26
31
static struct db_context *share_db; /* used for share security descriptors */
27
32
#define SHARE_DATABASE_VERSION_V1 1
28
33
#define SHARE_DATABASE_VERSION_V2 2 /* version id in little endian. */
34
#define SHARE_DATABASE_VERSION_V3 3 /* canonicalized sharenames as lower case */
36
#define SHARE_SECURITY_DB_KEY_PREFIX_STR "SECDESC/"
30
37
/* Map generic permissions to file object specific permissions */
32
39
extern const struct generic_mapping file_generic_mapping;
47
/*****************************************************
48
Looking for keys of the form: SHARE_SECURITY_DB_KEY_PREFIX_STR + "non lower case str".
49
If we find one re-write it into a canonical case form.
50
*****************************************************/
52
static int upgrade_v2_to_v3(struct db_record *rec, void *priv)
54
size_t prefix_len = strlen(SHARE_SECURITY_DB_KEY_PREFIX_STR);
55
const char *servicename = NULL;
56
char *c_servicename = NULL;
58
bool *p_upgrade_ok = (bool *)priv;
61
/* Is there space for a one character sharename ? */
62
if (rec->key.dsize <= prefix_len+2) {
66
/* Does it start with the share key prefix ? */
67
if (memcmp(rec->key.dptr, SHARE_SECURITY_DB_KEY_PREFIX_STR,
72
/* Is it a null terminated string as a key ? */
73
if (rec->key.dptr[rec->key.dsize-1] != '\0') {
77
/* Bytes after the prefix are the sharename string. */
78
servicename = (char *)&rec->key.dptr[prefix_len];
79
c_servicename = canonicalize_servicename(talloc_tos(), servicename);
81
smb_panic("out of memory upgrading share security db from v2 -> v3");
84
if (strcmp(servicename, c_servicename) == 0) {
85
/* Old and new names match. No canonicalization needed. */
86
TALLOC_FREE(c_servicename);
90
/* Oops. Need to canonicalize name, delete old then store new. */
91
status = rec->delete_rec(rec);
92
if (!NT_STATUS_IS_OK(status)) {
93
DEBUG(1, ("upgrade_v2_to_v3: Failed to delete secdesc for "
94
"%s: %s\n", rec->key.dptr, nt_errstr(status)));
95
TALLOC_FREE(c_servicename);
96
*p_upgrade_ok = false;
99
DEBUG(10, ("upgrade_v2_to_v3: deleted secdesc for "
100
"%s\n", rec->key.dptr ));
103
if (!(newkey = talloc_asprintf(talloc_tos(),
104
SHARE_SECURITY_DB_KEY_PREFIX_STR "%s",
106
smb_panic("out of memory upgrading share security db from v2 -> v3");
109
status = dbwrap_store(share_db,
110
string_term_tdb_data(newkey),
114
if (!NT_STATUS_IS_OK(status)) {
115
DEBUG(1, ("upgrade_v2_to_v3: Failed to store secdesc for "
116
"%s: %s\n", c_servicename, nt_errstr(status)));
117
TALLOC_FREE(c_servicename);
119
*p_upgrade_ok = false;
122
DEBUG(10, ("upgrade_v2_to_v3: stored secdesc for "
127
TALLOC_FREE(c_servicename);
40
132
bool share_info_db_init(void)
42
134
const char *vstring = "INFO/version";
137
bool upgrade_ok = true;
45
139
if (share_db != NULL) {
200
/* Finally upgrade to version 3, with canonicalized sharenames. */
202
ret = share_db->traverse(share_db, upgrade_v2_to_v3, &upgrade_ok);
203
if (ret < 0 || upgrade_ok == false) {
204
DEBUG(0, ("traverse failed\n"));
207
if (dbwrap_store_int32(share_db, vstring,
208
SHARE_DATABASE_VERSION_V3) != 0) {
209
DEBUG(0, ("dbwrap_store_int32 failed\n"));
105
213
if (share_db->transaction_commit(share_db) != 0) {
106
214
DEBUG(0, ("transaction_commit failed\n"));
122
230
def_access is a GENERIC_XXX access mode.
123
231
********************************************************************/
125
SEC_DESC *get_share_security_default( TALLOC_CTX *ctx, size_t *psize, uint32 def_access)
233
struct security_descriptor *get_share_security_default( TALLOC_CTX *ctx, size_t *psize, uint32 def_access)
130
SEC_DESC *psd = NULL;
236
struct security_ace ace;
237
struct security_acl *psa = NULL;
238
struct security_descriptor *psd = NULL;
131
239
uint32 spec_access = def_access;
133
241
se_map_generic(&spec_access, &file_generic_mapping);
153
261
Pull a security descriptor from the share tdb.
154
262
********************************************************************/
156
SEC_DESC *get_share_security( TALLOC_CTX *ctx, const char *servicename,
264
struct security_descriptor *get_share_security( TALLOC_CTX *ctx, const char *servicename,
160
SEC_DESC *psd = NULL;
268
struct security_descriptor *psd = NULL;
270
char *c_servicename = canonicalize_servicename(talloc_tos(), servicename);
273
if (!c_servicename) {
164
277
if (!share_info_db_init()) {
278
TALLOC_FREE(c_servicename);
168
if (!(key = talloc_asprintf(ctx, "SECDESC/%s", servicename))) {
282
if (!(key = talloc_asprintf(ctx, SHARE_SECURITY_DB_KEY_PREFIX_STR "%s", c_servicename))) {
283
TALLOC_FREE(c_servicename);
169
284
DEBUG(0, ("talloc_asprintf failed\n"));
288
TALLOC_FREE(c_servicename);
173
290
data = dbwrap_fetch_bystring(share_db, talloc_tos(), key);
175
292
TALLOC_FREE(key);
186
303
if (!NT_STATUS_IS_OK(status)) {
187
304
DEBUG(0, ("unmarshall_sec_desc failed: %s\n",
188
305
nt_errstr(status)));
306
return get_share_security_default(ctx, psize,
193
*psize = ndr_size_security_descriptor(psd, NULL, 0);
311
*psize = ndr_size_security_descriptor(psd, 0);
313
return get_share_security_default(ctx, psize,
199
321
Store a security descriptor in the share db.
200
322
********************************************************************/
202
bool set_share_security(const char *share_name, SEC_DESC *psd)
324
bool set_share_security(const char *share_name, struct security_descriptor *psd)
326
TALLOC_CTX *frame = talloc_stackframe();
206
328
bool ret = False;
331
char *c_share_name = canonicalize_servicename(frame, share_name);
210
337
if (!share_info_db_init()) {
214
frame = talloc_stackframe();
216
341
status = marshall_sec_desc(frame, psd, &blob.dptr, &blob.dsize);
218
343
if (!NT_STATUS_IS_OK(status)) {
379
char *c_servicename = canonicalize_servicename(talloc_tos(), servicename);
381
if (!c_servicename) {
255
385
if (!share_info_db_init()) {
386
TALLOC_FREE(c_servicename);
259
if (!(key = talloc_asprintf(talloc_tos(), "SECDESC/%s",
390
if (!(key = talloc_asprintf(talloc_tos(), SHARE_SECURITY_DB_KEY_PREFIX_STR "%s",
392
TALLOC_FREE(c_servicename);
263
395
kbuf = string_term_tdb_data(key);
265
397
status = dbwrap_trans_delete(share_db, kbuf);
266
398
if (!NT_STATUS_IS_OK(status)) {
267
399
DEBUG(0, ("delete_share_security: Failed to delete entry for "
268
"share %s: %s\n", servicename, nt_errstr(status)));
400
"share %s: %s\n", c_servicename, nt_errstr(status)));
401
TALLOC_FREE(c_servicename);
405
TALLOC_FREE(c_servicename);
276
410
Can this user access with share with the required permissions ?
277
411
********************************************************************/
279
bool share_access_check(const NT_USER_TOKEN *token, const char *sharename,
280
uint32 desired_access)
413
bool share_access_check(const struct security_token *token,
414
const char *sharename,
415
uint32 desired_access,
284
SEC_DESC *psd = NULL;
420
struct security_descriptor *psd = NULL;
287
423
psd = get_share_security(talloc_tos(), sharename, &sd_size);
301
441
Parse the contents of an acl string from a usershare file.
302
442
***************************************************************************/
304
bool parse_usershare_acl(TALLOC_CTX *ctx, const char *acl_str, SEC_DESC **ppsd)
444
bool parse_usershare_acl(TALLOC_CTX *ctx, const char *acl_str, struct security_descriptor **ppsd)
306
446
size_t s_size = 0;
307
447
const char *pacl = acl_str;
308
448
int num_aces = 0;
309
SEC_ACE *ace_list = NULL;
311
SEC_DESC *psd = NULL;
449
struct security_ace *ace_list = NULL;
450
struct security_acl *psa = NULL;
451
struct security_descriptor *psd = NULL;
312
452
size_t sd_size = 0;
329
469
/* Add the number of ',' characters to get the number of aces. */
330
470
num_aces += count_chars(pacl,',');
332
ace_list = TALLOC_ARRAY(ctx, SEC_ACE, num_aces);
472
ace_list = TALLOC_ARRAY(ctx, struct security_ace, num_aces);