summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/modules/onefs.h5
-rw-r--r--source3/modules/onefs_acl.c31
-rw-r--r--source3/modules/onefs_open.c10
-rw-r--r--source3/modules/onefs_system.c14
4 files changed, 36 insertions, 24 deletions
diff --git a/source3/modules/onefs.h b/source3/modules/onefs.h
index bb7695800e..9d63021f42 100644
--- a/source3/modules/onefs.h
+++ b/source3/modules/onefs.h
@@ -136,8 +136,9 @@ NTSTATUS onefs_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
* Utility functions
*/
struct ifs_security_descriptor;
-NTSTATUS onefs_samba_sd_to_sd(uint32 security_info_sent, SEC_DESC *psd,
- struct ifs_security_descriptor *sd, int snum);
+NTSTATUS onefs_samba_sd_to_sd(uint32_t security_info_sent, SEC_DESC *psd,
+ struct ifs_security_descriptor *sd, int snum,
+ uint32_t *security_info_effective);
NTSTATUS onefs_split_ntfs_stream_name(TALLOC_CTX *mem_ctx, const char *fname,
char **pbase, char **pstream);
diff --git a/source3/modules/onefs_acl.c b/source3/modules/onefs_acl.c
index 8ee31abc88..d66e5d65fa 100644
--- a/source3/modules/onefs_acl.c
+++ b/source3/modules/onefs_acl.c
@@ -810,8 +810,9 @@ onefs_get_nt_acl(vfs_handle_struct *handle, const char* name,
*
* @return NTSTATUS_OK if successful
*/
-NTSTATUS onefs_samba_sd_to_sd(uint32 security_info_sent, SEC_DESC *psd,
- struct ifs_security_descriptor *sd, int snum)
+NTSTATUS onefs_samba_sd_to_sd(uint32_t security_info_sent, SEC_DESC *psd,
+ struct ifs_security_descriptor *sd, int snum,
+ uint32_t *security_info_effective)
{
struct ifs_security_acl *daclp, *saclp;
struct ifs_identity owner, group, *ownerp, *groupp;
@@ -822,6 +823,8 @@ NTSTATUS onefs_samba_sd_to_sd(uint32 security_info_sent, SEC_DESC *psd,
daclp = NULL;
saclp = NULL;
+ *security_info_effective = security_info_sent;
+
/* Setup owner */
if (security_info_sent & OWNER_SECURITY_INFORMATION) {
if (!onefs_og_to_identity(psd->owner_sid, &owner, false, snum))
@@ -849,7 +852,7 @@ NTSTATUS onefs_samba_sd_to_sd(uint32 security_info_sent, SEC_DESC *psd,
return NT_STATUS_ACCESS_DENIED;
if (ignore_aces == true)
- security_info_sent &= ~DACL_SECURITY_INFORMATION;
+ *security_info_effective &= ~DACL_SECURITY_INFORMATION;
}
/* Setup SACL */
@@ -857,8 +860,8 @@ NTSTATUS onefs_samba_sd_to_sd(uint32 security_info_sent, SEC_DESC *psd,
if (lp_parm_bool(snum, PARM_ONEFS_TYPE,
PARM_IGNORE_SACLS, PARM_IGNORE_SACLS_DEFAULT)) {
- DEBUG(5, ("Ignoring SACLs.\n"));
- security_info_sent &= ~SACL_SECURITY_INFORMATION;
+ DEBUG(5, ("Ignoring SACL.\n"));
+ *security_info_effective &= ~SACL_SECURITY_INFORMATION;
} else {
if (psd->sacl) {
if (!onefs_samba_acl_to_acl(psd->sacl,
@@ -866,7 +869,7 @@ NTSTATUS onefs_samba_sd_to_sd(uint32 security_info_sent, SEC_DESC *psd,
return NT_STATUS_ACCESS_DENIED;
if (ignore_aces == true) {
- security_info_sent &=
+ *security_info_effective &=
~SACL_SECURITY_INFORMATION;
}
}
@@ -879,6 +882,9 @@ NTSTATUS onefs_samba_sd_to_sd(uint32 security_info_sent, SEC_DESC *psd,
(daclp ? &daclp : NULL), (saclp ? &saclp : NULL), false))
return NT_STATUS_ACCESS_DENIED;
+ DEBUG(10, ("sec_info_sent: 0x%x, sec_info_effective: 0x%x.\n",
+ security_info_sent, *security_info_effective));
+
return NT_STATUS_OK;
}
@@ -890,19 +896,20 @@ NTSTATUS onefs_samba_sd_to_sd(uint32 security_info_sent, SEC_DESC *psd,
*/
NTSTATUS
onefs_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
- uint32 security_info_sent, SEC_DESC *psd)
+ uint32_t sec_info_sent, SEC_DESC *psd)
{
struct ifs_security_descriptor sd = {};
int fd = -1;
bool fopened = false;
NTSTATUS status;
+ uint32_t sec_info_effective = 0;
START_PROFILE(syscall_set_sd);
DEBUG(5,("Setting SD on file %s.\n", fsp->fsp_name ));
- status = onefs_samba_sd_to_sd(security_info_sent, psd, &sd,
- SNUM(handle->conn));
+ status = onefs_samba_sd_to_sd(sec_info_sent, psd, &sd,
+ SNUM(handle->conn), &sec_info_effective);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3, ("SD initialization failure: %s\n", nt_errstr(status)));
@@ -911,6 +918,7 @@ onefs_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
fd = fsp->fh->fd;
if (fd == -1) {
+ DEBUG(10,("Reopening file %s.\n", fsp->fsp_name));
if ((fd = onefs_sys_create_file(handle->conn,
-1,
fsp->fsp_name,
@@ -934,8 +942,9 @@ onefs_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
}
errno = 0;
- if (ifs_set_security_descriptor(fd, security_info_sent, &sd)) {
- DEBUG(0, ("Error setting security descriptor = %d\n", errno));
+ if (ifs_set_security_descriptor(fd, sec_info_effective, &sd)) {
+ DEBUG(0, ("Error setting security descriptor = %s\n",
+ strerror(errno)));
status = map_nt_error_from_unix(errno);
goto out;
}
diff --git a/source3/modules/onefs_open.c b/source3/modules/onefs_open.c
index f315b34c8b..5d7b42281c 100644
--- a/source3/modules/onefs_open.c
+++ b/source3/modules/onefs_open.c
@@ -719,11 +719,6 @@ NTSTATUS onefs_open_file_ntcreate(connection_struct *conn,
open_access_mask |= FILE_WRITE_DATA;
}
- if (lp_parm_bool(SNUM(fsp->conn), PARM_ONEFS_TYPE,
- PARM_IGNORE_SACLS, PARM_IGNORE_SACLS_DEFAULT)) {
- access_mask &= ~SYSTEM_SECURITY_ACCESS;
- }
-
DEBUG(10, ("onefs_open_file_ntcreate: fname=%s, after mapping "
"open_access_mask=%#x, access_mask=0x%x\n",
fname, open_access_mask, access_mask));
@@ -1684,6 +1679,11 @@ static NTSTATUS onefs_create_file_unixpath(connection_struct *conn,
}
}
+ if (lp_parm_bool(SNUM(conn), PARM_ONEFS_TYPE,
+ PARM_IGNORE_SACLS, PARM_IGNORE_SACLS_DEFAULT)) {
+ access_mask &= ~SYSTEM_SECURITY_ACCESS;
+ }
+
if ((conn->fs_capabilities & FILE_NAMED_STREAMS)
&& (access_mask & DELETE_ACCESS)
&& !is_ntfs_stream_name(fname)) {
diff --git a/source3/modules/onefs_system.c b/source3/modules/onefs_system.c
index 22ef2f481b..3e51c6cd85 100644
--- a/source3/modules/onefs_system.c
+++ b/source3/modules/onefs_system.c
@@ -94,7 +94,7 @@ int onefs_sys_create_file(connection_struct *conn,
enum oplock_type onefs_oplock;
enum oplock_type onefs_granted_oplock = OPLOCK_NONE;
struct ifs_security_descriptor ifs_sd = {}, *pifs_sd = NULL;
- int secinfo = 0;
+ uint32_t sec_info_effective = 0;
int ret_fd = -1;
uint32_t onefs_dos_attributes;
struct ifs_createfile_flags cf_flags = CF_FLAGS_NONE;
@@ -104,10 +104,12 @@ int onefs_sys_create_file(connection_struct *conn,
/* Setup security descriptor and get secinfo. */
if (sd != NULL) {
NTSTATUS status;
+ uint32_t sec_info_sent = 0;
- secinfo = (get_sec_info(sd) & IFS_SEC_INFO_KNOWN_MASK);
+ sec_info_sent = (get_sec_info(sd) & IFS_SEC_INFO_KNOWN_MASK);
- status = onefs_samba_sd_to_sd(secinfo, sd, &ifs_sd, SNUM(conn));
+ status = onefs_samba_sd_to_sd(sec_info_sent, sd, &ifs_sd,
+ SNUM(conn), &sec_info_effective);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("SD initialization failure: %s\n",
@@ -172,7 +174,7 @@ int onefs_sys_create_file(connection_struct *conn,
(unsigned int)mode,
onefs_oplock_str(onefs_oplock),
(unsigned int)id,
- (unsigned int)secinfo, sd,
+ sec_info_effective, sd,
(unsigned int)onefs_dos_attributes, path,
cf_flags_and_bool(cf_flags, CF_FLAGS_DEFAULT_ACL) ?
"true" : "false"));
@@ -188,8 +190,8 @@ int onefs_sys_create_file(connection_struct *conn,
ret_fd = ifs_createfile(base_fd, path,
(enum ifs_ace_rights)open_access_mask, flags & ~O_ACCMODE, mode,
- onefs_oplock, id, psml, secinfo, pifs_sd, onefs_dos_attributes,
- cf_flags, &onefs_granted_oplock);
+ onefs_oplock, id, psml, sec_info_effective, pifs_sd,
+ onefs_dos_attributes, cf_flags, &onefs_granted_oplock);
DEBUG(10,("onefs_sys_create_file(%s): ret_fd = %d, "
"onefs_granted_oplock = %s\n",