2006-02-03 22:19:41 +00:00
/*
* Unix SMB / Netbios implementation .
* SEC_DESC handling functions
* Copyright ( C ) Jeremy R . Allison 1995 - 2003.
*
* This program is free software ; you can redistribute it and / or modify
* it under the terms of the GNU General Public License as published by
2007-07-09 19:25:36 +00:00
* the Free Software Foundation ; either version 3 of the License , or
2006-02-03 22:19:41 +00:00
* ( at your option ) any later version .
*
* This program is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
* GNU General Public License for more details .
*
* You should have received a copy of the GNU General Public License
2007-07-10 05:23:25 +00:00
* along with this program ; if not , see < http : //www.gnu.org/licenses/>.
2006-02-03 22:19:41 +00:00
*/
# include "includes.h"
/*******************************************************************
Create the share security tdb .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-03-27 23:10:57 +01:00
static struct db_context * share_db ; /* used for share security descriptors */
2006-02-03 22:19:41 +00:00
# define SHARE_DATABASE_VERSION_V1 1
# define SHARE_DATABASE_VERSION_V2 2 /* version id in little endian. */
/* Map generic permissions to file object specific permissions */
2008-09-08 16:23:36 +02:00
extern const struct generic_mapping file_generic_mapping ;
2006-02-03 22:19:41 +00:00
2008-03-27 23:10:57 +01:00
static int delete_fn ( struct db_record * rec , void * priv )
{
rec - > delete_rec ( rec ) ;
return 0 ;
}
2006-02-03 22:19:41 +00:00
2007-11-24 22:50:36 +01:00
static bool share_info_db_init ( void )
2006-02-03 22:19:41 +00:00
{
const char * vstring = " INFO/version " ;
int32 vers_id ;
2008-12-28 17:16:28 -08:00
2008-03-27 23:10:57 +01:00
if ( share_db ! = NULL ) {
2006-02-03 22:19:41 +00:00
return True ;
}
2008-08-07 16:20:05 +10:00
share_db = db_open ( NULL , state_path ( " share_info.tdb " ) , 0 ,
2008-03-28 08:27:11 +01:00
TDB_DEFAULT , O_RDWR | O_CREAT , 0600 ) ;
2008-03-27 23:10:57 +01:00
if ( share_db = = NULL ) {
2006-02-03 22:19:41 +00:00
DEBUG ( 0 , ( " Failed to open share info database %s (%s) \n " ,
2007-11-01 15:53:44 -04:00
state_path ( " share_info.tdb " ) , strerror ( errno ) ) ) ;
2006-02-03 22:19:41 +00:00
return False ;
}
2008-12-28 17:16:28 -08:00
2008-03-27 23:10:57 +01:00
vers_id = dbwrap_fetch_int32 ( share_db , vstring ) ;
if ( vers_id = = SHARE_DATABASE_VERSION_V2 ) {
return true ;
}
if ( share_db - > transaction_start ( share_db ) ! = 0 ) {
DEBUG ( 0 , ( " transaction_start failed \n " ) ) ;
TALLOC_FREE ( share_db ) ;
return false ;
}
vers_id = dbwrap_fetch_int32 ( share_db , vstring ) ;
if ( vers_id = = SHARE_DATABASE_VERSION_V2 ) {
/*
* Race condition
*/
if ( share_db - > transaction_cancel ( share_db ) ) {
smb_panic ( " transaction_cancel failed " ) ;
}
return true ;
}
2006-02-03 22:19:41 +00:00
/* Cope with byte-reversed older versions of the db. */
if ( ( vers_id = = SHARE_DATABASE_VERSION_V1 ) | | ( IREV ( vers_id ) = = SHARE_DATABASE_VERSION_V1 ) ) {
/* Written on a bigendian machine with old fetch_int code. Save as le. */
2008-03-27 23:10:57 +01:00
if ( dbwrap_store_int32 ( share_db , vstring ,
SHARE_DATABASE_VERSION_V2 ) ! = 0 ) {
DEBUG ( 0 , ( " dbwrap_store_int32 failed \n " ) ) ;
goto cancel ;
}
2006-02-03 22:19:41 +00:00
vers_id = SHARE_DATABASE_VERSION_V2 ;
}
if ( vers_id ! = SHARE_DATABASE_VERSION_V2 ) {
2008-04-15 00:18:34 +02:00
int ret ;
ret = share_db - > traverse ( share_db , delete_fn , NULL ) ;
if ( ret < 0 ) {
DEBUG ( 0 , ( " traverse failed \n " ) ) ;
2008-03-27 23:10:57 +01:00
goto cancel ;
}
if ( dbwrap_store_int32 ( share_db , vstring ,
SHARE_DATABASE_VERSION_V2 ) ! = 0 ) {
DEBUG ( 0 , ( " dbwrap_store_int32 failed \n " ) ) ;
goto cancel ;
}
2006-02-03 22:19:41 +00:00
}
2008-03-27 23:10:57 +01:00
if ( share_db - > transaction_commit ( share_db ) ! = 0 ) {
DEBUG ( 0 , ( " transaction_commit failed \n " ) ) ;
2008-08-08 11:42:06 +10:00
return false ;
2008-03-27 23:10:57 +01:00
}
return true ;
cancel :
if ( share_db - > transaction_cancel ( share_db ) ) {
smb_panic ( " transaction_cancel failed " ) ;
}
return false ;
2006-02-03 22:19:41 +00:00
}
/*******************************************************************
Fake up a Everyone , default access as a default .
def_access is a GENERIC_XXX access mode .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
SEC_DESC * get_share_security_default ( TALLOC_CTX * ctx , size_t * psize , uint32 def_access )
{
2008-10-09 09:49:03 -07:00
uint32_t sa ;
2006-02-03 22:19:41 +00:00
SEC_ACE ace ;
SEC_ACL * psa = NULL ;
SEC_DESC * psd = NULL ;
uint32 spec_access = def_access ;
se_map_generic ( & spec_access , & file_generic_mapping ) ;
2008-10-09 09:49:03 -07:00
sa = ( def_access | spec_access ) ;
2006-02-03 22:19:41 +00:00
init_sec_ace ( & ace , & global_sid_World , SEC_ACE_TYPE_ACCESS_ALLOWED , sa , 0 ) ;
if ( ( psa = make_sec_acl ( ctx , NT4_ACL_REVISION , 1 , & ace ) ) ! = NULL ) {
2007-12-20 22:27:01 +01:00
psd = make_sec_desc ( ctx , SECURITY_DESCRIPTOR_REVISION_1 ,
SEC_DESC_SELF_RELATIVE , NULL , NULL , NULL ,
psa , psize ) ;
2006-02-03 22:19:41 +00:00
}
if ( ! psd ) {
DEBUG ( 0 , ( " get_share_security: Failed to make SEC_DESC. \n " ) ) ;
return NULL ;
}
return psd ;
}
/*******************************************************************
Pull a security descriptor from the share tdb .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-07-14 17:46:06 +00:00
SEC_DESC * get_share_security ( TALLOC_CTX * ctx , const char * servicename ,
size_t * psize )
2006-02-03 22:19:41 +00:00
{
2007-10-07 12:56:43 +00:00
char * key ;
2006-02-03 22:19:41 +00:00
SEC_DESC * psd = NULL ;
2007-10-07 12:56:43 +00:00
TDB_DATA data ;
NTSTATUS status ;
2006-02-03 22:19:41 +00:00
if ( ! share_info_db_init ( ) ) {
return NULL ;
}
2007-10-07 12:56:43 +00:00
if ( ! ( key = talloc_asprintf ( ctx , " SECDESC/%s " , servicename ) ) ) {
DEBUG ( 0 , ( " talloc_asprintf failed \n " ) ) ;
return NULL ;
}
2006-02-03 22:19:41 +00:00
2008-03-27 23:10:57 +01:00
data = dbwrap_fetch_bystring ( share_db , talloc_tos ( ) , key ) ;
2007-10-07 12:56:43 +00:00
TALLOC_FREE ( key ) ;
if ( data . dptr = = NULL ) {
return get_share_security_default ( ctx , psize ,
GENERIC_ALL_ACCESS ) ;
}
status = unmarshall_sec_desc ( ctx , data . dptr , data . dsize , & psd ) ;
2008-03-27 23:10:57 +01:00
TALLOC_FREE ( data . dptr ) ;
2008-03-27 22:54:10 +01:00
2007-10-07 12:56:43 +00:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 0 , ( " unmarshall_sec_desc failed: %s \n " ,
nt_errstr ( status ) ) ) ;
return NULL ;
2006-02-03 22:19:41 +00:00
}
if ( psd )
2009-01-01 04:45:33 +01:00
* psize = ndr_size_security_descriptor ( psd , NULL , 0 ) ;
2006-02-03 22:19:41 +00:00
return psd ;
}
/*******************************************************************
Store a security descriptor in the share db .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-10-18 17:40:25 -07:00
bool set_share_security ( const char * share_name , SEC_DESC * psd )
2006-02-03 22:19:41 +00:00
{
2007-10-07 12:56:43 +00:00
TALLOC_CTX * frame ;
char * key ;
2007-10-18 17:40:25 -07:00
bool ret = False ;
2007-10-07 12:56:43 +00:00
TDB_DATA blob ;
NTSTATUS status ;
2006-02-03 22:19:41 +00:00
if ( ! share_info_db_init ( ) ) {
return False ;
}
2007-10-07 12:56:43 +00:00
frame = talloc_stackframe ( ) ;
2006-02-03 22:19:41 +00:00
2007-10-07 12:56:43 +00:00
status = marshall_sec_desc ( frame , psd , & blob . dptr , & blob . dsize ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 0 , ( " marshall_sec_desc failed: %s \n " ,
nt_errstr ( status ) ) ) ;
2006-02-03 22:19:41 +00:00
goto out ;
2007-10-07 12:56:43 +00:00
}
if ( ! ( key = talloc_asprintf ( frame , " SECDESC/%s " , share_name ) ) ) {
DEBUG ( 0 , ( " talloc_asprintf failed \n " ) ) ;
goto out ;
}
2008-03-28 11:53:00 +01:00
status = dbwrap_trans_store ( share_db , string_term_tdb_data ( key ) , blob ,
TDB_REPLACE ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 1 , ( " set_share_security: Failed to store secdesc for "
" %s: %s \n " , share_name , nt_errstr ( status ) ) ) ;
2007-10-07 12:56:43 +00:00
goto out ;
}
DEBUG ( 5 , ( " set_share_security: stored secdesc for %s \n " , share_name ) ) ;
ret = True ;
out :
TALLOC_FREE ( frame ) ;
2006-02-03 22:19:41 +00:00
return ret ;
}
/*******************************************************************
Delete a security descriptor .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-10-18 17:40:25 -07:00
bool delete_share_security ( const char * servicename )
2006-02-03 22:19:41 +00:00
{
TDB_DATA kbuf ;
2007-10-07 17:58:48 +00:00
char * key ;
2008-03-28 11:57:54 +01:00
NTSTATUS status ;
2006-02-03 22:19:41 +00:00
2008-12-28 17:16:28 -08:00
if ( ! share_info_db_init ( ) ) {
return False ;
}
2007-10-07 17:58:48 +00:00
if ( ! ( key = talloc_asprintf ( talloc_tos ( ) , " SECDESC/%s " ,
servicename ) ) ) {
return False ;
}
2007-03-29 07:30:22 +00:00
kbuf = string_term_tdb_data ( key ) ;
2006-02-03 22:19:41 +00:00
2008-03-28 11:57:54 +01:00
status = dbwrap_trans_delete ( share_db , kbuf ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2007-10-07 17:58:48 +00:00
DEBUG ( 0 , ( " delete_share_security: Failed to delete entry for "
2008-03-28 11:57:54 +01:00
" share %s: %s \n " , servicename , nt_errstr ( status ) ) ) ;
2006-02-03 22:19:41 +00:00
return False ;
}
return True ;
}
2006-07-17 19:53:15 +00:00
/*******************************************************************
Can this user access with share with the required permissions ?
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-10-18 17:40:25 -07:00
bool share_access_check ( const NT_USER_TOKEN * token , const char * sharename ,
2006-07-17 19:53:15 +00:00
uint32 desired_access )
{
uint32 granted ;
NTSTATUS status ;
SEC_DESC * psd = NULL ;
size_t sd_size ;
2008-01-06 14:17:15 +01:00
psd = get_share_security ( talloc_tos ( ) , sharename , & sd_size ) ;
2006-07-17 19:53:15 +00:00
if ( ! psd ) {
return True ;
}
2008-10-31 10:51:45 -07:00
status = se_access_check ( psd , token , desired_access , & granted ) ;
2006-07-17 19:53:15 +00:00
2008-01-06 14:17:15 +01:00
TALLOC_FREE ( psd ) ;
2008-10-31 10:51:45 -07:00
return NT_STATUS_IS_OK ( status ) ;
2006-07-17 19:53:15 +00:00
}
2006-02-03 22:19:41 +00:00
/***************************************************************************
Parse the contents of an acl string from a usershare file .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-10-18 17:40:25 -07:00
bool parse_usershare_acl ( TALLOC_CTX * ctx , const char * acl_str , SEC_DESC * * ppsd )
2006-02-03 22:19:41 +00:00
{
size_t s_size = 0 ;
const char * pacl = acl_str ;
int num_aces = 0 ;
SEC_ACE * ace_list = NULL ;
SEC_ACL * psa = NULL ;
SEC_DESC * psd = NULL ;
size_t sd_size = 0 ;
int i ;
* ppsd = NULL ;
/* If the acl string is blank return "Everyone:R" */
if ( ! * acl_str ) {
SEC_DESC * default_psd = get_share_security_default ( ctx , & s_size , GENERIC_READ_ACCESS ) ;
if ( ! default_psd ) {
return False ;
}
* ppsd = default_psd ;
return True ;
}
num_aces = 1 ;
/* Add the number of ',' characters to get the number of aces. */
num_aces + = count_chars ( pacl , ' , ' ) ;
ace_list = TALLOC_ARRAY ( ctx , SEC_ACE , num_aces ) ;
if ( ! ace_list ) {
return False ;
}
for ( i = 0 ; i < num_aces ; i + + ) {
2008-10-09 09:49:03 -07:00
uint32_t sa ;
2006-02-03 22:19:41 +00:00
uint32 g_access ;
uint32 s_access ;
DOM_SID sid ;
2007-12-07 17:32:32 -08:00
char * sidstr ;
2007-12-20 22:27:01 +01:00
enum security_ace_type type = SEC_ACE_TYPE_ACCESS_ALLOWED ;
2006-02-03 22:19:41 +00:00
2007-12-07 17:32:32 -08:00
if ( ! next_token_talloc ( ctx , & pacl , & sidstr , " : " ) ) {
2006-02-03 22:19:41 +00:00
DEBUG ( 0 , ( " parse_usershare_acl: malformed usershare acl looking "
" for ':' in string '%s' \n " , pacl ) ) ;
return False ;
}
if ( ! string_to_sid ( & sid , sidstr ) ) {
DEBUG ( 0 , ( " parse_usershare_acl: failed to convert %s to sid. \n " ,
sidstr ) ) ;
return False ;
}
switch ( * pacl ) {
case ' F ' : /* Full Control, ie. R+W */
case ' f ' : /* Full Control, ie. R+W */
s_access = g_access = GENERIC_ALL_ACCESS ;
break ;
case ' R ' : /* Read only. */
case ' r ' : /* Read only. */
s_access = g_access = GENERIC_READ_ACCESS ;
break ;
case ' D ' : /* Deny all to this SID. */
case ' d ' : /* Deny all to this SID. */
type = SEC_ACE_TYPE_ACCESS_DENIED ;
s_access = g_access = GENERIC_ALL_ACCESS ;
break ;
default :
DEBUG ( 0 , ( " parse_usershare_acl: unknown acl type at %s. \n " ,
pacl ) ) ;
return False ;
}
pacl + + ;
if ( * pacl & & * pacl ! = ' , ' ) {
DEBUG ( 0 , ( " parse_usershare_acl: bad acl string at %s. \n " ,
pacl ) ) ;
return False ;
}
pacl + + ; /* Go past any ',' */
se_map_generic ( & s_access , & file_generic_mapping ) ;
2008-10-09 09:49:03 -07:00
sa = ( g_access | s_access ) ;
2006-02-03 22:19:41 +00:00
init_sec_ace ( & ace_list [ i ] , & sid , type , sa , 0 ) ;
}
if ( ( psa = make_sec_acl ( ctx , NT4_ACL_REVISION , num_aces , ace_list ) ) ! = NULL ) {
2007-12-20 22:27:01 +01:00
psd = make_sec_desc ( ctx , SECURITY_DESCRIPTOR_REVISION_1 ,
SEC_DESC_SELF_RELATIVE , NULL , NULL , NULL ,
psa , & sd_size ) ;
2006-02-03 22:19:41 +00:00
}
if ( ! psd ) {
DEBUG ( 0 , ( " parse_usershare_acl: Failed to make SEC_DESC. \n " ) ) ;
return False ;
}
* ppsd = psd ;
return True ;
}