Added 'nt acl support' parameter - defaults to off.
authorJeremy Allison <jra@samba.org>
Sat, 13 Feb 1999 01:39:15 +0000 (01:39 +0000)
committerJeremy Allison <jra@samba.org>
Sat, 13 Feb 1999 01:39:15 +0000 (01:39 +0000)
smbd/nttrans.c: Added correct mapping from UNIX rwx to NT 'read' 'write' 'execute'.
Jeremy.

source/include/proto.h
source/include/smb.h
source/param/loadparm.c
source/smbd/nttrans.c

index 50a24441009f10510cf8fc808689136ac7876688..c28dd10dcb6a0e2372fb2abb3c8d0480c8145ac8 100644 (file)
@@ -1049,6 +1049,7 @@ BOOL lp_passwd_chat_debug(void);
 BOOL lp_ole_locking_compat(void);
 BOOL lp_nt_smb_support(void);
 BOOL lp_nt_pipe_support(void);
+BOOL lp_nt_acl_support(void);
 BOOL lp_stat_cache(void);
 int lp_os_level(void);
 int lp_max_ttl(void);
index 73848e804ad112db8ea62b5f7e6403f3fc9ac834..f3bd1f9a04f18c8a20628e1f77ad1d0d0ee06106 100644 (file)
@@ -1207,6 +1207,8 @@ struct bitmap {
 #define FILE_DELETE_CHILD     0x040
 #define FILE_READ_ATTRIBUTES  0x080
 #define FILE_WRITE_ATTRIBUTES 0x100
+
+#define FILE_ALL_ATTRIBUTES   0x1FF
  
 /* Generic access masks & rights. */
 #define SPECIFIC_RIGHTS_MASK 0x00FFFFL
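Review bot: `FILE_ALL_ATTRIBUTES` is a misleading name for 0x1FF, because the mask covers every file-specific right up to `FILE_WRITE_ATTRIBUTES` (0x100), including `FILE_DELETE_CHILD` (0x040) and presumably the data, EA and execute bits defined above the hunk. A reader will likely take it to mean only the two `*_ATTRIBUTES` bits. A comment on the define would prevent that, for example `/* All nine file-specific access bits (0x001-0x100), not just FILE_{READ,WRITE}_ATTRIBUTES. */`. The individual bit definitions start above this hunk.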
@@ -1216,12 +1218,26 @@ struct bitmap {
 #define WRITE_DAC_ACCESS     (1L<<18)
 #define WRITE_OWNER_ACCESS   (1L<<19)
 #define SYNCHRONIZE_ACCESS   (1L<<20)
+
 #define SYSTEM_SECURITY_ACCESS (1L<<24)
 #define GENERIC_ALL_ACCESS   (1<<28)
 #define GENERIC_EXECUTE_ACCESS  (1<<29)
 #define GENERIC_WRITE_ACCESS   (1<<30)
 #define GENERIC_READ_ACCESS   (1<<31)
 
+#define FILE_ALL_STANDARD_ACCESS 0x1F0000
+
+/* Mapping of access rights to UNIX perms. */
+#define UNIX_ACCESS_RWX (FILE_ALL_ATTRIBUTES|FILE_ALL_STANDARD_ACCESS)
+#define UNIX_ACCESS_R (READ_CONTROL_ACCESS|SYNCHRONIZE_ACCESS|\
+                       FILE_READ_ATTRIBUTES|FILE_READ_EA|FILE_READ_DATA)
+#define UNIX_ACCESS_W (READ_CONTROL_ACCESS|SYNCHRONIZE_ACCESS|\
+                       FILE_WRITE_ATTRIBUTES|FILE_WRITE_EA|\
+                       FILE_APPEND_DATA|FILE_WRITE_DATA)
+#define UNIX_ACCESS_X (READ_CONTROL_ACCESS|SYNCHRONIZE_ACCESS|\
+                       FILE_EXECUTE|FILE_READ_ATTRIBUTES)
+
+
 /* Flags field. */
 #define REQUEST_OPLOCK 2
 #define REQUEST_BATCH_OPLOCK 4
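Review bot: `UNIX_ACCESS_RWX` is broader than `UNIX_ACCESS_R|UNIX_ACCESS_W|UNIX_ACCESS_X`. `FILE_ALL_STANDARD_ACCESS` (0x1F0000) spans bits 16-20, so it includes `WRITE_DAC_ACCESS` (1L<<18) and `WRITE_OWNER_ACCESS` (1L<<19), and `FILE_ALL_ATTRIBUTES` adds `FILE_DELETE_CHILD`. map_unix_perms applies this mask to whichever of owner, group or other has all three bits set, so a group or world ACE on a mode-777 object would advertise the right to rewrite the DACL and take ownership, which UNIX reserves for the owner or root. Consider keeping the full-control mask for the owner ACE only and using the plain union for the others, e.g. `#define UNIX_ACCESS_RWX_NONOWNER (UNIX_ACCESS_R|UNIX_ACCESS_W|UNIX_ACCESS_X)`. If the wider mask is deliberate, a comment should say so.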
index 78e9eda538c868a23b587081eaf5ab974f67e05b..dc92bcd4e8cfb128877ad7fa8d8627a1487d5d8a 100644 (file)
@@ -233,6 +233,7 @@ typedef struct
   BOOL bTimestampLogs;
   BOOL bNTSmbSupport;
   BOOL bNTPipeSupport;
+  BOOL bNTAclSupport;
   BOOL bStatCache;
   BOOL bKernelOplocks;
 } global;
@@ -601,8 +602,9 @@ static struct parm_struct parm_table[] =
   {"read bmpx",        P_BOOL,    P_GLOBAL, &Globals.bReadbmpx,         NULL,   NULL,  0},
   {"read raw",         P_BOOL,    P_GLOBAL, &Globals.bReadRaw,          NULL,   NULL,  0},
   {"write raw",        P_BOOL,    P_GLOBAL, &Globals.bWriteRaw,         NULL,   NULL,  0},
-  {"nt smb support",   P_BOOL,    P_GLOBAL, &Globals.bNTSmbSupport,    NULL,   NULL,  0},
-  {"nt pipe support",   P_BOOL,    P_GLOBAL, &Globals.bNTPipeSupport,    NULL,   NULL,  0},
+  {"nt smb support",   P_BOOL,    P_GLOBAL, &Globals.bNTSmbSupport,     NULL,   NULL,  0},
+  {"nt pipe support",  P_BOOL,    P_GLOBAL, &Globals.bNTPipeSupport,    NULL,   NULL,  0},
+  {"nt acl support",   P_BOOL,    P_GLOBAL, &Globals.bNTAclSupport,     NULL,   NULL,  0},
   {"announce version", P_STRING,  P_GLOBAL, &Globals.szAnnounceVersion, NULL,   NULL,  0},
   {"announce as",      P_ENUM,    P_GLOBAL, &Globals.announce_as,       NULL,   enum_announce_as, 0},
   {"max mux",          P_INTEGER, P_GLOBAL, &Globals.max_mux,           NULL,   NULL,  0},
@@ -899,6 +901,7 @@ static void init_globals(void)
   Globals.bOleLockingCompat = True;
   Globals.bNTSmbSupport = True; /* Do NT SMB's by default. */
   Globals.bNTPipeSupport = True; /* Do NT pipes by default. */
+  Globals.bNTAclSupport = False; /* Don't use NT ACLs by default. */
   Globals.bStatCache = True; /* use stat cache by default */
   Globals.map_to_guest = 0; /* By Default, "Never" */
 
@@ -1195,6 +1198,7 @@ FN_GLOBAL_BOOL(lp_passwd_chat_debug,&Globals.bPasswdChatDebug)
 FN_GLOBAL_BOOL(lp_ole_locking_compat,&Globals.bOleLockingCompat)
 FN_GLOBAL_BOOL(lp_nt_smb_support,&Globals.bNTSmbSupport)
 FN_GLOBAL_BOOL(lp_nt_pipe_support,&Globals.bNTPipeSupport)
+FN_GLOBAL_BOOL(lp_nt_acl_support,&Globals.bNTAclSupport)
 FN_GLOBAL_BOOL(lp_stat_cache,&Globals.bStatCache)
 
 FN_GLOBAL_INTEGER(lp_os_level,&Globals.os_level)
index 26abb86d5f188e6775762fff70c2cb5b5b919530..77906972e922d20f5b5138bbfc35ece19f623c97 100644 (file)
@@ -1609,15 +1609,16 @@ static SEC_ACCESS map_unix_perms( mode_t perm, int r_mask, int w_mask, int x_mas
        SEC_ACCESS sa;
        uint32 nt_mask = 0;
 
-       nt_mask |= (perm & r_mask) ? GENERIC_READ_ACCESS|FILE_READ_DATA|FILE_READ_ATTRIBUTES : 0;
-       if(is_directory)
-               nt_mask |= (perm & w_mask) ? GENERIC_WRITE_ACCESS|FILE_DELETE_CHILD : 0;
-       else
-               nt_mask |= (perm & w_mask) ? GENERIC_WRITE_ACCESS|FILE_WRITE_DATA|FILE_WRITE_ATTRIBUTES : 0;
-       nt_mask |= (perm & x_mask) ? GENERIC_EXECUTE_ACCESS|FILE_EXECUTE : 0;
-
-       if(perm & (r_mask|w_mask|x_mask))
-               nt_mask |= GENERIC_ALL_ACCESS;
+       if((perm & (r_mask|w_mask|x_mask)) == (r_mask|w_mask|x_mask)) {
+               nt_mask = UNIX_ACCESS_RWX;
+       } else {
+               nt_mask |= (perm & r_mask) ? UNIX_ACCESS_R : 0;
+               if(is_directory)
+                       nt_mask |= (perm & w_mask) ? UNIX_ACCESS_W : 0;
+               else
+                       nt_mask |= (perm & w_mask) ? UNIX_ACCESS_W : 0;
+               nt_mask |= (perm & x_mask) ? UNIX_ACCESS_X : 0;
+       }
        init_sec_access(&sa,nt_mask);
        return sa;
 }
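Review bot: The `if(is_directory)` / `else` pair inside the new else-branch has two identical arms (`nt_mask |= (perm & w_mask) ? UNIX_ACCESS_W : 0;`), so `is_directory` no longer influences the result. The removed code gave a writable directory `FILE_DELETE_CHILD`, which `UNIX_ACCESS_W` does not contain, so a directory with write but not all of rwx stops reporting it. Either collapse the pair to a single statement or restore the distinction in the directory arm, e.g. `nt_mask |= (perm & w_mask) ? UNIX_ACCESS_W|FILE_DELETE_CHILD : 0;`. The function's signature and opening brace are above the hunk.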
@@ -1629,20 +1630,16 @@ static SEC_ACCESS map_unix_perms( mode_t perm, int r_mask, int w_mask, int x_mas
 
 static size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
 {
-#if 1
+  extern DOM_SID global_sam_sid;
   static DOM_SID world_sid;
   static BOOL world_sid_initialized = False;
-  SEC_ACL *daclp;
+  SMB_STRUCT_STAT sbuf;
+  SEC_ACE ace_list[3];
   DOM_SID owner_sid;
   DOM_SID group_sid;
   size_t sec_desc_size;
-
-  /*
-   * The security descriptor returned has no SACL and no DACL
-   * and the owner and group sids are S-1-1-0 (World Sid).
-   * JRA.
-   */
-
+  SEC_ACL *psa = NULL;
+  
   *ppdesc = NULL;
 
   if(!world_sid_initialized) {
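Review bot: The only comment describing what get_nt_acl returns is deleted here and nothing replaces it, although the function now has two modes selected by `lp_nt_acl_support()`. I would add a header comment stating that with the parameter off the owner and group are both S-1-1-0 and a NULL ACL pointer is passed to `make_standard_sec_desc`, and with it on the owner and group SIDs come from the stat() uid/gid and a three-ACE ACL mirrors the UNIX mode bits. It is also worth stating how a NULL `psa` is encoded, since that is not visible here and clients may treat an absent DACL very differently from an empty one. The function body continues in the following hunks.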
@@ -1650,70 +1647,45 @@ static size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
     string_to_sid( &world_sid, "S-1-1-0");
   }
 
-  sid_copy( &owner_sid, &world_sid);
-  sid_copy( &group_sid, &world_sid);
-
-  *ppdesc = make_standard_sec_desc( &owner_sid, &group_sid, NULL, &sec_desc_size);
-
-  if(!*ppdesc) {
-    DEBUG(0,("get_nt_acl: Unable to malloc space for security descriptor.\n"));
-    return 0;
-  }
-
-  return sec_desc_size;
-
-#else
-
-  extern DOM_SID global_sam_sid;
-  static DOM_SID world_sid;
-  static BOOL world_sid_initialized = False;
-  SMB_STRUCT_STAT sbuf;
-  SEC_ACE ace_list[3];
-  DOM_SID owner_sid;
-  DOM_SID group_sid;
-  size_t sec_desc_size;
-  SEC_ACL *psa;
-  
-  *ppdesc = NULL;
-
-  if(fsp->is_directory) {
-    if(sys_stat(fsp->fsp_name, &sbuf) != 0) {
-      return 0;
-    }
+  if(!lp_nt_acl_support()) {
+    sid_copy( &owner_sid, &world_sid);
+    sid_copy( &group_sid, &world_sid);
   } else {
-    if(sys_fstat(fsp->fd_ptr->fd,&sbuf) != 0) {
-      return 0;
-    }
-  }
 
-  /*
-   * Get the owner, group and world SIDs.
-   */
+    if(fsp->is_directory) {
+      if(sys_stat(fsp->fsp_name, &sbuf) != 0) {
+        return 0;
+      }
+    } else {
+      if(sys_fstat(fsp->fd_ptr->fd,&sbuf) != 0) {
+        return 0;
+      }
+    }
 
-  sid_copy(&owner_sid, &global_sam_sid);
-  sid_copy(&group_sid, &global_sam_sid);
-  sid_append_rid(&owner_sid, pdb_uid_to_user_rid(sbuf.st_uid));
-  sid_append_rid(&group_sid, pdb_uid_to_user_rid(sbuf.st_gid));
+    /*
+     * Get the owner, group and world SIDs.
+     */
 
-  if(!world_sid_initialized) {
-    world_sid_initialized = True;
-    string_to_sid( &world_sid, "S-1-1-0");
-  }
+    sid_copy(&owner_sid, &global_sam_sid);
+    sid_copy(&group_sid, &global_sam_sid);
+    sid_append_rid(&owner_sid, pdb_uid_to_user_rid(sbuf.st_uid));
+    sid_append_rid(&group_sid, pdb_uid_to_user_rid(sbuf.st_gid));
 
-  /*
-   * Create the generic 3 element UNIX acl.
-   */
+    /*
+     * Create the generic 3 element UNIX acl.
+     */
 
-  init_sec_ace(&ace_list[0], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, 
+    init_sec_ace(&ace_list[0], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, 
                                map_unix_perms(sbuf.st_mode, S_IRUSR, S_IWUSR, S_IXUSR, fsp->is_directory), 0);
-  init_sec_ace(&ace_list[1], &group_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, 
+    init_sec_ace(&ace_list[1], &group_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, 
                                map_unix_perms(sbuf.st_mode, S_IRGRP, S_IWGRP, S_IXGRP, fsp->is_directory), 0);
-  init_sec_ace(&ace_list[2], &world_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, 
+    init_sec_ace(&ace_list[2], &world_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, 
                                map_unix_perms(sbuf.st_mode, S_IROTH, S_IWOTH, S_IXOTH, fsp->is_directory), 0);
 
-  if((psa = make_sec_acl( 3, 3, ace_list)) == NULL) {
-    DEBUG(0,("get_nt_acl: Unable to malloc space for acl.\n"));
-    return 0;
+    if((psa = make_sec_acl( 3, 3, ace_list)) == NULL) {
+      DEBUG(0,("get_nt_acl: Unable to malloc space for acl.\n"));
+      return 0;
+    }
   }
 
   *ppdesc = make_standard_sec_desc( &owner_sid, &group_sid, psa, &sec_desc_size);
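Review bot: The group SID is built with `pdb_uid_to_user_rid(sbuf.st_gid)`, a uid-to-user-RID mapping applied to a gid, so the group ACE can end up naming a user account whose uid happens to equal the file's gid. This line was compiled out under `#else` before and becomes live whenever `nt acl support` is enabled. It should use a gid-to-group-RID mapping instead, e.g. `sid_append_rid(&group_sid, pdb_gid_to_group_rid(sbuf.st_gid));`, assuming that helper exists in this tree (it is not visible on this page). get_nt_acl begins in the previous hunk and ends in the following one.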
@@ -1726,7 +1698,6 @@ static size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
   free_sec_acl(&psa);
 
   return sec_desc_size;
-#endif
 }
 
 /****************************************************************************