2
* Store Windows ACLs in xattrs.
4
* Copyright (C) Volker Lendecke, 2008
5
* Copyright (C) Jeremy Allison, 2008
7
* This program is free software; you can redistribute it and/or modify
8
* it under the terms of the GNU General Public License as published by
9
* the Free Software Foundation; either version 3 of the License, or
10
* (at your option) any later version.
12
* This program is distributed in the hope that it will be useful,
13
* but WITHOUT ANY WARRANTY; without even the implied warranty of
14
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15
* GNU General Public License for more details.
17
* You should have received a copy of the GNU General Public License
18
* along with this program; if not, see <http://www.gnu.org/licenses/>.
21
/* NOTE: This is an experimental module, not yet finished. JRA. */
24
#include "librpc/gen_ndr/xattr.h"
25
#include "librpc/gen_ndr/ndr_xattr.h"
28
#define DBGC_CLASS DBGC_VFS
30
/*******************************************************************
31
Parse out a struct security_descriptor from a DATA_BLOB.
32
*******************************************************************/
34
static NTSTATUS parse_acl_blob(const DATA_BLOB *pblob,
36
struct security_descriptor **ppdesc)
38
TALLOC_CTX *ctx = talloc_tos();
39
struct xattr_NTACL xacl;
40
enum ndr_err_code ndr_err;
43
ndr_err = ndr_pull_struct_blob(pblob, ctx, NULL, &xacl,
44
(ndr_pull_flags_fn_t)ndr_pull_xattr_NTACL);
46
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
47
DEBUG(5, ("parse_acl_blob: ndr_pull_xattr_NTACL failed: %s\n",
48
ndr_errstr(ndr_err)));
49
return ndr_map_error2ntstatus(ndr_err);;
52
if (xacl.version != 2) {
53
return NT_STATUS_REVISION_MISMATCH;
56
*ppdesc = make_sec_desc(ctx, SEC_DESC_REVISION, xacl.info.sd_hs->sd->type | SEC_DESC_SELF_RELATIVE,
57
(security_info & OWNER_SECURITY_INFORMATION)
58
? xacl.info.sd_hs->sd->owner_sid : NULL,
59
(security_info & GROUP_SECURITY_INFORMATION)
60
? xacl.info.sd_hs->sd->group_sid : NULL,
61
(security_info & SACL_SECURITY_INFORMATION)
62
? xacl.info.sd_hs->sd->sacl : NULL,
63
(security_info & DACL_SECURITY_INFORMATION)
64
? xacl.info.sd_hs->sd->dacl : NULL,
67
TALLOC_FREE(xacl.info.sd);
69
return (*ppdesc != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
72
/*******************************************************************
73
Pull a security descriptor into a DATA_BLOB from a xattr.
74
*******************************************************************/
76
static NTSTATUS get_acl_blob(TALLOC_CTX *ctx,
77
vfs_handle_struct *handle,
92
tmp = TALLOC_REALLOC_ARRAY(ctx, val, uint8_t, size);
95
return NT_STATUS_NO_MEMORY;
100
if (fsp && fsp->fh->fd != -1) {
101
sizeret = SMB_VFS_FGETXATTR(fsp, XATTR_NTACL_NAME, val, size);
103
sizeret = SMB_VFS_GETXATTR(handle->conn, name,
104
XATTR_NTACL_NAME, val, size);
111
/* Max ACL size is 65536 bytes. */
114
if ((errno == ERANGE) && (size != 65536)) {
115
/* Too small, try again. */
120
/* Real error - exit here. */
122
return map_nt_error_from_unix(errno);
126
pblob->length = sizeret;
130
/*******************************************************************
131
Create a DATA_BLOB from a security descriptor.
132
*******************************************************************/
134
static NTSTATUS create_acl_blob(const struct security_descriptor *psd, DATA_BLOB *pblob)
136
struct xattr_NTACL xacl;
137
struct security_descriptor_hash sd_hs;
138
enum ndr_err_code ndr_err;
139
TALLOC_CTX *ctx = talloc_tos();
145
xacl.info.sd_hs = &sd_hs;
146
xacl.info.sd_hs->sd = CONST_DISCARD(struct security_descriptor *, psd);
147
memset(&xacl.info.sd_hs->hash[0], '\0', 16);
149
ndr_err = ndr_push_struct_blob(
150
pblob, ctx, NULL, &xacl,
151
(ndr_push_flags_fn_t)ndr_push_xattr_NTACL);
153
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
154
DEBUG(5, ("create_acl_blob: ndr_push_xattr_NTACL failed: %s\n",
155
ndr_errstr(ndr_err)));
156
return ndr_map_error2ntstatus(ndr_err);;
162
/*******************************************************************
163
Store a DATA_BLOB into an xattr given an fsp pointer.
164
*******************************************************************/
166
static NTSTATUS store_acl_blob_fsp(vfs_handle_struct *handle,
173
DEBUG(10,("store_acl_blob_fsp: storing blob length %u on file %s\n",
174
(unsigned int)pblob->length, fsp->fsp_name));
177
if (fsp->fh->fd != -1) {
178
ret = SMB_VFS_FSETXATTR(fsp, XATTR_NTACL_NAME,
179
pblob->data, pblob->length, 0);
181
ret = SMB_VFS_SETXATTR(fsp->conn, fsp->fsp_name,
183
pblob->data, pblob->length, 0);
191
DEBUG(5, ("store_acl_blob_fsp: setting attr failed for file %s"
195
return map_nt_error_from_unix(errno);
200
/*******************************************************************
201
Store a DATA_BLOB into an xattr given a pathname.
202
*******************************************************************/
204
static NTSTATUS store_acl_blob_pathname(vfs_handle_struct *handle,
208
connection_struct *conn = handle->conn;
212
DEBUG(10,("store_acl_blob_pathname: storing blob "
213
"length %u on file %s\n",
214
(unsigned int)pblob->length, fname));
217
ret = SMB_VFS_SETXATTR(conn, fname,
219
pblob->data, pblob->length, 0);
226
DEBUG(5, ("store_acl_blob_pathname: setting attr failed "
227
"for file %s with error %s\n",
230
return map_nt_error_from_unix(errno);
235
/*******************************************************************
236
Store a DATA_BLOB into an xattr given a pathname.
237
*******************************************************************/
239
static NTSTATUS get_nt_acl_xattr_internal(vfs_handle_struct *handle,
242
uint32 security_info,
243
struct security_descriptor **ppdesc)
245
TALLOC_CTX *ctx = talloc_tos();
249
if (fsp && name == NULL) {
250
name = fsp->fsp_name;
253
DEBUG(10, ("get_nt_acl_xattr_internal: name=%s\n", name));
255
status = get_acl_blob(ctx, handle, fsp, name, &blob);
256
if (!NT_STATUS_IS_OK(status)) {
257
DEBUG(10, ("get_acl_blob returned %s\n", nt_errstr(status)));
261
status = parse_acl_blob(&blob, security_info, ppdesc);
262
if (!NT_STATUS_IS_OK(status)) {
263
DEBUG(10, ("parse_acl_blob returned %s\n",
268
TALLOC_FREE(blob.data);
272
/*********************************************************************
273
Create a default security descriptor for a file in case no inheritance
274
exists. All permissions to the owner and SYSTEM.
275
*********************************************************************/
277
static struct security_descriptor *default_file_sd(TALLOC_CTX *mem_ctx,
278
SMB_STRUCT_STAT *psbuf)
280
struct dom_sid owner_sid, group_sid;
282
struct security_ace *pace = NULL;
283
struct security_acl *pacl = NULL;
285
uid_to_sid(&owner_sid, psbuf->st_uid);
286
gid_to_sid(&group_sid, psbuf->st_gid);
288
pace = TALLOC_ARRAY(mem_ctx, struct security_ace, 2);
293
init_sec_ace(&pace[0], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
294
SEC_RIGHTS_FILE_ALL, 0);
295
init_sec_ace(&pace[1], &global_sid_System, SEC_ACE_TYPE_ACCESS_ALLOWED,
296
SEC_RIGHTS_FILE_ALL, 0);
298
pacl = make_sec_acl(mem_ctx,
305
return make_sec_desc(mem_ctx,
306
SECURITY_DESCRIPTOR_REVISION_1,
307
SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
315
/*********************************************************************
316
*********************************************************************/
318
static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
323
TALLOC_CTX *ctx = talloc_tos();
325
struct security_descriptor *parent_desc = NULL;
326
struct security_descriptor *psd = NULL;
331
if (!parent_dirname(ctx, fname, &parent_name, NULL)) {
332
return NT_STATUS_NO_MEMORY;
335
DEBUG(10,("inherit_new_acl: check directory %s\n",
338
status = get_nt_acl_xattr_internal(handle,
341
(OWNER_SECURITY_INFORMATION |
342
GROUP_SECURITY_INFORMATION |
343
DACL_SECURITY_INFORMATION),
345
if (NT_STATUS_IS_OK(status)) {
346
/* Create an inherited descriptor from the parent. */
348
if (DEBUGLEVEL >= 10) {
349
DEBUG(10,("inherit_new_acl: parent acl is:\n"));
350
NDR_PRINT_DEBUG(security_descriptor, parent_desc);
353
status = se_create_child_secdesc(ctx,
357
&handle->conn->server_info->ptok->user_sids[PRIMARY_USER_SID_INDEX],
358
&handle->conn->server_info->ptok->user_sids[PRIMARY_GROUP_SID_INDEX],
360
if (!NT_STATUS_IS_OK(status)) {
364
if (DEBUGLEVEL >= 10) {
365
DEBUG(10,("inherit_new_acl: child acl is:\n"));
366
NDR_PRINT_DEBUG(security_descriptor, psd);
370
DEBUG(10,("inherit_new_acl: directory %s failed "
373
nt_errstr(status) ));
376
if (!psd || psd->dacl == NULL) {
377
SMB_STRUCT_STAT sbuf;
381
if (fsp && !fsp->is_directory && fsp->fh->fd != -1) {
382
ret = SMB_VFS_FSTAT(fsp, &sbuf);
384
if (fsp && fsp->posix_open) {
385
ret = SMB_VFS_LSTAT(handle->conn,fname, &sbuf);
387
ret = SMB_VFS_STAT(handle->conn,fname, &sbuf);
391
return map_nt_error_from_unix(errno);
393
psd = default_file_sd(ctx, &sbuf);
395
return NT_STATUS_NO_MEMORY;
398
if (DEBUGLEVEL >= 10) {
399
DEBUG(10,("inherit_new_acl: default acl is:\n"));
400
NDR_PRINT_DEBUG(security_descriptor, psd);
404
status = create_acl_blob(psd, &blob);
405
if (!NT_STATUS_IS_OK(status)) {
409
return store_acl_blob_fsp(handle, fsp, &blob);
411
return store_acl_blob_pathname(handle, fname, &blob);
415
/*********************************************************************
416
Check ACL on open. For new files inherit from parent directory.
417
*********************************************************************/
419
static int open_acl_xattr(vfs_handle_struct *handle,
425
uint32_t access_granted = 0;
426
struct security_descriptor *pdesc = NULL;
427
bool file_existed = true;
428
NTSTATUS status = get_nt_acl_xattr_internal(handle,
431
(OWNER_SECURITY_INFORMATION |
432
GROUP_SECURITY_INFORMATION |
433
DACL_SECURITY_INFORMATION),
435
if (NT_STATUS_IS_OK(status)) {
436
/* See if we can access it. */
437
status = smb1_file_se_access_check(pdesc,
438
handle->conn->server_info->ptok,
441
if (!NT_STATUS_IS_OK(status)) {
442
DEBUG(10,("open_acl_xattr: file %s open "
443
"refused with error %s\n",
445
nt_errstr(status) ));
446
errno = map_errno_from_nt_status(status);
449
} else if (NT_STATUS_EQUAL(status,NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
450
file_existed = false;
453
DEBUG(10,("open_acl_xattr: get_nt_acl_attr_internal for "
454
"file %s returned %s\n",
456
nt_errstr(status) ));
458
fsp->fh->fd = SMB_VFS_NEXT_OPEN(handle, fname, fsp, flags, mode);
460
if (!file_existed && fsp->fh->fd != -1) {
461
/* File was created. Inherit from parent directory. */
462
string_set(&fsp->fsp_name, fname);
463
inherit_new_acl(handle, fname, fsp, false);
469
static int mkdir_acl_xattr(vfs_handle_struct *handle, const char *path, mode_t mode)
471
int ret = SMB_VFS_NEXT_MKDIR(handle, path, mode);
476
/* New directory - inherit from parent. */
477
inherit_new_acl(handle, path, NULL, true);
481
/*********************************************************************
482
Fetch a security descriptor given an fsp.
483
*********************************************************************/
485
static NTSTATUS fget_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
486
uint32 security_info, struct security_descriptor **ppdesc)
488
NTSTATUS status = get_nt_acl_xattr_internal(handle, fsp,
489
NULL, security_info, ppdesc);
490
if (NT_STATUS_IS_OK(status)) {
491
if (DEBUGLEVEL >= 10) {
492
DEBUG(10,("fget_nt_acl_xattr: returning xattr sd for file %s\n",
494
NDR_PRINT_DEBUG(security_descriptor, *ppdesc);
499
DEBUG(10,("fget_nt_acl_xattr: failed to get xattr sd for file %s, Error %s\n",
501
nt_errstr(status) ));
503
return SMB_VFS_NEXT_FGET_NT_ACL(handle, fsp,
504
security_info, ppdesc);
507
/*********************************************************************
508
Fetch a security descriptor given a pathname.
509
*********************************************************************/
511
static NTSTATUS get_nt_acl_xattr(vfs_handle_struct *handle,
512
const char *name, uint32 security_info, struct security_descriptor **ppdesc)
514
NTSTATUS status = get_nt_acl_xattr_internal(handle, NULL,
515
name, security_info, ppdesc);
516
if (NT_STATUS_IS_OK(status)) {
517
if (DEBUGLEVEL >= 10) {
518
DEBUG(10,("get_nt_acl_xattr: returning xattr sd for file %s\n",
520
NDR_PRINT_DEBUG(security_descriptor, *ppdesc);
525
DEBUG(10,("get_nt_acl_xattr: failed to get xattr sd for file %s, Error %s\n",
527
nt_errstr(status) ));
529
return SMB_VFS_NEXT_GET_NT_ACL(handle, name,
530
security_info, ppdesc);
533
/*********************************************************************
534
Store a security descriptor given an fsp.
535
*********************************************************************/
537
static NTSTATUS fset_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
538
uint32 security_info_sent, const struct security_descriptor *psd)
543
if (DEBUGLEVEL >= 10) {
544
DEBUG(10,("fset_nt_acl_xattr: incoming sd for file %s\n",
546
NDR_PRINT_DEBUG(security_descriptor,
547
CONST_DISCARD(struct security_descriptor *,psd));
550
status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
551
if (!NT_STATUS_IS_OK(status)) {
555
/* Ensure owner and group are set. */
556
if (!psd->owner_sid || !psd->group_sid) {
558
SMB_STRUCT_STAT sbuf;
559
DOM_SID owner_sid, group_sid;
560
struct security_descriptor *nc_psd = dup_sec_desc(talloc_tos(), psd);
565
if (fsp->is_directory || fsp->fh->fd == -1) {
566
if (fsp->posix_open) {
567
ret = SMB_VFS_LSTAT(fsp->conn,fsp->fsp_name, &sbuf);
569
ret = SMB_VFS_STAT(fsp->conn,fsp->fsp_name, &sbuf);
572
ret = SMB_VFS_FSTAT(fsp, &sbuf);
575
/* Lower level acl set succeeded,
576
* so still return OK. */
579
create_file_sids(&sbuf, &owner_sid, &group_sid);
580
/* This is safe as nc_psd is discarded at fn exit. */
581
nc_psd->owner_sid = &owner_sid;
582
nc_psd->group_sid = &group_sid;
583
security_info_sent |= (OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION);
588
if ((security_info_sent & DACL_SECURITY_INFORMATION) &&
590
(psd->type & (SE_DESC_DACL_AUTO_INHERITED|
591
SE_DESC_DACL_AUTO_INHERIT_REQ))==
592
(SE_DESC_DACL_AUTO_INHERITED|
593
SE_DESC_DACL_AUTO_INHERIT_REQ) ) {
594
struct security_descriptor *new_psd = NULL;
595
status = append_parent_acl(fsp, psd, &new_psd);
596
if (!NT_STATUS_IS_OK(status)) {
597
/* Lower level acl set succeeded,
598
* so still return OK. */
605
if (DEBUGLEVEL >= 10) {
606
DEBUG(10,("fset_nt_acl_xattr: storing xattr sd for file %s\n",
608
NDR_PRINT_DEBUG(security_descriptor,
609
CONST_DISCARD(struct security_descriptor *,psd));
611
create_acl_blob(psd, &blob);
612
store_acl_blob_fsp(handle, fsp, &blob);
617
/*********************************************************************
618
Remove a Windows ACL - we're setting the underlying POSIX ACL.
619
*********************************************************************/
621
static int sys_acl_set_file_xattr(vfs_handle_struct *handle,
626
int ret = SMB_VFS_NEXT_SYS_ACL_SET_FILE(handle,
635
SMB_VFS_REMOVEXATTR(handle->conn, name, XATTR_NTACL_NAME);
641
/*********************************************************************
642
Remove a Windows ACL - we're setting the underlying POSIX ACL.
643
*********************************************************************/
645
static int sys_acl_set_fd_xattr(vfs_handle_struct *handle,
649
int ret = SMB_VFS_NEXT_SYS_ACL_SET_FD(handle,
657
SMB_VFS_FREMOVEXATTR(fsp, XATTR_NTACL_NAME);
663
/* VFS operations structure */
665
static vfs_op_tuple skel_op_tuples[] =
667
{SMB_VFS_OP(mkdir_acl_xattr), SMB_VFS_OP_MKDIR, SMB_VFS_LAYER_TRANSPARENT},
668
{SMB_VFS_OP(open_acl_xattr), SMB_VFS_OP_OPEN, SMB_VFS_LAYER_TRANSPARENT},
670
/* NT File ACL operations */
672
{SMB_VFS_OP(fget_nt_acl_xattr),SMB_VFS_OP_FGET_NT_ACL,SMB_VFS_LAYER_TRANSPARENT},
673
{SMB_VFS_OP(get_nt_acl_xattr), SMB_VFS_OP_GET_NT_ACL, SMB_VFS_LAYER_TRANSPARENT},
674
{SMB_VFS_OP(fset_nt_acl_xattr),SMB_VFS_OP_FSET_NT_ACL,SMB_VFS_LAYER_TRANSPARENT},
676
/* POSIX ACL operations. */
677
{SMB_VFS_OP(sys_acl_set_file_xattr), SMB_VFS_OP_SYS_ACL_SET_FILE, SMB_VFS_LAYER_TRANSPARENT},
678
{SMB_VFS_OP(sys_acl_set_fd_xattr), SMB_VFS_OP_SYS_ACL_SET_FD, SMB_VFS_LAYER_TRANSPARENT},
680
{SMB_VFS_OP(NULL), SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP}
683
NTSTATUS vfs_acl_xattr_init(void)
685
return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "acl_xattr", skel_op_tuples);