64051d23b1291205734091d0b3ca2f76fe8cc338
[tprouty/samba.git] / source / smbd / posix_acls.c
1 /*
2    Unix SMB/CIFS implementation.
3    SMB NT Security Descriptor / Unix permission conversion.
4    Copyright (C) Jeremy Allison 1994-2000.
5    Copyright (C) Andreas Gruenbacher 2002.
6
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License as published by
9    the Free Software Foundation; either version 3 of the License, or
10    (at your option) any later version.
11
12    This program is distributed in the hope that it will be useful,
13    but WITHOUT ANY WARRANTY; without even the implied warranty of
14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15    GNU General Public License for more details.
16
17    You should have received a copy of the GNU General Public License
18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22
23 extern struct current_user current_user;
24 extern struct generic_mapping file_generic_mapping;
25
26 #undef  DBGC_CLASS
27 #define DBGC_CLASS DBGC_ACLS
28
29 /****************************************************************************
30  Data structures representing the internal ACE format.
31 ****************************************************************************/
32
33 enum ace_owner {UID_ACE, GID_ACE, WORLD_ACE};
34 enum ace_attribute {ALLOW_ACE, DENY_ACE}; /* Used for incoming NT ACLS. */
35
36 typedef union posix_id {
37                 uid_t uid;
38                 gid_t gid;
39                 int world;
40 } posix_id;
41
42 typedef struct canon_ace {
43         struct canon_ace *next, *prev;
44         SMB_ACL_TAG_T type;
45         mode_t perms; /* Only use S_I(R|W|X)USR mode bits here. */
46         DOM_SID trustee;
47         enum ace_owner owner_type;
48         enum ace_attribute attr;
49         posix_id unix_ug;
50         BOOL inherited;
51 } canon_ace;
52
53 #define ALL_ACE_PERMS (S_IRUSR|S_IWUSR|S_IXUSR)
54
55 /*
56  * EA format of user.SAMBA_PAI (Samba_Posix_Acl_Interitance)
57  * attribute on disk.
58  *
59  * |  1   |  1   |   2         |         2           |  .... 
60  * +------+------+-------------+---------------------+-------------+--------------------+
61  * | vers | flag | num_entries | num_default_entries | ..entries.. | default_entries... |
62  * +------+------+-------------+---------------------+-------------+--------------------+
63  */
64
65 #define PAI_VERSION_OFFSET      0
66 #define PAI_FLAG_OFFSET         1
67 #define PAI_NUM_ENTRIES_OFFSET  2
68 #define PAI_NUM_DEFAULT_ENTRIES_OFFSET  4
69 #define PAI_ENTRIES_BASE        6
70
71 #define PAI_VERSION             1
72 #define PAI_ACL_FLAG_PROTECTED  0x1
73 #define PAI_ENTRY_LENGTH        5
74
75 /*
76  * In memory format of user.SAMBA_PAI attribute.
77  */
78
79 struct pai_entry {
80         struct pai_entry *next, *prev;
81         enum ace_owner owner_type;
82         posix_id unix_ug; 
83 };
84         
85 struct pai_val {
86         BOOL pai_protected;
87         unsigned int num_entries;
88         struct pai_entry *entry_list;
89         unsigned int num_def_entries;
90         struct pai_entry *def_entry_list;
91 };
92
93 /************************************************************************
94  Return a uint32 of the pai_entry principal.
95 ************************************************************************/
96
97 static uint32 get_pai_entry_val(struct pai_entry *paie)
98 {
99         switch (paie->owner_type) {
100                 case UID_ACE:
101                         DEBUG(10,("get_pai_entry_val: uid = %u\n", (unsigned int)paie->unix_ug.uid ));
102                         return (uint32)paie->unix_ug.uid;
103                 case GID_ACE:
104                         DEBUG(10,("get_pai_entry_val: gid = %u\n", (unsigned int)paie->unix_ug.gid ));
105                         return (uint32)paie->unix_ug.gid;
106                 case WORLD_ACE:
107                 default:
108                         DEBUG(10,("get_pai_entry_val: world ace\n"));
109                         return (uint32)-1;
110         }
111 }
112
113 /************************************************************************
114  Return a uint32 of the entry principal.
115 ************************************************************************/
116
117 static uint32 get_entry_val(canon_ace *ace_entry)
118 {
119         switch (ace_entry->owner_type) {
120                 case UID_ACE:
121                         DEBUG(10,("get_entry_val: uid = %u\n", (unsigned int)ace_entry->unix_ug.uid ));
122                         return (uint32)ace_entry->unix_ug.uid;
123                 case GID_ACE:
124                         DEBUG(10,("get_entry_val: gid = %u\n", (unsigned int)ace_entry->unix_ug.gid ));
125                         return (uint32)ace_entry->unix_ug.gid;
126                 case WORLD_ACE:
127                 default:
128                         DEBUG(10,("get_entry_val: world ace\n"));
129                         return (uint32)-1;
130         }
131 }
132
133 /************************************************************************
134  Count the inherited entries.
135 ************************************************************************/
136
137 static unsigned int num_inherited_entries(canon_ace *ace_list)
138 {
139         unsigned int num_entries = 0;
140
141         for (; ace_list; ace_list = ace_list->next)
142                 if (ace_list->inherited)
143                         num_entries++;
144         return num_entries;
145 }
146
147 /************************************************************************
148  Create the on-disk format. Caller must free.
149 ************************************************************************/
150
151 static char *create_pai_buf(canon_ace *file_ace_list, canon_ace *dir_ace_list, BOOL pai_protected, size_t *store_size)
152 {
153         char *pai_buf = NULL;
154         canon_ace *ace_list = NULL;
155         char *entry_offset = NULL;
156         unsigned int num_entries = 0;
157         unsigned int num_def_entries = 0;
158
159         for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next)
160                 if (ace_list->inherited)
161                         num_entries++;
162
163         for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next)
164                 if (ace_list->inherited)
165                         num_def_entries++;
166
167         DEBUG(10,("create_pai_buf: num_entries = %u, num_def_entries = %u\n", num_entries, num_def_entries ));
168
169         *store_size = PAI_ENTRIES_BASE + ((num_entries + num_def_entries)*PAI_ENTRY_LENGTH);
170
171         pai_buf = (char *)SMB_MALLOC(*store_size);
172         if (!pai_buf) {
173                 return NULL;
174         }
175
176         /* Set up the header. */
177         memset(pai_buf, '\0', PAI_ENTRIES_BASE);
178         SCVAL(pai_buf,PAI_VERSION_OFFSET,PAI_VERSION);
179         SCVAL(pai_buf,PAI_FLAG_OFFSET,(pai_protected ? PAI_ACL_FLAG_PROTECTED : 0));
180         SSVAL(pai_buf,PAI_NUM_ENTRIES_OFFSET,num_entries);
181         SSVAL(pai_buf,PAI_NUM_DEFAULT_ENTRIES_OFFSET,num_def_entries);
182
183         entry_offset = pai_buf + PAI_ENTRIES_BASE;
184
185         for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next) {
186                 if (ace_list->inherited) {
187                         uint8 type_val = (unsigned char)ace_list->owner_type;
188                         uint32 entry_val = get_entry_val(ace_list);
189
190                         SCVAL(entry_offset,0,type_val);
191                         SIVAL(entry_offset,1,entry_val);
192                         entry_offset += PAI_ENTRY_LENGTH;
193                 }
194         }
195
196         for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next) {
197                 if (ace_list->inherited) {
198                         uint8 type_val = (unsigned char)ace_list->owner_type;
199                         uint32 entry_val = get_entry_val(ace_list);
200
201                         SCVAL(entry_offset,0,type_val);
202                         SIVAL(entry_offset,1,entry_val);
203                         entry_offset += PAI_ENTRY_LENGTH;
204                 }
205         }
206
207         return pai_buf;
208 }
209
210 /************************************************************************
211  Store the user.SAMBA_PAI attribute on disk.
212 ************************************************************************/
213
214 static void store_inheritance_attributes(files_struct *fsp, canon_ace *file_ace_list,
215                                         canon_ace *dir_ace_list, BOOL pai_protected)
216 {
217         int ret;
218         size_t store_size;
219         char *pai_buf;
220
221         if (!lp_map_acl_inherit(SNUM(fsp->conn)))
222                 return;
223
224         /*
225          * Don't store if this ACL isn't protected and
226          * none of the entries in it are marked as inherited.
227          */
228
229         if (!pai_protected && num_inherited_entries(file_ace_list) == 0 && num_inherited_entries(dir_ace_list) == 0) {
230                 /* Instead just remove the attribute if it exists. */
231                 if (fsp->fh->fd != -1)
232                         SMB_VFS_FREMOVEXATTR(fsp, fsp->fh->fd, SAMBA_POSIX_INHERITANCE_EA_NAME);
233                 else
234                         SMB_VFS_REMOVEXATTR(fsp->conn, fsp->fsp_name, SAMBA_POSIX_INHERITANCE_EA_NAME);
235                 return;
236         }
237
238         pai_buf = create_pai_buf(file_ace_list, dir_ace_list, pai_protected, &store_size);
239
240         if (fsp->fh->fd != -1)
241                 ret = SMB_VFS_FSETXATTR(fsp, fsp->fh->fd, SAMBA_POSIX_INHERITANCE_EA_NAME,
242                                 pai_buf, store_size, 0);
243         else
244                 ret = SMB_VFS_SETXATTR(fsp->conn,fsp->fsp_name, SAMBA_POSIX_INHERITANCE_EA_NAME,
245                                 pai_buf, store_size, 0);
246
247         SAFE_FREE(pai_buf);
248
249         DEBUG(10,("store_inheritance_attribute:%s for file %s\n", pai_protected ? " (protected)" : "", fsp->fsp_name));
250         if (ret == -1 && !no_acl_syscall_error(errno))
251                 DEBUG(1,("store_inheritance_attribute: Error %s\n", strerror(errno) ));
252 }
253
254 /************************************************************************
255  Delete the in memory inheritance info.
256 ************************************************************************/
257
258 static void free_inherited_info(struct pai_val *pal)
259 {
260         if (pal) {
261                 struct pai_entry *paie, *paie_next;
262                 for (paie = pal->entry_list; paie; paie = paie_next) {
263                         paie_next = paie->next;
264                         SAFE_FREE(paie);
265                 }
266                 for (paie = pal->def_entry_list; paie; paie = paie_next) {
267                         paie_next = paie->next;
268                         SAFE_FREE(paie);
269                 }
270                 SAFE_FREE(pal);
271         }
272 }
273
274 /************************************************************************
275  Was this ACL protected ?
276 ************************************************************************/
277
278 static BOOL get_protected_flag(struct pai_val *pal)
279 {
280         if (!pal)
281                 return False;
282         return pal->pai_protected;
283 }
284
285 /************************************************************************
286  Was this ACE inherited ?
287 ************************************************************************/
288
289 static BOOL get_inherited_flag(struct pai_val *pal, canon_ace *ace_entry, BOOL default_ace)
290 {
291         struct pai_entry *paie;
292
293         if (!pal)
294                 return False;
295
296         /* If the entry exists it is inherited. */
297         for (paie = (default_ace ? pal->def_entry_list : pal->entry_list); paie; paie = paie->next) {
298                 if (ace_entry->owner_type == paie->owner_type &&
299                                 get_entry_val(ace_entry) == get_pai_entry_val(paie))
300                         return True;
301         }
302         return False;
303 }
304
305 /************************************************************************
306  Ensure an attribute just read is valid.
307 ************************************************************************/
308
309 static BOOL check_pai_ok(char *pai_buf, size_t pai_buf_data_size)
310 {
311         uint16 num_entries;
312         uint16 num_def_entries;
313
314         if (pai_buf_data_size < PAI_ENTRIES_BASE) {
315                 /* Corrupted - too small. */
316                 return False;
317         }
318
319         if (CVAL(pai_buf,PAI_VERSION_OFFSET) != PAI_VERSION)
320                 return False;
321
322         num_entries = SVAL(pai_buf,PAI_NUM_ENTRIES_OFFSET);
323         num_def_entries = SVAL(pai_buf,PAI_NUM_DEFAULT_ENTRIES_OFFSET);
324
325         /* Check the entry lists match. */
326         /* Each entry is 5 bytes (type plus 4 bytes of uid or gid). */
327
328         if (((num_entries + num_def_entries)*PAI_ENTRY_LENGTH) + PAI_ENTRIES_BASE != pai_buf_data_size)
329                 return False;
330
331         return True;
332 }
333
334
335 /************************************************************************
336  Convert to in-memory format.
337 ************************************************************************/
338
339 static struct pai_val *create_pai_val(char *buf, size_t size)
340 {
341         char *entry_offset;
342         struct pai_val *paiv = NULL;
343         int i;
344
345         if (!check_pai_ok(buf, size))
346                 return NULL;
347
348         paiv = SMB_MALLOC_P(struct pai_val);
349         if (!paiv)
350                 return NULL;
351
352         memset(paiv, '\0', sizeof(struct pai_val));
353
354         paiv->pai_protected = (CVAL(buf,PAI_FLAG_OFFSET) == PAI_ACL_FLAG_PROTECTED);
355
356         paiv->num_entries = SVAL(buf,PAI_NUM_ENTRIES_OFFSET);
357         paiv->num_def_entries = SVAL(buf,PAI_NUM_DEFAULT_ENTRIES_OFFSET);
358
359         entry_offset = buf + PAI_ENTRIES_BASE;
360
361         DEBUG(10,("create_pai_val:%s num_entries = %u, num_def_entries = %u\n",
362                         paiv->pai_protected ? " (pai_protected)" : "", paiv->num_entries, paiv->num_def_entries ));
363
364         for (i = 0; i < paiv->num_entries; i++) {
365                 struct pai_entry *paie;
366
367                 paie = SMB_MALLOC_P(struct pai_entry);
368                 if (!paie) {
369                         free_inherited_info(paiv);
370                         return NULL;
371                 }
372
373                 paie->owner_type = (enum ace_owner)CVAL(entry_offset,0);
374                 switch( paie->owner_type) {
375                         case UID_ACE:
376                                 paie->unix_ug.uid = (uid_t)IVAL(entry_offset,1);
377                                 DEBUG(10,("create_pai_val: uid = %u\n", (unsigned int)paie->unix_ug.uid ));
378                                 break;
379                         case GID_ACE:
380                                 paie->unix_ug.gid = (gid_t)IVAL(entry_offset,1);
381                                 DEBUG(10,("create_pai_val: gid = %u\n", (unsigned int)paie->unix_ug.gid ));
382                                 break;
383                         case WORLD_ACE:
384                                 paie->unix_ug.world = -1;
385                                 DEBUG(10,("create_pai_val: world ace\n"));
386                                 break;
387                         default:
388                                 free_inherited_info(paiv);
389                                 return NULL;
390                 }
391                 entry_offset += PAI_ENTRY_LENGTH;
392                 DLIST_ADD(paiv->entry_list, paie);
393         }
394
395         for (i = 0; i < paiv->num_def_entries; i++) {
396                 struct pai_entry *paie;
397
398                 paie = SMB_MALLOC_P(struct pai_entry);
399                 if (!paie) {
400                         free_inherited_info(paiv);
401                         return NULL;
402                 }
403
404                 paie->owner_type = (enum ace_owner)CVAL(entry_offset,0);
405                 switch( paie->owner_type) {
406                         case UID_ACE:
407                                 paie->unix_ug.uid = (uid_t)IVAL(entry_offset,1);
408                                 DEBUG(10,("create_pai_val: (def) uid = %u\n", (unsigned int)paie->unix_ug.uid ));
409                                 break;
410                         case GID_ACE:
411                                 paie->unix_ug.gid = (gid_t)IVAL(entry_offset,1);
412                                 DEBUG(10,("create_pai_val: (def) gid = %u\n", (unsigned int)paie->unix_ug.gid ));
413                                 break;
414                         case WORLD_ACE:
415                                 paie->unix_ug.world = -1;
416                                 DEBUG(10,("create_pai_val: (def) world ace\n"));
417                                 break;
418                         default:
419                                 free_inherited_info(paiv);
420                                 return NULL;
421                 }
422                 entry_offset += PAI_ENTRY_LENGTH;
423                 DLIST_ADD(paiv->def_entry_list, paie);
424         }
425
426         return paiv;
427 }
428
429 /************************************************************************
430  Load the user.SAMBA_PAI attribute.
431 ************************************************************************/
432
433 static struct pai_val *load_inherited_info(files_struct *fsp)
434 {
435         char *pai_buf;
436         size_t pai_buf_size = 1024;
437         struct pai_val *paiv = NULL;
438         ssize_t ret;
439
440         if (!lp_map_acl_inherit(SNUM(fsp->conn)))
441                 return NULL;
442
443         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL)
444                 return NULL;
445
446         do {
447                 if (fsp->fh->fd != -1)
448                         ret = SMB_VFS_FGETXATTR(fsp, fsp->fh->fd, SAMBA_POSIX_INHERITANCE_EA_NAME,
449                                         pai_buf, pai_buf_size);
450                 else
451                         ret = SMB_VFS_GETXATTR(fsp->conn,fsp->fsp_name,SAMBA_POSIX_INHERITANCE_EA_NAME,
452                                         pai_buf, pai_buf_size);
453
454                 if (ret == -1) {
455                         if (errno != ERANGE) {
456                                 break;
457                         }
458                         /* Buffer too small - enlarge it. */
459                         pai_buf_size *= 2;
460                         SAFE_FREE(pai_buf);
461                         if (pai_buf_size > 1024*1024) {
462                                 return NULL; /* Limit malloc to 1mb. */
463                         }
464                         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL)
465                                 return NULL;
466                 }
467         } while (ret == -1);
468
469         DEBUG(10,("load_inherited_info: ret = %lu for file %s\n", (unsigned long)ret, fsp->fsp_name));
470
471         if (ret == -1) {
472                 /* No attribute or not supported. */
473 #if defined(ENOATTR)
474                 if (errno != ENOATTR)
475                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
476 #else
477                 if (errno != ENOSYS)
478                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
479 #endif
480                 SAFE_FREE(pai_buf);
481                 return NULL;
482         }
483
484         paiv = create_pai_val(pai_buf, ret);
485
486         if (paiv && paiv->pai_protected)
487                 DEBUG(10,("load_inherited_info: ACL is protected for file %s\n", fsp->fsp_name));
488
489         SAFE_FREE(pai_buf);
490         return paiv;
491 }
492
493 /****************************************************************************
494  Functions to manipulate the internal ACE format.
495 ****************************************************************************/
496
497 /****************************************************************************
498  Count a linked list of canonical ACE entries.
499 ****************************************************************************/
500
501 static size_t count_canon_ace_list( canon_ace *list_head )
502 {
503         size_t count = 0;
504         canon_ace *ace;
505
506         for (ace = list_head; ace; ace = ace->next)
507                 count++;
508
509         return count;
510 }
511
512 /****************************************************************************
513  Free a linked list of canonical ACE entries.
514 ****************************************************************************/
515
516 static void free_canon_ace_list( canon_ace *list_head )
517 {
518         canon_ace *list, *next;
519
520         for (list = list_head; list; list = next) {
521                 next = list->next;
522                 DLIST_REMOVE(list_head, list);
523                 SAFE_FREE(list);
524         }
525 }
526
527 /****************************************************************************
528  Function to duplicate a canon_ace entry.
529 ****************************************************************************/
530
531 static canon_ace *dup_canon_ace( canon_ace *src_ace)
532 {
533         canon_ace *dst_ace = SMB_MALLOC_P(canon_ace);
534
535         if (dst_ace == NULL)
536                 return NULL;
537
538         *dst_ace = *src_ace;
539         dst_ace->prev = dst_ace->next = NULL;
540         return dst_ace;
541 }
542
543 /****************************************************************************
544  Print out a canon ace.
545 ****************************************************************************/
546
547 static void print_canon_ace(canon_ace *pace, int num)
548 {
549         fstring str;
550
551         dbgtext( "canon_ace index %d. Type = %s ", num, pace->attr == ALLOW_ACE ? "allow" : "deny" );
552         dbgtext( "SID = %s ", sid_to_string( str, &pace->trustee));
553         if (pace->owner_type == UID_ACE) {
554                 const char *u_name = uidtoname(pace->unix_ug.uid);
555                 dbgtext( "uid %u (%s) ", (unsigned int)pace->unix_ug.uid, u_name );
556         } else if (pace->owner_type == GID_ACE) {
557                 char *g_name = gidtoname(pace->unix_ug.gid);
558                 dbgtext( "gid %u (%s) ", (unsigned int)pace->unix_ug.gid, g_name );
559         } else
560                 dbgtext( "other ");
561         switch (pace->type) {
562                 case SMB_ACL_USER:
563                         dbgtext( "SMB_ACL_USER ");
564                         break;
565                 case SMB_ACL_USER_OBJ:
566                         dbgtext( "SMB_ACL_USER_OBJ ");
567                         break;
568                 case SMB_ACL_GROUP:
569                         dbgtext( "SMB_ACL_GROUP ");
570                         break;
571                 case SMB_ACL_GROUP_OBJ:
572                         dbgtext( "SMB_ACL_GROUP_OBJ ");
573                         break;
574                 case SMB_ACL_OTHER:
575                         dbgtext( "SMB_ACL_OTHER ");
576                         break;
577                 default:
578                         dbgtext( "MASK " );
579                         break;
580         }
581         if (pace->inherited)
582                 dbgtext( "(inherited) ");
583         dbgtext( "perms ");
584         dbgtext( "%c", pace->perms & S_IRUSR ? 'r' : '-');
585         dbgtext( "%c", pace->perms & S_IWUSR ? 'w' : '-');
586         dbgtext( "%c\n", pace->perms & S_IXUSR ? 'x' : '-');
587 }
588
589 /****************************************************************************
590  Print out a canon ace list.
591 ****************************************************************************/
592
593 static void print_canon_ace_list(const char *name, canon_ace *ace_list)
594 {
595         int count = 0;
596
597         if( DEBUGLVL( 10 )) {
598                 dbgtext( "print_canon_ace_list: %s\n", name );
599                 for (;ace_list; ace_list = ace_list->next, count++)
600                         print_canon_ace(ace_list, count );
601         }
602 }
603
604 /****************************************************************************
605  Map POSIX ACL perms to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
606 ****************************************************************************/
607
608 static mode_t convert_permset_to_mode_t(connection_struct *conn, SMB_ACL_PERMSET_T permset)
609 {
610         mode_t ret = 0;
611
612         ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_READ) ? S_IRUSR : 0);
613         ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_WRITE) ? S_IWUSR : 0);
614         ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_EXECUTE) ? S_IXUSR : 0);
615
616         return ret;
617 }
618
619 /****************************************************************************
620  Map generic UNIX permissions to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
621 ****************************************************************************/
622
623 static mode_t unix_perms_to_acl_perms(mode_t mode, int r_mask, int w_mask, int x_mask)
624 {
625         mode_t ret = 0;
626
627         if (mode & r_mask)
628                 ret |= S_IRUSR;
629         if (mode & w_mask)
630                 ret |= S_IWUSR;
631         if (mode & x_mask)
632                 ret |= S_IXUSR;
633
634         return ret;
635 }
636
637 /****************************************************************************
638  Map canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits) to
639  an SMB_ACL_PERMSET_T.
640 ****************************************************************************/
641
642 static int map_acl_perms_to_permset(connection_struct *conn, mode_t mode, SMB_ACL_PERMSET_T *p_permset)
643 {
644         if (SMB_VFS_SYS_ACL_CLEAR_PERMS(conn, *p_permset) ==  -1)
645                 return -1;
646         if (mode & S_IRUSR) {
647                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_READ) == -1)
648                         return -1;
649         }
650         if (mode & S_IWUSR) {
651                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_WRITE) == -1)
652                         return -1;
653         }
654         if (mode & S_IXUSR) {
655                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_EXECUTE) == -1)
656                         return -1;
657         }
658         return 0;
659 }
660
661 /****************************************************************************
662  Function to create owner and group SIDs from a SMB_STRUCT_STAT.
663 ****************************************************************************/
664
665 static void create_file_sids(SMB_STRUCT_STAT *psbuf, DOM_SID *powner_sid, DOM_SID *pgroup_sid)
666 {
667         uid_to_sid( powner_sid, psbuf->st_uid );
668         gid_to_sid( pgroup_sid, psbuf->st_gid );
669 }
670
671 /****************************************************************************
672  Is the identity in two ACEs equal ? Check both SID and uid/gid.
673 ****************************************************************************/
674
675 static BOOL identity_in_ace_equal(canon_ace *ace1, canon_ace *ace2)
676 {
677         if (sid_equal(&ace1->trustee, &ace2->trustee)) {
678                 return True;
679         }
680         if (ace1->owner_type == ace2->owner_type) {
681                 if (ace1->owner_type == UID_ACE &&
682                                 ace1->unix_ug.uid == ace2->unix_ug.uid) {
683                         return True;
684                 } else if (ace1->owner_type == GID_ACE &&
685                                 ace1->unix_ug.gid == ace2->unix_ug.gid) {
686                         return True;
687                 }
688         }
689         return False;
690 }
691
692 /****************************************************************************
693  Merge aces with a common sid - if both are allow or deny, OR the permissions together and
694  delete the second one. If the first is deny, mask the permissions off and delete the allow
695  if the permissions become zero, delete the deny if the permissions are non zero.
696 ****************************************************************************/
697
698 static void merge_aces( canon_ace **pp_list_head )
699 {
700         canon_ace *list_head = *pp_list_head;
701         canon_ace *curr_ace_outer;
702         canon_ace *curr_ace_outer_next;
703
704         /*
705          * First, merge allow entries with identical SIDs, and deny entries
706          * with identical SIDs.
707          */
708
709         for (curr_ace_outer = list_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
710                 canon_ace *curr_ace;
711                 canon_ace *curr_ace_next;
712
713                 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
714
715                 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
716
717                         curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
718
719                         if (identity_in_ace_equal(curr_ace, curr_ace_outer) &&
720                                 (curr_ace->attr == curr_ace_outer->attr)) {
721
722                                 if( DEBUGLVL( 10 )) {
723                                         dbgtext("merge_aces: Merging ACE's\n");
724                                         print_canon_ace( curr_ace_outer, 0);
725                                         print_canon_ace( curr_ace, 0);
726                                 }
727
728                                 /* Merge two allow or two deny ACE's. */
729
730                                 curr_ace_outer->perms |= curr_ace->perms;
731                                 DLIST_REMOVE(list_head, curr_ace);
732                                 SAFE_FREE(curr_ace);
733                                 curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
734                         }
735                 }
736         }
737
738         /*
739          * Now go through and mask off allow permissions with deny permissions.
740          * We can delete either the allow or deny here as we know that each SID
741          * appears only once in the list.
742          */
743
744         for (curr_ace_outer = list_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
745                 canon_ace *curr_ace;
746                 canon_ace *curr_ace_next;
747
748                 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
749
750                 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
751
752                         curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
753
754                         /*
755                          * Subtract ACE's with different entries. Due to the ordering constraints
756                          * we've put on the ACL, we know the deny must be the first one.
757                          */
758
759                         if (identity_in_ace_equal(curr_ace, curr_ace_outer) &&
760                                 (curr_ace_outer->attr == DENY_ACE) && (curr_ace->attr == ALLOW_ACE)) {
761
762                                 if( DEBUGLVL( 10 )) {
763                                         dbgtext("merge_aces: Masking ACE's\n");
764                                         print_canon_ace( curr_ace_outer, 0);
765                                         print_canon_ace( curr_ace, 0);
766                                 }
767
768                                 curr_ace->perms &= ~curr_ace_outer->perms;
769
770                                 if (curr_ace->perms == 0) {
771
772                                         /*
773                                          * The deny overrides the allow. Remove the allow.
774                                          */
775
776                                         DLIST_REMOVE(list_head, curr_ace);
777                                         SAFE_FREE(curr_ace);
778                                         curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
779
780                                 } else {
781
782                                         /*
783                                          * Even after removing permissions, there
784                                          * are still allow permissions - delete the deny.
785                                          * It is safe to delete the deny here,
786                                          * as we are guarenteed by the deny first
787                                          * ordering that all the deny entries for
788                                          * this SID have already been merged into one
789                                          * before we can get to an allow ace.
790                                          */
791
792                                         DLIST_REMOVE(list_head, curr_ace_outer);
793                                         SAFE_FREE(curr_ace_outer);
794                                         break;
795                                 }
796                         }
797
798                 } /* end for curr_ace */
799         } /* end for curr_ace_outer */
800
801         /* We may have modified the list. */
802
803         *pp_list_head = list_head;
804 }
805
806 /****************************************************************************
807  Check if we need to return NT4.x compatible ACL entries.
808 ****************************************************************************/
809
810 static BOOL nt4_compatible_acls(void)
811 {
812         int compat = lp_acl_compatibility();
813
814         if (compat == ACL_COMPAT_AUTO) {
815                 enum remote_arch_types ra_type = get_remote_arch();
816
817                 /* Automatically adapt to client */
818                 return (ra_type <= RA_WINNT);
819         } else
820                 return (compat == ACL_COMPAT_WINNT);
821 }
822
823
824 /****************************************************************************
825  Map canon_ace perms to permission bits NT.
826  The attr element is not used here - we only process deny entries on set,
827  not get. Deny entries are implicit on get with ace->perms = 0.
828 ****************************************************************************/
829
830 static SEC_ACCESS map_canon_ace_perms(int snum,
831                                 int *pacl_type,
832                                 mode_t perms,
833                                 BOOL directory_ace)
834 {
835         SEC_ACCESS sa;
836         uint32 nt_mask = 0;
837
838         *pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED;
839
840         if (lp_acl_map_full_control(snum) && ((perms & ALL_ACE_PERMS) == ALL_ACE_PERMS)) {
841                 if (directory_ace) {
842                         nt_mask = UNIX_DIRECTORY_ACCESS_RWX;
843                 } else {
844                         nt_mask = UNIX_ACCESS_RWX;
845                 }
846         } else if ((perms & ALL_ACE_PERMS) == (mode_t)0) {
847                 /*
848                  * Windows NT refuses to display ACEs with no permissions in them (but
849                  * they are perfectly legal with Windows 2000). If the ACE has empty
850                  * permissions we cannot use 0, so we use the otherwise unused
851                  * WRITE_OWNER permission, which we ignore when we set an ACL.
852                  * We abstract this into a #define of UNIX_ACCESS_NONE to allow this
853                  * to be changed in the future.
854                  */
855
856                 if (nt4_compatible_acls())
857                         nt_mask = UNIX_ACCESS_NONE;
858                 else
859                         nt_mask = 0;
860         } else {
861                 if (directory_ace) {
862                         nt_mask |= ((perms & S_IRUSR) ? UNIX_DIRECTORY_ACCESS_R : 0 );
863                         nt_mask |= ((perms & S_IWUSR) ? UNIX_DIRECTORY_ACCESS_W : 0 );
864                         nt_mask |= ((perms & S_IXUSR) ? UNIX_DIRECTORY_ACCESS_X : 0 );
865                 } else {
866                         nt_mask |= ((perms & S_IRUSR) ? UNIX_ACCESS_R : 0 );
867                         nt_mask |= ((perms & S_IWUSR) ? UNIX_ACCESS_W : 0 );
868                         nt_mask |= ((perms & S_IXUSR) ? UNIX_ACCESS_X : 0 );
869                 }
870         }
871
872         DEBUG(10,("map_canon_ace_perms: Mapped (UNIX) %x to (NT) %x\n",
873                         (unsigned int)perms, (unsigned int)nt_mask ));
874
875         init_sec_access(&sa,nt_mask);
876         return sa;
877 }
878
879 /****************************************************************************
880  Map NT perms to a UNIX mode_t.
881 ****************************************************************************/
882
883 #define FILE_SPECIFIC_READ_BITS (FILE_READ_DATA|FILE_READ_EA|FILE_READ_ATTRIBUTES)
884 #define FILE_SPECIFIC_WRITE_BITS (FILE_WRITE_DATA|FILE_APPEND_DATA|FILE_WRITE_EA|FILE_WRITE_ATTRIBUTES)
885 #define FILE_SPECIFIC_EXECUTE_BITS (FILE_EXECUTE)
886
887 static mode_t map_nt_perms( uint32 *mask, int type)
888 {
889         mode_t mode = 0;
890
891         switch(type) {
892         case S_IRUSR:
893                 if((*mask) & GENERIC_ALL_ACCESS)
894                         mode = S_IRUSR|S_IWUSR|S_IXUSR;
895                 else {
896                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRUSR : 0;
897                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWUSR : 0;
898                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXUSR : 0;
899                 }
900                 break;
901         case S_IRGRP:
902                 if((*mask) & GENERIC_ALL_ACCESS)
903                         mode = S_IRGRP|S_IWGRP|S_IXGRP;
904                 else {
905                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRGRP : 0;
906                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWGRP : 0;
907                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXGRP : 0;
908                 }
909                 break;
910         case S_IROTH:
911                 if((*mask) & GENERIC_ALL_ACCESS)
912                         mode = S_IROTH|S_IWOTH|S_IXOTH;
913                 else {
914                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IROTH : 0;
915                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWOTH : 0;
916                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXOTH : 0;
917                 }
918                 break;
919         }
920
921         return mode;
922 }
923
924 /****************************************************************************
925  Unpack a SEC_DESC into a UNIX owner and group.
926 ****************************************************************************/
927
928 NTSTATUS unpack_nt_owners(int snum, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, SEC_DESC *psd)
929 {
930         DOM_SID owner_sid;
931         DOM_SID grp_sid;
932
933         *puser = (uid_t)-1;
934         *pgrp = (gid_t)-1;
935
936         if(security_info_sent == 0) {
937                 DEBUG(0,("unpack_nt_owners: no security info sent !\n"));
938                 return NT_STATUS_OK;
939         }
940
941         /*
942          * Validate the owner and group SID's.
943          */
944
945         memset(&owner_sid, '\0', sizeof(owner_sid));
946         memset(&grp_sid, '\0', sizeof(grp_sid));
947
948         DEBUG(5,("unpack_nt_owners: validating owner_sids.\n"));
949
950         /*
951          * Don't immediately fail if the owner sid cannot be validated.
952          * This may be a group chown only set.
953          */
954
955         if (security_info_sent & OWNER_SECURITY_INFORMATION) {
956                 sid_copy(&owner_sid, psd->owner_sid);
957                 if (!sid_to_uid(&owner_sid, puser)) {
958                         if (lp_force_unknown_acl_user(snum)) {
959                                 /* this allows take ownership to work
960                                  * reasonably */
961                                 *puser = current_user.ut.uid;
962                         } else {
963                                 DEBUG(3,("unpack_nt_owners: unable to validate"
964                                          " owner sid for %s\n",
965                                          sid_string_static(&owner_sid)));
966                                 return NT_STATUS_INVALID_OWNER;
967                         }
968                 }
969                 DEBUG(3,("unpack_nt_owners: owner sid mapped to uid %u\n",
970                          (unsigned int)*puser ));
971         }
972
973         /*
974          * Don't immediately fail if the group sid cannot be validated.
975          * This may be an owner chown only set.
976          */
977
978         if (security_info_sent & GROUP_SECURITY_INFORMATION) {
979                 sid_copy(&grp_sid, psd->group_sid);
980                 if (!sid_to_gid( &grp_sid, pgrp)) {
981                         if (lp_force_unknown_acl_user(snum)) {
982                                 /* this allows take group ownership to work
983                                  * reasonably */
984                                 *pgrp = current_user.ut.gid;
985                         } else {
986                                 DEBUG(3,("unpack_nt_owners: unable to validate"
987                                          " group sid.\n"));
988                                 return NT_STATUS_INVALID_OWNER;
989                         }
990                 }
991                 DEBUG(3,("unpack_nt_owners: group sid mapped to gid %u\n",
992                          (unsigned int)*pgrp));
993         }
994
995         DEBUG(5,("unpack_nt_owners: owner_sids validated.\n"));
996
997         return NT_STATUS_OK;
998 }
999
1000 /****************************************************************************
1001  Ensure the enforced permissions for this share apply.
1002 ****************************************************************************/
1003
1004 static void apply_default_perms(files_struct *fsp, canon_ace *pace, mode_t type)
1005 {
1006         int snum = SNUM(fsp->conn);
1007         mode_t and_bits = (mode_t)0;
1008         mode_t or_bits = (mode_t)0;
1009
1010         /* Get the initial bits to apply. */
1011
1012         if (fsp->is_directory) {
1013                 and_bits = lp_dir_security_mask(snum);
1014                 or_bits = lp_force_dir_security_mode(snum);
1015         } else {
1016                 and_bits = lp_security_mask(snum);
1017                 or_bits = lp_force_security_mode(snum);
1018         }
1019
1020         /* Now bounce them into the S_USR space. */     
1021         switch(type) {
1022         case S_IRUSR:
1023                 /* Ensure owner has read access. */
1024                 pace->perms |= S_IRUSR;
1025                 if (fsp->is_directory)
1026                         pace->perms |= (S_IWUSR|S_IXUSR);
1027                 and_bits = unix_perms_to_acl_perms(and_bits, S_IRUSR, S_IWUSR, S_IXUSR);
1028                 or_bits = unix_perms_to_acl_perms(or_bits, S_IRUSR, S_IWUSR, S_IXUSR);
1029                 break;
1030         case S_IRGRP:
1031                 and_bits = unix_perms_to_acl_perms(and_bits, S_IRGRP, S_IWGRP, S_IXGRP);
1032                 or_bits = unix_perms_to_acl_perms(or_bits, S_IRGRP, S_IWGRP, S_IXGRP);
1033                 break;
1034         case S_IROTH:
1035                 and_bits = unix_perms_to_acl_perms(and_bits, S_IROTH, S_IWOTH, S_IXOTH);
1036                 or_bits = unix_perms_to_acl_perms(or_bits, S_IROTH, S_IWOTH, S_IXOTH);
1037                 break;
1038         }
1039
1040         pace->perms = ((pace->perms & and_bits)|or_bits);
1041 }
1042
1043 /****************************************************************************
1044  Check if a given uid/SID is in a group gid/SID. This is probably very
1045  expensive and will need optimisation. A *lot* of optimisation :-). JRA.
1046 ****************************************************************************/
1047
1048 static BOOL uid_entry_in_group( canon_ace *uid_ace, canon_ace *group_ace )
1049 {
1050         fstring u_name;
1051
1052         /* "Everyone" always matches every uid. */
1053
1054         if (sid_equal(&group_ace->trustee, &global_sid_World))
1055                 return True;
1056
1057         /* Assume that the current user is in the current group (force group) */
1058
1059         if (uid_ace->unix_ug.uid == current_user.ut.uid && group_ace->unix_ug.gid == current_user.ut.gid)
1060                 return True;
1061
1062         fstrcpy(u_name, uidtoname(uid_ace->unix_ug.uid));
1063         return user_in_group_sid(u_name, &group_ace->trustee);
1064 }
1065
1066 /****************************************************************************
1067  A well formed POSIX file or default ACL has at least 3 entries, a 
1068  SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ.
1069  In addition, the owner must always have at least read access.
1070  When using this call on get_acl, the pst struct is valid and contains
1071  the mode of the file. When using this call on set_acl, the pst struct has
1072  been modified to have a mode containing the default for this file or directory
1073  type.
1074 ****************************************************************************/
1075
1076 static BOOL ensure_canon_entry_valid(canon_ace **pp_ace,
1077                                                         files_struct *fsp,
1078                                                         const DOM_SID *pfile_owner_sid,
1079                                                         const DOM_SID *pfile_grp_sid,
1080                                                         SMB_STRUCT_STAT *pst,
1081                                                         BOOL setting_acl)
1082 {
1083         canon_ace *pace;
1084         BOOL got_user = False;
1085         BOOL got_grp = False;
1086         BOOL got_other = False;
1087         canon_ace *pace_other = NULL;
1088
1089         for (pace = *pp_ace; pace; pace = pace->next) {
1090                 if (pace->type == SMB_ACL_USER_OBJ) {
1091
1092                         if (setting_acl)
1093                                 apply_default_perms(fsp, pace, S_IRUSR);
1094                         got_user = True;
1095
1096                 } else if (pace->type == SMB_ACL_GROUP_OBJ) {
1097
1098                         /*
1099                          * Ensure create mask/force create mode is respected on set.
1100                          */
1101
1102                         if (setting_acl)
1103                                 apply_default_perms(fsp, pace, S_IRGRP);
1104                         got_grp = True;
1105
1106                 } else if (pace->type == SMB_ACL_OTHER) {
1107
1108                         /*
1109                          * Ensure create mask/force create mode is respected on set.
1110                          */
1111
1112                         if (setting_acl)
1113                                 apply_default_perms(fsp, pace, S_IROTH);
1114                         got_other = True;
1115                         pace_other = pace;
1116                 }
1117         }
1118
1119         if (!got_user) {
1120                 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1121                         DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1122                         return False;
1123                 }
1124
1125                 ZERO_STRUCTP(pace);
1126                 pace->type = SMB_ACL_USER_OBJ;
1127                 pace->owner_type = UID_ACE;
1128                 pace->unix_ug.uid = pst->st_uid;
1129                 pace->trustee = *pfile_owner_sid;
1130                 pace->attr = ALLOW_ACE;
1131
1132                 if (setting_acl) {
1133                         /* See if the owning user is in any of the other groups in
1134                            the ACE. If so, OR in the permissions from that group. */
1135
1136                         BOOL group_matched = False;
1137                         canon_ace *pace_iter;
1138
1139                         for (pace_iter = *pp_ace; pace_iter; pace_iter = pace_iter->next) {
1140                                 if (pace_iter->type == SMB_ACL_GROUP_OBJ || pace_iter->type == SMB_ACL_GROUP) {
1141                                         if (uid_entry_in_group(pace, pace_iter)) {
1142                                                 pace->perms |= pace_iter->perms;
1143                                                 group_matched = True;
1144                                         }
1145                                 }
1146                         }
1147
1148                         /* If we only got an "everyone" perm, just use that. */
1149                         if (!group_matched) {
1150                                 if (got_other)
1151                                         pace->perms = pace_other->perms;
1152                                 else
1153                                         pace->perms = 0;
1154                         }
1155
1156                         apply_default_perms(fsp, pace, S_IRUSR);
1157                 } else {
1158                         pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IRUSR, S_IWUSR, S_IXUSR);
1159                 }
1160
1161                 DLIST_ADD(*pp_ace, pace);
1162         }
1163
1164         if (!got_grp) {
1165                 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1166                         DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1167                         return False;
1168                 }
1169
1170                 ZERO_STRUCTP(pace);
1171                 pace->type = SMB_ACL_GROUP_OBJ;
1172                 pace->owner_type = GID_ACE;
1173                 pace->unix_ug.uid = pst->st_gid;
1174                 pace->trustee = *pfile_grp_sid;
1175                 pace->attr = ALLOW_ACE;
1176                 if (setting_acl) {
1177                         /* If we only got an "everyone" perm, just use that. */
1178                         if (got_other)
1179                                 pace->perms = pace_other->perms;
1180                         else
1181                                 pace->perms = 0;
1182                         apply_default_perms(fsp, pace, S_IRGRP);
1183                 } else {
1184                         pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IRGRP, S_IWGRP, S_IXGRP);
1185                 }
1186
1187                 DLIST_ADD(*pp_ace, pace);
1188         }
1189
1190         if (!got_other) {
1191                 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1192                         DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1193                         return False;
1194                 }
1195
1196                 ZERO_STRUCTP(pace);
1197                 pace->type = SMB_ACL_OTHER;
1198                 pace->owner_type = WORLD_ACE;
1199                 pace->unix_ug.world = -1;
1200                 pace->trustee = global_sid_World;
1201                 pace->attr = ALLOW_ACE;
1202                 if (setting_acl) {
1203                         pace->perms = 0;
1204                         apply_default_perms(fsp, pace, S_IROTH);
1205                 } else
1206                         pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IROTH, S_IWOTH, S_IXOTH);
1207
1208                 DLIST_ADD(*pp_ace, pace);
1209         }
1210
1211         return True;
1212 }
1213
1214 /****************************************************************************
1215  Check if a POSIX ACL has the required SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries.
1216  If it does not have them, check if there are any entries where the trustee is the
1217  file owner or the owning group, and map these to SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ.
1218 ****************************************************************************/
1219
1220 static void check_owning_objs(canon_ace *ace, DOM_SID *pfile_owner_sid, DOM_SID *pfile_grp_sid)
1221 {
1222         BOOL got_user_obj, got_group_obj;
1223         canon_ace *current_ace;
1224         int i, entries;
1225
1226         entries = count_canon_ace_list(ace);
1227         got_user_obj = False;
1228         got_group_obj = False;
1229
1230         for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1231                 if (current_ace->type == SMB_ACL_USER_OBJ)
1232                         got_user_obj = True;
1233                 else if (current_ace->type == SMB_ACL_GROUP_OBJ)
1234                         got_group_obj = True;
1235         }
1236         if (got_user_obj && got_group_obj) {
1237                 DEBUG(10,("check_owning_objs: ACL had owning user/group entries.\n"));
1238                 return;
1239         }
1240
1241         for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1242                 if (!got_user_obj && current_ace->owner_type == UID_ACE &&
1243                                 sid_equal(&current_ace->trustee, pfile_owner_sid)) {
1244                         current_ace->type = SMB_ACL_USER_OBJ;
1245                         got_user_obj = True;
1246                 }
1247                 if (!got_group_obj && current_ace->owner_type == GID_ACE &&
1248                                 sid_equal(&current_ace->trustee, pfile_grp_sid)) {
1249                         current_ace->type = SMB_ACL_GROUP_OBJ;
1250                         got_group_obj = True;
1251                 }
1252         }
1253         if (!got_user_obj)
1254                 DEBUG(10,("check_owning_objs: ACL is missing an owner entry.\n"));
1255         if (!got_group_obj)
1256                 DEBUG(10,("check_owning_objs: ACL is missing an owning group entry.\n"));
1257 }
1258
1259 /****************************************************************************
1260  Unpack a SEC_DESC into two canonical ace lists.
1261 ****************************************************************************/
1262
1263 static BOOL create_canon_ace_lists(files_struct *fsp, SMB_STRUCT_STAT *pst,
1264                                                         DOM_SID *pfile_owner_sid,
1265                                                         DOM_SID *pfile_grp_sid,
1266                                                         canon_ace **ppfile_ace, canon_ace **ppdir_ace,
1267                                                         SEC_ACL *dacl)
1268 {
1269         BOOL all_aces_are_inherit_only = (fsp->is_directory ? True : False);
1270         canon_ace *file_ace = NULL;
1271         canon_ace *dir_ace = NULL;
1272         canon_ace *current_ace = NULL;
1273         BOOL got_dir_allow = False;
1274         BOOL got_file_allow = False;
1275         int i, j;
1276
1277         *ppfile_ace = NULL;
1278         *ppdir_ace = NULL;
1279
1280         /*
1281          * Convert the incoming ACL into a more regular form.
1282          */
1283
1284         for(i = 0; i < dacl->num_aces; i++) {
1285                 SEC_ACE *psa = &dacl->aces[i];
1286
1287                 if((psa->type != SEC_ACE_TYPE_ACCESS_ALLOWED) && (psa->type != SEC_ACE_TYPE_ACCESS_DENIED)) {
1288                         DEBUG(3,("create_canon_ace_lists: unable to set anything but an ALLOW or DENY ACE.\n"));
1289                         return False;
1290                 }
1291
1292                 if (nt4_compatible_acls()) {
1293                         /*
1294                          * The security mask may be UNIX_ACCESS_NONE which should map into
1295                          * no permissions (we overload the WRITE_OWNER bit for this) or it
1296                          * should be one of the ALL/EXECUTE/READ/WRITE bits. Arrange for this
1297                          * to be so. Any other bits override the UNIX_ACCESS_NONE bit.
1298                          */
1299
1300                         /*
1301                          * Convert GENERIC bits to specific bits.
1302                          */
1303  
1304                         se_map_generic(&psa->access_mask, &file_generic_mapping);
1305
1306                         psa->access_mask &= (UNIX_ACCESS_NONE|FILE_ALL_ACCESS);
1307
1308                         if(psa->access_mask != UNIX_ACCESS_NONE)
1309                                 psa->access_mask &= ~UNIX_ACCESS_NONE;
1310                 }
1311         }
1312
1313         /*
1314          * Deal with the fact that NT 4.x re-writes the canonical format
1315          * that we return for default ACLs. If a directory ACE is identical
1316          * to a inherited directory ACE then NT changes the bits so that the
1317          * first ACE is set to OI|IO and the second ACE for this SID is set
1318          * to CI. We need to repair this. JRA.
1319          */
1320
1321         for(i = 0; i < dacl->num_aces; i++) {
1322                 SEC_ACE *psa1 = &dacl->aces[i];
1323
1324                 for (j = i + 1; j < dacl->num_aces; j++) {
1325                         SEC_ACE *psa2 = &dacl->aces[j];
1326
1327                         if (psa1->access_mask != psa2->access_mask)
1328                                 continue;
1329
1330                         if (!sid_equal(&psa1->trustee, &psa2->trustee))
1331                                 continue;
1332
1333                         /*
1334                          * Ok - permission bits and SIDs are equal.
1335                          * Check if flags were re-written.
1336                          */
1337
1338                         if (psa1->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1339
1340                                 psa1->flags |= (psa2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1341                                 psa2->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1342                                 
1343                         } else if (psa2->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1344
1345                                 psa2->flags |= (psa1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1346                                 psa1->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1347                                 
1348                         }
1349                 }
1350         }
1351
1352         for(i = 0; i < dacl->num_aces; i++) {
1353                 SEC_ACE *psa = &dacl->aces[i];
1354
1355                 /*
1356                  * Create a cannon_ace entry representing this NT DACL ACE.
1357                  */
1358
1359                 if ((current_ace = SMB_MALLOC_P(canon_ace)) == NULL) {
1360                         free_canon_ace_list(file_ace);
1361                         free_canon_ace_list(dir_ace);
1362                         DEBUG(0,("create_canon_ace_lists: malloc fail.\n"));
1363                         return False;
1364                 }
1365
1366                 ZERO_STRUCTP(current_ace);
1367
1368                 sid_copy(&current_ace->trustee, &psa->trustee);
1369
1370                 /*
1371                  * Try and work out if the SID is a user or group
1372                  * as we need to flag these differently for POSIX.
1373                  * Note what kind of a POSIX ACL this should map to.
1374                  */
1375
1376                 if( sid_equal(&current_ace->trustee, &global_sid_World)) {
1377                         current_ace->owner_type = WORLD_ACE;
1378                         current_ace->unix_ug.world = -1;
1379                         current_ace->type = SMB_ACL_OTHER;
1380                 } else if (sid_equal(&current_ace->trustee, &global_sid_Creator_Owner)) {
1381                         current_ace->owner_type = UID_ACE;
1382                         current_ace->unix_ug.uid = pst->st_uid;
1383                         current_ace->type = SMB_ACL_USER_OBJ;
1384
1385                         /*
1386                          * The Creator Owner entry only specifies inheritable permissions,
1387                          * never access permissions. WinNT doesn't always set the ACE to
1388                          *INHERIT_ONLY, though.
1389                          */
1390
1391                         if (nt4_compatible_acls())
1392                                 psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1393                 } else if (sid_equal(&current_ace->trustee, &global_sid_Creator_Group)) {
1394                         current_ace->owner_type = GID_ACE;
1395                         current_ace->unix_ug.gid = pst->st_gid;
1396                         current_ace->type = SMB_ACL_GROUP_OBJ;
1397
1398                         /*
1399                          * The Creator Group entry only specifies inheritable permissions,
1400                          * never access permissions. WinNT doesn't always set the ACE to
1401                          *INHERIT_ONLY, though.
1402                          */
1403                         if (nt4_compatible_acls())
1404                                 psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1405
1406                 } else if (sid_to_uid( &current_ace->trustee, &current_ace->unix_ug.uid)) {
1407                         current_ace->owner_type = UID_ACE;
1408                         current_ace->type = SMB_ACL_USER;
1409                 } else if (sid_to_gid( &current_ace->trustee, &current_ace->unix_ug.gid)) {
1410                         current_ace->owner_type = GID_ACE;
1411                         current_ace->type = SMB_ACL_GROUP;
1412                 } else {
1413                         fstring str;
1414
1415                         /*
1416                          * Silently ignore map failures in non-mappable SIDs (NT Authority, BUILTIN etc).
1417                          */
1418
1419                         if (non_mappable_sid(&psa->trustee)) {
1420                                 DEBUG(10,("create_canon_ace_lists: ignoring non-mappable SID %s\n",
1421                                         sid_to_string(str, &psa->trustee) ));
1422                                 SAFE_FREE(current_ace);
1423                                 continue;
1424                         }
1425
1426                         free_canon_ace_list(file_ace);
1427                         free_canon_ace_list(dir_ace);
1428                         DEBUG(0,("create_canon_ace_lists: unable to map SID %s to uid or gid.\n",
1429                                 sid_to_string(str, &current_ace->trustee) ));
1430                         SAFE_FREE(current_ace);
1431                         return False;
1432                 }
1433
1434                 /*
1435                  * Map the given NT permissions into a UNIX mode_t containing only
1436                  * S_I(R|W|X)USR bits.
1437                  */
1438
1439                 current_ace->perms |= map_nt_perms( &psa->access_mask, S_IRUSR);
1440                 current_ace->attr = (psa->type == SEC_ACE_TYPE_ACCESS_ALLOWED) ? ALLOW_ACE : DENY_ACE;
1441                 current_ace->inherited = ((psa->flags & SEC_ACE_FLAG_INHERITED_ACE) ? True : False);
1442
1443                 /*
1444                  * Now add the created ace to either the file list, the directory
1445                  * list, or both. We *MUST* preserve the order here (hence we use
1446                  * DLIST_ADD_END) as NT ACLs are order dependent.
1447                  */
1448
1449                 if (fsp->is_directory) {
1450
1451                         /*
1452                          * We can only add to the default POSIX ACE list if the ACE is
1453                          * designed to be inherited by both files and directories.
1454                          */
1455
1456                         if ((psa->flags & (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) ==
1457                                 (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) {
1458
1459                                 DLIST_ADD_END(dir_ace, current_ace, canon_ace *);
1460
1461                                 /*
1462                                  * Note if this was an allow ace. We can't process
1463                                  * any further deny ace's after this.
1464                                  */
1465
1466                                 if (current_ace->attr == ALLOW_ACE)
1467                                         got_dir_allow = True;
1468
1469                                 if ((current_ace->attr == DENY_ACE) && got_dir_allow) {
1470                                         DEBUG(0,("create_canon_ace_lists: malformed ACL in inheritable ACL ! \
1471 Deny entry after Allow entry. Failing to set on file %s.\n", fsp->fsp_name ));
1472                                         free_canon_ace_list(file_ace);
1473                                         free_canon_ace_list(dir_ace);
1474                                         return False;
1475                                 }       
1476
1477                                 if( DEBUGLVL( 10 )) {
1478                                         dbgtext("create_canon_ace_lists: adding dir ACL:\n");
1479                                         print_canon_ace( current_ace, 0);
1480                                 }
1481
1482                                 /*
1483                                  * If this is not an inherit only ACE we need to add a duplicate
1484                                  * to the file acl.
1485                                  */
1486
1487                                 if (!(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1488                                         canon_ace *dup_ace = dup_canon_ace(current_ace);
1489
1490                                         if (!dup_ace) {
1491                                                 DEBUG(0,("create_canon_ace_lists: malloc fail !\n"));
1492                                                 free_canon_ace_list(file_ace);
1493                                                 free_canon_ace_list(dir_ace);
1494                                                 return False;
1495                                         }
1496
1497                                         /*
1498                                          * We must not free current_ace here as its
1499                                          * pointer is now owned by the dir_ace list.
1500                                          */
1501                                         current_ace = dup_ace;
1502                                 } else {
1503                                         /*
1504                                          * We must not free current_ace here as its
1505                                          * pointer is now owned by the dir_ace list.
1506                                          */
1507                                         current_ace = NULL;
1508                                 }
1509                         }
1510                 }
1511
1512                 /*
1513                  * Only add to the file ACL if not inherit only.
1514                  */
1515
1516                 if (current_ace && !(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1517                         DLIST_ADD_END(file_ace, current_ace, canon_ace *);
1518
1519                         /*
1520                          * Note if this was an allow ace. We can't process
1521                          * any further deny ace's after this.
1522                          */
1523
1524                         if (current_ace->attr == ALLOW_ACE)
1525                                 got_file_allow = True;
1526
1527                         if ((current_ace->attr == DENY_ACE) && got_file_allow) {
1528                                 DEBUG(0,("create_canon_ace_lists: malformed ACL in file ACL ! \
1529 Deny entry after Allow entry. Failing to set on file %s.\n", fsp->fsp_name ));
1530                                 free_canon_ace_list(file_ace);
1531                                 free_canon_ace_list(dir_ace);
1532                                 return False;
1533                         }       
1534
1535                         if( DEBUGLVL( 10 )) {
1536                                 dbgtext("create_canon_ace_lists: adding file ACL:\n");
1537                                 print_canon_ace( current_ace, 0);
1538                         }
1539                         all_aces_are_inherit_only = False;
1540                         /*
1541                          * We must not free current_ace here as its
1542                          * pointer is now owned by the file_ace list.
1543                          */
1544                         current_ace = NULL;
1545                 }
1546
1547                 /*
1548                  * Free if ACE was not added.
1549                  */
1550
1551                 SAFE_FREE(current_ace);
1552         }
1553
1554         if (fsp->is_directory && all_aces_are_inherit_only) {
1555                 /*
1556                  * Windows 2000 is doing one of these weird 'inherit acl'
1557                  * traverses to conserve NTFS ACL resources. Just pretend
1558                  * there was no DACL sent. JRA.
1559                  */
1560
1561                 DEBUG(10,("create_canon_ace_lists: Win2k inherit acl traverse. Ignoring DACL.\n"));
1562                 free_canon_ace_list(file_ace);
1563                 free_canon_ace_list(dir_ace);
1564                 file_ace = NULL;
1565                 dir_ace = NULL;
1566         } else {
1567                 /*
1568                  * Check if we have SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries in each
1569                  * ACL. If we don't have them, check if any SMB_ACL_USER/SMB_ACL_GROUP
1570                  * entries can be converted to *_OBJ. Usually we will already have these
1571                  * entries in the Default ACL, and the Access ACL will not have them.
1572                  */
1573                 if (file_ace) {
1574                         check_owning_objs(file_ace, pfile_owner_sid, pfile_grp_sid);
1575                 }
1576                 if (dir_ace) {
1577                         check_owning_objs(dir_ace, pfile_owner_sid, pfile_grp_sid);
1578                 }
1579         }
1580
1581         *ppfile_ace = file_ace;
1582         *ppdir_ace = dir_ace;
1583
1584         return True;
1585 }
1586
1587 /****************************************************************************
1588  ASCII art time again... JRA :-).
1589
1590  We have 4 cases to process when moving from an NT ACL to a POSIX ACL. Firstly,
1591  we insist the ACL is in canonical form (ie. all DENY entries preceede ALLOW
1592  entries). Secondly, the merge code has ensured that all duplicate SID entries for
1593  allow or deny have been merged, so the same SID can only appear once in the deny
1594  list or once in the allow list.
1595
1596  We then process as follows :
1597
1598  ---------------------------------------------------------------------------
1599  First pass - look for a Everyone DENY entry.
1600
1601  If it is deny all (rwx) trunate the list at this point.
1602  Else, walk the list from this point and use the deny permissions of this
1603  entry as a mask on all following allow entries. Finally, delete
1604  the Everyone DENY entry (we have applied it to everything possible).
1605
1606  In addition, in this pass we remove any DENY entries that have 
1607  no permissions (ie. they are a DENY nothing).
1608  ---------------------------------------------------------------------------
1609  Second pass - only deal with deny user entries.
1610
1611  DENY user1 (perms XXX)
1612
1613  new_perms = 0
1614  for all following allow group entries where user1 is in group
1615         new_perms |= group_perms;
1616
1617  user1 entry perms = new_perms & ~ XXX;
1618
1619  Convert the deny entry to an allow entry with the new perms and
1620  push to the end of the list. Note if the user was in no groups
1621  this maps to a specific allow nothing entry for this user.
1622
1623  The common case from the NT ACL choser (userX deny all) is
1624  optimised so we don't do the group lookup - we just map to
1625  an allow nothing entry.
1626
1627  What we're doing here is inferring the allow permissions the
1628  person setting the ACE on user1 wanted by looking at the allow
1629  permissions on the groups the user is currently in. This will
1630  be a snapshot, depending on group membership but is the best
1631  we can do and has the advantage of failing closed rather than
1632  open.
1633  ---------------------------------------------------------------------------
1634  Third pass - only deal with deny group entries.
1635
1636  DENY group1 (perms XXX)
1637
1638  for all following allow user entries where user is in group1
1639    user entry perms = user entry perms & ~ XXX;
1640
1641  If there is a group Everyone allow entry with permissions YYY,
1642  convert the group1 entry to an allow entry and modify its
1643  permissions to be :
1644
1645  new_perms = YYY & ~ XXX
1646
1647  and push to the end of the list.
1648
1649  If there is no group Everyone allow entry then convert the
1650  group1 entry to a allow nothing entry and push to the end of the list.
1651
1652  Note that the common case from the NT ACL choser (groupX deny all)
1653  cannot be optimised here as we need to modify user entries who are
1654  in the group to change them to a deny all also.
1655
1656  What we're doing here is modifying the allow permissions of
1657  user entries (which are more specific in POSIX ACLs) to mask
1658  out the explicit deny set on the group they are in. This will
1659  be a snapshot depending on current group membership but is the
1660  best we can do and has the advantage of failing closed rather
1661  than open.
1662  ---------------------------------------------------------------------------
1663  Fourth pass - cope with cumulative permissions.
1664
1665  for all allow user entries, if there exists an allow group entry with
1666  more permissive permissions, and the user is in that group, rewrite the
1667  allow user permissions to contain both sets of permissions.
1668
1669  Currently the code for this is #ifdef'ed out as these semantics make
1670  no sense to me. JRA.
1671  ---------------------------------------------------------------------------
1672
1673  Note we *MUST* do the deny user pass first as this will convert deny user
1674  entries into allow user entries which can then be processed by the deny
1675  group pass.
1676
1677  The above algorithm took a *lot* of thinking about - hence this
1678  explaination :-). JRA.
1679 ****************************************************************************/
1680
1681 /****************************************************************************
1682  Process a canon_ace list entries. This is very complex code. We need
1683  to go through and remove the "deny" permissions from any allow entry that matches
1684  the id of this entry. We have already refused any NT ACL that wasn't in correct
1685  order (DENY followed by ALLOW). If any allow entry ends up with zero permissions,
1686  we just remove it (to fail safe). We have already removed any duplicate ace
1687  entries. Treat an "Everyone" DENY_ACE as a special case - use it to mask all
1688  allow entries.
1689 ****************************************************************************/
1690
1691 static void process_deny_list( canon_ace **pp_ace_list )
1692 {
1693         canon_ace *ace_list = *pp_ace_list;
1694         canon_ace *curr_ace = NULL;
1695         canon_ace *curr_ace_next = NULL;
1696
1697         /* Pass 1 above - look for an Everyone, deny entry. */
1698
1699         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
1700                 canon_ace *allow_ace_p;
1701
1702                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
1703
1704                 if (curr_ace->attr != DENY_ACE)
1705                         continue;
1706
1707                 if (curr_ace->perms == (mode_t)0) {
1708
1709                         /* Deny nothing entry - delete. */
1710
1711                         DLIST_REMOVE(ace_list, curr_ace);
1712                         continue;
1713                 }
1714
1715                 if (!sid_equal(&curr_ace->trustee, &global_sid_World))
1716                         continue;
1717
1718                 /* JRATEST - assert. */
1719                 SMB_ASSERT(curr_ace->owner_type == WORLD_ACE);
1720
1721                 if (curr_ace->perms == ALL_ACE_PERMS) {
1722
1723                         /*
1724                          * Optimisation. This is a DENY_ALL to Everyone. Truncate the
1725                          * list at this point including this entry.
1726                          */
1727
1728                         canon_ace *prev_entry = curr_ace->prev;
1729
1730                         free_canon_ace_list( curr_ace );
1731                         if (prev_entry)
1732                                 prev_entry->next = NULL;
1733                         else {
1734                                 /* We deleted the entire list. */
1735                                 ace_list = NULL;
1736                         }
1737                         break;
1738                 }
1739
1740                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
1741
1742                         /* 
1743                          * Only mask off allow entries.
1744                          */
1745
1746                         if (allow_ace_p->attr != ALLOW_ACE)
1747                                 continue;
1748
1749                         allow_ace_p->perms &= ~curr_ace->perms;
1750                 }
1751
1752                 /*
1753                  * Now it's been applied, remove it.
1754                  */
1755
1756                 DLIST_REMOVE(ace_list, curr_ace);
1757         }
1758
1759         /* Pass 2 above - deal with deny user entries. */
1760
1761         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
1762                 mode_t new_perms = (mode_t)0;
1763                 canon_ace *allow_ace_p;
1764
1765                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
1766
1767                 if (curr_ace->attr != DENY_ACE)
1768                         continue;
1769
1770                 if (curr_ace->owner_type != UID_ACE)
1771                         continue;
1772
1773                 if (curr_ace->perms == ALL_ACE_PERMS) {
1774
1775                         /*
1776                          * Optimisation - this is a deny everything to this user.
1777                          * Convert to an allow nothing and push to the end of the list.
1778                          */
1779
1780                         curr_ace->attr = ALLOW_ACE;
1781                         curr_ace->perms = (mode_t)0;
1782                         DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
1783                         continue;
1784                 }
1785
1786                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
1787
1788                         if (allow_ace_p->attr != ALLOW_ACE)
1789                                 continue;
1790
1791                         /* We process GID_ACE and WORLD_ACE entries only. */
1792
1793                         if (allow_ace_p->owner_type == UID_ACE)
1794                                 continue;
1795
1796                         if (uid_entry_in_group( curr_ace, allow_ace_p))
1797                                 new_perms |= allow_ace_p->perms;
1798                 }
1799
1800                 /*
1801                  * Convert to a allow entry, modify the perms and push to the end
1802                  * of the list.
1803                  */
1804
1805                 curr_ace->attr = ALLOW_ACE;
1806                 curr_ace->perms = (new_perms & ~curr_ace->perms);
1807                 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
1808         }
1809
1810         /* Pass 3 above - deal with deny group entries. */
1811
1812         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
1813                 canon_ace *allow_ace_p;
1814                 canon_ace *allow_everyone_p = NULL;
1815
1816                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
1817
1818                 if (curr_ace->attr != DENY_ACE)
1819                         continue;
1820
1821                 if (curr_ace->owner_type != GID_ACE)
1822                         continue;
1823
1824                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
1825
1826                         if (allow_ace_p->attr != ALLOW_ACE)
1827                                 continue;
1828
1829                         /* Store a pointer to the Everyone allow, if it exists. */
1830                         if (allow_ace_p->owner_type == WORLD_ACE)
1831                                 allow_everyone_p = allow_ace_p;
1832
1833                         /* We process UID_ACE entries only. */
1834
1835                         if (allow_ace_p->owner_type != UID_ACE)
1836                                 continue;
1837
1838                         /* Mask off the deny group perms. */
1839
1840                         if (uid_entry_in_group( allow_ace_p, curr_ace))
1841                                 allow_ace_p->perms &= ~curr_ace->perms;
1842                 }
1843
1844                 /*
1845                  * Convert the deny to an allow with the correct perms and
1846                  * push to the end of the list.
1847                  */
1848
1849                 curr_ace->attr = ALLOW_ACE;
1850                 if (allow_everyone_p)
1851                         curr_ace->perms = allow_everyone_p->perms & ~curr_ace->perms;
1852                 else
1853                         curr_ace->perms = (mode_t)0;
1854                 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
1855         }
1856
1857         /* Doing this fourth pass allows Windows semantics to be layered
1858          * on top of POSIX semantics. I'm not sure if this is desirable.
1859          * For example, in W2K ACLs there is no way to say, "Group X no
1860          * access, user Y full access" if user Y is a member of group X.
1861          * This seems completely broken semantics to me.... JRA.
1862          */
1863
1864 #if 0
1865         /* Pass 4 above - deal with allow entries. */
1866
1867         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
1868                 canon_ace *allow_ace_p;
1869
1870                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
1871
1872                 if (curr_ace->attr != ALLOW_ACE)
1873                         continue;
1874
1875                 if (curr_ace->owner_type != UID_ACE)
1876                         continue;
1877
1878                 for (allow_ace_p = ace_list; allow_ace_p; allow_ace_p = allow_ace_p->next) {
1879
1880                         if (allow_ace_p->attr != ALLOW_ACE)
1881                                 continue;
1882
1883                         /* We process GID_ACE entries only. */
1884
1885                         if (allow_ace_p->owner_type != GID_ACE)
1886                                 continue;
1887
1888                         /* OR in the group perms. */
1889
1890                         if (uid_entry_in_group( curr_ace, allow_ace_p))
1891                                 curr_ace->perms |= allow_ace_p->perms;
1892                 }
1893         }
1894 #endif
1895
1896         *pp_ace_list = ace_list;
1897 }
1898
1899 /****************************************************************************
1900  Create a default mode that will be used if a security descriptor entry has
1901  no user/group/world entries.
1902 ****************************************************************************/
1903
1904 static mode_t create_default_mode(files_struct *fsp, BOOL interitable_mode)
1905 {
1906         int snum = SNUM(fsp->conn);
1907         mode_t and_bits = (mode_t)0;
1908         mode_t or_bits = (mode_t)0;
1909         mode_t mode = interitable_mode
1910                 ? unix_mode( fsp->conn, FILE_ATTRIBUTE_ARCHIVE, fsp->fsp_name,
1911                              NULL )
1912                 : S_IRUSR;
1913
1914         if (fsp->is_directory)
1915                 mode |= (S_IWUSR|S_IXUSR);
1916
1917         /*
1918          * Now AND with the create mode/directory mode bits then OR with the
1919          * force create mode/force directory mode bits.
1920          */
1921
1922         if (fsp->is_directory) {
1923                 and_bits = lp_dir_security_mask(snum);
1924                 or_bits = lp_force_dir_security_mode(snum);
1925         } else {
1926                 and_bits = lp_security_mask(snum);
1927                 or_bits = lp_force_security_mode(snum);
1928         }
1929
1930         return ((mode & and_bits)|or_bits);
1931 }
1932
1933 /****************************************************************************
1934  Unpack a SEC_DESC into two canonical ace lists. We don't depend on this
1935  succeeding.
1936 ****************************************************************************/
1937
1938 static BOOL unpack_canon_ace(files_struct *fsp, 
1939                                                         SMB_STRUCT_STAT *pst,
1940                                                         DOM_SID *pfile_owner_sid,
1941                                                         DOM_SID *pfile_grp_sid,
1942                                                         canon_ace **ppfile_ace, canon_ace **ppdir_ace,
1943                                                         uint32 security_info_sent, SEC_DESC *psd)
1944 {
1945         canon_ace *file_ace = NULL;
1946         canon_ace *dir_ace = NULL;
1947
1948         *ppfile_ace = NULL;
1949         *ppdir_ace = NULL;
1950
1951         if(security_info_sent == 0) {
1952                 DEBUG(0,("unpack_canon_ace: no security info sent !\n"));
1953                 return False;
1954         }
1955
1956         /*
1957          * If no DACL then this is a chown only security descriptor.
1958          */
1959
1960         if(!(security_info_sent & DACL_SECURITY_INFORMATION) || !psd->dacl)
1961                 return True;
1962
1963         /*
1964          * Now go through the DACL and create the canon_ace lists.
1965          */
1966
1967         if (!create_canon_ace_lists( fsp, pst, pfile_owner_sid, pfile_grp_sid,
1968                                                                 &file_ace, &dir_ace, psd->dacl))
1969                 return False;
1970
1971         if ((file_ace == NULL) && (dir_ace == NULL)) {
1972                 /* W2K traverse DACL set - ignore. */
1973                 return True;
1974         }
1975
1976         /*
1977          * Go through the canon_ace list and merge entries
1978          * belonging to identical users of identical allow or deny type.
1979          * We can do this as all deny entries come first, followed by
1980          * all allow entries (we have mandated this before accepting this acl).
1981          */
1982
1983         print_canon_ace_list( "file ace - before merge", file_ace);
1984         merge_aces( &file_ace );
1985
1986         print_canon_ace_list( "dir ace - before merge", dir_ace);
1987         merge_aces( &dir_ace );
1988
1989         /*
1990          * NT ACLs are order dependent. Go through the acl lists and
1991          * process DENY entries by masking the allow entries.
1992          */
1993
1994         print_canon_ace_list( "file ace - before deny", file_ace);
1995         process_deny_list( &file_ace);
1996
1997         print_canon_ace_list( "dir ace - before deny", dir_ace);
1998         process_deny_list( &dir_ace);
1999
2000         /*
2001          * A well formed POSIX file or default ACL has at least 3 entries, a 
2002          * SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ
2003          * and optionally a mask entry. Ensure this is the case.
2004          */
2005
2006         print_canon_ace_list( "file ace - before valid", file_ace);
2007
2008         /*
2009          * A default 3 element mode entry for a file should be r-- --- ---.
2010          * A default 3 element mode entry for a directory should be rwx --- ---.
2011          */
2012
2013         pst->st_mode = create_default_mode(fsp, False);
2014
2015         if (!ensure_canon_entry_valid(&file_ace, fsp, pfile_owner_sid, pfile_grp_sid, pst, True)) {
2016                 free_canon_ace_list(file_ace);
2017                 free_canon_ace_list(dir_ace);
2018                 return False;
2019         }
2020
2021         print_canon_ace_list( "dir ace - before valid", dir_ace);
2022
2023         /*
2024          * A default inheritable 3 element mode entry for a directory should be the
2025          * mode Samba will use to create a file within. Ensure user rwx bits are set if
2026          * it's a directory.
2027          */
2028
2029         pst->st_mode = create_default_mode(fsp, True);
2030
2031         if (dir_ace && !ensure_canon_entry_valid(&dir_ace, fsp, pfile_owner_sid, pfile_grp_sid, pst, True)) {
2032                 free_canon_ace_list(file_ace);
2033                 free_canon_ace_list(dir_ace);
2034                 return False;
2035         }
2036
2037         print_canon_ace_list( "file ace - return", file_ace);
2038         print_canon_ace_list( "dir ace - return", dir_ace);
2039
2040         *ppfile_ace = file_ace;
2041         *ppdir_ace = dir_ace;
2042         return True;
2043
2044 }
2045
2046 /******************************************************************************
2047  When returning permissions, try and fit NT display
2048  semantics if possible. Note the the canon_entries here must have been malloced.
2049  The list format should be - first entry = owner, followed by group and other user
2050  entries, last entry = other.
2051
2052  Note that this doesn't exactly match the NT semantics for an ACL. As POSIX entries
2053  are not ordered, and match on the most specific entry rather than walking a list,
2054  then a simple POSIX permission of rw-r--r-- should really map to 5 entries,
2055
2056  Entry 0: owner : deny all except read and write.
2057  Entry 1: owner : allow read and write.
2058  Entry 2: group : deny all except read.
2059  Entry 3: group : allow read.
2060  Entry 4: Everyone : allow read.
2061
2062  But NT cannot display this in their ACL editor !
2063 ********************************************************************************/
2064
2065 static void arrange_posix_perms( char *filename, canon_ace **pp_list_head)
2066 {
2067         canon_ace *list_head = *pp_list_head;
2068         canon_ace *owner_ace = NULL;
2069         canon_ace *other_ace = NULL;
2070         canon_ace *ace = NULL;
2071
2072         for (ace = list_head; ace; ace = ace->next) {
2073                 if (ace->type == SMB_ACL_USER_OBJ)
2074                         owner_ace = ace;
2075                 else if (ace->type == SMB_ACL_OTHER) {
2076                         /* Last ace - this is "other" */
2077                         other_ace = ace;
2078                 }
2079         }
2080                 
2081         if (!owner_ace || !other_ace) {
2082                 DEBUG(0,("arrange_posix_perms: Invalid POSIX permissions for file %s, missing owner or other.\n",
2083                         filename ));
2084                 return;
2085         }
2086
2087         /*
2088          * The POSIX algorithm applies to owner first, and other last,
2089          * so ensure they are arranged in this order.
2090          */
2091
2092         if (owner_ace) {
2093                 DLIST_PROMOTE(list_head, owner_ace);
2094         }
2095
2096         if (other_ace) {
2097                 DLIST_DEMOTE(list_head, other_ace, canon_ace *);
2098         }
2099
2100         /* We have probably changed the head of the list. */
2101
2102         *pp_list_head = list_head;
2103 }
2104                 
2105 /****************************************************************************
2106  Create a linked list of canonical ACE entries.
2107 ****************************************************************************/
2108
2109 static canon_ace *canonicalise_acl( files_struct *fsp, SMB_ACL_T posix_acl, SMB_STRUCT_STAT *psbuf,
2110                                         const DOM_SID *powner, const DOM_SID *pgroup, struct pai_val *pal, SMB_ACL_TYPE_T the_acl_type)
2111 {
2112         connection_struct *conn = fsp->conn;
2113         mode_t acl_mask = (S_IRUSR|S_IWUSR|S_IXUSR);
2114         canon_ace *list_head = NULL;
2115         canon_ace *ace = NULL;
2116         canon_ace *next_ace = NULL;
2117         int entry_id = SMB_ACL_FIRST_ENTRY;
2118         SMB_ACL_ENTRY_T entry;
2119         size_t ace_count;
2120
2121         while ( posix_acl && (SMB_VFS_SYS_ACL_GET_ENTRY(conn, posix_acl, entry_id, &entry) == 1)) {
2122                 SMB_ACL_TAG_T tagtype;
2123                 SMB_ACL_PERMSET_T permset;
2124                 DOM_SID sid;
2125                 posix_id unix_ug;
2126                 enum ace_owner owner_type;
2127
2128                 /* get_next... */
2129                 if (entry_id == SMB_ACL_FIRST_ENTRY)
2130                         entry_id = SMB_ACL_NEXT_ENTRY;
2131
2132                 /* Is this a MASK entry ? */
2133                 if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) == -1)
2134                         continue;
2135
2136                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1)
2137                         continue;
2138
2139                 /* Decide which SID to use based on the ACL type. */
2140                 switch(tagtype) {
2141                         case SMB_ACL_USER_OBJ:
2142                                 /* Get the SID from the owner. */
2143                                 sid_copy(&sid, powner);
2144                                 unix_ug.uid = psbuf->st_uid;
2145                                 owner_type = UID_ACE;
2146                                 break;
2147                         case SMB_ACL_USER:
2148                                 {
2149                                         uid_t *puid = (uid_t *)SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry);
2150                                         if (puid == NULL) {
2151                                                 DEBUG(0,("canonicalise_acl: Failed to get uid.\n"));
2152                                                 continue;
2153                                         }
2154                                         /*
2155                                          * A SMB_ACL_USER entry for the owner is shadowed by the
2156                                          * SMB_ACL_USER_OBJ entry and Windows also cannot represent
2157                                          * that entry, so we ignore it. We also don't create such
2158                                          * entries out of the blue when setting ACLs, so a get/set
2159                                          * cycle will drop them.
2160                                          */
2161                                         if (the_acl_type == SMB_ACL_TYPE_ACCESS && *puid == psbuf->st_uid) {
2162                                                 SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)puid,tagtype);
2163                                                 continue;
2164                                         }
2165                                         uid_to_sid( &sid, *puid);
2166                                         unix_ug.uid = *puid;
2167                                         owner_type = UID_ACE;
2168                                         SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)puid,tagtype);
2169                                         break;
2170                                 }
2171                         case SMB_ACL_GROUP_OBJ:
2172                                 /* Get the SID from the owning group. */
2173                                 sid_copy(&sid, pgroup);
2174                                 unix_ug.gid = psbuf->st_gid;
2175                                 owner_type = GID_ACE;
2176                                 break;
2177                         case SMB_ACL_GROUP:
2178                                 {
2179                                         gid_t *pgid = (gid_t *)SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry);
2180                                         if (pgid == NULL) {
2181                                                 DEBUG(0,("canonicalise_acl: Failed to get gid.\n"));
2182                                                 continue;
2183                                         }
2184                                         gid_to_sid( &sid, *pgid);
2185                                         unix_ug.gid = *pgid;
2186                                         owner_type = GID_ACE;
2187                                         SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)pgid,tagtype);
2188                                         break;
2189                                 }
2190                         case SMB_ACL_MASK:
2191                                 acl_mask = convert_permset_to_mode_t(conn, permset);
2192                                 continue; /* Don't count the mask as an entry. */
2193                         case SMB_ACL_OTHER:
2194                                 /* Use the Everyone SID */
2195                                 sid = global_sid_World;
2196                                 unix_ug.world = -1;
2197                                 owner_type = WORLD_ACE;
2198                                 break;
2199                         default:
2200                                 DEBUG(0,("canonicalise_acl: Unknown tagtype %u\n", (unsigned int)tagtype));
2201                                 continue;
2202                 }
2203
2204                 /*
2205                  * Add this entry to the list.
2206                  */
2207
2208                 if ((ace = SMB_MALLOC_P(canon_ace)) == NULL)
2209                         goto fail;
2210
2211                 ZERO_STRUCTP(ace);
2212                 ace->type = tagtype;
2213                 ace->perms = convert_permset_to_mode_t(conn, permset);
2214                 ace->attr = ALLOW_ACE;
2215                 ace->trustee = sid;
2216                 ace->unix_ug = unix_ug;
2217                 ace->owner_type = owner_type;
2218                 ace->inherited = get_inherited_flag(pal, ace, (the_acl_type == SMB_ACL_TYPE_DEFAULT));
2219
2220                 DLIST_ADD(list_head, ace);
2221         }
2222
2223         /*
2224          * This next call will ensure we have at least a user/group/world set.
2225          */
2226
2227         if (!ensure_canon_entry_valid(&list_head, fsp, powner, pgroup, psbuf, False))
2228                 goto fail;
2229
2230         /*
2231          * Now go through the list, masking the permissions with the
2232          * acl_mask. Ensure all DENY Entries are at the start of the list.
2233          */
2234
2235         DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", the_acl_type == SMB_ACL_TYPE_ACCESS ? "Access" : "Default" ));
2236
2237         for ( ace_count = 0, ace = list_head; ace; ace = next_ace, ace_count++) {
2238                 next_ace = ace->next;
2239
2240                 /* Masks are only applied to entries other than USER_OBJ and OTHER. */
2241                 if (ace->type != SMB_ACL_OTHER && ace->type != SMB_ACL_USER_OBJ)
2242                         ace->perms &= acl_mask;
2243
2244                 if (ace->perms == 0) {
2245                         DLIST_PROMOTE(list_head, ace);
2246                 }
2247
2248                 if( DEBUGLVL( 10 ) ) {
2249                         print_canon_ace(ace, ace_count);
2250                 }
2251         }
2252
2253         arrange_posix_perms(fsp->fsp_name,&list_head );
2254
2255         print_canon_ace_list( "canonicalise_acl: ace entries after arrange", list_head );
2256
2257         return list_head;
2258
2259   fail:
2260
2261         free_canon_ace_list(list_head);
2262         return NULL;
2263 }
2264
2265 /****************************************************************************
2266  Check if the current user group list contains a given group.
2267 ****************************************************************************/
2268
2269 static BOOL current_user_in_group(gid_t gid)
2270 {
2271         int i;
2272
2273         for (i = 0; i < current_user.ut.ngroups; i++) {
2274                 if (current_user.ut.groups[i] == gid) {
2275                         return True;
2276                 }
2277         }
2278
2279         return False;
2280 }
2281
2282 /****************************************************************************
2283  Should we override a deny ?  Check deprecated 'acl group control'
2284  and 'dos filemode'
2285 ****************************************************************************/
2286
2287 static BOOL acl_group_override(connection_struct *conn, gid_t prim_gid)
2288 {
2289         if ( (errno == EACCES || errno == EPERM) 
2290                 && (lp_acl_group_control(SNUM(conn)) || lp_dos_filemode(SNUM(conn)))
2291                 && current_user_in_group(prim_gid)) 
2292         {
2293                 return True;
2294         } 
2295
2296         return False;
2297 }
2298
2299 /****************************************************************************
2300  Attempt to apply an ACL to a file or directory.
2301 ****************************************************************************/
2302
2303 static BOOL set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, BOOL default_ace, gid_t prim_gid, BOOL *pacl_set_support)
2304 {
2305         connection_struct *conn = fsp->conn;
2306         BOOL ret = False;
2307         SMB_ACL_T the_acl = SMB_VFS_SYS_ACL_INIT(conn, (int)count_canon_ace_list(the_ace) + 1);
2308         canon_ace *p_ace;
2309         int i;
2310         SMB_ACL_ENTRY_T mask_entry;
2311         BOOL got_mask_entry = False;
2312         SMB_ACL_PERMSET_T mask_permset;
2313         SMB_ACL_TYPE_T the_acl_type = (default_ace ? SMB_ACL_TYPE_DEFAULT : SMB_ACL_TYPE_ACCESS);
2314         BOOL needs_mask = False;
2315         mode_t mask_perms = 0;
2316
2317 #if defined(POSIX_ACL_NEEDS_MASK)
2318         /* HP-UX always wants to have a mask (called "class" there). */
2319         needs_mask = True;
2320 #endif
2321
2322         if (the_acl == NULL) {
2323
2324                 if (!no_acl_syscall_error(errno)) {
2325                         /*
2326                          * Only print this error message if we have some kind of ACL
2327                          * support that's not working. Otherwise we would always get this.
2328                          */
2329                         DEBUG(0,("set_canon_ace_list: Unable to init %s ACL. (%s)\n",
2330                                 default_ace ? "default" : "file", strerror(errno) ));
2331                 }
2332                 *pacl_set_support = False;
2333                 return False;
2334         }
2335
2336         if( DEBUGLVL( 10 )) {
2337                 dbgtext("set_canon_ace_list: setting ACL:\n");
2338                 for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2339                         print_canon_ace( p_ace, i);
2340                 }
2341         }
2342
2343         for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2344                 SMB_ACL_ENTRY_T the_entry;
2345                 SMB_ACL_PERMSET_T the_permset;
2346
2347                 /*
2348                  * ACLs only "need" an ACL_MASK entry if there are any named user or
2349                  * named group entries. But if there is an ACL_MASK entry, it applies
2350                  * to ACL_USER, ACL_GROUP, and ACL_GROUP_OBJ entries. Set the mask
2351                  * so that it doesn't deny (i.e., mask off) any permissions.
2352                  */
2353
2354                 if (p_ace->type == SMB_ACL_USER || p_ace->type == SMB_ACL_GROUP) {
2355                         needs_mask = True;
2356                         mask_perms |= p_ace->perms;
2357                 } else if (p_ace->type == SMB_ACL_GROUP_OBJ) {
2358                         mask_perms |= p_ace->perms;
2359                 }
2360
2361                 /*
2362                  * Get the entry for this ACE.
2363                  */
2364
2365                 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &the_entry) == -1) {
2366                         DEBUG(0,("set_canon_ace_list: Failed to create entry %d. (%s)\n",
2367                                 i, strerror(errno) ));
2368                         goto fail;
2369                 }
2370
2371                 if (p_ace->type == SMB_ACL_MASK) {
2372                         mask_entry = the_entry;
2373                         got_mask_entry = True;
2374                 }
2375
2376                 /*
2377                  * Ok - we now know the ACL calls should be working, don't
2378                  * allow fallback to chmod.
2379                  */
2380
2381                 *pacl_set_support = True;
2382
2383                 /*
2384                  * Initialise the entry from the canon_ace.
2385                  */
2386
2387                 /*
2388                  * First tell the entry what type of ACE this is.
2389                  */
2390
2391                 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, the_entry, p_ace->type) == -1) {
2392                         DEBUG(0,("set_canon_ace_list: Failed to set tag type on entry %d. (%s)\n",
2393                                 i, strerror(errno) ));
2394                         goto fail;
2395                 }
2396
2397                 /*
2398                  * Only set the qualifier (user or group id) if the entry is a user
2399                  * or group id ACE.
2400                  */
2401
2402                 if ((p_ace->type == SMB_ACL_USER) || (p_ace->type == SMB_ACL_GROUP)) {
2403                         if (SMB_VFS_SYS_ACL_SET_QUALIFIER(conn, the_entry,(void *)&p_ace->unix_ug.uid) == -1) {
2404                                 DEBUG(0,("set_canon_ace_list: Failed to set qualifier on entry %d. (%s)\n",
2405                                         i, strerror(errno) ));
2406                                 goto fail;
2407                         }
2408                 }
2409
2410                 /*
2411                  * Convert the mode_t perms in the canon_ace to a POSIX permset.
2412                  */
2413
2414                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, the_entry, &the_permset) == -1) {
2415                         DEBUG(0,("set_canon_ace_list: Failed to get permset on entry %d. (%s)\n",
2416                                 i, strerror(errno) ));
2417                         goto fail;
2418                 }
2419
2420                 if (map_acl_perms_to_permset(conn, p_ace->perms, &the_permset) == -1) {
2421                         DEBUG(0,("set_canon_ace_list: Failed to create permset for mode (%u) on entry %d. (%s)\n",
2422                                 (unsigned int)p_ace->perms, i, strerror(errno) ));
2423                         goto fail;
2424                 }
2425
2426                 /*
2427                  * ..and apply them to the entry.
2428                  */
2429
2430                 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, the_entry, the_permset) == -1) {
2431                         DEBUG(0,("set_canon_ace_list: Failed to add permset on entry %d. (%s)\n",
2432                                 i, strerror(errno) ));
2433                         goto fail;
2434                 }
2435
2436                 if( DEBUGLVL( 10 ))
2437                         print_canon_ace( p_ace, i);
2438
2439         }
2440
2441         if (needs_mask && !got_mask_entry) {
2442                 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &mask_entry) == -1) {
2443                         DEBUG(0,("set_canon_ace_list: Failed to create mask entry. (%s)\n", strerror(errno) ));
2444                         goto fail;
2445                 }
2446
2447                 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, mask_entry, SMB_ACL_MASK) == -1) {
2448                         DEBUG(0,("set_canon_ace_list: Failed to set tag type on mask entry. (%s)\n",strerror(errno) ));
2449                         goto fail;
2450                 }
2451
2452                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, mask_entry, &mask_permset) == -1) {
2453                         DEBUG(0,("set_canon_ace_list: Failed to get mask permset. (%s)\n", strerror(errno) ));
2454                         goto fail;
2455                 }
2456
2457                 if (map_acl_perms_to_permset(conn, S_IRUSR|S_IWUSR|S_IXUSR, &mask_permset) == -1) {
2458                         DEBUG(0,("set_canon_ace_list: Failed to create mask permset. (%s)\n", strerror(errno) ));
2459                         goto fail;
2460                 }
2461
2462                 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, mask_entry, mask_permset) == -1) {
2463                         DEBUG(0,("set_canon_ace_list: Failed to add mask permset. (%s)\n", strerror(errno) ));
2464                         goto fail;
2465                 }
2466         }
2467
2468         /*
2469          * Finally apply it to the file or directory.
2470          */
2471
2472         if(default_ace || fsp->is_directory || fsp->fh->fd == -1) {
2473                 if (SMB_VFS_SYS_ACL_SET_FILE(conn, fsp->fsp_name, the_acl_type, the_acl) == -1) {
2474                         /*
2475                          * Some systems allow all the above calls and only fail with no ACL support
2476                          * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
2477                          */
2478                         if (no_acl_syscall_error(errno)) {
2479                                 *pacl_set_support = False;
2480                         }
2481
2482                         if (acl_group_override(conn, prim_gid)) {
2483                                 int sret;
2484
2485                                 DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
2486                                         fsp->fsp_name ));
2487
2488                                 become_root();
2489                                 sret = SMB_VFS_SYS_ACL_SET_FILE(conn, fsp->fsp_name, the_acl_type, the_acl);
2490                                 unbecome_root();
2491                                 if (sret == 0) {
2492                                         ret = True;     
2493                                 }
2494                         }
2495
2496                         if (ret == False) {
2497                                 DEBUG(2,("set_canon_ace_list: sys_acl_set_file type %s failed for file %s (%s).\n",
2498                                                 the_acl_type == SMB_ACL_TYPE_DEFAULT ? "directory default" : "file",
2499                                                 fsp->fsp_name, strerror(errno) ));
2500                                 goto fail;
2501                         }
2502                 }
2503         } else {
2504                 if (SMB_VFS_SYS_ACL_SET_FD(fsp, fsp->fh->fd, the_acl) == -1) {
2505                         /*
2506                          * Some systems allow all the above calls and only fail with no ACL support
2507                          * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
2508                          */
2509                         if (no_acl_syscall_error(errno)) {
2510                                 *pacl_set_support = False;
2511                         }
2512
2513                         if (acl_group_override(conn, prim_gid)) {
2514                                 int sret;
2515
2516                                 DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
2517                                         fsp->fsp_name ));
2518
2519                                 become_root();
2520                                 sret = SMB_VFS_SYS_ACL_SET_FD(fsp, fsp->fh->fd, the_acl);
2521                                 unbecome_root();
2522                                 if (sret == 0) {
2523                                         ret = True;
2524                                 }
2525                         }
2526
2527                         if (ret == False) {
2528                                 DEBUG(2,("set_canon_ace_list: sys_acl_set_file failed for file %s (%s).\n",
2529                                                 fsp->fsp_name, strerror(errno) ));
2530                                 goto fail;
2531                         }
2532                 }
2533         }
2534
2535         ret = True;
2536
2537   fail:
2538
2539         if (the_acl != NULL) {
2540                 SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
2541         }
2542
2543         return ret;
2544 }
2545
2546 /****************************************************************************
2547  Find a particular canon_ace entry.
2548 ****************************************************************************/
2549
2550 static struct canon_ace *canon_ace_entry_for(struct canon_ace *list, SMB_ACL_TAG_T type, posix_id *id)
2551 {
2552         while (list) {
2553                 if (list->type == type && ((type != SMB_ACL_USER && type != SMB_ACL_GROUP) ||
2554                                 (type == SMB_ACL_USER  && id && id->uid == list->unix_ug.uid) ||
2555                                 (type == SMB_ACL_GROUP && id && id->gid == list->unix_ug.gid)))
2556                         break;
2557                 list = list->next;
2558         }
2559         return list;
2560 }
2561
2562 /****************************************************************************
2563  
2564 ****************************************************************************/
2565
2566 SMB_ACL_T free_empty_sys_acl(connection_struct *conn, SMB_ACL_T the_acl)
2567 {
2568         SMB_ACL_ENTRY_T entry;
2569
2570         if (!the_acl)
2571                 return NULL;
2572         if (SMB_VFS_SYS_ACL_GET_ENTRY(conn, the_acl, SMB_ACL_FIRST_ENTRY, &entry) != 1) {
2573                 SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
2574                 return NULL;
2575         }
2576         return the_acl;
2577 }
2578
2579 /****************************************************************************
2580  Convert a canon_ace to a generic 3 element permission - if possible.
2581 ****************************************************************************/
2582
2583 #define MAP_PERM(p,mask,result) (((p) & (mask)) ? (result) : 0 )
2584
2585 static BOOL convert_canon_ace_to_posix_perms( files_struct *fsp, canon_ace *file_ace_list, mode_t *posix_perms)
2586 {
2587         int snum = SNUM(fsp->conn);
2588         size_t ace_count = count_canon_ace_list(file_ace_list);
2589         canon_ace *ace_p;
2590         canon_ace *owner_ace = NULL;
2591         canon_ace *group_ace = NULL;
2592         canon_ace *other_ace = NULL;
2593         mode_t and_bits;
2594         mode_t or_bits;
2595
2596         if (ace_count != 3) {
2597                 DEBUG(3,("convert_canon_ace_to_posix_perms: Too many ACE entries for file %s to convert to \
2598 posix perms.\n", fsp->fsp_name ));
2599                 return False;
2600         }
2601
2602         for (ace_p = file_ace_list; ace_p; ace_p = ace_p->next) {
2603                 if (ace_p->owner_type == UID_ACE)
2604                         owner_ace = ace_p;
2605                 else if (ace_p->owner_type == GID_ACE)
2606                         group_ace = ace_p;
2607                 else if (ace_p->owner_type == WORLD_ACE)
2608                         other_ace = ace_p;
2609         }
2610
2611         if (!owner_ace || !group_ace || !other_ace) {
2612                 DEBUG(3,("convert_canon_ace_to_posix_perms: Can't get standard entries for file %s.\n",
2613                                 fsp->fsp_name ));
2614                 return False;
2615         }
2616
2617         *posix_perms = (mode_t)0;
2618
2619         *posix_perms |= owner_ace->perms;
2620         *posix_perms |= MAP_PERM(group_ace->perms, S_IRUSR, S_IRGRP);
2621         *posix_perms |= MAP_PERM(group_ace->perms, S_IWUSR, S_IWGRP);
2622         *posix_perms |= MAP_PERM(group_ace->perms, S_IXUSR, S_IXGRP);
2623         *posix_perms |= MAP_PERM(other_ace->perms, S_IRUSR, S_IROTH);
2624         *posix_perms |= MAP_PERM(other_ace->perms, S_IWUSR, S_IWOTH);
2625         *posix_perms |= MAP_PERM(other_ace->perms, S_IXUSR, S_IXOTH);
2626
2627         /* The owner must have at least read access. */
2628
2629         *posix_perms |= S_IRUSR;
2630         if (fsp->is_directory)
2631                 *posix_perms |= (S_IWUSR|S_IXUSR);
2632
2633         /* If requested apply the masks. */
2634
2635         /* Get the initial bits to apply. */
2636
2637         if (fsp->is_directory) {
2638                 and_bits = lp_dir_security_mask(snum);
2639                 or_bits = lp_force_dir_security_mode(snum);
2640         } else {
2641                 and_bits = lp_security_mask(snum);
2642                 or_bits = lp_force_security_mode(snum);
2643         }
2644
2645         *posix_perms = (((*posix_perms) & and_bits)|or_bits);
2646
2647         DEBUG(10,("convert_canon_ace_to_posix_perms: converted u=%o,g=%o,w=%o to perm=0%o for file %s.\n",
2648                 (int)owner_ace->perms, (int)group_ace->perms, (int)other_ace->perms, (int)*posix_perms,
2649                 fsp->fsp_name ));
2650
2651         return True;
2652 }
2653
2654 /****************************************************************************
2655   Incoming NT ACLs on a directory can be split into a default POSIX acl (CI|OI|IO) and
2656   a normal POSIX acl. Win2k needs these split acls re-merging into one ACL
2657   with CI|OI set so it is inherited and also applies to the directory.
2658   Based on code from "Jim McDonough" <jmcd@us.ibm.com>.
2659 ****************************************************************************/
2660
2661 static size_t merge_default_aces( SEC_ACE *nt_ace_list, size_t num_aces)
2662 {
2663         size_t i, j;
2664
2665         for (i = 0; i < num_aces; i++) {
2666                 for (j = i+1; j < num_aces; j++) {
2667                         uint32 i_flags_ni = (nt_ace_list[i].flags & ~SEC_ACE_FLAG_INHERITED_ACE);
2668                         uint32 j_flags_ni = (nt_ace_list[j].flags & ~SEC_ACE_FLAG_INHERITED_ACE);
2669                         BOOL i_inh = (nt_ace_list[i].flags & SEC_ACE_FLAG_INHERITED_ACE) ? True : False;
2670                         BOOL j_inh = (nt_ace_list[j].flags & SEC_ACE_FLAG_INHERITED_ACE) ? True : False;
2671
2672                         /* We know the lower number ACE's are file entries. */
2673                         if ((nt_ace_list[i].type == nt_ace_list[j].type) &&
2674                                 (nt_ace_list[i].size == nt_ace_list[j].size) &&
2675                                 (nt_ace_list[i].access_mask == nt_ace_list[j].access_mask) &&
2676                                 sid_equal(&nt_ace_list[i].trustee, &nt_ace_list[j].trustee) &&
2677                                 (i_inh == j_inh) &&
2678                                 (i_flags_ni == 0) &&
2679                                 (j_flags_ni == (SEC_ACE_FLAG_OBJECT_INHERIT|
2680                                                   SEC_ACE_FLAG_CONTAINER_INHERIT|
2681                                                   SEC_ACE_FLAG_INHERIT_ONLY))) {
2682                                 /*
2683                                  * W2K wants to have access allowed zero access ACE's
2684                                  * at the end of the list. If the mask is zero, merge
2685                                  * the non-inherited ACE onto the inherited ACE.
2686                                  */
2687
2688                                 if (nt_ace_list[i].access_mask == 0) {
2689                                         nt_ace_list[j].flags = SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
2690                                                                 (i_inh ? SEC_ACE_FLAG_INHERITED_ACE : 0);
2691                                         if (num_aces - i - 1 > 0)
2692                                                 memmove(&nt_ace_list[i], &nt_ace_list[i+1], (num_aces-i-1) *
2693                                                                 sizeof(SEC_ACE));
2694
2695                                         DEBUG(10,("merge_default_aces: Merging zero access ACE %u onto ACE %u.\n",
2696                                                 (unsigned int)i, (unsigned int)j ));
2697                                 } else {
2698                                         /*
2699                                          * These are identical except for the flags.
2700                                          * Merge the inherited ACE onto the non-inherited ACE.
2701                                          */
2702
2703                                         nt_ace_list[i].flags = SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
2704                                                                 (i_inh ? SEC_ACE_FLAG_INHERITED_ACE : 0);
2705                                         if (num_aces - j - 1 > 0)
2706                                                 memmove(&nt_ace_list[j], &nt_ace_list[j+1], (num_aces-j-1) *
2707                                                                 sizeof(SEC_ACE));
2708
2709                                         DEBUG(10,("merge_default_aces: Merging ACE %u onto ACE %u.\n",
2710                                                 (unsigned int)j, (unsigned int)i ));
2711                                 }
2712                                 num_aces--;
2713                                 break;
2714                         }
2715                 }
2716         }
2717
2718         return num_aces;
2719 }
2720 /****************************************************************************
2721  Reply to query a security descriptor from an fsp. If it succeeds it allocates
2722  the space for the return elements and returns the size needed to return the
2723  security descriptor. This should be the only external function needed for
2724  the UNIX style get ACL.
2725 ****************************************************************************/
2726
2727 size_t get_nt_acl(files_struct *fsp, uint32 security_info, SEC_DESC **ppdesc)
2728 {
2729         connection_struct *conn = fsp->conn;
2730         SMB_STRUCT_STAT sbuf;
2731         SEC_ACE *nt_ace_list = NULL;
2732         DOM_SID owner_sid;
2733         DOM_SID group_sid;
2734         size_t sd_size = 0;
2735         SEC_ACL *psa = NULL;
2736         size_t num_acls = 0;
2737         size_t num_def_acls = 0;
2738         size_t num_aces = 0;
2739         SMB_ACL_T posix_acl = NULL;
2740         SMB_ACL_T def_acl = NULL;
2741         canon_ace *file_ace = NULL;
2742         canon_ace *dir_ace = NULL;
2743         size_t num_profile_acls = 0;
2744         struct pai_val *pal = NULL;
2745         SEC_DESC *psd = NULL;
2746
2747         *ppdesc = NULL;
2748
2749         DEBUG(10,("get_nt_acl: called for file %s\n", fsp->fsp_name ));
2750
2751         if(fsp->is_directory || fsp->fh->fd == -1) {
2752
2753                 /* Get the stat struct for the owner info. */
2754                 if(SMB_VFS_STAT(fsp->conn,fsp->fsp_name, &sbuf) != 0) {
2755                         return 0;
2756                 }
2757                 /*
2758                  * Get the ACL from the path.
2759                  */
2760
2761                 posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, fsp->fsp_name, SMB_ACL_TYPE_ACCESS);
2762
2763                 /*
2764                  * If it's a directory get the default POSIX ACL.
2765                  */
2766
2767                 if(fsp->is_directory) {
2768                         def_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, fsp->fsp_name, SMB_ACL_TYPE_DEFAULT);
2769                         def_acl = free_empty_sys_acl(conn, def_acl);
2770                 }
2771
2772         } else {
2773
2774                 /* Get the stat struct for the owner info. */
2775                 if(SMB_VFS_FSTAT(fsp,fsp->fh->fd,&sbuf) != 0) {
2776                         return 0;
2777                 }
2778                 /*
2779                  * Get the ACL from the fd.
2780                  */
2781                 posix_acl = SMB_VFS_SYS_ACL_GET_FD(fsp, fsp->fh->fd);
2782         }
2783
2784         DEBUG(5,("get_nt_acl : file ACL %s, directory ACL %s\n",
2785                         posix_acl ? "present" :  "absent",
2786                         def_acl ? "present" :  "absent" ));
2787
2788         pal = load_inherited_info(fsp);
2789
2790         /*
2791          * Get the owner, group and world SIDs.
2792          */
2793
2794         if (lp_profile_acls(SNUM(conn))) {
2795                 /* For WXP SP1 the owner must be administrators. */
2796                 sid_copy(&owner_sid, &global_sid_Builtin_Administrators);
2797                 sid_copy(&group_sid, &global_sid_Builtin_Users);
2798                 num_profile_acls = 2;
2799         } else {
2800                 create_file_sids(&sbuf, &owner_sid, &group_sid);
2801         }
2802
2803         if ((security_info & DACL_SECURITY_INFORMATION) && !(security_info & PROTECTED_DACL_SECURITY_INFORMATION)) {
2804
2805                 /*
2806                  * In the optimum case Creator Owner and Creator Group would be used for
2807                  * the ACL_USER_OBJ and ACL_GROUP_OBJ entries, respectively, but this
2808                  * would lead to usability problems under Windows: The Creator entries
2809                  * are only available in browse lists of directories and not for files;
2810                  * additionally the identity of the owning group couldn't be determined.
2811                  * We therefore use those identities only for Default ACLs. 
2812                  */
2813
2814                 /* Create the canon_ace lists. */
2815                 file_ace = canonicalise_acl( fsp, posix_acl, &sbuf, &owner_sid, &group_sid, pal, SMB_ACL_TYPE_ACCESS );
2816
2817                 /* We must have *some* ACLS. */
2818         
2819                 if (count_canon_ace_list(file_ace) == 0) {
2820                         DEBUG(0,("get_nt_acl : No ACLs on file (%s) !\n", fsp->fsp_name ));
2821                         goto done;
2822                 }
2823
2824                 if (fsp->is_directory && def_acl) {
2825                         dir_ace = canonicalise_acl(fsp, def_acl, &sbuf,
2826                                         &global_sid_Creator_Owner,
2827                                         &global_sid_Creator_Group, pal, SMB_ACL_TYPE_DEFAULT );
2828                 }
2829
2830                 /*
2831                  * Create the NT ACE list from the canonical ace lists.
2832                  */
2833
2834                 {
2835                         canon_ace *ace;
2836                         int nt_acl_type;
2837                         int i;
2838
2839                         if (nt4_compatible_acls() && dir_ace) {
2840                                 /*
2841                                  * NT 4 chokes if an ACL contains an INHERIT_ONLY entry
2842                                  * but no non-INHERIT_ONLY entry for one SID. So we only
2843                                  * remove entries from the Access ACL if the
2844                                  * corresponding Default ACL entries have also been
2845                                  * removed. ACEs for CREATOR-OWNER and CREATOR-GROUP
2846                                  * are exceptions. We can do nothing
2847                                  * intelligent if the Default ACL contains entries that
2848                                  * are not also contained in the Access ACL, so this
2849                                  * case will still fail under NT 4.
2850                                  */
2851
2852                                 ace = canon_ace_entry_for(dir_ace, SMB_ACL_OTHER, NULL);
2853                                 if (ace && !ace->perms) {
2854                                         DLIST_REMOVE(dir_ace, ace);
2855                                         SAFE_FREE(ace);
2856
2857                                         ace = canon_ace_entry_for(file_ace, SMB_ACL_OTHER, NULL);
2858                                         if (ace && !ace->perms) {
2859                                                 DLIST_REMOVE(file_ace, ace);
2860                                                 SAFE_FREE(ace);
2861                                         }
2862                                 }
2863
2864                                 /*
2865                                  * WinNT doesn't usually have Creator Group
2866                                  * in browse lists, so we send this entry to
2867                                  * WinNT even if it contains no relevant
2868                                  * permissions. Once we can add
2869                                  * Creator Group to browse lists we can
2870                                  * re-enable this.
2871                                  */
2872
2873 #if 0
2874                                 ace = canon_ace_entry_for(dir_ace, SMB_ACL_GROUP_OBJ, NULL);
2875                                 if (ace && !ace->perms) {
2876                                         DLIST_REMOVE(dir_ace, ace);
2877                                         SAFE_FREE(ace);
2878                                 }
2879 #endif
2880
2881                                 ace = canon_ace_entry_for(file_ace, SMB_ACL_GROUP_OBJ, NULL);
2882                                 if (ace && !ace->perms) {
2883                                         DLIST_REMOVE(file_ace, ace);
2884                                         SAFE_FREE(ace);
2885                                 }
2886                         }
2887
2888                         num_acls = count_canon_ace_list(file_ace);
2889                         num_def_acls = count_canon_ace_list(dir_ace);
2890
2891                         /* Allocate the ace list. */
2892                         if ((nt_ace_list = SMB_MALLOC_ARRAY(SEC_ACE,num_acls + num_profile_acls + num_def_acls)) == NULL) {
2893                                 DEBUG(0,("get_nt_acl: Unable to malloc space for nt_ace_list.\n"));
2894                                 goto done;
2895                         }
2896
2897                         memset(nt_ace_list, '\0', (num_acls + num_def_acls) * sizeof(SEC_ACE) );
2898
2899                         /*
2900                          * Create the NT ACE list from the canonical ace lists.
2901                          */
2902
2903                         ace = file_ace;
2904
2905                         for (i = 0; i < num_acls; i++, ace = ace->next) {
2906                                 SEC_ACCESS acc;
2907
2908                                 acc = map_canon_ace_perms(SNUM(conn),
2909                                                 &nt_acl_type,
2910                                                 ace->perms,
2911                                                 fsp->is_directory);
2912                                 init_sec_ace(&nt_ace_list[num_aces++],
2913                                         &ace->trustee,
2914                                         nt_acl_type,
2915                                         acc,
2916                                         ace->inherited ?
2917                                                 SEC_ACE_FLAG_INHERITED_ACE : 0);
2918                         }
2919
2920                         /* The User must have access to a profile share - even
2921                          * if we can't map the SID. */
2922                         if (lp_profile_acls(SNUM(conn))) {
2923                                 SEC_ACCESS acc;
2924
2925                                 init_sec_access(&acc,FILE_GENERIC_ALL);
2926                                 init_sec_ace(&nt_ace_list[num_aces++],
2927                                                 &global_sid_Builtin_Users,
2928                                                 SEC_ACE_TYPE_ACCESS_ALLOWED,
2929                                                 acc, 0);
2930                         }
2931
2932                         ace = dir_ace;
2933
2934                         for (i = 0; i < num_def_acls; i++, ace = ace->next) {
2935                                 SEC_ACCESS acc;
2936
2937                                 acc = map_canon_ace_perms(SNUM(conn),
2938                                                 &nt_acl_type,
2939                                                 ace->perms,
2940                                                 fsp->is_directory);
2941                                 init_sec_ace(&nt_ace_list[num_aces++],
2942                                         &ace->trustee,
2943                                         nt_acl_type,
2944                                         acc,
2945                                         SEC_ACE_FLAG_OBJECT_INHERIT|
2946                                         SEC_ACE_FLAG_CONTAINER_INHERIT|
2947                                         SEC_ACE_FLAG_INHERIT_ONLY|
2948                                         (ace->inherited ?
2949                                            SEC_ACE_FLAG_INHERITED_ACE : 0));
2950                         }
2951
2952                         /* The User must have access to a profile share - even
2953                          * if we can't map the SID. */
2954                         if (lp_profile_acls(SNUM(conn))) {
2955                                 SEC_ACCESS acc;
2956
2957                                 init_sec_access(&acc,FILE_GENERIC_ALL);
2958                                 init_sec_ace(&nt_ace_list[num_aces++], &global_sid_Builtin_Users, SEC_ACE_TYPE_ACCESS_ALLOWED, acc,
2959                                                 SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
2960                                                 SEC_ACE_FLAG_INHERIT_ONLY|0);
2961                         }
2962
2963                         /*
2964                          * Merge POSIX default ACLs and normal ACLs into one NT ACE.
2965                          * Win2K needs this to get the inheritance correct when replacing ACLs
2966                          * on a directory tree. Based on work by Jim @ IBM.
2967                          */
2968
2969                         num_aces = merge_default_aces(nt_ace_list, num_aces);
2970
2971                 }
2972
2973                 if (num_aces) {
2974                         if((psa = make_sec_acl( talloc_tos(), NT4_ACL_REVISION, num_aces, nt_ace_list)) == NULL) {
2975                                 DEBUG(0,("get_nt_acl: Unable to malloc space for acl.\n"));
2976                                 goto done;
2977                         }
2978                 }
2979         } /* security_info & DACL_SECURITY_INFORMATION */
2980
2981         psd = make_standard_sec_desc( talloc_tos(),
2982                         (security_info & OWNER_SECURITY_INFORMATION) ? &owner_sid : NULL,
2983                         (security_info & GROUP_SECURITY_INFORMATION) ? &group_sid : NULL,
2984                         psa,
2985                         &sd_size);
2986
2987         if(!psd) {
2988                 DEBUG(0,("get_nt_acl: Unable to malloc space for security descriptor.\n"));
2989                 sd_size = 0;
2990                 goto done;
2991         }
2992
2993         /*
2994          * Windows 2000: The DACL_PROTECTED flag in the security
2995          * descriptor marks the ACL as non-inheriting, i.e., no
2996          * ACEs from higher level directories propagate to this
2997          * ACL. In the POSIX ACL model permissions are only
2998          * inherited at file create time, so ACLs never contain
2999          * any ACEs that are inherited dynamically. The DACL_PROTECTED
3000          * flag doesn't seem to bother Windows NT.
3001          * Always set this if map acl inherit is turned off.
3002          */
3003         if (get_protected_flag(pal) || !lp_map_acl_inherit(SNUM(conn))) {
3004                 psd->type |= SE_DESC_DACL_PROTECTED;
3005         }
3006
3007         if (psd->dacl) {
3008                 dacl_sort_into_canonical_order(psd->dacl->aces, (unsigned int)psd->dacl->num_aces);
3009         }
3010
3011         *ppdesc = psd;
3012
3013  done:
3014
3015         if (posix_acl) {
3016                 SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
3017         }
3018         if (def_acl) {
3019                 SMB_VFS_SYS_ACL_FREE_ACL(conn, def_acl);
3020         }
3021         free_canon_ace_list(file_ace);
3022         free_canon_ace_list(dir_ace);
3023         free_inherited_info(pal);
3024         SAFE_FREE(nt_ace_list);
3025
3026         return sd_size;
3027 }
3028
3029 /****************************************************************************
3030  Try to chown a file. We will be able to chown it under the following conditions.
3031
3032   1) If we have root privileges, then it will just work.
3033   2) If we have SeTakeOwnershipPrivilege we can change the user to the current user.
3034   3) If we have SeRestorePrivilege we can change the user to any other user. 
3035   4) If we have write permission to the file and dos_filemodes is set
3036      then allow chown to the currently authenticated user.
3037 ****************************************************************************/
3038
3039 int try_chown(connection_struct *conn, const char *fname, uid_t uid, gid_t gid)
3040 {
3041         int ret;
3042         files_struct *fsp;
3043         SMB_STRUCT_STAT st;
3044
3045         if(!CAN_WRITE(conn)) {
3046                 return -1;
3047         }
3048
3049         /* Case (1). */
3050         /* try the direct way first */
3051         ret = SMB_VFS_CHOWN(conn, fname, uid, gid);
3052         if (ret == 0)
3053                 return 0;
3054
3055         /* Case (2) / (3) */
3056         if (lp_enable_privileges()) {
3057
3058                 BOOL has_take_ownership_priv = user_has_privileges(current_user.nt_user_token,
3059                                                               &se_take_ownership);
3060                 BOOL has_restore_priv = user_has_privileges(current_user.nt_user_token,
3061                                                        &se_restore);
3062
3063                 /* Case (2) */
3064                 if ( ( has_take_ownership_priv && ( uid == current_user.ut.uid ) ) ||
3065                 /* Case (3) */
3066                      ( has_restore_priv ) ) {
3067
3068                         become_root();
3069                         /* Keep the current file gid the same - take ownership doesn't imply group change. */
3070                         ret = SMB_VFS_CHOWN(conn, fname, uid, (gid_t)-1);
3071                         unbecome_root();
3072                         return ret;
3073                 }
3074         }
3075
3076         /* Case (4). */
3077         if (!lp_dos_filemode(SNUM(conn))) {
3078                 errno = EPERM;
3079                 return -1;
3080         }
3081
3082         if (SMB_VFS_STAT(conn,fname,&st)) {
3083                 return -1;
3084         }
3085
3086         if (!NT_STATUS_IS_OK(open_file_fchmod(conn,fname,&st,&fsp))) {
3087                 return -1;
3088         }
3089
3090         /* only allow chown to the current user. This is more secure,
3091            and also copes with the case where the SID in a take ownership ACL is
3092            a local SID on the users workstation 
3093         */
3094         uid = current_user.ut.uid;
3095
3096         become_root();
3097         /* Keep the current file gid the same. */
3098         ret = SMB_VFS_FCHOWN(fsp, fsp->fh->fd, uid, (gid_t)-1);
3099         unbecome_root();
3100
3101         close_file_fchmod(fsp);
3102
3103         return ret;
3104 }
3105
3106 static NTSTATUS append_ugw_ace(files_struct *fsp,
3107                         SMB_STRUCT_STAT *psbuf,
3108                         mode_t unx_mode,
3109                         int ugw,
3110                         SEC_ACE *se)
3111 {
3112         mode_t perms;
3113         SEC_ACCESS acc;
3114         int nt_acl_type;
3115         DOM_SID trustee;
3116
3117         switch (ugw) {
3118                 case S_IRUSR:
3119                         perms = unix_perms_to_acl_perms(unx_mode,
3120                                                         S_IRUSR,
3121                                                         S_IWUSR,
3122                                                         S_IXUSR);
3123                         uid_to_sid(&trustee, psbuf->st_uid );
3124                         break;
3125                 case S_IRGRP:
3126                         perms = unix_perms_to_acl_perms(unx_mode,
3127                                                         S_IRGRP,
3128                                                         S_IWGRP,
3129                                                         S_IXGRP);
3130                         gid_to_sid(&trustee, psbuf->st_gid );
3131                         break;
3132                 case S_IROTH:
3133                         perms = unix_perms_to_acl_perms(unx_mode,
3134                                                         S_IROTH,
3135                                                         S_IWOTH,
3136                                                         S_IXOTH);
3137                         sid_copy(&trustee, &global_sid_World);
3138                         break;
3139                 default:
3140                         return NT_STATUS_INVALID_PARAMETER;
3141         }
3142         acc = map_canon_ace_perms(SNUM(fsp->conn),
3143                                 &nt_acl_type,
3144                                 perms,
3145                                 fsp->is_directory);
3146
3147         init_sec_ace(se,
3148                 &trustee,
3149                 nt_acl_type,
3150                 acc,
3151                 0);
3152         return NT_STATUS_OK;
3153 }
3154
3155 /****************************************************************************
3156  If this is an
3157 ****************************************************************************/
3158
3159 static NTSTATUS append_parent_acl(files_struct *fsp,
3160                                 SMB_STRUCT_STAT *psbuf,
3161                                 SEC_DESC *psd,
3162                                 SEC_DESC **pp_new_sd)
3163 {
3164         SEC_DESC *parent_sd = NULL;
3165         files_struct *parent_fsp = NULL;
3166         TALLOC_CTX *mem_ctx = talloc_parent(psd);
3167         char *parent_name = NULL;
3168         SEC_ACE *new_ace = NULL;
3169         unsigned int num_aces = psd->dacl->num_aces;
3170         SMB_STRUCT_STAT sbuf;
3171         NTSTATUS status;
3172         int info;
3173         size_t sd_size;
3174         unsigned int i, j;
3175         mode_t unx_mode;
3176
3177         ZERO_STRUCT(sbuf);
3178
3179         if (mem_ctx == NULL) {
3180                 return NT_STATUS_NO_MEMORY;
3181         }
3182
3183         if (!parent_dirname_talloc(mem_ctx,
3184                                 fsp->fsp_name,
3185                                 &parent_name,
3186                                 NULL)) {
3187                 return NT_STATUS_NO_MEMORY;
3188         }
3189
3190         /* Create a default mode for u/g/w. */
3191         unx_mode = unix_mode(fsp->conn,
3192                         aARCH | (fsp->is_directory ? aDIR : 0),
3193                         fsp->fsp_name,
3194                         parent_name);
3195
3196         status = open_directory(fsp->conn,
3197                                 NULL,
3198                                 parent_name,
3199                                 &sbuf,
3200                                 FILE_READ_ATTRIBUTES, /* Just a stat open */
3201                                 FILE_SHARE_NONE, /* Ignored for stat opens */
3202                                 FILE_OPEN,
3203                                 0,
3204                                 INTERNAL_OPEN_ONLY,
3205                                 &info,
3206                                 &parent_fsp);
3207
3208         if (!NT_STATUS_IS_OK(status)) {
3209                 return status;
3210         }
3211
3212         sd_size = SMB_VFS_GET_NT_ACL(parent_fsp, parent_fsp->fsp_name,
3213                         DACL_SECURITY_INFORMATION, &parent_sd );
3214
3215         close_file(parent_fsp, NORMAL_CLOSE);
3216
3217         if (!sd_size) {
3218                 return NT_STATUS_ACCESS_DENIED;
3219         }
3220
3221         /*
3222          * Make room for potentially all the ACLs from
3223          * the parent, plus the user/group/other triple.
3224          */
3225
3226         num_aces += parent_sd->dacl->num_aces + 3;
3227
3228         if((new_ace = TALLOC_ZERO_ARRAY(mem_ctx, SEC_ACE,
3229                                         num_aces)) == NULL) {
3230                 return NT_STATUS_NO_MEMORY;
3231         }
3232
3233         DEBUG(10,("append_parent_acl: parent ACL has %u entries. New "
3234                 "ACL has %u entries\n",
3235                 parent_sd->dacl->num_aces, num_aces ));
3236
3237         /* Start by copying in all the given ACE entries. */
3238         for (i = 0; i < psd->dacl->num_aces; i++) {
3239                 sec_ace_copy(&new_ace[i], &psd->dacl->aces[i]);
3240         }
3241
3242         /*
3243          * Note that we're ignoring "inherit permissions" here
3244          * as that really only applies to newly created files. JRA.
3245          */
3246
3247          /*
3248           * Append u/g/w.
3249           */
3250
3251         status = append_ugw_ace(fsp, psbuf, unx_mode, S_IRUSR, &new_ace[i++]);
3252         if (!NT_STATUS_IS_OK(status)) {
3253                 return status;
3254         }
3255         status = append_ugw_ace(fsp, psbuf, unx_mode, S_IRGRP, &new_ace[i++]);
3256         if (!NT_STATUS_IS_OK(status)) {
3257                 return status;
3258         }
3259         status = append_ugw_ace(fsp, psbuf, unx_mode, S_IROTH, &new_ace[i++]);
3260         if (!NT_STATUS_IS_OK(status)) {
3261                 return status;
3262         }
3263
3264         /* Finally append any inherited ACEs. */
3265         for (j = 0; j < parent_sd->dacl->num_aces; j++) {
3266                 SEC_ACE *se = &parent_sd->dacl->aces[j];
3267                 uint32 i_flags = se->flags & (SEC_ACE_FLAG_OBJECT_INHERIT|
3268                                         SEC_ACE_FLAG_CONTAINER_INHERIT|
3269                                         SEC_ACE_FLAG_INHERIT_ONLY);
3270
3271                 if (fsp->is_directory) {
3272                         if (i_flags == SEC_ACE_FLAG_OBJECT_INHERIT) {
3273                                 /* Should only apply to a file - ignore. */
3274                                 continue;
3275                         }
3276                 } else {
3277                         if ((i_flags & (SEC_ACE_FLAG_OBJECT_INHERIT|
3278                                         SEC_ACE_FLAG_INHERIT_ONLY)) !=
3279                                         SEC_ACE_FLAG_OBJECT_INHERIT) {
3280                                 /* Should not apply to a file - ignore. */
3281                                 continue;
3282                         }
3283                 }
3284                 sec_ace_copy(&new_ace[i], se);
3285                 if (se->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
3286                         new_ace[i].flags &= ~(SEC_ACE_FLAG_VALID_INHERIT);
3287                 }
3288                 new_ace[i].flags |= SEC_ACE_FLAG_INHERITED_ACE;
3289                 i++;
3290         }
3291
3292         parent_sd->dacl->aces = new_ace;
3293         parent_sd->dacl->num_aces = i;
3294
3295         *pp_new_sd = parent_sd;
3296         return status;
3297 }
3298
3299 /****************************************************************************
3300  Reply to set a security descriptor on an fsp. security_info_sent is the
3301  description of the following NT ACL.
3302  This should be the only external function needed for the UNIX style set ACL.
3303 ****************************************************************************/
3304
3305 NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
3306 {
3307         connection_struct *conn = fsp->conn;
3308         uid_t user = (uid_t)-1;
3309         gid_t grp = (gid_t)-1;
3310         SMB_STRUCT_STAT sbuf;
3311         DOM_SID file_owner_sid;
3312         DOM_SID file_grp_sid;
3313         canon_ace *file_ace_list = NULL;
3314         canon_ace *dir_ace_list = NULL;
3315         BOOL acl_perms = False;
3316         mode_t orig_mode = (mode_t)0;
3317         NTSTATUS status;
3318
3319         DEBUG(10,("set_nt_acl: called for file %s\n", fsp->fsp_name ));
3320
3321         if (!CAN_WRITE(conn)) {
3322                 DEBUG(10,("set acl rejected on read-only share\n"));
3323                 return NT_STATUS_MEDIA_WRITE_PROTECTED;
3324         }
3325
3326         /*
3327          * Get the current state of the file.
3328          */
3329
3330         if(fsp->is_directory || fsp->fh->fd == -1) {
3331                 if(SMB_VFS_STAT(fsp->conn,fsp->fsp_name, &sbuf) != 0)
3332                         return map_nt_error_from_unix(errno);
3333         } else {
3334                 if(SMB_VFS_FSTAT(fsp,fsp->fh->fd,&sbuf) != 0)
3335                         return map_nt_error_from_unix(errno);
3336         }
3337
3338         /* Save the original elements we check against. */
3339         orig_mode = sbuf.st_mode;
3340
3341         /*
3342          * Unpack the user/group/world id's.
3343          */
3344
3345         status = unpack_nt_owners( SNUM(conn), &user, &grp, security_info_sent, psd);
3346         if (!NT_STATUS_IS_OK(status)) {
3347                 return status;
3348         }
3349
3350         /*
3351          * Do we need to chown ?
3352          */
3353
3354         if (((user != (uid_t)-1) && (sbuf.st_uid != user)) || (( grp != (gid_t)-1) && (sbuf.st_gid != grp))) {
3355
3356                 DEBUG(3,("set_nt_acl: chown %s. uid = %u, gid = %u.\n",
3357                                 fsp->fsp_name, (unsigned int)user, (unsigned int)grp ));
3358
3359                 if(try_chown( fsp->conn, fsp->fsp_name, user, grp) == -1) {
3360                         DEBUG(3,("set_nt_acl: chown %s, %u, %u failed. Error = %s.\n",
3361                                 fsp->fsp_name, (unsigned int)user, (unsigned int)grp, strerror(errno) ));
3362                         if (errno == EPERM) {
3363                                 return NT_STATUS_INVALID_OWNER;
3364                         }
3365                         return map_nt_error_from_unix(errno);
3366                 }
3367
3368                 /*
3369                  * Recheck the current state of the file, which may have changed.
3370                  * (suid/sgid bits, for instance)
3371                  */
3372
3373                 if(fsp->is_directory) {
3374                         if(SMB_VFS_STAT(fsp->conn, fsp->fsp_name, &sbuf) != 0) {
3375                                 return map_nt_error_from_unix(errno);
3376                         }
3377                 } else {
3378
3379                         int ret;
3380
3381                         if(fsp->fh->fd == -1)
3382                                 ret = SMB_VFS_STAT(fsp->conn, fsp->fsp_name, &sbuf);
3383                         else
3384                                 ret = SMB_VFS_FSTAT(fsp,fsp->fh->fd,&sbuf);
3385
3386                         if(ret != 0)
3387                                 return map_nt_error_from_unix(errno);
3388                 }
3389
3390                 /* Save the original elements we check against. */
3391                 orig_mode = sbuf.st_mode;
3392         }
3393
3394         create_file_sids(&sbuf, &file_owner_sid, &file_grp_sid);
3395
3396         if ((security_info_sent & DACL_SECURITY_INFORMATION) &&
3397                 psd->dacl != NULL &&
3398                 (psd->type & (SE_DESC_DACL_AUTO_INHERITED|
3399                               SE_DESC_DACL_AUTO_INHERIT_REQ))==
3400                         (SE_DESC_DACL_AUTO_INHERITED|
3401                          SE_DESC_DACL_AUTO_INHERIT_REQ) ) {
3402                 status = append_parent_acl(fsp, &sbuf, psd, &psd);
3403                 if (!NT_STATUS_IS_OK(status)) {
3404                         return status;
3405                 }
3406         }
3407
3408         acl_perms = unpack_canon_ace( fsp, &sbuf, &file_owner_sid, &file_grp_sid,
3409                                         &file_ace_list, &dir_ace_list, security_info_sent, psd);
3410
3411         /* Ignore W2K traverse DACL set. */
3412         if (file_ace_list || dir_ace_list) {
3413
3414                 if (!acl_perms) {
3415                         DEBUG(3,("set_nt_acl: cannot set permissions\n"));
3416                         free_canon_ace_list(file_ace_list);
3417                         free_canon_ace_list(dir_ace_list); 
3418                         return NT_STATUS_ACCESS_DENIED;
3419                 }
3420
3421                 /*
3422                  * Only change security if we got a DACL.
3423                  */
3424
3425                 if((security_info_sent & DACL_SECURITY_INFORMATION) && (psd->dacl != NULL)) {
3426
3427                         BOOL acl_set_support = False;
3428                         BOOL ret = False;
3429
3430                         /*
3431                          * Try using the POSIX ACL set first. Fall back to chmod if
3432                          * we have no ACL support on this filesystem.
3433                          */
3434
3435                         if (acl_perms && file_ace_list) {
3436                                 ret = set_canon_ace_list(fsp, file_ace_list, False, sbuf.st_gid, &acl_set_support);
3437                                 if (acl_set_support && ret == False) {
3438                                         DEBUG(3,("set_nt_acl: failed to set file acl on file %s (%s).\n", fsp->fsp_name, strerror(errno) ));
3439                                         free_canon_ace_list(file_ace_list);
3440                                         free_canon_ace_list(dir_ace_list); 
3441                                         return map_nt_error_from_unix(errno);
3442                                 }
3443                        &n