summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--examples/VFS/skel_opaque.c2
-rw-r--r--examples/VFS/skel_transparent.c2
-rw-r--r--source3/include/proto.h4
-rw-r--r--source3/include/vfs.h5
-rw-r--r--source3/modules/nfs4_acls.c10
-rw-r--r--source3/modules/vfs_acl_xattr.c4
-rw-r--r--source3/modules/vfs_afsacl.c10
-rw-r--r--source3/modules/vfs_aixacl2.c4
-rw-r--r--source3/modules/vfs_default.c2
-rw-r--r--source3/modules/vfs_full_audit.c4
-rw-r--r--source3/modules/vfs_gpfs.c4
-rw-r--r--source3/modules/vfs_zfsacl.c4
-rw-r--r--source3/smbd/posix_acls.c51
13 files changed, 52 insertions, 54 deletions
diff --git a/examples/VFS/skel_opaque.c b/examples/VFS/skel_opaque.c
index 89d8ce5239..3df1fcd5bf 100644
--- a/examples/VFS/skel_opaque.c
+++ b/examples/VFS/skel_opaque.c
@@ -315,7 +315,7 @@ static size_t skel_get_nt_acl(vfs_handle_struct *handle,
}
static NTSTATUS skel_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
- uint32 security_info_sent, SEC_DESC *psd)
+ uint32 security_info_sent, const SEC_DESC *psd)
{
errno = ENOSYS;
return NT_STATUS_NOT_IMPLEMENTED;
diff --git a/examples/VFS/skel_transparent.c b/examples/VFS/skel_transparent.c
index ea8530d855..e6dee97775 100644
--- a/examples/VFS/skel_transparent.c
+++ b/examples/VFS/skel_transparent.c
@@ -302,7 +302,7 @@ static NTSTATUS skel_get_nt_acl(vfs_handle_struct *handle,
}
static NTSTATUS skel_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
- uint32 security_info_sent, SEC_DESC *psd)
+ uint32 security_info_sent, const SEC_DESC *psd)
{
return SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
}
diff --git a/source3/include/proto.h b/source3/include/proto.h
index d7acdcb910..efa29be16d 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -9923,14 +9923,14 @@ void reply_pipe_close(connection_struct *conn, struct smb_request *req);
/* The following definitions come from smbd/posix_acls.c */
-NTSTATUS unpack_nt_owners(int snum, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, SEC_DESC *psd);
+NTSTATUS unpack_nt_owners(int snum, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, const SEC_DESC *psd);
SMB_ACL_T free_empty_sys_acl(connection_struct *conn, SMB_ACL_T the_acl);
NTSTATUS posix_fget_nt_acl(struct files_struct *fsp, uint32_t security_info,
SEC_DESC **ppdesc);
NTSTATUS posix_get_nt_acl(struct connection_struct *conn, const char *name,
uint32_t security_info, SEC_DESC **ppdesc);
int try_chown(connection_struct *conn, const char *fname, uid_t uid, gid_t gid);
-NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd);
+NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC *psd);
int get_acl_group_bits( connection_struct *conn, const char *fname, mode_t *mode );
int chmod_acl(connection_struct *conn, const char *name, mode_t mode);
int inherit_access_posix_acl(connection_struct *conn, const char *inherit_from_dir,
diff --git a/source3/include/vfs.h b/source3/include/vfs.h
index 9b72f69328..a3d38f6a25 100644
--- a/source3/include/vfs.h
+++ b/source3/include/vfs.h
@@ -108,8 +108,9 @@
/* Leave at 22 - not yet released. Remove parameter fd from close_fn. - obnox */
/* Changed to version 23 - remove set_nt_acl call. This can only be done via an
open handle. JRA. */
+/* Changed to version 24 - make security descriptor const in fset_nt_acl. JRA. */
-#define SMB_VFS_INTERFACE_VERSION 23
+#define SMB_VFS_INTERFACE_VERSION 24
/* to bug old modules which are trying to compile with the old functions */
@@ -365,7 +366,7 @@ struct vfs_ops {
NTSTATUS (*fset_nt_acl)(struct vfs_handle_struct *handle,
struct files_struct *fsp,
uint32 security_info_sent,
- struct security_descriptor *psd);
+ const struct security_descriptor *psd);
/* POSIX ACL operations. */
diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
index 9e28db8b39..f1b8cfffce 100644
--- a/source3/modules/nfs4_acls.c
+++ b/source3/modules/nfs4_acls.c
@@ -44,10 +44,6 @@ typedef struct _SMB_ACL4_INT_T
SMB_ACE4_INT_T *last;
} SMB_ACL4_INT_T;
-extern int try_chown(connection_struct *conn, const char *fname, uid_t uid, gid_t gid);
-extern NTSTATUS unpack_nt_owners(int snum, uid_t *puser, gid_t *pgrp,
- uint32 security_info_sent, SEC_DESC *psd);
-
static SMB_ACL4_INT_T *get_validated_aclint(SMB4ACL_T *acl)
{
SMB_ACL4_INT_T *aclint = (SMB_ACL4_INT_T *)acl;
@@ -518,7 +514,7 @@ static bool smbacl4_fill_ace4(
smbacl4_vfs_params *params,
uid_t ownerUID,
gid_t ownerGID,
- SEC_ACE *ace_nt, /* input */
+ const SEC_ACE *ace_nt, /* input */
SMB_ACE4PROP_T *ace_v4 /* output */
)
{
@@ -650,7 +646,7 @@ static int smbacl4_MergeIgnoreReject(
static SMB4ACL_T *smbacl4_win2nfs4(
const char *filename,
- SEC_ACL *dacl,
+ const SEC_ACL *dacl,
smbacl4_vfs_params *pparams,
uid_t ownerUID,
gid_t ownerGID
@@ -694,7 +690,7 @@ static SMB4ACL_T *smbacl4_win2nfs4(
NTSTATUS smb_set_nt_acl_nfs4(files_struct *fsp,
uint32 security_info_sent,
- SEC_DESC *psd,
+ const SEC_DESC *psd,
set_nfs4acl_native_fn_t set_nfs4_native)
{
smbacl4_vfs_params params;
diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c
index 80e44e51fc..2b3fc2ebb2 100644
--- a/source3/modules/vfs_acl_xattr.c
+++ b/source3/modules/vfs_acl_xattr.c
@@ -238,7 +238,7 @@ static NTSTATUS get_nt_acl_xattr(vfs_handle_struct *handle,
security_info, ppdesc);
}
-static NTSTATUS create_acl_blob(SEC_DESC *psd, DATA_BLOB *pblob)
+static NTSTATUS create_acl_blob(const SEC_DESC *psd, DATA_BLOB *pblob)
{
struct xattr_NTACL xacl;
struct security_descriptor_timestamp sd_ts;
@@ -307,7 +307,7 @@ static NTSTATUS store_acl_blob(files_struct *fsp,
}
static NTSTATUS fset_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
- uint32 security_info_sent, SEC_DESC *psd)
+ uint32 security_info_sent, const SEC_DESC *psd)
{
NTSTATUS status;
DATA_BLOB blob;
diff --git a/source3/modules/vfs_afsacl.c b/source3/modules/vfs_afsacl.c
index 9409f3fa20..c78369ac13 100644
--- a/source3/modules/vfs_afsacl.c
+++ b/source3/modules/vfs_afsacl.c
@@ -717,12 +717,12 @@ static bool mappable_sid(const DOM_SID *sid)
static bool nt_to_afs_acl(const char *filename,
uint32 security_info_sent,
- struct security_descriptor *psd,
+ const struct security_descriptor *psd,
uint32 (*nt_to_afs_rights)(const char *filename,
const SEC_ACE *ace),
struct afs_acl *afs_acl)
{
- SEC_ACL *dacl;
+ const SEC_ACL *dacl;
int i;
/* Currently we *only* look at the dacl */
@@ -737,7 +737,7 @@ static bool nt_to_afs_acl(const char *filename,
dacl = psd->dacl;
for (i = 0; i < dacl->num_aces; i++) {
- SEC_ACE *ace = &(dacl->aces[i]);
+ const SEC_ACE *ace = &(dacl->aces[i]);
const char *dom_name, *name;
enum lsa_SidType name_type;
char *p;
@@ -887,7 +887,7 @@ static void merge_unknown_aces(struct afs_acl *src, struct afs_acl *dst)
static NTSTATUS afs_set_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
uint32 security_info_sent,
- struct security_descriptor *psd)
+ const struct security_descriptor *psd)
{
struct afs_acl old_afs_acl, new_afs_acl;
struct afs_acl dir_acl, file_acl;
@@ -1040,7 +1040,7 @@ static NTSTATUS afsacl_get_nt_acl(struct vfs_handle_struct *handle,
NTSTATUS afsacl_fset_nt_acl(vfs_handle_struct *handle,
files_struct *fsp,
uint32 security_info_sent,
- SEC_DESC *psd)
+ const SEC_DESC *psd)
{
return afs_set_nt_acl(handle, fsp, security_info_sent, psd);
}
diff --git a/source3/modules/vfs_aixacl2.c b/source3/modules/vfs_aixacl2.c
index 23c4d88134..a078b9f9f6 100644
--- a/source3/modules/vfs_aixacl2.c
+++ b/source3/modules/vfs_aixacl2.c
@@ -371,7 +371,7 @@ static bool aixjfs2_process_smbacl(files_struct *fsp, SMB4ACL_T *smbacl)
return True;
}
-static NTSTATUS aixjfs2_set_nt_acl_common(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
+static NTSTATUS aixjfs2_set_nt_acl_common(files_struct *fsp, uint32 security_info_sent, const SEC_DESC *psd)
{
acl_type_t acl_type_info;
NTSTATUS result = NT_STATUS_ACCESS_DENIED;
@@ -395,7 +395,7 @@ static NTSTATUS aixjfs2_set_nt_acl_common(files_struct *fsp, uint32 security_inf
return result;
}
-NTSTATUS aixjfs2_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
+NTSTATUS aixjfs2_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp, uint32 security_info_sent, const SEC_DESC *psd)
{
return aixjfs2_set_nt_acl_common(fsp, security_info_sent, psd);
}
diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index 381aa18561..372cdf2d53 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -1036,7 +1036,7 @@ static NTSTATUS vfswrap_get_nt_acl(vfs_handle_struct *handle,
return result;
}
-static NTSTATUS vfswrap_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
+static NTSTATUS vfswrap_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp, uint32 security_info_sent, const SEC_DESC *psd)
{
NTSTATUS result;
diff --git a/source3/modules/vfs_full_audit.c b/source3/modules/vfs_full_audit.c
index 1224ec3edb..9fadcd9e0c 100644
--- a/source3/modules/vfs_full_audit.c
+++ b/source3/modules/vfs_full_audit.c
@@ -202,7 +202,7 @@ static NTSTATUS smb_full_audit_get_nt_acl(vfs_handle_struct *handle,
SEC_DESC **ppdesc);
static NTSTATUS smb_full_audit_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
uint32 security_info_sent,
- SEC_DESC *psd);
+ const SEC_DESC *psd);
static int smb_full_audit_chmod_acl(vfs_handle_struct *handle,
const char *path, mode_t mode);
static int smb_full_audit_fchmod_acl(vfs_handle_struct *handle, files_struct *fsp,
@@ -1582,7 +1582,7 @@ static NTSTATUS smb_full_audit_get_nt_acl(vfs_handle_struct *handle,
static NTSTATUS smb_full_audit_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
uint32 security_info_sent,
- SEC_DESC *psd)
+ const SEC_DESC *psd)
{
NTSTATUS result;
diff --git a/source3/modules/vfs_gpfs.c b/source3/modules/vfs_gpfs.c
index 39d2bb6c38..29ea7f0abe 100644
--- a/source3/modules/vfs_gpfs.c
+++ b/source3/modules/vfs_gpfs.c
@@ -365,7 +365,7 @@ static bool gpfsacl_process_smbacl(files_struct *fsp, SMB4ACL_T *smbacl)
return True;
}
-static NTSTATUS gpfsacl_set_nt_acl_internal(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
+static NTSTATUS gpfsacl_set_nt_acl_internal(files_struct *fsp, uint32 security_info_sent, const SEC_DESC *psd)
{
struct gpfs_acl *acl;
NTSTATUS result = NT_STATUS_ACCESS_DENIED;
@@ -386,7 +386,7 @@ static NTSTATUS gpfsacl_set_nt_acl_internal(files_struct *fsp, uint32 security_i
return result;
}
-static NTSTATUS gpfsacl_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
+static NTSTATUS gpfsacl_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp, uint32 security_info_sent, const SEC_DESC *psd)
{
return gpfsacl_set_nt_acl_internal(fsp, security_info_sent, psd);
}
diff --git a/source3/modules/vfs_zfsacl.c b/source3/modules/vfs_zfsacl.c
index e933e47317..3688b2386e 100644
--- a/source3/modules/vfs_zfsacl.c
+++ b/source3/modules/vfs_zfsacl.c
@@ -166,7 +166,7 @@ static bool zfs_process_smbacl(files_struct *fsp, SMB4ACL_T *smbacl)
*/
static NTSTATUS zfs_set_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
uint32 security_info_sent,
- struct security_descriptor *psd)
+ const struct security_descriptor *psd)
{
return smb_set_nt_acl_nfs4(fsp, security_info_sent, psd,
zfs_process_smbacl);
@@ -207,7 +207,7 @@ static NTSTATUS zfsacl_get_nt_acl(struct vfs_handle_struct *handle,
static NTSTATUS zfsacl_fset_nt_acl(vfs_handle_struct *handle,
files_struct *fsp,
uint32 security_info_sent,
- SEC_DESC *psd)
+ const SEC_DESC *psd)
{
return zfs_set_nt_acl(handle, fsp, security_info_sent, psd);
}
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 7479aea076..48ea993e28 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -988,7 +988,7 @@ static mode_t map_nt_perms( uint32 *mask, int type)
Unpack a SEC_DESC into a UNIX owner and group.
****************************************************************************/
-NTSTATUS unpack_nt_owners(int snum, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, SEC_DESC *psd)
+NTSTATUS unpack_nt_owners(int snum, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, const SEC_DESC *psd)
{
DOM_SID owner_sid;
DOM_SID grp_sid;
@@ -1329,11 +1329,13 @@ static void check_owning_objs(canon_ace *ace, DOM_SID *pfile_owner_sid, DOM_SID
Unpack a SEC_DESC into two canonical ace lists.
****************************************************************************/
-static bool create_canon_ace_lists(files_struct *fsp, SMB_STRUCT_STAT *pst,
- DOM_SID *pfile_owner_sid,
- DOM_SID *pfile_grp_sid,
- canon_ace **ppfile_ace, canon_ace **ppdir_ace,
- SEC_ACL *dacl)
+static bool create_canon_ace_lists(files_struct *fsp,
+ SMB_STRUCT_STAT *pst,
+ DOM_SID *pfile_owner_sid,
+ DOM_SID *pfile_grp_sid,
+ canon_ace **ppfile_ace,
+ canon_ace **ppdir_ace,
+ const SEC_ACL *dacl)
{
bool all_aces_are_inherit_only = (fsp->is_directory ? True : False);
canon_ace *file_ace = NULL;
@@ -2016,12 +2018,14 @@ static mode_t create_default_mode(files_struct *fsp, bool interitable_mode)
succeeding.
****************************************************************************/
-static bool unpack_canon_ace(files_struct *fsp,
- SMB_STRUCT_STAT *pst,
- DOM_SID *pfile_owner_sid,
- DOM_SID *pfile_grp_sid,
- canon_ace **ppfile_ace, canon_ace **ppdir_ace,
- uint32 security_info_sent, SEC_DESC *psd)
+static bool unpack_canon_ace(files_struct *fsp,
+ SMB_STRUCT_STAT *pst,
+ DOM_SID *pfile_owner_sid,
+ DOM_SID *pfile_grp_sid,
+ canon_ace **ppfile_ace,
+ canon_ace **ppdir_ace,
+ uint32 security_info_sent,
+ const SEC_DESC *psd)
{
canon_ace *file_ace = NULL;
canon_ace *dir_ace = NULL;
@@ -3224,25 +3228,25 @@ int try_chown(connection_struct *conn, const char *fname, uid_t uid, gid_t gid)
****************************************************************************/
static NTSTATUS append_parent_acl(files_struct *fsp,
- SMB_STRUCT_STAT *psbuf,
- SEC_DESC *psd,
+ const SEC_DESC *pcsd,
SEC_DESC **pp_new_sd)
{
SEC_DESC *parent_sd = NULL;
files_struct *parent_fsp = NULL;
- TALLOC_CTX *mem_ctx = talloc_parent(psd);
+ TALLOC_CTX *mem_ctx = talloc_tos();
char *parent_name = NULL;
SEC_ACE *new_ace = NULL;
- unsigned int num_aces = psd->dacl->num_aces;
+ unsigned int num_aces = pcsd->dacl->num_aces;
SMB_STRUCT_STAT sbuf;
NTSTATUS status;
int info;
unsigned int i, j;
- bool is_dacl_protected = (psd->type & SE_DESC_DACL_PROTECTED);
+ SEC_DESC *psd = dup_sec_desc(talloc_tos(), pcsd);
+ bool is_dacl_protected = (pcsd->type & SE_DESC_DACL_PROTECTED);
ZERO_STRUCT(sbuf);
- if (mem_ctx == NULL) {
+ if (psd == NULL) {
return NT_STATUS_NO_MEMORY;
}
@@ -3398,11 +3402,6 @@ static NTSTATUS append_parent_acl(files_struct *fsp,
parent_name));
}
- /* This sucks. psd should be const and we should
- * be doing a deep-copy here. We're getting away
- * with is as we know parent_sd is talloced off
- * talloc_tos() as well as psd. JRA. */
-
psd->dacl->aces = new_ace;
psd->dacl->num_aces = i;
psd->type &= ~(SE_DESC_DACL_AUTO_INHERITED|
@@ -3418,7 +3417,7 @@ static NTSTATUS append_parent_acl(files_struct *fsp,
This should be the only external function needed for the UNIX style set ACL.
****************************************************************************/
-NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
+NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC *psd)
{
connection_struct *conn = fsp->conn;
uid_t user = (uid_t)-1;
@@ -3529,10 +3528,12 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
SE_DESC_DACL_AUTO_INHERIT_REQ))==
(SE_DESC_DACL_AUTO_INHERITED|
SE_DESC_DACL_AUTO_INHERIT_REQ) ) {
- status = append_parent_acl(fsp, &sbuf, psd, &psd);
+ SEC_DESC *new_sd = NULL;
+ status = append_parent_acl(fsp, psd, &new_sd);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
+ psd = new_sd;
}
acl_perms = unpack_canon_ace( fsp, &sbuf, &file_owner_sid, &file_grp_sid,