The Samba-Bugzilla – Attachment 9651 Details for Bug 10427: smbd 4.0/4.1 does not provide WORM functionality
[patch] proposed patch for 4.0, cherry-picked from master
worm_4.0.patches (text/plain), 11.83 KB, created by Björn Baumbach on 2014-02-07 10:39:20 UTC
>From 8b886b364282ab2cab3e8b0d0fce71a88100b56c Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Wed, 20 Nov 2013 12:00:17 +0100 >Subject: [PATCH 1/5] lib-util: add functions to get elapsed from given > timespec structs > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >--- > lib/util/time.c | 18 ++++++++++++++++++ > lib/util/time.h | 10 ++++++++++ > 2 files changed, 28 insertions(+) > >diff --git a/lib/util/time.c b/lib/util/time.c >index d5a429a..44d4eb7 100644 >--- a/lib/util/time.c >+++ b/lib/util/time.c >@@ -640,6 +640,24 @@ _PUBLIC_ double timeval_elapsed(const struct timeval *tv) > struct timeval tv2 = timeval_current(); > return timeval_elapsed2(tv, &tv2); > } >+/** >+ * return the number of seconds elapsed between two times >+ **/ >+_PUBLIC_ double timespec_elapsed2(const struct timespec *ts1, >+ const struct timespec *ts2) >+{ >+ return (ts2->tv_sec - ts1->tv_sec) + >+ (ts2->tv_nsec - ts1->tv_nsec)*1.0e-9; >+} >+ >+/** >+ * return the number of seconds elapsed since a given time >+ */ >+_PUBLIC_ double timespec_elapsed(const struct timespec *ts) >+{ >+ struct timespec ts2 = timespec_current(); >+ return timespec_elapsed2(ts, &ts2); >+} > > /** > return the lesser of two timevals >diff --git a/lib/util/time.h b/lib/util/time.h >index 69ba783..b5302f8 100644 >--- a/lib/util/time.h >+++ b/lib/util/time.h 
>@@ -247,6 +247,16 @@ double timeval_elapsed2(const struct timeval *tv1, const struct timeval *tv2); > double timeval_elapsed(const struct timeval *tv); > > /** >+ return the number of seconds elapsed between two times >+*/ >+double timespec_elapsed2(const struct timespec *ts1, >+ const struct timespec *ts2); >+/** >+ return the number of seconds elapsed since a given time >+*/ >+double timespec_elapsed(const struct timespec *ts); >+ >+/** > return the lesser of two timevals > */ > struct timeval timeval_min(const struct timeval *tv1, >-- >1.8.3.2 > > >From 09121cef6d0a65fe4cae35c557e5002ca357bdb1 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Wed, 20 Nov 2013 12:09:47 +0100 >Subject: [PATCH 2/5] s3-modules: add new vfs_worm module > >VFS module to disallow writes for older files. > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 2004317c09d781a4ec1275aaa4a29289e798eff3) >--- > source3/modules/vfs_worm.c | 97 ++++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 97 insertions(+) > create mode 100644 source3/modules/vfs_worm.c > >diff --git a/source3/modules/vfs_worm.c b/source3/modules/vfs_worm.c >new file mode 100644 >index 0000000..77a18ca >--- /dev/null >+++ b/source3/modules/vfs_worm.c 
>@@ -0,0 +1,97 @@ >+/* >+ * VFS module to disallow writes for older files >+ * >+ * Copyright (C) 2013, Volker Lendecke >+ * >+ * This program is free software; you can redistribute it and/or modify >+ * it under the terms of the GNU General Public License as published by >+ * the Free Software Foundation; either version 3 of the License, or >+ * (at your option) any later version. >+ * >+ * This program is distributed in the hope that it will be useful, >+ * but WITHOUT ANY WARRANTY; without even the implied warranty of >+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+ * GNU General Public License for more details. >+ * >+ * You should have received a copy of the GNU General Public License >+ * along with this program; if not, see <http://www.gnu.org/licenses/>. >+ */ >+ >+#include "includes.h" >+#include "smbd/smbd.h" >+#include "system/filesys.h" >+#include "libcli/security/security.h" >+ >+static NTSTATUS vfs_worm_create_file(vfs_handle_struct *handle, >+ struct smb_request *req, >+ uint16_t root_dir_fid, >+ struct smb_filename *smb_fname, >+ uint32_t access_mask, >+ uint32_t share_access, >+ uint32_t create_disposition, >+ uint32_t create_options, >+ uint32_t file_attributes, >+ uint32_t oplock_request, >+ uint64_t allocation_size, >+ uint32_t private_flags, >+ struct security_descriptor *sd, >+ struct ea_list *ea_list, >+ files_struct **result, >+ int *pinfo) >+{ >+ bool readonly = false; >+ const uint32_t write_access_flags = >+ FILE_WRITE_DATA | FILE_APPEND_DATA | >+ FILE_WRITE_ATTRIBUTES | DELETE_ACCESS | >+ WRITE_DAC_ACCESS | WRITE_OWNER_ACCESS; >+ NTSTATUS status; >+ >+ if (VALID_STAT(smb_fname->st)) { >+ double age; >+ age = timespec_elapsed(&smb_fname->st.st_ex_ctime); >+ if (age > lp_parm_int(SNUM(handle->conn), "worm", >+ "grace_period", 3600)) { >+ readonly = true; >+ } >+ } >+ >+ if (readonly && (access_mask & write_access_flags)) { >+ return NT_STATUS_ACCESS_DENIED; >+ } >+ >+ status = SMB_VFS_NEXT_CREATE_FILE( >+ handle, req, 
root_dir_fid, smb_fname, access_mask, >+ share_access, create_disposition, create_options, >+ file_attributes, oplock_request, allocation_size, >+ private_flags, sd, ea_list, result, pinfo); >+ if (!NT_STATUS_IS_OK(status)) { >+ return status; >+ } >+ >+ /* >+ * Access via MAXIMUM_ALLOWED_ACCESS? >+ */ >+ if (readonly && ((*result)->access_mask & write_access_flags)) { >+ close_file(req, *result, NORMAL_CLOSE); >+ return NT_STATUS_ACCESS_DENIED; >+ } >+ return NT_STATUS_OK; >+} >+ >+static struct vfs_fn_pointers vfs_worm_fns = { >+ .create_file_fn = vfs_worm_create_file, >+}; >+ >+NTSTATUS vfs_worm_init(void); >+NTSTATUS vfs_worm_init(void) >+{ >+ NTSTATUS ret; >+ >+ ret = smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "worm", >+ &vfs_worm_fns); >+ if (!NT_STATUS_IS_OK(ret)) { >+ return ret; >+ } >+ >+ return ret; >+} >-- >1.8.3.2 > > >From b3f51bb9d67e15f34e9c1782b4240410dd442748 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Wed, 20 Nov 2013 12:11:41 +0100 >Subject: [PATCH 3/5] s3-waf: build new vfs_worm module > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 5b127a6f6be78174c46973bf3d9630528710b199) >--- > source3/modules/wscript_build | 8 ++++++++ > source3/wscript | 1 + > 2 files changed, 9 insertions(+) > >diff --git a/source3/modules/wscript_build b/source3/modules/wscript_build >index 16ed276..c8e8b53 100644 >--- a/source3/modules/wscript_build >+++ b/source3/modules/wscript_build >@@ -497,3 +497,11 @@ bld.SAMBA3_MODULE('perfcount_test', > init_function='', > internal_module=bld.SAMBA3_IS_STATIC_MODULE('perfcount_test'), > enabled=bld.SAMBA3_IS_ENABLED_MODULE('perfcount_test')) >+ >+bld.SAMBA3_MODULE('vfs_worm', >+ subsystem='vfs', >+ source='vfs_worm.c', >+ deps='samba-util', >+ init_function='', >+ internal_module=bld.SAMBA3_IS_STATIC_MODULE('vfs_worm'), >+ enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_worm')) 
>diff --git a/source3/wscript b/source3/wscript >index 1a862d2..f459f40 100644 >--- a/source3/wscript >+++ b/source3/wscript >@@ -1721,6 +1721,7 @@ main() { > vfs_smb_traffic_analyzer vfs_preopen vfs_catia vfs_scannedonly > vfs_media_harmony > vfs_commit >+ vfs_worm > vfs_crossrename vfs_linux_xfs_sgid > vfs_time_audit idmap_autorid idmap_tdb2 > idmap_rid idmap_hash''')) >-- >1.8.3.2 > > >From 6e1645ece8ceee1294f829b4e0badc1ecb9a1475 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= <bb@sernet.de> >Date: Wed, 20 Nov 2013 13:00:04 +0100 >Subject: [PATCH 4/5] docs-man: add manual page for the new worm vfs module >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >Signed-off-by: Björn Baumbach <bb@sernet.de> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 8a1cda83fc0a63c20cc3212578ef9310cf7df12d) >--- > docs-xml/manpages/vfs_worm.8.xml | 93 ++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 93 insertions(+) > create mode 100644 docs-xml/manpages/vfs_worm.8.xml > >diff --git a/docs-xml/manpages/vfs_worm.8.xml b/docs-xml/manpages/vfs_worm.8.xml >new file mode 100644 >index 0000000..9758cac >--- /dev/null >+++ b/docs-xml/manpages/vfs_worm.8.xml 
>@@ -0,0 +1,93 @@ >+<?xml version="1.0" encoding="iso-8859-1"?> >+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc"> >+<refentry id="vfs_worm.8"> >+ >+<refmeta> >+ <refentrytitle>vfs_worm</refentrytitle> >+ <manvolnum>8</manvolnum> >+ <refmiscinfo class="source">Samba</refmiscinfo> >+ <refmiscinfo class="manual">System Administration tools</refmiscinfo> >+ <refmiscinfo class="version">4.1</refmiscinfo> >+</refmeta> >+ >+ >+<refnamediv> >+ <refname>vfs_worm</refname> >+ <refpurpose>disallows writes for older file</refpurpose> >+</refnamediv> >+ >+<refsynopsisdiv> >+ <cmdsynopsis> >+ <command>vfs objects = worm</command> >+ </cmdsynopsis> >+</refsynopsisdiv> >+ >+<refsect1> >+ <title>DESCRIPTION</title> >+ >+ <para>This VFS module is part of the >+ <citerefentry><refentrytitle>samba</refentrytitle> >+ <manvolnum>7</manvolnum></citerefentry> suite.</para> >+ >+ <para>The <command>vfs_worm</command> module controls the writability >+ of files and folders depending on their change time and a >+ adjustable grace period.</para> >+ >+ <para>If the change time of a file or directory is older than >+ the specified grace period, the write access will be denied, >+ independent of further access controls (e.g. by the filesystem).</para> >+ >+ <para>In the case that the grace period is not exceed, the worm >+ module will not impact any access controls.</para> >+</refsect1> >+ >+<refsect1> >+ <title>OPTIONS</title> >+ >+ <variablelist> >+ >+ <varlistentry> >+ <term>worm:grace_period = SECONDS</term> >+ <listitem> >+ <para>Period in seconds which defines the time how long the >+ write access should be handled by the normal access controls. 
>+ After this grace period the file or directory becomes read >+ only.</para> >+ </listitem> >+ </varlistentry> >+ >+ </variablelist> >+</refsect1> >+ >+<refsect1> >+ <title>EXAMPLES</title> >+ >+ <para>Deny the write access to files and folders, which are older >+ than five minutes (300 seconds):</para> >+ >+<programlisting> >+ <smbconfsection name="[wormshare]"/> >+ <smbconfoption name="vfs objects">worm</smbconfoption> >+ <smbconfoption name="worm:grace_period">300</smbconfoption> >+</programlisting> >+ >+</refsect1> >+ >+<refsect1> >+ <title>VERSION</title> >+ >+ <para>This man page is correct for version 4.2 of the Samba suite. >+ </para> >+</refsect1> >+ >+<refsect1> >+ <title>AUTHOR</title> >+ >+ <para>The original Samba software and related utilities >+ were created by Andrew Tridgell. Samba is now developed >+ by the Samba Team as an Open Source project similar >+ to the way the Linux kernel is developed.</para> >+ >+</refsect1> >+ >+</refentry> >-- >1.8.3.2 > > >From bd2129bf8c9950db261d80f44f9e45d557ad8a64 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= <bb@sernet.de> >Date: Wed, 20 Nov 2013 14:24:21 +0100 >Subject: [PATCH 5/5] waf docs: build the new vfs worm man page >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >Signed-off-by: Björn Baumbach <bb@sernet.de> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 0275410e02d9c8fd8c728b1d7811a3dfc05ab4e4) >--- > docs-xml/wscript_build | 1 + > 1 file changed, 1 insertion(+) > >diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build >index 25e381e..6f1cb5b 100644 >--- a/docs-xml/wscript_build >+++ b/docs-xml/wscript_build 
>@@ -76,6 +76,7 @@ manpages=''' > manpages/vfs_streams_xattr.8 > manpages/vfs_time_audit.8 > manpages/vfs_tsmsm.8 >+ manpages/vfs_worm.8 > manpages/vfs_xattr_tdb.8 > manpages/vfstest.1 > manpages/wbinfo.1 >-- >1.8.3.2 >
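Review bot: In lib/util/time.c, timespec_elapsed2() returns a negative value when ts2 is earlier than ts1, and timespec_elapsed() measures against timespec_current(), so a timestamp that lies in the future yields a negative elapsed time; the doc comments should say so, because a caller that compares the result against a threshold will treat such a timestamp as "not yet elapsed". Style: the new comment block starts directly after the closing brace of timeval_elapsed() with no blank line, and the two comments close differently (`**/` and `*/`).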
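Review bot: In source3/modules/vfs_worm.c, vfs_worm_create_file() bases the read-only decision only on access_mask (and afterwards on (*result)->access_mask), while create_disposition is passed to SMB_VFS_NEXT_CREATE_FILE unchecked; please confirm that opening an aged file with FILE_OVERWRITE, FILE_OVERWRITE_IF or FILE_SUPERSEDE and no write bits in access_mask cannot truncate it, or reject those dispositions when readonly is true. The MAXIMUM_ALLOWED check runs only after the open has completed, so close_file() there cannot undo anything the open itself already did. Further gaps: write_access_flags omits FILE_WRITE_EA and FILE_DELETE_CHILD although the man page in this series says directories are covered, and age is taken from st_ex_ctime, so anything on the server that updates ctime restarts the grace period and a ctime in the future gives a negative age that never exceeds grace_period. create_file_fn is the only hook in vfs_worm_fns, so a comment stating that every modifying operation is expected to pass through it would help. The if block in vfs_worm_init() is redundant, since both paths return ret.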
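Review bot: In docs-xml/manpages/vfs_worm.8.xml the version information disagrees with itself: refmiscinfo says 4.1, the VERSION section says 4.2, and this series is proposed for 4.0, so set both to the branch the page ships in. The worm:grace_period entry under OPTIONS does not state the default, which vfs_worm.c sets to 3600 seconds, and the EXAMPLES listing would be easier to adapt with a path line in the share. Wording: "a adjustable" should be "an adjustable", "is not exceed" should be "is not exceeded", and the refpurpose "disallows writes for older file" should read "older files".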
Flags: jra: review+, vl: review+, obnox: review+