[SCM] Samba Shared Repository - branch master updated - 543c6a02ae1dcb903de800c88af1f9e221827d61

Jeremy Allison jra at samba.org
Thu Oct 9 01:11:46 GMT 2008 

The branch, master has been updated
       via  543c6a02ae1dcb903de800c88af1f9e221827d61 (commit)
      from  88a58ae0eeb553969c903a94e578375e109ad05a (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 543c6a02ae1dcb903de800c88af1f9e221827d61
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Oct 8 18:06:58 2008 -0700

    For the vfs_acl_xattr.c module, make sure we map GENERIC file and directory bits
    to specific bits every time a security descriptor is set. The S4 torture suite proves
    that generic bits are not returned when querying an ACL set using them (ie. only
    the specific bits are stored on disk).
    Jeremy.

-----------------------------------------------------------------------

Summary of changes:
 source3/include/proto.h            |    1 +
 source3/lib/util_seaccess.c        |   18 ++++++++++++++++++
 source3/rpc_server/srv_srvsvc_nt.c |   26 ++++++++++++++++++++++++--
 source3/smbd/nttrans.c             |    5 +++++
 source3/smbd/open.c                |    4 ++++
 5 files changed, 52 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/include/proto.h b/source3/include/proto.h
index 535adf7..b7e3632 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1431,6 +1431,7 @@ WERROR registry_push_value(TALLOC_CTX *mem_ctx,
 /* The following definitions come from lib/util_seaccess.c  */
 
 void se_map_generic(uint32 *access_mask, const struct generic_mapping *mapping);
+void security_acl_map_generic(struct security_acl *sa, const struct generic_mapping *mapping);
 void se_map_standard(uint32 *access_mask, struct standard_mapping *mapping);
 bool se_access_check(const SEC_DESC *sd, const NT_USER_TOKEN *token,
 		     uint32 acc_desired, uint32 *acc_granted, 
diff --git a/source3/lib/util_seaccess.c b/source3/lib/util_seaccess.c
index 87e70bb..cab4261 100644
--- a/source3/lib/util_seaccess.c
+++ b/source3/lib/util_seaccess.c
@@ -176,6 +176,24 @@ void se_map_generic(uint32 *access_mask, const struct generic_mapping *mapping)
 	}
 }
 
+/* Map generic access rights to object specific rights for all the ACE's
+ * in a security_acl.
+ */
+
+void security_acl_map_generic(struct security_acl *sa,
+				const struct generic_mapping *mapping)
+{
+	unsigned int i;
+
+	if (!sa) {
+		return;
+	}
+
+	for (i = 0; i < sa->num_aces; i++) {
+		se_map_generic(&sa->aces[i].access_mask, mapping);
+	}
+}
+
 /* Map standard access rights to object specific rights.  This technique is
    used to give meaning to assigning read, write, execute and all access to
    objects.  Each type of object has its own mapping of standard to object
diff --git a/source3/rpc_server/srv_srvsvc_nt.c b/source3/rpc_server/srv_srvsvc_nt.c
index fb74786..47688b1 100644
--- a/source3/rpc_server/srv_srvsvc_nt.c
+++ b/source3/rpc_server/srv_srvsvc_nt.c
@@ -2150,6 +2150,8 @@ WERROR _srvsvc_NetSetFileSecurity(pipes_struct *p,
 	connection_struct *conn = NULL;
 	int snum;
 	char *oldcwd = NULL;
+	struct security_descriptor *psd = NULL;
+	uint32_t security_info_sent = 0;
 
 	ZERO_STRUCT(st);
 
@@ -2198,9 +2200,29 @@ WERROR _srvsvc_NetSetFileSecurity(pipes_struct *p,
 		goto error_exit;
 	}
 
+	psd = r->in.sd_buf->sd;
+	security_info_sent = r->in.securityinformation;
+
+	if (psd->owner_sid==0) {
+		security_info_sent &= ~OWNER_SECURITY_INFORMATION;
+	}
+	if (psd->group_sid==0) {
+		security_info_sent &= ~GROUP_SECURITY_INFORMATION;
+	}
+	if (psd->sacl==0) {
+		security_info_sent &= ~SACL_SECURITY_INFORMATION;
+	}
+	if (psd->dacl==0) {
+		security_info_sent &= ~DACL_SECURITY_INFORMATION;
+	}
+
+	/* Convert all the generic bits. */
+	security_acl_map_generic(psd->dacl, &file_generic_mapping);
+	security_acl_map_generic(psd->sacl, &file_generic_mapping);
+
 	nt_status = SMB_VFS_FSET_NT_ACL(fsp,
-				       r->in.securityinformation,
-				       r->in.sd_buf->sd);
+					security_info_sent,
+					psd);
 
 	if (!NT_STATUS_IS_OK(nt_status) ) {
 		DEBUG(3,("_srvsvc_NetSetFileSecurity: Unable to set NT ACL "
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 584399c..0618558 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -713,6 +713,7 @@ static void do_nt_transact_create_pipe(connection_struct *conn,
 static NTSTATUS set_sd(files_struct *fsp, uint8 *data, uint32 sd_len,
 		       uint32 security_info_sent)
 {
+	extern const struct generic_mapping file_generic_mapping;
 	SEC_DESC *psd = NULL;
 	NTSTATUS status;
 
@@ -739,6 +740,10 @@ static NTSTATUS set_sd(files_struct *fsp, uint8 *data, uint32 sd_len,
 		security_info_sent &= ~DACL_SECURITY_INFORMATION;
 	}
 
+	/* Convert all the generic bits. */
+	security_acl_map_generic(psd->dacl, &file_generic_mapping);
+	security_acl_map_generic(psd->sacl, &file_generic_mapping);
+
 	status = SMB_VFS_FSET_NT_ACL(fsp, security_info_sent, psd);
 
 	TALLOC_FREE(psd);
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index ad024a5..8727e80 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -2764,6 +2764,10 @@ NTSTATUS create_file_unixpath(connection_struct *conn,
 
 		fsp->access_mask = FILE_GENERIC_ALL;
 
+		/* Convert all the generic bits. */
+		security_acl_map_generic(sd->dacl, &file_generic_mapping);
+		security_acl_map_generic(sd->sacl, &file_generic_mapping);
+
 		status = SMB_VFS_FSET_NT_ACL(fsp, sec_info_sent, sd);
 
 		fsp->access_mask = saved_access_mask;


-- 
Samba Shared Repository

More information about the samba-cvs mailing list