[SCM] Samba Shared Repository - branch master updated

Ralph Böhme slow at samba.org
Fri Jan 26 11:31:01 UTC 2024


The branch, master has been updated
       via  d63e972aa09 WHATSNEW: Add entry for new save/restore options for smbcacls
       via  a9028f25e6a WHATSNEW: Add entry for wspsearch client utility
       via  49b6137f7c2 s3: Make build of wspsearch client enabled by default
       via  697d41420b4 Revert "vfs_acl_xattr.c: prefer capabilities over become_root"
      from  39e3300b8d8 smbd: Some README.Coding in smbd_do_qfilepathinfo()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d63e972aa098a2bd0f76f03734c8d0790857b605
Author: Noel Power <noel.power at suse.com>
Date:   Tue Jan 9 11:02:28 2024 +0000

    WHATSNEW: Add entry for new save/restore options for smbcacls
    
    Signed-off-by: Noel Power <noel.power at suse.com>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Fri Jan 26 11:30:07 UTC 2024 on atb-devel-224

commit a9028f25e6a7251b104d11aab3c4d0494c086c7b
Author: Noel Power <noel.power at suse.com>
Date:   Mon Jan 8 17:01:26 2024 +0000

    WHATSNEW: Add entry for wspsearch client utility
    
    Signed-off-by: Noel Power <noel.power at suse.com>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 49b6137f7c2244aeb3cf9b65fc9d46fcf0b8dc55
Author: Noel Power <noel.power at suse.com>
Date:   Mon Jan 8 16:45:16 2024 +0000

    s3: Make build of wspsearch client enabled by default
    
    Although wspsearch client is experimental it is probably better to
    enable its building by default so it gets some opportunity to be
    used/tested by users.
    
    Signed-off-by: Noel Power <noel.power at suse.com>

commit 697d41420b4f4830396acfbc96bd1f1c1f0531f4
Author: Anoop C S <anoopcs at samba.org>
Date:   Wed Jan 24 15:06:53 2024 +0530

    Revert "vfs_acl_xattr.c: prefer capabilities over become_root"
    
    This reverts commit 0e3836e3961f2b7c39173ce1023d3c92addef630.
    
    With capabilities preferred over become_root() we failed to achieve
    the basic goal of storing NT ACLs in xattrs using vfs_acl_xattr. This
    is due to the fact that apart from CAP_DAC_OVERRIDE it is mandatory
    to have CAP_SYS_ADMIN for write access to xattrs from security
    namespace[1]. Despite the option to configure the xattr name within
    the module we should not anticipate and miss to consider xattrs from
    security namespace which is far more protected even with our default
    name "security.NTACL".
    
    Theoretically we could make it work by adding another capability on
    top of existing ones. But given the functions designed around this
    area we may not be able to come up with a cleaner change which can
    handle the fallback mechanism to become_root(). Any failure to set
    the very first capability would put us in become_root() path where
    further capabilities are mostly not required. Thus reverting to old
    behaviour to always become_root() until we have a cleaner approach
    to handle the fallback while modifying multiple capabilities at once.
    
    [1] https://www.man7.org/linux/man-pages/man7/xattr.7.html
    
    Signed-off-by: Anoop C S <anoopcs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                    | 27 +++++++++++++++++++++++++++
 source3/modules/vfs_acl_xattr.c | 12 ++++++------
 source3/wscript                 |  2 +-
 3 files changed, 34 insertions(+), 7 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index aba6726840c..e2bd54a1d01 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -81,6 +81,33 @@ Supported operations include:
    credentials cache with a new command
    "samba-tool user get-kerberos-ticket"
 
+New Windows Search Protocol Client
+----------------------------------
+
+Samba now by default builds new experimental Windows Search Protocol (WSP)
+command line client "wspsearch"
+
+The "wspsearch" cmd-line utility allows a WSP search request to be sent
+to a server (such as a windows server) that has the (WSP)
+Windows Search Protocol service configured and enabled.
+
+For more details see the wspsearch man page.
+
+Allow 'smbcacls' to save/restore DACLs to file
+--------------------------------------------
+
+'smbcacls' has been extended to allow DACLs to be saved and restored
+to/from a file. This feature mimics the functionality that windows cmd
+line tool 'icacls.exe' provides. Additionally files created either
+by 'smbcalcs' or 'icacls.exe' are interchangeable and can be used by
+either tool as the same file format is used.
+
+New options added are:
+ - '--save savefile'    Saves DACLs in sddl format to file
+ - '--recurse'          Performs the '--save' operation above on directory
+                        and all files/directories below.
+ - '--restore savefile' Restores the stored DACLS to files in directory
+
 REMOVED FEATURES
 ================
 
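Review bot: the added line "by 'smbcalcs' or 'icacls.exe' are interchangeable" misspells the tool name; it should read 'smbcacls', as in the section heading and the sentence above it. Smaller wording points in the same hunk: the sentence ending in command line client "wspsearch" has no closing period, "windows" is lower-case in "windows server" and "windows cmd line tool", and the option list writes "DACLS" where the rest of the entry writes "DACLs".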
diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c
index ee247a312f7..1a3ab34d659 100644
--- a/source3/modules/vfs_acl_xattr.c
+++ b/source3/modules/vfs_acl_xattr.c
@@ -46,12 +46,12 @@ static ssize_t getxattr_do(vfs_handle_struct *handle,
 	ssize_t sizeret;
 	int saved_errno = 0;
 
-	set_effective_capability(DAC_OVERRIDE_CAPABILITY);
+	become_root();
 	sizeret = SMB_VFS_FGETXATTR(fsp, xattr_name, val, size);
 	if (sizeret == -1) {
 		saved_errno = errno;
 	}
-	drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
+	unbecome_root();
 
 	if (saved_errno != 0) {
 		errno = saved_errno;
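Review bot: in getxattr_do() the revert also puts the read path (SMB_VFS_FGETXATTR) back under become_root(), while the commit message argues only from write access to xattrs in the security namespace. If the read is restored simply to keep the revert whole, say so in the message or in a comment above become_root(); otherwise a later cleanup cannot tell whether full root is actually required at this call. Saving errno before unbecome_root() is ordered correctly and should stay that way.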
@@ -132,13 +132,13 @@ static NTSTATUS store_acl_blob_fsp(vfs_handle_struct *handle,
 	DEBUG(10,("store_acl_blob_fsp: storing blob length %u on file %s\n",
 		  (unsigned int)pblob->length, fsp_str_dbg(fsp)));
 
-	set_effective_capability(DAC_OVERRIDE_CAPABILITY);
+	become_root();
 	ret = SMB_VFS_FSETXATTR(fsp, XATTR_NTACL_NAME,
 			pblob->data, pblob->length, 0);
 	if (ret) {
 		saved_errno = errno;
 	}
-	drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
+	unbecome_root();
 	if (ret) {
 		DEBUG(5, ("store_acl_blob_fsp: setting attr failed for file %s"
 			"with error %s\n",
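Review bot: the become_root() ahead of SMB_VFS_FSETXATTR in store_acl_blob_fsp() needs a short comment carrying the reason from the commit message, namely that writing an xattr in the security namespace (the default "security.NTACL") requires CAP_SYS_ADMIN in addition to CAP_DAC_OVERRIDE. Without it this call reads as an obvious candidate for the same capability narrowing that is being reverted here. Separately, the adjacent literals "for file %s" and "with error %s\n" in the DEBUG(5, ...) context lines concatenate without a space between them.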
@@ -175,9 +175,9 @@ static int sys_acl_set_fd_xattr(vfs_handle_struct *handle,
 		return 0;
 	}
 
-	set_effective_capability(DAC_OVERRIDE_CAPABILITY);
+	become_root();
 	SMB_VFS_FREMOVEXATTR(fsp, XATTR_NTACL_NAME);
-	drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
+	unbecome_root();
 
 	return 0;
 }
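Review bot: in sys_acl_set_fd_xattr() the result of SMB_VFS_FREMOVEXATTR(fsp, XATTR_NTACL_NAME) is discarded and the function returns 0 regardless, so a removal that fails while running as root leaves no trace. Consider capturing the return value and errno before unbecome_root(), as the other two call sites in this file do, and logging unexpected failures at a debug level.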
diff --git a/source3/wscript b/source3/wscript
index 42af1f44975..12394ef84b1 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -100,7 +100,7 @@ def options(opt):
 
     # default = None means autodetection
     opt.samba_add_onoff_option('spotlight', with_name="enable", without_name="disable", default=None)
-    opt.samba_add_onoff_option('wsp', with_name="enable", without_name="disable", default=False)
+    opt.samba_add_onoff_option('wsp', with_name="enable", without_name="disable", default=True)
 
 def configure(conf):
     default_static_modules = []
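Review bot: the changed 'wsp' line now sits directly under the comment "# default = None means autodetection" with default=True, so that comment describes only the 'spotlight' option above it. Give the 'wsp' option its own comment stating that the client is experimental and built by default, and have the WHATSNEW entry mention the disable option so that packagers who do not want to ship an experimental client know how to turn it off.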


-- 
Samba Shared Repository