diff options
Diffstat (limited to 'source3/smbd/posix_acls.c')
| -rw-r--r-- | source3/smbd/posix_acls.c | 89 |
1 files changed, 41 insertions, 48 deletions
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index 7479aea076..848d3e4a6d 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c @@ -890,13 +890,12 @@ static bool nt4_compatible_acls(void) not get. Deny entries are implicit on get with ace->perms = 0. ****************************************************************************/ -static SEC_ACCESS map_canon_ace_perms(int snum, +static uint32_t map_canon_ace_perms(int snum, enum security_ace_type *pacl_type, mode_t perms, bool directory_ace) { - SEC_ACCESS sa; - uint32 nt_mask = 0; + uint32_t nt_mask = 0; *pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED; @@ -935,8 +934,7 @@ static SEC_ACCESS map_canon_ace_perms(int snum, DEBUG(10,("map_canon_ace_perms: Mapped (UNIX) %x to (NT) %x\n", (unsigned int)perms, (unsigned int)nt_mask )); - init_sec_access(&sa,nt_mask); - return sa; + return nt_mask; } /**************************************************************************** @@ -988,7 +986,7 @@ static mode_t map_nt_perms( uint32 *mask, int type) Unpack a SEC_DESC into a UNIX owner and group. ****************************************************************************/ -NTSTATUS unpack_nt_owners(int snum, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, SEC_DESC *psd) +NTSTATUS unpack_nt_owners(int snum, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, const SEC_DESC *psd) { DOM_SID owner_sid; DOM_SID grp_sid; @@ -1329,11 +1327,13 @@ static void check_owning_objs(canon_ace *ace, DOM_SID *pfile_owner_sid, DOM_SID Unpack a SEC_DESC into two canonical ace lists. ****************************************************************************/ -static bool create_canon_ace_lists(files_struct *fsp, SMB_STRUCT_STAT *pst, - DOM_SID *pfile_owner_sid, - DOM_SID *pfile_grp_sid, - canon_ace **ppfile_ace, canon_ace **ppdir_ace, - SEC_ACL *dacl) +static bool create_canon_ace_lists(files_struct *fsp, + SMB_STRUCT_STAT *pst, + DOM_SID *pfile_owner_sid, + DOM_SID *pfile_grp_sid, + canon_ace **ppfile_ace, + canon_ace **ppdir_ace, + const SEC_ACL *dacl) { bool all_aces_are_inherit_only = (fsp->is_directory ? True : False); canon_ace *file_ace = NULL; @@ -2016,12 +2016,14 @@ static mode_t create_default_mode(files_struct *fsp, bool interitable_mode) succeeding. ****************************************************************************/ -static bool unpack_canon_ace(files_struct *fsp, - SMB_STRUCT_STAT *pst, - DOM_SID *pfile_owner_sid, - DOM_SID *pfile_grp_sid, - canon_ace **ppfile_ace, canon_ace **ppdir_ace, - uint32 security_info_sent, SEC_DESC *psd) +static bool unpack_canon_ace(files_struct *fsp, + SMB_STRUCT_STAT *pst, + DOM_SID *pfile_owner_sid, + DOM_SID *pfile_grp_sid, + canon_ace **ppfile_ace, + canon_ace **ppdir_ace, + uint32 security_info_sent, + const SEC_DESC *psd) { canon_ace *file_ace = NULL; canon_ace *dir_ace = NULL; @@ -2958,9 +2960,7 @@ static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn, */ for (ace = file_ace; ace != NULL; ace = ace->next) { - SEC_ACCESS acc; - - acc = map_canon_ace_perms(SNUM(conn), + uint32_t acc = map_canon_ace_perms(SNUM(conn), &nt_acl_type, ace->perms, S_ISDIR(sbuf->st_mode)); @@ -2975,19 +2975,14 @@ static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn, /* The User must have access to a profile share - even * if we can't map the SID. */ if (lp_profile_acls(SNUM(conn))) { - SEC_ACCESS acc; - - init_sec_access(&acc,FILE_GENERIC_ALL); init_sec_ace(&nt_ace_list[num_aces++], &global_sid_Builtin_Users, SEC_ACE_TYPE_ACCESS_ALLOWED, - acc, 0); + FILE_GENERIC_ALL, 0); } for (ace = dir_ace; ace != NULL; ace = ace->next) { - SEC_ACCESS acc; - - acc = map_canon_ace_perms(SNUM(conn), + uint32_t acc = map_canon_ace_perms(SNUM(conn), &nt_acl_type, ace->perms, S_ISDIR(sbuf->st_mode)); @@ -3005,10 +3000,7 @@ static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn, /* The User must have access to a profile share - even * if we can't map the SID. */ if (lp_profile_acls(SNUM(conn))) { - SEC_ACCESS acc; - - init_sec_access(&acc,FILE_GENERIC_ALL); - init_sec_ace(&nt_ace_list[num_aces++], &global_sid_Builtin_Users, SEC_ACE_TYPE_ACCESS_ALLOWED, acc, + init_sec_ace(&nt_ace_list[num_aces++], &global_sid_Builtin_Users, SEC_ACE_TYPE_ACCESS_ALLOWED, FILE_GENERIC_ALL, SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT| SEC_ACE_FLAG_INHERIT_ONLY|0); } @@ -3199,7 +3191,7 @@ int try_chown(connection_struct *conn, const char *fname, uid_t uid, gid_t gid) return -1; } - if (!NT_STATUS_IS_OK(open_file_fchmod(conn,fname,&st,&fsp))) { + if (!NT_STATUS_IS_OK(open_file_fchmod(NULL, conn, fname, &st, &fsp))) { return -1; } @@ -3214,7 +3206,7 @@ int try_chown(connection_struct *conn, const char *fname, uid_t uid, gid_t gid) ret = SMB_VFS_FCHOWN(fsp, uid, (gid_t)-1); unbecome_root(); - close_file_fchmod(fsp); + close_file_fchmod(NULL, fsp); return ret; } @@ -3223,26 +3215,26 @@ int try_chown(connection_struct *conn, const char *fname, uid_t uid, gid_t gid) Take care of parent ACL inheritance. ****************************************************************************/ -static NTSTATUS append_parent_acl(files_struct *fsp, - SMB_STRUCT_STAT *psbuf, - SEC_DESC *psd, +NTSTATUS append_parent_acl(files_struct *fsp, + const SEC_DESC *pcsd, SEC_DESC **pp_new_sd) { SEC_DESC *parent_sd = NULL; files_struct *parent_fsp = NULL; - TALLOC_CTX *mem_ctx = talloc_parent(psd); + TALLOC_CTX *mem_ctx = talloc_tos(); char *parent_name = NULL; SEC_ACE *new_ace = NULL; - unsigned int num_aces = psd->dacl->num_aces; + unsigned int num_aces = pcsd->dacl->num_aces; SMB_STRUCT_STAT sbuf; NTSTATUS status; int info; unsigned int i, j; - bool is_dacl_protected = (psd->type & SE_DESC_DACL_PROTECTED); + SEC_DESC *psd = dup_sec_desc(talloc_tos(), pcsd); + bool is_dacl_protected = (pcsd->type & SE_DESC_DACL_PROTECTED); ZERO_STRUCT(sbuf); - if (mem_ctx == NULL) { + if (psd == NULL) { return NT_STATUS_NO_MEMORY; } @@ -3272,7 +3264,7 @@ static NTSTATUS append_parent_acl(files_struct *fsp, status = SMB_VFS_GET_NT_ACL(parent_fsp->conn, parent_fsp->fsp_name, DACL_SECURITY_INFORMATION, &parent_sd ); - close_file(parent_fsp, NORMAL_CLOSE); + close_file(NULL, parent_fsp, NORMAL_CLOSE); if (!NT_STATUS_IS_OK(status)) { return status; @@ -3398,11 +3390,6 @@ static NTSTATUS append_parent_acl(files_struct *fsp, parent_name)); } - /* This sucks. psd should be const and we should - * be doing a deep-copy here. We're getting away - * with is as we know parent_sd is talloced off - * talloc_tos() as well as psd. JRA. */ - psd->dacl->aces = new_ace; psd->dacl->num_aces = i; psd->type &= ~(SE_DESC_DACL_AUTO_INHERITED| @@ -3418,7 +3405,7 @@ static NTSTATUS append_parent_acl(files_struct *fsp, This should be the only external function needed for the UNIX style set ACL. ****************************************************************************/ -NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd) +NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC *psd) { connection_struct *conn = fsp->conn; uid_t user = (uid_t)-1; @@ -3523,16 +3510,22 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd) create_file_sids(&sbuf, &file_owner_sid, &file_grp_sid); + /* See here: http://www.codeproject.com/KB/winsdk/accessctrl2.aspx + * for details. JRA. + */ + if ((security_info_sent & DACL_SECURITY_INFORMATION) && psd->dacl != NULL && (psd->type & (SE_DESC_DACL_AUTO_INHERITED| SE_DESC_DACL_AUTO_INHERIT_REQ))== (SE_DESC_DACL_AUTO_INHERITED| SE_DESC_DACL_AUTO_INHERIT_REQ) ) { - status = append_parent_acl(fsp, &sbuf, psd, &psd); + SEC_DESC *new_sd = NULL; + status = append_parent_acl(fsp, psd, &new_sd); if (!NT_STATUS_IS_OK(status)) { return status; } + psd = new_sd; } acl_perms = unpack_canon_ace( fsp, &sbuf, &file_owner_sid, &file_grp_sid, |