*/
#include "includes.h"
+#include "printing.h"
#include "smbd/globals.h"
+#include "fake_file.h"
+#include "librpc/gen_ndr/messaging.h"
+#include "../libcli/security/security.h"
+#include "../librpc/gen_ndr/ndr_security.h"
extern const struct generic_mapping file_generic_mapping;
struct deferred_open_record {
- bool delayed_for_oplocks;
- struct file_id id;
+ bool delayed_for_oplocks;
+ struct file_id id;
};
static NTSTATUS create_file_unixpath(connection_struct *conn,
SMB1 file varient of se_access_check. Never test FILE_READ_ATTRIBUTES.
****************************************************************************/
-NTSTATUS smb1_file_se_access_check(const struct security_descriptor *sd,
- const NT_USER_TOKEN *token,
- uint32_t access_desired,
- uint32_t *access_granted)
+NTSTATUS smb1_file_se_access_check(struct connection_struct *conn,
+ const struct security_descriptor *sd,
+ const struct security_token *token,
+ uint32_t access_desired,
+ uint32_t *access_granted)
{
+ *access_granted = 0;
+
+ if (get_current_uid(conn) == (uid_t)0) {
+ /* I'm sorry sir, I didn't know you were root... */
+ *access_granted = access_desired;
+ if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
+ *access_granted |= FILE_GENERIC_ALL;
+ }
+ return NT_STATUS_OK;
+ }
+
return se_access_check(sd,
token,
(access_desired & ~FILE_READ_ATTRIBUTES),
NTSTATUS status;
struct security_descriptor *sd = NULL;
- *access_granted = 0;
-
- if (conn->server_info->utok.uid == 0 || conn->admin_user) {
- /* I'm sorry sir, I didn't know you were root... */
- *access_granted = access_mask;
- if (access_mask & SEC_FLAG_MAXIMUM_ALLOWED) {
- *access_granted |= FILE_GENERIC_ALL;
- }
- return NT_STATUS_OK;
- }
-
status = SMB_VFS_GET_NT_ACL(conn, smb_fname->base_name,
- (OWNER_SECURITY_INFORMATION |
- GROUP_SECURITY_INFORMATION |
- DACL_SECURITY_INFORMATION),&sd);
+ (SECINFO_OWNER |
+ SECINFO_GROUP |
+ SECINFO_DACL),&sd);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("smbd_check_open_rights: Could not get acl "
return status;
}
- status = smb1_file_se_access_check(sd,
- conn->server_info->ptok,
+ status = smb1_file_se_access_check(conn,
+ sd,
+ get_current_nttok(conn),
access_mask,
access_granted);
fsp->can_write = (access_mask & (FILE_WRITE_DATA | FILE_APPEND_DATA)) ?
True : False;
}
- fsp->print_file = False;
+ fsp->print_file = NULL;
fsp->modified = False;
fsp->sent_oplock_break = NO_BREAK_SENT;
fsp->is_directory = False;
}
#if defined(DEVELOPER)
-static void validate_my_share_entries(int num,
+static void validate_my_share_entries(struct smbd_server_connection *sconn,
+ int num,
struct share_mode_entry *share_entry)
{
files_struct *fsp;
return;
}
- fsp = file_find_dif(share_entry->id,
+ fsp = file_find_dif(sconn, share_entry->id,
share_entry->share_file_id);
if (!fsp) {
DEBUG(0,("validate_my_share_entries: PANIC : %s\n",
#if defined(DEVELOPER)
for(i = 0; i < lck->num_share_modes; i++) {
- validate_my_share_entries(i, &lck->share_modes[i]);
+ validate_my_share_entries(conn->sconn, i,
+ &lck->share_modes[i]);
}
#endif
static NTSTATUS send_break_message(files_struct *fsp,
struct share_mode_entry *exclusive,
- uint16 mid,
+ uint64_t mid,
int oplock_request)
{
NTSTATUS status;
don't want this set in the share mode struct pointed to by lck. */
if (oplock_request & FORCE_OPLOCK_BREAK_TO_NONE) {
- SSVAL(msg,6,exclusive->op_type | FORCE_OPLOCK_BREAK_TO_NONE);
+ SSVAL(msg,OP_BREAK_MSG_OP_TYPE_OFFSET,
+ exclusive->op_type | FORCE_OPLOCK_BREAK_TO_NONE);
}
- status = messaging_send_buf(smbd_messaging_context(), exclusive->pid,
+ status = messaging_send_buf(fsp->conn->sconn->msg_ctx, exclusive->pid,
MSG_SMB_BREAK_REQUEST,
(uint8 *)msg,
MSG_SMB_SHARE_MODE_ENTRY_SIZE);
static bool delay_for_oplocks(struct share_mode_lock *lck,
files_struct *fsp,
- uint16 mid,
+ uint64_t mid,
int pass_number,
int oplock_request)
{
if (procid_is_me(&e->pid) && (e->op_mid == req->mid)) {
DEBUG(0, ("Trying to defer an already deferred "
- "request: mid=%d, exiting\n", req->mid));
+ "request: mid=%llu, exiting\n",
+ (unsigned long long)req->mid));
exit_server("attempt to defer a deferred request");
}
}
/* End paranoia check */
DEBUG(10,("defer_open_sharing_error: time [%u.%06u] adding deferred "
- "open entry for mid %u\n",
+ "open entry for mid %llu\n",
(unsigned int)request_time.tv_sec,
(unsigned int)request_time.tv_usec,
- (unsigned int)req->mid));
+ (unsigned long long)req->mid));
- if (!push_deferred_smb_message(req, request_time, timeout,
- (char *)state, sizeof(*state))) {
- exit_server("push_deferred_smb_message failed");
+ if (!push_deferred_open_message_smb(req, request_time, timeout,
+ state->id, (char *)state, sizeof(*state))) {
+ exit_server("push_deferred_open_message_smb failed");
}
- add_deferred_open(lck, req->mid, request_time, state->id);
+ add_deferred_open(lck, req->mid, request_time,
+ sconn_server_id(req->sconn), state->id);
}
DEBUG(5,("fcb_or_dos_open: attempting old open semantics for "
"file %s.\n", smb_fname_str_dbg(smb_fname)));
- for(fsp = file_find_di_first(id); fsp;
+ for(fsp = file_find_di_first(conn->sconn, id); fsp;
fsp = file_find_di_next(fsp)) {
DEBUG(10,("fcb_or_dos_open: checking file %s, fd = %d, "
uint32_t access_granted = 0;
status = SMB_VFS_GET_NT_ACL(conn, smb_fname->base_name,
- (OWNER_SECURITY_INFORMATION |
- GROUP_SECURITY_INFORMATION |
- DACL_SECURITY_INFORMATION),&sd);
+ (SECINFO_OWNER |
+ SECINFO_GROUP |
+ SECINFO_DACL),&sd);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("calculate_access_mask: Could not get acl "
return NT_STATUS_ACCESS_DENIED;
}
- status = smb1_file_se_access_check(sd,
- conn->server_info->ptok,
+ status = smb1_file_se_access_check(conn,
+ sd,
+ get_current_nttok(conn),
access_mask,
&access_granted);
return NT_STATUS_OK;
}
+/****************************************************************************
+ Remove the deferred open entry under lock.
+****************************************************************************/
+
+void remove_deferred_open_entry(struct file_id id, uint64_t mid,
+ struct server_id pid)
+{
+ struct share_mode_lock *lck = get_share_mode_lock(talloc_tos(), id,
+ NULL, NULL, NULL);
+ if (lck == NULL) {
+ DEBUG(0, ("could not get share mode lock\n"));
+ } else {
+ del_deferred_open_entry(lck, mid, pid);
+ TALLOC_FREE(lck);
+ }
+}
+
/****************************************************************************
Open a file with a share mode. Passed in an already created files_struct *.
****************************************************************************/
mode_t unx_mode = (mode_t)0;
int info;
uint32 existing_dos_attributes = 0;
- struct pending_message_list *pml = NULL;
struct timeval request_time = timeval_zero();
struct share_mode_lock *lck = NULL;
uint32 open_access_mask = access_mask;
ZERO_STRUCT(id);
+ /* Windows allows a new file to be created and
+ silently removes a FILE_ATTRIBUTE_DIRECTORY
+ sent by the client. Do the same. */
+
+ new_dos_attributes &= ~FILE_ATTRIBUTE_DIRECTORY;
+
if (conn->printer) {
/*
* Printers are handled completely differently.
return NT_STATUS_INTERNAL_ERROR;
}
- return print_fsp_open(req, conn, smb_fname->base_name,
- req->vuid, fsp);
+ return print_spool_open(fsp, smb_fname->base_name,
+ req->vuid);
}
if (!parent_dirname(talloc_tos(), smb_fname->base_name, &parent_dir,
* Only non-internal opens can be deferred at all
*/
- if ((req != NULL)
- && ((pml = get_open_deferred_message(req->mid)) != NULL)) {
- struct deferred_open_record *state =
- (struct deferred_open_record *)pml->private_data.data;
+ if (req) {
+ void *ptr;
+ if (get_deferred_open_message_state(req,
+ &request_time,
+ &ptr)) {
- /* Remember the absolute time of the original
- request with this mid. We'll use it later to
- see if this has timed out. */
+ struct deferred_open_record *state = (struct deferred_open_record *)ptr;
+ /* Remember the absolute time of the original
+ request with this mid. We'll use it later to
+ see if this has timed out. */
- request_time = pml->request_time;
+ /* Remove the deferred open entry under lock. */
+ remove_deferred_open_entry(
+ state->id, req->mid,
+ sconn_server_id(req->sconn));
- /* Remove the deferred open entry under lock. */
- lck = get_share_mode_lock(talloc_tos(), state->id, NULL, NULL,
- NULL);
- if (lck == NULL) {
- DEBUG(0, ("could not get share mode lock\n"));
- } else {
- del_deferred_open_entry(lck, req->mid);
- TALLOC_FREE(lck);
+ /* Ensure we don't reprocess this message. */
+ remove_deferred_open_message_smb(req->mid);
}
-
- /* Ensure we don't reprocess this message. */
- remove_deferred_open_smb_message(req->mid);
}
status = check_name(conn, smb_fname->base_name);
}
/* ignore any oplock requests if oplocks are disabled */
- if (!lp_oplocks(SNUM(conn)) || global_client_failed_oplock_break ||
+ if (!lp_oplocks(SNUM(conn)) ||
IS_VETO_OPLOCK_PATH(conn, smb_fname->base_name)) {
/* Mask off everything except the private Samba bits. */
oplock_request &= SAMBA_PRIVATE_OPLOCK_MASK;
if ((flags2 & O_CREAT) && lp_inherit_acls(SNUM(conn)) &&
(def_acl = directory_has_default_acl(conn, parent_dir))) {
- unx_mode = 0777;
+ unx_mode = (0777 & lp_create_mask(SNUM(conn)));
}
DEBUG(4,("calling open_file with flags=0x%X flags2=0x%X mode=0%o, "
* If requested, truncate the file.
*/
- if (flags2&O_TRUNC) {
+ if (file_existed && (flags2&O_TRUNC)) {
/*
* We are modifing the file after open - update the stat
* struct..
new_file_created = True;
}
- set_share_mode(lck, fsp, conn->server_info->utok.uid, 0,
+ set_share_mode(lck, fsp, get_current_uid(conn), 0,
fsp->oplock_type);
/* Handle strange delete on close create semantics. */
/* If this is a successful open, we must remove any deferred open
* records. */
if (req != NULL) {
- del_deferred_open_entry(lck, req->mid);
+ del_deferred_open_entry(lck, req->mid,
+ sconn_server_id(req->sconn));
}
TALLOC_FREE(lck);
SMB_ASSERT(!is_ntfs_stream_smb_fname(smb_dname));
+ /* Ensure we have a directory attribute. */
+ file_attributes |= FILE_ATTRIBUTE_DIRECTORY;
+
DEBUG(5,("open_directory: opening directory %s, access_mask = 0x%x, "
"share_access = 0x%x create_options = 0x%x, "
"create_disposition = 0x%x, file_attributes = 0x%x\n",
return status;
}
- /* We need to support SeSecurityPrivilege for this. */
- if (access_mask & SEC_FLAG_SYSTEM_SECURITY) {
+ if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) &
+ !security_token_has_privilege(get_current_nttok(conn),
+ SEC_PRIV_SECURITY)) {
DEBUG(10, ("open_directory: open on %s "
"failed - SEC_FLAG_SYSTEM_SECURITY denied.\n",
smb_fname_str_dbg(smb_dname)));
* According to Samba4, SEC_FILE_READ_ATTRIBUTE is always granted,
*/
fsp->access_mask = access_mask | FILE_READ_ATTRIBUTES;
- fsp->print_file = False;
+ fsp->print_file = NULL;
fsp->modified = False;
fsp->oplock_type = NO_OPLOCK;
fsp->sent_oplock_break = NO_BREAK_SENT;
return status;
}
- set_share_mode(lck, fsp, conn->server_info->utok.uid, 0, NO_OPLOCK);
+ set_share_mode(lck, fsp, get_current_uid(conn), 0, NO_OPLOCK);
/* For directories the delete on close bit at open time seems
always to be honored on close... See test 19 in Samba4 BASE-DELETE. */
struct server_id server_id,
DATA_BLOB *data)
{
+ struct smbd_server_connection *sconn;
files_struct *fsp;
char *frm = (char *)data->data;
struct file_id id;
size_t sp_len, bn_len;
NTSTATUS status;
+ sconn = msg_ctx_to_sconn(msg);
+ if (sconn == NULL) {
+ DEBUG(1, ("could not find sconn\n"));
+ return;
+ }
+
if (data->data == NULL
|| data->length < MSG_FILE_RENAMED_MIN_SIZE + 2) {
DEBUG(0, ("msg_file_was_renamed: Got invalid msg len %d\n",
sharepath, smb_fname_str_dbg(smb_fname),
file_id_string_tos(&id)));
- for(fsp = file_find_di_first(id); fsp; fsp = file_find_di_next(fsp)) {
+ for(fsp = file_find_di_first(sconn, id); fsp;
+ fsp = file_find_di_next(fsp)) {
if (memcmp(fsp->conn->connectpath, sharepath, sp_len) == 0) {
DEBUG(10,("msg_file_was_renamed: renaming file fnum %d from %s -> %s\n",
goto fail;
}
-#if 0
- /* We need to support SeSecurityPrivilege for this. */
if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) &&
- !user_has_privileges(current_user.nt_user_token,
- &se_security)) {
- status = NT_STATUS_PRIVILEGE_NOT_HELD;
- goto fail;
- }
-#else
- /* We need to support SeSecurityPrivilege for this. */
- if (access_mask & SEC_FLAG_SYSTEM_SECURITY) {
- status = NT_STATUS_PRIVILEGE_NOT_HELD;
- goto fail;
- }
- /* Don't allow a SACL set from an NTtrans create until we
- * support SeSecurityPrivilege. */
- if (!VALID_STAT(smb_fname->st) &&
- lp_nt_acl_support(SNUM(conn)) &&
- sd && (sd->sacl != NULL)) {
+ !security_token_has_privilege(get_current_nttok(conn),
+ SEC_PRIV_SECURITY)) {
+ DEBUG(10, ("create_file_unixpath: open on %s "
+ "failed - SEC_FLAG_SYSTEM_SECURITY denied.\n",
+ smb_fname_str_dbg(smb_fname)));
status = NT_STATUS_PRIVILEGE_NOT_HELD;
goto fail;
}
-#endif
if ((conn->fs_capabilities & FILE_NAMED_STREAMS)
&& is_ntfs_stream_smb_fname(smb_fname)
security_acl_map_generic(sd->dacl, &file_generic_mapping);
security_acl_map_generic(sd->sacl, &file_generic_mapping);
- if (sec_info_sent & (OWNER_SECURITY_INFORMATION|
- GROUP_SECURITY_INFORMATION|
- DACL_SECURITY_INFORMATION|
- SACL_SECURITY_INFORMATION)) {
+ if (sec_info_sent & (SECINFO_OWNER|
+ SECINFO_GROUP|
+ SECINFO_DACL|
+ SECINFO_SACL)) {
status = SMB_VFS_FSET_NT_ACL(fsp, sec_info_sent, sd);
}
int info = FILE_WAS_OPENED;
files_struct *fsp = NULL;
NTSTATUS status;
+ bool stream_name = false;
DEBUG(10,("create_file: access_mask = 0x%x "
"file_attributes = 0x%x, share_access = 0x%x, "
* Check to see if this is a mac fork of some kind.
*/
- if (is_ntfs_stream_smb_fname(smb_fname)) {
+ stream_name = is_ntfs_stream_smb_fname(smb_fname);
+ if (stream_name) {
enum FAKE_FILE_TYPE fake_file_type;
fake_file_type = is_fake_file(smb_fname);
goto fail;
}
+ if (stream_name && is_ntfs_default_stream_smb_fname(smb_fname)) {
+ int ret;
+ smb_fname->stream_name = NULL;
+ /* We have to handle this error here. */
+ if (create_options & FILE_DIRECTORY_FILE) {
+ status = NT_STATUS_NOT_A_DIRECTORY;
+ goto fail;
+ }
+ if (lp_posix_pathnames()) {
+ ret = SMB_VFS_LSTAT(conn, smb_fname);
+ } else {
+ ret = SMB_VFS_STAT(conn, smb_fname);
+ }
+
+ if (ret == 0 && VALID_STAT_OF_DIR(smb_fname->st)) {
+ status = NT_STATUS_FILE_IS_A_DIRECTORY;
+ goto fail;
+ }
+ }
+
status = create_file_unixpath(
conn, req, smb_fname, access_mask, share_access,
create_disposition, create_options, file_attributes,