From 6c22402f160d905ff73a00f22a469fd0cc21dad4 Mon Sep 17 00:00:00 2001
From: Uri Simchoni
Date: Tue, 5 Dec 2017 20:49:03 +0200
Subject: [PATCH 1/2] pysmbd: fix use of sysacl API

Fix pysmbd to use the sysacl (POSIX ACL support) as intended, and not assume too much about the inner structure and implementation of the permissions in the sysacl API. This will allow the inner structure to change in a following commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13176
Signed-off-by: Uri Simchoni
Reviewed-by: Jeremy Allison
(cherry picked from commit d6f5ee6707fa5404e2bef6fc81ae06b393ebd8ff)
---
 source3/smbd/pysmbd.c | 43 ++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 38 insertions(+), 5 deletions(-)
diff --git a/source3/smbd/pysmbd.c b/source3/smbd/pysmbd.c
index 63fc5d68c33..be30b866e20 100644
--- a/source3/smbd/pysmbd.c
+++ b/source3/smbd/pysmbd.c
@@ -234,6 +234,39 @@ static NTSTATUS get_nt_acl_conn(TALLOC_CTX *mem_ctx,
 return status;
 }
+static int set_acl_entry_perms(SMB_ACL_ENTRY_T entry, mode_t perm_mask)
+{
+ SMB_ACL_PERMSET_T perms = NULL;
+
+ if (sys_acl_get_permset(entry, &perms) != 0) {
+ return -1;
+ }
+
+ if (sys_acl_clear_perms(perms) != 0) {
+ return -1;
+ }
+
+ if ((perm_mask & SMB_ACL_READ) != 0 &&
+ sys_acl_add_perm(perms, SMB_ACL_READ) != 0) {
+ return -1;
+ }
+
+ if ((perm_mask & SMB_ACL_WRITE) != 0 &&
+ sys_acl_add_perm(perms, SMB_ACL_WRITE) != 0) {
+ return -1;
+ }
+
+ if ((perm_mask & SMB_ACL_EXECUTE) != 0 &&
+ sys_acl_add_perm(perms, SMB_ACL_EXECUTE) != 0) {
+ return -1;
+ }
+
+ if (sys_acl_set_permset(entry, perms) != 0) {
+ return -1;
+ }
+
+ return 0;
+}
 static SMB_ACL_T make_simple_acl(gid_t gid, mode_t chmod_mode)
 {
@@ -261,7 +294,7 @@ static SMB_ACL_T make_simple_acl(gid_t gid, mode_t chmod_mode)
 return NULL;
 }
- if (sys_acl_set_permset(entry, &mode_user) != 0) {
+ if (set_acl_entry_perms(entry, mode_user) != 0) {
 TALLOC_FREE(frame);
 return NULL;
 }
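Review bot: `set_acl_entry_perms()` has no comment saying what `perm_mask` must contain: it tests the mask only against `SMB_ACL_READ`, `SMB_ACL_WRITE` and `SMB_ACL_EXECUTE` and silently ignores every other bit, whereas the replaced `sys_acl_set_permset(entry, &mode_user)` call handed the whole value over. The five call sites in `make_simple_acl()` (the hunk at -261 and those at -276, -291, -312 and -328) pass `mode_user`, `mode_group`, `mode_other` and `mode`, all computed outside the visible hunks, so presumably they are already reduced to those three bits; that is worth confirming, because a mask in any other bit layout would produce an ACL entry with different permissions than intended and no error. I would add above the function: `/* perm_mask is a combination of SMB_ACL_READ/WRITE/EXECUTE; any other bits are ignored. */`.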
@@ -276,7 +309,7 @@ static SMB_ACL_T make_simple_acl(gid_t gid, mode_t chmod_mode)
 return NULL;
 }
- if (sys_acl_set_permset(entry, &mode_group) != 0) {
+ if (set_acl_entry_perms(entry, mode_group) != 0) {
 TALLOC_FREE(frame);
 return NULL;
 }
@@ -291,7 +324,7 @@ static SMB_ACL_T make_simple_acl(gid_t gid, mode_t chmod_mode)
 return NULL;
 }
- if (sys_acl_set_permset(entry, &mode_other) != 0) {
+ if (set_acl_entry_perms(entry, mode_other) != 0) {
 TALLOC_FREE(frame);
 return NULL;
 }
@@ -312,7 +345,7 @@ static SMB_ACL_T make_simple_acl(gid_t gid, mode_t chmod_mode)
 return NULL;
 }
- if (sys_acl_set_permset(entry, &mode_group) != 0) {
+ if (set_acl_entry_perms(entry, mode_group) != 0) {
 TALLOC_FREE(frame);
 return NULL;
 }
@@ -328,7 +361,7 @@ static SMB_ACL_T make_simple_acl(gid_t gid, mode_t chmod_mode)
 return NULL;
 }
- if (sys_acl_set_permset(entry, &mode) != 0) {
+ if (set_acl_entry_perms(entry, mode) != 0) {
 TALLOC_FREE(frame);
 return NULL;
 }
--
2.15.1.620.gb9897f4670-goog

From a1c495255075821d8c42f7a7c9f5676dd1d70a96 Mon Sep 17 00:00:00 2001
From: Uri Simchoni
Date: Tue, 5 Dec 2017 20:56:49 +0200
Subject: [PATCH 2/2] sysacls: change datatypes to 32 bits

The SMB_ACL_PERMSET_T and SMB_ACL_PERM_T were defined as mode_t, which is 16-bits on some (non-Linux) systems. However, pidl *always* encodes mode_t as uint32_t. That created a bug on big-endian systems as sys_acl_get_permset() returns a SMB_ACL_PERMSET_T pointer to an internal a_perm structure member defined in IDL as a mode_t, which pidl turns into a uin32_t in the emitted header file. Changing to 32 bits fixes that.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13176
Signed-off-by: Uri Simchoni
Reviewed-by: Jeremy Allison
(cherry picked from commit 75e7da9741c529f96fa409655ac5b326a6c071c5)
---
 source3/include/smb_acls.h | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/source3/include/smb_acls.h b/source3/include/smb_acls.h
index 73b67af020e..c5a2339f1db 100644
--- a/source3/include/smb_acls.h
+++ b/source3/include/smb_acls.h
@@ -27,8 +27,14 @@ struct files_struct;
 struct smb_filename;
 typedef int SMB_ACL_TYPE_T;
-typedef mode_t *SMB_ACL_PERMSET_T;
-typedef mode_t SMB_ACL_PERM_T;
+/*
+ * struct smb_acl_entry is defined in IDL as
+ * using mode_t values, pidl always converts these
+ * to uint32_t. Ensure the external type definitions
+ * match.
+ */
+typedef uint32_t *SMB_ACL_PERMSET_T;
+typedef uint32_t SMB_ACL_PERM_T;
 typedef enum smb_acl_tag_t SMB_ACL_TAG_T;
 typedef struct smb_acl_t *SMB_ACL_T;
--
2.15.1.620.gb9897f4670-goog
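Review bot: The new comment asks that these typedefs match the pidl-generated `struct smb_acl_entry`, but nothing in the hunk enforces that, so a later change on either side would quietly bring back the width mismatch the commit message describes. A compile-time check placed where the generated struct is visible would pin it, for example `_Static_assert(sizeof(SMB_ACL_PERM_T) == sizeof(((struct smb_acl_entry *)0)->a_perm), "SMB_ACL_PERM_T width");` or the project's equivalent; the member name `a_perm` is taken from the commit message, and whether this header sees the full struct definition is not visible here. Separately, any caller outside this series that still passes the address of a `mode_t` as `SMB_ACL_PERMSET_T` would, on a platform with a 16-bit `mode_t`, now be read and written as 32 bits, so the remaining users of `sys_acl_set_permset()` and `sys_acl_get_permset()` deserve a check.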