From 4fab11fc3a27fda23b0d6ac2005bf9a64e09bb52 Mon Sep 17 00:00:00 2001 From: Andrew Walker Date: Tue, 2 Mar 2021 09:00:32 -0500 Subject: [PATCH] s3:modules:nfs4_acl - fix posix write edge case for special entries This commit improves behavior for how we handle edge case where users have native NFSv4 ACLs, and have used tools that aren't ACL-aware to modify the POSIX mode. Interplay between tools for the less advanced permissions model and the NFSv4 ACL can be varied depending on operating system and filesystem configuration, but the general strategy appears to be to at a minimum modify / create non-inheriting ACL entries for the nfsv4 special ids owner@, group@, and everyone@ that have permissions equivalent to the mode specified in the chmod request represented in allow entries in the ACL. Unfortunately, if we strictly interpret the resulting permissions set for the special entries, then a mode granting posix "write" will not map to a security descriptor dacl entry with SEC_FILE_WRITE_DATA|SEC_FILE_WRITE_EA|SEC_FILE_WRITE_ATTRIBUTE, which is more in line with the permissions expected from the posix write bit. And so, WRITE_DATA is mapped to WRITE_ATTRIBUTES and WRITE_NAMED_ATTRS if the following conditions obtain: 1) entry is for a special id 2) entry is of allow type 3) entry lacks inheritance flags Signed-off-by: Andrew Walker --- source3/modules/nfs4_acls.c | 7 +++++++ source3/modules/nfs4_acls.h | 2 ++ 2 files changed, 9 insertions(+) diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index 7f32e681694..e1af4572b9a 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c @@ -381,6 +381,13 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, DEBUG(10, ("mapped %d to %s\n", ace->who.id, dom_sid_str_buf(&sid, &buf))); + if ((ace->flags & SMB_ACE4_ID_SPECIAL) && + (ace->aceType == SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE) && + ((ace->aceFlags & SMB_ACE4_INHERITANCE_FLAGS) == 0) && + (ace->aceMask & SMB_ACE4_WRITE_DATA)) { + ace->aceMask |= SMB_ACE4_WRITE_ATTRIBUTES|SMB_ACE4_WRITE_NAMED_ATTRS; + } + if (!is_directory && params->map_full_control) { /* * Do we have all access except DELETE_CHILD diff --git a/source3/modules/nfs4_acls.h b/source3/modules/nfs4_acls.h index c9fcf6d250b..d2a7d63f706 100644 --- a/source3/modules/nfs4_acls.h +++ b/source3/modules/nfs4_acls.h @@ -75,6 +75,8 @@ typedef struct _SMB_ACE4PROP_T { #define SMB_ACE4_ALL_FLAGS ( SMB_ACE4_FILE_INHERIT_ACE | SMB_ACE4_DIRECTORY_INHERIT_ACE \ | SMB_ACE4_NO_PROPAGATE_INHERIT_ACE | SMB_ACE4_INHERIT_ONLY_ACE | SMB_ACE4_SUCCESSFUL_ACCESS_ACE_FLAG \ | SMB_ACE4_FAILED_ACCESS_ACE_FLAG | SMB_ACE4_IDENTIFIER_GROUP | SMB_ACE4_INHERITED_ACE) +#define SMB_ACE4_INHERITANCE_FLAGS ( SMB_ACE4_FILE_INHERIT_ACE | SMB_ACE4_DIRECTORY_INHERIT_ACE \ +| SMB_ACE4_NO_PROPAGATE_INHERIT_ACE | SMB_ACE4_INHERIT_ONLY_ACE ) uint32_t aceMask; /* Access rights */ /*The bitmask constants used for the access mask field are as follows: */ -- 2.21.0 (Apple Git-122)