Merge branch 'master' of ssh://git.samba.org/data/git/samba into abartlet-devel
[mat/samba.git] / source3 / smbd / posix_acls.c
1 /*
2    Unix SMB/CIFS implementation.
3    SMB NT Security Descriptor / Unix permission conversion.
4    Copyright (C) Jeremy Allison 1994-2009.
5    Copyright (C) Andreas Gruenbacher 2002.
6    Copyright (C) Simo Sorce <idra@samba.org> 2009.
7
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23
24 extern struct current_user current_user;
25 extern const struct generic_mapping file_generic_mapping;
26
27 #undef  DBGC_CLASS
28 #define DBGC_CLASS DBGC_ACLS
29
30 /****************************************************************************
31  Data structures representing the internal ACE format.
32 ****************************************************************************/
33
34 enum ace_owner {UID_ACE, GID_ACE, WORLD_ACE};
35 enum ace_attribute {ALLOW_ACE, DENY_ACE}; /* Used for incoming NT ACLS. */
36
37 typedef union posix_id {
38                 uid_t uid;
39                 gid_t gid;
40                 int world;
41 } posix_id;
42
43 typedef struct canon_ace {
44         struct canon_ace *next, *prev;
45         SMB_ACL_TAG_T type;
46         mode_t perms; /* Only use S_I(R|W|X)USR mode bits here. */
47         DOM_SID trustee;
48         enum ace_owner owner_type;
49         enum ace_attribute attr;
50         posix_id unix_ug;
51         uint8_t ace_flags; /* From windows ACE entry. */
52 } canon_ace;
53
54 #define ALL_ACE_PERMS (S_IRUSR|S_IWUSR|S_IXUSR)
55
56 /*
57  * EA format of user.SAMBA_PAI (Samba_Posix_Acl_Interitance)
58  * attribute on disk - version 1.
59  * All values are little endian.
60  *
61  * |  1   |  1   |   2         |         2           |  ....
62  * +------+------+-------------+---------------------+-------------+--------------------+
63  * | vers | flag | num_entries | num_default_entries | ..entries.. | default_entries... |
64  * +------+------+-------------+---------------------+-------------+--------------------+
65  *
66  * Entry format is :
67  *
68  * |  1   |       4           |
69  * +------+-------------------+
70  * | value|  uid/gid or world |
71  * | type |  value            |
72  * +------+-------------------+
73  *
74  * Version 2 format. Stores extra Windows metadata about an ACL.
75  *
76  * |  1   |  2       |   2         |         2           |  ....
77  * +------+----------+-------------+---------------------+-------------+--------------------+
78  * | vers | ace      | num_entries | num_default_entries | ..entries.. | default_entries... |
79  * |   2  |  type    |             |                     |             |                    |
80  * +------+----------+-------------+---------------------+-------------+--------------------+
81  *
82  * Entry format is :
83  *
84  * |  1   |  1   |       4           |
85  * +------+------+-------------------+
86  * | ace  | value|  uid/gid or world |
87  * | flag | type |  value            |
88  * +------+-------------------+------+
89  *
90  */
91
92 #define PAI_VERSION_OFFSET                      0
93
94 #define PAI_V1_FLAG_OFFSET                      1
95 #define PAI_V1_NUM_ENTRIES_OFFSET               2
96 #define PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET       4
97 #define PAI_V1_ENTRIES_BASE                     6
98 #define PAI_V1_ACL_FLAG_PROTECTED               0x1
99 #define PAI_V1_ENTRY_LENGTH                     5
100
101 #define PAI_V1_VERSION                          1
102
103 #define PAI_V2_TYPE_OFFSET                      1
104 #define PAI_V2_NUM_ENTRIES_OFFSET               3
105 #define PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET       5
106 #define PAI_V2_ENTRIES_BASE                     7
107 #define PAI_V2_ENTRY_LENGTH                     6
108
109 #define PAI_V2_VERSION                          2
110
111 /*
112  * In memory format of user.SAMBA_PAI attribute.
113  */
114
115 struct pai_entry {
116         struct pai_entry *next, *prev;
117         uint8_t ace_flags;
118         enum ace_owner owner_type;
119         posix_id unix_ug;
120 };
121
122 struct pai_val {
123         uint16_t sd_type;
124         unsigned int num_entries;
125         struct pai_entry *entry_list;
126         unsigned int num_def_entries;
127         struct pai_entry *def_entry_list;
128 };
129
130 /************************************************************************
131  Return a uint32 of the pai_entry principal.
132 ************************************************************************/
133
134 static uint32_t get_pai_entry_val(struct pai_entry *paie)
135 {
136         switch (paie->owner_type) {
137                 case UID_ACE:
138                         DEBUG(10,("get_pai_entry_val: uid = %u\n", (unsigned int)paie->unix_ug.uid ));
139                         return (uint32_t)paie->unix_ug.uid;
140                 case GID_ACE:
141                         DEBUG(10,("get_pai_entry_val: gid = %u\n", (unsigned int)paie->unix_ug.gid ));
142                         return (uint32_t)paie->unix_ug.gid;
143                 case WORLD_ACE:
144                 default:
145                         DEBUG(10,("get_pai_entry_val: world ace\n"));
146                         return (uint32_t)-1;
147         }
148 }
149
150 /************************************************************************
151  Return a uint32 of the entry principal.
152 ************************************************************************/
153
154 static uint32_t get_entry_val(canon_ace *ace_entry)
155 {
156         switch (ace_entry->owner_type) {
157                 case UID_ACE:
158                         DEBUG(10,("get_entry_val: uid = %u\n", (unsigned int)ace_entry->unix_ug.uid ));
159                         return (uint32_t)ace_entry->unix_ug.uid;
160                 case GID_ACE:
161                         DEBUG(10,("get_entry_val: gid = %u\n", (unsigned int)ace_entry->unix_ug.gid ));
162                         return (uint32_t)ace_entry->unix_ug.gid;
163                 case WORLD_ACE:
164                 default:
165                         DEBUG(10,("get_entry_val: world ace\n"));
166                         return (uint32_t)-1;
167         }
168 }
169
170 /************************************************************************
171  Create the on-disk format (always v2 now). Caller must free.
172 ************************************************************************/
173
174 static char *create_pai_buf_v2(canon_ace *file_ace_list,
175                                 canon_ace *dir_ace_list,
176                                 uint16_t sd_type,
177                                 size_t *store_size)
178 {
179         char *pai_buf = NULL;
180         canon_ace *ace_list = NULL;
181         char *entry_offset = NULL;
182         unsigned int num_entries = 0;
183         unsigned int num_def_entries = 0;
184
185         for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next) {
186                 num_entries++;
187         }
188
189         for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next) {
190                 num_def_entries++;
191         }
192
193         DEBUG(10,("create_pai_buf_v2: num_entries = %u, num_def_entries = %u\n", num_entries, num_def_entries ));
194
195         *store_size = PAI_V2_ENTRIES_BASE +
196                 ((num_entries + num_def_entries)*PAI_V2_ENTRY_LENGTH);
197
198         pai_buf = (char *)SMB_MALLOC(*store_size);
199         if (!pai_buf) {
200                 return NULL;
201         }
202
203         /* Set up the header. */
204         memset(pai_buf, '\0', PAI_V2_ENTRIES_BASE);
205         SCVAL(pai_buf,PAI_VERSION_OFFSET,PAI_V2_VERSION);
206         SSVAL(pai_buf,PAI_V2_TYPE_OFFSET, sd_type);
207         SSVAL(pai_buf,PAI_V2_NUM_ENTRIES_OFFSET,num_entries);
208         SSVAL(pai_buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET,num_def_entries);
209
210         entry_offset = pai_buf + PAI_V2_ENTRIES_BASE;
211
212         for (ace_list = file_ace_list; ace_list; ace_list = ace_list->next) {
213                 uint8_t type_val = (uint8_t)ace_list->owner_type;
214                 uint32_t entry_val = get_entry_val(ace_list);
215
216                 SCVAL(entry_offset,0,ace_list->ace_flags);
217                 SCVAL(entry_offset,1,type_val);
218                 SIVAL(entry_offset,2,entry_val);
219                 entry_offset += PAI_V2_ENTRY_LENGTH;
220         }
221
222         for (ace_list = dir_ace_list; ace_list; ace_list = ace_list->next) {
223                 uint8_t type_val = (uint8_t)ace_list->owner_type;
224                 uint32_t entry_val = get_entry_val(ace_list);
225
226                 SCVAL(entry_offset,0,ace_list->ace_flags);
227                 SCVAL(entry_offset,1,type_val);
228                 SIVAL(entry_offset,2,entry_val);
229                 entry_offset += PAI_V2_ENTRY_LENGTH;
230         }
231
232         return pai_buf;
233 }
234
235 /************************************************************************
236  Store the user.SAMBA_PAI attribute on disk.
237 ************************************************************************/
238
239 static void store_inheritance_attributes(files_struct *fsp,
240                                         canon_ace *file_ace_list,
241                                         canon_ace *dir_ace_list,
242                                         uint16_t sd_type)
243 {
244         int ret;
245         size_t store_size;
246         char *pai_buf;
247
248         if (!lp_map_acl_inherit(SNUM(fsp->conn))) {
249                 return;
250         }
251
252         pai_buf = create_pai_buf_v2(file_ace_list, dir_ace_list,
253                                 sd_type, &store_size);
254
255         if (fsp->fh->fd != -1) {
256                 ret = SMB_VFS_FSETXATTR(fsp, SAMBA_POSIX_INHERITANCE_EA_NAME,
257                                 pai_buf, store_size, 0);
258         } else {
259                 ret = SMB_VFS_SETXATTR(fsp->conn,fsp->fsp_name, SAMBA_POSIX_INHERITANCE_EA_NAME,
260                                 pai_buf, store_size, 0);
261         }
262
263         SAFE_FREE(pai_buf);
264
265         DEBUG(10,("store_inheritance_attribute: type 0x%x for file %s\n",
266                 (unsigned int)sd_type,
267                 fsp->fsp_name));
268
269         if (ret == -1 && !no_acl_syscall_error(errno)) {
270                 DEBUG(1,("store_inheritance_attribute: Error %s\n", strerror(errno) ));
271         }
272 }
273
274 /************************************************************************
275  Delete the in memory inheritance info.
276 ************************************************************************/
277
278 static void free_inherited_info(struct pai_val *pal)
279 {
280         if (pal) {
281                 struct pai_entry *paie, *paie_next;
282                 for (paie = pal->entry_list; paie; paie = paie_next) {
283                         paie_next = paie->next;
284                         SAFE_FREE(paie);
285                 }
286                 for (paie = pal->def_entry_list; paie; paie = paie_next) {
287                         paie_next = paie->next;
288                         SAFE_FREE(paie);
289                 }
290                 SAFE_FREE(pal);
291         }
292 }
293
294 /************************************************************************
295  Get any stored ACE flags.
296 ************************************************************************/
297
298 static uint16_t get_pai_flags(struct pai_val *pal, canon_ace *ace_entry, bool default_ace)
299 {
300         struct pai_entry *paie;
301
302         if (!pal) {
303                 return 0;
304         }
305
306         /* If the entry exists it is inherited. */
307         for (paie = (default_ace ? pal->def_entry_list : pal->entry_list); paie; paie = paie->next) {
308                 if (ace_entry->owner_type == paie->owner_type &&
309                                 get_entry_val(ace_entry) == get_pai_entry_val(paie))
310                         return paie->ace_flags;
311         }
312         return 0;
313 }
314
315 /************************************************************************
316  Ensure an attribute just read is valid - v1.
317 ************************************************************************/
318
319 static bool check_pai_ok_v1(const char *pai_buf, size_t pai_buf_data_size)
320 {
321         uint16 num_entries;
322         uint16 num_def_entries;
323
324         if (pai_buf_data_size < PAI_V1_ENTRIES_BASE) {
325                 /* Corrupted - too small. */
326                 return false;
327         }
328
329         if (CVAL(pai_buf,PAI_VERSION_OFFSET) != PAI_V1_VERSION) {
330                 return false;
331         }
332
333         num_entries = SVAL(pai_buf,PAI_V1_NUM_ENTRIES_OFFSET);
334         num_def_entries = SVAL(pai_buf,PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET);
335
336         /* Check the entry lists match. */
337         /* Each entry is 5 bytes (type plus 4 bytes of uid or gid). */
338
339         if (((num_entries + num_def_entries)*PAI_V1_ENTRY_LENGTH) +
340                         PAI_V1_ENTRIES_BASE != pai_buf_data_size) {
341                 return false;
342         }
343
344         return true;
345 }
346
347 /************************************************************************
348  Ensure an attribute just read is valid - v2.
349 ************************************************************************/
350
351 static bool check_pai_ok_v2(const char *pai_buf, size_t pai_buf_data_size)
352 {
353         uint16 num_entries;
354         uint16 num_def_entries;
355
356         if (pai_buf_data_size < PAI_V2_ENTRIES_BASE) {
357                 /* Corrupted - too small. */
358                 return false;
359         }
360
361         if (CVAL(pai_buf,PAI_VERSION_OFFSET) != PAI_V2_VERSION) {
362                 return false;
363         }
364
365         num_entries = SVAL(pai_buf,PAI_V2_NUM_ENTRIES_OFFSET);
366         num_def_entries = SVAL(pai_buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET);
367
368         /* Check the entry lists match. */
369         /* Each entry is 6 bytes (flags + type + 4 bytes of uid or gid). */
370
371         if (((num_entries + num_def_entries)*PAI_V2_ENTRY_LENGTH) +
372                         PAI_V2_ENTRIES_BASE != pai_buf_data_size) {
373                 return false;
374         }
375
376         return true;
377 }
378
379 /************************************************************************
380  Decode the owner.
381 ************************************************************************/
382
383 static bool get_pai_owner_type(struct pai_entry *paie, const char *entry_offset)
384 {
385         paie->owner_type = (enum ace_owner)CVAL(entry_offset,0);
386         switch( paie->owner_type) {
387                 case UID_ACE:
388                         paie->unix_ug.uid = (uid_t)IVAL(entry_offset,1);
389                         DEBUG(10,("get_pai_owner_type: uid = %u\n",
390                                 (unsigned int)paie->unix_ug.uid ));
391                         break;
392                 case GID_ACE:
393                         paie->unix_ug.gid = (gid_t)IVAL(entry_offset,1);
394                         DEBUG(10,("get_pai_owner_type: gid = %u\n",
395                                 (unsigned int)paie->unix_ug.gid ));
396                         break;
397                 case WORLD_ACE:
398                         paie->unix_ug.world = -1;
399                         DEBUG(10,("get_pai_owner_type: world ace\n"));
400                         break;
401                 default:
402                         return false;
403         }
404         return true;
405 }
406
407 /************************************************************************
408  Process v2 entries.
409 ************************************************************************/
410
411 static const char *create_pai_v1_entries(struct pai_val *paiv,
412                                 const char *entry_offset,
413                                 bool def_entry)
414 {
415         int i;
416
417         for (i = 0; i < paiv->num_entries; i++) {
418                 struct pai_entry *paie = SMB_MALLOC_P(struct pai_entry);
419                 if (!paie) {
420                         return NULL;
421                 }
422
423                 paie->ace_flags = SEC_ACE_FLAG_INHERITED_ACE;
424                 if (!get_pai_owner_type(paie, entry_offset)) {
425                         return NULL;
426                 }
427
428                 if (!def_entry) {
429                         DLIST_ADD(paiv->entry_list, paie);
430                 } else {
431                         DLIST_ADD(paiv->def_entry_list, paie);
432                 }
433                 entry_offset += PAI_V1_ENTRY_LENGTH;
434         }
435         return entry_offset;
436 }
437
438 /************************************************************************
439  Convert to in-memory format from version 1.
440 ************************************************************************/
441
442 static struct pai_val *create_pai_val_v1(const char *buf, size_t size)
443 {
444         const char *entry_offset;
445         struct pai_val *paiv = NULL;
446
447         if (!check_pai_ok_v1(buf, size)) {
448                 return NULL;
449         }
450
451         paiv = SMB_MALLOC_P(struct pai_val);
452         if (!paiv) {
453                 return NULL;
454         }
455
456         memset(paiv, '\0', sizeof(struct pai_val));
457
458         paiv->sd_type = (CVAL(buf,PAI_V1_FLAG_OFFSET) == PAI_V1_ACL_FLAG_PROTECTED) ?
459                         SE_DESC_DACL_PROTECTED : 0;
460
461         paiv->num_entries = SVAL(buf,PAI_V1_NUM_ENTRIES_OFFSET);
462         paiv->num_def_entries = SVAL(buf,PAI_V1_NUM_DEFAULT_ENTRIES_OFFSET);
463
464         entry_offset = buf + PAI_V1_ENTRIES_BASE;
465
466         DEBUG(10,("create_pai_val: num_entries = %u, num_def_entries = %u\n",
467                         paiv->num_entries, paiv->num_def_entries ));
468
469         entry_offset = create_pai_v1_entries(paiv, entry_offset, false);
470         if (entry_offset == NULL) {
471                 free_inherited_info(paiv);
472                 return NULL;
473         }
474         entry_offset = create_pai_v1_entries(paiv, entry_offset, true);
475         if (entry_offset == NULL) {
476                 free_inherited_info(paiv);
477                 return NULL;
478         }
479
480         return paiv;
481 }
482
483 /************************************************************************
484  Process v2 entries.
485 ************************************************************************/
486
487 static const char *create_pai_v2_entries(struct pai_val *paiv,
488                                 const char *entry_offset,
489                                 bool def_entry)
490 {
491         int i;
492
493         for (i = 0; i < paiv->num_entries; i++) {
494                 struct pai_entry *paie = SMB_MALLOC_P(struct pai_entry);
495                 if (!paie) {
496                         return NULL;
497                 }
498
499                 paie->ace_flags = CVAL(entry_offset,0);
500
501                 entry_offset++;
502
503                 if (!get_pai_owner_type(paie, entry_offset)) {
504                         return NULL;
505                 }
506                 if (!def_entry) {
507                         DLIST_ADD(paiv->entry_list, paie);
508                 } else {
509                         DLIST_ADD(paiv->def_entry_list, paie);
510                 }
511                 entry_offset += PAI_V2_ENTRY_LENGTH;
512         }
513         return entry_offset;
514 }
515
516 /************************************************************************
517  Convert to in-memory format from version 2.
518 ************************************************************************/
519
520 static struct pai_val *create_pai_val_v2(const char *buf, size_t size)
521 {
522         const char *entry_offset;
523         struct pai_val *paiv = NULL;
524
525         if (!check_pai_ok_v2(buf, size)) {
526                 return NULL;
527         }
528
529         paiv = SMB_MALLOC_P(struct pai_val);
530         if (!paiv) {
531                 return NULL;
532         }
533
534         memset(paiv, '\0', sizeof(struct pai_val));
535
536         paiv->sd_type = SVAL(buf,PAI_V2_TYPE_OFFSET);
537
538         paiv->num_entries = SVAL(buf,PAI_V2_NUM_ENTRIES_OFFSET);
539         paiv->num_def_entries = SVAL(buf,PAI_V2_NUM_DEFAULT_ENTRIES_OFFSET);
540
541         entry_offset = buf + PAI_V2_ENTRIES_BASE;
542
543         DEBUG(10,("create_pai_val_v2: num_entries = %u, num_def_entries = %u\n",
544                         paiv->num_entries, paiv->num_def_entries ));
545
546         entry_offset = create_pai_v2_entries(paiv, entry_offset, false);
547         if (entry_offset == NULL) {
548                 free_inherited_info(paiv);
549                 return NULL;
550         }
551         entry_offset = create_pai_v2_entries(paiv, entry_offset, true);
552         if (entry_offset == NULL) {
553                 free_inherited_info(paiv);
554                 return NULL;
555         }
556
557         return paiv;
558 }
559
560 /************************************************************************
561  Convert to in-memory format - from either version 1 or 2.
562 ************************************************************************/
563
564 static struct pai_val *create_pai_val(const char *buf, size_t size)
565 {
566         if (size < 1) {
567                 return NULL;
568         }
569         if (CVAL(buf,PAI_VERSION_OFFSET) == PAI_V1_VERSION) {
570                 return create_pai_val_v1(buf, size);
571         } else if (CVAL(buf,PAI_VERSION_OFFSET) == PAI_V2_VERSION) {
572                 return create_pai_val_v2(buf, size);
573         } else {
574                 return NULL;
575         }
576 }
577
578 /************************************************************************
579  Load the user.SAMBA_PAI attribute.
580 ************************************************************************/
581
582 static struct pai_val *fload_inherited_info(files_struct *fsp)
583 {
584         char *pai_buf;
585         size_t pai_buf_size = 1024;
586         struct pai_val *paiv = NULL;
587         ssize_t ret;
588
589         if (!lp_map_acl_inherit(SNUM(fsp->conn))) {
590                 return NULL;
591         }
592
593         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL) {
594                 return NULL;
595         }
596
597         do {
598                 if (fsp->fh->fd != -1) {
599                         ret = SMB_VFS_FGETXATTR(fsp, SAMBA_POSIX_INHERITANCE_EA_NAME,
600                                         pai_buf, pai_buf_size);
601                 } else {
602                         ret = SMB_VFS_GETXATTR(fsp->conn,fsp->fsp_name,SAMBA_POSIX_INHERITANCE_EA_NAME,
603                                         pai_buf, pai_buf_size);
604                 }
605
606                 if (ret == -1) {
607                         if (errno != ERANGE) {
608                                 break;
609                         }
610                         /* Buffer too small - enlarge it. */
611                         pai_buf_size *= 2;
612                         SAFE_FREE(pai_buf);
613                         if (pai_buf_size > 1024*1024) {
614                                 return NULL; /* Limit malloc to 1mb. */
615                         }
616                         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL)
617                                 return NULL;
618                 }
619         } while (ret == -1);
620
621         DEBUG(10,("load_inherited_info: ret = %lu for file %s\n", (unsigned long)ret, fsp->fsp_name));
622
623         if (ret == -1) {
624                 /* No attribute or not supported. */
625 #if defined(ENOATTR)
626                 if (errno != ENOATTR)
627                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
628 #else
629                 if (errno != ENOSYS)
630                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
631 #endif
632                 SAFE_FREE(pai_buf);
633                 return NULL;
634         }
635
636         paiv = create_pai_val(pai_buf, ret);
637
638         if (paiv) {
639                 DEBUG(10,("load_inherited_info: ACL type is 0x%x for file %s\n",
640                         (unsigned int)paiv->sd_type,
641                         fsp->fsp_name));
642         }
643
644         SAFE_FREE(pai_buf);
645         return paiv;
646 }
647
648 /************************************************************************
649  Load the user.SAMBA_PAI attribute.
650 ************************************************************************/
651
652 static struct pai_val *load_inherited_info(const struct connection_struct *conn,
653                                            const char *fname)
654 {
655         char *pai_buf;
656         size_t pai_buf_size = 1024;
657         struct pai_val *paiv = NULL;
658         ssize_t ret;
659
660         if (!lp_map_acl_inherit(SNUM(conn))) {
661                 return NULL;
662         }
663
664         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL) {
665                 return NULL;
666         }
667
668         do {
669                 ret = SMB_VFS_GETXATTR(conn, fname,
670                                        SAMBA_POSIX_INHERITANCE_EA_NAME,
671                                        pai_buf, pai_buf_size);
672
673                 if (ret == -1) {
674                         if (errno != ERANGE) {
675                                 break;
676                         }
677                         /* Buffer too small - enlarge it. */
678                         pai_buf_size *= 2;
679                         SAFE_FREE(pai_buf);
680                         if (pai_buf_size > 1024*1024) {
681                                 return NULL; /* Limit malloc to 1mb. */
682                         }
683                         if ((pai_buf = (char *)SMB_MALLOC(pai_buf_size)) == NULL)
684                                 return NULL;
685                 }
686         } while (ret == -1);
687
688         DEBUG(10,("load_inherited_info: ret = %lu for file %s\n", (unsigned long)ret, fname));
689
690         if (ret == -1) {
691                 /* No attribute or not supported. */
692 #if defined(ENOATTR)
693                 if (errno != ENOATTR)
694                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
695 #else
696                 if (errno != ENOSYS)
697                         DEBUG(10,("load_inherited_info: Error %s\n", strerror(errno) ));
698 #endif
699                 SAFE_FREE(pai_buf);
700                 return NULL;
701         }
702
703         paiv = create_pai_val(pai_buf, ret);
704
705         if (paiv) {
706                 DEBUG(10,("load_inherited_info: ACL type 0x%x for file %s\n",
707                         (unsigned int)paiv->sd_type,
708                         fname));
709         }
710
711         SAFE_FREE(pai_buf);
712         return paiv;
713 }
714
715 /****************************************************************************
716  Functions to manipulate the internal ACE format.
717 ****************************************************************************/
718
719 /****************************************************************************
720  Count a linked list of canonical ACE entries.
721 ****************************************************************************/
722
723 static size_t count_canon_ace_list( canon_ace *l_head )
724 {
725         size_t count = 0;
726         canon_ace *ace;
727
728         for (ace = l_head; ace; ace = ace->next)
729                 count++;
730
731         return count;
732 }
733
734 /****************************************************************************
735  Free a linked list of canonical ACE entries.
736 ****************************************************************************/
737
738 static void free_canon_ace_list( canon_ace *l_head )
739 {
740         canon_ace *list, *next;
741
742         for (list = l_head; list; list = next) {
743                 next = list->next;
744                 DLIST_REMOVE(l_head, list);
745                 SAFE_FREE(list);
746         }
747 }
748
749 /****************************************************************************
750  Function to duplicate a canon_ace entry.
751 ****************************************************************************/
752
753 static canon_ace *dup_canon_ace( canon_ace *src_ace)
754 {
755         canon_ace *dst_ace = SMB_MALLOC_P(canon_ace);
756
757         if (dst_ace == NULL)
758                 return NULL;
759
760         *dst_ace = *src_ace;
761         dst_ace->prev = dst_ace->next = NULL;
762         return dst_ace;
763 }
764
765 /****************************************************************************
766  Print out a canon ace.
767 ****************************************************************************/
768
769 static void print_canon_ace(canon_ace *pace, int num)
770 {
771         dbgtext( "canon_ace index %d. Type = %s ", num, pace->attr == ALLOW_ACE ? "allow" : "deny" );
772         dbgtext( "SID = %s ", sid_string_dbg(&pace->trustee));
773         if (pace->owner_type == UID_ACE) {
774                 const char *u_name = uidtoname(pace->unix_ug.uid);
775                 dbgtext( "uid %u (%s) ", (unsigned int)pace->unix_ug.uid, u_name );
776         } else if (pace->owner_type == GID_ACE) {
777                 char *g_name = gidtoname(pace->unix_ug.gid);
778                 dbgtext( "gid %u (%s) ", (unsigned int)pace->unix_ug.gid, g_name );
779         } else
780                 dbgtext( "other ");
781         switch (pace->type) {
782                 case SMB_ACL_USER:
783                         dbgtext( "SMB_ACL_USER ");
784                         break;
785                 case SMB_ACL_USER_OBJ:
786                         dbgtext( "SMB_ACL_USER_OBJ ");
787                         break;
788                 case SMB_ACL_GROUP:
789                         dbgtext( "SMB_ACL_GROUP ");
790                         break;
791                 case SMB_ACL_GROUP_OBJ:
792                         dbgtext( "SMB_ACL_GROUP_OBJ ");
793                         break;
794                 case SMB_ACL_OTHER:
795                         dbgtext( "SMB_ACL_OTHER ");
796                         break;
797                 default:
798                         dbgtext( "MASK " );
799                         break;
800         }
801
802         dbgtext( "ace_flags = 0x%x ", (unsigned int)pace->ace_flags);
803         dbgtext( "perms ");
804         dbgtext( "%c", pace->perms & S_IRUSR ? 'r' : '-');
805         dbgtext( "%c", pace->perms & S_IWUSR ? 'w' : '-');
806         dbgtext( "%c\n", pace->perms & S_IXUSR ? 'x' : '-');
807 }
808
809 /****************************************************************************
810  Print out a canon ace list.
811 ****************************************************************************/
812
813 static void print_canon_ace_list(const char *name, canon_ace *ace_list)
814 {
815         int count = 0;
816
817         if( DEBUGLVL( 10 )) {
818                 dbgtext( "print_canon_ace_list: %s\n", name );
819                 for (;ace_list; ace_list = ace_list->next, count++)
820                         print_canon_ace(ace_list, count );
821         }
822 }
823
824 /****************************************************************************
825  Map POSIX ACL perms to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
826 ****************************************************************************/
827
828 static mode_t convert_permset_to_mode_t(connection_struct *conn, SMB_ACL_PERMSET_T permset)
829 {
830         mode_t ret = 0;
831
832         ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_READ) ? S_IRUSR : 0);
833         ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_WRITE) ? S_IWUSR : 0);
834         ret |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_EXECUTE) ? S_IXUSR : 0);
835
836         return ret;
837 }
838
839 /****************************************************************************
840  Map generic UNIX permissions to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
841 ****************************************************************************/
842
843 static mode_t unix_perms_to_acl_perms(mode_t mode, int r_mask, int w_mask, int x_mask)
844 {
845         mode_t ret = 0;
846
847         if (mode & r_mask)
848                 ret |= S_IRUSR;
849         if (mode & w_mask)
850                 ret |= S_IWUSR;
851         if (mode & x_mask)
852                 ret |= S_IXUSR;
853
854         return ret;
855 }
856
857 /****************************************************************************
858  Map canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits) to
859  an SMB_ACL_PERMSET_T.
860 ****************************************************************************/
861
862 static int map_acl_perms_to_permset(connection_struct *conn, mode_t mode, SMB_ACL_PERMSET_T *p_permset)
863 {
864         if (SMB_VFS_SYS_ACL_CLEAR_PERMS(conn, *p_permset) ==  -1)
865                 return -1;
866         if (mode & S_IRUSR) {
867                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_READ) == -1)
868                         return -1;
869         }
870         if (mode & S_IWUSR) {
871                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_WRITE) == -1)
872                         return -1;
873         }
874         if (mode & S_IXUSR) {
875                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_EXECUTE) == -1)
876                         return -1;
877         }
878         return 0;
879 }
880
881 /****************************************************************************
882  Function to create owner and group SIDs from a SMB_STRUCT_STAT.
883 ****************************************************************************/
884
885 void create_file_sids(const SMB_STRUCT_STAT *psbuf, DOM_SID *powner_sid, DOM_SID *pgroup_sid)
886 {
887         uid_to_sid( powner_sid, psbuf->st_uid );
888         gid_to_sid( pgroup_sid, psbuf->st_gid );
889 }
890
891 /****************************************************************************
892  Is the identity in two ACEs equal ? Check both SID and uid/gid.
893 ****************************************************************************/
894
895 static bool identity_in_ace_equal(canon_ace *ace1, canon_ace *ace2)
896 {
897         if (sid_equal(&ace1->trustee, &ace2->trustee)) {
898                 return True;
899         }
900         if (ace1->owner_type == ace2->owner_type) {
901                 if (ace1->owner_type == UID_ACE &&
902                                 ace1->unix_ug.uid == ace2->unix_ug.uid) {
903                         return True;
904                 } else if (ace1->owner_type == GID_ACE &&
905                                 ace1->unix_ug.gid == ace2->unix_ug.gid) {
906                         return True;
907                 }
908         }
909         return False;
910 }
911
912 /****************************************************************************
913  Merge aces with a common sid - if both are allow or deny, OR the permissions together and
914  delete the second one. If the first is deny, mask the permissions off and delete the allow
915  if the permissions become zero, delete the deny if the permissions are non zero.
916 ****************************************************************************/
917
918 static void merge_aces( canon_ace **pp_list_head )
919 {
920         canon_ace *l_head = *pp_list_head;
921         canon_ace *curr_ace_outer;
922         canon_ace *curr_ace_outer_next;
923
924         /*
925          * First, merge allow entries with identical SIDs, and deny entries
926          * with identical SIDs.
927          */
928
929         for (curr_ace_outer = l_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
930                 canon_ace *curr_ace;
931                 canon_ace *curr_ace_next;
932
933                 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
934
935                 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
936
937                         curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
938
939                         if (identity_in_ace_equal(curr_ace, curr_ace_outer) &&
940                                 (curr_ace->attr == curr_ace_outer->attr)) {
941
942                                 if( DEBUGLVL( 10 )) {
943                                         dbgtext("merge_aces: Merging ACE's\n");
944                                         print_canon_ace( curr_ace_outer, 0);
945                                         print_canon_ace( curr_ace, 0);
946                                 }
947
948                                 /* Merge two allow or two deny ACE's. */
949
950                                 curr_ace_outer->perms |= curr_ace->perms;
951                                 DLIST_REMOVE(l_head, curr_ace);
952                                 SAFE_FREE(curr_ace);
953                                 curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
954                         }
955                 }
956         }
957
958         /*
959          * Now go through and mask off allow permissions with deny permissions.
960          * We can delete either the allow or deny here as we know that each SID
961          * appears only once in the list.
962          */
963
964         for (curr_ace_outer = l_head; curr_ace_outer; curr_ace_outer = curr_ace_outer_next) {
965                 canon_ace *curr_ace;
966                 canon_ace *curr_ace_next;
967
968                 curr_ace_outer_next = curr_ace_outer->next; /* Save the link in case we delete. */
969
970                 for (curr_ace = curr_ace_outer->next; curr_ace; curr_ace = curr_ace_next) {
971
972                         curr_ace_next = curr_ace->next; /* Save the link in case of delete. */
973
974                         /*
975                          * Subtract ACE's with different entries. Due to the ordering constraints
976                          * we've put on the ACL, we know the deny must be the first one.
977                          */
978
979                         if (identity_in_ace_equal(curr_ace, curr_ace_outer) &&
980                                 (curr_ace_outer->attr == DENY_ACE) && (curr_ace->attr == ALLOW_ACE)) {
981
982                                 if( DEBUGLVL( 10 )) {
983                                         dbgtext("merge_aces: Masking ACE's\n");
984                                         print_canon_ace( curr_ace_outer, 0);
985                                         print_canon_ace( curr_ace, 0);
986                                 }
987
988                                 curr_ace->perms &= ~curr_ace_outer->perms;
989
990                                 if (curr_ace->perms == 0) {
991
992                                         /*
993                                          * The deny overrides the allow. Remove the allow.
994                                          */
995
996                                         DLIST_REMOVE(l_head, curr_ace);
997                                         SAFE_FREE(curr_ace);
998                                         curr_ace_outer_next = curr_ace_outer->next; /* We may have deleted the link. */
999
1000                                 } else {
1001
1002                                         /*
1003                                          * Even after removing permissions, there
1004                                          * are still allow permissions - delete the deny.
1005                                          * It is safe to delete the deny here,
1006                                          * as we are guarenteed by the deny first
1007                                          * ordering that all the deny entries for
1008                                          * this SID have already been merged into one
1009                                          * before we can get to an allow ace.
1010                                          */
1011
1012                                         DLIST_REMOVE(l_head, curr_ace_outer);
1013                                         SAFE_FREE(curr_ace_outer);
1014                                         break;
1015                                 }
1016                         }
1017
1018                 } /* end for curr_ace */
1019         } /* end for curr_ace_outer */
1020
1021         /* We may have modified the list. */
1022
1023         *pp_list_head = l_head;
1024 }
1025
1026 /****************************************************************************
1027  Check if we need to return NT4.x compatible ACL entries.
1028 ****************************************************************************/
1029
1030 bool nt4_compatible_acls(void)
1031 {
1032         int compat = lp_acl_compatibility();
1033
1034         if (compat == ACL_COMPAT_AUTO) {
1035                 enum remote_arch_types ra_type = get_remote_arch();
1036
1037                 /* Automatically adapt to client */
1038                 return (ra_type <= RA_WINNT);
1039         } else
1040                 return (compat == ACL_COMPAT_WINNT);
1041 }
1042
1043
1044 /****************************************************************************
1045  Map canon_ace perms to permission bits NT.
1046  The attr element is not used here - we only process deny entries on set,
1047  not get. Deny entries are implicit on get with ace->perms = 0.
1048 ****************************************************************************/
1049
1050 static uint32_t map_canon_ace_perms(int snum,
1051                                 enum security_ace_type *pacl_type,
1052                                 mode_t perms,
1053                                 bool directory_ace)
1054 {
1055         uint32_t nt_mask = 0;
1056
1057         *pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED;
1058
1059         if (lp_acl_map_full_control(snum) && ((perms & ALL_ACE_PERMS) == ALL_ACE_PERMS)) {
1060                 if (directory_ace) {
1061                         nt_mask = UNIX_DIRECTORY_ACCESS_RWX;
1062                 } else {
1063                         nt_mask = (UNIX_ACCESS_RWX & ~DELETE_ACCESS);
1064                 }
1065         } else if ((perms & ALL_ACE_PERMS) == (mode_t)0) {
1066                 /*
1067                  * Windows NT refuses to display ACEs with no permissions in them (but
1068                  * they are perfectly legal with Windows 2000). If the ACE has empty
1069                  * permissions we cannot use 0, so we use the otherwise unused
1070                  * WRITE_OWNER permission, which we ignore when we set an ACL.
1071                  * We abstract this into a #define of UNIX_ACCESS_NONE to allow this
1072                  * to be changed in the future.
1073                  */
1074
1075                 if (nt4_compatible_acls())
1076                         nt_mask = UNIX_ACCESS_NONE;
1077                 else
1078                         nt_mask = 0;
1079         } else {
1080                 if (directory_ace) {
1081                         nt_mask |= ((perms & S_IRUSR) ? UNIX_DIRECTORY_ACCESS_R : 0 );
1082                         nt_mask |= ((perms & S_IWUSR) ? UNIX_DIRECTORY_ACCESS_W : 0 );
1083                         nt_mask |= ((perms & S_IXUSR) ? UNIX_DIRECTORY_ACCESS_X : 0 );
1084                 } else {
1085                         nt_mask |= ((perms & S_IRUSR) ? UNIX_ACCESS_R : 0 );
1086                         nt_mask |= ((perms & S_IWUSR) ? UNIX_ACCESS_W : 0 );
1087                         nt_mask |= ((perms & S_IXUSR) ? UNIX_ACCESS_X : 0 );
1088                 }
1089         }
1090
1091         DEBUG(10,("map_canon_ace_perms: Mapped (UNIX) %x to (NT) %x\n",
1092                         (unsigned int)perms, (unsigned int)nt_mask ));
1093
1094         return nt_mask;
1095 }
1096
1097 /****************************************************************************
1098  Map NT perms to a UNIX mode_t.
1099 ****************************************************************************/
1100
1101 #define FILE_SPECIFIC_READ_BITS (FILE_READ_DATA|FILE_READ_EA|FILE_READ_ATTRIBUTES)
1102 #define FILE_SPECIFIC_WRITE_BITS (FILE_WRITE_DATA|FILE_APPEND_DATA|FILE_WRITE_EA|FILE_WRITE_ATTRIBUTES)
1103 #define FILE_SPECIFIC_EXECUTE_BITS (FILE_EXECUTE)
1104
1105 static mode_t map_nt_perms( uint32 *mask, int type)
1106 {
1107         mode_t mode = 0;
1108
1109         switch(type) {
1110         case S_IRUSR:
1111                 if((*mask) & GENERIC_ALL_ACCESS)
1112                         mode = S_IRUSR|S_IWUSR|S_IXUSR;
1113                 else {
1114                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRUSR : 0;
1115                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWUSR : 0;
1116                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXUSR : 0;
1117                 }
1118                 break;
1119         case S_IRGRP:
1120                 if((*mask) & GENERIC_ALL_ACCESS)
1121                         mode = S_IRGRP|S_IWGRP|S_IXGRP;
1122                 else {
1123                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRGRP : 0;
1124                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWGRP : 0;
1125                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXGRP : 0;
1126                 }
1127                 break;
1128         case S_IROTH:
1129                 if((*mask) & GENERIC_ALL_ACCESS)
1130                         mode = S_IROTH|S_IWOTH|S_IXOTH;
1131                 else {
1132                         mode |= ((*mask) & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IROTH : 0;
1133                         mode |= ((*mask) & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWOTH : 0;
1134                         mode |= ((*mask) & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXOTH : 0;
1135                 }
1136                 break;
1137         }
1138
1139         return mode;
1140 }
1141
1142 /****************************************************************************
1143  Unpack a SEC_DESC into a UNIX owner and group.
1144 ****************************************************************************/
1145
1146 NTSTATUS unpack_nt_owners(int snum, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, const SEC_DESC *psd)
1147 {
1148         DOM_SID owner_sid;
1149         DOM_SID grp_sid;
1150
1151         *puser = (uid_t)-1;
1152         *pgrp = (gid_t)-1;
1153
1154         if(security_info_sent == 0) {
1155                 DEBUG(0,("unpack_nt_owners: no security info sent !\n"));
1156                 return NT_STATUS_OK;
1157         }
1158
1159         /*
1160          * Validate the owner and group SID's.
1161          */
1162
1163         memset(&owner_sid, '\0', sizeof(owner_sid));
1164         memset(&grp_sid, '\0', sizeof(grp_sid));
1165
1166         DEBUG(5,("unpack_nt_owners: validating owner_sids.\n"));
1167
1168         /*
1169          * Don't immediately fail if the owner sid cannot be validated.
1170          * This may be a group chown only set.
1171          */
1172
1173         if (security_info_sent & OWNER_SECURITY_INFORMATION) {
1174                 sid_copy(&owner_sid, psd->owner_sid);
1175                 if (!sid_to_uid(&owner_sid, puser)) {
1176                         if (lp_force_unknown_acl_user(snum)) {
1177                                 /* this allows take ownership to work
1178                                  * reasonably */
1179                                 *puser = current_user.ut.uid;
1180                         } else {
1181                                 DEBUG(3,("unpack_nt_owners: unable to validate"
1182                                          " owner sid for %s\n",
1183                                          sid_string_dbg(&owner_sid)));
1184                                 return NT_STATUS_INVALID_OWNER;
1185                         }
1186                 }
1187                 DEBUG(3,("unpack_nt_owners: owner sid mapped to uid %u\n",
1188                          (unsigned int)*puser ));
1189         }
1190
1191         /*
1192          * Don't immediately fail if the group sid cannot be validated.
1193          * This may be an owner chown only set.
1194          */
1195
1196         if (security_info_sent & GROUP_SECURITY_INFORMATION) {
1197                 sid_copy(&grp_sid, psd->group_sid);
1198                 if (!sid_to_gid( &grp_sid, pgrp)) {
1199                         if (lp_force_unknown_acl_user(snum)) {
1200                                 /* this allows take group ownership to work
1201                                  * reasonably */
1202                                 *pgrp = current_user.ut.gid;
1203                         } else {
1204                                 DEBUG(3,("unpack_nt_owners: unable to validate"
1205                                          " group sid.\n"));
1206                                 return NT_STATUS_INVALID_OWNER;
1207                         }
1208                 }
1209                 DEBUG(3,("unpack_nt_owners: group sid mapped to gid %u\n",
1210                          (unsigned int)*pgrp));
1211         }
1212
1213         DEBUG(5,("unpack_nt_owners: owner_sids validated.\n"));
1214
1215         return NT_STATUS_OK;
1216 }
1217
1218 /****************************************************************************
1219  Ensure the enforced permissions for this share apply.
1220 ****************************************************************************/
1221
1222 static void apply_default_perms(const struct share_params *params,
1223                                 const bool is_directory, canon_ace *pace,
1224                                 mode_t type)
1225 {
1226         mode_t and_bits = (mode_t)0;
1227         mode_t or_bits = (mode_t)0;
1228
1229         /* Get the initial bits to apply. */
1230
1231         if (is_directory) {
1232                 and_bits = lp_dir_security_mask(params->service);
1233                 or_bits = lp_force_dir_security_mode(params->service);
1234         } else {
1235                 and_bits = lp_security_mask(params->service);
1236                 or_bits = lp_force_security_mode(params->service);
1237         }
1238
1239         /* Now bounce them into the S_USR space. */     
1240         switch(type) {
1241         case S_IRUSR:
1242                 /* Ensure owner has read access. */
1243                 pace->perms |= S_IRUSR;
1244                 if (is_directory)
1245                         pace->perms |= (S_IWUSR|S_IXUSR);
1246                 and_bits = unix_perms_to_acl_perms(and_bits, S_IRUSR, S_IWUSR, S_IXUSR);
1247                 or_bits = unix_perms_to_acl_perms(or_bits, S_IRUSR, S_IWUSR, S_IXUSR);
1248                 break;
1249         case S_IRGRP:
1250                 and_bits = unix_perms_to_acl_perms(and_bits, S_IRGRP, S_IWGRP, S_IXGRP);
1251                 or_bits = unix_perms_to_acl_perms(or_bits, S_IRGRP, S_IWGRP, S_IXGRP);
1252                 break;
1253         case S_IROTH:
1254                 and_bits = unix_perms_to_acl_perms(and_bits, S_IROTH, S_IWOTH, S_IXOTH);
1255                 or_bits = unix_perms_to_acl_perms(or_bits, S_IROTH, S_IWOTH, S_IXOTH);
1256                 break;
1257         }
1258
1259         pace->perms = ((pace->perms & and_bits)|or_bits);
1260 }
1261
1262 /****************************************************************************
1263  Check if a given uid/SID is in a group gid/SID. This is probably very
1264  expensive and will need optimisation. A *lot* of optimisation :-). JRA.
1265 ****************************************************************************/
1266
1267 static bool uid_entry_in_group( canon_ace *uid_ace, canon_ace *group_ace )
1268 {
1269         const char *u_name = NULL;
1270
1271         /* "Everyone" always matches every uid. */
1272
1273         if (sid_equal(&group_ace->trustee, &global_sid_World))
1274                 return True;
1275
1276         /* Assume that the current user is in the current group (force group) */
1277
1278         if (uid_ace->unix_ug.uid == current_user.ut.uid && group_ace->unix_ug.gid == current_user.ut.gid)
1279                 return True;
1280
1281         /* u_name talloc'ed off tos. */
1282         u_name = uidtoname(uid_ace->unix_ug.uid);
1283         if (!u_name) {
1284                 return False;
1285         }
1286         return user_in_group_sid(u_name, &group_ace->trustee);
1287 }
1288
1289 /****************************************************************************
1290  A well formed POSIX file or default ACL has at least 3 entries, a 
1291  SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ.
1292  In addition, the owner must always have at least read access.
1293  When using this call on get_acl, the pst struct is valid and contains
1294  the mode of the file. When using this call on set_acl, the pst struct has
1295  been modified to have a mode containing the default for this file or directory
1296  type.
1297 ****************************************************************************/
1298
1299 static bool ensure_canon_entry_valid(canon_ace **pp_ace,
1300                                      const struct share_params *params,
1301                                      const bool is_directory,
1302                                                         const DOM_SID *pfile_owner_sid,
1303                                                         const DOM_SID *pfile_grp_sid,
1304                                                         const SMB_STRUCT_STAT *pst,
1305                                                         bool setting_acl)
1306 {
1307         canon_ace *pace;
1308         bool got_user = False;
1309         bool got_grp = False;
1310         bool got_other = False;
1311         canon_ace *pace_other = NULL;
1312
1313         for (pace = *pp_ace; pace; pace = pace->next) {
1314                 if (pace->type == SMB_ACL_USER_OBJ) {
1315
1316                         if (setting_acl)
1317                                 apply_default_perms(params, is_directory, pace, S_IRUSR);
1318                         got_user = True;
1319
1320                 } else if (pace->type == SMB_ACL_GROUP_OBJ) {
1321
1322                         /*
1323                          * Ensure create mask/force create mode is respected on set.
1324                          */
1325
1326                         if (setting_acl)
1327                                 apply_default_perms(params, is_directory, pace, S_IRGRP);
1328                         got_grp = True;
1329
1330                 } else if (pace->type == SMB_ACL_OTHER) {
1331
1332                         /*
1333                          * Ensure create mask/force create mode is respected on set.
1334                          */
1335
1336                         if (setting_acl)
1337                                 apply_default_perms(params, is_directory, pace, S_IROTH);
1338                         got_other = True;
1339                         pace_other = pace;
1340                 }
1341         }
1342
1343         if (!got_user) {
1344                 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1345                         DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1346                         return False;
1347                 }
1348
1349                 ZERO_STRUCTP(pace);
1350                 pace->type = SMB_ACL_USER_OBJ;
1351                 pace->owner_type = UID_ACE;
1352                 pace->unix_ug.uid = pst->st_uid;
1353                 pace->trustee = *pfile_owner_sid;
1354                 pace->attr = ALLOW_ACE;
1355
1356                 if (setting_acl) {
1357                         /* See if the owning user is in any of the other groups in
1358                            the ACE. If so, OR in the permissions from that group. */
1359
1360                         bool group_matched = False;
1361                         canon_ace *pace_iter;
1362
1363                         for (pace_iter = *pp_ace; pace_iter; pace_iter = pace_iter->next) {
1364                                 if (pace_iter->type == SMB_ACL_GROUP_OBJ || pace_iter->type == SMB_ACL_GROUP) {
1365                                         if (uid_entry_in_group(pace, pace_iter)) {
1366                                                 pace->perms |= pace_iter->perms;
1367                                                 group_matched = True;
1368                                         }
1369                                 }
1370                         }
1371
1372                         /* If we only got an "everyone" perm, just use that. */
1373                         if (!group_matched) {
1374                                 if (got_other)
1375                                         pace->perms = pace_other->perms;
1376                                 else
1377                                         pace->perms = 0;
1378                         }
1379
1380                         apply_default_perms(params, is_directory, pace, S_IRUSR);
1381                 } else {
1382                         pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IRUSR, S_IWUSR, S_IXUSR);
1383                 }
1384
1385                 DLIST_ADD(*pp_ace, pace);
1386         }
1387
1388         if (!got_grp) {
1389                 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1390                         DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1391                         return False;
1392                 }
1393
1394                 ZERO_STRUCTP(pace);
1395                 pace->type = SMB_ACL_GROUP_OBJ;
1396                 pace->owner_type = GID_ACE;
1397                 pace->unix_ug.uid = pst->st_gid;
1398                 pace->trustee = *pfile_grp_sid;
1399                 pace->attr = ALLOW_ACE;
1400                 if (setting_acl) {
1401                         /* If we only got an "everyone" perm, just use that. */
1402                         if (got_other)
1403                                 pace->perms = pace_other->perms;
1404                         else
1405                                 pace->perms = 0;
1406                         apply_default_perms(params, is_directory, pace, S_IRGRP);
1407                 } else {
1408                         pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IRGRP, S_IWGRP, S_IXGRP);
1409                 }
1410
1411                 DLIST_ADD(*pp_ace, pace);
1412         }
1413
1414         if (!got_other) {
1415                 if ((pace = SMB_MALLOC_P(canon_ace)) == NULL) {
1416                         DEBUG(0,("ensure_canon_entry_valid: malloc fail.\n"));
1417                         return False;
1418                 }
1419
1420                 ZERO_STRUCTP(pace);
1421                 pace->type = SMB_ACL_OTHER;
1422                 pace->owner_type = WORLD_ACE;
1423                 pace->unix_ug.world = -1;
1424                 pace->trustee = global_sid_World;
1425                 pace->attr = ALLOW_ACE;
1426                 if (setting_acl) {
1427                         pace->perms = 0;
1428                         apply_default_perms(params, is_directory, pace, S_IROTH);
1429                 } else
1430                         pace->perms = unix_perms_to_acl_perms(pst->st_mode, S_IROTH, S_IWOTH, S_IXOTH);
1431
1432                 DLIST_ADD(*pp_ace, pace);
1433         }
1434
1435         return True;
1436 }
1437
1438 /****************************************************************************
1439  Check if a POSIX ACL has the required SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries.
1440  If it does not have them, check if there are any entries where the trustee is the
1441  file owner or the owning group, and map these to SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ.
1442 ****************************************************************************/
1443
1444 static void check_owning_objs(canon_ace *ace, DOM_SID *pfile_owner_sid, DOM_SID *pfile_grp_sid)
1445 {
1446         bool got_user_obj, got_group_obj;
1447         canon_ace *current_ace;
1448         int i, entries;
1449
1450         entries = count_canon_ace_list(ace);
1451         got_user_obj = False;
1452         got_group_obj = False;
1453
1454         for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1455                 if (current_ace->type == SMB_ACL_USER_OBJ)
1456                         got_user_obj = True;
1457                 else if (current_ace->type == SMB_ACL_GROUP_OBJ)
1458                         got_group_obj = True;
1459         }
1460         if (got_user_obj && got_group_obj) {
1461                 DEBUG(10,("check_owning_objs: ACL had owning user/group entries.\n"));
1462                 return;
1463         }
1464
1465         for (i=0, current_ace = ace; i < entries; i++, current_ace = current_ace->next) {
1466                 if (!got_user_obj && current_ace->owner_type == UID_ACE &&
1467                                 sid_equal(&current_ace->trustee, pfile_owner_sid)) {
1468                         current_ace->type = SMB_ACL_USER_OBJ;
1469                         got_user_obj = True;
1470                 }
1471                 if (!got_group_obj && current_ace->owner_type == GID_ACE &&
1472                                 sid_equal(&current_ace->trustee, pfile_grp_sid)) {
1473                         current_ace->type = SMB_ACL_GROUP_OBJ;
1474                         got_group_obj = True;
1475                 }
1476         }
1477         if (!got_user_obj)
1478                 DEBUG(10,("check_owning_objs: ACL is missing an owner entry.\n"));
1479         if (!got_group_obj)
1480                 DEBUG(10,("check_owning_objs: ACL is missing an owning group entry.\n"));
1481 }
1482
1483 /****************************************************************************
1484  Unpack a SEC_DESC into two canonical ace lists.
1485 ****************************************************************************/
1486
1487 static bool create_canon_ace_lists(files_struct *fsp,
1488                                         SMB_STRUCT_STAT *pst,
1489                                         DOM_SID *pfile_owner_sid,
1490                                         DOM_SID *pfile_grp_sid,
1491                                         canon_ace **ppfile_ace,
1492                                         canon_ace **ppdir_ace,
1493                                         const SEC_ACL *dacl)
1494 {
1495         bool all_aces_are_inherit_only = (fsp->is_directory ? True : False);
1496         canon_ace *file_ace = NULL;
1497         canon_ace *dir_ace = NULL;
1498         canon_ace *current_ace = NULL;
1499         bool got_dir_allow = False;
1500         bool got_file_allow = False;
1501         int i, j;
1502
1503         *ppfile_ace = NULL;
1504         *ppdir_ace = NULL;
1505
1506         /*
1507          * Convert the incoming ACL into a more regular form.
1508          */
1509
1510         for(i = 0; i < dacl->num_aces; i++) {
1511                 SEC_ACE *psa = &dacl->aces[i];
1512
1513                 if((psa->type != SEC_ACE_TYPE_ACCESS_ALLOWED) && (psa->type != SEC_ACE_TYPE_ACCESS_DENIED)) {
1514                         DEBUG(3,("create_canon_ace_lists: unable to set anything but an ALLOW or DENY ACE.\n"));
1515                         return False;
1516                 }
1517
1518                 if (nt4_compatible_acls()) {
1519                         /*
1520                          * The security mask may be UNIX_ACCESS_NONE which should map into
1521                          * no permissions (we overload the WRITE_OWNER bit for this) or it
1522                          * should be one of the ALL/EXECUTE/READ/WRITE bits. Arrange for this
1523                          * to be so. Any other bits override the UNIX_ACCESS_NONE bit.
1524                          */
1525
1526                         /*
1527                          * Convert GENERIC bits to specific bits.
1528                          */
1529  
1530                         se_map_generic(&psa->access_mask, &file_generic_mapping);
1531
1532                         psa->access_mask &= (UNIX_ACCESS_NONE|FILE_ALL_ACCESS);
1533
1534                         if(psa->access_mask != UNIX_ACCESS_NONE)
1535                                 psa->access_mask &= ~UNIX_ACCESS_NONE;
1536                 }
1537         }
1538
1539         /*
1540          * Deal with the fact that NT 4.x re-writes the canonical format
1541          * that we return for default ACLs. If a directory ACE is identical
1542          * to a inherited directory ACE then NT changes the bits so that the
1543          * first ACE is set to OI|IO and the second ACE for this SID is set
1544          * to CI. We need to repair this. JRA.
1545          */
1546
1547         for(i = 0; i < dacl->num_aces; i++) {
1548                 SEC_ACE *psa1 = &dacl->aces[i];
1549
1550                 for (j = i + 1; j < dacl->num_aces; j++) {
1551                         SEC_ACE *psa2 = &dacl->aces[j];
1552
1553                         if (psa1->access_mask != psa2->access_mask)
1554                                 continue;
1555
1556                         if (!sid_equal(&psa1->trustee, &psa2->trustee))
1557                                 continue;
1558
1559                         /*
1560                          * Ok - permission bits and SIDs are equal.
1561                          * Check if flags were re-written.
1562                          */
1563
1564                         if (psa1->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1565
1566                                 psa1->flags |= (psa2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1567                                 psa2->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1568
1569                         } else if (psa2->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
1570
1571                                 psa2->flags |= (psa1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT));
1572                                 psa1->flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT);
1573
1574                         }
1575                 }
1576         }
1577
1578         for(i = 0; i < dacl->num_aces; i++) {
1579                 SEC_ACE *psa = &dacl->aces[i];
1580
1581                 /*
1582                  * Create a cannon_ace entry representing this NT DACL ACE.
1583                  */
1584
1585                 if ((current_ace = SMB_MALLOC_P(canon_ace)) == NULL) {
1586                         free_canon_ace_list(file_ace);
1587                         free_canon_ace_list(dir_ace);
1588                         DEBUG(0,("create_canon_ace_lists: malloc fail.\n"));
1589                         return False;
1590                 }
1591
1592                 ZERO_STRUCTP(current_ace);
1593
1594                 sid_copy(&current_ace->trustee, &psa->trustee);
1595
1596                 /*
1597                  * Try and work out if the SID is a user or group
1598                  * as we need to flag these differently for POSIX.
1599                  * Note what kind of a POSIX ACL this should map to.
1600                  */
1601
1602                 if( sid_equal(&current_ace->trustee, &global_sid_World)) {
1603                         current_ace->owner_type = WORLD_ACE;
1604                         current_ace->unix_ug.world = -1;
1605                         current_ace->type = SMB_ACL_OTHER;
1606                 } else if (sid_equal(&current_ace->trustee, &global_sid_Creator_Owner)) {
1607                         current_ace->owner_type = UID_ACE;
1608                         current_ace->unix_ug.uid = pst->st_uid;
1609                         current_ace->type = SMB_ACL_USER_OBJ;
1610
1611                         /*
1612                          * The Creator Owner entry only specifies inheritable permissions,
1613                          * never access permissions. WinNT doesn't always set the ACE to
1614                          *INHERIT_ONLY, though.
1615                          */
1616
1617                         if (nt4_compatible_acls())
1618                                 psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1619                 } else if (sid_equal(&current_ace->trustee, &global_sid_Creator_Group)) {
1620                         current_ace->owner_type = GID_ACE;
1621                         current_ace->unix_ug.gid = pst->st_gid;
1622                         current_ace->type = SMB_ACL_GROUP_OBJ;
1623
1624                         /*
1625                          * The Creator Group entry only specifies inheritable permissions,
1626                          * never access permissions. WinNT doesn't always set the ACE to
1627                          *INHERIT_ONLY, though.
1628                          */
1629                         if (nt4_compatible_acls())
1630                                 psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
1631
1632                 } else if (sid_to_uid( &current_ace->trustee, &current_ace->unix_ug.uid)) {
1633                         current_ace->owner_type = UID_ACE;
1634                         /* If it's the owning user, this is a user_obj, not
1635                          * a user. */
1636                         if (current_ace->unix_ug.uid == pst->st_uid) {
1637                                 current_ace->type = SMB_ACL_USER_OBJ;
1638                         } else {
1639                                 current_ace->type = SMB_ACL_USER;
1640                         }
1641                 } else if (sid_to_gid( &current_ace->trustee, &current_ace->unix_ug.gid)) {
1642                         current_ace->owner_type = GID_ACE;
1643                         /* If it's the primary group, this is a group_obj, not
1644                          * a group. */
1645                         if (current_ace->unix_ug.gid == pst->st_gid) {
1646                                 current_ace->type = SMB_ACL_GROUP_OBJ;
1647                         } else {
1648                                 current_ace->type = SMB_ACL_GROUP;
1649                         }
1650                 } else {
1651                         /*
1652                          * Silently ignore map failures in non-mappable SIDs (NT Authority, BUILTIN etc).
1653                          */
1654
1655                         if (non_mappable_sid(&psa->trustee)) {
1656                                 DEBUG(10, ("create_canon_ace_lists: ignoring "
1657                                            "non-mappable SID %s\n",
1658                                            sid_string_dbg(&psa->trustee)));
1659                                 SAFE_FREE(current_ace);
1660                                 continue;
1661                         }
1662
1663                         free_canon_ace_list(file_ace);
1664                         free_canon_ace_list(dir_ace);
1665                         DEBUG(0, ("create_canon_ace_lists: unable to map SID "
1666                                   "%s to uid or gid.\n",
1667                                   sid_string_dbg(&current_ace->trustee)));
1668                         SAFE_FREE(current_ace);
1669                         return False;
1670                 }
1671
1672                 /*
1673                  * Map the given NT permissions into a UNIX mode_t containing only
1674                  * S_I(R|W|X)USR bits.
1675                  */
1676
1677                 current_ace->perms |= map_nt_perms( &psa->access_mask, S_IRUSR);
1678                 current_ace->attr = (psa->type == SEC_ACE_TYPE_ACCESS_ALLOWED) ? ALLOW_ACE : DENY_ACE;
1679
1680                 /* Store the ace_flag. */
1681                 current_ace->ace_flags = psa->flags;
1682
1683                 /*
1684                  * Now add the created ace to either the file list, the directory
1685                  * list, or both. We *MUST* preserve the order here (hence we use
1686                  * DLIST_ADD_END) as NT ACLs are order dependent.
1687                  */
1688
1689                 if (fsp->is_directory) {
1690
1691                         /*
1692                          * We can only add to the default POSIX ACE list if the ACE is
1693                          * designed to be inherited by both files and directories.
1694                          */
1695
1696                         if ((psa->flags & (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) ==
1697                                 (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) {
1698
1699                                 DLIST_ADD_END(dir_ace, current_ace, canon_ace *);
1700
1701                                 /*
1702                                  * Note if this was an allow ace. We can't process
1703                                  * any further deny ace's after this.
1704                                  */
1705
1706                                 if (current_ace->attr == ALLOW_ACE)
1707                                         got_dir_allow = True;
1708
1709                                 if ((current_ace->attr == DENY_ACE) && got_dir_allow) {
1710                                         DEBUG(0,("create_canon_ace_lists: malformed ACL in inheritable ACL ! \
1711 Deny entry after Allow entry. Failing to set on file %s.\n", fsp->fsp_name ));
1712                                         free_canon_ace_list(file_ace);
1713                                         free_canon_ace_list(dir_ace);
1714                                         return False;
1715                                 }       
1716
1717                                 if( DEBUGLVL( 10 )) {
1718                                         dbgtext("create_canon_ace_lists: adding dir ACL:\n");
1719                                         print_canon_ace( current_ace, 0);
1720                                 }
1721
1722                                 /*
1723                                  * If this is not an inherit only ACE we need to add a duplicate
1724                                  * to the file acl.
1725                                  */
1726
1727                                 if (!(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1728                                         canon_ace *dup_ace = dup_canon_ace(current_ace);
1729
1730                                         if (!dup_ace) {
1731                                                 DEBUG(0,("create_canon_ace_lists: malloc fail !\n"));
1732                                                 free_canon_ace_list(file_ace);
1733                                                 free_canon_ace_list(dir_ace);
1734                                                 return False;
1735                                         }
1736
1737                                         /*
1738                                          * We must not free current_ace here as its
1739                                          * pointer is now owned by the dir_ace list.
1740                                          */
1741                                         current_ace = dup_ace;
1742                                 } else {
1743                                         /*
1744                                          * We must not free current_ace here as its
1745                                          * pointer is now owned by the dir_ace list.
1746                                          */
1747                                         current_ace = NULL;
1748                                 }
1749                         }
1750                 }
1751
1752                 /*
1753                  * Only add to the file ACL if not inherit only.
1754                  */
1755
1756                 if (current_ace && !(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
1757                         DLIST_ADD_END(file_ace, current_ace, canon_ace *);
1758
1759                         /*
1760                          * Note if this was an allow ace. We can't process
1761                          * any further deny ace's after this.
1762                          */
1763
1764                         if (current_ace->attr == ALLOW_ACE)
1765                                 got_file_allow = True;
1766
1767                         if ((current_ace->attr == DENY_ACE) && got_file_allow) {
1768                                 DEBUG(0,("create_canon_ace_lists: malformed ACL in file ACL ! \
1769 Deny entry after Allow entry. Failing to set on file %s.\n", fsp->fsp_name ));
1770                                 free_canon_ace_list(file_ace);
1771                                 free_canon_ace_list(dir_ace);
1772                                 return False;
1773                         }       
1774
1775                         if( DEBUGLVL( 10 )) {
1776                                 dbgtext("create_canon_ace_lists: adding file ACL:\n");
1777                                 print_canon_ace( current_ace, 0);
1778                         }
1779                         all_aces_are_inherit_only = False;
1780                         /*
1781                          * We must not free current_ace here as its
1782                          * pointer is now owned by the file_ace list.
1783                          */
1784                         current_ace = NULL;
1785                 }
1786
1787                 /*
1788                  * Free if ACE was not added.
1789                  */
1790
1791                 SAFE_FREE(current_ace);
1792         }
1793
1794         if (fsp->is_directory && all_aces_are_inherit_only) {
1795                 /*
1796                  * Windows 2000 is doing one of these weird 'inherit acl'
1797                  * traverses to conserve NTFS ACL resources. Just pretend
1798                  * there was no DACL sent. JRA.
1799                  */
1800
1801                 DEBUG(10,("create_canon_ace_lists: Win2k inherit acl traverse. Ignoring DACL.\n"));
1802                 free_canon_ace_list(file_ace);
1803                 free_canon_ace_list(dir_ace);
1804                 file_ace = NULL;
1805                 dir_ace = NULL;
1806         } else {
1807                 /*
1808                  * Check if we have SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries in each
1809                  * ACL. If we don't have them, check if any SMB_ACL_USER/SMB_ACL_GROUP
1810                  * entries can be converted to *_OBJ. Usually we will already have these
1811                  * entries in the Default ACL, and the Access ACL will not have them.
1812                  */
1813                 if (file_ace) {
1814                         check_owning_objs(file_ace, pfile_owner_sid, pfile_grp_sid);
1815                 }
1816                 if (dir_ace) {
1817                         check_owning_objs(dir_ace, pfile_owner_sid, pfile_grp_sid);
1818                 }
1819         }
1820
1821         *ppfile_ace = file_ace;
1822         *ppdir_ace = dir_ace;
1823
1824         return True;
1825 }
1826
1827 /****************************************************************************
1828  ASCII art time again... JRA :-).
1829
1830  We have 4 cases to process when moving from an NT ACL to a POSIX ACL. Firstly,
1831  we insist the ACL is in canonical form (ie. all DENY entries preceede ALLOW
1832  entries). Secondly, the merge code has ensured that all duplicate SID entries for
1833  allow or deny have been merged, so the same SID can only appear once in the deny
1834  list or once in the allow list.
1835
1836  We then process as follows :
1837
1838  ---------------------------------------------------------------------------
1839  First pass - look for a Everyone DENY entry.
1840
1841  If it is deny all (rwx) trunate the list at this point.
1842  Else, walk the list from this point and use the deny permissions of this
1843  entry as a mask on all following allow entries. Finally, delete
1844  the Everyone DENY entry (we have applied it to everything possible).
1845
1846  In addition, in this pass we remove any DENY entries that have 
1847  no permissions (ie. they are a DENY nothing).
1848  ---------------------------------------------------------------------------
1849  Second pass - only deal with deny user entries.
1850
1851  DENY user1 (perms XXX)
1852
1853  new_perms = 0
1854  for all following allow group entries where user1 is in group
1855         new_perms |= group_perms;
1856
1857  user1 entry perms = new_perms & ~ XXX;
1858
1859  Convert the deny entry to an allow entry with the new perms and
1860  push to the end of the list. Note if the user was in no groups
1861  this maps to a specific allow nothing entry for this user.
1862
1863  The common case from the NT ACL choser (userX deny all) is
1864  optimised so we don't do the group lookup - we just map to
1865  an allow nothing entry.
1866
1867  What we're doing here is inferring the allow permissions the
1868  person setting the ACE on user1 wanted by looking at the allow
1869  permissions on the groups the user is currently in. This will
1870  be a snapshot, depending on group membership but is the best
1871  we can do and has the advantage of failing closed rather than
1872  open.
1873  ---------------------------------------------------------------------------
1874  Third pass - only deal with deny group entries.
1875
1876  DENY group1 (perms XXX)
1877
1878  for all following allow user entries where user is in group1
1879    user entry perms = user entry perms & ~ XXX;
1880
1881  If there is a group Everyone allow entry with permissions YYY,
1882  convert the group1 entry to an allow entry and modify its
1883  permissions to be :
1884
1885  new_perms = YYY & ~ XXX
1886
1887  and push to the end of the list.
1888
1889  If there is no group Everyone allow entry then convert the
1890  group1 entry to a allow nothing entry and push to the end of the list.
1891
1892  Note that the common case from the NT ACL choser (groupX deny all)
1893  cannot be optimised here as we need to modify user entries who are
1894  in the group to change them to a deny all also.
1895
1896  What we're doing here is modifying the allow permissions of
1897  user entries (which are more specific in POSIX ACLs) to mask
1898  out the explicit deny set on the group they are in. This will
1899  be a snapshot depending on current group membership but is the
1900  best we can do and has the advantage of failing closed rather
1901  than open.
1902  ---------------------------------------------------------------------------
1903  Fourth pass - cope with cumulative permissions.
1904
1905  for all allow user entries, if there exists an allow group entry with
1906  more permissive permissions, and the user is in that group, rewrite the
1907  allow user permissions to contain both sets of permissions.
1908
1909  Currently the code for this is #ifdef'ed out as these semantics make
1910  no sense to me. JRA.
1911  ---------------------------------------------------------------------------
1912
1913  Note we *MUST* do the deny user pass first as this will convert deny user
1914  entries into allow user entries which can then be processed by the deny
1915  group pass.
1916
1917  The above algorithm took a *lot* of thinking about - hence this
1918  explaination :-). JRA.
1919 ****************************************************************************/
1920
1921 /****************************************************************************
1922  Process a canon_ace list entries. This is very complex code. We need
1923  to go through and remove the "deny" permissions from any allow entry that matches
1924  the id of this entry. We have already refused any NT ACL that wasn't in correct
1925  order (DENY followed by ALLOW). If any allow entry ends up with zero permissions,
1926  we just remove it (to fail safe). We have already removed any duplicate ace
1927  entries. Treat an "Everyone" DENY_ACE as a special case - use it to mask all
1928  allow entries.
1929 ****************************************************************************/
1930
1931 static void process_deny_list( canon_ace **pp_ace_list )
1932 {
1933         canon_ace *ace_list = *pp_ace_list;
1934         canon_ace *curr_ace = NULL;
1935         canon_ace *curr_ace_next = NULL;
1936
1937         /* Pass 1 above - look for an Everyone, deny entry. */
1938
1939         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
1940                 canon_ace *allow_ace_p;
1941
1942                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
1943
1944                 if (curr_ace->attr != DENY_ACE)
1945                         continue;
1946
1947                 if (curr_ace->perms == (mode_t)0) {
1948
1949                         /* Deny nothing entry - delete. */
1950
1951                         DLIST_REMOVE(ace_list, curr_ace);
1952                         continue;
1953                 }
1954
1955                 if (!sid_equal(&curr_ace->trustee, &global_sid_World))
1956                         continue;
1957
1958                 /* JRATEST - assert. */
1959                 SMB_ASSERT(curr_ace->owner_type == WORLD_ACE);
1960
1961                 if (curr_ace->perms == ALL_ACE_PERMS) {
1962
1963                         /*
1964                          * Optimisation. This is a DENY_ALL to Everyone. Truncate the
1965                          * list at this point including this entry.
1966                          */
1967
1968                         canon_ace *prev_entry = curr_ace->prev;
1969
1970                         free_canon_ace_list( curr_ace );
1971                         if (prev_entry)
1972                                 prev_entry->next = NULL;
1973                         else {
1974                                 /* We deleted the entire list. */
1975                                 ace_list = NULL;
1976                         }
1977                         break;
1978                 }
1979
1980                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
1981
1982                         /* 
1983                          * Only mask off allow entries.
1984                          */
1985
1986                         if (allow_ace_p->attr != ALLOW_ACE)
1987                                 continue;
1988
1989                         allow_ace_p->perms &= ~curr_ace->perms;
1990                 }
1991
1992                 /*
1993                  * Now it's been applied, remove it.
1994                  */
1995
1996                 DLIST_REMOVE(ace_list, curr_ace);
1997         }
1998
1999         /* Pass 2 above - deal with deny user entries. */
2000
2001         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2002                 mode_t new_perms = (mode_t)0;
2003                 canon_ace *allow_ace_p;
2004
2005                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2006
2007                 if (curr_ace->attr != DENY_ACE)
2008                         continue;
2009
2010                 if (curr_ace->owner_type != UID_ACE)
2011                         continue;
2012
2013                 if (curr_ace->perms == ALL_ACE_PERMS) {
2014
2015                         /*
2016                          * Optimisation - this is a deny everything to this user.
2017                          * Convert to an allow nothing and push to the end of the list.
2018                          */
2019
2020                         curr_ace->attr = ALLOW_ACE;
2021                         curr_ace->perms = (mode_t)0;
2022                         DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
2023                         continue;
2024                 }
2025
2026                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2027
2028                         if (allow_ace_p->attr != ALLOW_ACE)
2029                                 continue;
2030
2031                         /* We process GID_ACE and WORLD_ACE entries only. */
2032
2033                         if (allow_ace_p->owner_type == UID_ACE)
2034                                 continue;
2035
2036                         if (uid_entry_in_group( curr_ace, allow_ace_p))
2037                                 new_perms |= allow_ace_p->perms;
2038                 }
2039
2040                 /*
2041                  * Convert to a allow entry, modify the perms and push to the end
2042                  * of the list.
2043                  */
2044
2045                 curr_ace->attr = ALLOW_ACE;
2046                 curr_ace->perms = (new_perms & ~curr_ace->perms);
2047                 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
2048         }
2049
2050         /* Pass 3 above - deal with deny group entries. */
2051
2052         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2053                 canon_ace *allow_ace_p;
2054                 canon_ace *allow_everyone_p = NULL;
2055
2056                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2057
2058                 if (curr_ace->attr != DENY_ACE)
2059                         continue;
2060
2061                 if (curr_ace->owner_type != GID_ACE)
2062                         continue;
2063
2064                 for (allow_ace_p = curr_ace->next; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2065
2066                         if (allow_ace_p->attr != ALLOW_ACE)
2067                                 continue;
2068
2069                         /* Store a pointer to the Everyone allow, if it exists. */
2070                         if (allow_ace_p->owner_type == WORLD_ACE)
2071                                 allow_everyone_p = allow_ace_p;
2072
2073                         /* We process UID_ACE entries only. */
2074
2075                         if (allow_ace_p->owner_type != UID_ACE)
2076                                 continue;
2077
2078                         /* Mask off the deny group perms. */
2079
2080                         if (uid_entry_in_group( allow_ace_p, curr_ace))
2081                                 allow_ace_p->perms &= ~curr_ace->perms;
2082                 }
2083
2084                 /*
2085                  * Convert the deny to an allow with the correct perms and
2086                  * push to the end of the list.
2087                  */
2088
2089                 curr_ace->attr = ALLOW_ACE;
2090                 if (allow_everyone_p)
2091                         curr_ace->perms = allow_everyone_p->perms & ~curr_ace->perms;
2092                 else
2093                         curr_ace->perms = (mode_t)0;
2094                 DLIST_DEMOTE(ace_list, curr_ace, canon_ace *);
2095         }
2096
2097         /* Doing this fourth pass allows Windows semantics to be layered
2098          * on top of POSIX semantics. I'm not sure if this is desirable.
2099          * For example, in W2K ACLs there is no way to say, "Group X no
2100          * access, user Y full access" if user Y is a member of group X.
2101          * This seems completely broken semantics to me.... JRA.
2102          */
2103
2104 #if 0
2105         /* Pass 4 above - deal with allow entries. */
2106
2107         for (curr_ace = ace_list; curr_ace; curr_ace = curr_ace_next) {
2108                 canon_ace *allow_ace_p;
2109
2110                 curr_ace_next = curr_ace->next; /* So we can't lose the link. */
2111
2112                 if (curr_ace->attr != ALLOW_ACE)
2113                         continue;
2114
2115                 if (curr_ace->owner_type != UID_ACE)
2116                         continue;
2117
2118                 for (allow_ace_p = ace_list; allow_ace_p; allow_ace_p = allow_ace_p->next) {
2119
2120                         if (allow_ace_p->attr != ALLOW_ACE)
2121                                 continue;
2122
2123                         /* We process GID_ACE entries only. */
2124
2125                         if (allow_ace_p->owner_type != GID_ACE)
2126                                 continue;
2127
2128                         /* OR in the group perms. */
2129
2130                         if (uid_entry_in_group( curr_ace, allow_ace_p))
2131                                 curr_ace->perms |= allow_ace_p->perms;
2132                 }
2133         }
2134 #endif
2135
2136         *pp_ace_list = ace_list;
2137 }
2138
2139 /****************************************************************************
2140  Create a default mode that will be used if a security descriptor entry has
2141  no user/group/world entries.
2142 ****************************************************************************/
2143
2144 static mode_t create_default_mode(files_struct *fsp, bool interitable_mode)
2145 {
2146         int snum = SNUM(fsp->conn);
2147         mode_t and_bits = (mode_t)0;
2148         mode_t or_bits = (mode_t)0;
2149         mode_t mode = interitable_mode
2150                 ? unix_mode( fsp->conn, FILE_ATTRIBUTE_ARCHIVE, fsp->fsp_name,
2151                              NULL )
2152                 : S_IRUSR;
2153
2154         if (fsp->is_directory)
2155                 mode |= (S_IWUSR|S_IXUSR);
2156
2157         /*
2158          * Now AND with the create mode/directory mode bits then OR with the
2159          * force create mode/force directory mode bits.
2160          */
2161
2162         if (fsp->is_directory) {
2163                 and_bits = lp_dir_security_mask(snum);
2164                 or_bits = lp_force_dir_security_mode(snum);
2165         } else {
2166                 and_bits = lp_security_mask(snum);
2167                 or_bits = lp_force_security_mode(snum);
2168         }
2169
2170         return ((mode & and_bits)|or_bits);
2171 }
2172
2173 /****************************************************************************
2174  Unpack a SEC_DESC into two canonical ace lists. We don't depend on this
2175  succeeding.
2176 ****************************************************************************/
2177
2178 static bool unpack_canon_ace(files_struct *fsp,
2179                                 SMB_STRUCT_STAT *pst,
2180                                 DOM_SID *pfile_owner_sid,
2181                                 DOM_SID *pfile_grp_sid,
2182                                 canon_ace **ppfile_ace,
2183                                 canon_ace **ppdir_ace,
2184                                 uint32 security_info_sent,
2185                                 const SEC_DESC *psd)
2186 {
2187         canon_ace *file_ace = NULL;
2188         canon_ace *dir_ace = NULL;
2189
2190         *ppfile_ace = NULL;
2191         *ppdir_ace = NULL;
2192
2193         if(security_info_sent == 0) {
2194                 DEBUG(0,("unpack_canon_ace: no security info sent !\n"));
2195                 return False;
2196         }
2197
2198         /*
2199          * If no DACL then this is a chown only security descriptor.
2200          */
2201
2202         if(!(security_info_sent & DACL_SECURITY_INFORMATION) || !psd->dacl)
2203                 return True;
2204
2205         /*
2206          * Now go through the DACL and create the canon_ace lists.
2207          */
2208
2209         if (!create_canon_ace_lists( fsp, pst, pfile_owner_sid, pfile_grp_sid,
2210                                                                 &file_ace, &dir_ace, psd->dacl))
2211                 return False;
2212
2213         if ((file_ace == NULL) && (dir_ace == NULL)) {
2214                 /* W2K traverse DACL set - ignore. */
2215                 return True;
2216         }
2217
2218         /*
2219          * Go through the canon_ace list and merge entries
2220          * belonging to identical users of identical allow or deny type.
2221          * We can do this as all deny entries come first, followed by
2222          * all allow entries (we have mandated this before accepting this acl).
2223          */
2224
2225         print_canon_ace_list( "file ace - before merge", file_ace);
2226         merge_aces( &file_ace );
2227
2228         print_canon_ace_list( "dir ace - before merge", dir_ace);
2229         merge_aces( &dir_ace );
2230
2231         /*
2232          * NT ACLs are order dependent. Go through the acl lists and
2233          * process DENY entries by masking the allow entries.
2234          */
2235
2236         print_canon_ace_list( "file ace - before deny", file_ace);
2237         process_deny_list( &file_ace);
2238
2239         print_canon_ace_list( "dir ace - before deny", dir_ace);
2240         process_deny_list( &dir_ace);
2241
2242         /*
2243          * A well formed POSIX file or default ACL has at least 3 entries, a 
2244          * SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER_OBJ
2245          * and optionally a mask entry. Ensure this is the case.
2246          */
2247
2248         print_canon_ace_list( "file ace - before valid", file_ace);
2249
2250         /*
2251          * A default 3 element mode entry for a file should be r-- --- ---.
2252          * A default 3 element mode entry for a directory should be rwx --- ---.
2253          */
2254
2255         pst->st_mode = create_default_mode(fsp, False);
2256
2257         if (!ensure_canon_entry_valid(&file_ace, fsp->conn->params, fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
2258                 free_canon_ace_list(file_ace);
2259                 free_canon_ace_list(dir_ace);
2260                 return False;
2261         }
2262
2263         print_canon_ace_list( "dir ace - before valid", dir_ace);
2264
2265         /*
2266          * A default inheritable 3 element mode entry for a directory should be the
2267          * mode Samba will use to create a file within. Ensure user rwx bits are set if
2268          * it's a directory.
2269          */
2270
2271         pst->st_mode = create_default_mode(fsp, True);
2272
2273         if (dir_ace && !ensure_canon_entry_valid(&dir_ace, fsp->conn->params, fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
2274                 free_canon_ace_list(file_ace);
2275                 free_canon_ace_list(dir_ace);
2276                 return False;
2277         }
2278
2279         print_canon_ace_list( "file ace - return", file_ace);
2280         print_canon_ace_list( "dir ace - return", dir_ace);
2281
2282         *ppfile_ace = file_ace;
2283         *ppdir_ace = dir_ace;
2284         return True;
2285
2286 }
2287
2288 /******************************************************************************
2289  When returning permissions, try and fit NT display
2290  semantics if possible. Note the the canon_entries here must have been malloced.
2291  The list format should be - first entry = owner, followed by group and other user
2292  entries, last entry = other.
2293
2294  Note that this doesn't exactly match the NT semantics for an ACL. As POSIX entries
2295  are not ordered, and match on the most specific entry rather than walking a list,
2296  then a simple POSIX permission of rw-r--r-- should really map to 5 entries,
2297
2298  Entry 0: owner : deny all except read and write.
2299  Entry 1: owner : allow read and write.
2300  Entry 2: group : deny all except read.
2301  Entry 3: group : allow read.
2302  Entry 4: Everyone : allow read.
2303
2304  But NT cannot display this in their ACL editor !
2305 ********************************************************************************/
2306
2307 static void arrange_posix_perms(const char *filename, canon_ace **pp_list_head)
2308 {
2309         canon_ace *l_head = *pp_list_head;
2310         canon_ace *owner_ace = NULL;
2311         canon_ace *other_ace = NULL;
2312         canon_ace *ace = NULL;
2313
2314         for (ace = l_head; ace; ace = ace->next) {
2315                 if (ace->type == SMB_ACL_USER_OBJ)
2316                         owner_ace = ace;
2317                 else if (ace->type == SMB_ACL_OTHER) {
2318                         /* Last ace - this is "other" */
2319                         other_ace = ace;
2320                 }
2321         }
2322
2323         if (!owner_ace || !other_ace) {
2324                 DEBUG(0,("arrange_posix_perms: Invalid POSIX permissions for file %s, missing owner or other.\n",
2325                         filename ));
2326                 return;
2327         }
2328
2329         /*
2330          * The POSIX algorithm applies to owner first, and other last,
2331          * so ensure they are arranged in this order.
2332          */
2333
2334         if (owner_ace) {
2335                 DLIST_PROMOTE(l_head, owner_ace);
2336         }
2337
2338         if (other_ace) {
2339                 DLIST_DEMOTE(l_head, other_ace, canon_ace *);
2340         }
2341
2342         /* We have probably changed the head of the list. */
2343
2344         *pp_list_head = l_head;
2345 }
2346
2347 /****************************************************************************
2348  Create a linked list of canonical ACE entries.
2349 ****************************************************************************/
2350
2351 static canon_ace *canonicalise_acl(struct connection_struct *conn,
2352                                    const char *fname, SMB_ACL_T posix_acl,
2353                                    const SMB_STRUCT_STAT *psbuf,
2354                                    const DOM_SID *powner, const DOM_SID *pgroup, struct pai_val *pal, SMB_ACL_TYPE_T the_acl_type)
2355 {
2356         mode_t acl_mask = (S_IRUSR|S_IWUSR|S_IXUSR);
2357         canon_ace *l_head = NULL;
2358         canon_ace *ace = NULL;
2359         canon_ace *next_ace = NULL;
2360         int entry_id = SMB_ACL_FIRST_ENTRY;
2361         SMB_ACL_ENTRY_T entry;
2362         size_t ace_count;
2363
2364         while ( posix_acl && (SMB_VFS_SYS_ACL_GET_ENTRY(conn, posix_acl, entry_id, &entry) == 1)) {
2365                 SMB_ACL_TAG_T tagtype;
2366                 SMB_ACL_PERMSET_T permset;
2367                 DOM_SID sid;
2368                 posix_id unix_ug;
2369                 enum ace_owner owner_type;
2370
2371                 entry_id = SMB_ACL_NEXT_ENTRY;
2372
2373                 /* Is this a MASK entry ? */
2374                 if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) == -1)
2375                         continue;
2376
2377                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1)
2378                         continue;
2379
2380                 /* Decide which SID to use based on the ACL type. */
2381                 switch(tagtype) {
2382                         case SMB_ACL_USER_OBJ:
2383                                 /* Get the SID from the owner. */
2384                                 sid_copy(&sid, powner);
2385                                 unix_ug.uid = psbuf->st_uid;
2386                                 owner_type = UID_ACE;
2387                                 break;
2388                         case SMB_ACL_USER:
2389                                 {
2390                                         uid_t *puid = (uid_t *)SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry);
2391                                         if (puid == NULL) {
2392                                                 DEBUG(0,("canonicalise_acl: Failed to get uid.\n"));
2393                                                 continue;
2394                                         }
2395                                         /*
2396                                          * A SMB_ACL_USER entry for the owner is shadowed by the
2397                                          * SMB_ACL_USER_OBJ entry and Windows also cannot represent
2398                                          * that entry, so we ignore it. We also don't create such
2399                                          * entries out of the blue when setting ACLs, so a get/set
2400                                          * cycle will drop them.
2401                                          */
2402                                         if (the_acl_type == SMB_ACL_TYPE_ACCESS && *puid == psbuf->st_uid) {
2403                                                 SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)puid,tagtype);
2404                                                 continue;
2405                                         }
2406                                         uid_to_sid( &sid, *puid);
2407                                         unix_ug.uid = *puid;
2408                                         owner_type = UID_ACE;
2409                                         SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)puid,tagtype);
2410                                         break;
2411                                 }
2412                         case SMB_ACL_GROUP_OBJ:
2413                                 /* Get the SID from the owning group. */
2414                                 sid_copy(&sid, pgroup);
2415                                 unix_ug.gid = psbuf->st_gid;
2416                                 owner_type = GID_ACE;
2417                                 break;
2418                         case SMB_ACL_GROUP:
2419                                 {
2420                                         gid_t *pgid = (gid_t *)SMB_VFS_SYS_ACL_GET_QUALIFIER(conn, entry);
2421                                         if (pgid == NULL) {
2422                                                 DEBUG(0,("canonicalise_acl: Failed to get gid.\n"));
2423                                                 continue;
2424                                         }
2425                                         gid_to_sid( &sid, *pgid);
2426                                         unix_ug.gid = *pgid;
2427                                         owner_type = GID_ACE;
2428                                         SMB_VFS_SYS_ACL_FREE_QUALIFIER(conn, (void *)pgid,tagtype);
2429                                         break;
2430                                 }
2431                         case SMB_ACL_MASK:
2432                                 acl_mask = convert_permset_to_mode_t(conn, permset);
2433                                 continue; /* Don't count the mask as an entry. */
2434                         case SMB_ACL_OTHER:
2435                                 /* Use the Everyone SID */
2436                                 sid = global_sid_World;
2437                                 unix_ug.world = -1;
2438                                 owner_type = WORLD_ACE;
2439                                 break;
2440                         default:
2441                                 DEBUG(0,("canonicalise_acl: Unknown tagtype %u\n", (unsigned int)tagtype));
2442                                 continue;
2443                 }
2444
2445                 /*
2446                  * Add this entry to the list.
2447                  */
2448
2449                 if ((ace = SMB_MALLOC_P(canon_ace)) == NULL)
2450                         goto fail;
2451
2452                 ZERO_STRUCTP(ace);
2453                 ace->type = tagtype;
2454                 ace->perms = convert_permset_to_mode_t(conn, permset);
2455                 ace->attr = ALLOW_ACE;
2456                 ace->trustee = sid;
2457                 ace->unix_ug = unix_ug;
2458                 ace->owner_type = owner_type;
2459                 ace->ace_flags = get_pai_flags(pal, ace, (the_acl_type == SMB_ACL_TYPE_DEFAULT));
2460
2461                 DLIST_ADD(l_head, ace);
2462         }
2463
2464         /*
2465          * This next call will ensure we have at least a user/group/world set.
2466          */
2467
2468         if (!ensure_canon_entry_valid(&l_head, conn->params,
2469                                       S_ISDIR(psbuf->st_mode), powner, pgroup,
2470                                       psbuf, False))
2471                 goto fail;
2472
2473         /*
2474          * Now go through the list, masking the permissions with the
2475          * acl_mask. Ensure all DENY Entries are at the start of the list.
2476          */
2477
2478         DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", the_acl_type == SMB_ACL_TYPE_ACCESS ? "Access" : "Default" ));
2479
2480         for ( ace_count = 0, ace = l_head; ace; ace = next_ace, ace_count++) {
2481                 next_ace = ace->next;
2482
2483                 /* Masks are only applied to entries other than USER_OBJ and OTHER. */
2484                 if (ace->type != SMB_ACL_OTHER && ace->type != SMB_ACL_USER_OBJ)
2485                         ace->perms &= acl_mask;
2486
2487                 if (ace->perms == 0) {
2488                         DLIST_PROMOTE(l_head, ace);
2489                 }
2490
2491                 if( DEBUGLVL( 10 ) ) {
2492                         print_canon_ace(ace, ace_count);
2493                 }
2494         }
2495
2496         arrange_posix_perms(fname,&l_head );
2497
2498         print_canon_ace_list( "canonicalise_acl: ace entries after arrange", l_head );
2499
2500         return l_head;
2501
2502   fail:
2503
2504         free_canon_ace_list(l_head);
2505         return NULL;
2506 }
2507
2508 /****************************************************************************
2509  Check if the current user group list contains a given group.
2510 ****************************************************************************/
2511
2512 static bool current_user_in_group(gid_t gid)
2513 {
2514         int i;
2515
2516         for (i = 0; i < current_user.ut.ngroups; i++) {
2517                 if (current_user.ut.groups[i] == gid) {
2518                         return True;
2519                 }
2520         }
2521
2522         return False;
2523 }
2524
2525 /****************************************************************************
2526  Should we override a deny ? Check 'acl group control' and 'dos filemode'.
2527 ****************************************************************************/
2528
2529 static bool acl_group_override(connection_struct *conn,
2530                                 gid_t prim_gid,
2531                                 const char *fname)
2532 {
2533         SMB_STRUCT_STAT sbuf;
2534
2535         if ((errno != EPERM) && (errno != EACCES)) {
2536                 return false;
2537         }
2538
2539         /* file primary group == user primary or supplementary group */
2540         if (lp_acl_group_control(SNUM(conn)) &&
2541                         current_user_in_group(prim_gid)) {
2542                 return true;
2543         }
2544
2545         /* user has writeable permission */
2546         if (lp_dos_filemode(SNUM(conn)) &&
2547                         can_write_to_file(conn, fname, &sbuf)) {
2548                 return true;
2549         }
2550
2551         return false;
2552 }
2553
2554 /****************************************************************************
2555  Attempt to apply an ACL to a file or directory.
2556 ****************************************************************************/
2557
2558 static bool set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, bool default_ace, gid_t prim_gid, bool *pacl_set_support)
2559 {
2560         connection_struct *conn = fsp->conn;
2561         bool ret = False;
2562         SMB_ACL_T the_acl = SMB_VFS_SYS_ACL_INIT(conn, (int)count_canon_ace_list(the_ace) + 1);
2563         canon_ace *p_ace;
2564         int i;
2565         SMB_ACL_ENTRY_T mask_entry;
2566         bool got_mask_entry = False;
2567         SMB_ACL_PERMSET_T mask_permset;
2568         SMB_ACL_TYPE_T the_acl_type = (default_ace ? SMB_ACL_TYPE_DEFAULT : SMB_ACL_TYPE_ACCESS);
2569         bool needs_mask = False;
2570         mode_t mask_perms = 0;
2571
2572 #if defined(POSIX_ACL_NEEDS_MASK)
2573         /* HP-UX always wants to have a mask (called "class" there). */
2574         needs_mask = True;
2575 #endif
2576
2577         if (the_acl == NULL) {
2578
2579                 if (!no_acl_syscall_error(errno)) {
2580                         /*
2581                          * Only print this error message if we have some kind of ACL
2582                          * support that's not working. Otherwise we would always get this.
2583                          */
2584                         DEBUG(0,("set_canon_ace_list: Unable to init %s ACL. (%s)\n",
2585                                 default_ace ? "default" : "file", strerror(errno) ));
2586                 }
2587                 *pacl_set_support = False;
2588                 return False;
2589         }
2590
2591         if( DEBUGLVL( 10 )) {
2592                 dbgtext("set_canon_ace_list: setting ACL:\n");
2593                 for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2594                         print_canon_ace( p_ace, i);
2595                 }
2596         }
2597
2598         for (i = 0, p_ace = the_ace; p_ace; p_ace = p_ace->next, i++ ) {
2599                 SMB_ACL_ENTRY_T the_entry;
2600                 SMB_ACL_PERMSET_T the_permset;
2601
2602                 /*
2603                  * ACLs only "need" an ACL_MASK entry if there are any named user or
2604                  * named group entries. But if there is an ACL_MASK entry, it applies
2605                  * to ACL_USER, ACL_GROUP, and ACL_GROUP_OBJ entries. Set the mask
2606                  * so that it doesn't deny (i.e., mask off) any permissions.
2607                  */
2608
2609                 if (p_ace->type == SMB_ACL_USER || p_ace->type == SMB_ACL_GROUP) {
2610                         needs_mask = True;
2611                         mask_perms |= p_ace->perms;
2612                 } else if (p_ace->type == SMB_ACL_GROUP_OBJ) {
2613                         mask_perms |= p_ace->perms;
2614                 }
2615
2616                 /*
2617                  * Get the entry for this ACE.
2618                  */
2619
2620                 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &the_entry) == -1) {
2621                         DEBUG(0,("set_canon_ace_list: Failed to create entry %d. (%s)\n",
2622                                 i, strerror(errno) ));
2623                         goto fail;
2624                 }
2625
2626                 if (p_ace->type == SMB_ACL_MASK) {
2627                         mask_entry = the_entry;
2628                         got_mask_entry = True;
2629                 }
2630
2631                 /*
2632                  * Ok - we now know the ACL calls should be working, don't
2633                  * allow fallback to chmod.
2634                  */
2635
2636                 *pacl_set_support = True;
2637
2638                 /*
2639                  * Initialise the entry from the canon_ace.
2640                  */
2641
2642                 /*
2643                  * First tell the entry what type of ACE this is.
2644                  */
2645
2646                 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, the_entry, p_ace->type) == -1) {
2647                         DEBUG(0,("set_canon_ace_list: Failed to set tag type on entry %d. (%s)\n",
2648                                 i, strerror(errno) ));
2649                         goto fail;
2650                 }
2651
2652                 /*
2653                  * Only set the qualifier (user or group id) if the entry is a user
2654                  * or group id ACE.
2655                  */
2656
2657                 if ((p_ace->type == SMB_ACL_USER) || (p_ace->type == SMB_ACL_GROUP)) {
2658                         if (SMB_VFS_SYS_ACL_SET_QUALIFIER(conn, the_entry,(void *)&p_ace->unix_ug.uid) == -1) {
2659                                 DEBUG(0,("set_canon_ace_list: Failed to set qualifier on entry %d. (%s)\n",
2660                                         i, strerror(errno) ));
2661                                 goto fail;
2662                         }
2663                 }
2664
2665                 /*
2666                  * Convert the mode_t perms in the canon_ace to a POSIX permset.
2667                  */
2668
2669                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, the_entry, &the_permset) == -1) {
2670                         DEBUG(0,("set_canon_ace_list: Failed to get permset on entry %d. (%s)\n",
2671                                 i, strerror(errno) ));
2672                         goto fail;
2673                 }
2674
2675                 if (map_acl_perms_to_permset(conn, p_ace->perms, &the_permset) == -1) {
2676                         DEBUG(0,("set_canon_ace_list: Failed to create permset for mode (%u) on entry %d. (%s)\n",
2677                                 (unsigned int)p_ace->perms, i, strerror(errno) ));
2678                         goto fail;
2679                 }
2680
2681                 /*
2682                  * ..and apply them to the entry.
2683                  */
2684
2685                 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, the_entry, the_permset) == -1) {
2686                         DEBUG(0,("set_canon_ace_list: Failed to add permset on entry %d. (%s)\n",
2687                                 i, strerror(errno) ));
2688                         goto fail;
2689                 }
2690
2691                 if( DEBUGLVL( 10 ))
2692                         print_canon_ace( p_ace, i);
2693
2694         }
2695
2696         if (needs_mask && !got_mask_entry) {
2697                 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &mask_entry) == -1) {
2698                         DEBUG(0,("set_canon_ace_list: Failed to create mask entry. (%s)\n", strerror(errno) ));
2699                         goto fail;
2700                 }
2701
2702                 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, mask_entry, SMB_ACL_MASK) == -1) {
2703                         DEBUG(0,("set_canon_ace_list: Failed to set tag type on mask entry. (%s)\n",strerror(errno) ));
2704                         goto fail;
2705                 }
2706
2707                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, mask_entry, &mask_permset) == -1) {
2708                         DEBUG(0,("set_canon_ace_list: Failed to get mask permset. (%s)\n", strerror(errno) ));
2709                         goto fail;
2710                 }
2711
2712                 if (map_acl_perms_to_permset(conn, S_IRUSR|S_IWUSR|S_IXUSR, &mask_permset) == -1) {
2713                         DEBUG(0,("set_canon_ace_list: Failed to create mask permset. (%s)\n", strerror(errno) ));
2714                         goto fail;
2715                 }
2716
2717                 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, mask_entry, mask_permset) == -1) {
2718                         DEBUG(0,("set_canon_ace_list: Failed to add mask permset. (%s)\n", strerror(errno) ));
2719                         goto fail;
2720                 }
2721         }
2722
2723         /*
2724          * Finally apply it to the file or directory.
2725          */
2726
2727         if(default_ace || fsp->is_directory || fsp->fh->fd == -1) {
2728                 if (SMB_VFS_SYS_ACL_SET_FILE(conn, fsp->fsp_name, the_acl_type, the_acl) == -1) {
2729                         /*
2730                          * Some systems allow all the above calls and only fail with no ACL support
2731                          * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
2732                          */
2733                         if (no_acl_syscall_error(errno)) {
2734                                 *pacl_set_support = False;
2735                         }
2736
2737                         if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {
2738                                 int sret;
2739
2740                                 DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
2741                                         fsp->fsp_name ));
2742
2743                                 become_root();
2744                                 sret = SMB_VFS_SYS_ACL_SET_FILE(conn, fsp->fsp_name, the_acl_type, the_acl);
2745                                 unbecome_root();
2746                                 if (sret == 0) {
2747                                         ret = True;     
2748                                 }
2749                         }
2750
2751                         if (ret == False) {
2752                                 DEBUG(2,("set_canon_ace_list: sys_acl_set_file type %s failed for file %s (%s).\n",
2753                                                 the_acl_type == SMB_ACL_TYPE_DEFAULT ? "directory default" : "file",
2754                                                 fsp->fsp_name, strerror(errno) ));
2755                                 goto fail;
2756                         }
2757                 }
2758         } else {
2759                 if (SMB_VFS_SYS_ACL_SET_FD(fsp, the_acl) == -1) {
2760                         /*
2761                          * Some systems allow all the above calls and only fail with no ACL support
2762                          * when attempting to apply the acl. HPUX with HFS is an example of this. JRA.
2763                          */
2764                         if (no_acl_syscall_error(errno)) {
2765                                 *pacl_set_support = False;
2766                         }
2767
2768                         if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {
2769                                 int sret;
2770
2771                                 DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
2772                                         fsp->fsp_name ));
2773
2774                                 become_root();
2775                                 sret = SMB_VFS_SYS_ACL_SET_FD(fsp, the_acl);
2776                                 unbecome_root();
2777                                 if (sret == 0) {
2778                                         ret = True;
2779                                 }
2780                         }
2781
2782                         if (ret == False) {
2783                                 DEBUG(2,("set_canon_ace_list: sys_acl_set_file failed for file %s (%s).\n",
2784                                                 fsp->fsp_name, strerror(errno) ));
2785                                 goto fail;
2786                         }
2787                 }
2788         }
2789
2790         ret = True;
2791
2792   fail:
2793
2794         if (the_acl != NULL) {
2795                 SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
2796         }
2797
2798         return ret;
2799 }
2800
2801 /****************************************************************************
2802  Find a particular canon_ace entry.
2803 ****************************************************************************/
2804
2805 static struct canon_ace *canon_ace_entry_for(struct canon_ace *list, SMB_ACL_TAG_T type, posix_id *id)
2806 {
2807         while (list) {
2808                 if (list->type == type && ((type != SMB_ACL_USER && type != SMB_ACL_GROUP) ||
2809                                 (type == SMB_ACL_USER  && id && id->uid == list->unix_ug.uid) ||
2810                                 (type == SMB_ACL_GROUP && id && id->gid == list->unix_ug.gid)))
2811                         break;
2812                 list = list->next;
2813         }
2814         return list;
2815 }
2816
2817 /****************************************************************************
2818  
2819 ****************************************************************************/
2820
2821 SMB_ACL_T free_empty_sys_acl(connection_struct *conn, SMB_ACL_T the_acl)
2822 {
2823         SMB_ACL_ENTRY_T entry;
2824
2825         if (!the_acl)
2826                 return NULL;
2827         if (SMB_VFS_SYS_ACL_GET_ENTRY(conn, the_acl, SMB_ACL_FIRST_ENTRY, &entry) != 1) {
2828                 SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
2829                 return NULL;
2830         }
2831         return the_acl;
2832 }
2833
2834 /****************************************************************************
2835  Convert a canon_ace to a generic 3 element permission - if possible.
2836 ****************************************************************************/
2837
2838 #define MAP_PERM(p,mask,result) (((p) & (mask)) ? (result) : 0 )
2839
2840 static bool convert_canon_ace_to_posix_perms( files_struct *fsp, canon_ace *file_ace_list, mode_t *posix_perms)
2841 {
2842         int snum = SNUM(fsp->conn);
2843         size_t ace_count = count_canon_ace_list(file_ace_list);
2844         canon_ace *ace_p;
2845         canon_ace *owner_ace = NULL;
2846         canon_ace *group_ace = NULL;
2847         canon_ace *other_ace = NULL;
2848         mode_t and_bits;
2849         mode_t or_bits;
2850
2851         if (ace_count != 3) {
2852                 DEBUG(3,("convert_canon_ace_to_posix_perms: Too many ACE entries for file %s to convert to \
2853 posix perms.\n", fsp->fsp_name ));
2854                 return False;
2855         }
2856
2857         for (ace_p = file_ace_list; ace_p; ace_p = ace_p->next) {
2858                 if (ace_p->owner_type == UID_ACE)
2859                         owner_ace = ace_p;
2860                 else if (ace_p->owner_type == GID_ACE)
2861                         group_ace = ace_p;
2862                 else if (ace_p->owner_type == WORLD_ACE)
2863                         other_ace = ace_p;
2864         }
2865
2866         if (!owner_ace || !group_ace || !other_ace) {
2867                 DEBUG(3,("convert_canon_ace_to_posix_perms: Can't get standard entries for file %s.\n",
2868                                 fsp->fsp_name ));
2869                 return False;
2870         }
2871
2872         *posix_perms = (mode_t)0;
2873
2874         *posix_perms |= owner_ace->perms;
2875         *posix_perms |= MAP_PERM(group_ace->perms, S_IRUSR, S_IRGRP);
2876         *posix_perms |= MAP_PERM(group_ace->perms, S_IWUSR, S_IWGRP);
2877         *posix_perms |= MAP_PERM(group_ace->perms, S_IXUSR, S_IXGRP);
2878         *posix_perms |= MAP_PERM(other_ace->perms, S_IRUSR, S_IROTH);
2879         *posix_perms |= MAP_PERM(other_ace->perms, S_IWUSR, S_IWOTH);
2880         *posix_perms |= MAP_PERM(other_ace->perms, S_IXUSR, S_IXOTH);
2881
2882         /* The owner must have at least read access. */
2883
2884         *posix_perms |= S_IRUSR;
2885         if (fsp->is_directory)
2886                 *posix_perms |= (S_IWUSR|S_IXUSR);
2887
2888         /* If requested apply the masks. */
2889
2890         /* Get the initial bits to apply. */
2891
2892         if (fsp->is_directory) {
2893                 and_bits = lp_dir_security_mask(snum);
2894                 or_bits = lp_force_dir_security_mode(snum);
2895         } else {
2896                 and_bits = lp_security_mask(snum);
2897                 or_bits = lp_force_security_mode(snum);
2898         }
2899
2900         *posix_perms = (((*posix_perms) & and_bits)|or_bits);
2901
2902         DEBUG(10,("convert_canon_ace_to_posix_perms: converted u=%o,g=%o,w=%o to perm=0%o for file %s.\n",
2903                 (int)owner_ace->perms, (int)group_ace->perms, (int)other_ace->perms, (int)*posix_perms,
2904                 fsp->fsp_name ));
2905
2906         return True;
2907 }
2908
2909 /****************************************************************************
2910   Incoming NT ACLs on a directory can be split into a default POSIX acl (CI|OI|IO) and
2911   a normal POSIX acl. Win2k needs these split acls re-merging into one ACL
2912   with CI|OI set so it is inherited and also applies to the directory.
2913   Based on code from "Jim McDonough" <jmcd@us.ibm.com>.
2914 ****************************************************************************/
2915
2916 static size_t merge_default_aces( SEC_ACE *nt_ace_list, size_t num_aces)
2917 {
2918         size_t i, j;
2919
2920         for (i = 0; i < num_aces; i++) {
2921                 for (j = i+1; j < num_aces; j++) {
2922                         uint32 i_flags_ni = (nt_ace_list[i].flags & ~SEC_ACE_FLAG_INHERITED_ACE);
2923                         uint32 j_flags_ni = (nt_ace_list[j].flags & ~SEC_ACE_FLAG_INHERITED_ACE);
2924                         bool i_inh = (nt_ace_list[i].flags & SEC_ACE_FLAG_INHERITED_ACE) ? True : False;
2925                         bool j_inh = (nt_ace_list[j].flags & SEC_ACE_FLAG_INHERITED_ACE) ? True : False;
2926
2927                         /* We know the lower number ACE's are file entries. */
2928                         if ((nt_ace_list[i].type == nt_ace_list[j].type) &&
2929                                 (nt_ace_list[i].size == nt_ace_list[j].size) &&
2930                                 (nt_ace_list[i].access_mask == nt_ace_list[j].access_mask) &&
2931                                 sid_equal(&nt_ace_list[i].trustee, &nt_ace_list[j].trustee) &&
2932                                 (i_inh == j_inh) &&
2933                                 (i_flags_ni == 0) &&
2934                                 (j_flags_ni == (SEC_ACE_FLAG_OBJECT_INHERIT|
2935                                                   SEC_ACE_FLAG_CONTAINER_INHERIT|
2936                                                   SEC_ACE_FLAG_INHERIT_ONLY))) {
2937                                 /*
2938                                  * W2K wants to have access allowed zero access ACE's
2939                                  * at the end of the list. If the mask is zero, merge
2940                                  * the non-inherited ACE onto the inherited ACE.
2941                                  */
2942
2943                                 if (nt_ace_list[i].access_mask == 0) {
2944                                         nt_ace_list[j].flags = SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
2945                                                                 (i_inh ? SEC_ACE_FLAG_INHERITED_ACE : 0);
2946                                         if (num_aces - i - 1 > 0)
2947                                                 memmove(&nt_ace_list[i], &nt_ace_list[i+1], (num_aces-i-1) *
2948                                                                 sizeof(SEC_ACE));
2949
2950                                         DEBUG(10,("merge_default_aces: Merging zero access ACE %u onto ACE %u.\n",
2951                                                 (unsigned int)i, (unsigned int)j ));
2952                                 } else {
2953                                         /*
2954                                          * These are identical except for the flags.
2955                                          * Merge the inherited ACE onto the non-inherited ACE.
2956                                          */
2957
2958                                         nt_ace_list[i].flags = SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
2959                                                                 (i_inh ? SEC_ACE_FLAG_INHERITED_ACE : 0);
2960                                         if (num_aces - j - 1 > 0)
2961                                                 memmove(&nt_ace_list[j], &nt_ace_list[j+1], (num_aces-j-1) *
2962                                                                 sizeof(SEC_ACE));
2963
2964                                         DEBUG(10,("merge_default_aces: Merging ACE %u onto ACE %u.\n",
2965                                                 (unsigned int)j, (unsigned int)i ));
2966                                 }
2967                                 num_aces--;
2968                                 break;
2969                         }
2970                 }
2971         }
2972
2973         return num_aces;
2974 }
2975
2976 /*
2977  * Add or Replace ACE entry.
2978  * In some cases we need to add a specific ACE for compatibility reasons.
2979  * When doing that we must make sure we are not actually creating a duplicate
2980  * entry. So we need to search whether an ACE entry already exist and eventually
2981  * replacce the access mask, or add a completely new entry if none was found.
2982  *
2983  * This function assumes the array has enough space to add a new entry without
2984  * any reallocation of memory.
2985  */
2986
2987 static void add_or_replace_ace(SEC_ACE *nt_ace_list, size_t *num_aces,
2988                                 const DOM_SID *sid, enum security_ace_type type,
2989                                 uint32_t mask, uint8_t flags)
2990 {
2991         int i;
2992
2993         /* first search for a duplicate */
2994         for (i = 0; i < *num_aces; i++) {
2995                 if (sid_equal(&nt_ace_list[i].trustee, sid) &&
2996                     (nt_ace_list[i].flags == flags)) break;
2997         }
2998
2999         if (i < *num_aces) { /* found */
3000                 nt_ace_list[i].type = type;
3001                 nt_ace_list[i].access_mask = mask;
3002                 DEBUG(10, ("Replacing ACE %d with SID %s and flags %02x\n",
3003                            i, sid_string_dbg(sid), flags));
3004                 return;
3005         }
3006
3007         /* not found, append it */
3008         init_sec_ace(&nt_ace_list[(*num_aces)++], sid, type, mask, flags);
3009 }
3010
3011
3012 /****************************************************************************
3013  Reply to query a security descriptor from an fsp. If it succeeds it allocates
3014  the space for the return elements and returns the size needed to return the
3015  security descriptor. This should be the only external function needed for
3016  the UNIX style get ACL.
3017 ****************************************************************************/
3018
3019 static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
3020                                       const char *name,
3021                                       const SMB_STRUCT_STAT *sbuf,
3022                                       struct pai_val *pal,
3023                                       SMB_ACL_T posix_acl,
3024                                       SMB_ACL_T def_acl,
3025                                       uint32_t security_info,
3026                                       SEC_DESC **ppdesc)
3027 {
3028         DOM_SID owner_sid;
3029         DOM_SID group_sid;
3030         size_t sd_size = 0;
3031         SEC_ACL *psa = NULL;
3032         size_t num_acls = 0;
3033         size_t num_def_acls = 0;
3034         size_t num_aces = 0;
3035         canon_ace *file_ace = NULL;
3036         canon_ace *dir_ace = NULL;
3037         SEC_ACE *nt_ace_list = NULL;
3038         size_t num_profile_acls = 0;
3039         DOM_SID orig_owner_sid;
3040         SEC_DESC *psd = NULL;
3041         int i;
3042
3043         /*
3044          * Get the owner, group and world SIDs.
3045          */
3046
3047         create_file_sids(sbuf, &owner_sid, &group_sid);
3048
3049         if (lp_profile_acls(SNUM(conn))) {
3050                 /* For WXP SP1 the owner must be administrators. */
3051                 sid_copy(&orig_owner_sid, &owner_sid);
3052                 sid_copy(&owner_sid, &global_sid_Builtin_Administrators);
3053                 sid_copy(&group_sid, &global_sid_Builtin_Users);
3054                 num_profile_acls = 3;
3055         }
3056
3057         if ((security_info & DACL_SECURITY_INFORMATION) && !(security_info & PROTECTED_DACL_SECURITY_INFORMATION)) {
3058
3059                 /*
3060                  * In the optimum case Creator Owner and Creator Group would be used for
3061                  * the ACL_USER_OBJ and ACL_GROUP_OBJ entries, respectively, but this
3062                  * would lead to usability problems under Windows: The Creator entries
3063                  * are only available in browse lists of directories and not for files;
3064                  * additionally the identity of the owning group couldn't be determined.
3065                  * We therefore use those identities only for Default ACLs. 
3066                  */
3067
3068                 /* Create the canon_ace lists. */
3069                 file_ace = canonicalise_acl(conn, name, posix_acl, sbuf,
3070                                             &owner_sid, &group_sid, pal,
3071                                             SMB_ACL_TYPE_ACCESS);
3072
3073                 /* We must have *some* ACLS. */
3074         
3075                 if (count_canon_ace_list(file_ace) == 0) {
3076                         DEBUG(0,("get_nt_acl : No ACLs on file (%s) !\n", name));
3077                         goto done;
3078                 }
3079
3080                 if (S_ISDIR(sbuf->st_mode) && def_acl) {
3081                         dir_ace = canonicalise_acl(conn, name, def_acl,
3082                                                    sbuf,
3083                                                    &global_sid_Creator_Owner,
3084                                                    &global_sid_Creator_Group,
3085                                                    pal, SMB_ACL_TYPE_DEFAULT);
3086                 }
3087
3088                 /*
3089                  * Create the NT ACE list from the canonical ace lists.
3090                  */
3091
3092                 {
3093                         canon_ace *ace;
3094                         enum security_ace_type nt_acl_type;
3095
3096                         if (nt4_compatible_acls() && dir_ace) {
3097                                 /*
3098                                  * NT 4 chokes if an ACL contains an INHERIT_ONLY entry
3099                                  * but no non-INHERIT_ONLY entry for one SID. So we only
3100                                  * remove entries from the Access ACL if the
3101                                  * corresponding Default ACL entries have also been
3102                                  * removed. ACEs for CREATOR-OWNER and CREATOR-GROUP
3103                                  * are exceptions. We can do nothing
3104                                  * intelligent if the Default ACL contains entries that
3105                                  * are not also contained in the Access ACL, so this
3106                                  * case will still fail under NT 4.
3107                                  */
3108
3109                                 ace = canon_ace_entry_for(dir_ace, SMB_ACL_OTHER, NULL);
3110                                 if (ace && !ace->perms) {
3111                                         DLIST_REMOVE(dir_ace, ace);
3112                                         SAFE_FREE(ace);
3113
3114                                         ace = canon_ace_entry_for(file_ace, SMB_ACL_OTHER, NULL);
3115                                         if (ace && !ace->perms) {
3116                                                 DLIST_REMOVE(file_ace, ace);
3117                                                 SAFE_FREE(ace);
3118                                         }
3119                                 }
3120
3121                                 /*
3122                                  * WinNT doesn't usually have Creator Group
3123                                  * in browse lists, so we send this entry to
3124                                  * WinNT even if it contains no relevant
3125                                  * permissions. Once we can add
3126                                  * Creator Group to browse lists we can
3127                                  * re-enable this.
3128                                  */
3129
3130 #if 0
3131                                 ace = canon_ace_entry_for(dir_ace, SMB_ACL_GROUP_OBJ, NULL);
3132                                 if (ace && !ace->perms) {
3133                                         DLIST_REMOVE(dir_ace, ace);
3134                                         SAFE_FREE(ace);
3135                                 }
3136 #endif
3137
3138                                 ace = canon_ace_entry_for(file_ace, SMB_ACL_GROUP_OBJ, NULL);
3139                                 if (ace && !ace->perms) {
3140                                         DLIST_REMOVE(file_ace, ace);
3141                                         SAFE_FREE(ace);
3142                                 }
3143                         }
3144
3145                         num_acls = count_canon_ace_list(file_ace);
3146                         num_def_acls = count_canon_ace_list(dir_ace);
3147
3148                         /* Allocate the ace list. */
3149                         if ((nt_ace_list = SMB_MALLOC_ARRAY(SEC_ACE,num_acls + num_profile_acls + num_def_acls)) == NULL) {
3150                                 DEBUG(0,("get_nt_acl: Unable to malloc space for nt_ace_list.\n"));
3151                                 goto done;
3152                         }
3153
3154                         memset(nt_ace_list, '\0', (num_acls + num_def_acls) * sizeof(SEC_ACE) );
3155
3156                         /*
3157                          * Create the NT ACE list from the canonical ace lists.
3158                          */
3159
3160                         for (ace = file_ace; ace != NULL; ace = ace->next) {
3161                                 uint32_t acc = map_canon_ace_perms(SNUM(conn),
3162                                                 &nt_acl_type,
3163                                                 ace->perms,
3164                                                 S_ISDIR(sbuf->st_mode));
3165                                 init_sec_ace(&nt_ace_list[num_aces++],
3166                                         &ace->trustee,
3167                                         nt_acl_type,
3168                                         acc,
3169                                         ace->ace_flags);
3170                         }
3171
3172                         /* The User must have access to a profile share - even
3173                          * if we can't map the SID. */
3174                         if (lp_profile_acls(SNUM(conn))) {
3175                                 add_or_replace_ace(nt_ace_list, &num_aces,
3176                                                    &global_sid_Builtin_Users,
3177                                                    SEC_ACE_TYPE_ACCESS_ALLOWED,
3178                                                    FILE_GENERIC_ALL, 0);
3179                         }
3180
3181                         for (ace = dir_ace; ace != NULL; ace = ace->next) {
3182                                 uint32_t acc = map_canon_ace_perms(SNUM(conn),
3183                                                 &nt_acl_type,
3184                                                 ace->perms,
3185                                                 S_ISDIR(sbuf->st_mode));
3186                                 init_sec_ace(&nt_ace_list[num_aces++],
3187                                         &ace->trustee,
3188                                         nt_acl_type,
3189                                         acc,
3190                                         ace->ace_flags |
3191                                         SEC_ACE_FLAG_OBJECT_INHERIT|
3192                                         SEC_ACE_FLAG_CONTAINER_INHERIT|
3193                                         SEC_ACE_FLAG_INHERIT_ONLY);
3194                         }
3195
3196                         /* The User must have access to a profile share - even
3197                          * if we can't map the SID. */
3198                         if (lp_profile_acls(SNUM(conn))) {
3199                                 add_or_replace_ace(nt_ace_list, &num_aces,
3200                                                 &global_sid_Builtin_Users,
3201                                                 SEC_ACE_TYPE_ACCESS_ALLOWED,
3202                                                 FILE_GENERIC_ALL,
3203                                                 SEC_ACE_FLAG_OBJECT_INHERIT |
3204                                                 SEC_ACE_FLAG_CONTAINER_INHERIT |
3205                                                 SEC_ACE_FLAG_INHERIT_ONLY);
3206                         }
3207
3208                         /*
3209                          * Merge POSIX default ACLs and normal ACLs into one NT ACE.
3210                          * Win2K needs this to get the inheritance correct when replacing ACLs
3211                          * on a directory tree. Based on work by Jim @ IBM.
3212                          */
3213
3214                         num_aces = merge_default_aces(nt_ace_list, num_aces);
3215
3216                         if (lp_profile_acls(SNUM(conn))) {
3217                                 for (i = 0; i < num_aces; i++) {
3218                                         if (sid_equal(&nt_ace_list[i].trustee, &owner_sid)) {
3219                                                 add_or_replace_ace(nt_ace_list, &num_aces,
3220                                                                    &orig_owner_sid,
3221                                                                    nt_ace_list[i].type,
3222                                                                    nt_ace_list[i].access_mask,
3223                                                                    nt_ace_list[i].flags);
3224                                                 break;
3225                                         }
3226                                 }
3227                         }
3228                 }
3229
3230                 if (num_aces) {
3231                         if((psa = make_sec_acl( talloc_tos(), NT4_ACL_REVISION, num_aces, nt_ace_list)) == NULL) {
3232                                 DEBUG(0,("get_nt_acl: Unable to malloc space for acl.\n"));
3233                                 goto done;
3234                         }
3235                 }
3236         } /* security_info & DACL_SECURITY_INFORMATION */
3237
3238         psd = make_standard_sec_desc( talloc_tos(),
3239                         (security_info & OWNER_SECURITY_INFORMATION) ? &owner_sid : NULL,
3240                         (security_info & GROUP_SECURITY_INFORMATION) ? &group_sid : NULL,
3241                         psa,
3242                         &sd_size);
3243
3244         if(!psd) {
3245                 DEBUG(0,("get_nt_acl: Unable to malloc space for security descriptor.\n"));
3246                 sd_size = 0;
3247                 goto done;
3248         }
3249
3250         /*
3251          * Windows 2000: The DACL_PROTECTED flag in the security
3252          * descriptor marks the ACL as non-inheriting, i.e., no
3253          * ACEs from higher level directories propagate to this
3254          * ACL. In the POSIX ACL model permissions are only
3255          * inherited at file create time, so ACLs never contain
3256          * any ACEs that are inherited dynamically. The DACL_PROTECTED
3257          * flag doesn't seem to bother Windows NT.
3258          * Always set this if map acl inherit is turned off.
3259          */
3260         if (pal == NULL || !lp_map_acl_inherit(SNUM(conn))) {
3261                 psd->type |= SEC_DESC_DACL_PROTECTED;
3262         } else {
3263                 psd->type |= pal->sd_type;
3264         }
3265
3266         if (psd->dacl) {
3267                 dacl_sort_into_canonical_order(psd->dacl->aces, (unsigned int)psd->dacl->num_aces);
3268         }
3269
3270         *ppdesc = psd;
3271
3272  done:
3273
3274         if (posix_acl) {
3275                 SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
3276         }
3277         if (def_acl) {
3278                 SMB_VFS_SYS_ACL_FREE_ACL(conn, def_acl);
3279         }
3280         free_canon_ace_list(file_ace);
3281         free_canon_ace_list(dir_ace);
3282         free_inherited_info(pal);
3283         SAFE_FREE(nt_ace_list);
3284
3285         return NT_STATUS_OK;
3286 }
3287
3288 NTSTATUS posix_fget_nt_acl(struct files_struct *fsp, uint32_t security_info,
3289                            SEC_DESC **ppdesc)
3290 {
3291         SMB_STRUCT_STAT sbuf;
3292         SMB_ACL_T posix_acl = NULL;
3293         struct pai_val *pal;
3294
3295         *ppdesc = NULL;
3296
3297         DEBUG(10,("posix_fget_nt_acl: called for file %s\n", fsp->fsp_name ));
3298
3299         /* can it happen that fsp_name == NULL ? */
3300         if (fsp->is_directory ||  fsp->fh->fd == -1) {
3301                 return posix_get_nt_acl(fsp->conn, fsp->fsp_name,
3302                                         security_info, ppdesc);
3303         }
3304
3305         /* Get the stat struct for the owner info. */
3306         if(SMB_VFS_FSTAT(fsp, &sbuf) != 0) {
3307                 return map_nt_error_from_unix(errno);
3308         }
3309
3310         /* Get the ACL from the fd. */
3311         posix_acl = SMB_VFS_SYS_ACL_GET_FD(fsp);
3312
3313         pal = fload_inherited_info(fsp);
3314
3315         return posix_get_nt_acl_common(fsp->conn, fsp->fsp_name, &sbuf, pal,
3316                                        posix_acl, NULL, security_info, ppdesc);
3317 }
3318
3319 NTSTATUS posix_get_nt_acl(struct connection_struct *conn, const char *name,
3320                           uint32_t security_info, SEC_DESC **ppdesc)
3321 {
3322         SMB_STRUCT_STAT sbuf;
3323         SMB_ACL_T posix_acl = NULL;
3324         SMB_ACL_T def_acl = NULL;
3325         struct pai_val *pal;
3326
3327         *ppdesc = NULL;
3328
3329         DEBUG(10,("posix_get_nt_acl: called for file %s\n", name ));
3330
3331         /* Get the stat struct for the owner info. */
3332         if(SMB_VFS_STAT(conn, name, &sbuf) != 0) {
3333                 return map_nt_error_from_unix(errno);
3334         }
3335
3336         /* Get the ACL from the path. */
3337         posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, name, SMB_ACL_TYPE_ACCESS);
3338
3339         /* If it's a directory get the default POSIX ACL. */
3340         if(S_ISDIR(sbuf.st_mode)) {
3341                 def_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, name, SMB_ACL_TYPE_DEFAULT);
3342                 def_acl = free_empty_sys_acl(conn, def_acl);
3343         }
3344
3345         pal = load_inherited_info(conn, name);
3346
3347         return posix_get_nt_acl_common(conn, name, &sbuf, pal, posix_acl,
3348                                        def_acl, security_info, ppdesc);
3349 }
3350
3351 /****************************************************************************
3352  Try to chown a file. We will be able to chown it under the following conditions.
3353
3354   1) If we have root privileges, then it will just work.
3355   2) If we have SeTakeOwnershipPrivilege we can change the user to the current user.
3356   3) If we have SeRestorePrivilege we can change the user to any other user. 
3357   4) If we have write permission to the file and dos_filemodes is set
3358      then allow chown to the currently authenticated user.
3359 ****************************************************************************/
3360
3361 int try_chown(connection_struct *conn, const char *fname, uid_t uid, gid_t gid)
3362 {
3363         int ret;
3364         files_struct *fsp;
3365         SMB_STRUCT_STAT st;
3366
3367         if(!CAN_WRITE(conn)) {
3368                 return -1;
3369         }
3370
3371         /* Case (1). */
3372         /* try the direct way first */
3373         ret = SMB_VFS_CHOWN(conn, fname, uid, gid);
3374         if (ret == 0)
3375                 return 0;
3376
3377         /* Case (2) / (3) */
3378         if (lp_enable_privileges()) {
3379
3380                 bool has_take_ownership_priv = user_has_privileges(current_user.nt_user_token,
3381                                                               &se_take_ownership);
3382                 bool has_restore_priv = user_has_privileges(current_user.nt_user_token,
3383                                                        &se_restore);
3384
3385                 /* Case (2) */
3386                 if ( ( has_take_ownership_priv && ( uid == current_user.ut.uid ) ) ||
3387                 /* Case (3) */
3388                      ( has_restore_priv ) ) {
3389
3390                         become_root();
3391                         /* Keep the current file gid the same - take ownership doesn't imply group change. */
3392                         ret = SMB_VFS_CHOWN(conn, fname, uid, (gid_t)-1);
3393                         unbecome_root();
3394                         return ret;
3395                 }
3396         }
3397
3398         /* Case (4). */
3399         if (!lp_dos_filemode(SNUM(conn))) {
3400                 errno = EPERM;
3401                 return -1;
3402         }
3403
3404         /* only allow chown to the current user. This is more secure,
3405            and also copes with the case where the SID in a take ownership ACL is
3406            a local SID on the users workstation
3407         */
3408         if (uid != current_user.ut.uid) {
3409                 errno = EPERM;
3410                 return -1;
3411         }
3412
3413         if (SMB_VFS_STAT(conn,fname,&st)) {
3414                 return -1;
3415         }
3416
3417         if (!NT_STATUS_IS_OK(open_file_fchmod(NULL, conn, fname, &st, &fsp))) {
3418                 return -1;
3419         }
3420
3421         become_root();
3422         /* Keep the current file gid the same. */
3423         ret = SMB_VFS_FCHOWN(fsp, uid, (gid_t)-1);
3424         unbecome_root();
3425
3426         close_file_fchmod(NULL, fsp);
3427
3428         return ret;
3429 }
3430
3431 #if 0
3432 /* Disable this - prevents ACL inheritance from the ACL editor. JRA. */
3433
3434 /****************************************************************************
3435  Take care of parent ACL inheritance.
3436 ****************************************************************************/
3437
3438 NTSTATUS append_parent_acl(files_struct *fsp,
3439                                 const SEC_DESC *pcsd,
3440                                 SEC_DESC **pp_new_sd)
3441 {
3442         SEC_DESC *parent_sd = NULL;
3443         files_struct *parent_fsp = NULL;
3444         TALLOC_CTX *mem_ctx = talloc_tos();
3445         char *parent_name = NULL;
3446         SEC_ACE *new_ace = NULL;
3447         unsigned int num_aces = pcsd->dacl->num_aces;
3448         SMB_STRUCT_STAT sbuf;
3449         NTSTATUS status;
3450         int info;
3451         unsigned int i, j;
3452         SEC_DESC *psd = dup_sec_desc(talloc_tos(), pcsd);
3453         bool is_dacl_protected = (pcsd->type & SEC_DESC_DACL_PROTECTED);
3454
3455         ZERO_STRUCT(sbuf);
3456
3457         if (psd == NULL) {
3458                 return NT_STATUS_NO_MEMORY;
3459         }
3460
3461         if (!parent_dirname(mem_ctx, fsp->fsp_name, &parent_name, NULL)) {
3462                 return NT_STATUS_NO_MEMORY;
3463         }
3464
3465         status = SMB_VFS_CREATE_FILE(
3466                 fsp->conn,                              /* conn */
3467                 NULL,                                   /* req */
3468                 0,                                      /* root_dir_fid */
3469                 parent_name,                            /* fname */
3470                 0,                                      /* create_file_flags */
3471                 FILE_READ_ATTRIBUTES,                   /* access_mask */
3472                 FILE_SHARE_NONE,                        /* share_access */
3473                 FILE_OPEN,                              /* create_disposition*/
3474                 FILE_DIRECTORY_FILE,                    /* create_options */
3475                 0,                                      /* file_attributes */
3476                 INTERNAL_OPEN_ONLY,                     /* oplock_request */
3477                 0,                                      /* allocation_size */
3478                 NULL,                                   /* sd */
3479                 NULL,                                   /* ea_list */
3480                 &parent_fsp,                            /* result */
3481                 &info,                                  /* pinfo */
3482                 &sbuf);                                 /* psbuf */
3483
3484         if (!NT_STATUS_IS_OK(status)) {
3485                 return status;
3486         }
3487
3488         status = SMB_VFS_GET_NT_ACL(parent_fsp->conn, parent_fsp->fsp_name,
3489                                     DACL_SECURITY_INFORMATION, &parent_sd );
3490
3491         close_file(NULL, parent_fsp, NORMAL_CLOSE);
3492
3493         if (!NT_STATUS_IS_OK(status)) {
3494                 return status;
3495         }
3496
3497         /*
3498          * Make room for potentially all the ACLs from
3499          * the parent. We used to add the ugw triple here,
3500          * as we knew we were dealing with POSIX ACLs.
3501          * We no longer need to do so as we can guarentee
3502          * that a default ACL from the parent directory will
3503          * be well formed for POSIX ACLs if it came from a
3504          * POSIX ACL source, and if we're not writing to a
3505          * POSIX ACL sink then we don't care if it's not well
3506          * formed. JRA.
3507          */
3508
3509         num_aces += parent_sd->dacl->num_aces;
3510
3511         if((new_ace = TALLOC_ZERO_ARRAY(mem_ctx, SEC_ACE,
3512                                         num_aces)) == NULL) {
3513                 return NT_STATUS_NO_MEMORY;
3514         }
3515
3516         /* Start by copying in all the given ACE entries. */
3517         for (i = 0; i < psd->dacl->num_aces; i++) {
3518                 sec_ace_copy(&new_ace[i], &psd->dacl->aces[i]);
3519         }
3520
3521         /*
3522          * Note that we're ignoring "inherit permissions" here
3523          * as that really only applies to newly created files. JRA.
3524          */
3525
3526         /* Finally append any inherited ACEs. */
3527         for (j = 0; j < parent_sd->dacl->num_aces; j++) {
3528                 SEC_ACE *se = &parent_sd->dacl->aces[j];
3529
3530                 if (fsp->is_directory) {
3531                         if (!(se->flags & SEC_ACE_FLAG_CONTAINER_INHERIT)) {
3532                                 /* Doesn't apply to a directory - ignore. */
3533                                 DEBUG(10,("append_parent_acl: directory %s "
3534                                         "ignoring non container "
3535                                         "inherit flags %u on ACE with sid %s "
3536                                         "from parent %s\n",
3537                                         fsp->fsp_name,
3538                                         (unsigned int)se->flags,
3539                                         sid_string_dbg(&se->trustee),
3540                                         parent_name));
3541                                 continue;
3542                         }
3543                 } else {
3544                         if (!(se->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) {
3545                                 /* Doesn't apply to a file - ignore. */
3546                                 DEBUG(10,("append_parent_acl: file %s "
3547                                         "ignoring non object "
3548                                         "inherit flags %u on ACE with sid %s "
3549                                         "from parent %s\n",
3550                                         fsp->fsp_name,
3551                                         (unsigned int)se->flags,
3552                                         sid_string_dbg(&se->trustee),
3553                                         parent_name));
3554                                 continue;
3555                         }
3556                 }
3557
3558                 if (is_dacl_protected) {
3559                         /* If the DACL is protected it means we must
3560                          * not overwrite an existing ACE entry with the
3561                          * same SID. This is order N^2. Ouch :-(. JRA. */
3562                         unsigned int k;
3563                         for (k = 0; k < psd->dacl->num_aces; k++) {
3564                                 if (sid_equal(&psd->dacl->aces[k].trustee,
3565                                                 &se->trustee)) {
3566                                         break;
3567                                 }
3568                         }
3569                         if (k < psd->dacl->num_aces) {
3570                                 /* SID matched. Ignore. */
3571                                 DEBUG(10,("append_parent_acl: path %s "
3572                                         "ignoring ACE with protected sid %s "
3573                                         "from parent %s\n",
3574                                         fsp->fsp_name,
3575                                         sid_string_dbg(&se->trustee),
3576                                         parent_name));
3577                                 continue;
3578                         }
3579                 }
3580
3581                 sec_ace_copy(&new_ace[i], se);
3582                 if (se->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
3583                         new_ace[i].flags &= ~(SEC_ACE_FLAG_VALID_INHERIT);
3584                 }
3585                 new_ace[i].flags |= SEC_ACE_FLAG_INHERITED_ACE;
3586
3587                 if (fsp->is_directory) {
3588                         /*
3589                          * Strip off any inherit only. It's applied.
3590                          */
3591                         new_ace[i].flags &= ~(SEC_ACE_FLAG_INHERIT_ONLY);
3592                         if (se->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
3593                                 /* No further inheritance. */
3594                                 new_ace[i].flags &=
3595                                         ~(SEC_ACE_FLAG_CONTAINER_INHERIT|
3596                                         SEC_ACE_FLAG_OBJECT_INHERIT);
3597                         }
3598                 } else {
3599                         /*
3600                          * Strip off any container or inherit
3601                          * flags, they can't apply to objects.
3602                          */
3603                         new_ace[i].flags &= ~(SEC_ACE_FLAG_CONTAINER_INHERIT|
3604                                                 SEC_ACE_FLAG_INHERIT_ONLY|
3605                                                 SEC_ACE_FLAG_NO_PROPAGATE_INHERIT);
3606                 }
3607                 i++;
3608
3609                 DEBUG(10,("append_parent_acl: path %s "
3610                         "inheriting ACE with sid %s "
3611                         "from parent %s\n",
3612                         fsp->fsp_name,
3613                         sid_string_dbg(&se->trustee),
3614                         parent_name));
3615         }
3616
3617         psd->dacl->aces = new_ace;
3618         psd->dacl->num_aces = i;
3619         psd->type &= ~(SE_DESC_DACL_AUTO_INHERITED|
3620                          SE_DESC_DACL_AUTO_INHERIT_REQ);
3621
3622         *pp_new_sd = psd;
3623         return status;
3624 }
3625 #endif
3626
3627 /****************************************************************************
3628  Reply to set a security descriptor on an fsp. security_info_sent is the
3629  description of the following NT ACL.
3630  This should be the only external function needed for the UNIX style set ACL.
3631 ****************************************************************************/
3632
3633 NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC *psd)
3634 {
3635         connection_struct *conn = fsp->conn;
3636         uid_t user = (uid_t)-1;
3637         gid_t grp = (gid_t)-1;
3638         SMB_STRUCT_STAT sbuf;
3639         DOM_SID file_owner_sid;
3640         DOM_SID file_grp_sid;
3641         canon_ace *file_ace_list = NULL;
3642         canon_ace *dir_ace_list = NULL;
3643         bool acl_perms = False;
3644         mode_t orig_mode = (mode_t)0;
3645         NTSTATUS status;
3646         bool set_acl_as_root = false;
3647         bool acl_set_support = false;
3648         bool ret = false;
3649
3650         DEBUG(10,("set_nt_acl: called for file %s\n", fsp->fsp_name ));
3651
3652         if (!CAN_WRITE(conn)) {
3653                 DEBUG(10,("set acl rejected on read-only share\n"));
3654                 return NT_STATUS_MEDIA_WRITE_PROTECTED;
3655         }
3656
3657         /*
3658          * Get the current state of the file.
3659          */
3660
3661         if(fsp->is_directory || fsp->fh->fd == -1) {
3662                 if(SMB_VFS_STAT(fsp->conn,fsp->fsp_name, &sbuf) != 0)
3663                         return map_nt_error_from_unix(errno);
3664         } else {
3665                 if(SMB_VFS_FSTAT(fsp, &sbuf) != 0)
3666                         return map_nt_error_from_unix(errno);
3667         }
3668
3669         /* Save the original element we check against. */
3670         orig_mode = sbuf.st_mode;
3671
3672         /*
3673          * Unpack the user/group/world id's.
3674          */
3675
3676         status = unpack_nt_owners( SNUM(conn), &user, &grp, security_info_sent, psd);
3677         if (!NT_STATUS_IS_OK(status)) {
3678                 return status;
3679         }
3680
3681         /*
3682          * Do we need to chown ? If so this must be done first as the incoming
3683          * CREATOR_OWNER acl will be relative to the *new* owner, not the old.
3684          * Noticed by Simo.
3685          */
3686
3687         if (((user != (uid_t)-1) && (sbuf.st_uid != user)) || (( grp != (gid_t)-1) && (sbuf.st_gid != grp))) {
3688
3689                 DEBUG(3,("set_nt_acl: chown %s. uid = %u, gid = %u.\n",
3690                                 fsp->fsp_name, (unsigned int)user, (unsigned int)grp ));
3691
3692                 if(try_chown( fsp->conn, fsp->fsp_name, user, grp) == -1) {
3693                         DEBUG(3,("set_nt_acl: chown %s, %u, %u failed. Error = %s.\n",
3694                                 fsp->fsp_name, (unsigned int)user, (unsigned int)grp, strerror(errno) ));
3695                         if (errno == EPERM) {
3696                                 return NT_STATUS_INVALID_OWNER;
3697                         }
3698                         return map_nt_error_from_unix(errno);
3699                 }
3700
3701                 /*
3702                  * Recheck the current state of the file, which may have changed.
3703                  * (suid/sgid bits, for instance)
3704                  */
3705
3706                 if(fsp->is_directory) {
3707                         if(SMB_VFS_STAT(fsp->conn, fsp->fsp_name, &sbuf) != 0) {
3708                                 return map_nt_error_from_unix(errno);
3709                         }
3710                 } else {
3711
3712                         int sret;
3713
3714                         if(fsp->fh->fd == -1)
3715                                 sret = SMB_VFS_STAT(fsp->conn, fsp->fsp_name, &sbuf);
3716                         else
3717                                 sret = SMB_VFS_FSTAT(fsp, &sbuf);
3718
3719                         if(sret != 0)
3720                                 return map_nt_error_from_unix(errno);
3721                 }
3722
3723                 /* Save the original element we check against. */
3724                 orig_mode = sbuf.st_mode;
3725
3726                 /* If we successfully chowned, we know we must
3727                  * be able to set the acl, so do it as root.
3728                  */
3729                 set_acl_as_root = true;
3730         }
3731
3732         create_file_sids(&sbuf, &file_owner_sid, &file_grp_sid);
3733
3734         acl_perms = unpack_canon_ace( fsp, &sbuf, &file_owner_sid, &file_grp_sid,
3735                                         &file_ace_list, &dir_ace_list, security_info_sent, psd);
3736
3737         /* Ignore W2K traverse DACL set. */
3738         if (!file_ace_list && !dir_ace_list) {
3739                 return NT_STATUS_OK;
3740         }
3741
3742         if (!acl_perms) {
3743                 DEBUG(3,("set_nt_acl: cannot set permissions\n"));
3744                 free_canon_ace_list(file_ace_list);
3745                 free_canon_ace_list(dir_ace_list);
3746                 return NT_STATUS_ACCESS_DENIED;
3747         }
3748
3749         /*
3750          * Only change security if we got a DACL.
3751          */
3752
3753         if(!(security_info_sent & DACL_SECURITY_INFORMATION) || (psd->dacl == NULL)) {
3754                 free_canon_ace_list(file_ace_list);
3755                 free_canon_ace_list(dir_ace_list);
3756                 return NT_STATUS_OK;
3757         }
3758
3759         /*
3760          * Try using the POSIX ACL set first. Fall back to chmod if
3761          * we have no ACL support on this filesystem.
3762          */
3763
3764         if (acl_perms && file_ace_list) {
3765                 if (set_acl_as_root) {
3766                         become_root();
3767                 }
3768                 ret = set_canon_ace_list(fsp, file_ace_list, False, sbuf.st_gid, &acl_set_support);
3769                 if (set_acl_as_root) {
3770                         unbecome_root();
3771                 }
3772                 if (acl_set_support && ret == false) {
3773                         DEBUG(3,("set_nt_acl: failed to set file acl on file %s (%s).\n", fsp->fsp_name, strerror(errno) ));
3774                         free_canon_ace_list(file_ace_list);
3775                         free_canon_ace_list(dir_ace_list);
3776                         return map_nt_error_from_unix(errno);
3777                 }
3778         }
3779
3780         if (acl_perms && acl_set_support && fsp->is_directory) {
3781                 if (dir_ace_list) {
3782                         if (set_acl_as_root) {
3783                                 become_root();
3784                         }
3785                         ret = set_canon_ace_list(fsp, dir_ace_list, True, sbuf.st_gid, &acl_set_support);
3786                         if (set_acl_as_root) {
3787                                 unbecome_root();
3788                         }
3789                         if (ret == false) {
3790                                 DEBUG(3,("set_nt_acl: failed to set default acl on directory %s (%s).\n", fsp->fsp_name, strerror(errno) ));
3791                                 free_canon_ace_list(file_ace_list);
3792                                 free_canon_ace_list(dir_ace_list);
3793                                 return map_nt_error_from_unix(errno);
3794                         }
3795                 } else {
3796                         int sret = -1;
3797
3798                         /*
3799                          * No default ACL - delete one if it exists.
3800                          */
3801
3802                         if (set_acl_as_root) {
3803                                 become_root();
3804                         }
3805                         sret = SMB_VFS_SYS_ACL_DELETE_DEF_FILE(conn, fsp->fsp_name);
3806                         if (set_acl_as_root) {
3807                                 unbecome_root();
3808                         }
3809                         if (sret == -1) {
3810                                 if (acl_group_override(conn, sbuf.st_gid, fsp->fsp_name)) {
3811                                         DEBUG(5,("set_nt_acl: acl group control on and "
3812                                                 "current user in file %s primary group. Override delete_def_acl\n",
3813                                                 fsp->fsp_name ));
3814
3815                                         become_root();
3816                                         sret = SMB_VFS_SYS_ACL_DELETE_DEF_FILE(conn, fsp->fsp_name);
3817                                         unbecome_root();
3818                                 }
3819
3820                                 if (sret == -1) {
3821                                         DEBUG(3,("set_nt_acl: sys_acl_delete_def_file failed (%s)\n", strerror(errno)));
3822                                         free_canon_ace_list(file_ace_list);
3823                                         free_canon_ace_list(dir_ace_list);
3824                                         return map_nt_error_from_unix(errno);
3825                                 }
3826                         }
3827                 }
3828         }
3829
3830         if (acl_set_support) {
3831                 if (set_acl_as_root) {
3832                         become_root();
3833                 }
3834                 store_inheritance_attributes(fsp,
3835                                 file_ace_list,
3836                                 dir_ace_list,
3837                                 psd->type);
3838                 if (set_acl_as_root) {
3839                         unbecome_root();
3840                 }
3841         }
3842
3843         /*
3844          * If we cannot set using POSIX ACLs we fall back to checking if we need to chmod.
3845          */
3846
3847         if(!acl_set_support && acl_perms) {
3848                 mode_t posix_perms;
3849
3850                 if (!convert_canon_ace_to_posix_perms( fsp, file_ace_list, &posix_perms)) {
3851                         free_canon_ace_list(file_ace_list);
3852                         free_canon_ace_list(dir_ace_list);
3853                         DEBUG(3,("set_nt_acl: failed to convert file acl to posix permissions for file %s.\n",
3854                                 fsp->fsp_name ));
3855                         return NT_STATUS_ACCESS_DENIED;
3856                 }
3857
3858                 if (orig_mode != posix_perms) {
3859                         int sret = -1;
3860
3861                         DEBUG(3,("set_nt_acl: chmod %s. perms = 0%o.\n",
3862                                 fsp->fsp_name, (unsigned int)posix_perms ));
3863
3864                         if (set_acl_as_root) {
3865                                 become_root();
3866                         }
3867                         sret = SMB_VFS_CHMOD(conn,fsp->fsp_name, posix_perms);
3868                         if (set_acl_as_root) {
3869                                 unbecome_root();
3870                         }
3871                         if(sret == -1) {
3872                                 if (acl_group_override(conn, sbuf.st_gid, fsp->fsp_name)) {
3873                                         DEBUG(5,("set_nt_acl: acl group control on and "
3874                                                 "current user in file %s primary group. Override chmod\n",
3875                                                 fsp->fsp_name ));
3876
3877                                         become_root();
3878                                         sret = SMB_VFS_CHMOD(conn,fsp->fsp_name, posix_perms);
3879                                         unbecome_root();
3880                                 }
3881
3882                                 if (sret == -1) {
3883                                         DEBUG(3,("set_nt_acl: chmod %s, 0%o failed. Error = %s.\n",
3884                                                 fsp->fsp_name, (unsigned int)posix_perms, strerror(errno) ));
3885                                         free_canon_ace_list(file_ace_list);
3886                                         free_canon_ace_list(dir_ace_list);
3887                                         return map_nt_error_from_unix(errno);
3888                                 }
3889                         }
3890                 }
3891         }
3892
3893         free_canon_ace_list(file_ace_list);
3894         free_canon_ace_list(dir_ace_list);
3895
3896         return NT_STATUS_OK;
3897 }
3898
3899 /****************************************************************************
3900  Get the actual group bits stored on a file with an ACL. Has no effect if
3901  the file has no ACL. Needed in dosmode code where the stat() will return
3902  the mask bits, not the real group bits, for a file with an ACL.
3903 ****************************************************************************/
3904
3905 int get_acl_group_bits( connection_struct *conn, const char *fname, mode_t *mode )
3906 {
3907         int entry_id = SMB_ACL_FIRST_ENTRY;
3908         SMB_ACL_ENTRY_T entry;
3909         SMB_ACL_T posix_acl;
3910         int result = -1;
3911
3912         posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, fname, SMB_ACL_TYPE_ACCESS);
3913         if (posix_acl == (SMB_ACL_T)NULL)
3914                 return -1;
3915
3916         while (SMB_VFS_SYS_ACL_GET_ENTRY(conn, posix_acl, entry_id, &entry) == 1) {
3917                 SMB_ACL_TAG_T tagtype;
3918                 SMB_ACL_PERMSET_T permset;
3919
3920                 entry_id = SMB_ACL_NEXT_ENTRY;
3921
3922                 if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) ==-1)
3923                         break;
3924
3925                 if (tagtype == SMB_ACL_GROUP_OBJ) {
3926                         if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1) {
3927                                 break;
3928                         } else {
3929                                 *mode &= ~(S_IRGRP|S_IWGRP|S_IXGRP);
3930                                 *mode |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_READ) ? S_IRGRP : 0);
3931                                 *mode |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_WRITE) ? S_IWGRP : 0);
3932                                 *mode |= (SMB_VFS_SYS_ACL_GET_PERM(conn, permset, SMB_ACL_EXECUTE) ? S_IXGRP : 0);
3933                                 result = 0;
3934                                 break;
3935                         }
3936                 }
3937         }
3938         SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
3939         return result;
3940 }
3941
3942 /****************************************************************************
3943  Do a chmod by setting the ACL USER_OBJ, GROUP_OBJ and OTHER bits in an ACL
3944  and set the mask to rwx. Needed to preserve complex ACLs set by NT.
3945 ****************************************************************************/
3946
3947 static int chmod_acl_internals( connection_struct *conn, SMB_ACL_T posix_acl, mode_t mode)
3948 {
3949         int entry_id = SMB_ACL_FIRST_ENTRY;
3950         SMB_ACL_ENTRY_T entry;
3951         int num_entries = 0;
3952
3953         while ( SMB_VFS_SYS_ACL_GET_ENTRY(conn, posix_acl, entry_id, &entry) == 1) {
3954                 SMB_ACL_TAG_T tagtype;
3955                 SMB_ACL_PERMSET_T permset;
3956                 mode_t perms;
3957
3958                 entry_id = SMB_ACL_NEXT_ENTRY;
3959
3960                 if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) == -1)
3961                         return -1;
3962
3963                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1)
3964                         return -1;
3965
3966                 num_entries++;
3967
3968                 switch(tagtype) {
3969                         case SMB_ACL_USER_OBJ:
3970                                 perms = unix_perms_to_acl_perms(mode, S_IRUSR, S_IWUSR, S_IXUSR);
3971                                 break;
3972                         case SMB_ACL_GROUP_OBJ:
3973                                 perms = unix_perms_to_acl_perms(mode, S_IRGRP, S_IWGRP, S_IXGRP);
3974                                 break;
3975                         case SMB_ACL_MASK:
3976                                 /*
3977                                  * FIXME: The ACL_MASK entry permissions should really be set to
3978                                  * the union of the permissions of all ACL_USER,
3979                                  * ACL_GROUP_OBJ, and ACL_GROUP entries. That's what
3980                                  * acl_calc_mask() does, but Samba ACLs doesn't provide it.
3981                                  */
3982                                 perms = S_IRUSR|S_IWUSR|S_IXUSR;
3983                                 break;
3984                         case SMB_ACL_OTHER:
3985                                 perms = unix_perms_to_acl_perms(mode, S_IROTH, S_IWOTH, S_IXOTH);
3986                                 break;
3987                         default:
3988                                 continue;
3989                 }
3990
3991                 if (map_acl_perms_to_permset(conn, perms, &permset) == -1)
3992                         return -1;
3993
3994                 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, entry, permset) == -1)
3995                         return -1;
3996         }
3997
3998         /*
3999          * If this is a simple 3 element ACL or no elements then it's a standard
4000          * UNIX permission set. Just use chmod...       
4001          */
4002
4003         if ((num_entries == 3) || (num_entries == 0))
4004                 return -1;
4005
4006         return 0;
4007 }
4008
4009 /****************************************************************************
4010  Get the access ACL of FROM, do a chmod by setting the ACL USER_OBJ,
4011  GROUP_OBJ and OTHER bits in an ACL and set the mask to rwx. Set the
4012  resulting ACL on TO.  Note that name is in UNIX character set.
4013 ****************************************************************************/
4014
4015 static int copy_access_posix_acl(connection_struct *conn, const char *from, const char *to, mode_t mode)
4016 {
4017         SMB_ACL_T posix_acl = NULL;
4018         int ret = -1;
4019
4020         if ((posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, from, SMB_ACL_TYPE_ACCESS)) == NULL)
4021                 return -1;
4022
4023         if ((ret = chmod_acl_internals(conn, posix_acl, mode)) == -1)
4024                 goto done;
4025
4026         ret = SMB_VFS_SYS_ACL_SET_FILE(conn, to, SMB_ACL_TYPE_ACCESS, posix_acl);
4027
4028  done:
4029
4030         SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
4031         return ret;
4032 }
4033
4034 /****************************************************************************
4035  Do a chmod by setting the ACL USER_OBJ, GROUP_OBJ and OTHER bits in an ACL
4036  and set the mask to rwx. Needed to preserve complex ACLs set by NT.
4037  Note that name is in UNIX character set.
4038 ****************************************************************************/
4039
4040 int chmod_acl(connection_struct *conn, const char *name, mode_t mode)
4041 {
4042         return copy_access_posix_acl(conn, name, name, mode);
4043 }
4044
4045 /****************************************************************************
4046  Check for an existing default POSIX ACL on a directory.
4047 ****************************************************************************/
4048
4049 static bool directory_has_default_posix_acl(connection_struct *conn, const char *fname)
4050 {
4051         SMB_ACL_T def_acl = SMB_VFS_SYS_ACL_GET_FILE( conn, fname, SMB_ACL_TYPE_DEFAULT);
4052         bool has_acl = False;
4053         SMB_ACL_ENTRY_T entry;
4054
4055         if (def_acl != NULL && (SMB_VFS_SYS_ACL_GET_ENTRY(conn, def_acl, SMB_ACL_FIRST_ENTRY, &entry) == 1)) {
4056                 has_acl = True;
4057         }
4058
4059         if (def_acl) {
4060                 SMB_VFS_SYS_ACL_FREE_ACL(conn, def_acl);
4061         }
4062         return has_acl;
4063 }
4064
4065 /****************************************************************************
4066  If the parent directory has no default ACL but it does have an Access ACL,
4067  inherit this Access ACL to file name.
4068 ****************************************************************************/
4069
4070 int inherit_access_posix_acl(connection_struct *conn, const char *inherit_from_dir,
4071                        const char *name, mode_t mode)
4072 {
4073         if (directory_has_default_posix_acl(conn, inherit_from_dir))
4074                 return 0;
4075
4076         return copy_access_posix_acl(conn, inherit_from_dir, name, mode);
4077 }
4078
4079 /****************************************************************************
4080  Do an fchmod by setting the ACL USER_OBJ, GROUP_OBJ and OTHER bits in an ACL
4081  and set the mask to rwx. Needed to preserve complex ACLs set by NT.
4082 ****************************************************************************/
4083
4084 int fchmod_acl(files_struct *fsp, mode_t mode)
4085 {
4086         connection_struct *conn = fsp->conn;
4087         SMB_ACL_T posix_acl = NULL;
4088         int ret = -1;
4089
4090         if ((posix_acl = SMB_VFS_SYS_ACL_GET_FD(fsp)) == NULL)
4091                 return -1;
4092
4093         if ((ret = chmod_acl_internals(conn, posix_acl, mode)) == -1)
4094                 goto done;
4095
4096         ret = SMB_VFS_SYS_ACL_SET_FD(fsp, posix_acl);
4097
4098   done:
4099
4100         SMB_VFS_SYS_ACL_FREE_ACL(conn, posix_acl);
4101         return ret;
4102 }
4103
4104 /****************************************************************************
4105  Map from wire type to permset.
4106 ****************************************************************************/
4107
4108 static bool unix_ex_wire_to_permset(connection_struct *conn, unsigned char wire_perm, SMB_ACL_PERMSET_T *p_permset)
4109 {
4110         if (wire_perm & ~(SMB_POSIX_ACL_READ|SMB_POSIX_ACL_WRITE|SMB_POSIX_ACL_EXECUTE)) {
4111                 return False;
4112         }
4113
4114         if (SMB_VFS_SYS_ACL_CLEAR_PERMS(conn, *p_permset) ==  -1) {
4115                 return False;
4116         }
4117
4118         if (wire_perm & SMB_POSIX_ACL_READ) {
4119                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_READ) == -1) {
4120                         return False;
4121                 }
4122         }
4123         if (wire_perm & SMB_POSIX_ACL_WRITE) {
4124                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_WRITE) == -1) {
4125                         return False;
4126                 }
4127         }
4128         if (wire_perm & SMB_POSIX_ACL_EXECUTE) {
4129                 if (SMB_VFS_SYS_ACL_ADD_PERM(conn, *p_permset, SMB_ACL_EXECUTE) == -1) {
4130                         return False;
4131                 }
4132         }
4133         return True;
4134 }
4135
4136 /****************************************************************************
4137  Map from wire type to tagtype.
4138 ****************************************************************************/
4139
4140 static bool unix_ex_wire_to_tagtype(unsigned char wire_tt, SMB_ACL_TAG_T *p_tt)
4141 {
4142         switch (wire_tt) {
4143                 case SMB_POSIX_ACL_USER_OBJ:
4144                         *p_tt = SMB_ACL_USER_OBJ;
4145                         break;
4146                 case SMB_POSIX_ACL_USER:
4147                         *p_tt = SMB_ACL_USER;
4148                         break;
4149                 case SMB_POSIX_ACL_GROUP_OBJ:
4150                         *p_tt = SMB_ACL_GROUP_OBJ;
4151                         break;
4152                 case SMB_POSIX_ACL_GROUP:
4153                         *p_tt = SMB_ACL_GROUP;
4154                         break;
4155                 case SMB_POSIX_ACL_MASK:
4156                         *p_tt = SMB_ACL_MASK;
4157                         break;
4158                 case SMB_POSIX_ACL_OTHER:
4159                         *p_tt = SMB_ACL_OTHER;
4160                         break;
4161                 default:
4162                         return False;
4163         }
4164         return True;
4165 }
4166
4167 /****************************************************************************
4168  Create a new POSIX acl from wire permissions.
4169  FIXME ! How does the share mask/mode fit into this.... ?
4170 ****************************************************************************/
4171
4172 static SMB_ACL_T create_posix_acl_from_wire(connection_struct *conn, uint16 num_acls, const char *pdata)
4173 {
4174         unsigned int i;
4175         SMB_ACL_T the_acl = SMB_VFS_SYS_ACL_INIT(conn, num_acls);
4176
4177         if (the_acl == NULL) {
4178                 return NULL;
4179         }
4180
4181         for (i = 0; i < num_acls; i++) {
4182                 SMB_ACL_ENTRY_T the_entry;
4183                 SMB_ACL_PERMSET_T the_permset;
4184                 SMB_ACL_TAG_T tag_type;
4185
4186                 if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &the_acl, &the_entry) == -1) {
4187                         DEBUG(0,("create_posix_acl_from_wire: Failed to create entry %u. (%s)\n",
4188                                 i, strerror(errno) ));
4189                         goto fail;
4190                 }
4191
4192                 if (!unix_ex_wire_to_tagtype(CVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE)), &tag_type)) {
4193                         DEBUG(0,("create_posix_acl_from_wire: invalid wire tagtype %u on entry %u.\n",
4194                                 CVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE)), i ));
4195                         goto fail;
4196                 }
4197
4198                 if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, the_entry, tag_type) == -1) {
4199                         DEBUG(0,("create_posix_acl_from_wire: Failed to set tagtype on entry %u. (%s)\n",
4200                                 i, strerror(errno) ));
4201                         goto fail;
4202                 }
4203
4204                 /* Get the permset pointer from the new ACL entry. */
4205                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, the_entry, &the_permset) == -1) {
4206                         DEBUG(0,("create_posix_acl_from_wire: Failed to get permset on entry %u. (%s)\n",
4207                                 i, strerror(errno) ));
4208                         goto fail;
4209                 }
4210
4211                 /* Map from wire to permissions. */
4212                 if (!unix_ex_wire_to_permset(conn, CVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE)+1), &the_permset)) {
4213                         DEBUG(0,("create_posix_acl_from_wire: invalid permset %u on entry %u.\n",
4214                                 CVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE) + 1), i ));
4215                         goto fail;
4216                 }
4217
4218                 /* Now apply to the new ACL entry. */
4219                 if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, the_entry, the_permset) == -1) {
4220                         DEBUG(0,("create_posix_acl_from_wire: Failed to add permset on entry %u. (%s)\n",
4221                                 i, strerror(errno) ));
4222                         goto fail;
4223                 }
4224
4225                 if (tag_type == SMB_ACL_USER) {
4226                         uint32 uidval = IVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE)+2);
4227                         uid_t uid = (uid_t)uidval;
4228                         if (SMB_VFS_SYS_ACL_SET_QUALIFIER(conn, the_entry,(void *)&uid) == -1) {
4229                                 DEBUG(0,("create_posix_acl_from_wire: Failed to set uid %u on entry %u. (%s)\n",
4230                                         (unsigned int)uid, i, strerror(errno) ));
4231                                 goto fail;
4232                         }
4233                 }
4234
4235                 if (tag_type == SMB_ACL_GROUP) {
4236                         uint32 gidval = IVAL(pdata,(i*SMB_POSIX_ACL_ENTRY_SIZE)+2);
4237                         gid_t gid = (uid_t)gidval;
4238                         if (SMB_VFS_SYS_ACL_SET_QUALIFIER(conn, the_entry,(void *)&gid) == -1) {
4239                                 DEBUG(0,("create_posix_acl_from_wire: Failed to set gid %u on entry %u. (%s)\n",
4240                                         (unsigned int)gid, i, strerror(errno) ));
4241                                 goto fail;
4242                         }
4243                 }
4244         }
4245
4246         return the_acl;
4247
4248  fail:
4249
4250         if (the_acl != NULL) {
4251                 SMB_VFS_SYS_ACL_FREE_ACL(conn, the_acl);
4252         }
4253         return NULL;
4254 }
4255
4256 /****************************************************************************
4257  Calls from UNIX extensions - Default POSIX ACL set.
4258  If num_def_acls == 0 and not a directory just return. If it is a directory
4259  and num_def_acls == 0 then remove the default acl. Else set the default acl
4260  on the directory.
4261 ****************************************************************************/
4262
4263 bool set_unix_posix_default_acl(connection_struct *conn, const char *fname, SMB_STRUCT_STAT *psbuf,
4264                                 uint16 num_def_acls, const char *pdata)
4265 {
4266         SMB_ACL_T def_acl = NULL;
4267
4268         if (!S_ISDIR(psbuf->st_mode)) {
4269                 if (num_def_acls) {
4270                         DEBUG(5,("set_unix_posix_default_acl: Can't set default ACL on non-directory file %s\n", fname ));
4271                         errno = EISDIR;
4272                         return False;
4273                 } else {
4274                         return True;
4275                 }
4276         }
4277
4278         if (!num_def_acls) {
4279                 /* Remove the default ACL. */
4280                 if (SMB_VFS_SYS_ACL_DELETE_DEF_FILE(conn, fname) == -1) {
4281                         DEBUG(5,("set_unix_posix_default_acl: acl_delete_def_file failed on directory %s (%s)\n",
4282                                 fname, strerror(errno) ));
4283                         return False;
4284                 }
4285                 return True;
4286         }
4287
4288         if ((def_acl = create_posix_acl_from_wire(conn, num_def_acls, pdata)) == NULL) {
4289                 return False;
4290         }
4291
4292         if (SMB_VFS_SYS_ACL_SET_FILE(conn, fname, SMB_ACL_TYPE_DEFAULT, def_acl) == -1) {
4293                 DEBUG(5,("set_unix_posix_default_acl: acl_set_file failed on directory %s (%s)\n",
4294                         fname, strerror(errno) ));
4295                 SMB_VFS_SYS_ACL_FREE_ACL(conn, def_acl);
4296                 return False;
4297         }
4298
4299         DEBUG(10,("set_unix_posix_default_acl: set default acl for file %s\n", fname ));
4300         SMB_VFS_SYS_ACL_FREE_ACL(conn, def_acl);
4301         return True;
4302 }
4303
4304 /****************************************************************************
4305  Remove an ACL from a file. As we don't have acl_delete_entry() available
4306  we must read the current acl and copy all entries except MASK, USER and GROUP
4307  to a new acl, then set that. This (at least on Linux) causes any ACL to be
4308  removed.
4309  FIXME ! How does the share mask/mode fit into this.... ?
4310 ****************************************************************************/
4311
4312 static bool remove_posix_acl(connection_struct *conn, files_struct *fsp, const char *fname)
4313 {
4314         SMB_ACL_T file_acl = NULL;
4315         int entry_id = SMB_ACL_FIRST_ENTRY;
4316         SMB_ACL_ENTRY_T entry;
4317         bool ret = False;
4318         /* Create a new ACL with only 3 entries, u/g/w. */
4319         SMB_ACL_T new_file_acl = SMB_VFS_SYS_ACL_INIT(conn, 3);
4320         SMB_ACL_ENTRY_T user_ent = NULL;
4321         SMB_ACL_ENTRY_T group_ent = NULL;
4322         SMB_ACL_ENTRY_T other_ent = NULL;
4323
4324         if (new_file_acl == NULL) {
4325                 DEBUG(5,("remove_posix_acl: failed to init new ACL with 3 entries for file %s.\n", fname));
4326                 return False;
4327         }
4328
4329         /* Now create the u/g/w entries. */
4330         if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &new_file_acl, &user_ent) == -1) {
4331                 DEBUG(5,("remove_posix_acl: Failed to create user entry for file %s. (%s)\n",
4332                         fname, strerror(errno) ));
4333                 goto done;
4334         }
4335         if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, user_ent, SMB_ACL_USER_OBJ) == -1) {
4336                 DEBUG(5,("remove_posix_acl: Failed to set user entry for file %s. (%s)\n",
4337                         fname, strerror(errno) ));
4338                 goto done;
4339         }
4340
4341         if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &new_file_acl, &group_ent) == -1) {
4342                 DEBUG(5,("remove_posix_acl: Failed to create group entry for file %s. (%s)\n",
4343                         fname, strerror(errno) ));
4344                 goto done;
4345         }
4346         if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, group_ent, SMB_ACL_GROUP_OBJ) == -1) {
4347                 DEBUG(5,("remove_posix_acl: Failed to set group entry for file %s. (%s)\n",
4348                         fname, strerror(errno) ));
4349                 goto done;
4350         }
4351
4352         if (SMB_VFS_SYS_ACL_CREATE_ENTRY(conn, &new_file_acl, &other_ent) == -1) {
4353                 DEBUG(5,("remove_posix_acl: Failed to create other entry for file %s. (%s)\n",
4354                         fname, strerror(errno) ));
4355                 goto done;
4356         }
4357         if (SMB_VFS_SYS_ACL_SET_TAG_TYPE(conn, other_ent, SMB_ACL_OTHER) == -1) {
4358                 DEBUG(5,("remove_posix_acl: Failed to set other entry for file %s. (%s)\n",
4359                         fname, strerror(errno) ));
4360                 goto done;
4361         }
4362
4363         /* Get the current file ACL. */
4364         if (fsp && fsp->fh->fd != -1) {
4365                 file_acl = SMB_VFS_SYS_ACL_GET_FD(fsp);
4366         } else {
4367                 file_acl = SMB_VFS_SYS_ACL_GET_FILE( conn, fname, SMB_ACL_TYPE_ACCESS);
4368         }
4369
4370         if (file_acl == NULL) {
4371                 /* This is only returned if an error occurred. Even for a file with
4372                    no acl a u/g/w acl should be returned. */
4373                 DEBUG(5,("remove_posix_acl: failed to get ACL from file %s (%s).\n",
4374                         fname, strerror(errno) ));
4375                 goto done;
4376         }
4377
4378         while ( SMB_VFS_SYS_ACL_GET_ENTRY(conn, file_acl, entry_id, &entry) == 1) {
4379                 SMB_ACL_TAG_T tagtype;
4380                 SMB_ACL_PERMSET_T permset;
4381
4382                 entry_id = SMB_ACL_NEXT_ENTRY;
4383
4384                 if (SMB_VFS_SYS_ACL_GET_TAG_TYPE(conn, entry, &tagtype) == -1) {
4385                         DEBUG(5,("remove_posix_acl: failed to get tagtype from ACL on file %s (%s).\n",
4386                                 fname, strerror(errno) ));
4387                         goto done;
4388                 }
4389
4390                 if (SMB_VFS_SYS_ACL_GET_PERMSET(conn, entry, &permset) == -1) {
4391                         DEBUG(5,("remove_posix_acl: failed to get permset from ACL on file %s (%s).\n",
4392                                 fname, strerror(errno) ));
4393                         goto done;
4394                 }
4395
4396                 if (tagtype == SMB_ACL_USER_OBJ) {
4397                         if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, user_ent, permset) == -1) {
4398                                 DEBUG(5,("remove_posix_acl: failed to set permset from ACL on file %s (%s).\n",
4399                                         fname, strerror(errno) ));
4400                         }
4401                 } else if (tagtype == SMB_ACL_GROUP_OBJ) {
4402                         if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, group_ent, permset) == -1) {
4403                                 DEBUG(5,("remove_posix_acl: failed to set permset from ACL on file %s (%s).\n",
4404                                         fname, strerror(errno) ));
4405                         }
4406                 } else if (tagtype == SMB_ACL_OTHER) {
4407                         if (SMB_VFS_SYS_ACL_SET_PERMSET(conn, other_ent, permset) == -1) {
4408                                 DEBUG(5,("remove_posix_acl: failed to set permset from ACL on file %s (%s).\n",
4409                                         fname, strerror(errno) ));
4410                         }
4411                 }
4412         }
4413
4414         /* Set the new empty file ACL. */
4415         if (fsp && fsp->fh->fd != -1) {
4416                 if (SMB_VFS_SYS_ACL_SET_FD(fsp, new_file_acl) == -1) {
4417                         DEBUG(5,("remove_posix_acl: acl_set_file failed on %s (%s)\n",
4418                                 fname, strerror(errno) ));
4419                         goto done;
4420                 }
4421         } else {
4422                 if (SMB_VFS_SYS_ACL_SET_FILE(conn, fname, SMB_ACL_TYPE_ACCESS, new_file_acl) == -1) {
4423                         DEBUG(5,("remove_posix_acl: acl_set_file failed on %s (%s)\n",
4424                                 fname, strerror(errno) ));
4425                         goto done;
4426                 }
4427         }
4428
4429         ret = True;
4430
4431  done:
4432
4433         if (file_acl) {
4434                 SMB_VFS_SYS_ACL_FREE_ACL(conn, file_acl);
4435         }
4436         if (new_file_acl) {
4437                 SMB_VFS_SYS_ACL_FREE_ACL(conn, new_file_acl);
4438         }
4439         return ret;
4440 }
4441
4442 /****************************************************************************
4443  Calls from UNIX extensions - POSIX ACL set.
4444  If num_def_acls == 0 then read/modify/write acl after removing all entries
4445  except SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, SMB_ACL_OTHER.
4446 ****************************************************************************/
4447
4448 bool set_unix_posix_acl(connection_struct *conn, files_struct *fsp, const char *fname, uint16 num_acls, const char *pdata)
4449 {
4450         SMB_ACL_T file_acl = NULL;
4451
4452         if (!num_acls) {
4453                 /* Remove the ACL from the file. */
4454                 return remove_posix_acl(conn, fsp, fname);
4455         }
4456
4457         if ((file_acl = create_posix_acl_from_wire(conn, num_acls, pdata)) == NULL) {
4458                 return False;
4459         }
4460
4461         if (fsp && fsp->fh->fd != -1) {
4462                 /* The preferred way - use an open fd. */
4463                 if (SMB_VFS_SYS_ACL_SET_FD(fsp, file_acl) == -1) {
4464                         DEBUG(5,("set_unix_posix_acl: acl_set_file failed on %s (%s)\n",
4465                                 fname, strerror(errno) ));
4466                         SMB_VFS_SYS_ACL_FREE_ACL(conn, file_acl);
4467                         return False;
4468                 }
4469         } else {
4470                 if (SMB_VFS_SYS_ACL_SET_FILE(conn, fname, SMB_ACL_TYPE_ACCESS, file_acl) == -1) {
4471                         DEBUG(5,("set_unix_posix_acl: acl_set_file failed on %s (%s)\n",
4472                                 fname, strerror(errno) ));
4473                         SMB_VFS_SYS_ACL_FREE_ACL(conn, file_acl);
4474                         return False;
4475                 }
4476         }
4477
4478         DEBUG(10,("set_unix_posix_acl: set acl for file %s\n", fname ));
4479         SMB_VFS_SYS_ACL_FREE_ACL(conn, file_acl);
4480         return True;
4481 }
4482
4483 /********************************************************************
4484  Pull the NT ACL from a file on disk or the OpenEventlog() access
4485  check.  Caller is responsible for freeing the returned security
4486  descriptor via TALLOC_FREE().  This is designed for dealing with 
4487  user space access checks in smbd outside of the VFS.  For example,
4488  checking access rights in OpenEventlog().
4489
4490  Assume we are dealing with files (for now)
4491 ********************************************************************/
4492
4493 SEC_DESC *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname)
4494 {
4495         SEC_DESC *psd, *ret_sd;
4496         connection_struct *conn;
4497         files_struct finfo;
4498         struct fd_handle fh;
4499
4500         conn = TALLOC_ZERO_P(ctx, connection_struct);
4501         if (conn == NULL) {
4502                 DEBUG(0, ("talloc failed\n"));
4503                 return NULL;
4504         }
4505
4506         if (!(conn->params = TALLOC_P(conn, struct share_params))) {
4507                 DEBUG(0,("get_nt_acl_no_snum: talloc() failed!\n"));
4508                 TALLOC_FREE(conn);
4509                 return NULL;
4510         }
4511
4512         conn->params->service = -1;
4513
4514         set_conn_connectpath(conn, "/");
4515
4516         if (!smbd_vfs_init(conn)) {
4517                 DEBUG(0,("get_nt_acl_no_snum: Unable to create a fake connection struct!\n"));
4518                 conn_free_internal( conn );
4519                 return NULL;
4520         }
4521
4522         ZERO_STRUCT( finfo );
4523         ZERO_STRUCT( fh );
4524
4525         finfo.fnum = -1;
4526         finfo.conn = conn;
4527         finfo.fh = &fh;
4528         finfo.fh->fd = -1;
4529         finfo.fsp_name = CONST_DISCARD(char *,fname);
4530
4531         if (!NT_STATUS_IS_OK(SMB_VFS_FGET_NT_ACL( &finfo, DACL_SECURITY_INFORMATION, &psd))) {
4532                 DEBUG(0,("get_nt_acl_no_snum: get_nt_acl returned zero.\n"));
4533                 conn_free_internal( conn );
4534                 return NULL;
4535         }
4536
4537         ret_sd = dup_sec_desc( ctx, psd );
4538
4539         conn_free_internal( conn );
4540
4541         return ret_sd;
4542 }