1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-12 09:18:10 +03:00

r3830: unified the query/set security descriptor code with the rest of the

queryfileinfo/setfileinfo logic, so querying/setting a security
descriptor is treated as just another file query/set operation.

This will allow NTVFS backends to see the query/set security
descriptor operations as RAW_FILEINFO_SEC_DESC and
RAW_SFILEINFO_SEC_DESC operations.
(This used to be commit f68a6b6b91)
This commit is contained in:
Andrew Tridgell 2004-11-18 01:41:43 +00:00 committed by Gerald (Jerry) Carter
parent bbf009b46f
commit 012be92f0a
9 changed files with 95 additions and 97 deletions

View File

@ -1793,7 +1793,7 @@ static int cmd_acl(const char **cmd_ptr)
fstring buf;
int ret = 0;
TALLOC_CTX *mem_ctx;
struct smb_query_secdesc query;
union smb_fileinfo query;
NTSTATUS status;
int fnum;
@ -1813,17 +1813,18 @@ static int cmd_acl(const char **cmd_ptr)
mem_ctx = talloc_init("%s", fname);
query.in.fnum = fnum;
query.in.secinfo_flags = 0x7;
query.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
query.query_secdesc.in.fnum = fnum;
query.query_secdesc.in.secinfo_flags = 0x7;
status = smb_raw_query_secdesc(cli->tree, mem_ctx, &query);
status = smb_raw_fileinfo(cli->tree, mem_ctx, &query);
if (!NT_STATUS_IS_OK(status)) {
d_printf("%s - %s\n", fname, nt_errstr(status));
ret = 1;
goto done;
}
NDR_PRINT_DEBUG(security_descriptor, query.out.sd);
NDR_PRINT_DEBUG(security_descriptor, query.query_secdesc.out.sd);
talloc_destroy(mem_ctx);

View File

@ -179,7 +179,6 @@ extern int errno;
#include "module.h"
#include "mutex.h"
#include "librpc/ndr/libndr.h"
#include "librpc/ndr/ndr_sec.h"
#include "librpc/gen_ndr/ndr_misc.h"
#include "librpc/gen_ndr/ndr_dcerpc.h"
#include "librpc/rpc/dcerpc.h"

View File

@ -42,6 +42,20 @@ typedef struct {
} WIRE_STRING;
/*
use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really
just a dom sid, but with the sub_auths represented as a conformant
array. As with all in-structure conformant arrays, the array length
is placed before the start of the structure. That's what gives rise
to the extra num_auths elemenent. We don't want the Samba code to
have to bother with such esoteric NDR details, so its easier to just
define it as a dom_sid and use pidl magic to make it all work. It
just means you need to mark a sid as a "dom_sid2" in the IDL when you
know it is of the conformant array variety
*/
#define dom_sid2 dom_sid
/*
this header defines the structures and unions used between the SMB
parser and the backends.
@ -296,6 +310,7 @@ enum smb_fileinfo_level {
RAW_FILEINFO_GENERIC = 0xF000,
RAW_FILEINFO_GETATTR, /* SMBgetatr */
RAW_FILEINFO_GETATTRE, /* SMBgetattrE */
RAW_FILEINFO_SEC_DESC, /* NT_TRANSACT_QUERY_SECURITY_DESC */
RAW_FILEINFO_STANDARD = SMB_QFILEINFO_STANDARD,
RAW_FILEINFO_EA_SIZE = SMB_QFILEINFO_EA_SIZE,
RAW_FILEINFO_ALL_EAS = SMB_QFILEINFO_ALL_EAS,
@ -661,6 +676,18 @@ union smb_fileinfo {
uint32_t reparse_tag;
} out;
} attribute_tag_information;
/* RAW_FILEINFO_QUERY_SEC_DESC */
struct {
enum smb_fileinfo_level level;
struct {
uint16_t fnum;
uint32_t secinfo_flags;
} in;
struct {
struct security_descriptor *sd;
} out;
} query_secdesc;
};
@ -668,6 +695,7 @@ enum smb_setfileinfo_level {
RAW_SFILEINFO_GENERIC = 0xF000,
RAW_SFILEINFO_SETATTR, /* SMBsetatr */
RAW_SFILEINFO_SETATTRE, /* SMBsetattrE */
RAW_SFILEINFO_SEC_DESC, /* NT_TRANSACT_SET_SECURITY_DESC */
RAW_SFILEINFO_STANDARD = SMB_SFILEINFO_STANDARD,
RAW_SFILEINFO_EA_SET = SMB_SFILEINFO_EA_SET,
RAW_SFILEINFO_BASIC_INFO = SMB_SFILEINFO_BASIC_INFO,
@ -854,6 +882,16 @@ union smb_setfileinfo {
const char *link_dest;
} in;
} unix_link, unix_hlink;
/* RAW_FILEINFO_SET_SEC_DESC */
struct {
enum smb_setfileinfo_level level;
union setfileinfo_file file;
struct {
uint32_t secinfo_flags;
struct security_descriptor *sd;
} in;
} set_secdesc;
};

View File

@ -27,7 +27,7 @@
fetch file ACL (async send)
****************************************************************************/
struct smbcli_request *smb_raw_query_secdesc_send(struct smbcli_tree *tree,
struct smb_query_secdesc *query)
union smb_fileinfo *io)
{
struct smb_nttrans nt;
uint8_t params[8];
@ -39,9 +39,9 @@ struct smbcli_request *smb_raw_query_secdesc_send(struct smbcli_tree *tree,
nt.in.function = NT_TRANSACT_QUERY_SECURITY_DESC;
nt.in.setup = NULL;
SSVAL(params, 0, query->in.fnum);
SSVAL(params, 0, io->query_secdesc.in.fnum);
SSVAL(params, 2, 0); /* padding */
SIVAL(params, 4, query->in.secinfo_flags);
SIVAL(params, 4, io->query_secdesc.in.secinfo_flags);
nt.in.params.data = params;
nt.in.params.length = 8;
@ -57,7 +57,7 @@ fetch file ACL (async recv)
****************************************************************************/
NTSTATUS smb_raw_query_secdesc_recv(struct smbcli_request *req,
TALLOC_CTX *mem_ctx,
struct smb_query_secdesc *query)
union smb_fileinfo *io)
{
NTSTATUS status;
struct smb_nttrans nt;
@ -81,11 +81,12 @@ NTSTATUS smb_raw_query_secdesc_recv(struct smbcli_request *req,
return NT_STATUS_INVALID_PARAMETER;
}
query->out.sd = talloc_p(mem_ctx, struct security_descriptor);
if (!query->out.sd) {
io->query_secdesc.out.sd = talloc_p(mem_ctx, struct security_descriptor);
if (!io->query_secdesc.out.sd) {
return NT_STATUS_NO_MEMORY;
}
status = ndr_pull_security_descriptor(ndr, NDR_SCALARS|NDR_BUFFERS, query->out.sd);
status = ndr_pull_security_descriptor(ndr, NDR_SCALARS|NDR_BUFFERS,
io->query_secdesc.out.sd);
return status;
}
@ -96,10 +97,10 @@ fetch file ACL (sync interface)
****************************************************************************/
NTSTATUS smb_raw_query_secdesc(struct smbcli_tree *tree,
TALLOC_CTX *mem_ctx,
struct smb_query_secdesc *query)
union smb_fileinfo *io)
{
struct smbcli_request *req = smb_raw_query_secdesc_send(tree, query);
return smb_raw_query_secdesc_recv(req, mem_ctx, query);
struct smbcli_request *req = smb_raw_query_secdesc_send(tree, io);
return smb_raw_query_secdesc_recv(req, mem_ctx, io);
}
@ -108,7 +109,7 @@ NTSTATUS smb_raw_query_secdesc(struct smbcli_tree *tree,
set file ACL (async send)
****************************************************************************/
struct smbcli_request *smb_raw_set_secdesc_send(struct smbcli_tree *tree,
struct smb_set_secdesc *set)
union smb_setfileinfo *io)
{
struct smb_nttrans nt;
uint8_t params[8];
@ -123,9 +124,9 @@ struct smbcli_request *smb_raw_set_secdesc_send(struct smbcli_tree *tree,
nt.in.function = NT_TRANSACT_SET_SECURITY_DESC;
nt.in.setup = NULL;
SSVAL(params, 0, set->in.fnum);
SSVAL(params, 0, io->set_secdesc.file.fnum);
SSVAL(params, 2, 0); /* padding */
SIVAL(params, 4, set->in.secinfo_flags);
SIVAL(params, 4, io->set_secdesc.in.secinfo_flags);
nt.in.params.data = params;
nt.in.params.length = 8;
@ -133,7 +134,7 @@ struct smbcli_request *smb_raw_set_secdesc_send(struct smbcli_tree *tree,
ndr = ndr_push_init();
if (!ndr) return NULL;
status = ndr_push_security_descriptor(ndr, NDR_SCALARS|NDR_BUFFERS, set->in.sd);
status = ndr_push_security_descriptor(ndr, NDR_SCALARS|NDR_BUFFERS, io->set_secdesc.in.sd);
if (!NT_STATUS_IS_OK(status)) {
ndr_push_free(ndr);
return NULL;
@ -151,8 +152,8 @@ struct smbcli_request *smb_raw_set_secdesc_send(struct smbcli_tree *tree,
set file ACL (sync interface)
****************************************************************************/
NTSTATUS smb_raw_set_secdesc(struct smbcli_tree *tree,
struct smb_set_secdesc *set)
union smb_setfileinfo *io)
{
struct smbcli_request *req = smb_raw_set_secdesc_send(tree, set);
struct smbcli_request *req = smb_raw_set_secdesc_send(tree, io);
return smbcli_request_simple_recv(req);
}

View File

@ -48,6 +48,7 @@ static NTSTATUS smb_raw_info_backend(struct smbcli_session *session,
case RAW_FILEINFO_GENERIC:
case RAW_FILEINFO_GETATTR:
case RAW_FILEINFO_GETATTRE:
case RAW_FILEINFO_SEC_DESC:
/* not handled here */
return NT_STATUS_INVALID_LEVEL;
@ -460,12 +461,15 @@ failed:
Query file info (async send)
****************************************************************************/
struct smbcli_request *smb_raw_fileinfo_send(struct smbcli_tree *tree,
union smb_fileinfo *parms)
union smb_fileinfo *parms)
{
/* pass off the non-trans2 level to specialised functions */
if (parms->generic.level == RAW_FILEINFO_GETATTRE) {
return smb_raw_getattrE_send(tree, parms);
}
if (parms->generic.level == RAW_FILEINFO_SEC_DESC) {
return smb_raw_query_secdesc_send(tree, parms);
}
if (parms->generic.level >= RAW_FILEINFO_GENERIC) {
return NULL;
}
@ -489,6 +493,9 @@ NTSTATUS smb_raw_fileinfo_recv(struct smbcli_request *req,
if (parms->generic.level == RAW_FILEINFO_GETATTRE) {
return smb_raw_getattrE_recv(req, parms);
}
if (parms->generic.level == RAW_FILEINFO_SEC_DESC) {
return smb_raw_query_secdesc_recv(req, mem_ctx, parms);
}
if (parms->generic.level == RAW_FILEINFO_GETATTR) {
return smb_raw_getattr_recv(req, parms);
}

View File

@ -41,6 +41,7 @@ static BOOL smb_raw_setinfo_backend(struct smbcli_tree *tree,
case RAW_SFILEINFO_GENERIC:
case RAW_SFILEINFO_SETATTR:
case RAW_SFILEINFO_SETATTRE:
case RAW_SFILEINFO_SEC_DESC:
/* not handled here */
return False;
@ -262,6 +263,9 @@ struct smbcli_request *smb_raw_setfileinfo_send(struct smbcli_tree *tree,
if (parms->generic.level == RAW_SFILEINFO_SETATTRE) {
return smb_raw_setattrE_send(tree, parms);
}
if (parms->generic.level == RAW_SFILEINFO_SEC_DESC) {
return smb_raw_set_secdesc_send(tree, parms);
}
if (parms->generic.level >= RAW_SFILEINFO_GENERIC) {
return NULL;
}

View File

@ -1,56 +0,0 @@
/*
Unix SMB/CIFS implementation.
definitions for marshalling/unmarshalling security descriptors
and related structures
Copyright (C) Andrew Tridgell 2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
/*
use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really
just a dom sid, but with the sub_auths represented as a conformant
array. As with all in-structure conformant arrays, the array length
is placed before the start of the structure. That's what gives rise
to the extra num_auths elemenent. We don't want the Samba code to
have to bother with such esoteric NDR details, so its easier to just
define it as a dom_sid and use pidl magic to make it all work. It
just means you need to mark a sid as a "dom_sid2" in the IDL when you
know it is of the conformant array variety
*/
#define dom_sid2 dom_sid
/* query security descriptor */
struct smb_query_secdesc {
struct {
uint16_t fnum;
uint32_t secinfo_flags;
} in;
struct {
struct security_descriptor *sd;
} out;
};
/* set security descriptor */
struct smb_set_secdesc {
struct {
uint16_t fnum;
uint32_t secinfo_flags;
struct security_descriptor *sd;
} in;
};

View File

@ -476,6 +476,7 @@ static NTSTATUS trans2_fileinfo_fill(struct smbsrv_request *req, struct smb_tran
case RAW_FILEINFO_GENERIC:
case RAW_FILEINFO_GETATTR:
case RAW_FILEINFO_GETATTRE:
case RAW_FILEINFO_SEC_DESC:
/* handled elsewhere */
return NT_STATUS_INVALID_LEVEL;
@ -777,6 +778,7 @@ static NTSTATUS trans2_parse_sfileinfo(struct smbsrv_request *req,
case RAW_SFILEINFO_GENERIC:
case RAW_SFILEINFO_SETATTR:
case RAW_SFILEINFO_SETATTRE:
case RAW_SFILEINFO_SEC_DESC:
/* handled elsewhere */
return NT_STATUS_INVALID_LEVEL;

View File

@ -42,8 +42,8 @@ static BOOL test_sd(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
const char *fname = BASEDIR "\\sd.txt";
BOOL ret = True;
int fnum;
struct smb_query_secdesc q;
struct smb_set_secdesc set;
union smb_fileinfo q;
union smb_setfileinfo set;
struct security_ace ace;
struct security_descriptor *sd;
struct dom_sid *test_sid;
@ -67,15 +67,16 @@ static BOOL test_sd(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
status = smb_raw_open(cli->tree, mem_ctx, &io);
CHECK_STATUS(status, NT_STATUS_OK);
fnum = io.ntcreatex.out.fnum;
q.in.fnum = fnum;
q.in.secinfo_flags =
q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
q.query_secdesc.in.fnum = fnum;
q.query_secdesc.in.secinfo_flags =
OWNER_SECURITY_INFORMATION |
GROUP_SECURITY_INFORMATION |
DACL_SECURITY_INFORMATION;
status = smb_raw_query_secdesc(cli->tree, mem_ctx, &q);
status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
CHECK_STATUS(status, NT_STATUS_OK);
sd = q.out.sd;
sd = q.query_secdesc.out.sd;
printf("add a new ACE to the DACL\n");
@ -89,20 +90,21 @@ static BOOL test_sd(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
status = security_descriptor_dacl_add(sd, &ace);
CHECK_STATUS(status, NT_STATUS_OK);
set.in.fnum = fnum;
set.in.secinfo_flags = q.in.secinfo_flags;
set.in.sd = sd;
set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
set.set_secdesc.file.fnum = fnum;
set.set_secdesc.in.secinfo_flags = q.query_secdesc.in.secinfo_flags;
set.set_secdesc.in.sd = sd;
status = smb_raw_set_secdesc(cli->tree, &set);
status = smb_raw_setfileinfo(cli->tree, &set);
CHECK_STATUS(status, NT_STATUS_OK);
status = smb_raw_query_secdesc(cli->tree, mem_ctx, &q);
status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
CHECK_STATUS(status, NT_STATUS_OK);
if (!security_descriptor_equal(q.out.sd, sd)) {
if (!security_descriptor_equal(q.query_secdesc.out.sd, sd)) {
printf("security descriptors don't match!\n");
printf("got:\n");
NDR_PRINT_DEBUG(security_descriptor, q.out.sd);
NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
printf("expected:\n");
NDR_PRINT_DEBUG(security_descriptor, sd);
}
@ -112,16 +114,16 @@ static BOOL test_sd(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
status = security_descriptor_dacl_del(sd, test_sid);
CHECK_STATUS(status, NT_STATUS_OK);
status = smb_raw_set_secdesc(cli->tree, &set);
status = smb_raw_setfileinfo(cli->tree, &set);
CHECK_STATUS(status, NT_STATUS_OK);
status = smb_raw_query_secdesc(cli->tree, mem_ctx, &q);
status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
CHECK_STATUS(status, NT_STATUS_OK);
if (!security_descriptor_equal(q.out.sd, sd)) {
if (!security_descriptor_equal(q.query_secdesc.out.sd, sd)) {
printf("security descriptors don't match!\n");
printf("got:\n");
NDR_PRINT_DEBUG(security_descriptor, q.out.sd);
NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
printf("expected:\n");
NDR_PRINT_DEBUG(security_descriptor, sd);
}