The Samba-Bugzilla – Attachment 7979 Details for
Bug 9190
Regression (change in behavior) of default acl masks
[patch]
git-am fix for 4.0.0rc3
look (text/plain), 11.73 KB, created by
Jeremy Allison
on 2012-10-02 18:50:36 UTC
Description:
git-am fix for 4.0.0rc3
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2012-10-02 18:50:36 UTC
Size:
11.73 KB
patch
obsolete
>From 1f4a0fb5e55609285e99583f0317a0c2c810efa7 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Tue, 2 Oct 2012 09:21:17 -0700
>Subject: [PATCH 1/6] Reformat spacing to be even.
>
>---
> source3/smbd/posix_acls.c | 15 ++++++++-------
> 1 files changed, 8 insertions(+), 7 deletions(-)
>
>diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
>index 016acf4..531313b 100644
>--- a/source3/smbd/posix_acls.c
>+++ b/source3/smbd/posix_acls.c
>@@ -1351,13 +1351,14 @@ static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, cano
> type.
> ****************************************************************************/
>
>-static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace,
>- const struct share_params *params,
>- const bool is_directory,
>- const struct dom_sid *pfile_owner_sid,
>- const struct dom_sid *pfile_grp_sid,
>- const SMB_STRUCT_STAT *pst,
>- bool setting_acl)
>+static bool ensure_canon_entry_valid(connection_struct *conn,
>+ canon_ace **pp_ace,
>+ const struct share_params *params,
>+ const bool is_directory,
>+ const struct dom_sid *pfile_owner_sid,
>+ const struct dom_sid *pfile_grp_sid,
>+ const SMB_STRUCT_STAT *pst,
>+ bool setting_acl)
> {
> canon_ace *pace;
> canon_ace *pace_user = NULL;
>--
>1.7.7.3
>
>
>From 2768f6c7f9c88e76842fe763d509eb51a92d6c92 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Tue, 2 Oct 2012 09:55:09 -0700
>Subject: [PATCH 2/6] Use is_default_acl variable in canonicalise_acl().
>
>---
> source3/smbd/posix_acls.c | 5 +++--
> 1 files changed, 3 insertions(+), 2 deletions(-)
>
>diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
>index 531313b..b74c1b2 100644
>--- a/source3/smbd/posix_acls.c
>+++ b/source3/smbd/posix_acls.c
>@@ -2629,6 +2629,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
> canon_ace *ace = NULL;
> canon_ace *next_ace = NULL;
> int entry_id = SMB_ACL_FIRST_ENTRY;
>+ bool is_default_acl = (the_acl_type == SMB_ACL_TYPE_DEFAULT);
> SMB_ACL_ENTRY_T entry;
> size_t ace_count;
>
>@@ -2719,7 +2720,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
> ace->trustee = sid;
> ace->unix_ug = unix_ug;
> ace->owner_type = owner_type;
>- ace->ace_flags = get_pai_flags(pal, ace, (the_acl_type == SMB_ACL_TYPE_DEFAULT));
>+ ace->ace_flags = get_pai_flags(pal, ace, is_default_acl);
>
> DLIST_ADD(l_head, ace);
> }
>@@ -2738,7 +2739,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
> * acl_mask. Ensure all DENY Entries are at the start of the list.
> */
>
>- DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", the_acl_type == SMB_ACL_TYPE_ACCESS ? "Access" : "Default" ));
>+ DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", is_default_acl ? "Default" : "Access"));
>
> for ( ace_count = 0, ace = l_head; ace; ace = next_ace, ace_count++) {
> next_ace = ace->next;
>--
>1.7.7.3
>
>
>From 776f50b0ab6788efe6d23c1d7f214ad20ed1720a Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Tue, 2 Oct 2012 10:12:45 -0700
>Subject: [PATCH 3/6] Only apply masks on non-default ACL entries when setting
> the ACL.
>
>---
> source3/smbd/posix_acls.c | 28 +++++++++++++++++++---------
> 1 files changed, 19 insertions(+), 9 deletions(-)
>
>diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
>index b74c1b2..125234c 100644
>--- a/source3/smbd/posix_acls.c
>+++ b/source3/smbd/posix_acls.c
>@@ -1353,6 +1353,7 @@ static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, cano
>
> static bool ensure_canon_entry_valid(connection_struct *conn,
> canon_ace **pp_ace,
>+ bool is_default_acl,
> const struct share_params *params,
> const bool is_directory,
> const struct dom_sid *pfile_owner_sid,
>@@ -1368,8 +1369,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
> for (pace = *pp_ace; pace; pace = pace->next) {
> if (pace->type == SMB_ACL_USER_OBJ) {
>
>- if (setting_acl)
>+ if (setting_acl && !is_default_acl) {
> apply_default_perms(params, is_directory, pace, S_IRUSR);
>+ }
> pace_user = pace;
>
> } else if (pace->type == SMB_ACL_GROUP_OBJ) {
>@@ -1378,8 +1380,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
> * Ensure create mask/force create mode is respected on set.
> */
>
>- if (setting_acl)
>+ if (setting_acl && !is_default_acl) {
> apply_default_perms(params, is_directory, pace, S_IRGRP);
>+ }
> pace_group = pace;
>
> } else if (pace->type == SMB_ACL_OTHER) {
>@@ -1388,8 +1391,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
> * Ensure create mask/force create mode is respected on set.
> */
>
>- if (setting_acl)
>+ if (setting_acl && !is_default_acl) {
> apply_default_perms(params, is_directory, pace, S_IROTH);
>+ }
> pace_other = pace;
> }
> }
>@@ -1438,7 +1442,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
> pace->perms = pace_other->perms;
> }
>
>- apply_default_perms(params, is_directory, pace, S_IRUSR);
>+ if (!is_default_acl) {
>+ apply_default_perms(params, is_directory, pace, S_IRUSR);
>+ }
> } else {
> pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRUSR, S_IWUSR, S_IXUSR);
> }
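Review bot: The new `is_default_acl` parameter added to ensure_canon_entry_valid() in the @@ -1353 hunk is undocumented, and with it every default-ACL entry now skips apply_default_perms() on set, so nothing in this function bounds what a client can store in a directory's default ACL. The header comment above the function (it starts outside these hunks) should record that, for example `is_default_acl: true for a directory default ACL; masks are not applied to these entries here and are expected to be enforced when the ACL is inherited by a new object`. The same guard is repeated in the @@ -1368, @@ -1378, @@ -1388, @@ -1438, @@ -1466 and @@ -1490 hunks, so one explanatory comment at the top is enough. Whether create-time enforcement really covers every inherited entry cannot be confirmed from the lines shown.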
>@@ -1466,7 +1472,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
> pace->perms = pace_other->perms;
> else
> pace->perms = 0;
>- apply_default_perms(params, is_directory, pace, S_IRGRP);
>+ if (!is_default_acl) {
>+ apply_default_perms(params, is_directory, pace, S_IRGRP);
>+ }
> } else {
> pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRGRP, S_IWGRP, S_IXGRP);
> }
>@@ -1490,7 +1498,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
> pace->attr = ALLOW_ACE;
> if (setting_acl) {
> pace->perms = 0;
>- apply_default_perms(params, is_directory, pace, S_IROTH);
>+ if (!is_default_acl) {
>+ apply_default_perms(params, is_directory, pace, S_IROTH);
>+ }
> } else
> pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IROTH, S_IWOTH, S_IXOTH);
>
>@@ -2531,7 +2541,7 @@ static bool unpack_canon_ace(files_struct *fsp,
>
> print_canon_ace_list( "file ace - before valid", file_ace);
>
>- if (!ensure_canon_entry_valid(fsp->conn, &file_ace, fsp->conn->params,
>+ if (!ensure_canon_entry_valid(fsp->conn, &file_ace, false, fsp->conn->params,
> fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
> free_canon_ace_list(file_ace);
> free_canon_ace_list(dir_ace);
>@@ -2540,7 +2550,7 @@ static bool unpack_canon_ace(files_struct *fsp,
>
> print_canon_ace_list( "dir ace - before valid", dir_ace);
>
>- if (dir_ace && !ensure_canon_entry_valid(fsp->conn, &dir_ace, true, fsp->conn->params,
>+ if (dir_ace && !ensure_canon_entry_valid(fsp->conn, &dir_ace, true, fsp->conn->params,
> fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
> free_canon_ace_list(file_ace);
> free_canon_ace_list(dir_ace);
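Review bot: The two unpack_canon_ace() call sites in the @@ -2531 and @@ -2540 hunks pass a bare `false` / `true` for is_default_acl in the same argument list as the legacy `True` for setting_acl, and two positional booleans with different meanings are easy to transpose in a function that decides whether permission masks are applied. Tag each literal at the call, e.g. `&file_ace, false /* is_default_acl */, fsp->conn->params,` and `&dir_ace, true /* is_default_acl */, fsp->conn->params,`. Both calls sit inside unpack_canon_ace(), whose body starts and ends outside these hunks.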
>@@ -2729,7 +2739,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
> * This next call will ensure we have at least a user/group/world set.
> */
>
>- if (!ensure_canon_entry_valid(conn, &l_head, conn->params,
>+ if (!ensure_canon_entry_valid(conn, &l_head, is_default_acl, conn->params,
> S_ISDIR(psbuf->st_ex_mode), powner, pgroup,
> psbuf, False))
> goto fail;
>--
>1.7.7.3
>
>
>From 23191b3ea6ec77df86cec68fe01cba7c81a43f0a Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Tue, 2 Oct 2012 10:15:54 -0700
>Subject: [PATCH 4/6] When setting a non-default ACL, don't forget to apply
> masks to SMB_ACL_USER and SMB_ACL_GROUP entries.
>
>---
> source3/smbd/posix_acls.c | 10 ++++++++++
> 1 files changed, 10 insertions(+), 0 deletions(-)
>
>diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
>index 125234c..b00f1ec 100644
>--- a/source3/smbd/posix_acls.c
>+++ b/source3/smbd/posix_acls.c
>@@ -1395,6 +1395,16 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
> apply_default_perms(params, is_directory, pace, S_IROTH);
> }
> pace_other = pace;
>+
>+ } else if (pace->type == SMB_ACL_USER || pace->type == SMB_ACL_GROUP) {
>+
>+ /*
>+ * Ensure create mask/force create mode is respected on set.
>+ */
>+
>+ if (setting_acl && !is_default_acl) {
>+ apply_default_perms(params, is_directory, pace, S_IRGRP);
>+ }
> }
> }
>
>--
>1.7.7.3
>
>
>From 6a9b5c0c0f5e1bb1e14a56a215588295193b44dd Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Tue, 2 Oct 2012 10:22:39 -0700
>Subject: [PATCH 5/6] Add functions to programatically set the security mask
> and directory security mask parameters.
>
>---
> source3/include/proto.h | 2 ++
> source3/param/loadparm.c | 14 ++++++++++++++
> 2 files changed, 16 insertions(+), 0 deletions(-)
>
>diff --git a/source3/include/proto.h b/source3/include/proto.h
>index b3fa55a..e42c33d 100644
>--- a/source3/include/proto.h
>+++ b/source3/include/proto.h
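Review bot: In the @@ -1395 hunk of patch 4/6 the new branch masks named-user (SMB_ACL_USER) and named-group (SMB_ACL_GROUP) entries with the `S_IRGRP` selector, but the copied comment does not say why group-class bits are used for user entries. If apply_default_perms() also ORs in force-mode bits, as the comment's mention of "force create mode" suggests, every named entry a client sets would gain those bits, including entries meant to restrict a trustee; its body is not visible here, so this needs confirming. A comment such as `/* Named user/group entries are bounded by the group bits of the mask. */` would record the intent, and the force bits should either be excluded for these entries or documented as intended. The enclosing loop in ensure_canon_entry_valid() starts outside the hunk.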
>@@ -1188,6 +1188,8 @@ bool lp_getwd_cache(void);
> int lp_srv_maxprotocol(void);
> int lp_srv_minprotocol(void);
> int lp_security(void);
>+int lp_set_security_mask(int snum, int new_val);
>+int lp_set_directory_security_mask(int snum, int new_mask);
> int lp__server_role(void);
> int lp__security(void);
> int lp__domain_master(void);
>diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
>index 61606ce..960a644 100644
>--- a/source3/param/loadparm.c
>+++ b/source3/param/loadparm.c
>@@ -5476,3 +5476,17 @@ int lp_security(void)
> return lp_find_security(lp__server_role(),
> lp__security());
> }
>+
>+int lp_set_security_mask(int snum, int new_val)
>+{
>+ int ret = ServicePtrs[snum]->iSecurity_mask;
>+ ServicePtrs[snum]->iSecurity_mask = new_val;
>+ return ret;
>+}
>+
>+int lp_set_directory_security_mask(int snum, int new_val)
>+{
>+ int ret = ServicePtrs[snum]->iDir_Security_mask;
>+ ServicePtrs[snum]->iDir_Security_mask = new_val;
>+ return ret;
>+}
>--
>1.7.7.3
>
>
>From d27b00c589f89699dc3714345827069fd228ab9d Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Tue, 2 Oct 2012 10:25:14 -0700
>Subject: [PATCH 6/6] When creating a new file/directory, we need to obey the
> create mask/directory mask parameters.
>
>Currently we call FSET_NT_ACL to inherit any ACLs on create. However
>FSET_NT_ACL uses the security mask/directory security mask parameters
>instead of the create mask/directory mask parameters.
>
>Swap them temporarily when creating to ensure the correct masks
>are applied.
>---
> source3/smbd/open.c | 15 +++++++++++++++
> 1 files changed, 15 insertions(+), 0 deletions(-)
>
>diff --git a/source3/smbd/open.c b/source3/smbd/open.c
>index d4babd4..bea4d99 100644
>--- a/source3/smbd/open.c
>+++ b/source3/smbd/open.c
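Review bot: Both setters added in the loadparm.c hunk (@@ -5476) index `ServicePtrs[snum]` without checking that snum is in range or that the slot is populated, so a negative or stale service number becomes an out-of-bounds read and write of a permission mask. Validate snum before the dereference, using whatever validity check the file's other per-share accessors use, and state the contract in a header comment such as `/* Sets the share's security mask; returns the previous value so the caller can restore it. */`. The prototype in the proto.h hunk names the second argument of lp_set_directory_security_mask() `new_mask` while the definition uses `new_val`; pick one name.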
>@@ -3436,6 +3436,9 @@ static NTSTATUS inherit_new_acl(files_struct *fsp)
> bool inherit_owner = lp_inherit_owner(SNUM(fsp->conn));
> bool inheritable_components = false;
> size_t size = 0;
>+ int orig_security_mask = 0;
>+ int orig_directory_security_mask = 0;
>+ int snum = SNUM(fsp->conn);
>
> if (!parent_dirname(ctx, fsp->fsp_name->base_name, &parent_name, NULL)) {
> return NT_STATUS_NO_MEMORY;
>@@ -3506,6 +3509,14 @@ static NTSTATUS inherit_new_acl(files_struct *fsp)
> NDR_PRINT_DEBUG(security_descriptor, psd);
> }
>
>+ /* Temporarily replace the security masks with the create masks,
>+ as we're actually doing a create here - we only call this
>+ when we've created a file or directory - but there's no
>+ way for FSET_NT_ACL to know the difference. */
>+
>+ orig_security_mask = lp_set_security_mask(snum, lp_create_mask(snum));
>+ orig_directory_security_mask = lp_set_directory_security_mask(snum, lp_dir_mask(snum));
>+
> if (inherit_owner) {
> /* We need to be root to force this. */
> become_root();
>@@ -3516,6 +3527,10 @@ static NTSTATUS inherit_new_acl(files_struct *fsp)
> if (inherit_owner) {
> unbecome_root();
> }
>+
>+ (void)lp_set_security_mask(snum, orig_security_mask);
>+ (void)lp_set_directory_security_mask(snum, orig_directory_security_mask);
>+
> return status;
> }
>
>--
>1.7.7.3
>
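Review bot: The swap in the @@ -3506 hunk overwrites the share's live security mask and directory security mask and relies on the @@ -3516 hunk to put them back, so any return or configuration reload between those two points would leave the share enforcing the create masks for ordinary ACL changes, or would overwrite freshly loaded values on restore. The lines between the two hunks are not shown; if any of them can return, the restore has to move to a single exit path. Only the two mask parameters are swapped, so the force security mode settings (if the ACL-set path applies them) would still be used on create, and the comment should say whether that is intended, e.g. `/* NB: force security mode / force directory security mode are left unchanged. */`. Passing the masks to the ACL-set call explicitly would avoid mutating shared configuration, though that is a larger change than this patch.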