-rw-r--r-- | source3/modules/onefs.h | 5 | ||||
-rw-r--r-- | source3/modules/onefs_acl.c | 31 | ||||
-rw-r--r-- | source3/modules/onefs_open.c | 10 | ||||
-rw-r--r-- | source3/modules/onefs_system.c | 14 |
4 files changed, 36 insertions, 24 deletions
diff --git a/source3/modules/onefs.h b/source3/modules/onefs.h index bb7695800e..9d63021f42 100644 --- a/source3/modules/onefs.h +++ b/source3/modules/onefs.h @@ -136,8 +136,9 @@ NTSTATUS onefs_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp, * Utility functions */ struct ifs_security_descriptor; -NTSTATUS onefs_samba_sd_to_sd(uint32 security_info_sent, SEC_DESC *psd, - struct ifs_security_descriptor *sd, int snum); +NTSTATUS onefs_samba_sd_to_sd(uint32_t security_info_sent, SEC_DESC *psd, + struct ifs_security_descriptor *sd, int snum, + uint32_t *security_info_effective); NTSTATUS onefs_split_ntfs_stream_name(TALLOC_CTX *mem_ctx, const char *fname, char **pbase, char **pstream); diff --git a/source3/modules/onefs_acl.c b/source3/modules/onefs_acl.c index 8ee31abc88..d66e5d65fa 100644 --- a/source3/modules/onefs_acl.c +++ b/source3/modules/onefs_acl.c @@ -810,8 +810,9 @@ onefs_get_nt_acl(vfs_handle_struct *handle, const char* name, * * @return NTSTATUS_OK if successful */ -NTSTATUS onefs_samba_sd_to_sd(uint32 security_info_sent, SEC_DESC *psd, - struct ifs_security_descriptor *sd, int snum) +NTSTATUS onefs_samba_sd_to_sd(uint32_t security_info_sent, SEC_DESC *psd, + struct ifs_security_descriptor *sd, int snum, + uint32_t *security_info_effective) { struct ifs_security_acl *daclp, *saclp; struct ifs_identity owner, group, *ownerp, *groupp; @@ -822,6 +823,8 @@ NTSTATUS onefs_samba_sd_to_sd(uint32 security_info_sent, SEC_DESC *psd, daclp = NULL; saclp = NULL; + *security_info_effective = security_info_sent; + /* Setup owner */ if (security_info_sent & OWNER_SECURITY_INFORMATION) { if (!onefs_og_to_identity(psd->owner_sid, &owner, false, snum)) @@ -849,7 +852,7 @@ NTSTATUS onefs_samba_sd_to_sd(uint32 security_info_sent, SEC_DESC *psd, return NT_STATUS_ACCESS_DENIED; if (ignore_aces == true) - security_info_sent &= ~DACL_SECURITY_INFORMATION; + *security_info_effective &= ~DACL_SECURITY_INFORMATION; } /* Setup SACL */ 
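Review bot: The doc comment that ends just above the new signature of onefs_samba_sd_to_sd() in onefs_acl.c (hunk -810,8 +810,9) gains no entry for the added `security_info_effective` out-parameter. Callers now hand this value, not the sent mask, to ifs_set_security_descriptor() and ifs_createfile(), so its meaning should be written down, for example `@param security_info_effective set to security_info_sent minus the DACL/SACL bits of any ACL that was ignored`. The comment starts outside the hunk, so the wording should follow whatever @param style it already uses. The prototype in onefs.h changes the same way without a comment.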
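Review bot: `*security_info_effective = security_info_sent;` in hunk -822,6 +823,8 writes through the new pointer with no NULL check, although the function is exported through onefs.h. Both callers in this commit pass the address of a local, so this is a robustness point rather than a live bug; a guard such as `SMB_ASSERT(security_info_effective != NULL);` before the assignment would make the contract explicit. The value is also written before any validation, so on the NT_STATUS_ACCESS_DENIED returns it holds a mask that must not be used. Both visible callers test the status right after the call, though the rest of those error branches lies outside the hunks.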
@@ -857,8 +860,8 @@ NTSTATUS onefs_samba_sd_to_sd(uint32 security_info_sent, SEC_DESC *psd, if (lp_parm_bool(snum, PARM_ONEFS_TYPE, PARM_IGNORE_SACLS, PARM_IGNORE_SACLS_DEFAULT)) { - DEBUG(5, ("Ignoring SACLs.\n")); - security_info_sent &= ~SACL_SECURITY_INFORMATION; + DEBUG(5, ("Ignoring SACL.\n")); + *security_info_effective &= ~SACL_SECURITY_INFORMATION; } else { if (psd->sacl) { if (!onefs_samba_acl_to_acl(psd->sacl, @@ -866,7 +869,7 @@ NTSTATUS onefs_samba_sd_to_sd(uint32 security_info_sent, SEC_DESC *psd, return NT_STATUS_ACCESS_DENIED; if (ignore_aces == true) { - security_info_sent &= + *security_info_effective &= ~SACL_SECURITY_INFORMATION; } } @@ -879,6 +882,9 @@ NTSTATUS onefs_samba_sd_to_sd(uint32 security_info_sent, SEC_DESC *psd, (daclp ? &daclp : NULL), (saclp ? &saclp : NULL), false)) return NT_STATUS_ACCESS_DENIED; + DEBUG(10, ("sec_info_sent: 0x%x, sec_info_effective: 0x%x.\n", + security_info_sent, *security_info_effective)); + return NT_STATUS_OK; } @@ -890,19 +896,20 @@ NTSTATUS onefs_samba_sd_to_sd(uint32 security_info_sent, SEC_DESC *psd, */ NTSTATUS onefs_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp, - uint32 security_info_sent, SEC_DESC *psd) + uint32_t sec_info_sent, SEC_DESC *psd) { struct ifs_security_descriptor sd = {}; int fd = -1; bool fopened = false; NTSTATUS status; + uint32_t sec_info_effective = 0; START_PROFILE(syscall_set_sd); DEBUG(5,("Setting SD on file %s.\n", fsp->fsp_name )); - status = onefs_samba_sd_to_sd(security_info_sent, psd, &sd, - SNUM(handle->conn)); + status = onefs_samba_sd_to_sd(sec_info_sent, psd, &sd, + SNUM(handle->conn), &sec_info_effective); if (!NT_STATUS_IS_OK(status)) { DEBUG(3, ("SD initialization failure: %s\n", nt_errstr(status))); @@ -911,6 +918,7 @@ onefs_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp, fd = fsp->fh->fd; if (fd == -1) { + DEBUG(10,("Reopening file %s.\n", fsp->fsp_name)); if ((fd = onefs_sys_create_file(handle->conn, -1, fsp->fsp_name, 
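Review bot: The PARM_IGNORE_SACLS branch in hunk -857,8 +860,8 discards the client's SACL and records only `Ignoring SACL.` at debug level 5, with nothing in the message to identify the share. As far as the hunks show, the function still returns NT_STATUS_OK on this path, so someone reading the logs cannot tell which requests had their audit ACL dropped. I would carry the share number in the message, e.g. `DEBUG(5, ("Ignoring SACL (snum %d).\n", snum));`. The second site in hunk -866,7 +869,7, where `ignore_aces` clears the same bit, logs nothing at all in the visible lines.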
@@ -934,8 +942,9 @@ onefs_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp, } errno = 0; - if (ifs_set_security_descriptor(fd, security_info_sent, &sd)) { - DEBUG(0, ("Error setting security descriptor = %d\n", errno)); + if (ifs_set_security_descriptor(fd, sec_info_effective, &sd)) { + DEBUG(0, ("Error setting security descriptor = %s\n", + strerror(errno))); status = map_nt_error_from_unix(errno); goto out; } diff --git a/source3/modules/onefs_open.c b/source3/modules/onefs_open.c index f315b34c8b..5d7b42281c 100644 --- a/source3/modules/onefs_open.c +++ b/source3/modules/onefs_open.c @@ -719,11 +719,6 @@ NTSTATUS onefs_open_file_ntcreate(connection_struct *conn, open_access_mask |= FILE_WRITE_DATA; } - if (lp_parm_bool(SNUM(fsp->conn), PARM_ONEFS_TYPE, - PARM_IGNORE_SACLS, PARM_IGNORE_SACLS_DEFAULT)) { - access_mask &= ~SYSTEM_SECURITY_ACCESS; - } - DEBUG(10, ("onefs_open_file_ntcreate: fname=%s, after mapping " "open_access_mask=%#x, access_mask=0x%x\n", fname, open_access_mask, access_mask)); @@ -1684,6 +1679,11 @@ static NTSTATUS onefs_create_file_unixpath(connection_struct *conn, } } + if (lp_parm_bool(SNUM(conn), PARM_ONEFS_TYPE, + PARM_IGNORE_SACLS, PARM_IGNORE_SACLS_DEFAULT)) { + access_mask &= ~SYSTEM_SECURITY_ACCESS; + } + if ((conn->fs_capabilities & FILE_NAMED_STREAMS) && (access_mask & DELETE_ACCESS) && !is_ntfs_stream_name(fname)) { diff --git a/source3/modules/onefs_system.c b/source3/modules/onefs_system.c index 22ef2f481b..3e51c6cd85 100644 --- a/source3/modules/onefs_system.c +++ b/source3/modules/onefs_system.c @@ -94,7 +94,7 @@ int onefs_sys_create_file(connection_struct *conn, enum oplock_type onefs_oplock; enum oplock_type onefs_granted_oplock = OPLOCK_NONE; struct ifs_security_descriptor ifs_sd = {}, *pifs_sd = NULL; - int secinfo = 0; + uint32_t sec_info_effective = 0; int ret_fd = -1; uint32_t onefs_dos_attributes; struct ifs_createfile_flags cf_flags = CF_FLAGS_NONE; 
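Review bot: In hunk -934,8 +942,9 `errno` is read twice after `ifs_set_security_descriptor()` fails, first by `strerror(errno)` inside DEBUG and then by `map_nt_error_from_unix(errno)`, and the logging in between may overwrite it. A clobbered value would give the client a status unrelated to why the security descriptor was not applied. Saving it first avoids that: `int saved_errno = errno;` directly after the failed call, then `strerror(saved_errno)` in the message and `status = map_nt_error_from_unix(saved_errno);`. onefs_fset_nt_acl() continues outside the hunk, so whether the `out:` path also reads errno is not visible here.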
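Review bot: The block added to onefs_create_file_unixpath() in onefs_open.c (hunk -1684,6 +1679,11) strips SYSTEM_SECURITY_ACCESS from the requested `access_mask` with no comment on why it sits at this point or what the client ends up with. With PARM_IGNORE_SACLS set, a request for SACL access is reduced rather than refused. After the removal in hunk -719,11 +719,6, any path into onefs_open_file_ntcreate() that does not pass through this function would no longer have the bit masked; the callers are outside the diff, so that should be confirmed. I would add a comment above the `if`, such as `/* SACLs are ignored on this share, so do not ask the file system for SYSTEM_SECURITY_ACCESS. */`.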
@@ -104,10 +104,12 @@ int onefs_sys_create_file(connection_struct *conn, /* Setup security descriptor and get secinfo. */ if (sd != NULL) { NTSTATUS status; + uint32_t sec_info_sent = 0; - secinfo = (get_sec_info(sd) & IFS_SEC_INFO_KNOWN_MASK); + sec_info_sent = (get_sec_info(sd) & IFS_SEC_INFO_KNOWN_MASK); - status = onefs_samba_sd_to_sd(secinfo, sd, &ifs_sd, SNUM(conn)); + status = onefs_samba_sd_to_sd(sec_info_sent, sd, &ifs_sd, + SNUM(conn), &sec_info_effective); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("SD initialization failure: %s\n", @@ -172,7 +174,7 @@ int onefs_sys_create_file(connection_struct *conn, (unsigned int)mode, onefs_oplock_str(onefs_oplock), (unsigned int)id, - (unsigned int)secinfo, sd, + sec_info_effective, sd, (unsigned int)onefs_dos_attributes, path, cf_flags_and_bool(cf_flags, CF_FLAGS_DEFAULT_ACL) ? "true" : "false")); @@ -188,8 +190,8 @@ int onefs_sys_create_file(connection_struct *conn, ret_fd = ifs_createfile(base_fd, path, (enum ifs_ace_rights)open_access_mask, flags & ~O_ACCMODE, mode, - onefs_oplock, id, psml, secinfo, pifs_sd, onefs_dos_attributes, - cf_flags, &onefs_granted_oplock); + onefs_oplock, id, psml, sec_info_effective, pifs_sd, + onefs_dos_attributes, cf_flags, &onefs_granted_oplock); DEBUG(10,("onefs_sys_create_file(%s): ret_fd = %d, " "onefs_granted_oplock = %s\n", |
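Review bot: In the DEBUG argument list of hunk -172,7 +174,7 `sec_info_effective` is passed without the `(unsigned int)` cast that the old `secinfo` argument had and that the neighbouring `mode`, `id` and `onefs_dos_attributes` arguments still carry. The format string is outside the hunk, so the conversion specifier cannot be checked from here. Writing `(unsigned int)sec_info_effective, sd,` keeps the call consistent and stays correct wherever uint32_t is not unsigned int. The same applies to the new DEBUG(10, ...) in onefs_acl.c (hunk -879,6 +882,9), which prints two uint32_t values with `0x%x`.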