Attachment 4986 Details for Bug 6877 – Proposed/untested patch for a suggested change to default_file_sd()

[patch] Proposed/untested patch for a suggested change to default_file_sd()

patch (text/plain), 4.67 KB, created by Barry Sabsevitz (mail address dead) on 2009-11-23 15:22:03 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Barry Sabsevitz (mail address dead)

Created: 2009-11-23 15:22:03 UTC

Size: 4.67 KB

patch

obsolete

>--- vfs_acl_xattr.c.orig	2009-11-23 13:14:38.000000000 -0800
>+++ vfs_acl_xattr.c.tmp	2009-11-23 13:11:18.000000000 -0800
>@@ -275,29 +275,61 @@
> *********************************************************************/
> 
> static struct security_descriptor *default_file_sd(TALLOC_CTX *mem_ctx,
>-						SMB_STRUCT_STAT *psbuf)
>+						SMB_STRUCT_STAT *psbuf,
>+						int force_inherit)
> {
> 	struct dom_sid owner_sid, group_sid;
> 	size_t sd_size;
> 	struct security_ace *pace = NULL;
> 	struct security_acl *pacl = NULL;
> 
>+	/* Create SID for Everyone user - leveraged this code from somewhere 
>+	 * else in Samba.
>+	 */
>+
>+	struct dom_sid  global_sid_World = 		/* Everyone */
>+			{ 1, 1, {0,0,0,0,0,1}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
>+
> 	uid_to_sid(&owner_sid, psbuf->st_uid);
> 	gid_to_sid(&group_sid, psbuf->st_gid);
> 
>-	pace = TALLOC_ARRAY(mem_ctx, struct security_ace, 2);
>+	pace = TALLOC_ARRAY(mem_ctx, struct security_ace, 3);
> 	if (!pace) {
> 		return NULL;
> 	}
> 
>+	/* If force_inherit is set, this means we are initializing the ACEs for
>+	 * a container and that we want the ACEs for owner and system to be
>+	 * inheritable by their children (See Bug #6802). 
>+	 */
>+
> 	init_sec_ace(&pace[0], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
>-			SEC_RIGHTS_FILE_ALL, 0);
>-	init_sec_ace(&pace[1], &global_sid_System, SEC_ACE_TYPE_ACCESS_ALLOWED,
>-			SEC_RIGHTS_FILE_ALL, 0);
>+			SEC_RIGHTS_FILE_ALL, (force_inherit ? 
>+					     (SEC_ACE_FLAG_OBJECT_INHERIT|
>+					     SEC_ACE_FLAG_CONTAINER_INHERIT) : 
>+					     0));
>+
>+	/* Create ACE for Primary group. */
>+	
>+	init_sec_ace(&pace[1], &group_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
>+			(force_inherit ? SEC_RIGHTS_FILE_READ|
>+					 SEC_RIGHTS_FILE_EXECUTE :
>+					 SEC_RIGHTS_FILE_READ), 
>+			(force_inherit ? 
>+					(SEC_ACE_FLAG_OBJECT_INHERIT|
>+				     	SEC_ACE_FLAG_CONTAINER_INHERIT) :
>+					0));
>+
>+	/* Create ACE for Everyone user */
>+	init_sec_ace(&pace[2], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
>+			SEC_RIGHTS_FILE_READ, (force_inherit ? 
>+						(SEC_ACE_FLAG_OBJECT_INHERIT|
>+					     	SEC_ACE_FLAG_CONTAINER_INHERIT) :
>+						0));
> 
> 	pacl = make_sec_acl(mem_ctx,
> 				NT4_ACL_REVISION,
>-				2,
>+				3,
> 				pace);
> 	if (!pacl) {
> 		return NULL;
>@@ -327,6 +359,7 @@
> 	DATA_BLOB blob;
> 	size_t size;
> 	char *parent_name;
>+	int force_inherit = 0;
> 
> 	if (!parent_dirname(ctx, fname, &parent_name, NULL)) {
> 		return NT_STATUS_NO_MEMORY;
>@@ -390,7 +423,29 @@
> 		if (ret == -1) {
> 			return map_nt_error_from_unix(errno);
> 		}
>-		psd = default_file_sd(ctx, &sbuf);
>+
>+		/* If we get here, we could have the following possibilities:
>+		 *	1. No ACLs exist on the parent container.
>+		 *	2. ACLs exist on the parent container but they were
>+		 *	not inheritable.
>+		 *
>+		 *	Check to see if case #1 occurred.
>+		 *
>+		 */
>+		if (container && 
>+			(parent_desc == NULL || parent_desc->dacl == NULL ||
>+			 parent_desc->dacl->num_aces == 0)) {
>+
>+			/* If no parent descriptor exists, then there were
>+			 * no ACLs on the parent and then we must create
>+			 * the ACLs on this newly created folder so that they
>+			 * will be inherited by their children (See Bug #6802).
>+			 */
>+			
>+			force_inherit = 1;
>+		} 
>+
>+		psd = default_file_sd(ctx, &sbuf, force_inherit);
> 		if (!psd) {
> 			return NT_STATUS_NO_MEMORY;
> 		}
>@@ -412,6 +467,8 @@
> 	}
> }
> 
>+	
>+
> /*********************************************************************
>  Check ACL on open. For new files inherit from parent directory.
> *********************************************************************/
>@@ -425,6 +482,9 @@
> 	uint32_t access_granted = 0;
> 	struct security_descriptor *pdesc = NULL;
> 	bool file_existed = true;
>+
>+	DEBUG(10, ("XATTR OPEN OF %s\n", fname));
>+
> 	NTSTATUS status = get_nt_acl_xattr_internal(handle,
> 					NULL,
> 					fname,
>@@ -455,9 +515,12 @@
> 		fname,
> 		nt_errstr(status) ));
> 
>+			
>+
> 	fsp->fh->fd = SMB_VFS_NEXT_OPEN(handle, fname, fsp, flags, mode);
> 
> 	if (!file_existed && fsp->fh->fd != -1) {
>+
> 		/* File was created. Inherit from parent directory. */
> 		string_set(&fsp->fsp_name, fname);
> 		inherit_new_acl(handle, fname, fsp, false);
>@@ -631,6 +694,8 @@
> 		return -1;
> 	}
> 
>+
>+
> 	become_root();
> 	SMB_VFS_REMOVEXATTR(handle->conn, name, XATTR_NTACL_NAME);
> 	unbecome_root();
>@@ -653,6 +718,7 @@
> 		return -1;
> 	}
> 
>+
> 	become_root();
> 	SMB_VFS_FREMOVEXATTR(fsp, XATTR_NTACL_NAME);
> 	unbecome_root();
>@@ -660,6 +726,7 @@
> 	return ret;
> }
> 
>+
> /* VFS operations structure */
> 
> static vfs_op_tuple skel_op_tuples[] =
>@@ -676,7 +743,6 @@
> 	/* POSIX ACL operations. */
> 	{SMB_VFS_OP(sys_acl_set_file_xattr), SMB_VFS_OP_SYS_ACL_SET_FILE, SMB_VFS_LAYER_TRANSPARENT},
> 	{SMB_VFS_OP(sys_acl_set_fd_xattr), SMB_VFS_OP_SYS_ACL_SET_FD, SMB_VFS_LAYER_TRANSPARENT},
>-
> 	{SMB_VFS_OP(NULL), SMB_VFS_OP_NOOP, SMB_VFS_LAYER_NOOP}
> };
>

Actions: View

Attachments on bug 6877: 4986