From 863cd2d1c354f6e9533d0c9d2b2121ea0c00bf3f Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Fri, 2 Mar 2018 13:07:48 -0800
Subject: [PATCH 1/4] s3: vfs_fruit. Ensure we only return one set of the 'virtual' UNIX ACE entries.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Jeremy Allison
Reviewed-by: Ralph Boehme
(cherry picked from commit e9059c7b40069cfb036bfb95958b78c6a2c800e4)
---
 source3/modules/vfs_fruit.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index ec76f718c37..50fbd6cb447 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -5687,6 +5687,7 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
 struct security_ace ace;
 struct dom_sid sid;
 struct fruit_config_data *config;
+ bool remove_ok = false;
 SMB_VFS_HANDLE_GET_DATA(handle, config, struct fruit_config_data,
@@ -5711,6 +5712,15 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
 /* MS NFS style mode */
 sid_compose(&sid, &global_sid_Unix_NFS_Mode, fsp->fsp_name->st.st_ex_mode);
 init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0);
+
+ /* First remove any existing ACE's with this SID. */
+ status = security_descriptor_dacl_del(*ppdesc, &sid);
+ remove_ok = (NT_STATUS_IS_OK(status) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
+ if (!remove_ok) {
+ DBG_WARNING("failed to remove MS NFS_mode style ACE\n");
+ return status;
+ }
 status = security_descriptor_dacl_add(*ppdesc, &ace);
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(1,("failed to add MS NFS style ACE\n"));
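Review bot: In the `@@ -5711` hunk the deletion SID is composed from the current `st_ex_mode`, so `security_descriptor_dacl_del(*ppdesc, &sid)` can only match a virtual ACE whose RID encodes that same mode; an entry that reached the lower DACL with an earlier mode has a different RID, survives the delete, and the function still returns two NFS-mode entries — the `@@ -5720` and `@@ -5729` hunks have the same gap for a changed uid or gid. If one entry per domain is the goal, the existing entries should be matched on the SID domain rather than the full SID, as in the loop below, repeated with `global_sid_Unix_NFS_Users` and `global_sid_Unix_NFS_Groups` in the other two hunks; the NOT_FOUND special case and `remove_ok` then become unnecessary, and a `uint32_t` index local is needed next to `remove_ok` in the `@@ -5687` hunk. Whether stale entries can actually be present depends on what the lower modules persisted before PATCH 4/4, which I cannot see here. fruit_fget_nt_acl starts before the first hunk and ends after the last.
```c
	/* MS NFS style mode */
	sid_compose(&sid, &global_sid_Unix_NFS_Mode, fsp->fsp_name->st.st_ex_mode);
	init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0);

	/*
	 * Drop every existing ACE in the NFS-mode domain, whatever mode its
	 * RID encodes, so that exactly one is returned below.
	 */
	i = 0;
	while ((*ppdesc)->dacl != NULL && i < (*ppdesc)->dacl->num_aces) {
		struct dom_sid old = (*ppdesc)->dacl->aces[i].trustee;

		if (dom_sid_compare_domain(&global_sid_Unix_NFS_Mode, &old) != 0) {
			i++;
			continue;
		}
		status = security_descriptor_dacl_del(*ppdesc, &old);
		if (!NT_STATUS_IS_OK(status)) {
			DBG_WARNING("failed to remove MS NFS_mode style ACE\n");
			return status;
		}
		/* the array was compacted: re-examine index i */
	}
	/* … unchanged: security_descriptor_dacl_add(*ppdesc, &ace) and its error check … */
```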
@@ -5720,6 +5730,15 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
 /* MS NFS style uid */
 sid_compose(&sid, &global_sid_Unix_NFS_Users, fsp->fsp_name->st.st_ex_uid);
 init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0);
+
+ /* First remove any existing ACE's with this SID. */
+ status = security_descriptor_dacl_del(*ppdesc, &sid);
+ remove_ok = (NT_STATUS_IS_OK(status) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
+ if (!remove_ok) {
+ DBG_WARNING("failed to remove MS NFS_users style ACE\n");
+ return status;
+ }
 status = security_descriptor_dacl_add(*ppdesc, &ace);
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(1,("failed to add MS NFS style ACE\n"));
@@ -5729,6 +5748,15 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
 /* MS NFS style gid */
 sid_compose(&sid, &global_sid_Unix_NFS_Groups, fsp->fsp_name->st.st_ex_gid);
 init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0);
+
+ /* First remove any existing ACE's with this SID. */
+ status = security_descriptor_dacl_del(*ppdesc, &sid);
+ remove_ok = (NT_STATUS_IS_OK(status) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
+ if (!remove_ok) {
+ DBG_WARNING("failed to remove MS NFS_groups style ACE\n");
+ return status;
+ }
 status = security_descriptor_dacl_add(*ppdesc, &ace);
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(1,("failed to add MS NFS style ACE\n"));
-- 2.14.1
From 94924797daf878a0524e8213e178ac5c2e06a55b Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Fri, 2 Mar 2018 13:21:37 -0800
Subject: [PATCH 2/4] s3: vfs_fruit: Ensure we operate on a copy of the incoming security descriptor.
This will allow us to modify it in the next commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Jeremy Allison
Reviewed-by: Ralph Boehme
(cherry picked from commit 019a1bc4caf3439adcaac48b384e86d84a1ad383)
---
 source3/modules/vfs_fruit.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index 50fbd6cb447..4f383bc990d 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -5769,24 +5769,32 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
 static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle,
 files_struct *fsp,
 uint32_t security_info_sent,
- const struct security_descriptor *psd)
+ const struct security_descriptor *orig_psd)
 {
 NTSTATUS status;
 bool do_chmod;
 mode_t ms_nfs_mode = 0;
 int result;
+ struct security_descriptor *psd = NULL;
+
+ psd = security_descriptor_copy(talloc_tos(), orig_psd);
+ if (psd == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
 DBG_DEBUG("fruit_fset_nt_acl: %s\n", fsp_str_dbg(fsp));
 status = check_ms_nfs(handle, fsp, psd, &ms_nfs_mode, &do_chmod);
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(1, ("fruit_fset_nt_acl: check_ms_nfs failed%s\n", fsp_str_dbg(fsp)));
+ TALLOC_FREE(psd);
 return status;
 }
 status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(1, ("fruit_fset_nt_acl: SMB_VFS_NEXT_FSET_NT_ACL failed%s\n", fsp_str_dbg(fsp)));
+ TALLOC_FREE(psd);
 return status;
 }
@@ -5804,10 +5812,12 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle,
 result, (unsigned)ms_nfs_mode, strerror(errno)));
 status = map_nt_error_from_unix(errno);
+ TALLOC_FREE(psd);
 return status;
 }
 }
+
+ TALLOC_FREE(psd);
 return NT_STATUS_OK;
 }
-- 2.14.1
From a306156e7eb0b6b3fb1913f50b39b9265edc327f Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Fri, 2 Mar 2018 13:51:54 -0800
Subject: [PATCH 3/4] s3: vfs_fruit. If the security descriptor was modified, ensure we set the flags correctly to reflect the ACE's left.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Jeremy Allison
Reviewed-by: Ralph Boehme
(cherry picked from commit 8edad37e476295e25932778721d8ef33713f6853)
---
 source3/modules/vfs_fruit.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
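Review bot: The `@@ -5769` and `@@ -5804` hunks add `TALLOC_FREE(psd); return status;` at four separate exits of fruit_fset_nt_acl, which is the duplication a single cleanup label avoids and makes it easy for a future early return to skip the free; a `done:` label carrying `TALLOC_FREE(psd); return status;` with `status = NT_STATUS_OK;` set before it on the success path would cover every exit once. The copy line `psd = security_descriptor_copy(talloc_tos(), orig_psd);` also reads as pointless within this commit alone and deserves the reason the commit message gives, e.g. `/* Work on a copy: a later step modifies the descriptor in place and must not touch the caller's. */`. The chmod branch between the two hunks is outside the visible lines.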
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index 4f383bc990d..8909bcc7c37 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -5776,6 +5776,11 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle,
 mode_t ms_nfs_mode = 0;
 int result;
 struct security_descriptor *psd = NULL;
+ uint32_t orig_num_aces = 0;
+
+ if (orig_psd->dacl != NULL) {
+ orig_num_aces = orig_psd->dacl->num_aces;
+ }
 psd = security_descriptor_copy(talloc_tos(), orig_psd);
 if (psd == NULL) {
@@ -5791,6 +5796,22 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle,
 return status;
 }
+ /*
+ * If only ms_nfs ACE entries were sent, ensure we set the DACL
+ * sent/present flags correctly now we've removed them.
+ */
+
+ if (orig_num_aces != 0) {
+ /*
+ * Are there any ACE's left ?
+ */
+ if (psd->dacl->num_aces == 0) {
+ /* No - clear the DACL sent/present flags. */
+ security_info_sent &= ~SECINFO_DACL;
+ psd->type &= ~SEC_DESC_DACL_PRESENT;
+ }
+ }
+
 status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(1, ("fruit_fset_nt_acl: SMB_VFS_NEXT_FSET_NT_ACL failed%s\n", fsp_str_dbg(fsp)));
-- 2.14.1
From 56cf1034a1ccb6e47ff8290d37376f997c153ff0 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Fri, 2 Mar 2018 13:53:55 -0800
Subject: [PATCH 4/4] s3: vfs_fruit. Change check_ms_nfs() to remove the virtual ACE's generated by fruit_fget_nt_acl().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Ensures they don't get stored in the underlying ACL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
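Review bot: In the `@@ -5791` hunk `psd->dacl->num_aces` is dereferenced with no NULL check; that is safe only because `orig_num_aces != 0` implies `orig_psd->dacl` was set and because `security_descriptor_copy` and the removal done inside `check_ms_nfs` are assumed never to drop the `dacl` pointer itself, and neither function is visible here. A one-line guard keeps the code safe if that invariant moves: `if (psd->dacl == NULL || psd->dacl->num_aces == 0) {`. The comment above the block says what is cleared but not why; it should add that clearing `SECINFO_DACL` is meant to stop the next module from replacing the stored DACL with an empty one, since an empty DACL denies everyone and that is the failure this guards against. Within this series nothing removes ACEs until PATCH 4/4, so the branch is unreachable at this commit, which is worth a sentence in the commit message.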
Signed-off-by: Jeremy Allison
Reviewed-by: Ralph Boehme
Autobuild-User(master): Ralph Böhme
Autobuild-Date(master): Thu Mar 8 04:09:38 CET 2018 on sn-devel-144
(cherry picked from commit e0b147f650fe59f606d1faffe57059e6e9d7837b)
---
 source3/modules/vfs_fruit.c | 43 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 42 insertions(+), 1 deletion(-)
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index 8909bcc7c37..29372e90174 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -2957,12 +2957,15 @@ static NTSTATUS readdir_attr_macmeta(struct vfs_handle_struct *handle,
 /* Search MS NFS style ACE with UNIX mode */
 static NTSTATUS check_ms_nfs(vfs_handle_struct *handle,
 files_struct *fsp,
- const struct security_descriptor *psd,
+ struct security_descriptor *psd,
 mode_t *pmode,
 bool *pdo_chmod)
 {
 uint32_t i;
 struct fruit_config_data *config = NULL;
+ struct dom_sid sid;
+ NTSTATUS status = NT_STATUS_OK;
+ bool remove_ok = false;
 *pdo_chmod = false;
@@ -2991,6 +2994,44 @@ static NTSTATUS check_ms_nfs(vfs_handle_struct *handle,
 }
 }
+ /*
+ * Remove any incoming virtual ACE entries generated by
+ * fruit_fget_nt_acl().
+ */
+
+ /* MS NFS style mode */
+ sid_compose(&sid, &global_sid_Unix_NFS_Mode,
+ fsp->fsp_name->st.st_ex_mode);
+ status = security_descriptor_dacl_del(psd, &sid);
+ remove_ok = (NT_STATUS_IS_OK(status) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
+ if (!remove_ok) {
+ DBG_WARNING("failed to remove MS NFS_mode style ACE\n");
+ return status;
+ }
+
+ /* MS NFS style uid */
+ sid_compose(&sid, &global_sid_Unix_NFS_Users,
+ fsp->fsp_name->st.st_ex_uid);
+ status = security_descriptor_dacl_del(psd, &sid);
+ remove_ok = (NT_STATUS_IS_OK(status) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
+ if (!remove_ok) {
+ DBG_WARNING("failed to remove MS NFS_users style ACE\n");
+ return status;
+ }
+
+ /* MS NFS style gid */
+ sid_compose(&sid, &global_sid_Unix_NFS_Groups,
+ fsp->fsp_name->st.st_ex_gid);
+ status = security_descriptor_dacl_del(psd, &sid);
+ remove_ok = (NT_STATUS_IS_OK(status) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
+ if (!remove_ok) {
+ DBG_WARNING("failed to remove MS NFS_groups style ACE\n");
+ return status;
+ }
+
 return NT_STATUS_OK;
 }
-- 2.14.1
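Review bot: In the `@@ -2991` hunk the SIDs handed to `security_descriptor_dacl_del` are composed from the current `st_ex_mode`, `st_ex_uid` and `st_ex_gid`, but the virtual ACE a client sends back carries in its RID the value it was shown; when that differs from the current value — and a differing mode is exactly what the `*pmode`/`*pdo_chmod` outputs of this function exist to report — the delete returns NOT_FOUND, `remove_ok` accepts it, and the ACE travels on to `SMB_VFS_NEXT_FSET_NT_ACL` and gets stored, which is what this commit sets out to prevent (it also keeps the `num_aces == 0` check in fruit_fset_nt_acl from firing). Matching on the SID domain instead of the full SID, as below, removes every virtual ACE regardless of RID, and `remove_ok` with its NOT_FOUND special case can then be dropped. check_ms_nfs starts in the `@@ -2957` hunk; its existing loop over the DACL and any early return for a NULL `dacl` sit between the two hunks and are not visible here, so the `psd->dacl != NULL` test in the loop condition may be redundant.
```c
	/*
	 * Remove any incoming virtual ACE entries generated by
	 * fruit_fget_nt_acl(). Match on the SID domain only: the RID
	 * carries the mode/uid/gid the client was shown, which need not
	 * equal the current st_ex_* values.
	 */
	i = 0;
	while (psd->dacl != NULL && i < psd->dacl->num_aces) {
		sid = psd->dacl->aces[i].trustee;

		if (dom_sid_compare_domain(&global_sid_Unix_NFS_Mode, &sid) != 0 &&
		    dom_sid_compare_domain(&global_sid_Unix_NFS_Users, &sid) != 0 &&
		    dom_sid_compare_domain(&global_sid_Unix_NFS_Groups, &sid) != 0) {
			i++;
			continue;
		}
		status = security_descriptor_dacl_del(psd, &sid);
		if (!NT_STATUS_IS_OK(status)) {
			DBG_WARNING("failed to remove MS NFS style ACE\n");
			return status;
		}
		/* dacl_del compacted the array: re-examine index i. */
	}

	return NT_STATUS_OK;
```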