[PATCH] Version 3: VFS cleanup - remove chmod_acl and fchmod_acl

Jeremy Allison jra at samba.org
Fri May 18 23:37:39 UTC 2018


On Fri, May 18, 2018 at 04:27:43PM -0700, Jeremy Allison wrote:
> > After a conversation with Volker, I realized it's
> > time (for 4.9.0) to remove the hideous VFS
> > calls SMB_VFS_CHMOD_ACL() and SMB_VFS_FCHMOD_ACL().
> >
> > They exist because I utterly misunderstood the
> > meaning of the ACL_MASK ace entry in POSIX
> > ACLs when I was first writing an ACL backend
> > for Samba.
> >
> > I assumed that for ACL mapping from Windows
> > we would always have to set the ACL_MASK to
> > "rwx", so hand-implemented the copying of
> > u/g/o bits on a mode change to individual
> > ACE entries in a POSIX ACL (see the code
> > in chmod_acl_internals() in source3/smbd/posix_acls.c
> > for details).
> >
> > This is just silly - doing a [f]chmod
> > implements exactly the same effect
> > by changing the mask bits (and is
> > correctly read and applied in canonicalise_acl(),
> > also in source3/smbd/posix_acls.c).
> >
> > So this patchset removes the two
> > VFS calls SMB_VFS_CHMOD_ACL() and SMB_VFS_FCHMOD_ACL()
> > and replaces their use with simple SMB_VFS_CHMOD()
> > and SMB_VFS_FCHMOD() instead.
> >
> > This change should only be visible to
> > unix extensions POSIX clients doing
> > direct chmod and posix ACL get/set calls,
> > and it will cause Samba to be closer
> > to expected POSIX behavior.
> 
> Here is version #2. It's actually the same
> base patch as version #1 but with 4 more patches
> appended.
> 
> These patches implement the SMB_VFS_CHMOD
> and SMB_VFS_FCHMOD calls in the vfs_fake_acls
> module, which is used in some older tests
> that test the SMB1 unix extensions ACL
> get/set (that's mainly the raw.samba3hide test).
> These calls (along with the old chmod_acl/fchmod_acl
> interface) were not previously implemented in that
> module, which was why my original patchset
> without these ran into a problem.
> 
> These fixes allowed me to remove the
> samba3hide(nt4_dc) test from the selftest/knownfail
> file as we now pass it (the vfs_fake_acls module
> never implemented SMB_VFS_CHMOD_ACL
> or SMB_VFS_FCHMOD_ACL which would have
> been required to make the strict POSIX
> ACL checks work).
> 
> This patchset survives a full local
> make test, so I'm pretty confident about
> this (famous last words, I know :-).

Sigh - V3 - now with the missing TALLOC_FREE(frame)
calls I had missed in the error paths in the new:

fake_acls_chmod()
fake_acls_fchmod()

code :-).

That's the only change from V2.

Cheers,

	Jeremy.
-------------- next part --------------
From aa1f2c341714529c1a8909176c92c6e3b1155faf Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Thu, 17 May 2018 09:37:23 -0700
Subject: [PATCH 01/21] s3: smbd: Remove existing_unx_mode, an unused parameter
 to open_match_attributes().

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 source3/smbd/open.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 61a42e29a10..9d581a53359 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -2530,7 +2530,6 @@ static void setup_kernel_oplock_poll_open(struct timeval request_time,
 static bool open_match_attributes(connection_struct *conn,
 				  uint32_t old_dos_attr,
 				  uint32_t new_dos_attr,
-				  mode_t existing_unx_mode,
 				  mode_t new_unx_mode,
 				  mode_t *returned_unx_mode)
 {
@@ -2547,10 +2546,9 @@ static bool open_match_attributes(connection_struct *conn,
 	}
 
 	DEBUG(10,("open_match_attributes: old_dos_attr = 0x%x, "
-		  "existing_unx_mode = 0%o, new_dos_attr = 0x%x "
+		  "new_dos_attr = 0x%x "
 		  "returned_unx_mode = 0%o\n",
 		  (unsigned int)old_dos_attr,
-		  (unsigned int)existing_unx_mode,
 		  (unsigned int)new_dos_attr,
 		  (unsigned int)*returned_unx_mode ));
 
@@ -3174,7 +3172,6 @@ static NTSTATUS open_file_ntcreate(connection_struct *conn,
 	     (create_disposition == FILE_OVERWRITE_IF))) {
 		if (!open_match_attributes(conn, existing_dos_attributes,
 					   new_dos_attributes,
-					   smb_fname->st.st_ex_mode,
 					   unx_mode, &new_unx_mode)) {
 			DEBUG(5,("open_file_ntcreate: attributes mismatch "
 				 "for file %s (%x %x) (0%o, 0%o)\n",
-- 
2.17.0.441.gb46fe60e1d-goog


From 16b0ec52ede8179b9295418ba91015eb3a29a17c Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Thu, 17 May 2018 10:24:35 -0700
Subject: [PATCH 02/21] s3: smbd: Add clarifying comment on mode change on
 overwritten files.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 source3/smbd/open.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 9d581a53359..1b83e8403d2 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -3786,6 +3786,25 @@ static NTSTATUS open_file_ntcreate(connection_struct *conn,
 		}
 
 	} else if (new_unx_mode) {
+		/*
+		 * We only get here in the case of:
+		 *
+		 * a). Not a POSIX open.
+		 * b). File already existed.
+		 * c). File was overwritten.
+		 * d). Requested DOS attributes didn't match
+		 *     the DOS attributes on the existing file.
+		 *
+		 * In that case new_unx_mode has been set
+		 * equal to the calculated mode (including
+		 * possible inheritance of the mode from the
+		 * containing directory).
+		 *
+		 * Note this mode was calculated with the
+		 * DOS attribute FILE_ATTRIBUTE_ARCHIVE added,
+		 * so the mode change here is suitable for
+		 * an overwritten file.
+		 */
 
 		int ret = -1;
 
-- 
2.17.0.441.gb46fe60e1d-goog


From e38881b551a2dcd0f65ef293a314761f98b9718d Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Thu, 17 May 2018 10:27:11 -0700
Subject: [PATCH 03/21] s3: smbd: Remove use of SMB_VFS_FCHMOD_ACL() in
 overwrite case.

We have potentially called SMB_VFS_FCHMOD() here in
the file_set_dosmode() call associated with the comment
/* Overwritten files should be initially set as archive */
at line 3755 above, so there is no need to do any POSIX ACL
mask protection.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 source3/smbd/open.c | 29 +++++------------------------
 1 file changed, 5 insertions(+), 24 deletions(-)

diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 1b83e8403d2..7763a095733 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -3806,32 +3806,13 @@ static NTSTATUS open_file_ntcreate(connection_struct *conn,
 		 * an overwritten file.
 		 */
 
-		int ret = -1;
-
-		/* Attributes need changing. File already existed. */
-
-		{
-			int saved_errno = errno; /* We might get ENOSYS in the
-						  * next call.. */
-			ret = SMB_VFS_FCHMOD_ACL(fsp, new_unx_mode);
-
-			if (ret == -1 && errno == ENOSYS) {
-				errno = saved_errno; /* Ignore ENOSYS */
-			} else {
-				DEBUG(5, ("open_file_ntcreate: reset "
-					  "attributes of file %s to 0%o\n",
-					  smb_fname_str_dbg(smb_fname),
-					  (unsigned int)new_unx_mode));
-				ret = 0; /* Don't do the fchmod below. */
-			}
-		}
-
-		if ((ret == -1) &&
-		    (SMB_VFS_FCHMOD(fsp, new_unx_mode) == -1))
-			DEBUG(5, ("open_file_ntcreate: failed to reset "
+		int ret = SMB_VFS_FCHMOD(fsp, new_unx_mode);
+		if (ret == -1) {
+			DBG_INFO("failed to reset "
 				  "attributes of file %s to 0%o\n",
 				  smb_fname_str_dbg(smb_fname),
-				  (unsigned int)new_unx_mode));
+				  (unsigned int)new_unx_mode);
+		}
 	}
 
 	{
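Review bot: The new failure branch after `SMB_VFS_FCHMOD(fsp, new_unx_mode)` logs at DBG_INFO without the errno text and then carries on with the open. An overwritten file that keeps its previous mode is therefore hard to spot or diagnose from the logs. I would include the reason and consider a more visible level, for example `DBG_WARNING("failed to reset attributes of file %s to 0%o: %s\n", smb_fname_str_dbg(smb_fname), (unsigned int)new_unx_mode, strerror(errno));`. The removed code restored `saved_errno` in the ENOSYS case, whereas a failed call now leaves errno changed; the rest of open_file_ntcreate is outside this hunk, so it is worth confirming nothing later reads errno. The DBG_INFO added for `unx_mode` in patch 06 has the same shape.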
-- 
2.17.0.441.gb46fe60e1d-goog


From aa063b9b60e3259449206e3f6774cd2f586e3a3e Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Thu, 17 May 2018 10:33:38 -0700
Subject: [PATCH 04/21] s3: smbd: optimization. Only do the FCHMOD call if
 needed.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 source3/smbd/open.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 7763a095733..99e0e0462e3 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -3806,12 +3806,14 @@ static NTSTATUS open_file_ntcreate(connection_struct *conn,
 		 * an overwritten file.
 		 */
 
-		int ret = SMB_VFS_FCHMOD(fsp, new_unx_mode);
-		if (ret == -1) {
-			DBG_INFO("failed to reset "
+		if (new_unx_mode != smb_fname->st.st_ex_mode) {
+			int ret = SMB_VFS_FCHMOD(fsp, new_unx_mode);
+			if (ret == -1) {
+				DBG_INFO("failed to reset "
 				  "attributes of file %s to 0%o\n",
 				  smb_fname_str_dbg(smb_fname),
 				  (unsigned int)new_unx_mode);
+			}
 		}
 	}
 
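Review bot: The guard `new_unx_mode != smb_fname->st.st_ex_mode` compares against the full stat mode, which carries the file-type bits as well as the permission bits. If new_unx_mode holds only permission bits (its computation is outside this hunk), the two never compare equal for an existing file, the FCHMOD is always issued, and the optimisation does nothing. Comparing against the masked value would express the intent: `if (new_unx_mode != (smb_fname->st.st_ex_mode & ~S_IFMT)) {`. It is also worth confirming that smb_fname->st is refreshed after the overwrite, because a stale cached mode could make the guard skip a mode reset that is needed. The same comparison is added for `unx_mode` in patch 05 and kept in patch 06.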
-- 
2.17.0.441.gb46fe60e1d-goog


From 2313a6c7191452f9ff882fc9bdcc21148fb6fbd6 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Thu, 17 May 2018 10:35:58 -0700
Subject: [PATCH 05/21] s3: smbd: Optimization. Only do the FCHMOD_ACL call if
 mode bits not equal.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 source3/smbd/open.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 99e0e0462e3..e98936559f8 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -3776,13 +3776,14 @@ static NTSTATUS open_file_ntcreate(connection_struct *conn,
 	 */
 
 	if (!posix_open && new_file_created && !def_acl) {
+		if (unx_mode != smb_fname->st.st_ex_mode) {
+			/* We might get ENOSYS in the next call.. */
+			int saved_errno = errno;
 
-		int saved_errno = errno; /* We might get ENOSYS in the next
-					  * call.. */
-
-		if (SMB_VFS_FCHMOD_ACL(fsp, unx_mode) == -1 &&
-		    errno == ENOSYS) {
-			errno = saved_errno; /* Ignore ENOSYS */
+			if (SMB_VFS_FCHMOD_ACL(fsp, unx_mode) == -1 &&
+			    errno == ENOSYS) {
+				errno = saved_errno; /* Ignore ENOSYS */
+			}
 		}
 
 	} else if (new_unx_mode) {
-- 
2.17.0.441.gb46fe60e1d-goog


From f650c61634844eb4966dbaef4dbdd8bf6810ee73 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Thu, 17 May 2018 10:38:34 -0700
Subject: [PATCH 06/21] s3: smbd: Use FCHMOD call, not FCHMOD_ACL call if mode
 bits reset needed.

This is a behavior change: it will change the POSIX ACL mask
away from a value of rwx, instead of modifying the existing ACE
entries by ANDing them with the passed-in mode. However, it
will have no effect on the underlying permissions, and
better reflects the proper use of POSIX ACLs (i.e. I
didn't understand the use of the mask entry in the
ACL when I first wrote the POSIX ACL code).

In addition, the vfs_acl_common.c module already
filters these calls for all but POSIX opens, which
means the only place this change is exposed to the
client would be a cifsfs unix extensions client doing
posix acl calls (and they would expect the mask to
be set like this on chmod).

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 source3/smbd/open.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index e98936559f8..c54d380c7b5 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -3777,12 +3777,12 @@ static NTSTATUS open_file_ntcreate(connection_struct *conn,
 
 	if (!posix_open && new_file_created && !def_acl) {
 		if (unx_mode != smb_fname->st.st_ex_mode) {
-			/* We might get ENOSYS in the next call.. */
-			int saved_errno = errno;
-
-			if (SMB_VFS_FCHMOD_ACL(fsp, unx_mode) == -1 &&
-			    errno == ENOSYS) {
-				errno = saved_errno; /* Ignore ENOSYS */
+			int ret = SMB_VFS_FCHMOD(fsp, unx_mode);
+			if (ret == -1) {
+				DBG_INFO("failed to reset "
+				  "attributes of file %s to 0%o\n",
+				  smb_fname_str_dbg(smb_fname),
+				  (unsigned int)unx_mode);
 			}
 		}
 
-- 
2.17.0.441.gb46fe60e1d-goog


From 8741e4907df7282191ca9805f605494bc63f3cfd Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Thu, 17 May 2018 11:03:53 -0700
Subject: [PATCH 07/21] s3: modules: vfs_default: Remove CHMOD_ACL in mkdir.

Now I understand the use of the mask in POSIX ACLs
this extra step is no longer needed. If the mkdir
succeeded it's already set the correct mode.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 source3/modules/vfs_default.c | 18 +-----------------
 1 file changed, 1 insertion(+), 17 deletions(-)

diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index e335e270650..956cebfd592 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -498,7 +498,6 @@ static int vfswrap_mkdir(vfs_handle_struct *handle,
 			mode_t mode)
 {
 	int result;
-	bool has_dacl = False;
 	const char *path = smb_fname->base_name;
 	char *parent = NULL;
 
@@ -506,7 +505,7 @@ static int vfswrap_mkdir(vfs_handle_struct *handle,
 
 	if (lp_inherit_acls(SNUM(handle->conn))
 	    && parent_dirname(talloc_tos(), path, &parent, NULL)
-	    && (has_dacl = directory_has_default_acl(handle->conn, parent))) {
+	    && directory_has_default_acl(handle->conn, parent)) {
 		mode = (0777 & lp_directory_mask(SNUM(handle->conn)));
 	}
 
@@ -514,21 +513,6 @@ static int vfswrap_mkdir(vfs_handle_struct *handle,
 
 	result = mkdir(path, mode);
 
-	if (result == 0 && !has_dacl) {
-		/*
-		 * We need to do this as the default behavior of POSIX ACLs
-		 * is to set the mask to be the requested group permission
-		 * bits, not the group permission bits to be the requested
-		 * group permission bits. This is not what we want, as it will
-		 * mess up any inherited ACL bits that were set. JRA.
-		 */
-		int saved_errno = errno; /* We may get ENOSYS */
-		if ((SMB_VFS_CHMOD_ACL(handle->conn, smb_fname, mode) == -1) &&
-				(errno == ENOSYS)) {
-			errno = saved_errno;
-		}
-	}
-
 	END_PROFILE(syscall_mkdir);
 	return result;
 }
-- 
2.17.0.441.gb46fe60e1d-goog


From dc5ef3173465515705b657b9801a14501aa074a0 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Thu, 17 May 2018 11:05:20 -0700
Subject: [PATCH 08/21] s3: modules: vfs_default: Remove CHMOD_ACL in chmod.

Now I understand the use of the mask in POSIX ACLs
this extra step is no longer needed.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 source3/modules/vfs_default.c | 21 ---------------------
 1 file changed, 21 deletions(-)

diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index 956cebfd592..a2bc7c0e9f9 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -1983,27 +1983,6 @@ static int vfswrap_chmod(vfs_handle_struct *handle,
 	int result;
 
 	START_PROFILE(syscall_chmod);
-
-	/*
-	 * We need to do this due to the fact that the default POSIX ACL
-	 * chmod modifies the ACL *mask* for the group owner, not the
-	 * group owner bits directly. JRA.
-	 */
-
-
-	{
-		int saved_errno = errno; /* We might get ENOSYS */
-		result = SMB_VFS_CHMOD_ACL(handle->conn,
-				smb_fname,
-				mode);
-		if (result == 0) {
-			END_PROFILE(syscall_chmod);
-			return result;
-		}
-		/* Error - return the old errno. */
-		errno = saved_errno;
-	}
-
 	result = chmod(smb_fname->base_name, mode);
 	END_PROFILE(syscall_chmod);
 	return result;
-- 
2.17.0.441.gb46fe60e1d-goog


From 60e37cb9f81033c566ea2cf60a96aef4c34eb74c Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Thu, 17 May 2018 11:18:12 -0700
Subject: [PATCH 09/21] s3: modules: vfs_ceph: Remove CHMOD_ACL in
 cephwrap_mkdir().

Now I understand the use of the mask in POSIX ACLs
this extra step is no longer needed.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 source3/modules/vfs_ceph.c | 27 +++------------------------
 1 file changed, 3 insertions(+), 24 deletions(-)

diff --git a/source3/modules/vfs_ceph.c b/source3/modules/vfs_ceph.c
index bac88581133..f3b651b894e 100644
--- a/source3/modules/vfs_ceph.c
+++ b/source3/modules/vfs_ceph.c
@@ -368,7 +368,6 @@ static int cephwrap_mkdir(struct vfs_handle_struct *handle,
 			  mode_t mode)
 {
 	int result;
-	bool has_dacl = False;
 	char *parent = NULL;
 	const char *path = smb_fname->base_name;
 
@@ -376,34 +375,14 @@ static int cephwrap_mkdir(struct vfs_handle_struct *handle,
 
 	if (lp_inherit_acls(SNUM(handle->conn))
 	    && parent_dirname(talloc_tos(), path, &parent, NULL)
-	    && (has_dacl = directory_has_default_acl(handle->conn, parent)))
+	    && directory_has_default_acl(handle->conn, parent)) {
 		mode = 0777;
+	}
 
 	TALLOC_FREE(parent);
 
 	result = ceph_mkdir(handle->data, path, mode);
-
-	/*
-	 * Note. This order is important
-	 */
-	if (result) {
-		WRAP_RETURN(result);
-	} else if (result == 0 && !has_dacl) {
-		/*
-		 * We need to do this as the default behavior of POSIX ACLs
-		 * is to set the mask to be the requested group permission
-		 * bits, not the group permission bits to be the requested
-		 * group permission bits. This is not what we want, as it will
-		 * mess up any inherited ACL bits that were set. JRA.
-		 */
-		int saved_errno = errno; /* We may get ENOSYS */
-		if ((SMB_VFS_CHMOD_ACL(handle->conn, smb_fname, mode) == -1) &&
-				(errno == ENOSYS)) {
-			errno = saved_errno;
-		}
-	}
-
-	return result;
+	return WRAP_RETURN(result);
 }
 
 static int cephwrap_rmdir(struct vfs_handle_struct *handle,
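Review bot: `return WRAP_RETURN(result);` at the end of cephwrap_mkdir uses the macro as an expression, while every other use on this page is a bare statement: `WRAP_RETURN(result);` in the branch removed here and at the end of cephwrap_chmod in patch 10. That suggests the macro performs the return itself. Its definition is outside this hunk, but if it expands to several statements, the leading `return` binds only to the first one and the errno translation of a failed ceph_mkdir() is skipped. A failed mkdir could then be reported to the caller as success. Writing it as the other call sites do, `WRAP_RETURN(result);`, avoids that.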
-- 
2.17.0.441.gb46fe60e1d-goog


From 899848786a1cebac8c64423f7630249c84422872 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Thu, 17 May 2018 11:19:33 -0700
Subject: [PATCH 10/21] s3: modules: vfs_ceph: Remove CHMOD_ACL in
 cephwrap_chmod().

Now I understand the use of the mask in POSIX ACLs
this extra step is no longer needed.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 source3/modules/vfs_ceph.c | 20 --------------------
 1 file changed, 20 deletions(-)

diff --git a/source3/modules/vfs_ceph.c b/source3/modules/vfs_ceph.c
index f3b651b894e..818d0cb5490 100644
--- a/source3/modules/vfs_ceph.c
+++ b/source3/modules/vfs_ceph.c
@@ -946,26 +946,6 @@ static int cephwrap_chmod(struct vfs_handle_struct *handle,
 	int result;
 
 	DBG_DEBUG("[CEPH] chmod(%p, %s, %d)\n", handle, smb_fname->base_name, mode);
-
-	/*
-	 * We need to do this due to the fact that the default POSIX ACL
-	 * chmod modifies the ACL *mask* for the group owner, not the
-	 * group owner bits directly. JRA.
-	 */
-
-
-	{
-		int saved_errno = errno; /* We might get ENOSYS */
-		result = SMB_VFS_CHMOD_ACL(handle->conn,
-					smb_fname,
-					mode);
-		if (result == 0) {
-			return result;
-		}
-		/* Error - return the old errno. */
-		errno = saved_errno;
-	}
-
 	result = ceph_chmod(handle->data, smb_fname->base_name, mode);
 	DBG_DEBUG("[CEPH] chmod(...) = %d\n", result);
 	WRAP_RETURN(result);
-- 
2.17.0.441.gb46fe60e1d-goog


From f5d003a170711878570a8755cf3164b8684220b7 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Thu, 17 May 2018 11:21:14 -0700
Subject: [PATCH 11/21] s3: torture: Remove cmd_chmod_acl().

No longer needed.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 docs-xml/manpages/vfstest.1.xml |  1 -
 source3/torture/cmd_vfs.c       | 32 --------------------------------
 2 files changed, 33 deletions(-)

diff --git a/docs-xml/manpages/vfstest.1.xml b/docs-xml/manpages/vfstest.1.xml
index 9990e2778b1..5a4ea1254b9 100644
--- a/docs-xml/manpages/vfstest.1.xml
+++ b/docs-xml/manpages/vfstest.1.xml
@@ -125,7 +125,6 @@
 		<listitem><para><command>fset_nt_acl</command> - VFS fset_nt_acl()</para></listitem>
 		<listitem><para><command>set_nt_acl</command> - VFS open() and fset_nt_acl()</para></listitem>
 		<listitem><para><command>fchmod_acl</command> - VFS fchmod_acl()</para></listitem>
-		<listitem><para><command>chmod_acl</command> - VFS chmod_acl()</para></listitem>
 		<listitem><para><command>sys_acl_get_file</command> - VFS sys_acl_get_file()</para></listitem>
 		<listitem><para><command>sys_acl_get_fd</command> - VFS sys_acl_get_fd()</para></listitem>
 		<listitem><para><command>sys_acl_blob_get_file</command> - VFS sys_acl_blob_get_file()</para></listitem>
diff --git a/source3/torture/cmd_vfs.c b/source3/torture/cmd_vfs.c
index a8c7685e1d3..793faf09d12 100644
--- a/source3/torture/cmd_vfs.c
+++ b/source3/torture/cmd_vfs.c
@@ -930,37 +930,6 @@ static NTSTATUS cmd_fchmod(struct vfs_state *vfs, TALLOC_CTX *mem_ctx, int argc,
 	return NT_STATUS_OK;
 }
 
-
-static NTSTATUS cmd_chmod_acl(struct vfs_state *vfs, TALLOC_CTX *mem_ctx, int argc, const char **argv)
-{
-	struct smb_filename *smb_fname = NULL;
-	mode_t mode;
-	if (argc != 3) {
-		printf("Usage: chmod_acl <path> <mode>\n");
-		return NT_STATUS_OK;
-	}
-
-	mode = atoi(argv[2]);
-
-	smb_fname = synthetic_smb_fname(talloc_tos(),
-					argv[1],
-					NULL,
-					NULL,
-					ssf_flags());
-	if (smb_fname == NULL) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	if (SMB_VFS_CHMOD_ACL(vfs->conn, smb_fname, mode) == -1) {
-		printf("chmod_acl: error=%d (%s)\n", errno, strerror(errno));
-		return NT_STATUS_UNSUCCESSFUL;
-	}
-
-	printf("chmod_acl: ok\n");
-	return NT_STATUS_OK;
-}
-
-
 static NTSTATUS cmd_fchmod_acl(struct vfs_state *vfs, TALLOC_CTX *mem_ctx, int argc, const char **argv)
 {
 	int fd;
@@ -2055,7 +2024,6 @@ struct cmd_set vfs_commands[] = {
 	{ "set_nt_acl", cmd_set_nt_acl, "VFS open() and fset_nt_acl()", 
 	  "set_nt_acl <file>\n" },
 	{ "fchmod_acl",   cmd_fchmod_acl,   "VFS fchmod_acl()",    "fchmod_acl <fd> <mode>" },
-	{ "chmod_acl",   cmd_chmod_acl,   "VFS chmod_acl()",    "chmod_acl <path> <mode>" },
 	{ "sys_acl_get_file", cmd_sys_acl_get_file, "VFS sys_acl_get_file()", "sys_acl_get_file <path>" },
 	{ "sys_acl_get_fd", cmd_sys_acl_get_fd, "VFS sys_acl_get_fd()", "sys_acl_get_fd <fd>" },
 	{ "sys_acl_blob_get_file", cmd_sys_acl_blob_get_file,
-- 
2.17.0.441.gb46fe60e1d-goog


From 0b69b212867073b103c7265b74a1d62a77869a7d Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Thu, 17 May 2018 11:32:58 -0700
Subject: [PATCH 12/21] s3: VFS: Remove SMB_VFS_CHMOD_ACL().

No longer used.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 docs-xml/Samba-Developers-Guide/vfs.xml |  1 -
 docs-xml/manpages/vfs_audit.8.xml       |  1 -
 docs-xml/manpages/vfs_full_audit.8.xml  |  1 -
 examples/VFS/skel_opaque.c              |  9 -----
 examples/VFS/skel_transparent.c         |  8 ----
 source3/include/smbprofile.h            |  1 -
 source3/include/vfs.h                   |  4 +-
 source3/include/vfs_macros.h            |  5 ---
 source3/modules/vfs_acl_common.c        | 11 ------
 source3/modules/vfs_acl_tdb.c           |  1 -
 source3/modules/vfs_acl_xattr.c         |  1 -
 source3/modules/vfs_audit.c             | 17 ---------
 source3/modules/vfs_cap.c               | 34 -----------------
 source3/modules/vfs_catia.c             | 39 --------------------
 source3/modules/vfs_default.c           | 18 ---------
 source3/modules/vfs_extd_audit.c        | 23 ------------
 source3/modules/vfs_full_audit.c        | 17 ---------
 source3/modules/vfs_glusterfs.c         |  1 -
 source3/modules/vfs_linux_xfs_sgid.c    |  9 -----
 source3/modules/vfs_media_harmony.c     | 35 ------------------
 source3/modules/vfs_shadow_copy2.c      | 49 -------------------------
 source3/modules/vfs_snapper.c           | 45 -----------------------
 source3/modules/vfs_time_audit.c        | 25 -------------
 source3/modules/vfs_unityed_media.c     | 32 ----------------
 source3/smbd/vfs.c                      |  8 ----
 25 files changed, 1 insertion(+), 394 deletions(-)

diff --git a/docs-xml/Samba-Developers-Guide/vfs.xml b/docs-xml/Samba-Developers-Guide/vfs.xml
index 99ef33ff3fb..4c4e39c4fc3 100644
--- a/docs-xml/Samba-Developers-Guide/vfs.xml
+++ b/docs-xml/Samba-Developers-Guide/vfs.xml
@@ -630,7 +630,6 @@ struct vfs_ops example_ops = {
 	NULL,				/* fset_nt_acl */
 	NULL,				/* set_nt_acl */
 
-	NULL,				/* chmod_acl */
 	NULL,				/* fchmod_acl */
 
 	NULL,				/* sys_acl_get_entry */
diff --git a/docs-xml/manpages/vfs_audit.8.xml b/docs-xml/manpages/vfs_audit.8.xml
index d2b0e9045e7..e04e9572af0 100644
--- a/docs-xml/manpages/vfs_audit.8.xml
+++ b/docs-xml/manpages/vfs_audit.8.xml
@@ -47,7 +47,6 @@
 	<member>unlink</member>
 	<member>chmod</member>
 	<member>fchmod</member>
-	<member>chmod_acl</member>
 	<member>fchmod_acl</member>
 	</simplelist>
 
diff --git a/docs-xml/manpages/vfs_full_audit.8.xml b/docs-xml/manpages/vfs_full_audit.8.xml
index 392c7e4b177..68df0a20747 100644
--- a/docs-xml/manpages/vfs_full_audit.8.xml
+++ b/docs-xml/manpages/vfs_full_audit.8.xml
@@ -41,7 +41,6 @@
         <member>chdir</member>
         <member>chflags</member>
         <member>chmod</member>
-        <member>chmod_acl</member>
         <member>chown</member>
         <member>close</member>
         <member>closedir</member>
diff --git a/examples/VFS/skel_opaque.c b/examples/VFS/skel_opaque.c
index 5529ec76aa1..61fa21b679c 100644
--- a/examples/VFS/skel_opaque.c
+++ b/examples/VFS/skel_opaque.c
@@ -751,14 +751,6 @@ static NTSTATUS skel_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
 	return NT_STATUS_NOT_IMPLEMENTED;
 }
 
-static int skel_chmod_acl(vfs_handle_struct *handle,
-			const struct smb_filename *smb_fname,
-			mode_t mode)
-{
-	errno = ENOSYS;
-	return -1;
-}
-
 static int skel_fchmod_acl(vfs_handle_struct *handle, files_struct *fsp,
 			   mode_t mode)
 {
@@ -1005,7 +997,6 @@ struct vfs_fn_pointers skel_opaque_fns = {
 
 	/* POSIX ACL operations. */
 
-	.chmod_acl_fn = skel_chmod_acl,
 	.fchmod_acl_fn = skel_fchmod_acl,
 
 	.sys_acl_get_file_fn = skel_sys_acl_get_file,
diff --git a/examples/VFS/skel_transparent.c b/examples/VFS/skel_transparent.c
index fde24fbc4db..018a18768ac 100644
--- a/examples/VFS/skel_transparent.c
+++ b/examples/VFS/skel_transparent.c
@@ -942,13 +942,6 @@ static NTSTATUS skel_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
 	return SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
 }
 
-static int skel_chmod_acl(vfs_handle_struct *handle,
-			const struct smb_filename *smb_fname,
-			mode_t mode)
-{
-	return SMB_VFS_NEXT_CHMOD_ACL(handle, smb_fname, mode);
-}
-
 static int skel_fchmod_acl(vfs_handle_struct *handle, files_struct *fsp,
 			   mode_t mode)
 {
@@ -1181,7 +1174,6 @@ struct vfs_fn_pointers skel_transparent_fns = {
 
 	/* POSIX ACL operations. */
 
-	.chmod_acl_fn = skel_chmod_acl,
 	.fchmod_acl_fn = skel_fchmod_acl,
 
 	.sys_acl_get_file_fn = skel_sys_acl_get_file,
diff --git a/source3/include/smbprofile.h b/source3/include/smbprofile.h
index a4c3f241eba..3c8ba2d8e2a 100644
--- a/source3/include/smbprofile.h
+++ b/source3/include/smbprofile.h
@@ -101,7 +101,6 @@ struct tevent_context;
 	SMBPROFILE_STATS_BASIC(get_nt_acl) \
 	SMBPROFILE_STATS_BASIC(fget_nt_acl) \
 	SMBPROFILE_STATS_BASIC(fset_nt_acl) \
-	SMBPROFILE_STATS_BASIC(chmod_acl) \
 	SMBPROFILE_STATS_BASIC(fchmod_acl) \
 	SMBPROFILE_STATS_SECTION_END \
 	\
diff --git a/source3/include/vfs.h b/source3/include/vfs.h
index cc7948a115d..48d97b133c9 100644
--- a/source3/include/vfs.h
+++ b/source3/include/vfs.h
@@ -251,6 +251,7 @@
 		All users are now pread or async versions. */
 /* Version 39 - Remove SMB_VFS_WRITE
 		All users are now pwrite or async versions. */
+/* Version 39 - Remove SMB_VFS_CHMOD_ACL - no longer used. */
 
 #define SMB_VFS_INTERFACE_VERSION 39
 
@@ -916,9 +917,6 @@ struct vfs_fn_pointers {
 
 	/* POSIX ACL operations. */
 
-	int (*chmod_acl_fn)(struct vfs_handle_struct *handle,
-					const struct smb_filename *smb_fname,
-					mode_t mode);
 	int (*fchmod_acl_fn)(struct vfs_handle_struct *handle, struct files_struct *fsp, mode_t mode);
 
 	SMB_ACL_T (*sys_acl_get_file_fn)(struct vfs_handle_struct *handle,
diff --git a/source3/include/vfs_macros.h b/source3/include/vfs_macros.h
index d4836134697..dda275fa968 100644
--- a/source3/include/vfs_macros.h
+++ b/source3/include/vfs_macros.h
@@ -460,11 +460,6 @@
 #define SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd) \
 	smb_vfs_call_fset_nt_acl((handle)->next, (fsp), (security_info_sent), (psd))
 
-#define SMB_VFS_CHMOD_ACL(conn, smb_fname, mode) \
-	smb_vfs_call_chmod_acl((conn)->vfs_handles, (smb_fname), (mode))
-#define SMB_VFS_NEXT_CHMOD_ACL(handle, smb_fname, mode) \
-	smb_vfs_call_chmod_acl((handle)->next, (smb_fname), (mode))
-
 #define SMB_VFS_FCHMOD_ACL(fsp, mode) \
 	smb_vfs_call_fchmod_acl((fsp)->conn->vfs_handles, (fsp), (mode))
 #define SMB_VFS_NEXT_FCHMOD_ACL(handle, fsp, mode) \
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index 5b2b2ef60e3..0fd625bec1d 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -1245,17 +1245,6 @@ int fchmod_acl_module_common(struct vfs_handle_struct *handle,
 	return 0;
 }
 
-int chmod_acl_acl_module_common(struct vfs_handle_struct *handle,
-				const struct smb_filename *smb_fname,
-				mode_t mode)
-{
-	if (smb_fname->flags & SMB_FILENAME_POSIX_PATH) {
-		/* Only allow this on POSIX pathnames. */
-		return SMB_VFS_NEXT_CHMOD_ACL(handle, smb_fname, mode);
-	}
-	return 0;
-}
-
 int fchmod_acl_acl_module_common(struct vfs_handle_struct *handle,
 				 struct files_struct *fsp, mode_t mode)
 {
diff --git a/source3/modules/vfs_acl_tdb.c b/source3/modules/vfs_acl_tdb.c
index c5ffa5e305b..4b61c274441 100644
--- a/source3/modules/vfs_acl_tdb.c
+++ b/source3/modules/vfs_acl_tdb.c
@@ -496,7 +496,6 @@ static struct vfs_fn_pointers vfs_acl_tdb_fns = {
 	.fget_nt_acl_fn = acl_tdb_fget_nt_acl,
 	.get_nt_acl_fn = acl_tdb_get_nt_acl,
 	.fset_nt_acl_fn = acl_tdb_fset_nt_acl,
-	.chmod_acl_fn = chmod_acl_acl_module_common,
 	.fchmod_acl_fn = fchmod_acl_acl_module_common,
 	.sys_acl_set_file_fn = sys_acl_set_file_tdb,
 	.sys_acl_set_fd_fn = sys_acl_set_fd_tdb
diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c
index 38ad81cc244..62d26781fd5 100644
--- a/source3/modules/vfs_acl_xattr.c
+++ b/source3/modules/vfs_acl_xattr.c
@@ -323,7 +323,6 @@ static struct vfs_fn_pointers vfs_acl_xattr_fns = {
 	.fget_nt_acl_fn = acl_xattr_fget_nt_acl,
 	.get_nt_acl_fn = acl_xattr_get_nt_acl,
 	.fset_nt_acl_fn = acl_xattr_fset_nt_acl,
-	.chmod_acl_fn = chmod_acl_acl_module_common,
 	.fchmod_acl_fn = fchmod_acl_acl_module_common,
 	.sys_acl_set_file_fn = sys_acl_set_file_xattr,
 	.sys_acl_set_fd_fn = sys_acl_set_fd_xattr
diff --git a/source3/modules/vfs_audit.c b/source3/modules/vfs_audit.c
index 12477d5b01f..f34bcd19161 100644
--- a/source3/modules/vfs_audit.c
+++ b/source3/modules/vfs_audit.c
@@ -233,22 +233,6 @@ static int audit_chmod(vfs_handle_struct *handle,
 	return result;
 }
 
-static int audit_chmod_acl(vfs_handle_struct *handle,
-			const struct smb_filename *smb_fname,
-			mode_t mode)
-{
-	int result;
-
-	result = SMB_VFS_NEXT_CHMOD_ACL(handle, smb_fname, mode);
-
-	syslog(audit_syslog_priority(handle), "chmod_acl %s mode 0x%x %s%s\n",
-	       smb_fname->base_name, mode,
-	       (result < 0) ? "failed: " : "",
-	       (result < 0) ? strerror(errno) : "");
-
-	return result;
-}
-
 static int audit_fchmod(vfs_handle_struct *handle, files_struct *fsp, mode_t mode)
 {
 	int result;
@@ -289,7 +273,6 @@ static struct vfs_fn_pointers vfs_audit_fns = {
 	.unlink_fn = audit_unlink,
 	.chmod_fn = audit_chmod,
 	.fchmod_fn = audit_fchmod,
-	.chmod_acl_fn = audit_chmod_acl,
 	.fchmod_acl_fn = audit_fchmod_acl
 };
 
diff --git a/source3/modules/vfs_cap.c b/source3/modules/vfs_cap.c
index 0684c794c76..ffc35d60407 100644
--- a/source3/modules/vfs_cap.c
+++ b/source3/modules/vfs_cap.c
@@ -703,39 +703,6 @@ static struct smb_filename *cap_realpath(vfs_handle_struct *handle,
 	return return_fname;
 }
 
-static int cap_chmod_acl(vfs_handle_struct *handle,
-			const struct smb_filename *smb_fname,
-			mode_t mode)
-{
-	struct smb_filename *cap_smb_fname = NULL;
-	char *cappath = capencode(talloc_tos(), smb_fname->base_name);
-	int ret;
-	int saved_errno;
-
-	/* If the underlying VFS doesn't have ACL support... */
-	if (!cappath) {
-		errno = ENOMEM;
-		return -1;
-	}
-	cap_smb_fname = synthetic_smb_fname(talloc_tos(),
-					cappath,
-					NULL,
-					NULL,
-					smb_fname->flags);
-	if (cap_smb_fname == NULL) {
-		TALLOC_FREE(cappath);
-		errno = ENOMEM;
-		return -1;
-	}
-
-	ret = SMB_VFS_NEXT_CHMOD_ACL(handle, cap_smb_fname, mode);
-	saved_errno = errno;
-	TALLOC_FREE(cappath);
-	TALLOC_FREE(cap_smb_fname);
-	errno = saved_errno;
-	return ret;
-}
-
 static SMB_ACL_T cap_sys_acl_get_file(vfs_handle_struct *handle,
 				const struct smb_filename *smb_fname,
 				SMB_ACL_TYPE_T type,
@@ -1056,7 +1023,6 @@ static struct vfs_fn_pointers vfs_cap_fns = {
 	.link_fn = cap_link,
 	.mknod_fn = cap_mknod,
 	.realpath_fn = cap_realpath,
-	.chmod_acl_fn = cap_chmod_acl,
 	.sys_acl_get_file_fn = cap_sys_acl_get_file,
 	.sys_acl_set_file_fn = cap_sys_acl_set_file,
 	.sys_acl_delete_def_file_fn = cap_sys_acl_delete_def_file,
diff --git a/source3/modules/vfs_catia.c b/source3/modules/vfs_catia.c
index ed22fa833b3..d26f7978290 100644
--- a/source3/modules/vfs_catia.c
+++ b/source3/modules/vfs_catia.c
@@ -1128,44 +1128,6 @@ catia_get_nt_acl(struct vfs_handle_struct *handle,
 	return status;
 }
 
-static int
-catia_chmod_acl(vfs_handle_struct *handle,
-		const struct smb_filename *smb_fname,
-		mode_t mode)
-{
-	char *mapped_name = NULL;
-	struct smb_filename *mapped_smb_fname = NULL;
-	NTSTATUS status;
-	int ret;
-	int saved_errno;
-
-	status = catia_string_replace_allocate(handle->conn,
-				smb_fname->base_name,
-				&mapped_name,
-				vfs_translate_to_unix);
-	if (!NT_STATUS_IS_OK(status)) {
-		errno = map_errno_from_nt_status(status);
-		return -1;
-	}
-
-	mapped_smb_fname = synthetic_smb_fname(talloc_tos(),
-					mapped_name,
-					NULL,
-					NULL,
-					smb_fname->flags);
-	if (mapped_smb_fname == NULL) {
-		TALLOC_FREE(mapped_name);
-		errno = ENOMEM;
-		return -1;
-	}
-	ret = SMB_VFS_NEXT_CHMOD_ACL(handle, mapped_smb_fname, mode);
-	saved_errno = errno;
-	TALLOC_FREE(mapped_name);
-	TALLOC_FREE(mapped_smb_fname);
-	errno = saved_errno;
-	return ret;
-}
-
 static SMB_ACL_T
 catia_sys_acl_get_file(vfs_handle_struct *handle,
 			const struct smb_filename *smb_fname,
@@ -2516,7 +2478,6 @@ static struct vfs_fn_pointers vfs_catia_fns = {
 	.fset_nt_acl_fn = catia_fset_nt_acl,
 
 	/* POSIX ACL operations. */
-	.chmod_acl_fn = catia_chmod_acl,
 	.fchmod_acl_fn = catia_fchmod_acl,
 
 	.sys_acl_get_file_fn = catia_sys_acl_get_file,
diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index a2bc7c0e9f9..d05015fd297 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -2691,23 +2691,6 @@ static NTSTATUS vfswrap_audit_file(struct vfs_handle_struct *handle,
 	return NT_STATUS_OK; /* Nothing to do here ... */
 }
 
-static int vfswrap_chmod_acl(vfs_handle_struct *handle,
-				const struct smb_filename *smb_fname,
-				mode_t mode)
-{
-#ifdef HAVE_NO_ACL
-	errno = ENOSYS;
-	return -1;
-#else
-	int result;
-
-	START_PROFILE(chmod_acl);
-	result = chmod_acl(handle->conn, smb_fname, mode);
-	END_PROFILE(chmod_acl);
-	return result;
-#endif
-}
-
 static int vfswrap_fchmod_acl(vfs_handle_struct *handle, files_struct *fsp, mode_t mode)
 {
 #ifdef HAVE_NO_ACL
@@ -2984,7 +2967,6 @@ static struct vfs_fn_pointers vfs_default_fns = {
 
 	/* POSIX ACL operations. */
 
-	.chmod_acl_fn = vfswrap_chmod_acl,
 	.fchmod_acl_fn = vfswrap_fchmod_acl,
 
 	.sys_acl_get_file_fn = vfswrap_sys_acl_get_file,
diff --git a/source3/modules/vfs_extd_audit.c b/source3/modules/vfs_extd_audit.c
index 7d1fe273978..abb019081e0 100644
--- a/source3/modules/vfs_extd_audit.c
+++ b/source3/modules/vfs_extd_audit.c
@@ -292,28 +292,6 @@ static int audit_chmod(vfs_handle_struct *handle,
 	return result;
 }
 
-static int audit_chmod_acl(vfs_handle_struct *handle,
-			const struct smb_filename *smb_fname,
-			mode_t mode)
-{
-	int result;
-
-	result = SMB_VFS_NEXT_CHMOD_ACL(handle, smb_fname, mode);
-
-	if (lp_syslog() > 0) {
-		syslog(audit_syslog_priority(handle), "chmod_acl %s mode 0x%x %s%s\n",
-		       smb_fname->base_name, mode,
-		       (result < 0) ? "failed: " : "",
-		       (result < 0) ? strerror(errno) : "");
-	}
-	DEBUG(1, ("vfs_extd_audit: chmod_acl %s mode 0x%x %s %s\n",
-	       smb_fname->base_name, (unsigned int)mode,
-	       (result < 0) ? "failed: " : "",
-	       (result < 0) ? strerror(errno) : ""));
-
-	return result;
-}
-
 static int audit_fchmod(vfs_handle_struct *handle, files_struct *fsp, mode_t mode)
 {
 	int result;
@@ -366,7 +344,6 @@ static struct vfs_fn_pointers vfs_extd_audit_fns = {
 	.unlink_fn = audit_unlink,
 	.chmod_fn = audit_chmod,
 	.fchmod_fn = audit_fchmod,
-	.chmod_acl_fn = audit_chmod_acl,
 	.fchmod_acl_fn = audit_fchmod_acl,
 };
 
diff --git a/source3/modules/vfs_full_audit.c b/source3/modules/vfs_full_audit.c
index ee8dbbcff2c..bb8c306ea40 100644
--- a/source3/modules/vfs_full_audit.c
+++ b/source3/modules/vfs_full_audit.c
@@ -191,7 +191,6 @@ typedef enum _vfs_op_type {
 
 	/* POSIX ACL operations. */
 
-	SMB_VFS_OP_CHMOD_ACL,
 	SMB_VFS_OP_FCHMOD_ACL,
 
 	SMB_VFS_OP_SYS_ACL_GET_FILE,
@@ -325,7 +324,6 @@ static struct {
 	{ SMB_VFS_OP_GET_NT_ACL,	"get_nt_acl" },
 	{ SMB_VFS_OP_FSET_NT_ACL,	"fset_nt_acl" },
 	{ SMB_VFS_OP_AUDIT_FILE,	"audit_file" },
-	{ SMB_VFS_OP_CHMOD_ACL,	"chmod_acl" },
 	{ SMB_VFS_OP_FCHMOD_ACL,	"fchmod_acl" },
 	{ SMB_VFS_OP_SYS_ACL_GET_FILE,	"sys_acl_get_file" },
 	{ SMB_VFS_OP_SYS_ACL_GET_FD,	"sys_acl_get_fd" },
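Review bot: Dropping the `"chmod_acl"` entry from this name table changes which operation names the module's audit lists can use, and nothing in the hunk documents that for administrators. A share whose `full_audit:success` or `full_audit:failure` list names `chmod_acl` now refers to an operation the table no longer contains; the lookup code is outside this hunk, so whether such a name is ignored or rejected needs checking. With the `_acl` calls gone from the VFS, a list that named only those variants would presumably stop recording permission changes, and the same goes for log matching on the `chmod_acl ... mode` syslog strings removed from vfs_audit.c and vfs_extd_audit.c. I would add a release-note line such as `full_audit: the chmod_acl and fchmod_acl operations are removed; list chmod and fchmod to keep auditing mode changes`.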
@@ -2132,20 +2130,6 @@ static NTSTATUS smb_full_audit_audit_file(struct vfs_handle_struct *handle,
 	return result;
 }
 
-static int smb_full_audit_chmod_acl(vfs_handle_struct *handle,
-				const struct smb_filename *smb_fname,
-				mode_t mode)
-{
-	int result;
-	
-	result = SMB_VFS_NEXT_CHMOD_ACL(handle, smb_fname, mode);
-
-	do_log(SMB_VFS_OP_CHMOD_ACL, (result >= 0), handle,
-	       "%s|%o", smb_fname->base_name, mode);
-
-	return result;
-}
-
 static int smb_full_audit_fchmod_acl(vfs_handle_struct *handle, files_struct *fsp,
 				     mode_t mode)
 {
@@ -2545,7 +2529,6 @@ static struct vfs_fn_pointers vfs_full_audit_fns = {
 	.get_nt_acl_fn = smb_full_audit_get_nt_acl,
 	.fset_nt_acl_fn = smb_full_audit_fset_nt_acl,
 	.audit_file_fn = smb_full_audit_audit_file,
-	.chmod_acl_fn = smb_full_audit_chmod_acl,
 	.fchmod_acl_fn = smb_full_audit_fchmod_acl,
 	.sys_acl_get_file_fn = smb_full_audit_sys_acl_get_file,
 	.sys_acl_get_fd_fn = smb_full_audit_sys_acl_get_fd,
diff --git a/source3/modules/vfs_glusterfs.c b/source3/modules/vfs_glusterfs.c
index b022e9869ff..f000906261c 100644
--- a/source3/modules/vfs_glusterfs.c
+++ b/source3/modules/vfs_glusterfs.c
@@ -1499,7 +1499,6 @@ static struct vfs_fn_pointers glusterfs_fns = {
 	.audit_file_fn = NULL,
 
 	/* Posix ACL Operations */
-	.chmod_acl_fn = NULL,	/* passthrough to default */
 	.fchmod_acl_fn = NULL,	/* passthrough to default */
 	.sys_acl_get_file_fn = posixacl_xattr_acl_get_file,
 	.sys_acl_get_fd_fn = posixacl_xattr_acl_get_fd,
diff --git a/source3/modules/vfs_linux_xfs_sgid.c b/source3/modules/vfs_linux_xfs_sgid.c
index ab41031d17f..b7c77069b89 100644
--- a/source3/modules/vfs_linux_xfs_sgid.c
+++ b/source3/modules/vfs_linux_xfs_sgid.c
@@ -95,17 +95,8 @@ static int linux_xfs_sgid_mkdir(vfs_handle_struct *handle,
 	return mkdir_res;
 }
 
-static int linux_xfs_sgid_chmod_acl(vfs_handle_struct *handle,
-			const struct smb_filename *smb_fname,
-			mode_t mode)
-{
-	errno = ENOSYS;
-	return -1;
-}
-
 static struct vfs_fn_pointers linux_xfs_sgid_fns = {
 	.mkdir_fn = linux_xfs_sgid_mkdir,
-	.chmod_acl_fn = linux_xfs_sgid_chmod_acl,
 };
 
 static_decl_vfs;
diff --git a/source3/modules/vfs_media_harmony.c b/source3/modules/vfs_media_harmony.c
index f0815d79f95..32ba45a7fe8 100644
--- a/source3/modules/vfs_media_harmony.c
+++ b/source3/modules/vfs_media_harmony.c
@@ -2014,39 +2014,6 @@ out:
 	return status;
 }
 
-/*
- * Success: return 0
- * Failure: set errno, return -1
- */
-static int mh_chmod_acl(vfs_handle_struct *handle,
-		const struct smb_filename *smb_fname,
-		mode_t mode)
-{
-	int status;
-	struct smb_filename *clientFname = NULL;
-
-	DEBUG(MH_INFO_DEBUG, ("Entering mh_chmod_acl\n"));
-	if (!is_in_media_files(smb_fname->base_name))
-	{
-		status = SMB_VFS_NEXT_CHMOD_ACL(handle, smb_fname, mode);
-		goto out;
-	}
-
-	status = alloc_get_client_smb_fname(handle,
-				talloc_tos(),
-				smb_fname,
-				&clientFname);
-	if (status != 0) {
-		goto err;
-	}
-
-	status = SMB_VFS_NEXT_CHMOD_ACL(handle, clientFname, mode);
-err:
-	TALLOC_FREE(clientFname);
-out:
-	return status;
-}
-
 /*
  * Success: return acl pointer
  * Failure: set errno, return NULL
@@ -2338,8 +2305,6 @@ static struct vfs_fn_pointers vfs_mh_fns = {
 
 	/* POSIX ACL operations. */
 
-	.chmod_acl_fn = mh_chmod_acl,
-
 	.sys_acl_get_file_fn = mh_sys_acl_get_file,
 	.sys_acl_set_file_fn = mh_sys_acl_set_file,
 	.sys_acl_delete_def_file_fn = mh_sys_acl_delete_def_file,
diff --git a/source3/modules/vfs_shadow_copy2.c b/source3/modules/vfs_shadow_copy2.c
index b6745cf169b..aa7cd9c61d0 100644
--- a/source3/modules/vfs_shadow_copy2.c
+++ b/source3/modules/vfs_shadow_copy2.c
@@ -2605,54 +2605,6 @@ static int shadow_copy2_setxattr(struct vfs_handle_struct *handle,
 	return ret;
 }
 
-static int shadow_copy2_chmod_acl(vfs_handle_struct *handle,
-			const struct smb_filename *smb_fname,
-			mode_t mode)
-{
-	time_t timestamp = 0;
-	char *stripped = NULL;
-	ssize_t ret;
-	int saved_errno = 0;
-	char *conv = NULL;
-	struct smb_filename *conv_smb_fname = NULL;
-
-	if (!shadow_copy2_strip_snapshot(talloc_tos(),
-				handle,
-				smb_fname->base_name,
-				&timestamp,
-				&stripped)) {
-		return -1;
-	}
-	if (timestamp == 0) {
-		return SMB_VFS_NEXT_CHMOD_ACL(handle, smb_fname, mode);
-	}
-	conv = shadow_copy2_convert(talloc_tos(), handle, stripped, timestamp);
-	TALLOC_FREE(stripped);
-	if (conv == NULL) {
-		return -1;
-	}
-	conv_smb_fname = synthetic_smb_fname(talloc_tos(),
-					conv,
-					NULL,
-					NULL,
-					smb_fname->flags);
-	if (conv_smb_fname == NULL) {
-		TALLOC_FREE(conv);
-		errno = ENOMEM;
-		return -1;
-	}
-	ret = SMB_VFS_NEXT_CHMOD_ACL(handle, conv_smb_fname, mode);
-	if (ret == -1) {
-		saved_errno = errno;
-	}
-	TALLOC_FREE(conv);
-	TALLOC_FREE(conv_smb_fname);
-	if (saved_errno != 0) {
-		errno = saved_errno;
-	}
-	return ret;
-}
-
 static int shadow_copy2_get_real_filename(struct vfs_handle_struct *handle,
 					  const char *path,
 					  const char *name,
@@ -3263,7 +3215,6 @@ static struct vfs_fn_pointers vfs_shadow_copy2_fns = {
 	.listxattr_fn = shadow_copy2_listxattr,
 	.removexattr_fn = shadow_copy2_removexattr,
 	.setxattr_fn = shadow_copy2_setxattr,
-	.chmod_acl_fn = shadow_copy2_chmod_acl,
 	.chflags_fn = shadow_copy2_chflags,
 	.get_real_filename_fn = shadow_copy2_get_real_filename,
 	.connectpath_fn = shadow_copy2_connectpath,
diff --git a/source3/modules/vfs_snapper.c b/source3/modules/vfs_snapper.c
index 60851501a51..6b935c3df41 100644
--- a/source3/modules/vfs_snapper.c
+++ b/source3/modules/vfs_snapper.c
@@ -2955,50 +2955,6 @@ static int snapper_gmt_setxattr(struct vfs_handle_struct *handle,
 	return ret;
 }
 
-static int snapper_gmt_chmod_acl(vfs_handle_struct *handle,
-			const struct smb_filename *smb_fname,
-			mode_t mode)
-{
-	time_t timestamp;
-	char *stripped;
-	ssize_t ret;
-	int saved_errno;
-	char *conv;
-	struct smb_filename *conv_smb_fname = NULL;
-
-	if (!snapper_gmt_strip_snapshot(talloc_tos(),
-				handle,
-				smb_fname->base_name,
-				&timestamp,
-				&stripped)) {
-		return -1;
-	}
-	if (timestamp == 0) {
-		return SMB_VFS_NEXT_CHMOD_ACL(handle, smb_fname, mode);
-	}
-	conv = snapper_gmt_convert(talloc_tos(), handle, stripped, timestamp);
-	TALLOC_FREE(stripped);
-	if (conv == NULL) {
-		return -1;
-	}
-	conv_smb_fname = synthetic_smb_fname(talloc_tos(),
-					conv,
-					NULL,
-					NULL,
-					smb_fname->flags);
-	if (conv_smb_fname == NULL) {
-		TALLOC_FREE(conv);
-		errno = ENOMEM;
-		return -1;
-	}
-	ret = SMB_VFS_NEXT_CHMOD_ACL(handle, conv_smb_fname, mode);
-	saved_errno = errno;
-	TALLOC_FREE(conv);
-	TALLOC_FREE(conv_smb_fname);
-	errno = saved_errno;
-	return ret;
-}
-
 static int snapper_gmt_get_real_filename(struct vfs_handle_struct *handle,
 					 const char *path,
 					 const char *name,
@@ -3172,7 +3128,6 @@ static struct vfs_fn_pointers snapper_fns = {
 	.listxattr_fn = snapper_gmt_listxattr,
 	.removexattr_fn = snapper_gmt_removexattr,
 	.setxattr_fn = snapper_gmt_setxattr,
-	.chmod_acl_fn = snapper_gmt_chmod_acl,
 	.chflags_fn = snapper_gmt_chflags,
 	.get_real_filename_fn = snapper_gmt_get_real_filename,
 };
diff --git a/source3/modules/vfs_time_audit.c b/source3/modules/vfs_time_audit.c
index 084c209510d..8ce9c2818ca 100644
--- a/source3/modules/vfs_time_audit.c
+++ b/source3/modules/vfs_time_audit.c
@@ -2159,30 +2159,6 @@ static NTSTATUS smb_time_audit_audit_file(struct vfs_handle_struct *handle,
 	return result;
 }
 
-
-
-static int smb_time_audit_chmod_acl(vfs_handle_struct *handle,
-			const struct smb_filename *smb_fname,
-			mode_t mode)
-{
-	int result;
-	struct timespec ts1,ts2;
-	double timediff;
-
-	clock_gettime_mono(&ts1);
-	result = SMB_VFS_NEXT_CHMOD_ACL(handle, smb_fname, mode);
-	clock_gettime_mono(&ts2);
-	timediff = nsec_time_diff(&ts2,&ts1)*1.0e-9;
-
-	if (timediff > audit_timeout) {
-		smb_time_audit_log_fname("chmod_acl",
-			timediff,
-			smb_fname->base_name);
-	}
-
-	return result;
-}
-
 static int smb_time_audit_fchmod_acl(vfs_handle_struct *handle,
 				     files_struct *fsp, mode_t mode)
 {
@@ -2702,7 +2678,6 @@ static struct vfs_fn_pointers vfs_time_audit_fns = {
 	.get_nt_acl_fn = smb_time_audit_get_nt_acl,
 	.fset_nt_acl_fn = smb_time_audit_fset_nt_acl,
 	.audit_file_fn = smb_time_audit_audit_file,
-	.chmod_acl_fn = smb_time_audit_chmod_acl,
 	.fchmod_acl_fn = smb_time_audit_fchmod_acl,
 	.sys_acl_get_file_fn = smb_time_audit_sys_acl_get_file,
 	.sys_acl_get_fd_fn = smb_time_audit_sys_acl_get_fd,
diff --git a/source3/modules/vfs_unityed_media.c b/source3/modules/vfs_unityed_media.c
index 9859037722e..328a93d7043 100644
--- a/source3/modules/vfs_unityed_media.c
+++ b/source3/modules/vfs_unityed_media.c
@@ -1577,36 +1577,6 @@ err:
 	return status;
 }
 
-static int um_chmod_acl(vfs_handle_struct *handle,
-			const struct smb_filename *smb_fname,
-			mode_t mode)
-{
-	int status;
-	int saved_errno;
-	struct smb_filename *client_fname = NULL;
-
-	DEBUG(10, ("Entering um_chmod_acl\n"));
-
-	if (!is_in_media_files(smb_fname->base_name)) {
-		return SMB_VFS_NEXT_CHMOD_ACL(handle, smb_fname, mode);
-	}
-
-	status = alloc_get_client_smb_fname(handle,
-				talloc_tos(),
-				smb_fname,
-				&client_fname);
-	if (status != 0) {
-		goto err;
-	}
-	status = SMB_VFS_NEXT_CHMOD_ACL(handle, client_fname, mode);
-
-err:
-	saved_errno = errno;
-	TALLOC_FREE(client_fname);
-	errno = saved_errno;
-	return status;
-}
-
 static SMB_ACL_T um_sys_acl_get_file(vfs_handle_struct *handle,
 				const struct smb_filename *smb_fname,
 				SMB_ACL_TYPE_T type,
@@ -1928,8 +1898,6 @@ static struct vfs_fn_pointers vfs_um_fns = {
 
 	/* POSIX ACL operations. */
 
-	.chmod_acl_fn = um_chmod_acl,
-
 	.sys_acl_get_file_fn = um_sys_acl_get_file,
 	.sys_acl_set_file_fn = um_sys_acl_set_file,
 	.sys_acl_delete_def_file_fn = um_sys_acl_delete_def_file,
diff --git a/source3/smbd/vfs.c b/source3/smbd/vfs.c
index 386e955243f..99119e1fddc 100644
--- a/source3/smbd/vfs.c
+++ b/source3/smbd/vfs.c
@@ -2490,14 +2490,6 @@ NTSTATUS smb_vfs_call_audit_file(struct vfs_handle_struct *handle,
 					  access_denied);
 }
 
-int smb_vfs_call_chmod_acl(struct vfs_handle_struct *handle,
-		const struct smb_filename *smb_fname,
-		mode_t mode)
-{
-	VFS_FIND(chmod_acl);
-	return handle->fns->chmod_acl_fn(handle, smb_fname, mode);
-}
-
 int smb_vfs_call_fchmod_acl(struct vfs_handle_struct *handle,
 			    struct files_struct *fsp, mode_t mode)
 {
-- 
2.17.0.441.gb46fe60e1d-goog


From 26717a22378db56ca32b08ec3268839e8871fa52 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Thu, 17 May 2018 11:45:05 -0700
Subject: [PATCH 13/21] s3: modules: vfs_default: Remove FCHMOD_ACL in fchmod.

Now that I understand the use of the mask in POSIX ACLs,
this extra step is no longer needed.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 source3/modules/vfs_default.c | 17 -----------------
 1 file changed, 17 deletions(-)

diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index d05015fd297..8e0831cace4 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -1993,23 +1993,6 @@ static int vfswrap_fchmod(vfs_handle_struct *handle, files_struct *fsp, mode_t m
 	int result;
 
 	START_PROFILE(syscall_fchmod);
-
-	/*
-	 * We need to do this due to the fact that the default POSIX ACL
-	 * chmod modifies the ACL *mask* for the group owner, not the
-	 * group owner bits directly. JRA.
-	 */
-
-	{
-		int saved_errno = errno; /* We might get ENOSYS */
-		if ((result = SMB_VFS_FCHMOD_ACL(fsp, mode)) == 0) {
-			END_PROFILE(syscall_fchmod);
-			return result;
-		}
-		/* Error - return the old errno. */
-		errno = saved_errno;
-	}
-
 #if defined(HAVE_FCHMOD)
 	result = fchmod(fsp->fh->fd, mode);
 #else
-- 
2.17.0.441.gb46fe60e1d-goog


From c61ab04682d0e7ca0f245c2dececa1a97ff3220f Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Thu, 17 May 2018 11:46:21 -0700
Subject: [PATCH 14/21] s3: modules: vfs_ceph: Remove FCHMOD_ACL in
 cephwrap_fchmod().

Now that I understand the use of the mask in POSIX ACLs,
this extra step is no longer needed.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 source3/modules/vfs_ceph.c | 15 ---------------
 1 file changed, 15 deletions(-)

diff --git a/source3/modules/vfs_ceph.c b/source3/modules/vfs_ceph.c
index 818d0cb5490..b6ca27dd47e 100644
--- a/source3/modules/vfs_ceph.c
+++ b/source3/modules/vfs_ceph.c
@@ -957,21 +957,6 @@ static int cephwrap_fchmod(struct vfs_handle_struct *handle, files_struct *fsp,
 
 	DBG_DEBUG("[CEPH] fchmod(%p, %p, %d)\n", handle, fsp, mode);
 
-	/*
-	 * We need to do this due to the fact that the default POSIX ACL
-	 * chmod modifies the ACL *mask* for the group owner, not the
-	 * group owner bits directly. JRA.
-	 */
-
-	{
-		int saved_errno = errno; /* We might get ENOSYS */
-		if ((result = SMB_VFS_FCHMOD_ACL(fsp, mode)) == 0) {
-			return result;
-		}
-		/* Error - return the old errno. */
-		errno = saved_errno;
-	}
-
 #if defined(HAVE_FCHMOD)
 	result = ceph_fchmod(handle->data, fsp->fh->fd, mode);
 	DBG_DEBUG("[CEPH] fchmod(...) = %d\n", result);
-- 
2.17.0.441.gb46fe60e1d-goog


From 685c3bd3b6824301891c48ab9ead6b22a7bac0ee Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Thu, 17 May 2018 11:42:03 -0700
Subject: [PATCH 15/21] s3: torture: Remove cmd_fchmod_acl().

No longer needed.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 docs-xml/manpages/vfstest.1.xml |  1 -
 source3/torture/cmd_vfs.c       | 31 -------------------------------
 2 files changed, 32 deletions(-)

diff --git a/docs-xml/manpages/vfstest.1.xml b/docs-xml/manpages/vfstest.1.xml
index 5a4ea1254b9..dc6acd06f87 100644
--- a/docs-xml/manpages/vfstest.1.xml
+++ b/docs-xml/manpages/vfstest.1.xml
@@ -124,7 +124,6 @@
 		<listitem><para><command>get_nt_acl</command> - VFS get_nt_acl()</para></listitem>
 		<listitem><para><command>fset_nt_acl</command> - VFS fset_nt_acl()</para></listitem>
 		<listitem><para><command>set_nt_acl</command> - VFS open() and fset_nt_acl()</para></listitem>
-		<listitem><para><command>fchmod_acl</command> - VFS fchmod_acl()</para></listitem>
 		<listitem><para><command>sys_acl_get_file</command> - VFS sys_acl_get_file()</para></listitem>
 		<listitem><para><command>sys_acl_get_fd</command> - VFS sys_acl_get_fd()</para></listitem>
 		<listitem><para><command>sys_acl_blob_get_file</command> - VFS sys_acl_blob_get_file()</para></listitem>
diff --git a/source3/torture/cmd_vfs.c b/source3/torture/cmd_vfs.c
index 793faf09d12..3ba26031ed8 100644
--- a/source3/torture/cmd_vfs.c
+++ b/source3/torture/cmd_vfs.c
@@ -930,36 +930,6 @@ static NTSTATUS cmd_fchmod(struct vfs_state *vfs, TALLOC_CTX *mem_ctx, int argc,
 	return NT_STATUS_OK;
 }
 
-static NTSTATUS cmd_fchmod_acl(struct vfs_state *vfs, TALLOC_CTX *mem_ctx, int argc, const char **argv)
-{
-	int fd;
-	mode_t mode;
-	if (argc != 3) {
-		printf("Usage: fchmod_acl <fd> <mode>\n");
-		return NT_STATUS_OK;
-	}
-
-	fd = atoi(argv[1]);
-	mode = atoi(argv[2]);
-	if (fd < 0 || fd >= 1024) {
-		printf("fchmod_acl: error=%d (file descriptor out of range)\n", EBADF);
-		return NT_STATUS_OK;
-	}
-	if (vfs->files[fd] == NULL) {
-		printf("fchmod_acl: error=%d (invalid file descriptor)\n", EBADF);
-		return NT_STATUS_OK;
-	}
-
-	if (SMB_VFS_FCHMOD_ACL(vfs->files[fd], mode) == -1) {
-		printf("fchmod_acl: error=%d (%s)\n", errno, strerror(errno));
-		return NT_STATUS_UNSUCCESSFUL;
-	}
-
-	printf("fchmod_acl: ok\n");
-	return NT_STATUS_OK;
-}
-
-
 static NTSTATUS cmd_chown(struct vfs_state *vfs, TALLOC_CTX *mem_ctx, int argc, const char **argv)
 {
 	struct smb_filename *smb_fname = NULL;
@@ -2023,7 +1993,6 @@ struct cmd_set vfs_commands[] = {
 	  "fset_nt_acl <fd>\n" },
 	{ "set_nt_acl", cmd_set_nt_acl, "VFS open() and fset_nt_acl()", 
 	  "set_nt_acl <file>\n" },
-	{ "fchmod_acl",   cmd_fchmod_acl,   "VFS fchmod_acl()",    "fchmod_acl <fd> <mode>" },
 	{ "sys_acl_get_file", cmd_sys_acl_get_file, "VFS sys_acl_get_file()", "sys_acl_get_file <path>" },
 	{ "sys_acl_get_fd", cmd_sys_acl_get_fd, "VFS sys_acl_get_fd()", "sys_acl_get_fd <fd>" },
 	{ "sys_acl_blob_get_file", cmd_sys_acl_blob_get_file,
-- 
2.17.0.441.gb46fe60e1d-goog


From 3b175089cba8723c7fa21e3d97a0333ad05d2e65 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Thu, 17 May 2018 11:48:55 -0700
Subject: [PATCH 16/21] s3: VFS: Remove SMB_VFS_FCHMOD_ACL().

No longer used.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 docs-xml/Samba-Developers-Guide/vfs.xml |  2 --
 docs-xml/manpages/vfs_audit.8.xml       |  1 -
 docs-xml/manpages/vfs_full_audit.8.xml  |  1 -
 examples/VFS/skel_opaque.c              |  9 ---------
 examples/VFS/skel_transparent.c         |  8 --------
 source3/include/smbprofile.h            |  1 -
 source3/include/vfs.h                   |  5 +----
 source3/include/vfs_macros.h            |  5 -----
 source3/modules/vfs_acl_common.c        | 10 ----------
 source3/modules/vfs_acl_common.h        |  3 ---
 source3/modules/vfs_acl_tdb.c           |  1 -
 source3/modules/vfs_acl_xattr.c         |  1 -
 source3/modules/vfs_audit.c             | 15 ---------------
 source3/modules/vfs_catia.c             | 21 ---------------------
 source3/modules/vfs_default.c           | 17 -----------------
 source3/modules/vfs_extd_audit.c        | 21 ---------------------
 source3/modules/vfs_full_audit.c        | 15 ---------------
 source3/modules/vfs_glusterfs.c         |  1 -
 source3/modules/vfs_streams_xattr.c     | 16 ----------------
 source3/modules/vfs_time_audit.c        | 20 --------------------
 source3/smbd/vfs.c                      |  7 -------
 21 files changed, 1 insertion(+), 179 deletions(-)

diff --git a/docs-xml/Samba-Developers-Guide/vfs.xml b/docs-xml/Samba-Developers-Guide/vfs.xml
index 4c4e39c4fc3..b58410b369d 100644
--- a/docs-xml/Samba-Developers-Guide/vfs.xml
+++ b/docs-xml/Samba-Developers-Guide/vfs.xml
@@ -630,8 +630,6 @@ struct vfs_ops example_ops = {
 	NULL,				/* fset_nt_acl */
 	NULL,				/* set_nt_acl */
 
-	NULL,				/* fchmod_acl */
-
 	NULL,				/* sys_acl_get_entry */
 	NULL,				/* sys_acl_get_tag_type */
 	NULL,				/* sys_acl_get_permset */
diff --git a/docs-xml/manpages/vfs_audit.8.xml b/docs-xml/manpages/vfs_audit.8.xml
index e04e9572af0..3a1576d6b40 100644
--- a/docs-xml/manpages/vfs_audit.8.xml
+++ b/docs-xml/manpages/vfs_audit.8.xml
@@ -47,7 +47,6 @@
 	<member>unlink</member>
 	<member>chmod</member>
 	<member>fchmod</member>
-	<member>fchmod_acl</member>
 	</simplelist>
 
 	<para>This module is stackable.</para>
diff --git a/docs-xml/manpages/vfs_full_audit.8.xml b/docs-xml/manpages/vfs_full_audit.8.xml
index 68df0a20747..7da3e3bb81c 100644
--- a/docs-xml/manpages/vfs_full_audit.8.xml
+++ b/docs-xml/manpages/vfs_full_audit.8.xml
@@ -50,7 +50,6 @@
         <member>disconnect</member>
         <member>disk_free</member>
         <member>fchmod</member>
-        <member>fchmod_acl</member>
         <member>fchown</member>
         <member>fget_nt_acl</member>
         <member>fgetxattr</member>
diff --git a/examples/VFS/skel_opaque.c b/examples/VFS/skel_opaque.c
index 61fa21b679c..446cfd5767e 100644
--- a/examples/VFS/skel_opaque.c
+++ b/examples/VFS/skel_opaque.c
@@ -751,13 +751,6 @@ static NTSTATUS skel_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
 	return NT_STATUS_NOT_IMPLEMENTED;
 }
 
-static int skel_fchmod_acl(vfs_handle_struct *handle, files_struct *fsp,
-			   mode_t mode)
-{
-	errno = ENOSYS;
-	return -1;
-}
-
 static SMB_ACL_T skel_sys_acl_get_file(vfs_handle_struct *handle,
 				       const struct smb_filename *smb_fname,
 				       SMB_ACL_TYPE_T type,
@@ -997,8 +990,6 @@ struct vfs_fn_pointers skel_opaque_fns = {
 
 	/* POSIX ACL operations. */
 
-	.fchmod_acl_fn = skel_fchmod_acl,
-
 	.sys_acl_get_file_fn = skel_sys_acl_get_file,
 	.sys_acl_get_fd_fn = skel_sys_acl_get_fd,
 	.sys_acl_blob_get_file_fn = skel_sys_acl_blob_get_file,
diff --git a/examples/VFS/skel_transparent.c b/examples/VFS/skel_transparent.c
index 018a18768ac..7f2c78b2e3b 100644
--- a/examples/VFS/skel_transparent.c
+++ b/examples/VFS/skel_transparent.c
@@ -942,12 +942,6 @@ static NTSTATUS skel_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp,
 	return SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
 }
 
-static int skel_fchmod_acl(vfs_handle_struct *handle, files_struct *fsp,
-			   mode_t mode)
-{
-	return SMB_VFS_NEXT_FCHMOD_ACL(handle, fsp, mode);
-}
-
 static SMB_ACL_T skel_sys_acl_get_file(vfs_handle_struct *handle,
 				       const struct smb_filename *smb_fname,
 				       SMB_ACL_TYPE_T type,
@@ -1174,8 +1168,6 @@ struct vfs_fn_pointers skel_transparent_fns = {
 
 	/* POSIX ACL operations. */
 
-	.fchmod_acl_fn = skel_fchmod_acl,
-
 	.sys_acl_get_file_fn = skel_sys_acl_get_file,
 	.sys_acl_get_fd_fn = skel_sys_acl_get_fd,
 	.sys_acl_blob_get_file_fn = skel_sys_acl_blob_get_file,
diff --git a/source3/include/smbprofile.h b/source3/include/smbprofile.h
index 3c8ba2d8e2a..327c16ac2d9 100644
--- a/source3/include/smbprofile.h
+++ b/source3/include/smbprofile.h
@@ -101,7 +101,6 @@ struct tevent_context;
 	SMBPROFILE_STATS_BASIC(get_nt_acl) \
 	SMBPROFILE_STATS_BASIC(fget_nt_acl) \
 	SMBPROFILE_STATS_BASIC(fset_nt_acl) \
-	SMBPROFILE_STATS_BASIC(fchmod_acl) \
 	SMBPROFILE_STATS_SECTION_END \
 	\
 	SMBPROFILE_STATS_SECTION_START(statcache, "Stat Cache") \
diff --git a/source3/include/vfs.h b/source3/include/vfs.h
index 48d97b133c9..945e4b6b8b0 100644
--- a/source3/include/vfs.h
+++ b/source3/include/vfs.h
@@ -252,6 +252,7 @@
 /* Version 39 - Remove SMB_VFS_WRITE
 		All users are now pwrite or async versions. */
 /* Version 39 - Remove SMB_VFS_CHMOD_ACL - no longer used. */
+/* Version 39 - Remove SMB_VFS_FCHMOD_ACL - no longer used. */
 
 #define SMB_VFS_INTERFACE_VERSION 39
 
@@ -917,8 +918,6 @@ struct vfs_fn_pointers {
 
 	/* POSIX ACL operations. */
 
-	int (*fchmod_acl_fn)(struct vfs_handle_struct *handle, struct files_struct *fsp, mode_t mode);
-
 	SMB_ACL_T (*sys_acl_get_file_fn)(struct vfs_handle_struct *handle,
 					 const struct smb_filename *smb_fname,
 					 SMB_ACL_TYPE_T type,
@@ -1408,8 +1407,6 @@ NTSTATUS smb_vfs_call_audit_file(struct vfs_handle_struct *handle,
 int smb_vfs_call_chmod_acl(struct vfs_handle_struct *handle,
 				const struct smb_filename *file,
 				mode_t mode);
-int smb_vfs_call_fchmod_acl(struct vfs_handle_struct *handle,
-			    struct files_struct *fsp, mode_t mode);
 SMB_ACL_T smb_vfs_call_sys_acl_get_file(struct vfs_handle_struct *handle,
 					const struct smb_filename *smb_fname,
 					SMB_ACL_TYPE_T type,
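Review bot: The prototype `int smb_vfs_call_chmod_acl(...)` is left behind in vfs.h: it is still present as context at the top of this hunk, although the earlier patch in this series deleted its definition from source3/smbd/vfs.c. A declaration without a definition compiles silently and only fails at link time once something calls it, so it should be removed here together with `smb_vfs_call_fchmod_acl` by deleting the three lines `int smb_vfs_call_chmod_acl(struct vfs_handle_struct *handle, const struct smb_filename *file, mode_t mode);`. The vfs_acl_common.h hunk of this patch looks like the same case: `chmod_acl_acl_module_common` stays declared there, while the visible vfs_acl_common.c context suggests its definition is already gone. That one is worth confirming against the tree.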
diff --git a/source3/include/vfs_macros.h b/source3/include/vfs_macros.h
index dda275fa968..46d6728629c 100644
--- a/source3/include/vfs_macros.h
+++ b/source3/include/vfs_macros.h
@@ -460,11 +460,6 @@
 #define SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd) \
 	smb_vfs_call_fset_nt_acl((handle)->next, (fsp), (security_info_sent), (psd))
 
-#define SMB_VFS_FCHMOD_ACL(fsp, mode) \
-	smb_vfs_call_fchmod_acl((fsp)->conn->vfs_handles, (fsp), (mode))
-#define SMB_VFS_NEXT_FCHMOD_ACL(handle, fsp, mode) \
-	smb_vfs_call_fchmod_acl((handle)->next, (fsp), (mode))
-
 #define SMB_VFS_SYS_ACL_GET_FILE(conn, smb_fname, type, mem_ctx)		\
 	smb_vfs_call_sys_acl_get_file((conn)->vfs_handles, (smb_fname), (type), (mem_ctx))
 #define SMB_VFS_NEXT_SYS_ACL_GET_FILE(handle, smb_fname, type, mem_ctx)		\
diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c
index 0fd625bec1d..6c0d931bf43 100644
--- a/source3/modules/vfs_acl_common.c
+++ b/source3/modules/vfs_acl_common.c
@@ -1244,13 +1244,3 @@ int fchmod_acl_module_common(struct vfs_handle_struct *handle,
 	}
 	return 0;
 }
-
-int fchmod_acl_acl_module_common(struct vfs_handle_struct *handle,
-				 struct files_struct *fsp, mode_t mode)
-{
-	if (fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) {
-		/* Only allow this on POSIX opens. */
-		return SMB_VFS_NEXT_FCHMOD_ACL(handle, fsp, mode);
-	}
-	return 0;
-}
diff --git a/source3/modules/vfs_acl_common.h b/source3/modules/vfs_acl_common.h
index 24803e0215e..f8bc48bf65b 100644
--- a/source3/modules/vfs_acl_common.h
+++ b/source3/modules/vfs_acl_common.h
@@ -44,9 +44,6 @@ int fchmod_acl_module_common(struct vfs_handle_struct *handle,
 int chmod_acl_acl_module_common(struct vfs_handle_struct *handle,
 				const struct smb_filename *smb_fname,
 				mode_t mode);
-int fchmod_acl_acl_module_common(struct vfs_handle_struct *handle,
-				 struct files_struct *fsp, mode_t mode);
-
 NTSTATUS get_nt_acl_common(
 	NTSTATUS (*get_acl_blob_fn)(TALLOC_CTX *ctx,
 				    vfs_handle_struct *handle,
diff --git a/source3/modules/vfs_acl_tdb.c b/source3/modules/vfs_acl_tdb.c
index 4b61c274441..bb69170c910 100644
--- a/source3/modules/vfs_acl_tdb.c
+++ b/source3/modules/vfs_acl_tdb.c
@@ -496,7 +496,6 @@ static struct vfs_fn_pointers vfs_acl_tdb_fns = {
 	.fget_nt_acl_fn = acl_tdb_fget_nt_acl,
 	.get_nt_acl_fn = acl_tdb_get_nt_acl,
 	.fset_nt_acl_fn = acl_tdb_fset_nt_acl,
-	.fchmod_acl_fn = fchmod_acl_acl_module_common,
 	.sys_acl_set_file_fn = sys_acl_set_file_tdb,
 	.sys_acl_set_fd_fn = sys_acl_set_fd_tdb
 };
diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c
index 62d26781fd5..94626cb8e03 100644
--- a/source3/modules/vfs_acl_xattr.c
+++ b/source3/modules/vfs_acl_xattr.c
@@ -323,7 +323,6 @@ static struct vfs_fn_pointers vfs_acl_xattr_fns = {
 	.fget_nt_acl_fn = acl_xattr_fget_nt_acl,
 	.get_nt_acl_fn = acl_xattr_get_nt_acl,
 	.fset_nt_acl_fn = acl_xattr_fset_nt_acl,
-	.fchmod_acl_fn = fchmod_acl_acl_module_common,
 	.sys_acl_set_file_fn = sys_acl_set_file_xattr,
 	.sys_acl_set_fd_fn = sys_acl_set_fd_xattr
 };
diff --git a/source3/modules/vfs_audit.c b/source3/modules/vfs_audit.c
index f34bcd19161..24bc1e8db5f 100644
--- a/source3/modules/vfs_audit.c
+++ b/source3/modules/vfs_audit.c
@@ -247,20 +247,6 @@ static int audit_fchmod(vfs_handle_struct *handle, files_struct *fsp, mode_t mod
 	return result;
 }
 
-static int audit_fchmod_acl(vfs_handle_struct *handle, files_struct *fsp, mode_t mode)
-{
-	int result;
-
-	result = SMB_VFS_NEXT_FCHMOD_ACL(handle, fsp, mode);
-
-	syslog(audit_syslog_priority(handle), "fchmod_acl %s mode 0x%x %s%s\n",
-	       fsp->fsp_name->base_name, mode,
-	       (result < 0) ? "failed: " : "",
-	       (result < 0) ? strerror(errno) : "");
-
-	return result;
-}
-
 static struct vfs_fn_pointers vfs_audit_fns = {
 	.connect_fn = audit_connect,
 	.disconnect_fn = audit_disconnect,
@@ -273,7 +259,6 @@ static struct vfs_fn_pointers vfs_audit_fns = {
 	.unlink_fn = audit_unlink,
 	.chmod_fn = audit_chmod,
 	.fchmod_fn = audit_fchmod,
-	.fchmod_acl_fn = audit_fchmod_acl
 };
 
 static_decl_vfs;
diff --git a/source3/modules/vfs_catia.c b/source3/modules/vfs_catia.c
index d26f7978290..fce2dcf8ca5 100644
--- a/source3/modules/vfs_catia.c
+++ b/source3/modules/vfs_catia.c
@@ -1731,25 +1731,6 @@ static int catia_sys_acl_set_fd(vfs_handle_struct *handle,
 	return ret;
 }
 
-static int catia_fchmod_acl(vfs_handle_struct *handle,
-			    files_struct *fsp,
-			    mode_t mode)
-{
-	struct catia_cache *cc = NULL;
-	int ret;
-
-	ret = CATIA_FETCH_FSP_PRE_NEXT(talloc_tos(), handle, fsp, &cc);
-	if (ret != 0) {
-		return ret;
-	}
-
-	ret = SMB_VFS_NEXT_FCHMOD_ACL(handle, fsp, mode);
-
-	CATIA_FETCH_FSP_POST_NEXT(&cc, fsp);
-
-	return ret;
-}
-
 static NTSTATUS catia_fget_nt_acl(vfs_handle_struct *handle,
 				  files_struct *fsp,
 				  uint32_t security_info,
@@ -2478,8 +2459,6 @@ static struct vfs_fn_pointers vfs_catia_fns = {
 	.fset_nt_acl_fn = catia_fset_nt_acl,
 
 	/* POSIX ACL operations. */
-	.fchmod_acl_fn = catia_fchmod_acl,
-
 	.sys_acl_get_file_fn = catia_sys_acl_get_file,
 	.sys_acl_get_fd_fn = catia_sys_acl_get_fd,
 	.sys_acl_blob_get_fd_fn = catia_sys_acl_blob_get_fd,
diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index 8e0831cace4..82afb054a13 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -2674,21 +2674,6 @@ static NTSTATUS vfswrap_audit_file(struct vfs_handle_struct *handle,
 	return NT_STATUS_OK; /* Nothing to do here ... */
 }
 
-static int vfswrap_fchmod_acl(vfs_handle_struct *handle, files_struct *fsp, mode_t mode)
-{
-#ifdef HAVE_NO_ACL
-	errno = ENOSYS;
-	return -1;
-#else
-	int result;
-
-	START_PROFILE(fchmod_acl);
-	result = fchmod_acl(fsp, mode);
-	END_PROFILE(fchmod_acl);
-	return result;
-#endif
-}
-
 static SMB_ACL_T vfswrap_sys_acl_get_file(vfs_handle_struct *handle,
 					  const struct smb_filename *smb_fname,
 					  SMB_ACL_TYPE_T type,
@@ -2950,8 +2935,6 @@ static struct vfs_fn_pointers vfs_default_fns = {
 
 	/* POSIX ACL operations. */
 
-	.fchmod_acl_fn = vfswrap_fchmod_acl,
-
 	.sys_acl_get_file_fn = vfswrap_sys_acl_get_file,
 	.sys_acl_get_fd_fn = vfswrap_sys_acl_get_fd,
 	.sys_acl_blob_get_file_fn = posix_sys_acl_blob_get_file,
diff --git a/source3/modules/vfs_extd_audit.c b/source3/modules/vfs_extd_audit.c
index abb019081e0..50bd6f8f758 100644
--- a/source3/modules/vfs_extd_audit.c
+++ b/source3/modules/vfs_extd_audit.c
@@ -312,26 +312,6 @@ static int audit_fchmod(vfs_handle_struct *handle, files_struct *fsp, mode_t mod
 	return result;
 }
 
-static int audit_fchmod_acl(vfs_handle_struct *handle, files_struct *fsp, mode_t mode)
-{
-	int result;
-
-	result = SMB_VFS_NEXT_FCHMOD_ACL(handle, fsp, mode);
-
-	if (lp_syslog() > 0) {
-		syslog(audit_syslog_priority(handle), "fchmod_acl %s mode 0x%x %s%s\n",
-		       fsp->fsp_name->base_name, mode,
-		       (result < 0) ? "failed: " : "",
-		       (result < 0) ? strerror(errno) : "");
-	}
-	DEBUG(1, ("vfs_extd_audit: fchmod_acl %s mode 0x%x %s %s",
-		fsp_str_dbg(fsp),  (unsigned int)mode,
-	       (result < 0) ? "failed: " : "",
-	       (result < 0) ? strerror(errno) : ""));
-
-	return result;
-}
-
 static struct vfs_fn_pointers vfs_extd_audit_fns = {
 	.connect_fn = audit_connect,
 	.disconnect_fn = audit_disconnect,
@@ -344,7 +324,6 @@ static struct vfs_fn_pointers vfs_extd_audit_fns = {
 	.unlink_fn = audit_unlink,
 	.chmod_fn = audit_chmod,
 	.fchmod_fn = audit_fchmod,
-	.fchmod_acl_fn = audit_fchmod_acl,
 };
 
 static_decl_vfs;
diff --git a/source3/modules/vfs_full_audit.c b/source3/modules/vfs_full_audit.c
index bb8c306ea40..c6b229a376a 100644
--- a/source3/modules/vfs_full_audit.c
+++ b/source3/modules/vfs_full_audit.c
@@ -324,7 +324,6 @@ static struct {
 	{ SMB_VFS_OP_GET_NT_ACL,	"get_nt_acl" },
 	{ SMB_VFS_OP_FSET_NT_ACL,	"fset_nt_acl" },
 	{ SMB_VFS_OP_AUDIT_FILE,	"audit_file" },
-	{ SMB_VFS_OP_FCHMOD_ACL,	"fchmod_acl" },
 	{ SMB_VFS_OP_SYS_ACL_GET_FILE,	"sys_acl_get_file" },
 	{ SMB_VFS_OP_SYS_ACL_GET_FD,	"sys_acl_get_fd" },
 	{ SMB_VFS_OP_SYS_ACL_BLOB_GET_FILE,	"sys_acl_blob_get_file" },
@@ -2130,19 +2129,6 @@ static NTSTATUS smb_full_audit_audit_file(struct vfs_handle_struct *handle,
 	return result;
 }
 
-static int smb_full_audit_fchmod_acl(vfs_handle_struct *handle, files_struct *fsp,
-				     mode_t mode)
-{
-	int result;
-	
-	result = SMB_VFS_NEXT_FCHMOD_ACL(handle, fsp, mode);
-
-	do_log(SMB_VFS_OP_FCHMOD_ACL, (result >= 0), handle,
-	       "%s|%o", fsp_str_do_log(fsp), mode);
-
-	return result;
-}
-
 static SMB_ACL_T smb_full_audit_sys_acl_get_file(vfs_handle_struct *handle,
 				const struct smb_filename *smb_fname,
 				SMB_ACL_TYPE_T type,
@@ -2529,7 +2515,6 @@ static struct vfs_fn_pointers vfs_full_audit_fns = {
 	.get_nt_acl_fn = smb_full_audit_get_nt_acl,
 	.fset_nt_acl_fn = smb_full_audit_fset_nt_acl,
 	.audit_file_fn = smb_full_audit_audit_file,
-	.fchmod_acl_fn = smb_full_audit_fchmod_acl,
 	.sys_acl_get_file_fn = smb_full_audit_sys_acl_get_file,
 	.sys_acl_get_fd_fn = smb_full_audit_sys_acl_get_fd,
 	.sys_acl_blob_get_file_fn = smb_full_audit_sys_acl_blob_get_file,
diff --git a/source3/modules/vfs_glusterfs.c b/source3/modules/vfs_glusterfs.c
index f000906261c..985a895257f 100644
--- a/source3/modules/vfs_glusterfs.c
+++ b/source3/modules/vfs_glusterfs.c
@@ -1499,7 +1499,6 @@ static struct vfs_fn_pointers glusterfs_fns = {
 	.audit_file_fn = NULL,
 
 	/* Posix ACL Operations */
-	.fchmod_acl_fn = NULL,	/* passthrough to default */
 	.sys_acl_get_file_fn = posixacl_xattr_acl_get_file,
 	.sys_acl_get_fd_fn = posixacl_xattr_acl_get_fd,
 	.sys_acl_blob_get_file_fn = posix_sys_acl_blob_get_file,
diff --git a/source3/modules/vfs_streams_xattr.c b/source3/modules/vfs_streams_xattr.c
index 5355dd8ca44..8714007cb8d 100644
--- a/source3/modules/vfs_streams_xattr.c
+++ b/source3/modules/vfs_streams_xattr.c
@@ -1390,20 +1390,6 @@ static int streams_xattr_fsetxattr(struct vfs_handle_struct *handle,
 	return -1;
 }
 
-static int streams_xattr_fchmod_acl(vfs_handle_struct *handle,
-				    files_struct *fsp,
-				    mode_t mode)
-{
-	struct stream_io *sio =
-		(struct stream_io *)VFS_FETCH_FSP_EXTENSION(handle, fsp);
-
-	if (sio == NULL) {
-		return SMB_VFS_NEXT_FCHMOD_ACL(handle, fsp, mode);
-	}
-
-	return 0;
-}
-
 static SMB_ACL_T streams_xattr_sys_acl_get_fd(vfs_handle_struct *handle,
 					      files_struct *fsp,
 					      TALLOC_CTX *mem_ctx)
@@ -1677,8 +1663,6 @@ static struct vfs_fn_pointers vfs_streams_xattr_fns = {
 	.fremovexattr_fn = streams_xattr_fremovexattr,
 	.fsetxattr_fn = streams_xattr_fsetxattr,
 
-	.fchmod_acl_fn = streams_xattr_fchmod_acl,
-
 	.sys_acl_get_fd_fn = streams_xattr_sys_acl_get_fd,
 	.sys_acl_blob_get_fd_fn = streams_xattr_sys_acl_blob_get_fd,
 	.sys_acl_set_fd_fn = streams_xattr_sys_acl_set_fd,
diff --git a/source3/modules/vfs_time_audit.c b/source3/modules/vfs_time_audit.c
index 8ce9c2818ca..2565c032bdc 100644
--- a/source3/modules/vfs_time_audit.c
+++ b/source3/modules/vfs_time_audit.c
@@ -2159,25 +2159,6 @@ static NTSTATUS smb_time_audit_audit_file(struct vfs_handle_struct *handle,
 	return result;
 }
 
-static int smb_time_audit_fchmod_acl(vfs_handle_struct *handle,
-				     files_struct *fsp, mode_t mode)
-{
-	int result;
-	struct timespec ts1,ts2;
-	double timediff;
-
-	clock_gettime_mono(&ts1);
-	result = SMB_VFS_NEXT_FCHMOD_ACL(handle, fsp, mode);
-	clock_gettime_mono(&ts2);
-	timediff = nsec_time_diff(&ts2,&ts1)*1.0e-9;
-
-	if (timediff > audit_timeout) {
-		smb_time_audit_log_fsp("fchmod_acl", timediff, fsp);
-	}
-
-	return result;
-}
-
 static SMB_ACL_T smb_time_audit_sys_acl_get_file(vfs_handle_struct *handle,
 					const struct smb_filename *smb_fname,
 					SMB_ACL_TYPE_T type,
@@ -2678,7 +2659,6 @@ static struct vfs_fn_pointers vfs_time_audit_fns = {
 	.get_nt_acl_fn = smb_time_audit_get_nt_acl,
 	.fset_nt_acl_fn = smb_time_audit_fset_nt_acl,
 	.audit_file_fn = smb_time_audit_audit_file,
-	.fchmod_acl_fn = smb_time_audit_fchmod_acl,
 	.sys_acl_get_file_fn = smb_time_audit_sys_acl_get_file,
 	.sys_acl_get_fd_fn = smb_time_audit_sys_acl_get_fd,
 	.sys_acl_blob_get_file_fn = smb_time_audit_sys_acl_blob_get_file,
diff --git a/source3/smbd/vfs.c b/source3/smbd/vfs.c
index 99119e1fddc..c3f39f32474 100644
--- a/source3/smbd/vfs.c
+++ b/source3/smbd/vfs.c
@@ -2490,13 +2490,6 @@ NTSTATUS smb_vfs_call_audit_file(struct vfs_handle_struct *handle,
 					  access_denied);
 }
 
-int smb_vfs_call_fchmod_acl(struct vfs_handle_struct *handle,
-			    struct files_struct *fsp, mode_t mode)
-{
-	VFS_FIND(fchmod_acl);
-	return handle->fns->fchmod_acl_fn(handle, fsp, mode);
-}
-
 SMB_ACL_T smb_vfs_call_sys_acl_get_file(struct vfs_handle_struct *handle,
 					const struct smb_filename *smb_fname,
 					SMB_ACL_TYPE_T type,
-- 
2.17.0.441.gb46fe60e1d-goog


From cbe57dfa965ace881a94868414b2b11e6e70e3b8 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Thu, 17 May 2018 11:49:55 -0700
Subject: [PATCH 17/21] s3: posix_acls: Remove dead functions
 fchmod_acl()/chmod_acl().

No longer used.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 source3/smbd/posix_acls.c | 38 --------------------------------------
 source3/smbd/proto.h      |  4 ----
 2 files changed, 42 deletions(-)

diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 6396f818176..8c57e7a959a 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -4102,19 +4102,6 @@ static int copy_access_posix_acl(connection_struct *conn,
 	return ret;
 }
 
-/****************************************************************************
- Do a chmod by setting the ACL USER_OBJ, GROUP_OBJ and OTHER bits in an ACL
- and set the mask to rwx. Needed to preserve complex ACLs set by NT.
- Note that name is in UNIX character set.
-****************************************************************************/
-
-int chmod_acl(connection_struct *conn,
-			const struct smb_filename *smb_fname,
-			mode_t mode)
-{
-	return copy_access_posix_acl(conn, smb_fname, smb_fname, mode);
-}
-
 /****************************************************************************
  Check for an existing default POSIX ACL on a directory.
 ****************************************************************************/
@@ -4164,31 +4151,6 @@ int inherit_access_posix_acl(connection_struct *conn,
 	return copy_access_posix_acl(conn, inherit_from_fname, smb_fname, mode);
 }
 
-/****************************************************************************
- Do an fchmod by setting the ACL USER_OBJ, GROUP_OBJ and OTHER bits in an ACL
- and set the mask to rwx. Needed to preserve complex ACLs set by NT.
-****************************************************************************/
-
-int fchmod_acl(files_struct *fsp, mode_t mode)
-{
-	connection_struct *conn = fsp->conn;
-	SMB_ACL_T posix_acl = NULL;
-	int ret = -1;
-
-	if ((posix_acl = SMB_VFS_SYS_ACL_GET_FD(fsp, talloc_tos())) == NULL)
-		return -1;
-
-	if ((ret = chmod_acl_internals(conn, posix_acl, mode)) == -1)
-		goto done;
-
-	ret = SMB_VFS_SYS_ACL_SET_FD(fsp, posix_acl);
-
-  done:
-
-	TALLOC_FREE(posix_acl);
-	return ret;
-}
-
 /****************************************************************************
  Map from wire type to permset.
 ****************************************************************************/
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index 262338d81e4..23cc46bec0b 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -782,14 +782,10 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
 int get_acl_group_bits( connection_struct *conn,
 			const struct smb_filename *smb_fname,
 			mode_t *mode);
-int chmod_acl(connection_struct *conn,
-			const struct smb_filename *smb_fname,
-			mode_t mode);
 int inherit_access_posix_acl(connection_struct *conn,
 			const char *inherit_from_dir,
 			const struct smb_filename *smb_fname,
 			mode_t mode);
-int fchmod_acl(files_struct *fsp, mode_t mode);
 bool set_unix_posix_default_acl(connection_struct *conn,
 				const struct smb_filename *smb_fname,
 				uint16_t num_def_acls, const char *pdata);
-- 
2.17.0.441.gb46fe60e1d-goog


From b0048583d71f137f83a0c9b644f348bdbd04a7bd Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Fri, 18 May 2018 11:37:22 -0700
Subject: [PATCH 18/21] s3: posix_acls: Remove unused 'connection_struct *conn'
 parameter to map_acl_perms_to_permset().

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 source3/smbd/posix_acls.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 8c57e7a959a..ffe3416d20a 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -889,7 +889,7 @@ static mode_t unix_perms_to_acl_perms(mode_t mode, int r_mask, int w_mask, int x
  an SMB_ACL_PERMSET_T.
 ****************************************************************************/
 
-static int map_acl_perms_to_permset(connection_struct *conn, mode_t mode, SMB_ACL_PERMSET_T *p_permset)
+static int map_acl_perms_to_permset(mode_t mode, SMB_ACL_PERMSET_T *p_permset)
 {
 	if (sys_acl_clear_perms(*p_permset) ==  -1)
 		return -1;
@@ -2918,7 +2918,7 @@ static bool set_canon_ace_list(files_struct *fsp,
 			goto fail;
 		}
 
-		if (map_acl_perms_to_permset(conn, p_ace->perms, &the_permset) == -1) {
+		if (map_acl_perms_to_permset(p_ace->perms, &the_permset) == -1) {
 			DEBUG(0,("set_canon_ace_list: Failed to create permset for mode (%u) on entry %d. (%s)\n",
 				(unsigned int)p_ace->perms, i, strerror(errno) ));
 			goto fail;
@@ -2955,7 +2955,7 @@ static bool set_canon_ace_list(files_struct *fsp,
 			goto fail;
 		}
 
-		if (map_acl_perms_to_permset(conn, S_IRUSR|S_IWUSR|S_IXUSR, &mask_permset) == -1) {
+		if (map_acl_perms_to_permset(S_IRUSR|S_IWUSR|S_IXUSR, &mask_permset) == -1) {
 			DEBUG(0,("set_canon_ace_list: Failed to create mask permset. (%s)\n", strerror(errno) ));
 			goto fail;
 		}
@@ -4053,7 +4053,7 @@ static int chmod_acl_internals( connection_struct *conn, SMB_ACL_T posix_acl, mo
 				continue;
 		}
 
-		if (map_acl_perms_to_permset(conn, perms, &permset) == -1)
+		if (map_acl_perms_to_permset(perms, &permset) == -1)
 			return -1;
 
 		if (sys_acl_set_permset(entry, permset) == -1)
-- 
2.17.0.441.gb46fe60e1d-goog


From 227e55b448ad0a67af5874d742a7ae0d60373678 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Fri, 18 May 2018 11:49:09 -0700
Subject: [PATCH 19/21] s3: smbd: Make unix_perms_to_acl_perms() extern.

The vfs_fake_acl module will need it to implement chown/fchown.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 source3/smbd/posix_acls.c | 2 +-
 source3/smbd/proto.h      | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index ffe3416d20a..426d96611d7 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -870,7 +870,7 @@ static mode_t convert_permset_to_mode_t(SMB_ACL_PERMSET_T permset)
  Map generic UNIX permissions to canon_ace permissions (a mode_t containing only S_(R|W|X)USR bits).
 ****************************************************************************/
 
-static mode_t unix_perms_to_acl_perms(mode_t mode, int r_mask, int w_mask, int x_mask)
+mode_t unix_perms_to_acl_perms(mode_t mode, int r_mask, int w_mask, int x_mask)
 {
 	mode_t ret = 0;
 
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index 23cc46bec0b..c3d3638772a 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -762,6 +762,7 @@ void reply_pipe_read_and_X(struct smb_request *req);
 
 /* The following definitions come from smbd/posix_acls.c  */
 
+mode_t unix_perms_to_acl_perms(mode_t mode, int r_mask, int w_mask, int x_mask);
 uint32_t map_canon_ace_perms(int snum,
                                 enum security_ace_type *pacl_type,
                                 mode_t perms,
-- 
2.17.0.441.gb46fe60e1d-goog


From 308914ea74230c3117f68eb9b7cc21c739783838 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Fri, 18 May 2018 11:50:44 -0700
Subject: [PATCH 20/21] s3: smbd: Make map_acl_perms_to_permset() extern.

The vfs_fake_acl module will need it to implement chown/fchown.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 source3/smbd/posix_acls.c | 2 +-
 source3/smbd/proto.h      | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 426d96611d7..fb074772134 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -889,7 +889,7 @@ mode_t unix_perms_to_acl_perms(mode_t mode, int r_mask, int w_mask, int x_mask)
  an SMB_ACL_PERMSET_T.
 ****************************************************************************/
 
-static int map_acl_perms_to_permset(mode_t mode, SMB_ACL_PERMSET_T *p_permset)
+int map_acl_perms_to_permset(mode_t mode, SMB_ACL_PERMSET_T *p_permset)
 {
 	if (sys_acl_clear_perms(*p_permset) ==  -1)
 		return -1;
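Review bot: Now that map_acl_perms_to_permset() has external linkage, the comment above it should state the contract that callers outside posix_acls.c must meet. Its first statement is `sys_acl_clear_perms(*p_permset)`, so `*p_permset` must already refer to a permset taken from an ACL entry, and the -1 return must be checked. A line such as `Caller passes a permset obtained with sys_acl_get_permset(); returns -1 on failure.` in that comment would cover it. The commit messages of 19/21 and 20/21 also say chown/fchown, while the caller added in 21/21 is the chmod/fchmod path. The function body continues outside this hunk.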
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index c3d3638772a..86b65515289 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -763,6 +763,7 @@ void reply_pipe_read_and_X(struct smb_request *req);
 /* The following definitions come from smbd/posix_acls.c  */
 
 mode_t unix_perms_to_acl_perms(mode_t mode, int r_mask, int w_mask, int x_mask);
+int map_acl_perms_to_permset(mode_t mode, SMB_ACL_PERMSET_T *p_permset);
 uint32_t map_canon_ace_perms(int snum,
                                 enum security_ace_type *pacl_type,
                                 mode_t perms,
-- 
2.17.0.441.gb46fe60e1d-goog


From 814b16f6e8aab82b5e4f30030938fba5fcf9b987 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Fri, 18 May 2018 11:52:23 -0700
Subject: [PATCH 21/21] s3: vfs_fake_acls: Correctly implement the chmod/fchmod
 algorithm on fake acls.

We now pass samba3hide(nt4_dc), so remove it from knownfail.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 selftest/knownfail              |   2 +-
 source3/modules/vfs_fake_acls.c | 216 ++++++++++++++++++++++++++++++++
 2 files changed, 217 insertions(+), 1 deletion(-)

diff --git a/selftest/knownfail b/selftest/knownfail
index 8c70d6a6172..f718f452073 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -20,7 +20,7 @@
 ^samba3.smb2.rename.*.simple_nodelete
 ^samba3.smb2.rename.*.no_share_delete_no_delete_access
 ^samba3.blackbox.smbclient_machine_auth.plain \(nt4_dc:local\)# the NT4 DC does not currently set up a self-join
-^samba3.raw.samba3hide.samba3hide\((nt4_dc|ad_dc)\) # This test fails against an smbd environment with NT ACLs enabled
+^samba3.raw.samba3hide.samba3hide\(ad_dc\) # This test fails against the ad_dc environment.
 ^samba3.raw.samba3closeerr.samba3closeerr\(nt4_dc\) # This test fails against an smbd environment with NT ACLs enabled
 ^samba3.raw.acls nfs4acl_xattr-simple-40.INHERITFLAGS\(nt4_dc\) # This (and the follow nfs4acl_xattr tests fail because our NFSv4 backend isn't a complete mapping yet.
 ^samba3.raw.acls nfs4acl_xattr-simple-40.create_owner_file\(nt4_dc\)
diff --git a/source3/modules/vfs_fake_acls.c b/source3/modules/vfs_fake_acls.c
index e6983d49c58..6360af8a8f1 100644
--- a/source3/modules/vfs_fake_acls.c
+++ b/source3/modules/vfs_fake_acls.c
@@ -520,11 +520,227 @@ static int fake_acls_fchown(vfs_handle_struct *handle, files_struct *fsp, uid_t
 	return 0;
 }
 
+/*
+ * Implement the chmod uid/mask/other mode changes on a fake ACL.
+ */
+
+static int fake_acl_process_chmod(SMB_ACL_T *pp_the_acl,
+				uid_t owner,
+				mode_t mode)
+{
+	bool got_mask = false;
+	int entry_id = SMB_ACL_FIRST_ENTRY;
+	mode_t umode = 0;
+	mode_t mmode = 0;
+	mode_t omode = 0;
+	int ret = -1;
+	SMB_ACL_T the_acl = *pp_the_acl;
+
+	/* Split the mode into u/mask/other masks. */
+	umode = unix_perms_to_acl_perms(mode, S_IRUSR, S_IWUSR, S_IXUSR);
+	mmode = unix_perms_to_acl_perms(mode, S_IRGRP, S_IWGRP, S_IXGRP);
+	omode = unix_perms_to_acl_perms(mode, S_IROTH, S_IWOTH, S_IXOTH);
+
+	while (1) {
+		SMB_ACL_ENTRY_T entry;
+		SMB_ACL_TAG_T tagtype;
+		SMB_ACL_PERMSET_T permset;
+		uid_t *puid = NULL;
+
+		ret = sys_acl_get_entry(the_acl,
+					entry_id,
+					&entry);
+		if (ret == 0) {
+			/* End of ACL */
+			break;
+		}
+		if (ret == -1) {
+			return -1;
+		}
+
+		ret = sys_acl_get_tag_type(entry, &tagtype);
+		if (ret == -1) {
+			return -1;
+		}
+		ret = sys_acl_get_permset(entry, &permset);
+		if (ret == -1) {
+			return -1;
+		}
+		switch (tagtype) {
+			case SMB_ACL_USER_OBJ:
+				map_acl_perms_to_permset(umode, &permset);
+				break;
+			case SMB_ACL_USER:
+				puid = (uid_t *)sys_acl_get_qualifier(entry);
+				if (puid == NULL) {
+					return -1;
+				}
+				if (owner != *puid) {
+					break;
+				}
+				map_acl_perms_to_permset(umode, &permset);
+				break;
+			case SMB_ACL_GROUP_OBJ:
+			case SMB_ACL_GROUP:
+				/* Ignore all group entries. */
+				break;
+			case SMB_ACL_MASK:
+				map_acl_perms_to_permset(mmode, &permset);
+				got_mask = true;
+				break;
+			case SMB_ACL_OTHER:
+				map_acl_perms_to_permset(omode, &permset);
+				break;
+			default:
+				errno = EINVAL;
+				return -1;
+		}
+		ret = sys_acl_set_permset(entry, permset);
+		if (ret == -1) {
+			return -1;
+		}
+		/* Move to next entry. */
+		if (entry_id == SMB_ACL_FIRST_ENTRY) {
+			entry_id = SMB_ACL_NEXT_ENTRY;
+		}
+	}
+
+	/*
+	 * If we didn't see a mask entry, add one.
+	 */
+
+	if (got_mask == false) {
+		SMB_ACL_ENTRY_T mask_entry;
+		SMB_ACL_PERMSET_T mask_permset;
+		ret = sys_acl_create_entry(&the_acl, &mask_entry);
+		if (ret == -1) {
+			return -1;
+		}
+		map_acl_perms_to_permset(mmode, &mask_permset);
+		ret = sys_acl_set_permset(mask_entry, mask_permset);
+		if (ret == -1) {
+			return -1;
+		}
+		ret = sys_acl_set_tag_type(mask_entry, SMB_ACL_MASK);
+		if (ret == -1) {
+			return -1;
+		}
+		/* In case we were realloced and moved. */
+		*pp_the_acl = the_acl;
+	}
+
+	return 0;
+}
+
+static int fake_acls_chmod(vfs_handle_struct *handle,
+			const struct smb_filename *smb_fname_in,
+			mode_t mode)
+{
+	TALLOC_CTX *frame = talloc_stackframe();
+	int ret = -1;
+	SMB_ACL_T the_acl = NULL;
+	struct smb_filename *smb_fname = cp_smb_filename_nostream(talloc_tos(),
+						smb_fname_in);
+
+	if (smb_fname == NULL) {
+		TALLOC_FREE(frame);
+		return -1;
+	}
+
+	/*
+	 * Passthrough first to preserve the
+	 * S_ISUID | S_ISGID | S_ISVTX
+	 * bits.
+	 */
+
+	ret = SMB_VFS_NEXT_CHMOD(handle,
+				smb_fname,
+				mode);
+	if (ret == -1) {
+		TALLOC_FREE(frame);
+		return -1;
+	}
+
+	the_acl = fake_acls_sys_acl_get_file(handle,
+				smb_fname,
+				SMB_ACL_TYPE_ACCESS,
+				talloc_tos());
+	if (the_acl == NULL) {
+		TALLOC_FREE(frame);
+		if (errno == ENOATTR) {
+			/* No ACL on this file. Just passthrough. */
+			return 0;
+		}
+		return -1;
+	}
+	ret = fake_acl_process_chmod(&the_acl,
+			smb_fname->st.st_ex_uid,
+			mode);
+	if (ret == -1) {
+		TALLOC_FREE(frame);
+		return -1;
+	}
+	ret = fake_acls_sys_acl_set_file(handle,
+				smb_fname,
+				SMB_ACL_TYPE_ACCESS,
+				the_acl);
+	TALLOC_FREE(frame);
+	return ret;
+}
+
+static int fake_acls_fchmod(vfs_handle_struct *handle,
+			files_struct *fsp,
+			mode_t mode)
+{
+	TALLOC_CTX *frame = talloc_stackframe();
+	int ret = -1;
+	SMB_ACL_T the_acl = NULL;
+
+	/*
+	 * Passthrough first to preserve the
+	 * S_ISUID | S_ISGID | S_ISVTX
+	 * bits.
+	 */
+
+	ret = SMB_VFS_NEXT_FCHMOD(handle,
+				fsp,
+				mode);
+	if (ret == -1) {
+		TALLOC_FREE(frame);
+		return -1;
+	}
+
+	the_acl = fake_acls_sys_acl_get_fd(handle,
+				fsp,
+				talloc_tos());
+	if (the_acl == NULL) {
+		TALLOC_FREE(frame);
+		if (errno == ENOATTR) {
+			/* No ACL on this file. Just passthrough. */
+			return 0;
+		}
+		return -1;
+	}
+	ret = fake_acl_process_chmod(&the_acl,
+			fsp->fsp_name->st.st_ex_uid,
+			mode);
+	if (ret == -1) {
+		TALLOC_FREE(frame);
+		return -1;
+	}
+	ret = fake_acls_sys_acl_set_fd(handle,
+				fsp,
+				the_acl);
+	TALLOC_FREE(frame);
+	return ret;
+}
 
 static struct vfs_fn_pointers vfs_fake_acls_fns = {
 	.stat_fn = fake_acls_stat,
 	.lstat_fn = fake_acls_lstat,
 	.fstat_fn = fake_acls_fstat,
+	.chmod_fn = fake_acls_chmod,
+	.fchmod_fn = fake_acls_fchmod,
 	.sys_acl_get_file_fn = fake_acls_sys_acl_get_file,
 	.sys_acl_get_fd_fn = fake_acls_sys_acl_get_fd,
 	.sys_acl_blob_get_file_fn = posix_sys_acl_blob_get_file,
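Review bot: In fake_acl_process_chmod the "no mask entry" branch passes `mask_permset` to map_acl_perms_to_permset() without initialising it, and that helper starts with `sys_acl_clear_perms(*p_permset)`, so it reads an indeterminate value. The permset should be fetched from the new entry first. Every map_acl_perms_to_permset() call in the function, including those in the switch, also discards the return value although the helper can return -1, so a failed mapping is still written by sys_acl_set_permset(). Separately, fake_acls_chmod and fake_acls_fchmod test `errno == ENOATTR` only after `TALLOC_FREE(frame)`, which may have overwritten errno; save it in a local before freeing. These paths decide which permission bits end up in the stored ACL, so a silent failure here leaves the mode and the ACL disagreeing.

```c
		SMB_ACL_PERMSET_T mask_permset;
		/* … unchanged: sys_acl_create_entry() and its error check … */
		/* Obtain the new entry's permset before it is cleared and filled. */
		ret = sys_acl_get_permset(mask_entry, &mask_permset);
		if (ret == -1) {
			return -1;
		}
		ret = map_acl_perms_to_permset(mmode, &mask_permset);
		if (ret == -1) {
			return -1;
		}
		/* … unchanged: sys_acl_set_permset(), sys_acl_set_tag_type(), *pp_the_acl update … */
```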
-- 
2.17.0.441.gb46fe60e1d-goog


