The branch, master has been updated
       via  b722875 vfs_acl_xattr|tdb: enforced settings when ignore system 
acls=yes
       via  cbe8f0d docs: document vfs_acl_xattr|tdb enforced settings
      from  0958010 ldb: Avoid multiple tiny allocations during full DB scan

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit b72287514cc78c9019db7385af4c9b9d94f60894
Author: Ralph Boehme <s...@samba.org>
Date:   Fri Aug 26 10:04:53 2016 +0200

    vfs_acl_xattr|tdb: enforced settings when ignore system acls=yes
    
    When "ignore system acls" is set to "yes", we need to ensure filesystem
    permissions always grant access so that when doing our own access checks
    we don't run into situations where we grant access but the filesystem
    doesn't.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12181
    
    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    
    Autobuild-User(master): Ralph Böhme <s...@samba.org>
    Autobuild-Date(master): Wed Aug 31 18:41:20 CEST 2016 on sn-devel-144

commit cbe8f0d63b90e4380da35e9f9f5a05d8ccc2058b
Author: Ralph Boehme <s...@samba.org>
Date:   Fri Aug 26 10:22:37 2016 +0200

    docs: document vfs_acl_xattr|tdb enforced settings
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12181
    
    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/vfs_acl_tdb.8.xml   | 24 ++++++++++++++++++++++++
 docs-xml/manpages/vfs_acl_xattr.8.xml | 24 ++++++++++++++++++++++++
 source3/modules/vfs_acl_tdb.c         | 21 +++++++++++++++++++++
 source3/modules/vfs_acl_xattr.c       | 21 +++++++++++++++++++++
 source4/torture/vfs/acl_xattr.c       |  4 ++--
 5 files changed, 92 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/vfs_acl_tdb.8.xml 
b/docs-xml/manpages/vfs_acl_tdb.8.xml
index 607e344..2510f08 100644
--- a/docs-xml/manpages/vfs_acl_tdb.8.xml
+++ b/docs-xml/manpages/vfs_acl_tdb.8.xml
@@ -40,6 +40,15 @@
        <filename>$LOCKDIR/file_ntacls.tdb</filename>.
        </para>
 
+       <para>
+       This module forces the following parameters:
+       <itemizedlist>
+       <listitem><para>inherit acls = true</para></listitem>
+       <listitem><para>dos filemode = true</para></listitem>
+       <listitem><para>force unknown acl user = true</para></listitem>
+       </itemizedlist>
+       </para>
+
        <para>This module is stackable.</para>
 </refsect1>
 
@@ -61,6 +70,21 @@
                access the data via Samba you might set this to yes to achieve
                better NT ACL compatibility.
                </para>
+
+               <para>
+               If <emphasis>acl_tdb:ignore system acls</emphasis>
+               is set to <emphasis>yes</emphasis>, the following
+               additional settings will be enforced:
+               <itemizedlist>
+               <listitem><para>create mask = 0666</para></listitem>
+               <listitem><para>directory mask = 0777</para></listitem>
+               <listitem><para>map archive = no</para></listitem>
+               <listitem><para>map hidden = no</para></listitem>
+               <listitem><para>map readonly = no</para></listitem>
+               <listitem><para>map system = no</para></listitem>
+               <listitem><para>store dos attributes = yes</para></listitem>
+               </itemizedlist>
+               </para>
                </listitem>
                </varlistentry>
 
diff --git a/docs-xml/manpages/vfs_acl_xattr.8.xml 
b/docs-xml/manpages/vfs_acl_xattr.8.xml
index 8da73e0..9d21290 100644
--- a/docs-xml/manpages/vfs_acl_xattr.8.xml
+++ b/docs-xml/manpages/vfs_acl_xattr.8.xml
@@ -44,6 +44,15 @@
        </command>).
        </para>
 
+       <para>
+       This module forces the following parameters:
+       <itemizedlist>
+       <listitem><para>inherit acls = true</para></listitem>
+       <listitem><para>dos filemode = true</para></listitem>
+       <listitem><para>force unknown acl user = true</para></listitem>
+       </itemizedlist>
+       </para>
+
        <para>This module is stackable.</para>
 </refsect1>
 
@@ -65,6 +74,21 @@
                access the data via Samba you might set this to yes to achieve
                better NT ACL compatibility.
                </para>
+
+               <para>
+               If <emphasis>acl_xattr:ignore system acls</emphasis>
+               is set to <emphasis>yes</emphasis>, the following
+               additional settings will be enforced:
+               <itemizedlist>
+               <listitem><para>create mask = 0666</para></listitem>
+               <listitem><para>directory mask = 0777</para></listitem>
+               <listitem><para>map archive = no</para></listitem>
+               <listitem><para>map hidden = no</para></listitem>
+               <listitem><para>map readonly = no</para></listitem>
+               <listitem><para>map system = no</para></listitem>
+               <listitem><para>store dos attributes = yes</para></listitem>
+               </itemizedlist>
+               </para>
                </listitem>
                </varlistentry>
 
diff --git a/source3/modules/vfs_acl_tdb.c b/source3/modules/vfs_acl_tdb.c
index 0c92b72..174affe 100644
--- a/source3/modules/vfs_acl_tdb.c
+++ b/source3/modules/vfs_acl_tdb.c
@@ -309,6 +309,7 @@ static int connect_acl_tdb(struct vfs_handle_struct *handle,
 {
        int ret = SMB_VFS_NEXT_CONNECT(handle, service, user);
        bool ok;
+       struct acl_common_config *config = NULL;
 
        if (ret < 0) {
                return ret;
@@ -336,6 +337,26 @@ static int connect_acl_tdb(struct vfs_handle_struct 
*handle,
        lp_do_parameter(SNUM(handle->conn), "dos filemode", "true");
        lp_do_parameter(SNUM(handle->conn), "force unknown acl user", "true");
 
+       SMB_VFS_HANDLE_GET_DATA(handle, config,
+                               struct acl_common_config,
+                               return -1);
+
+       if (config->ignore_system_acls) {
+               DBG_NOTICE("setting 'create mask = 0666', "
+                          "'directory mask = 0777', "
+                          "'store dos attributes = yes' and all "
+                          "'map ...' options to 'no'\n");
+
+               lp_do_parameter(SNUM(handle->conn), "create mask", "0666");
+               lp_do_parameter(SNUM(handle->conn), "directory mask", "0777");
+               lp_do_parameter(SNUM(handle->conn), "map archive", "no");
+               lp_do_parameter(SNUM(handle->conn), "map hidden", "no");
+               lp_do_parameter(SNUM(handle->conn), "map readonly", "no");
+               lp_do_parameter(SNUM(handle->conn), "map system", "no");
+               lp_do_parameter(SNUM(handle->conn), "store dos attributes",
+                               "yes");
+       }
+
        return 0;
 }
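Review bot: The seven `lp_do_parameter()` calls added under `if (config->ignore_system_acls)` discard their return value, so if one override fails the connection carries on with the module's own access checks while the on-disk mode bits can still deny access, which is the mismatch the commit message sets out to prevent. `bool ok` is already declared at the top of connect_acl_tdb(), so each call could be checked and the connect failed, e.g. `ok = lp_do_parameter(SNUM(handle->conn), "create mask", "0666");` followed by `if (!ok) { return -1; }`. It is also worth confirming how the forced masks behave on a share that sets `inherit permissions = yes`, which as far as I know takes precedence over `create mask` and `directory mask`. The same block is added to connect_acl_xattr() in source3/modules/vfs_acl_xattr.c, and the function body starts outside this hunk.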
 
diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c
index 307ab6a..e1f90ff 100644
--- a/source3/modules/vfs_acl_xattr.c
+++ b/source3/modules/vfs_acl_xattr.c
@@ -181,6 +181,7 @@ static int connect_acl_xattr(struct vfs_handle_struct 
*handle,
 {
        int ret = SMB_VFS_NEXT_CONNECT(handle, service, user);
        bool ok;
+       struct acl_common_config *config = NULL;
 
        if (ret < 0) {
                return ret;
@@ -203,6 +204,26 @@ static int connect_acl_xattr(struct vfs_handle_struct 
*handle,
         lp_do_parameter(SNUM(handle->conn), "dos filemode", "true");
         lp_do_parameter(SNUM(handle->conn), "force unknown acl user", "true");
 
+       SMB_VFS_HANDLE_GET_DATA(handle, config,
+                               struct acl_common_config,
+                               return -1);
+
+       if (config->ignore_system_acls) {
+               DBG_NOTICE("setting 'create mask = 0666', "
+                          "'directory mask = 0777', "
+                          "'store dos attributes = yes' and all "
+                          "'map ...' options to 'no'\n");
+
+               lp_do_parameter(SNUM(handle->conn), "create mask", "0666");
+               lp_do_parameter(SNUM(handle->conn), "directory mask", "0777");
+               lp_do_parameter(SNUM(handle->conn), "map archive", "no");
+               lp_do_parameter(SNUM(handle->conn), "map hidden", "no");
+               lp_do_parameter(SNUM(handle->conn), "map readonly", "no");
+               lp_do_parameter(SNUM(handle->conn), "map system", "no");
+               lp_do_parameter(SNUM(handle->conn), "store dos attributes",
+                               "yes");
+       }
+
        return 0;
 }
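Review bot: Forcing `create mask = 0666` and `directory mask = 0777` stops the mode bits from restricting new files and directories, so with `ignore system acls` the stored NT ACL becomes the only access control and only smbd enforces it. The block in connect_acl_xattr() announces this solely through `DBG_NOTICE`, which I believe is not printed at the default log level. An administrator whose explicit `create mask` is replaced should be able to see that, so consider a more prominent level such as `DBG_WARNING`. A comment above the block would also help, e.g. `/* NT ACL is authoritative here: mode bits are opened up, so the share path must not be reachable by other local users or protocols */`. The identical block in connect_acl_tdb() would take the same change, and the function body starts outside this hunk.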
 
diff --git a/source4/torture/vfs/acl_xattr.c b/source4/torture/vfs/acl_xattr.c
index 7fd10d0..df4dd29 100644
--- a/source4/torture/vfs/acl_xattr.c
+++ b/source4/torture/vfs/acl_xattr.c
@@ -169,8 +169,8 @@ static bool test_default_acl_posix(struct torture_context 
*tctx,
        exp_sd = security_descriptor_dacl_create(
                tctx, 0, owner_sid, group_sid,
                owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_ALL, 0,
-               group_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_READ | 
SEC_FILE_EXECUTE, 0,
-               SID_WORLD, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_READ | 
SEC_FILE_EXECUTE, 0,
+               group_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, 
FILE_GENERIC_READ|FILE_GENERIC_WRITE|FILE_GENERIC_EXECUTE, 0,
+               SID_WORLD, SEC_ACE_TYPE_ACCESS_ALLOWED, 
FILE_GENERIC_READ|FILE_GENERIC_WRITE|FILE_GENERIC_EXECUTE, 0,
                SID_NT_SYSTEM, SEC_ACE_TYPE_ACCESS_ALLOWED, 
SEC_RIGHTS_FILE_ALL, 0,
                NULL);
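Review bot: The new expectation for `group_sid` and `SID_WORLD` is written as `FILE_GENERIC_READ|FILE_GENERIC_WRITE|FILE_GENERIC_EXECUTE`, while the neighbouring owner and `SID_NT_SYSTEM` entries keep `SEC_RIGHTS_FILE_ALL`, and nothing in the test says why group and world are now expected to have write access. A short comment above the call would tie the expectation to the enforced settings, e.g. `/* with ignore system acls the module forces permissive masks, so group and world get rwx */`, assuming that is indeed the reason. If the `SEC_RIGHTS_FILE_*` family has matching constants, using one family for all four entries would keep them comparable. test_default_acl_posix() starts before and continues after this hunk.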
 


-- 
Samba Shared Repository
