[SCM] Samba Shared Repository - branch master updated

Michael Adam obnox at samba.org
Tue Oct 11 21:21:04 MDT 2011


The branch, master has been updated
       via  7fff4e7 s3:dbwrap: remove m_all marshall buffer from ctdb transaction.
       via  a6cd71d s3:dbwrap: traverse records created within this transaction.
       via  240d621 s3:registry: improve regdb_create_subkey_internal() to always complete incomlete keys
       via  9d688cd s3:smbcacls fix leaking talloc stackframce on tcon failure
       via  858e4cb s3:smbcacls fix possible SEGFAULT
       via  724b48b s3:smbcacls add option domain-sid
       via  61631f4 s3:smbcacls get_domain_sid for sddl parsing/formating from lsarpc
       via  2c78d4c s3:smbcacls pretty print acl control field
      from  bd01ae2 Add new contributing FAQ announcing acceptance of corporate (C).

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7fff4e7f845a44cf56dfd85d7dd4709fa2d17ce3
Author: Gregor Beck <gbeck at sernet.de>
Date:   Fri Sep 23 11:58:35 2011 +0200

    s3:dbwrap: remove m_all marshall buffer from ctdb transaction.
    
    it was only used by ctdb_replay_transaction and was actually write-only
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    
    Autobuild-User: Michael Adam <obnox at samba.org>
    Autobuild-Date: Wed Oct 12 05:20:36 CEST 2011 on sn-devel-104

commit a6cd71da858062a66f83775cf655b79b6c8d75e7
Author: Gregor Beck <gbeck at sernet.de>
Date:   Thu Sep 22 13:58:24 2011 +0200

    s3:dbwrap: traverse records created within this transaction.
    
    Signed-off-by: Michael Adam <obnox at samba.org>

commit 240d6217dd4d75a69b3f57f9668aa81ed042a6cf
Author: Michael Adam <obnox at samba.org>
Date:   Fri Sep 30 15:42:31 2011 +0200

    s3:registry: improve regdb_create_subkey_internal() to always complete incomlete keys
    
    Originally, this function did not create the key's subkey list record if only
    the record was listed in the subkeylist of its parent key. Now this is fixed.
    
    Pair-Programmed-With: Gregor Beck <gbeck at sernet.de>

commit 9d688cd7be2d21af1f881a3e65549bff03619c46
Author: Gregor Beck <gbeck at sernet.de>
Date:   Tue Jun 14 13:19:59 2011 +0200

    s3:smbcacls fix leaking talloc stackframce on tcon failure
    
    Signed-off-by: Michael Adam <obnox at samba.org>

commit 858e4cb1b605d37cc5b585d7292049c774f53ceb
Author: Gregor Beck <gbeck at sernet.de>
Date:   Tue Jun 14 13:56:22 2011 +0200

    s3:smbcacls fix possible SEGFAULT
    
    sddl_encode returns NULL on failure
    
    Signed-off-by: Michael Adam <obnox at samba.org>

commit 724b48bc084100de54813685e656d510c17880f9
Author: Gregor Beck <gbeck at sernet.de>
Date:   Thu Jun 9 15:29:32 2011 +0200

    s3:smbcacls add option domain-sid
    
    Signed-off-by: Michael Adam <obnox at samba.org>

commit 61631f427ad62d8a178f69de483500cdfa881620
Author: Gregor Beck <gbeck at sernet.de>
Date:   Thu Jun 9 14:32:27 2011 +0200

    s3:smbcacls get_domain_sid for sddl parsing/formating from lsarpc
    
    get_global_sid panics if we are not root and may give the wrong answer anyway.
    
    Signed-off-by: Michael Adam <obnox at samba.org>

commit 2c78d4c89d4b5b5ba3189fc72d95fc13b5ccb02e
Author: Gregor Beck <gbeck at sernet.de>
Date:   Tue Jun 7 10:54:16 2011 +0200

    s3:smbcacls pretty print acl control field
    
    Signed-off-by: Michael Adam <obnox at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/lib/dbwrap/dbwrap_ctdb.c  |   64 ++++++++++------
 source3/registry/reg_backend_db.c |   14 +++-
 source3/utils/smbcacls.c          |  157 +++++++++++++++++++++++++++++++++----
 3 files changed, 195 insertions(+), 40 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/lib/dbwrap/dbwrap_ctdb.c b/source3/lib/dbwrap/dbwrap_ctdb.c
index 5823ab4..85ae5c1 100644
--- a/source3/lib/dbwrap/dbwrap_ctdb.c
+++ b/source3/lib/dbwrap/dbwrap_ctdb.c
@@ -54,11 +54,8 @@
 struct db_ctdb_transaction_handle {
 	struct db_ctdb_ctx *ctx;
 	/*
-	 * we store the reads and writes done under a transaction:
-	 * - one list stores both reads and writes (m_all),
-	 * - the other just writes (m_write)
+	 * we store the writes done under a transaction:
 	 */
-	struct ctdb_marshall_buffer *m_all;
 	struct ctdb_marshall_buffer *m_write;
 	uint32_t nesting;
 	bool nested_cancel;
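Review bot: The struct comment now ends in a colon that used to introduce a two-item list and, with m_all gone, introduces nothing; `/* we store the writes done under a transaction */` reads cleanly. Since m_write is the only remaining buffer, the comment could also say what it holds, which from the surviving db_ctdb_marshall_add call in db_ctdb_transaction_store is the key, header and data of every store.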
@@ -490,16 +487,6 @@ static int db_ctdb_transaction_fetch(struct db_ctdb_ctx *db,
 		return -1;
 	}
 
-	h->m_all = db_ctdb_marshall_add(h, h->m_all, h->ctx->db_id, 1, key,
-					NULL, *data);
-	if (h->m_all == NULL) {
-		DEBUG(0,(__location__ " Failed to add to marshalling "
-			 "record\n"));
-		data->dsize = 0;
-		talloc_free(data->dptr);
-		return -1;
-	}
-
 	return 0;
 }
 
@@ -676,15 +663,6 @@ static NTSTATUS db_ctdb_transaction_store(struct db_ctdb_transaction_handle *h,
 	header.dmaster = get_my_vnn();
 	header.rsn++;
 
-	h->m_all = db_ctdb_marshall_add(h, h->m_all, h->ctx->db_id, 0, key,
-					NULL, data);
-	if (h->m_all == NULL) {
-		DEBUG(0,(__location__ " Failed to add to marshalling "
-			 "record\n"));
-		talloc_free(tmp_ctx);
-		return NT_STATUS_NO_MEMORY;
-	}
-
 	h->m_write = db_ctdb_marshall_add(h, h->m_write, h->ctx->db_id, 0, key, &header, data);
 	if (h->m_write == NULL) {
 		DEBUG(0,(__location__ " Failed to add to marshalling record\n"));
@@ -1285,6 +1263,13 @@ done:
 	return ret;
 }
 
+/* wrapper to use traverse_persistent_callback with dbwrap */
+static int traverse_persistent_callback_dbwrap(struct db_record *rec, void* data)
+{
+	return traverse_persistent_callback(NULL, rec->key, rec->value, data);
+}
+
+
 static int db_ctdb_traverse(struct db_context *db,
 			    int (*fn)(struct db_record *rec,
 				      void *private_data),
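Review bot: traverse_persistent_callback_dbwrap passes NULL where traverse_persistent_callback takes a tdb context, so the wrapper is only safe as long as the callee never dereferences that parameter; that contract is not visible here and should be stated on the wrapper, e.g. `/* wrapper to use traverse_persistent_callback with dbwrap; the tdb argument is passed as NULL and must not be used by the callee */`. Style: `void* data` separates the pointer declarator from the name, unlike `void *private_data` on the neighbouring db_ctdb_traverse signature, which itself continues past the end of this hunk.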
@@ -1299,9 +1284,40 @@ static int db_ctdb_traverse(struct db_context *db,
 	state.private_data = private_data;
 
 	if (db->persistent) {
+		struct tdb_context *ltdb = ctx->wtdb->tdb;
+		int ret;
+
 		/* for persistent databases we don't need to do a ctdb traverse,
 		   we can do a faster local traverse */
-		return tdb_traverse(ctx->wtdb->tdb, traverse_persistent_callback, &state);
+		ret = tdb_traverse(ltdb, traverse_persistent_callback, &state);
+		if (ret < 0) {
+			return ret;
+		}
+		if (ctx->transaction && ctx->transaction->m_write) {
+			/* we now have to handle keys not yet present at transaction start */
+			struct db_context *newkeys = db_open_rbt(talloc_tos());
+			struct ctdb_marshall_buffer *mbuf = ctx->transaction->m_write;
+			struct ctdb_rec_data *rec=NULL;
+			NTSTATUS status;
+			int i;
+			for (i=0; i<mbuf->count; i++) {
+				TDB_DATA key;
+				rec =db_ctdb_marshall_loop_next(mbuf, rec,
+								NULL, NULL,
+								&key, NULL);
+				SMB_ASSERT(rec != NULL);
+
+				if (!tdb_exists(ltdb, key)) {
+					dbwrap_store(newkeys, key, tdb_null, 0);
+				}
+			}
+			status = dbwrap_traverse(newkeys,
+						 traverse_persistent_callback_dbwrap,
+						 &state);
+			ret = NT_STATUS_IS_OK(status) ? 0 : -1;
+			talloc_free(newkeys);
+		}
+		return ret;
 	}
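Review bot: The db_open_rbt() result is handed to dbwrap_store without a NULL check, and the NTSTATUS returned by dbwrap_store is discarded, so an allocation failure while collecting the transaction-local keys silently degrades into an incomplete traversal that still reports success. The final `ret = NT_STATUS_IS_OK(status) ? 0 : -1;` also overwrites whatever tdb_traverse returned (its record count, if any caller relies on it) with 0 on success; only the failure case should touch ret. The loop counter `int i` is compared against mbuf->count, whose type is not visible here; if that field is unsigned the comparison mixes signedness. db_ctdb_traverse continues past the end of this hunk; the rewritten key-collection part is below.
```c
		if (ctx->transaction && ctx->transaction->m_write) {
			/* we now have to handle keys not yet present at transaction start */
			struct db_context *newkeys = db_open_rbt(talloc_tos());
			/* … unchanged: mbuf, rec, status and i declarations … */

			if (newkeys == NULL) {
				DEBUG(0,(__location__ " Failed to allocate newkeys db\n"));
				return -1;
			}
			for (i=0; i<mbuf->count; i++) {
				/* … unchanged: db_ctdb_marshall_loop_next and SMB_ASSERT … */
				if (!tdb_exists(ltdb, key)) {
					status = dbwrap_store(newkeys, key, tdb_null, 0);
					if (!NT_STATUS_IS_OK(status)) {
						talloc_free(newkeys);
						return -1;
					}
				}
			}
			status = dbwrap_traverse(newkeys,
						 traverse_persistent_callback_dbwrap,
						 &state);
			if (!NT_STATUS_IS_OK(status)) {
				ret = -1;
			}
			talloc_free(newkeys);
		}
```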
 
 
diff --git a/source3/registry/reg_backend_db.c b/source3/registry/reg_backend_db.c
index 64c466d..fad6c08 100644
--- a/source3/registry/reg_backend_db.c
+++ b/source3/registry/reg_backend_db.c
@@ -1298,8 +1298,18 @@ static WERROR regdb_create_subkey_internal(struct db_context *db,
 	W_ERROR_NOT_OK_GOTO_DONE(werr);
 
 	if (regsubkey_ctr_key_exists(subkeys, subkey)) {
-		werr = WERR_OK;
-		goto done;
+		char *newkey;
+
+		newkey = talloc_asprintf(mem_ctx, "%s\\%s", key, subkey);
+		if (newkey == NULL) {
+			werr = WERR_NOMEM;
+			goto done;
+		}
+
+		if (regdb_key_exists(db, newkey)) {
+			werr = WERR_OK;
+			goto done;
+		}
 	}
 
 	talloc_free(subkeys);
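Review bot: newkey is allocated on mem_ctx and stays alive after its only use in regdb_key_exists, so every call that takes the already-listed-subkey path leaves a string on the caller's context until mem_ctx is released; `talloc_free(newkey);` after the regdb_key_exists check (before the `goto done` as well as on the fall-through path), or allocating it on `talloc_tos()`, avoids that. regdb_create_subkey_internal starts and ends outside this hunk, so how long mem_ctx lives cannot be confirmed here.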
diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c
index aa71840..9a6c283 100644
--- a/source3/utils/smbcacls.c
+++ b/source3/utils/smbcacls.c
@@ -30,6 +30,7 @@
 #include "libsmb/libsmb.h"
 #include "libsmb/clirap.h"
 #include "passdb/machine_sid.h"
+#include "../librpc/gen_ndr/ndr_lsa_c.h"
 
 static int test_args;
 
@@ -41,6 +42,8 @@ static int numeric;
 
 static int sddl;
 
+static const char *domain_sid = NULL;
+
 enum acl_mode {SMB_ACL_SET, SMB_ACL_DELETE, SMB_ACL_MODIFY, SMB_ACL_ADD };
 enum chown_mode {REQUEST_NONE, REQUEST_CHOWN, REQUEST_CHGRP, REQUEST_INHERIT};
 enum exit_values {EXIT_OK, EXIT_FAILED, EXIT_PARSE_ERROR};
@@ -88,7 +91,7 @@ static NTSTATUS cli_lsa_lookup_sid(struct cli_state *cli,
 
 	status = cli_tcon_andx(cli, "IPC$", "?????", "", 0);
 	if (!NT_STATUS_IS_OK(status)) {
-		return status;
+		goto tcon_fail;
 	}
 
 	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
@@ -117,6 +120,7 @@ static NTSTATUS cli_lsa_lookup_sid(struct cli_state *cli,
  fail:
 	TALLOC_FREE(p);
 	cli_tdis(cli);
+ tcon_fail:
 	cli_state_set_tid(cli, orig_cnum);
 	TALLOC_FREE(frame);
 	return status;
@@ -137,7 +141,7 @@ static NTSTATUS cli_lsa_lookup_name(struct cli_state *cli,
 
 	status = cli_tcon_andx(cli, "IPC$", "?????", "", 0);
 	if (!NT_STATUS_IS_OK(status)) {
-		return status;
+		goto tcon_fail;
 	}
 
 	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
@@ -165,11 +169,89 @@ static NTSTATUS cli_lsa_lookup_name(struct cli_state *cli,
  fail:
 	TALLOC_FREE(p);
 	cli_tdis(cli);
+ tcon_fail:
+	cli_state_set_tid(cli, orig_cnum);
+	TALLOC_FREE(frame);
+	return status;
+}
+
+
+static NTSTATUS cli_lsa_lookup_domain_sid(struct cli_state *cli,
+					  struct dom_sid *sid)
+{
+	union lsa_PolicyInformation *info = NULL;
+	uint16 orig_cnum = cli_state_get_tid(cli);
+	struct rpc_pipe_client *rpc_pipe = NULL;
+	struct policy_handle handle;
+	NTSTATUS status, result;
+	TALLOC_CTX *frame = talloc_stackframe();
+	const struct ndr_syntax_id *lsarpc_syntax = &ndr_table_lsarpc.syntax_id;
+
+	status = cli_tcon_andx(cli, "IPC$", "?????", "", 0);
+	if (!NT_STATUS_IS_OK(status)) {
+		goto done;
+	}
+
+	status = cli_rpc_pipe_open_noauth(cli, lsarpc_syntax, &rpc_pipe);
+	if (!NT_STATUS_IS_OK(status)) {
+		goto tdis;
+	}
+
+	status = rpccli_lsa_open_policy(rpc_pipe, frame, True,
+					GENERIC_EXECUTE_ACCESS, &handle);
+	if (!NT_STATUS_IS_OK(status)) {
+		goto tdis;
+	}
+
+	status = dcerpc_lsa_QueryInfoPolicy2(rpc_pipe->binding_handle,
+					     frame, &handle,
+					     LSA_POLICY_INFO_DOMAIN,
+					     &info, &result);
+
+	if (any_nt_status_not_ok(status, result, &status)) {
+		goto tdis;
+	}
+
+	*sid = *info->domain.sid;
+
+tdis:
+	TALLOC_FREE(rpc_pipe);
+	cli_tdis(cli);
+done:
 	cli_state_set_tid(cli, orig_cnum);
 	TALLOC_FREE(frame);
 	return status;
 }
 
+struct dom_sid* get_domain_sid(struct cli_state *cli) {
+	NTSTATUS status;
+
+	struct dom_sid *sid = talloc(talloc_tos(), struct dom_sid);
+	if (sid == NULL) {
+		DEBUG(0, ("Out of memory\n"));
+		return NULL;
+	}
+
+	if (domain_sid) {
+		if (!dom_sid_parse(domain_sid, sid)) {
+			DEBUG(0,("failed to parse domain sid\n"));
+			TALLOC_FREE(sid);
+		}
+	} else {
+		status = cli_lsa_lookup_domain_sid(cli, sid);
+
+		if (!NT_STATUS_IS_OK(status)) {
+			DEBUG(0,("failed to lookup domain sid: %s\n", nt_errstr(status)));
+			TALLOC_FREE(sid);
+		}
+
+	}
+
+	DEBUG(2,("Domain SID: %s\n", sid_string_dbg(sid)));
+	return sid;
+}
+
+
 /* convert a SID to a string, either numeric or username/group */
 static void SidToString(struct cli_state *cli, fstring str, const struct dom_sid *sid)
 {
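Review bot: `*sid = *info->domain.sid;` dereferences a pointer that came from the server without a NULL check; domain.sid is a pointer in the reply structure, so a NULL is representable on the wire and a misbehaving peer would crash the client here. Add `if (info->domain.sid == NULL) { status = NT_STATUS_INVALID_NETWORK_RESPONSE; goto tdis; }` before the copy. In get_domain_sid both failure branches TALLOC_FREE(sid) and then fall through to `DEBUG(2,("Domain SID: %s\n", sid_string_dbg(sid)))`, which formats a NULL sid; returning right after each failure log avoids depending on sid_string_dbg tolerating NULL. The policy handle returned by rpccli_lsa_open_policy is never closed before the pipe is freed; if the neighbouring lookup helpers close theirs, this one should too. Style: get_domain_sid is non-static and puts its opening brace on the signature line, unlike every other function visible in this file.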
@@ -632,6 +714,48 @@ static struct security_descriptor *sec_desc_parse(TALLOC_CTX *ctx, struct cli_st
 	return ret;
 }
 
+static const struct {
+	uint16_t mask;
+	const char *str;
+	const char *desc;
+} sec_desc_ctrl_bits[] = {
+	{SEC_DESC_OWNER_DEFAULTED,       "OD", "Owner Defaulted"},
+	{SEC_DESC_GROUP_DEFAULTED,       "GD", "Group Defaulted"},
+	{SEC_DESC_DACL_PRESENT,          "DP", "DACL Present"},
+	{SEC_DESC_DACL_DEFAULTED,        "DD", "DACL Defaulted"},
+	{SEC_DESC_SACL_PRESENT,          "SP", "SACL Present"},
+	{SEC_DESC_SACL_DEFAULTED,        "SD", "SACL Defaulted"},
+	{SEC_DESC_DACL_TRUSTED,          "DT", "DACL Trusted"},
+	{SEC_DESC_SERVER_SECURITY,       "SS", "Server Security"},
+	{SEC_DESC_DACL_AUTO_INHERIT_REQ, "DR", "DACL Inheritance Required"},
+	{SEC_DESC_SACL_AUTO_INHERIT_REQ, "SR", "SACL Inheritance Required"},
+	{SEC_DESC_DACL_AUTO_INHERITED,   "DI", "DACL Auto Inherited"},
+	{SEC_DESC_SACL_AUTO_INHERITED,   "SI", "SACL Auto Inherited"},
+	{SEC_DESC_DACL_PROTECTED,        "PD", "DACL Protected"},
+	{SEC_DESC_SACL_PROTECTED,        "PS", "SACL Protected"},
+	{SEC_DESC_RM_CONTROL_VALID,      "RM", "RM Control Valid"},
+	{SEC_DESC_SELF_RELATIVE ,        "SR", "Self Relative"},
+};
+
+static void print_acl_ctrl(FILE *file, uint16_t ctrl)
+{
+	int i;
+	const char* separator = "";
+
+	fprintf(file, "CONTROL:");
+	if (numeric) {
+		fprintf(file, "0x%x\n", ctrl);
+		return;
+	}
+
+	for (i = ARRAY_SIZE(sec_desc_ctrl_bits) - 1; i >= 0; i--) {
+		if (ctrl & sec_desc_ctrl_bits[i].mask) {
+			fprintf(file, "%s%s", separator, sec_desc_ctrl_bits[i].str);
+			separator = "|";
+		}
+	}
+	fputc('\n', file);
+}
 
 /* print a ascii version of a security descriptor on a FILE handle */
 static void sec_desc_print(struct cli_state *cli, FILE *f, struct security_descriptor *sd)
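Review bot: The table assigns the abbreviation "SR" to both SEC_DESC_SACL_AUTO_INHERIT_REQ and SEC_DESC_SELF_RELATIVE, so a CONTROL line containing "SR" is ambiguous to anyone reading or parsing the output; give self-relative its own token (the desc column already tells them apart). The desc field is filled in but never read by print_acl_ctrl, so either use it or drop it. Style: `SEC_DESC_SELF_RELATIVE ,` has a stray space before the comma, and `const char* separator` departs from the `type *name` form used elsewhere in the file.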
@@ -640,7 +764,7 @@ static void sec_desc_print(struct cli_state *cli, FILE *f, struct security_descr
 	uint32 i;
 
 	fprintf(f, "REVISION:%d\n", sd->revision);
-	fprintf(f, "CONTROL:0x%x\n", sd->type);
+	print_acl_ctrl(f, sd->type);
 
 	/* Print owner and group sid */
 
@@ -772,25 +896,29 @@ dump the acls for a file
 *******************************************************/
 static int cacl_dump(struct cli_state *cli, const char *filename)
 {
-	int result = EXIT_FAILED;
 	struct security_descriptor *sd;
 
-	if (test_args)
+	if (test_args) {
 		return EXIT_OK;
+	}
 
 	sd = get_secdesc(cli, filename);
+	if (sd == NULL) {
+		return EXIT_FAILED;
+	}
 
-	if (sd) {
-		if (sddl) {
-			printf("%s\n", sddl_encode(talloc_tos(), sd,
-					   get_global_sam_sid()));
-		} else {
-			sec_desc_print(cli, stdout, sd);
+	if (sddl) {
+		char *str = sddl_encode(talloc_tos(), sd, get_domain_sid(cli));
+		if (str == NULL) {
+			return EXIT_FAILED;
 		}
-		result = EXIT_OK;
+		printf("%s\n", str);
+		TALLOC_FREE(str);
+	} else {
+		sec_desc_print(cli, stdout, sd);
 	}
 
-	return result;
+	return EXIT_OK;
 }
 
 /***************************************************** 
@@ -901,7 +1029,7 @@ static int cacl_set(struct cli_state *cli, const char *filename,
 	int result = EXIT_OK;
 
 	if (sddl) {
-		sd = sddl_decode(talloc_tos(), the_acl, get_global_sam_sid());
+		sd = sddl_decode(talloc_tos(), the_acl, get_domain_sid(cli));
 	} else {
 		sd = sec_desc_parse(talloc_tos(), cli, the_acl);
 	}
@@ -1202,6 +1330,7 @@ static struct cli_state *connect_one(struct user_auth_info *auth_info,
 		{ "numeric", 0, POPT_ARG_NONE, &numeric, 1, "Don't resolve sids or masks to names" },
 		{ "sddl", 0, POPT_ARG_NONE, &sddl, 1, "Output and input acls in sddl format" },
 		{ "test-args", 't', POPT_ARG_NONE, &test_args, 1, "Test arguments"},
+		{ "domain-sid", 0, POPT_ARG_STRING, &domain_sid, 0, "Domain SID for sddl", "SID"},
 		POPT_COMMON_SAMBA
 		POPT_COMMON_CONNECTION
 		POPT_COMMON_CREDENTIALS
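Review bot: The help string "Domain SID for sddl" does not tell the user that the value replaces the LSA lookup get_domain_sid otherwise performs, nor that it is only consulted together with --sddl; `"Domain SID used for sddl parsing/formatting instead of querying it via LSA"` would make that visible in --help. A value that does not parse is only reported as a DEBUG(0) message when the SID is first needed rather than when the options are parsed.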



