From 9dda2e8f5bf435f686637aa3a6a46c31f13da1e2 Mon Sep 17 00:00:00 2001 From: Alexander Werth Date: Mon, 15 Apr 2013 16:08:46 +0200 Subject: s3: Move up declaration of params struct and related function. We need the parameters earlier in the code so we move up the declaration of the params struct. Since reading the parameters is closely related the definition of the function smbacl4_get_vfs_params has also been moved up. --- source3/modules/nfs4_acls.c | 96 +++++++++++++++++++++---------------------- 1 file changed, 48 insertions(+), 48 deletions(-) diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index e5cc32d..1d64ea2 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c 
@@ -52,6 +52,54 @@ typedef struct _SMB_ACL4_INT_T SMB_ACE4_INT_T *last; } SMB_ACL4_INT_T; +enum smbacl4_mode_enum {e_simple=0, e_special=1}; +enum smbacl4_acedup_enum {e_dontcare=0, e_reject=1, e_ignore=2, e_merge=3}; + +typedef struct _smbacl4_vfs_params { + enum smbacl4_mode_enum mode; + bool do_chown; + enum smbacl4_acedup_enum acedup; + struct db_context *sid_mapping_table; +} smbacl4_vfs_params; + +/* + * Gather special parameters for NFS4 ACL handling + */ +static int smbacl4_get_vfs_params( + const char *type_name, + files_struct *fsp, + smbacl4_vfs_params *params +) +{ + static const struct enum_list enum_smbacl4_modes[] = { + { e_simple, "simple" }, + { e_special, "special" }, + }; + static const struct enum_list enum_smbacl4_acedups[] = { + { e_dontcare, "dontcare" }, + { e_reject, "reject" }, + { e_ignore, "ignore" }, + { e_merge, "merge" }, + }; + + memset(params, 0, sizeof(smbacl4_vfs_params)); + params->mode = (enum smbacl4_mode_enum)lp_parm_enum( + SNUM(fsp->conn), type_name, + "mode", enum_smbacl4_modes, e_simple); + params->do_chown = lp_parm_bool(SNUM(fsp->conn), type_name, + "chown", true); + params->acedup = (enum smbacl4_acedup_enum)lp_parm_enum( + SNUM(fsp->conn), type_name, + "acedup", enum_smbacl4_acedups, e_dontcare); + + DEBUG(10, ("mode:%s, do_chown:%s, acedup: %s\n", + enum_smbacl4_modes[params->mode].name, + params->do_chown ? "true" : "false", + enum_smbacl4_acedups[params->acedup].name)); + + return 0; +} + /************************************************ Split the ACE flag mapping between nfs4 and Windows into two separate functions rather than trying to do 
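Review bot: The header comment on the moved smbacl4_get_vfs_params says nothing about its return contract, and the function only ever returns 0 even though its callers (visible in the later commits of this series) map any non-zero result to NT_STATUS_NO_MEMORY. State it, e.g. `/* Returns 0; callers currently treat any non-zero value as an allocation failure. */`, or give the function an errno-style return the callers can map honestly. The moved block is also not byte-identical to the removed one (`"chown", True` became `"chown", true` and a trailing comma was added to enum_smbacl4_modes); a pure move is easier to review when such cleanups go in their own commit.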
@@ -433,54 +481,6 @@ NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn, return smb_get_nt_acl_nfs4_common(&sbuf, security_info, ppdesc, theacl); } -enum smbacl4_mode_enum {e_simple=0, e_special=1}; -enum smbacl4_acedup_enum {e_dontcare=0, e_reject=1, e_ignore=2, e_merge=3}; - -typedef struct _smbacl4_vfs_params { - enum smbacl4_mode_enum mode; - bool do_chown; - enum smbacl4_acedup_enum acedup; - struct db_context *sid_mapping_table; -} smbacl4_vfs_params; - -/* - * Gather special parameters for NFS4 ACL handling - */ -static int smbacl4_get_vfs_params( - const char *type_name, - files_struct *fsp, - smbacl4_vfs_params *params -) -{ - static const struct enum_list enum_smbacl4_modes[] = { - { e_simple, "simple" }, - { e_special, "special" } - }; - static const struct enum_list enum_smbacl4_acedups[] = { - { e_dontcare, "dontcare" }, - { e_reject, "reject" }, - { e_ignore, "ignore" }, - { e_merge, "merge" }, - }; - - memset(params, 0, sizeof(smbacl4_vfs_params)); - params->mode = (enum smbacl4_mode_enum)lp_parm_enum( - SNUM(fsp->conn), type_name, - "mode", enum_smbacl4_modes, e_simple); - params->do_chown = lp_parm_bool(SNUM(fsp->conn), type_name, - "chown", True); - params->acedup = (enum smbacl4_acedup_enum)lp_parm_enum( - SNUM(fsp->conn), type_name, - "acedup", enum_smbacl4_acedups, e_dontcare); - - DEBUG(10, ("mode:%s, do_chown:%s, acedup: %s\n", - enum_smbacl4_modes[params->mode].name, - params->do_chown ? "true" : "false", - enum_smbacl4_acedups[params->acedup].name)); - - return 0; -} - static void smbacl4_dump_nfs4acl(int level, SMB4ACL_T *theacl) { SMB_ACL4_INT_T *aclint = get_validated_aclint(theacl); -- 1.7.9.5 From bd6bc66c827a1d386ec1a96bfb5bf7e67d0ef95c Mon Sep 17 00:00:00 2001 From: Alexander Werth Date: Thu, 26 Jul 2012 17:11:03 +0200 Subject: s3: Change smbacl4_get_vfs_params to use connection_struct instead of fsp. --- source3/modules/nfs4_acls.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) 
diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index 1d64ea2..5515c0d 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c @@ -67,7 +67,7 @@ typedef struct _smbacl4_vfs_params { */ static int smbacl4_get_vfs_params( const char *type_name, - files_struct *fsp, + struct connection_struct *conn, smbacl4_vfs_params *params ) { @@ -84,12 +84,12 @@ static int smbacl4_get_vfs_params( memset(params, 0, sizeof(smbacl4_vfs_params)); params->mode = (enum smbacl4_mode_enum)lp_parm_enum( - SNUM(fsp->conn), type_name, + SNUM(conn), type_name, "mode", enum_smbacl4_modes, e_simple); - params->do_chown = lp_parm_bool(SNUM(fsp->conn), type_name, + params->do_chown = lp_parm_bool(SNUM(conn), type_name, "chown", true); params->acedup = (enum smbacl4_acedup_enum)lp_parm_enum( - SNUM(fsp->conn), type_name, + SNUM(conn), type_name, "acedup", enum_smbacl4_acedups, e_dontcare); DEBUG(10, ("mode:%s, do_chown:%s, acedup: %s\n", @@ -806,8 +806,10 @@ NTSTATUS smb_set_nt_acl_nfs4(files_struct *fsp, } /* Special behaviours */ - if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, fsp, ¶ms)) + if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, + fsp->conn, ¶ms)) { return NT_STATUS_NO_MEMORY; + } if (smbacl4_fGetFileOwner(fsp, &sbuf)) return map_nt_error_from_unix(errno); -- 1.7.9.5 From 1bb1a6b218d17c109ab41e1c737cf3f154b6d24c Mon Sep 17 00:00:00 2001 From: Alexander Werth Date: Thu, 26 Jul 2012 17:29:12 +0200 Subject: s3: Add params parameter to smbacl4_nfs42win function. --- source3/modules/nfs4_acls.c | 34 ++++++++++++++++++++++++++-------- 1 file changed, 26 insertions(+), 8 deletions(-) diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index 5515c0d..6ebe0b5 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c 
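Review bot: The `return NT_STATUS_NO_MEMORY;` re-added in the smb_set_nt_acl_nfs4 hunk reports a failure of smbacl4_get_vfs_params as an allocation failure, but that function allocates nothing and always returns 0, so the branch is dead today and would mislabel any future parameter error. Either return a status that matches the cause, e.g. `return NT_STATUS_INVALID_PARAMETER;`, or let smbacl4_get_vfs_params return an errno value and map it with map_nt_error_from_unix() as the smbacl4_fGetFileOwner call two lines below already does. The same pattern is added to smb_fget_nt_acl_nfs4 and smb_get_nt_acl_nfs4 in the next commit.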
@@ -303,7 +303,9 @@ static int smbacl4_fGetFileOwner(files_struct *fsp, SMB_STRUCT_STAT *psbuf) return 0; } -static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, SMB4ACL_T *theacl, /* in */ +static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, + smbacl4_vfs_params *params, + SMB4ACL_T *theacl, /* in */ struct dom_sid *psid_owner, /* in */ struct dom_sid *psid_group, /* in */ bool is_directory, /* in */ @@ -403,10 +405,12 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, SMB4ACL_T *theacl, /* in */ } static NTSTATUS smb_get_nt_acl_nfs4_common(const SMB_STRUCT_STAT *sbuf, - uint32 security_info, - struct security_descriptor **ppdesc, SMB4ACL_T *theacl) + smbacl4_vfs_params *params, + uint32 security_info, + struct security_descriptor **ppdesc, + SMB4ACL_T *theacl) { - int good_aces = 0; + int good_aces = 0; struct dom_sid sid_owner, sid_group; size_t sd_size = 0; struct security_ace *nt_ace_list = NULL; @@ -421,7 +425,7 @@ static NTSTATUS smb_get_nt_acl_nfs4_common(const SMB_STRUCT_STAT *sbuf, uid_to_sid(&sid_owner, sbuf->st_ex_uid); gid_to_sid(&sid_group, sbuf->st_ex_gid); - if (smbacl4_nfs42win(mem_ctx, theacl, &sid_owner, &sid_group, + if (smbacl4_nfs42win(mem_ctx, params, theacl, &sid_owner, &sid_group, S_ISDIR(sbuf->st_ex_mode), &nt_ace_list, &good_aces)==False) { DEBUG(8,("smbacl4_nfs42win failed\n")); @@ -455,6 +459,7 @@ NTSTATUS smb_fget_nt_acl_nfs4(files_struct *fsp, struct security_descriptor **ppdesc, SMB4ACL_T *theacl) { SMB_STRUCT_STAT sbuf; + smbacl4_vfs_params params; DEBUG(10, ("smb_fget_nt_acl_nfs4 invoked for %s\n", fsp_str_dbg(fsp))); 
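Review bot: The new `smbacl4_vfs_params *params` parameters on smbacl4_nfs42win and smb_get_nt_acl_nfs4_common should be const-qualified; this commit does not touch the struct through them and the later commits in the series only read `params->mode`. Use `const smbacl4_vfs_params *params,` in both signatures, which also documents at the call sites in smb_fget_nt_acl_nfs4 and smb_get_nt_acl_nfs4 that the caller's stack copy is left alone. Both function bodies extend beyond these hunks.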
@@ -462,7 +467,13 @@ NTSTATUS smb_fget_nt_acl_nfs4(files_struct *fsp, return map_nt_error_from_unix(errno); } - return smb_get_nt_acl_nfs4_common(&sbuf, security_info, ppdesc, theacl); + /* Special behaviours */ + if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, fsp->conn, ¶ms)) { + return NT_STATUS_NO_MEMORY; + } + + return smb_get_nt_acl_nfs4_common(&sbuf, ¶ms, security_info, + ppdesc, theacl); } NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn, @@ -471,6 +482,7 @@ NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn, struct security_descriptor **ppdesc, SMB4ACL_T *theacl) { SMB_STRUCT_STAT sbuf; + smbacl4_vfs_params params; DEBUG(10, ("smb_get_nt_acl_nfs4 invoked for %s\n", name)); @@ -478,7 +490,13 @@ NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn, return map_nt_error_from_unix(errno); } - return smb_get_nt_acl_nfs4_common(&sbuf, security_info, ppdesc, theacl); + /* Special behaviours */ + if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, conn, ¶ms)) { + return NT_STATUS_NO_MEMORY; + } + + return smb_get_nt_acl_nfs4_common(&sbuf, ¶ms, security_info, + ppdesc, theacl); } static void smbacl4_dump_nfs4acl(int level, SMB4ACL_T *theacl) @@ -514,7 +532,7 @@ static SMB_ACE4PROP_T *smbacl4_find_equal_special( for(aceint = aclint->first; aceint!=NULL; aceint=(SMB_ACE4_INT_T *)aceint->next) { SMB_ACE4PROP_T *ace = &aceint->prop; - DEBUG(10,("ace type:0x%x flags:0x%x aceFlags:0x%x " + DEBUG(10,("ace type:0x%x flags:0x%x aceFlags:0x%x " "new type:0x%x flags:0x%x aceFlags:0x%x\n", ace->aceType, ace->flags, ace->aceFlags, aceNew->aceType, aceNew->flags,aceNew->aceFlags)); -- 1.7.9.5 From a7574fc00c374964991f4ab58715eb650ca29e38 Mon Sep 17 00:00:00 2001 From: Alexander Werth Date: Wed, 25 Apr 2012 15:10:20 +0200 Subject: s3: Mapping of special entries to creator owner in mode simple. --- source3/modules/nfs4_acls.c | 68 +++++++++++++++++++++++++++++++++++++++---- 1 file changed, 62 insertions(+), 6 deletions(-) 
diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index 6ebe0b5..0afa74d 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c @@ -321,9 +321,12 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, DEBUG(10, ("smbacl_nfs42win entered\n")); aclint = get_validated_aclint(theacl); - /* We do not check for naces being 0 or theacl being NULL here because it is done upstream */ - /* in smb_get_nt_acl_nfs4(). */ - nt_ace_list = (struct security_ace *)TALLOC_ZERO_SIZE(mem_ctx, aclint->naces * sizeof(struct security_ace)); + /* We do not check for naces being 0 or theacl being NULL here + because it is done upstream in smb_get_nt_acl_nfs4(). + We reserve twice the number of input aces because one nfs4 + ace might result in 2 nt aces.*/ + nt_ace_list = (struct security_ace *)TALLOC_ZERO_SIZE( + mem_ctx, 2 * aclint->naces * sizeof(struct security_ace)); if (nt_ace_list==NULL) { DEBUG(10, ("talloc error")); 
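Review bot: The size expression `2 * aclint->naces * sizeof(struct security_ace)` in this hunk is handed to TALLOC_ZERO_SIZE without an overflow check. `nt_ace_list = talloc_zero_array(mem_ctx, struct security_ace, 2 * aclint->naces);` performs the element-size multiplication with talloc's overflow checking and drops the cast; the existing NULL check below then covers both failure modes. The type of naces is not visible here, so whether the `2 *` factor itself can overflow depends on it — worth a range check if the count is derived from an on-disk ACL the server does not control.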
@@ -393,9 +396,62 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, if(ace->aceType == SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE) { mask = ace->aceMask | SMB_ACE4_SYNCHRONIZE; } - init_sec_ace(&nt_ace_list[good_aces++], &sid, - ace->aceType, mask, - win_ace_flags); + + /* Mapping of owner@ and group@ to creator owner and + creator group. Keep old behavior in mode special. */ + if (params->mode != e_special && + ace->flags & SMB_ACE4_ID_SPECIAL && + (ace->who.special_id == SMB_ACE4_WHO_OWNER || + ace->who.special_id == SMB_ACE4_WHO_GROUP)) { + DEBUG(10, ("Map special entry\n")); + if (!(win_ace_flags & SEC_ACE_FLAG_INHERIT_ONLY)) { + DEBUG(10, ("Map current sid\n")); + uint32_t win_ace_flags_current; + win_ace_flags_current = win_ace_flags & + ~(SEC_ACE_FLAG_OBJECT_INHERIT | + SEC_ACE_FLAG_CONTAINER_INHERIT); + init_sec_ace(&nt_ace_list[good_aces++], &sid, + ace->aceType, mask, + win_ace_flags_current); + } + if (ace->who.special_id == SMB_ACE4_WHO_OWNER && + win_ace_flags & (SEC_ACE_FLAG_OBJECT_INHERIT | + SEC_ACE_FLAG_CONTAINER_INHERIT)) { + uint32_t win_ace_flags_creator; + DEBUG(10, ("Map creator owner\n")); + win_ace_flags_creator = win_ace_flags | + SMB_ACE4_INHERIT_ONLY_ACE; + init_sec_ace(&nt_ace_list[good_aces++], + &global_sid_Creator_Owner, + ace->aceType, mask, + win_ace_flags_creator); + } + if (ace->who.special_id == SMB_ACE4_WHO_GROUP && + win_ace_flags & (SEC_ACE_FLAG_OBJECT_INHERIT | + SEC_ACE_FLAG_CONTAINER_INHERIT)) { + uint32_t win_ace_flags_creator; + DEBUG(10, ("Map creator owner group\n")); + win_ace_flags_creator = win_ace_flags | + SMB_ACE4_INHERIT_ONLY_ACE; + init_sec_ace(&nt_ace_list[good_aces++], + &global_sid_Creator_Group, + ace->aceType, mask, + win_ace_flags_creator); + } + } else { + DEBUG(10, ("Map normal sid\n")); + init_sec_ace(&nt_ace_list[good_aces++], &sid, + ace->aceType, mask, + win_ace_flags); + } + } + + nt_ace_list = (struct security_ace *)TALLOC_REALLOC(mem_ctx, + nt_ace_list, + good_aces * sizeof(struct security_ace)); + if 
(nt_ace_list == NULL) { + errno = ENOMEM; + return false; } *ppnt_ace_list = nt_ace_list; -- 1.7.9.5 From 47edde69846458558ee2f5691ff131e6758055b9 Mon Sep 17 00:00:00 2001 From: Alexander Werth Date: Thu, 10 May 2012 14:19:41 +0200 Subject: s3: Mapping of cifs creator owner to nfs owner@ ace. This is ignored in nfs4mode special for compatibility. Also ensure that we drop non inheriting creator owner aces since these don't contribute to who can access a file. Reviewed-by: Andrew Bartlett Reviewed-by: Jeremy Allison --- source3/modules/nfs4_acls.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index 0afa74d..ec47d36 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c 
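Review bot: In the owner@/group@ mapping added in this hunk, `win_ace_flags_creator = win_ace_flags | SMB_ACE4_INHERIT_ONLY_ACE;` ORs an NFS4 aceFlags constant into a variable holding Windows SEC_ACE_FLAG_* bits, while the same hunk tests the Windows form `SEC_ACE_FLAG_INHERIT_ONLY` a few lines earlier; this only works as long as the two constants happen to share a value. Use `win_ace_flags_creator = win_ace_flags | SEC_ACE_FLAG_INHERIT_ONLY;` in both the creator-owner and creator-group branches. The trailing `TALLOC_REALLOC(mem_ctx, nt_ace_list, good_aces * sizeof(struct security_ace))` becomes a zero-size request when every ACE was skipped; if the realloc wrapper frees and returns NULL for size 0, that case is then misreported as ENOMEM, so guard `good_aces == 0` before shrinking. The function body starts before this hunk.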
@@ -705,6 +705,30 @@ static bool smbacl4_fill_ace4( if (dom_sid_equal(&ace_nt->trustee, &global_sid_World)) { ace_v4->who.special_id = SMB_ACE4_WHO_EVERYONE; ace_v4->flags |= SMB_ACE4_ID_SPECIAL; + } else if (params->mode!=e_special && + dom_sid_equal(&ace_nt->trustee, + &global_sid_Creator_Owner)) { + DEBUG(10, ("Map creator owner\n")); + ace_v4->who.special_id = SMB_ACE4_WHO_OWNER; + ace_v4->flags |= SMB_ACE4_ID_SPECIAL; + /* A non inheriting creator owner entry has no effect. */ + ace_v4->aceFlags |= SMB_ACE4_INHERIT_ONLY_ACE; + if (!(ace_v4->aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE) + && !(ace_v4->aceFlags & SMB_ACE4_FILE_INHERIT_ACE)) { + return False; + } + } else if (params->mode!=e_special && + dom_sid_equal(&ace_nt->trustee, + &global_sid_Creator_Group)) { + DEBUG(10, ("Map creator owner group\n")); + ace_v4->who.special_id = SMB_ACE4_WHO_GROUP; + ace_v4->flags |= SMB_ACE4_ID_SPECIAL; + /* A non inheriting creator group entry has no effect. */ + ace_v4->aceFlags |= SMB_ACE4_INHERIT_ONLY_ACE; + if (!(ace_v4->aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE) + && !(ace_v4->aceFlags & SMB_ACE4_FILE_INHERIT_ACE)) { + return False; + } } else { const char *dom, *name; enum lsa_SidType type; -- 1.7.9.5 From fa3dfaaab3ee76d13ca1592d00e1a3c290a88d27 Mon Sep 17 00:00:00 2001 From: Alexander Werth Date: Thu, 2 May 2013 16:50:55 +0200 Subject: s3: Add changes that keep nfs4:mode special behavior. Reviewed-by: Andrew Bartlett Reviewed-by: Jeremy Allison --- source3/modules/nfs4_acls.c | 42 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 41 insertions(+), 1 deletion(-) diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index ec47d36..ced278d 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c 
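Review bot: The two new `return False;` statements in smbacl4_fill_ace4 use the error return to drop a creator-owner/creator-group entry that carries no inherit flags, the same value the function returns when a SID cannot be mapped. If the caller treats False as a failed conversion (the loop in smbacl4_win2nfs4 is outside this hunk), a legitimate no-op entry is logged or handled as an error; an out-parameter such as `bool *skip` would distinguish "drop silently" from "mapping failed". The two branches are otherwise identical apart from the SID, the special_id and the log text, so a small static helper taking those three would remove the duplication.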
@@ -573,7 +573,7 @@ static void smbacl4_dump_nfs4acl(int level, SMB4ACL_T *theacl) } } -/* +/* * Find 2 NFS4 who-special ACE property (non-copy!!!) * match nonzero if "special" and who is equal * return ace if found matching; otherwise NULL @@ -834,6 +834,42 @@ static int smbacl4_MergeIgnoreReject( return result; } +static int smbacl4_substitute_special( + SMB4ACL_T *theacl, + uid_t ownerUID, + gid_t ownerGID +) +{ + SMB_ACL4_INT_T *aclint = get_validated_aclint(theacl); + SMB_ACE4_INT_T *aceint; + + for(aceint = aclint->first; aceint!=NULL; aceint=(SMB_ACE4_INT_T *)aceint->next) { + SMB_ACE4PROP_T *ace = &aceint->prop; + + DEBUG(10,("ace type: %d, iflags: %x, flags: %x, " + "mask: %x, who: %d\n", + ace->aceType, ace->flags, ace->aceFlags, + ace->aceMask, ace->who.id)); + + if (!(ace->flags & SMB_ACE4_ID_SPECIAL) && + !(ace->aceFlags & SMB_ACE4_IDENTIFIER_GROUP) && + ace->who.uid == ownerUID) { + ace->flags |= SMB_ACE4_ID_SPECIAL; + ace->who.special_id = SMB_ACE4_WHO_OWNER; + DEBUG(10,("replaced with special owner ace\n")); + } + + if (!(ace->flags & SMB_ACE4_ID_SPECIAL) && + ace->aceFlags & SMB_ACE4_IDENTIFIER_GROUP && + ace->who.uid == ownerGID) { + ace->flags |= SMB_ACE4_ID_SPECIAL; + ace->who.special_id = SMB_ACE4_WHO_GROUP; + DEBUG(10,("replaced with special group ace\n")); + } + } + return True; /* OK */ +} + static SMB4ACL_T *smbacl4_win2nfs4( const char *filename, const struct security_acl *dacl, @@ -875,6 +911,10 @@ static SMB4ACL_T *smbacl4_win2nfs4( smb_add_ace4(theacl, &ace_v4); } + if (pparams->mode==e_special) { + smbacl4_substitute_special(theacl, ownerUID, ownerGID); + } + return theacl; } -- 1.7.9.5 From 107cae056b990e103719865588d87c3ff927a208 Mon Sep 17 00:00:00 2001 
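Review bot: In smbacl4_substitute_special the group branch compares `ace->who.uid == ownerGID`, the uid member of the who union against a gid_t; it should read `ace->who.gid == ownerGID` to match the `SMB_ACE4_IDENTIFIER_GROUP` test on the preceding line (the same comparison is repeated in smbacl4_substitute_simple in the next commit). It only works if uid and gid share storage in the union, and it invites a width or signedness warning if the types differ. The function also returns an `int` that the new call in smbacl4_win2nfs4 discards, so it could be `static void` unless a failure case is planned; parenthesising `(ace->aceFlags & SMB_ACE4_IDENTIFIER_GROUP)` inside the `&&` chain would also help readability.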
From: Alexander Werth Date: Thu, 2 May 2013 16:53:35 +0200 Subject: s3: Use mode bits in some cases in mode simple. Non inheriting ACL entries will show mode bits. With this an file owner change does affect the effective ACL because the special owner acl will now refer to the new owner. This could be fixed by updating the ACL on a file owner change. Reviewed-by: Andrew Bartlett Reviewed-by: Jeremy Allison --- source3/modules/nfs4_acls.c | 46 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index ced278d..91fd0d7 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c 
@@ -870,6 +870,48 @@ static int smbacl4_substitute_special( return True; /* OK */ } +static int smbacl4_substitute_simple( + SMB4ACL_T *theacl, + uid_t ownerUID, + gid_t ownerGID +) +{ + SMB_ACL4_INT_T *aclint = get_validated_aclint(theacl); + SMB_ACE4_INT_T *aceint; + + for(aceint = aclint->first; aceint!=NULL; aceint=(SMB_ACE4_INT_T *)aceint->next) { + SMB_ACE4PROP_T *ace = &aceint->prop; + + DEBUG(10,("ace type: %d, iflags: %x, flags: %x, " + "mask: %x, who: %d\n", + ace->aceType, ace->flags, ace->aceFlags, + ace->aceMask, ace->who.id)); + + if (!(ace->flags & SMB_ACE4_ID_SPECIAL) && + !(ace->aceFlags & SMB_ACE4_IDENTIFIER_GROUP) && + ace->who.uid == ownerUID && + !(ace->aceFlags & SMB_ACE4_INHERIT_ONLY_ACE) && + !(ace->aceFlags & SMB_ACE4_FILE_INHERIT_ACE) && + !(ace->aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE)) { + ace->flags |= SMB_ACE4_ID_SPECIAL; + ace->who.special_id = SMB_ACE4_WHO_OWNER; + DEBUG(10,("replaced with special owner ace\n")); + } + + if (!(ace->flags & SMB_ACE4_ID_SPECIAL) && + ace->aceFlags & SMB_ACE4_IDENTIFIER_GROUP && + ace->who.uid == ownerGID && + !(ace->aceFlags & SMB_ACE4_INHERIT_ONLY_ACE) && + !(ace->aceFlags & SMB_ACE4_FILE_INHERIT_ACE) && + !(ace->aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE)) { + ace->flags |= SMB_ACE4_ID_SPECIAL; + ace->who.special_id = SMB_ACE4_WHO_GROUP; + DEBUG(10,("replaced with special group ace\n")); + } + } + return True; /* OK */ +} + static SMB4ACL_T *smbacl4_win2nfs4( const char *filename, const struct security_acl *dacl, @@ -911,6 +953,10 @@ static SMB4ACL_T *smbacl4_win2nfs4( smb_add_ace4(theacl, &ace_v4); } + if (pparams->mode==e_simple) { + smbacl4_substitute_simple(theacl, ownerUID, ownerGID); + } + if (pparams->mode==e_special) { smbacl4_substitute_special(theacl, ownerUID, ownerGID); } -- 1.7.9.5 From c8b2adda6a6cf0f572dcbd6e6191a080db4e5ff0 Mon Sep 17 00:00:00 2001 
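Review bot: smbacl4_substitute_simple in this hunk duplicates smbacl4_substitute_special except for the three inherit-flag exclusions in each condition, so the two copies (including the `ace->who.uid == ownerGID` comparison in the group branch) will have to be kept in sync by hand. A single static helper taking a `bool non_inheriting_only` parameter, with the exclusion written once as `(ace->aceFlags & (SMB_ACE4_INHERIT_ONLY_ACE | SMB_ACE4_FILE_INHERIT_ACE | SMB_ACE4_DIRECTORY_INHERIT_ACE)) == 0`, would let both modes share the loop. The two `if (pparams->mode==...)` blocks in smbacl4_win2nfs4 are mutually exclusive and read more clearly as a `switch` on `pparams->mode` with a default case.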
From: Alexander Werth Date: Thu, 2 May 2013 17:45:23 +0200 Subject: s3: Update README.nfs4acls.txt Reviewed-by: Andrew Bartlett Reviewed-by: Jeremy Allison --- source3/modules/README.nfs4acls.txt | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/source3/modules/README.nfs4acls.txt b/source3/modules/README.nfs4acls.txt index 1cb0887..3594aaf 100644 --- a/source3/modules/README.nfs4acls.txt +++ b/source3/modules/README.nfs4acls.txt @@ -1,7 +1,7 @@ Configuring NFS4 ACLs in Samba3 =============================== Created: Peter Somogyi, 2006-JUN-06 -Last modified: Peter Somogyi, 2006-JUL-20 +Last modified: Alexander Werth, 2013-MAY-02 Revision no.: 4 ------------------------------- 
@@ -13,13 +13,20 @@ Each parameter must have a prefix "nfs4:". Each one affects the behaviour only when _setting_ an acl on a file/dir: mode = [simple|special] -- simple: don't use OWNER@ and GROUP@ special IDs in ACEs. - default -- special: use OWNER@ and GROUP@ special IDs in ACEs instead of simple user&group ids. -Note: EVERYONE@ is always processed (if found such an ACE). -Note2: special mode will have side effect when _only_ chown is performed. Later this may be worked out. - -Use "simple" mode when the share is used mainly by windows users and unix side is not significant. You will loose unix bits in this case. -It's strongly advised setting "store dos attributes = yes" in smb.conf. +- simple: Use OWNER@ and GROUP@ special IDs for non inheriting ACEs only. + This mode is the default. +- special: use OWNER@ and GROUP@ special IDs in ACEs instead of simple + user&group ids. This mode is deprecated. + +Note1: EVERYONE@ is always processed (if found such an ACE). +Note2: There is a side effect when _only_ chown is performed. + Later this may be worked out. +Note3: Mode special inherits incorrect ACL entries when the user creating + a file is different from the owner of the caurrent folder. +Note4: Mode simple uses inheriting OWNER@ and GROUP@ special IDs to + support Creator Owner and Creator Group. + +It's strongly advised to set "store dos attributes = yes" in smb.conf. chown = [true|false] - true => enable changing owner and group - default. -- 1.7.9.5 From 1dd84958e1a7bd086a582a1053dbae9ab1591949 Mon Sep 17 00:00:00 2001 From: Alexander Werth Date: Fri, 3 May 2013 05:46:25 +0200 Subject: s3: Update vfs_gpfs man page with new nfs4:mode help text. Reviewed-by: Andrew Bartlett Reviewed-by: Jeremy Allison --- docs-xml/manpages-3/vfs_gpfs.8.xml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs-xml/manpages-3/vfs_gpfs.8.xml b/docs-xml/manpages-3/vfs_gpfs.8.xml index a6b3124..73dd96c 100644 --- a/docs-xml/manpages-3/vfs_gpfs.8.xml 
+++ b/docs-xml/manpages-3/vfs_gpfs.8.xml @@ -224,16 +224,16 @@ nfs4:mode = [ simple | special ] - Enable/Disable substitution of special IDs on GPFS. This parameter - should not affect the windows users in anyway. It only ensures that Samba - sets the special IDs - OWNER@ and GROUP@ ( mappings to simple uids ) - that are relevant to GPFS. + Controls substitution of special IDs (OWNER@ and GROUP@) on GPFS. + The use of mode simple is recommended. + In this mode only non inheriting ACL entries for the file owner + and group are mapped to special IDs. The following MODEs are understood by the module: - simple(default) - do not use special IDs in GPFS ACEs - special - use special IDs in GPFS ACEs. + simple(default) - use OWNER@ and GROUP@ special IDs for non inheriting ACEs only. + special(deprecated) - use OWNER@ and GROUP@ special IDs in ACEs for all file owner and group ACEs. -- 1.7.9.5 From 7d6e6c180095d3c6fd4322996b45deebb9188853 Mon Sep 17 00:00:00 2001 From: Alexander Werth Date: Fri, 14 Jun 2013 19:19:31 +0200 Subject: s3: Remove old mode special substitution. The mode special substitution now happens in a separate function. --- source3/modules/nfs4_acls.c | 17 ++--------------- 1 file changed, 2 insertions(+), 15 deletions(-) diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index 91fd0d7..a9dfd2b 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c @@ -771,13 +771,7 @@ static bool smbacl4_fill_ace4( sid_string_dbg(&sid))); return False; } - - if (params->mode==e_special && uid==ownerUID) { - ace_v4->flags |= SMB_ACE4_ID_SPECIAL; - ace_v4->who.special_id = SMB_ACE4_WHO_OWNER; - } else { - ace_v4->who.uid = uid; - } + ace_v4->who.uid = uid; } else { /* else group? - TODO check it... */ if (!sid_to_gid(&sid, &gid)) { DEBUG(1, ("nfs4_acls.c: file [%s]: could not " 
@@ -785,15 +779,8 @@ static bool smbacl4_fill_ace4( sid_string_dbg(&sid))); return False; } - ace_v4->aceFlags |= SMB_ACE4_IDENTIFIER_GROUP; - - if (params->mode==e_special && gid==ownerGID) { - ace_v4->flags |= SMB_ACE4_ID_SPECIAL; - ace_v4->who.special_id = SMB_ACE4_WHO_GROUP; - } else { - ace_v4->who.gid = gid; - } + ace_v4->who.gid = gid; } } -- 1.7.9.5
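Review bot: The second hunk deletes `ace_v4->aceFlags |= SMB_ACE4_IDENTIFIER_GROUP;` together with the old mode-special substitution, and the replacement `ace_v4->who.gid = gid;` does not restore it; the diffstat (2 insertions, 15 deletions) shows nothing else in this commit sets it. Unless the flag is set elsewhere in smbacl4_fill_ace4 outside these hunks, group ACEs built from Windows SIDs no longer carry the group identifier bit, and both smbacl4_substitute_special and smbacl4_substitute_simple test exactly that bit to recognise the owning group. The group branch should keep `ace_v4->aceFlags |= SMB_ACE4_IDENTIFIER_GROUP;` ahead of the new `ace_v4->who.gid = gid;`. The function body starts before the first hunk of this commit.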