1751
if (lp_force_unknown_acl_user(SNUM(fsp->conn))) {
1752
DEBUG(10, ("create_canon_ace_lists: ignoring "
1753
"unknown or foreign SID %s\n",
1754
sid_string_dbg(&psa->trustee)));
1755
SAFE_FREE(current_ace);
1751
1759
free_canon_ace_list(file_ace);
1752
1760
free_canon_ace_list(dir_ace);
1753
1761
DEBUG(0, ("create_canon_ace_lists: unable to map SID "
3594
if (!NT_STATUS_IS_OK(open_file_fchmod(NULL, conn, smb_fname, &fsp))) {
3602
if (!NT_STATUS_IS_OK(open_file_fchmod(conn, smb_fname, &fsp))) {
3822
3830
This should be the only external function needed for the UNIX style set ACL.
3823
3831
****************************************************************************/
3825
NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC *psd)
3833
NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC *psd_orig)
3827
3835
connection_struct *conn = fsp->conn;
3828
3836
uid_t user = (uid_t)-1;
3846
3855
return NT_STATUS_MEDIA_WRITE_PROTECTED;
3859
return NT_STATUS_INVALID_PARAMETER;
3862
psd = dup_sec_desc(talloc_tos(), psd_orig);
3864
return NT_STATUS_NO_MEMORY;
3850
3868
* Get the current state of the file.
3862
3880
* Unpack the user/group/world id's.
3883
/* POSIX can't cope with missing owner/group. */
3884
if ((security_info_sent & SECINFO_OWNER) && (psd->owner_sid == NULL)) {
3885
security_info_sent &= ~SECINFO_OWNER;
3887
if ((security_info_sent & SECINFO_GROUP) && (psd->group_sid == NULL)) {
3888
security_info_sent &= ~SECINFO_GROUP;
3865
3891
status = unpack_nt_owners( SNUM(conn), &user, &grp, security_info_sent, psd);
3866
3892
if (!NT_STATUS_IS_OK(status)) {
3913
3939
create_file_sids(&fsp->fsp_name->st, &file_owner_sid, &file_grp_sid);
3941
if((security_info_sent & SECINFO_DACL) &&
3942
(psd->type & SEC_DESC_DACL_PRESENT) &&
3943
(psd->dacl == NULL)) {
3946
/* We can't have NULL DACL in POSIX.
3947
Use owner/group/Everyone -> full access. */
3949
init_sec_ace(&ace[0],
3951
SEC_ACE_TYPE_ACCESS_ALLOWED,
3954
init_sec_ace(&ace[1],
3956
SEC_ACE_TYPE_ACCESS_ALLOWED,
3959
init_sec_ace(&ace[2],
3961
SEC_ACE_TYPE_ACCESS_ALLOWED,
3964
psd->dacl = make_sec_acl(talloc_tos(),
3968
if (psd->dacl == NULL) {
3969
return NT_STATUS_NO_MEMORY;
3971
security_acl_map_generic(psd->dacl, &file_generic_mapping);
3915
3974
acl_perms = unpack_canon_ace(fsp, &fsp->fsp_name->st, &file_owner_sid,
3916
3975
&file_grp_sid, &file_ace_list,
3917
3976
&dir_ace_list, security_info_sent, psd);
4819
/* Stolen shamelessly from pvfs_default_acl() in source4 :-). */
4821
NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
4823
SMB_STRUCT_STAT *psbuf,
4826
struct dom_sid owner_sid, group_sid;
4829
uint32_t access_mask = 0;
4830
mode_t mode = psbuf->st_ex_mode;
4831
SEC_ACL *new_dacl = NULL;
4834
DEBUG(10,("make_default_filesystem_acl: file %s mode = 0%o\n",
4837
uid_to_sid(&owner_sid, psbuf->st_ex_uid);
4838
gid_to_sid(&group_sid, psbuf->st_ex_gid);
4841
We provide up to 4 ACEs
4848
if (mode & S_IRUSR) {
4849
if (mode & S_IWUSR) {
4850
access_mask |= SEC_RIGHTS_FILE_ALL;
4852
access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
4855
if (mode & S_IWUSR) {
4856
access_mask |= SEC_RIGHTS_FILE_WRITE | SEC_STD_DELETE;
4859
init_sec_ace(&aces[idx],
4861
SEC_ACE_TYPE_ACCESS_ALLOWED,
4867
if (mode & S_IRGRP) {
4868
access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
4870
if (mode & S_IWGRP) {
4871
/* note that delete is not granted - this matches posix behaviour */
4872
access_mask |= SEC_RIGHTS_FILE_WRITE;
4875
init_sec_ace(&aces[idx],
4877
SEC_ACE_TYPE_ACCESS_ALLOWED,
4884
if (mode & S_IROTH) {
4885
access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
4887
if (mode & S_IWOTH) {
4888
access_mask |= SEC_RIGHTS_FILE_WRITE;
4891
init_sec_ace(&aces[idx],
4893
SEC_ACE_TYPE_ACCESS_ALLOWED,
4899
init_sec_ace(&aces[idx],
4901
SEC_ACE_TYPE_ACCESS_ALLOWED,
4902
SEC_RIGHTS_FILE_ALL,
4906
new_dacl = make_sec_acl(ctx,
4912
return NT_STATUS_NO_MEMORY;
4915
*ppdesc = make_sec_desc(ctx,
4916
SECURITY_DESCRIPTOR_REVISION_1,
4917
SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
4924
return NT_STATUS_NO_MEMORY;
4926
return NT_STATUS_OK;