-rw-r--r-- | source3/smbd/posix_acls.c | 201 | ||||
-rw-r--r-- | source3/smbd/proto.h | 3 |
2 files changed, 0 insertions, 204 deletions
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index bca5304eff..9a136c00c0 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -3717,207 +3717,6 @@ NTSTATUS try_chown(files_struct *fsp, uid_t uid, gid_t gid)
 return status;
 }
-#if 0
-/* Disable this - prevents ACL inheritance from the ACL editor. JRA. */
-
-/****************************************************************************
- Take care of parent ACL inheritance.
-****************************************************************************/
-
-NTSTATUS append_parent_acl(files_struct *fsp,
- const struct security_descriptor *pcsd,
- struct security_descriptor **pp_new_sd)
-{
- struct smb_filename *smb_dname = NULL;
- struct security_descriptor *parent_sd = NULL;
- files_struct *parent_fsp = NULL;
- TALLOC_CTX *mem_ctx = talloc_tos();
- char *parent_name = NULL;
- struct security_ace *new_ace = NULL;
- unsigned int num_aces = pcsd->dacl->num_aces;
- NTSTATUS status;
- int info;
- unsigned int i, j;
- struct security_descriptor *psd = dup_sec_desc(talloc_tos(), pcsd);
- bool is_dacl_protected = (pcsd->type & SEC_DESC_DACL_PROTECTED);
-
- if (psd == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!parent_dirname(mem_ctx, fsp->fsp_name->base_name, &parent_name,
- NULL)) {
- return NT_STATUS_NO_MEMORY;
- }
-
- status = create_synthetic_smb_fname(mem_ctx, parent_name, NULL, NULL,
- &smb_dname);
- if (!NT_STATUS_IS_OK(status)) {
- goto fail;
- }
-
- status = SMB_VFS_CREATE_FILE(
- fsp->conn, /* conn */
- NULL, /* req */
- 0, /* root_dir_fid */
- smb_dname, /* fname */
- FILE_READ_ATTRIBUTES, /* access_mask */
- FILE_SHARE_NONE, /* share_access */
- FILE_OPEN, /* create_disposition*/
- FILE_DIRECTORY_FILE, /* create_options */
- 0, /* file_attributes */
- INTERNAL_OPEN_ONLY, /* oplock_request */
- 0, /* allocation_size */
- NULL, /* sd */
- NULL, /* ea_list */
- &parent_fsp, /* result */
- &info); /* pinfo */
-
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(smb_dname);
- return status;
- }
-
- status = SMB_VFS_GET_NT_ACL(parent_fsp->conn, smb_dname->base_name,
- SECINFO_DACL, &parent_sd );
-
- close_file(NULL, parent_fsp, NORMAL_CLOSE);
- TALLOC_FREE(smb_dname);
-
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- /*
- * Make room for potentially all the ACLs from
- * the parent. We used to add the ugw triple here,
- * as we knew we were dealing with POSIX ACLs.
- * We no longer need to do so as we can guarentee
- * that a default ACL from the parent directory will
- * be well formed for POSIX ACLs if it came from a
- * POSIX ACL source, and if we're not writing to a
- * POSIX ACL sink then we don't care if it's not well
- * formed. JRA.
- */
-
- num_aces += parent_sd->dacl->num_aces;
-
- if((new_ace = talloc_zero_array(mem_ctx, struct security_ace,
- num_aces)) == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- /* Start by copying in all the given ACE entries. */
- for (i = 0; i < psd->dacl->num_aces; i++) {
- sec_ace_copy(&new_ace[i], &psd->dacl->aces[i]);
- }
-
- /*
- * Note that we're ignoring "inherit permissions" here
- * as that really only applies to newly created files. JRA.
- */
-
- /* Finally append any inherited ACEs. */
- for (j = 0; j < parent_sd->dacl->num_aces; j++) {
- struct security_ace *se = &parent_sd->dacl->aces[j];
-
- if (fsp->is_directory) {
- if (!(se->flags & SEC_ACE_FLAG_CONTAINER_INHERIT)) {
- /* Doesn't apply to a directory - ignore. */
- DEBUG(10,("append_parent_acl: directory %s "
- "ignoring non container "
- "inherit flags %u on ACE with sid %s "
- "from parent %s\n",
- fsp_str_dbg(fsp),
- (unsigned int)se->flags,
- sid_string_dbg(&se->trustee),
- parent_name));
- continue;
- }
- } else {
- if (!(se->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) {
- /* Doesn't apply to a file - ignore. */
- DEBUG(10,("append_parent_acl: file %s "
- "ignoring non object "
- "inherit flags %u on ACE with sid %s "
- "from parent %s\n",
- fsp_str_dbg(fsp),
- (unsigned int)se->flags,
- sid_string_dbg(&se->trustee),
- parent_name));
- continue;
- }
- }
-
- if (is_dacl_protected) {
- /* If the DACL is protected it means we must
- * not overwrite an existing ACE entry with the
- * same SID. This is order N^2. Ouch :-(. JRA. */
- unsigned int k;
- for (k = 0; k < psd->dacl->num_aces; k++) {
- if (dom_sid_equal(&psd->dacl->aces[k].trustee,
- &se->trustee)) {
- break;
- }
- }
- if (k < psd->dacl->num_aces) {
- /* SID matched. Ignore. */
- DEBUG(10,("append_parent_acl: path %s "
- "ignoring ACE with protected sid %s "
- "from parent %s\n",
- fsp_str_dbg(fsp),
- sid_string_dbg(&se->trustee),
- parent_name));
- continue;
- }
- }
-
- sec_ace_copy(&new_ace[i], se);
- if (se->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
- new_ace[i].flags &= ~(SEC_ACE_FLAG_VALID_INHERIT);
- }
- new_ace[i].flags |= SEC_ACE_FLAG_INHERITED_ACE;
-
- if (fsp->is_directory) {
- /*
- * Strip off any inherit only. It's applied.
- */
- new_ace[i].flags &= ~(SEC_ACE_FLAG_INHERIT_ONLY);
- if (se->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
- /* No further inheritance. */
- new_ace[i].flags &=
- ~(SEC_ACE_FLAG_CONTAINER_INHERIT|
- SEC_ACE_FLAG_OBJECT_INHERIT);
- }
- } else {
- /*
- * Strip off any container or inherit
- * flags, they can't apply to objects.
- */
- new_ace[i].flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|
- SEC_ACE_FLAG_INHERIT_ONLY|
- SEC_ACE_FLAG_NO_PROPAGATE_INHERIT);
- }
- i++;
-
- DEBUG(10,("append_parent_acl: path %s "
- "inheriting ACE with sid %s "
- "from parent %s\n",
- fsp_str_dbg(fsp),
- sid_string_dbg(&se->trustee),
- parent_name));
- }
-
- psd->dacl->aces = new_ace;
- psd->dacl->num_aces = i;
- psd->type &= ~(SEC_DESC_DACL_AUTO_INHERITED|
- SEC_DESC_DACL_AUTO_INHERIT_REQ);
-
- *pp_new_sd = psd;
- return status;
-}
-#endif
-
 /****************************************************************************
 Reply to set a security descriptor on an fsp. security_info_sent is the description of the following NT ACL.
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index f95fddd0c6..9a9a010671 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -718,9 +718,6 @@ NTSTATUS posix_get_nt_acl(struct connection_struct *conn, const char *name,
 TALLOC_CTX *mem_ctx, struct security_descriptor **ppdesc);
 NTSTATUS try_chown(files_struct *fsp, uid_t uid, gid_t gid);
-NTSTATUS append_parent_acl(files_struct *fsp,
- const struct security_descriptor *pcsd,
- struct security_descriptor **pp_new_sd);
 NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const struct security_descriptor *psd);
 int get_acl_group_bits( connection_struct *conn, const char *fname, mode_t *mode );
 int chmod_acl(connection_struct *conn, const char *name, mode_t mode); |