From 69925edc7dfd48529b9e265d2b190bae034a52e4 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 2 Mar 2018 13:07:48 -0800 Subject: [PATCH 01/11] s3: vfs_fruit. Ensure we only return one set of the 'virtual' UNIX ACE entries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319 Signed-off-by: Jeremy Allison Reviewed-by: Ralph Boehme (cherry picked from commit e9059c7b40069cfb036bfb95958b78c6a2c800e4) --- source3/modules/vfs_fruit.c | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c index ec76f718c37..50fbd6cb447 100644 --- a/source3/modules/vfs_fruit.c +++ b/source3/modules/vfs_fruit.c @@ -5687,6 +5687,7 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle, struct security_ace ace; struct dom_sid sid; struct fruit_config_data *config; + bool remove_ok = false; SMB_VFS_HANDLE_GET_DATA(handle, config, struct fruit_config_data, @@ -5711,6 +5712,15 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle, /* MS NFS style mode */ sid_compose(&sid, &global_sid_Unix_NFS_Mode, fsp->fsp_name->st.st_ex_mode); init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0); + + /* First remove any existing ACE's with this SID. */ + status = security_descriptor_dacl_del(*ppdesc, &sid); + remove_ok = (NT_STATUS_IS_OK(status) || + NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)); + if (!remove_ok) { + DBG_WARNING("failed to remove MS NFS_mode style ACE\n"); + return status; + } status = security_descriptor_dacl_add(*ppdesc, &ace); if (!NT_STATUS_IS_OK(status)) { DEBUG(1,("failed to add MS NFS style ACE\n")); 
@@ -5720,6 +5730,15 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle, /* MS NFS style uid */ sid_compose(&sid, &global_sid_Unix_NFS_Users, fsp->fsp_name->st.st_ex_uid); init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0); + + /* First remove any existing ACE's with this SID. */ + status = security_descriptor_dacl_del(*ppdesc, &sid); + remove_ok = (NT_STATUS_IS_OK(status) || + NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)); + if (!remove_ok) { + DBG_WARNING("failed to remove MS NFS_users style ACE\n"); + return status; + } status = security_descriptor_dacl_add(*ppdesc, &ace); if (!NT_STATUS_IS_OK(status)) { DEBUG(1,("failed to add MS NFS style ACE\n")); @@ -5729,6 +5748,15 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle, /* MS NFS style gid */ sid_compose(&sid, &global_sid_Unix_NFS_Groups, fsp->fsp_name->st.st_ex_gid); init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0); + + /* First remove any existing ACE's with this SID. */ + status = security_descriptor_dacl_del(*ppdesc, &sid); + remove_ok = (NT_STATUS_IS_OK(status) || + NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)); + if (!remove_ok) { + DBG_WARNING("failed to remove MS NFS_groups style ACE\n"); + return status; + } status = security_descriptor_dacl_add(*ppdesc, &ace); if (!NT_STATUS_IS_OK(status)) { DEBUG(1,("failed to add MS NFS style ACE\n")); -- 2.17.0.rc0.231.g781580f067-goog From 85de0b241545378599dfca667cfdef02faadf618 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 2 Mar 2018 13:21:37 -0800 Subject: [PATCH 02/11] s3: vfs_fruit: Ensure we operate on a copy of the incoming security descriptor. This will allow us to modify it in the next commit. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319 Signed-off-by: Jeremy Allison Reviewed-by: Ralph Boehme (cherry picked from commit 019a1bc4caf3439adcaac48b384e86d84a1ad383) --- source3/modules/vfs_fruit.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) 
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c index 50fbd6cb447..4f383bc990d 100644 --- a/source3/modules/vfs_fruit.c +++ b/source3/modules/vfs_fruit.c @@ -5769,24 +5769,32 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle, static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp, uint32_t security_info_sent, - const struct security_descriptor *psd) + const struct security_descriptor *orig_psd) { NTSTATUS status; bool do_chmod; mode_t ms_nfs_mode = 0; int result; + struct security_descriptor *psd = NULL; + + psd = security_descriptor_copy(talloc_tos(), orig_psd); + if (psd == NULL) { + return NT_STATUS_NO_MEMORY; + } DBG_DEBUG("fruit_fset_nt_acl: %s\n", fsp_str_dbg(fsp)); status = check_ms_nfs(handle, fsp, psd, &ms_nfs_mode, &do_chmod); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("fruit_fset_nt_acl: check_ms_nfs failed%s\n", fsp_str_dbg(fsp))); + TALLOC_FREE(psd); return status; } status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("fruit_fset_nt_acl: SMB_VFS_NEXT_FSET_NT_ACL failed%s\n", fsp_str_dbg(fsp))); + TALLOC_FREE(psd); return status; } @@ -5804,10 +5812,12 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle, result, (unsigned)ms_nfs_mode, strerror(errno))); status = map_nt_error_from_unix(errno); + TALLOC_FREE(psd); return status; } } + TALLOC_FREE(psd); return NT_STATUS_OK; } -- 2.17.0.rc0.231.g781580f067-goog From a8ac0a99f25b0112255f8afcd08bf0bce0492f1b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 2 Mar 2018 13:51:54 -0800 Subject: [PATCH 03/11] s3: vfs_fruit. If the security descriptor was modified, ensure we set the flags correctly to reflect the ACE's left. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319 
Signed-off-by: Jeremy Allison Reviewed-by: Ralph Boehme (cherry picked from commit 8edad37e476295e25932778721d8ef33713f6853) --- source3/modules/vfs_fruit.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c index 4f383bc990d..8909bcc7c37 100644 --- a/source3/modules/vfs_fruit.c +++ b/source3/modules/vfs_fruit.c @@ -5776,6 +5776,11 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle, mode_t ms_nfs_mode = 0; int result; struct security_descriptor *psd = NULL; + uint32_t orig_num_aces = 0; + + if (orig_psd->dacl != NULL) { + orig_num_aces = orig_psd->dacl->num_aces; + } psd = security_descriptor_copy(talloc_tos(), orig_psd); if (psd == NULL) { @@ -5791,6 +5796,22 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle, return status; } + /* + * If only ms_nfs ACE entries were sent, ensure we set the DACL + * sent/present flags correctly now we've removed them. + */ + + if (orig_num_aces != 0) { + /* + * Are there any ACE's left ? + */ + if (psd->dacl->num_aces == 0) { + /* No - clear the DACL sent/present flags. */ + security_info_sent &= ~SECINFO_DACL; + psd->type &= ~SEC_DESC_DACL_PRESENT; + } + } + status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("fruit_fset_nt_acl: SMB_VFS_NEXT_FSET_NT_ACL failed%s\n", fsp_str_dbg(fsp))); -- 2.17.0.rc0.231.g781580f067-goog From b1cd9aff5b1ff361586deb24a363d41df8adcddf Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 2 Mar 2018 13:53:55 -0800 Subject: [PATCH 04/11] s3: vfs_fruit. Change check_ms_nfs() to remove the virtual ACE's generated by fruit_fget_nt_acl(). MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Ensures they don't get stored in the underlying ACL. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319 
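Review bot: The new `security_info_sent &= ~SECINFO_DACL` can leave the mask at zero when the client sent only SECINFO_DACL and every ACE was a virtual NFS one, yet the code still calls SMB_VFS_NEXT_FSET_NT_ACL with that empty mask and a DACL-less SD; how the next module treats a zero mask is not visible here. Guarding the call, `if (security_info_sent != 0) {` around the SMB_VFS_NEXT_FSET_NT_ACL block, keeps the chmod path below (outside the hunk) reachable without asking the lower layer to store nothing. The `psd->dacl->num_aces` dereference relies on security_descriptor_copy() preserving a now-empty dacl whenever orig_num_aces != 0; spelling it `psd->dacl != NULL && psd->dacl->num_aces == 0` makes that assumption explicit. fruit_fset_nt_acl begins before and ends after this hunk.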
Signed-off-by: Jeremy Allison Reviewed-by: Ralph Boehme Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Thu Mar 8 04:09:38 CET 2018 on sn-devel-144 (cherry picked from commit e0b147f650fe59f606d1faffe57059e6e9d7837b) --- source3/modules/vfs_fruit.c | 43 ++++++++++++++++++++++++++++++++++++- 1 file changed, 42 insertions(+), 1 deletion(-) diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c index 8909bcc7c37..29372e90174 100644 --- a/source3/modules/vfs_fruit.c +++ b/source3/modules/vfs_fruit.c @@ -2957,12 +2957,15 @@ static NTSTATUS readdir_attr_macmeta(struct vfs_handle_struct *handle, /* Search MS NFS style ACE with UNIX mode */ static NTSTATUS check_ms_nfs(vfs_handle_struct *handle, files_struct *fsp, - const struct security_descriptor *psd, + struct security_descriptor *psd, mode_t *pmode, bool *pdo_chmod) { uint32_t i; struct fruit_config_data *config = NULL; + struct dom_sid sid; + NTSTATUS status = NT_STATUS_OK; + bool remove_ok = false; *pdo_chmod = false; 
@@ -2991,6 +2994,44 @@ static NTSTATUS check_ms_nfs(vfs_handle_struct *handle, } } + /* + * Remove any incoming virtual ACE entries generated by + * fruit_fget_nt_acl(). + */ + + /* MS NFS style mode */ + sid_compose(&sid, &global_sid_Unix_NFS_Mode, + fsp->fsp_name->st.st_ex_mode); + status = security_descriptor_dacl_del(psd, &sid); + remove_ok = (NT_STATUS_IS_OK(status) || + NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)); + if (!remove_ok) { + DBG_WARNING("failed to remove MS NFS_mode style ACE\n"); + return status; + } + + /* MS NFS style uid */ + sid_compose(&sid, &global_sid_Unix_NFS_Users, + fsp->fsp_name->st.st_ex_uid); + status = security_descriptor_dacl_del(psd, &sid); + remove_ok = (NT_STATUS_IS_OK(status) || + NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)); + if (!remove_ok) { + DBG_WARNING("failed to remove MS NFS_users style ACE\n"); + return status; + } + + /* MS NFS style gid */ + sid_compose(&sid, &global_sid_Unix_NFS_Groups, + fsp->fsp_name->st.st_ex_gid); + status = security_descriptor_dacl_del(psd, &sid); + remove_ok = (NT_STATUS_IS_OK(status) || + NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)); + if (!remove_ok) { + DBG_WARNING("failed to remove MS NFS_groups style ACE\n"); + return status; + } + return NT_STATUS_OK; } -- 2.17.0.rc0.231.g781580f067-goog From 3831079fe0c69d38becfcdcdccf698c9329f7e94 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 15 Mar 2018 09:52:30 -0700 Subject: [PATCH 05/11] s3: smbd: vfs_fruit: Add remove_virtual_nfs_aces() a generic NFS ACE remover. Not yet used, will be used to tidyup existing code. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319 Signed-off-by: Jeremy Allison Reviewed-by: Ralph Boehme (cherry picked from commit ef091e2cf836793e2aa533990913609ccab5119a) --- source3/modules/vfs_fruit.c | 43 +++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) 
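Review bot: The removal composes each SID from the file's current st_ex_mode/st_ex_uid/st_ex_gid, but the purpose of check_ms_nfs() (per its "Search MS NFS style ACE with UNIX mode" comment and the *pmode out-parameter) is to pick up a mode the client wants changed, so a NFS_Mode ACE whose RID is the new mode does not match the composed SID and is passed through to the underlying ACL, which is what the commit message says this prevents. Matching on the global_sid_Unix_NFS domain prefix rather than an exact SID is needed; patches 05 and 06 of this series introduce remove_virtual_nfs_aces() doing exactly that, so the four commits should be backported as one unit rather than stopping here. The start of check_ms_nfs(), including the loop that reads the mode, is outside this hunk.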
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c index 29372e90174..67af69843ed 100644 --- a/source3/modules/vfs_fruit.c +++ b/source3/modules/vfs_fruit.c @@ -2954,6 +2954,49 @@ static NTSTATUS readdir_attr_macmeta(struct vfs_handle_struct *handle, return status; } +static NTSTATUS remove_virtual_nfs_aces(struct security_descriptor *psd) +{ + NTSTATUS status; + uint32_t i; + + if (psd->dacl == NULL) { + return NT_STATUS_OK; + } + + for (i = 0; i < psd->dacl->num_aces; i++) { + /* MS NFS style mode/uid/gid */ + if (!dom_sid_compare_domain( + &global_sid_Unix_NFS, + &psd->dacl->aces[i].trustee) == 0) { + /* Normal ACE entry. */ + continue; + } + + /* + * security_descriptor_dacl_del() + * *must* return NT_STATUS_OK as we know + * we have something to remove. + */ + + status = security_descriptor_dacl_del(psd, + &psd->dacl->aces[i].trustee); + if (!NT_STATUS_IS_OK(status)) { + DBG_WARNING("failed to remove MS NFS style ACE: %s\n", + nt_errstr(status)); + return status; + } + + /* + * security_descriptor_dacl_del() may delete more + * then one entry subsequent to this one if the + * SID matches, but we only need to ensure that + * we stay looking at the same element in the array. + */ + i--; + } + return NT_STATUS_OK; +} + /* Search MS NFS style ACE with UNIX mode */ static NTSTATUS check_ms_nfs(vfs_handle_struct *handle, files_struct *fsp, -- 2.17.0.rc0.231.g781580f067-goog From ca879a5a5a41228acc49a4b91fe77e9b32b8e8b9 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 15 Mar 2018 09:54:41 -0700 Subject: [PATCH 06/11] s3: smbd: vfs_fruit: Replace code in check_ms_nfs() with remove_virtual_nfs_aces(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319 Signed-off-by: Jeremy Allison Reviewed-by: Ralph Boehme (cherry picked from commit a3c925d80433e3d4fe1b1b315edf6520cacf0a9e) --- source3/modules/vfs_fruit.c | 38 +------------------------------------ 1 file changed, 1 insertion(+), 37 deletions(-) 
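Review bot: `security_descriptor_dacl_del(psd, &psd->dacl->aces[i].trustee)` hands the callee a pointer into the very array it compacts; if dacl_del shifts entries and keeps comparing against `*trustee` after the first removal (its implementation is not visible here), the comparison key silently becomes the next ACE's SID. Copying the SID first removes the hazard: `struct dom_sid sid = psd->dacl->aces[i].trustee;` followed by `status = security_descriptor_dacl_del(psd, &sid);`. The `i--` on a uint32_t is well-defined wraparound when i == 0 (the loop's i++ brings it back to 0) but reads like a bug at a glance; a comment such as `/* unsigned wrap at i == 0 is intended; i++ restores 0 */` or a while loop that only advances when nothing was removed would be clearer. The comment's "more then one entry" should read "more than one entry".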
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c index 67af69843ed..38f421c337d 100644 --- a/source3/modules/vfs_fruit.c +++ b/source3/modules/vfs_fruit.c @@ -3006,9 +3006,6 @@ static NTSTATUS check_ms_nfs(vfs_handle_struct *handle, { uint32_t i; struct fruit_config_data *config = NULL; - struct dom_sid sid; - NTSTATUS status = NT_STATUS_OK; - bool remove_ok = false; *pdo_chmod = false; @@ -3042,40 +3039,7 @@ static NTSTATUS check_ms_nfs(vfs_handle_struct *handle, * fruit_fget_nt_acl(). */ - /* MS NFS style mode */ - sid_compose(&sid, &global_sid_Unix_NFS_Mode, - fsp->fsp_name->st.st_ex_mode); - status = security_descriptor_dacl_del(psd, &sid); - remove_ok = (NT_STATUS_IS_OK(status) || - NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)); - if (!remove_ok) { - DBG_WARNING("failed to remove MS NFS_mode style ACE\n"); - return status; - } - - /* MS NFS style uid */ - sid_compose(&sid, &global_sid_Unix_NFS_Users, - fsp->fsp_name->st.st_ex_uid); - status = security_descriptor_dacl_del(psd, &sid); - remove_ok = (NT_STATUS_IS_OK(status) || - NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)); - if (!remove_ok) { - DBG_WARNING("failed to remove MS NFS_users style ACE\n"); - return status; - } - - /* MS NFS style gid */ - sid_compose(&sid, &global_sid_Unix_NFS_Groups, - fsp->fsp_name->st.st_ex_gid); - status = security_descriptor_dacl_del(psd, &sid); - remove_ok = (NT_STATUS_IS_OK(status) || - NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)); - if (!remove_ok) { - DBG_WARNING("failed to remove MS NFS_groups style ACE\n"); - return status; - } - - return NT_STATUS_OK; + return remove_virtual_nfs_aces(psd); } /**************************************************************************** -- 2.17.0.rc0.231.g781580f067-goog From 46dcdf6f0d78c5d2335a19771c17173437726790 Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Thu, 15 Mar 2018 09:57:09 -0700 Subject: [PATCH 07/11] s3: smbd: vfs_fruit: Replace code in fruit_fget_nt_acl() with remove_virtual_nfs_aces(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319 Signed-off-by: Jeremy Allison Reviewed-by: Ralph Boehme (cherry picked from commit 875ff2575feb96d06cf2290e5b6a226b32ef9758) --- source3/modules/vfs_fruit.c | 35 +++++++---------------------------- 1 file changed, 7 insertions(+), 28 deletions(-) diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c index 38f421c337d..19b78edb949 100644 --- a/source3/modules/vfs_fruit.c +++ b/source3/modules/vfs_fruit.c @@ -5735,7 +5735,6 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle, struct security_ace ace; struct dom_sid sid; struct fruit_config_data *config; - bool remove_ok = false; SMB_VFS_HANDLE_GET_DATA(handle, config, struct fruit_config_data, @@ -5757,18 +5756,16 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle, return NT_STATUS_OK; } + /* First remove any existing ACE's with NFS style mode/uid/gid SIDs. */ + status = remove_virtual_nfs_aces(*ppdesc); + if (!NT_STATUS_IS_OK(status)) { + DBG_WARNING("failed to remove MS NFS style ACEs\n"); + return status; + } + /* MS NFS style mode */ sid_compose(&sid, &global_sid_Unix_NFS_Mode, fsp->fsp_name->st.st_ex_mode); init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0); - - /* First remove any existing ACE's with this SID. */ - status = security_descriptor_dacl_del(*ppdesc, &sid); - remove_ok = (NT_STATUS_IS_OK(status) || - NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)); - if (!remove_ok) { - DBG_WARNING("failed to remove MS NFS_mode style ACE\n"); - return status; - } status = security_descriptor_dacl_add(*ppdesc, &ace); if (!NT_STATUS_IS_OK(status)) { DEBUG(1,("failed to add MS NFS style ACE\n")); 
@@ -5778,15 +5775,6 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle, /* MS NFS style uid */ sid_compose(&sid, &global_sid_Unix_NFS_Users, fsp->fsp_name->st.st_ex_uid); init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0); - - /* First remove any existing ACE's with this SID. */ - status = security_descriptor_dacl_del(*ppdesc, &sid); - remove_ok = (NT_STATUS_IS_OK(status) || - NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)); - if (!remove_ok) { - DBG_WARNING("failed to remove MS NFS_users style ACE\n"); - return status; - } status = security_descriptor_dacl_add(*ppdesc, &ace); if (!NT_STATUS_IS_OK(status)) { DEBUG(1,("failed to add MS NFS style ACE\n")); @@ -5796,15 +5784,6 @@ static NTSTATUS fruit_fget_nt_acl(vfs_handle_struct *handle, /* MS NFS style gid */ sid_compose(&sid, &global_sid_Unix_NFS_Groups, fsp->fsp_name->st.st_ex_gid); init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0); - - /* First remove any existing ACE's with this SID. */ - status = security_descriptor_dacl_del(*ppdesc, &sid); - remove_ok = (NT_STATUS_IS_OK(status) || - NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)); - if (!remove_ok) { - DBG_WARNING("failed to remove MS NFS_groups style ACE\n"); - return status; - } status = security_descriptor_dacl_add(*ppdesc, &ace); if (!NT_STATUS_IS_OK(status)) { DEBUG(1,("failed to add MS NFS style ACE\n")); -- 2.17.0.rc0.231.g781580f067-goog From 5c22a763b12c2e3b0ab406610489bb63fcbf5605 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Fri, 16 Mar 2018 21:55:26 +0100 Subject: [PATCH 08/11] selftest: run vfs.fruit_netatalk test against seperate share These tests require a fs with xattr support. This allows adding xattr_tdb to all other shares in the next commit. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319 
Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit 013aaffe7ff0ed4c30495761bb3208c29b3b5de2) --- selftest/target/Samba3.pm | 10 ++++++++++ source3/selftest/tests.py | 2 +- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index f2dcdd1489b..970f86491db 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -1936,6 +1936,16 @@ sub provision($$$$$$$$$) fruit:encoding = native fruit:veto_appledouble = no +[vfs_fruit_xattr] + path = $shrdir + # This is used by vfs.fruit tests that require real fs xattr + vfs objects = catia fruit streams_xattr acl_xattr + fruit:resource = file + fruit:metadata = netatalk + fruit:locking = netatalk + fruit:encoding = native + fruit:veto_appledouble = no + [vfs_fruit_metadata_stream] path = $shrdir vfs objects = fruit streams_xattr acl_xattr diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index 8c5b744f0b3..e1b0e35e8d9 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py 
@@ -500,7 +500,7 @@ for t in tests: plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/vfs_fruit_metadata_stream -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/nt4_dc/share --option=torture:share2=vfs_wo_fruit', 'metadata_stream') plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/vfs_fruit_stream_depot -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/nt4_dc/share --option=torture:share2=vfs_wo_fruit_stream_depot', 'streams_depot') elif t == "vfs.fruit_netatalk": - plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/vfs_fruit -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/nt4_dc/share') + plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/vfs_fruit_xattr -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/nt4_dc/share') elif t == "vfs.fruit_timemachine": plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/vfs_fruit_timemachine -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/nt4_dc/share') elif t == "vfs.fruit_file_id": -- 2.17.0.rc0.231.g781580f067-goog From 77d8d0557728fcbcd754d43d9f3b133e96ed945d Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Fri, 16 Mar 2018 21:57:31 +0100 Subject: [PATCH 09/11] selftest: vfs.fruit: add xattr_tdb where possible This makes the tests indepent from fs xattr support. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit 49996ca9324596b6cd72eb8051ca3676dab17191) --- selftest/target/Samba3.pm | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 970f86491db..7e4224a4578 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm 
@@ -1929,7 +1929,7 @@ sub provision($$$$$$$$$) [vfs_fruit] path = $shrdir - vfs objects = catia fruit streams_xattr acl_xattr + vfs objects = catia fruit streams_xattr acl_xattr xattr_tdb fruit:resource = file fruit:metadata = netatalk fruit:locking = netatalk @@ -1948,29 +1948,29 @@ sub provision($$$$$$$$$) [vfs_fruit_metadata_stream] path = $shrdir - vfs objects = fruit streams_xattr acl_xattr + vfs objects = fruit streams_xattr acl_xattr xattr_tdb fruit:resource = file fruit:metadata = stream fruit:veto_appledouble = no [vfs_fruit_stream_depot] path = $shrdir - vfs objects = fruit streams_depot acl_xattr + vfs objects = fruit streams_depot acl_xattr xattr_tdb fruit:resource = stream fruit:metadata = stream fruit:veto_appledouble = no [vfs_wo_fruit] path = $shrdir - vfs objects = streams_xattr acl_xattr + vfs objects = streams_xattr acl_xattr xattr_tdb [vfs_wo_fruit_stream_depot] path = $shrdir - vfs objects = streams_depot acl_xattr + vfs objects = streams_depot acl_xattr xattr_tdb [vfs_fruit_timemachine] path = $shrdir - vfs objects = fruit streams_xattr acl_xattr + vfs objects = fruit streams_xattr acl_xattr xattr_tdb fruit:resource = file fruit:metadata = stream fruit:time machine = yes -- 2.17.0.rc0.231.g781580f067-goog From c01dee310290e08b98a91b1b740a08d4924ebe69 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 15 Mar 2018 14:45:06 -0700 Subject: [PATCH 10/11] s4: vfs: fruit tests: Add regression test for dealing with NFS ACE entries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319 Signed-off-by: Jeremy Allison Reviewed-by: Ralph Boehme Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Sat Mar 17 04:04:32 CET 2018 on sn-devel-144 (cherry picked from commit a6054c01c29c2507e0d5a6aa110fee4fd5c5eeb9) --- source4/torture/vfs/fruit.c | 171 ++++++++++++++++++++++++++++++++++++ 1 file changed, 171 insertions(+) diff --git a/source4/torture/vfs/fruit.c b/source4/torture/vfs/fruit.c index d071cf6f9af..65109cc1934 100644 
--- a/source4/torture/vfs/fruit.c +++ b/source4/torture/vfs/fruit.c @@ -36,6 +36,10 @@ #include "torture/smb2/proto.h" #include "torture/vfs/proto.h" #include "librpc/gen_ndr/ndr_ioctl.h" +#include "libcli/security/dom_sid.h" +#include "../librpc/gen_ndr/ndr_security.h" +#include "libcli/security/secace.h" +#include "libcli/security/security_descriptor.h" #define BASEDIR "vfs_fruit_dir" #define FNAME_CC_SRC "testfsctl.dat" 
@@ -4425,6 +4429,172 @@ done: return ok; } +/* + * Ensure this security descriptor has exactly one mode, uid + * and gid. + */ + +static NTSTATUS check_nfs_sd(const struct security_descriptor *psd) +{ + uint32_t i; + bool got_one_mode = false; + bool got_one_uid = false; + bool got_one_gid = false; + + if (psd->dacl == NULL) { + return NT_STATUS_INVALID_SECURITY_DESCR; + } + + for (i = 0; i < psd->dacl->num_aces; i++) { + if (dom_sid_compare_domain(&global_sid_Unix_NFS_Mode, + &psd->dacl->aces[i].trustee) == 0) { + if (got_one_mode == true) { + /* Can't have more than one. */ + return NT_STATUS_INVALID_SECURITY_DESCR; + } + got_one_mode = true; + } + } + for (i = 0; i < psd->dacl->num_aces; i++) { + if (dom_sid_compare_domain(&global_sid_Unix_NFS_Users, + &psd->dacl->aces[i].trustee) == 0) { + if (got_one_uid == true) { + /* Can't have more than one. */ + return NT_STATUS_INVALID_SECURITY_DESCR; + } + got_one_uid = true; + } + } + for (i = 0; i < psd->dacl->num_aces; i++) { + if (dom_sid_compare_domain(&global_sid_Unix_NFS_Groups, + &psd->dacl->aces[i].trustee) == 0) { + if (got_one_gid == true) { + /* Can't have more than one. */ + return NT_STATUS_INVALID_SECURITY_DESCR; + } + got_one_gid = true; + } + } + /* Must have at least one of each. 
*/ + if (got_one_mode == false || + got_one_uid == false || + got_one_gid == false) { + return NT_STATUS_INVALID_SECURITY_DESCR; + } + return NT_STATUS_OK; +} + +static bool test_nfs_aces(struct torture_context *tctx, + struct smb2_tree *tree) +{ + TALLOC_CTX *mem_ctx = talloc_new(tctx); + struct security_ace ace; + struct dom_sid sid; + const char *fname = BASEDIR "\\nfs_aces.txt"; + struct smb2_handle h = {{0}}; + union smb_fileinfo finfo2; + union smb_setfileinfo set; + struct security_descriptor *psd = NULL; + NTSTATUS status; + bool ret = true; + + ret = enable_aapl(tctx, tree); + torture_assert(tctx, ret == true, "enable_aapl failed"); + + /* clean slate ...*/ + smb2_util_unlink(tree, fname); + smb2_deltree(tree, fname); + smb2_deltree(tree, BASEDIR); + + status = torture_smb2_testdir(tree, BASEDIR, &h); + CHECK_STATUS(status, NT_STATUS_OK); + smb2_util_close(tree, h); + + /* Create a test file. */ + status = torture_smb2_testfile_access(tree, + fname, + &h, + SEC_STD_READ_CONTROL | + SEC_STD_WRITE_DAC | + SEC_RIGHTS_FILE_ALL); + CHECK_STATUS(status, NT_STATUS_OK); + + /* Get the ACL. */ + finfo2.query_secdesc.in.secinfo_flags = + SECINFO_OWNER | + SECINFO_GROUP | + SECINFO_DACL; + finfo2.generic.level = RAW_FILEINFO_SEC_DESC; + finfo2.generic.in.file.handle = h; + status = smb2_getinfo_file(tree, tctx, &finfo2); + CHECK_STATUS(status, NT_STATUS_OK); + + psd = finfo2.query_secdesc.out.sd; + + /* Ensure we have only single mode/uid/gid NFS entries. */ + status = check_nfs_sd(psd); + if (!NT_STATUS_IS_OK(status)) { + NDR_PRINT_DEBUG( + security_descriptor, + discard_const_p(struct security_descriptor, psd)); + } + CHECK_STATUS(status, NT_STATUS_OK); + + /* Add a couple of extra NFS uids and gids. 
*/ + sid_compose(&sid, &global_sid_Unix_NFS_Users, 27); + init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0); + status = security_descriptor_dacl_add(psd, &ace); + CHECK_STATUS(status, NT_STATUS_OK); + status = security_descriptor_dacl_add(psd, &ace); + CHECK_STATUS(status, NT_STATUS_OK); + + sid_compose(&sid, &global_sid_Unix_NFS_Groups, 300); + init_sec_ace(&ace, &sid, SEC_ACE_TYPE_ACCESS_DENIED, 0, 0); + status = security_descriptor_dacl_add(psd, &ace); + CHECK_STATUS(status, NT_STATUS_OK); + status = security_descriptor_dacl_add(psd, &ace); + CHECK_STATUS(status, NT_STATUS_OK); + + /* Now set on the file handle. */ + set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; + set.set_secdesc.in.file.handle = h; + set.set_secdesc.in.secinfo_flags = SECINFO_DACL; + set.set_secdesc.in.sd = psd; + status = smb2_setinfo_file(tree, &set); + CHECK_STATUS(status, NT_STATUS_OK); + + /* Get the ACL again. */ + finfo2.query_secdesc.in.secinfo_flags = + SECINFO_OWNER | + SECINFO_GROUP | + SECINFO_DACL; + finfo2.generic.level = RAW_FILEINFO_SEC_DESC; + finfo2.generic.in.file.handle = h; + status = smb2_getinfo_file(tree, tctx, &finfo2); + CHECK_STATUS(status, NT_STATUS_OK); + + psd = finfo2.query_secdesc.out.sd; + + /* Ensure we have only single mode/uid/gid NFS entries. */ + status = check_nfs_sd(psd); + if (!NT_STATUS_IS_OK(status)) { + NDR_PRINT_DEBUG( + security_descriptor, + discard_const_p(struct security_descriptor, psd)); + } + CHECK_STATUS(status, NT_STATUS_OK); + +done: + if (!smb2_util_handle_empty(h)) { + smb2_util_close(tree, h); + } + smb2_util_unlink(tree, fname); + smb2_deltree(tree, fname); + smb2_deltree(tree, BASEDIR); + talloc_free(mem_ctx); + return ret; +} + /* * Note: This test depends on "vfs objects = catia fruit streams_xattr". For * some tests torture must be run on the host it tests and takes an additional 
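Review bot: check_nfs_sd() only asserts one ACE per NFS domain in what fruit_fget_nt_acl() returns, and since that function now strips and re-adds the virtual ACEs on every read, test_nfs_aces() passes even if the injected uid-27/gid-300 entries were stored in the underlying ACL, which is the leak this series fixes. If this suite is run with `torture:share2` like the other vfs.fruit runs in tests.py, reading the descriptor back through the share without the fruit module after the setinfo and asserting that no trustee has the global_sid_Unix_NFS domain would pin the storage behaviour. check_nfs_sd() also does not check that the surviving uid/gid ACEs carry the file's real ids rather than 27/300; comparing the RIDs against the values from the first getinfo would close that. `mem_ctx` is allocated and freed but never used (both smb2_getinfo_file() calls take `tctx`); either pass `mem_ctx` there or drop it.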
@@ -4465,6 +4635,7 @@ struct torture_suite *torture_vfs_fruit(TALLOC_CTX *ctx) torture_suite_add_1smb2_test(suite, "creating rsrc with read-only access", test_rfork_create_ro); torture_suite_add_1smb2_test(suite, "copy-chunk streams", test_copy_chunk_streams); torture_suite_add_1smb2_test(suite, "OS X AppleDouble file conversion", test_adouble_conversion); + torture_suite_add_1smb2_test(suite, "NFS ACE entries", test_nfs_aces); return suite; } -- 2.17.0.rc0.231.g781580f067-goog From 45a4f7aa1652c832e4f7f1f135a67ff0aec0a9e2 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 19 Mar 2018 15:46:41 -0700 Subject: [PATCH 11/11] s3: smbd: Fruit. Make the use of dom_sid_compare_domain() much clearer. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319 Signed-off-by: Jeremy Allison Reviewed-by: Ralph Boehme (cherry picked from commit 5c909ea4530d4e7e4aa27046c45e3e48b094a411) --- source3/modules/vfs_fruit.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c index 19b78edb949..1a05d0bae34 100644 --- a/source3/modules/vfs_fruit.c +++ b/source3/modules/vfs_fruit.c @@ -2965,9 +2965,10 @@ static NTSTATUS remove_virtual_nfs_aces(struct security_descriptor *psd) for (i = 0; i < psd->dacl->num_aces; i++) { /* MS NFS style mode/uid/gid */ - if (!dom_sid_compare_domain( + int cmp = dom_sid_compare_domain( &global_sid_Unix_NFS, - &psd->dacl->aces[i].trustee) == 0) { + &psd->dacl->aces[i].trustee); + if (cmp != 0) { /* Normal ACE entry. */ continue; } -- 2.17.0.rc0.231.g781580f067-goog