[PATCH] Fix bug 10196 - RW Deny for a specific user is not overriding RW Allow for a group.
Jeremy Allison
jra at samba.org
Wed Oct 23 16:12:02 MDT 2013
On Wed, Oct 23, 2013 at 01:50:03PM +0200, David Disseldorp wrote:
> Hi Jeremy,
>
> On Tue, 22 Oct 2013 10:52:55 -0700
> Jeremy Allison <jra at samba.org> wrote:
>
> > Here is a fix for a POSIX ACL mapping problem when winbindd
> > returns an ID_TYPE_BOTH id to smbd.
> >
> > Confirmed as fixing the problem by the reporter.
> >
> > It is just removing the "if (unixid.id == pst->st_ex_uid)"
> > condition that was previously tested before adding the
> > specific user id ACE and now always adds it if the type
> > is ID_TYPE_BOTH. Only applies to ACL set.
> >
> > Please review !
>
> The code looks okay, but test_setntacl_policies_check_getposixacl fails
> with MismatchError: 15 != 10 at:
>
> 590 def test_setntacl_policies_check_getposixacl(self):
> ...
> 624 self.assertEquals(posix_acl.count, 10)
>
> I expect it should account for the new ID_TYPE_BOTH entries.
Updated patch that fixes the test as well as the underlying
code (and also fixes the comment showing how to print out POSIX ACE entries :-).
Please review.
Thanks !
Jeremy.
-------------- next part --------------
From 46dbade0287d4705c0748557eb6e36a34f6568e3 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Mon, 21 Oct 2013 16:59:11 -0700
Subject: [PATCH 1/3] Fix bug 10196 - RW Deny for a specific user is not
overriding RW Allow for a group.
When the ID returned is ID_TYPE_BOTH we must *always* add it as both
a user and a group, not just in the owning case. Otherwise DENY
entries are not correctly processed.
Confirmed by the reporter as fixing the problem.
Signed-off-by: Jeremy Allison <jra at samba.org>
---
source3/smbd/posix_acls.c | 79 ++++++++++++++++++++++++-----------------------
1 file changed, 41 insertions(+), 38 deletions(-)
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index ad1431d..621457e 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1981,47 +1981,50 @@ static bool create_canon_ace_lists(files_struct *fsp,
}
if (unixid.type == ID_TYPE_BOTH) {
- /* If it's the owning user, this is a
- * user_obj, not a user. This way, we
- * get a valid ACL for groups that own
- * files, without putting user ACL
- * entries in for groups otherwise */
- if (unixid.id == pst->st_ex_uid) {
- current_ace->owner_type = UID_ACE;
- current_ace->unix_ug.type = ID_TYPE_UID;
- current_ace->unix_ug.id = unixid.id;
- current_ace->type = SMB_ACL_USER_OBJ;
-
- /* Add the user object to the posix ACL,
- and proceed to the group mapping
- below. This handles the talloc_free
- of current_ace if not added for some
- reason */
- if (!add_current_ace_to_acl(fsp,
- psa,
- &file_ace,
- &dir_ace,
- &got_file_allow,
- &got_dir_allow,
- &all_aces_are_inherit_only,
- current_ace)) {
- free_canon_ace_list(file_ace);
- free_canon_ace_list(dir_ace);
- return false;
- }
-
- if ((current_ace = talloc(talloc_tos(),
- canon_ace)) == NULL) {
- free_canon_ace_list(file_ace);
- free_canon_ace_list(dir_ace);
- DEBUG(0,("create_canon_ace_lists: "
- "malloc fail.\n"));
- return False;
- }
+ /*
+ * We must add both a user and group
+ * entry POSIX_ACL.
+ * This is due to the fact that in POSIX
+ * user entries are more specific than
+ * groups.
+ */
+ current_ace->owner_type = UID_ACE;
+ current_ace->unix_ug.type = ID_TYPE_UID;
+ current_ace->unix_ug.id = unixid.id;
+ current_ace->type =
+ (unixid.id == pst->st_ex_uid) ?
+ SMB_ACL_USER_OBJ :
+ SMB_ACL_USER;
+
+ /* Add the user object to the posix ACL,
+ and proceed to the group mapping
+ below. This handles the talloc_free
+ of current_ace if not added for some
+ reason */
+ if (!add_current_ace_to_acl(fsp,
+ psa,
+ &file_ace,
+ &dir_ace,
+ &got_file_allow,
+ &got_dir_allow,
+ &all_aces_are_inherit_only,
+ current_ace)) {
+ free_canon_ace_list(file_ace);
+ free_canon_ace_list(dir_ace);
+ return false;
+ }
- ZERO_STRUCTP(current_ace);
+ if ((current_ace = talloc(talloc_tos(),
+ canon_ace)) == NULL) {
+ free_canon_ace_list(file_ace);
+ free_canon_ace_list(dir_ace);
+ DEBUG(0,("create_canon_ace_lists: "
+ "malloc fail.\n"));
+ return False;
}
+ ZERO_STRUCTP(current_ace);
+
sid_copy(¤t_ace->trustee, &psa->trustee);
current_ace->unix_ug.type = ID_TYPE_GID;
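Review bot: The comment `/* Add the user object to the posix ACL, and proceed to the group mapping below ... */` is now stale: with the ternary on `current_ace->type` the entry is `SMB_ACL_USER` for every non-owning ID_TYPE_BOTH id and `SMB_ACL_USER_OBJ` only for the owner, so it should read along the lines of `/* Add the user entry (user_obj if this id owns the file) to the posix ACL, then fall through to the group mapping below. ... */`. The new comment above it would also be more useful if it said why the removed concern about "user ACL entries for groups" no longer applies — that an ID_TYPE_BOTH id is valid as both a uid and a gid, and, per the commit message, that a DENY ACE mapped only to a group entry is not applied ahead of the more specific user match. The two early returns in the same block mix `return false;` and `return False;`; pick one, `return false;`, as the first already does. create_canon_ace_lists starts and ends outside this hunk.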
--
1.8.4.1
From 2080baf927ad89bf3ec2a6241e9a709d2e580d8c Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Wed, 23 Oct 2013 15:06:40 -0700
Subject: [PATCH 2/3] Fix bug 10196 - RW Deny for a specific user is not
overriding RW Allow for a group.
Fix posix_acl tests to match the change in writing ACLs
with ID_TYPE_BOTH.
Signed-off-by: Jeremy Allison <jra at samba.org>
---
python/samba/tests/posixacl.py | 160 +++++++++++++++++++++++++++++------------
1 file changed, 116 insertions(+), 44 deletions(-)
diff --git a/python/samba/tests/posixacl.py b/python/samba/tests/posixacl.py
index f3a4772..bb104f7 100644
--- a/python/samba/tests/posixacl.py
+++ b/python/samba/tests/posixacl.py
@@ -336,7 +336,7 @@ class PosixAclMappingTests(TestCaseInTempDir):
(AU_gid,AU_type) = s4_passdb.sid_to_id(AU_sid)
self.assertEquals(AU_type, idmap.ID_TYPE_BOTH)
- self.assertEquals(posix_acl.count, 9)
+ self.assertEquals(posix_acl.count, 13)
self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
self.assertEquals(posix_acl.acl[0].a_perm, 7)
@@ -352,23 +352,39 @@ class PosixAclMappingTests(TestCaseInTempDir):
self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
self.assertEquals(posix_acl.acl[3].a_perm, 6)
- self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
+ self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_USER)
self.assertEquals(posix_acl.acl[4].a_perm, 7)
+ self.assertEquals(posix_acl.acl[4].info.uid, BA_gid)
- self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP)
- self.assertEquals(posix_acl.acl[5].a_perm, 5)
- self.assertEquals(posix_acl.acl[5].info.gid, SO_gid)
+ self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
+ self.assertEquals(posix_acl.acl[5].a_perm, 7)
- self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_GROUP)
- self.assertEquals(posix_acl.acl[6].a_perm, 7)
- self.assertEquals(posix_acl.acl[6].info.gid, SY_gid)
+ self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_USER)
+ self.assertEquals(posix_acl.acl[6].a_perm, 5)
+ self.assertEquals(posix_acl.acl[6].info.uid, SO_gid)
self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
self.assertEquals(posix_acl.acl[7].a_perm, 5)
- self.assertEquals(posix_acl.acl[7].info.gid, AU_gid)
+ self.assertEquals(posix_acl.acl[7].info.gid, SO_gid)
- self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_MASK)
+ self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_USER)
self.assertEquals(posix_acl.acl[8].a_perm, 7)
+ self.assertEquals(posix_acl.acl[8].info.uid, SY_gid)
+
+ self.assertEquals(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_GROUP)
+ self.assertEquals(posix_acl.acl[9].a_perm, 7)
+ self.assertEquals(posix_acl.acl[9].info.gid, SY_gid)
+
+ self.assertEquals(posix_acl.acl[10].a_type, smb_acl.SMB_ACL_USER)
+ self.assertEquals(posix_acl.acl[10].a_perm, 5)
+ self.assertEquals(posix_acl.acl[10].info.uid, AU_gid)
+
+ self.assertEquals(posix_acl.acl[11].a_type, smb_acl.SMB_ACL_GROUP)
+ self.assertEquals(posix_acl.acl[11].a_perm, 5)
+ self.assertEquals(posix_acl.acl[11].info.gid, AU_gid)
+
+ self.assertEquals(posix_acl.acl[12].a_type, smb_acl.SMB_ACL_MASK)
+ self.assertEquals(posix_acl.acl[12].a_perm, 7)
# check that it matches:
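Review bot: The re-baselined expectations are now ~40 lines of positional `posix_acl.acl[i]` assertions repeated almost verbatim in this hunk and in the hunks at `@@ -470,23 +486,39 @@`, `@@ -550,27 +582,47 @@` and `@@ -637,27 +689,47 @@`, with the hard-coded `posix_acl.count` values in the four small hunks that precede them; a mismatch reports only one failing index and the count must be kept in sync by hand. A small helper that takes a list of `(a_type, a_perm, id)` tuples and derives the count from `len(expected)` would make each test read as the ACL it expects, and would have caught the count drift David reported. As far as the visible hunks show, the changes only adjust the existing allow-only expectations; I can't see whether the file has a case for the DENY-on-user-over-ALLOW-on-group scenario in the subject, and one would be worth adding alongside this re-baseline. The test methods themselves start outside these hunks.
```python
    def _assert_posix_acl(self, posix_acl, expected):
        """Check posix_acl against a list of (a_type, a_perm, id) tuples.

        id is compared as info.uid for SMB_ACL_USER entries and as
        info.gid for SMB_ACL_GROUP entries; it is ignored otherwise.
        """
        self.assertEquals(posix_acl.count, len(expected))
        for i, (a_type, a_perm, ident) in enumerate(expected):
            entry = posix_acl.acl[i]
            self.assertEquals((i, entry.a_type, entry.a_perm), (i, a_type, a_perm))
            if a_type == smb_acl.SMB_ACL_USER:
                self.assertEquals(entry.info.uid, ident)
            elif a_type == smb_acl.SMB_ACL_GROUP:
                self.assertEquals(entry.info.gid, ident)
```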
@@ -454,7 +470,7 @@ class PosixAclMappingTests(TestCaseInTempDir):
(AU_gid,AU_type) = s4_passdb.sid_to_id(AU_sid)
self.assertEquals(AU_type, idmap.ID_TYPE_BOTH)
- self.assertEquals(posix_acl.count, 9)
+ self.assertEquals(posix_acl.count, 13)
self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
self.assertEquals(posix_acl.acl[0].a_perm, 7)
@@ -470,23 +486,39 @@ class PosixAclMappingTests(TestCaseInTempDir):
self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
self.assertEquals(posix_acl.acl[3].a_perm, 7)
- self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
+ self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_USER)
self.assertEquals(posix_acl.acl[4].a_perm, 7)
+ self.assertEquals(posix_acl.acl[4].info.uid, BA_gid)
- self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP)
- self.assertEquals(posix_acl.acl[5].a_perm, 5)
- self.assertEquals(posix_acl.acl[5].info.gid, SO_gid)
+ self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
+ self.assertEquals(posix_acl.acl[5].a_perm, 7)
- self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_GROUP)
- self.assertEquals(posix_acl.acl[6].a_perm, 7)
- self.assertEquals(posix_acl.acl[6].info.gid, SY_gid)
+ self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_USER)
+ self.assertEquals(posix_acl.acl[6].a_perm, 5)
+ self.assertEquals(posix_acl.acl[6].info.uid, SO_gid)
self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
self.assertEquals(posix_acl.acl[7].a_perm, 5)
- self.assertEquals(posix_acl.acl[7].info.gid, AU_gid)
+ self.assertEquals(posix_acl.acl[7].info.gid, SO_gid)
- self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_MASK)
+ self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_USER)
self.assertEquals(posix_acl.acl[8].a_perm, 7)
+ self.assertEquals(posix_acl.acl[8].info.uid, SY_gid)
+
+ self.assertEquals(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_GROUP)
+ self.assertEquals(posix_acl.acl[9].a_perm, 7)
+ self.assertEquals(posix_acl.acl[9].info.gid, SY_gid)
+
+ self.assertEquals(posix_acl.acl[10].a_type, smb_acl.SMB_ACL_USER)
+ self.assertEquals(posix_acl.acl[10].a_perm, 5)
+ self.assertEquals(posix_acl.acl[10].info.uid, AU_gid)
+
+ self.assertEquals(posix_acl.acl[11].a_type, smb_acl.SMB_ACL_GROUP)
+ self.assertEquals(posix_acl.acl[11].a_perm, 5)
+ self.assertEquals(posix_acl.acl[11].info.gid, AU_gid)
+
+ self.assertEquals(posix_acl.acl[12].a_type, smb_acl.SMB_ACL_MASK)
+ self.assertEquals(posix_acl.acl[12].a_perm, 7)
# check that it matches:
@@ -534,7 +566,7 @@ class PosixAclMappingTests(TestCaseInTempDir):
(PA_gid,PA_type) = s4_passdb.sid_to_id(PA_sid)
self.assertEquals(PA_type, idmap.ID_TYPE_BOTH)
- self.assertEquals(posix_acl.count, 10)
+ self.assertEquals(posix_acl.count, 15)
self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
self.assertEquals(posix_acl.acl[0].a_perm, 7)
@@ -550,27 +582,47 @@ class PosixAclMappingTests(TestCaseInTempDir):
self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
self.assertEquals(posix_acl.acl[3].a_perm, 7)
- self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
+ self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_USER)
self.assertEquals(posix_acl.acl[4].a_perm, 7)
+ self.assertEquals(posix_acl.acl[4].info.uid, BA_gid)
- self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP)
- self.assertEquals(posix_acl.acl[5].a_perm, 5)
- self.assertEquals(posix_acl.acl[5].info.gid, SO_gid)
+ self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
+ self.assertEquals(posix_acl.acl[5].a_perm, 7)
- self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_GROUP)
- self.assertEquals(posix_acl.acl[6].a_perm, 7)
- self.assertEquals(posix_acl.acl[6].info.gid, SY_gid)
+ self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_USER)
+ self.assertEquals(posix_acl.acl[6].a_perm, 5)
+ self.assertEquals(posix_acl.acl[6].info.uid, SO_gid)
self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
self.assertEquals(posix_acl.acl[7].a_perm, 5)
- self.assertEquals(posix_acl.acl[7].info.gid, AU_gid)
+ self.assertEquals(posix_acl.acl[7].info.gid, SO_gid)
- self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_GROUP)
+ self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_USER)
self.assertEquals(posix_acl.acl[8].a_perm, 7)
- self.assertEquals(posix_acl.acl[8].info.gid, PA_gid)
+ self.assertEquals(posix_acl.acl[8].info.uid, SY_gid)
- self.assertEquals(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_MASK)
+ self.assertEquals(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_GROUP)
self.assertEquals(posix_acl.acl[9].a_perm, 7)
+ self.assertEquals(posix_acl.acl[9].info.gid, SY_gid)
+
+ self.assertEquals(posix_acl.acl[10].a_type, smb_acl.SMB_ACL_USER)
+ self.assertEquals(posix_acl.acl[10].a_perm, 5)
+ self.assertEquals(posix_acl.acl[10].info.uid, AU_gid)
+
+ self.assertEquals(posix_acl.acl[11].a_type, smb_acl.SMB_ACL_GROUP)
+ self.assertEquals(posix_acl.acl[11].a_perm, 5)
+ self.assertEquals(posix_acl.acl[11].info.gid, AU_gid)
+
+ self.assertEquals(posix_acl.acl[12].a_type, smb_acl.SMB_ACL_USER)
+ self.assertEquals(posix_acl.acl[12].a_perm, 7)
+ self.assertEquals(posix_acl.acl[12].info.uid, PA_gid)
+
+ self.assertEquals(posix_acl.acl[13].a_type, smb_acl.SMB_ACL_GROUP)
+ self.assertEquals(posix_acl.acl[13].a_perm, 7)
+ self.assertEquals(posix_acl.acl[13].info.gid, PA_gid)
+
+ self.assertEquals(posix_acl.acl[14].a_type, smb_acl.SMB_ACL_MASK)
+ self.assertEquals(posix_acl.acl[14].a_perm, 7)
# check that it matches:
@@ -621,7 +673,7 @@ class PosixAclMappingTests(TestCaseInTempDir):
(PA_gid,PA_type) = s4_passdb.sid_to_id(PA_sid)
self.assertEquals(PA_type, idmap.ID_TYPE_BOTH)
- self.assertEquals(posix_acl.count, 10)
+ self.assertEquals(posix_acl.count, 15)
self.assertEquals(posix_acl.acl[0].a_type, smb_acl.SMB_ACL_GROUP)
self.assertEquals(posix_acl.acl[0].a_perm, 7)
@@ -637,27 +689,47 @@ class PosixAclMappingTests(TestCaseInTempDir):
self.assertEquals(posix_acl.acl[3].a_type, smb_acl.SMB_ACL_USER_OBJ)
self.assertEquals(posix_acl.acl[3].a_perm, 6)
- self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
+ self.assertEquals(posix_acl.acl[4].a_type, smb_acl.SMB_ACL_USER)
self.assertEquals(posix_acl.acl[4].a_perm, 7)
+ self.assertEquals(posix_acl.acl[4].info.uid, BA_gid)
- self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP)
- self.assertEquals(posix_acl.acl[5].a_perm, 5)
- self.assertEquals(posix_acl.acl[5].info.gid, SO_gid)
+ self.assertEquals(posix_acl.acl[5].a_type, smb_acl.SMB_ACL_GROUP_OBJ)
+ self.assertEquals(posix_acl.acl[5].a_perm, 7)
- self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_GROUP)
- self.assertEquals(posix_acl.acl[6].a_perm, 7)
- self.assertEquals(posix_acl.acl[6].info.gid, SY_gid)
+ self.assertEquals(posix_acl.acl[6].a_type, smb_acl.SMB_ACL_USER)
+ self.assertEquals(posix_acl.acl[6].a_perm, 5)
+ self.assertEquals(posix_acl.acl[6].info.uid, SO_gid)
self.assertEquals(posix_acl.acl[7].a_type, smb_acl.SMB_ACL_GROUP)
self.assertEquals(posix_acl.acl[7].a_perm, 5)
- self.assertEquals(posix_acl.acl[7].info.gid, AU_gid)
+ self.assertEquals(posix_acl.acl[7].info.gid, SO_gid)
- self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_GROUP)
+ self.assertEquals(posix_acl.acl[8].a_type, smb_acl.SMB_ACL_USER)
self.assertEquals(posix_acl.acl[8].a_perm, 7)
- self.assertEquals(posix_acl.acl[8].info.gid, PA_gid)
+ self.assertEquals(posix_acl.acl[8].info.uid, SY_gid)
- self.assertEquals(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_MASK)
+ self.assertEquals(posix_acl.acl[9].a_type, smb_acl.SMB_ACL_GROUP)
self.assertEquals(posix_acl.acl[9].a_perm, 7)
+ self.assertEquals(posix_acl.acl[9].info.gid, SY_gid)
+
+ self.assertEquals(posix_acl.acl[10].a_type, smb_acl.SMB_ACL_USER)
+ self.assertEquals(posix_acl.acl[10].a_perm, 5)
+ self.assertEquals(posix_acl.acl[10].info.uid, AU_gid)
+
+ self.assertEquals(posix_acl.acl[11].a_type, smb_acl.SMB_ACL_GROUP)
+ self.assertEquals(posix_acl.acl[11].a_perm, 5)
+ self.assertEquals(posix_acl.acl[11].info.gid, AU_gid)
+
+ self.assertEquals(posix_acl.acl[12].a_type, smb_acl.SMB_ACL_USER)
+ self.assertEquals(posix_acl.acl[12].a_perm, 7)
+ self.assertEquals(posix_acl.acl[12].info.uid, PA_gid)
+
+ self.assertEquals(posix_acl.acl[13].a_type, smb_acl.SMB_ACL_GROUP)
+ self.assertEquals(posix_acl.acl[13].a_perm, 7)
+ self.assertEquals(posix_acl.acl[13].info.gid, PA_gid)
+
+ self.assertEquals(posix_acl.acl[14].a_type, smb_acl.SMB_ACL_MASK)
+ self.assertEquals(posix_acl.acl[14].a_perm, 7)
# check that it matches:
--
1.8.4.1
From 9d495f1c6e34aa0a23946c69c33f6fc9e1caf9f0 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Wed, 23 Oct 2013 15:07:31 -0700
Subject: [PATCH 3/3] Fix comment showing how to print an ACL to allow debug.
Signed-off-by: Jeremy Allison <jra at samba.org>
---
python/samba/tests/posixacl.py | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/python/samba/tests/posixacl.py b/python/samba/tests/posixacl.py
index bb104f7..a6b5118 100644
--- a/python/samba/tests/posixacl.py
+++ b/python/samba/tests/posixacl.py
@@ -32,8 +32,10 @@ from samba.samba3 import param as s3param
# for entry in posix_acl.acl:
# print "a_type: %d" % entry.a_type
# print "a_perm: %o" % entry.a_perm
-# print "uid: %d" % entry.uid
-# print "gid: %d" % entry.gid
+# if entry.a_type == smb_acl.SMB_ACL_USER:
+# print "uid: %d" % entry.uid
+# if entry.a_type == smb_acl.SMB_ACL_GROUP:
+# print "gid: %d" % entry.gid
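Review bot: The corrected debug recipe still reads `entry.uid` and `entry.gid`, while every assertion in the same file (patch 2/3, e.g. `posix_acl.acl[4].info.uid` and `posix_acl.acl[7].info.gid`) reaches the ids through `info`; unless the entry object exposes both spellings, which I cannot confirm from here, the comment will still not run as written. Suggest `#         print "uid: %d" % entry.info.uid` and `#         print "gid: %d" % entry.info.gid`. The surrounding comment block starts before this hunk.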
class PosixAclMappingTests(TestCaseInTempDir):
--
1.8.4.1