From d598cc4012f602d01ecd4a3c10100085af62e453 Mon Sep 17 00:00:00 2001 From: Alexander Werth Date: Mon, 15 Apr 2013 16:08:46 +0200 Subject: [PATCH 1/5] s3: Move up declaration of params struct and related function. We need the parameters earlier in the code so we move up the declaration of the params struct. Since reading the parameters is closely related the definition of the function smbacl4_get_vfs_params has also been moved up. --- source3/modules/nfs4_acls.c | 98 +++++++++++++++++++++---------------------- 1 file changed, 49 insertions(+), 49 deletions(-) diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index fa6b2fe..bd30956 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c 
@@ -54,6 +54,55 @@ typedef struct _SMB_ACL4_INT_T SMB_ACE4_INT_T *last; } SMB_ACL4_INT_T; +enum smbacl4_mode_enum {e_simple=0, e_special=1}; +enum smbacl4_acedup_enum {e_dontcare=0, e_reject=1, e_ignore=2, e_merge=3}; + +typedef struct _smbacl4_vfs_params { + enum smbacl4_mode_enum mode; + bool do_chown; + enum smbacl4_acedup_enum acedup; +} smbacl4_vfs_params; + +/* + * Gather special parameters for NFS4 ACL handling + */ +static int smbacl4_get_vfs_params( + const char *type_name, + files_struct *fsp, + smbacl4_vfs_params *params +) +{ + static const struct enum_list enum_smbacl4_modes[] = { + { e_simple, "simple" }, + { e_special, "special" }, + { -1 , NULL } + }; + static const struct enum_list enum_smbacl4_acedups[] = { + { e_dontcare, "dontcare" }, + { e_reject, "reject" }, + { e_ignore, "ignore" }, + { e_merge, "merge" }, + { -1 , NULL } + }; + + memset(params, 0, sizeof(smbacl4_vfs_params)); + params->mode = (enum smbacl4_mode_enum)lp_parm_enum( + SNUM(fsp->conn), type_name, + "mode", enum_smbacl4_modes, e_simple); + params->do_chown = lp_parm_bool(SNUM(fsp->conn), type_name, + "chown", True); + params->acedup = (enum smbacl4_acedup_enum)lp_parm_enum( + SNUM(fsp->conn), type_name, + "acedup", enum_smbacl4_acedups, e_dontcare); + + DEBUG(10, ("mode:%s, do_chown:%s, acedup: %s\n", + enum_smbacl4_modes[params->mode].name, + params->do_chown ? "true" : "false", + enum_smbacl4_acedups[params->acedup].name)); + + return 0; +} + /************************************************ Split the ACE flag mapping between nfs4 and Windows into two separate functions rather than trying to do 
@@ -462,55 +511,6 @@ NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn, theacl); } -enum smbacl4_mode_enum {e_simple=0, e_special=1}; -enum smbacl4_acedup_enum {e_dontcare=0, e_reject=1, e_ignore=2, e_merge=3}; - -typedef struct _smbacl4_vfs_params { - enum smbacl4_mode_enum mode; - bool do_chown; - enum smbacl4_acedup_enum acedup; -} smbacl4_vfs_params; - -/* - * Gather special parameters for NFS4 ACL handling - */ -static int smbacl4_get_vfs_params( - const char *type_name, - files_struct *fsp, - smbacl4_vfs_params *params -) -{ - static const struct enum_list enum_smbacl4_modes[] = { - { e_simple, "simple" }, - { e_special, "special" }, - { -1 , NULL } - }; - static const struct enum_list enum_smbacl4_acedups[] = { - { e_dontcare, "dontcare" }, - { e_reject, "reject" }, - { e_ignore, "ignore" }, - { e_merge, "merge" }, - { -1 , NULL } - }; - - memset(params, 0, sizeof(smbacl4_vfs_params)); - params->mode = (enum smbacl4_mode_enum)lp_parm_enum( - SNUM(fsp->conn), type_name, - "mode", enum_smbacl4_modes, e_simple); - params->do_chown = lp_parm_bool(SNUM(fsp->conn), type_name, - "chown", True); - params->acedup = (enum smbacl4_acedup_enum)lp_parm_enum( - SNUM(fsp->conn), type_name, - "acedup", enum_smbacl4_acedups, e_dontcare); - - DEBUG(10, ("mode:%s, do_chown:%s, acedup: %s\n", - enum_smbacl4_modes[params->mode].name, - params->do_chown ? "true" : "false", - enum_smbacl4_acedups[params->acedup].name)); - - return 0; -} - static void smbacl4_dump_nfs4acl(int level, SMB4ACL_T *theacl) { SMB_ACL4_INT_T *aclint = get_validated_aclint(theacl); -- 1.7.9.5 From ac8d08f0424b1b3782b4c04b514834aaa9563f5a Mon Sep 17 00:00:00 2001 From: Alexander Werth Date: Thu, 26 Jul 2012 17:11:03 +0200 Subject: [PATCH 2/5] s3: Change smbacl4_get_vfs_params to use connection_struct instead of fsp. --- source3/modules/nfs4_acls.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) 
diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index bd30956..8510071 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c @@ -68,7 +68,7 @@ typedef struct _smbacl4_vfs_params { */ static int smbacl4_get_vfs_params( const char *type_name, - files_struct *fsp, + struct connection_struct *conn, smbacl4_vfs_params *params ) { @@ -87,12 +87,12 @@ static int smbacl4_get_vfs_params( memset(params, 0, sizeof(smbacl4_vfs_params)); params->mode = (enum smbacl4_mode_enum)lp_parm_enum( - SNUM(fsp->conn), type_name, + SNUM(conn), type_name, "mode", enum_smbacl4_modes, e_simple); - params->do_chown = lp_parm_bool(SNUM(fsp->conn), type_name, + params->do_chown = lp_parm_bool(SNUM(conn), type_name, "chown", True); params->acedup = (enum smbacl4_acedup_enum)lp_parm_enum( - SNUM(fsp->conn), type_name, + SNUM(conn), type_name, "acedup", enum_smbacl4_acedups, e_dontcare); DEBUG(10, ("mode:%s, do_chown:%s, acedup: %s\n", @@ -765,7 +765,8 @@ NTSTATUS smb_set_nt_acl_nfs4(vfs_handle_struct *handle, files_struct *fsp, } /* Special behaviours */ - if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, fsp, ¶ms)) { + if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, + fsp->conn, ¶ms)) { TALLOC_FREE(frame); return NT_STATUS_NO_MEMORY; } -- 1.7.9.5 From 4d67d2ab09df8eba244d9dabaf1ac9b329679ab9 Mon Sep 17 00:00:00 2001 From: Alexander Werth Date: Thu, 26 Jul 2012 17:29:12 +0200 Subject: [PATCH 3/5] s3: Add params parameter to smbacl4_nfs42win function. --- source3/modules/nfs4_acls.c | 37 +++++++++++++++++++++++++------------ 1 file changed, 25 insertions(+), 12 deletions(-) diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index 8510071..ea7261b 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c 
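Review bot: The reflowed call in smb_set_nt_acl_nfs4 still maps a non-zero return from smbacl4_get_vfs_params to NT_STATUS_NO_MEMORY, but the body moved in the previous patch ends in an unconditional `return 0;`, so the error branch is unreachable and would report the wrong status if it ever became reachable. The values come from lp_parm_enum/lp_parm_bool lookups with defaults, which do not appear to have a failure mode, so either make the function `void` and drop the `if`, or give it an NTSTATUS return and propagate that unchanged. The same pattern is copied into the two new callers in smb_fget_nt_acl_nfs4 and smb_get_nt_acl_nfs4 in the following patch. smb_set_nt_acl_nfs4 starts and ends outside this hunk.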
@@ -307,7 +307,9 @@ static int smbacl4_fGetFileOwner(files_struct *fsp, SMB_STRUCT_STAT *psbuf) return 0; } -static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, SMB4ACL_T *theacl, /* in */ +static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, + smbacl4_vfs_params *params, + SMB4ACL_T *theacl, /* in */ struct dom_sid *psid_owner, /* in */ struct dom_sid *psid_group, /* in */ bool is_directory, /* in */ @@ -417,10 +419,13 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, SMB4ACL_T *theacl, /* in */ } static NTSTATUS smb_get_nt_acl_nfs4_common(const SMB_STRUCT_STAT *sbuf, - uint32 security_info, TALLOC_CTX *mem_ctx, - struct security_descriptor **ppdesc, SMB4ACL_T *theacl) + smbacl4_vfs_params *params, + uint32 security_info, + TALLOC_CTX *mem_ctx, + struct security_descriptor **ppdesc, + SMB4ACL_T *theacl) { - int good_aces = 0; + int good_aces = 0; struct dom_sid sid_owner, sid_group; size_t sd_size = 0; struct security_ace *nt_ace_list = NULL; @@ -437,7 +442,7 @@ static NTSTATUS smb_get_nt_acl_nfs4_common(const SMB_STRUCT_STAT *sbuf, uid_to_sid(&sid_owner, sbuf->st_ex_uid); gid_to_sid(&sid_group, sbuf->st_ex_gid); - if (smbacl4_nfs42win(mem_ctx, theacl, &sid_owner, &sid_group, + if (smbacl4_nfs42win(mem_ctx, params, theacl, &sid_owner, &sid_group, S_ISDIR(sbuf->st_ex_mode), &nt_ace_list, &good_aces)==False) { DEBUG(8,("smbacl4_nfs42win failed\n")); @@ -479,6 +484,7 @@ NTSTATUS smb_fget_nt_acl_nfs4(files_struct *fsp, SMB4ACL_T *theacl) { SMB_STRUCT_STAT sbuf; + smbacl4_vfs_params params; DEBUG(10, ("smb_fget_nt_acl_nfs4 invoked for %s\n", fsp_str_dbg(fsp))); 
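Review bot: The `params` pointer added to smbacl4_nfs42win and smb_get_nt_acl_nfs4_common is only read by the callees (the later patch tests `params->mode`), so both signatures should take `const smbacl4_vfs_params *params`; that documents that ACL conversion cannot change the share settings and lets callers pass a const struct. The @@ -417 hunk also touches `int good_aces = 0;` in whitespace only, which would be easier to review as a separate cleanup. Both functions continue past the end of their hunks.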
@@ -486,9 +492,12 @@ NTSTATUS smb_fget_nt_acl_nfs4(files_struct *fsp, return map_nt_error_from_unix(errno); } - return smb_get_nt_acl_nfs4_common(&sbuf, security_info, - mem_ctx, ppdesc, - theacl); + /* Special behaviours */ + if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, fsp->conn, ¶ms)) + return NT_STATUS_NO_MEMORY; + + return smb_get_nt_acl_nfs4_common(&sbuf, ¶ms, security_info, + mem_ctx, ppdesc, theacl); } NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn, @@ -499,6 +508,7 @@ NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn, SMB4ACL_T *theacl) { SMB_STRUCT_STAT sbuf; + smbacl4_vfs_params params; DEBUG(10, ("smb_get_nt_acl_nfs4 invoked for %s\n", name)); @@ -506,9 +516,12 @@ NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn, return map_nt_error_from_unix(errno); } - return smb_get_nt_acl_nfs4_common(&sbuf, security_info, - mem_ctx, ppdesc, - theacl); + /* Special behaviours */ + if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, conn, ¶ms)) + return NT_STATUS_NO_MEMORY; + + return smb_get_nt_acl_nfs4_common(&sbuf, ¶ms, security_info, + mem_ctx, ppdesc, theacl); } static void smbacl4_dump_nfs4acl(int level, SMB4ACL_T *theacl) @@ -548,7 +561,7 @@ static SMB_ACE4PROP_T *smbacl4_find_equal_special( aceint=(SMB_ACE4_INT_T *)aceint->next) { SMB_ACE4PROP_T *ace = &aceint->prop; - DEBUG(10,("ace type:0x%x flags:0x%x aceFlags:0x%x " + DEBUG(10,("ace type:0x%x flags:0x%x aceFlags:0x%x " "new type:0x%x flags:0x%x aceFlags:0x%x\n", ace->aceType, ace->flags, ace->aceFlags, aceNew->aceType, aceNew->flags,aceNew->aceFlags)); -- 1.7.9.5 From 9d09296bb97ff79ce7813d060f6a0d88e887d9b8 Mon Sep 17 00:00:00 2001 From: Alexander Werth Date: Wed, 25 Apr 2012 15:10:20 +0200 Subject: [PATCH 4/5] s3: Mapping of special entries to creator owner in mode simple. --- source3/modules/nfs4_acls.c | 59 ++++++++++++++++++++++++++++++++++++++----- 1 file changed, 53 insertions(+), 6 deletions(-) 
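Review bot: The two new `if (smbacl4_get_vfs_params(...)) return NT_STATUS_NO_MEMORY;` statements in smb_fget_nt_acl_nfs4 and smb_get_nt_acl_nfs4 are unbraced single-line bodies, while the neighbouring error paths in the same functions brace theirs (the `map_nt_error_from_unix` returns just above); write them as `if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, fsp->conn, &params)) {` / `return NT_STATUS_NO_MEMORY;` / `}`. The `/* Special behaviours */` comment copied from the set path does not say what is read; `/* Read the per-share mode/chown/acedup settings that steer the mapping */` would tell the reader why the lookup now also sits on the get path. The @@ -548 hunk is a whitespace-only change to a DEBUG string.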
diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index ea7261b..c4cc4fc 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c @@ -326,10 +326,11 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, aclint = get_validated_aclint(theacl); /* We do not check for naces being 0 or theacl being NULL here - * because it is done upstream */ - /* in smb_get_nt_acl_nfs4(). */ + because it is done upstream in smb_get_nt_acl_nfs4(). + We reserve twice the number of input aces because one nfs4 + ace might result in 2 nt aces.*/ nt_ace_list = (struct security_ace *)TALLOC_ZERO_SIZE( - mem_ctx, aclint->naces * sizeof(struct security_ace)); + mem_ctx, 2 * aclint->naces * sizeof(struct security_ace)); if (nt_ace_list==NULL) { DEBUG(10, ("talloc error")); 
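Review bot: `2 * aclint->naces * sizeof(struct security_ace)` is evaluated in plain integer arithmetic before TALLOC_ZERO_SIZE sees it, so a large `naces` (its type is not visible here) can wrap the requested size silently; `talloc_zero_array(mem_ctx, struct security_ace, 2 * aclint->naces)` performs the count-times-element-size multiplication under talloc's own overflow check and returns the typed pointer without the cast. The reworded comment also lost the ` * ` prefix on its continuation lines that block comments elsewhere in this file use. smbacl4_nfs42win starts before this hunk.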
@@ -407,11 +408,57 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, if(ace->aceType == SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE) { mask = ace->aceMask | SMB_ACE4_SYNCHRONIZE; } - init_sec_ace(&nt_ace_list[good_aces++], &sid, - ace->aceType, mask, - win_ace_flags); + + /* Mapping of special entries to creator owner. */ + if (params->mode == e_simple && + ace->flags & SMB_ACE4_ID_SPECIAL && + (ace->who.special_id == SMB_ACE4_WHO_OWNER || + ace->who.special_id == SMB_ACE4_WHO_GROUP)) { + DEBUG(10, ("Map special entry\n")); + if (!(win_ace_flags & SEC_ACE_FLAG_INHERIT_ONLY)) { + DEBUG(10, ("Map current sid\n")); + uint32_t win_ace_flags_current; + win_ace_flags_current = win_ace_flags & + ~(SEC_ACE_FLAG_OBJECT_INHERIT | + SEC_ACE_FLAG_CONTAINER_INHERIT); + init_sec_ace(&nt_ace_list[good_aces++], &sid, + ace->aceType, mask, + win_ace_flags); + } + if (ace->who.special_id == SMB_ACE4_WHO_OWNER && + win_ace_flags & (SEC_ACE_FLAG_OBJECT_INHERIT | + SEC_ACE_FLAG_CONTAINER_INHERIT)) { + uint32_t win_ace_flags_creator; + DEBUG(10, ("Map creator owner\n")); + win_ace_flags_creator = win_ace_flags | + SMB_ACE4_INHERIT_ONLY_ACE; + init_sec_ace(&nt_ace_list[good_aces++], + &global_sid_Creator_Owner, + ace->aceType, mask, + win_ace_flags_creator); + } + if (ace->who.special_id == SMB_ACE4_WHO_GROUP && + win_ace_flags & (SEC_ACE_FLAG_OBJECT_INHERIT | + SEC_ACE_FLAG_CONTAINER_INHERIT)) { + uint32_t win_ace_flags_creator; + DEBUG(10, ("Map creator owner group\n")); + win_ace_flags_creator = win_ace_flags | + SMB_ACE4_INHERIT_ONLY_ACE; + init_sec_ace(&nt_ace_list[good_aces++], + &global_sid_Creator_Group, + ace->aceType, mask, + win_ace_flags_creator); + } + } else { + DEBUG(10, ("Map normal sid\n")); + init_sec_ace(&nt_ace_list[good_aces++], &sid, + ace->aceType, mask, + win_ace_flags); + } } + nt_ace_list = (struct security_ace *)TALLOC_REALLOC(mem_ctx, nt_ace_list, good_aces * sizeof(struct security_ace)); + *ppnt_ace_list = nt_ace_list; *pgood_aces = good_aces; -- 1.7.9.5 
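Review bot: `win_ace_flags_current` is computed in the "Map current sid" branch but never used: the `init_sec_ace` call right after it still passes `win_ace_flags`, so the entry for the current owner keeps the OBJECT_INHERIT/CONTAINER_INHERIT bits the branch just masked off and a directory ends up with an inheritable owner ACE next to the inherit-only CREATOR OWNER one (the compiler will also warn about the unused variable). In the two creator branches `win_ace_flags_creator = win_ace_flags | SMB_ACE4_INHERIT_ONLY_ACE` ORs an NFSv4 aceFlags constant into a Windows `SEC_ACE_FLAG_*` word; the condition a few lines above uses `SEC_ACE_FLAG_INHERIT_ONLY`, which is the constant that belongs here unless the two are guaranteed to share a value. The new TALLOC_REALLOC that shrinks `nt_ace_list` is unchecked: on failure the function still reports success with `*ppnt_ace_list = NULL` and a non-zero `*pgood_aces`, and since talloc treats a zero-byte realloc as a free that returns NULL, the good_aces == 0 case has to be told apart from a real failure. Minor: `uint32_t win_ace_flags_current;` is declared after the DEBUG statement while the sibling branches declare first.
```c
			if (!(win_ace_flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
				uint32_t win_ace_flags_current;
				DEBUG(10, ("Map current sid\n"));
				win_ace_flags_current = win_ace_flags &
					~(SEC_ACE_FLAG_OBJECT_INHERIT |
					  SEC_ACE_FLAG_CONTAINER_INHERIT);
				init_sec_ace(&nt_ace_list[good_aces++], &sid,
					     ace->aceType, mask,
					     win_ace_flags_current);
			}
			/* … unchanged: owner and group creator branches, except
			 * that both build the flag word as … */
				win_ace_flags_creator = win_ace_flags |
					SEC_ACE_FLAG_INHERIT_ONLY;
	/* … unchanged: "Map normal sid" branch, end of loop … */

	/* A zero-byte talloc realloc frees the buffer and returns NULL, so
	 * only NULL with entries pending is an allocation failure. */
	nt_ace_list = talloc_realloc(mem_ctx, nt_ace_list,
				     struct security_ace, good_aces);
	if (good_aces != 0 && nt_ace_list == NULL) {
		DEBUG(10, ("realloc error with %d aces\n", good_aces));
		return False;
	}
```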
From b8369bb607d9d7b96cd7ac782f740f6b868c951b Mon Sep 17 00:00:00 2001 From: Alexander Werth Date: Thu, 10 May 2012 14:19:41 +0200 Subject: [PATCH 5/5] s3: Mapping of cifs creator owner to nfs owner@ ace. This is ignored in nfs4mode special for compatibility. Also ensure that we drop non inheriting creator owner aces since these don't contribute to who can access a file. --- source3/modules/nfs4_acls.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index c4cc4fc..15b5f7c 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c @@ -685,6 +685,30 @@ static bool smbacl4_fill_ace4( if (dom_sid_equal(&ace_nt->trustee, &global_sid_World)) { ace_v4->who.special_id = SMB_ACE4_WHO_EVERYONE; ace_v4->flags |= SMB_ACE4_ID_SPECIAL; + } else if (params->mode!=e_special && + dom_sid_equal(&ace_nt->trustee, + &global_sid_Creator_Owner)) { + DEBUG(10, ("Map creator owner\n")); + ace_v4->who.special_id = SMB_ACE4_WHO_OWNER; + ace_v4->flags |= SMB_ACE4_ID_SPECIAL; + /* A non inheriting creator owner entry has no effect. */ + ace_v4->aceFlags |= SMB_ACE4_INHERIT_ONLY_ACE; + if (!(ace_v4->aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE) + && !(ace_v4->aceFlags & SMB_ACE4_FILE_INHERIT_ACE)) { + return False; + } + } else if (params->mode!=e_special && + dom_sid_equal(&ace_nt->trustee, + &global_sid_Creator_Group)) { + DEBUG(10, ("Map creator owner group\n")); + ace_v4->who.special_id = SMB_ACE4_WHO_GROUP; + ace_v4->flags |= SMB_ACE4_ID_SPECIAL; + /* A non inheriting creator group entry has no effect. */ + ace_v4->aceFlags |= SMB_ACE4_INHERIT_ONLY_ACE; + if (!(ace_v4->aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE) + && !(ace_v4->aceFlags & SMB_ACE4_FILE_INHERIT_ACE)) { + return False; + } } else { uid_t uid; gid_t gid; -- 1.7.9.5
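Review bot: The two new branches return False for a CREATOR OWNER or CREATOR GROUP ACE that carries neither FILE_INHERIT nor DIRECTORY_INHERIT, intending (per the commit message) to drop the entry; whether the caller of smbacl4_fill_ace4 skips that one ACE or treats False as a failed conversion of the whole descriptor is not visible here, because the function and its callers start outside the hunk, so please confirm it is the former — otherwise a client writing an ordinary non-inheritable CREATOR OWNER entry would have its whole ACL update rejected instead of one entry ignored. `ace_v4->aceFlags |= SMB_ACE4_INHERIT_ONLY_ACE;` is applied before the early return, so put the check first and collapse it, `if (!(ace_v4->aceFlags & (SMB_ACE4_DIRECTORY_INHERIT_ACE | SMB_ACE4_FILE_INHERIT_ACE))) { return False; }`, which also makes the "has no effect" comment read in order. The two branches differ only in the SID compared, the special_id assigned and the debug text; a small static helper taking those three would keep the inherit handling in one place.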