Attachment 6868 Details for Bug 7509 – git-am fix for 3.6.1

[patch] git-am fix for 3.6.1

look (text/plain), 8.20 KB, created by Jeremy Allison on 2011-09-08 18:59:03 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Jeremy Allison

Created: 2011-09-08 18:59:03 UTC

Size: 8.20 KB

patch

obsolete

>From a5574cd2f7e9176d793436098d0ef316eeaa8876 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Fri, 2 Sep 2011 11:21:08 -0700
>Subject: [PATCH 1/3] Part 1 of bugfix for bug #7509 - smb_acl_to_posix: ACL is invalid for set (Invalid argument)
>
>Remove the code I added for bug "6878 - Cannot change ACL's inherit flag". It is incorrect
>and causes the POSIX ACL ACL_USER_OBJ duplication.
>(cherry picked from commit 2b935b49f3d975759eb1cbcf2b11bf7c9d982804)
>---
> source3/smbd/posix_acls.c |   72 ---------------------------------------------
> 1 files changed, 0 insertions(+), 72 deletions(-)
>
>diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
>index 9252ee6..442f743 100644
>--- a/source3/smbd/posix_acls.c
>+++ b/source3/smbd/posix_acls.c
>@@ -1538,50 +1538,6 @@ static void check_owning_objs(canon_ace *ace, struct dom_sid *pfile_owner_sid, s
> }
> 
> /****************************************************************************
>- If an ACE entry is SMB_ACL_USER_OBJ and not CREATOR_OWNER, map to SMB_ACL_USER.
>- If an ACE entry is SMB_ACL_GROUP_OBJ and not CREATOR_GROUP, map to SMB_ACL_GROUP
>-****************************************************************************/
>-
>-static bool dup_owning_ace(canon_ace *dir_ace, canon_ace *ace)
>-{
>-	/* dir ace must be followings.
>-	   SMB_ACL_USER_OBJ : trustee(CREATOR_OWNER) -> Posix ACL d:u::perm
>-	   SMB_ACL_USER     : not trustee    -> Posix ACL u:user:perm
>-	   SMB_ACL_USER_OBJ : trustee -> convert to SMB_ACL_USER : trustee
>-	   Posix ACL u:trustee:perm
>-
>-	   SMB_ACL_GROUP_OBJ: trustee(CREATOR_GROUP) -> Posix ACL d:g::perm
>-	   SMB_ACL_GROUP    : not trustee   -> Posix ACL g:group:perm
>-	   SMB_ACL_GROUP_OBJ: trustee -> convert to SMB_ACL_GROUP : trustee
>-	   Posix ACL g:trustee:perm
>-	*/
>-
>-	if (ace->type == SMB_ACL_USER_OBJ &&
>-			!(dom_sid_equal(&ace->trustee, &global_sid_Creator_Owner))) {
>-		canon_ace *dup_ace = dup_canon_ace(ace);
>-
>-		if (dup_ace == NULL) {
>-			return false;
>-		}
>-		dup_ace->type = SMB_ACL_USER;
>-		DLIST_ADD_END(dir_ace, dup_ace, canon_ace *);
>-	}
>-
>-	if (ace->type == SMB_ACL_GROUP_OBJ &&
>-			!(dom_sid_equal(&ace->trustee, &global_sid_Creator_Group))) {
>-		canon_ace *dup_ace = dup_canon_ace(ace);
>-
>-		if (dup_ace == NULL) {
>-			return false;
>-		}
>-		dup_ace->type = SMB_ACL_GROUP;
>-		DLIST_ADD_END(dir_ace, dup_ace, canon_ace *);
>-	}
>-
>-	return true;
>-}
>-
>-/****************************************************************************
>  Unpack a struct security_descriptor into two canonical ace lists.
> ****************************************************************************/
> 
>@@ -1832,34 +1788,6 @@ static bool create_canon_ace_lists(files_struct *fsp,
> 				}
> 
> 				/*
>-				 * We have a lossy mapping: directory ACE entries
>-				 * CREATOR_OWNER ------\
>-				 *     (map to)         +---> SMB_ACL_USER_OBJ
>-				 * owning sid    ------/
>-				 *
>-				 * CREATOR_GROUP ------\
>-				 *     (map to)         +---> SMB_ACL_GROUP_OBJ
>-				 * primary group sid --/
>-				 *
>-				 * on set. And on read of a directory ACL
>-				 *
>-				 * SMB_ACL_USER_OBJ ----> CREATOR_OWNER
>-				 * SMB_ACL_GROUP_OBJ ---> CREATOR_GROUP.
>-				 *
>-				 * Deal with this on set by duplicating
>-				 * owning sid and primary group sid ACE
>-				 * entries into the directory ACL.
>-				 * Fix from Tsukasa Hamano <hamano@osstech.co.jp>.
>-				 */
>-
>-				if (!dup_owning_ace(dir_ace, current_ace)) {
>-					DEBUG(0,("create_canon_ace_lists: malloc fail !\n"));
>-					free_canon_ace_list(file_ace);
>-					free_canon_ace_list(dir_ace);
>-					return false;
>-				}
>-
>-				/*
> 				 * If this is not an inherit only ACE we need to add a duplicate
> 				 * to the file acl.
> 				 */
>-- 
>1.7.3.1
>
>
>From e4d5fb489140c144ee15af02e9876b2524436504 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Fri, 2 Sep 2011 11:58:56 -0700
>Subject: [PATCH 2/3] Part 2 of bugfix for bug #7509 - smb_acl_to_posix: ACL is invalid for set (Invalid argument)
>
>Only map CREATOR_OWNER/CREATOR_GROUP to ACL_USER_OBJ/ACL_GROUP_OBJ in
>a default(directory) ACL set.
>(cherry picked from commit a5038ace24559bb02eec8262d3af5b5e78634d16)
>---
> source3/smbd/posix_acls.c |   38 ++++++++++++++++++++++++++++++++++++++
> 1 files changed, 38 insertions(+), 0 deletions(-)
>
>diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
>index 442f743..5e407d3 100644
>--- a/source3/smbd/posix_acls.c
>+++ b/source3/smbd/posix_acls.c
>@@ -1760,6 +1760,7 @@ static bool create_canon_ace_lists(files_struct *fsp,
> 			if ((psa->flags & (SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) ==
> 				(SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT)) {
> 
>+				canon_ace *current_dir_ace = current_ace;
> 				DLIST_ADD_END(dir_ace, current_ace, canon_ace *);
> 
> 				/*
>@@ -1821,6 +1822,43 @@ static bool create_canon_ace_lists(files_struct *fsp,
> 					 */
> 					current_ace = NULL;
> 				}
>+
>+				/*
>+				 * current_ace is now either owned by file_ace
>+				 * or is NULL. We can safely operate on current_dir_ace
>+				 * to treat mapping for default acl entries differently
>+				 * than access acl entries.
>+				 */
>+
>+				if (current_dir_ace->owner_type == UID_ACE) {
>+					/*
>+					 * We already decided above this is a uid,
>+					 * for default acls ace's only CREATOR_OWNER
>+					 * maps to ACL_USER_OBJ. All other uid
>+					 * ace's are ACL_USER.
>+					 */
>+					if (dom_sid_equal(&current_dir_ace->trustee,
>+							&global_sid_Creator_Owner)) {
>+						current_dir_ace->type = SMB_ACL_USER_OBJ;
>+					} else {
>+						current_dir_ace->type = SMB_ACL_USER;
>+					}
>+				}
>+
>+				if (current_dir_ace->owner_type == GID_ACE) {
>+					/*
>+					 * We already decided above this is a gid,
>+					 * for default acls ace's only CREATOR_GROUP
>+					 * maps to ACL_GROUP_OBJ. All other uid
>+					 * ace's are ACL_GROUP.
>+					 */
>+					if (dom_sid_equal(&current_dir_ace->trustee,
>+							&global_sid_Creator_Group)) {
>+						current_dir_ace->type = SMB_ACL_GROUP_OBJ;
>+					} else {
>+						current_dir_ace->type = SMB_ACL_GROUP;
>+					}
>+				}
> 			}
> 		}
> 
>-- 
>1.7.3.1
>
>
>From de373b987031805e3280b52b3d1d1332abf6de84 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Fri, 2 Sep 2011 12:22:34 -0700
>Subject: [PATCH 3/3] Part 3 of bugfix for bug #7509 - smb_acl_to_posix: ACL is invalid for set (Invalid argument)
>
>Don't call check_owning_objs() to convert ACL_USER->ACL_USER_OBJ and
>AC_GROUP->ACL_GROUP_OBJ for default (directory) ACLs, we do this separately
>inside ensure_canon_entry_valid().
>(cherry picked from commit c528fc5cacaae7e0e83041eb98150052b436071e)
>---
> source3/smbd/posix_acls.c |   13 ++++++-------
> 1 files changed, 6 insertions(+), 7 deletions(-)
>
>diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
>index 5e407d3..d1e5083 100644
>--- a/source3/smbd/posix_acls.c
>+++ b/source3/smbd/posix_acls.c
>@@ -1496,6 +1496,7 @@ static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace
>  Check if a POSIX ACL has the required SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries.
>  If it does not have them, check if there are any entries where the trustee is the
>  file owner or the owning group, and map these to SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ.
>+ Note we must not do this to default directory ACLs.
> ****************************************************************************/
> 
> static void check_owning_objs(canon_ace *ace, struct dom_sid *pfile_owner_sid, struct dom_sid *pfile_grp_sid)
>@@ -1920,17 +1921,15 @@ static bool create_canon_ace_lists(files_struct *fsp,
> 		dir_ace = NULL;
> 	} else {
> 		/*
>-		 * Check if we have SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries in each
>-		 * ACL. If we don't have them, check if any SMB_ACL_USER/SMB_ACL_GROUP
>-		 * entries can be converted to *_OBJ. Usually we will already have these
>-		 * entries in the Default ACL, and the Access ACL will not have them.
>+		 * Check if we have SMB_ACL_USER_OBJ and SMB_ACL_GROUP_OBJ entries in
>+		 * the file ACL. If we don't have them, check if any SMB_ACL_USER/SMB_ACL_GROUP
>+		 * entries can be converted to *_OBJ. Don't do this for the default
>+		 * ACL, we will create them separately for this if needed inside
>+		 * ensure_canon_entry_valid().
> 		 */
> 		if (file_ace) {
> 			check_owning_objs(file_ace, pfile_owner_sid, pfile_grp_sid);
> 		}
>-		if (dir_ace) {
>-			check_owning_objs(dir_ace, pfile_owner_sid, pfile_grp_sid);
>-		}
> 	}
> 
> 	*ppfile_ace = file_ace;
>-- 
>1.7.3.1
>

Flags:

metze: review+
obnox: review+

Actions: View

Attachments on bug 7509: 5789 | 6787 | 6853 | 6854 | 6864 | 6865 | 6868 | 6869