From b90af886a951b7b049ed7a42e6d99c332e43897b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 5 Oct 2000 19:04:41 +0000 Subject: [PATCH] Vector get_nt_acl/set_nt_acl via vfs. POSIX ACL support should be added above this layer. Jeremy. --- source/include/rpc_secdes.h | 20 ++++++++- source/include/vfs.h | 86 ++++++++++++++++++++++++++++++++----- source/smbd/nttrans.c | 5 ++- source/smbd/unix_acls.c | 32 +++++++++----- source/smbd/vfs-wrap.c | 12 +----- source/smbd/vfs.c | 43 ++++++++++++++++--- 6 files changed, 160 insertions(+), 38 deletions(-) diff --git a/source/include/rpc_secdes.h b/source/include/rpc_secdes.h index 9acc4511e89..a5c5758434f 100644 --- a/source/include/rpc_secdes.h +++ b/source/include/rpc_secdes.h @@ -74,14 +74,17 @@ #define SACL_SECURITY_INFORMATION 0x00000008 - +#ifndef _SEC_ACCESS /* SEC_ACCESS */ typedef struct security_info_info { uint32 mask; } SEC_ACCESS; +#define _SEC_ACCESS +#endif +#ifndef _SEC_ACE /* SEC_ACE */ typedef struct security_ace_info { @@ -93,9 +96,14 @@ typedef struct security_ace_info DOM_SID sid; } SEC_ACE; +#define _SEC_ACE +#endif +#ifndef ACL_REVISION #define ACL_REVISION 0x3 +#endif +#ifndef _SEC_ACL /* SEC_ACL */ typedef struct security_acl_info { @@ -106,9 +114,14 @@ typedef struct security_acl_info SEC_ACE *ace; } SEC_ACL; +#define _SEC_ACL +#endif +#ifndef SEC_DESC_REVISION #define SEC_DESC_REVISION 0x1 +#endif +#ifndef _SEC_DESC /* SEC_DESC */ typedef struct security_descriptor_info { @@ -126,7 +139,10 @@ typedef struct security_descriptor_info DOM_SID *grp_sid; } SEC_DESC; +#define _SEC_DESC +#endif +#ifndef _SEC_DESC_BUF /* SEC_DESC_BUF */ typedef struct sec_desc_buf_info { @@ -137,5 +153,7 @@ typedef struct sec_desc_buf_info SEC_DESC *sec; } SEC_DESC_BUF; +#define _SEC_DESC_BUF +#endif #endif /* _RPC_SECDES_H */ diff --git a/source/include/vfs.h b/source/include/vfs.h index 840377627b7..bb2239bf285 100644 --- a/source/include/vfs.h +++ b/source/include/vfs.h @@ -99,6 +99,74 @@ typedef struct sid_info #define _DOM_SID #endif +#ifndef _SEC_ACCESS +/* SEC_ACCESS */ +typedef struct security_info_info +{ + uint32 mask; + +} SEC_ACCESS; +#define _SEC_ACCESS +#endif + +#ifndef _SEC_ACE +/* SEC_ACE */ +typedef struct security_ace_info +{ + uint8 type; /* xxxx_xxxx_ACE_TYPE - e.g allowed / denied etc */ + uint8 flags; /* xxxx_INHERIT_xxxx - e.g OBJECT_INHERIT_ACE */ + uint16 size; + + SEC_ACCESS info; + DOM_SID sid; + +} SEC_ACE; +#define _SEC_ACE +#endif + +#ifndef ACL_REVISION +#define ACL_REVISION 0x3 +#endif + +#ifndef _SEC_ACL +/* SEC_ACL */ +typedef struct security_acl_info +{ + uint16 revision; /* 0x0003 */ + uint16 size; /* size in bytes of the entire ACL structure */ + uint32 num_aces; /* number of Access Control Entries */ + + SEC_ACE *ace; + +} SEC_ACL; +#define _SEC_ACL +#endif + +#ifndef SEC_DESC_REVISION +#define SEC_DESC_REVISION 0x1 +#endif + +#ifndef _SEC_DESC +/* SEC_DESC */ +typedef struct security_descriptor_info +{ + uint16 revision; /* 0x0001 */ + uint16 type; /* SEC_DESC_xxxx flags */ + + uint32 off_owner_sid; /* offset to owner sid */ + uint32 off_grp_sid ; /* offset to group sid */ + uint32 off_sacl ; /* offset to system list of permissions */ + uint32 off_dacl ; /* offset to list of permissions */ + + SEC_ACL *dacl; /* user ACL */ + SEC_ACL *sacl; /* system ACL */ + DOM_SID *owner_sid; + DOM_SID *grp_sid; + +} SEC_DESC; +#define _SEC_DESC +#endif + /* * The complete list of SIDS belonging to this user. * Created when a vuid is registered. @@ -112,6 +180,12 @@ typedef struct _nt_user_token { #define _NT_USER_TOKEN #endif +/* Avoid conflict with an AIX include file */ + +#ifdef vfs_ops +#undef vfs_ops +#endif + /* Information from the connection_struct passed to the vfs layer */ struct vfs_connection_struct { @@ -144,20 +218,13 @@ struct vfs_connection_struct { NT_USER_TOKEN *nt_user_token; }; -/* Avoid conflict with an AIX include file */ - -#ifdef vfs_ops -#undef vfs_ops -#endif - /* VFS operations structure */ struct vfs_ops { /* Disk operations */ - int (*connect)(struct vfs_connection_struct *conn, char *service, - char *user); + int (*connect)(struct vfs_connection_struct *conn, char *service, char *user); void (*disconnect)(void); SMB_BIG_UINT (*disk_free)(char *path, BOOL small_query, SMB_BIG_UINT *bsize, SMB_BIG_UINT *dfree, SMB_BIG_UINT *dsize); @@ -190,12 +257,11 @@ struct vfs_ops { int (*utime)(char *path, struct utimbuf *times); int (*ftruncate)(int fd, SMB_OFF_T offset); BOOL (*lock)(int fd, int op, SMB_OFF_T offset, SMB_OFF_T count, int type); -#if 0 + size_t (*fget_nt_acl)(int fd, SEC_DESC **ppdesc); size_t (*get_nt_acl)(char *name, SEC_DESC **ppdesc); BOOL (*fset_nt_acl)(int fd, uint32 security_info_sent, SEC_DESC *psd); BOOL (*set_nt_acl)(char *name, uint32 security_info_sent, SEC_DESC *psd); -#endif }; struct vfs_options { diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c index 1599f01aa5b..95010cddc84 100644 --- a/source/smbd/nttrans.c +++ b/source/smbd/nttrans.c @@ -1611,6 +1611,7 @@ static int call_nt_transact_set_security_desc(connection_struct *conn, files_struct *fsp = NULL; uint32 security_info_sent = 0; TALLOC_CTX *mem_ctx; + BOOL ret; if(!lp_nt_acl_support()) return(UNIXERROR(ERRDOS,ERRnoaccess)); @@ -1659,7 +1660,9 @@ security descriptor.\n")); return(UNIXERROR(ERRDOS,ERRnoaccess)); } - if (!set_nt_acl(fsp, security_info_sent, psd)) { + ret = set_nt_acl( fsp, security_info_sent, psd); + + if (!ret) { free_sec_desc(&psd); talloc_destroy(mem_ctx); return(UNIXERROR(ERRDOS,ERRnoaccess)); diff --git a/source/smbd/unix_acls.c b/source/smbd/unix_acls.c index 48f6163596d..a564ec9ee5a 100644 --- a/source/smbd/unix_acls.c +++ b/source/smbd/unix_acls.c @@ -59,6 +59,7 @@ static SEC_ACCESS map_unix_perms( int *pacl_type, mode_t perm, int r_mask, int w return sa; } +#if 0 /**************************************************************************** Validate a SID. ****************************************************************************/ @@ -88,6 +89,7 @@ static BOOL validate_unix_sid( DOM_SID *psid, uint32 *prid, DOM_SID *sd_sid) return True; } +#endif /**************************************************************************** Map NT perms to UNIX. @@ -350,6 +352,15 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc) sid_copy( &group_sid, &global_sid_World); } else { + /* + * If there is a VFS redirect, use it. + */ + + if ((fsp->is_directory || fsp->fd == -1) && fsp->conn->vfs_ops.get_nt_acl) + return fsp->conn->vfs_ops.get_nt_acl(dos_to_unix(fsp->fsp_name, False), ppdesc); + else if (fsp->conn->vfs_ops.fget_nt_acl) + return fsp->conn->vfs_ops.fget_nt_acl(fsp->fd, ppdesc); + if(fsp->is_directory || fsp->fd == -1) { if(vfs_stat(fsp->conn,fsp->fsp_name, &sbuf) != 0) { return 0; @@ -451,23 +462,24 @@ BOOL set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd) SMB_STRUCT_STAT sbuf; BOOL got_dacl = False; + /* + * If there is a VFS redirect, use it. + */ + + if ((fsp->is_directory || fsp->fd == -1) && fsp->conn->vfs_ops.set_nt_acl) + return fsp->conn->vfs_ops.set_nt_acl(dos_to_unix(fsp->fsp_name, False), security_info_sent, psd); + else if (fsp->conn->vfs_ops.fset_nt_acl) + return fsp->conn->vfs_ops.fset_nt_acl(fsp->fd, security_info_sent, psd); + /* * Get the current state of the file. */ - if(fsp->is_directory) { + if(fsp->is_directory || fsp->fd == -1) { if(vfs_stat(fsp->conn,fsp->fsp_name, &sbuf) != 0) return False; } else { - - int ret; - - if(fsp->fd == -1) - ret = vfs_stat(fsp->conn,fsp->fsp_name,&sbuf); - else - ret = conn->vfs_ops.fstat(fsp->fd,&sbuf); - - if(ret != 0) + if(conn->vfs_ops.fstat(fsp->fd,&sbuf) != 0) return False; } diff --git a/source/smbd/vfs-wrap.c b/source/smbd/vfs-wrap.c index 12ba9bda841..d19be7fb71d 100644 --- a/source/smbd/vfs-wrap.c +++ b/source/smbd/vfs-wrap.c @@ -1,7 +1,7 @@ /* Unix SMB/Netbios implementation. Version 1.9. -s Wrap disk only vfs functions to sidestep dodgy compilers. + Wrap disk only vfs functions to sidestep dodgy compilers. Copyright (C) Tim Potter 1998 This program is free software; you can redistribute it and/or modify @@ -346,13 +346,3 @@ BOOL vfswrap_lock(int fd, int op, SMB_OFF_T offset, SMB_OFF_T count, int type) { return fcntl_lock(fd, op, offset, count,type); } - -#if 0 -size_t vfswrap_get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc) -{ -} - -BOOL vfswrap_set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd) -{ -} -#endif diff --git a/source/smbd/vfs.c b/source/smbd/vfs.c index 097f51d2173..4a4b1b2cfa4 100644 --- a/source/smbd/vfs.c +++ b/source/smbd/vfs.c @@ -69,11 +69,11 @@ struct vfs_ops default_vfs_ops = { vfswrap_getwd, vfswrap_utime, vfswrap_ftruncate, - vfswrap_lock, -#if 0 - vfswrap_get_nt_acl, - vfswrap_set_nt_acl -#endif + vfswrap_lock, + NULL, /* The 4 security descriptor functions are not defined by default. */ + NULL, + NULL, + NULL }; /**************************************************************************** @@ -219,6 +219,14 @@ BOOL vfs_init_custom(connection_struct *conn) conn->vfs_ops.chown = default_vfs_ops.chown; } + if (conn->vfs_ops.chdir == NULL) { + conn->vfs_ops.chdir = default_vfs_ops.chdir; + } + + if (conn->vfs_ops.getwd == NULL) { + conn->vfs_ops.getwd = default_vfs_ops.getwd; + } + if (conn->vfs_ops.utime == NULL) { conn->vfs_ops.utime = default_vfs_ops.utime; } @@ -230,6 +238,22 @@ BOOL vfs_init_custom(connection_struct *conn) if (conn->vfs_ops.lock == NULL) { conn->vfs_ops.lock = default_vfs_ops.lock; } + + if (conn->vfs_ops.fget_nt_acl == NULL) { + conn->vfs_ops.fget_nt_acl = default_vfs_ops.fget_nt_acl; + } + + if (conn->vfs_ops.get_nt_acl == NULL) { + conn->vfs_ops.get_nt_acl = default_vfs_ops.get_nt_acl; + } + + if (conn->vfs_ops.fset_nt_acl == NULL) { + conn->vfs_ops.fset_nt_acl = default_vfs_ops.fset_nt_acl; + } + + if (conn->vfs_ops.set_nt_acl == NULL) { + conn->vfs_ops.set_nt_acl = default_vfs_ops.set_nt_acl; + } return True; } @@ -244,6 +268,15 @@ int vfs_stat(connection_struct *conn, char *fname, SMB_STRUCT_STAT *st) return(conn->vfs_ops.stat(dos_to_unix(fname,False),st)); } +/******************************************************************* + vfs fstat wrapper that calls dos_to_unix. +********************************************************************/ + +int vfs_fstat(connection_struct *conn, int fd, SMB_STRUCT_STAT *st) +{ + return(conn->vfs_ops.fstat(fd,st)); +} + /******************************************************************* Check if directory exists. ********************************************************************/