2 * Store Windows ACLs in data store - common functions.
3 * #included into modules/vfs_acl_xattr.c and modules/vfs_acl_tdb.c
5 * Copyright (C) Volker Lendecke, 2008
6 * Copyright (C) Jeremy Allison, 2009
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "smbd/smbd.h"
23 #include "system/filesys.h"
24 #include "../libcli/security/security.h"
25 #include "../librpc/gen_ndr/ndr_security.h"
26 #include "../lib/util/bitmap.h"
28 static NTSTATUS
create_acl_blob(const struct security_descriptor
*psd
,
31 uint8_t hash
[XATTR_SD_HASH_SIZE
]);
33 static NTSTATUS
get_acl_blob(TALLOC_CTX
*ctx
,
34 vfs_handle_struct
*handle
,
39 static NTSTATUS
store_acl_blob_fsp(vfs_handle_struct
*handle
,
43 #define HASH_SECURITY_INFO (SECINFO_OWNER | \
48 /*******************************************************************
49 Hash a security descriptor.
50 *******************************************************************/
52 static NTSTATUS
hash_blob_sha256(DATA_BLOB blob
,
57 memset(hash
, '\0', XATTR_SD_HASH_SIZE
);
59 samba_SHA256_Init(&tctx
);
60 samba_SHA256_Update(&tctx
, blob
.data
, blob
.length
);
61 samba_SHA256_Final(hash
, &tctx
);
66 /*******************************************************************
67 Hash a security descriptor.
68 *******************************************************************/
70 static NTSTATUS
hash_sd_sha256(struct security_descriptor
*psd
,
76 memset(hash
, '\0', XATTR_SD_HASH_SIZE
);
77 status
= create_acl_blob(psd
, &blob
, XATTR_SD_HASH_TYPE_SHA256
, hash
);
78 if (!NT_STATUS_IS_OK(status
)) {
81 return hash_blob_sha256(blob
, hash
);
84 /*******************************************************************
85 Parse out a struct security_descriptor from a DATA_BLOB.
86 *******************************************************************/
88 static NTSTATUS
parse_acl_blob(const DATA_BLOB
*pblob
,
90 struct security_descriptor
**ppdesc
,
91 uint16_t *p_hash_type
,
93 uint8_t hash
[XATTR_SD_HASH_SIZE
],
94 uint8_t sys_acl_hash
[XATTR_SD_HASH_SIZE
])
96 struct xattr_NTACL xacl
;
97 enum ndr_err_code ndr_err
;
99 TALLOC_CTX
*frame
= talloc_stackframe();
101 ndr_err
= ndr_pull_struct_blob(pblob
, frame
, &xacl
,
102 (ndr_pull_flags_fn_t
)ndr_pull_xattr_NTACL
);
104 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
105 DEBUG(5, ("parse_acl_blob: ndr_pull_xattr_NTACL failed: %s\n",
106 ndr_errstr(ndr_err
)));
108 return ndr_map_error2ntstatus(ndr_err
);
111 *p_version
= xacl
.version
;
113 switch (xacl
.version
) {
115 *ppdesc
= make_sec_desc(mem_ctx
, SD_REVISION
,
116 xacl
.info
.sd
->type
| SEC_DESC_SELF_RELATIVE
,
117 xacl
.info
.sd
->owner_sid
,
118 xacl
.info
.sd
->group_sid
,
122 /* No hash - null out. */
123 *p_hash_type
= XATTR_SD_HASH_TYPE_NONE
;
124 memset(hash
, '\0', XATTR_SD_HASH_SIZE
);
127 *ppdesc
= make_sec_desc(mem_ctx
, SD_REVISION
,
128 xacl
.info
.sd_hs2
->sd
->type
| SEC_DESC_SELF_RELATIVE
,
129 xacl
.info
.sd_hs2
->sd
->owner_sid
,
130 xacl
.info
.sd_hs2
->sd
->group_sid
,
131 xacl
.info
.sd_hs2
->sd
->sacl
,
132 xacl
.info
.sd_hs2
->sd
->dacl
,
134 /* No hash - null out. */
135 *p_hash_type
= XATTR_SD_HASH_TYPE_NONE
;
136 memset(hash
, '\0', XATTR_SD_HASH_SIZE
);
139 *ppdesc
= make_sec_desc(mem_ctx
, SD_REVISION
,
140 xacl
.info
.sd_hs3
->sd
->type
| SEC_DESC_SELF_RELATIVE
,
141 xacl
.info
.sd_hs3
->sd
->owner_sid
,
142 xacl
.info
.sd_hs3
->sd
->group_sid
,
143 xacl
.info
.sd_hs3
->sd
->sacl
,
144 xacl
.info
.sd_hs3
->sd
->dacl
,
146 *p_hash_type
= xacl
.info
.sd_hs3
->hash_type
;
147 /* Current version 3 (if no sys acl hash available). */
148 memcpy(hash
, xacl
.info
.sd_hs3
->hash
, XATTR_SD_HASH_SIZE
);
151 *ppdesc
= make_sec_desc(mem_ctx
, SD_REVISION
,
152 xacl
.info
.sd_hs4
->sd
->type
| SEC_DESC_SELF_RELATIVE
,
153 xacl
.info
.sd_hs4
->sd
->owner_sid
,
154 xacl
.info
.sd_hs4
->sd
->group_sid
,
155 xacl
.info
.sd_hs4
->sd
->sacl
,
156 xacl
.info
.sd_hs4
->sd
->dacl
,
158 *p_hash_type
= xacl
.info
.sd_hs4
->hash_type
;
159 /* Current version 4. */
160 memcpy(hash
, xacl
.info
.sd_hs4
->hash
, XATTR_SD_HASH_SIZE
);
161 memcpy(sys_acl_hash
, xacl
.info
.sd_hs4
->sys_acl_hash
, XATTR_SD_HASH_SIZE
);
165 return NT_STATUS_REVISION_MISMATCH
;
170 return (*ppdesc
!= NULL
) ? NT_STATUS_OK
: NT_STATUS_NO_MEMORY
;
173 /*******************************************************************
174 Create a DATA_BLOB from a hash of the security descriptor storead at
175 the system layer and the NT ACL we wish to preserve
176 *******************************************************************/
178 static NTSTATUS
create_acl_blob(const struct security_descriptor
*psd
,
181 uint8_t hash
[XATTR_SD_HASH_SIZE
])
183 struct xattr_NTACL xacl
;
184 struct security_descriptor_hash_v3 sd_hs3
;
185 enum ndr_err_code ndr_err
;
186 TALLOC_CTX
*ctx
= talloc_tos();
192 xacl
.info
.sd_hs3
= &sd_hs3
;
193 xacl
.info
.sd_hs3
->sd
= discard_const_p(struct security_descriptor
, psd
);
194 xacl
.info
.sd_hs3
->hash_type
= hash_type
;
195 memcpy(&xacl
.info
.sd_hs3
->hash
[0], hash
, XATTR_SD_HASH_SIZE
);
197 ndr_err
= ndr_push_struct_blob(
199 (ndr_push_flags_fn_t
)ndr_push_xattr_NTACL
);
201 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
202 DEBUG(5, ("create_acl_blob: ndr_push_xattr_NTACL failed: %s\n",
203 ndr_errstr(ndr_err
)));
204 return ndr_map_error2ntstatus(ndr_err
);
210 /*******************************************************************
211 Create a DATA_BLOB from a hash of the security descriptors
212 (system and NT) stored at the system layer and the NT ACL we wish
214 *******************************************************************/
216 static NTSTATUS
create_sys_acl_blob(const struct security_descriptor
*psd
,
219 uint8_t hash
[XATTR_SD_HASH_SIZE
],
220 const char *description
,
221 uint8_t sys_acl_hash
[XATTR_SD_HASH_SIZE
])
223 struct xattr_NTACL xacl
;
224 struct security_descriptor_hash_v4 sd_hs4
;
225 enum ndr_err_code ndr_err
;
226 TALLOC_CTX
*ctx
= talloc_tos();
228 struct timeval now
= timeval_current();
229 nttime_now
= timeval_to_nttime(&now
);
235 xacl
.info
.sd_hs4
= &sd_hs4
;
236 xacl
.info
.sd_hs4
->sd
= discard_const_p(struct security_descriptor
, psd
);
237 xacl
.info
.sd_hs4
->hash_type
= hash_type
;
238 memcpy(&xacl
.info
.sd_hs4
->hash
[0], hash
, XATTR_SD_HASH_SIZE
);
239 xacl
.info
.sd_hs4
->description
= description
;
240 xacl
.info
.sd_hs4
->time
= nttime_now
;
241 memcpy(&xacl
.info
.sd_hs4
->sys_acl_hash
[0], sys_acl_hash
, XATTR_SD_HASH_SIZE
);
243 ndr_err
= ndr_push_struct_blob(
245 (ndr_push_flags_fn_t
)ndr_push_xattr_NTACL
);
247 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
248 DEBUG(5, ("create_acl_blob: ndr_push_xattr_NTACL failed: %s\n",
249 ndr_errstr(ndr_err
)));
250 return ndr_map_error2ntstatus(ndr_err
);
256 /*******************************************************************
257 Add in 3 inheritable components for a non-inheritable directory ACL.
258 CREATOR_OWNER/CREATOR_GROUP/WORLD.
259 *******************************************************************/
261 static NTSTATUS
add_directory_inheritable_components(vfs_handle_struct
*handle
,
263 SMB_STRUCT_STAT
*psbuf
,
264 struct security_descriptor
*psd
)
266 struct connection_struct
*conn
= handle
->conn
;
267 int num_aces
= (psd
->dacl
? psd
->dacl
->num_aces
: 0);
268 struct smb_filename smb_fname
;
269 enum security_ace_type acltype
;
270 uint32_t access_mask
;
274 struct security_ace
*new_ace_list
;
277 new_ace_list
= talloc_zero_array(psd
->dacl
,
282 * make_sec_acl() at the bottom of this function
283 * dupliates new_ace_list
285 new_ace_list
= talloc_zero_array(talloc_tos(),
290 if (new_ace_list
== NULL
) {
291 return NT_STATUS_NO_MEMORY
;
294 /* Fake a quick smb_filename. */
295 ZERO_STRUCT(smb_fname
);
296 smb_fname
.st
= *psbuf
;
297 smb_fname
.base_name
= discard_const_p(char, name
);
299 dir_mode
= unix_mode(conn
,
300 FILE_ATTRIBUTE_DIRECTORY
, &smb_fname
, NULL
);
301 file_mode
= unix_mode(conn
,
302 FILE_ATTRIBUTE_ARCHIVE
, &smb_fname
, NULL
);
304 mode
= dir_mode
| file_mode
;
306 DEBUG(10, ("add_directory_inheritable_components: directory %s, "
309 (unsigned int)mode
));
312 memcpy(new_ace_list
, psd
->dacl
->aces
,
313 num_aces
* sizeof(struct security_ace
));
315 access_mask
= map_canon_ace_perms(SNUM(conn
), &acltype
,
318 init_sec_ace(&new_ace_list
[num_aces
],
319 &global_sid_Creator_Owner
,
322 SEC_ACE_FLAG_CONTAINER_INHERIT
|
323 SEC_ACE_FLAG_OBJECT_INHERIT
|
324 SEC_ACE_FLAG_INHERIT_ONLY
);
325 access_mask
= map_canon_ace_perms(SNUM(conn
), &acltype
,
326 (mode
<< 3) & 0700, false);
327 init_sec_ace(&new_ace_list
[num_aces
+1],
328 &global_sid_Creator_Group
,
331 SEC_ACE_FLAG_CONTAINER_INHERIT
|
332 SEC_ACE_FLAG_OBJECT_INHERIT
|
333 SEC_ACE_FLAG_INHERIT_ONLY
);
334 access_mask
= map_canon_ace_perms(SNUM(conn
), &acltype
,
335 (mode
<< 6) & 0700, false);
336 init_sec_ace(&new_ace_list
[num_aces
+2],
340 SEC_ACE_FLAG_CONTAINER_INHERIT
|
341 SEC_ACE_FLAG_OBJECT_INHERIT
|
342 SEC_ACE_FLAG_INHERIT_ONLY
);
344 psd
->dacl
->aces
= new_ace_list
;
345 psd
->dacl
->num_aces
+= 3;
346 psd
->dacl
->size
+= new_ace_list
[num_aces
].size
+
347 new_ace_list
[num_aces
+1].size
+
348 new_ace_list
[num_aces
+2].size
;
350 psd
->dacl
= make_sec_acl(psd
,
354 if (psd
->dacl
== NULL
) {
355 return NT_STATUS_NO_MEMORY
;
361 /*******************************************************************
362 Pull a DATA_BLOB from an xattr given a pathname.
363 If the hash doesn't match, or doesn't exist - return the underlying
365 *******************************************************************/
367 static NTSTATUS
get_nt_acl_internal(vfs_handle_struct
*handle
,
370 uint32_t security_info
,
372 struct security_descriptor
**ppdesc
)
374 DATA_BLOB blob
= data_blob_null
;
376 uint16_t hash_type
= XATTR_SD_HASH_TYPE_NONE
;
377 uint16_t xattr_version
= 0;
378 uint8_t hash
[XATTR_SD_HASH_SIZE
];
379 uint8_t sys_acl_hash
[XATTR_SD_HASH_SIZE
];
380 uint8_t hash_tmp
[XATTR_SD_HASH_SIZE
];
381 uint8_t sys_acl_hash_tmp
[XATTR_SD_HASH_SIZE
];
382 struct security_descriptor
*psd
= NULL
;
383 struct security_descriptor
*pdesc_next
= NULL
;
384 bool ignore_file_system_acl
= lp_parm_bool(SNUM(handle
->conn
),
386 "ignore system acls",
388 TALLOC_CTX
*frame
= talloc_stackframe();
390 if (fsp
&& name
== NULL
) {
391 name
= fsp
->fsp_name
->base_name
;
394 DEBUG(10, ("get_nt_acl_internal: name=%s\n", name
));
396 status
= get_acl_blob(frame
, handle
, fsp
, name
, &blob
);
397 if (!NT_STATUS_IS_OK(status
)) {
398 DEBUG(10, ("get_nt_acl_internal: get_acl_blob returned %s\n",
403 status
= parse_acl_blob(&blob
, mem_ctx
, &psd
,
404 &hash_type
, &xattr_version
, &hash
[0], &sys_acl_hash
[0]);
405 if (!NT_STATUS_IS_OK(status
)) {
406 DEBUG(10, ("parse_acl_blob returned %s\n",
413 /* Ensure we don't leak psd if we don't choose it.
415 * We don't allocate it onto frame as it is preferred not to
416 * steal from a talloc pool.
418 talloc_steal(frame
, psd
);
420 /* determine which type of xattr we got */
421 switch (xattr_version
) {
424 /* These xattr types are unilatteral, they do not
425 * require confirmation of the hash. In particular,
426 * the NTVFS file server uses version 1, but
427 * 'samba-tool ntacl' can set these as well */
431 if (ignore_file_system_acl
) {
437 DEBUG(10, ("get_nt_acl_internal: ACL blob revision "
438 "mismatch (%u) for file %s\n",
439 (unsigned int)hash_type
,
446 /* determine which type of xattr we got */
447 if (hash_type
!= XATTR_SD_HASH_TYPE_SHA256
) {
448 DEBUG(10, ("get_nt_acl_internal: ACL blob hash type "
449 "(%u) unexpected for file %s\n",
450 (unsigned int)hash_type
,
457 /* determine which type of xattr we got */
458 switch (xattr_version
) {
462 char *sys_acl_blob_description
;
463 DATA_BLOB sys_acl_blob
;
465 /* Get the full underlying sd, then hash. */
466 ret
= SMB_VFS_NEXT_SYS_ACL_BLOB_GET_FD(handle
,
469 &sys_acl_blob_description
,
472 /* Get the full underlying sd, then hash. */
473 ret
= SMB_VFS_NEXT_SYS_ACL_BLOB_GET_FILE(handle
,
476 &sys_acl_blob_description
,
480 /* If we fail to get the ACL blob (for some reason) then this
481 * is not fatal, we just work based on the NT ACL only */
483 status
= hash_blob_sha256(sys_acl_blob
, sys_acl_hash_tmp
);
484 if (!NT_STATUS_IS_OK(status
)) {
489 if (memcmp(&sys_acl_hash
[0], &sys_acl_hash_tmp
[0],
490 XATTR_SD_HASH_SIZE
) == 0) {
491 /* Hash matches, return blob sd. */
492 DEBUG(10, ("get_nt_acl_internal: blob hash "
493 "matches for file %s\n",
499 /* Otherwise, fall though and see if the NT ACL hash matches */
502 /* Get the full underlying sd for the hash
503 or to return as backup. */
505 status
= SMB_VFS_NEXT_FGET_NT_ACL(handle
,
511 status
= SMB_VFS_NEXT_GET_NT_ACL(handle
,
518 if (!NT_STATUS_IS_OK(status
)) {
519 DEBUG(10, ("get_nt_acl_internal: get_next_acl for file %s "
527 /* Ensure we don't leak psd_next if we don't choose it.
529 * We don't allocate it onto frame as it is preferred not to
530 * steal from a talloc pool.
532 talloc_steal(frame
, pdesc_next
);
534 status
= hash_sd_sha256(pdesc_next
, hash_tmp
);
535 if (!NT_STATUS_IS_OK(status
)) {
541 if (memcmp(&hash
[0], &hash_tmp
[0], XATTR_SD_HASH_SIZE
) == 0) {
542 /* Hash matches, return blob sd. */
543 DEBUG(10, ("get_nt_acl_internal: blob hash "
544 "matches for file %s\n",
549 /* Hash doesn't match, return underlying sd. */
550 DEBUG(10, ("get_nt_acl_internal: blob hash "
551 "does not match for file %s - returning "
552 "file system SD mapping.\n",
555 if (DEBUGLEVEL
>= 10) {
556 DEBUG(10,("get_nt_acl_internal: acl for blob hash for %s is:\n",
558 NDR_PRINT_DEBUG(security_descriptor
, pdesc_next
);
567 /* Get the full underlying sd, as we failed to get the
568 * blob for the hash, or the revision/hash type wasn't
571 status
= SMB_VFS_NEXT_FGET_NT_ACL(handle
,
577 status
= SMB_VFS_NEXT_GET_NT_ACL(handle
,
584 if (!NT_STATUS_IS_OK(status
)) {
585 DEBUG(10, ("get_nt_acl_internal: get_next_acl for file %s "
593 /* Ensure we don't leak psd_next if we don't choose it.
595 * We don't allocate it onto frame as it is preferred not to
596 * steal from a talloc pool.
598 talloc_steal(frame
, pdesc_next
);
602 if (psd
!= pdesc_next
) {
603 /* We're returning the blob, throw
604 * away the filesystem SD. */
605 TALLOC_FREE(pdesc_next
);
607 SMB_STRUCT_STAT sbuf
;
608 SMB_STRUCT_STAT
*psbuf
= &sbuf
;
609 bool is_directory
= false;
611 * We're returning the underlying ACL from the
612 * filesystem. If it's a directory, and has no
613 * inheritable ACE entries we have to fake them.
616 status
= vfs_stat_fsp(fsp
);
617 if (!NT_STATUS_IS_OK(status
)) {
621 psbuf
= &fsp
->fsp_name
->st
;
623 int ret
= vfs_stat_smb_fname(handle
->conn
,
628 return map_nt_error_from_unix(errno
);
631 is_directory
= S_ISDIR(psbuf
->st_ex_mode
);
633 if (ignore_file_system_acl
) {
634 TALLOC_FREE(pdesc_next
);
635 status
= make_default_filesystem_acl(mem_ctx
,
639 if (!NT_STATUS_IS_OK(status
)) {
645 !sd_has_inheritable_components(psd
,
647 status
= add_directory_inheritable_components(
652 if (!NT_STATUS_IS_OK(status
)) {
657 /* The underlying POSIX module always sets
658 the ~SEC_DESC_DACL_PROTECTED bit, as ACLs
659 can't be inherited in this way under POSIX.
660 Remove it for Windows-style ACLs. */
661 psd
->type
&= ~SEC_DESC_DACL_PROTECTED
;
665 if (!(security_info
& SECINFO_OWNER
)) {
666 psd
->owner_sid
= NULL
;
668 if (!(security_info
& SECINFO_GROUP
)) {
669 psd
->group_sid
= NULL
;
671 if (!(security_info
& SECINFO_DACL
)) {
672 psd
->type
&= ~SEC_DESC_DACL_PRESENT
;
675 if (!(security_info
& SECINFO_SACL
)) {
676 psd
->type
&= ~SEC_DESC_SACL_PRESENT
;
680 TALLOC_FREE(blob
.data
);
682 if (DEBUGLEVEL
>= 10) {
683 DEBUG(10,("get_nt_acl_internal: returning acl for %s is:\n",
685 NDR_PRINT_DEBUG(security_descriptor
, psd
);
688 /* The VFS API is that the ACL is expected to be on mem_ctx */
689 *ppdesc
= talloc_move(mem_ctx
, &psd
);
695 /*********************************************************************
696 Fetch a security descriptor given an fsp.
697 *********************************************************************/
699 static NTSTATUS
fget_nt_acl_common(vfs_handle_struct
*handle
,
701 uint32_t security_info
,
703 struct security_descriptor
**ppdesc
)
705 return get_nt_acl_internal(handle
, fsp
,
706 NULL
, security_info
, mem_ctx
, ppdesc
);
709 /*********************************************************************
710 Fetch a security descriptor given a pathname.
711 *********************************************************************/
713 static NTSTATUS
get_nt_acl_common(vfs_handle_struct
*handle
,
715 uint32_t security_info
,
717 struct security_descriptor
**ppdesc
)
719 return get_nt_acl_internal(handle
, NULL
,
720 name
, security_info
, mem_ctx
, ppdesc
);
723 /*********************************************************************
724 Store a security descriptor given an fsp.
725 *********************************************************************/
727 static NTSTATUS
fset_nt_acl_common(vfs_handle_struct
*handle
, files_struct
*fsp
,
728 uint32_t security_info_sent
, const struct security_descriptor
*orig_psd
)
732 DATA_BLOB blob
, sys_acl_blob
;
733 struct security_descriptor
*pdesc_next
= NULL
;
734 struct security_descriptor
*psd
= NULL
;
735 uint8_t hash
[XATTR_SD_HASH_SIZE
];
736 uint8_t sys_acl_hash
[XATTR_SD_HASH_SIZE
];
737 bool chown_needed
= false;
738 char *sys_acl_description
;
739 TALLOC_CTX
*frame
= talloc_stackframe();
741 if (DEBUGLEVEL
>= 10) {
742 DEBUG(10,("fset_nt_acl_xattr: incoming sd for file %s\n",
744 NDR_PRINT_DEBUG(security_descriptor
,
745 discard_const_p(struct security_descriptor
, orig_psd
));
748 status
= get_nt_acl_internal(handle
, fsp
,
750 SECINFO_OWNER
|SECINFO_GROUP
|SECINFO_DACL
|SECINFO_SACL
,
754 if (!NT_STATUS_IS_OK(status
)) {
759 psd
->revision
= orig_psd
->revision
;
760 /* All our SD's are self relative. */
761 psd
->type
= orig_psd
->type
| SEC_DESC_SELF_RELATIVE
;
763 if ((security_info_sent
& SECINFO_OWNER
) && (orig_psd
->owner_sid
!= NULL
)) {
764 if (!dom_sid_equal(orig_psd
->owner_sid
, psd
->owner_sid
)) {
765 /* We're changing the owner. */
768 psd
->owner_sid
= orig_psd
->owner_sid
;
770 if ((security_info_sent
& SECINFO_GROUP
) && (orig_psd
->group_sid
!= NULL
)) {
771 if (!dom_sid_equal(orig_psd
->group_sid
, psd
->group_sid
)) {
772 /* We're changing the group. */
775 psd
->group_sid
= orig_psd
->group_sid
;
777 if (security_info_sent
& SECINFO_DACL
) {
778 psd
->dacl
= orig_psd
->dacl
;
779 psd
->type
|= SEC_DESC_DACL_PRESENT
;
781 if (security_info_sent
& SECINFO_SACL
) {
782 psd
->sacl
= orig_psd
->sacl
;
783 psd
->type
|= SEC_DESC_SACL_PRESENT
;
786 status
= SMB_VFS_NEXT_FSET_NT_ACL(handle
, fsp
, security_info_sent
, psd
);
787 if (!NT_STATUS_IS_OK(status
)) {
788 if (!NT_STATUS_EQUAL(status
, NT_STATUS_ACCESS_DENIED
)) {
792 /* We got access denied here. If we're already root,
793 or we didn't need to do a chown, or the fsp isn't
794 open with WRITE_OWNER access, just return. */
795 if (get_current_uid(handle
->conn
) == 0 ||
796 chown_needed
== false ||
797 !(fsp
->access_mask
& SEC_STD_WRITE_OWNER
)) {
799 return NT_STATUS_ACCESS_DENIED
;
802 DEBUG(10,("fset_nt_acl_common: overriding chown on file %s "
805 sid_string_tos(psd
->owner_sid
)
808 /* Ok, we failed to chown and we have
809 SEC_STD_WRITE_OWNER access - override. */
811 status
= SMB_VFS_NEXT_FSET_NT_ACL(handle
, fsp
,
812 security_info_sent
, psd
);
814 if (!NT_STATUS_IS_OK(status
)) {
820 /* Get the full underlying sd, then hash. */
821 status
= SMB_VFS_NEXT_FGET_NT_ACL(handle
,
827 if (!NT_STATUS_IS_OK(status
)) {
832 status
= hash_sd_sha256(pdesc_next
, hash
);
833 if (!NT_STATUS_IS_OK(status
)) {
838 /* Get the full underlying sd, then hash. */
839 ret
= SMB_VFS_NEXT_SYS_ACL_BLOB_GET_FD(handle
,
842 &sys_acl_description
,
845 /* If we fail to get the ACL blob (for some reason) then this
846 * is not fatal, we just work based on the NT ACL only */
848 if (DEBUGLEVEL
>= 10) {
849 DEBUG(10,("fset_nt_acl_xattr: storing xattr sd for file %s\n",
851 NDR_PRINT_DEBUG(security_descriptor
,
852 discard_const_p(struct security_descriptor
, psd
));
854 DEBUG(10,("fset_nt_acl_xattr: storing has in xattr sd based on \n"));
855 NDR_PRINT_DEBUG(security_descriptor
,
856 discard_const_p(struct security_descriptor
, pdesc_next
));
858 status
= create_acl_blob(psd
, &blob
, XATTR_SD_HASH_TYPE_SHA256
, hash
);
859 if (!NT_STATUS_IS_OK(status
)) {
860 DEBUG(10, ("fset_nt_acl_xattr: create_acl_blob failed\n"));
865 status
= store_acl_blob_fsp(handle
, fsp
, &blob
);
871 status
= hash_blob_sha256(sys_acl_blob
, sys_acl_hash
);
872 if (!NT_STATUS_IS_OK(status
)) {
877 if (DEBUGLEVEL
>= 10) {
878 DEBUG(10,("fset_nt_acl_xattr: storing xattr sd for file %s based on system ACL\n",
880 NDR_PRINT_DEBUG(security_descriptor
,
881 discard_const_p(struct security_descriptor
, psd
));
883 DEBUG(10,("fset_nt_acl_xattr: storing hash in xattr sd based on system ACL and:\n"));
884 NDR_PRINT_DEBUG(security_descriptor
,
885 discard_const_p(struct security_descriptor
, pdesc_next
));
888 /* We store hashes of both the sys ACL blob and the NT
889 * security desciptor mapped from that ACL so as to improve
890 * our chances against some inadvertant change breaking the
892 status
= create_sys_acl_blob(psd
, &blob
, XATTR_SD_HASH_TYPE_SHA256
, hash
,
893 sys_acl_description
, sys_acl_hash
);
894 if (!NT_STATUS_IS_OK(status
)) {
895 DEBUG(10, ("fset_nt_acl_xattr: create_sys_acl_blob failed\n"));
900 status
= store_acl_blob_fsp(handle
, fsp
, &blob
);
906 static int acl_common_remove_object(vfs_handle_struct
*handle
,
910 connection_struct
*conn
= handle
->conn
;
912 files_struct
*fsp
= NULL
;
914 char *parent_dir
= NULL
;
915 const char *final_component
= NULL
;
916 struct smb_filename local_fname
;
918 char *saved_dir
= NULL
;
920 saved_dir
= vfs_GetWd(talloc_tos(),conn
);
926 if (!parent_dirname(talloc_tos(), path
,
927 &parent_dir
, &final_component
)) {
928 saved_errno
= ENOMEM
;
932 DEBUG(10,("acl_common_remove_object: removing %s %s/%s\n",
933 is_directory
? "directory" : "file",
934 parent_dir
, final_component
));
936 /* cd into the parent dir to pin it. */
937 ret
= vfs_ChDir(conn
, parent_dir
);
943 ZERO_STRUCT(local_fname
);
944 local_fname
.base_name
= discard_const_p(char, final_component
);
946 /* Must use lstat here. */
947 ret
= SMB_VFS_LSTAT(conn
, &local_fname
);
953 /* Ensure we have this file open with DELETE access. */
954 id
= vfs_file_id_from_sbuf(conn
, &local_fname
.st
);
955 for (fsp
= file_find_di_first(conn
->sconn
, id
); fsp
;
956 fsp
= file_find_di_next(fsp
)) {
957 if (fsp
->access_mask
& DELETE_ACCESS
&&
958 fsp
->delete_on_close
) {
959 /* We did open this for delete,
960 * allow the delete as root.
967 DEBUG(10,("acl_common_remove_object: %s %s/%s "
968 "not an open file\n",
969 is_directory
? "directory" : "file",
970 parent_dir
, final_component
));
971 saved_errno
= EACCES
;
977 ret
= SMB_VFS_NEXT_RMDIR(handle
, final_component
);
979 ret
= SMB_VFS_NEXT_UNLINK(handle
, &local_fname
);
989 TALLOC_FREE(parent_dir
);
992 vfs_ChDir(conn
, saved_dir
);
1000 static int rmdir_acl_common(struct vfs_handle_struct
*handle
,
1005 /* Try the normal rmdir first. */
1006 ret
= SMB_VFS_NEXT_RMDIR(handle
, path
);
1010 if (errno
== EACCES
|| errno
== EPERM
) {
1011 /* Failed due to access denied,
1012 see if we need to root override. */
1013 return acl_common_remove_object(handle
,
1018 DEBUG(10,("rmdir_acl_common: unlink of %s failed %s\n",
1024 static int unlink_acl_common(struct vfs_handle_struct
*handle
,
1025 const struct smb_filename
*smb_fname
)
1029 /* Try the normal unlink first. */
1030 ret
= SMB_VFS_NEXT_UNLINK(handle
, smb_fname
);
1034 if (errno
== EACCES
|| errno
== EPERM
) {
1035 /* Failed due to access denied,
1036 see if we need to root override. */
1038 /* Don't do anything fancy for streams. */
1039 if (smb_fname
->stream_name
) {
1042 return acl_common_remove_object(handle
,
1043 smb_fname
->base_name
,
1047 DEBUG(10,("unlink_acl_common: unlink of %s failed %s\n",
1048 smb_fname
->base_name
,
1053 static int chmod_acl_module_common(struct vfs_handle_struct
*handle
,
1054 const char *path
, mode_t mode
)
1056 if (lp_posix_pathnames()) {
1057 /* Only allow this on POSIX pathnames. */
1058 return SMB_VFS_NEXT_CHMOD(handle
, path
, mode
);
1063 static int fchmod_acl_module_common(struct vfs_handle_struct
*handle
,
1064 struct files_struct
*fsp
, mode_t mode
)
1066 if (fsp
->posix_open
) {
1067 /* Only allow this on POSIX opens. */
1068 return SMB_VFS_NEXT_FCHMOD(handle
, fsp
, mode
);
1073 static int chmod_acl_acl_module_common(struct vfs_handle_struct
*handle
,
1074 const char *name
, mode_t mode
)
1076 if (lp_posix_pathnames()) {
1077 /* Only allow this on POSIX pathnames. */
1078 return SMB_VFS_NEXT_CHMOD_ACL(handle
, name
, mode
);
1083 static int fchmod_acl_acl_module_common(struct vfs_handle_struct
*handle
,
1084 struct files_struct
*fsp
, mode_t mode
)
1086 if (fsp
->posix_open
) {
1087 /* Only allow this on POSIX opens. */
1088 return SMB_VFS_NEXT_FCHMOD_ACL(handle
, fsp
, mode
);