Changeset 989 for vendor/current/source3/modules
- Timestamp:
- Nov 25, 2016, 8:04:54 PM (9 years ago)
- Location:
- vendor/current/source3/modules
- Files:
-
- 11 edited
-
getdate.c (modified) (1 diff)
-
getdate.y (modified) (1 diff)
-
vfs_acl_common.c (modified) (28 diffs)
-
vfs_acl_tdb.c (modified) (3 diffs)
-
vfs_acl_xattr.c (modified) (2 diffs)
-
vfs_ceph.c (modified) (1 diff)
-
vfs_default.c (modified) (1 diff)
-
vfs_fake_dfq.c (modified) (4 diffs)
-
vfs_fruit.c (modified) (3 diffs)
-
vfs_glusterfs.c (modified) (2 diffs)
-
vfs_shadow_copy2.c (modified) (3 diffs)
Legend:
- Unmodified
- Added
- Removed
-
vendor/current/source3/modules/getdate.c
r414 r989 182 182 #endif 183 183 184 #if __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 8) || __STRICT_ANSI__184 #ifndef HAVE___ATTRIBUTE__ 185 185 # define __attribute__(x) 186 186 #endif -
vendor/current/source3/modules/getdate.y
r414 r989 73 73 #endif 74 74 75 #if __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 8) || __STRICT_ANSI__75 #ifndef HAVE___ATTRIBUTE__ 76 76 # define __attribute__(x) 77 77 #endif -
vendor/current/source3/modules/vfs_acl_common.c
r988 r989 25 25 #include "../librpc/gen_ndr/ndr_security.h" 26 26 #include "../lib/util/bitmap.h" 27 #include "passdb/lookup_sid.h" 27 28 28 29 static NTSTATUS create_acl_blob(const struct security_descriptor *psd, … … 45 46 SECINFO_DACL | \ 46 47 SECINFO_SACL) 48 49 enum default_acl_style {DEFAULT_ACL_POSIX, DEFAULT_ACL_WINDOWS}; 50 51 static const struct enum_list default_acl_style[] = { 52 {DEFAULT_ACL_POSIX, "posix"}, 53 {DEFAULT_ACL_WINDOWS, "windows"} 54 }; 55 56 struct acl_common_config { 57 bool ignore_system_acls; 58 enum default_acl_style default_acl_style; 59 }; 60 61 static bool init_acl_common_config(vfs_handle_struct *handle) 62 { 63 struct acl_common_config *config = NULL; 64 65 config = talloc_zero(handle->conn, struct acl_common_config); 66 if (config == NULL) { 67 DBG_ERR("talloc_zero() failed\n"); 68 errno = ENOMEM; 69 return false; 70 } 71 72 config->ignore_system_acls = lp_parm_bool(SNUM(handle->conn), 73 ACL_MODULE_NAME, 74 "ignore system acls", 75 false); 76 config->default_acl_style = lp_parm_enum(SNUM(handle->conn), 77 ACL_MODULE_NAME, 78 "default acl style", 79 default_acl_style, 80 DEFAULT_ACL_POSIX); 81 82 SMB_VFS_HANDLE_SET_DATA(handle, config, NULL, 83 struct acl_common_config, 84 return false); 85 86 return true; 87 } 88 47 89 48 90 /******************************************************************* … … 103 145 104 146 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { 105 D EBUG(5, ("parse_acl_blob:ndr_pull_xattr_NTACL failed: %s\n",106 ndr_errstr(ndr_err)));147 DBG_INFO("ndr_pull_xattr_NTACL failed: %s\n", 148 ndr_errstr(ndr_err)); 107 149 TALLOC_FREE(frame); 108 150 return ndr_map_error2ntstatus(ndr_err); … … 200 242 201 243 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { 202 D EBUG(5, ("create_acl_blob:ndr_push_xattr_NTACL failed: %s\n",203 ndr_errstr(ndr_err)));244 DBG_INFO("ndr_push_xattr_NTACL failed: %s\n", 245 ndr_errstr(ndr_err)); 204 246 return ndr_map_error2ntstatus(ndr_err); 205 247 } … … 246 288 247 289 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { 248 D EBUG(5, ("create_acl_blob:ndr_push_xattr_NTACL failed: %s\n",249 ndr_errstr(ndr_err)));290 DBG_INFO("ndr_push_xattr_NTACL failed: %s\n", 291 ndr_errstr(ndr_err)); 250 292 return ndr_map_error2ntstatus(ndr_err); 251 293 } … … 304 346 mode = dir_mode | file_mode; 305 347 306 DEBUG(10, ("add_directory_inheritable_components: directory %s, " 307 "mode = 0%o\n", 308 name, 309 (unsigned int)mode )); 348 DBG_DEBUG("directory %s, mode = 0%o\n", name, (unsigned int)mode); 310 349 311 350 if (num_aces) { … … 359 398 } 360 399 361 /******************************************************************* 362 Pull a DATA_BLOB from an xattr given a pathname. 363 If the hash doesn't match, or doesn't exist - return the underlying 364 filesystem sd. 365 *******************************************************************/ 366 367 static NTSTATUS get_nt_acl_internal(vfs_handle_struct *handle, 368 files_struct *fsp, 369 const char *name, 370 uint32_t security_info, 371 TALLOC_CTX *mem_ctx, 372 struct security_descriptor **ppdesc) 373 { 374 DATA_BLOB blob = data_blob_null; 400 static NTSTATUS make_default_acl_posix(TALLOC_CTX *ctx, 401 const char *name, 402 SMB_STRUCT_STAT *psbuf, 403 struct security_descriptor **ppdesc) 404 { 405 struct dom_sid owner_sid, group_sid; 406 size_t size = 0; 407 struct security_ace aces[4]; 408 uint32_t access_mask = 0; 409 mode_t mode = psbuf->st_ex_mode; 410 struct security_acl *new_dacl = NULL; 411 int idx = 0; 412 413 DBG_DEBUG("file %s mode = 0%o\n",name, (int)mode); 414 415 uid_to_sid(&owner_sid, psbuf->st_ex_uid); 416 gid_to_sid(&group_sid, psbuf->st_ex_gid); 417 418 /* 419 We provide up to 4 ACEs 420 - Owner 421 - Group 422 - Everyone 423 - NT System 424 */ 425 426 if (mode & S_IRUSR) { 427 if (mode & S_IWUSR) { 428 access_mask |= SEC_RIGHTS_FILE_ALL; 429 } else { 430 access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE; 431 } 432 } 433 if (mode & S_IWUSR) { 434 access_mask |= SEC_RIGHTS_FILE_WRITE | SEC_STD_DELETE; 435 } 436 437 init_sec_ace(&aces[idx], 438 &owner_sid, 439 SEC_ACE_TYPE_ACCESS_ALLOWED, 440 access_mask, 441 0); 442 idx++; 443 444 access_mask = 0; 445 if (mode & S_IRGRP) { 446 access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE; 447 } 448 if (mode & S_IWGRP) { 449 /* note that delete is not granted - this matches posix behaviour */ 450 access_mask |= SEC_RIGHTS_FILE_WRITE; 451 } 452 if (access_mask) { 453 init_sec_ace(&aces[idx], 454 &group_sid, 455 SEC_ACE_TYPE_ACCESS_ALLOWED, 456 access_mask, 457 0); 458 idx++; 459 } 460 461 access_mask = 0; 462 if (mode & S_IROTH) { 463 access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE; 464 } 465 if (mode & S_IWOTH) { 466 access_mask |= SEC_RIGHTS_FILE_WRITE; 467 } 468 if (access_mask) { 469 init_sec_ace(&aces[idx], 470 &global_sid_World, 471 SEC_ACE_TYPE_ACCESS_ALLOWED, 472 access_mask, 473 0); 474 idx++; 475 } 476 477 init_sec_ace(&aces[idx], 478 &global_sid_System, 479 SEC_ACE_TYPE_ACCESS_ALLOWED, 480 SEC_RIGHTS_FILE_ALL, 481 0); 482 idx++; 483 484 new_dacl = make_sec_acl(ctx, 485 NT4_ACL_REVISION, 486 idx, 487 aces); 488 489 if (!new_dacl) { 490 return NT_STATUS_NO_MEMORY; 491 } 492 493 *ppdesc = make_sec_desc(ctx, 494 SECURITY_DESCRIPTOR_REVISION_1, 495 SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT, 496 &owner_sid, 497 &group_sid, 498 NULL, 499 new_dacl, 500 &size); 501 if (!*ppdesc) { 502 return NT_STATUS_NO_MEMORY; 503 } 504 return NT_STATUS_OK; 505 } 506 507 static NTSTATUS make_default_acl_windows(TALLOC_CTX *ctx, 508 const char *name, 509 SMB_STRUCT_STAT *psbuf, 510 struct security_descriptor **ppdesc) 511 { 512 struct dom_sid owner_sid, group_sid; 513 size_t size = 0; 514 struct security_ace aces[4]; 515 uint32_t access_mask = 0; 516 mode_t mode = psbuf->st_ex_mode; 517 struct security_acl *new_dacl = NULL; 518 int idx = 0; 519 520 DBG_DEBUG("file [%s] mode [0%o]\n", name, (int)mode); 521 522 uid_to_sid(&owner_sid, psbuf->st_ex_uid); 523 gid_to_sid(&group_sid, psbuf->st_ex_gid); 524 525 /* 526 * We provide 2 ACEs: 527 * - Owner 528 * - NT System 529 */ 530 531 if (mode & S_IRUSR) { 532 if (mode & S_IWUSR) { 533 access_mask |= SEC_RIGHTS_FILE_ALL; 534 } else { 535 access_mask |= SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE; 536 } 537 } 538 if (mode & S_IWUSR) { 539 access_mask |= SEC_RIGHTS_FILE_WRITE | SEC_STD_DELETE; 540 } 541 542 init_sec_ace(&aces[idx], 543 &owner_sid, 544 SEC_ACE_TYPE_ACCESS_ALLOWED, 545 access_mask, 546 0); 547 idx++; 548 549 init_sec_ace(&aces[idx], 550 &global_sid_System, 551 SEC_ACE_TYPE_ACCESS_ALLOWED, 552 SEC_RIGHTS_FILE_ALL, 553 0); 554 idx++; 555 556 new_dacl = make_sec_acl(ctx, 557 NT4_ACL_REVISION, 558 idx, 559 aces); 560 561 if (!new_dacl) { 562 return NT_STATUS_NO_MEMORY; 563 } 564 565 *ppdesc = make_sec_desc(ctx, 566 SECURITY_DESCRIPTOR_REVISION_1, 567 SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT, 568 &owner_sid, 569 &group_sid, 570 NULL, 571 new_dacl, 572 &size); 573 if (!*ppdesc) { 574 return NT_STATUS_NO_MEMORY; 575 } 576 return NT_STATUS_OK; 577 } 578 579 static NTSTATUS make_default_filesystem_acl(TALLOC_CTX *ctx, 580 struct acl_common_config *config, 581 const char *name, 582 SMB_STRUCT_STAT *psbuf, 583 struct security_descriptor **ppdesc) 584 { 585 NTSTATUS status; 586 587 switch (config->default_acl_style) { 588 589 case DEFAULT_ACL_POSIX: 590 status = make_default_acl_posix(ctx, name, psbuf, ppdesc); 591 break; 592 593 case DEFAULT_ACL_WINDOWS: 594 status = make_default_acl_windows(ctx, name, psbuf, ppdesc); 595 break; 596 597 default: 598 DBG_ERR("unknown acl style %d", config->default_acl_style); 599 status = NT_STATUS_INTERNAL_ERROR; 600 break; 601 } 602 603 return status; 604 } 605 606 /** 607 * Validate an ACL blob 608 * 609 * This validates an ACL blob against the underlying filesystem ACL. If this 610 * function returns NT_STATUS_OK ppsd can be 611 * 612 * 1. the ACL from the blob (psd_from_fs=false), or 613 * 2. the ACL from the fs (psd_from_fs=true), or 614 * 3. NULL (!) 615 * 616 * If the return value is anything else then NT_STATUS_OK, ppsd is set to NULL 617 * and psd_from_fs set to false. 618 * 619 * Returning the underlying filesystem ACL in case no. 2 is really just an 620 * optimisation, because some validations have to fetch the filesytem ACL as 621 * part of the validation, so we already have it available and callers might 622 * need it as well. 623 **/ 624 static NTSTATUS validate_nt_acl_blob(TALLOC_CTX *mem_ctx, 625 vfs_handle_struct *handle, 626 files_struct *fsp, 627 const char *name, 628 const DATA_BLOB *blob, 629 struct security_descriptor **ppsd, 630 bool *psd_is_from_fs) 631 { 375 632 NTSTATUS status; 376 633 uint16_t hash_type = XATTR_SD_HASH_TYPE_NONE; … … 381 638 uint8_t sys_acl_hash_tmp[XATTR_SD_HASH_SIZE]; 382 639 struct security_descriptor *psd = NULL; 383 struct security_descriptor *pdesc_next = NULL; 384 bool ignore_file_system_acl = lp_parm_bool(SNUM(handle->conn), 385 ACL_MODULE_NAME, 386 "ignore system acls", 387 false); 388 TALLOC_CTX *frame = talloc_stackframe(); 389 390 if (fsp && name == NULL) { 391 name = fsp->fsp_name->base_name; 392 } 393 394 DEBUG(10, ("get_nt_acl_internal: name=%s\n", name)); 395 396 status = get_acl_blob(frame, handle, fsp, name, &blob); 640 struct security_descriptor *psd_blob = NULL; 641 struct security_descriptor *psd_fs = NULL; 642 char *sys_acl_blob_description = NULL; 643 DATA_BLOB sys_acl_blob = { 0 }; 644 struct acl_common_config *config = NULL; 645 646 *ppsd = NULL; 647 *psd_is_from_fs = false; 648 649 SMB_VFS_HANDLE_GET_DATA(handle, config, 650 struct acl_common_config, 651 return NT_STATUS_UNSUCCESSFUL); 652 653 status = parse_acl_blob(blob, 654 mem_ctx, 655 &psd_blob, 656 &hash_type, 657 &xattr_version, 658 &hash[0], 659 &sys_acl_hash[0]); 660 397 661 if (!NT_STATUS_IS_OK(status)) { 398 DEBUG(10, ("get_nt_acl_internal: get_acl_blob returned %s\n", 399 nt_errstr(status))); 400 psd = NULL; 401 goto out; 402 } else { 403 status = parse_acl_blob(&blob, mem_ctx, &psd, 404 &hash_type, &xattr_version, &hash[0], &sys_acl_hash[0]); 405 if (!NT_STATUS_IS_OK(status)) { 406 DEBUG(10, ("parse_acl_blob returned %s\n", 407 nt_errstr(status))); 408 psd = NULL; 409 goto out; 410 } 411 } 412 413 /* Ensure we don't leak psd if we don't choose it. 414 * 415 * We don't allocate it onto frame as it is preferred not to 416 * steal from a talloc pool. 417 */ 418 talloc_steal(frame, psd); 662 DBG_DEBUG("parse_acl_blob returned %s\n", nt_errstr(status)); 663 goto fail; 664 } 419 665 420 666 /* determine which type of xattr we got */ … … 426 672 * the NTVFS file server uses version 1, but 427 673 * 'samba-tool ntacl' can set these as well */ 428 goto out; 674 *ppsd = psd_blob; 675 return NT_STATUS_OK; 429 676 case 3: 430 677 case 4: 431 if (ignore_file_system_acl) { 432 goto out; 678 if (config->ignore_system_acls) { 679 *ppsd = psd_blob; 680 return NT_STATUS_OK; 433 681 } 434 682 435 683 break; 436 684 default: 437 DEBUG(10, ("get_nt_acl_internal: ACL blob revision " 438 "mismatch (%u) for file %s\n", 439 (unsigned int)hash_type, 440 name)); 441 TALLOC_FREE(psd); 442 psd = NULL; 443 goto out; 685 DBG_DEBUG("ACL blob revision mismatch (%u) for file %s\n", 686 (unsigned int)hash_type, name); 687 TALLOC_FREE(psd_blob); 688 return NT_STATUS_OK; 444 689 } 445 690 446 691 /* determine which type of xattr we got */ 447 692 if (hash_type != XATTR_SD_HASH_TYPE_SHA256) { 448 DEBUG(10, ("get_nt_acl_internal: ACL blob hash type " 449 "(%u) unexpected for file %s\n", 450 (unsigned int)hash_type, 451 name)); 452 TALLOC_FREE(psd); 453 psd = NULL; 454 goto out; 693 DBG_DEBUG("ACL blob hash type (%u) unexpected for file %s\n", 694 (unsigned int)hash_type, name); 695 TALLOC_FREE(psd_blob); 696 return NT_STATUS_OK; 455 697 } 456 698 … … 460 702 { 461 703 int ret; 462 char *sys_acl_blob_description;463 DATA_BLOB sys_acl_blob;464 704 if (fsp) { 465 705 /* Get the full underlying sd, then hash. */ 466 706 ret = SMB_VFS_NEXT_SYS_ACL_BLOB_GET_FD(handle, 467 707 fsp, 468 frame,708 mem_ctx, 469 709 &sys_acl_blob_description, 470 710 &sys_acl_blob); … … 473 713 ret = SMB_VFS_NEXT_SYS_ACL_BLOB_GET_FILE(handle, 474 714 name, 475 frame,715 mem_ctx, 476 716 &sys_acl_blob_description, 477 717 &sys_acl_blob); … … 483 723 status = hash_blob_sha256(sys_acl_blob, sys_acl_hash_tmp); 484 724 if (!NT_STATUS_IS_OK(status)) { 485 TALLOC_FREE(frame); 486 return status; 725 goto fail; 487 726 } 727 728 TALLOC_FREE(sys_acl_blob_description); 729 TALLOC_FREE(sys_acl_blob.data); 488 730 489 731 if (memcmp(&sys_acl_hash[0], &sys_acl_hash_tmp[0], 490 732 XATTR_SD_HASH_SIZE) == 0) { 491 733 /* Hash matches, return blob sd. */ 492 D EBUG(10, ("get_nt_acl_internal: blob hash "493 "matches for file %s\n",494 name ));495 goto out;734 DBG_DEBUG("blob hash matches for file %s\n", 735 name); 736 *ppsd = psd_blob; 737 return NT_STATUS_OK; 496 738 } 497 739 } … … 507 749 HASH_SECURITY_INFO, 508 750 mem_ctx, 509 &p desc_next);751 &psd_fs); 510 752 } else { 511 753 status = SMB_VFS_NEXT_GET_NT_ACL(handle, … … 513 755 HASH_SECURITY_INFO, 514 756 mem_ctx, 515 &p desc_next);757 &psd_fs); 516 758 } 517 759 518 760 if (!NT_STATUS_IS_OK(status)) { 519 DEBUG(10, ("get_nt_acl_internal: get_next_acl for file %s " 520 "returned %s\n", 521 name, 522 nt_errstr(status))); 523 TALLOC_FREE(frame); 524 return status; 525 } 526 527 /* Ensure we don't leak psd_next if we don't choose it. 528 * 529 * We don't allocate it onto frame as it is preferred not to 530 * steal from a talloc pool. 531 */ 532 talloc_steal(frame, pdesc_next); 533 534 status = hash_sd_sha256(pdesc_next, hash_tmp); 761 DBG_DEBUG("get_next_acl for file %s returned %s\n", 762 name, nt_errstr(status)); 763 goto fail; 764 } 765 766 status = hash_sd_sha256(psd_fs, hash_tmp); 535 767 if (!NT_STATUS_IS_OK(status)) { 536 TALLOC_FREE(psd); 537 psd = pdesc_next; 538 goto out; 768 TALLOC_FREE(psd_blob); 769 *ppsd = psd_fs; 770 *psd_is_from_fs = true; 771 return NT_STATUS_OK; 539 772 } 540 773 541 774 if (memcmp(&hash[0], &hash_tmp[0], XATTR_SD_HASH_SIZE) == 0) { 542 775 /* Hash matches, return blob sd. */ 543 DEBUG(10, ("get_nt_acl_internal: blob hash " 544 "matches for file %s\n", 545 name )); 546 goto out; 776 DBG_DEBUG("blob hash matches for file %s\n", name); 777 *ppsd = psd_blob; 778 return NT_STATUS_OK; 547 779 } 548 780 549 781 /* Hash doesn't match, return underlying sd. */ 550 DEBUG(10, ("get_nt_acl_internal: blob hash " 551 "does not match for file %s - returning " 552 "file system SD mapping.\n", 553 name )); 782 DBG_DEBUG("blob hash does not match for file %s - returning " 783 "file system SD mapping.\n", name); 554 784 555 785 if (DEBUGLEVEL >= 10) { 556 DEBUG(10,("get_nt_acl_internal: acl for blob hash for %s is:\n", 557 name )); 558 NDR_PRINT_DEBUG(security_descriptor, pdesc_next); 559 } 560 561 TALLOC_FREE(psd); 562 psd = pdesc_next; 563 } 564 out: 786 DBG_DEBUG("acl for blob hash for %s is:\n", name); 787 NDR_PRINT_DEBUG(security_descriptor, psd_fs); 788 } 789 790 TALLOC_FREE(psd_blob); 791 *ppsd = psd_fs; 792 *psd_is_from_fs = true; 793 } 794 795 return NT_STATUS_OK; 796 797 fail: 798 TALLOC_FREE(psd); 799 TALLOC_FREE(psd_blob); 800 TALLOC_FREE(psd_fs); 801 TALLOC_FREE(sys_acl_blob_description); 802 TALLOC_FREE(sys_acl_blob.data); 803 return status; 804 } 805 806 static NTSTATUS stat_fsp_or_name(vfs_handle_struct *handle, 807 files_struct *fsp, 808 const char *name, 809 SMB_STRUCT_STAT *sbuf, 810 SMB_STRUCT_STAT **psbuf) 811 { 812 NTSTATUS status; 813 int ret; 814 815 if (fsp) { 816 status = vfs_stat_fsp(fsp); 817 if (!NT_STATUS_IS_OK(status)) { 818 return status; 819 } 820 *psbuf = &fsp->fsp_name->st; 821 } else { 822 /* 823 * https://bugzilla.samba.org/show_bug.cgi?id=11249 824 * 825 * We are currently guaranteed that 'name' here is a 826 * smb_fname->base_name, which *cannot* contain a stream name 827 * (':'). vfs_stat_smb_fname() splits a name into a base name + 828 * stream name, which when we get here we know we've already 829 * done. So we have to call the stat or lstat VFS calls 830 * directly here. Else, a base_name that contains a ':' (from a 831 * demangled name) will get split again. 832 * 833 * FIXME. 834 * This uglyness will go away once smb_fname is fully plumbed 835 * through the VFS. 836 */ 837 ret = vfs_stat_smb_basename(handle->conn, 838 name, 839 sbuf); 840 if (ret == -1) { 841 return map_nt_error_from_unix(errno); 842 } 843 } 844 845 return NT_STATUS_OK; 846 } 847 848 /******************************************************************* 849 Pull a DATA_BLOB from an xattr given a pathname. 850 If the hash doesn't match, or doesn't exist - return the underlying 851 filesystem sd. 852 *******************************************************************/ 853 854 static NTSTATUS get_nt_acl_internal(vfs_handle_struct *handle, 855 files_struct *fsp, 856 const char *name, 857 uint32_t security_info, 858 TALLOC_CTX *mem_ctx, 859 struct security_descriptor **ppdesc) 860 { 861 DATA_BLOB blob = data_blob_null; 862 NTSTATUS status; 863 struct security_descriptor *psd = NULL; 864 bool psd_is_from_fs = false; 865 struct acl_common_config *config = NULL; 866 867 SMB_VFS_HANDLE_GET_DATA(handle, config, 868 struct acl_common_config, 869 return NT_STATUS_UNSUCCESSFUL); 870 871 if (fsp && name == NULL) { 872 name = fsp->fsp_name->base_name; 873 } 874 875 DBG_DEBUG("name=%s\n", name); 876 877 status = get_acl_blob(mem_ctx, handle, fsp, name, &blob); 878 if (NT_STATUS_IS_OK(status)) { 879 status = validate_nt_acl_blob(mem_ctx, 880 handle, 881 fsp, 882 name, 883 &blob, 884 &psd, 885 &psd_is_from_fs); 886 TALLOC_FREE(blob.data); 887 if (!NT_STATUS_IS_OK(status)) { 888 DBG_DEBUG("ACL validation for [%s] failed\n", 889 name); 890 goto fail; 891 } 892 } 565 893 566 894 if (psd == NULL) { … … 568 896 * blob for the hash, or the revision/hash type wasn't 569 897 * known */ 570 if (fsp) { 571 status = SMB_VFS_NEXT_FGET_NT_ACL(handle, 572 fsp, 573 security_info, 574 mem_ctx, 575 &pdesc_next); 898 899 if (config->ignore_system_acls) { 900 SMB_STRUCT_STAT sbuf; 901 SMB_STRUCT_STAT *psbuf = &sbuf; 902 903 status = stat_fsp_or_name(handle, fsp, name, 904 &sbuf, &psbuf); 905 if (!NT_STATUS_IS_OK(status)) { 906 goto fail; 907 } 908 909 status = make_default_filesystem_acl( 910 mem_ctx, 911 config, 912 name, 913 psbuf, 914 &psd); 915 if (!NT_STATUS_IS_OK(status)) { 916 goto fail; 917 } 576 918 } else { 577 status = SMB_VFS_NEXT_GET_NT_ACL(handle, 578 name, 579 security_info, 580 mem_ctx, 581 &pdesc_next); 582 } 583 584 if (!NT_STATUS_IS_OK(status)) { 585 DEBUG(10, ("get_nt_acl_internal: get_next_acl for file %s " 586 "returned %s\n", 587 name, 588 nt_errstr(status))); 589 TALLOC_FREE(frame); 590 return status; 591 } 592 593 /* Ensure we don't leak psd_next if we don't choose it. 594 * 595 * We don't allocate it onto frame as it is preferred not to 596 * steal from a talloc pool. 597 */ 598 talloc_steal(frame, pdesc_next); 599 psd = pdesc_next; 600 } 601 602 if (psd != pdesc_next) { 603 /* We're returning the blob, throw 604 * away the filesystem SD. */ 605 TALLOC_FREE(pdesc_next); 606 } else { 919 if (fsp) { 920 status = SMB_VFS_NEXT_FGET_NT_ACL(handle, 921 fsp, 922 security_info, 923 mem_ctx, 924 &psd); 925 } else { 926 status = SMB_VFS_NEXT_GET_NT_ACL(handle, 927 name, 928 security_info, 929 mem_ctx, 930 &psd); 931 } 932 933 if (!NT_STATUS_IS_OK(status)) { 934 DBG_DEBUG("get_next_acl for file %s " 935 "returned %s\n", name, 936 nt_errstr(status)); 937 goto fail; 938 } 939 940 psd_is_from_fs = true; 941 } 942 } 943 944 if (psd_is_from_fs) { 607 945 SMB_STRUCT_STAT sbuf; 608 946 SMB_STRUCT_STAT *psbuf = &sbuf; 609 947 bool is_directory = false; 948 610 949 /* 611 950 * We're returning the underlying ACL from the … … 613 952 * inheritable ACE entries we have to fake them. 614 953 */ 615 if (fsp) { 616 status = vfs_stat_fsp(fsp); 954 955 status = stat_fsp_or_name(handle, fsp, name, 956 &sbuf, &psbuf); 957 if (!NT_STATUS_IS_OK(status)) { 958 goto fail; 959 } 960 961 is_directory = S_ISDIR(psbuf->st_ex_mode); 962 963 if (is_directory && !sd_has_inheritable_components(psd, true)) { 964 status = add_directory_inheritable_components( 965 handle, 966 name, 967 psbuf, 968 psd); 617 969 if (!NT_STATUS_IS_OK(status)) { 618 TALLOC_FREE(frame); 619 return status; 970 goto fail; 620 971 } 621 psbuf = &fsp->fsp_name->st; 622 } else { 623 /* 624 * https://bugzilla.samba.org/show_bug.cgi?id=11249 625 * 626 * We are currently guaranteed that 'name' here is 627 * a smb_fname->base_name, which *cannot* contain 628 * a stream name (':'). vfs_stat_smb_fname() splits 629 * a name into a base name + stream name, which 630 * when we get here we know we've already done. 631 * So we have to call the stat or lstat VFS 632 * calls directly here. Else, a base_name that 633 * contains a ':' (from a demangled name) will 634 * get split again. 635 * 636 * FIXME. 637 * This uglyness will go away once smb_fname 638 * is fully plumbed through the VFS. 639 */ 640 int ret = vfs_stat_smb_basename(handle->conn, 641 name, 642 &sbuf); 643 if (ret == -1) { 644 TALLOC_FREE(frame); 645 return map_nt_error_from_unix(errno); 646 } 647 } 648 is_directory = S_ISDIR(psbuf->st_ex_mode); 649 650 if (ignore_file_system_acl) { 651 TALLOC_FREE(pdesc_next); 652 status = make_default_filesystem_acl(mem_ctx, 653 name, 654 psbuf, 655 &psd); 656 if (!NT_STATUS_IS_OK(status)) { 657 TALLOC_FREE(frame); 658 return status; 659 } 660 } else { 661 if (is_directory && 662 !sd_has_inheritable_components(psd, 663 true)) { 664 status = add_directory_inheritable_components( 665 handle, 666 name, 667 psbuf, 668 psd); 669 if (!NT_STATUS_IS_OK(status)) { 670 TALLOC_FREE(frame); 671 return status; 672 } 673 } 674 /* The underlying POSIX module always sets 675 the ~SEC_DESC_DACL_PROTECTED bit, as ACLs 676 can't be inherited in this way under POSIX. 677 Remove it for Windows-style ACLs. */ 678 psd->type &= ~SEC_DESC_DACL_PROTECTED; 679 } 972 } 973 974 /* 975 * The underlying POSIX module always sets the 976 * ~SEC_DESC_DACL_PROTECTED bit, as ACLs can't be inherited in 977 * this way under POSIX. Remove it for Windows-style ACLs. 978 */ 979 psd->type &= ~SEC_DESC_DACL_PROTECTED; 680 980 } 681 981 … … 695 995 } 696 996 697 TALLOC_FREE(blob.data);698 699 997 if (DEBUGLEVEL >= 10) { 700 DEBUG(10,("get_nt_acl_internal: returning acl for %s is:\n", 701 name )); 998 DBG_DEBUG("returning acl for %s is:\n", name); 702 999 NDR_PRINT_DEBUG(security_descriptor, psd); 703 1000 } 704 1001 705 /* The VFS API is that the ACL is expected to be on mem_ctx */ 706 *ppdesc = talloc_move(mem_ctx, &psd); 707 708 TALLOC_FREE(frame); 1002 *ppdesc = psd; 1003 709 1004 return NT_STATUS_OK; 1005 1006 fail: 1007 TALLOC_FREE(psd); 1008 return status; 710 1009 } 711 1010 … … 760 1059 } 761 1060 762 DEBUG(10, ("fset_nt_acl_common: overriding chown on file %s " 763 "for sid %s\n", 764 fsp_str_dbg(fsp), sid_string_tos(psd->owner_sid))); 1061 DBG_DEBUG("overriding chown on file %s for sid %s\n", 1062 fsp_str_dbg(fsp), sid_string_tos(psd->owner_sid)); 765 1063 766 1064 /* Ok, we failed to chown and we have … … 785 1083 786 1084 if (DEBUGLEVEL >= 10) { 787 D EBUG(10, ("fset_nt_acl_xattr:storing xattr sd for file %s\n",788 fsp_str_dbg(fsp)));1085 DBG_DEBUG("storing xattr sd for file %s\n", 1086 fsp_str_dbg(fsp)); 789 1087 NDR_PRINT_DEBUG( 790 1088 security_descriptor, … … 792 1090 793 1091 if (pdesc_next != NULL) { 794 DEBUG(10, ("fset_nt_acl_xattr: storing has in xattr sd " 795 "based on \n")); 1092 DBG_DEBUG("storing xattr sd based on \n"); 796 1093 NDR_PRINT_DEBUG( 797 1094 security_descriptor, … … 799 1096 pdesc_next)); 800 1097 } else { 801 DEBUG(10, 802 ("fset_nt_acl_xattr: ignoring underlying sd\n")); 1098 DBG_DEBUG("ignoring underlying sd\n"); 803 1099 } 804 1100 } 805 1101 status = create_acl_blob(psd, &blob, XATTR_SD_HASH_TYPE_SHA256, hash); 806 1102 if (!NT_STATUS_IS_OK(status)) { 807 D EBUG(10, ("fset_nt_acl_xattr: create_acl_blob failed\n"));1103 DBG_DEBUG("create_acl_blob failed\n"); 808 1104 return status; 809 1105 } … … 834 1130 835 1131 if (DEBUGLEVEL >= 10) { 836 DEBUG(10,("fset_nt_acl_xattr: incoming sd for file %s\n", 837 fsp_str_dbg(fsp))); 1132 DBG_DEBUG("incoming sd for file %s\n", fsp_str_dbg(fsp)); 838 1133 NDR_PRINT_DEBUG(security_descriptor, 839 1134 discard_const_p(struct security_descriptor, orig_psd)); … … 953 1248 954 1249 if (DEBUGLEVEL >= 10) { 955 D EBUG(10,("fset_nt_acl_xattr:storing xattr sd for file %s based on system ACL\n",956 fsp_str_dbg(fsp)) );1250 DBG_DEBUG("storing xattr sd for file %s based on system ACL\n", 1251 fsp_str_dbg(fsp)); 957 1252 NDR_PRINT_DEBUG(security_descriptor, 958 1253 discard_const_p(struct security_descriptor, psd)); 959 1254 960 D EBUG(10,("fset_nt_acl_xattr: storing hash in xattr sd based on system ACL and:\n"));1255 DBG_DEBUG("storing hash in xattr sd based on system ACL and:\n"); 961 1256 NDR_PRINT_DEBUG(security_descriptor, 962 1257 discard_const_p(struct security_descriptor, pdesc_next)); … … 970 1265 sys_acl_description, sys_acl_hash); 971 1266 if (!NT_STATUS_IS_OK(status)) { 972 D EBUG(10, ("fset_nt_acl_xattr: create_sys_acl_blob failed\n"));1267 DBG_DEBUG("create_sys_acl_blob failed\n"); 973 1268 TALLOC_FREE(frame); 974 1269 return status; … … 1007 1302 } 1008 1303 1009 DEBUG(10,("acl_common_remove_object: removing %s %s/%s\n", 1010 is_directory ? "directory" : "file", 1011 parent_dir, final_component )); 1304 DBG_DEBUG("removing %s %s/%s\n", is_directory ? "directory" : "file", 1305 parent_dir, final_component); 1012 1306 1013 1307 /* cd into the parent dir to pin it. */ … … 1042 1336 1043 1337 if (!fsp) { 1044 DEBUG(10,("acl_common_remove_object: %s %s/%s " 1045 "not an open file\n", 1046 is_directory ? "directory" : "file", 1047 parent_dir, final_component )); 1338 DBG_DEBUG("%s %s/%s not an open file\n", 1339 is_directory ? "directory" : "file", 1340 parent_dir, final_component); 1048 1341 saved_errno = EACCES; 1049 1342 goto out; … … 1093 1386 } 1094 1387 1095 DEBUG(10,("rmdir_acl_common: unlink of %s failed %s\n", 1096 path, 1097 strerror(errno) )); 1388 DBG_DEBUG("unlink of %s failed %s\n", path, strerror(errno)); 1098 1389 return -1; 1099 1390 } … … 1122 1413 } 1123 1414 1124 D EBUG(10,("unlink_acl_common:unlink of %s failed %s\n",1125 smb_fname->base_name,1126 strerror(errno)));1415 DBG_DEBUG("unlink of %s failed %s\n", 1416 smb_fname->base_name, 1417 strerror(errno)); 1127 1418 return -1; 1128 1419 } -
vendor/current/source3/modules/vfs_acl_tdb.c
r988 r989 306 306 { 307 307 int ret = SMB_VFS_NEXT_CONNECT(handle, service, user); 308 bool ok; 309 struct acl_common_config *config = NULL; 308 310 309 311 if (ret < 0) { … … 313 315 if (!acl_tdb_init()) { 314 316 SMB_VFS_NEXT_DISCONNECT(handle); 317 return -1; 318 } 319 320 ok = init_acl_common_config(handle); 321 if (!ok) { 322 DBG_ERR("init_acl_common_config failed\n"); 315 323 return -1; 316 324 } … … 326 334 lp_do_parameter(SNUM(handle->conn), "dos filemode", "true"); 327 335 lp_do_parameter(SNUM(handle->conn), "force unknown acl user", "true"); 336 337 SMB_VFS_HANDLE_GET_DATA(handle, config, 338 struct acl_common_config, 339 return -1); 340 341 if (config->ignore_system_acls) { 342 DBG_NOTICE("setting 'create mask = 0666', " 343 "'directory mask = 0777', " 344 "'store dos attributes = yes' and all " 345 "'map ...' options to 'no'\n"); 346 347 lp_do_parameter(SNUM(handle->conn), "create mask", "0666"); 348 lp_do_parameter(SNUM(handle->conn), "directory mask", "0777"); 349 lp_do_parameter(SNUM(handle->conn), "map archive", "no"); 350 lp_do_parameter(SNUM(handle->conn), "map hidden", "no"); 351 lp_do_parameter(SNUM(handle->conn), "map readonly", "no"); 352 lp_do_parameter(SNUM(handle->conn), "map system", "no"); 353 lp_do_parameter(SNUM(handle->conn), "store dos attributes", 354 "yes"); 355 } 328 356 329 357 return 0; -
vendor/current/source3/modules/vfs_acl_xattr.c
r988 r989 181 181 { 182 182 int ret = SMB_VFS_NEXT_CONNECT(handle, service, user); 183 bool ok; 184 struct acl_common_config *config = NULL; 183 185 184 186 if (ret < 0) { 185 187 return ret; 188 } 189 190 ok = init_acl_common_config(handle); 191 if (!ok) { 192 DBG_ERR("init_acl_common_config failed\n"); 193 return -1; 186 194 } 187 195 … … 196 204 lp_do_parameter(SNUM(handle->conn), "dos filemode", "true"); 197 205 lp_do_parameter(SNUM(handle->conn), "force unknown acl user", "true"); 206 207 SMB_VFS_HANDLE_GET_DATA(handle, config, 208 struct acl_common_config, 209 return -1); 210 211 if (config->ignore_system_acls) { 212 DBG_NOTICE("setting 'create mask = 0666', " 213 "'directory mask = 0777', " 214 "'store dos attributes = yes' and all " 215 "'map ...' options to 'no'\n"); 216 217 lp_do_parameter(SNUM(handle->conn), "create mask", "0666"); 218 lp_do_parameter(SNUM(handle->conn), "directory mask", "0777"); 219 lp_do_parameter(SNUM(handle->conn), "map archive", "no"); 220 lp_do_parameter(SNUM(handle->conn), "map hidden", "no"); 221 lp_do_parameter(SNUM(handle->conn), "map readonly", "no"); 222 lp_do_parameter(SNUM(handle->conn), "map system", "no"); 223 lp_do_parameter(SNUM(handle->conn), "store dos attributes", 224 "yes"); 225 } 198 226 199 227 return 0; -
vendor/current/source3/modules/vfs_ceph.c
r988 r989 818 818 819 819 /* available disk space is enough or not? */ 820 space_avail = get_dfree_info(fsp->conn, 821 fsp->fsp_name->base_name, 822 &bsize, &dfree, &dsize); 820 space_avail = 821 get_dfree_info(fsp->conn, fsp->fsp_name, &bsize, &dfree, &dsize); 823 822 /* space_avail is 1k blocks */ 824 823 if (space_avail == (uint64_t)-1 || -
vendor/current/source3/modules/vfs_default.c
r988 r989 1921 1921 1922 1922 /* available disk space is enough or not? */ 1923 space_avail = get_dfree_info(fsp->conn, 1924 fsp->fsp_name->base_name, 1925 &bsize, &dfree, &dsize); 1923 space_avail = 1924 get_dfree_info(fsp->conn, fsp->fsp_name, &bsize, &dfree, &dsize); 1926 1925 /* space_avail is 1k blocks */ 1927 1926 if (space_avail == (uint64_t)-1 || -
vendor/current/source3/modules/vfs_fake_dfq.c
r988 r989 111 111 (unsigned long long)id.gid); 112 112 break; 113 case SMB_USER_FS_QUOTA_TYPE: 114 section = talloc_strdup(talloc_tos(), "udflt"); 115 break; 116 case SMB_GROUP_FS_QUOTA_TYPE: 117 section = talloc_strdup(talloc_tos(), "gdflt"); 118 break; 113 119 default: 114 120 break; … … 119 125 } 120 126 121 bsize = dfq_load_param(snum, rpath, section, "block size", 0);127 bsize = dfq_load_param(snum, rpath, section, "block size", 4096); 122 128 if (bsize == 0) { 123 129 goto dflt; … … 126 132 if (dfq_load_param(snum, rpath, section, "err", 0) != 0) { 127 133 errno = ENOTSUP; 134 rc = -1; 135 goto out; 136 } 137 138 if (dfq_load_param(snum, rpath, section, "nosys", 0) != 0) { 139 errno = ENOSYS; 128 140 rc = -1; 129 141 goto out; … … 141 153 dfq_load_param(snum, rpath, section, "inode soft limit", 0); 142 154 qt->curinodes = dfq_load_param(snum, rpath, section, "cur inodes", 0); 155 qt->qflags = dfq_load_param(snum, rpath, section, "qflags", QUOTAS_DENY_DISK); 143 156 144 157 if (dfq_load_param(snum, rpath, section, "edquot", 0) != 0) { -
vendor/current/source3/modules/vfs_fruit.c
r988 r989 133 133 bool copyfile_enabled; 134 134 bool veto_appledouble; 135 bool posix_rename; 135 136 136 137 /* … … 1356 1357 "copyfile", false); 1357 1358 1359 config->posix_rename = lp_parm_bool( 1360 SNUM(handle->conn), FRUIT_PARAM_TYPE_NAME, "posix_rename", true); 1361 1358 1362 config->readdir_attr_rsize = lp_parm_bool( 1359 1363 SNUM(handle->conn), "readdir_attr", "aapl_rsize", true); … … 3428 3432 } 3429 3433 3430 if ( fsp->is_directory) {3434 if (config->posix_rename && fsp->is_directory) { 3431 3435 /* 3432 3436 * Enable POSIX directory rename behaviour -
vendor/current/source3/modules/vfs_glusterfs.c
r988 r989 42 42 #include "lib/util/dlinklist.h" 43 43 #include "lib/util/tevent_unix.h" 44 #include "lib/tevent/tevent_internal.h"45 44 #include "smbd/globals.h" 46 45 #include "lib/util/sys_rw.h" … … 224 223 DEBUG(0, ("%s: Failed to set xlator option:" 225 224 " snapdir-entry-path\n", volume)); 226 glfs_fini(fs); 227 return -1; 225 goto done; 228 226 } 229 227 -
vendor/current/source3/modules/vfs_shadow_copy2.c
r988 r989 1793 1793 char *tmp = NULL; 1794 1794 char *result = NULL; 1795 char *parent_dir = NULL; 1795 1796 int saved_errno; 1796 1797 size_t rootpath_len = 0; … … 1809 1810 &rootpath_len); 1810 1811 if (tmp == NULL) { 1811 goto done; 1812 if (errno != ENOENT) { 1813 goto done; 1814 } 1815 1816 /* 1817 * If the converted path does not exist, and converting 1818 * the parent yields something that does exist, then 1819 * this path refers to something that has not been 1820 * created yet, relative to the parent path. 1821 * The snapshot finding is relative to the parent. 1822 * (usually snapshots are read/only but this is not 1823 * necessarily true). 1824 * This code also covers getting a wildcard in the 1825 * last component, because this function is called 1826 * prior to sanitizing the path, and in SMB1 we may 1827 * get wildcards in path names. 1828 */ 1829 if (!parent_dirname(talloc_tos(), stripped, &parent_dir, 1830 NULL)) { 1831 errno = ENOMEM; 1832 goto done; 1833 } 1834 1835 tmp = shadow_copy2_do_convert(talloc_tos(), handle, parent_dir, 1836 timestamp, &rootpath_len); 1837 if (tmp == NULL) { 1838 goto done; 1839 } 1812 1840 } 1813 1841 … … 1827 1855 TALLOC_FREE(tmp); 1828 1856 TALLOC_FREE(stripped); 1857 TALLOC_FREE(parent_dir); 1829 1858 errno = saved_errno; 1830 1859 return result;
Note:
See TracChangeset
for help on using the changeset viewer.
