Changeset 124 for branches/samba-3.0/source/smbd/posix_acls.c
- Timestamp:
- Mar 12, 2008, 9:08:18 AM (17 years ago)
- File:
-
- 1 edited
-
branches/samba-3.0/source/smbd/posix_acls.c (modified) (9 diffs)
Legend:
- Unmodified
- Added
- Removed
-
branches/samba-3.0/source/smbd/posix_acls.c
r105 r124 1337 1337 psa1->flags |= (psa2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT)); 1338 1338 psa2->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT); 1339 1339 1340 1340 } else if (psa2->flags & SEC_ACE_FLAG_INHERIT_ONLY) { 1341 1341 1342 1342 psa2->flags |= (psa1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT)); 1343 1343 psa1->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT); 1344 1344 1345 1345 } 1346 1346 } … … 1403 1403 } else if (sid_to_uid( ¤t_ace->trustee, ¤t_ace->unix_ug.uid)) { 1404 1404 current_ace->owner_type = UID_ACE; 1405 current_ace->type = SMB_ACL_USER; 1405 /* If it's the owning user, this is a user_obj, not 1406 * a user. */ 1407 if (current_ace->unix_ug.uid == pst->st_uid) { 1408 current_ace->type = SMB_ACL_USER_OBJ; 1409 } else { 1410 current_ace->type = SMB_ACL_USER; 1411 } 1406 1412 } else if (sid_to_gid( ¤t_ace->trustee, ¤t_ace->unix_ug.gid)) { 1407 1413 current_ace->owner_type = GID_ACE; 1408 current_ace->type = SMB_ACL_GROUP; 1414 /* If it's the primary group, this is a group_obj, not 1415 * a group. */ 1416 if (current_ace->unix_ug.gid == pst->st_gid) { 1417 current_ace->type = SMB_ACL_GROUP_OBJ; 1418 } else { 1419 current_ace->type = SMB_ACL_GROUP; 1420 } 1409 1421 } else { 1410 1422 fstring str; … … 3100 3112 } 3101 3113 3102 static NTSTATUS append_ugw_ace(files_struct *fsp, 3103 SMB_STRUCT_STAT *psbuf, 3104 mode_t unx_mode, 3105 int ugw, 3106 SEC_ACE *se) 3107 { 3108 mode_t perms; 3109 SEC_ACCESS acc; 3110 int nt_acl_type; /* Tru64 has "acl_type" as a macro.. */ 3111 DOM_SID trustee; 3112 3113 switch (ugw) { 3114 case S_IRUSR: 3115 perms = unix_perms_to_acl_perms(unx_mode, 3116 S_IRUSR, 3117 S_IWUSR, 3118 S_IXUSR); 3119 uid_to_sid(&trustee, psbuf->st_uid ); 3120 break; 3121 case S_IRGRP: 3122 perms = unix_perms_to_acl_perms(unx_mode, 3123 S_IRGRP, 3124 S_IWGRP, 3125 S_IXGRP); 3126 gid_to_sid(&trustee, psbuf->st_gid ); 3127 break; 3128 case S_IROTH: 3129 perms = unix_perms_to_acl_perms(unx_mode, 3130 S_IROTH, 3131 S_IWOTH, 3132 S_IXOTH); 3133 sid_copy(&trustee, &global_sid_World); 3134 break; 3135 default: 3136 return NT_STATUS_INVALID_PARAMETER; 3137 } 3138 acc = map_canon_ace_perms(SNUM(fsp->conn), 3139 &nt_acl_type, 3140 perms, 3141 fsp->is_directory); 3142 3143 init_sec_ace(se, 3144 &trustee, 3145 nt_acl_type, 3146 acc, 3147 0); 3148 return NT_STATUS_OK; 3149 } 3150 3151 /**************************************************************************** 3152 If this is an 3114 /**************************************************************************** 3115 Take care of parent ACL inheritance. 3153 3116 ****************************************************************************/ 3154 3117 … … 3169 3132 size_t sd_size; 3170 3133 unsigned int i, j; 3171 mode_t unx_mode;3134 BOOL is_dacl_protected = (psd->type & SE_DESC_DACL_PROTECTED); 3172 3135 3173 3136 ZERO_STRUCT(sbuf); … … 3183 3146 return NT_STATUS_NO_MEMORY; 3184 3147 } 3185 3186 /* Create a default mode for u/g/w. */3187 unx_mode = unix_mode(fsp->conn,3188 aARCH | (fsp->is_directory ? aDIR : 0),3189 fsp->fsp_name,3190 parent_name);3191 3148 3192 3149 status = open_directory(fsp->conn, … … 3214 3171 } 3215 3172 3216 3173 /* 3217 3174 * Make room for potentially all the ACLs from 3218 * the parent, plus the user/group/other triple. 3175 * the parent. We used to add the ugw triple here, 3176 * as we knew we were dealing with POSIX ACLs. 3177 * We no longer need to do so as we can guarentee 3178 * that a default ACL from the parent directory will 3179 * be well formed for POSIX ACLs if it came from a 3180 * POSIX ACL source, and if we're not writing to a 3181 * POSIX ACL sink then we don't care if it's not well 3182 * formed. JRA. 3219 3183 */ 3220 3184 3221 num_aces += parent_sd->dacl->num_aces + 3;3185 num_aces += parent_sd->dacl->num_aces; 3222 3186 3223 3187 if((new_ace = TALLOC_ZERO_ARRAY(mem_ctx, SEC_ACE, … … 3225 3189 return NT_STATUS_NO_MEMORY; 3226 3190 } 3227 3228 DEBUG(10,("append_parent_acl: parent ACL has %u entries. New "3229 "ACL has %u entries\n",3230 parent_sd->dacl->num_aces, num_aces ));3231 3191 3232 3192 /* Start by copying in all the given ACE entries. */ … … 3240 3200 */ 3241 3201 3242 /*3243 * Append u/g/w.3244 */3245 3246 status = append_ugw_ace(fsp, psbuf, unx_mode, S_IRUSR, &new_ace[i++]);3247 if (!NT_STATUS_IS_OK(status)) {3248 return status;3249 }3250 status = append_ugw_ace(fsp, psbuf, unx_mode, S_IRGRP, &new_ace[i++]);3251 if (!NT_STATUS_IS_OK(status)) {3252 return status;3253 }3254 status = append_ugw_ace(fsp, psbuf, unx_mode, S_IROTH, &new_ace[i++]);3255 if (!NT_STATUS_IS_OK(status)) {3256 return status;3257 }3258 3259 3202 /* Finally append any inherited ACEs. */ 3260 3203 for (j = 0; j < parent_sd->dacl->num_aces; j++) { 3261 3204 SEC_ACE *se = &parent_sd->dacl->aces[j]; 3262 uint32 i_flags = se->flags & (SEC_ACE_FLAG_OBJECT_INHERIT|3263 SEC_ACE_FLAG_CONTAINER_INHERIT|3264 SEC_ACE_FLAG_INHERIT_ONLY);3265 3205 3266 3206 if (fsp->is_directory) { 3267 if (i_flags == SEC_ACE_FLAG_OBJECT_INHERIT) { 3268 /* Should only apply to a file - ignore. */ 3207 if (!(se->flags & SEC_ACE_FLAG_CONTAINER_INHERIT)) { 3208 /* Doesn't apply to a directory - ignore. */ 3209 DEBUG(10,("append_parent_acl: directory %s " 3210 "ignoring non container " 3211 "inherit flags %u on ACE with sid %s " 3212 "from parent %s\n", 3213 fsp->fsp_name, 3214 (unsigned int)se->flags, 3215 sid_string_static(&se->trustee), 3216 parent_name)); 3269 3217 continue; 3270 3218 } 3271 3219 } else { 3272 if ((i_flags & (SEC_ACE_FLAG_OBJECT_INHERIT| 3273 SEC_ACE_FLAG_INHERIT_ONLY)) != 3274 SEC_ACE_FLAG_OBJECT_INHERIT) { 3275 /* Should not apply to a file - ignore. */ 3220 if (!(se->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) { 3221 /* Doesn't apply to a file - ignore. */ 3222 DEBUG(10,("append_parent_acl: file %s " 3223 "ignoring non object " 3224 "inherit flags %u on ACE with sid %s " 3225 "from parent %s\n", 3226 fsp->fsp_name, 3227 (unsigned int)se->flags, 3228 sid_string_static(&se->trustee), 3229 parent_name)); 3276 3230 continue; 3277 3231 } 3278 3232 } 3233 3234 if (is_dacl_protected) { 3235 /* If the DACL is protected it means we must 3236 * not overwrite an existing ACE entry with the 3237 * same SID. This is order N^2. Ouch :-(. JRA. */ 3238 unsigned int k; 3239 for (k = 0; k < psd->dacl->num_aces; k++) { 3240 if (sid_equal(&psd->dacl->aces[k].trustee, 3241 &se->trustee)) { 3242 break; 3243 } 3244 } 3245 if (k < psd->dacl->num_aces) { 3246 /* SID matched. Ignore. */ 3247 DEBUG(10,("append_parent_acl: path %s " 3248 "ignoring ACE with protected sid %s " 3249 "from parent %s\n", 3250 fsp->fsp_name, 3251 sid_string_static(&se->trustee), 3252 parent_name)); 3253 continue; 3254 } 3255 } 3256 3279 3257 sec_ace_copy(&new_ace[i], se); 3280 3258 if (se->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) { … … 3282 3260 } 3283 3261 new_ace[i].flags |= SEC_ACE_FLAG_INHERITED_ACE; 3262 3263 if (fsp->is_directory) { 3264 /* 3265 * Strip off any inherit only. It's applied. 3266 */ 3267 new_ace[i].flags &= ~(SEC_ACE_FLAG_INHERIT_ONLY); 3268 if (se->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) { 3269 /* No further inheritance. */ 3270 new_ace[i].flags &= 3271 ~(SEC_ACE_FLAG_CONTAINER_INHERIT| 3272 SEC_ACE_FLAG_OBJECT_INHERIT); 3273 } 3274 } else { 3275 /* 3276 * Strip off any container or inherit 3277 * flags, they can't apply to objects. 3278 */ 3279 new_ace[i].flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT| 3280 SEC_ACE_FLAG_INHERIT_ONLY| 3281 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT); 3282 } 3283 3284 3284 i++; 3285 3286 DEBUG(10,("append_parent_acl: path %s " 3287 "inheriting ACE with sid %s " 3288 "from parent %s\n", 3289 fsp->fsp_name, 3290 sid_string_static(&se->trustee), 3291 parent_name)); 3292 3285 3293 } 3286 3294
Note:
See TracChangeset
for help on using the changeset viewer.
