Start moving us closer to passing S4 RAW-ACL test using the vfs_acl_xattr module. Inheritance fails at the moment though.

Jeremy.

source3/include/proto.h

@@ -8317,6 +8317,7 @@ void reply_pipe_close(connection_struct *conn, struct smb_request *req);
 
 /* The following definitions come from smbd/posix_acls.c  */
 
+void create_file_sids(const SMB_STRUCT_STAT *psbuf, DOM_SID *powner_sid, DOM_SID *pgroup_sid);
 NTSTATUS unpack_nt_owners(int snum, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, const SEC_DESC *psd);
 SMB_ACL_T free_empty_sys_acl(connection_struct *conn, SMB_ACL_T the_acl);
 NTSTATUS posix_fget_nt_acl(struct files_struct *fsp, uint32_t security_info,

source3/modules/vfs_acl_xattr.c

@@ -422,6 +422,11 @@ static NTSTATUS fget_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
 	NTSTATUS status = get_nt_acl_xattr_internal(handle, fsp,
 				NULL, security_info, ppdesc);
 	if (NT_STATUS_IS_OK(status)) {
+		if (DEBUGLEVEL >= 10) {
+			DEBUG(10,("fget_nt_acl_xattr: returning xattr sd for file %s\n",
+				fsp->fsp_name));
+			NDR_PRINT_DEBUG(security_descriptor, *ppdesc);
+		}
 		return NT_STATUS_OK;
 	}
 	return SMB_VFS_NEXT_FGET_NT_ACL(handle, fsp,
@@ -434,6 +439,11 @@ static NTSTATUS get_nt_acl_xattr(vfs_handle_struct *handle,
 	NTSTATUS status = get_nt_acl_xattr_internal(handle, NULL,
 				name, security_info, ppdesc);
 	if (NT_STATUS_IS_OK(status)) {
+		if (DEBUGLEVEL >= 10) {
+			DEBUG(10,("get_nt_acl_xattr: returning xattr sd for file %s\n",
+				name));
+			NDR_PRINT_DEBUG(security_descriptor, *ppdesc);
+		}
 		return NT_STATUS_OK;
 	}
 	return SMB_VFS_NEXT_GET_NT_ACL(handle, name,
@@ -446,11 +456,46 @@ static NTSTATUS fset_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
 	NTSTATUS status;
 	DATA_BLOB blob;
 
+	if (DEBUGLEVEL >= 10) {
+		DEBUG(10,("fset_nt_acl_xattr: incoming sd for file %s\n",
+			fsp->fsp_name));
+		NDR_PRINT_DEBUG(security_descriptor,
+			CONST_DISCARD(SEC_DESC *,psd));
+	}
+
 	status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
 
+	/* Ensure owner and group are set. */
+	if (!psd->owner_sid || !psd->group_sid) {
+		int ret;
+		SMB_STRUCT_STAT sbuf;
+		DOM_SID owner_sid, group_sid;
+		SEC_DESC *nc_psd = dup_sec_desc(talloc_tos(), psd);
+
+		if (!nc_psd) {
+			return NT_STATUS_OK;
+		}
+		if (fsp->is_directory || fsp->fh->fd == -1) {
+			ret = SMB_VFS_STAT(fsp->conn,fsp->fsp_name, &sbuf);
+		} else {
+			ret = SMB_VFS_FSTAT(fsp, &sbuf);
+		}
+		if (ret == -1) {
+			/* Lower level acl set succeeded,
+			 * so still return OK. */
+			return NT_STATUS_OK;
+		}
+		create_file_sids(&sbuf, &owner_sid, &group_sid);
+		/* This is safe as nc_psd is discarded at fn exit. */
+		nc_psd->owner_sid = &owner_sid;
+		nc_psd->group_sid = &group_sid;
+		security_info_sent |= (OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION);
+		psd = nc_psd;
+	}
+
 	if ((security_info_sent & DACL_SECURITY_INFORMATION) &&
 			psd->dacl != NULL &&
 			(psd->type & (SE_DESC_DACL_AUTO_INHERITED|
@@ -467,6 +512,12 @@ static NTSTATUS fset_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
 		psd = new_psd;
 	}
 
+	if (DEBUGLEVEL >= 10) {
+		DEBUG(10,("fset_nt_acl_xattr: storing xattr sd for file %s\n",
+			fsp->fsp_name));
+		NDR_PRINT_DEBUG(security_descriptor,
+			CONST_DISCARD(SEC_DESC *,psd));
+	}
 	create_acl_blob(psd, &blob);
 	store_acl_blob_fsp(fsp, &blob);
 

source3/smbd/open.c

@@ -1206,6 +1206,15 @@ NTSTATUS open_file_ntcreate(connection_struct *conn,
 		   create_disposition, create_options, unx_mode,
 		   oplock_request));
 
+	if ((access_mask & FILE_READ_DATA)||(access_mask & FILE_WRITE_DATA)) {
+		DEBUG(10, ("open_file_ntcreate: adding FILE_READ_ATTRIBUTES "
+			"to requested access_mask 0x%x, new mask 0x%x",
+			access_mask,
+			access_mask | FILE_READ_ATTRIBUTES ));
+
+		access_mask |= FILE_READ_ATTRIBUTES;
+	}
+
 	if ((req == NULL) && ((oplock_request & INTERNAL_OPEN_ONLY) == 0)) {
 		DEBUG(0, ("No smb request but not an internal only open!\n"));
 		return NT_STATUS_INTERNAL_ERROR;

source3/smbd/posix_acls.c

@@ -725,7 +725,7 @@ static int map_acl_perms_to_permset(connection_struct *conn, mode_t mode, SMB_AC
  Function to create owner and group SIDs from a SMB_STRUCT_STAT.
 ****************************************************************************/
 
-static void create_file_sids(const SMB_STRUCT_STAT *psbuf, DOM_SID *powner_sid, DOM_SID *pgroup_sid)
+void create_file_sids(const SMB_STRUCT_STAT *psbuf, DOM_SID *powner_sid, DOM_SID *pgroup_sid)
 {
 	uid_to_sid( powner_sid, psbuf->st_uid );
 	gid_to_sid( pgroup_sid, psbuf->st_gid );