The Samba-Bugzilla – Attachment 18387 Details for Bug 15688: per user veto and hide file syntax is to complex
[patch] Patches for v4-21-test
bfixes-tmp421.txt (text/plain), 27.76 KB, created by Stefan Metzmacher on 2024-07-31 09:58:39 UTC
>From 1649d8eeb3cac44638234b44921b6feee2536951 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Mon, 29 Jul 2024 06:27:51 -0700 >Subject: [PATCH 1/9] loadparm: Factor out lp_wi_scan_parametrics > >We'll scan share parametrics soon as well. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688 >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 0536ac96e927c00121e220f45cd63682726bc8e3) >--- > source3/param/loadparm.c | 25 +++++++++++++++++++------ > 1 file changed, 19 insertions(+), 6 deletions(-) > >diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c >index 663edb2c653a..246e0378d652 100644 >--- a/source3/param/loadparm.c >+++ b/source3/param/loadparm.c >@@ -1204,11 +1204,13 @@ static void discard_whitespace(char *str) > * See "man regexec" for possible errors > */ > >-int lp_wi_scan_global_parametrics( >- const char *regex_str, size_t max_matches, >- bool (*cb)(const char *string, regmatch_t matches[], >- void *private_data), >- void *private_data) >+static int lp_wi_scan_parametrics(struct parmlist_entry *parmlist, >+ const char *regex_str, >+ size_t max_matches, >+ bool (*cb)(const char *string, >+ regmatch_t matches[], >+ void *private_data), >+ void *private_data) > { > struct parmlist_entry *data; > regex_t regex; >@@ -1219,7 +1221,7 @@ int lp_wi_scan_global_parametrics( > return ret; > } > >- for (data = Globals.param_opt; data != NULL; data = data->next) { >+ for (data = parmlist; data != NULL; data = data->next) { > size_t keylen = strlen(data->key); > char key[keylen+1]; > regmatch_t matches[max_matches]; 
>@@ -1248,6 +1250,17 @@ fail: > return ret; > } > >+int lp_wi_scan_global_parametrics(const char *regex_str, >+ size_t max_matches, >+ bool (*cb)(const char *string, >+ regmatch_t matches[], >+ void *private_data), >+ void *private_data) >+{ >+ int ret = lp_wi_scan_parametrics( >+ Globals.param_opt, regex_str, max_matches, cb, private_data); >+ return ret; >+} > > #define MISSING_PARAMETER(name) \ > DEBUG(0, ("%s(): value is NULL or empty!\n", #name)) >-- >2.34.1 > > >From 1a01f42563a0cc75e1424523dd40260e70b7632e Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Mon, 29 Jul 2024 07:17:21 -0700 >Subject: [PATCH 2/9] loadparm: Add lp_wi_scan_share_parametrics > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688 >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 89da15756d81746d80b43c2fe04c51fc07591849) >--- > source3/param/loadparm.c | 25 +++++++++++++++++++++++++ > source3/param/loadparm.h | 7 +++++++ > 2 files changed, 32 insertions(+) > >diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c >index 246e0378d652..f9bc1c427961 100644 >--- a/source3/param/loadparm.c >+++ b/source3/param/loadparm.c >@@ -1262,6 +1262,31 @@ int lp_wi_scan_global_parametrics(const char *regex_str, > return ret; > } > >+int lp_wi_scan_share_parametrics(int snum, >+ const char *regex_str, >+ size_t max_matches, >+ bool (*cb)(const char *string, >+ regmatch_t matches[], >+ void *private_data), >+ void *private_data) >+{ >+ struct loadparm_service *s = NULL; >+ int ret; >+ >+ if (!LP_SNUM_OK(snum)) { >+ /* >+ * We return regex return values here, REG_NOMATCH is >+ * the closest I could find. >+ */ >+ return REG_NOMATCH; >+ } >+ s = ServicePtrs[snum]; >+ >+ ret = lp_wi_scan_parametrics( >+ s->param_opt, regex_str, max_matches, cb, private_data); >+ return ret; >+} >+ > #define MISSING_PARAMETER(name) \ > DEBUG(0, ("%s(): value is NULL or empty!\n", #name)) 
> >diff --git a/source3/param/loadparm.h b/source3/param/loadparm.h >index 622e2290d3cf..e8f06ddbc2ca 100644 >--- a/source3/param/loadparm.h >+++ b/source3/param/loadparm.h >@@ -75,6 +75,13 @@ int lp_wi_scan_global_parametrics( > bool (*cb)(const char *string, regmatch_t matches[], > void *private_data), > void *private_data); >+int lp_wi_scan_share_parametrics(int snum, >+ const char *regex_str, >+ size_t max_matches, >+ bool (*cb)(const char *string, >+ regmatch_t matches[], >+ void *private_data), >+ void *private_data); > > const char *lp_parm_const_string(int snum, const char *type, const char *option, const char *def); > struct loadparm_service; >-- >2.34.1 > > >From 7854f37a7eeaaf6a11f81fa0f784b04439257df6 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Tue, 30 Jul 2024 13:07:22 +0200 >Subject: [PATCH 3/9] lib: Factor out append_namearray from set_namearray > >We'll have to add to an existing namearray soon. > >This turns one talloc_array() into a set of reallocs. This is slower, >but set_namearray is only used for smb.conf entries where we don't >expect hundreds or more entries to add. I've done this to avoid array >length calculations, but if it turns out to be too slow we can get >smarter again. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688 >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit fcd595a4642a08169b427af534a00116daf220bf) >--- > source3/include/proto.h | 4 ++ > source3/lib/util_namearray.c | 84 ++++++++++++++++++++++++------------ > 2 files changed, 60 insertions(+), 28 deletions(-) > >diff --git a/source3/include/proto.h b/source3/include/proto.h >index 966d038cc404..d7e074b7899c 100644 >--- a/source3/include/proto.h >+++ b/source3/include/proto.h 
>@@ -326,6 +326,10 @@ bool token_contains_name(TALLOC_CTX *mem_ctx, > const struct security_token *token, > const char *name, > bool *match); >+bool append_to_namearray(TALLOC_CTX *mem_ctx, >+ const char *namelist_in, >+ const struct security_token *token, >+ struct name_compare_entry **_name_array); > bool set_namearray(TALLOC_CTX *mem_ctx, > const char *namelist, > const struct security_token *token, >diff --git a/source3/lib/util_namearray.c b/source3/lib/util_namearray.c >index ca3344e09f14..707ab235b85e 100644 >--- a/source3/lib/util_namearray.c >+++ b/source3/lib/util_namearray.c >@@ -179,6 +179,17 @@ bool token_contains_name(TALLOC_CTX *mem_ctx, > return true; > } > >+static size_t namearray_len(const struct name_compare_entry *array) >+{ >+ size_t i = 0; >+ >+ while (array[i].name != NULL) { >+ i += 1; >+ } >+ >+ return i; >+} >+ > /******************************************************************* > Strip a '/' separated list into an array of > name_compare_enties structures suitable for 
>@@ -190,46 +201,38 @@ bool token_contains_name(TALLOC_CTX *mem_ctx, > if possible. > ********************************************************************/ > >-bool set_namearray(TALLOC_CTX *mem_ctx, >- const char *namelist_in, >- const struct security_token *token, >- struct name_compare_entry **_name_array) >+bool append_to_namearray(TALLOC_CTX *mem_ctx, >+ const char *namelist_in, >+ const struct security_token *token, >+ struct name_compare_entry **_name_array) > { >- struct name_compare_entry *name_array = NULL; >- struct name_compare_entry *e = NULL; >+ struct name_compare_entry *name_array = *_name_array; >+ size_t len; > char *namelist = NULL; > const char *p = NULL; >- size_t num_entries; > bool ok; > >- *_name_array = NULL; >- > if ((namelist_in == NULL) || (namelist_in[0] == '\0')) { > return true; > } > >- namelist = path_to_strv(mem_ctx, namelist_in); >- if (namelist == NULL) { >- DBG_ERR("path_to_strv failed\n"); >- return false; >+ if (name_array == NULL) { >+ name_array = talloc_zero(mem_ctx, struct name_compare_entry); >+ if (name_array == NULL) { >+ return false; >+ } > } >+ len = namearray_len(name_array); > >- num_entries = strv_count(namelist); >- >- name_array = talloc_zero_array(mem_ctx, >- struct name_compare_entry, >- num_entries + 1); >- if (name_array == NULL) { >- DBG_ERR("talloc failed\n"); >- TALLOC_FREE(namelist); >+ namelist = path_to_strv(name_array, namelist_in); >+ if (namelist == NULL) { >+ DBG_ERR("path_to_strv failed\n"); > return false; > } > >- namelist = talloc_reparent(mem_ctx, name_array, namelist); >- >- e = &name_array[0]; >- > while ((p = strv_next(namelist, p)) != NULL) { >+ struct name_compare_entry *tmp = NULL; >+ > if (*p == '\0') { > /* cope with multiple (useless) /s) */ > continue; 
>@@ -273,11 +276,36 @@ bool set_namearray(TALLOC_CTX *mem_ctx, > } > } > >- e->name = p; >- e->is_wild = ms_has_wild(e->name); >- e++; >+ tmp = talloc_realloc(mem_ctx, >+ name_array, >+ struct name_compare_entry, >+ len + 2); >+ if (tmp == NULL) { >+ return false; >+ } >+ name_array = tmp; >+ >+ name_array[len] = (struct name_compare_entry){ >+ .name = p, >+ .is_wild = ms_has_wild(p), >+ }; >+ name_array[len + 1] = (struct name_compare_entry){}; >+ len += 1; > } > > *_name_array = name_array; > return true; > } >+ >+bool set_namearray(TALLOC_CTX *mem_ctx, >+ const char *namelist_in, >+ const struct security_token *token, >+ struct name_compare_entry **_name_array) >+{ >+ bool ret; >+ >+ *_name_array = NULL; >+ >+ ret = append_to_namearray(mem_ctx, namelist_in, token, _name_array); >+ return ret; >+} >-- >2.34.1 > > >From f7e0630d1a3f6d3d5a25ce4e5c49d5b9e134947f Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Mon, 29 Jul 2024 17:49:49 +0200 >Subject: [PATCH 4/9] smbd: Respect per-user hide and veto files with > parametric options > >For my taste this is a nicer configuration syntax than > >/../username1/file1/../username2/file2/ > >Is this too expensive? I don't think so. The scanning only happens an >tcon time, and it only walks the parametric options. If this turns out >to be a performance problem, we should think about smarter data >structures for parametric options instead of just a linked list of >string triples for everything. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688 >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 17becb5f526015de56d00cd1c8f603f8ddacd0ba) >--- > source3/smbd/uid.c | 131 +++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 131 insertions(+) > >diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c >index fa5f9bcc2f66..e0e448e3bea9 100644 >--- a/source3/smbd/uid.c >+++ b/source3/smbd/uid.c 
>@@ -179,6 +179,82 @@ NTSTATUS check_user_share_access(connection_struct *conn, > return NT_STATUS_OK; > } > >+struct scan_file_list_state { >+ TALLOC_CTX *mem_ctx; >+ const struct loadparm_substitution *lp_sub; >+ int snum; >+ const char *param_type; >+ struct security_token *token; >+ struct name_compare_entry **list; >+ bool ok; >+}; >+ >+static bool scan_file_list_cb(const char *string, >+ regmatch_t matches[], >+ void *private_data) >+{ >+ struct scan_file_list_state *state = private_data; >+ >+ if (matches[1].rm_so == -1) { >+ DBG_WARNING("Found match, but no name??\n"); >+ goto fail; >+ } >+ if (matches[1].rm_eo <= matches[1].rm_so) { >+ DBG_WARNING("Invalid match\n"); >+ goto fail; >+ } >+ >+ { >+ regoff_t len = matches[1].rm_eo - matches[1].rm_so; >+ char name[len + 1]; >+ bool ok, match; >+ char *files = NULL; >+ >+ memcpy(name, string + matches[1].rm_so, len); >+ name[len] = '\0'; >+ >+ DBG_DEBUG("Found name \"%s : %s\"\n", state->param_type, name); >+ >+ ok = token_contains_name(talloc_tos(), >+ NULL, >+ NULL, >+ NULL, >+ state->token, >+ name, >+ &match); >+ if (!ok) { >+ goto fail; >+ } >+ if (!match) { >+ return false; /* don't stop traverse */ >+ } >+ >+ files = lp_parm_substituted_string(state->mem_ctx, >+ state->lp_sub, >+ state->snum, >+ state->param_type, >+ name, >+ NULL); >+ if (files == NULL) { >+ goto fail; >+ } >+ >+ ok = append_to_namearray(state->mem_ctx, >+ files, >+ NULL, >+ state->list); >+ if (!ok) { >+ goto fail; >+ } >+ >+ return false; /* don't stop traverse */ >+ } >+ >+fail: >+ state->ok = false; >+ return true; /* stop traverse */ >+} >+ > /******************************************************************* > Check if a username is OK. 
> >@@ -284,6 +360,15 @@ static bool check_user_ok(connection_struct *conn, > > /* Add veto/hide lists */ > if (!IS_IPC(conn) && !IS_PRINT(conn)) { >+ struct scan_file_list_state state = { >+ .mem_ctx = conn, >+ .lp_sub = lp_sub, >+ .snum = snum, >+ .token = session_info->security_token, >+ .ok = true, >+ }; >+ int ret; >+ > ok = set_namearray(conn, > lp_veto_files(talloc_tos(), lp_sub, snum), > session_info->security_token, >@@ -291,6 +376,33 @@ static bool check_user_ok(connection_struct *conn, > if (!ok) { > return false; > } >+ >+ /* >+ * A bit of boilerplate code duplication for userlevel >+ * hide and veto files in the share and global >+ * sections, but not enough to justify putting this >+ * into functions for now :-) >+ */ >+ >+ state.param_type = "veto files"; >+ state.list = &ent->veto_list; >+ >+ ret = lp_wi_scan_global_parametrics("vetofiles:\\(.*\\)", >+ 2, >+ scan_file_list_cb, >+ &state); >+ if ((ret != 0) || !state.ok) { >+ return false; >+ } >+ ret = lp_wi_scan_share_parametrics(snum, >+ "vetofiles:\\(.*\\)", >+ 2, >+ scan_file_list_cb, >+ &state); >+ if ((ret != 0) || !state.ok) { >+ return false; >+ } >+ > ok = set_namearray(conn, > lp_hide_files(talloc_tos(), lp_sub, snum), > session_info->security_token, >@@ -298,6 +410,25 @@ static bool check_user_ok(connection_struct *conn, > if (!ok) { > return false; > } >+ >+ state.param_type = "hide files"; >+ state.list = &ent->hide_list; >+ >+ ret = lp_wi_scan_global_parametrics("hidefiles:\\(.*\\)", >+ 2, >+ scan_file_list_cb, >+ &state); >+ if ((ret != 0) || !state.ok) { >+ return false; >+ } >+ ret = lp_wi_scan_share_parametrics(snum, >+ "hidefiles:\\(.*\\)", >+ 2, >+ scan_file_list_cb, >+ &state); >+ if ((ret != 0) || !state.ok) { >+ return false; >+ } > } > > free_conn_state_if_unused(conn); >-- >2.34.1 > > >From e0f0cf0807648d99d9f249f4bc176f49c57d1f94 Mon Sep 17 00:00:00 2001 
>From: Volker Lendecke <vl@samba.org> >Date: Tue, 30 Jul 2024 14:11:53 +0200 >Subject: [PATCH 5/9] tests: Test parametric per-user syntax for hide/veto > files > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688 >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit b5a128685e68f05a3688aa1391393b9095bf32b0) >--- > selftest/target/Samba3.pm | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > >diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm >index 8d7f690ecf62..aea64bf5d5df 100755 >--- a/selftest/target/Samba3.pm >+++ b/selftest/target/Samba3.pm >@@ -1968,6 +1968,8 @@ sub setup_fileserver > > get quota command = $prefix_abs/getset_quota.py > set quota command = $prefix_abs/getset_quota.py >+ veto files : user1 = /user1file/ >+ veto files : +group1 = /group1file/ > [tarmode] > path = $tarmode_sharedir > comment = tar test share >@@ -2079,7 +2081,9 @@ sub setup_fileserver > > [veto_files] > path = $veto_sharedir >- veto files = /veto_name*/../user1/user1file/../user2/user2file/../+group1/group1file/../+group2/group2file >+ veto files = /veto_name*/ >+ veto files : user2 = /user2file/ >+ veto files : +group2 = /group2file/ > > [delete_yes_unwrite] > read only = no >-- >2.34.1 > > >From 8b26a8131513d8a56d43d896b4b6277c85e98b03 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Tue, 30 Jul 2024 13:30:21 +0200 >Subject: [PATCH 6/9] lib: Remove per-user support from append_to_namearray > >This is done in check_user_ok now > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688 >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit b5169dd717ed5cf66d1e1e90aaf1a4646f7b5ea5) >--- > source3/lib/util_namearray.c | 39 ------------------------------------ > 1 file changed, 39 deletions(-) 
> >diff --git a/source3/lib/util_namearray.c b/source3/lib/util_namearray.c >index 707ab235b85e..4bd82b6c6261 100644 >--- a/source3/lib/util_namearray.c >+++ b/source3/lib/util_namearray.c >@@ -210,7 +210,6 @@ bool append_to_namearray(TALLOC_CTX *mem_ctx, > size_t len; > char *namelist = NULL; > const char *p = NULL; >- bool ok; > > if ((namelist_in == NULL) || (namelist_in[0] == '\0')) { > return true; >@@ -238,44 +237,6 @@ bool append_to_namearray(TALLOC_CTX *mem_ctx, > continue; > } > >- if (ISDOTDOT(p) && token != NULL) { >- const char *username = NULL; >- bool match; >- >- /* Get the username */ >- p = strv_next(namelist, p); >- if (p == NULL) { >- DBG_ERR("Missing username\n"); >- TALLOC_FREE(namelist); >- return false; >- } >- username = p; >- >- /* Get the filename */ >- p = strv_next(namelist, p); >- if (p == NULL) { >- DBG_ERR("Missing filename after username '%s'\n", >- username); >- TALLOC_FREE(namelist); >- return false; >- } >- >- ok = token_contains_name(talloc_tos(), >- NULL, >- NULL, >- NULL, >- token, >- username, >- &match); >- if (!ok) { >- TALLOC_FREE(namelist); >- return false; >- } >- if (!match) { >- continue; >- } >- } >- > tmp = talloc_realloc(mem_ctx, > name_array, > struct name_compare_entry, >-- >2.34.1 > > >From b4ea4eb5677bdbea562cae4f1f3726d7be1fad9b Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Tue, 30 Jul 2024 13:55:57 +0200 >Subject: [PATCH 7/9] lib: Remove "token" parameter from set_namearray > >Not needed anymore > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688 
>Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit a150714cc64294d75028bac47132084bdf6f72c9) >--- > source3/include/proto.h | 2 -- > source3/lib/util_namearray.c | 4 +--- > source3/modules/vfs_virusfilter.c | 2 -- > source3/smbd/smb2_service.c | 2 -- > source3/smbd/uid.c | 3 --- > source3/torture/test_matching.c | 2 +- > 6 files changed, 2 insertions(+), 13 deletions(-) > >diff --git a/source3/include/proto.h b/source3/include/proto.h >index d7e074b7899c..f398106e5a2f 100644 >--- a/source3/include/proto.h >+++ b/source3/include/proto.h >@@ -328,11 +328,9 @@ bool token_contains_name(TALLOC_CTX *mem_ctx, > bool *match); > bool append_to_namearray(TALLOC_CTX *mem_ctx, > const char *namelist_in, >- const struct security_token *token, > struct name_compare_entry **_name_array); > bool set_namearray(TALLOC_CTX *mem_ctx, > const char *namelist, >- const struct security_token *token, > struct name_compare_entry **_name_array); > bool fcntl_lock(int fd, int op, off_t offset, off_t count, int type); > bool fcntl_getlock(int fd, int op, off_t *poffset, off_t *pcount, int *ptype, pid_t *ppid); >diff --git a/source3/lib/util_namearray.c b/source3/lib/util_namearray.c >index 4bd82b6c6261..1c5b4ac6a0eb 100644 >--- a/source3/lib/util_namearray.c >+++ b/source3/lib/util_namearray.c >@@ -203,7 +203,6 @@ static size_t namearray_len(const struct name_compare_entry *array) > > bool append_to_namearray(TALLOC_CTX *mem_ctx, > const char *namelist_in, >- const struct security_token *token, > struct name_compare_entry **_name_array) > { > struct name_compare_entry *name_array = *_name_array; 
>@@ -260,13 +259,12 @@ bool append_to_namearray(TALLOC_CTX *mem_ctx, > > bool set_namearray(TALLOC_CTX *mem_ctx, > const char *namelist_in, >- const struct security_token *token, > struct name_compare_entry **_name_array) > { > bool ret; > > *_name_array = NULL; > >- ret = append_to_namearray(mem_ctx, namelist_in, token, _name_array); >+ ret = append_to_namearray(mem_ctx, namelist_in, _name_array); > return ret; > } >diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c >index 6d4a6fdb98c1..b566b628ed2f 100644 >--- a/source3/modules/vfs_virusfilter.c >+++ b/source3/modules/vfs_virusfilter.c >@@ -258,7 +258,6 @@ static int virusfilter_vfs_connect( > if (exclude_files != NULL) { > ok = set_namearray(config, > exclude_files, >- NULL, > &config->exclude_files); > if (!ok) { > DBG_ERR("set_namearray failed\n"); >@@ -271,7 +270,6 @@ static int virusfilter_vfs_connect( > if (infected_files != NULL) { > ok = set_namearray(config, > infected_files, >- NULL, > &config->infected_files); > if (!ok) { > DBG_ERR("set_namearray failed\n"); >diff --git a/source3/smbd/smb2_service.c b/source3/smbd/smb2_service.c >index 06c20c167498..b6e8ca54e859 100644 >--- a/source3/smbd/smb2_service.c >+++ b/source3/smbd/smb2_service.c >@@ -755,7 +755,6 @@ NTSTATUS make_connection_snum(struct smbXsrv_connection *xconn, > if (!IS_IPC(conn) && !IS_PRINT(conn)) { > ok = set_namearray(conn, > lp_veto_oplock_files(talloc_tos(), lp_sub, snum), >- NULL, > &conn->veto_oplock_list); > if (!ok) { > status = NT_STATUS_NO_MEMORY; >@@ -763,7 +762,6 @@ NTSTATUS make_connection_snum(struct smbXsrv_connection *xconn, > } > ok = set_namearray(conn, > lp_aio_write_behind(talloc_tos(), lp_sub, snum), >- NULL, > &conn->aio_write_behind_list); > if (!ok) { > status = NT_STATUS_NO_MEMORY; >diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c >index e0e448e3bea9..2f390651a0ef 100644 >--- a/source3/smbd/uid.c >+++ b/source3/smbd/uid.c 
>@@ -241,7 +241,6 @@ static bool scan_file_list_cb(const char *string, > > ok = append_to_namearray(state->mem_ctx, > files, >- NULL, > state->list); > if (!ok) { > goto fail; >@@ -371,7 +370,6 @@ static bool check_user_ok(connection_struct *conn, > > ok = set_namearray(conn, > lp_veto_files(talloc_tos(), lp_sub, snum), >- session_info->security_token, > &ent->veto_list); > if (!ok) { > return false; >@@ -405,7 +403,6 @@ static bool check_user_ok(connection_struct *conn, > > ok = set_namearray(conn, > lp_hide_files(talloc_tos(), lp_sub, snum), >- session_info->security_token, > &ent->hide_list); > if (!ok) { > return false; >diff --git a/source3/torture/test_matching.c b/source3/torture/test_matching.c >index 8ee06e858770..78ecadef2980 100644 >--- a/source3/torture/test_matching.c >+++ b/source3/torture/test_matching.c >@@ -66,7 +66,7 @@ bool run_str_match_mswild(int dummy) > > d_fprintf(stderr, "namelist: %s\n", namelist); > >- ret = set_namearray(talloc_tos(), namelist, NULL, &name_entries); >+ ret = set_namearray(talloc_tos(), namelist, &name_entries); > SMB_ASSERT(ret && name_entries != NULL); > > status = samba_path_matching_mswild_create(talloc_tos(), >-- >2.34.1 > > >From eb0508ec82e5c8cae2d6128d341422056689f598 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Tue, 30 Jul 2024 14:06:21 +0200 >Subject: [PATCH 8/9] docs: Document parametric form of hide and veto files > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688 >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> > >Autobuild-User(master): Stefan Metzmacher <metze@samba.org> >Autobuild-Date(master): Wed Jul 31 09:41:54 UTC 2024 on atb-devel-224 > >(cherry picked from commit 10e9b858a3f9ca8d7e5dfd1c4e1e7937a03db671) >--- > docs-xml/smbdotconf/filename/hidefiles.xml | 29 +++++++++++++++------- > docs-xml/smbdotconf/filename/vetofiles.xml | 29 +++++++++++++++------- > 2 files changed, 40 insertions(+), 18 deletions(-) 
> >diff --git a/docs-xml/smbdotconf/filename/hidefiles.xml b/docs-xml/smbdotconf/filename/hidefiles.xml >index f93885e43a3d..3290f8df8db9 100644 >--- a/docs-xml/smbdotconf/filename/hidefiles.xml >+++ b/docs-xml/smbdotconf/filename/hidefiles.xml >@@ -14,14 +14,22 @@ > as in DOS wildcards.</para> > > <para> >- If a file or directory name is prefixed by "../USERNAME/" >- or "../GROUPNAME/", then the subsequent filename is only hidden for the >- given user or group. Instead of specifying users or groups by name, they >- can also be specified by SID. >+ <smbconfoption name="hide files"/> can also be used as a >+ parametric option where NAME in</para> >+ >+ <para> >+ hide files : NAME = > </para> > >- <para>User and group names use the same format as <smbconfoption >- name="valid users"/>.</para> >+ <para> >+ specifies a user or group name with the same syntax as >+ <smbconfoption name="valid users"/>. This parametric form can >+ be specified multiple times for different users or >+ groups. This means that "hide files : NAME" set both >+ in the [global] and the share section add up, whereas normally >+ options set in a share section overwrite the default in the >+ [global] section. >+ </para> > > <para>Each entry must be a Unix path, not a DOS path and must > not include the Unix directory separator '/'.</para> 
>@@ -46,9 +54,12 @@ > hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/ > > ; Hide some files for anyone and some files for specific users and groups >-hide files = hideforall1/../joe/hideforuserjoe/hideforall2/../students/hideforstudents/hideforall3 >-hide files = ../UNIVERSITY\Alumnis/somefile.txt/../john@university.org/anotherfile.txt >-hide files = ../S-1-5-21-123-456-789-1000/secretfile.txt >+hide files = /hideforall1/ >+hide files : USER = /hidetoforuser/ >+hide files : GROUP = /hideforgroup/ >+hide files : UNIVERSITY\Alumnis = /somefile.txt/ >+hide files : john@university.org = /anotherfile.txt/ >+hide files : S-1-5-21-123-456-789-1000 = /secretfile.txt/ > > </programlisting> > </para> >diff --git a/docs-xml/smbdotconf/filename/vetofiles.xml b/docs-xml/smbdotconf/filename/vetofiles.xml >index e47490ee49dd..e90cf707c2d0 100644 >--- a/docs-xml/smbdotconf/filename/vetofiles.xml >+++ b/docs-xml/smbdotconf/filename/vetofiles.xml >@@ -11,14 +11,22 @@ > </para> > > <para> >- If a file or directory name is prefixed by "../USERNAME/" >- or "../GROUPNAME/", then the subsequent filename is only hidden for the >- given user or group. Instead of specifying users or groups by name, they >- can also be specified by SID. >+ <smbconfoption name="veto files"/> can also be used as a >+ parametric option where NAME in</para> >+ >+ <para> >+ veto files : NAME = > </para> > >- <para>User and group names use the same format as <smbconfoption >- name="valid users"/>.</para> >+ <para> >+ specifies a user or group name with the same syntax as >+ <smbconfoption name="valid users"/>. This parametric form can >+ be specified multiple times for different users or >+ groups. This means that "veto files : NAME" set both >+ in the [global] and the share section add up, whereas normally >+ options set in a share section overwrite the default in the >+ [global] section. >+ </para> > > <para> > Each filename must be a unix path, not a DOS path and must 
>@@ -51,9 +59,12 @@ > veto files = /*Security*/*.tmp/*root*/ > > ; Veto some files for anyone and some files for specific users and groups >-veto files = /vetoforall1/../USER/vetoforuser/vetoforall2/../GROUP/vetoforgroup/vetoforall3/ >-veto files = ../UNIVERSITY\Alumnis/somefile.txt/../john@university.org/anotherfile.txt >-veto files = ../S-1-5-21-123-456-789-1000/secretfile.txt >+veto files = /vetoforall1/ >+veto files : USER = /vetotoforuser/ >+veto files : GROUP = /vetoforgroup/ >+veto files : UNIVERSITY\Alumnis = /somefile.txt/ >+veto files : john@university.org = /anotherfile.txt/ >+veto files : S-1-5-21-123-456-789-1000 = /secretfile.txt/ > > ; Veto the Apple specific files that a NetAtalk server > ; creates. >-- >2.34.1 > > >From faadd2f4d26b1efe689e94d100da1802a81fe32b Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 31 Jul 2024 11:56:35 +0200 >Subject: [PATCH 9/9] WHATSNEW: update the Per-user and group "veto files" and > "hide files" section > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15688 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > WHATSNEW.txt | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > >diff --git a/WHATSNEW.txt b/WHATSNEW.txt >index 99f9f0aa7a69..bf2dbb94b3aa 100644 >--- a/WHATSNEW.txt >+++ b/WHATSNEW.txt >@@ -180,8 +180,10 @@ Per-user and group "veto files" and "hide files" > > "veto files" and "hide files" can optionally be restricted to certain users and > groups. To apply a veto or hide directive to a filename for a specific user or >-group, prefix the filename with "../USERNAME/" or "../GROUPNAME/". For details >-consult the updated smb.conf manpage. >+group, a parametric option like this can be used: >+ hide files : USERNAME = /somefile.txt/ >+ veto files : GROUPNAME = /otherfile.txt/ >+For details consult the updated smb.conf manpage. > > Automatic keytab update after machine password change > ----------------------------------------------------- >-- >2.34.1 >
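Review bot: in PATCH 2/9 the prototype for lp_wi_scan_share_parametrics() added to loadparm.h has no comment describing its return value, although the function returns REG_NOMATCH for an invalid snum. The callers added in PATCH 4/9 treat every non-zero return as fatal ("if ((ret != 0) || !state.ok) { return false; }"), so a bad service number cannot be told apart from a regex error. A short comment above the prototype stating the convention (0 on success, regex error codes otherwise, REG_NOMATCH for a bad snum) would make the contract explicit.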
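Review bot: in PATCH 3/9, append_to_namearray() writes name_array back to *_name_array only on the final success path. If talloc_realloc() has succeeded for one entry and then fails for a later one ("if (tmp == NULL) { return false; }"), the caller's *_name_array still holds the pointer from before the first realloc, which talloc_realloc() may have moved. Assign "*_name_array = name_array;" right after "name_array = tmp;", or do it on the failure path. The early return after path_to_strv() fails also leaves the array just created by talloc_zero() (when *_name_array was NULL) allocated on mem_ctx without any pointer to it being handed back.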
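Review bot: in the scan_file_list_cb() hunk of PATCH 4/9, the callback does not use the value of the entry that matched; it resolves it again with lp_parm_substituted_string(state->mem_ctx, state->lp_sub, state->snum, state->param_type, name, NULL). The callback is driven once from the global scan and once from the share scan, so if that lookup prefers the share value over the global one, a NAME set in both sections appends the share list twice and never the global list, which is not what PATCH 8/9 documents ("add up"). Either pass the matched entry's value into the callback or confirm this case and cover it in the selftest; PATCH 5/9 uses user1/+group1 in one place and user2/+group2 in [veto_files], never the same NAME in both. The two DBG_WARNING messages on the early failure paths would also be easier to act on if they printed the offending key (string), since either one makes the tree connect fail.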
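Review bot: in the check_user_ok() hunks of PATCH 4/9, the patterns "vetofiles:\\(.*\\)" and "hidefiles:\\(.*\\)" have no leading ^. If lp_wi_scan_parametrics() runs regexec() over the whole key, a parametric option whose type merely ends in vetofiles or hidefiles matches as well; when the token contains the captured NAME, the callback then looks up "veto files" : NAME, gets NULL and takes the "goto fail" path, which makes check_user_ok() return false. Anchor both patterns with ^, and consider defining each pattern once, since each literal is repeated for the global and the share scan.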
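Review bot: PATCH 6/9 removes the only ISDOTDOT(p) handling in append_to_namearray(), so a value still written in the old form, such as the "/veto_name*/../user1/user1file/..." line replaced in PATCH 5/9, now falls through to talloc_realloc() and adds "..", the user name and the file name as ordinary entries that apply to every user. A DBG_WARNING when an entry is ".." would let administrators notice a stale configuration instead of silently getting a different veto or hide list.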
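Review bot: in PATCH 8/9 the new examples use "/hidetoforuser/" and "/vetotoforuser/", while the neighbouring entries follow the hidefor... / vetofor... pattern, so these look like typos for "/hideforuser/" and "/vetoforuser/". The new paragraphs also show "hide files : NAME =" and "veto files : NAME =" with nothing after the equals sign; a placeholder for the slash-separated list would make the syntax clearer. The text says that global and share settings "add up" but does not say what happens when the same NAME appears in both sections.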
Flags: vl: review+