search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:registry: Initialize struct security_ace ace[]
[samba4-gss.git] / source3 / modules / vfs_afsacl.c
blob3dc80d3bddc7173fdeb86e72ecbae16ae72b1356
1 /*
2 * Convert AFS acls to NT acls and vice versa.
3 *
4 * Copyright (C) Volker Lendecke, 2003
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "system/filesys.h"
22 #include "smbd/smbd.h"
23 #include "../librpc/gen_ndr/lsa.h"
24 #include "../libcli/security/security.h"
25 #include "../libcli/security/dom_sid.h"
26 #include "passdb.h"
27 #include "lib/afs/afs_settoken.h"
28 #include "lib/util/string_wrappers.h"
29
30 #undef DBGC_CLASS
31 #define DBGC_CLASS DBGC_VFS
32
33 #include <afs/stds.h>
34 #include <afs/afs_args.h>
35 #include <afs/venus.h>
36 #include <afs/prs_fs.h>
37
38 #define MAXSIZE 2049
39
40 extern const struct dom_sid global_sid_World;
41 extern const struct dom_sid global_sid_Builtin_Administrators;
42 extern const struct dom_sid global_sid_Builtin_Backup_Operators;
43 extern const struct dom_sid global_sid_Authenticated_Users;
44 extern const struct dom_sid global_sid_NULL;
45
46 static char space_replacement = '%';
47
48 /* Do we expect SIDs as pts names? */
49 static bool sidpts;
50
51 struct afs_ace {
52 bool positive;
53 char *name;
54 struct dom_sid sid;
55 enum lsa_SidType type;
56 uint32_t rights;
57 struct afs_ace *next;
58 };
59
60 struct afs_acl {
61 TALLOC_CTX *ctx;
62 int type;
63 int num_aces;
64 struct afs_ace *acelist;
65 };
66
67 struct afs_iob {
68 char *in, *out;
69 uint16_t in_size, out_size;
70 };
71
72
73 static bool init_afs_acl(struct afs_acl *acl)
74 {
75 ZERO_STRUCT(*acl);
76 acl->ctx = talloc_init("afs_acl");
77 if (acl->ctx == NULL) {
78 DEBUG(10, ("Could not init afs_acl\n"));
79 return false;
80 }
81 return true;
82 }
83
84 static void free_afs_acl(struct afs_acl *acl)
85 {
86 if (acl->ctx != NULL)
87 talloc_destroy(acl->ctx);
88 acl->ctx = NULL;
89 acl->num_aces = 0;
90 acl->acelist = NULL;
91 }
92
93 static struct afs_ace *clone_afs_ace(TALLOC_CTX *mem_ctx, struct afs_ace *ace)
94 {
95 struct afs_ace *result = talloc(mem_ctx, struct afs_ace);
96
97 if (result == NULL)
98 return NULL;
99
100 *result = *ace;
101
102 result->next = NULL;
103 result->name = talloc_strdup(mem_ctx, ace->name);
104
105 if (result->name == NULL) {
106 return NULL;
107 }
108
109 return result;
110 }
111
112 static struct afs_ace *new_afs_ace(TALLOC_CTX *mem_ctx,
113 bool positive,
114 const char *name, uint32_t rights)
115 {
116 struct dom_sid sid;
117 enum lsa_SidType type;
118 struct afs_ace *result;
119
120 if (strcmp(name, "system:administrators") == 0) {
121
122 sid_copy(&sid, &global_sid_Builtin_Administrators);
123 type = SID_NAME_ALIAS;
124
125 } else if (strcmp(name, "system:anyuser") == 0) {
126
127 sid_copy(&sid, &global_sid_World);
128 type = SID_NAME_ALIAS;
129
130 } else if (strcmp(name, "system:authuser") == 0) {
131
132 sid_copy(&sid, &global_sid_Authenticated_Users);
133 type = SID_NAME_WKN_GRP;
134
135 } else if (strcmp(name, "system:backup") == 0) {
136
137 sid_copy(&sid, &global_sid_Builtin_Backup_Operators);
138 type = SID_NAME_ALIAS;
139
140 } else if (sidpts) {
141 /* All PTS users/groups are expressed as SIDs */
142
143 sid_copy(&sid, &global_sid_NULL);
144 type = SID_NAME_UNKNOWN;
145
146 if (string_to_sid(&sid, name)) {
147 const char *user, *domain;
148 /* We have to find the type, look up the SID */
149 lookup_sid(talloc_tos(), &sid,
150 &domain, &user, &type);
151 }
152
153 } else {
154
155 const char *domain, *uname;
156 char *p;
157
158 p = strchr_m(name, *lp_winbind_separator());
159 if (p != NULL) {
160 *p = '\\';
161 }
162
163 if (!lookup_name(talloc_tos(), name, LOOKUP_NAME_ALL,
164 &domain, &uname, &sid, &type)) {
165 DEBUG(10, ("Could not find AFS user %s\n", name));
166
167 sid_copy(&sid, &global_sid_NULL);
168 type = SID_NAME_UNKNOWN;
169
170 }
171 }
172
173 result = talloc(mem_ctx, struct afs_ace);
174
175 if (result == NULL) {
176 DEBUG(0, ("Could not talloc AFS ace\n"));
177 return NULL;
178 }
179
180 result->name = talloc_strdup(mem_ctx, name);
181 if (result->name == NULL) {
182 DEBUG(0, ("Could not talloc AFS ace name\n"));
183 return NULL;
184 }
185
186 result->sid = sid;
187 result->type = type;
188
189 result->positive = positive;
190 result->rights = rights;
191
192 return result;
193 }
194
195 static void add_afs_ace(struct afs_acl *acl,
196 bool positive,
197 const char *name, uint32_t rights)
198 {
199 struct afs_ace *ace;
200
201 for (ace = acl->acelist; ace != NULL; ace = ace->next) {
202 if ((ace->positive == positive) &&
203 (strequal(ace->name, name))) {
204 ace->rights |= rights;
205 return;
206 }
207 }
208
209 ace = new_afs_ace(acl->ctx, positive, name, rights);
210
211 ace->next = acl->acelist;
212 acl->acelist = ace;
213
214 acl->num_aces += 1;
215
216 DEBUG(10, ("add_afs_ace: Added %s entry for %s with rights %d\n",
217 ace->positive?"positive":"negative",
218 ace->name, ace->rights));
219 }
220
221 /* AFS ACLs in string form are a long string of fields delimited with \n.
222 *
223 * First line: Number of positive entries
224 * Second line: Number of negative entries
225 * Third and following lines: The entries themselves
226 *
227 * An ACE is a line of two fields, delimited by \t.
228 *
229 * First field: Name
230 * Second field: Rights
231 */
232
233 static bool parse_afs_acl(struct afs_acl *acl, const char *acl_str)
234 {
235 int nplus, nminus;
236 int aces;
237
238 char str[MAXSIZE];
239 char *p = str;
240
241 strlcpy(str, acl_str, MAXSIZE);
242
243 if (sscanf(p, "%d", &nplus) != 1)
244 return false;
245
246 DEBUG(10, ("Found %d positive entries\n", nplus));
247
248 if ((p = strchr(p, '\n')) == NULL)
249 return false;
250 p += 1;
251
252 if (sscanf(p, "%d", &nminus) != 1)
253 return false;
254
255 DEBUG(10, ("Found %d negative entries\n", nminus));
256
257 if ((p = strchr(p, '\n')) == NULL)
258 return false;
259 p += 1;
260
261 for (aces = nplus+nminus; aces > 0; aces--)
262 {
263
264 const char *namep;
265 fstring name;
266 uint32_t rights;
267 char *space;
268
269 namep = p;
270
271 if ((p = strchr(p, '\t')) == NULL)
272 return false;
273 *p = '\0';
274 p += 1;
275
276 if (sscanf(p, "%d", &rights) != 1)
277 return false;
278
279 if ((p = strchr(p, '\n')) == NULL)
280 return false;
281 p += 1;
282
283 fstrcpy(name, namep);
284
285 while ((space = strchr_m(name, space_replacement)) != NULL)
286 *space = ' ';
287
288 add_afs_ace(acl, nplus>0, name, rights);
289
290 nplus -= 1;
291 }
292
293 return true;
294 }
295
296 static bool unparse_afs_acl(struct afs_acl *acl, char *acl_str)
297 {
298 /* TODO: String length checks!!!! */
299
300 int positives = 0;
301 int negatives = 0;
302 fstring line;
303 struct afs_ace *ace = acl->acelist;
304
305 *acl_str = 0;
306
307 while (ace != NULL) {
308 if (ace->positive)
309 positives++;
310 else
311 negatives++;
312 ace = ace->next;
313 }
314
315 fstr_sprintf(line, "%d\n", positives);
316 if (strlcat(acl_str, line, MAXSIZE) >= MAXSIZE) {
317 return false;
318 }
319
320 fstr_sprintf(line, "%d\n", negatives);
321 if (strlcat(acl_str, line, MAXSIZE) >= MAXSIZE) {
322 return false;
323 }
324
325 ace = acl->acelist;
326
327 while (ace != NULL) {
328 fstr_sprintf(line, "%s\t%d\n", ace->name, ace->rights);
329 if (strlcat(acl_str, line, MAXSIZE) >= MAXSIZE) {
330 return false;
331 }
332 ace = ace->next;
333 }
334 return true;
335 }
336
337 static uint32_t afs_to_nt_file_rights(uint32_t rights)
338 {
339 uint32_t result = 0;
340
341 if (rights & PRSFS_READ)
342 result |= FILE_READ_DATA | FILE_READ_EA |
343 FILE_EXECUTE | FILE_READ_ATTRIBUTES |
344 READ_CONTROL_ACCESS | SYNCHRONIZE_ACCESS;
345
346 if (rights & PRSFS_WRITE)
347 result |= FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES |
348 FILE_WRITE_EA | FILE_APPEND_DATA;
349
350 if (rights & PRSFS_LOCK)
351 result |= WRITE_OWNER_ACCESS;
352
353 if (rights & PRSFS_DELETE)
354 result |= DELETE_ACCESS;
355
356 return result;
357 }
358
359 static void afs_to_nt_dir_rights(uint32_t afs_rights, uint32_t *nt_rights,
360 uint8_t *flag)
361 {
362 *nt_rights = 0;
363 *flag = SEC_ACE_FLAG_OBJECT_INHERIT |
364 SEC_ACE_FLAG_CONTAINER_INHERIT;
365
366 if (afs_rights & PRSFS_INSERT)
367 *nt_rights |= FILE_ADD_FILE | FILE_ADD_SUBDIRECTORY;
368
369 if (afs_rights & PRSFS_LOOKUP)
370 *nt_rights |= FILE_READ_DATA | FILE_READ_EA |
371 FILE_EXECUTE | FILE_READ_ATTRIBUTES |
372 READ_CONTROL_ACCESS | SYNCHRONIZE_ACCESS;
373
374 if (afs_rights & PRSFS_WRITE)
375 *nt_rights |= FILE_WRITE_ATTRIBUTES | FILE_WRITE_DATA |
376 FILE_APPEND_DATA | FILE_WRITE_EA;
377
378 if ((afs_rights & (PRSFS_INSERT|PRSFS_LOOKUP|PRSFS_DELETE)) ==
379 (PRSFS_INSERT|PRSFS_LOOKUP|PRSFS_DELETE))
380 *nt_rights |= FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA |
381 GENERIC_WRITE_ACCESS;
382
383 if (afs_rights & PRSFS_DELETE)
384 *nt_rights |= DELETE_ACCESS;
385
386 if (afs_rights & PRSFS_ADMINISTER)
387 *nt_rights |= FILE_DELETE_CHILD | WRITE_DAC_ACCESS |
388 WRITE_OWNER_ACCESS;
389
390 if ( (afs_rights & PRSFS_LOOKUP) ==
391 (afs_rights & (PRSFS_LOOKUP|PRSFS_READ)) ) {
392 /* Only lookup right */
393 *flag = SEC_ACE_FLAG_CONTAINER_INHERIT;
394 }
395 }
396
397 #define AFS_FILE_RIGHTS (PRSFS_READ|PRSFS_WRITE|PRSFS_LOCK)
398 #define AFS_DIR_RIGHTS (PRSFS_INSERT|PRSFS_LOOKUP|PRSFS_DELETE|PRSFS_ADMINISTER)
399
400 static void split_afs_acl(struct afs_acl *acl,
401 struct afs_acl *dir_acl,
402 struct afs_acl *file_acl)
403 {
404 struct afs_ace *ace;
405
406 init_afs_acl(dir_acl);
407 init_afs_acl(file_acl);
408
409 for (ace = acl->acelist; ace != NULL; ace = ace->next) {
410 if (ace->rights & AFS_FILE_RIGHTS) {
411 add_afs_ace(file_acl, ace->positive, ace->name,
412 ace->rights & AFS_FILE_RIGHTS);
413 }
414
415 if (ace->rights & AFS_DIR_RIGHTS) {
416 add_afs_ace(dir_acl, ace->positive, ace->name,
417 ace->rights & AFS_DIR_RIGHTS);
418 }
419 }
420 }
421
422 static bool same_principal(struct afs_ace *x, struct afs_ace *y)
423 {
424 return ( (x->positive == y->positive) &&
425 (dom_sid_compare(&x->sid, &y->sid) == 0) );
426 }
427
428 static void merge_afs_acls(struct afs_acl *dir_acl,
429 struct afs_acl *file_acl,
430 struct afs_acl *target)
431 {
432 struct afs_ace *ace;
433
434 init_afs_acl(target);
435
436 for (ace = dir_acl->acelist; ace != NULL; ace = ace->next) {
437 struct afs_ace *file_ace;
438 bool found = false;
439
440 for (file_ace = file_acl->acelist;
441 file_ace != NULL;
442 file_ace = file_ace->next) {
443 if (!same_principal(ace, file_ace))
444 continue;
445
446 add_afs_ace(target, ace->positive, ace->name,
447 ace->rights | file_ace->rights);
448 found = true;
449 break;
450 }
451 if (!found)
452 add_afs_ace(target, ace->positive, ace->name,
453 ace->rights);
454 }
455
456 for (ace = file_acl->acelist; ace != NULL; ace = ace->next) {
457 struct afs_ace *dir_ace;
458 bool already_seen = false;
459
460 for (dir_ace = dir_acl->acelist;
461 dir_ace != NULL;
462 dir_ace = dir_ace->next) {
463 if (!same_principal(ace, dir_ace))
464 continue;
465 already_seen = true;
466 break;
467 }
468 if (!already_seen)
469 add_afs_ace(target, ace->positive, ace->name,
470 ace->rights);
471 }
472 }
473
474 #define PERMS_READ 0x001200a9
475 #define PERMS_CHANGE 0x001301bf
476 #define PERMS_FULL 0x001f01ff
477
478 static struct static_dir_ace_mapping {
479 uint8_t type;
480 uint8_t flags;
481 uint32_t mask;
482 uint32_t afs_rights;
483 } ace_mappings[] = {
484
485 /* Full control */
486 { 0, SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT,
487 PERMS_FULL, 127 /* rlidwka */ },
488
489 /* Change (write) */
490 { 0, SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT,
491 PERMS_CHANGE, 63 /* rlidwk */ },
492
493 /* Read (including list folder content) */
494 { 0, SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT,
495 PERMS_READ, 9 /* rl */ },
496
497 /* Read without list folder content -- same as "l" */
498 { 0, SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT,
499 0x00120089, 8 /* l */ },
500
501 /* some stupid workaround for preventing fallbacks */
502 { 0, 0x3, 0x0012019F, 9 /* rl */ },
503 { 0, 0x13, PERMS_FULL, 127 /* full */ },
504
505 /* read, delete and execute access plus synchronize */
506 { 0, 0x3, 0x001300A9, 9 /* should be rdl, set to rl */},
507 /* classical read list */
508 { 0, 0x13, 0x001200A9, 9 /* rl */},
509 /* almost full control, no delete */
510 { 0, 0x13, PERMS_CHANGE, 63 /* rwidlk */},
511
512 /* List folder */
513 { 0, SEC_ACE_FLAG_CONTAINER_INHERIT,
514 PERMS_READ, 8 /* l */ },
515
516 /* FULL without inheritance -- in all cases here we also get
517 the corresponding INHERIT_ONLY ACE in the same ACL */
518 { 0, 0, PERMS_FULL, 127 /* rlidwka */ },
519
520 /* FULL inherit only -- counterpart to previous one */
521 { 0, SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY,
522 PERMS_FULL | SEC_GENERIC_WRITE, 127 /* rlidwka */ },
523
524 /* CHANGE without inheritance -- in all cases here we also get
525 the corresponding INHERIT_ONLY ACE in the same ACL */
526 { 0, 0, PERMS_CHANGE, 63 /* rlidwk */ },
527
528 /* CHANGE inherit only -- counterpart to previous one */
529 { 0, SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY,
530 PERMS_CHANGE | SEC_GENERIC_WRITE, 63 /* rlidwk */ },
531
532 /* End marker, hopefully there's no afs right 9999 :-) */
533 { 0, 0, 0, 9999 }
534 };
535
536 static uint32_t nt_to_afs_dir_rights(const char *filename, const struct security_ace *ace)
537 {
538 uint32_t result = 0;
539 uint32_t rights = ace->access_mask;
540 uint8_t flags = ace->flags;
541
542 struct static_dir_ace_mapping *m;
543
544 for (m = &ace_mappings[0]; m->afs_rights != 9999; m++) {
545 if ( (ace->type == m->type) &&
546 (ace->flags == m->flags) &&
547 (ace->access_mask == m->mask) )
548 return m->afs_rights;
549 }
550
551 DEBUG(1, ("AFSACL FALLBACK: 0x%X 0x%X 0x%X %s %X\n",
552 ace->type, ace->flags, ace->access_mask, filename, rights));
553
554 if (rights & (GENERIC_ALL_ACCESS|WRITE_DAC_ACCESS)) {
555 result |= PRSFS_READ | PRSFS_WRITE | PRSFS_INSERT |
556 PRSFS_LOOKUP | PRSFS_DELETE | PRSFS_LOCK |
557 PRSFS_ADMINISTER;
558 }
559
560 if (rights & (GENERIC_READ_ACCESS|FILE_READ_DATA)) {
561 result |= PRSFS_LOOKUP;
562 if (flags & SEC_ACE_FLAG_OBJECT_INHERIT) {
563 result |= PRSFS_READ;
564 }
565 }
566
567 if (rights & (GENERIC_WRITE_ACCESS|FILE_WRITE_DATA)) {
568 result |= PRSFS_INSERT | PRSFS_DELETE;
569 if (flags & SEC_ACE_FLAG_OBJECT_INHERIT) {
570 result |= PRSFS_WRITE | PRSFS_LOCK;
571 }
572 }
573
574 return result;
575 }
576
577 static uint32_t nt_to_afs_file_rights(const char *filename, const struct security_ace *ace)
578 {
579 uint32_t result = 0;
580 uint32_t rights = ace->access_mask;
581
582 if (rights & (GENERIC_READ_ACCESS|FILE_READ_DATA)) {
583 result |= PRSFS_READ;
584 }
585
586 if (rights & (GENERIC_WRITE_ACCESS|FILE_WRITE_DATA)) {
587 result |= PRSFS_WRITE | PRSFS_LOCK;
588 }
589
590 return result;
591 }
592
593 static size_t afs_to_nt_acl_common(struct afs_acl *afs_acl,
594 SMB_STRUCT_STAT *psbuf,
595 uint32_t security_info,
596 TALLOC_CTX *mem_ctx,
597 struct security_descriptor **ppdesc)
598 {
599 struct security_ace *nt_ace_list;
600 struct dom_sid owner_sid, group_sid;
601 struct security_acl *psa = NULL;
602 int good_aces;
603 size_t sd_size;
604
605 struct afs_ace *afs_ace;
606
607 uid_to_sid(&owner_sid, psbuf->st_ex_uid);
608 gid_to_sid(&group_sid, psbuf->st_ex_gid);
609
610 if (afs_acl->num_aces) {
611 nt_ace_list = talloc_array(mem_ctx, struct security_ace, afs_acl->num_aces);
612
613 if (nt_ace_list == NULL)
614 return 0;
615 } else {
616 nt_ace_list = NULL;
617 }
618
619 afs_ace = afs_acl->acelist;
620 good_aces = 0;
621
622 while (afs_ace != NULL) {
623 uint32_t nt_rights;
624 uint8_t flag = SEC_ACE_FLAG_OBJECT_INHERIT |
625 SEC_ACE_FLAG_CONTAINER_INHERIT;
626
627 if (afs_ace->type == SID_NAME_UNKNOWN) {
628 DEBUG(10, ("Ignoring unknown name %s\n",
629 afs_ace->name));
630 afs_ace = afs_ace->next;
631 continue;
632 }
633
634 if (S_ISDIR(psbuf->st_ex_mode))
635 afs_to_nt_dir_rights(afs_ace->rights, &nt_rights,
636 &flag);
637 else
638 nt_rights = afs_to_nt_file_rights(afs_ace->rights);
639
640 init_sec_ace(&nt_ace_list[good_aces++], &(afs_ace->sid),
641 SEC_ACE_TYPE_ACCESS_ALLOWED, nt_rights, flag);
642 afs_ace = afs_ace->next;
643 }
644
645 psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION,
646 good_aces, nt_ace_list);
647 if (psa == NULL)
648 return 0;
649
650 *ppdesc = make_sec_desc(mem_ctx, SD_REVISION,
651 SEC_DESC_SELF_RELATIVE,
652 (security_info & SECINFO_OWNER)
653 ? &owner_sid : NULL,
654 (security_info & SECINFO_GROUP)
655 ? &group_sid : NULL,
656 NULL, psa, &sd_size);
657
658 return sd_size;
659 }
660
661 static size_t afs_to_nt_acl(struct afs_acl *afs_acl,
662 struct connection_struct *conn,
663 struct smb_filename *smb_fname,
664 uint32_t security_info,
665 TALLOC_CTX *mem_ctx,
666 struct security_descriptor **ppdesc)
667 {
668 int ret;
669
670 /*
671 * We can directly use SMB_VFS_STAT here, as if this was a
672 * POSIX call on a symlink, we've already refused it.
673 * For a Windows acl mapped call on a symlink, we want to follow
674 * it.
675 */
676 /* Get the stat struct for the owner info. */
677 ret = SMB_VFS_STAT(conn, smb_fname);
678 if (ret == -1) {
679 return 0;
680 }
681
682 return afs_to_nt_acl_common(afs_acl, &smb_fname->st, security_info,
683 mem_ctx, ppdesc);
684 }
685
686 static size_t afs_fto_nt_acl(struct afs_acl *afs_acl,
687 struct files_struct *fsp,
688 uint32_t security_info,
689 TALLOC_CTX *mem_ctx,
690 struct security_descriptor **ppdesc)
691 {
692 SMB_STRUCT_STAT sbuf;
693
694 if (fsp_get_pathref_fd(fsp) == -1) {
695 /* Get the stat struct for the owner info. */
696 return afs_to_nt_acl(afs_acl, fsp->conn, fsp->fsp_name,
697 security_info, mem_ctx, ppdesc);
698 }
699
700 if(SMB_VFS_FSTAT(fsp, &sbuf) != 0) {
701 return 0;
702 }
703
704 return afs_to_nt_acl_common(afs_acl, &sbuf, security_info,
705 mem_ctx, ppdesc);
706 }
707
708 static bool mappable_sid(const struct dom_sid *sid)
709 {
710 struct dom_sid domain_sid;
711
712 if (dom_sid_compare(sid, &global_sid_Builtin_Administrators) == 0)
713 return true;
714
715 if (dom_sid_compare(sid, &global_sid_World) == 0)
716 return true;
717
718 if (dom_sid_compare(sid, &global_sid_Authenticated_Users) == 0)
719 return true;
720
721 if (dom_sid_compare(sid, &global_sid_Builtin_Backup_Operators) == 0)
722 return true;
723
724 string_to_sid(&domain_sid, "S-1-5-21");
725
726 if (dom_sid_compare_domain(sid, &domain_sid) == 0)
727 return true;
728
729 return false;
730 }
731
732 static bool nt_to_afs_acl(const char *filename,
733 uint32_t security_info_sent,
734 const struct security_descriptor *psd,
735 uint32_t (*nt_to_afs_rights)(const char *filename,
736 const struct security_ace *ace),
737 struct afs_acl *afs_acl)
738 {
739 const struct security_acl *dacl;
740 int i;
741
742 /* Currently we *only* look at the dacl */
743
744 if (((security_info_sent & SECINFO_DACL) == 0) ||
745 (psd->dacl == NULL))
746 return true;
747
748 if (!init_afs_acl(afs_acl))
749 return false;
750
751 dacl = psd->dacl;
752
753 for (i = 0; i < dacl->num_aces; i++) {
754 const struct security_ace *ace = &(dacl->aces[i]);
755 const char *dom_name, *name;
756 enum lsa_SidType name_type;
757 char *p;
758
759 if (ace->type != SEC_ACE_TYPE_ACCESS_ALLOWED) {
760 /* First cut: Only positive ACEs */
761 return false;
762 }
763
764 if (!mappable_sid(&ace->trustee)) {
765 struct dom_sid_buf buf;
766 DEBUG(10, ("Ignoring unmappable SID %s\n",
767 dom_sid_str_buf(&ace->trustee, &buf)));
768 continue;
769 }
770
771 if (dom_sid_compare(&ace->trustee,
772 &global_sid_Builtin_Administrators) == 0) {
773
774 name = "system:administrators";
775
776 } else if (dom_sid_compare(&ace->trustee,
777 &global_sid_World) == 0) {
778
779 name = "system:anyuser";
780
781 } else if (dom_sid_compare(&ace->trustee,
782 &global_sid_Authenticated_Users) == 0) {
783
784 name = "system:authuser";
785
786 } else if (dom_sid_compare(&ace->trustee,
787 &global_sid_Builtin_Backup_Operators)
788 == 0) {
789
790 name = "system:backup";
791
792 } else {
793
794 if (!lookup_sid(talloc_tos(), &ace->trustee,
795 &dom_name, &name, &name_type)) {
796 struct dom_sid_buf buf;
797 DEBUG(1, ("AFSACL: Could not lookup SID %s on file %s\n",
798 dom_sid_str_buf(&ace->trustee, &buf),
799 filename));
800 continue;
801 }
802
803 if ( (name_type == SID_NAME_USER) ||
804 (name_type == SID_NAME_DOM_GRP) ||
805 (name_type == SID_NAME_ALIAS) ) {
806 char *tmp;
807 tmp = talloc_asprintf(talloc_tos(), "%s%s%s",
808 dom_name, lp_winbind_separator(),
809 name);
810 if (tmp == NULL) {
811 return false;
812 }
813 if (!strlower_m(tmp)) {
814 return false;
815 }
816 name = tmp;
817 }
818
819 if (sidpts) {
820 struct dom_sid_buf buf;
821 /* Expect all users/groups in pts as SIDs */
822 name = talloc_strdup(
823 talloc_tos(),
824 dom_sid_str_buf(&ace->trustee, &buf));
825 if (name == NULL) {
826 return false;
827 }
828 }
829 }
830
831 while ((p = strchr_m(name, ' ')) != NULL)
832 *p = space_replacement;
833
834 add_afs_ace(afs_acl, true, name,
835 nt_to_afs_rights(filename, ace));
836 }
837
838 return true;
839 }
840
841 static bool afs_get_afs_acl(const char *filename, struct afs_acl *acl)
842 {
843 struct afs_iob iob;
844
845 int ret;
846
847 char space[MAXSIZE];
848
849 DEBUG(5, ("afs_get_afs_acl: %s\n", filename));
850
851 iob.in_size = 0;
852 iob.out_size = MAXSIZE;
853 iob.in = iob.out = space;
854
855 ret = afs_syscall(AFSCALL_PIOCTL, filename, VIOCGETAL,
856 (char *)&iob, 0);
857
858 if (ret) {
859 DEBUG(1, ("got error from PIOCTL: %d\n", ret));
860 return false;
861 }
862
863 if (!init_afs_acl(acl))
864 return false;
865
866 if (!parse_afs_acl(acl, space)) {
867 DEBUG(1, ("Could not parse AFS acl\n"));
868 free_afs_acl(acl);
869 return false;
870 }
871
872 return true;
873 }
874
875 /* For setting an AFS ACL we have to take care of the ACEs we could
876 * not properly map to SIDs. Merge all of them into the new ACL. */
877
878 static void merge_unknown_aces(struct afs_acl *src, struct afs_acl *dst)
879 {
880 struct afs_ace *ace;
881
882 for (ace = src->acelist; ace != NULL; ace = ace->next)
883 {
884 struct afs_ace *copy;
885
886 if (ace->type != SID_NAME_UNKNOWN) {
887 DEBUG(10, ("Not merging known ACE for %s\n",
888 ace->name));
889 continue;
890 }
891
892 DEBUG(10, ("Merging unknown ACE for %s\n", ace->name));
893
894 copy = clone_afs_ace(dst->ctx, ace);
895
896 if (copy == NULL) {
897 DEBUG(0, ("Could not clone ACE for %s\n", ace->name));
898 continue;
899 }
900
901 copy->next = dst->acelist;
902 dst->acelist = copy;
903 dst->num_aces += 1;
904 }
905 }
906
907 static NTSTATUS afs_set_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
908 uint32_t security_info_sent,
909 const struct security_descriptor *psd)
910 {
911 struct afs_acl old_afs_acl, new_afs_acl;
912 struct afs_acl dir_acl, file_acl;
913 char acl_string[MAXSIZE];
914 struct afs_iob iob;
915 int ret = -1;
916 char *name = NULL;
917 const char *fileacls;
918
919 fileacls = lp_parm_const_string(SNUM(handle->conn), "afsacl", "fileacls",
920 "yes");
921
922 sidpts = lp_parm_bool(SNUM(handle->conn), "afsacl", "sidpts", false);
923
924 ZERO_STRUCT(old_afs_acl);
925 ZERO_STRUCT(new_afs_acl);
926 ZERO_STRUCT(dir_acl);
927 ZERO_STRUCT(file_acl);
928
929 name = talloc_strdup(talloc_tos(), fsp->fsp_name->base_name);
930 if (!name) {
931 return NT_STATUS_NO_MEMORY;
932 }
933
934 if (!fsp->fsp_flags.is_directory) {
935 /* We need to get the name of the directory containing the
936 * file, this is where the AFS acls live */
937 char *p = strrchr(name, '/');
938 if (p != NULL) {
939 *p = '\0';
940 } else {
941 name = talloc_strdup(talloc_tos(), ".");
942 if (!name) {
943 return NT_STATUS_NO_MEMORY;
944 }
945 }
946 }
947
948 if (!afs_get_afs_acl(name, &old_afs_acl)) {
949 DEBUG(3, ("Could not get old ACL of %s\n", fsp_str_dbg(fsp)));
950 goto done;
951 }
952
953 split_afs_acl(&old_afs_acl, &dir_acl, &file_acl);
954
955 if (fsp->fsp_flags.is_directory) {
956
957 if (!strequal(fileacls, "yes")) {
958 /* Throw away file acls, we depend on the
959 * inheritance ACEs that also give us file
960 * permissions */
961 free_afs_acl(&file_acl);
962 }
963
964 free_afs_acl(&dir_acl);
965 if (!nt_to_afs_acl(fsp->fsp_name->base_name,
966 security_info_sent, psd,
967 nt_to_afs_dir_rights, &dir_acl))
968 goto done;
969 } else {
970 if (strequal(fileacls, "no")) {
971 ret = -1;
972 goto done;
973 }
974
975 if (strequal(fileacls, "ignore")) {
976 ret = 0;
977 goto done;
978 }
979
980 free_afs_acl(&file_acl);
981 if (!nt_to_afs_acl(fsp->fsp_name->base_name,
982 security_info_sent, psd,
983 nt_to_afs_file_rights, &file_acl))
984 goto done;
985 }
986
987 merge_afs_acls(&dir_acl, &file_acl, &new_afs_acl);
988
989 merge_unknown_aces(&old_afs_acl, &new_afs_acl);
990
991 unparse_afs_acl(&new_afs_acl, acl_string);
992
993 iob.in = acl_string;
994 iob.in_size = 1+strlen(iob.in);
995 iob.out = NULL;
996 iob.out_size = 0;
997
998 DEBUG(10, ("trying to set acl '%s' on file %s\n", iob.in, name));
999
1000 ret = afs_syscall(AFSCALL_PIOCTL, name, VIOCSETAL, (char *)&iob, 0);
1001
1002 if (ret != 0) {
1003 DEBUG(10, ("VIOCSETAL returned %d\n", ret));
1004 }
1005
1006 done:
1007 free_afs_acl(&dir_acl);
1008 free_afs_acl(&file_acl);
1009 free_afs_acl(&old_afs_acl);
1010 free_afs_acl(&new_afs_acl);
1011
1012 return (ret == 0) ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
1013 }
1014
1015 static NTSTATUS afsacl_fget_nt_acl(struct vfs_handle_struct *handle,
1016 struct files_struct *fsp,
1017 uint32_t security_info,
1018 TALLOC_CTX *mem_ctx,
1019 struct security_descriptor **ppdesc)
1020 {
1021 struct afs_acl acl;
1022 size_t sd_size;
1023
1024 DEBUG(5, ("afsacl_fget_nt_acl: %s\n", fsp_str_dbg(fsp)));
1025
1026 sidpts = lp_parm_bool(SNUM(fsp->conn), "afsacl", "sidpts", false);
1027
1028 if (!afs_get_afs_acl(fsp->fsp_name->base_name, &acl)) {
1029 return NT_STATUS_ACCESS_DENIED;
1030 }
1031
1032 sd_size = afs_fto_nt_acl(&acl, fsp, security_info, mem_ctx, ppdesc);
1033
1034 free_afs_acl(&acl);
1035
1036 return (sd_size != 0) ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
1037 }
1038
1039 static NTSTATUS afsacl_fset_nt_acl(vfs_handle_struct *handle,
1040 files_struct *fsp,
1041 uint32_t security_info_sent,
1042 const struct security_descriptor *psd)
1043 {
1044 return afs_set_nt_acl(handle, fsp, security_info_sent, psd);
1045 }
1046
1047 static int afsacl_connect(vfs_handle_struct *handle,
1048 const char *service,
1049 const char *user)
1050 {
1051 const char *spc;
1052 int ret = SMB_VFS_NEXT_CONNECT(handle, service, user);
1053
1054 if (ret < 0) {
1055 return ret;
1056 }
1057
1058 spc = lp_parm_const_string(SNUM(handle->conn), "afsacl", "space", "%");
1059
1060 if (spc != NULL)
1061 space_replacement = spc[0];
1062
1063 return 0;
1064 }
1065
1066 /* We don't have a linear form of the AFS ACL yet */
1067 static int afsacl_sys_acl_blob_get_fd(vfs_handle_struct *handle, files_struct *fsp, TALLOC_CTX *mem_ctx, char **blob_description, DATA_BLOB *blob)
1068 {
1069 errno = ENOSYS;
1070 return -1;
1071 }
1072
1073 static struct vfs_fn_pointers vfs_afsacl_fns = {
1074 .connect_fn = afsacl_connect,
1075 .fget_nt_acl_fn = afsacl_fget_nt_acl,
1076 .fset_nt_acl_fn = afsacl_fset_nt_acl,
1077 .sys_acl_blob_get_fd_fn = afsacl_sys_acl_blob_get_fd
1078 };
1079
1080 static_decl_vfs;
1081 NTSTATUS vfs_afsacl_init(TALLOC_CTX *ctx)
1082 {
1083 return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "afsacl",
1084 &vfs_afsacl_fns);
1085 }
GSS-enabled samba4