The Samba-Bugzilla – Attachment 6868 Details for
Bug 7509
smb_acl_to_posix: ACL is invalid for set (Invalid argument)
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
git-am fix for 3.6.1
look (text/plain), 8.20 KB, created by
Jeremy Allison
on 2011-09-08 18:59:03 UTC
(
hide
)
Description:
git-am fix for 3.6.1
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2011-09-08 18:59:03 UTC
Size:
8.20 KB
patch
obsolete
>From a5574cd2f7e9176d793436098d0ef316eeaa8876 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Fri, 2 Sep 2011 11:21:08 -0700 >Subject: [PATCH 1/3] Part 1 of bugfix for bug #7509 - smb_acl_to_posix: ACL is invalid for set (Invalid argument) > >Remove the code I added for bug "6878 - Cannot change ACL's inherit flag". It is incorrect >and causes the POSIX ACL ACL_USER_OBJ duplication. >(cherry picked from commit 2b935b49f3d975759eb1cbcf2b11bf7c9d982804) >--- > source3/smbd/posix_acls.c | 72 --------------------------------------------- > 1 files changed, 0 insertions(+), 72 deletions(-) > >diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c >index 9252ee6..442f743 100644 >--- a/source3/smbd/posix_acls.c >+++ b/source3/smbd/posix_acls.c >@@ -1538,50 +1538,6 @@ static void check_owning_objs(canon_ace *ace, struct dom_sid *pfile_owner_sid, s > } > > /**************************************************************************** >- If an ACE entry is SMB_ACL_USER_OBJ and not CREATOR_OWNER, map to SMB_ACL_USER. >- If an ACE entry is SMB_ACL_GROUP_OBJ and not CREATOR_GROUP, map to SMB_ACL_GROUP >-****************************************************************************/ >- >-static bool dup_owning_ace(canon_ace *dir_ace, canon_ace *ace) >-{ >- /* dir ace must be followings. >- SMB_ACL_USER_OBJ : trustee(CREATOR_OWNER) -> Posix ACL d:u::perm >- SMB_ACL_USER : not trustee -> Posix ACL u:user:perm >- SMB_ACL_USER_OBJ : trustee -> convert to SMB_ACL_USER : trustee >- Posix ACL u:trustee:perm >- >- SMB_ACL_GROUP_OBJ: trustee(CREATOR_GROUP) -> Posix ACL d:g::perm >- SMB_ACL_GROUP : not trustee -> Posix ACL g:group:perm >- SMB_ACL_GROUP_OBJ: trustee -> convert to SMB_ACL_GROUP : trustee >- Posix ACL g:trustee:perm >- */ >- >- if (ace->type == SMB_ACL_USER_OBJ && >- !(dom_sid_equal(&ace->trustee, &global_sid_Creator_Owner))) { >- canon_ace *dup_ace = dup_canon_ace(ace); >- >- if (dup_ace == NULL) { >- return false; >- } >- dup_ace->type = SMB_ACL_USER; >- DLIST_ADD_END(dir_ace, dup_ace, canon_ace *); >- } >- >- if (ace->type == SMB_ACL_GROUP_OBJ && >- !(dom_sid_equal(&ace->trustee, &global_sid_Creator_Group))) { >- canon_ace *dup_ace = dup_canon_ace(ace); >- >- if (dup_ace == NULL) { >- return false; >- } >- dup_ace->type = SMB_ACL_GROUP; >- DLIST_ADD_END(dir_ace, dup_ace, canon_ace *); >- } >- >- return true; >-} >- >-/**************************************************************************** > Unpack a struct security_descriptor into two canonical ace lists. > ****************************************************************************/ > >@@ -1832,34 +1788,6 @@ static bool create_canon_ace_lists(files_struct *fsp, > } > > /* >- * We have a lossy mapping: directory ACE entries >- * CREATOR_OWNER ------\ >- * (map to) +---> SMB_ACL_USER_OBJ >- * owning sid ------/ >- * >- * CREATOR_GROUP ------\ >- * (map to) +---> SMB_ACL_GROUP_OBJ >- * primary group sid --/ >- * >- * on set. And on read of a directory ACL >- * >- * SMB_ACL_USER_OBJ ----> CREATOR_OWNER >- * SMB_ACL_GROUP_OBJ ---> CREATOR_GROUP. >- * >- * Deal with this on set by duplicating >- * owning sid and primary group sid ACE >- * entries into the directory ACL. >- * Fix from Tsukasa Hamano <hamano@osstech.co.jp>. >- */ >- >- if (!dup_owning_ace(dir_ace, current_ace)) { >- DEBUG(0,("create_canon_ace_lists: malloc fail !\n")); >- free_canon_ace_list(file_ace); >- free_canon_ace_list(dir_ace); >- return false; >- } >- >- /* > * If this is not an inherit only ACE we need to add a duplicate > * to the file acl. > */ >-- >1.7.3.1 > > >From e4d5fb489140c144ee15af02e9876b2524436504 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Fri, 2 Sep 2011 11:58:56 -0700 >Subject: [PATCH 2/3] Part 2 of bugfix for bug #7509 - smb_acl_to_posix: ACL is invalid for set (Invalid argument) > >Only map CREATOR_OWNER/CREATOR_GROUP to ACL_USER_OBJ/ACL_GROUP_OBJ in >a default(directory) ACL set. >(cherry picked from commit a5038ace24559bb02eec8262d3af5b5e78634d16) >--- > source3/smbd/posix_acls.c | 38 ++++++++++++++++++++++++++++++++++++++ > 1 files changed, 38 insertions(+), 0 deletions(-) > >diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c >index 442f743..5e407d3 100644 >--- a/source3/smbd/posix_acls.c >+++ b/source3/smbd/posix_acls.c >@@ -1760,6 +1760,7 @@ static bool create_canon_ace_lists(files_struct *fsp, > if ((psa->flags & (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) == > (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) { > >+ canon_ace *current_dir_ace = current_ace; > DLIST_ADD_END(dir_ace, current_ace, canon_ace *); > > /* >@@ -1821,6 +1822,43 @@ static bool create_canon_ace_lists(files_struct *fsp, > */ > current_ace = NULL; > } >+ >+ /* >+ * current_ace is now either owned by file_ace >+ * or is NULL. We can safely operate on current_dir_ace >+ * to treat mapping for default acl entries differently >+ * than access acl entries. >+ */ >+ >+ if (current_dir_ace->owner_type == UID_ACE) { >+ /* >+ * We already decided above this is a uid, >+ * for default acls ace's only CREATOR_OWNER >+ * maps to ACL_USER_OBJ. All other uid >+ * ace's are ACL_USER. >+ */ >+ if (dom_sid_equal(¤t_dir_ace->trustee, >+ &global_sid_Creator_Owner)) { >+ current_dir_ace->type = SMB_ACL_USER_OBJ; >+ } else { >+ current_dir_ace->type = SMB_ACL_USER; >+ } >+ } >+ >+ if (current_dir_ace->owner_type == GID_ACE) { >+ /* >+ * We already decided above this is a gid, >+ * for default acls ace's only CREATOR_GROUP >+ * maps to ACL_GROUP_OBJ. All other uid >+ * ace's are ACL_GROUP. >+ */ >+ if (dom_sid_equal(¤t_dir_ace->trustee, >+ &global_sid_Creator_Group)) { >+ current_dir_ace->type = SMB_ACL_GROUP_OBJ; >+ } else { >+ current_dir_ace->type = SMB_ACL_GROUP; >+ } >+ } > } > } > >-- >1.7.3.1 > > >From de373b987031805e3280b52b3d1d1332abf6de84 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Fri, 2 Sep 2011 12:22:34 -0700 >Subject: [PATCH 3/3] Part 3 of bugfix for bug #7509 - smb_acl_to_posix: ACL is invalid for set (Invalid argument) > >Don't call check_owning_objs() to convert ACL_USER->ACL_USER_OBJ and >AC_GROUP->ACL_GROUP_OBJ for default (directory) ACLs, we do this separately >inside ensure_canon_entry_valid(). >(cherry picked from commit c528fc5cacaae7e0e83041eb98150052b436071e) >--- > source3/smbd/posix_acls.c | 13 ++++++------- > 1 files changed, 6 insertions(+), 7 deletions(-) > >diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c >index 5e407d3..d1e5083 100644 >--- a/source3/smbd/posix_acls.c >+++ b/source3/smbd/posix_acls.c >@@ -1496,6 +1496,7 @@ static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace > Check if a POSIX ACL has the required SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries. > If it does not have them, check if there are any entries where the trustee is the > file owner or the owning group, and map these to SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ. >+ Note we must not do this to default directory ACLs. > ****************************************************************************/ > > static void check_owning_objs(canon_ace *ace, struct dom_sid *pfile_owner_sid, struct dom_sid *pfile_grp_sid) >@@ -1920,17 +1921,15 @@ static bool create_canon_ace_lists(files_struct *fsp, > dir_ace = NULL; > } else { > /* >- * Check if we have SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries in each >- * ACL. If we don't have them, check if any SMB_ACL_USER/SMB_ACL_GROUP >- * entries can be converted to *_OBJ. Usually we will already have these >- * entries in the Default ACL, and the Access ACL will not have them. >+ * Check if we have SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries in >+ * the file ACL. If we don't have them, check if any SMB_ACL_USER/SMB_ACL_GROUP >+ * entries can be converted to *_OBJ. Don't do this for the default >+ * ACL, we will create them separately for this if needed inside >+ * ensure_canon_entry_valid(). > */ > if (file_ace) { > check_owning_objs(file_ace, pfile_owner_sid, pfile_grp_sid); > } >- if (dir_ace) { >- check_owning_objs(dir_ace, pfile_owner_sid, pfile_grp_sid); >- } > } > > *ppfile_ace = file_ace; >-- >1.7.3.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
metze
:
review+
obnox
:
review+
Actions:
View
Attachments on
bug 7509
:
5789
|
6787
|
6853
|
6854
|
6864
|
6865
| 6868 |
6869