From 012be92f0a771d8437f783dc8ed14f38c669893c Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 18 Nov 2004 01:41:43 +0000 Subject: r3830: unified the query/set security descriptor code with the rest of the queryfileinfo/setfileinfo logic, so querying/setting a security descriptor is treated as just another file query/set operation. This will allow NTVFS backends to see the query/set security descriptor operations as RAW_FILEINFO_SEC_DESC and RAW_SFILEINFO_SEC_DESC operations. (This used to be commit f68a6b6b915c37e48c42390c1e74c2d1c2636fa9) --- source4/client/client.c | 11 ++++---- source4/include/includes.h | 1 - source4/include/smb_interfaces.h | 38 +++++++++++++++++++++++++ source4/libcli/raw/rawacl.c | 33 +++++++++++----------- source4/libcli/raw/rawfileinfo.c | 9 +++++- source4/libcli/raw/rawsetfileinfo.c | 4 +++ source4/librpc/ndr/ndr_sec.h | 56 ------------------------------------- source4/smb_server/trans2.c | 2 ++ source4/torture/raw/acls.c | 38 +++++++++++++------------ 9 files changed, 95 insertions(+), 97 deletions(-) delete mode 100644 source4/librpc/ndr/ndr_sec.h (limited to 'source4') diff --git a/source4/client/client.c b/source4/client/client.c index 81bf2a7930..f73bacbcbc 100644 --- a/source4/client/client.c +++ b/source4/client/client.c @@ -1793,7 +1793,7 @@ static int cmd_acl(const char **cmd_ptr) fstring buf; int ret = 0; TALLOC_CTX *mem_ctx; - struct smb_query_secdesc query; + union smb_fileinfo query; NTSTATUS status; int fnum; @@ -1813,17 +1813,18 @@ static int cmd_acl(const char **cmd_ptr) mem_ctx = talloc_init("%s", fname); - query.in.fnum = fnum; - query.in.secinfo_flags = 0x7; + query.query_secdesc.level = RAW_FILEINFO_SEC_DESC; + query.query_secdesc.in.fnum = fnum; + query.query_secdesc.in.secinfo_flags = 0x7; - status = smb_raw_query_secdesc(cli->tree, mem_ctx, &query); + status = smb_raw_fileinfo(cli->tree, mem_ctx, &query); if (!NT_STATUS_IS_OK(status)) { d_printf("%s - %s\n", fname, nt_errstr(status)); ret = 1; goto done; } - NDR_PRINT_DEBUG(security_descriptor, query.out.sd); + NDR_PRINT_DEBUG(security_descriptor, query.query_secdesc.out.sd); talloc_destroy(mem_ctx); diff --git a/source4/include/includes.h b/source4/include/includes.h index 10516f8989..c5842f84da 100644 --- a/source4/include/includes.h +++ b/source4/include/includes.h @@ -179,7 +179,6 @@ extern int errno; #include "module.h" #include "mutex.h" #include "librpc/ndr/libndr.h" -#include "librpc/ndr/ndr_sec.h" #include "librpc/gen_ndr/ndr_misc.h" #include "librpc/gen_ndr/ndr_dcerpc.h" #include "librpc/rpc/dcerpc.h" diff --git a/source4/include/smb_interfaces.h b/source4/include/smb_interfaces.h index 1f0912a149..c447b39b08 100644 --- a/source4/include/smb_interfaces.h +++ b/source4/include/smb_interfaces.h @@ -42,6 +42,20 @@ typedef struct { } WIRE_STRING; +/* + use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really + just a dom sid, but with the sub_auths represented as a conformant + array. As with all in-structure conformant arrays, the array length + is placed before the start of the structure. That's what gives rise + to the extra num_auths elemenent. We don't want the Samba code to + have to bother with such esoteric NDR details, so its easier to just + define it as a dom_sid and use pidl magic to make it all work. It + just means you need to mark a sid as a "dom_sid2" in the IDL when you + know it is of the conformant array variety +*/ +#define dom_sid2 dom_sid + + /* this header defines the structures and unions used between the SMB parser and the backends. @@ -296,6 +310,7 @@ enum smb_fileinfo_level { RAW_FILEINFO_GENERIC = 0xF000, RAW_FILEINFO_GETATTR, /* SMBgetatr */ RAW_FILEINFO_GETATTRE, /* SMBgetattrE */ + RAW_FILEINFO_SEC_DESC, /* NT_TRANSACT_QUERY_SECURITY_DESC */ RAW_FILEINFO_STANDARD = SMB_QFILEINFO_STANDARD, RAW_FILEINFO_EA_SIZE = SMB_QFILEINFO_EA_SIZE, RAW_FILEINFO_ALL_EAS = SMB_QFILEINFO_ALL_EAS, @@ -661,6 +676,18 @@ union smb_fileinfo { uint32_t reparse_tag; } out; } attribute_tag_information; + + /* RAW_FILEINFO_QUERY_SEC_DESC */ + struct { + enum smb_fileinfo_level level; + struct { + uint16_t fnum; + uint32_t secinfo_flags; + } in; + struct { + struct security_descriptor *sd; + } out; + } query_secdesc; }; @@ -668,6 +695,7 @@ enum smb_setfileinfo_level { RAW_SFILEINFO_GENERIC = 0xF000, RAW_SFILEINFO_SETATTR, /* SMBsetatr */ RAW_SFILEINFO_SETATTRE, /* SMBsetattrE */ + RAW_SFILEINFO_SEC_DESC, /* NT_TRANSACT_SET_SECURITY_DESC */ RAW_SFILEINFO_STANDARD = SMB_SFILEINFO_STANDARD, RAW_SFILEINFO_EA_SET = SMB_SFILEINFO_EA_SET, RAW_SFILEINFO_BASIC_INFO = SMB_SFILEINFO_BASIC_INFO, @@ -854,6 +882,16 @@ union smb_setfileinfo { const char *link_dest; } in; } unix_link, unix_hlink; + + /* RAW_FILEINFO_SET_SEC_DESC */ + struct { + enum smb_setfileinfo_level level; + union setfileinfo_file file; + struct { + uint32_t secinfo_flags; + struct security_descriptor *sd; + } in; + } set_secdesc; }; diff --git a/source4/libcli/raw/rawacl.c b/source4/libcli/raw/rawacl.c index 2e05002491..253a3cbbe7 100644 --- a/source4/libcli/raw/rawacl.c +++ b/source4/libcli/raw/rawacl.c @@ -27,7 +27,7 @@ fetch file ACL (async send) ****************************************************************************/ struct smbcli_request *smb_raw_query_secdesc_send(struct smbcli_tree *tree, - struct smb_query_secdesc *query) + union smb_fileinfo *io) { struct smb_nttrans nt; uint8_t params[8]; @@ -39,9 +39,9 @@ struct smbcli_request *smb_raw_query_secdesc_send(struct smbcli_tree *tree, nt.in.function = NT_TRANSACT_QUERY_SECURITY_DESC; nt.in.setup = NULL; - SSVAL(params, 0, query->in.fnum); + SSVAL(params, 0, io->query_secdesc.in.fnum); SSVAL(params, 2, 0); /* padding */ - SIVAL(params, 4, query->in.secinfo_flags); + SIVAL(params, 4, io->query_secdesc.in.secinfo_flags); nt.in.params.data = params; nt.in.params.length = 8; @@ -57,7 +57,7 @@ fetch file ACL (async recv) ****************************************************************************/ NTSTATUS smb_raw_query_secdesc_recv(struct smbcli_request *req, TALLOC_CTX *mem_ctx, - struct smb_query_secdesc *query) + union smb_fileinfo *io) { NTSTATUS status; struct smb_nttrans nt; @@ -81,11 +81,12 @@ NTSTATUS smb_raw_query_secdesc_recv(struct smbcli_request *req, return NT_STATUS_INVALID_PARAMETER; } - query->out.sd = talloc_p(mem_ctx, struct security_descriptor); - if (!query->out.sd) { + io->query_secdesc.out.sd = talloc_p(mem_ctx, struct security_descriptor); + if (!io->query_secdesc.out.sd) { return NT_STATUS_NO_MEMORY; } - status = ndr_pull_security_descriptor(ndr, NDR_SCALARS|NDR_BUFFERS, query->out.sd); + status = ndr_pull_security_descriptor(ndr, NDR_SCALARS|NDR_BUFFERS, + io->query_secdesc.out.sd); return status; } @@ -96,10 +97,10 @@ fetch file ACL (sync interface) ****************************************************************************/ NTSTATUS smb_raw_query_secdesc(struct smbcli_tree *tree, TALLOC_CTX *mem_ctx, - struct smb_query_secdesc *query) + union smb_fileinfo *io) { - struct smbcli_request *req = smb_raw_query_secdesc_send(tree, query); - return smb_raw_query_secdesc_recv(req, mem_ctx, query); + struct smbcli_request *req = smb_raw_query_secdesc_send(tree, io); + return smb_raw_query_secdesc_recv(req, mem_ctx, io); } @@ -108,7 +109,7 @@ NTSTATUS smb_raw_query_secdesc(struct smbcli_tree *tree, set file ACL (async send) ****************************************************************************/ struct smbcli_request *smb_raw_set_secdesc_send(struct smbcli_tree *tree, - struct smb_set_secdesc *set) + union smb_setfileinfo *io) { struct smb_nttrans nt; uint8_t params[8]; @@ -123,9 +124,9 @@ struct smbcli_request *smb_raw_set_secdesc_send(struct smbcli_tree *tree, nt.in.function = NT_TRANSACT_SET_SECURITY_DESC; nt.in.setup = NULL; - SSVAL(params, 0, set->in.fnum); + SSVAL(params, 0, io->set_secdesc.file.fnum); SSVAL(params, 2, 0); /* padding */ - SIVAL(params, 4, set->in.secinfo_flags); + SIVAL(params, 4, io->set_secdesc.in.secinfo_flags); nt.in.params.data = params; nt.in.params.length = 8; @@ -133,7 +134,7 @@ struct smbcli_request *smb_raw_set_secdesc_send(struct smbcli_tree *tree, ndr = ndr_push_init(); if (!ndr) return NULL; - status = ndr_push_security_descriptor(ndr, NDR_SCALARS|NDR_BUFFERS, set->in.sd); + status = ndr_push_security_descriptor(ndr, NDR_SCALARS|NDR_BUFFERS, io->set_secdesc.in.sd); if (!NT_STATUS_IS_OK(status)) { ndr_push_free(ndr); return NULL; @@ -151,8 +152,8 @@ struct smbcli_request *smb_raw_set_secdesc_send(struct smbcli_tree *tree, set file ACL (sync interface) ****************************************************************************/ NTSTATUS smb_raw_set_secdesc(struct smbcli_tree *tree, - struct smb_set_secdesc *set) + union smb_setfileinfo *io) { - struct smbcli_request *req = smb_raw_set_secdesc_send(tree, set); + struct smbcli_request *req = smb_raw_set_secdesc_send(tree, io); return smbcli_request_simple_recv(req); } diff --git a/source4/libcli/raw/rawfileinfo.c b/source4/libcli/raw/rawfileinfo.c index c844f923b8..6f875f51a7 100644 --- a/source4/libcli/raw/rawfileinfo.c +++ b/source4/libcli/raw/rawfileinfo.c @@ -48,6 +48,7 @@ static NTSTATUS smb_raw_info_backend(struct smbcli_session *session, case RAW_FILEINFO_GENERIC: case RAW_FILEINFO_GETATTR: case RAW_FILEINFO_GETATTRE: + case RAW_FILEINFO_SEC_DESC: /* not handled here */ return NT_STATUS_INVALID_LEVEL; @@ -460,12 +461,15 @@ failed: Query file info (async send) ****************************************************************************/ struct smbcli_request *smb_raw_fileinfo_send(struct smbcli_tree *tree, - union smb_fileinfo *parms) + union smb_fileinfo *parms) { /* pass off the non-trans2 level to specialised functions */ if (parms->generic.level == RAW_FILEINFO_GETATTRE) { return smb_raw_getattrE_send(tree, parms); } + if (parms->generic.level == RAW_FILEINFO_SEC_DESC) { + return smb_raw_query_secdesc_send(tree, parms); + } if (parms->generic.level >= RAW_FILEINFO_GENERIC) { return NULL; } @@ -489,6 +493,9 @@ NTSTATUS smb_raw_fileinfo_recv(struct smbcli_request *req, if (parms->generic.level == RAW_FILEINFO_GETATTRE) { return smb_raw_getattrE_recv(req, parms); } + if (parms->generic.level == RAW_FILEINFO_SEC_DESC) { + return smb_raw_query_secdesc_recv(req, mem_ctx, parms); + } if (parms->generic.level == RAW_FILEINFO_GETATTR) { return smb_raw_getattr_recv(req, parms); } diff --git a/source4/libcli/raw/rawsetfileinfo.c b/source4/libcli/raw/rawsetfileinfo.c index 0c263ac082..76756971ae 100644 --- a/source4/libcli/raw/rawsetfileinfo.c +++ b/source4/libcli/raw/rawsetfileinfo.c @@ -41,6 +41,7 @@ static BOOL smb_raw_setinfo_backend(struct smbcli_tree *tree, case RAW_SFILEINFO_GENERIC: case RAW_SFILEINFO_SETATTR: case RAW_SFILEINFO_SETATTRE: + case RAW_SFILEINFO_SEC_DESC: /* not handled here */ return False; @@ -262,6 +263,9 @@ struct smbcli_request *smb_raw_setfileinfo_send(struct smbcli_tree *tree, if (parms->generic.level == RAW_SFILEINFO_SETATTRE) { return smb_raw_setattrE_send(tree, parms); } + if (parms->generic.level == RAW_SFILEINFO_SEC_DESC) { + return smb_raw_set_secdesc_send(tree, parms); + } if (parms->generic.level >= RAW_SFILEINFO_GENERIC) { return NULL; } diff --git a/source4/librpc/ndr/ndr_sec.h b/source4/librpc/ndr/ndr_sec.h deleted file mode 100644 index d5e7288fe2..0000000000 --- a/source4/librpc/ndr/ndr_sec.h +++ /dev/null @@ -1,56 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - definitions for marshalling/unmarshalling security descriptors - and related structures - - Copyright (C) Andrew Tridgell 2003 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - - -/* - use the same structure for dom_sid2 as dom_sid. A dom_sid2 is really - just a dom sid, but with the sub_auths represented as a conformant - array. As with all in-structure conformant arrays, the array length - is placed before the start of the structure. That's what gives rise - to the extra num_auths elemenent. We don't want the Samba code to - have to bother with such esoteric NDR details, so its easier to just - define it as a dom_sid and use pidl magic to make it all work. It - just means you need to mark a sid as a "dom_sid2" in the IDL when you - know it is of the conformant array variety -*/ -#define dom_sid2 dom_sid - -/* query security descriptor */ -struct smb_query_secdesc { - struct { - uint16_t fnum; - uint32_t secinfo_flags; - } in; - struct { - struct security_descriptor *sd; - } out; -}; - -/* set security descriptor */ -struct smb_set_secdesc { - struct { - uint16_t fnum; - uint32_t secinfo_flags; - struct security_descriptor *sd; - } in; -}; diff --git a/source4/smb_server/trans2.c b/source4/smb_server/trans2.c index 1d5c93cf18..13fffb4487 100644 --- a/source4/smb_server/trans2.c +++ b/source4/smb_server/trans2.c @@ -476,6 +476,7 @@ static NTSTATUS trans2_fileinfo_fill(struct smbsrv_request *req, struct smb_tran case RAW_FILEINFO_GENERIC: case RAW_FILEINFO_GETATTR: case RAW_FILEINFO_GETATTRE: + case RAW_FILEINFO_SEC_DESC: /* handled elsewhere */ return NT_STATUS_INVALID_LEVEL; @@ -777,6 +778,7 @@ static NTSTATUS trans2_parse_sfileinfo(struct smbsrv_request *req, case RAW_SFILEINFO_GENERIC: case RAW_SFILEINFO_SETATTR: case RAW_SFILEINFO_SETATTRE: + case RAW_SFILEINFO_SEC_DESC: /* handled elsewhere */ return NT_STATUS_INVALID_LEVEL; diff --git a/source4/torture/raw/acls.c b/source4/torture/raw/acls.c index 1562af55ca..6c88b60855 100644 --- a/source4/torture/raw/acls.c +++ b/source4/torture/raw/acls.c @@ -42,8 +42,8 @@ static BOOL test_sd(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) const char *fname = BASEDIR "\\sd.txt"; BOOL ret = True; int fnum; - struct smb_query_secdesc q; - struct smb_set_secdesc set; + union smb_fileinfo q; + union smb_setfileinfo set; struct security_ace ace; struct security_descriptor *sd; struct dom_sid *test_sid; @@ -67,15 +67,16 @@ static BOOL test_sd(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) status = smb_raw_open(cli->tree, mem_ctx, &io); CHECK_STATUS(status, NT_STATUS_OK); fnum = io.ntcreatex.out.fnum; - - q.in.fnum = fnum; - q.in.secinfo_flags = + + q.query_secdesc.level = RAW_FILEINFO_SEC_DESC; + q.query_secdesc.in.fnum = fnum; + q.query_secdesc.in.secinfo_flags = OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION; - status = smb_raw_query_secdesc(cli->tree, mem_ctx, &q); + status = smb_raw_fileinfo(cli->tree, mem_ctx, &q); CHECK_STATUS(status, NT_STATUS_OK); - sd = q.out.sd; + sd = q.query_secdesc.out.sd; printf("add a new ACE to the DACL\n"); @@ -89,20 +90,21 @@ static BOOL test_sd(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) status = security_descriptor_dacl_add(sd, &ace); CHECK_STATUS(status, NT_STATUS_OK); - set.in.fnum = fnum; - set.in.secinfo_flags = q.in.secinfo_flags; - set.in.sd = sd; + set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; + set.set_secdesc.file.fnum = fnum; + set.set_secdesc.in.secinfo_flags = q.query_secdesc.in.secinfo_flags; + set.set_secdesc.in.sd = sd; - status = smb_raw_set_secdesc(cli->tree, &set); + status = smb_raw_setfileinfo(cli->tree, &set); CHECK_STATUS(status, NT_STATUS_OK); - status = smb_raw_query_secdesc(cli->tree, mem_ctx, &q); + status = smb_raw_fileinfo(cli->tree, mem_ctx, &q); CHECK_STATUS(status, NT_STATUS_OK); - if (!security_descriptor_equal(q.out.sd, sd)) { + if (!security_descriptor_equal(q.query_secdesc.out.sd, sd)) { printf("security descriptors don't match!\n"); printf("got:\n"); - NDR_PRINT_DEBUG(security_descriptor, q.out.sd); + NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd); printf("expected:\n"); NDR_PRINT_DEBUG(security_descriptor, sd); } @@ -112,16 +114,16 @@ static BOOL test_sd(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) status = security_descriptor_dacl_del(sd, test_sid); CHECK_STATUS(status, NT_STATUS_OK); - status = smb_raw_set_secdesc(cli->tree, &set); + status = smb_raw_setfileinfo(cli->tree, &set); CHECK_STATUS(status, NT_STATUS_OK); - status = smb_raw_query_secdesc(cli->tree, mem_ctx, &q); + status = smb_raw_fileinfo(cli->tree, mem_ctx, &q); CHECK_STATUS(status, NT_STATUS_OK); - if (!security_descriptor_equal(q.out.sd, sd)) { + if (!security_descriptor_equal(q.query_secdesc.out.sd, sd)) { printf("security descriptors don't match!\n"); printf("got:\n"); - NDR_PRINT_DEBUG(security_descriptor, q.out.sd); + NDR_PRINT_DEBUG(security_descriptor, q.query_secdesc.out.sd); printf("expected:\n"); NDR_PRINT_DEBUG(security_descriptor, sd); } -- cgit