[acl] converting group sid to GROUP@
When we process ACEs from Windows, if we see an ACE whose SID is that of the primary group, replace it with the GROUP@ special who identifier.
parent
2db91a3001
commit
0d0cee6ad6
1 changed files with 30 additions and 16 deletions
46
daemon/acl.c
46
daemon/acl.c
|
|
@ -543,7 +543,7 @@ static void map_acemask(ACCESS_MASK mask, int file_type, uint32_t *nfs4_mask)
|
||||||
print_nfs_access_mask(0, *nfs4_mask);
|
print_nfs_access_mask(0, *nfs4_mask);
|
||||||
}
|
}
|
||||||
|
|
||||||
static int map_nfs4ace_who(PSID sid, PSID owner_sid, char *who_out, char *domain)
|
static int map_nfs4ace_who(PSID sid, PSID owner_sid, PSID group_sid, char *who_out, char *domain)
|
||||||
{
|
{
|
||||||
int status = ERROR_INTERNAL_ERROR;
|
int status = ERROR_INTERNAL_ERROR;
|
||||||
DWORD size = 0, tmp_size = 0;
|
DWORD size = 0, tmp_size = 0;
|
||||||
|
|
@ -560,22 +560,30 @@ static int map_nfs4ace_who(PSID sid, PSID owner_sid, char *who_out, char *domain
|
||||||
* but for set_owner attribute we want to map owner into a user name
|
* but for set_owner attribute we want to map owner into a user name
|
||||||
* same applies to group
|
* same applies to group
|
||||||
*/
|
*/
|
||||||
|
status = 0;
|
||||||
if (owner_sid) {
|
if (owner_sid) {
|
||||||
if (EqualSid(sid, owner_sid)) {
|
if (EqualSid(sid, owner_sid)) {
|
||||||
dprintf(1, "map_nfs4ace_who: this is owner's sid\n");
|
dprintf(1, "map_nfs4ace_who: this is owner's sid\n");
|
||||||
memcpy(who_out, ACE4_OWNER, strlen(ACE4_OWNER)+1);
|
memcpy(who_out, ACE4_OWNER, strlen(ACE4_OWNER)+1);
|
||||||
return ERROR_SUCCESS;
|
return ERROR_SUCCESS;
|
||||||
}
|
}
|
||||||
status = is_well_known_sid(sid, who_out);
|
}
|
||||||
if (status) {
|
if (group_sid) {
|
||||||
if (!strncmp(who_out, ACE4_NOBODY, strlen(ACE4_NOBODY))) {
|
if (EqualSid(sid, group_sid)) {
|
||||||
size = strlen(ACE4_NOBODY);
|
dprintf(1, "map_nfs4ace_who: this is group's sid\n");
|
||||||
goto add_domain;
|
memcpy(who_out, ACE4_GROUP, strlen(ACE4_GROUP)+1);
|
||||||
}
|
return ERROR_SUCCESS;
|
||||||
else
|
|
||||||
return ERROR_SUCCESS;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
status = is_well_known_sid(sid, who_out);
|
||||||
|
if (status) {
|
||||||
|
if (!strncmp(who_out, ACE4_NOBODY, strlen(ACE4_NOBODY))) {
|
||||||
|
size = strlen(ACE4_NOBODY);
|
||||||
|
goto add_domain;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
return ERROR_SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
status = LookupAccountSid(NULL, sid, who, &size, tmp_buf,
|
status = LookupAccountSid(NULL, sid, who, &size, tmp_buf,
|
||||||
&tmp_size, &sid_type);
|
&tmp_size, &sid_type);
|
||||||
|
|
@ -617,7 +625,7 @@ out_free_who:
|
||||||
status = GetLastError();
|
status = GetLastError();
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
static int map_dacl_2_nfs4acl(PACL acl, PSID sid, nfsacl41 *nfs4_acl,
|
static int map_dacl_2_nfs4acl(PACL acl, PSID sid, PSID gsid, nfsacl41 *nfs4_acl,
|
||||||
int file_type, char *domain)
|
int file_type, char *domain)
|
||||||
{
|
{
|
||||||
int status;
|
int status;
|
||||||
|
|
@ -679,7 +687,7 @@ static int map_dacl_2_nfs4acl(PACL acl, PSID sid, nfsacl41 *nfs4_acl,
|
||||||
&nfs4_acl->aces[i].acemask);
|
&nfs4_acl->aces[i].acemask);
|
||||||
|
|
||||||
tmp_pointer += sizeof(ACCESS_MASK) + sizeof(ACE_HEADER);
|
tmp_pointer += sizeof(ACCESS_MASK) + sizeof(ACE_HEADER);
|
||||||
status = map_nfs4ace_who(tmp_pointer, sid, nfs4_acl->aces[i].who,
|
status = map_nfs4ace_who(tmp_pointer, sid, gsid, nfs4_acl->aces[i].who,
|
||||||
domain);
|
domain);
|
||||||
if (status)
|
if (status)
|
||||||
goto out_free;
|
goto out_free;
|
||||||
|
|
@ -701,8 +709,8 @@ static int handle_setacl(nfs41_upcall *upcall)
|
||||||
nfs41_file_info info;
|
nfs41_file_info info;
|
||||||
stateid_arg stateid;
|
stateid_arg stateid;
|
||||||
nfsacl41 nfs4_acl;
|
nfsacl41 nfs4_acl;
|
||||||
PSID sid = NULL;
|
PSID sid = NULL, gsid = NULL;
|
||||||
BOOL sid_default;
|
BOOL sid_default, gsid_default;
|
||||||
|
|
||||||
ZeroMemory(&info, sizeof(info));
|
ZeroMemory(&info, sizeof(info));
|
||||||
|
|
||||||
|
|
@ -714,7 +722,7 @@ static int handle_setacl(nfs41_upcall *upcall)
|
||||||
eprintf("GetSecurityDescriptorOwner failed with %d\n", status);
|
eprintf("GetSecurityDescriptorOwner failed with %d\n", status);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
status = map_nfs4ace_who(sid, NULL, (char *)info.owner,
|
status = map_nfs4ace_who(sid, NULL, NULL, (char *)info.owner,
|
||||||
state->session->client->domain_name);
|
state->session->client->domain_name);
|
||||||
if (status)
|
if (status)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
@ -732,7 +740,7 @@ static int handle_setacl(nfs41_upcall *upcall)
|
||||||
eprintf("GetSecurityDescriptorOwner failed with %d\n", status);
|
eprintf("GetSecurityDescriptorOwner failed with %d\n", status);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
status = map_nfs4ace_who(sid, NULL, (char *)info.owner_group,
|
status = map_nfs4ace_who(sid, NULL, NULL, (char *)info.owner_group,
|
||||||
state->session->client->domain_name);
|
state->session->client->domain_name);
|
||||||
if (status)
|
if (status)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
@ -759,7 +767,13 @@ static int handle_setacl(nfs41_upcall *upcall)
|
||||||
eprintf("GetSecurityDescriptorOwner failed with %d\n", status);
|
eprintf("GetSecurityDescriptorOwner failed with %d\n", status);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
status = map_dacl_2_nfs4acl(acl, sid, &nfs4_acl, state->type,
|
status = GetSecurityDescriptorGroup(args->sec_desc, &gsid, &gsid_default);
|
||||||
|
if (!status) {
|
||||||
|
status = GetLastError();
|
||||||
|
eprintf("GetSecurityDescriptorOwner failed with %d\n", status);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
status = map_dacl_2_nfs4acl(acl, sid, gsid, &nfs4_acl, state->type,
|
||||||
state->session->client->domain_name);
|
state->session->client->domain_name);
|
||||||
if (status)
|
if (status)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
|
||||||
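Review bot: In the last handle_setacl hunk, the new failure branch after GetSecurityDescriptorGroup() still logs "GetSecurityDescriptorOwner failed with %d", so a failed group lookup is recorded in the daemon log as an owner failure; it should read `eprintf("GetSecurityDescriptorGroup failed with %d\n", status);`. In map_nfs4ace_who the owner comparison runs before the new group comparison, so an ACE whose SID equals both the owner and the primary group is always sent as OWNER@; if that is intended, a comment such as `/* owner match wins when owner and group SIDs are equal */` above the `if (group_sid)` block would record it. GROUP@ is resolved by the server against the file's owning group, while gsid comes from the security descriptor the caller passed in, so it looks worth confirming that the two agree when the request does not also set the group, since otherwise the ACE could apply to a different group than the one the caller named. Both functions continue outside the visible hunks.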