Attachment 16488 Details for Bug 13809 – General nfs4 acls patch

[patch] General nfs4 acls patch

s3-modules-nfs4_acl-fix-posix-write-edge-case.patch (text/plain), 3.01 KB, created by Andrew Walker on 2021-03-02 14:16:42 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Andrew Walker

Created: 2021-03-02 14:16:42 UTC

Size: 3.01 KB

patch

obsolete

>From 4fab11fc3a27fda23b0d6ac2005bf9a64e09bb52 Mon Sep 17 00:00:00 2001
>From: Andrew Walker <awalker@ixsystems.com>
>Date: Tue, 2 Mar 2021 09:00:32 -0500
>Subject: [PATCH] s3:modules:nfs4_acl - fix posix write edge case for special
> entries
>
>This commit improves behavior for how we handle edge case where users
>have native NFSv4 ACLs, and have used tools that aren't ACL-aware to
>modify the POSIX mode. Interplay between tools for the less advanced
>permissions model and the NFSv4 ACL can be varied depending on
>operating system and filesystem configuration, but the general strategy
>appears to be to at a minimum modify / create non-inheriting ACL entries
>for the nfsv4 special ids owner@, group@, and everyone@ that have permissions
>equivalent to the mode specified in the chmod request represented in
>allow entries in the ACL.
>
>Unfortunately, if we strictly interpret the resulting permissions set
>for the special entries, then a mode granting posix "write" will not
>map to a security descriptor dacl entry with
>SEC_FILE_WRITE_DATA|SEC_FILE_WRITE_EA|SEC_FILE_WRITE_ATTRIBUTE, which
>is more in line with the permissions expected from the posix write bit.
>
>And so, WRITE_DATA is mapped to WRITE_ATTRIBUTES and WRITE_NAMED_ATTRS
>if the following conditions obtain:
>1) entry is for a special id
>2) entry is of allow type
>3) entry lacks inheritance flags
>
>Signed-off-by: Andrew Walker <awalker@ixsystems.com>
>---
> source3/modules/nfs4_acls.c | 7 +++++++
> source3/modules/nfs4_acls.h | 2 ++
> 2 files changed, 9 insertions(+)
>
>diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
>index 7f32e681694..e1af4572b9a 100644
>--- a/source3/modules/nfs4_acls.c
>+++ b/source3/modules/nfs4_acls.c
>@@ -381,6 +381,13 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx,
> 		DEBUG(10, ("mapped %d to %s\n", ace->who.id,
> 			   dom_sid_str_buf(&sid, &buf)));
> 
>+		if ((ace->flags & SMB_ACE4_ID_SPECIAL) &&
>+		    (ace->aceType == SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE) &&
>+		    ((ace->aceFlags & SMB_ACE4_INHERITANCE_FLAGS) == 0) &&
>+		    (ace->aceMask & SMB_ACE4_WRITE_DATA)) {
>+			ace->aceMask |= SMB_ACE4_WRITE_ATTRIBUTES|SMB_ACE4_WRITE_NAMED_ATTRS;
>+		}
>+
> 		if (!is_directory && params->map_full_control) {
> 			/*
> 			 * Do we have all access except DELETE_CHILD
>diff --git a/source3/modules/nfs4_acls.h b/source3/modules/nfs4_acls.h
>index c9fcf6d250b..d2a7d63f706 100644
>--- a/source3/modules/nfs4_acls.h
>+++ b/source3/modules/nfs4_acls.h
>@@ -75,6 +75,8 @@ typedef struct _SMB_ACE4PROP_T {
> #define SMB_ACE4_ALL_FLAGS	( SMB_ACE4_FILE_INHERIT_ACE | SMB_ACE4_DIRECTORY_INHERIT_ACE \
> | SMB_ACE4_NO_PROPAGATE_INHERIT_ACE | SMB_ACE4_INHERIT_ONLY_ACE | SMB_ACE4_SUCCESSFUL_ACCESS_ACE_FLAG \
> | SMB_ACE4_FAILED_ACCESS_ACE_FLAG | SMB_ACE4_IDENTIFIER_GROUP | SMB_ACE4_INHERITED_ACE)
>+#define SMB_ACE4_INHERITANCE_FLAGS	( SMB_ACE4_FILE_INHERIT_ACE | SMB_ACE4_DIRECTORY_INHERIT_ACE \
>+| SMB_ACE4_NO_PROPAGATE_INHERIT_ACE | SMB_ACE4_INHERIT_ONLY_ACE )
> 
> 	uint32_t aceMask;	/* Access rights */
> /*The bitmask constants used for the access mask field are as follows: */
>-- 
>2.21.0 (Apple Git-122)
>

Flags:

bjacke: review-

Actions: View

Attachments on bug 13809: 16478 | 16479 | 16488