diff options
| -rw-r--r-- | source3/include/rpc_secdes.h | 20 | ||||
| -rw-r--r-- | source3/include/vfs.h | 86 | ||||
| -rw-r--r-- | source3/smbd/nttrans.c | 5 | ||||
| -rw-r--r-- | source3/smbd/unix_acls.c | 32 | ||||
| -rw-r--r-- | source3/smbd/vfs-wrap.c | 12 | ||||
| -rw-r--r-- | source3/smbd/vfs.c | 43 | 
6 files changed, 160 insertions, 38 deletions
| diff --git a/source3/include/rpc_secdes.h b/source3/include/rpc_secdes.h index 9acc4511e8..a5c5758434 100644 --- a/source3/include/rpc_secdes.h +++ b/source3/include/rpc_secdes.h @@ -74,14 +74,17 @@  #define SACL_SECURITY_INFORMATION  0x00000008 - +#ifndef _SEC_ACCESS  /* SEC_ACCESS */  typedef struct security_info_info  {  	uint32 mask;  } SEC_ACCESS; +#define _SEC_ACCESS +#endif +#ifndef _SEC_ACE  /* SEC_ACE */  typedef struct security_ace_info  { @@ -93,9 +96,14 @@ typedef struct security_ace_info  	DOM_SID sid;  } SEC_ACE; +#define _SEC_ACE +#endif +#ifndef ACL_REVISION  #define ACL_REVISION 0x3 +#endif +#ifndef _SEC_ACL  /* SEC_ACL */  typedef struct security_acl_info  { @@ -106,9 +114,14 @@ typedef struct security_acl_info  	SEC_ACE *ace;  } SEC_ACL; +#define _SEC_ACL +#endif +#ifndef SEC_DESC_REVISION  #define SEC_DESC_REVISION 0x1 +#endif +#ifndef _SEC_DESC  /* SEC_DESC */  typedef struct security_descriptor_info  { @@ -126,7 +139,10 @@ typedef struct security_descriptor_info  	DOM_SID *grp_sid;  } SEC_DESC; +#define _SEC_DESC +#endif +#ifndef _SEC_DESC_BUF  /* SEC_DESC_BUF */  typedef struct sec_desc_buf_info  { @@ -137,5 +153,7 @@ typedef struct sec_desc_buf_info  	SEC_DESC *sec;  } SEC_DESC_BUF; +#define _SEC_DESC_BUF +#endif  #endif /* _RPC_SECDES_H */ diff --git a/source3/include/vfs.h b/source3/include/vfs.h index 840377627b..bb2239bf28 100644 --- a/source3/include/vfs.h +++ b/source3/include/vfs.h @@ -99,6 +99,74 @@ typedef struct sid_info  #define _DOM_SID  #endif +#ifndef _SEC_ACCESS +/* SEC_ACCESS */ +typedef struct security_info_info +{ +    uint32 mask; + +} SEC_ACCESS; +#define _SEC_ACCESS +#endif + +#ifndef _SEC_ACE +/* SEC_ACE */ +typedef struct security_ace_info +{ +    uint8 type;  /* xxxx_xxxx_ACE_TYPE - e.g allowed / denied etc */ +    uint8 flags; /* xxxx_INHERIT_xxxx - e.g OBJECT_INHERIT_ACE */ +    uint16 size; + +    SEC_ACCESS info; +    DOM_SID sid; + +} SEC_ACE; +#define _SEC_ACE +#endif + +#ifndef ACL_REVISION +#define ACL_REVISION 0x3 +#endif + +#ifndef _SEC_ACL +/* SEC_ACL */ +typedef struct security_acl_info +{ +    uint16 revision; /* 0x0003 */ +    uint16 size; /* size in bytes of the entire ACL structure */ +    uint32 num_aces; /* number of Access Control Entries */ + +    SEC_ACE *ace; + +} SEC_ACL; +#define _SEC_ACL +#endif + +#ifndef SEC_DESC_REVISION +#define SEC_DESC_REVISION 0x1 +#endif + +#ifndef _SEC_DESC +/* SEC_DESC */ +typedef struct security_descriptor_info +{ +    uint16 revision; /* 0x0001 */ +    uint16 type;     /* SEC_DESC_xxxx flags */ + +    uint32 off_owner_sid; /* offset to owner sid */ +    uint32 off_grp_sid  ; /* offset to group sid */ +    uint32 off_sacl     ; /* offset to system list of permissions */ +    uint32 off_dacl     ; /* offset to list of permissions */ + +    SEC_ACL *dacl; /* user ACL */ +    SEC_ACL *sacl; /* system ACL */ +    DOM_SID *owner_sid; +    DOM_SID *grp_sid; + +} SEC_DESC; +#define _SEC_DESC +#endif +  /*   * The complete list of SIDS belonging to this user.   * Created when a vuid is registered. @@ -112,6 +180,12 @@ typedef struct _nt_user_token {  #define _NT_USER_TOKEN  #endif +/* Avoid conflict with an AIX include file */ + +#ifdef vfs_ops +#undef vfs_ops +#endif +  /* Information from the connection_struct passed to the vfs layer */  struct vfs_connection_struct { @@ -144,20 +218,13 @@ struct vfs_connection_struct {  	NT_USER_TOKEN *nt_user_token;  }; -/* Avoid conflict with an AIX include file */ - -#ifdef vfs_ops -#undef vfs_ops -#endif -  /* VFS operations structure */  struct vfs_ops {      /* Disk operations */ -    int (*connect)(struct vfs_connection_struct *conn, char *service,  -		   char *user); +    int (*connect)(struct vfs_connection_struct *conn, char *service, char *user);      void (*disconnect)(void);      SMB_BIG_UINT (*disk_free)(char *path, BOOL small_query, SMB_BIG_UINT *bsize,   			      SMB_BIG_UINT *dfree, SMB_BIG_UINT *dsize); @@ -190,12 +257,11 @@ struct vfs_ops {      int (*utime)(char *path, struct utimbuf *times);  	int (*ftruncate)(int fd, SMB_OFF_T offset);  	BOOL (*lock)(int fd, int op, SMB_OFF_T offset, SMB_OFF_T count, int type); -#if 0 +  	size_t (*fget_nt_acl)(int fd, SEC_DESC **ppdesc);  	size_t (*get_nt_acl)(char *name, SEC_DESC **ppdesc);  	BOOL (*fset_nt_acl)(int fd, uint32 security_info_sent, SEC_DESC *psd);  	BOOL (*set_nt_acl)(char *name, uint32 security_info_sent, SEC_DESC *psd); -#endif  };  struct vfs_options { diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c index 1599f01aa5..95010cddc8 100644 --- a/source3/smbd/nttrans.c +++ b/source3/smbd/nttrans.c @@ -1611,6 +1611,7 @@ static int call_nt_transact_set_security_desc(connection_struct *conn,    files_struct *fsp = NULL;    uint32 security_info_sent = 0;    TALLOC_CTX *mem_ctx; +  BOOL ret;    if(!lp_nt_acl_support())      return(UNIXERROR(ERRDOS,ERRnoaccess)); @@ -1659,7 +1660,9 @@ security descriptor.\n"));      return(UNIXERROR(ERRDOS,ERRnoaccess));    } -  if (!set_nt_acl(fsp, security_info_sent, psd)) { +  ret = set_nt_acl( fsp, security_info_sent, psd); + +  if (!ret) {  	free_sec_desc(&psd);      talloc_destroy(mem_ctx);  	return(UNIXERROR(ERRDOS,ERRnoaccess)); diff --git a/source3/smbd/unix_acls.c b/source3/smbd/unix_acls.c index 48f6163596..a564ec9ee5 100644 --- a/source3/smbd/unix_acls.c +++ b/source3/smbd/unix_acls.c @@ -59,6 +59,7 @@ static SEC_ACCESS map_unix_perms( int *pacl_type, mode_t perm, int r_mask, int w  	return sa;  } +#if 0  /****************************************************************************   Validate a SID.  ****************************************************************************/ @@ -88,6 +89,7 @@ static BOOL validate_unix_sid( DOM_SID *psid, uint32 *prid, DOM_SID *sd_sid)    return True;  } +#endif  /****************************************************************************   Map NT perms to UNIX. @@ -350,6 +352,15 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)      sid_copy( &group_sid, &global_sid_World);    } else { +    /* +     * If there is a VFS redirect, use it. +     */ + +    if ((fsp->is_directory || fsp->fd == -1) && fsp->conn->vfs_ops.get_nt_acl) +      return fsp->conn->vfs_ops.get_nt_acl(dos_to_unix(fsp->fsp_name, False), ppdesc); +    else if (fsp->conn->vfs_ops.fget_nt_acl) +      return fsp->conn->vfs_ops.fget_nt_acl(fsp->fd, ppdesc); +      if(fsp->is_directory || fsp->fd == -1) {        if(vfs_stat(fsp->conn,fsp->fsp_name, &sbuf) != 0) {          return 0; @@ -452,22 +463,23 @@ BOOL set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)    BOOL got_dacl = False;    /* +   * If there is a VFS redirect, use it. +   */ + +  if ((fsp->is_directory || fsp->fd == -1) && fsp->conn->vfs_ops.set_nt_acl) +    return fsp->conn->vfs_ops.set_nt_acl(dos_to_unix(fsp->fsp_name, False), security_info_sent, psd); +  else if (fsp->conn->vfs_ops.fset_nt_acl) +    return fsp->conn->vfs_ops.fset_nt_acl(fsp->fd, security_info_sent, psd); + +  /*     * Get the current state of the file.     */ -  if(fsp->is_directory) { +  if(fsp->is_directory || fsp->fd == -1) {      if(vfs_stat(fsp->conn,fsp->fsp_name, &sbuf) != 0)        return False;    } else { - -    int ret; - -    if(fsp->fd == -1) -      ret = vfs_stat(fsp->conn,fsp->fsp_name,&sbuf); -    else -      ret = conn->vfs_ops.fstat(fsp->fd,&sbuf); - -    if(ret != 0) +    if(conn->vfs_ops.fstat(fsp->fd,&sbuf) != 0)        return False;    } diff --git a/source3/smbd/vfs-wrap.c b/source3/smbd/vfs-wrap.c index 12ba9bda84..d19be7fb71 100644 --- a/source3/smbd/vfs-wrap.c +++ b/source3/smbd/vfs-wrap.c @@ -1,7 +1,7 @@  /*      Unix SMB/Netbios implementation.     Version 1.9. -s   Wrap disk only vfs functions to sidestep dodgy compilers. +   Wrap disk only vfs functions to sidestep dodgy compilers.     Copyright (C) Tim Potter 1998     This program is free software; you can redistribute it and/or modify @@ -346,13 +346,3 @@ BOOL vfswrap_lock(int fd, int op, SMB_OFF_T offset, SMB_OFF_T count, int type)  {  	return fcntl_lock(fd, op, offset, count,type);  } - -#if 0 -size_t vfswrap_get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc) -{ -} - -BOOL vfswrap_set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd) -{ -} -#endif diff --git a/source3/smbd/vfs.c b/source3/smbd/vfs.c index 097f51d217..4a4b1b2cfa 100644 --- a/source3/smbd/vfs.c +++ b/source3/smbd/vfs.c @@ -69,11 +69,11 @@ struct vfs_ops default_vfs_ops = {      vfswrap_getwd,      vfswrap_utime,      vfswrap_ftruncate, -	vfswrap_lock, -#if 0 -	vfswrap_get_nt_acl, -	vfswrap_set_nt_acl -#endif +    vfswrap_lock, +    NULL, /* The 4 security descriptor functions are not defined by default. */ +    NULL, +    NULL, +    NULL  };  /**************************************************************************** @@ -219,6 +219,14 @@ BOOL vfs_init_custom(connection_struct *conn)  	conn->vfs_ops.chown = default_vfs_ops.chown;      } +    if (conn->vfs_ops.chdir == NULL) { +	conn->vfs_ops.chdir = default_vfs_ops.chdir; +    } + +    if (conn->vfs_ops.getwd == NULL) { +	conn->vfs_ops.getwd = default_vfs_ops.getwd; +    } +          if (conn->vfs_ops.utime == NULL) {  	conn->vfs_ops.utime = default_vfs_ops.utime;      } @@ -230,6 +238,22 @@ BOOL vfs_init_custom(connection_struct *conn)      if (conn->vfs_ops.lock == NULL) {  	conn->vfs_ops.lock = default_vfs_ops.lock;      } + +    if (conn->vfs_ops.fget_nt_acl == NULL) { +	conn->vfs_ops.fget_nt_acl = default_vfs_ops.fget_nt_acl; +    } + +    if (conn->vfs_ops.get_nt_acl == NULL) { +	conn->vfs_ops.get_nt_acl = default_vfs_ops.get_nt_acl; +    } + +    if (conn->vfs_ops.fset_nt_acl == NULL) { +	conn->vfs_ops.fset_nt_acl = default_vfs_ops.fset_nt_acl; +    } + +    if (conn->vfs_ops.set_nt_acl == NULL) { +	conn->vfs_ops.set_nt_acl = default_vfs_ops.set_nt_acl; +    }      return True;  } @@ -245,6 +269,15 @@ int vfs_stat(connection_struct *conn, char *fname, SMB_STRUCT_STAT *st)  }   /******************************************************************* + vfs fstat wrapper that calls dos_to_unix. +********************************************************************/ + +int vfs_fstat(connection_struct *conn, int fd, SMB_STRUCT_STAT *st) +{ +	return(conn->vfs_ops.fstat(fd,st)); +}  + +/*******************************************************************   Check if directory exists.  ********************************************************************/ | 
