vfs_acl_xattr|tdb: add option to control default ACL style

Existing behaviour is "posix" style. Next commit will (re)add the "windows" style. This commit doesn't change behaviour in any way. Bug: https://bugzilla.samba.org/show_bug.cgi?id=12177 Signed-off-by: Ralph Boehme <[email protected]> Reviewed-by: Jeremy Allison <[email protected]>
alagoutte · Aug 30, 2016 · 26a9867 · 26a9867
1 parent f46179e
commit 26a9867
Show file tree

Hide file tree

Showing 3 changed files with 92 additions and 6 deletions.
diff --git a/docs-xml/manpages/vfs_acl_tdb.8.xml b/docs-xml/manpages/vfs_acl_tdb.8.xml
@@ -63,6 +63,31 @@
 		</para>
 		</listitem>
 		</varlistentry>
+
+		<varlistentry>
+		<term>acl_tdb:default acl style = [posix|windows]</term>
+		<listitem>
+		<para>
+		This parameter determines the type of ACL that is synthesized in
+		case a file or directory lacks an
+		<emphasis>security.NTACL</emphasis> xattr.
+		</para>
+		<para>
+		When set to <emphasis>posix</emphasis>, an ACL will be
+		synthesized based on the POSIX mode permissions for user, group
+		and others, with an additional ACE for <emphasis>NT
+		Authority\SYSTEM</emphasis> will full rights.
+		</para>
+		<para>
+		When set to <emphasis>windows</emphasis>, an ACL is synthesized
+		the same way Windows does it, only including permissions for the
+		owner and <emphasis>NT Authority\SYSTEM</emphasis>.
+		</para>
+		<para>
+		The default for this option is <emphasis>posix</emphasis>.
+		</para>
+		</listitem>
+		</varlistentry>
 	</variablelist>
 
 </refsect1>

diff --git a/docs-xml/manpages/vfs_acl_xattr.8.xml b/docs-xml/manpages/vfs_acl_xattr.8.xml
@@ -67,6 +67,31 @@
 		</para>
 		</listitem>
 		</varlistentry>
+
+		<varlistentry>
+		<term>acl_xattr:default acl style = [posix|windows]</term>
+		<listitem>
+		<para>
+		This parameter determines the type of ACL that is synthesized in
+		case a file or directory lacks an
+		<emphasis>security.NTACL</emphasis> xattr.
+		</para>
+		<para>
+		When set to <emphasis>posix</emphasis>, an ACL will be
+		synthesized based on the POSIX mode permissions for user, group
+		and others, with an additional ACE for <emphasis>NT
+		Authority\SYSTEM</emphasis> will full rights.
+		</para>
+		<para>
+		When set to <emphasis>windows</emphasis>, an ACL is synthesized
+		the same way Windows does it, only including permissions for the
+		owner and <emphasis>NT Authority\SYSTEM</emphasis>.
+		</para>
+		<para>
+		The default for this option is <emphasis>posix</emphasis>.
+		</para>
+		</listitem>
+		</varlistentry>
 	</variablelist>
 
 </refsect1>

diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
@@ -46,8 +46,16 @@ static NTSTATUS store_acl_blob_fsp(vfs_handle_struct *handle,
 				SECINFO_DACL | \
 				SECINFO_SACL)
 
+enum default_acl_style {DEFAULT_ACL_POSIX, DEFAULT_ACL_WINDOWS};
+
+static const struct enum_list default_acl_style[] = {
+	{DEFAULT_ACL_POSIX,	"posix"},
+	{DEFAULT_ACL_WINDOWS,	"windows"}
+};
+
 struct acl_common_config {
 	bool ignore_system_acls;
+	enum default_acl_style default_acl_style;
 };
 
 static bool init_acl_common_config(vfs_handle_struct *handle)
@@ -65,6 +73,11 @@ static bool init_acl_common_config(vfs_handle_struct *handle)
 						  ACL_MODULE_NAME,
 						  "ignore system acls",
 						  false);
+	config->default_acl_style = lp_parm_enum(SNUM(handle->conn),
+						 ACL_MODULE_NAME,
+						 "default acl style",
+						 default_acl_style,
+						 DEFAULT_ACL_POSIX);
 
 	SMB_VFS_HANDLE_SET_DATA(handle, config, NULL,
 				struct acl_common_config,
@@ -387,10 +400,10 @@ static NTSTATUS add_directory_inheritable_components(vfs_handle_struct *handle,
 	return NT_STATUS_OK;
 }
 
-static NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
-					    const char *name,
-					    SMB_STRUCT_STAT *psbuf,
-					    struct security_descriptor **ppdesc)
+static NTSTATUS make_default_acl_posix(TALLOC_CTX *ctx,
+				       const char *name,
+				       SMB_STRUCT_STAT *psbuf,
+				       struct security_descriptor **ppdesc)
 {
 	struct dom_sid owner_sid, group_sid;
 	size_t size = 0;
@@ -400,8 +413,7 @@ static NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
 	struct security_acl *new_dacl = NULL;
 	int idx = 0;
 
-	DEBUG(10,("make_default_filesystem_acl: file %s mode = 0%o\n",
-		name, (int)mode ));
+	DBG_DEBUG("file %s mode = 0%o\n",name, (int)mode);
 
 	uid_to_sid(&owner_sid, psbuf->st_ex_uid);
 	gid_to_sid(&group_sid, psbuf->st_ex_gid);
@@ -495,6 +507,29 @@ static NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
 	return NT_STATUS_OK;
 }
 
+static NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
+					    struct acl_common_config *config,
+					    const char *name,
+					    SMB_STRUCT_STAT *psbuf,
+					    struct security_descriptor **ppdesc)
+{
+	NTSTATUS status;
+
+	switch (config->default_acl_style) {
+
+	case DEFAULT_ACL_POSIX:
+		status =  make_default_acl_posix(ctx, name, psbuf, ppdesc);
+		break;
+
+	default:
+		DBG_ERR("unknown acl style %d", config->default_acl_style);
+		status = NT_STATUS_INTERNAL_ERROR;
+		break;
+	}
+
+	return status;
+}
+
 /**
  * Validate an ACL blob
  *
@@ -805,6 +840,7 @@ static NTSTATUS get_nt_acl_internal(vfs_handle_struct *handle,
 
 			status = make_default_filesystem_acl(
 				mem_ctx,
+				config,
 				smb_fname->base_name,
 				psbuf,
 				&psd);