search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
We need to split things up into a new helper function add_current_ace_to_acl() in...
[Samba/gebeck_regimport.git] / source3 / smbd / posix_acls.c
bloba833fbf1b758035aba68bd5f63efb5e8849edc99
1 /*
2 Unix SMB/CIFS implementation.
3 SMB NT Security Descriptor / Unix permission conversion.
4 Copyright (C) Jeremy Allison 1994-2009.
5 Copyright (C) Andreas Gruenbacher 2002.
6 Copyright (C) Simo Sorce <idra@samba.org> 2009.
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "smbd/smbd.h"
24 #include "system/filesys.h"
25 #include "../libcli/security/security.h"
26 #include "trans2.h"
27 #include "passdb/lookup_sid.h"
28 #include "auth.h"
29 #include "../librpc/gen_ndr/idmap.h"
30
31 extern const struct generic_mapping file_generic_mapping;
32
33 #undef DBGC_CLASS
34 #define DBGC_CLASS DBGC_ACLS
35
36 /****************************************************************************
37 Data structures representing the internal ACE format.
38 ****************************************************************************/
39
40 enum ace_owner {UID_ACE, GID_ACE, WORLD_ACE};
41 enum ace_attribute {ALLOW_ACE, DENY_ACE}; /* Used for incoming NT ACLS. */
42
43 typedef union posix_id {
44 uid_t uid;
45 gid_t gid;
46 int world;
47 } posix_id;
48
49 typedef struct canon_ace {
50 struct canon_ace *next, *prev;
51 SMB_ACL_TAG_T type;
52 mode_t perms; /* Only use S_I(R|W|X)USR mode bits here. */
53 struct dom_sid trustee;
54 enum ace_owner owner_type;
55 enum ace_attribute attr;
56 posix_id unix_ug;
57 uint8_t ace_flags; /* From windows ACE entry. */
58 } canon_ace;
59
60 #define ALL_ACE_PERMS (S_IRUSR|S_IWUSR|S_IXUSR)
61
62 /*
63 * EA format of user.SAMBA_PAI (Samba_Posix_Acl_Interitance)
64 * attribute on disk - version 1.
65 * All values are little endian.
66 *
67 * | 1 | 1 | 2 | 2 | ....
68 * +------+------+-------------+---------------------+-------------+--------------------+
69 * | vers | flag | num_entries | num_default_entries | ..entries.. | default_entries... |
70 * +------+------+-------------+---------------------+-------------+--------------------+
71 *
72 * Entry format is :
73 *
74 * | 1 | 4 |
75 * +------+-------------------+
76 * | value| uid/gid or world |
77 * | type | value |
78 * +------+-------------------+
79 *
80 * Version 2 format. Stores extra Windows metadata about an ACL.
81 *
82 * | 1 | 2 | 2 | 2 | ....
83 * +------+----------+-------------+---------------------+-------------+--------------------+
84 * | vers | ace | num_entries | num_default_entries | ..entries.. | default_entries... |
85 * | 2 | type | | | | |
86 * +------+----------+-------------+---------------------+-------------+--------------------+
87 *
88 * Entry format is :
89 *
90 * | 1 | 1 | 4 |
91 * +------+------+-------------------+
92 * | ace | value| uid/gid or world |
93 * | flag | type | value |
94 * +------+-------------------+------+
95 *
96 */
97
98 #define PAI_VERSION_OFFSET 0
99
100 #define PAI_V1_FLAG_OFFSET 1
101 #define PAI_V1_NUM_ENTRIES_OFFSET 2
102 #define PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET 4
103 #define PAI_V1_ENTRIES_BASE 6
104 #define PAI_V1_ACL_FLAG_PROTECTED 0x1
105 #define PAI_V1_ENTRY_LENGTH 5
106
107 #define PAI_V1_VERSION 1
108
109 #define PAI_V2_TYPE_OFFSET 1
110 #define PAI_V2_NUM_ENTRIES_OFFSET 3
111 #define PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET 5
112 #define PAI_V2_ENTRIES_BASE 7
113 #define PAI_V2_ENTRY_LENGTH 6
114
115 #define PAI_V2_VERSION 2
116
117 /*
118 * In memory format of user.SAMBA_PAI attribute.
119 */
120
121 struct pai_entry {
122 struct pai_entry *next, *prev;
123 uint8_t ace_flags;
124 enum ace_owner owner_type;
125 posix_id unix_ug;
126 };
127
128 struct pai_val {
129 uint16_t sd_type;
130 unsigned int num_entries;
131 struct pai_entry *entry_list;
132 unsigned int num_def_entries;
133 struct pai_entry *def_entry_list;
134 };
135
136 /************************************************************************
137 Return a uint32 of the pai_entry principal.
138 ************************************************************************/
139
140 static uint32_t get_pai_entry_val(struct pai_entry *paie)
141 {
142 switch (paie->owner_type) {
143 case UID_ACE:
144 DEBUG(10,("get_pai_entry_val: uid = %u\n", (unsigned int)paie->unix_ug.uid ));
145 return (uint32_t)paie->unix_ug.uid;
146 case GID_ACE:
147 DEBUG(10,("get_pai_entry_val: gid = %u\n", (unsigned int)paie->unix_ug.gid ));
148 return (uint32_t)paie->unix_ug.gid;
149 case WORLD_ACE:
150 default:
151 DEBUG(10,("get_pai_entry_val: world ace\n"));
152 return (uint32_t)-1;
153 }
154 }
155
156 /************************************************************************
157 Return a uint32 of the entry principal.
158 ************************************************************************/
159
160 static uint32_t get_entry_val(canon_ace *ace_entry)
161 {
162 switch (ace_entry->owner_type) {
163 case UID_ACE:
164 DEBUG(10,("get_entry_val: uid = %u\n", (unsigned int)ace_entry->unix_ug.uid ));
165 return (uint32_t)ace_entry->unix_ug.uid;
166 case GID_ACE:
167 DEBUG(10,("get_entry_val: gid = %u\n", (unsigned int)ace_entry->unix_ug.gid ));
168 return (uint32_t)ace_entry->unix_ug.gid;
169 case WORLD_ACE:
170 default:
171 DEBUG(10,("get_entry_val: world ace\n"));
172 return (uint32_t)-1;
173 }
174 }
175
176 /************************************************************************
177 Create the on-disk format (always v2 now). Caller must free.
178 ************************************************************************/
179
180 static char *create_pai_buf_v2(canon_ace *file_ace_list,
181 canon_ace *dir_ace_list,
182 uint16_t sd_type,
183 size_t *store_size)
184 {
185 char *pai_buf = NULL;
186 canon_ace *ace_list = NULL;
187 char *entry_offset = NULL;
188 unsigned int num_entries = 0;
189 unsigned int num_def_entries = 0;
190 unsigned int i;
191
192 for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next) {
193 num_entries++;
194 }
195
196 for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next) {
197 num_def_entries++;
198 }
199
200 DEBUG(10,("create_pai_buf_v2: num_entries = %u, num_def_entries = %u\n", num_entries, num_def_entries ));
201
202 *store_size = PAI_V2_ENTRIES_BASE +
203 ((num_entries + num_def_entries)*PAI_V2_ENTRY_LENGTH);
204
205 pai_buf = talloc_array(talloc_tos(), char, *store_size);
206 if (!pai_buf) {
207 return NULL;
208 }
209
210 /* Set up the header. */
211 memset(pai_buf, '\0', PAI_V2_ENTRIES_BASE);
212 SCVAL(pai_buf,PAI_VERSION_OFFSET,PAI_V2_VERSION);
213 SSVAL(pai_buf,PAI_V2_TYPE_OFFSET, sd_type);
214 SSVAL(pai_buf,PAI_V2_NUM_ENTRIES_OFFSET,num_entries);
215 SSVAL(pai_buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET,num_def_entries);
216
217 DEBUG(10,("create_pai_buf_v2: sd_type = 0x%x\n",
218 (unsigned int)sd_type ));
219
220 entry_offset = pai_buf + PAI_V2_ENTRIES_BASE;
221
222 i = 0;
223 for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next) {
224 uint8_t type_val = (uint8_t)ace_list->owner_type;
225 uint32_t entry_val = get_entry_val(ace_list);
226
227 SCVAL(entry_offset,0,ace_list->ace_flags);
228 SCVAL(entry_offset,1,type_val);
229 SIVAL(entry_offset,2,entry_val);
230 DEBUG(10,("create_pai_buf_v2: entry %u [0x%x] [0x%x] [0x%x]\n",
231 i,
232 (unsigned int)ace_list->ace_flags,
233 (unsigned int)type_val,
234 (unsigned int)entry_val ));
235 i++;
236 entry_offset += PAI_V2_ENTRY_LENGTH;
237 }
238
239 for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next) {
240 uint8_t type_val = (uint8_t)ace_list->owner_type;
241 uint32_t entry_val = get_entry_val(ace_list);
242
243 SCVAL(entry_offset,0,ace_list->ace_flags);
244 SCVAL(entry_offset,1,type_val);
245 SIVAL(entry_offset,2,entry_val);
246 DEBUG(10,("create_pai_buf_v2: entry %u [0x%x] [0x%x] [0x%x]\n",
247 i,
248 (unsigned int)ace_list->ace_flags,
249 (unsigned int)type_val,
250 (unsigned int)entry_val ));
251 i++;
252 entry_offset += PAI_V2_ENTRY_LENGTH;
253 }
254
255 return pai_buf;
256 }
257
258 /************************************************************************
259 Store the user.SAMBA_PAI attribute on disk.
260 ************************************************************************/
261
262 static void store_inheritance_attributes(files_struct *fsp,
263 canon_ace *file_ace_list,
264 canon_ace *dir_ace_list,
265 uint16_t sd_type)
266 {
267 int ret;
268 size_t store_size;
269 char *pai_buf;
270
271 if (!lp_map_acl_inherit(SNUM(fsp->conn))) {
272 return;
273 }
274
275 pai_buf = create_pai_buf_v2(file_ace_list, dir_ace_list,
276 sd_type, &store_size);
277
278 if (fsp->fh->fd != -1) {
279 ret = SMB_VFS_FSETXATTR(fsp, SAMBA_POSIX_INHERITANCE_EA_NAME,
280 pai_buf, store_size, 0);
281 } else {
282 ret = SMB_VFS_SETXATTR(fsp->conn, fsp->fsp_name->base_name,
283 SAMBA_POSIX_INHERITANCE_EA_NAME,
284 pai_buf, store_size, 0);
285 }
286
287 TALLOC_FREE(pai_buf);
288
289 DEBUG(10,("store_inheritance_attribute: type 0x%x for file %s\n",
290 (unsigned int)sd_type,
291 fsp_str_dbg(fsp)));
292
293 if (ret == -1 && !no_acl_syscall_error(errno)) {
294 DEBUG(1,("store_inheritance_attribute: Error %s\n", strerror(errno) ));
295 }
296 }
297
298 /************************************************************************
299 Delete the in memory inheritance info.
300 ************************************************************************/
301
302 static void free_inherited_info(struct pai_val *pal)
303 {
304 if (pal) {
305 struct pai_entry *paie, *paie_next;
306 for (paie = pal->entry_list; paie; paie = paie_next) {
307 paie_next = paie->next;
308 TALLOC_FREE(paie);
309 }
310 for (paie = pal->def_entry_list; paie; paie = paie_next) {
311 paie_next = paie->next;
312 TALLOC_FREE(paie);
313 }
314 TALLOC_FREE(pal);
315 }
316 }
317
318 /************************************************************************
319 Get any stored ACE flags.
320 ************************************************************************/
321
322 static uint16_t get_pai_flags(struct pai_val *pal, canon_ace *ace_entry, bool default_ace)
323 {
324 struct pai_entry *paie;
325
326 if (!pal) {
327 return 0;
328 }
329
330 /* If the entry exists it is inherited. */
331 for (paie = (default_ace ? pal->def_entry_list : pal->entry_list); paie; paie = paie->next) {
332 if (ace_entry->owner_type == paie->owner_type &&
333 get_entry_val(ace_entry) == get_pai_entry_val(paie))
334 return paie->ace_flags;
335 }
336 return 0;
337 }
338
339 /************************************************************************
340 Ensure an attribute just read is valid - v1.
341 ************************************************************************/
342
343 static bool check_pai_ok_v1(const char *pai_buf, size_t pai_buf_data_size)
344 {
345 uint16 num_entries;
346 uint16 num_def_entries;
347
348 if (pai_buf_data_size < PAI_V1_ENTRIES_BASE) {
349 /* Corrupted - too small. */
350 return false;
351 }
352
353 if (CVAL(pai_buf,PAI_VERSION_OFFSET) != PAI_V1_VERSION) {
354 return false;
355 }
356
357 num_entries = SVAL(pai_buf,PAI_V1_NUM_ENTRIES_OFFSET);
358 num_def_entries = SVAL(pai_buf,PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET);
359
360 /* Check the entry lists match. */
361 /* Each entry is 5 bytes (type plus 4 bytes of uid or gid). */
362
363 if (((num_entries + num_def_entries)*PAI_V1_ENTRY_LENGTH) +
364 PAI_V1_ENTRIES_BASE != pai_buf_data_size) {
365 return false;
366 }
367
368 return true;
369 }
370
371 /************************************************************************
372 Ensure an attribute just read is valid - v2.
373 ************************************************************************/
374
375 static bool check_pai_ok_v2(const char *pai_buf, size_t pai_buf_data_size)
376 {
377 uint16 num_entries;
378 uint16 num_def_entries;
379
380 if (pai_buf_data_size < PAI_V2_ENTRIES_BASE) {
381 /* Corrupted - too small. */
382 return false;
383 }
384
385 if (CVAL(pai_buf,PAI_VERSION_OFFSET) != PAI_V2_VERSION) {
386 return false;
387 }
388
389 num_entries = SVAL(pai_buf,PAI_V2_NUM_ENTRIES_OFFSET);
390 num_def_entries = SVAL(pai_buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET);
391
392 /* Check the entry lists match. */
393 /* Each entry is 6 bytes (flags + type + 4 bytes of uid or gid). */
394
395 if (((num_entries + num_def_entries)*PAI_V2_ENTRY_LENGTH) +
396 PAI_V2_ENTRIES_BASE != pai_buf_data_size) {
397 return false;
398 }
399
400 return true;
401 }
402
403 /************************************************************************
404 Decode the owner.
405 ************************************************************************/
406
407 static bool get_pai_owner_type(struct pai_entry *paie, const char *entry_offset)
408 {
409 paie->owner_type = (enum ace_owner)CVAL(entry_offset,0);
410 switch( paie->owner_type) {
411 case UID_ACE:
412 paie->unix_ug.uid = (uid_t)IVAL(entry_offset,1);
413 DEBUG(10,("get_pai_owner_type: uid = %u\n",
414 (unsigned int)paie->unix_ug.uid ));
415 break;
416 case GID_ACE:
417 paie->unix_ug.gid = (gid_t)IVAL(entry_offset,1);
418 DEBUG(10,("get_pai_owner_type: gid = %u\n",
419 (unsigned int)paie->unix_ug.gid ));
420 break;
421 case WORLD_ACE:
422 paie->unix_ug.world = -1;
423 DEBUG(10,("get_pai_owner_type: world ace\n"));
424 break;
425 default:
426 DEBUG(10,("get_pai_owner_type: unknown type %u\n",
427 (unsigned int)paie->owner_type ));
428 return false;
429 }
430 return true;
431 }
432
433 /************************************************************************
434 Process v2 entries.
435 ************************************************************************/
436
437 static const char *create_pai_v1_entries(struct pai_val *paiv,
438 const char *entry_offset,
439 bool def_entry)
440 {
441 int i;
442
443 for (i = 0; i < paiv->num_entries; i++) {
444 struct pai_entry *paie = talloc(talloc_tos(), struct pai_entry);
445 if (!paie) {
446 return NULL;
447 }
448
449 paie->ace_flags = SEC_ACE_FLAG_INHERITED_ACE;
450 if (!get_pai_owner_type(paie, entry_offset)) {
451 TALLOC_FREE(paie);
452 return NULL;
453 }
454
455 if (!def_entry) {
456 DLIST_ADD(paiv->entry_list, paie);
457 } else {
458 DLIST_ADD(paiv->def_entry_list, paie);
459 }
460 entry_offset += PAI_V1_ENTRY_LENGTH;
461 }
462 return entry_offset;
463 }
464
465 /************************************************************************
466 Convert to in-memory format from version 1.
467 ************************************************************************/
468
469 static struct pai_val *create_pai_val_v1(const char *buf, size_t size)
470 {
471 const char *entry_offset;
472 struct pai_val *paiv = NULL;
473
474 if (!check_pai_ok_v1(buf, size)) {
475 return NULL;
476 }
477
478 paiv = talloc(talloc_tos(), struct pai_val);
479 if (!paiv) {
480 return NULL;
481 }
482
483 memset(paiv, '\0', sizeof(struct pai_val));
484
485 paiv->sd_type = (CVAL(buf,PAI_V1_FLAG_OFFSET) == PAI_V1_ACL_FLAG_PROTECTED) ?
486 SEC_DESC_DACL_PROTECTED : 0;
487
488 paiv->num_entries = SVAL(buf,PAI_V1_NUM_ENTRIES_OFFSET);
489 paiv->num_def_entries = SVAL(buf,PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET);
490
491 entry_offset = buf + PAI_V1_ENTRIES_BASE;
492
493 DEBUG(10,("create_pai_val: num_entries = %u, num_def_entries = %u\n",
494 paiv->num_entries, paiv->num_def_entries ));
495
496 entry_offset = create_pai_v1_entries(paiv, entry_offset, false);
497 if (entry_offset == NULL) {
498 free_inherited_info(paiv);
499 return NULL;
500 }
501 entry_offset = create_pai_v1_entries(paiv, entry_offset, true);
502 if (entry_offset == NULL) {
503 free_inherited_info(paiv);
504 return NULL;
505 }
506
507 return paiv;
508 }
509
510 /************************************************************************
511 Process v2 entries.
512 ************************************************************************/
513
514 static const char *create_pai_v2_entries(struct pai_val *paiv,
515 unsigned int num_entries,
516 const char *entry_offset,
517 bool def_entry)
518 {
519 unsigned int i;
520
521 for (i = 0; i < num_entries; i++) {
522 struct pai_entry *paie = talloc(talloc_tos(), struct pai_entry);
523 if (!paie) {
524 return NULL;
525 }
526
527 paie->ace_flags = CVAL(entry_offset,0);
528
529 if (!get_pai_owner_type(paie, entry_offset+1)) {
530 TALLOC_FREE(paie);
531 return NULL;
532 }
533 if (!def_entry) {
534 DLIST_ADD(paiv->entry_list, paie);
535 } else {
536 DLIST_ADD(paiv->def_entry_list, paie);
537 }
538 entry_offset += PAI_V2_ENTRY_LENGTH;
539 }
540 return entry_offset;
541 }
542
543 /************************************************************************
544 Convert to in-memory format from version 2.
545 ************************************************************************/
546
547 static struct pai_val *create_pai_val_v2(const char *buf, size_t size)
548 {
549 const char *entry_offset;
550 struct pai_val *paiv = NULL;
551
552 if (!check_pai_ok_v2(buf, size)) {
553 return NULL;
554 }
555
556 paiv = talloc(talloc_tos(), struct pai_val);
557 if (!paiv) {
558 return NULL;
559 }
560
561 memset(paiv, '\0', sizeof(struct pai_val));
562
563 paiv->sd_type = SVAL(buf,PAI_V2_TYPE_OFFSET);
564
565 paiv->num_entries = SVAL(buf,PAI_V2_NUM_ENTRIES_OFFSET);
566 paiv->num_def_entries = SVAL(buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET);
567
568 entry_offset = buf + PAI_V2_ENTRIES_BASE;
569
570 DEBUG(10,("create_pai_val_v2: sd_type = 0x%x num_entries = %u, num_def_entries = %u\n",
571 (unsigned int)paiv->sd_type,
572 paiv->num_entries, paiv->num_def_entries ));
573
574 entry_offset = create_pai_v2_entries(paiv, paiv->num_entries,
575 entry_offset, false);
576 if (entry_offset == NULL) {
577 free_inherited_info(paiv);
578 return NULL;
579 }
580 entry_offset = create_pai_v2_entries(paiv, paiv->num_def_entries,
581 entry_offset, true);
582 if (entry_offset == NULL) {
583 free_inherited_info(paiv);
584 return NULL;
585 }
586
587 return paiv;
588 }
589
590 /************************************************************************
591 Convert to in-memory format - from either version 1 or 2.
592 ************************************************************************/
593
594 static struct pai_val *create_pai_val(const char *buf, size_t size)
595 {
596 if (size < 1) {
597 return NULL;
598 }
599 if (CVAL(buf,PAI_VERSION_OFFSET) == PAI_V1_VERSION) {
600 return create_pai_val_v1(buf, size);
601 } else if (CVAL(buf,PAI_VERSION_OFFSET) == PAI_V2_VERSION) {
602 return create_pai_val_v2(buf, size);
603 } else {
604 return NULL;
605 }
606 }
607
608 /************************************************************************
609 Load the user.SAMBA_PAI attribute.
610 ************************************************************************/
611
612 static struct pai_val *fload_inherited_info(files_struct *fsp)
613 {
614 char *pai_buf;
615 size_t pai_buf_size = 1024;
616 struct pai_val *paiv = NULL;
617 ssize_t ret;
618
619 if (!lp_map_acl_inherit(SNUM(fsp->conn))) {
620 return NULL;
621 }
622
623 if ((pai_buf = talloc_array(talloc_tos(), char, pai_buf_size)) == NULL) {
624 return NULL;
625 }
626
627 do {
628 if (fsp->fh->fd != -1) {
629 ret = SMB_VFS_FGETXATTR(fsp, SAMBA_POSIX_INHERITANCE_EA_NAME,
630 pai_buf, pai_buf_size);
631 } else {
632 ret = SMB_VFS_GETXATTR(fsp->conn,
633 fsp->fsp_name->base_name,
634 SAMBA_POSIX_INHERITANCE_EA_NAME,
635 pai_buf, pai_buf_size);
636 }
637
638 if (ret == -1) {
639 if (errno != ERANGE) {
640 break;
641 }
642 /* Buffer too small - enlarge it. */
643 pai_buf_size *= 2;
644 TALLOC_FREE(pai_buf);
645 if (pai_buf_size > 1024*1024) {
646 return NULL; /* Limit malloc to 1mb. */
647 }
648 if ((pai_buf = talloc_array(talloc_tos(), char, pai_buf_size)) == NULL)
649 return NULL;
650 }
651 } while (ret == -1);
652
653 DEBUG(10,("load_inherited_info: ret = %lu for file %s\n",
654 (unsigned long)ret, fsp_str_dbg(fsp)));
655
656 if (ret == -1) {
657 /* No attribute or not supported. */
658 #if defined(ENOATTR)
659 if (errno != ENOATTR)
660 DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
661 #else
662 if (errno != ENOSYS)
663 DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
664 #endif
665 TALLOC_FREE(pai_buf);
666 return NULL;
667 }
668
669 paiv = create_pai_val(pai_buf, ret);
670
671 if (paiv) {
672 DEBUG(10,("load_inherited_info: ACL type is 0x%x for file %s\n",
673 (unsigned int)paiv->sd_type, fsp_str_dbg(fsp)));
674 }
675
676 TALLOC_FREE(pai_buf);
677 return paiv;
678 }
679
680 /************************************************************************
681 Load the user.SAMBA_PAI attribute.
682 ************************************************************************/
683
684 static struct pai_val *load_inherited_info(const struct connection_struct *conn,
685 const char *fname)
686 {
687 char *pai_buf;
688 size_t pai_buf_size = 1024;
689 struct pai_val *paiv = NULL;
690 ssize_t ret;
691
692 if (!lp_map_acl_inherit(SNUM(conn))) {
693 return NULL;
694 }
695
696 if ((pai_buf = talloc_array(talloc_tos(), char, pai_buf_size)) == NULL) {
697 return NULL;
698 }
699
700 do {
701 ret = SMB_VFS_GETXATTR(conn, fname,
702 SAMBA_POSIX_INHERITANCE_EA_NAME,
703 pai_buf, pai_buf_size);
704
705 if (ret == -1) {
706 if (errno != ERANGE) {
707 break;
708 }
709 /* Buffer too small - enlarge it. */
710 pai_buf_size *= 2;
711 TALLOC_FREE(pai_buf);
712 if (pai_buf_size > 1024*1024) {
713 return NULL; /* Limit malloc to 1mb. */
714 }
715 if ((pai_buf = talloc_array(talloc_tos(), char, pai_buf_size)) == NULL)
716 return NULL;
717 }
718 } while (ret == -1);
719
720 DEBUG(10,("load_inherited_info: ret = %lu for file %s\n", (unsigned long)ret, fname));
721
722 if (ret == -1) {
723 /* No attribute or not supported. */
724 #if defined(ENOATTR)
725 if (errno != ENOATTR)
726 DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
727 #else
728 if (errno != ENOSYS)
729 DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
730 #endif
731 TALLOC_FREE(pai_buf);
732 return NULL;
733 }
734
735 paiv = create_pai_val(pai_buf, ret);
736
737 if (paiv) {
738 DEBUG(10,("load_inherited_info: ACL type 0x%x for file %s\n",
739 (unsigned int)paiv->sd_type,
740 fname));
741 }
742
743 TALLOC_FREE(pai_buf);
744 return paiv;
745 }
746
747 /****************************************************************************
748 Functions to manipulate the internal ACE format.
749 ****************************************************************************/
750
751 /****************************************************************************
752 Count a linked list of canonical ACE entries.
753 ****************************************************************************/
754
755 static size_t count_canon_ace_list( canon_ace *l_head )
756 {
757 size_t count = 0;
758 canon_ace *ace;
759
760 for (ace = l_head; ace; ace = ace->next)
761 count++;
762
763 return count;
764 }
765
766 /****************************************************************************
767 Free a linked list of canonical ACE entries.
768 ****************************************************************************/
769
770 static void free_canon_ace_list( canon_ace *l_head )
771 {
772 canon_ace *list, *next;
773
774 for (list = l_head; list; list = next) {
775 next = list->next;
776 DLIST_REMOVE(l_head, list);
777 TALLOC_FREE(list);
778 }
779 }
780
781 /****************************************************************************
782 Function to duplicate a canon_ace entry.
783 ****************************************************************************/
784
785 static canon_ace *dup_canon_ace( canon_ace *src_ace)
786 {
787 canon_ace *dst_ace = talloc(talloc_tos(), canon_ace);
788
789 if (dst_ace == NULL)
790 return NULL;
791
792 *dst_ace = *src_ace;
793 dst_ace->prev = dst_ace->next = NULL;
794 return dst_ace;
795 }
796
797 /****************************************************************************
798 Print out a canon ace.
799 ****************************************************************************/
800
801 static void print_canon_ace(canon_ace *pace, int num)
802 {
803 dbgtext( "canon_ace index %d. Type = %s ", num, pace->attr == ALLOW_ACE ? "allow" : "deny" );
804 dbgtext( "SID = %s ", sid_string_dbg(&pace->trustee));
805 if (pace->owner_type == UID_ACE) {
806 const char *u_name = uidtoname(pace->unix_ug.uid);
807 dbgtext( "uid %u (%s) ", (unsigned int)pace->unix_ug.uid, u_name );
808 } else if (pace->owner_type == GID_ACE) {
809 char *g_name = gidtoname(pace->unix_ug.gid);
810 dbgtext( "gid %u (%s) ", (unsigned int)pace->unix_ug.gid, g_name );
811 } else
812 dbgtext( "other ");
813 switch (pace->type) {
814 case SMB_ACL_USER:
815 dbgtext( "SMB_ACL_USER ");
816 break;
817 case SMB_ACL_USER_OBJ:
818 dbgtext( "SMB_ACL_USER_OBJ ");
819 break;
820 case SMB_ACL_GROUP:
821 dbgtext( "SMB_ACL_GROUP ");
822 break;
823 case SMB_ACL_GROUP_OBJ:
824 dbgtext( "SMB_ACL_GROUP_OBJ ");
825 break;
826 case SMB_ACL_OTHER:
827 dbgtext( "SMB_ACL_OTHER ");
828 break;
829 default:
830 dbgtext( "MASK " );
831 break;
832 }
833
834 dbgtext( "ace_flags = 0x%x ", (unsigned int)pace->ace_flags);
835 dbgtext( "perms ");
836 dbgtext( "%c", pace->perms & S_IRUSR ? 'r' : '-');
837 dbgtext( "%c", pace->perms & S_IWUSR ? 'w' : '-');
838 dbgtext( "%c\n", pace->perms & S_IXUSR ? 'x' : '-');
839 }
840
841 /****************************************************************************
842 Print out a canon ace list.
843 ****************************************************************************/
844
845 static void print_canon_ace_list(const char *name, canon_ace *ace_list)
846 {
847 int count = 0;
848
849 if( DEBUGLVL( 10 )) {
850 dbgtext( "print_canon_ace_list: %s\n", name );
851 for (;ace_list; ace_list = ace_list->next, count++)
852 print_canon_ace(ace_list, count );
853 }
854 }
855
856 /****************************************************************************
857 Map POSIX ACL perms to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
858 ****************************************************************************/
859
860 static mode_t convert_permset_to_mode_t(connection_struct *conn, SMB_ACL_PERMSET_T permset)
861 {
862 mode_t ret = 0;
863
864 ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_READ) ? S_IRUSR : 0);
865 ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_WRITE) ? S_IWUSR : 0);
866 ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_EXECUTE) ? S_IXUSR : 0);
867
868 return ret;
869 }
870
871 /****************************************************************************
872 Map generic UNIX permissions to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
873 ****************************************************************************/
874
875 static mode_t unix_perms_to_acl_perms(mode_t mode, int r_mask, int w_mask, int x_mask)
876 {
877 mode_t ret = 0;
878
879 if (mode & r_mask)
880 ret |= S_IRUSR;
881 if (mode & w_mask)
882 ret |= S_IWUSR;
883 if (mode & x_mask)
884 ret |= S_IXUSR;
885
886 return ret;
887 }
888
889 /****************************************************************************
890 Map canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits) to
891 an SMB_ACL_PERMSET_T.
892 ****************************************************************************/
893
894 static int map_acl_perms_to_permset(connection_struct *conn, mode_t mode, SMB_ACL_PERMSET_T *p_permset)
895 {
896 if (SMB_VFS_SYS_ACL_CLEAR_PERMS(conn, *p_permset) == -1)
897 return -1;
898 if (mode & S_IRUSR) {
899 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_READ) == -1)
900 return -1;
901 }
902 if (mode & S_IWUSR) {
903 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_WRITE) == -1)
904 return -1;
905 }
906 if (mode & S_IXUSR) {
907 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_EXECUTE) == -1)
908 return -1;
909 }
910 return 0;
911 }
912
913 /****************************************************************************
914 Function to create owner and group SIDs from a SMB_STRUCT_STAT.
915 ****************************************************************************/
916
917 void create_file_sids(const SMB_STRUCT_STAT *psbuf, struct dom_sid *powner_sid, struct dom_sid *pgroup_sid)
918 {
919 uid_to_sid( powner_sid, psbuf->st_ex_uid );
920 gid_to_sid( pgroup_sid, psbuf->st_ex_gid );
921 }
922
923 /****************************************************************************
924 Merge aces with a common sid - if both are allow or deny, OR the permissions together and
925 delete the second one. If the first is deny, mask the permissions off and delete the allow
926 if the permissions become zero, delete the deny if the permissions are non zero.
927 ****************************************************************************/
928
929 static void merge_aces( canon_ace **pp_list_head, bool dir_acl)
930 {
931 canon_ace *l_head = *pp_list_head;
932 canon_ace *curr_ace_outer;
933 canon_ace *curr_ace_outer_next;
934
935 /*
936 * First, merge allow entries with identical SIDs, and deny entries
937 * with identical SIDs.
938 */
939
940 for (curr_ace_outer = l_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
941 canon_ace *curr_ace;
942 canon_ace *curr_ace_next;
943
944 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
945
946 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
947 bool can_merge = false;
948
949 curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
950
951 /* For file ACLs we can merge if the SIDs and ALLOW/DENY
952 * types are the same. For directory acls we must also
953 * ensure the POSIX ACL types are the same.
954 *
955 * For the IDMAP_BOTH case, we must not merge
956 * the UID and GID ACE values for same SID
957 */
958
959 if (!dir_acl) {
960 can_merge = (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) &&
961 curr_ace->owner_type == curr_ace_outer->owner_type &&
962 (curr_ace->attr == curr_ace_outer->attr));
963 } else {
964 can_merge = (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) &&
965 curr_ace->owner_type == curr_ace_outer->owner_type &&
966 (curr_ace->type == curr_ace_outer->type) &&
967 (curr_ace->attr == curr_ace_outer->attr));
968 }
969
970 if (can_merge) {
971 if( DEBUGLVL( 10 )) {
972 dbgtext("merge_aces: Merging ACE's\n");
973 print_canon_ace( curr_ace_outer, 0);
974 print_canon_ace( curr_ace, 0);
975 }
976
977 /* Merge two allow or two deny ACE's. */
978
979 /* Theoretically we shouldn't merge a dir ACE if
980 * one ACE has the CI flag set, and the other
981 * ACE has the OI flag set, but this is rare
982 * enough we can ignore it. */
983
984 curr_ace_outer->perms |= curr_ace->perms;
985 curr_ace_outer->ace_flags |= curr_ace->ace_flags;
986 DLIST_REMOVE(l_head, curr_ace);
987 TALLOC_FREE(curr_ace);
988 curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
989 }
990 }
991 }
992
993 /*
994 * Now go through and mask off allow permissions with deny permissions.
995 * We can delete either the allow or deny here as we know that each SID
996 * appears only once in the list.
997 */
998
999 for (curr_ace_outer = l_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
1000 canon_ace *curr_ace;
1001 canon_ace *curr_ace_next;
1002
1003 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
1004
1005 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
1006
1007 curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
1008
1009 /*
1010 * Subtract ACE's with different entries. Due to the ordering constraints
1011 * we've put on the ACL, we know the deny must be the first one.
1012 */
1013
1014 if (dom_sid_equal(&curr_ace->trustee, &curr_ace_outer->trustee) &&
1015 (curr_ace->owner_type == curr_ace_outer->owner_type) &&
1016 (curr_ace_outer->attr == DENY_ACE) && (curr_ace->attr == ALLOW_ACE)) {
1017
1018 if( DEBUGLVL( 10 )) {
1019 dbgtext("merge_aces: Masking ACE's\n");
1020 print_canon_ace( curr_ace_outer, 0);
1021 print_canon_ace( curr_ace, 0);
1022 }
1023
1024 curr_ace->perms &= ~curr_ace_outer->perms;
1025
1026 if (curr_ace->perms == 0) {
1027
1028 /*
1029 * The deny overrides the allow. Remove the allow.
1030 */
1031
1032 DLIST_REMOVE(l_head, curr_ace);
1033 TALLOC_FREE(curr_ace);
1034 curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
1035
1036 } else {
1037
1038 /*
1039 * Even after removing permissions, there
1040 * are still allow permissions - delete the deny.
1041 * It is safe to delete the deny here,
1042 * as we are guarenteed by the deny first
1043 * ordering that all the deny entries for
1044 * this SID have already been merged into one
1045 * before we can get to an allow ace.
1046 */
1047
1048 DLIST_REMOVE(l_head, curr_ace_outer);
1049 TALLOC_FREE(curr_ace_outer);
1050 break;
1051 }
1052 }
1053
1054 } /* end for curr_ace */
1055 } /* end for curr_ace_outer */
1056
1057 /* We may have modified the list. */
1058
1059 *pp_list_head = l_head;
1060 }
1061
1062 /****************************************************************************
1063 Check if we need to return NT4.x compatible ACL entries.
1064 ****************************************************************************/
1065
1066 bool nt4_compatible_acls(void)
1067 {
1068 int compat = lp_acl_compatibility();
1069
1070 if (compat == ACL_COMPAT_AUTO) {
1071 enum remote_arch_types ra_type = get_remote_arch();
1072
1073 /* Automatically adapt to client */
1074 return (ra_type <= RA_WINNT);
1075 } else
1076 return (compat == ACL_COMPAT_WINNT);
1077 }
1078
1079
1080 /****************************************************************************
1081 Map canon_ace perms to permission bits NT.
1082 The attr element is not used here - we only process deny entries on set,
1083 not get. Deny entries are implicit on get with ace->perms = 0.
1084 ****************************************************************************/
1085
1086 uint32_t map_canon_ace_perms(int snum,
1087 enum security_ace_type *pacl_type,
1088 mode_t perms,
1089 bool directory_ace)
1090 {
1091 uint32_t nt_mask = 0;
1092
1093 *pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED;
1094
1095 if (lp_acl_map_full_control(snum) && ((perms & ALL_ACE_PERMS) == ALL_ACE_PERMS)) {
1096 if (directory_ace) {
1097 nt_mask = UNIX_DIRECTORY_ACCESS_RWX;
1098 } else {
1099 nt_mask = (UNIX_ACCESS_RWX & ~DELETE_ACCESS);
1100 }
1101 } else if ((perms & ALL_ACE_PERMS) == (mode_t)0) {
1102 /*
1103 * Windows NT refuses to display ACEs with no permissions in them (but
1104 * they are perfectly legal with Windows 2000). If the ACE has empty
1105 * permissions we cannot use 0, so we use the otherwise unused
1106 * WRITE_OWNER permission, which we ignore when we set an ACL.
1107 * We abstract this into a #define of UNIX_ACCESS_NONE to allow this
1108 * to be changed in the future.
1109 */
1110
1111 if (nt4_compatible_acls())
1112 nt_mask = UNIX_ACCESS_NONE;
1113 else
1114 nt_mask = 0;
1115 } else {
1116 if (directory_ace) {
1117 nt_mask |= ((perms & S_IRUSR) ? UNIX_DIRECTORY_ACCESS_R : 0 );
1118 nt_mask |= ((perms & S_IWUSR) ? UNIX_DIRECTORY_ACCESS_W : 0 );
1119 nt_mask |= ((perms & S_IXUSR) ? UNIX_DIRECTORY_ACCESS_X : 0 );
1120 } else {
1121 nt_mask |= ((perms & S_IRUSR) ? UNIX_ACCESS_R : 0 );
1122 nt_mask |= ((perms & S_IWUSR) ? UNIX_ACCESS_W : 0 );
1123 nt_mask |= ((perms & S_IXUSR) ? UNIX_ACCESS_X : 0 );
1124 }
1125 }
1126
1127 if ((perms & S_IWUSR) && lp_dos_filemode(snum)) {
1128 nt_mask |= (SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|DELETE_ACCESS);
1129 }
1130
1131 DEBUG(10,("map_canon_ace_perms: Mapped (UNIX) %x to (NT) %x\n",
1132 (unsigned int)perms, (unsigned int)nt_mask ));
1133
1134 return nt_mask;
1135 }
1136
1137 /****************************************************************************
1138 Map NT perms to a UNIX mode_t.
1139 ****************************************************************************/
1140
1141 #define FILE_SPECIFIC_READ_BITS (FILE_READ_DATA|FILE_READ_EA)
1142 #define FILE_SPECIFIC_WRITE_BITS (FILE_WRITE_DATA|FILE_APPEND_DATA|FILE_WRITE_EA)
1143 #define FILE_SPECIFIC_EXECUTE_BITS (FILE_EXECUTE)
1144
1145 static mode_t map_nt_perms( uint32 *mask, int type)
1146 {
1147 mode_t mode = 0;
1148
1149 switch(type) {
1150 case S_IRUSR:
1151 if((*mask) & GENERIC_ALL_ACCESS)
1152 mode = S_IRUSR|S_IWUSR|S_IXUSR;
1153 else {
1154 mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRUSR : 0;
1155 mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWUSR : 0;
1156 mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXUSR : 0;
1157 }
1158 break;
1159 case S_IRGRP:
1160 if((*mask) & GENERIC_ALL_ACCESS)
1161 mode = S_IRGRP|S_IWGRP|S_IXGRP;
1162 else {
1163 mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRGRP : 0;
1164 mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWGRP : 0;
1165 mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXGRP : 0;
1166 }
1167 break;
1168 case S_IROTH:
1169 if((*mask) & GENERIC_ALL_ACCESS)
1170 mode = S_IROTH|S_IWOTH|S_IXOTH;
1171 else {
1172 mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IROTH : 0;
1173 mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWOTH : 0;
1174 mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXOTH : 0;
1175 }
1176 break;
1177 }
1178
1179 return mode;
1180 }
1181
1182 /****************************************************************************
1183 Unpack a struct security_descriptor into a UNIX owner and group.
1184 ****************************************************************************/
1185
1186 NTSTATUS unpack_nt_owners(struct connection_struct *conn,
1187 uid_t *puser, gid_t *pgrp,
1188 uint32 security_info_sent, const struct
1189 security_descriptor *psd)
1190 {
1191 struct dom_sid owner_sid;
1192 struct dom_sid grp_sid;
1193
1194 *puser = (uid_t)-1;
1195 *pgrp = (gid_t)-1;
1196
1197 if(security_info_sent == 0) {
1198 DEBUG(0,("unpack_nt_owners: no security info sent !\n"));
1199 return NT_STATUS_OK;
1200 }
1201
1202 /*
1203 * Validate the owner and group SID's.
1204 */
1205
1206 memset(&owner_sid, '\0', sizeof(owner_sid));
1207 memset(&grp_sid, '\0', sizeof(grp_sid));
1208
1209 DEBUG(5,("unpack_nt_owners: validating owner_sids.\n"));
1210
1211 /*
1212 * Don't immediately fail if the owner sid cannot be validated.
1213 * This may be a group chown only set.
1214 */
1215
1216 if (security_info_sent & SECINFO_OWNER) {
1217 sid_copy(&owner_sid, psd->owner_sid);
1218 if (!sid_to_uid(&owner_sid, puser)) {
1219 if (lp_force_unknown_acl_user(SNUM(conn))) {
1220 /* this allows take ownership to work
1221 * reasonably */
1222 *puser = get_current_uid(conn);
1223 } else {
1224 DEBUG(3,("unpack_nt_owners: unable to validate"
1225 " owner sid for %s\n",
1226 sid_string_dbg(&owner_sid)));
1227 return NT_STATUS_INVALID_OWNER;
1228 }
1229 }
1230 DEBUG(3,("unpack_nt_owners: owner sid mapped to uid %u\n",
1231 (unsigned int)*puser ));
1232 }
1233
1234 /*
1235 * Don't immediately fail if the group sid cannot be validated.
1236 * This may be an owner chown only set.
1237 */
1238
1239 if (security_info_sent & SECINFO_GROUP) {
1240 sid_copy(&grp_sid, psd->group_sid);
1241 if (!sid_to_gid( &grp_sid, pgrp)) {
1242 if (lp_force_unknown_acl_user(SNUM(conn))) {
1243 /* this allows take group ownership to work
1244 * reasonably */
1245 *pgrp = get_current_gid(conn);
1246 } else {
1247 DEBUG(3,("unpack_nt_owners: unable to validate"
1248 " group sid.\n"));
1249 return NT_STATUS_INVALID_OWNER;
1250 }
1251 }
1252 DEBUG(3,("unpack_nt_owners: group sid mapped to gid %u\n",
1253 (unsigned int)*pgrp));
1254 }
1255
1256 DEBUG(5,("unpack_nt_owners: owner_sids validated.\n"));
1257
1258 return NT_STATUS_OK;
1259 }
1260
1261 /****************************************************************************
1262 Ensure the enforced permissions for this share apply.
1263 ****************************************************************************/
1264
1265 static void apply_default_perms(const struct share_params *params,
1266 const bool is_directory, canon_ace *pace,
1267 mode_t type)
1268 {
1269 mode_t and_bits = (mode_t)0;
1270 mode_t or_bits = (mode_t)0;
1271
1272 /* Get the initial bits to apply. */
1273
1274 if (is_directory) {
1275 and_bits = lp_dir_security_mask(params->service);
1276 or_bits = lp_force_dir_security_mode(params->service);
1277 } else {
1278 and_bits = lp_security_mask(params->service);
1279 or_bits = lp_force_security_mode(params->service);
1280 }
1281
1282 /* Now bounce them into the S_USR space. */
1283 switch(type) {
1284 case S_IRUSR:
1285 /* Ensure owner has read access. */
1286 pace->perms |= S_IRUSR;
1287 if (is_directory)
1288 pace->perms |= (S_IWUSR|S_IXUSR);
1289 and_bits = unix_perms_to_acl_perms(and_bits, S_IRUSR, S_IWUSR, S_IXUSR);
1290 or_bits = unix_perms_to_acl_perms(or_bits, S_IRUSR, S_IWUSR, S_IXUSR);
1291 break;
1292 case S_IRGRP:
1293 and_bits = unix_perms_to_acl_perms(and_bits, S_IRGRP, S_IWGRP, S_IXGRP);
1294 or_bits = unix_perms_to_acl_perms(or_bits, S_IRGRP, S_IWGRP, S_IXGRP);
1295 break;
1296 case S_IROTH:
1297 and_bits = unix_perms_to_acl_perms(and_bits, S_IROTH, S_IWOTH, S_IXOTH);
1298 or_bits = unix_perms_to_acl_perms(or_bits, S_IROTH, S_IWOTH, S_IXOTH);
1299 break;
1300 }
1301
1302 pace->perms = ((pace->perms & and_bits)|or_bits);
1303 }
1304
1305 /****************************************************************************
1306 Check if a given uid/SID is in a group gid/SID. This is probably very
1307 expensive and will need optimisation. A *lot* of optimisation :-). JRA.
1308 ****************************************************************************/
1309
1310 static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, canon_ace *group_ace )
1311 {
1312 const char *u_name = NULL;
1313
1314 /* "Everyone" always matches every uid. */
1315
1316 if (dom_sid_equal(&group_ace->trustee, &global_sid_World))
1317 return True;
1318
1319 /*
1320 * if it's the current user, we already have the unix token
1321 * and don't need to do the complex user_in_group_sid() call
1322 */
1323 if (uid_ace->unix_ug.uid == get_current_uid(conn)) {
1324 const struct security_unix_token *curr_utok = NULL;
1325 size_t i;
1326
1327 if (group_ace->unix_ug.gid == get_current_gid(conn)) {
1328 return True;
1329 }
1330
1331 curr_utok = get_current_utok(conn);
1332 for (i=0; i < curr_utok->ngroups; i++) {
1333 if (group_ace->unix_ug.gid == curr_utok->groups[i]) {
1334 return True;
1335 }
1336 }
1337 }
1338
1339 /* u_name talloc'ed off tos. */
1340 u_name = uidtoname(uid_ace->unix_ug.uid);
1341 if (!u_name) {
1342 return False;
1343 }
1344
1345 /*
1346 * user_in_group_sid() uses create_token_from_username()
1347 * which creates an artificial NT token given just a username,
1348 * so this is not reliable for users from foreign domains
1349 * exported by winbindd!
1350 */
1351 return user_in_group_sid(u_name, &group_ace->trustee);
1352 }
1353
1354 /****************************************************************************
1355 A well formed POSIX file or default ACL has at least 3 entries, a
1356 SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ.
1357 In addition, the owner must always have at least read access.
1358 When using this call on get_acl, the pst struct is valid and contains
1359 the mode of the file. When using this call on set_acl, the pst struct has
1360 been modified to have a mode containing the default for this file or directory
1361 type.
1362 ****************************************************************************/
1363
1364 static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace,
1365 const struct share_params *params,
1366 const bool is_directory,
1367 const struct dom_sid *pfile_owner_sid,
1368 const struct dom_sid *pfile_grp_sid,
1369 const SMB_STRUCT_STAT *pst,
1370 bool setting_acl)
1371 {
1372 canon_ace *pace;
1373 canon_ace *pace_user = NULL;
1374 canon_ace *pace_group = NULL;
1375 canon_ace *pace_other = NULL;
1376
1377 for (pace = *pp_ace; pace; pace = pace->next) {
1378 if (pace->type == SMB_ACL_USER_OBJ) {
1379
1380 if (setting_acl)
1381 apply_default_perms(params, is_directory, pace, S_IRUSR);
1382 pace_user = pace;
1383
1384 } else if (pace->type == SMB_ACL_GROUP_OBJ) {
1385
1386 /*
1387 * Ensure create mask/force create mode is respected on set.
1388 */
1389
1390 if (setting_acl)
1391 apply_default_perms(params, is_directory, pace, S_IRGRP);
1392 pace_group = pace;
1393
1394 } else if (pace->type == SMB_ACL_OTHER) {
1395
1396 /*
1397 * Ensure create mask/force create mode is respected on set.
1398 */
1399
1400 if (setting_acl)
1401 apply_default_perms(params, is_directory, pace, S_IROTH);
1402 pace_other = pace;
1403 }
1404 }
1405
1406 if (!pace_user) {
1407 if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
1408 DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1409 return False;
1410 }
1411
1412 ZERO_STRUCTP(pace);
1413 pace->type = SMB_ACL_USER_OBJ;
1414 pace->owner_type = UID_ACE;
1415 pace->unix_ug.uid = pst->st_ex_uid;
1416 pace->trustee = *pfile_owner_sid;
1417 pace->attr = ALLOW_ACE;
1418 /* Start with existing permissions, principle of least
1419 surprises for the user. */
1420 pace->perms = pst->st_ex_mode;
1421
1422 if (setting_acl) {
1423 /* See if the owning user is in any of the other groups in
1424 the ACE, or if there's a matching user entry (by uid
1425 or in the case of ID_TYPE_BOTH by SID).
1426 If so, OR in the permissions from that entry. */
1427
1428 canon_ace *pace_iter;
1429
1430 for (pace_iter = *pp_ace; pace_iter; pace_iter = pace_iter->next) {
1431 if (pace_iter->type == SMB_ACL_USER &&
1432 pace_iter->unix_ug.uid == pace->unix_ug.uid) {
1433 pace->perms |= pace_iter->perms;
1434 } else if (pace_iter->type == SMB_ACL_GROUP_OBJ || pace_iter->type == SMB_ACL_GROUP) {
1435 if (dom_sid_equal(&pace->trustee, &pace_iter->trustee)) {
1436 pace->perms |= pace_iter->perms;
1437 } else if (uid_entry_in_group(conn, pace, pace_iter)) {
1438 pace->perms |= pace_iter->perms;
1439 }
1440 }
1441 }
1442
1443 if (pace->perms == 0) {
1444 /* If we only got an "everyone" perm, just use that. */
1445 if (pace_other)
1446 pace->perms = pace_other->perms;
1447 }
1448
1449 apply_default_perms(params, is_directory, pace, S_IRUSR);
1450 } else {
1451 pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRUSR, S_IWUSR, S_IXUSR);
1452 }
1453
1454 DLIST_ADD(*pp_ace, pace);
1455 pace_user = pace;
1456 }
1457
1458 if (!pace_group) {
1459 if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
1460 DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1461 return False;
1462 }
1463
1464 ZERO_STRUCTP(pace);
1465 pace->type = SMB_ACL_GROUP_OBJ;
1466 pace->owner_type = GID_ACE;
1467 pace->unix_ug.gid = pst->st_ex_gid;
1468 pace->trustee = *pfile_grp_sid;
1469 pace->attr = ALLOW_ACE;
1470 if (setting_acl) {
1471 /* If we only got an "everyone" perm, just use that. */
1472 if (pace_other)
1473 pace->perms = pace_other->perms;
1474 else
1475 pace->perms = 0;
1476 apply_default_perms(params, is_directory, pace, S_IRGRP);
1477 } else {
1478 pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRGRP, S_IWGRP, S_IXGRP);
1479 }
1480
1481 DLIST_ADD(*pp_ace, pace);
1482 pace_group = pace;
1483 }
1484
1485 if (!pace_other) {
1486 if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
1487 DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1488 return False;
1489 }
1490
1491 ZERO_STRUCTP(pace);
1492 pace->type = SMB_ACL_OTHER;
1493 pace->owner_type = WORLD_ACE;
1494 pace->unix_ug.world = -1;
1495 pace->trustee = global_sid_World;
1496 pace->attr = ALLOW_ACE;
1497 if (setting_acl) {
1498 pace->perms = 0;
1499 apply_default_perms(params, is_directory, pace, S_IROTH);
1500 } else
1501 pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IROTH, S_IWOTH, S_IXOTH);
1502
1503 DLIST_ADD(*pp_ace, pace);
1504 pace_other = pace;
1505 }
1506
1507 if (setting_acl) {
1508 /* Ensure when setting a POSIX ACL, that the uid for a
1509 SMB_ACL_USER_OBJ ACE (the owner ACE entry) has a duplicate
1510 permission entry as an SMB_ACL_USER, and a gid for a
1511 SMB_ACL_GROUP_OBJ ACE (the primary group ACE entry) also has
1512 a duplicate permission entry as an SMB_ACL_GROUP. If not,
1513 then if the ownership or group ownership of this file or
1514 directory gets changed, the user or group can lose their
1515 access. */
1516 bool got_duplicate_user = false;
1517 bool got_duplicate_group = false;
1518
1519 for (pace = *pp_ace; pace; pace = pace->next) {
1520 if (pace->type == SMB_ACL_USER &&
1521 pace->unix_ug.uid == pace_user->unix_ug.uid) {
1522 /* Already got one. */
1523 got_duplicate_user = true;
1524 } else if (pace->type == SMB_ACL_GROUP &&
1525 pace->unix_ug.gid == pace_user->unix_ug.gid) {
1526 /* Already got one. */
1527 got_duplicate_group = true;
1528 }
1529 }
1530
1531 if (!got_duplicate_user) {
1532 /* Add a duplicate SMB_ACL_USER entry. */
1533 if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
1534 DEBUG(0,("ensure_canon_entry_valid: talloc fail.\n"));
1535 return false;
1536 }
1537
1538 ZERO_STRUCTP(pace);
1539 pace->type = SMB_ACL_USER;;
1540 pace->owner_type = UID_ACE;
1541 pace->unix_ug.uid = pace_user->unix_ug.uid;
1542 pace->trustee = pace_user->trustee;
1543 pace->attr = pace_user->attr;
1544 pace->perms = pace_user->perms;
1545
1546 DLIST_ADD(*pp_ace, pace);
1547 }
1548
1549 if (!got_duplicate_group) {
1550 /* Add a duplicate SMB_ACL_GROUP entry. */
1551 if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
1552 DEBUG(0,("ensure_canon_entry_valid: talloc fail.\n"));
1553 return false;
1554 }
1555
1556 ZERO_STRUCTP(pace);
1557 pace->type = SMB_ACL_GROUP;;
1558 pace->owner_type = GID_ACE;
1559 pace->unix_ug.gid = pace_group->unix_ug.gid;
1560 pace->trustee = pace_group->trustee;
1561 pace->attr = pace_group->attr;
1562 pace->perms = pace_group->perms;
1563
1564 DLIST_ADD(*pp_ace, pace);
1565 }
1566
1567 }
1568
1569 return True;
1570 }
1571
1572 /****************************************************************************
1573 Check if a POSIX ACL has the required SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries.
1574 If it does not have them, check if there are any entries where the trustee is the
1575 file owner or the owning group, and map these to SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ.
1576 Note we must not do this to default directory ACLs.
1577 ****************************************************************************/
1578
1579 static void check_owning_objs(canon_ace *ace, struct dom_sid *pfile_owner_sid, struct dom_sid *pfile_grp_sid)
1580 {
1581 bool got_user_obj, got_group_obj;
1582 canon_ace *current_ace;
1583 int i, entries;
1584
1585 entries = count_canon_ace_list(ace);
1586 got_user_obj = False;
1587 got_group_obj = False;
1588
1589 for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1590 if (current_ace->type == SMB_ACL_USER_OBJ)
1591 got_user_obj = True;
1592 else if (current_ace->type == SMB_ACL_GROUP_OBJ)
1593 got_group_obj = True;
1594 }
1595 if (got_user_obj && got_group_obj) {
1596 DEBUG(10,("check_owning_objs: ACL had owning user/group entries.\n"));
1597 return;
1598 }
1599
1600 for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1601 if (!got_user_obj && current_ace->owner_type == UID_ACE &&
1602 dom_sid_equal(&current_ace->trustee, pfile_owner_sid)) {
1603 current_ace->type = SMB_ACL_USER_OBJ;
1604 got_user_obj = True;
1605 }
1606 if (!got_group_obj && current_ace->owner_type == GID_ACE &&
1607 dom_sid_equal(&current_ace->trustee, pfile_grp_sid)) {
1608 current_ace->type = SMB_ACL_GROUP_OBJ;
1609 got_group_obj = True;
1610 }
1611 }
1612 if (!got_user_obj)
1613 DEBUG(10,("check_owning_objs: ACL is missing an owner entry.\n"));
1614 if (!got_group_obj)
1615 DEBUG(10,("check_owning_objs: ACL is missing an owning group entry.\n"));
1616 }
1617
1618 static bool add_current_ace_to_acl(files_struct *fsp, struct security_ace *psa,
1619 canon_ace **file_ace, canon_ace **dir_ace,
1620 bool *got_file_allow, bool *got_dir_allow,
1621 bool *all_aces_are_inherit_only,
1622 canon_ace *current_ace)
1623 {
1624
1625 /*
1626 * Map the given NT permissions into a UNIX mode_t containing only
1627 * S_I(R|W|X)USR bits.
1628 */
1629
1630 current_ace->perms |= map_nt_perms( &psa->access_mask, S_IRUSR);
1631 current_ace->attr = (psa->type == SEC_ACE_TYPE_ACCESS_ALLOWED) ? ALLOW_ACE : DENY_ACE;
1632
1633 /* Store the ace_flag. */
1634 current_ace->ace_flags = psa->flags;
1635
1636 /*
1637 * Now add the created ace to either the file list, the directory
1638 * list, or both. We *MUST* preserve the order here (hence we use
1639 * DLIST_ADD_END) as NT ACLs are order dependent.
1640 */
1641
1642 if (fsp->is_directory) {
1643
1644 /*
1645 * We can only add to the default POSIX ACE list if the ACE is
1646 * designed to be inherited by both files and directories.
1647 */
1648
1649 if ((psa->flags & (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) ==
1650 (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) {
1651
1652 canon_ace *current_dir_ace = current_ace;
1653 DLIST_ADD_END(*dir_ace, current_ace, canon_ace *);
1654
1655 /*
1656 * Note if this was an allow ace. We can't process
1657 * any further deny ace's after this.
1658 */
1659
1660 if (current_ace->attr == ALLOW_ACE)
1661 *got_dir_allow = True;
1662
1663 if ((current_ace->attr == DENY_ACE) && *got_dir_allow) {
1664 DEBUG(0,("add_current_ace_to_acl: "
1665 "malformed ACL in "
1666 "inheritable ACL! Deny entry "
1667 "after Allow entry. Failing "
1668 "to set on file %s.\n",
1669 fsp_str_dbg(fsp)));
1670 return False;
1671 }
1672
1673 if( DEBUGLVL( 10 )) {
1674 dbgtext("add_current_ace_to_acl: adding dir ACL:\n");
1675 print_canon_ace( current_ace, 0);
1676 }
1677
1678 /*
1679 * If this is not an inherit only ACE we need to add a duplicate
1680 * to the file acl.
1681 */
1682
1683 if (!(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1684 canon_ace *dup_ace = dup_canon_ace(current_ace);
1685
1686 if (!dup_ace) {
1687 DEBUG(0,("add_current_ace_to_acl: malloc fail !\n"));
1688 return False;
1689 }
1690
1691 /*
1692 * We must not free current_ace here as its
1693 * pointer is now owned by the dir_ace list.
1694 */
1695 current_ace = dup_ace;
1696 /* We've essentially split this ace into two,
1697 * and added the ace with inheritance request
1698 * bits to the directory ACL. Drop those bits for
1699 * the ACE we're adding to the file list. */
1700 current_ace->ace_flags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT|
1701 SEC_ACE_FLAG_CONTAINER_INHERIT|
1702 SEC_ACE_FLAG_INHERIT_ONLY);
1703 } else {
1704 /*
1705 * We must not free current_ace here as its
1706 * pointer is now owned by the dir_ace list.
1707 */
1708 current_ace = NULL;
1709 }
1710
1711 /*
1712 * current_ace is now either owned by file_ace
1713 * or is NULL. We can safely operate on current_dir_ace
1714 * to treat mapping for default acl entries differently
1715 * than access acl entries.
1716 */
1717
1718 if (current_dir_ace->owner_type == UID_ACE) {
1719 /*
1720 * We already decided above this is a uid,
1721 * for default acls ace's only CREATOR_OWNER
1722 * maps to ACL_USER_OBJ. All other uid
1723 * ace's are ACL_USER.
1724 */
1725 if (dom_sid_equal(&current_dir_ace->trustee,
1726 &global_sid_Creator_Owner)) {
1727 current_dir_ace->type = SMB_ACL_USER_OBJ;
1728 } else {
1729 current_dir_ace->type = SMB_ACL_USER;
1730 }
1731 }
1732
1733 if (current_dir_ace->owner_type == GID_ACE) {
1734 /*
1735 * We already decided above this is a gid,
1736 * for default acls ace's only CREATOR_GROUP
1737 * maps to ACL_GROUP_OBJ. All other uid
1738 * ace's are ACL_GROUP.
1739 */
1740 if (dom_sid_equal(&current_dir_ace->trustee,
1741 &global_sid_Creator_Group)) {
1742 current_dir_ace->type = SMB_ACL_GROUP_OBJ;
1743 } else {
1744 current_dir_ace->type = SMB_ACL_GROUP;
1745 }
1746 }
1747 }
1748 }
1749
1750 /*
1751 * Only add to the file ACL if not inherit only.
1752 */
1753
1754 if (current_ace && !(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1755 DLIST_ADD_END(*file_ace, current_ace, canon_ace *);
1756
1757 /*
1758 * Note if this was an allow ace. We can't process
1759 * any further deny ace's after this.
1760 */
1761
1762 if (current_ace->attr == ALLOW_ACE)
1763 *got_file_allow = True;
1764
1765 if ((current_ace->attr == DENY_ACE) && got_file_allow) {
1766 DEBUG(0,("add_current_ace_to_acl: malformed "
1767 "ACL in file ACL ! Deny entry after "
1768 "Allow entry. Failing to set on file "
1769 "%s.\n", fsp_str_dbg(fsp)));
1770 return False;
1771 }
1772
1773 if( DEBUGLVL( 10 )) {
1774 dbgtext("add_current_ace_to_acl: adding file ACL:\n");
1775 print_canon_ace( current_ace, 0);
1776 }
1777 *all_aces_are_inherit_only = False;
1778 /*
1779 * We must not free current_ace here as its
1780 * pointer is now owned by the file_ace list.
1781 */
1782 current_ace = NULL;
1783 }
1784
1785 /*
1786 * Free if ACE was not added.
1787 */
1788
1789 TALLOC_FREE(current_ace);
1790 return true;
1791 }
1792
1793 /****************************************************************************
1794 Unpack a struct security_descriptor into two canonical ace lists.
1795 ****************************************************************************/
1796
1797 static bool create_canon_ace_lists(files_struct *fsp,
1798 const SMB_STRUCT_STAT *pst,
1799 struct dom_sid *pfile_owner_sid,
1800 struct dom_sid *pfile_grp_sid,
1801 canon_ace **ppfile_ace,
1802 canon_ace **ppdir_ace,
1803 const struct security_acl *dacl)
1804 {
1805 bool all_aces_are_inherit_only = (fsp->is_directory ? True : False);
1806 canon_ace *file_ace = NULL;
1807 canon_ace *dir_ace = NULL;
1808 canon_ace *current_ace = NULL;
1809 bool got_dir_allow = False;
1810 bool got_file_allow = False;
1811 int i, j;
1812
1813 *ppfile_ace = NULL;
1814 *ppdir_ace = NULL;
1815
1816 /*
1817 * Convert the incoming ACL into a more regular form.
1818 */
1819
1820 for(i = 0; i < dacl->num_aces; i++) {
1821 struct security_ace *psa = &dacl->aces[i];
1822
1823 if((psa->type != SEC_ACE_TYPE_ACCESS_ALLOWED) && (psa->type != SEC_ACE_TYPE_ACCESS_DENIED)) {
1824 DEBUG(3,("create_canon_ace_lists: unable to set anything but an ALLOW or DENY ACE.\n"));
1825 return False;
1826 }
1827
1828 if (nt4_compatible_acls()) {
1829 /*
1830 * The security mask may be UNIX_ACCESS_NONE which should map into
1831 * no permissions (we overload the WRITE_OWNER bit for this) or it
1832 * should be one of the ALL/EXECUTE/READ/WRITE bits. Arrange for this
1833 * to be so. Any other bits override the UNIX_ACCESS_NONE bit.
1834 */
1835
1836 /*
1837 * Convert GENERIC bits to specific bits.
1838 */
1839
1840 se_map_generic(&psa->access_mask, &file_generic_mapping);
1841
1842 psa->access_mask &= (UNIX_ACCESS_NONE|FILE_ALL_ACCESS);
1843
1844 if(psa->access_mask != UNIX_ACCESS_NONE)
1845 psa->access_mask &= ~UNIX_ACCESS_NONE;
1846 }
1847 }
1848
1849 /*
1850 * Deal with the fact that NT 4.x re-writes the canonical format
1851 * that we return for default ACLs. If a directory ACE is identical
1852 * to a inherited directory ACE then NT changes the bits so that the
1853 * first ACE is set to OI|IO and the second ACE for this SID is set
1854 * to CI. We need to repair this. JRA.
1855 */
1856
1857 for(i = 0; i < dacl->num_aces; i++) {
1858 struct security_ace *psa1 = &dacl->aces[i];
1859
1860 for (j = i + 1; j < dacl->num_aces; j++) {
1861 struct security_ace *psa2 = &dacl->aces[j];
1862
1863 if (psa1->access_mask != psa2->access_mask)
1864 continue;
1865
1866 if (!dom_sid_equal(&psa1->trustee, &psa2->trustee))
1867 continue;
1868
1869 /*
1870 * Ok - permission bits and SIDs are equal.
1871 * Check if flags were re-written.
1872 */
1873
1874 if (psa1->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1875
1876 psa1->flags |= (psa2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1877 psa2->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1878
1879 } else if (psa2->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1880
1881 psa2->flags |= (psa1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1882 psa1->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1883
1884 }
1885 }
1886 }
1887
1888 for(i = 0; i < dacl->num_aces; i++) {
1889 struct security_ace *psa = &dacl->aces[i];
1890
1891 /*
1892 * Create a canon_ace entry representing this NT DACL ACE.
1893 */
1894
1895 if ((current_ace = talloc(talloc_tos(), canon_ace)) == NULL) {
1896 free_canon_ace_list(file_ace);
1897 free_canon_ace_list(dir_ace);
1898 DEBUG(0,("create_canon_ace_lists: malloc fail.\n"));
1899 return False;
1900 }
1901
1902 ZERO_STRUCTP(current_ace);
1903
1904 sid_copy(&current_ace->trustee, &psa->trustee);
1905
1906 /*
1907 * Try and work out if the SID is a user or group
1908 * as we need to flag these differently for POSIX.
1909 * Note what kind of a POSIX ACL this should map to.
1910 */
1911
1912 if( dom_sid_equal(&current_ace->trustee, &global_sid_World)) {
1913 current_ace->owner_type = WORLD_ACE;
1914 current_ace->unix_ug.world = -1;
1915 current_ace->type = SMB_ACL_OTHER;
1916 } else if (dom_sid_equal(&current_ace->trustee, &global_sid_Creator_Owner)) {
1917 current_ace->owner_type = UID_ACE;
1918 current_ace->unix_ug.uid = pst->st_ex_uid;
1919 current_ace->type = SMB_ACL_USER_OBJ;
1920
1921 /*
1922 * The Creator Owner entry only specifies inheritable permissions,
1923 * never access permissions. WinNT doesn't always set the ACE to
1924 * INHERIT_ONLY, though.
1925 */
1926
1927 psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1928
1929 } else if (dom_sid_equal(&current_ace->trustee, &global_sid_Creator_Group)) {
1930 current_ace->owner_type = GID_ACE;
1931 current_ace->unix_ug.gid = pst->st_ex_gid;
1932 current_ace->type = SMB_ACL_GROUP_OBJ;
1933
1934 /*
1935 * The Creator Group entry only specifies inheritable permissions,
1936 * never access permissions. WinNT doesn't always set the ACE to
1937 * INHERIT_ONLY, though.
1938 */
1939 psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1940
1941 } else if (sid_to_uid( &current_ace->trustee, &current_ace->unix_ug.uid)) {
1942 current_ace->owner_type = UID_ACE;
1943 /* If it's the owning user, this is a user_obj, not
1944 * a user. */
1945 if (current_ace->unix_ug.uid == pst->st_ex_uid) {
1946 current_ace->type = SMB_ACL_USER_OBJ;
1947 } else {
1948 current_ace->type = SMB_ACL_USER;
1949 }
1950 } else if (sid_to_gid( &current_ace->trustee, &current_ace->unix_ug.gid)) {
1951 current_ace->owner_type = GID_ACE;
1952 /* If it's the primary group, this is a group_obj, not
1953 * a group. */
1954 if (current_ace->unix_ug.gid == pst->st_ex_gid) {
1955 current_ace->type = SMB_ACL_GROUP_OBJ;
1956 } else {
1957 current_ace->type = SMB_ACL_GROUP;
1958 }
1959 } else {
1960 /*
1961 * Silently ignore map failures in non-mappable SIDs (NT Authority, BUILTIN etc).
1962 */
1963
1964 if (non_mappable_sid(&psa->trustee)) {
1965 DEBUG(10, ("create_canon_ace_lists: ignoring "
1966 "non-mappable SID %s\n",
1967 sid_string_dbg(&psa->trustee)));
1968 TALLOC_FREE(current_ace);
1969 continue;
1970 }
1971
1972 if (lp_force_unknown_acl_user(SNUM(fsp->conn))) {
1973 DEBUG(10, ("create_canon_ace_lists: ignoring "
1974 "unknown or foreign SID %s\n",
1975 sid_string_dbg(&psa->trustee)));
1976 TALLOC_FREE(current_ace);
1977 continue;
1978 }
1979
1980 free_canon_ace_list(file_ace);
1981 free_canon_ace_list(dir_ace);
1982 DEBUG(0, ("create_canon_ace_lists: unable to map SID "
1983 "%s to uid or gid.\n",
1984 sid_string_dbg(&current_ace->trustee)));
1985 TALLOC_FREE(current_ace);
1986 return false;
1987 }
1988 /* handles the talloc_free of current_ace if not added for some reason */
1989 if (!add_current_ace_to_acl(fsp, psa, &file_ace, &dir_ace,
1990 &got_file_allow, &got_dir_allow,
1991 &all_aces_are_inherit_only, current_ace)) {
1992 free_canon_ace_list(file_ace);
1993 free_canon_ace_list(dir_ace);
1994 return false;
1995 }
1996 }
1997
1998 if (fsp->is_directory && all_aces_are_inherit_only) {
1999 /*
2000 * Windows 2000 is doing one of these weird 'inherit acl'
2001 * traverses to conserve NTFS ACL resources. Just pretend
2002 * there was no DACL sent. JRA.
2003 */
2004
2005 DEBUG(10,("create_canon_ace_lists: Win2k inherit acl traverse. Ignoring DACL.\n"));
2006 free_canon_ace_list(file_ace);
2007 free_canon_ace_list(dir_ace);
2008 file_ace = NULL;
2009 dir_ace = NULL;
2010 } else {
2011 /*
2012 * Check if we have SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries in
2013 * the file ACL. If we don't have them, check if any SMB_ACL_USER/SMB_ACL_GROUP
2014 * entries can be converted to *_OBJ. Don't do this for the default
2015 * ACL, we will create them separately for this if needed inside
2016 * ensure_canon_entry_valid().
2017 */
2018 if (file_ace) {
2019 check_owning_objs(file_ace, pfile_owner_sid, pfile_grp_sid);
2020 }
2021 }
2022
2023 *ppfile_ace = file_ace;
2024 *ppdir_ace = dir_ace;
2025
2026 return True;
2027 }
2028
2029 /****************************************************************************
2030 ASCII art time again... JRA :-).
2031
2032 We have 4 cases to process when moving from an NT ACL to a POSIX ACL. Firstly,
2033 we insist the ACL is in canonical form (ie. all DENY entries preceede ALLOW
2034 entries). Secondly, the merge code has ensured that all duplicate SID entries for
2035 allow or deny have been merged, so the same SID can only appear once in the deny
2036 list or once in the allow list.
2037
2038 We then process as follows :
2039
2040 ---------------------------------------------------------------------------
2041 First pass - look for a Everyone DENY entry.
2042
2043 If it is deny all (rwx) trunate the list at this point.
2044 Else, walk the list from this point and use the deny permissions of this
2045 entry as a mask on all following allow entries. Finally, delete
2046 the Everyone DENY entry (we have applied it to everything possible).
2047
2048 In addition, in this pass we remove any DENY entries that have
2049 no permissions (ie. they are a DENY nothing).
2050 ---------------------------------------------------------------------------
2051 Second pass - only deal with deny user entries.
2052
2053 DENY user1 (perms XXX)
2054
2055 new_perms = 0
2056 for all following allow group entries where user1 is in group
2057 new_perms |= group_perms;
2058
2059 user1 entry perms = new_perms & ~ XXX;
2060
2061 Convert the deny entry to an allow entry with the new perms and
2062 push to the end of the list. Note if the user was in no groups
2063 this maps to a specific allow nothing entry for this user.
2064
2065 The common case from the NT ACL choser (userX deny all) is
2066 optimised so we don't do the group lookup - we just map to
2067 an allow nothing entry.
2068
2069 What we're doing here is inferring the allow permissions the
2070 person setting the ACE on user1 wanted by looking at the allow
2071 permissions on the groups the user is currently in. This will
2072 be a snapshot, depending on group membership but is the best
2073 we can do and has the advantage of failing closed rather than
2074 open.
2075 ---------------------------------------------------------------------------
2076 Third pass - only deal with deny group entries.
2077
2078 DENY group1 (perms XXX)
2079
2080 for all following allow user entries where user is in group1
2081 user entry perms = user entry perms & ~ XXX;
2082
2083 If there is a group Everyone allow entry with permissions YYY,
2084 convert the group1 entry to an allow entry and modify its
2085 permissions to be :
2086
2087 new_perms = YYY & ~ XXX
2088
2089 and push to the end of the list.
2090
2091 If there is no group Everyone allow entry then convert the
2092 group1 entry to a allow nothing entry and push to the end of the list.
2093
2094 Note that the common case from the NT ACL choser (groupX deny all)
2095 cannot be optimised here as we need to modify user entries who are
2096 in the group to change them to a deny all also.
2097
2098 What we're doing here is modifying the allow permissions of
2099 user entries (which are more specific in POSIX ACLs) to mask
2100 out the explicit deny set on the group they are in. This will
2101 be a snapshot depending on current group membership but is the
2102 best we can do and has the advantage of failing closed rather
2103 than open.
2104 ---------------------------------------------------------------------------
2105 Fourth pass - cope with cumulative permissions.
2106
2107 for all allow user entries, if there exists an allow group entry with
2108 more permissive permissions, and the user is in that group, rewrite the
2109 allow user permissions to contain both sets of permissions.
2110
2111 Currently the code for this is #ifdef'ed out as these semantics make
2112 no sense to me. JRA.
2113 ---------------------------------------------------------------------------
2114
2115 Note we *MUST* do the deny user pass first as this will convert deny user
2116 entries into allow user entries which can then be processed by the deny
2117 group pass.
2118
2119 The above algorithm took a *lot* of thinking about - hence this
2120 explaination :-). JRA.
2121 ****************************************************************************/
2122
2123 /****************************************************************************
2124 Process a canon_ace list entries. This is very complex code. We need
2125 to go through and remove the "deny" permissions from any allow entry that matches
2126 the id of this entry. We have already refused any NT ACL that wasn't in correct
2127 order (DENY followed by ALLOW). If any allow entry ends up with zero permissions,
2128 we just remove it (to fail safe). We have already removed any duplicate ace
2129 entries. Treat an "Everyone" DENY_ACE as a special case - use it to mask all
2130 allow entries.
2131 ****************************************************************************/
2132
2133 static void process_deny_list(connection_struct *conn, canon_ace **pp_ace_list )
2134 {
2135 canon_ace *ace_list = *pp_ace_list;
2136 canon_ace *curr_ace = NULL;
2137 canon_ace *curr_ace_next = NULL;
2138
2139 /* Pass 1 above - look for an Everyone, deny entry. */
2140
2141 for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2142 canon_ace *allow_ace_p;
2143
2144 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2145
2146 if (curr_ace->attr != DENY_ACE)
2147 continue;
2148
2149 if (curr_ace->perms == (mode_t)0) {
2150
2151 /* Deny nothing entry - delete. */
2152
2153 DLIST_REMOVE(ace_list, curr_ace);
2154 continue;
2155 }
2156
2157 if (!dom_sid_equal(&curr_ace->trustee, &global_sid_World))
2158 continue;
2159
2160 /* JRATEST - assert. */
2161 SMB_ASSERT(curr_ace->owner_type == WORLD_ACE);
2162
2163 if (curr_ace->perms == ALL_ACE_PERMS) {
2164
2165 /*
2166 * Optimisation. This is a DENY_ALL to Everyone. Truncate the
2167 * list at this point including this entry.
2168 */
2169
2170 canon_ace *prev_entry = DLIST_PREV(curr_ace);
2171
2172 free_canon_ace_list( curr_ace );
2173 if (prev_entry)
2174 DLIST_REMOVE(ace_list, prev_entry);
2175 else {
2176 /* We deleted the entire list. */
2177 ace_list = NULL;
2178 }
2179 break;
2180 }
2181
2182 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2183
2184 /*
2185 * Only mask off allow entries.
2186 */
2187
2188 if (allow_ace_p->attr != ALLOW_ACE)
2189 continue;
2190
2191 allow_ace_p->perms &= ~curr_ace->perms;
2192 }
2193
2194 /*
2195 * Now it's been applied, remove it.
2196 */
2197
2198 DLIST_REMOVE(ace_list, curr_ace);
2199 }
2200
2201 /* Pass 2 above - deal with deny user entries. */
2202
2203 for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2204 mode_t new_perms = (mode_t)0;
2205 canon_ace *allow_ace_p;
2206
2207 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2208
2209 if (curr_ace->attr != DENY_ACE)
2210 continue;
2211
2212 if (curr_ace->owner_type != UID_ACE)
2213 continue;
2214
2215 if (curr_ace->perms == ALL_ACE_PERMS) {
2216
2217 /*
2218 * Optimisation - this is a deny everything to this user.
2219 * Convert to an allow nothing and push to the end of the list.
2220 */
2221
2222 curr_ace->attr = ALLOW_ACE;
2223 curr_ace->perms = (mode_t)0;
2224 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
2225 continue;
2226 }
2227
2228 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2229
2230 if (allow_ace_p->attr != ALLOW_ACE)
2231 continue;
2232
2233 /* We process GID_ACE and WORLD_ACE entries only. */
2234
2235 if (allow_ace_p->owner_type == UID_ACE)
2236 continue;
2237
2238 if (uid_entry_in_group(conn, curr_ace, allow_ace_p))
2239 new_perms |= allow_ace_p->perms;
2240 }
2241
2242 /*
2243 * Convert to a allow entry, modify the perms and push to the end
2244 * of the list.
2245 */
2246
2247 curr_ace->attr = ALLOW_ACE;
2248 curr_ace->perms = (new_perms & ~curr_ace->perms);
2249 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
2250 }
2251
2252 /* Pass 3 above - deal with deny group entries. */
2253
2254 for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2255 canon_ace *allow_ace_p;
2256 canon_ace *allow_everyone_p = NULL;
2257
2258 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2259
2260 if (curr_ace->attr != DENY_ACE)
2261 continue;
2262
2263 if (curr_ace->owner_type != GID_ACE)
2264 continue;
2265
2266 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2267
2268 if (allow_ace_p->attr != ALLOW_ACE)
2269 continue;
2270
2271 /* Store a pointer to the Everyone allow, if it exists. */
2272 if (allow_ace_p->owner_type == WORLD_ACE)
2273 allow_everyone_p = allow_ace_p;
2274
2275 /* We process UID_ACE entries only. */
2276
2277 if (allow_ace_p->owner_type != UID_ACE)
2278 continue;
2279
2280 /* Mask off the deny group perms. */
2281
2282 if (uid_entry_in_group(conn, allow_ace_p, curr_ace))
2283 allow_ace_p->perms &= ~curr_ace->perms;
2284 }
2285
2286 /*
2287 * Convert the deny to an allow with the correct perms and
2288 * push to the end of the list.
2289 */
2290
2291 curr_ace->attr = ALLOW_ACE;
2292 if (allow_everyone_p)
2293 curr_ace->perms = allow_everyone_p->perms & ~curr_ace->perms;
2294 else
2295 curr_ace->perms = (mode_t)0;
2296 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
2297 }
2298
2299 /* Doing this fourth pass allows Windows semantics to be layered
2300 * on top of POSIX semantics. I'm not sure if this is desirable.
2301 * For example, in W2K ACLs there is no way to say, "Group X no
2302 * access, user Y full access" if user Y is a member of group X.
2303 * This seems completely broken semantics to me.... JRA.
2304 */
2305
2306 #if 0
2307 /* Pass 4 above - deal with allow entries. */
2308
2309 for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2310 canon_ace *allow_ace_p;
2311
2312 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2313
2314 if (curr_ace->attr != ALLOW_ACE)
2315 continue;
2316
2317 if (curr_ace->owner_type != UID_ACE)
2318 continue;
2319
2320 for (allow_ace_p = ace_list; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2321
2322 if (allow_ace_p->attr != ALLOW_ACE)
2323 continue;
2324
2325 /* We process GID_ACE entries only. */
2326
2327 if (allow_ace_p->owner_type != GID_ACE)
2328 continue;
2329
2330 /* OR in the group perms. */
2331
2332 if (uid_entry_in_group(conn, curr_ace, allow_ace_p))
2333 curr_ace->perms |= allow_ace_p->perms;
2334 }
2335 }
2336 #endif
2337
2338 *pp_ace_list = ace_list;
2339 }
2340
2341 /****************************************************************************
2342 Unpack a struct security_descriptor into two canonical ace lists. We don't depend on this
2343 succeeding.
2344 ****************************************************************************/
2345
2346 static bool unpack_canon_ace(files_struct *fsp,
2347 const SMB_STRUCT_STAT *pst,
2348 struct dom_sid *pfile_owner_sid,
2349 struct dom_sid *pfile_grp_sid,
2350 canon_ace **ppfile_ace,
2351 canon_ace **ppdir_ace,
2352 uint32 security_info_sent,
2353 const struct security_descriptor *psd)
2354 {
2355 canon_ace *file_ace = NULL;
2356 canon_ace *dir_ace = NULL;
2357
2358 *ppfile_ace = NULL;
2359 *ppdir_ace = NULL;
2360
2361 if(security_info_sent == 0) {
2362 DEBUG(0,("unpack_canon_ace: no security info sent !\n"));
2363 return False;
2364 }
2365
2366 /*
2367 * If no DACL then this is a chown only security descriptor.
2368 */
2369
2370 if(!(security_info_sent & SECINFO_DACL) || !psd->dacl)
2371 return True;
2372
2373 /*
2374 * Now go through the DACL and create the canon_ace lists.
2375 */
2376
2377 if (!create_canon_ace_lists( fsp, pst, pfile_owner_sid, pfile_grp_sid,
2378 &file_ace, &dir_ace, psd->dacl))
2379 return False;
2380
2381 if ((file_ace == NULL) && (dir_ace == NULL)) {
2382 /* W2K traverse DACL set - ignore. */
2383 return True;
2384 }
2385
2386 /*
2387 * Go through the canon_ace list and merge entries
2388 * belonging to identical users of identical allow or deny type.
2389 * We can do this as all deny entries come first, followed by
2390 * all allow entries (we have mandated this before accepting this acl).
2391 */
2392
2393 print_canon_ace_list( "file ace - before merge", file_ace);
2394 merge_aces( &file_ace, false);
2395
2396 print_canon_ace_list( "dir ace - before merge", dir_ace);
2397 merge_aces( &dir_ace, true);
2398
2399 /*
2400 * NT ACLs are order dependent. Go through the acl lists and
2401 * process DENY entries by masking the allow entries.
2402 */
2403
2404 print_canon_ace_list( "file ace - before deny", file_ace);
2405 process_deny_list(fsp->conn, &file_ace);
2406
2407 print_canon_ace_list( "dir ace - before deny", dir_ace);
2408 process_deny_list(fsp->conn, &dir_ace);
2409
2410 /*
2411 * A well formed POSIX file or default ACL has at least 3 entries, a
2412 * SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ
2413 * and optionally a mask entry. Ensure this is the case.
2414 */
2415
2416 print_canon_ace_list( "file ace - before valid", file_ace);
2417
2418 if (!ensure_canon_entry_valid(fsp->conn, &file_ace, fsp->conn->params,
2419 fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
2420 free_canon_ace_list(file_ace);
2421 free_canon_ace_list(dir_ace);
2422 return False;
2423 }
2424
2425 print_canon_ace_list( "dir ace - before valid", dir_ace);
2426
2427 if (dir_ace && !ensure_canon_entry_valid(fsp->conn, &dir_ace, fsp->conn->params,
2428 fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
2429 free_canon_ace_list(file_ace);
2430 free_canon_ace_list(dir_ace);
2431 return False;
2432 }
2433
2434 print_canon_ace_list( "file ace - return", file_ace);
2435 print_canon_ace_list( "dir ace - return", dir_ace);
2436
2437 *ppfile_ace = file_ace;
2438 *ppdir_ace = dir_ace;
2439 return True;
2440
2441 }
2442
2443 /******************************************************************************
2444 When returning permissions, try and fit NT display
2445 semantics if possible. Note the the canon_entries here must have been malloced.
2446 The list format should be - first entry = owner, followed by group and other user
2447 entries, last entry = other.
2448
2449 Note that this doesn't exactly match the NT semantics for an ACL. As POSIX entries
2450 are not ordered, and match on the most specific entry rather than walking a list,
2451 then a simple POSIX permission of rw-r--r-- should really map to 5 entries,
2452
2453 Entry 0: owner : deny all except read and write.
2454 Entry 1: owner : allow read and write.
2455 Entry 2: group : deny all except read.
2456 Entry 3: group : allow read.
2457 Entry 4: Everyone : allow read.
2458
2459 But NT cannot display this in their ACL editor !
2460 ********************************************************************************/
2461
2462 static void arrange_posix_perms(const char *filename, canon_ace **pp_list_head)
2463 {
2464 canon_ace *l_head = *pp_list_head;
2465 canon_ace *owner_ace = NULL;
2466 canon_ace *other_ace = NULL;
2467 canon_ace *ace = NULL;
2468
2469 for (ace = l_head; ace; ace = ace->next) {
2470 if (ace->type == SMB_ACL_USER_OBJ)
2471 owner_ace = ace;
2472 else if (ace->type == SMB_ACL_OTHER) {
2473 /* Last ace - this is "other" */
2474 other_ace = ace;
2475 }
2476 }
2477
2478 if (!owner_ace || !other_ace) {
2479 DEBUG(0,("arrange_posix_perms: Invalid POSIX permissions for file %s, missing owner or other.\n",
2480 filename ));
2481 return;
2482 }
2483
2484 /*
2485 * The POSIX algorithm applies to owner first, and other last,
2486 * so ensure they are arranged in this order.
2487 */
2488
2489 if (owner_ace) {
2490 DLIST_PROMOTE(l_head, owner_ace);
2491 }
2492
2493 if (other_ace) {
2494 DLIST_DEMOTE(l_head, other_ace, canon_ace *);
2495 }
2496
2497 /* We have probably changed the head of the list. */
2498
2499 *pp_list_head = l_head;
2500 }
2501
2502 /****************************************************************************
2503 Create a linked list of canonical ACE entries.
2504 ****************************************************************************/
2505
2506 static canon_ace *canonicalise_acl(struct connection_struct *conn,
2507 const char *fname, SMB_ACL_T posix_acl,
2508 const SMB_STRUCT_STAT *psbuf,
2509 const struct dom_sid *powner, const struct dom_sid *pgroup, struct pai_val *pal, SMB_ACL_TYPE_T the_acl_type)
2510 {
2511 mode_t acl_mask = (S_IRUSR|S_IWUSR|S_IXUSR);
2512 canon_ace *l_head = NULL;
2513 canon_ace *ace = NULL;
2514 canon_ace *next_ace = NULL;
2515 int entry_id = SMB_ACL_FIRST_ENTRY;
2516 SMB_ACL_ENTRY_T entry;
2517 size_t ace_count;
2518
2519 while ( posix_acl && (SMB_VFS_SYS_ACL_GET_ENTRY(conn, posix_acl, entry_id, &entry) == 1)) {
2520 SMB_ACL_TAG_T tagtype;
2521 SMB_ACL_PERMSET_T permset;
2522 struct dom_sid sid;
2523 posix_id unix_ug;
2524 enum ace_owner owner_type;
2525
2526 entry_id = SMB_ACL_NEXT_ENTRY;
2527
2528 /* Is this a MASK entry ? */
2529 if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) == -1)
2530 continue;
2531
2532 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1)
2533 continue;
2534
2535 /* Decide which SID to use based on the ACL type. */
2536 switch(tagtype) {
2537 case SMB_ACL_USER_OBJ:
2538 /* Get the SID from the owner. */
2539 sid_copy(&sid, powner);
2540 unix_ug.uid = psbuf->st_ex_uid;
2541 owner_type = UID_ACE;
2542 break;
2543 case SMB_ACL_USER:
2544 {
2545 uid_t *puid = (uid_t *)SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry);
2546 if (puid == NULL) {
2547 DEBUG(0,("canonicalise_acl: Failed to get uid.\n"));
2548 continue;
2549 }
2550 uid_to_sid( &sid, *puid);
2551 unix_ug.uid = *puid;
2552 owner_type = UID_ACE;
2553 SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)puid,tagtype);
2554 break;
2555 }
2556 case SMB_ACL_GROUP_OBJ:
2557 /* Get the SID from the owning group. */
2558 sid_copy(&sid, pgroup);
2559 unix_ug.gid = psbuf->st_ex_gid;
2560 owner_type = GID_ACE;
2561 break;
2562 case SMB_ACL_GROUP:
2563 {
2564 gid_t *pgid = (gid_t *)SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry);
2565 if (pgid == NULL) {
2566 DEBUG(0,("canonicalise_acl: Failed to get gid.\n"));
2567 continue;
2568 }
2569 gid_to_sid( &sid, *pgid);
2570 unix_ug.gid = *pgid;
2571 owner_type = GID_ACE;
2572 SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)pgid,tagtype);
2573 break;
2574 }
2575 case SMB_ACL_MASK:
2576 acl_mask = convert_permset_to_mode_t(conn, permset);
2577 continue; /* Don't count the mask as an entry. */
2578 case SMB_ACL_OTHER:
2579 /* Use the Everyone SID */
2580 sid = global_sid_World;
2581 unix_ug.world = -1;
2582 owner_type = WORLD_ACE;
2583 break;
2584 default:
2585 DEBUG(0,("canonicalise_acl: Unknown tagtype %u\n", (unsigned int)tagtype));
2586 continue;
2587 }
2588
2589 /*
2590 * Add this entry to the list.
2591 */
2592
2593 if ((ace = talloc(talloc_tos(), canon_ace)) == NULL)
2594 goto fail;
2595
2596 ZERO_STRUCTP(ace);
2597 ace->type = tagtype;
2598 ace->perms = convert_permset_to_mode_t(conn, permset);
2599 ace->attr = ALLOW_ACE;
2600 ace->trustee = sid;
2601 ace->unix_ug = unix_ug;
2602 ace->owner_type = owner_type;
2603 ace->ace_flags = get_pai_flags(pal, ace, (the_acl_type == SMB_ACL_TYPE_DEFAULT));
2604
2605 DLIST_ADD(l_head, ace);
2606 }
2607
2608 /*
2609 * This next call will ensure we have at least a user/group/world set.
2610 */
2611
2612 if (!ensure_canon_entry_valid(conn, &l_head, conn->params,
2613 S_ISDIR(psbuf->st_ex_mode), powner, pgroup,
2614 psbuf, False))
2615 goto fail;
2616
2617 /*
2618 * Now go through the list, masking the permissions with the
2619 * acl_mask. Ensure all DENY Entries are at the start of the list.
2620 */
2621
2622 DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", the_acl_type == SMB_ACL_TYPE_ACCESS ? "Access" : "Default" ));
2623
2624 for ( ace_count = 0, ace = l_head; ace; ace = next_ace, ace_count++) {
2625 next_ace = ace->next;
2626
2627 /* Masks are only applied to entries other than USER_OBJ and OTHER. */
2628 if (ace->type != SMB_ACL_OTHER && ace->type != SMB_ACL_USER_OBJ)
2629 ace->perms &= acl_mask;
2630
2631 if (ace->perms == 0) {
2632 DLIST_PROMOTE(l_head, ace);
2633 }
2634
2635 if( DEBUGLVL( 10 ) ) {
2636 print_canon_ace(ace, ace_count);
2637 }
2638 }
2639
2640 arrange_posix_perms(fname,&l_head );
2641
2642 print_canon_ace_list( "canonicalise_acl: ace entries after arrange", l_head );
2643
2644 return l_head;
2645
2646 fail:
2647
2648 free_canon_ace_list(l_head);
2649 return NULL;
2650 }
2651
2652 /****************************************************************************
2653 Check if the current user group list contains a given group.
2654 ****************************************************************************/
2655
2656 bool current_user_in_group(connection_struct *conn, gid_t gid)
2657 {
2658 int i;
2659 const struct security_unix_token *utok = get_current_utok(conn);
2660
2661 for (i = 0; i < utok->ngroups; i++) {
2662 if (utok->groups[i] == gid) {
2663 return True;
2664 }
2665 }
2666
2667 return False;
2668 }
2669
2670 /****************************************************************************
2671 Should we override a deny ? Check 'acl group control' and 'dos filemode'.
2672 ****************************************************************************/
2673
2674 static bool acl_group_override(connection_struct *conn,
2675 const struct smb_filename *smb_fname)
2676 {
2677 if ((errno != EPERM) && (errno != EACCES)) {
2678 return false;
2679 }
2680
2681 /* file primary group == user primary or supplementary group */
2682 if (lp_acl_group_control(SNUM(conn)) &&
2683 current_user_in_group(conn, smb_fname->st.st_ex_gid)) {
2684 return true;
2685 }
2686
2687 /* user has writeable permission */
2688 if (lp_dos_filemode(SNUM(conn)) &&
2689 can_write_to_file(conn, smb_fname)) {
2690 return true;
2691 }
2692
2693 return false;
2694 }
2695
2696 /****************************************************************************
2697 Attempt to apply an ACL to a file or directory.
2698 ****************************************************************************/
2699
2700 static bool set_canon_ace_list(files_struct *fsp,
2701 canon_ace *the_ace,
2702 bool default_ace,
2703 const SMB_STRUCT_STAT *psbuf,
2704 bool *pacl_set_support)
2705 {
2706 connection_struct *conn = fsp->conn;
2707 bool ret = False;
2708 SMB_ACL_T the_acl = SMB_VFS_SYS_ACL_INIT(conn, (int)count_canon_ace_list(the_ace) + 1);
2709 canon_ace *p_ace;
2710 int i;
2711 SMB_ACL_ENTRY_T mask_entry;
2712 bool got_mask_entry = False;
2713 SMB_ACL_PERMSET_T mask_permset;
2714 SMB_ACL_TYPE_T the_acl_type = (default_ace ? SMB_ACL_TYPE_DEFAULT : SMB_ACL_TYPE_ACCESS);
2715 bool needs_mask = False;
2716 mode_t mask_perms = 0;
2717
2718 /* Use the psbuf that was passed in. */
2719 if (psbuf != &fsp->fsp_name->st) {
2720 fsp->fsp_name->st = *psbuf;
2721 }
2722
2723 #if defined(POSIX_ACL_NEEDS_MASK)
2724 /* HP-UX always wants to have a mask (called "class" there). */
2725 needs_mask = True;
2726 #endif
2727
2728 if (the_acl == NULL) {
2729
2730 if (!no_acl_syscall_error(errno)) {
2731 /*
2732 * Only print this error message if we have some kind of ACL
2733 * support that's not working. Otherwise we would always get this.
2734 */
2735 DEBUG(0,("set_canon_ace_list: Unable to init %s ACL. (%s)\n",
2736 default_ace ? "default" : "file", strerror(errno) ));
2737 }
2738 *pacl_set_support = False;
2739 goto fail;
2740 }
2741
2742 if( DEBUGLVL( 10 )) {
2743 dbgtext("set_canon_ace_list: setting ACL:\n");
2744 for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2745 print_canon_ace( p_ace, i);
2746 }
2747 }
2748
2749 for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2750 SMB_ACL_ENTRY_T the_entry;
2751 SMB_ACL_PERMSET_T the_permset;
2752
2753 /*
2754 * ACLs only "need" an ACL_MASK entry if there are any named user or
2755 * named group entries. But if there is an ACL_MASK entry, it applies
2756 * to ACL_USER, ACL_GROUP, and ACL_GROUP_OBJ entries. Set the mask
2757 * so that it doesn't deny (i.e., mask off) any permissions.
2758 */
2759
2760 if (p_ace->type == SMB_ACL_USER || p_ace->type == SMB_ACL_GROUP) {
2761 needs_mask = True;
2762 mask_perms |= p_ace->perms;
2763 } else if (p_ace->type == SMB_ACL_GROUP_OBJ) {
2764 mask_perms |= p_ace->perms;
2765 }
2766
2767 /*
2768 * Get the entry for this ACE.
2769 */
2770
2771 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &the_entry) == -1) {
2772 DEBUG(0,("set_canon_ace_list: Failed to create entry %d. (%s)\n",
2773 i, strerror(errno) ));
2774 goto fail;
2775 }
2776
2777 if (p_ace->type == SMB_ACL_MASK) {
2778 mask_entry = the_entry;
2779 got_mask_entry = True;
2780 }
2781
2782 /*
2783 * Ok - we now know the ACL calls should be working, don't
2784 * allow fallback to chmod.
2785 */
2786
2787 *pacl_set_support = True;
2788
2789 /*
2790 * Initialise the entry from the canon_ace.
2791 */
2792
2793 /*
2794 * First tell the entry what type of ACE this is.
2795 */
2796
2797 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, the_entry, p_ace->type) == -1) {
2798 DEBUG(0,("set_canon_ace_list: Failed to set tag type on entry %d. (%s)\n",
2799 i, strerror(errno) ));
2800 goto fail;
2801 }
2802
2803 /*
2804 * Only set the qualifier (user or group id) if the entry is a user
2805 * or group id ACE.
2806 */
2807
2808 if ((p_ace->type == SMB_ACL_USER) || (p_ace->type == SMB_ACL_GROUP)) {
2809 if (SMB_VFS_SYS_ACL_SET_QUALIFIER(conn, the_entry,(void *)&p_ace->unix_ug.uid) == -1) {
2810 DEBUG(0,("set_canon_ace_list: Failed to set qualifier on entry %d. (%s)\n",
2811 i, strerror(errno) ));
2812 goto fail;
2813 }
2814 }
2815
2816 /*
2817 * Convert the mode_t perms in the canon_ace to a POSIX permset.
2818 */
2819
2820 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, the_entry, &the_permset) == -1) {
2821 DEBUG(0,("set_canon_ace_list: Failed to get permset on entry %d. (%s)\n",
2822 i, strerror(errno) ));
2823 goto fail;
2824 }
2825
2826 if (map_acl_perms_to_permset(conn, p_ace->perms, &the_permset) == -1) {
2827 DEBUG(0,("set_canon_ace_list: Failed to create permset for mode (%u) on entry %d. (%s)\n",
2828 (unsigned int)p_ace->perms, i, strerror(errno) ));
2829 goto fail;
2830 }
2831
2832 /*
2833 * ..and apply them to the entry.
2834 */
2835
2836 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, the_entry, the_permset) == -1) {
2837 DEBUG(0,("set_canon_ace_list: Failed to add permset on entry %d. (%s)\n",
2838 i, strerror(errno) ));
2839 goto fail;
2840 }
2841
2842 if( DEBUGLVL( 10 ))
2843 print_canon_ace( p_ace, i);
2844
2845 }
2846
2847 if (needs_mask && !got_mask_entry) {
2848 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &mask_entry) == -1) {
2849 DEBUG(0,("set_canon_ace_list: Failed to create mask entry. (%s)\n", strerror(errno) ));
2850 goto fail;
2851 }
2852
2853 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, mask_entry, SMB_ACL_MASK) == -1) {
2854 DEBUG(0,("set_canon_ace_list: Failed to set tag type on mask entry. (%s)\n",strerror(errno) ));
2855 goto fail;
2856 }
2857
2858 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, mask_entry, &mask_permset) == -1) {
2859 DEBUG(0,("set_canon_ace_list: Failed to get mask permset. (%s)\n", strerror(errno) ));
2860 goto fail;
2861 }
2862
2863 if (map_acl_perms_to_permset(conn, S_IRUSR|S_IWUSR|S_IXUSR, &mask_permset) == -1) {
2864 DEBUG(0,("set_canon_ace_list: Failed to create mask permset. (%s)\n", strerror(errno) ));
2865 goto fail;
2866 }
2867
2868 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, mask_entry, mask_permset) == -1) {
2869 DEBUG(0,("set_canon_ace_list: Failed to add mask permset. (%s)\n", strerror(errno) ));
2870 goto fail;
2871 }
2872 }
2873
2874 /*
2875 * Finally apply it to the file or directory.
2876 */
2877
2878 if(default_ace || fsp->is_directory || fsp->fh->fd == -1) {
2879 if (SMB_VFS_SYS_ACL_SET_FILE(conn, fsp->fsp_name->base_name,
2880 the_acl_type, the_acl) == -1) {
2881 /*
2882 * Some systems allow all the above calls and only fail with no ACL support
2883 * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
2884 */
2885 if (no_acl_syscall_error(errno)) {
2886 *pacl_set_support = False;
2887 }
2888
2889 if (acl_group_override(conn, fsp->fsp_name)) {
2890 int sret;
2891
2892 DEBUG(5,("set_canon_ace_list: acl group "
2893 "control on and current user in file "
2894 "%s primary group.\n",
2895 fsp_str_dbg(fsp)));
2896
2897 become_root();
2898 sret = SMB_VFS_SYS_ACL_SET_FILE(conn,
2899 fsp->fsp_name->base_name, the_acl_type,
2900 the_acl);
2901 unbecome_root();
2902 if (sret == 0) {
2903 ret = True;
2904 }
2905 }
2906
2907 if (ret == False) {
2908 DEBUG(2,("set_canon_ace_list: "
2909 "sys_acl_set_file type %s failed for "
2910 "file %s (%s).\n",
2911 the_acl_type == SMB_ACL_TYPE_DEFAULT ?
2912 "directory default" : "file",
2913 fsp_str_dbg(fsp), strerror(errno)));
2914 goto fail;
2915 }
2916 }
2917 } else {
2918 if (SMB_VFS_SYS_ACL_SET_FD(fsp, the_acl) == -1) {
2919 /*
2920 * Some systems allow all the above calls and only fail with no ACL support
2921 * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
2922 */
2923 if (no_acl_syscall_error(errno)) {
2924 *pacl_set_support = False;
2925 }
2926
2927 if (acl_group_override(conn, fsp->fsp_name)) {
2928 int sret;
2929
2930 DEBUG(5,("set_canon_ace_list: acl group "
2931 "control on and current user in file "
2932 "%s primary group.\n",
2933 fsp_str_dbg(fsp)));
2934
2935 become_root();
2936 sret = SMB_VFS_SYS_ACL_SET_FD(fsp, the_acl);
2937 unbecome_root();
2938 if (sret == 0) {
2939 ret = True;
2940 }
2941 }
2942
2943 if (ret == False) {
2944 DEBUG(2,("set_canon_ace_list: "
2945 "sys_acl_set_file failed for file %s "
2946 "(%s).\n",
2947 fsp_str_dbg(fsp), strerror(errno)));
2948 goto fail;
2949 }
2950 }
2951 }
2952
2953 ret = True;
2954
2955 fail:
2956
2957 if (the_acl != NULL) {
2958 SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
2959 }
2960
2961 return ret;
2962 }
2963
2964 /****************************************************************************
2965 Find a particular canon_ace entry.
2966 ****************************************************************************/
2967
2968 static struct canon_ace *canon_ace_entry_for(struct canon_ace *list, SMB_ACL_TAG_T type, posix_id *id)
2969 {
2970 while (list) {
2971 if (list->type == type && ((type != SMB_ACL_USER && type != SMB_ACL_GROUP) ||
2972 (type == SMB_ACL_USER && id && id->uid == list->unix_ug.uid) ||
2973 (type == SMB_ACL_GROUP && id && id->gid == list->unix_ug.gid)))
2974 break;
2975 list = list->next;
2976 }
2977 return list;
2978 }
2979
2980 /****************************************************************************
2981
2982 ****************************************************************************/
2983
2984 SMB_ACL_T free_empty_sys_acl(connection_struct *conn, SMB_ACL_T the_acl)
2985 {
2986 SMB_ACL_ENTRY_T entry;
2987
2988 if (!the_acl)
2989 return NULL;
2990 if (SMB_VFS_SYS_ACL_GET_ENTRY(conn, the_acl, SMB_ACL_FIRST_ENTRY, &entry) != 1) {
2991 SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
2992 return NULL;
2993 }
2994 return the_acl;
2995 }
2996
2997 /****************************************************************************
2998 Convert a canon_ace to a generic 3 element permission - if possible.
2999 ****************************************************************************/
3000
3001 #define MAP_PERM(p,mask,result) (((p) & (mask)) ? (result) : 0 )
3002
3003 static bool convert_canon_ace_to_posix_perms( files_struct *fsp, canon_ace *file_ace_list, mode_t *posix_perms)
3004 {
3005 int snum = SNUM(fsp->conn);
3006 size_t ace_count = count_canon_ace_list(file_ace_list);
3007 canon_ace *ace_p;
3008 canon_ace *owner_ace = NULL;
3009 canon_ace *group_ace = NULL;
3010 canon_ace *other_ace = NULL;
3011 mode_t and_bits;
3012 mode_t or_bits;
3013
3014 if (ace_count != 3) {
3015 DEBUG(3,("convert_canon_ace_to_posix_perms: Too many ACE "
3016 "entries for file %s to convert to posix perms.\n",
3017 fsp_str_dbg(fsp)));
3018 return False;
3019 }
3020
3021 for (ace_p = file_ace_list; ace_p; ace_p = ace_p->next) {
3022 if (ace_p->owner_type == UID_ACE)
3023 owner_ace = ace_p;
3024 else if (ace_p->owner_type == GID_ACE)
3025 group_ace = ace_p;
3026 else if (ace_p->owner_type == WORLD_ACE)
3027 other_ace = ace_p;
3028 }
3029
3030 if (!owner_ace || !group_ace || !other_ace) {
3031 DEBUG(3,("convert_canon_ace_to_posix_perms: Can't get "
3032 "standard entries for file %s.\n", fsp_str_dbg(fsp)));
3033 return False;
3034 }
3035
3036 *posix_perms = (mode_t)0;
3037
3038 *posix_perms |= owner_ace->perms;
3039 *posix_perms |= MAP_PERM(group_ace->perms, S_IRUSR, S_IRGRP);
3040 *posix_perms |= MAP_PERM(group_ace->perms, S_IWUSR, S_IWGRP);
3041 *posix_perms |= MAP_PERM(group_ace->perms, S_IXUSR, S_IXGRP);
3042 *posix_perms |= MAP_PERM(other_ace->perms, S_IRUSR, S_IROTH);
3043 *posix_perms |= MAP_PERM(other_ace->perms, S_IWUSR, S_IWOTH);
3044 *posix_perms |= MAP_PERM(other_ace->perms, S_IXUSR, S_IXOTH);
3045
3046 /* The owner must have at least read access. */
3047
3048 *posix_perms |= S_IRUSR;
3049 if (fsp->is_directory)
3050 *posix_perms |= (S_IWUSR|S_IXUSR);
3051
3052 /* If requested apply the masks. */
3053
3054 /* Get the initial bits to apply. */
3055
3056 if (fsp->is_directory) {
3057 and_bits = lp_dir_security_mask(snum);
3058 or_bits = lp_force_dir_security_mode(snum);
3059 } else {
3060 and_bits = lp_security_mask(snum);
3061 or_bits = lp_force_security_mode(snum);
3062 }
3063
3064 *posix_perms = (((*posix_perms) & and_bits)|or_bits);
3065
3066 DEBUG(10,("convert_canon_ace_to_posix_perms: converted u=%o,g=%o,w=%o "
3067 "to perm=0%o for file %s.\n", (int)owner_ace->perms,
3068 (int)group_ace->perms, (int)other_ace->perms,
3069 (int)*posix_perms, fsp_str_dbg(fsp)));
3070
3071 return True;
3072 }
3073
3074 /****************************************************************************
3075 Incoming NT ACLs on a directory can be split into a default POSIX acl (CI|OI|IO) and
3076 a normal POSIX acl. Win2k needs these split acls re-merging into one ACL
3077 with CI|OI set so it is inherited and also applies to the directory.
3078 Based on code from "Jim McDonough" <jmcd@us.ibm.com>.
3079 ****************************************************************************/
3080
3081 static size_t merge_default_aces( struct security_ace *nt_ace_list, size_t num_aces)
3082 {
3083 size_t i, j;
3084
3085 for (i = 0; i < num_aces; i++) {
3086 for (j = i+1; j < num_aces; j++) {
3087 uint32 i_flags_ni = (nt_ace_list[i].flags & ~SEC_ACE_FLAG_INHERITED_ACE);
3088 uint32 j_flags_ni = (nt_ace_list[j].flags & ~SEC_ACE_FLAG_INHERITED_ACE);
3089 bool i_inh = (nt_ace_list[i].flags & SEC_ACE_FLAG_INHERITED_ACE) ? True : False;
3090 bool j_inh = (nt_ace_list[j].flags & SEC_ACE_FLAG_INHERITED_ACE) ? True : False;
3091
3092 /* We know the lower number ACE's are file entries. */
3093 if ((nt_ace_list[i].type == nt_ace_list[j].type) &&
3094 (nt_ace_list[i].size == nt_ace_list[j].size) &&
3095 (nt_ace_list[i].access_mask == nt_ace_list[j].access_mask) &&
3096 dom_sid_equal(&nt_ace_list[i].trustee, &nt_ace_list[j].trustee) &&
3097 (i_inh == j_inh) &&
3098 (i_flags_ni == 0) &&
3099 (j_flags_ni == (SEC_ACE_FLAG_OBJECT_INHERIT|
3100 SEC_ACE_FLAG_CONTAINER_INHERIT|
3101 SEC_ACE_FLAG_INHERIT_ONLY))) {
3102 /*
3103 * W2K wants to have access allowed zero access ACE's
3104 * at the end of the list. If the mask is zero, merge
3105 * the non-inherited ACE onto the inherited ACE.
3106 */
3107
3108 if (nt_ace_list[i].access_mask == 0) {
3109 nt_ace_list[j].flags = SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
3110 (i_inh ? SEC_ACE_FLAG_INHERITED_ACE : 0);
3111 if (num_aces - i - 1 > 0)
3112 memmove(&nt_ace_list[i], &nt_ace_list[i+1], (num_aces-i-1) *
3113 sizeof(struct security_ace));
3114
3115 DEBUG(10,("merge_default_aces: Merging zero access ACE %u onto ACE %u.\n",
3116 (unsigned int)i, (unsigned int)j ));
3117 } else {
3118 /*
3119 * These are identical except for the flags.
3120 * Merge the inherited ACE onto the non-inherited ACE.
3121 */
3122
3123 nt_ace_list[i].flags = SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
3124 (i_inh ? SEC_ACE_FLAG_INHERITED_ACE : 0);
3125 if (num_aces - j - 1 > 0)
3126 memmove(&nt_ace_list[j], &nt_ace_list[j+1], (num_aces-j-1) *
3127 sizeof(struct security_ace));
3128
3129 DEBUG(10,("merge_default_aces: Merging ACE %u onto ACE %u.\n",
3130 (unsigned int)j, (unsigned int)i ));
3131 }
3132 num_aces--;
3133 break;
3134 }
3135 }
3136 }
3137
3138 return num_aces;
3139 }
3140
3141 /*
3142 * Add or Replace ACE entry.
3143 * In some cases we need to add a specific ACE for compatibility reasons.
3144 * When doing that we must make sure we are not actually creating a duplicate
3145 * entry. So we need to search whether an ACE entry already exist and eventually
3146 * replacce the access mask, or add a completely new entry if none was found.
3147 *
3148 * This function assumes the array has enough space to add a new entry without
3149 * any reallocation of memory.
3150 */
3151
3152 static void add_or_replace_ace(struct security_ace *nt_ace_list, size_t *num_aces,
3153 const struct dom_sid *sid, enum security_ace_type type,
3154 uint32_t mask, uint8_t flags)
3155 {
3156 int i;
3157
3158 /* first search for a duplicate */
3159 for (i = 0; i < *num_aces; i++) {
3160 if (dom_sid_equal(&nt_ace_list[i].trustee, sid) &&
3161 (nt_ace_list[i].flags == flags)) break;
3162 }
3163
3164 if (i < *num_aces) { /* found */
3165 nt_ace_list[i].type = type;
3166 nt_ace_list[i].access_mask = mask;
3167 DEBUG(10, ("Replacing ACE %d with SID %s and flags %02x\n",
3168 i, sid_string_dbg(sid), flags));
3169 return;
3170 }
3171
3172 /* not found, append it */
3173 init_sec_ace(&nt_ace_list[(*num_aces)++], sid, type, mask, flags);
3174 }
3175
3176
3177 /****************************************************************************
3178 Reply to query a security descriptor from an fsp. If it succeeds it allocates
3179 the space for the return elements and returns the size needed to return the
3180 security descriptor. This should be the only external function needed for
3181 the UNIX style get ACL.
3182 ****************************************************************************/
3183
3184 static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
3185 const char *name,
3186 const SMB_STRUCT_STAT *sbuf,
3187 struct pai_val *pal,
3188 SMB_ACL_T posix_acl,
3189 SMB_ACL_T def_acl,
3190 uint32_t security_info,
3191 struct security_descriptor **ppdesc)
3192 {
3193 struct dom_sid owner_sid;
3194 struct dom_sid group_sid;
3195 size_t sd_size = 0;
3196 struct security_acl *psa = NULL;
3197 size_t num_acls = 0;
3198 size_t num_def_acls = 0;
3199 size_t num_aces = 0;
3200 canon_ace *file_ace = NULL;
3201 canon_ace *dir_ace = NULL;
3202 struct security_ace *nt_ace_list = NULL;
3203 size_t num_profile_acls = 0;
3204 struct dom_sid orig_owner_sid;
3205 struct security_descriptor *psd = NULL;
3206 int i;
3207
3208 /*
3209 * Get the owner, group and world SIDs.
3210 */
3211
3212 create_file_sids(sbuf, &owner_sid, &group_sid);
3213
3214 if (lp_profile_acls(SNUM(conn))) {
3215 /* For WXP SP1 the owner must be administrators. */
3216 sid_copy(&orig_owner_sid, &owner_sid);
3217 sid_copy(&owner_sid, &global_sid_Builtin_Administrators);
3218 sid_copy(&group_sid, &global_sid_Builtin_Users);
3219 num_profile_acls = 3;
3220 }
3221
3222 if ((security_info & SECINFO_DACL) && !(security_info & SECINFO_PROTECTED_DACL)) {
3223
3224 /*
3225 * In the optimum case Creator Owner and Creator Group would be used for
3226 * the ACL_USER_OBJ and ACL_GROUP_OBJ entries, respectively, but this
3227 * would lead to usability problems under Windows: The Creator entries
3228 * are only available in browse lists of directories and not for files;
3229 * additionally the identity of the owning group couldn't be determined.
3230 * We therefore use those identities only for Default ACLs.
3231 */
3232
3233 /* Create the canon_ace lists. */
3234 file_ace = canonicalise_acl(conn, name, posix_acl, sbuf,
3235 &owner_sid, &group_sid, pal,
3236 SMB_ACL_TYPE_ACCESS);
3237
3238 /* We must have *some* ACLS. */
3239
3240 if (count_canon_ace_list(file_ace) == 0) {
3241 DEBUG(0,("get_nt_acl : No ACLs on file (%s) !\n", name));
3242 goto done;
3243 }
3244
3245 if (S_ISDIR(sbuf->st_ex_mode) && def_acl) {
3246 dir_ace = canonicalise_acl(conn, name, def_acl,
3247 sbuf,
3248 &global_sid_Creator_Owner,
3249 &global_sid_Creator_Group,
3250 pal, SMB_ACL_TYPE_DEFAULT);
3251 }
3252
3253 /*
3254 * Create the NT ACE list from the canonical ace lists.
3255 */
3256
3257 {
3258 canon_ace *ace;
3259 enum security_ace_type nt_acl_type;
3260
3261 if (nt4_compatible_acls() && dir_ace) {
3262 /*
3263 * NT 4 chokes if an ACL contains an INHERIT_ONLY entry
3264 * but no non-INHERIT_ONLY entry for one SID. So we only
3265 * remove entries from the Access ACL if the
3266 * corresponding Default ACL entries have also been
3267 * removed. ACEs for CREATOR-OWNER and CREATOR-GROUP
3268 * are exceptions. We can do nothing
3269 * intelligent if the Default ACL contains entries that
3270 * are not also contained in the Access ACL, so this
3271 * case will still fail under NT 4.
3272 */
3273
3274 ace = canon_ace_entry_for(dir_ace, SMB_ACL_OTHER, NULL);
3275 if (ace && !ace->perms) {
3276 DLIST_REMOVE(dir_ace, ace);
3277 TALLOC_FREE(ace);
3278
3279 ace = canon_ace_entry_for(file_ace, SMB_ACL_OTHER, NULL);
3280 if (ace && !ace->perms) {
3281 DLIST_REMOVE(file_ace, ace);
3282 TALLOC_FREE(ace);
3283 }
3284 }
3285
3286 /*
3287 * WinNT doesn't usually have Creator Group
3288 * in browse lists, so we send this entry to
3289 * WinNT even if it contains no relevant
3290 * permissions. Once we can add
3291 * Creator Group to browse lists we can
3292 * re-enable this.
3293 */
3294
3295 #if 0
3296 ace = canon_ace_entry_for(dir_ace, SMB_ACL_GROUP_OBJ, NULL);
3297 if (ace && !ace->perms) {
3298 DLIST_REMOVE(dir_ace, ace);
3299 TALLOC_FREE(ace);
3300 }
3301 #endif
3302
3303 ace = canon_ace_entry_for(file_ace, SMB_ACL_GROUP_OBJ, NULL);
3304 if (ace && !ace->perms) {
3305 DLIST_REMOVE(file_ace, ace);
3306 TALLOC_FREE(ace);
3307 }
3308 }
3309
3310 num_acls = count_canon_ace_list(file_ace);
3311 num_def_acls = count_canon_ace_list(dir_ace);
3312
3313 /* Allocate the ace list. */
3314 if ((nt_ace_list = talloc_array(talloc_tos(), struct security_ace,num_acls + num_profile_acls + num_def_acls)) == NULL) {
3315 DEBUG(0,("get_nt_acl: Unable to malloc space for nt_ace_list.\n"));
3316 goto done;
3317 }
3318
3319 memset(nt_ace_list, '\0', (num_acls + num_def_acls) * sizeof(struct security_ace) );
3320
3321 /*
3322 * Create the NT ACE list from the canonical ace lists.
3323 */
3324
3325 for (ace = file_ace; ace != NULL; ace = ace->next) {
3326 uint32_t acc = map_canon_ace_perms(SNUM(conn),
3327 &nt_acl_type,
3328 ace->perms,
3329 S_ISDIR(sbuf->st_ex_mode));
3330 init_sec_ace(&nt_ace_list[num_aces++],
3331 &ace->trustee,
3332 nt_acl_type,
3333 acc,
3334 ace->ace_flags);
3335 }
3336
3337 /* The User must have access to a profile share - even
3338 * if we can't map the SID. */
3339 if (lp_profile_acls(SNUM(conn))) {
3340 add_or_replace_ace(nt_ace_list, &num_aces,
3341 &global_sid_Builtin_Users,
3342 SEC_ACE_TYPE_ACCESS_ALLOWED,
3343 FILE_GENERIC_ALL, 0);
3344 }
3345
3346 for (ace = dir_ace; ace != NULL; ace = ace->next) {
3347 uint32_t acc = map_canon_ace_perms(SNUM(conn),
3348 &nt_acl_type,
3349 ace->perms,
3350 S_ISDIR(sbuf->st_ex_mode));
3351 init_sec_ace(&nt_ace_list[num_aces++],
3352 &ace->trustee,
3353 nt_acl_type,
3354 acc,
3355 ace->ace_flags |
3356 SEC_ACE_FLAG_OBJECT_INHERIT|
3357 SEC_ACE_FLAG_CONTAINER_INHERIT|
3358 SEC_ACE_FLAG_INHERIT_ONLY);
3359 }
3360
3361 /* The User must have access to a profile share - even
3362 * if we can't map the SID. */
3363 if (lp_profile_acls(SNUM(conn))) {
3364 add_or_replace_ace(nt_ace_list, &num_aces,
3365 &global_sid_Builtin_Users,
3366 SEC_ACE_TYPE_ACCESS_ALLOWED,
3367 FILE_GENERIC_ALL,
3368 SEC_ACE_FLAG_OBJECT_INHERIT |
3369 SEC_ACE_FLAG_CONTAINER_INHERIT |
3370 SEC_ACE_FLAG_INHERIT_ONLY);
3371 }
3372
3373 /*
3374 * Merge POSIX default ACLs and normal ACLs into one NT ACE.
3375 * Win2K needs this to get the inheritance correct when replacing ACLs
3376 * on a directory tree. Based on work by Jim @ IBM.
3377 */
3378
3379 num_aces = merge_default_aces(nt_ace_list, num_aces);
3380
3381 if (lp_profile_acls(SNUM(conn))) {
3382 for (i = 0; i < num_aces; i++) {
3383 if (dom_sid_equal(&nt_ace_list[i].trustee, &owner_sid)) {
3384 add_or_replace_ace(nt_ace_list, &num_aces,
3385 &orig_owner_sid,
3386 nt_ace_list[i].type,
3387 nt_ace_list[i].access_mask,
3388 nt_ace_list[i].flags);
3389 break;
3390 }
3391 }
3392 }
3393 }
3394
3395 if (num_aces) {
3396 if((psa = make_sec_acl( talloc_tos(), NT4_ACL_REVISION, num_aces, nt_ace_list)) == NULL) {
3397 DEBUG(0,("get_nt_acl: Unable to malloc space for acl.\n"));
3398 goto done;
3399 }
3400 }
3401 } /* security_info & SECINFO_DACL */
3402
3403 psd = make_standard_sec_desc( talloc_tos(),
3404 (security_info & SECINFO_OWNER) ? &owner_sid : NULL,
3405 (security_info & SECINFO_GROUP) ? &group_sid : NULL,
3406 psa,
3407 &sd_size);
3408
3409 if(!psd) {
3410 DEBUG(0,("get_nt_acl: Unable to malloc space for security descriptor.\n"));
3411 sd_size = 0;
3412 goto done;
3413 }
3414
3415 /*
3416 * Windows 2000: The DACL_PROTECTED flag in the security
3417 * descriptor marks the ACL as non-inheriting, i.e., no
3418 * ACEs from higher level directories propagate to this
3419 * ACL. In the POSIX ACL model permissions are only
3420 * inherited at file create time, so ACLs never contain
3421 * any ACEs that are inherited dynamically. The DACL_PROTECTED
3422 * flag doesn't seem to bother Windows NT.
3423 * Always set this if map acl inherit is turned off.
3424 */
3425 if (pal == NULL || !lp_map_acl_inherit(SNUM(conn))) {
3426 psd->type |= SEC_DESC_DACL_PROTECTED;
3427 } else {
3428 psd->type |= pal->sd_type;
3429 }
3430
3431 if (psd->dacl) {
3432 dacl_sort_into_canonical_order(psd->dacl->aces, (unsigned int)psd->dacl->num_aces);
3433 }
3434
3435 *ppdesc = psd;
3436
3437 done:
3438
3439 if (posix_acl) {
3440 SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
3441 }
3442 if (def_acl) {
3443 SMB_VFS_SYS_ACL_FREE_ACL(conn, def_acl);
3444 }
3445 free_canon_ace_list(file_ace);
3446 free_canon_ace_list(dir_ace);
3447 free_inherited_info(pal);
3448 TALLOC_FREE(nt_ace_list);
3449
3450 return NT_STATUS_OK;
3451 }
3452
3453 NTSTATUS posix_fget_nt_acl(struct files_struct *fsp, uint32_t security_info,
3454 struct security_descriptor **ppdesc)
3455 {
3456 SMB_STRUCT_STAT sbuf;
3457 SMB_ACL_T posix_acl = NULL;
3458 struct pai_val *pal;
3459
3460 *ppdesc = NULL;
3461
3462 DEBUG(10,("posix_fget_nt_acl: called for file %s\n",
3463 fsp_str_dbg(fsp)));
3464
3465 /* can it happen that fsp_name == NULL ? */
3466 if (fsp->is_directory || fsp->fh->fd == -1) {
3467 return posix_get_nt_acl(fsp->conn, fsp->fsp_name->base_name,
3468 security_info, ppdesc);
3469 }
3470
3471 /* Get the stat struct for the owner info. */
3472 if(SMB_VFS_FSTAT(fsp, &sbuf) != 0) {
3473 return map_nt_error_from_unix(errno);
3474 }
3475
3476 /* Get the ACL from the fd. */
3477 posix_acl = SMB_VFS_SYS_ACL_GET_FD(fsp);
3478
3479 pal = fload_inherited_info(fsp);
3480
3481 return posix_get_nt_acl_common(fsp->conn, fsp->fsp_name->base_name,
3482 &sbuf, pal, posix_acl, NULL,
3483 security_info, ppdesc);
3484 }
3485
3486 NTSTATUS posix_get_nt_acl(struct connection_struct *conn, const char *name,
3487 uint32_t security_info, struct security_descriptor **ppdesc)
3488 {
3489 SMB_ACL_T posix_acl = NULL;
3490 SMB_ACL_T def_acl = NULL;
3491 struct pai_val *pal;
3492 struct smb_filename smb_fname;
3493 int ret;
3494
3495 *ppdesc = NULL;
3496
3497 DEBUG(10,("posix_get_nt_acl: called for file %s\n", name ));
3498
3499 ZERO_STRUCT(smb_fname);
3500 smb_fname.base_name = discard_const_p(char, name);
3501
3502 /* Get the stat struct for the owner info. */
3503 if (lp_posix_pathnames()) {
3504 ret = SMB_VFS_LSTAT(conn, &smb_fname);
3505 } else {
3506 ret = SMB_VFS_STAT(conn, &smb_fname);
3507 }
3508
3509 if (ret == -1) {
3510 return map_nt_error_from_unix(errno);
3511 }
3512
3513 /* Get the ACL from the path. */
3514 posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, name, SMB_ACL_TYPE_ACCESS);
3515
3516 /* If it's a directory get the default POSIX ACL. */
3517 if(S_ISDIR(smb_fname.st.st_ex_mode)) {
3518 def_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, name, SMB_ACL_TYPE_DEFAULT);
3519 def_acl = free_empty_sys_acl(conn, def_acl);
3520 }
3521
3522 pal = load_inherited_info(conn, name);
3523
3524 return posix_get_nt_acl_common(conn, name, &smb_fname.st, pal,
3525 posix_acl, def_acl, security_info,
3526 ppdesc);
3527 }
3528
3529 /****************************************************************************
3530 Try to chown a file. We will be able to chown it under the following conditions.
3531
3532 1) If we have root privileges, then it will just work.
3533 2) If we have SeRestorePrivilege we can change the user + group to any other user.
3534 3) If we have SeTakeOwnershipPrivilege we can change the user to the current user.
3535 4) If we have write permission to the file and dos_filemodes is set
3536 then allow chown to the currently authenticated user.
3537 ****************************************************************************/
3538
3539 NTSTATUS try_chown(files_struct *fsp, uid_t uid, gid_t gid)
3540 {
3541 NTSTATUS status;
3542
3543 if(!CAN_WRITE(fsp->conn)) {
3544 return NT_STATUS_MEDIA_WRITE_PROTECTED;
3545 }
3546
3547 /* Case (1). */
3548 status = vfs_chown_fsp(fsp, uid, gid);
3549 if (NT_STATUS_IS_OK(status)) {
3550 return status;
3551 }
3552
3553 /* Case (2) / (3) */
3554 if (lp_enable_privileges()) {
3555 bool has_take_ownership_priv = security_token_has_privilege(
3556 get_current_nttok(fsp->conn),
3557 SEC_PRIV_TAKE_OWNERSHIP);
3558 bool has_restore_priv = security_token_has_privilege(
3559 get_current_nttok(fsp->conn),
3560 SEC_PRIV_RESTORE);
3561
3562 if (has_restore_priv) {
3563 ; /* Case (2) */
3564 } else if (has_take_ownership_priv) {
3565 /* Case (3) */
3566 if (uid == get_current_uid(fsp->conn)) {
3567 gid = (gid_t)-1;
3568 } else {
3569 has_take_ownership_priv = false;
3570 }
3571 }
3572
3573 if (has_take_ownership_priv || has_restore_priv) {
3574 become_root();
3575 status = vfs_chown_fsp(fsp, uid, gid);
3576 unbecome_root();
3577 return status;
3578 }
3579 }
3580
3581 /* Case (4). */
3582 if (!lp_dos_filemode(SNUM(fsp->conn))) {
3583 return NT_STATUS_ACCESS_DENIED;
3584 }
3585
3586 /* only allow chown to the current user. This is more secure,
3587 and also copes with the case where the SID in a take ownership ACL is
3588 a local SID on the users workstation
3589 */
3590 if (uid != get_current_uid(fsp->conn)) {
3591 return NT_STATUS_ACCESS_DENIED;
3592 }
3593
3594 become_root();
3595 /* Keep the current file gid the same. */
3596 status = vfs_chown_fsp(fsp, uid, (gid_t)-1);
3597 unbecome_root();
3598
3599 return status;
3600 }
3601
3602 #if 0
3603 /* Disable this - prevents ACL inheritance from the ACL editor. JRA. */
3604
3605 /****************************************************************************
3606 Take care of parent ACL inheritance.
3607 ****************************************************************************/
3608
3609 NTSTATUS append_parent_acl(files_struct *fsp,
3610 const struct security_descriptor *pcsd,
3611 struct security_descriptor **pp_new_sd)
3612 {
3613 struct smb_filename *smb_dname = NULL;
3614 struct security_descriptor *parent_sd = NULL;
3615 files_struct *parent_fsp = NULL;
3616 TALLOC_CTX *mem_ctx = talloc_tos();
3617 char *parent_name = NULL;
3618 struct security_ace *new_ace = NULL;
3619 unsigned int num_aces = pcsd->dacl->num_aces;
3620 NTSTATUS status;
3621 int info;
3622 unsigned int i, j;
3623 struct security_descriptor *psd = dup_sec_desc(talloc_tos(), pcsd);
3624 bool is_dacl_protected = (pcsd->type & SEC_DESC_DACL_PROTECTED);
3625
3626 if (psd == NULL) {
3627 return NT_STATUS_NO_MEMORY;
3628 }
3629
3630 if (!parent_dirname(mem_ctx, fsp->fsp_name->base_name, &parent_name,
3631 NULL)) {
3632 return NT_STATUS_NO_MEMORY;
3633 }
3634
3635 status = create_synthetic_smb_fname(mem_ctx, parent_name, NULL, NULL,
3636 &smb_dname);
3637 if (!NT_STATUS_IS_OK(status)) {
3638 goto fail;
3639 }
3640
3641 status = SMB_VFS_CREATE_FILE(
3642 fsp->conn, /* conn */
3643 NULL, /* req */
3644 0, /* root_dir_fid */
3645 smb_dname, /* fname */
3646 FILE_READ_ATTRIBUTES, /* access_mask */
3647 FILE_SHARE_NONE, /* share_access */
3648 FILE_OPEN, /* create_disposition*/
3649 FILE_DIRECTORY_FILE, /* create_options */
3650 0, /* file_attributes */
3651 INTERNAL_OPEN_ONLY, /* oplock_request */
3652 0, /* allocation_size */
3653 NULL, /* sd */
3654 NULL, /* ea_list */
3655 &parent_fsp, /* result */
3656 &info); /* pinfo */
3657
3658 if (!NT_STATUS_IS_OK(status)) {
3659 TALLOC_FREE(smb_dname);
3660 return status;
3661 }
3662
3663 status = SMB_VFS_GET_NT_ACL(parent_fsp->conn, smb_dname->base_name,
3664 SECINFO_DACL, &parent_sd );
3665
3666 close_file(NULL, parent_fsp, NORMAL_CLOSE);
3667 TALLOC_FREE(smb_dname);
3668
3669 if (!NT_STATUS_IS_OK(status)) {
3670 return status;
3671 }
3672
3673 /*
3674 * Make room for potentially all the ACLs from
3675 * the parent. We used to add the ugw triple here,
3676 * as we knew we were dealing with POSIX ACLs.
3677 * We no longer need to do so as we can guarentee
3678 * that a default ACL from the parent directory will
3679 * be well formed for POSIX ACLs if it came from a
3680 * POSIX ACL source, and if we're not writing to a
3681 * POSIX ACL sink then we don't care if it's not well
3682 * formed. JRA.
3683 */
3684
3685 num_aces += parent_sd->dacl->num_aces;
3686
3687 if((new_ace = talloc_zero_array(mem_ctx, struct security_ace,
3688 num_aces)) == NULL) {
3689 return NT_STATUS_NO_MEMORY;
3690 }
3691
3692 /* Start by copying in all the given ACE entries. */
3693 for (i = 0; i < psd->dacl->num_aces; i++) {
3694 sec_ace_copy(&new_ace[i], &psd->dacl->aces[i]);
3695 }
3696
3697 /*
3698 * Note that we're ignoring "inherit permissions" here
3699 * as that really only applies to newly created files. JRA.
3700 */
3701
3702 /* Finally append any inherited ACEs. */
3703 for (j = 0; j < parent_sd->dacl->num_aces; j++) {
3704 struct security_ace *se = &parent_sd->dacl->aces[j];
3705
3706 if (fsp->is_directory) {
3707 if (!(se->flags & SEC_ACE_FLAG_CONTAINER_INHERIT)) {
3708 /* Doesn't apply to a directory - ignore. */
3709 DEBUG(10,("append_parent_acl: directory %s "
3710 "ignoring non container "
3711 "inherit flags %u on ACE with sid %s "
3712 "from parent %s\n",
3713 fsp_str_dbg(fsp),
3714 (unsigned int)se->flags,
3715 sid_string_dbg(&se->trustee),
3716 parent_name));
3717 continue;
3718 }
3719 } else {
3720 if (!(se->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) {
3721 /* Doesn't apply to a file - ignore. */
3722 DEBUG(10,("append_parent_acl: file %s "
3723 "ignoring non object "
3724 "inherit flags %u on ACE with sid %s "
3725 "from parent %s\n",
3726 fsp_str_dbg(fsp),
3727 (unsigned int)se->flags,
3728 sid_string_dbg(&se->trustee),
3729 parent_name));
3730 continue;
3731 }
3732 }
3733
3734 if (is_dacl_protected) {
3735 /* If the DACL is protected it means we must
3736 * not overwrite an existing ACE entry with the
3737 * same SID. This is order N^2. Ouch :-(. JRA. */
3738 unsigned int k;
3739 for (k = 0; k < psd->dacl->num_aces; k++) {
3740 if (dom_sid_equal(&psd->dacl->aces[k].trustee,
3741 &se->trustee)) {
3742 break;
3743 }
3744 }
3745 if (k < psd->dacl->num_aces) {
3746 /* SID matched. Ignore. */
3747 DEBUG(10,("append_parent_acl: path %s "
3748 "ignoring ACE with protected sid %s "
3749 "from parent %s\n",
3750 fsp_str_dbg(fsp),
3751 sid_string_dbg(&se->trustee),
3752 parent_name));
3753 continue;
3754 }
3755 }
3756
3757 sec_ace_copy(&new_ace[i], se);
3758 if (se->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
3759 new_ace[i].flags &= ~(SEC_ACE_FLAG_VALID_INHERIT);
3760 }
3761 new_ace[i].flags |= SEC_ACE_FLAG_INHERITED_ACE;
3762
3763 if (fsp->is_directory) {
3764 /*
3765 * Strip off any inherit only. It's applied.
3766 */
3767 new_ace[i].flags &= ~(SEC_ACE_FLAG_INHERIT_ONLY);
3768 if (se->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
3769 /* No further inheritance. */
3770 new_ace[i].flags &=
3771 ~(SEC_ACE_FLAG_CONTAINER_INHERIT|
3772 SEC_ACE_FLAG_OBJECT_INHERIT);
3773 }
3774 } else {
3775 /*
3776 * Strip off any container or inherit
3777 * flags, they can't apply to objects.
3778 */
3779 new_ace[i].flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|
3780 SEC_ACE_FLAG_INHERIT_ONLY|
3781 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT);
3782 }
3783 i++;
3784
3785 DEBUG(10,("append_parent_acl: path %s "
3786 "inheriting ACE with sid %s "
3787 "from parent %s\n",
3788 fsp_str_dbg(fsp),
3789 sid_string_dbg(&se->trustee),
3790 parent_name));
3791 }
3792
3793 psd->dacl->aces = new_ace;
3794 psd->dacl->num_aces = i;
3795 psd->type &= ~(SEC_DESC_DACL_AUTO_INHERITED|
3796 SEC_DESC_DACL_AUTO_INHERIT_REQ);
3797
3798 *pp_new_sd = psd;
3799 return status;
3800 }
3801 #endif
3802
3803 /****************************************************************************
3804 Reply to set a security descriptor on an fsp. security_info_sent is the
3805 description of the following NT ACL.
3806 This should be the only external function needed for the UNIX style set ACL.
3807 We make a copy of psd_orig as internal functions modify the elements inside
3808 it, even though it's a const pointer.
3809 ****************************************************************************/
3810
3811 NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const struct security_descriptor *psd_orig)
3812 {
3813 connection_struct *conn = fsp->conn;
3814 uid_t user = (uid_t)-1;
3815 gid_t grp = (gid_t)-1;
3816 struct dom_sid file_owner_sid;
3817 struct dom_sid file_grp_sid;
3818 canon_ace *file_ace_list = NULL;
3819 canon_ace *dir_ace_list = NULL;
3820 bool acl_perms = False;
3821 mode_t orig_mode = (mode_t)0;
3822 NTSTATUS status;
3823 bool set_acl_as_root = false;
3824 bool acl_set_support = false;
3825 bool ret = false;
3826 struct security_descriptor *psd = NULL;
3827
3828 DEBUG(10,("set_nt_acl: called for file %s\n",
3829 fsp_str_dbg(fsp)));
3830
3831 if (!CAN_WRITE(conn)) {
3832 DEBUG(10,("set acl rejected on read-only share\n"));
3833 return NT_STATUS_MEDIA_WRITE_PROTECTED;
3834 }
3835
3836 if (!psd_orig) {
3837 return NT_STATUS_INVALID_PARAMETER;
3838 }
3839
3840 psd = dup_sec_desc(talloc_tos(), psd_orig);
3841 if (!psd) {
3842 return NT_STATUS_NO_MEMORY;
3843 }
3844
3845 /*
3846 * Get the current state of the file.
3847 */
3848
3849 status = vfs_stat_fsp(fsp);
3850 if (!NT_STATUS_IS_OK(status)) {
3851 return status;
3852 }
3853
3854 /* Save the original element we check against. */
3855 orig_mode = fsp->fsp_name->st.st_ex_mode;
3856
3857 /*
3858 * Unpack the user/group/world id's.
3859 */
3860
3861 /* POSIX can't cope with missing owner/group. */
3862 if ((security_info_sent & SECINFO_OWNER) && (psd->owner_sid == NULL)) {
3863 security_info_sent &= ~SECINFO_OWNER;
3864 }
3865 if ((security_info_sent & SECINFO_GROUP) && (psd->group_sid == NULL)) {
3866 security_info_sent &= ~SECINFO_GROUP;
3867 }
3868
3869 status = unpack_nt_owners( conn, &user, &grp, security_info_sent, psd);
3870 if (!NT_STATUS_IS_OK(status)) {
3871 return status;
3872 }
3873
3874 /*
3875 * Do we need to chown ? If so this must be done first as the incoming
3876 * CREATOR_OWNER acl will be relative to the *new* owner, not the old.
3877 * Noticed by Simo.
3878 */
3879
3880 if (((user != (uid_t)-1) && (fsp->fsp_name->st.st_ex_uid != user)) ||
3881 (( grp != (gid_t)-1) && (fsp->fsp_name->st.st_ex_gid != grp))) {
3882
3883 DEBUG(3,("set_nt_acl: chown %s. uid = %u, gid = %u.\n",
3884 fsp_str_dbg(fsp), (unsigned int)user,
3885 (unsigned int)grp));
3886
3887 status = try_chown(fsp, user, grp);
3888 if(!NT_STATUS_IS_OK(status)) {
3889 DEBUG(3,("set_nt_acl: chown %s, %u, %u failed. Error "
3890 "= %s.\n", fsp_str_dbg(fsp),
3891 (unsigned int)user,
3892 (unsigned int)grp,
3893 nt_errstr(status)));
3894 return status;
3895 }
3896
3897 /*
3898 * Recheck the current state of the file, which may have changed.
3899 * (suid/sgid bits, for instance)
3900 */
3901
3902 status = vfs_stat_fsp(fsp);
3903 if (!NT_STATUS_IS_OK(status)) {
3904 return status;
3905 }
3906
3907 /* Save the original element we check against. */
3908 orig_mode = fsp->fsp_name->st.st_ex_mode;
3909
3910 /* If we successfully chowned, we know we must
3911 * be able to set the acl, so do it as root.
3912 */
3913 set_acl_as_root = true;
3914 }
3915
3916 create_file_sids(&fsp->fsp_name->st, &file_owner_sid, &file_grp_sid);
3917
3918 if((security_info_sent & SECINFO_DACL) &&
3919 (psd->type & SEC_DESC_DACL_PRESENT) &&
3920 (psd->dacl == NULL)) {
3921 struct security_ace ace[3];
3922
3923 /* We can't have NULL DACL in POSIX.
3924 Use owner/group/Everyone -> full access. */
3925
3926 init_sec_ace(&ace[0],
3927 &file_owner_sid,
3928 SEC_ACE_TYPE_ACCESS_ALLOWED,
3929 GENERIC_ALL_ACCESS,
3930 0);
3931 init_sec_ace(&ace[1],
3932 &file_grp_sid,
3933 SEC_ACE_TYPE_ACCESS_ALLOWED,
3934 GENERIC_ALL_ACCESS,
3935 0);
3936 init_sec_ace(&ace[2],
3937 &global_sid_World,
3938 SEC_ACE_TYPE_ACCESS_ALLOWED,
3939 GENERIC_ALL_ACCESS,
3940 0);
3941 psd->dacl = make_sec_acl(talloc_tos(),
3942 NT4_ACL_REVISION,
3943 3,
3944 ace);
3945 if (psd->dacl == NULL) {
3946 return NT_STATUS_NO_MEMORY;
3947 }
3948 security_acl_map_generic(psd->dacl, &file_generic_mapping);
3949 }
3950
3951 acl_perms = unpack_canon_ace(fsp, &fsp->fsp_name->st, &file_owner_sid,
3952 &file_grp_sid, &file_ace_list,
3953 &dir_ace_list, security_info_sent, psd);
3954
3955 /* Ignore W2K traverse DACL set. */
3956 if (!file_ace_list && !dir_ace_list) {
3957 return NT_STATUS_OK;
3958 }
3959
3960 if (!acl_perms) {
3961 DEBUG(3,("set_nt_acl: cannot set permissions\n"));
3962 free_canon_ace_list(file_ace_list);
3963 free_canon_ace_list(dir_ace_list);
3964 return NT_STATUS_ACCESS_DENIED;
3965 }
3966
3967 /*
3968 * Only change security if we got a DACL.
3969 */
3970
3971 if(!(security_info_sent & SECINFO_DACL) || (psd->dacl == NULL)) {
3972 free_canon_ace_list(file_ace_list);
3973 free_canon_ace_list(dir_ace_list);
3974 return NT_STATUS_OK;
3975 }
3976
3977 /*
3978 * Try using the POSIX ACL set first. Fall back to chmod if
3979 * we have no ACL support on this filesystem.
3980 */
3981
3982 if (acl_perms && file_ace_list) {
3983 if (set_acl_as_root) {
3984 become_root();
3985 }
3986 ret = set_canon_ace_list(fsp, file_ace_list, false,
3987 &fsp->fsp_name->st, &acl_set_support);
3988 if (set_acl_as_root) {
3989 unbecome_root();
3990 }
3991 if (acl_set_support && ret == false) {
3992 DEBUG(3,("set_nt_acl: failed to set file acl on file "
3993 "%s (%s).\n", fsp_str_dbg(fsp),
3994 strerror(errno)));
3995 free_canon_ace_list(file_ace_list);
3996 free_canon_ace_list(dir_ace_list);
3997 return map_nt_error_from_unix(errno);
3998 }
3999 }
4000
4001 if (acl_perms && acl_set_support && fsp->is_directory) {
4002 if (dir_ace_list) {
4003 if (set_acl_as_root) {
4004 become_root();
4005 }
4006 ret = set_canon_ace_list(fsp, dir_ace_list, true,
4007 &fsp->fsp_name->st,
4008 &acl_set_support);
4009 if (set_acl_as_root) {
4010 unbecome_root();
4011 }
4012 if (ret == false) {
4013 DEBUG(3,("set_nt_acl: failed to set default "
4014 "acl on directory %s (%s).\n",
4015 fsp_str_dbg(fsp), strerror(errno)));
4016 free_canon_ace_list(file_ace_list);
4017 free_canon_ace_list(dir_ace_list);
4018 return map_nt_error_from_unix(errno);
4019 }
4020 } else {
4021 int sret = -1;
4022
4023 /*
4024 * No default ACL - delete one if it exists.
4025 */
4026
4027 if (set_acl_as_root) {
4028 become_root();
4029 }
4030 sret = SMB_VFS_SYS_ACL_DELETE_DEF_FILE(conn,
4031 fsp->fsp_name->base_name);
4032 if (set_acl_as_root) {
4033 unbecome_root();
4034 }
4035 if (sret == -1) {
4036 if (acl_group_override(conn, fsp->fsp_name)) {
4037 DEBUG(5,("set_nt_acl: acl group "
4038 "control on and current user "
4039 "in file %s primary group. "
4040 "Override delete_def_acl\n",
4041 fsp_str_dbg(fsp)));
4042
4043 become_root();
4044 sret =
4045 SMB_VFS_SYS_ACL_DELETE_DEF_FILE(
4046 conn,
4047 fsp->fsp_name->base_name);
4048 unbecome_root();
4049 }
4050
4051 if (sret == -1) {
4052 DEBUG(3,("set_nt_acl: sys_acl_delete_def_file failed (%s)\n", strerror(errno)));
4053 free_canon_ace_list(file_ace_list);
4054 free_canon_ace_list(dir_ace_list);
4055 return map_nt_error_from_unix(errno);
4056 }
4057 }
4058 }
4059 }
4060
4061 if (acl_set_support) {
4062 if (set_acl_as_root) {
4063 become_root();
4064 }
4065 store_inheritance_attributes(fsp,
4066 file_ace_list,
4067 dir_ace_list,
4068 psd->type);
4069 if (set_acl_as_root) {
4070 unbecome_root();
4071 }
4072 }
4073
4074 /*
4075 * If we cannot set using POSIX ACLs we fall back to checking if we need to chmod.
4076 */
4077
4078 if(!acl_set_support && acl_perms) {
4079 mode_t posix_perms;
4080
4081 if (!convert_canon_ace_to_posix_perms( fsp, file_ace_list, &posix_perms)) {
4082 free_canon_ace_list(file_ace_list);
4083 free_canon_ace_list(dir_ace_list);
4084 DEBUG(3,("set_nt_acl: failed to convert file acl to "
4085 "posix permissions for file %s.\n",
4086 fsp_str_dbg(fsp)));
4087 return NT_STATUS_ACCESS_DENIED;
4088 }
4089
4090 if (orig_mode != posix_perms) {
4091 int sret = -1;
4092
4093 DEBUG(3,("set_nt_acl: chmod %s. perms = 0%o.\n",
4094 fsp_str_dbg(fsp), (unsigned int)posix_perms));
4095
4096 if (set_acl_as_root) {
4097 become_root();
4098 }
4099 sret = SMB_VFS_CHMOD(conn, fsp->fsp_name->base_name,
4100 posix_perms);
4101 if (set_acl_as_root) {
4102 unbecome_root();
4103 }
4104 if(sret == -1) {
4105 if (acl_group_override(conn, fsp->fsp_name)) {
4106 DEBUG(5,("set_nt_acl: acl group "
4107 "control on and current user "
4108 "in file %s primary group. "
4109 "Override chmod\n",
4110 fsp_str_dbg(fsp)));
4111
4112 become_root();
4113 sret = SMB_VFS_CHMOD(conn,
4114 fsp->fsp_name->base_name,
4115 posix_perms);
4116 unbecome_root();
4117 }
4118
4119 if (sret == -1) {
4120 DEBUG(3,("set_nt_acl: chmod %s, 0%o "
4121 "failed. Error = %s.\n",
4122 fsp_str_dbg(fsp),
4123 (unsigned int)posix_perms,
4124 strerror(errno)));
4125 free_canon_ace_list(file_ace_list);
4126 free_canon_ace_list(dir_ace_list);
4127 return map_nt_error_from_unix(errno);
4128 }
4129 }
4130 }
4131 }
4132
4133 free_canon_ace_list(file_ace_list);
4134 free_canon_ace_list(dir_ace_list);
4135
4136 /* Ensure the stat struct in the fsp is correct. */
4137 status = vfs_stat_fsp(fsp);
4138
4139 return NT_STATUS_OK;
4140 }
4141
4142 /****************************************************************************
4143 Get the actual group bits stored on a file with an ACL. Has no effect if
4144 the file has no ACL. Needed in dosmode code where the stat() will return
4145 the mask bits, not the real group bits, for a file with an ACL.
4146 ****************************************************************************/
4147
4148 int get_acl_group_bits( connection_struct *conn, const char *fname, mode_t *mode )
4149 {
4150 int entry_id = SMB_ACL_FIRST_ENTRY;
4151 SMB_ACL_ENTRY_T entry;
4152 SMB_ACL_T posix_acl;
4153 int result = -1;
4154
4155 posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, fname, SMB_ACL_TYPE_ACCESS);
4156 if (posix_acl == (SMB_ACL_T)NULL)
4157 return -1;
4158
4159 while (SMB_VFS_SYS_ACL_GET_ENTRY(conn, posix_acl, entry_id, &entry) == 1) {
4160 SMB_ACL_TAG_T tagtype;
4161 SMB_ACL_PERMSET_T permset;
4162
4163 entry_id = SMB_ACL_NEXT_ENTRY;
4164
4165 if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) ==-1)
4166 break;
4167
4168 if (tagtype == SMB_ACL_GROUP_OBJ) {
4169 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1) {
4170 break;
4171 } else {
4172 *mode &= ~(S_IRGRP|S_IWGRP|S_IXGRP);
4173 *mode |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_READ) ? S_IRGRP : 0);
4174 *mode |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_WRITE) ? S_IWGRP : 0);
4175 *mode |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_EXECUTE) ? S_IXGRP : 0);
4176 result = 0;
4177 break;
4178 }
4179 }
4180 }
4181 SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
4182 return result;
4183 }
4184
4185 /****************************************************************************
4186 Do a chmod by setting the ACL USER_OBJ, GROUP_OBJ and OTHER bits in an ACL
4187 and set the mask to rwx. Needed to preserve complex ACLs set by NT.
4188 ****************************************************************************/
4189
4190 static int chmod_acl_internals( connection_struct *conn, SMB_ACL_T posix_acl, mode_t mode)
4191 {
4192 int entry_id = SMB_ACL_FIRST_ENTRY;
4193 SMB_ACL_ENTRY_T entry;
4194 int num_entries = 0;
4195
4196 while ( SMB_VFS_SYS_ACL_GET_ENTRY(conn, posix_acl, entry_id, &entry) == 1) {
4197 SMB_ACL_TAG_T tagtype;
4198 SMB_ACL_PERMSET_T permset;
4199 mode_t perms;
4200
4201 entry_id = SMB_ACL_NEXT_ENTRY;
4202
4203 if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) == -1)
4204 return -1;
4205
4206 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1)
4207 return -1;
4208
4209 num_entries++;
4210
4211 switch(tagtype) {
4212 case SMB_ACL_USER_OBJ:
4213 perms = unix_perms_to_acl_perms(mode, S_IRUSR, S_IWUSR, S_IXUSR);
4214 break;
4215 case SMB_ACL_GROUP_OBJ:
4216 perms = unix_perms_to_acl_perms(mode, S_IRGRP, S_IWGRP, S_IXGRP);
4217 break;
4218 case SMB_ACL_MASK:
4219 /*
4220 * FIXME: The ACL_MASK entry permissions should really be set to
4221 * the union of the permissions of all ACL_USER,
4222 * ACL_GROUP_OBJ, and ACL_GROUP entries. That's what
4223 * acl_calc_mask() does, but Samba ACLs doesn't provide it.
4224 */
4225 perms = S_IRUSR|S_IWUSR|S_IXUSR;
4226 break;
4227 case SMB_ACL_OTHER:
4228 perms = unix_perms_to_acl_perms(mode, S_IROTH, S_IWOTH, S_IXOTH);
4229 break;
4230 default:
4231 continue;
4232 }
4233
4234 if (map_acl_perms_to_permset(conn, perms, &permset) == -1)
4235 return -1;
4236
4237 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, entry, permset) == -1)
4238 return -1;
4239 }
4240
4241 /*
4242 * If this is a simple 3 element ACL or no elements then it's a standard
4243 * UNIX permission set. Just use chmod...
4244 */
4245
4246 if ((num_entries == 3) || (num_entries == 0))
4247 return -1;
4248
4249 return 0;
4250 }
4251
4252 /****************************************************************************
4253 Get the access ACL of FROM, do a chmod by setting the ACL USER_OBJ,
4254 GROUP_OBJ and OTHER bits in an ACL and set the mask to rwx. Set the
4255 resulting ACL on TO. Note that name is in UNIX character set.
4256 ****************************************************************************/
4257
4258 static int copy_access_posix_acl(connection_struct *conn, const char *from, const char *to, mode_t mode)
4259 {
4260 SMB_ACL_T posix_acl = NULL;
4261 int ret = -1;
4262
4263 if ((posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, from, SMB_ACL_TYPE_ACCESS)) == NULL)
4264 return -1;
4265
4266 if ((ret = chmod_acl_internals(conn, posix_acl, mode)) == -1)
4267 goto done;
4268
4269 ret = SMB_VFS_SYS_ACL_SET_FILE(conn, to, SMB_ACL_TYPE_ACCESS, posix_acl);
4270
4271 done:
4272
4273 SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
4274 return ret;
4275 }
4276
4277 /****************************************************************************
4278 Do a chmod by setting the ACL USER_OBJ, GROUP_OBJ and OTHER bits in an ACL
4279 and set the mask to rwx. Needed to preserve complex ACLs set by NT.
4280 Note that name is in UNIX character set.
4281 ****************************************************************************/
4282
4283 int chmod_acl(connection_struct *conn, const char *name, mode_t mode)
4284 {
4285 return copy_access_posix_acl(conn, name, name, mode);
4286 }
4287
4288 /****************************************************************************
4289 Check for an existing default POSIX ACL on a directory.
4290 ****************************************************************************/
4291
4292 static bool directory_has_default_posix_acl(connection_struct *conn, const char *fname)
4293 {
4294 SMB_ACL_T def_acl = SMB_VFS_SYS_ACL_GET_FILE( conn, fname, SMB_ACL_TYPE_DEFAULT);
4295 bool has_acl = False;
4296 SMB_ACL_ENTRY_T entry;
4297
4298 if (def_acl != NULL && (SMB_VFS_SYS_ACL_GET_ENTRY(conn, def_acl, SMB_ACL_FIRST_ENTRY, &entry) == 1)) {
4299 has_acl = True;
4300 }
4301
4302 if (def_acl) {
4303 SMB_VFS_SYS_ACL_FREE_ACL(conn, def_acl);
4304 }
4305 return has_acl;
4306 }
4307
4308 /****************************************************************************
4309 If the parent directory has no default ACL but it does have an Access ACL,
4310 inherit this Access ACL to file name.
4311 ****************************************************************************/
4312
4313 int inherit_access_posix_acl(connection_struct *conn, const char *inherit_from_dir,
4314 const char *name, mode_t mode)
4315 {
4316 if (directory_has_default_posix_acl(conn, inherit_from_dir))
4317 return 0;
4318
4319 return copy_access_posix_acl(conn, inherit_from_dir, name, mode);
4320 }
4321
4322 /****************************************************************************
4323 Do an fchmod by setting the ACL USER_OBJ, GROUP_OBJ and OTHER bits in an ACL
4324 and set the mask to rwx. Needed to preserve complex ACLs set by NT.
4325 ****************************************************************************/
4326
4327 int fchmod_acl(files_struct *fsp, mode_t mode)
4328 {
4329 connection_struct *conn = fsp->conn;
4330 SMB_ACL_T posix_acl = NULL;
4331 int ret = -1;
4332
4333 if ((posix_acl = SMB_VFS_SYS_ACL_GET_FD(fsp)) == NULL)
4334 return -1;
4335
4336 if ((ret = chmod_acl_internals(conn, posix_acl, mode)) == -1)
4337 goto done;
4338
4339 ret = SMB_VFS_SYS_ACL_SET_FD(fsp, posix_acl);
4340
4341 done:
4342
4343 SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
4344 return ret;
4345 }
4346
4347 /****************************************************************************
4348 Map from wire type to permset.
4349 ****************************************************************************/
4350
4351 static bool unix_ex_wire_to_permset(connection_struct *conn, unsigned char wire_perm, SMB_ACL_PERMSET_T *p_permset)
4352 {
4353 if (wire_perm & ~(SMB_POSIX_ACL_READ|SMB_POSIX_ACL_WRITE|SMB_POSIX_ACL_EXECUTE)) {
4354 return False;
4355 }
4356
4357 if (SMB_VFS_SYS_ACL_CLEAR_PERMS(conn, *p_permset) == -1) {
4358 return False;
4359 }
4360
4361 if (wire_perm & SMB_POSIX_ACL_READ) {
4362 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_READ) == -1) {
4363 return False;
4364 }
4365 }
4366 if (wire_perm & SMB_POSIX_ACL_WRITE) {
4367 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_WRITE) == -1) {
4368 return False;
4369 }
4370 }
4371 if (wire_perm & SMB_POSIX_ACL_EXECUTE) {
4372 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_EXECUTE) == -1) {
4373 return False;
4374 }
4375 }
4376 return True;
4377 }
4378
4379 /****************************************************************************
4380 Map from wire type to tagtype.
4381 ****************************************************************************/
4382
4383 static bool unix_ex_wire_to_tagtype(unsigned char wire_tt, SMB_ACL_TAG_T *p_tt)
4384 {
4385 switch (wire_tt) {
4386 case SMB_POSIX_ACL_USER_OBJ:
4387 *p_tt = SMB_ACL_USER_OBJ;
4388 break;
4389 case SMB_POSIX_ACL_USER:
4390 *p_tt = SMB_ACL_USER;
4391 break;
4392 case SMB_POSIX_ACL_GROUP_OBJ:
4393 *p_tt = SMB_ACL_GROUP_OBJ;
4394 break;
4395 case SMB_POSIX_ACL_GROUP:
4396 *p_tt = SMB_ACL_GROUP;
4397 break;
4398 case SMB_POSIX_ACL_MASK:
4399 *p_tt = SMB_ACL_MASK;
4400 break;
4401 case SMB_POSIX_ACL_OTHER:
4402 *p_tt = SMB_ACL_OTHER;
4403 break;
4404 default:
4405 return False;
4406 }
4407 return True;
4408 }
4409
4410 /****************************************************************************
4411 Create a new POSIX acl from wire permissions.
4412 FIXME ! How does the share mask/mode fit into this.... ?
4413 ****************************************************************************/
4414
4415 static SMB_ACL_T create_posix_acl_from_wire(connection_struct *conn, uint16 num_acls, const char *pdata)
4416 {
4417 unsigned int i;
4418 SMB_ACL_T the_acl = SMB_VFS_SYS_ACL_INIT(conn, num_acls);
4419
4420 if (the_acl == NULL) {
4421 return NULL;
4422 }
4423
4424 for (i = 0; i < num_acls; i++) {
4425 SMB_ACL_ENTRY_T the_entry;
4426 SMB_ACL_PERMSET_T the_permset;
4427 SMB_ACL_TAG_T tag_type;
4428
4429 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &the_entry) == -1) {
4430 DEBUG(0,("create_posix_acl_from_wire: Failed to create entry %u. (%s)\n",
4431 i, strerror(errno) ));
4432 goto fail;
4433 }
4434
4435 if (!unix_ex_wire_to_tagtype(CVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE)), &tag_type)) {
4436 DEBUG(0,("create_posix_acl_from_wire: invalid wire tagtype %u on entry %u.\n",
4437 CVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE)), i ));
4438 goto fail;
4439 }
4440
4441 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, the_entry, tag_type) == -1) {
4442 DEBUG(0,("create_posix_acl_from_wire: Failed to set tagtype on entry %u. (%s)\n",
4443 i, strerror(errno) ));
4444 goto fail;
4445 }
4446
4447 /* Get the permset pointer from the new ACL entry. */
4448 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, the_entry, &the_permset) == -1) {
4449 DEBUG(0,("create_posix_acl_from_wire: Failed to get permset on entry %u. (%s)\n",
4450 i, strerror(errno) ));
4451 goto fail;
4452 }
4453
4454 /* Map from wire to permissions. */
4455 if (!unix_ex_wire_to_permset(conn, CVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE)+1), &the_permset)) {
4456 DEBUG(0,("create_posix_acl_from_wire: invalid permset %u on entry %u.\n",
4457 CVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE) + 1), i ));
4458 goto fail;
4459 }
4460
4461 /* Now apply to the new ACL entry. */
4462 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, the_entry, the_permset) == -1) {
4463 DEBUG(0,("create_posix_acl_from_wire: Failed to add permset on entry %u. (%s)\n",
4464 i, strerror(errno) ));
4465 goto fail;
4466 }
4467
4468 if (tag_type == SMB_ACL_USER) {
4469 uint32 uidval = IVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE)+2);
4470 uid_t uid = (uid_t)uidval;
4471 if (SMB_VFS_SYS_ACL_SET_QUALIFIER(conn, the_entry,(void *)&uid) == -1) {
4472 DEBUG(0,("create_posix_acl_from_wire: Failed to set uid %u on entry %u. (%s)\n",
4473 (unsigned int)uid, i, strerror(errno) ));
4474 goto fail;
4475 }
4476 }
4477
4478 if (tag_type == SMB_ACL_GROUP) {
4479 uint32 gidval = IVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE)+2);
4480 gid_t gid = (uid_t)gidval;
4481 if (SMB_VFS_SYS_ACL_SET_QUALIFIER(conn, the_entry,(void *)&gid) == -1) {
4482 DEBUG(0,("create_posix_acl_from_wire: Failed to set gid %u on entry %u. (%s)\n",
4483 (unsigned int)gid, i, strerror(errno) ));
4484 goto fail;
4485 }
4486 }
4487 }
4488
4489 return the_acl;
4490
4491 fail:
4492
4493 if (the_acl != NULL) {
4494 SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
4495 }
4496 return NULL;
4497 }
4498
4499 /****************************************************************************
4500 Calls from UNIX extensions - Default POSIX ACL set.
4501 If num_def_acls == 0 and not a directory just return. If it is a directory
4502 and num_def_acls == 0 then remove the default acl. Else set the default acl
4503 on the directory.
4504 ****************************************************************************/
4505
4506 bool set_unix_posix_default_acl(connection_struct *conn, const char *fname, const SMB_STRUCT_STAT *psbuf,
4507 uint16 num_def_acls, const char *pdata)
4508 {
4509 SMB_ACL_T def_acl = NULL;
4510
4511 if (!S_ISDIR(psbuf->st_ex_mode)) {
4512 if (num_def_acls) {
4513 DEBUG(5,("set_unix_posix_default_acl: Can't set default ACL on non-directory file %s\n", fname ));
4514 errno = EISDIR;
4515 return False;
4516 } else {
4517 return True;
4518 }
4519 }
4520
4521 if (!num_def_acls) {
4522 /* Remove the default ACL. */
4523 if (SMB_VFS_SYS_ACL_DELETE_DEF_FILE(conn, fname) == -1) {
4524 DEBUG(5,("set_unix_posix_default_acl: acl_delete_def_file failed on directory %s (%s)\n",
4525 fname, strerror(errno) ));
4526 return False;
4527 }
4528 return True;
4529 }
4530
4531 if ((def_acl = create_posix_acl_from_wire(conn, num_def_acls, pdata)) == NULL) {
4532 return False;
4533 }
4534
4535 if (SMB_VFS_SYS_ACL_SET_FILE(conn, fname, SMB_ACL_TYPE_DEFAULT, def_acl) == -1) {
4536 DEBUG(5,("set_unix_posix_default_acl: acl_set_file failed on directory %s (%s)\n",
4537 fname, strerror(errno) ));
4538 SMB_VFS_SYS_ACL_FREE_ACL(conn, def_acl);
4539 return False;
4540 }
4541
4542 DEBUG(10,("set_unix_posix_default_acl: set default acl for file %s\n", fname ));
4543 SMB_VFS_SYS_ACL_FREE_ACL(conn, def_acl);
4544 return True;
4545 }
4546
4547 /****************************************************************************
4548 Remove an ACL from a file. As we don't have acl_delete_entry() available
4549 we must read the current acl and copy all entries except MASK, USER and GROUP
4550 to a new acl, then set that. This (at least on Linux) causes any ACL to be
4551 removed.
4552 FIXME ! How does the share mask/mode fit into this.... ?
4553 ****************************************************************************/
4554
4555 static bool remove_posix_acl(connection_struct *conn, files_struct *fsp, const char *fname)
4556 {
4557 SMB_ACL_T file_acl = NULL;
4558 int entry_id = SMB_ACL_FIRST_ENTRY;
4559 SMB_ACL_ENTRY_T entry;
4560 bool ret = False;
4561 /* Create a new ACL with only 3 entries, u/g/w. */
4562 SMB_ACL_T new_file_acl = SMB_VFS_SYS_ACL_INIT(conn, 3);
4563 SMB_ACL_ENTRY_T user_ent = NULL;
4564 SMB_ACL_ENTRY_T group_ent = NULL;
4565 SMB_ACL_ENTRY_T other_ent = NULL;
4566
4567 if (new_file_acl == NULL) {
4568 DEBUG(5,("remove_posix_acl: failed to init new ACL with 3 entries for file %s.\n", fname));
4569 return False;
4570 }
4571
4572 /* Now create the u/g/w entries. */
4573 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &new_file_acl, &user_ent) == -1) {
4574 DEBUG(5,("remove_posix_acl: Failed to create user entry for file %s. (%s)\n",
4575 fname, strerror(errno) ));
4576 goto done;
4577 }
4578 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, user_ent, SMB_ACL_USER_OBJ) == -1) {
4579 DEBUG(5,("remove_posix_acl: Failed to set user entry for file %s. (%s)\n",
4580 fname, strerror(errno) ));
4581 goto done;
4582 }
4583
4584 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &new_file_acl, &group_ent) == -1) {
4585 DEBUG(5,("remove_posix_acl: Failed to create group entry for file %s. (%s)\n",
4586 fname, strerror(errno) ));
4587 goto done;
4588 }
4589 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, group_ent, SMB_ACL_GROUP_OBJ) == -1) {
4590 DEBUG(5,("remove_posix_acl: Failed to set group entry for file %s. (%s)\n",
4591 fname, strerror(errno) ));
4592 goto done;
4593 }
4594
4595 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &new_file_acl, &other_ent) == -1) {
4596 DEBUG(5,("remove_posix_acl: Failed to create other entry for file %s. (%s)\n",
4597 fname, strerror(errno) ));
4598 goto done;
4599 }
4600 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, other_ent, SMB_ACL_OTHER) == -1) {
4601 DEBUG(5,("remove_posix_acl: Failed to set other entry for file %s. (%s)\n",
4602 fname, strerror(errno) ));
4603 goto done;
4604 }
4605
4606 /* Get the current file ACL. */
4607 if (fsp && fsp->fh->fd != -1) {
4608 file_acl = SMB_VFS_SYS_ACL_GET_FD(fsp);
4609 } else {
4610 file_acl = SMB_VFS_SYS_ACL_GET_FILE( conn, fname, SMB_ACL_TYPE_ACCESS);
4611 }
4612
4613 if (file_acl == NULL) {
4614 /* This is only returned if an error occurred. Even for a file with
4615 no acl a u/g/w acl should be returned. */
4616 DEBUG(5,("remove_posix_acl: failed to get ACL from file %s (%s).\n",
4617 fname, strerror(errno) ));
4618 goto done;
4619 }
4620
4621 while ( SMB_VFS_SYS_ACL_GET_ENTRY(conn, file_acl, entry_id, &entry) == 1) {
4622 SMB_ACL_TAG_T tagtype;
4623 SMB_ACL_PERMSET_T permset;
4624
4625 entry_id = SMB_ACL_NEXT_ENTRY;
4626
4627 if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) == -1) {
4628 DEBUG(5,("remove_posix_acl: failed to get tagtype from ACL on file %s (%s).\n",
4629 fname, strerror(errno) ));
4630 goto done;
4631 }
4632
4633 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1) {
4634 DEBUG(5,("remove_posix_acl: failed to get permset from ACL on file %s (%s).\n",
4635 fname, strerror(errno) ));
4636 goto done;
4637 }
4638
4639 if (tagtype == SMB_ACL_USER_OBJ) {
4640 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, user_ent, permset) == -1) {
4641 DEBUG(5,("remove_posix_acl: failed to set permset from ACL on file %s (%s).\n",
4642 fname, strerror(errno) ));
4643 }
4644 } else if (tagtype == SMB_ACL_GROUP_OBJ) {
4645 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, group_ent, permset) == -1) {
4646 DEBUG(5,("remove_posix_acl: failed to set permset from ACL on file %s (%s).\n",
4647 fname, strerror(errno) ));
4648 }
4649 } else if (tagtype == SMB_ACL_OTHER) {
4650 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, other_ent, permset) == -1) {
4651 DEBUG(5,("remove_posix_acl: failed to set permset from ACL on file %s (%s).\n",
4652 fname, strerror(errno) ));
4653 }
4654 }
4655 }
4656
4657 /* Set the new empty file ACL. */
4658 if (fsp && fsp->fh->fd != -1) {
4659 if (SMB_VFS_SYS_ACL_SET_FD(fsp, new_file_acl) == -1) {
4660 DEBUG(5,("remove_posix_acl: acl_set_file failed on %s (%s)\n",
4661 fname, strerror(errno) ));
4662 goto done;
4663 }
4664 } else {
4665 if (SMB_VFS_SYS_ACL_SET_FILE(conn, fname, SMB_ACL_TYPE_ACCESS, new_file_acl) == -1) {
4666 DEBUG(5,("remove_posix_acl: acl_set_file failed on %s (%s)\n",
4667 fname, strerror(errno) ));
4668 goto done;
4669 }
4670 }
4671
4672 ret = True;
4673
4674 done:
4675
4676 if (file_acl) {
4677 SMB_VFS_SYS_ACL_FREE_ACL(conn, file_acl);
4678 }
4679 if (new_file_acl) {
4680 SMB_VFS_SYS_ACL_FREE_ACL(conn, new_file_acl);
4681 }
4682 return ret;
4683 }
4684
4685 /****************************************************************************
4686 Calls from UNIX extensions - POSIX ACL set.
4687 If num_def_acls == 0 then read/modify/write acl after removing all entries
4688 except SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER.
4689 ****************************************************************************/
4690
4691 bool set_unix_posix_acl(connection_struct *conn, files_struct *fsp, const char *fname, uint16 num_acls, const char *pdata)
4692 {
4693 SMB_ACL_T file_acl = NULL;
4694
4695 if (!num_acls) {
4696 /* Remove the ACL from the file. */
4697 return remove_posix_acl(conn, fsp, fname);
4698 }
4699
4700 if ((file_acl = create_posix_acl_from_wire(conn, num_acls, pdata)) == NULL) {
4701 return False;
4702 }
4703
4704 if (fsp && fsp->fh->fd != -1) {
4705 /* The preferred way - use an open fd. */
4706 if (SMB_VFS_SYS_ACL_SET_FD(fsp, file_acl) == -1) {
4707 DEBUG(5,("set_unix_posix_acl: acl_set_file failed on %s (%s)\n",
4708 fname, strerror(errno) ));
4709 SMB_VFS_SYS_ACL_FREE_ACL(conn, file_acl);
4710 return False;
4711 }
4712 } else {
4713 if (SMB_VFS_SYS_ACL_SET_FILE(conn, fname, SMB_ACL_TYPE_ACCESS, file_acl) == -1) {
4714 DEBUG(5,("set_unix_posix_acl: acl_set_file failed on %s (%s)\n",
4715 fname, strerror(errno) ));
4716 SMB_VFS_SYS_ACL_FREE_ACL(conn, file_acl);
4717 return False;
4718 }
4719 }
4720
4721 DEBUG(10,("set_unix_posix_acl: set acl for file %s\n", fname ));
4722 SMB_VFS_SYS_ACL_FREE_ACL(conn, file_acl);
4723 return True;
4724 }
4725
4726 /********************************************************************
4727 Pull the NT ACL from a file on disk or the OpenEventlog() access
4728 check. Caller is responsible for freeing the returned security
4729 descriptor via TALLOC_FREE(). This is designed for dealing with
4730 user space access checks in smbd outside of the VFS. For example,
4731 checking access rights in OpenEventlog().
4732
4733 Assume we are dealing with files (for now)
4734 ********************************************************************/
4735
4736 struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname)
4737 {
4738 struct security_descriptor *psd, *ret_sd;
4739 connection_struct *conn;
4740 files_struct finfo;
4741 struct fd_handle fh;
4742 NTSTATUS status;
4743
4744 conn = talloc_zero(ctx, connection_struct);
4745 if (conn == NULL) {
4746 DEBUG(0, ("talloc failed\n"));
4747 return NULL;
4748 }
4749
4750 if (!(conn->params = talloc(conn, struct share_params))) {
4751 DEBUG(0,("get_nt_acl_no_snum: talloc() failed!\n"));
4752 TALLOC_FREE(conn);
4753 return NULL;
4754 }
4755
4756 conn->params->service = -1;
4757
4758 set_conn_connectpath(conn, "/");
4759
4760 if (!smbd_vfs_init(conn)) {
4761 DEBUG(0,("get_nt_acl_no_snum: Unable to create a fake connection struct!\n"));
4762 conn_free(conn);
4763 return NULL;
4764 }
4765
4766 ZERO_STRUCT( finfo );
4767 ZERO_STRUCT( fh );
4768
4769 finfo.fnum = -1;
4770 finfo.conn = conn;
4771 finfo.fh = &fh;
4772 finfo.fh->fd = -1;
4773
4774 status = create_synthetic_smb_fname(talloc_tos(), fname, NULL, NULL,
4775 &finfo.fsp_name);
4776 if (!NT_STATUS_IS_OK(status)) {
4777 conn_free(conn);
4778 return NULL;
4779 }
4780
4781 if (!NT_STATUS_IS_OK(SMB_VFS_FGET_NT_ACL( &finfo, SECINFO_DACL, &psd))) {
4782 DEBUG(0,("get_nt_acl_no_snum: get_nt_acl returned zero.\n"));
4783 TALLOC_FREE(finfo.fsp_name);
4784 conn_free(conn);
4785 return NULL;
4786 }
4787
4788 ret_sd = dup_sec_desc( ctx, psd );
4789
4790 TALLOC_FREE(finfo.fsp_name);
4791 conn_free(conn);
4792
4793 return ret_sd;
4794 }
4795
4796 /* Stolen shamelessly from pvfs_default_acl() in source4 :-). */
4797
4798 NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
4799 const char *name,
4800 SMB_STRUCT_STAT *psbuf,
4801 struct security_descriptor **ppdesc)
4802 {
4803 struct dom_sid owner_sid, group_sid;
4804 size_t size = 0;
4805 struct security_ace aces[4];
4806 uint32_t access_mask = 0;
4807 mode_t mode = psbuf->st_ex_mode;
4808 struct security_acl *new_dacl = NULL;
4809 int idx = 0;
4810
4811 DEBUG(10,("make_default_filesystem_acl: file %s mode = 0%o\n",
4812 name, (int)mode ));
4813
4814 uid_to_sid(&owner_sid, psbuf->st_ex_uid);
4815 gid_to_sid(&group_sid, psbuf->st_ex_gid);
4816
4817 /*
4818 We provide up to 4 ACEs
4819 - Owner
4820 - Group
4821 - Everyone
4822 - NT System
4823 */
4824
4825 if (mode & S_IRUSR) {
4826 if (mode & S_IWUSR) {
4827 access_mask |= SEC_RIGHTS_FILE_ALL;
4828 } else {
4829 access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
4830 }
4831 }
4832 if (mode & S_IWUSR) {
4833 access_mask |= SEC_RIGHTS_FILE_WRITE | SEC_STD_DELETE;
4834 }
4835
4836 init_sec_ace(&aces[idx],
4837 &owner_sid,
4838 SEC_ACE_TYPE_ACCESS_ALLOWED,
4839 access_mask,
4840 0);
4841 idx++;
4842
4843 access_mask = 0;
4844 if (mode & S_IRGRP) {
4845 access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
4846 }
4847 if (mode & S_IWGRP) {
4848 /* note that delete is not granted - this matches posix behaviour */
4849 access_mask |= SEC_RIGHTS_FILE_WRITE;
4850 }
4851 if (access_mask) {
4852 init_sec_ace(&aces[idx],
4853 &group_sid,
4854 SEC_ACE_TYPE_ACCESS_ALLOWED,
4855 access_mask,
4856 0);
4857 idx++;
4858 }
4859
4860 access_mask = 0;
4861 if (mode & S_IROTH) {
4862 access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
4863 }
4864 if (mode & S_IWOTH) {
4865 access_mask |= SEC_RIGHTS_FILE_WRITE;
4866 }
4867 if (access_mask) {
4868 init_sec_ace(&aces[idx],
4869 &global_sid_World,
4870 SEC_ACE_TYPE_ACCESS_ALLOWED,
4871 access_mask,
4872 0);
4873 idx++;
4874 }
4875
4876 init_sec_ace(&aces[idx],
4877 &global_sid_System,
4878 SEC_ACE_TYPE_ACCESS_ALLOWED,
4879 SEC_RIGHTS_FILE_ALL,
4880 0);
4881 idx++;
4882
4883 new_dacl = make_sec_acl(ctx,
4884 NT4_ACL_REVISION,
4885 idx,
4886 aces);
4887
4888 if (!new_dacl) {
4889 return NT_STATUS_NO_MEMORY;
4890 }
4891
4892 *ppdesc = make_sec_desc(ctx,
4893 SECURITY_DESCRIPTOR_REVISION_1,
4894 SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
4895 &owner_sid,
4896 &group_sid,
4897 NULL,
4898 new_dacl,
4899 &size);
4900 if (!*ppdesc) {
4901 return NT_STATUS_NO_MEMORY;
4902 }
4903 return NT_STATUS_OK;
4904 }
reg import