[PATCH] vfs_gpfs: Retry getacl with DAC capability if necessary
Jeremy Allison
jra at samba.org
Fri Apr 29 23:39:38 UTC 2016
On Fri, Apr 29, 2016 at 11:02:04AM -0700, Christof Schmitt wrote:
> From 45a42c1a3fb2aad6efe3e8fd806adb7ba834fab0 Mon Sep 17 00:00:00 2001
> From: Christof Schmitt <cs at samba.org>
> Date: Tue, 26 Apr 2016 13:09:09 -0700
> Subject: [PATCH] vfs_gpfs: Retry getacl with DAC capability if necessary
>
> Samba always tries to read the ACL of a file and checks it internally.
> If the READ_ACL permission is missing in GPFS, then then reading the ACL
> for Samba internal evaluation will be denied and opening the file or
> directory fails. Change this by retrying reading the ACL with the DAC
> capability if access was denied.
Comments inline below. Code with capabilities always scares me,
but I think this is mostly right :-).
> Signed-off-by: Christof Schmitt <cs at samba.org>
> ---
> source3/modules/vfs_gpfs.c | 30 ++++++++++++++++++++++++++++--
> 1 file changed, 28 insertions(+), 2 deletions(-)
>
> diff --git a/source3/modules/vfs_gpfs.c b/source3/modules/vfs_gpfs.c
> index 42a3c72..ae2c598 100644
> --- a/source3/modules/vfs_gpfs.c
> +++ b/source3/modules/vfs_gpfs.c
> @@ -358,6 +358,25 @@ static void gpfs_dumpacl(int level, struct gpfs_acl *gacl)
> }
> }
>
> +static int vfs_gpfs_getacl_cap(bool use_capability, const char *fname,
> + int flags, void *aclbuf)
> +{
> + int ret;
> +
> + if (use_capability) {
> + set_effective_capability(DAC_OVERRIDE_CAPABILITY);
> + }
> +
> + errno = 0;
> + ret = gpfswrap_getacl(discard_const_p(char, fname), flags, aclbuf);
I think you need to check for ret == -1 here and if so
save off errno.
> + if (use_capability) {
> + drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
> + }
> +
Then restore it here in order for vfs_gpfs_getacl_cap()
to correctly return a ret/errno pair.
> + return ret;
> +}
> +
> /*
> * get the ACL from GPFS, allocated on the specified mem_ctx
> * internally retries when initial buffer was too small
> @@ -378,6 +397,7 @@ static void *vfs_gpfs_getacl(TALLOC_CTX *mem_ctx,
> int ret, flags;
> unsigned int *len;
> size_t struct_size;
> + bool use_capability = false;
>
> again:
>
> @@ -406,8 +426,14 @@ again:
> /* set the length of the buffer as input value */
> *len = size;
>
> - errno = 0;
> - ret = gpfswrap_getacl(discard_const_p(char, fname), flags, aclbuf);
> + ret = vfs_gpfs_getacl_cap(use_capability, fname, flags, aclbuf);
> +
> + if ((ret != 0) && (errno == EACCES) && !use_capability) {
> + DBG_DEBUG("Retry with DAC capability for %s\n", fname);
> + use_capability = true;
> + ret = vfs_gpfs_getacl_cap(use_capability, fname, flags, aclbuf);
> + }
> +
> if ((ret != 0) && (errno == ENOSPC)) {
> /*
> * get the size needed to accommodate the complete buffer
> --
> 1.8.3.1
>
More information about the samba-technical
mailing list