The Samba-Bugzilla – Attachment 11936 Details for
Bug 11806
vfs_acl_xattr/vfs_acl_tdb: POSIX ACLs set even if "ignore system acls" is true
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
git-am fix for 4.4.next and 4.3.next
ignore-sys-acls.patch (text/plain), 7.12 KB, created by
Uri Simchoni
on 2016-03-24 13:07:57 UTC
(
hide
)
Description:
git-am fix for 4.4.next and 4.3.next
Filename:
MIME Type:
Creator:
Uri Simchoni
Created:
2016-03-24 13:07:57 UTC
Size:
7.12 KB
patch
obsolete
>From b9f2ffe0020138aed11d1ddda80bd29dd1482165 Mon Sep 17 00:00:00 2001 >From: Uri Simchoni <uri@samba.org> >Date: Mon, 21 Mar 2016 23:04:24 +0200 >Subject: [PATCH] vfs_acl_common: avoid setting POSIX ACLs if "ignore system > acls" is set > >When "ignore system acls" is set, do not mess at all with POSIX ACLS, >do not even calculate the would-be POSIX-ACL-based security descriptor >(for performance reasons). >Instead, just store a V3 blob with zero hash. This means that if we >later read the ACL without ignoring system ACLs, the NT ACL shall be >reset to the info derivable from the POSIX ACL. > >File ownership is still modified as it has bearing on disk quotas. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11806 > >Signed-off-by: Uri Simchoni <uri@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 765e5f1f2670d3d5d8d62a04b4ccf38a680bcb37) >--- > source3/modules/vfs_acl_common.c | 147 ++++++++++++++++++++++++++------------- > 1 file changed, 99 insertions(+), 48 deletions(-) > >diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c >index f73e80c..76ac598 100644 >--- a/source3/modules/vfs_acl_common.c >+++ b/source3/modules/vfs_acl_common.c >@@ -738,6 +738,81 @@ static NTSTATUS get_nt_acl_common(vfs_handle_struct *handle, > } > > /********************************************************************* >+ Set the underlying ACL (e.g. POSIX ACLS, POSIX owner, etc) >+*********************************************************************/ >+static NTSTATUS set_underlying_acl(vfs_handle_struct *handle, files_struct *fsp, >+ struct security_descriptor *psd, >+ uint32_t security_info_sent, >+ bool chown_needed) >+{ >+ NTSTATUS status = >+ SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd); >+ if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { >+ return status; >+ } >+ >+ /* We got access denied here. If we're already root, >+ or we didn't need to do a chown, or the fsp isn't >+ open with WRITE_OWNER access, just return. */ >+ if (get_current_uid(handle->conn) == 0 || chown_needed == false || >+ !(fsp->access_mask & SEC_STD_WRITE_OWNER)) { >+ return NT_STATUS_ACCESS_DENIED; >+ } >+ >+ DEBUG(10, ("fset_nt_acl_common: overriding chown on file %s " >+ "for sid %s\n", >+ fsp_str_dbg(fsp), sid_string_tos(psd->owner_sid))); >+ >+ /* Ok, we failed to chown and we have >+ SEC_STD_WRITE_OWNER access - override. */ >+ become_root(); >+ status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd); >+ unbecome_root(); >+ >+ return status; >+} >+ >+/********************************************************************* >+ Store a v3 security descriptor >+*********************************************************************/ >+static NTSTATUS store_v3_blob(vfs_handle_struct *handle, files_struct *fsp, >+ struct security_descriptor *psd, >+ struct security_descriptor *pdesc_next, >+ uint8_t hash[XATTR_SD_HASH_SIZE]) >+{ >+ NTSTATUS status; >+ DATA_BLOB blob; >+ >+ if (DEBUGLEVEL >= 10) { >+ DEBUG(10, ("fset_nt_acl_xattr: storing xattr sd for file %s\n", >+ fsp_str_dbg(fsp))); >+ NDR_PRINT_DEBUG( >+ security_descriptor, >+ discard_const_p(struct security_descriptor, psd)); >+ >+ if (pdesc_next != NULL) { >+ DEBUG(10, ("fset_nt_acl_xattr: storing has in xattr sd " >+ "based on \n")); >+ NDR_PRINT_DEBUG( >+ security_descriptor, >+ discard_const_p(struct security_descriptor, >+ pdesc_next)); >+ } else { >+ DEBUG(10, >+ ("fset_nt_acl_xattr: ignoring underlying sd\n")); >+ } >+ } >+ status = create_acl_blob(psd, &blob, XATTR_SD_HASH_TYPE_SHA256, hash); >+ if (!NT_STATUS_IS_OK(status)) { >+ DEBUG(10, ("fset_nt_acl_xattr: create_acl_blob failed\n")); >+ return status; >+ } >+ >+ status = store_acl_blob_fsp(handle, fsp, &blob); >+ return status; >+} >+ >+/********************************************************************* > Store a security descriptor given an fsp. > *********************************************************************/ > >@@ -754,6 +829,8 @@ static NTSTATUS fset_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp, > bool chown_needed = false; > char *sys_acl_description; > TALLOC_CTX *frame = talloc_stackframe(); >+ bool ignore_file_system_acl = lp_parm_bool( >+ SNUM(handle->conn), ACL_MODULE_NAME, "ignore system acls", false); > > if (DEBUGLEVEL >= 10) { > DEBUG(10,("fset_nt_acl_xattr: incoming sd for file %s\n", >@@ -809,38 +886,29 @@ static NTSTATUS fset_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp, > psd->type |= SEC_DESC_SACL_PRESENT; > } > >- status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd); >- if (!NT_STATUS_IS_OK(status)) { >- if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { >- TALLOC_FREE(frame); >- return status; >- } >- /* We got access denied here. If we're already root, >- or we didn't need to do a chown, or the fsp isn't >- open with WRITE_OWNER access, just return. */ >- if (get_current_uid(handle->conn) == 0 || >- chown_needed == false || >- !(fsp->access_mask & SEC_STD_WRITE_OWNER)) { >- TALLOC_FREE(frame); >- return NT_STATUS_ACCESS_DENIED; >+ if (ignore_file_system_acl) { >+ if (chown_needed) { >+ /* send only ownership stuff to lower layer */ >+ security_info_sent &= (SECINFO_OWNER | SECINFO_GROUP); >+ status = set_underlying_acl(handle, fsp, psd, >+ security_info_sent, true); >+ if (!NT_STATUS_IS_OK(status)) { >+ TALLOC_FREE(frame); >+ return status; >+ } > } >+ ZERO_ARRAY(hash); >+ status = store_v3_blob(handle, fsp, psd, NULL, hash); > >- DEBUG(10,("fset_nt_acl_common: overriding chown on file %s " >- "for sid %s\n", >- fsp_str_dbg(fsp), >- sid_string_tos(psd->owner_sid) >- )); >- >- /* Ok, we failed to chown and we have >- SEC_STD_WRITE_OWNER access - override. */ >- become_root(); >- status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, >- security_info_sent, psd); >- unbecome_root(); >- if (!NT_STATUS_IS_OK(status)) { >- TALLOC_FREE(frame); >- return status; >- } >+ TALLOC_FREE(frame); >+ return status; >+ } >+ >+ status = set_underlying_acl(handle, fsp, psd, security_info_sent, >+ chown_needed); >+ if (!NT_STATUS_IS_OK(status)) { >+ TALLOC_FREE(frame); >+ return status; > } > > /* Get the full underlying sd, then hash. */ >@@ -871,24 +939,7 @@ static NTSTATUS fset_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp, > /* If we fail to get the ACL blob (for some reason) then this > * is not fatal, we just work based on the NT ACL only */ > if (ret != 0) { >- if (DEBUGLEVEL >= 10) { >- DEBUG(10,("fset_nt_acl_xattr: storing xattr sd for file %s\n", >- fsp_str_dbg(fsp))); >- NDR_PRINT_DEBUG(security_descriptor, >- discard_const_p(struct security_descriptor, psd)); >- >- DEBUG(10,("fset_nt_acl_xattr: storing has in xattr sd based on \n")); >- NDR_PRINT_DEBUG(security_descriptor, >- discard_const_p(struct security_descriptor, pdesc_next)); >- } >- status = create_acl_blob(psd, &blob, XATTR_SD_HASH_TYPE_SHA256, hash); >- if (!NT_STATUS_IS_OK(status)) { >- DEBUG(10, ("fset_nt_acl_xattr: create_acl_blob failed\n")); >- TALLOC_FREE(frame); >- return status; >- } >- >- status = store_acl_blob_fsp(handle, fsp, &blob); >+ status = store_v3_blob(handle, fsp, psd, pdesc_next, hash); > > TALLOC_FREE(frame); > return status; >-- >2.5.0 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
jra
:
review+
Actions:
View
Attachments on
bug 11806
: 11936