[SCM] Samba Shared Repository - branch master updated
Volker Lendecke
vlendec at samba.org
Thu Sep 15 17:40:02 MDT 2011
The branch, master has been updated
via e952c69 s3: Trim lines in nfs4_acls.c
via 9021934 s3: Fix some nonempty blank lines
via d68ed1b s3: Make sharesec optionally use sddl
from 4117c29 s4:upgrade_from_s3 - old s3 versions < 3.4.x don't have a "state directory" param
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit e952c693174268077921ca61b68d7ff076dd4983
Author: Volker Lendecke <vl at samba.org>
Date: Thu Sep 15 23:35:05 2011 +0200
s3: Trim lines in nfs4_acls.c
Autobuild-User: Volker Lendecke <vlendec at samba.org>
Autobuild-Date: Fri Sep 16 01:39:36 CEST 2011 on sn-devel-104
commit 9021934887b6098a3e0d21ddd1675b270ae7291c
Author: Volker Lendecke <vl at samba.org>
Date: Thu Sep 15 23:24:51 2011 +0200
s3: Fix some nonempty blank lines
commit d68ed1b9c603aebadcf986fe776f995e0b7959d1
Author: Volker Lendecke <vl at samba.org>
Date: Thu Sep 15 19:27:07 2011 +0200
s3: Make sharesec optionally use sddl
-----------------------------------------------------------------------
Summary of changes:
source3/modules/nfs4_acls.c | 150 ++++++++++++++++++++++++++-----------------
source3/utils/sharesec.c | 77 ++++++++++++++++++++++-
2 files changed, 168 insertions(+), 59 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
index a60d98f..05bad5d 100644
--- a/source3/modules/nfs4_acls.c
+++ b/source3/modules/nfs4_acls.c
@@ -61,7 +61,8 @@ typedef struct _SMB_ACL4_INT_T
are mapped to what in one place.
************************************************/
-static uint32_t map_nfs4_ace_flags_to_windows_ace_flags(uint32_t nfs4_ace_flags)
+static uint32_t map_nfs4_ace_flags_to_windows_ace_flags(
+ uint32_t nfs4_ace_flags)
{
uint32_t win_ace_flags = 0;
@@ -144,7 +145,8 @@ static SMB_ACE4_INT_T *get_validated_aceint(SMB4ACE_T *ace)
SMB4ACL_T *smb_create_smb4acl(void)
{
TALLOC_CTX *mem_ctx = talloc_tos();
- SMB_ACL4_INT_T *theacl = (SMB_ACL4_INT_T *)TALLOC_ZERO_SIZE(mem_ctx, sizeof(SMB_ACL4_INT_T));
+ SMB_ACL4_INT_T *theacl = (SMB_ACL4_INT_T *)TALLOC_ZERO_SIZE(
+ mem_ctx, sizeof(SMB_ACL4_INT_T));
if (theacl==NULL)
{
DEBUG(0, ("TALLOC_SIZE failed\n"));
@@ -162,7 +164,8 @@ SMB4ACE_T *smb_add_ace4(SMB4ACL_T *theacl, SMB_ACE4PROP_T *prop)
TALLOC_CTX *mem_ctx = talloc_tos();
SMB_ACE4_INT_T *ace;
- ace = (SMB_ACE4_INT_T *)TALLOC_ZERO_SIZE(mem_ctx, sizeof(SMB_ACE4_INT_T));
+ ace = (SMB_ACE4_INT_T *)TALLOC_ZERO_SIZE(
+ mem_ctx, sizeof(SMB_ACE4_INT_T));
if (ace==NULL)
{
DEBUG(0, ("TALLOC_SIZE failed\n"));
@@ -273,9 +276,11 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, SMB4ACL_T *theacl, /* in */
DEBUG(10, ("smbacl_nfs42win entered\n"));
aclint = get_validated_aclint(theacl);
- /* We do not check for naces being 0 or theacl being NULL here because it is done upstream */
+ /* We do not check for naces being 0 or theacl being NULL here
+ * because it is done upstream */
/* in smb_get_nt_acl_nfs4(). */
- nt_ace_list = (struct security_ace *)TALLOC_ZERO_SIZE(mem_ctx, aclint->naces * sizeof(struct security_ace));
+ nt_ace_list = (struct security_ace *)TALLOC_ZERO_SIZE(
+ mem_ctx, aclint->naces * sizeof(struct security_ace));
if (nt_ace_list==NULL)
{
DEBUG(10, ("talloc error"));
@@ -283,15 +288,18 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, SMB4ACL_T *theacl, /* in */
return False;
}
- for (aceint=aclint->first; aceint!=NULL; aceint=(SMB_ACE4_INT_T *)aceint->next) {
+ for (aceint=aclint->first;
+ aceint!=NULL;
+ aceint=(SMB_ACE4_INT_T *)aceint->next) {
uint32_t mask;
struct dom_sid sid;
SMB_ACE4PROP_T *ace = &aceint->prop;
uint32_t win_ace_flags;
- DEBUG(10, ("magic: 0x%x, type: %d, iflags: %x, flags: %x, mask: %x, "
- "who: %d\n", aceint->magic, ace->aceType, ace->flags,
- ace->aceFlags, ace->aceMask, ace->who.id));
+ DEBUG(10, ("magic: 0x%x, type: %d, iflags: %x, flags: %x, "
+ "mask: %x, who: %d\n",
+ aceint->magic, ace->aceType, ace->flags,
+ ace->aceFlags, ace->aceMask, ace->who.id));
SMB_ASSERT(aceint->magic==SMB_ACE4_INT_MAGIC);
@@ -324,15 +332,19 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, SMB4ACL_T *theacl, /* in */
ace->aceMask |= SMB_ACE4_DELETE_CHILD;
}
- win_ace_flags = map_nfs4_ace_flags_to_windows_ace_flags(ace->aceFlags);
- if (!is_directory && (win_ace_flags & (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT))) {
+ win_ace_flags = map_nfs4_ace_flags_to_windows_ace_flags(
+ ace->aceFlags);
+ if (!is_directory &&
+ (win_ace_flags & (SEC_ACE_FLAG_OBJECT_INHERIT|
+ SEC_ACE_FLAG_CONTAINER_INHERIT))) {
/*
* GPFS sets inherits dir_inhert and file_inherit flags
* to files, too, which confuses windows, and seems to
* be wrong anyways. ==> Map these bits away for files.
*/
DEBUG(10, ("removing inherit flags from nfs4 ace\n"));
- win_ace_flags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT);
+ win_ace_flags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT|
+ SEC_ACE_FLAG_CONTAINER_INHERIT);
}
DEBUG(10, ("Windows mapped ace flags: 0x%x => 0x%x\n",
ace->aceFlags, win_ace_flags));
@@ -389,24 +401,27 @@ static NTSTATUS smb_get_nt_acl_nfs4_common(const SMB_STRUCT_STAT *sbuf,
}
DEBUG(10,("after make sec_acl\n"));
- *ppdesc = make_sec_desc(mem_ctx, SD_REVISION, SEC_DESC_SELF_RELATIVE,
- (security_info & SECINFO_OWNER) ? &sid_owner : NULL,
- (security_info & SECINFO_GROUP) ? &sid_group : NULL,
- NULL, psa, &sd_size);
+ *ppdesc = make_sec_desc(
+ mem_ctx, SD_REVISION, SEC_DESC_SELF_RELATIVE,
+ (security_info & SECINFO_OWNER) ? &sid_owner : NULL,
+ (security_info & SECINFO_GROUP) ? &sid_group : NULL,
+ NULL, psa, &sd_size);
if (*ppdesc==NULL) {
DEBUG(2,("make_sec_desc failed\n"));
return NT_STATUS_NO_MEMORY;
}
- DEBUG(10, ("smb_get_nt_acl_nfs4_common successfully exited with sd_size %d\n",
+ DEBUG(10, ("smb_get_nt_acl_nfs4_common successfully exited with "
+ "sd_size %d\n",
(int)ndr_size_security_descriptor(*ppdesc, 0)));
return NT_STATUS_OK;
}
NTSTATUS smb_fget_nt_acl_nfs4(files_struct *fsp,
- uint32 security_info,
- struct security_descriptor **ppdesc, SMB4ACL_T *theacl)
+ uint32 security_info,
+ struct security_descriptor **ppdesc,
+ SMB4ACL_T *theacl)
{
SMB_STRUCT_STAT sbuf;
@@ -416,13 +431,15 @@ NTSTATUS smb_fget_nt_acl_nfs4(files_struct *fsp,
return map_nt_error_from_unix(errno);
}
- return smb_get_nt_acl_nfs4_common(&sbuf, security_info, ppdesc, theacl);
+ return smb_get_nt_acl_nfs4_common(&sbuf, security_info, ppdesc,
+ theacl);
}
NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn,
- const char *name,
- uint32 security_info,
- struct security_descriptor **ppdesc, SMB4ACL_T *theacl)
+ const char *name,
+ uint32 security_info,
+ struct security_descriptor **ppdesc,
+ SMB4ACL_T *theacl)
{
SMB_STRUCT_STAT sbuf;
@@ -432,7 +449,8 @@ NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn,
return map_nt_error_from_unix(errno);
}
- return smb_get_nt_acl_nfs4_common(&sbuf, security_info, ppdesc, theacl);
+ return smb_get_nt_acl_nfs4_common(&sbuf, security_info, ppdesc,
+ theacl);
}
enum smbacl4_mode_enum {e_simple=0, e_special=1};
@@ -492,14 +510,17 @@ static void smbacl4_dump_nfs4acl(int level, SMB4ACL_T *theacl)
DEBUG(level, ("NFS4ACL: size=%d\n", aclint->naces));
- for(aceint = aclint->first; aceint!=NULL; aceint=(SMB_ACE4_INT_T *)aceint->next) {
+ for (aceint = aclint->first;
+ aceint!=NULL;
+ aceint=(SMB_ACE4_INT_T *)aceint->next) {
SMB_ACE4PROP_T *ace = &aceint->prop;
- DEBUG(level, ("\tACE: type=%d, flags=0x%x, fflags=0x%x, mask=0x%x, id=%d\n",
- ace->aceType,
- ace->aceFlags, ace->flags,
- ace->aceMask,
- ace->who.id));
+ DEBUG(level, ("\tACE: type=%d, flags=0x%x, fflags=0x%x, "
+ "mask=0x%x, id=%d\n",
+ ace->aceType,
+ ace->aceFlags, ace->flags,
+ ace->aceMask,
+ ace->who.id));
}
}
@@ -515,7 +536,8 @@ static SMB_ACE4PROP_T *smbacl4_find_equal_special(
SMB_ACL4_INT_T *aclint = get_validated_aclint(theacl);
SMB_ACE4_INT_T *aceint;
- for(aceint = aclint->first; aceint!=NULL; aceint=(SMB_ACE4_INT_T *)aceint->next) {
+ for (aceint = aclint->first; aceint != NULL;
+ aceint=(SMB_ACE4_INT_T *)aceint->next) {
SMB_ACE4PROP_T *ace = &aceint->prop;
DEBUG(10,("ace type:0x%x flags:0x%x aceFlags:0x%x "
@@ -530,7 +552,8 @@ static SMB_ACE4PROP_T *smbacl4_find_equal_special(
/* keep type safety; e.g. gid is an u.short */
if (ace->flags & SMB_ACE4_ID_SPECIAL)
{
- if (ace->who.special_id==aceNew->who.special_id)
+ if (ace->who.special_id ==
+ aceNew->who.special_id)
return ace;
} else {
if (ace->aceFlags & SMB_ACE4_IDENTIFIER_GROUP)
@@ -553,29 +576,29 @@ static bool nfs4_map_sid(smbacl4_vfs_params *params, const struct dom_sid *src,
{
static struct db_context *mapping_db = NULL;
TDB_DATA data;
-
+
if (mapping_db == NULL) {
const char *dbname = lp_parm_const_string(
-1, SMBACL4_PARAM_TYPE_NAME, "sidmap", NULL);
-
+
if (dbname == NULL) {
DEBUG(10, ("%s:sidmap not defined\n",
SMBACL4_PARAM_TYPE_NAME));
return False;
}
-
+
become_root();
mapping_db = db_open(NULL, dbname, 0, TDB_DEFAULT,
O_RDONLY, 0600);
unbecome_root();
-
+
if (mapping_db == NULL) {
DEBUG(1, ("could not open sidmap: %s\n",
strerror(errno)));
return False;
}
}
-
+
if (mapping_db->fetch(mapping_db, NULL,
string_term_tdb_data(sid_string_tos(src)),
&data) != 0) {
@@ -583,7 +606,7 @@ static bool nfs4_map_sid(smbacl4_vfs_params *params, const struct dom_sid *src,
sid_string_dbg(src)));
return False;
}
-
+
if ((data.dptr == NULL) || (data.dsize <= 0)
|| (data.dptr[data.dsize-1] != '\0')) {
DEBUG(5, ("invalid mapping for SID %s\n",
@@ -591,7 +614,7 @@ static bool nfs4_map_sid(smbacl4_vfs_params *params, const struct dom_sid *src,
TALLOC_FREE(data.dptr);
return False;
}
-
+
if (!string_to_sid(dst, (char *)data.dptr)) {
DEBUG(1, ("invalid mapping %s for SID %s\n",
(char *)data.dptr, sid_string_dbg(src)));
@@ -600,7 +623,7 @@ static bool nfs4_map_sid(smbacl4_vfs_params *params, const struct dom_sid *src,
}
TALLOC_FREE(data.dptr);
-
+
return True;
}
@@ -617,8 +640,12 @@ static bool smbacl4_fill_ace4(
DEBUG(10, ("got ace for %s\n", sid_string_dbg(&ace_nt->trustee)));
memset(ace_v4, 0, sizeof(SMB_ACE4PROP_T));
- ace_v4->aceType = ace_nt->type; /* only ACCESS|DENY supported right now */
- ace_v4->aceFlags = map_windows_ace_flags_to_nfs4_ace_flags(ace_nt->flags);
+
+ /* only ACCESS|DENY supported right now */
+ ace_v4->aceType = ace_nt->type;
+
+ ace_v4->aceFlags = map_windows_ace_flags_to_nfs4_ace_flags(
+ ace_nt->flags);
ace_v4->aceMask = ace_nt->access_mask &
(SEC_STD_ALL | SEC_FILE_ALL);
@@ -641,35 +668,38 @@ static bool smbacl4_fill_ace4(
uid_t uid;
gid_t gid;
struct dom_sid sid;
-
+
sid_copy(&sid, &ace_nt->trustee);
-
+
if (!lookup_sid(mem_ctx, &sid, &dom, &name, &type)) {
-
+
struct dom_sid mapped;
-
+
if (!nfs4_map_sid(params, &sid, &mapped)) {
DEBUG(1, ("nfs4_acls.c: file [%s]: SID %s "
- "unknown\n", filename, sid_string_dbg(&sid)));
+ "unknown\n", filename,
+ sid_string_dbg(&sid)));
errno = EINVAL;
return False;
}
-
+
DEBUG(2, ("nfs4_acls.c: file [%s]: mapped SID %s "
- "to %s\n", filename, sid_string_dbg(&sid), sid_string_dbg(&mapped)));
-
+ "to %s\n", filename, sid_string_dbg(&sid),
+ sid_string_dbg(&mapped)));
+
if (!lookup_sid(mem_ctx, &mapped, &dom,
&name, &type)) {
DEBUG(1, ("nfs4_acls.c: file [%s]: SID %s "
"mapped from %s is unknown\n",
- filename, sid_string_dbg(&mapped), sid_string_dbg(&sid)));
+ filename, sid_string_dbg(&mapped),
+ sid_string_dbg(&sid)));
errno = EINVAL;
return False;
}
-
+
sid_copy(&sid, &mapped);
}
-
+
if (type == SID_NAME_USER) {
if (!sid_to_uid(&sid, &uid)) {
DEBUG(1, ("nfs4_acls.c: file [%s]: could not "
@@ -691,7 +721,7 @@ static bool smbacl4_fill_ace4(
sid_string_dbg(&sid)));
return False;
}
-
+
ace_v4->aceFlags |= SMB_ACE4_IDENTIFIER_GROUP;
if (params->mode==e_special && gid==ownerGID) {
@@ -806,7 +836,8 @@ NTSTATUS smb_set_nt_acl_nfs4(files_struct *fsp,
{
DEBUG(9, ("security_info_sent (0x%x) ignored\n",
security_info_sent));
- return NT_STATUS_OK; /* won't show error - later to be refined... */
+ return NT_STATUS_OK; /* won't show error - later to be
+ * refined... */
}
/* Special behaviours */
@@ -818,7 +849,8 @@ NTSTATUS smb_set_nt_acl_nfs4(files_struct *fsp,
if (params.do_chown) {
/* chown logic is a copy/paste from posix_acl.c:set_nt_acl */
- NTSTATUS status = unpack_nt_owners(fsp->conn, &newUID, &newGID, security_info_sent, psd);
+ NTSTATUS status = unpack_nt_owners(fsp->conn, &newUID, &newGID,
+ security_info_sent, psd);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(8, ("unpack_nt_owners failed"));
return status;
@@ -852,7 +884,8 @@ NTSTATUS smb_set_nt_acl_nfs4(files_struct *fsp,
}
if (!(security_info_sent & SECINFO_DACL) || psd->dacl ==NULL) {
- DEBUG(10, ("no dacl found; security_info_sent = 0x%x\n", security_info_sent));
+ DEBUG(10, ("no dacl found; security_info_sent = 0x%x\n",
+ security_info_sent));
return NT_STATUS_OK;
}
@@ -873,7 +906,8 @@ NTSTATUS smb_set_nt_acl_nfs4(files_struct *fsp,
}
if (result!=True) {
errno = saved_errno;
- DEBUG(10, ("set_nfs4_native failed with %s\n", strerror(errno)));
+ DEBUG(10, ("set_nfs4_native failed with %s\n",
+ strerror(errno)));
return map_nt_error_from_unix(errno);
}
diff --git a/source3/utils/sharesec.c b/source3/utils/sharesec.c
index ab52e47..641a2ce 100644
--- a/source3/utils/sharesec.c
+++ b/source3/utils/sharesec.c
@@ -34,6 +34,8 @@ enum acl_mode { SMB_ACL_DELETE,
SMB_ACL_ADD,
SMB_ACL_SET,
SMB_SD_DELETE,
+ SMB_SD_SETSDDL,
+ SMB_SD_VIEWSDDL,
SMB_ACL_VIEW };
struct perm_value {
@@ -497,6 +499,9 @@ static int change_share_sec(TALLOC_CTX *mem_ctx, const char *sharename, char *th
return -1;
}
return 0;
+ default:
+ fprintf(stderr, "invalid command\n");
+ return -1;
}
/* Denied ACE entries must come before allowed ones */
@@ -509,6 +514,53 @@ static int change_share_sec(TALLOC_CTX *mem_ctx, const char *sharename, char *th
return 0;
}
+static int set_sharesec_sddl(const char *sharename, const char *sddl)
+{
+ struct security_descriptor *sd;
+ bool ret;
+
+ sd = sddl_decode(talloc_tos(), sddl, get_global_sam_sid());
+ if (sd == NULL) {
+ fprintf(stderr, "Failed to parse acl\n");
+ return -1;
+ }
+
+ ret = set_share_security(sharename, sd);
+ TALLOC_FREE(sd);
+ if (!ret) {
+ fprintf(stderr, "Failed to store acl for share [%s]\n",
+ sharename);
+ return -1;
+ }
+
+ return 0;
+}
+
+static int view_sharesec_sddl(const char *sharename)
+{
+ struct security_descriptor *sd;
+ size_t sd_size;
+ char *acl;
+
+ sd = get_share_security(talloc_tos(), sharename, &sd_size);
+ if (sd == NULL) {
+ fprintf(stderr, "Unable to retrieve permissions for share "
+ "[%s]\n", sharename);
+ return -1;
+ }
+
+ acl = sddl_encode(talloc_tos(), sd, get_global_sam_sid());
+ TALLOC_FREE(sd);
+ if (acl == NULL) {
+ fprintf(stderr, "Unable to sddl-encode permissions for share "
+ "[%s]\n", sharename);
+ return -1;
+ }
+ printf("%s\n", acl);
+ TALLOC_FREE(acl);
+ return 0;
+}
+
/********************************************************************
main program
********************************************************************/
@@ -531,6 +583,10 @@ int main(int argc, const char *argv[])
{ "add", 'a', POPT_ARG_STRING, &the_acl, 'a', "Add ACEs", "ACL" },
{ "replace", 'R', POPT_ARG_STRING, &the_acl, 'R', "Overwrite share permission ACL", "ACLS" },
{ "delete", 'D', POPT_ARG_NONE, NULL, 'D', "Delete the entire security descriptor" },
+ { "setsddl", 'S', POPT_ARG_STRING, the_acl, 'S',
+ "Set the SD in sddl format" },
+ { "viewsddl", 'V', POPT_ARG_NONE, the_acl, 'V',
+ "View the SD in sddl format" },
{ "view", 'v', POPT_ARG_NONE, NULL, 'v', "View current share permissions" },
{ "machine-sid", 'M', POPT_ARG_NONE, NULL, 'M', "Initialize the machine SID" },
{ "force", 'F', POPT_ARG_NONE, NULL, 'F', "Force storing the ACL", "ACLS" },
@@ -580,6 +636,15 @@ int main(int argc, const char *argv[])
mode = SMB_SD_DELETE;
break;
+ case 'S':
+ mode = SMB_SD_SETSDDL;
+ the_acl = smb_xstrdup(poptGetOptArg(pc));
+ break;
+
+ case 'V':
+ mode = SMB_SD_VIEWSDDL;
+ break;
+
case 'v':
mode = SMB_ACL_VIEW;
break;
@@ -634,7 +699,17 @@ int main(int argc, const char *argv[])
return -1;
}
- retval = change_share_sec(ctx, sharename, the_acl, mode);
+ switch (mode) {
+ case SMB_SD_SETSDDL:
+ retval = set_sharesec_sddl(sharename, the_acl);
+ break;
+ case SMB_SD_VIEWSDDL:
+ retval = view_sharesec_sddl(sharename);
+ break;
+ default:
+ retval = change_share_sec(ctx, sharename, the_acl, mode);
+ break;
+ }
--
Samba Shared Repository
More information about the samba-cvs
mailing list