[SCM] Samba Shared Repository - branch v4-4-test updated
Karolin Seeger
kseeger at samba.org
Mon Apr 18 14:34:06 UTC 2016
The branch, v4-4-test has been updated
via eb96e15 vfs_catia: Fix bug 11827, memleak
via 6b66061 s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1.
via a6a4532 smbcquotas: print "NO LIMIT" only if returned quota value is 0.
via 811fbb2 vfs_acl_common: avoid setting POSIX ACLs if "ignore system acls" is set
via 26f5b40 winbind: Fix CID 1357100 Unchecked return value
via fb0c85b52 idmap_hash: only allow the hash module for default idmap config.
via dab38c3 idmap_hash: rename be_init() --> idmap_hash_initialize()
via 8bd67a1 s3:winbindd:idmap: check loadparm in domain_has_idmap_config() helper as well.
via 87fcc70 s3:winbindd:idmap_hash: skip domains that already have their own idmap configuration.
via 9d56304 s3:winbindd:idmap: add domain_has_idmap_config() helper function.
from e8918a1 VERSION: Bump version up to 4.4.3...
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-4-test
- Log -----------------------------------------------------------------
commit eb96e1519726df4b5d0d0182b4c78cb47805021b
Author: Volker Lendecke <vl at samba.org>
Date: Sun Apr 10 12:51:15 2016 +0200
vfs_catia: Fix bug 11827, memleak
add_srt should add the mappings to the linked list even if
mappings==NULL (the default)
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11827
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Mon Apr 11 14:25:59 CEST 2016 on sn-devel-144
(cherry picked from commit 3e2af1568d150de1cb12fef40580f4880ac787ff)
Autobuild-User(v4-4-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-4-test): Mon Apr 18 16:33:23 CEST 2016 on sn-devel-144
commit 6b66061732cf37ea41d2b8cde5666e54c68ad4f4
Author: Jeremy Allison <jra at samba.org>
Date: Tue Apr 5 13:07:06 2016 -0700
s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1.
Reported by Thomas Dvorachek <tdvorachek at yahoo.com> from a Windows 10 server.
Confirmed in MS-CIFS 2.2.8.1.7.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11822
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Apr 6 03:46:55 CEST 2016 on sn-devel-144
(cherry picked from commit f63b9a73b03971f41947c694e6952cd1e49b67c3)
commit a6a45324eb37cd50f3158b4763820c540397a4dc
Author: Uri Simchoni <uri at samba.org>
Date: Wed Mar 30 14:20:44 2016 +0300
smbcquotas: print "NO LIMIT" only if returned quota value is 0.
If the user being queried has no quota, the server returns 0 as
its quota. This is the observed smbd and Windows behavior, which
is also documented in [MS-FSA] 2.5.1.20.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11815
Signed-off-by: Uri Simchoni <uri at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 9d6d62010be2a54b6828cc4cc9c13b5657c8b4a0)
commit 811fbb2a7dfd4d589d148ab4a80f3de8cc949dd1
Author: Uri Simchoni <uri at samba.org>
Date: Mon Mar 21 23:04:24 2016 +0200
vfs_acl_common: avoid setting POSIX ACLs if "ignore system acls" is set
When "ignore system acls" is set, do not mess at all with POSIX ACLS,
do not even calculate the would-be POSIX-ACL-based security descriptor
(for performance reasons).
Instead, just store a V3 blob with zero hash. This means that if we
later read the ACL without ignoring system ACLs, the NT ACL shall be
reset to the info derivable from the POSIX ACL.
File ownership is still modified as it has bearing on disk quotas.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11806
Signed-off-by: Uri Simchoni <uri at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 765e5f1f2670d3d5d8d62a04b4ccf38a680bcb37)
commit 26f5b40d947a4351c944034f7093c5c92c512753
Author: Volker Lendecke <vl at samba.org>
Date: Tue Mar 22 11:24:23 2016 +0100
winbind: Fix CID 1357100 Unchecked return value
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Tue Mar 22 15:49:14 CET 2016 on sn-devel-144
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786
commit fb0c85b52ca27b9511ff41f108fabe030b828ba4
Author: Michael Adam <obnox at samba.org>
Date: Mon Mar 14 17:07:34 2016 +0100
idmap_hash: only allow the hash module for default idmap config.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786
This module only makes sense as the default idmap config
("idmap config * : backend = hash" ...)
Pair-Programmed-With: Guenther Deschner <gd at samba.org>
Signed-off-by: Michael Adam <obnox at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit dab38c3befa1fbf1f729788106517f839804790b
Author: Michael Adam <obnox at samba.org>
Date: Mon Mar 14 17:06:34 2016 +0100
idmap_hash: rename be_init() --> idmap_hash_initialize()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786
Pair-Programmed-With: Guenther Deschner <gd at samba.org>
Signed-off-by: Michael Adam <obnox at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 8bd67a1ef21ea7c431ded5d7544e8bc9e9f13477
Author: Günther Deschner <gd at samba.org>
Date: Thu Mar 10 12:21:52 2016 +0100
s3:winbindd:idmap: check loadparm in domain_has_idmap_config() helper as well.
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786
Pair-Programmed-With: Michael Adam <obnox at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 87fcc70eeac1ed875ca9c779d23f366b1120267b
Author: Günther Deschner <gd at samba.org>
Date: Thu Mar 10 10:39:15 2016 +0100
s3:winbindd:idmap_hash: skip domains that already have their own idmap configuration.
Check if the domain from the list is not already configured to use another idmap
backend. Not checking this makes the idmap_hash module map IDs for *all* domains
implicitly. This is quite dangeorous in multi-idmap-config setups.
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786
Pair-Programmed-With: Michael Adam <obnox at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 9d56304e32dab02e07e21066b69fa1b96b14cbfb
Author: Michael Adam <obnox at samba.org>
Date: Thu Mar 10 10:38:29 2016 +0100
s3:winbindd:idmap: add domain_has_idmap_config() helper function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786
Pair-Programmed-With: Guenther Deschner <gd at samba.org>
Signed-off-by: Michael Adam <obnox at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
-----------------------------------------------------------------------
Summary of changes:
source3/libsmb/clilist.c | 2 +-
source3/modules/vfs_acl_common.c | 147 +++++++++++++++++++++----------
source3/modules/vfs_catia.c | 6 +-
source3/utils/smbcquotas.c | 2 +-
source3/winbindd/idmap.c | 41 +++++++++
source3/winbindd/idmap_hash/idmap_hash.c | 32 +++++--
source3/winbindd/winbindd_proto.h | 1 +
7 files changed, 172 insertions(+), 59 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/libsmb/clilist.c b/source3/libsmb/clilist.c
index 94bbc57..6438d3b 100644
--- a/source3/libsmb/clilist.c
+++ b/source3/libsmb/clilist.c
@@ -186,7 +186,7 @@ static size_t interpret_long_filename(TALLOC_CTX *ctx,
namelen = IVAL(p,0);
p += 4;
p += 4; /* EA size */
- slen = SVAL(p, 0);
+ slen = CVAL(p, 0);
if (slen > 24) {
/* Bad short name length. */
return pdata_end - base;
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index f73e80c..76ac598 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -738,6 +738,81 @@ static NTSTATUS get_nt_acl_common(vfs_handle_struct *handle,
}
/*********************************************************************
+ Set the underlying ACL (e.g. POSIX ACLS, POSIX owner, etc)
+*********************************************************************/
+static NTSTATUS set_underlying_acl(vfs_handle_struct *handle, files_struct *fsp,
+ struct security_descriptor *psd,
+ uint32_t security_info_sent,
+ bool chown_needed)
+{
+ NTSTATUS status =
+ SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+ return status;
+ }
+
+ /* We got access denied here. If we're already root,
+ or we didn't need to do a chown, or the fsp isn't
+ open with WRITE_OWNER access, just return. */
+ if (get_current_uid(handle->conn) == 0 || chown_needed == false ||
+ !(fsp->access_mask & SEC_STD_WRITE_OWNER)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ DEBUG(10, ("fset_nt_acl_common: overriding chown on file %s "
+ "for sid %s\n",
+ fsp_str_dbg(fsp), sid_string_tos(psd->owner_sid)));
+
+ /* Ok, we failed to chown and we have
+ SEC_STD_WRITE_OWNER access - override. */
+ become_root();
+ status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
+ unbecome_root();
+
+ return status;
+}
+
+/*********************************************************************
+ Store a v3 security descriptor
+*********************************************************************/
+static NTSTATUS store_v3_blob(vfs_handle_struct *handle, files_struct *fsp,
+ struct security_descriptor *psd,
+ struct security_descriptor *pdesc_next,
+ uint8_t hash[XATTR_SD_HASH_SIZE])
+{
+ NTSTATUS status;
+ DATA_BLOB blob;
+
+ if (DEBUGLEVEL >= 10) {
+ DEBUG(10, ("fset_nt_acl_xattr: storing xattr sd for file %s\n",
+ fsp_str_dbg(fsp)));
+ NDR_PRINT_DEBUG(
+ security_descriptor,
+ discard_const_p(struct security_descriptor, psd));
+
+ if (pdesc_next != NULL) {
+ DEBUG(10, ("fset_nt_acl_xattr: storing has in xattr sd "
+ "based on \n"));
+ NDR_PRINT_DEBUG(
+ security_descriptor,
+ discard_const_p(struct security_descriptor,
+ pdesc_next));
+ } else {
+ DEBUG(10,
+ ("fset_nt_acl_xattr: ignoring underlying sd\n"));
+ }
+ }
+ status = create_acl_blob(psd, &blob, XATTR_SD_HASH_TYPE_SHA256, hash);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("fset_nt_acl_xattr: create_acl_blob failed\n"));
+ return status;
+ }
+
+ status = store_acl_blob_fsp(handle, fsp, &blob);
+ return status;
+}
+
+/*********************************************************************
Store a security descriptor given an fsp.
*********************************************************************/
@@ -754,6 +829,8 @@ static NTSTATUS fset_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp,
bool chown_needed = false;
char *sys_acl_description;
TALLOC_CTX *frame = talloc_stackframe();
+ bool ignore_file_system_acl = lp_parm_bool(
+ SNUM(handle->conn), ACL_MODULE_NAME, "ignore system acls", false);
if (DEBUGLEVEL >= 10) {
DEBUG(10,("fset_nt_acl_xattr: incoming sd for file %s\n",
@@ -809,38 +886,29 @@ static NTSTATUS fset_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp,
psd->type |= SEC_DESC_SACL_PRESENT;
}
- status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
- if (!NT_STATUS_IS_OK(status)) {
- if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
- TALLOC_FREE(frame);
- return status;
- }
- /* We got access denied here. If we're already root,
- or we didn't need to do a chown, or the fsp isn't
- open with WRITE_OWNER access, just return. */
- if (get_current_uid(handle->conn) == 0 ||
- chown_needed == false ||
- !(fsp->access_mask & SEC_STD_WRITE_OWNER)) {
- TALLOC_FREE(frame);
- return NT_STATUS_ACCESS_DENIED;
+ if (ignore_file_system_acl) {
+ if (chown_needed) {
+ /* send only ownership stuff to lower layer */
+ security_info_sent &= (SECINFO_OWNER | SECINFO_GROUP);
+ status = set_underlying_acl(handle, fsp, psd,
+ security_info_sent, true);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(frame);
+ return status;
+ }
}
+ ZERO_ARRAY(hash);
+ status = store_v3_blob(handle, fsp, psd, NULL, hash);
- DEBUG(10,("fset_nt_acl_common: overriding chown on file %s "
- "for sid %s\n",
- fsp_str_dbg(fsp),
- sid_string_tos(psd->owner_sid)
- ));
-
- /* Ok, we failed to chown and we have
- SEC_STD_WRITE_OWNER access - override. */
- become_root();
- status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp,
- security_info_sent, psd);
- unbecome_root();
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(frame);
- return status;
- }
+ TALLOC_FREE(frame);
+ return status;
+ }
+
+ status = set_underlying_acl(handle, fsp, psd, security_info_sent,
+ chown_needed);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(frame);
+ return status;
}
/* Get the full underlying sd, then hash. */
@@ -871,24 +939,7 @@ static NTSTATUS fset_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp,
/* If we fail to get the ACL blob (for some reason) then this
* is not fatal, we just work based on the NT ACL only */
if (ret != 0) {
- if (DEBUGLEVEL >= 10) {
- DEBUG(10,("fset_nt_acl_xattr: storing xattr sd for file %s\n",
- fsp_str_dbg(fsp)));
- NDR_PRINT_DEBUG(security_descriptor,
- discard_const_p(struct security_descriptor, psd));
-
- DEBUG(10,("fset_nt_acl_xattr: storing has in xattr sd based on \n"));
- NDR_PRINT_DEBUG(security_descriptor,
- discard_const_p(struct security_descriptor, pdesc_next));
- }
- status = create_acl_blob(psd, &blob, XATTR_SD_HASH_TYPE_SHA256, hash);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10, ("fset_nt_acl_xattr: create_acl_blob failed\n"));
- TALLOC_FREE(frame);
- return status;
- }
-
- status = store_acl_blob_fsp(handle, fsp, &blob);
+ status = store_v3_blob(handle, fsp, psd, pdesc_next, hash);
TALLOC_FREE(frame);
return status;
diff --git a/source3/modules/vfs_catia.c b/source3/modules/vfs_catia.c
index c17ffa8..e270c0b 100644
--- a/source3/modules/vfs_catia.c
+++ b/source3/modules/vfs_catia.c
@@ -141,6 +141,9 @@ static struct share_mapping_entry *add_srt(int snum, const char **mappings)
ret->snum = snum;
+ ret->next = srt_head;
+ srt_head = ret;
+
if (mappings) {
ret->mappings = (struct char_mappings**) ((unsigned char*) ret +
sizeof(struct share_mapping_entry));
@@ -176,9 +179,6 @@ static struct share_mapping_entry *add_srt(int snum, const char **mappings)
}
}
- ret->next = srt_head;
- srt_head = ret;
-
return ret;
}
diff --git a/source3/utils/smbcquotas.c b/source3/utils/smbcquotas.c
index 9e64319..e6f1dfb 100644
--- a/source3/utils/smbcquotas.c
+++ b/source3/utils/smbcquotas.c
@@ -236,7 +236,7 @@ static const char *quota_str_static(uint64_t val, bool special, bool _numeric)
{
const char *result;
- if (!_numeric&&special&&(val == SMB_NTQUOTAS_NO_LIMIT)) {
+ if (!_numeric && special && val == 0) {
return "NO LIMIT";
}
result = talloc_asprintf(talloc_tos(), "%"PRIu64, val);
diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c
index 4012e70..7eb7e58 100644
--- a/source3/winbindd/idmap.c
+++ b/source3/winbindd/idmap.c
@@ -120,6 +120,47 @@ static bool idmap_init(void)
return true;
}
+bool domain_has_idmap_config(const char *domname)
+{
+ int i;
+ char *config_option;
+ const char *range = NULL;
+ const char *backend = NULL;
+ bool ok;
+
+ ok = idmap_init();
+ if (!ok) {
+ return false;
+ }
+
+ for (i=0; i<num_domains; i++) {
+ if (strequal(idmap_domains[i]->name, domname)) {
+ return true;
+ }
+ }
+
+ /* fallback: also check loadparm */
+
+ config_option = talloc_asprintf(talloc_tos(), "idmap config %s",
+ domname);
+ if (config_option == NULL) {
+ DEBUG(0, ("out of memory\n"));
+ return false;
+ }
+
+ range = lp_parm_const_string(-1, config_option, "range", NULL);
+ backend = lp_parm_const_string(-1, config_option, "backend", NULL);
+ if (range != NULL && backend != NULL) {
+ DEBUG(5, ("idmap configuration specified for domain '%s'\n",
+ domname));
+ TALLOC_FREE(config_option);
+ return true;
+ }
+
+ TALLOC_FREE(config_option);
+ return false;
+}
+
static bool idmap_found_domain_backend(
const char *string, regmatch_t matches[], void *private_data)
{
diff --git a/source3/winbindd/idmap_hash/idmap_hash.c b/source3/winbindd/idmap_hash/idmap_hash.c
index 51bbf5b..0aba36c 100644
--- a/source3/winbindd/idmap_hash/idmap_hash.c
+++ b/source3/winbindd/idmap_hash/idmap_hash.c
@@ -104,7 +104,7 @@ static void separate_hashes(uint32_t id,
/*********************************************************************
********************************************************************/
-static NTSTATUS be_init(struct idmap_domain *dom)
+static NTSTATUS idmap_hash_initialize(struct idmap_domain *dom)
{
struct sid_hash_table *hashed_domains;
NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
@@ -112,6 +112,13 @@ static NTSTATUS be_init(struct idmap_domain *dom)
size_t num_domains = 0;
int i;
+ if (!strequal(dom->name, "*")) {
+ DBG_ERR("Error: idmap_hash configured for domain '%s'. "
+ "But the hash module can only be used for the default "
+ "idmap configuration.\n", dom->name);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
/* If the domain SID hash table has been initialized, assume
that we completed this function previously */
@@ -137,13 +144,26 @@ static NTSTATUS be_init(struct idmap_domain *dom)
if (is_null_sid(&dom_list[i].sid))
continue;
+
+ /*
+ * Check if the domain from the list is not already configured
+ * to use another idmap backend. Not checking this makes the
+ * idmap_hash module map IDs for *all* domains implicitly. This
+ * is quite dangerous in setups that use multiple idmap
+ * configurations.
+ */
+
+ if (domain_has_idmap_config(dom_list[i].domain_name)) {
+ continue;
+ }
+
if ((hash = hash_domain_sid(&dom_list[i].sid)) == 0)
continue;
- DEBUG(5,("hash:be_init() Adding %s (%s) -> %d\n",
+ DBG_INFO("Adding %s (%s) -> %d\n",
dom_list[i].domain_name,
sid_string_dbg(&dom_list[i].sid),
- hash));
+ hash);
hashed_domains[hash].sid = talloc(hashed_domains, struct dom_sid);
sid_copy(hashed_domains[hash].sid, &dom_list[i].sid);
@@ -176,7 +196,7 @@ static NTSTATUS unixids_to_sids(struct idmap_domain *dom,
ids[i]->status = ID_UNKNOWN;
}
- nt_status = be_init(dom);
+ nt_status = idmap_hash_initialize(dom);
BAIL_ON_NTSTATUS_ERROR(nt_status);
for (i=0; ids[i]; i++) {
@@ -226,7 +246,7 @@ static NTSTATUS sids_to_unixids(struct idmap_domain *dom,
ids[i]->status = ID_UNKNOWN;
}
- nt_status = be_init(dom);
+ nt_status = idmap_hash_initialize(dom);
BAIL_ON_NTSTATUS_ERROR(nt_status);
for (i=0; ids[i]; i++) {
@@ -347,7 +367,7 @@ static NTSTATUS nss_hash_close(void)
********************************************************************/
static struct idmap_methods hash_idmap_methods = {
- .init = be_init,
+ .init = idmap_hash_initialize,
.unixids_to_sids = unixids_to_sids,
.sids_to_unixids = sids_to_unixids,
};
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index 6e50718..89699f1 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -330,6 +330,7 @@ void init_idmap_child(void);
struct winbindd_child *idmap_child(void);
struct idmap_domain *idmap_find_domain_with_sid(const char *domname,
const struct dom_sid *sid);
+bool domain_has_idmap_config(const char *domname);
/* The following definitions come from winbindd/winbindd_locator.c */
--
Samba Shared Repository
More information about the samba-cvs
mailing list