Attachment 9651 Details for Bug 10427 – proposed patch for 4.0, cherry-picked from master

[patch] proposed patch for 4.0, cherry-picked from master

worm_4.0.patches (text/plain), 11.83 KB, created by Björn Baumbach on 2014-02-07 10:39:20 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Björn Baumbach

Created: 2014-02-07 10:39:20 UTC

Size: 11.83 KB

patch

obsolete

>From 8b886b364282ab2cab3e8b0d0fce71a88100b56c Mon Sep 17 00:00:00 2001
>From: Volker Lendecke <vl@samba.org>
>Date: Wed, 20 Nov 2013 12:00:17 +0100
>Subject: [PATCH 1/5] lib-util: add functions to get elapsed from given
> timespec structs
>
>Signed-off-by: Volker Lendecke <vl@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>---
> lib/util/time.c | 18 ++++++++++++++++++
> lib/util/time.h | 10 ++++++++++
> 2 files changed, 28 insertions(+)
>
>diff --git a/lib/util/time.c b/lib/util/time.c
>index d5a429a..44d4eb7 100644
>--- a/lib/util/time.c
>+++ b/lib/util/time.c
>@@ -640,6 +640,24 @@ _PUBLIC_ double timeval_elapsed(const struct timeval *tv)
> 	struct timeval tv2 = timeval_current();
> 	return timeval_elapsed2(tv, &tv2);
> }
>+/**
>+ *   return the number of seconds elapsed between two times
>+ **/
>+_PUBLIC_ double timespec_elapsed2(const struct timespec *ts1,
>+				const struct timespec *ts2)
>+{
>+	return (ts2->tv_sec - ts1->tv_sec) +
>+	       (ts2->tv_nsec - ts1->tv_nsec)*1.0e-9;
>+}
>+
>+/**
>+ *   return the number of seconds elapsed since a given time
>+ */
>+_PUBLIC_ double timespec_elapsed(const struct timespec *ts)
>+{
>+	struct timespec ts2 = timespec_current();
>+	return timespec_elapsed2(ts, &ts2);
>+}
> 
> /**
>   return the lesser of two timevals
>diff --git a/lib/util/time.h b/lib/util/time.h
>index 69ba783..b5302f8 100644
>--- a/lib/util/time.h
>+++ b/lib/util/time.h
>@@ -247,6 +247,16 @@ double timeval_elapsed2(const struct timeval *tv1, const struct timeval *tv2);
> double timeval_elapsed(const struct timeval *tv);
> 
> /**
>+  return the number of seconds elapsed between two times
>+*/
>+double timespec_elapsed2(const struct timespec *ts1,
>+			 const struct timespec *ts2);
>+/**
>+  return the number of seconds elapsed since a given time
>+*/
>+double timespec_elapsed(const struct timespec *ts);
>+
>+/**
>   return the lesser of two timevals
> */
> struct timeval timeval_min(const struct timeval *tv1,
>-- 
>1.8.3.2
>
>
>From 09121cef6d0a65fe4cae35c557e5002ca357bdb1 Mon Sep 17 00:00:00 2001
>From: Volker Lendecke <vl@samba.org>
>Date: Wed, 20 Nov 2013 12:09:47 +0100
>Subject: [PATCH 2/5] s3-modules: add new vfs_worm module
>
>VFS module to disallow writes for older files.
>
>Signed-off-by: Volker Lendecke <vl@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>(cherry picked from commit 2004317c09d781a4ec1275aaa4a29289e798eff3)
>---
> source3/modules/vfs_worm.c | 97 ++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 97 insertions(+)
> create mode 100644 source3/modules/vfs_worm.c
>
>diff --git a/source3/modules/vfs_worm.c b/source3/modules/vfs_worm.c
>new file mode 100644
>index 0000000..77a18ca
>--- /dev/null
>+++ b/source3/modules/vfs_worm.c
>@@ -0,0 +1,97 @@
>+/*
>+ * VFS module to disallow writes for older files
>+ *
>+ * Copyright (C) 2013, Volker Lendecke
>+ *
>+ * This program is free software; you can redistribute it and/or modify
>+ * it under the terms of the GNU General Public License as published by
>+ * the Free Software Foundation; either version 3 of the License, or
>+ * (at your option) any later version.
>+ *
>+ * This program is distributed in the hope that it will be useful,
>+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
>+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>+ * GNU General Public License for more details.
>+ *
>+ * You should have received a copy of the GNU General Public License
>+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
>+ */
>+
>+#include "includes.h"
>+#include "smbd/smbd.h"
>+#include "system/filesys.h"
>+#include "libcli/security/security.h"
>+
>+static NTSTATUS vfs_worm_create_file(vfs_handle_struct *handle,
>+				     struct smb_request *req,
>+				     uint16_t root_dir_fid,
>+				     struct smb_filename *smb_fname,
>+				     uint32_t access_mask,
>+				     uint32_t share_access,
>+				     uint32_t create_disposition,
>+				     uint32_t create_options,
>+				     uint32_t file_attributes,
>+				     uint32_t oplock_request,
>+				     uint64_t allocation_size,
>+				     uint32_t private_flags,
>+				     struct security_descriptor *sd,
>+				     struct ea_list *ea_list,
>+				     files_struct **result,
>+				     int *pinfo)
>+{
>+	bool readonly = false;
>+	const uint32_t write_access_flags =
>+		FILE_WRITE_DATA | FILE_APPEND_DATA |
>+		FILE_WRITE_ATTRIBUTES | DELETE_ACCESS |
>+		WRITE_DAC_ACCESS | WRITE_OWNER_ACCESS;
>+	NTSTATUS status;
>+
>+	if (VALID_STAT(smb_fname->st)) {
>+		double age;
>+		age = timespec_elapsed(&smb_fname->st.st_ex_ctime);
>+		if (age > lp_parm_int(SNUM(handle->conn), "worm",
>+				      "grace_period", 3600)) {
>+			readonly = true;
>+		}
>+	}
>+
>+	if (readonly && (access_mask & write_access_flags)) {
>+		return NT_STATUS_ACCESS_DENIED;
>+	}
>+
>+	status = SMB_VFS_NEXT_CREATE_FILE(
>+		handle, req, root_dir_fid, smb_fname, access_mask,
>+		share_access, create_disposition, create_options,
>+		file_attributes, oplock_request, allocation_size,
>+		private_flags, sd, ea_list, result, pinfo);
>+	if (!NT_STATUS_IS_OK(status)) {
>+		return status;
>+	}
>+
>+	/*
>+	 * Access via MAXIMUM_ALLOWED_ACCESS?
>+	 */
>+	if (readonly && ((*result)->access_mask & write_access_flags)) {
>+		close_file(req, *result, NORMAL_CLOSE);
>+		return NT_STATUS_ACCESS_DENIED;
>+	}
>+	return NT_STATUS_OK;
>+}
>+
>+static struct vfs_fn_pointers vfs_worm_fns = {
>+	.create_file_fn = vfs_worm_create_file,
>+};
>+
>+NTSTATUS vfs_worm_init(void);
>+NTSTATUS vfs_worm_init(void)
>+{
>+	NTSTATUS ret;
>+
>+	ret = smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "worm",
>+			       &vfs_worm_fns);
>+	if (!NT_STATUS_IS_OK(ret)) {
>+		return ret;
>+	}
>+
>+	return ret;
>+}
>-- 
>1.8.3.2
>
>
>From b3f51bb9d67e15f34e9c1782b4240410dd442748 Mon Sep 17 00:00:00 2001
>From: Volker Lendecke <vl@samba.org>
>Date: Wed, 20 Nov 2013 12:11:41 +0100
>Subject: [PATCH 3/5] s3-waf: build new vfs_worm module
>
>Signed-off-by: Volker Lendecke <vl@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>(cherry picked from commit 5b127a6f6be78174c46973bf3d9630528710b199)
>---
> source3/modules/wscript_build | 8 ++++++++
> source3/wscript               | 1 +
> 2 files changed, 9 insertions(+)
>
>diff --git a/source3/modules/wscript_build b/source3/modules/wscript_build
>index 16ed276..c8e8b53 100644
>--- a/source3/modules/wscript_build
>+++ b/source3/modules/wscript_build
>@@ -497,3 +497,11 @@ bld.SAMBA3_MODULE('perfcount_test',
>                  init_function='',
>                  internal_module=bld.SAMBA3_IS_STATIC_MODULE('perfcount_test'),
>                  enabled=bld.SAMBA3_IS_ENABLED_MODULE('perfcount_test'))
>+
>+bld.SAMBA3_MODULE('vfs_worm',
>+                  subsystem='vfs',
>+                  source='vfs_worm.c',
>+                  deps='samba-util',
>+                  init_function='',
>+                  internal_module=bld.SAMBA3_IS_STATIC_MODULE('vfs_worm'),
>+                  enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_worm'))
>diff --git a/source3/wscript b/source3/wscript
>index 1a862d2..f459f40 100644
>--- a/source3/wscript
>+++ b/source3/wscript
>@@ -1721,6 +1721,7 @@ main() {
>                                       vfs_smb_traffic_analyzer vfs_preopen vfs_catia vfs_scannedonly
> 				      vfs_media_harmony
> 				      vfs_commit
>+				      vfs_worm
>                                       vfs_crossrename vfs_linux_xfs_sgid
>                                       vfs_time_audit idmap_autorid idmap_tdb2
>                                       idmap_rid idmap_hash'''))
>-- 
>1.8.3.2
>
>
>From 6e1645ece8ceee1294f829b4e0badc1ecb9a1475 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= <bb@sernet.de>
>Date: Wed, 20 Nov 2013 13:00:04 +0100
>Subject: [PATCH 4/5] docs-man: add manual page for the new worm vfs module
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Signed-off-by: BjÃ¶rn Baumbach <bb@sernet.de>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Volker Lendecke <vl@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>(cherry picked from commit 8a1cda83fc0a63c20cc3212578ef9310cf7df12d)
>---
> docs-xml/manpages/vfs_worm.8.xml | 93 ++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 93 insertions(+)
> create mode 100644 docs-xml/manpages/vfs_worm.8.xml
>
>diff --git a/docs-xml/manpages/vfs_worm.8.xml b/docs-xml/manpages/vfs_worm.8.xml
>new file mode 100644
>index 0000000..9758cac
>--- /dev/null
>+++ b/docs-xml/manpages/vfs_worm.8.xml
>@@ -0,0 +1,93 @@
>+<?xml version="1.0" encoding="iso-8859-1"?>
>+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
>+<refentry id="vfs_worm.8">
>+
>+<refmeta>
>+	<refentrytitle>vfs_worm</refentrytitle>
>+	<manvolnum>8</manvolnum>
>+	<refmiscinfo class="source">Samba</refmiscinfo>
>+	<refmiscinfo class="manual">System Administration tools</refmiscinfo>
>+	<refmiscinfo class="version">4.1</refmiscinfo>
>+</refmeta>
>+
>+
>+<refnamediv>
>+	<refname>vfs_worm</refname>
>+	<refpurpose>disallows writes for older file</refpurpose>
>+</refnamediv>
>+
>+<refsynopsisdiv>
>+	<cmdsynopsis>
>+		<command>vfs objects = worm</command>
>+	</cmdsynopsis>
>+</refsynopsisdiv>
>+
>+<refsect1>
>+	<title>DESCRIPTION</title>
>+
>+	<para>This VFS module is part of the
>+	<citerefentry><refentrytitle>samba</refentrytitle>
>+	<manvolnum>7</manvolnum></citerefentry> suite.</para>
>+
>+	<para>The <command>vfs_worm</command> module controls the writability
>+	of files and folders depending on their change time and a
>+	adjustable grace period.</para>
>+
>+	<para>If the change time of a file or directory is older than
>+	the specified grace period, the write access will be denied,
>+	independent of further access controls (e.g. by the filesystem).</para>
>+
>+	<para>In the case that the grace period is not exceed, the worm
>+	module will not impact any access controls.</para>
>+</refsect1>
>+
>+<refsect1>
>+	<title>OPTIONS</title>
>+
>+	<variablelist>
>+
>+		<varlistentry>
>+		<term>worm:grace_period = SECONDS</term>
>+		<listitem>
>+		<para>Period in seconds which defines the time how long the
>+		write access should be handled by the normal access controls.
>+		After this grace period the file or directory becomes read
>+		only.</para>
>+		</listitem>
>+		</varlistentry>
>+
>+	</variablelist>
>+</refsect1>
>+
>+<refsect1>
>+	<title>EXAMPLES</title>
>+
>+	<para>Deny the write access to files and folders, which are older
>+	than five minutes (300 seconds):</para>
>+
>+<programlisting>
>+	<smbconfsection name="[wormshare]"/>
>+	<smbconfoption name="vfs objects">worm</smbconfoption>
>+	<smbconfoption name="worm:grace_period">300</smbconfoption>
>+</programlisting>
>+
>+</refsect1>
>+
>+<refsect1>
>+	<title>VERSION</title>
>+
>+	<para>This man page is correct for version 4.2 of the Samba suite.
>+	</para>
>+</refsect1>
>+
>+<refsect1>
>+	<title>AUTHOR</title>
>+
>+	<para>The original Samba software and related utilities
>+	were created by Andrew Tridgell. Samba is now developed
>+	by the Samba Team as an Open Source project similar
>+	to the way the Linux kernel is developed.</para>
>+
>+</refsect1>
>+
>+</refentry>
>-- 
>1.8.3.2
>
>
>From bd2129bf8c9950db261d80f44f9e45d557ad8a64 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= <bb@sernet.de>
>Date: Wed, 20 Nov 2013 14:24:21 +0100
>Subject: [PATCH 5/5] waf docs: build the new vfs worm man page
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Signed-off-by: BjÃ¶rn Baumbach <bb@sernet.de>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Volker Lendecke <vl@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>(cherry picked from commit 0275410e02d9c8fd8c728b1d7811a3dfc05ab4e4)
>---
> docs-xml/wscript_build | 1 +
> 1 file changed, 1 insertion(+)
>
>diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build
>index 25e381e..6f1cb5b 100644
>--- a/docs-xml/wscript_build
>+++ b/docs-xml/wscript_build
>@@ -76,6 +76,7 @@ manpages='''
>          manpages/vfs_streams_xattr.8
>          manpages/vfs_time_audit.8
>          manpages/vfs_tsmsm.8
>+         manpages/vfs_worm.8
>          manpages/vfs_xattr_tdb.8
>          manpages/vfstest.1
>          manpages/wbinfo.1
>-- 
>1.8.3.2
>

Flags:

jra: review+
vl: review+
obnox: review+

Actions: View

Attachments on bug 10427: 9651 | 9652