vfs_afsacl.c

samba-3.0.22.tar.gz 编译smb服务器的源码

	/* CHANGE inherit only -- counterpart to previous one */
	{ 0, SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY,
	  PERMS_CHANGE | GENERIC_RIGHT_WRITE_ACCESS, 63 /* rlidwk */ },

	/* End marker, hopefully there's no afs right 9999 :-) */
	{ 0, 0, 0, 9999 }
};

static uint32 nt_to_afs_dir_rights(const char *filename, const SEC_ACE *ace)
{
	uint32 result = 0;
	uint32 rights = ace->info.mask;
	uint8 flags = ace->flags;

	struct static_dir_ace_mapping *m;

	for (m = &ace_mappings[0]; m->afs_rights != 9999; m++) {
		if ( (ace->type == m->type) &&
		     (ace->flags == m->flags) &&
		     (ace->info.mask == m->mask) )
			return m->afs_rights;
	}

	DEBUG(1, ("AFSACL FALLBACK: 0x%X 0x%X 0x%X %s %X\n",
		  ace->type, ace->flags, ace->info.mask, filename, rights));

	if (rights & (GENERIC_ALL_ACCESS|WRITE_DAC_ACCESS)) {
		result |= PRSFS_READ | PRSFS_WRITE | PRSFS_INSERT |
			PRSFS_LOOKUP | PRSFS_DELETE | PRSFS_LOCK |
			PRSFS_ADMINISTER;
	}

	if (rights & (GENERIC_READ_ACCESS|FILE_READ_DATA)) {
		result |= PRSFS_LOOKUP;
		if (flags & SEC_ACE_FLAG_OBJECT_INHERIT) {
			result |= PRSFS_READ;
		}
	}

	if (rights & (GENERIC_WRITE_ACCESS|FILE_WRITE_DATA)) {
		result |= PRSFS_INSERT | PRSFS_DELETE;
		if (flags & SEC_ACE_FLAG_OBJECT_INHERIT) {
			result |= PRSFS_WRITE | PRSFS_LOCK;
		}
	}

	return result;
}

static uint32 nt_to_afs_file_rights(const char *filename, const SEC_ACE *ace)
{
	uint32 result = 0;
	uint32 rights = ace->info.mask;

	if (rights & (GENERIC_READ_ACCESS|FILE_READ_DATA)) {
		result |= PRSFS_READ;
	}

	if (rights & (GENERIC_WRITE_ACCESS|FILE_WRITE_DATA)) {
		result |= PRSFS_WRITE | PRSFS_LOCK;
	}

	return result;
}

static size_t afs_to_nt_acl(struct afs_acl *afs_acl, 
			    struct files_struct *fsp,
			    uint32 security_info,
			    struct security_descriptor_info **ppdesc)
{
	SEC_ACE *nt_ace_list;
	DOM_SID owner_sid, group_sid;
	SEC_ACCESS mask;
	SMB_STRUCT_STAT sbuf;
	SEC_ACL *psa = NULL;
	int good_aces;
	size_t sd_size;
	TALLOC_CTX *mem_ctx = main_loop_talloc_get();

	struct afs_ace *afs_ace;

	if (fsp->is_directory || fsp->fh->fd == -1) {
		/* Get the stat struct for the owner info. */
		if(SMB_VFS_STAT(fsp->conn,fsp->fsp_name, &sbuf) != 0) {
			return 0;
		}
	} else {
		if(SMB_VFS_FSTAT(fsp,fsp->fh->fd,&sbuf) != 0) {
			return 0;
		}
	}

	uid_to_sid(&owner_sid, sbuf.st_uid);
	gid_to_sid(&group_sid, sbuf.st_gid);

	nt_ace_list = TALLOC_ARRAY(mem_ctx, SEC_ACE, afs_acl->num_aces);

	if (nt_ace_list == NULL)
		return 0;

	afs_ace = afs_acl->acelist;
	good_aces = 0;

	while (afs_ace != NULL) {
		uint32 nt_rights;
		uint8 flag = SEC_ACE_FLAG_OBJECT_INHERIT |
			SEC_ACE_FLAG_CONTAINER_INHERIT;

		if (afs_ace->type == SID_NAME_UNKNOWN) {
			DEBUG(10, ("Ignoring unknown name %s\n",
				   afs_ace->name));
			afs_ace = afs_ace->next;
			continue;
		}

		if (fsp->is_directory)
			afs_to_nt_dir_rights(afs_ace->rights, &nt_rights,
					     &flag);
		else
			nt_rights = afs_to_nt_file_rights(afs_ace->rights);

		init_sec_access(&mask, nt_rights);
		init_sec_ace(&nt_ace_list[good_aces++], &(afs_ace->sid),
			     SEC_ACE_TYPE_ACCESS_ALLOWED, mask, flag);
		afs_ace = afs_ace->next;
	}

	psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION,
			   good_aces, nt_ace_list);
	if (psa == NULL)
		return 0;

	
	*ppdesc = make_sec_desc(mem_ctx, SEC_DESC_REVISION,
				SEC_DESC_SELF_RELATIVE,
				(security_info & OWNER_SECURITY_INFORMATION)
				? &owner_sid : NULL,
				(security_info & GROUP_SECURITY_INFORMATION)
				? &group_sid : NULL,
				NULL, psa, &sd_size);

	return sd_size;
}

static BOOL mappable_sid(const DOM_SID *sid)
{
	DOM_SID domain_sid;
	
	if (sid_compare(sid, &global_sid_Builtin_Administrators) == 0)
		return True;

	if (sid_compare(sid, &global_sid_World) == 0)
		return True;

	if (sid_compare(sid, &global_sid_Authenticated_Users) == 0)
		return True;

	if (sid_compare(sid, &global_sid_Builtin_Backup_Operators) == 0)
		return True;

	string_to_sid(&domain_sid, "S-1-5-21");

	if (sid_compare_domain(sid, &domain_sid) == 0)
		return True;

	return False;
}

static BOOL nt_to_afs_acl(const char *filename,
			  uint32 security_info_sent,
			  struct security_descriptor_info *psd,
			  uint32 (*nt_to_afs_rights)(const char *filename,
						     const SEC_ACE *ace),
			  struct afs_acl *afs_acl)
{
	SEC_ACL *dacl;
	int i;

	/* Currently we *only* look at the dacl */

	if (((security_info_sent & DACL_SECURITY_INFORMATION) == 0) ||
	    (psd->dacl == NULL))
		return True;

	if (!init_afs_acl(afs_acl))
		return False;

	dacl = psd->dacl;

	for (i = 0; i < dacl->num_aces; i++) {
		SEC_ACE *ace = &(dacl->ace[i]);
		fstring dom_name;
		fstring name;
		enum SID_NAME_USE name_type;
		char *p;

		if (ace->type != SEC_ACE_TYPE_ACCESS_ALLOWED) {
			/* First cut: Only positive ACEs */
			return False;
		}

		if (!mappable_sid(&ace->trustee)) {
			DEBUG(10, ("Ignoring unmappable SID %s\n",
				   sid_string_static(&ace->trustee)));
			continue;
		}

		if (sid_compare(&ace->trustee,
				&global_sid_Builtin_Administrators) == 0) {

			fstrcpy(name, "system:administrators");

		} else if (sid_compare(&ace->trustee,
				       &global_sid_World) == 0) {

			fstrcpy(name, "system:anyuser");

		} else if (sid_compare(&ace->trustee,
				       &global_sid_Authenticated_Users) == 0) {

			fstrcpy(name, "system:authuser");

		} else if (sid_compare(&ace->trustee,
				       &global_sid_Builtin_Backup_Operators)
			   == 0) {

			fstrcpy(name, "system:backup");

		} else {

			if (!lookup_sid(&ace->trustee,
					dom_name, name, &name_type)) {
				DEBUG(1, ("AFSACL: Could not lookup SID %s on file %s\n",
					  sid_string_static(&ace->trustee), filename));
				continue;
			}

			if ( (name_type == SID_NAME_USER) ||
			     (name_type == SID_NAME_DOM_GRP) ||
			     (name_type == SID_NAME_ALIAS) ) { 
				fstring only_username;
				fstrcpy(only_username, name);
				fstr_sprintf(name, "%s%s%s",
					     dom_name, lp_winbind_separator(),
					     only_username);
				strlower_m(name);
			}

			if (sidpts) {
				/* Expect all users/groups in pts as SIDs */
				sid_to_string(name, &ace->trustee);
			}
		}

		while ((p = strchr_m(name, ' ')) != NULL)
			*p = space_replacement;

		add_afs_ace(afs_acl, True, name,
			    nt_to_afs_rights(filename, ace));
	}

	return True;
}

static BOOL afs_get_afs_acl(char *filename, struct afs_acl *acl)
{
	struct afs_iob iob;

	int ret;

	char space[MAXSIZE];

	DEBUG(5, ("afs_get_afs_acl: %s\n", filename));

	iob.in_size = 0;
	iob.out_size = MAXSIZE;
	iob.in = iob.out = space;

	ret = afs_syscall(AFSCALL_PIOCTL, filename, VIOCGETAL,
			  (char *)&iob, 0);

	if (ret) {
		DEBUG(1, ("got error from PIOCTL: %d\n", ret));
		return False;
	}

	if (!init_afs_acl(acl))
		return False;

	if (!parse_afs_acl(acl, space)) {
		DEBUG(1, ("Could not parse AFS acl\n"));
		free_afs_acl(acl);
		return False;
	}

	return True;
}

static size_t afs_get_nt_acl(struct files_struct *fsp, uint32 security_info,
			     struct security_descriptor_info **ppdesc)
{
	struct afs_acl acl;
	size_t sd_size;

	DEBUG(5, ("afs_get_nt_acl: %s\n", fsp->fsp_name));

	sidpts = lp_parm_bool(SNUM(fsp->conn), "afsacl", "sidpts", False);

	if (!afs_get_afs_acl(fsp->fsp_name, &acl)) {
		return 0;
	}

	sd_size = afs_to_nt_acl(&acl, fsp, security_info, ppdesc);

	free_afs_acl(&acl);

	return sd_size;
}

/* For setting an AFS ACL we have to take care of the ACEs we could
 * not properly map to SIDs. Merge all of them into the new ACL. */

static void merge_unknown_aces(struct afs_acl *src, struct afs_acl *dst)
{
	struct afs_ace *ace;

	for (ace = src->acelist; ace != NULL; ace = ace->next)
	{
		struct afs_ace *copy;

		if (ace->type != SID_NAME_UNKNOWN) {
			DEBUG(10, ("Not merging known ACE for %s\n",
				   ace->name));
			continue;
		}

		DEBUG(10, ("Merging unknown ACE for %s\n", ace->name));

		copy = clone_afs_ace(dst->ctx, ace);

		if (copy == NULL) {
			DEBUG(0, ("Could not clone ACE for %s\n", ace->name));
			continue;
		}

		copy->next = dst->acelist;
		dst->acelist = copy;
		dst->num_aces += 1;
	}
}

static BOOL afs_set_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
			   uint32 security_info_sent,
			   struct security_descriptor_info *psd)
{
	struct afs_acl old_afs_acl, new_afs_acl;
	struct afs_acl dir_acl, file_acl;
	char acl_string[2049];
	struct afs_iob iob;
	int ret = -1;
	pstring name;
	const char *fileacls;

	fileacls = lp_parm_const_string(SNUM(handle->conn), "afsacl", "fileacls",
					"yes");

	sidpts = lp_parm_bool(SNUM(handle->conn), "afsacl", "sidpts", False);

	ZERO_STRUCT(old_afs_acl);
	ZERO_STRUCT(new_afs_acl);
	ZERO_STRUCT(dir_acl);
	ZERO_STRUCT(file_acl);

	pstr_sprintf(name, fsp->fsp_name);

	if (!fsp->is_directory) {
		/* We need to get the name of the directory containing the
		 * file, this is where the AFS acls live */
		char *p = strrchr(name, '/');
		if (p != NULL) {
			*p = '\0';
		} else {
			pstrcpy(name, ".");
		}
	}

	if (!afs_get_afs_acl(name, &old_afs_acl)) {
		DEBUG(3, ("Could not get old ACL of %s\n", fsp->fsp_name));
		goto done;
	}

	split_afs_acl(&old_afs_acl, &dir_acl, &file_acl);

	if (fsp->is_directory) {

		if (!strequal(fileacls, "yes")) {
			/* Throw away file acls, we depend on the
			 * inheritance ACEs that also give us file
			 * permissions */
			free_afs_acl(&file_acl);
		}

		free_afs_acl(&dir_acl);
		if (!nt_to_afs_acl(fsp->fsp_name, security_info_sent, psd,
				   nt_to_afs_dir_rights, &dir_acl))
			goto done;
	} else {
		if (strequal(fileacls, "no")) {
			ret = -1;
			goto done;
		}

		if (strequal(fileacls, "ignore")) {
			ret = 0;
			goto done;
		}

		free_afs_acl(&file_acl);
		if (!nt_to_afs_acl(fsp->fsp_name, security_info_sent, psd,
				   nt_to_afs_file_rights, &file_acl))
			goto done;
	}

	merge_afs_acls(&dir_acl, &file_acl, &new_afs_acl);

	merge_unknown_aces(&old_afs_acl, &new_afs_acl);

	unparse_afs_acl(&new_afs_acl, acl_string);

	iob.in = acl_string;
	iob.in_size = 1+strlen(iob.in);
	iob.out = NULL;
	iob.out_size = 0;

	DEBUG(10, ("trying to set acl '%s' on file %s\n", iob.in, name));

	ret = afs_syscall(AFSCALL_PIOCTL, name, VIOCSETAL, (char *)&iob, 0);

	if (ret != 0) {
		DEBUG(10, ("VIOCSETAL returned %d\n", ret));
	}

 done:
	free_afs_acl(&dir_acl);
	free_afs_acl(&file_acl);
	free_afs_acl(&old_afs_acl);
	free_afs_acl(&new_afs_acl);

	return (ret == 0);
}

static size_t afsacl_fget_nt_acl(struct vfs_handle_struct *handle,
				 struct files_struct *fsp,
				 int fd,  uint32 security_info,
				 struct security_descriptor_info **ppdesc)
{
	return afs_get_nt_acl(fsp, security_info, ppdesc);
}
static size_t afsacl_get_nt_acl(struct vfs_handle_struct *handle,
				struct files_struct *fsp,
				const char *name,  uint32 security_info,
				struct security_descriptor_info **ppdesc)
{
	return afs_get_nt_acl(fsp, security_info, ppdesc);
}

BOOL afsacl_fset_nt_acl(vfs_handle_struct *handle,
			 files_struct *fsp,
			 int fd, uint32 security_info_sent,
			 SEC_DESC *psd)
{
	return afs_set_nt_acl(handle, fsp, security_info_sent, psd);
}

BOOL afsacl_set_nt_acl(vfs_handle_struct *handle,
		       files_struct *fsp,
		       const char *name, uint32 security_info_sent,
		       SEC_DESC *psd)
{
	return afs_set_nt_acl(handle, fsp, security_info_sent, psd);
}

static int afsacl_connect(vfs_handle_struct *handle, 
			  connection_struct *conn, 
			  const char *service, 
			  const char *user)
{
	char *spc;

	spc = lp_parm_const_string(SNUM(handle->conn), "afsacl", "space", "%");

	if (spc != NULL)
		space_replacement = spc[0];
	
	return SMB_VFS_NEXT_CONNECT(handle, conn, service, user);
}

/* VFS operations structure */

static vfs_op_tuple afsacl_ops[] = {	
	{SMB_VFS_OP(afsacl_connect), SMB_VFS_OP_CONNECT,
	 SMB_VFS_LAYER_TRANSPARENT},
	{SMB_VFS_OP(afsacl_fget_nt_acl), SMB_VFS_OP_FGET_NT_ACL,
	 SMB_VFS_LAYER_TRANSPARENT},
	{SMB_VFS_OP(afsacl_get_nt_acl), SMB_VFS_OP_GET_NT_ACL,
	 SMB_VFS_LAYER_TRANSPARENT},
	{SMB_VFS_OP(afsacl_fset_nt_acl), SMB_VFS_OP_FSET_NT_ACL,
	 SMB_VFS_LAYER_TRANSPARENT},
	{SMB_VFS_OP(afsacl_set_nt_acl), SMB_VFS_OP_SET_NT_ACL,
	 SMB_VFS_LAYER_TRANSPARENT},
	{SMB_VFS_OP(NULL), SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP}
};

NTSTATUS vfs_afsacl_init(void)
{
	return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "afsacl",
				afsacl_ops);
}