The branch, master has been updated via b722875 vfs_acl_xattr|tdb: enforced settings when ignore system acls=yes via cbe8f0d docs: document vfs_acl_xattr|tdb enforced settings from 0958010 ldb: Avoid multiple tiny allocations during full DB scan
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit b72287514cc78c9019db7385af4c9b9d94f60894 Author: Ralph Boehme <s...@samba.org> Date: Fri Aug 26 10:04:53 2016 +0200 vfs_acl_xattr|tdb: enforced settings when ignore system acls=yes When "ignore system acls" is set to "yes, we need to ensure filesystem permission always grant access so that when doing our own access checks we don't run into situations where we grant access but the filesystem doesn't. Bug: https://bugzilla.samba.org/show_bug.cgi?id=12181 Signed-off-by: Ralph Boehme <s...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> Autobuild-User(master): Ralph Böhme <s...@samba.org> Autobuild-Date(master): Wed Aug 31 18:41:20 CEST 2016 on sn-devel-144 commit cbe8f0d63b90e4380da35e9f9f5a05d8ccc2058b Author: Ralph Boehme <s...@samba.org> Date: Fri Aug 26 10:22:37 2016 +0200 docs: document vfs_acl_xattr|tdb enforced settings Bug: https://bugzilla.samba.org/show_bug.cgi?id=12181 Signed-off-by: Ralph Boehme <s...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> ----------------------------------------------------------------------- Summary of changes: docs-xml/manpages/vfs_acl_tdb.8.xml | 24 ++++++++++++++++++++++++ docs-xml/manpages/vfs_acl_xattr.8.xml | 24 ++++++++++++++++++++++++ source3/modules/vfs_acl_tdb.c | 21 +++++++++++++++++++++ source3/modules/vfs_acl_xattr.c | 21 +++++++++++++++++++++ source4/torture/vfs/acl_xattr.c | 4 ++-- 5 files changed, 92 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/docs-xml/manpages/vfs_acl_tdb.8.xml b/docs-xml/manpages/vfs_acl_tdb.8.xml index 607e344..2510f08 100644 --- a/docs-xml/manpages/vfs_acl_tdb.8.xml +++ b/docs-xml/manpages/vfs_acl_tdb.8.xml @@ -40,6 +40,15 @@ <filename>$LOCKDIR/file_ntacls.tdb</filename>. </para> + <para> + This module forces the following parameters: + <itemizedlist> + <listitem><para>inherit acls = true</para></listitem> + <listitem><para>dos filemode = true</para></listitem> + <listitem><para>force unknown acl user = true</para></listitem> + </itemizedlist> + </para> + <para>This module is stackable.</para> </refsect1> @@ -61,6 +70,21 @@ access the data via Samba you might set this to yes to achieve better NT ACL compatibility. </para> + + <para> + If <emphasis>acl_tdb:ignore system acls</emphasis> + is set to <emphasis>yes</emphasis>, the following + additional settings will be enforced: + <itemizedlist> + <listitem><para>create mask = 0666</para></listitem> + <listitem><para>directory mask = 0777</para></listitem> + <listitem><para>map archive = no</para></listitem> + <listitem><para>map hidden = no</para></listitem> + <listitem><para>map readonly = no</para></listitem> + <listitem><para>map system = no</para></listitem> + <listitem><para>store dos attributes = yes</para></listitem> + </itemizedlist> + </para> </listitem> </varlistentry> diff --git a/docs-xml/manpages/vfs_acl_xattr.8.xml b/docs-xml/manpages/vfs_acl_xattr.8.xml index 8da73e0..9d21290 100644 --- a/docs-xml/manpages/vfs_acl_xattr.8.xml +++ b/docs-xml/manpages/vfs_acl_xattr.8.xml @@ -44,6 +44,15 @@ </command>). </para> + <para> + This module forces the following parameters: + <itemizedlist> + <listitem><para>inherit acls = true</para></listitem> + <listitem><para>dos filemode = true</para></listitem> + <listitem><para>force unknown acl user = true</para></listitem> + </itemizedlist> + </para> + <para>This module is stackable.</para> </refsect1> @@ -65,6 +74,21 @@ access the data via Samba you might set this to yes to achieve better NT ACL compatibility. </para> + + <para> + If <emphasis>acl_xattr:ignore system acls</emphasis> + is set to <emphasis>yes</emphasis>, the following + additional settings will be enforced: + <itemizedlist> + <listitem><para>create mask = 0666</para></listitem> + <listitem><para>directory mask = 0777</para></listitem> + <listitem><para>map archive = no</para></listitem> + <listitem><para>map hidden = no</para></listitem> + <listitem><para>map readonly = no</para></listitem> + <listitem><para>map system = no</para></listitem> + <listitem><para>store dos attributes = yes</para></listitem> + </itemizedlist> + </para> </listitem> </varlistentry> diff --git a/source3/modules/vfs_acl_tdb.c b/source3/modules/vfs_acl_tdb.c index 0c92b72..174affe 100644 --- a/source3/modules/vfs_acl_tdb.c +++ b/source3/modules/vfs_acl_tdb.c @@ -309,6 +309,7 @@ static int connect_acl_tdb(struct vfs_handle_struct *handle, { int ret = SMB_VFS_NEXT_CONNECT(handle, service, user); bool ok; + struct acl_common_config *config = NULL; if (ret < 0) { return ret; @@ -336,6 +337,26 @@ static int connect_acl_tdb(struct vfs_handle_struct *handle, lp_do_parameter(SNUM(handle->conn), "dos filemode", "true"); lp_do_parameter(SNUM(handle->conn), "force unknown acl user", "true"); + SMB_VFS_HANDLE_GET_DATA(handle, config, + struct acl_common_config, + return -1); + + if (config->ignore_system_acls) { + DBG_NOTICE("setting 'create mask = 0666', " + "'directory mask = 0777', " + "'store dos attributes = yes' and all " + "'map ...' options to 'no'\n"); + + lp_do_parameter(SNUM(handle->conn), "create mask", "0666"); + lp_do_parameter(SNUM(handle->conn), "directory mask", "0777"); + lp_do_parameter(SNUM(handle->conn), "map archive", "no"); + lp_do_parameter(SNUM(handle->conn), "map hidden", "no"); + lp_do_parameter(SNUM(handle->conn), "map readonly", "no"); + lp_do_parameter(SNUM(handle->conn), "map system", "no"); + lp_do_parameter(SNUM(handle->conn), "store dos attributes", + "yes"); + } + return 0; } diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c index 307ab6a..e1f90ff 100644 --- a/source3/modules/vfs_acl_xattr.c +++ b/source3/modules/vfs_acl_xattr.c @@ -181,6 +181,7 @@ static int connect_acl_xattr(struct vfs_handle_struct *handle, { int ret = SMB_VFS_NEXT_CONNECT(handle, service, user); bool ok; + struct acl_common_config *config = NULL; if (ret < 0) { return ret; @@ -203,6 +204,26 @@ static int connect_acl_xattr(struct vfs_handle_struct *handle, lp_do_parameter(SNUM(handle->conn), "dos filemode", "true"); lp_do_parameter(SNUM(handle->conn), "force unknown acl user", "true"); + SMB_VFS_HANDLE_GET_DATA(handle, config, + struct acl_common_config, + return -1); + + if (config->ignore_system_acls) { + DBG_NOTICE("setting 'create mask = 0666', " + "'directory mask = 0777', " + "'store dos attributes = yes' and all " + "'map ...' options to 'no'\n"); + + lp_do_parameter(SNUM(handle->conn), "create mask", "0666"); + lp_do_parameter(SNUM(handle->conn), "directory mask", "0777"); + lp_do_parameter(SNUM(handle->conn), "map archive", "no"); + lp_do_parameter(SNUM(handle->conn), "map hidden", "no"); + lp_do_parameter(SNUM(handle->conn), "map readonly", "no"); + lp_do_parameter(SNUM(handle->conn), "map system", "no"); + lp_do_parameter(SNUM(handle->conn), "store dos attributes", + "yes"); + } + return 0; } diff --git a/source4/torture/vfs/acl_xattr.c b/source4/torture/vfs/acl_xattr.c index 7fd10d0..df4dd29 100644 --- a/source4/torture/vfs/acl_xattr.c +++ b/source4/torture/vfs/acl_xattr.c @@ -169,8 +169,8 @@ static bool test_default_acl_posix(struct torture_context *tctx, exp_sd = security_descriptor_dacl_create( tctx, 0, owner_sid, group_sid, owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_ALL, 0, - group_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE, 0, - SID_WORLD, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE, 0, + group_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, FILE_GENERIC_READ|FILE_GENERIC_WRITE|FILE_GENERIC_EXECUTE, 0, + SID_WORLD, SEC_ACE_TYPE_ACCESS_ALLOWED, FILE_GENERIC_READ|FILE_GENERIC_WRITE|FILE_GENERIC_EXECUTE, 0, SID_NT_SYSTEM, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_ALL, 0, NULL); -- Samba Shared Repository