2025-01-13 13:18:06 +03:00 · 0001-01-01 00:00:00 +00:00 · 0001-01-01 00:00:00 +00:00 · b90af886a9
commit b90af886a9
parent 7914e9351a
6 changed files with 160 additions and 38 deletions
--- a/source/include/rpc_secdes.h
+++ b/source/include/rpc_secdes.h
@ -74,14 +74,17 @@
 #define SACL_SECURITY_INFORMATION  0x00000008


-
+#ifndef _SEC_ACCESS
 /* SEC_ACCESS */
 typedef struct security_info_info
 {
 	uint32 mask;

 } SEC_ACCESS;
+#define _SEC_ACCESS
+#endif

+#ifndef _SEC_ACE
 /* SEC_ACE */
 typedef struct security_ace_info
 {
@ -93,9 +96,14 @@ typedef struct security_ace_info
 	DOM_SID sid;

 } SEC_ACE;
+#define _SEC_ACE
+#endif

+#ifndef ACL_REVISION
 #define ACL_REVISION 0x3
+#endif

+#ifndef _SEC_ACL
 /* SEC_ACL */
 typedef struct security_acl_info
 {
@ -106,9 +114,14 @@ typedef struct security_acl_info
 	SEC_ACE *ace;

 } SEC_ACL;
+#define _SEC_ACL
+#endif

+#ifndef SEC_DESC_REVISION
 #define SEC_DESC_REVISION 0x1
+#endif

+#ifndef _SEC_DESC
 /* SEC_DESC */
 typedef struct security_descriptor_info
 {
@ -126,7 +139,10 @@ typedef struct security_descriptor_info
 	DOM_SID *grp_sid;

 } SEC_DESC;
+#define _SEC_DESC
+#endif

+#ifndef _SEC_DESC_BUF
 /* SEC_DESC_BUF */
 typedef struct sec_desc_buf_info
 {
@ -137,5 +153,7 @@ typedef struct sec_desc_buf_info
 	SEC_DESC *sec;

 } SEC_DESC_BUF;
+#define _SEC_DESC_BUF
+#endif

 #endif /* _RPC_SECDES_H */
--- a/source/include/vfs.h
+++ b/source/include/vfs.h
@ -99,6 +99,74 @@ typedef struct sid_info
 #define _DOM_SID
 #endif

+#ifndef _SEC_ACCESS
+/* SEC_ACCESS */
+typedef struct security_info_info
+{
+    uint32 mask;
+
+} SEC_ACCESS;
+#define _SEC_ACCESS
+#endif
+
+#ifndef _SEC_ACE
+/* SEC_ACE */
+typedef struct security_ace_info
+{
+    uint8 type;  /* xxxx_xxxx_ACE_TYPE - e.g allowed / denied etc */
+    uint8 flags; /* xxxx_INHERIT_xxxx - e.g OBJECT_INHERIT_ACE */
+    uint16 size;
+
+    SEC_ACCESS info;
+    DOM_SID sid;
+
+} SEC_ACE;
+#define _SEC_ACE
+#endif
+
+#ifndef ACL_REVISION
+#define ACL_REVISION 0x3
+#endif
+
+#ifndef _SEC_ACL
+/* SEC_ACL */
+typedef struct security_acl_info
+{
+    uint16 revision; /* 0x0003 */
+    uint16 size; /* size in bytes of the entire ACL structure */
+    uint32 num_aces; /* number of Access Control Entries */
+
+    SEC_ACE *ace;
+
+} SEC_ACL;
+#define _SEC_ACL
+#endif
+
+#ifndef SEC_DESC_REVISION
+#define SEC_DESC_REVISION 0x1
+#endif
+
+#ifndef _SEC_DESC
+/* SEC_DESC */
+typedef struct security_descriptor_info
+{
+    uint16 revision; /* 0x0001 */
+    uint16 type;     /* SEC_DESC_xxxx flags */
+
+    uint32 off_owner_sid; /* offset to owner sid */
+    uint32 off_grp_sid  ; /* offset to group sid */
+    uint32 off_sacl     ; /* offset to system list of permissions */
+    uint32 off_dacl     ; /* offset to list of permissions */
+
+    SEC_ACL *dacl; /* user ACL */
+    SEC_ACL *sacl; /* system ACL */
+    DOM_SID *owner_sid;
+    DOM_SID *grp_sid;
+
+} SEC_DESC;
+#define _SEC_DESC
+#endif
+
 /*
 * The complete list of SIDS belonging to this user.
 * Created when a vuid is registered.
@ -112,6 +180,12 @@ typedef struct _nt_user_token {
 #define _NT_USER_TOKEN
 #endif

+/* Avoid conflict with an AIX include file */
+
+#ifdef vfs_ops
+#undef vfs_ops
+#endif
+
 /* Information from the connection_struct passed to the vfs layer */

 struct vfs_connection_struct {
@ -144,20 +218,13 @@ struct vfs_connection_struct {
 	NT_USER_TOKEN *nt_user_token;
 };

-/* Avoid conflict with an AIX include file */
-
-#ifdef vfs_ops
-#undef vfs_ops
-#endif
-
 /* VFS operations structure */

 struct vfs_ops {

    /* Disk operations */
    
-    int (*connect)(struct vfs_connection_struct *conn, char *service, 
-		   char *user);
+    int (*connect)(struct vfs_connection_struct *conn, char *service, char *user);
    void (*disconnect)(void);
    SMB_BIG_UINT (*disk_free)(char *path, BOOL small_query, SMB_BIG_UINT *bsize, 
 			      SMB_BIG_UINT *dfree, SMB_BIG_UINT *dsize);
@ -190,12 +257,11 @@ struct vfs_ops {
    int (*utime)(char *path, struct utimbuf *times);
 	int (*ftruncate)(int fd, SMB_OFF_T offset);
 	BOOL (*lock)(int fd, int op, SMB_OFF_T offset, SMB_OFF_T count, int type);
-#if 0
+
 	size_t (*fget_nt_acl)(int fd, SEC_DESC **ppdesc);
 	size_t (*get_nt_acl)(char *name, SEC_DESC **ppdesc);
 	BOOL (*fset_nt_acl)(int fd, uint32 security_info_sent, SEC_DESC *psd);
 	BOOL (*set_nt_acl)(char *name, uint32 security_info_sent, SEC_DESC *psd);
-#endif
 };

 struct vfs_options {
--- a/source/smbd/nttrans.c
+++ b/source/smbd/nttrans.c
@ -1611,6 +1611,7 @@ static int call_nt_transact_set_security_desc(connection_struct *conn,
  files_struct *fsp = NULL;
  uint32 security_info_sent = 0;
  TALLOC_CTX *mem_ctx;
+  BOOL ret;

  if(!lp_nt_acl_support())
    return(UNIXERROR(ERRDOS,ERRnoaccess));
@ -1659,7 +1660,9 @@ security descriptor.\n"));
    return(UNIXERROR(ERRDOS,ERRnoaccess));
  }

-  if (!set_nt_acl(fsp, security_info_sent, psd)) {
+  ret = set_nt_acl( fsp, security_info_sent, psd);
+
+  if (!ret) {
 	free_sec_desc(&psd);
    talloc_destroy(mem_ctx);
 	return(UNIXERROR(ERRDOS,ERRnoaccess));
--- a/source/smbd/unix_acls.c
+++ b/source/smbd/unix_acls.c
@ -59,6 +59,7 @@ static SEC_ACCESS map_unix_perms( int *pacl_type, mode_t perm, int r_mask, int w
 	return sa;
 }

+#if 0
 /****************************************************************************
 Validate a SID.
 ****************************************************************************/
@ -88,6 +89,7 @@ static BOOL validate_unix_sid( DOM_SID *psid, uint32 *prid, DOM_SID *sd_sid)

  return True;
 }
+#endif

 /****************************************************************************
 Map NT perms to UNIX.
@ -350,6 +352,15 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
    sid_copy( &group_sid, &global_sid_World);
  } else {

+    /*
+     * If there is a VFS redirect, use it.
+     */
+
+    if ((fsp->is_directory || fsp->fd == -1) && fsp->conn->vfs_ops.get_nt_acl)
+      return fsp->conn->vfs_ops.get_nt_acl(dos_to_unix(fsp->fsp_name, False), ppdesc);
+    else if (fsp->conn->vfs_ops.fget_nt_acl)
+      return fsp->conn->vfs_ops.fget_nt_acl(fsp->fd, ppdesc);
+
    if(fsp->is_directory || fsp->fd == -1) {
      if(vfs_stat(fsp->conn,fsp->fsp_name, &sbuf) != 0) {
        return 0;
@ -451,23 +462,24 @@ BOOL set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
  SMB_STRUCT_STAT sbuf;  
  BOOL got_dacl = False;

+  /*
+   * If there is a VFS redirect, use it.
+   */
+
+  if ((fsp->is_directory || fsp->fd == -1) && fsp->conn->vfs_ops.set_nt_acl)
+    return fsp->conn->vfs_ops.set_nt_acl(dos_to_unix(fsp->fsp_name, False), security_info_sent, psd);
+  else if (fsp->conn->vfs_ops.fset_nt_acl)
+    return fsp->conn->vfs_ops.fset_nt_acl(fsp->fd, security_info_sent, psd);
+
  /*
   * Get the current state of the file.
   */

-  if(fsp->is_directory) {
+  if(fsp->is_directory || fsp->fd == -1) {
    if(vfs_stat(fsp->conn,fsp->fsp_name, &sbuf) != 0)
      return False;
  } else {
-
-    int ret;
-
-    if(fsp->fd == -1)
-      ret = vfs_stat(fsp->conn,fsp->fsp_name,&sbuf);
-    else
-      ret = conn->vfs_ops.fstat(fsp->fd,&sbuf);
-
-    if(ret != 0)
+    if(conn->vfs_ops.fstat(fsp->fd,&sbuf) != 0)
      return False;
  }

--- a/source/smbd/vfs-wrap.c
+++ b/source/smbd/vfs-wrap.c
@ -1,7 +1,7 @@
 /* 
   Unix SMB/Netbios implementation.
   Version 1.9.
-s   Wrap disk only vfs functions to sidestep dodgy compilers.
+   Wrap disk only vfs functions to sidestep dodgy compilers.
   Copyright (C) Tim Potter 1998
   
   This program is free software; you can redistribute it and/or modify
@ -346,13 +346,3 @@ BOOL vfswrap_lock(int fd, int op, SMB_OFF_T offset, SMB_OFF_T count, int type)
 {
 	return fcntl_lock(fd, op, offset, count,type);
 }
-
-#if 0
-size_t vfswrap_get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
-{
-}
-
-BOOL vfswrap_set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
-{
-}
-#endif
--- a/source/smbd/vfs.c
+++ b/source/smbd/vfs.c
@ -69,11 +69,11 @@ struct vfs_ops default_vfs_ops = {
    vfswrap_getwd,
    vfswrap_utime,
    vfswrap_ftruncate,
-	vfswrap_lock,
-#if 0
-	vfswrap_get_nt_acl,
-	vfswrap_set_nt_acl
-#endif
+    vfswrap_lock,
+    NULL, /* The 4 security descriptor functions are not defined by default. */
+    NULL,
+    NULL,
+    NULL
 };

 /****************************************************************************
@ -219,6 +219,14 @@ BOOL vfs_init_custom(connection_struct *conn)
 	conn->vfs_ops.chown = default_vfs_ops.chown;
    }
    
+    if (conn->vfs_ops.chdir == NULL) {
+	conn->vfs_ops.chdir = default_vfs_ops.chdir;
+    }
+
+    if (conn->vfs_ops.getwd == NULL) {
+	conn->vfs_ops.getwd = default_vfs_ops.getwd;
+    }
+    
    if (conn->vfs_ops.utime == NULL) {
 	conn->vfs_ops.utime = default_vfs_ops.utime;
    }
@ -230,6 +238,22 @@ BOOL vfs_init_custom(connection_struct *conn)
    if (conn->vfs_ops.lock == NULL) {
 	conn->vfs_ops.lock = default_vfs_ops.lock;
    }
+
+    if (conn->vfs_ops.fget_nt_acl == NULL) {
+	conn->vfs_ops.fget_nt_acl = default_vfs_ops.fget_nt_acl;
+    }
+
+    if (conn->vfs_ops.get_nt_acl == NULL) {
+	conn->vfs_ops.get_nt_acl = default_vfs_ops.get_nt_acl;
+    }
+
+    if (conn->vfs_ops.fset_nt_acl == NULL) {
+	conn->vfs_ops.fset_nt_acl = default_vfs_ops.fset_nt_acl;
+    }
+
+    if (conn->vfs_ops.set_nt_acl == NULL) {
+	conn->vfs_ops.set_nt_acl = default_vfs_ops.set_nt_acl;
+    }
    
    return True;
 }
@ -244,6 +268,15 @@ int vfs_stat(connection_struct *conn, char *fname, SMB_STRUCT_STAT *st)
 	return(conn->vfs_ops.stat(dos_to_unix(fname,False),st));
 } 

+/*******************************************************************
+ vfs fstat wrapper that calls dos_to_unix.
+********************************************************************/
+
+int vfs_fstat(connection_struct *conn, int fd, SMB_STRUCT_STAT *st)
+{
+	return(conn->vfs_ops.fstat(fd,st));
+} 
+
 /*******************************************************************
 Check if directory exists.
 ********************************************************************/