#define FILE_DELETE_CHILD 0x040
#define FILE_READ_ATTRIBUTES 0x080
#define FILE_WRITE_ATTRIBUTES 0x100
+
+#define FILE_ALL_ATTRIBUTES 0x1FF
/* Generic access masks & rights. */
#define SPECIFIC_RIGHTS_MASK 0x00FFFFL
#define WRITE_DAC_ACCESS (1L<<18)
#define WRITE_OWNER_ACCESS (1L<<19)
#define SYNCHRONIZE_ACCESS (1L<<20)
+
#define SYSTEM_SECURITY_ACCESS (1L<<24)
#define GENERIC_ALL_ACCESS (1<<28)
#define GENERIC_EXECUTE_ACCESS (1<<29)
#define GENERIC_WRITE_ACCESS (1<<30)
#define GENERIC_READ_ACCESS (1<<31)
+#define FILE_ALL_STANDARD_ACCESS 0x1F0000
+
+/* Mapping of access rights to UNIX perms. */
+#define UNIX_ACCESS_RWX (FILE_ALL_ATTRIBUTES|FILE_ALL_STANDARD_ACCESS)
+#define UNIX_ACCESS_R (READ_CONTROL_ACCESS|SYNCHRONIZE_ACCESS|\
+ FILE_READ_ATTRIBUTES|FILE_READ_EA|FILE_READ_DATA)
+#define UNIX_ACCESS_W (READ_CONTROL_ACCESS|SYNCHRONIZE_ACCESS|\
+ FILE_WRITE_ATTRIBUTES|FILE_WRITE_EA|\
+ FILE_APPEND_DATA|FILE_WRITE_DATA)
+#define UNIX_ACCESS_X (READ_CONTROL_ACCESS|SYNCHRONIZE_ACCESS|\
+ FILE_EXECUTE|FILE_READ_ATTRIBUTES)
+
+
/* Flags field. */
#define REQUEST_OPLOCK 2
#define REQUEST_BATCH_OPLOCK 4
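Review bot: `UNIX_ACCESS_RWX` is built from `FILE_ALL_STANDARD_ACCESS` (0x1F0000), which spans bits 16-20 and so includes `WRITE_DAC_ACCESS` and `WRITE_OWNER_ACCESS` as defined just above. Every rwx triplet, group and other included, is therefore presented to clients as able to change permissions and ownership, which UNIX mode bits never grant to a non-owner. If, as this diff suggests, the mask is only reported by get_nt_acl and not enforced, say so above the mapping, e.g. `/* rwx is shown as Full Control; the WRITE_DAC/WRITE_OWNER bits are reported only, UNIX still enforces ownership. */`. Otherwise mask those two bits out for the group and world ACEs so the displayed ACL does not overstate access.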
BOOL bTimestampLogs;
BOOL bNTSmbSupport;
BOOL bNTPipeSupport;
+ BOOL bNTAclSupport;
BOOL bStatCache;
BOOL bKernelOplocks;
} global;
{"read bmpx", P_BOOL, P_GLOBAL, &Globals.bReadbmpx, NULL, NULL, 0},
{"read raw", P_BOOL, P_GLOBAL, &Globals.bReadRaw, NULL, NULL, 0},
{"write raw", P_BOOL, P_GLOBAL, &Globals.bWriteRaw, NULL, NULL, 0},
- {"nt smb support", P_BOOL, P_GLOBAL, &Globals.bNTSmbSupport, NULL, NULL, 0},
- {"nt pipe support", P_BOOL, P_GLOBAL, &Globals.bNTPipeSupport, NULL, NULL, 0},
+ {"nt smb support", P_BOOL, P_GLOBAL, &Globals.bNTSmbSupport, NULL, NULL, 0},
+ {"nt pipe support", P_BOOL, P_GLOBAL, &Globals.bNTPipeSupport, NULL, NULL, 0},
+ {"nt acl support", P_BOOL, P_GLOBAL, &Globals.bNTAclSupport, NULL, NULL, 0},
{"announce version", P_STRING, P_GLOBAL, &Globals.szAnnounceVersion, NULL, NULL, 0},
{"announce as", P_ENUM, P_GLOBAL, &Globals.announce_as, NULL, enum_announce_as, 0},
{"max mux", P_INTEGER, P_GLOBAL, &Globals.max_mux, NULL, NULL, 0},
Globals.bOleLockingCompat = True;
Globals.bNTSmbSupport = True; /* Do NT SMB's by default. */
Globals.bNTPipeSupport = True; /* Do NT pipes by default. */
+ Globals.bNTAclSupport = False; /* Don't use NT ACLs by default. */
Globals.bStatCache = True; /* use stat cache by default */
Globals.map_to_guest = 0; /* By Default, "Never" */
FN_GLOBAL_BOOL(lp_ole_locking_compat,&Globals.bOleLockingCompat)
FN_GLOBAL_BOOL(lp_nt_smb_support,&Globals.bNTSmbSupport)
FN_GLOBAL_BOOL(lp_nt_pipe_support,&Globals.bNTPipeSupport)
+FN_GLOBAL_BOOL(lp_nt_acl_support,&Globals.bNTAclSupport)
FN_GLOBAL_BOOL(lp_stat_cache,&Globals.bStatCache)
FN_GLOBAL_INTEGER(lp_os_level,&Globals.os_level)
SEC_ACCESS sa;
uint32 nt_mask = 0;
- nt_mask |= (perm & r_mask) ? GENERIC_READ_ACCESS|FILE_READ_DATA|FILE_READ_ATTRIBUTES : 0;
- if(is_directory)
- nt_mask |= (perm & w_mask) ? GENERIC_WRITE_ACCESS|FILE_DELETE_CHILD : 0;
- else
- nt_mask |= (perm & w_mask) ? GENERIC_WRITE_ACCESS|FILE_WRITE_DATA|FILE_WRITE_ATTRIBUTES : 0;
- nt_mask |= (perm & x_mask) ? GENERIC_EXECUTE_ACCESS|FILE_EXECUTE : 0;
-
- if(perm & (r_mask|w_mask|x_mask))
- nt_mask |= GENERIC_ALL_ACCESS;
+ if((perm & (r_mask|w_mask|x_mask)) == (r_mask|w_mask|x_mask)) {
+ nt_mask = UNIX_ACCESS_RWX;
+ } else {
+ nt_mask |= (perm & r_mask) ? UNIX_ACCESS_R : 0;
+ if(is_directory)
+ nt_mask |= (perm & w_mask) ? UNIX_ACCESS_W : 0;
+ else
+ nt_mask |= (perm & w_mask) ? UNIX_ACCESS_W : 0;
+ nt_mask |= (perm & x_mask) ? UNIX_ACCESS_X : 0;
+ }
init_sec_access(&sa,nt_mask);
return sa;
}
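Review bot: Both arms of the `if(is_directory)` test on the write bit now assign the same `UNIX_ACCESS_W`, so the branch is dead. The directory-specific `FILE_DELETE_CHILD` that the removed code reported is no longer included for a directory that is writable but not rwx. Either collapse it to a single `nt_mask |= (perm & w_mask) ? UNIX_ACCESS_W : 0;`, or keep the distinction with `UNIX_ACCESS_W|FILE_DELETE_CHILD` in the directory arm. As written, `is_directory` no longer affects the result in the lines shown. The start of map_unix_perms lies outside this hunk.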
static size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
{
-#if 1
+ extern DOM_SID global_sam_sid;
static DOM_SID world_sid;
static BOOL world_sid_initialized = False;
- SEC_ACL *daclp;
+ SMB_STRUCT_STAT sbuf;
+ SEC_ACE ace_list[3];
DOM_SID owner_sid;
DOM_SID group_sid;
size_t sec_desc_size;
-
- /*
- * The security descriptor returned has no SACL and no DACL
- * and the owner and group sids are S-1-1-0 (World Sid).
- * JRA.
- */
-
+ SEC_ACL *psa = NULL;
+
*ppdesc = NULL;
if(!world_sid_initialized) {
string_to_sid( &world_sid, "S-1-1-0");
}
- sid_copy( &owner_sid, &world_sid);
- sid_copy( &group_sid, &world_sid);
-
- *ppdesc = make_standard_sec_desc( &owner_sid, &group_sid, NULL, &sec_desc_size);
-
- if(!*ppdesc) {
- DEBUG(0,("get_nt_acl: Unable to malloc space for security descriptor.\n"));
- return 0;
- }
-
- return sec_desc_size;
-
-#else
-
- extern DOM_SID global_sam_sid;
- static DOM_SID world_sid;
- static BOOL world_sid_initialized = False;
- SMB_STRUCT_STAT sbuf;
- SEC_ACE ace_list[3];
- DOM_SID owner_sid;
- DOM_SID group_sid;
- size_t sec_desc_size;
- SEC_ACL *psa;
-
- *ppdesc = NULL;
-
- if(fsp->is_directory) {
- if(sys_stat(fsp->fsp_name, &sbuf) != 0) {
- return 0;
- }
+ if(!lp_nt_acl_support()) {
+ sid_copy( &owner_sid, &world_sid);
+ sid_copy( &group_sid, &world_sid);
} else {
- if(sys_fstat(fsp->fd_ptr->fd,&sbuf) != 0) {
- return 0;
- }
- }
- /*
- * Get the owner, group and world SIDs.
- */
+ if(fsp->is_directory) {
+ if(sys_stat(fsp->fsp_name, &sbuf) != 0) {
+ return 0;
+ }
+ } else {
+ if(sys_fstat(fsp->fd_ptr->fd,&sbuf) != 0) {
+ return 0;
+ }
+ }
- sid_copy(&owner_sid, &global_sam_sid);
- sid_copy(&group_sid, &global_sam_sid);
- sid_append_rid(&owner_sid, pdb_uid_to_user_rid(sbuf.st_uid));
- sid_append_rid(&group_sid, pdb_uid_to_user_rid(sbuf.st_gid));
+ /*
+ * Get the owner, group and world SIDs.
+ */
- if(!world_sid_initialized) {
- world_sid_initialized = True;
- string_to_sid( &world_sid, "S-1-1-0");
- }
+ sid_copy(&owner_sid, &global_sam_sid);
+ sid_copy(&group_sid, &global_sam_sid);
+ sid_append_rid(&owner_sid, pdb_uid_to_user_rid(sbuf.st_uid));
+ sid_append_rid(&group_sid, pdb_uid_to_user_rid(sbuf.st_gid));
- /*
- * Create the generic 3 element UNIX acl.
- */
+ /*
+ * Create the generic 3 element UNIX acl.
+ */
- init_sec_ace(&ace_list[0], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
+ init_sec_ace(&ace_list[0], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
map_unix_perms(sbuf.st_mode, S_IRUSR, S_IWUSR, S_IXUSR, fsp->is_directory), 0);
- init_sec_ace(&ace_list[1], &group_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
+ init_sec_ace(&ace_list[1], &group_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
map_unix_perms(sbuf.st_mode, S_IRGRP, S_IWGRP, S_IXGRP, fsp->is_directory), 0);
- init_sec_ace(&ace_list[2], &world_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
+ init_sec_ace(&ace_list[2], &world_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
map_unix_perms(sbuf.st_mode, S_IROTH, S_IWOTH, S_IXOTH, fsp->is_directory), 0);
- if((psa = make_sec_acl( 3, 3, ace_list)) == NULL) {
- DEBUG(0,("get_nt_acl: Unable to malloc space for acl.\n"));
- return 0;
+ if((psa = make_sec_acl( 3, 3, ace_list)) == NULL) {
+ DEBUG(0,("get_nt_acl: Unable to malloc space for acl.\n"));
+ return 0;
+ }
}
*ppdesc = make_standard_sec_desc( &owner_sid, &group_sid, psa, &sec_desc_size);
free_sec_acl(&psa);
return sec_desc_size;
-#endif
}
/****************************************************************************
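Review bot: The group SID in `sid_append_rid(&group_sid, pdb_uid_to_user_rid(sbuf.st_gid));` is derived by passing a gid through the uid-to-user-RID mapping, so the group ACE returned to clients can name a user RID instead of the file's group. This code was dead under `#else` and becomes live with this change. Use the group mapping instead, e.g. `sid_append_rid(&group_sid, pdb_gid_to_group_rid(sbuf.st_gid));` if that helper is available in this tree. The old `if(!*ppdesc)` check after make_standard_sec_desc is also gone, so a failed allocation appears to return whatever is in `sec_desc_size`; restoring `if(!*ppdesc) { DEBUG(0,("get_nt_acl: Unable to malloc space for security descriptor.\n")); return 0; }` after `free_sec_acl(&psa)` keeps the previous contract. As shown, `world_sid_initialized` is never set to True, so the World SID is re-parsed on every call.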