The Samba-Bugzilla – Attachment 8793 Details for
Bug 9467
nfsv4 ACLs: CREATOR OWNER should be mapped to the special @owner ACL entry, and named users should not
[patch]
Patches adding creator owner support to nfs4:mode simple
Patches adding creator owner support to nfs4:mode simple.patch (text/plain), 14.71 KB, created by
Alexander Werth
on 2013-04-19 15:34:42 UTC
Description:
Patches adding creator owner support to nfs4:mode simple
Creator:
Alexander Werth
Created:
2013-04-19 15:34:42 UTC
Size:
14.71 KB
>From d598cc4012f602d01ecd4a3c10100085af62e453 Mon Sep 17 00:00:00 2001
>From: Alexander Werth <alexander.werth@de.ibm.com>
>Date: Mon, 15 Apr 2013 16:08:46 +0200
>Subject: [PATCH 1/5] s3: Move up declaration of params struct and related
> function.
>
> We need the parameters earlier in the code so we move up
> the declaration of the params struct. Since reading the
> parameters is closely related the definition of the function
> smbacl4_get_vfs_params has also been moved up.
>---
> source3/modules/nfs4_acls.c | 98 +++++++++++++++++++++----------------------
> 1 file changed, 49 insertions(+), 49 deletions(-)
>
>diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
>index fa6b2fe..bd30956 100644
>--- a/source3/modules/nfs4_acls.c
>+++ b/source3/modules/nfs4_acls.c
>@@ -54,6 +54,55 @@ typedef struct _SMB_ACL4_INT_T
> SMB_ACE4_INT_T *last;
> } SMB_ACL4_INT_T;
>
>+enum smbacl4_mode_enum {e_simple=0, e_special=1};
>+enum smbacl4_acedup_enum {e_dontcare=0, e_reject=1, e_ignore=2, e_merge=3};
>+
>+typedef struct _smbacl4_vfs_params {
>+ enum smbacl4_mode_enum mode;
>+ bool do_chown;
>+ enum smbacl4_acedup_enum acedup;
>+} smbacl4_vfs_params;
>+
>+/*
>+ * Gather special parameters for NFS4 ACL handling
>+ */
>+static int smbacl4_get_vfs_params(
>+ const char *type_name,
>+ files_struct *fsp,
>+ smbacl4_vfs_params *params
>+)
>+{
>+ static const struct enum_list enum_smbacl4_modes[] = {
>+ { e_simple, "simple" },
>+ { e_special, "special" },
>+ { -1 , NULL }
>+ };
>+ static const struct enum_list enum_smbacl4_acedups[] = {
>+ { e_dontcare, "dontcare" },
>+ { e_reject, "reject" },
>+ { e_ignore, "ignore" },
>+ { e_merge, "merge" },
>+ { -1 , NULL }
>+ };
>+
>+ memset(params, 0, sizeof(smbacl4_vfs_params));
>+ params->mode = (enum smbacl4_mode_enum)lp_parm_enum(
>+ SNUM(fsp->conn), type_name,
>+ "mode", enum_smbacl4_modes, e_simple);
>+ params->do_chown = lp_parm_bool(SNUM(fsp->conn), type_name,
>+ "chown", True);
>+ params->acedup = (enum smbacl4_acedup_enum)lp_parm_enum(
>+ SNUM(fsp->conn), type_name,
>+ "acedup", enum_smbacl4_acedups, e_dontcare);
>+
>+ DEBUG(10, ("mode:%s, do_chown:%s, acedup: %s\n",
>+ enum_smbacl4_modes[params->mode].name,
>+ params->do_chown ? "true" : "false",
>+ enum_smbacl4_acedups[params->acedup].name));
>+
>+ return 0;
>+}
>+
> /************************************************
> Split the ACE flag mapping between nfs4 and Windows
> into two separate functions rather than trying to do
>@@ -462,55 +511,6 @@ NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn,
> theacl);
> }
>
>-enum smbacl4_mode_enum {e_simple=0, e_special=1};
>-enum smbacl4_acedup_enum {e_dontcare=0, e_reject=1, e_ignore=2, e_merge=3};
>-
>-typedef struct _smbacl4_vfs_params {
>- enum smbacl4_mode_enum mode;
>- bool do_chown;
>- enum smbacl4_acedup_enum acedup;
>-} smbacl4_vfs_params;
>-
>-/*
>- * Gather special parameters for NFS4 ACL handling
>- */
>-static int smbacl4_get_vfs_params(
>- const char *type_name,
>- files_struct *fsp,
>- smbacl4_vfs_params *params
>-)
>-{
>- static const struct enum_list enum_smbacl4_modes[] = {
>- { e_simple, "simple" },
>- { e_special, "special" },
>- { -1 , NULL }
>- };
>- static const struct enum_list enum_smbacl4_acedups[] = {
>- { e_dontcare, "dontcare" },
>- { e_reject, "reject" },
>- { e_ignore, "ignore" },
>- { e_merge, "merge" },
>- { -1 , NULL }
>- };
>-
>- memset(params, 0, sizeof(smbacl4_vfs_params));
>- params->mode = (enum smbacl4_mode_enum)lp_parm_enum(
>- SNUM(fsp->conn), type_name,
>- "mode", enum_smbacl4_modes, e_simple);
>- params->do_chown = lp_parm_bool(SNUM(fsp->conn), type_name,
>- "chown", True);
>- params->acedup = (enum smbacl4_acedup_enum)lp_parm_enum(
>- SNUM(fsp->conn), type_name,
>- "acedup", enum_smbacl4_acedups, e_dontcare);
>-
>- DEBUG(10, ("mode:%s, do_chown:%s, acedup: %s\n",
>- enum_smbacl4_modes[params->mode].name,
>- params->do_chown ? "true" : "false",
>- enum_smbacl4_acedups[params->acedup].name));
>-
>- return 0;
>-}
>-
> static void smbacl4_dump_nfs4acl(int level, SMB4ACL_T *theacl)
> {
> SMB_ACL4_INT_T *aclint = get_validated_aclint(theacl);
>--
>1.7.9.5
>
>From ac8d08f0424b1b3782b4c04b514834aaa9563f5a Mon Sep 17 00:00:00 2001
>From: Alexander Werth <alexander.werth@de.ibm.com>
>Date: Thu, 26 Jul 2012 17:11:03 +0200
>Subject: [PATCH 2/5] s3: Change smbacl4_get_vfs_params to use
> connection_struct instead of fsp.
>
>---
> source3/modules/nfs4_acls.c | 11 ++++++-----
> 1 file changed, 6 insertions(+), 5 deletions(-)
>
>diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
>index bd30956..8510071 100644
>--- a/source3/modules/nfs4_acls.c
>+++ b/source3/modules/nfs4_acls.c
>@@ -68,7 +68,7 @@ typedef struct _smbacl4_vfs_params {
> */
> static int smbacl4_get_vfs_params(
> const char *type_name,
>- files_struct *fsp,
>+ struct connection_struct *conn,
> smbacl4_vfs_params *params
> )
> {
>@@ -87,12 +87,12 @@ static int smbacl4_get_vfs_params(
>
> memset(params, 0, sizeof(smbacl4_vfs_params));
> params->mode = (enum smbacl4_mode_enum)lp_parm_enum(
>- SNUM(fsp->conn), type_name,
>+ SNUM(conn), type_name,
> "mode", enum_smbacl4_modes, e_simple);
>- params->do_chown = lp_parm_bool(SNUM(fsp->conn), type_name,
>+ params->do_chown = lp_parm_bool(SNUM(conn), type_name,
> "chown", True);
> params->acedup = (enum smbacl4_acedup_enum)lp_parm_enum(
>- SNUM(fsp->conn), type_name,
>+ SNUM(conn), type_name,
> "acedup", enum_smbacl4_acedups, e_dontcare);
>
> DEBUG(10, ("mode:%s, do_chown:%s, acedup: %s\n",
>@@ -765,7 +765,8 @@ NTSTATUS smb_set_nt_acl_nfs4(vfs_handle_struct *handle, files_struct *fsp,
> }
>
> /* Special behaviours */
>- if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, fsp, ¶ms)) {
>+ if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME,
>+ fsp->conn, ¶ms)) {
> TALLOC_FREE(frame);
> return NT_STATUS_NO_MEMORY;
> }
>--
>1.7.9.5
>
>From 4d67d2ab09df8eba244d9dabaf1ac9b329679ab9 Mon Sep 17 00:00:00 2001
>From: Alexander Werth <alexander.werth@de.ibm.com>
>Date: Thu, 26 Jul 2012 17:29:12 +0200
>Subject: [PATCH 3/5] s3: Add params parameter to smbacl4_nfs42win function.
>
>---
> source3/modules/nfs4_acls.c | 37 +++++++++++++++++++++++++------------
> 1 file changed, 25 insertions(+), 12 deletions(-)
>
>diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
>index 8510071..ea7261b 100644
>--- a/source3/modules/nfs4_acls.c
>+++ b/source3/modules/nfs4_acls.c
>@@ -307,7 +307,9 @@ static int smbacl4_fGetFileOwner(files_struct *fsp, SMB_STRUCT_STAT *psbuf)
> return 0;
> }
>
>-static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, SMB4ACL_T *theacl, /* in */
>+static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx,
>+ smbacl4_vfs_params *params,
>+ SMB4ACL_T *theacl, /* in */
> struct dom_sid *psid_owner, /* in */
> struct dom_sid *psid_group, /* in */
> bool is_directory, /* in */
>@@ -417,10 +419,13 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, SMB4ACL_T *theacl, /* in */
> }
>
> static NTSTATUS smb_get_nt_acl_nfs4_common(const SMB_STRUCT_STAT *sbuf,
>- uint32 security_info, TALLOC_CTX *mem_ctx,
>- struct security_descriptor **ppdesc, SMB4ACL_T *theacl)
>+ smbacl4_vfs_params *params,
>+ uint32 security_info,
>+ TALLOC_CTX *mem_ctx,
>+ struct security_descriptor **ppdesc,
>+ SMB4ACL_T *theacl)
> {
>- int good_aces = 0;
>+ int good_aces = 0;
> struct dom_sid sid_owner, sid_group;
> size_t sd_size = 0;
> struct security_ace *nt_ace_list = NULL;
>@@ -437,7 +442,7 @@ static NTSTATUS smb_get_nt_acl_nfs4_common(const SMB_STRUCT_STAT *sbuf,
> uid_to_sid(&sid_owner, sbuf->st_ex_uid);
> gid_to_sid(&sid_group, sbuf->st_ex_gid);
>
>- if (smbacl4_nfs42win(mem_ctx, theacl, &sid_owner, &sid_group,
>+ if (smbacl4_nfs42win(mem_ctx, params, theacl, &sid_owner, &sid_group,
> S_ISDIR(sbuf->st_ex_mode),
> &nt_ace_list, &good_aces)==False) {
> DEBUG(8,("smbacl4_nfs42win failed\n"));
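Review bot: The `params` argument added to smbacl4_nfs42win (hunk at -307) and to smb_get_nt_acl_nfs4_common (hunk at -417) is only read in the hunks visible in this series, so it should be a pointer to const: `const smbacl4_vfs_params *params,`. That records that the ACL translation cannot alter the share's configured mode while it builds the security descriptor, and lets the compiler reject an accidental write. Both function bodies continue outside these hunks, so confirm nothing further down writes through the pointer before changing the type.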
>@@ -479,6 +484,7 @@ NTSTATUS smb_fget_nt_acl_nfs4(files_struct *fsp,
> SMB4ACL_T *theacl)
> {
> SMB_STRUCT_STAT sbuf;
>+ smbacl4_vfs_params params;
>
> DEBUG(10, ("smb_fget_nt_acl_nfs4 invoked for %s\n", fsp_str_dbg(fsp)));
>
>@@ -486,9 +492,12 @@ NTSTATUS smb_fget_nt_acl_nfs4(files_struct *fsp,
> return map_nt_error_from_unix(errno);
> }
>
>- return smb_get_nt_acl_nfs4_common(&sbuf, security_info,
>- mem_ctx, ppdesc,
>- theacl);
>+ /* Special behaviours */
>+ if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, fsp->conn, ¶ms))
>+ return NT_STATUS_NO_MEMORY;
>+
>+ return smb_get_nt_acl_nfs4_common(&sbuf, ¶ms, security_info,
>+ mem_ctx, ppdesc, theacl);
> }
>
> NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn,
>@@ -499,6 +508,7 @@ NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn,
> SMB4ACL_T *theacl)
> {
> SMB_STRUCT_STAT sbuf;
>+ smbacl4_vfs_params params;
>
> DEBUG(10, ("smb_get_nt_acl_nfs4 invoked for %s\n", name));
>
>@@ -506,9 +516,12 @@ NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn,
> return map_nt_error_from_unix(errno);
> }
>
>- return smb_get_nt_acl_nfs4_common(&sbuf, security_info,
>- mem_ctx, ppdesc,
>- theacl);
>+ /* Special behaviours */
>+ if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, conn, ¶ms))
>+ return NT_STATUS_NO_MEMORY;
>+
>+ return smb_get_nt_acl_nfs4_common(&sbuf, ¶ms, security_info,
>+ mem_ctx, ppdesc, theacl);
> }
>
> static void smbacl4_dump_nfs4acl(int level, SMB4ACL_T *theacl)
>@@ -548,7 +561,7 @@ static SMB_ACE4PROP_T *smbacl4_find_equal_special(
> aceint=(SMB_ACE4_INT_T *)aceint->next) {
> SMB_ACE4PROP_T *ace = &aceint->prop;
>
>- DEBUG(10,("ace type:0x%x flags:0x%x aceFlags:0x%x "
>+ DEBUG(10,("ace type:0x%x flags:0x%x aceFlags:0x%x "
> "new type:0x%x flags:0x%x aceFlags:0x%x\n",
> ace->aceType, ace->flags, ace->aceFlags,
> aceNew->aceType, aceNew->flags,aceNew->aceFlags));
>--
>1.7.9.5
>
>From 9d09296bb97ff79ce7813d060f6a0d88e887d9b8 Mon Sep 17 00:00:00 2001
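Review bot: The parameter check added to smb_fget_nt_acl_nfs4 (hunk at -486) ends in an unbraced `return NT_STATUS_NO_MEMORY;`, while the same check in smb_set_nt_acl_nfs4 in patch 2/5 is braced; the hunk at -506 repeats the unbraced form for smb_get_nt_acl_nfs4. I would brace both bodies so a later added statement cannot fall outside the condition. As moved in patch 1/5, smbacl4_get_vfs_params allocates nothing and always returns 0, so the branch is currently dead and NT_STATUS_NO_MEMORY would mislead if a real failure path were added later. A comment such as `/* smbacl4_get_vfs_params() cannot fail at present */` above each check would make that explicit.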
>From: Alexander Werth <alexander.werth@de.ibm.com>
>Date: Wed, 25 Apr 2012 15:10:20 +0200
>Subject: [PATCH 4/5] s3: Mapping of special entries to creator owner in mode
> simple.
>
>---
> source3/modules/nfs4_acls.c | 59 ++++++++++++++++++++++++++++++++++++++-----
> 1 file changed, 53 insertions(+), 6 deletions(-)
>
>diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
>index ea7261b..c4cc4fc 100644
>--- a/source3/modules/nfs4_acls.c
>+++ b/source3/modules/nfs4_acls.c
>@@ -326,10 +326,11 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx,
>
> aclint = get_validated_aclint(theacl);
> /* We do not check for naces being 0 or theacl being NULL here
>- * because it is done upstream */
>- /* in smb_get_nt_acl_nfs4(). */
>+ because it is done upstream in smb_get_nt_acl_nfs4().
>+ We reserve twice the number of input aces because one nfs4
>+ ace might result in 2 nt aces.*/
> nt_ace_list = (struct security_ace *)TALLOC_ZERO_SIZE(
>- mem_ctx, aclint->naces * sizeof(struct security_ace));
>+ mem_ctx, 2 * aclint->naces * sizeof(struct security_ace));
> if (nt_ace_list==NULL)
> {
> DEBUG(10, ("talloc error"));
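Review bot: The size expression `2 * aclint->naces * sizeof(struct security_ace)` is an unchecked multiplication on a count taken from the ACL, and the new factor of two halves the count at which it would wrap and under-allocate the list that the loop then fills by index. talloc's array allocator checks the element-count product, so `nt_ace_list = talloc_zero_array(mem_ctx, struct security_ace, 2 * aclint->naces);` is the safer form; the doubling itself still needs a bound if `naces` is narrower than size_t, which is not visible here. The factor does match the mapping added later in this patch, which emits at most two NT entries per NFSv4 ACE. The enclosing function starts and ends outside the hunk.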
>@@ -407,11 +408,57 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx,
> if(ace->aceType == SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE) {
> mask = ace->aceMask | SMB_ACE4_SYNCHRONIZE;
> }
>- init_sec_ace(&nt_ace_list[good_aces++], &sid,
>- ace->aceType, mask,
>- win_ace_flags);
>+
>+ /* Mapping of special entries to creator owner. */
>+ if (params->mode == e_simple &&
>+ ace->flags & SMB_ACE4_ID_SPECIAL &&
>+ (ace->who.special_id == SMB_ACE4_WHO_OWNER ||
>+ ace->who.special_id == SMB_ACE4_WHO_GROUP)) {
>+ DEBUG(10, ("Map special entry\n"));
>+ if (!(win_ace_flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
>+ DEBUG(10, ("Map current sid\n"));
>+ uint32_t win_ace_flags_current;
>+ win_ace_flags_current = win_ace_flags &
>+ ~(SEC_ACE_FLAG_OBJECT_INHERIT |
>+ SEC_ACE_FLAG_CONTAINER_INHERIT);
>+ init_sec_ace(&nt_ace_list[good_aces++], &sid,
>+ ace->aceType, mask,
>+ win_ace_flags);
>+ }
>+ if (ace->who.special_id == SMB_ACE4_WHO_OWNER &&
>+ win_ace_flags & (SEC_ACE_FLAG_OBJECT_INHERIT |
>+ SEC_ACE_FLAG_CONTAINER_INHERIT)) {
>+ uint32_t win_ace_flags_creator;
>+ DEBUG(10, ("Map creator owner\n"));
>+ win_ace_flags_creator = win_ace_flags |
>+ SMB_ACE4_INHERIT_ONLY_ACE;
>+ init_sec_ace(&nt_ace_list[good_aces++],
>+ &global_sid_Creator_Owner,
>+ ace->aceType, mask,
>+ win_ace_flags_creator);
>+ }
>+ if (ace->who.special_id == SMB_ACE4_WHO_GROUP &&
>+ win_ace_flags & (SEC_ACE_FLAG_OBJECT_INHERIT |
>+ SEC_ACE_FLAG_CONTAINER_INHERIT)) {
>+ uint32_t win_ace_flags_creator;
>+ DEBUG(10, ("Map creator owner group\n"));
>+ win_ace_flags_creator = win_ace_flags |
>+ SMB_ACE4_INHERIT_ONLY_ACE;
>+ init_sec_ace(&nt_ace_list[good_aces++],
>+ &global_sid_Creator_Group,
>+ ace->aceType, mask,
>+ win_ace_flags_creator);
>+ }
>+ } else {
>+ DEBUG(10, ("Map normal sid\n"));
>+ init_sec_ace(&nt_ace_list[good_aces++], &sid,
>+ ace->aceType, mask,
>+ win_ace_flags);
>+ }
> }
>
>+ nt_ace_list = (struct security_ace *)TALLOC_REALLOC(mem_ctx, nt_ace_list, good_aces * sizeof(struct security_ace));
>+
> *ppnt_ace_list = nt_ace_list;
> *pgood_aces = good_aces;
>
>--
>1.7.9.5
>
>From b8369bb607d9d7b96cd7ac782f740f6b868c951b Mon Sep 17 00:00:00 2001
>From: Alexander Werth <alexander.werth@de.ibm.com>
>Date: Thu, 10 May 2012 14:19:41 +0200
>Subject: [PATCH 5/5] s3: Mapping of cifs creator owner to nfs owner@ ace.
>
>This is ignored in nfs4mode special for compatibility.
>Also ensure that we drop non inheriting creator owner
>aces since these don't contribute to who can access
>a file.
>---
> source3/modules/nfs4_acls.c | 24 ++++++++++++++++++++++++
> 1 file changed, 24 insertions(+)
>
>diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
>index c4cc4fc..15b5f7c 100644
>--- a/source3/modules/nfs4_acls.c
>+++ b/source3/modules/nfs4_acls.c
>@@ -685,6 +685,30 @@ static bool smbacl4_fill_ace4(
> if (dom_sid_equal(&ace_nt->trustee, &global_sid_World)) {
> ace_v4->who.special_id = SMB_ACE4_WHO_EVERYONE;
> ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
>+ } else if (params->mode!=e_special &&
>+ dom_sid_equal(&ace_nt->trustee,
>+ &global_sid_Creator_Owner)) {
>+ DEBUG(10, ("Map creator owner\n"));
>+ ace_v4->who.special_id = SMB_ACE4_WHO_OWNER;
>+ ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
>+ /* A non inheriting creator owner entry has no effect. */
>+ ace_v4->aceFlags |= SMB_ACE4_INHERIT_ONLY_ACE;
>+ if (!(ace_v4->aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE)
>+ && !(ace_v4->aceFlags & SMB_ACE4_FILE_INHERIT_ACE)) {
>+ return False;
>+ }
>+ } else if (params->mode!=e_special &&
>+ dom_sid_equal(&ace_nt->trustee,
>+ &global_sid_Creator_Group)) {
>+ DEBUG(10, ("Map creator owner group\n"));
>+ ace_v4->who.special_id = SMB_ACE4_WHO_GROUP;
>+ ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
>+ /* A non inheriting creator group entry has no effect. */
>+ ace_v4->aceFlags |= SMB_ACE4_INHERIT_ONLY_ACE;
>+ if (!(ace_v4->aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE)
>+ && !(ace_v4->aceFlags & SMB_ACE4_FILE_INHERIT_ACE)) {
>+ return False;
>+ }
> } else {
> uid_t uid;
> gid_t gid;
>--
>1.7.9.5
>
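Review bot: In the `Map current sid` branch of patch 4/5 (hunk at -407) the value computed into `win_ace_flags_current` is never used: `init_sec_ace` is still called with `win_ace_flags`, so the ACE for the current owner or group SID keeps its inherit flags and stays inheritable next to the new Creator Owner / Creator Group entry. That branch also declares the variable after a statement, unlike the two branches below it. The creator branches OR the NFSv4 constant `SMB_ACE4_INHERIT_ONLY_ACE` into a Windows flag word, where `SEC_ACE_FLAG_INHERIT_ONLY` (already used in the condition above them) is the matching name. The result of `TALLOC_REALLOC` is stored unchecked, so a NULL return would reach the caller together with a non-zero `good_aces`, and a zero-size request when every ACE was skipped presumably releases the list. The function body starts and ends outside the hunk.

```c
	/* … unchanged: test for a special owner/group entry in mode simple … */
		if (!(win_ace_flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
			uint32_t win_ace_flags_current;
			DEBUG(10, ("Map current sid\n"));
			win_ace_flags_current = win_ace_flags &
				~(SEC_ACE_FLAG_OBJECT_INHERIT |
				  SEC_ACE_FLAG_CONTAINER_INHERIT);
			init_sec_ace(&nt_ace_list[good_aces++], &sid,
				     ace->aceType, mask,
				     win_ace_flags_current);
		}
	/* … unchanged: Creator Owner / Creator Group branches, except in both: … */
			win_ace_flags_creator = win_ace_flags |
				SEC_ACE_FLAG_INHERIT_ONLY;
	/* … unchanged: else branch and end of the loop … */
	if (good_aces > 0) {
		/* Shrinking is only an optimisation; keep the larger buffer if it fails. */
		struct security_ace *shrunk = (struct security_ace *)
			TALLOC_REALLOC(mem_ctx, nt_ace_list,
				good_aces * sizeof(struct security_ace));
		if (shrunk != NULL) {
			nt_ace_list = shrunk;
		}
	}
```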
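Review bot: The two `else if` branches added to smbacl4_fill_ace4 in patch 5/5 differ only in the SID compared and the special id assigned, so a small static helper taking the special id would remove the duplicated flag handling and keep the owner and group cases from drifting apart. Each branch sets `SMB_ACE4_INHERIT_ONLY_ACE` before testing the inherit bits and then uses `return False` to drop the entry. The caller is outside the hunk, so confirm it treats False as "skip this ACE" rather than as a failure of the whole ACL update; a comment such as `/* False: the caller skips this ACE */` would record that. The guard is written `params->mode!=e_special` here but `params->mode == e_simple` in patch 4/5, which is equivalent for the two enum values on this page, but one spelling should be used in both mapping directions. The function signature and the rest of the body lie outside the hunk.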