2 * Unix SMB/CIFS implementation.
4 * Support for OneFS native NTFS ACLs
6 * Copyright (C) Steven Danneman, 2008
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
24 #include "onefs_config.h"
26 #include <isi_acl/isi_acl_util.h>
27 #include <ifs/ifs_syscalls.h>
28 #include <sys/isi_acl.h>
30 const struct enum_list enum_onefs_acl_wire_format
[] = {
31 {ACL_FORMAT_RAW
, "No Format"},
32 {ACL_FORMAT_WINDOWS_SD
, "Format Windows SD"},
33 {ACL_FORMAT_ALWAYS
, "Always Format SD"},
38 * Turn SID into UID/GID and setup a struct ifs_identity
41 onefs_sid_to_identity(const struct dom_sid
*sid
, struct ifs_identity
*id
,
44 enum ifs_identity_type type
= IFS_ID_TYPE_LAST
+1;
48 if (!sid
|| sid_equal(sid
, &global_sid_NULL
))
49 type
= IFS_ID_TYPE_NULL
;
50 else if (sid_equal(sid
, &global_sid_World
))
51 type
= IFS_ID_TYPE_EVERYONE
;
52 else if (sid_equal(sid
, &global_sid_Creator_Owner
))
53 type
= IFS_ID_TYPE_CREATOR_OWNER
;
54 else if (sid_equal(sid
, &global_sid_Creator_Group
))
55 type
= IFS_ID_TYPE_CREATOR_GROUP
;
57 if (!sid_to_gid(sid
, &gid
))
59 type
= IFS_ID_TYPE_GID
;
61 if (sid_to_uid(sid
, &uid
))
62 type
= IFS_ID_TYPE_UID
;
63 else if (sid_to_gid(sid
, &gid
))
64 type
= IFS_ID_TYPE_GID
;
69 if (aclu_initialize_identity(id
, type
, uid
, gid
, is_group
)) {
70 DEBUG(3, ("Call to aclu_initialize_identity failed! id=%x, "
71 "type=%d, uid=%u, gid=%u, is_group=%d\n",
72 (unsigned int)id
, type
, uid
, gid
, is_group
));
80 * Turn struct ifs_identity into SID
83 onefs_identity_to_sid(struct ifs_identity
*id
, struct dom_sid
*sid
)
88 if (id
->type
>= IFS_ID_TYPE_LAST
)
93 uid_to_sid(sid
, id
->id
.uid
);
96 gid_to_sid(sid
, id
->id
.gid
);
98 case IFS_ID_TYPE_EVERYONE
:
99 sid_copy(sid
, &global_sid_World
);
101 case IFS_ID_TYPE_NULL
:
102 sid_copy(sid
, &global_sid_NULL
);
104 case IFS_ID_TYPE_CREATOR_OWNER
:
105 sid_copy(sid
, &global_sid_Creator_Owner
);
107 case IFS_ID_TYPE_CREATOR_GROUP
:
108 sid_copy(sid
, &global_sid_Creator_Group
);
111 DEBUG(0, ("Unknown identity type: %d\n", id
->type
));
119 onefs_og_to_identity(struct dom_sid
*sid
, struct ifs_identity
* ident
,
120 bool is_group
, int snum
)
122 const struct dom_sid
*b_admin_sid
= &global_sid_Builtin_Administrators
;
124 if (!onefs_sid_to_identity(sid
, ident
, is_group
)) {
125 if (!lp_parm_bool(snum
, PARM_ONEFS_TYPE
,
126 PARM_UNMAPPABLE_SIDS_IGNORE
,
127 PARM_UNMAPPABLE_SIDS_IGNORE_DEFAULT
)) {
128 DEBUG(3, ("Unresolvable SID (%s) found.\n",
129 sid_string_dbg(sid
)));
132 if (!onefs_sid_to_identity(b_admin_sid
, ident
, is_group
)) {
135 DEBUG(3, ("Mapping unresolvable owner SID (%s) to Builtin "
136 "Administrators group.\n",
137 sid_string_dbg(sid
)));
143 sid_in_ignore_list(struct dom_sid
* sid
, int snum
)
145 const char ** sid_list
= NULL
;
146 struct dom_sid match
;
148 sid_list
= lp_parm_string_list(snum
, PARM_ONEFS_TYPE
,
149 PARM_UNMAPPABLE_SIDS_IGNORE_LIST
,
150 PARM_UNMAPPABLE_SIDS_IGNORE_LIST_DEFAULT
);
152 /* Fast path a NULL list */
153 if (!sid_list
|| *sid_list
== NULL
)
157 if (string_to_sid(&match
, *sid_list
))
158 if (sid_equal(sid
, &match
))
167 * Convert a trustee to a struct identity
170 onefs_samba_ace_to_ace(struct security_ace
* samba_ace
, struct ifs_ace
* ace
,
171 bool *mapped
, int snum
)
173 struct ifs_identity ident
= {.type
=IFS_ID_TYPE_LAST
, .id
.uid
=0};
177 SMB_ASSERT(samba_ace
);
179 if (onefs_sid_to_identity(&samba_ace
->trustee
, &ident
, false)) {
183 SMB_ASSERT(ident
.id
.uid
>= 0);
185 /* Ignore the sid if it's in the list */
186 if (sid_in_ignore_list(&samba_ace
->trustee
, snum
)) {
187 DEBUG(3, ("Silently failing to set ACE for SID (%s) "
188 "because it is in the ignore sids list\n",
189 sid_string_dbg(&samba_ace
->trustee
)));
191 } else if ((samba_ace
->type
== SEC_ACE_TYPE_ACCESS_DENIED
) &&
192 lp_parm_bool(snum
, PARM_ONEFS_TYPE
,
193 PARM_UNMAPPABLE_SIDS_DENY_EVERYONE
,
194 PARM_UNMAPPABLE_SIDS_DENY_EVERYONE_DEFAULT
)) {
195 /* If the ace is deny translated to Everyone */
196 DEBUG(3, ("Mapping unresolvable deny ACE SID (%s) "
198 sid_string_dbg(&samba_ace
->trustee
)));
199 if (aclu_initialize_identity(&ident
,
200 IFS_ID_TYPE_EVERYONE
, 0, 0, False
) != 0) {
201 DEBUG(2, ("aclu_initialize_identity() "
202 "failed making Everyone\n"));
206 } else if (lp_parm_bool(snum
, PARM_ONEFS_TYPE
,
207 PARM_UNMAPPABLE_SIDS_IGNORE
,
208 PARM_UNMAPPABLE_SIDS_IGNORE_DEFAULT
)) {
209 DEBUG(3, ("Silently failing to set ACE for SID (%s) "
210 "because it is unresolvable\n",
211 sid_string_dbg(&samba_ace
->trustee
)));
214 /* Fail for lack of a better option */
220 if (aclu_initialize_ace(ace
, samba_ace
->type
,
221 samba_ace
->access_mask
, samba_ace
->flags
, 0,
225 if ((ace
->trustee
.type
== IFS_ID_TYPE_CREATOR_OWNER
||
226 ace
->trustee
.type
== IFS_ID_TYPE_CREATOR_GROUP
) &&
227 nt4_compatible_acls())
228 ace
->flags
|= SEC_ACE_FLAG_INHERIT_ONLY
;
235 * Convert a struct security_acl to a struct ifs_security_acl
238 onefs_samba_acl_to_acl(struct security_acl
*samba_acl
, struct ifs_security_acl
**acl
,
239 bool * ignore_aces
, int snum
)
242 struct ifs_ace
*aces
= NULL
;
243 struct security_ace
*samba_aces
;
247 SMB_ASSERT(ignore_aces
);
249 if ((!acl
) || (!samba_acl
))
252 samba_aces
= samba_acl
->aces
;
254 if (samba_acl
->num_aces
> 0 && samba_aces
) {
256 num_aces
= samba_acl
->num_aces
;
257 aces
= SMB_MALLOC_ARRAY(struct ifs_ace
, num_aces
);
259 for (i
= 0, j
= 0; j
< num_aces
; i
++, j
++) {
260 if (!onefs_samba_ace_to_ace(&samba_aces
[j
],
261 &aces
[i
], &mapped
, snum
))
270 /* If aces are given but we cannot apply them due to the reasons
271 * above we do not change the SD. However, if we are told to
272 * explicitly set an SD with 0 aces we honor this operation */
273 *ignore_aces
= samba_acl
->num_aces
> 0 && num_aces
< 1;
275 if (*ignore_aces
== false)
276 if (aclu_initialize_acl(acl
, aces
, num_aces
))
279 /* Currently aclu_initialize_acl should copy the aces over, allowing
280 * us to immediately free */
290 * Convert a struct ifs_security_acl to a struct security_acl
293 onefs_acl_to_samba_acl(struct ifs_security_acl
*acl
, struct security_acl
**samba_acl
)
295 struct security_ace
*samba_aces
= NULL
;
296 struct security_acl
*tmp_samba_acl
= NULL
;
308 /* Determine number of aces in ACL */
312 num_aces
= acl
->num_aces
;
314 /* Allocate the ace list. */
316 if ((samba_aces
= SMB_MALLOC_ARRAY(struct security_ace
, num_aces
)) == NULL
)
318 DEBUG(0, ("Unable to malloc space for %d aces.\n",
322 memset(samba_aces
, '\0', (num_aces
) * sizeof(struct security_ace
));
325 for (i
= 0; i
< num_aces
; i
++) {
328 if (!onefs_identity_to_sid(&acl
->aces
[i
].trustee
, &sid
))
331 init_sec_ace(&samba_aces
[i
], &sid
, acl
->aces
[i
].type
,
332 acl
->aces
[i
].access_mask
, acl
->aces
[i
].flags
);
335 if ((tmp_samba_acl
= make_sec_acl(talloc_tos(), acl
->revision
, num_aces
,
336 samba_aces
)) == NULL
) {
337 DEBUG(0, ("Unable to malloc space for acl.\n"));
341 *samba_acl
= tmp_samba_acl
;
342 SAFE_FREE(samba_aces
);
345 SAFE_FREE(samba_aces
);
350 * @brief Reorder ACLs into the "correct" order for Windows Explorer.
352 * Windows Explorer expects ACLs to be in a standard order (inherited first,
353 * then deny, then permit.) When ACLs are composed from POSIX file permissions
354 * bits, they may not match these expectations, generating an annoying warning
355 * dialog for the user. This function will, if configured appropriately,
356 * reorder the ACLs for these "synthetic" (POSIX-derived) descriptors to prevent
357 * this. The list is changed within the security descriptor passed in.
359 * @param fsp files_struct with service configs; must not be NULL
360 * @param sd security descriptor being normalized;
361 * sd->dacl->aces is rewritten in-place, so must not be NULL
362 * @return true on success, errno will be set on error
364 * @bug Although Windows Explorer likes the reordering, they seem to cause
365 * problems with Excel and Word sending back the reordered ACLs to us and
366 * changing policy; see Isilon bug 30165.
369 onefs_canon_acl(files_struct
*fsp
, struct ifs_security_descriptor
*sd
)
373 struct ifs_ace
*new_aces
= NULL
;
374 int new_aces_count
= 0;
375 SMB_STRUCT_STAT sbuf
;
377 if (sd
== NULL
|| sd
->dacl
== NULL
|| sd
->dacl
->num_aces
== 0)
381 * Find out if this is a windows bit, and if the smb policy wants us to
384 SMB_ASSERT(fsp
!= NULL
);
385 switch (lp_parm_enum(SNUM(fsp
->conn
), PARM_ONEFS_TYPE
,
386 PARM_ACL_WIRE_FORMAT
, enum_onefs_acl_wire_format
,
387 PARM_ACL_WIRE_FORMAT_DEFAULT
)) {
391 case ACL_FORMAT_WINDOWS_SD
:
392 error
= SMB_VFS_FSTAT(fsp
, &sbuf
);
396 if ((sbuf
.st_ex_flags
& SF_HASNTFSACL
) != 0) {
397 DEBUG(10, ("Did not canonicalize ACLs because a "
398 "Windows ACL set was found for file %s\n",
404 case ACL_FORMAT_ALWAYS
:
412 new_aces
= SMB_MALLOC_ARRAY(struct ifs_ace
, sd
->dacl
->num_aces
);
413 if (new_aces
== NULL
)
417 * By walking down the list 3 separate times, we can avoid the need
418 * to create multiple temp buffers and extra copies.
421 /* Explict deny aces first */
422 for (cur
= 0; cur
< sd
->dacl
->num_aces
; cur
++) {
423 if (!(sd
->dacl
->aces
[cur
].flags
& IFS_ACE_FLAG_INHERITED_ACE
) &&
424 (sd
->dacl
->aces
[cur
].type
== IFS_ACE_TYPE_ACCESS_DENIED
))
425 new_aces
[new_aces_count
++] = sd
->dacl
->aces
[cur
];
428 /* Explict allow aces second */
429 for (cur
= 0; cur
< sd
->dacl
->num_aces
; cur
++) {
430 if (!(sd
->dacl
->aces
[cur
].flags
& IFS_ACE_FLAG_INHERITED_ACE
) &&
431 !(sd
->dacl
->aces
[cur
].type
== IFS_ACE_TYPE_ACCESS_DENIED
))
432 new_aces
[new_aces_count
++] = sd
->dacl
->aces
[cur
];
435 /* Inherited deny/allow aces third */
436 for (cur
= 0; cur
< sd
->dacl
->num_aces
; cur
++) {
437 if ((sd
->dacl
->aces
[cur
].flags
& IFS_ACE_FLAG_INHERITED_ACE
))
438 new_aces
[new_aces_count
++] = sd
->dacl
->aces
[cur
];
441 SMB_ASSERT(new_aces_count
== sd
->dacl
->num_aces
);
442 DEBUG(10, ("Performed canonicalization of ACLs for file %s\n",
446 * At this point you would think we could just do this:
447 * SAFE_FREE(sd->dacl->aces);
448 * sd->dacl->aces = new_aces;
449 * However, in some cases the existing aces pointer does not point
450 * to the beginning of an allocated block. So we have to do a more
453 memcpy(sd
->dacl
->aces
, new_aces
,
454 sizeof(struct ifs_ace
) * new_aces_count
);
462 * This enum is a helper for onefs_fget_nt_acl() to communicate with
465 enum mode_ident
{ USR
, GRP
, OTH
};
468 * Initializes an ACE for addition to a synthetic ACL.
470 static struct ifs_ace
onefs_init_ace(struct connection_struct
*conn
,
473 enum mode_ident ident
)
475 struct ifs_ace result
;
476 enum ifs_ace_rights r
,w
,x
;
478 r
= isdir
? UNIX_DIRECTORY_ACCESS_R
: UNIX_ACCESS_R
;
479 w
= isdir
? UNIX_DIRECTORY_ACCESS_W
: UNIX_ACCESS_W
;
480 x
= isdir
? UNIX_DIRECTORY_ACCESS_X
: UNIX_ACCESS_X
;
482 result
.type
= IFS_ACE_TYPE_ACCESS_ALLOWED
;
483 result
.ifs_flags
= 0;
484 result
.flags
= isdir
? IFS_ACE_FLAG_CONTAINER_INHERIT
:
485 IFS_ACE_FLAG_OBJECT_INHERIT
;
486 result
.flags
|= IFS_ACE_FLAG_INHERIT_ONLY
;
491 ((mode
& S_IRUSR
) ? r
: 0 ) |
492 ((mode
& S_IWUSR
) ? w
: 0 ) |
493 ((mode
& S_IXUSR
) ? x
: 0 );
494 if (lp_parm_bool(SNUM(conn
), PARM_ONEFS_TYPE
,
495 PARM_CREATOR_OWNER_GETS_FULL_CONTROL
,
496 PARM_CREATOR_OWNER_GETS_FULL_CONTROL_DEFAULT
))
497 result
.access_mask
|= GENERIC_ALL_ACCESS
;
498 result
.trustee
.type
= IFS_ID_TYPE_CREATOR_OWNER
;
502 ((mode
& S_IRGRP
) ? r
: 0 ) |
503 ((mode
& S_IWGRP
) ? w
: 0 ) |
504 ((mode
& S_IXGRP
) ? x
: 0 );
505 result
.trustee
.type
= IFS_ID_TYPE_CREATOR_GROUP
;
509 ((mode
& S_IROTH
) ? r
: 0 ) |
510 ((mode
& S_IWOTH
) ? w
: 0 ) |
511 ((mode
& S_IXOTH
) ? x
: 0 );
512 result
.trustee
.type
= IFS_ID_TYPE_EVERYONE
;
520 * This adds inheritable ACEs to the end of the DACL, with the ACEs
521 * being derived from the mode bits. This is useful for clients that have the
522 * MoveSecurityAttributes regkey set to 0 or are in Simple File Sharing Mode.
524 * On these clients, when copying files from one folder to another inside the
525 * same volume/share, the DACL is explicitely cleared. Without inheritable
526 * aces on the target folder the mode bits of the copied file are set to 000.
528 * See Isilon Bug 27990
530 * Note: This function allocates additional memory onto sd->dacl->aces, that
531 * must be freed by the caller.
533 static bool add_sfs_aces(files_struct
*fsp
, struct ifs_security_descriptor
*sd
)
536 SMB_STRUCT_STAT sbuf
;
538 error
= SMB_VFS_FSTAT(fsp
, &sbuf
);
540 DEBUG(0, ("Failed to stat %s in simple files sharing "
541 "compatibility mode. errno=%d\n",
542 fsp_str_dbg(fsp
), errno
));
546 /* Only continue if this is a synthetic ACL and a directory. */
547 if (S_ISDIR(sbuf
.st_ex_mode
) &&
548 (sbuf
.st_ex_flags
& SF_HASNTFSACL
) == 0) {
549 struct ifs_ace new_aces
[6];
550 struct ifs_ace
*old_aces
;
551 int i
, num_aces_to_add
= 0;
552 mode_t file_mode
= 0, dir_mode
= 0;
554 /* Use existing samba logic to derive the mode bits. */
555 file_mode
= unix_mode(fsp
->conn
, 0, fsp
->fsp_name
, NULL
);
556 dir_mode
= unix_mode(fsp
->conn
, aDIR
, fsp
->fsp_name
, NULL
);
558 /* Initialize ACEs. */
559 new_aces
[0] = onefs_init_ace(fsp
->conn
, file_mode
, false, USR
);
560 new_aces
[1] = onefs_init_ace(fsp
->conn
, file_mode
, false, GRP
);
561 new_aces
[2] = onefs_init_ace(fsp
->conn
, file_mode
, false, OTH
);
562 new_aces
[3] = onefs_init_ace(fsp
->conn
, dir_mode
, true, USR
);
563 new_aces
[4] = onefs_init_ace(fsp
->conn
, dir_mode
, true, GRP
);
564 new_aces
[5] = onefs_init_ace(fsp
->conn
, dir_mode
, true, OTH
);
566 for (i
= 0; i
< 6; i
++)
567 if (new_aces
[i
].access_mask
!= 0)
570 /* Expand the ACEs array */
571 if (num_aces_to_add
!= 0) {
572 old_aces
= sd
->dacl
->aces
;
574 sd
->dacl
->aces
= SMB_MALLOC_ARRAY(struct ifs_ace
,
575 sd
->dacl
->num_aces
+ num_aces_to_add
);
576 if (!sd
->dacl
->aces
) {
577 DEBUG(0, ("Unable to malloc space for "
579 sd
->dacl
->num_aces
+ num_aces_to_add
));
582 memcpy(sd
->dacl
->aces
, old_aces
,
583 sizeof(struct ifs_ace
) * sd
->dacl
->num_aces
);
585 /* Add the new ACEs to the DACL. */
586 for (i
= 0; i
< 6; i
++) {
587 if (new_aces
[i
].access_mask
!= 0) {
588 sd
->dacl
->aces
[sd
->dacl
->num_aces
] =
590 sd
->dacl
->num_aces
++;
599 * Isilon-specific function for getting an NTFS ACL from an open file.
601 * @param[out] ppdesc SecDesc to allocate and fill in
603 * @return NTSTATUS based off errno on error
606 onefs_fget_nt_acl(vfs_handle_struct
*handle
, files_struct
*fsp
,
607 uint32 security_info
, struct security_descriptor
**ppdesc
)
610 uint32_t sd_size
= 0;
612 struct ifs_security_descriptor
*sd
= NULL
;
613 struct dom_sid owner_sid
, group_sid
;
614 struct dom_sid
*ownerp
, *groupp
;
615 struct security_acl
*dacl
, *sacl
;
616 struct security_descriptor
*pdesc
;
617 bool alloced
= false;
618 bool new_aces_alloced
= false;
619 bool fopened
= false;
620 NTSTATUS status
= NT_STATUS_OK
;
622 START_PROFILE(syscall_get_sd
);
626 DEBUG(5, ("Getting sd for file %s. security_info=%u\n",
627 fsp_str_dbg(fsp
), security_info
));
629 if (lp_parm_bool(SNUM(fsp
->conn
), PARM_ONEFS_TYPE
,
630 PARM_IGNORE_SACLS
, PARM_IGNORE_SACLS_DEFAULT
)) {
631 DEBUG(5, ("Ignoring SACL on %s.\n", fsp_str_dbg(fsp
)));
632 security_info
&= ~SECINFO_SACL
;
635 if (fsp
->fh
->fd
== -1) {
636 if ((fsp
->fh
->fd
= onefs_sys_create_file(handle
->conn
,
638 fsp
->fsp_name
->base_name
,
650 DEBUG(0, ("Error opening file %s. errno=%d (%s)\n",
651 fsp_str_dbg(fsp
), errno
, strerror(errno
)));
652 status
= map_nt_error_from_unix(errno
);
658 /* Get security descriptor */
661 /* Allocate memory for get_security_descriptor */
663 sd
= SMB_REALLOC(sd
, sd_size
);
665 DEBUG(0, ("Unable to malloc %u bytes of space "
666 "for security descriptor.\n", sd_size
));
667 status
= map_nt_error_from_unix(errno
);
674 error
= ifs_get_security_descriptor(fsp
->fh
->fd
, security_info
,
675 sd_size
, &sd_size
, sd
);
676 if (error
&& (errno
!= EMSGSIZE
)) {
677 DEBUG(0, ("Failed getting size of security descriptor! "
678 "errno=%d\n", errno
));
679 status
= map_nt_error_from_unix(errno
);
684 DEBUG(5, ("Got sd, size=%u:\n", sd_size
));
686 if (lp_parm_bool(SNUM(fsp
->conn
),
688 PARM_SIMPLE_FILE_SHARING_COMPATIBILITY_MODE
,
689 PARM_SIMPLE_FILE_SHARING_COMPATIBILITY_MODE_DEFAULT
) &&
691 if(!(new_aces_alloced
= add_sfs_aces(fsp
, sd
)))
695 if (!(onefs_canon_acl(fsp
, sd
))) {
696 status
= map_nt_error_from_unix(errno
);
700 DEBUG(5, ("Finished canonicalizing ACL\n"));
707 /* Copy owner into ppdesc */
708 if (security_info
& SECINFO_OWNER
) {
709 if (!onefs_identity_to_sid(sd
->owner
, &owner_sid
)) {
710 status
= NT_STATUS_INVALID_PARAMETER
;
717 /* Copy group into ppdesc */
718 if (security_info
& SECINFO_GROUP
) {
719 if (!onefs_identity_to_sid(sd
->group
, &group_sid
)) {
720 status
= NT_STATUS_INVALID_PARAMETER
;
727 /* Copy DACL into ppdesc */
728 if (security_info
& SECINFO_DACL
) {
729 if (!onefs_acl_to_samba_acl(sd
->dacl
, &dacl
)) {
730 status
= NT_STATUS_INVALID_PARAMETER
;
735 /* Copy SACL into ppdesc */
736 if (security_info
& SECINFO_SACL
) {
737 if (!onefs_acl_to_samba_acl(sd
->sacl
, &sacl
)) {
738 status
= NT_STATUS_INVALID_PARAMETER
;
743 /* AUTO_INHERIT_REQ bits are not returned over the wire so strip them
744 * off. Eventually we should stop storing these in the kernel
745 * all together. See Isilon bug 40364 */
746 sd
->control
&= ~(IFS_SD_CTRL_DACL_AUTO_INHERIT_REQ
|
747 IFS_SD_CTRL_SACL_AUTO_INHERIT_REQ
);
749 pdesc
= make_sec_desc(talloc_tos(), sd
->revision
, sd
->control
,
750 ownerp
, groupp
, sacl
, dacl
, &size
);
753 DEBUG(0, ("Problem with make_sec_desc. Memory?\n"));
754 status
= map_nt_error_from_unix(errno
);
760 DEBUG(5, ("Finished retrieving/canonicalizing SD!\n"));
764 END_PROFILE(syscall_get_sd
);
767 if (new_aces_alloced
&& sd
->dacl
->aces
)
768 SAFE_FREE(sd
->dacl
->aces
);
782 * Isilon-specific function for getting an NTFS ACL from a file path.
784 * Since onefs_fget_nt_acl() needs to open a filepath if the fd is invalid,
785 * we just mock up a files_struct with the path and bad fd and call into it.
787 * @param[out] ppdesc SecDesc to allocate and fill in
789 * @return NTSTATUS based off errno on error
792 onefs_get_nt_acl(vfs_handle_struct
*handle
, const char* name
,
793 uint32 security_info
, struct security_descriptor
**ppdesc
)
803 finfo
.conn
= handle
->conn
;
806 status
= create_synthetic_smb_fname(talloc_tos(), name
, NULL
, NULL
,
808 if (!NT_STATUS_IS_OK(status
)) {
812 status
= onefs_fget_nt_acl(handle
, &finfo
, security_info
, ppdesc
);
814 TALLOC_FREE(finfo
.fsp_name
);
819 * Isilon-specific function for setting up an ifs_security_descriptor, given a
820 * samba struct security_descriptor
822 * @param[out] sd ifs_security_descriptor to fill in
824 * @return NTSTATUS_OK if successful
826 NTSTATUS
onefs_samba_sd_to_sd(uint32_t security_info_sent
,
827 const struct security_descriptor
*psd
,
828 struct ifs_security_descriptor
*sd
, int snum
,
829 uint32_t *security_info_effective
)
831 struct ifs_security_acl
*daclp
, *saclp
;
832 struct ifs_identity owner
, group
, *ownerp
, *groupp
;
840 *security_info_effective
= security_info_sent
;
843 if (security_info_sent
& SECINFO_OWNER
) {
844 if (!onefs_og_to_identity(psd
->owner_sid
, &owner
, false, snum
))
845 return NT_STATUS_ACCESS_DENIED
;
847 SMB_ASSERT(owner
.id
.uid
>= 0);
853 if (security_info_sent
& SECINFO_GROUP
) {
854 if (!onefs_og_to_identity(psd
->group_sid
, &group
, true, snum
))
855 return NT_STATUS_ACCESS_DENIED
;
857 SMB_ASSERT(group
.id
.gid
>= 0);
863 if ((security_info_sent
& SECINFO_DACL
) && (psd
->dacl
)) {
864 if (!onefs_samba_acl_to_acl(psd
->dacl
, &daclp
, &ignore_aces
,
866 return NT_STATUS_ACCESS_DENIED
;
868 if (ignore_aces
== true)
869 *security_info_effective
&= ~SECINFO_DACL
;
873 if (security_info_sent
& SECINFO_SACL
) {
875 if (lp_parm_bool(snum
, PARM_ONEFS_TYPE
,
876 PARM_IGNORE_SACLS
, PARM_IGNORE_SACLS_DEFAULT
)) {
877 DEBUG(5, ("Ignoring SACL.\n"));
878 *security_info_effective
&= ~SECINFO_SACL
;
881 if (!onefs_samba_acl_to_acl(psd
->sacl
,
882 &saclp
, &ignore_aces
, snum
))
883 return NT_STATUS_ACCESS_DENIED
;
885 if (ignore_aces
== true) {
886 *security_info_effective
&=
893 /* Setup ifs_security_descriptor */
894 DEBUG(5,("Setting up SD\n"));
895 if (aclu_initialize_sd(sd
, psd
->type
, ownerp
, groupp
,
896 (daclp
? &daclp
: NULL
), (saclp
? &saclp
: NULL
), false))
897 return NT_STATUS_ACCESS_DENIED
;
899 DEBUG(10, ("sec_info_sent: 0x%x, sec_info_effective: 0x%x.\n",
900 security_info_sent
, *security_info_effective
));
906 * Isilon-specific function for setting an NTFS ACL on an open file.
908 * @return NT_STATUS_UNSUCCESSFUL for userspace errors, NTSTATUS based off
909 * errno on syscall errors
912 onefs_fset_nt_acl(vfs_handle_struct
*handle
, files_struct
*fsp
,
913 uint32_t sec_info_sent
, const struct security_descriptor
*psd
)
915 struct ifs_security_descriptor sd
= {};
917 bool fopened
= false;
919 uint32_t sec_info_effective
= 0;
921 START_PROFILE(syscall_set_sd
);
923 DEBUG(5,("Setting SD on file %s.\n", fsp_str_dbg(fsp
)));
925 status
= onefs_samba_sd_to_sd(sec_info_sent
, psd
, &sd
,
926 SNUM(handle
->conn
), &sec_info_effective
);
928 if (!NT_STATUS_IS_OK(status
)) {
929 DEBUG(3, ("SD initialization failure: %s\n", nt_errstr(status
)));
935 DEBUG(10,("Reopening file %s.\n", fsp_str_dbg(fsp
)));
936 if ((fd
= onefs_sys_create_file(handle
->conn
,
938 fsp
->fsp_name
->base_name
,
950 DEBUG(0, ("Error opening file %s. errno=%d (%s)\n",
951 fsp_str_dbg(fsp
), errno
, strerror(errno
)));
952 status
= map_nt_error_from_unix(errno
);
959 if (ifs_set_security_descriptor(fd
, sec_info_effective
, &sd
)) {
960 DEBUG(0, ("Error setting security descriptor = %s\n",
962 status
= map_nt_error_from_unix(errno
);
966 DEBUG(5, ("Security descriptor set correctly!\n"));
967 status
= NT_STATUS_OK
;
971 END_PROFILE(syscall_set_sd
);
976 aclu_free_sd(&sd
, false);