[SCM] Samba Shared Repository - branch master updated
Ralph Böhme
slow at samba.org
Thu Mar 8 03:10:02 UTC 2018
The branch, master has been updated
via e0b147f s3: vfs_fruit. Change check_ms_nfs() to remove the virtual ACE's generated by fruit_fget_nt_acl().
via 8edad37 s3: vfs_fruit. If the security descriptor was modified, ensure we set the flags correctly to reflect the ACE's left.
via 019a1bc s3: vfs_fruit: Ensure we operate on a copy of the incoming security descriptor.
via e9059c7 s3: vfs_fruit. Ensure we only return one set of the 'virtual' UNIX ACE entries.
from 7f625f9 ldb_mod_op_test: Make sure that closing the database frees locks
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit e0b147f650fe59f606d1faffe57059e6e9d7837b
Author: Jeremy Allison <jra at samba.org>
Date: Fri Mar 2 13:53:55 2018 -0800
s3: vfs_fruit. Change check_ms_nfs() to remove the virtual ACE's generated by fruit_fget_nt_acl().
Ensures they don't get stored in the underlying ACL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Thu Mar 8 04:09:38 CET 2018 on sn-devel-144
commit 8edad37e476295e25932778721d8ef33713f6853
Author: Jeremy Allison <jra at samba.org>
Date: Fri Mar 2 13:51:54 2018 -0800
s3: vfs_fruit. If the security descriptor was modified, ensure we set the flags correctly to reflect the ACE's left.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 019a1bc4caf3439adcaac48b384e86d84a1ad383
Author: Jeremy Allison <jra at samba.org>
Date: Fri Mar 2 13:21:37 2018 -0800
s3: vfs_fruit: Ensure we operate on a copy of the incoming security descriptor.
This will allow us to modify it in the next commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit e9059c7b40069cfb036bfb95958b78c6a2c800e4
Author: Jeremy Allison <jra at samba.org>
Date: Fri Mar 2 13:07:48 2018 -0800
s3: vfs_fruit. Ensure we only return one set of the 'virtual' UNIX ACE entries.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
-----------------------------------------------------------------------
Summary of changes:
source3/modules/vfs_fruit.c | 104 +++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 102 insertions(+), 2 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index ec76f71..29372e9 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -2957,12 +2957,15 @@ static NTSTATUS readdir_attr_macmeta(struct vfs_handle_struct *handle,
/* Search MS NFS style ACE with UNIX mode */
static NTSTATUS check_ms_nfs(vfs_handle_struct *handle,
files_struct *fsp,
- const struct security_descriptor *psd,
+ struct security_descriptor *psd,
mode_t *pmode,
bool *pdo_chmod)
{
uint32_t i;
struct fruit_config_data *config = NULL;
+ struct dom_sid sid;
+ NTSTATUS status = NT_STATUS_OK;
+ bool remove_ok = false;
*pdo_chmod = false;
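Review bot: The comment above check_ms_nfs() still reads "Search MS NFS style ACE with UNIX mode", but with `const` dropped from `psd` the function now also edits the descriptor it is handed. A caller reading only the signature has no hint that the DACL can come back shorter. I would extend the comment to something like `/* Search MS NFS style ACE with UNIX mode, then strip the virtual NFS ACEs from psd (psd is modified in place). */`. The function body continues outside this hunk.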
@@ -2991,6 +2994,44 @@ static NTSTATUS check_ms_nfs(vfs_handle_struct *handle,
}
}
+ /*
+ * Remove any incoming virtual ACE entries generated by
+ * fruit_fget_nt_acl().
+ */
+
+ /* MS NFS style mode */
+ sid_compose(&sid, &global_sid_Unix_NFS_Mode,
+ fsp->fsp_name->st.st_ex_mode);
+ status = security_descriptor_dacl_del(psd, &sid);
+ remove_ok = (NT_STATUS_IS_OK(status) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
+ if (!remove_ok) {
+ DBG_WARNING("failed to remove MS NFS_mode style ACE\n");
+ return status;
+ }
+
+ /* MS NFS style uid */
+ sid_compose(&sid, &global_sid_Unix_NFS_Users,
+ fsp->fsp_name->st.st_ex_uid);
+ status = security_descriptor_dacl_del(psd, &sid);
+ remove_ok = (NT_STATUS_IS_OK(status) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
+ if (!remove_ok) {
+ DBG_WARNING("failed to remove MS NFS_users style ACE\n");
+ return status;
+ }
+
+ /* MS NFS style gid */
+ sid_compose(&sid, &global_sid_Unix_NFS_Groups,
+ fsp->fsp_name->st.st_ex_gid);
+ status = security_descriptor_dacl_del(psd, &sid);
+ remove_ok = (NT_STATUS_IS_OK(status) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
+ if (!remove_ok) {
+ DBG_WARNING("failed to remove MS NFS_groups style ACE\n");
+ return status;
+ }
+
return NT_STATUS_OK;
}
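Review bot: The three deletions match on the exact SID built from the file's current `st_ex_mode`, `st_ex_uid` and `st_ex_gid`, so an incoming virtual ACE that carries any other value is not removed and is still passed on to the underlying ACL. That would presumably include a mode ACE asking for a new mode, if the search loop earlier in this function (outside the hunk) reads the requested mode from such an ACE, and also a descriptor read before the file's owner or mode changed. Matching on the well-known NFS prefix of each trustee removes these entries regardless of the trailing value, and the NOT_FOUND tolerance is then no longer needed. The sketch assumes `psd->dacl` is already known to be non-NULL at this point, which should be confirmed against the part of the function not shown.

```c
/* … unchanged: search loop that sets *pmode / *pdo_chmod … */

/*
 * Remove incoming virtual ACEs by well-known prefix, not by the
 * file's current stat values.
 */
for (i = 0; i < psd->dacl->num_aces; i++) {
	const struct dom_sid *t = &psd->dacl->aces[i].trustee;

	if (dom_sid_compare_domain(&global_sid_Unix_NFS_Mode, t) != 0 &&
	    dom_sid_compare_domain(&global_sid_Unix_NFS_Users, t) != 0 &&
	    dom_sid_compare_domain(&global_sid_Unix_NFS_Groups, t) != 0) {
		continue;
	}

	/* Copy first: the delete shifts aces[] underneath the pointer. */
	sid = *t;
	status = security_descriptor_dacl_del(psd, &sid);
	if (!NT_STATUS_IS_OK(status)) {
		DBG_WARNING("failed to remove MS NFS style ACE\n");
		return status;
	}
	/* Re-examine the entry that moved into slot i. */
	i--;
}
```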
@@ -5687,6 +5728,7 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
struct security_ace ace;
struct dom_sid sid;
struct fruit_config_data *config;
+ bool remove_ok = false;
SMB_VFS_HANDLE_GET_DATA(handle, config,
struct fruit_config_data,
@@ -5711,6 +5753,15 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
/* MS NFS style mode */
sid_compose(&sid, &global_sid_Unix_NFS_Mode, fsp->fsp_name->st.st_ex_mode);
init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0);
+
+ /* First remove any existing ACE's with this SID. */
+ status = security_descriptor_dacl_del(*ppdesc, &sid);
+ remove_ok = (NT_STATUS_IS_OK(status) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
+ if (!remove_ok) {
+ DBG_WARNING("failed to remove MS NFS_mode style ACE\n");
+ return status;
+ }
status = security_descriptor_dacl_add(*ppdesc, &ace);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1,("failed to add MS NFS style ACE\n"));
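Review bot: The delete, `remove_ok` and warn stanza added here is repeated verbatim in the uid and gid hunks that follow and three more times in check_ms_nfs(), with only the message text changing. Six hand-copied copies of "NOT_FOUND is fine, anything else is fatal" are easy to let drift apart, and this logic decides which ACEs reach the stored ACL. A small static helper would keep the policy in one place and make the `remove_ok` local unnecessary. The helper name below is only a suggestion, and fruit_fget_nt_acl() starts and ends outside this hunk.

```c
/* Delete ACEs for sid from sd; a SID that is not present is not an error. */
static NTSTATUS fruit_dacl_del_virtual(struct security_descriptor *sd,
				       const struct dom_sid *sid,
				       const char *what)
{
	NTSTATUS status = security_descriptor_dacl_del(sd, sid);

	if (NT_STATUS_IS_OK(status) ||
	    NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
		return NT_STATUS_OK;
	}
	DBG_WARNING("failed to remove MS %s style ACE\n", what);
	return status;
}

/* … unchanged: sid_compose() / init_sec_ace() for the mode SID … */
status = fruit_dacl_del_virtual(*ppdesc, &sid, "NFS_mode");
if (!NT_STATUS_IS_OK(status)) {
	return status;
}
```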
@@ -5720,6 +5771,15 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
/* MS NFS style uid */
sid_compose(&sid, &global_sid_Unix_NFS_Users, fsp->fsp_name->st.st_ex_uid);
init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0);
+
+ /* First remove any existing ACE's with this SID. */
+ status = security_descriptor_dacl_del(*ppdesc, &sid);
+ remove_ok = (NT_STATUS_IS_OK(status) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
+ if (!remove_ok) {
+ DBG_WARNING("failed to remove MS NFS_users style ACE\n");
+ return status;
+ }
status = security_descriptor_dacl_add(*ppdesc, &ace);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1,("failed to add MS NFS style ACE\n"));
@@ -5729,6 +5789,15 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
/* MS NFS style gid */
sid_compose(&sid, &global_sid_Unix_NFS_Groups, fsp->fsp_name->st.st_ex_gid);
init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0);
+
+ /* First remove any existing ACE's with this SID. */
+ status = security_descriptor_dacl_del(*ppdesc, &sid);
+ remove_ok = (NT_STATUS_IS_OK(status) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
+ if (!remove_ok) {
+ DBG_WARNING("failed to remove MS NFS_groups style ACE\n");
+ return status;
+ }
status = security_descriptor_dacl_add(*ppdesc, &ace);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1,("failed to add MS NFS style ACE\n"));
@@ -5741,24 +5810,53 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle,
files_struct *fsp,
uint32_t security_info_sent,
- const struct security_descriptor *psd)
+ const struct security_descriptor *orig_psd)
{
NTSTATUS status;
bool do_chmod;
mode_t ms_nfs_mode = 0;
int result;
+ struct security_descriptor *psd = NULL;
+ uint32_t orig_num_aces = 0;
+
+ if (orig_psd->dacl != NULL) {
+ orig_num_aces = orig_psd->dacl->num_aces;
+ }
+
+ psd = security_descriptor_copy(talloc_tos(), orig_psd);
+ if (psd == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
DBG_DEBUG("fruit_fset_nt_acl: %s\n", fsp_str_dbg(fsp));
status = check_ms_nfs(handle, fsp, psd, &ms_nfs_mode, &do_chmod);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("fruit_fset_nt_acl: check_ms_nfs failed%s\n", fsp_str_dbg(fsp)));
+ TALLOC_FREE(psd);
return status;
}
+ /*
+ * If only ms_nfs ACE entries were sent, ensure we set the DACL
+ * sent/present flags correctly now we've removed them.
+ */
+
+ if (orig_num_aces != 0) {
+ /*
+ * Are there any ACE's left ?
+ */
+ if (psd->dacl->num_aces == 0) {
+ /* No - clear the DACL sent/present flags. */
+ security_info_sent &= ~SECINFO_DACL;
+ psd->type &= ~SEC_DESC_DACL_PRESENT;
+ }
+ }
+
status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("fruit_fset_nt_acl: SMB_VFS_NEXT_FSET_NT_ACL failed%s\n", fsp_str_dbg(fsp)));
+ TALLOC_FREE(psd);
return status;
}
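Review bot: The comment above the `orig_num_aces != 0` block says the flags are set "correctly" but not what goes wrong otherwise, and that is the security-relevant part. A DACL that is still marked present but has zero ACEs would presumably be applied by the next module as "nobody has access", replacing the file's existing ACL. I would state that in the comment, e.g. `/* An empty DACL left marked present would be applied as "no access"; clear the flags so the existing DACL is kept. */`. It is also worth a line noting that `psd->dacl` is dereferenced without a NULL check because `orig_num_aces != 0` implies the copy has a DACL. The function continues outside this hunk.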
@@ -5776,10 +5874,12 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle,
result, (unsigned)ms_nfs_mode,
strerror(errno)));
status = map_nt_error_from_unix(errno);
+ TALLOC_FREE(psd);
return status;
}
}
+ TALLOC_FREE(psd);
return NT_STATUS_OK;
}
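Review bot: `TALLOC_FREE(psd)` is now written out on four separate exit paths, two in this hunk and two in the previous one, so any early return added later has to remember a fifth. A single exit label keeps the ownership of the copy in one place: set `status` and `goto out;` at each failure, then end the function with `out: TALLOC_FREE(psd); return status;`, assigning `status = NT_STATUS_OK` on the success path. Part of the function body lies outside the visible hunks, so any returns there would need the same treatment.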
--
Samba Shared Repository