summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/include/rpc_secdes.h3
-rw-r--r--source4/include/structs.h1
-rw-r--r--source4/libcli/security/security_descriptor.c2
-rw-r--r--source4/librpc/idl/xattr.idl23
-rw-r--r--source4/ntvfs/posix/config.mk1
-rw-r--r--source4/ntvfs/posix/pvfs_acl.c193
-rw-r--r--source4/ntvfs/posix/pvfs_qfileinfo.c10
-rw-r--r--source4/ntvfs/posix/pvfs_setfileinfo.c3
-rw-r--r--source4/ntvfs/posix/pvfs_xattr.c43
-rw-r--r--source4/ntvfs/posix/vfs_posix.c3
-rw-r--r--source4/ntvfs/unixuid/vfs_unixuid.c4
11 files changed, 281 insertions, 5 deletions
diff --git a/source4/include/rpc_secdes.h b/source4/include/rpc_secdes.h
index 9cf899a59a..1a7e56974a 100644
--- a/source4/include/rpc_secdes.h
+++ b/source4/include/rpc_secdes.h
@@ -54,11 +54,12 @@ typedef struct security_descriptor SEC_DESC;
/* Don't know what this means. */
-/* security information */
+/* security information flags used in query_secdesc and set_secdesc */
#define OWNER_SECURITY_INFORMATION 0x00000001
#define GROUP_SECURITY_INFORMATION 0x00000002
#define DACL_SECURITY_INFORMATION 0x00000004
#define SACL_SECURITY_INFORMATION 0x00000008
+
/* Extra W2K flags. */
#define UNPROTECTED_SACL_SECURITY_INFORMATION 0x10000000
#define UNPROTECTED_DACL_SECURITY_INFORMATION 0x20000000
diff --git a/source4/include/structs.h b/source4/include/structs.h
index 61749111d9..d2f86e2e8a 100644
--- a/source4/include/structs.h
+++ b/source4/include/structs.h
@@ -112,6 +112,7 @@ struct file_info;
struct xattr_DosEAs;
struct xattr_DosStreams;
+struct xattr_DosAcl;
struct test_join;
diff --git a/source4/libcli/security/security_descriptor.c b/source4/libcli/security/security_descriptor.c
index 671174a824..00857de1c6 100644
--- a/source4/libcli/security/security_descriptor.c
+++ b/source4/libcli/security/security_descriptor.c
@@ -108,7 +108,7 @@ NTSTATUS security_check_dacl(struct security_token *st,
add an ACE to the DACL of a security_descriptor
*/
NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
- struct security_ace *ace)
+ const struct security_ace *ace)
{
if (sd->dacl == NULL) {
sd->dacl = talloc_p(sd, struct security_acl);
diff --git a/source4/librpc/idl/xattr.idl b/source4/librpc/idl/xattr.idl
index 703fb2325b..153561ac1a 100644
--- a/source4/librpc/idl/xattr.idl
+++ b/source4/librpc/idl/xattr.idl
@@ -8,6 +8,9 @@
about a file in a architecture independent manner
*/
+[
+ depends(security)
+]
interface xattr
{
const string XATTR_DOSATTRIB_NAME = "user.DosAttrib";
@@ -72,4 +75,24 @@ interface xattr
uint32 num_streams;
[size_is(num_streams)] xattr_DosStream *streams;
} xattr_DosStreams;
+
+
+ /* we store the NT ACL a DosAcl xattr. It is versioned so we
+ can later add other acl attribs (such as posix acl
+ mapping)
+
+ we put this xattr in the security namespace to ensure that
+ only trusted users can write to the ACL
+ */
+ const string XATTR_DOSACL_NAME = "security.DosAcl";
+
+ typedef union {
+ [case(1)] security_descriptor *sd;
+ } xattr_DosAclInfo;
+
+ typedef [public] struct {
+ uint16 version;
+ [switch_is(version)] xattr_DosAclInfo info;
+ } xattr_DosAcl;
+
}
diff --git a/source4/ntvfs/posix/config.mk b/source4/ntvfs/posix/config.mk
index 1d33d8b381..7999a32741 100644
--- a/source4/ntvfs/posix/config.mk
+++ b/source4/ntvfs/posix/config.mk
@@ -28,6 +28,7 @@ ADD_OBJ_FILES = \
ntvfs/posix/pvfs_ioctl.o \
ntvfs/posix/pvfs_xattr.o \
ntvfs/posix/pvfs_streams.o \
+ ntvfs/posix/pvfs_acl.o \
ntvfs/common/opendb.o \
ntvfs/common/brlock.o
# End MODULE ntvfs_posix
diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c
new file mode 100644
index 0000000000..2885604311
--- /dev/null
+++ b/source4/ntvfs/posix/pvfs_acl.c
@@ -0,0 +1,193 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ POSIX NTVFS backend - ACL support
+
+ Copyright (C) Andrew Tridgell 2004
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+#include "auth/auth.h"
+#include "system/filesys.h"
+#include "vfs_posix.h"
+#include "librpc/gen_ndr/ndr_xattr.h"
+
+
+/*
+ setup a default ACL for a file
+*/
+static NTSTATUS pvfs_default_acl(struct pvfs_state *pvfs,
+ struct smbsrv_request *req,
+ struct pvfs_filename *name, int fd,
+ struct xattr_DosAcl *acl)
+{
+ struct security_descriptor *sd;
+ struct nt_user_token *token = req->session->session_info->nt_user_token;
+ int i;
+
+ sd = security_descriptor_initialise(req);
+ if (sd == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* nasty hack to get a reasonable sec desc - should be based on posix uid/gid
+ and perms */
+ if (token->num_sids > 0) {
+ sd->owner_sid = token->user_sids[0];
+ }
+ if (token->num_sids > 1) {
+ sd->group_sid = token->user_sids[1];
+ }
+
+ for (i=0;i<token->num_sids;i++) {
+ struct security_ace ace;
+ NTSTATUS status;
+
+ ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
+ ace.flags = 0;
+ ace.access_mask = SEC_RIGHTS_FULL_CTRL | STD_RIGHT_ALL_ACCESS;
+ ace.trustee = *token->user_sids[i];
+
+ status = security_descriptor_dacl_add(sd, &ace);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ }
+
+ acl->version = 1;
+ acl->info.sd = sd;
+
+ return NT_STATUS_OK;
+}
+
+
+/*
+ omit any security_descriptor elements not specified in the given
+ secinfo flags
+*/
+static void normalise_sd_flags(struct security_descriptor *sd, uint32_t secinfo_flags)
+{
+ if (!(secinfo_flags & OWNER_SECURITY_INFORMATION)) {
+ sd->owner_sid = NULL;
+ }
+ if (!(secinfo_flags & GROUP_SECURITY_INFORMATION)) {
+ sd->group_sid = NULL;
+ }
+ if (!(secinfo_flags & DACL_SECURITY_INFORMATION)) {
+ sd->dacl = NULL;
+ }
+ if (!(secinfo_flags & SACL_SECURITY_INFORMATION)) {
+ sd->sacl = NULL;
+ }
+}
+
+/*
+ answer a setfileinfo for an ACL
+*/
+NTSTATUS pvfs_acl_set(struct pvfs_state *pvfs,
+ struct smbsrv_request *req,
+ struct pvfs_filename *name, int fd,
+ union smb_setfileinfo *info)
+{
+ struct xattr_DosAcl *acl;
+ uint32_t secinfo_flags = info->set_secdesc.in.secinfo_flags;
+ struct security_descriptor *new_sd, *sd;
+ NTSTATUS status;
+
+ acl = talloc_p(req, struct xattr_DosAcl);
+ if (acl == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = pvfs_acl_load(pvfs, name, fd, acl);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
+ status = pvfs_default_acl(pvfs, req, name, fd, acl);
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ switch (acl->version) {
+ case 1:
+ sd = acl->info.sd;
+ break;
+ default:
+ return NT_STATUS_INVALID_LEVEL;
+ }
+
+ new_sd = info->set_secdesc.in.sd;
+
+ /* only set the elements that have been specified */
+ if (secinfo_flags & OWNER_SECURITY_INFORMATION) {
+ sd->owner_sid = new_sd->owner_sid;
+ }
+ if (secinfo_flags & GROUP_SECURITY_INFORMATION) {
+ sd->group_sid = new_sd->group_sid;
+ }
+ if (secinfo_flags & DACL_SECURITY_INFORMATION) {
+ sd->dacl = new_sd->dacl;
+ }
+ if (secinfo_flags & SACL_SECURITY_INFORMATION) {
+ sd->sacl = new_sd->sacl;
+ }
+
+ status = pvfs_acl_save(pvfs, name, fd, acl);
+
+ return status;
+}
+
+
+/*
+ answer a fileinfo query for the ACL
+*/
+NTSTATUS pvfs_acl_query(struct pvfs_state *pvfs,
+ struct smbsrv_request *req,
+ struct pvfs_filename *name, int fd,
+ union smb_fileinfo *info)
+{
+ struct xattr_DosAcl *acl;
+ NTSTATUS status;
+ struct security_descriptor *sd;
+
+ acl = talloc_p(req, struct xattr_DosAcl);
+ if (acl == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = pvfs_acl_load(pvfs, name, fd, acl);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
+ status = pvfs_default_acl(pvfs, req, name, fd, acl);
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ switch (acl->version) {
+ case 1:
+ sd = acl->info.sd;
+ break;
+ default:
+ return NT_STATUS_INVALID_LEVEL;
+ }
+
+ normalise_sd_flags(sd, info->query_secdesc.in.secinfo_flags);
+
+ info->query_secdesc.out.sd = sd;
+
+ return NT_STATUS_OK;
+}
+
diff --git a/source4/ntvfs/posix/pvfs_qfileinfo.c b/source4/ntvfs/posix/pvfs_qfileinfo.c
index f6e1288b1d..fe53b0a415 100644
--- a/source4/ntvfs/posix/pvfs_qfileinfo.c
+++ b/source4/ntvfs/posix/pvfs_qfileinfo.c
@@ -56,7 +56,8 @@ static NTSTATUS pvfs_query_all_eas(struct pvfs_state *pvfs, TALLOC_CTX *mem_ctx,
/*
approximately map a struct pvfs_filename to a generic fileinfo struct
*/
-static NTSTATUS pvfs_map_fileinfo(struct pvfs_state *pvfs, TALLOC_CTX *mem_ctx,
+static NTSTATUS pvfs_map_fileinfo(struct pvfs_state *pvfs,
+ struct smbsrv_request *req,
struct pvfs_filename *name, union smb_fileinfo *info,
int fd)
{
@@ -91,7 +92,7 @@ static NTSTATUS pvfs_map_fileinfo(struct pvfs_state *pvfs, TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
case RAW_FILEINFO_ALL_EAS:
- return pvfs_query_all_eas(pvfs, mem_ctx, name, fd, &info->all_eas.out);
+ return pvfs_query_all_eas(pvfs, req, name, fd, &info->all_eas.out);
case RAW_FILEINFO_IS_NAME_VALID:
return NT_STATUS_OK;
@@ -149,7 +150,7 @@ static NTSTATUS pvfs_map_fileinfo(struct pvfs_state *pvfs, TALLOC_CTX *mem_ctx,
case RAW_FILEINFO_STREAM_INFO:
case RAW_FILEINFO_STREAM_INFORMATION:
- return pvfs_stream_information(pvfs, mem_ctx, name, fd, &info->stream_info.out);
+ return pvfs_stream_information(pvfs, req, name, fd, &info->stream_info.out);
case RAW_FILEINFO_COMPRESSION_INFO:
case RAW_FILEINFO_COMPRESSION_INFORMATION:
@@ -194,6 +195,9 @@ static NTSTATUS pvfs_map_fileinfo(struct pvfs_state *pvfs, TALLOC_CTX *mem_ctx,
info->attribute_tag_information.out.attrib = name->dos.attrib;
info->attribute_tag_information.out.reparse_tag = 0;
return NT_STATUS_OK;
+
+ case RAW_FILEINFO_SEC_DESC:
+ return pvfs_acl_query(pvfs, req, name, fd, info);
}
return NT_STATUS_INVALID_LEVEL;
diff --git a/source4/ntvfs/posix/pvfs_setfileinfo.c b/source4/ntvfs/posix/pvfs_setfileinfo.c
index d31bcac337..cc1b69b8ea 100644
--- a/source4/ntvfs/posix/pvfs_setfileinfo.c
+++ b/source4/ntvfs/posix/pvfs_setfileinfo.c
@@ -301,6 +301,9 @@ NTSTATUS pvfs_setfileinfo(struct ntvfs_module_context *ntvfs,
return pvfs_setfileinfo_rename(pvfs, req, h->name,
&info->rename_information.in);
+ case RAW_SFILEINFO_SEC_DESC:
+ return pvfs_acl_set(pvfs, req, h->name, h->fd, info);
+
default:
return NT_STATUS_INVALID_LEVEL;
}
diff --git a/source4/ntvfs/posix/pvfs_xattr.c b/source4/ntvfs/posix/pvfs_xattr.c
index 6984c2d284..a50348ef04 100644
--- a/source4/ntvfs/posix/pvfs_xattr.c
+++ b/source4/ntvfs/posix/pvfs_xattr.c
@@ -348,6 +348,49 @@ NTSTATUS pvfs_streams_save(struct pvfs_state *pvfs, struct pvfs_filename *name,
(ndr_push_flags_fn_t)ndr_push_xattr_DosStreams);
}
+
+/*
+ load the current ACL from extended attributes
+*/
+NTSTATUS pvfs_acl_load(struct pvfs_state *pvfs, struct pvfs_filename *name, int fd,
+ struct xattr_DosAcl *acl)
+{
+ NTSTATUS status;
+ ZERO_STRUCTP(acl);
+ if (!(pvfs->flags & PVFS_FLAG_XATTR_ENABLE)) {
+ return NT_STATUS_OK;
+ }
+ status = pvfs_xattr_ndr_load(pvfs, acl, name->full_name, fd,
+ XATTR_DOSACL_NAME,
+ acl,
+ (ndr_pull_flags_fn_t)ndr_pull_xattr_DosAcl);
+ return status;
+}
+
+/*
+ save the acl for a file into filesystem xattr
+*/
+NTSTATUS pvfs_acl_save(struct pvfs_state *pvfs, struct pvfs_filename *name, int fd,
+ struct xattr_DosAcl *acl)
+{
+ NTSTATUS status;
+ void *privs;
+
+ if (!(pvfs->flags & PVFS_FLAG_XATTR_ENABLE)) {
+ return NT_STATUS_OK;
+ }
+
+ /* this xattr is in the "system" namespace, so we need
+ admin privileges to set it */
+ privs = root_privileges();
+ status = pvfs_xattr_ndr_save(pvfs, name->full_name, fd,
+ XATTR_DOSACL_NAME,
+ acl,
+ (ndr_push_flags_fn_t)ndr_push_xattr_DosAcl);
+ talloc_free(privs);
+ return status;
+}
+
/*
create a zero length xattr with the given name
*/
diff --git a/source4/ntvfs/posix/vfs_posix.c b/source4/ntvfs/posix/vfs_posix.c
index e02bd7aa32..e19b0739c7 100644
--- a/source4/ntvfs/posix/vfs_posix.c
+++ b/source4/ntvfs/posix/vfs_posix.c
@@ -65,6 +65,9 @@ static void pvfs_setup_options(struct pvfs_state *pvfs)
if (pvfs->flags & PVFS_FLAG_XATTR_ENABLE) {
pvfs->fs_attribs |= FS_ATTR_NAMED_STREAMS;
}
+ if (pvfs->flags & PVFS_FLAG_XATTR_ENABLE) {
+ pvfs->fs_attribs |= FS_ATTR_PERSISTANT_ACLS;
+ }
}
diff --git a/source4/ntvfs/unixuid/vfs_unixuid.c b/source4/ntvfs/unixuid/vfs_unixuid.c
index 4520df59fc..674ce3e5cf 100644
--- a/source4/ntvfs/unixuid/vfs_unixuid.c
+++ b/source4/ntvfs/unixuid/vfs_unixuid.c
@@ -294,6 +294,10 @@ static NTSTATUS unixuid_setup_security(struct ntvfs_module_context *ntvfs,
struct unix_sec_ctx *newsec;
NTSTATUS status;
+ if (req->session == NULL) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
*sec = save_unix_security(req);
if (*sec == NULL) {
return NT_STATUS_NO_MEMORY;