The Samba-Bugzilla – Attachment 8284 Details for
Bug 9467
nfsv4 ACLs: CREATOR OWNER should be mapped to the special @owner ACL entry, and named users should not
Patch to modify mapping behaviour of creator owner ACL
simple-mode-with-creator.patch (text/plain), 15.12 KB, created by
Orlando Richards
on 2012-12-05 16:26:05 UTC
Description:
Patch to modify mapping behaviour of creator owner ACL
Filename:
MIME Type:
Creator:
Orlando Richards
Created:
2012-12-05 16:26:05 UTC
Size:
15.12 KB
patch
obsolete
>>From ee0292948f6d43e68ff6020f9f47e76c65583267 Mon Sep 17 00:00:00 2001
>From: Alexander Werth <alexander.werth@xxxxxxxxxx>
>Date: Wed, 25 Jul 2012 16:23:57 +0200
>Subject: s3: Move up declaration of params struct and related function.
>
>We need the parameters earlier in the code so we move up
>the declaration of the params struct. Since reading the
>parameters is closely related the definition of the function
>smbacl4_get_vfs_params has also been moved up.
>---
> source3/modules/nfs4_acls.c | 96 +++++++++++++++++++++---------------------
> 1 files changed, 48 insertions(+), 48 deletions(-)
>
>diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
>index 3f31c5a..c4864cf 100644
>--- a/source3/modules/nfs4_acls.c
>+++ b/source3/modules/nfs4_acls.c
>@@ -52,6 +52,54 @@ typedef struct _SMB_ACL4_INT_T
> SMB_ACE4_INT_T *last;
> } SMB_ACL4_INT_T;
>
>+enum smbacl4_mode_enum {e_simple=0, e_special=1};
>+enum smbacl4_acedup_enum {e_dontcare=0, e_reject=1, e_ignore=2, e_merge=3};
>+
>+typedef struct _smbacl4_vfs_params {
>+ enum smbacl4_mode_enum mode;
>+ bool do_chown;
>+ enum smbacl4_acedup_enum acedup;
>+ struct db_context *sid_mapping_table;
>+} smbacl4_vfs_params;
>+
>+/*
>+ * Gather special parameters for NFS4 ACL handling
>+ */
>+static int smbacl4_get_vfs_params(
>+ const char *type_name,
>+ files_struct *fsp,
>+ smbacl4_vfs_params *params
>+)
>+{
>+ static const struct enum_list enum_smbacl4_modes[] = {
>+ { e_simple, "simple" },
>+ { e_special, "special" }
>+ };
>+ static const struct enum_list enum_smbacl4_acedups[] = {
>+ { e_dontcare, "dontcare" },
>+ { e_reject, "reject" },
>+ { e_ignore, "ignore" },
>+ { e_merge, "merge" },
>+ };
>+
>+ memset(params, 0, sizeof(smbacl4_vfs_params));
>+ params->mode = (enum smbacl4_mode_enum)lp_parm_enum(
>+ SNUM(fsp->conn), type_name,
>+ "mode", enum_smbacl4_modes, e_simple);
>+ params->do_chown = lp_parm_bool(SNUM(fsp->conn), type_name,
>+ "chown", True);
>+ params->acedup = (enum smbacl4_acedup_enum)lp_parm_enum(
>+ SNUM(fsp->conn), type_name,
>+ "acedup", enum_smbacl4_acedups, e_dontcare);
>+
>+ DEBUG(10, ("mode:%s, do_chown:%s, acedup: %s\n",
>+ enum_smbacl4_modes[params->mode].name,
>+ params->do_chown ? "true" : "false",
>+ enum_smbacl4_acedups[params->acedup].name));
>+
>+ return 0;
>+}
>+
> /************************************************
> Split the ACE flag mapping between nfs4 and Windows
> into two separate functions rather than trying to do
>@@ -437,54 +485,6 @@ NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn,
> return smb_get_nt_acl_nfs4_common(&sbuf, security_info, ppdesc, theacl);
> }
>
>-enum smbacl4_mode_enum {e_simple=0, e_special=1};
>-enum smbacl4_acedup_enum {e_dontcare=0, e_reject=1, e_ignore=2, e_merge=3};
>-
>-typedef struct _smbacl4_vfs_params {
>- enum smbacl4_mode_enum mode;
>- bool do_chown;
>- enum smbacl4_acedup_enum acedup;
>- struct db_context *sid_mapping_table;
>-} smbacl4_vfs_params;
>-
>-/*
>- * Gather special parameters for NFS4 ACL handling
>- */
>-static int smbacl4_get_vfs_params(
>- const char *type_name,
>- files_struct *fsp,
>- smbacl4_vfs_params *params
>-)
>-{
>- static const struct enum_list enum_smbacl4_modes[] = {
>- { e_simple, "simple" },
>- { e_special, "special" }
>- };
>- static const struct enum_list enum_smbacl4_acedups[] = {
>- { e_dontcare, "dontcare" },
>- { e_reject, "reject" },
>- { e_ignore, "ignore" },
>- { e_merge, "merge" },
>- };
>-
>- memset(params, 0, sizeof(smbacl4_vfs_params));
>- params->mode = (enum smbacl4_mode_enum)lp_parm_enum(
>- SNUM(fsp->conn), type_name,
>- "mode", enum_smbacl4_modes, e_simple);
>- params->do_chown = lp_parm_bool(SNUM(fsp->conn), type_name,
>- "chown", True);
>- params->acedup = (enum smbacl4_acedup_enum)lp_parm_enum(
>- SNUM(fsp->conn), type_name,
>- "acedup", enum_smbacl4_acedups, e_dontcare);
>-
>- DEBUG(10, ("mode:%s, do_chown:%s, acedup: %s\n",
>- enum_smbacl4_modes[params->mode].name,
>- params->do_chown ? "true" : "false",
>- enum_smbacl4_acedups[params->acedup].name));
>-
>- return 0;
>-}
>-
> static void smbacl4_dump_nfs4acl(int level, SMB4ACL_T *theacl)
> {
> SMB_ACL4_INT_T *aclint = get_validated_aclint(theacl);
>--
>1.7.5.4
>
>
>>From 7be98281927a08e9f43b97748f9c56ff0abfa140 Mon Sep 17 00:00:00 2001
>From: Alexander Werth <alexander.werth@xxxxxxxxxx>
>Date: Thu, 26 Jul 2012 17:11:03 +0200
>Subject: s3: Change smbacl4_get_vfs_params to use connection_struct instead
> of fsp.
>
>Not all VFS functions are using a files struct. Some are just using
>a connection struct. But the connection struct is all we really need
>in smbacl4_get_vfs_params.
>In particular we need to get the parameters in smb_get_nt_acl_nfs4.
>---
> source3/modules/nfs4_acls.c | 11 ++++++-----
> 1 files changed, 6 insertions(+), 5 deletions(-)
>
>diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
>index c4864cf..d95d33f 100644
>--- a/source3/modules/nfs4_acls.c
>+++ b/source3/modules/nfs4_acls.c
>@@ -67,7 +67,7 @@ typedef struct _smbacl4_vfs_params {
> */
> static int smbacl4_get_vfs_params(
> const char *type_name,
>- files_struct *fsp,
>+ struct connection_struct *conn,
> smbacl4_vfs_params *params
> )
> {
>@@ -84,12 +84,12 @@ static int smbacl4_get_vfs_params(
>
> memset(params, 0, sizeof(smbacl4_vfs_params));
> params->mode = (enum smbacl4_mode_enum)lp_parm_enum(
>- SNUM(fsp->conn), type_name,
>+ SNUM(conn), type_name,
> "mode", enum_smbacl4_modes, e_simple);
>- params->do_chown = lp_parm_bool(SNUM(fsp->conn), type_name,
>+ params->do_chown = lp_parm_bool(SNUM(conn), type_name,
> "chown", True);
> params->acedup = (enum smbacl4_acedup_enum)lp_parm_enum(
>- SNUM(fsp->conn), type_name,
>+ SNUM(conn), type_name,
> "acedup", enum_smbacl4_acedups, e_dontcare);
>
> DEBUG(10, ("mode:%s, do_chown:%s, acedup: %s\n",
>@@ -810,7 +810,8 @@ NTSTATUS smb_set_nt_acl_nfs4(files_struct *fsp,
> }
>
> /* Special behaviours */
>- if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, fsp, ¶ms))
>+ if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME,
>+ fsp->conn, ¶ms))
> return NT_STATUS_NO_MEMORY;
>
> if (smbacl4_fGetFileOwner(fsp, &sbuf))
>--
>1.7.5.4
>
>
>>From 7d0851fd85a2e970a6717c7898e47684499e5b69 Mon Sep 17 00:00:00 2001
>From: Alexander Werth <alexander.werth@xxxxxxxxxx>
>Date: Thu, 26 Jul 2012 17:29:12 +0200
>Subject: s3: Add params parameter to smbacl4_nfs42win function.
>
>This is needed to get different behavior depending on nfs4:mode
>in smbacl4_nfs42win.
>---
> source3/modules/nfs4_acls.c | 27 +++++++++++++++++++++------
> 1 files changed, 21 insertions(+), 6 deletions(-)
>
>diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
>index d95d33f..7eb83cd 100644
>--- a/source3/modules/nfs4_acls.c
>+++ b/source3/modules/nfs4_acls.c
>@@ -303,7 +303,9 @@ static int smbacl4_fGetFileOwner(files_struct *fsp, SMB_STRUCT_STAT *psbuf)
> return 0;
> }
>
>-static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, SMB4ACL_T *theacl, /* in */
>+static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx,
>+ smbacl4_vfs_params *params,
>+ SMB4ACL_T *theacl, /* in */
> struct dom_sid *psid_owner, /* in */
> struct dom_sid *psid_group, /* in */
> bool is_directory, /* in */
>@@ -407,10 +409,11 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, SMB4ACL_T *theacl, /* in */
> }
>
> static NTSTATUS smb_get_nt_acl_nfs4_common(const SMB_STRUCT_STAT *sbuf,
>+ smbacl4_vfs_params *params,
> uint32 security_info,
> struct security_descriptor **ppdesc, SMB4ACL_T *theacl)
> {
>- int good_aces = 0;
>+ int good_aces = 0;
> struct dom_sid sid_owner, sid_group;
> size_t sd_size = 0;
> struct security_ace *nt_ace_list = NULL;
>@@ -425,7 +428,7 @@ static NTSTATUS smb_get_nt_acl_nfs4_common(const SMB_STRUCT_STAT *sbuf,
> uid_to_sid(&sid_owner, sbuf->st_ex_uid);
> gid_to_sid(&sid_group, sbuf->st_ex_gid);
>
>- if (smbacl4_nfs42win(mem_ctx, theacl, &sid_owner, &sid_group,
>+ if (smbacl4_nfs42win(mem_ctx, params, theacl, &sid_owner, &sid_group,
> S_ISDIR(sbuf->st_ex_mode),
> &nt_ace_list, &good_aces)==False) {
> DEBUG(8,("smbacl4_nfs42win failed\n"));
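Review bot: The new `smbacl4_vfs_params *params` parameter of smbacl4_nfs42win and smb_get_nt_acl_nfs4_common is passed as a writable pointer although the mapping side only ever needs to read the share configuration; declaring it `const smbacl4_vfs_params *params,` in both signatures (and in the forwarding call) makes it explicit that ACL conversion cannot change the effective nfs4:mode or nfs4:chown settings mid-request. The `- int good_aces = 0;` / `+ int good_aces = 0;` pair in the second hunk is a whitespace-only edit that does not belong in a signature-change commit and hides the real change in the diffstat. Both function bodies continue outside these hunks.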
>@@ -459,6 +462,7 @@ NTSTATUS smb_fget_nt_acl_nfs4(files_struct *fsp,
> struct security_descriptor **ppdesc, SMB4ACL_T *theacl)
> {
> SMB_STRUCT_STAT sbuf;
>+ smbacl4_vfs_params params;
>
> DEBUG(10, ("smb_fget_nt_acl_nfs4 invoked for %s\n", fsp_str_dbg(fsp)));
>
>@@ -466,7 +470,12 @@ NTSTATUS smb_fget_nt_acl_nfs4(files_struct *fsp,
> return map_nt_error_from_unix(errno);
> }
>
>- return smb_get_nt_acl_nfs4_common(&sbuf, security_info, ppdesc, theacl);
>+ /* Special behaviours */
>+ if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, fsp->conn, ¶ms))
>+ return NT_STATUS_NO_MEMORY;
>+
>+ return smb_get_nt_acl_nfs4_common(&sbuf, ¶ms,
>+ security_info, ppdesc, theacl);
> }
>
> NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn,
>@@ -475,6 +484,7 @@ NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn,
> struct security_descriptor **ppdesc, SMB4ACL_T *theacl)
> {
> SMB_STRUCT_STAT sbuf;
>+ smbacl4_vfs_params params;
>
> DEBUG(10, ("smb_get_nt_acl_nfs4 invoked for %s\n", name));
>
>@@ -482,7 +492,12 @@ NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn,
> return map_nt_error_from_unix(errno);
> }
>
>- return smb_get_nt_acl_nfs4_common(&sbuf, security_info, ppdesc, theacl);
>+ /* Special behaviours */
>+ if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, conn, ¶ms))
>+ return NT_STATUS_NO_MEMORY;
>+
>+ return smb_get_nt_acl_nfs4_common(&sbuf, ¶ms,
>+ security_info, ppdesc, theacl);
> }
>
> static void smbacl4_dump_nfs4acl(int level, SMB4ACL_T *theacl)
>@@ -518,7 +533,7 @@ static SMB_ACE4PROP_T *smbacl4_find_equal_special(
> for(aceint = aclint->first; aceint!=NULL; aceint=(SMB_ACE4_INT_T *)aceint->next) {
> SMB_ACE4PROP_T *ace = &aceint->prop;
>
>- DEBUG(10,("ace type:0x%x flags:0x%x aceFlags:0x%x "
>+ DEBUG(10,("ace type:0x%x flags:0x%x aceFlags:0x%x "
> "new type:0x%x flags:0x%x aceFlags:0x%x\n",
> ace->aceType, ace->flags, ace->aceFlags,
> aceNew->aceType, aceNew->flags,aceNew->aceFlags));
>--
>1.7.5.4
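Review bot: The two new `return NT_STATUS_NO_MEMORY;` branches in smb_fget_nt_acl_nfs4 and smb_get_nt_acl_nfs4 copy a pattern whose error code does not describe the failure: smbacl4_get_vfs_params, as moved in the first patch of this series, returns 0 unconditionally, so the branch is dead today, and if the helper ever did fail the caller would report an out-of-memory condition for what is a share-parameter lookup. Either make the helper `void` and drop both checks, or have it return an NTSTATUS that the callers pass through with `if (!NT_STATUS_IS_OK(status)) return status;`. The re-indented `DEBUG(10,("ace type:0x%x flags:0x%x aceFlags:0x%x "` line in the last hunk is a whitespace-only change unrelated to this commit. The bodies of smb_fget_nt_acl_nfs4 and smb_get_nt_acl_nfs4 start outside their hunks.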
>
>
>>From 1310fdc106191281d83f480750e84e62a3ec1ae1 Mon Sep 17 00:00:00 2001
>From: Alexander Werth <alexander.werth@xxxxxxxxxx>
>Date: Wed, 25 Apr 2012 15:10:20 +0200
>Subject: s3: Mapping of special entries to creator owner in mode simple.
>
>The nfs4 inheritonly special id's (owner@ and group@) are behaving
>similar to the cifs "creator owner" and "creator owner group" ACEs.
>However if the special ids are not inhertonly they have to be split
>up into a creator owner part and an explicit non inheriting user ace.
>---
> source3/modules/nfs4_acls.c | 60 ++++++++++++++++++++++++++++++++++++++----
> 1 files changed, 54 insertions(+), 6 deletions(-)
>
>diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
>index 7eb83cd..36bae9e 100644
>--- a/source3/modules/nfs4_acls.c
>+++ b/source3/modules/nfs4_acls.c
>@@ -321,9 +321,11 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx,
> DEBUG(10, ("smbacl_nfs42win entered\n"));
>
> aclint = get_validated_aclint(theacl);
>- /* We do not check for naces being 0 or theacl being NULL here because it is done upstream */
>- /* in smb_get_nt_acl_nfs4(). */
>- nt_ace_list = (struct security_ace *)TALLOC_ZERO_SIZE(mem_ctx, aclint->naces * sizeof(struct security_ace));
>+ /* We do not check for naces being 0 or theacl being NULL here
>+ because it is done upstream in smb_get_nt_acl_nfs4().
>+ We reserve twice the number of input aces because one nfs4
>+ ace might result in 2 nt aces.*/
>+ nt_ace_list = (struct security_ace *)TALLOC_ZERO_SIZE(mem_ctx, 2 * aclint->naces * sizeof(struct security_ace));
> if (nt_ace_list==NULL)
> {
> DEBUG(10, ("talloc error"));
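Review bot: The new `TALLOC_ZERO_SIZE(mem_ctx, 2 * aclint->naces * sizeof(struct security_ace))` computes the byte count by hand, so a large naces read from the filesystem ACL wraps silently before the allocation and the later per-ace writes run past the buffer; `talloc_zero_array(mem_ctx, struct security_ace, 2 * aclint->naces)` does the element-count multiplication with overflow checking and returns a typed pointer, which also drops the cast. Whether the doubling itself can overflow depends on the type of naces, which is not visible in this hunk. The comment would be easier to verify against the loop if it stated the bound directly, e.g. `/* at most two NT aces per nfs4 ace: creator owner/group plus the explicit entry */`. smbacl4_nfs42win continues past the end of this hunk.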
>@@ -397,11 +399,57 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx,
> if(ace->aceType == SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE) {
> mask = ace->aceMask | SMB_ACE4_SYNCHRONIZE;
> }
>- init_sec_ace(&nt_ace_list[good_aces++], &sid,
>- ace->aceType, mask,
>- win_ace_flags);
>+
>+ /* Mapping of special entries to creator owner. */
>+ if (params->mode == e_simple &&
>+ ace->flags & SMB_ACE4_ID_SPECIAL &&
>+ (ace->who.special_id == SMB_ACE4_WHO_OWNER ||
>+ ace->who.special_id == SMB_ACE4_WHO_GROUP)) {
>+ DEBUG(10, ("Map special entry\n"));
>+
>+ if (ace->who.special_id == SMB_ACE4_WHO_OWNER &&
>+ win_ace_flags & (SEC_ACE_FLAG_OBJECT_INHERIT |
>+ SEC_ACE_FLAG_CONTAINER_INHERIT)) {
>+ uint32_t win_ace_flags_creator;
>+ DEBUG(10, ("Map creator owner\n"));
>+ win_ace_flags_creator = win_ace_flags |
>+ SMB_ACE4_INHERIT_ONLY_ACE;
>+ init_sec_ace(&nt_ace_list[good_aces++],
>+ &global_sid_Creator_Owner,
>+ ace->aceType, mask,
>+ win_ace_flags_creator);
>+ }
>+ if (ace->who.special_id == SMB_ACE4_WHO_GROUP &&
>+ win_ace_flags & (SEC_ACE_FLAG_OBJECT_INHERIT |
>+ SEC_ACE_FLAG_CONTAINER_INHERIT)) {
>+ uint32_t win_ace_flags_creator;
>+ DEBUG(10, ("Map creator owner group\n"));
>+ win_ace_flags_creator = win_ace_flags |
>+ SMB_ACE4_INHERIT_ONLY_ACE;
>+ init_sec_ace(&nt_ace_list[good_aces++],
>+ &global_sid_Creator_Group,
>+ ace->aceType, mask,
>+ win_ace_flags_creator);
>+ }
>+ if (!(win_ace_flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
>+ DEBUG(10, ("Map current sid\n"));
>+ win_ace_flags &=
>+ ~(SEC_ACE_FLAG_OBJECT_INHERIT |
>+ SEC_ACE_FLAG_CONTAINER_INHERIT);
>+ init_sec_ace(&nt_ace_list[good_aces++], &sid,
>+ ace->aceType, mask,
>+ win_ace_flags);
>+ }
>+ } else {
>+ DEBUG(10, ("Map normal sid\n"));
>+ init_sec_ace(&nt_ace_list[good_aces++], &sid,
>+ ace->aceType, mask,
>+ win_ace_flags);
>+ }
> }
>
>+ nt_ace_list = (struct security_ace *)TALLOC_REALLOC(mem_ctx, nt_ace_list, good_aces * sizeof(struct security_ace));
>+
> *ppnt_ace_list = nt_ace_list;
> *pgood_aces = good_aces;
>
>--
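Review bot: Both `win_ace_flags_creator = win_ace_flags | SMB_ACE4_INHERIT_ONLY_ACE;` assignments OR an NFS4 ace-flag constant into a Windows ACE flag word; the same hunk tests the Windows-side `SEC_ACE_FLAG_INHERIT_ONLY` a few lines further down, and that is the constant that belongs in a value handed to init_sec_ace — if the two bit values ever diverge, the CREATOR OWNER entry would stop being inherit-only and would grant the owner direct access. The closing `nt_ace_list = (struct security_ace *)TALLOC_REALLOC(...)` overwrites the only pointer to the list without checking the result: on allocation failure the caller is handed NULL together with a non-zero `*pgood_aces`, and when good_aces is 0 a shrink to size zero releases the buffer while the function still reports success. Keep the realloc result in a temporary, commit it only when non-NULL, and skip the shrink for an empty result. The start of smbacl4_nfs42win is outside this hunk.
```c
		/* … unchanged: per-ace loop; both win_ace_flags_creator assignments use
		   SEC_ACE_FLAG_INHERIT_ONLY instead of SMB_ACE4_INHERIT_ONLY_ACE … */
	}

	if (good_aces > 0) {
		struct security_ace *shrunk = (struct security_ace *)TALLOC_REALLOC(
			mem_ctx, nt_ace_list,
			good_aces * sizeof(struct security_ace));
		/* on failure the original, larger list is still valid and owned by mem_ctx */
		if (shrunk != NULL) {
			nt_ace_list = shrunk;
		}
	}

	*ppnt_ace_list = nt_ace_list;
	*pgood_aces = good_aces;
```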
>1.7.5.4
>
>
>>From 6db4dd0371c2b4f8323ee5ba3c4f0a6e255c4658 Mon Sep 17 00:00:00 2001
>From: Alexander Werth <alexander.werth@xxxxxxxxxx>
>Date: Thu, 10 May 2012 14:19:41 +0200
>Subject: s3: Mapping of cifs creator owner to nfs owner@ ace.
>
>The nfs4 inheritonly special id's (owner@ and group@) are behaving
>similar to the cifs "creator owner" and "creator owner group" ACEs.
>With this patch the cifs "creator owner" aces are mapped to special
>ids. This happens in all modes, including the special nfs4:mode.
>In nfs4:mode special the written special id would be interpreted as
>explicit user ACEs when reading back the ACEs. So while the creator
>owner aces previously would have gotten dropped they are now
>displayed as user aces. But they do still behave like "creator owner"
>aces. That's why dropping them silently isn't obviously better than
>always storing them.
>---
> source3/modules/nfs4_acls.c | 8 ++++++++
> 1 files changed, 8 insertions(+), 0 deletions(-)
>
>diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
>index 36bae9e..a6f9948 100644
>--- a/source3/modules/nfs4_acls.c
>+++ b/source3/modules/nfs4_acls.c
>@@ -698,6 +698,14 @@ static bool smbacl4_fill_ace4(
> if (dom_sid_equal(&ace_nt->trustee, &global_sid_World)) {
> ace_v4->who.special_id = SMB_ACE4_WHO_EVERYONE;
> ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
>+ } else if (dom_sid_equal(&ace_nt->trustee, &global_sid_Creator_Owner)) {
>+ DEBUG(10, ("Map creator owner\n"));
>+ ace_v4->who.special_id = SMB_ACE4_WHO_OWNER;
>+ ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
>+ } else if (dom_sid_equal(&ace_nt->trustee, &global_sid_Creator_Group)) {
>+ DEBUG(10, ("Map creator owner group\n"));
>+ ace_v4->who.special_id = SMB_ACE4_WHO_GROUP;
>+ ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
> } else {
> const char *dom, *name;
> enum lsa_SidType type;
>--
>1.7.5.4
>
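Review bot: The new CREATOR OWNER and CREATOR GROUP branches map the trustee to `SMB_ACE4_WHO_OWNER` / `SMB_ACE4_WHO_GROUP` without looking at the inheritance flags of the incoming NT ace; on Windows those SIDs are placeholders that only take effect through inheritance, whereas owner@ and group@ are live principals, so a client-supplied CREATOR OWNER ace that lacks INHERIT_ONLY would become a direct grant to the current owner of this object — assuming the NT flags are carried over to `ace_v4->aceFlags` unchanged in the part of smbacl4_fill_ace4 outside this hunk. Consider restricting the mapping to inheritable entries, e.g. `} else if (dom_sid_equal(&ace_nt->trustee, &global_sid_Creator_Owner) && (ace_nt->flags & SEC_ACE_FLAG_INHERIT_ONLY)) {`, and letting anything else fall through to the existing lookup path as before. The commit message already concedes that in nfs4:mode special the stored entry reads back as a plain user ace, so a comment on the branch stating that the mapping is one-way in that mode would save the next reader a trip to the log. smbacl4_fill_ace4 starts before and ends after this hunk.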