From 236977bf4642c035bb22cfcd1cee481c5f6c6da1 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 13 Nov 2012 12:48:53 -0800 Subject: Change get_nt_acl_no_snum() to return an NTSTATUS, not a struct security_descriptor *. Internally change the implementation to use SMB_VFS_GET_NT_ACL() instead of SMB_VFS_FGET_NT_ACL() with a faked-up file struct. Andrew Bartlett Reviewed by: Jeremy Allison --- source3/rpc_server/eventlog/srv_eventlog_nt.c | 11 +++-- source3/smbd/posix_acls.c | 62 ++++++++++----------------- source3/smbd/proto.h | 3 +- source3/smbd/pysmbd.c | 4 +- 4 files changed, 34 insertions(+), 46 deletions(-) diff --git a/source3/rpc_server/eventlog/srv_eventlog_nt.c b/source3/rpc_server/eventlog/srv_eventlog_nt.c index a05ea3fcbe..a3e719a38b 100644 --- a/source3/rpc_server/eventlog/srv_eventlog_nt.c +++ b/source3/rpc_server/eventlog/srv_eventlog_nt.c @@ -91,12 +91,15 @@ static bool elog_check_access( EVENTLOG_INFO *info, const struct security_token /* get the security descriptor for the file */ - sec_desc = get_nt_acl_no_snum( info, tdbname, SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL); + status = get_nt_acl_no_snum( info, + tdbname, + SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL, + &sec_desc); TALLOC_FREE( tdbname ); - if ( !sec_desc ) { - DEBUG(5,("elog_check_access: Unable to get NT ACL for %s\n", - tdbname)); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(5,("elog_check_access: Unable to get NT ACL for %s: %s\n", + tdbname, nt_errstr(status))); return False; } diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index d46a16dbc1..74ea257d36 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c @@ -4963,30 +4963,34 @@ bool set_unix_posix_acl(connection_struct *conn, files_struct *fsp, const char * check. Caller is responsible for freeing the returned security descriptor via TALLOC_FREE(). This is designed for dealing with user space access checks in smbd outside of the VFS. For example, - checking access rights in OpenEventlog(). + checking access rights in OpenEventlog() or from python. - Assume we are dealing with files (for now) ********************************************************************/ -struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname, uint32 security_info_wanted) +NTSTATUS get_nt_acl_no_snum(TALLOC_CTX *ctx, const char *fname, + uint32 security_info_wanted, + struct security_descriptor **sd) { - struct security_descriptor *ret_sd; - connection_struct *conn; - files_struct finfo; - struct fd_handle fh; - NTSTATUS status; TALLOC_CTX *frame = talloc_stackframe(); + connection_struct *conn; + NTSTATUS status = NT_STATUS_OK; + + if (!posix_locking_init(false)) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } conn = talloc_zero(frame, connection_struct); if (conn == NULL) { + TALLOC_FREE(frame); DEBUG(0, ("talloc failed\n")); - return NULL; + return NT_STATUS_NO_MEMORY; } if (!(conn->params = talloc(conn, struct share_params))) { - DEBUG(0,("get_nt_acl_no_snum: talloc() failed!\n")); + DEBUG(0, ("talloc failed\n")); TALLOC_FREE(frame); - return NULL; + return NT_STATUS_NO_MEMORY; } conn->params->service = -1; @@ -4994,43 +4998,21 @@ struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fna set_conn_connectpath(conn, "/"); if (!smbd_vfs_init(conn)) { - DEBUG(0,("get_nt_acl_no_snum: Unable to create a fake connection struct!\n")); - conn_free(conn); - TALLOC_FREE(frame); - return NULL; - } - - ZERO_STRUCT( finfo ); - ZERO_STRUCT( fh ); - - finfo.fnum = FNUM_FIELD_INVALID; - finfo.conn = conn; - finfo.fh = &fh; - finfo.fh->fd = -1; - - status = create_synthetic_smb_fname(frame, fname, NULL, NULL, - &finfo.fsp_name); - if (!NT_STATUS_IS_OK(status)) { - conn_free(conn); + DEBUG(0,("smbd_vfs_init() failed!\n")); TALLOC_FREE(frame); - return NULL; + return NT_STATUS_INTERNAL_ERROR; } - if (!NT_STATUS_IS_OK(SMB_VFS_FGET_NT_ACL( &finfo, - security_info_wanted, - ctx, &ret_sd))) { - DEBUG(0,("get_nt_acl_no_snum: get_nt_acl returned zero.\n")); - TALLOC_FREE(finfo.fsp_name); - conn_free(conn); - TALLOC_FREE(frame); - return NULL; + status = SMB_VFS_GET_NT_ACL(conn, fname, security_info_wanted, ctx, sd); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0,("set_nt_acl_no_snum: fset_nt_acl returned %s.\n", + nt_errstr(status))); } - TALLOC_FREE(finfo.fsp_name); conn_free(conn); TALLOC_FREE(frame); - return ret_sd; + return status; } /* Stolen shamelessly from pvfs_default_acl() in source4 :-). */ diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h index 221499cead..aae4bd02db 100644 --- a/source3/smbd/proto.h +++ b/source3/smbd/proto.h @@ -732,7 +732,8 @@ bool set_unix_posix_default_acl(connection_struct *conn, const char *fname, const SMB_STRUCT_STAT *psbuf, uint16 num_def_acls, const char *pdata); bool set_unix_posix_acl(connection_struct *conn, files_struct *fsp, const char *fname, uint16 num_acls, const char *pdata); -struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname, uint32 security_info_wanted); +NTSTATUS get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname, uint32 security_info_wanted, + struct security_descriptor **sd); NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx, const char *name, SMB_STRUCT_STAT *psbuf, diff --git a/source3/smbd/pysmbd.c b/source3/smbd/pysmbd.c index 436e881b10..42694cb47c 100644 --- a/source3/smbd/pysmbd.c +++ b/source3/smbd/pysmbd.c @@ -495,11 +495,13 @@ static PyObject *py_smbd_get_nt_acl(PyObject *self, PyObject *args) PyObject *py_sd; struct security_descriptor *sd; TALLOC_CTX *tmp_ctx = talloc_new(NULL); + NTSTATUS status; if (!PyArg_ParseTuple(args, "si", &fname, &security_info_wanted)) return NULL; - sd = get_nt_acl_no_snum(tmp_ctx, fname, security_info_wanted); + status = get_nt_acl_no_snum(tmp_ctx, fname, security_info_wanted, &sd); + PyErr_NTSTATUS_IS_ERR_RAISE(status); py_sd = py_return_ndr_struct("samba.dcerpc.security", "descriptor", sd, sd); -- cgit