/*
 * Derive a child security descriptor from parent_ctr, keeping the
 * parent's own owner and group SIDs, and hand it back wrapped in a
 * SEC_DESC_BUF allocated on ctx.
 *
 * On any failure *ppsdb is left NULL and the failing status is
 * returned. container is passed through to se_create_child_secdesc()
 * unchanged (other callers on this page pass an is_directory flag in
 * that position).
 */
NTSTATUS se_create_child_secdesc_buf(TALLOC_CTX *ctx,
					SEC_DESC_BUF **ppsdb,
					const SEC_DESC *parent_ctr,
					bool container)
{
	SEC_DESC *child_sd = NULL;
	size_t child_len = 0;
	NTSTATUS ret;

	/* Clear the out-parameter first so every error path is consistent. */
	*ppsdb = NULL;

	ret = se_create_child_secdesc(ctx,
				      &child_sd,
				      &child_len,
				      parent_ctr,
				      parent_ctr->owner_sid,
				      parent_ctr->group_sid,
				      container);
	if (!NT_STATUS_IS_OK(ret)) {
		return ret;
	}

	*ppsdb = make_sec_desc_buf(ctx, child_len, child_sd);
	return (*ppsdb != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
}
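/*
 * Apply an inherited ACL to a freshly created file or directory.
 *
 * If parent_desc has no components that would be inherited by this kind
 * of object, nothing is written and NT_STATUS_OK is returned. Otherwise
 * a child descriptor is derived from parent_desc, with the token's
 * primary user and group SIDs (server_info->ptok) as owner and group,
 * and set on fsp through SMB_VFS_FSET_NT_ACL.
 *
 * Only owner, group and DACL are written; the SACL is not set here.
 * Returns the status of se_create_child_secdesc() or of the VFS call.
 */
static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
					files_struct *fsp,
					struct security_descriptor *parent_desc,
					bool is_directory)
{
	TALLOC_CTX *ctx = talloc_tos();
	NTSTATUS status = NT_STATUS_OK;
	struct security_descriptor *psd = NULL;
	size_t size;

	if (!sd_has_inheritable_components(parent_desc, is_directory)) {
		return NT_STATUS_OK;
	}

	/* Create an inherited descriptor from the parent. */

	if (DEBUGLEVEL >= 10) {
		DEBUG(10,("inherit_new_acl: parent acl for %s is:\n",
			fsp_str_dbg(fsp) ));
		NDR_PRINT_DEBUG(security_descriptor, parent_desc);
	}

	status = se_create_child_secdesc(ctx,
			&psd,
			&size,
			parent_desc,
			&handle->conn->server_info->ptok->user_sids[PRIMARY_USER_SID_INDEX],
			&handle->conn->server_info->ptok->user_sids[PRIMARY_GROUP_SID_INDEX],
			is_directory);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	if (DEBUGLEVEL >= 10) {
		/*
		 * Dump the descriptor that is actually applied below (the
		 * child, psd), not the parent already printed above.
		 */
		DEBUG(10,("inherit_new_acl: child acl for %s is:\n",
			fsp_str_dbg(fsp) ));
		NDR_PRINT_DEBUG(security_descriptor, psd);
	}

	return SMB_VFS_FSET_NT_ACL(fsp,
				(OWNER_SECURITY_INFORMATION |
				 GROUP_SECURITY_INFORMATION |
				 DACL_SECURITY_INFORMATION),
				psd);
}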
/*
 * Stat the object a default descriptor is being built for, preferring
 * the open file handle when there is one. Returns the raw result of the
 * SMB_VFS_*STAT call (-1 on failure); the caller reads errno afterwards.
 */
static int stat_for_default_sd(vfs_handle_struct *handle,
				const char *fname,
				files_struct *fsp,
				SMB_STRUCT_STAT *sbuf)
{
	if (fsp != NULL && !fsp->is_directory && fsp->fh->fd != -1) {
		return SMB_VFS_FSTAT(fsp, sbuf);
	}
	if (fsp != NULL && fsp->posix_open) {
		return SMB_VFS_LSTAT(handle->conn, fname, sbuf);
	}
	return SMB_VFS_STAT(handle->conn, fname, sbuf);
}

/*
 * Store an ACL blob for a newly created object at fname (or on fsp when
 * it is open), inherited from the xattr-stored ACL of its parent
 * directory.
 *
 * The parent ACL is fetched with owner, group and DACL information and a
 * child descriptor is derived from it, owned by the token's primary user
 * and group SIDs (server_info->ptok). If the parent ACL cannot be read
 * for any reason, or the derived descriptor has no DACL, a default
 * descriptor built from the object's stat information is stored instead.
 *
 * Returns NT_STATUS_NO_MEMORY on allocation failure, the status of
 * se_create_child_secdesc() / create_acl_blob() when they fail, a
 * mapped errno when the stat fails, or the result of the store call.
 */
static NTSTATUS inherit_new_acl(vfs_handle_struct *handle,
					const char *fname,
					files_struct *fsp,
					bool container)
{
	TALLOC_CTX *ctx = talloc_tos();
	struct security_descriptor *parent_desc = NULL;
	struct security_descriptor *psd = NULL;
	char *parent_name = NULL;
	size_t psd_size;
	DATA_BLOB blob;
	NTSTATUS status;

	if (!parent_dirname(ctx, fname, &parent_name, NULL)) {
		return NT_STATUS_NO_MEMORY;
	}

	DEBUG(10,("inherit_new_acl: check directory %s\n",
			parent_name));

	status = get_nt_acl_xattr_internal(handle,
					NULL,
					parent_name,
					(OWNER_SECURITY_INFORMATION |
					 GROUP_SECURITY_INFORMATION |
					 DACL_SECURITY_INFORMATION),
					&parent_desc);
	if (!NT_STATUS_IS_OK(status)) {
		/*
		 * Any failure to read the parent ACL, not only a missing
		 * one, is logged and then degraded to the default
		 * descriptor built further down.
		 */
		DEBUG(10,("inherit_new_acl: directory %s failed "
			"to get acl %s\n",
			parent_name,
			nt_errstr(status) ));
	} else {
		/* Create an inherited descriptor from the parent. */

		if (DEBUGLEVEL >= 10) {
			DEBUG(10,("inherit_new_acl: parent acl is:\n"));
			NDR_PRINT_DEBUG(security_descriptor, parent_desc);
		}

		status = se_create_child_secdesc(ctx,
				&psd,
				&psd_size,
				parent_desc,
				&handle->conn->server_info->ptok->user_sids[PRIMARY_USER_SID_INDEX],
				&handle->conn->server_info->ptok->user_sids[PRIMARY_GROUP_SID_INDEX],
				container);
		if (!NT_STATUS_IS_OK(status)) {
			return status;
		}

		if (DEBUGLEVEL >= 10) {
			DEBUG(10,("inherit_new_acl: child acl is:\n"));
			NDR_PRINT_DEBUG(security_descriptor, psd);
		}
	}

	if (psd == NULL || psd->dacl == NULL) {
		SMB_STRUCT_STAT sbuf;

		/* Nothing usable was inherited; fall back to a stat-based default. */
		TALLOC_FREE(psd);
		if (stat_for_default_sd(handle, fname, fsp, &sbuf) == -1) {
			return map_nt_error_from_unix(errno);
		}
		psd = default_file_sd(ctx, &sbuf);
		if (psd == NULL) {
			return NT_STATUS_NO_MEMORY;
		}

		if (DEBUGLEVEL >= 10) {
			DEBUG(10,("inherit_new_acl: default acl is:\n"));
			NDR_PRINT_DEBUG(security_descriptor, psd);
		}
	}

	status = create_acl_blob(psd, &blob);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	return (fsp != NULL)
		? store_acl_blob_fsp(handle, fsp, &blob)
		: store_acl_blob_pathname(handle, fname, &blob);
}