[SCM] Samba Shared Repository - branch master updated

Christof Schmitt cs at samba.org
Fri Jul 17 18:34:02 UTC 2020


The branch, master has been updated
       via  63b9b2a103a vfs_posixacl: Remove unnecessary call to acl_set_permset
       via  0b1bec434d1 test_vfs_posixacl: Add unit test for Linux POSIX ACL mapping
       via  fd364b01e2d pam_winbind: Fix CID 242274 Time of check time of use
      from  71b7140fd0a docs: Fix documentation for require_membership_of of pam_winbind.conf

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 63b9b2a103a6762e18d0bf0f820f42bd85a8bdcc
Author: Christof Schmitt <cs at samba.org>
Date:   Mon Jul 6 22:27:59 2020 -0700

    vfs_posixacl: Remove unnecessary call to acl_set_permset
    
    After the initial acl_get_permset, the permset is already pointing to
    the ACL entry and all changes are done on the ACL entry. There is no
    need to overwrite the permissions in the ACL entry again with the same
    value in the acl_set_permset call.
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Christof Schmitt <cs at samba.org>
    Autobuild-Date(master): Fri Jul 17 18:33:41 UTC 2020 on sn-devel-184

commit 0b1bec434d1017216f4dd281db3fa3504b1039e4
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jul 7 20:02:42 2020 -0700

    test_vfs_posixacl: Add unit test for Linux POSIX ACL mapping
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit fd364b01e2defb5f48238db64d3ef7f6d828c517
Author: Christof Schmitt <cs at samba.org>
Date:   Wed Jul 8 20:03:44 2020 -0700

    pam_winbind: Fix CID 242274 Time of check time of use
    
    Always issue the mkdir call to avoid the TOCTOU issue. Only if there is
    already an object with the requested name, check whether it is a
    directory.
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 nsswitch/pam_winbind.c              |  19 +++--
 source3/modules/test_vfs_posixacl.c | 159 ++++++++++++++++++++++++++++++++++++
 source3/modules/vfs_posixacl.c      |   3 +-
 source3/modules/wscript_build       |   5 ++
 source3/selftest/tests.py           |   4 +
 5 files changed, 184 insertions(+), 6 deletions(-)
 create mode 100644 source3/modules/test_vfs_posixacl.c


Changeset truncated at 500 lines:

diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index 61ce4fd6b21..aee45bfe9bc 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -1582,14 +1582,23 @@ static int _pam_create_homedir(struct pwb_context *ctx,
 			       const char *dirname,
 			       mode_t mode)
 {
-	struct stat sbuf;
+	int ret;
 
-	if (stat(dirname, &sbuf) == 0) {
-		return PAM_SUCCESS;
-	}
+	ret = mkdir(dirname, mode);
+	if (ret != 0 && errno == EEXIST) {
+		struct stat sbuf;
 
-	if (mkdir(dirname, mode) != 0) {
+		ret = stat(dirname, &sbuf);
+		if (ret != 0) {
+			return PAM_PERM_DENIED;
+		}
+
+		if (!S_ISDIR(sbuf.st_mode)) {
+			return PAM_PERM_DENIED;
+		}
+	}
 
+	if (ret != 0) {
 		_make_remark_format(ctx, PAM_TEXT_INFO,
 				    _("Creating directory: %s failed: %s"),
 				    dirname, strerror(errno));
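Review bot: The two early returns added in the EEXIST branch (`stat` failure and `!S_ISDIR(sbuf.st_mode)`) return PAM_PERM_DENIED without any message, while the mkdir failure path right below reports through `_make_remark_format`; a pre-existing non-directory at `dirname` therefore fails silently. A remark such as `_make_remark_format(ctx, PAM_TEXT_INFO, _("%s exists but is not a directory"), dirname);` before the second return would make this diagnosable. Note also that `stat` follows symbolic links, so a symlink resolving to a directory is accepted; if that is deliberate, a comment should say so, otherwise `lstat` is the stricter check. Which one is right depends on how callers use the path, which is not visible here. The function body continues past the end of the hunk.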
diff --git a/source3/modules/test_vfs_posixacl.c b/source3/modules/test_vfs_posixacl.c
new file mode 100644
index 00000000000..e5a333334ed
--- /dev/null
+++ b/source3/modules/test_vfs_posixacl.c
@@ -0,0 +1,159 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *
+ *  Unit test for vfs_posixacl
+ *
+ *  Copyright (C) Christof Schmitt 2020
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "vfs_posixacl.c"
+#include <cmocka.h>
+
+static void smb_acl_add_entry(struct smb_acl_t * smb_acl,
+			      SMB_ACL_TAG_T tag, uint32_t id,
+			      bool read, bool write, bool execute)
+{
+	int ret;
+	struct smb_acl_entry *smb_acl_entry = NULL;
+	SMB_ACL_PERMSET_T smb_permset = NULL;
+
+	ret = sys_acl_create_entry(&smb_acl, &smb_acl_entry);
+	assert_int_equal(ret, 0);
+
+	ret = sys_acl_set_tag_type(smb_acl_entry, tag);
+	assert_int_equal(ret, 0);
+
+	if (tag == SMB_ACL_USER || tag == SMB_ACL_GROUP) {
+		ret = sys_acl_set_qualifier(smb_acl_entry, &id);
+		assert_int_equal(ret, 0);
+	}
+
+	ret = sys_acl_get_permset(smb_acl_entry, &smb_permset);
+	assert_int_equal(ret, 0);
+
+	if (read) {
+		ret = sys_acl_add_perm(smb_permset, SMB_ACL_READ);
+		assert_int_equal(ret, 0);
+	}
+
+	if (write) {
+		ret = sys_acl_add_perm(smb_permset, SMB_ACL_WRITE);
+		assert_int_equal(ret, 0);
+	}
+
+	if (execute) {
+		ret = sys_acl_add_perm(smb_permset, SMB_ACL_EXECUTE);
+		assert_int_equal(ret, 0);
+	}
+
+	ret = sys_acl_set_permset(smb_acl_entry, smb_permset);
+	assert_int_equal(ret, 0);
+}
+
+static void acl_check_entry(acl_entry_t acl_entry, SMB_ACL_TAG_T tag,
+			    uint32_t id,
+			    bool read, bool write, bool execute)
+{
+	int ret;
+	acl_permset_t acl_permset = NULL;
+	acl_tag_t acl_tag;
+
+	ret = acl_get_permset(acl_entry, &acl_permset);
+	assert_int_equal(ret, 0);
+
+	ret = acl_get_tag_type(acl_entry, &acl_tag);
+	assert_int_equal(ret, 0);
+	assert_int_equal(acl_tag, tag);
+
+	if (tag == ACL_USER || tag == ACL_GROUP) {
+		uint32_t *id_p;
+
+		id_p = acl_get_qualifier(acl_entry);
+		assert_non_null(id_p);
+		assert_int_equal(*id_p, id);
+	}
+
+	ret = acl_get_perm(acl_permset, ACL_READ);
+	assert_int_equal(ret, read ? 1 : 0);
+
+	ret = acl_get_perm(acl_permset, ACL_WRITE);
+	assert_int_equal(ret, write ? 1 : 0);
+
+	ret = acl_get_perm(acl_permset, ACL_EXECUTE);
+	assert_int_equal(ret, execute ? 1 : 0);
+}
+
+static void test_smb_acl_to_posix_simple_acl(void **state)
+{
+	TALLOC_CTX *mem_ctx = talloc_stackframe();
+	struct smb_acl_t *smb_acl = NULL;
+	acl_t acl = NULL;
+	acl_entry_t acl_entry = NULL;
+	int ret;
+
+	smb_acl = sys_acl_init(mem_ctx);
+	assert_non_null(smb_acl);
+
+	smb_acl_add_entry(smb_acl, SMB_ACL_USER_OBJ, 0, false, true, false);
+	smb_acl_add_entry(smb_acl, SMB_ACL_GROUP_OBJ, 0, true, false, false);
+	smb_acl_add_entry(smb_acl, SMB_ACL_OTHER, 0, false, false, true);
+
+	acl = smb_acl_to_posix(smb_acl);
+	assert_non_null(acl);
+
+	ret = acl_get_entry(acl, ACL_FIRST_ENTRY, &acl_entry);
+	assert_int_equal(ret, 1);
+	acl_check_entry(acl_entry, ACL_USER_OBJ, 0, false, true, false);
+
+	ret = acl_get_entry(acl, ACL_NEXT_ENTRY, &acl_entry);
+	assert_int_equal(ret, 1);
+	acl_check_entry(acl_entry, ACL_GROUP_OBJ, 0, true, false, false);
+
+	ret = acl_get_entry(acl, ACL_NEXT_ENTRY, &acl_entry);
+	assert_int_equal(ret, 1);
+	acl_check_entry(acl_entry, ACL_OTHER, 0, false, false, true);
+
+	ret = acl_get_entry(acl, ACL_NEXT_ENTRY, &acl_entry);
+	assert_int_equal(ret, 0);
+
+	ret = acl_free(acl);
+	assert_int_equal(ret, 0);
+
+	TALLOC_FREE(mem_ctx);
+}
+
+int main(int argc, char **argv)
+{
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(test_smb_acl_to_posix_simple_acl),
+	};
+
+	cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
+
+	if (argc != 2) {
+		print_error("Usage: %s smb.conf\n", argv[0]);
+		exit(1);
+	}
+
+	/*
+	 * Initialize enough of the Samba internals to have the
+	 * mappings tests work.
+	 */
+	talloc_stackframe();
+	lp_load_global(argv[1]);
+
+	return cmocka_run_group_tests(tests, NULL, NULL);
+}
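Review bot: `acl_check_entry` declares its `tag` parameter as `SMB_ACL_TAG_T` but compares it with `ACL_USER`/`ACL_GROUP` and is called with `ACL_USER_OBJ`, `ACL_GROUP_OBJ` and `ACL_OTHER`, which are libacl tags; declaring it as `acl_tag_t tag` keeps the helper from silently mixing the two tag namespaces. In the same helper the pointer returned by `acl_get_qualifier` is never released, so `acl_free(id_p);` should follow the comparison. In `main` the result of `lp_load_global(argv[1])` is ignored, so a bad smb.conf path lets the test run against configuration that was never loaded; `if (!lp_load_global(argv[1])) { exit(1); }` would fail early. The test covers only the three base entries, so the `SMB_ACL_USER`/`SMB_ACL_GROUP` qualifier branches in both helpers are not exercised yet.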
diff --git a/source3/modules/vfs_posixacl.c b/source3/modules/vfs_posixacl.c
index 83fb0455b3a..80115ebc6df 100644
--- a/source3/modules/vfs_posixacl.c
+++ b/source3/modules/vfs_posixacl.c
@@ -274,7 +274,8 @@ static int smb_acl_set_mode(acl_entry_t entry, SMB_ACL_PERM_T perm)
 	    ((ret = acl_add_perm(permset, ACL_EXECUTE)) != 0)) {
 		return ret;
 	}
-        return acl_set_permset(entry, permset);
+
+	return 0;
 }
 
 static acl_t smb_acl_to_posix(const struct smb_acl_t *acl)
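Review bot: With the `acl_set_permset` call gone, `smb_acl_set_mode` depends on `permset` being a handle into `entry` rather than a copy, which is not obvious from the remaining lines. A short comment before the final return would keep the reasoning from the commit message in the code, for example `/* permset refers to the permissions inside entry, no acl_set_permset needed */`. The start of the function, including the `acl_get_permset` call the commit message refers to, is outside this hunk.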
diff --git a/source3/modules/wscript_build b/source3/modules/wscript_build
index 09528f38070..2b1f264bab5 100644
--- a/source3/modules/wscript_build
+++ b/source3/modules/wscript_build
@@ -218,6 +218,11 @@ bld.SAMBA3_MODULE('vfs_posixacl',
                  internal_module=bld.SAMBA3_IS_STATIC_MODULE('vfs_posixacl'),
                  enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_posixacl'))
 
+bld.SAMBA3_BINARY('test_vfs_posixacl',
+                  source='test_vfs_posixacl.c',
+                  deps='smbd_base cmocka',
+                  for_selftest=True)
+
 bld.SAMBA3_MODULE('vfs_aixacl',
                  subsystem='vfs',
                  source='vfs_aixacl.c',
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index e2aebdcb6e2..5e4fbf8a603 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -561,6 +561,10 @@ plantestsuite("samba3.test_vfs_full_audit", "none",
               [os.path.join(bindir(), "test_vfs_full_audit"),
                "$SMB_CONF_PATH"])
 
+plantestsuite("samba3.test_vfs_posixacl", "none",
+              [os.path.join(bindir(), "test_vfs_posixacl"),
+               "$SMB_CONF_PATH"])
+
 plantestsuite(
     "samba3.resolvconf", "none",
     [os.path.join(samba3srcdir, "script/tests/test_resolvconf.sh")])


-- 
Samba Shared Repository


