source: vendor/3.6.9/source3/smbd/posix_acls.c

Last change on this file was 746, checked in by Silvan Scherrer, 13 years ago

Samba Server: updated vendor to 3.6.9
File size: 142.9 KB
Line 
1/*
2 Unix SMB/CIFS implementation.
3 SMB NT Security Descriptor / Unix permission conversion.
4 Copyright (C) Jeremy Allison 1994-2009.
5 Copyright (C) Andreas Gruenbacher 2002.
6 Copyright (C) Simo Sorce <idra@samba.org> 2009.
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20*/
21
22#include "includes.h"
23#include "smbd/smbd.h"
24#include "system/filesys.h"
25#include "../libcli/security/security.h"
26#include "trans2.h"
27#include "passdb/lookup_sid.h"
28#include "auth.h"
29
30extern const struct generic_mapping file_generic_mapping;
31
32#undef DBGC_CLASS
33#define DBGC_CLASS DBGC_ACLS
34
35/****************************************************************************
36 Data structures representing the internal ACE format.
37****************************************************************************/
38
39enum ace_owner {UID_ACE, GID_ACE, WORLD_ACE};
40enum ace_attribute {ALLOW_ACE, DENY_ACE}; /* Used for incoming NT ACLS. */
41
42typedef union posix_id {
43 uid_t uid;
44 gid_t gid;
45 int world;
46} posix_id;
47
48typedef struct canon_ace {
49 struct canon_ace *next, *prev;
50 SMB_ACL_TAG_T type;
51 mode_t perms; /* Only use S_I(R|W|X)USR mode bits here. */
52 struct dom_sid trustee;
53 enum ace_owner owner_type;
54 enum ace_attribute attr;
55 posix_id unix_ug;
56 uint8_t ace_flags; /* From windows ACE entry. */
57} canon_ace;
58
59#define ALL_ACE_PERMS (S_IRUSR|S_IWUSR|S_IXUSR)
60
61/*
62 * EA format of user.SAMBA_PAI (Samba_Posix_Acl_Interitance)
63 * attribute on disk - version 1.
64 * All values are little endian.
65 *
66 * | 1 | 1 | 2 | 2 | ....
67 * +------+------+-------------+---------------------+-------------+--------------------+
68 * | vers | flag | num_entries | num_default_entries | ..entries.. | default_entries... |
69 * +------+------+-------------+---------------------+-------------+--------------------+
70 *
71 * Entry format is :
72 *
73 * | 1 | 4 |
74 * +------+-------------------+
75 * | value| uid/gid or world |
76 * | type | value |
77 * +------+-------------------+
78 *
79 * Version 2 format. Stores extra Windows metadata about an ACL.
80 *
81 * | 1 | 2 | 2 | 2 | ....
82 * +------+----------+-------------+---------------------+-------------+--------------------+
83 * | vers | ace | num_entries | num_default_entries | ..entries.. | default_entries... |
84 * | 2 | type | | | | |
85 * +------+----------+-------------+---------------------+-------------+--------------------+
86 *
87 * Entry format is :
88 *
89 * | 1 | 1 | 4 |
90 * +------+------+-------------------+
91 * | ace | value| uid/gid or world |
92 * | flag | type | value |
93 * +------+-------------------+------+
94 *
95 */
96
97#define PAI_VERSION_OFFSET 0
98
99#define PAI_V1_FLAG_OFFSET 1
100#define PAI_V1_NUM_ENTRIES_OFFSET 2
101#define PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET 4
102#define PAI_V1_ENTRIES_BASE 6
103#define PAI_V1_ACL_FLAG_PROTECTED 0x1
104#define PAI_V1_ENTRY_LENGTH 5
105
106#define PAI_V1_VERSION 1
107
108#define PAI_V2_TYPE_OFFSET 1
109#define PAI_V2_NUM_ENTRIES_OFFSET 3
110#define PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET 5
111#define PAI_V2_ENTRIES_BASE 7
112#define PAI_V2_ENTRY_LENGTH 6
113
114#define PAI_V2_VERSION 2
115
116/*
117 * In memory format of user.SAMBA_PAI attribute.
118 */
119
120struct pai_entry {
121 struct pai_entry *next, *prev;
122 uint8_t ace_flags;
123 enum ace_owner owner_type;
124 posix_id unix_ug;
125};
126
127struct pai_val {
128 uint16_t sd_type;
129 unsigned int num_entries;
130 struct pai_entry *entry_list;
131 unsigned int num_def_entries;
132 struct pai_entry *def_entry_list;
133};
134
135/************************************************************************
136 Return a uint32 of the pai_entry principal.
137************************************************************************/
138
139static uint32_t get_pai_entry_val(struct pai_entry *paie)
140{
141 switch (paie->owner_type) {
142 case UID_ACE:
143 DEBUG(10,("get_pai_entry_val: uid = %u\n", (unsigned int)paie->unix_ug.uid ));
144 return (uint32_t)paie->unix_ug.uid;
145 case GID_ACE:
146 DEBUG(10,("get_pai_entry_val: gid = %u\n", (unsigned int)paie->unix_ug.gid ));
147 return (uint32_t)paie->unix_ug.gid;
148 case WORLD_ACE:
149 default:
150 DEBUG(10,("get_pai_entry_val: world ace\n"));
151 return (uint32_t)-1;
152 }
153}
154
155/************************************************************************
156 Return a uint32 of the entry principal.
157************************************************************************/
158
159static uint32_t get_entry_val(canon_ace *ace_entry)
160{
161 switch (ace_entry->owner_type) {
162 case UID_ACE:
163 DEBUG(10,("get_entry_val: uid = %u\n", (unsigned int)ace_entry->unix_ug.uid ));
164 return (uint32_t)ace_entry->unix_ug.uid;
165 case GID_ACE:
166 DEBUG(10,("get_entry_val: gid = %u\n", (unsigned int)ace_entry->unix_ug.gid ));
167 return (uint32_t)ace_entry->unix_ug.gid;
168 case WORLD_ACE:
169 default:
170 DEBUG(10,("get_entry_val: world ace\n"));
171 return (uint32_t)-1;
172 }
173}
174
175/************************************************************************
176 Create the on-disk format (always v2 now). Caller must free.
177************************************************************************/
178
179static char *create_pai_buf_v2(canon_ace *file_ace_list,
180 canon_ace *dir_ace_list,
181 uint16_t sd_type,
182 size_t *store_size)
183{
184 char *pai_buf = NULL;
185 canon_ace *ace_list = NULL;
186 char *entry_offset = NULL;
187 unsigned int num_entries = 0;
188 unsigned int num_def_entries = 0;
189 unsigned int i;
190
191 for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next) {
192 num_entries++;
193 }
194
195 for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next) {
196 num_def_entries++;
197 }
198
199 DEBUG(10,("create_pai_buf_v2: num_entries = %u, num_def_entries = %u\n", num_entries, num_def_entries ));
200
201 *store_size = PAI_V2_ENTRIES_BASE +
202 ((num_entries + num_def_entries)*PAI_V2_ENTRY_LENGTH);
203
204 pai_buf = (char *)SMB_MALLOC(*store_size);
205 if (!pai_buf) {
206 return NULL;
207 }
208
209 /* Set up the header. */
210 memset(pai_buf, '\0', PAI_V2_ENTRIES_BASE);
211 SCVAL(pai_buf,PAI_VERSION_OFFSET,PAI_V2_VERSION);
212 SSVAL(pai_buf,PAI_V2_TYPE_OFFSET, sd_type);
213 SSVAL(pai_buf,PAI_V2_NUM_ENTRIES_OFFSET,num_entries);
214 SSVAL(pai_buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET,num_def_entries);
215
216 DEBUG(10,("create_pai_buf_v2: sd_type = 0x%x\n",
217 (unsigned int)sd_type ));
218
219 entry_offset = pai_buf + PAI_V2_ENTRIES_BASE;
220
221 i = 0;
222 for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next) {
223 uint8_t type_val = (uint8_t)ace_list->owner_type;
224 uint32_t entry_val = get_entry_val(ace_list);
225
226 SCVAL(entry_offset,0,ace_list->ace_flags);
227 SCVAL(entry_offset,1,type_val);
228 SIVAL(entry_offset,2,entry_val);
229 DEBUG(10,("create_pai_buf_v2: entry %u [0x%x] [0x%x] [0x%x]\n",
230 i,
231 (unsigned int)ace_list->ace_flags,
232 (unsigned int)type_val,
233 (unsigned int)entry_val ));
234 i++;
235 entry_offset += PAI_V2_ENTRY_LENGTH;
236 }
237
238 for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next) {
239 uint8_t type_val = (uint8_t)ace_list->owner_type;
240 uint32_t entry_val = get_entry_val(ace_list);
241
242 SCVAL(entry_offset,0,ace_list->ace_flags);
243 SCVAL(entry_offset,1,type_val);
244 SIVAL(entry_offset,2,entry_val);
245 DEBUG(10,("create_pai_buf_v2: entry %u [0x%x] [0x%x] [0x%x]\n",
246 i,
247 (unsigned int)ace_list->ace_flags,
248 (unsigned int)type_val,
249 (unsigned int)entry_val ));
250 i++;
251 entry_offset += PAI_V2_ENTRY_LENGTH;
252 }
253
254 return pai_buf;
255}
256
257/************************************************************************
258 Store the user.SAMBA_PAI attribute on disk.
259************************************************************************/
260
261static void store_inheritance_attributes(files_struct *fsp,
262 canon_ace *file_ace_list,
263 canon_ace *dir_ace_list,
264 uint16_t sd_type)
265{
266 int ret;
267 size_t store_size;
268 char *pai_buf;
269
270 if (!lp_map_acl_inherit(SNUM(fsp->conn))) {
271 return;
272 }
273
274 pai_buf = create_pai_buf_v2(file_ace_list, dir_ace_list,
275 sd_type, &store_size);
276
277 if (fsp->fh->fd != -1) {
278 ret = SMB_VFS_FSETXATTR(fsp, SAMBA_POSIX_INHERITANCE_EA_NAME,
279 pai_buf, store_size, 0);
280 } else {
281 ret = SMB_VFS_SETXATTR(fsp->conn, fsp->fsp_name->base_name,
282 SAMBA_POSIX_INHERITANCE_EA_NAME,
283 pai_buf, store_size, 0);
284 }
285
286 SAFE_FREE(pai_buf);
287
288 DEBUG(10,("store_inheritance_attribute: type 0x%x for file %s\n",
289 (unsigned int)sd_type,
290 fsp_str_dbg(fsp)));
291
292 if (ret == -1 && !no_acl_syscall_error(errno)) {
293 DEBUG(1,("store_inheritance_attribute: Error %s\n", strerror(errno) ));
294 }
295}
296
297/************************************************************************
298 Delete the in memory inheritance info.
299************************************************************************/
300
301static void free_inherited_info(struct pai_val *pal)
302{
303 if (pal) {
304 struct pai_entry *paie, *paie_next;
305 for (paie = pal->entry_list; paie; paie = paie_next) {
306 paie_next = paie->next;
307 SAFE_FREE(paie);
308 }
309 for (paie = pal->def_entry_list; paie; paie = paie_next) {
310 paie_next = paie->next;
311 SAFE_FREE(paie);
312 }
313 SAFE_FREE(pal);
314 }
315}
316
317/************************************************************************
318 Get any stored ACE flags.
319************************************************************************/
320
321static uint16_t get_pai_flags(struct pai_val *pal, canon_ace *ace_entry, bool default_ace)
322{
323 struct pai_entry *paie;
324
325 if (!pal) {
326 return 0;
327 }
328
329 /* If the entry exists it is inherited. */
330 for (paie = (default_ace ? pal->def_entry_list : pal->entry_list); paie; paie = paie->next) {
331 if (ace_entry->owner_type == paie->owner_type &&
332 get_entry_val(ace_entry) == get_pai_entry_val(paie))
333 return paie->ace_flags;
334 }
335 return 0;
336}
337
338/************************************************************************
339 Ensure an attribute just read is valid - v1.
340************************************************************************/
341
342static bool check_pai_ok_v1(const char *pai_buf, size_t pai_buf_data_size)
343{
344 uint16 num_entries;
345 uint16 num_def_entries;
346
347 if (pai_buf_data_size < PAI_V1_ENTRIES_BASE) {
348 /* Corrupted - too small. */
349 return false;
350 }
351
352 if (CVAL(pai_buf,PAI_VERSION_OFFSET) != PAI_V1_VERSION) {
353 return false;
354 }
355
356 num_entries = SVAL(pai_buf,PAI_V1_NUM_ENTRIES_OFFSET);
357 num_def_entries = SVAL(pai_buf,PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET);
358
359 /* Check the entry lists match. */
360 /* Each entry is 5 bytes (type plus 4 bytes of uid or gid). */
361
362 if (((num_entries + num_def_entries)*PAI_V1_ENTRY_LENGTH) +
363 PAI_V1_ENTRIES_BASE != pai_buf_data_size) {
364 return false;
365 }
366
367 return true;
368}
369
370/************************************************************************
371 Ensure an attribute just read is valid - v2.
372************************************************************************/
373
374static bool check_pai_ok_v2(const char *pai_buf, size_t pai_buf_data_size)
375{
376 uint16 num_entries;
377 uint16 num_def_entries;
378
379 if (pai_buf_data_size < PAI_V2_ENTRIES_BASE) {
380 /* Corrupted - too small. */
381 return false;
382 }
383
384 if (CVAL(pai_buf,PAI_VERSION_OFFSET) != PAI_V2_VERSION) {
385 return false;
386 }
387
388 num_entries = SVAL(pai_buf,PAI_V2_NUM_ENTRIES_OFFSET);
389 num_def_entries = SVAL(pai_buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET);
390
391 /* Check the entry lists match. */
392 /* Each entry is 6 bytes (flags + type + 4 bytes of uid or gid). */
393
394 if (((num_entries + num_def_entries)*PAI_V2_ENTRY_LENGTH) +
395 PAI_V2_ENTRIES_BASE != pai_buf_data_size) {
396 return false;
397 }
398
399 return true;
400}
401
402/************************************************************************
403 Decode the owner.
404************************************************************************/
405
406static bool get_pai_owner_type(struct pai_entry *paie, const char *entry_offset)
407{
408 paie->owner_type = (enum ace_owner)CVAL(entry_offset,0);
409 switch( paie->owner_type) {
410 case UID_ACE:
411 paie->unix_ug.uid = (uid_t)IVAL(entry_offset,1);
412 DEBUG(10,("get_pai_owner_type: uid = %u\n",
413 (unsigned int)paie->unix_ug.uid ));
414 break;
415 case GID_ACE:
416 paie->unix_ug.gid = (gid_t)IVAL(entry_offset,1);
417 DEBUG(10,("get_pai_owner_type: gid = %u\n",
418 (unsigned int)paie->unix_ug.gid ));
419 break;
420 case WORLD_ACE:
421 paie->unix_ug.world = -1;
422 DEBUG(10,("get_pai_owner_type: world ace\n"));
423 break;
424 default:
425 DEBUG(10,("get_pai_owner_type: unknown type %u\n",
426 (unsigned int)paie->owner_type ));
427 return false;
428 }
429 return true;
430}
431
432/************************************************************************
433 Process v2 entries.
434************************************************************************/
435
436static const char *create_pai_v1_entries(struct pai_val *paiv,
437 const char *entry_offset,
438 bool def_entry)
439{
440 int i;
441
442 for (i = 0; i < paiv->num_entries; i++) {
443 struct pai_entry *paie = SMB_MALLOC_P(struct pai_entry);
444 if (!paie) {
445 return NULL;
446 }
447
448 paie->ace_flags = SEC_ACE_FLAG_INHERITED_ACE;
449 if (!get_pai_owner_type(paie, entry_offset)) {
450 SAFE_FREE(paie);
451 return NULL;
452 }
453
454 if (!def_entry) {
455 DLIST_ADD(paiv->entry_list, paie);
456 } else {
457 DLIST_ADD(paiv->def_entry_list, paie);
458 }
459 entry_offset += PAI_V1_ENTRY_LENGTH;
460 }
461 return entry_offset;
462}
463
464/************************************************************************
465 Convert to in-memory format from version 1.
466************************************************************************/
467
468static struct pai_val *create_pai_val_v1(const char *buf, size_t size)
469{
470 const char *entry_offset;
471 struct pai_val *paiv = NULL;
472
473 if (!check_pai_ok_v1(buf, size)) {
474 return NULL;
475 }
476
477 paiv = SMB_MALLOC_P(struct pai_val);
478 if (!paiv) {
479 return NULL;
480 }
481
482 memset(paiv, '\0', sizeof(struct pai_val));
483
484 paiv->sd_type = (CVAL(buf,PAI_V1_FLAG_OFFSET) == PAI_V1_ACL_FLAG_PROTECTED) ?
485 SEC_DESC_DACL_PROTECTED : 0;
486
487 paiv->num_entries = SVAL(buf,PAI_V1_NUM_ENTRIES_OFFSET);
488 paiv->num_def_entries = SVAL(buf,PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET);
489
490 entry_offset = buf + PAI_V1_ENTRIES_BASE;
491
492 DEBUG(10,("create_pai_val: num_entries = %u, num_def_entries = %u\n",
493 paiv->num_entries, paiv->num_def_entries ));
494
495 entry_offset = create_pai_v1_entries(paiv, entry_offset, false);
496 if (entry_offset == NULL) {
497 free_inherited_info(paiv);
498 return NULL;
499 }
500 entry_offset = create_pai_v1_entries(paiv, entry_offset, true);
501 if (entry_offset == NULL) {
502 free_inherited_info(paiv);
503 return NULL;
504 }
505
506 return paiv;
507}
508
509/************************************************************************
510 Process v2 entries.
511************************************************************************/
512
513static const char *create_pai_v2_entries(struct pai_val *paiv,
514 unsigned int num_entries,
515 const char *entry_offset,
516 bool def_entry)
517{
518 unsigned int i;
519
520 for (i = 0; i < num_entries; i++) {
521 struct pai_entry *paie = SMB_MALLOC_P(struct pai_entry);
522 if (!paie) {
523 return NULL;
524 }
525
526 paie->ace_flags = CVAL(entry_offset,0);
527
528 if (!get_pai_owner_type(paie, entry_offset+1)) {
529 SAFE_FREE(paie);
530 return NULL;
531 }
532 if (!def_entry) {
533 DLIST_ADD(paiv->entry_list, paie);
534 } else {
535 DLIST_ADD(paiv->def_entry_list, paie);
536 }
537 entry_offset += PAI_V2_ENTRY_LENGTH;
538 }
539 return entry_offset;
540}
541
542/************************************************************************
543 Convert to in-memory format from version 2.
544************************************************************************/
545
546static struct pai_val *create_pai_val_v2(const char *buf, size_t size)
547{
548 const char *entry_offset;
549 struct pai_val *paiv = NULL;
550
551 if (!check_pai_ok_v2(buf, size)) {
552 return NULL;
553 }
554
555 paiv = SMB_MALLOC_P(struct pai_val);
556 if (!paiv) {
557 return NULL;
558 }
559
560 memset(paiv, '\0', sizeof(struct pai_val));
561
562 paiv->sd_type = SVAL(buf,PAI_V2_TYPE_OFFSET);
563
564 paiv->num_entries = SVAL(buf,PAI_V2_NUM_ENTRIES_OFFSET);
565 paiv->num_def_entries = SVAL(buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET);
566
567 entry_offset = buf + PAI_V2_ENTRIES_BASE;
568
569 DEBUG(10,("create_pai_val_v2: sd_type = 0x%x num_entries = %u, num_def_entries = %u\n",
570 (unsigned int)paiv->sd_type,
571 paiv->num_entries, paiv->num_def_entries ));
572
573 entry_offset = create_pai_v2_entries(paiv, paiv->num_entries,
574 entry_offset, false);
575 if (entry_offset == NULL) {
576 free_inherited_info(paiv);
577 return NULL;
578 }
579 entry_offset = create_pai_v2_entries(paiv, paiv->num_def_entries,
580 entry_offset, true);
581 if (entry_offset == NULL) {
582 free_inherited_info(paiv);
583 return NULL;
584 }
585
586 return paiv;
587}
588
589/************************************************************************
590 Convert to in-memory format - from either version 1 or 2.
591************************************************************************/
592
593static struct pai_val *create_pai_val(const char *buf, size_t size)
594{
595 if (size < 1) {
596 return NULL;
597 }
598 if (CVAL(buf,PAI_VERSION_OFFSET) == PAI_V1_VERSION) {
599 return create_pai_val_v1(buf, size);
600 } else if (CVAL(buf,PAI_VERSION_OFFSET) == PAI_V2_VERSION) {
601 return create_pai_val_v2(buf, size);
602 } else {
603 return NULL;
604 }
605}
606
607/************************************************************************
608 Load the user.SAMBA_PAI attribute.
609************************************************************************/
610
611static struct pai_val *fload_inherited_info(files_struct *fsp)
612{
613 char *pai_buf;
614 size_t pai_buf_size = 1024;
615 struct pai_val *paiv = NULL;
616 ssize_t ret;
617
618 if (!lp_map_acl_inherit(SNUM(fsp->conn))) {
619 return NULL;
620 }
621
622 if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL) {
623 return NULL;
624 }
625
626 do {
627 if (fsp->fh->fd != -1) {
628 ret = SMB_VFS_FGETXATTR(fsp, SAMBA_POSIX_INHERITANCE_EA_NAME,
629 pai_buf, pai_buf_size);
630 } else {
631 ret = SMB_VFS_GETXATTR(fsp->conn,
632 fsp->fsp_name->base_name,
633 SAMBA_POSIX_INHERITANCE_EA_NAME,
634 pai_buf, pai_buf_size);
635 }
636
637 if (ret == -1) {
638 if (errno != ERANGE) {
639 break;
640 }
641 /* Buffer too small - enlarge it. */
642 pai_buf_size *= 2;
643 SAFE_FREE(pai_buf);
644 if (pai_buf_size > 1024*1024) {
645 return NULL; /* Limit malloc to 1mb. */
646 }
647 if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL)
648 return NULL;
649 }
650 } while (ret == -1);
651
652 DEBUG(10,("load_inherited_info: ret = %lu for file %s\n",
653 (unsigned long)ret, fsp_str_dbg(fsp)));
654
655 if (ret == -1) {
656 /* No attribute or not supported. */
657#if defined(ENOATTR)
658 if (errno != ENOATTR)
659 DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
660#else
661 if (errno != ENOSYS)
662 DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
663#endif
664 SAFE_FREE(pai_buf);
665 return NULL;
666 }
667
668 paiv = create_pai_val(pai_buf, ret);
669
670 if (paiv) {
671 DEBUG(10,("load_inherited_info: ACL type is 0x%x for file %s\n",
672 (unsigned int)paiv->sd_type, fsp_str_dbg(fsp)));
673 }
674
675 SAFE_FREE(pai_buf);
676 return paiv;
677}
678
679/************************************************************************
680 Load the user.SAMBA_PAI attribute.
681************************************************************************/
682
683static struct pai_val *load_inherited_info(const struct connection_struct *conn,
684 const char *fname)
685{
686 char *pai_buf;
687 size_t pai_buf_size = 1024;
688 struct pai_val *paiv = NULL;
689 ssize_t ret;
690
691 if (!lp_map_acl_inherit(SNUM(conn))) {
692 return NULL;
693 }
694
695 if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL) {
696 return NULL;
697 }
698
699 do {
700 ret = SMB_VFS_GETXATTR(conn, fname,
701 SAMBA_POSIX_INHERITANCE_EA_NAME,
702 pai_buf, pai_buf_size);
703
704 if (ret == -1) {
705 if (errno != ERANGE) {
706 break;
707 }
708 /* Buffer too small - enlarge it. */
709 pai_buf_size *= 2;
710 SAFE_FREE(pai_buf);
711 if (pai_buf_size > 1024*1024) {
712 return NULL; /* Limit malloc to 1mb. */
713 }
714 if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL)
715 return NULL;
716 }
717 } while (ret == -1);
718
719 DEBUG(10,("load_inherited_info: ret = %lu for file %s\n", (unsigned long)ret, fname));
720
721 if (ret == -1) {
722 /* No attribute or not supported. */
723#if defined(ENOATTR)
724 if (errno != ENOATTR)
725 DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
726#else
727 if (errno != ENOSYS)
728 DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
729#endif
730 SAFE_FREE(pai_buf);
731 return NULL;
732 }
733
734 paiv = create_pai_val(pai_buf, ret);
735
736 if (paiv) {
737 DEBUG(10,("load_inherited_info: ACL type 0x%x for file %s\n",
738 (unsigned int)paiv->sd_type,
739 fname));
740 }
741
742 SAFE_FREE(pai_buf);
743 return paiv;
744}
745
746/****************************************************************************
747 Functions to manipulate the internal ACE format.
748****************************************************************************/
749
750/****************************************************************************
751 Count a linked list of canonical ACE entries.
752****************************************************************************/
753
754static size_t count_canon_ace_list( canon_ace *l_head )
755{
756 size_t count = 0;
757 canon_ace *ace;
758
759 for (ace = l_head; ace; ace = ace->next)
760 count++;
761
762 return count;
763}
764
765/****************************************************************************
766 Free a linked list of canonical ACE entries.
767****************************************************************************/
768
769static void free_canon_ace_list( canon_ace *l_head )
770{
771 canon_ace *list, *next;
772
773 for (list = l_head; list; list = next) {
774 next = list->next;
775 DLIST_REMOVE(l_head, list);
776 SAFE_FREE(list);
777 }
778}
779
780/****************************************************************************
781 Function to duplicate a canon_ace entry.
782****************************************************************************/
783
784static canon_ace *dup_canon_ace( canon_ace *src_ace)
785{
786 canon_ace *dst_ace = SMB_MALLOC_P(canon_ace);
787
788 if (dst_ace == NULL)
789 return NULL;
790
791 *dst_ace = *src_ace;
792 dst_ace->prev = dst_ace->next = NULL;
793 return dst_ace;
794}
795
796/****************************************************************************
797 Print out a canon ace.
798****************************************************************************/
799
800static void print_canon_ace(canon_ace *pace, int num)
801{
802 dbgtext( "canon_ace index %d. Type = %s ", num, pace->attr == ALLOW_ACE ? "allow" : "deny" );
803 dbgtext( "SID = %s ", sid_string_dbg(&pace->trustee));
804 if (pace->owner_type == UID_ACE) {
805 const char *u_name = uidtoname(pace->unix_ug.uid);
806 dbgtext( "uid %u (%s) ", (unsigned int)pace->unix_ug.uid, u_name );
807 } else if (pace->owner_type == GID_ACE) {
808 char *g_name = gidtoname(pace->unix_ug.gid);
809 dbgtext( "gid %u (%s) ", (unsigned int)pace->unix_ug.gid, g_name );
810 } else
811 dbgtext( "other ");
812 switch (pace->type) {
813 case SMB_ACL_USER:
814 dbgtext( "SMB_ACL_USER ");
815 break;
816 case SMB_ACL_USER_OBJ:
817 dbgtext( "SMB_ACL_USER_OBJ ");
818 break;
819 case SMB_ACL_GROUP:
820 dbgtext( "SMB_ACL_GROUP ");
821 break;
822 case SMB_ACL_GROUP_OBJ:
823 dbgtext( "SMB_ACL_GROUP_OBJ ");
824 break;
825 case SMB_ACL_OTHER:
826 dbgtext( "SMB_ACL_OTHER ");
827 break;
828 default:
829 dbgtext( "MASK " );
830 break;
831 }
832
833 dbgtext( "ace_flags = 0x%x ", (unsigned int)pace->ace_flags);
834 dbgtext( "perms ");
835 dbgtext( "%c", pace->perms & S_IRUSR ? 'r' : '-');
836 dbgtext( "%c", pace->perms & S_IWUSR ? 'w' : '-');
837 dbgtext( "%c\n", pace->perms & S_IXUSR ? 'x' : '-');
838}
839
840/****************************************************************************
841 Print out a canon ace list.
842****************************************************************************/
843
844static void print_canon_ace_list(const char *name, canon_ace *ace_list)
845{
846 int count = 0;
847
848 if( DEBUGLVL( 10 )) {
849 dbgtext( "print_canon_ace_list: %s\n", name );
850 for (;ace_list; ace_list = ace_list->next, count++)
851 print_canon_ace(ace_list, count );
852 }
853}
854
855/****************************************************************************
856 Map POSIX ACL perms to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
857****************************************************************************/
858
859static mode_t convert_permset_to_mode_t(connection_struct *conn, SMB_ACL_PERMSET_T permset)
860{
861 mode_t ret = 0;
862
863 ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_READ) ? S_IRUSR : 0);
864 ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_WRITE) ? S_IWUSR : 0);
865 ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_EXECUTE) ? S_IXUSR : 0);
866
867 return ret;
868}
869
870/****************************************************************************
871 Map generic UNIX permissions to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
872****************************************************************************/
873
874static mode_t unix_perms_to_acl_perms(mode_t mode, int r_mask, int w_mask, int x_mask)
875{
876 mode_t ret = 0;
877
878 if (mode & r_mask)
879 ret |= S_IRUSR;
880 if (mode & w_mask)
881 ret |= S_IWUSR;
882 if (mode & x_mask)
883 ret |= S_IXUSR;
884
885 return ret;
886}
887
888/****************************************************************************
889 Map canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits) to
890 an SMB_ACL_PERMSET_T.
891****************************************************************************/
892
893static int map_acl_perms_to_permset(connection_struct *conn, mode_t mode, SMB_ACL_PERMSET_T *p_permset)
894{
895 if (SMB_VFS_SYS_ACL_CLEAR_PERMS(conn, *p_permset) == -1)
896 return -1;
897 if (mode & S_IRUSR) {
898 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_READ) == -1)
899 return -1;
900 }
901 if (mode & S_IWUSR) {
902 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_WRITE) == -1)
903 return -1;
904 }
905 if (mode & S_IXUSR) {
906 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_EXECUTE) == -1)
907 return -1;
908 }
909 return 0;
910}
911
912/****************************************************************************
913 Function to create owner and group SIDs from a SMB_STRUCT_STAT.
914****************************************************************************/
915
916void create_file_sids(const SMB_STRUCT_STAT *psbuf, struct dom_sid *powner_sid, struct dom_sid *pgroup_sid)
917{
918 uid_to_sid( powner_sid, psbuf->st_ex_uid );
919 gid_to_sid( pgroup_sid, psbuf->st_ex_gid );
920}
921
922/****************************************************************************
923 Merge aces with a common sid - if both are allow or deny, OR the permissions together and
924 delete the second one. If the first is deny, mask the permissions off and delete the allow
925 if the permissions become zero, delete the deny if the permissions are non zero.
926****************************************************************************/
927
928static void merge_aces( canon_ace **pp_list_head, bool dir_acl)
929{
930 canon_ace *l_head = *pp_list_head;
931 canon_ace *curr_ace_outer;
932 canon_ace *curr_ace_outer_next;
933
934 /*
935 * First, merge allow entries with identical SIDs, and deny entries
936 * with identical SIDs.
937 */
938
939 for (curr_ace_outer = l_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
940 canon_ace *curr_ace;
941 canon_ace *curr_ace_next;
942
943 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
944
945 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
946 bool can_merge = false;
947
948 curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
949
950 /* For file ACLs we can merge if the SIDs and ALLOW/DENY
951 * types are the same. For directory acls we must also
952 * ensure the POSIX ACL types are the same. */
953
954 if (!dir_acl) {
955 can_merge = (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) &&
956 (curr_ace->attr == curr_ace_outer->attr));
957 } else {
958 can_merge = (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) &&
959 (curr_ace->type == curr_ace_outer->type) &&
960 (curr_ace->attr == curr_ace_outer->attr));
961 }
962
963 if (can_merge) {
964 if( DEBUGLVL( 10 )) {
965 dbgtext("merge_aces: Merging ACE's\n");
966 print_canon_ace( curr_ace_outer, 0);
967 print_canon_ace( curr_ace, 0);
968 }
969
970 /* Merge two allow or two deny ACE's. */
971
972 /* Theoretically we shouldn't merge a dir ACE if
973 * one ACE has the CI flag set, and the other
974 * ACE has the OI flag set, but this is rare
975 * enough we can ignore it. */
976
977 curr_ace_outer->perms |= curr_ace->perms;
978 curr_ace_outer->ace_flags |= curr_ace->ace_flags;
979 DLIST_REMOVE(l_head, curr_ace);
980 SAFE_FREE(curr_ace);
981 curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
982 }
983 }
984 }
985
986 /*
987 * Now go through and mask off allow permissions with deny permissions.
988 * We can delete either the allow or deny here as we know that each SID
989 * appears only once in the list.
990 */
991
992 for (curr_ace_outer = l_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
993 canon_ace *curr_ace;
994 canon_ace *curr_ace_next;
995
996 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
997
998 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
999
1000 curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
1001
1002 /*
1003 * Subtract ACE's with different entries. Due to the ordering constraints
1004 * we've put on the ACL, we know the deny must be the first one.
1005 */
1006
1007 if (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) &&
1008 (curr_ace_outer->attr == DENY_ACE) && (curr_ace->attr == ALLOW_ACE)) {
1009
1010 if( DEBUGLVL( 10 )) {
1011 dbgtext("merge_aces: Masking ACE's\n");
1012 print_canon_ace( curr_ace_outer, 0);
1013 print_canon_ace( curr_ace, 0);
1014 }
1015
1016 curr_ace->perms &= ~curr_ace_outer->perms;
1017
1018 if (curr_ace->perms == 0) {
1019
1020 /*
1021 * The deny overrides the allow. Remove the allow.
1022 */
1023
1024 DLIST_REMOVE(l_head, curr_ace);
1025 SAFE_FREE(curr_ace);
1026 curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
1027
1028 } else {
1029
1030 /*
1031 * Even after removing permissions, there
1032 * are still allow permissions - delete the deny.
1033 * It is safe to delete the deny here,
1034 * as we are guarenteed by the deny first
1035 * ordering that all the deny entries for
1036 * this SID have already been merged into one
1037 * before we can get to an allow ace.
1038 */
1039
1040 DLIST_REMOVE(l_head, curr_ace_outer);
1041 SAFE_FREE(curr_ace_outer);
1042 break;
1043 }
1044 }
1045
1046 } /* end for curr_ace */
1047 } /* end for curr_ace_outer */
1048
1049 /* We may have modified the list. */
1050
1051 *pp_list_head = l_head;
1052}
1053
1054/****************************************************************************
1055 Check if we need to return NT4.x compatible ACL entries.
1056****************************************************************************/
1057
1058bool nt4_compatible_acls(void)
1059{
1060 int compat = lp_acl_compatibility();
1061
1062 if (compat == ACL_COMPAT_AUTO) {
1063 enum remote_arch_types ra_type = get_remote_arch();
1064
1065 /* Automatically adapt to client */
1066 return (ra_type <= RA_WINNT);
1067 } else
1068 return (compat == ACL_COMPAT_WINNT);
1069}
1070
1071
1072/****************************************************************************
1073 Map canon_ace perms to permission bits NT.
1074 The attr element is not used here - we only process deny entries on set,
1075 not get. Deny entries are implicit on get with ace->perms = 0.
1076****************************************************************************/
1077
1078uint32_t map_canon_ace_perms(int snum,
1079 enum security_ace_type *pacl_type,
1080 mode_t perms,
1081 bool directory_ace)
1082{
1083 uint32_t nt_mask = 0;
1084
1085 *pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED;
1086
1087 if (lp_acl_map_full_control(snum) && ((perms & ALL_ACE_PERMS) == ALL_ACE_PERMS)) {
1088 if (directory_ace) {
1089 nt_mask = UNIX_DIRECTORY_ACCESS_RWX;
1090 } else {
1091 nt_mask = (UNIX_ACCESS_RWX & ~DELETE_ACCESS);
1092 }
1093 } else if ((perms & ALL_ACE_PERMS) == (mode_t)0) {
1094 /*
1095 * Windows NT refuses to display ACEs with no permissions in them (but
1096 * they are perfectly legal with Windows 2000). If the ACE has empty
1097 * permissions we cannot use 0, so we use the otherwise unused
1098 * WRITE_OWNER permission, which we ignore when we set an ACL.
1099 * We abstract this into a #define of UNIX_ACCESS_NONE to allow this
1100 * to be changed in the future.
1101 */
1102
1103 if (nt4_compatible_acls())
1104 nt_mask = UNIX_ACCESS_NONE;
1105 else
1106 nt_mask = 0;
1107 } else {
1108 if (directory_ace) {
1109 nt_mask |= ((perms & S_IRUSR) ? UNIX_DIRECTORY_ACCESS_R : 0 );
1110 nt_mask |= ((perms & S_IWUSR) ? UNIX_DIRECTORY_ACCESS_W : 0 );
1111 nt_mask |= ((perms & S_IXUSR) ? UNIX_DIRECTORY_ACCESS_X : 0 );
1112 } else {
1113 nt_mask |= ((perms & S_IRUSR) ? UNIX_ACCESS_R : 0 );
1114 nt_mask |= ((perms & S_IWUSR) ? UNIX_ACCESS_W : 0 );
1115 nt_mask |= ((perms & S_IXUSR) ? UNIX_ACCESS_X : 0 );
1116 }
1117 }
1118
1119 if ((perms & S_IWUSR) && lp_dos_filemode(snum)) {
1120 nt_mask |= (SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|DELETE_ACCESS);
1121 }
1122
1123 DEBUG(10,("map_canon_ace_perms: Mapped (UNIX) %x to (NT) %x\n",
1124 (unsigned int)perms, (unsigned int)nt_mask ));
1125
1126 return nt_mask;
1127}
1128
1129/****************************************************************************
1130 Map NT perms to a UNIX mode_t.
1131****************************************************************************/
1132
1133#define FILE_SPECIFIC_READ_BITS (FILE_READ_DATA|FILE_READ_EA)
1134#define FILE_SPECIFIC_WRITE_BITS (FILE_WRITE_DATA|FILE_APPEND_DATA|FILE_WRITE_EA)
1135#define FILE_SPECIFIC_EXECUTE_BITS (FILE_EXECUTE)
1136
1137static mode_t map_nt_perms( uint32 *mask, int type)
1138{
1139 mode_t mode = 0;
1140
1141 switch(type) {
1142 case S_IRUSR:
1143 if((*mask) & GENERIC_ALL_ACCESS)
1144 mode = S_IRUSR|S_IWUSR|S_IXUSR;
1145 else {
1146 mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRUSR : 0;
1147 mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWUSR : 0;
1148 mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXUSR : 0;
1149 }
1150 break;
1151 case S_IRGRP:
1152 if((*mask) & GENERIC_ALL_ACCESS)
1153 mode = S_IRGRP|S_IWGRP|S_IXGRP;
1154 else {
1155 mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRGRP : 0;
1156 mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWGRP : 0;
1157 mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXGRP : 0;
1158 }
1159 break;
1160 case S_IROTH:
1161 if((*mask) & GENERIC_ALL_ACCESS)
1162 mode = S_IROTH|S_IWOTH|S_IXOTH;
1163 else {
1164 mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IROTH : 0;
1165 mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWOTH : 0;
1166 mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXOTH : 0;
1167 }
1168 break;
1169 }
1170
1171 return mode;
1172}
1173
1174/****************************************************************************
1175 Unpack a struct security_descriptor into a UNIX owner and group.
1176****************************************************************************/
1177
1178NTSTATUS unpack_nt_owners(struct connection_struct *conn,
1179 uid_t *puser, gid_t *pgrp,
1180 uint32 security_info_sent, const struct
1181 security_descriptor *psd)
1182{
1183 struct dom_sid owner_sid;
1184 struct dom_sid grp_sid;
1185
1186 *puser = (uid_t)-1;
1187 *pgrp = (gid_t)-1;
1188
1189 if(security_info_sent == 0) {
1190 DEBUG(0,("unpack_nt_owners: no security info sent !\n"));
1191 return NT_STATUS_OK;
1192 }
1193
1194 /*
1195 * Validate the owner and group SID's.
1196 */
1197
1198 memset(&owner_sid, '\0', sizeof(owner_sid));
1199 memset(&grp_sid, '\0', sizeof(grp_sid));
1200
1201 DEBUG(5,("unpack_nt_owners: validating owner_sids.\n"));
1202
1203 /*
1204 * Don't immediately fail if the owner sid cannot be validated.
1205 * This may be a group chown only set.
1206 */
1207
1208 if (security_info_sent & SECINFO_OWNER) {
1209 sid_copy(&owner_sid, psd->owner_sid);
1210 if (!sid_to_uid(&owner_sid, puser)) {
1211 if (lp_force_unknown_acl_user(SNUM(conn))) {
1212 /* this allows take ownership to work
1213 * reasonably */
1214 *puser = get_current_uid(conn);
1215 } else {
1216 DEBUG(3,("unpack_nt_owners: unable to validate"
1217 " owner sid for %s\n",
1218 sid_string_dbg(&owner_sid)));
1219 return NT_STATUS_INVALID_OWNER;
1220 }
1221 }
1222 DEBUG(3,("unpack_nt_owners: owner sid mapped to uid %u\n",
1223 (unsigned int)*puser ));
1224 }
1225
1226 /*
1227 * Don't immediately fail if the group sid cannot be validated.
1228 * This may be an owner chown only set.
1229 */
1230
1231 if (security_info_sent & SECINFO_GROUP) {
1232 sid_copy(&grp_sid, psd->group_sid);
1233 if (!sid_to_gid( &grp_sid, pgrp)) {
1234 if (lp_force_unknown_acl_user(SNUM(conn))) {
1235 /* this allows take group ownership to work
1236 * reasonably */
1237 *pgrp = get_current_gid(conn);
1238 } else {
1239 DEBUG(3,("unpack_nt_owners: unable to validate"
1240 " group sid.\n"));
1241 return NT_STATUS_INVALID_OWNER;
1242 }
1243 }
1244 DEBUG(3,("unpack_nt_owners: group sid mapped to gid %u\n",
1245 (unsigned int)*pgrp));
1246 }
1247
1248 DEBUG(5,("unpack_nt_owners: owner_sids validated.\n"));
1249
1250 return NT_STATUS_OK;
1251}
1252
1253/****************************************************************************
1254 Ensure the enforced permissions for this share apply.
1255****************************************************************************/
1256
1257static void apply_default_perms(const struct share_params *params,
1258 const bool is_directory, canon_ace *pace,
1259 mode_t type)
1260{
1261 mode_t and_bits = (mode_t)0;
1262 mode_t or_bits = (mode_t)0;
1263
1264 /* Get the initial bits to apply. */
1265
1266 if (is_directory) {
1267 and_bits = lp_dir_security_mask(params->service);
1268 or_bits = lp_force_dir_security_mode(params->service);
1269 } else {
1270 and_bits = lp_security_mask(params->service);
1271 or_bits = lp_force_security_mode(params->service);
1272 }
1273
1274 /* Now bounce them into the S_USR space. */
1275 switch(type) {
1276 case S_IRUSR:
1277 /* Ensure owner has read access. */
1278 pace->perms |= S_IRUSR;
1279 if (is_directory)
1280 pace->perms |= (S_IWUSR|S_IXUSR);
1281 and_bits = unix_perms_to_acl_perms(and_bits, S_IRUSR, S_IWUSR, S_IXUSR);
1282 or_bits = unix_perms_to_acl_perms(or_bits, S_IRUSR, S_IWUSR, S_IXUSR);
1283 break;
1284 case S_IRGRP:
1285 and_bits = unix_perms_to_acl_perms(and_bits, S_IRGRP, S_IWGRP, S_IXGRP);
1286 or_bits = unix_perms_to_acl_perms(or_bits, S_IRGRP, S_IWGRP, S_IXGRP);
1287 break;
1288 case S_IROTH:
1289 and_bits = unix_perms_to_acl_perms(and_bits, S_IROTH, S_IWOTH, S_IXOTH);
1290 or_bits = unix_perms_to_acl_perms(or_bits, S_IROTH, S_IWOTH, S_IXOTH);
1291 break;
1292 }
1293
1294 pace->perms = ((pace->perms & and_bits)|or_bits);
1295}
1296
1297/****************************************************************************
1298 Check if a given uid/SID is in a group gid/SID. This is probably very
1299 expensive and will need optimisation. A *lot* of optimisation :-). JRA.
1300****************************************************************************/
1301
1302static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, canon_ace *group_ace )
1303{
1304 const char *u_name = NULL;
1305
1306 /* "Everyone" always matches every uid. */
1307
1308 if (dom_sid_equal(&group_ace->trustee, &global_sid_World))
1309 return True;
1310
1311 /*
1312 * if it's the current user, we already have the unix token
1313 * and don't need to do the complex user_in_group_sid() call
1314 */
1315 if (uid_ace->unix_ug.uid == get_current_uid(conn)) {
1316 const struct security_unix_token *curr_utok = NULL;
1317 size_t i;
1318
1319 if (group_ace->unix_ug.gid == get_current_gid(conn)) {
1320 return True;
1321 }
1322
1323 curr_utok = get_current_utok(conn);
1324 for (i=0; i < curr_utok->ngroups; i++) {
1325 if (group_ace->unix_ug.gid == curr_utok->groups[i]) {
1326 return True;
1327 }
1328 }
1329 }
1330
1331 /* u_name talloc'ed off tos. */
1332 u_name = uidtoname(uid_ace->unix_ug.uid);
1333 if (!u_name) {
1334 return False;
1335 }
1336
1337 /*
1338 * user_in_group_sid() uses create_token_from_username()
1339 * which creates an artificial NT token given just a username,
1340 * so this is not reliable for users from foreign domains
1341 * exported by winbindd!
1342 */
1343 return user_in_group_sid(u_name, &group_ace->trustee);
1344}
1345
1346/****************************************************************************
1347 A well formed POSIX file or default ACL has at least 3 entries, a
1348 SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ.
1349 In addition, the owner must always have at least read access.
1350 When using this call on get_acl, the pst struct is valid and contains
1351 the mode of the file. When using this call on set_acl, the pst struct has
1352 been modified to have a mode containing the default for this file or directory
1353 type.
1354****************************************************************************/
1355
1356static bool ensure_canon_entry_valid(connection_struct *conn,
1357 canon_ace **pp_ace,
1358 bool is_default_acl,
1359 const struct share_params *params,
1360 const bool is_directory,
1361 const struct dom_sid *pfile_owner_sid,
1362 const struct dom_sid *pfile_grp_sid,
1363 const SMB_STRUCT_STAT *pst,
1364 bool setting_acl)
1365{
1366 canon_ace *pace;
1367 bool got_user = False;
1368 bool got_grp = False;
1369 bool got_other = False;
1370 canon_ace *pace_other = NULL;
1371
1372 for (pace = *pp_ace; pace; pace = pace->next) {
1373 if (pace->type == SMB_ACL_USER_OBJ) {
1374
1375 if (setting_acl && !is_default_acl) {
1376 apply_default_perms(params, is_directory, pace, S_IRUSR);
1377 }
1378 got_user = True;
1379
1380 } else if (pace->type == SMB_ACL_GROUP_OBJ) {
1381
1382 /*
1383 * Ensure create mask/force create mode is respected on set.
1384 */
1385
1386 if (setting_acl && !is_default_acl) {
1387 apply_default_perms(params, is_directory, pace, S_IRGRP);
1388 }
1389 got_grp = True;
1390
1391 } else if (pace->type == SMB_ACL_OTHER) {
1392
1393 /*
1394 * Ensure create mask/force create mode is respected on set.
1395 */
1396
1397 if (setting_acl && !is_default_acl) {
1398 apply_default_perms(params, is_directory, pace, S_IROTH);
1399 }
1400 got_other = True;
1401 pace_other = pace;
1402
1403 } else if (pace->type == SMB_ACL_USER || pace->type == SMB_ACL_GROUP) {
1404
1405 /*
1406 * Ensure create mask/force create mode is respected on set.
1407 */
1408
1409 if (setting_acl && !is_default_acl) {
1410 apply_default_perms(params, is_directory, pace, S_IRGRP);
1411 }
1412 }
1413 }
1414
1415 if (!got_user) {
1416 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1417 DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1418 return False;
1419 }
1420
1421 ZERO_STRUCTP(pace);
1422 pace->type = SMB_ACL_USER_OBJ;
1423 pace->owner_type = UID_ACE;
1424 pace->unix_ug.uid = pst->st_ex_uid;
1425 pace->trustee = *pfile_owner_sid;
1426 pace->attr = ALLOW_ACE;
1427 /* Start with existing permissions, principle of least
1428 surprises for the user. */
1429 pace->perms = pst->st_ex_mode;
1430
1431 if (setting_acl) {
1432 /* See if the owning user is in any of the other groups in
1433 the ACE, or if there's a matching user entry.
1434 If so, OR in the permissions from that entry. */
1435
1436 canon_ace *pace_iter;
1437
1438 for (pace_iter = *pp_ace; pace_iter; pace_iter = pace_iter->next) {
1439 if (pace_iter->type == SMB_ACL_USER &&
1440 pace_iter->unix_ug.uid == pace->unix_ug.uid) {
1441 pace->perms |= pace_iter->perms;
1442 } else if (pace_iter->type == SMB_ACL_GROUP_OBJ || pace_iter->type == SMB_ACL_GROUP) {
1443 if (uid_entry_in_group(conn, pace, pace_iter)) {
1444 pace->perms |= pace_iter->perms;
1445 }
1446 }
1447 }
1448
1449 if (pace->perms == 0) {
1450 /* If we only got an "everyone" perm, just use that. */
1451 if (got_other)
1452 pace->perms = pace_other->perms;
1453 }
1454
1455 if (!is_default_acl) {
1456 apply_default_perms(params, is_directory, pace, S_IRUSR);
1457 }
1458 } else {
1459 pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRUSR, S_IWUSR, S_IXUSR);
1460 }
1461
1462 DLIST_ADD(*pp_ace, pace);
1463 }
1464
1465 if (!got_grp) {
1466 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1467 DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1468 return False;
1469 }
1470
1471 ZERO_STRUCTP(pace);
1472 pace->type = SMB_ACL_GROUP_OBJ;
1473 pace->owner_type = GID_ACE;
1474 pace->unix_ug.uid = pst->st_ex_gid;
1475 pace->trustee = *pfile_grp_sid;
1476 pace->attr = ALLOW_ACE;
1477 if (setting_acl) {
1478 /* If we only got an "everyone" perm, just use that. */
1479 if (got_other)
1480 pace->perms = pace_other->perms;
1481 else
1482 pace->perms = 0;
1483 if (!is_default_acl) {
1484 apply_default_perms(params, is_directory, pace, S_IRGRP);
1485 }
1486 } else {
1487 pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRGRP, S_IWGRP, S_IXGRP);
1488 }
1489
1490 DLIST_ADD(*pp_ace, pace);
1491 }
1492
1493 if (!got_other) {
1494 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1495 DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1496 return False;
1497 }
1498
1499 ZERO_STRUCTP(pace);
1500 pace->type = SMB_ACL_OTHER;
1501 pace->owner_type = WORLD_ACE;
1502 pace->unix_ug.world = -1;
1503 pace->trustee = global_sid_World;
1504 pace->attr = ALLOW_ACE;
1505 if (setting_acl) {
1506 pace->perms = 0;
1507 if (!is_default_acl) {
1508 apply_default_perms(params, is_directory, pace, S_IROTH);
1509 }
1510 } else
1511 pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IROTH, S_IWOTH, S_IXOTH);
1512
1513 DLIST_ADD(*pp_ace, pace);
1514 }
1515
1516 return True;
1517}
1518
1519/****************************************************************************
1520 Check if a POSIX ACL has the required SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries.
1521 If it does not have them, check if there are any entries where the trustee is the
1522 file owner or the owning group, and map these to SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ.
1523 Note we must not do this to default directory ACLs.
1524****************************************************************************/
1525
1526static void check_owning_objs(canon_ace *ace, struct dom_sid *pfile_owner_sid, struct dom_sid *pfile_grp_sid)
1527{
1528 bool got_user_obj, got_group_obj;
1529 canon_ace *current_ace;
1530 int i, entries;
1531
1532 entries = count_canon_ace_list(ace);
1533 got_user_obj = False;
1534 got_group_obj = False;
1535
1536 for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1537 if (current_ace->type == SMB_ACL_USER_OBJ)
1538 got_user_obj = True;
1539 else if (current_ace->type == SMB_ACL_GROUP_OBJ)
1540 got_group_obj = True;
1541 }
1542 if (got_user_obj && got_group_obj) {
1543 DEBUG(10,("check_owning_objs: ACL had owning user/group entries.\n"));
1544 return;
1545 }
1546
1547 for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1548 if (!got_user_obj && current_ace->owner_type == UID_ACE &&
1549 dom_sid_equal(&current_ace->trustee, pfile_owner_sid)) {
1550 current_ace->type = SMB_ACL_USER_OBJ;
1551 got_user_obj = True;
1552 }
1553 if (!got_group_obj && current_ace->owner_type == GID_ACE &&
1554 dom_sid_equal(&current_ace->trustee, pfile_grp_sid)) {
1555 current_ace->type = SMB_ACL_GROUP_OBJ;
1556 got_group_obj = True;
1557 }
1558 }
1559 if (!got_user_obj)
1560 DEBUG(10,("check_owning_objs: ACL is missing an owner entry.\n"));
1561 if (!got_group_obj)
1562 DEBUG(10,("check_owning_objs: ACL is missing an owning group entry.\n"));
1563}
1564
1565/****************************************************************************
1566 Unpack a struct security_descriptor into two canonical ace lists.
1567****************************************************************************/
1568
1569static bool create_canon_ace_lists(files_struct *fsp,
1570 const SMB_STRUCT_STAT *pst,
1571 struct dom_sid *pfile_owner_sid,
1572 struct dom_sid *pfile_grp_sid,
1573 canon_ace **ppfile_ace,
1574 canon_ace **ppdir_ace,
1575 const struct security_acl *dacl)
1576{
1577 bool all_aces_are_inherit_only = (fsp->is_directory ? True : False);
1578 canon_ace *file_ace = NULL;
1579 canon_ace *dir_ace = NULL;
1580 canon_ace *current_ace = NULL;
1581 bool got_dir_allow = False;
1582 bool got_file_allow = False;
1583 int i, j;
1584
1585 *ppfile_ace = NULL;
1586 *ppdir_ace = NULL;
1587
1588 /*
1589 * Convert the incoming ACL into a more regular form.
1590 */
1591
1592 for(i = 0; i < dacl->num_aces; i++) {
1593 struct security_ace *psa = &dacl->aces[i];
1594
1595 if((psa->type != SEC_ACE_TYPE_ACCESS_ALLOWED) && (psa->type != SEC_ACE_TYPE_ACCESS_DENIED)) {
1596 DEBUG(3,("create_canon_ace_lists: unable to set anything but an ALLOW or DENY ACE.\n"));
1597 return False;
1598 }
1599
1600 if (nt4_compatible_acls()) {
1601 /*
1602 * The security mask may be UNIX_ACCESS_NONE which should map into
1603 * no permissions (we overload the WRITE_OWNER bit for this) or it
1604 * should be one of the ALL/EXECUTE/READ/WRITE bits. Arrange for this
1605 * to be so. Any other bits override the UNIX_ACCESS_NONE bit.
1606 */
1607
1608 /*
1609 * Convert GENERIC bits to specific bits.
1610 */
1611
1612 se_map_generic(&psa->access_mask, &file_generic_mapping);
1613
1614 psa->access_mask &= (UNIX_ACCESS_NONE|FILE_ALL_ACCESS);
1615
1616 if(psa->access_mask != UNIX_ACCESS_NONE)
1617 psa->access_mask &= ~UNIX_ACCESS_NONE;
1618 }
1619 }
1620
1621 /*
1622 * Deal with the fact that NT 4.x re-writes the canonical format
1623 * that we return for default ACLs. If a directory ACE is identical
1624 * to a inherited directory ACE then NT changes the bits so that the
1625 * first ACE is set to OI|IO and the second ACE for this SID is set
1626 * to CI. We need to repair this. JRA.
1627 */
1628
1629 for(i = 0; i < dacl->num_aces; i++) {
1630 struct security_ace *psa1 = &dacl->aces[i];
1631
1632 for (j = i + 1; j < dacl->num_aces; j++) {
1633 struct security_ace *psa2 = &dacl->aces[j];
1634
1635 if (psa1->access_mask != psa2->access_mask)
1636 continue;
1637
1638 if (!dom_sid_equal(&psa1->trustee, &psa2->trustee))
1639 continue;
1640
1641 /*
1642 * Ok - permission bits and SIDs are equal.
1643 * Check if flags were re-written.
1644 */
1645
1646 if (psa1->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1647
1648 psa1->flags |= (psa2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1649 psa2->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1650
1651 } else if (psa2->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1652
1653 psa2->flags |= (psa1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1654 psa1->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1655
1656 }
1657 }
1658 }
1659
1660 for(i = 0; i < dacl->num_aces; i++) {
1661 struct security_ace *psa = &dacl->aces[i];
1662
1663 /*
1664 * Create a canon_ace entry representing this NT DACL ACE.
1665 */
1666
1667 if ((current_ace = SMB_MALLOC_P(canon_ace)) == NULL) {
1668 free_canon_ace_list(file_ace);
1669 free_canon_ace_list(dir_ace);
1670 DEBUG(0,("create_canon_ace_lists: malloc fail.\n"));
1671 return False;
1672 }
1673
1674 ZERO_STRUCTP(current_ace);
1675
1676 sid_copy(&current_ace->trustee, &psa->trustee);
1677
1678 /*
1679 * Try and work out if the SID is a user or group
1680 * as we need to flag these differently for POSIX.
1681 * Note what kind of a POSIX ACL this should map to.
1682 */
1683
1684 if( dom_sid_equal(&current_ace->trustee, &global_sid_World)) {
1685 current_ace->owner_type = WORLD_ACE;
1686 current_ace->unix_ug.world = -1;
1687 current_ace->type = SMB_ACL_OTHER;
1688 } else if (dom_sid_equal(&current_ace->trustee, &global_sid_Creator_Owner)) {
1689 current_ace->owner_type = UID_ACE;
1690 current_ace->unix_ug.uid = pst->st_ex_uid;
1691 current_ace->type = SMB_ACL_USER_OBJ;
1692
1693 /*
1694 * The Creator Owner entry only specifies inheritable permissions,
1695 * never access permissions. WinNT doesn't always set the ACE to
1696 * INHERIT_ONLY, though.
1697 */
1698
1699 psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1700
1701 } else if (dom_sid_equal(&current_ace->trustee, &global_sid_Creator_Group)) {
1702 current_ace->owner_type = GID_ACE;
1703 current_ace->unix_ug.gid = pst->st_ex_gid;
1704 current_ace->type = SMB_ACL_GROUP_OBJ;
1705
1706 /*
1707 * The Creator Group entry only specifies inheritable permissions,
1708 * never access permissions. WinNT doesn't always set the ACE to
1709 * INHERIT_ONLY, though.
1710 */
1711 psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1712
1713 } else if (sid_to_uid( &current_ace->trustee, &current_ace->unix_ug.uid)) {
1714 current_ace->owner_type = UID_ACE;
1715 /* If it's the owning user, this is a user_obj, not
1716 * a user. */
1717 if (current_ace->unix_ug.uid == pst->st_ex_uid) {
1718 current_ace->type = SMB_ACL_USER_OBJ;
1719 } else {
1720 current_ace->type = SMB_ACL_USER;
1721 }
1722 } else if (sid_to_gid( &current_ace->trustee, &current_ace->unix_ug.gid)) {
1723 current_ace->owner_type = GID_ACE;
1724 /* If it's the primary group, this is a group_obj, not
1725 * a group. */
1726 if (current_ace->unix_ug.gid == pst->st_ex_gid) {
1727 current_ace->type = SMB_ACL_GROUP_OBJ;
1728 } else {
1729 current_ace->type = SMB_ACL_GROUP;
1730 }
1731 } else {
1732 /*
1733 * Silently ignore map failures in non-mappable SIDs (NT Authority, BUILTIN etc).
1734 */
1735
1736 if (non_mappable_sid(&psa->trustee)) {
1737 DEBUG(10, ("create_canon_ace_lists: ignoring "
1738 "non-mappable SID %s\n",
1739 sid_string_dbg(&psa->trustee)));
1740 SAFE_FREE(current_ace);
1741 continue;
1742 }
1743
1744 if (lp_force_unknown_acl_user(SNUM(fsp->conn))) {
1745 DEBUG(10, ("create_canon_ace_lists: ignoring "
1746 "unknown or foreign SID %s\n",
1747 sid_string_dbg(&psa->trustee)));
1748 SAFE_FREE(current_ace);
1749 continue;
1750 }
1751
1752 free_canon_ace_list(file_ace);
1753 free_canon_ace_list(dir_ace);
1754 DEBUG(0, ("create_canon_ace_lists: unable to map SID "
1755 "%s to uid or gid.\n",
1756 sid_string_dbg(&current_ace->trustee)));
1757 SAFE_FREE(current_ace);
1758 return False;
1759 }
1760
1761 /*
1762 * Map the given NT permissions into a UNIX mode_t containing only
1763 * S_I(R|W|X)USR bits.
1764 */
1765
1766 current_ace->perms |= map_nt_perms( &psa->access_mask, S_IRUSR);
1767 current_ace->attr = (psa->type == SEC_ACE_TYPE_ACCESS_ALLOWED) ? ALLOW_ACE : DENY_ACE;
1768
1769 /* Store the ace_flag. */
1770 current_ace->ace_flags = psa->flags;
1771
1772 /*
1773 * Now add the created ace to either the file list, the directory
1774 * list, or both. We *MUST* preserve the order here (hence we use
1775 * DLIST_ADD_END) as NT ACLs are order dependent.
1776 */
1777
1778 if (fsp->is_directory) {
1779
1780 /*
1781 * We can only add to the default POSIX ACE list if the ACE is
1782 * designed to be inherited by both files and directories.
1783 */
1784
1785 if ((psa->flags & (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) ==
1786 (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) {
1787
1788 canon_ace *current_dir_ace = current_ace;
1789 DLIST_ADD_END(dir_ace, current_ace, canon_ace *);
1790
1791 /*
1792 * Note if this was an allow ace. We can't process
1793 * any further deny ace's after this.
1794 */
1795
1796 if (current_ace->attr == ALLOW_ACE)
1797 got_dir_allow = True;
1798
1799 if ((current_ace->attr == DENY_ACE) && got_dir_allow) {
1800 DEBUG(0,("create_canon_ace_lists: "
1801 "malformed ACL in "
1802 "inheritable ACL! Deny entry "
1803 "after Allow entry. Failing "
1804 "to set on file %s.\n",
1805 fsp_str_dbg(fsp)));
1806 free_canon_ace_list(file_ace);
1807 free_canon_ace_list(dir_ace);
1808 return False;
1809 }
1810
1811 if( DEBUGLVL( 10 )) {
1812 dbgtext("create_canon_ace_lists: adding dir ACL:\n");
1813 print_canon_ace( current_ace, 0);
1814 }
1815
1816 /*
1817 * If this is not an inherit only ACE we need to add a duplicate
1818 * to the file acl.
1819 */
1820
1821 if (!(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1822 canon_ace *dup_ace = dup_canon_ace(current_ace);
1823
1824 if (!dup_ace) {
1825 DEBUG(0,("create_canon_ace_lists: malloc fail !\n"));
1826 free_canon_ace_list(file_ace);
1827 free_canon_ace_list(dir_ace);
1828 return False;
1829 }
1830
1831 /*
1832 * We must not free current_ace here as its
1833 * pointer is now owned by the dir_ace list.
1834 */
1835 current_ace = dup_ace;
1836 /* We've essentially split this ace into two,
1837 * and added the ace with inheritance request
1838 * bits to the directory ACL. Drop those bits for
1839 * the ACE we're adding to the file list. */
1840 current_ace->ace_flags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT|
1841 SEC_ACE_FLAG_CONTAINER_INHERIT|
1842 SEC_ACE_FLAG_INHERIT_ONLY);
1843 } else {
1844 /*
1845 * We must not free current_ace here as its
1846 * pointer is now owned by the dir_ace list.
1847 */
1848 current_ace = NULL;
1849 }
1850
1851 /*
1852 * current_ace is now either owned by file_ace
1853 * or is NULL. We can safely operate on current_dir_ace
1854 * to treat mapping for default acl entries differently
1855 * than access acl entries.
1856 */
1857
1858 if (current_dir_ace->owner_type == UID_ACE) {
1859 /*
1860 * We already decided above this is a uid,
1861 * for default acls ace's only CREATOR_OWNER
1862 * maps to ACL_USER_OBJ. All other uid
1863 * ace's are ACL_USER.
1864 */
1865 if (dom_sid_equal(&current_dir_ace->trustee,
1866 &global_sid_Creator_Owner)) {
1867 current_dir_ace->type = SMB_ACL_USER_OBJ;
1868 } else {
1869 current_dir_ace->type = SMB_ACL_USER;
1870 }
1871 }
1872
1873 if (current_dir_ace->owner_type == GID_ACE) {
1874 /*
1875 * We already decided above this is a gid,
1876 * for default acls ace's only CREATOR_GROUP
1877 * maps to ACL_GROUP_OBJ. All other uid
1878 * ace's are ACL_GROUP.
1879 */
1880 if (dom_sid_equal(&current_dir_ace->trustee,
1881 &global_sid_Creator_Group)) {
1882 current_dir_ace->type = SMB_ACL_GROUP_OBJ;
1883 } else {
1884 current_dir_ace->type = SMB_ACL_GROUP;
1885 }
1886 }
1887 }
1888 }
1889
1890 /*
1891 * Only add to the file ACL if not inherit only.
1892 */
1893
1894 if (current_ace && !(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1895 DLIST_ADD_END(file_ace, current_ace, canon_ace *);
1896
1897 /*
1898 * Note if this was an allow ace. We can't process
1899 * any further deny ace's after this.
1900 */
1901
1902 if (current_ace->attr == ALLOW_ACE)
1903 got_file_allow = True;
1904
1905 if ((current_ace->attr == DENY_ACE) && got_file_allow) {
1906 DEBUG(0,("create_canon_ace_lists: malformed "
1907 "ACL in file ACL ! Deny entry after "
1908 "Allow entry. Failing to set on file "
1909 "%s.\n", fsp_str_dbg(fsp)));
1910 free_canon_ace_list(file_ace);
1911 free_canon_ace_list(dir_ace);
1912 return False;
1913 }
1914
1915 if( DEBUGLVL( 10 )) {
1916 dbgtext("create_canon_ace_lists: adding file ACL:\n");
1917 print_canon_ace( current_ace, 0);
1918 }
1919 all_aces_are_inherit_only = False;
1920 /*
1921 * We must not free current_ace here as its
1922 * pointer is now owned by the file_ace list.
1923 */
1924 current_ace = NULL;
1925 }
1926
1927 /*
1928 * Free if ACE was not added.
1929 */
1930
1931 SAFE_FREE(current_ace);
1932 }
1933
1934 if (fsp->is_directory && all_aces_are_inherit_only) {
1935 /*
1936 * Windows 2000 is doing one of these weird 'inherit acl'
1937 * traverses to conserve NTFS ACL resources. Just pretend
1938 * there was no DACL sent. JRA.
1939 */
1940
1941 DEBUG(10,("create_canon_ace_lists: Win2k inherit acl traverse. Ignoring DACL.\n"));
1942 free_canon_ace_list(file_ace);
1943 free_canon_ace_list(dir_ace);
1944 file_ace = NULL;
1945 dir_ace = NULL;
1946 } else {
1947 /*
1948 * Check if we have SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries in
1949 * the file ACL. If we don't have them, check if any SMB_ACL_USER/SMB_ACL_GROUP
1950 * entries can be converted to *_OBJ. Don't do this for the default
1951 * ACL, we will create them separately for this if needed inside
1952 * ensure_canon_entry_valid().
1953 */
1954 if (file_ace) {
1955 check_owning_objs(file_ace, pfile_owner_sid, pfile_grp_sid);
1956 }
1957 }
1958
1959 *ppfile_ace = file_ace;
1960 *ppdir_ace = dir_ace;
1961
1962 return True;
1963}
1964
1965/****************************************************************************
1966 ASCII art time again... JRA :-).
1967
1968 We have 4 cases to process when moving from an NT ACL to a POSIX ACL. Firstly,
1969 we insist the ACL is in canonical form (ie. all DENY entries preceede ALLOW
1970 entries). Secondly, the merge code has ensured that all duplicate SID entries for
1971 allow or deny have been merged, so the same SID can only appear once in the deny
1972 list or once in the allow list.
1973
1974 We then process as follows :
1975
1976 ---------------------------------------------------------------------------
1977 First pass - look for a Everyone DENY entry.
1978
1979 If it is deny all (rwx) trunate the list at this point.
1980 Else, walk the list from this point and use the deny permissions of this
1981 entry as a mask on all following allow entries. Finally, delete
1982 the Everyone DENY entry (we have applied it to everything possible).
1983
1984 In addition, in this pass we remove any DENY entries that have
1985 no permissions (ie. they are a DENY nothing).
1986 ---------------------------------------------------------------------------
1987 Second pass - only deal with deny user entries.
1988
1989 DENY user1 (perms XXX)
1990
1991 new_perms = 0
1992 for all following allow group entries where user1 is in group
1993 new_perms |= group_perms;
1994
1995 user1 entry perms = new_perms & ~ XXX;
1996
1997 Convert the deny entry to an allow entry with the new perms and
1998 push to the end of the list. Note if the user was in no groups
1999 this maps to a specific allow nothing entry for this user.
2000
2001 The common case from the NT ACL choser (userX deny all) is
2002 optimised so we don't do the group lookup - we just map to
2003 an allow nothing entry.
2004
2005 What we're doing here is inferring the allow permissions the
2006 person setting the ACE on user1 wanted by looking at the allow
2007 permissions on the groups the user is currently in. This will
2008 be a snapshot, depending on group membership but is the best
2009 we can do and has the advantage of failing closed rather than
2010 open.
2011 ---------------------------------------------------------------------------
2012 Third pass - only deal with deny group entries.
2013
2014 DENY group1 (perms XXX)
2015
2016 for all following allow user entries where user is in group1
2017 user entry perms = user entry perms & ~ XXX;
2018
2019 If there is a group Everyone allow entry with permissions YYY,
2020 convert the group1 entry to an allow entry and modify its
2021 permissions to be :
2022
2023 new_perms = YYY & ~ XXX
2024
2025 and push to the end of the list.
2026
2027 If there is no group Everyone allow entry then convert the
2028 group1 entry to a allow nothing entry and push to the end of the list.
2029
2030 Note that the common case from the NT ACL choser (groupX deny all)
2031 cannot be optimised here as we need to modify user entries who are
2032 in the group to change them to a deny all also.
2033
2034 What we're doing here is modifying the allow permissions of
2035 user entries (which are more specific in POSIX ACLs) to mask
2036 out the explicit deny set on the group they are in. This will
2037 be a snapshot depending on current group membership but is the
2038 best we can do and has the advantage of failing closed rather
2039 than open.
2040 ---------------------------------------------------------------------------
2041 Fourth pass - cope with cumulative permissions.
2042
2043 for all allow user entries, if there exists an allow group entry with
2044 more permissive permissions, and the user is in that group, rewrite the
2045 allow user permissions to contain both sets of permissions.
2046
2047 Currently the code for this is #ifdef'ed out as these semantics make
2048 no sense to me. JRA.
2049 ---------------------------------------------------------------------------
2050
2051 Note we *MUST* do the deny user pass first as this will convert deny user
2052 entries into allow user entries which can then be processed by the deny
2053 group pass.
2054
2055 The above algorithm took a *lot* of thinking about - hence this
2056 explaination :-). JRA.
2057****************************************************************************/
2058
2059/****************************************************************************
2060 Process a canon_ace list entries. This is very complex code. We need
2061 to go through and remove the "deny" permissions from any allow entry that matches
2062 the id of this entry. We have already refused any NT ACL that wasn't in correct
2063 order (DENY followed by ALLOW). If any allow entry ends up with zero permissions,
2064 we just remove it (to fail safe). We have already removed any duplicate ace
2065 entries. Treat an "Everyone" DENY_ACE as a special case - use it to mask all
2066 allow entries.
2067****************************************************************************/
2068
2069static void process_deny_list(connection_struct *conn, canon_ace **pp_ace_list )
2070{
2071 canon_ace *ace_list = *pp_ace_list;
2072 canon_ace *curr_ace = NULL;
2073 canon_ace *curr_ace_next = NULL;
2074
2075 /* Pass 1 above - look for an Everyone, deny entry. */
2076
2077 for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2078 canon_ace *allow_ace_p;
2079
2080 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2081
2082 if (curr_ace->attr != DENY_ACE)
2083 continue;
2084
2085 if (curr_ace->perms == (mode_t)0) {
2086
2087 /* Deny nothing entry - delete. */
2088
2089 DLIST_REMOVE(ace_list, curr_ace);
2090 continue;
2091 }
2092
2093 if (!dom_sid_equal(&curr_ace->trustee, &global_sid_World))
2094 continue;
2095
2096 /* JRATEST - assert. */
2097 SMB_ASSERT(curr_ace->owner_type == WORLD_ACE);
2098
2099 if (curr_ace->perms == ALL_ACE_PERMS) {
2100
2101 /*
2102 * Optimisation. This is a DENY_ALL to Everyone. Truncate the
2103 * list at this point including this entry.
2104 */
2105
2106 canon_ace *prev_entry = DLIST_PREV(curr_ace);
2107
2108 free_canon_ace_list( curr_ace );
2109 if (prev_entry)
2110 DLIST_REMOVE(ace_list, prev_entry);
2111 else {
2112 /* We deleted the entire list. */
2113 ace_list = NULL;
2114 }
2115 break;
2116 }
2117
2118 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2119
2120 /*
2121 * Only mask off allow entries.
2122 */
2123
2124 if (allow_ace_p->attr != ALLOW_ACE)
2125 continue;
2126
2127 allow_ace_p->perms &= ~curr_ace->perms;
2128 }
2129
2130 /*
2131 * Now it's been applied, remove it.
2132 */
2133
2134 DLIST_REMOVE(ace_list, curr_ace);
2135 }
2136
2137 /* Pass 2 above - deal with deny user entries. */
2138
2139 for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2140 mode_t new_perms = (mode_t)0;
2141 canon_ace *allow_ace_p;
2142
2143 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2144
2145 if (curr_ace->attr != DENY_ACE)
2146 continue;
2147
2148 if (curr_ace->owner_type != UID_ACE)
2149 continue;
2150
2151 if (curr_ace->perms == ALL_ACE_PERMS) {
2152
2153 /*
2154 * Optimisation - this is a deny everything to this user.
2155 * Convert to an allow nothing and push to the end of the list.
2156 */
2157
2158 curr_ace->attr = ALLOW_ACE;
2159 curr_ace->perms = (mode_t)0;
2160 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
2161 continue;
2162 }
2163
2164 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2165
2166 if (allow_ace_p->attr != ALLOW_ACE)
2167 continue;
2168
2169 /* We process GID_ACE and WORLD_ACE entries only. */
2170
2171 if (allow_ace_p->owner_type == UID_ACE)
2172 continue;
2173
2174 if (uid_entry_in_group(conn, curr_ace, allow_ace_p))
2175 new_perms |= allow_ace_p->perms;
2176 }
2177
2178 /*
2179 * Convert to a allow entry, modify the perms and push to the end
2180 * of the list.
2181 */
2182
2183 curr_ace->attr = ALLOW_ACE;
2184 curr_ace->perms = (new_perms & ~curr_ace->perms);
2185 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
2186 }
2187
2188 /* Pass 3 above - deal with deny group entries. */
2189
2190 for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2191 canon_ace *allow_ace_p;
2192 canon_ace *allow_everyone_p = NULL;
2193
2194 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2195
2196 if (curr_ace->attr != DENY_ACE)
2197 continue;
2198
2199 if (curr_ace->owner_type != GID_ACE)
2200 continue;
2201
2202 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2203
2204 if (allow_ace_p->attr != ALLOW_ACE)
2205 continue;
2206
2207 /* Store a pointer to the Everyone allow, if it exists. */
2208 if (allow_ace_p->owner_type == WORLD_ACE)
2209 allow_everyone_p = allow_ace_p;
2210
2211 /* We process UID_ACE entries only. */
2212
2213 if (allow_ace_p->owner_type != UID_ACE)
2214 continue;
2215
2216 /* Mask off the deny group perms. */
2217
2218 if (uid_entry_in_group(conn, allow_ace_p, curr_ace))
2219 allow_ace_p->perms &= ~curr_ace->perms;
2220 }
2221
2222 /*
2223 * Convert the deny to an allow with the correct perms and
2224 * push to the end of the list.
2225 */
2226
2227 curr_ace->attr = ALLOW_ACE;
2228 if (allow_everyone_p)
2229 curr_ace->perms = allow_everyone_p->perms & ~curr_ace->perms;
2230 else
2231 curr_ace->perms = (mode_t)0;
2232 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
2233 }
2234
2235 /* Doing this fourth pass allows Windows semantics to be layered
2236 * on top of POSIX semantics. I'm not sure if this is desirable.
2237 * For example, in W2K ACLs there is no way to say, "Group X no
2238 * access, user Y full access" if user Y is a member of group X.
2239 * This seems completely broken semantics to me.... JRA.
2240 */
2241
2242#if 0
2243 /* Pass 4 above - deal with allow entries. */
2244
2245 for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2246 canon_ace *allow_ace_p;
2247
2248 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2249
2250 if (curr_ace->attr != ALLOW_ACE)
2251 continue;
2252
2253 if (curr_ace->owner_type != UID_ACE)
2254 continue;
2255
2256 for (allow_ace_p = ace_list; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2257
2258 if (allow_ace_p->attr != ALLOW_ACE)
2259 continue;
2260
2261 /* We process GID_ACE entries only. */
2262
2263 if (allow_ace_p->owner_type != GID_ACE)
2264 continue;
2265
2266 /* OR in the group perms. */
2267
2268 if (uid_entry_in_group(conn, curr_ace, allow_ace_p))
2269 curr_ace->perms |= allow_ace_p->perms;
2270 }
2271 }
2272#endif
2273
2274 *pp_ace_list = ace_list;
2275}
2276
2277/****************************************************************************
2278 Unpack a struct security_descriptor into two canonical ace lists. We don't depend on this
2279 succeeding.
2280****************************************************************************/
2281
2282static bool unpack_canon_ace(files_struct *fsp,
2283 const SMB_STRUCT_STAT *pst,
2284 struct dom_sid *pfile_owner_sid,
2285 struct dom_sid *pfile_grp_sid,
2286 canon_ace **ppfile_ace,
2287 canon_ace **ppdir_ace,
2288 uint32 security_info_sent,
2289 const struct security_descriptor *psd)
2290{
2291 canon_ace *file_ace = NULL;
2292 canon_ace *dir_ace = NULL;
2293
2294 *ppfile_ace = NULL;
2295 *ppdir_ace = NULL;
2296
2297 if(security_info_sent == 0) {
2298 DEBUG(0,("unpack_canon_ace: no security info sent !\n"));
2299 return False;
2300 }
2301
2302 /*
2303 * If no DACL then this is a chown only security descriptor.
2304 */
2305
2306 if(!(security_info_sent & SECINFO_DACL) || !psd->dacl)
2307 return True;
2308
2309 /*
2310 * Now go through the DACL and create the canon_ace lists.
2311 */
2312
2313 if (!create_canon_ace_lists( fsp, pst, pfile_owner_sid, pfile_grp_sid,
2314 &file_ace, &dir_ace, psd->dacl))
2315 return False;
2316
2317 if ((file_ace == NULL) && (dir_ace == NULL)) {
2318 /* W2K traverse DACL set - ignore. */
2319 return True;
2320 }
2321
2322 /*
2323 * Go through the canon_ace list and merge entries
2324 * belonging to identical users of identical allow or deny type.
2325 * We can do this as all deny entries come first, followed by
2326 * all allow entries (we have mandated this before accepting this acl).
2327 */
2328
2329 print_canon_ace_list( "file ace - before merge", file_ace);
2330 merge_aces( &file_ace, false);
2331
2332 print_canon_ace_list( "dir ace - before merge", dir_ace);
2333 merge_aces( &dir_ace, true);
2334
2335 /*
2336 * NT ACLs are order dependent. Go through the acl lists and
2337 * process DENY entries by masking the allow entries.
2338 */
2339
2340 print_canon_ace_list( "file ace - before deny", file_ace);
2341 process_deny_list(fsp->conn, &file_ace);
2342
2343 print_canon_ace_list( "dir ace - before deny", dir_ace);
2344 process_deny_list(fsp->conn, &dir_ace);
2345
2346 /*
2347 * A well formed POSIX file or default ACL has at least 3 entries, a
2348 * SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ
2349 * and optionally a mask entry. Ensure this is the case.
2350 */
2351
2352 print_canon_ace_list( "file ace - before valid", file_ace);
2353
2354 if (!ensure_canon_entry_valid(fsp->conn, &file_ace, false, fsp->conn->params,
2355 fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
2356 free_canon_ace_list(file_ace);
2357 free_canon_ace_list(dir_ace);
2358 return False;
2359 }
2360
2361 print_canon_ace_list( "dir ace - before valid", dir_ace);
2362
2363 if (dir_ace && !ensure_canon_entry_valid(fsp->conn, &dir_ace, true, fsp->conn->params,
2364 fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
2365 free_canon_ace_list(file_ace);
2366 free_canon_ace_list(dir_ace);
2367 return False;
2368 }
2369
2370 print_canon_ace_list( "file ace - return", file_ace);
2371 print_canon_ace_list( "dir ace - return", dir_ace);
2372
2373 *ppfile_ace = file_ace;
2374 *ppdir_ace = dir_ace;
2375 return True;
2376
2377}
2378
2379/******************************************************************************
2380 When returning permissions, try and fit NT display
2381 semantics if possible. Note the the canon_entries here must have been malloced.
2382 The list format should be - first entry = owner, followed by group and other user
2383 entries, last entry = other.
2384
2385 Note that this doesn't exactly match the NT semantics for an ACL. As POSIX entries
2386 are not ordered, and match on the most specific entry rather than walking a list,
2387 then a simple POSIX permission of rw-r--r-- should really map to 5 entries,
2388
2389 Entry 0: owner : deny all except read and write.
2390 Entry 1: owner : allow read and write.
2391 Entry 2: group : deny all except read.
2392 Entry 3: group : allow read.
2393 Entry 4: Everyone : allow read.
2394
2395 But NT cannot display this in their ACL editor !
2396********************************************************************************/
2397
2398static void arrange_posix_perms(const char *filename, canon_ace **pp_list_head)
2399{
2400 canon_ace *l_head = *pp_list_head;
2401 canon_ace *owner_ace = NULL;
2402 canon_ace *other_ace = NULL;
2403 canon_ace *ace = NULL;
2404
2405 for (ace = l_head; ace; ace = ace->next) {
2406 if (ace->type == SMB_ACL_USER_OBJ)
2407 owner_ace = ace;
2408 else if (ace->type == SMB_ACL_OTHER) {
2409 /* Last ace - this is "other" */
2410 other_ace = ace;
2411 }
2412 }
2413
2414 if (!owner_ace || !other_ace) {
2415 DEBUG(0,("arrange_posix_perms: Invalid POSIX permissions for file %s, missing owner or other.\n",
2416 filename ));
2417 return;
2418 }
2419
2420 /*
2421 * The POSIX algorithm applies to owner first, and other last,
2422 * so ensure they are arranged in this order.
2423 */
2424
2425 if (owner_ace) {
2426 DLIST_PROMOTE(l_head, owner_ace);
2427 }
2428
2429 if (other_ace) {
2430 DLIST_DEMOTE(l_head, other_ace, canon_ace *);
2431 }
2432
2433 /* We have probably changed the head of the list. */
2434
2435 *pp_list_head = l_head;
2436}
2437
2438/****************************************************************************
2439 Create a linked list of canonical ACE entries.
2440****************************************************************************/
2441
2442static canon_ace *canonicalise_acl(struct connection_struct *conn,
2443 const char *fname, SMB_ACL_T posix_acl,
2444 const SMB_STRUCT_STAT *psbuf,
2445 const struct dom_sid *powner, const struct dom_sid *pgroup, struct pai_val *pal, SMB_ACL_TYPE_T the_acl_type)
2446{
2447 mode_t acl_mask = (S_IRUSR|S_IWUSR|S_IXUSR);
2448 canon_ace *l_head = NULL;
2449 canon_ace *ace = NULL;
2450 canon_ace *next_ace = NULL;
2451 int entry_id = SMB_ACL_FIRST_ENTRY;
2452 bool is_default_acl = (the_acl_type == SMB_ACL_TYPE_DEFAULT);
2453 SMB_ACL_ENTRY_T entry;
2454 size_t ace_count;
2455
2456 while ( posix_acl && (SMB_VFS_SYS_ACL_GET_ENTRY(conn, posix_acl, entry_id, &entry) == 1)) {
2457 SMB_ACL_TAG_T tagtype;
2458 SMB_ACL_PERMSET_T permset;
2459 struct dom_sid sid;
2460 posix_id unix_ug;
2461 enum ace_owner owner_type;
2462
2463 entry_id = SMB_ACL_NEXT_ENTRY;
2464
2465 /* Is this a MASK entry ? */
2466 if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) == -1)
2467 continue;
2468
2469 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1)
2470 continue;
2471
2472 /* Decide which SID to use based on the ACL type. */
2473 switch(tagtype) {
2474 case SMB_ACL_USER_OBJ:
2475 /* Get the SID from the owner. */
2476 sid_copy(&sid, powner);
2477 unix_ug.uid = psbuf->st_ex_uid;
2478 owner_type = UID_ACE;
2479 break;
2480 case SMB_ACL_USER:
2481 {
2482 uid_t *puid = (uid_t *)SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry);
2483 if (puid == NULL) {
2484 DEBUG(0,("canonicalise_acl: Failed to get uid.\n"));
2485 continue;
2486 }
2487 uid_to_sid( &sid, *puid);
2488 unix_ug.uid = *puid;
2489 owner_type = UID_ACE;
2490 SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)puid,tagtype);
2491 break;
2492 }
2493 case SMB_ACL_GROUP_OBJ:
2494 /* Get the SID from the owning group. */
2495 sid_copy(&sid, pgroup);
2496 unix_ug.gid = psbuf->st_ex_gid;
2497 owner_type = GID_ACE;
2498 break;
2499 case SMB_ACL_GROUP:
2500 {
2501 gid_t *pgid = (gid_t *)SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry);
2502 if (pgid == NULL) {
2503 DEBUG(0,("canonicalise_acl: Failed to get gid.\n"));
2504 continue;
2505 }
2506 gid_to_sid( &sid, *pgid);
2507 unix_ug.gid = *pgid;
2508 owner_type = GID_ACE;
2509 SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)pgid,tagtype);
2510 break;
2511 }
2512 case SMB_ACL_MASK:
2513 acl_mask = convert_permset_to_mode_t(conn, permset);
2514 continue; /* Don't count the mask as an entry. */
2515 case SMB_ACL_OTHER:
2516 /* Use the Everyone SID */
2517 sid = global_sid_World;
2518 unix_ug.world = -1;
2519 owner_type = WORLD_ACE;
2520 break;
2521 default:
2522 DEBUG(0,("canonicalise_acl: Unknown tagtype %u\n", (unsigned int)tagtype));
2523 continue;
2524 }
2525
2526 /*
2527 * Add this entry to the list.
2528 */
2529
2530 if ((ace = SMB_MALLOC_P(canon_ace)) == NULL)
2531 goto fail;
2532
2533 ZERO_STRUCTP(ace);
2534 ace->type = tagtype;
2535 ace->perms = convert_permset_to_mode_t(conn, permset);
2536 ace->attr = ALLOW_ACE;
2537 ace->trustee = sid;
2538 ace->unix_ug = unix_ug;
2539 ace->owner_type = owner_type;
2540 ace->ace_flags = get_pai_flags(pal, ace, is_default_acl);
2541
2542 DLIST_ADD(l_head, ace);
2543 }
2544
2545 /*
2546 * This next call will ensure we have at least a user/group/world set.
2547 */
2548
2549 if (!ensure_canon_entry_valid(conn, &l_head, is_default_acl, conn->params,
2550 S_ISDIR(psbuf->st_ex_mode), powner, pgroup,
2551 psbuf, False))
2552 goto fail;
2553
2554 /*
2555 * Now go through the list, masking the permissions with the
2556 * acl_mask. Ensure all DENY Entries are at the start of the list.
2557 */
2558
2559 DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", is_default_acl ? "Default" : "Access"));
2560
2561 for ( ace_count = 0, ace = l_head; ace; ace = next_ace, ace_count++) {
2562 next_ace = ace->next;
2563
2564 /* Masks are only applied to entries other than USER_OBJ and OTHER. */
2565 if (ace->type != SMB_ACL_OTHER && ace->type != SMB_ACL_USER_OBJ)
2566 ace->perms &= acl_mask;
2567
2568 if (ace->perms == 0) {
2569 DLIST_PROMOTE(l_head, ace);
2570 }
2571
2572 if( DEBUGLVL( 10 ) ) {
2573 print_canon_ace(ace, ace_count);
2574 }
2575 }
2576
2577 arrange_posix_perms(fname,&l_head );
2578
2579 print_canon_ace_list( "canonicalise_acl: ace entries after arrange", l_head );
2580
2581 return l_head;
2582
2583 fail:
2584
2585 free_canon_ace_list(l_head);
2586 return NULL;
2587}
2588
2589/****************************************************************************
2590 Check if the current user group list contains a given group.
2591****************************************************************************/
2592
2593bool current_user_in_group(connection_struct *conn, gid_t gid)
2594{
2595 int i;
2596 const struct security_unix_token *utok = get_current_utok(conn);
2597
2598 for (i = 0; i < utok->ngroups; i++) {
2599 if (utok->groups[i] == gid) {
2600 return True;
2601 }
2602 }
2603
2604 return False;
2605}
2606
2607/****************************************************************************
2608 Should we override a deny ? Check 'acl group control' and 'dos filemode'.
2609****************************************************************************/
2610
2611static bool acl_group_override(connection_struct *conn,
2612 const struct smb_filename *smb_fname)
2613{
2614 if ((errno != EPERM) && (errno != EACCES)) {
2615 return false;
2616 }
2617
2618 /* file primary group == user primary or supplementary group */
2619 if (lp_acl_group_control(SNUM(conn)) &&
2620 current_user_in_group(conn, smb_fname->st.st_ex_gid)) {
2621 return true;
2622 }
2623
2624 /* user has writeable permission */
2625 if (lp_dos_filemode(SNUM(conn)) &&
2626 can_write_to_file(conn, smb_fname)) {
2627 return true;
2628 }
2629
2630 return false;
2631}
2632
2633/****************************************************************************
2634 Attempt to apply an ACL to a file or directory.
2635****************************************************************************/
2636
2637static bool set_canon_ace_list(files_struct *fsp,
2638 canon_ace *the_ace,
2639 bool default_ace,
2640 const SMB_STRUCT_STAT *psbuf,
2641 bool *pacl_set_support)
2642{
2643 connection_struct *conn = fsp->conn;
2644 bool ret = False;
2645 SMB_ACL_T the_acl = SMB_VFS_SYS_ACL_INIT(conn, (int)count_canon_ace_list(the_ace) + 1);
2646 canon_ace *p_ace;
2647 int i;
2648 SMB_ACL_ENTRY_T mask_entry;
2649 bool got_mask_entry = False;
2650 SMB_ACL_PERMSET_T mask_permset;
2651 SMB_ACL_TYPE_T the_acl_type = (default_ace ? SMB_ACL_TYPE_DEFAULT : SMB_ACL_TYPE_ACCESS);
2652 bool needs_mask = False;
2653 mode_t mask_perms = 0;
2654
2655 /* Use the psbuf that was passed in. */
2656 if (psbuf != &fsp->fsp_name->st) {
2657 fsp->fsp_name->st = *psbuf;
2658 }
2659
2660#if defined(POSIX_ACL_NEEDS_MASK)
2661 /* HP-UX always wants to have a mask (called "class" there). */
2662 needs_mask = True;
2663#endif
2664
2665 if (the_acl == NULL) {
2666
2667 if (!no_acl_syscall_error(errno)) {
2668 /*
2669 * Only print this error message if we have some kind of ACL
2670 * support that's not working. Otherwise we would always get this.
2671 */
2672 DEBUG(0,("set_canon_ace_list: Unable to init %s ACL. (%s)\n",
2673 default_ace ? "default" : "file", strerror(errno) ));
2674 }
2675 *pacl_set_support = False;
2676 goto fail;
2677 }
2678
2679 if( DEBUGLVL( 10 )) {
2680 dbgtext("set_canon_ace_list: setting ACL:\n");
2681 for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2682 print_canon_ace( p_ace, i);
2683 }
2684 }
2685
2686 for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2687 SMB_ACL_ENTRY_T the_entry;
2688 SMB_ACL_PERMSET_T the_permset;
2689
2690 /*
2691 * ACLs only "need" an ACL_MASK entry if there are any named user or
2692 * named group entries. But if there is an ACL_MASK entry, it applies
2693 * to ACL_USER, ACL_GROUP, and ACL_GROUP_OBJ entries. Set the mask
2694 * so that it doesn't deny (i.e., mask off) any permissions.
2695 */
2696
2697 if (p_ace->type == SMB_ACL_USER || p_ace->type == SMB_ACL_GROUP) {
2698 needs_mask = True;
2699 mask_perms |= p_ace->perms;
2700 } else if (p_ace->type == SMB_ACL_GROUP_OBJ) {
2701 mask_perms |= p_ace->perms;
2702 }
2703
2704 /*
2705 * Get the entry for this ACE.
2706 */
2707
2708 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &the_entry) == -1) {
2709 DEBUG(0,("set_canon_ace_list: Failed to create entry %d. (%s)\n",
2710 i, strerror(errno) ));
2711 goto fail;
2712 }
2713
2714 if (p_ace->type == SMB_ACL_MASK) {
2715 mask_entry = the_entry;
2716 got_mask_entry = True;
2717 }
2718
2719 /*
2720 * Ok - we now know the ACL calls should be working, don't
2721 * allow fallback to chmod.
2722 */
2723
2724 *pacl_set_support = True;
2725
2726 /*
2727 * Initialise the entry from the canon_ace.
2728 */
2729
2730 /*
2731 * First tell the entry what type of ACE this is.
2732 */
2733
2734 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, the_entry, p_ace->type) == -1) {
2735 DEBUG(0,("set_canon_ace_list: Failed to set tag type on entry %d. (%s)\n",
2736 i, strerror(errno) ));
2737 goto fail;
2738 }
2739
2740 /*
2741 * Only set the qualifier (user or group id) if the entry is a user
2742 * or group id ACE.
2743 */
2744
2745 if ((p_ace->type == SMB_ACL_USER) || (p_ace->type == SMB_ACL_GROUP)) {
2746 if (SMB_VFS_SYS_ACL_SET_QUALIFIER(conn, the_entry,(void *)&p_ace->unix_ug.uid) == -1) {
2747 DEBUG(0,("set_canon_ace_list: Failed to set qualifier on entry %d. (%s)\n",
2748 i, strerror(errno) ));
2749 goto fail;
2750 }
2751 }
2752
2753 /*
2754 * Convert the mode_t perms in the canon_ace to a POSIX permset.
2755 */
2756
2757 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, the_entry, &the_permset) == -1) {
2758 DEBUG(0,("set_canon_ace_list: Failed to get permset on entry %d. (%s)\n",
2759 i, strerror(errno) ));
2760 goto fail;
2761 }
2762
2763 if (map_acl_perms_to_permset(conn, p_ace->perms, &the_permset) == -1) {
2764 DEBUG(0,("set_canon_ace_list: Failed to create permset for mode (%u) on entry %d. (%s)\n",
2765 (unsigned int)p_ace->perms, i, strerror(errno) ));
2766 goto fail;
2767 }
2768
2769 /*
2770 * ..and apply them to the entry.
2771 */
2772
2773 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, the_entry, the_permset) == -1) {
2774 DEBUG(0,("set_canon_ace_list: Failed to add permset on entry %d. (%s)\n",
2775 i, strerror(errno) ));
2776 goto fail;
2777 }
2778
2779 if( DEBUGLVL( 10 ))
2780 print_canon_ace( p_ace, i);
2781
2782 }
2783
2784 if (needs_mask && !got_mask_entry) {
2785 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &mask_entry) == -1) {
2786 DEBUG(0,("set_canon_ace_list: Failed to create mask entry. (%s)\n", strerror(errno) ));
2787 goto fail;
2788 }
2789
2790 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, mask_entry, SMB_ACL_MASK) == -1) {
2791 DEBUG(0,("set_canon_ace_list: Failed to set tag type on mask entry. (%s)\n",strerror(errno) ));
2792 goto fail;
2793 }
2794
2795 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, mask_entry, &mask_permset) == -1) {
2796 DEBUG(0,("set_canon_ace_list: Failed to get mask permset. (%s)\n", strerror(errno) ));
2797 goto fail;
2798 }
2799
2800 if (map_acl_perms_to_permset(conn, S_IRUSR|S_IWUSR|S_IXUSR, &mask_permset) == -1) {
2801 DEBUG(0,("set_canon_ace_list: Failed to create mask permset. (%s)\n", strerror(errno) ));
2802 goto fail;
2803 }
2804
2805 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, mask_entry, mask_permset) == -1) {
2806 DEBUG(0,("set_canon_ace_list: Failed to add mask permset. (%s)\n", strerror(errno) ));
2807 goto fail;
2808 }
2809 }
2810
2811 /*
2812 * Finally apply it to the file or directory.
2813 */
2814
2815 if(default_ace || fsp->is_directory || fsp->fh->fd == -1) {
2816 if (SMB_VFS_SYS_ACL_SET_FILE(conn, fsp->fsp_name->base_name,
2817 the_acl_type, the_acl) == -1) {
2818 /*
2819 * Some systems allow all the above calls and only fail with no ACL support
2820 * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
2821 */
2822 if (no_acl_syscall_error(errno)) {
2823 *pacl_set_support = False;
2824 }
2825
2826 if (acl_group_override(conn, fsp->fsp_name)) {
2827 int sret;
2828
2829 DEBUG(5,("set_canon_ace_list: acl group "
2830 "control on and current user in file "
2831 "%s primary group.\n",
2832 fsp_str_dbg(fsp)));
2833
2834 become_root();
2835 sret = SMB_VFS_SYS_ACL_SET_FILE(conn,
2836 fsp->fsp_name->base_name, the_acl_type,
2837 the_acl);
2838 unbecome_root();
2839 if (sret == 0) {
2840 ret = True;
2841 }
2842 }
2843
2844 if (ret == False) {
2845 DEBUG(2,("set_canon_ace_list: "
2846 "sys_acl_set_file type %s failed for "
2847 "file %s (%s).\n",
2848 the_acl_type == SMB_ACL_TYPE_DEFAULT ?
2849 "directory default" : "file",
2850 fsp_str_dbg(fsp), strerror(errno)));
2851 goto fail;
2852 }
2853 }
2854 } else {
2855 if (SMB_VFS_SYS_ACL_SET_FD(fsp, the_acl) == -1) {
2856 /*
2857 * Some systems allow all the above calls and only fail with no ACL support
2858 * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
2859 */
2860 if (no_acl_syscall_error(errno)) {
2861 *pacl_set_support = False;
2862 }
2863
2864 if (acl_group_override(conn, fsp->fsp_name)) {
2865 int sret;
2866
2867 DEBUG(5,("set_canon_ace_list: acl group "
2868 "control on and current user in file "
2869 "%s primary group.\n",
2870 fsp_str_dbg(fsp)));
2871
2872 become_root();
2873 sret = SMB_VFS_SYS_ACL_SET_FD(fsp, the_acl);
2874 unbecome_root();
2875 if (sret == 0) {
2876 ret = True;
2877 }
2878 }
2879
2880 if (ret == False) {
2881 DEBUG(2,("set_canon_ace_list: "
2882 "sys_acl_set_file failed for file %s "
2883 "(%s).\n",
2884 fsp_str_dbg(fsp), strerror(errno)));
2885 goto fail;
2886 }
2887 }
2888 }
2889
2890 ret = True;
2891
2892 fail:
2893
2894 if (the_acl != NULL) {
2895 SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
2896 }
2897
2898 return ret;
2899}
2900
2901/****************************************************************************
2902 Find a particular canon_ace entry.
2903****************************************************************************/
2904
2905static struct canon_ace *canon_ace_entry_for(struct canon_ace *list, SMB_ACL_TAG_T type, posix_id *id)
2906{
2907 while (list) {
2908 if (list->type == type && ((type != SMB_ACL_USER && type != SMB_ACL_GROUP) ||
2909 (type == SMB_ACL_USER && id && id->uid == list->unix_ug.uid) ||
2910 (type == SMB_ACL_GROUP && id && id->gid == list->unix_ug.gid)))
2911 break;
2912 list = list->next;
2913 }
2914 return list;
2915}
2916
2917/****************************************************************************
2918
2919****************************************************************************/
2920
2921SMB_ACL_T free_empty_sys_acl(connection_struct *conn, SMB_ACL_T the_acl)
2922{
2923 SMB_ACL_ENTRY_T entry;
2924
2925 if (!the_acl)
2926 return NULL;
2927 if (SMB_VFS_SYS_ACL_GET_ENTRY(conn, the_acl, SMB_ACL_FIRST_ENTRY, &entry) != 1) {
2928 SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
2929 return NULL;
2930 }
2931 return the_acl;
2932}
2933
2934/****************************************************************************
2935 Convert a canon_ace to a generic 3 element permission - if possible.
2936****************************************************************************/
2937
2938#define MAP_PERM(p,mask,result) (((p) & (mask)) ? (result) : 0 )
2939
2940static bool convert_canon_ace_to_posix_perms( files_struct *fsp, canon_ace *file_ace_list, mode_t *posix_perms)
2941{
2942 int snum = SNUM(fsp->conn);
2943 size_t ace_count = count_canon_ace_list(file_ace_list);
2944 canon_ace *ace_p;
2945 canon_ace *owner_ace = NULL;
2946 canon_ace *group_ace = NULL;
2947 canon_ace *other_ace = NULL;
2948 mode_t and_bits;
2949 mode_t or_bits;
2950
2951 if (ace_count != 3) {
2952 DEBUG(3,("convert_canon_ace_to_posix_perms: Too many ACE "
2953 "entries for file %s to convert to posix perms.\n",
2954 fsp_str_dbg(fsp)));
2955 return False;
2956 }
2957
2958 for (ace_p = file_ace_list; ace_p; ace_p = ace_p->next) {
2959 if (ace_p->owner_type == UID_ACE)
2960 owner_ace = ace_p;
2961 else if (ace_p->owner_type == GID_ACE)
2962 group_ace = ace_p;
2963 else if (ace_p->owner_type == WORLD_ACE)
2964 other_ace = ace_p;
2965 }
2966
2967 if (!owner_ace || !group_ace || !other_ace) {
2968 DEBUG(3,("convert_canon_ace_to_posix_perms: Can't get "
2969 "standard entries for file %s.\n", fsp_str_dbg(fsp)));
2970 return False;
2971 }
2972
2973 *posix_perms = (mode_t)0;
2974
2975 *posix_perms |= owner_ace->perms;
2976 *posix_perms |= MAP_PERM(group_ace->perms, S_IRUSR, S_IRGRP);
2977 *posix_perms |= MAP_PERM(group_ace->perms, S_IWUSR, S_IWGRP);
2978 *posix_perms |= MAP_PERM(group_ace->perms, S_IXUSR, S_IXGRP);
2979 *posix_perms |= MAP_PERM(other_ace->perms, S_IRUSR, S_IROTH);
2980 *posix_perms |= MAP_PERM(other_ace->perms, S_IWUSR, S_IWOTH);
2981 *posix_perms |= MAP_PERM(other_ace->perms, S_IXUSR, S_IXOTH);
2982
2983 /* The owner must have at least read access. */
2984
2985 *posix_perms |= S_IRUSR;
2986 if (fsp->is_directory)
2987 *posix_perms |= (S_IWUSR|S_IXUSR);
2988
2989 /* If requested apply the masks. */
2990
2991 /* Get the initial bits to apply. */
2992
2993 if (fsp->is_directory) {
2994 and_bits = lp_dir_security_mask(snum);
2995 or_bits = lp_force_dir_security_mode(snum);
2996 } else {
2997 and_bits = lp_security_mask(snum);
2998 or_bits = lp_force_security_mode(snum);
2999 }
3000
3001 *posix_perms = (((*posix_perms) & and_bits)|or_bits);
3002
3003 DEBUG(10,("convert_canon_ace_to_posix_perms: converted u=%o,g=%o,w=%o "
3004 "to perm=0%o for file %s.\n", (int)owner_ace->perms,
3005 (int)group_ace->perms, (int)other_ace->perms,
3006 (int)*posix_perms, fsp_str_dbg(fsp)));
3007
3008 return True;
3009}
3010
3011/****************************************************************************
3012 Incoming NT ACLs on a directory can be split into a default POSIX acl (CI|OI|IO) and
3013 a normal POSIX acl. Win2k needs these split acls re-merging into one ACL
3014 with CI|OI set so it is inherited and also applies to the directory.
3015 Based on code from "Jim McDonough" <jmcd@us.ibm.com>.
3016****************************************************************************/
3017
3018static size_t merge_default_aces( struct security_ace *nt_ace_list, size_t num_aces)
3019{
3020 size_t i, j;
3021
3022 for (i = 0; i < num_aces; i++) {
3023 for (j = i+1; j < num_aces; j++) {
3024 uint32 i_flags_ni = (nt_ace_list[i].flags & ~SEC_ACE_FLAG_INHERITED_ACE);
3025 uint32 j_flags_ni = (nt_ace_list[j].flags & ~SEC_ACE_FLAG_INHERITED_ACE);
3026 bool i_inh = (nt_ace_list[i].flags & SEC_ACE_FLAG_INHERITED_ACE) ? True : False;
3027 bool j_inh = (nt_ace_list[j].flags & SEC_ACE_FLAG_INHERITED_ACE) ? True : False;
3028
3029 /* We know the lower number ACE's are file entries. */
3030 if ((nt_ace_list[i].type == nt_ace_list[j].type) &&
3031 (nt_ace_list[i].size == nt_ace_list[j].size) &&
3032 (nt_ace_list[i].access_mask == nt_ace_list[j].access_mask) &&
3033 dom_sid_equal(&nt_ace_list[i].trustee, &nt_ace_list[j].trustee) &&
3034 (i_inh == j_inh) &&
3035 (i_flags_ni == 0) &&
3036 (j_flags_ni == (SEC_ACE_FLAG_OBJECT_INHERIT|
3037 SEC_ACE_FLAG_CONTAINER_INHERIT|
3038 SEC_ACE_FLAG_INHERIT_ONLY))) {
3039 /*
3040 * W2K wants to have access allowed zero access ACE's
3041 * at the end of the list. If the mask is zero, merge
3042 * the non-inherited ACE onto the inherited ACE.
3043 */
3044
3045 if (nt_ace_list[i].access_mask == 0) {
3046 nt_ace_list[j].flags = SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
3047 (i_inh ? SEC_ACE_FLAG_INHERITED_ACE : 0);
3048 if (num_aces - i - 1 > 0)
3049 memmove(&nt_ace_list[i], &nt_ace_list[i+1], (num_aces-i-1) *
3050 sizeof(struct security_ace));
3051
3052 DEBUG(10,("merge_default_aces: Merging zero access ACE %u onto ACE %u.\n",
3053 (unsigned int)i, (unsigned int)j ));
3054 } else {
3055 /*
3056 * These are identical except for the flags.
3057 * Merge the inherited ACE onto the non-inherited ACE.
3058 */
3059
3060 nt_ace_list[i].flags = SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
3061 (i_inh ? SEC_ACE_FLAG_INHERITED_ACE : 0);
3062 if (num_aces - j - 1 > 0)
3063 memmove(&nt_ace_list[j], &nt_ace_list[j+1], (num_aces-j-1) *
3064 sizeof(struct security_ace));
3065
3066 DEBUG(10,("merge_default_aces: Merging ACE %u onto ACE %u.\n",
3067 (unsigned int)j, (unsigned int)i ));
3068 }
3069 num_aces--;
3070 break;
3071 }
3072 }
3073 }
3074
3075 return num_aces;
3076}
3077
3078/*
3079 * Add or Replace ACE entry.
3080 * In some cases we need to add a specific ACE for compatibility reasons.
3081 * When doing that we must make sure we are not actually creating a duplicate
3082 * entry. So we need to search whether an ACE entry already exist and eventually
3083 * replacce the access mask, or add a completely new entry if none was found.
3084 *
3085 * This function assumes the array has enough space to add a new entry without
3086 * any reallocation of memory.
3087 */
3088
3089static void add_or_replace_ace(struct security_ace *nt_ace_list, size_t *num_aces,
3090 const struct dom_sid *sid, enum security_ace_type type,
3091 uint32_t mask, uint8_t flags)
3092{
3093 int i;
3094
3095 /* first search for a duplicate */
3096 for (i = 0; i < *num_aces; i++) {
3097 if (dom_sid_equal(&nt_ace_list[i].trustee, sid) &&
3098 (nt_ace_list[i].flags == flags)) break;
3099 }
3100
3101 if (i < *num_aces) { /* found */
3102 nt_ace_list[i].type = type;
3103 nt_ace_list[i].access_mask = mask;
3104 DEBUG(10, ("Replacing ACE %d with SID %s and flags %02x\n",
3105 i, sid_string_dbg(sid), flags));
3106 return;
3107 }
3108
3109 /* not found, append it */
3110 init_sec_ace(&nt_ace_list[(*num_aces)++], sid, type, mask, flags);
3111}
3112
3113
3114/****************************************************************************
3115 Reply to query a security descriptor from an fsp. If it succeeds it allocates
3116 the space for the return elements and returns the size needed to return the
3117 security descriptor. This should be the only external function needed for
3118 the UNIX style get ACL.
3119****************************************************************************/
3120
3121static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
3122 const char *name,
3123 const SMB_STRUCT_STAT *sbuf,
3124 struct pai_val *pal,
3125 SMB_ACL_T posix_acl,
3126 SMB_ACL_T def_acl,
3127 uint32_t security_info,
3128 struct security_descriptor **ppdesc)
3129{
3130 struct dom_sid owner_sid;
3131 struct dom_sid group_sid;
3132 size_t sd_size = 0;
3133 struct security_acl *psa = NULL;
3134 size_t num_acls = 0;
3135 size_t num_def_acls = 0;
3136 size_t num_aces = 0;
3137 canon_ace *file_ace = NULL;
3138 canon_ace *dir_ace = NULL;
3139 struct security_ace *nt_ace_list = NULL;
3140 size_t num_profile_acls = 0;
3141 struct dom_sid orig_owner_sid;
3142 struct security_descriptor *psd = NULL;
3143 int i;
3144
3145 /*
3146 * Get the owner, group and world SIDs.
3147 */
3148
3149 create_file_sids(sbuf, &owner_sid, &group_sid);
3150
3151 if (lp_profile_acls(SNUM(conn))) {
3152 /* For WXP SP1 the owner must be administrators. */
3153 sid_copy(&orig_owner_sid, &owner_sid);
3154 sid_copy(&owner_sid, &global_sid_Builtin_Administrators);
3155 sid_copy(&group_sid, &global_sid_Builtin_Users);
3156 num_profile_acls = 3;
3157 }
3158
3159 if ((security_info & SECINFO_DACL) && !(security_info & SECINFO_PROTECTED_DACL)) {
3160
3161 /*
3162 * In the optimum case Creator Owner and Creator Group would be used for
3163 * the ACL_USER_OBJ and ACL_GROUP_OBJ entries, respectively, but this
3164 * would lead to usability problems under Windows: The Creator entries
3165 * are only available in browse lists of directories and not for files;
3166 * additionally the identity of the owning group couldn't be determined.
3167 * We therefore use those identities only for Default ACLs.
3168 */
3169
3170 /* Create the canon_ace lists. */
3171 file_ace = canonicalise_acl(conn, name, posix_acl, sbuf,
3172 &owner_sid, &group_sid, pal,
3173 SMB_ACL_TYPE_ACCESS);
3174
3175 /* We must have *some* ACLS. */
3176
3177 if (count_canon_ace_list(file_ace) == 0) {
3178 DEBUG(0,("get_nt_acl : No ACLs on file (%s) !\n", name));
3179 goto done;
3180 }
3181
3182 if (S_ISDIR(sbuf->st_ex_mode) && def_acl) {
3183 dir_ace = canonicalise_acl(conn, name, def_acl,
3184 sbuf,
3185 &global_sid_Creator_Owner,
3186 &global_sid_Creator_Group,
3187 pal, SMB_ACL_TYPE_DEFAULT);
3188 }
3189
3190 /*
3191 * Create the NT ACE list from the canonical ace lists.
3192 */
3193
3194 {
3195 canon_ace *ace;
3196 enum security_ace_type nt_acl_type;
3197
3198 if (nt4_compatible_acls() && dir_ace) {
3199 /*
3200 * NT 4 chokes if an ACL contains an INHERIT_ONLY entry
3201 * but no non-INHERIT_ONLY entry for one SID. So we only
3202 * remove entries from the Access ACL if the
3203 * corresponding Default ACL entries have also been
3204 * removed. ACEs for CREATOR-OWNER and CREATOR-GROUP
3205 * are exceptions. We can do nothing
3206 * intelligent if the Default ACL contains entries that
3207 * are not also contained in the Access ACL, so this
3208 * case will still fail under NT 4.
3209 */
3210
3211 ace = canon_ace_entry_for(dir_ace, SMB_ACL_OTHER, NULL);
3212 if (ace && !ace->perms) {
3213 DLIST_REMOVE(dir_ace, ace);
3214 SAFE_FREE(ace);
3215
3216 ace = canon_ace_entry_for(file_ace, SMB_ACL_OTHER, NULL);
3217 if (ace && !ace->perms) {
3218 DLIST_REMOVE(file_ace, ace);
3219 SAFE_FREE(ace);
3220 }
3221 }
3222
3223 /*
3224 * WinNT doesn't usually have Creator Group
3225 * in browse lists, so we send this entry to
3226 * WinNT even if it contains no relevant
3227 * permissions. Once we can add
3228 * Creator Group to browse lists we can
3229 * re-enable this.
3230 */
3231
3232#if 0
3233 ace = canon_ace_entry_for(dir_ace, SMB_ACL_GROUP_OBJ, NULL);
3234 if (ace && !ace->perms) {
3235 DLIST_REMOVE(dir_ace, ace);
3236 SAFE_FREE(ace);
3237 }
3238#endif
3239
3240 ace = canon_ace_entry_for(file_ace, SMB_ACL_GROUP_OBJ, NULL);
3241 if (ace && !ace->perms) {
3242 DLIST_REMOVE(file_ace, ace);
3243 SAFE_FREE(ace);
3244 }
3245 }
3246
3247 num_acls = count_canon_ace_list(file_ace);
3248 num_def_acls = count_canon_ace_list(dir_ace);
3249
3250 /* Allocate the ace list. */
3251 if ((nt_ace_list = SMB_MALLOC_ARRAY(struct security_ace,num_acls + num_profile_acls + num_def_acls)) == NULL) {
3252 DEBUG(0,("get_nt_acl: Unable to malloc space for nt_ace_list.\n"));
3253 goto done;
3254 }
3255
3256 memset(nt_ace_list, '\0', (num_acls + num_def_acls) * sizeof(struct security_ace) );
3257
3258 /*
3259 * Create the NT ACE list from the canonical ace lists.
3260 */
3261
3262 for (ace = file_ace; ace != NULL; ace = ace->next) {
3263 uint32_t acc = map_canon_ace_perms(SNUM(conn),
3264 &nt_acl_type,
3265 ace->perms,
3266 S_ISDIR(sbuf->st_ex_mode));
3267 init_sec_ace(&nt_ace_list[num_aces++],
3268 &ace->trustee,
3269 nt_acl_type,
3270 acc,
3271 ace->ace_flags);
3272 }
3273
3274 /* The User must have access to a profile share - even
3275 * if we can't map the SID. */
3276 if (lp_profile_acls(SNUM(conn))) {
3277 add_or_replace_ace(nt_ace_list, &num_aces,
3278 &global_sid_Builtin_Users,
3279 SEC_ACE_TYPE_ACCESS_ALLOWED,
3280 FILE_GENERIC_ALL, 0);
3281 }
3282
3283 for (ace = dir_ace; ace != NULL; ace = ace->next) {
3284 uint32_t acc = map_canon_ace_perms(SNUM(conn),
3285 &nt_acl_type,
3286 ace->perms,
3287 S_ISDIR(sbuf->st_ex_mode));
3288 init_sec_ace(&nt_ace_list[num_aces++],
3289 &ace->trustee,
3290 nt_acl_type,
3291 acc,
3292 ace->ace_flags |
3293 SEC_ACE_FLAG_OBJECT_INHERIT|
3294 SEC_ACE_FLAG_CONTAINER_INHERIT|
3295 SEC_ACE_FLAG_INHERIT_ONLY);
3296 }
3297
3298 /* The User must have access to a profile share - even
3299 * if we can't map the SID. */
3300 if (lp_profile_acls(SNUM(conn))) {
3301 add_or_replace_ace(nt_ace_list, &num_aces,
3302 &global_sid_Builtin_Users,
3303 SEC_ACE_TYPE_ACCESS_ALLOWED,
3304 FILE_GENERIC_ALL,
3305 SEC_ACE_FLAG_OBJECT_INHERIT |
3306 SEC_ACE_FLAG_CONTAINER_INHERIT |
3307 SEC_ACE_FLAG_INHERIT_ONLY);
3308 }
3309
3310 /*
3311 * Merge POSIX default ACLs and normal ACLs into one NT ACE.
3312 * Win2K needs this to get the inheritance correct when replacing ACLs
3313 * on a directory tree. Based on work by Jim @ IBM.
3314 */
3315
3316 num_aces = merge_default_aces(nt_ace_list, num_aces);
3317
3318 if (lp_profile_acls(SNUM(conn))) {
3319 for (i = 0; i < num_aces; i++) {
3320 if (dom_sid_equal(&nt_ace_list[i].trustee, &owner_sid)) {
3321 add_or_replace_ace(nt_ace_list, &num_aces,
3322 &orig_owner_sid,
3323 nt_ace_list[i].type,
3324 nt_ace_list[i].access_mask,
3325 nt_ace_list[i].flags);
3326 break;
3327 }
3328 }
3329 }
3330 }
3331
3332 if (num_aces) {
3333 if((psa = make_sec_acl( talloc_tos(), NT4_ACL_REVISION, num_aces, nt_ace_list)) == NULL) {
3334 DEBUG(0,("get_nt_acl: Unable to malloc space for acl.\n"));
3335 goto done;
3336 }
3337 }
3338 } /* security_info & SECINFO_DACL */
3339
3340 psd = make_standard_sec_desc( talloc_tos(),
3341 (security_info & SECINFO_OWNER) ? &owner_sid : NULL,
3342 (security_info & SECINFO_GROUP) ? &group_sid : NULL,
3343 psa,
3344 &sd_size);
3345
3346 if(!psd) {
3347 DEBUG(0,("get_nt_acl: Unable to malloc space for security descriptor.\n"));
3348 sd_size = 0;
3349 goto done;
3350 }
3351
3352 /*
3353 * Windows 2000: The DACL_PROTECTED flag in the security
3354 * descriptor marks the ACL as non-inheriting, i.e., no
3355 * ACEs from higher level directories propagate to this
3356 * ACL. In the POSIX ACL model permissions are only
3357 * inherited at file create time, so ACLs never contain
3358 * any ACEs that are inherited dynamically. The DACL_PROTECTED
3359 * flag doesn't seem to bother Windows NT.
3360 * Always set this if map acl inherit is turned off.
3361 */
3362 if (pal == NULL || !lp_map_acl_inherit(SNUM(conn))) {
3363 psd->type |= SEC_DESC_DACL_PROTECTED;
3364 } else {
3365 psd->type |= pal->sd_type;
3366 }
3367
3368 if (psd->dacl) {
3369 dacl_sort_into_canonical_order(psd->dacl->aces, (unsigned int)psd->dacl->num_aces);
3370 }
3371
3372 *ppdesc = psd;
3373
3374 done:
3375
3376 if (posix_acl) {
3377 SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
3378 }
3379 if (def_acl) {
3380 SMB_VFS_SYS_ACL_FREE_ACL(conn, def_acl);
3381 }
3382 free_canon_ace_list(file_ace);
3383 free_canon_ace_list(dir_ace);
3384 free_inherited_info(pal);
3385 SAFE_FREE(nt_ace_list);
3386
3387 return NT_STATUS_OK;
3388}
3389
3390NTSTATUS posix_fget_nt_acl(struct files_struct *fsp, uint32_t security_info,
3391 struct security_descriptor **ppdesc)
3392{
3393 SMB_STRUCT_STAT sbuf;
3394 SMB_ACL_T posix_acl = NULL;
3395 struct pai_val *pal;
3396
3397 *ppdesc = NULL;
3398
3399 DEBUG(10,("posix_fget_nt_acl: called for file %s\n",
3400 fsp_str_dbg(fsp)));
3401
3402 /* can it happen that fsp_name == NULL ? */
3403 if (fsp->is_directory || fsp->fh->fd == -1) {
3404 return posix_get_nt_acl(fsp->conn, fsp->fsp_name->base_name,
3405 security_info, ppdesc);
3406 }
3407
3408 /* Get the stat struct for the owner info. */
3409 if(SMB_VFS_FSTAT(fsp, &sbuf) != 0) {
3410 return map_nt_error_from_unix(errno);
3411 }
3412
3413 /* Get the ACL from the fd. */
3414 posix_acl = SMB_VFS_SYS_ACL_GET_FD(fsp);
3415
3416 pal = fload_inherited_info(fsp);
3417
3418 return posix_get_nt_acl_common(fsp->conn, fsp->fsp_name->base_name,
3419 &sbuf, pal, posix_acl, NULL,
3420 security_info, ppdesc);
3421}
3422
3423NTSTATUS posix_get_nt_acl(struct connection_struct *conn, const char *name,
3424 uint32_t security_info, struct security_descriptor **ppdesc)
3425{
3426 SMB_ACL_T posix_acl = NULL;
3427 SMB_ACL_T def_acl = NULL;
3428 struct pai_val *pal;
3429 struct smb_filename smb_fname;
3430 int ret;
3431
3432 *ppdesc = NULL;
3433
3434 DEBUG(10,("posix_get_nt_acl: called for file %s\n", name ));
3435
3436 ZERO_STRUCT(smb_fname);
3437 smb_fname.base_name = discard_const_p(char, name);
3438
3439 /* Get the stat struct for the owner info. */
3440 if (lp_posix_pathnames()) {
3441 ret = SMB_VFS_LSTAT(conn, &smb_fname);
3442 } else {
3443 ret = SMB_VFS_STAT(conn, &smb_fname);
3444 }
3445
3446 if (ret == -1) {
3447 return map_nt_error_from_unix(errno);
3448 }
3449
3450 /* Get the ACL from the path. */
3451 posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, name, SMB_ACL_TYPE_ACCESS);
3452
3453 /* If it's a directory get the default POSIX ACL. */
3454 if(S_ISDIR(smb_fname.st.st_ex_mode)) {
3455 def_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, name, SMB_ACL_TYPE_DEFAULT);
3456 def_acl = free_empty_sys_acl(conn, def_acl);
3457 }
3458
3459 pal = load_inherited_info(conn, name);
3460
3461 return posix_get_nt_acl_common(conn, name, &smb_fname.st, pal,
3462 posix_acl, def_acl, security_info,
3463 ppdesc);
3464}
3465
3466/****************************************************************************
3467 Try to chown a file. We will be able to chown it under the following conditions.
3468
3469 1) If we have root privileges, then it will just work.
3470 2) If we have SeRestorePrivilege we can change the user + group to any other user.
3471 3) If we have SeTakeOwnershipPrivilege we can change the user to the current user.
3472 4) If we have write permission to the file and dos_filemodes is set
3473 then allow chown to the currently authenticated user.
3474****************************************************************************/
3475
3476NTSTATUS try_chown(files_struct *fsp, uid_t uid, gid_t gid)
3477{
3478 NTSTATUS status;
3479
3480 if(!CAN_WRITE(fsp->conn)) {
3481 return NT_STATUS_MEDIA_WRITE_PROTECTED;
3482 }
3483
3484 /* Case (1). */
3485 status = vfs_chown_fsp(fsp, uid, gid);
3486 if (NT_STATUS_IS_OK(status)) {
3487 return status;
3488 }
3489
3490 /* Case (2) / (3) */
3491 if (lp_enable_privileges()) {
3492 bool has_take_ownership_priv = security_token_has_privilege(
3493 get_current_nttok(fsp->conn),
3494 SEC_PRIV_TAKE_OWNERSHIP);
3495 bool has_restore_priv = security_token_has_privilege(
3496 get_current_nttok(fsp->conn),
3497 SEC_PRIV_RESTORE);
3498
3499 if (has_restore_priv) {
3500 ; /* Case (2) */
3501 } else if (has_take_ownership_priv) {
3502 /* Case (3) */
3503 if (uid == get_current_uid(fsp->conn)) {
3504 gid = (gid_t)-1;
3505 } else {
3506 has_take_ownership_priv = false;
3507 }
3508 }
3509
3510 if (has_take_ownership_priv || has_restore_priv) {
3511 become_root();
3512 status = vfs_chown_fsp(fsp, uid, gid);
3513 unbecome_root();
3514 return status;
3515 }
3516 }
3517
3518 /* Case (4). */
3519 if (!lp_dos_filemode(SNUM(fsp->conn))) {
3520 return NT_STATUS_ACCESS_DENIED;
3521 }
3522
3523 /* only allow chown to the current user. This is more secure,
3524 and also copes with the case where the SID in a take ownership ACL is
3525 a local SID on the users workstation
3526 */
3527 if (uid != get_current_uid(fsp->conn)) {
3528 return NT_STATUS_ACCESS_DENIED;
3529 }
3530
3531 become_root();
3532 /* Keep the current file gid the same. */
3533 status = vfs_chown_fsp(fsp, uid, (gid_t)-1);
3534 unbecome_root();
3535
3536 return status;
3537}
3538
3539#if 0
3540/* Disable this - prevents ACL inheritance from the ACL editor. JRA. */
3541
3542/****************************************************************************
3543 Take care of parent ACL inheritance.
3544****************************************************************************/
3545
3546NTSTATUS append_parent_acl(files_struct *fsp,
3547 const struct security_descriptor *pcsd,
3548 struct security_descriptor **pp_new_sd)
3549{
3550 struct smb_filename *smb_dname = NULL;
3551 struct security_descriptor *parent_sd = NULL;
3552 files_struct *parent_fsp = NULL;
3553 TALLOC_CTX *mem_ctx = talloc_tos();
3554 char *parent_name = NULL;
3555 struct security_ace *new_ace = NULL;
3556 unsigned int num_aces = pcsd->dacl->num_aces;
3557 NTSTATUS status;
3558 int info;
3559 unsigned int i, j;
3560 struct security_descriptor *psd = dup_sec_desc(talloc_tos(), pcsd);
3561 bool is_dacl_protected = (pcsd->type & SEC_DESC_DACL_PROTECTED);
3562
3563 if (psd == NULL) {
3564 return NT_STATUS_NO_MEMORY;
3565 }
3566
3567 if (!parent_dirname(mem_ctx, fsp->fsp_name->base_name, &parent_name,
3568 NULL)) {
3569 return NT_STATUS_NO_MEMORY;
3570 }
3571
3572 status = create_synthetic_smb_fname(mem_ctx, parent_name, NULL, NULL,
3573 &smb_dname);
3574 if (!NT_STATUS_IS_OK(status)) {
3575 goto fail;
3576 }
3577
3578 status = SMB_VFS_CREATE_FILE(
3579 fsp->conn, /* conn */
3580 NULL, /* req */
3581 0, /* root_dir_fid */
3582 smb_dname, /* fname */
3583 FILE_READ_ATTRIBUTES, /* access_mask */
3584 FILE_SHARE_NONE, /* share_access */
3585 FILE_OPEN, /* create_disposition*/
3586 FILE_DIRECTORY_FILE, /* create_options */
3587 0, /* file_attributes */
3588 INTERNAL_OPEN_ONLY, /* oplock_request */
3589 0, /* allocation_size */
3590 NULL, /* sd */
3591 NULL, /* ea_list */
3592 &parent_fsp, /* result */
3593 &info); /* pinfo */
3594
3595 if (!NT_STATUS_IS_OK(status)) {
3596 TALLOC_FREE(smb_dname);
3597 return status;
3598 }
3599
3600 status = SMB_VFS_GET_NT_ACL(parent_fsp->conn, smb_dname->base_name,
3601 SECINFO_DACL, &parent_sd );
3602
3603 close_file(NULL, parent_fsp, NORMAL_CLOSE);
3604 TALLOC_FREE(smb_dname);
3605
3606 if (!NT_STATUS_IS_OK(status)) {
3607 return status;
3608 }
3609
3610 /*
3611 * Make room for potentially all the ACLs from
3612 * the parent. We used to add the ugw triple here,
3613 * as we knew we were dealing with POSIX ACLs.
3614 * We no longer need to do so as we can guarentee
3615 * that a default ACL from the parent directory will
3616 * be well formed for POSIX ACLs if it came from a
3617 * POSIX ACL source, and if we're not writing to a
3618 * POSIX ACL sink then we don't care if it's not well
3619 * formed. JRA.
3620 */
3621
3622 num_aces += parent_sd->dacl->num_aces;
3623
3624 if((new_ace = TALLOC_ZERO_ARRAY(mem_ctx, struct security_ace,
3625 num_aces)) == NULL) {
3626 return NT_STATUS_NO_MEMORY;
3627 }
3628
3629 /* Start by copying in all the given ACE entries. */
3630 for (i = 0; i < psd->dacl->num_aces; i++) {
3631 sec_ace_copy(&new_ace[i], &psd->dacl->aces[i]);
3632 }
3633
3634 /*
3635 * Note that we're ignoring "inherit permissions" here
3636 * as that really only applies to newly created files. JRA.
3637 */
3638
3639 /* Finally append any inherited ACEs. */
3640 for (j = 0; j < parent_sd->dacl->num_aces; j++) {
3641 struct security_ace *se = &parent_sd->dacl->aces[j];
3642
3643 if (fsp->is_directory) {
3644 if (!(se->flags & SEC_ACE_FLAG_CONTAINER_INHERIT)) {
3645 /* Doesn't apply to a directory - ignore. */
3646 DEBUG(10,("append_parent_acl: directory %s "
3647 "ignoring non container "
3648 "inherit flags %u on ACE with sid %s "
3649 "from parent %s\n",
3650 fsp_str_dbg(fsp),
3651 (unsigned int)se->flags,
3652 sid_string_dbg(&se->trustee),
3653 parent_name));
3654 continue;
3655 }
3656 } else {
3657 if (!(se->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) {
3658 /* Doesn't apply to a file - ignore. */
3659 DEBUG(10,("append_parent_acl: file %s "
3660 "ignoring non object "
3661 "inherit flags %u on ACE with sid %s "
3662 "from parent %s\n",
3663 fsp_str_dbg(fsp),
3664 (unsigned int)se->flags,
3665 sid_string_dbg(&se->trustee),
3666 parent_name));
3667 continue;
3668 }
3669 }
3670
3671 if (is_dacl_protected) {
3672 /* If the DACL is protected it means we must
3673 * not overwrite an existing ACE entry with the
3674 * same SID. This is order N^2. Ouch :-(. JRA. */
3675 unsigned int k;
3676 for (k = 0; k < psd->dacl->num_aces; k++) {
3677 if (dom_sid_equal(&psd->dacl->aces[k].trustee,
3678 &se->trustee)) {
3679 break;
3680 }
3681 }
3682 if (k < psd->dacl->num_aces) {
3683 /* SID matched. Ignore. */
3684 DEBUG(10,("append_parent_acl: path %s "
3685 "ignoring ACE with protected sid %s "
3686 "from parent %s\n",
3687 fsp_str_dbg(fsp),
3688 sid_string_dbg(&se->trustee),
3689 parent_name));
3690 continue;
3691 }
3692 }
3693
3694 sec_ace_copy(&new_ace[i], se);
3695 if (se->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
3696 new_ace[i].flags &= ~(SEC_ACE_FLAG_VALID_INHERIT);
3697 }
3698 new_ace[i].flags |= SEC_ACE_FLAG_INHERITED_ACE;
3699
3700 if (fsp->is_directory) {
3701 /*
3702 * Strip off any inherit only. It's applied.
3703 */
3704 new_ace[i].flags &= ~(SEC_ACE_FLAG_INHERIT_ONLY);
3705 if (se->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
3706 /* No further inheritance. */
3707 new_ace[i].flags &=
3708 ~(SEC_ACE_FLAG_CONTAINER_INHERIT|
3709 SEC_ACE_FLAG_OBJECT_INHERIT);
3710 }
3711 } else {
3712 /*
3713 * Strip off any container or inherit
3714 * flags, they can't apply to objects.
3715 */
3716 new_ace[i].flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|
3717 SEC_ACE_FLAG_INHERIT_ONLY|
3718 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT);
3719 }
3720 i++;
3721
3722 DEBUG(10,("append_parent_acl: path %s "
3723 "inheriting ACE with sid %s "
3724 "from parent %s\n",
3725 fsp_str_dbg(fsp),
3726 sid_string_dbg(&se->trustee),
3727 parent_name));
3728 }
3729
3730 psd->dacl->aces = new_ace;
3731 psd->dacl->num_aces = i;
3732 psd->type &= ~(SEC_DESC_DACL_AUTO_INHERITED|
3733 SEC_DESC_DACL_AUTO_INHERIT_REQ);
3734
3735 *pp_new_sd = psd;
3736 return status;
3737}
3738#endif
3739
3740/****************************************************************************
3741 Reply to set a security descriptor on an fsp. security_info_sent is the
3742 description of the following NT ACL.
3743 This should be the only external function needed for the UNIX style set ACL.
3744 We make a copy of psd_orig as internal functions modify the elements inside
3745 it, even though it's a const pointer.
3746****************************************************************************/
3747
3748NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const struct security_descriptor *psd_orig)
3749{
3750 connection_struct *conn = fsp->conn;
3751 uid_t user = (uid_t)-1;
3752 gid_t grp = (gid_t)-1;
3753 struct dom_sid file_owner_sid;
3754 struct dom_sid file_grp_sid;
3755 canon_ace *file_ace_list = NULL;
3756 canon_ace *dir_ace_list = NULL;
3757 bool acl_perms = False;
3758 mode_t orig_mode = (mode_t)0;
3759 NTSTATUS status;
3760 bool set_acl_as_root = false;
3761 bool acl_set_support = false;
3762 bool ret = false;
3763 struct security_descriptor *psd = NULL;
3764
3765 DEBUG(10,("set_nt_acl: called for file %s\n",
3766 fsp_str_dbg(fsp)));
3767
3768 if (!CAN_WRITE(conn)) {
3769 DEBUG(10,("set acl rejected on read-only share\n"));
3770 return NT_STATUS_MEDIA_WRITE_PROTECTED;
3771 }
3772
3773 if (!psd_orig) {
3774 return NT_STATUS_INVALID_PARAMETER;
3775 }
3776
3777 psd = dup_sec_desc(talloc_tos(), psd_orig);
3778 if (!psd) {
3779 return NT_STATUS_NO_MEMORY;
3780 }
3781
3782 /*
3783 * Get the current state of the file.
3784 */
3785
3786 status = vfs_stat_fsp(fsp);
3787 if (!NT_STATUS_IS_OK(status)) {
3788 return status;
3789 }
3790
3791 /* Save the original element we check against. */
3792 orig_mode = fsp->fsp_name->st.st_ex_mode;
3793
3794 /*
3795 * Unpack the user/group/world id's.
3796 */
3797
3798 /* POSIX can't cope with missing owner/group. */
3799 if ((security_info_sent & SECINFO_OWNER) && (psd->owner_sid == NULL)) {
3800 security_info_sent &= ~SECINFO_OWNER;
3801 }
3802 if ((security_info_sent & SECINFO_GROUP) && (psd->group_sid == NULL)) {
3803 security_info_sent &= ~SECINFO_GROUP;
3804 }
3805
3806 status = unpack_nt_owners( conn, &user, &grp, security_info_sent, psd);
3807 if (!NT_STATUS_IS_OK(status)) {
3808 return status;
3809 }
3810
3811 /*
3812 * Do we need to chown ? If so this must be done first as the incoming
3813 * CREATOR_OWNER acl will be relative to the *new* owner, not the old.
3814 * Noticed by Simo.
3815 */
3816
3817 if (((user != (uid_t)-1) && (fsp->fsp_name->st.st_ex_uid != user)) ||
3818 (( grp != (gid_t)-1) && (fsp->fsp_name->st.st_ex_gid != grp))) {
3819
3820 DEBUG(3,("set_nt_acl: chown %s. uid = %u, gid = %u.\n",
3821 fsp_str_dbg(fsp), (unsigned int)user,
3822 (unsigned int)grp));
3823
3824 status = try_chown(fsp, user, grp);
3825 if(!NT_STATUS_IS_OK(status)) {
3826 DEBUG(3,("set_nt_acl: chown %s, %u, %u failed. Error "
3827 "= %s.\n", fsp_str_dbg(fsp),
3828 (unsigned int)user,
3829 (unsigned int)grp,
3830 nt_errstr(status)));
3831 return status;
3832 }
3833
3834 /*
3835 * Recheck the current state of the file, which may have changed.
3836 * (suid/sgid bits, for instance)
3837 */
3838
3839 status = vfs_stat_fsp(fsp);
3840 if (!NT_STATUS_IS_OK(status)) {
3841 return status;
3842 }
3843
3844 /* Save the original element we check against. */
3845 orig_mode = fsp->fsp_name->st.st_ex_mode;
3846
3847 /* If we successfully chowned, we know we must
3848 * be able to set the acl, so do it as root.
3849 */
3850 set_acl_as_root = true;
3851 }
3852
3853 create_file_sids(&fsp->fsp_name->st, &file_owner_sid, &file_grp_sid);
3854
3855 if((security_info_sent & SECINFO_DACL) &&
3856 (psd->type & SEC_DESC_DACL_PRESENT) &&
3857 (psd->dacl == NULL)) {
3858 struct security_ace ace[3];
3859
3860 /* We can't have NULL DACL in POSIX.
3861 Use owner/group/Everyone -> full access. */
3862
3863 init_sec_ace(&ace[0],
3864 &file_owner_sid,
3865 SEC_ACE_TYPE_ACCESS_ALLOWED,
3866 GENERIC_ALL_ACCESS,
3867 0);
3868 init_sec_ace(&ace[1],
3869 &file_grp_sid,
3870 SEC_ACE_TYPE_ACCESS_ALLOWED,
3871 GENERIC_ALL_ACCESS,
3872 0);
3873 init_sec_ace(&ace[2],
3874 &global_sid_World,
3875 SEC_ACE_TYPE_ACCESS_ALLOWED,
3876 GENERIC_ALL_ACCESS,
3877 0);
3878 psd->dacl = make_sec_acl(talloc_tos(),
3879 NT4_ACL_REVISION,
3880 3,
3881 ace);
3882 if (psd->dacl == NULL) {
3883 return NT_STATUS_NO_MEMORY;
3884 }
3885 security_acl_map_generic(psd->dacl, &file_generic_mapping);
3886 }
3887
3888 acl_perms = unpack_canon_ace(fsp, &fsp->fsp_name->st, &file_owner_sid,
3889 &file_grp_sid, &file_ace_list,
3890 &dir_ace_list, security_info_sent, psd);
3891
3892 /* Ignore W2K traverse DACL set. */
3893 if (!file_ace_list && !dir_ace_list) {
3894 return NT_STATUS_OK;
3895 }
3896
3897 if (!acl_perms) {
3898 DEBUG(3,("set_nt_acl: cannot set permissions\n"));
3899 free_canon_ace_list(file_ace_list);
3900 free_canon_ace_list(dir_ace_list);
3901 return NT_STATUS_ACCESS_DENIED;
3902 }
3903
3904 /*
3905 * Only change security if we got a DACL.
3906 */
3907
3908 if(!(security_info_sent & SECINFO_DACL) || (psd->dacl == NULL)) {
3909 free_canon_ace_list(file_ace_list);
3910 free_canon_ace_list(dir_ace_list);
3911 return NT_STATUS_OK;
3912 }
3913
3914 /*
3915 * Try using the POSIX ACL set first. Fall back to chmod if
3916 * we have no ACL support on this filesystem.
3917 */
3918
3919 if (acl_perms && file_ace_list) {
3920 if (set_acl_as_root) {
3921 become_root();
3922 }
3923 ret = set_canon_ace_list(fsp, file_ace_list, false,
3924 &fsp->fsp_name->st, &acl_set_support);
3925 if (set_acl_as_root) {
3926 unbecome_root();
3927 }
3928 if (acl_set_support && ret == false) {
3929 DEBUG(3,("set_nt_acl: failed to set file acl on file "
3930 "%s (%s).\n", fsp_str_dbg(fsp),
3931 strerror(errno)));
3932 free_canon_ace_list(file_ace_list);
3933 free_canon_ace_list(dir_ace_list);
3934 return map_nt_error_from_unix(errno);
3935 }
3936 }
3937
3938 if (acl_perms && acl_set_support && fsp->is_directory) {
3939 if (dir_ace_list) {
3940 if (set_acl_as_root) {
3941 become_root();
3942 }
3943 ret = set_canon_ace_list(fsp, dir_ace_list, true,
3944 &fsp->fsp_name->st,
3945 &acl_set_support);
3946 if (set_acl_as_root) {
3947 unbecome_root();
3948 }
3949 if (ret == false) {
3950 DEBUG(3,("set_nt_acl: failed to set default "
3951 "acl on directory %s (%s).\n",
3952 fsp_str_dbg(fsp), strerror(errno)));
3953 free_canon_ace_list(file_ace_list);
3954 free_canon_ace_list(dir_ace_list);
3955 return map_nt_error_from_unix(errno);
3956 }
3957 } else {
3958 int sret = -1;
3959
3960 /*
3961 * No default ACL - delete one if it exists.
3962 */
3963
3964 if (set_acl_as_root) {
3965 become_root();
3966 }
3967 sret = SMB_VFS_SYS_ACL_DELETE_DEF_FILE(conn,
3968 fsp->fsp_name->base_name);
3969 if (set_acl_as_root) {
3970 unbecome_root();
3971 }
3972 if (sret == -1) {
3973 if (acl_group_override(conn, fsp->fsp_name)) {
3974 DEBUG(5,("set_nt_acl: acl group "
3975 "control on and current user "
3976 "in file %s primary group. "
3977 "Override delete_def_acl\n",
3978 fsp_str_dbg(fsp)));
3979
3980 become_root();
3981 sret =
3982 SMB_VFS_SYS_ACL_DELETE_DEF_FILE(
3983 conn,
3984 fsp->fsp_name->base_name);
3985 unbecome_root();
3986 }
3987
3988 if (sret == -1) {
3989 DEBUG(3,("set_nt_acl: sys_acl_delete_def_file failed (%s)\n", strerror(errno)));
3990 free_canon_ace_list(file_ace_list);
3991 free_canon_ace_list(dir_ace_list);
3992 return map_nt_error_from_unix(errno);
3993 }
3994 }
3995 }
3996 }
3997
3998 if (acl_set_support) {
3999 if (set_acl_as_root) {
4000 become_root();
4001 }
4002 store_inheritance_attributes(fsp,
4003 file_ace_list,
4004 dir_ace_list,
4005 psd->type);
4006 if (set_acl_as_root) {
4007 unbecome_root();
4008 }
4009 }
4010
4011 /*
4012 * If we cannot set using POSIX ACLs we fall back to checking if we need to chmod.
4013 */
4014
4015 if(!acl_set_support && acl_perms) {
4016 mode_t posix_perms;
4017
4018 if (!convert_canon_ace_to_posix_perms( fsp, file_ace_list, &posix_perms)) {
4019 free_canon_ace_list(file_ace_list);
4020 free_canon_ace_list(dir_ace_list);
4021 DEBUG(3,("set_nt_acl: failed to convert file acl to "
4022 "posix permissions for file %s.\n",
4023 fsp_str_dbg(fsp)));
4024 return NT_STATUS_ACCESS_DENIED;
4025 }
4026
4027 if (orig_mode != posix_perms) {
4028 int sret = -1;
4029
4030 DEBUG(3,("set_nt_acl: chmod %s. perms = 0%o.\n",
4031 fsp_str_dbg(fsp), (unsigned int)posix_perms));
4032
4033 if (set_acl_as_root) {
4034 become_root();
4035 }
4036 sret = SMB_VFS_CHMOD(conn, fsp->fsp_name->base_name,
4037 posix_perms);
4038 if (set_acl_as_root) {
4039 unbecome_root();
4040 }
4041 if(sret == -1) {
4042 if (acl_group_override(conn, fsp->fsp_name)) {
4043 DEBUG(5,("set_nt_acl: acl group "
4044 "control on and current user "
4045 "in file %s primary group. "
4046 "Override chmod\n",
4047 fsp_str_dbg(fsp)));
4048
4049 become_root();
4050 sret = SMB_VFS_CHMOD(conn,
4051 fsp->fsp_name->base_name,
4052 posix_perms);
4053 unbecome_root();
4054 }
4055
4056 if (sret == -1) {
4057 DEBUG(3,("set_nt_acl: chmod %s, 0%o "
4058 "failed. Error = %s.\n",
4059 fsp_str_dbg(fsp),
4060 (unsigned int)posix_perms,
4061 strerror(errno)));
4062 free_canon_ace_list(file_ace_list);
4063 free_canon_ace_list(dir_ace_list);
4064 return map_nt_error_from_unix(errno);
4065 }
4066 }
4067 }
4068 }
4069
4070 free_canon_ace_list(file_ace_list);
4071 free_canon_ace_list(dir_ace_list);
4072
4073 /* Ensure the stat struct in the fsp is correct. */
4074 status = vfs_stat_fsp(fsp);
4075
4076 return NT_STATUS_OK;
4077}
4078
4079/****************************************************************************
4080 Get the actual group bits stored on a file with an ACL. Has no effect if
4081 the file has no ACL. Needed in dosmode code where the stat() will return
4082 the mask bits, not the real group bits, for a file with an ACL.
4083****************************************************************************/
4084
4085int get_acl_group_bits( connection_struct *conn, const char *fname, mode_t *mode )
4086{
4087 int entry_id = SMB_ACL_FIRST_ENTRY;
4088 SMB_ACL_ENTRY_T entry;
4089 SMB_ACL_T posix_acl;
4090 int result = -1;
4091
4092 posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, fname, SMB_ACL_TYPE_ACCESS);
4093 if (posix_acl == (SMB_ACL_T)NULL)
4094 return -1;
4095
4096 while (SMB_VFS_SYS_ACL_GET_ENTRY(conn, posix_acl, entry_id, &entry) == 1) {
4097 SMB_ACL_TAG_T tagtype;
4098 SMB_ACL_PERMSET_T permset;
4099
4100 entry_id = SMB_ACL_NEXT_ENTRY;
4101
4102 if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) ==-1)
4103 break;
4104
4105 if (tagtype == SMB_ACL_GROUP_OBJ) {
4106 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1) {
4107 break;
4108 } else {
4109 *mode &= ~(S_IRGRP|S_IWGRP|S_IXGRP);
4110 *mode |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_READ) ? S_IRGRP : 0);
4111 *mode |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_WRITE) ? S_IWGRP : 0);
4112 *mode |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_EXECUTE) ? S_IXGRP : 0);
4113 result = 0;
4114 break;
4115 }
4116 }
4117 }
4118 SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
4119 return result;
4120}
4121
4122/****************************************************************************
4123 Do a chmod by setting the ACL USER_OBJ, GROUP_OBJ and OTHER bits in an ACL
4124 and set the mask to rwx. Needed to preserve complex ACLs set by NT.
4125****************************************************************************/
4126
4127static int chmod_acl_internals( connection_struct *conn, SMB_ACL_T posix_acl, mode_t mode)
4128{
4129 int entry_id = SMB_ACL_FIRST_ENTRY;
4130 SMB_ACL_ENTRY_T entry;
4131 int num_entries = 0;
4132
4133 while ( SMB_VFS_SYS_ACL_GET_ENTRY(conn, posix_acl, entry_id, &entry) == 1) {
4134 SMB_ACL_TAG_T tagtype;
4135 SMB_ACL_PERMSET_T permset;
4136 mode_t perms;
4137
4138 entry_id = SMB_ACL_NEXT_ENTRY;
4139
4140 if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) == -1)
4141 return -1;
4142
4143 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1)
4144 return -1;
4145
4146 num_entries++;
4147
4148 switch(tagtype) {
4149 case SMB_ACL_USER_OBJ:
4150 perms = unix_perms_to_acl_perms(mode, S_IRUSR, S_IWUSR, S_IXUSR);
4151 break;
4152 case SMB_ACL_GROUP_OBJ:
4153 perms = unix_perms_to_acl_perms(mode, S_IRGRP, S_IWGRP, S_IXGRP);
4154 break;
4155 case SMB_ACL_MASK:
4156 /*
4157 * FIXME: The ACL_MASK entry permissions should really be set to
4158 * the union of the permissions of all ACL_USER,
4159 * ACL_GROUP_OBJ, and ACL_GROUP entries. That's what
4160 * acl_calc_mask() does, but Samba ACLs doesn't provide it.
4161 */
4162 perms = S_IRUSR|S_IWUSR|S_IXUSR;
4163 break;
4164 case SMB_ACL_OTHER:
4165 perms = unix_perms_to_acl_perms(mode, S_IROTH, S_IWOTH, S_IXOTH);
4166 break;
4167 default:
4168 continue;
4169 }
4170
4171 if (map_acl_perms_to_permset(conn, perms, &permset) == -1)
4172 return -1;
4173
4174 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, entry, permset) == -1)
4175 return -1;
4176 }
4177
4178 /*
4179 * If this is a simple 3 element ACL or no elements then it's a standard
4180 * UNIX permission set. Just use chmod...
4181 */
4182
4183 if ((num_entries == 3) || (num_entries == 0))
4184 return -1;
4185
4186 return 0;
4187}
4188
4189/****************************************************************************
4190 Get the access ACL of FROM, do a chmod by setting the ACL USER_OBJ,
4191 GROUP_OBJ and OTHER bits in an ACL and set the mask to rwx. Set the
4192 resulting ACL on TO. Note that name is in UNIX character set.
4193****************************************************************************/
4194
4195static int copy_access_posix_acl(connection_struct *conn, const char *from, const char *to, mode_t mode)
4196{
4197 SMB_ACL_T posix_acl = NULL;
4198 int ret = -1;
4199
4200 if ((posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, from, SMB_ACL_TYPE_ACCESS)) == NULL)
4201 return -1;
4202
4203 if ((ret = chmod_acl_internals(conn, posix_acl, mode)) == -1)
4204 goto done;
4205
4206 ret = SMB_VFS_SYS_ACL_SET_FILE(conn, to, SMB_ACL_TYPE_ACCESS, posix_acl);
4207
4208 done:
4209
4210 SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
4211 return ret;
4212}
4213
4214/****************************************************************************
4215 Do a chmod by setting the ACL USER_OBJ, GROUP_OBJ and OTHER bits in an ACL
4216 and set the mask to rwx. Needed to preserve complex ACLs set by NT.
4217 Note that name is in UNIX character set.
4218****************************************************************************/
4219
4220int chmod_acl(connection_struct *conn, const char *name, mode_t mode)
4221{
4222 return copy_access_posix_acl(conn, name, name, mode);
4223}
4224
4225/****************************************************************************
4226 Check for an existing default POSIX ACL on a directory.
4227****************************************************************************/
4228
4229static bool directory_has_default_posix_acl(connection_struct *conn, const char *fname)
4230{
4231 SMB_ACL_T def_acl = SMB_VFS_SYS_ACL_GET_FILE( conn, fname, SMB_ACL_TYPE_DEFAULT);
4232 bool has_acl = False;
4233 SMB_ACL_ENTRY_T entry;
4234
4235 if (def_acl != NULL && (SMB_VFS_SYS_ACL_GET_ENTRY(conn, def_acl, SMB_ACL_FIRST_ENTRY, &entry) == 1)) {
4236 has_acl = True;
4237 }
4238
4239 if (def_acl) {
4240 SMB_VFS_SYS_ACL_FREE_ACL(conn, def_acl);
4241 }
4242 return has_acl;
4243}
4244
4245/****************************************************************************
4246 If the parent directory has no default ACL but it does have an Access ACL,
4247 inherit this Access ACL to file name.
4248****************************************************************************/
4249
4250int inherit_access_posix_acl(connection_struct *conn, const char *inherit_from_dir,
4251 const char *name, mode_t mode)
4252{
4253 if (directory_has_default_posix_acl(conn, inherit_from_dir))
4254 return 0;
4255
4256 return copy_access_posix_acl(conn, inherit_from_dir, name, mode);
4257}
4258
4259/****************************************************************************
4260 Do an fchmod by setting the ACL USER_OBJ, GROUP_OBJ and OTHER bits in an ACL
4261 and set the mask to rwx. Needed to preserve complex ACLs set by NT.
4262****************************************************************************/
4263
4264int fchmod_acl(files_struct *fsp, mode_t mode)
4265{
4266 connection_struct *conn = fsp->conn;
4267 SMB_ACL_T posix_acl = NULL;
4268 int ret = -1;
4269
4270 if ((posix_acl = SMB_VFS_SYS_ACL_GET_FD(fsp)) == NULL)
4271 return -1;
4272
4273 if ((ret = chmod_acl_internals(conn, posix_acl, mode)) == -1)
4274 goto done;
4275
4276 ret = SMB_VFS_SYS_ACL_SET_FD(fsp, posix_acl);
4277
4278 done:
4279
4280 SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
4281 return ret;
4282}
4283
4284/****************************************************************************
4285 Map from wire type to permset.
4286****************************************************************************/
4287
4288static bool unix_ex_wire_to_permset(connection_struct *conn, unsigned char wire_perm, SMB_ACL_PERMSET_T *p_permset)
4289{
4290 if (wire_perm & ~(SMB_POSIX_ACL_READ|SMB_POSIX_ACL_WRITE|SMB_POSIX_ACL_EXECUTE)) {
4291 return False;
4292 }
4293
4294 if (SMB_VFS_SYS_ACL_CLEAR_PERMS(conn, *p_permset) == -1) {
4295 return False;
4296 }
4297
4298 if (wire_perm & SMB_POSIX_ACL_READ) {
4299 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_READ) == -1) {
4300 return False;
4301 }
4302 }
4303 if (wire_perm & SMB_POSIX_ACL_WRITE) {
4304 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_WRITE) == -1) {
4305 return False;
4306 }
4307 }
4308 if (wire_perm & SMB_POSIX_ACL_EXECUTE) {
4309 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_EXECUTE) == -1) {
4310 return False;
4311 }
4312 }
4313 return True;
4314}
4315
4316/****************************************************************************
4317 Map from wire type to tagtype.
4318****************************************************************************/
4319
4320static bool unix_ex_wire_to_tagtype(unsigned char wire_tt, SMB_ACL_TAG_T *p_tt)
4321{
4322 switch (wire_tt) {
4323 case SMB_POSIX_ACL_USER_OBJ:
4324 *p_tt = SMB_ACL_USER_OBJ;
4325 break;
4326 case SMB_POSIX_ACL_USER:
4327 *p_tt = SMB_ACL_USER;
4328 break;
4329 case SMB_POSIX_ACL_GROUP_OBJ:
4330 *p_tt = SMB_ACL_GROUP_OBJ;
4331 break;
4332 case SMB_POSIX_ACL_GROUP:
4333 *p_tt = SMB_ACL_GROUP;
4334 break;
4335 case SMB_POSIX_ACL_MASK:
4336 *p_tt = SMB_ACL_MASK;
4337 break;
4338 case SMB_POSIX_ACL_OTHER:
4339 *p_tt = SMB_ACL_OTHER;
4340 break;
4341 default:
4342 return False;
4343 }
4344 return True;
4345}
4346
4347/****************************************************************************
4348 Create a new POSIX acl from wire permissions.
4349 FIXME ! How does the share mask/mode fit into this.... ?
4350****************************************************************************/
4351
4352static SMB_ACL_T create_posix_acl_from_wire(connection_struct *conn, uint16 num_acls, const char *pdata)
4353{
4354 unsigned int i;
4355 SMB_ACL_T the_acl = SMB_VFS_SYS_ACL_INIT(conn, num_acls);
4356
4357 if (the_acl == NULL) {
4358 return NULL;
4359 }
4360
4361 for (i = 0; i < num_acls; i++) {
4362 SMB_ACL_ENTRY_T the_entry;
4363 SMB_ACL_PERMSET_T the_permset;
4364 SMB_ACL_TAG_T tag_type;
4365
4366 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &the_entry) == -1) {
4367 DEBUG(0,("create_posix_acl_from_wire: Failed to create entry %u. (%s)\n",
4368 i, strerror(errno) ));
4369 goto fail;
4370 }
4371
4372 if (!unix_ex_wire_to_tagtype(CVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE)), &tag_type)) {
4373 DEBUG(0,("create_posix_acl_from_wire: invalid wire tagtype %u on entry %u.\n",
4374 CVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE)), i ));
4375 goto fail;
4376 }
4377
4378 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, the_entry, tag_type) == -1) {
4379 DEBUG(0,("create_posix_acl_from_wire: Failed to set tagtype on entry %u. (%s)\n",
4380 i, strerror(errno) ));
4381 goto fail;
4382 }
4383
4384 /* Get the permset pointer from the new ACL entry. */
4385 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, the_entry, &the_permset) == -1) {
4386 DEBUG(0,("create_posix_acl_from_wire: Failed to get permset on entry %u. (%s)\n",
4387 i, strerror(errno) ));
4388 goto fail;
4389 }
4390
4391 /* Map from wire to permissions. */
4392 if (!unix_ex_wire_to_permset(conn, CVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE)+1), &the_permset)) {
4393 DEBUG(0,("create_posix_acl_from_wire: invalid permset %u on entry %u.\n",
4394 CVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE) + 1), i ));
4395 goto fail;
4396 }
4397
4398 /* Now apply to the new ACL entry. */
4399 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, the_entry, the_permset) == -1) {
4400 DEBUG(0,("create_posix_acl_from_wire: Failed to add permset on entry %u. (%s)\n",
4401 i, strerror(errno) ));
4402 goto fail;
4403 }
4404
4405 if (tag_type == SMB_ACL_USER) {
4406 uint32 uidval = IVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE)+2);
4407 uid_t uid = (uid_t)uidval;
4408 if (SMB_VFS_SYS_ACL_SET_QUALIFIER(conn, the_entry,(void *)&uid) == -1) {
4409 DEBUG(0,("create_posix_acl_from_wire: Failed to set uid %u on entry %u. (%s)\n",
4410 (unsigned int)uid, i, strerror(errno) ));
4411 goto fail;
4412 }
4413 }
4414
4415 if (tag_type == SMB_ACL_GROUP) {
4416 uint32 gidval = IVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE)+2);
4417 gid_t gid = (uid_t)gidval;
4418 if (SMB_VFS_SYS_ACL_SET_QUALIFIER(conn, the_entry,(void *)&gid) == -1) {
4419 DEBUG(0,("create_posix_acl_from_wire: Failed to set gid %u on entry %u. (%s)\n",
4420 (unsigned int)gid, i, strerror(errno) ));
4421 goto fail;
4422 }
4423 }
4424 }
4425
4426 return the_acl;
4427
4428 fail:
4429
4430 if (the_acl != NULL) {
4431 SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
4432 }
4433 return NULL;
4434}
4435
4436/****************************************************************************
4437 Calls from UNIX extensions - Default POSIX ACL set.
4438 If num_def_acls == 0 and not a directory just return. If it is a directory
4439 and num_def_acls == 0 then remove the default acl. Else set the default acl
4440 on the directory.
4441****************************************************************************/
4442
4443bool set_unix_posix_default_acl(connection_struct *conn, const char *fname, const SMB_STRUCT_STAT *psbuf,
4444 uint16 num_def_acls, const char *pdata)
4445{
4446 SMB_ACL_T def_acl = NULL;
4447
4448 if (!S_ISDIR(psbuf->st_ex_mode)) {
4449 if (num_def_acls) {
4450 DEBUG(5,("set_unix_posix_default_acl: Can't set default ACL on non-directory file %s\n", fname ));
4451 errno = EISDIR;
4452 return False;
4453 } else {
4454 return True;
4455 }
4456 }
4457
4458 if (!num_def_acls) {
4459 /* Remove the default ACL. */
4460 if (SMB_VFS_SYS_ACL_DELETE_DEF_FILE(conn, fname) == -1) {
4461 DEBUG(5,("set_unix_posix_default_acl: acl_delete_def_file failed on directory %s (%s)\n",
4462 fname, strerror(errno) ));
4463 return False;
4464 }
4465 return True;
4466 }
4467
4468 if ((def_acl = create_posix_acl_from_wire(conn, num_def_acls, pdata)) == NULL) {
4469 return False;
4470 }
4471
4472 if (SMB_VFS_SYS_ACL_SET_FILE(conn, fname, SMB_ACL_TYPE_DEFAULT, def_acl) == -1) {
4473 DEBUG(5,("set_unix_posix_default_acl: acl_set_file failed on directory %s (%s)\n",
4474 fname, strerror(errno) ));
4475 SMB_VFS_SYS_ACL_FREE_ACL(conn, def_acl);
4476 return False;
4477 }
4478
4479 DEBUG(10,("set_unix_posix_default_acl: set default acl for file %s\n", fname ));
4480 SMB_VFS_SYS_ACL_FREE_ACL(conn, def_acl);
4481 return True;
4482}
4483
4484/****************************************************************************
4485 Remove an ACL from a file. As we don't have acl_delete_entry() available
4486 we must read the current acl and copy all entries except MASK, USER and GROUP
4487 to a new acl, then set that. This (at least on Linux) causes any ACL to be
4488 removed.
4489 FIXME ! How does the share mask/mode fit into this.... ?
4490****************************************************************************/
4491
4492static bool remove_posix_acl(connection_struct *conn, files_struct *fsp, const char *fname)
4493{
4494 SMB_ACL_T file_acl = NULL;
4495 int entry_id = SMB_ACL_FIRST_ENTRY;
4496 SMB_ACL_ENTRY_T entry;
4497 bool ret = False;
4498 /* Create a new ACL with only 3 entries, u/g/w. */
4499 SMB_ACL_T new_file_acl = SMB_VFS_SYS_ACL_INIT(conn, 3);
4500 SMB_ACL_ENTRY_T user_ent = NULL;
4501 SMB_ACL_ENTRY_T group_ent = NULL;
4502 SMB_ACL_ENTRY_T other_ent = NULL;
4503
4504 if (new_file_acl == NULL) {
4505 DEBUG(5,("remove_posix_acl: failed to init new ACL with 3 entries for file %s.\n", fname));
4506 return False;
4507 }
4508
4509 /* Now create the u/g/w entries. */
4510 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &new_file_acl, &user_ent) == -1) {
4511 DEBUG(5,("remove_posix_acl: Failed to create user entry for file %s. (%s)\n",
4512 fname, strerror(errno) ));
4513 goto done;
4514 }
4515 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, user_ent, SMB_ACL_USER_OBJ) == -1) {
4516 DEBUG(5,("remove_posix_acl: Failed to set user entry for file %s. (%s)\n",
4517 fname, strerror(errno) ));
4518 goto done;
4519 }
4520
4521 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &new_file_acl, &group_ent) == -1) {
4522 DEBUG(5,("remove_posix_acl: Failed to create group entry for file %s. (%s)\n",
4523 fname, strerror(errno) ));
4524 goto done;
4525 }
4526 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, group_ent, SMB_ACL_GROUP_OBJ) == -1) {
4527 DEBUG(5,("remove_posix_acl: Failed to set group entry for file %s. (%s)\n",
4528 fname, strerror(errno) ));
4529 goto done;
4530 }
4531
4532 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &new_file_acl, &other_ent) == -1) {
4533 DEBUG(5,("remove_posix_acl: Failed to create other entry for file %s. (%s)\n",
4534 fname, strerror(errno) ));
4535 goto done;
4536 }
4537 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, other_ent, SMB_ACL_OTHER) == -1) {
4538 DEBUG(5,("remove_posix_acl: Failed to set other entry for file %s. (%s)\n",
4539 fname, strerror(errno) ));
4540 goto done;
4541 }
4542
4543 /* Get the current file ACL. */
4544 if (fsp && fsp->fh->fd != -1) {
4545 file_acl = SMB_VFS_SYS_ACL_GET_FD(fsp);
4546 } else {
4547 file_acl = SMB_VFS_SYS_ACL_GET_FILE( conn, fname, SMB_ACL_TYPE_ACCESS);
4548 }
4549
4550 if (file_acl == NULL) {
4551 /* This is only returned if an error occurred. Even for a file with
4552 no acl a u/g/w acl should be returned. */
4553 DEBUG(5,("remove_posix_acl: failed to get ACL from file %s (%s).\n",
4554 fname, strerror(errno) ));
4555 goto done;
4556 }
4557
4558 while ( SMB_VFS_SYS_ACL_GET_ENTRY(conn, file_acl, entry_id, &entry) == 1) {
4559 SMB_ACL_TAG_T tagtype;
4560 SMB_ACL_PERMSET_T permset;
4561
4562 entry_id = SMB_ACL_NEXT_ENTRY;
4563
4564 if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) == -1) {
4565 DEBUG(5,("remove_posix_acl: failed to get tagtype from ACL on file %s (%s).\n",
4566 fname, strerror(errno) ));
4567 goto done;
4568 }
4569
4570 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1) {
4571 DEBUG(5,("remove_posix_acl: failed to get permset from ACL on file %s (%s).\n",
4572 fname, strerror(errno) ));
4573 goto done;
4574 }
4575
4576 if (tagtype == SMB_ACL_USER_OBJ) {
4577 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, user_ent, permset) == -1) {
4578 DEBUG(5,("remove_posix_acl: failed to set permset from ACL on file %s (%s).\n",
4579 fname, strerror(errno) ));
4580 }
4581 } else if (tagtype == SMB_ACL_GROUP_OBJ) {
4582 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, group_ent, permset) == -1) {
4583 DEBUG(5,("remove_posix_acl: failed to set permset from ACL on file %s (%s).\n",
4584 fname, strerror(errno) ));
4585 }
4586 } else if (tagtype == SMB_ACL_OTHER) {
4587 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, other_ent, permset) == -1) {
4588 DEBUG(5,("remove_posix_acl: failed to set permset from ACL on file %s (%s).\n",
4589 fname, strerror(errno) ));
4590 }
4591 }
4592 }
4593
4594 /* Set the new empty file ACL. */
4595 if (fsp && fsp->fh->fd != -1) {
4596 if (SMB_VFS_SYS_ACL_SET_FD(fsp, new_file_acl) == -1) {
4597 DEBUG(5,("remove_posix_acl: acl_set_file failed on %s (%s)\n",
4598 fname, strerror(errno) ));
4599 goto done;
4600 }
4601 } else {
4602 if (SMB_VFS_SYS_ACL_SET_FILE(conn, fname, SMB_ACL_TYPE_ACCESS, new_file_acl) == -1) {
4603 DEBUG(5,("remove_posix_acl: acl_set_file failed on %s (%s)\n",
4604 fname, strerror(errno) ));
4605 goto done;
4606 }
4607 }
4608
4609 ret = True;
4610
4611 done:
4612
4613 if (file_acl) {
4614 SMB_VFS_SYS_ACL_FREE_ACL(conn, file_acl);
4615 }
4616 if (new_file_acl) {
4617 SMB_VFS_SYS_ACL_FREE_ACL(conn, new_file_acl);
4618 }
4619 return ret;
4620}
4621
4622/****************************************************************************
4623 Calls from UNIX extensions - POSIX ACL set.
4624 If num_def_acls == 0 then read/modify/write acl after removing all entries
4625 except SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER.
4626****************************************************************************/
4627
4628bool set_unix_posix_acl(connection_struct *conn, files_struct *fsp, const char *fname, uint16 num_acls, const char *pdata)
4629{
4630 SMB_ACL_T file_acl = NULL;
4631
4632 if (!num_acls) {
4633 /* Remove the ACL from the file. */
4634 return remove_posix_acl(conn, fsp, fname);
4635 }
4636
4637 if ((file_acl = create_posix_acl_from_wire(conn, num_acls, pdata)) == NULL) {
4638 return False;
4639 }
4640
4641 if (fsp && fsp->fh->fd != -1) {
4642 /* The preferred way - use an open fd. */
4643 if (SMB_VFS_SYS_ACL_SET_FD(fsp, file_acl) == -1) {
4644 DEBUG(5,("set_unix_posix_acl: acl_set_file failed on %s (%s)\n",
4645 fname, strerror(errno) ));
4646 SMB_VFS_SYS_ACL_FREE_ACL(conn, file_acl);
4647 return False;
4648 }
4649 } else {
4650 if (SMB_VFS_SYS_ACL_SET_FILE(conn, fname, SMB_ACL_TYPE_ACCESS, file_acl) == -1) {
4651 DEBUG(5,("set_unix_posix_acl: acl_set_file failed on %s (%s)\n",
4652 fname, strerror(errno) ));
4653 SMB_VFS_SYS_ACL_FREE_ACL(conn, file_acl);
4654 return False;
4655 }
4656 }
4657
4658 DEBUG(10,("set_unix_posix_acl: set acl for file %s\n", fname ));
4659 SMB_VFS_SYS_ACL_FREE_ACL(conn, file_acl);
4660 return True;
4661}
4662
4663/********************************************************************
4664 Pull the NT ACL from a file on disk or the OpenEventlog() access
4665 check. Caller is responsible for freeing the returned security
4666 descriptor via TALLOC_FREE(). This is designed for dealing with
4667 user space access checks in smbd outside of the VFS. For example,
4668 checking access rights in OpenEventlog().
4669
4670 Assume we are dealing with files (for now)
4671********************************************************************/
4672
4673struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname)
4674{
4675 struct security_descriptor *psd, *ret_sd;
4676 connection_struct *conn;
4677 files_struct finfo;
4678 struct fd_handle fh;
4679 NTSTATUS status;
4680
4681 conn = TALLOC_ZERO_P(ctx, connection_struct);
4682 if (conn == NULL) {
4683 DEBUG(0, ("talloc failed\n"));
4684 return NULL;
4685 }
4686
4687 if (!(conn->params = TALLOC_P(conn, struct share_params))) {
4688 DEBUG(0,("get_nt_acl_no_snum: talloc() failed!\n"));
4689 TALLOC_FREE(conn);
4690 return NULL;
4691 }
4692
4693 conn->params->service = -1;
4694
4695 set_conn_connectpath(conn, "/");
4696
4697 if (!smbd_vfs_init(conn)) {
4698 DEBUG(0,("get_nt_acl_no_snum: Unable to create a fake connection struct!\n"));
4699 conn_free(conn);
4700 return NULL;
4701 }
4702
4703 ZERO_STRUCT( finfo );
4704 ZERO_STRUCT( fh );
4705
4706 finfo.fnum = -1;
4707 finfo.conn = conn;
4708 finfo.fh = &fh;
4709 finfo.fh->fd = -1;
4710
4711 status = create_synthetic_smb_fname(talloc_tos(), fname, NULL, NULL,
4712 &finfo.fsp_name);
4713 if (!NT_STATUS_IS_OK(status)) {
4714 conn_free(conn);
4715 return NULL;
4716 }
4717
4718 if (!NT_STATUS_IS_OK(SMB_VFS_FGET_NT_ACL( &finfo, SECINFO_DACL, &psd))) {
4719 DEBUG(0,("get_nt_acl_no_snum: get_nt_acl returned zero.\n"));
4720 TALLOC_FREE(finfo.fsp_name);
4721 conn_free(conn);
4722 return NULL;
4723 }
4724
4725 ret_sd = dup_sec_desc( ctx, psd );
4726
4727 TALLOC_FREE(finfo.fsp_name);
4728 conn_free(conn);
4729
4730 return ret_sd;
4731}
4732
4733/* Stolen shamelessly from pvfs_default_acl() in source4 :-). */
4734
4735NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
4736 const char *name,
4737 SMB_STRUCT_STAT *psbuf,
4738 struct security_descriptor **ppdesc)
4739{
4740 struct dom_sid owner_sid, group_sid;
4741 size_t size = 0;
4742 struct security_ace aces[4];
4743 uint32_t access_mask = 0;
4744 mode_t mode = psbuf->st_ex_mode;
4745 struct security_acl *new_dacl = NULL;
4746 int idx = 0;
4747
4748 DEBUG(10,("make_default_filesystem_acl: file %s mode = 0%o\n",
4749 name, (int)mode ));
4750
4751 uid_to_sid(&owner_sid, psbuf->st_ex_uid);
4752 gid_to_sid(&group_sid, psbuf->st_ex_gid);
4753
4754 /*
4755 We provide up to 4 ACEs
4756 - Owner
4757 - Group
4758 - Everyone
4759 - NT System
4760 */
4761
4762 if (mode & S_IRUSR) {
4763 if (mode & S_IWUSR) {
4764 access_mask |= SEC_RIGHTS_FILE_ALL;
4765 } else {
4766 access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
4767 }
4768 }
4769 if (mode & S_IWUSR) {
4770 access_mask |= SEC_RIGHTS_FILE_WRITE | SEC_STD_DELETE;
4771 }
4772
4773 init_sec_ace(&aces[idx],
4774 &owner_sid,
4775 SEC_ACE_TYPE_ACCESS_ALLOWED,
4776 access_mask,
4777 0);
4778 idx++;
4779
4780 access_mask = 0;
4781 if (mode & S_IRGRP) {
4782 access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
4783 }
4784 if (mode & S_IWGRP) {
4785 /* note that delete is not granted - this matches posix behaviour */
4786 access_mask |= SEC_RIGHTS_FILE_WRITE;
4787 }
4788 if (access_mask) {
4789 init_sec_ace(&aces[idx],
4790 &group_sid,
4791 SEC_ACE_TYPE_ACCESS_ALLOWED,
4792 access_mask,
4793 0);
4794 idx++;
4795 }
4796
4797 access_mask = 0;
4798 if (mode & S_IROTH) {
4799 access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
4800 }
4801 if (mode & S_IWOTH) {
4802 access_mask |= SEC_RIGHTS_FILE_WRITE;
4803 }
4804 if (access_mask) {
4805 init_sec_ace(&aces[idx],
4806 &global_sid_World,
4807 SEC_ACE_TYPE_ACCESS_ALLOWED,
4808 access_mask,
4809 0);
4810 idx++;
4811 }
4812
4813 init_sec_ace(&aces[idx],
4814 &global_sid_System,
4815 SEC_ACE_TYPE_ACCESS_ALLOWED,
4816 SEC_RIGHTS_FILE_ALL,
4817 0);
4818 idx++;
4819
4820 new_dacl = make_sec_acl(ctx,
4821 NT4_ACL_REVISION,
4822 idx,
4823 aces);
4824
4825 if (!new_dacl) {
4826 return NT_STATUS_NO_MEMORY;
4827 }
4828
4829 *ppdesc = make_sec_desc(ctx,
4830 SECURITY_DESCRIPTOR_REVISION_1,
4831 SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
4832 &owner_sid,
4833 &group_sid,
4834 NULL,
4835 new_dacl,
4836 &size);
4837 if (!*ppdesc) {
4838 return NT_STATUS_NO_MEMORY;
4839 }
4840 return NT_STATUS_OK;
4841}
Note: See TracBrowser for help on using the repository browser.