[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Thu May 9 00:06:02 MDT 2013


The branch, master has been updated
       via  392b01f s4:torture fix a build break on AIX
       via  e0ca7c4 s3:modules/vfs_aixacl2 fix compile errors
       via  c1c9b99 Fix missing TALLOC_FREE of stackframes.
       via  fb1847f Tidy up old bool usage. False -> false, True -> true.
       via  00cb635 vfs: Allow CREATOR GROUP to be used with vfs_zfsacl
       via  6fa3f7d s4-smbtorture: Run tests for nfs4:modes simple and special.
       via  381812e s3: Update vfs_gpfs man page with new nfs4:mode help text.
       via  dae5f19 s3: Update README.nfs4acls.txt
       via  a9f75bd s3: Use mode bits in some cases in mode simple.
       via  ec138b2 s3: Add changes that keep nfs4:mode special behavior.
       via  877f833 s3: Mapping of cifs creator owner to nfs owner@ ace.
       via  83774a8 s3: Mapping of special entries to creator owner in mode simple.
       via  4a3bf4d s3: Add params parameter to smbacl4_nfs42win function.
       via  7978fe2 s3: Change smbacl4_get_vfs_params to use connection_struct instead of fsp.
       via  be0e269 s3: Move up declaration of params struct and related function.
       via  9018aa8 s4-smbtorture: Set result message when failing the inheritance test.
       via  97eb8f7 vfs: Add inheritance emulation to vfs_nfs4acl_xattr.
       via  fe8a1fc selftest: Run raw.acls test against the nfs4acl_xattr module
       via  7874a43 librpc: Add special owner/group/other constants to nfs4acl.idl
       via  a0d1685 build: Add vfs_nfs4acl to the autoconf build
       via  76969ab vfs: Add new VFS module vfs_nfs4acl_xattr to use nfs4acl.idl
       via  5d517f4 vfs: Remove unused security_info argument in vfz_zfsacl.c
       via  188d0f0 vfs: Fix compile of vfs_gpfs.c.
       via  a655687 vfs: Allocate SMB4ACL_T on an explicit memory context
       via  67bb7d9 vfs: Add vfs_handle_struct argument to smb_set_nt_acl_nfs4 and the callback
       via  d87b81f build: Move nfs4acl to the top level
      from  41f1c39 pidl:NDR/Parser: correctly set $ndr->[relative_highest_]offset for relative_short pointers

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 392b01f53c73e10c596a435040225766a188cda1
Author: Christian Ambach <ambi at samba.org>
Date:   Mon May 6 19:00:29 2013 +0200

    s4:torture fix a build break on AIX
    
    Signed-off-by: Christian Ambach <ambi at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Thu May  9 08:05:12 CEST 2013 on sn-devel-104

commit e0ca7c4cff49f39559531aafb892fdf95ddfc2ce
Author: Christian Ambach <ambi at samba.org>
Date:   Mon May 6 16:56:09 2013 +0000

    s3:modules/vfs_aixacl2 fix compile errors
    
    fix various compile errors that were introduced with latest ACL changes
    
    Signed-off-by: Christian Ambach <ambi at samba.org>
    Pair-Programmed-With: Alexander Werth <alexander.werth at de.ibm.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit c1c9b99054f28f9c10f79a2bbc95be9864270705
Author: Jeremy Allison <jra at samba.org>
Date:   Tue May 7 14:04:24 2013 -0700

    Fix missing TALLOC_FREE of stackframes.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit fb1847f41cf3d7ef45d8df9a61720305aea965d9
Author: Jeremy Allison <jra at samba.org>
Date:   Tue May 7 13:58:26 2013 -0700

    Tidy up old bool usage. False -> false, True -> true.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 00cb6354cfe007e4c0c25a508ce5008f9a69e5d2
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sun Apr 28 18:20:04 2013 +1000

    vfs: Allow CREATOR GROUP to be used with vfs_zfsacl
    
    The solaris acl() code requires that both ACE_GROUP|ACE_IDENTIFIER_GROUP be
    set to indicate the @group permissions.
    
    Otherwise, it would return Invalid Parameter to clients.
    
    Andrew Bartlett
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 6fa3f7d0f4f5de8b6ef85fa729e0a572b831a738
Author: Alexander Werth <alexander.werth at de.ibm.com>
Date:   Sun Apr 28 19:06:59 2013 +0200

    s4-smbtorture: Run tests for nfs4:modes simple and special.
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 381812e9f62a7cf66cdd9e08460890b149e4773e
Author: Alexander Werth <alexander.werth at de.ibm.com>
Date:   Fri May 3 05:46:25 2013 +0200

    s3: Update vfs_gpfs man page with new nfs4:mode help text.
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit dae5f1943e321f3ba9c8b25a0d49a7323eeae25d
Author: Alexander Werth <alexander.werth at de.ibm.com>
Date:   Thu May 2 17:45:23 2013 +0200

    s3: Update README.nfs4acls.txt
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit a9f75bd3b7e86090eb95ae3d9c3dce787befcfc1
Author: Alexander Werth <alexander.werth at de.ibm.com>
Date:   Thu May 2 16:53:35 2013 +0200

    s3: Use mode bits in some cases in mode simple.
    
    Non inheriting ACL entries will show mode bits.
    With this a file owner change does affect the effective ACL because
    the special owner acl will now refer to the new owner.
    This could be fixed by updating the ACL on a file owner change.
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit ec138b2f8218a9b13dac06c66d208bf27f0cb78b
Author: Alexander Werth <alexander.werth at de.ibm.com>
Date:   Thu May 2 16:50:55 2013 +0200

    s3: Add changes that keep nfs4:mode special behavior.
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 877f833af4a03116daa76e6317a0675b24be972c
Author: Alexander Werth <alexander.werth at de.ibm.com>
Date:   Thu May 10 14:19:41 2012 +0200

    s3: Mapping of cifs creator owner to nfs owner@ ace.
    
    This is ignored in nfs4mode special for compatibility.
    Also ensure that we drop non inheriting creator owner
    aces since these don't contribute to who can access
    a file.
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 83774a8bc23e59837181bc155d90b162008c6407
Author: Alexander Werth <alexander.werth at de.ibm.com>
Date:   Wed Apr 25 15:10:20 2012 +0200

    s3: Mapping of special entries to creator owner in mode simple.
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 4a3bf4dd9b0034d910d12642ddb52f99fda44628
Author: Alexander Werth <alexander.werth at de.ibm.com>
Date:   Thu Jul 26 17:29:12 2012 +0200

    s3: Add params parameter to smbacl4_nfs42win function.
    
    Reviewed-By: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 7978fe25846ef2d61dc694dcb96085fbda6d038f
Author: Alexander Werth <alexander.werth at de.ibm.com>
Date:   Thu Jul 26 17:11:03 2012 +0200

    s3: Change smbacl4_get_vfs_params to use connection_struct instead of fsp.
    
    Reviewed-By: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit be0e2692461831dada5f5a497189a81e409e88f0
Author: Alexander Werth <alexander.werth at de.ibm.com>
Date:   Mon Apr 15 16:08:46 2013 +0200

    s3: Move up declaration of params struct and related function.
    
        We need the parameters earlier in the code so we move up
        the declaration of the params struct. Since reading the
        parameters is closely related the definition of the function
        smbacl4_get_vfs_params has also been moved up.
    
    Reviewed-By: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 9018aa82c7c8cf02950bb03e9075d1243f65c6e0
Author: Alexander Werth <alexander.werth at de.ibm.com>
Date:   Thu Apr 18 14:12:34 2013 +0200

    s4-smbtorture: Set result message when failing the inheritance test.
    
    Reviewed-By: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 97eb8f73e5d106781344895d3bb02767b0ac5c94
Author: Alexander Werth <alexander.werth at de.ibm.com>
Date:   Tue Apr 16 14:11:27 2013 +0200

    vfs: Add inheritance emulation to vfs_nfs4acl_xattr.
    
    Recursively inherit ACL from parent directory if no acl xattr is
    found on the current file.
    Use a default ACL if a non-inheriting ACL is encountered.
    With this the nfs4acl_xattr.dynamic test passes.
    But the nfs4acl_xattr.inheritance test results in an error because
    of warnings that cause the test to pass a failed result.
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit fe8a1fcda792ee38faaadf1da2905b62302ce3e1
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sun Apr 14 20:04:45 2013 +1000

    selftest: Run raw.acls test against the nfs4acl_xattr module
    
    This is the first time we have tested the NFSv4 ACL mapping code.
    Sadly most tests fail but these can be fixed from here.
    
    This at least shows that the code does not segfault.
    
    Andrew Bartlett
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 7874a431541e10a1846fe3732568496b2b753de1
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sun Apr 14 19:51:42 2013 +1000

    librpc: Add special owner/group/other constants to nfs4acl.idl
    
    As per nfs4acl-0.9/lib/nfs4acl.c (the package where this structure is originally defined)
    
    Andrew Bartlett
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit a0d16850393f59fef4883fb5fa6c97ec4b2af2c2
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed May 8 18:30:30 2013 +1200

    build: Add vfs_nfs4acl to the autoconf build
    
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 76969abba0453b232274520182c0c2cdfab93428
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sun Apr 14 20:06:57 2013 +1000

    vfs: Add new VFS module vfs_nfs4acl_xattr to use nfs4acl.idl
    
    This uses the xattr format used by the patches at http://users.suse.com/~agruen/nfs4acl/
    
    Andrew Bartlett
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 5d517f41664920faa5863cbf36b5953ad4700ebd
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sun Apr 14 19:22:37 2013 +1000

    vfs: Remove unused security_info argument in vfz_zfsacl.c
    
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 188d0f097572955f643d926edf40e6841b874c1e
Author: Alexander Werth <alexander.werth at de.ibm.com>
Date:   Mon Apr 15 16:35:36 2013 +0200

    vfs: Fix compile of vfs_gpfs.c.
    
    Since the smb4acl is now correctly allocated on mem_ctx and not
    the talloc stack frame we can free the stack frame correctly.
    And the chmod emulation code now needs the vfs handle since
    that is now required by the callback function to set the smb4acl.
    
    Reviewed-By: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit a65568750be92439de26dd2ecb88c09468264fe7
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sun Apr 14 18:13:42 2013 +1000

    vfs: Allocate SMB4ACL_T on an explicit memory context
    
    This ensures the caller knows exactly what the memory lifetime of this
    returned object is.  This makes the NFSv4 ACL code consistent with the
    POSIX and NT ACL code, to avoid surprising developers who have worked
    on those other parts of the ACL code.
    
    Most of this patch is adding a memory context to the callers and passing it in.
    
    Andrew Bartlett
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 67bb7d93ba8fccd030bd8d01536f3222c85134b7
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sun Apr 14 17:31:42 2013 +1000

    vfs: Add vfs_handle_struct argument to smb_set_nt_acl_nfs4 and the callback
    
    This allows the callback to call xattr based storage functions that need this argument.
    
    Andrew Bartlett
    
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit d87b81fa303ee297685f4eb5599010901ed68145
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Apr 12 20:24:44 2013 +1000

    build: Move nfs4acl to the top level
    
    This is to create IDL-stored NFSv4 ACLs, just as we use for posix ACLs
    to permit better testing.
    
    Andrew Bartlett
    
    Reviewed-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/vfs_gpfs.8.xml           |   12 +-
 {source4/librpc => librpc}/idl/nfs4acl.idl |    4 +
 librpc/idl/wscript_build                   |    2 +-
 librpc/wscript_build                       |    5 +
 selftest/knownfail                         |   16 +
 selftest/target/Samba3.pm                  |   13 +
 source3/Makefile.in                        |    7 +
 source3/configure.in                       |    3 +-
 source3/modules/README.nfs4acls.txt        |   23 +-
 source3/modules/nfs4_acls.c                |  369 ++++++++++++----
 source3/modules/nfs4_acls.h                |    6 +-
 source3/modules/vfs_aixacl2.c              |   41 +-
 source3/modules/vfs_gpfs.c                 |   85 +++--
 source3/modules/vfs_nfs4acl_xattr.c        |  648 ++++++++++++++++++++++++++++
 source3/modules/vfs_zfsacl.c               |   43 ++-
 source3/modules/wscript_build              |    9 +
 source3/selftest/tests.py                  |    5 +
 source3/wscript                            |    2 +-
 source4/librpc/idl/wscript_build           |    2 +-
 source4/librpc/wscript_build               |    7 -
 source4/torture/raw/acls.c                 |    7 +
 source4/torture/smb2/delete-on-close.c     |    1 -
 22 files changed, 1133 insertions(+), 177 deletions(-)
 rename {source4/librpc => librpc}/idl/nfs4acl.idl (83%)
 create mode 100644 source3/modules/vfs_nfs4acl_xattr.c


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/vfs_gpfs.8.xml b/docs-xml/manpages/vfs_gpfs.8.xml
index 3ddf946..7f560ca 100644
--- a/docs-xml/manpages/vfs_gpfs.8.xml
+++ b/docs-xml/manpages/vfs_gpfs.8.xml
@@ -311,16 +311,16 @@
 		<term>nfs4:mode = [ simple | special ]</term>
 		<listitem>
 		<para>
-		Enable/Disable substitution of special IDs on GPFS. This parameter
-		should not affect the windows users in anyway. It only ensures that Samba
-		sets the special IDs - OWNER@ and GROUP@ ( mappings to simple uids )
-		that are relevant to GPFS.
+		Controls substitution of special IDs (OWNER@ and GROUP@) on GPFS.
+                The use of mode simple is recommended.
+                In this mode only non inheriting ACL entries for the file owner
+                and group are mapped to special IDs.
 		</para>
 
 		<para>The following MODEs are understood by the module:</para>
 		<itemizedlist>
-		<listitem><para><command>simple(default)</command> - do not use special IDs in GPFS ACEs</para></listitem>
-		<listitem><para><command>special</command> - use special IDs in GPFS ACEs. </para> </listitem>
+		<listitem><para><command>simple(default)</command> - use OWNER@ and GROUP@ special IDs for non inheriting ACEs only.</para></listitem>
+		<listitem><para><command>special(deprecated)</command> - use OWNER@ and GROUP@ special IDs in ACEs for all file owner and group ACEs.</para></listitem>
 		</itemizedlist>
 		</listitem>
 
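Review bot: The rewritten nfs4:mode paragraph recommends mode simple and marks special as deprecated, but it does not say what happens to inheriting OWNER@ and GROUP@ entries in mode simple or why special is deprecated; one sentence on each would let an administrator judge the effect on existing shares. The three added lines after "Controls substitution" are indented with spaces while the surrounding lines use tabs, and "(default)" and "(deprecated)" sit inside the <command> element, where they read as part of the value; consider moving them outside it.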
diff --git a/source4/librpc/idl/nfs4acl.idl b/librpc/idl/nfs4acl.idl
similarity index 83%
rename from source4/librpc/idl/nfs4acl.idl
rename to librpc/idl/nfs4acl.idl
index 3d4379a..aeab0a0 100644
--- a/source4/librpc/idl/nfs4acl.idl
+++ b/librpc/idl/nfs4acl.idl
@@ -15,6 +15,10 @@ interface nfs4acl
 {
 	const char *NFS4ACL_XATTR_NAME = "system.nfs4acl";
 
+	const char *NFS4ACL_XATTR_OWNER_WHO	 = "OWNER@";
+	const char *NFS4ACL_XATTR_GROUP_WHO	 = "GROUP@";
+	const char *NFS4ACL_XATTR_EVERYONE_WHO   = "EVERYONE@";
+
 	/* these structures use the same bit values and other constants as
 	   in security.idl */
 	typedef [flag(NDR_BIG_ENDIAN)] struct {
diff --git a/librpc/idl/wscript_build b/librpc/idl/wscript_build
index 2dbf1a3..854a2e2 100644
--- a/librpc/idl/wscript_build
+++ b/librpc/idl/wscript_build
@@ -32,6 +32,6 @@ bld.SAMBA_PIDL_LIST('PIDL',
                     output_dir='../gen_ndr')
 
 bld.SAMBA_PIDL_LIST('PIDL',
-                    'dnsp.idl',
+		    'dnsp.idl nfs4acl.idl',
                     options='--header --ndr-parser --client --python',
                     output_dir='../gen_ndr')
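Review bot: The added line 'dnsp.idl nfs4acl.idl', is indented with tabs while every other argument of this SAMBA_PIDL_LIST call is indented with spaces; please match the surrounding space indentation so the build script does not mix the two.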
diff --git a/librpc/wscript_build b/librpc/wscript_build
index 8a4c169..cc5d617 100644
--- a/librpc/wscript_build
+++ b/librpc/wscript_build
@@ -217,6 +217,11 @@ bld.SAMBA_SUBSYSTEM('NDR_DNSP',
     public_deps='ndr'
     )
 
+bld.SAMBA_SUBSYSTEM('NDR_NFS4ACL',
+    source='gen_ndr/ndr_nfs4acl.c',
+    public_deps='ndr NDR_SECURITY'
+    )
+
 bld.SAMBA_SUBSYSTEM('NDR_NTPRINTING',
     source='gen_ndr/ndr_ntprinting.c ndr/ndr_ntprinting.c',
     public_deps='ndr'
diff --git a/selftest/knownfail b/selftest/knownfail
index cb7630f..a7f347e 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -45,6 +45,22 @@
 ^samba3.blackbox.smbclient_machine_auth.plain \(s3dc:local\)# the S3dc does not currently set up a self-join
 ^samba3.raw.samba3hide.samba3hide\((s3dc|plugin_s4_dc)\) # This test fails against an smbd environment with NT ACLs enabled
 ^samba3.raw.samba3closeerr.samba3closeerr\(s3dc\) # This test fails against an smbd environment with NT ACLs enabled
+^samba3.raw.acls nfs4acl_xattr-simple.INHERITFLAGS\(s3dc\) # This (and the follow nfs4acl_xattr tests fail because our NFSv4 backend isn't a complete mapping yet.
+^samba3.raw.acls nfs4acl_xattr-simple.sd\(s3dc\)
+^samba3.raw.acls nfs4acl_xattr-simple.create_file\(s3dc\)
+^samba3.raw.acls nfs4acl_xattr-simple.create_dir\(s3dc\)
+^samba3.raw.acls nfs4acl_xattr-simple.nulldacl\(s3dc\)
+^samba3.raw.acls nfs4acl_xattr-simple.generic\(s3dc\)
+^samba3.raw.acls nfs4acl_xattr-simple.inheritance\(s3dc\)
+^samba3.raw.acls nfs4acl_xattr-special.INHERITFLAGS\(s3dc\)
+^samba3.raw.acls nfs4acl_xattr-special.sd\(s3dc\)
+^samba3.raw.acls nfs4acl_xattr-special.create_file\(s3dc\)
+^samba3.raw.acls nfs4acl_xattr-special.create_dir\(s3dc\)
+^samba3.raw.acls nfs4acl_xattr-special.nulldacl\(s3dc\)
+^samba3.raw.acls nfs4acl_xattr-special.generic\(s3dc\)
+^samba3.raw.acls nfs4acl_xattr-special.inheritance\(s3dc\)
+^samba3.raw.acls nfs4acl_xattr-special.inherit_creator_owner\(s3dc\)
+^samba3.raw.acls nfs4acl_xattr-special.inherit_creator_group\(s3dc\)
 ^samba3.base.delete.deltest16a
 ^samba3.base.delete.deltest17a
 ^samba3.unix.whoami anonymous connection.whoami\(plugin_s4_dc\) # We need to resolve if we should be including SID_NT_WORLD and SID_NT_NETWORK in this token
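Review bot: The comment on the first added entry, "# This (and the follow nfs4acl_xattr tests fail because our NFSv4 backend isn't a complete mapping yet.", has an unclosed parenthesis and "follow" for "following", and it is the only explanation for all 16 new entries. Since these are known failures in ACL mapping code, a short comment line ahead of each of the simple and special groups would make it easier to see later which entries can be removed as the mapping is completed.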
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 1b14f1c..f907386 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1081,6 +1081,19 @@ sub provision($$$$$$)
 	default devmode = no
 [lp]
 	copy = print1
+
+[nfs4acl_simple]
+	path = $shrdir
+	comment = smb username is [%U]
+	nfs4:mode = simple
+	vfs objects = $vfs_modulesdir_abs/nfs4acl_xattr.so $vfs_modulesdir_abs/xattr_tdb.so
+
+[nfs4acl_special]
+	path = $shrdir
+	comment = smb username is [%U]
+	nfs4:mode = special
+	vfs objects = $vfs_modulesdir_abs/nfs4acl_xattr.so $vfs_modulesdir_abs/xattr_tdb.so
+
 [xcopy_share]
 	path = $shrdir
 	comment = smb username is [%U]
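Review bot: [nfs4acl_simple] and [nfs4acl_special] both set path = $shrdir, the same directory the neighbouring shares use, so files and stored ACL xattrs left behind by a test in one nfs4:mode can be seen by tests running in the other. Giving each of the two shares its own subdirectory would keep the results for simple and special independent of each other and of test ordering.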
diff --git a/source3/Makefile.in b/source3/Makefile.in
index f4977ca..d55a9cd 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -348,6 +348,8 @@ LIBNDR_PREG_OBJ = autoconf/librpc/gen_ndr/ndr_preg.o \
 LIBNDR_XATTR_OBJ = autoconf/librpc/gen_ndr/ndr_xattr.o \
 		   ../librpc/ndr/ndr_xattr.o
 
+LIBNDR_NFS4ACL_OBJ = autoconf/librpc/gen_ndr/ndr_nfs4acl.o
+
 LIBCLI_SPOOLSS_OBJ = autoconf/librpc/gen_ndr/ndr_spoolss_c.o \
 		     rpc_client/cli_spoolss.o \
 		     rpc_client/init_spoolss.o \
@@ -883,6 +885,7 @@ VFS_AIXACL_OBJ = modules/vfs_aixacl.o modules/vfs_aixacl_util.o
 VFS_AIXACL2_OBJ = modules/vfs_aixacl2.o modules/vfs_aixacl_util.o $(NFS4ACL_OBJ)
 VFS_SOLARISACL_OBJ = modules/vfs_solarisacl.o
 VFS_ZFSACL_OBJ = modules/vfs_zfsacl.o $(NFS4ACL_OBJ)
+VFS_NFS4ACL_XATTR_OBJ = modules/vfs_nfs4acl_xattr.o $(LIBNDR_NFS4ACL_OBJ) $(NFS4ACL_OBJ)
 VFS_HPUXACL_OBJ = modules/vfs_hpuxacl.o
 VFS_TRU64ACL_OBJ = modules/vfs_tru64acl.o
 VFS_CATIA_OBJ = modules/vfs_catia.o
@@ -2838,6 +2841,10 @@ bin/zfsacl. at SHLIBEXT@: $(BINARY_PREREQS) $(VFS_ZFSACL_OBJ)
 	@echo "Building plugin $@"
 	@$(SHLD_MODULE) $(VFS_ZFSACL_OBJ) @ZFSACL_LIBS@
 
+bin/nfs4acl_xattr. at SHLIBEXT@: $(BINARY_PREREQS) $(VFS_NFS4ACL_XATTR_OBJ)
+	@echo "Building plugin $@"
+	@$(SHLD_MODULE) $(VFS_NFS4ACL_XATTR_OBJ)
+
 bin/hpuxacl. at SHLIBEXT@: $(BINARY_PREREQS) $(VFS_HPUXACL_OBJ)
 	@echo "Building plugin $@"
 	@$(SHLD_MODULE) $(VFS_HPUXACL_OBJ)
diff --git a/source3/configure.in b/source3/configure.in
index d2aa215..8fef7b1 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -474,7 +474,7 @@ if test "x$developer" = xyes; then
 fi
 
 if test x"$selftest" = x"yes" -o "x$developer" = xyes; then
-   default_shared_modules="$default_shared_modules vfs_fake_acls"
+   default_shared_modules="$default_shared_modules vfs_fake_acls vfs_nfs4acl_xattr"
 fi
 
 #
@@ -6451,6 +6451,7 @@ SMB_MODULE(vfs_shadow_copy, \$(VFS_SHADOW_COPY_OBJ), "bin/shadow_copy.$SHLIBEXT"
 SMB_MODULE(vfs_shadow_copy2, \$(VFS_SHADOW_COPY2_OBJ), "bin/shadow_copy2.$SHLIBEXT", VFS)
 SMB_MODULE(vfs_afsacl, \$(VFS_AFSACL_OBJ), "bin/afsacl.$SHLIBEXT", VFS)
 SMB_MODULE(vfs_xattr_tdb, \$(VFS_XATTR_TDB_OBJ), "bin/xattr_tdb.$SHLIBEXT", VFS)
+SMB_MODULE(vfs_nfs4acl_xattr, \$(VFS_XATTR_TDB_OBJ), "bin/nfs4acl_xattr.$SHLIBEXT", VFS)
 SMB_MODULE(vfs_posixacl, \$(VFS_POSIXACL_OBJ), "bin/posixacl.$SHLIBEXT", VFS)
 SMB_MODULE(vfs_aixacl, \$(VFS_AIXACL_OBJ), "bin/aixacl.$SHLIBEXT", VFS)
 SMB_MODULE(vfs_aixacl2, \$(VFS_AIXACL2_OBJ), "bin/aixacl2.$SHLIBEXT", VFS)
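Review bot: The added SMB_MODULE(vfs_nfs4acl_xattr, ...) line passes \$(VFS_XATTR_TDB_OBJ) as the object list, which looks like a copy of the vfs_xattr_tdb line above it. The Makefile.in change in this same push defines VFS_NFS4ACL_XATTR_OBJ for this module and uses it in the bin/nfs4acl_xattr rule, so this argument should be \$(VFS_NFS4ACL_XATTR_OBJ); as written, a build that takes the object list from the SMB_MODULE entry would pull in the xattr_tdb objects instead of the nfs4acl_xattr ones.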
diff --git a/source3/modules/README.nfs4acls.txt b/source3/modules/README.nfs4acls.txt
index 1cb0887..3594aaf 100644
--- a/source3/modules/README.nfs4acls.txt
+++ b/source3/modules/README.nfs4acls.txt
@@ -1,7 +1,7 @@
 Configuring NFS4 ACLs in Samba3
 ===============================
 Created: Peter Somogyi, 2006-JUN-06
-Last modified: Peter Somogyi, 2006-JUL-20
+Last modified: Alexander Werth, 2013-MAY-02
 Revision no.: 4 
 -------------------------------
 
@@ -13,13 +13,20 @@ Each parameter must have a prefix "nfs4:".
 Each one affects the behaviour only when _setting_ an acl on a file/dir:
 
 mode = [simple|special]
-- simple: don't use OWNER@ and GROUP@ special IDs in ACEs. - default
-- special: use OWNER@ and GROUP@ special IDs in ACEs instead of simple user&group ids.
-Note: EVERYONE@ is always processed (if found such an ACE).
-Note2: special mode will have side effect when _only_ chown is performed. Later this may be worked out.
-
-Use "simple" mode when the share is used mainly by windows users and unix side is not significant. You will loose unix bits in this case.
-It's strongly advised setting "store dos attributes = yes" in smb.conf.
+- simple: Use OWNER@ and GROUP@ special IDs for non inheriting ACEs only.
+  This mode is the default.
+- special: use OWNER@ and GROUP@ special IDs in ACEs instead of simple
+  user&group ids. This mode is deprecated.
+
+Note1: EVERYONE@ is always processed (if found such an ACE).
+Note2: There is a side effect when _only_ chown is performed.
+       Later this may be worked out.
+Note3: Mode special inherits incorrect ACL entries when the user creating
+       a file is different from the owner of the caurrent folder.
+Note4: Mode simple uses inheriting OWNER@ and GROUP@ special IDs to
+       support Creator Owner and Creator Group.
+
+It's strongly advised to set "store dos attributes = yes" in smb.conf.
 
 chown = [true|false]
 - true => enable changing owner and group - default.
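Review bot: The unchanged sentence above the list still says each parameter "affects the behaviour only when _setting_ an acl", but the nfs4_acls.c change in this push passes the params into smbacl4_nfs42win and tests params->mode while building the Windows ACL, so mode now also changes what clients read back; the README should say so. Note2 has lost the "special mode" qualifier and no longer states which mode the chown side effect applies to, and Note3 has a typo, "caurrent" for "current".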
diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
index 67db6b0..ceae6d9 100644
--- a/source3/modules/nfs4_acls.c
+++ b/source3/modules/nfs4_acls.c
@@ -54,6 +54,55 @@ typedef struct _SMB_ACL4_INT_T
 	SMB_ACE4_INT_T	*last;
 } SMB_ACL4_INT_T;
 
+enum smbacl4_mode_enum {e_simple=0, e_special=1};
+enum smbacl4_acedup_enum {e_dontcare=0, e_reject=1, e_ignore=2, e_merge=3};
+
+typedef struct _smbacl4_vfs_params {
+	enum smbacl4_mode_enum mode;
+	bool do_chown;
+	enum smbacl4_acedup_enum acedup;
+} smbacl4_vfs_params;
+
+/*
+ * Gather special parameters for NFS4 ACL handling
+ */
+static int smbacl4_get_vfs_params(
+	const char *type_name,
+	struct connection_struct *conn,
+	smbacl4_vfs_params *params
+)
+{
+	static const struct enum_list enum_smbacl4_modes[] = {
+		{ e_simple, "simple" },
+		{ e_special, "special" },
+		{ -1 , NULL }
+	};
+	static const struct enum_list enum_smbacl4_acedups[] = {
+		{ e_dontcare, "dontcare" },
+		{ e_reject, "reject" },
+		{ e_ignore, "ignore" },
+		{ e_merge, "merge" },
+		{ -1 , NULL }
+	};
+
+	memset(params, 0, sizeof(smbacl4_vfs_params));
+	params->mode = (enum smbacl4_mode_enum)lp_parm_enum(
+		SNUM(conn), type_name,
+		"mode", enum_smbacl4_modes, e_simple);
+	params->do_chown = lp_parm_bool(SNUM(conn), type_name,
+		"chown", true);
+	params->acedup = (enum smbacl4_acedup_enum)lp_parm_enum(
+		SNUM(conn), type_name,
+		"acedup", enum_smbacl4_acedups, e_dontcare);
+
+	DEBUG(10, ("mode:%s, do_chown:%s, acedup: %s\n",
+		enum_smbacl4_modes[params->mode].name,
+		params->do_chown ? "true" : "false",
+		enum_smbacl4_acedups[params->acedup].name));
+
+	return 0;
+}
+
 /************************************************
  Split the ACE flag mapping between nfs4 and Windows
  into two separate functions rather than trying to do
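Review bot: The DEBUG call in smbacl4_get_vfs_params indexes the tables directly with the parsed values, enum_smbacl4_modes[params->mode].name and enum_smbacl4_acedups[params->acedup].name, which is only correct while every enum value equals its position in the table and stays in range. A small lookup by value, or a bounds check before the DEBUG, would keep a later enum change from turning a log statement into an out-of-bounds read. The function also has a single exit, return 0, so the int return type carries no information; consider void, or return a real error where one can occur.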
@@ -142,9 +191,8 @@ static SMB_ACE4_INT_T *get_validated_aceint(SMB4ACE_T *ace)
 	return aceint;
 }
 
-SMB4ACL_T *smb_create_smb4acl(void)
+SMB4ACL_T *smb_create_smb4acl(TALLOC_CTX *mem_ctx)
 {
-	TALLOC_CTX *mem_ctx = talloc_tos();
 	SMB_ACL4_INT_T	*theacl = (SMB_ACL4_INT_T *)TALLOC_ZERO_SIZE(
 		mem_ctx, sizeof(SMB_ACL4_INT_T));
 	if (theacl==NULL)
@@ -259,7 +307,9 @@ static int smbacl4_fGetFileOwner(files_struct *fsp, SMB_STRUCT_STAT *psbuf)
 	return 0;
 }
 
-static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, SMB4ACL_T *theacl, /* in */
+static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx,
+	smbacl4_vfs_params *params,
+	SMB4ACL_T *theacl, /* in */
 	struct dom_sid *psid_owner, /* in */
 	struct dom_sid *psid_group, /* in */
 	bool is_directory, /* in */
@@ -276,15 +326,16 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, SMB4ACL_T *theacl, /* in */
 
 	aclint = get_validated_aclint(theacl);
 	/* We do not check for naces being 0 or theacl being NULL here
-	 * because it is done upstream */
-	/* in smb_get_nt_acl_nfs4(). */
+	   because it is done upstream in smb_get_nt_acl_nfs4().
+	   We reserve twice the number of input aces because one nfs4
+	   ace might result in 2 nt aces.*/
 	nt_ace_list = (struct security_ace *)TALLOC_ZERO_SIZE(
-		mem_ctx, aclint->naces * sizeof(struct security_ace));
+		mem_ctx, 2 * aclint->naces * sizeof(struct security_ace));
 	if (nt_ace_list==NULL)
 	{
 		DEBUG(10, ("talloc error"));
 		errno = ENOMEM;
-		return False;
+		return false;
 	}
 
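Review bot: The new allocation size, 2 * aclint->naces * sizeof(struct security_ace), is computed without an overflow check, and naces comes from the ACL being converted. Using talloc_zero_array(mem_ctx, struct security_ace, ...) for the array, with an explicit guard on the doubling of naces, would make the size computation safe; the rewritten comment explains the factor of two well. The context line DEBUG(10, ("talloc error")) is also missing its trailing newline.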
 	for (aceint=aclint->first;
@@ -357,39 +408,97 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, SMB4ACL_T *theacl, /* in */
 		if(ace->aceType == SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE) {
 			mask = ace->aceMask | SMB_ACE4_SYNCHRONIZE;
 		}
-		init_sec_ace(&nt_ace_list[good_aces++], &sid,
-			ace->aceType, mask,
-			win_ace_flags);
+
+		/* Mapping of owner@ and group@ to creator owner and
+		   creator group. Keep old behavior in mode special. */
+		if (params->mode != e_special &&
+		    ace->flags & SMB_ACE4_ID_SPECIAL &&
+		    (ace->who.special_id == SMB_ACE4_WHO_OWNER ||
+		     ace->who.special_id == SMB_ACE4_WHO_GROUP)) {
+			DEBUG(10, ("Map special entry\n"));
+			if (!(win_ace_flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
+				DEBUG(10, ("Map current sid\n"));
+				uint32_t win_ace_flags_current;
+				win_ace_flags_current = win_ace_flags &
+					~(SEC_ACE_FLAG_OBJECT_INHERIT |
+					  SEC_ACE_FLAG_CONTAINER_INHERIT);
+				init_sec_ace(&nt_ace_list[good_aces++], &sid,
+					     ace->aceType, mask,
+					     win_ace_flags_current);
+			}
+			if (ace->who.special_id == SMB_ACE4_WHO_OWNER &&
+			    win_ace_flags & (SEC_ACE_FLAG_OBJECT_INHERIT |
+					     SEC_ACE_FLAG_CONTAINER_INHERIT)) {
+				uint32_t win_ace_flags_creator;
+				DEBUG(10, ("Map creator owner\n"));
+				win_ace_flags_creator = win_ace_flags |
+					SMB_ACE4_INHERIT_ONLY_ACE;
+				init_sec_ace(&nt_ace_list[good_aces++],
+					     &global_sid_Creator_Owner,
+					     ace->aceType, mask,
+					     win_ace_flags_creator);
+			}
+			if (ace->who.special_id == SMB_ACE4_WHO_GROUP &&
+			    win_ace_flags & (SEC_ACE_FLAG_OBJECT_INHERIT |
+					     SEC_ACE_FLAG_CONTAINER_INHERIT)) {
+				uint32_t win_ace_flags_creator;
+				DEBUG(10, ("Map creator owner group\n"));
+				win_ace_flags_creator = win_ace_flags |
+					SMB_ACE4_INHERIT_ONLY_ACE;
+				init_sec_ace(&nt_ace_list[good_aces++],
+					     &global_sid_Creator_Group,
+					     ace->aceType, mask,
+					     win_ace_flags_creator);
+			}
+		} else {
+			DEBUG(10, ("Map normal sid\n"));
+			init_sec_ace(&nt_ace_list[good_aces++], &sid,
+				     ace->aceType, mask,
+				     win_ace_flags);
+		}
+	}
+
+	nt_ace_list = (struct security_ace *)TALLOC_REALLOC(mem_ctx,
+					nt_ace_list,
+					good_aces * sizeof(struct security_ace));
+	if (nt_ace_list == NULL) {
+		errno = ENOMEM;
+		return false;
 	}
 
 	*ppnt_ace_list = nt_ace_list;
 	*pgood_aces = good_aces;
 
-	return True;
+	return true;
 }
 
 static NTSTATUS smb_get_nt_acl_nfs4_common(const SMB_STRUCT_STAT *sbuf,
-					   uint32 security_info, TALLOC_CTX *mem_ctx,
-	struct security_descriptor **ppdesc, SMB4ACL_T *theacl)
+					   smbacl4_vfs_params *params,
+					   uint32 security_info,
+					   TALLOC_CTX *mem_ctx,
+					   struct security_descriptor **ppdesc,
+					   SMB4ACL_T *theacl)
 {
-	int	good_aces = 0;
+	int good_aces = 0;
 	struct dom_sid sid_owner, sid_group;
 	size_t sd_size = 0;
 	struct security_ace *nt_ace_list = NULL;
 	struct security_acl *psa = NULL;
 	TALLOC_CTX *frame = talloc_stackframe();
 
-	if (theacl==NULL || smb_get_naces(theacl)==0)
+	if (theacl==NULL || smb_get_naces(theacl)==0) {
+		TALLOC_FREE(frame);
 		return NT_STATUS_ACCESS_DENIED; /* special because we
 						 * shouldn't alloc 0 for
 						 * win */
+	}
 
 	uid_to_sid(&sid_owner, sbuf->st_ex_uid);
 	gid_to_sid(&sid_group, sbuf->st_ex_gid);
 
-	if (smbacl4_nfs42win(mem_ctx, theacl, &sid_owner, &sid_group,
+	if (smbacl4_nfs42win(mem_ctx, params, theacl, &sid_owner, &sid_group,
 			     S_ISDIR(sbuf->st_ex_mode),
-				&nt_ace_list, &good_aces)==False) {
+				&nt_ace_list, &good_aces)==false) {
 		DEBUG(8,("smbacl4_nfs42win failed\n"));
 		TALLOC_FREE(frame);
 		return map_nt_error_from_unix(errno);
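Review bot: In the two creator branches the Windows flag word is built with an NFSv4 constant, win_ace_flags | SMB_ACE4_INHERIT_ONLY_ACE, while the test a few lines above uses SEC_ACE_FLAG_INHERIT_ONLY on the same variable; please use the SEC_ACE_FLAG_ constant in both places so the result does not depend on the two namespaces sharing bit values. The new TALLOC_REALLOC to good_aces * sizeof(struct security_ace) also needs a look for good_aces == 0: a special OWNER@ or GROUP@ entry that is inherit-only and carries neither inherit flag emits no ACE in this block, and a zero-size realloc can return NULL, which this code reports as ENOMEM; assigning the result straight back to nt_ace_list additionally loses the original pointer on failure. Minor: in the "Map current sid" branch the declaration of win_ace_flags_current follows the DEBUG statement, unlike the other two branches, which declare first. The added TALLOC_FREE(frame) on the early NT_STATUS_ACCESS_DENIED return is a good catch.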
@@ -429,6 +538,7 @@ NTSTATUS smb_fget_nt_acl_nfs4(files_struct *fsp,
 			      SMB4ACL_T *theacl)
 {
 	SMB_STRUCT_STAT sbuf;
+	smbacl4_vfs_params params;
 
 	DEBUG(10, ("smb_fget_nt_acl_nfs4 invoked for %s\n", fsp_str_dbg(fsp)));
 
@@ -436,9 +546,13 @@ NTSTATUS smb_fget_nt_acl_nfs4(files_struct *fsp,
 		return map_nt_error_from_unix(errno);
 	}
 
-	return smb_get_nt_acl_nfs4_common(&sbuf, security_info,
-					  mem_ctx, ppdesc,
-					  theacl);
+	/* Special behaviours */
+	if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, fsp->conn, &params)) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	return smb_get_nt_acl_nfs4_common(&sbuf, &params, security_info,
+					  mem_ctx, ppdesc, theacl);
 }
 
 NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn,
@@ -449,6 +563,7 @@ NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn,
 			     SMB4ACL_T *theacl)
 {
 	SMB_STRUCT_STAT sbuf;
+	smbacl4_vfs_params params;
 
 	DEBUG(10, ("smb_get_nt_acl_nfs4 invoked for %s\n", name));
 
@@ -456,58 +571,13 @@ NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn,
 		return map_nt_error_from_unix(errno);
 	}
 
-	return smb_get_nt_acl_nfs4_common(&sbuf, security_info,
-					  mem_ctx, ppdesc,
-					  theacl);
-}
-
-enum smbacl4_mode_enum {e_simple=0, e_special=1};
-enum smbacl4_acedup_enum {e_dontcare=0, e_reject=1, e_ignore=2, e_merge=3};
-
-typedef struct _smbacl4_vfs_params {
-	enum smbacl4_mode_enum mode;
-	bool do_chown;
-	enum smbacl4_acedup_enum acedup;
-} smbacl4_vfs_params;
-
-/*
- * Gather special parameters for NFS4 ACL handling
- */
-static int smbacl4_get_vfs_params(
-	const char *type_name,
-	files_struct *fsp,
-	smbacl4_vfs_params *params
-)
-{
-	static const struct enum_list enum_smbacl4_modes[] = {
-		{ e_simple, "simple" },
-		{ e_special, "special" },
-		{ -1 , NULL }
-	};
-	static const struct enum_list enum_smbacl4_acedups[] = {
-		{ e_dontcare, "dontcare" },
-		{ e_reject, "reject" },
-		{ e_ignore, "ignore" },
-		{ e_merge, "merge" },
-		{ -1 , NULL }


-- 
Samba Shared Repository

