The branch, v4-5-test has been updated
       via  d58fb55 s3-spoolss: fix _spoolss_GetPrinterDataEx by moving the keyname lengthcheck.
       via  3989032 s4-torture: test GetPrinterData with server handle and 0 keylength.
       via  2419d59 idmap_script: add missing "IDTOSID" argument to the script command line.
       via  3987f0e vfs_acl_xattr|tdb: enforced settings when ignore system acls=yes
       via  1f1d54c docs: document vfs_acl_xattr|tdb enforced settings
       via  0069137 vfs_acl_common: use DBG_LEVEL and remove function prefixes in DEBUG statements
       via  2aa1aea s4/torture: tests for vfs_acl_xattr default ACL styles
       via  54e6a40 vfs_acl_common: Windows style default ACL
       via  497e828 vfs_acl_xattr|tdb: add option to control default ACL style
       via  7c657fc vfs_acl_common: check for ignore_system_acls before fetching filesystem ACL
       via  694c5d0 vfs_acl_common: move stat stuff to a helper function
       via  eabd4f8 vfs_acl_tdb|xattr: use a config handle
       via  a48d106 vfs_acl_common: move the ACL blob validation to a helper function
       via  8a8c2ce vfs_acl_common: simplify ACL logic, cleanup and talloc hierarchy
       via  a2fb0fb vfs_acl_common: remove redundant NULL assignment
       via  abbc4be vfs_acl_common: rename pdesc_next to psd_fs
       via  32f3f7b vfs_acl_common: rename psd to psd_blob in get_nt_acl_internal()
       via  8a02f97 Revert "vfs_acl_xattr: objects without NT ACL xattr"
       via  64e1f55 s3/rpc_server: shared rpc modules directory may not exist
       via  1349c67 gensec/spnego: work around missing server mechListMIC in SMB servers
      from  73e24ec Merge tag 'samba-4.5.0rc3' into v4-5-test
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-test

- Log -----------------------------------------------------------------
commit d58fb556d9ac778dfe45e109d1d843f6f0254bdb
Author: Günther Deschner <g...@samba.org>
Date:   Thu Sep 1 19:55:40 2016 +0200

    s3-spoolss: fix _spoolss_GetPrinterDataEx by moving the keyname lengthcheck.

    Guenther

    Signed-off-by: Guenther Deschner <g...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

    Autobuild-User(master): Günther Deschner <g...@samba.org>
    Autobuild-Date(master): Wed Sep 7 03:00:14 CEST 2016 on sn-devel-144

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12245

    (cherry picked from commit d8b57e3828eac084ad302a90b33c35ff4e918e5a)

    Autobuild-User(v4-5-test): Karolin Seeger <ksee...@samba.org>
    Autobuild-Date(v4-5-test): Wed Sep 7 16:26:48 CEST 2016 on sn-devel-144

commit 398903202574284f810e954341a05e9bd4916c72
Author: Günther Deschner <g...@samba.org>
Date:   Thu Sep 1 19:54:46 2016 +0200

    s4-torture: test GetPrinterData with server handle and 0 keylength.

    This is what e.g. Windows 10 does a lot.

    Guenther

    Signed-off-by: Guenther Deschner <g...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12245

    (cherry picked from commit 518b2a3f5f3a4814e96546505487b775b5dbca40)

commit 2419d59be9d76aa96375c5dd0eb55d7b59bbdb31
Author: Björn Baumbach <b...@sernet.de>
Date:   Fri Aug 26 17:16:51 2016 +0200

    idmap_script: add missing "IDTOSID" argument to the script command line.

    According to the documentation the commands should look like
    "IDTOSID UID xxxx" instead of "UID xxxx".

    This fixes changes of commit b4239ca096738f553b0f9d7fa6aaa4219b72ef7f:
    idmap_script: Parallelize script calls

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12194
    Signed-off-by: Björn Baumbach <b...@sernet.de>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>

    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Tue Sep 6 19:32:57 CEST 2016 on sn-devel-144

    (cherry picked from commit 4f654acad01dbb1b17e933a855bb53ea6a7bb34d)

commit 3987f0e35905d89e7e690566054328b0d3f16bb3
Author: Ralph Boehme <s...@samba.org>
Date:   Fri Aug 26 10:04:53 2016 +0200

    vfs_acl_xattr|tdb: enforced settings when ignore system acls=yes

    When "ignore system acls" is set to "yes", we need to ensure filesystem
    permissions always grant access so that when doing our own access checks
    we don't run into situations where we grant access but the filesystem
    doesn't.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12181

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

    Autobuild-User(master): Ralph Böhme <s...@samba.org>
    Autobuild-Date(master): Wed Aug 31 18:41:20 CEST 2016 on sn-devel-144

    (cherry picked from commit b72287514cc78c9019db7385af4c9b9d94f60894)

commit 1f1d54c49fc459eba9f49b6b1e588914ff08d815
Author: Ralph Boehme <s...@samba.org>
Date:   Fri Aug 26 10:22:37 2016 +0200

    docs: document vfs_acl_xattr|tdb enforced settings

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12181

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit cbe8f0d63b90e4380da35e9f9f5a05d8ccc2058b)

commit 006913794f1ca7185574b031fc6f67e026de27b6
Author: Ralph Boehme <s...@samba.org>
Date:   Sat Aug 27 10:11:14 2016 +0200

    vfs_acl_common: use DBG_LEVEL and remove function prefixes in DEBUG statements

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12177
    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 11dddd59aa01195152199443bc26e3141f162c8f)

commit 2aa1aeacf8cd09f5cf529fd81d31bab48beb3f4a
Author: Ralph Boehme <s...@samba.org>
Date:   Thu Aug 25 16:30:24 2016 +0200

    s4/torture: tests for vfs_acl_xattr default ACL styles

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12177

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 946b93d0e3f6f23fa2325d7aaba4dc6f4cc17cb6)

commit 54e6a40b116dc4e83781372bfb5784f7974ae9b9
Author: Ralph Boehme <s...@samba.org>
Date:   Thu Aug 25 07:45:34 2016 +0200

    vfs_acl_common: Windows style default ACL

    Reintroduce Windows style default ACL, but this time as an optional
    feature, not changing default behaviour.

    Original bugreport that got reverted because it changed the default
    behaviour: https://bugzilla.samba.org/show_bug.cgi?id=12028

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12177

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 0730cb7e1ce33dbc5fc48a7363204c1220400c68)

commit 497e828e7b783d38e96893106c74883989d108b1
Author: Ralph Boehme <s...@samba.org>
Date:   Wed Aug 24 20:31:00 2016 +0200

    vfs_acl_xattr|tdb: add option to control default ACL style

    Existing behaviour is "posix" style. Next commit will (re)add the
    "windows" style. This commit doesn't change behaviour in any way.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12177
    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 26a9867ae1a9c69659252ce03c280c7c18a6c58f)

commit 7c657fcebe71dde1a7cf228f252e08c59eca2130
Author: Ralph Boehme <s...@samba.org>
Date:   Wed Aug 24 10:43:47 2016 +0200

    vfs_acl_common: check for ignore_system_acls before fetching filesystem ACL

    If ignore_system_acls is set and we're synthesizing a default ACL, we
    were fetching the filesystem ACL just to free it again. This change
    avoids this.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12177

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit f46179ef7310959af095b0ea6234df7523d15457)

commit 694c5d0fe41021f19d526a3c22bd3b295b9654b9
Author: Ralph Boehme <s...@samba.org>
Date:   Wed Aug 24 10:30:15 2016 +0200

    vfs_acl_common: move stat stuff to a helper function

    Will be reused in the next commit when moving the
    make_default_filesystem_acl() stuff to a different place.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12177

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 10959698e20de381beec7ab532c8bdc32fa6401c)

commit eabd4f8a738e02e2dd61ef63852a3b82cf9d9047
Author: Ralph Boehme <s...@samba.org>
Date:   Wed Aug 24 10:01:17 2016 +0200

    vfs_acl_tdb|xattr: use a config handle

    Better for performance and a subsequent commit will add one more option
    where this will pay off.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12177

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 61c3d2124fb1a180fae4c8c0b5ab5b32bd56c8ad)

commit a48d106a5870c237f5da3cdb3c6f335ff9a3ca02
Author: Ralph Boehme <s...@samba.org>
Date:   Tue Aug 23 22:32:57 2016 +0200

    vfs_acl_common: move the ACL blob validation to a helper function

    No change in behaviour.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12177
    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 0de5a128cee90694979d074c2590ddbca0071e82)

commit 8a8c2ce61c3d70a6f858b9f4cd268b21b45edf19
Author: Ralph Boehme <s...@samba.org>
Date:   Tue Aug 23 17:07:20 2016 +0200

    vfs_acl_common: simplify ACL logic, cleanup and talloc hierarchy

    No change in behaviour (hopefully! :-). This paves the way for moving
    the ACL blob validation to a helper function in the next commit.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12177

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 335527c647331148927feea2a7ae2f2c88986bc6)

commit a2fb0fb611f519ad2106a1e1e9c4adc618cd5abe
Author: Ralph Boehme <s...@samba.org>
Date:   Tue Aug 23 13:14:50 2016 +0200

    vfs_acl_common: remove redundant NULL assignment

    The variables are already set to NULL by TALLOC_FREE.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12177

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit e6f1254a00a6bf85b8d95bfbafef7d3e39ce1dde)

commit abbc4be4b1256ed6f08dabfea63f6abfc72829fa
Author: Ralph Boehme <s...@samba.org>
Date:   Tue Aug 23 13:11:24 2016 +0200

    vfs_acl_common: rename pdesc_next to psd_fs

    In most realistic cases the "next" VFS op will return the permissions
    from the filesystem. This rename makes it explicit where the SD is
    originating from. No change in behaviour.

    This just paves the way for a later change that will simplify the whole
    logic and talloc hierarchy.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12177
    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 9f79084f166208820f586c8e43e1e315d32cd5ce)

commit 32f3f7b01d3b611f90d3c5fcf9874058a004099f
Author: Ralph Boehme <s...@samba.org>
Date:   Tue Aug 23 13:08:12 2016 +0200

    vfs_acl_common: rename psd to psd_blob in get_nt_acl_internal()

    This makes it explicit where the SD is originating from. No change in
    behaviour.

    This just paves the way for a later change that will simplify the whole
    logic and talloc hierarchy, therefore this also strictly renames the
    occurrences after the out label.

    Logically, behind the out label, we're dealing with a variable that
    points to what we're going to return, so the name psd_blob is
    misleading, but I'm desperately trying to avoid logic changes in this
    commit and therefore I'm just strictly renaming.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12177

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 2367eea928593f12f8914f7e7ba613b1b15516de)

commit 8a02f974fc1ab701b879707dc1f97d3588b460c4
Author: Ralph Boehme <s...@samba.org>
Date:   Wed Aug 24 10:04:24 2016 +0200

    Revert "vfs_acl_xattr: objects without NT ACL xattr"

    This reverts commit 961c4b591bb102751079d9cc92d7aa1c37f1958c.

    Subsequent commits will add the same functionality as an optional
    feature.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12177

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 590b80490c00587b5a4035856891e10defb654f6)

commit 64e1f55b7768402b9276e9b5bc239a1cc831fef7
Author: Ralph Boehme <s...@samba.org>
Date:   Sat Aug 27 17:56:56 2016 +0200

    s3/rpc_server: shared rpc modules directory may not exist

    A shared rpc modules directory may not exist if all RPC modules are
    built static.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12184
    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 58889e04bd545d7420d1193e134351bd0ccb8430)

commit 1349c67a75e5fda9a63b9ffed1932a68f99990f5
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Sep 1 08:08:23 2016 +0200

    gensec/spnego: work around missing server mechListMIC in SMB servers

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11994

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Christian Ambach <a...@samba.org>

    Autobuild-User(master): Christian Ambach <a...@samba.org>
    Autobuild-Date(master): Fri Sep 2 18:10:44 CEST 2016 on sn-devel-144

    (cherry picked from commit 9b45ba5cd53bd513eb777590815a0b8408af64e2)

-----------------------------------------------------------------------

Summary of changes:
 auth/gensec/spnego.c                        |   69 ++-
 docs-xml/manpages/vfs_acl_tdb.8.xml         |   49 ++
 docs-xml/manpages/vfs_acl_xattr.8.xml       |   49 ++
 selftest/target/Samba3.pm                   |    8 +
 source3/modules/vfs_acl_common.c            |  729 ++++++++++++++++++----------
 source3/modules/vfs_acl_tdb.c               |   28 ++
 source3/modules/vfs_acl_xattr.c             |   28 ++
 source3/rpc_server/rpc_service_setup.c      |   12 +-
 source3/rpc_server/spoolss/srv_spoolss_nt.c |   12 +-
 source3/selftest/tests.py                   |    4 +-
 source3/winbindd/idmap_script.c             |    2 +-
 source4/torture/rpc/spoolss.c               |   22 +-
 source4/torture/vfs/acl_xattr.c             |  314 ++++++++++++
 source4/torture/vfs/vfs.c                   |    1 +
 source4/torture/wscript_build               |    2 +-
 15 files changed, 1058 insertions(+), 271 deletions(-)
 create mode 100644 source4/torture/vfs/acl_xattr.c

Changeset truncated at 500 lines:

diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c index ef30ab7..5f5047a 100644 --- a/auth/gensec/spnego.c +++ b/auth/gensec/spnego.c @@ -55,9 +55,11 @@ struct spnego_state { DATA_BLOB mech_types; size_t num_targs; + bool downgraded; bool mic_requested; bool needs_mic_sign; bool needs_mic_check; + bool may_skip_mic_check; bool done_mic_check; bool simulate_w2k; 
@@ -434,6 +436,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_ * Indicate the downgrade and request a * mic. */ + spnego_state->downgraded = true; spnego_state->mic_requested = true; break; } @@ -1078,7 +1081,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n", gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid), gensec_get_name_by_oid(gensec_security, spnego.negTokenTarg.supportedMech))); - + spnego_state->downgraded = true; spnego_state->no_response_expected = false; talloc_free(spnego_state->sub_sec_security); nt_status = gensec_subcontext_start(spnego_state, @@ -1135,6 +1138,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA return NT_STATUS_INVALID_PARAMETER; } + if (spnego.negTokenTarg.mechListMIC.length == 0 + && spnego_state->may_skip_mic_check) { + /* + * In this case we don't require + * a mechListMIC from the server. + * + * This works around bugs in the Azure + * and Apple spnego implementations. + * + * See + * https://bugzilla.samba.org/show_bug.cgi?id=11994 + */ + spnego_state->needs_mic_check = false; + nt_status = NT_STATUS_OK; + goto client_response; + } + nt_status = gensec_check_packet(spnego_state->sub_sec_security, spnego_state->mech_types.data, spnego_state->mech_types.length, 
@@ -1190,9 +1210,56 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA */ new_spnego = false; } + break; case SPNEGO_ACCEPT_INCOMPLETE: + if (spnego.negTokenTarg.mechListMIC.length > 0) { + new_spnego = true; + break; + } + + if (spnego_state->downgraded) { + /* + * A downgrade should be protected if + * supported + */ + break; + } + + /* + * The caller may just asked for + * GENSEC_FEATURE_SESSION_KEY, this + * is only reflected in the want_features. + * + * As it will imply + * gensec_have_features(GENSEC_FEATURE_SIGN) + * to return true. + */ + if (gensec_security->want_features & GENSEC_FEATURE_SIGN) { + break; + } + if (gensec_security->want_features & GENSEC_FEATURE_SEAL) { + break; + } + /* + * Here we're sure our preferred mech was + * selected by the server and our caller doesn't + * need GENSEC_FEATURE_SIGN nor + * GENSEC_FEATURE_SEAL support. + * + * In this case we don't require + * a mechListMIC from the server. + * + * This works around bugs in the Azure + * and Apple spnego implementations. + * + * See + * https://bugzilla.samba.org/show_bug.cgi?id=11994 + */ + spnego_state->may_skip_mic_check = true; + break; + case SPNEGO_REQUEST_MIC: if (spnego.negTokenTarg.mechListMIC.length > 0) { new_spnego = true; diff --git a/docs-xml/manpages/vfs_acl_tdb.8.xml b/docs-xml/manpages/vfs_acl_tdb.8.xml index 724776d..5ac6510 100644 --- a/docs-xml/manpages/vfs_acl_tdb.8.xml +++ b/docs-xml/manpages/vfs_acl_tdb.8.xml @@ -40,6 +40,15 @@ <filename>$LOCKDIR/file_ntacls.tdb</filename>. </para> + <para> + This module forces the following parameters: + <itemizedlist> + <listitem><para>inherit acls = true</para></listitem> + <listitem><para>dos filemode = true</para></listitem> + <listitem><para>force unknown acl user = true</para></listitem> + </itemizedlist> + </para> + <para>This module is stackable.</para> </refsect1> 
@@ -61,6 +70,46 @@ access the data via Samba you might set this to yes to achieve better NT ACL compatibility. </para> + + <para> + If <emphasis>acl_tdb:ignore system acls</emphasis> + is set to <emphasis>yes</emphasis>, the following + additional settings will be enforced: + <itemizedlist> + <listitem><para>create mask = 0666</para></listitem> + <listitem><para>directory mask = 0777</para></listitem> + <listitem><para>map archive = no</para></listitem> + <listitem><para>map hidden = no</para></listitem> + <listitem><para>map readonly = no</para></listitem> + <listitem><para>map system = no</para></listitem> + <listitem><para>store dos attributes = yes</para></listitem> + </itemizedlist> + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>acl_tdb:default acl style = [posix|windows]</term> + <listitem> + <para> + This parameter determines the type of ACL that is synthesized in + case a file or directory lacks an + <emphasis>security.NTACL</emphasis> xattr. + </para> + <para> + When set to <emphasis>posix</emphasis>, an ACL will be + synthesized based on the POSIX mode permissions for user, group + and others, with an additional ACE for <emphasis>NT + Authority\SYSTEM</emphasis> will full rights. + </para> + <para> + When set to <emphasis>windows</emphasis>, an ACL is synthesized + the same way Windows does it, only including permissions for the + owner and <emphasis>NT Authority\SYSTEM</emphasis>. + </para> + <para> + The default for this option is <emphasis>posix</emphasis>. + </para> </listitem> </varlistentry> </variablelist> diff --git a/docs-xml/manpages/vfs_acl_xattr.8.xml b/docs-xml/manpages/vfs_acl_xattr.8.xml index 5a972a9..60837fc 100644 --- a/docs-xml/manpages/vfs_acl_xattr.8.xml +++ b/docs-xml/manpages/vfs_acl_xattr.8.xml 
@@ -44,6 +44,15 @@ </command>). </para> + <para> + This module forces the following parameters: + <itemizedlist> + <listitem><para>inherit acls = true</para></listitem> + <listitem><para>dos filemode = true</para></listitem> + <listitem><para>force unknown acl user = true</para></listitem> + </itemizedlist> + </para> + <para>This module is stackable.</para> </refsect1> @@ -65,6 +74,46 @@ access the data via Samba you might set this to yes to achieve better NT ACL compatibility. </para> + + <para> + If <emphasis>acl_xattr:ignore system acls</emphasis> + is set to <emphasis>yes</emphasis>, the following + additional settings will be enforced: + <itemizedlist> + <listitem><para>create mask = 0666</para></listitem> + <listitem><para>directory mask = 0777</para></listitem> + <listitem><para>map archive = no</para></listitem> + <listitem><para>map hidden = no</para></listitem> + <listitem><para>map readonly = no</para></listitem> + <listitem><para>map system = no</para></listitem> + <listitem><para>store dos attributes = yes</para></listitem> + </itemizedlist> + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>acl_xattr:default acl style = [posix|windows]</term> + <listitem> + <para> + This parameter determines the type of ACL that is synthesized in + case a file or directory lacks an + <emphasis>security.NTACL</emphasis> xattr. + </para> + <para> + When set to <emphasis>posix</emphasis>, an ACL will be + synthesized based on the POSIX mode permissions for user, group + and others, with an additional ACE for <emphasis>NT + Authority\SYSTEM</emphasis> will full rights. + </para> + <para> + When set to <emphasis>windows</emphasis>, an ACL is synthesized + the same way Windows does it, only including permissions for the + owner and <emphasis>NT Authority\SYSTEM</emphasis>. + </para> + <para> + The default for this option is <emphasis>posix</emphasis>. + </para> </listitem> </varlistentry> </variablelist> 
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 27036b5..eb1e083 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -1783,6 +1783,14 @@ sub provision($$$$$$$$) vfs objects = acl_xattr fake_acls xattr_tdb fake_dfq inherit owner = yes include = $dfqconffile +[acl_xattr_ign_sysacl_posix] + copy = tmp + acl_xattr:ignore system acls = yes + acl_xattr:default acl style = posix +[acl_xattr_ign_sysacl_windows] + copy = tmp + acl_xattr:ignore system acls = yes + acl_xattr:default acl style = windows "; close(CONF); diff --git a/source3/modules/vfs_acl_common.c b/source3/modules/vfs_acl_common.c index 2fda938e..870e6da 100644 --- a/source3/modules/vfs_acl_common.c +++ b/source3/modules/vfs_acl_common.c @@ -46,6 +46,47 @@ static NTSTATUS store_acl_blob_fsp(vfs_handle_struct *handle, SECINFO_DACL | \ SECINFO_SACL) +enum default_acl_style {DEFAULT_ACL_POSIX, DEFAULT_ACL_WINDOWS}; + +static const struct enum_list default_acl_style[] = { + {DEFAULT_ACL_POSIX, "posix"}, + {DEFAULT_ACL_WINDOWS, "windows"} +}; + +struct acl_common_config { + bool ignore_system_acls; + enum default_acl_style default_acl_style; +}; + +static bool init_acl_common_config(vfs_handle_struct *handle) +{ + struct acl_common_config *config = NULL; + + config = talloc_zero(handle->conn, struct acl_common_config); + if (config == NULL) { + DBG_ERR("talloc_zero() failed\n"); + errno = ENOMEM; + return false; + } + + config->ignore_system_acls = lp_parm_bool(SNUM(handle->conn), + ACL_MODULE_NAME, + "ignore system acls", + false); + config->default_acl_style = lp_parm_enum(SNUM(handle->conn), + ACL_MODULE_NAME, + "default acl style", + default_acl_style, + DEFAULT_ACL_POSIX); + + SMB_VFS_HANDLE_SET_DATA(handle, config, NULL, + struct acl_common_config, + return false); + + return true; +} + + /******************************************************************* Hash a security descriptor. *******************************************************************/ 
@@ -103,8 +144,8 @@ static NTSTATUS parse_acl_blob(const DATA_BLOB *pblob, (ndr_pull_flags_fn_t)ndr_pull_xattr_NTACL); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - DEBUG(5, ("parse_acl_blob: ndr_pull_xattr_NTACL failed: %s\n", - ndr_errstr(ndr_err))); + DBG_INFO("ndr_pull_xattr_NTACL failed: %s\n", + ndr_errstr(ndr_err)); TALLOC_FREE(frame); return ndr_map_error2ntstatus(ndr_err); } @@ -200,8 +241,8 @@ static NTSTATUS create_acl_blob(const struct security_descriptor *psd, (ndr_push_flags_fn_t)ndr_push_xattr_NTACL); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - DEBUG(5, ("create_acl_blob: ndr_push_xattr_NTACL failed: %s\n", - ndr_errstr(ndr_err))); + DBG_INFO("ndr_push_xattr_NTACL failed: %s\n", + ndr_errstr(ndr_err)); return ndr_map_error2ntstatus(ndr_err); } @@ -246,8 +287,8 @@ static NTSTATUS create_sys_acl_blob(const struct security_descriptor *psd, (ndr_push_flags_fn_t)ndr_push_xattr_NTACL); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - DEBUG(5, ("create_acl_blob: ndr_push_xattr_NTACL failed: %s\n", - ndr_errstr(ndr_err))); + DBG_INFO("ndr_push_xattr_NTACL failed: %s\n", + ndr_errstr(ndr_err)); return ndr_map_error2ntstatus(ndr_err); } @@ -304,10 +345,7 @@ static NTSTATUS add_directory_inheritable_components(vfs_handle_struct *handle, mode = dir_mode | file_mode; - DEBUG(10, ("add_directory_inheritable_components: directory %s, " - "mode = 0%o\n", - name, - (unsigned int)mode )); + DBG_DEBUG("directory %s, mode = 0%o\n", name, (unsigned int)mode); if (num_aces) { memcpy(new_ace_list, psd->dacl->aces, @@ -359,10 +397,10 @@ static NTSTATUS add_directory_inheritable_components(vfs_handle_struct *handle, return NT_STATUS_OK; } -static NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx, - const char *name, - SMB_STRUCT_STAT *psbuf, - struct security_descriptor **ppdesc) +static NTSTATUS make_default_acl_posix(TALLOC_CTX *ctx, + const char *name, + SMB_STRUCT_STAT *psbuf, + struct security_descriptor **ppdesc) { struct dom_sid owner_sid, group_sid; size_t size = 0; 
@@ -372,17 +410,18 @@ static NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx, struct security_acl *new_dacl = NULL; int idx = 0; - DEBUG(10,("make_default_filesystem_acl: file %s mode = 0%o\n", - name, (int)mode )); + DBG_DEBUG("file %s mode = 0%o\n",name, (int)mode); uid_to_sid(&owner_sid, psbuf->st_ex_uid); gid_to_sid(&group_sid, psbuf->st_ex_gid); /* - * We provide 2 ACEs: - * - Owner - * - NT System - */ + We provide up to 4 ACEs + - Owner + - Group + - Everyone + - NT System + */ if (mode & S_IRUSR) { if (mode & S_IWUSR) { @@ -402,6 +441,39 @@ static NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx, 0); idx++; + access_mask = 0; + if (mode & S_IRGRP) { + access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE; + } + if (mode & S_IWGRP) { + /* note that delete is not granted - this matches posix behaviour */ + access_mask |= SEC_RIGHTS_FILE_WRITE; + } + if (access_mask) { + init_sec_ace(&aces[idx], + &group_sid, + SEC_ACE_TYPE_ACCESS_ALLOWED, + access_mask, + 0); + idx++; + } + + access_mask = 0; + if (mode & S_IROTH) { + access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE; + } + if (mode & S_IWOTH) { + access_mask |= SEC_RIGHTS_FILE_WRITE; + } + if (access_mask) { + init_sec_ace(&aces[idx], + &global_sid_World, + SEC_ACE_TYPE_ACCESS_ALLOWED, + access_mask, + 0); + idx++; + } + init_sec_ace(&aces[idx], &global_sid_System, SEC_ACE_TYPE_ACCESS_ALLOWED, 
@@ -432,20 +504,131 @@ static NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx, return NT_STATUS_OK; } -/******************************************************************* - Pull a DATA_BLOB from an xattr given a pathname. - If the hash doesn't match, or doesn't exist - return the underlying - filesystem sd. -*******************************************************************/ +static NTSTATUS make_default_acl_windows(TALLOC_CTX *ctx, + const char *name, + SMB_STRUCT_STAT *psbuf, + struct security_descriptor **ppdesc) +{ + struct dom_sid owner_sid, group_sid; + size_t size = 0; + struct security_ace aces[4]; + uint32_t access_mask = 0; + mode_t mode = psbuf->st_ex_mode; + struct security_acl *new_dacl = NULL; + int idx = 0; -static NTSTATUS get_nt_acl_internal(vfs_handle_struct *handle, - files_struct *fsp, - const struct smb_filename *smb_fname_in, - uint32_t security_info, - TALLOC_CTX *mem_ctx, - struct security_descriptor **ppdesc) + DBG_DEBUG("file [%s] mode [0%o]\n", name, (int)mode); + + uid_to_sid(&owner_sid, psbuf->st_ex_uid); + gid_to_sid(&group_sid, psbuf->st_ex_gid); + + /* + * We provide 2 ACEs: + * - Owner + * - NT System + */ + + if (mode & S_IRUSR) { + if (mode & S_IWUSR) { + access_mask |= SEC_RIGHTS_FILE_ALL; + } else { + access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE; + } + } + if (mode & S_IWUSR) { + access_mask |= SEC_RIGHTS_FILE_WRITE | SEC_STD_DELETE; + } + + init_sec_ace(&aces[idx], + &owner_sid, + SEC_ACE_TYPE_ACCESS_ALLOWED, + access_mask, + 0); + idx++; -- Samba Shared Repository
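Review bot: The new early exit in gensec_spnego_update (hunk @@ -1135,6 +1138,23 @@ of auth/gensec/spnego.c) drops the mechListMIC verification without writing anything to the log. Skipping an integrity check on the mechanism negotiation is something an administrator should be able to see afterwards, so a DEBUG line just before `goto client_response;` would help. The condition also relies on may_skip_mic_check alone; the visible hunks only ever set that flag to true and never clear it, so also testing `!spnego_state->downgraded` at this point would keep the skip from applying if a downgrade is recorded after the flag was set. The in-code comment says "In this case" without naming the case; a pointer to the SPNEGO_ACCEPT_INCOMPLETE branch that sets the flag would make it self-contained.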
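Review bot: The added `break;` ahead of `case SPNEGO_ACCEPT_INCOMPLETE:` (hunk @@ -1190,9 +1210,56 @@ of auth/gensec/spnego.c) ends a fall-through. Before this change the preceding case ran on into the shared `if (spnego.negTokenTarg.mechListMIC.length > 0)` test under SPNEGO_REQUEST_MIC, and now it does not. The commit message gives only the subject line and a bug reference, so this behaviour change is undocumented; please state in the message or in a comment that it is intended. In the same hunk the comment beginning "The caller may just asked for GENSEC_FEATURE_SESSION_KEY" is hard to parse and should say plainly why want_features is tested rather than gensec_have_features().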
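Review bot: Two typos in the new "default acl style" paragraphs of docs-xml/manpages/vfs_acl_tdb.8.xml (hunk @@ -61,6 +70,46 @@), repeated verbatim in vfs_acl_xattr.8.xml (hunk @@ -65,6 +74,46 @@): "lacks an security.NTACL xattr" should read "lacks a", and "will full rights" should read "with full rights". The list of settings enforced under "ignore system acls = yes" would also benefit from one sentence giving the reason stated in the commit message of 3987f0e (filesystem permissions have to always grant access because the module does its own access checks), so that readers understand why these values are overridden.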
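Review bot: In init_acl_common_config (hunk @@ -46,6 +46,47 @@ of source3/modules/vfs_acl_common.c) the result of lp_parm_enum() is stored in config->default_acl_style without being checked, so whatever it yields for an unrecognised "default acl style" string ends up in the config. Please validate the result against DEFAULT_ACL_POSIX and DEFAULT_ACL_WINDOWS and fail with a DBG_ERR otherwise. Please also check whether lp_parm_enum() expects the enum_list table to end with a sentinel entry, since default_acl_style[] holds only the two real entries. Minor: the enum tag, the table and the struct member are all named default_acl_style, which is legal C but makes the lp_parm_enum() call hard to read; renaming the table would help.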
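Review bot: make_default_acl_posix can now write four entries into aces[] (owner, group, Everyone, NT System), but the declaration of aces[] lies outside the context of hunks @@ -372,17 +410,18 @@ and @@ -402,6 +441,39 @@ of source3/modules/vfs_acl_common.c. Please confirm the array holds at least four elements. The rewritten comment block also drops the leading " * " on each line, unlike the block kept in make_default_acl_windows, and `DBG_DEBUG("file %s mode = 0%o\n",name, (int)mode);` is missing a space after the first comma.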
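Review bot: make_default_acl_windows (hunk @@ -432,20 +504,131 @@ of source3/modules/vfs_acl_common.c) adds the owner ACE unconditionally, so an owner with neither S_IRUSR nor S_IWUSR gets an ALLOW entry with access_mask 0, whereas the group and Everyone blocks added to make_default_acl_posix skip empty masks with `if (access_mask)`. Either guard it the same way or say in a comment that the empty ACE is wanted. The function declares `aces[4]` while its comment promises two ACEs, and group_sid is filled in by gid_to_sid() but not used in the lines shown (the changeset is truncated here, so this may be resolved further down). The owner-mask computation appears to duplicate the one in make_default_acl_posix and could live in a shared helper.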