[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Thu Aug 30 13:39:01 MDT 2012
The branch, master has been updated
via 4ff4466 The NTVFS server doesn't pass the SMB1 INHERITFLAGS test.
via 7c4ae72 Now ACL inheritance flags are working, add test_inheritance_flags() back into raw.acls to ensure we don't regress.
via da670e4 With the inheritance ACL changes we now pass samba3.smb2.acls.INHERITFLAGS.
via cf29863 Fix bug #9124 - Samba fails to set "inherited" bit on inherited ACE's.
via 3d34406 Windows does canonicalization of inheritance bits. Do the same.
via 795920c Change the other two places where we set a security descriptor given by the client to got through set_sd(), the canonicalize sd function.
via 70ebf1d Re-add set_sd(), called from set_sd_blob(). Allows us to centralize all ACL canonicalization.
via 8c84ece Rename set_sd() to set_sd_blob() - this describes what it does.
from 02aacb1 s3:libsmb correctly set isFsctl for snapshot list
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 4ff446636a40ca27105033fc52db5313cb7fc85a
Author: Jeremy Allison <jra at samba.org>
Date: Thu Aug 30 08:45:43 2012 -0700
The NTVFS server doesn't pass the SMB1 INHERITFLAGS test.
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Aug 30 21:38:02 CEST 2012 on sn-devel-104
commit 7c4ae7285152777410c31a429ea590501b1c1fe8
Author: Jeremy Allison <jra at samba.org>
Date: Wed Aug 29 15:18:19 2012 -0700
Now ACL inheritance flags are working, add test_inheritance_flags() back into raw.acls to ensure we don't regress.
commit da670e4830ab487c1f56efbea90b1cf33247938c
Author: Jeremy Allison <jra at samba.org>
Date: Wed Aug 29 14:22:33 2012 -0700
With the inheritance ACL changes we now pass samba3.smb2.acls.INHERITFLAGS.
commit cf29863c69b36224564c27ef1610010b943857c0
Author: Jeremy Allison <jra at samba.org>
Date: Wed Aug 29 13:44:57 2012 -0700
Fix bug #9124 - Samba fails to set "inherited" bit on inherited ACE's.
Change se_create_child_secdesc() to handle inheritance correctly.
commit 3d34406c7bd70576b1705e98b4b3901ac75537c9
Author: Jeremy Allison <jra at samba.org>
Date: Wed Aug 29 13:40:29 2012 -0700
Windows does canonicalization of inheritance bits. Do the same.
We need to filter out the
SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ
bits. If both are set we store SEC_DESC_DACL_AUTO_INHERITED
as this alters whether SEC_ACE_FLAG_INHERITED_ACE is set
when an ACE is inherited. Otherwise we zero these bits out.
See:
http://social.msdn.microsoft.com/Forums/eu/os_fileservices/thread/11f77b68-731e-407d-b1b3-064750716531
for details.
commit 795920cf4a25ab4ea061d5620b19ba27884921dd
Author: Jeremy Allison <jra at samba.org>
Date: Wed Aug 29 13:37:51 2012 -0700
Change the other two places where we set a security descriptor given by the client to go through set_sd(),
the canonicalize sd function.
commit 70ebf1da67e30b585543ffe55a6d7c9da6023138
Author: Jeremy Allison <jra at samba.org>
Date: Wed Aug 29 13:29:34 2012 -0700
Re-add set_sd(), called from set_sd_blob(). Allows us to centralize all ACL canonicalization.
commit 8c84ecef89dfbfd2cd76b92272fbd32fb13d00b8
Author: Jeremy Allison <jra at samba.org>
Date: Wed Aug 29 13:23:06 2012 -0700
Rename set_sd() to set_sd_blob() - this describes what it does.
-----------------------------------------------------------------------
Summary of changes:
libcli/security/secdesc.c | 10 +++-
selftest/knownfail | 2 +-
source3/rpc_server/srvsvc/srv_srvsvc_nt.c | 21 +--------
source3/smbd/nttrans.c | 73 +++++++++++++++++++++++-----
source3/smbd/open.c | 6 +--
source3/smbd/proto.h | 4 +-
source3/smbd/smb2_setinfo.c | 2 +-
source4/torture/raw/acls.c | 15 ++++--
8 files changed, 84 insertions(+), 49 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/security/secdesc.c b/libcli/security/secdesc.c
index 84128e4..a3db1b6 100644
--- a/libcli/security/secdesc.c
+++ b/libcli/security/secdesc.c
@@ -571,6 +571,7 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
struct security_acl *new_dacl = NULL, *the_acl = NULL;
struct security_ace *new_ace_list = NULL;
unsigned int new_ace_list_ndx = 0, i;
+ bool set_inherited_flags = (parent_ctr->type & SEC_DESC_DACL_AUTO_INHERITED);
TALLOC_CTX *frame;
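Review bot: The new `set_inherited_flags` line is the pivot of the bug #9124 fix, yet nothing in the code says why the flag is keyed on the parent's SEC_DESC_DACL_AUTO_INHERITED bit; a one-line comment would help, e.g. `/* Inherited ACEs are flagged INHERITED_ACE only when the parent DACL is auto-inherited (bug #9124). */`. The same `set_inherited_flags ? SEC_ACE_FLAG_INHERITED_ACE : 0` ternary is then repeated at both init_sec_ace() call sites in the next two hunks; computing it once here as `uint32_t inherited_ace_flag = set_inherited_flags ? SEC_ACE_FLAG_INHERITED_ACE : 0;` and OR-ing that in at both sites keeps the two from drifting apart. Getting this bit right matters beyond cosmetics, since clients use INHERITED_ACE to tell inherited entries from explicit ones when editing or re-propagating ACLs. se_create_child_secdesc() starts and ends outside this hunk.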
@@ -637,7 +638,8 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
/* First add the regular ACE entry. */
init_sec_ace(new_ace, ptrustee, ace->type,
- ace->access_mask, 0);
+ ace->access_mask,
+ set_inherited_flags ? SEC_ACE_FLAG_INHERITED_ACE : 0);
DEBUG(5,("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x"
" inherited as %s:%d/0x%02x/0x%08x\n",
@@ -661,7 +663,8 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
}
init_sec_ace(new_ace, ptrustee, ace->type,
- ace->access_mask, new_flags);
+ ace->access_mask, new_flags |
+ (set_inherited_flags ? SEC_ACE_FLAG_INHERITED_ACE : 0));
DEBUG(5, ("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x "
" inherited as %s:%d/0x%02x/0x%08x\n",
@@ -690,7 +693,8 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
*ppsd = make_sec_desc(ctx,
SECURITY_DESCRIPTOR_REVISION_1,
- SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
+ SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT|
+ (set_inherited_flags ? SEC_DESC_DACL_AUTO_INHERITED : 0),
owner_sid,
group_sid,
NULL,
diff --git a/selftest/knownfail b/selftest/knownfail
index ca5bef2..93f1dfc 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -126,6 +126,7 @@
^samba4.raw.streams.*.delete
^samba4.raw.streams.*.createdisp
^samba4.raw.streams.*.sumtab
+^samba4.raw.acls.INHERITFLAGS
^samba4.raw.acls.*.create_dir
^samba4.raw.acls.*.create_file
^samba4.smb2.create.*.acldir
@@ -206,7 +207,6 @@
^samba3.smb2.oplock.batch12
^samba3.smb2.oplock.batch20
^samba3.smb2.acls.GENERIC
-^samba3.smb2.acls.INHERITFLAGS
^samba3.smb2.streams.rename
^samba3.smb2.streams.rename2
^samba3.smb2.streams.attributes
diff --git a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
index 7f34ec2..2d34b9b 100644
--- a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
+++ b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
@@ -2332,26 +2332,7 @@ WERROR _srvsvc_NetSetFileSecurity(struct pipes_struct *p,
psd = r->in.sd_buf->sd;
security_info_sent = r->in.securityinformation;
- if (psd->owner_sid==0) {
- security_info_sent &= ~SECINFO_OWNER;
- }
- if (psd->group_sid==0) {
- security_info_sent &= ~SECINFO_GROUP;
- }
- if (psd->sacl==0) {
- security_info_sent &= ~SECINFO_SACL;
- }
- if (psd->dacl==0) {
- security_info_sent &= ~SECINFO_DACL;
- }
-
- /* Convert all the generic bits. */
- security_acl_map_generic(psd->dacl, &file_generic_mapping);
- security_acl_map_generic(psd->sacl, &file_generic_mapping);
-
- nt_status = SMB_VFS_FSET_NT_ACL(fsp,
- security_info_sent,
- psd);
+ nt_status = set_sd(fsp, psd, security_info_sent);
if (!NT_STATUS_IS_OK(nt_status) ) {
DEBUG(3,("_srvsvc_NetSetFileSecurity: Unable to set NT ACL "
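Review bot: The removed lines ran security_acl_map_generic() on the DACL and SACL before SMB_VFS_FSET_NT_ACL(), and the replacement `nt_status = set_sd(fsp, psd, security_info_sent);` only preserves that if set_sd() performs the mapping itself, which the nttrans.c hunks in this changeset do not show; if it does not, generic access bits sent by the client would now be stored unmapped, so this is worth confirming. The open.c hunk drops the identical pair of mapping calls and has the same dependency. Note also that set_sd() returns NT_STATUS_ACCESS_DENIED when CAN_WRITE(fsp->conn) is false, so this RPC path now picks up a share-writability check it did not have before, which looks intended but deserves a line in the commit message. _srvsvc_NetSetFileSecurity() begins and ends outside this hunk.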
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index a0a3f59..997f721 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -830,20 +830,48 @@ static void do_nt_transact_create_pipe(connection_struct *conn,
return;
}
+/*********************************************************************
+ Windows seems to do canonicalization of inheritance bits. Do the
+ same.
+*********************************************************************/
+
+static void canonicalize_inheritance_bits(struct security_descriptor *psd)
+{
+ bool set_auto_inherited = false;
+
+ /*
+ * We need to filter out the
+ * SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ
+ * bits. If both are set we store SEC_DESC_DACL_AUTO_INHERITED
+ * as this alters whether SEC_ACE_FLAG_INHERITED_ACE is set
+ * when an ACE is inherited. Otherwise we zero these bits out.
+ * See:
+ *
+ * http://social.msdn.microsoft.com/Forums/eu/os_fileservices/thread/11f77b68-731e-407d-b1b3-064750716531
+ *
+ * for details.
+ */
+
+ if ((psd->type & (SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ))
+ == (SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ)) {
+ set_auto_inherited = true;
+ }
+
+ psd->type &= ~(SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ);
+ if (set_auto_inherited) {
+ psd->type |= SEC_DESC_DACL_AUTO_INHERITED;
+ }
+}
+
/****************************************************************************
Internal fn to set security descriptors.
****************************************************************************/
-NTSTATUS set_sd(files_struct *fsp, uint8_t *data, uint32_t sd_len,
+NTSTATUS set_sd(files_struct *fsp, struct security_descriptor *psd,
uint32_t security_info_sent)
{
- struct security_descriptor *psd = NULL;
NTSTATUS status;
- if (sd_len == 0) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
if (!CAN_WRITE(fsp->conn)) {
return NT_STATUS_ACCESS_DENIED;
}
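Review bot: canonicalize_inheritance_bits() only normalises the DACL pair SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ; the corresponding SACL bits (SEC_DESC_SACL_AUTO_INHERITED, SEC_DESC_SACL_AUTO_INHERIT_REQ) in psd->type pass through unchanged. If that is deliberate the header comment should say so, e.g. `* Only the DACL bits are canonicalized here; the SACL pair is stored as sent.`, and if not, the same fold applies to them. The comment could also state the invariant the function establishes: on return at most SEC_DESC_DACL_AUTO_INHERITED of the two bits remains, and only when the client sent both. set_sd()'s body continues past the end of this hunk.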
@@ -852,12 +880,6 @@ NTSTATUS set_sd(files_struct *fsp, uint8_t *data, uint32_t sd_len,
return NT_STATUS_OK;
}
- status = unmarshall_sec_desc(talloc_tos(), data, sd_len, &psd);
-
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
if (psd->owner_sid == NULL) {
security_info_sent &= ~SECINFO_OWNER;
}
@@ -909,6 +931,8 @@ NTSTATUS set_sd(files_struct *fsp, uint8_t *data, uint32_t sd_len,
}
}
+ canonicalize_inheritance_bits(psd);
+
if (DEBUGLEVEL >= 10) {
DEBUG(10,("set_sd for file %s\n", fsp_str_dbg(fsp)));
NDR_PRINT_DEBUG(security_descriptor, psd);
@@ -922,6 +946,29 @@ NTSTATUS set_sd(files_struct *fsp, uint8_t *data, uint32_t sd_len,
}
/****************************************************************************
+ Internal fn to set security descriptors from a data blob.
+****************************************************************************/
+
+NTSTATUS set_sd_blob(files_struct *fsp, uint8_t *data, uint32_t sd_len,
+ uint32_t security_info_sent)
+{
+ struct security_descriptor *psd = NULL;
+ NTSTATUS status;
+
+ if (sd_len == 0) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ status = unmarshall_sec_desc(talloc_tos(), data, sd_len, &psd);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ return set_sd(fsp, psd, security_info_sent);
+}
+
+/****************************************************************************
Read a list of EA names and data from an incoming data buffer. Create an ea_list with them.
****************************************************************************/
@@ -2101,7 +2148,7 @@ static void call_nt_transact_set_security_desc(connection_struct *conn,
return;
}
- status = set_sd(fsp, (uint8 *)data, data_count, security_info_sent);
+ status = set_sd_blob(fsp, (uint8 *)data, data_count, security_info_sent);
if (!NT_STATUS_IS_OK(status)) {
reply_nterror(req, status);
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index d078638..415f6ad 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -3757,15 +3757,11 @@ static NTSTATUS create_file_unixpath(connection_struct *conn,
fsp->access_mask = FILE_GENERIC_ALL;
- /* Convert all the generic bits. */
- security_acl_map_generic(sd->dacl, &file_generic_mapping);
- security_acl_map_generic(sd->sacl, &file_generic_mapping);
-
if (sec_info_sent & (SECINFO_OWNER|
SECINFO_GROUP|
SECINFO_DACL|
SECINFO_SACL)) {
- status = SMB_VFS_FSET_NT_ACL(fsp, sec_info_sent, sd);
+ status = set_sd(fsp, sd, sec_info_sent);
}
fsp->access_mask = saved_access_mask;
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index 5a38474..5f4947e 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -577,7 +577,9 @@ void *init_quota_handle(TALLOC_CTX *mem_ctx);
/* The following definitions come from smbd/nttrans.c */
void reply_ntcreate_and_X(struct smb_request *req);
-NTSTATUS set_sd(files_struct *fsp, uint8_t *data, uint32_t sd_len,
+NTSTATUS set_sd(files_struct *fsp, struct security_descriptor *psd,
+ uint32_t security_info_sent);
+NTSTATUS set_sd_blob(files_struct *fsp, uint8_t *data, uint32_t sd_len,
uint32_t security_info_sent);
struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t data_size);
void reply_ntcancel(struct smb_request *req);
diff --git a/source3/smbd/smb2_setinfo.c b/source3/smbd/smb2_setinfo.c
index 1b79a64..d88f7ac 100644
--- a/source3/smbd/smb2_setinfo.c
+++ b/source3/smbd/smb2_setinfo.c
@@ -308,7 +308,7 @@ static struct tevent_req *smbd_smb2_setinfo_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}
- status = set_sd(fsp,
+ status = set_sd_blob(fsp,
in_input_buffer.data,
in_input_buffer.length,
in_additional_information);
diff --git a/source4/torture/raw/acls.c b/source4/torture/raw/acls.c
index 01ee8be..0342bf9 100644
--- a/source4/torture/raw/acls.c
+++ b/source4/torture/raw/acls.c
@@ -1846,7 +1846,6 @@ done:
return ret;
}
-#if 0
static bool test_inheritance_flags(struct torture_context *tctx,
struct smbcli_state *cli)
{
@@ -1867,7 +1866,7 @@ static bool test_inheritance_flags(struct torture_context *tctx,
uint32_t parent_get_ace_inherit;
uint32_t child_get_sd_type;
uint32_t child_get_ace_inherit;
- } tflags[16]; /* 2^4 */
+ } tflags[16] = {{0}}; /* 2^4 */
for (i = 0; i < 15; i++) {
torture_comment(tctx, "i=%d:", i);
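Review bot: The new `tflags[16] = {{0}};` initializer is the right fix for reading never-written entries, but the loop on the next line, `for (i = 0; i < 15; i++)`, still fills only 15 of the 16 entries the `/* 2^4 */` comment promises; whether the all-bits-set combination is deliberately skipped is not visible here, and a comment on the bound (or `i < 16` if the omission is accidental) would settle it. The loop body and the rest of test_inheritance_flags() lie outside this hunk.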
@@ -1926,6 +1925,8 @@ static bool test_inheritance_flags(struct torture_context *tctx,
torture_comment(tctx, "TESTING ACL INHERITANCE FLAGS\n");
+ ZERO_STRUCT(io);
+
io.generic.level = RAW_OPEN_NTCREATEX;
io.ntcreatex.in.root_fid.fnum = 0;
io.ntcreatex.in.flags = 0;
@@ -2072,9 +2073,15 @@ done:
smbcli_close(cli->tree, fnum);
smb_raw_exit(cli->session);
smbcli_deltree(cli->tree, BASEDIR);
+
+ if (!ret) {
+ torture_result(tctx,
+ TORTURE_FAIL, "(%s) test_inheritance_flags\n",
+ __location__);
+ }
+
return ret;
}
-#endif
/*
test dynamic acl inheritance
@@ -2456,9 +2463,7 @@ struct torture_suite *torture_raw_acls(TALLOC_CTX *mem_ctx)
torture_suite_add_1smb_test(suite, "owner", test_owner_bits);
torture_suite_add_1smb_test(suite, "inheritance", test_inheritance);
-#if 0
torture_suite_add_1smb_test(suite, "INHERITFLAGS", test_inheritance_flags);
-#endif
torture_suite_add_1smb_test(suite, "dynamic", test_inheritance_dynamic);
#if 0
/* XXX This test does not work against XP or Vista. */