[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Tue Jan 8 23:19:02 MST 2013


The branch, master has been updated
       via  411440d replace: Fix compilation of rep_mkstemp
       via  0615f68 s3: Fix vfs_zfsacl to compile.
       via  1002cc9 selftest: show that Samba honours "write list" and valid users
       via  fcdd609 Fixup the change_to_user_by_session() case as called from become_user_by_session()
       via  296c0c3 smbd: Remove some ()
       via  38b34cc smbd: Simplify an if-expression
       via  1770882 smbd: Fix a typo
       via  b668c90 Move create_share_access_mask() from smbd/service.c to smbd/uid.c.
       via  86d1e1d Fix bug #9518 - conn->share_access appears not be be reset between users.
       via  1abb5eb Factor code out of check_user_ok() into a call to check_user_share_access().
       via  ea86f4e Initialize stack variables. Prelude to factoring out calls to check_user_share_access().
       via  8475f20 Add check_user_share_access() which factors out the share security and read_only flag setting code.
       via  6d7bffa Correctly setup the conn->share_access based on the current user token.
       via  5e9eebf Change API for create_share_access_mask() - remove conn struct.
       via  926d930 Change API for create_share_access_mask() to pass in the token.
       via  00de188 Fix API for create_share_access_mask().
       via  f7464bb Remove static from create_share_access_mask().
       via  4983d58 Add uint32_t share_access to vuid_cache_entry.
       via  7d90ae1 Clean up struct connection_struct, make struct vuid_cache a pointer not inline.
       via  5e483ab Remove unneeded variable "const struct auth_session_info *session_info"
       via  2e2f464 Remove dead code now vuser can no longer be NULL.
       via  0a09ffd Remove the second set of {} braces, no longer needed.
       via  45845f5 Remove one set of enclosing {} braces, no longer needed.
       via  390a812 Move the definition of struct vuid_cache_entry *ent outside blocks.
       via  310c4ca Start to tidy-up check_user_ok().
       via  5bffdac torture/vfstest.c: Always use create_conn_struct(). Don't hand create connection structs.
       via  7ba6850 source3/smbd/pysmbd.c: Always use create_conn_struct(). Don't hand create connection structs.
       via  a9730cb smbd/posix_acls.c: Use create_conn_struct(). Don't hand-create connection structs.
       via  b6fe9ec Allow create_conn_struct() to be called with snum == -1.
       via  97eb049 smbd: Rework create_conn_struct to use conn_new()
      from  3d5c534 smbd: Fix bug 9549 -- Memleak in the async echo handler

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 411440d2d9085fe9db0e3c26c025c6b94d02c00f
Author: Jesper Larsen <jesper.larsen at ixonos.com>
Date:   Fri Jan 4 13:03:58 2013 +0100

    replace: Fix compilation of rep_mkstemp
    
    Commit 1fbc185 removed the variable 'p'.
    Use the equivalent variable 'template' instead.
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Wed Jan  9 07:18:33 CET 2013 on sn-devel-104

commit 0615f68096569d00b1f262529024ad40136d445e
Author: Ira Cooper <ira at samba.org>
Date:   Thu Dec 27 19:57:14 2012 +0000

    s3: Fix vfs_zfsacl to compile.
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1002cc9a669836d6cddaac350715a2b107bec01e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Dec 20 23:05:55 2012 +1100

    selftest: show that Samba honours "write list" and valid users
    
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit fcdd6092b10a4b4406af47b989dcf1a9d693580e
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 8 11:02:16 2013 -0800

    Fixup the change_to_user_by_session() case as called from become_user_by_session()
    
    Use inside source3/printing/nt_printing.c:get_correct_cversion().
    
    Allow check_user_ok() to be called with vuid==UID_FIELD_INVALID.
    All this should do is throw away one entry in the vuid cache.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 296c0c34f198dfc7a8f13f26e54fbc980f667784
Author: Volker Lendecke <vl at samba.org>
Date:   Sun Jan 6 14:50:33 2013 +0100

    smbd: Remove some ()
    
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 38b34cc3e529e185dd3b3d9f79ae74d1c9fac435
Author: Volker Lendecke <vl at samba.org>
Date:   Sun Jan 6 14:41:24 2013 +0100

    smbd: Simplify an if-expression
    
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 17708821ffc2d0cb771e8c5cb6415b87e20d6a0a
Author: Volker Lendecke <vl at samba.org>
Date:   Sun Jan 6 14:39:07 2013 +0100

    smbd: Fix a typo
    
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b668c9077ba9005988146e8b1ee853ce8a6f33a4
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Jan 4 14:42:23 2013 -0800

    Move create_share_access_mask() from smbd/service.c to smbd/uid.c.
    
    Make it static. Only called from uid.c now.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 86d1e1db8e2747e30c89627cda123fde1e84f579
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Jan 4 14:40:05 2013 -0800

    Fix bug #9518 - conn->share_access appears not be be reset between users.
    
    Ensure make_connection_snum() uses the same logic as
    check_user_ok() to decide if a user can access a share.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1abb5eb89b97fab5a4c625f5492b7d26b7f17e98
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Jan 4 14:35:46 2013 -0800

    Factor code out of check_user_ok() into a call to check_user_share_access().
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ea86f4e100b547c8facc5f27ac025de6b60eea94
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Jan 3 16:06:40 2013 -0800

    Initialize stack variables. Prelude to factoring out calls to check_user_share_access().
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 8475f206b296362fc2473bf6eb4b6d51834f8245
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Jan 4 14:27:18 2013 -0800

    Add check_user_share_access() which factors out the share security and read_only flag setting code.
    
    Allows this to be called from both make_connection_snum() as well as check_user_ok().
    Gives a consistent share security check function.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6d7bffa6069ef41c36c40453681372973bba0c86
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Jan 4 14:25:55 2013 -0800

    Correctly setup the conn->share_access based on the current user token.
    
    Also use this to set conn->read_only. Cache the share_access in the
    struct vuid_cache_entry struct so we only evaluate this once per new
    user access on this share.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5e9eebf5dec60177a680010e011b88ae0ecf26d2
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Jan 4 14:24:13 2013 -0800

    Change API for create_share_access_mask() - remove conn struct.
    
    Eventually this will be indepentent of conn, just pass in the
    readonly flag.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 926d9307f789e2ca752ee2dab6b6e653dc7de628
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Jan 4 11:43:10 2013 -0800

    Change API for create_share_access_mask() to pass in the token.
    
    Don't automatically use the one from conn->session_info->security_token.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 00de188e1f3e3b795bfdbb0c84305f4767f56349
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Dec 21 09:45:03 2012 -0800

    Fix API for create_share_access_mask().
    
    Return the uint32_t share_access rather than directly
    changing the conn struct.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f7464bbf72dac41a65334c27403db8da7e08f7d3
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Dec 21 09:35:31 2012 -0800

    Remove static from create_share_access_mask().
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 4983d5838afcab8c675cace0723a3fc284667bec
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Dec 21 09:22:16 2012 -0800

    Add uint32_t share_access to vuid_cache_entry.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7d90ae123af115bdcb1cdcd025cf73fdbf22b142
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 20 14:42:55 2012 -0800

    Clean up struct connection_struct, make struct vuid_cache a pointer not inline.
    
    Change VFS ABI to 31 for 4.1.0.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5e483ab14785faf5bc011e36ac07646a624c3962
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 20 11:55:09 2012 -0800

    Remove unneeded variable "const struct auth_session_info *session_info"
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2e2f46433c657f8e9e68aaaee15e24ed41244d82
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 20 11:54:07 2012 -0800

    Remove dead code now vuser can no longer be NULL.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0a09ffd188f7bc9d8e9e4272af355e53081bf7da
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 20 11:53:11 2012 -0800

    Remove the second set of {} braces, no longer needed.
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 45845f5ba13ad4f5f12c22596ac5905a6cebec31
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 20 11:52:27 2012 -0800

    Remove one set of enclosing {} braces, no longer needed.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 390a812ccb9ba5dbc67296cc27e7aa56e6dd5ab3
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 20 11:51:55 2012 -0800

    Move the definition of struct vuid_cache_entry *ent outside blocks.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 310c4cac907877958f771c4933329560655f814c
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 20 11:50:25 2012 -0800

    Start to tidy-up check_user_ok().
    
    Now we have removed "security=share" we cannot be
    called with vuid == UID_FIELD_INVALID.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5bffdac4ed3fa5477e025e871efff759aa0ee8d8
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 8 14:18:55 2013 -0800

    torture/vfstest.c: Always use create_conn_struct(). Don't hand create connection structs.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7ba685090487410270415d3e4d69f62947ce34c3
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 8 14:18:27 2013 -0800

    source3/smbd/pysmbd.c: Always use create_conn_struct(). Don't hand create connection structs.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a9730cb3909d8c8aea64b35342ac763b135e0b1f
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 8 14:17:51 2013 -0800

    smbd/posix_acls.c: Use create_conn_struct(). Don't hand-create connection structs.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b6fe9ec6835c322f6d2d6e831bece311100bf051
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 8 16:26:50 2013 -0800

    Allow create_conn_struct() to be called with snum == -1.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 97eb0493fc263fabe63b6846b6f6add7068098e6
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jan 9 08:02:23 2013 +1100

    smbd: Rework create_conn_struct to use conn_new()
    
    This avoids issues with required structure elements not being initialised.
    
    In particular, once conn->vuid_cache becomes a pointer, this ensures
    that it is initalised in all cases.
    
    Andrew Bartlett
    
    Reviewed by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 lib/replace/replace.c                              |    2 +-
 selftest/target/Samba3.pm                          |    7 +
 source3/include/vfs.h                              |   10 +-
 source3/modules/vfs_readonly.c                     |    5 +-
 source3/modules/vfs_zfsacl.c                       |    6 +-
 .../script/tests/test_smbclient_machine_auth.sh    |    4 +
 source3/script/tests/test_smbclient_s3.sh          |    8 +-
 source3/selftest/tests.py                          |    5 +
 source3/smbd/conn.c                                |    4 +-
 source3/smbd/msdfs.c                               |   53 +++---
 source3/smbd/posix_acls.c                          |   30 +--
 source3/smbd/proto.h                               |    4 +
 source3/smbd/pysmbd.c                              |   34 +---
 source3/smbd/service.c                             |   60 +-----
 source3/smbd/uid.c                                 |  219 +++++++++++++-------
 source3/torture/vfstest.c                          |   32 ++-
 16 files changed, 271 insertions(+), 212 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/replace/replace.c b/lib/replace/replace.c
index f37d69f..8f1315a 100644
--- a/lib/replace/replace.c
+++ b/lib/replace/replace.c
@@ -405,7 +405,7 @@ int rep_mkstemp(char *template)
 	mktemp(template);
 	if (template[0] == 0)
 		return -1;
-	return open(p, O_CREAT|O_EXCL|O_RDWR, 0600);
+	return open(template, O_CREAT|O_EXCL|O_RDWR, 0600);
 }
 #endif
 
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index adca52f..8546bd2 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -963,6 +963,13 @@ sub provision($$$$$$)
 [ro-tmp]
 	path = $ro_shrdir
 	guest ok = yes
+[write-list-tmp]
+	path = $shrdir
+        read only = yes
+	write list = $unix_name
+[valid-users-tmp]
+	path = $shrdir
+	valid users = $unix_name
 [msdfs-share]
 	path = $msdfs_shrdir
 	msdfs root = yes
diff --git a/source3/include/vfs.h b/source3/include/vfs.h
index 2992c1d..2bce1b7 100644
--- a/source3/include/vfs.h
+++ b/source3/include/vfs.h
@@ -147,7 +147,12 @@
 /* Bump to version 30 - Samba 4.0.0 will ship with interface version 30 */
 /* Leave at 30 - not yet released. Added conn->cwd to save vfs_GetWd() calls. */
 /* Leave at 30 - not yet released. Changed sys_acl_blob_get_file interface to remove type */
-#define SMB_VFS_INTERFACE_VERSION 30
+/* Bump to version 31 - Samba 4.1.0 will ship with interface version 31 */
+/* Leave at 31 - not yet released. Make struct vuid_cache_entry in
+		connection_struct a pointer. */
+/* Leave at 31 - not yet released. Add share_access to vuid_cache_entry. */
+
+#define SMB_VFS_INTERFACE_VERSION 31
 
 /*
     All intercepted VFS operations must be declared as static functions inside module source
@@ -275,6 +280,7 @@ struct vuid_cache_entry {
 	struct auth_session_info *session_info;
 	uint64_t vuid; /* SMB2 compat */
 	bool read_only;
+	uint32_t share_access;
 };
 
 struct vuid_cache {
@@ -306,7 +312,7 @@ typedef struct connection_struct {
 	uint32_t cnum; /* an index passed over the wire */
 	struct share_params *params;
 	bool force_user;
-	struct vuid_cache vuid_cache;
+	struct vuid_cache *vuid_cache;
 	bool printer;
 	bool ipc;
 	bool read_only; /* Attributes for the current user of the share. */
diff --git a/source3/modules/vfs_readonly.c b/source3/modules/vfs_readonly.c
index 7919dbc..445f947 100644
--- a/source3/modules/vfs_readonly.c
+++ b/source3/modules/vfs_readonly.c
@@ -82,12 +82,13 @@ static int readonly_connect(vfs_handle_struct *handle,
 
       /* Wipe out the VUID cache. */
       for (i=0; i< VUID_CACHE_SIZE; i++) {
-        struct vuid_cache_entry *ent = &conn->vuid_cache.array[i];
+        struct vuid_cache_entry *ent = &conn->vuid_cache->array[i];
         ent->vuid = UID_FIELD_INVALID;
         TALLOC_FREE(ent->session_info);
         ent->read_only = false;
+        ent->share_access = 0;
       }
-      conn->vuid_cache.next_entry = 0;
+      conn->vuid_cache->next_entry = 0;
     }
 
     return 0;
diff --git a/source3/modules/vfs_zfsacl.c b/source3/modules/vfs_zfsacl.c
index b95baa5..6934ad6 100644
--- a/source3/modules/vfs_zfsacl.c
+++ b/source3/modules/vfs_zfsacl.c
@@ -201,13 +201,13 @@ static NTSTATUS zfsacl_fget_nt_acl(struct vfs_handle_struct *handle,
 	NTSTATUS status;
 
 	status = zfs_get_nt_acl_common(fsp->fsp_name->base_name,
-				       mem_ctx, security_info,
+				       security_info,
 				       &pacl);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
 
-	return smb_fget_nt_acl_nfs4(fsp, security_info, ppdesc, pacl);
+	return smb_fget_nt_acl_nfs4(fsp, security_info, mem_ctx, ppdesc, pacl);
 }
 
 static NTSTATUS zfsacl_get_nt_acl(struct vfs_handle_struct *handle,
@@ -306,7 +306,7 @@ static int zfsacl_fail__sys_acl_blob_get_file(vfs_handle_struct *handle, const c
 	return -1;
 }
 
-static int zfsacl_fail__skel_sys_acl_blob_get_fd(vfs_handle_struct *handle, files_struct *fsp, TALLOC_CTX *mem_ctx, char **blob_description, DATA_BLOB *blob)
+static int zfsacl_fail__sys_acl_blob_get_fd(vfs_handle_struct *handle, files_struct *fsp, TALLOC_CTX *mem_ctx, char **blob_description, DATA_BLOB *blob)
 {
 	return -1;
 }
diff --git a/source3/script/tests/test_smbclient_machine_auth.sh b/source3/script/tests/test_smbclient_machine_auth.sh
index f67256d..a890d48 100755
--- a/source3/script/tests/test_smbclient_machine_auth.sh
+++ b/source3/script/tests/test_smbclient_machine_auth.sh
@@ -19,3 +19,7 @@ incdir=`dirname $0`/../../../testprogs/blackbox
 . $incdir/subunit.sh
 
 testit "smbclient //$SERVER/tmp" $SMBCLIENT //$SERVER/tmp --machine-pass -I $SERVER_IP -p 139 -c quit $ADDARGS
+
+# Testing these here helps because we know the machine account isn't already this user/group
+testit "smbclient //$SERVER/forceuser" $SMBCLIENT //$SERVER/tmp --machine-pass -I $SERVER_IP -p 139 -c quit $ADDARGS
+testit "smbclient //$SERVER/forcegroup" $SMBCLIENT //$SERVER/tmp --machine-pass -I $SERVER_IP -p 139 -c quit $ADDARGS
diff --git a/source3/script/tests/test_smbclient_s3.sh b/source3/script/tests/test_smbclient_s3.sh
index fb518c5..b240da0 100755
--- a/source3/script/tests/test_smbclient_s3.sh
+++ b/source3/script/tests/test_smbclient_s3.sh
@@ -212,7 +212,7 @@ mkdir a_test_dir
 quit
 EOF
 
-    cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U% //$SERVER/ro-tmp -I $SERVER_IP $ADDARGS < $tmpfile 2>&1'
+    cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT -U% //$SERVER/$1" -I $SERVER_IP $ADDARGS < $tmpfile 2>&1'
     eval echo "$cmd"
     out=`eval $cmd`
     ret=$?
@@ -581,7 +581,11 @@ testit "creating a good symlink and deleting it by path" \
    failed=`expr $failed + 1`
 
 testit "writing into a read-only directory fails" \
-   test_read_only_dir || \
+   test_read_only_dir ro-tmp || \
+   failed=`expr $failed + 1`
+
+testit "writing into a read-only share fails" \
+   test_read_only_dir valid-users-tmp || \
    failed=`expr $failed + 1`
 
 testit "Reading a owner-only file fails" \
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 57a67ed..44efe18 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -333,6 +333,11 @@ for t in tests:
     elif t == "smb2.durable-open" or t == "smb2.durable-v2-open":
         plansmbtorture4testsuite(t, "s3dc", '//$SERVER_IP/durable -U$USERNAME%$PASSWORD')
         plansmbtorture4testsuite(t, "plugin_s4_dc", '//$SERVER_IP/durable -U$USERNAME%$PASSWORD')
+    elif t == "base.rw1":
+        plansmbtorture4testsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
+        plansmbtorture4testsuite(t, "s3dc", '//$SERVER_IP/valid-users-tmp -U$USERNAME%$PASSWORD')
+        plansmbtorture4testsuite(t, "s3dc", '//$SERVER_IP/write-list-tmp -U$USERNAME%$PASSWORD')
+        plansmbtorture4testsuite(t, "plugin_s4_dc", '//$SERVER/tmp -U$USERNAME%$PASSWORD')
     else:
         plansmbtorture4testsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
         plansmbtorture4testsuite(t, "plugin_s4_dc", '//$SERVER/tmp -U$USERNAME%$PASSWORD')
diff --git a/source3/smbd/conn.c b/source3/smbd/conn.c
index bc5a03b..8f472c0 100644
--- a/source3/smbd/conn.c
+++ b/source3/smbd/conn.c
@@ -63,6 +63,7 @@ connection_struct *conn_new(struct smbd_server_connection *sconn)
 
 	if (!(conn=talloc_zero(NULL, connection_struct)) ||
 	    !(conn->params = talloc(conn, struct share_params)) ||
+	    !(conn->vuid_cache = talloc_zero(conn, struct vuid_cache)) ||
 	    !(conn->connectpath = talloc_strdup(conn, "")) ||
 	    !(conn->origpath = talloc_strdup(conn, ""))) {
 		DEBUG(0,("TALLOC_ZERO() failed!\n"));
@@ -89,7 +90,7 @@ static void conn_clear_vuid_cache(connection_struct *conn, uint64_t vuid)
 	for (i=0; i<VUID_CACHE_SIZE; i++) {
 		struct vuid_cache_entry *ent;
 
-		ent = &conn->vuid_cache.array[i];
+		ent = &conn->vuid_cache->array[i];
 
 		if (ent->vuid == vuid) {
 			ent->vuid = UID_FIELD_INVALID;
@@ -117,6 +118,7 @@ static void conn_clear_vuid_cache(connection_struct *conn, uint64_t vuid)
 				TALLOC_FREE(ent->session_info);
 			}
 			ent->read_only = False;
+			ent->share_access = 0;
 		}
 	}
 }
diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c
index e8a0610..4bf7aba 100644
--- a/source3/smbd/msdfs.c
+++ b/source3/smbd/msdfs.c
@@ -234,12 +234,34 @@ NTSTATUS create_conn_struct(TALLOC_CTX *ctx,
 	connection_struct *conn;
 	char *connpath;
 	const char *vfs_user;
+	struct smbd_server_connection *sconn;
+	const char *servicename = lp_const_servicename(snum);
 
-	conn = talloc_zero(ctx, connection_struct);
+	sconn = talloc_zero(ctx, struct smbd_server_connection);
+	if (sconn == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	sconn->ev_ctx = ev;
+	sconn->msg_ctx = msg;
+	sconn->sock = -1;
+	sconn->smb1.echo_handler.trusted_fd = -1;
+	sconn->smb1.echo_handler.socket_lock_fd = -1;
+
+	conn = conn_new(sconn);
 	if (conn == NULL) {
+		TALLOC_FREE(sconn);
 		return NT_STATUS_NO_MEMORY;
 	}
 
+	/* Now we have conn, we need to make sconn a child of conn,
+	 * for a proper talloc tree */
+	talloc_steal(conn, sconn);
+
+	if (snum == -1 && servicename == NULL) {
+		servicename = "Unknown Service (snum == -1)";
+	}
+
 	connpath = talloc_strdup(conn, path);
 	if (!connpath) {
 		TALLOC_FREE(conn);
@@ -248,38 +270,17 @@ NTSTATUS create_conn_struct(TALLOC_CTX *ctx,
 	connpath = talloc_string_sub(conn,
 				     connpath,
 				     "%S",
-				     lp_servicename(talloc_tos(), snum));
+				     servicename);
 	if (!connpath) {
 		TALLOC_FREE(conn);
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	conn->sconn = talloc_zero(conn, struct smbd_server_connection);
-	if (conn->sconn == NULL) {
-		TALLOC_FREE(conn);
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	conn->sconn->ev_ctx = ev;
-	conn->sconn->msg_ctx = msg;
-	conn->sconn->sock = -1;
-	conn->sconn->smb1.echo_handler.trusted_fd = -1;
-	conn->sconn->smb1.echo_handler.socket_lock_fd = -1;
-
 	/* needed for smbd_vfs_init() */
 
-	if (!(conn->params = talloc_zero(conn, struct share_params))) {
-		DEBUG(0, ("TALLOC failed\n"));
-		TALLOC_FREE(conn);
-		return NT_STATUS_NO_MEMORY;
-	}
-
 	conn->params->service = snum;
 	conn->cnum = TID_FIELD_INVALID;
 
-	DLIST_ADD(conn->sconn->connections, conn);
-	conn->sconn->num_connections++;
-
 	if (session_info != NULL) {
 		conn->session_info = copy_session_info(conn, session_info);
 		if (conn->session_info == NULL) {
@@ -303,7 +304,7 @@ NTSTATUS create_conn_struct(TALLOC_CTX *ctx,
 	 */
 	if (conn->session_info) {
 		share_access_check(conn->session_info->security_token,
-				   lp_servicename(talloc_tos(), snum),
+				   servicename,
 				   MAXIMUM_ALLOWED_ACCESS,
 				   &conn->share_access);
 
@@ -313,7 +314,7 @@ NTSTATUS create_conn_struct(TALLOC_CTX *ctx,
 				DEBUG(0,("create_conn_struct: connection to %s "
 					 "denied due to security "
 					 "descriptor.\n",
-					 lp_servicename(talloc_tos(), snum)));
+					 servicename));
 				conn_free(conn);
 				return NT_STATUS_ACCESS_DENIED;
 			} else {
@@ -333,7 +334,7 @@ NTSTATUS create_conn_struct(TALLOC_CTX *ctx,
 	}
 
 	/* this must be the first filesystem operation that we do */
-	if (SMB_VFS_CONNECT(conn, lp_servicename(talloc_tos(), snum), vfs_user) < 0) {
+	if (SMB_VFS_CONNECT(conn, servicename, vfs_user) < 0) {
 		DEBUG(0,("VFS connect failed!\n"));
 		conn_free(conn);
 		return NT_STATUS_UNSUCCESSFUL;
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 0f3951f..fbeb662 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -4610,27 +4610,19 @@ NTSTATUS get_nt_acl_no_snum(TALLOC_CTX *ctx, const char *fname,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	conn = talloc_zero(frame, connection_struct);
-	if (conn == NULL) {
-		TALLOC_FREE(frame);
-		DEBUG(0, ("talloc failed\n"));
-		return NT_STATUS_NO_MEMORY;
-	}
+	status = create_conn_struct(ctx,
+				server_event_context(),
+				server_messaging_context(),
+				&conn,
+				-1,
+				"/",
+				NULL);
 
-	if (!(conn->params = talloc(conn, struct share_params))) {
-		DEBUG(0, ("talloc failed\n"));
-		TALLOC_FREE(frame);
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	conn->params->service = -1;
-
-	set_conn_connectpath(conn, "/");
-
-	if (!smbd_vfs_init(conn)) {
-		DEBUG(0,("smbd_vfs_init() failed!\n"));
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0,("create_conn_struct returned %s.\n",
+			nt_errstr(status)));
 		TALLOC_FREE(frame);
-		return NT_STATUS_INTERNAL_ERROR;
+		return status;
 	}
 
 	status = SMB_VFS_GET_NT_ACL(conn, fname, security_info_wanted, ctx, sd);
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index d7bfa65..7727302 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -1096,6 +1096,10 @@ void reply_transs2(struct smb_request *req);
 /* The following definitions come from smbd/uid.c  */
 
 bool change_to_guest(void);
+NTSTATUS check_user_share_access(connection_struct *conn,
+				const struct auth_session_info *session_info,
+				uint32_t *p_share_access,
+				bool *p_readonly_share);
 bool change_to_user(connection_struct *conn, uint64_t vuid);
 bool change_to_root_user(void);
 bool smbd_change_to_root_user(void);
diff --git a/source3/smbd/pysmbd.c b/source3/smbd/pysmbd.c
index 1bac9c2..873fead 100644
--- a/source3/smbd/pysmbd.c
+++ b/source3/smbd/pysmbd.c
@@ -46,6 +46,9 @@ static connection_struct *get_conn(TALLOC_CTX *mem_ctx, const char *service)
 {
 	connection_struct *conn;
 	TALLOC_CTX *frame = talloc_stackframe();
+	int snum = -1;
+	NTSTATUS status;
+
 	if (!posix_locking_init(false)) {
 		PyErr_NoMemory();
 		TALLOC_FREE(frame);
@@ -53,39 +56,22 @@ static connection_struct *get_conn(TALLOC_CTX *mem_ctx, const char *service)
 	}
 
 	if (service) {
-		NTSTATUS status;
-		int snum = lp_servicenumber(service);
+		snum = lp_servicenumber(service);
 		if (snum == -1) {
 			TALLOC_FREE(frame);
 			PyErr_SetString(PyExc_RuntimeError, "unknown service");
 			return NULL;
 		}
-		status = create_conn_struct(mem_ctx, NULL, NULL, &conn, snum, "/",
-					    NULL);
-		PyErr_NTSTATUS_IS_ERR_RAISE(status);
-	} else {
-		conn = talloc_zero(mem_ctx, connection_struct);
-		if (conn == NULL) {
-			DEBUG(0, ("talloc failed\n"));
-			TALLOC_FREE(frame);
-			PyErr_NoMemory();
-			return NULL;
-		}
-
-		if (!(conn->params = talloc(conn, struct share_params))) {
-			TALLOC_FREE(frame);
-			DEBUG(0,("get_conn: talloc() failed!\n"));
-			PyErr_NoMemory();
-			return NULL;
-		}
-		conn->params->service = -1;
+	}
 
-		set_conn_connectpath(conn, "/");
+	status = create_conn_struct(mem_ctx, NULL, NULL, &conn, snum, "/",
+					    NULL);
+	PyErr_NTSTATUS_IS_ERR_RAISE(status);
 
-		smbd_vfs_init(conn);
-	}
 	TALLOC_FREE(frame);
+	/* Ignore read-only and share restrictions */
 	conn->read_only = false;
+	conn->share_access = SEC_RIGHTS_FILE_ALL;
 	talloc_set_destructor(conn, conn_free_wrapper);
 	return conn;
 }
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index 2214ac0..4fe3809 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -512,40 +512,6 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum)
 }
 
 /****************************************************************************
-  Setup the share access mask for a connection.
-****************************************************************************/
-
-static void create_share_access_mask(connection_struct *conn, int snum)
-{
-	const struct security_token *token = conn->session_info->security_token;
-
-	share_access_check(token,
-			lp_servicename(talloc_tos(), snum),
-			MAXIMUM_ALLOWED_ACCESS,
-			&conn->share_access);
-
-	if (!CAN_WRITE(conn)) {
-		conn->share_access &=
-			~(SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA |
-			  SEC_FILE_WRITE_EA | SEC_FILE_WRITE_ATTRIBUTE |
-			  SEC_DIR_DELETE_CHILD );
-	}
-
-	if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
-		conn->share_access |= SEC_FLAG_SYSTEM_SECURITY;
-	}
-	if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
-		conn->share_access |= (SEC_RIGHTS_PRIV_RESTORE);
-	}
-	if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
-		conn->share_access |= (SEC_RIGHTS_PRIV_BACKUP);
-	}
-	if (security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
-		conn->share_access |= (SEC_STD_WRITE_OWNER);
-	}
-}
-
-/****************************************************************************
   Make a connection, given the snum to connect to, and the vuser of the
   connecting user if appropriate.
 ****************************************************************************/
@@ -648,27 +614,17 @@ static NTSTATUS make_connection_snum(struct smbd_server_connection *sconn,
 	}
 
 	/*
-	 * New code to check if there's a share security descripter
-	 * added from NT server manager. This is done after the
-	 * smb.conf checks are done as we need a uid and token. JRA.
-	 *
+	 * Set up the share security descriptor
 	 */
 
-	create_share_access_mask(conn, snum);
-
-	if ((conn->share_access & FILE_WRITE_DATA) == 0) {
-		if ((conn->share_access & FILE_READ_DATA) == 0) {
-			/* No access, read or write. */
-			DEBUG(0,("make_connection: connection to %s "
-				 "denied due to security "
-				 "descriptor.\n",
-				 lp_servicename(talloc_tos(), snum)));
-			status = NT_STATUS_ACCESS_DENIED;
-			goto err_root_exit;
-		} else {
-			conn->read_only = True;
-		}
+	status = check_user_share_access(conn,
+					conn->session_info,
+					&conn->share_access,
+					&conn->read_only);
+	if (!NT_STATUS_IS_OK(status)) {
+		goto err_root_exit;


-- 
Samba Shared Repository


More information about the samba-cvs mailing list