
vfs_acl_xattr|tdb: enforced settings when ignore system acls=yes

When "ignore system acls" is set to "yes", we need to ensure filesystem
permissions always grant access, so that when doing our own access checks
we don't run into situations where we grant access but the filesystem
doesn't.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12181

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Aug 31 18:41:20 CEST 2016 on sn-devel-144

(cherry picked from commit b72287514cc78c9019db7385af4c9b9d94f60894)
This commit is contained in:
Ralph Boehme 2016-08-26 10:04:53 +02:00 committed by Karolin Seeger
parent 7f3a8573f3
commit b064dfde2e
5 changed files with 74 additions and 2 deletions


@ -70,6 +70,21 @@
access the data via Samba you might set this to yes to achieve
better NT ACL compatibility.
</para>
<para>
If <emphasis>acl_tdb:ignore system acls</emphasis>
is set to <emphasis>yes</emphasis>, the following
additional settings will be enforced:
<itemizedlist>
<listitem><para>create mask = 0666</para></listitem>
<listitem><para>directory mask = 0777</para></listitem>
<listitem><para>map archive = no</para></listitem>
<listitem><para>map hidden = no</para></listitem>
<listitem><para>map readonly = no</para></listitem>
<listitem><para>map system = no</para></listitem>
<listitem><para>store dos attributes = yes</para></listitem>
</itemizedlist>
</para>
</listitem>
</varlistentry>


@ -74,6 +74,21 @@
access the data via Samba you might set this to yes to achieve
better NT ACL compatibility.
</para>
<para>
If <emphasis>acl_xattr:ignore system acls</emphasis>
is set to <emphasis>yes</emphasis>, the following
additional settings will be enforced:
<itemizedlist>
<listitem><para>create mask = 0666</para></listitem>
<listitem><para>directory mask = 0777</para></listitem>
<listitem><para>map archive = no</para></listitem>
<listitem><para>map hidden = no</para></listitem>
<listitem><para>map readonly = no</para></listitem>
<listitem><para>map system = no</para></listitem>
<listitem><para>store dos attributes = yes</para></listitem>
</itemizedlist>
</para>
</listitem>
</varlistentry>


@ -306,6 +306,7 @@ static int connect_acl_tdb(struct vfs_handle_struct *handle,
{
int ret = SMB_VFS_NEXT_CONNECT(handle, service, user);
bool ok;
struct acl_common_config *config = NULL;
if (ret < 0) {
return ret;
@ -333,6 +334,26 @@ static int connect_acl_tdb(struct vfs_handle_struct *handle,
lp_do_parameter(SNUM(handle->conn), "dos filemode", "true");
lp_do_parameter(SNUM(handle->conn), "force unknown acl user", "true");
SMB_VFS_HANDLE_GET_DATA(handle, config,
struct acl_common_config,
return -1);
if (config->ignore_system_acls) {
DBG_NOTICE("setting 'create mask = 0666', "
"'directory mask = 0777', "
"'store dos attributes = yes' and all "
"'map ...' options to 'no'\n");
lp_do_parameter(SNUM(handle->conn), "create mask", "0666");
lp_do_parameter(SNUM(handle->conn), "directory mask", "0777");
lp_do_parameter(SNUM(handle->conn), "map archive", "no");
lp_do_parameter(SNUM(handle->conn), "map hidden", "no");
lp_do_parameter(SNUM(handle->conn), "map readonly", "no");
lp_do_parameter(SNUM(handle->conn), "map system", "no");
lp_do_parameter(SNUM(handle->conn), "store dos attributes",
"yes");
}
return 0;
}
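Review bot: The bool returned by lp_do_parameter() is discarded on each of the seven new override lines from `lp_do_parameter(SNUM(handle->conn), "create mask", "0666");` through the "store dos attributes" call, so if one of them fails the module keeps doing its own access checks while the filesystem can still deny what those checks granted — exactly the mismatch the commit sets out to remove — and nothing is logged. Because the block establishes a security invariant rather than a convenience default, a failure should be detected and the connect refused; the table-driven loop below does that and also collapses the seven repeated calls. The same block appears verbatim in the connect_acl_xattr hunk and both read the shared struct acl_common_config, so it belongs in one helper beside that struct rather than in each module. A why-comment above the `if` would also help later readers: `/* With ignore_system_acls the NT ACL kept by this module is the only access check; the filesystem must never deny what it allowed, so force permissive masks and stop mapping DOS attributes onto mode bits. */`. connect_acl_tdb begins before this hunk.
```c
	if (config->ignore_system_acls) {
		static const struct {
			const char *name;
			const char *value;
		} forced[] = {
			{ "create mask", "0666" },
			{ "directory mask", "0777" },
			{ "map archive", "no" },
			{ "map hidden", "no" },
			{ "map readonly", "no" },
			{ "map system", "no" },
			{ "store dos attributes", "yes" },
		};

		/* … unchanged: DBG_NOTICE() announcing the forced settings … */

		for (size_t i = 0; i < ARRAY_SIZE(forced); i++) {
			if (!lp_do_parameter(SNUM(handle->conn),
					     forced[i].name,
					     forced[i].value)) {
				DBG_ERR("failed to set '%s = %s'\n",
					forced[i].name, forced[i].value);
				return -1;
			}
		}
	}
```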


@ -181,6 +181,7 @@ static int connect_acl_xattr(struct vfs_handle_struct *handle,
{
int ret = SMB_VFS_NEXT_CONNECT(handle, service, user);
bool ok;
struct acl_common_config *config = NULL;
if (ret < 0) {
return ret;
@ -203,6 +204,26 @@ static int connect_acl_xattr(struct vfs_handle_struct *handle,
lp_do_parameter(SNUM(handle->conn), "dos filemode", "true");
lp_do_parameter(SNUM(handle->conn), "force unknown acl user", "true");
SMB_VFS_HANDLE_GET_DATA(handle, config,
struct acl_common_config,
return -1);
if (config->ignore_system_acls) {
DBG_NOTICE("setting 'create mask = 0666', "
"'directory mask = 0777', "
"'store dos attributes = yes' and all "
"'map ...' options to 'no'\n");
lp_do_parameter(SNUM(handle->conn), "create mask", "0666");
lp_do_parameter(SNUM(handle->conn), "directory mask", "0777");
lp_do_parameter(SNUM(handle->conn), "map archive", "no");
lp_do_parameter(SNUM(handle->conn), "map hidden", "no");
lp_do_parameter(SNUM(handle->conn), "map readonly", "no");
lp_do_parameter(SNUM(handle->conn), "map system", "no");
lp_do_parameter(SNUM(handle->conn), "store dos attributes",
"yes");
}
return 0;
}


@ -169,8 +169,8 @@ static bool test_default_acl_posix(struct torture_context *tctx,
exp_sd = security_descriptor_dacl_create(
tctx, 0, owner_sid, group_sid,
owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_ALL, 0,
group_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE, 0,
SID_WORLD, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE, 0,
group_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, FILE_GENERIC_READ|FILE_GENERIC_WRITE|FILE_GENERIC_EXECUTE, 0,
SID_WORLD, SEC_ACE_TYPE_ACCESS_ALLOWED, FILE_GENERIC_READ|FILE_GENERIC_WRITE|FILE_GENERIC_EXECUTE, 0,
SID_NT_SYSTEM, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_ALL, 0,
NULL);