2009-07-24 17:06:41 -07:00
/*
* Store Windows ACLs in data store - common functions .
2009-07-27 12:09:40 -07:00
* # included into modules / vfs_acl_xattr . c and modules / vfs_acl_tdb . c
2009-07-24 17:06:41 -07:00
*
* Copyright ( C ) Volker Lendecke , 2008
* Copyright ( C ) Jeremy Allison , 2009
2016-08-30 12:01:00 -07:00
* Copyright ( C ) Ralph Böhme , 2016
2009-07-24 17:06:41 -07:00
*
* This program is free software ; you can redistribute it and / or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation ; either version 3 of the License , or
* ( at your option ) any later version .
*
* This program is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
* GNU General Public License for more details .
*
* You should have received a copy of the GNU General Public License
* along with this program ; if not , see < http : //www.gnu.org/licenses/>.
*/
2017-08-18 14:41:57 +02:00
# include "includes.h"
# include "vfs_acl_common.h"
2011-03-22 22:34:22 +01:00
# include "smbd/smbd.h"
2011-02-25 23:20:06 +01:00
# include "system/filesys.h"
2017-08-18 14:41:57 +02:00
# include "librpc/gen_ndr/ndr_xattr.h"
2010-10-12 15:27:50 +11:00
# include "../libcli/security/security.h"
2010-05-28 02:19:32 +02:00
# include "../librpc/gen_ndr/ndr_security.h"
2011-07-07 21:04:31 +10:00
# include "../lib/util/bitmap.h"
2017-08-18 14:41:57 +02:00
# include "lib/crypto/sha256.h"
2016-07-15 17:48:19 +02:00
# include "passdb/lookup_sid.h"
2010-05-28 02:19:32 +02:00
2009-07-24 17:06:41 -07:00
static NTSTATUS create_acl_blob ( const struct security_descriptor * psd ,
DATA_BLOB * pblob ,
uint16_t hash_type ,
uint8_t hash [ XATTR_SD_HASH_SIZE ] ) ;
2010-06-02 23:22:12 +02:00
# define HASH_SECURITY_INFO (SECINFO_OWNER | \
2010-06-02 23:25:18 +02:00
SECINFO_GROUP | \
2010-06-02 23:35:44 +02:00
SECINFO_DACL | \
2010-06-02 23:29:16 +02:00
SECINFO_SACL )
2009-07-24 17:06:41 -07:00
2017-08-18 14:41:57 +02:00
bool init_acl_common_config ( vfs_handle_struct * handle ,
const char * module_name )
2016-08-24 10:01:17 +02:00
{
struct acl_common_config * config = NULL ;
2017-09-28 07:53:48 +02:00
const struct enum_list * default_acl_style_list = NULL ;
default_acl_style_list = get_default_acl_style_list ( ) ;
2016-08-24 10:01:17 +02:00
config = talloc_zero ( handle - > conn , struct acl_common_config ) ;
if ( config = = NULL ) {
DBG_ERR ( " talloc_zero() failed \n " ) ;
errno = ENOMEM ;
return false ;
}
config - > ignore_system_acls = lp_parm_bool ( SNUM ( handle - > conn ) ,
2017-08-18 14:41:57 +02:00
module_name ,
2016-08-24 10:01:17 +02:00
" ignore system acls " ,
false ) ;
2016-08-24 20:31:00 +02:00
config - > default_acl_style = lp_parm_enum ( SNUM ( handle - > conn ) ,
2017-08-18 14:41:57 +02:00
module_name ,
2016-08-24 20:31:00 +02:00
" default acl style " ,
2017-09-28 07:53:48 +02:00
default_acl_style_list ,
2016-08-24 20:31:00 +02:00
DEFAULT_ACL_POSIX ) ;
2016-08-24 10:01:17 +02:00
SMB_VFS_HANDLE_SET_DATA ( handle , config , NULL ,
struct acl_common_config ,
return false ) ;
return true ;
}
2009-07-24 17:06:41 -07:00
/*******************************************************************
Hash a security descriptor .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2013-01-21 12:43:00 +11:00
static NTSTATUS hash_blob_sha256 ( DATA_BLOB blob ,
uint8_t * hash )
{
SHA256_CTX tctx ;
memset ( hash , ' \0 ' , XATTR_SD_HASH_SIZE ) ;
samba_SHA256_Init ( & tctx ) ;
samba_SHA256_Update ( & tctx , blob . data , blob . length ) ;
samba_SHA256_Final ( hash , & tctx ) ;
return NT_STATUS_OK ;
}
/*******************************************************************
Hash a security descriptor .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2009-07-24 17:06:41 -07:00
static NTSTATUS hash_sd_sha256 ( struct security_descriptor * psd ,
uint8_t * hash )
{
DATA_BLOB blob ;
NTSTATUS status ;
memset ( hash , ' \0 ' , XATTR_SD_HASH_SIZE ) ;
status = create_acl_blob ( psd , & blob , XATTR_SD_HASH_TYPE_SHA256 , hash ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2013-01-21 12:43:00 +11:00
return hash_blob_sha256 ( blob , hash ) ;
2009-07-24 17:06:41 -07:00
}
/*******************************************************************
Parse out a struct security_descriptor from a DATA_BLOB .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS parse_acl_blob ( const DATA_BLOB * pblob ,
2012-10-10 11:50:27 +11:00
TALLOC_CTX * mem_ctx ,
2012-10-10 16:36:47 +11:00
struct security_descriptor * * ppdesc ,
uint16_t * p_hash_type ,
uint16_t * p_version ,
uint8_t hash [ XATTR_SD_HASH_SIZE ] ,
uint8_t sys_acl_hash [ XATTR_SD_HASH_SIZE ] )
2009-07-24 17:06:41 -07:00
{
struct xattr_NTACL xacl ;
enum ndr_err_code ndr_err ;
size_t sd_size ;
2012-10-10 11:50:27 +11:00
TALLOC_CTX * frame = talloc_stackframe ( ) ;
2009-07-24 17:06:41 -07:00
2012-10-10 11:50:27 +11:00
ndr_err = ndr_pull_struct_blob ( pblob , frame , & xacl ,
2009-07-24 17:06:41 -07:00
( ndr_pull_flags_fn_t ) ndr_pull_xattr_NTACL ) ;
if ( ! NDR_ERR_CODE_IS_SUCCESS ( ndr_err ) ) {
2016-08-27 10:11:14 +02:00
DBG_INFO ( " ndr_pull_xattr_NTACL failed: %s \n " ,
ndr_errstr ( ndr_err ) ) ;
2012-10-10 11:50:27 +11:00
TALLOC_FREE ( frame ) ;
2011-02-02 12:50:42 +01:00
return ndr_map_error2ntstatus ( ndr_err ) ;
2009-07-24 17:06:41 -07:00
}
2012-10-10 16:36:47 +11:00
* p_version = xacl . version ;
2009-07-24 17:06:41 -07:00
switch ( xacl . version ) {
2011-10-11 12:37:56 +02:00
case 1 :
2012-10-10 11:50:27 +11:00
* ppdesc = make_sec_desc ( mem_ctx , SD_REVISION ,
2011-10-11 12:37:56 +02:00
xacl . info . sd - > type | SEC_DESC_SELF_RELATIVE ,
xacl . info . sd - > owner_sid ,
xacl . info . sd - > group_sid ,
xacl . info . sd - > sacl ,
xacl . info . sd - > dacl ,
& sd_size ) ;
/* No hash - null out. */
* p_hash_type = XATTR_SD_HASH_TYPE_NONE ;
memset ( hash , ' \0 ' , XATTR_SD_HASH_SIZE ) ;
break ;
2009-07-24 17:06:41 -07:00
case 2 :
2012-10-10 11:50:27 +11:00
* ppdesc = make_sec_desc ( mem_ctx , SD_REVISION ,
2009-07-24 17:06:41 -07:00
xacl . info . sd_hs2 - > sd - > type | SEC_DESC_SELF_RELATIVE ,
xacl . info . sd_hs2 - > sd - > owner_sid ,
xacl . info . sd_hs2 - > sd - > group_sid ,
xacl . info . sd_hs2 - > sd - > sacl ,
xacl . info . sd_hs2 - > sd - > dacl ,
& sd_size ) ;
/* No hash - null out. */
* p_hash_type = XATTR_SD_HASH_TYPE_NONE ;
memset ( hash , ' \0 ' , XATTR_SD_HASH_SIZE ) ;
break ;
case 3 :
2012-10-10 11:50:27 +11:00
* ppdesc = make_sec_desc ( mem_ctx , SD_REVISION ,
2009-07-24 17:06:41 -07:00
xacl . info . sd_hs3 - > sd - > type | SEC_DESC_SELF_RELATIVE ,
xacl . info . sd_hs3 - > sd - > owner_sid ,
xacl . info . sd_hs3 - > sd - > group_sid ,
xacl . info . sd_hs3 - > sd - > sacl ,
xacl . info . sd_hs3 - > sd - > dacl ,
& sd_size ) ;
* p_hash_type = xacl . info . sd_hs3 - > hash_type ;
2012-10-10 16:36:47 +11:00
/* Current version 3 (if no sys acl hash available). */
2009-07-24 17:06:41 -07:00
memcpy ( hash , xacl . info . sd_hs3 - > hash , XATTR_SD_HASH_SIZE ) ;
break ;
2012-10-10 16:36:47 +11:00
case 4 :
* ppdesc = make_sec_desc ( mem_ctx , SD_REVISION ,
xacl . info . sd_hs4 - > sd - > type | SEC_DESC_SELF_RELATIVE ,
xacl . info . sd_hs4 - > sd - > owner_sid ,
xacl . info . sd_hs4 - > sd - > group_sid ,
xacl . info . sd_hs4 - > sd - > sacl ,
xacl . info . sd_hs4 - > sd - > dacl ,
& sd_size ) ;
* p_hash_type = xacl . info . sd_hs4 - > hash_type ;
/* Current version 4. */
memcpy ( hash , xacl . info . sd_hs4 - > hash , XATTR_SD_HASH_SIZE ) ;
memcpy ( sys_acl_hash , xacl . info . sd_hs4 - > sys_acl_hash , XATTR_SD_HASH_SIZE ) ;
break ;
2009-07-24 17:06:41 -07:00
default :
2012-10-10 11:50:27 +11:00
TALLOC_FREE ( frame ) ;
2009-07-24 17:06:41 -07:00
return NT_STATUS_REVISION_MISMATCH ;
}
2012-10-10 11:50:27 +11:00
TALLOC_FREE ( frame ) ;
2009-07-24 17:06:41 -07:00
return ( * ppdesc ! = NULL ) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY ;
}
/*******************************************************************
2012-10-10 16:36:47 +11:00
Create a DATA_BLOB from a hash of the security descriptor storead at
the system layer and the NT ACL we wish to preserve
2009-07-24 17:06:41 -07:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS create_acl_blob ( const struct security_descriptor * psd ,
DATA_BLOB * pblob ,
uint16_t hash_type ,
uint8_t hash [ XATTR_SD_HASH_SIZE ] )
{
struct xattr_NTACL xacl ;
struct security_descriptor_hash_v3 sd_hs3 ;
enum ndr_err_code ndr_err ;
TALLOC_CTX * ctx = talloc_tos ( ) ;
ZERO_STRUCT ( xacl ) ;
ZERO_STRUCT ( sd_hs3 ) ;
xacl . version = 3 ;
xacl . info . sd_hs3 = & sd_hs3 ;
2011-05-05 16:19:49 -07:00
xacl . info . sd_hs3 - > sd = discard_const_p ( struct security_descriptor , psd ) ;
2009-07-24 17:06:41 -07:00
xacl . info . sd_hs3 - > hash_type = hash_type ;
memcpy ( & xacl . info . sd_hs3 - > hash [ 0 ] , hash , XATTR_SD_HASH_SIZE ) ;
ndr_err = ndr_push_struct_blob (
2010-05-10 00:42:06 +02:00
pblob , ctx , & xacl ,
2009-07-24 17:06:41 -07:00
( ndr_push_flags_fn_t ) ndr_push_xattr_NTACL ) ;
if ( ! NDR_ERR_CODE_IS_SUCCESS ( ndr_err ) ) {
2016-08-27 10:11:14 +02:00
DBG_INFO ( " ndr_push_xattr_NTACL failed: %s \n " ,
ndr_errstr ( ndr_err ) ) ;
2011-02-02 12:50:42 +01:00
return ndr_map_error2ntstatus ( ndr_err ) ;
2009-07-24 17:06:41 -07:00
}
return NT_STATUS_OK ;
}
2012-10-10 16:36:47 +11:00
/*******************************************************************
Create a DATA_BLOB from a hash of the security descriptors
( system and NT ) stored at the system layer and the NT ACL we wish
to preserve .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS create_sys_acl_blob ( const struct security_descriptor * psd ,
DATA_BLOB * pblob ,
uint16_t hash_type ,
uint8_t hash [ XATTR_SD_HASH_SIZE ] ,
const char * description ,
uint8_t sys_acl_hash [ XATTR_SD_HASH_SIZE ] )
{
struct xattr_NTACL xacl ;
struct security_descriptor_hash_v4 sd_hs4 ;
enum ndr_err_code ndr_err ;
TALLOC_CTX * ctx = talloc_tos ( ) ;
NTTIME nttime_now ;
struct timeval now = timeval_current ( ) ;
nttime_now = timeval_to_nttime ( & now ) ;
ZERO_STRUCT ( xacl ) ;
ZERO_STRUCT ( sd_hs4 ) ;
xacl . version = 4 ;
xacl . info . sd_hs4 = & sd_hs4 ;
xacl . info . sd_hs4 - > sd = discard_const_p ( struct security_descriptor , psd ) ;
xacl . info . sd_hs4 - > hash_type = hash_type ;
memcpy ( & xacl . info . sd_hs4 - > hash [ 0 ] , hash , XATTR_SD_HASH_SIZE ) ;
xacl . info . sd_hs4 - > description = description ;
xacl . info . sd_hs4 - > time = nttime_now ;
memcpy ( & xacl . info . sd_hs4 - > sys_acl_hash [ 0 ] , sys_acl_hash , XATTR_SD_HASH_SIZE ) ;
ndr_err = ndr_push_struct_blob (
pblob , ctx , & xacl ,
( ndr_push_flags_fn_t ) ndr_push_xattr_NTACL ) ;
if ( ! NDR_ERR_CODE_IS_SUCCESS ( ndr_err ) ) {
2016-08-27 10:11:14 +02:00
DBG_INFO ( " ndr_push_xattr_NTACL failed: %s \n " ,
ndr_errstr ( ndr_err ) ) ;
2012-10-10 16:36:47 +11:00
return ndr_map_error2ntstatus ( ndr_err ) ;
}
return NT_STATUS_OK ;
}
2009-12-23 17:19:22 -08:00
/*******************************************************************
Add in 3 inheritable components for a non - inheritable directory ACL .
CREATOR_OWNER / CREATOR_GROUP / WORLD .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2012-03-16 15:26:57 -07:00
static NTSTATUS add_directory_inheritable_components ( vfs_handle_struct * handle ,
2009-12-23 17:19:22 -08:00
const char * name ,
SMB_STRUCT_STAT * psbuf ,
struct security_descriptor * psd )
{
struct connection_struct * conn = handle - > conn ;
int num_aces = ( psd - > dacl ? psd - > dacl - > num_aces : 0 ) ;
struct smb_filename smb_fname ;
2010-02-07 20:10:57 +01:00
enum security_ace_type acltype ;
2009-12-23 17:19:22 -08:00
uint32_t access_mask ;
mode_t dir_mode ;
mode_t file_mode ;
mode_t mode ;
2012-11-01 09:51:28 +11:00
struct security_ace * new_ace_list ;
if ( psd - > dacl ) {
new_ace_list = talloc_zero_array ( psd - > dacl ,
struct security_ace ,
num_aces + 3 ) ;
} else {
/*
* make_sec_acl ( ) at the bottom of this function
* dupliates new_ace_list
*/
new_ace_list = talloc_zero_array ( talloc_tos ( ) ,
struct security_ace ,
num_aces + 3 ) ;
}
2009-12-23 17:19:22 -08:00
if ( new_ace_list = = NULL ) {
2012-03-16 15:26:57 -07:00
return NT_STATUS_NO_MEMORY ;
2009-12-23 17:19:22 -08:00
}
/* Fake a quick smb_filename. */
ZERO_STRUCT ( smb_fname ) ;
smb_fname . st = * psbuf ;
2011-05-05 16:19:49 -07:00
smb_fname . base_name = discard_const_p ( char , name ) ;
2009-12-23 17:19:22 -08:00
dir_mode = unix_mode ( conn ,
FILE_ATTRIBUTE_DIRECTORY , & smb_fname , NULL ) ;
file_mode = unix_mode ( conn ,
FILE_ATTRIBUTE_ARCHIVE , & smb_fname , NULL ) ;
mode = dir_mode | file_mode ;
2016-08-27 10:11:14 +02:00
DBG_DEBUG ( " directory %s, mode = 0%o \n " , name , ( unsigned int ) mode ) ;
2009-12-23 17:19:22 -08:00
if ( num_aces ) {
memcpy ( new_ace_list , psd - > dacl - > aces ,
num_aces * sizeof ( struct security_ace ) ) ;
}
2010-02-07 20:10:57 +01:00
access_mask = map_canon_ace_perms ( SNUM ( conn ) , & acltype ,
2009-12-23 17:19:22 -08:00
mode & 0700 , false ) ;
init_sec_ace ( & new_ace_list [ num_aces ] ,
& global_sid_Creator_Owner ,
2010-02-07 20:10:57 +01:00
acltype ,
2009-12-23 17:19:22 -08:00
access_mask ,
SEC_ACE_FLAG_CONTAINER_INHERIT |
SEC_ACE_FLAG_OBJECT_INHERIT |
SEC_ACE_FLAG_INHERIT_ONLY ) ;
2010-02-07 20:10:57 +01:00
access_mask = map_canon_ace_perms ( SNUM ( conn ) , & acltype ,
2009-12-23 17:19:22 -08:00
( mode < < 3 ) & 0700 , false ) ;
init_sec_ace ( & new_ace_list [ num_aces + 1 ] ,
& global_sid_Creator_Group ,
2010-02-07 20:10:57 +01:00
acltype ,
2009-12-23 17:19:22 -08:00
access_mask ,
SEC_ACE_FLAG_CONTAINER_INHERIT |
SEC_ACE_FLAG_OBJECT_INHERIT |
SEC_ACE_FLAG_INHERIT_ONLY ) ;
2010-02-07 20:10:57 +01:00
access_mask = map_canon_ace_perms ( SNUM ( conn ) , & acltype ,
2009-12-23 17:19:22 -08:00
( mode < < 6 ) & 0700 , false ) ;
init_sec_ace ( & new_ace_list [ num_aces + 2 ] ,
& global_sid_World ,
2010-02-07 20:10:57 +01:00
acltype ,
2009-12-23 17:19:22 -08:00
access_mask ,
SEC_ACE_FLAG_CONTAINER_INHERIT |
SEC_ACE_FLAG_OBJECT_INHERIT |
SEC_ACE_FLAG_INHERIT_ONLY ) ;
2012-03-16 15:26:57 -07:00
if ( psd - > dacl ) {
psd - > dacl - > aces = new_ace_list ;
psd - > dacl - > num_aces + = 3 ;
2014-09-08 20:53:44 +02:00
psd - > dacl - > size + = new_ace_list [ num_aces ] . size +
new_ace_list [ num_aces + 1 ] . size +
new_ace_list [ num_aces + 2 ] . size ;
2012-03-16 15:26:57 -07:00
} else {
2012-11-01 09:51:28 +11:00
psd - > dacl = make_sec_acl ( psd ,
2012-03-16 15:26:57 -07:00
NT4_ACL_REVISION ,
3 ,
new_ace_list ) ;
if ( psd - > dacl = = NULL ) {
return NT_STATUS_NO_MEMORY ;
}
}
return NT_STATUS_OK ;
2009-12-23 17:19:22 -08:00
}
2016-08-23 22:32:57 +02:00
/**
* Validate an ACL blob
*
* This validates an ACL blob against the underlying filesystem ACL . If this
* function returns NT_STATUS_OK ppsd can be
*
* 1. the ACL from the blob ( psd_from_fs = false ) , or
* 2. the ACL from the fs ( psd_from_fs = true ) , or
* 3. NULL ( ! )
*
* If the return value is anything else then NT_STATUS_OK , ppsd is set to NULL
* and psd_from_fs set to false .
*
* Returning the underlying filesystem ACL in case no . 2 is really just an
* optimisation , because some validations have to fetch the filesytem ACL as
* part of the validation , so we already have it available and callers might
* need it as well .
* */
static NTSTATUS validate_nt_acl_blob ( TALLOC_CTX * mem_ctx ,
vfs_handle_struct * handle ,
files_struct * fsp ,
const struct smb_filename * smb_fname ,
const DATA_BLOB * blob ,
struct security_descriptor * * ppsd ,
bool * psd_is_from_fs )
2009-07-24 17:06:41 -07:00
{
NTSTATUS status ;
2010-08-01 20:15:57 +02:00
uint16_t hash_type = XATTR_SD_HASH_TYPE_NONE ;
2012-10-10 16:36:47 +11:00
uint16_t xattr_version = 0 ;
2009-07-24 17:06:41 -07:00
uint8_t hash [ XATTR_SD_HASH_SIZE ] ;
2012-10-10 16:36:47 +11:00
uint8_t sys_acl_hash [ XATTR_SD_HASH_SIZE ] ;
2009-07-24 17:06:41 -07:00
uint8_t hash_tmp [ XATTR_SD_HASH_SIZE ] ;
2012-10-10 16:36:47 +11:00
uint8_t sys_acl_hash_tmp [ XATTR_SD_HASH_SIZE ] ;
2016-08-23 17:07:20 +02:00
struct security_descriptor * psd = NULL ;
2016-08-23 13:08:12 +02:00
struct security_descriptor * psd_blob = NULL ;
2016-08-23 13:11:24 +02:00
struct security_descriptor * psd_fs = NULL ;
2016-08-23 22:32:57 +02:00
char * sys_acl_blob_description = NULL ;
DATA_BLOB sys_acl_blob = { 0 } ;
2016-08-24 10:01:17 +02:00
struct acl_common_config * config = NULL ;
2009-07-24 17:06:41 -07:00
2016-08-23 22:32:57 +02:00
* ppsd = NULL ;
* psd_is_from_fs = false ;
2009-07-24 17:06:41 -07:00
2016-08-24 10:01:17 +02:00
SMB_VFS_HANDLE_GET_DATA ( handle , config ,
struct acl_common_config ,
return NT_STATUS_UNSUCCESSFUL ) ;
2016-08-23 22:32:57 +02:00
status = parse_acl_blob ( blob ,
mem_ctx ,
& psd_blob ,
& hash_type ,
& xattr_version ,
& hash [ 0 ] ,
& sys_acl_hash [ 0 ] ) ;
2009-07-24 17:06:41 -07:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2016-08-23 22:32:57 +02:00
DBG_DEBUG ( " parse_acl_blob returned %s \n " , nt_errstr ( status ) ) ;
goto fail ;
2009-07-24 17:06:41 -07:00
}
2012-10-10 16:36:47 +11:00
/* determine which type of xattr we got */
switch ( xattr_version ) {
case 1 :
case 2 :
/* These xattr types are unilatteral, they do not
* require confirmation of the hash . In particular ,
* the NTVFS file server uses version 1 , but
* ' samba - tool ntacl ' can set these as well */
2016-08-23 22:32:57 +02:00
* ppsd = psd_blob ;
return NT_STATUS_OK ;
2012-10-10 16:36:47 +11:00
case 3 :
case 4 :
2016-08-24 10:01:17 +02:00
if ( config - > ignore_system_acls ) {
2016-08-23 22:32:57 +02:00
* ppsd = psd_blob ;
return NT_STATUS_OK ;
2012-10-10 16:36:47 +11:00
}
2009-07-24 17:06:41 -07:00
2012-10-10 16:36:47 +11:00
break ;
default :
2016-08-23 22:32:57 +02:00
DBG_DEBUG ( " ACL blob revision mismatch (%u) for file %s \n " ,
( unsigned int ) hash_type , smb_fname - > base_name ) ;
2016-08-23 13:08:12 +02:00
TALLOC_FREE ( psd_blob ) ;
2016-08-23 22:32:57 +02:00
return NT_STATUS_OK ;
2010-10-15 15:56:09 -07:00
}
2009-07-24 17:06:41 -07:00
2012-10-10 16:36:47 +11:00
/* determine which type of xattr we got */
if ( hash_type ! = XATTR_SD_HASH_TYPE_SHA256 ) {
2016-08-23 22:32:57 +02:00
DBG_DEBUG ( " ACL blob hash type (%u) unexpected for file %s \n " ,
( unsigned int ) hash_type , smb_fname - > base_name ) ;
2016-08-23 13:08:12 +02:00
TALLOC_FREE ( psd_blob ) ;
2016-08-23 22:32:57 +02:00
return NT_STATUS_OK ;
2009-07-24 17:06:41 -07:00
}
2012-10-10 16:36:47 +11:00
/* determine which type of xattr we got */
switch ( xattr_version ) {
case 4 :
{
int ret ;
if ( fsp ) {
/* Get the full underlying sd, then hash. */
ret = SMB_VFS_NEXT_SYS_ACL_BLOB_GET_FD ( handle ,
fsp ,
2016-08-23 17:07:20 +02:00
mem_ctx ,
2012-10-10 16:36:47 +11:00
& sys_acl_blob_description ,
& sys_acl_blob ) ;
} else {
/* Get the full underlying sd, then hash. */
ret = SMB_VFS_NEXT_SYS_ACL_BLOB_GET_FILE ( handle ,
2017-05-23 17:35:59 -07:00
smb_fname ,
2016-08-23 17:07:20 +02:00
mem_ctx ,
2016-03-11 15:50:57 -08:00
& sys_acl_blob_description ,
& sys_acl_blob ) ;
2012-10-10 16:36:47 +11:00
}
/* If we fail to get the ACL blob (for some reason) then this
* is not fatal , we just work based on the NT ACL only */
if ( ret = = 0 ) {
status = hash_blob_sha256 ( sys_acl_blob , sys_acl_hash_tmp ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2016-08-23 17:07:20 +02:00
goto fail ;
2012-10-10 16:36:47 +11:00
}
2009-07-24 17:06:41 -07:00
2016-08-23 17:07:20 +02:00
TALLOC_FREE ( sys_acl_blob_description ) ;
TALLOC_FREE ( sys_acl_blob . data ) ;
2012-10-10 16:36:47 +11:00
if ( memcmp ( & sys_acl_hash [ 0 ] , & sys_acl_hash_tmp [ 0 ] ,
XATTR_SD_HASH_SIZE ) = = 0 ) {
/* Hash matches, return blob sd. */
2016-08-23 22:32:57 +02:00
DBG_DEBUG ( " blob hash matches for file %s \n " ,
smb_fname - > base_name ) ;
* ppsd = psd_blob ;
return NT_STATUS_OK ;
2012-10-10 16:36:47 +11:00
}
}
2012-07-17 10:04:03 -07:00
2012-10-10 16:36:47 +11:00
/* Otherwise, fall though and see if the NT ACL hash matches */
2017-07-26 17:53:45 +02:00
FALL_THROUGH ;
2012-09-10 08:43:09 +10:00
}
2012-10-10 16:36:47 +11:00
case 3 :
2012-10-24 17:03:41 +11:00
/* Get the full underlying sd for the hash
or to return as backup . */
if ( fsp ) {
status = SMB_VFS_NEXT_FGET_NT_ACL ( handle ,
fsp ,
HASH_SECURITY_INFO ,
mem_ctx ,
2016-08-23 13:11:24 +02:00
& psd_fs ) ;
2012-10-24 17:03:41 +11:00
} else {
status = SMB_VFS_NEXT_GET_NT_ACL ( handle ,
2016-02-12 10:30:10 -08:00
smb_fname ,
2012-10-24 17:03:41 +11:00
HASH_SECURITY_INFO ,
mem_ctx ,
2016-08-23 13:11:24 +02:00
& psd_fs ) ;
2012-10-24 17:03:41 +11:00
}
if ( ! NT_STATUS_IS_OK ( status ) ) {
2016-08-23 22:32:57 +02:00
DBG_DEBUG ( " get_next_acl for file %s returned %s \n " ,
smb_fname - > base_name , nt_errstr ( status ) ) ;
2016-08-23 17:07:20 +02:00
goto fail ;
2012-10-24 17:03:41 +11:00
}
2016-08-23 13:11:24 +02:00
status = hash_sd_sha256 ( psd_fs , hash_tmp ) ;
2012-10-10 16:36:47 +11:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2016-08-23 13:08:12 +02:00
TALLOC_FREE ( psd_blob ) ;
2016-08-23 22:32:57 +02:00
* ppsd = psd_fs ;
* psd_is_from_fs = true ;
return NT_STATUS_OK ;
2012-10-10 16:36:47 +11:00
}
2012-09-10 08:43:09 +10:00
2012-10-10 16:36:47 +11:00
if ( memcmp ( & hash [ 0 ] , & hash_tmp [ 0 ] , XATTR_SD_HASH_SIZE ) = = 0 ) {
/* Hash matches, return blob sd. */
2016-08-23 22:32:57 +02:00
DBG_DEBUG ( " blob hash matches for file %s \n " ,
smb_fname - > base_name ) ;
* ppsd = psd_blob ;
return NT_STATUS_OK ;
2012-10-10 16:36:47 +11:00
}
2009-07-24 17:06:41 -07:00
2012-10-10 16:36:47 +11:00
/* Hash doesn't match, return underlying sd. */
2016-08-23 22:32:57 +02:00
DBG_DEBUG ( " blob hash does not match for file %s - returning "
" file system SD mapping. \n " ,
smb_fname - > base_name ) ;
2012-10-10 16:36:47 +11:00
if ( DEBUGLEVEL > = 10 ) {
2016-08-23 22:32:57 +02:00
DBG_DEBUG ( " acl for blob hash for %s is: \n " ,
smb_fname - > base_name ) ;
2016-08-23 13:11:24 +02:00
NDR_PRINT_DEBUG ( security_descriptor , psd_fs ) ;
2012-10-10 16:36:47 +11:00
}
2016-08-23 13:08:12 +02:00
TALLOC_FREE ( psd_blob ) ;
2016-08-23 22:32:57 +02:00
* ppsd = psd_fs ;
* psd_is_from_fs = true ;
}
return NT_STATUS_OK ;
fail :
TALLOC_FREE ( psd ) ;
TALLOC_FREE ( psd_blob ) ;
TALLOC_FREE ( psd_fs ) ;
TALLOC_FREE ( sys_acl_blob_description ) ;
TALLOC_FREE ( sys_acl_blob . data ) ;
return status ;
}
2016-08-24 10:30:15 +02:00
static NTSTATUS stat_fsp_or_smb_fname ( vfs_handle_struct * handle ,
files_struct * fsp ,
const struct smb_filename * smb_fname ,
SMB_STRUCT_STAT * sbuf ,
SMB_STRUCT_STAT * * psbuf )
{
NTSTATUS status ;
int ret ;
if ( fsp ) {
status = vfs_stat_fsp ( fsp ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
* psbuf = & fsp - > fsp_name - > st ;
} else {
/*
* https : //bugzilla.samba.org/show_bug.cgi?id=11249
*
* We are currently guaranteed that ' name ' here is a
* smb_fname - > base_name , which * cannot * contain a stream name
* ( ' : ' ) . vfs_stat_smb_fname ( ) splits a name into a base name +
* stream name , which when we get here we know we ' ve already
* done . So we have to call the stat or lstat VFS calls
* directly here . Else , a base_name that contains a ' : ' ( from a
* demangled name ) will get split again .
*
* FIXME .
* This uglyness will go away once smb_fname is fully plumbed
* through the VFS .
*/
ret = vfs_stat_smb_basename ( handle - > conn ,
smb_fname ,
sbuf ) ;
if ( ret = = - 1 ) {
return map_nt_error_from_unix ( errno ) ;
}
}
return NT_STATUS_OK ;
}
2016-08-23 22:32:57 +02:00
/*******************************************************************
Pull a DATA_BLOB from an xattr given a pathname .
If the hash doesn ' t match , or doesn ' t exist - return the underlying
filesystem sd .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2017-08-18 14:41:57 +02:00
NTSTATUS get_nt_acl_common (
2017-08-18 13:46:14 +02:00
NTSTATUS ( * get_acl_blob_fn ) ( TALLOC_CTX * ctx ,
vfs_handle_struct * handle ,
2016-08-23 22:32:57 +02:00
files_struct * fsp ,
2017-08-18 13:46:14 +02:00
const struct smb_filename * smb_fname ,
DATA_BLOB * pblob ) ,
vfs_handle_struct * handle ,
files_struct * fsp ,
const struct smb_filename * smb_fname_in ,
uint32_t security_info ,
TALLOC_CTX * mem_ctx ,
struct security_descriptor * * ppdesc )
2016-08-23 22:32:57 +02:00
{
DATA_BLOB blob = data_blob_null ;
NTSTATUS status ;
struct security_descriptor * psd = NULL ;
const struct smb_filename * smb_fname = NULL ;
bool psd_is_from_fs = false ;
2016-08-24 10:01:17 +02:00
struct acl_common_config * config = NULL ;
SMB_VFS_HANDLE_GET_DATA ( handle , config ,
struct acl_common_config ,
return NT_STATUS_UNSUCCESSFUL ) ;
2016-08-23 22:32:57 +02:00
if ( fsp & & smb_fname_in = = NULL ) {
smb_fname = fsp - > fsp_name ;
} else {
smb_fname = smb_fname_in ;
}
2016-08-27 10:11:14 +02:00
DBG_DEBUG ( " name=%s \n " , smb_fname - > base_name ) ;
2016-08-23 22:32:57 +02:00
2017-08-18 13:46:14 +02:00
status = get_acl_blob_fn ( mem_ctx , handle , fsp , smb_fname , & blob ) ;
2016-08-23 22:32:57 +02:00
if ( NT_STATUS_IS_OK ( status ) ) {
status = validate_nt_acl_blob ( mem_ctx ,
handle ,
fsp ,
smb_fname ,
& blob ,
& psd ,
& psd_is_from_fs ) ;
TALLOC_FREE ( blob . data ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DBG_DEBUG ( " ACL validation for [%s] failed \n " ,
smb_fname - > base_name ) ;
goto fail ;
}
2012-10-10 16:36:47 +11:00
}
2009-07-24 17:06:41 -07:00
2016-08-23 17:07:20 +02:00
if ( psd = = NULL ) {
2012-10-24 17:03:41 +11:00
/* Get the full underlying sd, as we failed to get the
* blob for the hash , or the revision / hash type wasn ' t
* known */
2016-08-24 10:43:47 +02:00
if ( config - > ignore_system_acls ) {
SMB_STRUCT_STAT sbuf ;
SMB_STRUCT_STAT * psbuf = & sbuf ;
status = stat_fsp_or_smb_fname ( handle , fsp , smb_fname ,
& sbuf , & psbuf ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
goto fail ;
}
status = make_default_filesystem_acl (
mem_ctx ,
2017-09-28 07:48:59 +02:00
config - > default_acl_style ,
2016-08-24 10:43:47 +02:00
smb_fname - > base_name ,
psbuf ,
& psd ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
goto fail ;
}
2012-10-24 17:03:41 +11:00
} else {
2016-08-24 10:43:47 +02:00
if ( fsp ) {
status = SMB_VFS_NEXT_FGET_NT_ACL ( handle ,
fsp ,
security_info ,
mem_ctx ,
& psd ) ;
} else {
status = SMB_VFS_NEXT_GET_NT_ACL ( handle ,
smb_fname ,
security_info ,
mem_ctx ,
& psd ) ;
}
2012-10-24 17:03:41 +11:00
2016-08-24 10:43:47 +02:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
DBG_DEBUG ( " get_next_acl for file %s "
" returned %s \n " ,
smb_fname - > base_name ,
nt_errstr ( status ) ) ;
goto fail ;
}
2012-10-24 17:03:41 +11:00
2016-08-24 10:43:47 +02:00
psd_is_from_fs = true ;
}
2012-10-24 17:03:41 +11:00
}
2016-08-23 17:07:20 +02:00
if ( psd_is_from_fs ) {
2009-12-23 17:19:22 -08:00
SMB_STRUCT_STAT sbuf ;
SMB_STRUCT_STAT * psbuf = & sbuf ;
bool is_directory = false ;
2016-08-24 10:43:47 +02:00
2009-12-23 17:19:22 -08:00
/*
* We ' re returning the underlying ACL from the
* filesystem . If it ' s a directory , and has no
* inheritable ACE entries we have to fake them .
*/
2016-08-24 10:30:15 +02:00
status = stat_fsp_or_smb_fname ( handle , fsp , smb_fname ,
& sbuf , & psbuf ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
goto fail ;
2009-12-23 17:19:22 -08:00
}
2016-08-24 10:30:15 +02:00
2011-12-02 10:55:40 -08:00
is_directory = S_ISDIR ( psbuf - > st_ex_mode ) ;
2010-10-15 15:56:09 -07:00
2016-08-24 10:43:47 +02:00
if ( is_directory & & ! sd_has_inheritable_components ( psd , true ) ) {
status = add_directory_inheritable_components (
handle ,
smb_fname - > base_name ,
psbuf ,
psd ) ;
2010-10-15 15:56:09 -07:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2016-08-23 17:07:20 +02:00
goto fail ;
2010-10-15 15:56:09 -07:00
}
2009-12-23 17:19:22 -08:00
}
2016-08-24 10:43:47 +02:00
/*
* The underlying POSIX module always sets the
* ~ SEC_DESC_DACL_PROTECTED bit , as ACLs can ' t be inherited in
* this way under POSIX . Remove it for Windows - style ACLs .
*/
psd - > type & = ~ SEC_DESC_DACL_PROTECTED ;
2009-12-02 15:02:28 -08:00
}
2010-06-02 23:22:12 +02:00
if ( ! ( security_info & SECINFO_OWNER ) ) {
2016-08-23 17:07:20 +02:00
psd - > owner_sid = NULL ;
2009-07-24 17:06:41 -07:00
}
2010-06-02 23:25:18 +02:00
if ( ! ( security_info & SECINFO_GROUP ) ) {
2016-08-23 17:07:20 +02:00
psd - > group_sid = NULL ;
2009-07-24 17:06:41 -07:00
}
2010-06-02 23:35:44 +02:00
if ( ! ( security_info & SECINFO_DACL ) ) {
2016-08-23 17:07:20 +02:00
psd - > type & = ~ SEC_DESC_DACL_PRESENT ;
psd - > dacl = NULL ;
2009-07-24 17:06:41 -07:00
}
2010-06-02 23:29:16 +02:00
if ( ! ( security_info & SECINFO_SACL ) ) {
2016-08-23 17:07:20 +02:00
psd - > type & = ~ SEC_DESC_SACL_PRESENT ;
psd - > sacl = NULL ;
2009-07-24 17:06:41 -07:00
}
2010-10-15 14:18:22 -07:00
if ( DEBUGLEVEL > = 10 ) {
2016-08-27 10:11:14 +02:00
DBG_DEBUG ( " returning acl for %s is: \n " ,
smb_fname - > base_name ) ;
2016-08-23 17:07:20 +02:00
NDR_PRINT_DEBUG ( security_descriptor , psd ) ;
2010-10-15 14:18:22 -07:00
}
2016-08-23 17:07:20 +02:00
* ppdesc = psd ;
2012-10-10 16:36:47 +11:00
2009-12-02 15:02:28 -08:00
return NT_STATUS_OK ;
2016-08-23 17:07:20 +02:00
fail :
TALLOC_FREE ( psd ) ;
return status ;
2009-07-24 17:06:41 -07:00
}
2016-03-21 23:04:24 +02:00
/*********************************************************************
Set the underlying ACL ( e . g . POSIX ACLS , POSIX owner , etc )
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS set_underlying_acl ( vfs_handle_struct * handle , files_struct * fsp ,
struct security_descriptor * psd ,
uint32_t security_info_sent ,
bool chown_needed )
{
2017-10-04 12:51:29 +02:00
NTSTATUS status ;
2017-10-04 22:27:24 +02:00
const struct security_token * token = NULL ;
2017-10-04 12:51:29 +02:00
status = SMB_VFS_NEXT_FSET_NT_ACL ( handle , fsp , security_info_sent , psd ) ;
2016-03-21 23:04:24 +02:00
if ( ! NT_STATUS_EQUAL ( status , NT_STATUS_ACCESS_DENIED ) ) {
return status ;
}
/* We got access denied here. If we're already root,
or we didn ' t need to do a chown , or the fsp isn ' t
open with WRITE_OWNER access , just return . */
if ( get_current_uid ( handle - > conn ) = = 0 | | chown_needed = = false | |
! ( fsp - > access_mask & SEC_STD_WRITE_OWNER ) ) {
return NT_STATUS_ACCESS_DENIED ;
}
2017-10-04 22:27:24 +02:00
/*
* Only allow take - ownership , not give - ownership . That ' s the way Windows
* implements SEC_STD_WRITE_OWNER . MS - FSA 2.1 .5 .16 just states : If
* InputBuffer . OwnerSid is not a valid owner SID for a file in the
* objectstore , as determined in an implementation specific manner , the
* object store MUST return STATUS_INVALID_OWNER .
*/
token = get_current_nttok ( fsp - > conn ) ;
if ( ! security_token_is_sid ( token , psd - > owner_sid ) ) {
return NT_STATUS_INVALID_OWNER ;
}
2016-08-27 10:11:14 +02:00
DBG_DEBUG ( " overriding chown on file %s for sid %s \n " ,
fsp_str_dbg ( fsp ) , sid_string_tos ( psd - > owner_sid ) ) ;
2016-03-21 23:04:24 +02:00
/* Ok, we failed to chown and we have
SEC_STD_WRITE_OWNER access - override . */
become_root ( ) ;
status = SMB_VFS_NEXT_FSET_NT_ACL ( handle , fsp , security_info_sent , psd ) ;
unbecome_root ( ) ;
return status ;
}
/*********************************************************************
Store a v3 security descriptor
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2017-08-18 13:52:31 +02:00
static NTSTATUS store_v3_blob (
NTSTATUS ( * store_acl_blob_fsp_fn ) ( vfs_handle_struct * handle ,
files_struct * fsp ,
DATA_BLOB * pblob ) ,
vfs_handle_struct * handle , files_struct * fsp ,
struct security_descriptor * psd ,
struct security_descriptor * pdesc_next ,
uint8_t hash [ XATTR_SD_HASH_SIZE ] )
2016-03-21 23:04:24 +02:00
{
NTSTATUS status ;
DATA_BLOB blob ;
if ( DEBUGLEVEL > = 10 ) {
2016-08-27 10:11:14 +02:00
DBG_DEBUG ( " storing xattr sd for file %s \n " ,
fsp_str_dbg ( fsp ) ) ;
2016-03-21 23:04:24 +02:00
NDR_PRINT_DEBUG (
security_descriptor ,
discard_const_p ( struct security_descriptor , psd ) ) ;
if ( pdesc_next ! = NULL ) {
2016-08-27 10:11:14 +02:00
DBG_DEBUG ( " storing xattr sd based on \n " ) ;
2016-03-21 23:04:24 +02:00
NDR_PRINT_DEBUG (
security_descriptor ,
discard_const_p ( struct security_descriptor ,
pdesc_next ) ) ;
} else {
2016-08-27 10:11:14 +02:00
DBG_DEBUG ( " ignoring underlying sd \n " ) ;
2016-03-21 23:04:24 +02:00
}
}
status = create_acl_blob ( psd , & blob , XATTR_SD_HASH_TYPE_SHA256 , hash ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2016-08-27 10:11:14 +02:00
DBG_DEBUG ( " create_acl_blob failed \n " ) ;
2016-03-21 23:04:24 +02:00
return status ;
}
2017-08-18 13:52:31 +02:00
status = store_acl_blob_fsp_fn ( handle , fsp , & blob ) ;
2016-03-21 23:04:24 +02:00
return status ;
}
2009-07-24 17:06:41 -07:00
/*********************************************************************
Store a security descriptor given an fsp .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2017-08-18 14:41:57 +02:00
NTSTATUS fset_nt_acl_common (
NTSTATUS ( * get_acl_blob_fn ) ( TALLOC_CTX * ctx ,
vfs_handle_struct * handle ,
files_struct * fsp ,
const struct smb_filename * smb_fname ,
DATA_BLOB * pblob ) ,
NTSTATUS ( * store_acl_blob_fsp_fn ) ( vfs_handle_struct * handle ,
files_struct * fsp ,
DATA_BLOB * pblob ) ,
const char * module_name ,
vfs_handle_struct * handle , files_struct * fsp ,
uint32_t security_info_sent ,
const struct security_descriptor * orig_psd )
2009-07-24 17:06:41 -07:00
{
NTSTATUS status ;
2012-10-10 16:36:47 +11:00
int ret ;
DATA_BLOB blob , sys_acl_blob ;
2009-07-24 17:06:41 -07:00
struct security_descriptor * pdesc_next = NULL ;
2010-10-11 17:15:39 -07:00
struct security_descriptor * psd = NULL ;
2009-07-24 17:06:41 -07:00
uint8_t hash [ XATTR_SD_HASH_SIZE ] ;
2012-10-10 16:36:47 +11:00
uint8_t sys_acl_hash [ XATTR_SD_HASH_SIZE ] ;
2012-02-03 14:55:34 -08:00
bool chown_needed = false ;
2012-10-10 16:36:47 +11:00
char * sys_acl_description ;
2012-10-10 11:50:27 +11:00
TALLOC_CTX * frame = talloc_stackframe ( ) ;
2016-03-21 23:04:24 +02:00
bool ignore_file_system_acl = lp_parm_bool (
2017-08-18 14:41:57 +02:00
SNUM ( handle - > conn ) , module_name , " ignore system acls " , false ) ;
2009-07-24 17:06:41 -07:00
if ( DEBUGLEVEL > = 10 ) {
2016-08-27 10:11:14 +02:00
DBG_DEBUG ( " incoming sd for file %s \n " , fsp_str_dbg ( fsp ) ) ;
2009-07-24 17:06:41 -07:00
NDR_PRINT_DEBUG ( security_descriptor ,
2011-05-05 16:19:49 -07:00
discard_const_p ( struct security_descriptor , orig_psd ) ) ;
2009-07-24 17:06:41 -07:00
}
2017-08-18 14:41:57 +02:00
status = get_nt_acl_common ( get_acl_blob_fn , handle , fsp ,
2010-10-11 17:15:39 -07:00
NULL ,
SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL | SECINFO_SACL ,
2012-10-10 11:50:27 +11:00
frame ,
2010-10-11 17:15:39 -07:00
& psd ) ;
2009-11-25 10:20:38 -08:00
2010-10-11 17:15:39 -07:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2012-10-10 11:50:27 +11:00
TALLOC_FREE ( frame ) ;
2010-10-11 17:15:39 -07:00
return status ;
}
2009-11-25 10:20:38 -08:00
2010-11-23 14:31:43 -08:00
psd - > revision = orig_psd - > revision ;
2018-05-10 12:29:35 +02:00
if ( security_info_sent & SECINFO_DACL ) {
psd - > type = orig_psd - > type ;
/* All our SD's are self relative. */
psd - > type | = SEC_DESC_SELF_RELATIVE ;
}
2010-11-23 14:31:43 -08:00
2010-10-11 17:15:39 -07:00
if ( ( security_info_sent & SECINFO_OWNER ) & & ( orig_psd - > owner_sid ! = NULL ) ) {
2012-02-03 14:55:34 -08:00
if ( ! dom_sid_equal ( orig_psd - > owner_sid , psd - > owner_sid ) ) {
/* We're changing the owner. */
chown_needed = true ;
}
2010-10-11 17:15:39 -07:00
psd - > owner_sid = orig_psd - > owner_sid ;
}
if ( ( security_info_sent & SECINFO_GROUP ) & & ( orig_psd - > group_sid ! = NULL ) ) {
2012-02-03 14:55:34 -08:00
if ( ! dom_sid_equal ( orig_psd - > group_sid , psd - > group_sid ) ) {
/* We're changing the group. */
chown_needed = true ;
}
2010-10-11 17:15:39 -07:00
psd - > group_sid = orig_psd - > group_sid ;
}
if ( security_info_sent & SECINFO_DACL ) {
2014-11-26 18:01:37 +01:00
if ( security_descriptor_with_ms_nfs ( orig_psd ) ) {
/*
* If the sd contains a MS NFS SID , do
* nothing , it ' s a chmod ( ) request from OS X
* with AAPL context .
*/
TALLOC_FREE ( frame ) ;
return NT_STATUS_OK ;
}
2010-10-11 17:15:39 -07:00
psd - > dacl = orig_psd - > dacl ;
2010-11-23 14:31:43 -08:00
psd - > type | = SEC_DESC_DACL_PRESENT ;
2010-10-11 17:15:39 -07:00
}
if ( security_info_sent & SECINFO_SACL ) {
psd - > sacl = orig_psd - > sacl ;
2010-11-23 14:31:43 -08:00
psd - > type | = SEC_DESC_SACL_PRESENT ;
2009-07-24 17:06:41 -07:00
}
2016-03-21 23:04:24 +02:00
if ( ignore_file_system_acl ) {
if ( chown_needed ) {
/* send only ownership stuff to lower layer */
security_info_sent & = ( SECINFO_OWNER | SECINFO_GROUP ) ;
status = set_underlying_acl ( handle , fsp , psd ,
security_info_sent , true ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
TALLOC_FREE ( frame ) ;
return status ;
}
2012-02-03 14:55:34 -08:00
}
2016-03-21 23:04:24 +02:00
ZERO_ARRAY ( hash ) ;
2017-08-18 14:41:57 +02:00
status = store_v3_blob ( store_acl_blob_fsp_fn , handle , fsp , psd ,
2017-08-18 13:52:31 +02:00
NULL , hash ) ;
2012-02-03 14:55:34 -08:00
2016-03-21 23:04:24 +02:00
TALLOC_FREE ( frame ) ;
return status ;
}
status = set_underlying_acl ( handle , fsp , psd , security_info_sent ,
chown_needed ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
TALLOC_FREE ( frame ) ;
return status ;
2009-07-24 17:06:41 -07:00
}
/* Get the full underlying sd, then hash. */
status = SMB_VFS_NEXT_FGET_NT_ACL ( handle ,
2012-10-10 11:50:27 +11:00
fsp ,
HASH_SECURITY_INFO ,
frame ,
& pdesc_next ) ;
2009-07-24 17:06:41 -07:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2012-10-10 11:50:27 +11:00
TALLOC_FREE ( frame ) ;
2009-07-24 17:06:41 -07:00
return status ;
}
status = hash_sd_sha256 ( pdesc_next , hash ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2012-10-10 11:50:27 +11:00
TALLOC_FREE ( frame ) ;
2009-07-24 17:06:41 -07:00
return status ;
}
2012-10-10 16:36:47 +11:00
/* Get the full underlying sd, then hash. */
ret = SMB_VFS_NEXT_SYS_ACL_BLOB_GET_FD ( handle ,
fsp ,
frame ,
& sys_acl_description ,
& sys_acl_blob ) ;
/* If we fail to get the ACL blob (for some reason) then this
* is not fatal , we just work based on the NT ACL only */
if ( ret ! = 0 ) {
2017-08-18 14:41:57 +02:00
status = store_v3_blob ( store_acl_blob_fsp_fn , handle , fsp , psd ,
2017-08-18 13:52:31 +02:00
pdesc_next , hash ) ;
2012-10-10 16:36:47 +11:00
TALLOC_FREE ( frame ) ;
return status ;
}
status = hash_blob_sha256 ( sys_acl_blob , sys_acl_hash ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
TALLOC_FREE ( frame ) ;
return status ;
}
2009-07-24 17:06:41 -07:00
if ( DEBUGLEVEL > = 10 ) {
2016-08-27 10:11:14 +02:00
DBG_DEBUG ( " storing xattr sd for file %s based on system ACL \n " ,
fsp_str_dbg ( fsp ) ) ;
2009-07-24 17:06:41 -07:00
NDR_PRINT_DEBUG ( security_descriptor ,
2012-10-10 16:36:47 +11:00
discard_const_p ( struct security_descriptor , psd ) ) ;
2012-09-10 08:43:09 +10:00
2016-08-27 10:11:14 +02:00
DBG_DEBUG ( " storing hash in xattr sd based on system ACL and: \n " ) ;
2012-09-10 08:43:09 +10:00
NDR_PRINT_DEBUG ( security_descriptor ,
2012-10-10 16:36:47 +11:00
discard_const_p ( struct security_descriptor , pdesc_next ) ) ;
2009-07-24 17:06:41 -07:00
}
2012-10-10 16:36:47 +11:00
/* We store hashes of both the sys ACL blob and the NT
* security desciptor mapped from that ACL so as to improve
* our chances against some inadvertant change breaking the
* hash used */
status = create_sys_acl_blob ( psd , & blob , XATTR_SD_HASH_TYPE_SHA256 , hash ,
sys_acl_description , sys_acl_hash ) ;
2012-05-16 20:21:34 -07:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2016-08-27 10:11:14 +02:00
DBG_DEBUG ( " create_sys_acl_blob failed \n " ) ;
2012-10-10 11:50:27 +11:00
TALLOC_FREE ( frame ) ;
2012-05-16 20:21:34 -07:00
return status ;
}
2017-08-18 14:41:57 +02:00
status = store_acl_blob_fsp_fn ( handle , fsp , & blob ) ;
2009-07-24 17:06:41 -07:00
2012-10-10 11:50:27 +11:00
TALLOC_FREE ( frame ) ;
2012-05-15 07:47:14 -07:00
return status ;
2009-07-24 17:06:41 -07:00
}
2009-11-30 16:50:34 -08:00
2010-01-12 16:04:44 -08:00
static int acl_common_remove_object ( vfs_handle_struct * handle ,
2017-06-29 11:29:33 -07:00
const struct smb_filename * smb_fname ,
2010-01-12 16:04:44 -08:00
bool is_directory )
{
connection_struct * conn = handle - > conn ;
struct file_id id ;
files_struct * fsp = NULL ;
int ret = 0 ;
char * parent_dir = NULL ;
const char * final_component = NULL ;
2017-06-29 11:29:33 -07:00
struct smb_filename local_fname = { 0 } ;
struct smb_filename parent_dir_fname = { 0 } ;
2010-01-12 16:04:44 -08:00
int saved_errno = 0 ;
2017-06-29 14:32:47 -07:00
struct smb_filename * saved_dir_fname = NULL ;
2011-08-18 14:11:45 -07:00
2017-06-29 14:32:47 -07:00
saved_dir_fname = vfs_GetWd ( talloc_tos ( ) , conn ) ;
if ( saved_dir_fname = = NULL ) {
2011-08-18 14:11:45 -07:00
saved_errno = errno ;
goto out ;
}
2010-01-12 16:04:44 -08:00
2017-06-29 11:29:33 -07:00
if ( ! parent_dirname ( talloc_tos ( ) , smb_fname - > base_name ,
2010-01-12 16:04:44 -08:00
& parent_dir , & final_component ) ) {
saved_errno = ENOMEM ;
goto out ;
}
2016-08-27 10:11:14 +02:00
DBG_DEBUG ( " removing %s %s/%s \n " , is_directory ? " directory " : " file " ,
parent_dir , final_component ) ;
2010-01-12 16:04:44 -08:00
2017-06-29 11:29:33 -07:00
parent_dir_fname = ( struct smb_filename ) { . base_name = parent_dir } ;
2010-01-12 16:04:44 -08:00
/* cd into the parent dir to pin it. */
2017-06-29 11:29:33 -07:00
ret = vfs_ChDir ( conn , & parent_dir_fname ) ;
2010-01-12 16:04:44 -08:00
if ( ret = = - 1 ) {
saved_errno = errno ;
goto out ;
}
2011-05-05 16:19:49 -07:00
local_fname . base_name = discard_const_p ( char , final_component ) ;
2010-01-12 16:04:44 -08:00
/* Must use lstat here. */
ret = SMB_VFS_LSTAT ( conn , & local_fname ) ;
if ( ret = = - 1 ) {
saved_errno = errno ;
goto out ;
}
/* Ensure we have this file open with DELETE access. */
id = vfs_file_id_from_sbuf ( conn , & local_fname . st ) ;
2010-09-27 04:05:25 +02:00
for ( fsp = file_find_di_first ( conn - > sconn , id ) ; fsp ;
2011-08-29 16:46:15 -07:00
fsp = file_find_di_next ( fsp ) ) {
2010-01-12 16:04:44 -08:00
if ( fsp - > access_mask & DELETE_ACCESS & &
fsp - > delete_on_close ) {
/* We did open this for delete,
* allow the delete as root .
*/
break ;
}
}
if ( ! fsp ) {
2016-08-27 10:11:14 +02:00
DBG_DEBUG ( " %s %s/%s not an open file \n " ,
is_directory ? " directory " : " file " ,
parent_dir , final_component ) ;
2010-01-12 16:04:44 -08:00
saved_errno = EACCES ;
goto out ;
}
2010-01-16 17:03:06 -08:00
become_root ( ) ;
2010-01-12 16:04:44 -08:00
if ( is_directory ) {
2016-02-24 14:02:45 -08:00
ret = SMB_VFS_NEXT_RMDIR ( handle , & local_fname ) ;
2010-01-12 16:04:44 -08:00
} else {
ret = SMB_VFS_NEXT_UNLINK ( handle , & local_fname ) ;
}
2010-01-16 17:03:06 -08:00
unbecome_root ( ) ;
2010-01-12 16:04:44 -08:00
if ( ret = = - 1 ) {
saved_errno = errno ;
}
out :
TALLOC_FREE ( parent_dir ) ;
2017-06-29 14:32:47 -07:00
if ( saved_dir_fname ) {
vfs_ChDir ( conn , saved_dir_fname ) ;
TALLOC_FREE ( saved_dir_fname ) ;
2011-08-18 14:11:45 -07:00
}
2010-01-12 16:04:44 -08:00
if ( saved_errno ) {
errno = saved_errno ;
}
return ret ;
}
2017-08-18 14:41:57 +02:00
int rmdir_acl_common ( struct vfs_handle_struct * handle ,
const struct smb_filename * smb_fname )
2010-01-12 16:04:44 -08:00
{
int ret ;
2012-01-10 12:52:01 -08:00
/* Try the normal rmdir first. */
2016-02-24 14:02:45 -08:00
ret = SMB_VFS_NEXT_RMDIR ( handle , smb_fname ) ;
2012-01-10 12:52:01 -08:00
if ( ret = = 0 ) {
return 0 ;
}
if ( errno = = EACCES | | errno = = EPERM ) {
/* Failed due to access denied,
see if we need to root override . */
return acl_common_remove_object ( handle ,
2017-06-29 11:29:33 -07:00
smb_fname ,
2012-01-10 12:52:01 -08:00
true ) ;
2010-01-12 16:04:44 -08:00
}
2016-08-27 10:11:14 +02:00
DBG_DEBUG ( " unlink of %s failed %s \n " ,
smb_fname - > base_name ,
strerror ( errno ) ) ;
2012-01-10 12:52:01 -08:00
return - 1 ;
2010-01-12 16:04:44 -08:00
}
2017-08-18 14:41:57 +02:00
int unlink_acl_common ( struct vfs_handle_struct * handle ,
2010-01-12 16:04:44 -08:00
const struct smb_filename * smb_fname )
{
int ret ;
2012-01-10 12:52:01 -08:00
/* Try the normal unlink first. */
2010-01-12 16:04:44 -08:00
ret = SMB_VFS_NEXT_UNLINK ( handle , smb_fname ) ;
2012-01-10 12:52:01 -08:00
if ( ret = = 0 ) {
return 0 ;
2010-01-12 16:04:44 -08:00
}
2012-01-10 12:52:01 -08:00
if ( errno = = EACCES | | errno = = EPERM ) {
/* Failed due to access denied,
see if we need to root override . */
2010-01-12 16:04:44 -08:00
2012-01-10 12:52:01 -08:00
/* Don't do anything fancy for streams. */
if ( smb_fname - > stream_name ) {
return - 1 ;
}
return acl_common_remove_object ( handle ,
2017-06-29 11:29:33 -07:00
smb_fname ,
2010-01-12 16:04:44 -08:00
false ) ;
2012-01-10 12:52:01 -08:00
}
2016-08-27 10:11:14 +02:00
DBG_DEBUG ( " unlink of %s failed %s \n " ,
smb_fname - > base_name ,
strerror ( errno ) ) ;
2012-01-10 12:52:01 -08:00
return - 1 ;
2010-01-12 16:04:44 -08:00
}
2011-04-01 16:50:28 -07:00
2017-08-18 14:41:57 +02:00
int chmod_acl_module_common ( struct vfs_handle_struct * handle ,
const struct smb_filename * smb_fname ,
mode_t mode )
2011-04-01 16:50:28 -07:00
{
2016-03-18 21:58:20 -07:00
if ( smb_fname - > flags & SMB_FILENAME_POSIX_PATH ) {
2011-04-01 16:50:28 -07:00
/* Only allow this on POSIX pathnames. */
2016-03-01 16:20:25 -08:00
return SMB_VFS_NEXT_CHMOD ( handle , smb_fname , mode ) ;
2011-04-01 16:50:28 -07:00
}
return 0 ;
}
2017-08-18 14:41:57 +02:00
int fchmod_acl_module_common ( struct vfs_handle_struct * handle ,
struct files_struct * fsp , mode_t mode )
2011-04-01 16:50:28 -07:00
{
2015-11-27 18:29:55 +01:00
if ( fsp - > posix_flags & FSP_POSIX_FLAGS_OPEN ) {
2011-04-01 16:50:28 -07:00
/* Only allow this on POSIX opens. */
return SMB_VFS_NEXT_FCHMOD ( handle , fsp , mode ) ;
}
return 0 ;
}