From b952ddfbe6e6527892cabf0076e16a4c14f952b8 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 25 Sep 2002 05:11:25 +0000
Subject: Merge of "profile acls" code. Jeremy. (This used to be commit
 cfd1bf250b417f3ba3ad21ff681ab282311bb7eb)

---
 source3/lib/util_sid.c    |  9 +++++++--
 source3/param/loadparm.c  |  6 ++++++
 source3/smbd/posix_acls.c | 30 ++++++++++++++++++++++++++++--
 3 files changed, 41 insertions(+), 4 deletions(-)

diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index 8bb06e8866c..e9635fc7f84 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -30,13 +30,11 @@ extern fstring global_myworkgroup;
  * Some useful sids
  */
 
-DOM_SID global_sid_Builtin; 				/* Local well-known domain */
 DOM_SID global_sid_World_Domain;	    	/* Everyone domain */
 DOM_SID global_sid_World;    				/* Everyone */
 DOM_SID global_sid_Creator_Owner_Domain;    /* Creator Owner domain */
 DOM_SID global_sid_NT_Authority;    		/* NT Authority */
 DOM_SID global_sid_NULL;            		/* NULL sid */
-DOM_SID global_sid_Builtin_Guests;			/* Builtin guest users */
 DOM_SID global_sid_Authenticated_Users;		/* All authenticated rids */
 DOM_SID global_sid_Network;					/* Network rids */
 
@@ -44,6 +42,11 @@ static DOM_SID global_sid_Creator_Owner;    		/* Creator Owner */
 static DOM_SID global_sid_Creator_Group;              /* Creator Group */
 static DOM_SID global_sid_Anonymous;				/* Anonymous login */
 
+DOM_SID global_sid_Builtin; 				/* Local well-known domain */
+DOM_SID global_sid_Builtin_Administrators;
+DOM_SID global_sid_Builtin_Users;
+DOM_SID global_sid_Builtin_Guests;			/* Builtin guest users */
+
 /*
  * An NT compatible anonymous token.
  */
@@ -99,6 +102,8 @@ const char *sid_type_lookup(uint32 sid_type)
 void generate_wellknown_sids(void)
 {
 	string_to_sid(&global_sid_Builtin, "S-1-5-32");
+	string_to_sid(&global_sid_Builtin_Administrators, "S-1-5-32-544");
+	string_to_sid(&global_sid_Builtin_Users, "S-1-5-32-545");
 	string_to_sid(&global_sid_Builtin_Guests, "S-1-5-32-546");
 	string_to_sid(&global_sid_World_Domain, "S-1-1");
 	string_to_sid(&global_sid_World, "S-1-1-0");
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index f95c03dcdbe..7b8efbd5bc7 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -388,6 +388,8 @@ typedef struct
 #ifdef WITH_SENDFILE
 	BOOL bUseSendfile;
 #endif
+	BOOL bProfileAcls;
+
 	char dummy[3];		/* for alignment */
 }
 service;
@@ -510,6 +512,7 @@ static service sDefault = {
 #ifdef WITH_SENDFILE
 	False,			/* bUseSendfile */
 #endif
+	False,			/* bProfileAcls */
 
 	""			/* dummy */
 };
@@ -811,6 +814,8 @@ static struct parm_struct parm_table[] = {
 	{"nt pipe support", P_BOOL, P_GLOBAL, &Globals.bNTPipeSupport, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
 	{"nt acl support", P_BOOL,  P_LOCAL, &sDefault.bNTAclSupport, NULL, NULL, FLAG_GLOBAL | FLAG_SHARE  | FLAG_ADVANCED | FLAG_WIZARD},
 	{"nt status support", P_BOOL, P_GLOBAL, &Globals.bNTStatusSupport, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
+	{"profile acls", P_BOOL,  P_LOCAL, &sDefault.bProfileAcls, NULL, NULL, FLAG_GLOBAL | FLAG_SHARE  | FLAG_ADVANCED | FLAG_WIZARD},
+	
 	{"announce version", P_STRING, P_GLOBAL, &Globals.szAnnounceVersion, NULL, NULL, FLAG_DEVELOPER},
 	{"announce as", P_ENUM, P_GLOBAL, &Globals.announce_as, NULL, enum_announce_as, FLAG_DEVELOPER},
 	{"max mux", P_INTEGER, P_GLOBAL, &Globals.max_mux, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
@@ -1742,6 +1747,7 @@ FN_LOCAL_BOOL(lp_nt_acl_support, bNTAclSupport)
 #ifdef WITH_SENDFILE
 FN_LOCAL_BOOL(lp_use_sendfile, bUseSendfile)
 #endif
+FN_LOCAL_BOOL(lp_profile_acls, bProfileAcls)
 FN_LOCAL_INTEGER(lp_create_mask, iCreate_mask)
 FN_LOCAL_INTEGER(lp_force_create_mode, iCreate_force_mode)
 FN_LOCAL_INTEGER(lp_security_mask, iSecurity_mask)
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 043e33e8367..e6ae1c7d799 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1881,6 +1881,8 @@ static int nt_ace_comp( SEC_ACE *a1, SEC_ACE *a2)
 
 size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
 {
+	extern DOM_SID global_sid_Builtin_Administrators;
+	extern DOM_SID global_sid_Builtin_Users;
 	connection_struct *conn = fsp->conn;
 	SMB_STRUCT_STAT sbuf;
 	SEC_ACE *nt_ace_list = NULL;
@@ -1895,6 +1897,7 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
 	SMB_ACL_T dir_acl = NULL;
 	canon_ace *file_ace = NULL;
 	canon_ace *dir_ace = NULL;
+	size_t num_profile_acls = 0;
  
 	*ppdesc = NULL;
 
@@ -1939,7 +1942,14 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
 	 * Get the owner, group and world SIDs.
 	 */
 
-	create_file_sids(&sbuf, &owner_sid, &group_sid);
+	if (lp_profile_acls(SNUM(fsp->conn))) {
+		/* For WXP SP1 the owner must be administrators. */
+		sid_copy(&owner_sid, &global_sid_Builtin_Administrators);
+		sid_copy(&group_sid, &global_sid_Builtin_Users);
+		num_profile_acls = 2;
+	} else {
+		create_file_sids(&sbuf, &owner_sid, &group_sid);
+	}
 
 	/* Create the canon_ace lists. */
 	file_ace = canonicalise_acl( fsp, posix_acl, &sbuf,  &owner_sid, &group_sid);
@@ -1963,7 +1973,7 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
 	}
 
 	/* Allocate the ace list. */
-	if ((nt_ace_list = (SEC_ACE *)malloc((num_acls + num_dir_acls)* sizeof(SEC_ACE))) == NULL) {
+	if ((nt_ace_list = (SEC_ACE *)malloc((num_acls + num_profile_acls + num_dir_acls)* sizeof(SEC_ACE))) == NULL) {
 		DEBUG(0,("get_nt_acl: Unable to malloc space for nt_ace_list.\n"));
 		goto done;
 	}
@@ -1986,6 +1996,13 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
 			init_sec_ace(&nt_ace_list[num_aces++], &ace->trustee, nt_acl_type, acc, 0);
 		}
 
+		/* The User must have access to a profile share - even if we can't map the SID. */
+		if (lp_profile_acls(SNUM(fsp->conn))) {
+			SEC_ACCESS acc;
+			init_sec_access(&acc,FILE_GENERIC_ALL);
+			init_sec_ace(&nt_ace_list[num_aces++], &global_sid_Builtin_Users, SEC_ACE_TYPE_ACCESS_ALLOWED, acc, 0);
+		}
+
 		ace = dir_ace;
 
 		for (i = 0; i < num_dir_acls; i++, ace = ace->next) {
@@ -1994,6 +2011,15 @@ size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
 					SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
 		}
 
+		/* The User must have access to a profile share - even if we can't map the SID. */
+		if (lp_profile_acls(SNUM(fsp->conn))) {
+			SEC_ACCESS acc;
+			init_sec_access(&acc,FILE_GENERIC_ALL);
+			init_sec_ace(&nt_ace_list[num_aces++], &global_sid_Builtin_Users, SEC_ACE_TYPE_ACCESS_ALLOWED, acc,
+					SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT|
+					SEC_ACE_FLAG_INHERIT_ONLY);
+		}
+
 		/*
 		 * Sort to force deny entries to the front.
 		 */
-- 
cgit