[RFC] vfs_nfs4acl_xattr NFS4.1 support, support for XDR encoding and more...

Tue Nov 7 22:15:33 UTC 2017

On Tue, Nov 07, 2017 at 01:47:33PM -0800, Jeremy Allison via samba-technical wrote:
> On Tue, Nov 07, 2017 at 01:16:27PM +0100, Ralph Böhme wrote:
> > On Mon, Nov 06, 2017 at 04:26:13PM -0800, Jeremy Allison wrote:
> > > On Thu, Nov 02, 2017 at 07:44:21PM +0100, Ralph Böhme via samba-technical wrote:
> > > > On Thu, Nov 02, 2017 at 11:56:23AM +0100, Ralph Böhme wrote:
> > > > > Ok, I'll then follow-up with a patchset that changes the ACL version to 4.1 and
> > > > > the xattr name to "security.nfs4acl_ndr" instead of "security.nfs4acl".
> > > > 
> > > > attached.
> > > > 
> > > > Please review & push if happy. Thanks!
> > > 
> > > Doing a thorough review on this.
> > > 
> > > One quick question - the default for
> > > 
> > > nfs4acl_xattr:default acl style
> > > 
> > > is everyone. That's the least secure one.
> > > 
> > > Why was that chosen ? Did I miss or forget
> > > the discussion ?
> > 
> > that's just the current behaviour of the unpatched module...
> 
> OK, RB+ and pushed with just one change, in make_default_acl_everyone()
> you had:
> 
> struct security_ace aces[4];
> 
> which was cut-n-paste left over - we are only adding one
> ace here so it should be:
> 
> struct security_ace aces[1];

Ah. On submission to autobuild it caught a use-before-initialize
error I missed. Can you also fix the initialization errors below
and re-submit ?

Sorry,

Jeremy.

In:

source3/modules/nfs4acl_xattr_xdr.c

static NTSTATUS nfs4acl_to_smb4acl(struct vfs_handle_struct *handle,
                                   TALLOC_CTX *mem_ctx,
                                   nfsacl41 *nacl,
                                   struct SMB4ACL_T **_smb4acl)
{
        struct nfs4acl_config *config = NULL;
        struct SMB4ACL_T *smb4acl = NULL;
        unsigned nfsacl41_flag;
        uint16_t smb4acl_flags;            <------------------------ uninitialized.
        unsigned naces = nfs4acl_get_naces(nacl);
        int i;

        SMB_VFS_HANDLE_GET_DATA(handle, config,
                                struct nfs4acl_config,
                                return NT_STATUS_INTERNAL_ERROR);

        smb4acl = smb_create_smb4acl(mem_ctx);
        if (smb4acl == NULL) {
                return NT_STATUS_INTERNAL_ERROR;
        }

        if (config->nfs_version > ACL4_XATTR_VERSION_40) {
                nfsacl41_flag = nfs4acl_get_flags(nacl);
                smb4acl_flags = nfs4acl_to_smb4acl_flags(nfsacl41_flag); <--------- only set here.
                smbacl4_set_controlflags(smb4acl, smb4acl_flags);
        }

        DBG_DEBUG("flags [%x] nace [%u]\n", smb4acl_flags, naces); <--------- use without initialize.