2 * Convert AFS acls to NT acls and vice versa.
4 * Copyright (C) Volker Lendecke, 2003
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
23 #define DBGC_CLASS DBGC_VFS
28 #include <afs/venus.h>
29 #include <afs/prs_fs.h>
33 extern const DOM_SID global_sid_World
;
34 extern const DOM_SID global_sid_Builtin_Administrators
;
35 extern const DOM_SID global_sid_Builtin_Backup_Operators
;
36 extern const DOM_SID global_sid_Authenticated_Users
;
37 extern const DOM_SID global_sid_NULL
;
39 static char space_replacement
= '%';
41 /* Do we expect SIDs as pts names? */
44 extern int afs_syscall(int, char *, int, char *, int);
50 enum lsa_SidType type
;
59 struct afs_ace
*acelist
;
64 uint16 in_size
, out_size
;
68 static bool init_afs_acl(struct afs_acl
*acl
)
71 acl
->ctx
= talloc_init("afs_acl");
72 if (acl
->ctx
== NULL
) {
73 DEBUG(10, ("Could not init afs_acl"));
79 static void free_afs_acl(struct afs_acl
*acl
)
82 talloc_destroy(acl
->ctx
);
88 static struct afs_ace
*clone_afs_ace(TALLOC_CTX
*mem_ctx
, struct afs_ace
*ace
)
90 struct afs_ace
*result
= TALLOC_P(mem_ctx
, struct afs_ace
);
98 result
->name
= talloc_strdup(mem_ctx
, ace
->name
);
100 if (result
->name
== NULL
) {
107 static struct afs_ace
*new_afs_ace(TALLOC_CTX
*mem_ctx
,
109 const char *name
, uint32 rights
)
112 enum lsa_SidType type
;
113 struct afs_ace
*result
;
115 if (strcmp(name
, "system:administrators") == 0) {
117 sid_copy(&sid
, &global_sid_Builtin_Administrators
);
118 type
= SID_NAME_ALIAS
;
120 } else if (strcmp(name
, "system:anyuser") == 0) {
122 sid_copy(&sid
, &global_sid_World
);
123 type
= SID_NAME_ALIAS
;
125 } else if (strcmp(name
, "system:authuser") == 0) {
127 sid_copy(&sid
, &global_sid_Authenticated_Users
);
128 type
= SID_NAME_WKN_GRP
;
130 } else if (strcmp(name
, "system:backup") == 0) {
132 sid_copy(&sid
, &global_sid_Builtin_Backup_Operators
);
133 type
= SID_NAME_ALIAS
;
136 /* All PTS users/groups are expressed as SIDs */
138 sid_copy(&sid
, &global_sid_NULL
);
139 type
= SID_NAME_UNKNOWN
;
141 if (string_to_sid(&sid
, name
)) {
142 const char *user
, *domain
;
143 /* We have to find the type, look up the SID */
144 lookup_sid(talloc_tos(), &sid
,
145 &domain
, &user
, &type
);
150 const char *domain
, *uname
;
153 p
= strchr_m(name
, *lp_winbind_separator());
158 if (!lookup_name(talloc_tos(), name
, LOOKUP_NAME_ALL
,
159 &domain
, &uname
, &sid
, &type
)) {
160 DEBUG(10, ("Could not find AFS user %s\n", name
));
162 sid_copy(&sid
, &global_sid_NULL
);
163 type
= SID_NAME_UNKNOWN
;
168 result
= TALLOC_P(mem_ctx
, struct afs_ace
);
170 if (result
== NULL
) {
171 DEBUG(0, ("Could not talloc AFS ace\n"));
175 result
->name
= talloc_strdup(mem_ctx
, name
);
176 if (result
->name
== NULL
) {
177 DEBUG(0, ("Could not talloc AFS ace name\n"));
184 result
->positive
= positive
;
185 result
->rights
= rights
;
190 static void add_afs_ace(struct afs_acl
*acl
,
192 const char *name
, uint32 rights
)
196 for (ace
= acl
->acelist
; ace
!= NULL
; ace
= ace
->next
) {
197 if ((ace
->positive
== positive
) &&
198 (strequal(ace
->name
, name
))) {
199 ace
->rights
|= rights
;
204 ace
= new_afs_ace(acl
->ctx
, positive
, name
, rights
);
206 ace
->next
= acl
->acelist
;
211 DEBUG(10, ("add_afs_ace: Added %s entry for %s with rights %d\n",
212 ace
->positive
?"positive":"negative",
213 ace
->name
, ace
->rights
));
218 /* AFS ACLs in string form are a long string of fields delimited with \n.
220 * First line: Number of positive entries
221 * Second line: Number of negative entries
222 * Third and following lines: The entries themselves
224 * An ACE is a line of two fields, delimited by \t.
227 * Second field: Rights
230 static bool parse_afs_acl(struct afs_acl
*acl
, const char *acl_str
)
238 strncpy(str
, acl_str
, MAXSIZE
);
240 if (sscanf(p
, "%d", &nplus
) != 1)
243 DEBUG(10, ("Found %d positive entries\n", nplus
));
245 if ((p
= strchr(p
, '\n')) == NULL
)
249 if (sscanf(p
, "%d", &nminus
) != 1)
252 DEBUG(10, ("Found %d negative entries\n", nminus
));
254 if ((p
= strchr(p
, '\n')) == NULL
)
258 for (aces
= nplus
+nminus
; aces
> 0; aces
--)
268 if ((p
= strchr(p
, '\t')) == NULL
)
273 if (sscanf(p
, "%d", &rights
) != 1)
276 if ((p
= strchr(p
, '\n')) == NULL
)
280 fstrcpy(name
, namep
);
282 while ((space
= strchr_m(name
, space_replacement
)) != NULL
)
285 add_afs_ace(acl
, nplus
>0, name
, rights
);
293 static bool unparse_afs_acl(struct afs_acl
*acl
, char *acl_str
)
295 /* TODO: String length checks!!!! */
303 struct afs_ace
*ace
= acl
->acelist
;
305 while (ace
!= NULL
) {
313 fstr_sprintf(line
, "%d\n", positives
);
314 safe_strcat(acl_str
, line
, MAXSIZE
);
316 fstr_sprintf(line
, "%d\n", negatives
);
317 safe_strcat(acl_str
, line
, MAXSIZE
);
321 while (ace
!= NULL
) {
322 fstr_sprintf(line
, "%s\t%d\n", ace
->name
, ace
->rights
);
323 safe_strcat(acl_str
, line
, MAXSIZE
);
329 static uint32
afs_to_nt_file_rights(uint32 rights
)
333 if (rights
& PRSFS_READ
)
334 result
|= FILE_READ_DATA
| FILE_READ_EA
|
335 FILE_EXECUTE
| FILE_READ_ATTRIBUTES
|
336 READ_CONTROL_ACCESS
| SYNCHRONIZE_ACCESS
;
338 if (rights
& PRSFS_WRITE
)
339 result
|= FILE_WRITE_DATA
| FILE_WRITE_ATTRIBUTES
|
340 FILE_WRITE_EA
| FILE_APPEND_DATA
;
342 if (rights
& PRSFS_LOCK
)
343 result
|= WRITE_OWNER_ACCESS
;
345 if (rights
& PRSFS_DELETE
)
346 result
|= DELETE_ACCESS
;
351 static void afs_to_nt_dir_rights(uint32 afs_rights
, uint32
*nt_rights
,
355 *flag
= SEC_ACE_FLAG_OBJECT_INHERIT
|
356 SEC_ACE_FLAG_CONTAINER_INHERIT
;
358 if (afs_rights
& PRSFS_INSERT
)
359 *nt_rights
|= FILE_ADD_FILE
| FILE_ADD_SUBDIRECTORY
;
361 if (afs_rights
& PRSFS_LOOKUP
)
362 *nt_rights
|= FILE_READ_DATA
| FILE_READ_EA
|
363 FILE_EXECUTE
| FILE_READ_ATTRIBUTES
|
364 READ_CONTROL_ACCESS
| SYNCHRONIZE_ACCESS
;
366 if (afs_rights
& PRSFS_WRITE
)
367 *nt_rights
|= FILE_WRITE_ATTRIBUTES
| FILE_WRITE_DATA
|
368 FILE_APPEND_DATA
| FILE_WRITE_EA
;
370 if ((afs_rights
& (PRSFS_INSERT
|PRSFS_LOOKUP
|PRSFS_DELETE
)) ==
371 (PRSFS_INSERT
|PRSFS_LOOKUP
|PRSFS_DELETE
))
372 *nt_rights
|= FILE_WRITE_ATTRIBUTES
| FILE_WRITE_EA
|
373 GENERIC_WRITE_ACCESS
;
375 if (afs_rights
& PRSFS_DELETE
)
376 *nt_rights
|= DELETE_ACCESS
;
378 if (afs_rights
& PRSFS_ADMINISTER
)
379 *nt_rights
|= FILE_DELETE_CHILD
| WRITE_DAC_ACCESS
|
382 if ( (afs_rights
& PRSFS_LOOKUP
) ==
383 (afs_rights
& (PRSFS_LOOKUP
|PRSFS_READ
)) ) {
384 /* Only lookup right */
385 *flag
= SEC_ACE_FLAG_CONTAINER_INHERIT
;
391 #define AFS_FILE_RIGHTS (PRSFS_READ|PRSFS_WRITE|PRSFS_LOCK)
392 #define AFS_DIR_RIGHTS (PRSFS_INSERT|PRSFS_LOOKUP|PRSFS_DELETE|PRSFS_ADMINISTER)
394 static void split_afs_acl(struct afs_acl
*acl
,
395 struct afs_acl
*dir_acl
,
396 struct afs_acl
*file_acl
)
400 init_afs_acl(dir_acl
);
401 init_afs_acl(file_acl
);
403 for (ace
= acl
->acelist
; ace
!= NULL
; ace
= ace
->next
) {
404 if (ace
->rights
& AFS_FILE_RIGHTS
) {
405 add_afs_ace(file_acl
, ace
->positive
, ace
->name
,
406 ace
->rights
& AFS_FILE_RIGHTS
);
409 if (ace
->rights
& AFS_DIR_RIGHTS
) {
410 add_afs_ace(dir_acl
, ace
->positive
, ace
->name
,
411 ace
->rights
& AFS_DIR_RIGHTS
);
417 static bool same_principal(struct afs_ace
*x
, struct afs_ace
*y
)
419 return ( (x
->positive
== y
->positive
) &&
420 (sid_compare(&x
->sid
, &y
->sid
) == 0) );
423 static void merge_afs_acls(struct afs_acl
*dir_acl
,
424 struct afs_acl
*file_acl
,
425 struct afs_acl
*target
)
429 init_afs_acl(target
);
431 for (ace
= dir_acl
->acelist
; ace
!= NULL
; ace
= ace
->next
) {
432 struct afs_ace
*file_ace
;
435 for (file_ace
= file_acl
->acelist
;
437 file_ace
= file_ace
->next
) {
438 if (!same_principal(ace
, file_ace
))
441 add_afs_ace(target
, ace
->positive
, ace
->name
,
442 ace
->rights
| file_ace
->rights
);
447 add_afs_ace(target
, ace
->positive
, ace
->name
,
451 for (ace
= file_acl
->acelist
; ace
!= NULL
; ace
= ace
->next
) {
452 struct afs_ace
*dir_ace
;
453 bool already_seen
= False
;
455 for (dir_ace
= dir_acl
->acelist
;
457 dir_ace
= dir_ace
->next
) {
458 if (!same_principal(ace
, dir_ace
))
464 add_afs_ace(target
, ace
->positive
, ace
->name
,
469 #define PERMS_READ 0x001200a9
470 #define PERMS_CHANGE 0x001301bf
471 #define PERMS_FULL 0x001f01ff
473 static struct static_dir_ace_mapping
{
481 { 0, SEC_ACE_FLAG_OBJECT_INHERIT
|SEC_ACE_FLAG_CONTAINER_INHERIT
,
482 PERMS_FULL
, 127 /* rlidwka */ },
485 { 0, SEC_ACE_FLAG_OBJECT_INHERIT
|SEC_ACE_FLAG_CONTAINER_INHERIT
,
486 PERMS_CHANGE
, 63 /* rlidwk */ },
488 /* Read (including list folder content) */
489 { 0, SEC_ACE_FLAG_OBJECT_INHERIT
|SEC_ACE_FLAG_CONTAINER_INHERIT
,
490 PERMS_READ
, 9 /* rl */ },
492 /* Read without list folder content -- same as "l" */
493 { 0, SEC_ACE_FLAG_OBJECT_INHERIT
|SEC_ACE_FLAG_CONTAINER_INHERIT
,
494 0x00120089, 8 /* l */ },
496 /* some stupid workaround for preventing fallbacks */
497 { 0, 0x3, 0x0012019F, 9 /* rl */ },
498 { 0, 0x13, PERMS_FULL
, 127 /* full */ },
500 /* read, delete and execute access plus synchronize */
501 { 0, 0x3, 0x001300A9, 9 /* should be rdl, set to rl */},
502 /* classical read list */
503 { 0, 0x13, 0x001200A9, 9 /* rl */},
504 /* almost full control, no delete */
505 { 0, 0x13, PERMS_CHANGE
, 63 /* rwidlk */},
508 { 0, SEC_ACE_FLAG_CONTAINER_INHERIT
,
509 PERMS_READ
, 8 /* l */ },
511 /* FULL without inheritance -- in all cases here we also get
512 the corresponding INHERIT_ONLY ACE in the same ACL */
513 { 0, 0, PERMS_FULL
, 127 /* rlidwka */ },
515 /* FULL inherit only -- counterpart to previous one */
516 { 0, SEC_ACE_FLAG_OBJECT_INHERIT
|SEC_ACE_FLAG_CONTAINER_INHERIT
|SEC_ACE_FLAG_INHERIT_ONLY
,
517 PERMS_FULL
| GENERIC_RIGHT_WRITE_ACCESS
, 127 /* rlidwka */ },
519 /* CHANGE without inheritance -- in all cases here we also get
520 the corresponding INHERIT_ONLY ACE in the same ACL */
521 { 0, 0, PERMS_CHANGE
, 63 /* rlidwk */ },
523 /* CHANGE inherit only -- counterpart to previous one */
524 { 0, SEC_ACE_FLAG_OBJECT_INHERIT
|SEC_ACE_FLAG_CONTAINER_INHERIT
|SEC_ACE_FLAG_INHERIT_ONLY
,
525 PERMS_CHANGE
| GENERIC_RIGHT_WRITE_ACCESS
, 63 /* rlidwk */ },
527 /* End marker, hopefully there's no afs right 9999 :-) */
531 static uint32
nt_to_afs_dir_rights(const char *filename
, const SEC_ACE
*ace
)
534 uint32 rights
= ace
->access_mask
;
535 uint8 flags
= ace
->flags
;
537 struct static_dir_ace_mapping
*m
;
539 for (m
= &ace_mappings
[0]; m
->afs_rights
!= 9999; m
++) {
540 if ( (ace
->type
== m
->type
) &&
541 (ace
->flags
== m
->flags
) &&
542 (ace
->access_mask
== m
->mask
) )
543 return m
->afs_rights
;
546 DEBUG(1, ("AFSACL FALLBACK: 0x%X 0x%X 0x%X %s %X\n",
547 ace
->type
, ace
->flags
, ace
->access_mask
, filename
, rights
));
549 if (rights
& (GENERIC_ALL_ACCESS
|WRITE_DAC_ACCESS
)) {
550 result
|= PRSFS_READ
| PRSFS_WRITE
| PRSFS_INSERT
|
551 PRSFS_LOOKUP
| PRSFS_DELETE
| PRSFS_LOCK
|
555 if (rights
& (GENERIC_READ_ACCESS
|FILE_READ_DATA
)) {
556 result
|= PRSFS_LOOKUP
;
557 if (flags
& SEC_ACE_FLAG_OBJECT_INHERIT
) {
558 result
|= PRSFS_READ
;
562 if (rights
& (GENERIC_WRITE_ACCESS
|FILE_WRITE_DATA
)) {
563 result
|= PRSFS_INSERT
| PRSFS_DELETE
;
564 if (flags
& SEC_ACE_FLAG_OBJECT_INHERIT
) {
565 result
|= PRSFS_WRITE
| PRSFS_LOCK
;
572 static uint32
nt_to_afs_file_rights(const char *filename
, const SEC_ACE
*ace
)
575 uint32 rights
= ace
->access_mask
;
577 if (rights
& (GENERIC_READ_ACCESS
|FILE_READ_DATA
)) {
578 result
|= PRSFS_READ
;
581 if (rights
& (GENERIC_WRITE_ACCESS
|FILE_WRITE_DATA
)) {
582 result
|= PRSFS_WRITE
| PRSFS_LOCK
;
588 static size_t afs_to_nt_acl_common(struct afs_acl
*afs_acl
,
589 SMB_STRUCT_STAT
*psbuf
,
590 uint32 security_info
,
591 struct security_descriptor
**ppdesc
)
593 SEC_ACE
*nt_ace_list
;
594 DOM_SID owner_sid
, group_sid
;
598 TALLOC_CTX
*mem_ctx
= talloc_tos();
600 struct afs_ace
*afs_ace
;
602 uid_to_sid(&owner_sid
, psbuf
->st_uid
);
603 gid_to_sid(&group_sid
, psbuf
->st_gid
);
605 if (afs_acl
->num_aces
) {
606 nt_ace_list
= TALLOC_ARRAY(mem_ctx
, SEC_ACE
, afs_acl
->num_aces
);
608 if (nt_ace_list
== NULL
)
614 afs_ace
= afs_acl
->acelist
;
617 while (afs_ace
!= NULL
) {
619 uint8 flag
= SEC_ACE_FLAG_OBJECT_INHERIT
|
620 SEC_ACE_FLAG_CONTAINER_INHERIT
;
622 if (afs_ace
->type
== SID_NAME_UNKNOWN
) {
623 DEBUG(10, ("Ignoring unknown name %s\n",
625 afs_ace
= afs_ace
->next
;
629 if (S_ISDIR(psbuf
->st_mode
))
630 afs_to_nt_dir_rights(afs_ace
->rights
, &nt_rights
,
633 nt_rights
= afs_to_nt_file_rights(afs_ace
->rights
);
635 init_sec_ace(&nt_ace_list
[good_aces
++], &(afs_ace
->sid
),
636 SEC_ACE_TYPE_ACCESS_ALLOWED
, nt_rights
, flag
);
637 afs_ace
= afs_ace
->next
;
640 psa
= make_sec_acl(mem_ctx
, NT4_ACL_REVISION
,
641 good_aces
, nt_ace_list
);
645 *ppdesc
= make_sec_desc(mem_ctx
, SEC_DESC_REVISION
,
646 SEC_DESC_SELF_RELATIVE
,
647 (security_info
& OWNER_SECURITY_INFORMATION
)
649 (security_info
& GROUP_SECURITY_INFORMATION
)
651 NULL
, psa
, &sd_size
);
656 static size_t afs_to_nt_acl(struct afs_acl
*afs_acl
,
657 struct connection_struct
*conn
,
659 uint32 security_info
,
660 struct security_descriptor
**ppdesc
)
662 SMB_STRUCT_STAT sbuf
;
664 /* Get the stat struct for the owner info. */
665 if(SMB_VFS_STAT(conn
, name
, &sbuf
) != 0) {
669 return afs_to_nt_acl_common(afs_acl
, &sbuf
, security_info
, ppdesc
);
672 static size_t afs_fto_nt_acl(struct afs_acl
*afs_acl
,
673 struct files_struct
*fsp
,
674 uint32 security_info
,
675 struct security_descriptor
**ppdesc
)
677 SMB_STRUCT_STAT sbuf
;
679 if (fsp
->is_directory
|| fsp
->fh
->fd
== -1) {
680 /* Get the stat struct for the owner info. */
681 return afs_to_nt_acl(afs_acl
, fsp
->conn
, fsp
->fsp_name
,
682 security_info
, ppdesc
);
685 if(SMB_VFS_FSTAT(fsp
, &sbuf
) != 0) {
689 return afs_to_nt_acl_common(afs_acl
, &sbuf
, security_info
, ppdesc
);
692 static bool mappable_sid(const DOM_SID
*sid
)
696 if (sid_compare(sid
, &global_sid_Builtin_Administrators
) == 0)
699 if (sid_compare(sid
, &global_sid_World
) == 0)
702 if (sid_compare(sid
, &global_sid_Authenticated_Users
) == 0)
705 if (sid_compare(sid
, &global_sid_Builtin_Backup_Operators
) == 0)
708 string_to_sid(&domain_sid
, "S-1-5-21");
710 if (sid_compare_domain(sid
, &domain_sid
) == 0)
716 static bool nt_to_afs_acl(const char *filename
,
717 uint32 security_info_sent
,
718 const struct security_descriptor
*psd
,
719 uint32 (*nt_to_afs_rights
)(const char *filename
,
721 struct afs_acl
*afs_acl
)
726 /* Currently we *only* look at the dacl */
728 if (((security_info_sent
& DACL_SECURITY_INFORMATION
) == 0) ||
732 if (!init_afs_acl(afs_acl
))
737 for (i
= 0; i
< dacl
->num_aces
; i
++) {
738 const SEC_ACE
*ace
= &(dacl
->aces
[i
]);
739 const char *dom_name
, *name
;
740 enum lsa_SidType name_type
;
743 if (ace
->type
!= SEC_ACE_TYPE_ACCESS_ALLOWED
) {
744 /* First cut: Only positive ACEs */
748 if (!mappable_sid(&ace
->trustee
)) {
749 DEBUG(10, ("Ignoring unmappable SID %s\n",
750 sid_string_dbg(&ace
->trustee
)));
754 if (sid_compare(&ace
->trustee
,
755 &global_sid_Builtin_Administrators
) == 0) {
757 name
= "system:administrators";
759 } else if (sid_compare(&ace
->trustee
,
760 &global_sid_World
) == 0) {
762 name
= "system:anyuser";
764 } else if (sid_compare(&ace
->trustee
,
765 &global_sid_Authenticated_Users
) == 0) {
767 name
= "system:authuser";
769 } else if (sid_compare(&ace
->trustee
,
770 &global_sid_Builtin_Backup_Operators
)
773 name
= "system:backup";
777 if (!lookup_sid(talloc_tos(), &ace
->trustee
,
778 &dom_name
, &name
, &name_type
)) {
779 DEBUG(1, ("AFSACL: Could not lookup SID %s on file %s\n",
780 sid_string_dbg(&ace
->trustee
),
785 if ( (name_type
== SID_NAME_USER
) ||
786 (name_type
== SID_NAME_DOM_GRP
) ||
787 (name_type
== SID_NAME_ALIAS
) ) {
789 tmp
= talloc_asprintf(talloc_tos(), "%s%s%s",
790 dom_name
, lp_winbind_separator(),
800 /* Expect all users/groups in pts as SIDs */
801 name
= talloc_strdup(
803 sid_string_tos(&ace
->trustee
));
810 while ((p
= strchr_m(name
, ' ')) != NULL
)
811 *p
= space_replacement
;
813 add_afs_ace(afs_acl
, True
, name
,
814 nt_to_afs_rights(filename
, ace
));
820 static bool afs_get_afs_acl(char *filename
, struct afs_acl
*acl
)
828 DEBUG(5, ("afs_get_afs_acl: %s\n", filename
));
831 iob
.out_size
= MAXSIZE
;
832 iob
.in
= iob
.out
= space
;
834 ret
= afs_syscall(AFSCALL_PIOCTL
, filename
, VIOCGETAL
,
838 DEBUG(1, ("got error from PIOCTL: %d\n", ret
));
842 if (!init_afs_acl(acl
))
845 if (!parse_afs_acl(acl
, space
)) {
846 DEBUG(1, ("Could not parse AFS acl\n"));
854 /* For setting an AFS ACL we have to take care of the ACEs we could
855 * not properly map to SIDs. Merge all of them into the new ACL. */
857 static void merge_unknown_aces(struct afs_acl
*src
, struct afs_acl
*dst
)
861 for (ace
= src
->acelist
; ace
!= NULL
; ace
= ace
->next
)
863 struct afs_ace
*copy
;
865 if (ace
->type
!= SID_NAME_UNKNOWN
) {
866 DEBUG(10, ("Not merging known ACE for %s\n",
871 DEBUG(10, ("Merging unknown ACE for %s\n", ace
->name
));
873 copy
= clone_afs_ace(dst
->ctx
, ace
);
876 DEBUG(0, ("Could not clone ACE for %s\n", ace
->name
));
880 copy
->next
= dst
->acelist
;
886 static NTSTATUS
afs_set_nt_acl(vfs_handle_struct
*handle
, files_struct
*fsp
,
887 uint32 security_info_sent
,
888 const struct security_descriptor
*psd
)
890 struct afs_acl old_afs_acl
, new_afs_acl
;
891 struct afs_acl dir_acl
, file_acl
;
892 char acl_string
[2049];
896 const char *fileacls
;
898 fileacls
= lp_parm_const_string(SNUM(handle
->conn
), "afsacl", "fileacls",
901 sidpts
= lp_parm_bool(SNUM(handle
->conn
), "afsacl", "sidpts", False
);
903 ZERO_STRUCT(old_afs_acl
);
904 ZERO_STRUCT(new_afs_acl
);
905 ZERO_STRUCT(dir_acl
);
906 ZERO_STRUCT(file_acl
);
908 name
= talloc_strdup(talloc_tos(), fsp
->fsp_name
);
910 return NT_STATUS_NO_MEMORY
;
913 if (!fsp
->is_directory
) {
914 /* We need to get the name of the directory containing the
915 * file, this is where the AFS acls live */
916 char *p
= strrchr(name
, '/');
920 name
= talloc_strdup(talloc_tos(), ".");
922 return NT_STATUS_NO_MEMORY
;
927 if (!afs_get_afs_acl(name
, &old_afs_acl
)) {
928 DEBUG(3, ("Could not get old ACL of %s\n", fsp
->fsp_name
));
932 split_afs_acl(&old_afs_acl
, &dir_acl
, &file_acl
);
934 if (fsp
->is_directory
) {
936 if (!strequal(fileacls
, "yes")) {
937 /* Throw away file acls, we depend on the
938 * inheritance ACEs that also give us file
940 free_afs_acl(&file_acl
);
943 free_afs_acl(&dir_acl
);
944 if (!nt_to_afs_acl(fsp
->fsp_name
, security_info_sent
, psd
,
945 nt_to_afs_dir_rights
, &dir_acl
))
948 if (strequal(fileacls
, "no")) {
953 if (strequal(fileacls
, "ignore")) {
958 free_afs_acl(&file_acl
);
959 if (!nt_to_afs_acl(fsp
->fsp_name
, security_info_sent
, psd
,
960 nt_to_afs_file_rights
, &file_acl
))
964 merge_afs_acls(&dir_acl
, &file_acl
, &new_afs_acl
);
966 merge_unknown_aces(&old_afs_acl
, &new_afs_acl
);
968 unparse_afs_acl(&new_afs_acl
, acl_string
);
971 iob
.in_size
= 1+strlen(iob
.in
);
975 DEBUG(10, ("trying to set acl '%s' on file %s\n", iob
.in
, name
));
977 ret
= afs_syscall(AFSCALL_PIOCTL
, name
, VIOCSETAL
, (char *)&iob
, 0);
980 DEBUG(10, ("VIOCSETAL returned %d\n", ret
));
984 free_afs_acl(&dir_acl
);
985 free_afs_acl(&file_acl
);
986 free_afs_acl(&old_afs_acl
);
987 free_afs_acl(&new_afs_acl
);
989 return (ret
== 0) ? NT_STATUS_OK
: NT_STATUS_ACCESS_DENIED
;
992 static NTSTATUS
afsacl_fget_nt_acl(struct vfs_handle_struct
*handle
,
993 struct files_struct
*fsp
,
994 uint32 security_info
,
995 struct security_descriptor
**ppdesc
)
1000 DEBUG(5, ("afsacl_fget_nt_acl: %s\n", fsp
->fsp_name
));
1002 sidpts
= lp_parm_bool(SNUM(fsp
->conn
), "afsacl", "sidpts", False
);
1004 if (!afs_get_afs_acl(fsp
->fsp_name
, &acl
)) {
1005 return NT_STATUS_ACCESS_DENIED
;
1008 sd_size
= afs_fto_nt_acl(&acl
, fsp
, security_info
, ppdesc
);
1012 return (sd_size
!= 0) ? NT_STATUS_OK
: NT_STATUS_ACCESS_DENIED
;
1015 static NTSTATUS
afsacl_get_nt_acl(struct vfs_handle_struct
*handle
,
1016 const char *name
, uint32 security_info
,
1017 struct security_descriptor
**ppdesc
)
1022 DEBUG(5, ("afsacl_get_nt_acl: %s\n", name
));
1024 sidpts
= lp_parm_bool(SNUM(handle
->conn
), "afsacl", "sidpts", False
);
1026 if (!afs_get_afs_acl(name
, &acl
)) {
1027 return NT_STATUS_ACCESS_DENIED
;
1030 sd_size
= afs_to_nt_acl(&acl
, handle
->conn
, name
, security_info
,
1035 return (sd_size
!= 0) ? NT_STATUS_OK
: NT_STATUS_ACCESS_DENIED
;
1038 NTSTATUS
afsacl_fset_nt_acl(vfs_handle_struct
*handle
,
1040 uint32 security_info_sent
,
1041 const SEC_DESC
*psd
)
1043 return afs_set_nt_acl(handle
, fsp
, security_info_sent
, psd
);
1046 static int afsacl_connect(vfs_handle_struct
*handle
,
1047 const char *service
,
1052 spc
= lp_parm_const_string(SNUM(handle
->conn
), "afsacl", "space", "%");
1055 space_replacement
= spc
[0];
1057 return SMB_VFS_NEXT_CONNECT(handle
, service
, user
);
1060 /* VFS operations structure */
1062 static vfs_op_tuple afsacl_ops
[] = {
1063 {SMB_VFS_OP(afsacl_connect
), SMB_VFS_OP_CONNECT
,
1064 SMB_VFS_LAYER_TRANSPARENT
},
1065 {SMB_VFS_OP(afsacl_fget_nt_acl
), SMB_VFS_OP_FGET_NT_ACL
,
1066 SMB_VFS_LAYER_TRANSPARENT
},
1067 {SMB_VFS_OP(afsacl_get_nt_acl
), SMB_VFS_OP_GET_NT_ACL
,
1068 SMB_VFS_LAYER_TRANSPARENT
},
1069 {SMB_VFS_OP(afsacl_fset_nt_acl
), SMB_VFS_OP_FSET_NT_ACL
,
1070 SMB_VFS_LAYER_TRANSPARENT
},
1071 {SMB_VFS_OP(NULL
), SMB_VFS_OP_NOOP
, SMB_VFS_LAYER_NOOP
}
1074 NTSTATUS
vfs_afsacl_init(void);
1075 NTSTATUS
vfs_afsacl_init(void)
1077 return smb_register_vfs(SMB_VFS_INTERFACE_VERSION
, "afsacl",