The branch, master has been updated
       via  a073799ded5 nfs4_acls: Use fsp stat buffer in smb_fget_nt_acl_nfs4
       via  d28b55198a8 WHATSNEW: Document change of default for nfs4:acedup parameter
       via  f466f4d3e84 docs: Update vfs_gpfs manpage for the new default of nfs4:acedup
       via  f81191d51bb nfs4_acls: Change default of nfs4:acedup to "merge"
       via  4aac7d37278 docs: Update manpages for deprecated nfs4:acedup settings
       via  b52b5de76a8 nfs4_acls: Mark nfs4:acedup ignore and reject as deprecated
       via  ab4e91d24df docs: Update nfs4:mode example for vfs_zfs
       via  de4a11589f1 nfs4_acls: Update copyright header
       via  728de597409 nfs4_acls: Add warning for deprecated setting nfs4:mode special
       via  54a0b1ca664 nfs4_acls: Use C99 initializer instead of ZERO_STRUCTP for params struct
       via  3a71d619a93 nfs4_acls: Change type of smbacl4_substitute_simple to void
       via  8f3ebad2e84 nfs4_acls: Remove unused SMB_ACLTYPE_ defines
       via  c1770ed96fd vfs_gpfs: Implement special case for denying owner access to ACL
       via  fbf3a090a9e vfs_gpfs: Move mapping from generic NFSv ACL to GPFS ACL to separate function
       via  8bd79ecc373 docs: Remove gpfs:merge_writeappend from vfs_gpfs manpage
       via  0aca678fcf1 vfs_gpfs: Remove merge_writeappend parameter
       via  86f7af84f04 nfs4_acls: Use correct owner information for ACL after owner change
       via  1a137a2f20c nfs4_acls: Add test for merging duplicates when mapping from NFS4 ACL to DACL
       via  9c886021285 nfs4_acls: Remove duplicate entries when mapping from NFS4 ACL to DACL
       via  169812943de nfs4_acls: Rename smbacl4_fill_ace4 function
       via  b796119e2df nfs4_acls: Add additional owner entry when mapping to NFS4 ACL with IDMAP_TYPE_BOTH
       via  aa464419363 nfs4_acls: Remove redundant pointer variable
       via  7ab0003ffc0 nfs4_acls: Remove redundant logging from smbacl4_fill_ace4
       via  abb58b17599 nfs4_acls: Move adding of NFS4 ACE to ACL to smbacl4_fill_ace4
       via  3499d974631 nfs4_acls: Move smbacl4_MergeIgnoreReject function
       via  44790721e4f nfs4_acls: Remove i argument from smbacl4_MergeIgnoreReject
       via  ba73d2363d9 nfs4_acls: Add missing braces in smbacl4_win2nfs4
       via  336e8668c1c nfs4_acls: Add helper function for checking INHERIT flags.
       via  3b3d722ce57 nfs4_acls: Use correct type when checking ownerGID
       via  f198a0867e7 nfs4_acls: Use switch/case for checking idmap type
       via  d9a2ff559e1 nfs4_acls: Use sids_to_unixids to lookup uid or gid
       via  38331b00521 test_nfs4_acls: Add test for mapping from DACL to NFS4 ACL with IDMAP_TYPE_BOTH
       via  86480410aec test_nfs4_acls: Add test for mapping from NFS4 ACL to DACL with IDMAP_TYPE_BOTH
       via  829c5ea9968 test_nfs4_acls: Add test for mapping from NFS4 to DACL in config mode special
       via  7ae06d96eb5 test_nfs4_acls: Add test for mapping from DACL to NFS4 ACL with config special
       via  f55cdf42a14 test_nfs4_acls: Add test for matching DACL entries for acedup
       via  9671bf2b9f0 test_nfs4_acls: Add test for acedup settings
       via  30677df4dac test_nfs4_acls: Add test for 'map full control' option
       via  3c9cda0f6d8 test_nfs4_acls: Add test for mapping from NFS4 to DACL CREATOR entries
       via  bfcc19b705f test_nfs4_acls: Add test for mapping CREATOR entries to NFS4 ACL entries
       via  1f1fa5bde2c test_nfs4_acls: Add test for mapping from DACL to special NFS4 ACL entries
       via  f86148948c7 test_nfs4_acls: Add test for mapping of special NFS4 ACL entries to DACL entries
       via  e4840e68074 test_nfs4_acls: Add test for mapping permissions from DACL to NFS4 ACL
       via  1767027b44a test_nfs4_acls: Add test for mapping permissions from NFS4 ACL to DACL
       via  bccd2612761 test_nfs4_acls: Add test for flags mapping from DACL to NFS4 ACL
       via  16eb61a900c test_nfs4_acls: Add test for flags mapping from NFS4 ACL to DACL
       via  dd593479752 test_nfs4_acls: Add tests for mapping of ACL types
       via  00f494b25f4 test_nfs4_acls: Add tests for mapping of empty ACLs
       via  8fb906a1860 selftest: Start implementing unit test for nfs4_acls
       via  a06486bb110 nfs4_acls: Remove fsp from smbacl4_win2nfs4
       via  42bd3a72a25 Revert "nfs4acl: Fix owner mapping with ID_TYPE_BOTH"
      from  0348dd4b310 dcerpc: use anon creds for unknown transport
https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit a073799ded5d26dfc7b37b82e7309e06034f95b1
Author: Christof Schmitt <c...@samba.org>
Date:   Thu Jul 18 11:16:33 2019 -0700

    nfs4_acls: Use fsp stat buffer in smb_fget_nt_acl_nfs4

    Instead of having a local buffer for the stat data, update the one kept in the fsp. With this change the local stat buffer and the helper function smbacl4_fGetFileOwner are no longer needed and can be removed.

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

    Autobuild-User(master): Christof Schmitt <c...@samba.org>
    Autobuild-Date(master): Tue Jul 23 19:45:05 UTC 2019 on sn-devel-184

commit d28b55198a823f94399698843fa62967bb197a7b
Author: Christof Schmitt <c...@samba.org>
Date:   Thu Jul 18 10:59:14 2019 -0700

    WHATSNEW: Document change of default for nfs4:acedup parameter

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit f466f4d3e8435a2e0a4a7ec2ca50e02df1f7869e
Author: Christof Schmitt <c...@samba.org>
Date:   Thu Jul 18 10:22:28 2019 -0700

    docs: Update vfs_gpfs manpage for the new default of nfs4:acedup

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit f81191d51bb345ac13402dc4c8100576b4b381cb
Author: Christof Schmitt <c...@samba.org>
Date:   Thu Jul 18 10:13:48 2019 -0700

    nfs4_acls: Change default of nfs4:acedup to "merge"

    All tutorials I could find that configure Samba with NFSv4 ACLs set this parameter to "merge". As this seems to be the main use case, make this setting the default.

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 4aac7d37278d7707ac366c48e49f6d7b49ac5380
Author: Christof Schmitt <c...@samba.org>
Date:   Wed Jul 17 10:46:45 2019 -0700

    docs: Update manpages for deprecated nfs4:acedup settings

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit b52b5de76a87a332d7eb74d77e93180c723bf0b9
Author: Christof Schmitt <c...@samba.org>
Date:   Wed Jul 17 10:51:18 2019 -0700

    nfs4_acls: Mark nfs4:acedup ignore and reject as deprecated

    The default setting for nfs4:acedup is "dontcare". The only recommendation I could find is setting this to "merge". The setting of "ignore" is dangerous as it would silently drop ACEs. "reject" also seems less useful as it would disallow setting of ACLs that can easily be stored.

    Report "ignore" and "reject" as deprecated. Maybe these can be removed in the future to simplify the code.

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit ab4e91d24df19ce820bc092cb91cede42d11037d
Author: Christof Schmitt <c...@samba.org>
Date:   Wed Jun 19 13:56:57 2019 -0700

    docs: Update nfs4:mode example for vfs_zfs

    nfs4:mode special has been deprecated. Switch the example to "simple" to avoid the deprecated setting in the example.

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit de4a11589f15bd983d9f610f532636ac6233d05c
Author: Christof Schmitt <c...@samba.org>
Date:   Thu Jul 18 12:06:06 2019 -0700

    nfs4_acls: Update copyright header

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 728de59740925665d55c72c7f67c85c7b6b4a5e1
Author: Christof Schmitt <c...@samba.org>
Date:   Wed Jun 19 13:53:54 2019 -0700

    nfs4_acls: Add warning for deprecated setting nfs4:mode special

    The documentation states this has been deprecated for years. Add logging of a warning when this is set. Maybe this can be removed in the future.

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 54a0b1ca664dcde017dcc46c4398c7c3806ec4c3
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 9 14:41:01 2019 -0700

    nfs4_acls: Use C99 initializer instead of ZERO_STRUCTP for params struct

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 3a71d619a935b57acacb6a8ba7c80b0ae938eacd
Author: Christof Schmitt <c...@samba.org>
Date:   Wed Jun 19 13:42:19 2019 -0700

    nfs4_acls: Change type of smbacl4_substitute_simple to void

    The function always returned true and the return code was never checked, so simply change to void.

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 8f3ebad2e84317997a9be705c809695529455eb6
Author: Christof Schmitt <c...@samba.org>
Date:   Wed Jun 19 11:14:20 2019 -0700

    nfs4_acls: Remove unused SMB_ACLTYPE_ defines

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit c1770ed96fd3137f45d584ba9328333d5505e3af
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 9 13:39:55 2019 -0700

    vfs_gpfs: Implement special case for denying owner access to ACL

    In GPFS, it is not possible to deny ACL or attribute access through a SPECIAL_OWNER entry. The best that can be done is mapping this to a named user entry, as this one can at least be stored in an ACL.

    The same cannot be done for inheriting SPECIAL_OWNER entries, as these represent CREATOR OWNER entries, and the limitation of not being able to deny owner access to ACL or attributes remains.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit fbf3a090a9ec94262b2924461cc1d6336af9919c
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 9 13:08:35 2019 -0700

    vfs_gpfs: Move mapping from generic NFSv ACL to GPFS ACL to separate function

    This is not a functional change. It cleans up the code a bit and makes expanding this codepath in a later patch easier.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 8bd79ecc37376dbaa35606f9c2777653eb3d55e3
Author: Christof Schmitt <c...@samba.org>
Date:   Wed Jul 10 11:06:19 2019 -0700

    docs: Remove gpfs:merge_writeappend from vfs_gpfs manpage

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 0aca678fcf1788a76cf0ff11399211c795aa7d2f
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 9 12:04:35 2019 -0700

    vfs_gpfs: Remove merge_writeappend parameter

    All supported GPFS versions now support setting WRITE and APPEND in the ACLs independently. Remove this now unused parameter to simplify the code.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 86f7af84f04b06ed96b30f936ace92aa0937be06
Author: Christof Schmitt <c...@samba.org>
Date:   Wed Jul 17 15:29:06 2019 -0700

    nfs4_acls: Use correct owner information for ACL after owner change

    After a chown, the cached stat data is obviously no longer valid. The code in smb_set_nt_acl_nfs4 checked the file correctly, but only used a local buffer for the stat data. So later checks of the stat buffer under fsp->fsp_name->st would still see the old information.

    Fix this by removing the local stat buffer and always updating the one under fsp->fsp_name->st.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 1a137a2f20c2f159c5feaef230a2b85bb9fb23b5
Author: Christof Schmitt <c...@samba.org>
Date:   Wed Jul 10 13:14:32 2019 -0700

    nfs4_acls: Add test for merging duplicates when mapping from NFS4 ACL to DACL

    The previous patch introduced merging of duplicates on the mapping path from NFS4 ACL entries to DACL entries. Add a testcase to verify the expected behavior of this codepath.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 9c88602128592ddad537bf70cbe3c51f0b2cebe5
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 2 15:08:11 2019 -0700

    nfs4_acls: Remove duplicate entries when mapping from NFS4 ACL to DACL

    The previous patch added an additional entry for IDMAP_TYPE_BOTH. When mapping back to a DACL, there should be no additional entry. Add a loop that will check and remove entries that are exact duplicates.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 169812943de23cf2752289c63331d786b0b063bd
Author: Christof Schmitt <c...@samba.org>
Date:   Thu Jul 18 11:49:29 2019 -0700

    nfs4_acls: Rename smbacl4_fill_ace4 function

    As this function now maps the ACE and also adds it to the NFSv4 ACE, change the name to better describe its behavior.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit b796119e2df38d1935064556934dd10da6f3d339
Author: Christof Schmitt <c...@samba.org>
Date:   Wed Jul 17 10:49:47 2019 -0700

    nfs4_acls: Add additional owner entry when mapping to NFS4 ACL with IDMAP_TYPE_BOTH

    With IDMAP_TYPE_BOTH, all entries have to be mapped to group entries. In order to have the file system reflect the owner permissions in the POSIX modebits, create a second entry for the user. This will be mapped to the "special owner" entry.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit aa4644193635d846c2e08e8c1e7b512e8009c2ef
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 16 15:56:12 2019 -0700

    nfs4_acls: Remove redundant pointer variable

    The previous patch introduced a pointer to a local variable to reduce the number of lines changed. Remove that pointer and adjust all usage accordingly.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 7ab0003ffc098247c3ee3962d7061f2af5a2d00e
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 16 15:50:36 2019 -0700

    nfs4_acls: Remove redundant logging from smbacl4_fill_ace4

    Logging flags in case they do not match seems unnecessary. Other log messages should show the flags as well.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit abb58b17599bd3f9a06037e208dcc5033c7fdd8b
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 16 15:30:36 2019 -0700

    nfs4_acls: Move adding of NFS4 ACE to ACL to smbacl4_fill_ace4

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 3499d97463110f042415d917160bc2743805a544
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 16 15:20:25 2019 -0700

    nfs4_acls: Move smbacl4_MergeIgnoreReject function

    This static function will be called earlier in later patches.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 44790721e4f2c6ee6f46de7ac88123ce1a9f6e39
Author: Christof Schmitt <c...@samba.org>
Date:   Mon Jul 15 14:43:01 2019 -0700

    nfs4_acls: Remove i argument from smbacl4_MergeIgnoreReject

    This is only used for logging of a rejected ACL, but does not provide additional useful information. Remove it to simplify the function a bit.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit ba73d2363d93a376ba4947963c9de45a7e683f02
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 2 13:20:44 2019 -0700

    nfs4_acls: Add missing braces in smbacl4_win2nfs4

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 336e8668c1cc3682cb3c198eb6dc49baf522a79a
Author: Christof Schmitt <c...@samba.org>
Date:   Wed Jun 26 13:20:17 2019 -0700

    nfs4_acls: Add helper function for checking INHERIT flags.

    This avoids some code duplication. Do not make this static, as it will be used in a later patch.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 3b3d722ce579c19c7b08d06a3adea275537545dc
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jun 25 15:21:06 2019 -0700

    nfs4_acls: Use correct type when checking ownerGID

    uid and gid are members of the same union so this makes no difference, but for type correctness and readability use the gid to check for ownerGID.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit f198a0867e71f248d4887ab0b6f2832123b16d11
Author: Christof Schmitt <c...@samba.org>
Date:   Mon Jul 15 13:15:32 2019 -0700

    nfs4_acls: Use switch/case for checking idmap type

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit d9a2ff559e1ad953141b1118a9e370496f1f61fa
Author: Christof Schmitt <c...@samba.org>
Date:   Wed Jun 26 13:24:16 2019 -0700

    nfs4_acls: Use sids_to_unixids to lookup uid or gid

    This is the newer API to lookup id mappings and will make it easier to add to the IDMAP_TYPE_BOTH case.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 38331b00521ef764893a74add01758f14567d901
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 2 13:04:44 2019 -0700

    test_nfs4_acls: Add test for mapping from DACL to NFS4 ACL with IDMAP_TYPE_BOTH

    When id mappings use IDMAP_TYPE_BOTH, the NFSv4 ACL mapping code is not aware whether a particular entry is for a user or a group. The underlying assumption then is that it should not matter, as the ACL mapping maps everything to NFSv4 ACL group entries and the user's token will contain gid entries for the groups.

    Add a testcase to verify that when mapping from DACLs to NFSv4 ACL entries with IDMAP_TYPE_BOTH, all entries are mapped as expected.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 86480410aec1d2331c65826a13f909492165a291
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 2 12:50:42 2019 -0700

    test_nfs4_acls: Add test for mapping from NFS4 ACL to DACL with IDMAP_TYPE_BOTH

    When id mappings use IDMAP_TYPE_BOTH, the NFSv4 ACL mapping code is not aware whether a particular entry is for a user or a group. The underlying assumption then is that it should not matter, as the ACL mapping maps everything to NFSv4 ACL group entries and the user's token will contain gid entries for the groups.

    Add a testcase to verify that when mapping from NFSv4 ACL entries to DACLs with IDMAP_TYPE_BOTH, all entries are mapped as expected.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 829c5ea99685c0629fd67ed0528897534ff35b36
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 2 12:23:02 2019 -0700

    test_nfs4_acls: Add test for mapping from NFS4 to DACL in config mode special

    The mapping code between NFSv4 ACLs and security descriptors still has the deprecated config setting "nfs4:mode = special". This should not be used as it has security problems: All entries matching owner or group are mapped to "special owner" or "special group", which can change its meaning when being inherited to a new file or directory with different owner and owning group.

    This mode should eventually be removed, but as long as it still exists add testcases to verify the expected behavior.

    This patch adds the testcase for "nfs4:mode = special" when mapping from the NFS4 ACL to the DACL in the security descriptor.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 7ae06d96eb59722154d30e21949f9dba4f2f0bc6
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 2 12:16:08 2019 -0700

    test_nfs4_acls: Add test for mapping from DACL to NFS4 ACL with config special

    The mapping code between NFSv4 ACLs and security descriptors still has the deprecated config setting "nfs4:mode = special". This should not be used as it has security problems: All entries matching owner or group are mapped to "special owner" or "special group", which can change its meaning when being inherited to a new file or directory with different owner and owning group.

    This mode should eventually be removed, but as long as it still exists add testcases to verify the expected behavior.

    This patch adds the testcase for "nfs4:mode = special" when mapping from the DACL in the security descriptor to the NFSv4 ACL.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit f55cdf42a14f314102f2e13cb06d4db48c08ad4b
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 2 12:09:04 2019 -0700

    test_nfs4_acls: Add test for matching DACL entries for acedup

    The NFSv4 mapping code has a config option nfs4:acedup for the mapping path from DACLs to NFSv4 ACLs. Part of this codepath is detecting duplicate ACL entries. Add a testcase with different ACL entries and verify that only exactly matching entries are detected as duplicates and treated accordingly.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 9671bf2b9f055012057620207624aa2f4ea6833e
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 2 12:07:36 2019 -0700

    test_nfs4_acls: Add test for acedup settings

    The NFSv4 ACL mapping code has a setting nfs4:acedup. Depending on the setting, when mapping from DACLs to NFSv4 ACLs, duplicate ACL entries are either merged, ignored or rejected. Add a testcase that has duplicate ACL entries and verify the expected behavior for all possible settings of the nfs4:acedup option.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 30677df4dac4ebfcf4e3198db33f14be37948197
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 2 12:02:58 2019 -0700

    test_nfs4_acls: Add test for 'map full control' option

    "map full control" when enabled adds the DELETE_CHILD permission, when all other permissions are present. This allows Windows clients to display the "FULL CONTROL" permissions.

    Add a testcase that verifies this mapping when mapping from NFSv4 ACL to the DACL in the security descriptor. Also verify that switching the option off disables this behavior.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 3c9cda0f6d80258ef0c2a80d6e24dfb650fea1b1
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 2 11:57:45 2019 -0700

    test_nfs4_acls: Add test for mapping from NFS4 to DACL CREATOR entries

    Add testcase for mapping from NFSv4 ACL entries for "special owner" and "special group" to DACL entries in the security descriptor. Each NFSv4 entry here with INHERIT_ONLY maps directly to a CREATOR OWNER or CREATOR GROUP entry in the DACL. Entries without INHERIT_ONLY map to the CREATOR entry and an additional explicit entry granting permission on the current object.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit bfcc19b705f83bdd5cf665fd4daf43e7eae997a9
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 2 11:55:59 2019 -0700

    test_nfs4_acls: Add test for mapping CREATOR entries to NFS4 ACL entries

    Add testcase for mapping DACL entries CREATOR OWNER and CREATOR GROUP with inheritance flag in the security descriptor to NFSv4 "special owner" and "special group" entries. This is the correct mapping for these entries as inheriting "special owner" and "special group" grants permissions to the actual owner and owning group of the new file or directory, similar to what CREATOR entries do.

    The other side is that CREATOR entries without any inheritance flags do not make sense, so these are not mapped to NFSv4 ACL entries.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 1f1fa5bde2c76636c1beec39c21067b252ea10be
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 2 11:53:15 2019 -0700

    test_nfs4_acls: Add test for mapping from DACL to special NFS4 ACL entries

    Add testcase for mapping from entries in the DACL security descriptor to "special" entries in the NFSv4 ACL.

    Verify that the WORLD well-known SID maps to "everyone" in the NFSv4 ACL.

    Verify that the "Unix NFS" SID is ignored, as there is no meaningful mapping for this entry.

    Verify that SID entries matching the owner or group are mapped to "special owner" or "special group", but only if no inheritance flags are used. "special owner" and "special group" with inheritance flags have the meaning of CREATOR OWNER and CREATOR GROUP and will be tested in another testcase.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit f86148948c7f89307a34e31f6ddede6923149d34
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 2 11:46:23 2019 -0700

    test_nfs4_acls: Add test for mapping of special NFS4 ACL entries to DACL entries

    In addition to entries for users and groups, NFSv4 ACLs have the concept of entries for "special" entries. Only the "owner", "group" and "everyone" entries are currently used in the ACL mapping.

    Add a testcase that verifies the mapping from NFSv4 "special" entries to the DACL in the security descriptor. Verify that only "owner", "group" and "everyone" are mapped and all other "special" entries are ignored.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit e4840e680744bd860beedeb5123704c3c0d6a4d7
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 2 11:35:34 2019 -0700

    test_nfs4_acls: Add test for mapping permissions from DACL to NFS4 ACL

    Add testcase for mapping the permission flags from the DACL in the Security Descriptor to an NFSv4 ACL. The mapping is straightforward as the same permission bits exist for Security Descriptors and NFSv4 ACLs. In addition, the code also maps from the generic DACL permissions to a set of NFSv4 permissions; also verify this mapping.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 1767027b44a9e4ebd865022e3f8abb0c72bf15c6
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 2 11:33:29 2019 -0700

    test_nfs4_acls: Add test for mapping permissions from NFS4 ACL to DACL

    Add testcase for mapping permissions from the NFSv4 ACL to DACL in the security descriptor. The mapping is simple as each permission bit exists on both sides.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit bccd2612761e26ee2514935d56927b2c0c000859
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 2 11:30:12 2019 -0700

    test_nfs4_acls: Add test for flags mapping from DACL to NFS4 ACL

    Add testcase for the mapping of inheritance flags from the DACL in the security descriptor to the NFSv4 ACL. The mapping is different for files and directories as some inheritance flags should not be present for files. Also other flags are not mapped at all; verify this behavior.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 16eb61a900c6749c2554d635ce2dd903f5de1704
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 2 11:28:31 2019 -0700

    test_nfs4_acls: Add test for flags mapping from NFS4 ACL to DACL

    Add testcase for the mapping of inheritance flags when mapping from an NFSv4 ACL to a DACL in the security descriptor. The mapping is different between files and directories, as some inheritance flags should never be present for files. Some defined flags like SUCCESSFUL_ACCESS are also not mapped at this point; also verify this behavior.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit dd5934797526ebb4c6f3027a809401dad3abf701
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 2 11:25:33 2019 -0700

    test_nfs4_acls: Add tests for mapping of ACL types

    Add testcases for mapping the type field (ALLOW or DENY) between NFSv4 ACLs and security descriptors.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 00f494b25f4e1d1aecf6191523e30f20a90b1e4f
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 2 11:23:40 2019 -0700

    test_nfs4_acls: Add tests for mapping of empty ACLs

    This is a fairly simple test that ensures the mapping of empty ACLs (without any ACL entries) is always done the same way.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 8fb906a1860452a320c79ac87917a97303729c19
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 2 11:22:13 2019 -0700

    selftest: Start implementing unit test for nfs4_acls

    Existing smbtorture tests set and query ACLs through SMB, only working with the DACLs in the Security Descriptors, but never check the NFSv4 ACL representation. This patch introduces a unit test to verify the mapping between Security Descriptors and NFSv4 ACLs.

    As the mapping code queries id mappings, the id mapping cache is first primed with the mappings used by the tests and those mappings are removed again during teardown.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit a06486bb110d04a90b66a0bca4b1b600ef3c0ebf
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jun 11 16:15:10 2019 -0700

    nfs4_acls: Remove fsp from smbacl4_win2nfs4

    Only the information whether the ACL is for a file or a directory is required. Replacing the fsp with a flag is clearer and allows for unit testing of the mapping functions.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 42bd3a72a2525aa8a918f4bf7067b30ce8e0e197
Author: Christof Schmitt <c...@samba.org>
Date:   Fri Jun 7 12:55:32 2019 -0700

    Revert "nfs4acl: Fix owner mapping with ID_TYPE_BOTH"

    This reverts commit 5d4f7bfda579cecb123cfb1d7130688f1d1c98b7.

    That patch broke the case with ID_TYPE_BOTH where a file is owned by a group (e.g. using autorid and having a file owned by BUILTIN\Administrators). In this case, the ACE entry for the group gets mapped to a user ACL entry and the group no longer has access (as in the user's token the group is not mapped to a uid).

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                        |    1 +
 docs-xml/manpages/vfs_gpfs.8.xml    |   28 +-
 docs-xml/manpages/vfs_zfsacl.8.xml  |    6 +-
 source3/modules/README.nfs4acls.txt |    8 +-
 source3/modules/nfs4_acls.c         |  416 ++++----
 source3/modules/nfs4_acls.h         |    7 +-
 source3/modules/test_nfs4_acls.c    | 1898 +++++++++++++++++++++++++++++++++++
 source3/modules/vfs_gpfs.c          |  121 ++-
 source3/modules/wscript_build       |    5 +
 source3/selftest/tests.py           |    4 +
 10 files changed, 2230 insertions(+), 264 deletions(-)
 create mode 100644 source3/modules/test_nfs4_acls.c


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 510ee2c89db..8a15c4449af 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -27,6 +27,7 @@ smb.conf changes Parameter Name Description Default -------------- ----------- ------- + nfs4:acedup Changed default merge KNOWN ISSUES ============ diff --git a/docs-xml/manpages/vfs_gpfs.8.xml b/docs-xml/manpages/vfs_gpfs.8.xml index 2f3b4274e4b..eb0cc72f8f0 100644 --- a/docs-xml/manpages/vfs_gpfs.8.xml +++ b/docs-xml/manpages/vfs_gpfs.8.xml @@ -204,26 +204,6 @@ </varlistentry> <varlistentry> - <term>gpfs:merge_writeappend = [ yes | no ]</term> - <listitem> - <para> - GPFS ACLs doesn't know about the 'APPEND' right. - This option lets Samba map the 'APPEND' right to 'WRITE'. - </para> - - <itemizedlist> - <listitem><para> - <command>yes(default)</command> - map 'APPEND' to 'WRITE'. - </para></listitem> - <listitem><para> - <command>no</command> - do not map 'APPEND' to 'WRITE'. - </para></listitem> - </itemizedlist> - </listitem> - - </varlistentry> - <varlistentry> - <term>gpfs:acl = [ yes | no ]</term> <listitem> <para> 
@@ -391,10 +371,10 @@ <para>Following is the behaviour of Samba for different values :</para> <itemizedlist> - <listitem><para><command>dontcare (default)</command> - copy the ACEs as they come</para></listitem> - <listitem><para><command>reject</command> - stop operation and exit with error on ACL set op</para></listitem> - <listitem><para><command>ignore</command> - don't include the second matching ACE</para></listitem> - <listitem><para><command>merge</command> - bitwise OR the 2 ace.flag fields and 2 ace.mask fields of the 2 duplicate ACEs into 1 ACE</para></listitem> + <listitem><para><command>dontcare</command> - copy the ACEs as they come</para></listitem> + <listitem><para><command>reject (deprecated)</command> - stop operation and exit with error on ACL set op</para></listitem> + <listitem><para><command>ignore (deprecated)</command> - don't include the second matching ACE</para></listitem> + <listitem><para><command>merge (default)</command> - bitwise OR the 2 ace.flag fields and 2 ace.mask fields of the 2 duplicate ACEs into 1 ACE</para></listitem> </itemizedlist> </listitem> </varlistentry> diff --git a/docs-xml/manpages/vfs_zfsacl.8.xml b/docs-xml/manpages/vfs_zfsacl.8.xml index 4827e2407e6..56d1d06cce1 100644 --- a/docs-xml/manpages/vfs_zfsacl.8.xml +++ b/docs-xml/manpages/vfs_zfsacl.8.xml 
@@ -100,8 +100,8 @@ <para>Following is the behaviour of Samba for different values :</para> <itemizedlist> <listitem><para><command>dontcare (default)</command> - copy the ACEs as they come</para></listitem> - <listitem><para><command>reject</command> - stop operation and exit with error on ACL set op</para></listitem> - <listitem><para><command>ignore</command> - don't include the second matching ACE</para></listitem> + <listitem><para><command>reject (deprecated)</command> - stop operation and exit with error on ACL set op</para></listitem> + <listitem><para><command>ignore (deprecated)</command> - don't include the second matching ACE</para></listitem> <listitem><para><command>merge</command> - bitwise OR the 2 ace.flag fields and 2 ace.mask fields of the 2 duplicate ACEs into 1 ACE</para></listitem> </itemizedlist> </listitem> @@ -137,7 +137,7 @@ <smbconfsection name="[samba_zfs_share]"/> <smbconfoption name="vfs objects">zfsacl</smbconfoption> <smbconfoption name="path">/test/zfs_mount</smbconfoption> - <smbconfoption name="nfs4: mode">special</smbconfoption> + <smbconfoption name="nfs4: mode">simple</smbconfoption> <smbconfoption name="nfs4: acedup">merge</smbconfoption> </programlisting> </refsect1> diff --git a/source3/modules/README.nfs4acls.txt b/source3/modules/README.nfs4acls.txt index 3594aafee8e..c16b8220fbb 100644 --- a/source3/modules/README.nfs4acls.txt +++ b/source3/modules/README.nfs4acls.txt 
@@ -33,10 +33,10 @@ chown = [true|false] - false => disable support for changing owner or group acedup = [dontcare|reject|ignore|merge] -- dontcare: copy ACEs as they come, don't care with "duplicate" records. Default. -- reject: stop operation, exit acl setter operation with an error -- ignore: don't include the second matching ACE -- merge: OR 2 ace.flag fields and 2 ace.mask fields of the 2 duplicate ACEs into 1 ACE +- dontcare: copy ACEs as they come, don't care with "duplicate" records. +- reject: stop operation, exit acl setter operation with an error. (deprecated) +- ignore: don't include the second matching ACE. (deprecated) +- merge: OR 2 ace.flag fields and 2 ace.mask fields of the 2 duplicate ACEs into 1 ACE (default) Two ACEs are considered here "duplicate" when their type and id fields are matching. diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index 7776caa16d2..4d50223c795 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c @@ -2,6 +2,7 @@ * NFS4 ACL handling * * Copyright (C) Jim McDonough, 2006 + * Copyright (C) Christof Schmitt 2019 * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -21,6 +22,7 @@ #include "smbd/smbd.h" #include "nfs4_acls.h" #include "librpc/gen_ndr/ndr_security.h" +#include "librpc/gen_ndr/idmap.h" #include "../libcli/security/dom_sid.h" #include "../libcli/security/security.h" #include "dbwrap/dbwrap.h" @@ -71,7 +73,7 @@ int smbacl4_get_vfs_params(struct connection_struct *conn, }; int enumval; - ZERO_STRUCTP(params); + *params = (struct smbacl4_vfs_params) { 0 }; enumval = lp_parm_enum(SNUM(conn), SMBACL4_PARAM_TYPE_NAME, "mode", enum_smbacl4_modes, e_simple); 
@@ -81,18 +83,27 @@ int smbacl4_get_vfs_params(struct connection_struct *conn, return -1; } params->mode = (enum smbacl4_mode_enum)enumval; + if (params->mode == e_special) { + DBG_WARNING("nfs4:mode special is deprecated.\n"); + } params->do_chown = lp_parm_bool(SNUM(conn), SMBACL4_PARAM_TYPE_NAME, "chown", true); enumval = lp_parm_enum(SNUM(conn), SMBACL4_PARAM_TYPE_NAME, "acedup", - enum_smbacl4_acedups, e_dontcare); + enum_smbacl4_acedups, e_merge); if (enumval == -1) { DEBUG(10, ("value for %s:acedup unknown\n", SMBACL4_PARAM_TYPE_NAME)); return -1; } params->acedup = (enum smbacl4_acedup_enum)enumval; + if (params->acedup == e_ignore) { + DBG_WARNING("nfs4:acedup ignore is deprecated.\n"); + } + if (params->acedup == e_reject) { + DBG_WARNING("nfs4:acedup ignore is deprecated.\n"); + } params->map_full_control = lp_acl_map_full_control(SNUM(conn)); @@ -254,6 +265,13 @@ bool smbacl4_set_controlflags(struct SMB4ACL_T *acl, uint16_t controlflags) return true; } +bool nfs_ace_is_inherit(SMB_ACE4PROP_T *ace) +{ + return ace->aceFlags & (SMB_ACE4_INHERIT_ONLY_ACE| + SMB_ACE4_FILE_INHERIT_ACE| + SMB_ACE4_DIRECTORY_INHERIT_ACE); +} + static int smbacl4_GetFileOwner(struct connection_struct *conn, const struct smb_filename *smb_fname, SMB_STRUCT_STAT *psbuf) 
@@ -271,22 +289,33 @@ static int smbacl4_GetFileOwner(struct connection_struct *conn, return 0; } -static int smbacl4_fGetFileOwner(files_struct *fsp, SMB_STRUCT_STAT *psbuf) +static void check_for_duplicate_sec_ace(struct security_ace *nt_ace_list, + int *good_aces) { - ZERO_STRUCTP(psbuf); + struct security_ace *last = NULL; + int i; - if (fsp->fh->fd == -1) { - return smbacl4_GetFileOwner(fsp->conn, - fsp->fsp_name, psbuf); - } - if (SMB_VFS_FSTAT(fsp, psbuf) != 0) - { - DEBUG(8, ("SMB_VFS_FSTAT failed with error %s\n", - strerror(errno))); - return -1; + if (*good_aces < 2) { + return; } - return 0; + last = &nt_ace_list[(*good_aces) - 1]; + + for (i = 0; i < (*good_aces) - 1; i++) { + struct security_ace *cur = &nt_ace_list[i]; + + if (cur->type == last->type && + cur->flags == last->flags && + cur->access_mask == last->access_mask && + dom_sid_equal(&cur->trustee, &last->trustee)) + { + struct dom_sid_buf sid_buf; + + DBG_INFO("Removing duplicate entry for SID %s.\n", + dom_sid_str_buf(&last->trustee, &sid_buf)); + (*good_aces)--; + } + } } static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, @@ -430,6 +459,8 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, ace->aceType, mask, win_ace_flags); } + + check_for_duplicate_sec_ace(nt_ace_list, &good_aces); } nt_ace_list = talloc_realloc(mem_ctx, nt_ace_list, struct security_ace, 
@@ -516,21 +547,17 @@ NTSTATUS smb_fget_nt_acl_nfs4(files_struct *fsp, struct security_descriptor **ppdesc, struct SMB4ACL_T *theacl) { - SMB_STRUCT_STAT sbuf; struct smbacl4_vfs_params params; - SMB_STRUCT_STAT *psbuf = NULL; DEBUG(10, ("smb_fget_nt_acl_nfs4 invoked for %s\n", fsp_str_dbg(fsp))); - if (VALID_STAT(fsp->fsp_name->st)) { - psbuf = &fsp->fsp_name->st; - } + if (!VALID_STAT(fsp->fsp_name->st)) { + NTSTATUS status; - if (psbuf == NULL) { - if (smbacl4_fGetFileOwner(fsp, &sbuf)) { - return map_nt_error_from_unix(errno); + status = vfs_stat_fsp(fsp); + if (!NT_STATUS_IS_OK(status)) { + return status; } - psbuf = &sbuf; } if (pparams == NULL) { @@ -541,7 +568,8 @@ NTSTATUS smb_fget_nt_acl_nfs4(files_struct *fsp, pparams = ¶ms; } - return smb_get_nt_acl_nfs4_common(psbuf, pparams, security_info, + return smb_get_nt_acl_nfs4_common(&fsp->fsp_name->st, pparams, + security_info, mem_ctx, ppdesc, theacl); } 
@@ -646,149 +674,196 @@ static SMB_ACE4PROP_T *smbacl4_find_equal_special( return NULL; } +static int smbacl4_MergeIgnoreReject(enum smbacl4_acedup_enum acedup, + struct SMB4ACL_T *theacl, + SMB_ACE4PROP_T *ace, + bool *paddNewACE) +{ + int result = 0; + SMB_ACE4PROP_T *ace4found = smbacl4_find_equal_special(theacl, ace); + if (ace4found) + { + switch(acedup) + { + case e_merge: /* "merge" flags */ + *paddNewACE = false; + ace4found->aceFlags |= ace->aceFlags; + ace4found->aceMask |= ace->aceMask; + break; + case e_ignore: /* leave out this record */ + *paddNewACE = false; + break; + case e_reject: /* do an error */ + DBG_INFO("ACL rejected by duplicate nt ace.\n"); + errno = EINVAL; /* SHOULD be set on any _real_ error */ + result = -1; + break; + default: + break; + } + } + return result; +} -static bool smbacl4_fill_ace4( - const struct smb_filename *filename, - const struct smbacl4_vfs_params *params, - uid_t ownerUID, - gid_t ownerGID, - const struct security_ace *ace_nt, /* input */ - SMB_ACE4PROP_T *ace_v4 /* output */ -) +static int nfs4_acl_add_ace(enum smbacl4_acedup_enum acedup, + struct SMB4ACL_T *nfs4_acl, + SMB_ACE4PROP_T *nfs4_ace) +{ + bool add_ace = true; + + if (acedup != e_dontcare) { + int ret; + + ret = smbacl4_MergeIgnoreReject(acedup, nfs4_acl, + nfs4_ace, &add_ace); + if (ret == -1) { + return -1; + } + } + + if (add_ace) { + smb_add_ace4(nfs4_acl, nfs4_ace); + } + + return 0; +} + +static int nfs4_acl_add_sec_ace(bool is_directory, + const struct smbacl4_vfs_params *params, + uid_t ownerUID, + gid_t ownerGID, + const struct security_ace *ace_nt, + struct SMB4ACL_T *nfs4_acl) { struct dom_sid_buf buf; + SMB_ACE4PROP_T nfs4_ace = { 0 }; + SMB_ACE4PROP_T nfs4_ace_2 = { 0 }; + bool add_ace2 = false; + int ret; DEBUG(10, ("got ace for %s\n", dom_sid_str_buf(&ace_nt->trustee, &buf))); - ZERO_STRUCTP(ace_v4); - /* only ACCESS|DENY supported right now */ - ace_v4->aceType = ace_nt->type; + nfs4_ace.aceType = ace_nt->type; - ace_v4->aceFlags = 
map_windows_ace_flags_to_nfs4_ace_flags( - ace_nt->flags); + nfs4_ace.aceFlags = + map_windows_ace_flags_to_nfs4_ace_flags(ace_nt->flags); /* remove inheritance flags on files */ - if (VALID_STAT(filename->st) && - !S_ISDIR(filename->st.st_ex_mode)) { + if (!is_directory) { DEBUG(10, ("Removing inheritance flags from a file\n")); - ace_v4->aceFlags &= ~(SMB_ACE4_FILE_INHERIT_ACE| - SMB_ACE4_DIRECTORY_INHERIT_ACE| - SMB_ACE4_NO_PROPAGATE_INHERIT_ACE| - SMB_ACE4_INHERIT_ONLY_ACE); + nfs4_ace.aceFlags &= ~(SMB_ACE4_FILE_INHERIT_ACE| + SMB_ACE4_DIRECTORY_INHERIT_ACE| + SMB_ACE4_NO_PROPAGATE_INHERIT_ACE| + SMB_ACE4_INHERIT_ONLY_ACE); } - ace_v4->aceMask = ace_nt->access_mask & - (SEC_STD_ALL | SEC_FILE_ALL); - - se_map_generic(&ace_v4->aceMask, &file_generic_mapping); + nfs4_ace.aceMask = ace_nt->access_mask & (SEC_STD_ALL | SEC_FILE_ALL); - if (ace_v4->aceFlags!=ace_nt->flags) - DEBUG(9, ("ace_v4->aceFlags(0x%x)!=ace_nt->flags(0x%x)\n", - ace_v4->aceFlags, ace_nt->flags)); - - if (ace_v4->aceMask!=ace_nt->access_mask) - DEBUG(9, ("ace_v4->aceMask(0x%x)!=ace_nt->access_mask(0x%x)\n", - ace_v4->aceMask, ace_nt->access_mask)); + se_map_generic(&nfs4_ace.aceMask, &file_generic_mapping); if (dom_sid_equal(&ace_nt->trustee, &global_sid_World)) { - ace_v4->who.special_id = SMB_ACE4_WHO_EVERYONE; - ace_v4->flags |= SMB_ACE4_ID_SPECIAL; + nfs4_ace.who.special_id = SMB_ACE4_WHO_EVERYONE; + nfs4_ace.flags |= SMB_ACE4_ID_SPECIAL; } else if (params->mode!=e_special && dom_sid_equal(&ace_nt->trustee, &global_sid_Creator_Owner)) { DEBUG(10, ("Map creator owner\n")); - ace_v4->who.special_id = SMB_ACE4_WHO_OWNER; - ace_v4->flags |= SMB_ACE4_ID_SPECIAL; + nfs4_ace.who.special_id = SMB_ACE4_WHO_OWNER; + nfs4_ace.flags |= SMB_ACE4_ID_SPECIAL; /* A non inheriting creator owner entry has no effect. 
*/ - ace_v4->aceFlags |= SMB_ACE4_INHERIT_ONLY_ACE; - if (!(ace_v4->aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE) - && !(ace_v4->aceFlags & SMB_ACE4_FILE_INHERIT_ACE)) { - return false; + nfs4_ace.aceFlags |= SMB_ACE4_INHERIT_ONLY_ACE; + if (!(nfs4_ace.aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE) + && !(nfs4_ace.aceFlags & SMB_ACE4_FILE_INHERIT_ACE)) { + return 0; } } else if (params->mode!=e_special && dom_sid_equal(&ace_nt->trustee, &global_sid_Creator_Group)) { DEBUG(10, ("Map creator owner group\n")); - ace_v4->who.special_id = SMB_ACE4_WHO_GROUP; - ace_v4->flags |= SMB_ACE4_ID_SPECIAL; + nfs4_ace.who.special_id = SMB_ACE4_WHO_GROUP; + nfs4_ace.flags |= SMB_ACE4_ID_SPECIAL; /* A non inheriting creator group entry has no effect. */ - ace_v4->aceFlags |= SMB_ACE4_INHERIT_ONLY_ACE; - if (!(ace_v4->aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE) - && !(ace_v4->aceFlags & SMB_ACE4_FILE_INHERIT_ACE)) { - return false; + nfs4_ace.aceFlags |= SMB_ACE4_INHERIT_ONLY_ACE; + if (!(nfs4_ace.aceFlags & SMB_ACE4_DIRECTORY_INHERIT_ACE) + && !(nfs4_ace.aceFlags & SMB_ACE4_FILE_INHERIT_ACE)) { + return 0; } } else { - uid_t uid; - gid_t gid; - - /* - * ID_TYPE_BOTH returns both uid and gid. Explicitly - * check for ownerUID to allow the mapping of the - * owner to a special entry in this idmap config. 
- */ - if (sid_to_uid(&ace_nt->trustee, &uid) && uid == ownerUID) { - ace_v4->who.uid = uid; - } else if (sid_to_gid(&ace_nt->trustee, &gid)) { - ace_v4->aceFlags |= SMB_ACE4_IDENTIFIER_GROUP; - ace_v4->who.gid = gid; - } else if (sid_to_uid(&ace_nt->trustee, &uid)) { - ace_v4->who.uid = uid; - } else if (dom_sid_compare_domain(&ace_nt->trustee, - &global_sid_Unix_NFS) == 0) { - return false; - } else { - DEBUG(1, ("nfs4_acls.c: file [%s]: could not " - "convert %s to uid or gid\n", - filename->base_name, - dom_sid_str_buf(&ace_nt->trustee, &buf))); - return false; + struct unixid unixid; + bool ok; + + ok = sids_to_unixids(&ace_nt->trustee, 1, &unixid); + if (!ok) { + DBG_WARNING("Could not convert %s to uid or gid.\n", + dom_sid_str_buf(&ace_nt->trustee, &buf)); + return 0; } - } - return true; /* OK */ -} + if (dom_sid_compare_domain(&ace_nt->trustee, + &global_sid_Unix_NFS) == 0) { + return 0; + } -static int smbacl4_MergeIgnoreReject( - enum smbacl4_acedup_enum acedup, - struct SMB4ACL_T *theacl, /* may modify it */ - SMB_ACE4PROP_T *ace, /* the "new" ACE */ - bool *paddNewACE, - int i -) -{ - int result = 0; - SMB_ACE4PROP_T *ace4found = smbacl4_find_equal_special(theacl, ace); - if (ace4found) - { - switch(acedup) - { - case e_merge: /* "merge" flags */ - *paddNewACE = false; - ace4found->aceFlags |= ace->aceFlags; - ace4found->aceMask |= ace->aceMask; + switch (unixid.type) { + case ID_TYPE_BOTH: + nfs4_ace.aceFlags |= SMB_ACE4_IDENTIFIER_GROUP; + nfs4_ace.who.gid = unixid.id; + + if (ownerUID == unixid.id && + !nfs_ace_is_inherit(&nfs4_ace)) + { + /* + * IDMAP_TYPE_BOTH for owner. Add -- Samba Shared Repository
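Review bot: the deprecation warning in the `if (params->acedup == e_reject)` branch of the smbacl4_get_vfs_params hunk in nfs4_acls.c (@@ -81,18 +83,27 @@) prints "nfs4:acedup ignore is deprecated.\n", a copy of the message from the e_ignore branch directly above it; it should read "nfs4:acedup reject is deprecated.\n" so that an admin reading the log knows which smb.conf value to change.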
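Review bot: the vfs_zfsacl.8.xml hunk at @@ -100,8 +100,8 @@ keeps `<command>dontcare (default)</command>` and plain `<command>merge</command>` as unchanged context, so that manpage still documents dontcare as the default, while the nfs4_acls.c hunk changes the lp_parm_enum fallback from e_dontcare to e_merge and the vfs_gpfs.8.xml and README.nfs4acls.txt hunks already mark merge as the default; the zfsacl page should get the same two edits (`<command>dontcare</command>` and `<command>merge (default)</command>`) so the three documents agree with the code.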
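Review bot: the WHATSNEW.txt hunk records only the changed nfs4:acedup default, but the vfs_gpfs.8.xml hunk at @@ -204,26 +204,6 @@ removes the gpfs:merge_writeappend parameter from the manpage altogether; a removed parameter belongs in WHATSNEW as well, since an existing smb.conf that still sets gpfs:merge_writeappend will silently stop having the documented effect, and administrators need to discover that on upgrade rather than from a missing manpage entry.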
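Review bot: in the check_for_duplicate_sec_ace hunk in nfs4_acls.c (@@ -271,22 +289,33 @@), the for loop keeps running after `(*good_aces)--;`. Because the function is called from smbacl4_nfs42win after every ACE is appended, the first good_aces - 1 entries can never contain duplicates of each other, so only one match is possible today; a `break;` after the decrement would make that invariant explicit and guard against a future second match dropping a non-duplicate entry. A short comment that the comparison is deliberately exact on type, flags, access_mask and trustee (so two entries for the same SID that differ only in inheritance flags are kept) would also help the next reader.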
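Review bot: in the nfs4_acl_add_sec_ace hunk in nfs4_acls.c, a failed `sids_to_unixids(&ace_nt->trustee, 1, &unixid)` logs a DBG_WARNING and then `return 0;`, so the ACE is dropped while the caller sees success; the replaced smbacl4_fill_ace4 code returned false at that point. Silently skipping an unmappable entry when an ACL is set means the stored NFSv4 ACL no longer matches the DACL the client asked for, which matters most for a DENY ACE whose omission widens access; please either document why dropping is the intended behaviour here or return -1 with errno set, following the pattern smbacl4_MergeIgnoreReject already uses for e_reject. The new warning also no longer names the file (the old DEBUG(1) printed filename->base_name), which is a consequence of removing the fsp from smbacl4_win2nfs4 but makes the message harder to act on in the logs.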