2 * Unix SMB/CIFS implementation.
4 * Support for OneFS native NTFS ACLs
6 * Copyright (C) Steven Danneman, 2008
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
24 #include <sys/isi_acl.h>
25 #include <isi_acl/isi_acl_util.h>
26 #include <sys/isi_oplock.h>
27 #include <ifs/ifs_syscalls.h>
32 * Turn SID into UID/GID and setup a struct ifs_identity
35 onefs_sid_to_identity(DOM_SID *sid, struct ifs_identity *id, bool is_group)
37 enum ifs_identity_type type = IFS_ID_TYPE_LAST+1;
41 if (!sid || sid_equal(sid, &global_sid_NULL))
42 type = IFS_ID_TYPE_NULL;
43 else if (sid_equal(sid, &global_sid_World))
44 type = IFS_ID_TYPE_EVERYONE;
45 else if (sid_equal(sid, &global_sid_Creator_Owner))
46 type = IFS_ID_TYPE_CREATOR_OWNER;
47 else if (sid_equal(sid, &global_sid_Creator_Group))
48 type = IFS_ID_TYPE_CREATOR_GROUP;
50 if (!sid_to_gid(sid, &gid))
52 type = IFS_ID_TYPE_GID;
54 if (sid_to_uid(sid, &uid))
55 type = IFS_ID_TYPE_UID;
56 else if (sid_to_gid(sid, &gid))
57 type = IFS_ID_TYPE_GID;
62 if (aclu_initialize_identity(id, type, uid, gid, is_group)) {
63 DEBUG(3, ("Call to aclu_initialize_identity failed! id=%x, "
64 "type=%d, uid=%u, gid=%u, is_group=%d\n",
65 (unsigned int)id, type, uid, gid, is_group));
73 * Turn struct ifs_identity into SID
76 onefs_identity_to_sid(struct ifs_identity *id, DOM_SID *sid)
81 if (id->type >= IFS_ID_TYPE_LAST)
86 uid_to_sid(sid, id->id.uid);
89 gid_to_sid(sid, id->id.gid);
91 case IFS_ID_TYPE_EVERYONE:
92 sid_copy(sid, &global_sid_World);
94 case IFS_ID_TYPE_NULL:
95 sid_copy(sid, &global_sid_NULL);
97 case IFS_ID_TYPE_CREATOR_OWNER:
98 sid_copy(sid, &global_sid_Creator_Owner);
100 case IFS_ID_TYPE_CREATOR_GROUP:
101 sid_copy(sid, &global_sid_Creator_Group);
104 DEBUG(0, ("Unknown identity type: %d\n", id->type));
112 * Convert a SEC_ACL to a struct ifs_security_acl
115 onefs_samba_acl_to_acl(SEC_ACL *samba_acl, struct ifs_security_acl **acl)
118 struct ifs_ace *aces = NULL;
119 struct ifs_identity temp;
123 if ((!acl) || (!samba_acl))
126 samba_aces = samba_acl->aces;
128 if (samba_acl->num_aces > 0 && samba_aces) {
130 num_aces = samba_acl->num_aces;
131 aces = SMB_MALLOC_ARRAY(struct ifs_ace, num_aces);
133 for (i = 0, j = 0; j < num_aces; i++, j++) {
134 if (!onefs_sid_to_identity(&samba_aces[j].trustee,
139 * XXX Act like we did pre-Thai: Silently fail setting
140 * ACEs for BUILTIN accounts.
142 if (temp.id.uid == -1) {
143 DEBUG(3, ("Silently failing to set ACE "
144 "because our id was == -1.\n"));
149 if (aclu_initialize_ace(&aces[i], samba_aces[i].type,
150 samba_aces[i].access_mask, samba_aces[i].flags,
154 if ((aces[i].trustee.type == IFS_ID_TYPE_CREATOR_OWNER ||
155 aces[i].trustee.type == IFS_ID_TYPE_CREATOR_GROUP) &&
156 nt4_compatible_acls())
157 aces[i].flags |= IFS_ACE_FLAG_INHERIT_ONLY;
162 if (aclu_initialize_acl(acl, aces, num_aces))
165 /* Currently aclu_initialize_acl should copy the aces over, allowing us
166 * to immediately free */
176 * Convert a struct ifs_security_acl to a SEC_ACL
179 onefs_acl_to_samba_acl(struct ifs_security_acl *acl, SEC_ACL **samba_acl)
181 SEC_ACE *samba_aces = NULL;
182 SEC_ACL *tmp_samba_acl = NULL;
194 /* Determine number of aces in ACL */
198 num_aces = acl->num_aces;
200 /* Allocate the ace list. */
202 if ((samba_aces = SMB_MALLOC_ARRAY(SEC_ACE, num_aces)) == NULL)
204 DEBUG(0, ("Unable to malloc space for %d aces.\n",
208 memset(samba_aces, '\0', (num_aces) * sizeof(SEC_ACE));
211 for (i = 0; i < num_aces; i++) {
214 if (!onefs_identity_to_sid(&acl->aces[i].trustee, &sid))
217 init_sec_ace(&samba_aces[i], &sid, acl->aces[i].type,
218 acl->aces[i].access_mask, acl->aces[i].flags);
221 if ((tmp_samba_acl = make_sec_acl(talloc_tos(), acl->revision, num_aces,
222 samba_aces)) == NULL) {
223 DEBUG(0, ("Unable to malloc space for acl.\n"));
227 *samba_acl = tmp_samba_acl;
228 SAFE_FREE(samba_aces);
231 SAFE_FREE(samba_aces);
236 * @brief Reorder ACLs into the "correct" order for Windows Explorer.
238 * Windows Explorer expects ACLs to be in a standard order (inherited first,
239 * then deny, then permit.) When ACLs are composed from POSIX file permissions
240 * bits, they may not match these expectations, generating an annoying warning
241 * dialog for the user. This function will, if configured appropriately,
242 * reorder the ACLs for these "synthetic" (POSIX-derived) descriptors to prevent
243 * this. The list is changed within the security descriptor passed in.
245 * @param fsp files_struct with service configs; must not be NULL
246 * @param sd security descriptor being normalized;
247 * sd->dacl->aces is rewritten in-place, so must not be NULL
248 * @return true on success, errno will be set on error
250 * @bug Although Windows Explorer likes the reordering, they seem to cause
251 * problems with Excel and Word sending back the reordered ACLs to us and
252 * changing policy; see Isilon bug 30165.
255 onefs_canon_acl(files_struct *fsp, struct ifs_security_descriptor *sd)
259 struct ifs_ace *new_aces = NULL;
260 int new_aces_count = 0;
261 SMB_STRUCT_STAT sbuf;
263 if (sd == NULL || sd->dacl == NULL || sd->dacl->num_aces == 0)
267 * Find out if this is a windows bit, and if the smb policy wants us to
270 SMB_ASSERT(fsp != NULL);
271 switch (lp_parm_enum(SNUM(fsp->conn), PARM_ONEFS_TYPE,
272 PARM_ACL_WIRE_FORMAT, enum_onefs_acl_wire_format,
273 PARM_ACL_WIRE_FORMAT_DEFAULT)) {
277 case ACL_FORMAT_WINDOWS_SD:
278 error = SMB_VFS_FSTAT(fsp, &sbuf);
282 if ((sbuf.st_flags & SF_HASNTFSACL) != 0) {
283 DEBUG(10, ("Did not canonicalize ACLs because a "
284 "Windows ACL set was found for file %s\n",
290 case ACL_FORMAT_ALWAYS:
298 new_aces = SMB_MALLOC_ARRAY(struct ifs_ace, sd->dacl->num_aces);
299 if (new_aces == NULL)
303 * By walking down the list 3 separate times, we can avoid the need
304 * to create multiple temp buffers and extra copies.
306 for (cur = 0; cur < sd->dacl->num_aces; cur++) {
307 if (sd->dacl->aces[cur].flags & IFS_ACE_FLAG_INHERITED_ACE)
308 new_aces[new_aces_count++] = sd->dacl->aces[cur];
311 for (cur = 0; cur < sd->dacl->num_aces; cur++) {
312 if (!(sd->dacl->aces[cur].flags & IFS_ACE_FLAG_INHERITED_ACE) &&
313 (sd->dacl->aces[cur].type == IFS_ACE_TYPE_ACCESS_DENIED))
314 new_aces[new_aces_count++] = sd->dacl->aces[cur];
317 for (cur = 0; cur < sd->dacl->num_aces; cur++) {
318 if (!(sd->dacl->aces[cur].flags & IFS_ACE_FLAG_INHERITED_ACE) &&
319 !(sd->dacl->aces[cur].type == IFS_ACE_TYPE_ACCESS_DENIED))
320 new_aces[new_aces_count++] = sd->dacl->aces[cur];
323 SMB_ASSERT(new_aces_count == sd->dacl->num_aces);
324 DEBUG(10, ("Performed canonicalization of ACLs for file %s\n",
328 * At this point you would think we could just do this:
329 * SAFE_FREE(sd->dacl->aces);
330 * sd->dacl->aces = new_aces;
331 * However, in some cases the existing aces pointer does not point
332 * to the beginning of an allocated block. So we have to do a more
335 memcpy(sd->dacl->aces, new_aces,
336 sizeof(struct ifs_ace) * new_aces_count);
344 * This enum is a helper for onefs_fget_nt_acl() to communicate with
347 enum mode_ident { USR, GRP, OTH };
350 * Initializes an ACE for addition to a synthetic ACL.
352 static struct ifs_ace onefs_init_ace(struct connection_struct *conn,
355 enum mode_ident ident)
357 struct ifs_ace result;
358 enum ifs_ace_rights r,w,x;
360 r = isdir ? UNIX_DIRECTORY_ACCESS_R : UNIX_ACCESS_R;
361 w = isdir ? UNIX_DIRECTORY_ACCESS_W : UNIX_ACCESS_W;
362 x = isdir ? UNIX_DIRECTORY_ACCESS_X : UNIX_ACCESS_X;
364 result.type = IFS_ACE_TYPE_ACCESS_ALLOWED;
365 result.ifs_flags = 0;
366 result.flags = isdir ? IFS_ACE_FLAG_CONTAINER_INHERIT :
367 IFS_ACE_FLAG_OBJECT_INHERIT;
368 result.flags |= IFS_ACE_FLAG_INHERIT_ONLY;
373 ((mode & S_IRUSR) ? r : 0 ) |
374 ((mode & S_IWUSR) ? w : 0 ) |
375 ((mode & S_IXUSR) ? x : 0 );
376 if (lp_parm_bool(SNUM(conn), PARM_ONEFS_TYPE,
377 PARM_CREATOR_OWNER_GETS_FULL_CONTROL,
378 PARM_CREATOR_OWNER_GETS_FULL_CONTROL_DEFAULT))
379 result.access_mask |= GENERIC_ALL_ACCESS;
380 result.trustee.type = IFS_ID_TYPE_CREATOR_OWNER;
384 ((mode & S_IRGRP) ? r : 0 ) |
385 ((mode & S_IWGRP) ? w : 0 ) |
386 ((mode & S_IXGRP) ? x : 0 );
387 result.trustee.type = IFS_ID_TYPE_CREATOR_GROUP;
391 ((mode & S_IROTH) ? r : 0 ) |
392 ((mode & S_IWOTH) ? w : 0 ) |
393 ((mode & S_IXOTH) ? x : 0 );
394 result.trustee.type = IFS_ID_TYPE_EVERYONE;
402 * This adds inheritable ACEs to the end of the DACL, with the ACEs
403 * being derived from the mode bits. This is useful for clients that have the
404 * MoveSecurityAttributes regkey set to 0 or are in Simple File Sharing Mode.
406 * On these clients, when copying files from one folder to another inside the
407 * same volume/share, the DACL is explicitely cleared. Without inheritable
408 * aces on the target folder the mode bits of the copied file are set to 000.
410 * See Isilon Bug 27990
412 * Note: This function allocates additional memory onto sd->dacl->aces, that
413 * must be freed by the caller.
415 static bool add_sfs_aces(files_struct *fsp, struct ifs_security_descriptor *sd)
418 SMB_STRUCT_STAT sbuf;
420 error = SMB_VFS_FSTAT(fsp, &sbuf);
422 DEBUG(0, ("Failed to stat %s in simple files sharing "
423 "compatibility mode. errno=%d\n",
424 fsp->fsp_name, errno));
428 /* Only continue if this is a synthetic ACL and a directory. */
429 if (S_ISDIR(sbuf.st_mode) && (sbuf.st_flags & SF_HASNTFSACL) == 0) {
430 struct ifs_ace new_aces[6];
431 struct ifs_ace *old_aces;
432 int i, num_aces_to_add = 0;
433 mode_t file_mode = 0, dir_mode = 0;
435 /* Use existing samba logic to derive the mode bits. */
436 file_mode = unix_mode(fsp->conn, 0, fsp->fsp_name, false);
437 dir_mode = unix_mode(fsp->conn, aDIR, fsp->fsp_name, false);
439 /* Initialize ACEs. */
440 new_aces[0] = onefs_init_ace(fsp->conn, file_mode, false, USR);
441 new_aces[1] = onefs_init_ace(fsp->conn, file_mode, false, GRP);
442 new_aces[2] = onefs_init_ace(fsp->conn, file_mode, false, OTH);
443 new_aces[3] = onefs_init_ace(fsp->conn, dir_mode, true, USR);
444 new_aces[4] = onefs_init_ace(fsp->conn, dir_mode, true, GRP);
445 new_aces[5] = onefs_init_ace(fsp->conn, dir_mode, true, OTH);
447 for (i = 0; i < 6; i++)
448 if (new_aces[i].access_mask != 0)
451 /* Expand the ACEs array */
452 if (num_aces_to_add != 0) {
453 old_aces = sd->dacl->aces;
455 sd->dacl->aces = SMB_MALLOC_ARRAY(struct ifs_ace,
456 sd->dacl->num_aces + num_aces_to_add);
457 if (!sd->dacl->aces) {
458 DEBUG(0, ("Unable to malloc space for "
460 sd->dacl->num_aces + num_aces_to_add));
463 memcpy(sd->dacl->aces, old_aces,
464 sizeof(struct ifs_ace) * sd->dacl->num_aces);
466 /* Add the new ACEs to the DACL. */
467 for (i = 0; i < 6; i++) {
468 if (new_aces[i].access_mask != 0) {
469 sd->dacl->aces[sd->dacl->num_aces] =
471 sd->dacl->num_aces++;
480 * Isilon-specific function for getting an NTFS ACL from an open file.
482 * @param[out] ppdesc SecDesc to allocate and fill in
484 * @return NTSTATUS based off errno on error
487 onefs_fget_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
488 uint32 security_info, SEC_DESC **ppdesc)
491 uint32_t sd_size = 0;
493 struct ifs_security_descriptor *sd = NULL;
494 DOM_SID owner_sid, group_sid;
495 DOM_SID *ownerp, *groupp;
496 SEC_ACL *dacl, *sacl;
498 bool alloced = false;
499 bool new_aces_alloced = false;
500 bool fopened = false;
501 NTSTATUS status = NT_STATUS_OK;
505 DEBUG(5, ("Getting sd for file %s. security_info=%u\n",
506 fsp->fsp_name, security_info));
508 if (fsp->fh->fd == -1) {
509 enum ifs_ace_rights desired_access = 0;
511 if (security_info & (OWNER_SECURITY_INFORMATION |
512 GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION))
513 desired_access |= IFS_RTS_STD_READ_CONTROL;
514 if (security_info & SACL_SECURITY_INFORMATION)
515 desired_access |= IFS_RTS_SACL_ACCESS;
517 if ((fsp->fh->fd = ifs_createfile(-1,
523 NULL, 0, NULL)) == -1) {
524 DEBUG(0, ("Error opening file %s. errno=%d\n",
525 fsp->fsp_name, errno));
526 status = map_nt_error_from_unix(errno);
532 /* Get security descriptor */
535 /* Allocate memory for get_security_descriptor */
537 sd = SMB_REALLOC(sd, sd_size);
539 DEBUG(0, ("Unable to malloc %u bytes of space "
540 "for security descriptor.\n", sd_size));
541 status = map_nt_error_from_unix(errno);
548 error = ifs_get_security_descriptor(fsp->fh->fd, security_info,
550 if (error && (errno != EMSGSIZE)) {
551 DEBUG(0, ("Failed getting size of security descriptor! "
552 "errno=%d\n", errno));
553 status = map_nt_error_from_unix(errno);
558 DEBUG(5, ("Got sd, size=%u:\n", sd_size));
560 if (lp_parm_bool(SNUM(fsp->conn),
562 PARM_SIMPLE_FILE_SHARING_COMPATIBILITY_MODE,
563 PARM_SIMPLE_FILE_SHARING_COMPATIBILITY_MODE_DEFAULT) &&
565 if(!(new_aces_alloced = add_sfs_aces(fsp, sd)))
569 if (!(onefs_canon_acl(fsp, sd))) {
570 status = map_nt_error_from_unix(errno);
574 DEBUG(5, ("Finished canonicalizing ACL\n"));
581 /* Copy owner into ppdesc */
582 if (security_info & OWNER_SECURITY_INFORMATION) {
583 if (!onefs_identity_to_sid(sd->owner, &owner_sid)) {
584 status = NT_STATUS_INVALID_PARAMETER;
591 /* Copy group into ppdesc */
592 if (security_info & GROUP_SECURITY_INFORMATION) {
593 if (!onefs_identity_to_sid(sd->group, &group_sid)) {
594 status = NT_STATUS_INVALID_PARAMETER;
601 /* Copy DACL into ppdesc */
602 if (security_info & DACL_SECURITY_INFORMATION) {
603 if (!onefs_acl_to_samba_acl(sd->dacl, &dacl)) {
604 status = NT_STATUS_INVALID_PARAMETER;
609 /* Copy SACL into ppdesc */
610 if (security_info & SACL_SECURITY_INFORMATION) {
611 if (!onefs_acl_to_samba_acl(sd->sacl, &sacl)) {
612 status = NT_STATUS_INVALID_PARAMETER;
617 /* AUTO_INHERIT_REQ bits are not returned over the wire so strip them
618 * off. Eventually we should stop storing these in the kernel
619 * all together. See Isilon bug 40364 */
620 sd->control &= ~(IFS_SD_CTRL_DACL_AUTO_INHERIT_REQ |
621 IFS_SD_CTRL_SACL_AUTO_INHERIT_REQ);
623 pdesc = make_sec_desc(talloc_tos(), sd->revision, sd->control,
624 ownerp, groupp, sacl, dacl, &size);
627 DEBUG(0, ("Problem with make_sec_desc. Memory?\n"));
628 status = map_nt_error_from_unix(errno);
634 DEBUG(5, ("Finished retrieving/canonicalizing SD!\n"));
638 if (new_aces_alloced && sd->dacl->aces)
639 SAFE_FREE(sd->dacl->aces);
653 * Isilon-specific function for getting an NTFS ACL from a file path.
655 * Since onefs_fget_nt_acl() needs to open a filepath if the fd is invalid,
656 * we just mock up a files_struct with the path and bad fd and call into it.
658 * @param[out] ppdesc SecDesc to allocate and fill in
660 * @return NTSTATUS based off errno on error
663 onefs_get_nt_acl(vfs_handle_struct *handle, const char* name,
664 uint32 security_info, SEC_DESC **ppdesc)
673 finfo.conn = handle->conn;
676 finfo.fsp_name = CONST_DISCARD(char *, name);
678 return onefs_fget_nt_acl(handle, &finfo, security_info, ppdesc);
682 * Isilon-specific function for setting an NTFS ACL on an open file.
684 * @return NT_STATUS_UNSUCCESSFUL for userspace errors, NTSTATUS based off
685 * errno on syscall errors
688 onefs_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
689 uint32 security_info_sent, SEC_DESC *psd)
691 struct ifs_security_descriptor sd = {};
692 struct ifs_security_acl dacl, sacl, *daclp, *saclp;
693 struct ifs_identity owner, group, *ownerp, *groupp;
695 bool fopened = false;
697 DEBUG(5,("Setting SD on file %s.\n", fsp->fsp_name ));
705 if (security_info_sent & OWNER_SECURITY_INFORMATION) {
706 if (!onefs_sid_to_identity(psd->owner_sid, &owner, false))
707 return NT_STATUS_UNSUCCESSFUL;
710 * XXX Act like we did pre-Thai: Silently fail setting the
711 * owner to a BUILTIN account.
713 if (owner.id.uid == -1) {
714 DEBUG(3, ("Silently failing to set owner because our "
716 security_info_sent &= ~OWNER_SECURITY_INFORMATION;
717 if (!security_info_sent)
725 if (security_info_sent & GROUP_SECURITY_INFORMATION) {
726 if (!onefs_sid_to_identity(psd->group_sid, &group, true))
727 return NT_STATUS_UNSUCCESSFUL;
730 * XXX Act like we did pre-Thai: Silently fail setting the
731 * group to a BUILTIN account.
733 if (group.id.gid == -1) {
734 DEBUG(3, ("Silently failing to set group because our "
736 security_info_sent &= ~GROUP_SECURITY_INFORMATION;
737 if (!security_info_sent)
745 if ((security_info_sent & DACL_SECURITY_INFORMATION) && (psd->dacl)) {
748 if (!onefs_samba_acl_to_acl(psd->dacl, &daclp))
749 return NT_STATUS_UNSUCCESSFUL;
753 if ((security_info_sent & SACL_SECURITY_INFORMATION) && (psd->sacl)) {
756 if (!onefs_samba_acl_to_acl(psd->sacl, &saclp))
757 return NT_STATUS_UNSUCCESSFUL;
760 /* Setup ifs_security_descriptor */
761 DEBUG(5,("Setting up SD\n"));
762 if (aclu_initialize_sd(&sd, psd->type, ownerp, groupp,
763 (daclp ? &daclp : NULL), (saclp ? &saclp : NULL), false))
764 return NT_STATUS_UNSUCCESSFUL;
768 enum ifs_ace_rights desired_access = 0;
770 if (security_info_sent &
771 (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION))
772 desired_access |= IFS_RTS_STD_WRITE_OWNER;
773 if (security_info_sent & DACL_SECURITY_INFORMATION)
774 desired_access |= IFS_RTS_STD_WRITE_DAC;
775 if (security_info_sent & SACL_SECURITY_INFORMATION)
776 desired_access |= IFS_RTS_SACL_ACCESS;
778 if ((fd = ifs_createfile(-1,
784 NULL, 0, NULL)) == -1) {
785 DEBUG(0, ("Error opening file %s. errno=%d\n",
786 fsp->fsp_name, errno));
787 return map_nt_error_from_unix(errno);
793 if (ifs_set_security_descriptor(fd, security_info_sent, &sd)) {
794 DEBUG(0, ("Error setting security descriptor = %d\n", errno));
798 DEBUG(5, ("Security descriptor set correctly!\n"));
805 aclu_free_sd(&sd, false);
806 return errno ? map_nt_error_from_unix(errno) : NT_STATUS_OK;