authorJeremy Allison <jra@samba.org>2008-11-10 17:57:22 -0800
committerJeremy Allison <jra@samba.org>2008-11-10 17:57:22 -0800
commit8076e50fad6346e3ca6e18a044ea01b31ca182dd (patch)
tree2386e5202864faecf1d8b7c95be7e6932ac3fa1f /source3/modules/vfs_acl_xattr.c
parent39d42378b260240544b5649ff373fc15fbddaed8 (diff)
Added vfs_acl_tdb.c module to do ACLs completely in userspace. Passes all of RAW-ACLS except for the last test which uses a non-POSIX chown. More testing/documentation to follow.
Jeremy.
Diffstat (limited to 'source3/modules/vfs_acl_xattr.c')
-rw-r--r--source3/modules/vfs_acl_xattr.c98
1 files changed, 54 insertions, 44 deletions
diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c
index a5d93950f6..2b4e68bdea 100644
--- a/source3/modules/vfs_acl_xattr.c
+++ b/source3/modules/vfs_acl_xattr.c
@@ -27,8 +27,11 @@
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_VFS
+/*******************************************************************
+ Parse out a struct security_descriptor from a DATA_BLOB.
+*******************************************************************/
+
static NTSTATUS parse_acl_blob(const DATA_BLOB *pblob,
- const struct timespec cts,
uint32 security_info,
struct security_descriptor **ppdesc)
{
@@ -50,30 +53,6 @@ static NTSTATUS parse_acl_blob(const DATA_BLOB *pblob,
return NT_STATUS_REVISION_MISMATCH;
}
-#if 0
- {
- struct timespec ts;
- /* Arg. This doesn't work. Too many activities
- * change the ctime. May have to roll back to
- * version 1.
- */
- /*
- * Check that the ctime timestamp is ealier
- * than the stored timestamp.
- */
-
- ts = nt_time_to_unix_timespec(&xacl.info.sd_ts->last_changed);
-
- if (timespec_compare(&cts, &ts) > 0) {
- DEBUG(5, ("parse_acl_blob: stored ACL out of date "
- "(%s > %s.\n",
- timestring(ctx, cts.tv_sec),
- timestring(ctx, ts.tv_sec)));
- return NT_STATUS_EA_CORRUPT_ERROR;
- }
- }
-#endif
-
*ppdesc = make_sec_desc(ctx, SEC_DESC_REVISION, xacl.info.sd_ts->sd->type | SEC_DESC_SELF_RELATIVE,
(security_info & OWNER_SECURITY_INFORMATION)
? xacl.info.sd_ts->sd->owner_sid : NULL,
@@ -90,6 +69,10 @@ static NTSTATUS parse_acl_blob(const DATA_BLOB *pblob,
return (*ppdesc != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
}
+/*******************************************************************
+ Pull a security descriptor into a DATA_BLOB from a xattr.
+*******************************************************************/
+
static NTSTATUS get_acl_blob(TALLOC_CTX *ctx,
vfs_handle_struct *handle,
files_struct *fsp,
@@ -144,6 +127,10 @@ static NTSTATUS get_acl_blob(TALLOC_CTX *ctx,
return NT_STATUS_OK;
}
+/*******************************************************************
+ Create a DATA_BLOB from a security descriptor.
+*******************************************************************/
+
static NTSTATUS create_acl_blob(const struct security_descriptor *psd, DATA_BLOB *pblob)
{
struct xattr_NTACL xacl;
@@ -182,7 +169,12 @@ static NTSTATUS create_acl_blob(const struct security_descriptor *psd, DATA_BLOB
return NT_STATUS_OK;
}
-static NTSTATUS store_acl_blob_fsp(files_struct *fsp,
+/*******************************************************************
+ Store a DATA_BLOB into an xattr given an fsp pointer.
+*******************************************************************/
+
+static NTSTATUS store_acl_blob_fsp(vfs_handle_struct *handle,
+ files_struct *fsp,
DATA_BLOB *pblob)
{
int ret;
@@ -215,10 +207,15 @@ static NTSTATUS store_acl_blob_fsp(files_struct *fsp,
return NT_STATUS_OK;
}
-static NTSTATUS store_acl_blob_pathname(connection_struct *conn,
+/*******************************************************************
+ Store a DATA_BLOB into an xattr given a pathname.
+*******************************************************************/
+
+static NTSTATUS store_acl_blob_pathname(vfs_handle_struct *handle,
const char *fname,
DATA_BLOB *pblob)
{
+ connection_struct *conn = handle->conn;
int ret;
int saved_errno = 0;
@@ -245,6 +242,9 @@ static NTSTATUS store_acl_blob_pathname(connection_struct *conn,
return NT_STATUS_OK;
}
+/*******************************************************************
+ Store a DATA_BLOB into an xattr given a pathname.
+*******************************************************************/
static NTSTATUS get_nt_acl_xattr_internal(vfs_handle_struct *handle,
files_struct *fsp,
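Review bot: The banner comment added above get_nt_acl_xattr_internal repeats the text from store_acl_blob_pathname and describes the wrong operation. The function reads a stored descriptor (a later hunk shows it calling parse_acl_blob) and accepts either an fsp or a name. Something like `Fetch a security descriptor from the xattr given an fsp or a pathname.` would match, and a blank line after the banner would keep it consistent with the other banners this commit adds. The function body continues outside this hunk.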
@@ -254,7 +254,6 @@ static NTSTATUS get_nt_acl_xattr_internal(vfs_handle_struct *handle,
{
TALLOC_CTX *ctx = talloc_tos();
DATA_BLOB blob;
- SMB_STRUCT_STAT sbuf;
NTSTATUS status;
if (fsp && name == NULL) {
@@ -269,18 +268,7 @@ static NTSTATUS get_nt_acl_xattr_internal(vfs_handle_struct *handle,
return status;
}
- if (fsp && fsp->fh->fd != -1) {
- if (SMB_VFS_FSTAT(fsp, &sbuf) == -1) {
- return map_nt_error_from_unix(errno);
- }
- } else {
- if (SMB_VFS_STAT(handle->conn, name, &sbuf) == -1) {
- return map_nt_error_from_unix(errno);
- }
- }
-
- status = parse_acl_blob(&blob, get_ctimespec(&sbuf),
- security_info, ppdesc);
+ status = parse_acl_blob(&blob, security_info, ppdesc);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("parse_acl_blob returned %s\n",
nt_errstr(status)));
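Review bot: The call `parse_acl_blob(&blob, security_info, ppdesc)` now accepts the stored descriptor with no freshness check, and this commit deletes the only explanation of why (the removed `#if 0` comment saying too many activities change the ctime). A short comment above the call would keep that design decision visible, for example `/* Stored SD is used as-is: ctime is not a usable staleness check, too many operations change it. */`. Anyone auditing how this module treats an xattr that no longer matches the file will need that context. The enclosing function starts and ends outside this hunk.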
@@ -427,9 +415,9 @@ static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
return status;
}
if (fsp) {
- return store_acl_blob_fsp(fsp, &blob);
+ return store_acl_blob_fsp(handle, fsp, &blob);
} else {
- return store_acl_blob_pathname(handle->conn, fname, &blob);
+ return store_acl_blob_pathname(handle, fname, &blob);
}
}
@@ -499,6 +487,10 @@ static int mkdir_acl_xattr(vfs_handle_struct *handle, const char *path, mode_t m
return ret;
}
+/*********************************************************************
+ Fetch a security descriptor given an fsp.
+*********************************************************************/
+
static NTSTATUS fget_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
uint32 security_info, struct security_descriptor **ppdesc)
{
@@ -512,10 +504,19 @@ static NTSTATUS fget_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
}
return NT_STATUS_OK;
}
+
+ DEBUG(10,("fget_nt_acl_xattr: failed to get xattr sd for file %s, Error %s\n",
+ fsp->fsp_name,
+ nt_errstr(status) ));
+
return SMB_VFS_NEXT_FGET_NT_ACL(handle, fsp,
security_info, ppdesc);
}
+/*********************************************************************
+ Fetch a security descriptor given a pathname.
+*********************************************************************/
+
static NTSTATUS get_nt_acl_xattr(vfs_handle_struct *handle,
const char *name, uint32 security_info, struct security_descriptor **ppdesc)
{
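Review bot: The new DEBUG in fget_nt_acl_xattr logs every failure of the xattr lookup at level 10 and then falls through to `SMB_VFS_NEXT_FGET_NT_ACL`. A stored descriptor that exists but is rejected (for example with the `NT_STATUS_REVISION_MISMATCH` that parse_acl_blob can return) is therefore replaced by the next layer's ACL with no trace at normal log levels. It would help to separate the case where no xattr is present from the case where the blob is unreadable, and to log the latter at a far more visible level, e.g. `DEBUG(0, ...)`, since it changes which ACL is returned for the file. The same applies to the matching DEBUG added in get_nt_acl_xattr in the next hunk. Which status a missing xattr produces is not visible here, so the exact test has to be taken from get_acl_blob.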
@@ -529,10 +530,19 @@ static NTSTATUS get_nt_acl_xattr(vfs_handle_struct *handle,
}
return NT_STATUS_OK;
}
+
+ DEBUG(10,("get_nt_acl_xattr: failed to get xattr sd for file %s, Error %s\n",
+ name,
+ nt_errstr(status) ));
+
return SMB_VFS_NEXT_GET_NT_ACL(handle, name,
security_info, ppdesc);
}
+/*********************************************************************
+ Store a security descriptor given an fsp.
+*********************************************************************/
+
static NTSTATUS fset_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
uint32 security_info_sent, const struct security_descriptor *psd)
{
@@ -602,7 +612,7 @@ static NTSTATUS fset_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
CONST_DISCARD(struct security_descriptor *,psd));
}
create_acl_blob(psd, &blob);
- store_acl_blob_fsp(fsp, &blob);
+ store_acl_blob_fsp(handle, fsp, &blob);
return NT_STATUS_OK;
}
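Review bot: fset_nt_acl_xattr still discards the results of `create_acl_blob` and `store_acl_blob_fsp` and returns `NT_STATUS_OK`, so the client is told the ACL was set even when the xattr was not written. A failed create_acl_blob may also leave `blob` unset before it is stored (its declaration is outside the hunk). Unless the xattr write is meant to be best-effort, propagate the status: `status = create_acl_blob(psd, &blob);`, `if (!NT_STATUS_IS_OK(status)) { return status; }`, `return store_acl_blob_fsp(handle, fsp, &blob);`. This assumes an NTSTATUS `status` local is available in the function, which starts outside this hunk.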
@@ -620,7 +630,7 @@ static vfs_op_tuple skel_op_tuples[] =
{SMB_VFS_OP(get_nt_acl_xattr), SMB_VFS_OP_GET_NT_ACL, SMB_VFS_LAYER_TRANSPARENT},
{SMB_VFS_OP(fset_nt_acl_xattr),SMB_VFS_OP_FSET_NT_ACL,SMB_VFS_LAYER_TRANSPARENT},
- {SMB_VFS_OP(NULL), SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP}
+ {SMB_VFS_OP(NULL), SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP}
};
NTSTATUS vfs_acl_xattr_init(void)