[SCM] Samba Shared Repository - branch master updated

Ralph Böhme slow at samba.org
Tue Jul 19 08:23:04 UTC 2016


The branch, master has been updated
       via  961c4b5 vfs_acl_xattr: objects without NT ACL xattr
       via  afc2417 s3/smbd: move make_default_filesystem_acl() to vfs_acl_common.c
      from  5a58a14 notify_inotify: Map inotify mask back to filter

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 961c4b591bb102751079d9cc92d7aa1c37f1958c
Author: Ralph Boehme <slow at samba.org>
Date:   Fri Jul 15 17:48:19 2016 +0200

    vfs_acl_xattr: objects without NT ACL xattr
    
    Even with "ignore system acls" set to "yes", for objects without NT ACL
    xattr we use the underlying filesystem permissions to construct an NT
    ACL. This can result in *very* unexpected permissions, eg:
    
    - a directory with the following ACL:
    
    $ ./bin/smbcacls -Uslow%pass //localhost/normal ""
    REVISION:1
    CONTROL:SR|DP
    OWNER:SLOW\slow
    GROUP:Unix Group\root
    ACL:SLOW\slow:ALLOWED/0x0/FULL
    
    So only one non-inheritable(!) ACE.
    
    - creating a subdirectory:
    
    $ ./bin/smbclient -Uslow%pass //localhost/normal -c "mkdir dir1"
    
    - checking whether there's an ACL xattr:
    
    $ getfattr -m "" /Volumes/normal/dir1
    getfattr: Removing leading '/' from absolute path names
    system.posix_acl_access
    system.posix_acl_default
    user.DOSATTRIB
    
    So there isn't an ACL xattr, because there where no inheritable ACEs on
    the parent folder.
    
    - reading the new subdirectories ACL:
    
    $ ./bin/smbcacls -Uslow%pass //localhost/normal "dir1"
    REVISION:1
    CONTROL:SR|DP
    OWNER:SLOW\slow
    GROUP:Unix Group\slow
    ACL:SLOW\slow:ALLOWED/0x0/FULL
    ACL:Unix Group\slow:ALLOWED/0x0/READ
    ACL:Everyone:ALLOWED/0x0/READ
    ACL:NT Authority\SYSTEM:ALLOWED/0x0/FULL
    
    The ACES for "SLOW\slow", "Unix Group\slow" and "Everyone" are coming
    from the underlying filesystem. This is the problem.
    
    - Windows assigns the following ACL in this situation:
    
    $ ./bin/smbcacls -UAdministrator%Passw0rd //10.10.10.14/data "dir"
    REVISION:1
    CONTROL:SR|PD|DI|DP
    OWNER:VORDEFINIERT\Administratoren
    GROUP:WIN2008R2\Domänen-Benutzer
    ACL:WIN2008R2\Administrator:ALLOWED/0x0/FULL
    
    $ ./bin/smbclient -UAdministrator%Passw0rd //10.10.10.14/data -c "mkdir dir\dir1"
    
    $ ./bin/smbcacls -UAdministrator%Passw0rd //10.10.10.14/data "dir\dir1"
    REVISION:1
    CONTROL:SR|DI|DP
    OWNER:VORDEFINIERT\Administratoren
    GROUP:WIN2008R2\Domänen-Benutzer
    ACL:VORDEFINIERT\Administratoren:ALLOWED/0x0/FULL
    ACL:NT-AUTORITÄT\SYSTEM:ALLOWED/0x0/FULL
    
    By changing make_default_filesystem_acl() to only add user and system
    ACEs to the ACL of objects that lack an ACL xattr, we match Windows
    behaviour:
    
    $ ./bin/smbclient -Uslow%pass //localhost/normal -c "mkdir dir2"
    
    $ ./bin/smbcacls -Uslow%pass //localhost/normal "dir2"
    REVISION:1
    CONTROL:SR|DP
    OWNER:SLOW\slow
    GROUP:Unix Group\slow
    ACL:SLOW\slow:ALLOWED/0x0/FULL
    ACL:NT Authority\SYSTEM:ALLOWED/0x0/FULL
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12028
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Tue Jul 19 10:22:05 CEST 2016 on sn-devel-144

commit afc2417b107af572081974ff9d013ddec890d31f
Author: Ralph Boehme <slow at samba.org>
Date:   Fri Jul 15 17:56:02 2016 +0200

    s3/smbd: move make_default_filesystem_acl() to vfs_acl_common.c
    
    This function is only used in vfs_acl_common.c and will be modified in
    the next commit.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12028
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/modules/vfs_acl_common.c |  74 ++++++++++++++++++++++++++
 source3/smbd/posix_acls.c        | 110 ---------------------------------------
 source3/smbd/proto.h             |   4 --
 3 files changed, 74 insertions(+), 114 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index 98e1b8e..2fda938e 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -24,6 +24,7 @@
 #include "../libcli/security/security.h"
 #include "../librpc/gen_ndr/ndr_security.h"
 #include "../lib/util/bitmap.h"
+#include "passdb/lookup_sid.h"
 
 static NTSTATUS create_acl_blob(const struct security_descriptor *psd,
 			DATA_BLOB *pblob,
@@ -358,6 +359,79 @@ static NTSTATUS add_directory_inheritable_components(vfs_handle_struct *handle,
 	return NT_STATUS_OK;
 }
 
+static NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
+					    const char *name,
+					    SMB_STRUCT_STAT *psbuf,
+					    struct security_descriptor **ppdesc)
+{
+	struct dom_sid owner_sid, group_sid;
+	size_t size = 0;
+	struct security_ace aces[4];
+	uint32_t access_mask = 0;
+	mode_t mode = psbuf->st_ex_mode;
+	struct security_acl *new_dacl = NULL;
+	int idx = 0;
+
+	DEBUG(10,("make_default_filesystem_acl: file %s mode = 0%o\n",
+		name, (int)mode ));
+
+	uid_to_sid(&owner_sid, psbuf->st_ex_uid);
+	gid_to_sid(&group_sid, psbuf->st_ex_gid);
+
+	/*
+	 * We provide 2 ACEs:
+	 * - Owner
+	 * - NT System
+	 */
+
+	if (mode & S_IRUSR) {
+		if (mode & S_IWUSR) {
+			access_mask |= SEC_RIGHTS_FILE_ALL;
+		} else {
+			access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
+		}
+	}
+	if (mode & S_IWUSR) {
+		access_mask |= SEC_RIGHTS_FILE_WRITE | SEC_STD_DELETE;
+	}
+
+	init_sec_ace(&aces[idx],
+			&owner_sid,
+			SEC_ACE_TYPE_ACCESS_ALLOWED,
+			access_mask,
+			0);
+	idx++;
+
+	init_sec_ace(&aces[idx],
+			&global_sid_System,
+			SEC_ACE_TYPE_ACCESS_ALLOWED,
+			SEC_RIGHTS_FILE_ALL,
+			0);
+	idx++;
+
+	new_dacl = make_sec_acl(ctx,
+			NT4_ACL_REVISION,
+			idx,
+			aces);
+
+	if (!new_dacl) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	*ppdesc = make_sec_desc(ctx,
+			SECURITY_DESCRIPTOR_REVISION_1,
+			SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
+			&owner_sid,
+			&group_sid,
+			NULL,
+			new_dacl,
+			&size);
+	if (!*ppdesc) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	return NT_STATUS_OK;
+}
+
 /*******************************************************************
  Pull a DATA_BLOB from an xattr given a pathname.
  If the hash doesn't match, or doesn't exist - return the underlying
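Review bot: The moved make_default_filesystem_acl() has no header comment, and its only comment ("We provide 2 ACEs") does not say that the group and other mode bits are deliberately dropped, so the DACL it reports can be narrower than what the underlying filesystem still permits through those bits. I would add above the function something like `/* Default NT ACL for objects without an NT ACL xattr: owner ACE from S_IRUSR/S_IWUSR plus full-control SYSTEM; group/other mode bits are intentionally not mapped, to match Windows. */`. The callers are outside this hunk, so it is worth confirming that this path is only reached where the NT ACL rather than the POSIX mode is meant to be authoritative (the commit message refers to "ignore system acls"). Separately, `struct security_ace aces[4];` is a leftover from the four-ACE version and can become `aces[2]`, and an owner with neither S_IRUSR nor S_IWUSR still gets an allow ACE with an empty access mask.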
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 2bb90c4..c575568 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -4688,116 +4688,6 @@ NTSTATUS get_nt_acl_no_snum(TALLOC_CTX *ctx, const char *fname,
 	return status;
 }
 
-/* Stolen shamelessly from pvfs_default_acl() in source4 :-). */
-
-NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
-					const char *name,
-					SMB_STRUCT_STAT *psbuf,
-					struct security_descriptor **ppdesc)
-{
-	struct dom_sid owner_sid, group_sid;
-	size_t size = 0;
-	struct security_ace aces[4];
-	uint32_t access_mask = 0;
-	mode_t mode = psbuf->st_ex_mode;
-	struct security_acl *new_dacl = NULL;
-	int idx = 0;
-
-	DEBUG(10,("make_default_filesystem_acl: file %s mode = 0%o\n",
-		name, (int)mode ));
-
-	uid_to_sid(&owner_sid, psbuf->st_ex_uid);
-	gid_to_sid(&group_sid, psbuf->st_ex_gid);
-
-	/*
-	 We provide up to 4 ACEs
-		- Owner
-		- Group
-		- Everyone
-		- NT System
-	*/
-
-	if (mode & S_IRUSR) {
-		if (mode & S_IWUSR) {
-			access_mask |= SEC_RIGHTS_FILE_ALL;
-		} else {
-			access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
-		}
-	}
-	if (mode & S_IWUSR) {
-		access_mask |= SEC_RIGHTS_FILE_WRITE | SEC_STD_DELETE;
-	}
-
-	init_sec_ace(&aces[idx],
-			&owner_sid,
-			SEC_ACE_TYPE_ACCESS_ALLOWED,
-			access_mask,
-			0);
-	idx++;
-
-	access_mask = 0;
-	if (mode & S_IRGRP) {
-		access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
-	}
-	if (mode & S_IWGRP) {
-		/* note that delete is not granted - this matches posix behaviour */
-		access_mask |= SEC_RIGHTS_FILE_WRITE;
-	}
-	if (access_mask) {
-		init_sec_ace(&aces[idx],
-			&group_sid,
-			SEC_ACE_TYPE_ACCESS_ALLOWED,
-			access_mask,
-			0);
-		idx++;
-	}
-
-	access_mask = 0;
-	if (mode & S_IROTH) {
-		access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
-	}
-	if (mode & S_IWOTH) {
-		access_mask |= SEC_RIGHTS_FILE_WRITE;
-	}
-	if (access_mask) {
-		init_sec_ace(&aces[idx],
-			&global_sid_World,
-			SEC_ACE_TYPE_ACCESS_ALLOWED,
-			access_mask,
-			0);
-		idx++;
-	}
-
-	init_sec_ace(&aces[idx],
-			&global_sid_System,
-			SEC_ACE_TYPE_ACCESS_ALLOWED,
-			SEC_RIGHTS_FILE_ALL,
-			0);
-	idx++;
-
-	new_dacl = make_sec_acl(ctx,
-			NT4_ACL_REVISION,
-			idx,
-			aces);
-
-	if (!new_dacl) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	*ppdesc = make_sec_desc(ctx,
-			SECURITY_DESCRIPTOR_REVISION_1,
-			SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
-			&owner_sid,
-			&group_sid,
-			NULL,
-			new_dacl,
-			&size);
-	if (!*ppdesc) {
-		return NT_STATUS_NO_MEMORY;
-	}
-	return NT_STATUS_OK;
-}
-
 int posix_sys_acl_blob_get_file(vfs_handle_struct *handle,
 				const char *path_p,
 				TALLOC_CTX *mem_ctx,
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index f330b4c..86fafe5 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -780,10 +780,6 @@ bool set_unix_posix_acl(connection_struct *conn, files_struct *fsp, const char *
 NTSTATUS get_nt_acl_no_snum( TALLOC_CTX *ctx, const char *fname,
 			     uint32_t security_info_wanted,
 			     struct security_descriptor **sd);
-NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
-					const char *name,
-					SMB_STRUCT_STAT *psbuf,
-					struct security_descriptor **ppdesc);
 int posix_sys_acl_blob_get_file(vfs_handle_struct *handle,
 				const char *path_p,
 				TALLOC_CTX *mem_ctx,


-- 
Samba Shared Repository


