r3990: take advantage of the uid->sid and gid->sid code to create a much

better default NT ACL in pvfs
(This used to be commit 9ff6ecbdb6c08528193f7958d7ea7d9a8df6defd)

3 files changed, 97 insertions, 14 deletions

diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c
index 216c9b4a71..f079857821 100644
--- a/source4/ntvfs/posix/pvfs_acl.c
+++ b/source4/ntvfs/posix/pvfs_acl.c
@@ -36,32 +36,109 @@ static NTSTATUS pvfs_default_acl(struct pvfs_state *pvfs,
 				 struct xattr_NTACL *acl)
 {
 	struct security_descriptor *sd;
-	struct nt_user_token *token = req->session->session_info->nt_user_token;
 	int i;
+	struct security_ace ace;
+	NTSTATUS status;
+	const char *sid_names[] = {
+		SID_BUILTIN_ADMINISTRATORS,
+		SID_CREATOR_OWNER,
+		SID_CREATOR_GROUP,
+		SID_WORLD
+	};
+	uint32_t access_masks[4];
+	mode_t mode;
 
 	sd = security_descriptor_initialise(req);
 	if (sd == NULL) {
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	/* nasty hack to get a reasonable sec desc - should be based on posix uid/gid
-	   and perms */
-	if (token->num_sids > 0) {
-		sd->owner_sid = token->user_sids[0];
+	status = sidmap_uid_to_sid(pvfs->sidmap, sd, name->st.st_uid, &sd->owner_sid);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
 	}
-	if (token->num_sids > 1) {
-		sd->group_sid = token->user_sids[1];
+	status = sidmap_gid_to_sid(pvfs->sidmap, sd, name->st.st_gid, &sd->group_sid);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
 	}
+
 	sd->type |= SEC_DESC_DACL_PRESENT;
 
-	for (i=0;i<token->num_sids;i++) {
-		struct security_ace ace;
-		NTSTATUS status;
+	/*
+	  we provide 4 ACEs
+	    - Administrator
+	    - Owner
+	    - Group
+	    - Everyone
+	 */
+	access_masks[0] = SEC_RIGHTS_FULL_CTRL | STD_RIGHT_ALL_ACCESS;
+	access_masks[1] = 0;
+	access_masks[2] = 0;
+	access_masks[3] = 0;
+
+	mode = name->st.st_mode;
+
+	if (mode & S_IRUSR) {
+		access_masks[1] |= 
+			SA_RIGHT_FILE_READ_DATA | 
+			SA_RIGHT_FILE_READ_EA |
+			SA_RIGHT_FILE_READ_ATTRIBUTES |
+			SA_RIGHT_FILE_EXECUTE;
+	}
+	if (mode & S_IWUSR) {
+		access_masks[1] |= 
+			SA_RIGHT_FILE_WRITE_DATA | 
+			SA_RIGHT_FILE_APPEND_DATA |
+			SA_RIGHT_FILE_WRITE_EA |
+			SA_RIGHT_FILE_DELETE_CHILD |
+			SA_RIGHT_FILE_WRITE_ATTRIBUTES;
+	}
+
+	if (mode & S_IRGRP) {
+		access_masks[2] |= 
+			SA_RIGHT_FILE_READ_DATA | 
+			SA_RIGHT_FILE_READ_EA |
+			SA_RIGHT_FILE_READ_ATTRIBUTES |
+			SA_RIGHT_FILE_EXECUTE;
+	}
+	if (mode & S_IWGRP) {
+		access_masks[2] |= 
+			SA_RIGHT_FILE_WRITE_DATA | 
+			SA_RIGHT_FILE_APPEND_DATA |
+			SA_RIGHT_FILE_WRITE_EA |
+			SA_RIGHT_FILE_DELETE_CHILD |
+			SA_RIGHT_FILE_WRITE_ATTRIBUTES;
+	}
+
+	if (mode & S_IROTH) {
+		access_masks[3] |= 
+			SA_RIGHT_FILE_READ_DATA | 
+			SA_RIGHT_FILE_READ_EA |
+			SA_RIGHT_FILE_READ_ATTRIBUTES |
+			SA_RIGHT_FILE_EXECUTE;
+	}
+	if (mode & S_IWOTH) {
+		access_masks[3] |= 
+			SA_RIGHT_FILE_WRITE_DATA | 
+			SA_RIGHT_FILE_APPEND_DATA |
+			SA_RIGHT_FILE_WRITE_EA |
+			SA_RIGHT_FILE_DELETE_CHILD |
+			SA_RIGHT_FILE_WRITE_ATTRIBUTES;
+	}
+
+	ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
+	ace.flags = 0;
+
+	for (i=0;i<ARRAY_SIZE(sid_names);i++) {
+		struct dom_sid *sid;
 
-		ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
-		ace.flags = 0;
-		ace.access_mask = SEC_RIGHTS_FULL_CTRL | STD_RIGHT_ALL_ACCESS;
-		ace.trustee = *token->user_sids[i];
+		ace.access_mask = access_masks[i];
+
+		sid = dom_sid_parse_talloc(sd, sid_names[i]);
+		if (sid == NULL) {
+			return NT_STATUS_NO_MEMORY;
+		}
+		ace.trustee = *sid;
 
 		status = security_descriptor_dacl_add(sd, &ace);
 		if (!NT_STATUS_IS_OK(status)) {
diff --git a/source4/ntvfs/posix/vfs_posix.c b/source4/ntvfs/posix/vfs_posix.c
index e340e8cbf6..ff3d3448f2 100644
--- a/source4/ntvfs/posix/vfs_posix.c
+++ b/source4/ntvfs/posix/vfs_posix.c
@@ -130,6 +130,11 @@ static NTSTATUS pvfs_connect(struct ntvfs_module_context *ntvfs,
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	}
 
+	pvfs->sidmap = sidmap_open(pvfs);
+	if (pvfs->sidmap == NULL) {
+		return NT_STATUS_INTERNAL_DB_CORRUPTION;
+	}
+
 	/* allocate the fnum id -> ptr tree */
 	pvfs->idtree_fnum = idr_init(pvfs);
 	if (pvfs->idtree_fnum == NULL) {
diff --git a/source4/ntvfs/posix/vfs_posix.h b/source4/ntvfs/posix/vfs_posix.h
index 1ae552b116..16c6f807e9 100644
--- a/source4/ntvfs/posix/vfs_posix.h
+++ b/source4/ntvfs/posix/vfs_posix.h
@@ -40,6 +40,7 @@ struct pvfs_state {
 
 	struct brl_context *brl_context;
 	struct odb_context *odb_context;
+	struct sidmap_context *sidmap;
 
 	/* an id tree mapping open search ID to a pvfs_search_state structure */
 	struct idr_context *idtree_search;