>From ee0292948f6d43e68ff6020f9f47e76c65583267 Mon Sep 17 00:00:00 2001
From: Alexander Werth
Date: Wed, 25 Jul 2012 16:23:57 +0200
Subject: s3: Move up declaration of params struct and related function.

We need the parameters earlier in the code so we move up the declaration of the params struct. Since reading the parameters is closely related the definition of the function smbacl4_get_vfs_params has also been moved up.
---
 source3/modules/nfs4_acls.c | 96 +++++++++++++++++++++---------------------
 1 files changed, 48 insertions(+), 48 deletions(-)

diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
index 3f31c5a..c4864cf 100644
--- a/source3/modules/nfs4_acls.c
+++ b/source3/modules/nfs4_acls.c
@@ -52,6 +52,54 @@ typedef struct _SMB_ACL4_INT_T SMB_ACE4_INT_T *last; } SMB_ACL4_INT_T; +enum smbacl4_mode_enum {e_simple=0, e_special=1}; +enum smbacl4_acedup_enum {e_dontcare=0, e_reject=1, e_ignore=2, e_merge=3}; + +typedef struct _smbacl4_vfs_params { + enum smbacl4_mode_enum mode; + bool do_chown; + enum smbacl4_acedup_enum acedup; + struct db_context *sid_mapping_table; +} smbacl4_vfs_params; + +/* + * Gather special parameters for NFS4 ACL handling + */ +static int smbacl4_get_vfs_params( + const char *type_name, + files_struct *fsp, + smbacl4_vfs_params *params +) +{ + static const struct enum_list enum_smbacl4_modes[] = { + { e_simple, "simple" }, + { e_special, "special" } + }; + static const struct enum_list enum_smbacl4_acedups[] = { + { e_dontcare, "dontcare" }, + { e_reject, "reject" }, + { e_ignore, "ignore" }, + { e_merge, "merge" }, + }; + + memset(params, 0, sizeof(smbacl4_vfs_params)); + params->mode = (enum smbacl4_mode_enum)lp_parm_enum( + SNUM(fsp->conn), type_name, + "mode", enum_smbacl4_modes, e_simple); + params->do_chown = lp_parm_bool(SNUM(fsp->conn), type_name, + "chown", True); + params->acedup = (enum smbacl4_acedup_enum)lp_parm_enum( + SNUM(fsp->conn), type_name, + "acedup", enum_smbacl4_acedups, e_dontcare); + + DEBUG(10, ("mode:%s, do_chown:%s, acedup: %s\n", + enum_smbacl4_modes[params->mode].name, + params->do_chown ? "true" : "false", + enum_smbacl4_acedups[params->acedup].name)); + + return 0; +} + /************************************************ Split the ACE flag mapping between nfs4 and Windows into two separate functions rather than trying to do 
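Review bot: The moved smbacl4_get_vfs_params has `return 0;` as its only return and no failure path, yet its int return type and the one-line "Gather special parameters" comment leave callers guessing whether non-zero can ever come back; the header comment should state that params is fully overwritten (memset, then the three lp_parm_* lookups), that sid_mapping_table is only zeroed here, and that the return value is currently always 0. `memset(params, 0, sizeof(smbacl4_vfs_params));` is more robust as `memset(params, 0, sizeof *params);` since it then tracks the pointee type automatically. The DEBUG line indexes `enum_smbacl4_modes[params->mode]` and `enum_smbacl4_acedups[params->acedup]` directly, which is only safe because lp_parm_enum returns a listed value or the given default; a short comment saying the tables bound those indices would make that dependency visible.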
@@ -437,54 +485,6 @@ NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn, return smb_get_nt_acl_nfs4_common(&sbuf, security_info, ppdesc, theacl); } -enum smbacl4_mode_enum {e_simple=0, e_special=1}; -enum smbacl4_acedup_enum {e_dontcare=0, e_reject=1, e_ignore=2, e_merge=3}; - -typedef struct _smbacl4_vfs_params { - enum smbacl4_mode_enum mode; - bool do_chown; - enum smbacl4_acedup_enum acedup; - struct db_context *sid_mapping_table; -} smbacl4_vfs_params; - -/* - * Gather special parameters for NFS4 ACL handling - */ -static int smbacl4_get_vfs_params( - const char *type_name, - files_struct *fsp, - smbacl4_vfs_params *params -) -{ - static const struct enum_list enum_smbacl4_modes[] = { - { e_simple, "simple" }, - { e_special, "special" } - }; - static const struct enum_list enum_smbacl4_acedups[] = { - { e_dontcare, "dontcare" }, - { e_reject, "reject" }, - { e_ignore, "ignore" }, - { e_merge, "merge" }, - }; - - memset(params, 0, sizeof(smbacl4_vfs_params)); - params->mode = (enum smbacl4_mode_enum)lp_parm_enum( - SNUM(fsp->conn), type_name, - "mode", enum_smbacl4_modes, e_simple); - params->do_chown = lp_parm_bool(SNUM(fsp->conn), type_name, - "chown", True); - params->acedup = (enum smbacl4_acedup_enum)lp_parm_enum( - SNUM(fsp->conn), type_name, - "acedup", enum_smbacl4_acedups, e_dontcare); - - DEBUG(10, ("mode:%s, do_chown:%s, acedup: %s\n", - enum_smbacl4_modes[params->mode].name, - params->do_chown ? "true" : "false", - enum_smbacl4_acedups[params->acedup].name)); - - return 0; -} - static void smbacl4_dump_nfs4acl(int level, SMB4ACL_T *theacl) { SMB_ACL4_INT_T *aclint = get_validated_aclint(theacl); -- 1.7.5.4 >From 7be98281927a08e9f43b97748f9c56ff0abfa140 Mon Sep 17 00:00:00 2001 
From: Alexander Werth Date: Thu, 26 Jul 2012 17:11:03 +0200 Subject: s3: Change smbacl4_get_vfs_params to use connection_struct instead of fsp. Not all VFS functions are using a files struct. Some are just using a connection struct. But the connection struct is all we really need in smbacl4_get_vfs_params. In particular we need to get the parameters in smb_get_nt_acl_nfs4. --- source3/modules/nfs4_acls.c | 11 ++++++----- 1 files changed, 6 insertions(+), 5 deletions(-) diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index c4864cf..d95d33f 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c @@ -67,7 +67,7 @@ typedef struct _smbacl4_vfs_params { */ static int smbacl4_get_vfs_params( const char *type_name, - files_struct *fsp, + struct connection_struct *conn, smbacl4_vfs_params *params ) { @@ -84,12 +84,12 @@ static int smbacl4_get_vfs_params( memset(params, 0, sizeof(smbacl4_vfs_params)); params->mode = (enum smbacl4_mode_enum)lp_parm_enum( - SNUM(fsp->conn), type_name, + SNUM(conn), type_name, "mode", enum_smbacl4_modes, e_simple); - params->do_chown = lp_parm_bool(SNUM(fsp->conn), type_name, + params->do_chown = lp_parm_bool(SNUM(conn), type_name, "chown", True); params->acedup = (enum smbacl4_acedup_enum)lp_parm_enum( - SNUM(fsp->conn), type_name, + SNUM(conn), type_name, "acedup", enum_smbacl4_acedups, e_dontcare); DEBUG(10, ("mode:%s, do_chown:%s, acedup: %s\n", @@ -810,7 +810,8 @@ NTSTATUS smb_set_nt_acl_nfs4(files_struct *fsp, } /* Special behaviours */ - if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, fsp, ¶ms)) + if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, + fsp->conn, ¶ms)) return NT_STATUS_NO_MEMORY; if (smbacl4_fGetFileOwner(fsp, &sbuf)) -- 1.7.5.4 >From 7d0851fd85a2e970a6717c7898e47684499e5b69 Mon Sep 17 00:00:00 2001 
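Review bot: The rewrapped call in the last hunk leaves a two-line condition controlling an unbraced `return NT_STATUS_NO_MEMORY;`, which is easy to misread and is the shape that produces "goto fail"-style mistakes when a line is added later; brace it as `if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, fsp->conn, &params)) {` / `return NT_STATUS_NO_MEMORY;` / `}`. The new `conn` parameter is only ever passed through SNUM(), so `const struct connection_struct *conn` would document read-only use, provided SNUM() accepts a const pointer (its definition is not visible here). smb_set_nt_acl_nfs4 begins and ends outside the hunk.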
From: Alexander Werth Date: Thu, 26 Jul 2012 17:29:12 +0200 Subject: s3: Add params parameter to smbacl4_nfs42win function. This is needed to get different behavior depending on nfs4:mode in smbacl4_nfs42win. --- source3/modules/nfs4_acls.c | 27 +++++++++++++++++++++------ 1 files changed, 21 insertions(+), 6 deletions(-) diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index d95d33f..7eb83cd 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c @@ -303,7 +303,9 @@ static int smbacl4_fGetFileOwner(files_struct *fsp, SMB_STRUCT_STAT *psbuf) return 0; } -static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, SMB4ACL_T *theacl, /* in */ +static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, + smbacl4_vfs_params *params, + SMB4ACL_T *theacl, /* in */ struct dom_sid *psid_owner, /* in */ struct dom_sid *psid_group, /* in */ bool is_directory, /* in */ @@ -407,10 +409,11 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, SMB4ACL_T *theacl, /* in */ } static NTSTATUS smb_get_nt_acl_nfs4_common(const SMB_STRUCT_STAT *sbuf, + smbacl4_vfs_params *params, uint32 security_info, struct security_descriptor **ppdesc, SMB4ACL_T *theacl) { - int good_aces = 0; + int good_aces = 0; struct dom_sid sid_owner, sid_group; size_t sd_size = 0; struct security_ace *nt_ace_list = NULL; @@ -425,7 +428,7 @@ static NTSTATUS smb_get_nt_acl_nfs4_common(const SMB_STRUCT_STAT *sbuf, uid_to_sid(&sid_owner, sbuf->st_ex_uid); gid_to_sid(&sid_group, sbuf->st_ex_gid); - if (smbacl4_nfs42win(mem_ctx, theacl, &sid_owner, &sid_group, + if (smbacl4_nfs42win(mem_ctx, params, theacl, &sid_owner, &sid_group, S_ISDIR(sbuf->st_ex_mode), &nt_ace_list, &good_aces)==False) { DEBUG(8,("smbacl4_nfs42win failed\n")); @@ -459,6 +462,7 @@ NTSTATUS smb_fget_nt_acl_nfs4(files_struct *fsp, struct security_descriptor **ppdesc, SMB4ACL_T *theacl) { SMB_STRUCT_STAT sbuf; + smbacl4_vfs_params params; DEBUG(10, ("smb_fget_nt_acl_nfs4 invoked for %s\n", fsp_str_dbg(fsp))); 
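Review bot: `smbacl4_vfs_params *params` is added to smbacl4_nfs42win and smb_get_nt_acl_nfs4_common as a mutable pointer although nothing in these hunks writes through it, and the use introduced later in this series only reads params->mode; declare it `const smbacl4_vfs_params *params` in both signatures so the read-only contract is explicit and the callers' stack-allocated `params` cannot be altered behind their back. The `int good_aces = 0;` line in the second hunk is a whitespace-only change unrelated to this commit and clutters the diff. Both functions continue beyond the hunks shown.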
@@ -466,7 +470,12 @@ NTSTATUS smb_fget_nt_acl_nfs4(files_struct *fsp, return map_nt_error_from_unix(errno); } - return smb_get_nt_acl_nfs4_common(&sbuf, security_info, ppdesc, theacl); + /* Special behaviours */ + if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, fsp->conn, ¶ms)) + return NT_STATUS_NO_MEMORY; + + return smb_get_nt_acl_nfs4_common(&sbuf, ¶ms, + security_info, ppdesc, theacl); } NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn, @@ -475,6 +484,7 @@ NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn, struct security_descriptor **ppdesc, SMB4ACL_T *theacl) { SMB_STRUCT_STAT sbuf; + smbacl4_vfs_params params; DEBUG(10, ("smb_get_nt_acl_nfs4 invoked for %s\n", name)); @@ -482,7 +492,12 @@ NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn, return map_nt_error_from_unix(errno); } - return smb_get_nt_acl_nfs4_common(&sbuf, security_info, ppdesc, theacl); + /* Special behaviours */ + if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, conn, ¶ms)) + return NT_STATUS_NO_MEMORY; + + return smb_get_nt_acl_nfs4_common(&sbuf, ¶ms, + security_info, ppdesc, theacl); } static void smbacl4_dump_nfs4acl(int level, SMB4ACL_T *theacl) @@ -518,7 +533,7 @@ static SMB_ACE4PROP_T *smbacl4_find_equal_special( for(aceint = aclint->first; aceint!=NULL; aceint=(SMB_ACE4_INT_T *)aceint->next) { SMB_ACE4PROP_T *ace = &aceint->prop; - DEBUG(10,("ace type:0x%x flags:0x%x aceFlags:0x%x " + DEBUG(10,("ace type:0x%x flags:0x%x aceFlags:0x%x " "new type:0x%x flags:0x%x aceFlags:0x%x\n", ace->aceType, ace->flags, ace->aceFlags, aceNew->aceType, aceNew->flags,aceNew->aceFlags)); -- 1.7.5.4 >From 1310fdc106191281d83f480750e84e62a3ec1ae1 Mon Sep 17 00:00:00 2001 
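Review bot: The two new "Special behaviours" blocks map a non-zero return of smbacl4_get_vfs_params to NT_STATUS_NO_MEMORY, but that helper (first commit in this series) has `return 0;` as its only return, so the status is unreachable today and would misreport any failure added to the helper later; either document in the helper that it always succeeds or return a status that names the real failure. Both blocks also use an unbraced `if (...) return NT_STATUS_NO_MEMORY;` with a long condition; brace them. The same three lines are now duplicated verbatim in smb_fget_nt_acl_nfs4 and smb_get_nt_acl_nfs4, which is worth a shared helper or a comment tying the two copies together. The last hunk in smbacl4_find_equal_special is whitespace only.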
From: Alexander Werth Date: Wed, 25 Apr 2012 15:10:20 +0200 Subject: s3: Mapping of special entries to creator owner in mode simple. The nfs4 inheritonly special id's (owner@ and group@) are behaving similar to the cifs "creator owner" and "creator owner group" ACEs. However if the special ids are not inhertonly they have to be split up into a creator owner part and an explicit non inheriting user ace. --- source3/modules/nfs4_acls.c | 60 ++++++++++++++++++++++++++++++++++++++---- 1 files changed, 54 insertions(+), 6 deletions(-) diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index 7eb83cd..36bae9e 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c @@ -321,9 +321,11 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, DEBUG(10, ("smbacl_nfs42win entered\n")); aclint = get_validated_aclint(theacl); - /* We do not check for naces being 0 or theacl being NULL here because it is done upstream */ - /* in smb_get_nt_acl_nfs4(). */ - nt_ace_list = (struct security_ace *)TALLOC_ZERO_SIZE(mem_ctx, aclint->naces * sizeof(struct security_ace)); + /* We do not check for naces being 0 or theacl being NULL here + because it is done upstream in smb_get_nt_acl_nfs4(). + We reserve twice the number of input aces because one nfs4 + ace might result in 2 nt aces.*/ + nt_ace_list = (struct security_ace *)TALLOC_ZERO_SIZE(mem_ctx, 2 * aclint->naces * sizeof(struct security_ace)); if (nt_ace_list==NULL) { DEBUG(10, ("talloc error")); 
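Review bot: The doubled allocation `TALLOC_ZERO_SIZE(mem_ctx, 2 * aclint->naces * sizeof(struct security_ace))` computes the byte count by hand, so the multiplication is unchecked; talloc's array form does the size check for you: `nt_ace_list = talloc_zero_array(mem_ctx, struct security_ace, 2 * aclint->naces);` (the `2 *` factor can still wrap if naces is a 32-bit count near its maximum — its type is not visible here). The comment's "twice the number" justification depends on the mapping added in the next hunk emitting at most two NT ACEs per NFS4 ACE; adding "keep in sync with the special-id mapping below" to that comment protects the invariant. smbacl4_nfs42win continues outside the hunk.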
@@ -397,11 +399,57 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, if(ace->aceType == SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE) { mask = ace->aceMask | SMB_ACE4_SYNCHRONIZE; } - init_sec_ace(&nt_ace_list[good_aces++], &sid, - ace->aceType, mask, - win_ace_flags); + + /* Mapping of special entries to creator owner. */ + if (params->mode == e_simple && + ace->flags & SMB_ACE4_ID_SPECIAL && + (ace->who.special_id == SMB_ACE4_WHO_OWNER || + ace->who.special_id == SMB_ACE4_WHO_GROUP)) { + DEBUG(10, ("Map special entry\n")); + + if (ace->who.special_id == SMB_ACE4_WHO_OWNER && + win_ace_flags & (SEC_ACE_FLAG_OBJECT_INHERIT | + SEC_ACE_FLAG_CONTAINER_INHERIT)) { + uint32_t win_ace_flags_creator; + DEBUG(10, ("Map creator owner\n")); + win_ace_flags_creator = win_ace_flags | + SMB_ACE4_INHERIT_ONLY_ACE; + init_sec_ace(&nt_ace_list[good_aces++], + &global_sid_Creator_Owner, + ace->aceType, mask, + win_ace_flags_creator); + } + if (ace->who.special_id == SMB_ACE4_WHO_GROUP && + win_ace_flags & (SEC_ACE_FLAG_OBJECT_INHERIT | + SEC_ACE_FLAG_CONTAINER_INHERIT)) { + uint32_t win_ace_flags_creator; + DEBUG(10, ("Map creator owner group\n")); + win_ace_flags_creator = win_ace_flags | + SMB_ACE4_INHERIT_ONLY_ACE; + init_sec_ace(&nt_ace_list[good_aces++], + &global_sid_Creator_Group, + ace->aceType, mask, + win_ace_flags_creator); + } + if (!(win_ace_flags & SEC_ACE_FLAG_INHERIT_ONLY)) { + DEBUG(10, ("Map current sid\n")); + win_ace_flags &= + ~(SEC_ACE_FLAG_OBJECT_INHERIT | + SEC_ACE_FLAG_CONTAINER_INHERIT); + init_sec_ace(&nt_ace_list[good_aces++], &sid, + ace->aceType, mask, + win_ace_flags); + } + } else { + DEBUG(10, ("Map normal sid\n")); + init_sec_ace(&nt_ace_list[good_aces++], &sid, + ace->aceType, mask, + win_ace_flags); + } } + nt_ace_list = (struct security_ace *)TALLOC_REALLOC(mem_ctx, nt_ace_list, good_aces * sizeof(struct security_ace)); + *ppnt_ace_list = nt_ace_list; *pgood_aces = good_aces; -- 1.7.5.4 
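Review bot: In both creator-owner branches the Windows flag word is OR-ed with an NFS4 constant, `win_ace_flags_creator = win_ace_flags | SMB_ACE4_INHERIT_ONLY_ACE;`, while the check a few lines later correctly tests the same word with `SEC_ACE_FLAG_INHERIT_ONLY`; even if the numeric values coincide, this should be `win_ace_flags_creator = win_ace_flags | SEC_ACE_FLAG_INHERIT_ONLY;` in both places so the inherit-only marking does not depend on that coincidence. The shrinking `TALLOC_REALLOC(mem_ctx, nt_ace_list, good_aces * sizeof(struct security_ace))` is assigned straight back to nt_ace_list with no NULL check, and if good_aces ends up 0 the realloc may hand back NULL (depending on talloc's zero-size behaviour) which is then stored in *ppnt_ace_list; check the result, or skip the realloc when good_aces == 0, rather than returning an unexpected NULL list. `ace->flags & SMB_ACE4_ID_SPECIAL` inside the `&&` chain parses as intended but deserves its own parentheses. The enclosing loop and function start outside the hunk.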
>From 6db4dd0371c2b4f8323ee5ba3c4f0a6e255c4658 Mon Sep 17 00:00:00 2001 From: Alexander Werth Date: Thu, 10 May 2012 14:19:41 +0200 Subject: s3: Mapping of cifs creator owner to nfs owner@ ace. The nfs4 inheritonly special id's (owner@ and group@) are behaving similar to the cifs "creator owner" and "creator owner group" ACEs. With this patch the cifs "creator owner" aces are mapped to special ids. This happens in all modes, including the special nfs4:mode. In nfs4:mode special the written special id would be interpreted as explicit user ACEs when reading back the ACEs. So while the creator owner aces previously would have gotten dropped they are now displayed as user aces. But they do still behave like "creator owner" aces. That's why dropping them silently isn't obviously better than always storing them. --- source3/modules/nfs4_acls.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index 36bae9e..a6f9948 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c @@ -698,6 +698,14 @@ static bool smbacl4_fill_ace4( if (dom_sid_equal(&ace_nt->trustee, &global_sid_World)) { ace_v4->who.special_id = SMB_ACE4_WHO_EVERYONE; ace_v4->flags |= SMB_ACE4_ID_SPECIAL; + } else if (dom_sid_equal(&ace_nt->trustee, &global_sid_Creator_Owner)) { + DEBUG(10, ("Map creator owner\n")); + ace_v4->who.special_id = SMB_ACE4_WHO_OWNER; + ace_v4->flags |= SMB_ACE4_ID_SPECIAL; + } else if (dom_sid_equal(&ace_nt->trustee, &global_sid_Creator_Group)) { + DEBUG(10, ("Map creator owner group\n")); + ace_v4->who.special_id = SMB_ACE4_WHO_GROUP; + ace_v4->flags |= SMB_ACE4_ID_SPECIAL; } else { const char *dom, *name; enum lsa_SidType type; -- 1.7.5.4
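Review bot: The new branches decide purely on the trustee SID, so a CREATOR OWNER / CREATOR GROUP ACE that arrives without SEC_ACE_FLAG_INHERIT_ONLY is stored as an owner@ / group@ entry that applies to the current owner immediately, which is broader than the Windows ACE meant (in Windows ACLs these SIDs are only meaningful on inherit-only entries); unless the flag translation elsewhere in smbacl4_fill_ace4 already guarantees this (it is outside the hunk), consider rejecting, or at least logging, such an ACE before the mapping, e.g. `if (!(ace_nt->flags & SEC_ACE_FLAG_INHERIT_ONLY)) { DEBUG(1, ("creator owner ACE without inherit-only flag\n")); }`. The DEBUG strings "Map creator owner" and "Map creator owner group" are identical to those used in the reverse mapping in smbacl4_nfs42win; naming the direction (e.g. "Map creator owner to owner@") keeps level-10 logs unambiguous. The nfs4:mode special read-back asymmetry that the commit message explains is worth a comment at these lines as well.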