The Samba-Bugzilla – Attachment 14058 Details for
Bug 13319
Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit.
[patch]
git-am fix for 4.8.next.
bug-13319-v4.8 (text/plain), 28.93 KB, created by
Jeremy Allison
on 2018-03-19 18:46:58 UTC
Description:
git-am fix for 4.8.next.
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2018-03-19 18:46:58 UTC
Size:
28.93 KB
patch
obsolete
>From ed8c014b3b76ecc31da8685c265518a30c662291 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Fri, 2 Mar 2018 13:07:48 -0800 >Subject: [PATCH 01/10] s3: vfs_fruit. Ensure we only return one set of the > 'virtual' UNIX ACE entries. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit e9059c7b40069cfb036bfb95958b78c6a2c800e4) >--- > source3/modules/vfs_fruit.c | 28 ++++++++++++++++++++++++++++ > 1 file changed, 28 insertions(+) > >diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c >index ec76f718c37..50fbd6cb447 100644 >--- a/source3/modules/vfs_fruit.c >+++ b/source3/modules/vfs_fruit.c >@@ -5687,6 +5687,7 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle, > struct security_ace ace; > struct dom_sid sid; > struct fruit_config_data *config; >+ bool remove_ok = false; > > SMB_VFS_HANDLE_GET_DATA(handle, config, > struct fruit_config_data, >@@ -5711,6 +5712,15 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle, > /* MS NFS style mode */ > sid_compose(&sid, &global_sid_Unix_NFS_Mode, fsp->fsp_name->st.st_ex_mode); > init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0); >+ >+ /* First remove any existing ACE's with this SID. */ >+ status = security_descriptor_dacl_del(*ppdesc, &sid); >+ remove_ok = (NT_STATUS_IS_OK(status) || >+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)); >+ if (!remove_ok) { >+ DBG_WARNING("failed to remove MS NFS_mode style ACE\n"); >+ return status; >+ } > status = security_descriptor_dacl_add(*ppdesc, &ace); > if (!NT_STATUS_IS_OK(status)) { > DEBUG(1,("failed to add MS NFS style ACE\n")); 
>@@ -5720,6 +5730,15 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle, > /* MS NFS style uid */ > sid_compose(&sid, &global_sid_Unix_NFS_Users, fsp->fsp_name->st.st_ex_uid); > init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0); >+ >+ /* First remove any existing ACE's with this SID. */ >+ status = security_descriptor_dacl_del(*ppdesc, &sid); >+ remove_ok = (NT_STATUS_IS_OK(status) || >+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)); >+ if (!remove_ok) { >+ DBG_WARNING("failed to remove MS NFS_users style ACE\n"); >+ return status; >+ } > status = security_descriptor_dacl_add(*ppdesc, &ace); > if (!NT_STATUS_IS_OK(status)) { > DEBUG(1,("failed to add MS NFS style ACE\n")); >@@ -5729,6 +5748,15 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle, > /* MS NFS style gid */ > sid_compose(&sid, &global_sid_Unix_NFS_Groups, fsp->fsp_name->st.st_ex_gid); > init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0); >+ >+ /* First remove any existing ACE's with this SID. */ >+ status = security_descriptor_dacl_del(*ppdesc, &sid); >+ remove_ok = (NT_STATUS_IS_OK(status) || >+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)); >+ if (!remove_ok) { >+ DBG_WARNING("failed to remove MS NFS_groups style ACE\n"); >+ return status; >+ } > status = security_descriptor_dacl_add(*ppdesc, &ace); > if (!NT_STATUS_IS_OK(status)) { > DEBUG(1,("failed to add MS NFS style ACE\n")); >-- >2.16.2.804.g6dcf76e118-goog > > >From eb790c263ddcefaadf3583201e56fc8a7eaeaaf2 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Fri, 2 Mar 2018 13:21:37 -0800 >Subject: [PATCH 02/10] s3: vfs_fruit: Ensure we operate on a copy of the > incoming security descriptor. > >This will allow us to modify it in the next commit. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319 
> >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 019a1bc4caf3439adcaac48b384e86d84a1ad383) >--- > source3/modules/vfs_fruit.c | 12 +++++++++++- > 1 file changed, 11 insertions(+), 1 deletion(-) > >diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c >index 50fbd6cb447..4f383bc990d 100644 >--- a/source3/modules/vfs_fruit.c >+++ b/source3/modules/vfs_fruit.c >@@ -5769,24 +5769,32 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle, > static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle, > files_struct *fsp, > uint32_t security_info_sent, >- const struct security_descriptor *psd) >+ const struct security_descriptor *orig_psd) > { > NTSTATUS status; > bool do_chmod; > mode_t ms_nfs_mode = 0; > int result; >+ struct security_descriptor *psd = NULL; >+ >+ psd = security_descriptor_copy(talloc_tos(), orig_psd); >+ if (psd == NULL) { >+ return NT_STATUS_NO_MEMORY; >+ } > > DBG_DEBUG("fruit_fset_nt_acl: %s\n", fsp_str_dbg(fsp)); > > status = check_ms_nfs(handle, fsp, psd, &ms_nfs_mode, &do_chmod); > if (!NT_STATUS_IS_OK(status)) { > DEBUG(1, ("fruit_fset_nt_acl: check_ms_nfs failed%s\n", fsp_str_dbg(fsp))); >+ TALLOC_FREE(psd); > return status; > } > > status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd); > if (!NT_STATUS_IS_OK(status)) { > DEBUG(1, ("fruit_fset_nt_acl: SMB_VFS_NEXT_FSET_NT_ACL failed%s\n", fsp_str_dbg(fsp))); >+ TALLOC_FREE(psd); > return status; > } > >@@ -5804,10 +5812,12 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle, > result, (unsigned)ms_nfs_mode, > strerror(errno))); > status = map_nt_error_from_unix(errno); >+ TALLOC_FREE(psd); > return status; > } > } > >+ TALLOC_FREE(psd); > return NT_STATUS_OK; > } > >-- >2.16.2.804.g6dcf76e118-goog > > >From 51ac4ae5e8d2790e48d6091c7ada4be217bbf19a Mon Sep 17 00:00:00 2001 
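Review bot: The four `TALLOC_FREE(psd)` calls placed in front of every `return` in fruit_fset_nt_acl (both hunks) are per-exit cleanup that a single label handles more safely, since any future early return that forgets the free leaks the copy until the talloc stackframe unwinds. Suggest `status = NT_STATUS_NO_MEMORY; goto done;` style exits with a trailing `done: TALLOC_FREE(psd); return status;`. The copy itself also deserves a why-comment, e.g. `/* Work on a private copy: the virtual NFS ACEs are stripped from it in place further down and the caller's descriptor is const. */`, because at this point in the series nothing visibly modifies psd yet and a reader will wonder why the allocation exists. The function body continues outside both hunks.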
>From: Jeremy Allison <jra@samba.org> >Date: Fri, 2 Mar 2018 13:51:54 -0800 >Subject: [PATCH 03/10] s3: vfs_fruit. If the security descriptor was modified, > ensure we set the flags correctly to reflect the ACE's left. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 8edad37e476295e25932778721d8ef33713f6853) >--- > source3/modules/vfs_fruit.c | 21 +++++++++++++++++++++ > 1 file changed, 21 insertions(+) > >diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c >index 4f383bc990d..8909bcc7c37 100644 >--- a/source3/modules/vfs_fruit.c >+++ b/source3/modules/vfs_fruit.c >@@ -5776,6 +5776,11 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle, > mode_t ms_nfs_mode = 0; > int result; > struct security_descriptor *psd = NULL; >+ uint32_t orig_num_aces = 0; >+ >+ if (orig_psd->dacl != NULL) { >+ orig_num_aces = orig_psd->dacl->num_aces; >+ } > > psd = security_descriptor_copy(talloc_tos(), orig_psd); > if (psd == NULL) { >@@ -5791,6 +5796,22 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle, > return status; > } > >+ /* >+ * If only ms_nfs ACE entries were sent, ensure we set the DACL >+ * sent/present flags correctly now we've removed them. >+ */ >+ >+ if (orig_num_aces != 0) { >+ /* >+ * Are there any ACE's left ? >+ */ >+ if (psd->dacl->num_aces == 0) { >+ /* No - clear the DACL sent/present flags. */ >+ security_info_sent &= ~SECINFO_DACL; >+ psd->type &= ~SEC_DESC_DACL_PRESENT; >+ } >+ } >+ > status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd); > if (!NT_STATUS_IS_OK(status)) { > DEBUG(1, ("fruit_fset_nt_acl: SMB_VFS_NEXT_FSET_NT_ACL failed%s\n", fsp_str_dbg(fsp))); >-- >2.16.2.804.g6dcf76e118-goog > > >From e38e47d76535774a939cbea028c3564d8af715a0 Mon Sep 17 00:00:00 2001 
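Review bot: The new block in the second hunk that clears `SECINFO_DACL` and `SEC_DESC_DACL_PRESENT` once `psd->dacl->num_aces` has dropped to zero is the security-relevant decision of this patch, and the `Are there any ACE's left ?` comment does not say why it matters: a DACL that is present but empty grants access to nobody, so forwarding the stripped descriptor unchanged would presumably lock the file, whereas dropping the DACL bits should make the next VFS layer leave the stored ACL alone. Suggest replacing that comment with `/* Only virtual NFS ACEs were sent and they have now been stripped. An empty-but-present DACL would deny all access, so treat the request as "DACL not sent" and keep the stored ACL. */`. The same comment should state that dereferencing `psd->dacl` is safe here only because `orig_num_aces != 0` implies the copied descriptor carries a DACL, an assumption about security_descriptor_copy() that I cannot verify from the hunk. fruit_fset_nt_acl's body runs outside both hunks.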
>From: Jeremy Allison <jra@samba.org> >Date: Fri, 2 Mar 2018 13:53:55 -0800 >Subject: [PATCH 04/10] s3: vfs_fruit. Change check_ms_nfs() to remove the > virtual ACE's generated by fruit_fget_nt_acl(). >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >Ensures they don't get stored in the underlying ACL. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> > >Autobuild-User(master): Ralph Böhme <slow@samba.org> >Autobuild-Date(master): Thu Mar 8 04:09:38 CET 2018 on sn-devel-144 > >(cherry picked from commit e0b147f650fe59f606d1faffe57059e6e9d7837b) >--- > source3/modules/vfs_fruit.c | 43 ++++++++++++++++++++++++++++++++++++- > 1 file changed, 42 insertions(+), 1 deletion(-) > >diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c >index 8909bcc7c37..29372e90174 100644 >--- a/source3/modules/vfs_fruit.c >+++ b/source3/modules/vfs_fruit.c >@@ -2957,12 +2957,15 @@ static NTSTATUS readdir_attr_macmeta(struct vfs_handle_struct *handle, > /* Search MS NFS style ACE with UNIX mode */ > static NTSTATUS check_ms_nfs(vfs_handle_struct *handle, > files_struct *fsp, >- const struct security_descriptor *psd, >+ struct security_descriptor *psd, > mode_t *pmode, > bool *pdo_chmod) > { > uint32_t i; > struct fruit_config_data *config = NULL; >+ struct dom_sid sid; >+ NTSTATUS status = NT_STATUS_OK; >+ bool remove_ok = false; > > *pdo_chmod = false; 
> >@@ -2991,6 +2994,44 @@ static NTSTATUS check_ms_nfs(vfs_handle_struct *handle, > } > } > >+ /* >+ * Remove any incoming virtual ACE entries generated by >+ * fruit_fget_nt_acl(). >+ */ >+ >+ /* MS NFS style mode */ >+ sid_compose(&sid, &global_sid_Unix_NFS_Mode, >+ fsp->fsp_name->st.st_ex_mode); >+ status = security_descriptor_dacl_del(psd, &sid); >+ remove_ok = (NT_STATUS_IS_OK(status) || >+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)); >+ if (!remove_ok) { >+ DBG_WARNING("failed to remove MS NFS_mode style ACE\n"); >+ return status; >+ } >+ >+ /* MS NFS style uid */ >+ sid_compose(&sid, &global_sid_Unix_NFS_Users, >+ fsp->fsp_name->st.st_ex_uid); >+ status = security_descriptor_dacl_del(psd, &sid); >+ remove_ok = (NT_STATUS_IS_OK(status) || >+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)); >+ if (!remove_ok) { >+ DBG_WARNING("failed to remove MS NFS_users style ACE\n"); >+ return status; >+ } >+ >+ /* MS NFS style gid */ >+ sid_compose(&sid, &global_sid_Unix_NFS_Groups, >+ fsp->fsp_name->st.st_ex_gid); >+ status = security_descriptor_dacl_del(psd, &sid); >+ remove_ok = (NT_STATUS_IS_OK(status) || >+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)); >+ if (!remove_ok) { >+ DBG_WARNING("failed to remove MS NFS_groups style ACE\n"); >+ return status; >+ } >+ > return NT_STATUS_OK; > } > >-- >2.16.2.804.g6dcf76e118-goog > > >From f7ff89865ad6da65026a014dd2a283527d4383ff Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Thu, 15 Mar 2018 09:52:30 -0700 >Subject: [PATCH 05/10] s3: smbd: vfs_fruit: Add remove_virtual_nfs_aces() a > generic NFS ACE remover. > >Not yet used, will be used to tidyup existing code. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319 
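Review bot: Dropping `const` from `psd` in the first hunk turns check_ms_nfs() into a function that mutates its input, but the header comment `/* Search MS NFS style ACE with UNIX mode */` (context line of that hunk) still describes a pure search; suggest `/* Search for the MS NFS style ACE carrying the UNIX mode, then strip every virtual NFS ACE from psd in place. Callers must pass a writable copy that is not stored afterwards. */`. The three removal blocks in the second hunk only delete SIDs composed from the file's current st_ex_mode/uid/gid, so an ACE whose uid or gid RID differs from the file's would survive into the stored ACL; later patches in this series replace these blocks, so only the comment change is worth making here. The earlier loop body of check_ms_nfs lies outside these hunks.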
> >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit ef091e2cf836793e2aa533990913609ccab5119a) >--- > source3/modules/vfs_fruit.c | 43 +++++++++++++++++++++++++++++++++++++ > 1 file changed, 43 insertions(+) > >diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c >index 29372e90174..67af69843ed 100644 >--- a/source3/modules/vfs_fruit.c >+++ b/source3/modules/vfs_fruit.c >@@ -2954,6 +2954,49 @@ static NTSTATUS readdir_attr_macmeta(struct vfs_handle_struct *handle, > return status; > } > >+static NTSTATUS remove_virtual_nfs_aces(struct security_descriptor *psd) >+{ >+ NTSTATUS status; >+ uint32_t i; >+ >+ if (psd->dacl == NULL) { >+ return NT_STATUS_OK; >+ } >+ >+ for (i = 0; i < psd->dacl->num_aces; i++) { >+ /* MS NFS style mode/uid/gid */ >+ if (!dom_sid_compare_domain( >+ &global_sid_Unix_NFS, >+ &psd->dacl->aces[i].trustee) == 0) { >+ /* Normal ACE entry. */ >+ continue; >+ } >+ >+ /* >+ * security_descriptor_dacl_del() >+ * *must* return NT_STATUS_OK as we know >+ * we have something to remove. >+ */ >+ >+ status = security_descriptor_dacl_del(psd, >+ &psd->dacl->aces[i].trustee); >+ if (!NT_STATUS_IS_OK(status)) { >+ DBG_WARNING("failed to remove MS NFS style ACE: %s\n", >+ nt_errstr(status)); >+ return status; >+ } >+ >+ /* >+ * security_descriptor_dacl_del() may delete more >+ * then one entry subsequent to this one if the >+ * SID matches, but we only need to ensure that >+ * we stay looking at the same element in the array. >+ */ >+ i--; >+ } >+ return NT_STATUS_OK; >+} >+ > /* Search MS NFS style ACE with UNIX mode */ > static NTSTATUS check_ms_nfs(vfs_handle_struct *handle, > files_struct *fsp, >-- >2.16.2.804.g6dcf76e118-goog > > >From 62e00116f79c74c0bbd907c8f3d99bf7e869a6dc Mon Sep 17 00:00:00 2001 
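Review bot: In remove_virtual_nfs_aces() the test `if (!dom_sid_compare_domain(...) == 0)` only works by accident: `!` binds tighter than `==`, so the expression parses as `(!cmp) == 0`, which is `cmp != 0`, and GCC's -Wlogical-not-parentheses will flag it; state the intent directly as `if (dom_sid_compare_domain(&global_sid_Unix_NFS, &psd->dacl->aces[i].trustee) != 0) {`. The `i--` after a successful delete relies on unsigned wrap when `i == 0` (it becomes UINT32_MAX and the loop's `i++` brings it back to 0), which is defined but deserves a sentence in the existing comment, and that comment has a typo: `more then one` should read `more than one`. The loop re-reads `psd->dacl->num_aces` every iteration, so the shrinking array is handled correctly only if security_descriptor_dacl_del() keeps the remaining entries in order, which I cannot see here and which the comment should state as the assumption.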
>From: Jeremy Allison <jra@samba.org> >Date: Thu, 15 Mar 2018 09:54:41 -0700 >Subject: [PATCH 06/10] s3: smbd: vfs_fruit: Replace code in check_ms_nfs() > with remove_virtual_nfs_aces(). > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit a3c925d80433e3d4fe1b1b315edf6520cacf0a9e) >--- > source3/modules/vfs_fruit.c | 38 +------------------------------------ > 1 file changed, 1 insertion(+), 37 deletions(-) > >diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c >index 67af69843ed..38f421c337d 100644 >--- a/source3/modules/vfs_fruit.c >+++ b/source3/modules/vfs_fruit.c >@@ -3006,9 +3006,6 @@ static NTSTATUS check_ms_nfs(vfs_handle_struct *handle, > { > uint32_t i; > struct fruit_config_data *config = NULL; >- struct dom_sid sid; >- NTSTATUS status = NT_STATUS_OK; >- bool remove_ok = false; > > *pdo_chmod = false; 
> >@@ -3042,40 +3039,7 @@ static NTSTATUS check_ms_nfs(vfs_handle_struct *handle, > * fruit_fget_nt_acl(). > */ > >- /* MS NFS style mode */ >- sid_compose(&sid, &global_sid_Unix_NFS_Mode, >- fsp->fsp_name->st.st_ex_mode); >- status = security_descriptor_dacl_del(psd, &sid); >- remove_ok = (NT_STATUS_IS_OK(status) || >- NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)); >- if (!remove_ok) { >- DBG_WARNING("failed to remove MS NFS_mode style ACE\n"); >- return status; >- } >- >- /* MS NFS style uid */ >- sid_compose(&sid, &global_sid_Unix_NFS_Users, >- fsp->fsp_name->st.st_ex_uid); >- status = security_descriptor_dacl_del(psd, &sid); >- remove_ok = (NT_STATUS_IS_OK(status) || >- NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)); >- if (!remove_ok) { >- DBG_WARNING("failed to remove MS NFS_users style ACE\n"); >- return status; >- } >- >- /* MS NFS style gid */ >- sid_compose(&sid, &global_sid_Unix_NFS_Groups, >- fsp->fsp_name->st.st_ex_gid); >- status = security_descriptor_dacl_del(psd, &sid); >- remove_ok = (NT_STATUS_IS_OK(status) || >- NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)); >- if (!remove_ok) { >- DBG_WARNING("failed to remove MS NFS_groups style ACE\n"); >- return status; >- } >- >- return NT_STATUS_OK; >+ return remove_virtual_nfs_aces(psd); > } > > /**************************************************************************** >-- >2.16.2.804.g6dcf76e118-goog > > >From 1c56350a565f652ccaec584bf2fc62e3dee707b3 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Thu, 15 Mar 2018 09:57:09 -0700 >Subject: [PATCH 07/10] s3: smbd: vfs_fruit: Replace code in > fruit_fget_nt_acl() with remove_virtual_nfs_aces(). > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319 
> >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 875ff2575feb96d06cf2290e5b6a226b32ef9758) >--- > source3/modules/vfs_fruit.c | 35 +++++++---------------------------- > 1 file changed, 7 insertions(+), 28 deletions(-) > >diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c >index 38f421c337d..19b78edb949 100644 >--- a/source3/modules/vfs_fruit.c >+++ b/source3/modules/vfs_fruit.c >@@ -5735,7 +5735,6 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle, > struct security_ace ace; > struct dom_sid sid; > struct fruit_config_data *config; >- bool remove_ok = false; > > SMB_VFS_HANDLE_GET_DATA(handle, config, > struct fruit_config_data, >@@ -5757,18 +5756,16 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle, > return NT_STATUS_OK; > } > >+ /* First remove any existing ACE's with NFS style mode/uid/gid SIDs. */ >+ status = remove_virtual_nfs_aces(*ppdesc); >+ if (!NT_STATUS_IS_OK(status)) { >+ DBG_WARNING("failed to remove MS NFS style ACEs\n"); >+ return status; >+ } >+ > /* MS NFS style mode */ > sid_compose(&sid, &global_sid_Unix_NFS_Mode, fsp->fsp_name->st.st_ex_mode); > init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0); >- >- /* First remove any existing ACE's with this SID. */ >- status = security_descriptor_dacl_del(*ppdesc, &sid); >- remove_ok = (NT_STATUS_IS_OK(status) || >- NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)); >- if (!remove_ok) { >- DBG_WARNING("failed to remove MS NFS_mode style ACE\n"); >- return status; >- } > status = security_descriptor_dacl_add(*ppdesc, &ace); > if (!NT_STATUS_IS_OK(status)) { > DEBUG(1,("failed to add MS NFS style ACE\n")); 
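Review bot: The new `DBG_WARNING("failed to remove MS NFS style ACEs\n")` in the second hunk of fruit_fget_nt_acl drops the status that the helper already formats with nt_errstr() on its own failure path; for consistency and so the two log lines can be told apart, log it here as well: `DBG_WARNING("failed to remove MS NFS style ACEs: %s\n", nt_errstr(status));`. The comment above the call could also say why removal is needed on the read path at all — the descriptor returned by the next layer may already carry virtual NFS ACEs (presumably written by a server without this fix; confirm), and adding fresh ones on top would duplicate them, which is the unbounded growth the bug reports. The rest of the function is outside the hunk.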
>@@ -5778,15 +5775,6 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle, > /* MS NFS style uid */ > sid_compose(&sid, &global_sid_Unix_NFS_Users, fsp->fsp_name->st.st_ex_uid); > init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0); >- >- /* First remove any existing ACE's with this SID. */ >- status = security_descriptor_dacl_del(*ppdesc, &sid); >- remove_ok = (NT_STATUS_IS_OK(status) || >- NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)); >- if (!remove_ok) { >- DBG_WARNING("failed to remove MS NFS_users style ACE\n"); >- return status; >- } > status = security_descriptor_dacl_add(*ppdesc, &ace); > if (!NT_STATUS_IS_OK(status)) { > DEBUG(1,("failed to add MS NFS style ACE\n")); >@@ -5796,15 +5784,6 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle, > /* MS NFS style gid */ > sid_compose(&sid, &global_sid_Unix_NFS_Groups, fsp->fsp_name->st.st_ex_gid); > init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0); >- >- /* First remove any existing ACE's with this SID. */ >- status = security_descriptor_dacl_del(*ppdesc, &sid); >- remove_ok = (NT_STATUS_IS_OK(status) || >- NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)); >- if (!remove_ok) { >- DBG_WARNING("failed to remove MS NFS_groups style ACE\n"); >- return status; >- } > status = security_descriptor_dacl_add(*ppdesc, &ace); > if (!NT_STATUS_IS_OK(status)) { > DEBUG(1,("failed to add MS NFS style ACE\n")); >-- >2.16.2.804.g6dcf76e118-goog > > >From fe9af1676829cd9576b492895eff86205e50be69 Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Fri, 16 Mar 2018 21:55:26 +0100 >Subject: [PATCH 08/10] selftest: run vfs.fruit_netatalk test against seperate > share > >These tests require a fs with xattr support. This allows adding >xattr_tdb to all other shares in the next commit. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319 
> >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 013aaffe7ff0ed4c30495761bb3208c29b3b5de2) >--- > selftest/target/Samba3.pm | 10 ++++++++++ > source3/selftest/tests.py | 2 +- > 2 files changed, 11 insertions(+), 1 deletion(-) > >diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm >index f2dcdd1489b..970f86491db 100755 >--- a/selftest/target/Samba3.pm >+++ b/selftest/target/Samba3.pm >@@ -1936,6 +1936,16 @@ sub provision($$$$$$$$$) > fruit:encoding = native > fruit:veto_appledouble = no > >+[vfs_fruit_xattr] >+ path = $shrdir >+ # This is used by vfs.fruit tests that require real fs xattr >+ vfs objects = catia fruit streams_xattr acl_xattr >+ fruit:resource = file >+ fruit:metadata = netatalk >+ fruit:locking = netatalk >+ fruit:encoding = native >+ fruit:veto_appledouble = no >+ > [vfs_fruit_metadata_stream] > path = $shrdir > vfs objects = fruit streams_xattr acl_xattr >diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py >index 54969f8cc81..f73b8aa2f2c 100755 >--- a/source3/selftest/tests.py >+++ b/source3/selftest/tests.py 
>@@ -499,7 +499,7 @@ for t in tests: > plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/vfs_fruit_metadata_stream -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/nt4_dc/share --option=torture:share2=vfs_wo_fruit', 'metadata_stream') > plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/vfs_fruit_stream_depot -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/nt4_dc/share --option=torture:share2=vfs_wo_fruit_stream_depot', 'streams_depot') > elif t == "vfs.fruit_netatalk": >- plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/vfs_fruit -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/nt4_dc/share') >+ plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/vfs_fruit_xattr -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/nt4_dc/share') > elif t == "vfs.fruit_timemachine": > plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/vfs_fruit_timemachine -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/nt4_dc/share') > elif t == "vfs.fruit_file_id": >-- >2.16.2.804.g6dcf76e118-goog > > >From 3585fe5e625841a42c4c8e3cd0a81c458f7c8bb2 Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Fri, 16 Mar 2018 21:57:31 +0100 >Subject: [PATCH 09/10] selftest: vfs.fruit: add xattr_tdb where possible > >This makes the tests indepent from fs xattr support. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319 > >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 49996ca9324596b6cd72eb8051ca3676dab17191) >--- > selftest/target/Samba3.pm | 12 ++++++------ > 1 file changed, 6 insertions(+), 6 deletions(-) > >diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm >index 970f86491db..7e4224a4578 100755 >--- a/selftest/target/Samba3.pm >+++ b/selftest/target/Samba3.pm 
>@@ -1929,7 +1929,7 @@ sub provision($$$$$$$$$) > > [vfs_fruit] > path = $shrdir >- vfs objects = catia fruit streams_xattr acl_xattr >+ vfs objects = catia fruit streams_xattr acl_xattr xattr_tdb > fruit:resource = file > fruit:metadata = netatalk > fruit:locking = netatalk >@@ -1948,29 +1948,29 @@ sub provision($$$$$$$$$) > > [vfs_fruit_metadata_stream] > path = $shrdir >- vfs objects = fruit streams_xattr acl_xattr >+ vfs objects = fruit streams_xattr acl_xattr xattr_tdb > fruit:resource = file > fruit:metadata = stream > fruit:veto_appledouble = no > > [vfs_fruit_stream_depot] > path = $shrdir >- vfs objects = fruit streams_depot acl_xattr >+ vfs objects = fruit streams_depot acl_xattr xattr_tdb > fruit:resource = stream > fruit:metadata = stream > fruit:veto_appledouble = no > > [vfs_wo_fruit] > path = $shrdir >- vfs objects = streams_xattr acl_xattr >+ vfs objects = streams_xattr acl_xattr xattr_tdb > > [vfs_wo_fruit_stream_depot] > path = $shrdir >- vfs objects = streams_depot acl_xattr >+ vfs objects = streams_depot acl_xattr xattr_tdb > > [vfs_fruit_timemachine] > path = $shrdir >- vfs objects = fruit streams_xattr acl_xattr >+ vfs objects = fruit streams_xattr acl_xattr xattr_tdb > fruit:resource = file > fruit:metadata = stream > fruit:time machine = yes >-- >2.16.2.804.g6dcf76e118-goog > > >From 0d91c2d2827d74036732fe57d684667fe834d78a Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Thu, 15 Mar 2018 14:45:06 -0700 >Subject: [PATCH 10/10] s4: vfs: fruit tests: Add regression test for dealing > with NFS ACE entries. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319 
> >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> > >Autobuild-User(master): Jeremy Allison <jra@samba.org> >Autobuild-Date(master): Sat Mar 17 04:04:32 CET 2018 on sn-devel-144 > >(cherry picked from commit a6054c01c29c2507e0d5a6aa110fee4fd5c5eeb9) >--- > source4/torture/vfs/fruit.c | 171 ++++++++++++++++++++++++++++++++++++ > 1 file changed, 171 insertions(+) > >diff --git a/source4/torture/vfs/fruit.c b/source4/torture/vfs/fruit.c >index d071cf6f9af..65109cc1934 100644 >--- a/source4/torture/vfs/fruit.c >+++ b/source4/torture/vfs/fruit.c >@@ -36,6 +36,10 @@ > #include "torture/smb2/proto.h" > #include "torture/vfs/proto.h" > #include "librpc/gen_ndr/ndr_ioctl.h" >+#include "libcli/security/dom_sid.h" >+#include "../librpc/gen_ndr/ndr_security.h" >+#include "libcli/security/secace.h" >+#include "libcli/security/security_descriptor.h" > > #define BASEDIR "vfs_fruit_dir" > #define FNAME_CC_SRC "testfsctl.dat" 
>@@ -4425,6 +4429,172 @@ done: > return ok; > } > >+/* >+ * Ensure this security descriptor has exactly one mode, uid >+ * and gid. >+ */ >+ >+static NTSTATUS check_nfs_sd(const struct security_descriptor *psd) >+{ >+ uint32_t i; >+ bool got_one_mode = false; >+ bool got_one_uid = false; >+ bool got_one_gid = false; >+ >+ if (psd->dacl == NULL) { >+ return NT_STATUS_INVALID_SECURITY_DESCR; >+ } >+ >+ for (i = 0; i < psd->dacl->num_aces; i++) { >+ if (dom_sid_compare_domain(&global_sid_Unix_NFS_Mode, >+ &psd->dacl->aces[i].trustee) == 0) { >+ if (got_one_mode == true) { >+ /* Can't have more than one. */ >+ return NT_STATUS_INVALID_SECURITY_DESCR; >+ } >+ got_one_mode = true; >+ } >+ } >+ for (i = 0; i < psd->dacl->num_aces; i++) { >+ if (dom_sid_compare_domain(&global_sid_Unix_NFS_Users, >+ &psd->dacl->aces[i].trustee) == 0) { >+ if (got_one_uid == true) { >+ /* Can't have more than one. */ >+ return NT_STATUS_INVALID_SECURITY_DESCR; >+ } >+ got_one_uid = true; >+ } >+ } >+ for (i = 0; i < psd->dacl->num_aces; i++) { >+ if (dom_sid_compare_domain(&global_sid_Unix_NFS_Groups, >+ &psd->dacl->aces[i].trustee) == 0) { >+ if (got_one_gid == true) { >+ /* Can't have more than one. */ >+ return NT_STATUS_INVALID_SECURITY_DESCR; >+ } >+ got_one_gid = true; >+ } >+ } >+ /* Must have at least one of each. 
*/ >+ if (got_one_mode == false || >+ got_one_uid == false || >+ got_one_gid == false) { >+ return NT_STATUS_INVALID_SECURITY_DESCR; >+ } >+ return NT_STATUS_OK; >+} >+ >+static bool test_nfs_aces(struct torture_context *tctx, >+ struct smb2_tree *tree) >+{ >+ TALLOC_CTX *mem_ctx = talloc_new(tctx); >+ struct security_ace ace; >+ struct dom_sid sid; >+ const char *fname = BASEDIR "\\nfs_aces.txt"; >+ struct smb2_handle h = {{0}}; >+ union smb_fileinfo finfo2; >+ union smb_setfileinfo set; >+ struct security_descriptor *psd = NULL; >+ NTSTATUS status; >+ bool ret = true; >+ >+ ret = enable_aapl(tctx, tree); >+ torture_assert(tctx, ret == true, "enable_aapl failed"); >+ >+ /* clean slate ...*/ >+ smb2_util_unlink(tree, fname); >+ smb2_deltree(tree, fname); >+ smb2_deltree(tree, BASEDIR); >+ >+ status = torture_smb2_testdir(tree, BASEDIR, &h); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ smb2_util_close(tree, h); >+ >+ /* Create a test file. */ >+ status = torture_smb2_testfile_access(tree, >+ fname, >+ &h, >+ SEC_STD_READ_CONTROL | >+ SEC_STD_WRITE_DAC | >+ SEC_RIGHTS_FILE_ALL); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ >+ /* Get the ACL. */ >+ finfo2.query_secdesc.in.secinfo_flags = >+ SECINFO_OWNER | >+ SECINFO_GROUP | >+ SECINFO_DACL; >+ finfo2.generic.level = RAW_FILEINFO_SEC_DESC; >+ finfo2.generic.in.file.handle = h; >+ status = smb2_getinfo_file(tree, tctx, &finfo2); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ >+ psd = finfo2.query_secdesc.out.sd; >+ >+ /* Ensure we have only single mode/uid/gid NFS entries. */ >+ status = check_nfs_sd(psd); >+ if (!NT_STATUS_IS_OK(status)) { >+ NDR_PRINT_DEBUG( >+ security_descriptor, >+ discard_const_p(struct security_descriptor, psd)); >+ } >+ CHECK_STATUS(status, NT_STATUS_OK); >+ >+ /* Add a couple of extra NFS uids and gids. 
*/ >+ sid_compose(&sid, &global_sid_Unix_NFS_Users, 27); >+ init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0); >+ status = security_descriptor_dacl_add(psd, &ace); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ status = security_descriptor_dacl_add(psd, &ace); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ >+ sid_compose(&sid, &global_sid_Unix_NFS_Groups, 300); >+ init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0); >+ status = security_descriptor_dacl_add(psd, &ace); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ status = security_descriptor_dacl_add(psd, &ace); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ >+ /* Now set on the file handle. */ >+ set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; >+ set.set_secdesc.in.file.handle = h; >+ set.set_secdesc.in.secinfo_flags = SECINFO_DACL; >+ set.set_secdesc.in.sd = psd; >+ status = smb2_setinfo_file(tree, &set); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ >+ /* Get the ACL again. */ >+ finfo2.query_secdesc.in.secinfo_flags = >+ SECINFO_OWNER | >+ SECINFO_GROUP | >+ SECINFO_DACL; >+ finfo2.generic.level = RAW_FILEINFO_SEC_DESC; >+ finfo2.generic.in.file.handle = h; >+ status = smb2_getinfo_file(tree, tctx, &finfo2); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ >+ psd = finfo2.query_secdesc.out.sd; >+ >+ /* Ensure we have only single mode/uid/gid NFS entries. */ >+ status = check_nfs_sd(psd); >+ if (!NT_STATUS_IS_OK(status)) { >+ NDR_PRINT_DEBUG( >+ security_descriptor, >+ discard_const_p(struct security_descriptor, psd)); >+ } >+ CHECK_STATUS(status, NT_STATUS_OK); >+ >+done: >+ if (!smb2_util_handle_empty(h)) { >+ smb2_util_close(tree, h); >+ } >+ smb2_util_unlink(tree, fname); >+ smb2_deltree(tree, fname); >+ smb2_deltree(tree, BASEDIR); >+ talloc_free(mem_ctx); >+ return ret; >+} >+ > /* > * Note: This test depends on "vfs objects = catia fruit streams_xattr". For > * some tests torture must be run on the host it tests and takes an additional 
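Review bot: test_nfs_aces only covers the case where the DACL sent to the server holds real ACEs plus duplicated virtual ones; the branch in fruit_fset_nt_acl that clears SECINFO_DACL/SEC_DESC_DACL_PRESENT when every sent ACE was virtual (patch 03 of this series) has no coverage, and that branch decides whether a file can end up with an empty, deny-all DACL. Suggest a second round after the final check_nfs_sd(): copy the cleaned descriptor, drop every non-NFS ACE from the copy, set it with SECINFO_DACL, re-read, and assert both that check_nfs_sd() still passes and that the ACE count equals what the first round returned, so the stored ACL is proven untouched (needs `uint32_t i` and `uint32_t num_before` among the locals). check_nfs_sd() counts by domain via dom_sid_compare_domain(), so it cannot tell the file's real uid/gid ACE from the injected RIDs 27 and 300 if exactly one of them survived; asserting with `dom_sid_equal()` against SIDs composed from those two values would close that gap. The three near-identical loops in check_nfs_sd() could also be a single pass with three counters.
```c
	/* … unchanged: first round up to and including the second check_nfs_sd() … */
	num_before = psd->dacl->num_aces;

	/* Second round: a DACL that carries only the virtual NFS ACEs. */
	psd = security_descriptor_copy(mem_ctx, finfo2.query_secdesc.out.sd);
	if (psd == NULL) {
		ret = false;
		goto done;
	}
	for (i = 0; i < psd->dacl->num_aces; i++) {
		if (dom_sid_compare_domain(&global_sid_Unix_NFS,
					   &psd->dacl->aces[i].trustee) == 0) {
			continue;	/* keep the virtual ACE */
		}
		status = security_descriptor_dacl_del(psd,
					&psd->dacl->aces[i].trustee);
		CHECK_STATUS(status, NT_STATUS_OK);
		i--;	/* dacl_del shifts the array down; re-examine this slot */
	}
	set.set_secdesc.in.sd = psd;
	status = smb2_setinfo_file(tree, &set);
	CHECK_STATUS(status, NT_STATUS_OK);

	/* … unchanged: re-read the SD exactly as above … */
	psd = finfo2.query_secdesc.out.sd;
	status = check_nfs_sd(psd);
	CHECK_STATUS(status, NT_STATUS_OK);
	/* An all-virtual DACL must be treated as "DACL not sent": nothing lost. */
	torture_assert_goto(tctx, psd->dacl->num_aces == num_before, ret, done,
			    "non-NFS ACEs were lost after all-virtual set");
```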
>@@ -4465,6 +4635,7 @@ struct torture_suite *torture_vfs_fruit(TALLOC_CTX *ctx) > torture_suite_add_1smb2_test(suite, "creating rsrc with read-only access", test_rfork_create_ro); > torture_suite_add_1smb2_test(suite, "copy-chunk streams", test_copy_chunk_streams); > torture_suite_add_1smb2_test(suite, "OS X AppleDouble file conversion", test_adouble_conversion); >+ torture_suite_add_1smb2_test(suite, "NFS ACE entries", test_nfs_aces); > > return suite; > } >-- >2.16.2.804.g6dcf76e118-goog >
Flags:
jra
:
review-