[PATCH] nfs4acl: Fix owner mapping with ID_TYPE_BOTH
Jeremy Allison
jra at samba.org
Tue Sep 13 23:26:03 UTC 2016
On Mon, Sep 12, 2016 at 05:34:21PM -0700, Christof Schmitt wrote:
> From f1883adf6ed027a03be2a3d4f1631d8bdb283e38 Mon Sep 17 00:00:00 2001
> From: Christof Schmitt <cs at samba.org>
> Date: Mon, 12 Sep 2016 16:22:16 -0700
> Subject: [PATCH] nfs4acl: Fix owner mapping with ID_TYPE_BOTH
>
> This fixes a corner case when using NFS4 ACLs with ID_TYPE_BOTH. Before
> this patch, the owner entry in the ACL would be mapped to a gid entry in
> the NFSv4 ACL, and not the expected special owner entry. This is caused
> by the id mapping returning a valid gid and the nfs4 mapping assumed
> that this was actually a group.
>
> Fix this by asking for the uid first, and explicitly checking if the
> mapped uid matches the owner. That creates a uid entry in the NFSv4 ACL
> that can be changed later in smbacl4_substitute_{simple,special} to the
> expected special owner entry.
OK, went through the logic here very carefully (w.r.t chown
interactions), and I think this is the correct thing to do.
Pushed.
> Signed-off-by: Christof Schmitt <cs at samba.org>
> ---
> source3/modules/nfs4_acls.c | 11 ++++++++---
> 1 file changed, 8 insertions(+), 3 deletions(-)
>
> diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
> index 71f4d8d..996dbab 100644
> --- a/source3/modules/nfs4_acls.c
> +++ b/source3/modules/nfs4_acls.c
> @@ -715,11 +715,16 @@ static bool smbacl4_fill_ace4(
> uid_t uid;
> gid_t gid;
>
> - if (sid_to_gid(&ace_nt->trustee, &gid)) {
> + /*
> + * ID_TYPE_BOTH returns both uid and gid. Explicitly
> + * check for ownerUID to allow the mapping of the
> + * owner to a special entry in this idmap config.
> + */
> + if (sid_to_uid(&ace_nt->trustee, &uid) && uid == ownerUID) {
> + ace_v4->who.uid = uid;
> + } else if (sid_to_gid(&ace_nt->trustee, &gid)) {
> ace_v4->aceFlags |= SMB_ACE4_IDENTIFIER_GROUP;
> ace_v4->who.gid = gid;
> - } else if (sid_to_uid(&ace_nt->trustee, &uid)) {
> - ace_v4->who.uid = uid;
> } else if (dom_sid_compare_domain(&ace_nt->trustee,
> &global_sid_Unix_NFS) == 0) {
> return false;
> --
> 1.8.3.1
>
More information about the samba-technical
mailing list