From e8651d17a41aa2bfce8a99ddb93ed1532f3b0e23 Mon Sep 17 00:00:00 2001
From: Uri Simchoni
Date: Tue, 5 Dec 2017 20:49:03 +0200
Subject: [PATCH 1/2] pysmbd: fix use of sysacl API
Fix pysmbd to use the sysacl (POSIX ACL support) as intended, and not assume too much about the inner structure and implementation of the permissions in the sysacl API. This will allow the inner structure to change in a following commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13176
Signed-off-by: Uri Simchoni
Reviewed-by: Jeremy Allison
(cherry picked from commit d6f5ee6707fa5404e2bef6fc81ae06b393ebd8ff)
---
 source3/smbd/pysmbd.c | 43 ++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 38 insertions(+), 5 deletions(-)
diff --git a/source3/smbd/pysmbd.c b/source3/smbd/pysmbd.c
index fca8f108b57..06a02cbeeb3 100644
--- a/source3/smbd/pysmbd.c
+++ b/source3/smbd/pysmbd.c
@@ -224,6 +224,39 @@ static NTSTATUS get_nt_acl_conn(TALLOC_CTX *mem_ctx,
 return status;
 }
+static int set_acl_entry_perms(SMB_ACL_ENTRY_T entry, mode_t perm_mask)
+{
+ SMB_ACL_PERMSET_T perms = NULL;
+
+ if (sys_acl_get_permset(entry, &perms) != 0) {
+ return -1;
+ }
+
+ if (sys_acl_clear_perms(perms) != 0) {
+ return -1;
+ }
+
+ if ((perm_mask & SMB_ACL_READ) != 0 &&
+ sys_acl_add_perm(perms, SMB_ACL_READ) != 0) {
+ return -1;
+ }
+
+ if ((perm_mask & SMB_ACL_WRITE) != 0 &&
+ sys_acl_add_perm(perms, SMB_ACL_WRITE) != 0) {
+ return -1;
+ }
+
+ if ((perm_mask & SMB_ACL_EXECUTE) != 0 &&
+ sys_acl_add_perm(perms, SMB_ACL_EXECUTE) != 0) {
+ return -1;
+ }
+
+ if (sys_acl_set_permset(entry, perms) != 0) {
+ return -1;
+ }
+
+ return 0;
+}
 static SMB_ACL_T make_simple_acl(gid_t gid, mode_t chmod_mode)
 {
@@ -251,7 +284,7 @@ static SMB_ACL_T make_simple_acl(gid_t gid, mode_t chmod_mode)
 return NULL;
 }
- if (sys_acl_set_permset(entry, &mode_user) != 0) {
+ if (set_acl_entry_perms(entry, mode_user) != 0) {
 TALLOC_FREE(frame);
 return NULL;
 }
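Review bot: `set_acl_entry_perms()` silently drops any bit of `perm_mask` outside `SMB_ACL_READ`, `SMB_ACL_WRITE` and `SMB_ACL_EXECUTE`, so a caller that hands it an unshifted chmod value gets an ACL entry built from the low bits only, with no error. Since this helper decides the permissions written into the ACL, I would reject unknown bits up front, e.g. `if ((perm_mask & ~(SMB_ACL_READ | SMB_ACL_WRITE | SMB_ACL_EXECUTE)) != 0) { return -1; }` before the `sys_acl_get_permset()` call. This matters most for the last call site in `make_simple_acl()` (`set_acl_entry_perms(entry, mode)`), where the definition of `mode` lies outside the visible hunks, so I cannot confirm it is expressed in SMB_ACL_* bits. A short comment above the helper stating that `perm_mask` uses SMB_ACL_* values, and that the entry may be left cleared or partially set when a later step fails, would also help.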
@@ -266,7 +299,7 @@ static SMB_ACL_T make_simple_acl(gid_t gid, mode_t chmod_mode)
 return NULL;
 }
- if (sys_acl_set_permset(entry, &mode_group) != 0) {
+ if (set_acl_entry_perms(entry, mode_group) != 0) {
 TALLOC_FREE(frame);
 return NULL;
 }
@@ -281,7 +314,7 @@ static SMB_ACL_T make_simple_acl(gid_t gid, mode_t chmod_mode)
 return NULL;
 }
- if (sys_acl_set_permset(entry, &mode_other) != 0) {
+ if (set_acl_entry_perms(entry, mode_other) != 0) {
 TALLOC_FREE(frame);
 return NULL;
 }
@@ -302,7 +335,7 @@ static SMB_ACL_T make_simple_acl(gid_t gid, mode_t chmod_mode)
 return NULL;
 }
- if (sys_acl_set_permset(entry, &mode_group) != 0) {
+ if (set_acl_entry_perms(entry, mode_group) != 0) {
 TALLOC_FREE(frame);
 return NULL;
 }
@@ -318,7 +351,7 @@ static SMB_ACL_T make_simple_acl(gid_t gid, mode_t chmod_mode)
 return NULL;
 }
- if (sys_acl_set_permset(entry, &mode) != 0) {
+ if (set_acl_entry_perms(entry, mode) != 0) {
 TALLOC_FREE(frame);
 return NULL;
 }
--
2.15.1.620.gb9897f4670-goog
From 527338d0bc51512d63f53d53bc33c788f3dca7e6 Mon Sep 17 00:00:00 2001
From: Uri Simchoni
Date: Tue, 5 Dec 2017 20:56:49 +0200
Subject: [PATCH 2/2] sysacls: change datatypes to 32 bits
The SMB_ACL_PERMSET_T and SMB_ACL_PERM_T were defined as mode_t, which is 16-bits on some (non-Linux) systems. However, pidl *always* encodes mode_t as uint32_t. That created a bug on big-endian systems as sys_acl_get_permset() returns a SMB_ACL_PERMSET_T pointer to an internal a_perm structure member defined in IDL as a mode_t, which pidl turns into a uin32_t in the emitted header file. Changing to 32 bits fixes that.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13176
Signed-off-by: Uri Simchoni
Reviewed-by: Jeremy Allison
(back-ported from commit 75e7da9741c529f96fa409655ac5b326a6c071c5)
---
 source3/include/smb_acls.h | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/source3/include/smb_acls.h b/source3/include/smb_acls.h
index 3ac23dbbfd3..cd2452b4f78 100644
--- a/source3/include/smb_acls.h
+++ b/source3/include/smb_acls.h
@@ -26,8 +26,14 @@ struct vfs_handle_struct;
 struct files_struct;
 typedef int SMB_ACL_TYPE_T;
-typedef mode_t *SMB_ACL_PERMSET_T;
-typedef mode_t SMB_ACL_PERM_T;
+/*
+ * struct smb_acl_entry is defined in IDL as
+ * using mode_t values, pidl always converts these
+ * to uint32_t. Ensure the external type definitions
+ * match.
+ */
+typedef uint32_t *SMB_ACL_PERMSET_T;
+typedef uint32_t SMB_ACL_PERM_T;
 typedef enum smb_acl_tag_t SMB_ACL_TAG_T;
 typedef struct smb_acl_t *SMB_ACL_T;
--
2.15.1.620.gb9897f4670-goog
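Review bot: Nothing in this hunk enforces the match that the new comment asks for, so the typedefs and the pidl-generated struct can drift apart again without a build failure. A compile-time check placed where the generated definition is visible would pin it, e.g. `_Static_assert(sizeof(SMB_ACL_PERM_T) == sizeof(((struct smb_acl_entry *)NULL)->a_perm), "SMB_ACL_PERM_T must match a_perm");` (the member name is taken from the commit message; use the project's own compile-time assert if it has one). It is also worth checking the remaining callers before merging: any code that still passes the address of a `mode_t` variable as an `SMB_ACL_PERMSET_T` becomes an incompatible-pointer conversion, and where `mode_t` is 16 bits the callee would read or write past that object. Only pysmbd.c is converted in this series, so other users of the API may need the same treatment.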