search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
debug: Set close-on-exec for the main log file FD
[Samba.git] / source3 / modules / nfs4_acls.c
blob500cb4772a364e3740f1c4afac73a487ffa48bb9
1 /*
2 * NFS4 ACL handling
3 *
4 * Copyright (C) Jim McDonough, 2006
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "smbd/smbd.h"
22 #include "nfs4_acls.h"
23 #include "librpc/gen_ndr/ndr_security.h"
24 #include "../libcli/security/dom_sid.h"
25 #include "../libcli/security/security.h"
26 #include "dbwrap/dbwrap.h"
27 #include "dbwrap/dbwrap_open.h"
28 #include "system/filesys.h"
29 #include "passdb/lookup_sid.h"
30 #include "util_tdb.h"
31 #include "lib/param/loadparm.h"
32
33 #undef DBGC_CLASS
34 #define DBGC_CLASS DBGC_ACLS
35
36 #define SMBACL4_PARAM_TYPE_NAME "nfs4"
37
38 extern const struct generic_mapping file_generic_mapping;
39
40 #define SMB_ACE4_INT_MAGIC 0x76F8A967
41 typedef struct _SMB_ACE4_INT_T
42 {
43 uint32 magic;
44 SMB_ACE4PROP_T prop;
45 void *next;
46 } SMB_ACE4_INT_T;
47
48 #define SMB_ACL4_INT_MAGIC 0x29A3E792
49 typedef struct _SMB_ACL4_INT_T
50 {
51 uint32 magic;
52 uint32 naces;
53 SMB_ACE4_INT_T *first;
54 SMB_ACE4_INT_T *last;
55 } SMB_ACL4_INT_T;
56
57 enum smbacl4_mode_enum {e_simple=0, e_special=1};
58 enum smbacl4_acedup_enum {e_dontcare=0, e_reject=1, e_ignore=2, e_merge=3};
59
60 typedef struct _smbacl4_vfs_params {
61 enum smbacl4_mode_enum mode;
62 bool do_chown;
63 enum smbacl4_acedup_enum acedup;
64 bool map_full_control;
65 } smbacl4_vfs_params;
66
67 /*
68 * Gather special parameters for NFS4 ACL handling
69 */
70 static int smbacl4_get_vfs_params(
71 const char *type_name,
72 struct connection_struct *conn,
73 smbacl4_vfs_params *params
74 )
75 {
76 static const struct enum_list enum_smbacl4_modes[] = {
77 { e_simple, "simple" },
78 { e_special, "special" },
79 { -1 , NULL }
80 };
81 static const struct enum_list enum_smbacl4_acedups[] = {
82 { e_dontcare, "dontcare" },
83 { e_reject, "reject" },
84 { e_ignore, "ignore" },
85 { e_merge, "merge" },
86 { -1 , NULL }
87 };
88
89 memset(params, 0, sizeof(smbacl4_vfs_params));
90 params->mode = (enum smbacl4_mode_enum)lp_parm_enum(
91 SNUM(conn), type_name,
92 "mode", enum_smbacl4_modes, e_simple);
93 params->do_chown = lp_parm_bool(SNUM(conn), type_name,
94 "chown", true);
95 params->acedup = (enum smbacl4_acedup_enum)lp_parm_enum(
96 SNUM(conn), type_name,
97 "acedup", enum_smbacl4_acedups, e_dontcare);
98 params->map_full_control = lp_acl_map_full_control(SNUM(conn));
99
100 DEBUG(10, ("mode:%s, do_chown:%s, acedup: %s map full control:%s\n",
101 enum_smbacl4_modes[params->mode].name,
102 params->do_chown ? "true" : "false",
103 enum_smbacl4_acedups[params->acedup].name,
104 params->map_full_control ? "true" : "false"));
105
106 return 0;
107 }
108
109 /************************************************
110 Split the ACE flag mapping between nfs4 and Windows
111 into two separate functions rather than trying to do
112 it inline. Allows us to carefully control what flags
113 are mapped to what in one place.
114 ************************************************/
115
116 static uint32_t map_nfs4_ace_flags_to_windows_ace_flags(
117 uint32_t nfs4_ace_flags)
118 {
119 uint32_t win_ace_flags = 0;
120
121 /* The nfs4 flags <= 0xf map perfectly. */
122 win_ace_flags = nfs4_ace_flags & (SEC_ACE_FLAG_OBJECT_INHERIT|
123 SEC_ACE_FLAG_CONTAINER_INHERIT|
124 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT|
125 SEC_ACE_FLAG_INHERIT_ONLY);
126
127 /* flags greater than 0xf have diverged :-(. */
128 /* See the nfs4 ace flag definitions here:
129 http://www.ietf.org/rfc/rfc3530.txt.
130 And the Windows ace flag definitions here:
131 librpc/idl/security.idl. */
132 if (nfs4_ace_flags & SMB_ACE4_INHERITED_ACE) {
133 win_ace_flags |= SEC_ACE_FLAG_INHERITED_ACE;
134 }
135
136 return win_ace_flags;
137 }
138
139 static uint32_t map_windows_ace_flags_to_nfs4_ace_flags(uint32_t win_ace_flags)
140 {
141 uint32_t nfs4_ace_flags = 0;
142
143 /* The windows flags <= 0xf map perfectly. */
144 nfs4_ace_flags = win_ace_flags & (SMB_ACE4_FILE_INHERIT_ACE|
145 SMB_ACE4_DIRECTORY_INHERIT_ACE|
146 SMB_ACE4_NO_PROPAGATE_INHERIT_ACE|
147 SMB_ACE4_INHERIT_ONLY_ACE);
148
149 /* flags greater than 0xf have diverged :-(. */
150 /* See the nfs4 ace flag definitions here:
151 http://www.ietf.org/rfc/rfc3530.txt.
152 And the Windows ace flag definitions here:
153 librpc/idl/security.idl. */
154 if (win_ace_flags & SEC_ACE_FLAG_INHERITED_ACE) {
155 nfs4_ace_flags |= SMB_ACE4_INHERITED_ACE;
156 }
157
158 return nfs4_ace_flags;
159 }
160
161 static SMB_ACL4_INT_T *get_validated_aclint(SMB4ACL_T *theacl)
162 {
163 SMB_ACL4_INT_T *aclint = (SMB_ACL4_INT_T *)theacl;
164 if (theacl==NULL)
165 {
166 DEBUG(2, ("acl is NULL\n"));
167 errno = EINVAL;
168 return NULL;
169 }
170 if (aclint->magic!=SMB_ACL4_INT_MAGIC)
171 {
172 DEBUG(2, ("aclint bad magic 0x%x\n", aclint->magic));
173 errno = EINVAL;
174 return NULL;
175 }
176 return aclint;
177 }
178
179 static SMB_ACE4_INT_T *get_validated_aceint(SMB4ACE_T *ace)
180 {
181 SMB_ACE4_INT_T *aceint = (SMB_ACE4_INT_T *)ace;
182 if (ace==NULL)
183 {
184 DEBUG(2, ("ace is NULL\n"));
185 errno = EINVAL;
186 return NULL;
187 }
188 if (aceint->magic!=SMB_ACE4_INT_MAGIC)
189 {
190 DEBUG(2, ("aceint bad magic 0x%x\n", aceint->magic));
191 errno = EINVAL;
192 return NULL;
193 }
194 return aceint;
195 }
196
197 SMB4ACL_T *smb_create_smb4acl(TALLOC_CTX *mem_ctx)
198 {
199 SMB_ACL4_INT_T *theacl = (SMB_ACL4_INT_T *)TALLOC_ZERO_SIZE(
200 mem_ctx, sizeof(SMB_ACL4_INT_T));
201 if (theacl==NULL)
202 {
203 DEBUG(0, ("TALLOC_SIZE failed\n"));
204 errno = ENOMEM;
205 return NULL;
206 }
207 theacl->magic = SMB_ACL4_INT_MAGIC;
208 /* theacl->first, last = NULL not needed */
209 return (SMB4ACL_T *)theacl;
210 }
211
212 SMB4ACE_T *smb_add_ace4(SMB4ACL_T *theacl, SMB_ACE4PROP_T *prop)
213 {
214 SMB_ACL4_INT_T *aclint = get_validated_aclint(theacl);
215 SMB_ACE4_INT_T *ace;
216
217 ace = (SMB_ACE4_INT_T *)TALLOC_ZERO_SIZE(
218 theacl, sizeof(SMB_ACE4_INT_T));
219 if (ace==NULL)
220 {
221 DEBUG(0, ("TALLOC_SIZE failed\n"));
222 errno = ENOMEM;
223 return NULL;
224 }
225 ace->magic = SMB_ACE4_INT_MAGIC;
226 /* ace->next = NULL not needed */
227 memcpy(&ace->prop, prop, sizeof(SMB_ACE4PROP_T));
228
229 if (aclint->first==NULL)
230 {
231 aclint->first = ace;
232 aclint->last = ace;
233 } else {
234 aclint->last->next = (void *)ace;
235 aclint->last = ace;
236 }
237 aclint->naces++;
238
239 return (SMB4ACE_T *)ace;
240 }
241
242 SMB_ACE4PROP_T *smb_get_ace4(SMB4ACE_T *ace)
243 {
244 SMB_ACE4_INT_T *aceint = get_validated_aceint(ace);
245 if (aceint==NULL)
246 return NULL;
247
248 return &aceint->prop;
249 }
250
251 SMB4ACE_T *smb_next_ace4(SMB4ACE_T *ace)
252 {
253 SMB_ACE4_INT_T *aceint = get_validated_aceint(ace);
254 if (aceint==NULL)
255 return NULL;
256
257 return (SMB4ACE_T *)aceint->next;
258 }
259
260 SMB4ACE_T *smb_first_ace4(SMB4ACL_T *theacl)
261 {
262 SMB_ACL4_INT_T *aclint = get_validated_aclint(theacl);
263 if (aclint==NULL)
264 return NULL;
265
266 return (SMB4ACE_T *)aclint->first;
267 }
268
269 uint32 smb_get_naces(SMB4ACL_T *theacl)
270 {
271 SMB_ACL4_INT_T *aclint = get_validated_aclint(theacl);
272 if (aclint==NULL)
273 return 0;
274
275 return aclint->naces;
276 }
277
278 static int smbacl4_GetFileOwner(struct connection_struct *conn,
279 const char *filename,
280 SMB_STRUCT_STAT *psbuf)
281 {
282 memset(psbuf, 0, sizeof(SMB_STRUCT_STAT));
283
284 /* Get the stat struct for the owner info. */
285 if (vfs_stat_smb_fname(conn, filename, psbuf) != 0)
286 {
287 DEBUG(8, ("vfs_stat_smb_fname failed with error %s\n",
288 strerror(errno)));
289 return -1;
290 }
291
292 return 0;
293 }
294
295 static int smbacl4_fGetFileOwner(files_struct *fsp, SMB_STRUCT_STAT *psbuf)
296 {
297 memset(psbuf, 0, sizeof(SMB_STRUCT_STAT));
298
299 if (fsp->fh->fd == -1) {
300 return smbacl4_GetFileOwner(fsp->conn,
301 fsp->fsp_name->base_name, psbuf);
302 }
303 if (SMB_VFS_FSTAT(fsp, psbuf) != 0)
304 {
305 DEBUG(8, ("SMB_VFS_FSTAT failed with error %s\n",
306 strerror(errno)));
307 return -1;
308 }
309
310 return 0;
311 }
312
313 static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx,
314 smbacl4_vfs_params *params,
315 SMB4ACL_T *theacl, /* in */
316 struct dom_sid *psid_owner, /* in */
317 struct dom_sid *psid_group, /* in */
318 bool is_directory, /* in */
319 struct security_ace **ppnt_ace_list, /* out */
320 int *pgood_aces /* out */
321 )
322 {
323 SMB_ACL4_INT_T *aclint = (SMB_ACL4_INT_T *)theacl;
324 SMB_ACE4_INT_T *aceint;
325 struct security_ace *nt_ace_list = NULL;
326 int good_aces = 0;
327
328 DEBUG(10, ("smbacl_nfs42win entered\n"));
329
330 aclint = get_validated_aclint(theacl);
331 /* We do not check for naces being 0 or theacl being NULL here
332 because it is done upstream in smb_get_nt_acl_nfs4().
333 We reserve twice the number of input aces because one nfs4
334 ace might result in 2 nt aces.*/
335 nt_ace_list = (struct security_ace *)TALLOC_ZERO_SIZE(
336 mem_ctx, 2 * aclint->naces * sizeof(struct security_ace));
337 if (nt_ace_list==NULL)
338 {
339 DEBUG(10, ("talloc error"));
340 errno = ENOMEM;
341 return false;
342 }
343
344 for (aceint=aclint->first;
345 aceint!=NULL;
346 aceint=(SMB_ACE4_INT_T *)aceint->next) {
347 uint32_t mask;
348 struct dom_sid sid;
349 SMB_ACE4PROP_T *ace = &aceint->prop;
350 uint32_t win_ace_flags;
351
352 DEBUG(10, ("magic: 0x%x, type: %d, iflags: %x, flags: %x, "
353 "mask: %x, who: %d\n",
354 aceint->magic, ace->aceType, ace->flags,
355 ace->aceFlags, ace->aceMask, ace->who.id));
356
357 SMB_ASSERT(aceint->magic==SMB_ACE4_INT_MAGIC);
358
359 if (ace->flags & SMB_ACE4_ID_SPECIAL) {
360 switch (ace->who.special_id) {
361 case SMB_ACE4_WHO_OWNER:
362 sid_copy(&sid, psid_owner);
363 break;
364 case SMB_ACE4_WHO_GROUP:
365 sid_copy(&sid, psid_group);
366 break;
367 case SMB_ACE4_WHO_EVERYONE:
368 sid_copy(&sid, &global_sid_World);
369 break;
370 default:
371 DEBUG(8, ("invalid special who id %d "
372 "ignored\n", ace->who.special_id));
373 continue;
374 }
375 } else {
376 if (ace->aceFlags & SMB_ACE4_IDENTIFIER_GROUP) {
377 gid_to_sid(&sid, ace->who.gid);
378 } else {
379 uid_to_sid(&sid, ace->who.uid);
380 }
381 }
382 DEBUG(10, ("mapped %d to %s\n", ace->who.id,
383 sid_string_dbg(&sid)));
384
385 if (is_directory && (ace->aceMask & SMB_ACE4_ADD_FILE)) {
386 ace->aceMask |= SMB_ACE4_DELETE_CHILD;
387 }
388
389 if (!is_directory && params->map_full_control) {
390 /*
391 * Do we have all access except DELETE_CHILD
392 * (not caring about the delete bit).
393 */
394 uint32_t test_mask = ((ace->aceMask|SMB_ACE4_DELETE|SMB_ACE4_DELETE_CHILD) &
395 SMB_ACE4_ALL_MASKS);
396 if (test_mask == SMB_ACE4_ALL_MASKS) {
397 ace->aceMask |= SMB_ACE4_DELETE_CHILD;
398 }
399 }
400
401 win_ace_flags = map_nfs4_ace_flags_to_windows_ace_flags(
402 ace->aceFlags);
403 if (!is_directory &&
404 (win_ace_flags & (SEC_ACE_FLAG_OBJECT_INHERIT|
405 SEC_ACE_FLAG_CONTAINER_INHERIT))) {
406 /*
407 * GPFS sets inherits dir_inhert and file_inherit flags
408 * to files, too, which confuses windows, and seems to
409 * be wrong anyways. ==> Map these bits away for files.
410 */
411 DEBUG(10, ("removing inherit flags from nfs4 ace\n"));
412 win_ace_flags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT|
413 SEC_ACE_FLAG_CONTAINER_INHERIT);
414 }
415 DEBUG(10, ("Windows mapped ace flags: 0x%x => 0x%x\n",
416 ace->aceFlags, win_ace_flags));
417
418 mask = ace->aceMask;
419 /* Windows clients expect SYNC on acls to
420 correctly allow rename. See bug #7909. */
421 /* But not on DENY ace entries. See
422 bug #8442. */
423 if(ace->aceType == SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE) {
424 mask = ace->aceMask | SMB_ACE4_SYNCHRONIZE;
425 }
426
427 /* Mapping of owner@ and group@ to creator owner and
428 creator group. Keep old behavior in mode special. */
429 if (params->mode != e_special &&
430 ace->flags & SMB_ACE4_ID_SPECIAL &&
431 (ace->who.special_id == SMB_ACE4_WHO_OWNER ||
432 ace->who.special_id == SMB_ACE4_WHO_GROUP)) {
433 DEBUG(10, ("Map special entry\n"));
434 if (!(win_ace_flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
435 uint32_t win_ace_flags_current;
436 DEBUG(10, ("Map current sid\n"));
437 win_ace_flags_current = win_ace_flags &
438 ~(SEC_ACE_FLAG_OBJECT_INHERIT |
439 SEC_ACE_FLAG_CONTAINER_INHERIT);
440 init_sec_ace(&nt_ace_list[good_aces++], &sid,
441 ace->aceType, mask,
442 win_ace_flags_current);
443 }
444 if (ace->who.special_id == SMB_ACE4_WHO_OWNER &&
445 win_ace_flags & (SEC_ACE_FLAG_OBJECT_INHERIT |
446 SEC_ACE_FLAG_CONTAINER_INHERIT)) {
447 uint32_t win_ace_flags_creator;
448 DEBUG(10, ("Map creator owner\n"));
449 win_ace_flags_creator = win_ace_flags |
450 SMB_ACE4_INHERIT_ONLY_ACE;
451 init_sec_ace(&nt_ace_list[good_aces++],
452 &global_sid_Creator_Owner,
453 ace->aceType, mask,
454 win_ace_flags_creator);
455 }
456 if (ace->who.special_id == SMB_ACE4_WHO_GROUP &&
457 win_ace_flags & (SEC_ACE_FLAG_OBJECT_INHERIT |
458 SEC_ACE_FLAG_CONTAINER_INHERIT)) {
459 uint32_t win_ace_flags_creator;
460 DEBUG(10, ("Map creator owner group\n"));
461 win_ace_flags_creator = win_ace_flags |
462 SMB_ACE4_INHERIT_ONLY_ACE;
463 init_sec_ace(&nt_ace_list[good_aces++],
464 &global_sid_Creator_Group,
465 ace->aceType, mask,
466 win_ace_flags_creator);
467 }
468 } else {
469 DEBUG(10, ("Map normal sid\n"));
470 init_sec_ace(&nt_ace_list[good_aces++], &sid,
471 ace->aceType, mask,
472 win_ace_flags);
473 }
474 }
475
476 nt_ace_list = (struct security_ace *)TALLOC_REALLOC(mem_ctx,
477 nt_ace_list,
478 good_aces * sizeof(struct security_ace));
479 if (nt_ace_list == NULL) {
480 errno = ENOMEM;
481 return false;
482 }
483
484 *ppnt_ace_list = nt_ace_list;
485 *pgood_aces = good_aces;
486
487 return true;
488 }
489
490 static NTSTATUS smb_get_nt_acl_nfs4_common(const SMB_STRUCT_STAT *sbuf,
491 smbacl4_vfs_params *params,
492 uint32 security_info,
493 TALLOC_CTX *mem_ctx,
494 struct security_descriptor **ppdesc,
495 SMB4ACL_T *theacl)
496 {
497 int good_aces = 0;
498 struct dom_sid sid_owner, sid_group;
499 size_t sd_size = 0;
500 struct security_ace *nt_ace_list = NULL;
501 struct security_acl *psa = NULL;
502 TALLOC_CTX *frame = talloc_stackframe();
503
504 if (theacl==NULL || smb_get_naces(theacl)==0) {
505 TALLOC_FREE(frame);
506 return NT_STATUS_ACCESS_DENIED; /* special because we
507 * shouldn't alloc 0 for
508 * win */
509 }
510
511 uid_to_sid(&sid_owner, sbuf->st_ex_uid);
512 gid_to_sid(&sid_group, sbuf->st_ex_gid);
513
514 if (smbacl4_nfs42win(mem_ctx, params, theacl, &sid_owner, &sid_group,
515 S_ISDIR(sbuf->st_ex_mode),
516 &nt_ace_list, &good_aces)==false) {
517 DEBUG(8,("smbacl4_nfs42win failed\n"));
518 TALLOC_FREE(frame);
519 return map_nt_error_from_unix(errno);
520 }
521
522 psa = make_sec_acl(frame, NT4_ACL_REVISION, good_aces, nt_ace_list);
523 if (psa == NULL) {
524 DEBUG(2,("make_sec_acl failed\n"));
525 TALLOC_FREE(frame);
526 return NT_STATUS_NO_MEMORY;
527 }
528
529 DEBUG(10,("after make sec_acl\n"));
530 *ppdesc = make_sec_desc(
531 mem_ctx, SD_REVISION, SEC_DESC_SELF_RELATIVE,
532 (security_info & SECINFO_OWNER) ? &sid_owner : NULL,
533 (security_info & SECINFO_GROUP) ? &sid_group : NULL,
534 NULL, psa, &sd_size);
535 if (*ppdesc==NULL) {
536 DEBUG(2,("make_sec_desc failed\n"));
537 TALLOC_FREE(frame);
538 return NT_STATUS_NO_MEMORY;
539 }
540
541 DEBUG(10, ("smb_get_nt_acl_nfs4_common successfully exited with "
542 "sd_size %d\n",
543 (int)ndr_size_security_descriptor(*ppdesc, 0)));
544
545 TALLOC_FREE(frame);
546 return NT_STATUS_OK;
547 }
548
549 NTSTATUS smb_fget_nt_acl_nfs4(files_struct *fsp,
550 uint32 security_info,
551 TALLOC_CTX *mem_ctx,
552 struct security_descriptor **ppdesc,
553 SMB4ACL_T *theacl)
554 {
555 SMB_STRUCT_STAT sbuf;
556 smbacl4_vfs_params params;
557
558 DEBUG(10, ("smb_fget_nt_acl_nfs4 invoked for %s\n", fsp_str_dbg(fsp)));
559
560 if (smbacl4_fGetFileOwner(fsp, &sbuf)) {
561 return map_nt_error_from_unix(errno);
562 }
563
564 /* Special behaviours */
565 if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, fsp->conn, &params)) {
566 return NT_STATUS_NO_MEMORY;
567 }
568
569 return smb_get_nt_acl_nfs4_common(&sbuf, &params, security_info,
570 mem_ctx, ppdesc, theacl);
571 }
572
573 NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn,
574 const char *name,
575 uint32 security_info,
576 TALLOC_CTX *mem_ctx,
577 struct security_descriptor **ppdesc,
578 SMB4ACL_T *theacl)
579 {
580 SMB_STRUCT_STAT sbuf;
581 smbacl4_vfs_params params;
582
583 DEBUG(10, ("smb_get_nt_acl_nfs4 invoked for %s\n", name));
584
585 if (smbacl4_GetFileOwner(conn, name, &sbuf)) {
586 return map_nt_error_from_unix(errno);
587 }
588
589 /* Special behaviours */
590 if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, conn, &params)) {
591 return NT_STATUS_NO_MEMORY;
592 }
593
594 return smb_get_nt_acl_nfs4_common(&sbuf, &params, security_info,
595 mem_ctx, ppdesc, theacl);
596 }
597
598 static void smbacl4_dump_nfs4acl(int level, SMB4ACL_T *theacl)
599 {
600 SMB_ACL4_INT_T *aclint = get_validated_aclint(theacl);
601 SMB_ACE4_INT_T *aceint;
602
603 DEBUG(level, ("NFS4ACL: size=%d\n", aclint->naces));
604
605 for (aceint = aclint->first;
606 aceint!=NULL;
607 aceint=(SMB_ACE4_INT_T *)aceint->next) {
608 SMB_ACE4PROP_T *ace = &aceint->prop;
609
610 DEBUG(level, ("\tACE: type=%d, flags=0x%x, fflags=0x%x, "
611 "mask=0x%x, id=%d\n",
612 ace->aceType,
613 ace->aceFlags, ace->flags,
614 ace->aceMask,
615 ace->who.id));
616 }
617 }
618
619 /*
620 * Find 2 NFS4 who-special ACE property (non-copy!!!)
621 * match nonzero if "special" and who is equal
622 * return ace if found matching; otherwise NULL
623 */
624 static SMB_ACE4PROP_T *smbacl4_find_equal_special(
625 SMB4ACL_T *theacl,
626 SMB_ACE4PROP_T *aceNew)
627 {
628 SMB_ACL4_INT_T *aclint = get_validated_aclint(theacl);
629 SMB_ACE4_INT_T *aceint;
630
631 for (aceint = aclint->first; aceint != NULL;
632 aceint=(SMB_ACE4_INT_T *)aceint->next) {
633 SMB_ACE4PROP_T *ace = &aceint->prop;
634
635 DEBUG(10,("ace type:0x%x flags:0x%x aceFlags:0x%x "
636 "new type:0x%x flags:0x%x aceFlags:0x%x\n",
637 ace->aceType, ace->flags, ace->aceFlags,
638 aceNew->aceType, aceNew->flags,aceNew->aceFlags));
639
640 if (ace->flags == aceNew->flags &&
641 ace->aceType==aceNew->aceType &&
642 ace->aceFlags==aceNew->aceFlags)
643 {
644 /* keep type safety; e.g. gid is an u.short */
645 if (ace->flags & SMB_ACE4_ID_SPECIAL)
646 {
647 if (ace->who.special_id ==
648 aceNew->who.special_id)
649 return ace;
650 } else {
651 if (ace->aceFlags & SMB_ACE4_IDENTIFIER_GROUP)
652 {
653 if (ace->who.gid==aceNew->who.gid)
654 return ace;
655 } else {
656 if (ace->who.uid==aceNew->who.uid)
657 return ace;
658 }
659 }
660 }
661 }
662
663 return NULL;
664 }
665
666
667 static bool smbacl4_fill_ace4(
668 const struct smb_filename *filename,
669 smbacl4_vfs_params *params,
670 uid_t ownerUID,
671 gid_t ownerGID,
672 const struct security_ace *ace_nt, /* input */
673 SMB_ACE4PROP_T *ace_v4 /* output */
674 )
675 {
676 DEBUG(10, ("got ace for %s\n", sid_string_dbg(&ace_nt->trustee)));
677
678 memset(ace_v4, 0, sizeof(SMB_ACE4PROP_T));
679
680 /* only ACCESS|DENY supported right now */
681 ace_v4->aceType = ace_nt->type;
682
683 ace_v4->aceFlags = map_windows_ace_flags_to_nfs4_ace_flags(
684 ace_nt->flags);
685
686 /* remove inheritance flags on files */
687 if (VALID_STAT(filename->st) &&
688 !S_ISDIR(filename->st.st_ex_mode)) {
689 DEBUG(10, ("Removing inheritance flags from a file\n"));
690 ace_v4->aceFlags &= ~(SMB_ACE4_FILE_INHERIT_ACE|
691 SMB_ACE4_DIRECTORY_INHERIT_ACE|
692 SMB_ACE4_NO_PROPAGATE_INHERIT_ACE|
693 SMB_ACE4_INHERIT_ONLY_ACE);
694 }
695
696 ace_v4->aceMask = ace_nt->access_mask &
697 (SEC_STD_ALL | SEC_FILE_ALL);
698
699 se_map_generic(&ace_v4->aceMask, &file_generic_mapping);
700
701 if (ace_v4->aceFlags!=ace_nt->flags)
702 DEBUG(9, ("ace_v4->aceFlags(0x%x)!=ace_nt->flags(0x%x)\n",
703 ace_v4->aceFlags, ace_nt->flags));
704
705 if (ace_v4->aceMask!=ace_nt->access_mask)
706 DEBUG(9, ("ace_v4->aceMask(0x%x)!=ace_nt->access_mask(0x%x)\n",
707 ace_v4->aceMask, ace_nt->access_mask));
708
709 if (dom_sid_equal(&ace_nt->trustee, &global_sid_World)) {
710 ace_v4->who.special_id = SMB_ACE4_WHO_EVERYONE;
711 ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
712 } else if (params->mode!=e_special &&
713 dom_sid_equal(&ace_nt->trustee,
714 &global_sid_Creator_Owner)) {
715 DEBUG(10, ("Map creator owner\n"));
716 ace_v4->who.special_id = SMB_ACE4_WHO_OWNER;
717 ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
718 /* A non inheriting creator owner entry has no effect. */
719 ace_v4->aceFlags |= SMB_ACE4_INHERIT_ONLY_ACE;
720 if (!(ace_v4->aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE)
721 && !(ace_v4->aceFlags & SMB_ACE4_FILE_INHERIT_ACE)) {
722 return false;
723 }
724 } else if (params->mode!=e_special &&
725 dom_sid_equal(&ace_nt->trustee,
726 &global_sid_Creator_Group)) {
727 DEBUG(10, ("Map creator owner group\n"));
728 ace_v4->who.special_id = SMB_ACE4_WHO_GROUP;
729 ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
730 /* A non inheriting creator group entry has no effect. */
731 ace_v4->aceFlags |= SMB_ACE4_INHERIT_ONLY_ACE;
732 if (!(ace_v4->aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE)
733 && !(ace_v4->aceFlags & SMB_ACE4_FILE_INHERIT_ACE)) {
734 return false;
735 }
736 } else {
737 uid_t uid;
738 gid_t gid;
739
740 if (sid_to_gid(&ace_nt->trustee, &gid)) {
741 ace_v4->aceFlags |= SMB_ACE4_IDENTIFIER_GROUP;
742 ace_v4->who.gid = gid;
743 } else if (sid_to_uid(&ace_nt->trustee, &uid)) {
744 ace_v4->who.uid = uid;
745 } else {
746 DEBUG(1, ("nfs4_acls.c: file [%s]: could not "
747 "convert %s to uid or gid\n",
748 filename->base_name,
749 sid_string_dbg(&ace_nt->trustee)));
750 return false;
751 }
752 }
753
754 return true; /* OK */
755 }
756
757 static int smbacl4_MergeIgnoreReject(
758 enum smbacl4_acedup_enum acedup,
759 SMB4ACL_T *theacl, /* may modify it */
760 SMB_ACE4PROP_T *ace, /* the "new" ACE */
761 bool *paddNewACE,
762 int i
763 )
764 {
765 int result = 0;
766 SMB_ACE4PROP_T *ace4found = smbacl4_find_equal_special(theacl, ace);
767 if (ace4found)
768 {
769 switch(acedup)
770 {
771 case e_merge: /* "merge" flags */
772 *paddNewACE = false;
773 ace4found->aceFlags |= ace->aceFlags;
774 ace4found->aceMask |= ace->aceMask;
775 break;
776 case e_ignore: /* leave out this record */
777 *paddNewACE = false;
778 break;
779 case e_reject: /* do an error */
780 DEBUG(8, ("ACL rejected by duplicate nt ace#%d\n", i));
781 errno = EINVAL; /* SHOULD be set on any _real_ error */
782 result = -1;
783 break;
784 default:
785 break;
786 }
787 }
788 return result;
789 }
790
791 static int smbacl4_substitute_special(
792 SMB4ACL_T *theacl,
793 uid_t ownerUID,
794 gid_t ownerGID
795 )
796 {
797 SMB_ACL4_INT_T *aclint = get_validated_aclint(theacl);
798 SMB_ACE4_INT_T *aceint;
799
800 for(aceint = aclint->first; aceint!=NULL; aceint=(SMB_ACE4_INT_T *)aceint->next) {
801 SMB_ACE4PROP_T *ace = &aceint->prop;
802
803 DEBUG(10,("ace type: %d, iflags: %x, flags: %x, "
804 "mask: %x, who: %d\n",
805 ace->aceType, ace->flags, ace->aceFlags,
806 ace->aceMask, ace->who.id));
807
808 if (!(ace->flags & SMB_ACE4_ID_SPECIAL) &&
809 !(ace->aceFlags & SMB_ACE4_IDENTIFIER_GROUP) &&
810 ace->who.uid == ownerUID) {
811 ace->flags |= SMB_ACE4_ID_SPECIAL;
812 ace->who.special_id = SMB_ACE4_WHO_OWNER;
813 DEBUG(10,("replaced with special owner ace\n"));
814 }
815
816 if (!(ace->flags & SMB_ACE4_ID_SPECIAL) &&
817 ace->aceFlags & SMB_ACE4_IDENTIFIER_GROUP &&
818 ace->who.uid == ownerGID) {
819 ace->flags |= SMB_ACE4_ID_SPECIAL;
820 ace->who.special_id = SMB_ACE4_WHO_GROUP;
821 DEBUG(10,("replaced with special group ace\n"));
822 }
823 }
824 return true; /* OK */
825 }
826
827 static int smbacl4_substitute_simple(
828 SMB4ACL_T *theacl,
829 uid_t ownerUID,
830 gid_t ownerGID
831 )
832 {
833 SMB_ACL4_INT_T *aclint = get_validated_aclint(theacl);
834 SMB_ACE4_INT_T *aceint;
835
836 for(aceint = aclint->first; aceint!=NULL; aceint=(SMB_ACE4_INT_T *)aceint->next) {
837 SMB_ACE4PROP_T *ace = &aceint->prop;
838
839 DEBUG(10,("ace type: %d, iflags: %x, flags: %x, "
840 "mask: %x, who: %d\n",
841 ace->aceType, ace->flags, ace->aceFlags,
842 ace->aceMask, ace->who.id));
843
844 if (!(ace->flags & SMB_ACE4_ID_SPECIAL) &&
845 !(ace->aceFlags & SMB_ACE4_IDENTIFIER_GROUP) &&
846 ace->who.uid == ownerUID &&
847 !(ace->aceFlags & SMB_ACE4_INHERIT_ONLY_ACE) &&
848 !(ace->aceFlags & SMB_ACE4_FILE_INHERIT_ACE) &&
849 !(ace->aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE)) {
850 ace->flags |= SMB_ACE4_ID_SPECIAL;
851 ace->who.special_id = SMB_ACE4_WHO_OWNER;
852 DEBUG(10,("replaced with special owner ace\n"));
853 }
854
855 if (!(ace->flags & SMB_ACE4_ID_SPECIAL) &&
856 ace->aceFlags & SMB_ACE4_IDENTIFIER_GROUP &&
857 ace->who.uid == ownerGID &&
858 !(ace->aceFlags & SMB_ACE4_INHERIT_ONLY_ACE) &&
859 !(ace->aceFlags & SMB_ACE4_FILE_INHERIT_ACE) &&
860 !(ace->aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE)) {
861 ace->flags |= SMB_ACE4_ID_SPECIAL;
862 ace->who.special_id = SMB_ACE4_WHO_GROUP;
863 DEBUG(10,("replaced with special group ace\n"));
864 }
865 }
866 return true; /* OK */
867 }
868
869 static SMB4ACL_T *smbacl4_win2nfs4(
870 TALLOC_CTX *mem_ctx,
871 const files_struct *fsp,
872 const struct security_acl *dacl,
873 smbacl4_vfs_params *pparams,
874 uid_t ownerUID,
875 gid_t ownerGID
876 )
877 {
878 SMB4ACL_T *theacl;
879 uint32 i;
880 const char *filename = fsp->fsp_name->base_name;
881
882 DEBUG(10, ("smbacl4_win2nfs4 invoked\n"));
883
884 theacl = smb_create_smb4acl(mem_ctx);
885 if (theacl==NULL)
886 return NULL;
887
888 for(i=0; i<dacl->num_aces; i++) {
889 SMB_ACE4PROP_T ace_v4;
890 bool addNewACE = true;
891
892 if (!smbacl4_fill_ace4(fsp->fsp_name, pparams,
893 ownerUID, ownerGID,
894 dacl->aces + i, &ace_v4)) {
895 DEBUG(3, ("Could not fill ace for file %s, SID %s\n",
896 filename,
897 sid_string_dbg(&((dacl->aces+i)->trustee))));
898 continue;
899 }
900
901 if (pparams->acedup!=e_dontcare) {
902 if (smbacl4_MergeIgnoreReject(pparams->acedup, theacl,
903 &ace_v4, &addNewACE, i))
904 return NULL;
905 }
906
907 if (addNewACE)
908 smb_add_ace4(theacl, &ace_v4);
909 }
910
911 if (pparams->mode==e_simple) {
912 smbacl4_substitute_simple(theacl, ownerUID, ownerGID);
913 }
914
915 if (pparams->mode==e_special) {
916 smbacl4_substitute_special(theacl, ownerUID, ownerGID);
917 }
918
919 return theacl;
920 }
921
922 NTSTATUS smb_set_nt_acl_nfs4(vfs_handle_struct *handle, files_struct *fsp,
923 uint32 security_info_sent,
924 const struct security_descriptor *psd,
925 set_nfs4acl_native_fn_t set_nfs4_native)
926 {
927 smbacl4_vfs_params params;
928 SMB4ACL_T *theacl = NULL;
929 bool result;
930
931 SMB_STRUCT_STAT sbuf;
932 bool set_acl_as_root = false;
933 uid_t newUID = (uid_t)-1;
934 gid_t newGID = (gid_t)-1;
935 int saved_errno;
936 TALLOC_CTX *frame = talloc_stackframe();
937
938 DEBUG(10, ("smb_set_nt_acl_nfs4 invoked for %s\n", fsp_str_dbg(fsp)));
939
940 if ((security_info_sent & (SECINFO_DACL |
941 SECINFO_GROUP | SECINFO_OWNER)) == 0)
942 {
943 DEBUG(9, ("security_info_sent (0x%x) ignored\n",
944 security_info_sent));
945 TALLOC_FREE(frame);
946 return NT_STATUS_OK; /* won't show error - later to be
947 * refined... */
948 }
949
950 /* Special behaviours */
951 if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME,
952 fsp->conn, &params)) {
953 TALLOC_FREE(frame);
954 return NT_STATUS_NO_MEMORY;
955 }
956
957 if (smbacl4_fGetFileOwner(fsp, &sbuf)) {
958 TALLOC_FREE(frame);
959 return map_nt_error_from_unix(errno);
960 }
961
962 if (params.do_chown) {
963 /* chown logic is a copy/paste from posix_acl.c:set_nt_acl */
964 NTSTATUS status = unpack_nt_owners(fsp->conn, &newUID, &newGID,
965 security_info_sent, psd);
966 if (!NT_STATUS_IS_OK(status)) {
967 DEBUG(8, ("unpack_nt_owners failed"));
968 TALLOC_FREE(frame);
969 return status;
970 }
971 if (((newUID != (uid_t)-1) && (sbuf.st_ex_uid != newUID)) ||
972 ((newGID != (gid_t)-1) && (sbuf.st_ex_gid != newGID))) {
973
974 status = try_chown(fsp, newUID, newGID);
975 if (!NT_STATUS_IS_OK(status)) {
976 DEBUG(3,("chown %s, %u, %u failed. Error = "
977 "%s.\n", fsp_str_dbg(fsp),
978 (unsigned int)newUID,
979 (unsigned int)newGID,
980 nt_errstr(status)));
981 TALLOC_FREE(frame);
982 return status;
983 }
984
985 DEBUG(10,("chown %s, %u, %u succeeded.\n",
986 fsp_str_dbg(fsp), (unsigned int)newUID,
987 (unsigned int)newGID));
988 if (smbacl4_GetFileOwner(fsp->conn,
989 fsp->fsp_name->base_name,
990 &sbuf)){
991 TALLOC_FREE(frame);
992 return map_nt_error_from_unix(errno);
993 }
994
995 /* If we successfully chowned, we know we must
996 * be able to set the acl, so do it as root.
997 */
998 set_acl_as_root = true;
999 }
1000 }
1001
1002 if (!(security_info_sent & SECINFO_DACL) || psd->dacl ==NULL) {
1003 DEBUG(10, ("no dacl found; security_info_sent = 0x%x\n",
1004 security_info_sent));
1005 TALLOC_FREE(frame);
1006 return NT_STATUS_OK;
1007 }
1008
1009 theacl = smbacl4_win2nfs4(frame, fsp, psd->dacl, &params,
1010 sbuf.st_ex_uid, sbuf.st_ex_gid);
1011 if (!theacl) {
1012 TALLOC_FREE(frame);
1013 return map_nt_error_from_unix(errno);
1014 }
1015
1016 smbacl4_dump_nfs4acl(10, theacl);
1017
1018 if (set_acl_as_root) {
1019 become_root();
1020 }
1021 result = set_nfs4_native(handle, fsp, theacl);
1022 saved_errno = errno;
1023 if (set_acl_as_root) {
1024 unbecome_root();
1025 }
1026
1027 TALLOC_FREE(frame);
1028
1029 if (result!=true) {
1030 errno = saved_errno;
1031 DEBUG(10, ("set_nfs4_native failed with %s\n",
1032 strerror(errno)));
1033 return map_nt_error_from_unix(errno);
1034 }
1035
1036 DEBUG(10, ("smb_set_nt_acl_nfs4 succeeded\n"));
1037 return NT_STATUS_OK;
1038 }
Samba GIT mirror