The Samba-Bugzilla – Attachment 12271 Details for
Bug 12024
Read list and write list ordering can by confusing
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch
0001-s3-Prefer-user-accounts-in-read-and-write-lists.patch (text/plain), 5.26 KB, created by
Justin Maggard
on 2016-07-15 23:34:29 UTC
(
hide
)
Description:
Patch
Filename:
MIME Type:
Creator:
Justin Maggard
Created:
2016-07-15 23:34:29 UTC
Size:
5.26 KB
patch
obsolete
>From 46cb3be0cf3f14bc2b95101189983b6d3afdacad Mon Sep 17 00:00:00 2001 >From: Justin Maggard <jmaggard@netgear.com> >Date: Fri, 15 Jul 2016 16:21:21 -0700 >Subject: [PATCH] s3: Prefer user accounts in read and write lists > >Currently, objects in the write list always override the same objects in >the read list. This includes cases where you have an individual user >account in the read list, and a group he belongs to in the write list. >This seems unintuitive, as normally user account settings take precedence >over group account settings. > >Change this behavior by keeping track of the object type, and giving >preference to user account objects. > >Signed-off-by: Justin Maggard <jmaggard@netgear.com> >--- > source3/smbd/proto.h | 3 ++- > source3/smbd/share_access.c | 41 +++++++++++++++++++++++++++++++---------- > source3/smbd/uid.c | 3 ++- > 3 files changed, 35 insertions(+), 12 deletions(-) > >diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h >index 81bdc87..1a7956f 100644 >--- a/source3/smbd/proto.h >+++ b/source3/smbd/proto.h >@@ -1076,7 +1076,8 @@ bool token_contains_name_in_list(const char *username, > const char *domain, > const char *sharename, > const struct security_token *token, >- const char **list); >+ const char **list, >+ uint32_t *type); > bool user_ok_token(const char *username, const char *domain, > const struct security_token *token, int snum); > bool is_share_read_only_for_token(const char *username, >diff --git a/source3/smbd/share_access.c b/source3/smbd/share_access.c >index fa56063..75b8b87 100644 >--- a/source3/smbd/share_access.c >+++ b/source3/smbd/share_access.c >@@ -72,7 +72,8 @@ static bool token_contains_name(TALLOC_CTX *mem_ctx, > const char *domain, > const char *sharename, > const struct security_token *token, >- const char *name) >+ const char *name, >+ uint32_t *sid_type) > { > const char *prefix; > struct dom_sid sid; >@@ -104,6 +105,9 @@ static bool token_contains_name(TALLOC_CTX *mem_ctx, > DEBUG(5, ("lookup_name %s failed\n", name)); > return False; > } >+ if (sid_type) { >+ *sid_type = type; >+ } > if (type != SID_NAME_USER) { > DEBUG(5, ("%s is a %s, expected a user\n", > name, sid_type_lookup(type))); >@@ -120,6 +124,9 @@ static bool token_contains_name(TALLOC_CTX *mem_ctx, > DEBUG(5, ("lookup_name %s failed\n", name)); > return False; > } >+ if (sid_type) { >+ *sid_type = type; >+ } > if ((type != SID_NAME_DOM_GRP) && > (type != SID_NAME_ALIAS) && > (type != SID_NAME_WKN_GRP)) { >@@ -160,8 +167,11 @@ bool token_contains_name_in_list(const char *username, > const char *domain, > const char *sharename, > const struct security_token *token, >- const char **list) >+ const char **list, >+ uint32_t *type) > { >+ bool found = False; >+ > if (list == NULL) { > return False; > } >@@ -170,14 +180,17 @@ bool token_contains_name_in_list(const char *username, > bool ret; > > ret = token_contains_name(frame, username, domain, sharename, >- token, *list); >+ token, *list, type); > TALLOC_FREE(frame); > if (ret) { >- return true; >+ found = True; >+ if (type && *type == SID_NAME_USER) { >+ break; >+ } > } > list += 1; > } >- return False; >+ return found; > } > > /* >@@ -200,7 +213,7 @@ bool user_ok_token(const char *username, const char *domain, > if (token_contains_name_in_list(username, domain, > lp_servicename(talloc_tos(), snum), > token, >- lp_invalid_users(snum))) { >+ lp_invalid_users(snum), NULL)) { > DEBUG(10, ("User %s in 'invalid users'\n", username)); > return False; > } >@@ -210,7 +223,7 @@ bool user_ok_token(const char *username, const char *domain, > if (!token_contains_name_in_list(username, domain, > lp_servicename(talloc_tos(), snum), > token, >- lp_valid_users(snum))) { >+ lp_valid_users(snum), NULL)) { > DEBUG(10, ("User %s not in 'valid users'\n", > username)); > return False; >@@ -244,13 +257,18 @@ bool is_share_read_only_for_token(const char *username, > { > int snum = SNUM(conn); > bool result = conn->read_only; >+ bool user_match = False; >+ uint32_t type; > > if (lp_read_list(snum) != NULL) { > if (token_contains_name_in_list(username, domain, > lp_servicename(talloc_tos(), snum), > token, >- lp_read_list(snum))) { >+ lp_read_list(snum), &type)) { > result = True; >+ if (type == SID_NAME_USER) { >+ user_match = True; >+ } > } > } > >@@ -258,8 +276,11 @@ bool is_share_read_only_for_token(const char *username, > if (token_contains_name_in_list(username, domain, > lp_servicename(talloc_tos(), snum), > token, >- lp_write_list(snum))) { >- result = False; >+ lp_write_list(snum), &type)) { >+ /* Prefer user accounts to groups */ >+ if (type == SID_NAME_USER || !user_match) { >+ result = False; >+ } > } > } > >diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c >index 6eb5392..76a86d6 100644 >--- a/source3/smbd/uid.c >+++ b/source3/smbd/uid.c >@@ -217,7 +217,8 @@ static bool check_user_ok(connection_struct *conn, > admin_user = token_contains_name_in_list( > session_info->unix_info->unix_name, > session_info->info->domain_name, >- NULL, session_info->security_token, lp_admin_users(snum)); >+ NULL, session_info->security_token, lp_admin_users(snum), >+ NULL); > > ent = &conn->vuid_cache->array[conn->vuid_cache->next_entry]; > >-- >2.9.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 12024
: 12271