[PATCH] nfs4acl: Fix owner mapping with ID_TYPE_BOTH

Jeremy Allison jra at samba.org
Wed Sep 14 16:00:55 UTC 2016 

On Tue, Sep 13, 2016 at 04:26:03PM -0700, Jeremy Allison wrote:
> On Mon, Sep 12, 2016 at 05:34:21PM -0700, Christof Schmitt wrote:
> > From f1883adf6ed027a03be2a3d4f1631d8bdb283e38 Mon Sep 17 00:00:00 2001
> > From: Christof Schmitt <cs at samba.org>
> > Date: Mon, 12 Sep 2016 16:22:16 -0700
> > Subject: [PATCH] nfs4acl: Fix owner mapping with ID_TYPE_BOTH
> > 
> > This fixes a corner case when using NFS4 ACLs with ID_TYPE_BOTH.  Before
> > this patch, the owner entry in the ACL would be mapped to a gid entry in
> > the NFSv4 ACL, and not the expected special owner entry. This is caused
> > by the id mapping returning a valid gid and the nfs4 mapping assumed
> > that this was actually a group.
> > 
> > Fix this by asking for the uid first, and explicitly checking if the
> > mapped uid matches the owner. That creates a uid entry in the NFSv4 ACL
> > that can be changed later in smbacl4_substitute_{simple,special} to the
> > expected special owner entry.
> 
> OK, went through the logic here very carefully (w.r.t chown
> interactions), and I think this is the correct thing to do.
> 
> Pushed.

The push failed (unrelated issue :-) and in the shower
this morning I had a thought (something about this patch
must have been bothering me :-).

This patch adds logic to check the uid first - if the
mapped uid matches the owner, which is correct, but
it also removes the fallback mapping of:

 -           } else if (sid_to_uid(&ace_nt->trustee, &uid)) {
 -                   ace_v4->who.uid = uid;

I don't think that's right. I think the logic should be:

check the uid first - if the mapped uid matches the owner
check if mapped to group
check if mapped to user.

(i.e. keep the final fallback code). Given that, I think
the following patch is correct. Christof, can you confirm ?

Thanks,

Jeremy.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-nfs4acl-Fix-owner-mapping-with-ID_TYPE_BOTH.patch
Type: text/x-diff
Size: 1733 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160914/4ecc090b/0001-nfs4acl-Fix-owner-mapping-with-ID_TYPE_BOTH.diff>

More information about the samba-technical mailing list