s4:registry - "LDB backend" - don't test for "0" as string termination on binary...
[Samba/gebeck_regimport.git] / source3 / libsmb / libsmb_xattr.c
blobcbdca4e748c032aa9996300fc0d369cac7ebe4c7
1 /*
2 Unix SMB/Netbios implementation.
3 SMB client library implementation
4 Copyright (C) Andrew Tridgell 1998
5 Copyright (C) Richard Sharpe 2000, 2002
6 Copyright (C) John Terpstra 2000
7 Copyright (C) Tom Jansen (Ninja ISD) 2002
8 Copyright (C) Derrell Lipman 2003-2008
9 Copyright (C) Jeremy Allison 2007, 2008
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "includes.h"
26 #include "libsmbclient.h"
27 #include "libsmb_internal.h"
31 * Find an lsa pipe handle associated with a cli struct.
33 static struct rpc_pipe_client *
34 find_lsa_pipe_hnd(struct cli_state *ipc_cli)
36 struct rpc_pipe_client *pipe_hnd;
38 for (pipe_hnd = ipc_cli->pipe_list;
39 pipe_hnd;
40 pipe_hnd = pipe_hnd->next) {
41 if (ndr_syntax_id_equal(&pipe_hnd->abstract_syntax,
42 &ndr_table_lsarpc.syntax_id)) {
43 return pipe_hnd;
46 return NULL;
50 * Sort ACEs according to the documentation at
51 * http://support.microsoft.com/kb/269175, at least as far as it defines the
52 * order.
55 static int
56 ace_compare(SEC_ACE *ace1,
57 SEC_ACE *ace2)
59 bool b1;
60 bool b2;
62 /* If the ACEs are equal, we have nothing more to do. */
63 if (sec_ace_equal(ace1, ace2)) {
64 return 0;
67 /* Inherited follow non-inherited */
68 b1 = ((ace1->flags & SEC_ACE_FLAG_INHERITED_ACE) != 0);
69 b2 = ((ace2->flags & SEC_ACE_FLAG_INHERITED_ACE) != 0);
70 if (b1 != b2) {
71 return (b1 ? 1 : -1);
75 * What shall we do with AUDITs and ALARMs? It's undefined. We'll
76 * sort them after DENY and ALLOW.
78 b1 = (ace1->type != SEC_ACE_TYPE_ACCESS_ALLOWED &&
79 ace1->type != SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT &&
80 ace1->type != SEC_ACE_TYPE_ACCESS_DENIED &&
81 ace1->type != SEC_ACE_TYPE_ACCESS_DENIED_OBJECT);
82 b2 = (ace2->type != SEC_ACE_TYPE_ACCESS_ALLOWED &&
83 ace2->type != SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT &&
84 ace2->type != SEC_ACE_TYPE_ACCESS_DENIED &&
85 ace2->type != SEC_ACE_TYPE_ACCESS_DENIED_OBJECT);
86 if (b1 != b2) {
87 return (b1 ? 1 : -1);
90 /* Allowed ACEs follow denied ACEs */
91 b1 = (ace1->type == SEC_ACE_TYPE_ACCESS_ALLOWED ||
92 ace1->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT);
93 b2 = (ace2->type == SEC_ACE_TYPE_ACCESS_ALLOWED ||
94 ace2->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT);
95 if (b1 != b2) {
96 return (b1 ? 1 : -1);
100 * ACEs applying to an entity's object follow those applying to the
101 * entity itself
103 b1 = (ace1->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT ||
104 ace1->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT);
105 b2 = (ace2->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT ||
106 ace2->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT);
107 if (b1 != b2) {
108 return (b1 ? 1 : -1);
112 * If we get this far, the ACEs are similar as far as the
113 * characteristics we typically care about (those defined by the
114 * referenced MS document). We'll now sort by characteristics that
115 * just seems reasonable.
118 if (ace1->type != ace2->type) {
119 return ace2->type - ace1->type;
122 if (sid_compare(&ace1->trustee, &ace2->trustee)) {
123 return sid_compare(&ace1->trustee, &ace2->trustee);
126 if (ace1->flags != ace2->flags) {
127 return ace1->flags - ace2->flags;
130 if (ace1->access_mask != ace2->access_mask) {
131 return ace1->access_mask - ace2->access_mask;
134 if (ace1->size != ace2->size) {
135 return ace1->size - ace2->size;
138 return memcmp(ace1, ace2, sizeof(SEC_ACE));
142 static void
143 sort_acl(SEC_ACL *the_acl)
145 uint32 i;
146 if (!the_acl) return;
148 TYPESAFE_QSORT(the_acl->aces, the_acl->num_aces, ace_compare);
150 for (i=1;i<the_acl->num_aces;) {
151 if (sec_ace_equal(&the_acl->aces[i-1], &the_acl->aces[i])) {
152 int j;
153 for (j=i; j<the_acl->num_aces-1; j++) {
154 the_acl->aces[j] = the_acl->aces[j+1];
156 the_acl->num_aces--;
157 } else {
158 i++;
163 /* convert a SID to a string, either numeric or username/group */
164 static void
165 convert_sid_to_string(struct cli_state *ipc_cli,
166 struct policy_handle *pol,
167 fstring str,
168 bool numeric,
169 DOM_SID *sid)
171 char **domains = NULL;
172 char **names = NULL;
173 enum lsa_SidType *types = NULL;
174 struct rpc_pipe_client *pipe_hnd = find_lsa_pipe_hnd(ipc_cli);
175 TALLOC_CTX *ctx;
177 sid_to_fstring(str, sid);
179 if (numeric) {
180 return; /* no lookup desired */
183 if (!pipe_hnd) {
184 return;
187 /* Ask LSA to convert the sid to a name */
189 ctx = talloc_stackframe();
191 if (!NT_STATUS_IS_OK(rpccli_lsa_lookup_sids(pipe_hnd, ctx,
192 pol, 1, sid, &domains,
193 &names, &types)) ||
194 !domains || !domains[0] || !names || !names[0]) {
195 TALLOC_FREE(ctx);
196 return;
199 /* Converted OK */
201 slprintf(str, sizeof(fstring) - 1, "%s%s%s",
202 domains[0], lp_winbind_separator(),
203 names[0]);
205 TALLOC_FREE(ctx);
208 /* convert a string to a SID, either numeric or username/group */
209 static bool
210 convert_string_to_sid(struct cli_state *ipc_cli,
211 struct policy_handle *pol,
212 bool numeric,
213 DOM_SID *sid,
214 const char *str)
216 enum lsa_SidType *types = NULL;
217 DOM_SID *sids = NULL;
218 bool result = True;
219 TALLOC_CTX *ctx = NULL;
220 struct rpc_pipe_client *pipe_hnd = find_lsa_pipe_hnd(ipc_cli);
222 if (!pipe_hnd) {
223 return False;
226 if (numeric) {
227 if (strncmp(str, "S-", 2) == 0) {
228 return string_to_sid(sid, str);
231 result = False;
232 goto done;
235 ctx = talloc_stackframe();
236 if (!NT_STATUS_IS_OK(rpccli_lsa_lookup_names(pipe_hnd, ctx,
237 pol, 1, &str,
238 NULL, 1, &sids,
239 &types))) {
240 result = False;
241 goto done;
244 sid_copy(sid, &sids[0]);
245 done:
246 TALLOC_FREE(ctx);
247 return result;
251 /* parse an ACE in the same format as print_ace() */
252 static bool
253 parse_ace(struct cli_state *ipc_cli,
254 struct policy_handle *pol,
255 SEC_ACE *ace,
256 bool numeric,
257 char *str)
259 char *p;
260 const char *cp;
261 char *tok;
262 unsigned int atype;
263 unsigned int aflags;
264 unsigned int amask;
265 DOM_SID sid;
266 uint32_t mask;
267 const struct perm_value *v;
268 struct perm_value {
269 const char perm[7];
270 uint32 mask;
272 TALLOC_CTX *frame = talloc_stackframe();
274 /* These values discovered by inspection */
275 static const struct perm_value special_values[] = {
276 { "R", 0x00120089 },
277 { "W", 0x00120116 },
278 { "X", 0x001200a0 },
279 { "D", 0x00010000 },
280 { "P", 0x00040000 },
281 { "O", 0x00080000 },
282 { "", 0 },
285 static const struct perm_value standard_values[] = {
286 { "READ", 0x001200a9 },
287 { "CHANGE", 0x001301bf },
288 { "FULL", 0x001f01ff },
289 { "", 0 },
292 ZERO_STRUCTP(ace);
293 p = strchr_m(str,':');
294 if (!p) {
295 TALLOC_FREE(frame);
296 return False;
298 *p = '\0';
299 p++;
300 /* Try to parse numeric form */
302 if (sscanf(p, "%i/%i/%i", &atype, &aflags, &amask) == 3 &&
303 convert_string_to_sid(ipc_cli, pol, numeric, &sid, str)) {
304 goto done;
307 /* Try to parse text form */
309 if (!convert_string_to_sid(ipc_cli, pol, numeric, &sid, str)) {
310 TALLOC_FREE(frame);
311 return false;
314 cp = p;
315 if (!next_token_talloc(frame, &cp, &tok, "/")) {
316 TALLOC_FREE(frame);
317 return false;
320 if (StrnCaseCmp(tok, "ALLOWED", strlen("ALLOWED")) == 0) {
321 atype = SEC_ACE_TYPE_ACCESS_ALLOWED;
322 } else if (StrnCaseCmp(tok, "DENIED", strlen("DENIED")) == 0) {
323 atype = SEC_ACE_TYPE_ACCESS_DENIED;
324 } else {
325 TALLOC_FREE(frame);
326 return false;
329 /* Only numeric form accepted for flags at present */
331 if (!(next_token_talloc(frame, &cp, &tok, "/") &&
332 sscanf(tok, "%i", &aflags))) {
333 TALLOC_FREE(frame);
334 return false;
337 if (!next_token_talloc(frame, &cp, &tok, "/")) {
338 TALLOC_FREE(frame);
339 return false;
342 if (strncmp(tok, "0x", 2) == 0) {
343 if (sscanf(tok, "%i", &amask) != 1) {
344 TALLOC_FREE(frame);
345 return false;
347 goto done;
350 for (v = standard_values; v->perm; v++) {
351 if (strcmp(tok, v->perm) == 0) {
352 amask = v->mask;
353 goto done;
357 p = tok;
359 while(*p) {
360 bool found = False;
362 for (v = special_values; v->perm; v++) {
363 if (v->perm[0] == *p) {
364 amask |= v->mask;
365 found = True;
369 if (!found) {
370 TALLOC_FREE(frame);
371 return false;
373 p++;
376 if (*p) {
377 TALLOC_FREE(frame);
378 return false;
381 done:
382 mask = amask;
383 init_sec_ace(ace, &sid, atype, mask, aflags);
384 TALLOC_FREE(frame);
385 return true;
388 /* add an ACE to a list of ACEs in a SEC_ACL */
389 static bool
390 add_ace(SEC_ACL **the_acl,
391 SEC_ACE *ace,
392 TALLOC_CTX *ctx)
394 SEC_ACL *newacl;
395 SEC_ACE *aces;
397 if (! *the_acl) {
398 (*the_acl) = make_sec_acl(ctx, 3, 1, ace);
399 return True;
402 if ((aces = SMB_CALLOC_ARRAY(SEC_ACE,
403 1+(*the_acl)->num_aces)) == NULL) {
404 return False;
406 memcpy(aces, (*the_acl)->aces, (*the_acl)->num_aces * sizeof(SEC_ACE));
407 memcpy(aces+(*the_acl)->num_aces, ace, sizeof(SEC_ACE));
408 newacl = make_sec_acl(ctx, (*the_acl)->revision,
409 1+(*the_acl)->num_aces, aces);
410 SAFE_FREE(aces);
411 (*the_acl) = newacl;
412 return True;
416 /* parse a ascii version of a security descriptor */
417 static SEC_DESC *
418 sec_desc_parse(TALLOC_CTX *ctx,
419 struct cli_state *ipc_cli,
420 struct policy_handle *pol,
421 bool numeric,
422 const char *str)
424 const char *p = str;
425 char *tok;
426 SEC_DESC *ret = NULL;
427 size_t sd_size;
428 DOM_SID *group_sid=NULL;
429 DOM_SID *owner_sid=NULL;
430 SEC_ACL *dacl=NULL;
431 int revision=1;
433 while (next_token_talloc(ctx, &p, &tok, "\t,\r\n")) {
435 if (StrnCaseCmp(tok,"REVISION:", 9) == 0) {
436 revision = strtol(tok+9, NULL, 16);
437 continue;
440 if (StrnCaseCmp(tok,"OWNER:", 6) == 0) {
441 if (owner_sid) {
442 DEBUG(5,("OWNER specified more than once!\n"));
443 goto done;
445 owner_sid = SMB_CALLOC_ARRAY(DOM_SID, 1);
446 if (!owner_sid ||
447 !convert_string_to_sid(ipc_cli, pol,
448 numeric,
449 owner_sid, tok+6)) {
450 DEBUG(5, ("Failed to parse owner sid\n"));
451 goto done;
453 continue;
456 if (StrnCaseCmp(tok,"OWNER+:", 7) == 0) {
457 if (owner_sid) {
458 DEBUG(5,("OWNER specified more than once!\n"));
459 goto done;
461 owner_sid = SMB_CALLOC_ARRAY(DOM_SID, 1);
462 if (!owner_sid ||
463 !convert_string_to_sid(ipc_cli, pol,
464 False,
465 owner_sid, tok+7)) {
466 DEBUG(5, ("Failed to parse owner sid\n"));
467 goto done;
469 continue;
472 if (StrnCaseCmp(tok,"GROUP:", 6) == 0) {
473 if (group_sid) {
474 DEBUG(5,("GROUP specified more than once!\n"));
475 goto done;
477 group_sid = SMB_CALLOC_ARRAY(DOM_SID, 1);
478 if (!group_sid ||
479 !convert_string_to_sid(ipc_cli, pol,
480 numeric,
481 group_sid, tok+6)) {
482 DEBUG(5, ("Failed to parse group sid\n"));
483 goto done;
485 continue;
488 if (StrnCaseCmp(tok,"GROUP+:", 7) == 0) {
489 if (group_sid) {
490 DEBUG(5,("GROUP specified more than once!\n"));
491 goto done;
493 group_sid = SMB_CALLOC_ARRAY(DOM_SID, 1);
494 if (!group_sid ||
495 !convert_string_to_sid(ipc_cli, pol,
496 False,
497 group_sid, tok+6)) {
498 DEBUG(5, ("Failed to parse group sid\n"));
499 goto done;
501 continue;
504 if (StrnCaseCmp(tok,"ACL:", 4) == 0) {
505 SEC_ACE ace;
506 if (!parse_ace(ipc_cli, pol, &ace, numeric, tok+4)) {
507 DEBUG(5, ("Failed to parse ACL %s\n", tok));
508 goto done;
510 if(!add_ace(&dacl, &ace, ctx)) {
511 DEBUG(5, ("Failed to add ACL %s\n", tok));
512 goto done;
514 continue;
517 if (StrnCaseCmp(tok,"ACL+:", 5) == 0) {
518 SEC_ACE ace;
519 if (!parse_ace(ipc_cli, pol, &ace, False, tok+5)) {
520 DEBUG(5, ("Failed to parse ACL %s\n", tok));
521 goto done;
523 if(!add_ace(&dacl, &ace, ctx)) {
524 DEBUG(5, ("Failed to add ACL %s\n", tok));
525 goto done;
527 continue;
530 DEBUG(5, ("Failed to parse security descriptor\n"));
531 goto done;
534 ret = make_sec_desc(ctx, revision, SEC_DESC_SELF_RELATIVE,
535 owner_sid, group_sid, NULL, dacl, &sd_size);
537 done:
538 SAFE_FREE(group_sid);
539 SAFE_FREE(owner_sid);
540 return ret;
544 /* Obtain the current dos attributes */
545 static DOS_ATTR_DESC *
546 dos_attr_query(SMBCCTX *context,
547 TALLOC_CTX *ctx,
548 const char *filename,
549 SMBCSRV *srv)
551 struct timespec create_time_ts;
552 struct timespec write_time_ts;
553 struct timespec access_time_ts;
554 struct timespec change_time_ts;
555 SMB_OFF_T size = 0;
556 uint16 mode = 0;
557 SMB_INO_T inode = 0;
558 DOS_ATTR_DESC *ret;
560 ret = TALLOC_P(ctx, DOS_ATTR_DESC);
561 if (!ret) {
562 errno = ENOMEM;
563 return NULL;
566 /* Obtain the DOS attributes */
567 if (!SMBC_getatr(context, srv, CONST_DISCARD(char *, filename),
568 &mode, &size,
569 &create_time_ts,
570 &access_time_ts,
571 &write_time_ts,
572 &change_time_ts,
573 &inode)) {
574 errno = SMBC_errno(context, srv->cli);
575 DEBUG(5, ("dos_attr_query Failed to query old attributes\n"));
576 return NULL;
579 ret->mode = mode;
580 ret->size = size;
581 ret->create_time = convert_timespec_to_time_t(create_time_ts);
582 ret->access_time = convert_timespec_to_time_t(access_time_ts);
583 ret->write_time = convert_timespec_to_time_t(write_time_ts);
584 ret->change_time = convert_timespec_to_time_t(change_time_ts);
585 ret->inode = inode;
587 return ret;
591 /* parse a ascii version of a security descriptor */
592 static void
593 dos_attr_parse(SMBCCTX *context,
594 DOS_ATTR_DESC *dad,
595 SMBCSRV *srv,
596 char *str)
598 int n;
599 const char *p = str;
600 char *tok = NULL;
601 TALLOC_CTX *frame = NULL;
602 struct {
603 const char * create_time_attr;
604 const char * access_time_attr;
605 const char * write_time_attr;
606 const char * change_time_attr;
607 } attr_strings;
609 /* Determine whether to use old-style or new-style attribute names */
610 if (context->internal->full_time_names) {
611 /* new-style names */
612 attr_strings.create_time_attr = "CREATE_TIME";
613 attr_strings.access_time_attr = "ACCESS_TIME";
614 attr_strings.write_time_attr = "WRITE_TIME";
615 attr_strings.change_time_attr = "CHANGE_TIME";
616 } else {
617 /* old-style names */
618 attr_strings.create_time_attr = NULL;
619 attr_strings.access_time_attr = "A_TIME";
620 attr_strings.write_time_attr = "M_TIME";
621 attr_strings.change_time_attr = "C_TIME";
624 /* if this is to set the entire ACL... */
625 if (*str == '*') {
626 /* ... then increment past the first colon if there is one */
627 if ((p = strchr(str, ':')) != NULL) {
628 ++p;
629 } else {
630 p = str;
634 frame = talloc_stackframe();
635 while (next_token_talloc(frame, &p, &tok, "\t,\r\n")) {
636 if (StrnCaseCmp(tok, "MODE:", 5) == 0) {
637 long request = strtol(tok+5, NULL, 16);
638 if (request == 0) {
639 dad->mode = (request |
640 (IS_DOS_DIR(dad->mode)
641 ? FILE_ATTRIBUTE_DIRECTORY
642 : FILE_ATTRIBUTE_NORMAL));
643 } else {
644 dad->mode = request;
646 continue;
649 if (StrnCaseCmp(tok, "SIZE:", 5) == 0) {
650 dad->size = (SMB_OFF_T)atof(tok+5);
651 continue;
654 n = strlen(attr_strings.access_time_attr);
655 if (StrnCaseCmp(tok, attr_strings.access_time_attr, n) == 0) {
656 dad->access_time = (time_t)strtol(tok+n+1, NULL, 10);
657 continue;
660 n = strlen(attr_strings.change_time_attr);
661 if (StrnCaseCmp(tok, attr_strings.change_time_attr, n) == 0) {
662 dad->change_time = (time_t)strtol(tok+n+1, NULL, 10);
663 continue;
666 n = strlen(attr_strings.write_time_attr);
667 if (StrnCaseCmp(tok, attr_strings.write_time_attr, n) == 0) {
668 dad->write_time = (time_t)strtol(tok+n+1, NULL, 10);
669 continue;
672 if (attr_strings.create_time_attr != NULL) {
673 n = strlen(attr_strings.create_time_attr);
674 if (StrnCaseCmp(tok, attr_strings.create_time_attr,
675 n) == 0) {
676 dad->create_time = (time_t)strtol(tok+n+1,
677 NULL, 10);
678 continue;
682 if (StrnCaseCmp(tok, "INODE:", 6) == 0) {
683 dad->inode = (SMB_INO_T)atof(tok+6);
684 continue;
687 TALLOC_FREE(frame);
690 /*****************************************************
691 Retrieve the acls for a file.
692 *******************************************************/
694 static int
695 cacl_get(SMBCCTX *context,
696 TALLOC_CTX *ctx,
697 SMBCSRV *srv,
698 struct cli_state *ipc_cli,
699 struct policy_handle *pol,
700 char *filename,
701 char *attr_name,
702 char *buf,
703 int bufsize)
705 uint32 i;
706 int n = 0;
707 int n_used;
708 bool all;
709 bool all_nt;
710 bool all_nt_acls;
711 bool all_dos;
712 bool some_nt;
713 bool some_dos;
714 bool exclude_nt_revision = False;
715 bool exclude_nt_owner = False;
716 bool exclude_nt_group = False;
717 bool exclude_nt_acl = False;
718 bool exclude_dos_mode = False;
719 bool exclude_dos_size = False;
720 bool exclude_dos_create_time = False;
721 bool exclude_dos_access_time = False;
722 bool exclude_dos_write_time = False;
723 bool exclude_dos_change_time = False;
724 bool exclude_dos_inode = False;
725 bool numeric = True;
726 bool determine_size = (bufsize == 0);
727 uint16_t fnum;
728 SEC_DESC *sd;
729 fstring sidstr;
730 fstring name_sandbox;
731 char *name;
732 char *pExclude;
733 char *p;
734 struct timespec create_time_ts;
735 struct timespec write_time_ts;
736 struct timespec access_time_ts;
737 struct timespec change_time_ts;
738 time_t create_time = (time_t)0;
739 time_t write_time = (time_t)0;
740 time_t access_time = (time_t)0;
741 time_t change_time = (time_t)0;
742 SMB_OFF_T size = 0;
743 uint16 mode = 0;
744 SMB_INO_T ino = 0;
745 struct cli_state *cli = srv->cli;
746 struct {
747 const char * create_time_attr;
748 const char * access_time_attr;
749 const char * write_time_attr;
750 const char * change_time_attr;
751 } attr_strings;
752 struct {
753 const char * create_time_attr;
754 const char * access_time_attr;
755 const char * write_time_attr;
756 const char * change_time_attr;
757 } excl_attr_strings;
759 /* Determine whether to use old-style or new-style attribute names */
760 if (context->internal->full_time_names) {
761 /* new-style names */
762 attr_strings.create_time_attr = "CREATE_TIME";
763 attr_strings.access_time_attr = "ACCESS_TIME";
764 attr_strings.write_time_attr = "WRITE_TIME";
765 attr_strings.change_time_attr = "CHANGE_TIME";
767 excl_attr_strings.create_time_attr = "CREATE_TIME";
768 excl_attr_strings.access_time_attr = "ACCESS_TIME";
769 excl_attr_strings.write_time_attr = "WRITE_TIME";
770 excl_attr_strings.change_time_attr = "CHANGE_TIME";
771 } else {
772 /* old-style names */
773 attr_strings.create_time_attr = NULL;
774 attr_strings.access_time_attr = "A_TIME";
775 attr_strings.write_time_attr = "M_TIME";
776 attr_strings.change_time_attr = "C_TIME";
778 excl_attr_strings.create_time_attr = NULL;
779 excl_attr_strings.access_time_attr = "dos_attr.A_TIME";
780 excl_attr_strings.write_time_attr = "dos_attr.M_TIME";
781 excl_attr_strings.change_time_attr = "dos_attr.C_TIME";
784 /* Copy name so we can strip off exclusions (if any are specified) */
785 strncpy(name_sandbox, attr_name, sizeof(name_sandbox) - 1);
787 /* Ensure name is null terminated */
788 name_sandbox[sizeof(name_sandbox) - 1] = '\0';
790 /* Play in the sandbox */
791 name = name_sandbox;
793 /* If there are any exclusions, point to them and mask them from name */
794 if ((pExclude = strchr(name, '!')) != NULL)
796 *pExclude++ = '\0';
799 all = (StrnCaseCmp(name, "system.*", 8) == 0);
800 all_nt = (StrnCaseCmp(name, "system.nt_sec_desc.*", 20) == 0);
801 all_nt_acls = (StrnCaseCmp(name, "system.nt_sec_desc.acl.*", 24) == 0);
802 all_dos = (StrnCaseCmp(name, "system.dos_attr.*", 17) == 0);
803 some_nt = (StrnCaseCmp(name, "system.nt_sec_desc.", 19) == 0);
804 some_dos = (StrnCaseCmp(name, "system.dos_attr.", 16) == 0);
805 numeric = (* (name + strlen(name) - 1) != '+');
807 /* Look for exclusions from "all" requests */
808 if (all || all_nt || all_dos) {
809 /* Exclusions are delimited by '!' */
810 for (;
811 pExclude != NULL;
812 pExclude = (p == NULL ? NULL : p + 1)) {
814 /* Find end of this exclusion name */
815 if ((p = strchr(pExclude, '!')) != NULL)
817 *p = '\0';
820 /* Which exclusion name is this? */
821 if (StrCaseCmp(pExclude,
822 "nt_sec_desc.revision") == 0) {
823 exclude_nt_revision = True;
825 else if (StrCaseCmp(pExclude,
826 "nt_sec_desc.owner") == 0) {
827 exclude_nt_owner = True;
829 else if (StrCaseCmp(pExclude,
830 "nt_sec_desc.group") == 0) {
831 exclude_nt_group = True;
833 else if (StrCaseCmp(pExclude,
834 "nt_sec_desc.acl") == 0) {
835 exclude_nt_acl = True;
837 else if (StrCaseCmp(pExclude,
838 "dos_attr.mode") == 0) {
839 exclude_dos_mode = True;
841 else if (StrCaseCmp(pExclude,
842 "dos_attr.size") == 0) {
843 exclude_dos_size = True;
845 else if (excl_attr_strings.create_time_attr != NULL &&
846 StrCaseCmp(pExclude,
847 excl_attr_strings.change_time_attr) == 0) {
848 exclude_dos_create_time = True;
850 else if (StrCaseCmp(pExclude,
851 excl_attr_strings.access_time_attr) == 0) {
852 exclude_dos_access_time = True;
854 else if (StrCaseCmp(pExclude,
855 excl_attr_strings.write_time_attr) == 0) {
856 exclude_dos_write_time = True;
858 else if (StrCaseCmp(pExclude,
859 excl_attr_strings.change_time_attr) == 0) {
860 exclude_dos_change_time = True;
862 else if (StrCaseCmp(pExclude, "dos_attr.inode") == 0) {
863 exclude_dos_inode = True;
865 else {
866 DEBUG(5, ("cacl_get received unknown exclusion: %s\n",
867 pExclude));
868 errno = ENOATTR;
869 return -1;
874 n_used = 0;
877 * If we are (possibly) talking to an NT or new system and some NT
878 * attributes have been requested...
880 if (ipc_cli && (all || some_nt || all_nt_acls)) {
881 char *targetpath = NULL;
882 struct cli_state *targetcli = NULL;
884 /* Point to the portion after "system.nt_sec_desc." */
885 name += 19; /* if (all) this will be invalid but unused */
887 if (!cli_resolve_path(ctx, "", context->internal->auth_info,
888 cli, filename,
889 &targetcli, &targetpath)) {
890 DEBUG(5, ("cacl_get Could not resolve %s\n",
891 filename));
892 errno = ENOENT;
893 return -1;
896 /* ... then obtain any NT attributes which were requested */
897 if (!NT_STATUS_IS_OK(cli_ntcreate(targetcli, targetpath, 0, CREATE_ACCESS_READ, 0,
898 FILE_SHARE_READ|FILE_SHARE_WRITE, FILE_OPEN, 0x0, 0x0, &fnum))) {
899 DEBUG(5, ("cacl_get failed to open %s: %s\n",
900 targetpath, cli_errstr(targetcli)));
901 errno = 0;
902 return -1;
905 sd = cli_query_secdesc(targetcli, fnum, ctx);
907 if (!sd) {
908 DEBUG(5,
909 ("cacl_get Failed to query old descriptor\n"));
910 errno = 0;
911 return -1;
914 cli_close(targetcli, fnum);
916 if (! exclude_nt_revision) {
917 if (all || all_nt) {
918 if (determine_size) {
919 p = talloc_asprintf(ctx,
920 "REVISION:%d",
921 sd->revision);
922 if (!p) {
923 errno = ENOMEM;
924 return -1;
926 n = strlen(p);
927 } else {
928 n = snprintf(buf, bufsize,
929 "REVISION:%d",
930 sd->revision);
932 } else if (StrCaseCmp(name, "revision") == 0) {
933 if (determine_size) {
934 p = talloc_asprintf(ctx, "%d",
935 sd->revision);
936 if (!p) {
937 errno = ENOMEM;
938 return -1;
940 n = strlen(p);
941 } else {
942 n = snprintf(buf, bufsize, "%d",
943 sd->revision);
947 if (!determine_size && n > bufsize) {
948 errno = ERANGE;
949 return -1;
951 buf += n;
952 n_used += n;
953 bufsize -= n;
954 n = 0;
957 if (! exclude_nt_owner) {
958 /* Get owner and group sid */
959 if (sd->owner_sid) {
960 convert_sid_to_string(ipc_cli, pol,
961 sidstr,
962 numeric,
963 sd->owner_sid);
964 } else {
965 fstrcpy(sidstr, "");
968 if (all || all_nt) {
969 if (determine_size) {
970 p = talloc_asprintf(ctx, ",OWNER:%s",
971 sidstr);
972 if (!p) {
973 errno = ENOMEM;
974 return -1;
976 n = strlen(p);
977 } else if (sidstr[0] != '\0') {
978 n = snprintf(buf, bufsize,
979 ",OWNER:%s", sidstr);
981 } else if (StrnCaseCmp(name, "owner", 5) == 0) {
982 if (determine_size) {
983 p = talloc_asprintf(ctx, "%s", sidstr);
984 if (!p) {
985 errno = ENOMEM;
986 return -1;
988 n = strlen(p);
989 } else {
990 n = snprintf(buf, bufsize, "%s",
991 sidstr);
995 if (!determine_size && n > bufsize) {
996 errno = ERANGE;
997 return -1;
999 buf += n;
1000 n_used += n;
1001 bufsize -= n;
1002 n = 0;
1005 if (! exclude_nt_group) {
1006 if (sd->group_sid) {
1007 convert_sid_to_string(ipc_cli, pol,
1008 sidstr, numeric,
1009 sd->group_sid);
1010 } else {
1011 fstrcpy(sidstr, "");
1014 if (all || all_nt) {
1015 if (determine_size) {
1016 p = talloc_asprintf(ctx, ",GROUP:%s",
1017 sidstr);
1018 if (!p) {
1019 errno = ENOMEM;
1020 return -1;
1022 n = strlen(p);
1023 } else if (sidstr[0] != '\0') {
1024 n = snprintf(buf, bufsize,
1025 ",GROUP:%s", sidstr);
1027 } else if (StrnCaseCmp(name, "group", 5) == 0) {
1028 if (determine_size) {
1029 p = talloc_asprintf(ctx, "%s", sidstr);
1030 if (!p) {
1031 errno = ENOMEM;
1032 return -1;
1034 n = strlen(p);
1035 } else {
1036 n = snprintf(buf, bufsize,
1037 "%s", sidstr);
1041 if (!determine_size && n > bufsize) {
1042 errno = ERANGE;
1043 return -1;
1045 buf += n;
1046 n_used += n;
1047 bufsize -= n;
1048 n = 0;
1051 if (! exclude_nt_acl) {
1052 /* Add aces to value buffer */
1053 for (i = 0; sd->dacl && i < sd->dacl->num_aces; i++) {
1055 SEC_ACE *ace = &sd->dacl->aces[i];
1056 convert_sid_to_string(ipc_cli, pol,
1057 sidstr, numeric,
1058 &ace->trustee);
1060 if (all || all_nt) {
1061 if (determine_size) {
1062 p = talloc_asprintf(
1063 ctx,
1064 ",ACL:"
1065 "%s:%d/%d/0x%08x",
1066 sidstr,
1067 ace->type,
1068 ace->flags,
1069 ace->access_mask);
1070 if (!p) {
1071 errno = ENOMEM;
1072 return -1;
1074 n = strlen(p);
1075 } else {
1076 n = snprintf(
1077 buf, bufsize,
1078 ",ACL:%s:%d/%d/0x%08x",
1079 sidstr,
1080 ace->type,
1081 ace->flags,
1082 ace->access_mask);
1084 } else if ((StrnCaseCmp(name, "acl", 3) == 0 &&
1085 StrCaseCmp(name+3, sidstr) == 0) ||
1086 (StrnCaseCmp(name, "acl+", 4) == 0 &&
1087 StrCaseCmp(name+4, sidstr) == 0)) {
1088 if (determine_size) {
1089 p = talloc_asprintf(
1090 ctx,
1091 "%d/%d/0x%08x",
1092 ace->type,
1093 ace->flags,
1094 ace->access_mask);
1095 if (!p) {
1096 errno = ENOMEM;
1097 return -1;
1099 n = strlen(p);
1100 } else {
1101 n = snprintf(buf, bufsize,
1102 "%d/%d/0x%08x",
1103 ace->type,
1104 ace->flags,
1105 ace->access_mask);
1107 } else if (all_nt_acls) {
1108 if (determine_size) {
1109 p = talloc_asprintf(
1110 ctx,
1111 "%s%s:%d/%d/0x%08x",
1112 i ? "," : "",
1113 sidstr,
1114 ace->type,
1115 ace->flags,
1116 ace->access_mask);
1117 if (!p) {
1118 errno = ENOMEM;
1119 return -1;
1121 n = strlen(p);
1122 } else {
1123 n = snprintf(buf, bufsize,
1124 "%s%s:%d/%d/0x%08x",
1125 i ? "," : "",
1126 sidstr,
1127 ace->type,
1128 ace->flags,
1129 ace->access_mask);
1132 if (!determine_size && n > bufsize) {
1133 errno = ERANGE;
1134 return -1;
1136 buf += n;
1137 n_used += n;
1138 bufsize -= n;
1139 n = 0;
1143 /* Restore name pointer to its original value */
1144 name -= 19;
1147 if (all || some_dos) {
1148 /* Point to the portion after "system.dos_attr." */
1149 name += 16; /* if (all) this will be invalid but unused */
1151 /* Obtain the DOS attributes */
1152 if (!SMBC_getatr(context, srv, filename, &mode, &size,
1153 &create_time_ts,
1154 &access_time_ts,
1155 &write_time_ts,
1156 &change_time_ts,
1157 &ino)) {
1159 errno = SMBC_errno(context, srv->cli);
1160 return -1;
1163 create_time = convert_timespec_to_time_t(create_time_ts);
1164 access_time = convert_timespec_to_time_t(access_time_ts);
1165 write_time = convert_timespec_to_time_t(write_time_ts);
1166 change_time = convert_timespec_to_time_t(change_time_ts);
1168 if (! exclude_dos_mode) {
1169 if (all || all_dos) {
1170 if (determine_size) {
1171 p = talloc_asprintf(ctx,
1172 "%sMODE:0x%x",
1173 (ipc_cli &&
1174 (all || some_nt)
1175 ? ","
1176 : ""),
1177 mode);
1178 if (!p) {
1179 errno = ENOMEM;
1180 return -1;
1182 n = strlen(p);
1183 } else {
1184 n = snprintf(buf, bufsize,
1185 "%sMODE:0x%x",
1186 (ipc_cli &&
1187 (all || some_nt)
1188 ? ","
1189 : ""),
1190 mode);
1192 } else if (StrCaseCmp(name, "mode") == 0) {
1193 if (determine_size) {
1194 p = talloc_asprintf(ctx, "0x%x", mode);
1195 if (!p) {
1196 errno = ENOMEM;
1197 return -1;
1199 n = strlen(p);
1200 } else {
1201 n = snprintf(buf, bufsize,
1202 "0x%x", mode);
1206 if (!determine_size && n > bufsize) {
1207 errno = ERANGE;
1208 return -1;
1210 buf += n;
1211 n_used += n;
1212 bufsize -= n;
1213 n = 0;
1216 if (! exclude_dos_size) {
1217 if (all || all_dos) {
1218 if (determine_size) {
1219 p = talloc_asprintf(
1220 ctx,
1221 ",SIZE:%.0f",
1222 (double)size);
1223 if (!p) {
1224 errno = ENOMEM;
1225 return -1;
1227 n = strlen(p);
1228 } else {
1229 n = snprintf(buf, bufsize,
1230 ",SIZE:%.0f",
1231 (double)size);
1233 } else if (StrCaseCmp(name, "size") == 0) {
1234 if (determine_size) {
1235 p = talloc_asprintf(
1236 ctx,
1237 "%.0f",
1238 (double)size);
1239 if (!p) {
1240 errno = ENOMEM;
1241 return -1;
1243 n = strlen(p);
1244 } else {
1245 n = snprintf(buf, bufsize,
1246 "%.0f",
1247 (double)size);
1251 if (!determine_size && n > bufsize) {
1252 errno = ERANGE;
1253 return -1;
1255 buf += n;
1256 n_used += n;
1257 bufsize -= n;
1258 n = 0;
1261 if (! exclude_dos_create_time &&
1262 attr_strings.create_time_attr != NULL) {
1263 if (all || all_dos) {
1264 if (determine_size) {
1265 p = talloc_asprintf(ctx,
1266 ",%s:%lu",
1267 attr_strings.create_time_attr,
1268 (unsigned long) create_time);
1269 if (!p) {
1270 errno = ENOMEM;
1271 return -1;
1273 n = strlen(p);
1274 } else {
1275 n = snprintf(buf, bufsize,
1276 ",%s:%lu",
1277 attr_strings.create_time_attr,
1278 (unsigned long) create_time);
1280 } else if (StrCaseCmp(name, attr_strings.create_time_attr) == 0) {
1281 if (determine_size) {
1282 p = talloc_asprintf(ctx, "%lu", (unsigned long) create_time);
1283 if (!p) {
1284 errno = ENOMEM;
1285 return -1;
1287 n = strlen(p);
1288 } else {
1289 n = snprintf(buf, bufsize,
1290 "%lu", (unsigned long) create_time);
1294 if (!determine_size && n > bufsize) {
1295 errno = ERANGE;
1296 return -1;
1298 buf += n;
1299 n_used += n;
1300 bufsize -= n;
1301 n = 0;
1304 if (! exclude_dos_access_time) {
1305 if (all || all_dos) {
1306 if (determine_size) {
1307 p = talloc_asprintf(ctx,
1308 ",%s:%lu",
1309 attr_strings.access_time_attr,
1310 (unsigned long) access_time);
1311 if (!p) {
1312 errno = ENOMEM;
1313 return -1;
1315 n = strlen(p);
1316 } else {
1317 n = snprintf(buf, bufsize,
1318 ",%s:%lu",
1319 attr_strings.access_time_attr,
1320 (unsigned long) access_time);
1322 } else if (StrCaseCmp(name, attr_strings.access_time_attr) == 0) {
1323 if (determine_size) {
1324 p = talloc_asprintf(ctx, "%lu", (unsigned long) access_time);
1325 if (!p) {
1326 errno = ENOMEM;
1327 return -1;
1329 n = strlen(p);
1330 } else {
1331 n = snprintf(buf, bufsize,
1332 "%lu", (unsigned long) access_time);
1336 if (!determine_size && n > bufsize) {
1337 errno = ERANGE;
1338 return -1;
1340 buf += n;
1341 n_used += n;
1342 bufsize -= n;
1343 n = 0;
1346 if (! exclude_dos_write_time) {
1347 if (all || all_dos) {
1348 if (determine_size) {
1349 p = talloc_asprintf(ctx,
1350 ",%s:%lu",
1351 attr_strings.write_time_attr,
1352 (unsigned long) write_time);
1353 if (!p) {
1354 errno = ENOMEM;
1355 return -1;
1357 n = strlen(p);
1358 } else {
1359 n = snprintf(buf, bufsize,
1360 ",%s:%lu",
1361 attr_strings.write_time_attr,
1362 (unsigned long) write_time);
1364 } else if (StrCaseCmp(name, attr_strings.write_time_attr) == 0) {
1365 if (determine_size) {
1366 p = talloc_asprintf(ctx, "%lu", (unsigned long) write_time);
1367 if (!p) {
1368 errno = ENOMEM;
1369 return -1;
1371 n = strlen(p);
1372 } else {
1373 n = snprintf(buf, bufsize,
1374 "%lu", (unsigned long) write_time);
1378 if (!determine_size && n > bufsize) {
1379 errno = ERANGE;
1380 return -1;
1382 buf += n;
1383 n_used += n;
1384 bufsize -= n;
1385 n = 0;
1388 if (! exclude_dos_change_time) {
1389 if (all || all_dos) {
1390 if (determine_size) {
1391 p = talloc_asprintf(ctx,
1392 ",%s:%lu",
1393 attr_strings.change_time_attr,
1394 (unsigned long) change_time);
1395 if (!p) {
1396 errno = ENOMEM;
1397 return -1;
1399 n = strlen(p);
1400 } else {
1401 n = snprintf(buf, bufsize,
1402 ",%s:%lu",
1403 attr_strings.change_time_attr,
1404 (unsigned long) change_time);
1406 } else if (StrCaseCmp(name, attr_strings.change_time_attr) == 0) {
1407 if (determine_size) {
1408 p = talloc_asprintf(ctx, "%lu", (unsigned long) change_time);
1409 if (!p) {
1410 errno = ENOMEM;
1411 return -1;
1413 n = strlen(p);
1414 } else {
1415 n = snprintf(buf, bufsize,
1416 "%lu", (unsigned long) change_time);
1420 if (!determine_size && n > bufsize) {
1421 errno = ERANGE;
1422 return -1;
1424 buf += n;
1425 n_used += n;
1426 bufsize -= n;
1427 n = 0;
1430 if (! exclude_dos_inode) {
1431 if (all || all_dos) {
1432 if (determine_size) {
1433 p = talloc_asprintf(
1434 ctx,
1435 ",INODE:%.0f",
1436 (double)ino);
1437 if (!p) {
1438 errno = ENOMEM;
1439 return -1;
1441 n = strlen(p);
1442 } else {
1443 n = snprintf(buf, bufsize,
1444 ",INODE:%.0f",
1445 (double) ino);
1447 } else if (StrCaseCmp(name, "inode") == 0) {
1448 if (determine_size) {
1449 p = talloc_asprintf(
1450 ctx,
1451 "%.0f",
1452 (double) ino);
1453 if (!p) {
1454 errno = ENOMEM;
1455 return -1;
1457 n = strlen(p);
1458 } else {
1459 n = snprintf(buf, bufsize,
1460 "%.0f",
1461 (double) ino);
1465 if (!determine_size && n > bufsize) {
1466 errno = ERANGE;
1467 return -1;
1469 buf += n;
1470 n_used += n;
1471 bufsize -= n;
1472 n = 0;
1475 /* Restore name pointer to its original value */
1476 name -= 16;
1479 if (n_used == 0) {
1480 errno = ENOATTR;
1481 return -1;
1484 return n_used;
1487 /*****************************************************
1488 set the ACLs on a file given an ascii description
1489 *******************************************************/
1490 static int
1491 cacl_set(SMBCCTX *context,
1492 TALLOC_CTX *ctx,
1493 struct cli_state *cli,
1494 struct cli_state *ipc_cli,
1495 struct policy_handle *pol,
1496 const char *filename,
1497 char *the_acl,
1498 int mode,
1499 int flags)
1501 uint16_t fnum = (uint16_t)-1;
1502 int err = 0;
1503 SEC_DESC *sd = NULL, *old;
1504 SEC_ACL *dacl = NULL;
1505 DOM_SID *owner_sid = NULL;
1506 DOM_SID *group_sid = NULL;
1507 uint32 i, j;
1508 size_t sd_size;
1509 int ret = 0;
1510 char *p;
1511 bool numeric = True;
1512 char *targetpath = NULL;
1513 struct cli_state *targetcli = NULL;
1515 /* the_acl will be null for REMOVE_ALL operations */
1516 if (the_acl) {
1517 numeric = ((p = strchr(the_acl, ':')) != NULL &&
1518 p > the_acl &&
1519 p[-1] != '+');
1521 /* if this is to set the entire ACL... */
1522 if (*the_acl == '*') {
1523 /* ... then increment past the first colon */
1524 the_acl = p + 1;
1527 sd = sec_desc_parse(ctx, ipc_cli, pol, numeric, the_acl);
1528 if (!sd) {
1529 errno = EINVAL;
1530 return -1;
1534 /* SMBC_XATTR_MODE_REMOVE_ALL is the only caller
1535 that doesn't deref sd */
1537 if (!sd && (mode != SMBC_XATTR_MODE_REMOVE_ALL)) {
1538 errno = EINVAL;
1539 return -1;
1542 if (!cli_resolve_path(ctx, "", context->internal->auth_info,
1543 cli, filename,
1544 &targetcli, &targetpath)) {
1545 DEBUG(5,("cacl_set: Could not resolve %s\n", filename));
1546 errno = ENOENT;
1547 return -1;
1550 /* The desired access below is the only one I could find that works
1551 with NT4, W2KP and Samba */
1553 if (!NT_STATUS_IS_OK(cli_ntcreate(targetcli, targetpath, 0, CREATE_ACCESS_READ, 0,
1554 FILE_SHARE_READ|FILE_SHARE_WRITE, FILE_OPEN, 0x0, 0x0, &fnum))) {
1555 DEBUG(5, ("cacl_set failed to open %s: %s\n",
1556 targetpath, cli_errstr(targetcli)));
1557 errno = 0;
1558 return -1;
1561 old = cli_query_secdesc(targetcli, fnum, ctx);
1563 if (!old) {
1564 DEBUG(5, ("cacl_set Failed to query old descriptor\n"));
1565 errno = 0;
1566 return -1;
1569 cli_close(targetcli, fnum);
1571 switch (mode) {
1572 case SMBC_XATTR_MODE_REMOVE_ALL:
1573 old->dacl->num_aces = 0;
1574 dacl = old->dacl;
1575 break;
1577 case SMBC_XATTR_MODE_REMOVE:
1578 for (i=0;sd->dacl && i<sd->dacl->num_aces;i++) {
1579 bool found = False;
1581 for (j=0;old->dacl && j<old->dacl->num_aces;j++) {
1582 if (sec_ace_equal(&sd->dacl->aces[i],
1583 &old->dacl->aces[j])) {
1584 uint32 k;
1585 for (k=j; k<old->dacl->num_aces-1;k++) {
1586 old->dacl->aces[k] =
1587 old->dacl->aces[k+1];
1589 old->dacl->num_aces--;
1590 found = True;
1591 dacl = old->dacl;
1592 break;
1596 if (!found) {
1597 err = ENOATTR;
1598 ret = -1;
1599 goto failed;
1602 break;
1604 case SMBC_XATTR_MODE_ADD:
1605 for (i=0;sd->dacl && i<sd->dacl->num_aces;i++) {
1606 bool found = False;
1608 for (j=0;old->dacl && j<old->dacl->num_aces;j++) {
1609 if (sid_equal(&sd->dacl->aces[i].trustee,
1610 &old->dacl->aces[j].trustee)) {
1611 if (!(flags & SMBC_XATTR_FLAG_CREATE)) {
1612 err = EEXIST;
1613 ret = -1;
1614 goto failed;
1616 old->dacl->aces[j] = sd->dacl->aces[i];
1617 ret = -1;
1618 found = True;
1622 if (!found && (flags & SMBC_XATTR_FLAG_REPLACE)) {
1623 err = ENOATTR;
1624 ret = -1;
1625 goto failed;
1628 for (i=0;sd->dacl && i<sd->dacl->num_aces;i++) {
1629 add_ace(&old->dacl, &sd->dacl->aces[i], ctx);
1632 dacl = old->dacl;
1633 break;
1635 case SMBC_XATTR_MODE_SET:
1636 old = sd;
1637 owner_sid = old->owner_sid;
1638 group_sid = old->group_sid;
1639 dacl = old->dacl;
1640 break;
1642 case SMBC_XATTR_MODE_CHOWN:
1643 owner_sid = sd->owner_sid;
1644 break;
1646 case SMBC_XATTR_MODE_CHGRP:
1647 group_sid = sd->group_sid;
1648 break;
1651 /* Denied ACE entries must come before allowed ones */
1652 sort_acl(old->dacl);
1654 /* Create new security descriptor and set it */
1655 sd = make_sec_desc(ctx, old->revision, SEC_DESC_SELF_RELATIVE,
1656 owner_sid, group_sid, NULL, dacl, &sd_size);
1658 if (!NT_STATUS_IS_OK(cli_ntcreate(targetcli, targetpath, 0,
1659 WRITE_DAC_ACCESS | WRITE_OWNER_ACCESS, 0,
1660 FILE_SHARE_READ|FILE_SHARE_WRITE, FILE_OPEN, 0x0, 0x0, &fnum))) {
1661 DEBUG(5, ("cacl_set failed to open %s: %s\n",
1662 targetpath, cli_errstr(targetcli)));
1663 errno = 0;
1664 return -1;
1667 if (!cli_set_secdesc(targetcli, fnum, sd)) {
1668 DEBUG(5, ("ERROR: secdesc set failed: %s\n",
1669 cli_errstr(targetcli)));
1670 ret = -1;
1673 /* Clean up */
1675 failed:
1676 cli_close(targetcli, fnum);
1678 if (err != 0) {
1679 errno = err;
1682 return ret;
1687 SMBC_setxattr_ctx(SMBCCTX *context,
1688 const char *fname,
1689 const char *name,
1690 const void *value,
1691 size_t size,
1692 int flags)
1694 int ret;
1695 int ret2;
1696 SMBCSRV *srv = NULL;
1697 SMBCSRV *ipc_srv = NULL;
1698 char *server = NULL;
1699 char *share = NULL;
1700 char *user = NULL;
1701 char *password = NULL;
1702 char *workgroup = NULL;
1703 char *path = NULL;
1704 DOS_ATTR_DESC *dad = NULL;
1705 struct {
1706 const char * create_time_attr;
1707 const char * access_time_attr;
1708 const char * write_time_attr;
1709 const char * change_time_attr;
1710 } attr_strings;
1711 TALLOC_CTX *frame = talloc_stackframe();
1713 if (!context || !context->internal->initialized) {
1714 errno = EINVAL; /* Best I can think of ... */
1715 TALLOC_FREE(frame);
1716 return -1;
1719 if (!fname) {
1720 errno = EINVAL;
1721 TALLOC_FREE(frame);
1722 return -1;
1725 DEBUG(4, ("smbc_setxattr(%s, %s, %.*s)\n",
1726 fname, name, (int) size, (const char*)value));
1728 if (SMBC_parse_path(frame,
1729 context,
1730 fname,
1731 &workgroup,
1732 &server,
1733 &share,
1734 &path,
1735 &user,
1736 &password,
1737 NULL)) {
1738 errno = EINVAL;
1739 TALLOC_FREE(frame);
1740 return -1;
1743 if (!user || user[0] == (char)0) {
1744 user = talloc_strdup(frame, smbc_getUser(context));
1745 if (!user) {
1746 errno = ENOMEM;
1747 TALLOC_FREE(frame);
1748 return -1;
1752 srv = SMBC_server(frame, context, True,
1753 server, share, &workgroup, &user, &password);
1754 if (!srv) {
1755 TALLOC_FREE(frame);
1756 return -1; /* errno set by SMBC_server */
1759 if (! srv->no_nt_session) {
1760 ipc_srv = SMBC_attr_server(frame, context, server, share,
1761 &workgroup, &user, &password);
1762 if (! ipc_srv) {
1763 srv->no_nt_session = True;
1765 } else {
1766 ipc_srv = NULL;
1770 * Are they asking to set the entire set of known attributes?
1772 if (StrCaseCmp(name, "system.*") == 0 ||
1773 StrCaseCmp(name, "system.*+") == 0) {
1774 /* Yup. */
1775 char *namevalue =
1776 talloc_asprintf(talloc_tos(), "%s:%s",
1777 name+7, (const char *) value);
1778 if (! namevalue) {
1779 errno = ENOMEM;
1780 ret = -1;
1781 TALLOC_FREE(frame);
1782 return -1;
1785 if (ipc_srv) {
1786 ret = cacl_set(context, talloc_tos(), srv->cli,
1787 ipc_srv->cli, &ipc_srv->pol, path,
1788 namevalue,
1789 (*namevalue == '*'
1790 ? SMBC_XATTR_MODE_SET
1791 : SMBC_XATTR_MODE_ADD),
1792 flags);
1793 } else {
1794 ret = 0;
1797 /* get a DOS Attribute Descriptor with current attributes */
1798 dad = dos_attr_query(context, talloc_tos(), path, srv);
1799 if (dad) {
1800 /* Overwrite old with new, using what was provided */
1801 dos_attr_parse(context, dad, srv, namevalue);
1803 /* Set the new DOS attributes */
1804 if (! SMBC_setatr(context, srv, path,
1805 dad->create_time,
1806 dad->access_time,
1807 dad->write_time,
1808 dad->change_time,
1809 dad->mode)) {
1811 /* cause failure if NT failed too */
1812 dad = NULL;
1816 /* we only fail if both NT and DOS sets failed */
1817 if (ret < 0 && ! dad) {
1818 ret = -1; /* in case dad was null */
1820 else {
1821 ret = 0;
1824 TALLOC_FREE(frame);
1825 return ret;
1829 * Are they asking to set an access control element or to set
1830 * the entire access control list?
1832 if (StrCaseCmp(name, "system.nt_sec_desc.*") == 0 ||
1833 StrCaseCmp(name, "system.nt_sec_desc.*+") == 0 ||
1834 StrCaseCmp(name, "system.nt_sec_desc.revision") == 0 ||
1835 StrnCaseCmp(name, "system.nt_sec_desc.acl", 22) == 0 ||
1836 StrnCaseCmp(name, "system.nt_sec_desc.acl+", 23) == 0) {
1838 /* Yup. */
1839 char *namevalue =
1840 talloc_asprintf(talloc_tos(), "%s:%s",
1841 name+19, (const char *) value);
1843 if (! ipc_srv) {
1844 ret = -1; /* errno set by SMBC_server() */
1846 else if (! namevalue) {
1847 errno = ENOMEM;
1848 ret = -1;
1849 } else {
1850 ret = cacl_set(context, talloc_tos(), srv->cli,
1851 ipc_srv->cli, &ipc_srv->pol, path,
1852 namevalue,
1853 (*namevalue == '*'
1854 ? SMBC_XATTR_MODE_SET
1855 : SMBC_XATTR_MODE_ADD),
1856 flags);
1858 TALLOC_FREE(frame);
1859 return ret;
1863 * Are they asking to set the owner?
1865 if (StrCaseCmp(name, "system.nt_sec_desc.owner") == 0 ||
1866 StrCaseCmp(name, "system.nt_sec_desc.owner+") == 0) {
1868 /* Yup. */
1869 char *namevalue =
1870 talloc_asprintf(talloc_tos(), "%s:%s",
1871 name+19, (const char *) value);
1873 if (! ipc_srv) {
1874 ret = -1; /* errno set by SMBC_server() */
1876 else if (! namevalue) {
1877 errno = ENOMEM;
1878 ret = -1;
1879 } else {
1880 ret = cacl_set(context, talloc_tos(), srv->cli,
1881 ipc_srv->cli, &ipc_srv->pol, path,
1882 namevalue, SMBC_XATTR_MODE_CHOWN, 0);
1884 TALLOC_FREE(frame);
1885 return ret;
1889 * Are they asking to set the group?
1891 if (StrCaseCmp(name, "system.nt_sec_desc.group") == 0 ||
1892 StrCaseCmp(name, "system.nt_sec_desc.group+") == 0) {
1894 /* Yup. */
1895 char *namevalue =
1896 talloc_asprintf(talloc_tos(), "%s:%s",
1897 name+19, (const char *) value);
1899 if (! ipc_srv) {
1900 /* errno set by SMBC_server() */
1901 ret = -1;
1903 else if (! namevalue) {
1904 errno = ENOMEM;
1905 ret = -1;
1906 } else {
1907 ret = cacl_set(context, talloc_tos(), srv->cli,
1908 ipc_srv->cli, &ipc_srv->pol, path,
1909 namevalue, SMBC_XATTR_MODE_CHGRP, 0);
1911 TALLOC_FREE(frame);
1912 return ret;
1915 /* Determine whether to use old-style or new-style attribute names */
1916 if (context->internal->full_time_names) {
1917 /* new-style names */
1918 attr_strings.create_time_attr = "system.dos_attr.CREATE_TIME";
1919 attr_strings.access_time_attr = "system.dos_attr.ACCESS_TIME";
1920 attr_strings.write_time_attr = "system.dos_attr.WRITE_TIME";
1921 attr_strings.change_time_attr = "system.dos_attr.CHANGE_TIME";
1922 } else {
1923 /* old-style names */
1924 attr_strings.create_time_attr = NULL;
1925 attr_strings.access_time_attr = "system.dos_attr.A_TIME";
1926 attr_strings.write_time_attr = "system.dos_attr.M_TIME";
1927 attr_strings.change_time_attr = "system.dos_attr.C_TIME";
1931 * Are they asking to set a DOS attribute?
1933 if (StrCaseCmp(name, "system.dos_attr.*") == 0 ||
1934 StrCaseCmp(name, "system.dos_attr.mode") == 0 ||
1935 (attr_strings.create_time_attr != NULL &&
1936 StrCaseCmp(name, attr_strings.create_time_attr) == 0) ||
1937 StrCaseCmp(name, attr_strings.access_time_attr) == 0 ||
1938 StrCaseCmp(name, attr_strings.write_time_attr) == 0 ||
1939 StrCaseCmp(name, attr_strings.change_time_attr) == 0) {
1941 /* get a DOS Attribute Descriptor with current attributes */
1942 dad = dos_attr_query(context, talloc_tos(), path, srv);
1943 if (dad) {
1944 char *namevalue =
1945 talloc_asprintf(talloc_tos(), "%s:%s",
1946 name+16, (const char *) value);
1947 if (! namevalue) {
1948 errno = ENOMEM;
1949 ret = -1;
1950 } else {
1951 /* Overwrite old with provided new params */
1952 dos_attr_parse(context, dad, srv, namevalue);
1954 /* Set the new DOS attributes */
1955 ret2 = SMBC_setatr(context, srv, path,
1956 dad->create_time,
1957 dad->access_time,
1958 dad->write_time,
1959 dad->change_time,
1960 dad->mode);
1962 /* ret2 has True (success) / False (failure) */
1963 if (ret2) {
1964 ret = 0;
1965 } else {
1966 ret = -1;
1969 } else {
1970 ret = -1;
1973 TALLOC_FREE(frame);
1974 return ret;
1977 /* Unsupported attribute name */
1978 errno = EINVAL;
1979 TALLOC_FREE(frame);
1980 return -1;
1984 SMBC_getxattr_ctx(SMBCCTX *context,
1985 const char *fname,
1986 const char *name,
1987 const void *value,
1988 size_t size)
1990 int ret;
1991 SMBCSRV *srv = NULL;
1992 SMBCSRV *ipc_srv = NULL;
1993 char *server = NULL;
1994 char *share = NULL;
1995 char *user = NULL;
1996 char *password = NULL;
1997 char *workgroup = NULL;
1998 char *path = NULL;
1999 struct {
2000 const char * create_time_attr;
2001 const char * access_time_attr;
2002 const char * write_time_attr;
2003 const char * change_time_attr;
2004 } attr_strings;
2005 TALLOC_CTX *frame = talloc_stackframe();
2007 if (!context || !context->internal->initialized) {
2008 errno = EINVAL; /* Best I can think of ... */
2009 TALLOC_FREE(frame);
2010 return -1;
2013 if (!fname) {
2014 errno = EINVAL;
2015 TALLOC_FREE(frame);
2016 return -1;
2019 DEBUG(4, ("smbc_getxattr(%s, %s)\n", fname, name));
2021 if (SMBC_parse_path(frame,
2022 context,
2023 fname,
2024 &workgroup,
2025 &server,
2026 &share,
2027 &path,
2028 &user,
2029 &password,
2030 NULL)) {
2031 errno = EINVAL;
2032 TALLOC_FREE(frame);
2033 return -1;
2036 if (!user || user[0] == (char)0) {
2037 user = talloc_strdup(frame, smbc_getUser(context));
2038 if (!user) {
2039 errno = ENOMEM;
2040 TALLOC_FREE(frame);
2041 return -1;
2045 srv = SMBC_server(frame, context, True,
2046 server, share, &workgroup, &user, &password);
2047 if (!srv) {
2048 TALLOC_FREE(frame);
2049 return -1; /* errno set by SMBC_server */
2052 if (! srv->no_nt_session) {
2053 ipc_srv = SMBC_attr_server(frame, context, server, share,
2054 &workgroup, &user, &password);
2055 if (! ipc_srv) {
2056 srv->no_nt_session = True;
2058 } else {
2059 ipc_srv = NULL;
2062 /* Determine whether to use old-style or new-style attribute names */
2063 if (context->internal->full_time_names) {
2064 /* new-style names */
2065 attr_strings.create_time_attr = "system.dos_attr.CREATE_TIME";
2066 attr_strings.access_time_attr = "system.dos_attr.ACCESS_TIME";
2067 attr_strings.write_time_attr = "system.dos_attr.WRITE_TIME";
2068 attr_strings.change_time_attr = "system.dos_attr.CHANGE_TIME";
2069 } else {
2070 /* old-style names */
2071 attr_strings.create_time_attr = NULL;
2072 attr_strings.access_time_attr = "system.dos_attr.A_TIME";
2073 attr_strings.write_time_attr = "system.dos_attr.M_TIME";
2074 attr_strings.change_time_attr = "system.dos_attr.C_TIME";
2077 /* Are they requesting a supported attribute? */
2078 if (StrCaseCmp(name, "system.*") == 0 ||
2079 StrnCaseCmp(name, "system.*!", 9) == 0 ||
2080 StrCaseCmp(name, "system.*+") == 0 ||
2081 StrnCaseCmp(name, "system.*+!", 10) == 0 ||
2082 StrCaseCmp(name, "system.nt_sec_desc.*") == 0 ||
2083 StrnCaseCmp(name, "system.nt_sec_desc.*!", 21) == 0 ||
2084 StrCaseCmp(name, "system.nt_sec_desc.*+") == 0 ||
2085 StrnCaseCmp(name, "system.nt_sec_desc.*+!", 22) == 0 ||
2086 StrCaseCmp(name, "system.nt_sec_desc.revision") == 0 ||
2087 StrCaseCmp(name, "system.nt_sec_desc.owner") == 0 ||
2088 StrCaseCmp(name, "system.nt_sec_desc.owner+") == 0 ||
2089 StrCaseCmp(name, "system.nt_sec_desc.group") == 0 ||
2090 StrCaseCmp(name, "system.nt_sec_desc.group+") == 0 ||
2091 StrnCaseCmp(name, "system.nt_sec_desc.acl", 22) == 0 ||
2092 StrnCaseCmp(name, "system.nt_sec_desc.acl+", 23) == 0 ||
2093 StrCaseCmp(name, "system.dos_attr.*") == 0 ||
2094 StrnCaseCmp(name, "system.dos_attr.*!", 18) == 0 ||
2095 StrCaseCmp(name, "system.dos_attr.mode") == 0 ||
2096 StrCaseCmp(name, "system.dos_attr.size") == 0 ||
2097 (attr_strings.create_time_attr != NULL &&
2098 StrCaseCmp(name, attr_strings.create_time_attr) == 0) ||
2099 StrCaseCmp(name, attr_strings.access_time_attr) == 0 ||
2100 StrCaseCmp(name, attr_strings.write_time_attr) == 0 ||
2101 StrCaseCmp(name, attr_strings.change_time_attr) == 0 ||
2102 StrCaseCmp(name, "system.dos_attr.inode") == 0) {
2104 /* Yup. */
2105 char *filename = (char *) name;
2106 ret = cacl_get(context, talloc_tos(), srv,
2107 ipc_srv == NULL ? NULL : ipc_srv->cli,
2108 &ipc_srv->pol, path,
2109 filename,
2110 CONST_DISCARD(char *, value),
2111 size);
2112 if (ret < 0 && errno == 0) {
2113 errno = SMBC_errno(context, srv->cli);
2115 TALLOC_FREE(frame);
2116 return ret;
2119 /* Unsupported attribute name */
2120 errno = EINVAL;
2121 TALLOC_FREE(frame);
2122 return -1;
2127 SMBC_removexattr_ctx(SMBCCTX *context,
2128 const char *fname,
2129 const char *name)
2131 int ret;
2132 SMBCSRV *srv = NULL;
2133 SMBCSRV *ipc_srv = NULL;
2134 char *server = NULL;
2135 char *share = NULL;
2136 char *user = NULL;
2137 char *password = NULL;
2138 char *workgroup = NULL;
2139 char *path = NULL;
2140 TALLOC_CTX *frame = talloc_stackframe();
2142 if (!context || !context->internal->initialized) {
2143 errno = EINVAL; /* Best I can think of ... */
2144 TALLOC_FREE(frame);
2145 return -1;
2148 if (!fname) {
2149 errno = EINVAL;
2150 TALLOC_FREE(frame);
2151 return -1;
2154 DEBUG(4, ("smbc_removexattr(%s, %s)\n", fname, name));
2156 if (SMBC_parse_path(frame,
2157 context,
2158 fname,
2159 &workgroup,
2160 &server,
2161 &share,
2162 &path,
2163 &user,
2164 &password,
2165 NULL)) {
2166 errno = EINVAL;
2167 TALLOC_FREE(frame);
2168 return -1;
2171 if (!user || user[0] == (char)0) {
2172 user = talloc_strdup(frame, smbc_getUser(context));
2173 if (!user) {
2174 errno = ENOMEM;
2175 TALLOC_FREE(frame);
2176 return -1;
2180 srv = SMBC_server(frame, context, True,
2181 server, share, &workgroup, &user, &password);
2182 if (!srv) {
2183 TALLOC_FREE(frame);
2184 return -1; /* errno set by SMBC_server */
2187 if (! srv->no_nt_session) {
2188 ipc_srv = SMBC_attr_server(frame, context, server, share,
2189 &workgroup, &user, &password);
2190 if (! ipc_srv) {
2191 srv->no_nt_session = True;
2193 } else {
2194 ipc_srv = NULL;
2197 if (! ipc_srv) {
2198 TALLOC_FREE(frame);
2199 return -1; /* errno set by SMBC_attr_server */
2202 /* Are they asking to set the entire ACL? */
2203 if (StrCaseCmp(name, "system.nt_sec_desc.*") == 0 ||
2204 StrCaseCmp(name, "system.nt_sec_desc.*+") == 0) {
2206 /* Yup. */
2207 ret = cacl_set(context, talloc_tos(), srv->cli,
2208 ipc_srv->cli, &ipc_srv->pol, path,
2209 NULL, SMBC_XATTR_MODE_REMOVE_ALL, 0);
2210 TALLOC_FREE(frame);
2211 return ret;
2215 * Are they asking to remove one or more spceific security descriptor
2216 * attributes?
2218 if (StrCaseCmp(name, "system.nt_sec_desc.revision") == 0 ||
2219 StrCaseCmp(name, "system.nt_sec_desc.owner") == 0 ||
2220 StrCaseCmp(name, "system.nt_sec_desc.owner+") == 0 ||
2221 StrCaseCmp(name, "system.nt_sec_desc.group") == 0 ||
2222 StrCaseCmp(name, "system.nt_sec_desc.group+") == 0 ||
2223 StrnCaseCmp(name, "system.nt_sec_desc.acl", 22) == 0 ||
2224 StrnCaseCmp(name, "system.nt_sec_desc.acl+", 23) == 0) {
2226 /* Yup. */
2227 ret = cacl_set(context, talloc_tos(), srv->cli,
2228 ipc_srv->cli, &ipc_srv->pol, path,
2229 CONST_DISCARD(char *, name) + 19,
2230 SMBC_XATTR_MODE_REMOVE, 0);
2231 TALLOC_FREE(frame);
2232 return ret;
2235 /* Unsupported attribute name */
2236 errno = EINVAL;
2237 TALLOC_FREE(frame);
2238 return -1;
2242 SMBC_listxattr_ctx(SMBCCTX *context,
2243 const char *fname,
2244 char *list,
2245 size_t size)
2248 * This isn't quite what listxattr() is supposed to do. This returns
2249 * the complete set of attribute names, always, rather than only those
2250 * attribute names which actually exist for a file. Hmmm...
2252 size_t retsize;
2253 const char supported_old[] =
2254 "system.*\0"
2255 "system.*+\0"
2256 "system.nt_sec_desc.revision\0"
2257 "system.nt_sec_desc.owner\0"
2258 "system.nt_sec_desc.owner+\0"
2259 "system.nt_sec_desc.group\0"
2260 "system.nt_sec_desc.group+\0"
2261 "system.nt_sec_desc.acl.*\0"
2262 "system.nt_sec_desc.acl\0"
2263 "system.nt_sec_desc.acl+\0"
2264 "system.nt_sec_desc.*\0"
2265 "system.nt_sec_desc.*+\0"
2266 "system.dos_attr.*\0"
2267 "system.dos_attr.mode\0"
2268 "system.dos_attr.c_time\0"
2269 "system.dos_attr.a_time\0"
2270 "system.dos_attr.m_time\0"
2272 const char supported_new[] =
2273 "system.*\0"
2274 "system.*+\0"
2275 "system.nt_sec_desc.revision\0"
2276 "system.nt_sec_desc.owner\0"
2277 "system.nt_sec_desc.owner+\0"
2278 "system.nt_sec_desc.group\0"
2279 "system.nt_sec_desc.group+\0"
2280 "system.nt_sec_desc.acl.*\0"
2281 "system.nt_sec_desc.acl\0"
2282 "system.nt_sec_desc.acl+\0"
2283 "system.nt_sec_desc.*\0"
2284 "system.nt_sec_desc.*+\0"
2285 "system.dos_attr.*\0"
2286 "system.dos_attr.mode\0"
2287 "system.dos_attr.create_time\0"
2288 "system.dos_attr.access_time\0"
2289 "system.dos_attr.write_time\0"
2290 "system.dos_attr.change_time\0"
2292 const char * supported;
2294 if (context->internal->full_time_names) {
2295 supported = supported_new;
2296 retsize = sizeof(supported_new);
2297 } else {
2298 supported = supported_old;
2299 retsize = sizeof(supported_old);
2302 if (size == 0) {
2303 return retsize;
2306 if (retsize > size) {
2307 errno = ERANGE;
2308 return -1;
2311 /* this can't be strcpy() because there are embedded null characters */
2312 memcpy(list, supported, retsize);
2313 return retsize;