The Samba-Bugzilla – Attachment 12446 Details for Bug 12181: vfs_acl_common not setting filesystem permissions anymore
[patch]
Patch for 4.3, 4.4 and 4.5 cherry-picked from master
v45-bug12181.patch (text/plain), 8.49 KB, created by Ralph Böhme on 2016-09-06 15:03:35 UTC
>From 4704a6fb50e919bb003d2fa8a2fb3c23c4a393f8 Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Fri, 26 Aug 2016 10:22:37 +0200 >Subject: [PATCH 1/2] docs: document vfs_acl_xattr|tdb enforced settings > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=12181 > >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit cbe8f0d63b90e4380da35e9f9f5a05d8ccc2058b) >--- > docs-xml/manpages/vfs_acl_tdb.8.xml | 9 +++++++++ > docs-xml/manpages/vfs_acl_xattr.8.xml | 9 +++++++++ > 2 files changed, 18 insertions(+) > >diff --git a/docs-xml/manpages/vfs_acl_tdb.8.xml b/docs-xml/manpages/vfs_acl_tdb.8.xml >index 4bbd44b..ec8a15b 100644 >--- a/docs-xml/manpages/vfs_acl_tdb.8.xml >+++ b/docs-xml/manpages/vfs_acl_tdb.8.xml >@@ -40,6 +40,15 @@ > <filename>$LOCKDIR/file_ntacls.tdb</filename>. > </para> > >+ <para> >+ This module forces the following parameters: >+ <itemizedlist> >+ <listitem><para>inherit acls = true</para></listitem> >+ <listitem><para>dos filemode = true</para></listitem> >+ <listitem><para>force unknown acl user = true</para></listitem> >+ </itemizedlist> >+ </para> >+ > <para>This module is stackable.</para> > </refsect1> > >diff --git a/docs-xml/manpages/vfs_acl_xattr.8.xml b/docs-xml/manpages/vfs_acl_xattr.8.xml >index c4eb407..713c937 100644 >--- a/docs-xml/manpages/vfs_acl_xattr.8.xml >+++ b/docs-xml/manpages/vfs_acl_xattr.8.xml >@@ -44,6 +44,15 @@ > </command>). > </para> > >+ <para> >+ This module forces the following parameters: >+ <itemizedlist> >+ <listitem><para>inherit acls = true</para></listitem> >+ <listitem><para>dos filemode = true</para></listitem> >+ <listitem><para>force unknown acl user = true</para></listitem> >+ </itemizedlist> >+ </para> >+ > <para>This module is stackable.</para> > </refsect1> > >-- >2.7.4 > > >From a7ac06dd72f29d9530f0b022102ae212b85cfc27 Mon Sep 17 00:00:00 2001 
>From: Ralph Boehme <slow@samba.org> >Date: Fri, 26 Aug 2016 10:04:53 +0200 >Subject: [PATCH 2/2] vfs_acl_xattr|tdb: enforced settings when ignore system > acls=yes >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >When "ignore system acls" is set to "yes, we need to ensure filesystem >permission always grant access so that when doing our own access checks >we don't run into situations where we grant access but the filesystem >doesn't. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=12181 > >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> > >Autobuild-User(master): Ralph Böhme <slow@samba.org> >Autobuild-Date(master): Wed Aug 31 18:41:20 CEST 2016 on sn-devel-144 > >(cherry picked from commit b72287514cc78c9019db7385af4c9b9d94f60894) >--- > docs-xml/manpages/vfs_acl_tdb.8.xml | 15 +++++++++++++++ > docs-xml/manpages/vfs_acl_xattr.8.xml | 15 +++++++++++++++ > source3/modules/vfs_acl_tdb.c | 21 +++++++++++++++++++++ > source3/modules/vfs_acl_xattr.c | 21 +++++++++++++++++++++ > source4/torture/vfs/acl_xattr.c | 4 ++-- > 5 files changed, 74 insertions(+), 2 deletions(-) > >diff --git a/docs-xml/manpages/vfs_acl_tdb.8.xml b/docs-xml/manpages/vfs_acl_tdb.8.xml >index ec8a15b..5ac6510 100644 >--- a/docs-xml/manpages/vfs_acl_tdb.8.xml >+++ b/docs-xml/manpages/vfs_acl_tdb.8.xml 
>@@ -70,6 +70,21 @@ > access the data via Samba you might set this to yes to achieve > better NT ACL compatibility. > </para> >+ >+ <para> >+ If <emphasis>acl_tdb:ignore system acls</emphasis> >+ is set to <emphasis>yes</emphasis>, the following >+ additional settings will be enforced: >+ <itemizedlist> >+ <listitem><para>create mask = 0666</para></listitem> >+ <listitem><para>directory mask = 0777</para></listitem> >+ <listitem><para>map archive = no</para></listitem> >+ <listitem><para>map hidden = no</para></listitem> >+ <listitem><para>map readonly = no</para></listitem> >+ <listitem><para>map system = no</para></listitem> >+ <listitem><para>store dos attributes = yes</para></listitem> >+ </itemizedlist> >+ </para> > </listitem> > </varlistentry> > >diff --git a/docs-xml/manpages/vfs_acl_xattr.8.xml b/docs-xml/manpages/vfs_acl_xattr.8.xml >index 713c937..60837fc 100644 >--- a/docs-xml/manpages/vfs_acl_xattr.8.xml >+++ b/docs-xml/manpages/vfs_acl_xattr.8.xml >@@ -74,6 +74,21 @@ > access the data via Samba you might set this to yes to achieve > better NT ACL compatibility. > </para> >+ >+ <para> >+ If <emphasis>acl_xattr:ignore system acls</emphasis> >+ is set to <emphasis>yes</emphasis>, the following >+ additional settings will be enforced: >+ <itemizedlist> >+ <listitem><para>create mask = 0666</para></listitem> >+ <listitem><para>directory mask = 0777</para></listitem> >+ <listitem><para>map archive = no</para></listitem> >+ <listitem><para>map hidden = no</para></listitem> >+ <listitem><para>map readonly = no</para></listitem> >+ <listitem><para>map system = no</para></listitem> >+ <listitem><para>store dos attributes = yes</para></listitem> >+ </itemizedlist> >+ </para> > </listitem> > </varlistentry> > >diff --git a/source3/modules/vfs_acl_tdb.c b/source3/modules/vfs_acl_tdb.c >index 0c92b72..174affe 100644 >--- a/source3/modules/vfs_acl_tdb.c >+++ b/source3/modules/vfs_acl_tdb.c 
>@@ -309,6 +309,7 @@ static int connect_acl_tdb(struct vfs_handle_struct *handle, > { > int ret = SMB_VFS_NEXT_CONNECT(handle, service, user); > bool ok; >+ struct acl_common_config *config = NULL; > > if (ret < 0) { > return ret; >@@ -336,6 +337,26 @@ static int connect_acl_tdb(struct vfs_handle_struct *handle, > lp_do_parameter(SNUM(handle->conn), "dos filemode", "true"); > lp_do_parameter(SNUM(handle->conn), "force unknown acl user", "true"); > >+ SMB_VFS_HANDLE_GET_DATA(handle, config, >+ struct acl_common_config, >+ return -1); >+ >+ if (config->ignore_system_acls) { >+ DBG_NOTICE("setting 'create mask = 0666', " >+ "'directory mask = 0777', " >+ "'store dos attributes = yes' and all " >+ "'map ...' options to 'no'\n"); >+ >+ lp_do_parameter(SNUM(handle->conn), "create mask", "0666"); >+ lp_do_parameter(SNUM(handle->conn), "directory mask", "0777"); >+ lp_do_parameter(SNUM(handle->conn), "map archive", "no"); >+ lp_do_parameter(SNUM(handle->conn), "map hidden", "no"); >+ lp_do_parameter(SNUM(handle->conn), "map readonly", "no"); >+ lp_do_parameter(SNUM(handle->conn), "map system", "no"); >+ lp_do_parameter(SNUM(handle->conn), "store dos attributes", >+ "yes"); >+ } >+ > return 0; > } > >diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c >index 307ab6a..e1f90ff 100644 >--- a/source3/modules/vfs_acl_xattr.c >+++ b/source3/modules/vfs_acl_xattr.c >@@ -181,6 +181,7 @@ static int connect_acl_xattr(struct vfs_handle_struct *handle, > { > int ret = SMB_VFS_NEXT_CONNECT(handle, service, user); > bool ok; >+ struct acl_common_config *config = NULL; > > if (ret < 0) { > return ret; 
>@@ -203,6 +204,26 @@ static int connect_acl_xattr(struct vfs_handle_struct *handle, > lp_do_parameter(SNUM(handle->conn), "dos filemode", "true"); > lp_do_parameter(SNUM(handle->conn), "force unknown acl user", "true"); > >+ SMB_VFS_HANDLE_GET_DATA(handle, config, >+ struct acl_common_config, >+ return -1); >+ >+ if (config->ignore_system_acls) { >+ DBG_NOTICE("setting 'create mask = 0666', " >+ "'directory mask = 0777', " >+ "'store dos attributes = yes' and all " >+ "'map ...' options to 'no'\n"); >+ >+ lp_do_parameter(SNUM(handle->conn), "create mask", "0666"); >+ lp_do_parameter(SNUM(handle->conn), "directory mask", "0777"); >+ lp_do_parameter(SNUM(handle->conn), "map archive", "no"); >+ lp_do_parameter(SNUM(handle->conn), "map hidden", "no"); >+ lp_do_parameter(SNUM(handle->conn), "map readonly", "no"); >+ lp_do_parameter(SNUM(handle->conn), "map system", "no"); >+ lp_do_parameter(SNUM(handle->conn), "store dos attributes", >+ "yes"); >+ } >+ > return 0; > } > >diff --git a/source4/torture/vfs/acl_xattr.c b/source4/torture/vfs/acl_xattr.c >index 7fd10d0..df4dd29 100644 >--- a/source4/torture/vfs/acl_xattr.c >+++ b/source4/torture/vfs/acl_xattr.c >@@ -169,8 +169,8 @@ static bool test_default_acl_posix(struct torture_context *tctx, > exp_sd = security_descriptor_dacl_create( > tctx, 0, owner_sid, group_sid, > owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_ALL, 0, >- group_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE, 0, >- SID_WORLD, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE, 0, >+ group_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, FILE_GENERIC_READ|FILE_GENERIC_WRITE|FILE_GENERIC_EXECUTE, 0, >+ SID_WORLD, SEC_ACE_TYPE_ACCESS_ALLOWED, FILE_GENERIC_READ|FILE_GENERIC_WRITE|FILE_GENERIC_EXECUTE, 0, > SID_NT_SYSTEM, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_ALL, 0, > NULL); > >-- >2.7.4 >
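Review bot: in PATCH 1/2, the paragraph added to vfs_acl_tdb.8.xml and vfs_acl_xattr.8.xml ("This module forces the following parameters") does not say that a value set for the share in smb.conf is overridden when the module is loaded. Adding that sentence would spare an administrator who sets "dos filemode = no" from wondering why it has no effect. The list also writes the booleans as "= true" while the list added in PATCH 2/2 to the same man pages uses "yes" and "no"; pick one spelling for both.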
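Review bot: in PATCH 2/2, the man page paragraphs added under "ignore system acls" in vfs_acl_tdb.8.xml (@@ -70) and vfs_acl_xattr.8.xml (@@ -74) list the enforced settings but not their consequence. With "create mask = 0666" and "directory mask = 0777" forced, the POSIX mode bits no longer limit group and other, so access control rests on the NT ACL that Samba evaluates. The paragraph should state that an explicit create mask or directory mask in smb.conf is overridden for the share, and repeat the condition from the preceding paragraph that the data is accessed via Samba only.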
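Review bot: in source3/modules/vfs_acl_tdb.c (@@ -336), the seven lp_do_parameter() calls inside "if (config->ignore_system_acls)" discard their results. If one of them does not take effect, the share keeps running with the module's own access checks while the filesystem may still deny access, which is the mismatch the commit message sets out to prevent. Consider checking each call and failing the connect with a DBG_ERR that names the parameter. The "return -1" passed to SMB_VFS_HANDLE_GET_DATA also exits without any log message.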
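Review bot: in source3/modules/vfs_acl_xattr.c (@@ -203), the block added to connect_acl_xattr() is a verbatim copy of the one added to connect_acl_tdb(), down to the DBG_NOTICE text. Both read the same struct acl_common_config, so a single helper kept with that struct and called from both connect functions would stop the two modules from drifting apart when the enforced list changes. It would also give one place to handle lp_do_parameter() failures.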
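Review bot: in source4/torture/vfs/acl_xattr.c (@@ -169), the two replaced ACE lines in test_default_acl_posix() widen the expected group_sid and SID_WORLD rights to include FILE_GENERIC_WRITE without a comment saying why. A short comment above exp_sd tying the expectation to the enforced "create mask = 0666" would keep a later reader from taking it for a regression. On style, the new lines drop the spaces around "|" that the removed lines had, run well past 80 columns, and mix FILE_GENERIC_* with the SEC_RIGHTS_FILE_ALL used for the owner and SID_NT_SYSTEM entries in the same call.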
Flags: jra: review+