summaryrefslogtreecommitdiff
path: root/source3/smbd/posix_acls.c
diff options
context:
space:
mode:
Diffstat (limited to 'source3/smbd/posix_acls.c')
-rw-r--r--source3/smbd/posix_acls.c89
1 files changed, 41 insertions, 48 deletions
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 7479aea076..848d3e4a6d 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -890,13 +890,12 @@ static bool nt4_compatible_acls(void)
not get. Deny entries are implicit on get with ace->perms = 0.
****************************************************************************/
-static SEC_ACCESS map_canon_ace_perms(int snum,
+static uint32_t map_canon_ace_perms(int snum,
enum security_ace_type *pacl_type,
mode_t perms,
bool directory_ace)
{
- SEC_ACCESS sa;
- uint32 nt_mask = 0;
+ uint32_t nt_mask = 0;
*pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED;
@@ -935,8 +934,7 @@ static SEC_ACCESS map_canon_ace_perms(int snum,
DEBUG(10,("map_canon_ace_perms: Mapped (UNIX) %x to (NT) %x\n",
(unsigned int)perms, (unsigned int)nt_mask ));
- init_sec_access(&sa,nt_mask);
- return sa;
+ return nt_mask;
}
/****************************************************************************
@@ -988,7 +986,7 @@ static mode_t map_nt_perms( uint32 *mask, int type)
Unpack a SEC_DESC into a UNIX owner and group.
****************************************************************************/
-NTSTATUS unpack_nt_owners(int snum, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, SEC_DESC *psd)
+NTSTATUS unpack_nt_owners(int snum, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, const SEC_DESC *psd)
{
DOM_SID owner_sid;
DOM_SID grp_sid;
@@ -1329,11 +1327,13 @@ static void check_owning_objs(canon_ace *ace, DOM_SID *pfile_owner_sid, DOM_SID
Unpack a SEC_DESC into two canonical ace lists.
****************************************************************************/
-static bool create_canon_ace_lists(files_struct *fsp, SMB_STRUCT_STAT *pst,
- DOM_SID *pfile_owner_sid,
- DOM_SID *pfile_grp_sid,
- canon_ace **ppfile_ace, canon_ace **ppdir_ace,
- SEC_ACL *dacl)
+static bool create_canon_ace_lists(files_struct *fsp,
+ SMB_STRUCT_STAT *pst,
+ DOM_SID *pfile_owner_sid,
+ DOM_SID *pfile_grp_sid,
+ canon_ace **ppfile_ace,
+ canon_ace **ppdir_ace,
+ const SEC_ACL *dacl)
{
bool all_aces_are_inherit_only = (fsp->is_directory ? True : False);
canon_ace *file_ace = NULL;
@@ -2016,12 +2016,14 @@ static mode_t create_default_mode(files_struct *fsp, bool interitable_mode)
succeeding.
****************************************************************************/
-static bool unpack_canon_ace(files_struct *fsp,
- SMB_STRUCT_STAT *pst,
- DOM_SID *pfile_owner_sid,
- DOM_SID *pfile_grp_sid,
- canon_ace **ppfile_ace, canon_ace **ppdir_ace,
- uint32 security_info_sent, SEC_DESC *psd)
+static bool unpack_canon_ace(files_struct *fsp,
+ SMB_STRUCT_STAT *pst,
+ DOM_SID *pfile_owner_sid,
+ DOM_SID *pfile_grp_sid,
+ canon_ace **ppfile_ace,
+ canon_ace **ppdir_ace,
+ uint32 security_info_sent,
+ const SEC_DESC *psd)
{
canon_ace *file_ace = NULL;
canon_ace *dir_ace = NULL;
@@ -2958,9 +2960,7 @@ static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
*/
for (ace = file_ace; ace != NULL; ace = ace->next) {
- SEC_ACCESS acc;
-
- acc = map_canon_ace_perms(SNUM(conn),
+ uint32_t acc = map_canon_ace_perms(SNUM(conn),
&nt_acl_type,
ace->perms,
S_ISDIR(sbuf->st_mode));
@@ -2975,19 +2975,14 @@ static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
/* The User must have access to a profile share - even
* if we can't map the SID. */
if (lp_profile_acls(SNUM(conn))) {
- SEC_ACCESS acc;
-
- init_sec_access(&acc,FILE_GENERIC_ALL);
init_sec_ace(&nt_ace_list[num_aces++],
&global_sid_Builtin_Users,
SEC_ACE_TYPE_ACCESS_ALLOWED,
- acc, 0);
+ FILE_GENERIC_ALL, 0);
}
for (ace = dir_ace; ace != NULL; ace = ace->next) {
- SEC_ACCESS acc;
-
- acc = map_canon_ace_perms(SNUM(conn),
+ uint32_t acc = map_canon_ace_perms(SNUM(conn),
&nt_acl_type,
ace->perms,
S_ISDIR(sbuf->st_mode));
@@ -3005,10 +3000,7 @@ static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
/* The User must have access to a profile share - even
* if we can't map the SID. */
if (lp_profile_acls(SNUM(conn))) {
- SEC_ACCESS acc;
-
- init_sec_access(&acc,FILE_GENERIC_ALL);
- init_sec_ace(&nt_ace_list[num_aces++], &global_sid_Builtin_Users, SEC_ACE_TYPE_ACCESS_ALLOWED, acc,
+ init_sec_ace(&nt_ace_list[num_aces++], &global_sid_Builtin_Users, SEC_ACE_TYPE_ACCESS_ALLOWED, FILE_GENERIC_ALL,
SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
SEC_ACE_FLAG_INHERIT_ONLY|0);
}
@@ -3199,7 +3191,7 @@ int try_chown(connection_struct *conn, const char *fname, uid_t uid, gid_t gid)
return -1;
}
- if (!NT_STATUS_IS_OK(open_file_fchmod(conn,fname,&st,&fsp))) {
+ if (!NT_STATUS_IS_OK(open_file_fchmod(NULL, conn, fname, &st, &fsp))) {
return -1;
}
@@ -3214,7 +3206,7 @@ int try_chown(connection_struct *conn, const char *fname, uid_t uid, gid_t gid)
ret = SMB_VFS_FCHOWN(fsp, uid, (gid_t)-1);
unbecome_root();
- close_file_fchmod(fsp);
+ close_file_fchmod(NULL, fsp);
return ret;
}
@@ -3223,26 +3215,26 @@ int try_chown(connection_struct *conn, const char *fname, uid_t uid, gid_t gid)
Take care of parent ACL inheritance.
****************************************************************************/
-static NTSTATUS append_parent_acl(files_struct *fsp,
- SMB_STRUCT_STAT *psbuf,
- SEC_DESC *psd,
+NTSTATUS append_parent_acl(files_struct *fsp,
+ const SEC_DESC *pcsd,
SEC_DESC **pp_new_sd)
{
SEC_DESC *parent_sd = NULL;
files_struct *parent_fsp = NULL;
- TALLOC_CTX *mem_ctx = talloc_parent(psd);
+ TALLOC_CTX *mem_ctx = talloc_tos();
char *parent_name = NULL;
SEC_ACE *new_ace = NULL;
- unsigned int num_aces = psd->dacl->num_aces;
+ unsigned int num_aces = pcsd->dacl->num_aces;
SMB_STRUCT_STAT sbuf;
NTSTATUS status;
int info;
unsigned int i, j;
- bool is_dacl_protected = (psd->type & SE_DESC_DACL_PROTECTED);
+ SEC_DESC *psd = dup_sec_desc(talloc_tos(), pcsd);
+ bool is_dacl_protected = (pcsd->type & SE_DESC_DACL_PROTECTED);
ZERO_STRUCT(sbuf);
- if (mem_ctx == NULL) {
+ if (psd == NULL) {
return NT_STATUS_NO_MEMORY;
}
@@ -3272,7 +3264,7 @@ static NTSTATUS append_parent_acl(files_struct *fsp,
status = SMB_VFS_GET_NT_ACL(parent_fsp->conn, parent_fsp->fsp_name,
DACL_SECURITY_INFORMATION, &parent_sd );
- close_file(parent_fsp, NORMAL_CLOSE);
+ close_file(NULL, parent_fsp, NORMAL_CLOSE);
if (!NT_STATUS_IS_OK(status)) {
return status;
@@ -3398,11 +3390,6 @@ static NTSTATUS append_parent_acl(files_struct *fsp,
parent_name));
}
- /* This sucks. psd should be const and we should
- * be doing a deep-copy here. We're getting away
- * with is as we know parent_sd is talloced off
- * talloc_tos() as well as psd. JRA. */
-
psd->dacl->aces = new_ace;
psd->dacl->num_aces = i;
psd->type &= ~(SE_DESC_DACL_AUTO_INHERITED|
@@ -3418,7 +3405,7 @@ static NTSTATUS append_parent_acl(files_struct *fsp,
This should be the only external function needed for the UNIX style set ACL.
****************************************************************************/
-NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
+NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC *psd)
{
connection_struct *conn = fsp->conn;
uid_t user = (uid_t)-1;
@@ -3523,16 +3510,22 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
create_file_sids(&sbuf, &file_owner_sid, &file_grp_sid);
+ /* See here: http://www.codeproject.com/KB/winsdk/accessctrl2.aspx
+ * for details. JRA.
+ */
+
if ((security_info_sent & DACL_SECURITY_INFORMATION) &&
psd->dacl != NULL &&
(psd->type & (SE_DESC_DACL_AUTO_INHERITED|
SE_DESC_DACL_AUTO_INHERIT_REQ))==
(SE_DESC_DACL_AUTO_INHERITED|
SE_DESC_DACL_AUTO_INHERIT_REQ) ) {
- status = append_parent_acl(fsp, &sbuf, psd, &psd);
+ SEC_DESC *new_sd = NULL;
+ status = append_parent_acl(fsp, psd, &new_sd);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
+ psd = new_sd;
}
acl_perms = unpack_canon_ace( fsp, &sbuf, &file_owner_sid, &file_grp_sid,