summaryrefslogtreecommitdiff
path: root/source3/smbd/posix_acls.c
AgeCommit message (Collapse)AuthorFilesLines
2003-05-01*id_to_*id call reshape to return NTSTATUS errorsSimo Sorce1-4/+4
plus internal fixes 1st stage (This used to be commit 6d036761e565bc93964bb3c939d5b7d78d5778a3)
2003-04-29This is a nice rewrite:Simo Sorce1-6/+4
SAM_ACCOUNT does not have anymore uid and gid fields all the code that used them has been fixed to use the proper idmap calls fix to idmap_tdb for first time idmap.tdb initialization. auth_serversupplied_info structure has now an uid and gid field few other fixes to make the system behave correctly with idmap tested only with tdbsam, but smbpasswd and nisplus should be ok have not tested ldap ! (This used to be commit 6a6f6032467e55aa9b76390e035623976477ba42)
2003-04-19use gid_t for gids not uid_tSimo Sorce1-1/+1
(This used to be commit dd8009bf599a6111440cd807dcc022039f19de15)
2003-04-01changed the order of checking whether a SID is a UID or a GID in posixAndrew Tridgell1-3/+3
acls. This is needed because sid_to_uid always claims that the sid is a user, due ot a change I made some months back. This change was suggested by Chere Zhou, but is really an interim measure. Chere is looking at a longer term solution. (This used to be commit b3edfa91964d2edfd1692fa58f98de00405e14c4)
2003-03-07Missed parentheses around complex logic.Jeremy Allison1-1/+2
Jeremy. (This used to be commit e81427c2d69be166afad94bc083e750e8f48fba7)
2003-03-07Patch from Michael Steffens. In his own words :Jeremy Allison1-78/+199
------------------------------------------------------------------------- I think there are basically two problem: 1. Windows clients do not always send ACEs for SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, and SMB_ACL_OTHER. The function ensure_canon_entry_valid() is prepared for that, but tries to "guess" values from group or other permissions, respectively, otherwise falling back to minimum r-- for the owner. Even if the owner had full permissions before setting ACL. This is the problem with W2k clients. 2. Function set_nt_acl() always chowns *before* attempting to set POSIX ACLs. This is ok in a take-ownership situation, but must fail if the file is to be given away. This is the problem with XP clients, trying to transfer ownership of the original file to the temp file. The problem with NT4 clients (no ACEs are transferred to the temp file, thus are lost after moving the temp file to the original name) is a client problem. It simply doesn't attempt to. I have played around with that using posic_acls.c from 3.0 merged into 2.2. As a result I can now present two patches, one for each branch. They basically modify: 1. Interpret missing SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, or SMB_ACL_OTHER as "preserve current value" instead of attempting to build one ourself. The original code is still in, but only as fallback in case current values can't be retrieved. 2. Rearrange set_nt_acl() such that chown is only done before setting ACLs if there is either no change of owning user, or change of owning user is towards the current user. Otherwise chown is done after setting ACLs. It now seems to produce reasonable results. (Well, as far as it can. If NT4 doesn't even try to transfer ACEs, only deliberate use of named default ACEs and/or "force group" or the crystal ball can help :) ------------------------------------------------------------------------- Jeremy. (This used to be commit 8ec20cbae7ca7e685b1a4186d8482c7405915dc3)
2003-02-21Added comments to make it clearer when we're assigning a pointer that itJeremy Allison1-0/+12
must not be freed afterwards. Jeremy. (This used to be commit 80bad908c0235a57446c70b9632d3415c9d2fcf5)
2003-02-19Fix from Corny.Bondad@hp.com for missing if (setting_acls) on defaultJeremy Allison1-3/+3
perms. Jeremy. (This used to be commit ac96fa173cc3bd1c3226634154d6f99e4034179f)
2003-02-17This patch fixes one of my longest-standing pet hates with Samba :-).Andrew Bartlett1-1/+1
When we look see if a user is in a list, and we try to 'expand' an @group, we should lookup the user's own list of groups, rather than looking for all the members of a group. I'm sure this will fix some nasty performance issues, particularly on large domains etc. In particular, this avoids contacting winbind at all, if the group is not a winbind group. (This caused a deadlock on my winbind-on-PDC setup). The groups list always includes the user's primary group, as per the getgrouplist manpage, and my recent changes to our implementation. Andrew Bartlett (This used to be commit 9be21976f7662ebe6eb92fff7cecbdb352eca334)
2003-02-04Patch from Edmund Lam <epl@unimelb.edu.au> to fix braindead Tru64 behaviour:Andrew Bartlett1-2/+2
Apparently acl_type is #defined to acl_common.entry_type in their acl.h.... Andrew Bartlett (This used to be commit 3dfdaa0208ee538631378aa921300d95c596b70c)
2002-10-23First cut of new ACL mapping code from Andreas Gruenbacher <agruen@suse.de>.Jeremy Allison1-106/+419
This is not 100% the same as what SuSE shipped in their Samba, there is a crash bug fix, a race condition fix, and a few logic changes I'd like to discuss with Andreas. Added Andreas to (C) notices for posix_acls.c Jeremy. (This used to be commit a81d700ae9c82d4b7ea631ab7862162a2ed3d512)
2002-10-08Fix based on Jim McDonough's code for ACL inheritance problem.Jeremy Allison1-9/+60
Jeremy. (This used to be commit a6b3acfc7b98066de6f4b0b6044772a4d56795cd)
2002-10-07Fix from Andreas Gruenbacher <agruen@suse.de> to prevent ACL set on read-onlyJeremy Allison1-0/+5
share. Jeremy. (This used to be commit 80d30dbfec03d1d1e82c9e177ff66aa44b4ea993)
2002-09-25Merge of "profile acls" code.Jeremy Allison1-2/+28
Jeremy. (This used to be commit cfd1bf250b417f3ba3ad21ff681ab282311bb7eb)
2002-07-17Lanman print jobs are *16* bits, not 32. arggggh. Map them....Jeremy Allison1-1/+1
Jeremy. (This used to be commit 2b06fd305be10fa8a8629adb4a99ccd3960786da)
2002-07-08Kill off const warnings - add a pile of const to various places.Andrew Bartlett1-1/+1
(This used to be commit 1de04ec4735c19ec21cdef6e679cea17c734c5f6)
2002-06-07Ensure when allowing fchown with write access and dos filemodes thatJeremy Allison1-7/+7
we leave the gid alone. Jeremy. (This used to be commit 3f72910cf954b127c0cc06d6616ca2b8cd0d41ad)
2002-05-20Merge from 2.2.Jeremy Allison1-1/+2
Jeremy. (This used to be commit 174df5d914b149e52bf260e6502f2436c2720958)
2002-05-16Fix bug where creating a file and setting a security descriptor atomicallyJeremy Allison1-47/+68
that only contains an "everyone" DACL doesn't apply this to user and group entries also. Jeremy. (This used to be commit 2f67f39d219bbe110d52ed2680fd8ac57946756f)
2002-04-20try to cope better with the take ownership operation for foreign SIDsAndrew Tridgell1-1/+59
what we do is map to the authenticated user when the sid is unmappable and dos filemodes are enabled (This used to be commit b6c2ef4f54e7b42125f8c89ee5a62b0ba6b52f59)
2002-03-12Added POSIX ACL layer into the vfs.Jeremy Allison1-60/+64
Jeremy. (This used to be commit 7d59445b6962547a8938928a9371651a09e26516)
2002-03-11Implemented default ACL patch (set inherit acls = true on a per share basis).Jeremy Allison1-0/+13
Based on code donated by Olaf Frączyk <olaf@cbk.poznan.pl>. Further commit will change to sending via vfs interface. Jeremy. (This used to be commit d85133e2697eb22f1573c78447b57791ae63dd6b)
2002-03-09a more informitive debug message when a SID can't be validatedAndrew Tridgell1-1/+2
(This used to be commit c55737fb25dfed4697b93a600e3bd770f84bf464)
2002-01-30Removed version number from file header.Tim Potter1-2/+1
Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
2002-01-25merge from 2.2Gerald Carter1-1/+1
(This used to be commit 7dc1c34145d66f4bbc5c6ce0bca4b224088366af)
2002-01-11fixed a crash in merge_aces()Andrew Tridgell1-0/+1
when we free curr_ace_outer we need to not try to use it again :) (This used to be commit 1c5e19a418136c0ae524e62a4907501212ebac3d)
2001-12-19Allow ACL set to fail gracefully on HP HFS filesystems.Jeremy Allison1-0/+12
Jeremy. (This used to be commit 2d7b81e692ac2bcfd6e31223d3f8545c255cb47c)
2001-12-04Stop using getgrgid() - a very expensive call with winbindd, to look upJeremy Allison1-13/+10
a group name. Jeremy. (This used to be commit b926660e73d4c94c30ec5a365027770acdafe25e)
2001-11-30Renamed sid field in SEC_ACE to trustee to be more in line with MS'sTim Potter1-23/+23
definitions. (This used to be commit 9712d3f15a47155f558d0034ef71fd06afb11301)
2001-09-25Log sys_acl_set_XX at level 2 not zero.Jeremy Allison1-2/+2
Jeremy. (This used to be commit 4a54a633c59a18b387427e89266e294bdddf8574)
2001-09-22Ignore unmappable (NT Authority, BUILTIN etc.) SIDs in an ACL set.Jeremy Allison1-0/+11
Jeremy. (This used to be commit bc7963bd643422cce081b6284e3bdd49ae3a02ab)
2001-09-17move to SAFE_FREE()Simo Sorce1-11/+9
(This used to be commit a95943fde0ad89ae3f2deca2f7ba9cb5ab612b74)
2001-09-07Don't fail if no owner/group owner set. Use existing owners.Jeremy Allison1-3/+7
Jeremy. (This used to be commit 9961c4c1a3b2dbf8d1062bc1fa103488c0d0ba79)
2001-08-30if no ACL elements then use chmod - fixes ability to set read-only bitHerb Lewis1-2/+2
on files that do not have an ACL (This used to be commit 65ea13420c78cf0a8c01f14c08815e4b44ca4abc)
2001-07-26Fix from Michael Davidson <md@caldera.com> for DEC OSF/1 ACLs (ie.Jeremy Allison1-2/+2
Digital UNIX). Jeremy. (This used to be commit 324ba0512ec84bb173c72be3dfd2447e0dc30e26)
2001-07-04The big character set handling changeover!Andrew Tridgell1-6/+6
This commit gets rid of all our old codepage handling and replaces it with iconv. All internal strings in Samba are now in "unix" charset, which may be multi-byte. See internals.doc and my posting to samba-technical for a more complete explanation. (This used to be commit debb471267960e56005a741817ebd227ecfc512a)
2001-06-12lib/util_getent.c: removed debug code.Jeremy Allison1-4/+49
smbd/posix_acls.c: Attempt to fix the "lose default acl" problem in Solaris. Needs testing. lib/sysacls.c: Typo fix. Jeremy. (This used to be commit d989f8bd3e1524183a24fb67be1af05b3289f648)
2001-06-09*Wonderful* patch from Andrew Bartlett that will help ensure tdb's areJeremy Allison1-6/+19
cleaned on clients abending connections. Thanks Andrew ! Jeremy. (This used to be commit 1b3977c5367a0b713b194f369abd9872ae01ac2a)
2001-05-10Fixed nasty little bug found by Gerald where we were corrupting the modeJeremy Allison1-2/+15
bits before checking if we should change them on non-acl systems. Jeremy. (This used to be commit aba243ca0867a0787f9f7c7b2cda6143bcc53087)
2001-05-10Made "security XXX" masks apply to ACL set. By default they have no effect.Jeremy Allison1-29/+19
Removed "restrict acl with mask" - redundent. Jeremy. (This used to be commit 0db8a61d71f25ffa0e5c585e02e2fce973867156)
2001-05-07Fix for bad profile perms. Ensure r on files and rwx on directories.Jeremy Allison1-8/+28
Jeremy. (This used to be commit f100e091abc57a9ba983e7c3cf84bfda2dbc2e18)
2001-05-03Fixed SHM_R/SHM_W warnings by moving sys/ipc.h and sys/shm.h into includes.hJeremy Allison1-0/+6
and using autoconf tests. Added "restrict acl with mask" parameter. Jeremy. (This used to be commit 7792e32ba7fd734cc68b354f31c382ac11521fe8)
2001-04-27Tidy up args to DEBUG Statements - found by gcc on Solaris.Jeremy Allison1-1/+1
Jeremy. (This used to be commit a60ecb4e53a6c8a3a6a37a89042ae943202263fe)
2001-04-25Sync with default perm changes in 2.2.Jeremy Allison1-27/+122
Jeremy. (This used to be commit f02e67a096b3bcf84615c4a6949c5e6283e07af0)
2001-04-13Michael Davidson <md@sco.COM> pointed out that acl_get_qualifier can potentiallyJeremy Allison1-0/+2
return a malloced area so added sys_acl_free_qualifier() calls to all supported ACL interfaces to code with this (only Linux needs actual free call). Jeremy. (This used to be commit 5870e6019b82d2088b99acdc0f84e9e4847a1fa5)
2001-03-30Fixed extern ref typo for file generic perms. 2am coding strikes again :-).Jeremy Allison1-1/+1
Jeremy. (This used to be commit fe38692643ad7c163c30d9c031a8bd3dec81ffee)
2001-03-30This is a big, rather ugly patch. Whilst investigating the files not truncatedJeremy Allison1-2/+8
when copying to a full disk problem, I discovered that we were not allowing the delete on close flag to be set properly, this led to other things, and after investigation of the proper delete on close semantics and their relationship to the file_share_delete flag I discovered there were some cases where we weren't doing the deny modes properly. And this after only 5 years working on them..... :-) :-). So here's the latest attempt. I realised the delete on close flag needs to be set across all smbds with a dev/ino pair open - in addition, the delete on close flag, allow share delete and delete access requested all need to be stored in the share mode tdb. The "delete_on_close" entry in the fsp struct is now redundant and should really be removed. This may also mean we can get rid of the "iterate_fsp" calls that I didn't like adding in the first place. Whilst doing this patch, I also discovered we needed to do the se_map_generic() call for file opens and POSIX ACL mapping, so I added that also. This code, although ugly, now passes the deny mode torture tests plus the delete on close tests I added. I do need to add one more multiple connection delete on close test to make sure I got the semantics exactly right, plus we should also (as Andrew suggested) move to random testing here. The good news is that NT should now correctly delete the file on disk full error when copying to a disk :-). Jeremy. (This used to be commit 51987684bd231c744da2e5f3705fd236d5616173)
2001-03-28Fixed the problem Gerald reported. Unfortunately we need to go back toJeremy Allison1-194/+110
reporting imaginary "default" inheritable ACLs on directories, otherwise, when you add an entry and click on apply without noticing there's no default entry associated with it, it applies a null acl on the files within the directory (hey, that's what you told NT you wanted, right ! :-). Also ensure that minimum permissions for a directory are r-x for owner, not just r--. Jeremy. (This used to be commit 4fa8cf68c3921f93a27d290d6dd1ed4423dfcf1c)
2001-03-26smbd/posix_acls.c: Saving and restoring errno here is the wrong place. Moved itJeremy Allison1-11/+2
to the places where [f]chmod_acl is called instead. Jeremy. (This used to be commit 641ada44ae6429761c1fd0dbcafabc69f897fac7)
2001-03-26smbd/posix_acls.c: Sync up with 2.2 changes - don't return deny ACE's.Jeremy Allison1-67/+14
smbd/vfs.c: Don't call [f]chmod_acl if no acl support. Jeremy. (This used to be commit 83f52394e688b4be3ac4cef67d8980a5b8ed3192)