search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r1861: syncing the DOS client fix, volker's vfs module, & updating release notes...
[Samba.git] / source / modules / vfs_afsacl.c
blobcd10dc71c2e29a8a2bc38db95f6b1cbe2bf4f68c
1 /*
2 * Convert AFS acls to NT acls and vice versa.
3 *
4 * Copyright (C) Volker Lendecke, 2003
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19 */
20
21 #include "includes.h"
22
23 #undef DBGC_CLASS
24 #define DBGC_CLASS DBGC_VFS
25
26 #include <afs/stds.h>
27 #include <afs/afs.h>
28 #include <afs/auth.h>
29 #include <afs/venus.h>
30 #include <afs/prs_fs.h>
31
32 #define MAXSIZE 2048
33
34 extern DOM_SID global_sid_World;
35 extern DOM_SID global_sid_Builtin_Administrators;
36 extern DOM_SID global_sid_Builtin_Backup_Operators;
37 extern DOM_SID global_sid_Authenticated_Users;
38 extern DOM_SID global_sid_NULL;
39
40 extern int afs_syscall(int, char *, int, char *, int);
41
42 struct afs_ace {
43 BOOL positive;
44 char *name;
45 DOM_SID sid;
46 enum SID_NAME_USE type;
47 uint32 rights;
48 struct afs_ace *next;
49 };
50
51 struct afs_acl {
52 TALLOC_CTX *ctx;
53 int type;
54 int num_aces;
55 struct afs_ace *acelist;
56 };
57
58 struct afs_iob {
59 char *in, *out;
60 uint16 in_size, out_size;
61 };
62
63
64 static BOOL init_afs_acl(struct afs_acl *acl)
65 {
66 ZERO_STRUCT(*acl);
67 acl->ctx = talloc_init("afs_acl");
68 if (acl->ctx == NULL) {
69 DEBUG(10, ("Could not init afs_acl"));
70 return False;
71 }
72 return True;
73 }
74
75 static void free_afs_acl(struct afs_acl *acl)
76 {
77 if (acl->ctx != NULL)
78 talloc_destroy(acl->ctx);
79 acl->ctx = NULL;
80 acl->num_aces = 0;
81 acl->acelist = NULL;
82 }
83
84 static struct afs_ace *clone_afs_ace(TALLOC_CTX *mem_ctx, struct afs_ace *ace)
85 {
86 struct afs_ace *result = talloc(mem_ctx, sizeof(struct afs_ace));
87
88 if (result == NULL)
89 return NULL;
90
91 *result = *ace;
92
93 result->next = NULL;
94 result->name = talloc_strdup(mem_ctx, ace->name);
95
96 if (result->name == NULL) {
97 return NULL;
98 }
99
100 return result;
101 }
102
103
104 /* Ok, this is sort-of a hack. We assume here that we have winbind users in
105 * AFS. And yet another copy of parse_domain_user.... */
106
107 static BOOL parse_domain_user(const char *domuser, fstring domain,
108 fstring user)
109 {
110 char *p = strchr(domuser,*lp_winbind_separator());
111
112 if (p==NULL) {
113 return False;
114 }
115
116 fstrcpy(user, p+1);
117 fstrcpy(domain, domuser);
118 domain[PTR_DIFF(p, domuser)] = 0;
119 strupper_m(domain);
120
121 return True;
122 }
123
124 static struct afs_ace *new_afs_ace(TALLOC_CTX *mem_ctx,
125 BOOL positive,
126 const char *name, uint32 rights)
127 {
128 DOM_SID sid;
129 enum SID_NAME_USE type;
130 struct afs_ace *result;
131
132 if (strcmp(name, "system:administrators") == 0) {
133
134 sid_copy(&sid, &global_sid_Builtin_Administrators);
135 type = SID_NAME_ALIAS;
136
137 } else if (strcmp(name, "system:anyuser") == 0) {
138
139 sid_copy(&sid, &global_sid_World);
140 type = SID_NAME_ALIAS;
141
142 } else if (strcmp(name, "system:authuser") == 0) {
143
144 sid_copy(&sid, &global_sid_Authenticated_Users);
145 type = SID_NAME_WKN_GRP;
146
147 } else if (strcmp(name, "system:backup") == 0) {
148
149 sid_copy(&sid, &global_sid_Builtin_Backup_Operators);
150 type = SID_NAME_ALIAS;
151
152 } else {
153
154 fstring user, domain;
155
156 if (!parse_domain_user(name, domain, user)) {
157 fstrcpy(user, name);
158 fstrcpy(domain, lp_workgroup());
159 }
160
161 if (!lookup_name(domain, user, &sid, &type)) {
162 DEBUG(10, ("Could not find AFS user %s\n", name));
163
164 sid_copy(&sid, &global_sid_NULL);
165 type = SID_NAME_UNKNOWN;
166
167 }
168 }
169
170 result = talloc(mem_ctx, sizeof(struct afs_ace));
171
172 if (result == NULL) {
173 DEBUG(0, ("Could not talloc AFS ace\n"));
174 return NULL;
175 }
176
177 result->name = talloc_strdup(mem_ctx, name);
178 if (result->name == NULL) {
179 DEBUG(0, ("Could not talloc AFS ace name\n"));
180 return NULL;
181 }
182
183 result->sid = sid;
184 result->type = type;
185
186 result->positive = positive;
187 result->rights = rights;
188
189 return result;
190 }
191
192 static void add_afs_ace(struct afs_acl *acl,
193 BOOL positive,
194 const char *name, uint32 rights)
195 {
196 struct afs_ace *ace;
197
198 for (ace = acl->acelist; ace != NULL; ace = ace->next) {
199 if ((ace->positive == positive) &&
200 (strequal(ace->name, name))) {
201 ace->rights |= rights;
202 return;
203 }
204 }
205
206 ace = new_afs_ace(acl->ctx, positive, name, rights);
207
208 ace->next = acl->acelist;
209 acl->acelist = ace;
210
211 acl->num_aces += 1;
212
213 DEBUG(10, ("add_afs_ace: Added %s entry for %s with rights %d\n",
214 ace->positive?"positive":"negative",
215 ace->name, ace->rights));
216
217 return;
218 }
219
220 /* AFS ACLs in string form are a long string of fields delimited with \n.
221 *
222 * First line: Number of positive entries
223 * Second line: Number of negative entries
224 * Third and following lines: The entries themselves
225 *
226 * An ACE is a line of two fields, delimited by \t.
227 *
228 * First field: Name
229 * Second field: Rights
230 */
231
232 static BOOL parse_afs_acl(struct afs_acl *acl, const char *acl_str)
233 {
234 int nplus, nminus;
235 int aces;
236
237 char str[MAXSIZE+1];
238 char *p = str;
239
240 strncpy(str, acl_str, MAXSIZE);
241
242 if (sscanf(p, "%d", &nplus) != 1)
243 return False;
244
245 DEBUG(10, ("Found %d positive entries\n", nplus));
246
247 if ((p = strchr(p, '\n')) == NULL)
248 return False;
249 p += 1;
250
251 if (sscanf(p, "%d", &nminus) != 1)
252 return False;
253
254 DEBUG(10, ("Found %d negative entries\n", nminus));
255
256 if ((p = strchr(p, '\n')) == NULL)
257 return False;
258 p += 1;
259
260 for (aces = nplus+nminus; aces > 0; aces--)
261 {
262
263 const char *name;
264 uint32 rights;
265
266 name = p;
267
268 if ((p = strchr(p, '\t')) == NULL)
269 return False;
270 *p = '\0';
271 p += 1;
272
273 if (sscanf(p, "%d", &rights) != 1)
274 return False;
275
276 if ((p = strchr(p, '\n')) == NULL)
277 return False;
278 p += 1;
279
280 add_afs_ace(acl, nplus>0, name, rights);
281
282 nplus -= 1;
283 }
284
285 return True;
286 }
287
288 static BOOL unparse_afs_acl(struct afs_acl *acl, char *acl_str)
289 {
290 /* TODO: String length checks!!!! */
291
292 int positives = 0;
293 int negatives = 0;
294 fstring line;
295
296 *acl_str = 0;
297
298 struct afs_ace *ace = acl->acelist;
299
300 while (ace != NULL) {
301 if (ace->positive)
302 positives++;
303 else
304 negatives++;
305 ace = ace->next;
306 }
307
308 fstr_sprintf(line, "%d\n", positives);
309 safe_strcat(acl_str, line, MAXSIZE);
310
311 fstr_sprintf(line, "%d\n", negatives);
312 safe_strcat(acl_str, line, MAXSIZE);
313
314 ace = acl->acelist;
315
316 while (ace != NULL) {
317 fstr_sprintf(line, "%s\t%d\n", ace->name, ace->rights);
318 safe_strcat(acl_str, line, MAXSIZE);
319 ace = ace->next;
320 }
321 return True;
322 }
323
324 static uint32 afs_to_nt_file_rights(uint32 rights)
325 {
326 uint32 result = 0;
327
328 if (rights & PRSFS_READ)
329 result |= FILE_READ_DATA | FILE_READ_EA |
330 FILE_EXECUTE | FILE_READ_ATTRIBUTES |
331 READ_CONTROL_ACCESS | SYNCHRONIZE_ACCESS;
332
333 if (rights & PRSFS_WRITE)
334 result |= FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES |
335 FILE_WRITE_EA | FILE_APPEND_DATA;
336
337 if (rights & PRSFS_LOCK)
338 result |= WRITE_OWNER_ACCESS;
339
340 if (rights & PRSFS_DELETE)
341 result |= DELETE_ACCESS;
342
343 return result;
344 }
345
346 static void afs_to_nt_dir_rights(uint32 afs_rights, uint32 *nt_rights,
347 uint8 *flag)
348 {
349 *nt_rights = 0;
350 *flag = SEC_ACE_FLAG_OBJECT_INHERIT |
351 SEC_ACE_FLAG_CONTAINER_INHERIT;
352
353 if (afs_rights & PRSFS_INSERT)
354 *nt_rights |= FILE_ADD_FILE | FILE_ADD_SUBDIRECTORY;
355
356 if (afs_rights & PRSFS_LOOKUP)
357 *nt_rights |= FILE_READ_DATA | FILE_READ_EA |
358 FILE_EXECUTE | FILE_READ_ATTRIBUTES |
359 READ_CONTROL_ACCESS | SYNCHRONIZE_ACCESS;
360
361 if (afs_rights & PRSFS_WRITE)
362 *nt_rights |= FILE_WRITE_ATTRIBUTES | FILE_WRITE_DATA |
363 FILE_APPEND_DATA | FILE_WRITE_EA;
364
365 if ((afs_rights & (PRSFS_INSERT|PRSFS_LOOKUP|PRSFS_DELETE)) ==
366 (PRSFS_INSERT|PRSFS_LOOKUP|PRSFS_DELETE))
367 *nt_rights |= FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA |
368 GENERIC_WRITE_ACCESS;
369
370 if (afs_rights & PRSFS_DELETE)
371 *nt_rights |= DELETE_ACCESS;
372
373 if (afs_rights & PRSFS_ADMINISTER)
374 *nt_rights |= FILE_DELETE_CHILD | WRITE_DAC_ACCESS |
375 WRITE_OWNER_ACCESS;
376
377 if ( (afs_rights & PRSFS_LOOKUP) ==
378 (afs_rights & (PRSFS_LOOKUP|PRSFS_READ)) ) {
379 /* Only lookup right */
380 *flag = SEC_ACE_FLAG_CONTAINER_INHERIT;
381 }
382
383 return;
384 }
385
386 #define AFS_FILE_RIGHTS (PRSFS_READ|PRSFS_WRITE|PRSFS_LOCK)
387 #define AFS_DIR_RIGHTS (PRSFS_INSERT|PRSFS_LOOKUP|PRSFS_DELETE|PRSFS_ADMINISTER)
388
389 static void split_afs_acl(struct afs_acl *acl,
390 struct afs_acl *dir_acl,
391 struct afs_acl *file_acl)
392 {
393 struct afs_ace *ace;
394
395 init_afs_acl(dir_acl);
396 init_afs_acl(file_acl);
397
398 for (ace = acl->acelist; ace != NULL; ace = ace->next) {
399 if (ace->rights & AFS_FILE_RIGHTS) {
400 add_afs_ace(file_acl, ace->positive, ace->name,
401 ace->rights & AFS_FILE_RIGHTS);
402 }
403
404 if (ace->rights & AFS_DIR_RIGHTS) {
405 add_afs_ace(dir_acl, ace->positive, ace->name,
406 ace->rights & AFS_DIR_RIGHTS);
407 }
408 }
409 return;
410 }
411
412 static BOOL same_principal(struct afs_ace *x, struct afs_ace *y)
413 {
414 return ( (x->positive == y->positive) &&
415 (sid_compare(&x->sid, &y->sid) == 0) );
416 }
417
418 static void merge_afs_acls(struct afs_acl *dir_acl,
419 struct afs_acl *file_acl,
420 struct afs_acl *target)
421 {
422 struct afs_ace *ace;
423
424 init_afs_acl(target);
425
426 for (ace = dir_acl->acelist; ace != NULL; ace = ace->next) {
427 struct afs_ace *file_ace;
428 BOOL found = False;
429
430 for (file_ace = file_acl->acelist;
431 file_ace != NULL;
432 file_ace = file_ace->next) {
433 if (!same_principal(ace, file_ace))
434 continue;
435
436 add_afs_ace(target, ace->positive, ace->name,
437 ace->rights | file_ace->rights);
438 found = True;
439 break;
440 }
441 if (!found)
442 add_afs_ace(target, ace->positive, ace->name,
443 ace->rights);
444 }
445
446 for (ace = file_acl->acelist; ace != NULL; ace = ace->next) {
447 struct afs_ace *dir_ace;
448 BOOL already_seen = False;
449
450 for (dir_ace = dir_acl->acelist;
451 dir_ace != NULL;
452 dir_ace = dir_ace->next) {
453 if (!same_principal(ace, dir_ace))
454 continue;
455 already_seen = True;
456 break;
457 }
458 if (!already_seen)
459 add_afs_ace(target, ace->positive, ace->name,
460 ace->rights);
461 }
462 }
463
464 #define PERMS_READ 0x001200a9
465 #define PERMS_CHANGE 0x001301bf
466 #define PERMS_FULL 0x001f01ff
467
468 static struct static_dir_ace_mapping {
469 uint8 type;
470 uint8 flags;
471 uint32 mask;
472 uint32 afs_rights;
473 } ace_mappings[] = {
474
475 /* Full control */
476 { 0, SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT,
477 PERMS_FULL, 127 /* rlidwka */ },
478
479 /* Change (write) */
480 { 0, SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT,
481 PERMS_CHANGE, 63 /* rlidwk */ },
482
483 /* Read (including list folder content) */
484 { 0, SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT,
485 PERMS_READ, 9 /* rl */ },
486
487 /* Read without list folder content -- same as "l" */
488 { 0, SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT,
489 0x00120089, 8 /* l */ },
490
491 /* List folder */
492 { 0, SEC_ACE_FLAG_CONTAINER_INHERIT,
493 PERMS_READ, 8 /* l */ },
494
495 /* FULL without inheritance -- in all cases here we also get
496 the corresponding INHERIT_ONLY ACE in the same ACL */
497 { 0, 0, PERMS_FULL, 127 /* rlidwka */ },
498
499 /* FULL inherit only -- counterpart to previous one */
500 { 0, SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY,
501 PERMS_FULL | GENERIC_RIGHT_WRITE_ACCESS, 127 /* rlidwka */ },
502
503 /* CHANGE without inheritance -- in all cases here we also get
504 the corresponding INHERIT_ONLY ACE in the same ACL */
505 { 0, 0, PERMS_CHANGE, 63 /* rlidwk */ },
506
507 /* CHANGE inherit only -- counterpart to previous one */
508 { 0, SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY,
509 PERMS_CHANGE | GENERIC_RIGHT_WRITE_ACCESS, 63 /* rlidwk */ },
510
511 /* End marker, hopefully there's no afs right 9999 :-) */
512 { 0, 0, 0, 9999 }
513 };
514
515 static uint32 nt_to_afs_dir_rights(const char *filename, const SEC_ACE *ace)
516 {
517 uint32 result = 0;
518 uint32 rights = ace->info.mask;
519 uint8 flags = ace->flags;
520
521 struct static_dir_ace_mapping *m;
522
523 for (m = &ace_mappings[0]; m->afs_rights != 9999; m++) {
524 if ( (ace->type == m->type) &&
525 (ace->flags == m->flags) &&
526 (ace->info.mask == m->mask) )
527 return m->afs_rights;
528 }
529
530 DEBUG(1, ("AFSACL FALLBACK: 0x%X 0x%X 0x%X %s\n",
531 ace->type, ace->flags, ace->info.mask, filename));
532
533 if (rights & (GENERIC_ALL_ACCESS|WRITE_DAC_ACCESS)) {
534 result |= PRSFS_READ | PRSFS_WRITE | PRSFS_INSERT |
535 PRSFS_LOOKUP | PRSFS_DELETE | PRSFS_LOCK |
536 PRSFS_ADMINISTER;
537 }
538
539 if (rights & (GENERIC_READ_ACCESS|FILE_READ_DATA)) {
540 result |= PRSFS_LOOKUP;
541 if (flags & SEC_ACE_FLAG_OBJECT_INHERIT) {
542 result |= PRSFS_READ;
543 }
544 }
545
546 if (rights & (GENERIC_WRITE_ACCESS|FILE_WRITE_DATA)) {
547 result |= PRSFS_INSERT | PRSFS_DELETE;
548 if (flags & SEC_ACE_FLAG_OBJECT_INHERIT) {
549 result |= PRSFS_WRITE | PRSFS_LOCK;
550 }
551 }
552
553 return result;
554 }
555
556 static uint32 nt_to_afs_file_rights(const char *filename, const SEC_ACE *ace)
557 {
558 uint32 result = 0;
559 uint32 rights = ace->info.mask;
560
561 if (rights & (GENERIC_READ_ACCESS|FILE_READ_DATA)) {
562 result |= PRSFS_READ;
563 }
564
565 if (rights & (GENERIC_WRITE_ACCESS|FILE_WRITE_DATA)) {
566 result |= PRSFS_WRITE | PRSFS_LOCK;
567 }
568
569 return result;
570 }
571
572 static size_t afs_to_nt_acl(struct afs_acl *afs_acl,
573 struct files_struct *fsp,
574 uint32 security_info,
575 struct security_descriptor_info **ppdesc)
576 {
577 SEC_ACE *nt_ace_list;
578 DOM_SID owner_sid, group_sid;
579 SEC_ACCESS mask;
580 SMB_STRUCT_STAT sbuf;
581 SEC_ACL *psa = NULL;
582 int good_aces;
583 size_t sd_size;
584 TALLOC_CTX *mem_ctx = main_loop_talloc_get();
585
586 struct afs_ace *afs_ace;
587
588 if (fsp->is_directory || fsp->fd == -1) {
589 /* Get the stat struct for the owner info. */
590 if(SMB_VFS_STAT(fsp->conn,fsp->fsp_name, &sbuf) != 0) {
591 return 0;
592 }
593 } else {
594 if(SMB_VFS_FSTAT(fsp,fsp->fd,&sbuf) != 0) {
595 return 0;
596 }
597 }
598
599 uid_to_sid(&owner_sid, sbuf.st_uid);
600 gid_to_sid(&group_sid, sbuf.st_gid);
601
602 nt_ace_list = (SEC_ACE *)malloc(afs_acl->num_aces * sizeof(SEC_ACE));
603
604 if (nt_ace_list == NULL)
605 return 0;
606
607 afs_ace = afs_acl->acelist;
608 good_aces = 0;
609
610 while (afs_ace != NULL) {
611 uint32 nt_rights;
612 uint8 flag = SEC_ACE_FLAG_OBJECT_INHERIT |
613 SEC_ACE_FLAG_CONTAINER_INHERIT;
614
615 if (afs_ace->type == SID_NAME_UNKNOWN) {
616 DEBUG(10, ("Ignoring unknown name %s\n",
617 afs_ace->name));
618 afs_ace = afs_ace->next;
619 continue;
620 }
621
622 if (fsp->is_directory)
623 afs_to_nt_dir_rights(afs_ace->rights, &nt_rights,
624 &flag);
625 else
626 nt_rights = afs_to_nt_file_rights(afs_ace->rights);
627
628 init_sec_access(&mask, nt_rights);
629 init_sec_ace(&nt_ace_list[good_aces++], &(afs_ace->sid),
630 SEC_ACE_TYPE_ACCESS_ALLOWED, mask, flag);
631 afs_ace = afs_ace->next;
632 }
633
634 psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION,
635 good_aces, nt_ace_list);
636 if (psa == NULL)
637 return 0;
638
639
640 *ppdesc = make_sec_desc(mem_ctx, SEC_DESC_REVISION,
641 SEC_DESC_SELF_RELATIVE,
642 (security_info & OWNER_SECURITY_INFORMATION)
643 ? &owner_sid : NULL,
644 (security_info & GROUP_SECURITY_INFORMATION)
645 ? &group_sid : NULL,
646 NULL, psa, &sd_size);
647
648 return sd_size;
649 }
650
651 static BOOL mappable_sid(const DOM_SID *sid)
652 {
653 DOM_SID domain_sid;
654
655 if (sid_compare(sid, &global_sid_Builtin_Administrators) == 0)
656 return True;
657
658 if (sid_compare(sid, &global_sid_World) == 0)
659 return True;
660
661 if (sid_compare(sid, &global_sid_Authenticated_Users) == 0)
662 return True;
663
664 if (sid_compare(sid, &global_sid_Builtin_Backup_Operators) == 0)
665 return True;
666
667 string_to_sid(&domain_sid, "S-1-5-21");
668
669 if (sid_compare_domain(sid, &domain_sid) == 0)
670 return True;
671
672 return False;
673 }
674
675 static BOOL nt_to_afs_acl(const char *filename,
676 uint32 security_info_sent,
677 struct security_descriptor_info *psd,
678 uint32 (*nt_to_afs_rights)(const char *filename,
679 const SEC_ACE *ace),
680 struct afs_acl *afs_acl)
681 {
682 SEC_ACL *dacl;
683 int i;
684
685 /* Currently we *only* look at the dacl */
686
687 if (((security_info_sent & DACL_SECURITY_INFORMATION) == 0) ||
688 (psd->dacl == NULL))
689 return True;
690
691 if (!init_afs_acl(afs_acl))
692 return False;
693
694 dacl = psd->dacl;
695
696 for (i = 0; i < dacl->num_aces; i++) {
697 SEC_ACE *ace = &(dacl->ace[i]);
698 fstring dom_name;
699 fstring name;
700 enum SID_NAME_USE name_type;
701
702 if (ace->type != SEC_ACE_TYPE_ACCESS_ALLOWED) {
703 /* First cut: Only positive ACEs */
704 return False;
705 }
706
707 if (!mappable_sid(&ace->trustee)) {
708 DEBUG(10, ("Ignoring unmappable SID %s\n",
709 sid_string_static(&ace->trustee)));
710 continue;
711 }
712
713 if (sid_compare(&ace->trustee,
714 &global_sid_Builtin_Administrators) == 0) {
715
716 fstrcpy(name, "system:administrators");
717
718 } else if (sid_compare(&ace->trustee,
719 &global_sid_World) == 0) {
720
721 fstrcpy(name, "system:anyuser");
722
723 } else if (sid_compare(&ace->trustee,
724 &global_sid_Authenticated_Users) == 0) {
725
726 fstrcpy(name, "system:authuser");
727
728 } else if (sid_compare(&ace->trustee,
729 &global_sid_Builtin_Backup_Operators)
730 == 0) {
731
732 fstrcpy(name, "system:backup");
733
734 } else {
735
736 if (!lookup_sid(&ace->trustee,
737 dom_name, name, &name_type)) {
738 DEBUG(1, ("AFSACL: Could not lookup SID %s on file %s\n",
739 sid_string_static(&ace->trustee), filename));
740 continue;
741 }
742
743 if ( (name_type == SID_NAME_USER) ||
744 (name_type == SID_NAME_DOM_GRP) ||
745 (name_type == SID_NAME_ALIAS) ) {
746 fstring only_username;
747 fstrcpy(only_username, name);
748 fstr_sprintf(name, "%s%s%s",
749 dom_name, lp_winbind_separator(),
750 only_username);
751 strlower_m(name);
752 }
753 }
754
755 add_afs_ace(afs_acl, True, name,
756 nt_to_afs_rights(filename, ace));
757 }
758
759 return True;
760 }
761
762 static BOOL afs_get_afs_acl(char *filename, struct afs_acl *acl)
763 {
764 struct afs_iob iob;
765
766 int ret;
767
768 char space[MAXSIZE];
769
770 DEBUG(5, ("afs_get_afs_acl: %s\n", filename));
771
772 iob.in_size = 0;
773 iob.out_size = MAXSIZE;
774 iob.in = iob.out = space;
775
776 ret = afs_syscall(AFSCALL_PIOCTL, filename, VIOCGETAL,
777 (char *)&iob, 0);
778
779 if (ret) {
780 DEBUG(1, ("got error from PIOCTL: %d\n", ret));
781 return False;
782 }
783
784 if (!init_afs_acl(acl))
785 return False;
786
787 if (!parse_afs_acl(acl, space)) {
788 DEBUG(1, ("Could not parse AFS acl\n"));
789 free_afs_acl(acl);
790 return False;
791 }
792
793 return True;
794 }
795
796 static size_t afs_get_nt_acl(struct files_struct *fsp, uint32 security_info,
797 struct security_descriptor_info **ppdesc)
798 {
799 struct afs_acl acl;
800 size_t sd_size;
801
802 DEBUG(5, ("afs_get_nt_acl: %s\n", fsp->fsp_name));
803
804 if (!afs_get_afs_acl(fsp->fsp_name, &acl)) {
805 return 0;
806 }
807
808 sd_size = afs_to_nt_acl(&acl, fsp, security_info, ppdesc);
809
810 free_afs_acl(&acl);
811
812 return sd_size;
813 }
814
815 /* For setting an AFS ACL we have to take care of the ACEs we could
816 * not properly map to SIDs. Merge all of them into the new ACL. */
817
818 static void merge_unknown_aces(struct afs_acl *src, struct afs_acl *dst)
819 {
820 struct afs_ace *ace;
821
822 for (ace = src->acelist; ace != NULL; ace = ace->next)
823 {
824 struct afs_ace *copy;
825
826 if (ace->type != SID_NAME_UNKNOWN) {
827 DEBUG(10, ("Not merging known ACE for %s\n",
828 ace->name));
829 continue;
830 }
831
832 DEBUG(10, ("Merging unknown ACE for %s\n", ace->name));
833
834 copy = clone_afs_ace(dst->ctx, ace);
835
836 if (copy == NULL) {
837 DEBUG(0, ("Could not clone ACE for %s\n", ace->name));
838 continue;
839 }
840
841 copy->next = dst->acelist;
842 dst->acelist = copy;
843 dst->num_aces += 1;
844 }
845 }
846
847 static BOOL afs_set_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
848 uint32 security_info_sent,
849 struct security_descriptor_info *psd)
850 {
851 struct afs_acl old_afs_acl, new_afs_acl;
852 struct afs_acl dir_acl, file_acl;
853 char acl_string[2049];
854 struct afs_iob iob;
855 int ret = -1;
856 pstring name;
857 const char *fileacls;
858
859 fileacls = lp_parm_const_string(SNUM(handle->conn), "afsacl", "fileacls",
860 "yes");
861
862 ZERO_STRUCT(old_afs_acl);
863 ZERO_STRUCT(new_afs_acl);
864 ZERO_STRUCT(dir_acl);
865 ZERO_STRUCT(file_acl);
866
867 pstr_sprintf(name, fsp->fsp_name);
868
869 if (!fsp->is_directory) {
870 char *p = strrchr(name, '/');
871 if (p == NULL) {
872 DEBUG(3, ("No / in file string\n"));
873 return False;
874 }
875 *p = '\0';
876 }
877
878 if (!afs_get_afs_acl(name, &old_afs_acl)) {
879 DEBUG(3, ("Could not get old ACL of %s\n", fsp->fsp_name));
880 goto done;
881 }
882
883 split_afs_acl(&old_afs_acl, &dir_acl, &file_acl);
884
885 if (fsp->is_directory) {
886
887 if (!strequal(fileacls, "yes")) {
888 /* Throw away file acls, we depend on the
889 * inheritance ACEs that also give us file
890 * permissions */
891 free_afs_acl(&file_acl);
892 }
893
894 free_afs_acl(&dir_acl);
895 if (!nt_to_afs_acl(fsp->fsp_name, security_info_sent, psd,
896 nt_to_afs_dir_rights, &dir_acl))
897 goto done;
898 } else {
899 if (strequal(fileacls, "no")) {
900 ret = -1;
901 goto done;
902 }
903
904 if (strequal(fileacls, "ignore")) {
905 ret = 0;
906 goto done;
907 }
908
909 free_afs_acl(&file_acl);
910 if (!nt_to_afs_acl(fsp->fsp_name, security_info_sent, psd,
911 nt_to_afs_file_rights, &file_acl))
912 goto done;
913 }
914
915 merge_afs_acls(&dir_acl, &file_acl, &new_afs_acl);
916
917 merge_unknown_aces(&old_afs_acl, &new_afs_acl);
918
919 unparse_afs_acl(&new_afs_acl, acl_string);
920
921 iob.in = acl_string;
922 iob.in_size = 1+strlen(iob.in);
923 iob.out = NULL;
924 iob.out_size = 0;
925
926 DEBUG(10, ("trying to set acl '%s' on file %s\n", iob.in, name));
927
928 ret = afs_syscall(AFSCALL_PIOCTL, name, VIOCSETAL, (char *)&iob, 0);
929
930 if (ret != 0) {
931 DEBUG(10, ("VIOCSETAL returned %d\n", ret));
932 }
933
934 done:
935 free_afs_acl(&dir_acl);
936 free_afs_acl(&file_acl);
937 free_afs_acl(&old_afs_acl);
938 free_afs_acl(&new_afs_acl);
939
940 return (ret == 0);
941 }
942
943 static size_t afsacl_fget_nt_acl(struct vfs_handle_struct *handle,
944 struct files_struct *fsp,
945 int fd, uint32 security_info,
946 struct security_descriptor_info **ppdesc)
947 {
948 return afs_get_nt_acl(fsp, security_info, ppdesc);
949 }
950 static size_t afsacl_get_nt_acl(struct vfs_handle_struct *handle,
951 struct files_struct *fsp,
952 const char *name, uint32 security_info,
953 struct security_descriptor_info **ppdesc)
954 {
955 return afs_get_nt_acl(fsp, security_info, ppdesc);
956 }
957
958 BOOL afsacl_fset_nt_acl(vfs_handle_struct *handle,
959 files_struct *fsp,
960 int fd, uint32 security_info_sent,
961 SEC_DESC *psd)
962 {
963 return afs_set_nt_acl(handle, fsp, security_info_sent, psd);
964 }
965
966 BOOL afsacl_set_nt_acl(vfs_handle_struct *handle,
967 files_struct *fsp,
968 const char *name, uint32 security_info_sent,
969 SEC_DESC *psd)
970 {
971 return afs_set_nt_acl(handle, fsp, security_info_sent, psd);
972 }
973
974 /* VFS operations structure */
975
976 static vfs_op_tuple afsacl_ops[] = {
977 {SMB_VFS_OP(afsacl_fget_nt_acl), SMB_VFS_OP_FGET_NT_ACL,
978 SMB_VFS_LAYER_TRANSPARENT},
979 {SMB_VFS_OP(afsacl_get_nt_acl), SMB_VFS_OP_GET_NT_ACL,
980 SMB_VFS_LAYER_TRANSPARENT},
981 {SMB_VFS_OP(afsacl_fset_nt_acl), SMB_VFS_OP_FSET_NT_ACL,
982 SMB_VFS_LAYER_TRANSPARENT},
983 {SMB_VFS_OP(afsacl_set_nt_acl), SMB_VFS_OP_SET_NT_ACL,
984 SMB_VFS_LAYER_TRANSPARENT},
985 {SMB_VFS_OP(NULL), SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP}
986 };
987
988 NTSTATUS vfs_afsacl_init(void)
989 {
990 return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "afsacl",
991 afsacl_ops);
992 }
Samba GIT mirror