From 359cf872df35096aaf30a36612c62f42d7015378 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 29 Dec 2004 12:41:27 +0000 Subject: r4391: bring the default ACL inline with what w2k3 uses (This used to be commit 16967f7502ea6d2efa0fc08decc955a1516c3a02) --- source4/ntvfs/posix/pvfs_acl.c | 109 ++++++++++++------------------------ source4/ntvfs/posix/pvfs_fileinfo.c | 4 +- 2 files changed, 39 insertions(+), 74 deletions(-) (limited to 'source4/ntvfs') diff --git a/source4/ntvfs/posix/pvfs_acl.c b/source4/ntvfs/posix/pvfs_acl.c index 5302cc9524..970cddf6f7 100644 --- a/source4/ntvfs/posix/pvfs_acl.c +++ b/source4/ntvfs/posix/pvfs_acl.c @@ -69,10 +69,8 @@ static NTSTATUS pvfs_default_acl(struct pvfs_state *pvfs, { struct security_descriptor *sd; NTSTATUS status; - struct security_ace aces[4]; + struct security_ace ace; mode_t mode; - struct dom_sid *sid; - int i; sd = security_descriptor_initialise(req); if (sd == NULL) { @@ -90,97 +88,64 @@ static NTSTATUS pvfs_default_acl(struct pvfs_state *pvfs, sd->type |= SEC_DESC_DACL_PRESENT; + mode = name->st.st_mode; + /* - we provide 4 ACEs - - Administrator + we provide up to 4 ACEs - Owner - Group - Everyone + - Administrator */ - aces[0].access_mask = SEC_RIGHTS_FILE_ALL; - aces[1].access_mask = 0; - aces[2].access_mask = 0; - aces[3].access_mask = 0; - mode = name->st.st_mode; + + /* setup owner ACE */ + ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED; + ace.flags = 0; + ace.trustee = *sd->owner_sid; + ace.access_mask = 0; if (mode & S_IRUSR) { - aces[1].access_mask |= - SEC_FILE_READ_DATA | - SEC_FILE_READ_EA | - SEC_FILE_READ_ATTRIBUTE | - SEC_FILE_EXECUTE | - SEC_STD_SYNCHRONIZE | - SEC_STD_READ_CONTROL; + ace.access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE; } if (mode & S_IWUSR) { - aces[1].access_mask |= - SEC_FILE_WRITE_DATA | - SEC_FILE_APPEND_DATA | - SEC_FILE_WRITE_EA | - SEC_FILE_WRITE_ATTRIBUTE | - SEC_STD_DELETE; + ace.access_mask |= SEC_RIGHTS_FILE_WRITE | SEC_STD_DELETE; + } + if (ace.access_mask) { + security_descriptor_dacl_add(sd, &ace); } + + /* setup group ACE */ + ace.trustee = *sd->group_sid; + ace.access_mask = 0; if (mode & S_IRGRP) { - aces[2].access_mask |= - SEC_FILE_READ_DATA | - SEC_FILE_READ_EA | - SEC_FILE_READ_ATTRIBUTE | - SEC_FILE_EXECUTE | - SEC_STD_SYNCHRONIZE | - SEC_STD_READ_CONTROL; + ace.access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE; } if (mode & S_IWGRP) { - aces[2].access_mask |= - SEC_FILE_WRITE_DATA | - SEC_FILE_APPEND_DATA | - SEC_FILE_WRITE_EA | - SEC_FILE_WRITE_ATTRIBUTE; + ace.access_mask |= SEC_RIGHTS_FILE_WRITE; + } + if (ace.access_mask) { + security_descriptor_dacl_add(sd, &ace); } + /* setup other ACE */ + ace.trustee = *dom_sid_parse_talloc(req, SID_WORLD); + ace.access_mask = 0; if (mode & S_IROTH) { - aces[3].access_mask |= - SEC_FILE_READ_DATA | - SEC_FILE_READ_EA | - SEC_FILE_READ_ATTRIBUTE | - SEC_FILE_EXECUTE | - SEC_STD_SYNCHRONIZE | - SEC_STD_READ_CONTROL; + ace.access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE; } if (mode & S_IWOTH) { - aces[3].access_mask |= - SEC_FILE_WRITE_DATA | - SEC_FILE_APPEND_DATA | - SEC_FILE_WRITE_EA | - SEC_FILE_WRITE_ATTRIBUTE; + ace.access_mask |= SEC_RIGHTS_FILE_WRITE; } - - sid = dom_sid_parse_talloc(sd, SID_BUILTIN_ADMINISTRATORS); - if (sid == NULL) return NT_STATUS_NO_MEMORY; - - aces[0].type = SEC_ACE_TYPE_ACCESS_ALLOWED; - aces[0].flags = 0; - aces[0].trustee = *sid; - - aces[1].type = SEC_ACE_TYPE_ACCESS_ALLOWED; - aces[1].flags = 0; - aces[1].trustee = *sd->owner_sid; - - aces[2].type = SEC_ACE_TYPE_ACCESS_ALLOWED; - aces[2].flags = 0; - aces[2].trustee = *sd->group_sid; - - sid = dom_sid_parse_talloc(sd, SID_WORLD); - if (sid == NULL) return NT_STATUS_NO_MEMORY; - - aces[3].type = SEC_ACE_TYPE_ACCESS_ALLOWED; - aces[3].flags = 0; - aces[3].trustee = *sid; - - for (i=0;i<4;i++) { - security_descriptor_dacl_add(sd, &aces[i]); + if (ace.access_mask) { + security_descriptor_dacl_add(sd, &ace); } + + /* setup system ACE */ + ace.trustee = *dom_sid_parse_talloc(req, SID_NT_SYSTEM); + ace.access_mask = SEC_RIGHTS_FILE_ALL; + security_descriptor_dacl_add(sd, &ace); acl->version = 1; acl->info.sd = sd; diff --git a/source4/ntvfs/posix/pvfs_fileinfo.c b/source4/ntvfs/posix/pvfs_fileinfo.c index 888d5f78c0..fc60aa6e89 100644 --- a/source4/ntvfs/posix/pvfs_fileinfo.c +++ b/source4/ntvfs/posix/pvfs_fileinfo.c @@ -99,10 +99,10 @@ NTSTATUS pvfs_fill_dos_info(struct pvfs_state *pvfs, struct pvfs_filename *name, */ mode_t pvfs_fileperms(struct pvfs_state *pvfs, uint32 attrib) { - mode_t mode = S_IRUSR | S_IRGRP | S_IROTH; + mode_t mode = S_IRUSR; if (attrib & FILE_ATTRIBUTE_DIRECTORY) { - mode |= S_IXUSR | S_IXGRP | S_IXOTH; + mode |= S_IXUSR; } if (!(attrib & FILE_ATTRIBUTE_READONLY) || -- cgit