The Samba-Bugzilla – Attachment 16488 Details for
Bug 13809
"Unix perms" Group Write permissions getting "lost" to Windows client when accessing files with "zfsacl" VFS enabled on FreeBSD
[patch]
General nfs4 acls patch
s3-modules-nfs4_acl-fix-posix-write-edge-case.patch (text/plain), 3.01 KB, created by
Andrew Walker
on 2021-03-02 14:16:42 UTC
>From 4fab11fc3a27fda23b0d6ac2005bf9a64e09bb52 Mon Sep 17 00:00:00 2001 >From: Andrew Walker <awalker@ixsystems.com> >Date: Tue, 2 Mar 2021 09:00:32 -0500 >Subject: [PATCH] s3:modules:nfs4_acl - fix posix write edge case for special > entries > >This commit improves behavior for how we handle edge case where users >have native NFSv4 ACLs, and have used tools that aren't ACL-aware to >modify the POSIX mode. Interplay between tools for the less advanced >permissions model and the NFSv4 ACL can be varied depending on >operating system and filesystem configuration, but the general strategy >appears to be to at a minimum modify / create non-inheriting ACL entries >for the nfsv4 special ids owner@, group@, and everyone@ that have permissions >equivalent to the mode specified in the chmod request represented in >allow entries in the ACL. > >Unfortunately, if we strictly interpret the resulting permissions set >for the special entries, then a mode granting posix "write" will not >map to a security descriptor dacl entry with >SEC_FILE_WRITE_DATA|SEC_FILE_WRITE_EA|SEC_FILE_WRITE_ATTRIBUTE, which >is more in line with the permissions expected from the posix write bit. > >And so, WRITE_DATA is mapped to WRITE_ATTRIBUTES and WRITE_NAMED_ATTRS >if the following conditions obtain: >1) entry is for a special id >2) entry is of allow type >3) entry lacks inheritance flags > >Signed-off-by: Andrew Walker <awalker@ixsystems.com> >--- > source3/modules/nfs4_acls.c | 7 +++++++ > source3/modules/nfs4_acls.h | 2 ++ > 2 files changed, 9 insertions(+) > >diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c >index 7f32e681694..e1af4572b9a 100644 >--- a/source3/modules/nfs4_acls.c >+++ b/source3/modules/nfs4_acls.c 
>@@ -381,6 +381,13 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, > DEBUG(10, ("mapped %d to %s\n", ace->who.id, > dom_sid_str_buf(&sid, &buf))); > >+ if ((ace->flags & SMB_ACE4_ID_SPECIAL) && >+ (ace->aceType == SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE) && >+ ((ace->aceFlags & SMB_ACE4_INHERITANCE_FLAGS) == 0) && >+ (ace->aceMask & SMB_ACE4_WRITE_DATA)) { >+ ace->aceMask |= SMB_ACE4_WRITE_ATTRIBUTES|SMB_ACE4_WRITE_NAMED_ATTRS; >+ } >+ > if (!is_directory && params->map_full_control) { > /* > * Do we have all access except DELETE_CHILD >diff --git a/source3/modules/nfs4_acls.h b/source3/modules/nfs4_acls.h >index c9fcf6d250b..d2a7d63f706 100644 >--- a/source3/modules/nfs4_acls.h >+++ b/source3/modules/nfs4_acls.h >@@ -75,6 +75,8 @@ typedef struct _SMB_ACE4PROP_T { > #define SMB_ACE4_ALL_FLAGS ( SMB_ACE4_FILE_INHERIT_ACE | SMB_ACE4_DIRECTORY_INHERIT_ACE \ > | SMB_ACE4_NO_PROPAGATE_INHERIT_ACE | SMB_ACE4_INHERIT_ONLY_ACE | SMB_ACE4_SUCCESSFUL_ACCESS_ACE_FLAG \ > | SMB_ACE4_FAILED_ACCESS_ACE_FLAG | SMB_ACE4_IDENTIFIER_GROUP | SMB_ACE4_INHERITED_ACE) >+#define SMB_ACE4_INHERITANCE_FLAGS ( SMB_ACE4_FILE_INHERIT_ACE | SMB_ACE4_DIRECTORY_INHERIT_ACE \ >+| SMB_ACE4_NO_PROPAGATE_INHERIT_ACE | SMB_ACE4_INHERIT_ONLY_ACE ) > > uint32_t aceMask; /* Access rights */ > /*The bitmask constants used for the access mask field are as follows: */ >-- >2.21.0 (Apple Git-122) >
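Review bot: The new `if` block in smbacl4_nfs42win() applies the widening unconditionally and without a code comment, while the check directly below it is gated by `params->map_full_control`. The security descriptor returned to Windows clients can now carry WRITE_ATTRIBUTES and WRITE_NAMED_ATTRS for owner@, group@ or everyone@ even when the entry handed to this function has only WRITE_DATA, so the rationale and the three conditions from the commit message belong in a comment above the block, and a module parameter in the style of map_full_control would let administrators who want the strict mapping keep it. The block also assigns to `ace->aceMask` directly; building the widened value in a local variable would leave the ACE unchanged for any code that reads it after this point.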
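Review bot: SMB_ACE4_INHERITANCE_FLAGS in nfs4_acls.h leaves out SMB_ACE4_INHERITED_ACE, which SMB_ACE4_ALL_FLAGS just above it includes, and nothing says whether that is deliberate. With the test `(ace->aceFlags & SMB_ACE4_INHERITANCE_FLAGS) == 0` in nfs4_acls.c, a special-id allow entry that is marked as inherited from a parent still counts as lacking inheritance flags and gets the wider write mask, although the commit message describes the target as entries created or modified by a chmod. Please add a short comment on the macro stating which flags it covers and why INHERITED_ACE is excluded, or add that flag to the check if inherited entries should be left alone.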
Flags:
bjacke
:
review-