[PATCH] Allow stat call with capability in vfs_gpfs

Thu Oct 10 05:10:58 MDT 2013

Hi Volker,

Thanks, I removed it as per your suggestion. Please find new patch

Thanks and Regards
Abhidnya
__________________

On Wed, Oct 09, 2013 at 07:31:49AM -0700, Christof Schmitt wrote:
> Hi Abhidnya,
>
> On Wed, Oct 09, 2013 at 10:14:36AM +0530, Abhidnya S Joshi wrote:
> > Please find attached patch to handle stat call in vfs_gpfs using
> > capability. stat call will not succeed if READ_ATTR (nfsv4 perm) is 
not
> > allowed in GPFS but will succeed in NTFS.
>
> [...]
> --- a/source3/modules/vfs_gpfs.c
> +++ b/source3/modules/vfs_gpfs.c
> @@ -1238,9 +1238,13 @@ static int vfs_gpfs_stat(struct vfs_handle_struct 
*handle,
>                               return -1);
>
>       ret = SMB_VFS_NEXT_STAT(handle, smb_fname);
> -     if (ret == -1) {
> -             return -1;
> +     if (ret == -1 && errno == EACCES) {
> +             set_effective_capability(DAC_READ_CAPABILITY);
> +             ret = SMB_VFS_NEXT_STAT(handle, smb_fname);
> +             drop_effective_capability(DAC_READ_CAPABILITY);
>       }
> +     if (ret == -1)
> +             return -1;
>
>       if (!config->winattr) {
>               return 0;
> @@ -1274,6 +1278,11 @@ static int vfs_gpfs_fstat(struct 
vfs_handle_struct *handle,
>                               return -1);
>
>       ret = SMB_VFS_NEXT_FSTAT(handle, fsp, sbuf);
> +     if (ret == -1 && errno == EACCES) {
> +             set_effective_capability(DAC_READ_CAPABILITY);
> +             ret = SMB_VFS_NEXT_FSTAT(handle, fsp, sbuf);
> +             drop_effective_capability(DAC_READ_CAPABILITY);
> +     }
>       if (ret == -1) {
>               return -1;
>       }
> @@ -1307,6 +1316,11 @@ static int vfs_gpfs_lstat(struct 
vfs_handle_struct *handle,
>                               return -1);
>
>       ret = SMB_VFS_NEXT_LSTAT(handle, smb_fname);
> +     if (ret == -1 && errno == EACCES) {
> +             set_effective_capability(DAC_READ_CAPABILITY);
> +             ret = SMB_VFS_NEXT_LSTAT(handle, smb_fname);
> +             drop_effective_capability(DAC_READ_CAPABILITY);
> +     }
>       if (ret == -1) {
>               return -1;
>       }
>
> Overall this looks good. Is there a reason for trying the stat calls
> twice, first without setting the capability and if that fails again
> while setting the capability? Always setting the capability for a stat
> call would save some lines of code.

... at a performance penalty for the normal case. We're
already doing a lot of syscalls :-)

One question I have: Is the fstat flavor required? Can you
open a file that you don't have READ_ATTR privileges for?

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

*****************************************************************
visit us on it-sa:IT security exhibitions in Nürnberg, Germany
October 8th - 10th 2013, hall 12, booth 333
free tickets available via code 270691 on: www.it-sa.de/gutschein
******************************************************************

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s3-Allow-stat-call-with-capability-in-vfs_gpfs.patch
Type: application/octet-stream
Size: 2215 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20131010/75424df6/attachment.obj>