2 * Store Windows ACLs in data store - common functions.
3 * #included into modules/vfs_acl_xattr.c and modules/vfs_acl_tdb.c
5 * Copyright (C) Volker Lendecke, 2008
6 * Copyright (C) Jeremy Allison, 2009
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "smbd/smbd.h"
23 #include "system/filesys.h"
24 #include "../libcli/security/security.h"
25 #include "../librpc/gen_ndr/ndr_security.h"
26 #include "../lib/util/bitmap.h"
28 static NTSTATUS
create_acl_blob(const struct security_descriptor
*psd
,
31 uint8_t hash
[XATTR_SD_HASH_SIZE
]);
33 static NTSTATUS
get_acl_blob(TALLOC_CTX
*ctx
,
34 vfs_handle_struct
*handle
,
39 static NTSTATUS
store_acl_blob_fsp(vfs_handle_struct
*handle
,
43 #define HASH_SECURITY_INFO (SECINFO_OWNER | \
48 /*******************************************************************
49 Hash a security descriptor.
50 *******************************************************************/
52 static NTSTATUS
hash_blob_sha256(DATA_BLOB blob
,
57 memset(hash
, '\0', XATTR_SD_HASH_SIZE
);
59 samba_SHA256_Init(&tctx
);
60 samba_SHA256_Update(&tctx
, blob
.data
, blob
.length
);
61 samba_SHA256_Final(hash
, &tctx
);
66 /*******************************************************************
67 Hash a security descriptor.
68 *******************************************************************/
70 static NTSTATUS
hash_sd_sha256(struct security_descriptor
*psd
,
76 memset(hash
, '\0', XATTR_SD_HASH_SIZE
);
77 status
= create_acl_blob(psd
, &blob
, XATTR_SD_HASH_TYPE_SHA256
, hash
);
78 if (!NT_STATUS_IS_OK(status
)) {
81 return hash_blob_sha256(blob
, hash
);
84 /*******************************************************************
85 Parse out a struct security_descriptor from a DATA_BLOB.
86 *******************************************************************/
88 static NTSTATUS
parse_acl_blob(const DATA_BLOB
*pblob
,
90 struct security_descriptor
**ppdesc
,
91 uint16_t *p_hash_type
,
93 uint8_t hash
[XATTR_SD_HASH_SIZE
],
94 uint8_t sys_acl_hash
[XATTR_SD_HASH_SIZE
])
96 struct xattr_NTACL xacl
;
97 enum ndr_err_code ndr_err
;
99 TALLOC_CTX
*frame
= talloc_stackframe();
101 ndr_err
= ndr_pull_struct_blob(pblob
, frame
, &xacl
,
102 (ndr_pull_flags_fn_t
)ndr_pull_xattr_NTACL
);
104 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
105 DEBUG(5, ("parse_acl_blob: ndr_pull_xattr_NTACL failed: %s\n",
106 ndr_errstr(ndr_err
)));
108 return ndr_map_error2ntstatus(ndr_err
);
111 *p_version
= xacl
.version
;
113 switch (xacl
.version
) {
115 *ppdesc
= make_sec_desc(mem_ctx
, SD_REVISION
,
116 xacl
.info
.sd
->type
| SEC_DESC_SELF_RELATIVE
,
117 xacl
.info
.sd
->owner_sid
,
118 xacl
.info
.sd
->group_sid
,
122 /* No hash - null out. */
123 *p_hash_type
= XATTR_SD_HASH_TYPE_NONE
;
124 memset(hash
, '\0', XATTR_SD_HASH_SIZE
);
127 *ppdesc
= make_sec_desc(mem_ctx
, SD_REVISION
,
128 xacl
.info
.sd_hs2
->sd
->type
| SEC_DESC_SELF_RELATIVE
,
129 xacl
.info
.sd_hs2
->sd
->owner_sid
,
130 xacl
.info
.sd_hs2
->sd
->group_sid
,
131 xacl
.info
.sd_hs2
->sd
->sacl
,
132 xacl
.info
.sd_hs2
->sd
->dacl
,
134 /* No hash - null out. */
135 *p_hash_type
= XATTR_SD_HASH_TYPE_NONE
;
136 memset(hash
, '\0', XATTR_SD_HASH_SIZE
);
139 *ppdesc
= make_sec_desc(mem_ctx
, SD_REVISION
,
140 xacl
.info
.sd_hs3
->sd
->type
| SEC_DESC_SELF_RELATIVE
,
141 xacl
.info
.sd_hs3
->sd
->owner_sid
,
142 xacl
.info
.sd_hs3
->sd
->group_sid
,
143 xacl
.info
.sd_hs3
->sd
->sacl
,
144 xacl
.info
.sd_hs3
->sd
->dacl
,
146 *p_hash_type
= xacl
.info
.sd_hs3
->hash_type
;
147 /* Current version 3 (if no sys acl hash available). */
148 memcpy(hash
, xacl
.info
.sd_hs3
->hash
, XATTR_SD_HASH_SIZE
);
151 *ppdesc
= make_sec_desc(mem_ctx
, SD_REVISION
,
152 xacl
.info
.sd_hs4
->sd
->type
| SEC_DESC_SELF_RELATIVE
,
153 xacl
.info
.sd_hs4
->sd
->owner_sid
,
154 xacl
.info
.sd_hs4
->sd
->group_sid
,
155 xacl
.info
.sd_hs4
->sd
->sacl
,
156 xacl
.info
.sd_hs4
->sd
->dacl
,
158 *p_hash_type
= xacl
.info
.sd_hs4
->hash_type
;
159 /* Current version 4. */
160 memcpy(hash
, xacl
.info
.sd_hs4
->hash
, XATTR_SD_HASH_SIZE
);
161 memcpy(sys_acl_hash
, xacl
.info
.sd_hs4
->sys_acl_hash
, XATTR_SD_HASH_SIZE
);
165 return NT_STATUS_REVISION_MISMATCH
;
170 return (*ppdesc
!= NULL
) ? NT_STATUS_OK
: NT_STATUS_NO_MEMORY
;
173 /*******************************************************************
174 Create a DATA_BLOB from a hash of the security descriptor storead at
175 the system layer and the NT ACL we wish to preserve
176 *******************************************************************/
178 static NTSTATUS
create_acl_blob(const struct security_descriptor
*psd
,
181 uint8_t hash
[XATTR_SD_HASH_SIZE
])
183 struct xattr_NTACL xacl
;
184 struct security_descriptor_hash_v3 sd_hs3
;
185 enum ndr_err_code ndr_err
;
186 TALLOC_CTX
*ctx
= talloc_tos();
192 xacl
.info
.sd_hs3
= &sd_hs3
;
193 xacl
.info
.sd_hs3
->sd
= discard_const_p(struct security_descriptor
, psd
);
194 xacl
.info
.sd_hs3
->hash_type
= hash_type
;
195 memcpy(&xacl
.info
.sd_hs3
->hash
[0], hash
, XATTR_SD_HASH_SIZE
);
197 ndr_err
= ndr_push_struct_blob(
199 (ndr_push_flags_fn_t
)ndr_push_xattr_NTACL
);
201 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
202 DEBUG(5, ("create_acl_blob: ndr_push_xattr_NTACL failed: %s\n",
203 ndr_errstr(ndr_err
)));
204 return ndr_map_error2ntstatus(ndr_err
);
210 /*******************************************************************
211 Create a DATA_BLOB from a hash of the security descriptors
212 (system and NT) stored at the system layer and the NT ACL we wish
214 *******************************************************************/
216 static NTSTATUS
create_sys_acl_blob(const struct security_descriptor
*psd
,
219 uint8_t hash
[XATTR_SD_HASH_SIZE
],
220 const char *description
,
221 uint8_t sys_acl_hash
[XATTR_SD_HASH_SIZE
])
223 struct xattr_NTACL xacl
;
224 struct security_descriptor_hash_v4 sd_hs4
;
225 enum ndr_err_code ndr_err
;
226 TALLOC_CTX
*ctx
= talloc_tos();
228 struct timeval now
= timeval_current();
229 nttime_now
= timeval_to_nttime(&now
);
235 xacl
.info
.sd_hs4
= &sd_hs4
;
236 xacl
.info
.sd_hs4
->sd
= discard_const_p(struct security_descriptor
, psd
);
237 xacl
.info
.sd_hs4
->hash_type
= hash_type
;
238 memcpy(&xacl
.info
.sd_hs4
->hash
[0], hash
, XATTR_SD_HASH_SIZE
);
239 xacl
.info
.sd_hs4
->description
= description
;
240 xacl
.info
.sd_hs4
->time
= nttime_now
;
241 memcpy(&xacl
.info
.sd_hs4
->sys_acl_hash
[0], sys_acl_hash
, XATTR_SD_HASH_SIZE
);
243 ndr_err
= ndr_push_struct_blob(
245 (ndr_push_flags_fn_t
)ndr_push_xattr_NTACL
);
247 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
248 DEBUG(5, ("create_acl_blob: ndr_push_xattr_NTACL failed: %s\n",
249 ndr_errstr(ndr_err
)));
250 return ndr_map_error2ntstatus(ndr_err
);
256 /*******************************************************************
257 Add in 3 inheritable components for a non-inheritable directory ACL.
258 CREATOR_OWNER/CREATOR_GROUP/WORLD.
259 *******************************************************************/
261 static NTSTATUS
add_directory_inheritable_components(vfs_handle_struct
*handle
,
263 SMB_STRUCT_STAT
*psbuf
,
264 struct security_descriptor
*psd
)
266 struct connection_struct
*conn
= handle
->conn
;
267 int num_aces
= (psd
->dacl
? psd
->dacl
->num_aces
: 0);
268 struct smb_filename smb_fname
;
269 enum security_ace_type acltype
;
270 uint32_t access_mask
;
274 struct security_ace
*new_ace_list
;
277 new_ace_list
= talloc_zero_array(psd
->dacl
,
282 * make_sec_acl() at the bottom of this function
283 * dupliates new_ace_list
285 new_ace_list
= talloc_zero_array(talloc_tos(),
290 if (new_ace_list
== NULL
) {
291 return NT_STATUS_NO_MEMORY
;
294 /* Fake a quick smb_filename. */
295 ZERO_STRUCT(smb_fname
);
296 smb_fname
.st
= *psbuf
;
297 smb_fname
.base_name
= discard_const_p(char, name
);
299 dir_mode
= unix_mode(conn
,
300 FILE_ATTRIBUTE_DIRECTORY
, &smb_fname
, NULL
);
301 file_mode
= unix_mode(conn
,
302 FILE_ATTRIBUTE_ARCHIVE
, &smb_fname
, NULL
);
304 mode
= dir_mode
| file_mode
;
306 DEBUG(10, ("add_directory_inheritable_components: directory %s, "
309 (unsigned int)mode
));
312 memcpy(new_ace_list
, psd
->dacl
->aces
,
313 num_aces
* sizeof(struct security_ace
));
315 access_mask
= map_canon_ace_perms(SNUM(conn
), &acltype
,
318 init_sec_ace(&new_ace_list
[num_aces
],
319 &global_sid_Creator_Owner
,
322 SEC_ACE_FLAG_CONTAINER_INHERIT
|
323 SEC_ACE_FLAG_OBJECT_INHERIT
|
324 SEC_ACE_FLAG_INHERIT_ONLY
);
325 access_mask
= map_canon_ace_perms(SNUM(conn
), &acltype
,
326 (mode
<< 3) & 0700, false);
327 init_sec_ace(&new_ace_list
[num_aces
+1],
328 &global_sid_Creator_Group
,
331 SEC_ACE_FLAG_CONTAINER_INHERIT
|
332 SEC_ACE_FLAG_OBJECT_INHERIT
|
333 SEC_ACE_FLAG_INHERIT_ONLY
);
334 access_mask
= map_canon_ace_perms(SNUM(conn
), &acltype
,
335 (mode
<< 6) & 0700, false);
336 init_sec_ace(&new_ace_list
[num_aces
+2],
340 SEC_ACE_FLAG_CONTAINER_INHERIT
|
341 SEC_ACE_FLAG_OBJECT_INHERIT
|
342 SEC_ACE_FLAG_INHERIT_ONLY
);
344 psd
->dacl
->aces
= new_ace_list
;
345 psd
->dacl
->num_aces
+= 3;
347 psd
->dacl
= make_sec_acl(psd
,
351 if (psd
->dacl
== NULL
) {
352 return NT_STATUS_NO_MEMORY
;
358 /*******************************************************************
359 Pull a DATA_BLOB from an xattr given a pathname.
360 If the hash doesn't match, or doesn't exist - return the underlying
362 *******************************************************************/
364 static NTSTATUS
get_nt_acl_internal(vfs_handle_struct
*handle
,
367 uint32_t security_info
,
369 struct security_descriptor
**ppdesc
)
371 DATA_BLOB blob
= data_blob_null
;
373 uint16_t hash_type
= XATTR_SD_HASH_TYPE_NONE
;
374 uint16_t xattr_version
= 0;
375 uint8_t hash
[XATTR_SD_HASH_SIZE
];
376 uint8_t sys_acl_hash
[XATTR_SD_HASH_SIZE
];
377 uint8_t hash_tmp
[XATTR_SD_HASH_SIZE
];
378 uint8_t sys_acl_hash_tmp
[XATTR_SD_HASH_SIZE
];
379 struct security_descriptor
*psd
= NULL
;
380 struct security_descriptor
*pdesc_next
= NULL
;
381 bool ignore_file_system_acl
= lp_parm_bool(SNUM(handle
->conn
),
383 "ignore system acls",
385 TALLOC_CTX
*frame
= talloc_stackframe();
387 if (fsp
&& name
== NULL
) {
388 name
= fsp
->fsp_name
->base_name
;
391 DEBUG(10, ("get_nt_acl_internal: name=%s\n", name
));
393 status
= get_acl_blob(frame
, handle
, fsp
, name
, &blob
);
394 if (!NT_STATUS_IS_OK(status
)) {
395 DEBUG(10, ("get_nt_acl_internal: get_acl_blob returned %s\n",
400 status
= parse_acl_blob(&blob
, mem_ctx
, &psd
,
401 &hash_type
, &xattr_version
, &hash
[0], &sys_acl_hash
[0]);
402 if (!NT_STATUS_IS_OK(status
)) {
403 DEBUG(10, ("parse_acl_blob returned %s\n",
410 /* Ensure we don't leak psd if we don't choose it.
412 * We don't allocate it onto frame as it is preferred not to
413 * steal from a talloc pool.
415 talloc_steal(frame
, psd
);
417 /* determine which type of xattr we got */
418 switch (xattr_version
) {
421 /* These xattr types are unilatteral, they do not
422 * require confirmation of the hash. In particular,
423 * the NTVFS file server uses version 1, but
424 * 'samba-tool ntacl' can set these as well */
428 if (ignore_file_system_acl
) {
434 DEBUG(10, ("get_nt_acl_internal: ACL blob revision "
435 "mismatch (%u) for file %s\n",
436 (unsigned int)hash_type
,
443 /* determine which type of xattr we got */
444 if (hash_type
!= XATTR_SD_HASH_TYPE_SHA256
) {
445 DEBUG(10, ("get_nt_acl_internal: ACL blob hash type "
446 "(%u) unexpected for file %s\n",
447 (unsigned int)hash_type
,
454 /* determine which type of xattr we got */
455 switch (xattr_version
) {
459 char *sys_acl_blob_description
;
460 DATA_BLOB sys_acl_blob
;
462 /* Get the full underlying sd, then hash. */
463 ret
= SMB_VFS_NEXT_SYS_ACL_BLOB_GET_FD(handle
,
466 &sys_acl_blob_description
,
469 /* Get the full underlying sd, then hash. */
470 ret
= SMB_VFS_NEXT_SYS_ACL_BLOB_GET_FILE(handle
,
473 &sys_acl_blob_description
,
477 /* If we fail to get the ACL blob (for some reason) then this
478 * is not fatal, we just work based on the NT ACL only */
480 status
= hash_blob_sha256(sys_acl_blob
, sys_acl_hash_tmp
);
481 if (!NT_STATUS_IS_OK(status
)) {
486 if (memcmp(&sys_acl_hash
[0], &sys_acl_hash_tmp
[0],
487 XATTR_SD_HASH_SIZE
) == 0) {
488 /* Hash matches, return blob sd. */
489 DEBUG(10, ("get_nt_acl_internal: blob hash "
490 "matches for file %s\n",
496 /* Otherwise, fall though and see if the NT ACL hash matches */
499 /* Get the full underlying sd for the hash
500 or to return as backup. */
502 status
= SMB_VFS_NEXT_FGET_NT_ACL(handle
,
508 status
= SMB_VFS_NEXT_GET_NT_ACL(handle
,
515 if (!NT_STATUS_IS_OK(status
)) {
516 DEBUG(10, ("get_nt_acl_internal: get_next_acl for file %s "
524 /* Ensure we don't leak psd_next if we don't choose it.
526 * We don't allocate it onto frame as it is preferred not to
527 * steal from a talloc pool.
529 talloc_steal(frame
, pdesc_next
);
531 status
= hash_sd_sha256(pdesc_next
, hash_tmp
);
532 if (!NT_STATUS_IS_OK(status
)) {
538 if (memcmp(&hash
[0], &hash_tmp
[0], XATTR_SD_HASH_SIZE
) == 0) {
539 /* Hash matches, return blob sd. */
540 DEBUG(10, ("get_nt_acl_internal: blob hash "
541 "matches for file %s\n",
546 /* Hash doesn't match, return underlying sd. */
547 DEBUG(10, ("get_nt_acl_internal: blob hash "
548 "does not match for file %s - returning "
549 "file system SD mapping.\n",
552 if (DEBUGLEVEL
>= 10) {
553 DEBUG(10,("get_nt_acl_internal: acl for blob hash for %s is:\n",
555 NDR_PRINT_DEBUG(security_descriptor
, pdesc_next
);
564 /* Get the full underlying sd, as we failed to get the
565 * blob for the hash, or the revision/hash type wasn't
568 status
= SMB_VFS_NEXT_FGET_NT_ACL(handle
,
574 status
= SMB_VFS_NEXT_GET_NT_ACL(handle
,
581 if (!NT_STATUS_IS_OK(status
)) {
582 DEBUG(10, ("get_nt_acl_internal: get_next_acl for file %s "
590 /* Ensure we don't leak psd_next if we don't choose it.
592 * We don't allocate it onto frame as it is preferred not to
593 * steal from a talloc pool.
595 talloc_steal(frame
, pdesc_next
);
599 if (psd
!= pdesc_next
) {
600 /* We're returning the blob, throw
601 * away the filesystem SD. */
602 TALLOC_FREE(pdesc_next
);
604 SMB_STRUCT_STAT sbuf
;
605 SMB_STRUCT_STAT
*psbuf
= &sbuf
;
606 bool is_directory
= false;
608 * We're returning the underlying ACL from the
609 * filesystem. If it's a directory, and has no
610 * inheritable ACE entries we have to fake them.
613 status
= vfs_stat_fsp(fsp
);
614 if (!NT_STATUS_IS_OK(status
)) {
618 psbuf
= &fsp
->fsp_name
->st
;
621 * https://bugzilla.samba.org/show_bug.cgi?id=11249
623 * We are currently guaranteed that 'name' here is
624 * a smb_fname->base_name, which *cannot* contain
625 * a stream name (':'). vfs_stat_smb_fname() splits
626 * a name into a base name + stream name, which
627 * when we get here we know we've already done.
628 * So we have to call the stat or lstat VFS
629 * calls directly here. Else, a base_name that
630 * contains a ':' (from a demangled name) will
634 * This uglyness will go away once smb_fname
635 * is fully plumbed through the VFS.
637 int ret
= vfs_stat_smb_basename(handle
->conn
,
642 return map_nt_error_from_unix(errno
);
645 is_directory
= S_ISDIR(psbuf
->st_ex_mode
);
647 if (ignore_file_system_acl
) {
648 TALLOC_FREE(pdesc_next
);
649 status
= make_default_filesystem_acl(mem_ctx
,
653 if (!NT_STATUS_IS_OK(status
)) {
659 !sd_has_inheritable_components(psd
,
661 status
= add_directory_inheritable_components(
666 if (!NT_STATUS_IS_OK(status
)) {
671 /* The underlying POSIX module always sets
672 the ~SEC_DESC_DACL_PROTECTED bit, as ACLs
673 can't be inherited in this way under POSIX.
674 Remove it for Windows-style ACLs. */
675 psd
->type
&= ~SEC_DESC_DACL_PROTECTED
;
679 if (!(security_info
& SECINFO_OWNER
)) {
680 psd
->owner_sid
= NULL
;
682 if (!(security_info
& SECINFO_GROUP
)) {
683 psd
->group_sid
= NULL
;
685 if (!(security_info
& SECINFO_DACL
)) {
686 psd
->type
&= ~SEC_DESC_DACL_PRESENT
;
689 if (!(security_info
& SECINFO_SACL
)) {
690 psd
->type
&= ~SEC_DESC_SACL_PRESENT
;
694 TALLOC_FREE(blob
.data
);
696 if (DEBUGLEVEL
>= 10) {
697 DEBUG(10,("get_nt_acl_internal: returning acl for %s is:\n",
699 NDR_PRINT_DEBUG(security_descriptor
, psd
);
702 /* The VFS API is that the ACL is expected to be on mem_ctx */
703 *ppdesc
= talloc_move(mem_ctx
, &psd
);
709 /*********************************************************************
710 Fetch a security descriptor given an fsp.
711 *********************************************************************/
713 static NTSTATUS
fget_nt_acl_common(vfs_handle_struct
*handle
,
715 uint32_t security_info
,
717 struct security_descriptor
**ppdesc
)
719 return get_nt_acl_internal(handle
, fsp
,
720 NULL
, security_info
, mem_ctx
, ppdesc
);
723 /*********************************************************************
724 Fetch a security descriptor given a pathname.
725 *********************************************************************/
727 static NTSTATUS
get_nt_acl_common(vfs_handle_struct
*handle
,
729 uint32_t security_info
,
731 struct security_descriptor
**ppdesc
)
733 return get_nt_acl_internal(handle
, NULL
,
734 name
, security_info
, mem_ctx
, ppdesc
);
737 /*********************************************************************
738 Store a security descriptor given an fsp.
739 *********************************************************************/
741 static NTSTATUS
fset_nt_acl_common(vfs_handle_struct
*handle
, files_struct
*fsp
,
742 uint32_t security_info_sent
, const struct security_descriptor
*orig_psd
)
746 DATA_BLOB blob
, sys_acl_blob
;
747 struct security_descriptor
*pdesc_next
= NULL
;
748 struct security_descriptor
*psd
= NULL
;
749 uint8_t hash
[XATTR_SD_HASH_SIZE
];
750 uint8_t sys_acl_hash
[XATTR_SD_HASH_SIZE
];
751 bool chown_needed
= false;
752 char *sys_acl_description
;
753 TALLOC_CTX
*frame
= talloc_stackframe();
755 if (DEBUGLEVEL
>= 10) {
756 DEBUG(10,("fset_nt_acl_xattr: incoming sd for file %s\n",
758 NDR_PRINT_DEBUG(security_descriptor
,
759 discard_const_p(struct security_descriptor
, orig_psd
));
762 status
= get_nt_acl_internal(handle
, fsp
,
764 SECINFO_OWNER
|SECINFO_GROUP
|SECINFO_DACL
|SECINFO_SACL
,
768 if (!NT_STATUS_IS_OK(status
)) {
773 psd
->revision
= orig_psd
->revision
;
774 /* All our SD's are self relative. */
775 psd
->type
= orig_psd
->type
| SEC_DESC_SELF_RELATIVE
;
777 if ((security_info_sent
& SECINFO_OWNER
) && (orig_psd
->owner_sid
!= NULL
)) {
778 if (!dom_sid_equal(orig_psd
->owner_sid
, psd
->owner_sid
)) {
779 /* We're changing the owner. */
782 psd
->owner_sid
= orig_psd
->owner_sid
;
784 if ((security_info_sent
& SECINFO_GROUP
) && (orig_psd
->group_sid
!= NULL
)) {
785 if (!dom_sid_equal(orig_psd
->group_sid
, psd
->group_sid
)) {
786 /* We're changing the group. */
789 psd
->group_sid
= orig_psd
->group_sid
;
791 if (security_info_sent
& SECINFO_DACL
) {
792 psd
->dacl
= orig_psd
->dacl
;
793 psd
->type
|= SEC_DESC_DACL_PRESENT
;
795 if (security_info_sent
& SECINFO_SACL
) {
796 psd
->sacl
= orig_psd
->sacl
;
797 psd
->type
|= SEC_DESC_SACL_PRESENT
;
800 status
= SMB_VFS_NEXT_FSET_NT_ACL(handle
, fsp
, security_info_sent
, psd
);
801 if (!NT_STATUS_IS_OK(status
)) {
802 if (!NT_STATUS_EQUAL(status
, NT_STATUS_ACCESS_DENIED
)) {
806 /* We got access denied here. If we're already root,
807 or we didn't need to do a chown, or the fsp isn't
808 open with WRITE_OWNER access, just return. */
809 if (get_current_uid(handle
->conn
) == 0 ||
810 chown_needed
== false ||
811 !(fsp
->access_mask
& SEC_STD_WRITE_OWNER
)) {
813 return NT_STATUS_ACCESS_DENIED
;
816 DEBUG(10,("fset_nt_acl_common: overriding chown on file %s "
819 sid_string_tos(psd
->owner_sid
)
822 /* Ok, we failed to chown and we have
823 SEC_STD_WRITE_OWNER access - override. */
825 status
= SMB_VFS_NEXT_FSET_NT_ACL(handle
, fsp
,
826 security_info_sent
, psd
);
828 if (!NT_STATUS_IS_OK(status
)) {
834 /* Get the full underlying sd, then hash. */
835 status
= SMB_VFS_NEXT_FGET_NT_ACL(handle
,
841 if (!NT_STATUS_IS_OK(status
)) {
846 status
= hash_sd_sha256(pdesc_next
, hash
);
847 if (!NT_STATUS_IS_OK(status
)) {
852 /* Get the full underlying sd, then hash. */
853 ret
= SMB_VFS_NEXT_SYS_ACL_BLOB_GET_FD(handle
,
856 &sys_acl_description
,
859 /* If we fail to get the ACL blob (for some reason) then this
860 * is not fatal, we just work based on the NT ACL only */
862 if (DEBUGLEVEL
>= 10) {
863 DEBUG(10,("fset_nt_acl_xattr: storing xattr sd for file %s\n",
865 NDR_PRINT_DEBUG(security_descriptor
,
866 discard_const_p(struct security_descriptor
, psd
));
868 DEBUG(10,("fset_nt_acl_xattr: storing has in xattr sd based on \n"));
869 NDR_PRINT_DEBUG(security_descriptor
,
870 discard_const_p(struct security_descriptor
, pdesc_next
));
872 status
= create_acl_blob(psd
, &blob
, XATTR_SD_HASH_TYPE_SHA256
, hash
);
873 if (!NT_STATUS_IS_OK(status
)) {
874 DEBUG(10, ("fset_nt_acl_xattr: create_acl_blob failed\n"));
879 status
= store_acl_blob_fsp(handle
, fsp
, &blob
);
885 status
= hash_blob_sha256(sys_acl_blob
, sys_acl_hash
);
886 if (!NT_STATUS_IS_OK(status
)) {
891 if (DEBUGLEVEL
>= 10) {
892 DEBUG(10,("fset_nt_acl_xattr: storing xattr sd for file %s based on system ACL\n",
894 NDR_PRINT_DEBUG(security_descriptor
,
895 discard_const_p(struct security_descriptor
, psd
));
897 DEBUG(10,("fset_nt_acl_xattr: storing hash in xattr sd based on system ACL and:\n"));
898 NDR_PRINT_DEBUG(security_descriptor
,
899 discard_const_p(struct security_descriptor
, pdesc_next
));
902 /* We store hashes of both the sys ACL blob and the NT
903 * security desciptor mapped from that ACL so as to improve
904 * our chances against some inadvertant change breaking the
906 status
= create_sys_acl_blob(psd
, &blob
, XATTR_SD_HASH_TYPE_SHA256
, hash
,
907 sys_acl_description
, sys_acl_hash
);
908 if (!NT_STATUS_IS_OK(status
)) {
909 DEBUG(10, ("fset_nt_acl_xattr: create_sys_acl_blob failed\n"));
914 status
= store_acl_blob_fsp(handle
, fsp
, &blob
);
920 static int acl_common_remove_object(vfs_handle_struct
*handle
,
924 connection_struct
*conn
= handle
->conn
;
926 files_struct
*fsp
= NULL
;
928 char *parent_dir
= NULL
;
929 const char *final_component
= NULL
;
930 struct smb_filename local_fname
;
932 char *saved_dir
= NULL
;
934 saved_dir
= vfs_GetWd(talloc_tos(),conn
);
940 if (!parent_dirname(talloc_tos(), path
,
941 &parent_dir
, &final_component
)) {
942 saved_errno
= ENOMEM
;
946 DEBUG(10,("acl_common_remove_object: removing %s %s/%s\n",
947 is_directory
? "directory" : "file",
948 parent_dir
, final_component
));
950 /* cd into the parent dir to pin it. */
951 ret
= vfs_ChDir(conn
, parent_dir
);
957 ZERO_STRUCT(local_fname
);
958 local_fname
.base_name
= discard_const_p(char, final_component
);
960 /* Must use lstat here. */
961 ret
= SMB_VFS_LSTAT(conn
, &local_fname
);
967 /* Ensure we have this file open with DELETE access. */
968 id
= vfs_file_id_from_sbuf(conn
, &local_fname
.st
);
969 for (fsp
= file_find_di_first(conn
->sconn
, id
); fsp
;
970 fsp
= file_find_di_next(fsp
)) {
971 if (fsp
->access_mask
& DELETE_ACCESS
&&
972 fsp
->delete_on_close
) {
973 /* We did open this for delete,
974 * allow the delete as root.
981 DEBUG(10,("acl_common_remove_object: %s %s/%s "
982 "not an open file\n",
983 is_directory
? "directory" : "file",
984 parent_dir
, final_component
));
985 saved_errno
= EACCES
;
991 ret
= SMB_VFS_NEXT_RMDIR(handle
, final_component
);
993 ret
= SMB_VFS_NEXT_UNLINK(handle
, &local_fname
);
1003 TALLOC_FREE(parent_dir
);
1006 vfs_ChDir(conn
, saved_dir
);
1009 errno
= saved_errno
;
1014 static int rmdir_acl_common(struct vfs_handle_struct
*handle
,
1019 /* Try the normal rmdir first. */
1020 ret
= SMB_VFS_NEXT_RMDIR(handle
, path
);
1024 if (errno
== EACCES
|| errno
== EPERM
) {
1025 /* Failed due to access denied,
1026 see if we need to root override. */
1027 return acl_common_remove_object(handle
,
1032 DEBUG(10,("rmdir_acl_common: unlink of %s failed %s\n",
1038 static int unlink_acl_common(struct vfs_handle_struct
*handle
,
1039 const struct smb_filename
*smb_fname
)
1043 /* Try the normal unlink first. */
1044 ret
= SMB_VFS_NEXT_UNLINK(handle
, smb_fname
);
1048 if (errno
== EACCES
|| errno
== EPERM
) {
1049 /* Failed due to access denied,
1050 see if we need to root override. */
1052 /* Don't do anything fancy for streams. */
1053 if (smb_fname
->stream_name
) {
1056 return acl_common_remove_object(handle
,
1057 smb_fname
->base_name
,
1061 DEBUG(10,("unlink_acl_common: unlink of %s failed %s\n",
1062 smb_fname
->base_name
,
1067 static int chmod_acl_module_common(struct vfs_handle_struct
*handle
,
1068 const char *path
, mode_t mode
)
1070 if (lp_posix_pathnames()) {
1071 /* Only allow this on POSIX pathnames. */
1072 return SMB_VFS_NEXT_CHMOD(handle
, path
, mode
);
1077 static int fchmod_acl_module_common(struct vfs_handle_struct
*handle
,
1078 struct files_struct
*fsp
, mode_t mode
)
1080 if (fsp
->posix_open
) {
1081 /* Only allow this on POSIX opens. */
1082 return SMB_VFS_NEXT_FCHMOD(handle
, fsp
, mode
);
1087 static int chmod_acl_acl_module_common(struct vfs_handle_struct
*handle
,
1088 const char *name
, mode_t mode
)
1090 if (lp_posix_pathnames()) {
1091 /* Only allow this on POSIX pathnames. */
1092 return SMB_VFS_NEXT_CHMOD_ACL(handle
, name
, mode
);
1097 static int fchmod_acl_acl_module_common(struct vfs_handle_struct
*handle
,
1098 struct files_struct
*fsp
, mode_t mode
)
1100 if (fsp
->posix_open
) {
1101 /* Only allow this on POSIX opens. */
1102 return SMB_VFS_NEXT_FCHMOD_ACL(handle
, fsp
, mode
);