The Samba-Bugzilla – Attachment 8367 Details for
Bug 9467
nfsv4 ACLs: CREATOR OWNER should be mapped to the special @owner ACL entry, and named users should not
[patch]
Patches adding creator owner support to nfs4:mode simple
simple-mode-with-creator.patch (text/plain), 13.87 KB, created by
Alexander Werth
on 2012-12-25 22:40:24 UTC
Description:
Patches adding creator owner support to nfs4:mode simple
Creator:
Alexander Werth
Created:
2012-12-25 22:40:24 UTC
Size:
13.87 KB
>From 58721f9b42b492e3b8b1a8061d2c27f23e3051d8 Mon Sep 17 00:00:00 2001
>From: Alexander Werth <alexander.werth@de.ibm.com>
>Date: Wed, 25 Jul 2012 16:23:57 +0200
>Subject: [PATCH 1/5] s3: Move up declaration of params struct and related
> function.
>
>We need the parameters earlier in the code so we move up
>the declaration of the params struct. Since reading the
>parameters is closely related the definition of the function
>smbacl4_get_vfs_params has also been moved up.
>---
> source3/modules/nfs4_acls.c | 98 +++++++++++++++++++++----------------------
> 1 file changed, 49 insertions(+), 49 deletions(-)
>
>diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
>index 67db6b0..b2a5406 100644
>--- a/source3/modules/nfs4_acls.c
>+++ b/source3/modules/nfs4_acls.c
>@@ -54,6 +54,55 @@ typedef struct _SMB_ACL4_INT_T
> SMB_ACE4_INT_T *last;
> } SMB_ACL4_INT_T;
>
>+enum smbacl4_mode_enum {e_simple=0, e_special=1};
>+enum smbacl4_acedup_enum {e_dontcare=0, e_reject=1, e_ignore=2, e_merge=3};
>+
>+typedef struct _smbacl4_vfs_params {
>+ enum smbacl4_mode_enum mode;
>+ bool do_chown;
>+ enum smbacl4_acedup_enum acedup;
>+} smbacl4_vfs_params;
>+
>+/*
>+ * Gather special parameters for NFS4 ACL handling
>+ */
>+static int smbacl4_get_vfs_params(
>+ const char *type_name,
>+ files_struct *fsp,
>+ smbacl4_vfs_params *params
>+)
>+{
>+ static const struct enum_list enum_smbacl4_modes[] = {
>+ { e_simple, "simple" },
>+ { e_special, "special" },
>+ { -1 , NULL }
>+ };
>+ static const struct enum_list enum_smbacl4_acedups[] = {
>+ { e_dontcare, "dontcare" },
>+ { e_reject, "reject" },
>+ { e_ignore, "ignore" },
>+ { e_merge, "merge" },
>+ { -1 , NULL }
>+ };
>+
>+ memset(params, 0, sizeof(smbacl4_vfs_params));
>+ params->mode = (enum smbacl4_mode_enum)lp_parm_enum(
>+ SNUM(fsp->conn), type_name,
>+ "mode", enum_smbacl4_modes, e_simple);
>+ params->do_chown = lp_parm_bool(SNUM(fsp->conn), type_name,
>+ "chown", True);
>+ params->acedup = (enum smbacl4_acedup_enum)lp_parm_enum(
>+ SNUM(fsp->conn), type_name,
>+ "acedup", enum_smbacl4_acedups, e_dontcare);
>+
>+ DEBUG(10, ("mode:%s, do_chown:%s, acedup: %s\n",
>+ enum_smbacl4_modes[params->mode].name,
>+ params->do_chown ? "true" : "false",
>+ enum_smbacl4_acedups[params->acedup].name));
>+
>+ return 0;
>+}
>+
> /************************************************
> Split the ACE flag mapping between nfs4 and Windows
> into two separate functions rather than trying to do
>@@ -461,55 +510,6 @@ NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn,
> theacl);
> }
>
>-enum smbacl4_mode_enum {e_simple=0, e_special=1};
>-enum smbacl4_acedup_enum {e_dontcare=0, e_reject=1, e_ignore=2, e_merge=3};
>-
>-typedef struct _smbacl4_vfs_params {
>- enum smbacl4_mode_enum mode;
>- bool do_chown;
>- enum smbacl4_acedup_enum acedup;
>-} smbacl4_vfs_params;
>-
>-/*
>- * Gather special parameters for NFS4 ACL handling
>- */
>-static int smbacl4_get_vfs_params(
>- const char *type_name,
>- files_struct *fsp,
>- smbacl4_vfs_params *params
>-)
>-{
>- static const struct enum_list enum_smbacl4_modes[] = {
>- { e_simple, "simple" },
>- { e_special, "special" },
>- { -1 , NULL }
>- };
>- static const struct enum_list enum_smbacl4_acedups[] = {
>- { e_dontcare, "dontcare" },
>- { e_reject, "reject" },
>- { e_ignore, "ignore" },
>- { e_merge, "merge" },
>- { -1 , NULL }
>- };
>-
>- memset(params, 0, sizeof(smbacl4_vfs_params));
>- params->mode = (enum smbacl4_mode_enum)lp_parm_enum(
>- SNUM(fsp->conn), type_name,
>- "mode", enum_smbacl4_modes, e_simple);
>- params->do_chown = lp_parm_bool(SNUM(fsp->conn), type_name,
>- "chown", True);
>- params->acedup = (enum smbacl4_acedup_enum)lp_parm_enum(
>- SNUM(fsp->conn), type_name,
>- "acedup", enum_smbacl4_acedups, e_dontcare);
>-
>- DEBUG(10, ("mode:%s, do_chown:%s, acedup: %s\n",
>- enum_smbacl4_modes[params->mode].name,
>- params->do_chown ? "true" : "false",
>- enum_smbacl4_acedups[params->acedup].name));
>-
>- return 0;
>-}
>-
> static void smbacl4_dump_nfs4acl(int level, SMB4ACL_T *theacl)
> {
> SMB_ACL4_INT_T *aclint = get_validated_aclint(theacl);
>--
>1.7.9.5
>
>From 2fe0b651d00e4e4c9bf6707cf6b52d55f4b69f6b Mon Sep 17 00:00:00 2001
>From: Alexander Werth <alexander.werth@de.ibm.com>
>Date: Thu, 26 Jul 2012 17:11:03 +0200
>Subject: [PATCH 2/5] s3: Change smbacl4_get_vfs_params to use
> connection_struct instead of fsp.
>
>---
> source3/modules/nfs4_acls.c | 11 ++++++-----
> 1 file changed, 6 insertions(+), 5 deletions(-)
>
>diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
>index b2a5406..7a064be 100644
>--- a/source3/modules/nfs4_acls.c
>+++ b/source3/modules/nfs4_acls.c
>@@ -68,7 +68,7 @@ typedef struct _smbacl4_vfs_params {
> */
> static int smbacl4_get_vfs_params(
> const char *type_name,
>- files_struct *fsp,
>+ struct connection_struct *conn,
> smbacl4_vfs_params *params
> )
> {
>@@ -87,12 +87,12 @@ static int smbacl4_get_vfs_params(
>
> memset(params, 0, sizeof(smbacl4_vfs_params));
> params->mode = (enum smbacl4_mode_enum)lp_parm_enum(
>- SNUM(fsp->conn), type_name,
>+ SNUM(conn), type_name,
> "mode", enum_smbacl4_modes, e_simple);
>- params->do_chown = lp_parm_bool(SNUM(fsp->conn), type_name,
>+ params->do_chown = lp_parm_bool(SNUM(conn), type_name,
> "chown", True);
> params->acedup = (enum smbacl4_acedup_enum)lp_parm_enum(
>- SNUM(fsp->conn), type_name,
>+ SNUM(conn), type_name,
> "acedup", enum_smbacl4_acedups, e_dontcare);
>
> DEBUG(10, ("mode:%s, do_chown:%s, acedup: %s\n",
>@@ -761,7 +761,8 @@ NTSTATUS smb_set_nt_acl_nfs4(files_struct *fsp,
> }
>
> /* Special behaviours */
>- if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, fsp, ¶ms))
>+ if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME,
>+ fsp->conn, ¶ms))
> return NT_STATUS_NO_MEMORY;
>
> if (smbacl4_fGetFileOwner(fsp, &sbuf))
>--
>1.7.9.5
>
>From e537df44d71612607ac5e18e7327ba2bcbba0f6c Mon Sep 17 00:00:00 2001
>From: Alexander Werth <alexander.werth@de.ibm.com>
>Date: Thu, 26 Jul 2012 17:29:12 +0200
>Subject: [PATCH 3/5] s3: Add params parameter to smbacl4_nfs42win function.
>
>---
> source3/modules/nfs4_acls.c | 37 +++++++++++++++++++++++++------------
> 1 file changed, 25 insertions(+), 12 deletions(-)
>
>diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
>index 7a064be..5bb4847 100644
>--- a/source3/modules/nfs4_acls.c
>+++ b/source3/modules/nfs4_acls.c
>@@ -308,7 +308,9 @@ static int smbacl4_fGetFileOwner(files_struct *fsp, SMB_STRUCT_STAT *psbuf)
> return 0;
> }
>
>-static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, SMB4ACL_T *theacl, /* in */
>+static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx,
>+ smbacl4_vfs_params *params,
>+ SMB4ACL_T *theacl, /* in */
> struct dom_sid *psid_owner, /* in */
> struct dom_sid *psid_group, /* in */
> bool is_directory, /* in */
>@@ -418,10 +420,13 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, SMB4ACL_T *theacl, /* in */
> }
>
> static NTSTATUS smb_get_nt_acl_nfs4_common(const SMB_STRUCT_STAT *sbuf,
>- uint32 security_info, TALLOC_CTX *mem_ctx,
>- struct security_descriptor **ppdesc, SMB4ACL_T *theacl)
>+ smbacl4_vfs_params *params,
>+ uint32 security_info,
>+ TALLOC_CTX *mem_ctx,
>+ struct security_descriptor **ppdesc,
>+ SMB4ACL_T *theacl)
> {
>- int good_aces = 0;
>+ int good_aces = 0;
> struct dom_sid sid_owner, sid_group;
> size_t sd_size = 0;
> struct security_ace *nt_ace_list = NULL;
>@@ -436,7 +441,7 @@ static NTSTATUS smb_get_nt_acl_nfs4_common(const SMB_STRUCT_STAT *sbuf,
> uid_to_sid(&sid_owner, sbuf->st_ex_uid);
> gid_to_sid(&sid_group, sbuf->st_ex_gid);
>
>- if (smbacl4_nfs42win(mem_ctx, theacl, &sid_owner, &sid_group,
>+ if (smbacl4_nfs42win(mem_ctx, params, theacl, &sid_owner, &sid_group,
> S_ISDIR(sbuf->st_ex_mode),
> &nt_ace_list, &good_aces)==False) {
> DEBUG(8,("smbacl4_nfs42win failed\n"));
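Review bot: The new `params` argument of `smbacl4_nfs42win` (hunk @@ -308,7) and of `smb_get_nt_acl_nfs4_common` (hunk @@ -418,10) is a mutable pointer, although nothing in this patch writes through it and the next patch in the series only reads `params->mode`. Declaring it `const smbacl4_vfs_params *params` in both signatures would make it explicit that the ACL translation path cannot alter the share's configured behaviour. Both function bodies continue outside the hunks.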
>@@ -478,6 +483,7 @@ NTSTATUS smb_fget_nt_acl_nfs4(files_struct *fsp,
> SMB4ACL_T *theacl)
> {
> SMB_STRUCT_STAT sbuf;
>+ smbacl4_vfs_params params;
>
> DEBUG(10, ("smb_fget_nt_acl_nfs4 invoked for %s\n", fsp_str_dbg(fsp)));
>
>@@ -485,9 +491,12 @@ NTSTATUS smb_fget_nt_acl_nfs4(files_struct *fsp,
> return map_nt_error_from_unix(errno);
> }
>
>- return smb_get_nt_acl_nfs4_common(&sbuf, security_info,
>- mem_ctx, ppdesc,
>- theacl);
>+ /* Special behaviours */
>+ if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, fsp->conn, ¶ms))
>+ return NT_STATUS_NO_MEMORY;
>+
>+ return smb_get_nt_acl_nfs4_common(&sbuf, ¶ms, security_info,
>+ mem_ctx, ppdesc, theacl);
> }
>
> NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn,
>@@ -498,6 +507,7 @@ NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn,
> SMB4ACL_T *theacl)
> {
> SMB_STRUCT_STAT sbuf;
>+ smbacl4_vfs_params params;
>
> DEBUG(10, ("smb_get_nt_acl_nfs4 invoked for %s\n", name));
>
>@@ -505,9 +515,12 @@ NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn,
> return map_nt_error_from_unix(errno);
> }
>
>- return smb_get_nt_acl_nfs4_common(&sbuf, security_info,
>- mem_ctx, ppdesc,
>- theacl);
>+ /* Special behaviours */
>+ if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, conn, ¶ms))
>+ return NT_STATUS_NO_MEMORY;
>+
>+ return smb_get_nt_acl_nfs4_common(&sbuf, ¶ms, security_info,
>+ mem_ctx, ppdesc, theacl);
> }
>
> static void smbacl4_dump_nfs4acl(int level, SMB4ACL_T *theacl)
>@@ -547,7 +560,7 @@ static SMB_ACE4PROP_T *smbacl4_find_equal_special(
> aceint=(SMB_ACE4_INT_T *)aceint->next) {
> SMB_ACE4PROP_T *ace = &aceint->prop;
>
>- DEBUG(10,("ace type:0x%x flags:0x%x aceFlags:0x%x "
>+ DEBUG(10,("ace type:0x%x flags:0x%x aceFlags:0x%x "
> "new type:0x%x flags:0x%x aceFlags:0x%x\n",
> ace->aceType, ace->flags, ace->aceFlags,
> aceNew->aceType, aceNew->flags,aceNew->aceFlags));
>--
>1.7.9.5
>
>From 518d89dd2e2ddfc8d72f3ee25d81da813221dc5b Mon Sep 17 00:00:00 2001
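Review bot: The error branch added in hunk @@ -485,9 (and repeated in @@ -505,9) guards a call that, as defined in patch 1 of this series, ends in an unconditional `return 0;`, so `return NT_STATUS_NO_MEMORY;` is unreachable today. If the helper ever gains a real failure path, an out-of-memory status on an ACL read would also mislead whoever triages the log. Either drop the check or return a status that matches a configuration failure, for example `return NT_STATUS_INVALID_PARAMETER;`, and brace the single-statement body so a later edit cannot detach it from the `if`.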
>From: Alexander Werth <alexander.werth@de.ibm.com>
>Date: Wed, 25 Apr 2012 15:10:20 +0200
>Subject: [PATCH 4/5] s3: Mapping of special entries to creator owner in mode
> simple.
>
>---
> source3/modules/nfs4_acls.c | 59 ++++++++++++++++++++++++++++++++++++++-----
> 1 file changed, 53 insertions(+), 6 deletions(-)
>
>diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
>index 5bb4847..730ab02 100644
>--- a/source3/modules/nfs4_acls.c
>+++ b/source3/modules/nfs4_acls.c
>@@ -327,10 +327,11 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx,
>
> aclint = get_validated_aclint(theacl);
> /* We do not check for naces being 0 or theacl being NULL here
>- * because it is done upstream */
>- /* in smb_get_nt_acl_nfs4(). */
>+ because it is done upstream in smb_get_nt_acl_nfs4().
>+ We reserve twice the number of input aces because one nfs4
>+ ace might result in 2 nt aces.*/
> nt_ace_list = (struct security_ace *)TALLOC_ZERO_SIZE(
>- mem_ctx, aclint->naces * sizeof(struct security_ace));
>+ mem_ctx, 2 * aclint->naces * sizeof(struct security_ace));
> if (nt_ace_list==NULL)
> {
> DEBUG(10, ("talloc error"));
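Review bot: The buffer size in hunk @@ -327,10 is now the unchecked product `2 * aclint->naces * sizeof(struct security_ace)`, and the following hunk writes `nt_ace_list[good_aces++]` up to twice per input ACE, relying on that size. The type and upper bound of `naces` are not visible here, so whether the product can wrap is something to confirm. talloc's array helper checks the count-times-size multiplication itself, e.g. `nt_ace_list = talloc_zero_array(mem_ctx, struct security_ace, 2 * aclint->naces);`. The enclosing function starts and ends outside the hunk.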
>@@ -408,11 +409,57 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx,
> if(ace->aceType == SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE) {
> mask = ace->aceMask | SMB_ACE4_SYNCHRONIZE;
> }
>- init_sec_ace(&nt_ace_list[good_aces++], &sid,
>- ace->aceType, mask,
>- win_ace_flags);
>+
>+ /* Mapping of special entries to creator owner. */
>+ if (params->mode == e_simple &&
>+ ace->flags & SMB_ACE4_ID_SPECIAL &&
>+ (ace->who.special_id == SMB_ACE4_WHO_OWNER ||
>+ ace->who.special_id == SMB_ACE4_WHO_GROUP)) {
>+ DEBUG(10, ("Map special entry\n"));
>+
>+ if (ace->who.special_id == SMB_ACE4_WHO_OWNER &&
>+ win_ace_flags & (SEC_ACE_FLAG_OBJECT_INHERIT |
>+ SEC_ACE_FLAG_CONTAINER_INHERIT)) {
>+ uint32_t win_ace_flags_creator;
>+ DEBUG(10, ("Map creator owner\n"));
>+ win_ace_flags_creator = win_ace_flags |
>+ SMB_ACE4_INHERIT_ONLY_ACE;
>+ init_sec_ace(&nt_ace_list[good_aces++],
>+ &global_sid_Creator_Owner,
>+ ace->aceType, mask,
>+ win_ace_flags_creator);
>+ }
>+ if (ace->who.special_id == SMB_ACE4_WHO_GROUP &&
>+ win_ace_flags & (SEC_ACE_FLAG_OBJECT_INHERIT |
>+ SEC_ACE_FLAG_CONTAINER_INHERIT)) {
>+ uint32_t win_ace_flags_creator;
>+ DEBUG(10, ("Map creator owner group\n"));
>+ win_ace_flags_creator = win_ace_flags |
>+ SMB_ACE4_INHERIT_ONLY_ACE;
>+ init_sec_ace(&nt_ace_list[good_aces++],
>+ &global_sid_Creator_Group,
>+ ace->aceType, mask,
>+ win_ace_flags_creator);
>+ }
>+ if (!(win_ace_flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
>+ DEBUG(10, ("Map current sid\n"));
>+ win_ace_flags &=
>+ ~(SEC_ACE_FLAG_OBJECT_INHERIT |
>+ SEC_ACE_FLAG_CONTAINER_INHERIT);
>+ init_sec_ace(&nt_ace_list[good_aces++], &sid,
>+ ace->aceType, mask,
>+ win_ace_flags);
>+ }
>+ } else {
>+ DEBUG(10, ("Map normal sid\n"));
>+ init_sec_ace(&nt_ace_list[good_aces++], &sid,
>+ ace->aceType, mask,
>+ win_ace_flags);
>+ }
> }
>
>+ nt_ace_list = (struct security_ace *)TALLOC_REALLOC(mem_ctx, nt_ace_list, good_aces * sizeof(struct security_ace));
>+
> *ppnt_ace_list = nt_ace_list;
> *pgood_aces = good_aces;
>
>--
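Review bot: The result of the `TALLOC_REALLOC` added near the end of hunk @@ -408,11 is assigned straight back to `nt_ace_list` and handed to the caller unchecked. A failed shrink therefore returns NULL together with a non-zero `*pgood_aces`. talloc's realloc also treats a zero size as a free, and this hunk can emit no ACE at all for a special entry that is inherit-only without an inherit flag, so `good_aces == 0` would turn the previously valid zeroed list into NULL; how the caller copes is outside the hunk. Shrinking is only an optimisation, so the excerpt below keeps the original list in both cases. Separately, `win_ace_flags_creator` is built with the NFSv4 constant `SMB_ACE4_INHERIT_ONLY_ACE` although it is passed to `init_sec_ace`, and the test a few lines further down uses `SEC_ACE_FLAG_INHERIT_ONLY`; the Windows-side constant belongs in both `|` expressions.

```c
	/* … unchanged: per-ACE mapping loop … */

	if (good_aces > 0) {
		struct security_ace *shrunk;

		/* Shrinking only saves memory; on failure keep the larger list. */
		shrunk = (struct security_ace *)TALLOC_REALLOC(
			mem_ctx, nt_ace_list,
			good_aces * sizeof(struct security_ace));
		if (shrunk != NULL) {
			nt_ace_list = shrunk;
		}
	}

	*ppnt_ace_list = nt_ace_list;
	*pgood_aces = good_aces;
```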
>1.7.9.5
>
>From b49afe298abadc18153ea88ab57ab275cbbf9a8a Mon Sep 17 00:00:00 2001
>From: Alexander Werth <alexander.werth@de.ibm.com>
>Date: Thu, 10 May 2012 14:19:41 +0200
>Subject: [PATCH 5/5] s3: Mapping of cifs creator owner to nfs owner@ ace.
>
>---
> source3/modules/nfs4_acls.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
>diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
>index 730ab02..e112728 100644
>--- a/source3/modules/nfs4_acls.c
>+++ b/source3/modules/nfs4_acls.c
>@@ -684,6 +684,14 @@ static bool smbacl4_fill_ace4(
> if (dom_sid_equal(&ace_nt->trustee, &global_sid_World)) {
> ace_v4->who.special_id = SMB_ACE4_WHO_EVERYONE;
> ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
>+ } else if (dom_sid_equal(&ace_nt->trustee, &global_sid_Creator_Owner)) {
>+ DEBUG(10, ("Map creator owner\n"));
>+ ace_v4->who.special_id = SMB_ACE4_WHO_OWNER;
>+ ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
>+ } else if (dom_sid_equal(&ace_nt->trustee, &global_sid_Creator_Group)) {
>+ DEBUG(10, ("Map creator owner group\n"));
>+ ace_v4->who.special_id = SMB_ACE4_WHO_GROUP;
>+ ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
> } else {
> uid_t uid;
> gid_t gid;
>--
>1.7.9.5
>
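Review bot: Both new branches in hunk @@ -684,6 turn a Creator Owner or Creator Group trustee into the `OWNER@` / `GROUP@` special entry without looking at the ACE's inheritance flags or at the configured mode, whereas the read-side mapping in patch 4 applies only when `params->mode == e_simple`. A Creator Owner ACE is meaningful only for inheritance, so unless the flag conversion outside this hunk already forces it, the resulting entry should be made inherit-only, e.g. `ace_v4->aceFlags |= SMB_ACE4_INHERIT_ONLY_ACE;` in each branch. Otherwise it would presumably grant the ACE's rights to the current owner or group on the object itself. In mode special the ACL read back would show the owner's SID rather than Creator Owner, so either gate the branches on the mode or state the asymmetry in a comment. `smbacl4_fill_ace4` starts and ends outside the hunk.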