[PATCH] vfs_gpfs: Retry getacl with DAC capability if necessary
Jeremy Allison
jra at samba.org
Fri Jul 22 00:26:43 UTC 2016
On Wed, Jul 20, 2016 at 03:55:40PM -0700, Christof Schmitt wrote:
> Here is another minor update based on input from Volker. This avoids the
> bool parameter for the gpfs_getacl_with_capability function.
> From 60bbceff4f7fb925d35bdabd6e17a73614df1343 Mon Sep 17 00:00:00 2001
> From: Christof Schmitt <cs at samba.org>
> Date: Wed, 25 May 2016 15:56:49 -0700
> Subject: [PATCH] vfs_gpfs: Retry getacl with DAC capability if necessary
>
> Samba always tries to read the ACL of a file and checks it internally.
> If the READ_ACL permission is missing in GPFS, then then reading the ACL
> for Samba internal evaluation will be denied and opening the file or
> directory fails. Change this by retrying reading the ACL with the DAC
> capability if access was denied.
>
> Signed-off-by: Christof Schmitt <cs at samba.org>
> ---
> source3/modules/vfs_gpfs.c | 30 ++++++++++++++++++++++++++++--
> 1 file changed, 28 insertions(+), 2 deletions(-)
>
> diff --git a/source3/modules/vfs_gpfs.c b/source3/modules/vfs_gpfs.c
> index 42a3c72..f096dd5 100644
> --- a/source3/modules/vfs_gpfs.c
> +++ b/source3/modules/vfs_gpfs.c
> @@ -358,6 +358,21 @@ static void gpfs_dumpacl(int level, struct gpfs_acl *gacl)
> }
> }
>
> +static int gpfs_getacl_with_capability(const char *fname, int flags, void *buf)
> +{
> + int ret, saved_errno;
> +
> + set_effective_capability(DAC_OVERRIDE_CAPABILITY);
> +
> + ret = gpfswrap_getacl(discard_const_p(char, fname), flags, buf);
> + saved_errno = errno;
> +
> + drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
> +
> + errno = saved_errno;
> + return ret;
> +}
> +
> /*
> * get the ACL from GPFS, allocated on the specified mem_ctx
> * internally retries when initial buffer was too small
> @@ -378,6 +393,7 @@ static void *vfs_gpfs_getacl(TALLOC_CTX *mem_ctx,
> int ret, flags;
> unsigned int *len;
> size_t struct_size;
> + bool use_capability = false;
>
> again:
>
> @@ -406,8 +422,18 @@ again:
> /* set the length of the buffer as input value */
> *len = size;
>
> - errno = 0;
> - ret = gpfswrap_getacl(discard_const_p(char, fname), flags, aclbuf);
> + if (use_capability) {
> + ret = gpfs_getacl_with_capability(fname, flags, aclbuf);
I don't understand the 2 lines above. use_capability is a local
bool, not a static one and you just set it to false above so this
can never be true. Am I missing something ?
> + } else {
> + ret = gpfswrap_getacl(discard_const_p(char, fname),
> + flags, aclbuf);
> + if ((ret != 0) && (errno == EACCES)) {
> + DBG_DEBUG("Retry with DAC capability for %s\n", fname);
> + use_capability = true;
> + ret = gpfs_getacl_with_capability(fname, flags, aclbuf);
> + }
> + }
> +
Looks like the above block (without the else {...}) is all
you need for this.
Jeremy.
More information about the samba-technical
mailing list