The Samba-Bugzilla – Attachment 7991 Details for
Bug 9190
Regression (change in behavior) of default acl masks
[patch]
git-am fix for 4.0.0rc3
look1 (text/plain), 29.86 KB, created by
Jeremy Allison
on 2012-10-04 18:37:21 UTC
Description:
git-am fix for 4.0.0rc3
Creator:
Jeremy Allison
Created:
2012-10-04 18:37:21 UTC
Size:
29.86 KB
>From d6e35dc39117e629aa035ae060e7d25796316c77 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Tue, 2 Oct 2012 09:21:17 -0700
>Subject: [PATCH 1/6] Reformat spacing to be even.
>
>---
> source3/smbd/posix_acls.c | 15 ++++++++-------
> 1 files changed, 8 insertions(+), 7 deletions(-)
>
>diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
>index 016acf4..531313b 100644
>--- a/source3/smbd/posix_acls.c
>+++ b/source3/smbd/posix_acls.c
>@@ -1351,13 +1351,14 @@ static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, cano
> type.
> ****************************************************************************/
>
>-static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace,
>- const struct share_params *params,
>- const bool is_directory,
>- const struct dom_sid *pfile_owner_sid,
>- const struct dom_sid *pfile_grp_sid,
>- const SMB_STRUCT_STAT *pst,
>- bool setting_acl)
>+static bool ensure_canon_entry_valid(connection_struct *conn,
>+ canon_ace **pp_ace,
>+ const struct share_params *params,
>+ const bool is_directory,
>+ const struct dom_sid *pfile_owner_sid,
>+ const struct dom_sid *pfile_grp_sid,
>+ const SMB_STRUCT_STAT *pst,
>+ bool setting_acl)
> {
> canon_ace *pace;
> canon_ace *pace_user = NULL;
>--
>1.7.7.3
>
>
>From c1ce91416fae6519b64aad36b8498040e02f12b2 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Tue, 2 Oct 2012 09:55:09 -0700
>Subject: [PATCH 2/6] Use is_default_acl variable in canonicalise_acl().
>
>---
> source3/smbd/posix_acls.c | 5 +++--
> 1 files changed, 3 insertions(+), 2 deletions(-)
>
>diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
>index 531313b..b74c1b2 100644
>--- a/source3/smbd/posix_acls.c
>+++ b/source3/smbd/posix_acls.c
>@@ -2629,6 +2629,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
> canon_ace *ace = NULL;
> canon_ace *next_ace = NULL;
> int entry_id = SMB_ACL_FIRST_ENTRY;
>+ bool is_default_acl = (the_acl_type == SMB_ACL_TYPE_DEFAULT);
> SMB_ACL_ENTRY_T entry;
> size_t ace_count;
>
>@@ -2719,7 +2720,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
> ace->trustee = sid;
> ace->unix_ug = unix_ug;
> ace->owner_type = owner_type;
>- ace->ace_flags = get_pai_flags(pal, ace, (the_acl_type == SMB_ACL_TYPE_DEFAULT));
>+ ace->ace_flags = get_pai_flags(pal, ace, is_default_acl);
>
> DLIST_ADD(l_head, ace);
> }
>@@ -2738,7 +2739,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
> * acl_mask. Ensure all DENY Entries are at the start of the list.
> */
>
>- DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", the_acl_type == SMB_ACL_TYPE_ACCESS ? "Access" : "Default" ));
>+ DEBUG(10,("canonicalise_acl: %s ace entries before arrange :\n", is_default_acl ? "Default" : "Access"));
>
> for ( ace_count = 0, ace = l_head; ace; ace = next_ace, ace_count++) {
> next_ace = ace->next;
>--
>1.7.7.3
>
>
>From 9ccf56aea9c5c1b89c4c459b40026302ddc92309 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Tue, 2 Oct 2012 10:12:45 -0700
>Subject: [PATCH 3/6] Only apply masks on non-default ACL entries when setting
> the ACL.
>
>---
> source3/smbd/posix_acls.c | 28 +++++++++++++++++++---------
> 1 files changed, 19 insertions(+), 9 deletions(-)
>
>diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
>index b74c1b2..125234c 100644
>--- a/source3/smbd/posix_acls.c
>+++ b/source3/smbd/posix_acls.c
>@@ -1353,6 +1353,7 @@ static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, cano
>
> static bool ensure_canon_entry_valid(connection_struct *conn,
> canon_ace **pp_ace,
>+ bool is_default_acl,
> const struct share_params *params,
> const bool is_directory,
> const struct dom_sid *pfile_owner_sid,
>@@ -1368,8 +1369,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
> for (pace = *pp_ace; pace; pace = pace->next) {
> if (pace->type == SMB_ACL_USER_OBJ) {
>
>- if (setting_acl)
>+ if (setting_acl && !is_default_acl) {
> apply_default_perms(params, is_directory, pace, S_IRUSR);
>+ }
> pace_user = pace;
>
> } else if (pace->type == SMB_ACL_GROUP_OBJ) {
>@@ -1378,8 +1380,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
> * Ensure create mask/force create mode is respected on set.
> */
>
>- if (setting_acl)
>+ if (setting_acl && !is_default_acl) {
> apply_default_perms(params, is_directory, pace, S_IRGRP);
>+ }
> pace_group = pace;
>
> } else if (pace->type == SMB_ACL_OTHER) {
>@@ -1388,8 +1391,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
> * Ensure create mask/force create mode is respected on set.
> */
>
>- if (setting_acl)
>+ if (setting_acl && !is_default_acl) {
> apply_default_perms(params, is_directory, pace, S_IROTH);
>+ }
> pace_other = pace;
> }
> }
>@@ -1438,7 +1442,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
> pace->perms = pace_other->perms;
> }
>
>- apply_default_perms(params, is_directory, pace, S_IRUSR);
>+ if (!is_default_acl) {
>+ apply_default_perms(params, is_directory, pace, S_IRUSR);
>+ }
> } else {
> pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRUSR, S_IWUSR, S_IXUSR);
> }
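Review bot: The new `bool is_default_acl` parameter added in the `@@ -1353` hunk is undocumented and lands second in a signature that already carries two other bools (`is_directory`, `setting_acl`), so the call sites updated in the later `@@ -2531` and `@@ -2540` hunks pass a bare `false` / `true` alongside `True`, which can be transposed without any compiler complaint. Because this flag decides whether the share masks are applied to a client-supplied ACL, the header comment of `ensure_canon_entry_valid` (it starts above this hunk) should describe it, for example `is_default_acl: true for a directory default ACL; the share masks are then not applied on set`. At the call sites, an argument comment such as `false /* is_default_acl */` would make the choice reviewable.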
>@@ -1466,7 +1472,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
> pace->perms = pace_other->perms;
> else
> pace->perms = 0;
>- apply_default_perms(params, is_directory, pace, S_IRGRP);
>+ if (!is_default_acl) {
>+ apply_default_perms(params, is_directory, pace, S_IRGRP);
>+ }
> } else {
> pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IRGRP, S_IWGRP, S_IXGRP);
> }
>@@ -1490,7 +1498,9 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
> pace->attr = ALLOW_ACE;
> if (setting_acl) {
> pace->perms = 0;
>- apply_default_perms(params, is_directory, pace, S_IROTH);
>+ if (!is_default_acl) {
>+ apply_default_perms(params, is_directory, pace, S_IROTH);
>+ }
> } else
> pace->perms = unix_perms_to_acl_perms(pst->st_ex_mode, S_IROTH, S_IWOTH, S_IXOTH);
>
>@@ -2531,7 +2541,7 @@ static bool unpack_canon_ace(files_struct *fsp,
>
> print_canon_ace_list( "file ace - before valid", file_ace);
>
>- if (!ensure_canon_entry_valid(fsp->conn, &file_ace, fsp->conn->params,
>+ if (!ensure_canon_entry_valid(fsp->conn, &file_ace, false, fsp->conn->params,
> fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
> free_canon_ace_list(file_ace);
> free_canon_ace_list(dir_ace);
>@@ -2540,7 +2550,7 @@ static bool unpack_canon_ace(files_struct *fsp,
>
> print_canon_ace_list( "dir ace - before valid", dir_ace);
>
>- if (dir_ace && !ensure_canon_entry_valid(fsp->conn, &dir_ace, fsp->conn->params,
>+ if (dir_ace && !ensure_canon_entry_valid(fsp->conn, &dir_ace, true, fsp->conn->params,
> fsp->is_directory, pfile_owner_sid, pfile_grp_sid, pst, True)) {
> free_canon_ace_list(file_ace);
> free_canon_ace_list(dir_ace);
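Review bot: In the `@@ -1466` hunk the added braced `if (!is_default_acl) {` sits directly after an unbraced `else pace->perms = 0;`, and in `@@ -1490` the block closes with `} else` followed by an unbraced assignment, so braced and unbraced branches are mixed exactly where permission bits are assigned. Bracing the neighbouring branches as well (`} else {`, `pace->perms = 0;`, `}`) would make it unambiguous which statements the mask decision governs. The `if` that owns the first `else` starts above the hunk.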
>@@ -2729,7 +2739,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
> * This next call will ensure we have at least a user/group/world set.
> */
>
>- if (!ensure_canon_entry_valid(conn, &l_head, conn->params,
>+ if (!ensure_canon_entry_valid(conn, &l_head, is_default_acl, conn->params,
> S_ISDIR(psbuf->st_ex_mode), powner, pgroup,
> psbuf, False))
> goto fail;
>--
>1.7.7.3
>
>
>From 86d32250dedf8961f5fbee11290fd2e1bb437ae6 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Tue, 2 Oct 2012 10:15:54 -0700
>Subject: [PATCH 4/6] When setting a non-default ACL, don't forget to apply
> masks to SMB_ACL_USER and SMB_ACL_GROUP entries.
>
>---
> source3/smbd/posix_acls.c | 10 ++++++++++
> 1 files changed, 10 insertions(+), 0 deletions(-)
>
>diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
>index 125234c..b00f1ec 100644
>--- a/source3/smbd/posix_acls.c
>+++ b/source3/smbd/posix_acls.c
>@@ -1395,6 +1395,16 @@ static bool ensure_canon_entry_valid(connection_struct *conn,
> apply_default_perms(params, is_directory, pace, S_IROTH);
> }
> pace_other = pace;
>+
>+ } else if (pace->type == SMB_ACL_USER || pace->type == SMB_ACL_GROUP) {
>+
>+ /*
>+ * Ensure create mask/force create mode is respected on set.
>+ */
>+
>+ if (setting_acl && !is_default_acl) {
>+ apply_default_perms(params, is_directory, pace, S_IRGRP);
>+ }
> }
> }
>
>--
>1.7.7.3
>
>
>From c3042857fd8b9286be92d49b1e662225564931e4 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Wed, 3 Oct 2012 14:49:01 -0700
>Subject: [PATCH 5/6] Remove all uses of
> lp_security_mask/lp_force_security_mode/lp_dir_security_mask/lp_force_dir_security_mode
> and replace with the normal masks. Now these parameters
> can be removed.
>
>---
> source3/smbd/posix_acls.c | 16 ++++++++--------
> source3/smbd/trans2.c | 14 ++------------
> 2 files changed, 10 insertions(+), 20 deletions(-)
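Review bot: In the `@@ -1395` hunk of patch 4/6, named `SMB_ACL_USER` and `SMB_ACL_GROUP` entries are passed to `apply_default_perms()` with `S_IRGRP`, but the copied comment does not say why the group bits of the masks are the ones used for named-user entries. The body of `apply_default_perms` is not in this hunk, but the `or_bits` assignments visible elsewhere in the series suggest it also ORs in the force-mode bits. If so, every named entry a client sets on a non-default ACL would gain the forced group bits, granting specific users more than the client requested. A comment such as `/* Named user/group entries are bounded (and forced) by the group-class bits of the masks. */` would record the intent, and it is worth confirming that forcing bits onto named entries is wanted rather than masking only.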
>
>diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
>index b00f1ec..503727f 100644
>--- a/source3/smbd/posix_acls.c
>+++ b/source3/smbd/posix_acls.c
>@@ -1270,11 +1270,11 @@ static void apply_default_perms(const struct share_params *params,
> /* Get the initial bits to apply. */
>
> if (is_directory) {
>- and_bits = lp_dir_security_mask(params->service);
>- or_bits = lp_force_dir_security_mode(params->service);
>+ and_bits = lp_dir_mask(params->service);
>+ or_bits = lp_force_dir_mode(params->service);
> } else {
>- and_bits = lp_security_mask(params->service);
>- or_bits = lp_force_security_mode(params->service);
>+ and_bits = lp_create_mask(params->service);
>+ or_bits = lp_force_create_mode(params->service);
> }
>
> /* Now bounce them into the S_USR space. */
>@@ -3185,11 +3185,11 @@ static bool convert_canon_ace_to_posix_perms( files_struct *fsp, canon_ace *file
> /* Get the initial bits to apply. */
>
> if (fsp->is_directory) {
>- and_bits = lp_dir_security_mask(snum);
>- or_bits = lp_force_dir_security_mode(snum);
>+ and_bits = lp_dir_mask(snum);
>+ or_bits = lp_force_dir_mode(snum);
> } else {
>- and_bits = lp_security_mask(snum);
>- or_bits = lp_force_security_mode(snum);
>+ and_bits = lp_create_mask(snum);
>+ or_bits = lp_force_create_mode(snum);
> }
>
> *posix_perms = (((*posix_perms) & and_bits)|or_bits);
>diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
>index 2bc85bf..90d07d4 100644
>--- a/source3/smbd/trans2.c
>+++ b/source3/smbd/trans2.c
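Review bot: The swap to `lp_create_mask()` / `lp_dir_mask()` in the `@@ -1270` hunk (and the identical change in `@@ -3185`) changes the effective limits on client permission edits without any record of that in the code. Going by the defaults shown in the loadparm.c hunk of this series, the AND mask applied when a client sets an ACL drops from 0777 to 0744 for files and 0755 for directories. A share that paired a tight `security mask` with a looser `create mask` would now have the looser value govern permission changes. A comment above the `if (is_directory)` block, e.g. `/* create mask / directory mask now also bound permission changes, not only creation */`, together with an upgrade note telling administrators to re-check shares that set the removed parameters, would make the change auditable. Both functions continue outside their hunks.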
>@@ -1364,28 +1364,18 @@ static NTSTATUS unix_perms_from_wire( connection_struct *conn,
>
> switch (ptype) {
> case PERM_NEW_FILE:
>+ case PERM_EXISTING_FILE:
> /* Apply mode mask */
> ret &= lp_create_mask(SNUM(conn));
> /* Add in force bits */
> ret |= lp_force_create_mode(SNUM(conn));
> break;
> case PERM_NEW_DIR:
>+ case PERM_EXISTING_DIR:
> ret &= lp_dir_mask(SNUM(conn));
> /* Add in force bits */
> ret |= lp_force_dir_mode(SNUM(conn));
> break;
>- case PERM_EXISTING_FILE:
>- /* Apply mode mask */
>- ret &= lp_security_mask(SNUM(conn));
>- /* Add in force bits */
>- ret |= lp_force_security_mode(SNUM(conn));
>- break;
>- case PERM_EXISTING_DIR:
>- /* Apply mode mask */
>- ret &= lp_dir_security_mask(SNUM(conn));
>- /* Add in force bits */
>- ret |= lp_force_dir_security_mode(SNUM(conn));
>- break;
> }
>
> *ret_perms = ret;
>--
>1.7.7.3
>
>
>From 3cb1c3c8393e5c72bf7995418cecca0c4a1249d5 Mon Sep 17 00:00:00 2001
>From: Jeremy Allison <jra@samba.org>
>Date: Wed, 3 Oct 2012 16:04:18 -0700
>Subject: [PATCH 6/6] Remove the parameters:
>
>security mask
>force security mode
>directory mask
>force directory security mode
>
>and update the docs.
>---
> docs-xml/smbdotconf/security/createmask.xml | 5 +--
> docs-xml/smbdotconf/security/directorymask.xml | 8 ++--
> .../smbdotconf/security/directorysecuritymask.xml | 32 ++---------------
> docs-xml/smbdotconf/security/forcecreatemode.xml | 6 +++
> .../smbdotconf/security/forcedirectorymode.xml | 6 +++
> .../security/forcedirectorysecuritymode.xml | 38 ++-----------------
> docs-xml/smbdotconf/security/forcesecuritymode.xml | 38 +++-----------------
> docs-xml/smbdotconf/security/securitymask.xml | 33 ++---------------
> examples/scripts/shares/python/smbparm.py | 4 --
> lib/param/param_functions.c | 4 --
> lib/param/param_table.c | 36 ------------------
> source3/include/proto.h | 4 --
> source3/param/loadparm.c | 4 --
> 13 files changed, 33 insertions(+), 185 deletions(-)
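Review bot: After the cases are merged in the `@@ -1364` hunk, `switch (ptype)` still has no `default:` branch, so any `ptype` other than the four listed leaves `ret` unmasked before it is stored in `*ret_perms`. Assuming the enum has only these four members the path is unreachable today, but a fail-closed branch such as `default: return NT_STATUS_INVALID_PARAMETER;` would stop a future enumerator from bypassing `create mask` / `directory mask`. The shared labels also leave `/* Apply mode mask */` silent about existing files now being covered; `/* Apply mode mask (new and existing files) */` would say so. `unix_perms_from_wire` begins and ends outside the hunk.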
>
>diff --git a/docs-xml/smbdotconf/security/createmask.xml b/docs-xml/smbdotconf/security/createmask.xml
>index cf6864c..59e208d 100644
>--- a/docs-xml/smbdotconf/security/createmask.xml
>+++ b/docs-xml/smbdotconf/security/createmask.xml
>@@ -28,9 +28,8 @@
> </para>
>
> <para>
>- Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the
>- administrator wishes to enforce a mask on access control lists also, they need to set the <smbconfoption
>- name="security mask"/>.
>+ New in Samba 4.0.0. This mask is applied whenever permissions are changed on a file. To allow clients full control
>+ over permission changes it should be set to 0777.
> </para>
> </description>
>
>diff --git a/docs-xml/smbdotconf/security/directorymask.xml b/docs-xml/smbdotconf/security/directorymask.xml
>index 7b67f79..2ebfc16 100644
>--- a/docs-xml/smbdotconf/security/directorymask.xml
>+++ b/docs-xml/smbdotconf/security/directorymask.xml
>@@ -24,14 +24,14 @@
> created from this parameter with the value of the <smbconfoption name="force directory mode"/> parameter.
> This parameter is set to 000 by default (i.e. no extra mode bits are added).</para>
>
>- <para>Note that this parameter does not apply to permissions
>- set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
>- a mask on access control lists also, they need to set the <smbconfoption name="directory security mask"/>.</para>
>+ <para>
>+ New in Samba 4.0.0. This mask is applied whenever permissions are changed on a directory. To allow clients full control
>+ over permission changes it should be set to 0777.
>+ </para>
> </description>
>
> <related>force directory mode</related>
> <related>create mask</related>
>-<related>directory security mask</related>
> <related>inherit permissions</related>
> <value type="default">0755</value>
> <value type="example">0775</value>
>diff --git a/docs-xml/smbdotconf/security/directorysecuritymask.xml b/docs-xml/smbdotconf/security/directorysecuritymask.xml
>index 5ed85ae..0bd5d93 100644
>--- a/docs-xml/smbdotconf/security/directorysecuritymask.xml
>+++ b/docs-xml/smbdotconf/security/directorysecuritymask.xml
>@@ -3,37 +3,11 @@
> type="string"
> xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> <description>
>- <para>This parameter controls what UNIX permission bits
>- will be set when a Windows NT client is manipulating the UNIX
>- permission on a directory using the native NT security dialog
>- box.</para>
>-
> <para>
>- This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting
>- any bits not in this mask. Make sure not to mix up this parameter with <smbconfoption name="force
>- directory security mode"/>, which works similar like this one but uses logical OR instead of AND.
>- Essentially, zero bits in this mask are a set of bits that will always be set to zero.
>- </para>
>-
>+ This parameter has been removed for Samba 4.0.0. The parameter
>+ <smbconfoption name="directory mask"/> is now used instead to mask
>+ any permission bit changes on directories.
> <para>
>- Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the
>- file permissions regardless of the previous status of this bits on the file.
>- </para>
>-
>- <para>If not set explicitly this parameter is set to 0777
>- meaning a user is allowed to set all the user/group/world
>- permissions on a directory.</para>
>-
>- <para><emphasis>Note</emphasis> that users who can access the
>- Samba server through other means can easily bypass this restriction,
>- so it is primarily useful for standalone "appliance" systems.
>- Administrators of most normal systems will probably want to leave
>- it as the default of <constant>0777</constant>.</para>
> </description>
>
>-<related>force directory security mode</related>
>-<related>security mask</related>
>-<related>force security mode</related>
>-<value type="default">0777</value>
>-<value type="example">0700</value>
> </samba:parameter>
>diff --git a/docs-xml/smbdotconf/security/forcecreatemode.xml b/docs-xml/smbdotconf/security/forcecreatemode.xml
>index a3f1c2c..5a57a29 100644
>--- a/docs-xml/smbdotconf/security/forcecreatemode.xml
>+++ b/docs-xml/smbdotconf/security/forcecreatemode.xml
>@@ -10,6 +10,12 @@
> mode after the mask set in the <parameter moreinfo="none">create mask</parameter>
> parameter is applied.</para>
>
>+ <para>
>+ New in Samba 4.0.0. This mode is also 'OR'ed into the mode bits whenever
>+ permissions are changed on a file, not just when the file is created.
>+ This replaces the now removed <parameter moreinfo="none">force security mode</parameter>.
>+ </para>
>+
> <para>The example below would force all newly created files to have read and execute
> permissions set for 'group' and 'other' as well as the
> read/write/execute bits set for the 'user'.</para>
>diff --git a/docs-xml/smbdotconf/security/forcedirectorymode.xml b/docs-xml/smbdotconf/security/forcedirectorymode.xml
>index 7effc0e..e5b37ea 100644
>--- a/docs-xml/smbdotconf/security/forcedirectorymode.xml
>+++ b/docs-xml/smbdotconf/security/forcedirectorymode.xml
>@@ -12,6 +12,12 @@
> mask in the parameter <parameter moreinfo="none">directory mask</parameter> is
> applied.</para>
>
>+ <para>
>+ New in Samba 4.0.0. This mode is also 'OR'ed into the mode bits whenever
>+ permissions are changed on a directory, not just when the file is created.
>+ This replaces the now removed <parameter moreinfo="none">force directory security mode</parameter>.
>+ </para>
>+
> <para>The example below would force all created directories to have read and execute
> permissions set for 'group' and 'other' as well as the
> read/write/execute bits set for the 'user'.</para>
>diff --git a/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml
>index 2c15ec2..01e5fe9 100644
>--- a/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml
>+++ b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml
>@@ -4,40 +4,10 @@
> xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> <description>
> <para>
>- This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating
>- the UNIX permission on a directory using the native NT security dialog box.
>- </para>
>-
>+ This parameter has been removed for Samba 4.0.0. The parameter
>+ <smbconfoption name="force directory mode"/> is now used instead to
>+ force any permission changes on directories to include specific UNIX
>+ permission bits.
> <para>
>- This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this
>- mask that the user may have modified to be on. Make sure not to mix up this parameter with <smbconfoption
>- name="directory security mask"/>, which works in a similar manner to this one, but uses a logical AND instead
>- of an OR.
>- </para>
>-
>- <para>
>- Essentially, this mask may be treated as a set of bits that, when modifying security on a directory,
>- to will enable (1) any flags that are off (0) but which the mask has set to on (1).
>- </para>
>-
>- <para>
>- If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world
>- permissions on a directory without restrictions.
>- </para>
>-
>- <note><para>
>- Users who can access the Samba server through other means can easily bypass this restriction, so it is
>- primarily useful for standalone "appliance" systems. Administrators of most normal systems will
>- probably want to leave it set as 0000.
>- </para></note>
>-
> </description>
>-
>-<value type="default">0</value>
>-<value type="example">700</value>
>-
>-<related>directory security mask</related>
>-<related>security mask</related>
>-<related>force security mode</related>
>-
> </samba:parameter>
>diff --git a/docs-xml/smbdotconf/security/forcesecuritymode.xml b/docs-xml/smbdotconf/security/forcesecuritymode.xml
>index 7451ef9..b6713b1 100644
>--- a/docs-xml/smbdotconf/security/forcesecuritymode.xml
>+++ b/docs-xml/smbdotconf/security/forcesecuritymode.xml
>@@ -4,38 +4,10 @@
> xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> <description>
> <para>
>- This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating
>- the UNIX permission on a file using the native NT security dialog box.
>- </para>
>-
>- <para>
>- This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this
>- mask that the user may have modified to be on. Make sure not to mix up this parameter with <smbconfoption
>- name="security mask"/>, which works similar like this one but uses logical AND instead of OR.
>- </para>
>-
>- <para>
>- Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file,
>- the user has always set to be on.
>- </para>
>-
>- <para>
>- If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world
>- permissions on a file, with no restrictions.
>- </para>
>-
>- <para><emphasis>
>- Note</emphasis> that users who can access the Samba server through other means can easily bypass this
>- restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most
>- normal systems will probably want to leave this set to 0000.
>- </para>
>-
>+ This parameter has been removed for Samba 4.0.0. The parameter
>+ <smbconfoption name="force create mode"/> is now used instead to
>+ force any permission changes on files to include specific UNIX
>+ permission bits.
>+ </para>
> </description>
>-
>-<value type="default">0</value>
>-<value type="example">700</value>
>-
>-<related>force directory security mode</related>
>-<related>directory security mask</related>
>-<related>security mask</related>
> </samba:parameter>
>diff --git a/docs-xml/smbdotconf/security/securitymask.xml b/docs-xml/smbdotconf/security/securitymask.xml
>index 23bc280..d1e78be 100644
>--- a/docs-xml/smbdotconf/security/securitymask.xml
>+++ b/docs-xml/smbdotconf/security/securitymask.xml
>@@ -4,36 +4,9 @@
> xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> <description>
> <para>
>- This parameter controls what UNIX permission bits will be set when a Windows NT client is manipulating the
>- UNIX permission on a file using the native NT security dialog box.
>- </para>
>-
>- <para>
>- This parameter is applied as a mask (AND'ed with) to the incoming permission bits, thus resetting
>- any bits not in this mask. Make sure not to mix up this parameter with <smbconfoption name="force
>- security mode"/>, which works in a manner similar to this one but uses a logical OR instead of an AND.
>- </para>
>-
>- <para>
>- Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the
>- file permissions regardless of the previous status of this bits on the file.
>- </para>
>-
>- <para>
>- If not set explicitly this parameter is 0777, allowing a user to set all the user/group/world permissions on a file.
>+ This parameter has been removed for Samba 4.0.0. The parameter
>+ <smbconfoption name="create mask"/> is now used instead to mask
>+ any permission bit changes on files.
> </para>
>-
>- <para><emphasis>
>- Note</emphasis> that users who can access the Samba server through other means can easily bypass this
>- restriction, so it is primarily useful for standalone "appliance" systems. Administrators of
>- most normal systems will probably want to leave it set to <constant>0777</constant>.
>- </para>
> </description>
>-
>-<related>force directory security mode</related>
>-<related>directory security mask</related>
>-<related>force security mode</related>
>-
>-<value type="default">0777</value>
>-<value type="example">0770</value>
> </samba:parameter>
>diff --git a/examples/scripts/shares/python/smbparm.py b/examples/scripts/shares/python/smbparm.py
>index 8dca781..f0bc1ec 100644
>--- a/examples/scripts/shares/python/smbparm.py
>+++ b/examples/scripts/shares/python/smbparm.py
>@@ -89,7 +89,6 @@ parm_table = {
> "ROOTPREEXEC" : ("root preexec", SambaParmString, P_LOCAL, ""),
> "WRITEOK" : ("read only", SambaParmBoolRev, P_LOCAL, "Yes"),
> "MAXLOGSIZE" : ("max log size", SambaParmString, P_GLOBAL, "5000"),
>- "FORCESECURITYMODE" : ("force security mode", SambaParmString, P_LOCAL, "00"),
> "VFSOBJECT" : ("vfs objects", SambaParmString, P_LOCAL, ""),
> "CHECKPASSWORDSCRIPT" : ("check password script", SambaParmString, P_GLOBAL, ""),
> "DELETEPRINTERCOMMAND" : ("deleteprinter command", SambaParmString, P_GLOBAL, ""),
>@@ -102,7 +101,6 @@ parm_table = {
> "DOSFILEMODE" : ("dos filemode", SambaParmBool, P_LOCAL, "No"),
> "LOGFILE" : ("log file", SambaParmString, P_GLOBAL, ""),
> "WORKGROUP" : ("workgroup", SambaParmString, P_GLOBAL, "WORKGROUP"),
>- "DIRECTORYSECURITYMASK" : ("directory security mask", SambaParmString, P_LOCAL, "0777"),
> "ENCRYPTPASSWORDS" : ("encrypt passwords", SambaParmBool, P_GLOBAL, "Yes"),
> "PRINTABLE" : ("printable", SambaParmBool, P_LOCAL, "No"),
> "MAXPROTOCOL" : ("max protocol", SambaParmString, P_GLOBAL, "NT1"),
>@@ -147,7 +145,6 @@ parm_table = {
> "LEVEL2OPLOCKS" : ("level2 oplocks", SambaParmBool, P_LOCAL, "Yes"),
> "LARGEREADWRITE" : ("large readwrite", SambaParmBool, P_GLOBAL, "Yes"),
> "LDAPREPLICATIONSLEEP" : ("ldap replication sleep", SambaParmString, P_GLOBAL, "1000"),
>- "SECURITYMASK" : ("security mask", SambaParmString, P_LOCAL, "0777"),
> "LDAPUSERSUFFIX" : ("ldap user suffix", SambaParmString, P_GLOBAL, ""),
> "NETBIOSNAME" : ("netbios name", SambaParmString, P_GLOBAL, "PANTHER"),
> "LOCKSPINCOUNT" : ("lock spin count", SambaParmString, P_GLOBAL, "3"),
>@@ -184,7 +181,6 @@ parm_table = {
> "POSIXLOCKING" : ("posix locking", SambaParmBool, P_LOCAL, "Yes"),
> "INCLUDE" : ("include", SambaParmString, P_LOCAL, ""),
> "ALGORITHMICRIDBASE" : ("algorithmic rid base", SambaParmString, P_GLOBAL, "1000"),
>- "FORCEDIRECTORYSECURITYMODE": ("force directory security mode", SambaParmString, P_LOCAL, "00"),
> "ANNOUNCEVERSION" : ("announce version", SambaParmString, P_GLOBAL, "4.9"),
> "USERNAMEMAP" : ("username map", SambaParmString, P_GLOBAL, ""),
> "MANGLEDNAMES" : ("mangled names", SambaParmBool, P_LOCAL, "Yes"),
>diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
>index ce2f671..d5cd018 100644
>--- a/lib/param/param_functions.c
>+++ b/lib/param/param_functions.c
>@@ -134,10 +134,6 @@ FN_LOCAL_BOOL(afs_share, bAfs_Share)
> FN_LOCAL_BOOL(acl_check_permissions, bAclCheckPermissions)
> FN_LOCAL_BOOL(acl_group_control, bAclGroupControl)
> FN_LOCAL_BOOL(acl_map_full_control, bAclMapFullControl)
>-FN_LOCAL_INTEGER(security_mask, iSecurity_mask)
>-FN_LOCAL_INTEGER(force_security_mode, iSecurity_force_mode)
>-FN_LOCAL_INTEGER(dir_security_mask, iDir_Security_mask)
>-FN_LOCAL_INTEGER(force_dir_security_mode, iDir_Security_force_mode)
> FN_LOCAL_INTEGER(defaultcase, iDefaultCase)
> FN_LOCAL_INTEGER(minprintspace, iMinPrintSpace)
> FN_LOCAL_INTEGER(printing, iPrinting)
>diff --git a/lib/param/param_table.c b/lib/param/param_table.c
>index 325f295..01f65fe 100644
>--- a/lib/param/param_table.c
>+++ b/lib/param/param_table.c
>@@ -957,24 +957,6 @@ static struct parm_struct parm_table[] = {
> .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
> },
> {
>- .label = "security mask",
>- .type = P_OCTAL,
>- .p_class = P_LOCAL,
>- .offset = LOCAL_VAR(iSecurity_mask),
>- .special = NULL,
>- .enum_list = NULL,
>- .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
>- },
>- {
>- .label = "force security mode",
>- .type = P_OCTAL,
>- .p_class = P_LOCAL,
>- .offset = LOCAL_VAR(iSecurity_force_mode),
>- .special = NULL,
>- .enum_list = NULL,
>- .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
>- },
>- {
> .label = "directory mask",
> .type = P_OCTAL,
> .p_class = P_LOCAL,
>@@ -1002,24 +984,6 @@ static struct parm_struct parm_table[] = {
> .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
> },
> {
>- .label = "directory security mask",
>- .type = P_OCTAL,
>- .p_class = P_LOCAL,
>- .offset = LOCAL_VAR(iDir_Security_mask),
>- .special = NULL,
>- .enum_list = NULL,
>- .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
>- },
>- {
>- .label = "force directory security mode",
>- .type = P_OCTAL,
>- .p_class = P_LOCAL,
>- .offset = LOCAL_VAR(iDir_Security_force_mode),
>- .special = NULL,
>- .enum_list = NULL,
>- .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
>- },
>- {
> .label = "force unknown acl user",
> .type = P_BOOL,
> .p_class = P_LOCAL,
>diff --git a/source3/include/proto.h b/source3/include/proto.h
>index b3fa55a..ac3d205 100644
>--- a/source3/include/proto.h
>+++ b/source3/include/proto.h
>@@ -1330,12 +1330,8 @@ bool lp_acl_map_full_control(int );
> bool lp_durable_handles(int);
> int lp_create_mask(int );
> int lp_force_create_mode(int );
>-int lp_security_mask(int );
>-int lp_force_security_mode(int );
> int lp_dir_mask(int );
> int lp_force_dir_mode(int );
>-int lp_dir_security_mask(int );
>-int lp_force_dir_security_mode(int );
> int lp_max_connections(int );
> int lp_defaultcase(int );
> int lp_minprintspace(int );
>diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
>index 61606ce..42bf11d 100644
>--- a/source3/param/loadparm.c
>+++ b/source3/param/loadparm.c
>@@ -191,12 +191,8 @@ static struct loadparm_service sDefault =
> .iWriteCacheSize = 0,
> .iCreate_mask = 0744,
> .iCreate_force_mode = 0,
>- .iSecurity_mask = 0777,
>- .iSecurity_force_mode = 0,
> .iDir_mask = 0755,
> .iDir_force_mode = 0,
>- .iDir_Security_mask = 0777,
>- .iDir_Security_force_mode = 0,
> .iMaxConnections = 0,
> .iDefaultCase = CASE_LOWER,
> .iPrinting = DEFAULT_PRINTING,
>--
>1.7.7.3
>