doing this saves on building a full security descriptor
for the common case of access check on files with no
specific NT ACL
+
+ If name is NULL then treat as a new file creation
*/
NTSTATUS pvfs_access_check_unix(struct pvfs_state *pvfs,
struct ntvfs_request *req,
return NT_STATUS_ACCESS_DENIED;
}
- if (uid == name->st.st_uid) {
+ if (name == NULL || uid == name->st.st_uid) {
max_bits |= SEC_STD_ALL;
} else if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
max_bits |= SEC_STD_DELETE;
}
- if ((name->st.st_mode & S_IWOTH) ||
+ if (name == NULL ||
+ (name->st.st_mode & S_IWOTH) ||
((name->st.st_mode & S_IWGRP) &&
pvfs_group_member(pvfs, name->st.st_gid))) {
max_bits |= SEC_STD_ALL;
if (*access_mask & ~max_bits) {
DEBUG(0,(__location__ " denied access to '%s' - wanted 0x%08x but got 0x%08x (missing 0x%08x)\n",
- name->full_name, *access_mask, max_bits, *access_mask & ~max_bits));
+ name?name->full_name:"(new file)", *access_mask, max_bits, *access_mask & ~max_bits));
return NT_STATUS_ACCESS_DENIED;
}
NTSTATUS pvfs_access_check_create(struct pvfs_state *pvfs,
struct ntvfs_request *req,
struct pvfs_filename *name,
- uint32_t *access_mask)
+ uint32_t *access_mask,
+ bool container,
+ struct security_descriptor **sd)
{
struct pvfs_filename *parent;
NTSTATUS status;
+ struct security_token *token = req->session_info->security_token;
+
+ if (pvfs_read_only(pvfs, *access_mask)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
status = pvfs_resolve_parent(pvfs, req, name, &parent);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- status = pvfs_access_check(pvfs, req, parent, access_mask);
+ status = pvfs_access_check_simple(pvfs, req, parent, SEC_DIR_ADD_FILE);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- if (! ((*access_mask) & SEC_DIR_ADD_FILE)) {
- return pvfs_access_check_simple(pvfs, req, parent, SEC_DIR_ADD_FILE);
+ if (*sd == NULL) {
+ status = pvfs_acl_inherited_sd(pvfs, req, req, parent, container, sd);
}
- return status;
+ talloc_free(parent);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ /* expand the generic access bits to file specific bits */
+ *access_mask = pvfs_translate_mask(*access_mask);
+ if (pvfs->ntvfs->ctx->protocol != PROTOCOL_SMB2) {
+ *access_mask &= ~SEC_FILE_READ_ATTRIBUTE;
+ }
+
+ if (*sd == NULL) {
+ return pvfs_access_check_unix(pvfs, req, NULL, access_mask);
+ }
+ return sec_access_check(*sd, token, *access_mask, access_mask);
}
/*
/*
- setup an ACL on a new file/directory based on the inherited ACL from
- the parent. If there is no inherited ACL then we don't set anything,
- as the default ACL applies anyway
+ calculate the ACL on a new file/directory based on the inherited ACL
+ from the parent. If there is no inherited ACL then return a NULL
+ ACL, which means the default ACL should be used
*/
-NTSTATUS pvfs_acl_inherit(struct pvfs_state *pvfs,
- struct ntvfs_request *req,
- struct pvfs_filename *name,
- int fd)
+NTSTATUS pvfs_acl_inherited_sd(struct pvfs_state *pvfs,
+ TALLOC_CTX *mem_ctx,
+ struct ntvfs_request *req,
+ struct pvfs_filename *parent,
+ bool container,
+ struct security_descriptor **ret_sd)
{
struct xattr_NTACL *acl;
NTSTATUS status;
- struct pvfs_filename *parent;
struct security_descriptor *parent_sd, *sd;
- bool container;
struct id_mapping *ids;
struct composite_context *ctx;
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
- /* form the parents path */
- status = pvfs_resolve_parent(pvfs, req, name, &parent);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
+ *ret_sd = NULL;
acl = talloc(req, struct xattr_NTACL);
- if (acl == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(acl, tmp_ctx);
status = pvfs_acl_load(pvfs, parent, -1, acl);
if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
+ talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
+ NT_STATUS_NOT_OK_RETURN_AND_FREE(status, tmp_ctx);
switch (acl->version) {
case 1:
parent_sd = acl->info.sd;
break;
default:
+ talloc_free(tmp_ctx);
return NT_STATUS_INVALID_ACL;
}
parent_sd->dacl == NULL ||
parent_sd->dacl->num_aces == 0) {
/* go with the default ACL */
+ talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
/* create the new sd */
sd = security_descriptor_initialise(req);
- if (sd == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sd, tmp_ctx);
ids = talloc_array(sd, struct id_mapping, 2);
- NT_STATUS_HAVE_NO_MEMORY(ids);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(ids, tmp_ctx);
ids[0].unixid = talloc(ids, struct unixid);
- NT_STATUS_HAVE_NO_MEMORY(ids[0].unixid);
- ids[0].unixid->id = name->st.st_uid;
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(ids[0].unixid, tmp_ctx);
+ ids[0].unixid->id = geteuid();
ids[0].unixid->type = ID_TYPE_UID;
ids[0].sid = NULL;
ids[0].status = NT_STATUS_NONE_MAPPED;
ids[1].unixid = talloc(ids, struct unixid);
- NT_STATUS_HAVE_NO_MEMORY(ids[1].unixid);
- ids[1].unixid->id = name->st.st_gid;
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(ids[1].unixid, tmp_ctx);
+ ids[1].unixid->id = getegid();
ids[1].unixid->type = ID_TYPE_GID;
ids[1].sid = NULL;
ids[1].status = NT_STATUS_NONE_MAPPED;
ctx = wbc_xids_to_sids_send(pvfs->wbc_ctx, ids, 2, ids);
- NT_STATUS_HAVE_NO_MEMORY(ctx);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(ctx, tmp_ctx);
status = wbc_xids_to_sids_recv(ctx, &ids);
- NT_STATUS_NOT_OK_RETURN(status);
+ NT_STATUS_NOT_OK_RETURN_AND_FREE(status, tmp_ctx);
sd->owner_sid = talloc_steal(sd, ids[0].sid);
sd->group_sid = talloc_steal(sd, ids[1].sid);
sd->type |= SEC_DESC_DACL_PRESENT;
- container = (name->dos.attrib & FILE_ATTRIBUTE_DIRECTORY) ? true:false;
-
/* fill in the aces from the parent */
status = pvfs_acl_inherit_aces(pvfs, parent_sd, sd, container);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
+ NT_STATUS_NOT_OK_RETURN_AND_FREE(status, tmp_ctx);
/* if there is nothing to inherit then we fallback to the
default acl */
if (sd->dacl == NULL || sd->dacl->num_aces == 0) {
+ talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
- acl->info.sd = sd;
+ *ret_sd = talloc_steal(mem_ctx, sd);
+
+ talloc_free(tmp_ctx);
+ return NT_STATUS_OK;
+}
+
+
+/*
+ setup an ACL on a new file/directory based on the inherited ACL from
+ the parent. If there is no inherited ACL then we don't set anything,
+ as the default ACL applies anyway
+*/
+NTSTATUS pvfs_acl_inherit(struct pvfs_state *pvfs,
+ struct ntvfs_request *req,
+ struct pvfs_filename *name,
+ int fd)
+{
+ struct xattr_NTACL acl;
+ NTSTATUS status;
+ struct security_descriptor *sd;
+ struct pvfs_filename *parent;
+ bool container;
+
+ /* form the parents path */
+ status = pvfs_resolve_parent(pvfs, req, name, &parent);
+ NT_STATUS_NOT_OK_RETURN(status);
+
+ container = (name->dos.attrib & FILE_ATTRIBUTE_DIRECTORY) ? true:false;
+
+ status = pvfs_acl_inherited_sd(pvfs, req, req, parent, container, &sd);
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(parent);
+ return status;
+ }
+
+ if (sd == NULL) {
+ return NT_STATUS_OK;
+ }
+
+ acl.version = 1;
+ acl.info.sd = sd;
+
+ status = pvfs_acl_save(pvfs, name, fd, &acl);
+ talloc_free(sd);
+ talloc_free(parent);
- status = pvfs_acl_save(pvfs, name, fd, acl);
-
return status;
}
struct ntvfs_request *req,
struct pvfs_filename *name,
int fd, struct pvfs_file *f,
- union smb_open *io)
+ union smb_open *io,
+ struct security_descriptor *sd)
{
NTSTATUS status;
- struct security_descriptor *sd;
/* setup any EAs that were asked for */
if (io->ntcreatex.in.ea_list) {
}
}
- sd = io->ntcreatex.in.sec_desc;
/* setup an initial sec_desc if requested */
if (sd && (sd->type & SEC_DESC_DACL_PRESENT)) {
union smb_setfileinfo set;
set.set_secdesc.in.sd = sd;
status = pvfs_acl_set(pvfs, req, name, fd, SEC_STD_WRITE_DAC, &set);
- } else {
- /* otherwise setup an inherited acl from the parent */
- status = pvfs_acl_inherit(pvfs, req, name, fd);
}
return status;
uint32_t create_options;
uint32_t share_access;
bool forced;
+ struct security_descriptor *sd = NULL;
create_options = io->generic.in.create_options;
share_access = io->generic.in.share_access;
if (name->exists) {
/* check the security descriptor */
status = pvfs_access_check(pvfs, req, name, &access_mask);
- } else {
- status = pvfs_access_check_create(pvfs, req, name, &access_mask);
+ } else {
+ sd = io->ntcreatex.in.sec_desc;
+ status = pvfs_access_check_create(pvfs, req, name, &access_mask, true, &sd);
}
NT_STATUS_NOT_OK_RETURN(status);
goto cleanup_delete;
}
- status = pvfs_open_setup_eas_acl(pvfs, req, name, -1, f, io);
+ status = pvfs_open_setup_eas_acl(pvfs, req, name, -1, f, io, sd);
if (!NT_STATUS_IS_OK(status)) {
goto cleanup_delete;
}
struct pvfs_filename *parent;
uint32_t oplock_level = OPLOCK_NONE, oplock_granted;
bool allow_level_II_oplock = false;
+ struct security_descriptor *sd = NULL;
if (io->ntcreatex.in.file_attr & ~FILE_ATTRIBUTE_ALL_MASK) {
return NT_STATUS_INVALID_PARAMETER;
return NT_STATUS_CANNOT_DELETE;
}
- status = pvfs_access_check_create(pvfs, req, name, &access_mask);
+ sd = io->ntcreatex.in.sec_desc;
+ status = pvfs_access_check_create(pvfs, req, name, &access_mask, false, &sd);
NT_STATUS_NOT_OK_RETURN(status);
/* check that the parent isn't opened with delete on close set */
}
- status = pvfs_open_setup_eas_acl(pvfs, req, name, fd, f, io);
+ status = pvfs_open_setup_eas_acl(pvfs, req, name, fd, f, io, sd);
if (!NT_STATUS_IS_OK(status)) {
goto cleanup_delete;
}
git.samba.org / metze / samba / wip.git / commitdiff