/src/samba/source3/lib/sharesec.c
Line | Count | Source |
1 | | /* |
2 | | * Unix SMB/Netbios implementation. |
3 | | * SEC_DESC handling functions |
4 | | * Copyright (C) Jeremy R. Allison 1995-2003. |
5 | | * |
6 | | * This program is free software; you can redistribute it and/or modify |
7 | | * it under the terms of the GNU General Public License as published by |
8 | | * the Free Software Foundation; either version 3 of the License, or |
9 | | * (at your option) any later version. |
10 | | * |
11 | | * This program is distributed in the hope that it will be useful, |
12 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
13 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
14 | | * GNU General Public License for more details. |
15 | | * |
16 | | * You should have received a copy of the GNU General Public License |
17 | | * along with this program; if not, see <http://www.gnu.org/licenses/>. |
18 | | */ |
19 | | |
20 | | #include "includes.h" |
21 | | #include "system/filesys.h" |
22 | | #include "../libcli/security/security.h" |
23 | | #include "../librpc/gen_ndr/ndr_security.h" |
24 | | #include "dbwrap/dbwrap.h" |
25 | | #include "dbwrap/dbwrap_open.h" |
26 | | #include "util_tdb.h" |
27 | | #include "libcli/util/ntstatus.h" |
28 | | |
29 | | /******************************************************************* |
30 | | Create the share security tdb. |
31 | | ********************************************************************/ |
32 | | |
33 | | static struct db_context *share_db; /* used for share security descriptors */ |
34 | 0 | #define SHARE_DATABASE_VERSION_V1 1 |
35 | 0 | #define SHARE_DATABASE_VERSION_V2 2 /* version id in little endian. */ |
36 | 0 | #define SHARE_DATABASE_VERSION_V3 3 /* canonicalized sharenames as lower case */ |
37 | | |
38 | 0 | #define SHARE_SECURITY_DB_KEY_PREFIX_STR "SECDESC/" |
39 | | /* Map generic permissions to file object specific permissions */ |
40 | | |
41 | | extern const struct generic_mapping file_generic_mapping; |
42 | | |
43 | | static int delete_fn(struct db_record *rec, void *priv) |
44 | 0 | { |
45 | 0 | dbwrap_record_delete(rec); |
46 | 0 | return 0; |
47 | 0 | } |
48 | | |
49 | | /***************************************************** |
50 | | Looking for keys of the form: SHARE_SECURITY_DB_KEY_PREFIX_STR + "non lower case str". |
51 | | If we find one re-write it into a canonical case form. |
52 | | *****************************************************/ |
53 | | |
54 | | static int upgrade_v2_to_v3(struct db_record *rec, void *priv) |
55 | 0 | { |
56 | 0 | size_t prefix_len = strlen(SHARE_SECURITY_DB_KEY_PREFIX_STR); |
57 | 0 | const char *servicename = NULL; |
58 | 0 | char *c_servicename = NULL; |
59 | 0 | char *newkey = NULL; |
60 | 0 | bool *p_upgrade_ok = (bool *)priv; |
61 | 0 | NTSTATUS status; |
62 | 0 | TDB_DATA key; |
63 | 0 | TDB_DATA value; |
64 | |
|
65 | 0 | key = dbwrap_record_get_key(rec); |
66 | | |
67 | | /* Is there space for a one character sharename ? */ |
68 | 0 | if (key.dsize <= prefix_len+2) { |
69 | 0 | return 0; |
70 | 0 | } |
71 | | |
72 | | /* Does it start with the share key prefix ? */ |
73 | 0 | if (memcmp(key.dptr, SHARE_SECURITY_DB_KEY_PREFIX_STR, |
74 | 0 | prefix_len) != 0) { |
75 | 0 | return 0; |
76 | 0 | } |
77 | | |
78 | | /* Is it a null terminated string as a key ? */ |
79 | 0 | if (key.dptr[key.dsize-1] != '\0') { |
80 | 0 | return 0; |
81 | 0 | } |
82 | | |
83 | | /* Bytes after the prefix are the sharename string. */ |
84 | 0 | servicename = (char *)&key.dptr[prefix_len]; |
85 | 0 | c_servicename = canonicalize_servicename(talloc_tos(), servicename); |
86 | 0 | if (!c_servicename) { |
87 | 0 | smb_panic("out of memory upgrading share security db from v2 -> v3"); |
88 | 0 | } |
89 | | |
90 | 0 | if (strcmp(servicename, c_servicename) == 0) { |
91 | | /* Old and new names match. No canonicalization needed. */ |
92 | 0 | TALLOC_FREE(c_servicename); |
93 | 0 | return 0; |
94 | 0 | } |
95 | | |
96 | | /* Oops. Need to canonicalize name, delete old then store new. */ |
97 | 0 | status = dbwrap_record_delete(rec); |
98 | 0 | if (!NT_STATUS_IS_OK(status)) { |
99 | 0 | DEBUG(1, ("upgrade_v2_to_v3: Failed to delete secdesc for " |
100 | 0 | "%s: %s\n", (const char *)key.dptr, |
101 | 0 | nt_errstr(status))); |
102 | 0 | TALLOC_FREE(c_servicename); |
103 | 0 | *p_upgrade_ok = false; |
104 | 0 | return -1; |
105 | 0 | } else { |
106 | 0 | DEBUG(10, ("upgrade_v2_to_v3: deleted secdesc for " |
107 | 0 | "%s\n", (const char *)key.dptr)); |
108 | 0 | } |
109 | | |
110 | 0 | if (!(newkey = talloc_asprintf(talloc_tos(), |
111 | 0 | SHARE_SECURITY_DB_KEY_PREFIX_STR "%s", |
112 | 0 | c_servicename))) { |
113 | 0 | smb_panic("out of memory upgrading share security db from v2 -> v3"); |
114 | 0 | } |
115 | | |
116 | 0 | value = dbwrap_record_get_value(rec); |
117 | 0 | status = dbwrap_store(share_db, |
118 | 0 | string_term_tdb_data(newkey), |
119 | 0 | value, |
120 | 0 | TDB_REPLACE); |
121 | |
|
122 | 0 | if (!NT_STATUS_IS_OK(status)) { |
123 | 0 | DEBUG(1, ("upgrade_v2_to_v3: Failed to store secdesc for " |
124 | 0 | "%s: %s\n", c_servicename, nt_errstr(status))); |
125 | 0 | TALLOC_FREE(c_servicename); |
126 | 0 | TALLOC_FREE(newkey); |
127 | 0 | *p_upgrade_ok = false; |
128 | 0 | return -1; |
129 | 0 | } else { |
130 | 0 | DEBUG(10, ("upgrade_v2_to_v3: stored secdesc for " |
131 | 0 | "%s\n", newkey )); |
132 | 0 | } |
133 | | |
134 | 0 | TALLOC_FREE(newkey); |
135 | 0 | TALLOC_FREE(c_servicename); |
136 | |
|
137 | 0 | return 0; |
138 | 0 | } |
139 | | |
140 | | NTSTATUS share_info_db_init(void) |
141 | 0 | { |
142 | 0 | const char *vstring = "INFO/version"; |
143 | 0 | int32_t vers_id = 0; |
144 | 0 | bool upgrade_ok = true; |
145 | 0 | NTSTATUS status; |
146 | 0 | char *db_path; |
147 | |
|
148 | 0 | if (share_db != NULL) { |
149 | 0 | return NT_STATUS_OK; |
150 | 0 | } |
151 | | |
152 | 0 | db_path = state_path(talloc_tos(), "share_info.tdb"); |
153 | 0 | if (db_path == NULL) { |
154 | 0 | return NT_STATUS_NO_MEMORY; |
155 | 0 | } |
156 | | |
157 | 0 | share_db = db_open(NULL, db_path, 0, |
158 | 0 | TDB_DEFAULT, O_RDWR|O_CREAT, 0600, |
159 | 0 | DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE); |
160 | 0 | if (share_db == NULL) { |
161 | 0 | DEBUG(0,("Failed to open share info database %s (%s)\n", |
162 | 0 | db_path, strerror(errno))); |
163 | 0 | TALLOC_FREE(db_path); |
164 | 0 | return map_nt_error_from_unix_common(errno); |
165 | 0 | } |
166 | 0 | TALLOC_FREE(db_path); |
167 | |
|
168 | 0 | status = dbwrap_fetch_int32_bystring(share_db, vstring, &vers_id); |
169 | 0 | if (!NT_STATUS_IS_OK(status)) { |
170 | 0 | vers_id = 0; |
171 | 0 | } |
172 | |
|
173 | 0 | if (vers_id == SHARE_DATABASE_VERSION_V3) { |
174 | 0 | return NT_STATUS_OK; |
175 | 0 | } |
176 | | |
177 | 0 | if (dbwrap_transaction_start(share_db) != 0) { |
178 | 0 | DEBUG(0, ("transaction_start failed\n")); |
179 | 0 | TALLOC_FREE(share_db); |
180 | 0 | return NT_STATUS_INTERNAL_DB_ERROR; |
181 | 0 | } |
182 | | |
183 | 0 | status = dbwrap_fetch_int32_bystring(share_db, vstring, &vers_id); |
184 | 0 | if (!NT_STATUS_IS_OK(status)) { |
185 | 0 | vers_id = 0; |
186 | 0 | } |
187 | |
|
188 | 0 | if (vers_id == SHARE_DATABASE_VERSION_V3) { |
189 | | /* |
190 | | * Race condition |
191 | | */ |
192 | 0 | if (dbwrap_transaction_cancel(share_db)) { |
193 | 0 | smb_panic("transaction_cancel failed"); |
194 | 0 | } |
195 | 0 | return NT_STATUS_OK; |
196 | 0 | } |
197 | | |
198 | | /* Move to at least V2. */ |
199 | | |
200 | | /* Cope with byte-reversed older versions of the db. */ |
201 | 0 | if ((vers_id == SHARE_DATABASE_VERSION_V1) || (IREV(vers_id) == SHARE_DATABASE_VERSION_V1)) { |
202 | | /* Written on a bigendian machine with old fetch_int code. Save as le. */ |
203 | |
|
204 | 0 | status = dbwrap_store_int32_bystring( |
205 | 0 | share_db, vstring, SHARE_DATABASE_VERSION_V2); |
206 | 0 | if (!NT_STATUS_IS_OK(status)) { |
207 | 0 | DEBUG(0, ("dbwrap_store_int32 failed: %s\n", |
208 | 0 | nt_errstr(status))); |
209 | 0 | goto cancel; |
210 | 0 | } |
211 | 0 | vers_id = SHARE_DATABASE_VERSION_V2; |
212 | 0 | } |
213 | | |
214 | 0 | if (vers_id != SHARE_DATABASE_VERSION_V2) { |
215 | 0 | status = dbwrap_traverse(share_db, delete_fn, NULL, NULL); |
216 | 0 | if (!NT_STATUS_IS_OK(status)) { |
217 | 0 | DEBUG(0, ("traverse failed\n")); |
218 | 0 | goto cancel; |
219 | 0 | } |
220 | 0 | status = dbwrap_store_int32_bystring( |
221 | 0 | share_db, vstring, SHARE_DATABASE_VERSION_V2); |
222 | 0 | if (!NT_STATUS_IS_OK(status)) { |
223 | 0 | DEBUG(0, ("dbwrap_store_int32 failed: %s\n", |
224 | 0 | nt_errstr(status))); |
225 | 0 | goto cancel; |
226 | 0 | } |
227 | 0 | } |
228 | | |
229 | | /* Finally upgrade to version 3, with canonicalized sharenames. */ |
230 | | |
231 | 0 | status = dbwrap_traverse(share_db, upgrade_v2_to_v3, &upgrade_ok, NULL); |
232 | 0 | if (!NT_STATUS_IS_OK(status)) { |
233 | 0 | DEBUG(0, ("traverse failed\n")); |
234 | 0 | goto cancel; |
235 | 0 | } |
236 | 0 | if (!upgrade_ok) { |
237 | 0 | DBG_ERR("upgrade failed.\n"); |
238 | 0 | status = NT_STATUS_INTERNAL_ERROR; |
239 | 0 | goto cancel; |
240 | 0 | } |
241 | | |
242 | 0 | status = dbwrap_store_int32_bystring( |
243 | 0 | share_db, vstring, SHARE_DATABASE_VERSION_V3); |
244 | 0 | if (!NT_STATUS_IS_OK(status)) { |
245 | 0 | DEBUG(0, ("dbwrap_store_int32 failed: %s\n", |
246 | 0 | nt_errstr(status))); |
247 | 0 | goto cancel; |
248 | 0 | } |
249 | | |
250 | 0 | if (dbwrap_transaction_commit(share_db) != 0) { |
251 | 0 | DEBUG(0, ("transaction_commit failed\n")); |
252 | 0 | return NT_STATUS_INTERNAL_ERROR; |
253 | 0 | } |
254 | | |
255 | 0 | return NT_STATUS_OK; |
256 | | |
257 | 0 | cancel: |
258 | 0 | if (dbwrap_transaction_cancel(share_db)) { |
259 | 0 | smb_panic("transaction_cancel failed"); |
260 | 0 | } |
261 | | |
262 | 0 | return status; |
263 | 0 | } |
264 | | |
265 | | /******************************************************************* |
266 | | Fake up a Everyone, default access as a default. |
267 | | def_access is a GENERIC_XXX access mode. |
268 | | ********************************************************************/ |
269 | | |
270 | | static struct security_descriptor *get_share_security_default(TALLOC_CTX *ctx, |
271 | | size_t *psize, |
272 | | uint32_t def_access) |
273 | 0 | { |
274 | 0 | uint32_t sa; |
275 | 0 | struct security_ace ace = { |
276 | 0 | .size = 0, |
277 | 0 | }; |
278 | 0 | struct security_acl *psa = NULL; |
279 | 0 | struct security_descriptor *psd = NULL; |
280 | 0 | uint32_t spec_access = def_access; |
281 | |
|
282 | 0 | se_map_generic(&spec_access, &file_generic_mapping); |
283 | |
|
284 | 0 | sa = (def_access | spec_access ); |
285 | 0 | init_sec_ace(&ace, &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, 0); |
286 | |
|
287 | 0 | if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 1, &ace)) != NULL) { |
288 | 0 | psd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1, |
289 | 0 | SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, |
290 | 0 | psa, psize); |
291 | 0 | } |
292 | |
|
293 | 0 | if (!psd) { |
294 | 0 | DEBUG(0,("get_share_security: Failed to make SEC_DESC.\n")); |
295 | 0 | return NULL; |
296 | 0 | } |
297 | | |
298 | 0 | return psd; |
299 | 0 | } |
300 | | |
301 | | /******************************************************************* |
302 | | Pull a security descriptor from the share tdb. |
303 | | ********************************************************************/ |
304 | | |
305 | | struct security_descriptor *get_share_security( TALLOC_CTX *ctx, const char *servicename, |
306 | | size_t *psize) |
307 | 0 | { |
308 | 0 | char *key; |
309 | 0 | struct security_descriptor *psd = NULL; |
310 | 0 | TDB_DATA data; |
311 | 0 | char *c_servicename = canonicalize_servicename(talloc_tos(), servicename); |
312 | 0 | NTSTATUS status; |
313 | |
|
314 | 0 | if (!c_servicename) { |
315 | 0 | return NULL; |
316 | 0 | } |
317 | | |
318 | 0 | status = share_info_db_init(); |
319 | 0 | if (!NT_STATUS_IS_OK(status)) { |
320 | 0 | TALLOC_FREE(c_servicename); |
321 | 0 | return NULL; |
322 | 0 | } |
323 | | |
324 | 0 | if (!(key = talloc_asprintf(ctx, SHARE_SECURITY_DB_KEY_PREFIX_STR "%s", c_servicename))) { |
325 | 0 | TALLOC_FREE(c_servicename); |
326 | 0 | DEBUG(0, ("talloc_asprintf failed\n")); |
327 | 0 | return NULL; |
328 | 0 | } |
329 | | |
330 | 0 | TALLOC_FREE(c_servicename); |
331 | |
|
332 | 0 | status = dbwrap_fetch_bystring(share_db, talloc_tos(), key, &data); |
333 | |
|
334 | 0 | TALLOC_FREE(key); |
335 | |
|
336 | 0 | if (!NT_STATUS_IS_OK(status)) { |
337 | 0 | return get_share_security_default(ctx, psize, |
338 | 0 | SEC_RIGHTS_DIR_ALL); |
339 | 0 | } |
340 | | |
341 | 0 | status = unmarshall_sec_desc(ctx, data.dptr, data.dsize, &psd); |
342 | |
|
343 | 0 | TALLOC_FREE(data.dptr); |
344 | |
|
345 | 0 | if (!NT_STATUS_IS_OK(status)) { |
346 | 0 | return get_share_security_default(ctx, psize, |
347 | 0 | SEC_RIGHTS_DIR_ALL); |
348 | 0 | } |
349 | | |
350 | 0 | if (psd) { |
351 | 0 | *psize = ndr_size_security_descriptor(psd, 0); |
352 | 0 | } else { |
353 | 0 | return get_share_security_default(ctx, psize, |
354 | 0 | SEC_RIGHTS_DIR_ALL); |
355 | 0 | } |
356 | | |
357 | 0 | return psd; |
358 | 0 | } |
359 | | |
360 | | /******************************************************************* |
361 | | Store a security descriptor in the share db. |
362 | | ********************************************************************/ |
363 | | |
364 | | NTSTATUS set_share_security(const char *share_name, |
365 | | struct security_descriptor *psd) |
366 | 0 | { |
367 | 0 | TALLOC_CTX *frame = talloc_stackframe(); |
368 | 0 | char *key; |
369 | 0 | TDB_DATA blob; |
370 | 0 | NTSTATUS status; |
371 | 0 | char *c_share_name = canonicalize_servicename(frame, share_name); |
372 | |
|
373 | 0 | if (c_share_name == NULL) { |
374 | 0 | status = NT_STATUS_INVALID_PARAMETER; |
375 | 0 | goto out; |
376 | 0 | } |
377 | | |
378 | 0 | status = share_info_db_init(); |
379 | 0 | if (!NT_STATUS_IS_OK(status)) { |
380 | 0 | goto out; |
381 | 0 | } |
382 | | |
383 | 0 | status = marshall_sec_desc(frame, psd, &blob.dptr, &blob.dsize); |
384 | |
|
385 | 0 | if (!NT_STATUS_IS_OK(status)) { |
386 | 0 | DEBUG(0, ("marshall_sec_desc failed: %s\n", |
387 | 0 | nt_errstr(status))); |
388 | 0 | goto out; |
389 | 0 | } |
390 | | |
391 | 0 | if (!(key = talloc_asprintf(frame, SHARE_SECURITY_DB_KEY_PREFIX_STR "%s", c_share_name))) { |
392 | 0 | DEBUG(0, ("talloc_asprintf failed\n")); |
393 | 0 | status = NT_STATUS_NO_MEMORY; |
394 | 0 | goto out; |
395 | 0 | } |
396 | | |
397 | 0 | status = dbwrap_trans_store(share_db, string_term_tdb_data(key), blob, |
398 | 0 | TDB_REPLACE); |
399 | 0 | if (!NT_STATUS_IS_OK(status)) { |
400 | 0 | DEBUG(1, ("set_share_security: Failed to store secdesc for " |
401 | 0 | "%s: %s\n", share_name, nt_errstr(status))); |
402 | 0 | goto out; |
403 | 0 | } |
404 | | |
405 | 0 | DEBUG(5,("set_share_security: stored secdesc for %s\n", share_name )); |
406 | 0 | status = NT_STATUS_OK; |
407 | |
|
408 | 0 | out: |
409 | 0 | TALLOC_FREE(frame); |
410 | 0 | return status; |
411 | 0 | } |
412 | | |
413 | | /******************************************************************* |
414 | | Delete a security descriptor. |
415 | | ********************************************************************/ |
416 | | |
417 | | NTSTATUS delete_share_security(const char *servicename) |
418 | 0 | { |
419 | 0 | TDB_DATA kbuf; |
420 | 0 | char *key; |
421 | 0 | NTSTATUS status; |
422 | 0 | char *c_servicename = canonicalize_servicename(talloc_tos(), servicename); |
423 | |
|
424 | 0 | if (c_servicename == NULL) { |
425 | 0 | return NT_STATUS_INVALID_PARAMETER; |
426 | 0 | } |
427 | | |
428 | 0 | status = share_info_db_init(); |
429 | 0 | if (!NT_STATUS_IS_OK(status)) { |
430 | 0 | TALLOC_FREE(c_servicename); |
431 | 0 | return status; |
432 | 0 | } |
433 | | |
434 | 0 | if (!(key = talloc_asprintf(talloc_tos(), SHARE_SECURITY_DB_KEY_PREFIX_STR "%s", |
435 | 0 | c_servicename))) { |
436 | 0 | TALLOC_FREE(c_servicename); |
437 | 0 | return NT_STATUS_NO_MEMORY; |
438 | 0 | } |
439 | 0 | kbuf = string_term_tdb_data(key); |
440 | |
|
441 | 0 | status = dbwrap_trans_delete(share_db, kbuf); |
442 | 0 | if (!NT_STATUS_IS_OK(status)) { |
443 | 0 | DEBUG(0, ("delete_share_security: Failed to delete entry for " |
444 | 0 | "share %s: %s\n", c_servicename, nt_errstr(status))); |
445 | 0 | TALLOC_FREE(c_servicename); |
446 | 0 | return status; |
447 | 0 | } |
448 | | |
449 | 0 | TALLOC_FREE(c_servicename); |
450 | 0 | return NT_STATUS_OK; |
451 | 0 | } |
452 | | |
453 | | /******************************************************************* |
454 | | Can this user access with share with the required permissions ? |
455 | | ********************************************************************/ |
456 | | |
457 | | bool share_access_check(const struct security_token *token, |
458 | | const char *sharename, |
459 | | uint32_t desired_access, |
460 | | uint32_t *pgranted) |
461 | 0 | { |
462 | 0 | uint32_t granted; |
463 | 0 | NTSTATUS status; |
464 | 0 | struct security_descriptor *psd = NULL; |
465 | 0 | size_t sd_size; |
466 | |
|
467 | 0 | psd = get_share_security(talloc_tos(), sharename, &sd_size); |
468 | |
|
469 | 0 | if (!psd) { |
470 | 0 | if (pgranted != NULL) { |
471 | 0 | *pgranted = desired_access; |
472 | 0 | } |
473 | 0 | return false; |
474 | 0 | } |
475 | | |
476 | 0 | status = se_file_access_check(psd, token, true, desired_access, &granted); |
477 | |
|
478 | 0 | TALLOC_FREE(psd); |
479 | |
|
480 | 0 | if (pgranted != NULL) { |
481 | 0 | *pgranted = granted; |
482 | 0 | } |
483 | |
|
484 | 0 | return NT_STATUS_IS_OK(status); |
485 | 0 | } |
486 | | |
487 | | /*************************************************************************** |
488 | | Parse the contents of an acl string from a usershare file. |
489 | | ***************************************************************************/ |
490 | | |
491 | | bool parse_usershare_acl(TALLOC_CTX *ctx, const char *acl_str, struct security_descriptor **ppsd) |
492 | 0 | { |
493 | 0 | size_t s_size = 0; |
494 | 0 | const char *pacl = acl_str; |
495 | 0 | int num_aces = 0; |
496 | 0 | struct security_ace *ace_list = NULL; |
497 | 0 | struct security_acl *psa = NULL; |
498 | 0 | struct security_descriptor *psd = NULL; |
499 | 0 | size_t sd_size = 0; |
500 | 0 | int i; |
501 | |
|
502 | 0 | *ppsd = NULL; |
503 | | |
504 | | /* If the acl string is blank return "Everyone:R" */ |
505 | 0 | if (!*acl_str) { |
506 | 0 | struct security_descriptor *default_psd = get_share_security_default(ctx, &s_size, GENERIC_READ_ACCESS); |
507 | 0 | if (!default_psd) { |
508 | 0 | return False; |
509 | 0 | } |
510 | 0 | *ppsd = default_psd; |
511 | 0 | return True; |
512 | 0 | } |
513 | | |
514 | 0 | num_aces = 1; |
515 | | |
516 | | /* Add the number of ',' characters to get the number of aces. */ |
517 | 0 | num_aces += count_chars(pacl,','); |
518 | |
|
519 | 0 | ace_list = talloc_array(ctx, struct security_ace, num_aces); |
520 | 0 | if (!ace_list) { |
521 | 0 | return False; |
522 | 0 | } |
523 | | |
524 | 0 | for (i = 0; i < num_aces; i++) { |
525 | 0 | uint32_t sa; |
526 | 0 | uint32_t g_access; |
527 | 0 | uint32_t s_access; |
528 | 0 | struct dom_sid sid; |
529 | 0 | char *sidstr; |
530 | 0 | enum security_ace_type type = SEC_ACE_TYPE_ACCESS_ALLOWED; |
531 | |
|
532 | 0 | if (!next_token_talloc(ctx, &pacl, &sidstr, ":")) { |
533 | 0 | DEBUG(0,("parse_usershare_acl: malformed usershare acl looking " |
534 | 0 | "for ':' in string '%s'\n", pacl)); |
535 | 0 | return False; |
536 | 0 | } |
537 | | |
538 | 0 | if (!string_to_sid(&sid, sidstr)) { |
539 | 0 | DEBUG(0,("parse_usershare_acl: failed to convert %s to sid.\n", |
540 | 0 | sidstr )); |
541 | 0 | return False; |
542 | 0 | } |
543 | | |
544 | 0 | switch (*pacl) { |
545 | 0 | case 'F': /* Full Control, ie. R+W */ |
546 | 0 | case 'f': /* Full Control, ie. R+W */ |
547 | 0 | s_access = g_access = GENERIC_ALL_ACCESS; |
548 | 0 | break; |
549 | 0 | case 'R': /* Read only. */ |
550 | 0 | case 'r': /* Read only. */ |
551 | 0 | s_access = g_access = GENERIC_READ_ACCESS; |
552 | 0 | break; |
553 | 0 | case 'D': /* Deny all to this SID. */ |
554 | 0 | case 'd': /* Deny all to this SID. */ |
555 | 0 | type = SEC_ACE_TYPE_ACCESS_DENIED; |
556 | 0 | s_access = g_access = GENERIC_ALL_ACCESS; |
557 | 0 | break; |
558 | 0 | default: |
559 | 0 | DEBUG(0,("parse_usershare_acl: unknown acl type at %s.\n", |
560 | 0 | pacl )); |
561 | 0 | return False; |
562 | 0 | } |
563 | | |
564 | 0 | pacl++; |
565 | 0 | if (*pacl && *pacl != ',') { |
566 | 0 | DEBUG(0,("parse_usershare_acl: bad acl string at %s.\n", |
567 | 0 | pacl )); |
568 | 0 | return False; |
569 | 0 | } |
570 | 0 | pacl++; /* Go past any ',' */ |
571 | |
|
572 | 0 | se_map_generic(&s_access, &file_generic_mapping); |
573 | 0 | sa = (g_access | s_access); |
574 | 0 | init_sec_ace(&ace_list[i], &sid, type, sa, 0); |
575 | 0 | } |
576 | | |
577 | 0 | if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, num_aces, ace_list)) != NULL) { |
578 | 0 | psd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1, |
579 | 0 | SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL, |
580 | 0 | psa, &sd_size); |
581 | 0 | } |
582 | |
|
583 | 0 | if (!psd) { |
584 | 0 | DEBUG(0,("parse_usershare_acl: Failed to make SEC_DESC.\n")); |
585 | 0 | return False; |
586 | 0 | } |
587 | | |
588 | 0 | *ppsd = psd; |
589 | | return True; |
590 | 0 | } |