Context Navigation

← Previous Change
Next Change →

Changeset 594 for vendor/current/source3/smbd

Timestamp:

Jul 1, 2011, 4:02:23 PM (14 years ago)

Author:

Herwig Bauernfeind

Message:

Samba 3.5: Update vendor to version 3.5.8

Location:

vendor/current/source3/smbd

Files:

: 10 edited

conn.c (modified) (4 diffs)
dosmode.c (modified) (4 diffs)
msdfs.c (modified) (3 diffs)
nttrans.c (modified) (4 diffs)
open.c (modified) (12 diffs)
password.c (modified) (1 diff)
posix_acls.c (modified) (9 diffs)
process.c (modified) (2 diffs)
uid.c (modified) (1 diff)
vfs.c (modified) (4 diffs)

Legend:

: Unmodified
: Added
: Removed

vendor/current/source3/smbd/conn.c

r414	r594
198	198	pipes_struct *plist = NULL;
199	199	connection_struct *conn;
	200	bool ret = true;
200	201
201	202	if (deadtime <= 0)
…	…
210	211	conn->lastused = t;
211	212	conn->lastused_count = t;
	213	age = 0;
212	214	}
213	215
…	…
218	220
219	221	if (conn->num_files_open > 0 \|\| age < deadtime) {
220		ret~~urn F~~alse;
	222	ret = false;
221	223	}
222	224	}
…	…
230	232	plist = get_next_internal_pipe(plist)) {
231	233	if (num_pipe_handles(plist->pipe_handles) != 0) {
232		return False;
	234	ret = false;
	235	break;
233	236	}
234	237	}
235	238
236		return ~~True~~;
	239	return ret;
237	240	}
238	241

vendor/current/source3/smbd/dosmode.c

-              r414
+              r594
                  */
                 if (!NT_STATUS_IS_OK(open_file_fchmod(NULL, conn, smb_fname,
+                if (!NT_STATUS_IS_OK(open_file_fchmod(conn, smb_fname,
                                                       &fsp)))
                         return ret;
 …
+                }
                 unbecome_root();
                 close_file_fchmod(NULL, fsp);
+                close_file(NULL, fsp, NORMAL_CLOSE);
                 return ret;
+        }
 …
                  * still in our current user context. This ensures we
                  * are not violating security in doing the fchmod.
-                 * This file open does *not* break any oplocks we are
-                 * holding. We need to review this.... may need to
-                 * break batch oplocks open by others. JRA.
                  */
                 files_struct *fsp;
                 if (!NT_STATUS_IS_OK(open_file_fchmod(NULL, conn, smb_fname,
+                if (!NT_STATUS_IS_OK(open_file_fchmod(conn, smb_fname,
                                      &fsp)))
                         return -1;
 …
                 ret = SMB_VFS_FCHMOD(fsp, unixmode);
                 unbecome_root();
                 close_file_fchmod(NULL, fsp);
+                close_file(NULL, fsp, NORMAL_CLOSE);
                 if (!newfile) {
                         notify_fname(conn, NOTIFY_ACTION_MODIFIED,

vendor/current/source3/smbd/msdfs.c

-              r478
+              r594
 NTSTATUS get_referred_path(TALLOC_CTX *ctx,
+                        struct auth_serversupplied_info *server_info,
                         const char *dfs_path,
                         struct junction_map *jucn,
 …
         status = create_conn_struct(ctx, &conn, snum, lp_pathname(snum),
                                     NULL, &oldpath);
+                                    server_info, &oldpath);
         if (!NT_STATUS_IS_OK(status)) {
                 TALLOC_FREE(pdp);
 …
         /* The following call can change cwd. */
+        *pstatus = get_referred_path(ctx, pathnamep, junction,
+                        &consumedcnt, &self_referral);
+        *pstatus = get_referred_path(ctx, orig_conn->server_info,
+                                     pathnamep, junction,
+                                     &consumedcnt, &self_referral);
         if (!NT_STATUS_IS_OK(*pstatus)) {
                 vfs_ChDir(orig_conn,orig_conn->connectpath);

vendor/current/source3/smbd/nttrans.c

-              r581
+              r594
         NTSTATUS status;
+        if (sd_len == 0 || !lp_nt_acl_support(SNUM(fsp->conn))) {
+        if (sd_len == 0) {
+                return NT_STATUS_INVALID_PARAMETER;
+        }
+        if (!CAN_WRITE(fsp->conn)) {
+                return NT_STATUS_ACCESS_DENIED;
+        }
+        if (!lp_nt_acl_support(SNUM(fsp->conn))) {
                 return NT_STATUS_OK;
+        }
 …
+        }
+        /* Convert all the generic bits. */
+        security_acl_map_generic(psd->dacl, &file_generic_mapping);
+        security_acl_map_generic(psd->sacl, &file_generic_mapping);
+        /* Ensure we have at least one thing set. */
+        if ((security_info_sent & (SECINFO_OWNER|SECINFO_GROUP|SECINFO_DACL|SECINFO_SACL)) == 0) {
+                return NT_STATUS_INVALID_PARAMETER;
+        }
+        /* Ensure we have the rights to do this. */
+        if (security_info_sent & SECINFO_OWNER) {
+                if (!(fsp->access_mask & SEC_STD_WRITE_OWNER)) {
+                        return NT_STATUS_ACCESS_DENIED;
+                }
+        }
+        if (security_info_sent & SECINFO_GROUP) {
+                if (!(fsp->access_mask & SEC_STD_WRITE_OWNER)) {
+                        return NT_STATUS_ACCESS_DENIED;
+                }
+        }
+        if (security_info_sent & SECINFO_DACL) {
+                if (!(fsp->access_mask & SEC_STD_WRITE_DAC)) {
+                        return NT_STATUS_ACCESS_DENIED;
+                }
+                /* Convert all the generic bits. */
+                if (psd->dacl) {
+                        security_acl_map_generic(psd->dacl, &file_generic_mapping);
+                }
+        }
+        if (security_info_sent & SECINFO_SACL) {
+                if (!(fsp->access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
+                        return NT_STATUS_ACCESS_DENIED;
+                }
+                /* Convert all the generic bits. */
+                if (psd->sacl) {
+                        security_acl_map_generic(psd->sacl, &file_generic_mapping);
+                }
+        }
         if (DEBUGLEVEL >= 10) {
 …
          */
+        if ((security_info_wanted & SECINFO_SACL) &&
+                        !(fsp->access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
+                reply_nterror(req,  NT_STATUS_ACCESS_DENIED);
+                return;
+        }
+        if ((security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|SECINFO_GROUP)) &&
+                        !(fsp->access_mask & SEC_STD_READ_CONTROL)) {
+                reply_nterror(req, NT_STATUS_ACCESS_DENIED);
+                return;
+        }
         if (!lp_nt_acl_support(SNUM(conn))) {
                 status = get_null_nt_acl(talloc_tos(), &psd);
 …
                 reply_nterror(req, status);
                 return;
+        }
+        if (!(security_info_wanted & SECINFO_OWNER)) {
+                psd->owner_sid = NULL;
+        }
+        if (!(security_info_wanted & SECINFO_GROUP)) {
+                psd->group_sid = NULL;
+        }
+        if (!(security_info_wanted & SECINFO_DACL)) {
+                psd->dacl = NULL;
+        }
+        if (!(security_info_wanted & SECINFO_SACL)) {
+                psd->sacl = NULL;
+        }

vendor/current/source3/smbd/open.c

-              r587
+              r594
 #include "smbd/globals.h"
+extern struct current_user current_user;
 extern const struct generic_mapping file_generic_mapping;
 …
         ZERO_STRUCT(id);
+        /* Windows allows a new file to be created and
+           silently removes a FILE_ATTRIBUTE_DIRECTORY
+           sent by the client. Do the same. */
+        new_dos_attributes &= ~FILE_ATTRIBUTE_DIRECTORY;
         if (conn->printer) {
                 /*
 …
         if ((flags2 & O_CREAT) && lp_inherit_acls(SNUM(conn)) &&
             (def_acl = directory_has_default_acl(conn, parent_dir))) {
                 unx_mode = 0777;
+                unx_mode = (0777 & lp_create_mask(SNUM(conn)));
+        }
 …
 ****************************************************************************/
 NTSTATUS open_file_fchmod(struct smb_request *req, connection_struct *conn,
+NTSTATUS open_file_fchmod(connection_struct *conn,
                           struct smb_filename *smb_fname,
                           files_struct **result)
+{
-        files_struct *fsp = NULL;
-        NTSTATUS status;
         if (!VALID_STAT(smb_fname->st)) {
                 return NT_STATUS_INVALID_PARAMETER;
+        }
+        status = file_new(req, conn, &fsp);
+        if(!NT_STATUS_IS_OK(status)) {
+                return status;
+        }
+        status = SMB_VFS_CREATE_FILE(
+        return SMB_VFS_CREATE_FILE(
                 conn,                                   /* conn */
                 NULL,                                   /* req */
 …
 ,                                      /* create_options */
 ,                                      /* file_attributes */
 ,                                      /* oplock_request */
+                INTERNAL_OPEN_ONLY,                     /* oplock_request */
 ,                                      /* allocation_size */
                 NULL,                                   /* sd */
                 NULL,                                   /* ea_list */
                 &fsp,                                   /* result */
+                result,                                 /* result */
                 NULL);                                  /* pinfo */
-        /*
-         * This is not a user visible file open.
-         * Don't set a share mode.
-         */
-        if (!NT_STATUS_IS_OK(status)) {
-                file_free(req, fsp);
-                return status;
+        }
-        *result = fsp;
-        return NT_STATUS_OK;
+}
-/****************************************************************************
- Close the fchmod file fd - ensure no locks are lost.
-****************************************************************************/
-NTSTATUS close_file_fchmod(struct smb_request *req, files_struct *fsp)
+{
-        NTSTATUS status = fd_close(fsp);
-        file_free(req, fsp);
-        return status;
+}
 …
         SMB_ASSERT(!is_ntfs_stream_smb_fname(smb_dname));
+        /* Ensure we have a directory attribute. */
+        file_attributes |= FILE_ATTRIBUTE_DIRECTORY;
         DEBUG(5,("open_directory: opening directory %s, access_mask = 0x%x, "
                  "share_access = 0x%x create_options = 0x%x, "
 …
+        }
         /* We need to support SeSecurityPrivilege for this. */
         if (access_mask & SEC_FLAG_SYSTEM_SECURITY) {
+        if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) &&
+                        !user_has_privileges(current_user.nt_user_token, &se_security)) {
                 DEBUG(10, ("open_directory: open on %s "
                         "failed - SEC_FLAG_SYSTEM_SECURITY denied.\n",
 …
+        }
-#if 0
-        /* We need to support SeSecurityPrivilege for this. */
         if ((access_mask & SEC_FLAG_SYSTEM_SECURITY) &&
+            !user_has_privileges(current_user.nt_user_token,
+                                 &se_security)) {
+                        !user_has_privileges(current_user.nt_user_token, &se_security)) {
+                DEBUG(10, ("create_file_unixpath:: open on %s "
+                        "failed - SEC_FLAG_SYSTEM_SECURITY denied.\n",
+                        smb_fname_str_dbg(smb_fname)));
                 status = NT_STATUS_PRIVILEGE_NOT_HELD;
                 goto fail;
+        }
-#else
-        /* We need to support SeSecurityPrivilege for this. */
-        if (access_mask & SEC_FLAG_SYSTEM_SECURITY) {
-                status = NT_STATUS_PRIVILEGE_NOT_HELD;
-                goto fail;
+        }
-        /* Don't allow a SACL set from an NTtrans create until we
-         * support SeSecurityPrivilege. */
-        if (!VALID_STAT(smb_fname->st) &&
-                        lp_nt_acl_support(SNUM(conn)) &&
-                        sd && (sd->sacl != NULL)) {
-                status = NT_STATUS_PRIVILEGE_NOT_HELD;
-                goto fail;
+        }
-#endif
         if ((conn->fs_capabilities & FILE_NAMED_STREAMS)
 …
                                    struct smb_request *req,
                                    uint16_t root_dir_fid,
+                                   struct smb_filename *smb_fname)
+                                   const struct smb_filename *smb_fname,
+                                   struct smb_filename **smb_fname_out)
+{
         files_struct *dir_fsp;
 …
+        }
         new_base_name = talloc_asprintf(smb_fname, "%s%s", parent_fname,
+        new_base_name = talloc_asprintf(talloc_tos(), "%s%s", parent_fname,
                                         smb_fname->base_name);
         if (new_base_name == NULL) {
 …
+        }
+        TALLOC_FREE(smb_fname->base_name);
+        smb_fname->base_name = new_base_name;
+        status = NT_STATUS_OK;
+        status = filename_convert(req,
+                                conn,
+                                req->flags2 & FLAGS2_DFS_PATHNAMES,
+                                new_base_name,
+,
+                                NULL,
+                                smb_fname_out);
+        if (!NT_STATUS_IS_OK(status)) {
+                goto out;
+        }
  out:
 …
         if (root_dir_fid != 0) {
+                struct smb_filename *smb_fname_out = NULL;
                 status = get_relative_fid_filename(conn, req, root_dir_fid,
                                                    smb_fname);
+                                                   smb_fname, &smb_fname_out);
                 if (!NT_STATUS_IS_OK(status)) {
                         goto fail;
+                }
+                smb_fname = smb_fname_out;
+        }

vendor/current/source3/smbd/password.c

r414	r594
211	211	}
212	212
213		pwd = ~~getp~~wnam_alloc(talloc_tos(), username);
	213	pwd = Get_Pwnam_alloc(talloc_tos(), username);
214	214
215	215	if ((pwd == NULL) \|\| (pwd->pw_dir[0] == '\0')) {

vendor/current/source3/smbd/posix_acls.c

-              r427
+              r594
                                            sid_string_dbg(&psa->trustee)));
                                 SAFE_FREE(current_ace);
+                                continue;
+                        }
+                        if (lp_force_unknown_acl_user(SNUM(fsp->conn))) {
+                                DEBUG(10, ("create_canon_ace_lists: ignoring "
+                                        "unknown or foreign SID %s\n",
+                                        sid_string_dbg(&psa->trustee)));
+                                        SAFE_FREE(current_ace);
                                 continue;
+                        }
 …
+        }
         if (!NT_STATUS_IS_OK(open_file_fchmod(NULL, conn, smb_fname, &fsp))) {
+        if (!NT_STATUS_IS_OK(open_file_fchmod(conn, smb_fname, &fsp))) {
                 return -1;
+        }
 …
         unbecome_root();
         close_file_fchmod(NULL, fsp);
+        close_file(NULL, fsp, NORMAL_CLOSE);
         return ret;
 …
 ****************************************************************************/
 NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC *psd)
+NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC *psd_orig)
+{
         connection_struct *conn = fsp->conn;
 …
         bool acl_set_support = false;
         bool ret = false;
+        SEC_DESC *psd = NULL;
         DEBUG(10,("set_nt_acl: called for file %s\n",
 …
+        }
+        if (!psd_orig) {
+                return NT_STATUS_INVALID_PARAMETER;
+        }
+        psd = dup_sec_desc(talloc_tos(), psd_orig);
+        if (!psd) {
+                return NT_STATUS_NO_MEMORY;
+        }
         /*
          * Get the current state of the file.
 …
          * Unpack the user/group/world id's.
          */
+        /* POSIX can't cope with missing owner/group. */
+        if ((security_info_sent & SECINFO_OWNER) && (psd->owner_sid == NULL)) {
+                security_info_sent &= ~SECINFO_OWNER;
+        }
+        if ((security_info_sent & SECINFO_GROUP) && (psd->group_sid == NULL)) {
+                security_info_sent &= ~SECINFO_GROUP;
+        }
         status = unpack_nt_owners( SNUM(conn), &user, &grp, security_info_sent, psd);
 …
         create_file_sids(&fsp->fsp_name->st, &file_owner_sid, &file_grp_sid);
+        if((security_info_sent & SECINFO_DACL) &&
+                        (psd->type & SEC_DESC_DACL_PRESENT) &&
+                        (psd->dacl == NULL)) {
+                SEC_ACE ace[3];
+                /* We can't have NULL DACL in POSIX.
+                   Use owner/group/Everyone -> full access. */
+                init_sec_ace(&ace[0],
+                                &file_owner_sid,
+                                SEC_ACE_TYPE_ACCESS_ALLOWED,
+                                GENERIC_ALL_ACCESS,
+);
+                init_sec_ace(&ace[1],
+                                &file_grp_sid,
+                                SEC_ACE_TYPE_ACCESS_ALLOWED,
+                                GENERIC_ALL_ACCESS,
+);
+                init_sec_ace(&ace[2],
+                                &global_sid_World,
+                                SEC_ACE_TYPE_ACCESS_ALLOWED,
+                                GENERIC_ALL_ACCESS,
+);
+                psd->dacl = make_sec_acl(talloc_tos(),
+                                        NT4_ACL_REVISION,
+,
+                                        ace);
+                if (psd->dacl == NULL) {
+                        return NT_STATUS_NO_MEMORY;
+                }
+                security_acl_map_generic(psd->dacl, &file_generic_mapping);
+        }
         acl_perms = unpack_canon_ace(fsp, &fsp->fsp_name->st, &file_owner_sid,
 …
         return ret_sd;
+}
+/* Stolen shamelessly from pvfs_default_acl() in source4 :-). */
+NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx,
+                                        const char *name,
+                                        SMB_STRUCT_STAT *psbuf,
+                                        SEC_DESC **ppdesc)
+{
+        struct dom_sid owner_sid, group_sid;
+        size_t size = 0;
+        SEC_ACE aces[4];
+        uint32_t access_mask = 0;
+        mode_t mode = psbuf->st_ex_mode;
+        SEC_ACL *new_dacl = NULL;
+        int idx = 0;
+        DEBUG(10,("make_default_filesystem_acl: file %s mode = 0%o\n",
+                name, (int)mode ));
+        uid_to_sid(&owner_sid, psbuf->st_ex_uid);
+        gid_to_sid(&group_sid, psbuf->st_ex_gid);
+        /*
+         We provide up to 4 ACEs
+                - Owner
+                - Group
+                - Everyone
+                - NT System
+        */
+        if (mode & S_IRUSR) {
+                if (mode & S_IWUSR) {
+                        access_mask |= SEC_RIGHTS_FILE_ALL;
+                } else {
+                        access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
+                }
+        }
+        if (mode & S_IWUSR) {
+                access_mask |= SEC_RIGHTS_FILE_WRITE | SEC_STD_DELETE;
+        }
+        init_sec_ace(&aces[idx],
+                        &owner_sid,
+                        SEC_ACE_TYPE_ACCESS_ALLOWED,
+                        access_mask,
+);
+        idx++;
+        access_mask = 0;
+        if (mode & S_IRGRP) {
+                access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
+        }
+        if (mode & S_IWGRP) {
+                /* note that delete is not granted - this matches posix behaviour */
+                access_mask |= SEC_RIGHTS_FILE_WRITE;
+        }
+        if (access_mask) {
+                init_sec_ace(&aces[idx],
+                        &group_sid,
+                        SEC_ACE_TYPE_ACCESS_ALLOWED,
+                        access_mask,
+);
+                idx++;
+        }
+        access_mask = 0;
+        if (mode & S_IROTH) {
+                access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE;
+        }
+        if (mode & S_IWOTH) {
+                access_mask |= SEC_RIGHTS_FILE_WRITE;
+        }
+        if (access_mask) {
+                init_sec_ace(&aces[idx],
+                        &global_sid_World,
+                        SEC_ACE_TYPE_ACCESS_ALLOWED,
+                        access_mask,
+);
+                idx++;
+        }
+        init_sec_ace(&aces[idx],
+                        &global_sid_System,
+                        SEC_ACE_TYPE_ACCESS_ALLOWED,
+                        SEC_RIGHTS_FILE_ALL,
+);
+        idx++;
+        new_dacl = make_sec_acl(ctx,
+                        NT4_ACL_REVISION,
+                        idx,
+                        aces);
+        if (!new_dacl) {
+                return NT_STATUS_NO_MEMORY;
+        }
+        *ppdesc = make_sec_desc(ctx,
+                        SECURITY_DESCRIPTOR_REVISION_1,
+                        SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
+                        &owner_sid,
+                        &group_sid,
+                        NULL,
+                        new_dacl,
+                        &size);
+        if (!*ppdesc) {
+                return NT_STATUS_NO_MEMORY;
+        }
+        return NT_STATUS_OK;
+}

vendor/current/source3/smbd/process.c

-              r587
+              r594
                 END_PROFILE(smbd_idle);
                 errno = sav;
+        }
+        if (selrtn == -1 && errno != EINTR) {
+                return map_nt_error_from_unix(errno);
+        }
 …
                  * may have updated them.
                  */
                 SCVAL(req->chain_outbuf, smb_tid, CVAL(req->outbuf, smb_tid));
                 SCVAL(req->chain_outbuf, smb_uid, CVAL(req->outbuf, smb_uid));
+                SSVAL(req->chain_outbuf, smb_tid, SVAL(req->outbuf, smb_tid));
+                SSVAL(req->chain_outbuf, smb_uid, SVAL(req->outbuf, smb_uid));
                 if (!smb_splice_chain(&req->chain_outbuf,

vendor/current/source3/smbd/uid.c

r414	r594
32	32	struct passwd *pass;
33	33
34		pass = ~~getp~~wnam_alloc(talloc_autofree_context(), lp_guestaccount());
	34	pass = Get_Pwnam_alloc(talloc_autofree_context(), lp_guestaccount());
35	35	if (!pass) {
36	36	return false;

vendor/current/source3/smbd/vfs.c

-              r414
+              r594
+        }
+#ifdef S_ISFIFO
+        if (S_ISFIFO(st.st_ex_mode)) {
+                return 0;
+        }
+#endif
         DEBUG(10,("vfs_fill_sparse: write zeros in file %s from len %.0f to "
                   "len %.0f (%.0f bytes)\n", fsp_str_dbg(fsp),
 …
         flush_write_cache(fsp, SIZECHANGE_FLUSH);
+        offset = st.st_ex_size;
+        num_to_write = len - st.st_ex_size;
+        /* Only do this on non-stream file handles. */
+        if (fsp->base_fsp == NULL) {
+                /* for allocation try posix_fallocate first. This can fail on some
+                 * platforms e.g. when the filesystem doesn't support it and no
+                 * emulation is being done by the libc (like on AIX with JFS1). In that
+                 * case we do our own emulation. posix_fallocate implementations can
+                 * return ENOTSUP or EINVAL in cases like that. */
+                ret = sys_posix_fallocate(fsp->fh->fd, offset, num_to_write);
+                if (ret == ENOSPC) {
+                        errno = ENOSPC;
+                        ret = -1;
+                        goto out;
+                }
+                if (ret == 0) {
+                        set_filelen_write_cache(fsp, len);
+                        goto out;
+                }
+                DEBUG(10,("vfs_fill_sparse: sys_posix_fallocate failed with "
+                        "error %d. Falling back to slow manual allocation\n", ret));
+        }
         if (!sparse_buf) {
 …
+        }
-        offset = st.st_ex_size;
-        num_to_write = len - st.st_ex_size;
         total = 0;
 …
+                        }
                         default:
                                 DEBUG(1,("check_reduced_name: couldn't get "
+                                DEBUG(3,("check_reduced_name: couldn't get "
                                          "realpath for %s\n", fname));
                                 return map_nt_error_from_unix(errno);

Note: See TracChangeset for help on using the changeset viewer.

Download in other formats: