[SCM] Samba Shared Repository - branch master updated - ec5d09dbff94d909f5ef65fb30165672947455b8

Jeremy Allison jra at samba.org
Wed Oct 8 00:51:28 GMT 2008


The branch, master has been updated
       via  ec5d09dbff94d909f5ef65fb30165672947455b8 (commit)
      from  2024d87cf5ffa0633225ed189fa48f0f56151e7e (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit ec5d09dbff94d909f5ef65fb30165672947455b8
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Oct 7 17:50:01 2008 -0700

    Update vfs version as I've added a const to the security_descriptor paramter in fset_nt_acl().
    Need to watch the build farm to make sure I haven't broken the AIX or Solaris ACL modules.
    Jeremy.

-----------------------------------------------------------------------

Summary of changes:
 examples/VFS/skel_opaque.c       |    2 +-
 examples/VFS/skel_transparent.c  |    2 +-
 source3/include/proto.h          |    4 +-
 source3/include/vfs.h            |    5 ++-
 source3/modules/nfs4_acls.c      |   10 ++-----
 source3/modules/vfs_acl_xattr.c  |    4 +-
 source3/modules/vfs_afsacl.c     |   10 +++---
 source3/modules/vfs_aixacl2.c    |    4 +-
 source3/modules/vfs_default.c    |    2 +-
 source3/modules/vfs_full_audit.c |    4 +-
 source3/modules/vfs_gpfs.c       |    4 +-
 source3/modules/vfs_zfsacl.c     |    4 +-
 source3/smbd/posix_acls.c        |   51 +++++++++++++++++++------------------
 13 files changed, 52 insertions(+), 54 deletions(-)


Changeset truncated at 500 lines:

diff --git a/examples/VFS/skel_opaque.c b/examples/VFS/skel_opaque.c
index 89d8ce5..3df1fcd 100644
--- a/examples/VFS/skel_opaque.c
+++ b/examples/VFS/skel_opaque.c
@@ -315,7 +315,7 @@ static size_t skel_get_nt_acl(vfs_handle_struct *handle,
 }
 
 static NTSTATUS skel_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
-	uint32 security_info_sent, SEC_DESC *psd)
+	uint32 security_info_sent, const SEC_DESC *psd)
 {
 	errno = ENOSYS;
 	return NT_STATUS_NOT_IMPLEMENTED;
diff --git a/examples/VFS/skel_transparent.c b/examples/VFS/skel_transparent.c
index ea8530d..e6dee97 100644
--- a/examples/VFS/skel_transparent.c
+++ b/examples/VFS/skel_transparent.c
@@ -302,7 +302,7 @@ static NTSTATUS skel_get_nt_acl(vfs_handle_struct *handle,
 }
 
 static NTSTATUS skel_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
-	uint32 security_info_sent, SEC_DESC *psd)
+	uint32 security_info_sent, const SEC_DESC *psd)
 {
 	return SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
 }
diff --git a/source3/include/proto.h b/source3/include/proto.h
index d7acdcb..efa29be 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -9923,14 +9923,14 @@ void reply_pipe_close(connection_struct *conn, struct smb_request *req);
 
 /* The following definitions come from smbd/posix_acls.c  */
 
-NTSTATUS unpack_nt_owners(int snum, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, SEC_DESC *psd);
+NTSTATUS unpack_nt_owners(int snum, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, const SEC_DESC *psd);
 SMB_ACL_T free_empty_sys_acl(connection_struct *conn, SMB_ACL_T the_acl);
 NTSTATUS posix_fget_nt_acl(struct files_struct *fsp, uint32_t security_info,
 			   SEC_DESC **ppdesc);
 NTSTATUS posix_get_nt_acl(struct connection_struct *conn, const char *name,
 			  uint32_t security_info, SEC_DESC **ppdesc);
 int try_chown(connection_struct *conn, const char *fname, uid_t uid, gid_t gid);
-NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd);
+NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC *psd);
 int get_acl_group_bits( connection_struct *conn, const char *fname, mode_t *mode );
 int chmod_acl(connection_struct *conn, const char *name, mode_t mode);
 int inherit_access_posix_acl(connection_struct *conn, const char *inherit_from_dir,
diff --git a/source3/include/vfs.h b/source3/include/vfs.h
index 9b72f69..a3d38f6 100644
--- a/source3/include/vfs.h
+++ b/source3/include/vfs.h
@@ -108,8 +108,9 @@
 /* Leave at 22 - not yet released. Remove parameter fd from close_fn. - obnox */
 /* Changed to version 23 - remove set_nt_acl call. This can only be done via an
    open handle. JRA. */
+/* Changed to version 24 - make security descriptor const in fset_nt_acl. JRA. */
 
-#define SMB_VFS_INTERFACE_VERSION 23
+#define SMB_VFS_INTERFACE_VERSION 24
 
 
 /* to bug old modules which are trying to compile with the old functions */
@@ -365,7 +366,7 @@ struct vfs_ops {
 		NTSTATUS (*fset_nt_acl)(struct vfs_handle_struct *handle,
 					struct files_struct *fsp,
 					uint32 security_info_sent,
-					struct security_descriptor *psd);
+					const struct security_descriptor *psd);
 
 		/* POSIX ACL operations. */
 
diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
index 9e28db8..f1b8cff 100644
--- a/source3/modules/nfs4_acls.c
+++ b/source3/modules/nfs4_acls.c
@@ -44,10 +44,6 @@ typedef struct _SMB_ACL4_INT_T
 	SMB_ACE4_INT_T	*last;
 } SMB_ACL4_INT_T;
 
-extern int try_chown(connection_struct *conn, const char *fname, uid_t uid, gid_t gid);
-extern NTSTATUS unpack_nt_owners(int snum, uid_t *puser, gid_t *pgrp,
-	uint32 security_info_sent, SEC_DESC *psd);
-
 static SMB_ACL4_INT_T *get_validated_aclint(SMB4ACL_T *acl)
 {
 	SMB_ACL4_INT_T *aclint = (SMB_ACL4_INT_T *)acl;
@@ -518,7 +514,7 @@ static bool smbacl4_fill_ace4(
 	smbacl4_vfs_params *params,
 	uid_t ownerUID,
 	gid_t ownerGID,
-	SEC_ACE *ace_nt, /* input */
+	const SEC_ACE *ace_nt, /* input */
 	SMB_ACE4PROP_T *ace_v4 /* output */
 )
 {
@@ -650,7 +646,7 @@ static int smbacl4_MergeIgnoreReject(
 
 static SMB4ACL_T *smbacl4_win2nfs4(
 	const char *filename,
-	SEC_ACL *dacl,
+	const SEC_ACL *dacl,
 	smbacl4_vfs_params *pparams,
 	uid_t ownerUID,
 	gid_t ownerGID
@@ -694,7 +690,7 @@ static SMB4ACL_T *smbacl4_win2nfs4(
 
 NTSTATUS smb_set_nt_acl_nfs4(files_struct *fsp,
 	uint32 security_info_sent,
-	SEC_DESC *psd,
+	const SEC_DESC *psd,
 	set_nfs4acl_native_fn_t set_nfs4_native)
 {
 	smbacl4_vfs_params params;
diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c
index 80e44e5..2b3fc2e 100644
--- a/source3/modules/vfs_acl_xattr.c
+++ b/source3/modules/vfs_acl_xattr.c
@@ -238,7 +238,7 @@ static NTSTATUS get_nt_acl_xattr(vfs_handle_struct *handle,
 			security_info, ppdesc);
 }
 
-static NTSTATUS create_acl_blob(SEC_DESC *psd, DATA_BLOB *pblob)
+static NTSTATUS create_acl_blob(const SEC_DESC *psd, DATA_BLOB *pblob)
 {
 	struct xattr_NTACL xacl;
 	struct security_descriptor_timestamp sd_ts;
@@ -307,7 +307,7 @@ static NTSTATUS store_acl_blob(files_struct *fsp,
 }
 
 static NTSTATUS fset_nt_acl_xattr(vfs_handle_struct *handle, files_struct *fsp,
-        uint32 security_info_sent, SEC_DESC *psd)
+        uint32 security_info_sent, const SEC_DESC *psd)
 {
 	NTSTATUS status;
 	DATA_BLOB blob;
diff --git a/source3/modules/vfs_afsacl.c b/source3/modules/vfs_afsacl.c
index 9409f3f..c78369a 100644
--- a/source3/modules/vfs_afsacl.c
+++ b/source3/modules/vfs_afsacl.c
@@ -717,12 +717,12 @@ static bool mappable_sid(const DOM_SID *sid)
 
 static bool nt_to_afs_acl(const char *filename,
 			  uint32 security_info_sent,
-			  struct security_descriptor *psd,
+			  const struct security_descriptor *psd,
 			  uint32 (*nt_to_afs_rights)(const char *filename,
 						     const SEC_ACE *ace),
 			  struct afs_acl *afs_acl)
 {
-	SEC_ACL *dacl;
+	const SEC_ACL *dacl;
 	int i;
 
 	/* Currently we *only* look at the dacl */
@@ -737,7 +737,7 @@ static bool nt_to_afs_acl(const char *filename,
 	dacl = psd->dacl;
 
 	for (i = 0; i < dacl->num_aces; i++) {
-		SEC_ACE *ace = &(dacl->aces[i]);
+		const SEC_ACE *ace = &(dacl->aces[i]);
 		const char *dom_name, *name;
 		enum lsa_SidType name_type;
 		char *p;
@@ -887,7 +887,7 @@ static void merge_unknown_aces(struct afs_acl *src, struct afs_acl *dst)
 
 static NTSTATUS afs_set_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
 			   uint32 security_info_sent,
-			   struct security_descriptor *psd)
+			   const struct security_descriptor *psd)
 {
 	struct afs_acl old_afs_acl, new_afs_acl;
 	struct afs_acl dir_acl, file_acl;
@@ -1040,7 +1040,7 @@ static NTSTATUS afsacl_get_nt_acl(struct vfs_handle_struct *handle,
 NTSTATUS afsacl_fset_nt_acl(vfs_handle_struct *handle,
 			 files_struct *fsp,
 			 uint32 security_info_sent,
-			 SEC_DESC *psd)
+			 const SEC_DESC *psd)
 {
 	return afs_set_nt_acl(handle, fsp, security_info_sent, psd);
 }
diff --git a/source3/modules/vfs_aixacl2.c b/source3/modules/vfs_aixacl2.c
index 23c4d88..a078b9f 100644
--- a/source3/modules/vfs_aixacl2.c
+++ b/source3/modules/vfs_aixacl2.c
@@ -371,7 +371,7 @@ static bool aixjfs2_process_smbacl(files_struct *fsp, SMB4ACL_T *smbacl)
 	return True;
 }
 
-static NTSTATUS aixjfs2_set_nt_acl_common(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
+static NTSTATUS aixjfs2_set_nt_acl_common(files_struct *fsp, uint32 security_info_sent, const SEC_DESC *psd)
 {
 	acl_type_t	acl_type_info;
 	NTSTATUS	result = NT_STATUS_ACCESS_DENIED;
@@ -395,7 +395,7 @@ static NTSTATUS aixjfs2_set_nt_acl_common(files_struct *fsp, uint32 security_inf
 	return result;
 }
 
-NTSTATUS aixjfs2_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
+NTSTATUS aixjfs2_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp, uint32 security_info_sent, const SEC_DESC *psd)
 {
 	return aixjfs2_set_nt_acl_common(fsp, security_info_sent, psd);
 }
diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index 381aa18..372cdf2 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -1036,7 +1036,7 @@ static NTSTATUS vfswrap_get_nt_acl(vfs_handle_struct *handle,
 	return result;
 }
 
-static NTSTATUS vfswrap_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
+static NTSTATUS vfswrap_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp, uint32 security_info_sent, const SEC_DESC *psd)
 {
 	NTSTATUS result;
 
diff --git a/source3/modules/vfs_full_audit.c b/source3/modules/vfs_full_audit.c
index 1224ec3..9fadcd9 100644
--- a/source3/modules/vfs_full_audit.c
+++ b/source3/modules/vfs_full_audit.c
@@ -202,7 +202,7 @@ static NTSTATUS smb_full_audit_get_nt_acl(vfs_handle_struct *handle,
 			       SEC_DESC **ppdesc);
 static NTSTATUS smb_full_audit_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
 			      uint32 security_info_sent,
-			      SEC_DESC *psd);
+			      const SEC_DESC *psd);
 static int smb_full_audit_chmod_acl(vfs_handle_struct *handle,
 			   const char *path, mode_t mode);
 static int smb_full_audit_fchmod_acl(vfs_handle_struct *handle, files_struct *fsp,
@@ -1582,7 +1582,7 @@ static NTSTATUS smb_full_audit_get_nt_acl(vfs_handle_struct *handle,
 
 static NTSTATUS smb_full_audit_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
 			      uint32 security_info_sent,
-			      SEC_DESC *psd)
+			      const SEC_DESC *psd)
 {
 	NTSTATUS result;
 
diff --git a/source3/modules/vfs_gpfs.c b/source3/modules/vfs_gpfs.c
index 39d2bb6..29ea7f0 100644
--- a/source3/modules/vfs_gpfs.c
+++ b/source3/modules/vfs_gpfs.c
@@ -365,7 +365,7 @@ static bool gpfsacl_process_smbacl(files_struct *fsp, SMB4ACL_T *smbacl)
 	return True;
 }
 
-static NTSTATUS gpfsacl_set_nt_acl_internal(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
+static NTSTATUS gpfsacl_set_nt_acl_internal(files_struct *fsp, uint32 security_info_sent, const SEC_DESC *psd)
 {
 	struct gpfs_acl *acl;
 	NTSTATUS result = NT_STATUS_ACCESS_DENIED;
@@ -386,7 +386,7 @@ static NTSTATUS gpfsacl_set_nt_acl_internal(files_struct *fsp, uint32 security_i
 	return result;
 }
 
-static NTSTATUS gpfsacl_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
+static NTSTATUS gpfsacl_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp, uint32 security_info_sent, const SEC_DESC *psd)
 {
 	return gpfsacl_set_nt_acl_internal(fsp, security_info_sent, psd);
 }
diff --git a/source3/modules/vfs_zfsacl.c b/source3/modules/vfs_zfsacl.c
index e933e47..3688b23 100644
--- a/source3/modules/vfs_zfsacl.c
+++ b/source3/modules/vfs_zfsacl.c
@@ -166,7 +166,7 @@ static bool zfs_process_smbacl(files_struct *fsp, SMB4ACL_T *smbacl)
  */
 static NTSTATUS zfs_set_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
 			   uint32 security_info_sent,
-			   struct security_descriptor *psd)
+			   const struct security_descriptor *psd)
 {
 	return smb_set_nt_acl_nfs4(fsp, security_info_sent, psd,
 			zfs_process_smbacl);
@@ -207,7 +207,7 @@ static NTSTATUS zfsacl_get_nt_acl(struct vfs_handle_struct *handle,
 static NTSTATUS zfsacl_fset_nt_acl(vfs_handle_struct *handle,
 			 files_struct *fsp,
 			 uint32 security_info_sent,
-			 SEC_DESC *psd)
+			 const SEC_DESC *psd)
 {
 	return zfs_set_nt_acl(handle, fsp, security_info_sent, psd);
 }
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 7479aea..48ea993 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -988,7 +988,7 @@ static mode_t map_nt_perms( uint32 *mask, int type)
  Unpack a SEC_DESC into a UNIX owner and group.
 ****************************************************************************/
 
-NTSTATUS unpack_nt_owners(int snum, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, SEC_DESC *psd)
+NTSTATUS unpack_nt_owners(int snum, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, const SEC_DESC *psd)
 {
 	DOM_SID owner_sid;
 	DOM_SID grp_sid;
@@ -1329,11 +1329,13 @@ static void check_owning_objs(canon_ace *ace, DOM_SID *pfile_owner_sid, DOM_SID
  Unpack a SEC_DESC into two canonical ace lists.
 ****************************************************************************/
 
-static bool create_canon_ace_lists(files_struct *fsp, SMB_STRUCT_STAT *pst,
-							DOM_SID *pfile_owner_sid,
-							DOM_SID *pfile_grp_sid,
-							canon_ace **ppfile_ace, canon_ace **ppdir_ace,
-							SEC_ACL *dacl)
+static bool create_canon_ace_lists(files_struct *fsp,
+					SMB_STRUCT_STAT *pst,
+					DOM_SID *pfile_owner_sid,
+					DOM_SID *pfile_grp_sid,
+					canon_ace **ppfile_ace,
+					canon_ace **ppdir_ace,
+					const SEC_ACL *dacl)
 {
 	bool all_aces_are_inherit_only = (fsp->is_directory ? True : False);
 	canon_ace *file_ace = NULL;
@@ -2016,12 +2018,14 @@ static mode_t create_default_mode(files_struct *fsp, bool interitable_mode)
  succeeding.
 ****************************************************************************/
 
-static bool unpack_canon_ace(files_struct *fsp, 
-							SMB_STRUCT_STAT *pst,
-							DOM_SID *pfile_owner_sid,
-							DOM_SID *pfile_grp_sid,
-							canon_ace **ppfile_ace, canon_ace **ppdir_ace,
-							uint32 security_info_sent, SEC_DESC *psd)
+static bool unpack_canon_ace(files_struct *fsp,
+				SMB_STRUCT_STAT *pst,
+				DOM_SID *pfile_owner_sid,
+				DOM_SID *pfile_grp_sid,
+				canon_ace **ppfile_ace,
+				canon_ace **ppdir_ace,
+				uint32 security_info_sent,
+				const SEC_DESC *psd)
 {
 	canon_ace *file_ace = NULL;
 	canon_ace *dir_ace = NULL;
@@ -3224,25 +3228,25 @@ int try_chown(connection_struct *conn, const char *fname, uid_t uid, gid_t gid)
 ****************************************************************************/
 
 static NTSTATUS append_parent_acl(files_struct *fsp,
-				SMB_STRUCT_STAT *psbuf,
-				SEC_DESC *psd,
+				const SEC_DESC *pcsd,
 				SEC_DESC **pp_new_sd)
 {
 	SEC_DESC *parent_sd = NULL;
 	files_struct *parent_fsp = NULL;
-	TALLOC_CTX *mem_ctx = talloc_parent(psd);
+	TALLOC_CTX *mem_ctx = talloc_tos();
 	char *parent_name = NULL;
 	SEC_ACE *new_ace = NULL;
-	unsigned int num_aces = psd->dacl->num_aces;
+	unsigned int num_aces = pcsd->dacl->num_aces;
 	SMB_STRUCT_STAT sbuf;
 	NTSTATUS status;
 	int info;
 	unsigned int i, j;
-	bool is_dacl_protected = (psd->type & SE_DESC_DACL_PROTECTED);
+	SEC_DESC *psd = dup_sec_desc(talloc_tos(), pcsd);
+	bool is_dacl_protected = (pcsd->type & SE_DESC_DACL_PROTECTED);
 
 	ZERO_STRUCT(sbuf);
 
-	if (mem_ctx == NULL) {
+	if (psd == NULL) {
 		return NT_STATUS_NO_MEMORY;
 	}
 
@@ -3398,11 +3402,6 @@ static NTSTATUS append_parent_acl(files_struct *fsp,
 			parent_name));
 	}
 
-	/* This sucks. psd should be const and we should
-	 * be doing a deep-copy here. We're getting away
-	 * with is as we know parent_sd is talloced off
-	 * talloc_tos() as well as psd. JRA. */
-
 	psd->dacl->aces = new_ace;
 	psd->dacl->num_aces = i;
 	psd->type &= ~(SE_DESC_DACL_AUTO_INHERITED|
@@ -3418,7 +3417,7 @@ static NTSTATUS append_parent_acl(files_struct *fsp,
  This should be the only external function needed for the UNIX style set ACL.
 ****************************************************************************/
 
-NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
+NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC *psd)
 {
 	connection_struct *conn = fsp->conn;
 	uid_t user = (uid_t)-1;
@@ -3529,10 +3528,12 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, SEC_DESC *psd)
 			      SE_DESC_DACL_AUTO_INHERIT_REQ))==
 			(SE_DESC_DACL_AUTO_INHERITED|
 			 SE_DESC_DACL_AUTO_INHERIT_REQ) ) {
-		status = append_parent_acl(fsp, &sbuf, psd, &psd);
+		SEC_DESC *new_sd = NULL;
+		status = append_parent_acl(fsp, psd, &new_sd);
 		if (!NT_STATUS_IS_OK(status)) {
 			return status;
 		}
+		psd = new_sd;
 	}
 
 	acl_perms = unpack_canon_ace( fsp, &sbuf, &file_owner_sid, &file_grp_sid,


-- 
Samba Shared Repository


More information about the samba-cvs mailing list