The Samba-Bugzilla – Attachment 14027 Details for
Bug 13319
Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit.
[patch]
git-am fix for 4.8.0rcX, 4.7.next, 4.6.next.
bug-13319-4.8.patch (text/plain), 9.89 KB, created by
Jeremy Allison
on 2018-03-08 19:19:06 UTC
Description:
git-am fix for 4.8.0rcX, 4.7.next, 4.6.next.
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2018-03-08 19:19:06 UTC
Size:
9.89 KB
>From 863cd2d1c354f6e9533d0c9d2b2121ea0c00bf3f Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Fri, 2 Mar 2018 13:07:48 -0800
>Subject: [PATCH 1/4] s3: vfs_fruit. Ensure we only return one set of the
> 'virtual' UNIX ACE entries.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>(cherry picked from commit e9059c7b40069cfb036bfb95958b78c6a2c800e4)
>---
> source3/modules/vfs_fruit.c | 28 ++++++++++++++++++++++++++++
> 1 file changed, 28 insertions(+)
>
>diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
>index ec76f718c37..50fbd6cb447 100644
>--- a/source3/modules/vfs_fruit.c
>+++ b/source3/modules/vfs_fruit.c
>@@ -5687,6 +5687,7 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
> struct security_ace ace;
> struct dom_sid sid;
> struct fruit_config_data *config;
>+ bool remove_ok = false;
>
> SMB_VFS_HANDLE_GET_DATA(handle, config,
> struct fruit_config_data,
>@@ -5711,6 +5712,15 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
> /* MS NFS style mode */
> sid_compose(&sid, &global_sid_Unix_NFS_Mode, fsp->fsp_name->st.st_ex_mode);
> init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0);
>+
>+ /* First remove any existing ACE's with this SID. */
>+ status = security_descriptor_dacl_del(*ppdesc, &sid);
>+ remove_ok = (NT_STATUS_IS_OK(status) ||
>+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
>+ if (!remove_ok) {
>+ DBG_WARNING("failed to remove MS NFS_mode style ACE\n");
>+ return status;
>+ }
> status = security_descriptor_dacl_add(*ppdesc, &ace);
> if (!NT_STATUS_IS_OK(status)) {
> DEBUG(1,("failed to add MS NFS style ACE\n"));
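Review bot: The delete-before-add in the `/* MS NFS style mode */` block matches only the SID composed from the file's current `st_ex_mode`, so a virtual ACE that was already persisted with a different mode value carries a different RID and would still be returned next to the freshly added one. The same exact-SID match is used in the uid and gid hunks of this patch and in the removal block added to check_ms_nfs() in patch 4/4, where an ACE obtained from a file with another owner, group or mode would presumably still reach the underlying ACL. Matching on the domain part of the trustee (for example with `dom_sid_compare_domain()` against `global_sid_Unix_NFS_Mode`) would cover those cases; at minimum the comment should state the limit, e.g. `/* Removes only the ACE for the current mode; ACEs stored with another mode value are not matched. */`. The body of fruit_fget_nt_acl() continues outside the hunk.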
>@@ -5720,6 +5730,15 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
> /* MS NFS style uid */
> sid_compose(&sid, &global_sid_Unix_NFS_Users, fsp->fsp_name->st.st_ex_uid);
> init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0);
>+
>+ /* First remove any existing ACE's with this SID. */
>+ status = security_descriptor_dacl_del(*ppdesc, &sid);
>+ remove_ok = (NT_STATUS_IS_OK(status) ||
>+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
>+ if (!remove_ok) {
>+ DBG_WARNING("failed to remove MS NFS_users style ACE\n");
>+ return status;
>+ }
> status = security_descriptor_dacl_add(*ppdesc, &ace);
> if (!NT_STATUS_IS_OK(status)) {
> DEBUG(1,("failed to add MS NFS style ACE\n"));
>@@ -5729,6 +5748,15 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
> /* MS NFS style gid */
> sid_compose(&sid, &global_sid_Unix_NFS_Groups, fsp->fsp_name->st.st_ex_gid);
> init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0);
>+
>+ /* First remove any existing ACE's with this SID. */
>+ status = security_descriptor_dacl_del(*ppdesc, &sid);
>+ remove_ok = (NT_STATUS_IS_OK(status) ||
>+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
>+ if (!remove_ok) {
>+ DBG_WARNING("failed to remove MS NFS_groups style ACE\n");
>+ return status;
>+ }
> status = security_descriptor_dacl_add(*ppdesc, &ace);
> if (!NT_STATUS_IS_OK(status)) {
> DEBUG(1,("failed to add MS NFS style ACE\n"));
>--
>2.14.1
>
>
>From 94924797daf878a0524e8213e178ac5c2e06a55b Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Fri, 2 Mar 2018 13:21:37 -0800
>Subject: [PATCH 2/4] s3: vfs_fruit: Ensure we operate on a copy of the
> incoming security descriptor.
>
>This will allow us to modify it in the next commit.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>(cherry picked from commit 019a1bc4caf3439adcaac48b384e86d84a1ad383)
>---
> source3/modules/vfs_fruit.c | 12 +++++++++++-
> 1 file changed, 11 insertions(+), 1 deletion(-)
>
>diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
>index 50fbd6cb447..4f383bc990d 100644
>--- a/source3/modules/vfs_fruit.c
>+++ b/source3/modules/vfs_fruit.c
>@@ -5769,24 +5769,32 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
> static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle,
> files_struct *fsp,
> uint32_t security_info_sent,
>- const struct security_descriptor *psd)
>+ const struct security_descriptor *orig_psd)
> {
> NTSTATUS status;
> bool do_chmod;
> mode_t ms_nfs_mode = 0;
> int result;
>+ struct security_descriptor *psd = NULL;
>+
>+ psd = security_descriptor_copy(talloc_tos(), orig_psd);
>+ if (psd == NULL) {
>+ return NT_STATUS_NO_MEMORY;
>+ }
>
> DBG_DEBUG("fruit_fset_nt_acl: %s\n", fsp_str_dbg(fsp));
>
> status = check_ms_nfs(handle, fsp, psd, &ms_nfs_mode, &do_chmod);
> if (!NT_STATUS_IS_OK(status)) {
> DEBUG(1, ("fruit_fset_nt_acl: check_ms_nfs failed%s\n", fsp_str_dbg(fsp)));
>+ TALLOC_FREE(psd);
> return status;
> }
>
> status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
> if (!NT_STATUS_IS_OK(status)) {
> DEBUG(1, ("fruit_fset_nt_acl: SMB_VFS_NEXT_FSET_NT_ACL failed%s\n", fsp_str_dbg(fsp)));
>+ TALLOC_FREE(psd);
> return status;
> }
>
>@@ -5804,10 +5812,12 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle,
> result, (unsigned)ms_nfs_mode,
> strerror(errno)));
> status = map_nt_error_from_unix(errno);
>+ TALLOC_FREE(psd);
> return status;
> }
> }
>
>+ TALLOC_FREE(psd);
> return NT_STATUS_OK;
> }
>
>--
>2.14.1
>
>
>From a306156e7eb0b6b3fb1913f50b39b9265edc327f Mon Sep 17 00:00:00 2001
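Review bot: Every exit path of fruit_fset_nt_acl() now carries its own `TALLOC_FREE(psd);` (four copies across the two hunks), so a return added later would keep the descriptor copy alive until the talloc_tos() frame is released. A single cleanup label keeps the ownership in one place: replace each `TALLOC_FREE(psd); return status;` pair with `goto out;`, set `status = NT_STATUS_OK;` on the success path, and end the function with `out: TALLOC_FREE(psd); return status;`. The chmod branch between the two hunks is only partly visible here, so check that it has no other return.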
>From: Jeremy Allison <jra@samba.org>
>Date: Fri, 2 Mar 2018 13:51:54 -0800
>Subject: [PATCH 3/4] s3: vfs_fruit. If the security descriptor was modified,
> ensure we set the flags correctly to reflect the ACE's left.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>(cherry picked from commit 8edad37e476295e25932778721d8ef33713f6853)
>---
> source3/modules/vfs_fruit.c | 21 +++++++++++++++++++++
> 1 file changed, 21 insertions(+)
>
>diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
>index 4f383bc990d..8909bcc7c37 100644
>--- a/source3/modules/vfs_fruit.c
>+++ b/source3/modules/vfs_fruit.c
>@@ -5776,6 +5776,11 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle,
> mode_t ms_nfs_mode = 0;
> int result;
> struct security_descriptor *psd = NULL;
>+ uint32_t orig_num_aces = 0;
>+
>+ if (orig_psd->dacl != NULL) {
>+ orig_num_aces = orig_psd->dacl->num_aces;
>+ }
>
> psd = security_descriptor_copy(talloc_tos(), orig_psd);
> if (psd == NULL) {
>@@ -5791,6 +5796,22 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle,
> return status;
> }
>
>+ /*
>+ * If only ms_nfs ACE entries were sent, ensure we set the DACL
>+ * sent/present flags correctly now we've removed them.
>+ */
>+
>+ if (orig_num_aces != 0) {
>+ /*
>+ * Are there any ACE's left ?
>+ */
>+ if (psd->dacl->num_aces == 0) {
>+ /* No - clear the DACL sent/present flags. */
>+ security_info_sent &= ~SECINFO_DACL;
>+ psd->type &= ~SEC_DESC_DACL_PRESENT;
>+ }
>+ }
>+
> status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
> if (!NT_STATUS_IS_OK(status)) {
> DEBUG(1, ("fruit_fset_nt_acl: SMB_VFS_NEXT_FSET_NT_ACL failed%s\n", fsp_str_dbg(fsp)));
>--
>2.14.1
>
>
>From 56cf1034a1ccb6e47ff8290d37376f997c153ff0 Mon Sep 17 00:00:00 2001
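Review bot: `psd->dacl->num_aces` in the second hunk is read without a NULL check; it relies on security_descriptor_copy() and the deletions in check_ms_nfs() leaving `psd->dacl` allocated whenever the original DACL had entries, which the hunk itself does not show. Treating a missing DACL like an empty one makes that explicit: `if (psd->dacl == NULL || psd->dacl->num_aces == 0) {`. Separately, when the client sent only a DACL, clearing `SECINFO_DACL` leaves `security_info_sent` at zero for SMB_VFS_NEXT_FSET_NT_ACL(); a one-line comment saying the downstream modules accept an empty request would help the next reader. The first hunk also dereferences `orig_psd` before the copy's NULL check, so it assumes callers never pass NULL.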
>From: Jeremy Allison <jra@samba.org>
>Date: Fri, 2 Mar 2018 13:53:55 -0800
>Subject: [PATCH 4/4] s3: vfs_fruit. Change check_ms_nfs() to remove the
> virtual ACE's generated by fruit_fget_nt_acl().
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Ensures they don't get stored in the underlying ACL.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>
>Autobuild-User(master): Ralph Böhme <slow@samba.org>
>Autobuild-Date(master): Thu Mar 8 04:09:38 CET 2018 on sn-devel-144
>
>(cherry picked from commit e0b147f650fe59f606d1faffe57059e6e9d7837b)
>---
> source3/modules/vfs_fruit.c | 43 ++++++++++++++++++++++++++++++++++++++++++-
> 1 file changed, 42 insertions(+), 1 deletion(-)
>
>diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
>index 8909bcc7c37..29372e90174 100644
>--- a/source3/modules/vfs_fruit.c
>+++ b/source3/modules/vfs_fruit.c
>@@ -2957,12 +2957,15 @@ static NTSTATUS readdir_attr_macmeta(struct vfs_handle_struct *handle,
> /* Search MS NFS style ACE with UNIX mode */
> static NTSTATUS check_ms_nfs(vfs_handle_struct *handle,
> files_struct *fsp,
>- const struct security_descriptor *psd,
>+ struct security_descriptor *psd,
> mode_t *pmode,
> bool *pdo_chmod)
> {
> uint32_t i;
> struct fruit_config_data *config = NULL;
>+ struct dom_sid sid;
>+ NTSTATUS status = NT_STATUS_OK;
>+ bool remove_ok = false;
>
> *pdo_chmod = false;
>
>@@ -2991,6 +2994,44 @@ static NTSTATUS check_ms_nfs(vfs_handle_struct *handle,
> }
> }
>
>+ /*
>+ * Remove any incoming virtual ACE entries generated by
>+ * fruit_fget_nt_acl().
>+ */
>+
>+ /* MS NFS style mode */
>+ sid_compose(&sid, &global_sid_Unix_NFS_Mode,
>+ fsp->fsp_name->st.st_ex_mode);
>+ status = security_descriptor_dacl_del(psd, &sid);
>+ remove_ok = (NT_STATUS_IS_OK(status) ||
>+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
>+ if (!remove_ok) {
>+ DBG_WARNING("failed to remove MS NFS_mode style ACE\n");
>+ return status;
>+ }
>+
>+ /* MS NFS style uid */
>+ sid_compose(&sid, &global_sid_Unix_NFS_Users,
>+ fsp->fsp_name->st.st_ex_uid);
>+ status = security_descriptor_dacl_del(psd, &sid);
>+ remove_ok = (NT_STATUS_IS_OK(status) ||
>+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
>+ if (!remove_ok) {
>+ DBG_WARNING("failed to remove MS NFS_users style ACE\n");
>+ return status;
>+ }
>+
>+ /* MS NFS style gid */
>+ sid_compose(&sid, &global_sid_Unix_NFS_Groups,
>+ fsp->fsp_name->st.st_ex_gid);
>+ status = security_descriptor_dacl_del(psd, &sid);
>+ remove_ok = (NT_STATUS_IS_OK(status) ||
>+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
>+ if (!remove_ok) {
>+ DBG_WARNING("failed to remove MS NFS_groups style ACE\n");
>+ return status;
>+ }
>+
> return NT_STATUS_OK;
> }
>
>--
>2.14.1
>
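Review bot: check_ms_nfs() now modifies the descriptor it is handed (the `const` is dropped in the first hunk of this patch), but its header comment still reads `/* Search MS NFS style ACE with UNIX mode */`. Update it to say the function also strips the virtual ACEs, e.g. `/* Search MS NFS style ACE with UNIX mode, then remove the virtual NFS ACEs from psd (psd is modified). */`, so callers know to pass a private copy. On an early `return status` from one of the three removal steps psd is left partially stripped; that is harmless for the caller shown in patch 2/4, which frees its copy, but is worth a word in the same comment.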
Flags:
jra
:
review-