mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
51 Commits

Author SHA1 Message Date
Jeremy Allison
218cccfdf1 Fix bug 8422 - Infinite loop in ACL module code.
Missing assignment means this loop will never terminate. Need to be applied
to 3.5.x and 3.6.1.
2011-08-29 16:46:15 -07:00
Jeremy Allison
a6d06c0697 Fix bug #8370 - vfs_chown_fsp broken -- returns in the wrong directory
Ensure we always use vfs_ChDir() to keep the singleton cache coherent.

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Fri Aug 19 00:43:05 CEST 2011 on sn-devel-104
2011-08-19 00:43:04 +02:00
Andrew Bartlett
6e6aaacedb lib/util Move bitmap.c to lib/util 2011-07-08 11:23:23 +02:00
Andrew Bartlett
5e26e94092 s3-talloc Change TALLOC_ZERO_ARRAY() to talloc_zero_array()
Using the standard macro makes it easier to move code into common, as
TALLOC_ZERO_ARRAY isn't standard talloc.
2011-06-09 12:40:08 +02:00
Jeremy Allison
aff6c52370 Fix re-opened bug 8083 - "inherit owner = yes" doesn't interact correctly with vfs_acl_xattr or vfs_acl_tdb module.
Fix incorrect interaction when all of

"inherit permissions = yes"
"inherit acls = yes"
"inherit owner = yes"

are set. Found by Björn Jacke. Thanks Björn !

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Tue Jun  7 22:32:18 CEST 2011 on sn-devel-104
2011-06-07 22:32:18 +02:00
Jeremy Allison
7d6ebe0de7 More const fixes. Remove CONST_DISCARD. 2011-05-06 01:44:07 +02:00
Jeremy Allison
182eea9ae2 Fix bug #8083 - "inherit owner = yes" doesn't interact correctly with vfs_acl_xattr or vfs_acl_tdb module.
If "inherit owner = yes", pass in the directory owner and group
owner as the target for CREATOR_OWNER and CREATOR_GROUP substitutions,
and also as the owner and primary group of the new security descriptor
being applied to the object.

Jeremy.
2011-04-14 13:20:08 -07:00
Björn Baumbach
e6cf92c574 s3-modules: Fix debug message
Print child descriptor instead of parent.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Apr 11 11:48:42 CEST 2011 on sn-devel-104
2011-04-11 11:48:42 +02:00
Jeremy Allison
af45636166 Fix bug 8072 - PANIC: create_file_acl_common frees handle two times.
Caused by premature optimisation storing the parent ACL on the
module handle instead of (correctly) on the file fsp. Previous
code wasn't reentrant safe. This is less optimal but doesn't
crash in the specific case :-).

Jeremy.

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat Apr  9 02:05:15 CEST 2011 on sn-devel-104
2011-04-09 02:05:15 +02:00
Andrew Tridgell
49ab2df28a lib/crypto: rename the SHA256_ functions to samba_SHA256_
this prevents a symbol duplication with the openssl library, which may
be linked in via a secondary library dependency

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-04-06 08:12:19 +02:00
Jeremy Allison
00224d06c3 Fix bug #7987 - ACL can get lost when files are being renamed.
There is no reason for smbd with Windows ACLs to use chmod
or fchmod unless it's a file opened with UNIX extensions or
with posix pathnames.

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat Apr  2 02:40:43 CEST 2011 on sn-devel-104
2011-04-02 02:40:43 +02:00
Günther Deschner
45364f5e69 s3-vfs: include smbd/smbd.h in vfs modules.
Guenther
2011-03-30 01:13:08 +02:00
Günther Deschner
0e771263ee s3-includes: only include system/filesys.h when needed.
Guenther
2011-03-30 01:13:07 +02:00
Andrew Bartlett
2e69e89456 s3-auth Rename auth_serversupplied_info variables: server_info -> session_info
These variables, of type struct auth_serversupplied_info were poorly
named when added in 2001, and in good consistent practice, this has
extended all over the codebase in the years since.

The structure is also not ideal for its current purpose.  Originally
intended to convey the results of the authentication modules, it
really describes all the essential attributes of a session.  This
rename will reduce the volume of a future patch to replace these with
a struct auth_session_info, with auth_serversupplied_info confined to
the lower levels of the auth subsystem, and then eliminated.

(The new structure will be the output of create_local_token(), and the
change in struct definition will ensure that this is always run, populating
local groups and privileges).

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-22 16:20:10 +11:00
Andrew Bartlett
2b05ba77b4 s3-auth Rename cryptic 'ptok' to security_token
This will allow the auth_serversupplied_info struct to be migrated
to auth_session_info easier.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-02-10 06:51:06 +01:00
Günther Deschner
50be0b2c1e s3: Remove superfluous ;
Guenther

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Wed Feb  2 15:44:21 CET 2011 on sn-devel-104
2011-02-02 15:44:21 +01:00
Jeremy Allison
6af05f10c1 Fix bug #7812 - vfs_acl_xattr/vfs_acl_tdb: ACL inheritance cannot be disabled
We were losing the incoming security descriptor revision number and
most importantly the "type" field as sent by the client. Ensure we
correctly store these in the xattr object.

Jeremy.

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Wed Nov 24 00:18:57 CET 2010 on sn-devel-104
2010-11-24 00:18:57 +01:00
Jeremy Allison
06fc79f1fd Add acl_xattr:ignore system acls boolean (normally false) to allow
Samba ACL module to ignore mapping to lower POSIX layer. With this
fix Samba 3.6.x now passes RAW-ACLs (with certain smb.conf parameters
set).

Jeremy.

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat Oct 16 01:26:31 UTC 2010 on sn-devel-104
2010-10-16 01:26:30 +00:00
Jeremy Allison
f4a9d25cfc Add debug message to get_nt_acl_internal() to see what we got. 2010-10-15 17:38:21 -07:00
Jeremy Allison
625126dc8d Fix valgrind "uninitialized read" error on "info" when returning !NT_STATUS_OK.
Jeremy.
2010-10-15 17:38:21 -07:00
Andrew Bartlett
f768b32e37 libcli/security Provide a common, top level libcli/security/security.h
This will reduce the noise from merges of the rest of the
libcli/security code, without this commit changing what code
is actually used.

This includes (along with other security headers) dom_sid.h and
security_token.h

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
2010-10-12 05:54:10 +00:00
Jeremy Allison
6f6094076f Make the vfs_acl_xattr and other modules work with NULL SD's. Fix
the "protected" inheritance problem (bleeding up from the POSIX
layer).

Jeremy

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Tue Oct 12 00:57:41 UTC 2010 on sn-devel-104
2010-10-12 00:57:41 +00:00
Volker Lendecke
75c6e0e5c7 s3: Lift smbd_server_conn from file_find_di_first 2010-09-28 07:36:17 +02:00
Andrew Bartlett
8c15cf54ae s3-auth Rename NT_USER_TOKEN user_sids -> sids
This is closer to the struct security_token from security.idl
2010-08-31 10:20:14 +10:00
Volker Lendecke
c59ab01e33 s3: Fix an uninitialized variable 2010-08-01 18:16:19 +02:00
Günther Deschner
a75436e3ee s3-security: use shared SECINFO_DACL define.
Guenther
2010-06-03 11:00:12 +02:00
Günther Deschner
e24a59f932 s3-security: use shared SECINFO_SACL define.
Guenther
2010-06-03 10:59:54 +02:00
Günther Deschner
630c27bdad s3-security: use shared SECINFO_GROUP define.
Guenther
2010-06-03 10:59:38 +02:00
Günther Deschner
415d3d5fe7 s3-security: use shared SECINFO_OWNER define.
Guenther
2010-06-03 10:59:15 +02:00
Günther Deschner
f9f8007361 s3-build: only use ndr_security.h where needed.
Guenther
2010-05-31 11:32:37 +02:00
Günther Deschner
d4474ba470 s3-secdesc: use SD_REVISION from security.idl.
Guenther
2010-05-18 12:52:18 +02:00
Jelmer Vernooij
b8268cf7b0 s3: Remove use of iconv_convenience. 2010-05-18 11:45:31 +02:00
Jeremy Allison
a2be29dfa3 Missed a couple more uses of conn->server_info->ptok that need to be get_current_nttok(conn)
Centralize the root check into smb1_file_se_access_check()
so this is used by modules/vfs_acl_common.c also.

Jeremy.
2010-03-12 14:31:47 -08:00
Jeremy Allison
c61c9c3a4c Fix for bug #7189 - Open txt files with notepad on samba shares creates problem.
Ensure we don't use any of the create_options for Samba private
use. Add a new parameter to the VFS_CREATE call (private_flags)
which is only used internally. Renumber NTCREATEX_OPTIONS_PRIVATE_DENY_DOS
and NTCREATEX_OPTIONS_PRIVATE_DENY_FCB to match the S4 code).
Rev. the VFS interface to version 28.

Jeremy.
2010-03-05 15:13:37 -08:00
Björn Jacke
328a6264a7 s3: fix build issue on Tru64
Thanks, Volker for the hint - acl_type is a macro on Tru64. Renamed it
to acltype. This fixes #7103.
2010-02-07 21:07:13 +01:00
Jeremy Allison
98a495f1e6 Modification of fix for bug 6876 - Delete of an object whose parent folder does not have delete rights fails even if the delete right is set on the object
Suggested by Volker. Reduce the surface area of the
become_root() unbecome_root() code to reduce the chance
of errors.

Jeremy.
2010-01-16 17:03:06 -08:00
Jeremy Allison
47c1d9b39f Fix bug #6876 - Delete of an object whose parent folder does not have delete rights fails even if the delete right is set on the object.
Final fix for the vfs_acl_xattr and vfs_acl_tdb code.
Ensure we can delete a file even if the underlying POSIX
permissions don't allow it, if the Windows permissions do.

Jeremy.
2010-01-12 16:04:44 -08:00
Jeremy Allison
6dcbb84d48 Attempt to fix one of the last two bugs with the full Windows ACL support.
When returning an underlying ACL on a directory, normally on a
POSIX system it has no inheritable entries, which breaks the
Windows ACL when a user does a get/set of a Windows ACL on a
POSIX directory with no existing stored Windows ACL from
the Windows ACL editor. What happens is any new entry added
by the user gets set inheritable, but none of the other
entries are (as returned by default). So any new files then
only inherit the single new ACE entry (the one marked inheritable
by the ACL editor).

Fix this by faking up a default 3 element inheritable ACL that
represents what a user creating a POSIX file or directory will
get by default from the smbd code.

Jeremy.
2009-12-23 17:19:22 -08:00
Jeremy Allison
a24631007e parent_sd can never be null in this function, so don't
check for it.

Jeremy.
2009-12-07 14:41:09 -08:00
Jeremy Allison
12bac42a93 Hopefully final fix for 6802 - acl_xattr.c module: A created folder does not properly inherit permissions from parent and 6938 - No hook exists to check creation rights when using acl_xattr module
Volker was right (dammit :-). It's much easier to catch
this case in the create_file() vfs call instead of trying
to do everything inside open() and mkdir(). Hook all these
functions to gain the desired effect.
Jeremy.
2009-12-07 14:36:12 -08:00
Jeremy Allison
3fe7dfd1d9 Remove smb_fname duplicates that just keep the same information as in fsp->fsp_name.
Moving towards making VFS_OPEN/VFS_MKDIR/VFS_RMDIR
handle based...
Jeremy.
2009-12-03 16:45:35 -08:00
Jeremy Allison
365c6b4ce0 Restructure the ACL code some more, get the internal semantics
right. The previous bugs were due to the fact that get_nt_acl_internal()
could return an NTSTATUS error if there was no stored ACL blob, but
otherwise would return the underlying ACL from the filesystem. Fix
this so it always returns a valid acl if it can, and if it does not
it's an error to be reported back to the client. This then changes
the inherit acl code. Previously we were trying to match Windows
by setting a minimal ACL on a new file that didn't inherit anything
from a parent directory. This is silly - the returned ACL wouldn't
match the underlying UNIX permissions. The current code will correctly
inherit from a parent if a parent has any inheritable ACE entries
that apply to the new object, but will return a mapping from the
underlying UNIX permissions if the parent has no inheritable entries.
This makes much more sense for new files/directories.
Jeremy.
2009-12-02 15:02:28 -08:00
Jeremy Allison
148e79d156 Ensure check_parent_acl_common() only looks at stored
blobs - returns NT_STATUS_OK if there aren't any.
Jeremy.
2009-12-02 12:29:16 -08:00
Jeremy Allison
486c8d57ec Ensure get_nt_acl_internal() only looks at the ACL blobs, not
reads off the underlying filesystem. Ensure that vfs_acl_tdb.c
returns NT_STATUS_NOT_FOUND, not NT_STATUS_OBJECT_NAME_NOT_FOUND
when it can't find a blob matching the file.
Jeremy.
2009-12-02 12:09:48 -08:00
Jeremy Allison
48f40793ae Fix DEBUG 0 -> DEBUG 10 (left over code).
Fix opendir status return if access denied.
Jeremy.
2009-11-30 16:56:35 -08:00
Jeremy Allison
bdc8c9d37c Fix bug 6938 : No hook exists to check creation rights when using acl_xattr module
Fix ACL modules to test for permissions on open/mkdir/opendir.
Ensure that underlying ACLs are returned for directories/files with
no Windows xattr or tdb acls stored.
Jeremy.
2009-11-30 16:50:34 -08:00
Jeremy Allison
7ed6f9f096 Fix bug 6892 - When a chown operation is issued via Windows Explorer, all ACLS are wiped out.
Merges existing DACLs when a ACL set operation comes in with only owner or group values set.
Jeremy.
2009-11-25 10:20:38 -08:00
Barry Sabsevitz
3054fe46d9 Fix bug 6802 - A created folder does not properly inherit permissions from parent. 2009-10-23 11:50:29 -07:00
Jeremy Allison
6f22cd10ad Remove lots of duplicate code and move it into one
function vfs_stat_fsp(). Stops code looking at fsp->posix_open
except for exceptional circumstances.
Jeremy.
2009-10-02 13:45:38 -07:00
Jeremy Allison
9297b975f5 Fix the build breakage by #including modules/vfs_acl_common.c
into acl_tdb and acl_xattr. Duplicates the code size, but keeps
the code in common so I don't have to do bug fixes in two places
(which is what I really cared about).
Jeremy.
2009-07-27 12:09:40 -07:00