svn commit: samba r3990 - in branches/SAMBA_4_0/source/ntvfs/posix: .

Mon Nov 29 03:22:44 GMT 2004

Author: tridge
Date: 2004-11-29 03:22:44 +0000 (Mon, 29 Nov 2004)
New Revision: 3990

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=3990

Log:
take advantage of the uid->sid and gid->sid code to create a much
better default NT ACL in pvfs

Modified:
   branches/SAMBA_4_0/source/ntvfs/posix/pvfs_acl.c
   branches/SAMBA_4_0/source/ntvfs/posix/vfs_posix.c
   branches/SAMBA_4_0/source/ntvfs/posix/vfs_posix.h


Changeset:
Modified: branches/SAMBA_4_0/source/ntvfs/posix/pvfs_acl.c
===================================================================

--- branches/SAMBA_4_0/source/ntvfs/posix/pvfs_acl.c	2004-11-29 03:21:46 UTC (rev 3989)
+++ branches/SAMBA_4_0/source/ntvfs/posix/pvfs_acl.c	2004-11-29 03:22:44 UTC (rev 3990)
@@ -36,33 +36,110 @@
 				 struct xattr_NTACL *acl)
 {
 	struct security_descriptor *sd;
-	struct nt_user_token *token = req->session->session_info->nt_user_token;
 	int i;
+	struct security_ace ace;
+	NTSTATUS status;
+	const char *sid_names[] = {
+		SID_BUILTIN_ADMINISTRATORS,
+		SID_CREATOR_OWNER,
+		SID_CREATOR_GROUP,
+		SID_WORLD
+	};
+	uint32_t access_masks[4];
+	mode_t mode;
 
 	sd = security_descriptor_initialise(req);
 	if (sd == NULL) {
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	/* nasty hack to get a reasonable sec desc - should be based on posix uid/gid
-	   and perms */
-	if (token->num_sids > 0) {
-		sd->owner_sid = token->user_sids[0];
+	status = sidmap_uid_to_sid(pvfs->sidmap, sd, name->st.st_uid, &sd->owner_sid);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
 	}
-	if (token->num_sids > 1) {
-		sd->group_sid = token->user_sids[1];
+	status = sidmap_gid_to_sid(pvfs->sidmap, sd, name->st.st_gid, &sd->group_sid);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
 	}
+
 	sd->type |= SEC_DESC_DACL_PRESENT;
 
-	for (i=0;i<token->num_sids;i++) {
-		struct security_ace ace;
-		NTSTATUS status;
+	/*
+	  we provide 4 ACEs
+	    - Administrator
+	    - Owner
+	    - Group
+	    - Everyone
+	 */
+	access_masks[0] = SEC_RIGHTS_FULL_CTRL | STD_RIGHT_ALL_ACCESS;
+	access_masks[1] = 0;
+	access_masks[2] = 0;
+	access_masks[3] = 0;
 
-		ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
-		ace.flags = 0;
-		ace.access_mask = SEC_RIGHTS_FULL_CTRL | STD_RIGHT_ALL_ACCESS;
-		ace.trustee = *token->user_sids[i];
+	mode = name->st.st_mode;
 
+	if (mode & S_IRUSR) {
+		access_masks[1] |= 
+			SA_RIGHT_FILE_READ_DATA | 
+			SA_RIGHT_FILE_READ_EA |
+			SA_RIGHT_FILE_READ_ATTRIBUTES |
+			SA_RIGHT_FILE_EXECUTE;
+	}
+	if (mode & S_IWUSR) {
+		access_masks[1] |= 
+			SA_RIGHT_FILE_WRITE_DATA | 
+			SA_RIGHT_FILE_APPEND_DATA |
+			SA_RIGHT_FILE_WRITE_EA |
+			SA_RIGHT_FILE_DELETE_CHILD |
+			SA_RIGHT_FILE_WRITE_ATTRIBUTES;
+	}
+
+	if (mode & S_IRGRP) {
+		access_masks[2] |= 
+			SA_RIGHT_FILE_READ_DATA | 
+			SA_RIGHT_FILE_READ_EA |
+			SA_RIGHT_FILE_READ_ATTRIBUTES |
+			SA_RIGHT_FILE_EXECUTE;
+	}
+	if (mode & S_IWGRP) {
+		access_masks[2] |= 
+			SA_RIGHT_FILE_WRITE_DATA | 
+			SA_RIGHT_FILE_APPEND_DATA |
+			SA_RIGHT_FILE_WRITE_EA |
+			SA_RIGHT_FILE_DELETE_CHILD |
+			SA_RIGHT_FILE_WRITE_ATTRIBUTES;
+	}
+
+	if (mode & S_IROTH) {
+		access_masks[3] |= 
+			SA_RIGHT_FILE_READ_DATA | 
+			SA_RIGHT_FILE_READ_EA |
+			SA_RIGHT_FILE_READ_ATTRIBUTES |
+			SA_RIGHT_FILE_EXECUTE;
+	}
+	if (mode & S_IWOTH) {
+		access_masks[3] |= 
+			SA_RIGHT_FILE_WRITE_DATA | 
+			SA_RIGHT_FILE_APPEND_DATA |
+			SA_RIGHT_FILE_WRITE_EA |
+			SA_RIGHT_FILE_DELETE_CHILD |
+			SA_RIGHT_FILE_WRITE_ATTRIBUTES;
+	}
+
+	ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
+	ace.flags = 0;
+
+	for (i=0;i<ARRAY_SIZE(sid_names);i++) {
+		struct dom_sid *sid;
+
+		ace.access_mask = access_masks[i];
+
+		sid = dom_sid_parse_talloc(sd, sid_names[i]);
+		if (sid == NULL) {
+			return NT_STATUS_NO_MEMORY;
+		}
+		ace.trustee = *sid;
+
 		status = security_descriptor_dacl_add(sd, &ace);
 		if (!NT_STATUS_IS_OK(status)) {
 			return status;

Modified: branches/SAMBA_4_0/source/ntvfs/posix/vfs_posix.c
===================================================================
--- branches/SAMBA_4_0/source/ntvfs/posix/vfs_posix.c	2004-11-29 03:21:46 UTC (rev 3989)
+++ branches/SAMBA_4_0/source/ntvfs/posix/vfs_posix.c	2004-11-29 03:22:44 UTC (rev 3990)
@@ -130,6 +130,11 @@
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	}
 
+	pvfs->sidmap = sidmap_open(pvfs);
+	if (pvfs->sidmap == NULL) {
+		return NT_STATUS_INTERNAL_DB_CORRUPTION;
+	}
+
 	/* allocate the fnum id -> ptr tree */
 	pvfs->idtree_fnum = idr_init(pvfs);
 	if (pvfs->idtree_fnum == NULL) {

Modified: branches/SAMBA_4_0/source/ntvfs/posix/vfs_posix.h
===================================================================
--- branches/SAMBA_4_0/source/ntvfs/posix/vfs_posix.h	2004-11-29 03:21:46 UTC (rev 3989)
+++ branches/SAMBA_4_0/source/ntvfs/posix/vfs_posix.h	2004-11-29 03:22:44 UTC (rev 3990)
@@ -40,6 +40,7 @@
 
 	struct brl_context *brl_context;
 	struct odb_context *odb_context;
+	struct sidmap_context *sidmap;
 
 	/* an id tree mapping open search ID to a pvfs_search_state structure */
 	struct idr_context *idtree_search;

