[PR PATCH] [Updated] acess based share enum: handle permission set in configuration files
Uri Simchoni
uri at samba.org
Tue Mar 1 04:05:34 UTC 2016
Here's an updated patch with cleaned-up indentation, and a blackbox test.
Alberto - please confirm that it's OK.
Can I get another team reviewer?
Thanks,
Uri.
On 02/29/2016 05:23 PM, github at samba.org wrote:
> There is an updated pull request by bud4 against master on the Samba Samba Github repository
>
> https://github.com/bud4/samba master
> https://github.com/samba-team/samba/pull/54
>
> acess based share enum: handle permission set in configuration files
> **access based share enum** does not work with permissions set in the config file.
> change function is_enumeration_allowed to check permissions set by
> fields: valid users, invalid users, only user.
>
> Signed-off-by: Alberto Maria Fiaschi <alberto.fiaschi at estar.toscana.it>
>
> A patch file from https://github.com/samba-team/samba/pull/54.patch is attached
>
-------------- next part --------------
From a71ca525d7a87780b35fd48883e0fe97e22df257 Mon Sep 17 00:00:00 2001
From: Alberto Maria Fiaschi <alberto.fiaschi at estar.toscana.it>
Date: Tue, 23 Feb 2016 18:22:10 +0100
Subject: [PATCH 1/2] access based share enum: handle permission set in
configuration files
change function is_enumeration_allowed to check permissions set by
fields: valid users, invalid users, only user.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8093
Signed-off-by: Alberto Maria Fiaschi <alberto.fiaschi at estar.toscana.it>
Reviewed-by: Uri Simchoni <uri at samba.org>
---
source3/rpc_server/srvsvc/srv_srvsvc_nt.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
index b1e9d13..279cd9e 100644
--- a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
+++ b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
@@ -477,12 +477,19 @@ static bool is_hidden_share(int snum)
static bool is_enumeration_allowed(struct pipes_struct *p,
int snum)
{
- if (!lp_access_based_share_enum(snum))
- return true;
+ if (!lp_access_based_share_enum(snum)) {
+ return true;
+ }
+
+ if (!user_ok_token(p->session_info->unix_info->unix_name,
+ p->session_info->info->domain_name,
+ p->session_info->security_token, snum)) {
+ return false;
+ }
- return share_access_check(p->session_info->security_token,
- lp_servicename(talloc_tos(), snum),
- FILE_READ_DATA, NULL);
+ return share_access_check(p->session_info->security_token,
+ lp_servicename(talloc_tos(), snum),
+ FILE_READ_DATA, NULL);
}
/****************************************************************************
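Review bot: is_enumeration_allowed() now makes a two-stage visibility decision but has no comment saying what the added `user_ok_token()` stage covers, or that the function only filters the share listing. Per the commit message the new check handles `valid users`, `invalid users` and `only user`. As far as the visible lines show, other smb.conf restrictions such as `hosts allow`/`hosts deny` are not consulted, so a share may still be listed to a client that would be refused on connect; that limit is worth stating if it is intended. I would add above the function: `/* Access based share enum: list the share only if the caller passes the smb.conf user lists (user_ok_token) and has FILE_READ_DATA in the share ACL. This only hides the name; it is not the access check. */`.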
--
2.5.0
From d058fb89fd1618cf4bb34da7a953d7946401b67b Mon Sep 17 00:00:00 2001
From: Uri Simchoni <uri at samba.org>
Date: Mon, 29 Feb 2016 22:09:57 +0200
Subject: [PATCH 2/2] selftest: test access based share enum parameter
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8093
Signed-off-by: Uri Simchoni <uri at samba.org>
---
selftest/selftesthelpers.py | 1 +
selftest/target/Samba3.pm | 1 +
source3/script/tests/test_shareenum.sh | 30 ++++++++++++++++++++++++++++++
source3/selftest/tests.py | 1 +
4 files changed, 33 insertions(+)
create mode 100755 source3/script/tests/test_shareenum.sh
diff --git a/selftest/selftesthelpers.py b/selftest/selftesthelpers.py
index 42499b0..f26484b 100644
--- a/selftest/selftesthelpers.py
+++ b/selftest/selftesthelpers.py
@@ -185,3 +185,4 @@ dbwrap_tool = binpath('dbwrap_tool')
vfstest = binpath('vfstest')
smbcquotas = binpath('smbcquotas')
smbget = binpath('smbget')
+rpcclient = binpath('rpcclient')
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 2dde4ca..5dc4b17 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1512,6 +1512,7 @@ sub provision($$$$$$$$)
[valid-users-tmp]
path = $shrdir
valid users = $unix_name
+ access based share enum = yes
[msdfs-share]
path = $msdfs_shrdir
msdfs root = yes
diff --git a/source3/script/tests/test_shareenum.sh b/source3/script/tests/test_shareenum.sh
new file mode 100755
index 0000000..3904b51
--- /dev/null
+++ b/source3/script/tests/test_shareenum.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+# this tests share enumeration with "access based share enum"
+
+if [ $# -lt 4 ]; then
+cat <<EOF
+Usage: $0 SERVER USERNAME PASSWORD RPCCLIENT
+EOF
+exit 1;
+fi
+
+SERVER="$1"
+USERNAME="$2"
+PASSWORD="$3"
+RPCCLIENT="$4"
+RPCCLIENT="$VALGRIND ${RPCCLIENT}"
+
+incdir=`dirname $0`/../../../testprogs/blackbox
+. $incdir/subunit.sh
+
+user_see_share() {
+ local user=$1
+ local share=$2
+ $RPCCLIENT //$SERVER -U$user%$PASSWORD -c "netshareenumall" | grep $share > /dev/null 2>&1
+}
+
+testit "$USERNAME sees tmp" user_see_share $USERNAME tmp
+testit "$USERNAME sees valid-users-tmp" user_see_share $USERNAME valid-users-tmp
+testit "force_user sees tmp" user_see_share force_user tmp
+testit_expect_failure "force_user does not see valid-users-tmp" user_see_share force_user valid-users-tmp
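Review bot: In `user_see_share` the `grep $share` match is an unanchored substring over the whole rpcclient output, so `tmp` also matches `valid-users-tmp` and any remark or path text containing it, and the positive tests can pass without the intended share being listed. The negative case has the mirror problem: the pipeline's status is grep's, so an rpcclient connection or authentication failure also counts as "does not see", and only the preceding `force_user sees tmp` test guards against that. Assuming rpcclient prints one `netname:` line per share, matching the whole field makes both directions meaningful, e.g. `grep -q "netname: $share\$"`, with `"$user"` and `"$share"` quoted. The fixture also exercises only `valid users`; `invalid users` and `only user`, which the C change is described as handling, stay untested.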
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 48e082f..5851110 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -183,6 +183,7 @@ for env in ["fileserver"]:
plantestsuite("samba3.blackbox.shadow_copy2 (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_shadow_copy.sh"), '$SERVER', '$SERVER_IP', '$DOMAIN', '$USERNAME', '$PASSWORD', '$LOCAL_PATH/shadow', smbclient3])
plantestsuite("samba3.blackbox.smbclient.forceuser_validusers (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_forceuser_validusers.sh"), '$SERVER', '$DOMAIN', '$USERNAME', '$PASSWORD', '$LOCAL_PATH', smbclient3])
plantestsuite("samba3.blackbox.smbget (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbget.sh"), '$SERVER', '$SERVER_IP', '$DOMAIN', 'smbget_user', '$PASSWORD', '$LOCAL_PATH/smbget', smbget])
+ plantestsuite("samba3.blackbox.netshareenum (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_shareenum.sh"), '$SERVER', '$USERNAME', '$PASSWORD', rpcclient])
#
# tar command tests
--
2.5.0