[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Tue Oct 2 14:28:02 MDT 2012 

The branch, master has been updated
       via  c251a6b When creating a new file/directory, we need to obey the create mask/directory mask parameters.
       via  8f0ecbb Add functions to programatically set the security mask and directory security mask parameters.
       via  6575d1d When setting a non-default ACL, don't forget to apply masks to SMB_ACL_USER and SMB_ACL_GROUP entries.
       via  5d5ddbd Only apply masks on non-default ACL entries when setting the ACL.
       via  82e7132 Use is_default_acl variable in canonicalise_acl().
       via  efb446a Reformat spacing to be even.
      from  a168a7c tdb: Fix a typo

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit c251a6b0442abc13bc8be4ff8de324c1d7706a78
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Oct 2 10:25:14 2012 -0700

    When creating a new file/directory, we need to obey the create mask/directory mask parameters.
    
    Currently we call FSET_NT_ACL to inherit any ACLs on create. However
    FSET_NT_ACL uses the security mask/directory security mask parameters
    instead of the create mask/directory mask parameters.
    
    Swap them temporarily when creating to ensure the correct masks
    are applied.
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Tue Oct  2 22:27:17 CEST 2012 on sn-devel-104

commit 8f0ecbbbeebff0174579a78827d384067cd4cbb7
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Oct 2 10:22:39 2012 -0700

    Add functions to programatically set the security mask and directory security mask parameters.

commit 6575d1d34fee45c7a965c7c9641cc52b566a9e7f
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Oct 2 10:15:54 2012 -0700

    When setting a non-default ACL, don't forget to apply masks to SMB_ACL_USER and SMB_ACL_GROUP entries.

commit 5d5ddbd62490d3e87dd990554a2c7b7eaf2cc24e
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Oct 2 10:12:45 2012 -0700

    Only apply masks on non-default ACL entries when setting the ACL.

commit 82e7132bdf7c9d4ddead3cd5d845bfe68b93448b
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Oct 2 09:55:09 2012 -0700

    Use is_default_acl variable in canonicalise_acl().

commit efb446a38cca448855977666499603d12e1477b4
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Oct 2 09:21:17 2012 -0700

    Reformat spacing to be even.

-----------------------------------------------------------------------

Summary of changes:
 source3/include/proto.h   |    2 +
 source3/param/loadparm.c  |   14 +++++++++++
 source3/smbd/open.c       |   15 +++++++++++
 source3/smbd/posix_acls.c |   58 +++++++++++++++++++++++++++++++--------------
 4 files changed, 71 insertions(+), 18 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/include/proto.h b/source3/include/proto.h
index b3fa55a..e42c33d 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1188,6 +1188,8 @@ bool lp_getwd_cache(void);
 int lp_srv_maxprotocol(void);
 int lp_srv_minprotocol(void);
 int lp_security(void);
+int lp_set_security_mask(int snum, int new_val);
+int lp_set_directory_security_mask(int snum, int new_mask);
 int lp__server_role(void);
 int lp__security(void);
 int lp__domain_master(void);
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 61606ce..960a644 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -5476,3 +5476,17 @@ int lp_security(void)
 	return lp_find_security(lp__server_role(),
 				lp__security());
 }
+
+int lp_set_security_mask(int snum, int new_val)
+{
+	int ret = ServicePtrs[snum]->iSecurity_mask;
+	ServicePtrs[snum]->iSecurity_mask = new_val;
+	return ret;
+}
+
+int lp_set_directory_security_mask(int snum, int new_val)
+{
+	int ret = ServicePtrs[snum]->iDir_Security_mask;
+	ServicePtrs[snum]->iDir_Security_mask = new_val;
+	return ret;
+}
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index d4babd4..bea4d99 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -3436,6 +3436,9 @@ static NTSTATUS inherit_new_acl(files_struct *fsp)
 	bool inherit_owner = lp_inherit_owner(SNUM(fsp->conn));
 	bool inheritable_components = false;
 	size_t size = 0;
+	int orig_security_mask = 0;
+	int orig_directory_security_mask = 0;
+	int snum = SNUM(fsp->conn);
 
 	if (!parent_dirname(ctx, fsp->fsp_name->base_name, &parent_name, NULL)) {
 		return NT_STATUS_NO_MEMORY;
@@ -3506,6 +3509,14 @@ static NTSTATUS inherit_new_acl(files_struct *fsp)
 		NDR_PRINT_DEBUG(security_descriptor, psd);
 	}
 
+	/* Temporarily replace the security masks with the create masks,
+	   as we're actually doing a create here - we only call this
+	   when we've created a file or directory - but there's no
+	   way for FSET_NT_ACL to know the difference. */
+
+	orig_security_mask = lp_set_security_mask(snum, lp_create_mask(snum));
+	orig_directory_security_mask = lp_set_directory_security_mask(snum, lp_dir_mask(snum));
+
 	if (inherit_owner) {
 		/* We need to be root to force this. */
 		become_root();
@@ -3516,6 +3527,10 @@ static NTSTATUS inherit_new_acl(files_struct *fsp)
 	if (inherit_owner) {
 		unbecome_root();
 	}
+
+	(void)lp_set_security_mask(snum, orig_security_mask);
+	(void)lp_set_directory_security_mask(snum, orig_directory_security_mask);
+
 	return status;
 }
 
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 016acf4..b00f1ec 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1351,13 +1351,15 @@ static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, cano
  type.
 ****************************************************************************/
 
-static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace,
-				     const struct share_params *params,
-				     const bool is_directory,
-							const struct dom_sid *pfile_owner_sid,
-							const struct dom_sid *pfile_grp_sid,
-							const SMB_STRUCT_STAT *pst,
-							bool setting_acl)
+static bool ensure_canon_entry_valid(connection_struct *conn,
+					canon_ace **pp_ace,
+					bool is_default_acl,
+					const struct share_params *params,
+					const bool is_directory,
+					const struct dom_sid *pfile_owner_sid,
+					const struct dom_sid *pfile_grp_sid,
+					const SMB_STRUCT_STAT *pst,
+					bool setting_acl)
 {
 	canon_ace *pace;
 	canon_ace *pace_user = NULL;
@@ -1367,8 +1369,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace
 	for (pace = *pp_ace; pace; pace = pace->next) {
 		if (pace->type == SMB_ACL_USER_OBJ) {
 
-			if (setting_acl)
+			if (setting_acl && !is_default_acl) {
 				apply_default_perms(params, is_directory, pace, S_IRUSR);
+			}
 			pace_user = pace;
 
 		} else if (pace->type == SMB_ACL_GROUP_OBJ) {
@@ -1377,8 +1380,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace
 			 * Ensure create mask/force create mode is respected on set.
 			 */
 
-			if (setting_acl)
+			if (setting_acl && !is_default_acl) {
 				apply_default_perms(params, is_directory, pace, S_IRGRP);
+			}
 			pace_group = pace;
 
 		} else if (pace->type == SMB_ACL_OTHER) {
@@ -1387,9 +1391,20 @@ static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace
 			 * Ensure create mask/force create mode is respected on set.
 			 */
 
-			if (setting_acl)
+			if (setting_acl && !is_default_acl) {
 				apply_default_perms(params, is_directory, pace, S_IROTH);
+			}
 			pace_other = pace;
+
+		} else if (pace->type == SMB_ACL_USER || pace->type == SMB_ACL_GROUP) {
+
+			/*
+			 * Ensure create mask/force create mode is respected on set.
+			 */
+
+			if (setting_acl && !is_default_acl) {
+				apply_default_perms(params, is_directory, pace, S_IRGRP);
+			}
 		}
 	}
 
@@ -1437,7 +1452,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace
 					pace->perms = pace_other->perms;
 			}
 
-			apply_default_perms(params, is_directory, pace, S_IRUSR);
+			if (!is_default_acl) {
+				apply_default_perms(params, is_directory, pace, S_IRUSR);
+			}
 		} else {
 			pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRUSR, S_IWUSR, S_IXUSR);
 		}
@@ -1465,7 +1482,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace
 				pace->perms = pace_other->perms;
 			else
 				pace->perms = 0;
-			apply_default_perms(params, is_directory, pace, S_IRGRP);
+			if (!is_default_acl) {
+				apply_default_perms(params, is_directory, pace, S_IRGRP);
+			}
 		} else {
 			pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRGRP, S_IWGRP, S_IXGRP);
 		}
@@ -1489,7 +1508,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace
 		pace->attr = ALLOW_ACE;
 		if (setting_acl) {
 			pace->perms = 0;
-			apply_default_perms(params, is_directory, pace, S_IROTH);
+			if (!is_default_acl) {
+				apply_default_perms(params, is_directory, pace, S_IROTH);
+			}
 		} else
 			pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IROTH, S_IWOTH, S_IXOTH);
 
@@ -2530,7 +2551,7 @@ static bool unpack_canon_ace(files_struct *fsp,
 
 	print_canon_ace_list( "file ace - before valid", file_ace);
 
-	if (!ensure_canon_entry_valid(fsp->conn, &file_ace, fsp->conn->params,
+	if (!ensure_canon_entry_valid(fsp->conn, &file_ace, false, fsp->conn->params,
 			fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
 		free_canon_ace_list(file_ace);
 		free_canon_ace_list(dir_ace);
@@ -2539,7 +2560,7 @@ static bool unpack_canon_ace(files_struct *fsp,
 
 	print_canon_ace_list( "dir ace - before valid", dir_ace);
 
-	if (dir_ace && !ensure_canon_entry_valid(fsp->conn, &dir_ace, fsp->conn->params,
+	if (dir_ace && !ensure_canon_entry_valid(fsp->conn, &dir_ace, true, fsp->conn->params,
 			fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
 		free_canon_ace_list(file_ace);
 		free_canon_ace_list(dir_ace);
@@ -2628,6 +2649,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
 	canon_ace *ace = NULL;
 	canon_ace *next_ace = NULL;
 	int entry_id = SMB_ACL_FIRST_ENTRY;
+	bool is_default_acl = (the_acl_type == SMB_ACL_TYPE_DEFAULT);
 	SMB_ACL_ENTRY_T entry;
 	size_t ace_count;
 
@@ -2718,7 +2740,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
 		ace->trustee = sid;
 		ace->unix_ug = unix_ug;
 		ace->owner_type = owner_type;
-		ace->ace_flags = get_pai_flags(pal, ace, (the_acl_type == SMB_ACL_TYPE_DEFAULT));
+		ace->ace_flags = get_pai_flags(pal, ace, is_default_acl);
 
 		DLIST_ADD(l_head, ace);
 	}
@@ -2727,7 +2749,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
 	 * This next call will ensure we have at least a user/group/world set.
 	 */
 
-	if (!ensure_canon_entry_valid(conn, &l_head, conn->params,
+	if (!ensure_canon_entry_valid(conn, &l_head, is_default_acl, conn->params,
 				      S_ISDIR(psbuf->st_ex_mode), powner, pgroup,
 				      psbuf, False))
 		goto fail;
@@ -2737,7 +2759,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
 	 * acl_mask. Ensure all DENY Entries are at the start of the list.
 	 */
 
-	DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", the_acl_type == SMB_ACL_TYPE_ACCESS ? "Access" : "Default" ));
+	DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", is_default_acl ?  "Default" : "Access"));
 
 	for ( ace_count = 0, ace = l_head; ace; ace = next_ace, ace_count++) {
 		next_ace = ace->next;


-- 
Samba Shared Repository

More information about the samba-cvs mailing list