void str_to_ace(SEC_ACE *ace, char *ace_str)
{
SEC_ACCESS sa;
struct dom_sid sid;
uint32 mask;
uint8 type, flags;
init_sec_access(&sa, mask);
init_sec_ace(ace, &sid, type, sa, flags);
}
SEC_ACL *build_acl(struct ace_entry *ace_list)
{
SEC_ACE *aces = NULL;
SEC_ACL *result;
int num_aces = 0;
if (ace_list == NULL) return NULL;
/* Create aces */
while(ace_list->sid) {
SEC_ACCESS sa;
struct dom_sid sid;
/* Create memory for new ACE */
if (!(aces = Realloc(aces,
sizeof(SEC_ACE) * (num_aces + 1)))) {
return NULL;
}
/* Create ace */
init_sec_access(&sa, ace_list->mask);
char_to_sid(&sid, ace_list->sid);
init_sec_ace(&aces[num_aces], &sid, ace_list->type,
sa, ace_list->flags);
num_aces++;
ace_list++;
}
/* Create ACL from list of ACEs */
result = make_sec_acl(ACL_REVISION, num_aces, aces);
free(aces);
return result;
}
SEC_DESC *get_share_security_default( TALLOC_CTX *ctx, size_t *psize, uint32 def_access)
{
SEC_ACCESS sa;
SEC_ACE ace;
SEC_ACL *psa = NULL;
SEC_DESC *psd = NULL;
uint32 spec_access = def_access;
se_map_generic(&spec_access, &file_generic_mapping);
init_sec_access(&sa, def_access | spec_access );
init_sec_ace(&ace, &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, 0);
if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 1, &ace)) != NULL) {
psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, psize);
}
if (!psd) {
DEBUG(0,("get_share_security: Failed to make SEC_DESC.\n"));
return NULL;
}
return psd;
}
BOOL parse_usershare_acl(TALLOC_CTX *ctx, const char *acl_str, SEC_DESC **ppsd)
{
size_t s_size = 0;
const char *pacl = acl_str;
int num_aces = 0;
SEC_ACE *ace_list = NULL;
SEC_ACL *psa = NULL;
SEC_DESC *psd = NULL;
size_t sd_size = 0;
int i;
*ppsd = NULL;
/* If the acl string is blank return "Everyone:R" */
if (!*acl_str) {
SEC_DESC *default_psd = get_share_security_default(ctx, &s_size, GENERIC_READ_ACCESS);
if (!default_psd) {
return False;
}
*ppsd = default_psd;
return True;
}
num_aces = 1;
/* Add the number of ',' characters to get the number of aces. */
num_aces += count_chars(pacl,',');
ace_list = TALLOC_ARRAY(ctx, SEC_ACE, num_aces);
if (!ace_list) {
return False;
}
for (i = 0; i < num_aces; i++) {
SEC_ACCESS sa;
uint32 g_access;
uint32 s_access;
DOM_SID sid;
fstring sidstr;
uint8 type = SEC_ACE_TYPE_ACCESS_ALLOWED;
if (!next_token(&pacl, sidstr, ":", sizeof(sidstr))) {
DEBUG(0,("parse_usershare_acl: malformed usershare acl looking "
"for ':' in string '%s'\n", pacl));
return False;
}
if (!string_to_sid(&sid, sidstr)) {
DEBUG(0,("parse_usershare_acl: failed to convert %s to sid.\n",
sidstr ));
return False;
}
switch (*pacl) {
case 'F': /* Full Control, ie. R+W */
case 'f': /* Full Control, ie. R+W */
s_access = g_access = GENERIC_ALL_ACCESS;
break;
case 'R': /* Read only. */
case 'r': /* Read only. */
s_access = g_access = GENERIC_READ_ACCESS;
break;
case 'D': /* Deny all to this SID. */
case 'd': /* Deny all to this SID. */
type = SEC_ACE_TYPE_ACCESS_DENIED;
s_access = g_access = GENERIC_ALL_ACCESS;
break;
default:
DEBUG(0,("parse_usershare_acl: unknown acl type at %s.\n",
pacl ));
return False;
}
pacl++;
if (*pacl && *pacl != ',') {
DEBUG(0,("parse_usershare_acl: bad acl string at %s.\n",
pacl ));
return False;
}
pacl++; /* Go past any ',' */
se_map_generic(&s_access, &file_generic_mapping);
init_sec_access(&sa, g_access | s_access );
init_sec_ace(&ace_list[i], &sid, type, sa, 0);
}
if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, num_aces, ace_list)) != NULL) {
psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, psa, &sd_size);
}
if (!psd) {
DEBUG(0,("parse_usershare_acl: Failed to make SEC_DESC.\n"));
return False;
}
*ppsd = psd;
return True;
}
SEC_DESC_BUF *se_create_child_secdesc(TALLOC_CTX *ctx, SEC_DESC *parent_ctr,
bool child_container)
{
SEC_DESC_BUF *sdb;
SEC_DESC *sd;
SEC_ACL *new_dacl, *the_acl;
SEC_ACE *new_ace_list = NULL;
unsigned int new_ace_list_ndx = 0, i;
size_t size;
/* Currently we only process the dacl when creating the child. The
sacl should also be processed but this is left out as sacls are
not implemented in Samba at the moment.*/
the_acl = parent_ctr->dacl;
if (the_acl->num_aces) {
if (!(new_ace_list = TALLOC_ARRAY(ctx, SEC_ACE, the_acl->num_aces)))
return NULL;
} else {
new_ace_list = NULL;
}
for (i = 0; i < the_acl->num_aces; i++) {
SEC_ACE *ace = &the_acl->aces[i];
SEC_ACE *new_ace = &new_ace_list[new_ace_list_ndx];
uint8 new_flags = 0;
bool inherit = False;
/* The OBJECT_INHERIT_ACE flag causes the ACE to be
inherited by non-container children objects. Container
children objects will inherit it as an INHERIT_ONLY
ACE. */
if (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT) {
if (!child_container) {
new_flags |= SEC_ACE_FLAG_OBJECT_INHERIT;
} else {
new_flags |= SEC_ACE_FLAG_INHERIT_ONLY;
}
inherit = True;
}
/* The CONAINER_INHERIT_ACE flag means all child container
objects will inherit and use the ACE. */
if (ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) {
if (!child_container) {
inherit = False;
} else {
new_flags |= SEC_ACE_FLAG_CONTAINER_INHERIT;
}
}
/* The INHERIT_ONLY_ACE is not used by the se_access_check()
function for the parent container, but is inherited by
all child objects as a normal ACE. */
if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
/* Move along, nothing to see here */
}
/* The SEC_ACE_FLAG_NO_PROPAGATE_INHERIT flag means the ACE
is inherited by child objects but not grandchildren
objects. We clear the object inherit and container
inherit flags in the inherited ACE. */
if (ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
new_flags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT |
SEC_ACE_FLAG_CONTAINER_INHERIT);
}
/* Add ACE to ACE list */
if (!inherit)
continue;
init_sec_access(&new_ace->access_mask, ace->access_mask);
init_sec_ace(new_ace, &ace->trustee, ace->type,
new_ace->access_mask, new_flags);
DEBUG(5, ("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x "
" inherited as %s:%d/0x%02x/0x%08x\n",
sid_string_dbg(&ace->trustee),
ace->type, ace->flags, ace->access_mask,
sid_string_dbg(&ace->trustee),
new_ace->type, new_ace->flags,
new_ace->access_mask));
new_ace_list_ndx++;
}
/* Create child security descriptor to return */
new_dacl = make_sec_acl(ctx, ACL_REVISION, new_ace_list_ndx, new_ace_list);
/* Use the existing user and group sids. I don't think this is
correct. Perhaps the user and group should be passed in as
parameters by the caller? */
sd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1,
SEC_DESC_SELF_RELATIVE,
parent_ctr->owner_sid,
parent_ctr->group_sid,
parent_ctr->sacl,
new_dacl, &size);
sdb = make_sec_desc_buf(ctx, size, sd);
return sdb;
}
static size_t afs_to_nt_acl(struct afs_acl *afs_acl,
struct files_struct *fsp,
uint32 security_info,
struct security_descriptor **ppdesc)
{
SEC_ACE *nt_ace_list;
DOM_SID owner_sid, group_sid;
SEC_ACCESS mask;
SMB_STRUCT_STAT sbuf;
SEC_ACL *psa = NULL;
int good_aces;
size_t sd_size;
TALLOC_CTX *mem_ctx = main_loop_talloc_get();
struct afs_ace *afs_ace;
if (fsp->is_directory || fsp->fh->fd == -1) {
/* Get the stat struct for the owner info. */
if(SMB_VFS_STAT(fsp->conn,fsp->fsp_name, &sbuf) != 0) {
return 0;
}
} else {
if(SMB_VFS_FSTAT(fsp,fsp->fh->fd,&sbuf) != 0) {
return 0;
}
}
uid_to_sid(&owner_sid, sbuf.st_uid);
gid_to_sid(&group_sid, sbuf.st_gid);
if (afs_acl->num_aces) {
nt_ace_list = TALLOC_ARRAY(mem_ctx, SEC_ACE, afs_acl->num_aces);
if (nt_ace_list == NULL)
return 0;
} else {
nt_ace_list = NULL;
}
afs_ace = afs_acl->acelist;
good_aces = 0;
while (afs_ace != NULL) {
uint32 nt_rights;
uint8 flag = SEC_ACE_FLAG_OBJECT_INHERIT |
SEC_ACE_FLAG_CONTAINER_INHERIT;
if (afs_ace->type == SID_NAME_UNKNOWN) {
DEBUG(10, ("Ignoring unknown name %s\n",
afs_ace->name));
afs_ace = afs_ace->next;
continue;
}
if (fsp->is_directory)
afs_to_nt_dir_rights(afs_ace->rights, &nt_rights,
&flag);
else
nt_rights = afs_to_nt_file_rights(afs_ace->rights);
init_sec_access(&mask, nt_rights);
init_sec_ace(&nt_ace_list[good_aces++], &(afs_ace->sid),
SEC_ACE_TYPE_ACCESS_ALLOWED, mask, flag);
afs_ace = afs_ace->next;
}
psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION,
good_aces, nt_ace_list);
if (psa == NULL)
return 0;
*ppdesc = make_sec_desc(mem_ctx, SEC_DESC_REVISION,
SEC_DESC_SELF_RELATIVE,
(security_info & OWNER_SECURITY_INFORMATION)
? &owner_sid : NULL,
(security_info & GROUP_SECURITY_INFORMATION)
? &group_sid : NULL,
NULL, psa, &sd_size);
return sd_size;
}
int psec_setsec(char *printer)
{
struct dom_sid user_sid, group_sid;
SEC_ACE *ace_list = NULL;
SEC_ACL *dacl = NULL;
SEC_DESC *sd;
SEC_DESC_BUF *sdb = NULL;
int result = 0, num_aces = 0;
fstring line, keystr, tdb_path;
size_t size;
prs_struct ps;
TALLOC_CTX *mem_ctx = NULL;
BOOL has_user_sid = False, has_group_sid = False;
ZERO_STRUCT(ps);
/* Open tdb for reading */
slprintf(tdb_path, sizeof(tdb_path) - 1, "%s/ntdrivers.tdb",
lp_lockdir());
tdb = tdb_open(tdb_path, 0, 0, O_RDWR, 0600);
if (!tdb) {
printf("psec: failed to open nt drivers database: %s\n",
sys_errlist[errno]);
result = 1;
goto done;
}
/* Read owner and group sid */
fgets(line, sizeof(fstring), stdin);
if (line[0] != '\n') {
string_to_sid(&user_sid, line);
has_user_sid = True;
}
fgets(line, sizeof(fstring), stdin);
if (line[0] != '\n') {
string_to_sid(&group_sid, line);
has_group_sid = True;
}
/* Read ACEs from standard input for discretionary ACL */
while(fgets(line, sizeof(fstring), stdin)) {
int ace_type, ace_flags;
uint32 ace_mask;
fstring sidstr;
struct dom_sid sid;
SEC_ACCESS sa;
if (sscanf(line, "%d %d 0x%x %s", &ace_type, &ace_flags,
&ace_mask, sidstr) != 4) {
continue;
}
string_to_sid(&sid, sidstr);
ace_list = Realloc(ace_list, sizeof(SEC_ACE) *
(num_aces + 1));
init_sec_access(&sa, ace_mask);
init_sec_ace(&ace_list[num_aces], &sid, ace_type, sa,
ace_flags);
num_aces++;
}
dacl = make_sec_acl(ACL_REVISION, num_aces, ace_list);
free(ace_list);
/* Create security descriptor */
sd = make_sec_desc(SEC_DESC_REVISION,
has_user_sid ? &user_sid : NULL,
has_group_sid ? &group_sid : NULL
int psec_setsec(char *printer)
{
DOM_SID user_sid, group_sid;
SEC_ACE *ace_list = NULL;
SEC_ACL *dacl = NULL;
SEC_DESC *sd;
SEC_DESC_BUF *sdb = NULL;
int result = 0, num_aces = 0;
fstring line, keystr, tdb_path;
size_t size;
prs_struct ps;
TALLOC_CTX *mem_ctx = NULL;
BOOL has_user_sid = False, has_group_sid = False;
ZERO_STRUCT(ps);
/* Open tdb for reading */
slprintf(tdb_path, sizeof(tdb_path) - 1, "%s/ntdrivers.tdb",
lp_lockdir());
tdb = tdb_open(tdb_path, 0, 0, O_RDWR, 0600);
if (!tdb) {
printf("psec: failed to open nt drivers database: %s\n",
sys_errlist[errno]);
result = 1;
goto done;
}
/* Read owner and group sid */
fgets(line, sizeof(fstring), stdin);
if (line[0] != '\n') {
string_to_sid(&user_sid, line);
has_user_sid = True;
}
fgets(line, sizeof(fstring), stdin);
if (line[0] != '\n') {
string_to_sid(&group_sid, line);
has_group_sid = True;
}
/* Read ACEs from standard input for discretionary ACL */
while(fgets(line, sizeof(fstring), stdin)) {
int ace_type, ace_flags;
uint32 ace_mask;
fstring sidstr;
DOM_SID sid;
SEC_ACCESS sa;
if (sscanf(line, "%d %d 0x%x %s", &ace_type, &ace_flags,
&ace_mask, sidstr) != 4) {
continue;
}
string_to_sid(&sid, sidstr);
ace_list = Realloc(ace_list, sizeof(SEC_ACE) *
(num_aces + 1));
init_sec_access(&sa, ace_mask);
init_sec_ace(&ace_list[num_aces], &sid, ace_type, sa,
ace_flags);
num_aces++;
}
dacl = make_sec_acl(ACL_REVISION, num_aces, ace_list);
free(ace_list);
/* Create security descriptor */
sd = make_sec_desc(SEC_DESC_REVISION,
has_user_sid ? &user_sid : NULL,
has_group_sid ? &group_sid : NULL,
NULL, /* System ACL */
dacl, /* Discretionary ACL */
&size);
free_sec_acl(&dacl);
sdb = make_sec_desc_buf(size, sd);
free_sec_desc(&sd);
/* Write security descriptor to tdb */
mem_ctx = talloc_init();
if (!mem_ctx) {
printf("memory allocation error\n");
result = 1;
goto done;
}
prs_init(&ps, (uint32)sec_desc_size(sdb->sec) +
sizeof(SEC_DESC_BUF), 4, mem_ctx, MARSHALL);
if (!sec_io_desc_buf("nt_printing_setsec", &sdb, &ps, 1)) {
printf("sec_io_desc_buf failed\n");
goto done;
}
slprintf(keystr, sizeof(keystr) - 1, "SECDESC/%s", printer);
if (!tdb_prs_store(tdb, keystr, &ps)==0) {
printf("Failed to store secdesc for %s\n", printer);
goto done;
}
done:
if (tdb) tdb_close(tdb);
if (sdb) free_sec_desc_buf(&sdb);
if (mem_ctx) talloc_destroy(mem_ctx);
prs_mem_free(&ps);
return result;
}
