The Samba-Bugzilla – Attachment 18293 Details for
Bug 15636
Smbcacls incorrectly propagates inheritance with Inherit-Only flag
[patch]
backported patch for 4.20
bug15636-4.20.patch (text/plain), 9.73 KB, created by
Noel Power
on 2024-04-30 10:57:49 UTC
Description:
backported patch for 4.20
Creator:
Noel Power
Created:
2024-04-30 10:57:49 UTC
Size:
9.73 KB
>From da73bf9a2c572131abf8ede48d871353c0ea094d Mon Sep 17 00:00:00 2001
>From: yuzu367 <popova.anna235@gmail.com>
>Date: Thu, 11 Apr 2024 11:31:07 +0300
>Subject: [PATCH 1/2] python/samba/tests/blackbox: Add tests for Inherit-only
> flag propagation
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15636
>
>Signed-off-by: Anna Popova <popova.anna235@gmail.com>
>Reviewed-by: Noel Power <noel.power@suse.com>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>(cherry picked from commit eba2bfde347041a395f0fbd3c57235be63b1890d)
>---
> .../blackbox/smbcacls_propagate_inhertance.py | 108 ++++++++++++++++++
> selftest/knownfail.d/smbcacls | 6 +
> 2 files changed, 114 insertions(+)
> create mode 100644 selftest/knownfail.d/smbcacls
>
>diff --git a/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py b/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py
>index cc13727b8fb..5b3a27111d5 100644
>--- a/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py
>+++ b/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py
>@@ -1288,3 +1288,111 @@ class InheritanceSmbCaclsTests(SmbCaclsBlockboxTestBase):
>
> except BlackboxProcessError as e:
> self.fail(str(e))
>+
>+ def test_simple_iocioi_add(self):
>+ """test smbcacls '--propagate-inheritance --add' which attempts to add the ACL
>+ for the file and additionally use inheritance rules to propagate appropriate
>+ changes to children
>+
>+ This test adds an ACL with (IO)(CI)(OI)(READ)
>+
>+ before:
>+
>+ +-tar_test_dir/ (OI)(CI)(I)(F)
>+ +-oi_dir/ (OI)(CI)(I)(F)
>+ | +-file.1 (I)(F)
>+ | +-nested/ (OI)(CI)(I)(F)
>+ | +-file.2 (I)(F)
>+ | +-nested_again/ (OI)(CI)(I)(F)
>+ | +-file.3 (I)(F)
>+
>+ after/expected:
>+
>+ +-tar_test_dir/ (OI)(CI)(I)(F)
>+ +-oi_dir/ (OI)(CI)(I)(F), (IO)(CI)(OI)(READ)
>+ | +-file.1 (I)(F), (I)(READ)
>+ | +-nested/ (OI)(CI)(I)(F), (I)(CI)(OI)(READ)
>+ | +-file.2 (I)(F), (I)(READ)
>+ | +-nested_again/ (OI)(CI)(I)(F), (I)(CI)(OI)(READ)
>+ | +-file.3 (I)(F), (I)(READ)"""
>+
>+ dir_add_acl_str = "ACL:%s:ALLOWED/OI|CI|IO/READ" % self.user
>+ obj_inherited_ace_str = "ACL:%s:ALLOWED/I/READ" % self.user
>+ dir_inherited_ace_str = "ACL:%s:ALLOWED/OI|CI|I/READ" % self.user
>+
>+ try:
>+
>+ self.smb_cacls(["--propagate-inheritance", "--add",
>+ dir_add_acl_str, self.oi_dir])
>+
>+ # check top level container 'oi_dir' has IO|CI|OI/READ
>+ dir_ace = self.ace_parse_str(dir_add_acl_str)
>+ self.assertTrue(self.file_ace_check(self.oi_dir, dir_ace))
>+
>+ # file 'oi_dir/file-1' should have inherited I/READ
>+ child_file_ace = self.ace_parse_str(obj_inherited_ace_str)
>+ self.assertTrue(self.file_ace_check(self.f1, child_file_ace))
>+
>+ # nested dir 'oi_dir/nested/' should have I|CI|OI/READ
>+ child_dir_ace = self.ace_parse_str(dir_inherited_ace_str)
>+ self.assertTrue(self.file_ace_check(self.nested_dir, child_dir_ace))
>+
>+ # nested file 'oi_dir/nested/file-2' should have inherited I/READ
>+ self.assertTrue(self.file_ace_check(self.f2, child_file_ace))
>+
>+ # nested_again dir 'oi_dir/nested/nested_again' should have
I|CI|OI/READ
>+ child_dir_ace = self.ace_parse_str(dir_inherited_ace_str)
>+ self.assertTrue(self.file_ace_check(self.nested_again_dir, child_dir_ace))
>+ # nested_again file 'oi_dir/nested/nested_again/file-3' should have inherited I/READ
>+ self.assertTrue(self.file_ace_check(self.f3, child_file_ace))
>+ except BlackboxProcessError as e:
>+ self.fail(str(e))
>+
>+ def test_simple_ioci_add(self):
>+ """test smbcacls '--propagate-inheritance --add' which attempts to add the ACL
>+ for the file and additionally use inheritance rules to propagate appropriate
>+ changes to children
>+
>+ This test adds an ACL with (IO)(CI)(READ)
>+
>+ before:
>+
>+ +-tar_test_dir/ (OI)(CI)(I)(F)
>+ +-oi_dir/ (OI)(CI)(I)(F)
>+ | +-file.1 (I)(F)
>+ | +-nested/ (OI)(CI)(I)(F)
>+ | +-file.2 (I)(F)
>+ | +-nested_again/ (OI)(CI)(I)(F)
>+ | +-file.3 (I)(F)
>+
>+ after/expected:
>+
>+ +-tar_test_dir/ (OI)(CI)(I)(F)
>+ +-oi_dir/ (OI)(CI)(I)(F), (IO)(CI)(READ)
>+ | +-file.1 (I)(F)
>+ | +-nested/ (OI)(CI)(I)(F), (I)(CI)(READ)
>+ | +-file.2 (I)(F)
>+ | +-nested_again/ (OI)(CI)(I)(F), (I)(CI)(READ)
>+ | +-file.3 (I)(F)"""
>+
>+ dir_add_acl_str = "ACL:%s:ALLOWED/CI|IO/READ" % self.user
>+ dir_inherited_ace_str = "ACL:%s:ALLOWED/CI|I/READ" % self.user
>+
>+ try:
>+
>+ self.smb_cacls(["--propagate-inheritance", "--add",
>+ dir_add_acl_str, self.oi_dir])
>+
>+ # check top level container 'oi_dir' has IO|CI/READ
>+ dir_ace = self.ace_parse_str(dir_add_acl_str)
>+ self.assertTrue(self.file_ace_check(self.oi_dir, dir_ace))
>+
>+ # nested dir 'oi_dir/nested/' should have I|CI/READ
>+ child_dir_ace = self.ace_parse_str(dir_inherited_ace_str)
>+ self.assertTrue(self.file_ace_check(self.nested_dir, child_dir_ace))
>+
>+ # nested_again dir 'oi_dir/nested/nested_again' should have I|CI/READ
>+ child_dir_ace = self.ace_parse_str(dir_inherited_ace_str)
>+ self.assertTrue(self.file_ace_check(self.nested_again_dir, child_dir_ace))
>+ except BlackboxProcessError as e:
>+ self.fail(str(e))
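Review bot: test_simple_ioci_add asserts only the three directory ACEs and never checks that file.1, file.2 and file.3 stay without a READ entry, although the docstring's expected tree says they keep (I)(F) alone. For an ACL tool the over-grant direction is the one worth pinning: a regression that pushed a container-inherit ACE onto files would still pass this test. Assuming file_ace_check returns a false value when the ACE is absent (the helper is defined outside this hunk), add after the directory checks `file_ace = self.ace_parse_str("ACL:%s:ALLOWED/I/READ" % self.user)` followed by `for f in (self.f1, self.f2, self.f3): self.assertFalse(self.file_ace_check(f, file_ace))`. Whether the existing assertTrue checks would also fail on a child ACE that still carries IO depends on how strictly that helper compares flags, so that is worth confirming as well.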
>diff --git a/selftest/knownfail.d/smbcacls b/selftest/knownfail.d/smbcacls
>new file mode 100644
>index 00000000000..5e201dfc9b7
>--- /dev/null
>+++ b/selftest/knownfail.d/smbcacls
>@@ -0,0 +1,6 @@
>+^samba.tests.blackbox.smbcacls_propagate_inhertance.samba.tests.blackbox.smbcacls_propagate_inhertance.InheritanceSmbCaclsTests.test_simple_iocioi_add
>+^samba.tests.blackbox.smbcacls_propagate_inhertance.samba.tests.blackbox.smbcacls_propagate_inhertance.InheritanceSmbCaclsTests.test_simple_ioci_add
>+^samba.tests.blackbox.smbcacls_dfs_propagate_inherit\(DFS-msdfs-root\).samba.tests.blackbox.smbcacls_propagate_inhertance.InheritanceSmbCaclsTests.test_simple_iocioi_add
>+^samba.tests.blackbox.smbcacls_dfs_propagate_inherit\(DFS-msdfs-root\).samba.tests.blackbox.smbcacls_propagate_inhertance.InheritanceSmbCaclsTests.test_simple_ioci_add
>+^samba.tests.blackbox.smbcacls_dfs_propagate_inherit\(DFS-msdfs-root\).samba.tests.blackbox.smbcacls_dfs_propagate_inherit.DfsInheritanceSmbCaclsTests.test_simple_iocioi_add
>+^samba.tests.blackbox.smbcacls_dfs_propagate_inherit\(DFS-msdfs-root\).samba.tests.blackbox.smbcacls_dfs_propagate_inherit.DfsInheritanceSmbCaclsTests.test_simple_ioci_add
>\ No newline at end of file
>--
>2.35.3
>
>
>From 1877f905f071eeae3339d7f290e8bfbce7711d51 Mon Sep 17 00:00:00 2001
>From: Anna Popova <popova.anna235@gmail.com>
>Date: Fri, 12 Apr 2024 17:32:37 +0300
>Subject: [PATCH 2/2] s3:utils: Fix Inherit-Only flag being automatically
> propagated to children
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Inherit-only flag applies only to the container it was set to and it
>shouldn't be automatically propagated to children.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15636
>
>Signed-off-by: Anna Popova <popova.anna235@gmail.com>
>Reviewed-by: Noel Power <noel.power@suse.com>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>
>Autobuild-User(master): Ralph Böhme <slow@samba.org>
>Autobuild-Date(master): Mon Apr 29 10:56:48 UTC 2024 on atb-devel-224
>
>(cherry picked from commit 80159018e411c643fbfe7ef82bd33e30b6147901)
>---
> selftest/knownfail.d/smbcacls | 6 ------
> source3/utils/smbcacls.c | 4 ++++
> 2 files changed, 4 insertions(+), 6 deletions(-)
> delete mode 100644 selftest/knownfail.d/smbcacls
>
>diff --git a/selftest/knownfail.d/smbcacls b/selftest/knownfail.d/smbcacls
>deleted file mode 100644
>index 5e201dfc9b7..00000000000
>--- a/selftest/knownfail.d/smbcacls
>+++ /dev/null
>@@ -1,6 +0,0 @@
>-^samba.tests.blackbox.smbcacls_propagate_inhertance.samba.tests.blackbox.smbcacls_propagate_inhertance.InheritanceSmbCaclsTests.test_simple_iocioi_add
>-^samba.tests.blackbox.smbcacls_propagate_inhertance.samba.tests.blackbox.smbcacls_propagate_inhertance.InheritanceSmbCaclsTests.test_simple_ioci_add
>-^samba.tests.blackbox.smbcacls_dfs_propagate_inherit\(DFS-msdfs-root\).samba.tests.blackbox.smbcacls_propagate_inhertance.InheritanceSmbCaclsTests.test_simple_iocioi_add
>-^samba.tests.blackbox.smbcacls_dfs_propagate_inherit\(DFS-msdfs-root\).samba.tests.blackbox.smbcacls_propagate_inhertance.InheritanceSmbCaclsTests.test_simple_ioci_add
>-^samba.tests.blackbox.smbcacls_dfs_propagate_inherit\(DFS-msdfs-root\).samba.tests.blackbox.smbcacls_dfs_propagate_inherit.DfsInheritanceSmbCaclsTests.test_simple_iocioi_add
>-^samba.tests.blackbox.smbcacls_dfs_propagate_inherit\(DFS-msdfs-root\).samba.tests.blackbox.smbcacls_dfs_propagate_inherit.DfsInheritanceSmbCaclsTests.test_simple_ioci_add
>\ No newline at end of file
>diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c
>index ff11ba4d7d7..e0591ac076b 100644
>--- a/source3/utils/smbcacls.c
>+++ b/source3/utils/smbcacls.c
>@@ -914,6 +914,10 @@ static uint8_t get_flags_to_propagate(bool is_container,
> /* Assume we are not propagating the ACE */
>
> newflags &= ~SEC_ACE_FLAG_INHERITED_ACE;
>+
>+ /* Inherit-only flag is not propagated to children */
>+
>+ newflags &= ~SEC_ACE_FLAG_INHERIT_ONLY;
> /* all children need to have the SEC_ACE_FLAG_INHERITED_ACE set */
> if (acl_cntrinherit || acl_objinherit) {
> /*
>--
>2.35.3
>
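Review bot: The added `newflags &= ~SEC_ACE_FLAG_INHERIT_ONLY;` clears inherit-only unconditionally, ahead of the `if (acl_cntrinherit || acl_objinherit)` block whose body lies outside this hunk. Whether a child directory that receives an object-inherit-only ACE still ends up marked inherit-only therefore depends on code not visible here. The tests in patch 1/2 exercise OI|CI|IO and CI|IO but not OI|IO, so a third case adding `ALLOWED/OI|IO/READ` would pin that the entry reaches the files without becoming effective on the intermediate directories. The comment could also state the reason given in the commit message, e.g. `/* Inherit-only describes the parent's own ACE; do not copy it to children */`, and a blank line before the following comment would match the spacing of the lines above.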
Flags:
slow
:
review+