search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4 dns: Add a simple dns lookup helper
[Samba/gebeck_regimport.git] / source4 / ntvfs / posix / pvfs_acl.c
blob1519631769dfd28e133465b434c12c6cd93b8461
1 /*
2 Unix SMB/CIFS implementation.
3
4 POSIX NTVFS backend - ACL support
5
6 Copyright (C) Andrew Tridgell 2004
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "system/passwd.h"
24 #include "auth/auth.h"
25 #include "vfs_posix.h"
26 #include "librpc/gen_ndr/xattr.h"
27 #include "libcli/security/security.h"
28 #include "param/param.h"
29 #include "../lib/util/unix_privs.h"
30 #include "lib/util/samba_modules.h"
31
32 /* the list of currently registered ACL backends */
33 static struct pvfs_acl_backend {
34 const struct pvfs_acl_ops *ops;
35 } *backends = NULL;
36 static int num_backends;
37
38 /*
39 register a pvfs acl backend.
40
41 The 'name' can be later used by other backends to find the operations
42 structure for this backend.
43 */
44 NTSTATUS pvfs_acl_register(const struct pvfs_acl_ops *ops)
45 {
46 struct pvfs_acl_ops *new_ops;
47
48 if (pvfs_acl_backend_byname(ops->name) != NULL) {
49 DEBUG(0,("pvfs acl backend '%s' already registered\n", ops->name));
50 return NT_STATUS_OBJECT_NAME_COLLISION;
51 }
52
53 backends = talloc_realloc(talloc_autofree_context(), backends, struct pvfs_acl_backend, num_backends+1);
54 NT_STATUS_HAVE_NO_MEMORY(backends);
55
56 new_ops = (struct pvfs_acl_ops *)talloc_memdup(backends, ops, sizeof(*ops));
57 new_ops->name = talloc_strdup(new_ops, ops->name);
58
59 backends[num_backends].ops = new_ops;
60
61 num_backends++;
62
63 DEBUG(3,("NTVFS backend '%s' registered\n", ops->name));
64
65 return NT_STATUS_OK;
66 }
67
68
69 /*
70 return the operations structure for a named backend
71 */
72 const struct pvfs_acl_ops *pvfs_acl_backend_byname(const char *name)
73 {
74 int i;
75
76 for (i=0;i<num_backends;i++) {
77 if (strcmp(backends[i].ops->name, name) == 0) {
78 return backends[i].ops;
79 }
80 }
81
82 return NULL;
83 }
84
85 NTSTATUS pvfs_acl_init(void)
86 {
87 static bool initialized = false;
88 #define _MODULE_PROTO(init) extern NTSTATUS init(void);
89 STATIC_pvfs_acl_MODULES_PROTO;
90 init_module_fn static_init[] = { STATIC_pvfs_acl_MODULES };
91 init_module_fn *shared_init;
92
93 if (initialized) return NT_STATUS_OK;
94 initialized = true;
95
96 shared_init = load_samba_modules(NULL, "pvfs_acl");
97
98 run_init_functions(static_init);
99 run_init_functions(shared_init);
100
101 talloc_free(shared_init);
102
103 return NT_STATUS_OK;
104 }
105
106
107 /*
108 map a single access_mask from generic to specific bits for files/dirs
109 */
110 static uint32_t pvfs_translate_mask(uint32_t access_mask)
111 {
112 if (access_mask & SEC_MASK_GENERIC) {
113 if (access_mask & SEC_GENERIC_READ) access_mask |= SEC_RIGHTS_FILE_READ;
114 if (access_mask & SEC_GENERIC_WRITE) access_mask |= SEC_RIGHTS_FILE_WRITE;
115 if (access_mask & SEC_GENERIC_EXECUTE) access_mask |= SEC_RIGHTS_FILE_EXECUTE;
116 if (access_mask & SEC_GENERIC_ALL) access_mask |= SEC_RIGHTS_FILE_ALL;
117 access_mask &= ~SEC_MASK_GENERIC;
118 }
119 return access_mask;
120 }
121
122
123 /*
124 map any generic access bits in the given acl
125 this relies on the fact that the mappings for files and directories
126 are the same
127 */
128 static void pvfs_translate_generic_bits(struct security_acl *acl)
129 {
130 unsigned i;
131
132 if (!acl) return;
133
134 for (i=0;i<acl->num_aces;i++) {
135 struct security_ace *ace = &acl->aces[i];
136 ace->access_mask = pvfs_translate_mask(ace->access_mask);
137 }
138 }
139
140
141 /*
142 setup a default ACL for a file
143 */
144 static NTSTATUS pvfs_default_acl(struct pvfs_state *pvfs,
145 struct ntvfs_request *req,
146 struct pvfs_filename *name, int fd,
147 struct security_descriptor **psd)
148 {
149 struct security_descriptor *sd;
150 NTSTATUS status;
151 struct security_ace ace;
152 mode_t mode;
153 struct id_map *ids;
154 struct composite_context *ctx;
155
156 *psd = security_descriptor_initialise(req);
157 if (*psd == NULL) {
158 return NT_STATUS_NO_MEMORY;
159 }
160 sd = *psd;
161
162 ids = talloc_zero_array(sd, struct id_map, 2);
163 NT_STATUS_HAVE_NO_MEMORY(ids);
164
165 ids[0].xid.id = name->st.st_uid;
166 ids[0].xid.type = ID_TYPE_UID;
167 ids[0].sid = NULL;
168
169 ids[1].xid.id = name->st.st_gid;
170 ids[1].xid.type = ID_TYPE_GID;
171 ids[1].sid = NULL;
172
173 ctx = wbc_xids_to_sids_send(pvfs->wbc_ctx, ids, 2, ids);
174 NT_STATUS_HAVE_NO_MEMORY(ctx);
175
176 status = wbc_xids_to_sids_recv(ctx, &ids);
177 NT_STATUS_NOT_OK_RETURN(status);
178
179 sd->owner_sid = talloc_steal(sd, ids[0].sid);
180 sd->group_sid = talloc_steal(sd, ids[1].sid);
181
182 talloc_free(ids);
183 sd->type |= SEC_DESC_DACL_PRESENT;
184
185 mode = name->st.st_mode;
186
187 /*
188 we provide up to 4 ACEs
189 - Owner
190 - Group
191 - Everyone
192 - Administrator
193 */
194
195
196 /* setup owner ACE */
197 ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
198 ace.flags = 0;
199 ace.trustee = *sd->owner_sid;
200 ace.access_mask = 0;
201
202 if (mode & S_IRUSR) {
203 if (mode & S_IWUSR) {
204 ace.access_mask |= SEC_RIGHTS_FILE_ALL;
205 } else {
206 ace.access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
207 }
208 }
209 if (mode & S_IWUSR) {
210 ace.access_mask |= SEC_RIGHTS_FILE_WRITE | SEC_STD_DELETE;
211 }
212 if (ace.access_mask) {
213 security_descriptor_dacl_add(sd, &ace);
214 }
215
216
217 /* setup group ACE */
218 ace.trustee = *sd->group_sid;
219 ace.access_mask = 0;
220 if (mode & S_IRGRP) {
221 ace.access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
222 }
223 if (mode & S_IWGRP) {
224 /* note that delete is not granted - this matches posix behaviour */
225 ace.access_mask |= SEC_RIGHTS_FILE_WRITE;
226 }
227 if (ace.access_mask) {
228 security_descriptor_dacl_add(sd, &ace);
229 }
230
231 /* setup other ACE */
232 ace.trustee = *dom_sid_parse_talloc(req, SID_WORLD);
233 ace.access_mask = 0;
234 if (mode & S_IROTH) {
235 ace.access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
236 }
237 if (mode & S_IWOTH) {
238 ace.access_mask |= SEC_RIGHTS_FILE_WRITE;
239 }
240 if (ace.access_mask) {
241 security_descriptor_dacl_add(sd, &ace);
242 }
243
244 /* setup system ACE */
245 ace.trustee = *dom_sid_parse_talloc(req, SID_NT_SYSTEM);
246 ace.access_mask = SEC_RIGHTS_FILE_ALL;
247 security_descriptor_dacl_add(sd, &ace);
248
249 return NT_STATUS_OK;
250 }
251
252
253 /*
254 omit any security_descriptor elements not specified in the given
255 secinfo flags
256 */
257 static void normalise_sd_flags(struct security_descriptor *sd, uint32_t secinfo_flags)
258 {
259 if (!(secinfo_flags & SECINFO_OWNER)) {
260 sd->owner_sid = NULL;
261 }
262 if (!(secinfo_flags & SECINFO_GROUP)) {
263 sd->group_sid = NULL;
264 }
265 if (!(secinfo_flags & SECINFO_DACL)) {
266 sd->dacl = NULL;
267 }
268 if (!(secinfo_flags & SECINFO_SACL)) {
269 sd->sacl = NULL;
270 }
271 }
272
273 /*
274 answer a setfileinfo for an ACL
275 */
276 NTSTATUS pvfs_acl_set(struct pvfs_state *pvfs,
277 struct ntvfs_request *req,
278 struct pvfs_filename *name, int fd,
279 uint32_t access_mask,
280 union smb_setfileinfo *info)
281 {
282 uint32_t secinfo_flags = info->set_secdesc.in.secinfo_flags;
283 struct security_descriptor *new_sd, *sd, orig_sd;
284 NTSTATUS status = NT_STATUS_NOT_FOUND;
285 uid_t old_uid = -1;
286 gid_t old_gid = -1;
287 uid_t new_uid = -1;
288 gid_t new_gid = -1;
289 struct id_map *ids;
290 struct composite_context *ctx;
291
292 if (pvfs->acl_ops != NULL) {
293 status = pvfs->acl_ops->acl_load(pvfs, name, fd, req, &sd);
294 }
295 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
296 status = pvfs_default_acl(pvfs, req, name, fd, &sd);
297 }
298 if (!NT_STATUS_IS_OK(status)) {
299 return status;
300 }
301
302 ids = talloc(req, struct id_map);
303 NT_STATUS_HAVE_NO_MEMORY(ids);
304 ZERO_STRUCT(ids->xid);
305 ids->sid = NULL;
306 ids->status = ID_UNKNOWN;
307
308 new_sd = info->set_secdesc.in.sd;
309 orig_sd = *sd;
310
311 old_uid = name->st.st_uid;
312 old_gid = name->st.st_gid;
313
314 /* only set the elements that have been specified */
315 if (secinfo_flags & SECINFO_OWNER) {
316 if (!(access_mask & SEC_STD_WRITE_OWNER)) {
317 return NT_STATUS_ACCESS_DENIED;
318 }
319 if (!dom_sid_equal(sd->owner_sid, new_sd->owner_sid)) {
320 ids->sid = new_sd->owner_sid;
321 ctx = wbc_sids_to_xids_send(pvfs->wbc_ctx, ids, 1, ids);
322 NT_STATUS_HAVE_NO_MEMORY(ctx);
323 status = wbc_sids_to_xids_recv(ctx, &ids);
324 NT_STATUS_NOT_OK_RETURN(status);
325
326 if (ids->xid.type == ID_TYPE_BOTH ||
327 ids->xid.type == ID_TYPE_UID) {
328 new_uid = ids->xid.id;
329 }
330 }
331 sd->owner_sid = new_sd->owner_sid;
332 }
333 if (secinfo_flags & SECINFO_GROUP) {
334 if (!(access_mask & SEC_STD_WRITE_OWNER)) {
335 return NT_STATUS_ACCESS_DENIED;
336 }
337 if (!dom_sid_equal(sd->group_sid, new_sd->group_sid)) {
338 ids->sid = new_sd->group_sid;
339 ctx = wbc_sids_to_xids_send(pvfs->wbc_ctx, ids, 1, ids);
340 NT_STATUS_HAVE_NO_MEMORY(ctx);
341 status = wbc_sids_to_xids_recv(ctx, &ids);
342 NT_STATUS_NOT_OK_RETURN(status);
343
344 if (ids->xid.type == ID_TYPE_BOTH ||
345 ids->xid.type == ID_TYPE_GID) {
346 new_gid = ids->xid.id;
347 }
348
349 }
350 sd->group_sid = new_sd->group_sid;
351 }
352 if (secinfo_flags & SECINFO_DACL) {
353 if (!(access_mask & SEC_STD_WRITE_DAC)) {
354 return NT_STATUS_ACCESS_DENIED;
355 }
356 sd->dacl = new_sd->dacl;
357 pvfs_translate_generic_bits(sd->dacl);
358 }
359 if (secinfo_flags & SECINFO_SACL) {
360 if (!(access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
361 return NT_STATUS_ACCESS_DENIED;
362 }
363 sd->sacl = new_sd->sacl;
364 pvfs_translate_generic_bits(sd->sacl);
365 }
366
367 if (new_uid == old_uid) {
368 new_uid = -1;
369 }
370
371 if (new_gid == old_gid) {
372 new_gid = -1;
373 }
374
375 /* if there's something to change try it */
376 if (new_uid != -1 || new_gid != -1) {
377 int ret;
378 if (fd == -1) {
379 ret = chown(name->full_name, new_uid, new_gid);
380 } else {
381 ret = fchown(fd, new_uid, new_gid);
382 }
383 if (errno == EPERM) {
384 if (uwrap_enabled()) {
385 ret = 0;
386 } else {
387 /* try again as root if we have SEC_PRIV_RESTORE or
388 SEC_PRIV_TAKE_OWNERSHIP */
389 if (security_token_has_privilege(req->session_info->security_token,
390 SEC_PRIV_RESTORE) ||
391 security_token_has_privilege(req->session_info->security_token,
392 SEC_PRIV_TAKE_OWNERSHIP)) {
393 void *privs;
394 privs = root_privileges();
395 if (fd == -1) {
396 ret = chown(name->full_name, new_uid, new_gid);
397 } else {
398 ret = fchown(fd, new_uid, new_gid);
399 }
400 talloc_free(privs);
401 }
402 }
403 }
404 if (ret == -1) {
405 return pvfs_map_errno(pvfs, errno);
406 }
407 }
408
409 /* we avoid saving if the sd is the same. This means when clients
410 copy files and end up copying the default sd that we don't
411 needlessly use xattrs */
412 if (!security_descriptor_equal(sd, &orig_sd) && pvfs->acl_ops) {
413 status = pvfs->acl_ops->acl_save(pvfs, name, fd, sd);
414 }
415
416 return status;
417 }
418
419
420 /*
421 answer a fileinfo query for the ACL
422 */
423 NTSTATUS pvfs_acl_query(struct pvfs_state *pvfs,
424 struct ntvfs_request *req,
425 struct pvfs_filename *name, int fd,
426 union smb_fileinfo *info)
427 {
428 NTSTATUS status = NT_STATUS_NOT_FOUND;
429 struct security_descriptor *sd;
430
431 if (pvfs->acl_ops) {
432 status = pvfs->acl_ops->acl_load(pvfs, name, fd, req, &sd);
433 }
434 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
435 status = pvfs_default_acl(pvfs, req, name, fd, &sd);
436 }
437 if (!NT_STATUS_IS_OK(status)) {
438 return status;
439 }
440
441 normalise_sd_flags(sd, info->query_secdesc.in.secinfo_flags);
442
443 info->query_secdesc.out.sd = sd;
444
445 return NT_STATUS_OK;
446 }
447
448
449 /*
450 check the read only bit against any of the write access bits
451 */
452 static bool pvfs_read_only(struct pvfs_state *pvfs, uint32_t access_mask)
453 {
454 if ((pvfs->flags & PVFS_FLAG_READONLY) &&
455 (access_mask & (SEC_FILE_WRITE_DATA |
456 SEC_FILE_APPEND_DATA |
457 SEC_FILE_WRITE_EA |
458 SEC_FILE_WRITE_ATTRIBUTE |
459 SEC_STD_DELETE |
460 SEC_STD_WRITE_DAC |
461 SEC_STD_WRITE_OWNER |
462 SEC_DIR_DELETE_CHILD))) {
463 return true;
464 }
465 return false;
466 }
467
468 /*
469 see if we are a member of the appropriate unix group
470 */
471 static bool pvfs_group_member(struct pvfs_state *pvfs, gid_t gid)
472 {
473 int i, ngroups;
474 gid_t *groups;
475 if (getegid() == gid) {
476 return true;
477 }
478 ngroups = getgroups(0, NULL);
479 if (ngroups == 0) {
480 return false;
481 }
482 groups = talloc_array(pvfs, gid_t, ngroups);
483 if (groups == NULL) {
484 return false;
485 }
486 if (getgroups(ngroups, groups) != ngroups) {
487 talloc_free(groups);
488 return false;
489 }
490 for (i=0; i<ngroups; i++) {
491 if (groups[i] == gid) break;
492 }
493 talloc_free(groups);
494 return i < ngroups;
495 }
496
497 /*
498 default access check function based on unix permissions
499 doing this saves on building a full security descriptor
500 for the common case of access check on files with no
501 specific NT ACL
502
503 If name is NULL then treat as a new file creation
504 */
505 static NTSTATUS pvfs_access_check_unix(struct pvfs_state *pvfs,
506 struct ntvfs_request *req,
507 struct pvfs_filename *name,
508 uint32_t *access_mask)
509 {
510 uid_t uid = geteuid();
511 uint32_t max_bits = 0;
512 struct security_token *token = req->session_info->security_token;
513
514 if (pvfs_read_only(pvfs, *access_mask)) {
515 return NT_STATUS_ACCESS_DENIED;
516 }
517
518 if (name == NULL) {
519 max_bits |= SEC_RIGHTS_FILE_ALL | SEC_STD_ALL;
520 } else if (uid == name->st.st_uid || uwrap_enabled()) {
521 /* use the IxUSR bits */
522 if ((name->st.st_mode & S_IWUSR)) {
523 max_bits |= SEC_RIGHTS_FILE_ALL | SEC_STD_ALL;
524 } else if ((name->st.st_mode & (S_IRUSR | S_IXUSR))) {
525 max_bits |= SEC_RIGHTS_FILE_READ | SEC_RIGHTS_FILE_EXECUTE | SEC_STD_ALL;
526 }
527 } else if (pvfs_group_member(pvfs, name->st.st_gid)) {
528 /* use the IxGRP bits */
529 if ((name->st.st_mode & S_IWGRP)) {
530 max_bits |= SEC_RIGHTS_FILE_ALL | SEC_STD_ALL;
531 } else if ((name->st.st_mode & (S_IRGRP | S_IXGRP))) {
532 max_bits |= SEC_RIGHTS_FILE_READ | SEC_RIGHTS_FILE_EXECUTE | SEC_STD_ALL;
533 }
534 } else {
535 /* use the IxOTH bits */
536 if ((name->st.st_mode & S_IWOTH)) {
537 max_bits |= SEC_RIGHTS_FILE_ALL | SEC_STD_ALL;
538 } else if ((name->st.st_mode & (S_IROTH | S_IXOTH))) {
539 max_bits |= SEC_RIGHTS_FILE_READ | SEC_RIGHTS_FILE_EXECUTE | SEC_STD_ALL;
540 }
541 }
542
543 if (*access_mask & SEC_FLAG_MAXIMUM_ALLOWED) {
544 *access_mask |= max_bits;
545 *access_mask &= ~SEC_FLAG_MAXIMUM_ALLOWED;
546 }
547
548 if ((*access_mask & SEC_FLAG_SYSTEM_SECURITY) &&
549 security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
550 max_bits |= SEC_FLAG_SYSTEM_SECURITY;
551 }
552
553 if (((*access_mask & ~max_bits) & SEC_RIGHTS_PRIV_RESTORE) &&
554 security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
555 max_bits |= ~(SEC_RIGHTS_PRIV_RESTORE);
556 }
557 if (((*access_mask & ~max_bits) & SEC_RIGHTS_PRIV_BACKUP) &&
558 security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
559 max_bits |= ~(SEC_RIGHTS_PRIV_BACKUP);
560 }
561
562 if (*access_mask & ~max_bits) {
563 DEBUG(5,(__location__ " denied access to '%s' - wanted 0x%08x but got 0x%08x (missing 0x%08x)\n",
564 name?name->full_name:"(new file)", *access_mask, max_bits, *access_mask & ~max_bits));
565 return NT_STATUS_ACCESS_DENIED;
566 }
567
568 if (pvfs->ntvfs->ctx->protocol < PROTOCOL_SMB2_02) {
569 /* on SMB, this bit is always granted, even if not
570 asked for */
571 *access_mask |= SEC_FILE_READ_ATTRIBUTE;
572 }
573
574 return NT_STATUS_OK;
575 }
576
577
578 /*
579 check the security descriptor on a file, if any
580
581 *access_mask is modified with the access actually granted
582 */
583 NTSTATUS pvfs_access_check(struct pvfs_state *pvfs,
584 struct ntvfs_request *req,
585 struct pvfs_filename *name,
586 uint32_t *access_mask)
587 {
588 struct security_token *token = req->session_info->security_token;
589 struct xattr_NTACL *acl;
590 NTSTATUS status;
591 struct security_descriptor *sd;
592 bool allow_delete = false;
593
594 /* on SMB2 a blank access mask is always denied */
595 if (pvfs->ntvfs->ctx->protocol >= PROTOCOL_SMB2_02 &&
596 *access_mask == 0) {
597 return NT_STATUS_ACCESS_DENIED;
598 }
599
600 if (pvfs_read_only(pvfs, *access_mask)) {
601 return NT_STATUS_ACCESS_DENIED;
602 }
603
604 if (*access_mask & SEC_FLAG_MAXIMUM_ALLOWED ||
605 *access_mask & SEC_STD_DELETE) {
606 status = pvfs_access_check_parent(pvfs, req,
607 name, SEC_DIR_DELETE_CHILD);
608 if (NT_STATUS_IS_OK(status)) {
609 allow_delete = true;
610 *access_mask &= ~SEC_STD_DELETE;
611 }
612 }
613
614 acl = talloc(req, struct xattr_NTACL);
615 if (acl == NULL) {
616 return NT_STATUS_NO_MEMORY;
617 }
618
619 /* expand the generic access bits to file specific bits */
620 *access_mask = pvfs_translate_mask(*access_mask);
621 if (pvfs->ntvfs->ctx->protocol < PROTOCOL_SMB2_02) {
622 *access_mask &= ~SEC_FILE_READ_ATTRIBUTE;
623 }
624
625 status = pvfs_acl_load(pvfs, name, -1, acl);
626 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
627 talloc_free(acl);
628 status = pvfs_access_check_unix(pvfs, req, name, access_mask);
629 goto done;
630 }
631 if (!NT_STATUS_IS_OK(status)) {
632 return status;
633 }
634
635 switch (acl->version) {
636 case 1:
637 sd = acl->info.sd;
638 break;
639 default:
640 return NT_STATUS_INVALID_ACL;
641 }
642
643 /* check the acl against the required access mask */
644 status = se_access_check(sd, token, *access_mask, access_mask);
645 talloc_free(acl);
646
647 /* if we used a NT acl, then allow access override if the
648 share allows for posix permission override
649 */
650 if (NT_STATUS_IS_OK(status)) {
651 name->allow_override = (pvfs->flags & PVFS_FLAG_PERM_OVERRIDE) != 0;
652 }
653
654 done:
655 if (pvfs->ntvfs->ctx->protocol < PROTOCOL_SMB2_02) {
656 /* on SMB, this bit is always granted, even if not
657 asked for */
658 *access_mask |= SEC_FILE_READ_ATTRIBUTE;
659 }
660
661 if (allow_delete) {
662 *access_mask |= SEC_STD_DELETE;
663 }
664
665 return status;
666 }
667
668
669 /*
670 a simplified interface to access check, designed for calls that
671 do not take or return an access check mask
672 */
673 NTSTATUS pvfs_access_check_simple(struct pvfs_state *pvfs,
674 struct ntvfs_request *req,
675 struct pvfs_filename *name,
676 uint32_t access_needed)
677 {
678 if (access_needed == 0) {
679 return NT_STATUS_OK;
680 }
681 return pvfs_access_check(pvfs, req, name, &access_needed);
682 }
683
684 /*
685 access check for creating a new file/directory
686 */
687 NTSTATUS pvfs_access_check_create(struct pvfs_state *pvfs,
688 struct ntvfs_request *req,
689 struct pvfs_filename *name,
690 uint32_t *access_mask,
691 bool container,
692 struct security_descriptor **sd)
693 {
694 struct pvfs_filename *parent;
695 NTSTATUS status;
696 uint32_t parent_mask;
697 bool allow_delete = false;
698
699 if (pvfs_read_only(pvfs, *access_mask)) {
700 return NT_STATUS_ACCESS_DENIED;
701 }
702
703 status = pvfs_resolve_parent(pvfs, req, name, &parent);
704 NT_STATUS_NOT_OK_RETURN(status);
705
706 if (container) {
707 parent_mask = SEC_DIR_ADD_SUBDIR;
708 } else {
709 parent_mask = SEC_DIR_ADD_FILE;
710 }
711 if (*access_mask & SEC_FLAG_MAXIMUM_ALLOWED ||
712 *access_mask & SEC_STD_DELETE) {
713 parent_mask |= SEC_DIR_DELETE_CHILD;
714 }
715
716 status = pvfs_access_check(pvfs, req, parent, &parent_mask);
717 if (NT_STATUS_IS_OK(status)) {
718 if (parent_mask & SEC_DIR_DELETE_CHILD) {
719 allow_delete = true;
720 }
721 } else if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
722 /*
723 * on ACCESS_DENIED we get the rejected bits
724 * remove the non critical SEC_DIR_DELETE_CHILD
725 * and check if something else was rejected.
726 */
727 parent_mask &= ~SEC_DIR_DELETE_CHILD;
728 if (parent_mask != 0) {
729 return NT_STATUS_ACCESS_DENIED;
730 }
731 status = NT_STATUS_OK;
732 } else {
733 return status;
734 }
735
736 if (*sd == NULL) {
737 status = pvfs_acl_inherited_sd(pvfs, req, req, parent, container, sd);
738 }
739
740 talloc_free(parent);
741 if (!NT_STATUS_IS_OK(status)) {
742 return status;
743 }
744
745 /* expand the generic access bits to file specific bits */
746 *access_mask = pvfs_translate_mask(*access_mask);
747
748 if (*access_mask & SEC_FLAG_MAXIMUM_ALLOWED) {
749 *access_mask |= SEC_RIGHTS_FILE_ALL;
750 *access_mask &= ~SEC_FLAG_MAXIMUM_ALLOWED;
751 }
752
753 if (pvfs->ntvfs->ctx->protocol < PROTOCOL_SMB2_02) {
754 /* on SMB, this bit is always granted, even if not
755 asked for */
756 *access_mask |= SEC_FILE_READ_ATTRIBUTE;
757 }
758
759 if (allow_delete) {
760 *access_mask |= SEC_STD_DELETE;
761 }
762
763 return NT_STATUS_OK;
764 }
765
766 /*
767 access check for creating a new file/directory - no access mask supplied
768 */
769 NTSTATUS pvfs_access_check_parent(struct pvfs_state *pvfs,
770 struct ntvfs_request *req,
771 struct pvfs_filename *name,
772 uint32_t access_mask)
773 {
774 struct pvfs_filename *parent;
775 NTSTATUS status;
776
777 status = pvfs_resolve_parent(pvfs, req, name, &parent);
778 if (!NT_STATUS_IS_OK(status)) {
779 return status;
780 }
781
782 status = pvfs_access_check_simple(pvfs, req, parent, access_mask);
783 if (NT_STATUS_IS_OK(status) && parent->allow_override) {
784 name->allow_override = true;
785 }
786 return status;
787 }
788
789
790 /*
791 determine if an ACE is inheritable
792 */
793 static bool pvfs_inheritable_ace(struct pvfs_state *pvfs,
794 const struct security_ace *ace,
795 bool container)
796 {
797 if (!container) {
798 return (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT) != 0;
799 }
800
801 if (ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) {
802 return true;
803 }
804
805 if ((ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT) &&
806 !(ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT)) {
807 return true;
808 }
809
810 return false;
811 }
812
813 /*
814 this is the core of ACL inheritance. It copies any inheritable
815 aces from the parent SD to the child SD. Note that the algorithm
816 depends on whether the child is a container or not
817 */
818 static NTSTATUS pvfs_acl_inherit_aces(struct pvfs_state *pvfs,
819 struct security_descriptor *parent_sd,
820 struct security_descriptor *sd,
821 bool container)
822 {
823 int i;
824
825 for (i=0;i<parent_sd->dacl->num_aces;i++) {
826 struct security_ace ace = parent_sd->dacl->aces[i];
827 NTSTATUS status;
828 const struct dom_sid *creator = NULL, *new_id = NULL;
829 uint32_t orig_flags;
830
831 if (!pvfs_inheritable_ace(pvfs, &ace, container)) {
832 continue;
833 }
834
835 orig_flags = ace.flags;
836
837 /* see the RAW-ACLS inheritance test for details on these rules */
838 if (!container) {
839 ace.flags = 0;
840 } else {
841 ace.flags &= ~SEC_ACE_FLAG_INHERIT_ONLY;
842
843 if (!(ace.flags & SEC_ACE_FLAG_CONTAINER_INHERIT)) {
844 ace.flags |= SEC_ACE_FLAG_INHERIT_ONLY;
845 }
846 if (ace.flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
847 ace.flags = 0;
848 }
849 }
850
851 /* the CREATOR sids are special when inherited */
852 if (dom_sid_equal(&ace.trustee, pvfs->sid_cache.creator_owner)) {
853 creator = pvfs->sid_cache.creator_owner;
854 new_id = sd->owner_sid;
855 } else if (dom_sid_equal(&ace.trustee, pvfs->sid_cache.creator_group)) {
856 creator = pvfs->sid_cache.creator_group;
857 new_id = sd->group_sid;
858 } else {
859 new_id = &ace.trustee;
860 }
861
862 if (creator && container &&
863 (ace.flags & SEC_ACE_FLAG_CONTAINER_INHERIT)) {
864 uint32_t flags = ace.flags;
865
866 ace.trustee = *new_id;
867 ace.flags = 0;
868 status = security_descriptor_dacl_add(sd, &ace);
869 if (!NT_STATUS_IS_OK(status)) {
870 return status;
871 }
872
873 ace.trustee = *creator;
874 ace.flags = flags | SEC_ACE_FLAG_INHERIT_ONLY;
875 status = security_descriptor_dacl_add(sd, &ace);
876 } else if (container &&
877 !(orig_flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT)) {
878 status = security_descriptor_dacl_add(sd, &ace);
879 } else {
880 ace.trustee = *new_id;
881 status = security_descriptor_dacl_add(sd, &ace);
882 }
883
884 if (!NT_STATUS_IS_OK(status)) {
885 return status;
886 }
887 }
888
889 return NT_STATUS_OK;
890 }
891
892
893
894 /*
895 calculate the ACL on a new file/directory based on the inherited ACL
896 from the parent. If there is no inherited ACL then return a NULL
897 ACL, which means the default ACL should be used
898 */
899 NTSTATUS pvfs_acl_inherited_sd(struct pvfs_state *pvfs,
900 TALLOC_CTX *mem_ctx,
901 struct ntvfs_request *req,
902 struct pvfs_filename *parent,
903 bool container,
904 struct security_descriptor **ret_sd)
905 {
906 struct xattr_NTACL *acl;
907 NTSTATUS status;
908 struct security_descriptor *parent_sd, *sd;
909 struct id_map *ids;
910 struct composite_context *ctx;
911 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
912
913 *ret_sd = NULL;
914
915 acl = talloc(req, struct xattr_NTACL);
916 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(acl, tmp_ctx);
917
918 status = pvfs_acl_load(pvfs, parent, -1, acl);
919 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
920 talloc_free(tmp_ctx);
921 return NT_STATUS_OK;
922 }
923 NT_STATUS_NOT_OK_RETURN_AND_FREE(status, tmp_ctx);
924
925 switch (acl->version) {
926 case 1:
927 parent_sd = acl->info.sd;
928 break;
929 default:
930 talloc_free(tmp_ctx);
931 return NT_STATUS_INVALID_ACL;
932 }
933
934 if (parent_sd == NULL ||
935 parent_sd->dacl == NULL ||
936 parent_sd->dacl->num_aces == 0) {
937 /* go with the default ACL */
938 talloc_free(tmp_ctx);
939 return NT_STATUS_OK;
940 }
941
942 /* create the new sd */
943 sd = security_descriptor_initialise(req);
944 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sd, tmp_ctx);
945
946 ids = talloc_array(sd, struct id_map, 2);
947 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(ids, tmp_ctx);
948
949 ids[0].xid.id = geteuid();
950 ids[0].xid.type = ID_TYPE_UID;
951 ids[0].sid = NULL;
952 ids[0].status = ID_UNKNOWN;
953
954 ids[1].xid.id = getegid();
955 ids[1].xid.type = ID_TYPE_GID;
956 ids[1].sid = NULL;
957 ids[1].status = ID_UNKNOWN;
958
959 ctx = wbc_xids_to_sids_send(pvfs->wbc_ctx, ids, 2, ids);
960 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(ctx, tmp_ctx);
961
962 status = wbc_xids_to_sids_recv(ctx, &ids);
963 NT_STATUS_NOT_OK_RETURN_AND_FREE(status, tmp_ctx);
964
965 sd->owner_sid = talloc_steal(sd, ids[0].sid);
966 sd->group_sid = talloc_steal(sd, ids[1].sid);
967
968 sd->type |= SEC_DESC_DACL_PRESENT;
969
970 /* fill in the aces from the parent */
971 status = pvfs_acl_inherit_aces(pvfs, parent_sd, sd, container);
972 NT_STATUS_NOT_OK_RETURN_AND_FREE(status, tmp_ctx);
973
974 /* if there is nothing to inherit then we fallback to the
975 default acl */
976 if (sd->dacl == NULL || sd->dacl->num_aces == 0) {
977 talloc_free(tmp_ctx);
978 return NT_STATUS_OK;
979 }
980
981 *ret_sd = talloc_steal(mem_ctx, sd);
982
983 talloc_free(tmp_ctx);
984 return NT_STATUS_OK;
985 }
986
987
988 /*
989 setup an ACL on a new file/directory based on the inherited ACL from
990 the parent. If there is no inherited ACL then we don't set anything,
991 as the default ACL applies anyway
992 */
993 NTSTATUS pvfs_acl_inherit(struct pvfs_state *pvfs,
994 struct ntvfs_request *req,
995 struct pvfs_filename *name,
996 int fd)
997 {
998 struct xattr_NTACL acl;
999 NTSTATUS status;
1000 struct security_descriptor *sd;
1001 struct pvfs_filename *parent;
1002 bool container;
1003
1004 /* form the parents path */
1005 status = pvfs_resolve_parent(pvfs, req, name, &parent);
1006 NT_STATUS_NOT_OK_RETURN(status);
1007
1008 container = (name->dos.attrib & FILE_ATTRIBUTE_DIRECTORY) ? true:false;
1009
1010 status = pvfs_acl_inherited_sd(pvfs, req, req, parent, container, &sd);
1011 if (!NT_STATUS_IS_OK(status)) {
1012 talloc_free(parent);
1013 return status;
1014 }
1015
1016 if (sd == NULL) {
1017 return NT_STATUS_OK;
1018 }
1019
1020 acl.version = 1;
1021 acl.info.sd = sd;
1022
1023 status = pvfs_acl_save(pvfs, name, fd, &acl);
1024 talloc_free(sd);
1025 talloc_free(parent);
1026
1027 return status;
1028 }
1029
1030 /*
1031 return the maximum allowed access mask
1032 */
1033 NTSTATUS pvfs_access_maximal_allowed(struct pvfs_state *pvfs,
1034 struct ntvfs_request *req,
1035 struct pvfs_filename *name,
1036 uint32_t *maximal_access)
1037 {
1038 *maximal_access = SEC_FLAG_MAXIMUM_ALLOWED;
1039 return pvfs_access_check(pvfs, req, name, maximal_access);
1040 }
reg import