2 * Convert AFS acls to NT acls and vice versa.
4 * Copyright (C) Volker Lendecke, 2003
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 #define DBGC_CLASS DBGC_VFS
29 #include <afs/venus.h>
30 #include <afs/prs_fs.h>
34 extern const DOM_SID global_sid_World
;
35 extern const DOM_SID global_sid_Builtin_Administrators
;
36 extern const DOM_SID global_sid_Builtin_Backup_Operators
;
37 extern const DOM_SID global_sid_Authenticated_Users
;
38 extern const DOM_SID global_sid_NULL
;
40 static char space_replacement
= '%';
42 /* Do we expect SIDs as pts names? */
45 extern int afs_syscall(int, char *, int, char *, int);
51 enum SID_NAME_USE type
;
60 struct afs_ace
*acelist
;
65 uint16 in_size
, out_size
;
69 static BOOL
init_afs_acl(struct afs_acl
*acl
)
72 acl
->ctx
= talloc_init("afs_acl");
73 if (acl
->ctx
== NULL
) {
74 DEBUG(10, ("Could not init afs_acl"));
80 static void free_afs_acl(struct afs_acl
*acl
)
83 talloc_destroy(acl
->ctx
);
89 static struct afs_ace
*clone_afs_ace(TALLOC_CTX
*mem_ctx
, struct afs_ace
*ace
)
91 struct afs_ace
*result
= TALLOC_P(mem_ctx
, struct afs_ace
);
99 result
->name
= talloc_strdup(mem_ctx
, ace
->name
);
101 if (result
->name
== NULL
) {
108 static struct afs_ace
*new_afs_ace(TALLOC_CTX
*mem_ctx
,
110 const char *name
, uint32 rights
)
113 enum SID_NAME_USE type
;
114 struct afs_ace
*result
;
116 if (strcmp(name
, "system:administrators") == 0) {
118 sid_copy(&sid
, &global_sid_Builtin_Administrators
);
119 type
= SID_NAME_ALIAS
;
121 } else if (strcmp(name
, "system:anyuser") == 0) {
123 sid_copy(&sid
, &global_sid_World
);
124 type
= SID_NAME_ALIAS
;
126 } else if (strcmp(name
, "system:authuser") == 0) {
128 sid_copy(&sid
, &global_sid_Authenticated_Users
);
129 type
= SID_NAME_WKN_GRP
;
131 } else if (strcmp(name
, "system:backup") == 0) {
133 sid_copy(&sid
, &global_sid_Builtin_Backup_Operators
);
134 type
= SID_NAME_ALIAS
;
137 /* All PTS users/groups are expressed as SIDs */
139 sid_copy(&sid
, &global_sid_NULL
);
140 type
= SID_NAME_UNKNOWN
;
142 if (string_to_sid(&sid
, name
)) {
143 const char *user
, *domain
;
144 /* We have to find the type, look up the SID */
145 lookup_sid(tmp_talloc_ctx(), &sid
,
146 &domain
, &user
, &type
);
151 const char *domain
, *uname
;
154 p
= strchr_m(name
, *lp_winbind_separator());
159 if (!lookup_name(tmp_talloc_ctx(), name
, LOOKUP_NAME_ALL
,
160 &domain
, &uname
, &sid
, &type
)) {
161 DEBUG(10, ("Could not find AFS user %s\n", name
));
163 sid_copy(&sid
, &global_sid_NULL
);
164 type
= SID_NAME_UNKNOWN
;
169 result
= TALLOC_P(mem_ctx
, struct afs_ace
);
171 if (result
== NULL
) {
172 DEBUG(0, ("Could not talloc AFS ace\n"));
176 result
->name
= talloc_strdup(mem_ctx
, name
);
177 if (result
->name
== NULL
) {
178 DEBUG(0, ("Could not talloc AFS ace name\n"));
185 result
->positive
= positive
;
186 result
->rights
= rights
;
191 static void add_afs_ace(struct afs_acl
*acl
,
193 const char *name
, uint32 rights
)
197 for (ace
= acl
->acelist
; ace
!= NULL
; ace
= ace
->next
) {
198 if ((ace
->positive
== positive
) &&
199 (strequal(ace
->name
, name
))) {
200 ace
->rights
|= rights
;
205 ace
= new_afs_ace(acl
->ctx
, positive
, name
, rights
);
207 ace
->next
= acl
->acelist
;
212 DEBUG(10, ("add_afs_ace: Added %s entry for %s with rights %d\n",
213 ace
->positive
?"positive":"negative",
214 ace
->name
, ace
->rights
));
219 /* AFS ACLs in string form are a long string of fields delimited with \n.
221 * First line: Number of positive entries
222 * Second line: Number of negative entries
223 * Third and following lines: The entries themselves
225 * An ACE is a line of two fields, delimited by \t.
228 * Second field: Rights
231 static BOOL
parse_afs_acl(struct afs_acl
*acl
, const char *acl_str
)
239 strncpy(str
, acl_str
, MAXSIZE
);
241 if (sscanf(p
, "%d", &nplus
) != 1)
244 DEBUG(10, ("Found %d positive entries\n", nplus
));
246 if ((p
= strchr(p
, '\n')) == NULL
)
250 if (sscanf(p
, "%d", &nminus
) != 1)
253 DEBUG(10, ("Found %d negative entries\n", nminus
));
255 if ((p
= strchr(p
, '\n')) == NULL
)
259 for (aces
= nplus
+nminus
; aces
> 0; aces
--)
269 if ((p
= strchr(p
, '\t')) == NULL
)
274 if (sscanf(p
, "%d", &rights
) != 1)
277 if ((p
= strchr(p
, '\n')) == NULL
)
281 fstrcpy(name
, namep
);
283 while ((space
= strchr_m(name
, space_replacement
)) != NULL
)
286 add_afs_ace(acl
, nplus
>0, name
, rights
);
294 static BOOL
unparse_afs_acl(struct afs_acl
*acl
, char *acl_str
)
296 /* TODO: String length checks!!!! */
304 struct afs_ace
*ace
= acl
->acelist
;
306 while (ace
!= NULL
) {
314 fstr_sprintf(line
, "%d\n", positives
);
315 safe_strcat(acl_str
, line
, MAXSIZE
);
317 fstr_sprintf(line
, "%d\n", negatives
);
318 safe_strcat(acl_str
, line
, MAXSIZE
);
322 while (ace
!= NULL
) {
323 fstr_sprintf(line
, "%s\t%d\n", ace
->name
, ace
->rights
);
324 safe_strcat(acl_str
, line
, MAXSIZE
);
330 static uint32
afs_to_nt_file_rights(uint32 rights
)
334 if (rights
& PRSFS_READ
)
335 result
|= FILE_READ_DATA
| FILE_READ_EA
|
336 FILE_EXECUTE
| FILE_READ_ATTRIBUTES
|
337 READ_CONTROL_ACCESS
| SYNCHRONIZE_ACCESS
;
339 if (rights
& PRSFS_WRITE
)
340 result
|= FILE_WRITE_DATA
| FILE_WRITE_ATTRIBUTES
|
341 FILE_WRITE_EA
| FILE_APPEND_DATA
;
343 if (rights
& PRSFS_LOCK
)
344 result
|= WRITE_OWNER_ACCESS
;
346 if (rights
& PRSFS_DELETE
)
347 result
|= DELETE_ACCESS
;
352 static void afs_to_nt_dir_rights(uint32 afs_rights
, uint32
*nt_rights
,
356 *flag
= SEC_ACE_FLAG_OBJECT_INHERIT
|
357 SEC_ACE_FLAG_CONTAINER_INHERIT
;
359 if (afs_rights
& PRSFS_INSERT
)
360 *nt_rights
|= FILE_ADD_FILE
| FILE_ADD_SUBDIRECTORY
;
362 if (afs_rights
& PRSFS_LOOKUP
)
363 *nt_rights
|= FILE_READ_DATA
| FILE_READ_EA
|
364 FILE_EXECUTE
| FILE_READ_ATTRIBUTES
|
365 READ_CONTROL_ACCESS
| SYNCHRONIZE_ACCESS
;
367 if (afs_rights
& PRSFS_WRITE
)
368 *nt_rights
|= FILE_WRITE_ATTRIBUTES
| FILE_WRITE_DATA
|
369 FILE_APPEND_DATA
| FILE_WRITE_EA
;
371 if ((afs_rights
& (PRSFS_INSERT
|PRSFS_LOOKUP
|PRSFS_DELETE
)) ==
372 (PRSFS_INSERT
|PRSFS_LOOKUP
|PRSFS_DELETE
))
373 *nt_rights
|= FILE_WRITE_ATTRIBUTES
| FILE_WRITE_EA
|
374 GENERIC_WRITE_ACCESS
;
376 if (afs_rights
& PRSFS_DELETE
)
377 *nt_rights
|= DELETE_ACCESS
;
379 if (afs_rights
& PRSFS_ADMINISTER
)
380 *nt_rights
|= FILE_DELETE_CHILD
| WRITE_DAC_ACCESS
|
383 if ( (afs_rights
& PRSFS_LOOKUP
) ==
384 (afs_rights
& (PRSFS_LOOKUP
|PRSFS_READ
)) ) {
385 /* Only lookup right */
386 *flag
= SEC_ACE_FLAG_CONTAINER_INHERIT
;
392 #define AFS_FILE_RIGHTS (PRSFS_READ|PRSFS_WRITE|PRSFS_LOCK)
393 #define AFS_DIR_RIGHTS (PRSFS_INSERT|PRSFS_LOOKUP|PRSFS_DELETE|PRSFS_ADMINISTER)
395 static void split_afs_acl(struct afs_acl
*acl
,
396 struct afs_acl
*dir_acl
,
397 struct afs_acl
*file_acl
)
401 init_afs_acl(dir_acl
);
402 init_afs_acl(file_acl
);
404 for (ace
= acl
->acelist
; ace
!= NULL
; ace
= ace
->next
) {
405 if (ace
->rights
& AFS_FILE_RIGHTS
) {
406 add_afs_ace(file_acl
, ace
->positive
, ace
->name
,
407 ace
->rights
& AFS_FILE_RIGHTS
);
410 if (ace
->rights
& AFS_DIR_RIGHTS
) {
411 add_afs_ace(dir_acl
, ace
->positive
, ace
->name
,
412 ace
->rights
& AFS_DIR_RIGHTS
);
418 static BOOL
same_principal(struct afs_ace
*x
, struct afs_ace
*y
)
420 return ( (x
->positive
== y
->positive
) &&
421 (sid_compare(&x
->sid
, &y
->sid
) == 0) );
424 static void merge_afs_acls(struct afs_acl
*dir_acl
,
425 struct afs_acl
*file_acl
,
426 struct afs_acl
*target
)
430 init_afs_acl(target
);
432 for (ace
= dir_acl
->acelist
; ace
!= NULL
; ace
= ace
->next
) {
433 struct afs_ace
*file_ace
;
436 for (file_ace
= file_acl
->acelist
;
438 file_ace
= file_ace
->next
) {
439 if (!same_principal(ace
, file_ace
))
442 add_afs_ace(target
, ace
->positive
, ace
->name
,
443 ace
->rights
| file_ace
->rights
);
448 add_afs_ace(target
, ace
->positive
, ace
->name
,
452 for (ace
= file_acl
->acelist
; ace
!= NULL
; ace
= ace
->next
) {
453 struct afs_ace
*dir_ace
;
454 BOOL already_seen
= False
;
456 for (dir_ace
= dir_acl
->acelist
;
458 dir_ace
= dir_ace
->next
) {
459 if (!same_principal(ace
, dir_ace
))
465 add_afs_ace(target
, ace
->positive
, ace
->name
,
470 #define PERMS_READ 0x001200a9
471 #define PERMS_CHANGE 0x001301bf
472 #define PERMS_FULL 0x001f01ff
474 static struct static_dir_ace_mapping
{
482 { 0, SEC_ACE_FLAG_OBJECT_INHERIT
|SEC_ACE_FLAG_CONTAINER_INHERIT
,
483 PERMS_FULL
, 127 /* rlidwka */ },
486 { 0, SEC_ACE_FLAG_OBJECT_INHERIT
|SEC_ACE_FLAG_CONTAINER_INHERIT
,
487 PERMS_CHANGE
, 63 /* rlidwk */ },
489 /* Read (including list folder content) */
490 { 0, SEC_ACE_FLAG_OBJECT_INHERIT
|SEC_ACE_FLAG_CONTAINER_INHERIT
,
491 PERMS_READ
, 9 /* rl */ },
493 /* Read without list folder content -- same as "l" */
494 { 0, SEC_ACE_FLAG_OBJECT_INHERIT
|SEC_ACE_FLAG_CONTAINER_INHERIT
,
495 0x00120089, 8 /* l */ },
497 /* some stupid workaround for preventing fallbacks */
498 { 0, 0x3, 0x0012019F, 9 /* rl */ },
499 { 0, 0x13, PERMS_FULL
, 127 /* full */ },
501 /* read, delete and execute access plus synchronize */
502 { 0, 0x3, 0x001300A9, 9 /* should be rdl, set to rl */},
503 /* classical read list */
504 { 0, 0x13, 0x001200A9, 9 /* rl */},
505 /* almost full control, no delete */
506 { 0, 0x13, PERMS_CHANGE
, 63 /* rwidlk */},
509 { 0, SEC_ACE_FLAG_CONTAINER_INHERIT
,
510 PERMS_READ
, 8 /* l */ },
512 /* FULL without inheritance -- in all cases here we also get
513 the corresponding INHERIT_ONLY ACE in the same ACL */
514 { 0, 0, PERMS_FULL
, 127 /* rlidwka */ },
516 /* FULL inherit only -- counterpart to previous one */
517 { 0, SEC_ACE_FLAG_OBJECT_INHERIT
|SEC_ACE_FLAG_CONTAINER_INHERIT
|SEC_ACE_FLAG_INHERIT_ONLY
,
518 PERMS_FULL
| GENERIC_RIGHT_WRITE_ACCESS
, 127 /* rlidwka */ },
520 /* CHANGE without inheritance -- in all cases here we also get
521 the corresponding INHERIT_ONLY ACE in the same ACL */
522 { 0, 0, PERMS_CHANGE
, 63 /* rlidwk */ },
524 /* CHANGE inherit only -- counterpart to previous one */
525 { 0, SEC_ACE_FLAG_OBJECT_INHERIT
|SEC_ACE_FLAG_CONTAINER_INHERIT
|SEC_ACE_FLAG_INHERIT_ONLY
,
526 PERMS_CHANGE
| GENERIC_RIGHT_WRITE_ACCESS
, 63 /* rlidwk */ },
528 /* End marker, hopefully there's no afs right 9999 :-) */
532 static uint32
nt_to_afs_dir_rights(const char *filename
, const SEC_ACE
*ace
)
535 uint32 rights
= ace
->info
.mask
;
536 uint8 flags
= ace
->flags
;
538 struct static_dir_ace_mapping
*m
;
540 for (m
= &ace_mappings
[0]; m
->afs_rights
!= 9999; m
++) {
541 if ( (ace
->type
== m
->type
) &&
542 (ace
->flags
== m
->flags
) &&
543 (ace
->info
.mask
== m
->mask
) )
544 return m
->afs_rights
;
547 DEBUG(1, ("AFSACL FALLBACK: 0x%X 0x%X 0x%X %s %X\n",
548 ace
->type
, ace
->flags
, ace
->info
.mask
, filename
, rights
));
550 if (rights
& (GENERIC_ALL_ACCESS
|WRITE_DAC_ACCESS
)) {
551 result
|= PRSFS_READ
| PRSFS_WRITE
| PRSFS_INSERT
|
552 PRSFS_LOOKUP
| PRSFS_DELETE
| PRSFS_LOCK
|
556 if (rights
& (GENERIC_READ_ACCESS
|FILE_READ_DATA
)) {
557 result
|= PRSFS_LOOKUP
;
558 if (flags
& SEC_ACE_FLAG_OBJECT_INHERIT
) {
559 result
|= PRSFS_READ
;
563 if (rights
& (GENERIC_WRITE_ACCESS
|FILE_WRITE_DATA
)) {
564 result
|= PRSFS_INSERT
| PRSFS_DELETE
;
565 if (flags
& SEC_ACE_FLAG_OBJECT_INHERIT
) {
566 result
|= PRSFS_WRITE
| PRSFS_LOCK
;
573 static uint32
nt_to_afs_file_rights(const char *filename
, const SEC_ACE
*ace
)
576 uint32 rights
= ace
->info
.mask
;
578 if (rights
& (GENERIC_READ_ACCESS
|FILE_READ_DATA
)) {
579 result
|= PRSFS_READ
;
582 if (rights
& (GENERIC_WRITE_ACCESS
|FILE_WRITE_DATA
)) {
583 result
|= PRSFS_WRITE
| PRSFS_LOCK
;
589 static size_t afs_to_nt_acl(struct afs_acl
*afs_acl
,
590 struct files_struct
*fsp
,
591 uint32 security_info
,
592 struct security_descriptor_info
**ppdesc
)
594 SEC_ACE
*nt_ace_list
;
595 DOM_SID owner_sid
, group_sid
;
597 SMB_STRUCT_STAT sbuf
;
601 TALLOC_CTX
*mem_ctx
= main_loop_talloc_get();
603 struct afs_ace
*afs_ace
;
605 if (fsp
->is_directory
|| fsp
->fh
->fd
== -1) {
606 /* Get the stat struct for the owner info. */
607 if(SMB_VFS_STAT(fsp
->conn
,fsp
->fsp_name
, &sbuf
) != 0) {
611 if(SMB_VFS_FSTAT(fsp
,fsp
->fh
->fd
,&sbuf
) != 0) {
616 uid_to_sid(&owner_sid
, sbuf
.st_uid
);
617 gid_to_sid(&group_sid
, sbuf
.st_gid
);
619 nt_ace_list
= TALLOC_ARRAY(mem_ctx
, SEC_ACE
, afs_acl
->num_aces
);
621 if (nt_ace_list
== NULL
)
624 afs_ace
= afs_acl
->acelist
;
627 while (afs_ace
!= NULL
) {
629 uint8 flag
= SEC_ACE_FLAG_OBJECT_INHERIT
|
630 SEC_ACE_FLAG_CONTAINER_INHERIT
;
632 if (afs_ace
->type
== SID_NAME_UNKNOWN
) {
633 DEBUG(10, ("Ignoring unknown name %s\n",
635 afs_ace
= afs_ace
->next
;
639 if (fsp
->is_directory
)
640 afs_to_nt_dir_rights(afs_ace
->rights
, &nt_rights
,
643 nt_rights
= afs_to_nt_file_rights(afs_ace
->rights
);
645 init_sec_access(&mask
, nt_rights
);
646 init_sec_ace(&nt_ace_list
[good_aces
++], &(afs_ace
->sid
),
647 SEC_ACE_TYPE_ACCESS_ALLOWED
, mask
, flag
);
648 afs_ace
= afs_ace
->next
;
651 psa
= make_sec_acl(mem_ctx
, NT4_ACL_REVISION
,
652 good_aces
, nt_ace_list
);
657 *ppdesc
= make_sec_desc(mem_ctx
, SEC_DESC_REVISION
,
658 SEC_DESC_SELF_RELATIVE
,
659 (security_info
& OWNER_SECURITY_INFORMATION
)
661 (security_info
& GROUP_SECURITY_INFORMATION
)
663 NULL
, psa
, &sd_size
);
668 static BOOL
mappable_sid(const DOM_SID
*sid
)
672 if (sid_compare(sid
, &global_sid_Builtin_Administrators
) == 0)
675 if (sid_compare(sid
, &global_sid_World
) == 0)
678 if (sid_compare(sid
, &global_sid_Authenticated_Users
) == 0)
681 if (sid_compare(sid
, &global_sid_Builtin_Backup_Operators
) == 0)
684 string_to_sid(&domain_sid
, "S-1-5-21");
686 if (sid_compare_domain(sid
, &domain_sid
) == 0)
692 static BOOL
nt_to_afs_acl(const char *filename
,
693 uint32 security_info_sent
,
694 struct security_descriptor_info
*psd
,
695 uint32 (*nt_to_afs_rights
)(const char *filename
,
697 struct afs_acl
*afs_acl
)
702 /* Currently we *only* look at the dacl */
704 if (((security_info_sent
& DACL_SECURITY_INFORMATION
) == 0) ||
708 if (!init_afs_acl(afs_acl
))
713 for (i
= 0; i
< dacl
->num_aces
; i
++) {
714 SEC_ACE
*ace
= &(dacl
->ace
[i
]);
715 const char *dom_name
, *name
;
716 enum SID_NAME_USE name_type
;
719 if (ace
->type
!= SEC_ACE_TYPE_ACCESS_ALLOWED
) {
720 /* First cut: Only positive ACEs */
724 if (!mappable_sid(&ace
->trustee
)) {
725 DEBUG(10, ("Ignoring unmappable SID %s\n",
726 sid_string_static(&ace
->trustee
)));
730 if (sid_compare(&ace
->trustee
,
731 &global_sid_Builtin_Administrators
) == 0) {
733 name
= "system:administrators";
735 } else if (sid_compare(&ace
->trustee
,
736 &global_sid_World
) == 0) {
738 name
= "system:anyuser";
740 } else if (sid_compare(&ace
->trustee
,
741 &global_sid_Authenticated_Users
) == 0) {
743 name
= "system:authuser";
745 } else if (sid_compare(&ace
->trustee
,
746 &global_sid_Builtin_Backup_Operators
)
749 name
= "system:backup";
753 if (!lookup_sid(tmp_talloc_ctx(), &ace
->trustee
,
754 &dom_name
, &name
, &name_type
)) {
755 DEBUG(1, ("AFSACL: Could not lookup SID %s on file %s\n",
756 sid_string_static(&ace
->trustee
), filename
));
760 if ( (name_type
== SID_NAME_USER
) ||
761 (name_type
== SID_NAME_DOM_GRP
) ||
762 (name_type
== SID_NAME_ALIAS
) ) {
764 tmp
= talloc_asprintf(tmp_talloc_ctx(), "%s%s%s",
765 dom_name
, lp_winbind_separator(),
775 /* Expect all users/groups in pts as SIDs */
776 name
= talloc_strdup(
778 sid_string_static(&ace
->trustee
));
785 while ((p
= strchr_m(name
, ' ')) != NULL
)
786 *p
= space_replacement
;
788 add_afs_ace(afs_acl
, True
, name
,
789 nt_to_afs_rights(filename
, ace
));
795 static BOOL
afs_get_afs_acl(char *filename
, struct afs_acl
*acl
)
803 DEBUG(5, ("afs_get_afs_acl: %s\n", filename
));
806 iob
.out_size
= MAXSIZE
;
807 iob
.in
= iob
.out
= space
;
809 ret
= afs_syscall(AFSCALL_PIOCTL
, filename
, VIOCGETAL
,
813 DEBUG(1, ("got error from PIOCTL: %d\n", ret
));
817 if (!init_afs_acl(acl
))
820 if (!parse_afs_acl(acl
, space
)) {
821 DEBUG(1, ("Could not parse AFS acl\n"));
829 static size_t afs_get_nt_acl(struct files_struct
*fsp
, uint32 security_info
,
830 struct security_descriptor_info
**ppdesc
)
835 DEBUG(5, ("afs_get_nt_acl: %s\n", fsp
->fsp_name
));
837 sidpts
= lp_parm_bool(SNUM(fsp
->conn
), "afsacl", "sidpts", False
);
839 if (!afs_get_afs_acl(fsp
->fsp_name
, &acl
)) {
843 sd_size
= afs_to_nt_acl(&acl
, fsp
, security_info
, ppdesc
);
850 /* For setting an AFS ACL we have to take care of the ACEs we could
851 * not properly map to SIDs. Merge all of them into the new ACL. */
853 static void merge_unknown_aces(struct afs_acl
*src
, struct afs_acl
*dst
)
857 for (ace
= src
->acelist
; ace
!= NULL
; ace
= ace
->next
)
859 struct afs_ace
*copy
;
861 if (ace
->type
!= SID_NAME_UNKNOWN
) {
862 DEBUG(10, ("Not merging known ACE for %s\n",
867 DEBUG(10, ("Merging unknown ACE for %s\n", ace
->name
));
869 copy
= clone_afs_ace(dst
->ctx
, ace
);
872 DEBUG(0, ("Could not clone ACE for %s\n", ace
->name
));
876 copy
->next
= dst
->acelist
;
882 static BOOL
afs_set_nt_acl(vfs_handle_struct
*handle
, files_struct
*fsp
,
883 uint32 security_info_sent
,
884 struct security_descriptor_info
*psd
)
886 struct afs_acl old_afs_acl
, new_afs_acl
;
887 struct afs_acl dir_acl
, file_acl
;
888 char acl_string
[2049];
892 const char *fileacls
;
894 fileacls
= lp_parm_const_string(SNUM(handle
->conn
), "afsacl", "fileacls",
897 sidpts
= lp_parm_bool(SNUM(handle
->conn
), "afsacl", "sidpts", False
);
899 ZERO_STRUCT(old_afs_acl
);
900 ZERO_STRUCT(new_afs_acl
);
901 ZERO_STRUCT(dir_acl
);
902 ZERO_STRUCT(file_acl
);
904 pstr_sprintf(name
, fsp
->fsp_name
);
906 if (!fsp
->is_directory
) {
907 /* We need to get the name of the directory containing the
908 * file, this is where the AFS acls live */
909 char *p
= strrchr(name
, '/');
917 if (!afs_get_afs_acl(name
, &old_afs_acl
)) {
918 DEBUG(3, ("Could not get old ACL of %s\n", fsp
->fsp_name
));
922 split_afs_acl(&old_afs_acl
, &dir_acl
, &file_acl
);
924 if (fsp
->is_directory
) {
926 if (!strequal(fileacls
, "yes")) {
927 /* Throw away file acls, we depend on the
928 * inheritance ACEs that also give us file
930 free_afs_acl(&file_acl
);
933 free_afs_acl(&dir_acl
);
934 if (!nt_to_afs_acl(fsp
->fsp_name
, security_info_sent
, psd
,
935 nt_to_afs_dir_rights
, &dir_acl
))
938 if (strequal(fileacls
, "no")) {
943 if (strequal(fileacls
, "ignore")) {
948 free_afs_acl(&file_acl
);
949 if (!nt_to_afs_acl(fsp
->fsp_name
, security_info_sent
, psd
,
950 nt_to_afs_file_rights
, &file_acl
))
954 merge_afs_acls(&dir_acl
, &file_acl
, &new_afs_acl
);
956 merge_unknown_aces(&old_afs_acl
, &new_afs_acl
);
958 unparse_afs_acl(&new_afs_acl
, acl_string
);
961 iob
.in_size
= 1+strlen(iob
.in
);
965 DEBUG(10, ("trying to set acl '%s' on file %s\n", iob
.in
, name
));
967 ret
= afs_syscall(AFSCALL_PIOCTL
, name
, VIOCSETAL
, (char *)&iob
, 0);
970 DEBUG(10, ("VIOCSETAL returned %d\n", ret
));
974 free_afs_acl(&dir_acl
);
975 free_afs_acl(&file_acl
);
976 free_afs_acl(&old_afs_acl
);
977 free_afs_acl(&new_afs_acl
);
982 static size_t afsacl_fget_nt_acl(struct vfs_handle_struct
*handle
,
983 struct files_struct
*fsp
,
984 int fd
, uint32 security_info
,
985 struct security_descriptor_info
**ppdesc
)
987 return afs_get_nt_acl(fsp
, security_info
, ppdesc
);
989 static size_t afsacl_get_nt_acl(struct vfs_handle_struct
*handle
,
990 struct files_struct
*fsp
,
991 const char *name
, uint32 security_info
,
992 struct security_descriptor_info
**ppdesc
)
994 return afs_get_nt_acl(fsp
, security_info
, ppdesc
);
997 BOOL
afsacl_fset_nt_acl(vfs_handle_struct
*handle
,
999 int fd
, uint32 security_info_sent
,
1002 return afs_set_nt_acl(handle
, fsp
, security_info_sent
, psd
);
1005 BOOL
afsacl_set_nt_acl(vfs_handle_struct
*handle
,
1007 const char *name
, uint32 security_info_sent
,
1010 return afs_set_nt_acl(handle
, fsp
, security_info_sent
, psd
);
1013 static int afsacl_connect(vfs_handle_struct
*handle
,
1014 connection_struct
*conn
,
1015 const char *service
,
1020 spc
= lp_parm_const_string(SNUM(handle
->conn
), "afsacl", "space", "%");
1023 space_replacement
= spc
[0];
1025 return SMB_VFS_NEXT_CONNECT(handle
, conn
, service
, user
);
1028 /* VFS operations structure */
1030 static vfs_op_tuple afsacl_ops
[] = {
1031 {SMB_VFS_OP(afsacl_connect
), SMB_VFS_OP_CONNECT
,
1032 SMB_VFS_LAYER_TRANSPARENT
},
1033 {SMB_VFS_OP(afsacl_fget_nt_acl
), SMB_VFS_OP_FGET_NT_ACL
,
1034 SMB_VFS_LAYER_TRANSPARENT
},
1035 {SMB_VFS_OP(afsacl_get_nt_acl
), SMB_VFS_OP_GET_NT_ACL
,
1036 SMB_VFS_LAYER_TRANSPARENT
},
1037 {SMB_VFS_OP(afsacl_fset_nt_acl
), SMB_VFS_OP_FSET_NT_ACL
,
1038 SMB_VFS_LAYER_TRANSPARENT
},
1039 {SMB_VFS_OP(afsacl_set_nt_acl
), SMB_VFS_OP_SET_NT_ACL
,
1040 SMB_VFS_LAYER_TRANSPARENT
},
1041 {SMB_VFS_OP(NULL
), SMB_VFS_OP_NOOP
, SMB_VFS_LAYER_NOOP
}
1044 NTSTATUS
vfs_afsacl_init(void)
1046 return smb_register_vfs(SMB_VFS_INTERFACE_VERSION
, "afsacl",