner_sid, pfile_grp_sid,
2364                                                                 &file_ace, &dir_ace, psd->dacl))
2365                 return False;
2366
2367         if ((file_ace == NULL) && (dir_ace == NULL)) {
2368                 /* W2K traverse DACL set - ignore. */
2369                 return True;
2370         }
2371
2372         /*
2373          * Go through the canon_ace list and merge entries
2374          * belonging to identical users of identical allow or deny type.
2375          * We can do this as all deny entries come first, followed by
2376          * all allow entries (we have mandated this before accepting this acl).
2377          */
2378
2379         print_canon_ace_list( "file ace - before merge", file_ace);
2380         merge_aces( &file_ace, false);
2381
2382         print_canon_ace_list( "dir ace - before merge", dir_ace);
2383         merge_aces( &dir_ace, true);
2384
2385         /*
2386          * NT ACLs are order dependent. Go through the acl lists and
2387          * process DENY entries by masking the allow entries.
2388          */
2389
2390         print_canon_ace_list( "file ace - before deny", file_ace);
2391         process_deny_list(fsp->conn, &file_ace);
2392
2393         print_canon_ace_list( "dir ace - before deny", dir_ace);
2394         process_deny_list(fsp->conn, &dir_ace);
2395
2396         /*
2397          * A well formed POSIX file or default ACL has at least 3 entries, a 
2398          * SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ
2399          * and optionally a mask entry. Ensure this is the case.
2400          */
2401
2402         print_canon_ace_list( "file ace - before valid", file_ace);
2403
2404         st = *pst;
2405
2406         /*
2407          * A default 3 element mode entry for a file should be r-- --- ---.
2408          * A default 3 element mode entry for a directory should be rwx --- ---.
2409          */
2410
2411         st.st_ex_mode = create_default_mode(fsp, False);
2412
2413         if (!ensure_canon_entry_valid(fsp->conn, &file_ace, fsp->conn->params,
2414                         fsp->is_directory, pfile_owner_sid, pfile_grp_sid, &st, True)) {
2415                 free_canon_ace_list(file_ace);
2416                 free_canon_ace_list(dir_ace);
2417                 return False;
2418         }
2419
2420         print_canon_ace_list( "dir ace - before valid", dir_ace);
2421
2422         /*
2423          * A default inheritable 3 element mode entry for a directory should be the
2424          * mode Samba will use to create a file within. Ensure user rwx bits are set if
2425          * it's a directory.
2426          */
2427
2428         st.st_ex_mode = create_default_mode(fsp, True);
2429
2430         if (dir_ace && !ensure_canon_entry_valid(fsp->conn, &dir_ace, fsp->conn->params,
2431                         fsp->is_directory, pfile_owner_sid, pfile_grp_sid, &st, True)) {
2432                 free_canon_ace_list(file_ace);
2433                 free_canon_ace_list(dir_ace);
2434                 return False;
2435         }
2436
2437         print_canon_ace_list( "file ace - return", file_ace);
2438         print_canon_ace_list( "dir ace - return", dir_ace);
2439
2440         *ppfile_ace = file_ace;
2441         *ppdir_ace = dir_ace;
2442         return True;
2443
2444 }
2445
2446 /******************************************************************************
2447  When returning permissions, try and fit NT display
2448  semantics if possible. Note the the canon_entries here must have been malloced.
2449  The list format should be - first entry = owner, followed by group and other user
2450  entries, last entry = other.
2451
2452  Note that this doesn't exactly match the NT semantics for an ACL. As POSIX entries
2453  are not ordered, and match on the most specific entry rather than walking a list,
2454  then a simple POSIX permission of rw-r--r-- should really map to 5 entries,
2455
2456  Entry 0: owner : deny all except read and write.
2457  Entry 1: owner : allow read and write.
2458  Entry 2: group : deny all except read.
2459  Entry 3: group : allow read.
2460  Entry 4: Everyone : allow read.
2461
2462  But NT cannot display this in their ACL editor !
2463 ********************************************************************************/
2464
2465 static void arrange_posix_perms(const char *filename, canon_ace **pp_list_head)
2466 {
2467         canon_ace *l_head = *pp_list_head;
2468         canon_ace *owner_ace = NULL;
2469         canon_ace *other_ace = NULL;
2470         canon_ace *ace = NULL;
2471
2472         for (ace = l_head; ace; ace = ace->next) {
2473                 if (ace->type == SMB_ACL_USER_OBJ)
2474                         owner_ace = ace;
2475                 else if (ace->type == SMB_ACL_OTHER) {
2476                         /* Last ace - this is "other" */
2477                         other_ace = ace;
2478                 }
2479         }
2480
2481         if (!owner_ace || !other_ace) {
2482                 DEBUG(0,("arrange_posix_perms: Invalid POSIX permissions for file %s, missing owner or other.\n",
2483                         filename ));
2484                 return;
2485         }
2486
2487         /*
2488          * The POSIX algorithm applies to owner first, and other last,
2489          * so ensure they are arranged in this order.
2490          */
2491
2492         if (owner_ace) {
2493                 DLIST_PROMOTE(l_head, owner_ace);
2494         }
2495
2496         if (other_ace) {
2497                 DLIST_DEMOTE(l_head, other_ace, canon_ace *);
2498         }
2499
2500         /* We have probably changed the head of the list. */
2501
2502         *pp_list_head = l_head;
2503 }
2504
2505 /****************************************************************************
2506  Create a linked list of canonical ACE entries.
2507 ****************************************************************************/
2508
2509 static canon_ace *canonicalise_acl(struct connection_struct *conn,
2510                                    const char *fname, SMB_ACL_T posix_acl,
2511                                    const SMB_STRUCT_STAT *psbuf,
2512                                    const struct dom_sid *powner, const struct dom_sid *pgroup, struct pai_val *pal, SMB_ACL_TYPE_T the_acl_type)
2513 {
2514         mode_t acl_mask = (S_IRUSR|S_IWUSR|S_IXUSR);
2515         canon_ace *l_head = NULL;
2516         canon_ace *ace = NULL;
2517         canon_ace *next_ace = NULL;
2518         int entry_id = SMB_ACL_FIRST_ENTRY;
2519         SMB_ACL_ENTRY_T entry;
2520         size_t ace_count;
2521
2522         while ( posix_acl && (SMB_VFS_SYS_ACL_GET_ENTRY(conn, posix_acl, entry_id, &entry) == 1)) {
2523                 SMB_ACL_TAG_T tagtype;
2524                 SMB_ACL_PERMSET_T permset;
2525                 struct dom_sid sid;
2526                 posix_id unix_ug;
2527                 enum ace_owner owner_type;
2528
2529                 entry_id = SMB_ACL_NEXT_ENTRY;
2530
2531                 /* Is this a MASK entry ? */
2532                 if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) == -1)
2533                         continue;
2534
2535                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1)
2536                         continue;
2537
2538                 /* Decide which SID to use based on the ACL type. */
2539                 switch(tagtype) {
2540                         case SMB_ACL_USER_OBJ:
2541                                 /* Get the SID from the owner. */
2542                                 sid_copy(&sid, powner);
2543                                 unix_ug.uid = psbuf->st_ex_uid;
2544                                 owner_type = UID_ACE;
2545                                 break;
2546                         case SMB_ACL_USER:
2547                                 {
2548                                         uid_t *puid = (uid_t *)SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry);
2549                                         if (puid == NULL) {
2550                                                 DEBUG(0,("canonicalise_acl: Failed to get uid.\n"));
2551                                                 continue;
2552                                         }
2553                                         uid_to_sid( &sid, *puid);
2554                                         unix_ug.uid = *puid;
2555                                         owner_type = UID_ACE;
2556                                         SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)puid,tagtype);
2557                                         break;
2558                                 }
2559                         case SMB_ACL_GROUP_OBJ:
2560                                 /* Get the SID from the owning group. */
2561                                 sid_copy(&sid, pgroup);
2562                                 unix_ug.gid = psbuf->st_ex_gid;
2563                                 owner_type = GID_ACE;
2564                                 break;
2565                         case SMB_ACL_GROUP:
2566                                 {
2567                                         gid_t *pgid = (gid_t *)SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry);
2568                                         if (pgid == NULL) {
2569                                                 DEBUG(0,("canonicalise_acl: Failed to get gid.\n"));
2570                                                 continue;
2571                                         }
2572                                         gid_to_sid( &sid, *pgid);
2573                                         unix_ug.gid = *pgid;
2574                                         owner_type = GID_ACE;
2575                                         SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)pgid,tagtype);
2576                                         break;
2577                                 }
2578                         case SMB_ACL_MASK:
2579                                 acl_mask = convert_permset_to_mode_t(conn, permset);
2580                                 continue; /* Don't count the mask as an entry. */
2581                         case SMB_ACL_OTHER:
2582                                 /* Use the Everyone SID */
2583                                 sid = global_sid_World;
2584                                 unix_ug.world = -1;
2585                                 owner_type = WORLD_ACE;
2586                                 break;
2587                         default:
2588                                 DEBUG(0,("canonicalise_acl: Unknown tagtype %u\n", (unsigned int)tagtype));
2589                                 continue;
2590                 }
2591
2592                 /*
2593                  * Add this entry to the list.
2594                  */
2595
2596                 if ((ace = SMB_MALLOC_P(canon_ace)) == NULL)
2597                         goto fail;
2598
2599                 ZERO_STRUCTP(ace);
2600                 ace->type = tagtype;
2601                 ace->perms = convert_permset_to_mode_t(conn, permset);
2602                 ace->attr = ALLOW_ACE;
2603                 ace->trustee = sid;
2604                 ace->unix_ug = unix_ug;
2605                 ace->owner_type = owner_type;
2606                 ace->ace_flags = get_pai_flags(pal, ace, (the_acl_type == SMB_ACL_TYPE_DEFAULT));
2607
2608                 DLIST_ADD(l_head, ace);
2609         }
2610
2611         /*
2612          * This next call will ensure we have at least a user/group/world set.
2613          */
2614
2615         if (!ensure_canon_entry_valid(conn, &l_head, conn->params,
2616                                       S_ISDIR(psbuf->st_ex_mode), powner, pgroup,
2617                                       psbuf, False))
2618                 goto fail;
2619
2620         /*
2621          * Now go through the list, masking the permissions with the
2622          * acl_mask. Ensure all DENY Entries are at the start of the list.
2623          */
2624
2625         DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", the_acl_type == SMB_ACL_TYPE_ACCESS ? "Access" : "Default" ));
2626
2627         for ( ace_count = 0, ace = l_head; ace; ace = next_ace, ace_count++) {
2628                 next_ace = ace->next;
2629
2630                 /* Masks are only applied to entries other than USER_OBJ and OTHER. */
2631                 if (ace->type != SMB_ACL_OTHER && ace->type != SMB_ACL_USER_OBJ)
2632                         ace->perms &= acl_mask;
2633
2634                 if (ace->perms == 0) {
2635                         DLIST_PROMOTE(l_head, ace);
2636                 }
2637
2638                 if( DEBUGLVL( 10 ) ) {
2639                         print_canon_ace(ace, ace_count);
2640                 }
2641         }
2642
2643         arrange_posix_perms(fname,&l_head );
2644
2645         print_canon_ace_list( "canonicalise_acl: ace entries after arrange", l_head );
2646
2647         return l_head;
2648
2649   fail:
2650
2651         free_canon_ace_list(l_head);
2652         return NULL;
2653 }
2654
2655 /****************************************************************************
2656  Check if the current user group list contains a given group.
2657 ****************************************************************************/
2658
2659 bool current_user_in_group(connection_struct *conn, gid_t gid)
2660 {
2661         int i;
2662         const struct security_unix_token *utok = get_current_utok(conn);
2663
2664         for (i = 0; i < utok->ngroups; i++) {
2665                 if (utok->groups[i] == gid) {
2666                         return True;
2667                 }
2668         }
2669
2670         return False;
2671 }
2672
2673 /****************************************************************************
2674  Should we override a deny ? Check 'acl group control' and 'dos filemode'.
2675 ****************************************************************************/
2676
2677 static bool acl_group_override(connection_struct *conn,
2678                                const struct smb_filename *smb_fname)
2679 {
2680         if ((errno != EPERM) && (errno != EACCES)) {
2681                 return false;
2682         }
2683
2684         /* file primary group == user primary or supplementary group */
2685         if (lp_acl_group_control(SNUM(conn)) &&
2686             current_user_in_group(conn, smb_fname->st.st_ex_gid)) {
2687                 return true;
2688         }
2689
2690         /* user has writeable permission */
2691         if (lp_dos_filemode(SNUM(conn)) &&
2692             can_write_to_file(conn, smb_fname)) {
2693                 return true;
2694         }
2695
2696         return false;
2697 }
2698
2699 /****************************************************************************
2700  Attempt to apply an ACL to a file or directory.
2701 ****************************************************************************/
2702
2703 static bool set_canon_ace_list(files_struct *fsp,
2704                                 canon_ace *the_ace,
2705                                 bool default_ace,
2706                                 const SMB_STRUCT_STAT *psbuf,
2707                                 bool *pacl_set_support)
2708 {
2709         connection_struct *conn = fsp->conn;
2710         bool ret = False;
2711         SMB_ACL_T the_acl = SMB_VFS_SYS_ACL_INIT(conn, (int)count_canon_ace_list(the_ace) + 1);
2712         canon_ace *p_ace;
2713         int i;
2714         SMB_ACL_ENTRY_T mask_entry;
2715         bool got_mask_entry = False;
2716         SMB_ACL_PERMSET_T mask_permset;
2717         SMB_ACL_TYPE_T the_acl_type = (default_ace ? SMB_ACL_TYPE_DEFAULT : SMB_ACL_TYPE_ACCESS);
2718         bool needs_mask = False;
2719         mode_t mask_perms = 0;
2720
2721         /* Use the psbuf that was passed in. */
2722         if (psbuf != &fsp->fsp_name->st) {
2723                 fsp->fsp_name->st = *psbuf;
2724         }
2725
2726 #if defined(POSIX_ACL_NEEDS_MASK)
2727         /* HP-UX always wants to have a mask (called "class" there). */
2728         needs_mask = True;
2729 #endif
2730
2731         if (the_acl == NULL) {
2732
2733                 if (!no_acl_syscall_error(errno)) {
2734                         /*
2735                          * Only print this error message if we have some kind of ACL
2736                          * support that's not working. Otherwise we would always get this.
2737                          */
2738                         DEBUG(0,("set_canon_ace_list: Unable to init %s ACL. (%s)\n",
2739                                 default_ace ? "default" : "file", strerror(errno) ));
2740                 }
2741                 *pacl_set_support = False;
2742                 goto fail;
2743         }
2744
2745         if( DEBUGLVL( 10 )) {
2746                 dbgtext("set_canon_ace_list: setting ACL:\n");
2747                 for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2748                         print_canon_ace( p_ace, i);
2749                 }
2750         }
2751
2752         for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2753                 SMB_ACL_ENTRY_T the_entry;
2754                 SMB_ACL_PERMSET_T the_permset;
2755
2756                 /*
2757                  * ACLs only "need" an ACL_MASK entry if there are any named user or
2758                  * named group entries. But if there is an ACL_MASK entry, it applies
2759                  * to ACL_USER, ACL_GROUP, and ACL_GROUP_OBJ entries. Set the mask
2760                  * so that it doesn't deny (i.e., mask off) any permissions.
2761                  */
2762
2763                 if (p_ace->type == SMB_ACL_USER || p_ace->type == SMB_ACL_GROUP) {
2764                         needs_mask = True;
2765                         mask_perms |= p_ace->perms;
2766                 } else if (p_ace->type == SMB_ACL_GROUP_OBJ) {
2767                         mask_perms |= p_ace->perms;
2768                 }
2769
2770                 /*
2771                  * Get the entry for this ACE.
2772                  */
2773
2774                 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &the_entry) == -1) {
2775                         DEBUG(0,("set_canon_ace_list: Failed to create entry %d. (%s)\n",
2776                                 i, strerror(errno) ));
2777                         goto fail;
2778                 }
2779
2780                 if (p_ace->type == SMB_ACL_MASK) {
2781                         mask_entry = the_entry;
2782                         got_mask_entry = True;
2783                 }
2784
2785                 /*
2786                  * Ok - we now know the ACL calls should be working, don't
2787                  * allow fallback to chmod.
2788                  */
2789
2790                 *pacl_set_support = True;
2791
2792                 /*
2793                  * Initialise the entry from the canon_ace.
2794                  */
2795
2796                 /*
2797                  * First tell the entry what type of ACE this is.
2798                  */
2799
2800                 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, the_entry, p_ace->type) == -1) {
2801                         DEBUG(0,("set_canon_ace_list: Failed to set tag type on entry %d. (%s)\n",
2802                                 i, strerror(errno) ));
2803                         goto fail;
2804                 }
2805
2806                 /*
2807                  * Only set the qualifier (user or group id) if the entry is a user
2808                  * or group id ACE.
2809                  */
2810
2811                 if ((p_ace->type == SMB_ACL_USER) || (p_ace->type == SMB_ACL_GROUP)) {
2812                         if (SMB_VFS_SYS_ACL_SET_QUALIFIER(conn, the_entry,(void *)&p_ace->unix_ug.uid) == -1) {
2813                                 DEBUG(0,("set_canon_ace_list: Failed to set qualifier on entry %d. (%s)\n",
2814                                         i, strerror(errno) ));
2815                                 goto fail;
2816                         }
2817                 }
2818
2819                 /*
2820                  * Convert the mode_t perms in the canon_ace to a POSIX permset.
2821                  */
2822
2823                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, the_entry, &the_permset) == -1) {
2824                         DEBUG(0,("set_canon_ace_list: Failed to get permset on entry %d. (%s)\n",
2825                                 i, strerror(errno) ));
2826                         goto fail;
2827                 }
2828
2829                 if (map_acl_perms_to_permset(conn, p_ace->perms, &the_permset) == -1) {
2830                         DEBUG(0,("set_canon_ace_list: Failed to create permset for mode (%u) on entry %d. (%s)\n",
2831                                 (unsigned int)p_ace->perms, i, strerror(errno) ));
2832                         goto fail;
2833                 }
2834
2835                 /*
2836                  * ..and apply them to the entry.
2837                  */
2838
2839                 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, the_entry, the_permset) == -1) {
2840                         DEBUG(0,("set_canon_ace_list: Failed to add permset on entry %d. (%s)\n",
2841                                 i, strerror(errno) ));
2842                         goto fail;
2843                 }
2844
2845                 if( DEBUGLVL( 10 ))
2846                         print_canon_ace( p_ace, i);
2847
2848         }
2849
2850         if (needs_mask && !got_mask_entry) {
2851                 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &mask_entry) == -1) {
2852                         DEBUG(0,("set_canon_ace_list: Failed to create mask entry. (%s)\n", strerror(errno) ));
2853                         goto fail;
2854                 }
2855
2856                 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, mask_entry, SMB_ACL_MASK) == -1) {
2857                         DEBUG(0,("set_canon_ace_list: Failed to set tag type on mask entry. (%s)\n",strerror(errno) ));
2858                         goto fail;
2859                 }
2860
2861                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, mask_entry, &mask_permset) == -1) {
2862                         DEBUG(0,("set_canon_ace_list: Failed to get mask permset. (%s)\n", strerror(errno) ));
2863                         goto fail;
2864                 }
2865
2866                 if (map_acl_perms_to_permset(conn, S_IRUSR|S_IWUSR|S_IXUSR, &mask_permset) == -1) {
2867                         DEBUG(0,("set_canon_ace_list: Failed to create mask permset. (%s)\n", strerror(errno) ));
2868                         goto fail;
2869                 }
2870
2871                 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, mask_entry, mask_permset) == -1) {
2872                         DEBUG(0,("set_canon_ace_list: Failed to add mask permset. (%s)\n", strerror(errno) ));
2873                         goto fail;
2874                 }
2875         }
2876
2877         /*
2878          * Finally apply it to the file or directory.
2879          */
2880
2881         if(default_ace || fsp->is_directory || fsp->fh->fd == -1) {
2882                 if (SMB_VFS_SYS_ACL_SET_FILE(conn, fsp->fsp_name->base_name,
2883                                              the_acl_type, the_acl) == -1) {
2884                         /*
2885                          * Some systems allow all the above calls and only fail with no ACL support
2886                          * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
2887                          */
2888                         if (no_acl_syscall_error(errno)) {
2889                                 *pacl_set_support = False;
2890                         }
2891
2892                         if (acl_group_override(conn, fsp->fsp_name)) {
2893                                 int sret;
2894
2895                                 DEBUG(5,("set_canon_ace_list: acl group "
2896                                          "control on and current user in file "
2897                                          "%s primary group.\n",
2898                                          fsp_str_dbg(fsp)));
2899
2900                                 become_root();
2901                                 sret = SMB_VFS_SYS_ACL_SET_FILE(conn,
2902                                     fsp->fsp_name->base_name, the_acl_type,
2903                                     the_acl);
2904                                 unbecome_root();
2905                                 if (sret == 0) {
2906                                         ret = True;     
2907                                 }
2908                         }
2909
2910                         if (ret == False) {
2911                                 DEBUG(2,("set_canon_ace_list: "
2912                                          "sys_acl_set_file type %s failed for "
2913                                          "file %s (%s).\n",
2914                                          the_acl_type == SMB_ACL_TYPE_DEFAULT ?
2915                                          "directory default" : "file",
2916                                          fsp_str_dbg(fsp), strerror(errno)));
2917                                 goto fail;
2918                         }
2919                 }
2920         } else {
2921                 if (SMB_VFS_SYS_ACL_SET_FD(fsp, the_acl) == -1) {
2922                         /*
2923                          * Some systems allow all the above calls and only fail with no ACL support
2924