[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Tue Apr 18 02:42:03 UTC 2017


The branch, master has been updated
       via  05d83cc vfs_acl_xattr: avoid needlessly supplying a large buffer to getxattr()
       via  7b775ab vfs_acl_xattr: factor out fetching of an extended attribute
       via  4dfa2d6 vfs_xattr_tdb: handle case of zero size.
       via  5017dfe selftest: test fetching a large ACL from vfs_acl_xattr
       via  0e0f564 docs: Update idmap_rid manpage
      from  ab597b9 s4: server: Use state as the talloc context for open_schannel_session_store.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 05d83ccf7a6fecf963fcb980acd50cebfc0c3ea9
Author: Uri Simchoni <uri at samba.org>
Date:   Thu Apr 13 12:44:58 2017 +0300

    vfs_acl_xattr: avoid needlessly supplying a large buffer to getxattr()
    
    When obtaining the security descriptor via getxattr(), first try
    optimistically to supply a buffer of 4K, and if that turns out
    to be too small, determine the correct buffer size.
    
    The previous behavior of falling back to a 64K buffer encountered
    problems with Linux prior to version 3.6, due to physical memory
    fragmentation. With those kernels, as long as the buffer is 8K or
    smaller, getting the xattr is much less prone to failure due to
    memory fragmentation.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12737
    
    Signed-off-by: Uri Simchoni <uri at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Tue Apr 18 04:41:16 CEST 2017 on sn-devel-144

commit 7b775abd9278ae34110ec87d94a736be7f64884a
Author: Uri Simchoni <uri at samba.org>
Date:   Sun Apr 9 00:40:44 2017 +0300

    vfs_acl_xattr: factor out fetching of an extended attribute
    
    Pure refactoring - add a function that fetches an extended attribute
    based on either the file descriptor or the file name.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12737
    
    Signed-off-by: Uri Simchoni <uri at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 4dfa2d6a0972847e3b21ddf05077e50ed72c4ea8
Author: Uri Simchoni <uri at samba.org>
Date:   Thu Apr 13 12:50:47 2017 +0300

    vfs_xattr_tdb: handle case of zero size.
    
    With getxattr(), passing a zero buffer size is a
    way of obtaining actual xattr size.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12737
    
    Signed-off-by: Uri Simchoni <uri at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 5017dfeef24b8d568e0146c085f3f979d688acf2
Author: Uri Simchoni <uri at samba.org>
Date:   Sun Apr 9 00:20:40 2017 +0300

    selftest: test fetching a large ACL from vfs_acl_xattr
    
    Add a test that fetches an ACL whose size is larger than 4K.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12737
    
    Signed-off-by: Uri Simchoni <uri at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 0e0f56485e83b5ab1c4a4ad44a9bf55103c9981c
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Apr 12 13:17:16 2017 +0200

    docs: Update idmap_rid manpage
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/idmap_rid.8.xml      | 12 ++---
 source3/modules/vfs_acl_xattr.c        | 84 ++++++++++++++++++++++++----------
 source3/modules/vfs_xattr_tdb.c        | 12 +++++
 source3/script/tests/test_large_acl.sh | 59 ++++++++++++++++++++++++
 source3/selftest/tests.py              |  1 +
 5 files changed, 135 insertions(+), 33 deletions(-)
 create mode 100755 source3/script/tests/test_large_acl.sh


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/idmap_rid.8.xml b/docs-xml/manpages/idmap_rid.8.xml
index b00d01e..19d89ef 100644
--- a/docs-xml/manpages/idmap_rid.8.xml
+++ b/docs-xml/manpages/idmap_rid.8.xml
@@ -23,22 +23,18 @@
 	in this case as the mapping is deterministic.</para>
 
 	<para>
-	Note that the idmap_rid module has changed considerably since Samba
-	versions 3.0. and 3.2.
 	Currently, there should to be an explicit idmap configuration for each
 	domain that should use the idmap_rid backend, using disjoint ranges.
+	</para>
+
+	<para>
+	NOTE: The idmap_rid backend can NOT bet used as the default backend.
 	One usually needs to define a writeable default idmap range, using
 	a backend like <parameter>tdb</parameter> or <parameter>ldap</parameter>
 	that can create unix ids, in order to be able to map the BUILTIN sids
 	and other domains, and also in order to be able to create group mappings.
 	See the example below.
 	</para>
-
-	<para>
-	Note that the old syntax
-	<parameter>idmap backend = rid:"DOM1=range DOM2=range2 ..."</parameter>
-	is not supported any more since Samba version 3.0.25.
-	</para>
 </refsynopsisdiv>
 
 <refsect1>
diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c
index e1f90ff..421860b 100644
--- a/source3/modules/vfs_acl_xattr.c
+++ b/source3/modules/vfs_acl_xattr.c
@@ -37,17 +37,45 @@
  Pull a security descriptor into a DATA_BLOB from a xattr.
 *******************************************************************/
 
+static ssize_t getxattr_do(vfs_handle_struct *handle,
+			   files_struct *fsp,
+			   const struct smb_filename *smb_fname,
+			   const char *xattr_name,
+			   uint8_t *val,
+			   size_t size)
+{
+	ssize_t sizeret;
+	int saved_errno = 0;
+
+	become_root();
+	if (fsp && fsp->fh->fd != -1) {
+		sizeret = SMB_VFS_FGETXATTR(fsp, xattr_name, val, size);
+	} else {
+		sizeret = SMB_VFS_GETXATTR(handle->conn, smb_fname->base_name,
+					   XATTR_NTACL_NAME, val, size);
+	}
+	if (sizeret == -1) {
+		saved_errno = errno;
+	}
+	unbecome_root();
+
+	if (saved_errno != 0) {
+		errno = saved_errno;
+	}
+
+	return sizeret;
+}
+
 static NTSTATUS get_acl_blob(TALLOC_CTX *ctx,
 			vfs_handle_struct *handle,
 			files_struct *fsp,
 			const struct smb_filename *smb_fname,
 			DATA_BLOB *pblob)
 {
-	size_t size = 1024;
+	size_t size = 4096;
 	uint8_t *val = NULL;
 	uint8_t *tmp;
 	ssize_t sizeret;
-	int saved_errno = 0;
 
 	ZERO_STRUCTP(pblob);
 
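Review bot: The path-based branch of `getxattr_do()` ignores its `xattr_name` parameter and passes the hard-coded `XATTR_NTACL_NAME` to `SMB_VFS_GETXATTR`, while the fd branch uses `xattr_name`. The only caller visible in this patch passes `XATTR_NTACL_NAME`, so behaviour is unchanged today, but a later caller asking for a different attribute would silently read the NT ACL xattr, as root, whenever no fd is open. The call should read `sizeret = SMB_VFS_GETXATTR(handle->conn, smb_fname->base_name, xattr_name, val, size);`. The banner comment "Pull a security descriptor into a DATA_BLOB from a xattr" now sits above the helper instead of `get_acl_blob()`, whose body continues outside the hunk; the helper deserves its own short comment saying that it runs the fetch as root and preserves errno across `unbecome_root()`.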
@@ -60,35 +88,41 @@ static NTSTATUS get_acl_blob(TALLOC_CTX *ctx,
 	}
 	val = tmp;
 
-	become_root();
-	if (fsp && fsp->fh->fd != -1) {
-		sizeret = SMB_VFS_FGETXATTR(fsp, XATTR_NTACL_NAME, val, size);
-	} else {
-		sizeret = SMB_VFS_GETXATTR(handle->conn, smb_fname->base_name,
-					XATTR_NTACL_NAME, val, size);
+	sizeret =
+	    getxattr_do(handle, fsp, smb_fname, XATTR_NTACL_NAME, val, size);
+
+	if (sizeret >= 0) {
+		pblob->data = val;
+		pblob->length = sizeret;
+		return NT_STATUS_OK;
 	}
-	if (sizeret == -1) {
-		saved_errno = errno;
+
+	if (errno != ERANGE) {
+		goto err;
 	}
-	unbecome_root();
 
-	/* Max ACL size is 65536 bytes. */
-	if (sizeret == -1) {
-		errno = saved_errno;
-		if ((errno == ERANGE) && (size != 65536)) {
-			/* Too small, try again. */
-			size = 65536;
-			goto again;
-		}
+	/* Too small, try again. */
+	sizeret =
+	    getxattr_do(handle, fsp, smb_fname, XATTR_NTACL_NAME, NULL, 0);
+	if (sizeret < 0) {
+		goto err;
+	}
 
-		/* Real error - exit here. */
-		TALLOC_FREE(val);
-		return map_nt_error_from_unix(errno);
+	if (size < sizeret) {
+		size = sizeret;
 	}
 
-	pblob->data = val;
-	pblob->length = sizeret;
-	return NT_STATUS_OK;
+	if (size > 65536) {
+		/* Max ACL size is 65536 bytes. */
+		errno = ERANGE;
+		goto err;
+	}
+
+	goto again;
+  err:
+	/* Real error - exit here. */
+	TALLOC_FREE(val);
+	return map_nt_error_from_unix(errno);
 }
 
 /*******************************************************************
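Review bot: The retry path ending in `goto again` has no iteration bound: whenever the sized fetch fails with ERANGE and the zero-length query then reports a value not larger than `size`, the same buffer size is simply tried again. That is legitimate when the attribute shrinks between the two calls, but a writer that keeps changing the attribute, or a stacked VFS module that reports sizes inconsistently, could keep smbd looping here with a root switch on every pass. A small counter would bound it, for example `int tries = 0;` beside the other locals and `if (++tries > 3) { errno = ERANGE; goto err; }` just before `goto again`. The `again:` label and the allocation it guards are outside this hunk, so this assumes the label still precedes the realloc.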
diff --git a/source3/modules/vfs_xattr_tdb.c b/source3/modules/vfs_xattr_tdb.c
index b32fbc1..58acf44 100644
--- a/source3/modules/vfs_xattr_tdb.c
+++ b/source3/modules/vfs_xattr_tdb.c
@@ -85,6 +85,12 @@ static ssize_t xattr_tdb_getxattr(struct vfs_handle_struct *handle,
 		TALLOC_FREE(frame);
 		return -1;
 	}
+
+	if (size == 0) {
+		TALLOC_FREE(frame);
+		return xattr_size;
+	}
+
 	if (blob.length > size) {
 		TALLOC_FREE(frame);
 		errno = ERANGE;
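Review bot: The new `size == 0` early return reports `xattr_size`, while the ERANGE check directly below compares against `blob.length`; both are set outside the hunk, so it is worth confirming they are always equal. If they can differ, a caller that sizes its buffer from the query result can still get ERANGE on the following call. Returning `blob.length` in the query branch would tie the two together, and a comment such as `/* size == 0: length query as in getxattr(2); report the size, copy nothing */` would document the contract. The same applies to the identical block added to `xattr_tdb_fgetxattr()` in the next hunk.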
@@ -125,6 +131,12 @@ static ssize_t xattr_tdb_fgetxattr(struct vfs_handle_struct *handle,
 		TALLOC_FREE(frame);
 		return -1;
 	}
+
+	if (size == 0) {
+		TALLOC_FREE(frame);
+		return xattr_size;
+	}
+
 	if (blob.length > size) {
 		TALLOC_FREE(frame);
 		errno = ERANGE;
diff --git a/source3/script/tests/test_large_acl.sh b/source3/script/tests/test_large_acl.sh
new file mode 100755
index 0000000..9b6901f
--- /dev/null
+++ b/source3/script/tests/test_large_acl.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+#
+# Blackbox test for fetching a large ACL
+#
+
+if [ $# -lt 5 ]; then
+cat <<EOF
+Usage: $0 SERVER USERNAME PASSWORD SMBCLIENT SMBCACLS PARAMS
+EOF
+exit 1;
+fi
+
+SERVER=${1}
+USERNAME=${2}
+PASSWORD=${3}
+SMBCLIENT=${4}
+SMBCACLS=${5}
+shift 5
+ADDARGS="$*"
+SMBCLIENT="$VALGRIND ${SMBCLIENT} ${ADDARGS}"
+SMBCACLS="$VALGRIND ${SMBCACLS} ${ADDARGS}"
+
+incdir=`dirname $0`/../../../testprogs/blackbox
+. $incdir/subunit.sh
+
+# build a file to work with
+build_files()
+{
+    touch large_acl
+    $SMBCLIENT //$SERVER/acl_xattr_ign_sysacl_windows -U $USERNAME%$PASSWORD -c 'put large_acl' > /dev/null 2>&1
+    rm -rf large_acl > /dev/null
+}
+
+cleanup()
+{
+    $SMBCLIENT //$SERVER/acl_xattr_ign_sysacl_windows -U $USERNAME%$PASSWORD -c 'rm large_acl' > /dev/null 2>&1
+}
+
+build_files
+
+test_large_acl()
+{
+    #An ACL with 200 entries, ~7K
+    new_acl=$(seq 1001 1200 | sed -r -e '1 i\D:(A;;0x001f01ff;;;WD)' -e 's/(.*)/(A;;0x001f01ff;;;S-1-5-21-11111111-22222222-33333333-\1)/' | tr -d '\n')
+    $SMBCACLS //$SERVER/acl_xattr_ign_sysacl_windows -U $USERNAME%$PASSWORD --sddl -S $new_acl large_acl
+    actual_acl=$($SMBCACLS //$SERVER/acl_xattr_ign_sysacl_windows -U $USERNAME%$PASSWORD --sddl --numeric large_acl 2>/dev/null | sed -rn 's/.*(D:.*)/\1/p' | tr -d '\n')
+    if [ ! "$new_acl" = "$actual_acl" ] ; then
+        echo -e "expected:\n$new_acl\nactual:\n$actual_acl\n"
+        return 1
+    fi
+}
+
+failed=0
+
+testit "able to retrieve a large ACL if VFS supports it" test_large_acl || failed=`expr $failed + 1`
+
+cleanup
+
+exit $failed
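Review bot: The credential and ACL arguments are expanded unquoted (`-U $USERNAME%$PASSWORD`, `-S $new_acl`), so a test password containing whitespace or glob characters is split or expanded by the shell before smbclient or smbcacls sees it; `-U "$USERNAME%$PASSWORD"` and `-S "$new_acl"` avoid that. `build_files` sends all output to /dev/null and the `smbcacls -S` call in `test_large_acl` ignores its exit status, so a failed upload or a rejected ACL only shows up later as an expected/actual mismatch. Ending the set call with `|| return 1` would report the failure where it happens. `touch large_acl` also writes into whatever the current directory is; a file under a temporary directory would keep the test from clobbering an existing `large_acl`.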
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index d0e2ae6..3959439 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -228,6 +228,7 @@ for env in ["fileserver"]:
     plantestsuite("samba3.blackbox.inherit_owner.default(%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_inherit_owner.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$PREFIX', smbclient3, smbcacls, 'tmp', '0', '0', '-m', 'NT1'])
     plantestsuite("samba3.blackbox.inherit_owner.full (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_inherit_owner.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$PREFIX', smbclient3, smbcacls, 'inherit_owner', '1', '1', '-m', 'NT1'])
     plantestsuite("samba3.blackbox.inherit_owner.unix (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_inherit_owner.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$PREFIX', smbclient3, smbcacls, 'inherit_owner_u', '0', '1', '-m', 'NT1'])
+    plantestsuite("samba3.blackbox.large_acl (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_large_acl.sh"), '$SERVER', '$USERNAME', '$PASSWORD', smbclient3, smbcacls])
 
     #
     # tar command tests


-- 
Samba Shared Repository


