From 4704a6fb50e919bb003d2fa8a2fb3c23c4a393f8 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Fri, 26 Aug 2016 10:22:37 +0200 Subject: [PATCH 1/2] docs: document vfs_acl_xattr|tdb enforced settings Bug: https://bugzilla.samba.org/show_bug.cgi?id=12181 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit cbe8f0d63b90e4380da35e9f9f5a05d8ccc2058b) --- docs-xml/manpages/vfs_acl_tdb.8.xml | 9 +++++++++ docs-xml/manpages/vfs_acl_xattr.8.xml | 9 +++++++++ 2 files changed, 18 insertions(+) diff --git a/docs-xml/manpages/vfs_acl_tdb.8.xml b/docs-xml/manpages/vfs_acl_tdb.8.xml index 4bbd44b..ec8a15b 100644 --- a/docs-xml/manpages/vfs_acl_tdb.8.xml +++ b/docs-xml/manpages/vfs_acl_tdb.8.xml @@ -40,6 +40,15 @@ $LOCKDIR/file_ntacls.tdb. + + This module forces the following parameters: + + inherit acls = true + dos filemode = true + force unknown acl user = true + + + This module is stackable. diff --git a/docs-xml/manpages/vfs_acl_xattr.8.xml b/docs-xml/manpages/vfs_acl_xattr.8.xml index c4eb407..713c937 100644 --- a/docs-xml/manpages/vfs_acl_xattr.8.xml +++ b/docs-xml/manpages/vfs_acl_xattr.8.xml @@ -44,6 +44,15 @@ ). + + This module forces the following parameters: + + inherit acls = true + dos filemode = true + force unknown acl user = true + + + This module is stackable. -- 2.7.4 From a7ac06dd72f29d9530f0b022102ae212b85cfc27 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Fri, 26 Aug 2016 10:04:53 +0200 Subject: [PATCH 2/2] vfs_acl_xattr|tdb: enforced settings when ignore system acls=yes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When "ignore system acls" is set to "yes, we need to ensure filesystem permission always grant access so that when doing our own access checks we don't run into situations where we grant access but the filesystem doesn't. Bug: https://bugzilla.samba.org/show_bug.cgi?id=12181 
Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Wed Aug 31 18:41:20 CEST 2016 on sn-devel-144 (cherry picked from commit b72287514cc78c9019db7385af4c9b9d94f60894) --- docs-xml/manpages/vfs_acl_tdb.8.xml | 15 +++++++++++++++ docs-xml/manpages/vfs_acl_xattr.8.xml | 15 +++++++++++++++ source3/modules/vfs_acl_tdb.c | 21 +++++++++++++++++++++ source3/modules/vfs_acl_xattr.c | 21 +++++++++++++++++++++ source4/torture/vfs/acl_xattr.c | 4 ++-- 5 files changed, 74 insertions(+), 2 deletions(-) diff --git a/docs-xml/manpages/vfs_acl_tdb.8.xml b/docs-xml/manpages/vfs_acl_tdb.8.xml index ec8a15b..5ac6510 100644 --- a/docs-xml/manpages/vfs_acl_tdb.8.xml +++ b/docs-xml/manpages/vfs_acl_tdb.8.xml @@ -70,6 +70,21 @@ access the data via Samba you might set this to yes to achieve better NT ACL compatibility. + + + If acl_tdb:ignore system acls + is set to yes, the following + additional settings will be enforced: + + create mask = 0666 + directory mask = 0777 + map archive = no + map hidden = no + map readonly = no + map system = no + store dos attributes = yes + + diff --git a/docs-xml/manpages/vfs_acl_xattr.8.xml b/docs-xml/manpages/vfs_acl_xattr.8.xml index 713c937..60837fc 100644 --- a/docs-xml/manpages/vfs_acl_xattr.8.xml +++ b/docs-xml/manpages/vfs_acl_xattr.8.xml @@ -74,6 +74,21 @@ access the data via Samba you might set this to yes to achieve better NT ACL compatibility. + + + If acl_xattr:ignore system acls + is set to yes, the following + additional settings will be enforced: + + create mask = 0666 + directory mask = 0777 + map archive = no + map hidden = no + map readonly = no + map system = no + store dos attributes = yes + + diff --git a/source3/modules/vfs_acl_tdb.c b/source3/modules/vfs_acl_tdb.c index 0c92b72..174affe 100644 --- a/source3/modules/vfs_acl_tdb.c +++ b/source3/modules/vfs_acl_tdb.c 
@@ -309,6 +309,7 @@ static int connect_acl_tdb(struct vfs_handle_struct *handle, { int ret = SMB_VFS_NEXT_CONNECT(handle, service, user); bool ok; + struct acl_common_config *config = NULL; if (ret < 0) { return ret; @@ -336,6 +337,26 @@ static int connect_acl_tdb(struct vfs_handle_struct *handle, lp_do_parameter(SNUM(handle->conn), "dos filemode", "true"); lp_do_parameter(SNUM(handle->conn), "force unknown acl user", "true"); + SMB_VFS_HANDLE_GET_DATA(handle, config, + struct acl_common_config, + return -1); + + if (config->ignore_system_acls) { + DBG_NOTICE("setting 'create mask = 0666', " + "'directory mask = 0777', " + "'store dos attributes = yes' and all " + "'map ...' options to 'no'\n"); + + lp_do_parameter(SNUM(handle->conn), "create mask", "0666"); + lp_do_parameter(SNUM(handle->conn), "directory mask", "0777"); + lp_do_parameter(SNUM(handle->conn), "map archive", "no"); + lp_do_parameter(SNUM(handle->conn), "map hidden", "no"); + lp_do_parameter(SNUM(handle->conn), "map readonly", "no"); + lp_do_parameter(SNUM(handle->conn), "map system", "no"); + lp_do_parameter(SNUM(handle->conn), "store dos attributes", + "yes"); + } + return 0; } diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c index 307ab6a..e1f90ff 100644 --- a/source3/modules/vfs_acl_xattr.c +++ b/source3/modules/vfs_acl_xattr.c @@ -181,6 +181,7 @@ static int connect_acl_xattr(struct vfs_handle_struct *handle, { int ret = SMB_VFS_NEXT_CONNECT(handle, service, user); bool ok; + struct acl_common_config *config = NULL; if (ret < 0) { return ret; 
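Review bot: The twenty added lines from `SMB_VFS_HANDLE_GET_DATA` through the `"store dos attributes"` call are repeated verbatim in connect_acl_xattr (vfs_acl_xattr.c, the next hunk), so the two modules will drift the next time the enforced set changes; since both already share `struct acl_common_config`, one helper beside its definition — e.g. `bool acl_common_enforce_ignore_system_acls(struct vfs_handle_struct *handle, const struct acl_common_config *config)` — called from both connect functions would keep them in step. On the macro's `return -1` branch, SMB_VFS_NEXT_CONNECT has already succeeded on the first line of the function and nothing undoes it; if this module follows the convention other VFS modules use of calling `SMB_VFS_NEXT_DISCONNECT(handle)` before failing connect, that call belongs in the failure action here (whether `config` is guaranteed populated by this point depends on lines 316–335, which the hunk does not show). The new block also changes the trust model: with masks of 0666/0777 the POSIX mode bits no longer restrict anything and every access decision rests on Samba's NT ACL evaluation, so any non-SMB path to the same files is not covered by those ACLs; the DBG_NOTICE lists the settings but not this consequence, and the manpage paragraph added in the same patch would benefit from one sentence stating it. connect_acl_tdb begins before the first hunk and the code between the two hunks is not shown.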
@@ -203,6 +204,26 @@ static int connect_acl_xattr(struct vfs_handle_struct *handle, lp_do_parameter(SNUM(handle->conn), "dos filemode", "true"); lp_do_parameter(SNUM(handle->conn), "force unknown acl user", "true"); + SMB_VFS_HANDLE_GET_DATA(handle, config, + struct acl_common_config, + return -1); + + if (config->ignore_system_acls) { + DBG_NOTICE("setting 'create mask = 0666', " + "'directory mask = 0777', " + "'store dos attributes = yes' and all " + "'map ...' options to 'no'\n"); + + lp_do_parameter(SNUM(handle->conn), "create mask", "0666"); + lp_do_parameter(SNUM(handle->conn), "directory mask", "0777"); + lp_do_parameter(SNUM(handle->conn), "map archive", "no"); + lp_do_parameter(SNUM(handle->conn), "map hidden", "no"); + lp_do_parameter(SNUM(handle->conn), "map readonly", "no"); + lp_do_parameter(SNUM(handle->conn), "map system", "no"); + lp_do_parameter(SNUM(handle->conn), "store dos attributes", + "yes"); + } + return 0; } diff --git a/source4/torture/vfs/acl_xattr.c b/source4/torture/vfs/acl_xattr.c index 7fd10d0..df4dd29 100644 --- a/source4/torture/vfs/acl_xattr.c +++ b/source4/torture/vfs/acl_xattr.c @@ -169,8 +169,8 @@ static bool test_default_acl_posix(struct torture_context *tctx, exp_sd = security_descriptor_dacl_create( tctx, 0, owner_sid, group_sid, owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_ALL, 0, - group_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE, 0, - SID_WORLD, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE, 0, + group_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, FILE_GENERIC_READ|FILE_GENERIC_WRITE|FILE_GENERIC_EXECUTE, 0, + SID_WORLD, SEC_ACE_TYPE_ACCESS_ALLOWED, FILE_GENERIC_READ|FILE_GENERIC_WRITE|FILE_GENERIC_EXECUTE, 0, SID_NT_SYSTEM, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_ALL, 0, NULL); -- 2.7.4
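Review bot: The rewritten group and world ACEs in the source4/torture/vfs/acl_xattr.c hunk now expect FILE_GENERIC_WRITE alongside read and execute with no comment saying why, which leaves the next reader guessing whether the share under test runs with `ignore system acls = yes` and whether the write bits follow from the `create mask = 0666` enforced in connect_acl_xattr. A short comment above `exp_sd`, e.g. `/* acl_xattr:ignore system acls = yes forces create mask 0666, so group and world gain generic write; see connect_acl_xattr() */`, would tie the expectation to the module behaviour it depends on, assuming that is indeed the configuration of the test share. test_default_acl_posix starts before and continues after the hunk.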