summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2002-09-25 05:11:25 +0000
committerJeremy Allison <jra@samba.org>2002-09-25 05:11:25 +0000
commitb952ddfbe6e6527892cabf0076e16a4c14f952b8 (patch)
treef70403a16cf8e207f3eda7bb46ee40403d30a83f
parent4912dd90eeebc0c35240703cdae8ce98e572a47b (diff)
downloadsamba-b952ddfbe6e6527892cabf0076e16a4c14f952b8.tar.gz
samba-b952ddfbe6e6527892cabf0076e16a4c14f952b8.tar.bz2
samba-b952ddfbe6e6527892cabf0076e16a4c14f952b8.zip
Merge of "profile acls" code.
Jeremy. (This used to be commit cfd1bf250b417f3ba3ad21ff681ab282311bb7eb)
-rw-r--r--source3/lib/util_sid.c9
-rw-r--r--source3/param/loadparm.c6
-rw-r--r--source3/smbd/posix_acls.c30
3 files changed, 41 insertions, 4 deletions
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index 8bb06e8866..e9635fc7f8 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -30,13 +30,11 @@ extern fstring global_myworkgroup;
* Some useful sids
*/
-DOM_SID global_sid_Builtin; /* Local well-known domain */
DOM_SID global_sid_World_Domain; /* Everyone domain */
DOM_SID global_sid_World; /* Everyone */
DOM_SID global_sid_Creator_Owner_Domain; /* Creator Owner domain */
DOM_SID global_sid_NT_Authority; /* NT Authority */
DOM_SID global_sid_NULL; /* NULL sid */
-DOM_SID global_sid_Builtin_Guests; /* Builtin guest users */
DOM_SID global_sid_Authenticated_Users; /* All authenticated rids */
DOM_SID global_sid_Network; /* Network rids */
@@ -44,6 +42,11 @@ static DOM_SID global_sid_Creator_Owner; /* Creator Owner */
static DOM_SID global_sid_Creator_Group; /* Creator Group */
static DOM_SID global_sid_Anonymous; /* Anonymous login */
+DOM_SID global_sid_Builtin; /* Local well-known domain */
+DOM_SID global_sid_Builtin_Administrators;
+DOM_SID global_sid_Builtin_Users;
+DOM_SID global_sid_Builtin_Guests; /* Builtin guest users */
+
/*
* An NT compatible anonymous token.
*/
@@ -99,6 +102,8 @@ const char *sid_type_lookup(uint32 sid_type)
void generate_wellknown_sids(void)
{
string_to_sid(&global_sid_Builtin, "S-1-5-32");
+ string_to_sid(&global_sid_Builtin_Administrators, "S-1-5-32-544");
+ string_to_sid(&global_sid_Builtin_Users, "S-1-5-32-545");
string_to_sid(&global_sid_Builtin_Guests, "S-1-5-32-546");
string_to_sid(&global_sid_World_Domain, "S-1-1");
string_to_sid(&global_sid_World, "S-1-1-0");
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index f95c03dcdb..7b8efbd5bc 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -388,6 +388,8 @@ typedef struct
#ifdef WITH_SENDFILE
BOOL bUseSendfile;
#endif
+ BOOL bProfileAcls;
+
char dummy[3]; /* for alignment */
}
service;
@@ -510,6 +512,7 @@ static service sDefault = {
#ifdef WITH_SENDFILE
False, /* bUseSendfile */
#endif
+ False, /* bProfileAcls */
"" /* dummy */
};
@@ -811,6 +814,8 @@ static struct parm_struct parm_table[] = {
{"nt pipe support", P_BOOL, P_GLOBAL, &Globals.bNTPipeSupport, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"nt acl support", P_BOOL, P_LOCAL, &sDefault.bNTAclSupport, NULL, NULL, FLAG_GLOBAL | FLAG_SHARE | FLAG_ADVANCED | FLAG_WIZARD},
{"nt status support", P_BOOL, P_GLOBAL, &Globals.bNTStatusSupport, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
+ {"profile acls", P_BOOL, P_LOCAL, &sDefault.bProfileAcls, NULL, NULL, FLAG_GLOBAL | FLAG_SHARE | FLAG_ADVANCED | FLAG_WIZARD},
+
{"announce version", P_STRING, P_GLOBAL, &Globals.szAnnounceVersion, NULL, NULL, FLAG_DEVELOPER},
{"announce as", P_ENUM, P_GLOBAL, &Globals.announce_as, NULL, enum_announce_as, FLAG_DEVELOPER},
{"max mux", P_INTEGER, P_GLOBAL, &Globals.max_mux, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
@@ -1742,6 +1747,7 @@ FN_LOCAL_BOOL(lp_nt_acl_support, bNTAclSupport)
#ifdef WITH_SENDFILE
FN_LOCAL_BOOL(lp_use_sendfile, bUseSendfile)
#endif
+FN_LOCAL_BOOL(lp_profile_acls, bProfileAcls)
FN_LOCAL_INTEGER(lp_create_mask, iCreate_mask)
FN_LOCAL_INTEGER(lp_force_create_mode, iCreate_force_mode)
FN_LOCAL_INTEGER(lp_security_mask, iSecurity_mask)
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 043e33e836..e6ae1c7d79 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1881,6 +1881,8 @@ static int nt_ace_comp( SEC_ACE *a1, SEC_ACE *a2)
size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
{
+ extern DOM_SID global_sid_Builtin_Administrators;
+ extern DOM_SID global_sid_Builtin_Users;
connection_struct *conn = fsp->conn;
SMB_STRUCT_STAT sbuf;
SEC_ACE *nt_ace_list = NULL;
@@ -1895,6 +1897,7 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
SMB_ACL_T dir_acl = NULL;
canon_ace *file_ace = NULL;
canon_ace *dir_ace = NULL;
+ size_t num_profile_acls = 0;
*ppdesc = NULL;
@@ -1939,7 +1942,14 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
* Get the owner, group and world SIDs.
*/
- create_file_sids(&sbuf, &owner_sid, &group_sid);
+ if (lp_profile_acls(SNUM(fsp->conn))) {
+ /* For WXP SP1 the owner must be administrators. */
+ sid_copy(&owner_sid, &global_sid_Builtin_Administrators);
+ sid_copy(&group_sid, &global_sid_Builtin_Users);
+ num_profile_acls = 2;
+ } else {
+ create_file_sids(&sbuf, &owner_sid, &group_sid);
+ }
/* Create the canon_ace lists. */
file_ace = canonicalise_acl( fsp, posix_acl, &sbuf, &owner_sid, &group_sid);
@@ -1963,7 +1973,7 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
}
/* Allocate the ace list. */
- if ((nt_ace_list = (SEC_ACE *)malloc((num_acls + num_dir_acls)* sizeof(SEC_ACE))) == NULL) {
+ if ((nt_ace_list = (SEC_ACE *)malloc((num_acls + num_profile_acls + num_dir_acls)* sizeof(SEC_ACE))) == NULL) {
DEBUG(0,("get_nt_acl: Unable to malloc space for nt_ace_list.\n"));
goto done;
}
@@ -1986,6 +1996,13 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
init_sec_ace(&nt_ace_list[num_aces++], &ace->trustee, nt_acl_type, acc, 0);
}
+ /* The User must have access to a profile share - even if we can't map the SID. */
+ if (lp_profile_acls(SNUM(fsp->conn))) {
+ SEC_ACCESS acc;
+ init_sec_access(&acc,FILE_GENERIC_ALL);
+ init_sec_ace(&nt_ace_list[num_aces++], &global_sid_Builtin_Users, SEC_ACE_TYPE_ACCESS_ALLOWED, acc, 0);
+ }
+
ace = dir_ace;
for (i = 0; i < num_dir_acls; i++, ace = ace->next) {
@@ -1994,6 +2011,15 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
}
+ /* The User must have access to a profile share - even if we can't map the SID. */
+ if (lp_profile_acls(SNUM(fsp->conn))) {
+ SEC_ACCESS acc;
+ init_sec_access(&acc,FILE_GENERIC_ALL);
+ init_sec_ace(&nt_ace_list[num_aces++], &global_sid_Builtin_Users, SEC_ACE_TYPE_ACCESS_ALLOWED, acc,
+ SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
+ SEC_ACE_FLAG_INHERIT_ONLY);
+ }
+
/*
* Sort to force deny entries to the front.
*/