/*
 * fchmod hook shared by the ACL modules.
 *
 * The mode change is forwarded to the next VFS module only when the handle
 * was opened with POSIX semantics (fsp->posix_open). For every other open
 * the request is dropped and 0 is returned, so the caller sees success
 * although the mode bits were not touched.
 *
 * NOTE(review): presumably this keeps non-POSIX clients from changing
 * permission bits behind the stored ACL - confirm against the modules
 * that install this hook.
 *
 * Returns the result of SMB_VFS_NEXT_FCHMOD for POSIX opens, otherwise 0.
 */
static int fchmod_acl_module_common(struct vfs_handle_struct *handle,
				    struct files_struct *fsp, mode_t mode)
{
	/* Non-POSIX opens: report success without changing anything. */
	if (!fsp->posix_open) {
		return 0;
	}

	/* Only POSIX opens are allowed to reach the underlying fchmod. */
	return SMB_VFS_NEXT_FCHMOD(handle, fsp, mode);
}
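/*
 * Audit wrapper for fchmod: runs the next module's fchmod and writes one
 * syslog record with the file name, the requested mode and, on failure,
 * the error text.
 *
 * errno is captured immediately after the VFS call and restored before
 * returning. Argument evaluation order is unspecified in C, so
 * audit_syslog_priority() could otherwise run before strerror(errno) is
 * evaluated, and syslog() itself may modify errno; either would make the
 * record, or the errno seen by the caller, describe the wrong failure.
 *
 * NOTE(review): base_name is written to the log unmodified. If file names
 * can contain control characters, confirm that the log pipeline escapes
 * them so a crafted name cannot forge or split audit records.
 *
 * Returns the unchanged result of SMB_VFS_NEXT_FCHMOD.
 */
static int audit_fchmod(vfs_handle_struct *handle, files_struct *fsp, mode_t mode)
{
	int result;
	int saved_errno;

	result = SMB_VFS_NEXT_FCHMOD(handle, fsp, mode);
	/* Snapshot errno before any logging helper gets a chance to change it. */
	saved_errno = errno;

	/* mode_t is not guaranteed to be unsigned int; cast to match %x. */
	syslog(audit_syslog_priority(handle), "fchmod %s mode 0x%x %s%s\n",
	       fsp->fsp_name->base_name, (unsigned int)mode,
	       (result < 0) ? "failed: " : "",
	       (result < 0) ? strerror(saved_errno) : "");

	/* Auditing must be transparent: hand the original errno back. */
	errno = saved_errno;
	return result;
}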
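/*
 * Extended-audit wrapper for fchmod: runs the next module's fchmod, then
 * records the outcome via syslog (only when lp_syslog() > 0) and always
 * via DEBUG level 1.
 *
 * errno is captured immediately after the VFS call. Both log statements
 * use that snapshot, and it is restored before returning, so neither the
 * syslog() call nor the helper calls in the argument lists can change the
 * error text that is logged or the errno the caller sees.
 *
 * NOTE(review): the file name is written to both sinks unmodified. If
 * names can contain control characters, confirm that the log pipeline
 * escapes them so a crafted name cannot forge or split audit records.
 *
 * Returns the unchanged result of SMB_VFS_NEXT_FCHMOD.
 */
static int audit_fchmod(vfs_handle_struct *handle, files_struct *fsp, mode_t mode)
{
	int result;
	int saved_errno;

	result = SMB_VFS_NEXT_FCHMOD(handle, fsp, mode);
	/* Snapshot errno before any logging helper gets a chance to change it. */
	saved_errno = errno;

	if (lp_syslog() > 0) {
		/* mode_t is not guaranteed to be unsigned int; cast to match %x. */
		syslog(audit_syslog_priority(handle), "fchmod %s mode 0x%x %s%s\n",
		       fsp->fsp_name->base_name, (unsigned int)mode,
		       (result < 0) ? "failed: " : "",
		       (result < 0) ? strerror(saved_errno) : "");
	}

	/* Without the snapshot this would report whatever syslog() left in errno. */
	DEBUG(1, ("vfs_extd_audit: fchmod %s mode 0x%x %s %s",
		  fsp_str_dbg(fsp), (unsigned int)mode,
		  (result < 0) ? "failed: " : "",
		  (result < 0) ? strerror(saved_errno) : ""));

	/* Auditing must be transparent: hand the original errno back. */
	errno = saved_errno;
	return result;
}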
/*
 * Skeleton fchmod hook: a pure pass-through that hands the request to the
 * next VFS module and returns its result unchanged. It performs no checks
 * of its own.
 */
static int skel_fchmod(vfs_handle_struct *handle, files_struct *fsp, mode_t mode)
{
	int rc = SMB_VFS_NEXT_FCHMOD(handle, fsp, mode);

	return rc;
}
/*
 * Set an NT security descriptor on an open file through the NFSv4 ACL
 * helper (smb_set_nt_acl_nfs4 with nfs4acl_smb4acl_set_fn).
 *
 * Steps, in order:
 *  1. Fetch the module config and require valid stat info on the fsp.
 *  2. If the POSIX mode lacks any of 0777 (directories) or 0666 (other
 *     files), OR those bits in with chmod/fchmod while running as root.
 *  3. Try to set the ACL with the caller's own credentials.
 *  4. If that fails and the request changes owner or group, the caller is
 *     not root and the handle has SEC_STD_WRITE_OWNER, retry as root, but
 *     only when psd->owner_sid is a SID in the caller's token
 *     (take-ownership, never give-ownership).
 *
 * Returns NT_STATUS_OK on success; NT_STATUS_INTERNAL_ERROR for missing
 * config or invalid stat; the mapped errno if the mode reset fails;
 * NT_STATUS_ACCESS_DENIED or NT_STATUS_INVALID_OWNER when the root retry is
 * not permitted; otherwise the status of the root retry.
 *
 * Security notes for reviewers:
 *  - Two separate become_root()/unbecome_root() windows exist. Each wraps
 *    a single call, and errno is saved across the first unbecome_root().
 *  - The mode widening in step 2 is not reverted by this function if the
 *    ACL update in step 3 or 4 fails.
 */
static NTSTATUS nfs4acl_xattr_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp, uint32_t security_info_sent, const struct security_descriptor *psd)
{
	struct nfs4acl_config *config = NULL;
	const struct security_token *token = NULL;
	mode_t existing_mode;
	mode_t expected_mode;
	mode_t restored_mode;
	bool chown_needed = false;
	NTSTATUS status;
	int ret;

	/*
	 * Presumably the last macro argument is the statement executed when
	 * no config is attached to the handle - confirm in the macro definition.
	 */
	SMB_VFS_HANDLE_GET_DATA(handle, config, struct nfs4acl_config, return NT_STATUS_INTERNAL_ERROR);

	/* The cached stat is the only source for the current mode below. */
	if (!VALID_STAT(fsp->fsp_name->st)) {
		DBG_ERR("Invalid stat info on [%s]\n", fsp_str_dbg(fsp));
		return NT_STATUS_INTERNAL_ERROR;
	}

	existing_mode = fsp->fsp_name->st.st_ex_mode;
	/* Permission bits this module wants present: rwx for all on directories, rw for all otherwise. */
	if (S_ISDIR(existing_mode)) {
		expected_mode = 0777;
	} else {
		expected_mode = 0666;
	}

	if ((existing_mode & expected_mode) != expected_mode) {
		int saved_errno = 0;

		/*
		 * Add the missing bits while keeping everything already set.
		 * NOTE(review): existing_mode comes straight from st_ex_mode, so
		 * any file-type and setuid/setgid/sticky bits it holds are passed
		 * on to chmod as well - confirm that is intended.
		 */
		restored_mode = existing_mode | expected_mode;

		/* Privileged window: exactly one chmod/fchmod call runs as root. */
		become_root();
		if (fsp->fh->fd != -1) {
			/* A real descriptor is open: operate on the handle. */
			ret = SMB_VFS_NEXT_FCHMOD(handle, fsp, restored_mode);
		} else {
			/* No descriptor: fall back to the path-based call. */
			ret = SMB_VFS_NEXT_CHMOD(handle, fsp->fsp_name, restored_mode);
		}
		if (ret != 0) {
			/* Keep the chmod error; unbecome_root() may change errno. */
			saved_errno = errno;
		}
		unbecome_root();
		if (saved_errno != 0) {
			errno = saved_errno;
		}
		if (ret != 0) {
			DBG_ERR("Resetting POSIX mode on [%s] from [0%o]: %s\n", fsp_str_dbg(fsp), existing_mode, strerror(errno));
			return map_nt_error_from_unix(errno);
		}
	}

	/* First attempt uses the caller's current credentials. */
	status = smb_set_nt_acl_nfs4(handle, fsp, &config->nfs4_params, security_info_sent, psd, nfs4acl_smb4acl_set_fn);
	if (NT_STATUS_IS_OK(status)) {
		return NT_STATUS_OK;
	}

	/*
	 * We got access denied. If we're already root, or we didn't
	 * need to do a chown, or the fsp isn't open with WRITE_OWNER
	 * access, just return.
	 *
	 * NOTE(review): status is not compared with NT_STATUS_ACCESS_DENIED
	 * here, so every failure of the first attempt takes this path and is
	 * either reported as ACCESS_DENIED or retried as root below - confirm
	 * that masking the original status is intended.
	 */
	if ((security_info_sent & SECINFO_OWNER) && (psd->owner_sid != NULL)) {
		chown_needed = true;
	}
	if ((security_info_sent & SECINFO_GROUP) && (psd->group_sid != NULL)) {
		chown_needed = true;
	}
	if (get_current_uid(handle->conn) == 0 || chown_needed == false || !(fsp->access_mask & SEC_STD_WRITE_OWNER)) {
		return NT_STATUS_ACCESS_DENIED;
	}

	/*
	 * Only allow take-ownership, not give-ownership. That's the way Windows
	 * implements SEC_STD_WRITE_OWNER. MS-FSA 2.1.5.16 just states: If
	 * InputBuffer.OwnerSid is not a valid owner SID for a file in the
	 * objectstore, as determined in an implementation specific manner, the
	 * object store MUST return STATUS_INVALID_OWNER.
	 *
	 * NOTE(review): chown_needed can be true because of SECINFO_GROUP
	 * alone, in which case psd->owner_sid may be NULL at this point -
	 * confirm security_token_is_sid() tolerates a NULL SID. This check is
	 * the gate for the root retry and must stay ahead of become_root().
	 */
	token = get_current_nttok(fsp->conn);
	if (!security_token_is_sid(token, psd->owner_sid)) {
		return NT_STATUS_INVALID_OWNER;
	}

	DBG_DEBUG("overriding chown on file %s for sid %s\n", fsp_str_dbg(fsp), sid_string_tos(psd->owner_sid));

	/* Privileged window: the same ACL update is repeated once as root. */
	become_root();
	status = smb_set_nt_acl_nfs4(handle, fsp, &config->nfs4_params, security_info_sent, psd, nfs4acl_smb4acl_set_fn);
	unbecome_root();

	return status;
}