2 * Store Windows ACLs in data store - common functions.
3 * #included into modules/vfs_acl_xattr.c and modules/vfs_acl_tdb.c
5 * Copyright (C) Volker Lendecke, 2008
6 * Copyright (C) Jeremy Allison, 2009
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 static NTSTATUS create_acl_blob(const struct security_descriptor *psd,
25 uint8_t hash[XATTR_SD_HASH_SIZE]);
27 static NTSTATUS get_acl_blob(TALLOC_CTX *ctx,
28 vfs_handle_struct *handle,
33 static NTSTATUS store_acl_blob_fsp(vfs_handle_struct *handle,
37 #define HASH_SECURITY_INFO (OWNER_SECURITY_INFORMATION | \
38 GROUP_SECURITY_INFORMATION | \
39 DACL_SECURITY_INFORMATION | \
40 SACL_SECURITY_INFORMATION)
42 /*******************************************************************
43 Hash a security descriptor.
44 *******************************************************************/
46 static NTSTATUS hash_sd_sha256(struct security_descriptor *psd,
53 memset(hash, '\0', XATTR_SD_HASH_SIZE);
54 status = create_acl_blob(psd, &blob, XATTR_SD_HASH_TYPE_SHA256, hash);
55 if (!NT_STATUS_IS_OK(status)) {
60 SHA256_Update(&tctx, blob.data, blob.length);
61 SHA256_Final(hash, &tctx);
66 /*******************************************************************
67 Parse out a struct security_descriptor from a DATA_BLOB.
68 *******************************************************************/
70 static NTSTATUS parse_acl_blob(const DATA_BLOB *pblob,
71 struct security_descriptor **ppdesc,
72 uint16_t *p_hash_type,
73 uint8_t hash[XATTR_SD_HASH_SIZE])
75 TALLOC_CTX *ctx = talloc_tos();
76 struct xattr_NTACL xacl;
77 enum ndr_err_code ndr_err;
80 ndr_err = ndr_pull_struct_blob(pblob, ctx, NULL, &xacl,
81 (ndr_pull_flags_fn_t)ndr_pull_xattr_NTACL);
83 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
84 DEBUG(5, ("parse_acl_blob: ndr_pull_xattr_NTACL failed: %s\n",
85 ndr_errstr(ndr_err)));
86 return ndr_map_error2ntstatus(ndr_err);;
89 switch (xacl.version) {
91 *ppdesc = make_sec_desc(ctx, SEC_DESC_REVISION,
92 xacl.info.sd_hs2->sd->type | SEC_DESC_SELF_RELATIVE,
93 xacl.info.sd_hs2->sd->owner_sid,
94 xacl.info.sd_hs2->sd->group_sid,
95 xacl.info.sd_hs2->sd->sacl,
96 xacl.info.sd_hs2->sd->dacl,
98 /* No hash - null out. */
99 *p_hash_type = XATTR_SD_HASH_TYPE_NONE;
100 memset(hash, '\0', XATTR_SD_HASH_SIZE);
103 *ppdesc = make_sec_desc(ctx, SEC_DESC_REVISION,
104 xacl.info.sd_hs3->sd->type | SEC_DESC_SELF_RELATIVE,
105 xacl.info.sd_hs3->sd->owner_sid,
106 xacl.info.sd_hs3->sd->group_sid,
107 xacl.info.sd_hs3->sd->sacl,
108 xacl.info.sd_hs3->sd->dacl,
110 *p_hash_type = xacl.info.sd_hs3->hash_type;
111 /* Current version 3. */
112 memcpy(hash, xacl.info.sd_hs3->hash, XATTR_SD_HASH_SIZE);
115 return NT_STATUS_REVISION_MISMATCH;
118 TALLOC_FREE(xacl.info.sd);
120 return (*ppdesc != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
123 /*******************************************************************
124 Create a DATA_BLOB from a security descriptor.
125 *******************************************************************/
127 static NTSTATUS create_acl_blob(const struct security_descriptor *psd,
130 uint8_t hash[XATTR_SD_HASH_SIZE])
132 struct xattr_NTACL xacl;
133 struct security_descriptor_hash_v3 sd_hs3;
134 enum ndr_err_code ndr_err;
135 TALLOC_CTX *ctx = talloc_tos();
141 xacl.info.sd_hs3 = &sd_hs3;
142 xacl.info.sd_hs3->sd = CONST_DISCARD(struct security_descriptor *, psd);
143 xacl.info.sd_hs3->hash_type = hash_type;
144 memcpy(&xacl.info.sd_hs3->hash[0], hash, XATTR_SD_HASH_SIZE);
146 ndr_err = ndr_push_struct_blob(
147 pblob, ctx, NULL, &xacl,
148 (ndr_push_flags_fn_t)ndr_push_xattr_NTACL);
150 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
151 DEBUG(5, ("create_acl_blob: ndr_push_xattr_NTACL failed: %s\n",
152 ndr_errstr(ndr_err)));
153 return ndr_map_error2ntstatus(ndr_err);;
159 /*******************************************************************
160 Add in 3 inheritable components for a non-inheritable directory ACL.
161 CREATOR_OWNER/CREATOR_GROUP/WORLD.
162 *******************************************************************/
164 static void add_directory_inheritable_components(vfs_handle_struct *handle,
166 SMB_STRUCT_STAT *psbuf,
167 struct security_descriptor *psd)
169 struct connection_struct *conn = handle->conn;
170 int num_aces = (psd->dacl ? psd->dacl->num_aces : 0);
171 struct smb_filename smb_fname;
172 enum security_ace_type acltype;
173 uint32_t access_mask;
177 struct security_ace *new_ace_list = TALLOC_ZERO_ARRAY(talloc_tos(),
181 if (new_ace_list == NULL) {
185 /* Fake a quick smb_filename. */
186 ZERO_STRUCT(smb_fname);
187 smb_fname.st = *psbuf;
188 smb_fname.base_name = CONST_DISCARD(char *, name);
190 dir_mode = unix_mode(conn,
191 FILE_ATTRIBUTE_DIRECTORY, &smb_fname, NULL);
192 file_mode = unix_mode(conn,
193 FILE_ATTRIBUTE_ARCHIVE, &smb_fname, NULL);
195 mode = dir_mode | file_mode;
197 DEBUG(10, ("add_directory_inheritable_components: directory %s, "
200 (unsigned int)mode ));
203 memcpy(new_ace_list, psd->dacl->aces,
204 num_aces * sizeof(struct security_ace));
206 access_mask = map_canon_ace_perms(SNUM(conn), &acltype,
209 init_sec_ace(&new_ace_list[num_aces],
210 &global_sid_Creator_Owner,
213 SEC_ACE_FLAG_CONTAINER_INHERIT|
214 SEC_ACE_FLAG_OBJECT_INHERIT|
215 SEC_ACE_FLAG_INHERIT_ONLY);
216 access_mask = map_canon_ace_perms(SNUM(conn), &acltype,
217 (mode << 3) & 0700, false);
218 init_sec_ace(&new_ace_list[num_aces+1],
219 &global_sid_Creator_Group,
222 SEC_ACE_FLAG_CONTAINER_INHERIT|
223 SEC_ACE_FLAG_OBJECT_INHERIT|
224 SEC_ACE_FLAG_INHERIT_ONLY);
225 access_mask = map_canon_ace_perms(SNUM(conn), &acltype,
226 (mode << 6) & 0700, false);
227 init_sec_ace(&new_ace_list[num_aces+2],
231 SEC_ACE_FLAG_CONTAINER_INHERIT|
232 SEC_ACE_FLAG_OBJECT_INHERIT|
233 SEC_ACE_FLAG_INHERIT_ONLY);
234 psd->dacl->aces = new_ace_list;
235 psd->dacl->num_aces += 3;
238 /*******************************************************************
239 Pull a DATA_BLOB from an xattr given a pathname.
240 If the hash doesn't match, or doesn't exist - return the underlying
242 *******************************************************************/
244 static NTSTATUS get_nt_acl_internal(vfs_handle_struct *handle,
247 uint32_t security_info,
248 struct security_descriptor **ppdesc)
253 uint8_t hash[XATTR_SD_HASH_SIZE];
254 uint8_t hash_tmp[XATTR_SD_HASH_SIZE];
255 struct security_descriptor *psd = NULL;
256 struct security_descriptor *pdesc_next = NULL;
257 bool ignore_file_system_acl = lp_parm_bool(SNUM(handle->conn),
259 "ignore system acls",
262 if (fsp && name == NULL) {
263 name = fsp->fsp_name->base_name;
266 DEBUG(10, ("get_nt_acl_internal: name=%s\n", name));
268 /* Get the full underlying sd for the hash
269 or to return as backup. */
271 status = SMB_VFS_NEXT_FGET_NT_ACL(handle,
276 status = SMB_VFS_NEXT_GET_NT_ACL(handle,
282 if (!NT_STATUS_IS_OK(status)) {
283 DEBUG(10, ("get_nt_acl_internal: get_next_acl for file %s "
290 status = get_acl_blob(talloc_tos(), handle, fsp, name, &blob);
291 if (!NT_STATUS_IS_OK(status)) {
292 DEBUG(10, ("get_nt_acl_internal: get_acl_blob returned %s\n",
298 status = parse_acl_blob(&blob, &psd,
299 &hash_type, &hash[0]);
300 if (!NT_STATUS_IS_OK(status)) {
301 DEBUG(10, ("parse_acl_blob returned %s\n",
307 /* Ensure the hash type is one we know. */
309 case XATTR_SD_HASH_TYPE_NONE:
310 /* No hash, just return blob sd. */
312 case XATTR_SD_HASH_TYPE_SHA256:
315 DEBUG(10, ("get_nt_acl_internal: ACL blob revision "
316 "mismatch (%u) for file %s\n",
317 (unsigned int)hash_type,
324 if (ignore_file_system_acl) {
328 status = hash_sd_sha256(pdesc_next, hash_tmp);
329 if (!NT_STATUS_IS_OK(status)) {
335 if (memcmp(&hash[0], &hash_tmp[0], XATTR_SD_HASH_SIZE) == 0) {
336 /* Hash matches, return blob sd. */
337 DEBUG(10, ("get_nt_acl_internal: blob hash "
338 "matches for file %s\n",
343 /* Hash doesn't match, return underlying sd. */
349 if (psd != pdesc_next) {
350 /* We're returning the blob, throw
351 * away the filesystem SD. */
352 TALLOC_FREE(pdesc_next);
354 SMB_STRUCT_STAT sbuf;
355 SMB_STRUCT_STAT *psbuf = &sbuf;
356 bool is_directory = false;
358 * We're returning the underlying ACL from the
359 * filesystem. If it's a directory, and has no
360 * inheritable ACE entries we have to fake them.
363 status = vfs_stat_fsp(fsp);
364 if (!NT_STATUS_IS_OK(status)) {
367 psbuf = &fsp->fsp_name->st;
369 int ret = vfs_stat_smb_fname(handle->conn,
373 return map_nt_error_from_unix(errno);
376 is_directory = S_ISDIR(sbuf.st_ex_mode);
378 if (ignore_file_system_acl) {
379 TALLOC_FREE(pdesc_next);
380 status = make_default_filesystem_acl(talloc_tos(),
384 if (!NT_STATUS_IS_OK(status)) {
389 !sd_has_inheritable_components(psd,
391 add_directory_inheritable_components(handle,
396 /* The underlying POSIX module always sets
397 the ~SEC_DESC_DACL_PROTECTED bit, as ACLs
398 can't be inherited in this way under POSIX.
399 Remove it for Windows-style ACLs. */
400 psd->type &= ~SEC_DESC_DACL_PROTECTED;
404 if (!(security_info & OWNER_SECURITY_INFORMATION)) {
405 psd->owner_sid = NULL;
407 if (!(security_info & GROUP_SECURITY_INFORMATION)) {
408 psd->group_sid = NULL;
410 if (!(security_info & DACL_SECURITY_INFORMATION)) {
413 if (!(security_info & SACL_SECURITY_INFORMATION)) {
417 TALLOC_FREE(blob.data);
420 if (DEBUGLEVEL >= 10) {
421 DEBUG(10,("get_nt_acl_internal: returning acl for %s is:\n",
423 NDR_PRINT_DEBUG(security_descriptor, psd);
429 /*********************************************************************
430 Create a default ACL by inheriting from the parent. If no inheritance
431 from the parent available, don't set anything. This will leave the actual
432 permissions the new file or directory already got from the filesystem
433 as the NT ACL when read.
434 *********************************************************************/
436 static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
438 struct security_descriptor *parent_desc,
441 TALLOC_CTX *ctx = talloc_tos();
442 NTSTATUS status = NT_STATUS_OK;
443 struct security_descriptor *psd = NULL;
444 struct dom_sid *owner_sid = NULL;
445 struct dom_sid *group_sid = NULL;
446 uint32_t security_info_sent = (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION);
448 bool inherit_owner = lp_inherit_owner(SNUM(handle->conn));
449 bool inheritable_components = sd_has_inheritable_components(parent_desc,
452 if (!inheritable_components && !inherit_owner) {
453 /* Nothing to inherit and not setting owner. */
457 /* Create an inherited descriptor from the parent. */
459 if (DEBUGLEVEL >= 10) {
460 DEBUG(10,("inherit_new_acl: parent acl for %s is:\n",
462 NDR_PRINT_DEBUG(security_descriptor, parent_desc);
465 /* Inherit from parent descriptor if "inherit owner" set. */
467 owner_sid = parent_desc->owner_sid;
468 group_sid = parent_desc->group_sid;
471 if (owner_sid == NULL) {
472 owner_sid = &handle->conn->server_info->ptok->user_sids[PRIMARY_USER_SID_INDEX];
474 if (group_sid == NULL) {
475 group_sid = &handle->conn->server_info->ptok->user_sids[PRIMARY_GROUP_SID_INDEX];
478 status = se_create_child_secdesc(ctx,
485 if (!NT_STATUS_IS_OK(status)) {
489 /* If inheritable_components == false,
490 se_create_child_secdesc()
491 creates a security desriptor with a NULL dacl
492 entry, but with SEC_DESC_DACL_PRESENT. We need
493 to remove that flag. */
495 if (!inheritable_components) {
496 security_info_sent &= ~SECINFO_DACL;
497 psd->type &= ~SEC_DESC_DACL_PRESENT;
500 if (DEBUGLEVEL >= 10) {
501 DEBUG(10,("inherit_new_acl: child acl for %s is:\n",
503 NDR_PRINT_DEBUG(security_descriptor, psd);
507 /* We need to be root to force this. */
510 status = SMB_VFS_FSET_NT_ACL(fsp,
519 static NTSTATUS get_parent_acl_common(vfs_handle_struct *handle,
521 struct security_descriptor **pp_parent_desc)
523 char *parent_name = NULL;
526 if (!parent_dirname(talloc_tos(), path, &parent_name, NULL)) {
527 return NT_STATUS_NO_MEMORY;
530 status = get_nt_acl_internal(handle,
538 if (!NT_STATUS_IS_OK(status)) {
539 DEBUG(10,("get_parent_acl_common: get_nt_acl_internal "
540 "on directory %s for "
541 "path %s returned %s\n",
544 nt_errstr(status) ));
549 static NTSTATUS check_parent_acl_common(vfs_handle_struct *handle,
551 uint32_t access_mask,
552 struct security_descriptor **pp_parent_desc)
554 char *parent_name = NULL;
555 struct security_descriptor *parent_desc = NULL;
556 uint32_t access_granted = 0;
559 status = get_parent_acl_common(handle, path, &parent_desc);
560 if (!NT_STATUS_IS_OK(status)) {
563 if (pp_parent_desc) {
564 *pp_parent_desc = parent_desc;
566 status = smb1_file_se_access_check(handle->conn,
568 handle->conn->server_info->ptok,
571 if(!NT_STATUS_IS_OK(status)) {
572 DEBUG(10,("check_parent_acl_common: access check "
573 "on directory %s for "
574 "path %s for mask 0x%x returned %s\n",
578 nt_errstr(status) ));
584 /*********************************************************************
585 Check ACL on open. For new files inherit from parent directory.
586 *********************************************************************/
588 static int open_acl_common(vfs_handle_struct *handle,
589 struct smb_filename *smb_fname,
594 uint32_t access_granted = 0;
595 struct security_descriptor *pdesc = NULL;
596 bool file_existed = true;
601 /* Stream open. Base filename open already did the ACL check. */
602 DEBUG(10,("open_acl_common: stream open on %s\n",
604 return SMB_VFS_NEXT_OPEN(handle, smb_fname, fsp, flags, mode);
607 status = get_full_smb_filename(talloc_tos(), smb_fname,
609 if (!NT_STATUS_IS_OK(status)) {
613 status = get_nt_acl_internal(handle,
616 (OWNER_SECURITY_INFORMATION |
617 GROUP_SECURITY_INFORMATION |
618 DACL_SECURITY_INFORMATION),
620 if (NT_STATUS_IS_OK(status)) {
621 /* See if we can access it. */
622 status = smb1_file_se_access_check(handle->conn,
624 handle->conn->server_info->ptok,
627 if (!NT_STATUS_IS_OK(status)) {
628 DEBUG(10,("open_acl_xattr: %s open "
629 "refused with error %s\n",
631 nt_errstr(status) ));
634 } else if (NT_STATUS_EQUAL(status,NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
635 file_existed = false;
637 * If O_CREAT is true then we're trying to create a file.
638 * Check the parent directory ACL will allow this.
640 if (flags & O_CREAT) {
641 struct security_descriptor *parent_desc = NULL;
642 struct security_descriptor **pp_psd = NULL;
644 status = check_parent_acl_common(handle, fname,
645 SEC_DIR_ADD_FILE, &parent_desc);
646 if (!NT_STATUS_IS_OK(status)) {
650 /* Cache the parent security descriptor for
653 pp_psd = VFS_ADD_FSP_EXTENSION(handle,
655 struct security_descriptor *,
658 status = NT_STATUS_NO_MEMORY;
662 *pp_psd = parent_desc;
663 status = NT_STATUS_OK;
667 DEBUG(10,("open_acl_xattr: get_nt_acl_attr_internal for "
670 nt_errstr(status) ));
672 fsp->fh->fd = SMB_VFS_NEXT_OPEN(handle, smb_fname, fsp, flags, mode);
677 errno = map_errno_from_nt_status(status);
681 static int mkdir_acl_common(vfs_handle_struct *handle, const char *path, mode_t mode)
685 SMB_STRUCT_STAT sbuf;
687 ret = vfs_stat_smb_fname(handle->conn, path, &sbuf);
688 if (ret == -1 && errno == ENOENT) {
689 /* We're creating a new directory. */
690 status = check_parent_acl_common(handle, path,
691 SEC_DIR_ADD_SUBDIR, NULL);
692 if (!NT_STATUS_IS_OK(status)) {
693 errno = map_errno_from_nt_status(status);
698 return SMB_VFS_NEXT_MKDIR(handle, path, mode);
701 /*********************************************************************
702 Fetch a security descriptor given an fsp.
703 *********************************************************************/
705 static NTSTATUS fget_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp,
706 uint32_t security_info, struct security_descriptor **ppdesc)
708 return get_nt_acl_internal(handle, fsp,
709 NULL, security_info, ppdesc);
712 /*********************************************************************
713 Fetch a security descriptor given a pathname.
714 *********************************************************************/
716 static NTSTATUS get_nt_acl_common(vfs_handle_struct *handle,
717 const char *name, uint32_t security_info, struct security_descriptor **ppdesc)
719 return get_nt_acl_internal(handle, NULL,
720 name, security_info, ppdesc);
723 /*********************************************************************
724 Store a security descriptor given an fsp.
725 *********************************************************************/
727 static NTSTATUS fset_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp,
728 uint32_t security_info_sent, const struct security_descriptor *orig_psd)
732 struct security_descriptor *pdesc_next = NULL;
733 struct security_descriptor *psd = NULL;
734 uint8_t hash[XATTR_SD_HASH_SIZE];
736 if (DEBUGLEVEL >= 10) {
737 DEBUG(10,("fset_nt_acl_xattr: incoming sd for file %s\n",
739 NDR_PRINT_DEBUG(security_descriptor,
740 CONST_DISCARD(struct security_descriptor *,orig_psd));
743 status = get_nt_acl_internal(handle, fsp,
745 SECINFO_OWNER|SECINFO_GROUP|SECINFO_DACL|SECINFO_SACL,
748 if (!NT_STATUS_IS_OK(status)) {
752 psd->revision = orig_psd->revision;
753 /* All our SD's are self relative. */
754 psd->type = orig_psd->type | SEC_DESC_SELF_RELATIVE;
756 if ((security_info_sent & SECINFO_OWNER) && (orig_psd->owner_sid != NULL)) {
757 psd->owner_sid = orig_psd->owner_sid;
759 if ((security_info_sent & SECINFO_GROUP) && (orig_psd->group_sid != NULL)) {
760 psd->group_sid = orig_psd->group_sid;
762 if (security_info_sent & SECINFO_DACL) {
763 psd->dacl = orig_psd->dacl;
764 psd->type |= SEC_DESC_DACL_PRESENT;
766 if (security_info_sent & SECINFO_SACL) {
767 psd->sacl = orig_psd->sacl;
768 psd->type |= SEC_DESC_SACL_PRESENT;
771 status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
772 if (!NT_STATUS_IS_OK(status)) {
776 /* Get the full underlying sd, then hash. */
777 status = SMB_VFS_NEXT_FGET_NT_ACL(handle,
782 if (!NT_STATUS_IS_OK(status)) {
786 status = hash_sd_sha256(pdesc_next, hash);
787 if (!NT_STATUS_IS_OK(status)) {
791 if (DEBUGLEVEL >= 10) {
792 DEBUG(10,("fset_nt_acl_xattr: storing xattr sd for file %s\n",
794 NDR_PRINT_DEBUG(security_descriptor,
795 CONST_DISCARD(struct security_descriptor *,psd));
797 create_acl_blob(psd, &blob, XATTR_SD_HASH_TYPE_SHA256, hash);
798 store_acl_blob_fsp(handle, fsp, &blob);
803 static SMB_STRUCT_DIR *opendir_acl_common(vfs_handle_struct *handle,
804 const char *fname, const char *mask, uint32 attr)
806 NTSTATUS status = check_parent_acl_common(handle, fname,
809 if (!NT_STATUS_IS_OK(status)) {
810 errno = map_errno_from_nt_status(status);
813 return SMB_VFS_NEXT_OPENDIR(handle, fname, mask, attr);
816 static int acl_common_remove_object(vfs_handle_struct *handle,
820 connection_struct *conn = handle->conn;
822 files_struct *fsp = NULL;
824 char *parent_dir = NULL;
825 const char *final_component = NULL;
826 struct smb_filename local_fname;
828 char *saved_dir = NULL;
830 saved_dir = vfs_GetWd(talloc_tos(),conn);
836 if (!parent_dirname(talloc_tos(), path,
837 &parent_dir, &final_component)) {
838 saved_errno = ENOMEM;
842 DEBUG(10,("acl_common_remove_object: removing %s %s/%s\n",
843 is_directory ? "directory" : "file",
844 parent_dir, final_component ));
846 /* cd into the parent dir to pin it. */
847 ret = vfs_ChDir(conn, parent_dir);
853 ZERO_STRUCT(local_fname);
854 local_fname.base_name = CONST_DISCARD(char *,final_component);
856 /* Must use lstat here. */
857 ret = SMB_VFS_LSTAT(conn, &local_fname);
863 /* Ensure we have this file open with DELETE access. */
864 id = vfs_file_id_from_sbuf(conn, &local_fname.st);
865 for (fsp = file_find_di_first(id); fsp; file_find_di_next(fsp)) {
866 if (fsp->access_mask & DELETE_ACCESS &&
867 fsp->delete_on_close) {
868 /* We did open this for delete,
869 * allow the delete as root.
876 DEBUG(10,("acl_common_remove_object: %s %s/%s "
877 "not an open file\n",
878 is_directory ? "directory" : "file",
879 parent_dir, final_component ));
880 saved_errno = EACCES;
886 ret = SMB_VFS_NEXT_RMDIR(handle, final_component);
888 ret = SMB_VFS_NEXT_UNLINK(handle, &local_fname);
898 TALLOC_FREE(parent_dir);
901 vfs_ChDir(conn, saved_dir);
909 static int rmdir_acl_common(struct vfs_handle_struct *handle,
914 ret = SMB_VFS_NEXT_RMDIR(handle, path);
915 if (!(ret == -1 && (errno == EACCES || errno == EPERM))) {
916 DEBUG(10,("rmdir_acl_common: unlink of %s failed %s\n",
922 return acl_common_remove_object(handle,
927 static NTSTATUS create_file_acl_common(struct vfs_handle_struct *handle,
928 struct smb_request *req,
929 uint16_t root_dir_fid,
930 struct smb_filename *smb_fname,
931 uint32_t access_mask,
932 uint32_t share_access,
933 uint32_t create_disposition,
934 uint32_t create_options,
935 uint32_t file_attributes,
936 uint32_t oplock_request,
937 uint64_t allocation_size,
938 struct security_descriptor *sd,
939 struct ea_list *ea_list,
940 files_struct **result,
943 NTSTATUS status, status1;
944 files_struct *fsp = NULL;
946 struct security_descriptor *parent_sd = NULL;
947 struct security_descriptor **pp_parent_sd = NULL;
949 status = SMB_VFS_NEXT_CREATE_FILE(handle,
965 if (!NT_STATUS_IS_OK(status)) {
969 if (info != FILE_WAS_CREATED) {
970 /* File/directory was opened, not created. */
977 /* Only handle success. */
982 /* Security descriptor already set. */
991 /* See if we have a cached parent sd, if so, use it. */
992 pp_parent_sd = (struct security_descriptor **)VFS_FETCH_FSP_EXTENSION(handle, fsp);
994 /* Must be a directory, fetch again (sigh). */
995 status = get_parent_acl_common(handle,
996 fsp->fsp_name->base_name,
998 if (!NT_STATUS_IS_OK(status)) {
1002 parent_sd = *pp_parent_sd;
1009 /* New directory - inherit from parent. */
1010 status1 = inherit_new_acl(handle, fsp, parent_sd, fsp->is_directory);
1012 if (!NT_STATUS_IS_OK(status1)) {
1013 DEBUG(1,("create_file_acl_common: error setting "
1016 nt_errstr(status1) ));
1022 VFS_REMOVE_FSP_EXTENSION(handle, fsp);
1025 if (NT_STATUS_IS_OK(status) && pinfo) {
1032 smb_panic("create_file_acl_common: logic error.\n");
1037 static int unlink_acl_common(struct vfs_handle_struct *handle,
1038 const struct smb_filename *smb_fname)
1042 ret = SMB_VFS_NEXT_UNLINK(handle, smb_fname);
1043 if (!(ret == -1 && (errno == EACCES || errno == EPERM))) {
1044 DEBUG(10,("unlink_acl_common: unlink of %s failed %s\n",
1045 smb_fname->base_name,
1049 /* Don't do anything fancy for streams. */
1050 if (smb_fname->stream_name) {
1054 return acl_common_remove_object(handle,
1055 smb_fname->base_name,
1059 static int chmod_acl_module_common(struct vfs_handle_struct *handle,
1060 const char *path, mode_t mode)
1062 if (lp_posix_pathnames()) {
1063 /* Only allow this on POSIX pathnames. */
1064 return SMB_VFS_NEXT_CHMOD(handle, path, mode);
1069 static int fchmod_acl_module_common(struct vfs_handle_struct *handle,
1070 struct files_struct *fsp, mode_t mode)
1072 if (fsp->posix_open) {
1073 /* Only allow this on POSIX opens. */
1074 return SMB_VFS_NEXT_FCHMOD(handle, fsp, mode);
1079 static int chmod_acl_acl_module_common(struct vfs_handle_struct *handle,
1080 const char *name, mode_t mode)
1082 if (lp_posix_pathnames()) {
1083 /* Only allow this on POSIX pathnames. */
1084 return SMB_VFS_NEXT_CHMOD_ACL(handle, name, mode);
1089 static int fchmod_acl_acl_module_common(struct vfs_handle_struct *handle,
1090 struct files_struct *fsp, mode_t mode)
1092 if (fsp->posix_open) {
1093 /* Only allow this on POSIX opens. */
1094 return SMB_VFS_NEXT_FCHMOD_ACL(handle, fsp, mode);
git.samba.org / samba.git / blob