BOOL share_access_check(const NT_USER_TOKEN *token, const char *sharename,
uint32 desired_access)
{
uint32 granted;
NTSTATUS status;
TALLOC_CTX *mem_ctx = NULL;
SEC_DESC *psd = NULL;
size_t sd_size;
BOOL ret = True;
if (!(mem_ctx = talloc_init("share_access_check"))) {
return False;
}
psd = get_share_security(mem_ctx, sharename, &sd_size);
if (!psd) {
TALLOC_FREE(mem_ctx);
return True;
}
ret = se_access_check(psd, token, desired_access, &granted, &status);
talloc_destroy(mem_ctx);
return ret;
}
bool share_access_check(const struct security_token *token,
const char *sharename,
uint32 desired_access,
uint32_t *pgranted)
{
uint32 granted;
NTSTATUS status;
struct security_descriptor *psd = NULL;
size_t sd_size;
psd = get_share_security(talloc_tos(), sharename, &sd_size);
if (!psd) {
if (pgranted != NULL) {
*pgranted = desired_access;
}
return false;
}
status = se_access_check(psd, token, desired_access, &granted);
TALLOC_FREE(psd);
if (pgranted != NULL) {
*pgranted = granted;
}
return NT_STATUS_IS_OK(status);
}
bool share_access_check(const NT_USER_TOKEN *token, const char *sharename,
uint32 desired_access)
{
uint32 granted;
NTSTATUS status;
SEC_DESC *psd = NULL;
size_t sd_size;
psd = get_share_security(talloc_tos(), sharename, &sd_size);
if (!psd) {
return True;
}
status = se_access_check(psd, token, desired_access, &granted);
TALLOC_FREE(psd);
return NT_STATUS_IS_OK(status);
}
/*
* Expose a new share using libsmbconf, cloning the existing configuration
* from the base share. The base share may be defined in either the registry
* or smb.conf.
* XXX this is called as root
*/
static uint32_t fss_sc_expose(struct smbconf_ctx *fconf_ctx,
struct smbconf_ctx *rconf_ctx,
TALLOC_CTX *mem_ctx,
struct fss_sc *sc)
{
struct fss_sc_smap *sc_smap;
uint32_t err = 0;
for (sc_smap = sc->smaps; sc_smap; sc_smap = sc_smap->next) {
sbcErr cerr;
struct smbconf_service *base_service = NULL;
struct security_descriptor *sd;
size_t sd_size;
cerr = fss_conf_get_share_def(fconf_ctx, rconf_ctx, mem_ctx,
sc_smap->share_name, &base_service);
if (!SBC_ERROR_IS_OK(cerr)) {
DEBUG(0, ("failed to get base share %s definition: "
"%s\n", sc_smap->share_name,
sbcErrorString(cerr)));
err = HRES_ERROR_V(HRES_E_FAIL);
break;
}
/* smap share name already defined when added */
err = map_share_comment(sc_smap, sc);
if (err) {
DEBUG(0, ("failed to map share comment\n"));
break;
}
base_service->name = sc_smap->sc_share_name;
cerr = smbconf_create_set_share(rconf_ctx, base_service);
if (!SBC_ERROR_IS_OK(cerr)) {
DEBUG(0, ("failed to create share %s: %s\n",
base_service->name, sbcErrorString(cerr)));
err = HRES_ERROR_V(HRES_E_FAIL);
break;
}
cerr = smbconf_set_parameter(rconf_ctx, sc_smap->sc_share_name,
"path", sc->sc_path);
if (!SBC_ERROR_IS_OK(cerr)) {
DEBUG(0, ("failed to set path param: %s\n",
sbcErrorString(cerr)));
err = HRES_ERROR_V(HRES_E_FAIL);
break;
}
if (sc_smap->sc_share_comment != NULL) {
cerr = smbconf_set_parameter(rconf_ctx,
sc_smap->sc_share_name,
"comment",
sc_smap->sc_share_comment);
if (!SBC_ERROR_IS_OK(cerr)) {
DEBUG(0, ("failed to set comment param: %s\n",
sbcErrorString(cerr)));
err = HRES_ERROR_V(HRES_E_FAIL);
break;
}
}
talloc_free(base_service);
/*
* Obtain the base share SD, which also needs to be cloned.
* Share SDs are stored in share_info.tdb, so are not covered by
* the registry transaction.
* The base share SD should be cloned at the time of exposure,
* rather than when the snapshot is taken. This matches Windows
* Server 2012 behaviour.
*/
sd = get_share_security(mem_ctx, sc_smap->share_name, &sd_size);
if (sd == NULL) {
DEBUG(2, ("no share SD to clone for %s snapshot\n",
sc_smap->share_name));
} else {
bool ok;
ok = set_share_security(sc_smap->sc_share_name, sd);
TALLOC_FREE(sd);
if (!ok) {
DEBUG(0, ("failed to set %s share SD\n",
sc_smap->sc_share_name));
err = HRES_ERROR_V(HRES_E_FAIL);
break;
}
}
}
return err;
}
static int change_share_sec(TALLOC_CTX *mem_ctx, const char *sharename, char *the_acl, enum acl_mode mode)
{
SEC_DESC *sd = NULL;
SEC_DESC *old = NULL;
size_t sd_size = 0;
uint32 i, j;
if (mode != SMB_ACL_SET) {
if (!(old = get_share_security( mem_ctx, sharename, &sd_size )) ) {
fprintf(stderr, "Unable to retrieve permissions for share [%s]\n", sharename);
return -1;
}
}
if ( (mode != SMB_ACL_VIEW) && !(sd = parse_acl_string(mem_ctx, the_acl, &sd_size )) ) {
fprintf( stderr, "Failed to parse acl\n");
return -1;
}
switch (mode) {
case SMB_ACL_VIEW:
sec_desc_print( stdout, old);
return 0;
case SMB_ACL_DELETE:
for (i=0;sd->dacl && i<sd->dacl->num_aces;i++) {
bool found = False;
for (j=0;old->dacl && j<old->dacl->num_aces;j++) {
if (sec_ace_equal(&sd->dacl->aces[i], &old->dacl->aces[j])) {
uint32 k;
for (k=j; k<old->dacl->num_aces-1;k++) {
old->dacl->aces[k] = old->dacl->aces[k+1];
}
old->dacl->num_aces--;
found = True;
break;
}
}
if (!found) {
printf("ACL for ACE:");
print_ace(stdout, &sd->dacl->aces[i]);
printf(" not found\n");
}
}
break;
case SMB_ACL_MODIFY:
for (i=0;sd->dacl && i<sd->dacl->num_aces;i++) {
bool found = False;
for (j=0;old->dacl && j<old->dacl->num_aces;j++) {
if (sid_equal(&sd->dacl->aces[i].trustee,
&old->dacl->aces[j].trustee)) {
old->dacl->aces[j] = sd->dacl->aces[i];
found = True;
}
}
if (!found) {
printf("ACL for SID %s not found\n",
sid_string_tos(&sd->dacl->aces[i].trustee));
}
}
if (sd->owner_sid) {
old->owner_sid = sd->owner_sid;
}
if (sd->group_sid) {
old->group_sid = sd->group_sid;
}
break;
case SMB_ACL_ADD:
for (i=0;sd->dacl && i<sd->dacl->num_aces;i++) {
add_ace(mem_ctx, &old->dacl, &sd->dacl->aces[i]);
}
break;
case SMB_ACL_SET:
old = sd;
break;
}
/* Denied ACE entries must come before allowed ones */
sort_acl(old->dacl);
if ( !set_share_security( sharename, old ) ) {
fprintf( stderr, "Failed to store acl for share [%s]\n", sharename );
return 2;
}
return 0;
}