summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/lib/util_sid.c200
-rw-r--r--source3/param/loadparm.c21
-rw-r--r--source3/rpc_server/srv_samr_nt.c2
-rw-r--r--source3/smbd/open.c6
-rw-r--r--source3/smbd/posix_acls.c525
-rw-r--r--source3/smbd/trans2.c2
-rw-r--r--source3/smbd/uid.c2
-rw-r--r--source3/smbd/vfs.c3
8 files changed, 559 insertions, 202 deletions
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index f01479f1cc..f0daf9787e 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -40,9 +40,9 @@ DOM_SID global_sid_NULL; /* NULL sid */
DOM_SID global_sid_Authenticated_Users; /* All authenticated rids */
DOM_SID global_sid_Network; /* Network rids */
-static DOM_SID global_sid_Creator_Owner; /* Creator Owner */
-static DOM_SID global_sid_Creator_Group; /* Creator Group */
-static DOM_SID global_sid_Anonymous; /* Anonymous login */
+DOM_SID global_sid_Creator_Owner; /* Creator Owner */
+DOM_SID global_sid_Creator_Group; /* Creator Group */
+DOM_SID global_sid_Anonymous; /* Anonymous login */
DOM_SID global_sid_Builtin; /* Local well-known domain */
DOM_SID global_sid_Builtin_Administrators; /* Builtin administrators */
@@ -166,6 +166,10 @@ void generate_wellknown_sids(void)
initialised = True;
}
+/**************************************************************************
+ Create the SYSTEM token.
+***************************************************************************/
+
NT_USER_TOKEN *get_system_token(void)
{
generate_wellknown_sids(); /* The token is initialised here */
@@ -239,7 +243,10 @@ char *sid_to_string(fstring sidstr_out, const DOM_SID *sid)
return sidstr_out;
}
- /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */
+ /*
+ * BIG NOTE: this function only does SIDS where the identauth is not >= 2^32
+ * in a range of 2^48.
+ */
ia = (sid->id_auth[5]) +
(sid->id_auth[4] << 8 ) +
(sid->id_auth[3] << 16) +
@@ -272,63 +279,63 @@ const char *sid_string_static(const DOM_SID *sid)
BOOL string_to_sid(DOM_SID *sidout, const char *sidstr)
{
- pstring tok;
- char *p, *q;
- /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */
- uint32 ia;
+ pstring tok;
+ char *p, *q;
+ /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */
+ uint32 ia;
- if (StrnCaseCmp( sidstr, "S-", 2)) {
- DEBUG(0,("string_to_sid: Sid %s does not start with 'S-'.\n", sidstr));
- return False;
- }
-
- memset((char *)sidout, '\0', sizeof(DOM_SID));
-
- q = p = strdup(sidstr + 2);
- if (p == NULL) {
- DEBUG(0, ("string_to_sid: out of memory!\n"));
- return False;
- }
-
- if (!next_token(&p, tok, "-", sizeof(tok))) {
- DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr));
- SAFE_FREE(q);
- return False;
- }
-
- /* Get the revision number. */
- sidout->sid_rev_num = (uint8)strtoul(tok, NULL, 10);
-
- if (!next_token(&p, tok, "-", sizeof(tok))) {
- DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr));
- SAFE_FREE(q);
- return False;
- }
-
- /* identauth in decimal should be < 2^32 */
- ia = (uint32)strtoul(tok, NULL, 10);
-
- /* NOTE - the ia value is in big-endian format. */
- sidout->id_auth[0] = 0;
- sidout->id_auth[1] = 0;
- sidout->id_auth[2] = (ia & 0xff000000) >> 24;
- sidout->id_auth[3] = (ia & 0x00ff0000) >> 16;
- sidout->id_auth[4] = (ia & 0x0000ff00) >> 8;
- sidout->id_auth[5] = (ia & 0x000000ff);
-
- sidout->num_auths = 0;
-
- while(next_token(&p, tok, "-", sizeof(tok)) &&
- sidout->num_auths < MAXSUBAUTHS) {
- /*
- * NOTE - the subauths are in native machine-endian format. They
- * are converted to little-endian when linearized onto the wire.
- */
- sid_append_rid(sidout, (uint32)strtoul(tok, NULL, 10));
- }
-
- SAFE_FREE(q);
- return True;
+ if (StrnCaseCmp( sidstr, "S-", 2)) {
+ DEBUG(0,("string_to_sid: Sid %s does not start with 'S-'.\n", sidstr));
+ return False;
+ }
+
+ memset((char *)sidout, '\0', sizeof(DOM_SID));
+
+ q = p = strdup(sidstr + 2);
+ if (p == NULL) {
+ DEBUG(0, ("string_to_sid: out of memory!\n"));
+ return False;
+ }
+
+ if (!next_token(&p, tok, "-", sizeof(tok))) {
+ DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr));
+ SAFE_FREE(q);
+ return False;
+ }
+
+ /* Get the revision number. */
+ sidout->sid_rev_num = (uint8)strtoul(tok, NULL, 10);
+
+ if (!next_token(&p, tok, "-", sizeof(tok))) {
+ DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr));
+ SAFE_FREE(q);
+ return False;
+ }
+
+ /* identauth in decimal should be < 2^32 */
+ ia = (uint32)strtoul(tok, NULL, 10);
+
+ /* NOTE - the ia value is in big-endian format. */
+ sidout->id_auth[0] = 0;
+ sidout->id_auth[1] = 0;
+ sidout->id_auth[2] = (ia & 0xff000000) >> 24;
+ sidout->id_auth[3] = (ia & 0x00ff0000) >> 16;
+ sidout->id_auth[4] = (ia & 0x0000ff00) >> 8;
+ sidout->id_auth[5] = (ia & 0x000000ff);
+
+ sidout->num_auths = 0;
+
+ while(next_token(&p, tok, "-", sizeof(tok)) &&
+ sidout->num_auths < MAXSUBAUTHS) {
+ /*
+ * NOTE - the subauths are in native machine-endian format. They
+ * are converted to little-endian when linearized onto the wire.
+ */
+ sid_append_rid(sidout, (uint32)strtoul(tok, NULL, 10));
+ }
+
+ SAFE_FREE(q);
+ return True;
}
/*****************************************************************
@@ -412,10 +419,10 @@ void sid_copy(DOM_SID *dst, const DOM_SID *src)
dst->sub_auths[i] = src->sub_auths[i];
}
-
/*****************************************************************
Write a sid out into on-the-wire format.
*****************************************************************/
+
BOOL sid_linearize(char *outbuf, size_t len, const DOM_SID *sid)
{
size_t i;
@@ -433,36 +440,41 @@ BOOL sid_linearize(char *outbuf, size_t len, const DOM_SID *sid)
}
/*****************************************************************
- parse a on-the-wire SID to a DOM_SID
+ Parse a on-the-wire SID to a DOM_SID.
*****************************************************************/
+
BOOL sid_parse(const char *inbuf, size_t len, DOM_SID *sid)
{
int i;
- if (len < 8) return False;
+ if (len < 8)
+ return False;
ZERO_STRUCTP(sid);
sid->sid_rev_num = CVAL(inbuf, 0);
sid->num_auths = CVAL(inbuf, 1);
memcpy(sid->id_auth, inbuf+2, 6);
- if (len < 8 + sid->num_auths*4) return False;
- for (i=0;i<sid->num_auths;i++) {
+ if (len < 8 + sid->num_auths*4)
+ return False;
+ for (i=0;i<sid->num_auths;i++)
sid->sub_auths[i] = IVAL(inbuf, 8+i*4);
- }
return True;
}
-
/*****************************************************************
Compare the auth portion of two sids.
*****************************************************************/
+
static int sid_compare_auth(const DOM_SID *sid1, const DOM_SID *sid2)
{
int i;
- if (sid1 == sid2) return 0;
- if (!sid1) return -1;
- if (!sid2) return 1;
+ if (sid1 == sid2)
+ return 0;
+ if (!sid1)
+ return -1;
+ if (!sid2)
+ return 1;
if (sid1->sid_rev_num != sid2->sid_rev_num)
return sid1->sid_rev_num - sid2->sid_rev_num;
@@ -477,15 +489,19 @@ static int sid_compare_auth(const DOM_SID *sid1, const DOM_SID *sid2)
/*****************************************************************
Compare two sids.
*****************************************************************/
+
int sid_compare(const DOM_SID *sid1, const DOM_SID *sid2)
{
int i;
- if (sid1 == sid2) return 0;
- if (!sid1) return -1;
- if (!sid2) return 1;
+ if (sid1 == sid2)
+ return 0;
+ if (!sid1)
+ return -1;
+ if (!sid2)
+ return 1;
- /* compare most likely different rids, first: i.e start at end */
+ /* Compare most likely different rids, first: i.e start at end */
if (sid1->num_auths != sid2->num_auths)
return sid1->num_auths - sid2->num_auths;
@@ -497,9 +513,10 @@ int sid_compare(const DOM_SID *sid1, const DOM_SID *sid2)
}
/*****************************************************************
-see if 2 SIDs are in the same domain
-this just compares the leading sub-auths
+ See if 2 SIDs are in the same domain
+ this just compares the leading sub-auths
*****************************************************************/
+
int sid_compare_domain(const DOM_SID *sid1, const DOM_SID *sid2)
{
int n, i;
@@ -516,25 +533,25 @@ int sid_compare_domain(const DOM_SID *sid1, const DOM_SID *sid2)
/*****************************************************************
Compare two sids.
*****************************************************************/
+
BOOL sid_equal(const DOM_SID *sid1, const DOM_SID *sid2)
{
return sid_compare(sid1, sid2) == 0;
}
-
-
/*****************************************************************
Check if the SID is the builtin SID (S-1-5-32).
*****************************************************************/
+
BOOL sid_check_is_builtin(const DOM_SID *sid)
{
return sid_equal(sid, &global_sid_Builtin);
}
-
/*****************************************************************
- Check if the SID is our domain SID (S-1-5-21-x-y-z).
+ Check if the SID is one of the builtin SIDs (S-1-5-32-a).
*****************************************************************/
+
BOOL sid_check_is_in_builtin(const DOM_SID *sid)
{
DOM_SID dom_sid;
@@ -546,7 +563,6 @@ BOOL sid_check_is_in_builtin(const DOM_SID *sid)
return sid_equal(&dom_sid, &global_sid_Builtin);
}
-
/*****************************************************************
Calculates size of a sid.
*****************************************************************/
@@ -574,25 +590,24 @@ BOOL non_mappable_sid(DOM_SID *sid)
if (sid_equal(&dom, &global_sid_Builtin))
return True;
- if (sid_equal(&dom, &global_sid_Creator_Owner_Domain))
- return True;
-
if (sid_equal(&dom, &global_sid_NT_Authority))
return True;
return False;
}
-/*
- return the binary string representation of a DOM_SID
- caller must free
-*/
+/*****************************************************************
+ Return the binary string representation of a DOM_SID.
+ Caller must free.
+*****************************************************************/
+
char *sid_binstring(const DOM_SID *sid)
{
char *buf, *s;
int len = sid_size(sid);
buf = malloc(len);
- if (!buf) return NULL;
+ if (!buf)
+ return NULL;
sid_linearize(buf, len, sid);
s = binary_string(buf, len);
free(buf);
@@ -600,9 +615,10 @@ char *sid_binstring(const DOM_SID *sid)
}
-/*
- print a GUID structure for debugging
-*/
+/*****************************************************************
+ Print a GUID structure for debugging.
+*****************************************************************/
+
void print_guid(GUID *guid)
{
int i;
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index effbb7af68..c54281332b 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -216,6 +216,7 @@ typedef struct
char *szLdapSuffix;
char *szLdapFilter;
char *szLdapAdminDn;
+ char *szAclCompat;
int ldap_passwd_sync;
BOOL bMsAddPrinterWizard;
BOOL bDNSproxy;
@@ -536,6 +537,8 @@ static BOOL handle_ldap_machine_suffix ( char *pszParmValue, char **ptr );
static BOOL handle_ldap_user_suffix ( char *pszParmValue, char **ptr );
static BOOL handle_ldap_suffix ( char *pszParmValue, char **ptr );
+static BOOL handle_acl_compatibility(char *pszParmValue, char **ptr);
+
static void set_server_role(void);
static void set_default_server_announce_type(void);
@@ -820,8 +823,9 @@ static struct parm_struct parm_table[] = {
{"write raw", P_BOOL, P_GLOBAL, &Globals.bWriteRaw, NULL, NULL, FLAG_DEVELOPER},
{"disable netbios", P_BOOL, P_GLOBAL, &Globals.bDisableNetbios, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
+ {"acl compatibility", P_STRING, P_GLOBAL, &Globals.szAclCompat, handle_acl_compatibility, NULL, FLAG_SHARE | FLAG_GLOBAL | FLAG_ADVANCED},
+ {"nt acl support", P_BOOL, P_LOCAL, &sDefault.bNTAclSupport, NULL, NULL, FLAG_GLOBAL | FLAG_SHARE | FLAG_ADVANCED | FLAG_WIZARD},
{"nt pipe support", P_BOOL, P_GLOBAL, &Globals.bNTPipeSupport, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
- {"nt acl support", P_BOOL, P_LOCAL, &sDefault.bNTAclSupport, NULL, NULL, FLAG_GLOBAL | FLAG_SHARE | FLAG_ADVANCED | FLAG_WIZARD},
{"nt status support", P_BOOL, P_GLOBAL, &Globals.bNTStatusSupport, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"profile acls", P_BOOL, P_LOCAL, &sDefault.bProfileAcls, NULL, NULL, FLAG_GLOBAL | FLAG_SHARE | FLAG_ADVANCED | FLAG_WIZARD},
@@ -1407,6 +1411,7 @@ static void init_globals(void)
string_set(&Globals.szTemplateShell, "/bin/false");
string_set(&Globals.szTemplateHomedir, "/home/%D/%U");
string_set(&Globals.szWinbindSeparator, "\\");
+ string_set(&Globals.szAclCompat, "");
Globals.winbind_cache_time = 15;
Globals.bWinbindEnumUsers = True;
@@ -1579,6 +1584,7 @@ FN_GLOBAL_STRING(lp_wins_partners, &Globals.szWINSPartners)
FN_GLOBAL_STRING(lp_template_homedir, &Globals.szTemplateHomedir)
FN_GLOBAL_STRING(lp_template_shell, &Globals.szTemplateShell)
FN_GLOBAL_STRING(lp_winbind_separator, &Globals.szWinbindSeparator)
+FN_GLOBAL_STRING(lp_acl_compatibility, &Globals.szAclCompat)
FN_GLOBAL_BOOL(lp_winbind_enum_users, &Globals.bWinbindEnumUsers)
FN_GLOBAL_BOOL(lp_winbind_enum_groups, &Globals.bWinbindEnumGroups)
FN_GLOBAL_BOOL(lp_winbind_use_default_domain, &Globals.bWinbindUseDefaultDomain)
@@ -2771,6 +2777,19 @@ static BOOL handle_ldap_suffix( char *pszParmValue, char **ptr)
return True;
}
+static BOOL handle_acl_compatibility(char *pszParmValue, char **ptr)
+{
+ if (strequal(pszParmValue, "auto"))
+ string_set(ptr, "");
+ else if (strequal(pszParmValue, "winnt"))
+ string_set(ptr, "winnt");
+ else if (strequal(pszParmValue, "win2k"))
+ string_set(ptr, "win2k");
+ else
+ return False;
+
+ return True;
+}
/***************************************************************************
initialise a copymap
***************************************************************************/
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 1bdfefff65..6ef2fcd67d 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -884,7 +884,7 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM
uint32 num_entries = 0;
int i;
GROUP_MAP smap;
- GROUP_MAP *map;
+ GROUP_MAP *map = NULL;
sid_to_string(sid_str, sid);
DEBUG(5, ("get_group_alias_entries: enumerating aliases on SID: %s\n", sid_str));
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index a95793a050..417a9dd039 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -165,9 +165,13 @@ static BOOL open_file(files_struct *fsp,connection_struct *conn,
local_flags |= O_NONBLOCK;
#endif
- /* actually do the open */
+ /* Actually do the open */
fsp->fd = fd_open(conn, fname, local_flags, mode);
+ /* Inherit the ACL if the file was created. */
+ if ((local_flags & O_CREAT) && !VALID_STAT(*psbuf))
+ inherit_access_acl(conn, fname, mode);
+
if (fsp->fd == -1) {
DEBUG(3,("Error opening file %s (%s) (local_flags=%d) (flags=%d)\n",
fname,strerror(errno),local_flags,flags));
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 87ebddf35a..22bb7fe76b 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1,7 +1,8 @@
/*
Unix SMB/CIFS implementation.
SMB NT Security Descriptor / Unix permission conversion.
- Copyright (C) Jeremy Allison 1994-2000
+ Copyright (C) Jeremy Allison 1994-2000.
+ Copyright (C) Andreas Gruenbacher 2002.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -330,6 +331,24 @@ static void merge_aces( canon_ace **pp_list_head )
}
/****************************************************************************
+ Check if we need to return NT4.x compatible ACL entries.
+****************************************************************************/
+
+static BOOL nt4_compatible_acls(void)
+{
+ const char *compat = lp_acl_compatibility();
+
+ if (*compat == '\0') {
+ enum remote_arch_types ra_type = get_remote_arch();
+
+ /* Automatically adapt to client */
+ return (ra_type <= RA_WINNT);
+ } else
+ return (strequal(compat, "winnt"));
+}
+
+
+/****************************************************************************
Map canon_ace perms to permission bits NT.
The attr element is not used here - we only process deny entries on set,
not get. Deny entries are implicit on get with ace->perms = 0.
@@ -345,7 +364,19 @@ static SEC_ACCESS map_canon_ace_perms(int *pacl_type, DOM_SID *powner_sid, canon
if ((ace->perms & ALL_ACE_PERMS) == ALL_ACE_PERMS) {
nt_mask = UNIX_ACCESS_RWX;
} else if ((ace->perms & ALL_ACE_PERMS) == (mode_t)0) {
- nt_mask = UNIX_ACCESS_NONE;
+ /*
+ * Windows NT refuses to display ACEs with no permissions in them (but
+ * they are perfectly legal with Windows 2000). If the ACE has empty
+ * permissions we cannot use 0, so we use the otherwise unused
+ * WRITE_OWNER permission, which we ignore when we set an ACL.
+ * We abstract this into a #define of UNIX_ACCESS_NONE to allow this
+ * to be changed in the future.
+ */
+
+ if (nt4_compatible_acls())
+ nt_mask = UNIX_ACCESS_NONE;
+ else
+ nt_mask = 0;
} else {
nt_mask |= ((ace->perms & S_IRUSR) ? UNIX_ACCESS_R : 0 );
nt_mask |= ((ace->perms & S_IWUSR) ? UNIX_ACCESS_W : 0 );
@@ -621,7 +652,7 @@ static BOOL ensure_canon_entry_valid(canon_ace **pp_ace,
else if (got_grp && uid_entry_in_group(pace, pace_group))
pace->perms = pace_group->perms;
else
- pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IRUSR, S_IWUSR, S_IXUSR);
+ pace->perms = 0;
apply_default_perms(fsp, pace, S_IRUSR);
} else {
pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IRUSR, S_IWUSR, S_IXUSR);
@@ -668,7 +699,10 @@ static BOOL ensure_canon_entry_valid(canon_ace **pp_ace,
pace->unix_ug.world = -1;
pace->trustee = global_sid_World;
pace->attr = ALLOW_ACE;
- pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IROTH, S_IWOTH, S_IXOTH);
+ if (setting_acl)
+ pace->perms = 0;
+ else
+ pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IROTH, S_IWOTH, S_IXOTH);
apply_default_perms(fsp, pace, S_IROTH);
DLIST_ADD(*pp_ace, pace);
@@ -678,6 +712,51 @@ static BOOL ensure_canon_entry_valid(canon_ace **pp_ace,
}
/****************************************************************************
+ Check if a POSIX ACL has the required SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries.
+ If it does not have them, check if there are any entries where the trustee is the
+ file owner or the owning group, and map these to SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ.
+****************************************************************************/
+
+static void check_owning_objs(canon_ace *ace, DOM_SID *pfile_owner_sid, DOM_SID *pfile_grp_sid)
+{
+ BOOL got_user_obj, got_group_obj;
+ canon_ace *current_ace;
+ int i, entries;
+
+ entries = count_canon_ace_list(ace);
+ got_user_obj = False;
+ got_group_obj = False;
+
+ for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
+ if (current_ace->type == SMB_ACL_USER_OBJ)
+ got_user_obj = True;
+ else if (current_ace->type == SMB_ACL_GROUP_OBJ)
+ got_group_obj = True;
+ }
+ if (got_user_obj && got_group_obj) {
+ DEBUG(10,("check_owning_objs: ACL had owning user/group entries.\n"));
+ return;
+ }
+
+ for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
+ if (!got_user_obj && current_ace->owner_type == UID_ACE &&
+ sid_equal(&current_ace->trustee, pfile_owner_sid)) {
+ current_ace->type = SMB_ACL_USER_OBJ;
+ got_user_obj = True;
+ }
+ if (!got_group_obj && current_ace->owner_type == GID_ACE &&
+ sid_equal(&current_ace->trustee, pfile_grp_sid)) {
+ current_ace->type = SMB_ACL_GROUP_OBJ;
+ got_group_obj = True;
+ }
+ }
+ if (!got_user_obj)
+ DEBUG(10,("check_owning_objs: ACL is missing an owner entry.\n"));
+ if (!got_group_obj)
+ DEBUG(10,("check_owning_objs: ACL is missing an owning group entry.\n"));
+}
+
+/****************************************************************************
Unpack a SEC_DESC into two canonical ace lists.
****************************************************************************/
@@ -687,6 +766,8 @@ static BOOL create_canon_ace_lists(files_struct *fsp,
canon_ace **ppfile_ace, canon_ace **ppdir_ace,
SEC_ACL *dacl)
{
+ extern DOM_SID global_sid_Creator_Owner;
+ extern DOM_SID global_sid_Creator_Group;
extern DOM_SID global_sid_World;
extern struct generic_mapping file_generic_mapping;
BOOL all_aces_are_inherit_only = (fsp->is_directory ? True : False);
@@ -713,23 +794,25 @@ static BOOL create_canon_ace_lists(files_struct *fsp,
return False;
}
- /*
- * The security mask may be UNIX_ACCESS_NONE which should map into
- * no permissions (we overload the WRITE_OWNER bit for this) or it
- * should be one of the ALL/EXECUTE/READ/WRITE bits. Arrange for this
- * to be so. Any other bits override the UNIX_ACCESS_NONE bit.
- */
+ if (nt4_compatible_acls()) {
+ /*
+ * The security mask may be UNIX_ACCESS_NONE which should map into
+ * no permissions (we overload the WRITE_OWNER bit for this) or it
+ * should be one of the ALL/EXECUTE/READ/WRITE bits. Arrange for this
+ * to be so. Any other bits override the UNIX_ACCESS_NONE bit.
+ */
- /*
- * Convert GENERIC bits to specific bits.
- */
+ /*
+ * Convert GENERIC bits to specific bits.
+ */
- se_map_generic(&psa->info.mask, &file_generic_mapping);
+ se_map_generic(&psa->info.mask, &file_generic_mapping);
- psa->info.mask &= (UNIX_ACCESS_NONE|FILE_ALL_ACCESS);
+ psa->info.mask &= (UNIX_ACCESS_NONE|FILE_ALL_ACCESS);
- if(psa->info.mask != UNIX_ACCESS_NONE)
- psa->info.mask &= ~UNIX_ACCESS_NONE;
+ if(psa->info.mask != UNIX_ACCESS_NONE)
+ psa->info.mask &= ~UNIX_ACCESS_NONE;
+ }
}
/*
@@ -804,15 +887,45 @@ static BOOL create_canon_ace_lists(files_struct *fsp,
/*
* Try and work out if the SID is a user or group
* as we need to flag these differently for POSIX.
+ * Note what kind of a POSIX ACL this should map to.
*/
if( sid_equal(&current_ace->trustee, &global_sid_World)) {
current_ace->owner_type = WORLD_ACE;
current_ace->unix_ug.world = -1;
+ current_ace->type = SMB_ACL_OTHER;
+ } else if (sid_equal(&current_ace->trustee, &global_sid_Creator_Owner)) {
+ current_ace->owner_type = UID_ACE;
+ current_ace->unix_ug.world = -1;
+ current_ace->type = SMB_ACL_USER_OBJ;
+
+ /*
+ * The Creator Owner entry only specifies inheritable permissions,
+ * never access permissions. WinNT doesn't always set the ACE to
+ *INHERIT_ONLY, though.
+ */
+
+ if (nt4_compatible_acls())
+ psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
+ } else if (sid_equal(&current_ace->trustee, &global_sid_Creator_Group)) {
+ current_ace->owner_type = GID_ACE;
+ current_ace->unix_ug.world = -1;
+ current_ace->type = SMB_ACL_GROUP_OBJ;
+
+ /*
+ * The Creator Group entry only specifies inheritable permissions,
+ * never access permissions. WinNT doesn't always set the ACE to
+ *INHERIT_ONLY, though.
+ */
+ if (nt4_compatible_acls())
+ psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
+
} else if (sid_to_uid( &current_ace->trustee, &current_ace->unix_ug.uid, &sid_type)) {
current_ace->owner_type = UID_ACE;
+ current_ace->type = SMB_ACL_USER;
} else if (sid_to_gid( &current_ace->trustee, &current_ace->unix_ug.gid, &sid_type)) {
current_ace->owner_type = GID_ACE;
+ current_ace->type = SMB_ACL_GROUP;
} else {
fstring str;
@@ -833,31 +946,6 @@ static BOOL create_canon_ace_lists(files_struct *fsp,
current_ace->attr = (psa->type == SEC_ACE_TYPE_ACCESS_ALLOWED) ? ALLOW_ACE : DENY_ACE;
/*
- * Now note what kind of a POSIX ACL this should map to.
- */
-
- if(sid_equal(&current_ace->trustee, pfile_owner_sid)) {
-
- current_ace->type = SMB_ACL_USER_OBJ;
-
- } else if( sid_equal(&current_ace->trustee, pfile_grp_sid)) {
-
- current_ace->type = SMB_ACL_GROUP_OBJ;
-
- } else if( sid_equal(&current_ace->trustee, &global_sid_World)) {
-
- current_ace->type = SMB_ACL_OTHER;
-
- } else {
- /*
- * Could be a SMB_ACL_USER or SMB_ACL_GROUP. Check by
- * looking at owner_type.
- */
-
- current_ace->type = (current_ace->owner_type == UID_ACE) ? SMB_ACL_USER : SMB_ACL_GROUP;
- }
-
- /*
* Now add the created ace to either the file list, the directory
* list, or both. We *MUST* preserve the order here (hence we use
* DLIST_ADD_END) as NT ACLs are order dependent.
@@ -970,6 +1058,15 @@ Deny entry after Allow entry. Failing to set on file %s.\n", fsp->fsp_name ));
free_canon_ace_list(dir_ace);
file_ace = NULL;
dir_ace = NULL;
+ } else {
+ /*
+ * Check if we have SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries in each
+ * ACL. If we don't have them, check if any SMB_ACL_USER/SMB_ACL_GROUP
+ * entries can be converted to *_OBJ. Usually we will already have these
+ * entries in the Default ACL, and the Access ACL will not have them.
+ */
+ check_owning_objs(file_ace, pfile_owner_sid, pfile_grp_sid);
+ check_owning_objs(dir_ace, pfile_owner_sid, pfile_grp_sid);
}
*ppfile_ace = file_ace;
@@ -1375,7 +1472,7 @@ static BOOL unpack_canon_ace(files_struct *fsp,
pst->st_mode = create_default_mode(fsp, True);
- if (!ensure_canon_entry_valid(&dir_ace, fsp, pfile_owner_sid, pfile_grp_sid, pst, True)) {
+ if (dir_ace && !ensure_canon_entry_valid(&dir_ace, fsp, pfile_owner_sid, pfile_grp_sid, pst, True)) {
free_canon_ace_list(file_ace);
free_canon_ace_list(dir_ace);
return False;
@@ -1398,14 +1495,13 @@ static BOOL unpack_canon_ace(files_struct *fsp,
Note that this doesn't exactly match the NT semantics for an ACL. As POSIX entries
are not ordered, and match on the most specific entry rather than walking a list,
- then a simple POSIX permission of rw-r--r-- should really map to 6 entries,
+ then a simple POSIX permission of rw-r--r-- should really map to 5 entries,
Entry 0: owner : deny all except read and write.
Entry 1: group : deny all except read.
- Entry 2: Everyone : deny all except read.
- Entry 3: owner : allow read and write.
- Entry 4: group : allow read.
- Entry 5: Everyone : allow read.
+ Entry 2: owner : allow read and write.
+ Entry 3: group : allow read.
+ Entry 4: Everyone : allow read.
But NT cannot display this in their ACL editor !
********************************************************************************/
@@ -1455,7 +1551,7 @@ static void arrange_posix_perms( char *filename, canon_ace **pp_list_head)
****************************************************************************/
static canon_ace *canonicalise_acl( files_struct *fsp, SMB_ACL_T posix_acl, SMB_STRUCT_STAT *psbuf,
- DOM_SID *powner, DOM_SID *pgroup)
+ DOM_SID *powner, DOM_SID *pgroup, SMB_ACL_TYPE_T acl_type)
{
extern DOM_SID global_sid_World;
connection_struct *conn = fsp->conn;
@@ -1489,7 +1585,7 @@ static canon_ace *canonicalise_acl( files_struct *fsp, SMB_ACL_T posix_acl, SMB_
switch(tagtype) {
case SMB_ACL_USER_OBJ:
/* Get the SID from the owner. */
- uid_to_sid( &sid, psbuf->st_uid );
+ sid_copy(&sid, powner);
unix_ug.uid = psbuf->st_uid;
owner_type = UID_ACE;
break;
@@ -1500,6 +1596,15 @@ static canon_ace *canonicalise_acl( files_struct *fsp, SMB_ACL_T posix_acl, SMB_
DEBUG(0,("canonicalise_acl: Failed to get uid.\n"));
continue;
}
+ /*
+ * A SMB_ACL_USER entry for the owner is shadowed by the
+ * SMB_ACL_USER_OBJ entry and Windows also cannot represent
+ * that entry, so we ignore it. We also don't create such
+ * entries out of the blue when setting ACLs, so a get/set
+ * cycle will drop them.
+ */
+ if (acl_type == SMB_ACL_TYPE_ACCESS && *puid == psbuf->st_uid)
+ continue;
uid_to_sid( &sid, *puid);
unix_ug.uid = *puid;
owner_type = UID_ACE;
@@ -1508,7 +1613,7 @@ static canon_ace *canonicalise_acl( files_struct *fsp, SMB_ACL_T posix_acl, SMB_
}
case SMB_ACL_GROUP_OBJ:
/* Get the SID from the owning group. */
- gid_to_sid( &sid, psbuf->st_gid );
+ sid_copy(&sid, pgroup);
unix_ug.gid = psbuf->st_gid;
owner_type = GID_ACE;
break;
@@ -1611,8 +1716,11 @@ static BOOL set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, BOOL defau
canon_ace *p_ace;
int i;
SMB_ACL_ENTRY_T mask_entry;
+ BOOL got_mask_entry = False;
SMB_ACL_PERMSET_T mask_permset;
SMB_ACL_TYPE_T the_acl_type = (default_ace ? SMB_ACL_TYPE_DEFAULT : SMB_ACL_TYPE_ACCESS);
+ BOOL needs_mask = False;
+ mode_t mask_perms = 0;
if (the_acl == NULL) {
@@ -1633,6 +1741,20 @@ static BOOL set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, BOOL defau
SMB_ACL_PERMSET_T the_permset;
/*
+ * ACLs only "need" an ACL_MASK entry if there are any named user or
+ * named group entries. But if there is an ACL_MASK entry, it applies
+ * to ACL_USER, ACL_GROUP, and ACL_GROUP_OBJ entries. Set the mask
+ * so that it doesn't deny (i.e., mask off) any permissions.
+ */
+
+ if (p_ace->type == SMB_ACL_USER || p_ace->type == SMB_ACL_GROUP) {
+ needs_mask = True;
+ mask_perms |= p_ace->perms;
+ } else if (p_ace->type == SMB_ACL_GROUP_OBJ) {
+ mask_perms |= p_ace->perms;
+ }
+
+ /*
* Get the entry for this ACE.
*/
@@ -1642,6 +1764,11 @@ static BOOL set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, BOOL defau
goto done;
}
+ if (p_ace->type == SMB_ACL_MASK) {
+ mask_entry = the_entry;
+ got_mask_entry = True;
+ }
+
/*
* Ok - we now know the ACL calls should be working, don't
* allow fallback to chmod.
@@ -1706,33 +1833,31 @@ static BOOL set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, BOOL defau
print_canon_ace( p_ace, i);
}
- /*
- * Add in a mask of rwx.
- */
-
- if (conn->vfs_ops.sys_acl_create_entry( conn, &the_acl, &mask_entry) == -1) {
- DEBUG(0,("set_canon_ace_list: Failed to create mask entry. (%s)\n", strerror(errno) ));
- goto done;
- }
+ if (needs_mask && !got_mask_entry) {
+ if (conn->vfs_ops.sys_acl_create_entry(conn, &the_acl, &mask_entry) == -1) {
+ DEBUG(0,("set_canon_ace_list: Failed to create mask entry. (%s)\n", strerror(errno) ));
+ goto done;
+ }
- if (conn->vfs_ops.sys_acl_set_tag_type(conn, mask_entry, SMB_ACL_MASK) == -1) {
- DEBUG(0,("set_canon_ace_list: Failed to set tag type on mask entry. (%s)\n",strerror(errno) ));
- goto done;
- }
+ if (conn->vfs_ops.sys_acl_set_tag_type(conn, mask_entry, SMB_ACL_MASK) == -1) {
+ DEBUG(0,("set_canon_ace_list: Failed to set tag type on mask entry. (%s)\n",strerror(errno) ));
+ goto done;
+ }
- if (conn->vfs_ops.sys_acl_get_permset(conn, mask_entry, &mask_permset) == -1) {
- DEBUG(0,("set_canon_ace_list: Failed to get mask permset. (%s)\n", strerror(errno) ));
- goto done;
- }
+ if (conn->vfs_ops.sys_acl_get_permset(conn, mask_entry, &mask_permset) == -1) {
+ DEBUG(0,("set_canon_ace_list: Failed to get mask permset. (%s)\n", strerror(errno) ));
+ goto done;
+ }
- if (map_acl_perms_to_permset(conn, S_IRUSR|S_IWUSR|S_IXUSR, &mask_permset) == -1) {
- DEBUG(0,("set_canon_ace_list: Failed to create mask permset. (%s)\n", strerror(errno) ));
- goto done;
- }
+ if (map_acl_perms_to_permset(conn, S_IRUSR|S_IWUSR|S_IXUSR, &mask_permset) == -1) {
+ DEBUG(0,("set_canon_ace_list: Failed to create mask permset. (%s)\n", strerror(errno) ));
+ goto done;
+ }
- if (conn->vfs_ops.sys_acl_set_permset(conn, mask_entry, mask_permset) == -1) {
- DEBUG(0,("set_canon_ace_list: Failed to add mask permset. (%s)\n", strerror(errno) ));
- goto done;
+ if (conn->vfs_ops.sys_acl_set_permset(conn, mask_entry, mask_permset) == -1) {
+ DEBUG(0,("set_canon_ace_list: Failed to add mask permset. (%s)\n", strerror(errno) ));
+ goto done;
+ }
}
/*
@@ -1758,6 +1883,12 @@ static BOOL set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, BOOL defau
*/
if (errno == ENOSYS)
*pacl_set_support = False;
+
+#ifdef ENOTSUP
+ if (errno == ENOTSUP)
+ *pacl_set_support = False;
+#endif
+
DEBUG(2,("set_canon_ace_list: sys_acl_set_file type %s failed for file %s (%s).\n",
the_acl_type == SMB_ACL_TYPE_DEFAULT ? "directory default" : "file",
fsp->fsp_name, strerror(errno) ));
@@ -1771,6 +1902,12 @@ static BOOL set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, BOOL defau
*/
if (errno == ENOSYS)
*pacl_set_support = False;
+
+#ifdef ENOTSUP
+ if (errno == ENOTSUP)
+ *pacl_set_support = False;
+#endif
+
DEBUG(2,("set_canon_ace_list: sys_acl_set_file failed for file %s (%s).\n",
fsp->fsp_name, strerror(errno) ));
goto done;
@@ -1788,6 +1925,39 @@ static BOOL set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, BOOL defau
}
/****************************************************************************
+ Find a particular canon_ace entry.
+****************************************************************************/
+
+static struct canon_ace *canon_ace_entry_for(struct canon_ace *list, SMB_ACL_TAG_T type, posix_id *id)
+{
+ while (list) {
+ if (list->type == type && ((type != SMB_ACL_USER && type != SMB_ACL_GROUP) ||
+ (type == SMB_ACL_USER && id && id->uid == list->unix_ug.uid) ||
+ (type == SMB_ACL_GROUP && id && id->gid == list->unix_ug.gid)))
+ break;
+ list = list->next;
+ }
+ return list;
+}
+
+/****************************************************************************
+
+****************************************************************************/
+
+SMB_ACL_T free_empty_sys_acl(connection_struct *conn, SMB_ACL_T acl)
+{
+ SMB_ACL_ENTRY_T entry;
+
+ if (!acl)
+ return NULL;
+ if (conn->vfs_ops.sys_acl_get_entry(conn, acl, SMB_ACL_FIRST_ENTRY, &entry) != 1) {
+ conn->vfs_ops.sys_acl_free_acl(conn, acl);
+ return NULL;
+ }
+ return acl;
+}
+
+/****************************************************************************
Convert a canon_ace to a generic 3 element permission - if possible.
****************************************************************************/
@@ -1922,6 +2092,8 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
{
extern DOM_SID global_sid_Builtin_Administrators;
extern DOM_SID global_sid_Builtin_Users;
+ extern DOM_SID global_sid_Creator_Owner;
+ extern DOM_SID global_sid_Creator_Group;
connection_struct *conn = fsp->conn;
SMB_STRUCT_STAT sbuf;
SEC_ACE *nt_ace_list = NULL;
@@ -1958,8 +2130,10 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
* If it's a directory get the default POSIX ACL.
*/
- if(fsp->is_directory)
+ if(fsp->is_directory) {
dir_acl = conn->vfs_ops.sys_acl_get_file(conn, fsp->fsp_name, SMB_ACL_TYPE_DEFAULT);
+ dir_acl = free_empty_sys_acl(conn, dir_acl);
+ }
} else {
@@ -1990,35 +2164,31 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
create_file_sids(&sbuf, &owner_sid, &group_sid);
}
+ /*
+ * In the optimum case Creator Owner and Creator Group would be used for
+ * the ACL_USER_OBJ and ACL_GROUP_OBJ entries, respectively, but this
+ * would lead to usability problems under Windows: The Creator entries
+ * are only available in browse lists of directories and not for files;
+ * additionally the identity of the owning group couldn't be determined.
+ * We therefore use those identities only for Default ACLs.
+ */
+
/* Create the canon_ace lists. */
- file_ace = canonicalise_acl( fsp, posix_acl, &sbuf, &owner_sid, &group_sid);
- num_acls = count_canon_ace_list(file_ace);
+ file_ace = canonicalise_acl( fsp, posix_acl, &sbuf, &owner_sid, &group_sid, SMB_ACL_TYPE_ACCESS );
/* We must have *some* ACLS. */
- if (num_acls == 0) {
+ if (count_canon_ace_list(file_ace) == 0) {
DEBUG(0,("get_nt_acl : No ACLs on file (%s) !\n", fsp->fsp_name ));
return 0;
}
- if (fsp->is_directory) {
- /*
- * If we have to fake a default ACL then this is the mode to use.
- */
- sbuf.st_mode = unix_mode( fsp->conn, FILE_ATTRIBUTE_ARCHIVE, fsp->fsp_name);
-
- dir_ace = canonicalise_acl(fsp, dir_acl, &sbuf, &owner_sid, &group_sid);
- num_dir_acls = count_canon_ace_list(dir_ace);
- }
-
- /* Allocate the ace list. */
- if ((nt_ace_list = (SEC_ACE *)malloc((num_acls + num_profile_acls + num_dir_acls)* sizeof(SEC_ACE))) == NULL) {
- DEBUG(0,("get_nt_acl: Unable to malloc space for nt_ace_list.\n"));
- goto done;
+ if (fsp->is_directory && dir_acl) {
+ dir_ace = canonicalise_acl(fsp, dir_acl, &sbuf,
+ &global_sid_Creator_Owner,
+ &global_sid_Creator_Group, SMB_ACL_TYPE_DEFAULT );
}
- memset(nt_ace_list, '\0', (num_acls + num_profile_acls + num_dir_acls) * sizeof(SEC_ACE) );
-
/*
* Create the NT ACE list from the canonical ace lists.
*/
@@ -2028,16 +2198,112 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
int nt_acl_type;
int i;
+ if (nt4_compatible_acls()) {
+ /*
+ * NT 4 chokes if an ACL contains an INHERIT_ONLY entry
+ * but no non-INHERIT_ONLY entry for one SID. So we only
+ * remove entries from the Access ACL if the
+ * corresponding Default ACL entries have also been
+ * removed. ACEs for CREATOR-OWNER and CREATOR-GROUP
+ * are exceptions. We can do nothing
+ * intelligent if the Default ACL contains entries that
+ * are not also contained in the Access ACL, so this
+ * case will still fail under NT 4.
+ */
+
+ if (!dir_ace)
+ goto simplify_file_ace_only;
+
+ ace = canon_ace_entry_for(dir_ace, SMB_ACL_OTHER, NULL);
+ if (ace && !ace->perms) {
+ DLIST_REMOVE(dir_ace, ace);
+ SAFE_FREE(ace);
+
+ ace = canon_ace_entry_for(file_ace, SMB_ACL_OTHER, NULL);
+ if (ace && !ace->perms) {
+ DLIST_REMOVE(file_ace, ace);
+ SAFE_FREE(ace);
+ }
+ }
+
+ /*
+ * WinNT doesn't usually have Creator Group
+ * in browse lists, so we send this entry to
+ * WinNT even if it contains no relevant
+ * permissions. Once we can add
+ * Creator Group to browse lists we can
+ * re-enable this.
+ */
+
+#if 0
+ ace = canon_ace_entry_for(dir_ace, SMB_ACL_GROUP_OBJ, NULL);
+ if (ace && !ace->perms) {
+ DLIST_REMOVE(dir_ace, ace);
+ SAFE_FREE(ace);
+ }
+#endif
+
+ ace = canon_ace_entry_for(file_ace, SMB_ACL_GROUP_OBJ, NULL);
+ if (ace && !ace->perms) {
+ DLIST_REMOVE(file_ace, ace);
+ SAFE_FREE(ace);
+ }
+ } else {
+
+ ace = canon_ace_entry_for(dir_ace, SMB_ACL_OTHER, NULL);
+ if (ace && !ace->perms) {
+ DLIST_REMOVE(dir_ace, ace);
+ SAFE_FREE(ace);
+ }
+ ace = canon_ace_entry_for(dir_ace, SMB_ACL_GROUP_OBJ, NULL);
+ if (ace && !ace->perms) {
+ DLIST_REMOVE(dir_ace, ace);
+ SAFE_FREE(ace);
+ }
+
+ simplify_file_ace_only:
+
+ ace = canon_ace_entry_for(file_ace, SMB_ACL_OTHER, NULL);
+ if (ace && !ace->perms) {
+ DLIST_REMOVE(file_ace, ace);
+ SAFE_FREE(ace);
+ }
+
+ ace = canon_ace_entry_for(file_ace, SMB_ACL_GROUP_OBJ, NULL);
+ if (ace && !ace->perms) {
+ DLIST_REMOVE(file_ace, ace);
+ SAFE_FREE(ace);
+ }
+ }
+
+ num_acls = count_canon_ace_list(file_ace);
+ num_dir_acls = count_canon_ace_list(dir_ace);
+
+ /* Allocate the ace list. */
+ if ((nt_ace_list = (SEC_ACE *)malloc((num_acls + num_profile_acls + num_dir_acls)* sizeof(SEC_ACE))) == NULL) {
+ DEBUG(0,("get_nt_acl: Unable to malloc space for nt_ace_list.\n"));
+ goto done;
+ }
+
+ memset(nt_ace_list, '\0', (num_acls + num_dir_acls) * sizeof(SEC_ACE) );
+
+ /*
+ * Create the NT ACE list from the canonical ace lists.
+ */
+
ace = file_ace;
for (i = 0; i < num_acls; i++, ace = ace->next) {
- SEC_ACCESS acc = map_canon_ace_perms(&nt_acl_type, &owner_sid, ace );
+ SEC_ACCESS acc;
+
+ acc = map_canon_ace_perms(&nt_acl_type, &owner_sid, ace );
init_sec_ace(&nt_ace_list[num_aces++], &ace->trustee, nt_acl_type, acc, 0);
}
/* The User must have access to a profile share - even if we can't map the SID. */
if (lp_profile_acls(SNUM(fsp->conn))) {
SEC_ACCESS acc;
+
init_sec_access(&acc,FILE_GENERIC_ALL);
init_sec_ace(&nt_ace_list[num_aces++], &global_sid_Builtin_Users, SEC_ACE_TYPE_ACCESS_ALLOWED, acc, 0);
}
@@ -2045,14 +2311,17 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
ace = dir_ace;
for (i = 0; i < num_dir_acls; i++, ace = ace->next) {
- SEC_ACCESS acc = map_canon_ace_perms(&nt_acl_type, &owner_sid, ace );
- init_sec_ace(&nt_ace_list[num_aces++], &ace->trustee, nt_acl_type, acc,
+ SEC_ACCESS acc;
+
+ acc = map_canon_ace_perms(&nt_acl_type, &owner_sid, ace );
+ init_sec_ace(&nt_ace_list[num_aces++], &ace->trustee, nt_acl_type, acc,
SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
}
/* The User must have access to a profile share - even if we can't map the SID. */
if (lp_profile_acls(SNUM(fsp->conn))) {
SEC_ACCESS acc;
+
init_sec_access(&acc,FILE_GENERIC_ALL);
init_sec_ace(&nt_ace_list[num_aces++], &global_sid_Builtin_Users, SEC_ACE_TYPE_ACCESS_ALLOWED, acc,
SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
@@ -2087,11 +2356,22 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
if(!*ppdesc) {
DEBUG(0,("get_nt_acl: Unable to malloc space for security descriptor.\n"));
sd_size = 0;
+ } else {
+ /*
+ * Windows 2000: The DACL_PROTECTED flag in the security
+ * descriptor marks the ACL as non-inheriting, i.e., no
+ * ACEs from higher level directories propagate to this
+ * ACL. In the POSIX ACL model permissions are only
+ * inherited at file create time, so ACLs never contain
+ * any ACEs that are inherited dynamically. The DACL_PROTECTED
+ * flag doesn't seem to bother Windows NT.
+ */
+ (*ppdesc)->type |= SE_DESC_DACL_PROTECTED;
}
- done:
+ done:
- if (posix_acl)
+ if (posix_acl)
conn->vfs_ops.sys_acl_free_acl(conn, posix_acl);
if (dir_acl)
conn->vfs_ops.sys_acl_free_acl(conn, dir_acl);
@@ -2379,6 +2659,12 @@ static int chmod_acl_internals( connection_struct *conn, SMB_ACL_T posix_acl, mo
perms = unix_perms_to_acl_perms(mode, S_IRGRP, S_IWGRP, S_IXGRP);
break;
case SMB_ACL_MASK:
+ /*
+ * FIXME: The ACL_MASK entry permissions should really be set to
+ * the union of the permissions of all ACL_USER,
+ * ACL_GROUP_OBJ, and ACL_GROUP entries. That's what
+ * acl_calc_mask() does, but Samba ACLs doesn't provide it.
+ */
perms = S_IRUSR|S_IWUSR|S_IXUSR;
break;
case SMB_ACL_OTHER:
@@ -2407,31 +2693,58 @@ static int chmod_acl_internals( connection_struct *conn, SMB_ACL_T posix_acl, mo
}
/****************************************************************************
- Do a chmod by setting the ACL USER_OBJ, GROUP_OBJ and OTHER bits in an ACL
- and set the mask to rwx. Needed to preserve complex ACLs set by NT.
- Note that name is in UNIX character set.
+ Get the access ACL of FROM, do a chmod by setting the ACL USER_OBJ,
+ GROUP_OBJ and OTHER bits in an ACL and set the mask to rwx. Set the
+ resulting ACL on TO. Note that name is in UNIX character set.
****************************************************************************/
-int chmod_acl(connection_struct *conn, const char *name, mode_t mode)
+static int copy_access_acl(connection_struct *conn, const char *from, const char *to, mode_t mode)
{
SMB_ACL_T posix_acl = NULL;
int ret = -1;
- if ((posix_acl = conn->vfs_ops.sys_acl_get_file(conn, name, SMB_ACL_TYPE_ACCESS)) == NULL)
+ if ((posix_acl = conn->vfs_ops.sys_acl_get_file(conn, from, SMB_ACL_TYPE_ACCESS)) == NULL)
return -1;
if ((ret = chmod_acl_internals(conn, posix_acl, mode)) == -1)
goto done;
- ret = conn->vfs_ops.sys_acl_set_file(conn, name, SMB_ACL_TYPE_ACCESS, posix_acl);
+ ret = conn->vfs_ops.sys_acl_set_file(conn, to, SMB_ACL_TYPE_ACCESS, posix_acl);
- done:
+ done:
conn->vfs_ops.sys_acl_free_acl(conn, posix_acl);
return ret;
}
/****************************************************************************
+ Do a chmod by setting the ACL USER_OBJ, GROUP_OBJ and OTHER bits in an ACL
+ and set the mask to rwx. Needed to preserve complex ACLs set by NT.
+ Note that name is in UNIX character set.
+****************************************************************************/
+
+int chmod_acl(connection_struct *conn, const char *name, mode_t mode)
+{
+ return copy_access_acl(conn, name, name, mode);
+}
+
+/****************************************************************************
+ If "inherit permissions" is set and the parent directory has no default
+ ACL but it does have an Access ACL, inherit this Access ACL to file name.
+****************************************************************************/
+
+int inherit_access_acl(connection_struct *conn, const char *name, mode_t mode)
+{
+ pstring dirname;
+ pstrcpy(dirname, parent_dirname(name));
+
+ if (!lp_inherit_perms(SNUM(conn)) || directory_has_default_acl(conn, dirname))
+ return 0;
+
+ return copy_access_acl(conn, dirname, name, mode);
+}
+
+/****************************************************************************
Do an fchmod by setting the ACL USER_OBJ, GROUP_OBJ and OTHER bits in an ACL
and set the mask to rwx. Needed to preserve complex ACLs set by NT.
****************************************************************************/
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index de65cda2d0..8b9728d513 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -2622,6 +2622,8 @@ size = %.0f, uid = %u, gid = %u, raw perms = 0%o\n",
if (conn->vfs_ops.mknod(conn,dos_to_unix_static(fname), unixmode, dev) != 0)
return(UNIXERROR(ERRDOS,ERRnoaccess));
+ inherit_access_acl(conn, fname, unixmode);
+
SSVAL(params,0,0);
send_trans2_replies(outbuf, bufsize, params, 2, *ppdata, 0);
return(-1);
diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
index 2bda26aa51..9a38d6e9e2 100644
--- a/source3/smbd/uid.c
+++ b/source3/smbd/uid.c
@@ -456,7 +456,7 @@ BOOL lookup_name(const char *domain, const char *name, DOM_SID *psid, enum SID_N
if (strequal(global_myname, domain)) {
local_lookup = True;
} else if (lp_server_role() == ROLE_DOMAIN_PDC ||
- lp_server_role() == ROLE_DOMAIN_PDC) {
+ lp_server_role() == ROLE_DOMAIN_BDC) {
if (strequal(domain, global_myworkgroup)) {
local_lookup = True;
}
diff --git a/source3/smbd/vfs.c b/source3/smbd/vfs.c
index a0a7b920b8..f6dad7b6e7 100644
--- a/source3/smbd/vfs.c
+++ b/source3/smbd/vfs.c
@@ -319,6 +319,9 @@ int vfs_mkdir(connection_struct *conn, const char *name, mode_t mode)
SMB_STRUCT_STAT sbuf;
if(!(ret=conn->vfs_ops.mkdir(conn,name,mode))) {
+
+ inherit_access_acl(conn, name, mode);
+
/*
* Check if high bits should have been set,
* then (if bits are missing): add them.