The Samba-Bugzilla – Attachment 8213 Details for
Bug 9374
Allow smb2.acls torture test to pass against smbd with a POSIX ACLs backend.
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
git-am fix for 4.0.0rc.next
9374-fix-4.0.patch (text/plain), 5.84 KB, created by
Jeremy Allison
on 2012-11-20 01:03:37 UTC
(
hide
)
Description:
git-am fix for 4.0.0rc.next
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2012-11-20 01:03:37 UTC
Size:
5.84 KB
patch
obsolete
>From 13e65afe1c925277e128f90dcb6ef83f31e40218 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Wed, 14 Nov 2012 14:40:50 -0800 >Subject: [PATCH 1/2] Add comments explaining exactly *why* we don't check > FILE_READ_ATTRIBUTES when evaluating file/directory > ACE's. > >If we can access the path to this file, by >default we have FILE_READ_ATTRIBUTES from the >containing directory. See the section. >"Algorithm to Check Access to an Existing File" >in MS-FSA.pdf. > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Michael Adam <obnox@samba.org> >(cherry picked from commit 4985332b951d8cd46c9c0cd877875ab7839b4edb) >--- > source3/smbd/open.c | 24 +++++++++++++++++++++--- > 1 files changed, 21 insertions(+), 3 deletions(-) > >diff --git a/source3/smbd/open.c b/source3/smbd/open.c >index a9a9198..7e0dee2 100644 >--- a/source3/smbd/open.c >+++ b/source3/smbd/open.c >@@ -130,7 +130,13 @@ NTSTATUS smbd_check_access_rights(struct connection_struct *conn, > } > > /* >- * Never test FILE_READ_ATTRIBUTES. se_file_access_check() also takes care of >+ * If we can access the path to this file, by >+ * default we have FILE_READ_ATTRIBUTES from the >+ * containing directory. See the section: >+ * "Algorithm to Check Access to an Existing File" >+ * in MS-FSA.pdf. >+ * >+ * se_file_access_check() also takes care of > * owner WRITE_DAC and READ_CONTROL. > */ > status = se_file_access_check(sd, >@@ -247,7 +253,13 @@ static NTSTATUS check_parent_access(struct connection_struct *conn, > } > > /* >- * Never test FILE_READ_ATTRIBUTES. se_file_access_check() also takes care of >+ * If we can access the path to this file, by >+ * default we have FILE_READ_ATTRIBUTES from the >+ * containing directory. See the section: >+ * "Algorithm to Check Access to an Existing File" >+ * in MS-FSA.pdf. >+ * >+ * se_file_access_check() also takes care of > * owner WRITE_DAC and READ_CONTROL. > */ > status = se_file_access_check(parent_sd, >@@ -1693,7 +1705,13 @@ static NTSTATUS smbd_calculate_maximum_allowed_access( > } > > /* >- * Never test FILE_READ_ATTRIBUTES. se_file_access_check() >+ * If we can access the path to this file, by >+ * default we have FILE_READ_ATTRIBUTES from the >+ * containing directory. See the section: >+ * "Algorithm to Check Access to an Existing File" >+ * in MS-FSA.pdf. >+ * >+ * se_file_access_check() > * also takes care of owner WRITE_DAC and READ_CONTROL. > */ > status = se_file_access_check(sd, >-- >1.7.7.3 > > >From 6508089254d73a39ce1ab7901dfa28294a8c505c Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Wed, 14 Nov 2012 14:40:51 -0800 >Subject: [PATCH 2/2] More for #9374 - Allow smb2.acls torture test to pass > against smbd with a POSIX ACLs backend. > >Change can_delete_directory() to can_delete_directory_fsp(), as >we only ever call this from an open directory file handle. > >This allows us to use OpenDir_fsp() instead of OpenDir(). >OpenDir() re-checks the ACL on the directory, which may >refuse DIR_LIST permissions. OpenDir_fsp() does not. As >this is a file-server internal check to see if the directory >actually contains any files before setting delete on close, >we can ignore the ACL here (Windows does). > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Michael Adam <obnox@samba.org> > >Autobuild-User(master): Michael Adam <obnox@samba.org> >Autobuild-Date(master): Tue Nov 20 01:46:28 CET 2012 on sn-devel-104 >(cherry picked from commit c5ad5029fd87b36426927d57425d5debbb26394c) >--- > source3/include/proto.h | 3 +-- > source3/smbd/dir.c | 14 +++++++++----- > source3/smbd/file_access.c | 3 +-- > 3 files changed, 11 insertions(+), 9 deletions(-) > >diff --git a/source3/include/proto.h b/source3/include/proto.h >index 7c5a5a7..449bbc1 100644 >--- a/source3/include/proto.h >+++ b/source3/include/proto.h >@@ -1628,8 +1628,7 @@ void cancel_pending_lock_requests_by_fid(files_struct *fsp, > enum file_close_type close_type); > void send_stat_cache_delete_message(struct messaging_context *msg_ctx, > const char *name); >-NTSTATUS can_delete_directory(struct connection_struct *conn, >- const char *dirname); >+NTSTATUS can_delete_directory_fsp(files_struct *fsp); > bool change_to_root_user(void); > void contend_level2_oplocks_begin(files_struct *fsp, > enum level2_contention_type type); >diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c >index cb27110..1a9aa43 100644 >--- a/source3/smbd/dir.c >+++ b/source3/smbd/dir.c >@@ -1740,16 +1740,20 @@ bool SearchDir(struct smb_Dir *dirp, const char *name, long *poffset) > Is this directory empty ? > *****************************************************************/ > >-NTSTATUS can_delete_directory(struct connection_struct *conn, >- const char *dirname) >+NTSTATUS can_delete_directory_fsp(files_struct *fsp) > { > NTSTATUS status = NT_STATUS_OK; > long dirpos = 0; > const char *dname = NULL; >+ const char *dirname = fsp->fsp_name->base_name; > char *talloced = NULL; > SMB_STRUCT_STAT st; >- struct smb_Dir *dir_hnd = OpenDir(talloc_tos(), conn, >- dirname, NULL, 0); >+ struct connection_struct *conn = fsp->conn; >+ struct smb_Dir *dir_hnd = OpenDir_fsp(talloc_tos(), >+ conn, >+ fsp, >+ NULL, >+ 0); > > if (!dir_hnd) { > return map_nt_error_from_unix(errno); >@@ -1769,7 +1773,7 @@ NTSTATUS can_delete_directory(struct connection_struct *conn, > continue; > } > >- DEBUG(10,("can_delete_directory: got name %s - can't delete\n", >+ DEBUG(10,("got name %s - can't delete\n", > dname )); > status = NT_STATUS_DIRECTORY_NOT_EMPTY; > break; >diff --git a/source3/smbd/file_access.c b/source3/smbd/file_access.c >index 6ced6a6..9bf7e9b 100644 >--- a/source3/smbd/file_access.c >+++ b/source3/smbd/file_access.c >@@ -226,8 +226,7 @@ NTSTATUS can_set_delete_on_close(files_struct *fsp, uint32 dosmode) > return NT_STATUS_ACCESS_DENIED; > } > >- return can_delete_directory(fsp->conn, >- fsp->fsp_name->base_name); >+ return can_delete_directory_fsp(fsp); > } > > return NT_STATUS_OK; >-- >1.7.7.3 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
obnox
:
review+
Actions:
View
Attachments on
bug 9374
:
8186
| 8213