From 8c1a90c2e319270cb2cab7ed995a61a9902c884d Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 30 Oct 2008 16:13:03 -0700 Subject: Start moving us closer to passing S4 RAW-ACL test using the vfs_acl_xattr module. Inheritance fails at the moment though. Jeremy. --- source3/include/proto.h | 1 + source3/modules/vfs_acl_xattr.c | 51 +++++++++++++++++++++++++++++++++++++++++ source3/smbd/open.c | 9 ++++++++ source3/smbd/posix_acls.c | 2 +- 4 files changed, 62 insertions(+), 1 deletion(-) diff --git a/source3/include/proto.h b/source3/include/proto.h index b227a30f00..f982f43a7f 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -8317,6 +8317,7 @@ void reply_pipe_close(connection_struct *conn, struct smb_request *req); /* The following definitions come from smbd/posix_acls.c */ +void create_file_sids(const SMB_STRUCT_STAT *psbuf, DOM_SID *powner_sid, DOM_SID *pgroup_sid); NTSTATUS unpack_nt_owners(int snum, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, const SEC_DESC *psd); SMB_ACL_T free_empty_sys_acl(connection_struct *conn, SMB_ACL_T the_acl); NTSTATUS posix_fget_nt_acl(struct files_struct *fsp, uint32_t security_info, diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c index 0baa990ad6..6932d522d4 100644 --- a/source3/modules/vfs_acl_xattr.c +++ b/source3/modules/vfs_acl_xattr.c @@ -422,6 +422,11 @@ static NTSTATUS fget_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp, NTSTATUS status = get_nt_acl_xattr_internal(handle, fsp, NULL, security_info, ppdesc); if (NT_STATUS_IS_OK(status)) { + if (DEBUGLEVEL >= 10) { + DEBUG(10,("fget_nt_acl_xattr: returning xattr sd for file %s\n", + fsp->fsp_name)); + NDR_PRINT_DEBUG(security_descriptor, *ppdesc); + } return NT_STATUS_OK; } return SMB_VFS_NEXT_FGET_NT_ACL(handle, fsp, @@ -434,6 +439,11 @@ static NTSTATUS get_nt_acl_xattr(vfs_handle_struct *handle, NTSTATUS status = get_nt_acl_xattr_internal(handle, NULL, name, security_info, ppdesc); if (NT_STATUS_IS_OK(status)) { + if (DEBUGLEVEL >= 10) { + DEBUG(10,("get_nt_acl_xattr: returning xattr sd for file %s\n", + name)); + NDR_PRINT_DEBUG(security_descriptor, *ppdesc); + } return NT_STATUS_OK; } return SMB_VFS_NEXT_GET_NT_ACL(handle, name, @@ -446,11 +456,46 @@ static NTSTATUS fset_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp, NTSTATUS status; DATA_BLOB blob; + if (DEBUGLEVEL >= 10) { + DEBUG(10,("fset_nt_acl_xattr: incoming sd for file %s\n", + fsp->fsp_name)); + NDR_PRINT_DEBUG(security_descriptor, + CONST_DISCARD(SEC_DESC *,psd)); + } + status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd); if (!NT_STATUS_IS_OK(status)) { return status; } + /* Ensure owner and group are set. */ + if (!psd->owner_sid || !psd->group_sid) { + int ret; + SMB_STRUCT_STAT sbuf; + DOM_SID owner_sid, group_sid; + SEC_DESC *nc_psd = dup_sec_desc(talloc_tos(), psd); + + if (!nc_psd) { + return NT_STATUS_OK; + } + if (fsp->is_directory || fsp->fh->fd == -1) { + ret = SMB_VFS_STAT(fsp->conn,fsp->fsp_name, &sbuf); + } else { + ret = SMB_VFS_FSTAT(fsp, &sbuf); + } + if (ret == -1) { + /* Lower level acl set succeeded, + * so still return OK. */ + return NT_STATUS_OK; + } + create_file_sids(&sbuf, &owner_sid, &group_sid); + /* This is safe as nc_psd is discarded at fn exit. */ + nc_psd->owner_sid = &owner_sid; + nc_psd->group_sid = &group_sid; + security_info_sent |= (OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION); + psd = nc_psd; + } + if ((security_info_sent & DACL_SECURITY_INFORMATION) && psd->dacl != NULL && (psd->type & (SE_DESC_DACL_AUTO_INHERITED| @@ -467,6 +512,12 @@ static NTSTATUS fset_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp, psd = new_psd; } + if (DEBUGLEVEL >= 10) { + DEBUG(10,("fset_nt_acl_xattr: storing xattr sd for file %s\n", + fsp->fsp_name)); + NDR_PRINT_DEBUG(security_descriptor, + CONST_DISCARD(SEC_DESC *,psd)); + } create_acl_blob(psd, &blob); store_acl_blob_fsp(fsp, &blob); diff --git a/source3/smbd/open.c b/source3/smbd/open.c index d858fb969f..1564525005 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -1206,6 +1206,15 @@ NTSTATUS open_file_ntcreate(connection_struct *conn, create_disposition, create_options, unx_mode, oplock_request)); + if ((access_mask & FILE_READ_DATA)||(access_mask & FILE_WRITE_DATA)) { + DEBUG(10, ("open_file_ntcreate: adding FILE_READ_ATTRIBUTES " + "to requested access_mask 0x%x, new mask 0x%x", + access_mask, + access_mask | FILE_READ_ATTRIBUTES )); + + access_mask |= FILE_READ_ATTRIBUTES; + } + if ((req == NULL) && ((oplock_request & INTERNAL_OPEN_ONLY) == 0)) { DEBUG(0, ("No smb request but not an internal only open!\n")); return NT_STATUS_INTERNAL_ERROR; diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index 848d3e4a6d..cccf3087f7 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c @@ -725,7 +725,7 @@ static int map_acl_perms_to_permset(connection_struct *conn, mode_t mode, SMB_AC Function to create owner and group SIDs from a SMB_STRUCT_STAT. ****************************************************************************/ -static void create_file_sids(const SMB_STRUCT_STAT *psbuf, DOM_SID *powner_sid, DOM_SID *pgroup_sid) +void create_file_sids(const SMB_STRUCT_STAT *psbuf, DOM_SID *powner_sid, DOM_SID *pgroup_sid) { uid_to_sid( powner_sid, psbuf->st_uid ); gid_to_sid( pgroup_sid, psbuf->st_gid ); -- cgit