Beispiel #1
0
/**
 * Turn struct ifs_identity into SID
 */
static bool
onefs_identity_to_sid(struct ifs_identity *id, struct dom_sid *sid)
{
	if (!id || !sid)
		return false;

	if (id->type >= IFS_ID_TYPE_LAST)
		return false;

	switch (id->type) {
	    case IFS_ID_TYPE_UID:
	        uid_to_sid(sid, id->id.uid);
		break;
	    case IFS_ID_TYPE_GID:
		gid_to_sid(sid, id->id.gid);
		break;
	    case IFS_ID_TYPE_EVERYONE:
		sid_copy(sid, &global_sid_World);
		break;
	    case IFS_ID_TYPE_NULL:
		sid_copy(sid, &global_sid_NULL);
		break;
	    case IFS_ID_TYPE_CREATOR_OWNER:
		sid_copy(sid, &global_sid_Creator_Owner);
		break;
	    case IFS_ID_TYPE_CREATOR_GROUP:
		sid_copy(sid, &global_sid_Creator_Group);
		break;
	    default:
		DEBUG(0, ("Unknown identity type: %d\n", id->type));
		return false;
	}

	return true;
}
Beispiel #2
0
static NTSTATUS smb_get_nt_acl_nfs4_common(const SMB_STRUCT_STAT *sbuf,
					   smbacl4_vfs_params *params,
					   uint32_t security_info,
					   TALLOC_CTX *mem_ctx,
					   struct security_descriptor **ppdesc,
					   struct SMB4ACL_T *theacl)
{
	int good_aces = 0;
	struct dom_sid sid_owner, sid_group;
	size_t sd_size = 0;
	struct security_ace *nt_ace_list = NULL;
	struct security_acl *psa = NULL;
	TALLOC_CTX *frame = talloc_stackframe();
	bool ok;

	if (theacl==NULL) {
		TALLOC_FREE(frame);
		return NT_STATUS_ACCESS_DENIED; /* special because we
						 * need to think through
						 * the null case.*/
	}

	uid_to_sid(&sid_owner, sbuf->st_ex_uid);
	gid_to_sid(&sid_group, sbuf->st_ex_gid);

	ok = smbacl4_nfs42win(frame, params, theacl, &sid_owner, &sid_group,
			      S_ISDIR(sbuf->st_ex_mode),
			      &nt_ace_list, &good_aces);
	if (!ok) {
		DEBUG(8,("smbacl4_nfs42win failed\n"));
		TALLOC_FREE(frame);
		return map_nt_error_from_unix(errno);
	}

	psa = make_sec_acl(frame, NT4_ACL_REVISION, good_aces, nt_ace_list);
	if (psa == NULL) {
		DEBUG(2,("make_sec_acl failed\n"));
		TALLOC_FREE(frame);
		return NT_STATUS_NO_MEMORY;
	}

	DEBUG(10,("after make sec_acl\n"));
	*ppdesc = make_sec_desc(
		mem_ctx, SD_REVISION, smbacl4_get_controlflags(theacl),
		(security_info & SECINFO_OWNER) ? &sid_owner : NULL,
		(security_info & SECINFO_GROUP) ? &sid_group : NULL,
		NULL, psa, &sd_size);
	if (*ppdesc==NULL) {
		DEBUG(2,("make_sec_desc failed\n"));
		TALLOC_FREE(frame);
		return NT_STATUS_NO_MEMORY;
	}

	DEBUG(10, ("smb_get_nt_acl_nfs4_common successfully exited with "
		   "sd_size %d\n",
		   (int)ndr_size_security_descriptor(*ppdesc, 0)));

	TALLOC_FREE(frame);
	return NT_STATUS_OK;
}
Beispiel #3
0
BOOL afs_login(connection_struct *conn)
{
	DATA_BLOB ticket;
	pstring afs_username;
	char *cell;
	BOOL result;
	char *ticket_str;
	DOM_SID user_sid;

	struct ClearToken ct;

	pstrcpy(afs_username, lp_afs_username_map());
	standard_sub_conn(conn, afs_username, sizeof(afs_username));

	if (NT_STATUS_IS_OK(uid_to_sid(&user_sid, conn->uid)))
		pstring_sub(afs_username, "%s", sid_string_static(&user_sid));

	/* The pts command always generates completely lower-case user
	 * names. */
	strlower_m(afs_username);

	cell = strchr(afs_username, '@');

	if (cell == NULL) {
		DEBUG(1, ("AFS username doesn't contain a @, "
			  "could not find cell\n"));
		return False;
	}

	*cell = '\0';
	cell += 1;

	DEBUG(10, ("Trying to log into AFS for user %s@%s\n", 
		   afs_username, cell));

	if (!afs_createtoken(afs_username, cell, &ticket, &ct))
		return False;

	/* For which Unix-UID do we want to set the token? */
	ct.ViceId = getuid();

	ticket_str = afs_encode_token(cell, ticket, &ct);

	result = afs_settoken_str(ticket_str);

	SAFE_FREE(ticket_str);

	data_blob_free(&ticket);

	return result;
}
Beispiel #4
0
static size_t afs_to_nt_acl_common(struct afs_acl *afs_acl,
                                   SMB_STRUCT_STAT *psbuf,
                                   uint32 security_info,
                                   struct security_descriptor **ppdesc)
{
    struct security_ace *nt_ace_list;
    struct dom_sid owner_sid, group_sid;
    struct security_acl *psa = NULL;
    int good_aces;
    size_t sd_size;
    TALLOC_CTX *mem_ctx = talloc_tos();

    struct afs_ace *afs_ace;

    uid_to_sid(&owner_sid, psbuf->st_ex_uid);
    gid_to_sid(&group_sid, psbuf->st_ex_gid);

    if (afs_acl->num_aces) {
        nt_ace_list = talloc_array(mem_ctx, struct security_ace, afs_acl->num_aces);

        if (nt_ace_list == NULL)
            return 0;
    } else {
Beispiel #5
0
static struct security_descriptor *default_file_sd(TALLOC_CTX *mem_ctx,
						SMB_STRUCT_STAT *psbuf)
{
	struct dom_sid owner_sid, group_sid;
	size_t sd_size;
	struct security_ace *pace = NULL;
	struct security_acl *pacl = NULL;

	uid_to_sid(&owner_sid, psbuf->st_uid);
	gid_to_sid(&group_sid, psbuf->st_gid);

	pace = TALLOC_ARRAY(mem_ctx, struct security_ace, 2);
	if (!pace) {
		return NULL;
	}

	init_sec_ace(&pace[0], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
			SEC_RIGHTS_FILE_ALL, 0);
	init_sec_ace(&pace[1], &global_sid_System, SEC_ACE_TYPE_ACCESS_ALLOWED,
			SEC_RIGHTS_FILE_ALL, 0);

	pacl = make_sec_acl(mem_ctx,
				NT4_ACL_REVISION,
				2,
				pace);
	if (!pacl) {
		return NULL;
	}
	return make_sec_desc(mem_ctx,
			SECURITY_DESCRIPTOR_REVISION_1,
			SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
			&owner_sid,
			&group_sid,
			NULL,
                        pacl,
			&sd_size);
}
Beispiel #6
0
static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx,
                             smbacl4_vfs_params *params,
                             SMB4ACL_T *theacl, /* in */
                             struct dom_sid *psid_owner, /* in */
                             struct dom_sid *psid_group, /* in */
                             bool is_directory, /* in */
                             struct security_ace **ppnt_ace_list, /* out */
                             int *pgood_aces /* out */
                            )
{
    SMB_ACL4_INT_T *aclint = (SMB_ACL4_INT_T *)theacl;
    SMB_ACE4_INT_T *aceint;
    struct security_ace *nt_ace_list = NULL;
    int good_aces = 0;

    DEBUG(10, ("smbacl_nfs42win entered\n"));

    aclint = get_validated_aclint(theacl);
    /* We do not check for naces being 0 or theacl being NULL here
       because it is done upstream in smb_get_nt_acl_nfs4().
       We reserve twice the number of input aces because one nfs4
       ace might result in 2 nt aces.*/
    nt_ace_list = (struct security_ace *)TALLOC_ZERO_SIZE(
                      mem_ctx, 2 * aclint->naces * sizeof(struct security_ace));
    if (nt_ace_list==NULL)
    {
        DEBUG(10, ("talloc error"));
        errno = ENOMEM;
        return false;
    }

    for (aceint=aclint->first;
            aceint!=NULL;
            aceint=(SMB_ACE4_INT_T *)aceint->next) {
        uint32_t mask;
        struct dom_sid sid;
        SMB_ACE4PROP_T	*ace = &aceint->prop;
        uint32_t win_ace_flags;

        DEBUG(10, ("magic: 0x%x, type: %d, iflags: %x, flags: %x, "
                   "mask: %x, who: %d\n",
                   aceint->magic, ace->aceType, ace->flags,
                   ace->aceFlags, ace->aceMask, ace->who.id));

        SMB_ASSERT(aceint->magic==SMB_ACE4_INT_MAGIC);

        if (ace->flags & SMB_ACE4_ID_SPECIAL) {
            switch (ace->who.special_id) {
            case SMB_ACE4_WHO_OWNER:
                sid_copy(&sid, psid_owner);
                break;
            case SMB_ACE4_WHO_GROUP:
                sid_copy(&sid, psid_group);
                break;
            case SMB_ACE4_WHO_EVERYONE:
                sid_copy(&sid, &global_sid_World);
                break;
            default:
                DEBUG(8, ("invalid special who id %d "
                          "ignored\n", ace->who.special_id));
                continue;
            }
        } else {
            if (ace->aceFlags & SMB_ACE4_IDENTIFIER_GROUP) {
                gid_to_sid(&sid, ace->who.gid);
            } else {
                uid_to_sid(&sid, ace->who.uid);
            }
        }
        DEBUG(10, ("mapped %d to %s\n", ace->who.id,
                   sid_string_dbg(&sid)));

        if (is_directory && (ace->aceMask & SMB_ACE4_ADD_FILE)) {
            ace->aceMask |= SMB_ACE4_DELETE_CHILD;
        }

        if (!is_directory && params->map_full_control) {
            /*
             * Do we have all access except DELETE_CHILD
             * (not caring about the delete bit).
             */
            uint32_t test_mask = ((ace->aceMask|SMB_ACE4_DELETE|SMB_ACE4_DELETE_CHILD) &
                                  SMB_ACE4_ALL_MASKS);
            if (test_mask == SMB_ACE4_ALL_MASKS) {
                ace->aceMask |= SMB_ACE4_DELETE_CHILD;
            }
        }

        win_ace_flags = map_nfs4_ace_flags_to_windows_ace_flags(
                            ace->aceFlags);
        if (!is_directory &&
                (win_ace_flags & (SEC_ACE_FLAG_OBJECT_INHERIT|
                                  SEC_ACE_FLAG_CONTAINER_INHERIT))) {
            /*
             * GPFS sets inherits dir_inhert and file_inherit flags
             * to files, too, which confuses windows, and seems to
             * be wrong anyways. ==> Map these bits away for files.
             */
            DEBUG(10, ("removing inherit flags from nfs4 ace\n"));
            win_ace_flags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT|
                               SEC_ACE_FLAG_CONTAINER_INHERIT);
        }
        DEBUG(10, ("Windows mapped ace flags: 0x%x => 0x%x\n",
                   ace->aceFlags, win_ace_flags));

        mask = ace->aceMask;
        /* Windows clients expect SYNC on acls to
           correctly allow rename. See bug #7909. */
        /* But not on DENY ace entries. See
           bug #8442. */
        if(ace->aceType == SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE) {
            mask = ace->aceMask | SMB_ACE4_SYNCHRONIZE;
        }

        /* Mapping of owner@ and group@ to creator owner and
           creator group. Keep old behavior in mode special. */
        if (params->mode != e_special &&
                ace->flags & SMB_ACE4_ID_SPECIAL &&
                (ace->who.special_id == SMB_ACE4_WHO_OWNER ||
                 ace->who.special_id == SMB_ACE4_WHO_GROUP)) {
            DEBUG(10, ("Map special entry\n"));
            if (!(win_ace_flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
                uint32_t win_ace_flags_current;
                DEBUG(10, ("Map current sid\n"));
                win_ace_flags_current = win_ace_flags &
                                        ~(SEC_ACE_FLAG_OBJECT_INHERIT |
                                          SEC_ACE_FLAG_CONTAINER_INHERIT);
                init_sec_ace(&nt_ace_list[good_aces++], &sid,
                             ace->aceType, mask,
                             win_ace_flags_current);
            }
            if (ace->who.special_id == SMB_ACE4_WHO_OWNER &&
                    win_ace_flags & (SEC_ACE_FLAG_OBJECT_INHERIT |
                                     SEC_ACE_FLAG_CONTAINER_INHERIT)) {
                uint32_t win_ace_flags_creator;
                DEBUG(10, ("Map creator owner\n"));
                win_ace_flags_creator = win_ace_flags |
                                        SMB_ACE4_INHERIT_ONLY_ACE;
                init_sec_ace(&nt_ace_list[good_aces++],
                             &global_sid_Creator_Owner,
                             ace->aceType, mask,
                             win_ace_flags_creator);
            }
            if (ace->who.special_id == SMB_ACE4_WHO_GROUP &&
                    win_ace_flags & (SEC_ACE_FLAG_OBJECT_INHERIT |
                                     SEC_ACE_FLAG_CONTAINER_INHERIT)) {
                uint32_t win_ace_flags_creator;
                DEBUG(10, ("Map creator owner group\n"));
                win_ace_flags_creator = win_ace_flags |
                                        SMB_ACE4_INHERIT_ONLY_ACE;
                init_sec_ace(&nt_ace_list[good_aces++],
                             &global_sid_Creator_Group,
                             ace->aceType, mask,
                             win_ace_flags_creator);
            }
        } else {
            DEBUG(10, ("Map normal sid\n"));
            init_sec_ace(&nt_ace_list[good_aces++], &sid,
                         ace->aceType, mask,
                         win_ace_flags);
        }
    }

    nt_ace_list = (struct security_ace *)TALLOC_REALLOC(mem_ctx,
                  nt_ace_list,
                  good_aces * sizeof(struct security_ace));
    if (nt_ace_list == NULL) {
        errno = ENOMEM;
        return false;
    }

    *ppnt_ace_list = nt_ace_list;
    *pgood_aces = good_aces;

    return true;
}
Beispiel #7
0
int vfs_get_user_ntquota_list(files_struct *fsp, SMB_NTQUOTA_LIST **qt_list)
{
	struct passwd *usr;
	TALLOC_CTX *mem_ctx = NULL;

	if (!fsp||!fsp->conn||!qt_list)
		return (-1);

	*qt_list = NULL;

	if ((mem_ctx=talloc_init("SMB_USER_QUOTA_LIST"))==NULL) {
		DEBUG(0,("talloc_init() failed\n"));
		return (-1);
	}

	sys_setpwent();
	while ((usr = sys_getpwent()) != NULL) {
		SMB_NTQUOTA_STRUCT tmp_qt;
		SMB_NTQUOTA_LIST *tmp_list_ent;
		DOM_SID	sid;

		ZERO_STRUCT(tmp_qt);

		if (allready_in_quota_list((*qt_list),usr->pw_uid)) {
			DEBUG(5,("record for uid[%ld] allready in the list\n",(long)usr->pw_uid));
			continue;
		}

		uid_to_sid(&sid, usr->pw_uid);

		if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &tmp_qt)!=0) {
			DEBUG(5,("no quota entry for sid[%s] path[%s]\n",
				sid_string_static(&sid),fsp->conn->connectpath));
			continue;
		}

		DEBUG(15,("quota entry for id[%s] path[%s]\n",
			sid_string_static(&sid),fsp->conn->connectpath));

		if ((tmp_list_ent=TALLOC_ZERO_P(mem_ctx,SMB_NTQUOTA_LIST))==NULL) {
			DEBUG(0,("TALLOC_ZERO() failed\n"));
			*qt_list = NULL;
			talloc_destroy(mem_ctx);
			return (-1);
		}

		if ((tmp_list_ent->quotas=TALLOC_ZERO_P(mem_ctx,SMB_NTQUOTA_STRUCT))==NULL) {
			DEBUG(0,("TALLOC_ZERO() failed\n"));
			*qt_list = NULL;
			talloc_destroy(mem_ctx);
			return (-1);
		}

		tmp_list_ent->uid = usr->pw_uid;
		memcpy(tmp_list_ent->quotas,&tmp_qt,sizeof(tmp_qt));
		tmp_list_ent->mem_ctx = mem_ctx;

		DLIST_ADD((*qt_list),tmp_list_ent);
		
	}
	sys_endpwent();

	return 0;
}
Beispiel #8
0
static size_t afs_to_nt_acl(struct afs_acl *afs_acl, 
			    struct files_struct *fsp,
			    uint32 security_info,
			    struct security_descriptor **ppdesc)
{
	SEC_ACE *nt_ace_list;
	DOM_SID owner_sid, group_sid;
	SEC_ACCESS mask;
	SMB_STRUCT_STAT sbuf;
	SEC_ACL *psa = NULL;
	int good_aces;
	size_t sd_size;
	TALLOC_CTX *mem_ctx = main_loop_talloc_get();

	struct afs_ace *afs_ace;

	if (fsp->is_directory || fsp->fh->fd == -1) {
		/* Get the stat struct for the owner info. */
		if(SMB_VFS_STAT(fsp->conn,fsp->fsp_name, &sbuf) != 0) {
			return 0;
		}
	} else {
		if(SMB_VFS_FSTAT(fsp,fsp->fh->fd,&sbuf) != 0) {
			return 0;
		}
	}

	uid_to_sid(&owner_sid, sbuf.st_uid);
	gid_to_sid(&group_sid, sbuf.st_gid);

	if (afs_acl->num_aces) {
		nt_ace_list = TALLOC_ARRAY(mem_ctx, SEC_ACE, afs_acl->num_aces);

		if (nt_ace_list == NULL)
			return 0;
	} else {
		nt_ace_list = NULL;
	}

	afs_ace = afs_acl->acelist;
	good_aces = 0;

	while (afs_ace != NULL) {
		uint32 nt_rights;
		uint8 flag = SEC_ACE_FLAG_OBJECT_INHERIT |
			SEC_ACE_FLAG_CONTAINER_INHERIT;

		if (afs_ace->type == SID_NAME_UNKNOWN) {
			DEBUG(10, ("Ignoring unknown name %s\n",
				   afs_ace->name));
			afs_ace = afs_ace->next;
			continue;
		}

		if (fsp->is_directory)
			afs_to_nt_dir_rights(afs_ace->rights, &nt_rights,
					     &flag);
		else
			nt_rights = afs_to_nt_file_rights(afs_ace->rights);

		init_sec_access(&mask, nt_rights);
		init_sec_ace(&nt_ace_list[good_aces++], &(afs_ace->sid),
			     SEC_ACE_TYPE_ACCESS_ALLOWED, mask, flag);
		afs_ace = afs_ace->next;
	}

	psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION,
			   good_aces, nt_ace_list);
	if (psa == NULL)
		return 0;

	
	*ppdesc = make_sec_desc(mem_ctx, SEC_DESC_REVISION,
				SEC_DESC_SELF_RELATIVE,
				(security_info & OWNER_SECURITY_INFORMATION)
				? &owner_sid : NULL,
				(security_info & GROUP_SECURITY_INFORMATION)
				? &group_sid : NULL,
				NULL, psa, &sd_size);

	return sd_size;
}
Beispiel #9
0
static size_t afs_to_nt_acl_common(struct afs_acl *afs_acl,
				   SMB_STRUCT_STAT *psbuf,
				   uint32 security_info,
				   struct security_descriptor **ppdesc)
{
	SEC_ACE *nt_ace_list;
	DOM_SID owner_sid, group_sid;
	SEC_ACL *psa = NULL;
	int good_aces;
	size_t sd_size;
	TALLOC_CTX *mem_ctx = talloc_tos();

	struct afs_ace *afs_ace;

	uid_to_sid(&owner_sid, psbuf->st_uid);
	gid_to_sid(&group_sid, psbuf->st_gid);

	if (afs_acl->num_aces) {
		nt_ace_list = TALLOC_ARRAY(mem_ctx, SEC_ACE, afs_acl->num_aces);

		if (nt_ace_list == NULL)
			return 0;
	} else {
		nt_ace_list = NULL;
	}

	afs_ace = afs_acl->acelist;
	good_aces = 0;

	while (afs_ace != NULL) {
		uint32_t nt_rights;
		uint8 flag = SEC_ACE_FLAG_OBJECT_INHERIT |
			SEC_ACE_FLAG_CONTAINER_INHERIT;

		if (afs_ace->type == SID_NAME_UNKNOWN) {
			DEBUG(10, ("Ignoring unknown name %s\n",
				   afs_ace->name));
			afs_ace = afs_ace->next;
			continue;
		}

		if (S_ISDIR(psbuf->st_mode))
			afs_to_nt_dir_rights(afs_ace->rights, &nt_rights,
					     &flag);
		else
			nt_rights = afs_to_nt_file_rights(afs_ace->rights);

		init_sec_ace(&nt_ace_list[good_aces++], &(afs_ace->sid),
			     SEC_ACE_TYPE_ACCESS_ALLOWED, nt_rights, flag);
		afs_ace = afs_ace->next;
	}

	psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION,
			   good_aces, nt_ace_list);
	if (psa == NULL)
		return 0;

	*ppdesc = make_sec_desc(mem_ctx, SEC_DESC_REVISION,
				SEC_DESC_SELF_RELATIVE,
				(security_info & OWNER_SECURITY_INFORMATION)
				? &owner_sid : NULL,
				(security_info & GROUP_SECURITY_INFORMATION)
				? &group_sid : NULL,
				NULL, psa, &sd_size);

	return sd_size;
}