/* get the security descriptor for the file */
- sec_desc = get_nt_acl_no_snum( info, tdbname, SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL);
+ status = get_nt_acl_no_snum( info,
+ tdbname,
+ SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL,
+ &sec_desc);
TALLOC_FREE( tdbname );
- if ( !sec_desc ) {
- DEBUG(5,("elog_check_access: Unable to get NT ACL for %s\n",
- tdbname));
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(5,("elog_check_access: Unable to get NT ACL for %s: %s\n",
+ tdbname, nt_errstr(status)));
return False;
}
check. Caller is responsible for freeing the returned security
descriptor via TALLOC_FREE(). This is designed for dealing with
user space access checks in smbd outside of the VFS. For example,
- checking access rights in OpenEventlog().
+ checking access rights in OpenEventlog() or from python.
- Assume we are dealing with files (for now)
********************************************************************/
-struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname, uint32 security_info_wanted)
+NTSTATUS get_nt_acl_no_snum(TALLOC_CTX *ctx, const char *fname,
+ uint32 security_info_wanted,
+ struct security_descriptor **sd)
{
- struct security_descriptor *ret_sd;
- connection_struct *conn;
- files_struct finfo;
- struct fd_handle fh;
- NTSTATUS status;
TALLOC_CTX *frame = talloc_stackframe();
+ connection_struct *conn;
+ NTSTATUS status = NT_STATUS_OK;
+
+ if (!posix_locking_init(false)) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
conn = talloc_zero(frame, connection_struct);
if (conn == NULL) {
+ TALLOC_FREE(frame);
DEBUG(0, ("talloc failed\n"));
- return NULL;
+ return NT_STATUS_NO_MEMORY;
}
if (!(conn->params = talloc(conn, struct share_params))) {
- DEBUG(0,("get_nt_acl_no_snum: talloc() failed!\n"));
+ DEBUG(0, ("talloc failed\n"));
TALLOC_FREE(frame);
- return NULL;
+ return NT_STATUS_NO_MEMORY;
}
conn->params->service = -1;
set_conn_connectpath(conn, "/");
if (!smbd_vfs_init(conn)) {
- DEBUG(0,("get_nt_acl_no_snum: Unable to create a fake connection struct!\n"));
- conn_free(conn);
- TALLOC_FREE(frame);
- return NULL;
- }
-
- ZERO_STRUCT( finfo );
- ZERO_STRUCT( fh );
-
- finfo.fnum = FNUM_FIELD_INVALID;
- finfo.conn = conn;
- finfo.fh = &fh;
- finfo.fh->fd = -1;
-
- status = create_synthetic_smb_fname(frame, fname, NULL, NULL,
- &finfo.fsp_name);
- if (!NT_STATUS_IS_OK(status)) {
- conn_free(conn);
+ DEBUG(0,("smbd_vfs_init() failed!\n"));
TALLOC_FREE(frame);
- return NULL;
+ return NT_STATUS_INTERNAL_ERROR;
}
- if (!NT_STATUS_IS_OK(SMB_VFS_FGET_NT_ACL( &finfo,
- security_info_wanted,
- ctx, &ret_sd))) {
- DEBUG(0,("get_nt_acl_no_snum: get_nt_acl returned zero.\n"));
- TALLOC_FREE(finfo.fsp_name);
- conn_free(conn);
- TALLOC_FREE(frame);
- return NULL;
+ status = SMB_VFS_GET_NT_ACL(conn, fname, security_info_wanted, ctx, sd);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("set_nt_acl_no_snum: fset_nt_acl returned %s.\n",
+ nt_errstr(status)));
}
- TALLOC_FREE(finfo.fsp_name);
conn_free(conn);
TALLOC_FREE(frame);
- return ret_sd;
+ return status;
}
/* Stolen shamelessly from pvfs_default_acl() in source4 :-). */
const SMB_STRUCT_STAT *psbuf,
uint16 num_def_acls, const char *pdata);
bool set_unix_posix_acl(connection_struct *conn, files_struct *fsp, const char *fname, uint16 num_acls, const char *pdata);
-struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname, uint32 security_info_wanted);
+NTSTATUS get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname, uint32 security_info_wanted,
+ struct security_descriptor **sd);
NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
const char *name,
SMB_STRUCT_STAT *psbuf,
PyObject *py_sd;
struct security_descriptor *sd;
TALLOC_CTX *tmp_ctx = talloc_new(NULL);
+ NTSTATUS status;
if (!PyArg_ParseTuple(args, "si", &fname, &security_info_wanted))
return NULL;
- sd = get_nt_acl_no_snum(tmp_ctx, fname, security_info_wanted);
+ status = get_nt_acl_no_snum(tmp_ctx, fname, security_info_wanted, &sd);
+ PyErr_NTSTATUS_IS_ERR_RAISE(status);
py_sd = py_return_ndr_struct("samba.dcerpc.security", "descriptor", sd, sd);