mirror of
https://github.com/samba-team/samba.git
synced 2025-01-22 22:04:08 +03:00
s3-nfs4acls: Remove lookup_sid and sidmap from NFSv4 ACL mapping and check gid first
By checking just the IDMAP, and by removing the sidmap and lookup_sid calls, we support IDMAP_BOTH. This is because by checking for a mapping to a GID first, we can rely on the fact that IDMAP_BOTH will resolve to a GID. If the sidmap idea is valued - it allows multiple SIDs to map to a single unix ID, this should be done in the IDMAP layer. Andrew Bartlett Signed-off-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Sat Aug 11 01:17:36 CEST 2012 on sn-devel-104
This commit is contained in:
Andrew Bartlett
Jeremy Allison
parent
c991ac0ebf
commit
f36e28d131
@ -461,7 +461,6 @@ typedef struct _smbacl4_vfs_params {
|
||||
enum smbacl4_mode_enum mode;
|
||||
bool do_chown;
|
||||
enum smbacl4_acedup_enum acedup;
|
||||
struct db_context *sid_mapping_table;
|
||||
} smbacl4_vfs_params;
|
||||
|
||||
/*
|
||||
@ -572,64 +571,6 @@ static SMB_ACE4PROP_T *smbacl4_find_equal_special(
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static bool nfs4_map_sid(smbacl4_vfs_params *params, const struct dom_sid *src,
|
||||
struct dom_sid *dst)
|
||||
{
|
||||
static struct db_context *mapping_db = NULL;
|
||||
TDB_DATA data;
|
||||
NTSTATUS status;
|
||||
|
||||
if (mapping_db == NULL) {
|
||||
const char *dbname = lp_parm_const_string(
|
||||
-1, SMBACL4_PARAM_TYPE_NAME, "sidmap", NULL);
|
||||
|
||||
if (dbname == NULL) {
|
||||
DEBUG(10, ("%s:sidmap not defined\n",
|
||||
SMBACL4_PARAM_TYPE_NAME));
|
||||
return False;
|
||||
}
|
||||
|
||||
become_root();
|
||||
mapping_db = db_open(NULL, dbname, 0, TDB_DEFAULT,
|
||||
O_RDONLY, 0600,
|
||||
DBWRAP_LOCK_ORDER_1);
|
||||
unbecome_root();
|
||||
|
||||
if (mapping_db == NULL) {
|
||||
DEBUG(1, ("could not open sidmap: %s\n",
|
||||
strerror(errno)));
|
||||
return False;
|
||||
}
|
||||
}
|
||||
|
||||
status = dbwrap_fetch(mapping_db, NULL,
|
||||
string_term_tdb_data(sid_string_tos(src)),
|
||||
&data);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(10, ("could not find mapping for SID %s\n",
|
||||
sid_string_dbg(src)));
|
||||
return False;
|
||||
}
|
||||
|
||||
if ((data.dptr == NULL) || (data.dsize <= 0)
|
||||
|| (data.dptr[data.dsize-1] != '\0')) {
|
||||
DEBUG(5, ("invalid mapping for SID %s\n",
|
||||
sid_string_dbg(src)));
|
||||
TALLOC_FREE(data.dptr);
|
||||
return False;
|
||||
}
|
||||
|
||||
if (!string_to_sid(dst, (char *)data.dptr)) {
|
||||
DEBUG(1, ("invalid mapping %s for SID %s\n",
|
||||
(char *)data.dptr, sid_string_dbg(src)));
|
||||
TALLOC_FREE(data.dptr);
|
||||
return False;
|
||||
}
|
||||
|
||||
TALLOC_FREE(data.dptr);
|
||||
|
||||
return True;
|
||||
}
|
||||
|
||||
static bool smbacl4_fill_ace4(
|
||||
TALLOC_CTX *mem_ctx,
|
||||
@ -667,65 +608,10 @@ static bool smbacl4_fill_ace4(
|
||||
ace_v4->who.special_id = SMB_ACE4_WHO_EVERYONE;
|
||||
ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
|
||||
} else {
|
||||
const char *dom, *name;
|
||||
enum lsa_SidType type;
|
||||
uid_t uid;
|
||||
gid_t gid;
|
||||
struct dom_sid sid;
|
||||
|
||||
sid_copy(&sid, &ace_nt->trustee);
|
||||
|
||||
if (!lookup_sid(mem_ctx, &sid, &dom, &name, &type)) {
|
||||
|
||||
struct dom_sid mapped;
|
||||
|
||||
if (!nfs4_map_sid(params, &sid, &mapped)) {
|
||||
DEBUG(1, ("nfs4_acls.c: file [%s]: SID %s "
|
||||
"unknown\n", filename,
|
||||
sid_string_dbg(&sid)));
|
||||
errno = EINVAL;
|
||||
return False;
|
||||
}
|
||||
|
||||
DEBUG(2, ("nfs4_acls.c: file [%s]: mapped SID %s "
|
||||
"to %s\n", filename, sid_string_dbg(&sid),
|
||||
sid_string_dbg(&mapped)));
|
||||
|
||||
if (!lookup_sid(mem_ctx, &mapped, &dom,
|
||||
&name, &type)) {
|
||||
DEBUG(1, ("nfs4_acls.c: file [%s]: SID %s "
|
||||
"mapped from %s is unknown\n",
|
||||
filename, sid_string_dbg(&mapped),
|
||||
sid_string_dbg(&sid)));
|
||||
errno = EINVAL;
|
||||
return False;
|
||||
}
|
||||
|
||||
sid_copy(&sid, &mapped);
|
||||
}
|
||||
|
||||
if (type == SID_NAME_USER) {
|
||||
if (!sid_to_uid(&sid, &uid)) {
|
||||
DEBUG(1, ("nfs4_acls.c: file [%s]: could not "
|
||||
"convert %s to uid\n", filename,
|
||||
sid_string_dbg(&sid)));
|
||||
return False;
|
||||
}
|
||||
|
||||
if (params->mode==e_special && uid==ownerUID) {
|
||||
ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
|
||||
ace_v4->who.special_id = SMB_ACE4_WHO_OWNER;
|
||||
} else {
|
||||
ace_v4->who.uid = uid;
|
||||
}
|
||||
} else { /* else group? - TODO check it... */
|
||||
if (!sid_to_gid(&sid, &gid)) {
|
||||
DEBUG(1, ("nfs4_acls.c: file [%s]: could not "
|
||||
"convert %s to gid\n", filename,
|
||||
sid_string_dbg(&sid)));
|
||||
return False;
|
||||
}
|
||||
|
||||
if (sid_to_gid(&ace_nt->trustee, &gid)) {
|
||||
ace_v4->aceFlags |= SMB_ACE4_IDENTIFIER_GROUP;
|
||||
|
||||
if (params->mode==e_special && gid==ownerGID) {
|
||||
@ -734,6 +620,18 @@ static bool smbacl4_fill_ace4(
|
||||
} else {
|
||||
ace_v4->who.gid = gid;
|
||||
}
|
||||
} else if (sid_to_uid(&ace_nt->trustee, &uid)) {
|
||||
if (params->mode==e_special && uid==ownerUID) {
|
||||
ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
|
||||
ace_v4->who.special_id = SMB_ACE4_WHO_OWNER;
|
||||
} else {
|
||||
ace_v4->who.uid = uid;
|
||||
}
|
||||
} else {
|
||||
DEBUG(1, ("nfs4_acls.c: file [%s]: could not "
|
||||
"convert %s to uid or gid\n", filename,
|
||||
sid_string_dbg(&ace_nt->trustee)));
|
||||
return False;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user