The Samba-Bugzilla – Attachment 4986 Details for
Bug 6877
enhancement: acl_xattr module default acls created in default_file_sd
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Proposed/untested patch for a suggested change to default_file_sd()
patch (text/plain), 4.67 KB, created by
Barry Sabsevitz (mail address dead)
on 2009-11-23 15:22:03 UTC
(
hide
)
Description:
Proposed/untested patch for a suggested change to default_file_sd()
Filename:
MIME Type:
Creator:
Barry Sabsevitz (mail address dead)
Created:
2009-11-23 15:22:03 UTC
Size:
4.67 KB
patch
obsolete
>--- vfs_acl_xattr.c.orig 2009-11-23 13:14:38.000000000 -0800 >+++ vfs_acl_xattr.c.tmp 2009-11-23 13:11:18.000000000 -0800 >@@ -275,29 +275,61 @@ > *********************************************************************/ > > static struct security_descriptor *default_file_sd(TALLOC_CTX *mem_ctx, >- SMB_STRUCT_STAT *psbuf) >+ SMB_STRUCT_STAT *psbuf, >+ int force_inherit) > { > struct dom_sid owner_sid, group_sid; > size_t sd_size; > struct security_ace *pace = NULL; > struct security_acl *pacl = NULL; > >+ /* Create SID for Everyone user - leveraged this code from somewhere >+ * else in Samba. >+ */ >+ >+ struct dom_sid global_sid_World = /* Everyone */ >+ { 1, 1, {0,0,0,0,0,1}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; >+ > uid_to_sid(&owner_sid, psbuf->st_uid); > gid_to_sid(&group_sid, psbuf->st_gid); > >- pace = TALLOC_ARRAY(mem_ctx, struct security_ace, 2); >+ pace = TALLOC_ARRAY(mem_ctx, struct security_ace, 3); > if (!pace) { > return NULL; > } > >+ /* If force_inherit is set, this means we are initializing the ACEs for >+ * a container and that we want the ACEs for owner and system to be >+ * inheritable by their children (See Bug #6802). >+ */ >+ > init_sec_ace(&pace[0], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, >- SEC_RIGHTS_FILE_ALL, 0); >- init_sec_ace(&pace[1], &global_sid_System, SEC_ACE_TYPE_ACCESS_ALLOWED, >- SEC_RIGHTS_FILE_ALL, 0); >+ SEC_RIGHTS_FILE_ALL, (force_inherit ? >+ (SEC_ACE_FLAG_OBJECT_INHERIT| >+ SEC_ACE_FLAG_CONTAINER_INHERIT) : >+ 0)); >+ >+ /* Create ACE for Primary group. */ >+ >+ init_sec_ace(&pace[1], &group_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, >+ (force_inherit ? SEC_RIGHTS_FILE_READ| >+ SEC_RIGHTS_FILE_EXECUTE : >+ SEC_RIGHTS_FILE_READ), >+ (force_inherit ? >+ (SEC_ACE_FLAG_OBJECT_INHERIT| >+ SEC_ACE_FLAG_CONTAINER_INHERIT) : >+ 0)); >+ >+ /* Create ACE for Everyone user */ >+ init_sec_ace(&pace[2], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, >+ SEC_RIGHTS_FILE_READ, (force_inherit ? >+ (SEC_ACE_FLAG_OBJECT_INHERIT| >+ SEC_ACE_FLAG_CONTAINER_INHERIT) : >+ 0)); > > pacl = make_sec_acl(mem_ctx, > NT4_ACL_REVISION, >- 2, >+ 3, > pace); > if (!pacl) { > return NULL; >@@ -327,6 +359,7 @@ > DATA_BLOB blob; > size_t size; > char *parent_name; >+ int force_inherit = 0; > > if (!parent_dirname(ctx, fname, &parent_name, NULL)) { > return NT_STATUS_NO_MEMORY; >@@ -390,7 +423,29 @@ > if (ret == -1) { > return map_nt_error_from_unix(errno); > } >- psd = default_file_sd(ctx, &sbuf); >+ >+ /* If we get here, we could have the following possibilities: >+ * 1. No ACLs exist on the parent container. >+ * 2. ACLs exist on the parent container but they were >+ * not inheritable. >+ * >+ * Check to see if case #1 occurred. >+ * >+ */ >+ if (container && >+ (parent_desc == NULL || parent_desc->dacl == NULL || >+ parent_desc->dacl->num_aces == 0)) { >+ >+ /* If no parent descriptor exists, then there were >+ * no ACLs on the parent and then we must create >+ * the ACLs on this newly created folder so that they >+ * will be inherited by their children (See Bug #6802). >+ */ >+ >+ force_inherit = 1; >+ } >+ >+ psd = default_file_sd(ctx, &sbuf, force_inherit); > if (!psd) { > return NT_STATUS_NO_MEMORY; > } >@@ -412,6 +467,8 @@ > } > } > >+ >+ > /********************************************************************* > Check ACL on open. For new files inherit from parent directory. > *********************************************************************/ >@@ -425,6 +482,9 @@ > uint32_t access_granted = 0; > struct security_descriptor *pdesc = NULL; > bool file_existed = true; >+ >+ DEBUG(10, ("XATTR OPEN OF %s\n", fname)); >+ > NTSTATUS status = get_nt_acl_xattr_internal(handle, > NULL, > fname, >@@ -455,9 +515,12 @@ > fname, > nt_errstr(status) )); > >+ >+ > fsp->fh->fd = SMB_VFS_NEXT_OPEN(handle, fname, fsp, flags, mode); > > if (!file_existed && fsp->fh->fd != -1) { >+ > /* File was created. Inherit from parent directory. */ > string_set(&fsp->fsp_name, fname); > inherit_new_acl(handle, fname, fsp, false); >@@ -631,6 +694,8 @@ > return -1; > } > >+ >+ > become_root(); > SMB_VFS_REMOVEXATTR(handle->conn, name, XATTR_NTACL_NAME); > unbecome_root(); >@@ -653,6 +718,7 @@ > return -1; > } > >+ > become_root(); > SMB_VFS_FREMOVEXATTR(fsp, XATTR_NTACL_NAME); > unbecome_root(); >@@ -660,6 +726,7 @@ > return ret; > } > >+ > /* VFS operations structure */ > > static vfs_op_tuple skel_op_tuples[] = >@@ -676,7 +743,6 @@ > /* POSIX ACL operations. */ > {SMB_VFS_OP(sys_acl_set_file_xattr), SMB_VFS_OP_SYS_ACL_SET_FILE, SMB_VFS_LAYER_TRANSPARENT}, > {SMB_VFS_OP(sys_acl_set_fd_xattr), SMB_VFS_OP_SYS_ACL_SET_FD, SMB_VFS_LAYER_TRANSPARENT}, >- > {SMB_VFS_OP(NULL), SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP} > }; >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 6877
: 4986