[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Tue Jan 25 21:44:02 UTC 2022
The branch, master has been updated
via d85461c4f5e s3: smbd: Rename "unix extensions" -> "smb1 unix extensions".
via 1224d463e8e s3: smbd: Cleanup - In smbd_do_query_security_desc() we don't need a talloc frame.
via 65774b51766 s3: smbd: Cleanup - Split out smbd_marshall_security_desc() from smbd_do_query_security_desc().
via 62bd38f7888 s3: smbd: Cleanup - Split out smbd_fetch_security_desc() from smbd_do_query_security_desc().
from 12464bd4c22 blackbox.ndrdump: fix test_ndrdump_fuzzed_NULL_struct_ntlmssp_CHALLENGE_MESSAGE test
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit d85461c4f5ef9c5f2e2e75bed79b6f080257808b
Author: Jeremy Allison <jra at samba.org>
Date: Fri Jan 21 14:49:11 2022 -0800
s3: smbd: Rename "unix extensions" -> "smb1 unix extensions".
Make 'unix extensions' a synonym for "smb1 unix extensions".
This will allow us to have a separate "smb2 unix extensions"
parameter that we can examine separately.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: David Mulder <dmulder at suse.com>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Jan 25 21:43:59 UTC 2022 on sn-devel-184
commit 1224d463e8e067786541d7c36f8a6045e43eb831
Author: Jeremy Allison <jra at samba.org>
Date: Mon Jan 24 16:29:27 2022 -0800
s3: smbd: Cleanup - In smbd_do_query_security_desc() we don't need a talloc frame.
Just free the marshalled sd before returning.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: David Mulder <dmulder at suse.com>
commit 65774b51766e1329d7a7ddd7409e7f4717f65986
Author: Jeremy Allison <jra at samba.org>
Date: Thu Jan 20 10:58:45 2022 -0800
s3: smbd: Cleanup - Split out smbd_marshall_security_desc() from smbd_do_query_security_desc().
This is part two of a cleanup to split this up into a fetch()/marshal()
pair. Allows easy modification of the sd before returning if we need
to add the SMB2+unix mode information here on a SMB2 posix handle.
Also makes the code much clearer.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: David Mulder <dmulder at suse.com>
commit 62bd38f7888446b4f628408a1f4a746754171d2b
Author: Jeremy Allison <jra at samba.org>
Date: Thu Jan 20 10:05:51 2022 -0800
s3: smbd: Cleanup - Split out smbd_fetch_security_desc() from smbd_do_query_security_desc().
This is part one of a cleanup to split this up into a fetch()/marshal()
pair. Allows easy modification of the sd before returning if we need
to add the SMB2+unix mode information here on a SMB2 posix handle.
Also makes the code much clearer.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: David Mulder <dmulder at suse.com>
-----------------------------------------------------------------------
Summary of changes:
.../{unixextensions.xml => smb1unixextensions.xml} | 7 +-
source3/param/loadparm.c | 6 +-
source3/smbd/negprot.c | 2 +-
source3/smbd/nttrans.c | 95 +++++++++++++++-------
source3/smbd/reply.c | 2 +-
source3/smbd/trans2.c | 26 +++---
6 files changed, 89 insertions(+), 49 deletions(-)
rename docs-xml/smbdotconf/protocol/{unixextensions.xml => smb1unixextensions.xml} (78%)
Changeset truncated at 500 lines:
diff --git a/docs-xml/smbdotconf/protocol/unixextensions.xml b/docs-xml/smbdotconf/protocol/smb1unixextensions.xml
similarity index 78%
rename from docs-xml/smbdotconf/protocol/unixextensions.xml
rename to docs-xml/smbdotconf/protocol/smb1unixextensions.xml
index 61ae361ee52..b1fcf6b6dc8 100644
--- a/docs-xml/smbdotconf/protocol/unixextensions.xml
+++ b/docs-xml/smbdotconf/protocol/smb1unixextensions.xml
@@ -1,11 +1,12 @@
-<samba:parameter name="unix extensions"
+<samba:parameter name="smb1 unix extensions"
context="G"
type="boolean"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<synonym>unix extensions</synonym>
<description>
<para>This boolean parameter controls whether Samba
- implements the CIFS UNIX extensions, as defined by HP.
- These extensions enable Samba to better serve UNIX CIFS clients
+ implements the SMB1/CIFS UNIX extensions, as defined by HP.
+ These extensions enable Samba to better serve UNIX SMB1/CIFS clients
by supporting features such as symbolic links, hard links, etc...
These extensions require a similarly enabled client, and are of
no current use to Windows clients.</para>
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index a366870d1fe..199052c37a2 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -715,7 +715,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.lock_spin_time = WINDOWS_MINIMUM_LOCK_TIMEOUT_MS; /* msec. */
Globals.use_mmap = true;
Globals.unicode = true;
- Globals.unix_extensions = true;
+ Globals.smb1_unix_extensions = true;
Globals.reset_on_zero_vc = false;
Globals.log_writeable_files_on_exit = false;
Globals.create_krb5_conf = true;
@@ -4660,7 +4660,7 @@ void widelinks_warning(int snum)
return;
}
- if (lp_unix_extensions() && lp_wide_links(snum)) {
+ if (lp_smb1_unix_extensions() && lp_wide_links(snum)) {
DBG_ERR("Share '%s' has wide links and unix extensions enabled. "
"These parameters are incompatible. "
"Wide links will be disabled for this share.\n",
@@ -4671,7 +4671,7 @@ void widelinks_warning(int snum)
bool lp_widelinks(int snum)
{
/* wide links is always incompatible with unix extensions */
- if (lp_unix_extensions()) {
+ if (lp_smb1_unix_extensions()) {
/*
* Unless we have "allow insecure widelinks"
* turned on.
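Review bot: The comment `/* wide links is always incompatible with unix extensions */` in lp_widelinks() no longer matches the test beneath it, which after this rename consults only the SMB1 parameter. The commit message announces a separate "smb2 unix extensions" parameter, and nothing here reminds whoever adds it that this gate must take it into account; the same goes for widelinks_warning() in the previous hunk, whose DBG_ERR text still says "unix extensions". Otherwise wide links could stay enabled alongside the new extensions. I would reword the comment to `/* wide links is incompatible with smb1 unix extensions; any future smb2 unix extensions parameter must be checked here too */`. The body of lp_widelinks() continues past the end of the hunk.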
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index cd11c270f6b..14ce9a944fe 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -320,7 +320,7 @@ static NTSTATUS reply_nt1(struct smb_request *req, uint16_t choice)
capabilities |= CAP_UNICODE;
}
- if (lp_unix_extensions()) {
+ if (lp_smb1_unix_extensions()) {
capabilities |= CAP_UNIX;
}
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 6db17b8c685..4dcd4000b84 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -2103,23 +2103,18 @@ static NTSTATUS get_null_nt_acl(TALLOC_CTX *mem_ctx, struct security_descriptor
}
/****************************************************************************
- Reply to query a security descriptor.
- Callable from SMB1 and SMB2.
- If it returns NT_STATUS_BUFFER_TOO_SMALL, pdata_size is initialized with
- the required size.
+ Get a security descriptor from the file system, normalize for components
+ requested.
****************************************************************************/
-NTSTATUS smbd_do_query_security_desc(connection_struct *conn,
- TALLOC_CTX *mem_ctx,
- files_struct *fsp,
- uint32_t security_info_wanted,
- uint32_t max_data_count,
- uint8_t **ppmarshalled_sd,
- size_t *psd_size)
+static NTSTATUS smbd_fetch_security_desc(connection_struct *conn,
+ TALLOC_CTX *mem_ctx,
+ files_struct *fsp,
+ uint32_t security_info_wanted,
+ struct security_descriptor **ppsd)
{
NTSTATUS status;
struct security_descriptor *psd = NULL;
- TALLOC_CTX *frame = talloc_stackframe();
bool need_to_read_sd = false;
/*
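Review bot: The new header comment on smbd_fetch_security_desc() says nothing about the access checks that now live in this function. A SECINFO_SACL request is refused without SEC_FLAG_SYSTEM_SECURITY, and DACL/OWNER/GROUP requests are refused without SEC_STD_READ_CONTROL (both visible in the following hunk). Since the split is meant to let a descriptor be modified between fetch and marshal, the comment should state that the handle's access_mask is enforced here and that smbd_marshall_security_desc() performs no checks of its own, e.g. `Enforces fsp->access_mask against security_info_wanted; callers must not marshal a descriptor that was not obtained through this function.` It should also say that *ppsd is allocated on mem_ctx, is owned by the caller, and is only written on success. The function body continues outside this hunk.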
@@ -2129,14 +2124,12 @@ NTSTATUS smbd_do_query_security_desc(connection_struct *conn,
if ((security_info_wanted & SECINFO_SACL) &&
!(fsp->access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
DEBUG(10, ("Access to SACL denied.\n"));
- TALLOC_FREE(frame);
return NT_STATUS_ACCESS_DENIED;
}
if ((security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|SECINFO_GROUP)) &&
!(fsp->access_mask & SEC_STD_READ_CONTROL)) {
DEBUG(10, ("Access to DACL, OWNER, or GROUP denied.\n"));
- TALLOC_FREE(frame);
return NT_STATUS_ACCESS_DENIED;
}
@@ -2144,7 +2137,6 @@ NTSTATUS smbd_do_query_security_desc(connection_struct *conn,
if (!NT_STATUS_IS_OK(status)) {
DBG_DEBUG("ACL get on symlink %s denied.\n",
fsp_str_dbg(fsp));
- TALLOC_FREE(frame);
return status;
}
@@ -2176,13 +2168,12 @@ NTSTATUS smbd_do_query_security_desc(connection_struct *conn,
sd_fsp = fsp->base_fsp;
}
status = SMB_VFS_FGET_NT_ACL(
- sd_fsp, security_info_wanted, frame, &psd);
+ sd_fsp, security_info_wanted, mem_ctx, &psd);
} else {
- status = get_null_nt_acl(frame, &psd);
+ status = get_null_nt_acl(mem_ctx, &psd);
}
if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(frame);
return status;
}
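Review bot: Switching the allocation context from the stack frame to mem_ctx changes more than the lifetime of psd. Whatever SMB_VFS_FGET_NT_ACL() or get_null_nt_acl() parent to that context besides the returned descriptor used to be released with the frame on every return path, and now stays until the caller's mem_ctx is freed. smbd_do_query_security_desc() later frees only psd itself. Whether any VFS module allocates such extras cannot be told from this hunk, so it is worth confirming; the alternative is to allocate into a short-lived context and `talloc_move()` psd to mem_ctx on success. The surrounding function starts and ends outside this hunk.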
@@ -2219,32 +2210,80 @@ NTSTATUS smbd_do_query_security_desc(connection_struct *conn,
psd->type &= ~(SEC_DESC_DACL_PRESENT|SEC_DESC_SACL_PRESENT);
}
+ *ppsd = psd;
+ return NT_STATUS_OK;
+}
+
+/****************************************************************************
+ Write a securty descriptor into marshalled format.
+****************************************************************************/
+
+static NTSTATUS smbd_marshall_security_desc(TALLOC_CTX *mem_ctx,
+ files_struct *fsp,
+ struct security_descriptor *psd,
+ uint32_t max_data_count,
+ uint8_t **ppmarshalled_sd,
+ size_t *psd_size)
+{
*psd_size = ndr_size_security_descriptor(psd, 0);
- DEBUG(3,("smbd_do_query_security_desc: sd_size = %lu.\n",
- (unsigned long)*psd_size));
+ DBG_NOTICE("sd_size = %zu.\n", *psd_size);
if (DEBUGLEVEL >= 10) {
- DEBUG(10,("smbd_do_query_security_desc for file %s\n",
- fsp_str_dbg(fsp)));
+ DBG_DEBUG("security desc for file %s\n",
+ fsp_str_dbg(fsp));
NDR_PRINT_DEBUG(security_descriptor, psd);
}
if (max_data_count < *psd_size) {
- TALLOC_FREE(frame);
return NT_STATUS_BUFFER_TOO_SMALL;
}
- status = marshall_sec_desc(mem_ctx, psd,
- ppmarshalled_sd, psd_size);
+ return marshall_sec_desc(mem_ctx,
+ psd,
+ ppmarshalled_sd,
+ psd_size);
+}
+
+/****************************************************************************
+ Reply to query a security descriptor.
+ Callable from SMB1 and SMB2.
+ If it returns NT_STATUS_BUFFER_TOO_SMALL, psd_size is initialized with
+ the required size.
+****************************************************************************/
+
+NTSTATUS smbd_do_query_security_desc(connection_struct *conn,
+ TALLOC_CTX *mem_ctx,
+ files_struct *fsp,
+ uint32_t security_info_wanted,
+ uint32_t max_data_count,
+ uint8_t **ppmarshalled_sd,
+ size_t *psd_size)
+{
+ NTSTATUS status;
+ struct security_descriptor *psd = NULL;
+
+ /*
+ * Get the permissions to return.
+ */
+ status = smbd_fetch_security_desc(conn,
+ mem_ctx,
+ fsp,
+ security_info_wanted,
+ &psd);
if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(frame);
return status;
}
- TALLOC_FREE(frame);
- return NT_STATUS_OK;
+ status = smbd_marshall_security_desc(mem_ctx,
+ fsp,
+ psd,
+ max_data_count,
+ ppmarshalled_sd,
+ psd_size);
+ TALLOC_FREE(psd);
+ return status;
}
/****************************************************************************
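Review bot: The comment above smbd_marshall_security_desc() misspells "security" and omits the contract callers depend on. *psd_size is written before the size check, so on NT_STATUS_BUFFER_TOO_SMALL it holds the required size, while *ppmarshalled_sd is not assigned by this function. I would write it as `Write a security descriptor into marshalled format. On NT_STATUS_BUFFER_TOO_SMALL *psd_size holds the required size and *ppmarshalled_sd is not set.` In smbd_do_query_security_desc() a failure from smbd_fetch_security_desc() returns before either output is written, so its header comment could add that psd_size is meaningful only on success or BUFFER_TOO_SMALL. fsp is used in the marshal helper only for the debug output.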
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index ac5f253b353..7886e48279e 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -4293,7 +4293,7 @@ static size_t calc_max_read_pdu(const struct smb_request *req)
return 0x1FFFF;
}
- if (!lp_unix_extensions()) {
+ if (!lp_smb1_unix_extensions()) {
return 0x1FFFF;
}
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index a4ff1844e64..456b928a4c4 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -2720,7 +2720,7 @@ static void call_trans2findfirst(connection_struct *conn,
break;
case SMB_FIND_FILE_UNIX:
case SMB_FIND_FILE_UNIX_INFO2:
- if (!lp_unix_extensions()) {
+ if (!lp_smb1_unix_extensions()) {
reply_nterror(req, NT_STATUS_INVALID_LEVEL);
goto out;
}
@@ -3190,7 +3190,7 @@ resume_key = %d resume name = %s continue=%d level = %d\n",
case SMB_FIND_FILE_UNIX_INFO2:
/* Always use filesystem for UNIX mtime query. */
ask_sharemode = false;
- if (!lp_unix_extensions()) {
+ if (!lp_smb1_unix_extensions()) {
reply_nterror(req, NT_STATUS_INVALID_LEVEL);
return;
}
@@ -3918,7 +3918,7 @@ cBytesSector=%u, cUnitTotal=%u, cUnitAvail=%d\n", (unsigned int)bsize, (unsigned
bool large_read = !srv_is_signing_active(xconn);
int encrypt_caps = 0;
- if (!lp_unix_extensions()) {
+ if (!lp_smb1_unix_extensions()) {
return NT_STATUS_INVALID_LEVEL;
}
@@ -3964,7 +3964,7 @@ cBytesSector=%u, cUnitTotal=%u, cUnitAvail=%d\n", (unsigned int)bsize, (unsigned
int rc;
vfs_statvfs_struct svfs;
- if (!lp_unix_extensions()) {
+ if (!lp_smb1_unix_extensions()) {
return NT_STATUS_INVALID_LEVEL;
}
@@ -3998,7 +3998,7 @@ cBytesSector=%u, cUnitTotal=%u, cUnitAvail=%d\n", (unsigned int)bsize, (unsigned
uint32_t sid_bytes;
uint32_t i;
- if (!lp_unix_extensions()) {
+ if (!lp_smb1_unix_extensions()) {
return NT_STATUS_INVALID_LEVEL;
}
@@ -4303,7 +4303,7 @@ static void call_trans2setfsinfo(connection_struct *conn,
switch(info_level) {
case SMB_SET_CIFS_UNIX_INFO:
- if (!lp_unix_extensions()) {
+ if (!lp_smb1_unix_extensions()) {
DEBUG(2,("call_trans2setfsinfo: "
"SMB_SET_CIFS_UNIX_INFO is invalid with "
"unix extensions off\n"));
@@ -4359,7 +4359,7 @@ static void call_trans2setfsinfo(connection_struct *conn,
size_t param_len = 0;
size_t data_len = total_data;
- if (!lp_unix_extensions()) {
+ if (!lp_smb1_unix_extensions()) {
reply_nterror(
req,
NT_STATUS_INVALID_LEVEL);
@@ -5163,7 +5163,7 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn,
size_t len = 0;
if (INFO_LEVEL_IS_UNIX(info_level)) {
- if (!lp_unix_extensions()) {
+ if (!lp_smb1_unix_extensions()) {
return NT_STATUS_INVALID_LEVEL;
}
if (!req->posix_pathnames) {
@@ -5983,7 +5983,7 @@ static void call_trans2qfilepathinfo(connection_struct *conn,
DEBUG(3,("call_trans2qfilepathinfo: TRANSACT2_QFILEINFO: level = %d\n", info_level));
if (INFO_LEVEL_IS_UNIX(info_level)) {
- if (!lp_unix_extensions()) {
+ if (!lp_smb1_unix_extensions()) {
reply_nterror(req, NT_STATUS_INVALID_LEVEL);
return;
}
@@ -6066,7 +6066,7 @@ static void call_trans2qfilepathinfo(connection_struct *conn,
DEBUG(3,("call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = %d\n", info_level));
if (INFO_LEVEL_IS_UNIX(info_level)) {
- if (!lp_unix_extensions()) {
+ if (!lp_smb1_unix_extensions()) {
reply_nterror(req, NT_STATUS_INVALID_LEVEL);
return;
}
@@ -9052,7 +9052,7 @@ NTSTATUS smbd_do_setfilepathinfo(connection_struct *conn,
int data_return_size = 0;
if (INFO_LEVEL_IS_UNIX(info_level)) {
- if (!lp_unix_extensions()) {
+ if (!lp_smb1_unix_extensions()) {
return NT_STATUS_INVALID_LEVEL;
}
if (!req->posix_pathnames) {
@@ -9280,7 +9280,7 @@ static void call_trans2setfilepathinfo(connection_struct *conn,
info_level = SVAL(params,2);
if (INFO_LEVEL_IS_UNIX(info_level)) {
- if (!lp_unix_extensions()) {
+ if (!lp_smb1_unix_extensions()) {
reply_nterror(req, NT_STATUS_INVALID_LEVEL);
return;
}
@@ -9359,7 +9359,7 @@ static void call_trans2setfilepathinfo(connection_struct *conn,
info_level = SVAL(params,0);
if (INFO_LEVEL_IS_UNIX(info_level)) {
- if (!lp_unix_extensions()) {
+ if (!lp_smb1_unix_extensions()) {
reply_nterror(req, NT_STATUS_INVALID_LEVEL);
return;
}
--
Samba Shared Repository