Reformat spacing to be even.
[Samba/gebeck_regimport.git] / source3 / smbd / posix_acls.c
blob531313be9076dd33122bda724ab09151e52fb5d9
1 /*
2 Unix SMB/CIFS implementation.
3 SMB NT Security Descriptor / Unix permission conversion.
4 Copyright (C) Jeremy Allison 1994-2009.
5 Copyright (C) Andreas Gruenbacher 2002.
6 Copyright (C) Simo Sorce <idra@samba.org> 2009.
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "includes.h"
23 #include "smbd/smbd.h"
24 #include "system/filesys.h"
25 #include "../libcli/security/security.h"
26 #include "trans2.h"
27 #include "passdb/lookup_sid.h"
28 #include "auth.h"
29 #include "../librpc/gen_ndr/idmap.h"
30 #include "lib/param/loadparm.h"
32 extern const struct generic_mapping file_generic_mapping;
34 #undef DBGC_CLASS
35 #define DBGC_CLASS DBGC_ACLS
37 /****************************************************************************
38 Data structures representing the internal ACE format.
39 ****************************************************************************/
41 enum ace_owner {UID_ACE, GID_ACE, WORLD_ACE};
42 enum ace_attribute {ALLOW_ACE, DENY_ACE}; /* Used for incoming NT ACLS. */
44 typedef struct canon_ace {
45 struct canon_ace *next, *prev;
46 SMB_ACL_TAG_T type;
47 mode_t perms; /* Only use S_I(R|W|X)USR mode bits here. */
48 struct dom_sid trustee;
49 enum ace_owner owner_type;
50 enum ace_attribute attr;
51 struct unixid unix_ug;
52 uint8_t ace_flags; /* From windows ACE entry. */
53 } canon_ace;
55 #define ALL_ACE_PERMS (S_IRUSR|S_IWUSR|S_IXUSR)
58 * EA format of user.SAMBA_PAI (Samba_Posix_Acl_Interitance)
59 * attribute on disk - version 1.
60 * All values are little endian.
62 * | 1 | 1 | 2 | 2 | ....
63 * +------+------+-------------+---------------------+-------------+--------------------+
64 * | vers | flag | num_entries | num_default_entries | ..entries.. | default_entries... |
65 * +------+------+-------------+---------------------+-------------+--------------------+
67 * Entry format is :
69 * | 1 | 4 |
70 * +------+-------------------+
71 * | value| uid/gid or world |
72 * | type | value |
73 * +------+-------------------+
75 * Version 2 format. Stores extra Windows metadata about an ACL.
77 * | 1 | 2 | 2 | 2 | ....
78 * +------+----------+-------------+---------------------+-------------+--------------------+
79 * | vers | ace | num_entries | num_default_entries | ..entries.. | default_entries... |
80 * | 2 | type | | | | |
81 * +------+----------+-------------+---------------------+-------------+--------------------+
83 * Entry format is :
85 * | 1 | 1 | 4 |
86 * +------+------+-------------------+
87 * | ace | value| uid/gid or world |
88 * | flag | type | value |
89 * +------+-------------------+------+
93 #define PAI_VERSION_OFFSET 0
95 #define PAI_V1_FLAG_OFFSET 1
96 #define PAI_V1_NUM_ENTRIES_OFFSET 2
97 #define PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET 4
98 #define PAI_V1_ENTRIES_BASE 6
99 #define PAI_V1_ACL_FLAG_PROTECTED 0x1
100 #define PAI_V1_ENTRY_LENGTH 5
102 #define PAI_V1_VERSION 1
104 #define PAI_V2_TYPE_OFFSET 1
105 #define PAI_V2_NUM_ENTRIES_OFFSET 3
106 #define PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET 5
107 #define PAI_V2_ENTRIES_BASE 7
108 #define PAI_V2_ENTRY_LENGTH 6
110 #define PAI_V2_VERSION 2
113 * In memory format of user.SAMBA_PAI attribute.
116 struct pai_entry {
117 struct pai_entry *next, *prev;
118 uint8_t ace_flags;
119 enum ace_owner owner_type;
120 struct unixid unix_ug;
123 struct pai_val {
124 uint16_t sd_type;
125 unsigned int num_entries;
126 struct pai_entry *entry_list;
127 unsigned int num_def_entries;
128 struct pai_entry *def_entry_list;
131 /************************************************************************
132 Return a uint32 of the pai_entry principal.
133 ************************************************************************/
135 static uint32_t get_pai_entry_val(struct pai_entry *paie)
137 switch (paie->owner_type) {
138 case UID_ACE:
139 DEBUG(10,("get_pai_entry_val: uid = %u\n", (unsigned int)paie->unix_ug.id ));
140 return (uint32_t)paie->unix_ug.id;
141 case GID_ACE:
142 DEBUG(10,("get_pai_entry_val: gid = %u\n", (unsigned int)paie->unix_ug.id ));
143 return (uint32_t)paie->unix_ug.id;
144 case WORLD_ACE:
145 default:
146 DEBUG(10,("get_pai_entry_val: world ace\n"));
147 return (uint32_t)-1;
151 /************************************************************************
152 Return a uint32 of the entry principal.
153 ************************************************************************/
155 static uint32_t get_entry_val(canon_ace *ace_entry)
157 switch (ace_entry->owner_type) {
158 case UID_ACE:
159 DEBUG(10,("get_entry_val: uid = %u\n", (unsigned int)ace_entry->unix_ug.id ));
160 return (uint32_t)ace_entry->unix_ug.id;
161 case GID_ACE:
162 DEBUG(10,("get_entry_val: gid = %u\n", (unsigned int)ace_entry->unix_ug.id ));
163 return (uint32_t)ace_entry->unix_ug.id;
164 case WORLD_ACE:
165 default:
166 DEBUG(10,("get_entry_val: world ace\n"));
167 return (uint32_t)-1;
171 /************************************************************************
172 Create the on-disk format (always v2 now). Caller must free.
173 ************************************************************************/
175 static char *create_pai_buf_v2(canon_ace *file_ace_list,
176 canon_ace *dir_ace_list,
177 uint16_t sd_type,
178 size_t *store_size)
180 char *pai_buf = NULL;
181 canon_ace *ace_list = NULL;
182 char *entry_offset = NULL;
183 unsigned int num_entries = 0;
184 unsigned int num_def_entries = 0;
185 unsigned int i;
187 for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next) {
188 num_entries++;
191 for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next) {
192 num_def_entries++;
195 DEBUG(10,("create_pai_buf_v2: num_entries = %u, num_def_entries = %u\n", num_entries, num_def_entries ));
197 *store_size = PAI_V2_ENTRIES_BASE +
198 ((num_entries + num_def_entries)*PAI_V2_ENTRY_LENGTH);
200 pai_buf = talloc_array(talloc_tos(), char, *store_size);
201 if (!pai_buf) {
202 return NULL;
205 /* Set up the header. */
206 memset(pai_buf, '\0', PAI_V2_ENTRIES_BASE);
207 SCVAL(pai_buf,PAI_VERSION_OFFSET,PAI_V2_VERSION);
208 SSVAL(pai_buf,PAI_V2_TYPE_OFFSET, sd_type);
209 SSVAL(pai_buf,PAI_V2_NUM_ENTRIES_OFFSET,num_entries);
210 SSVAL(pai_buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET,num_def_entries);
212 DEBUG(10,("create_pai_buf_v2: sd_type = 0x%x\n",
213 (unsigned int)sd_type ));
215 entry_offset = pai_buf + PAI_V2_ENTRIES_BASE;
217 i = 0;
218 for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next) {
219 uint8_t type_val = (uint8_t)ace_list->owner_type;
220 uint32_t entry_val = get_entry_val(ace_list);
222 SCVAL(entry_offset,0,ace_list->ace_flags);
223 SCVAL(entry_offset,1,type_val);
224 SIVAL(entry_offset,2,entry_val);
225 DEBUG(10,("create_pai_buf_v2: entry %u [0x%x] [0x%x] [0x%x]\n",
227 (unsigned int)ace_list->ace_flags,
228 (unsigned int)type_val,
229 (unsigned int)entry_val ));
230 i++;
231 entry_offset += PAI_V2_ENTRY_LENGTH;
234 for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next) {
235 uint8_t type_val = (uint8_t)ace_list->owner_type;
236 uint32_t entry_val = get_entry_val(ace_list);
238 SCVAL(entry_offset,0,ace_list->ace_flags);
239 SCVAL(entry_offset,1,type_val);
240 SIVAL(entry_offset,2,entry_val);
241 DEBUG(10,("create_pai_buf_v2: entry %u [0x%x] [0x%x] [0x%x]\n",
243 (unsigned int)ace_list->ace_flags,
244 (unsigned int)type_val,
245 (unsigned int)entry_val ));
246 i++;
247 entry_offset += PAI_V2_ENTRY_LENGTH;
250 return pai_buf;
253 /************************************************************************
254 Store the user.SAMBA_PAI attribute on disk.
255 ************************************************************************/
257 static void store_inheritance_attributes(files_struct *fsp,
258 canon_ace *file_ace_list,
259 canon_ace *dir_ace_list,
260 uint16_t sd_type)
262 int ret;
263 size_t store_size;
264 char *pai_buf;
266 if (!lp_map_acl_inherit(SNUM(fsp->conn))) {
267 return;
270 pai_buf = create_pai_buf_v2(file_ace_list, dir_ace_list,
271 sd_type, &store_size);
273 if (fsp->fh->fd != -1) {
274 ret = SMB_VFS_FSETXATTR(fsp, SAMBA_POSIX_INHERITANCE_EA_NAME,
275 pai_buf, store_size, 0);
276 } else {
277 ret = SMB_VFS_SETXATTR(fsp->conn, fsp->fsp_name->base_name,
278 SAMBA_POSIX_INHERITANCE_EA_NAME,
279 pai_buf, store_size, 0);
282 TALLOC_FREE(pai_buf);
284 DEBUG(10,("store_inheritance_attribute: type 0x%x for file %s\n",
285 (unsigned int)sd_type,
286 fsp_str_dbg(fsp)));
288 if (ret == -1 && !no_acl_syscall_error(errno)) {
289 DEBUG(1,("store_inheritance_attribute: Error %s\n", strerror(errno) ));
293 /************************************************************************
294 Delete the in memory inheritance info.
295 ************************************************************************/
297 static void free_inherited_info(struct pai_val *pal)
299 if (pal) {
300 struct pai_entry *paie, *paie_next;
301 for (paie = pal->entry_list; paie; paie = paie_next) {
302 paie_next = paie->next;
303 TALLOC_FREE(paie);
305 for (paie = pal->def_entry_list; paie; paie = paie_next) {
306 paie_next = paie->next;
307 TALLOC_FREE(paie);
309 TALLOC_FREE(pal);
313 /************************************************************************
314 Get any stored ACE flags.
315 ************************************************************************/
317 static uint16_t get_pai_flags(struct pai_val *pal, canon_ace *ace_entry, bool default_ace)
319 struct pai_entry *paie;
321 if (!pal) {
322 return 0;
325 /* If the entry exists it is inherited. */
326 for (paie = (default_ace ? pal->def_entry_list : pal->entry_list); paie; paie = paie->next) {
327 if (ace_entry->owner_type == paie->owner_type &&
328 get_entry_val(ace_entry) == get_pai_entry_val(paie))
329 return paie->ace_flags;
331 return 0;
334 /************************************************************************
335 Ensure an attribute just read is valid - v1.
336 ************************************************************************/
338 static bool check_pai_ok_v1(const char *pai_buf, size_t pai_buf_data_size)
340 uint16 num_entries;
341 uint16 num_def_entries;
343 if (pai_buf_data_size < PAI_V1_ENTRIES_BASE) {
344 /* Corrupted - too small. */
345 return false;
348 if (CVAL(pai_buf,PAI_VERSION_OFFSET) != PAI_V1_VERSION) {
349 return false;
352 num_entries = SVAL(pai_buf,PAI_V1_NUM_ENTRIES_OFFSET);
353 num_def_entries = SVAL(pai_buf,PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET);
355 /* Check the entry lists match. */
356 /* Each entry is 5 bytes (type plus 4 bytes of uid or gid). */
358 if (((num_entries + num_def_entries)*PAI_V1_ENTRY_LENGTH) +
359 PAI_V1_ENTRIES_BASE != pai_buf_data_size) {
360 return false;
363 return true;
366 /************************************************************************
367 Ensure an attribute just read is valid - v2.
368 ************************************************************************/
370 static bool check_pai_ok_v2(const char *pai_buf, size_t pai_buf_data_size)
372 uint16 num_entries;
373 uint16 num_def_entries;
375 if (pai_buf_data_size < PAI_V2_ENTRIES_BASE) {
376 /* Corrupted - too small. */
377 return false;
380 if (CVAL(pai_buf,PAI_VERSION_OFFSET) != PAI_V2_VERSION) {
381 return false;
384 num_entries = SVAL(pai_buf,PAI_V2_NUM_ENTRIES_OFFSET);
385 num_def_entries = SVAL(pai_buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET);
387 /* Check the entry lists match. */
388 /* Each entry is 6 bytes (flags + type + 4 bytes of uid or gid). */
390 if (((num_entries + num_def_entries)*PAI_V2_ENTRY_LENGTH) +
391 PAI_V2_ENTRIES_BASE != pai_buf_data_size) {
392 return false;
395 return true;
398 /************************************************************************
399 Decode the owner.
400 ************************************************************************/
402 static bool get_pai_owner_type(struct pai_entry *paie, const char *entry_offset)
404 paie->owner_type = (enum ace_owner)CVAL(entry_offset,0);
405 switch( paie->owner_type) {
406 case UID_ACE:
407 paie->unix_ug.type = ID_TYPE_UID;
408 paie->unix_ug.id = (uid_t)IVAL(entry_offset,1);
409 DEBUG(10,("get_pai_owner_type: uid = %u\n",
410 (unsigned int)paie->unix_ug.id ));
411 break;
412 case GID_ACE:
413 paie->unix_ug.type = ID_TYPE_GID;
414 paie->unix_ug.id = (gid_t)IVAL(entry_offset,1);
415 DEBUG(10,("get_pai_owner_type: gid = %u\n",
416 (unsigned int)paie->unix_ug.id ));
417 break;
418 case WORLD_ACE:
419 paie->unix_ug.type = ID_TYPE_NOT_SPECIFIED;
420 paie->unix_ug.id = -1;
421 DEBUG(10,("get_pai_owner_type: world ace\n"));
422 break;
423 default:
424 DEBUG(10,("get_pai_owner_type: unknown type %u\n",
425 (unsigned int)paie->owner_type ));
426 return false;
428 return true;
431 /************************************************************************
432 Process v2 entries.
433 ************************************************************************/
435 static const char *create_pai_v1_entries(struct pai_val *paiv,
436 const char *entry_offset,
437 bool def_entry)
439 int i;
441 for (i = 0; i < paiv->num_entries; i++) {
442 struct pai_entry *paie = talloc(talloc_tos(), struct pai_entry);
443 if (!paie) {
444 return NULL;
447 paie->ace_flags = SEC_ACE_FLAG_INHERITED_ACE;
448 if (!get_pai_owner_type(paie, entry_offset)) {
449 TALLOC_FREE(paie);
450 return NULL;
453 if (!def_entry) {
454 DLIST_ADD(paiv->entry_list, paie);
455 } else {
456 DLIST_ADD(paiv->def_entry_list, paie);
458 entry_offset += PAI_V1_ENTRY_LENGTH;
460 return entry_offset;
463 /************************************************************************
464 Convert to in-memory format from version 1.
465 ************************************************************************/
467 static struct pai_val *create_pai_val_v1(const char *buf, size_t size)
469 const char *entry_offset;
470 struct pai_val *paiv = NULL;
472 if (!check_pai_ok_v1(buf, size)) {
473 return NULL;
476 paiv = talloc(talloc_tos(), struct pai_val);
477 if (!paiv) {
478 return NULL;
481 memset(paiv, '\0', sizeof(struct pai_val));
483 paiv->sd_type = (CVAL(buf,PAI_V1_FLAG_OFFSET) == PAI_V1_ACL_FLAG_PROTECTED) ?
484 SEC_DESC_DACL_PROTECTED : 0;
486 paiv->num_entries = SVAL(buf,PAI_V1_NUM_ENTRIES_OFFSET);
487 paiv->num_def_entries = SVAL(buf,PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET);
489 entry_offset = buf + PAI_V1_ENTRIES_BASE;
491 DEBUG(10,("create_pai_val: num_entries = %u, num_def_entries = %u\n",
492 paiv->num_entries, paiv->num_def_entries ));
494 entry_offset = create_pai_v1_entries(paiv, entry_offset, false);
495 if (entry_offset == NULL) {
496 free_inherited_info(paiv);
497 return NULL;
499 entry_offset = create_pai_v1_entries(paiv, entry_offset, true);
500 if (entry_offset == NULL) {
501 free_inherited_info(paiv);
502 return NULL;
505 return paiv;
508 /************************************************************************
509 Process v2 entries.
510 ************************************************************************/
512 static const char *create_pai_v2_entries(struct pai_val *paiv,
513 unsigned int num_entries,
514 const char *entry_offset,
515 bool def_entry)
517 unsigned int i;
519 for (i = 0; i < num_entries; i++) {
520 struct pai_entry *paie = talloc(talloc_tos(), struct pai_entry);
521 if (!paie) {
522 return NULL;
525 paie->ace_flags = CVAL(entry_offset,0);
527 if (!get_pai_owner_type(paie, entry_offset+1)) {
528 TALLOC_FREE(paie);
529 return NULL;
531 if (!def_entry) {
532 DLIST_ADD(paiv->entry_list, paie);
533 } else {
534 DLIST_ADD(paiv->def_entry_list, paie);
536 entry_offset += PAI_V2_ENTRY_LENGTH;
538 return entry_offset;
541 /************************************************************************
542 Convert to in-memory format from version 2.
543 ************************************************************************/
545 static struct pai_val *create_pai_val_v2(const char *buf, size_t size)
547 const char *entry_offset;
548 struct pai_val *paiv = NULL;
550 if (!check_pai_ok_v2(buf, size)) {
551 return NULL;
554 paiv = talloc(talloc_tos(), struct pai_val);
555 if (!paiv) {
556 return NULL;
559 memset(paiv, '\0', sizeof(struct pai_val));
561 paiv->sd_type = SVAL(buf,PAI_V2_TYPE_OFFSET);
563 paiv->num_entries = SVAL(buf,PAI_V2_NUM_ENTRIES_OFFSET);
564 paiv->num_def_entries = SVAL(buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET);
566 entry_offset = buf + PAI_V2_ENTRIES_BASE;
568 DEBUG(10,("create_pai_val_v2: sd_type = 0x%x num_entries = %u, num_def_entries = %u\n",
569 (unsigned int)paiv->sd_type,
570 paiv->num_entries, paiv->num_def_entries ));
572 entry_offset = create_pai_v2_entries(paiv, paiv->num_entries,
573 entry_offset, false);
574 if (entry_offset == NULL) {
575 free_inherited_info(paiv);
576 return NULL;
578 entry_offset = create_pai_v2_entries(paiv, paiv->num_def_entries,
579 entry_offset, true);
580 if (entry_offset == NULL) {
581 free_inherited_info(paiv);
582 return NULL;
585 return paiv;
588 /************************************************************************
589 Convert to in-memory format - from either version 1 or 2.
590 ************************************************************************/
592 static struct pai_val *create_pai_val(const char *buf, size_t size)
594 if (size < 1) {
595 return NULL;
597 if (CVAL(buf,PAI_VERSION_OFFSET) == PAI_V1_VERSION) {
598 return create_pai_val_v1(buf, size);
599 } else if (CVAL(buf,PAI_VERSION_OFFSET) == PAI_V2_VERSION) {
600 return create_pai_val_v2(buf, size);
601 } else {
602 return NULL;
606 /************************************************************************
607 Load the user.SAMBA_PAI attribute.
608 ************************************************************************/
610 static struct pai_val *fload_inherited_info(files_struct *fsp)
612 char *pai_buf;
613 size_t pai_buf_size = 1024;
614 struct pai_val *paiv = NULL;
615 ssize_t ret;
617 if (!lp_map_acl_inherit(SNUM(fsp->conn))) {
618 return NULL;
621 if ((pai_buf = talloc_array(talloc_tos(), char, pai_buf_size)) == NULL) {
622 return NULL;
625 do {
626 if (fsp->fh->fd != -1) {
627 ret = SMB_VFS_FGETXATTR(fsp, SAMBA_POSIX_INHERITANCE_EA_NAME,
628 pai_buf, pai_buf_size);
629 } else {
630 ret = SMB_VFS_GETXATTR(fsp->conn,
631 fsp->fsp_name->base_name,
632 SAMBA_POSIX_INHERITANCE_EA_NAME,
633 pai_buf, pai_buf_size);
636 if (ret == -1) {
637 if (errno != ERANGE) {
638 break;
640 /* Buffer too small - enlarge it. */
641 pai_buf_size *= 2;
642 TALLOC_FREE(pai_buf);
643 if (pai_buf_size > 1024*1024) {
644 return NULL; /* Limit malloc to 1mb. */
646 if ((pai_buf = talloc_array(talloc_tos(), char, pai_buf_size)) == NULL)
647 return NULL;
649 } while (ret == -1);
651 DEBUG(10,("load_inherited_info: ret = %lu for file %s\n",
652 (unsigned long)ret, fsp_str_dbg(fsp)));
654 if (ret == -1) {
655 /* No attribute or not supported. */
656 #if defined(ENOATTR)
657 if (errno != ENOATTR)
658 DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
659 #else
660 if (errno != ENOSYS)
661 DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
662 #endif
663 TALLOC_FREE(pai_buf);
664 return NULL;
667 paiv = create_pai_val(pai_buf, ret);
669 if (paiv) {
670 DEBUG(10,("load_inherited_info: ACL type is 0x%x for file %s\n",
671 (unsigned int)paiv->sd_type, fsp_str_dbg(fsp)));
674 TALLOC_FREE(pai_buf);
675 return paiv;
678 /************************************************************************
679 Load the user.SAMBA_PAI attribute.
680 ************************************************************************/
682 static struct pai_val *load_inherited_info(const struct connection_struct *conn,
683 const char *fname)
685 char *pai_buf;
686 size_t pai_buf_size = 1024;
687 struct pai_val *paiv = NULL;
688 ssize_t ret;
690 if (!lp_map_acl_inherit(SNUM(conn))) {
691 return NULL;
694 if ((pai_buf = talloc_array(talloc_tos(), char, pai_buf_size)) == NULL) {
695 return NULL;
698 do {
699 ret = SMB_VFS_GETXATTR(conn, fname,
700 SAMBA_POSIX_INHERITANCE_EA_NAME,
701 pai_buf, pai_buf_size);
703 if (ret == -1) {
704 if (errno != ERANGE) {
705 break;
707 /* Buffer too small - enlarge it. */
708 pai_buf_size *= 2;
709 TALLOC_FREE(pai_buf);
710 if (pai_buf_size > 1024*1024) {
711 return NULL; /* Limit malloc to 1mb. */
713 if ((pai_buf = talloc_array(talloc_tos(), char, pai_buf_size)) == NULL)
714 return NULL;
716 } while (ret == -1);
718 DEBUG(10,("load_inherited_info: ret = %lu for file %s\n", (unsigned long)ret, fname));
720 if (ret == -1) {
721 /* No attribute or not supported. */
722 #if defined(ENOATTR)
723 if (errno != ENOATTR)
724 DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
725 #else
726 if (errno != ENOSYS)
727 DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
728 #endif
729 TALLOC_FREE(pai_buf);
730 return NULL;
733 paiv = create_pai_val(pai_buf, ret);
735 if (paiv) {
736 DEBUG(10,("load_inherited_info: ACL type 0x%x for file %s\n",
737 (unsigned int)paiv->sd_type,
738 fname));
741 TALLOC_FREE(pai_buf);
742 return paiv;
745 /****************************************************************************
746 Functions to manipulate the internal ACE format.
747 ****************************************************************************/
749 /****************************************************************************
750 Count a linked list of canonical ACE entries.
751 ****************************************************************************/
753 static size_t count_canon_ace_list( canon_ace *l_head )
755 size_t count = 0;
756 canon_ace *ace;
758 for (ace = l_head; ace; ace = ace->next)
759 count++;
761 return count;
764 /****************************************************************************
765 Free a linked list of canonical ACE entries.
766 ****************************************************************************/
768 static void free_canon_ace_list( canon_ace *l_head )
770 canon_ace *list, *next;
772 for (list = l_head; list; list = next) {
773 next = list->next;
774 DLIST_REMOVE(l_head, list);
775 TALLOC_FREE(list);
779 /****************************************************************************
780 Function to duplicate a canon_ace entry.
781 ****************************************************************************/
783 static canon_ace *dup_canon_ace( canon_ace *src_ace)
785 canon_ace *dst_ace = talloc(talloc_tos(), canon_ace);
787 if (dst_ace == NULL)
788 return NULL;
790 *dst_ace = *src_ace;
791 dst_ace->prev = dst_ace->next = NULL;
792 return dst_ace;
795 /****************************************************************************
796 Print out a canon ace.
797 ****************************************************************************/
799 static void print_canon_ace(canon_ace *pace, int num)
801 dbgtext( "canon_ace index %d. Type = %s ", num, pace->attr == ALLOW_ACE ? "allow" : "deny" );
802 dbgtext( "SID = %s ", sid_string_dbg(&pace->trustee));
803 if (pace->owner_type == UID_ACE) {
804 const char *u_name = uidtoname(pace->unix_ug.id);
805 dbgtext( "uid %u (%s) ", (unsigned int)pace->unix_ug.id, u_name );
806 } else if (pace->owner_type == GID_ACE) {
807 char *g_name = gidtoname(pace->unix_ug.id);
808 dbgtext( "gid %u (%s) ", (unsigned int)pace->unix_ug.id, g_name );
809 } else
810 dbgtext( "other ");
811 switch (pace->type) {
812 case SMB_ACL_USER:
813 dbgtext( "SMB_ACL_USER ");
814 break;
815 case SMB_ACL_USER_OBJ:
816 dbgtext( "SMB_ACL_USER_OBJ ");
817 break;
818 case SMB_ACL_GROUP:
819 dbgtext( "SMB_ACL_GROUP ");
820 break;
821 case SMB_ACL_GROUP_OBJ:
822 dbgtext( "SMB_ACL_GROUP_OBJ ");
823 break;
824 case SMB_ACL_OTHER:
825 dbgtext( "SMB_ACL_OTHER ");
826 break;
827 default:
828 dbgtext( "MASK " );
829 break;
832 dbgtext( "ace_flags = 0x%x ", (unsigned int)pace->ace_flags);
833 dbgtext( "perms ");
834 dbgtext( "%c", pace->perms & S_IRUSR ? 'r' : '-');
835 dbgtext( "%c", pace->perms & S_IWUSR ? 'w' : '-');
836 dbgtext( "%c\n", pace->perms & S_IXUSR ? 'x' : '-');
839 /****************************************************************************
840 Print out a canon ace list.
841 ****************************************************************************/
843 static void print_canon_ace_list(const char *name, canon_ace *ace_list)
845 int count = 0;
847 if( DEBUGLVL( 10 )) {
848 dbgtext( "print_canon_ace_list: %s\n", name );
849 for (;ace_list; ace_list = ace_list->next, count++)
850 print_canon_ace(ace_list, count );
854 /****************************************************************************
855 Map POSIX ACL perms to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
856 ****************************************************************************/
858 static mode_t convert_permset_to_mode_t(SMB_ACL_PERMSET_T permset)
860 mode_t ret = 0;
862 ret |= (sys_acl_get_perm(permset, SMB_ACL_READ) ? S_IRUSR : 0);
863 ret |= (sys_acl_get_perm(permset, SMB_ACL_WRITE) ? S_IWUSR : 0);
864 ret |= (sys_acl_get_perm(permset, SMB_ACL_EXECUTE) ? S_IXUSR : 0);
866 return ret;
869 /****************************************************************************
870 Map generic UNIX permissions to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
871 ****************************************************************************/
873 static mode_t unix_perms_to_acl_perms(mode_t mode, int r_mask, int w_mask, int x_mask)
875 mode_t ret = 0;
877 if (mode & r_mask)
878 ret |= S_IRUSR;
879 if (mode & w_mask)
880 ret |= S_IWUSR;
881 if (mode & x_mask)
882 ret |= S_IXUSR;
884 return ret;
887 /****************************************************************************
888 Map canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits) to
889 an SMB_ACL_PERMSET_T.
890 ****************************************************************************/
892 static int map_acl_perms_to_permset(connection_struct *conn, mode_t mode, SMB_ACL_PERMSET_T *p_permset)
894 if (sys_acl_clear_perms(*p_permset) == -1)
895 return -1;
896 if (mode & S_IRUSR) {
897 if (sys_acl_add_perm(*p_permset, SMB_ACL_READ) == -1)
898 return -1;
900 if (mode & S_IWUSR) {
901 if (sys_acl_add_perm(*p_permset, SMB_ACL_WRITE) == -1)
902 return -1;
904 if (mode & S_IXUSR) {
905 if (sys_acl_add_perm(*p_permset, SMB_ACL_EXECUTE) == -1)
906 return -1;
908 return 0;
911 /****************************************************************************
912 Function to create owner and group SIDs from a SMB_STRUCT_STAT.
913 ****************************************************************************/
915 void create_file_sids(const SMB_STRUCT_STAT *psbuf, struct dom_sid *powner_sid, struct dom_sid *pgroup_sid)
917 uid_to_sid( powner_sid, psbuf->st_ex_uid );
918 gid_to_sid( pgroup_sid, psbuf->st_ex_gid );
921 /****************************************************************************
922 Merge aces with a common UID or GID - if both are allow or deny, OR the permissions together and
923 delete the second one. If the first is deny, mask the permissions off and delete the allow
924 if the permissions become zero, delete the deny if the permissions are non zero.
925 ****************************************************************************/
927 static void merge_aces( canon_ace **pp_list_head, bool dir_acl)
929 canon_ace *l_head = *pp_list_head;
930 canon_ace *curr_ace_outer;
931 canon_ace *curr_ace_outer_next;
934 * First, merge allow entries with identical SIDs, and deny entries
935 * with identical SIDs.
938 for (curr_ace_outer = l_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
939 canon_ace *curr_ace;
940 canon_ace *curr_ace_next;
942 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
944 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
945 bool can_merge = false;
947 curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
949 /* For file ACLs we can merge if the SIDs and ALLOW/DENY
950 * types are the same. For directory acls we must also
951 * ensure the POSIX ACL types are the same.
953 * For the IDMAP_BOTH case, we must not merge
954 * the UID and GID ACE values for same SID
957 if (!dir_acl) {
958 can_merge = (curr_ace->unix_ug.id == curr_ace_outer->unix_ug.id &&
959 curr_ace->owner_type == curr_ace_outer->owner_type &&
960 (curr_ace->attr == curr_ace_outer->attr));
961 } else {
962 can_merge = (curr_ace->unix_ug.id == curr_ace_outer->unix_ug.id &&
963 curr_ace->owner_type == curr_ace_outer->owner_type &&
964 (curr_ace->type == curr_ace_outer->type) &&
965 (curr_ace->attr == curr_ace_outer->attr));
968 if (can_merge) {
969 if( DEBUGLVL( 10 )) {
970 dbgtext("merge_aces: Merging ACE's\n");
971 print_canon_ace( curr_ace_outer, 0);
972 print_canon_ace( curr_ace, 0);
975 /* Merge two allow or two deny ACE's. */
977 /* Theoretically we shouldn't merge a dir ACE if
978 * one ACE has the CI flag set, and the other
979 * ACE has the OI flag set, but this is rare
980 * enough we can ignore it. */
982 curr_ace_outer->perms |= curr_ace->perms;
983 curr_ace_outer->ace_flags |= curr_ace->ace_flags;
984 DLIST_REMOVE(l_head, curr_ace);
985 TALLOC_FREE(curr_ace);
986 curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
992 * Now go through and mask off allow permissions with deny permissions.
993 * We can delete either the allow or deny here as we know that each SID
994 * appears only once in the list.
997 for (curr_ace_outer = l_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
998 canon_ace *curr_ace;
999 canon_ace *curr_ace_next;
1001 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
1003 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
1005 curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
1008 * Subtract ACE's with different entries. Due to the ordering constraints
1009 * we've put on the ACL, we know the deny must be the first one.
1012 if (curr_ace->unix_ug.id == curr_ace_outer->unix_ug.id &&
1013 (curr_ace->owner_type == curr_ace_outer->owner_type) &&
1014 (curr_ace_outer->attr == DENY_ACE) && (curr_ace->attr == ALLOW_ACE)) {
1016 if( DEBUGLVL( 10 )) {
1017 dbgtext("merge_aces: Masking ACE's\n");
1018 print_canon_ace( curr_ace_outer, 0);
1019 print_canon_ace( curr_ace, 0);
1022 curr_ace->perms &= ~curr_ace_outer->perms;
1024 if (curr_ace->perms == 0) {
1027 * The deny overrides the allow. Remove the allow.
1030 DLIST_REMOVE(l_head, curr_ace);
1031 TALLOC_FREE(curr_ace);
1032 curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
1034 } else {
1037 * Even after removing permissions, there
1038 * are still allow permissions - delete the deny.
1039 * It is safe to delete the deny here,
1040 * as we are guarenteed by the deny first
1041 * ordering that all the deny entries for
1042 * this SID have already been merged into one
1043 * before we can get to an allow ace.
1046 DLIST_REMOVE(l_head, curr_ace_outer);
1047 TALLOC_FREE(curr_ace_outer);
1048 break;
1052 } /* end for curr_ace */
1053 } /* end for curr_ace_outer */
1055 /* We may have modified the list. */
1057 *pp_list_head = l_head;
1060 /****************************************************************************
1061 Check if we need to return NT4.x compatible ACL entries.
1062 ****************************************************************************/
1064 bool nt4_compatible_acls(void)
1066 int compat = lp_acl_compatibility();
1068 if (compat == ACL_COMPAT_AUTO) {
1069 enum remote_arch_types ra_type = get_remote_arch();
1071 /* Automatically adapt to client */
1072 return (ra_type <= RA_WINNT);
1073 } else
1074 return (compat == ACL_COMPAT_WINNT);
1078 /****************************************************************************
1079 Map canon_ace perms to permission bits NT.
1080 The attr element is not used here - we only process deny entries on set,
1081 not get. Deny entries are implicit on get with ace->perms = 0.
1082 ****************************************************************************/
1084 uint32_t map_canon_ace_perms(int snum,
1085 enum security_ace_type *pacl_type,
1086 mode_t perms,
1087 bool directory_ace)
1089 uint32_t nt_mask = 0;
1091 *pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED;
1093 if (lp_acl_map_full_control(snum) && ((perms & ALL_ACE_PERMS) == ALL_ACE_PERMS)) {
1094 if (directory_ace) {
1095 nt_mask = UNIX_DIRECTORY_ACCESS_RWX;
1096 } else {
1097 nt_mask = (UNIX_ACCESS_RWX & ~DELETE_ACCESS);
1099 } else if ((perms & ALL_ACE_PERMS) == (mode_t)0) {
1101 * Windows NT refuses to display ACEs with no permissions in them (but
1102 * they are perfectly legal with Windows 2000). If the ACE has empty
1103 * permissions we cannot use 0, so we use the otherwise unused
1104 * WRITE_OWNER permission, which we ignore when we set an ACL.
1105 * We abstract this into a #define of UNIX_ACCESS_NONE to allow this
1106 * to be changed in the future.
1109 if (nt4_compatible_acls())
1110 nt_mask = UNIX_ACCESS_NONE;
1111 else
1112 nt_mask = 0;
1113 } else {
1114 if (directory_ace) {
1115 nt_mask |= ((perms & S_IRUSR) ? UNIX_DIRECTORY_ACCESS_R : 0 );
1116 nt_mask |= ((perms & S_IWUSR) ? UNIX_DIRECTORY_ACCESS_W : 0 );
1117 nt_mask |= ((perms & S_IXUSR) ? UNIX_DIRECTORY_ACCESS_X : 0 );
1118 } else {
1119 nt_mask |= ((perms & S_IRUSR) ? UNIX_ACCESS_R : 0 );
1120 nt_mask |= ((perms & S_IWUSR) ? UNIX_ACCESS_W : 0 );
1121 nt_mask |= ((perms & S_IXUSR) ? UNIX_ACCESS_X : 0 );
1125 if ((perms & S_IWUSR) && lp_dos_filemode(snum)) {
1126 nt_mask |= (SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER|DELETE_ACCESS);
1129 DEBUG(10,("map_canon_ace_perms: Mapped (UNIX) %x to (NT) %x\n",
1130 (unsigned int)perms, (unsigned int)nt_mask ));
1132 return nt_mask;
1135 /****************************************************************************
1136 Map NT perms to a UNIX mode_t.
1137 ****************************************************************************/
1139 #define FILE_SPECIFIC_READ_BITS (FILE_READ_DATA|FILE_READ_EA)
1140 #define FILE_SPECIFIC_WRITE_BITS (FILE_WRITE_DATA|FILE_APPEND_DATA|FILE_WRITE_EA)
1141 #define FILE_SPECIFIC_EXECUTE_BITS (FILE_EXECUTE)
1143 static mode_t map_nt_perms( uint32 *mask, int type)
1145 mode_t mode = 0;
1147 switch(type) {
1148 case S_IRUSR:
1149 if((*mask) & GENERIC_ALL_ACCESS)
1150 mode = S_IRUSR|S_IWUSR|S_IXUSR;
1151 else {
1152 mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRUSR : 0;
1153 mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWUSR : 0;
1154 mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXUSR : 0;
1156 break;
1157 case S_IRGRP:
1158 if((*mask) & GENERIC_ALL_ACCESS)
1159 mode = S_IRGRP|S_IWGRP|S_IXGRP;
1160 else {
1161 mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRGRP : 0;
1162 mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWGRP : 0;
1163 mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXGRP : 0;
1165 break;
1166 case S_IROTH:
1167 if((*mask) & GENERIC_ALL_ACCESS)
1168 mode = S_IROTH|S_IWOTH|S_IXOTH;
1169 else {
1170 mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IROTH : 0;
1171 mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWOTH : 0;
1172 mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXOTH : 0;
1174 break;
1177 return mode;
1180 /****************************************************************************
1181 Unpack a struct security_descriptor into a UNIX owner and group.
1182 ****************************************************************************/
1184 NTSTATUS unpack_nt_owners(struct connection_struct *conn,
1185 uid_t *puser, gid_t *pgrp,
1186 uint32 security_info_sent, const struct
1187 security_descriptor *psd)
1189 struct dom_sid owner_sid;
1190 struct dom_sid grp_sid;
1192 *puser = (uid_t)-1;
1193 *pgrp = (gid_t)-1;
1195 if(security_info_sent == 0) {
1196 DEBUG(0,("unpack_nt_owners: no security info sent !\n"));
1197 return NT_STATUS_OK;
1201 * Validate the owner and group SID's.
1204 memset(&owner_sid, '\0', sizeof(owner_sid));
1205 memset(&grp_sid, '\0', sizeof(grp_sid));
1207 DEBUG(5,("unpack_nt_owners: validating owner_sids.\n"));
1210 * Don't immediately fail if the owner sid cannot be validated.
1211 * This may be a group chown only set.
1214 if (security_info_sent & SECINFO_OWNER) {
1215 sid_copy(&owner_sid, psd->owner_sid);
1216 if (!sid_to_uid(&owner_sid, puser)) {
1217 if (lp_force_unknown_acl_user(SNUM(conn))) {
1218 /* this allows take ownership to work
1219 * reasonably */
1220 *puser = get_current_uid(conn);
1221 } else {
1222 DEBUG(3,("unpack_nt_owners: unable to validate"
1223 " owner sid for %s\n",
1224 sid_string_dbg(&owner_sid)));
1225 return NT_STATUS_INVALID_OWNER;
1228 DEBUG(3,("unpack_nt_owners: owner sid mapped to uid %u\n",
1229 (unsigned int)*puser ));
1233 * Don't immediately fail if the group sid cannot be validated.
1234 * This may be an owner chown only set.
1237 if (security_info_sent & SECINFO_GROUP) {
1238 sid_copy(&grp_sid, psd->group_sid);
1239 if (!sid_to_gid( &grp_sid, pgrp)) {
1240 if (lp_force_unknown_acl_user(SNUM(conn))) {
1241 /* this allows take group ownership to work
1242 * reasonably */
1243 *pgrp = get_current_gid(conn);
1244 } else {
1245 DEBUG(3,("unpack_nt_owners: unable to validate"
1246 " group sid.\n"));
1247 return NT_STATUS_INVALID_OWNER;
1250 DEBUG(3,("unpack_nt_owners: group sid mapped to gid %u\n",
1251 (unsigned int)*pgrp));
1254 DEBUG(5,("unpack_nt_owners: owner_sids validated.\n"));
1256 return NT_STATUS_OK;
1259 /****************************************************************************
1260 Ensure the enforced permissions for this share apply.
1261 ****************************************************************************/
1263 static void apply_default_perms(const struct share_params *params,
1264 const bool is_directory, canon_ace *pace,
1265 mode_t type)
1267 mode_t and_bits = (mode_t)0;
1268 mode_t or_bits = (mode_t)0;
1270 /* Get the initial bits to apply. */
1272 if (is_directory) {
1273 and_bits = lp_dir_security_mask(params->service);
1274 or_bits = lp_force_dir_security_mode(params->service);
1275 } else {
1276 and_bits = lp_security_mask(params->service);
1277 or_bits = lp_force_security_mode(params->service);
1280 /* Now bounce them into the S_USR space. */
1281 switch(type) {
1282 case S_IRUSR:
1283 /* Ensure owner has read access. */
1284 pace->perms |= S_IRUSR;
1285 if (is_directory)
1286 pace->perms |= (S_IWUSR|S_IXUSR);
1287 and_bits = unix_perms_to_acl_perms(and_bits, S_IRUSR, S_IWUSR, S_IXUSR);
1288 or_bits = unix_perms_to_acl_perms(or_bits, S_IRUSR, S_IWUSR, S_IXUSR);
1289 break;
1290 case S_IRGRP:
1291 and_bits = unix_perms_to_acl_perms(and_bits, S_IRGRP, S_IWGRP, S_IXGRP);
1292 or_bits = unix_perms_to_acl_perms(or_bits, S_IRGRP, S_IWGRP, S_IXGRP);
1293 break;
1294 case S_IROTH:
1295 and_bits = unix_perms_to_acl_perms(and_bits, S_IROTH, S_IWOTH, S_IXOTH);
1296 or_bits = unix_perms_to_acl_perms(or_bits, S_IROTH, S_IWOTH, S_IXOTH);
1297 break;
1300 pace->perms = ((pace->perms & and_bits)|or_bits);
1303 /****************************************************************************
1304 Check if a given uid/SID is in a group gid/SID. This is probably very
1305 expensive and will need optimisation. A *lot* of optimisation :-). JRA.
1306 ****************************************************************************/
1308 static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, canon_ace *group_ace )
1310 /* "Everyone" always matches every uid. */
1312 if (dom_sid_equal(&group_ace->trustee, &global_sid_World))
1313 return True;
1316 * if it's the current user, we already have the unix token
1317 * and don't need to do the complex user_in_group_sid() call
1319 if (uid_ace->unix_ug.id == get_current_uid(conn)) {
1320 const struct security_unix_token *curr_utok = NULL;
1321 size_t i;
1323 if (group_ace->unix_ug.id == get_current_gid(conn)) {
1324 return True;
1327 curr_utok = get_current_utok(conn);
1328 for (i=0; i < curr_utok->ngroups; i++) {
1329 if (group_ace->unix_ug.id == curr_utok->groups[i]) {
1330 return True;
1336 * user_in_group_sid() uses create_token_from_sid()
1337 * which creates an artificial NT token given just a username,
1338 * so this is not reliable for users from foreign domains
1339 * exported by winbindd!
1341 return user_sid_in_group_sid(&uid_ace->trustee, &group_ace->trustee);
1344 /****************************************************************************
1345 A well formed POSIX file or default ACL has at least 3 entries, a
1346 SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ.
1347 In addition, the owner must always have at least read access.
1348 When using this call on get_acl, the pst struct is valid and contains
1349 the mode of the file. When using this call on set_acl, the pst struct has
1350 been modified to have a mode containing the default for this file or directory
1351 type.
1352 ****************************************************************************/
1354 static bool ensure_canon_entry_valid(connection_struct *conn,
1355 canon_ace **pp_ace,
1356 const struct share_params *params,
1357 const bool is_directory,
1358 const struct dom_sid *pfile_owner_sid,
1359 const struct dom_sid *pfile_grp_sid,
1360 const SMB_STRUCT_STAT *pst,
1361 bool setting_acl)
1363 canon_ace *pace;
1364 canon_ace *pace_user = NULL;
1365 canon_ace *pace_group = NULL;
1366 canon_ace *pace_other = NULL;
1368 for (pace = *pp_ace; pace; pace = pace->next) {
1369 if (pace->type == SMB_ACL_USER_OBJ) {
1371 if (setting_acl)
1372 apply_default_perms(params, is_directory, pace, S_IRUSR);
1373 pace_user = pace;
1375 } else if (pace->type == SMB_ACL_GROUP_OBJ) {
1378 * Ensure create mask/force create mode is respected on set.
1381 if (setting_acl)
1382 apply_default_perms(params, is_directory, pace, S_IRGRP);
1383 pace_group = pace;
1385 } else if (pace->type == SMB_ACL_OTHER) {
1388 * Ensure create mask/force create mode is respected on set.
1391 if (setting_acl)
1392 apply_default_perms(params, is_directory, pace, S_IROTH);
1393 pace_other = pace;
1397 if (!pace_user) {
1398 if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
1399 DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1400 return False;
1403 ZERO_STRUCTP(pace);
1404 pace->type = SMB_ACL_USER_OBJ;
1405 pace->owner_type = UID_ACE;
1406 pace->unix_ug.type = ID_TYPE_UID;
1407 pace->unix_ug.id = pst->st_ex_uid;
1408 pace->trustee = *pfile_owner_sid;
1409 pace->attr = ALLOW_ACE;
1410 /* Start with existing permissions, principle of least
1411 surprises for the user. */
1412 pace->perms = pst->st_ex_mode;
1414 if (setting_acl) {
1415 /* See if the owning user is in any of the other groups in
1416 the ACE, or if there's a matching user entry (by uid
1417 or in the case of ID_TYPE_BOTH by SID).
1418 If so, OR in the permissions from that entry. */
1420 canon_ace *pace_iter;
1422 for (pace_iter = *pp_ace; pace_iter; pace_iter = pace_iter->next) {
1423 if (pace_iter->type == SMB_ACL_USER &&
1424 pace_iter->unix_ug.id == pace->unix_ug.id) {
1425 pace->perms |= pace_iter->perms;
1426 } else if (pace_iter->type == SMB_ACL_GROUP_OBJ || pace_iter->type == SMB_ACL_GROUP) {
1427 if (dom_sid_equal(&pace->trustee, &pace_iter->trustee)) {
1428 pace->perms |= pace_iter->perms;
1429 } else if (uid_entry_in_group(conn, pace, pace_iter)) {
1430 pace->perms |= pace_iter->perms;
1435 if (pace->perms == 0) {
1436 /* If we only got an "everyone" perm, just use that. */
1437 if (pace_other)
1438 pace->perms = pace_other->perms;
1441 apply_default_perms(params, is_directory, pace, S_IRUSR);
1442 } else {
1443 pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRUSR, S_IWUSR, S_IXUSR);
1446 DLIST_ADD(*pp_ace, pace);
1447 pace_user = pace;
1450 if (!pace_group) {
1451 if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
1452 DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1453 return False;
1456 ZERO_STRUCTP(pace);
1457 pace->type = SMB_ACL_GROUP_OBJ;
1458 pace->owner_type = GID_ACE;
1459 pace->unix_ug.type = ID_TYPE_GID;
1460 pace->unix_ug.id = pst->st_ex_gid;
1461 pace->trustee = *pfile_grp_sid;
1462 pace->attr = ALLOW_ACE;
1463 if (setting_acl) {
1464 /* If we only got an "everyone" perm, just use that. */
1465 if (pace_other)
1466 pace->perms = pace_other->perms;
1467 else
1468 pace->perms = 0;
1469 apply_default_perms(params, is_directory, pace, S_IRGRP);
1470 } else {
1471 pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRGRP, S_IWGRP, S_IXGRP);
1474 DLIST_ADD(*pp_ace, pace);
1475 pace_group = pace;
1478 if (!pace_other) {
1479 if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
1480 DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1481 return False;
1484 ZERO_STRUCTP(pace);
1485 pace->type = SMB_ACL_OTHER;
1486 pace->owner_type = WORLD_ACE;
1487 pace->unix_ug.type = ID_TYPE_NOT_SPECIFIED;
1488 pace->unix_ug.id = -1;
1489 pace->trustee = global_sid_World;
1490 pace->attr = ALLOW_ACE;
1491 if (setting_acl) {
1492 pace->perms = 0;
1493 apply_default_perms(params, is_directory, pace, S_IROTH);
1494 } else
1495 pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IROTH, S_IWOTH, S_IXOTH);
1497 DLIST_ADD(*pp_ace, pace);
1498 pace_other = pace;
1501 if (setting_acl) {
1502 /* Ensure when setting a POSIX ACL, that the uid for a
1503 SMB_ACL_USER_OBJ ACE (the owner ACE entry) has a duplicate
1504 permission entry as an SMB_ACL_USER, and a gid for a
1505 SMB_ACL_GROUP_OBJ ACE (the primary group ACE entry) also has
1506 a duplicate permission entry as an SMB_ACL_GROUP. If not,
1507 then if the ownership or group ownership of this file or
1508 directory gets changed, the user or group can lose their
1509 access. */
1510 bool got_duplicate_user = false;
1511 bool got_duplicate_group = false;
1513 for (pace = *pp_ace; pace; pace = pace->next) {
1514 if (pace->type == SMB_ACL_USER &&
1515 pace->unix_ug.id == pace_user->unix_ug.id) {
1516 /* Already got one. */
1517 got_duplicate_user = true;
1518 } else if (pace->type == SMB_ACL_GROUP &&
1519 pace->unix_ug.id == pace_user->unix_ug.id) {
1520 /* Already got one. */
1521 got_duplicate_group = true;
1522 } else if ((pace->type == SMB_ACL_GROUP)
1523 && (dom_sid_equal(&pace->trustee, &pace_user->trustee))) {
1524 /* If the SID owning the file appears
1525 * in a group entry, then we have
1526 * enough duplication, they will still
1527 * have access */
1528 got_duplicate_user = true;
1532 /* If the SID is equal for the user and group that we need
1533 to add the duplicate for, add only the group */
1534 if (!got_duplicate_user && !got_duplicate_group
1535 && dom_sid_equal(&pace_group->trustee,
1536 &pace_user->trustee)) {
1537 /* Add a duplicate SMB_ACL_GROUP entry, this
1538 * will cover the owning SID as well, as it
1539 * will always be mapped to both a uid and
1540 * gid. */
1542 if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
1543 DEBUG(0,("ensure_canon_entry_valid: talloc fail.\n"));
1544 return false;
1547 ZERO_STRUCTP(pace);
1548 pace->type = SMB_ACL_GROUP;;
1549 pace->owner_type = GID_ACE;
1550 pace->unix_ug.type = ID_TYPE_GID;
1551 pace->unix_ug.id = pace_group->unix_ug.id;
1552 pace->trustee = pace_group->trustee;
1553 pace->attr = pace_group->attr;
1554 pace->perms = pace_group->perms;
1556 DLIST_ADD(*pp_ace, pace);
1558 /* We're done here, make sure the
1559 statements below are not executed. */
1560 got_duplicate_user = true;
1561 got_duplicate_group = true;
1564 if (!got_duplicate_user) {
1565 /* Add a duplicate SMB_ACL_USER entry. */
1566 if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
1567 DEBUG(0,("ensure_canon_entry_valid: talloc fail.\n"));
1568 return false;
1571 ZERO_STRUCTP(pace);
1572 pace->type = SMB_ACL_USER;;
1573 pace->owner_type = UID_ACE;
1574 pace->unix_ug.type = ID_TYPE_UID;
1575 pace->unix_ug.id = pace_user->unix_ug.id;
1576 pace->trustee = pace_user->trustee;
1577 pace->attr = pace_user->attr;
1578 pace->perms = pace_user->perms;
1580 DLIST_ADD(*pp_ace, pace);
1582 got_duplicate_user = true;
1585 if (!got_duplicate_group) {
1586 /* Add a duplicate SMB_ACL_GROUP entry. */
1587 if ((pace = talloc(talloc_tos(), canon_ace)) == NULL) {
1588 DEBUG(0,("ensure_canon_entry_valid: talloc fail.\n"));
1589 return false;
1592 ZERO_STRUCTP(pace);
1593 pace->type = SMB_ACL_GROUP;;
1594 pace->owner_type = GID_ACE;
1595 pace->unix_ug.type = ID_TYPE_GID;
1596 pace->unix_ug.id = pace_group->unix_ug.id;
1597 pace->trustee = pace_group->trustee;
1598 pace->attr = pace_group->attr;
1599 pace->perms = pace_group->perms;
1601 DLIST_ADD(*pp_ace, pace);
1603 got_duplicate_group = true;
1608 return True;
1611 /****************************************************************************
1612 Check if a POSIX ACL has the required SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries.
1613 If it does not have them, check if there are any entries where the trustee is the
1614 file owner or the owning group, and map these to SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ.
1615 Note we must not do this to default directory ACLs.
1616 ****************************************************************************/
1618 static void check_owning_objs(canon_ace *ace, struct dom_sid *pfile_owner_sid, struct dom_sid *pfile_grp_sid)
1620 bool got_user_obj, got_group_obj;
1621 canon_ace *current_ace;
1622 int i, entries;
1624 entries = count_canon_ace_list(ace);
1625 got_user_obj = False;
1626 got_group_obj = False;
1628 for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1629 if (current_ace->type == SMB_ACL_USER_OBJ)
1630 got_user_obj = True;
1631 else if (current_ace->type == SMB_ACL_GROUP_OBJ)
1632 got_group_obj = True;
1634 if (got_user_obj && got_group_obj) {
1635 DEBUG(10,("check_owning_objs: ACL had owning user/group entries.\n"));
1636 return;
1639 for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1640 if (!got_user_obj && current_ace->owner_type == UID_ACE &&
1641 dom_sid_equal(&current_ace->trustee, pfile_owner_sid)) {
1642 current_ace->type = SMB_ACL_USER_OBJ;
1643 got_user_obj = True;
1645 if (!got_group_obj && current_ace->owner_type == GID_ACE &&
1646 dom_sid_equal(&current_ace->trustee, pfile_grp_sid)) {
1647 current_ace->type = SMB_ACL_GROUP_OBJ;
1648 got_group_obj = True;
1651 if (!got_user_obj)
1652 DEBUG(10,("check_owning_objs: ACL is missing an owner entry.\n"));
1653 if (!got_group_obj)
1654 DEBUG(10,("check_owning_objs: ACL is missing an owning group entry.\n"));
1657 static bool add_current_ace_to_acl(files_struct *fsp, struct security_ace *psa,
1658 canon_ace **file_ace, canon_ace **dir_ace,
1659 bool *got_file_allow, bool *got_dir_allow,
1660 bool *all_aces_are_inherit_only,
1661 canon_ace *current_ace)
1665 * Map the given NT permissions into a UNIX mode_t containing only
1666 * S_I(R|W|X)USR bits.
1669 current_ace->perms |= map_nt_perms( &psa->access_mask, S_IRUSR);
1670 current_ace->attr = (psa->type == SEC_ACE_TYPE_ACCESS_ALLOWED) ? ALLOW_ACE : DENY_ACE;
1672 /* Store the ace_flag. */
1673 current_ace->ace_flags = psa->flags;
1676 * Now add the created ace to either the file list, the directory
1677 * list, or both. We *MUST* preserve the order here (hence we use
1678 * DLIST_ADD_END) as NT ACLs are order dependent.
1681 if (fsp->is_directory) {
1684 * We can only add to the default POSIX ACE list if the ACE is
1685 * designed to be inherited by both files and directories.
1688 if ((psa->flags & (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) ==
1689 (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) {
1691 canon_ace *current_dir_ace = current_ace;
1692 DLIST_ADD_END(*dir_ace, current_ace, canon_ace *);
1695 * Note if this was an allow ace. We can't process
1696 * any further deny ace's after this.
1699 if (current_ace->attr == ALLOW_ACE)
1700 *got_dir_allow = True;
1702 if ((current_ace->attr == DENY_ACE) && *got_dir_allow) {
1703 DEBUG(0,("add_current_ace_to_acl: "
1704 "malformed ACL in "
1705 "inheritable ACL! Deny entry "
1706 "after Allow entry. Failing "
1707 "to set on file %s.\n",
1708 fsp_str_dbg(fsp)));
1709 return False;
1712 if( DEBUGLVL( 10 )) {
1713 dbgtext("add_current_ace_to_acl: adding dir ACL:\n");
1714 print_canon_ace( current_ace, 0);
1718 * If this is not an inherit only ACE we need to add a duplicate
1719 * to the file acl.
1722 if (!(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1723 canon_ace *dup_ace = dup_canon_ace(current_ace);
1725 if (!dup_ace) {
1726 DEBUG(0,("add_current_ace_to_acl: malloc fail !\n"));
1727 return False;
1731 * We must not free current_ace here as its
1732 * pointer is now owned by the dir_ace list.
1734 current_ace = dup_ace;
1735 /* We've essentially split this ace into two,
1736 * and added the ace with inheritance request
1737 * bits to the directory ACL. Drop those bits for
1738 * the ACE we're adding to the file list. */
1739 current_ace->ace_flags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT|
1740 SEC_ACE_FLAG_CONTAINER_INHERIT|
1741 SEC_ACE_FLAG_INHERIT_ONLY);
1742 } else {
1744 * We must not free current_ace here as its
1745 * pointer is now owned by the dir_ace list.
1747 current_ace = NULL;
1751 * current_ace is now either owned by file_ace
1752 * or is NULL. We can safely operate on current_dir_ace
1753 * to treat mapping for default acl entries differently
1754 * than access acl entries.
1757 if (current_dir_ace->owner_type == UID_ACE) {
1759 * We already decided above this is a uid,
1760 * for default acls ace's only CREATOR_OWNER
1761 * maps to ACL_USER_OBJ. All other uid
1762 * ace's are ACL_USER.
1764 if (dom_sid_equal(&current_dir_ace->trustee,
1765 &global_sid_Creator_Owner)) {
1766 current_dir_ace->type = SMB_ACL_USER_OBJ;
1767 } else {
1768 current_dir_ace->type = SMB_ACL_USER;
1772 if (current_dir_ace->owner_type == GID_ACE) {
1774 * We already decided above this is a gid,
1775 * for default acls ace's only CREATOR_GROUP
1776 * maps to ACL_GROUP_OBJ. All other uid
1777 * ace's are ACL_GROUP.
1779 if (dom_sid_equal(&current_dir_ace->trustee,
1780 &global_sid_Creator_Group)) {
1781 current_dir_ace->type = SMB_ACL_GROUP_OBJ;
1782 } else {
1783 current_dir_ace->type = SMB_ACL_GROUP;
1790 * Only add to the file ACL if not inherit only.
1793 if (current_ace && !(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1794 DLIST_ADD_END(*file_ace, current_ace, canon_ace *);
1797 * Note if this was an allow ace. We can't process
1798 * any further deny ace's after this.
1801 if (current_ace->attr == ALLOW_ACE)
1802 *got_file_allow = True;
1804 if ((current_ace->attr == DENY_ACE) && got_file_allow) {
1805 DEBUG(0,("add_current_ace_to_acl: malformed "
1806 "ACL in file ACL ! Deny entry after "
1807 "Allow entry. Failing to set on file "
1808 "%s.\n", fsp_str_dbg(fsp)));
1809 return False;
1812 if( DEBUGLVL( 10 )) {
1813 dbgtext("add_current_ace_to_acl: adding file ACL:\n");
1814 print_canon_ace( current_ace, 0);
1816 *all_aces_are_inherit_only = False;
1818 * We must not free current_ace here as its
1819 * pointer is now owned by the file_ace list.
1821 current_ace = NULL;
1825 * Free if ACE was not added.
1828 TALLOC_FREE(current_ace);
1829 return true;
1832 /****************************************************************************
1833 Unpack a struct security_descriptor into two canonical ace lists.
1834 ****************************************************************************/
1836 static bool create_canon_ace_lists(files_struct *fsp,
1837 const SMB_STRUCT_STAT *pst,
1838 struct dom_sid *pfile_owner_sid,
1839 struct dom_sid *pfile_grp_sid,
1840 canon_ace **ppfile_ace,
1841 canon_ace **ppdir_ace,
1842 const struct security_acl *dacl)
1844 bool all_aces_are_inherit_only = (fsp->is_directory ? True : False);
1845 canon_ace *file_ace = NULL;
1846 canon_ace *dir_ace = NULL;
1847 canon_ace *current_ace = NULL;
1848 bool got_dir_allow = False;
1849 bool got_file_allow = False;
1850 int i, j;
1852 *ppfile_ace = NULL;
1853 *ppdir_ace = NULL;
1856 * Convert the incoming ACL into a more regular form.
1859 for(i = 0; i < dacl->num_aces; i++) {
1860 struct security_ace *psa = &dacl->aces[i];
1862 if((psa->type != SEC_ACE_TYPE_ACCESS_ALLOWED) && (psa->type != SEC_ACE_TYPE_ACCESS_DENIED)) {
1863 DEBUG(3,("create_canon_ace_lists: unable to set anything but an ALLOW or DENY ACE.\n"));
1864 return False;
1867 if (nt4_compatible_acls()) {
1869 * The security mask may be UNIX_ACCESS_NONE which should map into
1870 * no permissions (we overload the WRITE_OWNER bit for this) or it
1871 * should be one of the ALL/EXECUTE/READ/WRITE bits. Arrange for this
1872 * to be so. Any other bits override the UNIX_ACCESS_NONE bit.
1876 * Convert GENERIC bits to specific bits.
1879 se_map_generic(&psa->access_mask, &file_generic_mapping);
1881 psa->access_mask &= (UNIX_ACCESS_NONE|FILE_ALL_ACCESS);
1883 if(psa->access_mask != UNIX_ACCESS_NONE)
1884 psa->access_mask &= ~UNIX_ACCESS_NONE;
1889 * Deal with the fact that NT 4.x re-writes the canonical format
1890 * that we return for default ACLs. If a directory ACE is identical
1891 * to a inherited directory ACE then NT changes the bits so that the
1892 * first ACE is set to OI|IO and the second ACE for this SID is set
1893 * to CI. We need to repair this. JRA.
1896 for(i = 0; i < dacl->num_aces; i++) {
1897 struct security_ace *psa1 = &dacl->aces[i];
1899 for (j = i + 1; j < dacl->num_aces; j++) {
1900 struct security_ace *psa2 = &dacl->aces[j];
1902 if (psa1->access_mask != psa2->access_mask)
1903 continue;
1905 if (!dom_sid_equal(&psa1->trustee, &psa2->trustee))
1906 continue;
1909 * Ok - permission bits and SIDs are equal.
1910 * Check if flags were re-written.
1913 if (psa1->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1915 psa1->flags |= (psa2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1916 psa2->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1918 } else if (psa2->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1920 psa2->flags |= (psa1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1921 psa1->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1927 for(i = 0; i < dacl->num_aces; i++) {
1928 struct security_ace *psa = &dacl->aces[i];
1931 * Create a canon_ace entry representing this NT DACL ACE.
1934 if ((current_ace = talloc(talloc_tos(), canon_ace)) == NULL) {
1935 free_canon_ace_list(file_ace);
1936 free_canon_ace_list(dir_ace);
1937 DEBUG(0,("create_canon_ace_lists: malloc fail.\n"));
1938 return False;
1941 ZERO_STRUCTP(current_ace);
1943 sid_copy(&current_ace->trustee, &psa->trustee);
1946 * Try and work out if the SID is a user or group
1947 * as we need to flag these differently for POSIX.
1948 * Note what kind of a POSIX ACL this should map to.
1951 if( dom_sid_equal(&current_ace->trustee, &global_sid_World)) {
1952 current_ace->owner_type = WORLD_ACE;
1953 current_ace->unix_ug.type = ID_TYPE_NOT_SPECIFIED;
1954 current_ace->unix_ug.id = -1;
1955 current_ace->type = SMB_ACL_OTHER;
1956 } else if (dom_sid_equal(&current_ace->trustee, &global_sid_Creator_Owner)) {
1957 current_ace->owner_type = UID_ACE;
1958 current_ace->unix_ug.type = ID_TYPE_UID;
1959 current_ace->unix_ug.id = pst->st_ex_uid;
1960 current_ace->type = SMB_ACL_USER_OBJ;
1963 * The Creator Owner entry only specifies inheritable permissions,
1964 * never access permissions. WinNT doesn't always set the ACE to
1965 * INHERIT_ONLY, though.
1968 psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1970 } else if (dom_sid_equal(&current_ace->trustee, &global_sid_Creator_Group)) {
1971 current_ace->owner_type = GID_ACE;
1972 current_ace->unix_ug.type = ID_TYPE_GID;
1973 current_ace->unix_ug.id = pst->st_ex_gid;
1974 current_ace->type = SMB_ACL_GROUP_OBJ;
1977 * The Creator Group entry only specifies inheritable permissions,
1978 * never access permissions. WinNT doesn't always set the ACE to
1979 * INHERIT_ONLY, though.
1981 psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1983 } else {
1984 struct unixid unixid;
1986 if (!sids_to_unixids(&current_ace->trustee, 1, &unixid)) {
1987 free_canon_ace_list(file_ace);
1988 free_canon_ace_list(dir_ace);
1989 TALLOC_FREE(current_ace);
1990 DEBUG(0, ("create_canon_ace_lists: sids_to_unixids "
1991 "failed for %s (allocation failure)\n",
1992 sid_string_dbg(&current_ace->trustee)));
1993 return false;
1996 if (unixid.type == ID_TYPE_BOTH) {
1997 /* If it's the owning user, this is a
1998 * user_obj, not a user. This way, we
1999 * get a valid ACL for groups that own
2000 * files, without putting user ACL
2001 * entries in for groups otherwise */
2002 if (unixid.id == pst->st_ex_uid) {
2003 current_ace->owner_type = UID_ACE;
2004 current_ace->unix_ug.type = ID_TYPE_UID;
2005 current_ace->unix_ug.id = unixid.id;
2006 current_ace->type = SMB_ACL_USER_OBJ;
2008 /* Add the user object to the posix ACL,
2009 and proceed to the group mapping
2010 below. This handles the talloc_free
2011 of current_ace if not added for some
2012 reason */
2013 if (!add_current_ace_to_acl(fsp,
2014 psa,
2015 &file_ace,
2016 &dir_ace,
2017 &got_file_allow,
2018 &got_dir_allow,
2019 &all_aces_are_inherit_only,
2020 current_ace)) {
2021 free_canon_ace_list(file_ace);
2022 free_canon_ace_list(dir_ace);
2023 return false;
2026 if ((current_ace = talloc(talloc_tos(),
2027 canon_ace)) == NULL) {
2028 free_canon_ace_list(file_ace);
2029 free_canon_ace_list(dir_ace);
2030 DEBUG(0,("create_canon_ace_lists: "
2031 "malloc fail.\n"));
2032 return False;
2035 ZERO_STRUCTP(current_ace);
2038 sid_copy(&current_ace->trustee, &psa->trustee);
2040 current_ace->unix_ug.type = ID_TYPE_GID;
2041 current_ace->unix_ug.id = unixid.id;
2042 current_ace->owner_type = GID_ACE;
2043 /* If it's the primary group, this is a
2044 group_obj, not a group. */
2045 if (current_ace->unix_ug.id == pst->st_ex_gid) {
2046 current_ace->type = SMB_ACL_GROUP_OBJ;
2047 } else {
2048 current_ace->type = SMB_ACL_GROUP;
2051 } else if (unixid.type == ID_TYPE_UID) {
2052 current_ace->owner_type = UID_ACE;
2053 current_ace->unix_ug.type = ID_TYPE_UID;
2054 current_ace->unix_ug.id = unixid.id;
2055 /* If it's the owning user, this is a user_obj,
2056 not a user. */
2057 if (current_ace->unix_ug.id == pst->st_ex_uid) {
2058 current_ace->type = SMB_ACL_USER_OBJ;
2059 } else {
2060 current_ace->type = SMB_ACL_USER;
2062 } else if (unixid.type == ID_TYPE_GID) {
2063 current_ace->unix_ug.type = ID_TYPE_GID;
2064 current_ace->unix_ug.id = unixid.id;
2065 current_ace->owner_type = GID_ACE;
2066 /* If it's the primary group, this is a
2067 group_obj, not a group. */
2068 if (current_ace->unix_ug.id == pst->st_ex_gid) {
2069 current_ace->type = SMB_ACL_GROUP_OBJ;
2070 } else {
2071 current_ace->type = SMB_ACL_GROUP;
2073 } else {
2075 * Silently ignore map failures in non-mappable SIDs (NT Authority, BUILTIN etc).
2078 if (non_mappable_sid(&psa->trustee)) {
2079 DEBUG(10, ("create_canon_ace_lists: ignoring "
2080 "non-mappable SID %s\n",
2081 sid_string_dbg(&psa->trustee)));
2082 TALLOC_FREE(current_ace);
2083 continue;
2086 if (lp_force_unknown_acl_user(SNUM(fsp->conn))) {
2087 DEBUG(10, ("create_canon_ace_lists: ignoring "
2088 "unknown or foreign SID %s\n",
2089 sid_string_dbg(&psa->trustee)));
2090 TALLOC_FREE(current_ace);
2091 continue;
2094 free_canon_ace_list(file_ace);
2095 free_canon_ace_list(dir_ace);
2096 DEBUG(0, ("create_canon_ace_lists: unable to map SID "
2097 "%s to uid or gid.\n",
2098 sid_string_dbg(&current_ace->trustee)));
2099 TALLOC_FREE(current_ace);
2100 return false;
2104 /* handles the talloc_free of current_ace if not added for some reason */
2105 if (!add_current_ace_to_acl(fsp, psa, &file_ace, &dir_ace,
2106 &got_file_allow, &got_dir_allow,
2107 &all_aces_are_inherit_only, current_ace)) {
2108 free_canon_ace_list(file_ace);
2109 free_canon_ace_list(dir_ace);
2110 return false;
2114 if (fsp->is_directory && all_aces_are_inherit_only) {
2116 * Windows 2000 is doing one of these weird 'inherit acl'
2117 * traverses to conserve NTFS ACL resources. Just pretend
2118 * there was no DACL sent. JRA.
2121 DEBUG(10,("create_canon_ace_lists: Win2k inherit acl traverse. Ignoring DACL.\n"));
2122 free_canon_ace_list(file_ace);
2123 free_canon_ace_list(dir_ace);
2124 file_ace = NULL;
2125 dir_ace = NULL;
2126 } else {
2128 * Check if we have SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries in
2129 * the file ACL. If we don't have them, check if any SMB_ACL_USER/SMB_ACL_GROUP
2130 * entries can be converted to *_OBJ. Don't do this for the default
2131 * ACL, we will create them separately for this if needed inside
2132 * ensure_canon_entry_valid().
2134 if (file_ace) {
2135 check_owning_objs(file_ace, pfile_owner_sid, pfile_grp_sid);
2139 *ppfile_ace = file_ace;
2140 *ppdir_ace = dir_ace;
2142 return True;
2145 /****************************************************************************
2146 ASCII art time again... JRA :-).
2148 We have 4 cases to process when moving from an NT ACL to a POSIX ACL. Firstly,
2149 we insist the ACL is in canonical form (ie. all DENY entries preceede ALLOW
2150 entries). Secondly, the merge code has ensured that all duplicate SID entries for
2151 allow or deny have been merged, so the same SID can only appear once in the deny
2152 list or once in the allow list.
2154 We then process as follows :
2156 ---------------------------------------------------------------------------
2157 First pass - look for a Everyone DENY entry.
2159 If it is deny all (rwx) trunate the list at this point.
2160 Else, walk the list from this point and use the deny permissions of this
2161 entry as a mask on all following allow entries. Finally, delete
2162 the Everyone DENY entry (we have applied it to everything possible).
2164 In addition, in this pass we remove any DENY entries that have
2165 no permissions (ie. they are a DENY nothing).
2166 ---------------------------------------------------------------------------
2167 Second pass - only deal with deny user entries.
2169 DENY user1 (perms XXX)
2171 new_perms = 0
2172 for all following allow group entries where user1 is in group
2173 new_perms |= group_perms;
2175 user1 entry perms = new_perms & ~ XXX;
2177 Convert the deny entry to an allow entry with the new perms and
2178 push to the end of the list. Note if the user was in no groups
2179 this maps to a specific allow nothing entry for this user.
2181 The common case from the NT ACL choser (userX deny all) is
2182 optimised so we don't do the group lookup - we just map to
2183 an allow nothing entry.
2185 What we're doing here is inferring the allow permissions the
2186 person setting the ACE on user1 wanted by looking at the allow
2187 permissions on the groups the user is currently in. This will
2188 be a snapshot, depending on group membership but is the best
2189 we can do and has the advantage of failing closed rather than
2190 open.
2191 ---------------------------------------------------------------------------
2192 Third pass - only deal with deny group entries.
2194 DENY group1 (perms XXX)
2196 for all following allow user entries where user is in group1
2197 user entry perms = user entry perms & ~ XXX;
2199 If there is a group Everyone allow entry with permissions YYY,
2200 convert the group1 entry to an allow entry and modify its
2201 permissions to be :
2203 new_perms = YYY & ~ XXX
2205 and push to the end of the list.
2207 If there is no group Everyone allow entry then convert the
2208 group1 entry to a allow nothing entry and push to the end of the list.
2210 Note that the common case from the NT ACL choser (groupX deny all)
2211 cannot be optimised here as we need to modify user entries who are
2212 in the group to change them to a deny all also.
2214 What we're doing here is modifying the allow permissions of
2215 user entries (which are more specific in POSIX ACLs) to mask
2216 out the explicit deny set on the group they are in. This will
2217 be a snapshot depending on current group membership but is the
2218 best we can do and has the advantage of failing closed rather
2219 than open.
2220 ---------------------------------------------------------------------------
2221 Fourth pass - cope with cumulative permissions.
2223 for all allow user entries, if there exists an allow group entry with
2224 more permissive permissions, and the user is in that group, rewrite the
2225 allow user permissions to contain both sets of permissions.
2227 Currently the code for this is #ifdef'ed out as these semantics make
2228 no sense to me. JRA.
2229 ---------------------------------------------------------------------------
2231 Note we *MUST* do the deny user pass first as this will convert deny user
2232 entries into allow user entries which can then be processed by the deny
2233 group pass.
2235 The above algorithm took a *lot* of thinking about - hence this
2236 explaination :-). JRA.
2237 ****************************************************************************/
2239 /****************************************************************************
2240 Process a canon_ace list entries. This is very complex code. We need
2241 to go through and remove the "deny" permissions from any allow entry that matches
2242 the id of this entry. We have already refused any NT ACL that wasn't in correct
2243 order (DENY followed by ALLOW). If any allow entry ends up with zero permissions,
2244 we just remove it (to fail safe). We have already removed any duplicate ace
2245 entries. Treat an "Everyone" DENY_ACE as a special case - use it to mask all
2246 allow entries.
2247 ****************************************************************************/
2249 static void process_deny_list(connection_struct *conn, canon_ace **pp_ace_list )
2251 canon_ace *ace_list = *pp_ace_list;
2252 canon_ace *curr_ace = NULL;
2253 canon_ace *curr_ace_next = NULL;
2255 /* Pass 1 above - look for an Everyone, deny entry. */
2257 for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2258 canon_ace *allow_ace_p;
2260 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2262 if (curr_ace->attr != DENY_ACE)
2263 continue;
2265 if (curr_ace->perms == (mode_t)0) {
2267 /* Deny nothing entry - delete. */
2269 DLIST_REMOVE(ace_list, curr_ace);
2270 continue;
2273 if (!dom_sid_equal(&curr_ace->trustee, &global_sid_World))
2274 continue;
2276 /* JRATEST - assert. */
2277 SMB_ASSERT(curr_ace->owner_type == WORLD_ACE);
2279 if (curr_ace->perms == ALL_ACE_PERMS) {
2282 * Optimisation. This is a DENY_ALL to Everyone. Truncate the
2283 * list at this point including this entry.
2286 canon_ace *prev_entry = DLIST_PREV(curr_ace);
2288 free_canon_ace_list( curr_ace );
2289 if (prev_entry)
2290 DLIST_REMOVE(ace_list, prev_entry);
2291 else {
2292 /* We deleted the entire list. */
2293 ace_list = NULL;
2295 break;
2298 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2301 * Only mask off allow entries.
2304 if (allow_ace_p->attr != ALLOW_ACE)
2305 continue;
2307 allow_ace_p->perms &= ~curr_ace->perms;
2311 * Now it's been applied, remove it.
2314 DLIST_REMOVE(ace_list, curr_ace);
2317 /* Pass 2 above - deal with deny user entries. */
2319 for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2320 mode_t new_perms = (mode_t)0;
2321 canon_ace *allow_ace_p;
2323 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2325 if (curr_ace->attr != DENY_ACE)
2326 continue;
2328 if (curr_ace->owner_type != UID_ACE)
2329 continue;
2331 if (curr_ace->perms == ALL_ACE_PERMS) {
2334 * Optimisation - this is a deny everything to this user.
2335 * Convert to an allow nothing and push to the end of the list.
2338 curr_ace->attr = ALLOW_ACE;
2339 curr_ace->perms = (mode_t)0;
2340 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
2341 continue;
2344 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2346 if (allow_ace_p->attr != ALLOW_ACE)
2347 continue;
2349 /* We process GID_ACE and WORLD_ACE entries only. */
2351 if (allow_ace_p->owner_type == UID_ACE)
2352 continue;
2354 if (uid_entry_in_group(conn, curr_ace, allow_ace_p))
2355 new_perms |= allow_ace_p->perms;
2359 * Convert to a allow entry, modify the perms and push to the end
2360 * of the list.
2363 curr_ace->attr = ALLOW_ACE;
2364 curr_ace->perms = (new_perms & ~curr_ace->perms);
2365 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
2368 /* Pass 3 above - deal with deny group entries. */
2370 for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2371 canon_ace *allow_ace_p;
2372 canon_ace *allow_everyone_p = NULL;
2374 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2376 if (curr_ace->attr != DENY_ACE)
2377 continue;
2379 if (curr_ace->owner_type != GID_ACE)
2380 continue;
2382 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2384 if (allow_ace_p->attr != ALLOW_ACE)
2385 continue;
2387 /* Store a pointer to the Everyone allow, if it exists. */
2388 if (allow_ace_p->owner_type == WORLD_ACE)
2389 allow_everyone_p = allow_ace_p;
2391 /* We process UID_ACE entries only. */
2393 if (allow_ace_p->owner_type != UID_ACE)
2394 continue;
2396 /* Mask off the deny group perms. */
2398 if (uid_entry_in_group(conn, allow_ace_p, curr_ace))
2399 allow_ace_p->perms &= ~curr_ace->perms;
2403 * Convert the deny to an allow with the correct perms and
2404 * push to the end of the list.
2407 curr_ace->attr = ALLOW_ACE;
2408 if (allow_everyone_p)
2409 curr_ace->perms = allow_everyone_p->perms & ~curr_ace->perms;
2410 else
2411 curr_ace->perms = (mode_t)0;
2412 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
2415 /* Doing this fourth pass allows Windows semantics to be layered
2416 * on top of POSIX semantics. I'm not sure if this is desirable.
2417 * For example, in W2K ACLs there is no way to say, "Group X no
2418 * access, user Y full access" if user Y is a member of group X.
2419 * This seems completely broken semantics to me.... JRA.
2422 #if 0
2423 /* Pass 4 above - deal with allow entries. */
2425 for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2426 canon_ace *allow_ace_p;
2428 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2430 if (curr_ace->attr != ALLOW_ACE)
2431 continue;
2433 if (curr_ace->owner_type != UID_ACE)
2434 continue;
2436 for (allow_ace_p = ace_list; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2438 if (allow_ace_p->attr != ALLOW_ACE)
2439 continue;
2441 /* We process GID_ACE entries only. */
2443 if (allow_ace_p->owner_type != GID_ACE)
2444 continue;
2446 /* OR in the group perms. */
2448 if (uid_entry_in_group(conn, curr_ace, allow_ace_p))
2449 curr_ace->perms |= allow_ace_p->perms;
2452 #endif
2454 *pp_ace_list = ace_list;
2457 /****************************************************************************
2458 Unpack a struct security_descriptor into two canonical ace lists. We don't depend on this
2459 succeeding.
2460 ****************************************************************************/
2462 static bool unpack_canon_ace(files_struct *fsp,
2463 const SMB_STRUCT_STAT *pst,
2464 struct dom_sid *pfile_owner_sid,
2465 struct dom_sid *pfile_grp_sid,
2466 canon_ace **ppfile_ace,
2467 canon_ace **ppdir_ace,
2468 uint32 security_info_sent,
2469 const struct security_descriptor *psd)
2471 canon_ace *file_ace = NULL;
2472 canon_ace *dir_ace = NULL;
2474 *ppfile_ace = NULL;
2475 *ppdir_ace = NULL;
2477 if(security_info_sent == 0) {
2478 DEBUG(0,("unpack_canon_ace: no security info sent !\n"));
2479 return False;
2483 * If no DACL then this is a chown only security descriptor.
2486 if(!(security_info_sent & SECINFO_DACL) || !psd->dacl)
2487 return True;
2490 * Now go through the DACL and create the canon_ace lists.
2493 if (!create_canon_ace_lists( fsp, pst, pfile_owner_sid, pfile_grp_sid,
2494 &file_ace, &dir_ace, psd->dacl))
2495 return False;
2497 if ((file_ace == NULL) && (dir_ace == NULL)) {
2498 /* W2K traverse DACL set - ignore. */
2499 return True;
2503 * Go through the canon_ace list and merge entries
2504 * belonging to identical users of identical allow or deny type.
2505 * We can do this as all deny entries come first, followed by
2506 * all allow entries (we have mandated this before accepting this acl).
2509 print_canon_ace_list( "file ace - before merge", file_ace);
2510 merge_aces( &file_ace, false);
2512 print_canon_ace_list( "dir ace - before merge", dir_ace);
2513 merge_aces( &dir_ace, true);
2516 * NT ACLs are order dependent. Go through the acl lists and
2517 * process DENY entries by masking the allow entries.
2520 print_canon_ace_list( "file ace - before deny", file_ace);
2521 process_deny_list(fsp->conn, &file_ace);
2523 print_canon_ace_list( "dir ace - before deny", dir_ace);
2524 process_deny_list(fsp->conn, &dir_ace);
2527 * A well formed POSIX file or default ACL has at least 3 entries, a
2528 * SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ
2529 * and optionally a mask entry. Ensure this is the case.
2532 print_canon_ace_list( "file ace - before valid", file_ace);
2534 if (!ensure_canon_entry_valid(fsp->conn, &file_ace, fsp->conn->params,
2535 fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
2536 free_canon_ace_list(file_ace);
2537 free_canon_ace_list(dir_ace);
2538 return False;
2541 print_canon_ace_list( "dir ace - before valid", dir_ace);
2543 if (dir_ace && !ensure_canon_entry_valid(fsp->conn, &dir_ace, fsp->conn->params,
2544 fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
2545 free_canon_ace_list(file_ace);
2546 free_canon_ace_list(dir_ace);
2547 return False;
2550 print_canon_ace_list( "file ace - return", file_ace);
2551 print_canon_ace_list( "dir ace - return", dir_ace);
2553 *ppfile_ace = file_ace;
2554 *ppdir_ace = dir_ace;
2555 return True;
2559 /******************************************************************************
2560 When returning permissions, try and fit NT display
2561 semantics if possible. Note the the canon_entries here must have been malloced.
2562 The list format should be - first entry = owner, followed by group and other user
2563 entries, last entry = other.
2565 Note that this doesn't exactly match the NT semantics for an ACL. As POSIX entries
2566 are not ordered, and match on the most specific entry rather than walking a list,
2567 then a simple POSIX permission of rw-r--r-- should really map to 5 entries,
2569 Entry 0: owner : deny all except read and write.
2570 Entry 1: owner : allow read and write.
2571 Entry 2: group : deny all except read.
2572 Entry 3: group : allow read.
2573 Entry 4: Everyone : allow read.
2575 But NT cannot display this in their ACL editor !
2576 ********************************************************************************/
2578 static void arrange_posix_perms(const char *filename, canon_ace **pp_list_head)
2580 canon_ace *l_head = *pp_list_head;
2581 canon_ace *owner_ace = NULL;
2582 canon_ace *other_ace = NULL;
2583 canon_ace *ace = NULL;
2585 for (ace = l_head; ace; ace = ace->next) {
2586 if (ace->type == SMB_ACL_USER_OBJ)
2587 owner_ace = ace;
2588 else if (ace->type == SMB_ACL_OTHER) {
2589 /* Last ace - this is "other" */
2590 other_ace = ace;
2594 if (!owner_ace || !other_ace) {
2595 DEBUG(0,("arrange_posix_perms: Invalid POSIX permissions for file %s, missing owner or other.\n",
2596 filename ));
2597 return;
2601 * The POSIX algorithm applies to owner first, and other last,
2602 * so ensure they are arranged in this order.
2605 if (owner_ace) {
2606 DLIST_PROMOTE(l_head, owner_ace);
2609 if (other_ace) {
2610 DLIST_DEMOTE(l_head, other_ace, canon_ace *);
2613 /* We have probably changed the head of the list. */
2615 *pp_list_head = l_head;
2618 /****************************************************************************
2619 Create a linked list of canonical ACE entries.
2620 ****************************************************************************/
2622 static canon_ace *canonicalise_acl(struct connection_struct *conn,
2623 const char *fname, SMB_ACL_T posix_acl,
2624 const SMB_STRUCT_STAT *psbuf,
2625 const struct dom_sid *powner, const struct dom_sid *pgroup, struct pai_val *pal, SMB_ACL_TYPE_T the_acl_type)
2627 mode_t acl_mask = (S_IRUSR|S_IWUSR|S_IXUSR);
2628 canon_ace *l_head = NULL;
2629 canon_ace *ace = NULL;
2630 canon_ace *next_ace = NULL;
2631 int entry_id = SMB_ACL_FIRST_ENTRY;
2632 SMB_ACL_ENTRY_T entry;
2633 size_t ace_count;
2635 while ( posix_acl && (sys_acl_get_entry(posix_acl, entry_id, &entry) == 1)) {
2636 SMB_ACL_TAG_T tagtype;
2637 SMB_ACL_PERMSET_T permset;
2638 struct dom_sid sid;
2639 struct unixid unix_ug;
2640 enum ace_owner owner_type;
2642 entry_id = SMB_ACL_NEXT_ENTRY;
2644 /* Is this a MASK entry ? */
2645 if (sys_acl_get_tag_type(entry, &tagtype) == -1)
2646 continue;
2648 if (sys_acl_get_permset(entry, &permset) == -1)
2649 continue;
2651 /* Decide which SID to use based on the ACL type. */
2652 switch(tagtype) {
2653 case SMB_ACL_USER_OBJ:
2654 /* Get the SID from the owner. */
2655 sid_copy(&sid, powner);
2656 unix_ug.type = ID_TYPE_UID;
2657 unix_ug.id = psbuf->st_ex_uid;
2658 owner_type = UID_ACE;
2659 break;
2660 case SMB_ACL_USER:
2662 uid_t *puid = (uid_t *)sys_acl_get_qualifier(entry);
2663 if (puid == NULL) {
2664 DEBUG(0,("canonicalise_acl: Failed to get uid.\n"));
2665 continue;
2667 uid_to_sid( &sid, *puid);
2668 unix_ug.type = ID_TYPE_UID;
2669 unix_ug.id = *puid;
2670 owner_type = UID_ACE;
2671 break;
2673 case SMB_ACL_GROUP_OBJ:
2674 /* Get the SID from the owning group. */
2675 sid_copy(&sid, pgroup);
2676 unix_ug.type = ID_TYPE_GID;
2677 unix_ug.id = psbuf->st_ex_gid;
2678 owner_type = GID_ACE;
2679 break;
2680 case SMB_ACL_GROUP:
2682 gid_t *pgid = (gid_t *)sys_acl_get_qualifier(entry);
2683 if (pgid == NULL) {
2684 DEBUG(0,("canonicalise_acl: Failed to get gid.\n"));
2685 continue;
2687 gid_to_sid( &sid, *pgid);
2688 unix_ug.type = ID_TYPE_GID;
2689 unix_ug.id = *pgid;
2690 owner_type = GID_ACE;
2691 break;
2693 case SMB_ACL_MASK:
2694 acl_mask = convert_permset_to_mode_t(permset);
2695 continue; /* Don't count the mask as an entry. */
2696 case SMB_ACL_OTHER:
2697 /* Use the Everyone SID */
2698 sid = global_sid_World;
2699 unix_ug.type = ID_TYPE_NOT_SPECIFIED;
2700 unix_ug.id = -1;
2701 owner_type = WORLD_ACE;
2702 break;
2703 default:
2704 DEBUG(0,("canonicalise_acl: Unknown tagtype %u\n", (unsigned int)tagtype));
2705 continue;
2709 * Add this entry to the list.
2712 if ((ace = talloc(talloc_tos(), canon_ace)) == NULL)
2713 goto fail;
2715 ZERO_STRUCTP(ace);
2716 ace->type = tagtype;
2717 ace->perms = convert_permset_to_mode_t(permset);
2718 ace->attr = ALLOW_ACE;
2719 ace->trustee = sid;
2720 ace->unix_ug = unix_ug;
2721 ace->owner_type = owner_type;
2722 ace->ace_flags = get_pai_flags(pal, ace, (the_acl_type == SMB_ACL_TYPE_DEFAULT));
2724 DLIST_ADD(l_head, ace);
2728 * This next call will ensure we have at least a user/group/world set.
2731 if (!ensure_canon_entry_valid(conn, &l_head, conn->params,
2732 S_ISDIR(psbuf->st_ex_mode), powner, pgroup,
2733 psbuf, False))
2734 goto fail;
2737 * Now go through the list, masking the permissions with the
2738 * acl_mask. Ensure all DENY Entries are at the start of the list.
2741 DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", the_acl_type == SMB_ACL_TYPE_ACCESS ? "Access" : "Default" ));
2743 for ( ace_count = 0, ace = l_head; ace; ace = next_ace, ace_count++) {
2744 next_ace = ace->next;
2746 /* Masks are only applied to entries other than USER_OBJ and OTHER. */
2747 if (ace->type != SMB_ACL_OTHER && ace->type != SMB_ACL_USER_OBJ)
2748 ace->perms &= acl_mask;
2750 if (ace->perms == 0) {
2751 DLIST_PROMOTE(l_head, ace);
2754 if( DEBUGLVL( 10 ) ) {
2755 print_canon_ace(ace, ace_count);
2759 arrange_posix_perms(fname,&l_head );
2761 print_canon_ace_list( "canonicalise_acl: ace entries after arrange", l_head );
2763 return l_head;
2765 fail:
2767 free_canon_ace_list(l_head);
2768 return NULL;
2771 /****************************************************************************
2772 Check if the current user group list contains a given group.
2773 ****************************************************************************/
2775 bool current_user_in_group(connection_struct *conn, gid_t gid)
2777 int i;
2778 const struct security_unix_token *utok = get_current_utok(conn);
2780 for (i = 0; i < utok->ngroups; i++) {
2781 if (utok->groups[i] == gid) {
2782 return True;
2786 return False;
2789 /****************************************************************************
2790 Should we override a deny ? Check 'acl group control' and 'dos filemode'.
2791 ****************************************************************************/
2793 static bool acl_group_override(connection_struct *conn,
2794 const struct smb_filename *smb_fname)
2796 if ((errno != EPERM) && (errno != EACCES)) {
2797 return false;
2800 /* file primary group == user primary or supplementary group */
2801 if (lp_acl_group_control(SNUM(conn)) &&
2802 current_user_in_group(conn, smb_fname->st.st_ex_gid)) {
2803 return true;
2806 /* user has writeable permission */
2807 if (lp_dos_filemode(SNUM(conn)) &&
2808 can_write_to_file(conn, smb_fname)) {
2809 return true;
2812 return false;
2815 /****************************************************************************
2816 Attempt to apply an ACL to a file or directory.
2817 ****************************************************************************/
2819 static bool set_canon_ace_list(files_struct *fsp,
2820 canon_ace *the_ace,
2821 bool default_ace,
2822 const SMB_STRUCT_STAT *psbuf,
2823 bool *pacl_set_support)
2825 connection_struct *conn = fsp->conn;
2826 bool ret = False;
2827 SMB_ACL_T the_acl = sys_acl_init();
2828 canon_ace *p_ace;
2829 int i;
2830 SMB_ACL_ENTRY_T mask_entry;
2831 bool got_mask_entry = False;
2832 SMB_ACL_PERMSET_T mask_permset;
2833 SMB_ACL_TYPE_T the_acl_type = (default_ace ? SMB_ACL_TYPE_DEFAULT : SMB_ACL_TYPE_ACCESS);
2834 bool needs_mask = False;
2835 mode_t mask_perms = 0;
2837 /* Use the psbuf that was passed in. */
2838 if (psbuf != &fsp->fsp_name->st) {
2839 fsp->fsp_name->st = *psbuf;
2842 #if defined(POSIX_ACL_NEEDS_MASK)
2843 /* HP-UX always wants to have a mask (called "class" there). */
2844 needs_mask = True;
2845 #endif
2847 if (the_acl == NULL) {
2848 DEBUG(0, ("sys_acl_init failed to allocate an ACL\n"));
2849 return false;
2852 if( DEBUGLVL( 10 )) {
2853 dbgtext("set_canon_ace_list: setting ACL:\n");
2854 for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2855 print_canon_ace( p_ace, i);
2859 for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2860 SMB_ACL_ENTRY_T the_entry;
2861 SMB_ACL_PERMSET_T the_permset;
2864 * ACLs only "need" an ACL_MASK entry if there are any named user or
2865 * named group entries. But if there is an ACL_MASK entry, it applies
2866 * to ACL_USER, ACL_GROUP, and ACL_GROUP_OBJ entries. Set the mask
2867 * so that it doesn't deny (i.e., mask off) any permissions.
2870 if (p_ace->type == SMB_ACL_USER || p_ace->type == SMB_ACL_GROUP) {
2871 needs_mask = True;
2872 mask_perms |= p_ace->perms;
2873 } else if (p_ace->type == SMB_ACL_GROUP_OBJ) {
2874 mask_perms |= p_ace->perms;
2878 * Get the entry for this ACE.
2881 if (sys_acl_create_entry(&the_acl, &the_entry) == -1) {
2882 DEBUG(0,("set_canon_ace_list: Failed to create entry %d. (%s)\n",
2883 i, strerror(errno) ));
2884 goto fail;
2887 if (p_ace->type == SMB_ACL_MASK) {
2888 mask_entry = the_entry;
2889 got_mask_entry = True;
2893 * Ok - we now know the ACL calls should be working, don't
2894 * allow fallback to chmod.
2897 *pacl_set_support = True;
2900 * Initialise the entry from the canon_ace.
2904 * First tell the entry what type of ACE this is.
2907 if (sys_acl_set_tag_type(the_entry, p_ace->type) == -1) {
2908 DEBUG(0,("set_canon_ace_list: Failed to set tag type on entry %d. (%s)\n",
2909 i, strerror(errno) ));
2910 goto fail;
2914 * Only set the qualifier (user or group id) if the entry is a user
2915 * or group id ACE.
2918 if ((p_ace->type == SMB_ACL_USER) || (p_ace->type == SMB_ACL_GROUP)) {
2919 if (sys_acl_set_qualifier(the_entry,(void *)&p_ace->unix_ug.id) == -1) {
2920 DEBUG(0,("set_canon_ace_list: Failed to set qualifier on entry %d. (%s)\n",
2921 i, strerror(errno) ));
2922 goto fail;
2927 * Convert the mode_t perms in the canon_ace to a POSIX permset.
2930 if (sys_acl_get_permset(the_entry, &the_permset) == -1) {
2931 DEBUG(0,("set_canon_ace_list: Failed to get permset on entry %d. (%s)\n",
2932 i, strerror(errno) ));
2933 goto fail;
2936 if (map_acl_perms_to_permset(conn, p_ace->perms, &the_permset) == -1) {
2937 DEBUG(0,("set_canon_ace_list: Failed to create permset for mode (%u) on entry %d. (%s)\n",
2938 (unsigned int)p_ace->perms, i, strerror(errno) ));
2939 goto fail;
2943 * ..and apply them to the entry.
2946 if (sys_acl_set_permset(the_entry, the_permset) == -1) {
2947 DEBUG(0,("set_canon_ace_list: Failed to add permset on entry %d. (%s)\n",
2948 i, strerror(errno) ));
2949 goto fail;
2952 if( DEBUGLVL( 10 ))
2953 print_canon_ace( p_ace, i);
2957 if (needs_mask && !got_mask_entry) {
2958 if (sys_acl_create_entry(&the_acl, &mask_entry) == -1) {
2959 DEBUG(0,("set_canon_ace_list: Failed to create mask entry. (%s)\n", strerror(errno) ));
2960 goto fail;
2963 if (sys_acl_set_tag_type(mask_entry, SMB_ACL_MASK) == -1) {
2964 DEBUG(0,("set_canon_ace_list: Failed to set tag type on mask entry. (%s)\n",strerror(errno) ));
2965 goto fail;
2968 if (sys_acl_get_permset(mask_entry, &mask_permset) == -1) {
2969 DEBUG(0,("set_canon_ace_list: Failed to get mask permset. (%s)\n", strerror(errno) ));
2970 goto fail;
2973 if (map_acl_perms_to_permset(conn, S_IRUSR|S_IWUSR|S_IXUSR, &mask_permset) == -1) {
2974 DEBUG(0,("set_canon_ace_list: Failed to create mask permset. (%s)\n", strerror(errno) ));
2975 goto fail;
2978 if (sys_acl_set_permset(mask_entry, mask_permset) == -1) {
2979 DEBUG(0,("set_canon_ace_list: Failed to add mask permset. (%s)\n", strerror(errno) ));
2980 goto fail;
2985 * Finally apply it to the file or directory.
2988 if(default_ace || fsp->is_directory || fsp->fh->fd == -1) {
2989 if (SMB_VFS_SYS_ACL_SET_FILE(conn, fsp->fsp_name->base_name,
2990 the_acl_type, the_acl) == -1) {
2992 * Some systems allow all the above calls and only fail with no ACL support
2993 * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
2995 if (no_acl_syscall_error(errno)) {
2996 *pacl_set_support = False;
2999 if (acl_group_override(conn, fsp->fsp_name)) {
3000 int sret;
3002 DEBUG(5,("set_canon_ace_list: acl group "
3003 "control on and current user in file "
3004 "%s primary group.\n",
3005 fsp_str_dbg(fsp)));
3007 become_root();
3008 sret = SMB_VFS_SYS_ACL_SET_FILE(conn,
3009 fsp->fsp_name->base_name, the_acl_type,
3010 the_acl);
3011 unbecome_root();
3012 if (sret == 0) {
3013 ret = True;
3017 if (ret == False) {
3018 DEBUG(2,("set_canon_ace_list: "
3019 "sys_acl_set_file type %s failed for "
3020 "file %s (%s).\n",
3021 the_acl_type == SMB_ACL_TYPE_DEFAULT ?
3022 "directory default" : "file",
3023 fsp_str_dbg(fsp), strerror(errno)));
3024 goto fail;
3027 } else {
3028 if (SMB_VFS_SYS_ACL_SET_FD(fsp, the_acl) == -1) {
3030 * Some systems allow all the above calls and only fail with no ACL support
3031 * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
3033 if (no_acl_syscall_error(errno)) {
3034 *pacl_set_support = False;
3037 if (acl_group_override(conn, fsp->fsp_name)) {
3038 int sret;
3040 DEBUG(5,("set_canon_ace_list: acl group "
3041 "control on and current user in file "
3042 "%s primary group.\n",
3043 fsp_str_dbg(fsp)));
3045 become_root();
3046 sret = SMB_VFS_SYS_ACL_SET_FD(fsp, the_acl);
3047 unbecome_root();
3048 if (sret == 0) {
3049 ret = True;
3053 if (ret == False) {
3054 DEBUG(2,("set_canon_ace_list: "
3055 "sys_acl_set_file failed for file %s "
3056 "(%s).\n",
3057 fsp_str_dbg(fsp), strerror(errno)));
3058 goto fail;
3063 ret = True;
3065 fail:
3067 if (the_acl != NULL) {
3068 TALLOC_FREE(the_acl);
3071 return ret;
3074 /****************************************************************************
3075 Find a particular canon_ace entry.
3076 ****************************************************************************/
3078 static struct canon_ace *canon_ace_entry_for(struct canon_ace *list, SMB_ACL_TAG_T type, struct unixid *id)
3080 while (list) {
3081 if (list->type == type && ((type != SMB_ACL_USER && type != SMB_ACL_GROUP) ||
3082 (type == SMB_ACL_USER && id && id->id == list->unix_ug.id) ||
3083 (type == SMB_ACL_GROUP && id && id->id == list->unix_ug.id)))
3084 break;
3085 list = list->next;
3087 return list;
3090 /****************************************************************************
3092 ****************************************************************************/
3094 SMB_ACL_T free_empty_sys_acl(connection_struct *conn, SMB_ACL_T the_acl)
3096 SMB_ACL_ENTRY_T entry;
3098 if (!the_acl)
3099 return NULL;
3100 if (sys_acl_get_entry(the_acl, SMB_ACL_FIRST_ENTRY, &entry) != 1) {
3101 TALLOC_FREE(the_acl);
3102 return NULL;
3104 return the_acl;
3107 /****************************************************************************
3108 Convert a canon_ace to a generic 3 element permission - if possible.
3109 ****************************************************************************/
3111 #define MAP_PERM(p,mask,result) (((p) & (mask)) ? (result) : 0 )
3113 static bool convert_canon_ace_to_posix_perms( files_struct *fsp, canon_ace *file_ace_list, mode_t *posix_perms)
3115 int snum = SNUM(fsp->conn);
3116 size_t ace_count = count_canon_ace_list(file_ace_list);
3117 canon_ace *ace_p;
3118 canon_ace *owner_ace = NULL;
3119 canon_ace *group_ace = NULL;
3120 canon_ace *other_ace = NULL;
3121 mode_t and_bits;
3122 mode_t or_bits;
3124 if (ace_count != 3) {
3125 DEBUG(3,("convert_canon_ace_to_posix_perms: Too many ACE "
3126 "entries for file %s to convert to posix perms.\n",
3127 fsp_str_dbg(fsp)));
3128 return False;
3131 for (ace_p = file_ace_list; ace_p; ace_p = ace_p->next) {
3132 if (ace_p->owner_type == UID_ACE)
3133 owner_ace = ace_p;
3134 else if (ace_p->owner_type == GID_ACE)
3135 group_ace = ace_p;
3136 else if (ace_p->owner_type == WORLD_ACE)
3137 other_ace = ace_p;
3140 if (!owner_ace || !group_ace || !other_ace) {
3141 DEBUG(3,("convert_canon_ace_to_posix_perms: Can't get "
3142 "standard entries for file %s.\n", fsp_str_dbg(fsp)));
3143 return False;
3146 *posix_perms = (mode_t)0;
3148 *posix_perms |= owner_ace->perms;
3149 *posix_perms |= MAP_PERM(group_ace->perms, S_IRUSR, S_IRGRP);
3150 *posix_perms |= MAP_PERM(group_ace->perms, S_IWUSR, S_IWGRP);
3151 *posix_perms |= MAP_PERM(group_ace->perms, S_IXUSR, S_IXGRP);
3152 *posix_perms |= MAP_PERM(other_ace->perms, S_IRUSR, S_IROTH);
3153 *posix_perms |= MAP_PERM(other_ace->perms, S_IWUSR, S_IWOTH);
3154 *posix_perms |= MAP_PERM(other_ace->perms, S_IXUSR, S_IXOTH);
3156 /* The owner must have at least read access. */
3158 *posix_perms |= S_IRUSR;
3159 if (fsp->is_directory)
3160 *posix_perms |= (S_IWUSR|S_IXUSR);
3162 /* If requested apply the masks. */
3164 /* Get the initial bits to apply. */
3166 if (fsp->is_directory) {
3167 and_bits = lp_dir_security_mask(snum);
3168 or_bits = lp_force_dir_security_mode(snum);
3169 } else {
3170 and_bits = lp_security_mask(snum);
3171 or_bits = lp_force_security_mode(snum);
3174 *posix_perms = (((*posix_perms) & and_bits)|or_bits);
3176 DEBUG(10,("convert_canon_ace_to_posix_perms: converted u=%o,g=%o,w=%o "
3177 "to perm=0%o for file %s.\n", (int)owner_ace->perms,
3178 (int)group_ace->perms, (int)other_ace->perms,
3179 (int)*posix_perms, fsp_str_dbg(fsp)));
3181 return True;
3184 /****************************************************************************
3185 Incoming NT ACLs on a directory can be split into a default POSIX acl (CI|OI|IO) and
3186 a normal POSIX acl. Win2k needs these split acls re-merging into one ACL
3187 with CI|OI set so it is inherited and also applies to the directory.
3188 Based on code from "Jim McDonough" <jmcd@us.ibm.com>.
3189 ****************************************************************************/
3191 static size_t merge_default_aces( struct security_ace *nt_ace_list, size_t num_aces)
3193 size_t i, j;
3195 for (i = 0; i < num_aces; i++) {
3196 for (j = i+1; j < num_aces; j++) {
3197 uint32 i_flags_ni = (nt_ace_list[i].flags & ~SEC_ACE_FLAG_INHERITED_ACE);
3198 uint32 j_flags_ni = (nt_ace_list[j].flags & ~SEC_ACE_FLAG_INHERITED_ACE);
3199 bool i_inh = (nt_ace_list[i].flags & SEC_ACE_FLAG_INHERITED_ACE) ? True : False;
3200 bool j_inh = (nt_ace_list[j].flags & SEC_ACE_FLAG_INHERITED_ACE) ? True : False;
3202 /* We know the lower number ACE's are file entries. */
3203 if ((nt_ace_list[i].type == nt_ace_list[j].type) &&
3204 (nt_ace_list[i].size == nt_ace_list[j].size) &&
3205 (nt_ace_list[i].access_mask == nt_ace_list[j].access_mask) &&
3206 dom_sid_equal(&nt_ace_list[i].trustee, &nt_ace_list[j].trustee) &&
3207 (i_inh == j_inh) &&
3208 (i_flags_ni == 0) &&
3209 (j_flags_ni == (SEC_ACE_FLAG_OBJECT_INHERIT|
3210 SEC_ACE_FLAG_CONTAINER_INHERIT|
3211 SEC_ACE_FLAG_INHERIT_ONLY))) {
3213 * W2K wants to have access allowed zero access ACE's
3214 * at the end of the list. If the mask is zero, merge
3215 * the non-inherited ACE onto the inherited ACE.
3218 if (nt_ace_list[i].access_mask == 0) {
3219 nt_ace_list[j].flags = SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
3220 (i_inh ? SEC_ACE_FLAG_INHERITED_ACE : 0);
3221 if (num_aces - i - 1 > 0)
3222 memmove(&nt_ace_list[i], &nt_ace_list[i+1], (num_aces-i-1) *
3223 sizeof(struct security_ace));
3225 DEBUG(10,("merge_default_aces: Merging zero access ACE %u onto ACE %u.\n",
3226 (unsigned int)i, (unsigned int)j ));
3227 } else {
3229 * These are identical except for the flags.
3230 * Merge the inherited ACE onto the non-inherited ACE.
3233 nt_ace_list[i].flags = SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
3234 (i_inh ? SEC_ACE_FLAG_INHERITED_ACE : 0);
3235 if (num_aces - j - 1 > 0)
3236 memmove(&nt_ace_list[j], &nt_ace_list[j+1], (num_aces-j-1) *
3237 sizeof(struct security_ace));
3239 DEBUG(10,("merge_default_aces: Merging ACE %u onto ACE %u.\n",
3240 (unsigned int)j, (unsigned int)i ));
3242 num_aces--;
3243 break;
3248 return num_aces;
3252 * Add or Replace ACE entry.
3253 * In some cases we need to add a specific ACE for compatibility reasons.
3254 * When doing that we must make sure we are not actually creating a duplicate
3255 * entry. So we need to search whether an ACE entry already exist and eventually
3256 * replacce the access mask, or add a completely new entry if none was found.
3258 * This function assumes the array has enough space to add a new entry without
3259 * any reallocation of memory.
3262 static void add_or_replace_ace(struct security_ace *nt_ace_list, size_t *num_aces,
3263 const struct dom_sid *sid, enum security_ace_type type,
3264 uint32_t mask, uint8_t flags)
3266 int i;
3268 /* first search for a duplicate */
3269 for (i = 0; i < *num_aces; i++) {
3270 if (dom_sid_equal(&nt_ace_list[i].trustee, sid) &&
3271 (nt_ace_list[i].flags == flags)) break;
3274 if (i < *num_aces) { /* found */
3275 nt_ace_list[i].type = type;
3276 nt_ace_list[i].access_mask = mask;
3277 DEBUG(10, ("Replacing ACE %d with SID %s and flags %02x\n",
3278 i, sid_string_dbg(sid), flags));
3279 return;
3282 /* not found, append it */
3283 init_sec_ace(&nt_ace_list[(*num_aces)++], sid, type, mask, flags);
3287 /****************************************************************************
3288 Reply to query a security descriptor from an fsp. If it succeeds it allocates
3289 the space for the return elements and returns the size needed to return the
3290 security descriptor. This should be the only external function needed for
3291 the UNIX style get ACL.
3292 ****************************************************************************/
3294 static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
3295 const char *name,
3296 const SMB_STRUCT_STAT *sbuf,
3297 struct pai_val *pal,
3298 SMB_ACL_T posix_acl,
3299 SMB_ACL_T def_acl,
3300 uint32_t security_info,
3301 struct security_descriptor **ppdesc)
3303 struct dom_sid owner_sid;
3304 struct dom_sid group_sid;
3305 size_t sd_size = 0;
3306 struct security_acl *psa = NULL;
3307 size_t num_acls = 0;
3308 size_t num_def_acls = 0;
3309 size_t num_aces = 0;
3310 canon_ace *file_ace = NULL;
3311 canon_ace *dir_ace = NULL;
3312 struct security_ace *nt_ace_list = NULL;
3313 size_t num_profile_acls = 0;
3314 struct dom_sid orig_owner_sid;
3315 struct security_descriptor *psd = NULL;
3316 int i;
3319 * Get the owner, group and world SIDs.
3322 create_file_sids(sbuf, &owner_sid, &group_sid);
3324 if (lp_profile_acls(SNUM(conn))) {
3325 /* For WXP SP1 the owner must be administrators. */
3326 sid_copy(&orig_owner_sid, &owner_sid);
3327 sid_copy(&owner_sid, &global_sid_Builtin_Administrators);
3328 sid_copy(&group_sid, &global_sid_Builtin_Users);
3329 num_profile_acls = 3;
3332 if ((security_info & SECINFO_DACL) && !(security_info & SECINFO_PROTECTED_DACL)) {
3335 * In the optimum case Creator Owner and Creator Group would be used for
3336 * the ACL_USER_OBJ and ACL_GROUP_OBJ entries, respectively, but this
3337 * would lead to usability problems under Windows: The Creator entries
3338 * are only available in browse lists of directories and not for files;
3339 * additionally the identity of the owning group couldn't be determined.
3340 * We therefore use those identities only for Default ACLs.
3343 /* Create the canon_ace lists. */
3344 file_ace = canonicalise_acl(conn, name, posix_acl, sbuf,
3345 &owner_sid, &group_sid, pal,
3346 SMB_ACL_TYPE_ACCESS);
3348 /* We must have *some* ACLS. */
3350 if (count_canon_ace_list(file_ace) == 0) {
3351 DEBUG(0,("get_nt_acl : No ACLs on file (%s) !\n", name));
3352 goto done;
3355 if (S_ISDIR(sbuf->st_ex_mode) && def_acl) {
3356 dir_ace = canonicalise_acl(conn, name, def_acl,
3357 sbuf,
3358 &global_sid_Creator_Owner,
3359 &global_sid_Creator_Group,
3360 pal, SMB_ACL_TYPE_DEFAULT);
3364 * Create the NT ACE list from the canonical ace lists.
3368 canon_ace *ace;
3369 enum security_ace_type nt_acl_type;
3371 if (nt4_compatible_acls() && dir_ace) {
3373 * NT 4 chokes if an ACL contains an INHERIT_ONLY entry
3374 * but no non-INHERIT_ONLY entry for one SID. So we only
3375 * remove entries from the Access ACL if the
3376 * corresponding Default ACL entries have also been
3377 * removed. ACEs for CREATOR-OWNER and CREATOR-GROUP
3378 * are exceptions. We can do nothing
3379 * intelligent if the Default ACL contains entries that
3380 * are not also contained in the Access ACL, so this
3381 * case will still fail under NT 4.
3384 ace = canon_ace_entry_for(dir_ace, SMB_ACL_OTHER, NULL);
3385 if (ace && !ace->perms) {
3386 DLIST_REMOVE(dir_ace, ace);
3387 TALLOC_FREE(ace);
3389 ace = canon_ace_entry_for(file_ace, SMB_ACL_OTHER, NULL);
3390 if (ace && !ace->perms) {
3391 DLIST_REMOVE(file_ace, ace);
3392 TALLOC_FREE(ace);
3397 * WinNT doesn't usually have Creator Group
3398 * in browse lists, so we send this entry to
3399 * WinNT even if it contains no relevant
3400 * permissions. Once we can add
3401 * Creator Group to browse lists we can
3402 * re-enable this.
3405 #if 0
3406 ace = canon_ace_entry_for(dir_ace, SMB_ACL_GROUP_OBJ, NULL);
3407 if (ace && !ace->perms) {
3408 DLIST_REMOVE(dir_ace, ace);
3409 TALLOC_FREE(ace);
3411 #endif
3413 ace = canon_ace_entry_for(file_ace, SMB_ACL_GROUP_OBJ, NULL);
3414 if (ace && !ace->perms) {
3415 DLIST_REMOVE(file_ace, ace);
3416 TALLOC_FREE(ace);
3420 num_acls = count_canon_ace_list(file_ace);
3421 num_def_acls = count_canon_ace_list(dir_ace);
3423 /* Allocate the ace list. */
3424 if ((nt_ace_list = talloc_array(talloc_tos(), struct security_ace,num_acls + num_profile_acls + num_def_acls)) == NULL) {
3425 DEBUG(0,("get_nt_acl: Unable to malloc space for nt_ace_list.\n"));
3426 goto done;
3429 memset(nt_ace_list, '\0', (num_acls + num_def_acls) * sizeof(struct security_ace) );
3432 * Create the NT ACE list from the canonical ace lists.
3435 for (ace = file_ace; ace != NULL; ace = ace->next) {
3436 uint32_t acc = map_canon_ace_perms(SNUM(conn),
3437 &nt_acl_type,
3438 ace->perms,
3439 S_ISDIR(sbuf->st_ex_mode));
3440 init_sec_ace(&nt_ace_list[num_aces++],
3441 &ace->trustee,
3442 nt_acl_type,
3443 acc,
3444 ace->ace_flags);
3447 /* The User must have access to a profile share - even
3448 * if we can't map the SID. */
3449 if (lp_profile_acls(SNUM(conn))) {
3450 add_or_replace_ace(nt_ace_list, &num_aces,
3451 &global_sid_Builtin_Users,
3452 SEC_ACE_TYPE_ACCESS_ALLOWED,
3453 FILE_GENERIC_ALL, 0);
3456 for (ace = dir_ace; ace != NULL; ace = ace->next) {
3457 uint32_t acc = map_canon_ace_perms(SNUM(conn),
3458 &nt_acl_type,
3459 ace->perms,
3460 S_ISDIR(sbuf->st_ex_mode));
3461 init_sec_ace(&nt_ace_list[num_aces++],
3462 &ace->trustee,
3463 nt_acl_type,
3464 acc,
3465 ace->ace_flags |
3466 SEC_ACE_FLAG_OBJECT_INHERIT|
3467 SEC_ACE_FLAG_CONTAINER_INHERIT|
3468 SEC_ACE_FLAG_INHERIT_ONLY);
3471 /* The User must have access to a profile share - even
3472 * if we can't map the SID. */
3473 if (lp_profile_acls(SNUM(conn))) {
3474 add_or_replace_ace(nt_ace_list, &num_aces,
3475 &global_sid_Builtin_Users,
3476 SEC_ACE_TYPE_ACCESS_ALLOWED,
3477 FILE_GENERIC_ALL,
3478 SEC_ACE_FLAG_OBJECT_INHERIT |
3479 SEC_ACE_FLAG_CONTAINER_INHERIT |
3480 SEC_ACE_FLAG_INHERIT_ONLY);
3484 * Merge POSIX default ACLs and normal ACLs into one NT ACE.
3485 * Win2K needs this to get the inheritance correct when replacing ACLs
3486 * on a directory tree. Based on work by Jim @ IBM.
3489 num_aces = merge_default_aces(nt_ace_list, num_aces);
3491 if (lp_profile_acls(SNUM(conn))) {
3492 for (i = 0; i < num_aces; i++) {
3493 if (dom_sid_equal(&nt_ace_list[i].trustee, &owner_sid)) {
3494 add_or_replace_ace(nt_ace_list, &num_aces,
3495 &orig_owner_sid,
3496 nt_ace_list[i].type,
3497 nt_ace_list[i].access_mask,
3498 nt_ace_list[i].flags);
3499 break;
3505 if (num_aces) {
3506 if((psa = make_sec_acl( talloc_tos(), NT4_ACL_REVISION, num_aces, nt_ace_list)) == NULL) {
3507 DEBUG(0,("get_nt_acl: Unable to malloc space for acl.\n"));
3508 goto done;
3511 } /* security_info & SECINFO_DACL */
3513 psd = make_standard_sec_desc( talloc_tos(),
3514 (security_info & SECINFO_OWNER) ? &owner_sid : NULL,
3515 (security_info & SECINFO_GROUP) ? &group_sid : NULL,
3516 psa,
3517 &sd_size);
3519 if(!psd) {
3520 DEBUG(0,("get_nt_acl: Unable to malloc space for security descriptor.\n"));
3521 sd_size = 0;
3522 goto done;
3526 * Windows 2000: The DACL_PROTECTED flag in the security
3527 * descriptor marks the ACL as non-inheriting, i.e., no
3528 * ACEs from higher level directories propagate to this
3529 * ACL. In the POSIX ACL model permissions are only
3530 * inherited at file create time, so ACLs never contain
3531 * any ACEs that are inherited dynamically. The DACL_PROTECTED
3532 * flag doesn't seem to bother Windows NT.
3533 * Always set this if map acl inherit is turned off.
3535 if (pal == NULL || !lp_map_acl_inherit(SNUM(conn))) {
3536 psd->type |= SEC_DESC_DACL_PROTECTED;
3537 } else {
3538 psd->type |= pal->sd_type;
3541 if (psd->dacl) {
3542 dacl_sort_into_canonical_order(psd->dacl->aces, (unsigned int)psd->dacl->num_aces);
3545 *ppdesc = psd;
3547 done:
3549 if (posix_acl) {
3550 TALLOC_FREE(posix_acl);
3552 if (def_acl) {
3553 TALLOC_FREE(def_acl);
3555 free_canon_ace_list(file_ace);
3556 free_canon_ace_list(dir_ace);
3557 free_inherited_info(pal);
3558 TALLOC_FREE(nt_ace_list);
3560 return NT_STATUS_OK;
3563 NTSTATUS posix_fget_nt_acl(struct files_struct *fsp, uint32_t security_info,
3564 struct security_descriptor **ppdesc)
3566 SMB_STRUCT_STAT sbuf;
3567 SMB_ACL_T posix_acl = NULL;
3568 struct pai_val *pal;
3570 *ppdesc = NULL;
3572 DEBUG(10,("posix_fget_nt_acl: called for file %s\n",
3573 fsp_str_dbg(fsp)));
3575 /* can it happen that fsp_name == NULL ? */
3576 if (fsp->is_directory || fsp->fh->fd == -1) {
3577 return posix_get_nt_acl(fsp->conn, fsp->fsp_name->base_name,
3578 security_info, ppdesc);
3581 /* Get the stat struct for the owner info. */
3582 if(SMB_VFS_FSTAT(fsp, &sbuf) != 0) {
3583 return map_nt_error_from_unix(errno);
3586 /* Get the ACL from the fd. */
3587 posix_acl = SMB_VFS_SYS_ACL_GET_FD(fsp);
3589 pal = fload_inherited_info(fsp);
3591 return posix_get_nt_acl_common(fsp->conn, fsp->fsp_name->base_name,
3592 &sbuf, pal, posix_acl, NULL,
3593 security_info, ppdesc);
3596 NTSTATUS posix_get_nt_acl(struct connection_struct *conn, const char *name,
3597 uint32_t security_info, struct security_descriptor **ppdesc)
3599 SMB_ACL_T posix_acl = NULL;
3600 SMB_ACL_T def_acl = NULL;
3601 struct pai_val *pal;
3602 struct smb_filename smb_fname;
3603 int ret;
3605 *ppdesc = NULL;
3607 DEBUG(10,("posix_get_nt_acl: called for file %s\n", name ));
3609 ZERO_STRUCT(smb_fname);
3610 smb_fname.base_name = discard_const_p(char, name);
3612 /* Get the stat struct for the owner info. */
3613 if (lp_posix_pathnames()) {
3614 ret = SMB_VFS_LSTAT(conn, &smb_fname);
3615 } else {
3616 ret = SMB_VFS_STAT(conn, &smb_fname);
3619 if (ret == -1) {
3620 return map_nt_error_from_unix(errno);
3623 /* Get the ACL from the path. */
3624 posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, name, SMB_ACL_TYPE_ACCESS);
3626 /* If it's a directory get the default POSIX ACL. */
3627 if(S_ISDIR(smb_fname.st.st_ex_mode)) {
3628 def_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, name, SMB_ACL_TYPE_DEFAULT);
3629 def_acl = free_empty_sys_acl(conn, def_acl);
3632 pal =