2 * Convert AFS acls to NT acls and vice versa.
4 * Copyright (C) Volker Lendecke, 2003
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
23 #define DBGC_CLASS DBGC_VFS
28 #include <afs/venus.h>
29 #include <afs/prs_fs.h>
33 extern const struct dom_sid global_sid_World
;
34 extern const struct dom_sid global_sid_Builtin_Administrators
;
35 extern const struct dom_sid global_sid_Builtin_Backup_Operators
;
36 extern const struct dom_sid global_sid_Authenticated_Users
;
37 extern const struct dom_sid global_sid_NULL
;
39 static char space_replacement
= '%';
41 /* Do we expect SIDs as pts names? */
44 extern int afs_syscall(int, char *, int, char *, int);
50 enum lsa_SidType type
;
59 struct afs_ace
*acelist
;
64 uint16 in_size
, out_size
;
68 static bool init_afs_acl(struct afs_acl
*acl
)
71 acl
->ctx
= talloc_init("afs_acl");
72 if (acl
->ctx
== NULL
) {
73 DEBUG(10, ("Could not init afs_acl"));
79 static void free_afs_acl(struct afs_acl
*acl
)
82 talloc_destroy(acl
->ctx
);
88 static struct afs_ace
*clone_afs_ace(TALLOC_CTX
*mem_ctx
, struct afs_ace
*ace
)
90 struct afs_ace
*result
= TALLOC_P(mem_ctx
, struct afs_ace
);
98 result
->name
= talloc_strdup(mem_ctx
, ace
->name
);
100 if (result
->name
== NULL
) {
107 static struct afs_ace
*new_afs_ace(TALLOC_CTX
*mem_ctx
,
109 const char *name
, uint32 rights
)
112 enum lsa_SidType type
;
113 struct afs_ace
*result
;
115 if (strcmp(name
, "system:administrators") == 0) {
117 sid_copy(&sid
, &global_sid_Builtin_Administrators
);
118 type
= SID_NAME_ALIAS
;
120 } else if (strcmp(name
, "system:anyuser") == 0) {
122 sid_copy(&sid
, &global_sid_World
);
123 type
= SID_NAME_ALIAS
;
125 } else if (strcmp(name
, "system:authuser") == 0) {
127 sid_copy(&sid
, &global_sid_Authenticated_Users
);
128 type
= SID_NAME_WKN_GRP
;
130 } else if (strcmp(name
, "system:backup") == 0) {
132 sid_copy(&sid
, &global_sid_Builtin_Backup_Operators
);
133 type
= SID_NAME_ALIAS
;
136 /* All PTS users/groups are expressed as SIDs */
138 sid_copy(&sid
, &global_sid_NULL
);
139 type
= SID_NAME_UNKNOWN
;
141 if (string_to_sid(&sid
, name
)) {
142 const char *user
, *domain
;
143 /* We have to find the type, look up the SID */
144 lookup_sid(talloc_tos(), &sid
,
145 &domain
, &user
, &type
);
150 const char *domain
, *uname
;
153 p
= strchr_m(name
, *lp_winbind_separator());
158 if (!lookup_name(talloc_tos(), name
, LOOKUP_NAME_ALL
,
159 &domain
, &uname
, &sid
, &type
)) {
160 DEBUG(10, ("Could not find AFS user %s\n", name
));
162 sid_copy(&sid
, &global_sid_NULL
);
163 type
= SID_NAME_UNKNOWN
;
168 result
= TALLOC_P(mem_ctx
, struct afs_ace
);
170 if (result
== NULL
) {
171 DEBUG(0, ("Could not talloc AFS ace\n"));
175 result
->name
= talloc_strdup(mem_ctx
, name
);
176 if (result
->name
== NULL
) {
177 DEBUG(0, ("Could not talloc AFS ace name\n"));
184 result
->positive
= positive
;
185 result
->rights
= rights
;
190 static void add_afs_ace(struct afs_acl
*acl
,
192 const char *name
, uint32 rights
)
196 for (ace
= acl
->acelist
; ace
!= NULL
; ace
= ace
->next
) {
197 if ((ace
->positive
== positive
) &&
198 (strequal(ace
->name
, name
))) {
199 ace
->rights
|= rights
;
204 ace
= new_afs_ace(acl
->ctx
, positive
, name
, rights
);
206 ace
->next
= acl
->acelist
;
211 DEBUG(10, ("add_afs_ace: Added %s entry for %s with rights %d\n",
212 ace
->positive
?"positive":"negative",
213 ace
->name
, ace
->rights
));
218 /* AFS ACLs in string form are a long string of fields delimited with \n.
220 * First line: Number of positive entries
221 * Second line: Number of negative entries
222 * Third and following lines: The entries themselves
224 * An ACE is a line of two fields, delimited by \t.
227 * Second field: Rights
230 static bool parse_afs_acl(struct afs_acl
*acl
, const char *acl_str
)
238 strncpy(str
, acl_str
, MAXSIZE
);
240 if (sscanf(p
, "%d", &nplus
) != 1)
243 DEBUG(10, ("Found %d positive entries\n", nplus
));
245 if ((p
= strchr(p
, '\n')) == NULL
)
249 if (sscanf(p
, "%d", &nminus
) != 1)
252 DEBUG(10, ("Found %d negative entries\n", nminus
));
254 if ((p
= strchr(p
, '\n')) == NULL
)
258 for (aces
= nplus
+nminus
; aces
> 0; aces
--)
268 if ((p
= strchr(p
, '\t')) == NULL
)
273 if (sscanf(p
, "%d", &rights
) != 1)
276 if ((p
= strchr(p
, '\n')) == NULL
)
280 fstrcpy(name
, namep
);
282 while ((space
= strchr_m(name
, space_replacement
)) != NULL
)
285 add_afs_ace(acl
, nplus
>0, name
, rights
);
293 static bool unparse_afs_acl(struct afs_acl
*acl
, char *acl_str
)
295 /* TODO: String length checks!!!! */
303 struct afs_ace
*ace
= acl
->acelist
;
305 while (ace
!= NULL
) {
313 fstr_sprintf(line
, "%d\n", positives
);
314 safe_strcat(acl_str
, line
, MAXSIZE
);
316 fstr_sprintf(line
, "%d\n", negatives
);
317 safe_strcat(acl_str
, line
, MAXSIZE
);
321 while (ace
!= NULL
) {
322 fstr_sprintf(line
, "%s\t%d\n", ace
->name
, ace
->rights
);
323 safe_strcat(acl_str
, line
, MAXSIZE
);
329 static uint32
afs_to_nt_file_rights(uint32 rights
)
333 if (rights
& PRSFS_READ
)
334 result
|= FILE_READ_DATA
| FILE_READ_EA
|
335 FILE_EXECUTE
| FILE_READ_ATTRIBUTES
|
336 READ_CONTROL_ACCESS
| SYNCHRONIZE_ACCESS
;
338 if (rights
& PRSFS_WRITE
)
339 result
|= FILE_WRITE_DATA
| FILE_WRITE_ATTRIBUTES
|
340 FILE_WRITE_EA
| FILE_APPEND_DATA
;
342 if (rights
& PRSFS_LOCK
)
343 result
|= WRITE_OWNER_ACCESS
;
345 if (rights
& PRSFS_DELETE
)
346 result
|= DELETE_ACCESS
;
351 static void afs_to_nt_dir_rights(uint32 afs_rights
, uint32
*nt_rights
,
355 *flag
= SEC_ACE_FLAG_OBJECT_INHERIT
|
356 SEC_ACE_FLAG_CONTAINER_INHERIT
;
358 if (afs_rights
& PRSFS_INSERT
)
359 *nt_rights
|= FILE_ADD_FILE
| FILE_ADD_SUBDIRECTORY
;
361 if (afs_rights
& PRSFS_LOOKUP
)
362 *nt_rights
|= FILE_READ_DATA
| FILE_READ_EA
|
363 FILE_EXECUTE
| FILE_READ_ATTRIBUTES
|
364 READ_CONTROL_ACCESS
| SYNCHRONIZE_ACCESS
;
366 if (afs_rights
& PRSFS_WRITE
)
367 *nt_rights
|= FILE_WRITE_ATTRIBUTES
| FILE_WRITE_DATA
|
368 FILE_APPEND_DATA
| FILE_WRITE_EA
;
370 if ((afs_rights
& (PRSFS_INSERT
|PRSFS_LOOKUP
|PRSFS_DELETE
)) ==
371 (PRSFS_INSERT
|PRSFS_LOOKUP
|PRSFS_DELETE
))
372 *nt_rights
|= FILE_WRITE_ATTRIBUTES
| FILE_WRITE_EA
|
373 GENERIC_WRITE_ACCESS
;
375 if (afs_rights
& PRSFS_DELETE
)
376 *nt_rights
|= DELETE_ACCESS
;
378 if (afs_rights
& PRSFS_ADMINISTER
)
379 *nt_rights
|= FILE_DELETE_CHILD
| WRITE_DAC_ACCESS
|
382 if ( (afs_rights
& PRSFS_LOOKUP
) ==
383 (afs_rights
& (PRSFS_LOOKUP
|PRSFS_READ
)) ) {
384 /* Only lookup right */
385 *flag
= SEC_ACE_FLAG_CONTAINER_INHERIT
;
391 #define AFS_FILE_RIGHTS (PRSFS_READ|PRSFS_WRITE|PRSFS_LOCK)
392 #define AFS_DIR_RIGHTS (PRSFS_INSERT|PRSFS_LOOKUP|PRSFS_DELETE|PRSFS_ADMINISTER)
394 static void split_afs_acl(struct afs_acl
*acl
,
395 struct afs_acl
*dir_acl
,
396 struct afs_acl
*file_acl
)
400 init_afs_acl(dir_acl
);
401 init_afs_acl(file_acl
);
403 for (ace
= acl
->acelist
; ace
!= NULL
; ace
= ace
->next
) {
404 if (ace
->rights
& AFS_FILE_RIGHTS
) {
405 add_afs_ace(file_acl
, ace
->positive
, ace
->name
,
406 ace
->rights
& AFS_FILE_RIGHTS
);
409 if (ace
->rights
& AFS_DIR_RIGHTS
) {
410 add_afs_ace(dir_acl
, ace
->positive
, ace
->name
,
411 ace
->rights
& AFS_DIR_RIGHTS
);
417 static bool same_principal(struct afs_ace
*x
, struct afs_ace
*y
)
419 return ( (x
->positive
== y
->positive
) &&
420 (sid_compare(&x
->sid
, &y
->sid
) == 0) );
423 static void merge_afs_acls(struct afs_acl
*dir_acl
,
424 struct afs_acl
*file_acl
,
425 struct afs_acl
*target
)
429 init_afs_acl(target
);
431 for (ace
= dir_acl
->acelist
; ace
!= NULL
; ace
= ace
->next
) {
432 struct afs_ace
*file_ace
;
435 for (file_ace
= file_acl
->acelist
;
437 file_ace
= file_ace
->next
) {
438 if (!same_principal(ace
, file_ace
))
441 add_afs_ace(target
, ace
->positive
, ace
->name
,
442 ace
->rights
| file_ace
->rights
);
447 add_afs_ace(target
, ace
->positive
, ace
->name
,
451 for (ace
= file_acl
->acelist
; ace
!= NULL
; ace
= ace
->next
) {
452 struct afs_ace
*dir_ace
;
453 bool already_seen
= False
;
455 for (dir_ace
= dir_acl
->acelist
;
457 dir_ace
= dir_ace
->next
) {
458 if (!same_principal(ace
, dir_ace
))
464 add_afs_ace(target
, ace
->positive
, ace
->name
,
469 #define PERMS_READ 0x001200a9
470 #define PERMS_CHANGE 0x001301bf
471 #define PERMS_FULL 0x001f01ff
473 static struct static_dir_ace_mapping
{
481 { 0, SEC_ACE_FLAG_OBJECT_INHERIT
|SEC_ACE_FLAG_CONTAINER_INHERIT
,
482 PERMS_FULL
, 127 /* rlidwka */ },
485 { 0, SEC_ACE_FLAG_OBJECT_INHERIT
|SEC_ACE_FLAG_CONTAINER_INHERIT
,
486 PERMS_CHANGE
, 63 /* rlidwk */ },
488 /* Read (including list folder content) */
489 { 0, SEC_ACE_FLAG_OBJECT_INHERIT
|SEC_ACE_FLAG_CONTAINER_INHERIT
,
490 PERMS_READ
, 9 /* rl */ },
492 /* Read without list folder content -- same as "l" */
493 { 0, SEC_ACE_FLAG_OBJECT_INHERIT
|SEC_ACE_FLAG_CONTAINER_INHERIT
,
494 0x00120089, 8 /* l */ },
496 /* some stupid workaround for preventing fallbacks */
497 { 0, 0x3, 0x0012019F, 9 /* rl */ },
498 { 0, 0x13, PERMS_FULL
, 127 /* full */ },
500 /* read, delete and execute access plus synchronize */
501 { 0, 0x3, 0x001300A9, 9 /* should be rdl, set to rl */},
502 /* classical read list */
503 { 0, 0x13, 0x001200A9, 9 /* rl */},
504 /* almost full control, no delete */
505 { 0, 0x13, PERMS_CHANGE
, 63 /* rwidlk */},
508 { 0, SEC_ACE_FLAG_CONTAINER_INHERIT
,
509 PERMS_READ
, 8 /* l */ },
511 /* FULL without inheritance -- in all cases here we also get
512 the corresponding INHERIT_ONLY ACE in the same ACL */
513 { 0, 0, PERMS_FULL
, 127 /* rlidwka */ },
515 /* FULL inherit only -- counterpart to previous one */
516 { 0, SEC_ACE_FLAG_OBJECT_INHERIT
|SEC_ACE_FLAG_CONTAINER_INHERIT
|SEC_ACE_FLAG_INHERIT_ONLY
,
517 PERMS_FULL
| SEC_GENERIC_WRITE
, 127 /* rlidwka */ },
519 /* CHANGE without inheritance -- in all cases here we also get
520 the corresponding INHERIT_ONLY ACE in the same ACL */
521 { 0, 0, PERMS_CHANGE
, 63 /* rlidwk */ },
523 /* CHANGE inherit only -- counterpart to previous one */
524 { 0, SEC_ACE_FLAG_OBJECT_INHERIT
|SEC_ACE_FLAG_CONTAINER_INHERIT
|SEC_ACE_FLAG_INHERIT_ONLY
,
525 PERMS_CHANGE
| SEC_GENERIC_WRITE
, 63 /* rlidwk */ },
527 /* End marker, hopefully there's no afs right 9999 :-) */
531 static uint32
nt_to_afs_dir_rights(const char *filename
, const struct security_ace
*ace
)
534 uint32 rights
= ace
->access_mask
;
535 uint8 flags
= ace
->flags
;
537 struct static_dir_ace_mapping
*m
;
539 for (m
= &ace_mappings
[0]; m
->afs_rights
!= 9999; m
++) {
540 if ( (ace
->type
== m
->type
) &&
541 (ace
->flags
== m
->flags
) &&
542 (ace
->access_mask
== m
->mask
) )
543 return m
->afs_rights
;
546 DEBUG(1, ("AFSACL FALLBACK: 0x%X 0x%X 0x%X %s %X\n",
547 ace
->type
, ace
->flags
, ace
->access_mask
, filename
, rights
));
549 if (rights
& (GENERIC_ALL_ACCESS
|WRITE_DAC_ACCESS
)) {
550 result
|= PRSFS_READ
| PRSFS_WRITE
| PRSFS_INSERT
|
551 PRSFS_LOOKUP
| PRSFS_DELETE
| PRSFS_LOCK
|
555 if (rights
& (GENERIC_READ_ACCESS
|FILE_READ_DATA
)) {
556 result
|= PRSFS_LOOKUP
;
557 if (flags
& SEC_ACE_FLAG_OBJECT_INHERIT
) {
558 result
|= PRSFS_READ
;
562 if (rights
& (GENERIC_WRITE_ACCESS
|FILE_WRITE_DATA
)) {
563 result
|= PRSFS_INSERT
| PRSFS_DELETE
;
564 if (flags
& SEC_ACE_FLAG_OBJECT_INHERIT
) {
565 result
|= PRSFS_WRITE
| PRSFS_LOCK
;
572 static uint32
nt_to_afs_file_rights(const char *filename
, const struct security_ace
*ace
)
575 uint32 rights
= ace
->access_mask
;
577 if (rights
& (GENERIC_READ_ACCESS
|FILE_READ_DATA
)) {
578 result
|= PRSFS_READ
;
581 if (rights
& (GENERIC_WRITE_ACCESS
|FILE_WRITE_DATA
)) {
582 result
|= PRSFS_WRITE
| PRSFS_LOCK
;
588 static size_t afs_to_nt_acl_common(struct afs_acl
*afs_acl
,
589 SMB_STRUCT_STAT
*psbuf
,
590 uint32 security_info
,
591 struct security_descriptor
**ppdesc
)
593 struct security_ace
*nt_ace_list
;
594 struct dom_sid owner_sid
, group_sid
;
595 struct security_acl
*psa
= NULL
;
598 TALLOC_CTX
*mem_ctx
= talloc_tos();
600 struct afs_ace
*afs_ace
;
602 uid_to_sid(&owner_sid
, psbuf
->st_ex_uid
);
603 gid_to_sid(&group_sid
, psbuf
->st_ex_gid
);
605 if (afs_acl
->num_aces
) {
606 nt_ace_list
= TALLOC_ARRAY(mem_ctx
, struct security_ace
, afs_acl
->num_aces
);
608 if (nt_ace_list
== NULL
)
614 afs_ace
= afs_acl
->acelist
;
617 while (afs_ace
!= NULL
) {
619 uint8 flag
= SEC_ACE_FLAG_OBJECT_INHERIT
|
620 SEC_ACE_FLAG_CONTAINER_INHERIT
;
622 if (afs_ace
->type
== SID_NAME_UNKNOWN
) {
623 DEBUG(10, ("Ignoring unknown name %s\n",
625 afs_ace
= afs_ace
->next
;
629 if (S_ISDIR(psbuf
->st_ex_mode
))
630 afs_to_nt_dir_rights(afs_ace
->rights
, &nt_rights
,
633 nt_rights
= afs_to_nt_file_rights(afs_ace
->rights
);
635 init_sec_ace(&nt_ace_list
[good_aces
++], &(afs_ace
->sid
),
636 SEC_ACE_TYPE_ACCESS_ALLOWED
, nt_rights
, flag
);
637 afs_ace
= afs_ace
->next
;
640 psa
= make_sec_acl(mem_ctx
, NT4_ACL_REVISION
,
641 good_aces
, nt_ace_list
);
645 *ppdesc
= make_sec_desc(mem_ctx
, SD_REVISION
,
646 SEC_DESC_SELF_RELATIVE
,
647 (security_info
& SECINFO_OWNER
)
649 (security_info
& SECINFO_GROUP
)
651 NULL
, psa
, &sd_size
);
656 static size_t afs_to_nt_acl(struct afs_acl
*afs_acl
,
657 struct connection_struct
*conn
,
658 struct smb_filename
*smb_fname
,
659 uint32 security_info
,
660 struct security_descriptor
**ppdesc
)
664 /* Get the stat struct for the owner info. */
665 if (lp_posix_pathnames()) {
666 ret
= SMB_VFS_LSTAT(conn
, smb_fname
);
668 ret
= SMB_VFS_STAT(conn
, smb_fname
);
674 return afs_to_nt_acl_common(afs_acl
, &smb_fname
->st
, security_info
,
678 static size_t afs_fto_nt_acl(struct afs_acl
*afs_acl
,
679 struct files_struct
*fsp
,
680 uint32 security_info
,
681 struct security_descriptor
**ppdesc
)
683 SMB_STRUCT_STAT sbuf
;
685 if (fsp
->is_directory
|| fsp
->fh
->fd
== -1) {
686 /* Get the stat struct for the owner info. */
687 return afs_to_nt_acl(afs_acl
, fsp
->conn
, fsp
->fsp_name
,
688 security_info
, ppdesc
);
691 if(SMB_VFS_FSTAT(fsp
, &sbuf
) != 0) {
695 return afs_to_nt_acl_common(afs_acl
, &sbuf
, security_info
, ppdesc
);
698 static bool mappable_sid(const struct dom_sid
*sid
)
700 struct dom_sid domain_sid
;
702 if (sid_compare(sid
, &global_sid_Builtin_Administrators
) == 0)
705 if (sid_compare(sid
, &global_sid_World
) == 0)
708 if (sid_compare(sid
, &global_sid_Authenticated_Users
) == 0)
711 if (sid_compare(sid
, &global_sid_Builtin_Backup_Operators
) == 0)
714 string_to_sid(&domain_sid
, "S-1-5-21");
716 if (sid_compare_domain(sid
, &domain_sid
) == 0)
722 static bool nt_to_afs_acl(const char *filename
,
723 uint32 security_info_sent
,
724 const struct security_descriptor
*psd
,
725 uint32 (*nt_to_afs_rights
)(const char *filename
,
726 const struct security_ace
*ace
),
727 struct afs_acl
*afs_acl
)
729 const struct security_acl
*dacl
;
732 /* Currently we *only* look at the dacl */
734 if (((security_info_sent
& SECINFO_DACL
) == 0) ||
738 if (!init_afs_acl(afs_acl
))
743 for (i
= 0; i
< dacl
->num_aces
; i
++) {
744 const struct security_ace
*ace
= &(dacl
->aces
[i
]);
745 const char *dom_name
, *name
;
746 enum lsa_SidType name_type
;
749 if (ace
->type
!= SEC_ACE_TYPE_ACCESS_ALLOWED
) {
750 /* First cut: Only positive ACEs */
754 if (!mappable_sid(&ace
->trustee
)) {
755 DEBUG(10, ("Ignoring unmappable SID %s\n",
756 sid_string_dbg(&ace
->trustee
)));
760 if (sid_compare(&ace
->trustee
,
761 &global_sid_Builtin_Administrators
) == 0) {
763 name
= "system:administrators";
765 } else if (sid_compare(&ace
->trustee
,
766 &global_sid_World
) == 0) {
768 name
= "system:anyuser";
770 } else if (sid_compare(&ace
->trustee
,
771 &global_sid_Authenticated_Users
) == 0) {
773 name
= "system:authuser";
775 } else if (sid_compare(&ace
->trustee
,
776 &global_sid_Builtin_Backup_Operators
)
779 name
= "system:backup";
783 if (!lookup_sid(talloc_tos(), &ace
->trustee
,
784 &dom_name
, &name
, &name_type
)) {
785 DEBUG(1, ("AFSACL: Could not lookup SID %s on file %s\n",
786 sid_string_dbg(&ace
->trustee
),
791 if ( (name_type
== SID_NAME_USER
) ||
792 (name_type
== SID_NAME_DOM_GRP
) ||
793 (name_type
== SID_NAME_ALIAS
) ) {
795 tmp
= talloc_asprintf(talloc_tos(), "%s%s%s",
796 dom_name
, lp_winbind_separator(),
806 /* Expect all users/groups in pts as SIDs */
807 name
= talloc_strdup(
809 sid_string_tos(&ace
->trustee
));
816 while ((p
= strchr_m(name
, ' ')) != NULL
)
817 *p
= space_replacement
;
819 add_afs_ace(afs_acl
, True
, name
,
820 nt_to_afs_rights(filename
, ace
));
826 static bool afs_get_afs_acl(char *filename
, struct afs_acl
*acl
)
834 DEBUG(5, ("afs_get_afs_acl: %s\n", filename
));
837 iob
.out_size
= MAXSIZE
;
838 iob
.in
= iob
.out
= space
;
840 ret
= afs_syscall(AFSCALL_PIOCTL
, filename
, VIOCGETAL
,
844 DEBUG(1, ("got error from PIOCTL: %d\n", ret
));
848 if (!init_afs_acl(acl
))
851 if (!parse_afs_acl(acl
, space
)) {
852 DEBUG(1, ("Could not parse AFS acl\n"));
860 /* For setting an AFS ACL we have to take care of the ACEs we could
861 * not properly map to SIDs. Merge all of them into the new ACL. */
863 static void merge_unknown_aces(struct afs_acl
*src
, struct afs_acl
*dst
)
867 for (ace
= src
->acelist
; ace
!= NULL
; ace
= ace
->next
)
869 struct afs_ace
*copy
;
871 if (ace
->type
!= SID_NAME_UNKNOWN
) {
872 DEBUG(10, ("Not merging known ACE for %s\n",
877 DEBUG(10, ("Merging unknown ACE for %s\n", ace
->name
));
879 copy
= clone_afs_ace(dst
->ctx
, ace
);
882 DEBUG(0, ("Could not clone ACE for %s\n", ace
->name
));
886 copy
->next
= dst
->acelist
;
892 static NTSTATUS
afs_set_nt_acl(vfs_handle_struct
*handle
, files_struct
*fsp
,
893 uint32 security_info_sent
,
894 const struct security_descriptor
*psd
)
896 struct afs_acl old_afs_acl
, new_afs_acl
;
897 struct afs_acl dir_acl
, file_acl
;
898 char acl_string
[2049];
902 const char *fileacls
;
904 fileacls
= lp_parm_const_string(SNUM(handle
->conn
), "afsacl", "fileacls",
907 sidpts
= lp_parm_bool(SNUM(handle
->conn
), "afsacl", "sidpts", False
);
909 ZERO_STRUCT(old_afs_acl
);
910 ZERO_STRUCT(new_afs_acl
);
911 ZERO_STRUCT(dir_acl
);
912 ZERO_STRUCT(file_acl
);
914 name
= talloc_strdup(talloc_tos(), fsp
->fsp_name
->base_name
);
916 return NT_STATUS_NO_MEMORY
;
919 if (!fsp
->is_directory
) {
920 /* We need to get the name of the directory containing the
921 * file, this is where the AFS acls live */
922 char *p
= strrchr(name
, '/');
926 name
= talloc_strdup(talloc_tos(), ".");
928 return NT_STATUS_NO_MEMORY
;
933 if (!afs_get_afs_acl(name
, &old_afs_acl
)) {
934 DEBUG(3, ("Could not get old ACL of %s\n", fsp_str_dbg(fsp
)));
938 split_afs_acl(&old_afs_acl
, &dir_acl
, &file_acl
);
940 if (fsp
->is_directory
) {
942 if (!strequal(fileacls
, "yes")) {
943 /* Throw away file acls, we depend on the
944 * inheritance ACEs that also give us file
946 free_afs_acl(&file_acl
);
949 free_afs_acl(&dir_acl
);
950 if (!nt_to_afs_acl(fsp
->fsp_name
->base_name
,
951 security_info_sent
, psd
,
952 nt_to_afs_dir_rights
, &dir_acl
))
955 if (strequal(fileacls
, "no")) {
960 if (strequal(fileacls
, "ignore")) {
965 free_afs_acl(&file_acl
);
966 if (!nt_to_afs_acl(fsp
->fsp_name
->base_name
,
967 security_info_sent
, psd
,
968 nt_to_afs_file_rights
, &file_acl
))
972 merge_afs_acls(&dir_acl
, &file_acl
, &new_afs_acl
);
974 merge_unknown_aces(&old_afs_acl
, &new_afs_acl
);
976 unparse_afs_acl(&new_afs_acl
, acl_string
);
979 iob
.in_size
= 1+strlen(iob
.in
);
983 DEBUG(10, ("trying to set acl '%s' on file %s\n", iob
.in
, name
));
985 ret
= afs_syscall(AFSCALL_PIOCTL
, name
, VIOCSETAL
, (char *)&iob
, 0);
988 DEBUG(10, ("VIOCSETAL returned %d\n", ret
));
992 free_afs_acl(&dir_acl
);
993 free_afs_acl(&file_acl
);
994 free_afs_acl(&old_afs_acl
);
995 free_afs_acl(&new_afs_acl
);
997 return (ret
== 0) ? NT_STATUS_OK
: NT_STATUS_ACCESS_DENIED
;
1000 static NTSTATUS
afsacl_fget_nt_acl(struct vfs_handle_struct
*handle
,
1001 struct files_struct
*fsp
,
1002 uint32 security_info
,
1003 struct security_descriptor
**ppdesc
)
1008 DEBUG(5, ("afsacl_fget_nt_acl: %s\n", fsp_str_dbg(fsp
)));
1010 sidpts
= lp_parm_bool(SNUM(fsp
->conn
), "afsacl", "sidpts", False
);
1012 if (!afs_get_afs_acl(fsp
->fsp_name
->base_name
, &acl
)) {
1013 return NT_STATUS_ACCESS_DENIED
;
1016 sd_size
= afs_fto_nt_acl(&acl
, fsp
, security_info
, ppdesc
);
1020 return (sd_size
!= 0) ? NT_STATUS_OK
: NT_STATUS_ACCESS_DENIED
;
1023 static NTSTATUS
afsacl_get_nt_acl(struct vfs_handle_struct
*handle
,
1024 const char *name
, uint32 security_info
,
1025 struct security_descriptor
**ppdesc
)
1029 struct smb_filename
*smb_fname
= NULL
;
1032 DEBUG(5, ("afsacl_get_nt_acl: %s\n", name
));
1034 sidpts
= lp_parm_bool(SNUM(handle
->conn
), "afsacl", "sidpts", False
);
1036 if (!afs_get_afs_acl(name
, &acl
)) {
1037 return NT_STATUS_ACCESS_DENIED
;
1040 status
= create_synthetic_smb_fname(talloc_tos(), name
, NULL
, NULL
,
1042 if (!NT_STATUS_IS_OK(status
)) {
1047 sd_size
= afs_to_nt_acl(&acl
, handle
->conn
, smb_fname
, security_info
,
1049 TALLOC_FREE(smb_fname
);
1053 return (sd_size
!= 0) ? NT_STATUS_OK
: NT_STATUS_ACCESS_DENIED
;
1056 NTSTATUS
afsacl_fset_nt_acl(vfs_handle_struct
*handle
,
1058 uint32 security_info_sent
,
1059 const struct security_descriptor
*psd
)
1061 return afs_set_nt_acl(handle
, fsp
, security_info_sent
, psd
);
1064 static int afsacl_connect(vfs_handle_struct
*handle
,
1065 const char *service
,
1069 int ret
= SMB_VFS_NEXT_CONNECT(handle
, service
, user
);
1075 spc
= lp_parm_const_string(SNUM(handle
->conn
), "afsacl", "space", "%");
1078 space_replacement
= spc
[0];
1083 static struct vfs_fn_pointers vfs_afsacl_fns
= {
1084 .connect_fn
= afsacl_connect
,
1085 .fget_nt_acl
= afsacl_fget_nt_acl
,
1086 .get_nt_acl
= afsacl_get_nt_acl
,
1087 .fset_nt_acl
= afsacl_fset_nt_acl
1090 NTSTATUS
vfs_afsacl_init(void);
1091 NTSTATUS
vfs_afsacl_init(void)
1093 return smb_register_vfs(SMB_VFS_INTERFACE_VERSION
, "afsacl",