The Samba-Bugzilla – Attachment 16299 Details for Bug 14471: vfs_zfsacl: only grant DELETE_CHILD if ACL tag is special
[patch]
Patch for 4.12 and 4.13 cherry-picked from master
bug14471-v412,v413.patch (text/plain), 5.29 KB, created by Ralph Böhme on 2020-10-22 07:49:15 UTC
>From 216fc8f840cb87686be3ef58df1cdf8b8ae21d17 Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Thu, 20 Aug 2020 16:42:17 +0200 >Subject: [PATCH 1/3] vfs_zfsacl: README.Coding fix > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14471 > >Pair-Programmed-With: Andrew Walker <awalker@ixsystems.com> >Signed-off-by: Ralph Boehme <slow@samba.org> >Signed-off-by: Andrew Walker <awalker@ixsystems.com> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit a182f2e6cdded739812e209430d340097acc0031) >--- > source3/modules/vfs_zfsacl.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > >diff --git a/source3/modules/vfs_zfsacl.c b/source3/modules/vfs_zfsacl.c >index c5c4718d6ce..a71cda72697 100644 >--- a/source3/modules/vfs_zfsacl.c >+++ b/source3/modules/vfs_zfsacl.c >@@ -130,8 +130,9 @@ static NTSTATUS zfs_get_nt_acl_common(struct connection_struct *conn, > } else { > aceprop.flags = 0; > } >- if(smb_add_ace4(pacl, &aceprop) == NULL) >+ if (smb_add_ace4(pacl, &aceprop) == NULL) { > return NT_STATUS_NO_MEMORY; >+ } > } > > #ifdef ACE_INHERITED_ACE >-- >2.26.2 > > >From ddae1e0a539a4217a7e27ad84e43b9384fa6401b Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Thu, 20 Aug 2020 16:41:36 +0200 >Subject: [PATCH 2/3] vfs_zfsacl: use a helper variable in > zfs_get_nt_acl_common() > >No change in behaviour. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14471 > >Pair-Programmed-With: Andrew Walker <awalker@ixsystems.com> >Signed-off-by: Ralph Boehme <slow@samba.org> >Signed-off-by: Andrew Walker <awalker@ixsystems.com> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 13b4f913b06457d8e1f7cf71c85722bbecabd990) >--- > source3/modules/vfs_zfsacl.c | 15 +++++++++++---- > 1 file changed, 11 insertions(+), 4 deletions(-) > >diff --git a/source3/modules/vfs_zfsacl.c b/source3/modules/vfs_zfsacl.c >index a71cda72697..17478ad116e 100644 >--- a/source3/modules/vfs_zfsacl.c 
>+++ b/source3/modules/vfs_zfsacl.c >@@ -87,6 +87,7 @@ static NTSTATUS zfs_get_nt_acl_common(struct connection_struct *conn, > } > for(i=0; i<naces; i++) { > SMB_ACE4PROP_T aceprop; >+ uint16_t special = 0; > > aceprop.aceType = (uint32_t) acebuf[i].a_type; > aceprop.aceFlags = (uint32_t) acebuf[i].a_flags; >@@ -109,6 +110,8 @@ static NTSTATUS zfs_get_nt_acl_common(struct connection_struct *conn, > aceprop.aceMask |= SMB_ACE4_SYNCHRONIZE; > } > >+ special = acebuf[i].a_flags & (ACE_OWNER|ACE_GROUP|ACE_EVERYONE); >+ > if (is_dir && (aceprop.aceMask & SMB_ACE4_ADD_FILE)) { > aceprop.aceMask |= SMB_ACE4_DELETE_CHILD; > } >@@ -118,16 +121,20 @@ static NTSTATUS zfs_get_nt_acl_common(struct connection_struct *conn, > inherited_is_present = true; > } > #endif >- if(aceprop.aceFlags & ACE_OWNER) { >+ switch(special) { >+ case(ACE_OWNER): > aceprop.flags = SMB_ACE4_ID_SPECIAL; > aceprop.who.special_id = SMB_ACE4_WHO_OWNER; >- } else if(aceprop.aceFlags & ACE_GROUP) { >+ break; >+ case(ACE_GROUP): > aceprop.flags = SMB_ACE4_ID_SPECIAL; > aceprop.who.special_id = SMB_ACE4_WHO_GROUP; >- } else if(aceprop.aceFlags & ACE_EVERYONE) { >+ break; >+ case(ACE_EVERYONE): > aceprop.flags = SMB_ACE4_ID_SPECIAL; > aceprop.who.special_id = SMB_ACE4_WHO_EVERYONE; >- } else { >+ break; >+ default: > aceprop.flags = 0; > } > if (smb_add_ace4(pacl, &aceprop) == NULL) { >-- >2.26.2 > > >From 4bbe44b5552b0f47f871009470a2bec734f08de0 Mon Sep 17 00:00:00 2001 
>From: Andrew Walker <awalker@ixsystems.com> >Date: Thu, 24 Sep 2020 16:04:12 -0400 >Subject: [PATCH 3/3] vfs_zfsacl: only grant DELETE_CHILD if ACL tag is special > >When ZFS aclmode is set to "passthrough" chmod(2)/fchmod(2) will result >in special entries being modified in a way such that delete, delete_child, >write_named_attr, write_attribute are stripped from the returned ACL entry, >and the kernel / ZFS treats this as having rights equivalent to the desired >POSIX mode. Historically, samba has added delete_child to the NFSv4 ACL, but >this is only really called for in the case of special entries in this >particular circumstance. > >Alter circumstances in which delete_child is granted so that it only >is added to special entries. This preserves the intended post-chmod behavior, >but avoids unnecessarily increasing permissions in cases where it's not >intended. Further modification of this behavior may be required so that >we grant a general read or general write permissions set in case of >POSIX read / POSIX write on special entries. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14471 >RN: vfs_zfsacl: only grant DELETE_CHILD if ACL tag is special > >Signed-off-by: Andrew Walker <awalker@ixsystems.com> >Reviewed-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit c1a37b4f31d5252ce074d41f69e526aa84b0d3b3) >--- > source3/modules/vfs_zfsacl.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > >diff --git a/source3/modules/vfs_zfsacl.c b/source3/modules/vfs_zfsacl.c >index 17478ad116e..093eb5111e1 100644 >--- a/source3/modules/vfs_zfsacl.c >+++ b/source3/modules/vfs_zfsacl.c 
>@@ -112,7 +112,10 @@ static NTSTATUS zfs_get_nt_acl_common(struct connection_struct *conn, > > special = acebuf[i].a_flags & (ACE_OWNER|ACE_GROUP|ACE_EVERYONE); > >- if (is_dir && (aceprop.aceMask & SMB_ACE4_ADD_FILE)) { >+ if (is_dir && >+ (aceprop.aceMask & SMB_ACE4_ADD_FILE) && >+ (special != 0)) >+ { > aceprop.aceMask |= SMB_ACE4_DELETE_CHILD; > } > >-- >2.26.2 >
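Review bot: In the last hunk of patch 2/3 (@@ -118,16 +121,20 @@), the switch on `special` is not strictly equivalent to the if/else-if chain it replaces, although the commit message says "No change in behaviour". The old chain tested one bit at a time, so an entry carrying more than one of ACE_OWNER, ACE_GROUP and ACE_EVERYONE matched the first test that hit (ACE_OWNER first) and was mapped to SMB_ACE4_ID_SPECIAL. The switch only matches exact single-flag values, so the same entry now falls through to `default:` and gets `aceprop.flags = 0`. If such combinations cannot appear in an ACL read back from ZFS, a one-line comment above the switch saying so would settle it; otherwise they need an explicit case. Minor style points, in line with the `if (` fix in 1/3: write `switch (special)` with a space, `case ACE_OWNER:` without the parentheses, and end the `default:` body with a `break;`.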
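Review bot: The new `(special != 0)` test in the patch 3/3 hunk (@@ -112,7 +112,10 @@) uses a looser definition of "special" than the switch a few lines further down in the same function. Any non-zero combination of ACE_OWNER, ACE_GROUP and ACE_EVERYONE passes this test and receives SMB_ACE4_DELETE_CHILD, but the switch introduced in 2/3 only maps the three exact single-flag values to SMB_ACE4_ID_SPECIAL and sends everything else to `default:` with `aceprop.flags = 0`. An entry with two of those bits set would therefore be granted DELETE_CHILD and then be added as a non-special entry, which is the widening this patch sets out to remove. Consider deciding "is special" in one place, for example by setting a bool in the three switch cases and applying the DELETE_CHILD adjustment after the switch. The condition also deserves a short code comment: the aclmode "passthrough" / chmod(2) rationale is currently only in the commit message, and without it the `special != 0` restriction reads as arbitrary to the next person touching this function.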
Flags: jra: review+