mirror of
https://github.com/samba-team/samba.git
synced 2025-01-12 09:18:10 +03:00
r3830: unified the query/set security descriptor code with the rest of the
queryfileinfo/setfileinfo logic, so querying/setting a security
descriptor is treated as just another file query/set operation.
This will allow NTVFS backends to see the query/set security
descriptor operations as RAW_FILEINFO_SEC_DESC and
RAW_SFILEINFO_SEC_DESC operations.
(This used to be commit f68a6b6b91
)
This commit is contained in:
parent
bbf009b46f
commit
012be92f0a
source4
client
include
libcli/raw
librpc/ndr
smb_server
torture/raw
@ -1793,7 +1793,7 @@ static int cmd_acl(const char **cmd_ptr)
|
||||
fstring buf;
|
||||
int ret = 0;
|
||||
TALLOC_CTX *mem_ctx;
|
||||
struct smb_query_secdesc query;
|
||||
union smb_fileinfo query;
|
||||
NTSTATUS status;
|
||||
int fnum;
|
||||
|
||||
@ -1813,17 +1813,18 @@ static int cmd_acl(const char **cmd_ptr)
|
||||
|
||||
mem_ctx = talloc_init("%s", fname);
|
||||
|
||||
query.in.fnum = fnum;
|
||||
query.in.secinfo_flags = 0x7;
|
||||
query.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
|
||||
query.query_secdesc.in.fnum = fnum;
|
||||
query.query_secdesc.in.secinfo_flags = 0x7;
|
||||
|
||||
status = smb_raw_query_secdesc(cli->tree, mem_ctx, &query);
|
||||
status = smb_raw_fileinfo(cli->tree, mem_ctx, &query);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
d_printf("%s - %s\n", fname, nt_errstr(status));
|
||||
ret = 1;
|
||||
goto done;
|
||||
}
|
||||
|
||||
NDR_PRINT_DEBUG(security_descriptor, query.out.sd);
|
||||
NDR_PRINT_DEBUG(security_descriptor, query.query_secdesc.out.sd);
|
||||
|
||||
talloc_destroy(mem_ctx);
|
||||
|
||||
|
@ -179,7 +179,6 @@ extern int errno;
|
||||
#include "module.h"
|
||||
#include "mutex.h"
|
||||
#include "librpc/ndr/libndr.h"
|
||||
#include "librpc/ndr/ndr_sec.h"
|
||||
#include "librpc/gen_ndr/ndr_misc.h"
|
||||
#include "librpc/gen_ndr/ndr_dcerpc.h"
|
||||
#include "librpc/rpc/dcerpc.h"
|
||||
|
@ -42,6 +42,20 @@ typedef struct {
|
||||
} WIRE_STRING;
|
||||
|
||||
|
||||
/*
|
||||
use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really
|
||||
just a dom sid, but with the sub_auths represented as a conformant
|
||||
array. As with all in-structure conformant arrays, the array length
|
||||
is placed before the start of the structure. That's what gives rise
|
||||
to the extra num_auths elemenent. We don't want the Samba code to
|
||||
have to bother with such esoteric NDR details, so its easier to just
|
||||
define it as a dom_sid and use pidl magic to make it all work. It
|
||||
just means you need to mark a sid as a "dom_sid2" in the IDL when you
|
||||
know it is of the conformant array variety
|
||||
*/
|
||||
#define dom_sid2 dom_sid
|
||||
|
||||
|
||||
/*
|
||||
this header defines the structures and unions used between the SMB
|
||||
parser and the backends.
|
||||
@ -296,6 +310,7 @@ enum smb_fileinfo_level {
|
||||
RAW_FILEINFO_GENERIC = 0xF000,
|
||||
RAW_FILEINFO_GETATTR, /* SMBgetatr */
|
||||
RAW_FILEINFO_GETATTRE, /* SMBgetattrE */
|
||||
RAW_FILEINFO_SEC_DESC, /* NT_TRANSACT_QUERY_SECURITY_DESC */
|
||||
RAW_FILEINFO_STANDARD = SMB_QFILEINFO_STANDARD,
|
||||
RAW_FILEINFO_EA_SIZE = SMB_QFILEINFO_EA_SIZE,
|
||||
RAW_FILEINFO_ALL_EAS = SMB_QFILEINFO_ALL_EAS,
|
||||
@ -661,6 +676,18 @@ union smb_fileinfo {
|
||||
uint32_t reparse_tag;
|
||||
} out;
|
||||
} attribute_tag_information;
|
||||
|
||||
/* RAW_FILEINFO_QUERY_SEC_DESC */
|
||||
struct {
|
||||
enum smb_fileinfo_level level;
|
||||
struct {
|
||||
uint16_t fnum;
|
||||
uint32_t secinfo_flags;
|
||||
} in;
|
||||
struct {
|
||||
struct security_descriptor *sd;
|
||||
} out;
|
||||
} query_secdesc;
|
||||
};
|
||||
|
||||
|
||||
@ -668,6 +695,7 @@ enum smb_setfileinfo_level {
|
||||
RAW_SFILEINFO_GENERIC = 0xF000,
|
||||
RAW_SFILEINFO_SETATTR, /* SMBsetatr */
|
||||
RAW_SFILEINFO_SETATTRE, /* SMBsetattrE */
|
||||
RAW_SFILEINFO_SEC_DESC, /* NT_TRANSACT_SET_SECURITY_DESC */
|
||||
RAW_SFILEINFO_STANDARD = SMB_SFILEINFO_STANDARD,
|
||||
RAW_SFILEINFO_EA_SET = SMB_SFILEINFO_EA_SET,
|
||||
RAW_SFILEINFO_BASIC_INFO = SMB_SFILEINFO_BASIC_INFO,
|
||||
@ -854,6 +882,16 @@ union smb_setfileinfo {
|
||||
const char *link_dest;
|
||||
} in;
|
||||
} unix_link, unix_hlink;
|
||||
|
||||
/* RAW_FILEINFO_SET_SEC_DESC */
|
||||
struct {
|
||||
enum smb_setfileinfo_level level;
|
||||
union setfileinfo_file file;
|
||||
struct {
|
||||
uint32_t secinfo_flags;
|
||||
struct security_descriptor *sd;
|
||||
} in;
|
||||
} set_secdesc;
|
||||
};
|
||||
|
||||
|
||||
|
@ -27,7 +27,7 @@
|
||||
fetch file ACL (async send)
|
||||
****************************************************************************/
|
||||
struct smbcli_request *smb_raw_query_secdesc_send(struct smbcli_tree *tree,
|
||||
struct smb_query_secdesc *query)
|
||||
union smb_fileinfo *io)
|
||||
{
|
||||
struct smb_nttrans nt;
|
||||
uint8_t params[8];
|
||||
@ -39,9 +39,9 @@ struct smbcli_request *smb_raw_query_secdesc_send(struct smbcli_tree *tree,
|
||||
nt.in.function = NT_TRANSACT_QUERY_SECURITY_DESC;
|
||||
nt.in.setup = NULL;
|
||||
|
||||
SSVAL(params, 0, query->in.fnum);
|
||||
SSVAL(params, 0, io->query_secdesc.in.fnum);
|
||||
SSVAL(params, 2, 0); /* padding */
|
||||
SIVAL(params, 4, query->in.secinfo_flags);
|
||||
SIVAL(params, 4, io->query_secdesc.in.secinfo_flags);
|
||||
|
||||
nt.in.params.data = params;
|
||||
nt.in.params.length = 8;
|
||||
@ -57,7 +57,7 @@ fetch file ACL (async recv)
|
||||
****************************************************************************/
|
||||
NTSTATUS smb_raw_query_secdesc_recv(struct smbcli_request *req,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
struct smb_query_secdesc *query)
|
||||
union smb_fileinfo *io)
|
||||
{
|
||||
NTSTATUS status;
|
||||
struct smb_nttrans nt;
|
||||
@ -81,11 +81,12 @@ NTSTATUS smb_raw_query_secdesc_recv(struct smbcli_request *req,
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
query->out.sd = talloc_p(mem_ctx, struct security_descriptor);
|
||||
if (!query->out.sd) {
|
||||
io->query_secdesc.out.sd = talloc_p(mem_ctx, struct security_descriptor);
|
||||
if (!io->query_secdesc.out.sd) {
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
status = ndr_pull_security_descriptor(ndr, NDR_SCALARS|NDR_BUFFERS, query->out.sd);
|
||||
status = ndr_pull_security_descriptor(ndr, NDR_SCALARS|NDR_BUFFERS,
|
||||
io->query_secdesc.out.sd);
|
||||
|
||||
return status;
|
||||
}
|
||||
@ -96,10 +97,10 @@ fetch file ACL (sync interface)
|
||||
****************************************************************************/
|
||||
NTSTATUS smb_raw_query_secdesc(struct smbcli_tree *tree,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
struct smb_query_secdesc *query)
|
||||
union smb_fileinfo *io)
|
||||
{
|
||||
struct smbcli_request *req = smb_raw_query_secdesc_send(tree, query);
|
||||
return smb_raw_query_secdesc_recv(req, mem_ctx, query);
|
||||
struct smbcli_request *req = smb_raw_query_secdesc_send(tree, io);
|
||||
return smb_raw_query_secdesc_recv(req, mem_ctx, io);
|
||||
}
|
||||
|
||||
|
||||
@ -108,7 +109,7 @@ NTSTATUS smb_raw_query_secdesc(struct smbcli_tree *tree,
|
||||
set file ACL (async send)
|
||||
****************************************************************************/
|
||||
struct smbcli_request *smb_raw_set_secdesc_send(struct smbcli_tree *tree,
|
||||
struct smb_set_secdesc *set)
|
||||
union smb_setfileinfo *io)
|
||||
{
|
||||
struct smb_nttrans nt;
|
||||
uint8_t params[8];
|
||||
@ -123,9 +124,9 @@ struct smbcli_request *smb_raw_set_secdesc_send(struct smbcli_tree *tree,
|
||||
nt.in.function = NT_TRANSACT_SET_SECURITY_DESC;
|
||||
nt.in.setup = NULL;
|
||||
|
||||
SSVAL(params, 0, set->in.fnum);
|
||||
SSVAL(params, 0, io->set_secdesc.file.fnum);
|
||||
SSVAL(params, 2, 0); /* padding */
|
||||
SIVAL(params, 4, set->in.secinfo_flags);
|
||||
SIVAL(params, 4, io->set_secdesc.in.secinfo_flags);
|
||||
|
||||
nt.in.params.data = params;
|
||||
nt.in.params.length = 8;
|
||||
@ -133,7 +134,7 @@ struct smbcli_request *smb_raw_set_secdesc_send(struct smbcli_tree *tree,
|
||||
ndr = ndr_push_init();
|
||||
if (!ndr) return NULL;
|
||||
|
||||
status = ndr_push_security_descriptor(ndr, NDR_SCALARS|NDR_BUFFERS, set->in.sd);
|
||||
status = ndr_push_security_descriptor(ndr, NDR_SCALARS|NDR_BUFFERS, io->set_secdesc.in.sd);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
ndr_push_free(ndr);
|
||||
return NULL;
|
||||
@ -151,8 +152,8 @@ struct smbcli_request *smb_raw_set_secdesc_send(struct smbcli_tree *tree,
|
||||
set file ACL (sync interface)
|
||||
****************************************************************************/
|
||||
NTSTATUS smb_raw_set_secdesc(struct smbcli_tree *tree,
|
||||
struct smb_set_secdesc *set)
|
||||
union smb_setfileinfo *io)
|
||||
{
|
||||
struct smbcli_request *req = smb_raw_set_secdesc_send(tree, set);
|
||||
struct smbcli_request *req = smb_raw_set_secdesc_send(tree, io);
|
||||
return smbcli_request_simple_recv(req);
|
||||
}
|
||||
|
@ -48,6 +48,7 @@ static NTSTATUS smb_raw_info_backend(struct smbcli_session *session,
|
||||
case RAW_FILEINFO_GENERIC:
|
||||
case RAW_FILEINFO_GETATTR:
|
||||
case RAW_FILEINFO_GETATTRE:
|
||||
case RAW_FILEINFO_SEC_DESC:
|
||||
/* not handled here */
|
||||
return NT_STATUS_INVALID_LEVEL;
|
||||
|
||||
@ -460,12 +461,15 @@ failed:
|
||||
Query file info (async send)
|
||||
****************************************************************************/
|
||||
struct smbcli_request *smb_raw_fileinfo_send(struct smbcli_tree *tree,
|
||||
union smb_fileinfo *parms)
|
||||
union smb_fileinfo *parms)
|
||||
{
|
||||
/* pass off the non-trans2 level to specialised functions */
|
||||
if (parms->generic.level == RAW_FILEINFO_GETATTRE) {
|
||||
return smb_raw_getattrE_send(tree, parms);
|
||||
}
|
||||
if (parms->generic.level == RAW_FILEINFO_SEC_DESC) {
|
||||
return smb_raw_query_secdesc_send(tree, parms);
|
||||
}
|
||||
if (parms->generic.level >= RAW_FILEINFO_GENERIC) {
|
||||
return NULL;
|
||||
}
|
||||
@ -489,6 +493,9 @@ NTSTATUS smb_raw_fileinfo_recv(struct smbcli_request *req,
|
||||
if (parms->generic.level == RAW_FILEINFO_GETATTRE) {
|
||||
return smb_raw_getattrE_recv(req, parms);
|
||||
}
|
||||
if (parms->generic.level == RAW_FILEINFO_SEC_DESC) {
|
||||
return smb_raw_query_secdesc_recv(req, mem_ctx, parms);
|
||||
}
|
||||
if (parms->generic.level == RAW_FILEINFO_GETATTR) {
|
||||
return smb_raw_getattr_recv(req, parms);
|
||||
}
|
||||
|
@ -41,6 +41,7 @@ static BOOL smb_raw_setinfo_backend(struct smbcli_tree *tree,
|
||||
case RAW_SFILEINFO_GENERIC:
|
||||
case RAW_SFILEINFO_SETATTR:
|
||||
case RAW_SFILEINFO_SETATTRE:
|
||||
case RAW_SFILEINFO_SEC_DESC:
|
||||
/* not handled here */
|
||||
return False;
|
||||
|
||||
@ -262,6 +263,9 @@ struct smbcli_request *smb_raw_setfileinfo_send(struct smbcli_tree *tree,
|
||||
if (parms->generic.level == RAW_SFILEINFO_SETATTRE) {
|
||||
return smb_raw_setattrE_send(tree, parms);
|
||||
}
|
||||
if (parms->generic.level == RAW_SFILEINFO_SEC_DESC) {
|
||||
return smb_raw_set_secdesc_send(tree, parms);
|
||||
}
|
||||
if (parms->generic.level >= RAW_SFILEINFO_GENERIC) {
|
||||
return NULL;
|
||||
}
|
||||
|
@ -1,56 +0,0 @@
|
||||
/*
|
||||
Unix SMB/CIFS implementation.
|
||||
|
||||
definitions for marshalling/unmarshalling security descriptors
|
||||
and related structures
|
||||
|
||||
Copyright (C) Andrew Tridgell 2003
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation; either version 2 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with this program; if not, write to the Free Software
|
||||
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
||||
*/
|
||||
|
||||
|
||||
/*
|
||||
use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really
|
||||
just a dom sid, but with the sub_auths represented as a conformant
|
||||
array. As with all in-structure conformant arrays, the array length
|
||||
is placed before the start of the structure. That's what gives rise
|
||||
to the extra num_auths elemenent. We don't want the Samba code to
|
||||
have to bother with such esoteric NDR details, so its easier to just
|
||||
define it as a dom_sid and use pidl magic to make it all work. It
|
||||
just means you need to mark a sid as a "dom_sid2" in the IDL when you
|
||||
know it is of the conformant array variety
|
||||
*/
|
||||
#define dom_sid2 dom_sid
|
||||
|
||||
/* query security descriptor */
|
||||
struct smb_query_secdesc {
|
||||
struct {
|
||||
uint16_t fnum;
|
||||
uint32_t secinfo_flags;
|
||||
} in;
|
||||
struct {
|
||||
struct security_descriptor *sd;
|
||||
} out;
|
||||
};
|
||||
|
||||
/* set security descriptor */
|
||||
struct smb_set_secdesc {
|
||||
struct {
|
||||
uint16_t fnum;
|
||||
uint32_t secinfo_flags;
|
||||
struct security_descriptor *sd;
|
||||
} in;
|
||||
};
|
@ -476,6 +476,7 @@ static NTSTATUS trans2_fileinfo_fill(struct smbsrv_request *req, struct smb_tran
|
||||
case RAW_FILEINFO_GENERIC:
|
||||
case RAW_FILEINFO_GETATTR:
|
||||
case RAW_FILEINFO_GETATTRE:
|
||||
case RAW_FILEINFO_SEC_DESC:
|
||||
/* handled elsewhere */
|
||||
return NT_STATUS_INVALID_LEVEL;
|
||||
|
||||
@ -777,6 +778,7 @@ static NTSTATUS trans2_parse_sfileinfo(struct smbsrv_request *req,
|
||||
case RAW_SFILEINFO_GENERIC:
|
||||
case RAW_SFILEINFO_SETATTR:
|
||||
case RAW_SFILEINFO_SETATTRE:
|
||||
case RAW_SFILEINFO_SEC_DESC:
|
||||
/* handled elsewhere */
|
||||
return NT_STATUS_INVALID_LEVEL;
|
||||
|
||||
|
@ -42,8 +42,8 @@ static BOOL test_sd(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
|
||||
const char *fname = BASEDIR "\\sd.txt";
|
||||
BOOL ret = True;
|
||||
int fnum;
|
||||
struct smb_query_secdesc q;
|
||||
struct smb_set_secdesc set;
|
||||
union smb_fileinfo q;
|
||||
union smb_setfileinfo set;
|
||||
struct security_ace ace;
|
||||
struct security_descriptor *sd;
|
||||
struct dom_sid *test_sid;
|
||||
@ -67,15 +67,16 @@ static BOOL test_sd(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
|
||||
status = smb_raw_open(cli->tree, mem_ctx, &io);
|
||||
CHECK_STATUS(status, NT_STATUS_OK);
|
||||
fnum = io.ntcreatex.out.fnum;
|
||||
|
||||
q.in.fnum = fnum;
|
||||
q.in.secinfo_flags =
|
||||
|
||||
q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
|
||||
q.query_secdesc.in.fnum = fnum;
|
||||
q.query_secdesc.in.secinfo_flags =
|
||||
OWNER_SECURITY_INFORMATION |
|
||||
GROUP_SECURITY_INFORMATION |
|
||||
DACL_SECURITY_INFORMATION;
|
||||
status = smb_raw_query_secdesc(cli->tree, mem_ctx, &q);
|
||||
status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
|
||||
CHECK_STATUS(status, NT_STATUS_OK);
|
||||
sd = q.out.sd;
|
||||
sd = q.query_secdesc.out.sd;
|
||||
|
||||
printf("add a new ACE to the DACL\n");
|
||||
|
||||
@ -89,20 +90,21 @@ static BOOL test_sd(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
|
||||
status = security_descriptor_dacl_add(sd, &ace);
|
||||
CHECK_STATUS(status, NT_STATUS_OK);
|
||||
|
||||
set.in.fnum = fnum;
|
||||
set.in.secinfo_flags = q.in.secinfo_flags;
|
||||
set.in.sd = sd;
|
||||
set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
|
||||
set.set_secdesc.file.fnum = fnum;
|
||||
set.set_secdesc.in.secinfo_flags = q.query_secdesc.in.secinfo_flags;
|
||||
set.set_secdesc.in.sd = sd;
|
||||
|
||||
status = smb_raw_set_secdesc(cli->tree, &set);
|
||||
status = smb_raw_setfileinfo(cli->tree, &set);
|
||||
CHECK_STATUS(status, NT_STATUS_OK);
|
||||
|
||||
status = smb_raw_query_secdesc(cli->tree, mem_ctx, &q);
|
||||
status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
|
||||
CHECK_STATUS(status, NT_STATUS_OK);
|
||||
|
||||
if (!security_descriptor_equal(q.out.sd, sd)) {
|
||||
if (!security_descriptor_equal(q.query_secdesc.out.sd, sd)) {
|
||||
printf("security descriptors don't match!\n");
|
||||
printf("got:\n");
|
||||
NDR_PRINT_DEBUG(security_descriptor, q.out.sd);
|
||||
NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
|
||||
printf("expected:\n");
|
||||
NDR_PRINT_DEBUG(security_descriptor, sd);
|
||||
}
|
||||
@ -112,16 +114,16 @@ static BOOL test_sd(struct smbcli_state *cli, TALLOC_CTX *mem_ctx)
|
||||
status = security_descriptor_dacl_del(sd, test_sid);
|
||||
CHECK_STATUS(status, NT_STATUS_OK);
|
||||
|
||||
status = smb_raw_set_secdesc(cli->tree, &set);
|
||||
status = smb_raw_setfileinfo(cli->tree, &set);
|
||||
CHECK_STATUS(status, NT_STATUS_OK);
|
||||
|
||||
status = smb_raw_query_secdesc(cli->tree, mem_ctx, &q);
|
||||
status = smb_raw_fileinfo(cli->tree, mem_ctx, &q);
|
||||
CHECK_STATUS(status, NT_STATUS_OK);
|
||||
|
||||
if (!security_descriptor_equal(q.out.sd, sd)) {
|
||||
if (!security_descriptor_equal(q.query_secdesc.out.sd, sd)) {
|
||||
printf("security descriptors don't match!\n");
|
||||
printf("got:\n");
|
||||
NDR_PRINT_DEBUG(security_descriptor, q.out.sd);
|
||||
NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd);
|
||||
printf("expected:\n");
|
||||
NDR_PRINT_DEBUG(security_descriptor, sd);
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user