sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-24 10:50:22 +03:00
Code

Working code to read POSIX ACLs on a Linux system using the bestbits

Browse Source 
ACL patch from http://acl.bestbits.at/.
configure support needs more work (just assumes correct headers at
the moment). ACL writing needs adding.
Jeremy.
(This used to be commit 6ae63e502e6adf3666a34aa87860c74e106fdb84)
This commit is contained in:
Jeremy Allison 2000-12-07 05:38:01 +00:00
parent 70922b9bbe
commit 423227d7ca
8 changed files with 832 additions and 701 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
source3/acconfig.h
View File

@ -137,3 +137,4 @@
#undef INTEL_SPINLOCKS
#undef MIPS_SPINLOCKS
#undef POWERPC_SPINLOCKS
#undef HAVE_POSIX_ACLS

1344
source3/configure vendored
View File

File diff suppressed because it is too large Load Diff

25
source3/configure.in
View File

@ -1885,7 +1885,7 @@ fi
# If we don't have all of these then disable large
# file support.
#
echo "checking if large file support can be enabled"
AC_MSG_CHECKING([checking if large file support can be enabled])
AC_TRY_COMPILE([
#if defined(HAVE_LONGLONG) && (defined(HAVE_OFF64_T) || (defined(SIZEOF_OFF_T) && (SIZEOF_OFF_T == 8)))
#include <sys/types.h>
@ -1896,10 +1896,10 @@ __COMPILE_ERROR_
[int i],
samba_cv_HAVE_EXPLICIT_LARGEFILE_SUPPORT=yes,samba_cv_HAVE_EXPLICIT_LARGEFILE_SUPPORT=no)
if test x"$samba_cv_HAVE_EXPLICIT_LARGEFILE_SUPPORT" = x"yes"; then
echo "yes"
AC_MSG_RESULT(yes)
AC_DEFINE(HAVE_EXPLICIT_LARGEFILE_SUPPORT)
else
echo "no"
AC_MSG_RESULT(no)
fi
AC_ARG_WITH(spinlocks, [ --with-spinlocks use spin locks instead of fcntl locks ])
@ -1925,6 +1925,25 @@ if test "x$with_spinlocks" = "xyes"; then
esac
fi
#################################################
# check for POSIX ACL support
AC_MSG_CHECKING(whether to support POSIX ACLs)
AC_ARG_WITH(posix-acls,
[ --with-posix-acls Include POSIX ACL support
--without-posix-acls Don't include POSIX ACL support (default)],
[ case "$withval" in
yes)
AC_MSG_RESULT(yes)
AC_DEFINE(HAVE_POSIX_ACLS)
;;
*)
AC_MSG_RESULT(no)
;;
esac ],
AC_MSG_RESULT(no)
)
echo "checking configure summary"
AC_TRY_RUN([#include "${srcdir-.}/tests/summary.c"],
echo "configure OK";,

1
source3/include/config.h.in
View File

@ -200,6 +200,7 @@
#undef INTEL_SPINLOCKS
#undef MIPS_SPINLOCKS
#undef POWERPC_SPINLOCKS
#undef HAVE_POSIX_ACLS
/* The number of bytes in a int. */
#undef SIZEOF_INT

8
source3/include/proto.h
View File

@ -249,6 +249,10 @@ void *sys_acl_get_qualifier( SMB_ACL_ENTRY_T entry_d);
SMB_ACL_T sys_acl_get_file( const char *path_p, SMB_ACL_TYPE_T type);
SMB_ACL_T sys_acl_get_fd(int fd);
int sys_acl_free( void *obj_p);
int sys_acl_clear_perms(SMB_ACL_PERMSET_T permset);
int sys_acl_add_perm( SMB_ACL_PERMSET_T permset, SMB_ACL_PERM_T perm);
int sys_acl_get_perm( SMB_ACL_PERMSET_T permset, SMB_ACL_PERM_T perm);
char *sys_acl_to_text( SMB_ACL_T acl, ssize_t *plen);
int sys_acl_get_entry( SMB_ACL_T acl, int entry_id, SMB_ACL_ENTRY_T *entry_p);
int sys_acl_get_tag_type( SMB_ACL_ENTRY_T entry_d, SMB_ACL_TAG_T *tag_type_p);
int sys_acl_get_permset( SMB_ACL_ENTRY_T entry_d, SMB_ACL_PERMSET_T *permset_p);
@ -256,6 +260,10 @@ void *sys_acl_get_qualifier( SMB_ACL_ENTRY_T entry_d);
SMB_ACL_T sys_acl_get_file( const char *path_p, SMB_ACL_TYPE_T type);
SMB_ACL_T sys_acl_get_fd(int fd);
int sys_acl_free( void *obj_p);
int sys_acl_clear_perms(SMB_ACL_PERMSET_T permset);
int sys_acl_add_perm( SMB_ACL_PERMSET_T permset, SMB_ACL_PERM_T perm);
int sys_acl_get_perm( SMB_ACL_PERMSET_T permset, SMB_ACL_PERM_T perm);
char *sys_acl_to_text( SMB_ACL_T acl, ssize_t *plen);
/*The following definitions come from lib/system.c */

6
source3/include/smb_acls.h
View File

@ -31,6 +31,7 @@
#define SMB_ACL_TAG_T acl_tag_t
#define SMB_ACL_TYPE_T acl_type_t
#define SMB_ACL_PERMSET_T acl_permset_t
#define SMB_ACL_PERM_T acl_perm_t
#define SMB_ACL_READ ACL_READ
#define SMB_ACL_WRITE ACL_WRITE
#define SMB_ACL_EXECUTE ACL_EXECUTE
@ -40,7 +41,7 @@
#define SMB_ACL_USER_OBJ ACL_USER_OBJ
#define SMB_ACL_GROUP ACL_GROUP
#define SMB_ACL_GROUP_OBJ ACL_GROUP_OBJ
#define SMB_ACL_OTHER_OBJ ACL_OTHER_OBJ
#define SMB_ACL_OTHER ACL_OTHER
#define SMB_ACL_MASK ACL_MASK
#define SMB_ACL_T acl_t
@ -63,6 +64,7 @@
#define SMB_ACL_TAG_T int
#define SMB_ACL_TYPE_T int
#define SMB_ACL_PERMSET_T mode_t
#define SMB_ACL_PERM_T mode_t
#define SMB_ACL_READ S_IRUSR
#define SMB_ACL_WRITE S_IWUSR
#define SMB_ACL_EXECUTE S_IXUSR
@ -72,7 +74,7 @@
#define SMB_ACL_USER_OBJ 1
#define SMB_ACL_GROUP 2
#define SMB_ACL_GROUP_OBJ 3
#define SMB_ACL_OTHER_OBJ 4
#define SMB_ACL_OTHER 4
#define SMB_ACL_MASK 5
typedef struct SMB_ACL_T {

51
source3/lib/sysacls.c
View File

@ -37,7 +37,14 @@ extern int DEBUGLEVEL;
SMB_ACL_T sys_acl_get_file( const char *path_p, SMB_ACL_TYPE_T type)
SMB_ACL_T sys_acl_get_fd(int fd)
int sys_acl_free( void *obj_p)
int sys_acl_clear_perms(SMB_ACL_PERMSET_T permset);
int sys_acl_add_perm( SMB_ACL_PERMSET_T permset, SMB_ACL_PERM_T perm);
char *sys_acl_to_text( SMB_ACL_T acl, ssize_t *plen)
This next one is not POSIX complient - but we *have* to have it !
More POSIX braindamage.
int sys_acl_get_perm( SMB_ACL_PERMSET_T permset, SMB_ACL_PERM_T perm)
*/
#if defined(HAVE_POSIX_ACLS)
@ -66,7 +73,7 @@ void *sys_acl_get_qualifier( SMB_ACL_ENTRY_T entry_d)
SMB_ACL_T sys_acl_get_file( const char *path_p, SMB_ACL_TYPE_T type)
{
sys_acl_get_file( const char *path_p, SMB_ACL_TYPE_T type)
return sys_acl_get_file( path_p, type);
}
SMB_ACL_T sys_acl_get_fd(int fd)
@ -79,6 +86,26 @@ int sys_acl_free( void *obj_p)
return acl_free(obj_p);
}
int sys_acl_clear_perms(SMB_ACL_PERMSET_T permset)
{
return acl_clear_perms(permset);
}
int sys_acl_add_perm( SMB_ACL_PERMSET_T permset, SMB_ACL_PERM_T perm)
{
return acl_add_perm(permset, perm);
}
int sys_acl_get_perm( SMB_ACL_PERMSET_T permset, SMB_ACL_PERM_T perm)
{
return acl_get_perm(permset, perm);
}
char *sys_acl_to_text( SMB_ACL_T acl, ssize_t *plen)
{
return acl_to_text( acl, plen);
}
#elif defined(HAVE_SOLARIS_ACLS)
#elif defined(HAVE_IRIX_ACLS)
@ -119,4 +146,24 @@ int sys_acl_free( void *obj_p)
{
return -1;
}
int sys_acl_clear_perms(SMB_ACL_PERMSET_T permset)
{
return -1;
}
int sys_acl_add_perm( SMB_ACL_PERMSET_T permset, SMB_ACL_PERM_T perm)
{
return -1;
}
int sys_acl_get_perm( SMB_ACL_PERMSET_T permset, SMB_ACL_PERM_T perm)
{
return (permset & perm) ? 1 : 0;
}
char *sys_acl_to_text( SMB_ACL_T acl, ssize_t *plen)
{
return NULL;
}
#endif /* No ACLs. */

97
source3/smbd/posix_acls.c
View File

@ -25,7 +25,7 @@
typedef struct canon_ace {
struct canon_ace *next, *prev;
SMB_ACL_TAG_T type;
SMB_ACL_PERMSET_T perms;
mode_t perms;
DOM_SID sid;
} canon_ace;
@ -50,9 +50,9 @@ static SEC_ACCESS map_canon_ace_perms(int *pacl_type, DOM_SID *powner_sid, canon
*pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED;
if((ace->perms & (SMB_ACL_READ|SMB_ACL_WRITE|SMB_ACL_EXECUTE)) == (SMB_ACL_READ|SMB_ACL_WRITE|SMB_ACL_EXECUTE)) {
nt_mask = UNIX_ACCESS_RWX;
} else if((ace->perms & (SMB_ACL_READ|SMB_ACL_WRITE|SMB_ACL_EXECUTE)) == 0) {
if((ace->perms & (S_IRWXU|S_IWUSR|S_IXUSR)) == (S_IRWXU|S_IWUSR|S_IXUSR)) {
nt_mask = UNIX_ACCESS_RWX;
} else if((ace->perms & (S_IRWXU|S_IWUSR|S_IXUSR)) == 0) {
/*
* Here we differentiate between the owner and any other user.
*/
@ -63,10 +63,14 @@ static SEC_ACCESS map_canon_ace_perms(int *pacl_type, DOM_SID *powner_sid, canon
nt_mask = 0;
}
} else {
nt_mask |= (ace->perms & SMB_ACL_READ) ? UNIX_ACCESS_R : 0;
nt_mask |= (ace->perms & SMB_ACL_WRITE) ? UNIX_ACCESS_W : 0;
nt_mask |= (ace->perms & SMB_ACL_EXECUTE) ? UNIX_ACCESS_X : 0;
nt_mask |= ((ace->perms & S_IRWXU) ? UNIX_ACCESS_R : 0 );
nt_mask |= ((ace->perms & S_IWUSR) ? UNIX_ACCESS_W : 0 );
nt_mask |= ((ace->perms & S_IXUSR) ? UNIX_ACCESS_X : 0 );
}
DEBUG(10,("map_canon_ace_perms: Mapped (UNIX) %x to (NT) %x\n",
(unsigned int)ace->perms, (unsigned int)nt_mask ));
init_sec_access(&sa,nt_mask);
return sa;
}
@ -305,13 +309,31 @@ static BOOL unpack_nt_permissions(SMB_STRUCT_STAT *psbuf, uid_t *puser, gid_t *p
Map generic UNIX permissions to POSIX ACL perms.
****************************************************************************/
static SMB_ACL_PERMSET_T unix_perms_to_acl_perms(mode_t mode, int r_mask, int w_mask, int x_mask)
static mode_t convert_permset_to_mode_t(SMB_ACL_PERMSET_T permset)
{
SMB_ACL_PERMSET_T ret = 0;
mode_t ret = 0;
ret |= (mode & r_mask) ? SMB_ACL_READ : 0;
ret |= (mode & w_mask) ? SMB_ACL_WRITE : 0;
ret |= (mode & x_mask) ? SMB_ACL_EXECUTE : 0;
ret |= (sys_acl_get_perm(permset, SMB_ACL_READ) ? S_IRUSR : 0);
ret |= (sys_acl_get_perm(permset, SMB_ACL_WRITE) ? S_IWUSR : 0);
ret |= (sys_acl_get_perm(permset, SMB_ACL_EXECUTE) ? S_IXUSR : 0);
return ret;
}
/****************************************************************************
Map generic UNIX permissions to POSIX ACL perms.
****************************************************************************/
static mode_t unix_perms_to_acl_perms(mode_t mode, int r_mask, int w_mask, int x_mask)
{
mode_t ret = 0;
if (mode & r_mask)
ret |= S_IRUSR;
if (mode & w_mask)
ret |= S_IWUSR;
if (mode & x_mask)
ret |= S_IXUSR;
return ret;
}
@ -380,7 +402,7 @@ static canon_ace *unix_canonicalise_acl(files_struct *fsp, SMB_STRUCT_STAT *psbu
group_ace->type = SMB_ACL_GROUP_OBJ;
group_ace->sid = *pgroup;
other_ace->type = SMB_ACL_OTHER_OBJ;
other_ace->type = SMB_ACL_OTHER;
other_ace->sid = global_sid_World;
if (!fsp->is_directory) {
@ -418,7 +440,7 @@ static canon_ace *unix_canonicalise_acl(files_struct *fsp, SMB_STRUCT_STAT *psbu
static canon_ace *canonicalise_acl( SMB_ACL_T posix_acl, SMB_STRUCT_STAT *psbuf)
{
extern DOM_SID global_sid_World;
SMB_ACL_PERMSET_T acl_mask = (SMB_ACL_READ|SMB_ACL_WRITE|SMB_ACL_EXECUTE);
mode_t acl_mask = (S_IRUSR|S_IWUSR|S_IXUSR);
canon_ace *list_head = NULL;
canon_ace *ace = NULL;
canon_ace *next_ace = NULL;
@ -472,16 +494,16 @@ static canon_ace *canonicalise_acl( SMB_ACL_T posix_acl, SMB_STRUCT_STAT *psbuf)
break;
}
case SMB_ACL_MASK:
acl_mask = permset;
acl_mask = convert_permset_to_mode_t(permset);
continue; /* Don't count the mask as an entry. */
case SMB_ACL_OTHER_OBJ:
case SMB_ACL_OTHER:
/* Use the Everyone SID */
sid = global_sid_World;
break;
default:
DEBUG(0,("canonicalise_acl: Unknown tagtype %u\n", (unsigned int)tagtype));
continue;
}
}
/*
* Add this entry to the list.
@ -492,7 +514,7 @@ static canon_ace *canonicalise_acl( SMB_ACL_T posix_acl, SMB_STRUCT_STAT *psbuf)
ZERO_STRUCTP(ace);
ace->type = tagtype;
ace->perms = permset;
ace->perms = convert_permset_to_mode_t(permset);
ace->sid = sid;
DLIST_ADD(list_head, ace);
@ -500,30 +522,27 @@ static canon_ace *canonicalise_acl( SMB_ACL_T posix_acl, SMB_STRUCT_STAT *psbuf)
/*
* Now go through the list, masking the permissions with the
* acl_mask. If the permissions are 0 and the type is ACL_USER
* or ACL_GROUP then it's a DENY entry and should be listed
* first. If the permissions are 0 and the type is ACL_USER_OBJ,
* ACL_GROUP_OBJ or ACL_OTHER_OBJ then remove the entry as they
* can never apply.
* acl_mask. If the permissions are 0 it should be listed
* first.
*/
for ( ace = list_head; ace; ace = next_ace) {
next_ace = ace->next;
ace->perms &= acl_mask;
if (ace->perms == 0) {
switch (ace->type) {
case SMB_ACL_USER_OBJ:
case SMB_ACL_GROUP_OBJ:
case SMB_ACL_OTHER_OBJ:
DLIST_REMOVE(list_head, ace);
break;
case SMB_ACL_USER:
case SMB_ACL_GROUP:
DLIST_PROMOTE(list_head, ace);
break;
}
}
/* Masks are only applied to entries other than USER_OBJ and OTHER. */
if (ace->type != SMB_ACL_OTHER && ace->type != SMB_ACL_USER_OBJ)
ace->perms &= acl_mask;
if (ace->perms == 0)
DLIST_PROMOTE(list_head, ace);
}
if( DEBUGLVL( 10 ) ) {
char *acl_text = sys_acl_to_text( posix_acl, NULL);
dbgtext("canonicalize_acl: processed acl %s\n", acl_text == NULL ? "NULL" : acl_text );
if (acl_text)
sys_acl_free(acl_text);
}
return list_head;
@ -590,6 +609,10 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
posix_acl = sys_acl_get_fd(fsp->fd);
}
DEBUG(5,("get_nt_acl : file ACL %s, directory ACL %s\n",
posix_acl ? "present" : "absent",
dir_acl ? "present" : "absent" ));
/*
* Get the owner, group and world SIDs.
*/