[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Tue Oct 2 14:28:02 MDT 2012
The branch, master has been updated
via c251a6b When creating a new file/directory, we need to obey the create mask/directory mask parameters.
via 8f0ecbb Add functions to programatically set the security mask and directory security mask parameters.
via 6575d1d When setting a non-default ACL, don't forget to apply masks to SMB_ACL_USER and SMB_ACL_GROUP entries.
via 5d5ddbd Only apply masks on non-default ACL entries when setting the ACL.
via 82e7132 Use is_default_acl variable in canonicalise_acl().
via efb446a Reformat spacing to be even.
from a168a7c tdb: Fix a typo
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit c251a6b0442abc13bc8be4ff8de324c1d7706a78
Author: Jeremy Allison <jra at samba.org>
Date: Tue Oct 2 10:25:14 2012 -0700
When creating a new file/directory, we need to obey the create mask/directory mask parameters.
Currently we call FSET_NT_ACL to inherit any ACLs on create. However
FSET_NT_ACL uses the security mask/directory security mask parameters
instead of the create mask/directory mask parameters.
Swap them temporarily when creating to ensure the correct masks
are applied.
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Oct 2 22:27:17 CEST 2012 on sn-devel-104
commit 8f0ecbbbeebff0174579a78827d384067cd4cbb7
Author: Jeremy Allison <jra at samba.org>
Date: Tue Oct 2 10:22:39 2012 -0700
Add functions to programatically set the security mask and directory security mask parameters.
commit 6575d1d34fee45c7a965c7c9641cc52b566a9e7f
Author: Jeremy Allison <jra at samba.org>
Date: Tue Oct 2 10:15:54 2012 -0700
When setting a non-default ACL, don't forget to apply masks to SMB_ACL_USER and SMB_ACL_GROUP entries.
commit 5d5ddbd62490d3e87dd990554a2c7b7eaf2cc24e
Author: Jeremy Allison <jra at samba.org>
Date: Tue Oct 2 10:12:45 2012 -0700
Only apply masks on non-default ACL entries when setting the ACL.
commit 82e7132bdf7c9d4ddead3cd5d845bfe68b93448b
Author: Jeremy Allison <jra at samba.org>
Date: Tue Oct 2 09:55:09 2012 -0700
Use is_default_acl variable in canonicalise_acl().
commit efb446a38cca448855977666499603d12e1477b4
Author: Jeremy Allison <jra at samba.org>
Date: Tue Oct 2 09:21:17 2012 -0700
Reformat spacing to be even.
-----------------------------------------------------------------------
Summary of changes:
source3/include/proto.h | 2 +
source3/param/loadparm.c | 14 +++++++++++
source3/smbd/open.c | 15 +++++++++++
source3/smbd/posix_acls.c | 58 +++++++++++++++++++++++++++++++--------------
4 files changed, 71 insertions(+), 18 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/include/proto.h b/source3/include/proto.h
index b3fa55a..e42c33d 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1188,6 +1188,8 @@ bool lp_getwd_cache(void);
int lp_srv_maxprotocol(void);
int lp_srv_minprotocol(void);
int lp_security(void);
+int lp_set_security_mask(int snum, int new_val);
+int lp_set_directory_security_mask(int snum, int new_mask);
int lp__server_role(void);
int lp__security(void);
int lp__domain_master(void);
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 61606ce..960a644 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -5476,3 +5476,17 @@ int lp_security(void)
return lp_find_security(lp__server_role(),
lp__security());
}
+
+int lp_set_security_mask(int snum, int new_val)
+{
+ int ret = ServicePtrs[snum]->iSecurity_mask;
+ ServicePtrs[snum]->iSecurity_mask = new_val;
+ return ret;
+}
+
+int lp_set_directory_security_mask(int snum, int new_val)
+{
+ int ret = ServicePtrs[snum]->iDir_Security_mask;
+ ServicePtrs[snum]->iDir_Security_mask = new_val;
+ return ret;
+}
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index d4babd4..bea4d99 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -3436,6 +3436,9 @@ static NTSTATUS inherit_new_acl(files_struct *fsp)
bool inherit_owner = lp_inherit_owner(SNUM(fsp->conn));
bool inheritable_components = false;
size_t size = 0;
+ int orig_security_mask = 0;
+ int orig_directory_security_mask = 0;
+ int snum = SNUM(fsp->conn);
if (!parent_dirname(ctx, fsp->fsp_name->base_name, &parent_name, NULL)) {
return NT_STATUS_NO_MEMORY;
@@ -3506,6 +3509,14 @@ static NTSTATUS inherit_new_acl(files_struct *fsp)
NDR_PRINT_DEBUG(security_descriptor, psd);
}
+ /* Temporarily replace the security masks with the create masks,
+ as we're actually doing a create here - we only call this
+ when we've created a file or directory - but there's no
+ way for FSET_NT_ACL to know the difference. */
+
+ orig_security_mask = lp_set_security_mask(snum, lp_create_mask(snum));
+ orig_directory_security_mask = lp_set_directory_security_mask(snum, lp_dir_mask(snum));
+
if (inherit_owner) {
/* We need to be root to force this. */
become_root();
@@ -3516,6 +3527,10 @@ static NTSTATUS inherit_new_acl(files_struct *fsp)
if (inherit_owner) {
unbecome_root();
}
+
+ (void)lp_set_security_mask(snum, orig_security_mask);
+ (void)lp_set_directory_security_mask(snum, orig_directory_security_mask);
+
return status;
}
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 016acf4..b00f1ec 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1351,13 +1351,15 @@ static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, cano
type.
****************************************************************************/
-static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace,
- const struct share_params *params,
- const bool is_directory,
- const struct dom_sid *pfile_owner_sid,
- const struct dom_sid *pfile_grp_sid,
- const SMB_STRUCT_STAT *pst,
- bool setting_acl)
+static bool ensure_canon_entry_valid(connection_struct *conn,
+ canon_ace **pp_ace,
+ bool is_default_acl,
+ const struct share_params *params,
+ const bool is_directory,
+ const struct dom_sid *pfile_owner_sid,
+ const struct dom_sid *pfile_grp_sid,
+ const SMB_STRUCT_STAT *pst,
+ bool setting_acl)
{
canon_ace *pace;
canon_ace *pace_user = NULL;
@@ -1367,8 +1369,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace
for (pace = *pp_ace; pace; pace = pace->next) {
if (pace->type == SMB_ACL_USER_OBJ) {
- if (setting_acl)
+ if (setting_acl && !is_default_acl) {
apply_default_perms(params, is_directory, pace, S_IRUSR);
+ }
pace_user = pace;
} else if (pace->type == SMB_ACL_GROUP_OBJ) {
@@ -1377,8 +1380,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace
* Ensure create mask/force create mode is respected on set.
*/
- if (setting_acl)
+ if (setting_acl && !is_default_acl) {
apply_default_perms(params, is_directory, pace, S_IRGRP);
+ }
pace_group = pace;
} else if (pace->type == SMB_ACL_OTHER) {
@@ -1387,9 +1391,20 @@ static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace
* Ensure create mask/force create mode is respected on set.
*/
- if (setting_acl)
+ if (setting_acl && !is_default_acl) {
apply_default_perms(params, is_directory, pace, S_IROTH);
+ }
pace_other = pace;
+
+ } else if (pace->type == SMB_ACL_USER || pace->type == SMB_ACL_GROUP) {
+
+ /*
+ * Ensure create mask/force create mode is respected on set.
+ */
+
+ if (setting_acl && !is_default_acl) {
+ apply_default_perms(params, is_directory, pace, S_IRGRP);
+ }
}
}
@@ -1437,7 +1452,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace
pace->perms = pace_other->perms;
}
- apply_default_perms(params, is_directory, pace, S_IRUSR);
+ if (!is_default_acl) {
+ apply_default_perms(params, is_directory, pace, S_IRUSR);
+ }
} else {
pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRUSR, S_IWUSR, S_IXUSR);
}
@@ -1465,7 +1482,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace
pace->perms = pace_other->perms;
else
pace->perms = 0;
- apply_default_perms(params, is_directory, pace, S_IRGRP);
+ if (!is_default_acl) {
+ apply_default_perms(params, is_directory, pace, S_IRGRP);
+ }
} else {
pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRGRP, S_IWGRP, S_IXGRP);
}
@@ -1489,7 +1508,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace
pace->attr = ALLOW_ACE;
if (setting_acl) {
pace->perms = 0;
- apply_default_perms(params, is_directory, pace, S_IROTH);
+ if (!is_default_acl) {
+ apply_default_perms(params, is_directory, pace, S_IROTH);
+ }
} else
pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IROTH, S_IWOTH, S_IXOTH);
@@ -2530,7 +2551,7 @@ static bool unpack_canon_ace(files_struct *fsp,
print_canon_ace_list( "file ace - before valid", file_ace);
- if (!ensure_canon_entry_valid(fsp->conn, &file_ace, fsp->conn->params,
+ if (!ensure_canon_entry_valid(fsp->conn, &file_ace, false, fsp->conn->params,
fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
free_canon_ace_list(file_ace);
free_canon_ace_list(dir_ace);
@@ -2539,7 +2560,7 @@ static bool unpack_canon_ace(files_struct *fsp,
print_canon_ace_list( "dir ace - before valid", dir_ace);
- if (dir_ace && !ensure_canon_entry_valid(fsp->conn, &dir_ace, fsp->conn->params,
+ if (dir_ace && !ensure_canon_entry_valid(fsp->conn, &dir_ace, true, fsp->conn->params,
fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
free_canon_ace_list(file_ace);
free_canon_ace_list(dir_ace);
@@ -2628,6 +2649,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
canon_ace *ace = NULL;
canon_ace *next_ace = NULL;
int entry_id = SMB_ACL_FIRST_ENTRY;
+ bool is_default_acl = (the_acl_type == SMB_ACL_TYPE_DEFAULT);
SMB_ACL_ENTRY_T entry;
size_t ace_count;
@@ -2718,7 +2740,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
ace->trustee = sid;
ace->unix_ug = unix_ug;
ace->owner_type = owner_type;
- ace->ace_flags = get_pai_flags(pal, ace, (the_acl_type == SMB_ACL_TYPE_DEFAULT));
+ ace->ace_flags = get_pai_flags(pal, ace, is_default_acl);
DLIST_ADD(l_head, ace);
}
@@ -2727,7 +2749,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
* This next call will ensure we have at least a user/group/world set.
*/
- if (!ensure_canon_entry_valid(conn, &l_head, conn->params,
+ if (!ensure_canon_entry_valid(conn, &l_head, is_default_acl, conn->params,
S_ISDIR(psbuf->st_ex_mode), powner, pgroup,
psbuf, False))
goto fail;
@@ -2737,7 +2759,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
* acl_mask. Ensure all DENY Entries are at the start of the list.
*/
- DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", the_acl_type == SMB_ACL_TYPE_ACCESS ? "Access" : "Default" ));
+ DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", is_default_acl ? "Default" : "Access"));
for ( ace_count = 0, ace = l_head; ace; ace = next_ace, ace_count++) {
next_ace = ace->next;
--
Samba Shared Repository
More information about the samba-cvs
mailing list