2025-01-11 05:18:09 +03:00 · 2008-11-01 03:15:59 +01:00 · 2008-11-01 03:15:59 +01:00 · c165770f94
commit c165770f94
parent 2c81fd70ca 54eaf2de74
11 changed files with 141 additions and 49 deletions
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@ -138,9 +138,9 @@ interface security

 	/* combinations of standard masks. */
 	const int STANDARD_RIGHTS_ALL_ACCESS		= SEC_STD_ALL; /* 0x001f0000 */
-	const int STANDARD_RIGHTS_MODIFY_ACCESS		= SEC_STD_READ_CONTROLS; /* 0x00020000 */
-	const int STANDARD_RIGHTS_EXECUTE_ACCESS	= SEC_STD_READ_CONTROLS; /* 0x00020000 */
-	const int STANDARD_RIGHTS_READ_ACCESS		= SEC_STD_READ_CONTROLS; /* 0x00020000 */
+	const int STANDARD_RIGHTS_MODIFY_ACCESS		= SEC_STD_READ_CONTROL; /* 0x00020000 */
+	const int STANDARD_RIGHTS_EXECUTE_ACCESS	= SEC_STD_READ_CONTROL; /* 0x00020000 */
+	const int STANDARD_RIGHTS_READ_ACCESS		= SEC_STD_READ_CONTROL; /* 0x00020000 */
 	const int STANDARD_RIGHTS_WRITE_ACCESS =
 		(SEC_STD_WRITE_OWNER		|
 		 SEC_STD_WRITE_DAC		|
--- a/source3/include/rpc_secdes.h
+++ b/source3/include/rpc_secdes.h
@ -146,21 +146,6 @@ struct standard_mapping {

 #define STD_RIGHT_ALL_ACCESS		0x001F0000

-/* Combinations of standard masks. */
-#define STANDARD_RIGHTS_ALL_ACCESS	STD_RIGHT_ALL_ACCESS /* 0x001f0000 */
-#define STANDARD_RIGHTS_MODIFY_ACCESS	STD_RIGHT_READ_CONTROL_ACCESS /* 0x00020000 */
-#define STANDARD_RIGHTS_EXECUTE_ACCESS	STD_RIGHT_READ_CONTROL_ACCESS /* 0x00020000 */
-#define STANDARD_RIGHTS_READ_ACCESS	STD_RIGHT_READ_CONTROL_ACCESS /* 0x00020000 */
-#define STANDARD_RIGHTS_WRITE_ACCESS \
-		(STD_RIGHT_WRITE_OWNER_ACCESS	| \
-		 STD_RIGHT_WRITE_DAC_ACCESS	| \
-		 STD_RIGHT_DELETE_ACCESS)	/* 0x000d0000 */
-#define STANDARD_RIGHTS_REQUIRED_ACCESS \
-		(STD_RIGHT_DELETE_ACCESS	| \
-		STD_RIGHT_READ_CONTROL_ACCESS	| \
-		STD_RIGHT_WRITE_DAC_ACCESS	| \
-		STD_RIGHT_WRITE_OWNER_ACCESS)	/* 0x000f0000 */
-
 /* File Object specific access rights */

 #define SA_RIGHT_FILE_READ_DATA		0x00000001
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@ -1228,7 +1228,7 @@ struct bitmap {
 #define FILE_GENERIC_WRITE (STD_RIGHT_READ_CONTROL_ACCESS|FILE_WRITE_DATA|FILE_WRITE_ATTRIBUTES|\
 							FILE_WRITE_EA|FILE_APPEND_DATA|SYNCHRONIZE_ACCESS)

-#define FILE_GENERIC_EXECUTE (STANDARD_RIGHTS_EXECUTE_ACCESS|\
+#define FILE_GENERIC_EXECUTE (STANDARD_RIGHTS_EXECUTE_ACCESS|FILE_READ_ATTRIBUTES|\
 								FILE_EXECUTE|SYNCHRONIZE_ACCESS)

 /* Share specific rights. */
--- a/source3/lib/secdesc.c
+++ b/source3/lib/secdesc.c
@ -529,7 +529,7 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,

 			/* First add the regular ACE entry. */
 			init_sec_ace(new_ace, ptrustee, ace->type,
-			     	ace->access_mask, SEC_ACE_FLAG_INHERITED_ACE);
+			     	ace->access_mask, 0);

 			DEBUG(5,("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x"
 				" inherited as %s:%d/0x%02x/0x%08x\n",
@ -549,7 +549,7 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
 		}

 		init_sec_ace(new_ace, ptrustee, ace->type,
-			     ace->access_mask, new_flags | SEC_ACE_FLAG_INHERITED_ACE);
+			     ace->access_mask, new_flags);

 		DEBUG(5, ("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x "
 			  " inherited as %s:%d/0x%02x/0x%08x\n",
@ -565,7 +565,7 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
 	/* Create child security descriptor to return */

 	new_dacl = make_sec_acl(ctx,
-				ACL_REVISION,
+				NT4_ACL_REVISION,
 				new_ace_list_ndx,
 				new_ace_list);

--- a/source3/lib/util_seaccess.c
+++ b/source3/lib/util_seaccess.c
@ -110,7 +110,7 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
 {
 	uint32_t denied = 0, granted = 0;
 	unsigned i;
-	
+
 	if (is_sid_in_token(token, sd->owner_sid)) {
 		granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_STD_DELETE;
 	} else if (user_has_privileges(token, &se_restore)) {
@ -120,7 +120,7 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
 	if (sd->dacl == NULL) {
 		return granted & ~denied;
 	}
-	
+
 	for (i = 0;i<sd->dacl->num_aces; i++) {
 		struct security_ace *ace = &sd->dacl->aces[i];

--- a/source3/librpc/gen_ndr/security.h
+++ b/source3/librpc/gen_ndr/security.h
@ -68,6 +68,12 @@
 #define SEC_RIGHTS_DIR_WRITE	( SEC_RIGHTS_FILE_WRITE )
 #define SEC_RIGHTS_DIR_EXECUTE	( SEC_RIGHTS_FILE_EXECUTE )
 #define SEC_RIGHTS_DIR_ALL	( SEC_RIGHTS_FILE_ALL )
+#define STANDARD_RIGHTS_ALL_ACCESS	( SEC_STD_ALL )
+#define STANDARD_RIGHTS_MODIFY_ACCESS	( SEC_STD_READ_CONTROL )
+#define STANDARD_RIGHTS_EXECUTE_ACCESS	( SEC_STD_READ_CONTROL )
+#define STANDARD_RIGHTS_READ_ACCESS	( SEC_STD_READ_CONTROL )
+#define STANDARD_RIGHTS_WRITE_ACCESS	( (SEC_STD_WRITE_OWNER|SEC_STD_WRITE_DAC|SEC_STD_DELETE) )
+#define STANDARD_RIGHTS_REQUIRED_ACCESS	( (SEC_STD_DELETE|SEC_STD_READ_CONTROL|SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER) )
 #define SID_NULL	( "S-1-0-0" )
 #define NAME_WORLD	( "WORLD" )
 #define SID_WORLD_DOMAIN	( "S-1-1" )
--- a/source3/modules/vfs_acl_xattr.c
+++ b/source3/modules/vfs_acl_xattr.c
@ -144,7 +144,7 @@ static NTSTATUS get_acl_blob(TALLOC_CTX *ctx,
 	return NT_STATUS_OK;
 }

-static NTSTATUS create_acl_blob(const SEC_DESC *psd, DATA_BLOB *pblob)
+static NTSTATUS create_acl_blob(const struct security_descriptor *psd, DATA_BLOB *pblob)
 {
 	struct xattr_NTACL xacl;
 	struct security_descriptor_timestamp sd_ts;
@ -163,7 +163,7 @@ static NTSTATUS create_acl_blob(const SEC_DESC *psd, DATA_BLOB *pblob)

 	xacl.version = 2;
 	xacl.info.sd_ts = &sd_ts;
-	xacl.info.sd_ts->sd = CONST_DISCARD(SEC_DESC *, psd);
+	xacl.info.sd_ts->sd = CONST_DISCARD(struct security_descriptor *, psd);
 	unix_timespec_to_nt_time(&xacl.info.sd_ts->last_changed, curr);

 	DEBUG(10, ("create_acl_blob: timestamp stored as %s\n",
@ -250,7 +250,7 @@ static NTSTATUS get_nt_acl_xattr_internal(vfs_handle_struct *handle,
 					files_struct *fsp,
 					const char *name,
 				        uint32 security_info,
-					SEC_DESC **ppdesc)
+					struct security_descriptor **ppdesc)
 {
 	TALLOC_CTX *ctx = talloc_tos();
 	DATA_BLOB blob;
@ -292,8 +292,50 @@ static NTSTATUS get_nt_acl_xattr_internal(vfs_handle_struct *handle,
 }

 /*********************************************************************
- * Currently this only works for existing files. Need to work on
- * inheritance for new files.
+ Create a default security descriptor for a file in case no inheritance
+ exists. All permissions to the owner and SYSTEM.
+*********************************************************************/
+
+static struct security_descriptor *default_file_sd(TALLOC_CTX *mem_ctx,
+						SMB_STRUCT_STAT *psbuf)
+{
+	struct dom_sid owner_sid, group_sid;
+	size_t sd_size;
+	struct security_ace *pace = NULL;
+	struct security_acl *pacl = NULL;
+
+	uid_to_sid(&owner_sid, psbuf->st_uid);
+	gid_to_sid(&group_sid, psbuf->st_gid);
+
+	pace = TALLOC_ARRAY(mem_ctx, struct security_ace, 2);
+	if (!pace) {
+		return NULL;
+	}
+
+	init_sec_ace(&pace[0], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
+			SEC_RIGHTS_FILE_ALL, 0);
+	init_sec_ace(&pace[1], &global_sid_System, SEC_ACE_TYPE_ACCESS_ALLOWED,
+			SEC_RIGHTS_FILE_ALL, 0);
+
+	pacl = make_sec_acl(mem_ctx,
+				NT4_ACL_REVISION,
+				2,
+				pace);
+	if (!pacl) {
+		return NULL;
+	}
+	return make_sec_desc(mem_ctx,
+			SECURITY_DESCRIPTOR_REVISION_1,
+			SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT|
+				SEC_DESC_DACL_DEFAULTED,
+			&owner_sid,
+			&group_sid,
+			NULL,
+                        pacl,
+			&sd_size);
+}
+
+/*********************************************************************
 *********************************************************************/

 static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
@ -303,8 +345,8 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
 {
 	TALLOC_CTX *ctx = talloc_tos();
 	NTSTATUS status;
-	SEC_DESC *parent_desc = NULL;
-	SEC_DESC *psd = NULL;
+	struct security_descriptor *parent_desc = NULL;
+	struct security_descriptor *psd = NULL;
 	DATA_BLOB blob;
 	size_t size;
 	char *parent_name;
@ -343,6 +385,25 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
+	if (psd->dacl == NULL) {
+		SMB_STRUCT_STAT sbuf;
+		int ret;
+
+		TALLOC_FREE(psd);
+		if (fsp && !fsp->is_directory && fsp->fh->fd != -1) {
+			ret = SMB_VFS_FSTAT(fsp, &sbuf);
+		} else {
+			ret = SMB_VFS_STAT(fsp->conn,fsp->fsp_name, &sbuf);
+		}
+		if (ret == -1) {
+			return map_nt_error_from_unix(errno);
+		}
+		psd = default_file_sd(ctx, &sbuf);
+		if (!psd) {
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+
 	status = create_acl_blob(psd, &blob);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@ -365,7 +426,7 @@ static int open_acl_xattr(vfs_handle_struct *handle,
 					mode_t mode)
 {
 	uint32_t access_granted = 0;
-	SEC_DESC *pdesc = NULL;
+	struct security_descriptor *pdesc = NULL;
 	bool file_existed = true;
 	NTSTATUS status = get_nt_acl_xattr_internal(handle,
 					NULL,
@ -417,7 +478,7 @@ static int mkdir_acl_xattr(vfs_handle_struct *handle, const char *path, mode_t m
 }

 static NTSTATUS fget_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
-        uint32 security_info, SEC_DESC **ppdesc)
+        uint32 security_info, struct security_descriptor **ppdesc)
 {
 	NTSTATUS status = get_nt_acl_xattr_internal(handle, fsp,
 				NULL, security_info, ppdesc);
@ -434,7 +495,7 @@ static NTSTATUS fget_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
 }

 static NTSTATUS get_nt_acl_xattr(vfs_handle_struct *handle,
-        const char *name, uint32 security_info, SEC_DESC **ppdesc)
+        const char *name, uint32 security_info, struct security_descriptor **ppdesc)
 {
 	NTSTATUS status = get_nt_acl_xattr_internal(handle, NULL,
 				name, security_info, ppdesc);
@ -451,7 +512,7 @@ static NTSTATUS get_nt_acl_xattr(vfs_handle_struct *handle,
 }

 static NTSTATUS fset_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
-        uint32 security_info_sent, const SEC_DESC *psd)
+        uint32 security_info_sent, const struct security_descriptor *psd)
 {
 	NTSTATUS status;
 	DATA_BLOB blob;
@ -460,7 +521,7 @@ static NTSTATUS fset_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
 		DEBUG(10,("fset_nt_acl_xattr: incoming sd for file %s\n",
 			fsp->fsp_name));
 		NDR_PRINT_DEBUG(security_descriptor,
-			CONST_DISCARD(SEC_DESC *,psd));
+			CONST_DISCARD(struct security_descriptor *,psd));
 	}

 	status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
@ -473,7 +534,7 @@ static NTSTATUS fset_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
 		int ret;
 		SMB_STRUCT_STAT sbuf;
 		DOM_SID owner_sid, group_sid;
-		SEC_DESC *nc_psd = dup_sec_desc(talloc_tos(), psd);
+		struct security_descriptor *nc_psd = dup_sec_desc(talloc_tos(), psd);

 		if (!nc_psd) {
 			return NT_STATUS_OK;
@ -502,7 +563,7 @@ static NTSTATUS fset_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
 				SE_DESC_DACL_AUTO_INHERIT_REQ))==
 				(SE_DESC_DACL_AUTO_INHERITED|
 				SE_DESC_DACL_AUTO_INHERIT_REQ) ) {
-		SEC_DESC *new_psd = NULL;
+		struct security_descriptor *new_psd = NULL;
 		status = append_parent_acl(fsp, psd, &new_psd);
 		if (!NT_STATUS_IS_OK(status)) {
 			/* Lower level acl set succeeded,
@ -516,7 +577,7 @@ static NTSTATUS fset_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
 		DEBUG(10,("fset_nt_acl_xattr: storing xattr sd for file %s\n",
 			fsp->fsp_name));
 		NDR_PRINT_DEBUG(security_descriptor,
-			CONST_DISCARD(SEC_DESC *,psd));
+			CONST_DISCARD(struct security_descriptor *,psd));
 	}
 	create_acl_blob(psd, &blob);
 	store_acl_blob_fsp(fsp, &blob);
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@ -1370,16 +1370,53 @@ NTSTATUS open_file_ntcreate(connection_struct *conn,
 		}
 	}

-	/* This is a nasty hack - must fix... JRA. */
-	if (access_mask == MAXIMUM_ALLOWED_ACCESS) {
-		open_access_mask = access_mask = FILE_GENERIC_ALL;
-	}
-
 	/*
 	 * Convert GENERIC bits to specific bits.
 	 */

 	se_map_generic(&access_mask, &file_generic_mapping);
+
+	/* Calculate MAXIMUM_ALLOWED_ACCESS if requested. */
+	if (access_mask & MAXIMUM_ALLOWED_ACCESS) {
+		if (file_existed) {
+			struct security_descriptor *sd;
+			uint32_t access_granted = 0;
+
+			status = SMB_VFS_GET_NT_ACL(conn, fname,
+					(OWNER_SECURITY_INFORMATION |
+					GROUP_SECURITY_INFORMATION |
+					DACL_SECURITY_INFORMATION),&sd);
+
+			if (!NT_STATUS_IS_OK(status)) {
+				DEBUG(10, ("open_file_ntcreate: Could not get acl "
+					"on file %s: %s\n",
+					fname,
+					nt_errstr(status)));
+				return NT_STATUS_ACCESS_DENIED;
+			}
+
+			status = se_access_check(sd, conn->server_info->ptok,
+					access_mask, &access_granted);
+
+			TALLOC_FREE(sd);
+
+			if (!NT_STATUS_IS_OK(status)) {
+				DEBUG(10, ("open_file_ntcreate: Access denied on "
+					"file %s: when calculating maximum access\n",
+					fname));
+				return NT_STATUS_ACCESS_DENIED;
+			}
+
+			access_mask = access_granted;
+			/*
+			 * According to Samba4, SEC_FILE_READ_ATTRIBUTE is always granted,
+			 */
+			access_mask |= FILE_READ_ATTRIBUTES;
+		} else {
+			access_mask = FILE_GENERIC_ALL;
+		}
+	}
+
 	open_access_mask = access_mask;

 	if ((flags2 & O_TRUNC) || (oplock_request & FORCE_OPLOCK_BREAK_TO_NONE)) {
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@ -3846,7 +3846,6 @@ static void call_trans2qfilepathinfo(connection_struct *conn,
 	files_struct *fsp = NULL;
 	struct file_id fileid;
 	struct ea_list *ea_list = NULL;
-	uint32 access_mask = 0x12019F; /* Default - GENERIC_EXECUTE mapping from Windows */
 	char *lock_data = NULL;
 	bool ms_dfs_link = false;
 	TALLOC_CTX *ctx = talloc_tos();
@ -3939,7 +3938,6 @@ static void call_trans2qfilepathinfo(connection_struct *conn,
 			pos = fsp->fh->position_information;
 			fileid = vfs_file_id_from_sbuf(conn, &sbuf);
 			get_file_infos(fileid, &delete_pending, &write_time_ts);
-			access_mask = fsp->access_mask;
 		}

 	} else {
@ -4403,7 +4401,12 @@ total_data=%u (should be %u)\n", (unsigned int)total_data, (unsigned int)IVAL(pd

 		case SMB_FILE_ACCESS_INFORMATION:
 			DEBUG(10,("call_trans2qfilepathinfo: SMB_FILE_ACCESS_INFORMATION\n"));
-			SIVAL(pdata,0,access_mask);
+			if (fsp) {
+				SIVAL(pdata,0,fsp->access_mask);
+			} else {
+				/* GENERIC_EXECUTE mapping from Windows */
+				SIVAL(pdata,0,0x12019F);
+			}
 			data_size = 4;
 			break;

--- a/source3/utils/net_dns.c
+++ b/source3/utils/net_dns.c
@ -169,7 +169,7 @@ int get_my_ip_address( struct sockaddr_storage **pp_ss )
 			continue;

 		/* Don't register loopback addresses */
-		if (is_loopback_addr(nic_sa_storage)) {
+		if (is_loopback_addr((struct sockaddr *)nic_sa_storage)) {
 			continue;
 		}

--- a/source4/torture/rpc/samlogon.c
+++ b/source4/torture/rpc/samlogon.c
@ -1567,7 +1567,7 @@ bool torture_rpc_samlogon(struct torture_context *torture)

 	old_user_password = user_password;

-	test_ChangePasswordUser3(torture_join_samr_pipe(user_ctx), mem_ctx,
+	test_ChangePasswordUser3(torture_join_samr_pipe(user_ctx), torture,
 				 TEST_USER_NAME, 16 /* > 14 */, &user_password, 
 				 NULL, 0, false);