2 * Store Windows ACLs in xattrs.
4 * Copyright (C) Volker Lendecke, 2008
5 * Copyright (C) Jeremy Allison, 2008
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "smbd/smbd.h"
23 #include "system/filesys.h"
24 #include "librpc/gen_ndr/xattr.h"
26 #include "vfs_acl_common.h"
27 #include "lib/util/tevent_ntstatus.h"
28 #include "lib/util/tevent_unix.h"
30 /* Pull in the common functions. */
31 #define ACL_MODULE_NAME "acl_xattr"
34 #define DBGC_CLASS DBGC_VFS
36 /*******************************************************************
37 Pull a security descriptor into a DATA_BLOB from a xattr.
38 *******************************************************************/
40 static ssize_t getxattr_do(vfs_handle_struct *handle,
42 const char *xattr_name,
50 sizeret = SMB_VFS_FGETXATTR(fsp, xattr_name, val, size);
56 if (saved_errno != 0) {
63 static NTSTATUS fget_acl_blob(TALLOC_CTX *ctx,
64 vfs_handle_struct *handle,
77 tmp = talloc_realloc(ctx, val, uint8_t, size);
80 return NT_STATUS_NO_MEMORY;
85 getxattr_do(handle, fsp, XATTR_NTACL_NAME, val, size);
89 pblob->length = sizeret;
93 if (errno != ERANGE) {
97 /* Too small, try again. */
99 getxattr_do(handle, fsp, XATTR_NTACL_NAME, NULL, 0);
104 if (size < sizeret) {
109 /* Max ACL size is 65536 bytes. */
116 /* Real error - exit here. */
118 return map_nt_error_from_unix(errno);
121 /*******************************************************************
122 Store a DATA_BLOB into an xattr given an fsp pointer.
123 *******************************************************************/
125 static NTSTATUS store_acl_blob_fsp(vfs_handle_struct *handle,
132 DEBUG(10,("store_acl_blob_fsp: storing blob length %u on file %s\n",
133 (unsigned int)pblob->length, fsp_str_dbg(fsp)));
136 ret = SMB_VFS_FSETXATTR(fsp, XATTR_NTACL_NAME,
137 pblob->data, pblob->length, 0);
143 DEBUG(5, ("store_acl_blob_fsp: setting attr failed for file %s"
146 strerror(saved_errno) ));
148 return map_nt_error_from_unix(saved_errno);
153 /*********************************************************************
154 Remove a Windows ACL - we're setting the underlying POSIX ACL.
155 *********************************************************************/
157 static int sys_acl_set_fd_xattr(vfs_handle_struct *handle,
162 struct acl_common_fsp_ext *ext = (struct acl_common_fsp_ext *)
163 VFS_FETCH_FSP_EXTENSION(handle, fsp);
166 ret = SMB_VFS_NEXT_SYS_ACL_SET_FD(handle,
174 if (ext != NULL && ext->setting_nt_acl) {
179 SMB_VFS_FREMOVEXATTR(fsp, XATTR_NTACL_NAME);
185 static int connect_acl_xattr(struct vfs_handle_struct *handle,
189 const char *security_acl_xattr_name = NULL;
190 int ret = SMB_VFS_NEXT_CONNECT(handle, service, user);
192 struct acl_common_config *config = NULL;
198 ok = init_acl_common_config(handle, ACL_MODULE_NAME);
200 DBG_ERR("init_acl_common_config failed\n");
204 /* Ensure we have the parameters correct if we're
205 * using this module. */
206 DEBUG(2,("connect_acl_xattr: setting 'inherit acls = true' "
207 "'dos filemode = true' and "
208 "'force unknown acl user = true' for service %s\n",
211 lp_do_parameter(SNUM(handle->conn), "inherit acls", "true");
212 lp_do_parameter(SNUM(handle->conn), "dos filemode", "true");
213 lp_do_parameter(SNUM(handle->conn), "force unknown acl user", "true");
215 SMB_VFS_HANDLE_GET_DATA(handle, config,
216 struct acl_common_config,
219 if (config->ignore_system_acls) {
220 mode_t create_mask = lp_create_mask(SNUM(handle->conn));
221 char *create_mask_str = NULL;
223 if ((create_mask & 0666) != 0666) {
225 create_mask_str = talloc_asprintf(handle, "0%o",
227 if (create_mask_str == NULL) {
228 DBG_ERR("talloc_asprintf failed\n");
232 DBG_NOTICE("setting 'create mask = %s'\n", create_mask_str);
234 lp_do_parameter (SNUM(handle->conn),
235 "create mask", create_mask_str);
237 TALLOC_FREE(create_mask_str);
240 DBG_NOTICE("setting 'directory mask = 0777', "
241 "'store dos attributes = yes' and all "
242 "'map ...' options to 'no'\n");
244 lp_do_parameter(SNUM(handle->conn), "directory mask", "0777");
245 lp_do_parameter(SNUM(handle->conn), "map archive", "no");
246 lp_do_parameter(SNUM(handle->conn), "map hidden", "no");
247 lp_do_parameter(SNUM(handle->conn), "map readonly", "no");
248 lp_do_parameter(SNUM(handle->conn), "map system", "no");
249 lp_do_parameter(SNUM(handle->conn), "store dos attributes",
253 security_acl_xattr_name = lp_parm_const_string(SNUM(handle->conn),
257 if (security_acl_xattr_name != NULL) {
258 config->security_acl_xattr_name = talloc_strdup(config, security_acl_xattr_name);
259 if (config->security_acl_xattr_name == NULL) {
267 static int acl_xattr_unlinkat(vfs_handle_struct *handle,
268 struct files_struct *dirfsp,
269 const struct smb_filename *smb_fname,
274 if (flags & AT_REMOVEDIR) {
275 ret = rmdir_acl_common(handle,
279 ret = unlink_acl_common(handle,
287 static NTSTATUS acl_xattr_fget_nt_acl(vfs_handle_struct *handle,
289 uint32_t security_info,
291 struct security_descriptor **ppdesc)
294 status = fget_nt_acl_common(fget_acl_blob, handle, fsp,
295 security_info, mem_ctx, ppdesc);
299 static NTSTATUS acl_xattr_fset_nt_acl(vfs_handle_struct *handle,
301 uint32_t security_info_sent,
302 const struct security_descriptor *psd)
305 status = fset_nt_acl_common(fget_acl_blob, store_acl_blob_fsp,
307 handle, fsp, security_info_sent, psd);
311 struct acl_xattr_getxattrat_state {
312 struct vfs_aio_state aio_state;
314 uint8_t *xattr_value;
317 static void acl_xattr_getxattrat_done(struct tevent_req *subreq);
319 static struct tevent_req *acl_xattr_getxattrat_send(
321 struct tevent_context *ev,
322 struct vfs_handle_struct *handle,
323 files_struct *dirfsp,
324 const struct smb_filename *smb_fname,
325 const char *xattr_name,
328 struct tevent_req *req = NULL;
329 struct tevent_req *subreq = NULL;
330 struct acl_xattr_getxattrat_state *state = NULL;
331 struct acl_common_config *config = NULL;
333 SMB_VFS_HANDLE_GET_DATA(handle, config,
334 struct acl_common_config,
337 req = tevent_req_create(mem_ctx, &state,
338 struct acl_xattr_getxattrat_state);
343 if (strequal(xattr_name, config->security_acl_xattr_name)) {
344 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
345 return tevent_req_post(req, ev);
347 if (config->security_acl_xattr_name != NULL &&
348 strequal(xattr_name, XATTR_NTACL_NAME))
350 xattr_name = config->security_acl_xattr_name;
353 subreq = SMB_VFS_NEXT_GETXATTRAT_SEND(state,
360 if (tevent_req_nomem(subreq, req)) {
361 return tevent_req_post(req, ev);
363 tevent_req_set_callback(subreq, acl_xattr_getxattrat_done, req);
368 static void acl_xattr_getxattrat_done(struct tevent_req *subreq)
370 struct tevent_req *req = tevent_req_callback_data(
371 subreq, struct tevent_req);
372 struct acl_xattr_getxattrat_state *state = tevent_req_data(
373 req, struct acl_xattr_getxattrat_state);
375 state->xattr_size = SMB_VFS_NEXT_GETXATTRAT_RECV(subreq,
378 &state->xattr_value);
380 if (state->xattr_size == -1) {
381 tevent_req_error(req, state->aio_state.error);
385 tevent_req_done(req);
388 static ssize_t acl_xattr_getxattrat_recv(struct tevent_req *req,
389 struct vfs_aio_state *aio_state,
391 uint8_t **xattr_value)
393 struct acl_xattr_getxattrat_state *state = tevent_req_data(
394 req, struct acl_xattr_getxattrat_state);
397 if (tevent_req_is_unix_error(req, &aio_state->error)) {
398 tevent_req_received(req);
402 *aio_state = state->aio_state;
403 xattr_size = state->xattr_size;
404 if (xattr_value != NULL) {
405 *xattr_value = talloc_move(mem_ctx, &state->xattr_value);
408 tevent_req_received(req);
412 static ssize_t acl_xattr_fgetxattr(struct vfs_handle_struct *handle,
413 struct files_struct *fsp,
418 struct acl_common_config *config = NULL;
420 SMB_VFS_HANDLE_GET_DATA(handle, config,
421 struct acl_common_config,
424 if (strequal(name, config->security_acl_xattr_name)) {
428 if (config->security_acl_xattr_name != NULL &&
429 strequal(name, XATTR_NTACL_NAME))
431 name = config->security_acl_xattr_name;
434 return SMB_VFS_NEXT_FGETXATTR(handle, fsp, name, value, size);
437 static ssize_t acl_xattr_flistxattr(struct vfs_handle_struct *handle,
438 struct files_struct *fsp,
442 struct acl_common_config *config = NULL;
445 size_t nlen, consumed;
447 SMB_VFS_HANDLE_GET_DATA(handle, config,
448 struct acl_common_config,
451 size = SMB_VFS_NEXT_FLISTXATTR(handle, fsp, listbuf, bufsize);
457 while (p - listbuf < size) {
458 nlen = strlen(p) + 1;
459 if (strequal(p, config->security_acl_xattr_name)) {
464 if (p - listbuf >= size) {
470 * The consumed helper variable just makes the math
471 * a bit more digestible.
473 consumed = p - listbuf;
474 if (consumed + nlen < size) {
475 /* If not the last name move, else just skip */
476 memmove(p, p + nlen, size - consumed - nlen);
483 static int acl_xattr_fremovexattr(struct vfs_handle_struct *handle,
484 struct files_struct *fsp,
487 struct acl_common_config *config = NULL;
489 SMB_VFS_HANDLE_GET_DATA(handle, config,
490 struct acl_common_config,
493 if (strequal(name, config->security_acl_xattr_name)) {
497 if (config->security_acl_xattr_name != NULL &&
498 strequal(name, XATTR_NTACL_NAME))
500 name = config->security_acl_xattr_name;
503 return SMB_VFS_NEXT_FREMOVEXATTR(handle, fsp, name);
506 static int acl_xattr_fsetxattr(struct vfs_handle_struct *handle,
507 struct files_struct *fsp,
513 struct acl_common_config *config = NULL;
515 SMB_VFS_HANDLE_GET_DATA(handle, config,
516 struct acl_common_config,
519 if (strequal(name, config->security_acl_xattr_name)) {
523 if (config->security_acl_xattr_name != NULL &&
524 strequal(name, XATTR_NTACL_NAME))
526 name = config->security_acl_xattr_name;
529 return SMB_VFS_NEXT_FSETXATTR(handle, fsp, name, value, size, flags);
532 static struct vfs_fn_pointers vfs_acl_xattr_fns = {
533 .connect_fn = connect_acl_xattr,
534 .unlinkat_fn = acl_xattr_unlinkat,
535 .fchmod_fn = fchmod_acl_module_common,
536 .fget_nt_acl_fn = acl_xattr_fget_nt_acl,
537 .fset_nt_acl_fn = acl_xattr_fset_nt_acl,
538 .sys_acl_set_fd_fn = sys_acl_set_fd_xattr,
539 .getxattrat_send_fn = acl_xattr_getxattrat_send,
540 .getxattrat_recv_fn = acl_xattr_getxattrat_recv,
541 .fgetxattr_fn = acl_xattr_fgetxattr,
542 .flistxattr_fn = acl_xattr_flistxattr,
543 .fremovexattr_fn = acl_xattr_fremovexattr,
544 .fsetxattr_fn = acl_xattr_fsetxattr,
548 NTSTATUS vfs_acl_xattr_init(TALLOC_CTX *ctx)
550 return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "acl_xattr",