From 68c2ab599939f599715e272ab811977058c026fb Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Fri, 2 Mar 2018 13:07:48 -0800
Subject: [PATCH 01/10] s3: vfs_fruit. Ensure we only return one set of the 'virtual' UNIX ACE entries.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Jeremy Allison
Reviewed-by: Ralph Boehme
(cherry picked from commit e9059c7b40069cfb036bfb95958b78c6a2c800e4)
---
source3/modules/vfs_fruit.c | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index 1e9ec589d05..35967d475a4 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -5656,6 +5656,7 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
 struct security_ace ace;
 struct dom_sid sid;
 struct fruit_config_data *config;
+ bool remove_ok = false;
 SMB_VFS_HANDLE_GET_DATA(handle, config, struct fruit_config_data,
@@ -5680,6 +5681,15 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
 /* MS NFS style mode */
 sid_compose(&sid, &global_sid_Unix_NFS_Mode, fsp->fsp_name->st.st_ex_mode);
 init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0);
+
+ /* First remove any existing ACE's with this SID. */
+ status = security_descriptor_dacl_del(*ppdesc, &sid);
+ remove_ok = (NT_STATUS_IS_OK(status) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
+ if (!remove_ok) {
+ DBG_WARNING("failed to remove MS NFS_mode style ACE\n");
+ return status;
+ }
 status = security_descriptor_dacl_add(*ppdesc, &ace);
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(1,("failed to add MS NFS style ACE\n"));
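Review bot: `security_descriptor_dacl_del(*ppdesc, &sid)` only matches the exact SID just composed from the file's current st_ex_mode, so if the lower module returns a previously persisted NFS mode ACE whose RID encodes an older mode (the file was chmod'ed since that ACE was written), it is not removed and the client still sees two mode entries; the uid and gid hunks that follow have the same gap. Matching on the S-1-5-88 domain rather than the full SID, e.g. walking the DACL and deleting every entry for which `dom_sid_compare_domain(&global_sid_Unix_NFS, &aces[i].trustee) == 0`, would strip stale values too. The warning also drops the failing status; `DBG_WARNING("failed to remove MS NFS_mode style ACE: %s\n", nt_errstr(status));` keeps it for the log. fruit_fget_nt_acl() starts and ends outside this hunk.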
@@ -5689,6 +5699,15 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
 /* MS NFS style uid */
 sid_compose(&sid, &global_sid_Unix_NFS_Users, fsp->fsp_name->st.st_ex_uid);
 init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0);
+
+ /* First remove any existing ACE's with this SID. */
+ status = security_descriptor_dacl_del(*ppdesc, &sid);
+ remove_ok = (NT_STATUS_IS_OK(status) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
+ if (!remove_ok) {
+ DBG_WARNING("failed to remove MS NFS_users style ACE\n");
+ return status;
+ }
 status = security_descriptor_dacl_add(*ppdesc, &ace);
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(1,("failed to add MS NFS style ACE\n"));
@@ -5698,6 +5717,15 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
 /* MS NFS style gid */
 sid_compose(&sid, &global_sid_Unix_NFS_Groups, fsp->fsp_name->st.st_ex_gid);
 init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0);
+
+ /* First remove any existing ACE's with this SID. */
+ status = security_descriptor_dacl_del(*ppdesc, &sid);
+ remove_ok = (NT_STATUS_IS_OK(status) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
+ if (!remove_ok) {
+ DBG_WARNING("failed to remove MS NFS_groups style ACE\n");
+ return status;
+ }
 status = security_descriptor_dacl_add(*ppdesc, &ace);
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(1,("failed to add MS NFS style ACE\n"));
--
2.16.2.804.g6dcf76e118-goog
From 9d18d109ad108624ae43ab2bc7c2d4d776d20e59 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Fri, 2 Mar 2018 13:21:37 -0800
Subject: [PATCH 02/10] s3: vfs_fruit: Ensure we operate on a copy of the incoming security descriptor.
This will allow us to modify it in the next commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Jeremy Allison
Reviewed-by: Ralph Boehme
(cherry picked from commit 019a1bc4caf3439adcaac48b384e86d84a1ad383)
---
source3/modules/vfs_fruit.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index 35967d475a4..c1087652ec7 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -5738,24 +5738,32 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
 static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle,
 files_struct *fsp,
 uint32_t security_info_sent,
- const struct security_descriptor *psd)
+ const struct security_descriptor *orig_psd)
 {
 NTSTATUS status;
 bool do_chmod;
 mode_t ms_nfs_mode = 0;
 int result;
+ struct security_descriptor *psd = NULL;
+
+ psd = security_descriptor_copy(talloc_tos(), orig_psd);
+ if (psd == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
 DBG_DEBUG("fruit_fset_nt_acl: %s\n", fsp_str_dbg(fsp));
 status = check_ms_nfs(handle, fsp, psd, &ms_nfs_mode, &do_chmod);
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(1, ("fruit_fset_nt_acl: check_ms_nfs failed%s\n", fsp_str_dbg(fsp)));
+ TALLOC_FREE(psd);
 return status;
 }
 status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(1, ("fruit_fset_nt_acl: SMB_VFS_NEXT_FSET_NT_ACL failed%s\n", fsp_str_dbg(fsp)));
+ TALLOC_FREE(psd);
 return status;
 }
@@ -5773,10 +5781,12 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle,
 result, (unsigned)ms_nfs_mode, strerror(errno)));
 status = map_nt_error_from_unix(errno);
+ TALLOC_FREE(psd);
 return status;
 }
 }
+ TALLOC_FREE(psd);
 return NT_STATUS_OK;
 }
--
2.16.2.804.g6dcf76e118-goog
From e627e0ec75e0010154e07480ddcb1ec3688fc176 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Fri, 2 Mar 2018 13:51:54 -0800
Subject: [PATCH 03/10] s3: vfs_fruit. If the security descriptor was modified, ensure we set the flags correctly to reflect the ACE's left.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
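Review bot: Style: the copy adds four separate `TALLOC_FREE(psd); return ...;` exits to fruit_fset_nt_acl(), which is the pattern a later early return will forget; routing every failure to one `done:` label that does `TALLOC_FREE(psd); return status;`, with the success path setting `status = NT_STATUS_OK;` before falling through, keeps the cleanup in a single place. The copy hangs off talloc_tos(), so the explicit frees read as belt-and-braces rather than a requirement; a one-line comment saying which it is would stop readers from wondering. `security_descriptor_copy()` is called on orig_psd without a NULL check; if a caller can legitimately pass a NULL descriptor here (not visible from this hunk) it needs a guard before the copy. The function's middle section is outside the hunk.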
Signed-off-by: Jeremy Allison
Reviewed-by: Ralph Boehme
(cherry picked from commit 8edad37e476295e25932778721d8ef33713f6853)
---
source3/modules/vfs_fruit.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index c1087652ec7..cc0f99eaa99 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -5745,6 +5745,11 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle,
 mode_t ms_nfs_mode = 0;
 int result;
 struct security_descriptor *psd = NULL;
+ uint32_t orig_num_aces = 0;
+
+ if (orig_psd->dacl != NULL) {
+ orig_num_aces = orig_psd->dacl->num_aces;
+ }
 psd = security_descriptor_copy(talloc_tos(), orig_psd);
 if (psd == NULL) {
@@ -5760,6 +5765,22 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle,
 return status;
 }
+ /*
+ * If only ms_nfs ACE entries were sent, ensure we set the DACL
+ * sent/present flags correctly now we've removed them.
+ */
+
+ if (orig_num_aces != 0) {
+ /*
+ * Are there any ACE's left ?
+ */
+ if (psd->dacl->num_aces == 0) {
+ /* No - clear the DACL sent/present flags. */
+ security_info_sent &= ~SECINFO_DACL;
+ psd->type &= ~SEC_DESC_DACL_PRESENT;
+ }
+ }
+
 status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(1, ("fruit_fset_nt_acl: SMB_VFS_NEXT_FSET_NT_ACL failed%s\n", fsp_str_dbg(fsp)));
--
2.16.2.804.g6dcf76e118-goog
From e161048806bf2f9ae092c5d86844073f69aeb06b Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Fri, 2 Mar 2018 13:53:55 -0800
Subject: [PATCH 04/10] s3: vfs_fruit. Change check_ms_nfs() to remove the virtual ACE's generated by fruit_fget_nt_acl().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Ensures they don't get stored in the underlying ACL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
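Review bot: `psd->dacl->num_aces` is dereferenced with no NULL check, which holds only because `orig_num_aces != 0` implies orig_psd->dacl was non-NULL and security_descriptor_copy() carried it across; that argument deserves a comment above the inner `if`, e.g. `/* orig_num_aces != 0 implies orig_psd->dacl != NULL and the copy preserved it. */`. The block's meaning is also worth stating: a client that sent nothing but the virtual mode/uid/gid ACEs is treated as a chmod-only request and no DACL is written at all. After clearing SEC_DESC_DACL_PRESENT the descriptor still carries an empty, non-NULL psd->dacl; whether the next module honours the type flag over the pointer is not visible here, so either set `psd->dacl = NULL;` alongside it or document why that is unnecessary. The tail of fruit_fset_nt_acl() is outside this hunk.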
Signed-off-by: Jeremy Allison
Reviewed-by: Ralph Boehme
Autobuild-User(master): Ralph Böhme
Autobuild-Date(master): Thu Mar 8 04:09:38 CET 2018 on sn-devel-144
(cherry picked from commit e0b147f650fe59f606d1faffe57059e6e9d7837b)
---
source3/modules/vfs_fruit.c | 43 ++++++++++++++++++++++++++++++-
1 file changed, 42 insertions(+), 1 deletion(-)
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index cc0f99eaa99..c8b318cacca 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -2939,12 +2939,15 @@ static NTSTATUS readdir_attr_macmeta(struct vfs_handle_struct *handle,
 /* Search MS NFS style ACE with UNIX mode */
 static NTSTATUS check_ms_nfs(vfs_handle_struct *handle,
 files_struct *fsp,
- const struct security_descriptor *psd,
+ struct security_descriptor *psd,
 mode_t *pmode,
 bool *pdo_chmod)
 {
 uint32_t i;
 struct fruit_config_data *config = NULL;
+ struct dom_sid sid;
+ NTSTATUS status = NT_STATUS_OK;
+ bool remove_ok = false;
 *pdo_chmod = false;
@@ -2973,6 +2976,44 @@ static NTSTATUS check_ms_nfs(vfs_handle_struct *handle,
 }
 }
+ /*
+ * Remove any incoming virtual ACE entries generated by
+ * fruit_fget_nt_acl().
+ */
+
+ /* MS NFS style mode */
+ sid_compose(&sid, &global_sid_Unix_NFS_Mode,
+ fsp->fsp_name->st.st_ex_mode);
+ status = security_descriptor_dacl_del(psd, &sid);
+ remove_ok = (NT_STATUS_IS_OK(status) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
+ if (!remove_ok) {
+ DBG_WARNING("failed to remove MS NFS_mode style ACE\n");
+ return status;
+ }
+
+ /* MS NFS style uid */
+ sid_compose(&sid, &global_sid_Unix_NFS_Users,
+ fsp->fsp_name->st.st_ex_uid);
+ status = security_descriptor_dacl_del(psd, &sid);
+ remove_ok = (NT_STATUS_IS_OK(status) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
+ if (!remove_ok) {
+ DBG_WARNING("failed to remove MS NFS_users style ACE\n");
+ return status;
+ }
+
+ /* MS NFS style gid */
+ sid_compose(&sid, &global_sid_Unix_NFS_Groups,
+ fsp->fsp_name->st.st_ex_gid);
+ status = security_descriptor_dacl_del(psd, &sid);
+ remove_ok = (NT_STATUS_IS_OK(status) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
+ if (!remove_ok) {
+ DBG_WARNING("failed to remove MS NFS_groups style ACE\n");
+ return status;
+ }
+
 return NT_STATUS_OK;
 }
--
2.16.2.804.g6dcf76e118-goog
From f7f52c7ab8cfcc7e3e8c90349da6680de9658720 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 15 Mar 2018 09:52:30 -0700
Subject: [PATCH 05/10] s3: smbd: vfs_fruit: Add remove_virtual_nfs_aces() a generic NFS ACE remover.
Not yet used, will be used to tidyup existing code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Jeremy Allison
Reviewed-by: Ralph Boehme
(cherry picked from commit ef091e2cf836793e2aa533990913609ccab5119a)
---
source3/modules/vfs_fruit.c | 43 +++++++++++++++++++++++++++++++++++++
1 file changed, 43 insertions(+)
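Review bot: The three deletions match only the exact SID composed from the file's *current* st_ex_mode/st_ex_uid/st_ex_gid, so an incoming ACE that carries a different value — precisely the chmod case that the loop at the top of check_ms_nfs() (outside this hunk) extracts into *pmode — is not matched, stays in psd and is passed on to the next module's fset_nt_acl, where it can be persisted. Matching on the S-1-5-88 domain instead of the full SID would strip every NFS-style entry regardless of its RID, e.g. walking the DACL and deleting each entry where `dom_sid_compare_domain(&global_sid_Unix_NFS, &psd->dacl->aces[i].trustee) == 0`. Nothing is lost by doing so: the mode value has already been captured before this block runs. The head of check_ms_nfs() is outside the hunk.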
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index c8b318cacca..f63d53b9a99 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -2936,6 +2936,49 @@ static NTSTATUS readdir_attr_macmeta(struct vfs_handle_struct *handle,
 return status;
 }
+static NTSTATUS remove_virtual_nfs_aces(struct security_descriptor *psd)
+{
+ NTSTATUS status;
+ uint32_t i;
+
+ if (psd->dacl == NULL) {
+ return NT_STATUS_OK;
+ }
+
+ for (i = 0; i < psd->dacl->num_aces; i++) {
+ /* MS NFS style mode/uid/gid */
+ if (!dom_sid_compare_domain(
+ &global_sid_Unix_NFS,
+ &psd->dacl->aces[i].trustee) == 0) {
+ /* Normal ACE entry. */
+ continue;
+ }
+
+ /*
+ * security_descriptor_dacl_del()
+ * *must* return NT_STATUS_OK as we know
+ * we have something to remove.
+ */
+
+ status = security_descriptor_dacl_del(psd,
+ &psd->dacl->aces[i].trustee);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_WARNING("failed to remove MS NFS style ACE: %s\n",
+ nt_errstr(status));
+ return status;
+ }
+
+ /*
+ * security_descriptor_dacl_del() may delete more
+ * then one entry subsequent to this one if the
+ * SID matches, but we only need to ensure that
+ * we stay looking at the same element in the array.
+ */
+ i--;
+ }
+ return NT_STATUS_OK;
+}
+
 /* Search MS NFS style ACE with UNIX mode */
 static NTSTATUS check_ms_nfs(vfs_handle_struct *handle,
 files_struct *fsp,
--
2.16.2.804.g6dcf76e118-goog
From f7418d106cac7fe3efe870d5a2fb21f4f99b6c7c Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 15 Mar 2018 09:54:41 -0700
Subject: [PATCH 06/10] s3: smbd: vfs_fruit: Replace code in check_ms_nfs() with remove_virtual_nfs_aces().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Jeremy Allison
Reviewed-by: Ralph Boehme
(cherry picked from commit a3c925d80433e3d4fe1b1b315edf6520cacf0a9e)
---
source3/modules/vfs_fruit.c | 38 +------------------------------------
1 file changed, 1 insertion(+), 37 deletions(-)
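Review bot: The trustee handed to security_descriptor_dacl_del() is `&psd->dacl->aces[i].trustee`, a pointer into the very array that function compacts, so once it shifts entries down the pointer refers to whatever slid into slot i; whether that stays correct depends on dacl_del()'s internal loop never re-comparing the shifted-in element, which is not visible here and is fragile to rely on. Passing a copy removes the aliasing: `struct dom_sid sid = psd->dacl->aces[i].trustee;` followed by `status = security_descriptor_dacl_del(psd, &sid);`. Separately, `!dom_sid_compare_domain(...) == 0` parses as `(!cmp) == 0`, which happens to mean `cmp != 0` but reads like a mistake and trips -Wlogical-not-parentheses; write `if (dom_sid_compare_domain(&global_sid_Unix_NFS, &psd->dacl->aces[i].trustee) != 0) {` instead. The `i--` on a uint32_t wraps to UINT32_MAX when i is 0 and relies on the loop's `i++` wrapping back to 0 — defined for unsigned, but worth a comment so nobody "fixes" it into a signed index.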
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index f63d53b9a99..b2ff8f434b5 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -2988,9 +2988,6 @@ static NTSTATUS check_ms_nfs(vfs_handle_struct *handle,
 {
 uint32_t i;
 struct fruit_config_data *config = NULL;
- struct dom_sid sid;
- NTSTATUS status = NT_STATUS_OK;
- bool remove_ok = false;
 *pdo_chmod = false;
@@ -3024,40 +3021,7 @@ static NTSTATUS check_ms_nfs(vfs_handle_struct *handle,
 * fruit_fget_nt_acl().
 */
- /* MS NFS style mode */
- sid_compose(&sid, &global_sid_Unix_NFS_Mode,
- fsp->fsp_name->st.st_ex_mode);
- status = security_descriptor_dacl_del(psd, &sid);
- remove_ok = (NT_STATUS_IS_OK(status) ||
- NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
- if (!remove_ok) {
- DBG_WARNING("failed to remove MS NFS_mode style ACE\n");
- return status;
- }
-
- /* MS NFS style uid */
- sid_compose(&sid, &global_sid_Unix_NFS_Users,
- fsp->fsp_name->st.st_ex_uid);
- status = security_descriptor_dacl_del(psd, &sid);
- remove_ok = (NT_STATUS_IS_OK(status) ||
- NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
- if (!remove_ok) {
- DBG_WARNING("failed to remove MS NFS_users style ACE\n");
- return status;
- }
-
- /* MS NFS style gid */
- sid_compose(&sid, &global_sid_Unix_NFS_Groups,
- fsp->fsp_name->st.st_ex_gid);
- status = security_descriptor_dacl_del(psd, &sid);
- remove_ok = (NT_STATUS_IS_OK(status) ||
- NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
- if (!remove_ok) {
- DBG_WARNING("failed to remove MS NFS_groups style ACE\n");
- return status;
- }
-
- return NT_STATUS_OK;
+ return remove_virtual_nfs_aces(psd);
 }
 /****************************************************************************
--
2.16.2.804.g6dcf76e118-goog
From 85262f4afd2dbe775061fb8bd949647c276a8193 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 15 Mar 2018 09:57:09 -0700
Subject: [PATCH 07/10] s3: smbd: vfs_fruit: Replace code in fruit_fget_nt_acl() with remove_virtual_nfs_aces().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Jeremy Allison
Reviewed-by: Ralph Boehme
(cherry picked from commit 875ff2575feb96d06cf2290e5b6a226b32ef9758)
---
source3/modules/vfs_fruit.c | 35 +++++++----------------------------
1 file changed, 7 insertions(+), 28 deletions(-)
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index b2ff8f434b5..c05ce7ed0c8 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -5704,7 +5704,6 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
 struct security_ace ace;
 struct dom_sid sid;
 struct fruit_config_data *config;
- bool remove_ok = false;
 SMB_VFS_HANDLE_GET_DATA(handle, config, struct fruit_config_data,
@@ -5726,18 +5725,16 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
 return NT_STATUS_OK;
 }
+ /* First remove any existing ACE's with NFS style mode/uid/gid SIDs. */
+ status = remove_virtual_nfs_aces(*ppdesc);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_WARNING("failed to remove MS NFS style ACEs\n");
+ return status;
+ }
+
 /* MS NFS style mode */
 sid_compose(&sid, &global_sid_Unix_NFS_Mode, fsp->fsp_name->st.st_ex_mode);
 init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0);
-
- /* First remove any existing ACE's with this SID. */
- status = security_descriptor_dacl_del(*ppdesc, &sid);
- remove_ok = (NT_STATUS_IS_OK(status) ||
- NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
- if (!remove_ok) {
- DBG_WARNING("failed to remove MS NFS_mode style ACE\n");
- return status;
- }
 status = security_descriptor_dacl_add(*ppdesc, &ace);
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(1,("failed to add MS NFS style ACE\n"));
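Review bot: `remove_virtual_nfs_aces(*ppdesc)` now strips every S-1-5-88 entry the lower module returned before the fresh mode/uid/gid triple is appended, which also hides any stale NFS-style ACEs that earlier code may have persisted into the backing ACL (the earlier patches in this series say such entries were being stored); those stay on disk until a client next writes the ACL, and nothing here says so. A comment above the call would keep the next reader from assuming the backend is clean, e.g. `/* Drop any NFS-style ACEs the backend returned, including stale ones it may have persisted, before appending the current mode/uid/gid. */`. For consistency with the helper's own log line, `DBG_WARNING("failed to remove MS NFS style ACEs: %s\n", nt_errstr(status));` would keep the failing status. fruit_fget_nt_acl() continues beyond this hunk.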
@@ -5747,15 +5744,6 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
 /* MS NFS style uid */
 sid_compose(&sid, &global_sid_Unix_NFS_Users, fsp->fsp_name->st.st_ex_uid);
 init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0);
-
- /* First remove any existing ACE's with this SID. */
- status = security_descriptor_dacl_del(*ppdesc, &sid);
- remove_ok = (NT_STATUS_IS_OK(status) ||
- NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
- if (!remove_ok) {
- DBG_WARNING("failed to remove MS NFS_users style ACE\n");
- return status;
- }
 status = security_descriptor_dacl_add(*ppdesc, &ace);
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(1,("failed to add MS NFS style ACE\n"));
@@ -5765,15 +5753,6 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle,
 /* MS NFS style gid */
 sid_compose(&sid, &global_sid_Unix_NFS_Groups, fsp->fsp_name->st.st_ex_gid);
 init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0);
-
- /* First remove any existing ACE's with this SID. */
- status = security_descriptor_dacl_del(*ppdesc, &sid);
- remove_ok = (NT_STATUS_IS_OK(status) ||
- NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND));
- if (!remove_ok) {
- DBG_WARNING("failed to remove MS NFS_groups style ACE\n");
- return status;
- }
 status = security_descriptor_dacl_add(*ppdesc, &ace);
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(1,("failed to add MS NFS style ACE\n"));
--
2.16.2.804.g6dcf76e118-goog
From 8215b8ab493fdf2ababad65136c1104ca13f8395 Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Fri, 16 Mar 2018 21:55:26 +0100
Subject: [PATCH 08/10] selftest: run vfs.fruit_netatalk test against seperate share
These tests require a fs with xattr support. This allows adding xattr_tdb to all other shares in the next commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Ralph Boehme
Reviewed-by: Jeremy Allison
(cherry picked from commit 013aaffe7ff0ed4c30495761bb3208c29b3b5de2)
---
selftest/target/Samba3.pm | 10 ++++++++++
source3/selftest/tests.py | 2 +-
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 4178ed2fdfd..571d25369f9 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1811,6 +1811,16 @@ sub provision($$$$$$$$$)
 fruit:encoding = native
 fruit:veto_appledouble = no
+[vfs_fruit_xattr]
+ path = $shrdir
+ # This is used by vfs.fruit tests that require real fs xattr
+ vfs objects = catia fruit streams_xattr acl_xattr
+ fruit:resource = file
+ fruit:metadata = netatalk
+ fruit:locking = netatalk
+ fruit:encoding = native
+ fruit:veto_appledouble = no
+
 [vfs_fruit_metadata_stream]
 path = $shrdir
 vfs objects = fruit streams_xattr acl_xattr
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 108d0c46ff9..03193399925 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -485,7 +485,7 @@ for t in tests:
 plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/vfs_fruit_metadata_stream -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/nt4_dc/share --option=torture:share2=vfs_wo_fruit', 'metadata_stream')
 plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/vfs_fruit_stream_depot -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/nt4_dc/share --option=torture:share2=vfs_wo_fruit_stream_depot', 'streams_depot')
 elif t == "vfs.fruit_netatalk":
- plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/vfs_fruit -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/nt4_dc/share')
+ plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/vfs_fruit_xattr -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/nt4_dc/share')
 elif t == "vfs.fruit_file_id":
 plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/vfs_fruit -U$USERNAME%$PASSWORD')
 elif t == "rpc.schannel_anon_setpw":
--
2.16.2.804.g6dcf76e118-goog
From c7a9cbfc8e382e0b66f4e3a687e3ef85d6d77cfa Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Fri, 16 Mar 2018 21:57:31 +0100
Subject: [PATCH 09/10] selftest: vfs.fruit: add xattr_tdb where possible
This makes the tests indepent from fs xattr support.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Ralph Boehme
Reviewed-by: Jeremy Allison
(cherry picked from commit 49996ca9324596b6cd72eb8051ca3676dab17191)
---
selftest/target/Samba3.pm | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 571d25369f9..f1e29bf3dca 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1804,7 +1804,7 @@ sub provision($$$$$$$$$)
 [vfs_fruit]
 path = $shrdir
- vfs objects = catia fruit streams_xattr acl_xattr
+ vfs objects = catia fruit streams_xattr acl_xattr xattr_tdb
 fruit:resource = file
 fruit:metadata = netatalk
 fruit:locking = netatalk
@@ -1823,25 +1823,25 @@ sub provision($$$$$$$$$)
 [vfs_fruit_metadata_stream]
 path = $shrdir
- vfs objects = fruit streams_xattr acl_xattr
+ vfs objects = fruit streams_xattr acl_xattr xattr_tdb
 fruit:resource = file
 fruit:metadata = stream
 fruit:veto_appledouble = no
 [vfs_fruit_stream_depot]
 path = $shrdir
- vfs objects = fruit streams_depot acl_xattr
+ vfs objects = fruit streams_depot acl_xattr xattr_tdb
 fruit:resource = stream
 fruit:metadata = stream
 fruit:veto_appledouble = no
 [vfs_wo_fruit]
 path = $shrdir
- vfs objects = streams_xattr acl_xattr
+ vfs objects = streams_xattr acl_xattr xattr_tdb
 [vfs_wo_fruit_stream_depot]
 path = $shrdir
- vfs objects = streams_depot acl_xattr
+ vfs objects = streams_depot acl_xattr xattr_tdb
 [badname-tmp]
 path = $badnames_shrdir
--
2.16.2.804.g6dcf76e118-goog
From dd90d9025c5eac6884d5e1b8f34c5dc63edcf813 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 15 Mar 2018 14:45:06 -0700
Subject: [PATCH 10/10] s4: vfs: fruit tests: Add regression test for dealing with NFS ACE entries.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Jeremy Allison
Reviewed-by: Ralph Boehme
Autobuild-User(master): Jeremy Allison
Autobuild-Date(master): Sat Mar 17 04:04:32 CET 2018 on sn-devel-144
(cherry picked from commit a6054c01c29c2507e0d5a6aa110fee4fd5c5eeb9)
---
source4/torture/vfs/fruit.c | 171 ++++++++++++++++++++++++++++++++++++
1 file changed, 171 insertions(+)
diff --git a/source4/torture/vfs/fruit.c b/source4/torture/vfs/fruit.c
index 0f5d93ec12f..597eb1abeff 100644
--- a/source4/torture/vfs/fruit.c
+++ b/source4/torture/vfs/fruit.c
@@ -36,6 +36,10 @@
 #include "torture/smb2/proto.h"
 #include "torture/vfs/proto.h"
 #include "librpc/gen_ndr/ndr_ioctl.h"
+#include "libcli/security/dom_sid.h"
+#include "../librpc/gen_ndr/ndr_security.h"
+#include "libcli/security/secace.h"
+#include "libcli/security/security_descriptor.h"
 #define BASEDIR "vfs_fruit_dir"
 #define FNAME_CC_SRC "testfsctl.dat"
@@ -4425,6 +4429,172 @@ done:
 return ok;
 }
+/*
+ * Ensure this security descriptor has exactly one mode, uid
+ * and gid.
+ */
+
+static NTSTATUS check_nfs_sd(const struct security_descriptor *psd)
+{
+ uint32_t i;
+ bool got_one_mode = false;
+ bool got_one_uid = false;
+ bool got_one_gid = false;
+
+ if (psd->dacl == NULL) {
+ return NT_STATUS_INVALID_SECURITY_DESCR;
+ }
+
+ for (i = 0; i < psd->dacl->num_aces; i++) {
+ if (dom_sid_compare_domain(&global_sid_Unix_NFS_Mode,
+ &psd->dacl->aces[i].trustee) == 0) {
+ if (got_one_mode == true) {
+ /* Can't have more than one. */
+ return NT_STATUS_INVALID_SECURITY_DESCR;
+ }
+ got_one_mode = true;
+ }
+ }
+ for (i = 0; i < psd->dacl->num_aces; i++) {
+ if (dom_sid_compare_domain(&global_sid_Unix_NFS_Users,
+ &psd->dacl->aces[i].trustee) == 0) {
+ if (got_one_uid == true) {
+ /* Can't have more than one. */
+ return NT_STATUS_INVALID_SECURITY_DESCR;
+ }
+ got_one_uid = true;
+ }
+ }
+ for (i = 0; i < psd->dacl->num_aces; i++) {
+ if (dom_sid_compare_domain(&global_sid_Unix_NFS_Groups,
+ &psd->dacl->aces[i].trustee) == 0) {
+ if (got_one_gid == true) {
+ /* Can't have more than one. */
+ return NT_STATUS_INVALID_SECURITY_DESCR;
+ }
+ got_one_gid = true;
+ }
+ }
+ /* Must have at least one of each.
*/
+ if (got_one_mode == false ||
+ got_one_uid == false ||
+ got_one_gid == false) {
+ return NT_STATUS_INVALID_SECURITY_DESCR;
+ }
+ return NT_STATUS_OK;
+}
+
+static bool test_nfs_aces(struct torture_context *tctx,
+ struct smb2_tree *tree)
+{
+ TALLOC_CTX *mem_ctx = talloc_new(tctx);
+ struct security_ace ace;
+ struct dom_sid sid;
+ const char *fname = BASEDIR "\\nfs_aces.txt";
+ struct smb2_handle h = {{0}};
+ union smb_fileinfo finfo2;
+ union smb_setfileinfo set;
+ struct security_descriptor *psd = NULL;
+ NTSTATUS status;
+ bool ret = true;
+
+ ret = enable_aapl(tctx, tree);
+ torture_assert(tctx, ret == true, "enable_aapl failed");
+
+ /* clean slate ...*/
+ smb2_util_unlink(tree, fname);
+ smb2_deltree(tree, fname);
+ smb2_deltree(tree, BASEDIR);
+
+ status = torture_smb2_testdir(tree, BASEDIR, &h);
+ CHECK_STATUS(status, NT_STATUS_OK);
+ smb2_util_close(tree, h);
+
+ /* Create a test file. */
+ status = torture_smb2_testfile_access(tree,
+ fname,
+ &h,
+ SEC_STD_READ_CONTROL |
+ SEC_STD_WRITE_DAC |
+ SEC_RIGHTS_FILE_ALL);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ /* Get the ACL. */
+ finfo2.query_secdesc.in.secinfo_flags =
+ SECINFO_OWNER |
+ SECINFO_GROUP |
+ SECINFO_DACL;
+ finfo2.generic.level = RAW_FILEINFO_SEC_DESC;
+ finfo2.generic.in.file.handle = h;
+ status = smb2_getinfo_file(tree, tctx, &finfo2);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ psd = finfo2.query_secdesc.out.sd;
+
+ /* Ensure we have only single mode/uid/gid NFS entries. */
+ status = check_nfs_sd(psd);
+ if (!NT_STATUS_IS_OK(status)) {
+ NDR_PRINT_DEBUG(
+ security_descriptor,
+ discard_const_p(struct security_descriptor, psd));
+ }
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ /* Add a couple of extra NFS uids and gids.
*/
+ sid_compose(&sid, &global_sid_Unix_NFS_Users, 27);
+ init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0);
+ status = security_descriptor_dacl_add(psd, &ace);
+ CHECK_STATUS(status, NT_STATUS_OK);
+ status = security_descriptor_dacl_add(psd, &ace);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ sid_compose(&sid, &global_sid_Unix_NFS_Groups, 300);
+ init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0);
+ status = security_descriptor_dacl_add(psd, &ace);
+ CHECK_STATUS(status, NT_STATUS_OK);
+ status = security_descriptor_dacl_add(psd, &ace);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ /* Now set on the file handle. */
+ set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
+ set.set_secdesc.in.file.handle = h;
+ set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
+ set.set_secdesc.in.sd = psd;
+ status = smb2_setinfo_file(tree, &set);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ /* Get the ACL again. */
+ finfo2.query_secdesc.in.secinfo_flags =
+ SECINFO_OWNER |
+ SECINFO_GROUP |
+ SECINFO_DACL;
+ finfo2.generic.level = RAW_FILEINFO_SEC_DESC;
+ finfo2.generic.in.file.handle = h;
+ status = smb2_getinfo_file(tree, tctx, &finfo2);
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+ psd = finfo2.query_secdesc.out.sd;
+
+ /* Ensure we have only single mode/uid/gid NFS entries. */
+ status = check_nfs_sd(psd);
+ if (!NT_STATUS_IS_OK(status)) {
+ NDR_PRINT_DEBUG(
+ security_descriptor,
+ discard_const_p(struct security_descriptor, psd));
+ }
+ CHECK_STATUS(status, NT_STATUS_OK);
+
+done:
+ if (!smb2_util_handle_empty(h)) {
+ smb2_util_close(tree, h);
+ }
+ smb2_util_unlink(tree, fname);
+ smb2_deltree(tree, fname);
+ smb2_deltree(tree, BASEDIR);
+ talloc_free(mem_ctx);
+ return ret;
+}
+
 /*
 * Note: This test depends on "vfs objects = catia fruit streams_xattr". For
 * some tests torture must be run on the host it tests and takes an additional
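Review bot: test_nfs_aces() reads the ACL back through the same fruit-enabled share it wrote to, and fruit_fget_nt_acl() as changed earlier in this series strips every NFS-style ACE and regenerates exactly one mode/uid/gid triple on every read, so the second check_nfs_sd() call would pass even if the duplicate uid 27 / gid 300 entries had been written into the backing ACL — which is the regression the series is meant to catch. Querying the descriptor again through the non-fruit share this suite already wires up (`torture:share2=vfs_wo_fruit` in tests.py above) and asserting that no S-1-5-88 ACE is present would exercise the "don't persist" half. The test also never checks that the non-NFS ACEs from the first query survive the round trip; recording `psd->dacl->num_aces` minus the three virtual entries before the set and comparing after would catch a remover that deletes too much. check_nfs_sd() could fold its three passes into one loop comparing against the three domain SIDs, but that is cosmetic.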
@@ -4465,6 +4635,7 @@ struct torture_suite *torture_vfs_fruit(TALLOC_CTX *ctx)
 torture_suite_add_1smb2_test(suite, "creating rsrc with read-only access", test_rfork_create_ro);
 torture_suite_add_1smb2_test(suite, "copy-chunk streams", test_copy_chunk_streams);
 torture_suite_add_1smb2_test(suite, "OS X AppleDouble file conversion", test_adouble_conversion);
+ torture_suite_add_1smb2_test(suite, "NFS ACE entries", test_nfs_aces);
 return suite;
 }
--
2.16.2.804.g6dcf76e118-goog