2006-09-18 02:27:48 +00:00
/*
* NFS4 ACL handling
*
* Copyright ( C ) Jim McDonough , 2006
*
* This program is free software ; you can redistribute it and / or modify
* it under the terms of the GNU General Public License as published by
2007-07-09 19:25:36 +00:00
* the Free Software Foundation ; either version 3 of the License , or
2006-09-18 02:27:48 +00:00
* ( at your option ) any later version .
*
* This program is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
* GNU General Public License for more details .
*
* You should have received a copy of the GNU General Public License
2007-07-10 05:23:25 +00:00
* along with this program ; if not , see < http : //www.gnu.org/licenses/>.
2006-09-18 02:27:48 +00:00
*/
# include "includes.h"
2011-03-22 22:34:22 +01:00
# include "smbd/smbd.h"
2006-09-18 02:27:48 +00:00
# include "nfs4_acls.h"
2010-06-03 16:09:31 +02:00
# include "librpc/gen_ndr/ndr_security.h"
2010-09-26 21:04:39 +02:00
# include "../libcli/security/dom_sid.h"
2010-10-18 15:55:47 +02:00
# include "../libcli/security/security.h"
2011-07-07 17:42:08 +02:00
# include "dbwrap/dbwrap.h"
2011-07-06 16:40:21 +02:00
# include "dbwrap/dbwrap_open.h"
2011-02-25 23:20:06 +01:00
# include "system/filesys.h"
2011-03-22 16:50:02 +01:00
# include "passdb/lookup_sid.h"
2011-05-05 11:25:29 +02:00
# include "util_tdb.h"
2011-06-29 15:33:54 +10:00
# include "lib/param/loadparm.h"
2006-09-18 02:27:48 +00:00
2008-01-16 12:18:57 +03:00
# undef DBGC_CLASS
# define DBGC_CLASS DBGC_ACLS
2006-09-18 02:27:48 +00:00
# define SMBACL4_PARAM_TYPE_NAME "nfs4"
2008-09-08 16:42:06 +02:00
extern const struct generic_mapping file_generic_mapping ;
2006-09-18 02:27:48 +00:00
# define SMB_ACE4_INT_MAGIC 0x76F8A967
typedef struct _SMB_ACE4_INT_T
{
2015-05-02 20:11:02 -07:00
uint32_t magic ;
2006-09-18 02:27:48 +00:00
SMB_ACE4PROP_T prop ;
void * next ;
} SMB_ACE4_INT_T ;
# define SMB_ACL4_INT_MAGIC 0x29A3E792
typedef struct _SMB_ACL4_INT_T
{
2015-05-02 20:11:02 -07:00
uint32_t magic ;
2014-01-20 15:12:42 +01:00
uint16_t controlflags ;
2015-05-02 20:11:02 -07:00
uint32_t naces ;
2006-09-18 02:27:48 +00:00
SMB_ACE4_INT_T * first ;
SMB_ACE4_INT_T * last ;
} SMB_ACL4_INT_T ;
2013-04-15 16:08:46 +02:00
enum smbacl4_mode_enum { e_simple = 0 , e_special = 1 } ;
enum smbacl4_acedup_enum { e_dontcare = 0 , e_reject = 1 , e_ignore = 2 , e_merge = 3 } ;
typedef struct _smbacl4_vfs_params {
enum smbacl4_mode_enum mode ;
bool do_chown ;
enum smbacl4_acedup_enum acedup ;
2013-06-20 14:33:30 -07:00
bool map_full_control ;
2013-04-15 16:08:46 +02:00
} smbacl4_vfs_params ;
/*
* Gather special parameters for NFS4 ACL handling
*/
static int smbacl4_get_vfs_params (
const char * type_name ,
2012-07-26 17:11:03 +02:00
struct connection_struct * conn ,
2013-04-15 16:08:46 +02:00
smbacl4_vfs_params * params
)
{
static const struct enum_list enum_smbacl4_modes [ ] = {
{ e_simple , " simple " } ,
{ e_special , " special " } ,
{ - 1 , NULL }
} ;
static const struct enum_list enum_smbacl4_acedups [ ] = {
{ e_dontcare , " dontcare " } ,
{ e_reject , " reject " } ,
{ e_ignore , " ignore " } ,
{ e_merge , " merge " } ,
{ - 1 , NULL }
} ;
2013-11-10 11:48:17 +01:00
int enumval ;
2013-04-15 16:08:46 +02:00
memset ( params , 0 , sizeof ( smbacl4_vfs_params ) ) ;
2013-11-10 11:48:17 +01:00
enumval = lp_parm_enum ( SNUM ( conn ) , type_name , " mode " ,
enum_smbacl4_modes , e_simple ) ;
if ( enumval = = - 1 ) {
DEBUG ( 10 , ( " value for %s:mode unknown \n " , type_name ) ) ;
return - 1 ;
}
params - > mode = ( enum smbacl4_mode_enum ) enumval ;
2012-07-26 17:11:03 +02:00
params - > do_chown = lp_parm_bool ( SNUM ( conn ) , type_name ,
2013-04-15 16:08:46 +02:00
" chown " , true ) ;
2013-11-10 11:48:17 +01:00
enumval = lp_parm_enum ( SNUM ( conn ) , type_name , " acedup " ,
enum_smbacl4_acedups , e_dontcare ) ;
if ( enumval = = - 1 ) {
DEBUG ( 10 , ( " value for %s:acedup unknown \n " , type_name ) ) ;
return - 1 ;
}
params - > acedup = ( enum smbacl4_acedup_enum ) enumval ;
2013-06-20 14:33:30 -07:00
params - > map_full_control = lp_acl_map_full_control ( SNUM ( conn ) ) ;
2013-04-15 16:08:46 +02:00
2013-06-20 14:33:30 -07:00
DEBUG ( 10 , ( " mode:%s, do_chown:%s, acedup: %s map full control:%s \n " ,
2013-04-15 16:08:46 +02:00
enum_smbacl4_modes [ params - > mode ] . name ,
params - > do_chown ? " true " : " false " ,
2013-06-20 14:33:30 -07:00
enum_smbacl4_acedups [ params - > acedup ] . name ,
params - > map_full_control ? " true " : " false " ) ) ;
2013-04-15 16:08:46 +02:00
return 0 ;
}
2011-05-31 15:37:30 -07:00
/************************************************
Split the ACE flag mapping between nfs4 and Windows
into two separate functions rather than trying to do
it inline . Allows us to carefully control what flags
are mapped to what in one place .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2011-09-15 23:35:05 +02:00
static uint32_t map_nfs4_ace_flags_to_windows_ace_flags (
uint32_t nfs4_ace_flags )
2011-05-31 15:37:30 -07:00
{
uint32_t win_ace_flags = 0 ;
/* The nfs4 flags <= 0xf map perfectly. */
win_ace_flags = nfs4_ace_flags & ( SEC_ACE_FLAG_OBJECT_INHERIT |
SEC_ACE_FLAG_CONTAINER_INHERIT |
SEC_ACE_FLAG_NO_PROPAGATE_INHERIT |
SEC_ACE_FLAG_INHERIT_ONLY ) ;
/* flags greater than 0xf have diverged :-(. */
/* See the nfs4 ace flag definitions here:
http : //www.ietf.org/rfc/rfc3530.txt.
And the Windows ace flag definitions here :
librpc / idl / security . idl . */
if ( nfs4_ace_flags & SMB_ACE4_INHERITED_ACE ) {
win_ace_flags | = SEC_ACE_FLAG_INHERITED_ACE ;
}
return win_ace_flags ;
}
static uint32_t map_windows_ace_flags_to_nfs4_ace_flags ( uint32_t win_ace_flags )
{
uint32_t nfs4_ace_flags = 0 ;
/* The windows flags <= 0xf map perfectly. */
nfs4_ace_flags = win_ace_flags & ( SMB_ACE4_FILE_INHERIT_ACE |
SMB_ACE4_DIRECTORY_INHERIT_ACE |
SMB_ACE4_NO_PROPAGATE_INHERIT_ACE |
SMB_ACE4_INHERIT_ONLY_ACE ) ;
/* flags greater than 0xf have diverged :-(. */
/* See the nfs4 ace flag definitions here:
http : //www.ietf.org/rfc/rfc3530.txt.
And the Windows ace flag definitions here :
librpc / idl / security . idl . */
if ( win_ace_flags & SEC_ACE_FLAG_INHERITED_ACE ) {
nfs4_ace_flags | = SMB_ACE4_INHERITED_ACE ;
}
return nfs4_ace_flags ;
}
2009-02-23 15:03:29 -08:00
static SMB_ACL4_INT_T * get_validated_aclint ( SMB4ACL_T * theacl )
2006-09-18 02:27:48 +00:00
{
2009-02-23 15:03:29 -08:00
SMB_ACL4_INT_T * aclint = ( SMB_ACL4_INT_T * ) theacl ;
if ( theacl = = NULL )
2006-09-18 02:27:48 +00:00
{
DEBUG ( 2 , ( " acl is NULL \n " ) ) ;
errno = EINVAL ;
return NULL ;
}
if ( aclint - > magic ! = SMB_ACL4_INT_MAGIC )
{
DEBUG ( 2 , ( " aclint bad magic 0x%x \n " , aclint - > magic ) ) ;
errno = EINVAL ;
return NULL ;
}
return aclint ;
}
static SMB_ACE4_INT_T * get_validated_aceint ( SMB4ACE_T * ace )
{
SMB_ACE4_INT_T * aceint = ( SMB_ACE4_INT_T * ) ace ;
if ( ace = = NULL )
{
DEBUG ( 2 , ( " ace is NULL \n " ) ) ;
errno = EINVAL ;
return NULL ;
}
if ( aceint - > magic ! = SMB_ACE4_INT_MAGIC )
{
DEBUG ( 2 , ( " aceint bad magic 0x%x \n " , aceint - > magic ) ) ;
errno = EINVAL ;
return NULL ;
}
return aceint ;
}
2013-04-14 18:13:42 +10:00
SMB4ACL_T * smb_create_smb4acl ( TALLOC_CTX * mem_ctx )
2006-09-18 02:27:48 +00:00
{
2011-09-15 23:35:05 +02:00
SMB_ACL4_INT_T * theacl = ( SMB_ACL4_INT_T * ) TALLOC_ZERO_SIZE (
mem_ctx , sizeof ( SMB_ACL4_INT_T ) ) ;
2009-02-23 15:03:29 -08:00
if ( theacl = = NULL )
2006-09-18 02:27:48 +00:00
{
2007-04-27 23:18:41 +00:00
DEBUG ( 0 , ( " TALLOC_SIZE failed \n " ) ) ;
2006-09-18 02:27:48 +00:00
errno = ENOMEM ;
return NULL ;
}
2009-02-23 15:03:29 -08:00
theacl - > magic = SMB_ACL4_INT_MAGIC ;
2014-01-20 15:12:42 +01:00
theacl - > controlflags = SEC_DESC_SELF_RELATIVE ;
2009-02-23 15:03:29 -08:00
/* theacl->first, last = NULL not needed */
return ( SMB4ACL_T * ) theacl ;
2006-09-18 02:27:48 +00:00
}
2009-02-23 15:03:29 -08:00
SMB4ACE_T * smb_add_ace4 ( SMB4ACL_T * theacl , SMB_ACE4PROP_T * prop )
2006-09-18 02:27:48 +00:00
{
2009-02-23 15:03:29 -08:00
SMB_ACL4_INT_T * aclint = get_validated_aclint ( theacl ) ;
2006-09-18 02:27:48 +00:00
SMB_ACE4_INT_T * ace ;
2011-09-15 23:35:05 +02:00
ace = ( SMB_ACE4_INT_T * ) TALLOC_ZERO_SIZE (
2012-11-05 18:47:01 +01:00
theacl , sizeof ( SMB_ACE4_INT_T ) ) ;
2006-09-18 02:27:48 +00:00
if ( ace = = NULL )
{
2007-04-27 23:18:41 +00:00
DEBUG ( 0 , ( " TALLOC_SIZE failed \n " ) ) ;
2006-09-18 02:27:48 +00:00
errno = ENOMEM ;
return NULL ;
}
ace - > magic = SMB_ACE4_INT_MAGIC ;
/* ace->next = NULL not needed */
memcpy ( & ace - > prop , prop , sizeof ( SMB_ACE4PROP_T ) ) ;
if ( aclint - > first = = NULL )
{
aclint - > first = ace ;
aclint - > last = ace ;
} else {
aclint - > last - > next = ( void * ) ace ;
aclint - > last = ace ;
}
aclint - > naces + + ;
return ( SMB4ACE_T * ) ace ;
}
SMB_ACE4PROP_T * smb_get_ace4 ( SMB4ACE_T * ace )
{
SMB_ACE4_INT_T * aceint = get_validated_aceint ( ace ) ;
if ( aceint = = NULL )
return NULL ;
return & aceint - > prop ;
}
SMB4ACE_T * smb_next_ace4 ( SMB4ACE_T * ace )
{
SMB_ACE4_INT_T * aceint = get_validated_aceint ( ace ) ;
if ( aceint = = NULL )
return NULL ;
return ( SMB4ACE_T * ) aceint - > next ;
}
2009-02-23 15:03:29 -08:00
SMB4ACE_T * smb_first_ace4 ( SMB4ACL_T * theacl )
2006-09-18 02:27:48 +00:00
{
2009-02-23 15:03:29 -08:00
SMB_ACL4_INT_T * aclint = get_validated_aclint ( theacl ) ;
2006-09-18 02:27:48 +00:00
if ( aclint = = NULL )
return NULL ;
return ( SMB4ACE_T * ) aclint - > first ;
}
2015-05-02 20:11:02 -07:00
uint32_t smb_get_naces ( SMB4ACL_T * theacl )
2006-09-18 02:27:48 +00:00
{
2009-02-23 15:03:29 -08:00
SMB_ACL4_INT_T * aclint = get_validated_aclint ( theacl ) ;
2006-09-18 02:27:48 +00:00
if ( aclint = = NULL )
return 0 ;
return aclint - > naces ;
}
2014-01-20 15:12:42 +01:00
uint16_t smbacl4_get_controlflags ( SMB4ACL_T * theacl )
{
SMB_ACL4_INT_T * aclint = get_validated_aclint ( theacl ) ;
if ( aclint = = NULL )
return 0 ;
return aclint - > controlflags ;
}
bool smbacl4_set_controlflags ( SMB4ACL_T * theacl , uint16_t controlflags )
{
SMB_ACL4_INT_T * aclint = get_validated_aclint ( theacl ) ;
if ( aclint = = NULL )
return false ;
aclint - > controlflags = controlflags ;
return true ;
}
2007-11-09 01:01:55 +01:00
static int smbacl4_GetFileOwner ( struct connection_struct * conn ,
const char * filename ,
SMB_STRUCT_STAT * psbuf )
2006-09-18 02:27:48 +00:00
{
memset ( psbuf , 0 , sizeof ( SMB_STRUCT_STAT ) ) ;
2007-11-09 01:01:55 +01:00
/* Get the stat struct for the owner info. */
2015-05-01 13:09:36 -07:00
if ( vfs_stat_smb_basename ( conn , filename , psbuf ) ! = 0 )
2007-11-09 01:01:55 +01:00
{
2015-05-01 13:09:36 -07:00
DEBUG ( 8 , ( " vfs_stat_smb_basename failed with error %s \n " ,
2007-11-09 01:01:55 +01:00
strerror ( errno ) ) ) ;
return - 1 ;
}
return 0 ;
}
static int smbacl4_fGetFileOwner ( files_struct * fsp , SMB_STRUCT_STAT * psbuf )
{
memset ( psbuf , 0 , sizeof ( SMB_STRUCT_STAT ) ) ;
2011-02-07 20:46:36 -08:00
if ( fsp - > fh - > fd = = - 1 ) {
2009-07-10 18:11:32 -07:00
return smbacl4_GetFileOwner ( fsp - > conn ,
fsp - > fsp_name - > base_name , psbuf ) ;
2007-11-09 01:01:55 +01:00
}
2008-01-07 13:21:26 +01:00
if ( SMB_VFS_FSTAT ( fsp , psbuf ) ! = 0 )
2007-11-09 01:01:55 +01:00
{
DEBUG ( 8 , ( " SMB_VFS_FSTAT failed with error %s \n " ,
strerror ( errno ) ) ) ;
return - 1 ;
2006-09-18 02:27:48 +00:00
}
return 0 ;
}
2012-07-26 17:29:12 +02:00
static bool smbacl4_nfs42win ( TALLOC_CTX * mem_ctx ,
smbacl4_vfs_params * params ,
SMB4ACL_T * theacl , /* in */
2010-05-21 11:25:01 +10:00
struct dom_sid * psid_owner , /* in */
struct dom_sid * psid_group , /* in */
2009-02-20 08:23:52 -08:00
bool is_directory , /* in */
2010-05-18 03:25:38 +02:00
struct security_ace * * ppnt_ace_list , /* out */
2006-09-18 02:27:48 +00:00
int * pgood_aces /* out */
)
{
2009-02-23 15:03:29 -08:00
SMB_ACL4_INT_T * aclint = ( SMB_ACL4_INT_T * ) theacl ;
2006-09-18 02:27:48 +00:00
SMB_ACE4_INT_T * aceint ;
2010-05-18 03:25:38 +02:00
struct security_ace * nt_ace_list = NULL ;
2006-09-18 02:27:48 +00:00
int good_aces = 0 ;
2015-02-05 12:47:22 +01:00
DEBUG ( 10 , ( " %s entered \n " , __func__ ) ) ;
2006-09-18 02:27:48 +00:00
2009-02-23 15:03:29 -08:00
aclint = get_validated_aclint ( theacl ) ;
2013-08-22 15:01:17 +02:00
/* We do not check for theacl being NULL here
because this is already checked in smb_get_nt_acl_nfs4 ( ) .
2012-04-25 15:10:20 +02:00
We reserve twice the number of input aces because one nfs4
ace might result in 2 nt aces . */
2011-09-15 23:35:05 +02:00
nt_ace_list = ( struct security_ace * ) TALLOC_ZERO_SIZE (
2012-04-25 15:10:20 +02:00
mem_ctx , 2 * aclint - > naces * sizeof ( struct security_ace ) ) ;
2007-06-02 06:28:38 +00:00
if ( nt_ace_list = = NULL )
{
2013-10-29 16:20:04 +01:00
DEBUG ( 10 , ( " talloc error with %d aces " , aclint - > naces ) ) ;
2007-06-02 06:28:38 +00:00
errno = ENOMEM ;
2013-05-07 13:58:26 -07:00
return false ;
2006-09-18 02:27:48 +00:00
}
2011-09-15 23:35:05 +02:00
for ( aceint = aclint - > first ;
aceint ! = NULL ;
aceint = ( SMB_ACE4_INT_T * ) aceint - > next ) {
2008-10-09 09:49:03 -07:00
uint32_t mask ;
2010-05-21 11:25:01 +10:00
struct dom_sid sid ;
2006-09-18 02:27:48 +00:00
SMB_ACE4PROP_T * ace = & aceint - > prop ;
2011-05-31 15:37:30 -07:00
uint32_t win_ace_flags ;
2006-09-18 02:27:48 +00:00
2011-09-15 23:35:05 +02:00
DEBUG ( 10 , ( " magic: 0x%x, type: %d, iflags: %x, flags: %x, "
" mask: %x, who: %d \n " ,
aceint - > magic , ace - > aceType , ace - > flags ,
ace - > aceFlags , ace - > aceMask , ace - > who . id ) ) ;
2006-09-18 02:27:48 +00:00
SMB_ASSERT ( aceint - > magic = = SMB_ACE4_INT_MAGIC ) ;
if ( ace - > flags & SMB_ACE4_ID_SPECIAL ) {
switch ( ace - > who . special_id ) {
case SMB_ACE4_WHO_OWNER :
sid_copy ( & sid , psid_owner ) ;
break ;
case SMB_ACE4_WHO_GROUP :
sid_copy ( & sid , psid_group ) ;
break ;
case SMB_ACE4_WHO_EVERYONE :
sid_copy ( & sid , & global_sid_World ) ;
break ;
default :
DEBUG ( 8 , ( " invalid special who id %d "
" ignored \n " , ace - > who . special_id ) ) ;
2012-04-25 15:10:54 +02:00
continue ;
2006-09-18 02:27:48 +00:00
}
} else {
if ( ace - > aceFlags & SMB_ACE4_IDENTIFIER_GROUP ) {
gid_to_sid ( & sid , ace - > who . gid ) ;
} else {
uid_to_sid ( & sid , ace - > who . uid ) ;
}
}
DEBUG ( 10 , ( " mapped %d to %s \n " , ace - > who . id ,
2007-12-15 21:11:36 +01:00
sid_string_dbg ( & sid ) ) ) ;
2006-09-18 02:27:48 +00:00
2009-02-20 08:23:52 -08:00
if ( is_directory & & ( ace - > aceMask & SMB_ACE4_ADD_FILE ) ) {
ace - > aceMask | = SMB_ACE4_DELETE_CHILD ;
}
2013-06-20 14:33:30 -07:00
if ( ! is_directory & & params - > map_full_control ) {
/*
* Do we have all access except DELETE_CHILD
* ( not caring about the delete bit ) .
*/
uint32_t test_mask = ( ( ace - > aceMask | SMB_ACE4_DELETE | SMB_ACE4_DELETE_CHILD ) &
SMB_ACE4_ALL_MASKS ) ;
if ( test_mask = = SMB_ACE4_ALL_MASKS ) {
ace - > aceMask | = SMB_ACE4_DELETE_CHILD ;
}
}
2011-09-15 23:35:05 +02:00
win_ace_flags = map_nfs4_ace_flags_to_windows_ace_flags (
ace - > aceFlags ) ;
if ( ! is_directory & &
( win_ace_flags & ( SEC_ACE_FLAG_OBJECT_INHERIT |
SEC_ACE_FLAG_CONTAINER_INHERIT ) ) ) {
2009-08-10 18:18:19 +02:00
/*
* GPFS sets inherits dir_inhert and file_inherit flags
* to files , too , which confuses windows , and seems to
* be wrong anyways . = = > Map these bits away for files .
*/
DEBUG ( 10 , ( " removing inherit flags from nfs4 ace \n " ) ) ;
2011-09-15 23:35:05 +02:00
win_ace_flags & = ~ ( SEC_ACE_FLAG_OBJECT_INHERIT |
SEC_ACE_FLAG_CONTAINER_INHERIT ) ;
2009-08-10 18:18:19 +02:00
}
2011-05-31 15:37:30 -07:00
DEBUG ( 10 , ( " Windows mapped ace flags: 0x%x => 0x%x \n " ,
ace - > aceFlags , win_ace_flags ) ) ;
2009-08-10 18:18:19 +02:00
2011-09-07 14:57:11 -07:00
mask = ace - > aceMask ;
2011-01-13 10:16:13 -08:00
/* Windows clients expect SYNC on acls to
correctly allow rename . See bug # 7909. */
2011-09-07 14:57:11 -07:00
/* But not on DENY ace entries. See
bug # 8442. */
if ( ace - > aceType = = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE ) {
2011-09-07 12:24:22 -07:00
mask = ace - > aceMask | SMB_ACE4_SYNCHRONIZE ;
}
2012-04-25 15:10:20 +02:00
/* Mapping of owner@ and group@ to creator owner and
creator group . Keep old behavior in mode special . */
if ( params - > mode ! = e_special & &
ace - > flags & SMB_ACE4_ID_SPECIAL & &
( ace - > who . special_id = = SMB_ACE4_WHO_OWNER | |
ace - > who . special_id = = SMB_ACE4_WHO_GROUP ) ) {
DEBUG ( 10 , ( " Map special entry \n " ) ) ;
if ( ! ( win_ace_flags & SEC_ACE_FLAG_INHERIT_ONLY ) ) {
uint32_t win_ace_flags_current ;
2013-05-17 15:14:58 +02:00
DEBUG ( 10 , ( " Map current sid \n " ) ) ;
2012-04-25 15:10:20 +02:00
win_ace_flags_current = win_ace_flags &
~ ( SEC_ACE_FLAG_OBJECT_INHERIT |
SEC_ACE_FLAG_CONTAINER_INHERIT ) ;
init_sec_ace ( & nt_ace_list [ good_aces + + ] , & sid ,
ace - > aceType , mask ,
win_ace_flags_current ) ;
}
if ( ace - > who . special_id = = SMB_ACE4_WHO_OWNER & &
win_ace_flags & ( SEC_ACE_FLAG_OBJECT_INHERIT |
SEC_ACE_FLAG_CONTAINER_INHERIT ) ) {
uint32_t win_ace_flags_creator ;
DEBUG ( 10 , ( " Map creator owner \n " ) ) ;
win_ace_flags_creator = win_ace_flags |
SMB_ACE4_INHERIT_ONLY_ACE ;
init_sec_ace ( & nt_ace_list [ good_aces + + ] ,
& global_sid_Creator_Owner ,
ace - > aceType , mask ,
win_ace_flags_creator ) ;
}
if ( ace - > who . special_id = = SMB_ACE4_WHO_GROUP & &
win_ace_flags & ( SEC_ACE_FLAG_OBJECT_INHERIT |
SEC_ACE_FLAG_CONTAINER_INHERIT ) ) {
uint32_t win_ace_flags_creator ;
DEBUG ( 10 , ( " Map creator owner group \n " ) ) ;
win_ace_flags_creator = win_ace_flags |
SMB_ACE4_INHERIT_ONLY_ACE ;
init_sec_ace ( & nt_ace_list [ good_aces + + ] ,
& global_sid_Creator_Group ,
ace - > aceType , mask ,
win_ace_flags_creator ) ;
}
} else {
DEBUG ( 10 , ( " Map normal sid \n " ) ) ;
init_sec_ace ( & nt_ace_list [ good_aces + + ] , & sid ,
ace - > aceType , mask ,
win_ace_flags ) ;
}
}
2013-10-29 16:20:04 +01:00
nt_ace_list = ( struct security_ace * )
TALLOC_REALLOC ( mem_ctx , nt_ace_list ,
good_aces * sizeof ( struct security_ace ) ) ;
/* returns a NULL ace list when good_aces is zero. */
if ( good_aces & & nt_ace_list = = NULL ) {
DEBUG ( 10 , ( " realloc error with %d aces " , good_aces ) ) ;
2012-04-25 15:10:20 +02:00
errno = ENOMEM ;
return false ;
2006-09-18 02:27:48 +00:00
}
* ppnt_ace_list = nt_ace_list ;
* pgood_aces = good_aces ;
2013-05-07 13:58:26 -07:00
return true ;
2006-09-18 02:27:48 +00:00
}
2007-11-15 00:46:20 +01:00
static NTSTATUS smb_get_nt_acl_nfs4_common ( const SMB_STRUCT_STAT * sbuf ,
2012-07-26 17:29:12 +02:00
smbacl4_vfs_params * params ,
2015-05-02 20:11:02 -07:00
uint32_t security_info ,
2012-07-26 17:29:12 +02:00
TALLOC_CTX * mem_ctx ,
struct security_descriptor * * ppdesc ,
SMB4ACL_T * theacl )
2006-09-18 02:27:48 +00:00
{
2012-07-26 17:29:12 +02:00
int good_aces = 0 ;
2010-05-21 11:25:01 +10:00
struct dom_sid sid_owner , sid_group ;
2006-09-18 02:27:48 +00:00
size_t sd_size = 0 ;
2010-05-18 03:25:38 +02:00
struct security_ace * nt_ace_list = NULL ;
2010-05-18 03:30:40 +02:00
struct security_acl * psa = NULL ;
2012-10-10 11:50:27 +11:00
TALLOC_CTX * frame = talloc_stackframe ( ) ;
2006-09-18 02:27:48 +00:00
2013-08-22 15:01:17 +02:00
if ( theacl = = NULL ) {
2013-04-14 18:13:42 +10:00
TALLOC_FREE ( frame ) ;
2007-10-13 21:06:49 +02:00
return NT_STATUS_ACCESS_DENIED ; /* special because we
2013-08-22 15:01:17 +02:00
* need to think through
* the null case . */
2013-04-14 18:13:42 +10:00
}
2006-09-18 02:27:48 +00:00
2009-05-14 15:34:42 +02:00
uid_to_sid ( & sid_owner , sbuf - > st_ex_uid ) ;
gid_to_sid ( & sid_group , sbuf - > st_ex_gid ) ;
2006-09-18 02:27:48 +00:00
2012-07-26 17:29:12 +02:00
if ( smbacl4_nfs42win ( mem_ctx , params , theacl , & sid_owner , & sid_group ,
2009-05-14 15:34:42 +02:00
S_ISDIR ( sbuf - > st_ex_mode ) ,
2013-08-22 15:01:17 +02:00
& nt_ace_list , & good_aces ) = = false ) {
2006-09-18 02:27:48 +00:00
DEBUG ( 8 , ( " smbacl4_nfs42win failed \n " ) ) ;
2012-10-10 11:50:27 +11:00
TALLOC_FREE ( frame ) ;
2007-10-13 21:06:49 +02:00
return map_nt_error_from_unix ( errno ) ;
2006-09-18 02:27:48 +00:00
}
2012-10-10 11:50:27 +11:00
psa = make_sec_acl ( frame , NT4_ACL_REVISION , good_aces , nt_ace_list ) ;
2006-09-18 02:27:48 +00:00
if ( psa = = NULL ) {
DEBUG ( 2 , ( " make_sec_acl failed \n " ) ) ;
2012-10-10 11:50:27 +11:00
TALLOC_FREE ( frame ) ;
2007-10-13 21:06:49 +02:00
return NT_STATUS_NO_MEMORY ;
2006-09-18 02:27:48 +00:00
}
DEBUG ( 10 , ( " after make sec_acl \n " ) ) ;
2011-09-15 23:35:05 +02:00
* ppdesc = make_sec_desc (
2014-01-20 15:12:42 +01:00
mem_ctx , SD_REVISION , smbacl4_get_controlflags ( theacl ) ,
2011-09-15 23:35:05 +02:00
( security_info & SECINFO_OWNER ) ? & sid_owner : NULL ,
( security_info & SECINFO_GROUP ) ? & sid_group : NULL ,
NULL , psa , & sd_size ) ;
2006-09-18 02:27:48 +00:00
if ( * ppdesc = = NULL ) {
DEBUG ( 2 , ( " make_sec_desc failed \n " ) ) ;
2012-10-10 11:50:27 +11:00
TALLOC_FREE ( frame ) ;
2007-10-13 21:06:49 +02:00
return NT_STATUS_NO_MEMORY ;
2006-09-18 02:27:48 +00:00
}
2011-09-15 23:35:05 +02:00
DEBUG ( 10 , ( " smb_get_nt_acl_nfs4_common successfully exited with "
" sd_size %d \n " ,
2010-06-03 16:09:31 +02:00
( int ) ndr_size_security_descriptor ( * ppdesc , 0 ) ) ) ;
2007-10-13 21:06:49 +02:00
2012-10-10 11:50:27 +11:00
TALLOC_FREE ( frame ) ;
2007-10-13 21:06:49 +02:00
return NT_STATUS_OK ;
2006-09-18 02:27:48 +00:00
}
2007-11-15 00:46:20 +01:00
NTSTATUS smb_fget_nt_acl_nfs4 ( files_struct * fsp ,
2015-05-02 20:11:02 -07:00
uint32_t security_info ,
2012-10-10 11:50:27 +11:00
TALLOC_CTX * mem_ctx ,
2011-09-15 23:35:05 +02:00
struct security_descriptor * * ppdesc ,
SMB4ACL_T * theacl )
2007-11-15 00:46:20 +01:00
{
SMB_STRUCT_STAT sbuf ;
2012-07-26 17:29:12 +02:00
smbacl4_vfs_params params ;
2007-11-15 00:46:20 +01:00
2009-07-10 18:11:32 -07:00
DEBUG ( 10 , ( " smb_fget_nt_acl_nfs4 invoked for %s \n " , fsp_str_dbg ( fsp ) ) ) ;
2007-11-15 00:46:20 +01:00
if ( smbacl4_fGetFileOwner ( fsp , & sbuf ) ) {
return map_nt_error_from_unix ( errno ) ;
}
2012-07-26 17:29:12 +02:00
/* Special behaviours */
if ( smbacl4_get_vfs_params ( SMBACL4_PARAM_TYPE_NAME , fsp - > conn , & params ) ) {
return NT_STATUS_NO_MEMORY ;
}
return smb_get_nt_acl_nfs4_common ( & sbuf , & params , security_info ,
mem_ctx , ppdesc , theacl ) ;
2007-11-15 00:46:20 +01:00
}
NTSTATUS smb_get_nt_acl_nfs4 ( struct connection_struct * conn ,
2011-09-15 23:35:05 +02:00
const char * name ,
2015-05-02 20:11:02 -07:00
uint32_t security_info ,
2012-10-10 11:50:27 +11:00
TALLOC_CTX * mem_ctx ,
2011-09-15 23:35:05 +02:00
struct security_descriptor * * ppdesc ,
SMB4ACL_T * theacl )
2007-11-15 00:46:20 +01:00
{
SMB_STRUCT_STAT sbuf ;
2012-07-26 17:29:12 +02:00
smbacl4_vfs_params params ;
2007-11-15 00:46:20 +01:00
DEBUG ( 10 , ( " smb_get_nt_acl_nfs4 invoked for %s \n " , name ) ) ;
if ( smbacl4_GetFileOwner ( conn , name , & sbuf ) ) {
return map_nt_error_from_unix ( errno ) ;
}
2012-07-26 17:29:12 +02:00
/* Special behaviours */
if ( smbacl4_get_vfs_params ( SMBACL4_PARAM_TYPE_NAME , conn , & params ) ) {
return NT_STATUS_NO_MEMORY ;
}
return smb_get_nt_acl_nfs4_common ( & sbuf , & params , security_info ,
mem_ctx , ppdesc , theacl ) ;
2007-11-15 00:46:20 +01:00
}
2009-02-23 15:03:29 -08:00
static void smbacl4_dump_nfs4acl ( int level , SMB4ACL_T * theacl )
2006-09-18 02:27:48 +00:00
{
2009-02-23 15:03:29 -08:00
SMB_ACL4_INT_T * aclint = get_validated_aclint ( theacl ) ;
2006-09-18 02:27:48 +00:00
SMB_ACE4_INT_T * aceint ;
DEBUG ( level , ( " NFS4ACL: size=%d \n " , aclint - > naces ) ) ;
2011-09-15 23:35:05 +02:00
for ( aceint = aclint - > first ;
aceint ! = NULL ;
aceint = ( SMB_ACE4_INT_T * ) aceint - > next ) {
2006-09-18 02:27:48 +00:00
SMB_ACE4PROP_T * ace = & aceint - > prop ;
2011-09-15 23:35:05 +02:00
DEBUG ( level , ( " \t ACE: type=%d, flags=0x%x, fflags=0x%x, "
" mask=0x%x, id=%d \n " ,
ace - > aceType ,
ace - > aceFlags , ace - > flags ,
ace - > aceMask ,
ace - > who . id ) ) ;
2006-09-18 02:27:48 +00:00
}
}
2013-05-02 16:50:55 +02:00
/*
2006-09-18 02:27:48 +00:00
* Find 2 NFS4 who - special ACE property ( non - copy ! ! ! )
* match nonzero if " special " and who is equal
* return ace if found matching ; otherwise NULL
*/
static SMB_ACE4PROP_T * smbacl4_find_equal_special (
2009-02-23 15:03:29 -08:00
SMB4ACL_T * theacl ,
2006-09-18 02:27:48 +00:00
SMB_ACE4PROP_T * aceNew )
{
2009-02-23 15:03:29 -08:00
SMB_ACL4_INT_T * aclint = get_validated_aclint ( theacl ) ;
2006-09-18 02:27:48 +00:00
SMB_ACE4_INT_T * aceint ;
2011-09-15 23:35:05 +02:00
for ( aceint = aclint - > first ; aceint ! = NULL ;
aceint = ( SMB_ACE4_INT_T * ) aceint - > next ) {
2006-09-18 02:27:48 +00:00
SMB_ACE4PROP_T * ace = & aceint - > prop ;
2012-07-26 17:29:12 +02:00
DEBUG ( 10 , ( " ace type:0x%x flags:0x%x aceFlags:0x%x "
2009-07-05 16:03:15 +02:00
" new type:0x%x flags:0x%x aceFlags:0x%x \n " ,
ace - > aceType , ace - > flags , ace - > aceFlags ,
aceNew - > aceType , aceNew - > flags , aceNew - > aceFlags ) ) ;
2006-09-18 02:27:48 +00:00
if ( ace - > flags = = aceNew - > flags & &
ace - > aceType = = aceNew - > aceType & &
2011-07-28 09:49:34 +02:00
ace - > aceFlags = = aceNew - > aceFlags )
{
2006-09-18 02:27:48 +00:00
/* keep type safety; e.g. gid is an u.short */
if ( ace - > flags & SMB_ACE4_ID_SPECIAL )
{
2011-09-15 23:35:05 +02:00
if ( ace - > who . special_id = =
aceNew - > who . special_id )
2006-09-18 02:27:48 +00:00
return ace ;
} else {
if ( ace - > aceFlags & SMB_ACE4_IDENTIFIER_GROUP )
{
if ( ace - > who . gid = = aceNew - > who . gid )
return ace ;
} else {
if ( ace - > who . uid = = aceNew - > who . uid )
return ace ;
}
}
}
}
return NULL ;
}
2008-01-16 12:18:57 +03:00
static bool smbacl4_fill_ace4 (
2012-10-09 09:41:41 +02:00
const struct smb_filename * filename ,
2006-09-18 02:27:48 +00:00
smbacl4_vfs_params * params ,
uid_t ownerUID ,
gid_t ownerGID ,
2010-05-18 03:25:38 +02:00
const struct security_ace * ace_nt , /* input */
2006-09-18 02:27:48 +00:00
SMB_ACE4PROP_T * ace_v4 /* output */
)
{
2007-12-15 21:11:36 +01:00
DEBUG ( 10 , ( " got ace for %s \n " , sid_string_dbg ( & ace_nt - > trustee ) ) ) ;
2006-09-18 02:27:48 +00:00
memset ( ace_v4 , 0 , sizeof ( SMB_ACE4PROP_T ) ) ;
2011-09-15 23:35:05 +02:00
/* only ACCESS|DENY supported right now */
ace_v4 - > aceType = ace_nt - > type ;
ace_v4 - > aceFlags = map_windows_ace_flags_to_nfs4_ace_flags (
ace_nt - > flags ) ;
2012-09-25 03:25:36 +02:00
/* remove inheritance flags on files */
2012-10-09 09:41:41 +02:00
if ( VALID_STAT ( filename - > st ) & &
! S_ISDIR ( filename - > st . st_ex_mode ) ) {
2012-09-25 03:25:36 +02:00
DEBUG ( 10 , ( " Removing inheritance flags from a file \n " ) ) ;
ace_v4 - > aceFlags & = ~ ( SMB_ACE4_FILE_INHERIT_ACE |
SMB_ACE4_DIRECTORY_INHERIT_ACE |
SMB_ACE4_NO_PROPAGATE_INHERIT_ACE |
SMB_ACE4_INHERIT_ONLY_ACE ) ;
}
2006-09-21 14:17:00 +00:00
ace_v4 - > aceMask = ace_nt - > access_mask &
2010-06-03 10:36:05 +02:00
( SEC_STD_ALL | SEC_FILE_ALL ) ;
2006-09-18 02:27:48 +00:00
2008-09-08 16:42:06 +02:00
se_map_generic ( & ace_v4 - > aceMask , & file_generic_mapping ) ;
2006-09-18 02:27:48 +00:00
if ( ace_v4 - > aceFlags ! = ace_nt - > flags )
DEBUG ( 9 , ( " ace_v4->aceFlags(0x%x)!=ace_nt->flags(0x%x) \n " ,
ace_v4 - > aceFlags , ace_nt - > flags ) ) ;
2006-09-21 14:17:00 +00:00
if ( ace_v4 - > aceMask ! = ace_nt - > access_mask )
DEBUG ( 9 , ( " ace_v4->aceMask(0x%x)!=ace_nt->access_mask(0x%x) \n " ,
ace_v4 - > aceMask , ace_nt - > access_mask ) ) ;
2006-09-18 02:27:48 +00:00
2010-09-26 21:04:39 +02:00
if ( dom_sid_equal ( & ace_nt - > trustee , & global_sid_World ) ) {
2006-09-18 02:27:48 +00:00
ace_v4 - > who . special_id = SMB_ACE4_WHO_EVERYONE ;
ace_v4 - > flags | = SMB_ACE4_ID_SPECIAL ;
2012-05-10 14:19:41 +02:00
} else if ( params - > mode ! = e_special & &
dom_sid_equal ( & ace_nt - > trustee ,
& global_sid_Creator_Owner ) ) {
DEBUG ( 10 , ( " Map creator owner \n " ) ) ;
ace_v4 - > who . special_id = SMB_ACE4_WHO_OWNER ;
ace_v4 - > flags | = SMB_ACE4_ID_SPECIAL ;
/* A non inheriting creator owner entry has no effect. */
ace_v4 - > aceFlags | = SMB_ACE4_INHERIT_ONLY_ACE ;
if ( ! ( ace_v4 - > aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE )
& & ! ( ace_v4 - > aceFlags & SMB_ACE4_FILE_INHERIT_ACE ) ) {
2013-05-07 13:58:26 -07:00
return false ;
2012-05-10 14:19:41 +02:00
}
} else if ( params - > mode ! = e_special & &
dom_sid_equal ( & ace_nt - > trustee ,
& global_sid_Creator_Group ) ) {
DEBUG ( 10 , ( " Map creator owner group \n " ) ) ;
ace_v4 - > who . special_id = SMB_ACE4_WHO_GROUP ;
ace_v4 - > flags | = SMB_ACE4_ID_SPECIAL ;
/* A non inheriting creator group entry has no effect. */
ace_v4 - > aceFlags | = SMB_ACE4_INHERIT_ONLY_ACE ;
if ( ! ( ace_v4 - > aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE )
& & ! ( ace_v4 - > aceFlags & SMB_ACE4_FILE_INHERIT_ACE ) ) {
2013-05-07 13:58:26 -07:00
return false ;
2012-05-10 14:19:41 +02:00
}
2006-09-18 02:27:48 +00:00
} else {
2008-01-16 12:18:57 +03:00
uid_t uid ;
gid_t gid ;
2011-09-15 23:24:51 +02:00
2012-05-07 08:48:24 +10:00
if ( sid_to_gid ( & ace_nt - > trustee , & gid ) ) {
2006-09-18 02:27:48 +00:00
ace_v4 - > aceFlags | = SMB_ACE4_IDENTIFIER_GROUP ;
2013-07-09 17:14:08 +02:00
ace_v4 - > who . gid = gid ;
2012-05-07 08:48:24 +10:00
} else if ( sid_to_uid ( & ace_nt - > trustee , & uid ) ) {
2013-07-09 17:14:08 +02:00
ace_v4 - > who . uid = uid ;
2014-11-26 18:01:37 +01:00
} else if ( dom_sid_compare_domain ( & ace_nt - > trustee ,
& global_sid_Unix_NFS ) = = 0 ) {
return false ;
2012-05-07 08:48:24 +10:00
} else {
DEBUG ( 1 , ( " nfs4_acls.c: file [%s]: could not "
2012-10-09 09:41:41 +02:00
" convert %s to uid or gid \n " ,
filename - > base_name ,
2012-05-07 08:48:24 +10:00
sid_string_dbg ( & ace_nt - > trustee ) ) ) ;
2013-05-07 13:58:26 -07:00
return false ;
2006-09-18 02:27:48 +00:00
}
}
2013-05-07 13:58:26 -07:00
return true ; /* OK */
2006-09-18 02:27:48 +00:00
}
static int smbacl4_MergeIgnoreReject (
enum smbacl4_acedup_enum acedup ,
2009-02-23 15:03:29 -08:00
SMB4ACL_T * theacl , /* may modify it */
2006-09-18 02:27:48 +00:00
SMB_ACE4PROP_T * ace , /* the "new" ACE */
2007-10-18 17:40:25 -07:00
bool * paddNewACE ,
2006-09-18 02:27:48 +00:00
int i
)
{
int result = 0 ;
2009-02-23 15:03:29 -08:00
SMB_ACE4PROP_T * ace4found = smbacl4_find_equal_special ( theacl , ace ) ;
2006-09-18 02:27:48 +00:00
if ( ace4found )
{
switch ( acedup )
{
case e_merge : /* "merge" flags */
2013-05-07 13:58:26 -07:00
* paddNewACE = false ;
2006-09-18 02:27:48 +00:00
ace4found - > aceFlags | = ace - > aceFlags ;
ace4found - > aceMask | = ace - > aceMask ;
break ;
case e_ignore : /* leave out this record */
2013-05-07 13:58:26 -07:00
* paddNewACE = false ;
2006-09-18 02:27:48 +00:00
break ;
case e_reject : /* do an error */
DEBUG ( 8 , ( " ACL rejected by duplicate nt ace#%d \n " , i ) ) ;
errno = EINVAL ; /* SHOULD be set on any _real_ error */
result = - 1 ;
break ;
default :
break ;
}
}
return result ;
}
2013-05-02 16:50:55 +02:00
static int smbacl4_substitute_special (
SMB4ACL_T * theacl ,
uid_t ownerUID ,
gid_t ownerGID
)
{
SMB_ACL4_INT_T * aclint = get_validated_aclint ( theacl ) ;
SMB_ACE4_INT_T * aceint ;
for ( aceint = aclint - > first ; aceint ! = NULL ; aceint = ( SMB_ACE4_INT_T * ) aceint - > next ) {
SMB_ACE4PROP_T * ace = & aceint - > prop ;
DEBUG ( 10 , ( " ace type: %d, iflags: %x, flags: %x, "
" mask: %x, who: %d \n " ,
ace - > aceType , ace - > flags , ace - > aceFlags ,
ace - > aceMask , ace - > who . id ) ) ;
if ( ! ( ace - > flags & SMB_ACE4_ID_SPECIAL ) & &
! ( ace - > aceFlags & SMB_ACE4_IDENTIFIER_GROUP ) & &
ace - > who . uid = = ownerUID ) {
ace - > flags | = SMB_ACE4_ID_SPECIAL ;
ace - > who . special_id = SMB_ACE4_WHO_OWNER ;
DEBUG ( 10 , ( " replaced with special owner ace \n " ) ) ;
}
if ( ! ( ace - > flags & SMB_ACE4_ID_SPECIAL ) & &
ace - > aceFlags & SMB_ACE4_IDENTIFIER_GROUP & &
ace - > who . uid = = ownerGID ) {
ace - > flags | = SMB_ACE4_ID_SPECIAL ;
ace - > who . special_id = SMB_ACE4_WHO_GROUP ;
DEBUG ( 10 , ( " replaced with special group ace \n " ) ) ;
}
}
2013-05-07 13:58:26 -07:00
return true ; /* OK */
2013-05-02 16:50:55 +02:00
}
2013-05-02 16:53:35 +02:00
static int smbacl4_substitute_simple (
SMB4ACL_T * theacl ,
uid_t ownerUID ,
gid_t ownerGID
)
{
SMB_ACL4_INT_T * aclint = get_validated_aclint ( theacl ) ;
SMB_ACE4_INT_T * aceint ;
for ( aceint = aclint - > first ; aceint ! = NULL ; aceint = ( SMB_ACE4_INT_T * ) aceint - > next ) {
SMB_ACE4PROP_T * ace = & aceint - > prop ;
DEBUG ( 10 , ( " ace type: %d, iflags: %x, flags: %x, "
" mask: %x, who: %d \n " ,
ace - > aceType , ace - > flags , ace - > aceFlags ,
ace - > aceMask , ace - > who . id ) ) ;
if ( ! ( ace - > flags & SMB_ACE4_ID_SPECIAL ) & &
! ( ace - > aceFlags & SMB_ACE4_IDENTIFIER_GROUP ) & &
ace - > who . uid = = ownerUID & &
! ( ace - > aceFlags & SMB_ACE4_INHERIT_ONLY_ACE ) & &
! ( ace - > aceFlags & SMB_ACE4_FILE_INHERIT_ACE ) & &
! ( ace - > aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE ) ) {
ace - > flags | = SMB_ACE4_ID_SPECIAL ;
ace - > who . special_id = SMB_ACE4_WHO_OWNER ;
DEBUG ( 10 , ( " replaced with special owner ace \n " ) ) ;
}
if ( ! ( ace - > flags & SMB_ACE4_ID_SPECIAL ) & &
ace - > aceFlags & SMB_ACE4_IDENTIFIER_GROUP & &
ace - > who . uid = = ownerGID & &
! ( ace - > aceFlags & SMB_ACE4_INHERIT_ONLY_ACE ) & &
! ( ace - > aceFlags & SMB_ACE4_FILE_INHERIT_ACE ) & &
! ( ace - > aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE ) ) {
ace - > flags | = SMB_ACE4_ID_SPECIAL ;
ace - > who . special_id = SMB_ACE4_WHO_GROUP ;
DEBUG ( 10 , ( " replaced with special group ace \n " ) ) ;
}
}
2013-05-07 13:58:26 -07:00
return true ; /* OK */
2013-05-02 16:53:35 +02:00
}
2006-09-18 02:27:48 +00:00
static SMB4ACL_T * smbacl4_win2nfs4 (
2013-04-14 18:13:42 +10:00
TALLOC_CTX * mem_ctx ,
2012-09-25 01:34:04 +02:00
const files_struct * fsp ,
2010-05-18 03:30:40 +02:00
const struct security_acl * dacl ,
2006-09-18 02:27:48 +00:00
smbacl4_vfs_params * pparams ,
uid_t ownerUID ,
gid_t ownerGID
)
{
2009-02-23 15:03:29 -08:00
SMB4ACL_T * theacl ;
2015-05-02 20:11:02 -07:00
uint32_t i ;
2012-09-25 01:34:04 +02:00
const char * filename = fsp - > fsp_name - > base_name ;
2006-09-18 02:27:48 +00:00
DEBUG ( 10 , ( " smbacl4_win2nfs4 invoked \n " ) ) ;
2013-04-14 18:13:42 +10:00
theacl = smb_create_smb4acl ( mem_ctx ) ;
2009-02-23 15:03:29 -08:00
if ( theacl = = NULL )
2006-09-18 02:27:48 +00:00
return NULL ;
for ( i = 0 ; i < dacl - > num_aces ; i + + ) {
SMB_ACE4PROP_T ace_v4 ;
2013-05-07 13:58:26 -07:00
bool addNewACE = true ;
2006-09-18 02:27:48 +00:00
2012-11-05 18:49:54 +01:00
if ( ! smbacl4_fill_ace4 ( fsp - > fsp_name , pparams ,
2008-01-16 12:18:57 +03:00
ownerUID , ownerGID ,
dacl - > aces + i , & ace_v4 ) ) {
DEBUG ( 3 , ( " Could not fill ace for file %s, SID %s \n " ,
filename ,
sid_string_dbg ( & ( ( dacl - > aces + i ) - > trustee ) ) ) ) ;
continue ;
}
2006-09-18 02:27:48 +00:00
if ( pparams - > acedup ! = e_dontcare ) {
2009-02-23 15:03:29 -08:00
if ( smbacl4_MergeIgnoreReject ( pparams - > acedup , theacl ,
2006-09-18 02:27:48 +00:00
& ace_v4 , & addNewACE , i ) )
return NULL ;
}
if ( addNewACE )
2009-02-23 15:03:29 -08:00
smb_add_ace4 ( theacl , & ace_v4 ) ;
2006-09-18 02:27:48 +00:00
}
2013-05-02 16:53:35 +02:00
if ( pparams - > mode = = e_simple ) {
smbacl4_substitute_simple ( theacl , ownerUID , ownerGID ) ;
}
2013-05-02 16:50:55 +02:00
if ( pparams - > mode = = e_special ) {
smbacl4_substitute_special ( theacl , ownerUID , ownerGID ) ;
}
2009-02-23 15:03:29 -08:00
return theacl ;
2006-09-18 02:27:48 +00:00
}
2013-04-14 17:31:42 +10:00
NTSTATUS smb_set_nt_acl_nfs4 ( vfs_handle_struct * handle , files_struct * fsp ,
2015-05-02 20:11:02 -07:00
uint32_t security_info_sent ,
2010-05-18 10:29:34 +02:00
const struct security_descriptor * psd ,
2006-09-18 02:27:48 +00:00
set_nfs4acl_native_fn_t set_nfs4_native )
{
smbacl4_vfs_params params ;
2009-02-23 15:03:29 -08:00
SMB4ACL_T * theacl = NULL ;
2007-10-18 17:40:25 -07:00
bool result ;
2006-09-18 02:27:48 +00:00
SMB_STRUCT_STAT sbuf ;
2009-01-22 16:21:02 -08:00
bool set_acl_as_root = false ;
2006-09-18 02:27:48 +00:00
uid_t newUID = ( uid_t ) - 1 ;
gid_t newGID = ( gid_t ) - 1 ;
2009-01-22 16:21:02 -08:00
int saved_errno ;
2013-04-14 18:13:42 +10:00
TALLOC_CTX * frame = talloc_stackframe ( ) ;
2006-09-18 02:27:48 +00:00
2009-07-10 18:11:32 -07:00
DEBUG ( 10 , ( " smb_set_nt_acl_nfs4 invoked for %s \n " , fsp_str_dbg ( fsp ) ) ) ;
2006-09-18 02:27:48 +00:00
2010-06-02 23:35:44 +02:00
if ( ( security_info_sent & ( SECINFO_DACL |
2010-06-02 23:25:18 +02:00
SECINFO_GROUP | SECINFO_OWNER ) ) = = 0 )
2006-09-18 02:27:48 +00:00
{
DEBUG ( 9 , ( " security_info_sent (0x%x) ignored \n " ,
security_info_sent ) ) ;
2013-04-14 18:13:42 +10:00
TALLOC_FREE ( frame ) ;
2011-09-15 23:35:05 +02:00
return NT_STATUS_OK ; /* won't show error - later to be
* refined . . . */
2006-09-18 02:27:48 +00:00
}
/* Special behaviours */
2012-07-26 17:11:03 +02:00
if ( smbacl4_get_vfs_params ( SMBACL4_PARAM_TYPE_NAME ,
fsp - > conn , & params ) ) {
2013-04-14 18:13:42 +10:00
TALLOC_FREE ( frame ) ;
2007-06-26 22:49:10 +00:00
return NT_STATUS_NO_MEMORY ;
2013-04-14 18:13:42 +10:00
}
2006-09-18 02:27:48 +00:00
2013-04-14 18:13:42 +10:00
if ( smbacl4_fGetFileOwner ( fsp , & sbuf ) ) {
TALLOC_FREE ( frame ) ;
2007-06-26 22:49:10 +00:00
return map_nt_error_from_unix ( errno ) ;
2013-04-14 18:13:42 +10:00
}
2006-09-18 02:27:48 +00:00
2007-03-20 08:17:27 +00:00
if ( params . do_chown ) {
/* chown logic is a copy/paste from posix_acl.c:set_nt_acl */
2011-09-15 23:35:05 +02:00
NTSTATUS status = unpack_nt_owners ( fsp - > conn , & newUID , & newGID ,
security_info_sent , psd ) ;
2007-06-26 22:49:10 +00:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2007-03-20 08:17:27 +00:00
DEBUG ( 8 , ( " unpack_nt_owners failed " ) ) ;
2013-04-14 18:13:42 +10:00
TALLOC_FREE ( frame ) ;
2007-06-26 22:49:10 +00:00
return status ;
2007-03-20 08:17:27 +00:00
}
2009-05-14 15:34:42 +02:00
if ( ( ( newUID ! = ( uid_t ) - 1 ) & & ( sbuf . st_ex_uid ! = newUID ) ) | |
( ( newGID ! = ( gid_t ) - 1 ) & & ( sbuf . st_ex_gid ! = newGID ) ) ) {
2009-07-08 12:24:03 -07:00
2011-02-04 17:48:10 -08:00
status = try_chown ( fsp , newUID , newGID ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2009-07-10 18:11:32 -07:00
DEBUG ( 3 , ( " chown %s, %u, %u failed. Error = "
" %s. \n " , fsp_str_dbg ( fsp ) ,
( unsigned int ) newUID ,
( unsigned int ) newGID ,
2011-02-04 17:48:10 -08:00
nt_errstr ( status ) ) ) ;
2013-04-14 18:13:42 +10:00
TALLOC_FREE ( frame ) ;
2011-02-04 17:48:10 -08:00
return status ;
2006-09-18 02:27:48 +00:00
}
2009-01-22 16:21:02 -08:00
DEBUG ( 10 , ( " chown %s, %u, %u succeeded. \n " ,
2009-07-10 18:11:32 -07:00
fsp_str_dbg ( fsp ) , ( unsigned int ) newUID ,
( unsigned int ) newGID ) ) ;
if ( smbacl4_GetFileOwner ( fsp - > conn ,
fsp - > fsp_name - > base_name ,
2013-08-26 12:31:49 +05:30
& sbuf ) ) {
2013-04-14 18:13:42 +10:00
TALLOC_FREE ( frame ) ;
2009-01-22 16:21:02 -08:00
return map_nt_error_from_unix ( errno ) ;
2013-08-26 12:31:49 +05:30
}
2009-01-22 16:21:02 -08:00
/* If we successfully chowned, we know we must
* be able to set the acl , so do it as root .
*/
set_acl_as_root = true ;
2006-09-18 02:27:48 +00:00
}
}
2010-06-02 23:35:44 +02:00
if ( ! ( security_info_sent & SECINFO_DACL ) | | psd - > dacl = = NULL ) {
2011-09-15 23:35:05 +02:00
DEBUG ( 10 , ( " no dacl found; security_info_sent = 0x%x \n " ,
security_info_sent ) ) ;
2013-04-14 18:13:42 +10:00
TALLOC_FREE ( frame ) ;
2009-01-22 16:21:02 -08:00
return NT_STATUS_OK ;
}
2006-09-18 02:27:48 +00:00
2013-04-14 18:13:42 +10:00
theacl = smbacl4_win2nfs4 ( frame , fsp , psd - > dacl , & params ,
2009-05-24 22:17:58 +02:00
sbuf . st_ex_uid , sbuf . st_ex_gid ) ;
2013-04-14 18:13:42 +10:00
if ( ! theacl ) {
TALLOC_FREE ( frame ) ;
2009-01-22 16:21:02 -08:00
return map_nt_error_from_unix ( errno ) ;
2013-04-14 18:13:42 +10:00
}
2006-09-18 02:27:48 +00:00
2014-01-20 15:12:42 +01:00
smbacl4_set_controlflags ( theacl , psd - > type ) ;
2009-02-23 15:03:29 -08:00
smbacl4_dump_nfs4acl ( 10 , theacl ) ;
2006-09-18 02:27:48 +00:00
2009-01-22 16:21:02 -08:00
if ( set_acl_as_root ) {
become_root ( ) ;
}
2013-04-14 17:31:42 +10:00
result = set_nfs4_native ( handle , fsp , theacl ) ;
2009-01-22 16:21:02 -08:00
saved_errno = errno ;
if ( set_acl_as_root ) {
unbecome_root ( ) ;
}
2013-04-14 18:13:42 +10:00
TALLOC_FREE ( frame ) ;
2013-05-07 13:58:26 -07:00
if ( result ! = true ) {
2009-01-22 16:21:02 -08:00
errno = saved_errno ;
2011-09-15 23:35:05 +02:00
DEBUG ( 10 , ( " set_nfs4_native failed with %s \n " ,
strerror ( errno ) ) ) ;
2009-01-22 16:21:02 -08:00
return map_nt_error_from_unix ( errno ) ;
2008-01-16 12:18:57 +03:00
}
2006-09-18 02:27:48 +00:00
DEBUG ( 10 , ( " smb_set_nt_acl_nfs4 succeeded \n " ) ) ;
2007-06-26 22:49:10 +00:00
return NT_STATUS_OK ;
2006-09-18 02:27:48 +00:00
}