2 * Convert ZFS/NFSv4 acls to NT acls and vice versa.
4 * Copyright (C) Jiri Sasek, 2007
5 * based on the foobar.c module which is copyrighted by Volker Lendecke
7 * Many thanks to Axel Apitz for help to fix the special ace's handling
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 3 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, see <http://www.gnu.org/licenses/>.
26 #include "system/filesys.h"
27 #include "smbd/smbd.h"
28 #include "nfs4_acls.h"
30 #ifdef HAVE_FREEBSD_SUNACL_H
35 #define DBGC_CLASS DBGC_VFS
37 #define ZFSACL_MODULE_NAME "zfsacl"
39 struct zfsacl_config_data {
40 struct smbacl4_vfs_params nfs4_params;
41 bool zfsacl_map_dacl_protected;
42 bool zfsacl_denymissingspecial;
43 bool zfsacl_block_special;
47 * read the local file's acls and return it in NT form
48 * using the NFSv4 format conversion
50 static NTSTATUS zfs_get_nt_acl_common(struct connection_struct *conn,
52 const struct smb_filename *smb_fname,
55 struct SMB4ACL_T **ppacl,
56 struct zfsacl_config_data *config)
59 struct SMB4ACL_T *pacl;
61 const SMB_STRUCT_STAT *psbuf = NULL;
63 bool inherited_is_present = false;
66 if (VALID_STAT(smb_fname->st)) {
67 psbuf = &smb_fname->st;
71 ret = vfs_stat_smb_basename(conn, smb_fname, &sbuf);
73 DBG_INFO("stat [%s]failed: %s\n",
74 smb_fname_str_dbg(smb_fname), strerror(errno));
75 return map_nt_error_from_unix(errno);
79 is_dir = S_ISDIR(psbuf->st_ex_mode);
81 mem_ctx = talloc_tos();
83 /* create SMB4ACL data */
84 if((pacl = smb_create_smb4acl(mem_ctx)) == NULL) {
85 return NT_STATUS_NO_MEMORY;
87 for(i=0; i<naces; i++) {
88 SMB_ACE4PROP_T aceprop;
91 aceprop.aceType = (uint32_t) acebuf[i].a_type;
92 aceprop.aceFlags = (uint32_t) acebuf[i].a_flags;
93 aceprop.aceMask = (uint32_t) acebuf[i].a_access_mask;
94 aceprop.who.id = (uint32_t) acebuf[i].a_who;
96 if (config->zfsacl_block_special &&
97 (aceprop.aceMask == 0) &&
98 (aceprop.aceFlags & ACE_EVERYONE) &&
99 (aceprop.aceFlags & ACE_INHERITED_ACE))
104 * Windows clients expect SYNC on acls to correctly allow
105 * rename, cf bug #7909. But not on DENY ace entries, cf bug
108 if (aceprop.aceType == SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE) {
109 aceprop.aceMask |= SMB_ACE4_SYNCHRONIZE;
112 special = acebuf[i].a_flags & (ACE_OWNER|ACE_GROUP|ACE_EVERYONE);
115 (aceprop.aceMask & SMB_ACE4_ADD_FILE) &&
118 aceprop.aceMask |= SMB_ACE4_DELETE_CHILD;
121 #ifdef ACE_INHERITED_ACE
122 if (aceprop.aceFlags & ACE_INHERITED_ACE) {
123 inherited_is_present = true;
128 aceprop.flags = SMB_ACE4_ID_SPECIAL;
129 aceprop.who.special_id = SMB_ACE4_WHO_OWNER;
132 aceprop.flags = SMB_ACE4_ID_SPECIAL;
133 aceprop.who.special_id = SMB_ACE4_WHO_GROUP;
136 aceprop.flags = SMB_ACE4_ID_SPECIAL;
137 aceprop.who.special_id = SMB_ACE4_WHO_EVERYONE;
142 if (smb_add_ace4(pacl, &aceprop) == NULL) {
143 return NT_STATUS_NO_MEMORY;
147 #ifdef ACE_INHERITED_ACE
148 if (!inherited_is_present && config->zfsacl_map_dacl_protected) {
149 DBG_DEBUG("Setting SEC_DESC_DACL_PROTECTED on [%s]\n",
150 smb_fname_str_dbg(smb_fname));
151 smbacl4_set_controlflags(pacl,
152 SEC_DESC_DACL_PROTECTED |
153 SEC_DESC_SELF_RELATIVE);
160 /* call-back function processing the NT acl -> ZFS acl using NFSv4 conv. */
161 static bool zfs_process_smbacl(vfs_handle_struct *handle, files_struct *fsp,
162 struct SMB4ACL_T *smbacl)
164 int naces = smb_get_naces(smbacl), i, rv;
166 struct SMB4ACE_T *smbace;
168 bool have_special_id = false;
169 bool must_add_empty_ace = false;
170 struct zfsacl_config_data *config = NULL;
173 SMB_VFS_HANDLE_GET_DATA(handle, config,
174 struct zfsacl_config_data,
177 if (config->zfsacl_block_special && S_ISDIR(fsp->fsp_name->st.st_ex_mode)) {
179 must_add_empty_ace = true;
181 /* allocate the field of ZFS aces */
182 mem_ctx = talloc_tos();
183 acebuf = (ace_t *) talloc_size(mem_ctx, sizeof(ace_t)*naces);
188 /* handle all aces */
189 for(smbace = smb_first_ace4(smbacl), i = 0;
191 smbace = smb_next_ace4(smbace), i++) {
192 SMB_ACE4PROP_T *aceprop = smb_get_ace4(smbace);
194 acebuf[i].a_type = aceprop->aceType;
195 acebuf[i].a_flags = aceprop->aceFlags;
196 acebuf[i].a_access_mask = aceprop->aceMask;
197 /* SYNC on acls is a no-op on ZFS.
199 acebuf[i].a_access_mask &= ~SMB_ACE4_SYNCHRONIZE;
200 acebuf[i].a_who = aceprop->who.id;
201 if(aceprop->flags & SMB_ACE4_ID_SPECIAL) {
202 switch(aceprop->who.special_id) {
203 case SMB_ACE4_WHO_EVERYONE:
204 acebuf[i].a_flags |= ACE_EVERYONE;
206 case SMB_ACE4_WHO_OWNER:
207 acebuf[i].a_flags |= ACE_OWNER;
209 case SMB_ACE4_WHO_GROUP:
210 acebuf[i].a_flags |= ACE_GROUP|ACE_IDENTIFIER_GROUP;
213 DEBUG(8, ("unsupported special_id %d\n", \
214 aceprop->who.special_id));
215 continue; /* don't add it !!! */
217 have_special_id = true;
220 if (must_add_empty_ace) {
221 acebuf[i].a_type = SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE;
222 acebuf[i].a_flags = SMB_ACE4_DIRECTORY_INHERIT_ACE |
223 SMB_ACE4_FILE_INHERIT_ACE |
226 acebuf[i].a_access_mask = 0;
230 if (!have_special_id && config->zfsacl_denymissingspecial) {
235 SMB_ASSERT(i == naces);
238 fd = fsp_get_pathref_fd(fsp);
243 rv = facl(fd, ACE_SETACL, naces, acebuf);
245 if(errno == ENOSYS) {
246 DEBUG(9, ("acl(ACE_SETACL, %s): Operation is not "
247 "supported on the filesystem where the file "
248 "reside", fsp_str_dbg(fsp)));
250 DEBUG(9, ("acl(ACE_SETACL, %s): %s ", fsp_str_dbg(fsp),
260 * set the local file's acls obtaining it in NT form
261 * using the NFSv4 format conversion
263 static NTSTATUS zfs_set_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
264 uint32_t security_info_sent,
265 const struct security_descriptor *psd)
267 struct zfsacl_config_data *config = NULL;
269 SMB_VFS_HANDLE_GET_DATA(handle, config,
270 struct zfsacl_config_data,
271 return NT_STATUS_INTERNAL_ERROR);
273 return smb_set_nt_acl_nfs4(handle,
275 &config->nfs4_params,
281 static int fget_zfsacl(TALLOC_CTX *mem_ctx,
282 struct files_struct *fsp,
286 ace_t *acebuf = NULL;
289 fd = fsp_get_pathref_fd(fsp);
294 naces = facl(fd, ACE_GETACLCNT, 0, NULL);
298 if (errno == ENOSYS) {
301 DEBUG(dbg_level, ("facl(ACE_GETACLCNT, %s): %s ",
302 fsp_str_dbg(fsp), strerror(errno)));
306 acebuf = talloc_size(mem_ctx, sizeof(ace_t)*naces);
307 if (acebuf == NULL) {
312 rv = facl(fd, ACE_GETACL, naces, acebuf);
314 DBG_DEBUG("acl(ACE_GETACL, %s): %s ",
315 fsp_str_dbg(fsp), strerror(errno));
323 static NTSTATUS zfsacl_fget_nt_acl(struct vfs_handle_struct *handle,
324 struct files_struct *fsp,
325 uint32_t security_info,
327 struct security_descriptor **ppdesc)
329 struct SMB4ACL_T *pacl;
331 struct zfsacl_config_data *config = NULL;
332 ace_t *acebuf = NULL;
335 SMB_VFS_HANDLE_GET_DATA(handle, config,
336 struct zfsacl_config_data,
337 return NT_STATUS_INTERNAL_ERROR);
339 TALLOC_CTX *frame = talloc_stackframe();
341 naces = fget_zfsacl(talloc_tos(), fsp, &acebuf);
343 status = map_nt_error_from_unix(errno);
345 if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
349 status = make_default_filesystem_acl(mem_ctx,
351 fsp->fsp_name->base_name,
354 if (!NT_STATUS_IS_OK(status)) {
357 (*ppdesc)->type |= SEC_DESC_DACL_PROTECTED;
361 status = zfs_get_nt_acl_common(handle->conn,
368 if (!NT_STATUS_IS_OK(status)) {
373 status = smb_fget_nt_acl_nfs4(fsp, NULL, security_info, mem_ctx,
379 static NTSTATUS zfsacl_fset_nt_acl(vfs_handle_struct *handle,
381 uint32_t security_info_sent,
382 const struct security_descriptor *psd)
384 return zfs_set_nt_acl(handle, fsp, security_info_sent, psd);
387 /* nils.goroll@hamburg.de 2008-06-16 :
390 - https://bugzilla.samba.org/show_bug.cgi?id=5446
391 - http://bugs.opensolaris.org/view_bug.do?bug_id=6688240
393 Solaris supports NFSv4 and ZFS ACLs through a common system call, acl(2)
394 with ACE_SETACL / ACE_GETACL / ACE_GETACLCNT, which is being wrapped for
395 use by samba in this module.
397 As the acl(2) interface is identical for ZFS and for NFS, this module,
398 vfs_zfsacl, can not only be used for ZFS, but also for sharing NFSv4
401 But while "traditional" POSIX DRAFT ACLs (using acl(2) with SETACL
402 / GETACL / GETACLCNT) fail for ZFS, the Solaris NFS client
403 implements a compatibility wrapper, which will make calls to
404 traditional ACL calls though vfs_solarisacl succeed. As the
405 compatibility wrapper's implementation is (by design) incomplete,
406 we want to make sure that it is never being called.
408 As long as Samba does not support an explicit method for a module
409 to define conflicting vfs methods, we should override all conflicting
412 For this to work, we need to make sure that this module is initialised
413 *after* vfs_solarisacl
415 Function declarations taken from vfs_solarisacl
418 static SMB_ACL_T zfsacl_fail__sys_acl_get_fd(vfs_handle_struct *handle,
423 return (SMB_ACL_T)NULL;
426 static int zfsacl_fail__sys_acl_set_fd(vfs_handle_struct *handle,
434 static int zfsacl_fail__sys_acl_delete_def_fd(vfs_handle_struct *handle,
440 static int zfsacl_fail__sys_acl_blob_get_fd(vfs_handle_struct *handle, files_struct *fsp, TALLOC_CTX *mem_ctx, char **blob_description, DATA_BLOB *blob)
445 static int zfsacl_connect(struct vfs_handle_struct *handle,
446 const char *service, const char *user)
448 struct zfsacl_config_data *config = NULL;
451 ret = SMB_VFS_NEXT_CONNECT(handle, service, user);
456 config = talloc_zero(handle->conn, struct zfsacl_config_data);
458 DBG_ERR("talloc_zero() failed\n");
463 config->zfsacl_map_dacl_protected = lp_parm_bool(SNUM(handle->conn),
464 "zfsacl", "map_dacl_protected", false);
466 config->zfsacl_denymissingspecial = lp_parm_bool(SNUM(handle->conn),
467 "zfsacl", "denymissingspecial", false);
469 config->zfsacl_block_special = lp_parm_bool(SNUM(handle->conn),
470 "zfsacl", "block_special", true);
472 ret = smbacl4_get_vfs_params(handle->conn, &config->nfs4_params);
478 SMB_VFS_HANDLE_SET_DATA(handle, config,
479 NULL, struct zfsacl_config_data,
485 /* VFS operations structure */
487 static struct vfs_fn_pointers zfsacl_fns = {
488 .connect_fn = zfsacl_connect,
489 .sys_acl_get_fd_fn = zfsacl_fail__sys_acl_get_fd,
490 .sys_acl_blob_get_fd_fn = zfsacl_fail__sys_acl_blob_get_fd,
491 .sys_acl_set_fd_fn = zfsacl_fail__sys_acl_set_fd,
492 .sys_acl_delete_def_fd_fn = zfsacl_fail__sys_acl_delete_def_fd,
493 .fget_nt_acl_fn = zfsacl_fget_nt_acl,
494 .fset_nt_acl_fn = zfsacl_fset_nt_acl,
498 NTSTATUS vfs_zfsacl_init(TALLOC_CTX *ctx)
500 return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "zfsacl",