[PATCH] Second part of bugfix for bug #13319 (round-tripping ACE's through vfs_fruit).

Jeremy Allison jra at samba.org
Fri Mar 16 21:18:37 UTC 2018


On Fri, Mar 16, 2018 at 10:05:42PM +0100, Ralph Böhme wrote:
> On Fri, Mar 16, 2018 at 12:02:26PM -0700, Jeremy Allison wrote:
> > 
> > Yeah, but that changes all the existing tests. I really
> > didn't want to do that (I didn't want to get into a rathole
> > of debugging stuff that was nothing to do with my changes :-).
> 
> :) And you were right, it does break an existing fruit test-suite.

Oh how sweet it is to have your prejudices confirmed :-) :-).

> What about the attached version?

Reviewing now, thanks Ralph !!!

> -- 
> Ralph Boehme, Samba Team       https://samba.org/
> Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
> GPG Key Fingerprint:           FAE2 C608 8A24 2520 51C5
>                                59E4 AA1E 9B71 2639 9E46

> From e5d7bc830724b546d2e246d67876ace072264e7b Mon Sep 17 00:00:00 2001
> From: Jeremy Allison <jra at samba.org>
> Date: Thu, 15 Mar 2018 09:52:30 -0700
> Subject: [PATCH 1/6] s3: smbd: vfs_fruit: Add remove_virtual_nfs_aces() a
>  generic NFS ACE remover.
> 
> Not yet used; it will be used to tidy up existing code.
> 
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
> 
> Signed-off-by: Jeremy Allison <jra at samba.org>
> Reviewed-by: Ralph Boehme <slow at samba.org>
> ---
>  source3/modules/vfs_fruit.c | 43 +++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 43 insertions(+)
> 
> diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
> index 29372e90174..67af69843ed 100644
> --- a/source3/modules/vfs_fruit.c
> +++ b/source3/modules/vfs_fruit.c
> @@ -2954,6 +2954,49 @@ static NTSTATUS readdir_attr_macmeta(struct vfs_handle_struct *handle,
>  	return status;
>  }
>  
> +static NTSTATUS remove_virtual_nfs_aces(struct security_descriptor *psd)
> +{
> +	NTSTATUS status;
> +	uint32_t i;
> +
> +	if (psd->dacl == NULL) {
> +		return NT_STATUS_OK;
> +	}
> +
> +	for (i = 0; i < psd->dacl->num_aces; i++) {
> +		/* MS NFS style mode/uid/gid */
> +		if (!dom_sid_compare_domain(
> +				&global_sid_Unix_NFS,
> +				&psd->dacl->aces[i].trustee) == 0) {
> +			/* Normal ACE entry. */
> +			continue;
> +		}
> +
> +		/*
> +		 * security_descriptor_dacl_del()
> +		 * *must* return NT_STATUS_OK as we know
> +		 * we have something to remove.
> +		 */
> +
> +		status = security_descriptor_dacl_del(psd,
> +				&psd->dacl->aces[i].trustee);
> +		if (!NT_STATUS_IS_OK(status)) {
> +			DBG_WARNING("failed to remove MS NFS style ACE: %s\n",
> +				nt_errstr(status));
> +			return status;
> +		}
> +
> +		/*
> +		 * security_descriptor_dacl_del() may delete more
> +		 * then one entry subsequent to this one if the
> +		 * SID matches, but we only need to ensure that
> +		 * we stay looking at the same element in the array.
> +		 */
> +		i--;
> +	}
> +	return NT_STATUS_OK;
> +}
> +
>  /* Search MS NFS style ACE with UNIX mode */
>  static NTSTATUS check_ms_nfs(vfs_handle_struct *handle,
>  			     files_struct *fsp,
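Review bot: The SID handed to security_descriptor_dacl_del() is `&psd->dacl->aces[i].trustee`, a pointer into the very array that call compacts (the comment below the call says it may remove more than one entry), so if the callee shifts entries down before it has finished comparing against `trustee`, the pointer then names whichever ACE slid into slot i and that ACE may be removed as well; copying the SID first removes the aliasing: `struct dom_sid sid = psd->dacl->aces[i].trustee;` followed by `status = security_descriptor_dacl_del(psd, &sid);`. The match test `if (!dom_sid_compare_domain(...) == 0)` relies on `!` binding tighter than `==`; it behaves as intended but reads like a mistake and trips -Wlogical-not-parentheses, so write it as `if (dom_sid_compare_domain(&global_sid_Unix_NFS, &psd->dacl->aces[i].trustee) != 0) {`. The `i--` on a uint32_t wraps to UINT32_MAX when i is 0 and is undone by the loop's `i++`, which is defined behaviour but obscure; a loop that only advances i when nothing was deleted states the intent directly. The comment above it should read "more than one", not "more then one".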
> -- 
> 2.13.6
> 
> 
> From dd8aae44c55ae0e4c7d710afeddd7736055db390 Mon Sep 17 00:00:00 2001
> From: Jeremy Allison <jra at samba.org>
> Date: Thu, 15 Mar 2018 09:54:41 -0700
> Subject: [PATCH 2/6] s3: smbd: vfs_fruit: Replace code in check_ms_nfs() with
>  remove_virtual_nfs_aces().
> 
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
> 
> Signed-off-by: Jeremy Allison <jra at samba.org>
> Reviewed-by: Ralph Boehme <slow at samba.org>
> ---
>  source3/modules/vfs_fruit.c | 38 +-------------------------------------
>  1 file changed, 1 insertion(+), 37 deletions(-)
> 
> diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
> index 67af69843ed..38f421c337d 100644
> --- a/source3/modules/vfs_fruit.c
> +++ b/source3/modules/vfs_fruit.c
> @@ -3006,9 +3006,6 @@ static NTSTATUS check_ms_nfs(vfs_handle_struct *handle,
>  {
>  	uint32_t i;
>  	struct fruit_config_data *config = NULL;
> -	struct dom_sid sid;
> -	NTSTATUS status = NT_STATUS_OK;
> -	bool remove_ok = false;
>  
>  	*pdo_chmod = false;
>  
> @@ -3042,40 +3039,7 @@ static NTSTATUS check_ms_nfs(vfs_handle_struct *handle,
>  	 * fruit_fget_nt_acl().
>  	 */
>  
> -	/* MS NFS style mode */
> -	sid_compose(&sid, &global_sid_Unix_NFS_Mode,
> -		    fsp->fsp_name->st.st_ex_mode);
> -	status = security_descriptor_dacl_del(psd, &sid);
> -	remove_ok = (NT_STATUS_IS_OK(status) ||
> -		     NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
> -	if (!remove_ok) {
> -		DBG_WARNING("failed to remove MS NFS_mode style ACE\n");
> -		return status;
> -	}
> -
> -	/* MS NFS style uid */
> -	sid_compose(&sid, &global_sid_Unix_NFS_Users,
> -		    fsp->fsp_name->st.st_ex_uid);
> -	status = security_descriptor_dacl_del(psd, &sid);
> -	remove_ok = (NT_STATUS_IS_OK(status) ||
> -		     NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
> -	if (!remove_ok) {
> -		DBG_WARNING("failed to remove MS NFS_users style ACE\n");
> -		return status;
> -	}
> -
> -	/* MS NFS style gid */
> -	sid_compose(&sid, &global_sid_Unix_NFS_Groups,
> -		    fsp->fsp_name->st.st_ex_gid);
> -	status = security_descriptor_dacl_del(psd, &sid);
> -	remove_ok = (NT_STATUS_IS_OK(status) ||
> -		     NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
> -	if (!remove_ok) {
> -		DBG_WARNING("failed to remove MS NFS_groups style ACE\n");
> -		return status;
> -	}
> -
> -	return NT_STATUS_OK;
> +	return remove_virtual_nfs_aces(psd);
>  }
>  
>  /****************************************************************************
> -- 
> 2.13.6
> 
> 
> From b778cd9e6bff62a7aa816f6638c6a6a48b04879e Mon Sep 17 00:00:00 2001
> From: Jeremy Allison <jra at samba.org>
> Date: Thu, 15 Mar 2018 09:57:09 -0700
> Subject: [PATCH 3/6] s3: smbd: vfs_fruit: Replace code in fruit_fget_nt_acl()
>  with remove_virtual_nfs_aces().
> 
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
> 
> Signed-off-by: Jeremy Allison <jra at samba.org>
> Reviewed-by: Ralph Boehme <slow at samba.org>
> ---
>  source3/modules/vfs_fruit.c | 35 +++++++----------------------------
>  1 file changed, 7 insertions(+), 28 deletions(-)
> 
> diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
> index 38f421c337d..19b78edb949 100644
> --- a/source3/modules/vfs_fruit.c
> +++ b/source3/modules/vfs_fruit.c
> @@ -5735,7 +5735,6 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
>  	struct security_ace ace;
>  	struct dom_sid sid;
>  	struct fruit_config_data *config;
> -	bool remove_ok = false;
>  
>  	SMB_VFS_HANDLE_GET_DATA(handle, config,
>  				struct fruit_config_data,
> @@ -5757,18 +5756,16 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
>  		return NT_STATUS_OK;
>  	}
>  
> +	/* First remove any existing ACE's with NFS style mode/uid/gid SIDs. */
> +	status = remove_virtual_nfs_aces(*ppdesc);
> +	if (!NT_STATUS_IS_OK(status)) {
> +		DBG_WARNING("failed to remove MS NFS style ACEs\n");
> +		return status;
> +	}
> +
>  	/* MS NFS style mode */
>  	sid_compose(&sid, &global_sid_Unix_NFS_Mode, fsp->fsp_name->st.st_ex_mode);
>  	init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0);
> -
> -	/* First remove any existing ACE's with this SID. */
> -	status = security_descriptor_dacl_del(*ppdesc, &sid);
> -	remove_ok = (NT_STATUS_IS_OK(status) ||
> -		     NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
> -	if (!remove_ok) {
> -		DBG_WARNING("failed to remove MS NFS_mode style ACE\n");
> -		return status;
> -	}
>  	status = security_descriptor_dacl_add(*ppdesc, &ace);
>  	if (!NT_STATUS_IS_OK(status)) {
>  		DEBUG(1,("failed to add MS NFS style ACE\n"));
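Review bot: The warning in the `if (!NT_STATUS_IS_OK(status))` branch after the new remove_virtual_nfs_aces() call duplicates the one the helper already emits, and unlike the helper's it drops the status code; either drop it or make it carry the code, `DBG_WARNING("failed to remove MS NFS style ACEs: %s\n", nt_errstr(status));`. check_ms_nfs() in patch 2 simply returns the helper's status, and this hunk could do the same for consistency. fruit_fget_nt_acl() starts before this hunk and continues past it.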
> @@ -5778,15 +5775,6 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
>  	/* MS NFS style uid */
>  	sid_compose(&sid, &global_sid_Unix_NFS_Users, fsp->fsp_name->st.st_ex_uid);
>  	init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0);
> -
> -	/* First remove any existing ACE's with this SID. */
> -	status = security_descriptor_dacl_del(*ppdesc, &sid);
> -	remove_ok = (NT_STATUS_IS_OK(status) ||
> -		     NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
> -	if (!remove_ok) {
> -		DBG_WARNING("failed to remove MS NFS_users style ACE\n");
> -		return status;
> -	}
>  	status = security_descriptor_dacl_add(*ppdesc, &ace);
>  	if (!NT_STATUS_IS_OK(status)) {
>  		DEBUG(1,("failed to add MS NFS style ACE\n"));
> @@ -5796,15 +5784,6 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
>  	/* MS NFS style gid */
>  	sid_compose(&sid, &global_sid_Unix_NFS_Groups, fsp->fsp_name->st.st_ex_gid);
>  	init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0);
> -
> -	/* First remove any existing ACE's with this SID. */
> -	status = security_descriptor_dacl_del(*ppdesc, &sid);
> -	remove_ok = (NT_STATUS_IS_OK(status) ||
> -		     NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
> -	if (!remove_ok) {
> -		DBG_WARNING("failed to remove MS NFS_groups style ACE\n");
> -		return status;
> -	}
>  	status = security_descriptor_dacl_add(*ppdesc, &ace);
>  	if (!NT_STATUS_IS_OK(status)) {
>  		DEBUG(1,("failed to add MS NFS style ACE\n"));
> -- 
> 2.13.6
> 
> 
> From 4db7fd03392208c8a76814889cfafc5f0cb8c259 Mon Sep 17 00:00:00 2001
> From: Ralph Boehme <slow at samba.org>
> Date: Fri, 16 Mar 2018 21:55:26 +0100
> Subject: [PATCH 4/6] selftest: run vfs.fruit_netatalk test against seperate
>  share
> 
> These tests require a fs with xattr support. This allows adding
> xattr_tdb to all other shares in the next commit.
> 
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
> 
> Signed-off-by: Ralph Boehme <slow at samba.org>
> ---
>  selftest/target/Samba3.pm | 10 ++++++++++
>  source3/selftest/tests.py |  2 +-
>  2 files changed, 11 insertions(+), 1 deletion(-)
> 
> diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
> index e6c95fa991a..343ca074fb6 100755
> --- a/selftest/target/Samba3.pm
> +++ b/selftest/target/Samba3.pm
> @@ -1896,6 +1896,16 @@ sub provision($$$$$$$$$)
>  	fruit:encoding = native
>  	fruit:veto_appledouble = no
>  
> +[vfs_fruit_xattr]
> +	path = $shrdir
> +        # This is used by vfs.fruit tests that require real fs xattr
> +	vfs objects = catia fruit streams_xattr acl_xattr
> +	fruit:resource = file
> +	fruit:metadata = netatalk
> +	fruit:locking = netatalk
> +	fruit:encoding = native
> +	fruit:veto_appledouble = no
> +
>  [vfs_fruit_metadata_stream]
>  	path = $shrdir
>  	vfs objects = fruit streams_xattr acl_xattr
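Review bot: The comment line in the new `[vfs_fruit_xattr]` stanza is indented with spaces while every other line of the share uses a tab, which stands out in a heredoc that is otherwise tab-aligned; indent it with a tab like its neighbours. A word on why this stanza deliberately carries no xattr_tdb, e.g. `# no xattr_tdb here: these tests need real filesystem xattrs`, would keep the next commit's sweep from touching it. The enclosing provision() sub starts and ends outside the hunk.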
> diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
> index 402f44ff6ee..c93abf5e632 100755
> --- a/source3/selftest/tests.py
> +++ b/source3/selftest/tests.py
> @@ -503,7 +503,7 @@ tests= base + raw + smb2 + rpc + unix + local + rap + nbt + libsmbclient + idmap
>          plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/vfs_fruit_metadata_stream -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/nt4_dc/share --option=torture:share2=vfs_wo_fruit', 'metadata_stream')
>          plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/vfs_fruit_stream_depot -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/nt4_dc/share --option=torture:share2=vfs_wo_fruit_stream_depot', 'streams_depot')
>      elif t == "vfs.fruit_netatalk":
> -        plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/vfs_fruit -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/nt4_dc/share')
> +        plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/vfs_fruit_xattr -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/nt4_dc/share')
>      elif t == "vfs.fruit_timemachine":
>          plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/vfs_fruit_timemachine -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/nt4_dc/share')
>      elif t == "vfs.fruit_file_id":
> -- 
> 2.13.6
> 
> 
> From 3cf5421ac9ab551870714ab8e1dfa6dc0bda9938 Mon Sep 17 00:00:00 2001
> From: Ralph Boehme <slow at samba.org>
> Date: Fri, 16 Mar 2018 21:57:31 +0100
> Subject: [PATCH 5/6] selftest: vfs.fruit: add xattr_tdb where possible
> 
> This makes the tests independent of fs xattr support.
> 
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
> 
> Signed-off-by: Ralph Boehme <slow at samba.org>
> ---
>  selftest/target/Samba3.pm | 12 ++++++------
>  1 file changed, 6 insertions(+), 6 deletions(-)
> 
> diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
> index 343ca074fb6..6bedbde832f 100755
> --- a/selftest/target/Samba3.pm
> +++ b/selftest/target/Samba3.pm
> @@ -1889,7 +1889,7 @@ sub provision($$$$$$$$$)
>  
>  [vfs_fruit]
>  	path = $shrdir
> -	vfs objects = catia fruit streams_xattr acl_xattr
> +	vfs objects = catia fruit streams_xattr acl_xattr xattr_tdb
>  	fruit:resource = file
>  	fruit:metadata = netatalk
>  	fruit:locking = netatalk
> @@ -1908,29 +1908,29 @@ sub provision($$$$$$$$$)
>  
>  [vfs_fruit_metadata_stream]
>  	path = $shrdir
> -	vfs objects = fruit streams_xattr acl_xattr
> +	vfs objects = fruit streams_xattr acl_xattr xattr_tdb
>  	fruit:resource = file
>  	fruit:metadata = stream
>  	fruit:veto_appledouble = no
>  
>  [vfs_fruit_stream_depot]
>  	path = $shrdir
> -	vfs objects = fruit streams_depot acl_xattr
> +	vfs objects = fruit streams_depot acl_xattr xattr_tdb
>  	fruit:resource = stream
>  	fruit:metadata = stream
>  	fruit:veto_appledouble = no
>  
>  [vfs_wo_fruit]
>  	path = $shrdir
> -	vfs objects = streams_xattr acl_xattr
> +	vfs objects = streams_xattr acl_xattr xattr_tdb
>  
>  [vfs_wo_fruit_stream_depot]
>  	path = $shrdir
> -	vfs objects = streams_depot acl_xattr
> +	vfs objects = streams_depot acl_xattr xattr_tdb
>  
>  [vfs_fruit_timemachine]
>  	path = $shrdir
> -	vfs objects = fruit streams_xattr acl_xattr
> +	vfs objects = fruit streams_xattr acl_xattr xattr_tdb
>  	fruit:resource = file
>  	fruit:metadata = stream
>  	fruit:time machine = yes
> -- 
> 2.13.6
> 
> 
> From 690802cde9528dfd6021e7a7441f7a1a39d27230 Mon Sep 17 00:00:00 2001
> From: Jeremy Allison <jra at samba.org>
> Date: Thu, 15 Mar 2018 14:45:06 -0700
> Subject: [PATCH 6/6] s4: vfs: fruit tests: Add regression test for dealing
>  with NFS ACE entries.
> 
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
> 
> Signed-off-by: Jeremy Allison <jra at samba.org>
> Reviewed-by: Ralph Boehme <slow at samba.org>
> ---
>  source4/torture/vfs/fruit.c | 171 ++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 171 insertions(+)
> 
> diff --git a/source4/torture/vfs/fruit.c b/source4/torture/vfs/fruit.c
> index d071cf6f9af..65109cc1934 100644
> --- a/source4/torture/vfs/fruit.c
> +++ b/source4/torture/vfs/fruit.c
> @@ -36,6 +36,10 @@
>  #include "torture/smb2/proto.h"
>  #include "torture/vfs/proto.h"
>  #include "librpc/gen_ndr/ndr_ioctl.h"
> +#include "libcli/security/dom_sid.h"
> +#include "../librpc/gen_ndr/ndr_security.h"
> +#include "libcli/security/secace.h"
> +#include "libcli/security/security_descriptor.h"
>  
>  #define BASEDIR "vfs_fruit_dir"
>  #define FNAME_CC_SRC "testfsctl.dat"
> @@ -4426,6 +4430,172 @@ static bool test_copy_chunk_streams(struct torture_context *torture,
>  }
>  
>  /*
> + * Ensure this security descriptor has exactly one mode, uid
> + * and gid.
> + */
> +
> +static NTSTATUS check_nfs_sd(const struct security_descriptor *psd)
> +{
> +	uint32_t i;
> +	bool got_one_mode = false;
> +	bool got_one_uid = false;
> +	bool got_one_gid = false;
> +
> +	if (psd->dacl == NULL) {
> +		return NT_STATUS_INVALID_SECURITY_DESCR;
> +	}
> +
> +	for (i = 0; i < psd->dacl->num_aces; i++) {
> +		if (dom_sid_compare_domain(&global_sid_Unix_NFS_Mode,
> +					   &psd->dacl->aces[i].trustee) == 0) {
> +			if (got_one_mode == true) {
> +				/* Can't have more than one. */
> +				return NT_STATUS_INVALID_SECURITY_DESCR;
> +			}
> +			got_one_mode = true;
> +		}
> +	}
> +	for (i = 0; i < psd->dacl->num_aces; i++) {
> +		if (dom_sid_compare_domain(&global_sid_Unix_NFS_Users,
> +					   &psd->dacl->aces[i].trustee) == 0) {
> +			if (got_one_uid == true) {
> +				/* Can't have more than one. */
> +				return NT_STATUS_INVALID_SECURITY_DESCR;
> +			}
> +			got_one_uid = true;
> +		}
> +	}
> +	for (i = 0; i < psd->dacl->num_aces; i++) {
> +		if (dom_sid_compare_domain(&global_sid_Unix_NFS_Groups,
> +					   &psd->dacl->aces[i].trustee) == 0) {
> +			if (got_one_gid == true) {
> +				/* Can't have more than one. */
> +				return NT_STATUS_INVALID_SECURITY_DESCR;
> +			}
> +			got_one_gid = true;
> +		}
> +	}
> +	/* Must have at least one of each. */
> +	if (got_one_mode == false ||
> +			got_one_uid == false ||
> +			got_one_gid == false) {
> +		return NT_STATUS_INVALID_SECURITY_DESCR;
> +	}
> +	return NT_STATUS_OK;
> +}
> +
> +static bool test_nfs_aces(struct torture_context *tctx,
> +			  struct smb2_tree *tree)
> +{
> +	TALLOC_CTX *mem_ctx = talloc_new(tctx);
> +	struct security_ace ace;
> +	struct dom_sid sid;
> +	const char *fname = BASEDIR "\\nfs_aces.txt";
> +	struct smb2_handle h = {{0}};
> +	union smb_fileinfo finfo2;
> +	union smb_setfileinfo set;
> +	struct security_descriptor *psd = NULL;
> +	NTSTATUS status;
> +	bool ret = true;
> +
> +	ret = enable_aapl(tctx, tree);
> +	torture_assert(tctx, ret == true, "enable_aapl failed");
> +
> +	/* clean slate ...*/
> +	smb2_util_unlink(tree, fname);
> +	smb2_deltree(tree, fname);
> +	smb2_deltree(tree, BASEDIR);
> +
> +	status = torture_smb2_testdir(tree, BASEDIR, &h);
> +	CHECK_STATUS(status, NT_STATUS_OK);
> +	smb2_util_close(tree, h);
> +
> +	/* Create a test file. */
> +	status = torture_smb2_testfile_access(tree,
> +				fname,
> +				&h,
> +				SEC_STD_READ_CONTROL |
> +				SEC_STD_WRITE_DAC |
> +				SEC_RIGHTS_FILE_ALL);
> +	CHECK_STATUS(status, NT_STATUS_OK);
> +
> +	/* Get the ACL. */
> +	finfo2.query_secdesc.in.secinfo_flags =
> +		SECINFO_OWNER |
> +		SECINFO_GROUP |
> +		SECINFO_DACL;
> +	finfo2.generic.level = RAW_FILEINFO_SEC_DESC;
> +	finfo2.generic.in.file.handle = h;
> +	status = smb2_getinfo_file(tree, tctx, &finfo2);
> +	CHECK_STATUS(status, NT_STATUS_OK);
> +
> +	psd = finfo2.query_secdesc.out.sd;
> +
> +	/* Ensure we have only single mode/uid/gid NFS entries. */
> +	status = check_nfs_sd(psd);
> +	if (!NT_STATUS_IS_OK(status)) {
> +		NDR_PRINT_DEBUG(
> +			security_descriptor,
> +			discard_const_p(struct security_descriptor, psd));
> +	}
> +	CHECK_STATUS(status, NT_STATUS_OK);
> +
> +	/* Add a couple of extra NFS uids and gids. */
> +	sid_compose(&sid, &global_sid_Unix_NFS_Users, 27);
> +	init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0);
> +	status = security_descriptor_dacl_add(psd, &ace);
> +	CHECK_STATUS(status, NT_STATUS_OK);
> +	status = security_descriptor_dacl_add(psd, &ace);
> +	CHECK_STATUS(status, NT_STATUS_OK);
> +
> +	sid_compose(&sid, &global_sid_Unix_NFS_Groups, 300);
> +	init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0);
> +	status = security_descriptor_dacl_add(psd, &ace);
> +	CHECK_STATUS(status, NT_STATUS_OK);
> +	status = security_descriptor_dacl_add(psd, &ace);
> +	CHECK_STATUS(status, NT_STATUS_OK);
> +
> +	/* Now set on the file handle. */
> +	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
> +	set.set_secdesc.in.file.handle = h;
> +	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
> +	set.set_secdesc.in.sd = psd;
> +	status = smb2_setinfo_file(tree, &set);
> +	CHECK_STATUS(status, NT_STATUS_OK);
> +
> +	/* Get the ACL again. */
> +	finfo2.query_secdesc.in.secinfo_flags =
> +		SECINFO_OWNER |
> +		SECINFO_GROUP |
> +		SECINFO_DACL;
> +	finfo2.generic.level = RAW_FILEINFO_SEC_DESC;
> +	finfo2.generic.in.file.handle = h;
> +	status = smb2_getinfo_file(tree, tctx, &finfo2);
> +	CHECK_STATUS(status, NT_STATUS_OK);
> +
> +	psd = finfo2.query_secdesc.out.sd;
> +
> +	/* Ensure we have only single mode/uid/gid NFS entries. */
> +	status = check_nfs_sd(psd);
> +	if (!NT_STATUS_IS_OK(status)) {
> +		NDR_PRINT_DEBUG(
> +			security_descriptor,
> +			discard_const_p(struct security_descriptor, psd));
> +	}
> +	CHECK_STATUS(status, NT_STATUS_OK);
> +
> +done:
> +	if (!smb2_util_handle_empty(h)) {
> +		smb2_util_close(tree, h);
> +	}
> +	smb2_util_unlink(tree, fname);
> +	smb2_deltree(tree, fname);
> +	smb2_deltree(tree, BASEDIR);
> +	talloc_free(mem_ctx);
> +	return ret;
> +}
> +
> +/*
>   * Note: This test depends on "vfs objects = catia fruit streams_xattr".  For
>   * some tests torture must be run on the host it tests and takes an additional
>   * argument with the local path to the share:
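Review bot: check_nfs_sd() only counts NFS-domain ACEs, so after the round trip a descriptor in which the injected uid 27 or gid 300 entry survived and the real owner's entry was dropped would still pass with exactly one of each; the regression test should also record the mode/uid/gid trustee SIDs it saw on the first query and assert they are unchanged on the second, which the rewrite below does by returning them from check_nfs_sd() and comparing with dom_sid_equal(). The three passes over the same DACL collapse into one while doing so. `mem_ctx` at the top of test_nfs_aces() is allocated and freed but never used for an allocation, so it can go.
```c
static NTSTATUS check_nfs_sd(const struct security_descriptor *psd,
			     struct dom_sid *mode_sid,
			     struct dom_sid *uid_sid,
			     struct dom_sid *gid_sid)
{
	uint32_t i;
	bool got_one_mode = false;
	bool got_one_uid = false;
	bool got_one_gid = false;

	if (psd->dacl == NULL) {
		return NT_STATUS_INVALID_SECURITY_DESCR;
	}

	/* One pass: each NFS-domain ACE must appear exactly once. */
	for (i = 0; i < psd->dacl->num_aces; i++) {
		const struct dom_sid *trustee = &psd->dacl->aces[i].trustee;

		if (dom_sid_compare_domain(&global_sid_Unix_NFS_Mode,
					   trustee) == 0) {
			if (got_one_mode) {
				return NT_STATUS_INVALID_SECURITY_DESCR;
			}
			got_one_mode = true;
			*mode_sid = *trustee;
		} else if (dom_sid_compare_domain(&global_sid_Unix_NFS_Users,
						  trustee) == 0) {
			if (got_one_uid) {
				return NT_STATUS_INVALID_SECURITY_DESCR;
			}
			got_one_uid = true;
			*uid_sid = *trustee;
		} else if (dom_sid_compare_domain(&global_sid_Unix_NFS_Groups,
						  trustee) == 0) {
			if (got_one_gid) {
				return NT_STATUS_INVALID_SECURITY_DESCR;
			}
			got_one_gid = true;
			*gid_sid = *trustee;
		}
	}
	/* Must have at least one of each. */
	if (!got_one_mode || !got_one_uid || !got_one_gid) {
		return NT_STATUS_INVALID_SECURITY_DESCR;
	}
	return NT_STATUS_OK;
}

/* … unchanged: test_nfs_aces() signature and other locals … */
	struct dom_sid mode1, uid1, gid1;
	struct dom_sid mode2, uid2, gid2;
/* … unchanged: setup, first smb2_getinfo_file() … */
	status = check_nfs_sd(psd, &mode1, &uid1, &gid1);
/* … unchanged: NDR_PRINT_DEBUG / CHECK_STATUS, ACE injection, setinfo, second getinfo … */
	status = check_nfs_sd(psd, &mode2, &uid2, &gid2);
/* … unchanged: NDR_PRINT_DEBUG / CHECK_STATUS … */
	torture_assert_goto(tctx,
			    dom_sid_equal(&mode1, &mode2) &&
			    dom_sid_equal(&uid1, &uid2) &&
			    dom_sid_equal(&gid1, &gid2),
			    ret, done,
			    "NFS mode/uid/gid ACEs changed across set/get");
/* … unchanged: done: cleanup … */
```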
> @@ -4465,6 +4635,7 @@ struct torture_suite *torture_vfs_fruit(TALLOC_CTX *ctx)
>  	torture_suite_add_1smb2_test(suite, "creating rsrc with read-only access", test_rfork_create_ro);
>  	torture_suite_add_1smb2_test(suite, "copy-chunk streams", test_copy_chunk_streams);
>  	torture_suite_add_1smb2_test(suite, "OS X AppleDouble file conversion", test_adouble_conversion);
> +	torture_suite_add_1smb2_test(suite, "NFS ACE entries", test_nfs_aces);
>  
>  	return suite;
>  }
> -- 
> 2.13.6
> 



