ab55e6e8c5
Basic handling of owner and group security query (no dacl). Added new upcall for NFS41_ACL_QUERY (driver and daemon code). Daemon, upon getting NFS41_ACL_QUERY first places a getattr that has owner, group attribute request. We currently don't cache them!!! Then, we parse nfs4name format (ie user@domain or group@domain) into user and domain. We currently ignore domain part!!! Then, we assume that whatever we are mapping is "known" locally (ie LookupAccountName() api which retrieves a SID for a given name). Mapping from name to SID can only be done in the userland. We then copy the bytes via the upcall pipe to the kernel. If the received user or group cant be mapped via LookupAccoundName(), we create a well known null SID as the reply. Kernel creates a security descriptor in the absolute-format and adds owner and group sids to it. Important: RtlSetOwner/Group functions only work with absolute-format security descriptor, however the reply to the user needs to be in the self-relative format. The way security query works is that it passes us a buffer to be filled with the security context. However the user doesn't know how big the buffer should be so, the user is allowed to pass a null buffer and have the kernel return how much memory is needed. This leads to 2 security queries => 2 NFS41_ACL_QUERY upcalls => 2 getattr rpcs... It should be improved. TODO: - need to add caching of owner/group attributes for a file? - need to add calls to LDAP for more general mapping? - need to cache reply of the ACL if supplied length is 0?
232 lines
8 KiB
C
232 lines
8 KiB
C
/* Copyright (c) 2010
|
|
* The Regents of the University of Michigan
|
|
* All Rights Reserved
|
|
*
|
|
* Permission is granted to use, copy and redistribute this software
|
|
* for noncommercial education and research purposes, so long as no
|
|
* fee is charged, and so long as the name of the University of Michigan
|
|
* is not used in any advertising or publicity pertaining to the use
|
|
* or distribution of this software without specific, written prior
|
|
* authorization. Permission to modify or otherwise create derivative
|
|
* works of this software is not granted.
|
|
*
|
|
* This software is provided as is, without representation or warranty
|
|
* of any kind either express or implied, including without limitation
|
|
* the implied warranties of merchantability, fitness for a particular
|
|
* purpose, or noninfringement. The Regents of the University of
|
|
* Michigan shall not be liable for any damages, including special,
|
|
* indirect, incidental, or consequential damages, with respect to any
|
|
* claim arising out of or in connection with the use of the software,
|
|
* even if it has been or is hereafter advised of the possibility of
|
|
* such damages.
|
|
*/
|
|
#include <Windows.h>
|
|
#include <strsafe.h>
|
|
#include <sddl.h>
|
|
|
|
#include "nfs41.h"
|
|
#include "nfs41_ops.h"
|
|
#include "daemon_debug.h"
|
|
#include "util.h"
|
|
#include "upcall.h"
|
|
|
|
static int parse_getacl(unsigned char *buffer, uint32_t length, nfs41_upcall *upcall)
|
|
{
|
|
int status;
|
|
getacl_upcall_args *args = &upcall->args.getacl;
|
|
|
|
status = safe_read(&buffer, &length, &args->root, sizeof(HANDLE));
|
|
if (status) goto out;
|
|
upcall_root_ref(upcall, args->root);
|
|
status = safe_read(&buffer, &length, &args->state, sizeof(args->state));
|
|
if (status) goto out;
|
|
upcall_open_state_ref(upcall, args->state);
|
|
status = safe_read(&buffer, &length, &args->query, sizeof(args->query));
|
|
if (status) goto out;
|
|
|
|
dprintf(1, "parsing NFS41_ACL_QUERY: info_class=%d root=0x%p open_state=0x%p\n",
|
|
args->query, args->root, args->state);
|
|
out:
|
|
return status;
|
|
}
|
|
|
|
static int create_unknownsid(WELL_KNOWN_SID_TYPE type, PSID *sid, DWORD *sid_len)
|
|
{
|
|
int status;
|
|
*sid_len = 0;
|
|
*sid = NULL;
|
|
if (!CreateWellKnownSid(type, NULL, *sid, sid_len)) {
|
|
status = GetLastError();
|
|
if (status == ERROR_INSUFFICIENT_BUFFER) {
|
|
*sid = malloc(*sid_len);
|
|
if (*sid == NULL) return ERROR_INSUFFICIENT_BUFFER;
|
|
if (!CreateWellKnownSid(type, NULL, *sid, sid_len)) {
|
|
free(*sid);
|
|
status = GetLastError();
|
|
dprintf(1, "CreateWellKnownSid failed with %d\n", status);
|
|
return status;
|
|
} else return 0;
|
|
} else return status;
|
|
} else return ERROR_INTERNAL_ERROR;
|
|
}
|
|
|
|
static void convert_nfs4name_2_user_domain(LPSTR nfs4name,
|
|
LPSTR *domain)
|
|
{
|
|
LPSTR p = nfs4name;
|
|
for(; p[0] != '\0'; p++) {
|
|
if (p[0] == '@') {
|
|
p[0] = '\0';
|
|
*domain = &p[1];
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
static int map_name_2_sid(DWORD *sid_len, PSID *sid, LPCSTR name)
|
|
{
|
|
int status;
|
|
SID_NAME_USE sid_type;
|
|
LPSTR tmp_buf = NULL;
|
|
DWORD tmp = 0;
|
|
|
|
status = LookupAccountName(NULL, name, NULL, sid_len, NULL, &tmp, &sid_type);
|
|
dprintf(1, "LookupAccountName returned %d GetLastError %d owner len %d "
|
|
"domain len %d\n", status, GetLastError(), *sid_len, tmp);
|
|
if (!status) {
|
|
status = GetLastError();
|
|
switch(status) {
|
|
case ERROR_INSUFFICIENT_BUFFER:
|
|
*sid = malloc(*sid_len);
|
|
if (*sid == NULL) {
|
|
status = GetLastError();
|
|
goto out;
|
|
}
|
|
tmp_buf = (LPSTR) malloc(tmp);
|
|
if (tmp_buf == NULL) {
|
|
status = GetLastError();
|
|
free(*sid);
|
|
goto out;
|
|
}
|
|
status = LookupAccountName(NULL, name, *sid, sid_len, tmp_buf,
|
|
&tmp, &sid_type);
|
|
dprintf(1, "sid_type = %d\n", sid_type);
|
|
free(tmp_buf);
|
|
if (!status) {
|
|
status = GetLastError();
|
|
free(*sid);
|
|
dprintf(1, "handle_getacl: LookupAccountName for owner failed "
|
|
"with %d\n", status);
|
|
goto out;
|
|
} else {
|
|
LPSTR ssid = NULL;
|
|
if (IsValidSid(*sid))
|
|
if (ConvertSidToStringSidA(*sid, &ssid))
|
|
printf("SID %s\n", ssid);
|
|
else
|
|
printf("ConvertSidToStringSidA failed with %d\n", GetLastError());
|
|
else
|
|
printf("Invalid Sid\n");
|
|
if (ssid) LocalFree(ssid);
|
|
}
|
|
status = 0;
|
|
break;
|
|
case ERROR_NONE_MAPPED:
|
|
status = create_unknownsid(WinNullSid, sid, sid_len);
|
|
break;
|
|
}
|
|
} else // This shouldn't happen
|
|
status = ERROR_INTERNAL_ERROR;
|
|
out:
|
|
return status;
|
|
}
|
|
|
|
static int handle_getacl(nfs41_upcall *upcall)
|
|
{
|
|
int status = ERROR_NOT_SUPPORTED;
|
|
getacl_upcall_args *args = &upcall->args.getacl;
|
|
nfs41_open_state *state = args->state;
|
|
nfs41_file_info info;
|
|
bitmap4 attr_request;
|
|
LPSTR domain = NULL;
|
|
|
|
// need to cache owner/group information XX
|
|
ZeroMemory(&info, sizeof(info));
|
|
init_getattr_request(&attr_request);
|
|
status = nfs41_getattr(state->session, &state->file, &attr_request, &info);
|
|
if (status) {
|
|
eprintf("nfs41_cached_getattr() failed with %d\n", status);
|
|
goto out;
|
|
}
|
|
|
|
args->osid_len = args->gsid_len = 0;
|
|
if (args->query & OWNER_SECURITY_INFORMATION) {
|
|
// parse user@domain. currently ignoring domain part XX
|
|
convert_nfs4name_2_user_domain((LPSTR)info.owner, &domain);
|
|
dprintf(1, "handle_getacl: OWNER_SECURITY_INFORMATION: for user=%s domain=%s\n",
|
|
info.owner, domain?domain:"<null>");
|
|
status = map_name_2_sid(&args->osid_len, &args->osid, (LPSTR)info.owner);
|
|
if (status)
|
|
goto out;
|
|
}
|
|
if (args->query & GROUP_SECURITY_INFORMATION) {
|
|
convert_nfs4name_2_user_domain((LPSTR)info.owner_group, &domain);
|
|
dprintf(1, "handle_getacl: GROUP_SECURITY_INFORMATION: for %s domain=%s\n",
|
|
info.owner_group, domain?domain:"<null>");
|
|
status = map_name_2_sid(&args->gsid_len, &args->gsid, (LPSTR)info.owner_group);
|
|
if (status)
|
|
goto out;
|
|
}
|
|
if (args->query & DACL_SECURITY_INFORMATION)
|
|
dprintf(1, "handle_getacl: DACL_SECURITY_INFORMATION\n");
|
|
if (args->query & SACL_SECURITY_INFORMATION)
|
|
dprintf(1, "handle_getacl: SACL_SECURITY_INFORMATION\n");
|
|
|
|
out:
|
|
return status;
|
|
}
|
|
|
|
static int marshall_acl(unsigned char **buffer, uint32_t *remaining, uint32_t sid_len, PSID sid)
|
|
{
|
|
int status;
|
|
status = safe_write(buffer, remaining, &sid_len, sizeof(sid_len));
|
|
if (status) goto out;
|
|
if (*remaining < sid_len)
|
|
return ERROR_BUFFER_OVERFLOW;
|
|
status = CopySid(sid_len, *buffer, sid);
|
|
free(sid);
|
|
if (!status) {
|
|
status = GetLastError();
|
|
dprintf(1, "marshall_acl: CopySid failed %d\n", status);
|
|
goto out;
|
|
} else {
|
|
status = 0;
|
|
*buffer += sid_len;
|
|
*remaining -= sid_len;
|
|
}
|
|
out:
|
|
return status;
|
|
}
|
|
|
|
static int marshall_getacl(unsigned char *buffer, uint32_t *length, nfs41_upcall *upcall)
|
|
{
|
|
int status = ERROR_NOT_SUPPORTED;
|
|
getacl_upcall_args *args = &upcall->args.getacl;
|
|
|
|
if (args->query & OWNER_SECURITY_INFORMATION) {
|
|
status = marshall_acl(&buffer, length, args->osid_len, args->osid);
|
|
if (status) goto out;
|
|
}
|
|
if (args->query & GROUP_SECURITY_INFORMATION) {
|
|
status = marshall_acl(&buffer, length, args->gsid_len, args->gsid);
|
|
if (status) goto out;
|
|
}
|
|
out:
|
|
return status;
|
|
}
|
|
|
|
const nfs41_upcall_op nfs41_op_getacl = {
|
|
parse_getacl,
|
|
handle_getacl,
|
|
marshall_getacl
|
|
};
|