Change get_nt_acl_no_snum() to return an NTSTATUS, not a struct security_descriptor *.
authorAndrew Bartlett <abartlet@samba.org>
Tue, 13 Nov 2012 20:48:53 +0000 (12:48 -0800)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 13 Nov 2012 21:48:19 +0000 (22:48 +0100)
Internally change the implementation to use SMB_VFS_GET_NT_ACL()
instead of SMB_VFS_FGET_NT_ACL() with a faked-up file struct.

Andrew Bartlett

Reviewed by: Jeremy Allison <jra@samba.org>

source3/rpc_server/eventlog/srv_eventlog_nt.c
source3/smbd/posix_acls.c
source3/smbd/proto.h
source3/smbd/pysmbd.c

index a05ea3fcbe7a87938fa936b0369756b01d3a2f57..a3e719a38bc36f612369b0d8423a96c0acabcbfa 100644 (file)
@@ -91,12 +91,15 @@ static bool elog_check_access( EVENTLOG_INFO *info, const struct security_token
 
        /* get the security descriptor for the file */
 
-       sec_desc = get_nt_acl_no_snum( info, tdbname, SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL);
+       status = get_nt_acl_no_snum( info,
+                       tdbname,
+                       SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL,
+                       &sec_desc);
        TALLOC_FREE( tdbname );
 
-       if ( !sec_desc ) {
-               DEBUG(5,("elog_check_access: Unable to get NT ACL for %s\n",
-                       tdbname));
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(5,("elog_check_access: Unable to get NT ACL for %s: %s\n",
+                       tdbname, nt_errstr(status)));
                return False;
        }
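Review bot: The new DEBUG in the `!NT_STATUS_IS_OK(status)` branch still passes `tdbname` to `%s` after `TALLOC_FREE( tdbname );` has already run a few lines earlier. TALLOC_FREE clears the pointer, so the failure log for this access check gets a NULL string instead of the path, and a libc that does not tolerate NULL for `%s` may crash. Move the free below the check: call `TALLOC_FREE( tdbname );` inside the error branch just before `return False;`, and again after the block. elog_check_access starts and ends outside this hunk, so whether `sec_desc` is initialised before the call is not visible here.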
 
index d46a16dbc13e1a06ae00958a37bb7e1323fdbb76..74ea257d363d083f19f07b269a88fe8c7b23dcbc 100644 (file)
@@ -4963,30 +4963,34 @@ bool set_unix_posix_acl(connection_struct *conn, files_struct *fsp, const char *
  check.  Caller is responsible for freeing the returned security
  descriptor via TALLOC_FREE().  This is designed for dealing with 
  user space access checks in smbd outside of the VFS.  For example,
- checking access rights in OpenEventlog().
+ checking access rights in OpenEventlog() or from python.
 
- Assume we are dealing with files (for now)
 ********************************************************************/
 
-struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname, uint32 security_info_wanted)
+NTSTATUS get_nt_acl_no_snum(TALLOC_CTX *ctx, const char *fname,
+                               uint32 security_info_wanted,
+                               struct security_descriptor **sd)
 {
-       struct security_descriptor *ret_sd;
-       connection_struct *conn;
-       files_struct finfo;
-       struct fd_handle fh;
-       NTSTATUS status;
        TALLOC_CTX *frame = talloc_stackframe();
+       connection_struct *conn;
+       NTSTATUS status = NT_STATUS_OK;
+
+       if (!posix_locking_init(false)) {
+               TALLOC_FREE(frame);
+               return NT_STATUS_NO_MEMORY;
+       }
 
        conn = talloc_zero(frame, connection_struct);
        if (conn == NULL) {
+               TALLOC_FREE(frame);
                DEBUG(0, ("talloc failed\n"));
-               return NULL;
+               return NT_STATUS_NO_MEMORY;
        }
 
        if (!(conn->params = talloc(conn, struct share_params))) {
-               DEBUG(0,("get_nt_acl_no_snum: talloc() failed!\n"));
+               DEBUG(0, ("talloc failed\n"));
                TALLOC_FREE(frame);
-               return NULL;
+               return NT_STATUS_NO_MEMORY;
        }
 
        conn->params->service = -1;
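Review bot: The header comment above get_nt_acl_no_snum() still speaks of "the returned security descriptor", but the descriptor now comes back through `sd`, and none of the early-return paths in this hunk write to it. I would document the contract, e.g. `On success *sd is allocated on ctx and must be freed by the caller via TALLOC_FREE(); *sd must not be read unless NT_STATUS_OK is returned.` Adding `*sd = NULL;` at the top of the function would also mean a caller that uses the pointer without checking the status sees NULL rather than an uninitialised value. The function body continues past the end of this hunk.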
@@ -4994,43 +4998,21 @@ struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fna
        set_conn_connectpath(conn, "/");
 
        if (!smbd_vfs_init(conn)) {
-               DEBUG(0,("get_nt_acl_no_snum: Unable to create a fake connection struct!\n"));
-               conn_free(conn);
-               TALLOC_FREE(frame);
-               return NULL;
-        }
-
-       ZERO_STRUCT( finfo );
-       ZERO_STRUCT( fh );
-
-       finfo.fnum = FNUM_FIELD_INVALID;
-       finfo.conn = conn;
-       finfo.fh = &fh;
-       finfo.fh->fd = -1;
-
-       status = create_synthetic_smb_fname(frame, fname, NULL, NULL,
-                                           &finfo.fsp_name);
-       if (!NT_STATUS_IS_OK(status)) {
-               conn_free(conn);
+               DEBUG(0,("smbd_vfs_init() failed!\n"));
                TALLOC_FREE(frame);
-               return NULL;
+               return NT_STATUS_INTERNAL_ERROR;
        }
 
-       if (!NT_STATUS_IS_OK(SMB_VFS_FGET_NT_ACL( &finfo,
-                                                 security_info_wanted,
-                                                 ctx, &ret_sd))) {
-               DEBUG(0,("get_nt_acl_no_snum: get_nt_acl returned zero.\n"));
-               TALLOC_FREE(finfo.fsp_name);
-               conn_free(conn);
-               TALLOC_FREE(frame);
-               return NULL;
+       status = SMB_VFS_GET_NT_ACL(conn, fname, security_info_wanted, ctx, sd);
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(0,("set_nt_acl_no_snum: fset_nt_acl returned %s.\n",
+                       nt_errstr(status)));
        }
 
-       TALLOC_FREE(finfo.fsp_name);
        conn_free(conn);
        TALLOC_FREE(frame);
 
-       return ret_sd;
+       return status;
 }
 
 /* Stolen shamelessly from pvfs_default_acl() in source4 :-). */
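Review bot: The failure message added after SMB_VFS_GET_NT_ACL() names the wrong function: it logs `set_nt_acl_no_snum: fset_nt_acl returned %s.`, although this is get_nt_acl_no_snum() and the call is a path-based get. That points anyone reading a level-0 log about a failed ACL read at the set path; suggest `DEBUG(0,("get_nt_acl_no_snum: get_nt_acl returned %s.\n",`. Separately, the smbd_vfs_init() failure branch no longer calls `conn_free(conn)` before `TALLOC_FREE(frame)`, while the normal exit still does. If conn_free() releases anything beyond talloc memory (not visible here), that branch should keep the call. The function starts in the previous hunk.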
index 221499cead63fca5c461d8a40937dae2727e78b7..aae4bd02dbe827f5c80c796a6f5ebfbe52d780dd 100644 (file)
@@ -732,7 +732,8 @@ bool set_unix_posix_default_acl(connection_struct *conn, const char *fname,
                                const SMB_STRUCT_STAT *psbuf,
                                uint16 num_def_acls, const char *pdata);
 bool set_unix_posix_acl(connection_struct *conn, files_struct *fsp, const char *fname, uint16 num_acls, const char *pdata);
-struct security_descriptor *get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname, uint32 security_info_wanted);
+NTSTATUS get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname, uint32 security_info_wanted,
+                               struct security_descriptor **sd);
 NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
                                        const char *name,
                                        SMB_STRUCT_STAT *psbuf,
index 436e881b10058e8c558822435b145ceaa6a38d73..42694cb47c285c74b0974befa24e32d2c7397711 100644 (file)
@@ -495,11 +495,13 @@ static PyObject *py_smbd_get_nt_acl(PyObject *self, PyObject *args)
        PyObject *py_sd;
        struct security_descriptor *sd;
        TALLOC_CTX *tmp_ctx = talloc_new(NULL);
+       NTSTATUS status;
 
        if (!PyArg_ParseTuple(args, "si", &fname, &security_info_wanted))
                return NULL;
 
-       sd = get_nt_acl_no_snum(tmp_ctx, fname, security_info_wanted);
+       status = get_nt_acl_no_snum(tmp_ctx, fname, security_info_wanted, &sd);
+       PyErr_NTSTATUS_IS_ERR_RAISE(status);
 
        py_sd = py_return_ndr_struct("samba.dcerpc.security", "descriptor", sd, sd);