2 * Unix SMB/CIFS implementation.
4 * Support for OneFS native NTFS ACLs
6 * Copyright (C) Steven Danneman, 2008
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
24 #include <isi_acl/isi_acl_util.h>
25 #include <ifs/ifs_syscalls.h>
27 const struct enum_list enum_onefs_acl_wire_format
[] = {
28 {ACL_FORMAT_RAW
, "No Format"},
29 {ACL_FORMAT_WINDOWS_SD
, "Format Windows SD"},
30 {ACL_FORMAT_ALWAYS
, "Always Format SD"},
35 * Turn SID into UID/GID and setup a struct ifs_identity
38 onefs_sid_to_identity(const DOM_SID
*sid
, struct ifs_identity
*id
, bool is_group
)
40 enum ifs_identity_type type
= IFS_ID_TYPE_LAST
+1;
44 if (!sid
|| sid_equal(sid
, &global_sid_NULL
))
45 type
= IFS_ID_TYPE_NULL
;
46 else if (sid_equal(sid
, &global_sid_World
))
47 type
= IFS_ID_TYPE_EVERYONE
;
48 else if (sid_equal(sid
, &global_sid_Creator_Owner
))
49 type
= IFS_ID_TYPE_CREATOR_OWNER
;
50 else if (sid_equal(sid
, &global_sid_Creator_Group
))
51 type
= IFS_ID_TYPE_CREATOR_GROUP
;
53 if (!sid_to_gid(sid
, &gid
))
55 type
= IFS_ID_TYPE_GID
;
57 if (sid_to_uid(sid
, &uid
))
58 type
= IFS_ID_TYPE_UID
;
59 else if (sid_to_gid(sid
, &gid
))
60 type
= IFS_ID_TYPE_GID
;
65 if (aclu_initialize_identity(id
, type
, uid
, gid
, is_group
)) {
66 DEBUG(3, ("Call to aclu_initialize_identity failed! id=%x, "
67 "type=%d, uid=%u, gid=%u, is_group=%d\n",
68 (unsigned int)id
, type
, uid
, gid
, is_group
));
76 * Turn struct ifs_identity into SID
79 onefs_identity_to_sid(struct ifs_identity
*id
, DOM_SID
*sid
)
84 if (id
->type
>= IFS_ID_TYPE_LAST
)
89 uid_to_sid(sid
, id
->id
.uid
);
92 gid_to_sid(sid
, id
->id
.gid
);
94 case IFS_ID_TYPE_EVERYONE
:
95 sid_copy(sid
, &global_sid_World
);
97 case IFS_ID_TYPE_NULL
:
98 sid_copy(sid
, &global_sid_NULL
);
100 case IFS_ID_TYPE_CREATOR_OWNER
:
101 sid_copy(sid
, &global_sid_Creator_Owner
);
103 case IFS_ID_TYPE_CREATOR_GROUP
:
104 sid_copy(sid
, &global_sid_Creator_Group
);
107 DEBUG(0, ("Unknown identity type: %d\n", id
->type
));
115 * Convert a SEC_ACL to a struct ifs_security_acl
118 onefs_samba_acl_to_acl(SEC_ACL
*samba_acl
, struct ifs_security_acl
**acl
)
121 struct ifs_ace
*aces
= NULL
;
122 struct ifs_identity temp
;
126 if ((!acl
) || (!samba_acl
))
129 samba_aces
= samba_acl
->aces
;
131 if (samba_acl
->num_aces
> 0 && samba_aces
) {
133 num_aces
= samba_acl
->num_aces
;
134 aces
= SMB_MALLOC_ARRAY(struct ifs_ace
, num_aces
);
136 for (i
= 0, j
= 0; j
< num_aces
; i
++, j
++) {
137 if (!onefs_sid_to_identity(&samba_aces
[j
].trustee
,
142 * XXX Act like we did pre-Thai: Silently fail setting
143 * ACEs for BUILTIN accounts.
145 if (temp
.id
.uid
== -1) {
146 DEBUG(3, ("Silently failing to set ACE "
147 "because our id was == -1.\n"));
152 if (aclu_initialize_ace(&aces
[i
], samba_aces
[i
].type
,
153 samba_aces
[i
].access_mask
, samba_aces
[i
].flags
,
157 if ((aces
[i
].trustee
.type
== IFS_ID_TYPE_CREATOR_OWNER
||
158 aces
[i
].trustee
.type
== IFS_ID_TYPE_CREATOR_GROUP
) &&
159 nt4_compatible_acls())
160 aces
[i
].flags
|= IFS_ACE_FLAG_INHERIT_ONLY
;
165 if (aclu_initialize_acl(acl
, aces
, num_aces
))
168 /* Currently aclu_initialize_acl should copy the aces over, allowing us
169 * to immediately free */
179 * Convert a struct ifs_security_acl to a SEC_ACL
182 onefs_acl_to_samba_acl(struct ifs_security_acl
*acl
, SEC_ACL
**samba_acl
)
184 SEC_ACE
*samba_aces
= NULL
;
185 SEC_ACL
*tmp_samba_acl
= NULL
;
197 /* Determine number of aces in ACL */
201 num_aces
= acl
->num_aces
;
203 /* Allocate the ace list. */
205 if ((samba_aces
= SMB_MALLOC_ARRAY(SEC_ACE
, num_aces
)) == NULL
)
207 DEBUG(0, ("Unable to malloc space for %d aces.\n",
211 memset(samba_aces
, '\0', (num_aces
) * sizeof(SEC_ACE
));
214 for (i
= 0; i
< num_aces
; i
++) {
217 if (!onefs_identity_to_sid(&acl
->aces
[i
].trustee
, &sid
))
220 init_sec_ace(&samba_aces
[i
], &sid
, acl
->aces
[i
].type
,
221 acl
->aces
[i
].access_mask
, acl
->aces
[i
].flags
);
224 if ((tmp_samba_acl
= make_sec_acl(talloc_tos(), acl
->revision
, num_aces
,
225 samba_aces
)) == NULL
) {
226 DEBUG(0, ("Unable to malloc space for acl.\n"));
230 *samba_acl
= tmp_samba_acl
;
231 SAFE_FREE(samba_aces
);
234 SAFE_FREE(samba_aces
);
239 * @brief Reorder ACLs into the "correct" order for Windows Explorer.
241 * Windows Explorer expects ACLs to be in a standard order (inherited first,
242 * then deny, then permit.) When ACLs are composed from POSIX file permissions
243 * bits, they may not match these expectations, generating an annoying warning
244 * dialog for the user. This function will, if configured appropriately,
245 * reorder the ACLs for these "synthetic" (POSIX-derived) descriptors to prevent
246 * this. The list is changed within the security descriptor passed in.
248 * @param fsp files_struct with service configs; must not be NULL
249 * @param sd security descriptor being normalized;
250 * sd->dacl->aces is rewritten in-place, so must not be NULL
251 * @return true on success, errno will be set on error
253 * @bug Although Windows Explorer likes the reordering, they seem to cause
254 * problems with Excel and Word sending back the reordered ACLs to us and
255 * changing policy; see Isilon bug 30165.
258 onefs_canon_acl(files_struct
*fsp
, struct ifs_security_descriptor
*sd
)
262 struct ifs_ace
*new_aces
= NULL
;
263 int new_aces_count
= 0;
264 SMB_STRUCT_STAT sbuf
;
266 if (sd
== NULL
|| sd
->dacl
== NULL
|| sd
->dacl
->num_aces
== 0)
270 * Find out if this is a windows bit, and if the smb policy wants us to
273 SMB_ASSERT(fsp
!= NULL
);
274 switch (lp_parm_enum(SNUM(fsp
->conn
), PARM_ONEFS_TYPE
,
275 PARM_ACL_WIRE_FORMAT
, enum_onefs_acl_wire_format
,
276 PARM_ACL_WIRE_FORMAT_DEFAULT
)) {
280 case ACL_FORMAT_WINDOWS_SD
:
281 error
= SMB_VFS_FSTAT(fsp
, &sbuf
);
285 if ((sbuf
.st_flags
& SF_HASNTFSACL
) != 0) {
286 DEBUG(10, ("Did not canonicalize ACLs because a "
287 "Windows ACL set was found for file %s\n",
293 case ACL_FORMAT_ALWAYS
:
301 new_aces
= SMB_MALLOC_ARRAY(struct ifs_ace
, sd
->dacl
->num_aces
);
302 if (new_aces
== NULL
)
306 * By walking down the list 3 separate times, we can avoid the need
307 * to create multiple temp buffers and extra copies.
309 for (cur
= 0; cur
< sd
->dacl
->num_aces
; cur
++) {
310 if (sd
->dacl
->aces
[cur
].flags
& IFS_ACE_FLAG_INHERITED_ACE
)
311 new_aces
[new_aces_count
++] = sd
->dacl
->aces
[cur
];
314 for (cur
= 0; cur
< sd
->dacl
->num_aces
; cur
++) {
315 if (!(sd
->dacl
->aces
[cur
].flags
& IFS_ACE_FLAG_INHERITED_ACE
) &&
316 (sd
->dacl
->aces
[cur
].type
== IFS_ACE_TYPE_ACCESS_DENIED
))
317 new_aces
[new_aces_count
++] = sd
->dacl
->aces
[cur
];
320 for (cur
= 0; cur
< sd
->dacl
->num_aces
; cur
++) {
321 if (!(sd
->dacl
->aces
[cur
].flags
& IFS_ACE_FLAG_INHERITED_ACE
) &&
322 !(sd
->dacl
->aces
[cur
].type
== IFS_ACE_TYPE_ACCESS_DENIED
))
323 new_aces
[new_aces_count
++] = sd
->dacl
->aces
[cur
];
326 SMB_ASSERT(new_aces_count
== sd
->dacl
->num_aces
);
327 DEBUG(10, ("Performed canonicalization of ACLs for file %s\n",
331 * At this point you would think we could just do this:
332 * SAFE_FREE(sd->dacl->aces);
333 * sd->dacl->aces = new_aces;
334 * However, in some cases the existing aces pointer does not point
335 * to the beginning of an allocated block. So we have to do a more
338 memcpy(sd
->dacl
->aces
, new_aces
,
339 sizeof(struct ifs_ace
) * new_aces_count
);
347 * This enum is a helper for onefs_fget_nt_acl() to communicate with
350 enum mode_ident
{ USR
, GRP
, OTH
};
353 * Initializes an ACE for addition to a synthetic ACL.
355 static struct ifs_ace
onefs_init_ace(struct connection_struct
*conn
,
358 enum mode_ident ident
)
360 struct ifs_ace result
;
361 enum ifs_ace_rights r
,w
,x
;
363 r
= isdir
? UNIX_DIRECTORY_ACCESS_R
: UNIX_ACCESS_R
;
364 w
= isdir
? UNIX_DIRECTORY_ACCESS_W
: UNIX_ACCESS_W
;
365 x
= isdir
? UNIX_DIRECTORY_ACCESS_X
: UNIX_ACCESS_X
;
367 result
.type
= IFS_ACE_TYPE_ACCESS_ALLOWED
;
368 result
.ifs_flags
= 0;
369 result
.flags
= isdir
? IFS_ACE_FLAG_CONTAINER_INHERIT
:
370 IFS_ACE_FLAG_OBJECT_INHERIT
;
371 result
.flags
|= IFS_ACE_FLAG_INHERIT_ONLY
;
376 ((mode
& S_IRUSR
) ? r
: 0 ) |
377 ((mode
& S_IWUSR
) ? w
: 0 ) |
378 ((mode
& S_IXUSR
) ? x
: 0 );
379 if (lp_parm_bool(SNUM(conn
), PARM_ONEFS_TYPE
,
380 PARM_CREATOR_OWNER_GETS_FULL_CONTROL
,
381 PARM_CREATOR_OWNER_GETS_FULL_CONTROL_DEFAULT
))
382 result
.access_mask
|= GENERIC_ALL_ACCESS
;
383 result
.trustee
.type
= IFS_ID_TYPE_CREATOR_OWNER
;
387 ((mode
& S_IRGRP
) ? r
: 0 ) |
388 ((mode
& S_IWGRP
) ? w
: 0 ) |
389 ((mode
& S_IXGRP
) ? x
: 0 );
390 result
.trustee
.type
= IFS_ID_TYPE_CREATOR_GROUP
;
394 ((mode
& S_IROTH
) ? r
: 0 ) |
395 ((mode
& S_IWOTH
) ? w
: 0 ) |
396 ((mode
& S_IXOTH
) ? x
: 0 );
397 result
.trustee
.type
= IFS_ID_TYPE_EVERYONE
;
405 * This adds inheritable ACEs to the end of the DACL, with the ACEs
406 * being derived from the mode bits. This is useful for clients that have the
407 * MoveSecurityAttributes regkey set to 0 or are in Simple File Sharing Mode.
409 * On these clients, when copying files from one folder to another inside the
410 * same volume/share, the DACL is explicitely cleared. Without inheritable
411 * aces on the target folder the mode bits of the copied file are set to 000.
413 * See Isilon Bug 27990
415 * Note: This function allocates additional memory onto sd->dacl->aces, that
416 * must be freed by the caller.
418 static bool add_sfs_aces(files_struct
*fsp
, struct ifs_security_descriptor
*sd
)
421 SMB_STRUCT_STAT sbuf
;
423 error
= SMB_VFS_FSTAT(fsp
, &sbuf
);
425 DEBUG(0, ("Failed to stat %s in simple files sharing "
426 "compatibility mode. errno=%d\n",
427 fsp
->fsp_name
, errno
));
431 /* Only continue if this is a synthetic ACL and a directory. */
432 if (S_ISDIR(sbuf
.st_mode
) && (sbuf
.st_flags
& SF_HASNTFSACL
) == 0) {
433 struct ifs_ace new_aces
[6];
434 struct ifs_ace
*old_aces
;
435 int i
, num_aces_to_add
= 0;
436 mode_t file_mode
= 0, dir_mode
= 0;
438 /* Use existing samba logic to derive the mode bits. */
439 file_mode
= unix_mode(fsp
->conn
, 0, fsp
->fsp_name
, false);
440 dir_mode
= unix_mode(fsp
->conn
, aDIR
, fsp
->fsp_name
, false);
442 /* Initialize ACEs. */
443 new_aces
[0] = onefs_init_ace(fsp
->conn
, file_mode
, false, USR
);
444 new_aces
[1] = onefs_init_ace(fsp
->conn
, file_mode
, false, GRP
);
445 new_aces
[2] = onefs_init_ace(fsp
->conn
, file_mode
, false, OTH
);
446 new_aces
[3] = onefs_init_ace(fsp
->conn
, dir_mode
, true, USR
);
447 new_aces
[4] = onefs_init_ace(fsp
->conn
, dir_mode
, true, GRP
);
448 new_aces
[5] = onefs_init_ace(fsp
->conn
, dir_mode
, true, OTH
);
450 for (i
= 0; i
< 6; i
++)
451 if (new_aces
[i
].access_mask
!= 0)
454 /* Expand the ACEs array */
455 if (num_aces_to_add
!= 0) {
456 old_aces
= sd
->dacl
->aces
;
458 sd
->dacl
->aces
= SMB_MALLOC_ARRAY(struct ifs_ace
,
459 sd
->dacl
->num_aces
+ num_aces_to_add
);
460 if (!sd
->dacl
->aces
) {
461 DEBUG(0, ("Unable to malloc space for "
463 sd
->dacl
->num_aces
+ num_aces_to_add
));
466 memcpy(sd
->dacl
->aces
, old_aces
,
467 sizeof(struct ifs_ace
) * sd
->dacl
->num_aces
);
469 /* Add the new ACEs to the DACL. */
470 for (i
= 0; i
< 6; i
++) {
471 if (new_aces
[i
].access_mask
!= 0) {
472 sd
->dacl
->aces
[sd
->dacl
->num_aces
] =
474 sd
->dacl
->num_aces
++;
483 * Isilon-specific function for getting an NTFS ACL from an open file.
485 * @param[out] ppdesc SecDesc to allocate and fill in
487 * @return NTSTATUS based off errno on error
490 onefs_fget_nt_acl(vfs_handle_struct
*handle
, files_struct
*fsp
,
491 uint32 security_info
, SEC_DESC
**ppdesc
)
494 uint32_t sd_size
= 0;
496 struct ifs_security_descriptor
*sd
= NULL
;
497 DOM_SID owner_sid
, group_sid
;
498 DOM_SID
*ownerp
, *groupp
;
499 SEC_ACL
*dacl
, *sacl
;
501 bool alloced
= false;
502 bool new_aces_alloced
= false;
503 bool fopened
= false;
504 NTSTATUS status
= NT_STATUS_OK
;
508 DEBUG(5, ("Getting sd for file %s. security_info=%u\n",
509 fsp
->fsp_name
, security_info
));
511 if (fsp
->fh
->fd
== -1) {
512 enum ifs_ace_rights desired_access
= 0;
514 if (security_info
& (OWNER_SECURITY_INFORMATION
|
515 GROUP_SECURITY_INFORMATION
| DACL_SECURITY_INFORMATION
))
516 desired_access
|= IFS_RTS_STD_READ_CONTROL
;
517 if (security_info
& SACL_SECURITY_INFORMATION
)
518 desired_access
|= IFS_RTS_SACL_ACCESS
;
520 if ((fsp
->fh
->fd
= onefs_sys_create_file(handle
->conn
,
534 DEBUG(0, ("Error opening file %s. errno=%d (%s)\n",
535 fsp
->fsp_name
, errno
, strerror(errno
)));
536 status
= map_nt_error_from_unix(errno
);
542 /* Get security descriptor */
545 /* Allocate memory for get_security_descriptor */
547 sd
= SMB_REALLOC(sd
, sd_size
);
549 DEBUG(0, ("Unable to malloc %u bytes of space "
550 "for security descriptor.\n", sd_size
));
551 status
= map_nt_error_from_unix(errno
);
558 error
= ifs_get_security_descriptor(fsp
->fh
->fd
, security_info
,
560 if (error
&& (errno
!= EMSGSIZE
)) {
561 DEBUG(0, ("Failed getting size of security descriptor! "
562 "errno=%d\n", errno
));
563 status
= map_nt_error_from_unix(errno
);
568 DEBUG(5, ("Got sd, size=%u:\n", sd_size
));
570 if (lp_parm_bool(SNUM(fsp
->conn
),
572 PARM_SIMPLE_FILE_SHARING_COMPATIBILITY_MODE
,
573 PARM_SIMPLE_FILE_SHARING_COMPATIBILITY_MODE_DEFAULT
) &&
575 if(!(new_aces_alloced
= add_sfs_aces(fsp
, sd
)))
579 if (!(onefs_canon_acl(fsp
, sd
))) {
580 status
= map_nt_error_from_unix(errno
);
584 DEBUG(5, ("Finished canonicalizing ACL\n"));
591 /* Copy owner into ppdesc */
592 if (security_info
& OWNER_SECURITY_INFORMATION
) {
593 if (!onefs_identity_to_sid(sd
->owner
, &owner_sid
)) {
594 status
= NT_STATUS_INVALID_PARAMETER
;
601 /* Copy group into ppdesc */
602 if (security_info
& GROUP_SECURITY_INFORMATION
) {
603 if (!onefs_identity_to_sid(sd
->group
, &group_sid
)) {
604 status
= NT_STATUS_INVALID_PARAMETER
;
611 /* Copy DACL into ppdesc */
612 if (security_info
& DACL_SECURITY_INFORMATION
) {
613 if (!onefs_acl_to_samba_acl(sd
->dacl
, &dacl
)) {
614 status
= NT_STATUS_INVALID_PARAMETER
;
619 /* Copy SACL into ppdesc */
620 if (security_info
& SACL_SECURITY_INFORMATION
) {
621 if (!onefs_acl_to_samba_acl(sd
->sacl
, &sacl
)) {
622 status
= NT_STATUS_INVALID_PARAMETER
;
627 /* AUTO_INHERIT_REQ bits are not returned over the wire so strip them
628 * off. Eventually we should stop storing these in the kernel
629 * all together. See Isilon bug 40364 */
630 sd
->control
&= ~(IFS_SD_CTRL_DACL_AUTO_INHERIT_REQ
|
631 IFS_SD_CTRL_SACL_AUTO_INHERIT_REQ
);
633 pdesc
= make_sec_desc(talloc_tos(), sd
->revision
, sd
->control
,
634 ownerp
, groupp
, sacl
, dacl
, &size
);
637 DEBUG(0, ("Problem with make_sec_desc. Memory?\n"));
638 status
= map_nt_error_from_unix(errno
);
644 DEBUG(5, ("Finished retrieving/canonicalizing SD!\n"));
648 if (new_aces_alloced
&& sd
->dacl
->aces
)
649 SAFE_FREE(sd
->dacl
->aces
);
663 * Isilon-specific function for getting an NTFS ACL from a file path.
665 * Since onefs_fget_nt_acl() needs to open a filepath if the fd is invalid,
666 * we just mock up a files_struct with the path and bad fd and call into it.
668 * @param[out] ppdesc SecDesc to allocate and fill in
670 * @return NTSTATUS based off errno on error
673 onefs_get_nt_acl(vfs_handle_struct
*handle
, const char* name
,
674 uint32 security_info
, SEC_DESC
**ppdesc
)
683 finfo
.conn
= handle
->conn
;
686 finfo
.fsp_name
= CONST_DISCARD(char *, name
);
688 return onefs_fget_nt_acl(handle
, &finfo
, security_info
, ppdesc
);
692 * Isilon-specific function for setting up an ifs_security_descriptor, given a
695 * @param[out] sd ifs_security_descriptor to fill in
697 * @return NTSTATUS_OK if successful
699 NTSTATUS
onefs_setup_sd(uint32 security_info_sent
, SEC_DESC
*psd
,
700 struct ifs_security_descriptor
*sd
)
702 struct ifs_security_acl dacl
, sacl
, *daclp
, *saclp
;
703 struct ifs_identity owner
, group
, *ownerp
, *groupp
;
711 if (security_info_sent
& OWNER_SECURITY_INFORMATION
) {
712 if (!onefs_sid_to_identity(psd
->owner_sid
, &owner
, false))
713 return NT_STATUS_UNSUCCESSFUL
;
716 * XXX Act like we did pre-Thai: Silently fail setting the
717 * owner to a BUILTIN account.
719 if (owner
.id
.uid
== -1) {
720 DEBUG(3, ("Silently failing to set owner because our "
722 security_info_sent
&= ~OWNER_SECURITY_INFORMATION
;
723 if (!security_info_sent
)
731 if (security_info_sent
& GROUP_SECURITY_INFORMATION
) {
732 if (!onefs_sid_to_identity(psd
->group_sid
, &group
, true))
733 return NT_STATUS_UNSUCCESSFUL
;
736 * XXX Act like we did pre-Thai: Silently fail setting the
737 * group to a BUILTIN account.
739 if (group
.id
.gid
== -1) {
740 DEBUG(3, ("Silently failing to set group because our "
742 security_info_sent
&= ~GROUP_SECURITY_INFORMATION
;
743 if (!security_info_sent
)
751 if ((security_info_sent
& DACL_SECURITY_INFORMATION
) && (psd
->dacl
)) {
754 if (!onefs_samba_acl_to_acl(psd
->dacl
, &daclp
))
755 return NT_STATUS_UNSUCCESSFUL
;
759 if ((security_info_sent
& SACL_SECURITY_INFORMATION
) && (psd
->sacl
)) {
762 if (!onefs_samba_acl_to_acl(psd
->sacl
, &saclp
))
763 return NT_STATUS_UNSUCCESSFUL
;
766 /* Setup ifs_security_descriptor */
767 DEBUG(5,("Setting up SD\n"));
768 if (aclu_initialize_sd(sd
, psd
->type
, ownerp
, groupp
,
769 (daclp
? &daclp
: NULL
), (saclp
? &saclp
: NULL
), false))
770 return NT_STATUS_UNSUCCESSFUL
;
776 * Isilon-specific function for setting an NTFS ACL on an open file.
778 * @return NT_STATUS_UNSUCCESSFUL for userspace errors, NTSTATUS based off
779 * errno on syscall errors
782 onefs_fset_nt_acl(vfs_handle_struct
*handle
, files_struct
*fsp
,
783 uint32 security_info_sent
, SEC_DESC
*psd
)
785 struct ifs_security_descriptor sd
= {};
787 bool fopened
= false;
790 DEBUG(5,("Setting SD on file %s.\n", fsp
->fsp_name
));
792 status
= onefs_setup_sd(security_info_sent
, psd
, &sd
);
794 if (!NT_STATUS_IS_OK(status
)) {
795 DEBUG(3, ("SD initialization failure: %s", nt_errstr(status
)));
801 enum ifs_ace_rights desired_access
= 0;
803 if (security_info_sent
&
804 (OWNER_SECURITY_INFORMATION
| GROUP_SECURITY_INFORMATION
))
805 desired_access
|= IFS_RTS_STD_WRITE_OWNER
;
806 if (security_info_sent
& DACL_SECURITY_INFORMATION
)
807 desired_access
|= IFS_RTS_STD_WRITE_DAC
;
808 if (security_info_sent
& SACL_SECURITY_INFORMATION
)
809 desired_access
|= IFS_RTS_SACL_ACCESS
;
811 if ((fd
= onefs_sys_create_file(handle
->conn
,
825 DEBUG(0, ("Error opening file %s. errno=%d (%s)\n",
826 fsp
->fsp_name
, errno
, strerror(errno
)));
827 status
= map_nt_error_from_unix(errno
);
834 if (ifs_set_security_descriptor(fd
, security_info_sent
, &sd
)) {
835 DEBUG(0, ("Error setting security descriptor = %d\n", errno
));
836 status
= map_nt_error_from_unix(errno
);
840 DEBUG(5, ("Security descriptor set correctly!\n"));
841 status
= NT_STATUS_OK
;
848 aclu_free_sd(&sd
, false);