The Samba-Bugzilla – Attachment 9048 Details for
Bug 9467
nfsv4 ACLs: CREATOR OWNER should be mapped to the special @owner ACL entry, and named users should not
[patch]
Backport to the v3-6-stable branch
backport.v3-6-stable.patch (text/plain), 25.63 KB, created by
Alexander Werth
on 2013-07-15 15:27:57 UTC
Description:
Backport to the v3-6-stable branch
Filename:
MIME Type:
Creator:
Alexander Werth
Created:
2013-07-15 15:27:57 UTC
Size:
25.63 KB
patch
obsolete
>From 9dda2e8f5bf435f686637aa3a6a46c31f13da1e2 Mon Sep 17 00:00:00 2001
>From: Alexander Werth <alexander.werth@de.ibm.com>
>Date: Mon, 15 Apr 2013 16:08:46 +0200
>Subject: s3: Move up declaration of params struct and related function.
>
> We need the parameters earlier in the code so we move up
> the declaration of the params struct. Since reading the
> parameters is closely related the definition of the function
> smbacl4_get_vfs_params has also been moved up.
>---
> source3/modules/nfs4_acls.c | 96 +++++++++++++++++++++----------------------
> 1 file changed, 48 insertions(+), 48 deletions(-)
>
>diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
>index e5cc32d..1d64ea2 100644
>--- a/source3/modules/nfs4_acls.c
>+++ b/source3/modules/nfs4_acls.c
>@@ -52,6 +52,54 @@ typedef struct _SMB_ACL4_INT_T
> SMB_ACE4_INT_T *last;
> } SMB_ACL4_INT_T;
>
>+enum smbacl4_mode_enum {e_simple=0, e_special=1};
>+enum smbacl4_acedup_enum {e_dontcare=0, e_reject=1, e_ignore=2, e_merge=3};
>+
>+typedef struct _smbacl4_vfs_params {
>+ enum smbacl4_mode_enum mode;
>+ bool do_chown;
>+ enum smbacl4_acedup_enum acedup;
>+ struct db_context *sid_mapping_table;
>+} smbacl4_vfs_params;
>+
>+/*
>+ * Gather special parameters for NFS4 ACL handling
>+ */
>+static int smbacl4_get_vfs_params(
>+ const char *type_name,
>+ files_struct *fsp,
>+ smbacl4_vfs_params *params
>+)
>+{
>+ static const struct enum_list enum_smbacl4_modes[] = {
>+ { e_simple, "simple" },
>+ { e_special, "special" },
>+ };
>+ static const struct enum_list enum_smbacl4_acedups[] = {
>+ { e_dontcare, "dontcare" },
>+ { e_reject, "reject" },
>+ { e_ignore, "ignore" },
>+ { e_merge, "merge" },
>+ };
>+
>+ memset(params, 0, sizeof(smbacl4_vfs_params));
>+ params->mode = (enum smbacl4_mode_enum)lp_parm_enum(
>+ SNUM(fsp->conn), type_name,
>+ "mode", enum_smbacl4_modes, e_simple);
>+ params->do_chown = lp_parm_bool(SNUM(fsp->conn), type_name,
>+ "chown", true);
>+ params->acedup = (enum smbacl4_acedup_enum)lp_parm_enum(
>+ SNUM(fsp->conn), type_name,
>+ "acedup", enum_smbacl4_acedups, e_dontcare);
>+
>+ DEBUG(10, ("mode:%s, do_chown:%s, acedup: %s\n",
>+ enum_smbacl4_modes[params->mode].name,
>+ params->do_chown ? "true" : "false",
>+ enum_smbacl4_acedups[params->acedup].name));
>+
>+ return 0;
>+}
>+
> /************************************************
> Split the ACE flag mapping between nfs4 and Windows
> into two separate functions rather than trying to do
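Review bot: `enum_smbacl4_modes[params->mode].name` and `enum_smbacl4_acedups[params->acedup].name` in the DEBUG call index the tables with whatever `lp_parm_enum` returned; if that helper can signal an unrecognised smb.conf value with a result outside the table (for example -1), both lookups and every later `params->mode` comparison run on an out-of-range enum. Validate after reading and before the DEBUG, e.g. `if (params->mode > e_special) params->mode = e_simple;` and the same for `acedup` against `e_merge`, logging the fallback. Also note the moved copy is not byte-identical to the one removed in the next hunk: `"chown", True` became `"chown", true` and `enum_smbacl4_modes` gained a trailing comma, which the "move up" commit message does not mention.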
>@@ -433,54 +481,6 @@ NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn,
> return smb_get_nt_acl_nfs4_common(&sbuf, security_info, ppdesc, theacl);
> }
>
>-enum smbacl4_mode_enum {e_simple=0, e_special=1};
>-enum smbacl4_acedup_enum {e_dontcare=0, e_reject=1, e_ignore=2, e_merge=3};
>-
>-typedef struct _smbacl4_vfs_params {
>- enum smbacl4_mode_enum mode;
>- bool do_chown;
>- enum smbacl4_acedup_enum acedup;
>- struct db_context *sid_mapping_table;
>-} smbacl4_vfs_params;
>-
>-/*
>- * Gather special parameters for NFS4 ACL handling
>- */
>-static int smbacl4_get_vfs_params(
>- const char *type_name,
>- files_struct *fsp,
>- smbacl4_vfs_params *params
>-)
>-{
>- static const struct enum_list enum_smbacl4_modes[] = {
>- { e_simple, "simple" },
>- { e_special, "special" }
>- };
>- static const struct enum_list enum_smbacl4_acedups[] = {
>- { e_dontcare, "dontcare" },
>- { e_reject, "reject" },
>- { e_ignore, "ignore" },
>- { e_merge, "merge" },
>- };
>-
>- memset(params, 0, sizeof(smbacl4_vfs_params));
>- params->mode = (enum smbacl4_mode_enum)lp_parm_enum(
>- SNUM(fsp->conn), type_name,
>- "mode", enum_smbacl4_modes, e_simple);
>- params->do_chown = lp_parm_bool(SNUM(fsp->conn), type_name,
>- "chown", True);
>- params->acedup = (enum smbacl4_acedup_enum)lp_parm_enum(
>- SNUM(fsp->conn), type_name,
>- "acedup", enum_smbacl4_acedups, e_dontcare);
>-
>- DEBUG(10, ("mode:%s, do_chown:%s, acedup: %s\n",
>- enum_smbacl4_modes[params->mode].name,
>- params->do_chown ? "true" : "false",
>- enum_smbacl4_acedups[params->acedup].name));
>-
>- return 0;
>-}
>-
> static void smbacl4_dump_nfs4acl(int level, SMB4ACL_T *theacl)
> {
> SMB_ACL4_INT_T *aclint = get_validated_aclint(theacl);
>--
>1.7.9.5
>
>From bd6bc66c827a1d386ec1a96bfb5bf7e67d0ef95c Mon Sep 17 00:00:00 2001
>From: Alexander Werth <alexander.werth@de.ibm.com>
>Date: Thu, 26 Jul 2012 17:11:03 +0200
>Subject: s3: Change smbacl4_get_vfs_params to use connection_struct instead
> of fsp.
>
>---
> source3/modules/nfs4_acls.c | 12 +++++++-----
> 1 file changed, 7 insertions(+), 5 deletions(-)
>
>diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
>index 1d64ea2..5515c0d 100644
>--- a/source3/modules/nfs4_acls.c
>+++ b/source3/modules/nfs4_acls.c
>@@ -67,7 +67,7 @@ typedef struct _smbacl4_vfs_params {
> */
> static int smbacl4_get_vfs_params(
> const char *type_name,
>- files_struct *fsp,
>+ struct connection_struct *conn,
> smbacl4_vfs_params *params
> )
> {
>@@ -84,12 +84,12 @@ static int smbacl4_get_vfs_params(
>
> memset(params, 0, sizeof(smbacl4_vfs_params));
> params->mode = (enum smbacl4_mode_enum)lp_parm_enum(
>- SNUM(fsp->conn), type_name,
>+ SNUM(conn), type_name,
> "mode", enum_smbacl4_modes, e_simple);
>- params->do_chown = lp_parm_bool(SNUM(fsp->conn), type_name,
>+ params->do_chown = lp_parm_bool(SNUM(conn), type_name,
> "chown", true);
> params->acedup = (enum smbacl4_acedup_enum)lp_parm_enum(
>- SNUM(fsp->conn), type_name,
>+ SNUM(conn), type_name,
> "acedup", enum_smbacl4_acedups, e_dontcare);
>
> DEBUG(10, ("mode:%s, do_chown:%s, acedup: %s\n",
>@@ -806,8 +806,10 @@ NTSTATUS smb_set_nt_acl_nfs4(files_struct *fsp,
> }
>
> /* Special behaviours */
>- if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, fsp, ¶ms))
>+ if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME,
>+ fsp->conn, ¶ms)) {
> return NT_STATUS_NO_MEMORY;
>+ }
>
> if (smbacl4_fGetFileOwner(fsp, &sbuf))
> return map_nt_error_from_unix(errno);
>--
>1.7.9.5
>
>From 1bb1a6b218d17c109ab41e1c737cf3f154b6d24c Mon Sep 17 00:00:00 2001
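Review bot: `return NT_STATUS_NO_MEMORY;` on a non-zero result from `smbacl4_get_vfs_params` reports an allocation failure for a helper that, as defined in the first patch, only ever executes `return 0;` and only reads smb.conf parameters; either make the helper `void` and drop the check, or return a status that matches what it could actually fail on, such as `NT_STATUS_INVALID_PARAMETER` for a rejected configuration value. The same pattern is copied into `smb_fget_nt_acl_nfs4` and `smb_get_nt_acl_nfs4` in the following patch, so one decision should cover all three call sites. For readers of this page, `¶ms` is the page's rendering of `&params` (the `&para` HTML entity), not a change in the code. smb_set_nt_acl_nfs4 starts and ends outside the hunk.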
>From: Alexander Werth <alexander.werth@de.ibm.com>
>Date: Thu, 26 Jul 2012 17:29:12 +0200
>Subject: s3: Add params parameter to smbacl4_nfs42win function.
>
>---
> source3/modules/nfs4_acls.c | 34 ++++++++++++++++++++++++++--------
> 1 file changed, 26 insertions(+), 8 deletions(-)
>
>diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
>index 5515c0d..6ebe0b5 100644
>--- a/source3/modules/nfs4_acls.c
>+++ b/source3/modules/nfs4_acls.c
>@@ -303,7 +303,9 @@ static int smbacl4_fGetFileOwner(files_struct *fsp, SMB_STRUCT_STAT *psbuf)
> return 0;
> }
>
>-static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, SMB4ACL_T *theacl, /* in */
>+static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx,
>+ smbacl4_vfs_params *params,
>+ SMB4ACL_T *theacl, /* in */
> struct dom_sid *psid_owner, /* in */
> struct dom_sid *psid_group, /* in */
> bool is_directory, /* in */
>@@ -403,10 +405,12 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, SMB4ACL_T *theacl, /* in */
> }
>
> static NTSTATUS smb_get_nt_acl_nfs4_common(const SMB_STRUCT_STAT *sbuf,
>- uint32 security_info,
>- struct security_descriptor **ppdesc, SMB4ACL_T *theacl)
>+ smbacl4_vfs_params *params,
>+ uint32 security_info,
>+ struct security_descriptor **ppdesc,
>+ SMB4ACL_T *theacl)
> {
>- int good_aces = 0;
>+ int good_aces = 0;
> struct dom_sid sid_owner, sid_group;
> size_t sd_size = 0;
> struct security_ace *nt_ace_list = NULL;
>@@ -421,7 +425,7 @@ static NTSTATUS smb_get_nt_acl_nfs4_common(const SMB_STRUCT_STAT *sbuf,
> uid_to_sid(&sid_owner, sbuf->st_ex_uid);
> gid_to_sid(&sid_group, sbuf->st_ex_gid);
>
>- if (smbacl4_nfs42win(mem_ctx, theacl, &sid_owner, &sid_group,
>+ if (smbacl4_nfs42win(mem_ctx, params, theacl, &sid_owner, &sid_group,
> S_ISDIR(sbuf->st_ex_mode),
> &nt_ace_list, &good_aces)==False) {
> DEBUG(8,("smbacl4_nfs42win failed\n"));
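Review bot: The new `smbacl4_vfs_params *params` parameters on `smbacl4_nfs42win` and `smb_get_nt_acl_nfs4_common` are not `const`-qualified although this is the read path that only translates an ACL into a security descriptor; as far as the later patch shows, only `params->mode` is ever read, so `const smbacl4_vfs_params *params` documents that contract and lets `const` propagate to the callers added in the next hunks. The second hunk also re-indents `int good_aces = 0;` with no other change, which is diff noise that a separate whitespace commit would carry better. Both functions continue outside the hunk.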
>@@ -455,6 +459,7 @@ NTSTATUS smb_fget_nt_acl_nfs4(files_struct *fsp,
> struct security_descriptor **ppdesc, SMB4ACL_T *theacl)
> {
> SMB_STRUCT_STAT sbuf;
>+ smbacl4_vfs_params params;
>
> DEBUG(10, ("smb_fget_nt_acl_nfs4 invoked for %s\n", fsp_str_dbg(fsp)));
>
>@@ -462,7 +467,13 @@ NTSTATUS smb_fget_nt_acl_nfs4(files_struct *fsp,
> return map_nt_error_from_unix(errno);
> }
>
>- return smb_get_nt_acl_nfs4_common(&sbuf, security_info, ppdesc, theacl);
>+ /* Special behaviours */
>+ if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, fsp->conn, ¶ms)) {
>+ return NT_STATUS_NO_MEMORY;
>+ }
>+
>+ return smb_get_nt_acl_nfs4_common(&sbuf, ¶ms, security_info,
>+ ppdesc, theacl);
> }
>
> NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn,
>@@ -471,6 +482,7 @@ NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn,
> struct security_descriptor **ppdesc, SMB4ACL_T *theacl)
> {
> SMB_STRUCT_STAT sbuf;
>+ smbacl4_vfs_params params;
>
> DEBUG(10, ("smb_get_nt_acl_nfs4 invoked for %s\n", name));
>
>@@ -478,7 +490,13 @@ NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn,
> return map_nt_error_from_unix(errno);
> }
>
>- return smb_get_nt_acl_nfs4_common(&sbuf, security_info, ppdesc, theacl);
>+ /* Special behaviours */
>+ if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, conn, ¶ms)) {
>+ return NT_STATUS_NO_MEMORY;
>+ }
>+
>+ return smb_get_nt_acl_nfs4_common(&sbuf, ¶ms, security_info,
>+ ppdesc, theacl);
> }
>
> static void smbacl4_dump_nfs4acl(int level, SMB4ACL_T *theacl)
>@@ -514,7 +532,7 @@ static SMB_ACE4PROP_T *smbacl4_find_equal_special(
> for(aceint = aclint->first; aceint!=NULL; aceint=(SMB_ACE4_INT_T *)aceint->next) {
> SMB_ACE4PROP_T *ace = &aceint->prop;
>
>- DEBUG(10,("ace type:0x%x flags:0x%x aceFlags:0x%x "
>+ DEBUG(10,("ace type:0x%x flags:0x%x aceFlags:0x%x "
> "new type:0x%x flags:0x%x aceFlags:0x%x\n",
> ace->aceType, ace->flags, ace->aceFlags,
> aceNew->aceType, aceNew->flags,aceNew->aceFlags));
>--
>1.7.9.5
>
>From a7574fc00c374964991f4ab58715eb650ca29e38 Mon Sep 17 00:00:00 2001
>From: Alexander Werth <alexander.werth@de.ibm.com>
>Date: Wed, 25 Apr 2012 15:10:20 +0200
>Subject: s3: Mapping of special entries to creator owner in mode simple.
>
>---
> source3/modules/nfs4_acls.c | 68 +++++++++++++++++++++++++++++++++++++++----
> 1 file changed, 62 insertions(+), 6 deletions(-)
>
>diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
>index 6ebe0b5..0afa74d 100644
>--- a/source3/modules/nfs4_acls.c
>+++ b/source3/modules/nfs4_acls.c
>@@ -321,9 +321,12 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx,
> DEBUG(10, ("smbacl_nfs42win entered\n"));
>
> aclint = get_validated_aclint(theacl);
>- /* We do not check for naces being 0 or theacl being NULL here because it is done upstream */
>- /* in smb_get_nt_acl_nfs4(). */
>- nt_ace_list = (struct security_ace *)TALLOC_ZERO_SIZE(mem_ctx, aclint->naces * sizeof(struct security_ace));
>+ /* We do not check for naces being 0 or theacl being NULL here
>+ because it is done upstream in smb_get_nt_acl_nfs4().
>+ We reserve twice the number of input aces because one nfs4
>+ ace might result in 2 nt aces.*/
>+ nt_ace_list = (struct security_ace *)TALLOC_ZERO_SIZE(
>+ mem_ctx, 2 * aclint->naces * sizeof(struct security_ace));
> if (nt_ace_list==NULL)
> {
> DEBUG(10, ("talloc error"));
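Review bot: `2 * aclint->naces * sizeof(struct security_ace)` is multiplied out before it reaches `TALLOC_ZERO_SIZE`, so an unexpectedly large `naces` (the ACL is read from the file system, not produced by Samba) can wrap the byte count and leave the later `nt_ace_list[good_aces++]` writes past the allocation; talloc's array allocator performs that overflow check itself: `nt_ace_list = talloc_zero_array(mem_ctx, struct security_ace, 2 * aclint->naces);`. The type of `naces` is not visible here, so whether the `2 *` alone can overflow depends on it and is worth a range check against a sane ACE-count ceiling. The comment's claim that one NFSv4 ACE yields at most two NT ACEs is the invariant the buffer size rests on and should be stated next to the loop that emits them, not only here. smbacl4_nfs42win starts before the hunk.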
>@@ -393,9 +396,62 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx,
> if(ace->aceType == SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE) {
> mask = ace->aceMask | SMB_ACE4_SYNCHRONIZE;
> }
>- init_sec_ace(&nt_ace_list[good_aces++], &sid,
>- ace->aceType, mask,
>- win_ace_flags);
>+
>+ /* Mapping of owner@ and group@ to creator owner and
>+ creator group. Keep old behavior in mode special. */
>+ if (params->mode != e_special &&
>+ ace->flags & SMB_ACE4_ID_SPECIAL &&
>+ (ace->who.special_id == SMB_ACE4_WHO_OWNER ||
>+ ace->who.special_id == SMB_ACE4_WHO_GROUP)) {
>+ DEBUG(10, ("Map special entry\n"));
>+ if (!(win_ace_flags & SEC_ACE_FLAG_INHERIT_ONLY)) {
>+ DEBUG(10, ("Map current sid\n"));
>+ uint32_t win_ace_flags_current;
>+ win_ace_flags_current = win_ace_flags &
>+ ~(SEC_ACE_FLAG_OBJECT_INHERIT |
>+ SEC_ACE_FLAG_CONTAINER_INHERIT);
>+ init_sec_ace(&nt_ace_list[good_aces++], &sid,
>+ ace->aceType, mask,
>+ win_ace_flags_current);
>+ }
>+ if (ace->who.special_id == SMB_ACE4_WHO_OWNER &&
>+ win_ace_flags & (SEC_ACE_FLAG_OBJECT_INHERIT |
>+ SEC_ACE_FLAG_CONTAINER_INHERIT)) {
>+ uint32_t win_ace_flags_creator;
>+ DEBUG(10, ("Map creator owner\n"));
>+ win_ace_flags_creator = win_ace_flags |
>+ SMB_ACE4_INHERIT_ONLY_ACE;
>+ init_sec_ace(&nt_ace_list[good_aces++],
>+ &global_sid_Creator_Owner,
>+ ace->aceType, mask,
>+ win_ace_flags_creator);
>+ }
>+ if (ace->who.special_id == SMB_ACE4_WHO_GROUP &&
>+ win_ace_flags & (SEC_ACE_FLAG_OBJECT_INHERIT |
>+ SEC_ACE_FLAG_CONTAINER_INHERIT)) {
>+ uint32_t win_ace_flags_creator;
>+ DEBUG(10, ("Map creator owner group\n"));
>+ win_ace_flags_creator = win_ace_flags |
>+ SMB_ACE4_INHERIT_ONLY_ACE;
>+ init_sec_ace(&nt_ace_list[good_aces++],
>+ &global_sid_Creator_Group,
>+ ace->aceType, mask,
>+ win_ace_flags_creator);
>+ }
>+ } else {
>+ DEBUG(10, ("Map normal sid\n"));
>+ init_sec_ace(&nt_ace_list[good_aces++], &sid,
>+ ace->aceType, mask,
>+ win_ace_flags);
>+ }
>+ }
>+
>+ nt_ace_list = (struct security_ace *)TALLOC_REALLOC(mem_ctx,
>+ nt_ace_list,
>+ good_aces * sizeof(struct security_ace));
>+ if (nt_ace_list == NULL) {
>+ errno = ENOMEM;
>+ return false;
> }
>
> *ppnt_ace_list = nt_ace_list;
>--
>1.7.9.5
>
>From 47edde69846458558ee2f5691ff131e6758055b9 Mon Sep 17 00:00:00 2001
>From: Alexander Werth <alexander.werth@de.ibm.com>
>Date: Thu, 10 May 2012 14:19:41 +0200
>Subject: s3: Mapping of cifs creator owner to nfs owner@ ace.
>
>This is ignored in nfs4mode special for compatibility.
>Also ensure that we drop non inheriting creator owner
>aces since these don't contribute to who can access
>a file.
>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>---
> source3/modules/nfs4_acls.c | 24 ++++++++++++++++++++++++
> 1 file changed, 24 insertions(+)
>
>diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
>index 0afa74d..ec47d36 100644
>--- a/source3/modules/nfs4_acls.c
>+++ b/source3/modules/nfs4_acls.c
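Review bot: The trailing `TALLOC_REALLOC(mem_ctx, nt_ace_list, good_aces * sizeof(struct security_ace))` treats a NULL result as ENOMEM, but a talloc realloc to size 0 frees the buffer and returns NULL, so if the loop can leave `good_aces` at 0 (its earlier part, outside the hunk, decides which entries are skipped) a legitimately empty result is reported as an allocation failure; guard with `if (good_aces > 0)` around the shrink, or let `good_aces == 0` pass with `nt_ace_list == NULL` if the consumer of `*ppnt_ace_list` accepts that. Separately, `win_ace_flags_creator = win_ace_flags | SMB_ACE4_INHERIT_ONLY_ACE;` (both copies) ORs an NFSv4 ACE flag into a variable that otherwise holds `SEC_ACE_FLAG_*` bits; it should be `SEC_ACE_FLAG_INHERIT_ONLY`, which gives the same result only because the two constants share the value 0x08 in the standard definitions. The owner and group branches are identical apart from the SID and could be one block that picks `&global_sid_Creator_Owner` or `&global_sid_Creator_Group` from `special_id`.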
>@@ -705,6 +705,30 @@ static bool smbacl4_fill_ace4(
> if (dom_sid_equal(&ace_nt->trustee, &global_sid_World)) {
> ace_v4->who.special_id = SMB_ACE4_WHO_EVERYONE;
> ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
>+ } else if (params->mode!=e_special &&
>+ dom_sid_equal(&ace_nt->trustee,
>+ &global_sid_Creator_Owner)) {
>+ DEBUG(10, ("Map creator owner\n"));
>+ ace_v4->who.special_id = SMB_ACE4_WHO_OWNER;
>+ ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
>+ /* A non inheriting creator owner entry has no effect. */
>+ ace_v4->aceFlags |= SMB_ACE4_INHERIT_ONLY_ACE;
>+ if (!(ace_v4->aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE)
>+ && !(ace_v4->aceFlags & SMB_ACE4_FILE_INHERIT_ACE)) {
>+ return False;
>+ }
>+ } else if (params->mode!=e_special &&
>+ dom_sid_equal(&ace_nt->trustee,
>+ &global_sid_Creator_Group)) {
>+ DEBUG(10, ("Map creator owner group\n"));
>+ ace_v4->who.special_id = SMB_ACE4_WHO_GROUP;
>+ ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
>+ /* A non inheriting creator group entry has no effect. */
>+ ace_v4->aceFlags |= SMB_ACE4_INHERIT_ONLY_ACE;
>+ if (!(ace_v4->aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE)
>+ && !(ace_v4->aceFlags & SMB_ACE4_FILE_INHERIT_ACE)) {
>+ return False;
>+ }
> } else {
> const char *dom, *name;
> enum lsa_SidType type;
>--
>1.7.9.5
>
>From fa3dfaaab3ee76d13ca1592d00e1a3c290a88d27 Mon Sep 17 00:00:00 2001
>From: Alexander Werth <alexander.werth@de.ibm.com>
>Date: Thu, 2 May 2013 16:50:55 +0200
>Subject: s3: Add changes that keep nfs4:mode special behavior.
>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>---
> source3/modules/nfs4_acls.c | 42 +++++++++++++++++++++++++++++++++++++++++-
> 1 file changed, 41 insertions(+), 1 deletion(-)
>
>diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
>index ec47d36..ced278d 100644
>--- a/source3/modules/nfs4_acls.c
>+++ b/source3/modules/nfs4_acls.c
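Review bot: Dropping a non-inheriting CREATOR OWNER or CREATOR GROUP entry with `return False;` reuses the value that `smbacl4_fill_ace4` also returns for SID-mapping failures (the `return False;` after the "could not ..." DEBUG(1) visible in the last patch of this series), so whatever the caller does on False — the caller is outside the hunk — it now does both for a deliberate skip and for a real error; a distinct signal, such as an out-parameter `bool *skipped` or a three-valued result, keeps the skip silent and the failures loud. The comment `/* A non inheriting creator owner entry has no effect. */` is placed above the `|= SMB_ACE4_INHERIT_ONLY_ACE` line but describes the `if` that follows it; doing the inherit-flag check first and then setting `SMB_ACE4_INHERIT_ONLY_ACE` reads in execution order. The two new branches differ only in the SID compared and the `special_id` assigned and could share one body. smbacl4_fill_ace4 starts and ends outside the hunk.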
>@@ -573,7 +573,7 @@ static void smbacl4_dump_nfs4acl(int level, SMB4ACL_T *theacl)
> }
> }
>
>-/*
>+/*
> * Find 2 NFS4 who-special ACE property (non-copy!!!)
> * match nonzero if "special" and who is equal
> * return ace if found matching; otherwise NULL
>@@ -834,6 +834,42 @@ static int smbacl4_MergeIgnoreReject(
> return result;
> }
>
>+static int smbacl4_substitute_special(
>+ SMB4ACL_T *theacl,
>+ uid_t ownerUID,
>+ gid_t ownerGID
>+)
>+{
>+ SMB_ACL4_INT_T *aclint = get_validated_aclint(theacl);
>+ SMB_ACE4_INT_T *aceint;
>+
>+ for(aceint = aclint->first; aceint!=NULL; aceint=(SMB_ACE4_INT_T *)aceint->next) {
>+ SMB_ACE4PROP_T *ace = &aceint->prop;
>+
>+ DEBUG(10,("ace type: %d, iflags: %x, flags: %x, "
>+ "mask: %x, who: %d\n",
>+ ace->aceType, ace->flags, ace->aceFlags,
>+ ace->aceMask, ace->who.id));
>+
>+ if (!(ace->flags & SMB_ACE4_ID_SPECIAL) &&
>+ !(ace->aceFlags & SMB_ACE4_IDENTIFIER_GROUP) &&
>+ ace->who.uid == ownerUID) {
>+ ace->flags |= SMB_ACE4_ID_SPECIAL;
>+ ace->who.special_id = SMB_ACE4_WHO_OWNER;
>+ DEBUG(10,("replaced with special owner ace\n"));
>+ }
>+
>+ if (!(ace->flags & SMB_ACE4_ID_SPECIAL) &&
>+ ace->aceFlags & SMB_ACE4_IDENTIFIER_GROUP &&
>+ ace->who.uid == ownerGID) {
>+ ace->flags |= SMB_ACE4_ID_SPECIAL;
>+ ace->who.special_id = SMB_ACE4_WHO_GROUP;
>+ DEBUG(10,("replaced with special group ace\n"));
>+ }
>+ }
>+ return True; /* OK */
>+}
>+
> static SMB4ACL_T *smbacl4_win2nfs4(
> const char *filename,
> const struct security_acl *dacl,
>@@ -875,6 +911,10 @@ static SMB4ACL_T *smbacl4_win2nfs4(
> smb_add_ace4(theacl, &ace_v4);
> }
>
>+ if (pparams->mode==e_special) {
>+ smbacl4_substitute_special(theacl, ownerUID, ownerGID);
>+ }
>+
> return theacl;
> }
>
>--
>1.7.9.5
>
>From 107cae056b990e103719865588d87c3ff927a208 Mon Sep 17 00:00:00 2001
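Review bot: In `smbacl4_substitute_special` the group branch compares `ace->who.uid == ownerGID`, reading the `uid` member where the `gid_t` argument belongs; the surrounding code accesses `who` as `.uid`, `.id` and `.special_id`, which suggests a union whose bits coincide, but the comparison still mixes `uid_t` with `gid_t` and hides the intent — `ace->who.gid == ownerGID`. The same line is repeated in `smbacl4_substitute_simple` in the next patch. The function is declared `int`, always executes `return True;`, and the call added in the last hunk (`smbacl4_substitute_special(theacl, ownerUID, ownerGID);`) discards the result; make it `void` or check it. The DEBUG format prints `ace->who.id` with `%d`; if `id` is an unsigned type, `%u` is the matching conversion. smbacl4_win2nfs4 starts before the hunk.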
>From: Alexander Werth <alexander.werth@de.ibm.com>
>Date: Thu, 2 May 2013 16:53:35 +0200
>Subject: s3: Use mode bits in some cases in mode simple.
>
>Non inheriting ACL entries will show mode bits.
>With this an file owner change does affect the effective ACL because
>the special owner acl will now refer to the new owner.
>This could be fixed by updating the ACL on a file owner change.
>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>---
> source3/modules/nfs4_acls.c | 46 +++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 46 insertions(+)
>
>diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
>index ced278d..91fd0d7 100644
>--- a/source3/modules/nfs4_acls.c
>+++ b/source3/modules/nfs4_acls.c
>@@ -870,6 +870,48 @@ static int smbacl4_substitute_special(
> return True; /* OK */
> }
>
>+static int smbacl4_substitute_simple(
>+ SMB4ACL_T *theacl,
>+ uid_t ownerUID,
>+ gid_t ownerGID
>+)
>+{
>+ SMB_ACL4_INT_T *aclint = get_validated_aclint(theacl);
>+ SMB_ACE4_INT_T *aceint;
>+
>+ for(aceint = aclint->first; aceint!=NULL; aceint=(SMB_ACE4_INT_T *)aceint->next) {
>+ SMB_ACE4PROP_T *ace = &aceint->prop;
>+
>+ DEBUG(10,("ace type: %d, iflags: %x, flags: %x, "
>+ "mask: %x, who: %d\n",
>+ ace->aceType, ace->flags, ace->aceFlags,
>+ ace->aceMask, ace->who.id));
>+
>+ if (!(ace->flags & SMB_ACE4_ID_SPECIAL) &&
>+ !(ace->aceFlags & SMB_ACE4_IDENTIFIER_GROUP) &&
>+ ace->who.uid == ownerUID &&
>+ !(ace->aceFlags & SMB_ACE4_INHERIT_ONLY_ACE) &&
>+ !(ace->aceFlags & SMB_ACE4_FILE_INHERIT_ACE) &&
>+ !(ace->aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE)) {
>+ ace->flags |= SMB_ACE4_ID_SPECIAL;
>+ ace->who.special_id = SMB_ACE4_WHO_OWNER;
>+ DEBUG(10,("replaced with special owner ace\n"));
>+ }
>+
>+ if (!(ace->flags & SMB_ACE4_ID_SPECIAL) &&
>+ ace->aceFlags & SMB_ACE4_IDENTIFIER_GROUP &&
>+ ace->who.uid == ownerGID &&
>+ !(ace->aceFlags & SMB_ACE4_INHERIT_ONLY_ACE) &&
>+ !(ace->aceFlags & SMB_ACE4_FILE_INHERIT_ACE) &&
>+ !(ace->aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE)) {
>+ ace->flags |= SMB_ACE4_ID_SPECIAL;
>+ ace->who.special_id = SMB_ACE4_WHO_GROUP;
>+ DEBUG(10,("replaced with special group ace\n"));
>+ }
>+ }
>+ return True; /* OK */
>+}
>+
> static SMB4ACL_T *smbacl4_win2nfs4(
> const char *filename,
> const struct security_acl *dacl,
>@@ -911,6 +953,10 @@ static SMB4ACL_T *smbacl4_win2nfs4(
> smb_add_ace4(theacl, &ace_v4);
> }
>
>+ if (pparams->mode==e_simple) {
>+ smbacl4_substitute_simple(theacl, ownerUID, ownerGID);
>+ }
>+
> if (pparams->mode==e_special) {
> smbacl4_substitute_special(theacl, ownerUID, ownerGID);
> }
>--
>1.7.9.5
>
>From c8b2adda6a6cf0f572dcbd6e6191a080db4e5ff0 Mon Sep 17 00:00:00 2001
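Review bot: `smbacl4_substitute_simple` duplicates `smbacl4_substitute_special` line for line except for the three added `!(ace->aceFlags & SMB_ACE4_*_INHERIT*)` conditions, and the two are then called from `smbacl4_win2nfs4` under mutually exclusive `pparams->mode` tests; one helper taking `bool non_inheriting_only` (or the mode itself) keeps the two behaviours from drifting apart, which matters because these functions decide which identities an NFSv4 ACE ends up granting. The three negated tests can also be one mask test: `!(ace->aceFlags & (SMB_ACE4_INHERIT_ONLY_ACE | SMB_ACE4_FILE_INHERIT_ACE | SMB_ACE4_DIRECTORY_INHERIT_ACE))`. The commit message's caveat that a chown now moves these rights to the new owner (the OWNER@ entry follows ownership, the named-user entry did not) belongs in a comment at the `pparams->mode==e_simple` call site, since that is where a maintainer reading the setter will look for it. smbacl4_win2nfs4 starts before the hunk.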
>From: Alexander Werth <alexander.werth@de.ibm.com>
>Date: Thu, 2 May 2013 17:45:23 +0200
>Subject: s3: Update README.nfs4acls.txt
>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>---
> source3/modules/README.nfs4acls.txt | 23 +++++++++++++++--------
> 1 file changed, 15 insertions(+), 8 deletions(-)
>
>diff --git a/source3/modules/README.nfs4acls.txt b/source3/modules/README.nfs4acls.txt
>index 1cb0887..3594aaf 100644
>--- a/source3/modules/README.nfs4acls.txt
>+++ b/source3/modules/README.nfs4acls.txt
>@@ -1,7 +1,7 @@
> Configuring NFS4 ACLs in Samba3
> ===============================
> Created: Peter Somogyi, 2006-JUN-06
>-Last modified: Peter Somogyi, 2006-JUL-20
>+Last modified: Alexander Werth, 2013-MAY-02
> Revision no.: 4
> -------------------------------
>
>@@ -13,13 +13,20 @@ Each parameter must have a prefix "nfs4:".
> Each one affects the behaviour only when _setting_ an acl on a file/dir:
>
> mode = [simple|special]
>-- simple: don't use OWNER@ and GROUP@ special IDs in ACEs. - default
>-- special: use OWNER@ and GROUP@ special IDs in ACEs instead of simple user&group ids.
>-Note: EVERYONE@ is always processed (if found such an ACE).
>-Note2: special mode will have side effect when _only_ chown is performed. Later this may be worked out.
>-
>-Use "simple" mode when the share is used mainly by windows users and unix side is not significant. You will loose unix bits in this case.
>-It's strongly advised setting "store dos attributes = yes" in smb.conf.
>+- simple: Use OWNER@ and GROUP@ special IDs for non inheriting ACEs only.
>+ This mode is the default.
>+- special: use OWNER@ and GROUP@ special IDs in ACEs instead of simple
>+ user&group ids. This mode is deprecated.
>+
>+Note1: EVERYONE@ is always processed (if found such an ACE).
>+Note2: There is a side effect when _only_ chown is performed.
>+ Later this may be worked out.
>+Note3: Mode special inherits incorrect ACL entries when the user creating
>+ a file is different from the owner of the caurrent folder.
>+Note4: Mode simple uses inheriting OWNER@ and GROUP@ special IDs to
>+ support Creator Owner and Creator Group.
>+
>+It's strongly advised to set "store dos attributes = yes" in smb.conf.
>
> chown = [true|false]
> - true => enable changing owner and group - default.
>--
>1.7.9.5
>
>From 1dd84958e1a7bd086a582a1053dbae9ab1591949 Mon Sep 17 00:00:00 2001
>From: Alexander Werth <alexander.werth@de.ibm.com>
>Date: Fri, 3 May 2013 05:46:25 +0200
>Subject: s3: Update vfs_gpfs man page with new nfs4:mode help text.
>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>---
> docs-xml/manpages-3/vfs_gpfs.8.xml | 12 ++++++------
> 1 file changed, 6 insertions(+), 6 deletions(-)
>
>diff --git a/docs-xml/manpages-3/vfs_gpfs.8.xml b/docs-xml/manpages-3/vfs_gpfs.8.xml
>index a6b3124..73dd96c 100644
>--- a/docs-xml/manpages-3/vfs_gpfs.8.xml
>+++ b/docs-xml/manpages-3/vfs_gpfs.8.xml
>@@ -224,16 +224,16 @@
> <term>nfs4:mode = [ simple | special ]</term>
> <listitem>
> <para>
>- Enable/Disable substitution of special IDs on GPFS. This parameter
>- should not affect the windows users in anyway. It only ensures that Samba
>- sets the special IDs - OWNER@ and GROUP@ ( mappings to simple uids )
>- that are relevant to GPFS.
>+ Controls substitution of special IDs (OWNER@ and GROUP@) on GPFS.
>+ The use of mode simple is recommended.
>+ In this mode only non inheriting ACL entries for the file owner
>+ and group are mapped to special IDs.
> </para>
>
> <para>The following MODEs are understood by the module:</para>
> <itemizedlist>
>- <listitem><para><command>simple(default)</command> - do not use special IDs in GPFS ACEs</para></listitem>
>- <listitem><para><command>special</command> - use special IDs in GPFS ACEs. </para> </listitem>
>+ <listitem><para><command>simple(default)</command> - use OWNER@ and GROUP@ special IDs for non inheriting ACEs only.</para></listitem>
>+ <listitem><para><command>special(deprecated)</command> - use OWNER@ and GROUP@ special IDs in ACEs for all file owner and group ACEs.</para></listitem>
> </itemizedlist>
> </listitem>
>
>--
>1.7.9.5
>
>From 7d6e6c180095d3c6fd4322996b45deebb9188853 Mon Sep 17 00:00:00 2001
>From: Alexander Werth <alexander.werth@de.ibm.com>
>Date: Fri, 14 Jun 2013 19:19:31 +0200
>Subject: s3: Remove old mode special substitution.
>
>The mode special substitution now happens in a separate function.
>---
> source3/modules/nfs4_acls.c | 17 ++---------------
> 1 file changed, 2 insertions(+), 15 deletions(-)
>
>diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
>index 91fd0d7..a9dfd2b 100644
>--- a/source3/modules/nfs4_acls.c
>+++ b/source3/modules/nfs4_acls.c
>@@ -771,13 +771,7 @@ static bool smbacl4_fill_ace4(
> sid_string_dbg(&sid)));
> return False;
> }
>-
>- if (params->mode==e_special && uid==ownerUID) {
>- ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
>- ace_v4->who.special_id = SMB_ACE4_WHO_OWNER;
>- } else {
>- ace_v4->who.uid = uid;
>- }
>+ ace_v4->who.uid = uid;
> } else { /* else group? - TODO check it... */
> if (!sid_to_gid(&sid, &gid)) {
> DEBUG(1, ("nfs4_acls.c: file [%s]: could not "
>@@ -785,15 +779,8 @@ static bool smbacl4_fill_ace4(
> sid_string_dbg(&sid)));
> return False;
> }
>-
> ace_v4->aceFlags |= SMB_ACE4_IDENTIFIER_GROUP;
>-
>- if (params->mode==e_special && gid==ownerGID) {
>- ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
>- ace_v4->who.special_id = SMB_ACE4_WHO_GROUP;
>- } else {
>- ace_v4->who.gid = gid;
>- }
>+ ace_v4->who.gid = gid;
> }
> }
>
>--
>1.7.9.5
>
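Review bot: With the `params->mode==e_special && uid==ownerUID` and `gid==ownerGID` branches removed, `ownerUID` and `ownerGID` are no longer referenced in either visible part of `smbacl4_fill_ace4`; if nothing else in the function reads them (it starts and ends outside the hunk) they are dead parameters now and should be dropped from the signature and from the call in `smbacl4_win2nfs4`, otherwise the compiler's unused-parameter warning will point here. `params` is still needed for the `params->mode!=e_special` checks added earlier in the series. Correctness of the special mode now depends on `smbacl4_substitute_special` running after every ACE has been added, which this code relies on silently; a one-line comment at `ace_v4->who.uid = uid;` such as `/* owner/group -> OWNER@/GROUP@ substitution happens later in smbacl4_substitute_*() */` records that ordering for the next reader.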