From 182e4e18ce8af2f8fb693ac8f121ad6c4785b46a Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Wed, 20 Nov 2013 12:00:17 +0100
Subject: [PATCH 1/5] lib-util: add functions to get elapsed from given timespec structs

Signed-off-by: Volker Lendecke
Reviewed-by: Stefan Metzmacher
Reviewed-by: Jeremy Allison
---
 lib/util/time.c | 18 ++++++++++++++++++
 lib/util/time.h | 10 ++++++++++
 2 files changed, 28 insertions(+)

diff --git a/lib/util/time.c b/lib/util/time.c
index 56b2ec5..c583903 100644
--- a/lib/util/time.c
+++ b/lib/util/time.c
@@ -649,6 +649,24 @@ _PUBLIC_ double timeval_elapsed(const struct timeval *tv)
 struct timeval tv2 = timeval_current();
 return timeval_elapsed2(tv, &tv2);
 }
+/**
+ * return the number of seconds elapsed between two times
+ **/
+_PUBLIC_ double timespec_elapsed2(const struct timespec *ts1,
+ const struct timespec *ts2)
+{
+ return (ts2->tv_sec - ts1->tv_sec) +
+ (ts2->tv_nsec - ts1->tv_nsec)*1.0e-9;
+}
+
+/**
+ * return the number of seconds elapsed since a given time
+ */
+_PUBLIC_ double timespec_elapsed(const struct timespec *ts)
+{
+ struct timespec ts2 = timespec_current();
+ return timespec_elapsed2(ts, &ts2);
+}
 
 /**
 return the lesser of two timevals
diff --git a/lib/util/time.h b/lib/util/time.h
index 69ba783..b5302f8 100644
--- a/lib/util/time.h
+++ b/lib/util/time.h
@@ -247,6 +247,16 @@ double timeval_elapsed2(const struct timeval *tv1, const struct timeval *tv2);
 double timeval_elapsed(const struct timeval *tv);
 
 /**
+ return the number of seconds elapsed between two times
+*/
+double timespec_elapsed2(const struct timespec *ts1,
+ const struct timespec *ts2);
+/**
+ return the number of seconds elapsed since a given time
+*/
+double timespec_elapsed(const struct timespec *ts);
+
+/**
 return the lesser of two timevals
 */
 struct timeval timeval_min(const struct timeval *tv1,
-- 
1.8.3.2

From 87ffb60dfdb1cc27c64d5d1e6672e3024225c961 Mon Sep 17 00:00:00 2001
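Review bot: The two doc comments added to time.c are closed differently — `+ **/` after the timespec_elapsed2 header and `+ */` after the timespec_elapsed header — and the first added line `+/**` follows the context `}` of timeval_elapsed with no separating blank line, whereas the second function gets a `+` blank line before it; using `*/` for both and adding the blank line would match the surrounding file. The arithmetic itself mirrors timeval_elapsed2, with the nanosecond difference scaled by 1.0e-9 after the seconds difference, which is the right model to copy. The time.h hunk on the same page is consistent and needs nothing.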
From: Volker Lendecke
Date: Wed, 20 Nov 2013 12:09:47 +0100
Subject: [PATCH 2/5] s3-modules: add new vfs_worm module

VFS module to disallow writes for older files.

Signed-off-by: Volker Lendecke
Reviewed-by: Stefan Metzmacher
Reviewed-by: Jeremy Allison
(cherry picked from commit 2004317c09d781a4ec1275aaa4a29289e798eff3)
---
 source3/modules/vfs_worm.c | 97 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 97 insertions(+)
 create mode 100644 source3/modules/vfs_worm.c

diff --git a/source3/modules/vfs_worm.c b/source3/modules/vfs_worm.c
new file mode 100644
index 0000000..77a18ca
--- /dev/null
+++ b/source3/modules/vfs_worm.c
@@ -0,0 +1,97 @@
+/*
+ * VFS module to disallow writes for older files
+ *
+ * Copyright (C) 2013, Volker Lendecke
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see .
+ */
+
+#include "includes.h"
+#include "smbd/smbd.h"
+#include "system/filesys.h"
+#include "libcli/security/security.h"
+
+static NTSTATUS vfs_worm_create_file(vfs_handle_struct *handle,
+ struct smb_request *req,
+ uint16_t root_dir_fid,
+ struct smb_filename *smb_fname,
+ uint32_t access_mask,
+ uint32_t share_access,
+ uint32_t create_disposition,
+ uint32_t create_options,
+ uint32_t file_attributes,
+ uint32_t oplock_request,
+ uint64_t allocation_size,
+ uint32_t private_flags,
+ struct security_descriptor *sd,
+ struct ea_list *ea_list,
+ files_struct **result,
+ int *pinfo)
+{
+ bool readonly = false;
+ const uint32_t write_access_flags =
+ FILE_WRITE_DATA | FILE_APPEND_DATA |
+ FILE_WRITE_ATTRIBUTES | DELETE_ACCESS |
+ WRITE_DAC_ACCESS | WRITE_OWNER_ACCESS;
+ NTSTATUS status;
+
+ if (VALID_STAT(smb_fname->st)) {
+ double age;
+ age = timespec_elapsed(&smb_fname->st.st_ex_ctime);
+ if (age > lp_parm_int(SNUM(handle->conn), "worm",
+ "grace_period", 3600)) {
+ readonly = true;
+ }
+ }
+
+ if (readonly && (access_mask & write_access_flags)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ status = SMB_VFS_NEXT_CREATE_FILE(
+ handle, req, root_dir_fid, smb_fname, access_mask,
+ share_access, create_disposition, create_options,
+ file_attributes, oplock_request, allocation_size,
+ private_flags, sd, ea_list, result, pinfo);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ /*
+ * Access via MAXIMUM_ALLOWED_ACCESS?
+ */
+ if (readonly && ((*result)->access_mask & write_access_flags)) {
+ close_file(req, *result, NORMAL_CLOSE);
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ return NT_STATUS_OK;
+}
+
+static struct vfs_fn_pointers vfs_worm_fns = {
+ .create_file_fn = vfs_worm_create_file,
+};
+
+NTSTATUS vfs_worm_init(void);
+NTSTATUS vfs_worm_init(void)
+{
+ NTSTATUS ret;
+
+ ret = smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "worm",
+ &vfs_worm_fns);
+ if (!NT_STATUS_IS_OK(ret)) {
+ return ret;
+ }
+
+ return ret;
+}
-- 
1.8.3.2

From 9a4d7fe7135077ee0cf37dd791f16e27f8f23f41 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Wed, 20 Nov 2013 12:11:41 +0100
Subject: [PATCH 3/5] s3-waf: build new vfs_worm module

Signed-off-by: Volker Lendecke
Reviewed-by: Stefan Metzmacher
Reviewed-by: Jeremy Allison
(cherry picked from commit 5b127a6f6be78174c46973bf3d9630528710b199)
---
 source3/modules/wscript_build | 8 ++++++++
 source3/wscript | 1 +
 2 files changed, 9 insertions(+)

diff --git a/source3/modules/wscript_build b/source3/modules/wscript_build
index 469b2f3..ebec505 100644
--- a/source3/modules/wscript_build
+++ b/source3/modules/wscript_build
@@ -532,3 +532,11 @@ bld.SAMBA3_MODULE('vfs_glusterfs',
 internal_module=bld.SAMBA3_IS_STATIC_MODULE('vfs_glusterfs'),
 enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_glusterfs'),
 allow_undefined_symbols=False)
+
+bld.SAMBA3_MODULE('vfs_worm',
+ subsystem='vfs',
+ source='vfs_worm.c',
+ deps='samba-util',
+ init_function='',
+ internal_module=bld.SAMBA3_IS_STATIC_MODULE('vfs_worm'),
+ enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_worm'))
diff --git a/source3/wscript b/source3/wscript
index 271314d..b47849b 100644
--- a/source3/wscript
+++ b/source3/wscript
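Review bot: The pre-open check `if (readonly && (access_mask & write_access_flags))` looks only at access_mask while create_disposition is forwarded to SMB_VFS_NEXT_CREATE_FILE untouched, so an open of an aged file with FILE_OVERWRITE, FILE_OVERWRITE_IF or FILE_SUPERSEDE is not refused before the next layer runs; as far as I recall smbd honours those dispositions by truncating whenever the ACL permits writing, even when the requested mask carries no write bit, and the MAXIMUM_ALLOWED_ACCESS re-check sees the granted mask only after that has happened. Treating the destructive dispositions as writes in the pre-check closes that window (rewrite below). Since the module hooks only create_file_fn, a header comment stating which other VFS operations are assumed to pass through an open carrying one of the denied bits would document the protection boundary, and a one-line comment on why st_ex_ctime rather than st_ex_mtime drives the age would help the next reader, given that any metadata change refreshes ctime and so restarts the grace period. In vfs_worm_init the `if (!NT_STATUS_IS_OK(ret)) { return ret; }` followed by `return ret;` collapses to a single `return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "worm", &vfs_worm_fns);`.
```c
	/* … unchanged: write_access_flags and the st_ex_ctime age check … */

	/*
	 * An overwrite or supersede disposition can truncate the file even
	 * when access_mask carries no write bit, so refuse it on an aged
	 * file before the next VFS layer gets to act on it.
	 */
	if (readonly &&
	    ((access_mask & write_access_flags) ||
	     create_disposition == FILE_SUPERSEDE ||
	     create_disposition == FILE_OVERWRITE ||
	     create_disposition == FILE_OVERWRITE_IF)) {
		return NT_STATUS_ACCESS_DENIED;
	}

	/* … unchanged: SMB_VFS_NEXT_CREATE_FILE call and MAXIMUM_ALLOWED re-check … */
```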
@@ -1785,6 +1785,7 @@ main() { vfs_smb_traffic_analyzer vfs_preopen vfs_catia vfs_scannedonly vfs_media_harmony vfs_commit + vfs_worm vfs_crossrename vfs_linux_xfs_sgid vfs_time_audit idmap_autorid idmap_tdb2 idmap_rid idmap_hash idmap_rfc2307'''))
-- 
1.8.3.2

From 6aae211ac3f17aeb013cc15caa6b5f0ae5b7ab85 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?=
Date: Wed, 20 Nov 2013 13:00:04 +0100
Subject: [PATCH 4/5] docs-man: add manual page for the new worm vfs module
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Björn Baumbach
Reviewed-by: Stefan Metzmacher
Reviewed-by: Volker Lendecke
Reviewed-by: Jeremy Allison
(cherry picked from commit 8a1cda83fc0a63c20cc3212578ef9310cf7df12d)
---
 docs-xml/manpages/vfs_worm.8.xml | 93 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 93 insertions(+)
 create mode 100644 docs-xml/manpages/vfs_worm.8.xml

diff --git a/docs-xml/manpages/vfs_worm.8.xml b/docs-xml/manpages/vfs_worm.8.xml
new file mode 100644
index 0000000..9758cac
--- /dev/null
+++ b/docs-xml/manpages/vfs_worm.8.xml
@@ -0,0 +1,93 @@ + + + + + + vfs_worm + 8 + Samba + System Administration tools + 4.1 + + + + + vfs_worm + disallows writes for older file + + + + + vfs objects = worm + + + + + DESCRIPTION + + This VFS module is part of the + samba + 7 suite. + + The vfs_worm module controls the writability + of files and folders depending on their change time and a + adjustable grace period. + + If the change time of a file or directory is older than + the specified grace period, the write access will be denied, + independent of further access controls (e.g. by the filesystem). + + In the case that the grace period is not exceed, the worm + module will not impact any access controls. + + + + OPTIONS + + + + + worm:grace_period = SECONDS + + Period in seconds which defines the time how long the + write access should be handled by the normal access controls. + After this grace period the file or directory becomes read + only. + + + + + + + + EXAMPLES + + Deny the write access to files and folders, which are older + than five minutes (300 seconds): + + + + worm + 300 + + + + + + VERSION + + This man page is correct for version 4.2 of the Samba suite. + + + + + AUTHOR + + The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed. + + + + -- 1.8.3.2 From 62c1f9f43279cd95501f32e973bdbd8f62d65003 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= Date: Wed, 20 Nov 2013 14:24:21 +0100 Subject: [PATCH 5/5] waf docs: build the new vfs worm man page MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Björn Baumbach Reviewed-by: Stefan Metzmacher Reviewed-by: Volker Lendecke Reviewed-by: Jeremy Allison (cherry picked from commit 0275410e02d9c8fd8c728b1d7811a3dfc05ab4e4) --- docs-xml/wscript_build | 1 + 1 file changed, 1 insertion(+) 
diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build
index 9c6042f..a752758 100644
--- a/docs-xml/wscript_build
+++ b/docs-xml/wscript_build
@@ -80,6 +80,7 @@ manpages='''
 manpages/vfs_syncops.8
 manpages/vfs_time_audit.8
 manpages/vfs_tsmsm.8
+ manpages/vfs_worm.8
 manpages/vfs_xattr_tdb.8
 manpages/vfstest.1
 manpages/wbinfo.1
-- 
1.8.3.2