search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Ensure get_nt_acl_internal() only looks at the ACL blobs, not
[Samba/fernandojvsilva.git] / source3 / modules / vfs_acl_common.c
blobff97a04c73cfc1ce74b3972b1f8dc4c99bcf7c05
1 /*
2 * Store Windows ACLs in data store - common functions.
3 * #included into modules/vfs_acl_xattr.c and modules/vfs_acl_tdb.c
4 *
5 * Copyright (C) Volker Lendecke, 2008
6 * Copyright (C) Jeremy Allison, 2009
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
20 */
21
22 static NTSTATUS create_acl_blob(const struct security_descriptor *psd,
23 DATA_BLOB *pblob,
24 uint16_t hash_type,
25 uint8_t hash[XATTR_SD_HASH_SIZE]);
26
27 static NTSTATUS get_acl_blob(TALLOC_CTX *ctx,
28 vfs_handle_struct *handle,
29 files_struct *fsp,
30 const char *name,
31 DATA_BLOB *pblob);
32
33 static NTSTATUS store_acl_blob_fsp(vfs_handle_struct *handle,
34 files_struct *fsp,
35 DATA_BLOB *pblob);
36
37 static NTSTATUS store_acl_blob_pathname(vfs_handle_struct *handle,
38 const char *fname,
39 DATA_BLOB *pblob);
40
41 #define HASH_SECURITY_INFO (OWNER_SECURITY_INFORMATION | \
42 GROUP_SECURITY_INFORMATION | \
43 DACL_SECURITY_INFORMATION | \
44 SACL_SECURITY_INFORMATION)
45
46 /*******************************************************************
47 Hash a security descriptor.
48 *******************************************************************/
49
50 static NTSTATUS hash_sd_sha256(struct security_descriptor *psd,
51 uint8_t *hash)
52 {
53 DATA_BLOB blob;
54 SHA256_CTX tctx;
55 NTSTATUS status;
56
57 memset(hash, '\0', XATTR_SD_HASH_SIZE);
58 status = create_acl_blob(psd, &blob, XATTR_SD_HASH_TYPE_SHA256, hash);
59 if (!NT_STATUS_IS_OK(status)) {
60 return status;
61 }
62
63 SHA256_Init(&tctx);
64 SHA256_Update(&tctx, blob.data, blob.length);
65 SHA256_Final(hash, &tctx);
66
67 return NT_STATUS_OK;
68 }
69
70 /*******************************************************************
71 Parse out a struct security_descriptor from a DATA_BLOB.
72 *******************************************************************/
73
74 static NTSTATUS parse_acl_blob(const DATA_BLOB *pblob,
75 struct security_descriptor **ppdesc,
76 uint16_t *p_hash_type,
77 uint8_t hash[XATTR_SD_HASH_SIZE])
78 {
79 TALLOC_CTX *ctx = talloc_tos();
80 struct xattr_NTACL xacl;
81 enum ndr_err_code ndr_err;
82 size_t sd_size;
83
84 ndr_err = ndr_pull_struct_blob(pblob, ctx, NULL, &xacl,
85 (ndr_pull_flags_fn_t)ndr_pull_xattr_NTACL);
86
87 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
88 DEBUG(5, ("parse_acl_blob: ndr_pull_xattr_NTACL failed: %s\n",
89 ndr_errstr(ndr_err)));
90 return ndr_map_error2ntstatus(ndr_err);;
91 }
92
93 switch (xacl.version) {
94 case 2:
95 *ppdesc = make_sec_desc(ctx, SEC_DESC_REVISION,
96 xacl.info.sd_hs2->sd->type | SEC_DESC_SELF_RELATIVE,
97 xacl.info.sd_hs2->sd->owner_sid,
98 xacl.info.sd_hs2->sd->group_sid,
99 xacl.info.sd_hs2->sd->sacl,
100 xacl.info.sd_hs2->sd->dacl,
101 &sd_size);
102 /* No hash - null out. */
103 *p_hash_type = XATTR_SD_HASH_TYPE_NONE;
104 memset(hash, '\0', XATTR_SD_HASH_SIZE);
105 break;
106 case 3:
107 *ppdesc = make_sec_desc(ctx, SEC_DESC_REVISION,
108 xacl.info.sd_hs3->sd->type | SEC_DESC_SELF_RELATIVE,
109 xacl.info.sd_hs3->sd->owner_sid,
110 xacl.info.sd_hs3->sd->group_sid,
111 xacl.info.sd_hs3->sd->sacl,
112 xacl.info.sd_hs3->sd->dacl,
113 &sd_size);
114 *p_hash_type = xacl.info.sd_hs3->hash_type;
115 /* Current version 3. */
116 memcpy(hash, xacl.info.sd_hs3->hash, XATTR_SD_HASH_SIZE);
117 break;
118 default:
119 return NT_STATUS_REVISION_MISMATCH;
120 }
121
122 TALLOC_FREE(xacl.info.sd);
123
124 return (*ppdesc != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
125 }
126
127 /*******************************************************************
128 Create a DATA_BLOB from a security descriptor.
129 *******************************************************************/
130
131 static NTSTATUS create_acl_blob(const struct security_descriptor *psd,
132 DATA_BLOB *pblob,
133 uint16_t hash_type,
134 uint8_t hash[XATTR_SD_HASH_SIZE])
135 {
136 struct xattr_NTACL xacl;
137 struct security_descriptor_hash_v3 sd_hs3;
138 enum ndr_err_code ndr_err;
139 TALLOC_CTX *ctx = talloc_tos();
140
141 ZERO_STRUCT(xacl);
142 ZERO_STRUCT(sd_hs3);
143
144 xacl.version = 3;
145 xacl.info.sd_hs3 = &sd_hs3;
146 xacl.info.sd_hs3->sd = CONST_DISCARD(struct security_descriptor *, psd);
147 xacl.info.sd_hs3->hash_type = hash_type;
148 memcpy(&xacl.info.sd_hs3->hash[0], hash, XATTR_SD_HASH_SIZE);
149
150 ndr_err = ndr_push_struct_blob(
151 pblob, ctx, NULL, &xacl,
152 (ndr_push_flags_fn_t)ndr_push_xattr_NTACL);
153
154 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
155 DEBUG(5, ("create_acl_blob: ndr_push_xattr_NTACL failed: %s\n",
156 ndr_errstr(ndr_err)));
157 return ndr_map_error2ntstatus(ndr_err);;
158 }
159
160 return NT_STATUS_OK;
161 }
162
163 /*******************************************************************
164 Pull a DATA_BLOB from an xattr given a pathname.
165 DOES NOT FALL BACK TO THE UNDERLYING ACLs ON THE FILESYSTEM.
166 *******************************************************************/
167
168 static NTSTATUS get_nt_acl_internal(vfs_handle_struct *handle,
169 files_struct *fsp,
170 const char *name,
171 uint32_t security_info,
172 struct security_descriptor **ppdesc)
173 {
174 DATA_BLOB blob;
175 NTSTATUS status;
176 uint16_t hash_type;
177 uint8_t hash[XATTR_SD_HASH_SIZE];
178 uint8_t hash_tmp[XATTR_SD_HASH_SIZE];
179 struct security_descriptor *pdesc_next = NULL;
180
181 if (fsp && name == NULL) {
182 name = fsp->fsp_name->base_name;
183 }
184
185 DEBUG(10, ("get_nt_acl_internal: name=%s\n", name));
186
187 status = get_acl_blob(talloc_tos(), handle, fsp, name, &blob);
188 if (!NT_STATUS_IS_OK(status)) {
189 DEBUG(10, ("get_nt_acl_internal: get_acl_blob returned %s\n",
190 nt_errstr(status)));
191 return status;
192 }
193
194 status = parse_acl_blob(&blob, ppdesc,
195 &hash_type, &hash[0]);
196 if (!NT_STATUS_IS_OK(status)) {
197 DEBUG(10, ("parse_acl_blob returned %s\n",
198 nt_errstr(status)));
199 return status;
200 }
201
202 /* Ensure the hash type is one we know. */
203 switch (hash_type) {
204 case XATTR_SD_HASH_TYPE_NONE:
205 /* No hash, goto return blob sd. */
206 goto out;
207 case XATTR_SD_HASH_TYPE_SHA256:
208 break;
209 default:
210 return NT_STATUS_REVISION_MISMATCH;
211 }
212
213 /* Get the full underlying sd, then hash. */
214 if (fsp) {
215 status = SMB_VFS_NEXT_FGET_NT_ACL(handle,
216 fsp,
217 HASH_SECURITY_INFO,
218 &pdesc_next);
219 } else {
220 status = SMB_VFS_NEXT_GET_NT_ACL(handle,
221 name,
222 HASH_SECURITY_INFO,
223 &pdesc_next);
224 }
225
226 if (!NT_STATUS_IS_OK(status)) {
227 goto out;
228 }
229
230 status = hash_sd_sha256(pdesc_next, hash_tmp);
231 if (!NT_STATUS_IS_OK(status)) {
232 goto out;
233 }
234
235 if (memcmp(&hash[0], &hash_tmp[0], XATTR_SD_HASH_SIZE) == 0) {
236 TALLOC_FREE(pdesc_next);
237 /* Hash matches, return blob sd. */
238 goto out;
239 }
240
241 /* Hash doesn't match, return underlying sd. */
242
243 if (!(security_info & OWNER_SECURITY_INFORMATION)) {
244 pdesc_next->owner_sid = NULL;
245 }
246 if (!(security_info & GROUP_SECURITY_INFORMATION)) {
247 pdesc_next->group_sid = NULL;
248 }
249 if (!(security_info & DACL_SECURITY_INFORMATION)) {
250 pdesc_next->dacl = NULL;
251 }
252 if (!(security_info & SACL_SECURITY_INFORMATION)) {
253 pdesc_next->sacl = NULL;
254 }
255
256 TALLOC_FREE(*ppdesc);
257 *ppdesc = pdesc_next;
258
259 out:
260
261 if (!(security_info & OWNER_SECURITY_INFORMATION)) {
262 (*ppdesc)->owner_sid = NULL;
263 }
264 if (!(security_info & GROUP_SECURITY_INFORMATION)) {
265 (*ppdesc)->group_sid = NULL;
266 }
267 if (!(security_info & DACL_SECURITY_INFORMATION)) {
268 (*ppdesc)->dacl = NULL;
269 }
270 if (!(security_info & SACL_SECURITY_INFORMATION)) {
271 (*ppdesc)->sacl = NULL;
272 }
273
274 TALLOC_FREE(blob.data);
275 return status;
276 }
277
278 /*********************************************************************
279 Create a default security descriptor for a file in case no inheritance
280 exists. All permissions to the owner and SYSTEM.
281 *********************************************************************/
282
283 static struct security_descriptor *default_file_sd(TALLOC_CTX *mem_ctx,
284 SMB_STRUCT_STAT *psbuf,
285 bool force_inherit)
286 {
287 struct dom_sid owner_sid, group_sid;
288 size_t sd_size;
289 struct security_ace *pace = NULL;
290 struct security_acl *pacl = NULL;
291
292 uid_to_sid(&owner_sid, psbuf->st_ex_uid);
293 gid_to_sid(&group_sid, psbuf->st_ex_gid);
294
295 pace = TALLOC_ARRAY(mem_ctx, struct security_ace, 2);
296 if (!pace) {
297 return NULL;
298 }
299
300 /* If force_inherit is set, this means we are initializing the ACEs for
301 * a container and we want the ACEs for owner_sid and "SYSTEM" to be
302 * inheritable by their children (See Bug #6802).
303 */
304
305 init_sec_ace(&pace[0], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
306 SEC_RIGHTS_FILE_ALL, (force_inherit ?
307 (SEC_ACE_FLAG_OBJECT_INHERIT|
308 SEC_ACE_FLAG_CONTAINER_INHERIT) :
309 0));
310
311 init_sec_ace(&pace[1], &global_sid_System, SEC_ACE_TYPE_ACCESS_ALLOWED,
312 SEC_RIGHTS_FILE_ALL, (force_inherit ?
313 (SEC_ACE_FLAG_OBJECT_INHERIT|
314 SEC_ACE_FLAG_CONTAINER_INHERIT) :
315 0));
316
317 pacl = make_sec_acl(mem_ctx,
318 NT4_ACL_REVISION,
319 2,
320 pace);
321 if (!pacl) {
322 return NULL;
323 }
324 return make_sec_desc(mem_ctx,
325 SECURITY_DESCRIPTOR_REVISION_1,
326 SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
327 &owner_sid,
328 &group_sid,
329 NULL,
330 pacl,
331 &sd_size);
332 }
333
334 /*********************************************************************
335 *********************************************************************/
336
337 static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
338 struct smb_filename *smb_fname,
339 files_struct *fsp,
340 bool container)
341 {
342 TALLOC_CTX *ctx = talloc_tos();
343 NTSTATUS status;
344 struct security_descriptor *parent_desc = NULL;
345 struct security_descriptor *psd = NULL;
346 struct security_descriptor *pdesc_next = NULL;
347 DATA_BLOB blob;
348 size_t size;
349 char *parent_name;
350 bool force_inherit = false;
351 uint8_t hash[XATTR_SD_HASH_SIZE];
352
353 if (!parent_dirname(ctx, smb_fname->base_name, &parent_name, NULL)) {
354 return NT_STATUS_NO_MEMORY;
355 }
356
357 DEBUG(10,("inherit_new_acl: check directory %s\n",
358 parent_name));
359
360 status = get_nt_acl_internal(handle,
361 NULL,
362 parent_name,
363 (OWNER_SECURITY_INFORMATION |
364 GROUP_SECURITY_INFORMATION |
365 DACL_SECURITY_INFORMATION),
366 &parent_desc);
367 if (NT_STATUS_IS_OK(status)) {
368 /* Create an inherited descriptor from the parent. */
369
370 if (DEBUGLEVEL >= 10) {
371 DEBUG(10,("inherit_new_acl: parent acl is:\n"));
372 NDR_PRINT_DEBUG(security_descriptor, parent_desc);
373 }
374
375 status = se_create_child_secdesc(ctx,
376 &psd,
377 &size,
378 parent_desc,
379 &handle->conn->server_info->ptok->user_sids[PRIMARY_USER_SID_INDEX],
380 &handle->conn->server_info->ptok->user_sids[PRIMARY_GROUP_SID_INDEX],
381 container);
382 if (!NT_STATUS_IS_OK(status)) {
383 return status;
384 }
385
386 if (DEBUGLEVEL >= 10) {
387 DEBUG(10,("inherit_new_acl: child acl is:\n"));
388 NDR_PRINT_DEBUG(security_descriptor, psd);
389 }
390
391 } else {
392 DEBUG(10,("inherit_new_acl: directory %s failed "
393 "to get acl %s\n",
394 parent_name,
395 nt_errstr(status) ));
396 }
397
398 if (!psd || psd->dacl == NULL) {
399
400 TALLOC_FREE(psd);
401 if (fsp) {
402 status = vfs_stat_fsp(fsp);
403 smb_fname->st = fsp->fsp_name->st;
404 } else {
405 int ret;
406 if (lp_posix_pathnames()) {
407 ret = SMB_VFS_LSTAT(handle->conn, smb_fname);
408 } else {
409 ret = SMB_VFS_STAT(handle->conn, smb_fname);
410 }
411 if (ret == -1) {
412 status = map_nt_error_from_unix(errno);
413 }
414 }
415 if (!NT_STATUS_IS_OK(status)) {
416 return status;
417 }
418
419 /* If we get here, we could have the following possibilities:
420 * 1. No ACLs exist on the parent container.
421 * 2. ACLs exist on the parent container but they were
422 * not inheritable.
423 *
424 * Check to see if case #1 occurred.
425 *
426 */
427 if (container &&
428 (parent_desc == NULL || parent_desc->dacl == NULL)) {
429
430 /* If no parent descriptor exists, then there were
431 * no ACLs on the parent and then we must create
432 * the ACLs on this newly created folder so that they
433 * will be inherited by their children (See Bug #6802).
434 */
435
436 force_inherit = true;
437 }
438
439 psd = default_file_sd(ctx, &smb_fname->st, force_inherit);
440 if (!psd) {
441 return NT_STATUS_NO_MEMORY;
442 }
443
444 if (DEBUGLEVEL >= 10) {
445 DEBUG(10,("inherit_new_acl: default acl is:\n"));
446 NDR_PRINT_DEBUG(security_descriptor, psd);
447 }
448 }
449
450 /* Object exists. Read the current SD to get the hash. */
451 if (fsp) {
452 status = SMB_VFS_NEXT_FGET_NT_ACL(handle,
453 fsp,
454 HASH_SECURITY_INFO,
455 &pdesc_next);
456 } else {
457 status = SMB_VFS_NEXT_GET_NT_ACL(handle,
458 smb_fname->base_name,
459 HASH_SECURITY_INFO,
460 &pdesc_next);
461 }
462
463 if (!NT_STATUS_IS_OK(status)) {
464 return status;
465 }
466
467 status = hash_sd_sha256(pdesc_next, hash);
468 if (!NT_STATUS_IS_OK(status)) {
469 return status;
470 }
471 status = create_acl_blob(psd, &blob, XATTR_SD_HASH_TYPE_SHA256, hash);
472 if (!NT_STATUS_IS_OK(status)) {
473 return status;
474 }
475 if (fsp) {
476 return store_acl_blob_fsp(handle, fsp, &blob);
477 } else {
478 return store_acl_blob_pathname(handle, smb_fname->base_name,
479 &blob);
480 }
481 }
482
483 static NTSTATUS check_parent_acl_common(vfs_handle_struct *handle,
484 const char *path,
485 uint32_t access_mask)
486 {
487 char *parent_name = NULL;
488 struct security_descriptor *parent_desc = NULL;
489 uint32_t access_granted = 0;
490 NTSTATUS status;
491
492 if (!parent_dirname(talloc_tos(), path, &parent_name, NULL)) {
493 return NT_STATUS_NO_MEMORY;
494 }
495
496 status = SMB_VFS_GET_NT_ACL(handle->conn,
497 parent_name,
498 (OWNER_SECURITY_INFORMATION |
499 GROUP_SECURITY_INFORMATION |
500 DACL_SECURITY_INFORMATION),
501 &parent_desc);
502 if (!NT_STATUS_IS_OK(status)) {
503 DEBUG(10,("check_parent_acl_common: SMB_VFS_GET_NT_ACL "
504 "on directory %s for "
505 "path %s returned %s\n",
506 parent_name,
507 path,
508 nt_errstr(status) ));
509 return status;
510 }
511 status = smb1_file_se_access_check(parent_desc,
512 handle->conn->server_info->ptok,
513 access_mask,
514 &access_granted);
515 if(!NT_STATUS_IS_OK(status)) {
516 DEBUG(10,("check_parent_acl_common: access check "
517 "on directory %s for "
518 "path %s for mask 0x%x returned %s\n",
519 parent_name,
520 path,
521 access_mask,
522 nt_errstr(status) ));
523 return status;
524 }
525 return NT_STATUS_OK;
526 }
527
528 /*********************************************************************
529 Check ACL on open. For new files inherit from parent directory.
530 *********************************************************************/
531
532 static int open_acl_common(vfs_handle_struct *handle,
533 struct smb_filename *smb_fname,
534 files_struct *fsp,
535 int flags,
536 mode_t mode)
537 {
538 uint32_t access_granted = 0;
539 struct security_descriptor *pdesc = NULL;
540 bool file_existed = true;
541 char *fname = NULL;
542 NTSTATUS status;
543
544 if (fsp->base_fsp) {
545 /* Stream open. Base filename open already did the ACL check. */
546 DEBUG(10,("open_acl_common: stream open on %s\n",
547 smb_fname_str_dbg(smb_fname) ));
548 return SMB_VFS_NEXT_OPEN(handle, smb_fname, fsp, flags, mode);
549 }
550
551 status = get_full_smb_filename(talloc_tos(), smb_fname,
552 &fname);
553 if (!NT_STATUS_IS_OK(status)) {
554 goto err;
555 }
556
557 status = get_nt_acl_internal(handle,
558 NULL,
559 fname,
560 (OWNER_SECURITY_INFORMATION |
561 GROUP_SECURITY_INFORMATION |
562 DACL_SECURITY_INFORMATION),
563 &pdesc);
564 if (NT_STATUS_IS_OK(status)) {
565 /* See if we can access it. */
566 status = smb1_file_se_access_check(pdesc,
567 handle->conn->server_info->ptok,
568 fsp->access_mask,
569 &access_granted);
570 if (!NT_STATUS_IS_OK(status)) {
571 DEBUG(10,("open_acl_xattr: file %s open "
572 "refused with error %s\n",
573 smb_fname_str_dbg(smb_fname),
574 nt_errstr(status) ));
575 goto err;
576 }
577 } else if (NT_STATUS_EQUAL(status,NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
578 file_existed = false;
579 /*
580 * If O_CREAT is true then we're trying to create a file.
581 * Check the parent directory ACL will allow this.
582 */
583 if (flags & O_CREAT) {
584 status = check_parent_acl_common(handle, fname,
585 SEC_DIR_ADD_FILE);
586 if (!NT_STATUS_IS_OK(status)) {
587 goto err;
588 }
589 }
590 }
591
592 DEBUG(10,("open_acl_xattr: get_nt_acl_attr_internal for "
593 "file %s returned %s\n",
594 smb_fname_str_dbg(smb_fname),
595 nt_errstr(status) ));
596
597 fsp->fh->fd = SMB_VFS_NEXT_OPEN(handle, smb_fname, fsp, flags, mode);
598
599 if (!file_existed && fsp->fh->fd != -1) {
600 /* File was created. Inherit from parent directory. */
601 status = fsp_set_smb_fname(fsp, smb_fname);
602 if (!NT_STATUS_IS_OK(status)) {
603 goto err;
604 }
605 inherit_new_acl(handle, smb_fname, fsp, false);
606 }
607
608 return fsp->fh->fd;
609
610 err:
611
612 errno = map_errno_from_nt_status(status);
613 return -1;
614 }
615
616 static int mkdir_acl_common(vfs_handle_struct *handle, const char *path, mode_t mode)
617 {
618 struct smb_filename *smb_fname = NULL;
619 int ret;
620 NTSTATUS status;
621 SMB_STRUCT_STAT sbuf;
622
623 ret = vfs_stat_smb_fname(handle->conn, path, &sbuf);
624 if (ret == -1 && errno == ENOENT) {
625 /* We're creating a new directory. */
626 status = check_parent_acl_common(handle, path,
627 SEC_DIR_ADD_SUBDIR);
628 if (!NT_STATUS_IS_OK(status)) {
629 errno = map_errno_from_nt_status(status);
630 return -1;
631 }
632 }
633
634 ret = SMB_VFS_NEXT_MKDIR(handle, path, mode);
635 if (ret == -1) {
636 return ret;
637 }
638
639 status = create_synthetic_smb_fname(talloc_tos(), path, NULL, NULL,
640 &smb_fname);
641 if (!NT_STATUS_IS_OK(status)) {
642 errno = map_errno_from_nt_status(status);
643 return -1;
644 }
645
646 /* New directory - inherit from parent. */
647 inherit_new_acl(handle, smb_fname, NULL, true);
648 TALLOC_FREE(smb_fname);
649 return ret;
650 }
651
652 /*********************************************************************
653 Fetch a security descriptor given an fsp.
654 *********************************************************************/
655
656 static NTSTATUS fget_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp,
657 uint32_t security_info, struct security_descriptor **ppdesc)
658 {
659 NTSTATUS status = get_nt_acl_internal(handle, fsp,
660 NULL, security_info, ppdesc);
661 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
662 /* Pull the ACL from the underlying system. */
663 status = SMB_VFS_NEXT_FGET_NT_ACL(handle,
664 fsp,
665 security_info,
666 ppdesc);
667 }
668 return status;
669 }
670
671 /*********************************************************************
672 Fetch a security descriptor given a pathname.
673 *********************************************************************/
674
675 static NTSTATUS get_nt_acl_common(vfs_handle_struct *handle,
676 const char *name, uint32_t security_info, struct security_descriptor **ppdesc)
677 {
678 NTSTATUS status = get_nt_acl_internal(handle, NULL,
679 name, security_info, ppdesc);
680 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
681 /* Pull the ACL from the underlying system. */
682 status = SMB_VFS_NEXT_GET_NT_ACL(handle,
683 name,
684 security_info,
685 ppdesc);
686 }
687 return status;
688 }
689
690 /*********************************************************************
691 Store a security descriptor given an fsp.
692 *********************************************************************/
693
694 static NTSTATUS fset_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp,
695 uint32_t security_info_sent, const struct security_descriptor *psd)
696 {
697 NTSTATUS status;
698 DATA_BLOB blob;
699 struct security_descriptor *pdesc_next = NULL;
700 uint8_t hash[XATTR_SD_HASH_SIZE];
701
702 if (DEBUGLEVEL >= 10) {
703 DEBUG(10,("fset_nt_acl_xattr: incoming sd for file %s\n",
704 fsp_str_dbg(fsp)));
705 NDR_PRINT_DEBUG(security_descriptor,
706 CONST_DISCARD(struct security_descriptor *,psd));
707 }
708
709 /* Ensure we have OWNER/GROUP/DACL set. */
710
711 if ((security_info_sent & (OWNER_SECURITY_INFORMATION|
712 GROUP_SECURITY_INFORMATION|
713 DACL_SECURITY_INFORMATION)) !=
714 (OWNER_SECURITY_INFORMATION|
715 GROUP_SECURITY_INFORMATION|
716 DACL_SECURITY_INFORMATION)) {
717 /* No we don't - read from the existing SD. */
718 struct security_descriptor *nc_psd = NULL;
719
720 status = get_nt_acl_internal(handle, fsp,
721 NULL,
722 (OWNER_SECURITY_INFORMATION|
723 GROUP_SECURITY_INFORMATION|
724 DACL_SECURITY_INFORMATION),
725 &nc_psd);
726
727 if (!NT_STATUS_IS_OK(status)) {
728 return status;
729 }
730
731 /* This is safe as nc_psd is discarded at fn exit. */
732 if (security_info_sent & OWNER_SECURITY_INFORMATION) {
733 nc_psd->owner_sid = psd->owner_sid;
734 }
735 security_info_sent |= OWNER_SECURITY_INFORMATION;
736
737 if (security_info_sent & GROUP_SECURITY_INFORMATION) {
738 nc_psd->group_sid = psd->group_sid;
739 }
740 security_info_sent |= GROUP_SECURITY_INFORMATION;
741
742 if (security_info_sent & DACL_SECURITY_INFORMATION) {
743 nc_psd->dacl = dup_sec_acl(talloc_tos(), psd->dacl);
744 if (nc_psd->dacl == NULL) {
745 return NT_STATUS_NO_MEMORY;
746 }
747 }
748 security_info_sent |= DACL_SECURITY_INFORMATION;
749 psd = nc_psd;
750 }
751
752 status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
753 if (!NT_STATUS_IS_OK(status)) {
754 return status;
755 }
756
757 /* Get the full underlying sd, then hash. */
758 status = SMB_VFS_NEXT_FGET_NT_ACL(handle,
759 fsp,
760 HASH_SECURITY_INFO,
761 &pdesc_next);
762
763 if (!NT_STATUS_IS_OK(status)) {
764 return status;
765 }
766
767 status = hash_sd_sha256(pdesc_next, hash);
768 if (!NT_STATUS_IS_OK(status)) {
769 return status;
770 }
771
772 if (DEBUGLEVEL >= 10) {
773 DEBUG(10,("fset_nt_acl_xattr: storing xattr sd for file %s\n",
774 fsp_str_dbg(fsp)));
775 NDR_PRINT_DEBUG(security_descriptor,
776 CONST_DISCARD(struct security_descriptor *,psd));
777 }
778 create_acl_blob(psd, &blob, XATTR_SD_HASH_TYPE_SHA256, hash);
779 store_acl_blob_fsp(handle, fsp, &blob);
780
781 return NT_STATUS_OK;
782 }
783
784 static SMB_STRUCT_DIR *opendir_acl_common(vfs_handle_struct *handle,
785 const char *fname, const char *mask, uint32 attr)
786 {
787 NTSTATUS status = check_parent_acl_common(handle, fname, SEC_DIR_LIST);
788
789 if (!NT_STATUS_IS_OK(status)) {
790 errno = map_errno_from_nt_status(status);
791 return NULL;
792 }
793 return SMB_VFS_NEXT_OPENDIR(handle, fname, mask, attr);
794 }
fernandojvsilva's samba4 branch