Attachment 14027 Details for Bug 13319 – git-am fix for 4.8.0rcX, 4.7.next, 4.6.next.

[patch] git-am fix for 4.8.0rcX, 4.7.next, 4.6.next.

bug-13319-4.8.patch (text/plain), 9.89 KB, created by Jeremy Allison on 2018-03-08 19:19:06 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Jeremy Allison

Created: 2018-03-08 19:19:06 UTC

Size: 9.89 KB

patch

obsolete

>From 863cd2d1c354f6e9533d0c9d2b2121ea0c00bf3f Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Fri, 2 Mar 2018 13:07:48 -0800
>Subject: [PATCH 1/4] s3: vfs_fruit. Ensure we only return one set of the
> 'virtual' UNIX ACE entries.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>(cherry picked from commit e9059c7b40069cfb036bfb95958b78c6a2c800e4)
>---
> source3/modules/vfs_fruit.c | 28 ++++++++++++++++++++++++++++
> 1 file changed, 28 insertions(+)
>
>diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
>index ec76f718c37..50fbd6cb447 100644
>--- a/source3/modules/vfs_fruit.c
>+++ b/source3/modules/vfs_fruit.c
>@@ -5687,6 +5687,7 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
> 	struct security_ace ace;
> 	struct dom_sid sid;
> 	struct fruit_config_data *config;
>+	bool remove_ok = false;
> 
> 	SMB_VFS_HANDLE_GET_DATA(handle, config,
> 				struct fruit_config_data,
>@@ -5711,6 +5712,15 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
> 	/* MS NFS style mode */
> 	sid_compose(&sid, &global_sid_Unix_NFS_Mode, fsp->fsp_name->st.st_ex_mode);
> 	init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0);
>+
>+	/* First remove any existing ACE's with this SID. */
>+	status = security_descriptor_dacl_del(*ppdesc, &sid);
>+	remove_ok = (NT_STATUS_IS_OK(status) ||
>+		     NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
>+	if (!remove_ok) {
>+		DBG_WARNING("failed to remove MS NFS_mode style ACE\n");
>+		return status;
>+	}
> 	status = security_descriptor_dacl_add(*ppdesc, &ace);
> 	if (!NT_STATUS_IS_OK(status)) {
> 		DEBUG(1,("failed to add MS NFS style ACE\n"));
>@@ -5720,6 +5730,15 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
> 	/* MS NFS style uid */
> 	sid_compose(&sid, &global_sid_Unix_NFS_Users, fsp->fsp_name->st.st_ex_uid);
> 	init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0);
>+
>+	/* First remove any existing ACE's with this SID. */
>+	status = security_descriptor_dacl_del(*ppdesc, &sid);
>+	remove_ok = (NT_STATUS_IS_OK(status) ||
>+		     NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
>+	if (!remove_ok) {
>+		DBG_WARNING("failed to remove MS NFS_users style ACE\n");
>+		return status;
>+	}
> 	status = security_descriptor_dacl_add(*ppdesc, &ace);
> 	if (!NT_STATUS_IS_OK(status)) {
> 		DEBUG(1,("failed to add MS NFS style ACE\n"));
>@@ -5729,6 +5748,15 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
> 	/* MS NFS style gid */
> 	sid_compose(&sid, &global_sid_Unix_NFS_Groups, fsp->fsp_name->st.st_ex_gid);
> 	init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0);
>+
>+	/* First remove any existing ACE's with this SID. */
>+	status = security_descriptor_dacl_del(*ppdesc, &sid);
>+	remove_ok = (NT_STATUS_IS_OK(status) ||
>+		     NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
>+	if (!remove_ok) {
>+		DBG_WARNING("failed to remove MS NFS_groups style ACE\n");
>+		return status;
>+	}
> 	status = security_descriptor_dacl_add(*ppdesc, &ace);
> 	if (!NT_STATUS_IS_OK(status)) {
> 		DEBUG(1,("failed to add MS NFS style ACE\n"));
>-- 
>2.14.1
>
>
>From 94924797daf878a0524e8213e178ac5c2e06a55b Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Fri, 2 Mar 2018 13:21:37 -0800
>Subject: [PATCH 2/4] s3: vfs_fruit: Ensure we operate on a copy of the
> incoming security descriptor.
>
>This will allow us to modify it in the next commit.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>(cherry picked from commit 019a1bc4caf3439adcaac48b384e86d84a1ad383)
>---
> source3/modules/vfs_fruit.c | 12 +++++++++++-
> 1 file changed, 11 insertions(+), 1 deletion(-)
>
>diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
>index 50fbd6cb447..4f383bc990d 100644
>--- a/source3/modules/vfs_fruit.c
>+++ b/source3/modules/vfs_fruit.c
>@@ -5769,24 +5769,32 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
> static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle,
> 				  files_struct *fsp,
> 				  uint32_t security_info_sent,
>-				  const struct security_descriptor *psd)
>+				  const struct security_descriptor *orig_psd)
> {
> 	NTSTATUS status;
> 	bool do_chmod;
> 	mode_t ms_nfs_mode = 0;
> 	int result;
>+	struct security_descriptor *psd = NULL;
>+
>+	psd = security_descriptor_copy(talloc_tos(), orig_psd);
>+	if (psd == NULL) {
>+		return NT_STATUS_NO_MEMORY;
>+	}
> 
> 	DBG_DEBUG("fruit_fset_nt_acl: %s\n", fsp_str_dbg(fsp));
> 
> 	status = check_ms_nfs(handle, fsp, psd, &ms_nfs_mode, &do_chmod);
> 	if (!NT_STATUS_IS_OK(status)) {
> 		DEBUG(1, ("fruit_fset_nt_acl: check_ms_nfs failed%s\n", fsp_str_dbg(fsp)));
>+		TALLOC_FREE(psd);
> 		return status;
> 	}
> 
> 	status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
> 	if (!NT_STATUS_IS_OK(status)) {
> 		DEBUG(1, ("fruit_fset_nt_acl: SMB_VFS_NEXT_FSET_NT_ACL failed%s\n", fsp_str_dbg(fsp)));
>+		TALLOC_FREE(psd);
> 		return status;
> 	}
> 
>@@ -5804,10 +5812,12 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle,
> 				  result, (unsigned)ms_nfs_mode,
> 				  strerror(errno)));
> 			status = map_nt_error_from_unix(errno);
>+			TALLOC_FREE(psd);
> 			return status;
> 		}
> 	}
> 
>+	TALLOC_FREE(psd);
> 	return NT_STATUS_OK;
> }
> 
>-- 
>2.14.1
>
>
>From a306156e7eb0b6b3fb1913f50b39b9265edc327f Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Fri, 2 Mar 2018 13:51:54 -0800
>Subject: [PATCH 3/4] s3: vfs_fruit. If the security descriptor was modified,
> ensure we set the flags correctly to reflect the ACE's left.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>(cherry picked from commit 8edad37e476295e25932778721d8ef33713f6853)
>---
> source3/modules/vfs_fruit.c | 21 +++++++++++++++++++++
> 1 file changed, 21 insertions(+)
>
>diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
>index 4f383bc990d..8909bcc7c37 100644
>--- a/source3/modules/vfs_fruit.c
>+++ b/source3/modules/vfs_fruit.c
>@@ -5776,6 +5776,11 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle,
> 	mode_t ms_nfs_mode = 0;
> 	int result;
> 	struct security_descriptor *psd = NULL;
>+	uint32_t orig_num_aces = 0;
>+
>+	if (orig_psd->dacl != NULL) {
>+		orig_num_aces = orig_psd->dacl->num_aces;
>+	}
> 
> 	psd = security_descriptor_copy(talloc_tos(), orig_psd);
> 	if (psd == NULL) {
>@@ -5791,6 +5796,22 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle,
> 		return status;
> 	}
> 
>+	/*
>+	 * If only ms_nfs ACE entries were sent, ensure we set the DACL
>+	 * sent/present flags correctly now we've removed them.
>+	 */
>+
>+	if (orig_num_aces != 0) {
>+		/*
>+		 * Are there any ACE's left ?
>+		 */
>+		if (psd->dacl->num_aces == 0) {
>+			/* No - clear the DACL sent/present flags. */
>+			security_info_sent &= ~SECINFO_DACL;
>+			psd->type &= ~SEC_DESC_DACL_PRESENT;
>+		}
>+	}
>+
> 	status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
> 	if (!NT_STATUS_IS_OK(status)) {
> 		DEBUG(1, ("fruit_fset_nt_acl: SMB_VFS_NEXT_FSET_NT_ACL failed%s\n", fsp_str_dbg(fsp)));
>-- 
>2.14.1
>
>
>From 56cf1034a1ccb6e47ff8290d37376f997c153ff0 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Fri, 2 Mar 2018 13:53:55 -0800
>Subject: [PATCH 4/4] s3: vfs_fruit. Change check_ms_nfs() to remove the
> virtual ACE's generated by fruit_fget_nt_acl().
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Ensures they don't get stored in the underlying ACL.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>
>Autobuild-User(master): Ralph BÃ¶hme <slow@samba.org>
>Autobuild-Date(master): Thu Mar  8 04:09:38 CET 2018 on sn-devel-144
>
>(cherry picked from commit e0b147f650fe59f606d1faffe57059e6e9d7837b)
>---
> source3/modules/vfs_fruit.c | 43 ++++++++++++++++++++++++++++++++++++++++++-
> 1 file changed, 42 insertions(+), 1 deletion(-)
>
>diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
>index 8909bcc7c37..29372e90174 100644
>--- a/source3/modules/vfs_fruit.c
>+++ b/source3/modules/vfs_fruit.c
>@@ -2957,12 +2957,15 @@ static NTSTATUS readdir_attr_macmeta(struct vfs_handle_struct *handle,
> /* Search MS NFS style ACE with UNIX mode */
> static NTSTATUS check_ms_nfs(vfs_handle_struct *handle,
> 			     files_struct *fsp,
>-			     const struct security_descriptor *psd,
>+			     struct security_descriptor *psd,
> 			     mode_t *pmode,
> 			     bool *pdo_chmod)
> {
> 	uint32_t i;
> 	struct fruit_config_data *config = NULL;
>+	struct dom_sid sid;
>+	NTSTATUS status = NT_STATUS_OK;
>+	bool remove_ok = false;
> 
> 	*pdo_chmod = false;
> 
>@@ -2991,6 +2994,44 @@ static NTSTATUS check_ms_nfs(vfs_handle_struct *handle,
> 		}
> 	}
> 
>+	/*
>+	 * Remove any incoming virtual ACE entries generated by
>+	 * fruit_fget_nt_acl().
>+	 */
>+
>+	/* MS NFS style mode */
>+	sid_compose(&sid, &global_sid_Unix_NFS_Mode,
>+		    fsp->fsp_name->st.st_ex_mode);
>+	status = security_descriptor_dacl_del(psd, &sid);
>+	remove_ok = (NT_STATUS_IS_OK(status) ||
>+		     NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
>+	if (!remove_ok) {
>+		DBG_WARNING("failed to remove MS NFS_mode style ACE\n");
>+		return status;
>+	}
>+
>+	/* MS NFS style uid */
>+	sid_compose(&sid, &global_sid_Unix_NFS_Users,
>+		    fsp->fsp_name->st.st_ex_uid);
>+	status = security_descriptor_dacl_del(psd, &sid);
>+	remove_ok = (NT_STATUS_IS_OK(status) ||
>+		     NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
>+	if (!remove_ok) {
>+		DBG_WARNING("failed to remove MS NFS_users style ACE\n");
>+		return status;
>+	}
>+
>+	/* MS NFS style gid */
>+	sid_compose(&sid, &global_sid_Unix_NFS_Groups,
>+		    fsp->fsp_name->st.st_ex_gid);
>+	status = security_descriptor_dacl_del(psd, &sid);
>+	remove_ok = (NT_STATUS_IS_OK(status) ||
>+		     NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
>+	if (!remove_ok) {
>+		DBG_WARNING("failed to remove MS NFS_groups style ACE\n");
>+		return status;
>+	}
>+
> 	return NT_STATUS_OK;
> }
> 
>-- 
>2.14.1
>

Flags:

jra: review-

Actions: View

Attachments on bug 13319: 14020 | 14027 | 14058 | 14059 | 14068 | 14069