mirror of
https://github.com/samba-team/samba.git
synced 2025-02-24 13:57:43 +03:00
Remove the setting of the inherited ACL on new files/directories. This is
now done correctly in the main codepath. The vfs_acl_XXXX modules are now thin shims that simply store/retrieve ACLs as they should be.
This commit is contained in:
Jeremy Allison
parent
de3ab9bd05
commit
7ef4d08a98
@ -444,126 +444,6 @@ static NTSTATUS get_nt_acl_internal(vfs_handle_struct *handle,
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
/*********************************************************************
|
||||
Create a default ACL by inheriting from the parent. If no inheritance
|
||||
from the parent available, don't set anything. This will leave the actual
|
||||
permissions the new file or directory already got from the filesystem
|
||||
as the NT ACL when read.
|
||||
*********************************************************************/
|
||||
|
||||
static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
|
||||
files_struct *fsp,
|
||||
struct security_descriptor *parent_desc,
|
||||
bool is_directory)
|
||||
{
|
||||
TALLOC_CTX *ctx = talloc_tos();
|
||||
NTSTATUS status = NT_STATUS_OK;
|
||||
struct security_descriptor *psd = NULL;
|
||||
struct dom_sid *owner_sid = NULL;
|
||||
struct dom_sid *group_sid = NULL;
|
||||
uint32_t security_info_sent = (SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL);
|
||||
bool inherit_owner = lp_inherit_owner(SNUM(handle->conn));
|
||||
bool inheritable_components = sd_has_inheritable_components(parent_desc,
|
||||
is_directory);
|
||||
size_t size;
|
||||
|
||||
if (!inheritable_components && !inherit_owner) {
|
||||
/* Nothing to inherit and not setting owner. */
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
/* Create an inherited descriptor from the parent. */
|
||||
|
||||
if (DEBUGLEVEL >= 10) {
|
||||
DEBUG(10,("inherit_new_acl: parent acl for %s is:\n",
|
||||
fsp_str_dbg(fsp) ));
|
||||
NDR_PRINT_DEBUG(security_descriptor, parent_desc);
|
||||
}
|
||||
|
||||
/* Inherit from parent descriptor if "inherit owner" set. */
|
||||
if (inherit_owner) {
|
||||
owner_sid = parent_desc->owner_sid;
|
||||
group_sid = parent_desc->group_sid;
|
||||
}
|
||||
|
||||
if (owner_sid == NULL) {
|
||||
owner_sid = &handle->conn->session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
|
||||
}
|
||||
if (group_sid == NULL) {
|
||||
group_sid = &handle->conn->session_info->security_token->sids[PRIMARY_GROUP_SID_INDEX];
|
||||
}
|
||||
|
||||
status = se_create_child_secdesc(ctx,
|
||||
&psd,
|
||||
&size,
|
||||
parent_desc,
|
||||
owner_sid,
|
||||
group_sid,
|
||||
is_directory);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
return status;
|
||||
}
|
||||
|
||||
/* If inheritable_components == false,
|
||||
se_create_child_secdesc()
|
||||
creates a security desriptor with a NULL dacl
|
||||
entry, but with SEC_DESC_DACL_PRESENT. We need
|
||||
to remove that flag. */
|
||||
|
||||
if (!inheritable_components) {
|
||||
security_info_sent &= ~SECINFO_DACL;
|
||||
psd->type &= ~SEC_DESC_DACL_PRESENT;
|
||||
}
|
||||
|
||||
if (DEBUGLEVEL >= 10) {
|
||||
DEBUG(10,("inherit_new_acl: child acl for %s is:\n",
|
||||
fsp_str_dbg(fsp) ));
|
||||
NDR_PRINT_DEBUG(security_descriptor, psd);
|
||||
}
|
||||
|
||||
if (inherit_owner) {
|
||||
/* We need to be root to force this. */
|
||||
become_root();
|
||||
}
|
||||
status = SMB_VFS_FSET_NT_ACL(fsp,
|
||||
security_info_sent,
|
||||
psd);
|
||||
if (inherit_owner) {
|
||||
unbecome_root();
|
||||
}
|
||||
return status;
|
||||
}
|
||||
|
||||
static NTSTATUS get_parent_acl_common(vfs_handle_struct *handle,
|
||||
const char *path,
|
||||
struct security_descriptor **pp_parent_desc)
|
||||
{
|
||||
char *parent_name = NULL;
|
||||
NTSTATUS status;
|
||||
|
||||
if (!parent_dirname(talloc_tos(), path, &parent_name, NULL)) {
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
status = get_nt_acl_internal(handle,
|
||||
NULL,
|
||||
parent_name,
|
||||
(SECINFO_OWNER |
|
||||
SECINFO_GROUP |
|
||||
SECINFO_DACL),
|
||||
pp_parent_desc);
|
||||
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(10,("get_parent_acl_common: get_nt_acl_internal "
|
||||
"on directory %s for "
|
||||
"path %s returned %s\n",
|
||||
parent_name,
|
||||
path,
|
||||
nt_errstr(status) ));
|
||||
}
|
||||
return status;
|
||||
}
|
||||
|
||||
/*********************************************************************
|
||||
Fetch a security descriptor given an fsp.
|
||||
*********************************************************************/
|
||||
@ -778,108 +658,6 @@ static int rmdir_acl_common(struct vfs_handle_struct *handle,
|
||||
true);
|
||||
}
|
||||
|
||||
static NTSTATUS create_file_acl_common(struct vfs_handle_struct *handle,
|
||||
struct smb_request *req,
|
||||
uint16_t root_dir_fid,
|
||||
struct smb_filename *smb_fname,
|
||||
uint32_t access_mask,
|
||||
uint32_t share_access,
|
||||
uint32_t create_disposition,
|
||||
uint32_t create_options,
|
||||
uint32_t file_attributes,
|
||||
uint32_t oplock_request,
|
||||
uint64_t allocation_size,
|
||||
uint32_t private_flags,
|
||||
struct security_descriptor *sd,
|
||||
struct ea_list *ea_list,
|
||||
files_struct **result,
|
||||
int *pinfo)
|
||||
{
|
||||
NTSTATUS status, status1;
|
||||
files_struct *fsp = NULL;
|
||||
int info;
|
||||
struct security_descriptor *parent_sd = NULL;
|
||||
|
||||
status = SMB_VFS_NEXT_CREATE_FILE(handle,
|
||||
req,
|
||||
root_dir_fid,
|
||||
smb_fname,
|
||||
access_mask,
|
||||
share_access,
|
||||
create_disposition,
|
||||
create_options,
|
||||
file_attributes,
|
||||
oplock_request,
|
||||
allocation_size,
|
||||
private_flags,
|
||||
sd,
|
||||
ea_list,
|
||||
result,
|
||||
&info);
|
||||
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (info != FILE_WAS_CREATED) {
|
||||
/* File/directory was opened, not created. */
|
||||
goto out;
|
||||
}
|
||||
|
||||
fsp = *result;
|
||||
|
||||
if (fsp == NULL) {
|
||||
/* Only handle success. */
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (sd) {
|
||||
/* Security descriptor already set. */
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (fsp->base_fsp) {
|
||||
/* Stream open. */
|
||||
goto out;
|
||||
}
|
||||
|
||||
status = get_parent_acl_common(handle,
|
||||
fsp->fsp_name->base_name,
|
||||
&parent_sd);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (!parent_sd) {
|
||||
goto err;
|
||||
}
|
||||
|
||||
/* New directory - inherit from parent. */
|
||||
status1 = inherit_new_acl(handle, fsp, parent_sd, fsp->is_directory);
|
||||
|
||||
if (!NT_STATUS_IS_OK(status1)) {
|
||||
DEBUG(1,("create_file_acl_common: error setting "
|
||||
"sd for %s (%s)\n",
|
||||
fsp_str_dbg(fsp),
|
||||
nt_errstr(status1) ));
|
||||
}
|
||||
|
||||
out:
|
||||
|
||||
TALLOC_FREE(parent_sd);
|
||||
|
||||
if (NT_STATUS_IS_OK(status) && pinfo) {
|
||||
*pinfo = info;
|
||||
}
|
||||
return status;
|
||||
|
||||
err:
|
||||
|
||||
smb_panic("create_file_acl_common: logic error.\n");
|
||||
/* NOTREACHED */
|
||||
return status;
|
||||
}
|
||||
|
||||
static int unlink_acl_common(struct vfs_handle_struct *handle,
|
||||
const struct smb_filename *smb_fname)
|
||||
{
|
||||
|
||||
@ -401,7 +401,6 @@ static struct vfs_fn_pointers vfs_acl_tdb_fns = {
|
||||
.connect_fn = connect_acl_tdb,
|
||||
.disconnect = disconnect_acl_tdb,
|
||||
.rmdir = rmdir_acl_tdb,
|
||||
.create_file = create_file_acl_common,
|
||||
.unlink = unlink_acl_tdb,
|
||||
.chmod = chmod_acl_module_common,
|
||||
.fchmod = fchmod_acl_module_common,
|
||||
|
||||
@ -202,7 +202,6 @@ static int connect_acl_xattr(struct vfs_handle_struct *handle,
|
||||
static struct vfs_fn_pointers vfs_acl_xattr_fns = {
|
||||
.connect_fn = connect_acl_xattr,
|
||||
.rmdir = rmdir_acl_common,
|
||||
.create_file = create_file_acl_common,
|
||||
.unlink = unlink_acl_common,
|
||||
.chmod = chmod_acl_module_common,
|
||||
.fchmod = fchmod_acl_module_common,
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user