#include "vfs_posix.h"
#include "librpc/gen_ndr/xattr.h"
#include "libcli/security/security.h"
+#include "param/param.h"
/* the list of currently registered ACL backends */
backends = talloc_realloc(talloc_autofree_context(), backends, struct pvfs_acl_backend, num_backends+1);
NT_STATUS_HAVE_NO_MEMORY(backends);
- new_ops = talloc_memdup(backends, ops, sizeof(*ops));
+ new_ops = (struct pvfs_acl_ops *)talloc_memdup(backends, ops, sizeof(*ops));
new_ops->name = talloc_strdup(new_ops, ops->name);
backends[num_backends].ops = new_ops;
return NULL;
}
+NTSTATUS pvfs_acl_init(struct loadparm_context *lp_ctx)
+{
+ static bool initialized = false;
+ extern NTSTATUS pvfs_acl_nfs4_init(void);
+ extern NTSTATUS pvfs_acl_xattr_init(void);
+ init_module_fn static_init[] = { STATIC_pvfs_acl_MODULES };
+ init_module_fn *shared_init;
+
+ if (initialized) return NT_STATUS_OK;
+ initialized = true;
+
+ shared_init = load_samba_modules(NULL, lp_ctx, "pvfs_acl");
+
+ run_init_functions(static_init);
+ run_init_functions(shared_init);
+
+ talloc_free(shared_init);
+
+ return NT_STATUS_OK;
+}
+
/*
map a single access_mask from generic to specific bits for files/dirs
max_bits |= SEC_STD_ALL;
}
+ if (!uwrap_enabled()) {
+ /* when running with the uid wrapper, files will be created
+ owned by the ruid, but we may have a different simulated
+ euid. We need to force the permission bits as though the
+ files owner matches the euid */
+ max_bits |= SEC_STD_ALL;
+ }
+
if (*access_mask == SEC_FLAG_MAXIMUM_ALLOWED) {
*access_mask = max_bits;
return NT_STATUS_OK;
}
if (uid != 0 && (*access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
- return NT_STATUS_PRIVILEGE_NOT_HELD;
+ return NT_STATUS_ACCESS_DENIED;
}
if (*access_mask & ~max_bits) {
return NT_STATUS_ACCESS_DENIED;
}
- *access_mask |= SEC_FILE_READ_ATTRIBUTE;
+ if (pvfs->ntvfs->ctx->protocol != PROTOCOL_SMB2) {
+ /* on SMB, this bit is always granted, even if not
+ asked for */
+ *access_mask |= SEC_FILE_READ_ATTRIBUTE;
+ }
return NT_STATUS_OK;
}
NTSTATUS status;
struct security_descriptor *sd;
+ /* on SMB2 a blank access mask is always denied */
+ if (pvfs->ntvfs->ctx->protocol == PROTOCOL_SMB2 &&
+ *access_mask == 0) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
if (pvfs_read_only(pvfs, *access_mask)) {
return NT_STATUS_ACCESS_DENIED;
}
/* expand the generic access bits to file specific bits */
*access_mask = pvfs_translate_mask(*access_mask);
- *access_mask &= ~SEC_FILE_READ_ATTRIBUTE;
+ if (pvfs->ntvfs->ctx->protocol != PROTOCOL_SMB2) {
+ *access_mask &= ~SEC_FILE_READ_ATTRIBUTE;
+ }
status = pvfs_acl_load(pvfs, name, -1, acl);
if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
/* check the acl against the required access mask */
status = sec_access_check(sd, token, *access_mask, access_mask);
- /* this bit is always granted, even if not asked for */
- *access_mask |= SEC_FILE_READ_ATTRIBUTE;
+ if (pvfs->ntvfs->ctx->protocol != PROTOCOL_SMB2) {
+ /* on SMB, this bit is always granted, even if not
+ asked for */
+ *access_mask |= SEC_FILE_READ_ATTRIBUTE;
+ }
talloc_free(acl);
return status;
}
+
+/*
+ return the maximum allowed access mask
+*/
+NTSTATUS pvfs_access_maximal_allowed(struct pvfs_state *pvfs,
+ struct ntvfs_request *req,
+ struct pvfs_filename *name,
+ uint32_t *maximal_access)
+{
+ *maximal_access = SEC_FLAG_MAXIMUM_ALLOWED;
+ return pvfs_access_check(pvfs, req, name, maximal_access);
+}