The Samba-Bugzilla – Attachment 8280 Details for
Bug 9462
Users can not be given write permissions any more by default
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
git-am fixes for 4.0.0
9462.patchset (text/plain), 10.54 KB, created by
Jeremy Allison
on 2012-12-04 23:47:35 UTC
(
hide
)
Description:
git-am fixes for 4.0.0
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2012-12-04 23:47:35 UTC
Size:
10.54 KB
patch
obsolete
>From cf9e68ccf95adfa117404aafebc78c77ab621860 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 4 Dec 2012 15:41:21 -0800 >Subject: [PATCH 1/4] Add in accessor functions to facilitate a layer > violation. > >Part of fix for bug #9462 - Users can not be given write permissions any more by default >--- > source3/smbd/globals.c | 13 +++++++++++++ > source3/smbd/globals.h | 3 +++ > 2 files changed, 16 insertions(+), 0 deletions(-) > >diff --git a/source3/smbd/globals.c b/source3/smbd/globals.c >index 3eb65a1..a0ff31e 100644 >--- a/source3/smbd/globals.c >+++ b/source3/smbd/globals.c >@@ -116,3 +116,16 @@ void smbd_init_globals(void) > > ZERO_STRUCT(sec_ctx_stack); > } >+ >+static bool create_in_progress = false; >+ >+/* Accessor functions for layer violation. This sucks... JRA. */ >+void set_create_in_progress(bool val) >+{ >+ create_in_progress = val; >+} >+ >+bool is_create_in_progress(void) >+{ >+ return create_in_progress; >+} >diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h >index 0d0ebcd..ae67384 100644 >--- a/source3/smbd/globals.h >+++ b/source3/smbd/globals.h >@@ -791,3 +791,6 @@ struct smbd_server_connection { > extern struct smbXsrv_connection *global_smbXsrv_connection; > > void smbd_init_globals(void); >+ >+void set_create_in_progress(bool val); >+bool is_create_in_progress(void); >-- >1.7.7.3 > > >From 127f3e2e5af83699b085ee0d0378f8a6416cea6b Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 4 Dec 2012 15:42:29 -0800 >Subject: [PATCH 2/4] Ensure we let the lower layer know this is a create in > progress so it can calculate the correct unix > permission masks. > >Part of fix for bug #9462 - Users can not be given write permissions any more by default >--- > source3/smbd/open.c | 2 ++ > 1 files changed, 2 insertions(+), 0 deletions(-) > >diff --git a/source3/smbd/open.c b/source3/smbd/open.c >index c5529ec..9908b4b 100644 >--- a/source3/smbd/open.c >+++ b/source3/smbd/open.c >@@ -3612,9 +3612,11 @@ static NTSTATUS inherit_new_acl(files_struct *fsp) > /* We need to be root to force this. */ > become_root(); > } >+ set_create_in_progress(true); > status = SMB_VFS_FSET_NT_ACL(fsp, > security_info_sent, > psd); >+ set_create_in_progress(false); > if (inherit_owner) { > unbecome_root(); > } >-- >1.7.7.3 > > >From 4d036dd3fc934eb36b72beb9ac66f8d063da7b32 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 4 Dec 2012 15:46:14 -0800 >Subject: [PATCH 3/4] Change behavior of apply_default_perms() if we're in a > create call. > >Part of fix for bug #9462 - Users can not be given write permissions any more by default >--- > source3/smbd/posix_acls.c | 20 +++++++++++--------- > 1 files changed, 11 insertions(+), 9 deletions(-) > >diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c >index 4e93fef..97b10b5 100644 >--- a/source3/smbd/posix_acls.c >+++ b/source3/smbd/posix_acls.c >@@ -28,6 +28,7 @@ > #include "auth.h" > #include "../librpc/gen_ndr/idmap.h" > #include "lib/param/loadparm.h" >+#include "smbd/globals.h" > > extern const struct generic_mapping file_generic_mapping; > >@@ -1243,17 +1244,18 @@ static void apply_default_perms(const struct share_params *params, > const bool is_directory, canon_ace *pace, > mode_t type) > { >- mode_t and_bits = (mode_t)0; >+ /* The initial bits to apply (no restrictions). */ >+ mode_t and_bits = (mode_t)-1; > mode_t or_bits = (mode_t)0; > >- /* Get the initial bits to apply. */ >- >- if (is_directory) { >- and_bits = lp_dir_mask(params->service); >- or_bits = lp_force_dir_mode(params->service); >- } else { >- and_bits = lp_create_mask(params->service); >- or_bits = lp_force_create_mode(params->service); >+ if (is_create_in_progress()) { >+ if (is_directory) { >+ and_bits = lp_dir_mask(params->service); >+ or_bits = lp_force_dir_mode(params->service); >+ } else { >+ and_bits = lp_create_mask(params->service); >+ or_bits = lp_force_create_mode(params->service); >+ } > } > > /* Now bounce them into the S_USR space. */ >-- >1.7.7.3 > > >From 4abc2395ddb57433188ab3b6cc0e033d79ab0e5d Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 4 Dec 2012 15:47:06 -0800 >Subject: [PATCH 4/4] Documentation fixes for bug #9462 - Users can not be > given write permissions any more by default > >Ensure we don't apply the masks + force modes on security setting >changes, only on create. >--- > docs-xml/smbdotconf/security/createmask.xml | 5 ----- > docs-xml/smbdotconf/security/directorymask.xml | 5 ----- > .../smbdotconf/security/directorysecuritymask.xml | 4 +--- > docs-xml/smbdotconf/security/forcecreatemode.xml | 6 ------ > .../smbdotconf/security/forcedirectorymode.xml | 6 ------ > .../security/forcedirectorysecuritymode.xml | 5 +---- > docs-xml/smbdotconf/security/forcesecuritymode.xml | 5 +---- > docs-xml/smbdotconf/security/securitymask.xml | 4 +--- > 8 files changed, 4 insertions(+), 36 deletions(-) > >diff --git a/docs-xml/smbdotconf/security/createmask.xml b/docs-xml/smbdotconf/security/createmask.xml >index 59e208d..5df0718 100644 >--- a/docs-xml/smbdotconf/security/createmask.xml >+++ b/docs-xml/smbdotconf/security/createmask.xml >@@ -26,11 +26,6 @@ > This parameter does not affect directory masks. See the parameter <smbconfoption name="directory mask"/> > for details. > </para> >- >- <para> >- New in Samba 4.0.0. This mask is applied whenever permissions are changed on a file. To allow clients full control >- over permission changes it should be set to 0777. >- </para> > </description> > > <related>force create mode</related> >diff --git a/docs-xml/smbdotconf/security/directorymask.xml b/docs-xml/smbdotconf/security/directorymask.xml >index 2ebfc16..b17625c 100644 >--- a/docs-xml/smbdotconf/security/directorymask.xml >+++ b/docs-xml/smbdotconf/security/directorymask.xml >@@ -23,11 +23,6 @@ > <para>Following this Samba will bit-wise 'OR' the UNIX mode > created from this parameter with the value of the <smbconfoption name="force directory mode"/> parameter. > This parameter is set to 000 by default (i.e. no extra mode bits are added).</para> >- >- <para> >- New in Samba 4.0.0. This mask is applied whenever permissions are changed on a directory. To allow clients full control >- over permission changes it should be set to 0777. >- </para> > </description> > > <related>force directory mode</related> >diff --git a/docs-xml/smbdotconf/security/directorysecuritymask.xml b/docs-xml/smbdotconf/security/directorysecuritymask.xml >index c5c8c65..ad208f4 100644 >--- a/docs-xml/smbdotconf/security/directorysecuritymask.xml >+++ b/docs-xml/smbdotconf/security/directorysecuritymask.xml >@@ -5,9 +5,7 @@ > xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> > <description> > <para> >- This parameter has been removed for Samba 4.0.0. The parameter >- <smbconfoption name="directory mask"/> is now used instead to mask >- any permission bit changes on directories. >+ This parameter has been removed for Samba 4.0.0. > </para> > </description> > >diff --git a/docs-xml/smbdotconf/security/forcecreatemode.xml b/docs-xml/smbdotconf/security/forcecreatemode.xml >index 5a57a29..a3f1c2c 100644 >--- a/docs-xml/smbdotconf/security/forcecreatemode.xml >+++ b/docs-xml/smbdotconf/security/forcecreatemode.xml >@@ -10,12 +10,6 @@ > mode after the mask set in the <parameter moreinfo="none">create mask</parameter> > parameter is applied.</para> > >- <para> >- New in Samba 4.0.0. This mode is also 'OR'ed into the mode bits whenever >- permissions are changed on a file, not just when the file is created. >- This replaces the now removed <parameter moreinfo="none">force security mode</parameter>. >- </para> >- > <para>The example below would force all newly created files to have read and execute > permissions set for 'group' and 'other' as well as the > read/write/execute bits set for the 'user'.</para> >diff --git a/docs-xml/smbdotconf/security/forcedirectorymode.xml b/docs-xml/smbdotconf/security/forcedirectorymode.xml >index e5b37ea..7effc0e 100644 >--- a/docs-xml/smbdotconf/security/forcedirectorymode.xml >+++ b/docs-xml/smbdotconf/security/forcedirectorymode.xml >@@ -12,12 +12,6 @@ > mask in the parameter <parameter moreinfo="none">directory mask</parameter> is > applied.</para> > >- <para> >- New in Samba 4.0.0. This mode is also 'OR'ed into the mode bits whenever >- permissions are changed on a directory, not just when the file is created. >- This replaces the now removed <parameter moreinfo="none">force directory security mode</parameter>. >- </para> >- > <para>The example below would force all created directories to have read and execute > permissions set for 'group' and 'other' as well as the > read/write/execute bits set for the 'user'.</para> >diff --git a/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml >index 3ea3b5c..a45395d 100644 >--- a/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml >+++ b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml >@@ -5,10 +5,7 @@ > xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> > <description> > <para> >- This parameter has been removed for Samba 4.0.0. The parameter >- <smbconfoption name="force directory mode"/> is now used instead to >- force any permission changes on directories to include specific UNIX >- permission bits. >+ This parameter has been removed for Samba 4.0.0. > </para> > </description> > </samba:parameter> >diff --git a/docs-xml/smbdotconf/security/forcesecuritymode.xml b/docs-xml/smbdotconf/security/forcesecuritymode.xml >index 2568bcc..5a9479e 100644 >--- a/docs-xml/smbdotconf/security/forcesecuritymode.xml >+++ b/docs-xml/smbdotconf/security/forcesecuritymode.xml >@@ -5,10 +5,7 @@ > xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> > <description> > <para> >- This parameter has been removed for Samba 4.0.0. The parameter >- <smbconfoption name="force create mode"/> is now used instead to >- force any permission changes on files to include specific UNIX >- permission bits. >+ This parameter has been removed for Samba 4.0.0. > </para> > </description> > </samba:parameter> >diff --git a/docs-xml/smbdotconf/security/securitymask.xml b/docs-xml/smbdotconf/security/securitymask.xml >index cb7fcfa..e535d32 100644 >--- a/docs-xml/smbdotconf/security/securitymask.xml >+++ b/docs-xml/smbdotconf/security/securitymask.xml >@@ -5,9 +5,7 @@ > xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> > <description> > <para> >- This parameter has been removed for Samba 4.0.0. The parameter >- <smbconfoption name="create mask"/> is now used instead to mask >- any permission bit changes on files. >+ This parameter has been removed for Samba 4.0.0. > </para> > </description> > </samba:parameter> >-- >1.7.7.3 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=8280">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 9462
:
8280
|
8286
|
8287
|
8288
|
8289
|
8290
|
8292