[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Fri Aug 10 17:18:02 MDT 2012


The branch, master has been updated
       via  f36e28d s3-nfs4acls: Remove lookup_sid and sidmap from NFSv4 ACL mapping and check gid first
       via  c991ac0 s3-smbd: Merge ACE entries based on mapped UID/GID not SID
       via  d3188a0 s3-smbd: Convert posix_acls.c to use struct unixid internally
       via  1c3c5e2 s3-smbd: Create a shortcut for building the token of a user by SID for posix_acls
       via  d7515b6 torture: Reproducer for 64c0367
      from  1f50b6c tdb/test: fix build on OSF/1

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit f36e28d1316bc0bd210933bbdb77241376fe3500
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon May 7 08:48:24 2012 +1000

    s3-nfs4acls: Remove lookup_sid and sidmap from NFSv4 ACL mapping and check gid first
    
    By checking just the IDMAP, and by removing the sidmap and lookup_sid calls, we support
    IDMAP_BOTH.  This is because by checking for a mapping to a GID first, we can rely on
    the fact that IDMAP_BOTH will resolve to a GID.
    
    If the sidmap idea is valued (it allows multiple SIDs to map to a single unix ID), this should
    be done in the IDMAP layer.
    
    Andrew Bartlett
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Sat Aug 11 01:17:36 CEST 2012 on sn-devel-104

commit c991ac0ebf13bf7832b33dffca388f6f14755fbb
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 7 12:11:50 2012 +1000

    s3-smbd: Merge ACE entries based on mapped UID/GID not SID
    
    As the test for a valid posix ACL is based on the unix uid/gid only appearing once in the ACL
    the merge process also needs to be UID/GID based.
    
    This is a problem when we have multiple builtin groups mapped to the same POSIX group
    as happens in a Samba4 provision.
    
    Andrew Bartlett
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit d3188a0480e067ecd8c7ac65ebd9dfc5f2132b41
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 7 12:02:49 2012 +1000

    s3-smbd: Convert posix_acls.c to use struct unixid internally
    
    This is consistent with the rest of Samba which uses this structure to represent
    a unix uid or gid.
    
    World values remain represented by the owner_type being WORLD_ACE in the containing
    structure.  A -1 value is filled in to the unixid.id in the same way the .world value
    was initialised in the union.
    
    Andrew Bartlett
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 1c3c5e2156d9096f60bd53a96b88c2f1001d898a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu May 10 09:19:46 2012 +1000

    s3-smbd: Create a shortcut for building the token of a user by SID for posix_acls
    
    When a user owns a file, but does not have specific permissions on that file, we need to
    make up the user permissions.  This change ensures that the first thing that we do
    is to look up the SID, and confirm it is a user.  Then, we avoid the getpwnam()
    and directly create the token via the SID.
    
    Andrew Bartlett
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit d7515b6a8886b282995a2ed433db92835783c393
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Aug 7 17:12:19 2012 +0200

    torture: Reproducer for 64c0367
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/auth/proto.h        |    1 +
 source3/auth/token_util.c   |  189 ++++++++++++++++++++++++++++++++-----------
 source3/modules/nfs4_acls.c |  128 +++--------------------------
 source3/smbd/posix_acls.c   |  149 ++++++++++++++++++----------------
 source4/torture/raw/lock.c  |   20 +++++
 5 files changed, 254 insertions(+), 233 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index e2f5a57..5b229f9 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -204,6 +204,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 				    char **found_username,
 				    struct security_token **token);
 bool user_in_group_sid(const char *username, const struct dom_sid *group_sid);
+bool user_sid_in_group_sid(const struct dom_sid *sid, const struct dom_sid *group_sid);
 bool user_in_group(const char *username, const char *groupname);
 struct passwd;
 NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c
index 59295fd..aad34cb 100644
--- a/source3/auth/token_util.c
+++ b/source3/auth/token_util.c
@@ -536,11 +536,7 @@ void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid,
 }
 
 /*
- * Create an artificial NT token given just a username. (Initially intended
- * for force user)
- *
- * We go through lookup_name() to avoid problems we had with 'winbind use
- * default domain'.
+ * Create an artificial NT token given just a domain SID.
  *
  * We have 3 cases:
  *
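Review bot: The new header comment says the token is built from "just a domain SID", but the parameter is `user_sid`, and the `SID_NAME_USER` check that used to sit in this function is removed further down in this commit, so the function now relies on its caller to pass a user SID. The comment should state that precondition, for example `Create an artificial NT token given a user SID; the caller must already have verified that the SID is of type SID_NAME_USER.` The comment block and the function it describes continue outside this hunk.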
@@ -554,16 +550,15 @@ void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid,
  * http://lists.samba.org/archive/samba-technical/2006-January/044803.html.
  */
 
-NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
-				    bool is_guest,
-				    uid_t *uid, gid_t *gid,
-				    char **found_username,
-				    struct security_token **token)
+static NTSTATUS create_token_from_sid(TALLOC_CTX *mem_ctx,
+				      const struct dom_sid *user_sid,
+				      bool is_guest,
+				      uid_t *uid, gid_t *gid,
+				      char **found_username,
+				      struct security_token **token)
 {
 	NTSTATUS result = NT_STATUS_NO_SUCH_USER;
 	TALLOC_CTX *tmp_ctx = talloc_stackframe();
-	struct dom_sid user_sid;
-	enum lsa_SidType type;
 	gid_t *gids;
 	struct dom_sid *group_sids;
 	struct dom_sid unix_group_sid;
@@ -571,19 +566,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 	uint32_t num_gids;
 	uint32_t i;
 
-	if (!lookup_name_smbconf(tmp_ctx, username, LOOKUP_NAME_ALL,
-			 NULL, NULL, &user_sid, &type)) {
-		DEBUG(1, ("lookup_name_smbconf for %s failed\n", username));
-		goto done;
-	}
-
-	if (type != SID_NAME_USER) {
-		DEBUG(1, ("%s is a %s, not a user\n", username,
-			  sid_type_lookup(type)));
-		goto done;
-	}
-
-	if (sid_check_is_in_our_sam(&user_sid)) {
+	if (sid_check_is_in_our_sam(user_sid)) {
 		bool ret;
 		uint32_t pdb_num_group_sids;
 		/* This is a passdb user, so ask passdb */
@@ -596,13 +579,13 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 		}
 
 		become_root();
-		ret = pdb_getsampwsid(sam_acct, &user_sid);
+		ret = pdb_getsampwsid(sam_acct, user_sid);
 		unbecome_root();
 
 		if (!ret) {
-			DEBUG(1, ("pdb_getsampwsid(%s) for user %s failed\n",
-				  sid_string_dbg(&user_sid), username));
-			DEBUGADD(1, ("Fall back to unix user %s\n", username));
+			DEBUG(1, ("pdb_getsampwsid(%s) failed\n",
+				  sid_string_dbg(user_sid)));
+			DEBUGADD(1, ("Fall back to unix user\n"));
 			goto unix_user;
 		}
 
@@ -610,10 +593,10 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 						    &group_sids, &gids,
 						    &pdb_num_group_sids);
 		if (!NT_STATUS_IS_OK(result)) {
-			DEBUG(1, ("enum_group_memberships failed for %s (%s): "
-				  "%s\n", username, sid_string_dbg(&user_sid),
+			DEBUG(1, ("enum_group_memberships failed for %s: "
+				  "%s\n", sid_string_dbg(user_sid),
 				  nt_errstr(result)));
-			DEBUGADD(1, ("Fall back to unix user %s\n", username));
+			DEBUGADD(1, ("Fall back to unix uid lookup\n"));
 			goto unix_user;
 		}
 		num_group_sids = pdb_num_group_sids;
@@ -654,7 +637,8 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 		}
 		*uid = sam_acct->unix_pw->pw_uid;
 
-	} else 	if (sid_check_is_in_unix_users(&user_sid)) {
+	} else 	if (sid_check_is_in_unix_users(user_sid)) {
+		struct dom_sid tmp_sid;
 		uint32_t getgroups_num_group_sids;
 		/* This is a unix user not in passdb. We need to ask nss
 		 * directly, without consulting passdb */
@@ -669,26 +653,27 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 
 	unix_user:
 
-		if (!sid_to_uid(&user_sid, uid)) {
-			DEBUG(1, ("unix_user case, sid_to_uid for %s (%s) failed\n",
-				  username, sid_string_dbg(&user_sid)));
+		if (!sid_to_uid(user_sid, uid)) {
+			DEBUG(1, ("unix_user case, sid_to_uid for %s failed\n",
+				  sid_string_dbg(user_sid)));
 			result = NT_STATUS_NO_SUCH_USER;
 			goto done;
 		}
 
-		uid_to_unix_users_sid(*uid, &user_sid);
+		uid_to_unix_users_sid(*uid, &tmp_sid);
+		user_sid = &tmp_sid;
 
 		pass = getpwuid_alloc(tmp_ctx, *uid);
 		if (pass == NULL) {
-			DEBUG(1, ("getpwuid(%u) for user %s failed\n",
-				  (unsigned int)*uid, username));
+			DEBUG(1, ("getpwuid(%u) failed\n",
+				  (unsigned int)*uid));
 			goto done;
 		}
 
-		if (!getgroups_unix_user(tmp_ctx, username, pass->pw_gid,
+		if (!getgroups_unix_user(tmp_ctx, pass->pw_name, pass->pw_gid,
 					 &gids, &getgroups_num_group_sids)) {
 			DEBUG(1, ("getgroups_unix_user for user %s failed\n",
-				  username));
+				  pass->pw_name));
 			goto done;
 		}
 		num_group_sids = getgroups_num_group_sids;
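Review bot: `user_sid = &tmp_sid;` leaves `user_sid` pointing at an object whose lifetime ends with the `else if (sid_check_is_in_unix_users(user_sid))` block, because `tmp_sid` is declared inside that block in the previous hunk. `user_sid` is read again after the if/else chain, in the `create_local_nt_token(mem_ctx, user_sid, ...)` call at function scope. The closing brace of the block is outside this hunk, but the indentation suggests it closes before that call, in which case the call reads a dead object; that is undefined behaviour, and the value it feeds is the user SID of a security token. Declaring `struct dom_sid tmp_sid;` with the other locals at the top of create_token_from_sid() keeps it valid for the whole function.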
@@ -725,9 +710,9 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 		 * information. */
 
 		/* We must always assign the *uid. */
-		if (!sid_to_uid(&user_sid, uid)) {
-			DEBUG(1, ("winbindd case, sid_to_uid for %s (%s) failed\n",
-				  username, sid_string_dbg(&user_sid)));
+		if (!sid_to_uid(user_sid, uid)) {
+			DEBUG(1, ("winbindd case, sid_to_uid for %s failed\n",
+				  sid_string_dbg(user_sid)));
 			result = NT_STATUS_NO_SUCH_USER;
 			goto done;
 		}
@@ -740,7 +725,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 			goto done;
 		}
 
-		sid_copy(&group_sids[0], &user_sid);
+		sid_copy(&group_sids[0], user_sid);
 		sid_split_rid(&group_sids[0], NULL);
 		sid_append_rid(&group_sids[0], DOMAIN_RID_USERS);
 
@@ -753,7 +738,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 		gids = gid;
 
 		/* Ensure we're returning the found_username on the right context. */
-		*found_username = talloc_strdup(mem_ctx, username);
+		*found_username = NULL;
 	}
 
 	/* Add the "Unix Group" SID for each gid to catch mapped groups
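Review bot: The winbindd branch now stores `*found_username = NULL;`, yet the unchanged check `if ((*token == NULL) || (*found_username == NULL))` at the end of create_token_from_sid() (a context line in the next hunk) still treats a NULL name as a failure. If the body of that check still sets an error status, which is outside the visible hunks, every winbind-provided user fails here: create_token_from_username() never reaches its `talloc_strdup(mem_ctx, username)` fallback, and user_sid_in_group_sid() reports non-membership. The helper's final check could be reduced to `if (*token == NULL) {`, leaving the name fallback to the callers. The comment above the assignment, "Ensure we're returning the found_username on the right context", no longer describes the line and should say that NULL means the caller supplies the name.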
@@ -782,7 +767,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 	}
 
 	/* Ensure we're creating the nt_token on the right context. */
-	*token = create_local_nt_token(mem_ctx, &user_sid,
+	*token = create_local_nt_token(mem_ctx, user_sid,
 				       is_guest, num_group_sids, group_sids);
 
 	if ((*token == NULL) || (*found_username == NULL)) {
@@ -796,6 +781,116 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 	return result;
 }
 
+/*
+ * Create an artificial NT token given just a username. (Initially intended
+ * for force user)
+ *
+ * We go through lookup_name() to avoid problems we had with 'winbind use
+ * default domain'.
+ *
+ * We have 3 cases:
+ *
+ * unmapped unix users: Go directly to nss to find the user's group.
+ *
+ * A passdb user: The list of groups is provided by pdb_enum_group_memberships.
+ *
+ * If the user is provided by winbind, the primary gid is set to "domain
+ * users" of the user's domain. For an explanation why this is necessary, see
+ * the thread starting at
+ * http://lists.samba.org/archive/samba-technical/2006-January/044803.html.
+ */
+
+NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
+				    bool is_guest,
+				    uid_t *uid, gid_t *gid,
+				    char **found_username,
+				    struct security_token **token)
+{
+	NTSTATUS result = NT_STATUS_NO_SUCH_USER;
+	TALLOC_CTX *tmp_ctx = talloc_stackframe();
+	struct dom_sid user_sid;
+	enum lsa_SidType type;
+
+	if (!lookup_name_smbconf(tmp_ctx, username, LOOKUP_NAME_ALL,
+			 NULL, NULL, &user_sid, &type)) {
+		DEBUG(1, ("lookup_name_smbconf for %s failed\n", username));
+		goto done;
+	}
+
+	if (type != SID_NAME_USER) {
+		DEBUG(1, ("%s is a %s, not a user\n", username,
+			  sid_type_lookup(type)));
+		goto done;
+	}
+
+	result = create_token_from_sid(mem_ctx, &user_sid, is_guest, uid, gid, found_username, token);
+
+	if (!NT_STATUS_IS_OK(result)) {
+		goto done;
+	}
+
+	if (*found_username == NULL) {
+		*found_username = talloc_strdup(mem_ctx, username);
+	}
+
+	if ((*token == NULL) || (*found_username == NULL)) {
+		result = NT_STATUS_NO_MEMORY;
+		goto done;
+	}
+
+	result = NT_STATUS_OK;
+done:
+	TALLOC_FREE(tmp_ctx);
+	return result;
+}
+
+/***************************************************************************
+ Build upon create_token_from_username:
+
+ Expensive helper function to figure out whether a user given its name is
+ member of a particular group.
+***************************************************************************/
+
+bool user_sid_in_group_sid(const struct dom_sid *sid, const struct dom_sid *group_sid)
+{
+	NTSTATUS status;
+	uid_t uid;
+	gid_t gid;
+	char *found_username;
+	struct security_token *token;
+	bool result;
+	enum lsa_SidType type;
+	TALLOC_CTX *mem_ctx = talloc_stackframe();
+
+	if (!lookup_sid(mem_ctx, sid,
+			 NULL, NULL, &type)) {
+		DEBUG(1, ("lookup_sid for %s failed\n", dom_sid_string(mem_ctx, sid)));
+		goto done;
+	}
+
+	if (type != SID_NAME_USER) {
+		DEBUG(5, ("%s is a %s, not a user\n", dom_sid_string(mem_ctx, sid),
+			  sid_type_lookup(type)));
+		goto done;
+	}
+
+	status = create_token_from_sid(mem_ctx, sid, False,
+				       &uid, &gid, &found_username,
+				       &token);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(10, ("could not create token for %s\n", dom_sid_string(mem_ctx, sid)));
+		TALLOC_FREE(mem_ctx);
+		return False;
+	}
+
+	result = security_token_has_sid(token, group_sid);
+
+done:
+	TALLOC_FREE(mem_ctx);
+	return result;
+}
+
 /***************************************************************************
  Build upon create_token_from_username:
 
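Review bot: In user_sid_in_group_sid() the local `bool result;` is never initialised, and both early exits (`lookup_sid` failing, and `type != SID_NAME_USER`) `goto done` and return it, so the caller gets an indeterminate answer to a group-membership question that drives ACL handling. Initialise it as `bool result = False;` so those paths fail closed. The token-creation failure path frees `mem_ctx` and returns `False` by hand instead of using `goto done`; with the initialiser in place it can use the same exit as the other two. The header comment was copied from user_in_group_sid() and still says "a user given its name", although this variant takes a SID.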
diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
index bcc7937..ac56bfb 100644
--- a/source3/modules/nfs4_acls.c
+++ b/source3/modules/nfs4_acls.c
@@ -461,7 +461,6 @@ typedef struct _smbacl4_vfs_params {
 	enum smbacl4_mode_enum mode;
 	bool do_chown;
 	enum smbacl4_acedup_enum acedup;
-	struct db_context *sid_mapping_table;
 } smbacl4_vfs_params;
 
 /*
@@ -572,64 +571,6 @@ static SMB_ACE4PROP_T *smbacl4_find_equal_special(
 	return NULL;
 }
 
-static bool nfs4_map_sid(smbacl4_vfs_params *params, const struct dom_sid *src,
-			 struct dom_sid *dst)
-{
-	static struct db_context *mapping_db = NULL;
-	TDB_DATA data;
-	NTSTATUS status;
-
-	if (mapping_db == NULL) {
-		const char *dbname = lp_parm_const_string(
-			-1, SMBACL4_PARAM_TYPE_NAME, "sidmap", NULL);
-
-		if (dbname == NULL) {
-			DEBUG(10, ("%s:sidmap not defined\n",
-				   SMBACL4_PARAM_TYPE_NAME));
-			return False;
-		}
-
-		become_root();
-		mapping_db = db_open(NULL, dbname, 0, TDB_DEFAULT,
-				     O_RDONLY, 0600,
-				     DBWRAP_LOCK_ORDER_1);
-		unbecome_root();
-
-		if (mapping_db == NULL) {
-			DEBUG(1, ("could not open sidmap: %s\n",
-				  strerror(errno)));
-			return False;
-		}
-	}
-
-	status = dbwrap_fetch(mapping_db, NULL,
-			      string_term_tdb_data(sid_string_tos(src)),
-			      &data);
-	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(10, ("could not find mapping for SID %s\n",
-			   sid_string_dbg(src)));
-		return False;
-	}
-
-	if ((data.dptr == NULL) || (data.dsize <= 0)
-	    || (data.dptr[data.dsize-1] != '\0')) {
-		DEBUG(5, ("invalid mapping for SID %s\n",
-			  sid_string_dbg(src)));
-		TALLOC_FREE(data.dptr);
-		return False;
-	}
-
-	if (!string_to_sid(dst, (char *)data.dptr)) {
-		DEBUG(1, ("invalid mapping %s for SID %s\n",
-			  (char *)data.dptr, sid_string_dbg(src)));
-		TALLOC_FREE(data.dptr);
-		return False;
-	}
-
-	TALLOC_FREE(data.dptr);
-
-	return True;
-}
 
 static bool smbacl4_fill_ace4(
 	TALLOC_CTX *mem_ctx,
@@ -667,65 +608,10 @@ static bool smbacl4_fill_ace4(
 		ace_v4->who.special_id = SMB_ACE4_WHO_EVERYONE;
 		ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
 	} else {
-		const char *dom, *name;
-		enum lsa_SidType type;
 		uid_t uid;
 		gid_t gid;
-		struct dom_sid sid;
-
-		sid_copy(&sid, &ace_nt->trustee);
-
-		if (!lookup_sid(mem_ctx, &sid, &dom, &name, &type)) {
-
-			struct dom_sid mapped;
-
-			if (!nfs4_map_sid(params, &sid, &mapped)) {
-				DEBUG(1, ("nfs4_acls.c: file [%s]: SID %s "
-					  "unknown\n", filename,
-					  sid_string_dbg(&sid)));
-				errno = EINVAL;
-				return False;
-			}
-
-			DEBUG(2, ("nfs4_acls.c: file [%s]: mapped SID %s "
-				  "to %s\n", filename, sid_string_dbg(&sid),
-				  sid_string_dbg(&mapped)));
-
-			if (!lookup_sid(mem_ctx, &mapped, &dom,
-					&name, &type)) {
-				DEBUG(1, ("nfs4_acls.c: file [%s]: SID %s "
-					  "mapped from %s is unknown\n",
-					  filename, sid_string_dbg(&mapped),
-					  sid_string_dbg(&sid)));
-				errno = EINVAL;
-				return False;
-			}
-
-			sid_copy(&sid, &mapped);
-		}
-
-		if (type == SID_NAME_USER) {
-			if (!sid_to_uid(&sid, &uid)) {
-				DEBUG(1, ("nfs4_acls.c: file [%s]: could not "
-					  "convert %s to uid\n", filename,
-					  sid_string_dbg(&sid)));
-				return False;
-			}
-
-			if (params->mode==e_special && uid==ownerUID) {
-				ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
-				ace_v4->who.special_id = SMB_ACE4_WHO_OWNER;
-			} else {
-				ace_v4->who.uid = uid;
-			}
-		} else { /* else group? - TODO check it... */
-			if (!sid_to_gid(&sid, &gid)) {
-				DEBUG(1, ("nfs4_acls.c: file [%s]: could not "
-					  "convert %s to gid\n", filename,
-					  sid_string_dbg(&sid)));
-				return False;
-			}
 
+		if (sid_to_gid(&ace_nt->trustee, &gid)) {
 			ace_v4->aceFlags |= SMB_ACE4_IDENTIFIER_GROUP;
 
 			if (params->mode==e_special && gid==ownerGID) {
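Review bot: Trying `sid_to_gid()` before `sid_to_uid()` means the `uid==ownerUID` test added in the next hunk is only reached when no gid mapping exists for the trustee. With IDMAP_BOTH, which the commit message says always resolves to a GID, an ACE for the file owner's SID is compared against `ownerGID` instead. In `e_special` mode it would then no longer be written as `SMB_ACE4_WHO_OWNER` and would get `SMB_ACE4_IDENTIFIER_GROUP` set. Either add a comment stating that this is intended, or check the uid mapping against `ownerUID` before the gid branch when `params->mode==e_special`. smbacl4_fill_ace4() starts and ends outside this hunk, so how the rest of the function uses these flags is not visible here.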
@@ -734,6 +620,18 @@ static bool smbacl4_fill_ace4(
 			} else {
 				ace_v4->who.gid = gid;
 			}
+		} else if (sid_to_uid(&ace_nt->trustee, &uid)) {
+			if (params->mode==e_special && uid==ownerUID) {
+				ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
+				ace_v4->who.special_id = SMB_ACE4_WHO_OWNER;
+			} else {
+				ace_v4->who.uid = uid;
+			}
+		} else {
+			DEBUG(1, ("nfs4_acls.c: file [%s]: could not "
+				  "convert %s to uid or gid\n", filename,
+				  sid_string_dbg(&ace_nt->trustee)));
+			return False;
 		}
 	}
 
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 59f8e0c..3485974 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -41,12 +41,6 @@ extern const struct generic_mapping file_generic_mapping;
 enum ace_owner {UID_ACE, GID_ACE, WORLD_ACE};
 enum ace_attribute {ALLOW_ACE, DENY_ACE}; /* Used for incoming NT ACLS. */
 
-typedef union posix_id {
-		uid_t uid;
-		gid_t gid;
-		int world;
-} posix_id;
-
 typedef struct canon_ace {
 	struct canon_ace *next, *prev;
 	SMB_ACL_TAG_T type;
@@ -54,7 +48,7 @@ typedef struct canon_ace {
 	struct dom_sid trustee;
 	enum ace_owner owner_type;
 	enum ace_attribute attr;
-	posix_id unix_ug;
+	struct unixid unix_ug;
 	uint8_t ace_flags; /* From windows ACE entry. */
 } canon_ace;
 
@@ -123,7 +117,7 @@ struct pai_entry {
 	struct pai_entry *next, *prev;
 	uint8_t ace_flags;


-- 
Samba Shared Repository

