2 * Store Windows ACLs in data store - common functions.
3 * #included into modules/vfs_acl_xattr.c and modules/vfs_acl_tdb.c
5 * Copyright (C) Volker Lendecke, 2008
6 * Copyright (C) Jeremy Allison, 2009
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 static NTSTATUS
create_acl_blob(const struct security_descriptor
*psd
,
25 uint8_t hash
[XATTR_SD_HASH_SIZE
]);
27 static NTSTATUS
get_acl_blob(TALLOC_CTX
*ctx
,
28 vfs_handle_struct
*handle
,
33 static NTSTATUS
store_acl_blob_fsp(vfs_handle_struct
*handle
,
37 #define HASH_SECURITY_INFO (OWNER_SECURITY_INFORMATION | \
38 GROUP_SECURITY_INFORMATION | \
39 DACL_SECURITY_INFORMATION | \
40 SACL_SECURITY_INFORMATION)
42 /*******************************************************************
43 Hash a security descriptor.
44 *******************************************************************/
46 static NTSTATUS
hash_sd_sha256(struct security_descriptor
*psd
,
53 memset(hash
, '\0', XATTR_SD_HASH_SIZE
);
54 status
= create_acl_blob(psd
, &blob
, XATTR_SD_HASH_TYPE_SHA256
, hash
);
55 if (!NT_STATUS_IS_OK(status
)) {
60 SHA256_Update(&tctx
, blob
.data
, blob
.length
);
61 SHA256_Final(hash
, &tctx
);
66 /*******************************************************************
67 Parse out a struct security_descriptor from a DATA_BLOB.
68 *******************************************************************/
70 static NTSTATUS
parse_acl_blob(const DATA_BLOB
*pblob
,
71 struct security_descriptor
**ppdesc
,
72 uint16_t *p_hash_type
,
73 uint8_t hash
[XATTR_SD_HASH_SIZE
])
75 TALLOC_CTX
*ctx
= talloc_tos();
76 struct xattr_NTACL xacl
;
77 enum ndr_err_code ndr_err
;
80 ndr_err
= ndr_pull_struct_blob(pblob
, ctx
, NULL
, &xacl
,
81 (ndr_pull_flags_fn_t
)ndr_pull_xattr_NTACL
);
83 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
84 DEBUG(5, ("parse_acl_blob: ndr_pull_xattr_NTACL failed: %s\n",
85 ndr_errstr(ndr_err
)));
86 return ndr_map_error2ntstatus(ndr_err
);;
89 switch (xacl
.version
) {
91 *ppdesc
= make_sec_desc(ctx
, SEC_DESC_REVISION
,
92 xacl
.info
.sd_hs2
->sd
->type
| SEC_DESC_SELF_RELATIVE
,
93 xacl
.info
.sd_hs2
->sd
->owner_sid
,
94 xacl
.info
.sd_hs2
->sd
->group_sid
,
95 xacl
.info
.sd_hs2
->sd
->sacl
,
96 xacl
.info
.sd_hs2
->sd
->dacl
,
98 /* No hash - null out. */
99 *p_hash_type
= XATTR_SD_HASH_TYPE_NONE
;
100 memset(hash
, '\0', XATTR_SD_HASH_SIZE
);
103 *ppdesc
= make_sec_desc(ctx
, SEC_DESC_REVISION
,
104 xacl
.info
.sd_hs3
->sd
->type
| SEC_DESC_SELF_RELATIVE
,
105 xacl
.info
.sd_hs3
->sd
->owner_sid
,
106 xacl
.info
.sd_hs3
->sd
->group_sid
,
107 xacl
.info
.sd_hs3
->sd
->sacl
,
108 xacl
.info
.sd_hs3
->sd
->dacl
,
110 *p_hash_type
= xacl
.info
.sd_hs3
->hash_type
;
111 /* Current version 3. */
112 memcpy(hash
, xacl
.info
.sd_hs3
->hash
, XATTR_SD_HASH_SIZE
);
115 return NT_STATUS_REVISION_MISMATCH
;
118 TALLOC_FREE(xacl
.info
.sd
);
120 return (*ppdesc
!= NULL
) ? NT_STATUS_OK
: NT_STATUS_NO_MEMORY
;
123 /*******************************************************************
124 Create a DATA_BLOB from a security descriptor.
125 *******************************************************************/
127 static NTSTATUS
create_acl_blob(const struct security_descriptor
*psd
,
130 uint8_t hash
[XATTR_SD_HASH_SIZE
])
132 struct xattr_NTACL xacl
;
133 struct security_descriptor_hash_v3 sd_hs3
;
134 enum ndr_err_code ndr_err
;
135 TALLOC_CTX
*ctx
= talloc_tos();
141 xacl
.info
.sd_hs3
= &sd_hs3
;
142 xacl
.info
.sd_hs3
->sd
= CONST_DISCARD(struct security_descriptor
*, psd
);
143 xacl
.info
.sd_hs3
->hash_type
= hash_type
;
144 memcpy(&xacl
.info
.sd_hs3
->hash
[0], hash
, XATTR_SD_HASH_SIZE
);
146 ndr_err
= ndr_push_struct_blob(
147 pblob
, ctx
, NULL
, &xacl
,
148 (ndr_push_flags_fn_t
)ndr_push_xattr_NTACL
);
150 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
151 DEBUG(5, ("create_acl_blob: ndr_push_xattr_NTACL failed: %s\n",
152 ndr_errstr(ndr_err
)));
153 return ndr_map_error2ntstatus(ndr_err
);;
159 /*******************************************************************
160 Add in 3 inheritable components for a non-inheritable directory ACL.
161 CREATOR_OWNER/CREATOR_GROUP/WORLD.
162 *******************************************************************/
164 static void add_directory_inheritable_components(vfs_handle_struct
*handle
,
166 SMB_STRUCT_STAT
*psbuf
,
167 struct security_descriptor
*psd
)
169 struct connection_struct
*conn
= handle
->conn
;
170 int num_aces
= (psd
->dacl
? psd
->dacl
->num_aces
: 0);
171 struct smb_filename smb_fname
;
172 enum security_ace_type acltype
;
173 uint32_t access_mask
;
177 struct security_ace
*new_ace_list
= TALLOC_ZERO_ARRAY(talloc_tos(),
181 if (new_ace_list
== NULL
) {
185 /* Fake a quick smb_filename. */
186 ZERO_STRUCT(smb_fname
);
187 smb_fname
.st
= *psbuf
;
188 smb_fname
.base_name
= CONST_DISCARD(char *, name
);
190 dir_mode
= unix_mode(conn
,
191 FILE_ATTRIBUTE_DIRECTORY
, &smb_fname
, NULL
);
192 file_mode
= unix_mode(conn
,
193 FILE_ATTRIBUTE_ARCHIVE
, &smb_fname
, NULL
);
195 mode
= dir_mode
| file_mode
;
197 DEBUG(10, ("add_directory_inheritable_components: directory %s, "
200 (unsigned int)mode
));
203 memcpy(new_ace_list
, psd
->dacl
->aces
,
204 num_aces
* sizeof(struct security_ace
));
206 access_mask
= map_canon_ace_perms(SNUM(conn
), &acltype
,
209 init_sec_ace(&new_ace_list
[num_aces
],
210 &global_sid_Creator_Owner
,
213 SEC_ACE_FLAG_CONTAINER_INHERIT
|
214 SEC_ACE_FLAG_OBJECT_INHERIT
|
215 SEC_ACE_FLAG_INHERIT_ONLY
);
216 access_mask
= map_canon_ace_perms(SNUM(conn
), &acltype
,
217 (mode
<< 3) & 0700, false);
218 init_sec_ace(&new_ace_list
[num_aces
+1],
219 &global_sid_Creator_Group
,
222 SEC_ACE_FLAG_CONTAINER_INHERIT
|
223 SEC_ACE_FLAG_OBJECT_INHERIT
|
224 SEC_ACE_FLAG_INHERIT_ONLY
);
225 access_mask
= map_canon_ace_perms(SNUM(conn
), &acltype
,
226 (mode
<< 6) & 0700, false);
227 init_sec_ace(&new_ace_list
[num_aces
+2],
231 SEC_ACE_FLAG_CONTAINER_INHERIT
|
232 SEC_ACE_FLAG_OBJECT_INHERIT
|
233 SEC_ACE_FLAG_INHERIT_ONLY
);
234 psd
->dacl
->aces
= new_ace_list
;
235 psd
->dacl
->num_aces
+= 3;
238 /*******************************************************************
239 Pull a DATA_BLOB from an xattr given a pathname.
240 If the hash doesn't match, or doesn't exist - return the underlying
242 *******************************************************************/
244 static NTSTATUS
get_nt_acl_internal(vfs_handle_struct
*handle
,
247 uint32_t security_info
,
248 struct security_descriptor
**ppdesc
)
250 DATA_BLOB blob
= data_blob_null
;
253 uint8_t hash
[XATTR_SD_HASH_SIZE
];
254 uint8_t hash_tmp
[XATTR_SD_HASH_SIZE
];
255 struct security_descriptor
*psd
= NULL
;
256 struct security_descriptor
*pdesc_next
= NULL
;
257 bool ignore_file_system_acl
= lp_parm_bool(SNUM(handle
->conn
),
259 "ignore system acls",
262 if (fsp
&& name
== NULL
) {
263 name
= fsp
->fsp_name
->base_name
;
266 DEBUG(10, ("get_nt_acl_internal: name=%s\n", name
));
268 /* Get the full underlying sd for the hash
269 or to return as backup. */
271 status
= SMB_VFS_NEXT_FGET_NT_ACL(handle
,
276 status
= SMB_VFS_NEXT_GET_NT_ACL(handle
,
282 if (!NT_STATUS_IS_OK(status
)) {
283 DEBUG(10, ("get_nt_acl_internal: get_next_acl for file %s "
290 status
= get_acl_blob(talloc_tos(), handle
, fsp
, name
, &blob
);
291 if (!NT_STATUS_IS_OK(status
)) {
292 DEBUG(10, ("get_nt_acl_internal: get_acl_blob returned %s\n",
298 status
= parse_acl_blob(&blob
, &psd
,
299 &hash_type
, &hash
[0]);
300 if (!NT_STATUS_IS_OK(status
)) {
301 DEBUG(10, ("parse_acl_blob returned %s\n",
307 /* Ensure the hash type is one we know. */
309 case XATTR_SD_HASH_TYPE_NONE
:
310 /* No hash, just return blob sd. */
312 case XATTR_SD_HASH_TYPE_SHA256
:
315 DEBUG(10, ("get_nt_acl_internal: ACL blob revision "
316 "mismatch (%u) for file %s\n",
317 (unsigned int)hash_type
,
324 if (ignore_file_system_acl
) {
328 status
= hash_sd_sha256(pdesc_next
, hash_tmp
);
329 if (!NT_STATUS_IS_OK(status
)) {
335 if (memcmp(&hash
[0], &hash_tmp
[0], XATTR_SD_HASH_SIZE
) == 0) {
336 /* Hash matches, return blob sd. */
337 DEBUG(10, ("get_nt_acl_internal: blob hash "
338 "matches for file %s\n",
343 /* Hash doesn't match, return underlying sd. */
349 if (psd
!= pdesc_next
) {
350 /* We're returning the blob, throw
351 * away the filesystem SD. */
352 TALLOC_FREE(pdesc_next
);
354 SMB_STRUCT_STAT sbuf
;
355 SMB_STRUCT_STAT
*psbuf
= &sbuf
;
356 bool is_directory
= false;
358 * We're returning the underlying ACL from the
359 * filesystem. If it's a directory, and has no
360 * inheritable ACE entries we have to fake them.
363 status
= vfs_stat_fsp(fsp
);
364 if (!NT_STATUS_IS_OK(status
)) {
367 psbuf
= &fsp
->fsp_name
->st
;
369 int ret
= vfs_stat_smb_fname(handle
->conn
,
373 return map_nt_error_from_unix(errno
);
376 is_directory
= S_ISDIR(psbuf
->st_ex_mode
);
378 if (ignore_file_system_acl
) {
379 TALLOC_FREE(pdesc_next
);
380 status
= make_default_filesystem_acl(talloc_tos(),
384 if (!NT_STATUS_IS_OK(status
)) {
389 !sd_has_inheritable_components(psd
,
391 add_directory_inheritable_components(handle
,
396 /* The underlying POSIX module always sets
397 the ~SEC_DESC_DACL_PROTECTED bit, as ACLs
398 can't be inherited in this way under POSIX.
399 Remove it for Windows-style ACLs. */
400 psd
->type
&= ~SEC_DESC_DACL_PROTECTED
;
404 if (!(security_info
& OWNER_SECURITY_INFORMATION
)) {
405 psd
->owner_sid
= NULL
;
407 if (!(security_info
& GROUP_SECURITY_INFORMATION
)) {
408 psd
->group_sid
= NULL
;
410 if (!(security_info
& DACL_SECURITY_INFORMATION
)) {
411 psd
->type
&= ~SEC_DESC_DACL_PRESENT
;
414 if (!(security_info
& SACL_SECURITY_INFORMATION
)) {
415 psd
->type
&= ~SEC_DESC_SACL_PRESENT
;
419 TALLOC_FREE(blob
.data
);
422 if (DEBUGLEVEL
>= 10) {
423 DEBUG(10,("get_nt_acl_internal: returning acl for %s is:\n",
425 NDR_PRINT_DEBUG(security_descriptor
, psd
);
431 /*********************************************************************
432 Create a default ACL by inheriting from the parent. If no inheritance
433 from the parent available, don't set anything. This will leave the actual
434 permissions the new file or directory already got from the filesystem
435 as the NT ACL when read.
436 *********************************************************************/
438 static NTSTATUS
inherit_new_acl(vfs_handle_struct
*handle
,
440 struct security_descriptor
*parent_desc
,
443 TALLOC_CTX
*ctx
= talloc_tos();
444 NTSTATUS status
= NT_STATUS_OK
;
445 struct security_descriptor
*psd
= NULL
;
446 struct dom_sid
*owner_sid
= NULL
;
447 struct dom_sid
*group_sid
= NULL
;
448 uint32_t security_info_sent
= (OWNER_SECURITY_INFORMATION
| GROUP_SECURITY_INFORMATION
| DACL_SECURITY_INFORMATION
);
450 bool inherit_owner
= lp_inherit_owner(SNUM(handle
->conn
));
451 bool inheritable_components
= sd_has_inheritable_components(parent_desc
,
454 if (!inheritable_components
&& !inherit_owner
) {
455 /* Nothing to inherit and not setting owner. */
459 /* Create an inherited descriptor from the parent. */
461 if (DEBUGLEVEL
>= 10) {
462 DEBUG(10,("inherit_new_acl: parent acl for %s is:\n",
464 NDR_PRINT_DEBUG(security_descriptor
, parent_desc
);
467 /* Inherit from parent descriptor if "inherit owner" set. */
469 owner_sid
= parent_desc
->owner_sid
;
470 group_sid
= parent_desc
->group_sid
;
473 if (owner_sid
== NULL
) {
474 owner_sid
= &handle
->conn
->server_info
->ptok
->user_sids
[PRIMARY_USER_SID_INDEX
];
476 if (group_sid
== NULL
) {
477 group_sid
= &handle
->conn
->server_info
->ptok
->user_sids
[PRIMARY_GROUP_SID_INDEX
];
480 status
= se_create_child_secdesc(ctx
,
487 if (!NT_STATUS_IS_OK(status
)) {
491 /* If inheritable_components == false,
492 se_create_child_secdesc()
493 creates a security desriptor with a NULL dacl
494 entry, but with SEC_DESC_DACL_PRESENT. We need
495 to remove that flag. */
497 if (!inheritable_components
) {
498 security_info_sent
&= ~SECINFO_DACL
;
499 psd
->type
&= ~SEC_DESC_DACL_PRESENT
;
502 if (DEBUGLEVEL
>= 10) {
503 DEBUG(10,("inherit_new_acl: child acl for %s is:\n",
505 NDR_PRINT_DEBUG(security_descriptor
, psd
);
509 /* We need to be root to force this. */
512 status
= SMB_VFS_FSET_NT_ACL(fsp
,
521 static NTSTATUS
get_parent_acl_common(vfs_handle_struct
*handle
,
523 struct security_descriptor
**pp_parent_desc
)
525 char *parent_name
= NULL
;
528 if (!parent_dirname(talloc_tos(), path
, &parent_name
, NULL
)) {
529 return NT_STATUS_NO_MEMORY
;
532 status
= get_nt_acl_internal(handle
,
541 if (!NT_STATUS_IS_OK(status
)) {
542 DEBUG(10,("get_parent_acl_common: get_nt_acl_internal "
543 "on directory %s for "
544 "path %s returned %s\n",
547 nt_errstr(status
) ));
552 static NTSTATUS
check_parent_acl_common(vfs_handle_struct
*handle
,
554 uint32_t access_mask
,
555 struct security_descriptor
**pp_parent_desc
)
557 char *parent_name
= NULL
;
558 struct security_descriptor
*parent_desc
= NULL
;
559 uint32_t access_granted
= 0;
562 status
= get_parent_acl_common(handle
, path
, &parent_desc
);
563 if (!NT_STATUS_IS_OK(status
)) {
566 if (pp_parent_desc
) {
567 *pp_parent_desc
= parent_desc
;
569 status
= smb1_file_se_access_check(handle
->conn
,
571 handle
->conn
->server_info
->ptok
,
574 if(!NT_STATUS_IS_OK(status
)) {
575 DEBUG(10,("check_parent_acl_common: access check "
576 "on directory %s for "
577 "path %s for mask 0x%x returned %s\n",
581 nt_errstr(status
) ));
587 /*********************************************************************
588 Check ACL on open. For new files inherit from parent directory.
589 *********************************************************************/
591 static int open_acl_common(vfs_handle_struct
*handle
,
592 struct smb_filename
*smb_fname
,
597 uint32_t access_granted
= 0;
598 struct security_descriptor
*pdesc
= NULL
;
599 bool file_existed
= true;
604 /* Stream open. Base filename open already did the ACL check. */
605 DEBUG(10,("open_acl_common: stream open on %s\n",
607 return SMB_VFS_NEXT_OPEN(handle
, smb_fname
, fsp
, flags
, mode
);
610 status
= get_full_smb_filename(talloc_tos(), smb_fname
,
612 if (!NT_STATUS_IS_OK(status
)) {
616 status
= get_nt_acl_internal(handle
,
619 (OWNER_SECURITY_INFORMATION
|
620 GROUP_SECURITY_INFORMATION
|
621 DACL_SECURITY_INFORMATION
|
622 SACL_SECURITY_INFORMATION
),
624 if (NT_STATUS_IS_OK(status
)) {
625 /* See if we can access it. */
626 status
= smb1_file_se_access_check(handle
->conn
,
628 handle
->conn
->server_info
->ptok
,
631 if (!NT_STATUS_IS_OK(status
)) {
632 DEBUG(10,("open_acl_xattr: %s open "
633 "for access 0x%x (0x%x) "
634 "refused with error %s\n",
636 (unsigned int)fsp
->access_mask
,
637 (unsigned int)access_granted
,
638 nt_errstr(status
) ));
641 } else if (NT_STATUS_EQUAL(status
,NT_STATUS_OBJECT_NAME_NOT_FOUND
)) {
642 file_existed
= false;
644 * If O_CREAT is true then we're trying to create a file.
645 * Check the parent directory ACL will allow this.
647 if (flags
& O_CREAT
) {
648 struct security_descriptor
*parent_desc
= NULL
;
649 struct security_descriptor
**pp_psd
= NULL
;
651 status
= check_parent_acl_common(handle
, fname
,
652 SEC_DIR_ADD_FILE
, &parent_desc
);
653 if (!NT_STATUS_IS_OK(status
)) {
657 /* Cache the parent security descriptor for
660 pp_psd
= VFS_ADD_FSP_EXTENSION(handle
,
662 struct security_descriptor
*,
665 status
= NT_STATUS_NO_MEMORY
;
669 *pp_psd
= parent_desc
;
670 status
= NT_STATUS_OK
;
674 DEBUG(10,("open_acl_xattr: get_nt_acl_attr_internal for "
677 nt_errstr(status
) ));
679 fsp
->fh
->fd
= SMB_VFS_NEXT_OPEN(handle
, smb_fname
, fsp
, flags
, mode
);
684 errno
= map_errno_from_nt_status(status
);
688 static int mkdir_acl_common(vfs_handle_struct
*handle
, const char *path
, mode_t mode
)
692 SMB_STRUCT_STAT sbuf
;
694 ret
= vfs_stat_smb_fname(handle
->conn
, path
, &sbuf
);
695 if (ret
== -1 && errno
== ENOENT
) {
696 /* We're creating a new directory. */
697 status
= check_parent_acl_common(handle
, path
,
698 SEC_DIR_ADD_SUBDIR
, NULL
);
699 if (!NT_STATUS_IS_OK(status
)) {
700 errno
= map_errno_from_nt_status(status
);
705 return SMB_VFS_NEXT_MKDIR(handle
, path
, mode
);
708 /*********************************************************************
709 Fetch a security descriptor given an fsp.
710 *********************************************************************/
712 static NTSTATUS
fget_nt_acl_common(vfs_handle_struct
*handle
, files_struct
*fsp
,
713 uint32_t security_info
, struct security_descriptor
**ppdesc
)
715 return get_nt_acl_internal(handle
, fsp
,
716 NULL
, security_info
, ppdesc
);
719 /*********************************************************************
720 Fetch a security descriptor given a pathname.
721 *********************************************************************/
723 static NTSTATUS
get_nt_acl_common(vfs_handle_struct
*handle
,
724 const char *name
, uint32_t security_info
, struct security_descriptor
**ppdesc
)
726 return get_nt_acl_internal(handle
, NULL
,
727 name
, security_info
, ppdesc
);
730 /*********************************************************************
731 Store a security descriptor given an fsp.
732 *********************************************************************/
734 static NTSTATUS
fset_nt_acl_common(vfs_handle_struct
*handle
, files_struct
*fsp
,
735 uint32_t security_info_sent
, const struct security_descriptor
*orig_psd
)
739 struct security_descriptor
*pdesc_next
= NULL
;
740 struct security_descriptor
*psd
= NULL
;
741 uint8_t hash
[XATTR_SD_HASH_SIZE
];
743 if (DEBUGLEVEL
>= 10) {
744 DEBUG(10,("fset_nt_acl_xattr: incoming sd for file %s\n",
746 NDR_PRINT_DEBUG(security_descriptor
,
747 CONST_DISCARD(struct security_descriptor
*,orig_psd
));
750 status
= get_nt_acl_internal(handle
, fsp
,
752 SECINFO_OWNER
|SECINFO_GROUP
|SECINFO_DACL
|SECINFO_SACL
,
755 if (!NT_STATUS_IS_OK(status
)) {
759 psd
->revision
= orig_psd
->revision
;
760 /* All our SD's are self relative. */
761 psd
->type
= orig_psd
->type
| SEC_DESC_SELF_RELATIVE
;
763 if ((security_info_sent
& SECINFO_OWNER
) && (orig_psd
->owner_sid
!= NULL
)) {
764 psd
->owner_sid
= orig_psd
->owner_sid
;
766 if ((security_info_sent
& SECINFO_GROUP
) && (orig_psd
->group_sid
!= NULL
)) {
767 psd
->group_sid
= orig_psd
->group_sid
;
769 if (security_info_sent
& SECINFO_DACL
) {
770 psd
->dacl
= orig_psd
->dacl
;
771 psd
->type
|= SEC_DESC_DACL_PRESENT
;
773 if (security_info_sent
& SECINFO_SACL
) {
774 psd
->sacl
= orig_psd
->sacl
;
775 psd
->type
|= SEC_DESC_SACL_PRESENT
;
778 status
= SMB_VFS_NEXT_FSET_NT_ACL(handle
, fsp
, security_info_sent
, psd
);
779 if (!NT_STATUS_IS_OK(status
)) {
783 /* Get the full underlying sd, then hash. */
784 status
= SMB_VFS_NEXT_FGET_NT_ACL(handle
,
789 if (!NT_STATUS_IS_OK(status
)) {
793 status
= hash_sd_sha256(pdesc_next
, hash
);
794 if (!NT_STATUS_IS_OK(status
)) {
798 if (DEBUGLEVEL
>= 10) {
799 DEBUG(10,("fset_nt_acl_xattr: storing xattr sd for file %s\n",
801 NDR_PRINT_DEBUG(security_descriptor
,
802 CONST_DISCARD(struct security_descriptor
*,psd
));
804 create_acl_blob(psd
, &blob
, XATTR_SD_HASH_TYPE_SHA256
, hash
);
805 store_acl_blob_fsp(handle
, fsp
, &blob
);
810 static SMB_STRUCT_DIR
*opendir_acl_common(vfs_handle_struct
*handle
,
811 const char *fname
, const char *mask
, uint32 attr
)
813 NTSTATUS status
= check_parent_acl_common(handle
, fname
,
816 if (!NT_STATUS_IS_OK(status
)) {
817 errno
= map_errno_from_nt_status(status
);
820 return SMB_VFS_NEXT_OPENDIR(handle
, fname
, mask
, attr
);
823 static int acl_common_remove_object(vfs_handle_struct
*handle
,
827 connection_struct
*conn
= handle
->conn
;
829 files_struct
*fsp
= NULL
;
831 char *parent_dir
= NULL
;
832 const char *final_component
= NULL
;
833 struct smb_filename local_fname
;
835 char *saved_dir
= NULL
;
837 saved_dir
= vfs_GetWd(talloc_tos(),conn
);
843 if (!parent_dirname(talloc_tos(), path
,
844 &parent_dir
, &final_component
)) {
845 saved_errno
= ENOMEM
;
849 DEBUG(10,("acl_common_remove_object: removing %s %s/%s\n",
850 is_directory
? "directory" : "file",
851 parent_dir
, final_component
));
853 /* cd into the parent dir to pin it. */
854 ret
= vfs_ChDir(conn
, parent_dir
);
860 ZERO_STRUCT(local_fname
);
861 local_fname
.base_name
= CONST_DISCARD(char *,final_component
);
863 /* Must use lstat here. */
864 ret
= SMB_VFS_LSTAT(conn
, &local_fname
);
870 /* Ensure we have this file open with DELETE access. */
871 id
= vfs_file_id_from_sbuf(conn
, &local_fname
.st
);
872 for (fsp
= file_find_di_first(id
); fsp
; fsp
= file_find_di_next(fsp
)) {
873 if (fsp
->access_mask
& DELETE_ACCESS
&&
874 fsp
->delete_on_close
) {
875 /* We did open this for delete,
876 * allow the delete as root.
883 DEBUG(10,("acl_common_remove_object: %s %s/%s "
884 "not an open file\n",
885 is_directory
? "directory" : "file",
886 parent_dir
, final_component
));
887 saved_errno
= EACCES
;
893 ret
= SMB_VFS_NEXT_RMDIR(handle
, final_component
);
895 ret
= SMB_VFS_NEXT_UNLINK(handle
, &local_fname
);
905 TALLOC_FREE(parent_dir
);
908 vfs_ChDir(conn
, saved_dir
);
916 static int rmdir_acl_common(struct vfs_handle_struct
*handle
,
921 /* Try the normal rmdir first. */
922 ret
= SMB_VFS_NEXT_RMDIR(handle
, path
);
926 if (errno
== EACCES
|| errno
== EPERM
) {
927 /* Failed due to access denied,
928 see if we need to root override. */
929 return acl_common_remove_object(handle
,
934 DEBUG(10,("rmdir_acl_common: unlink of %s failed %s\n",
940 static NTSTATUS
create_file_acl_common(struct vfs_handle_struct
*handle
,
941 struct smb_request
*req
,
942 uint16_t root_dir_fid
,
943 struct smb_filename
*smb_fname
,
944 uint32_t access_mask
,
945 uint32_t share_access
,
946 uint32_t create_disposition
,
947 uint32_t create_options
,
948 uint32_t file_attributes
,
949 uint32_t oplock_request
,
950 uint64_t allocation_size
,
951 struct security_descriptor
*sd
,
952 struct ea_list
*ea_list
,
953 files_struct
**result
,
956 NTSTATUS status
, status1
;
957 files_struct
*fsp
= NULL
;
959 struct security_descriptor
*parent_sd
= NULL
;
960 struct security_descriptor
**pp_parent_sd
= NULL
;
962 status
= SMB_VFS_NEXT_CREATE_FILE(handle
,
978 if (!NT_STATUS_IS_OK(status
)) {
982 if (info
!= FILE_WAS_CREATED
) {
983 /* File/directory was opened, not created. */
990 /* Only handle success. */
995 /* Security descriptor already set. */
1004 /* See if we have a cached parent sd, if so, use it. */
1005 pp_parent_sd
= (struct security_descriptor
**)VFS_FETCH_FSP_EXTENSION(handle
, fsp
);
1006 if (!pp_parent_sd
) {
1007 /* Must be a directory, fetch again (sigh). */
1008 status
= get_parent_acl_common(handle
,
1009 fsp
->fsp_name
->base_name
,
1011 if (!NT_STATUS_IS_OK(status
)) {
1015 parent_sd
= *pp_parent_sd
;
1022 /* New directory - inherit from parent. */
1023 status1
= inherit_new_acl(handle
, fsp
, parent_sd
, fsp
->is_directory
);
1025 if (!NT_STATUS_IS_OK(status1
)) {
1026 DEBUG(1,("create_file_acl_common: error setting "
1029 nt_errstr(status1
) ));
1035 VFS_REMOVE_FSP_EXTENSION(handle
, fsp
);
1038 if (NT_STATUS_IS_OK(status
) && pinfo
) {
1045 smb_panic("create_file_acl_common: logic error.\n");
1050 static int unlink_acl_common(struct vfs_handle_struct
*handle
,
1051 const struct smb_filename
*smb_fname
)
1055 /* Try the normal unlink first. */
1056 ret
= SMB_VFS_NEXT_UNLINK(handle
, smb_fname
);
1060 if (errno
== EACCES
|| errno
== EPERM
) {
1061 /* Failed due to access denied,
1062 see if we need to root override. */
1064 /* Don't do anything fancy for streams. */
1065 if (smb_fname
->stream_name
) {
1068 return acl_common_remove_object(handle
,
1069 smb_fname
->base_name
,
1073 DEBUG(10,("unlink_acl_common: unlink of %s failed %s\n",
1074 smb_fname
->base_name
,
1079 static int chmod_acl_module_common(struct vfs_handle_struct
*handle
,
1080 const char *path
, mode_t mode
)
1082 if (lp_posix_pathnames()) {
1083 /* Only allow this on POSIX pathnames. */
1084 return SMB_VFS_NEXT_CHMOD(handle
, path
, mode
);
1089 static int fchmod_acl_module_common(struct vfs_handle_struct
*handle
,
1090 struct files_struct
*fsp
, mode_t mode
)
1092 if (fsp
->posix_open
) {
1093 /* Only allow this on POSIX opens. */
1094 return SMB_VFS_NEXT_FCHMOD(handle
, fsp
, mode
);
1099 static int chmod_acl_acl_module_common(struct vfs_handle_struct
*handle
,
1100 const char *name
, mode_t mode
)
1102 if (lp_posix_pathnames()) {
1103 /* Only allow this on POSIX pathnames. */
1104 return SMB_VFS_NEXT_CHMOD_ACL(handle
, name
, mode
);
1109 static int fchmod_acl_acl_module_common(struct vfs_handle_struct
*handle
,
1110 struct files_struct
*fsp
, mode_t mode
)
1112 if (fsp
->posix_open
) {
1113 /* Only allow this on POSIX opens. */
1114 return SMB_VFS_NEXT_FCHMOD_ACL(handle
, fsp
, mode
);