mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Commit Graph

176 Commits

Author SHA1 Message Date
Christof Schmitt
cffe96ef61 nfs4_acl: Add comment for setting ACL as root
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Dec  2 08:02:13 UTC 2022 on sn-devel-184
2022-12-02 08:02:13 +00:00
Christof Schmitt
bfb4b368e1 nfs4_acls: Call chown_if_needed function to remove duplicate code
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2022-12-02 07:00:31 +00:00
Christof Schmitt
a6ccceb97e nfs4_acls: Correctly skip chown when gid did not change
Commit 86f7af84 introduced a problem that a chown is always attempted,
even when the owning gid did not change. Then the ACL is set in the file
system as root. Fix the check by correctly comparing with gid, not uid.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15120

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Wed Jul 13 17:30:30 UTC 2022 on sn-devel-184
2022-07-13 17:30:30 +00:00
Peter Eriksson
3d91fe071a s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14648

Signed-off-by: Peter Eriksson <pen@lysator.liu.se>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>

Autobuild-User(master): David Mulder <dmulder@samba.org>
Autobuild-Date(master): Thu Feb 25 20:46:02 UTC 2021 on sn-devel-184
2021-02-25 20:46:02 +00:00
Ralph Boehme
f89c7ad851 smbd: ignore set NTACL requests which contain S-1-5-88 NFS ACEs
We apply the same "ignore" logic already in the POSIX ACL code and in the
vfs_acl_xattr|tdb VFS modules to smb_set_nt_acl_nfs4() in the nfs4_acl helper
subsystem which is common to a bunch of VFS modules: GPFS, ZFS, NFS4_xattr and
aixacl2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14307

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar  3 19:15:10 UTC 2020 on sn-devel-184
2020-03-03 19:15:10 +00:00
Christof Schmitt
a073799ded nfs4_acls: Use fsp stat buffer in smb_fget_nt_acl_nfs4
Instead of having a local buffer for the stat data, update the one kept
in the fsp. With this change the local stat buffer and the helper
function smbacl4_fGetFileOwner are no longer needed and can be removed.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Tue Jul 23 19:45:05 UTC 2019 on sn-devel-184
2019-07-23 19:45:05 +00:00
Christof Schmitt
f81191d51b nfs4_acls: Change default of nfs4:acedup to "merge"
All tutorials I could find that configure Samba with NFSv4 ACLs set this
parameter to "merge". As this seems to be the main use case, make this
setting the default.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2019-07-23 18:27:28 +00:00
Christof Schmitt
b52b5de76a nfs4_acls: Mark nfs4:acedup ignore and reject as deprecated
The default setting for nfs4:acedup is "dontcare". The only
recommendation I could find is setting this to "merge". The setting of
"ignore" is dangerous as it would silently drop ACEs. "reject" also
seems less useful as it would disallow setting of ACLs that can easily
be stored.

Report "ignore" and "reject" as deprecated. Maybe these can be removed
in the future to simplify the code.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2019-07-23 18:27:28 +00:00
Christof Schmitt
de4a11589f nfs4_acls: Update copyright header
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2019-07-23 18:27:28 +00:00
Christof Schmitt
728de59740 nfs4_acls: Add warning for deprecated setting nfs4:mode special
The documentation states this has been deprecated for years. Add logging
a warning when this is set. Maybe this can be removed in the future.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2019-07-23 18:27:28 +00:00
Christof Schmitt
54a0b1ca66 nfs4_acls: Use C99 initializer instead of ZERO_STRUCTP for params struct
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2019-07-23 18:27:28 +00:00
Christof Schmitt
3a71d619a9 nfs4_acls: Change type of smbacl4_substitute_simple to void
The function always returned true and the return code was never checked,
so simply change to void.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2019-07-23 18:27:28 +00:00
Christof Schmitt
86f7af84f0 nfs4_acls: Use correct owner information for ACL after owner change
After a chown, the cached stat data is obviously no longer valid. The
code in smb_set_nt_acl_nfs4 checked the file correctly, but did only use
a local buffer for the stat data. So later checks of the stat buffer
under the fsp->fsp_name->st would still see the old information.

Fix this by removing the local stat buffer and always update the one
under fsp->fsp_name->st.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2019-07-23 18:27:27 +00:00
Christof Schmitt
9c88602128 nfs4_acls: Remove duplicate entries when mapping from NFS4 ACL to DACL
The previous patch added an additional entry for IDMAP_TYPE_BOTH. When
mapping back to a DACL, there should be no additional entry. Add a loop
that will check and remove entries that are exact duplicates.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2019-07-23 18:27:27 +00:00
Christof Schmitt
169812943d nfs4_acls: Rename smbacl4_fill_ace4 function
As this function now maps the ACE and also adds it to the NFSv4 ACE,
change the name to better describe its behavior.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2019-07-23 18:27:27 +00:00
Christof Schmitt
b796119e2d nfs4_acls: Add additional owner entry when mapping to NFS4 ACL with IDMAP_TYPE_BOTH
With IDMAP_TYPE_BOTH, all entries have to be mapped to group entries.
In order to have the file system reflect the owner permissions in the
POSIX modebits, create a second entry for the user. This will be mapped
to the "special owner" entry.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2019-07-23 18:27:27 +00:00
Christof Schmitt
aa46441936 nfs4_acls: Remove redundant pointer variable
The previous patch introduced a pointer to a local variable to reduce
the amount of lines changed. Remove that pointer and adjust all usage
accordingly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2019-07-23 18:27:27 +00:00
Christof Schmitt
7ab0003ffc nfs4_acls: Remove redundant logging from smbacl4_fill_ace4
Logging flags in case they do not match seems unnecessary. Other log
messages should show the flags as well.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2019-07-23 18:27:27 +00:00
Christof Schmitt
abb58b1759 nfs4_acls: Move adding of NFS4 ACE to ACL to smbacl4_fill_ace4
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2019-07-23 18:27:27 +00:00
Christof Schmitt
3499d97463 nfs4_acls: Move smbacl4_MergeIgnoreReject function
This static function will be called earlier in later patches.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2019-07-23 18:27:26 +00:00
Christof Schmitt
44790721e4 nfs4_acls: Remove i argument from smbacl4_MergeIgnoreReject
This is only used for logging of a rejected ACL, but does not provide
additional useful information. Remove it to simplify the function a bit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2019-07-23 18:27:26 +00:00
Christof Schmitt
ba73d2363d nfs4_acls: Add missing braces in smbacl4_win2nfs4
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2019-07-23 18:27:26 +00:00
Christof Schmitt
336e8668c1 nfs4_acls: Add helper function for checking INHERIT flags.
This avoids some code duplication. Do not make this static, as it will
be used in a later patch.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmit <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2019-07-23 18:27:26 +00:00
Christof Schmitt
3b3d722ce5 nfs4_acls: Use correct type when checking ownerGID
uid and gid are members of the same union so this makes no difference,
but for type correctness and readability use the gid to check for
ownerGID.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2019-07-23 18:27:26 +00:00
Christof Schmitt
f198a0867e nfs4_acls: Use switch/case for checking idmap type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2019-07-23 18:27:26 +00:00
Christof Schmitt
d9a2ff559e nfs4_acls: Use sids_to_unixids to lookup uid or gid
This is the newer API to lookup id mappings and will make it easier to
add to the IDMAP_TYPE_BOTH case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2019-07-23 18:27:26 +00:00
Christof Schmitt
a06486bb11 nfs4_acls: Remove fsp from smbacl4_win2nfs4
Only the information whether the ACL is for a file or a directory is
required. Replacing the fsp with a flag is clearer and allows for unit
testing of the mapping functions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2019-07-23 18:27:25 +00:00
Christof Schmitt
42bd3a72a2 Revert "nfs4acl: Fix owner mapping with ID_TYPE_BOTH"
This reverts commit 5d4f7bfda5.

That patch broke the case with ID_TYPE_BOTH where a file is owned by a
group (e.g. using autorid and having a file owned by
BUILTIN\Administrators). In this case, the ACE entry for the group gets
mapped to a user ACL entry and the group no longer has access (as in
the user's token the group is not mapped to a uid).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2019-07-23 18:27:25 +00:00
Volker Lendecke
59f29acb2c vfs: Use dom_sid_str_buf
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-12-20 23:40:25 +01:00
Volker Lendecke
abcb983430 nfs4acls: Slightly simplify smb_add_ace4
The comment was a bit confusing to me, it took a few seconds too many to figure
out *why* setting NULL is not required. Remove it :-)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-10-22 17:46:15 +02:00
Volker Lendecke
5c520f79a6 nfs4acls: Fix a debug message
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-10-22 17:46:15 +02:00
Ralph Boehme
4102697503 s3/vfs: move ACE4_ADD_FILE/ACE4_DELETE_CHILD mapping from NFSv4 framework to vfs_zfsacl
This was added in e6a5f11865 to adopt the
NFSv4 framework to follow ZFS permission rules. But this is the wrong
place, other filesystems like GPFS do not allow deletion when the user
has SEC_DIR_ADD_FILE.

This patch therefore moves the change from the NFS4 framework into the
ZFS module.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=6133

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Sep  9 04:59:51 CEST 2017 on sn-devel-144
2017-09-09 04:59:51 +02:00
Ralph Boehme
4591a91c4a vfs/nfs4_acls: move special handling of SMB_ACE4_SYNCHRONIZE to vfs_zfsacl
Commit 99a74ff5e6 added special handling
of SMB_ACE4_SYNCHRONIZE, always setting it in the access_mask when
fabricating an ACL. While at the same time removing it from the
access_mask when setting an ACL, but this is done directly in
vfs_zfsacl, not in the common code.

Forcing SMB_ACE4_SYNCHRONIZE to be always set is only needed on ZFS, the
other VFS modules using the common NFSv4 infrastructure should not be
made victims of the special ZFS behaviour.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=7909

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-09-09 01:07:17 +02:00
Ralph Boehme
71937b16bf s3/vfs/nfs4_acls: avoid a stat
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Sep 27 04:03:03 CEST 2016 on sn-devel-144
2016-09-27 04:03:02 +02:00
Christof Schmitt
5d4f7bfda5 nfs4acl: Fix owner mapping with ID_TYPE_BOTH
This fixes a corner case when using NFS4 ACLs with ID_TYPE_BOTH.  Before
this patch, the owner entry in the ACL would be mapped to a gid entry in
the NFSv4 ACL, and not the expected special owner entry. This is caused
by the id mapping returning a valid gid and the nfs4 mapping assumed
that this was actually a group.

Fix this by asking for the uid first, and explicitly checking if the
mapped uid matches the owner. That creates a uid entry in the NFSv4 ACL
that can be changed later in smbacl4_substitute_{simple,special} to the
expected special owner entry.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-15 20:50:06 +02:00
Volker Lendecke
519b10e224 nfs4acls: Allow nfs4 acl params to be set by callers
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-08-12 17:15:20 +02:00
Volker Lendecke
d982ea5246 nfs4acls: Make smbacl4_vfs_params public
vfs_gpfs & others will be able to embed this structure in their special config.

We could have gone with an anonymous struct and a talloc'ed object, but for my
taste this is specialized and hidden enough that it's not worth the
indirection.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-08-12 17:15:20 +02:00
Volker Lendecke
e3523c8d46 nfs4acls: Add "smbacl4_vfs_params" parameter to smb_set_nt_acl_nfs4
Pure placeholder right now, this will allow vfs modules to load the params in
advance

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-08-12 17:15:20 +02:00
Volker Lendecke
02882b44df nfs4acls: Add "smbacl4_vfs_params" parameter to smb_get_nt_acl_nfs4
Pure placeholder right now, this will allow vfs modules to load the params in
advance

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-08-12 17:15:20 +02:00
Volker Lendecke
fbddf56f17 nfs4acls: Add "smbacl4_vfs_params" parameter to smb_fget_nt_acl_nfs4
Pure placeholder right now, this will allow vfs modules to load the params
in advance. nfs4 acl parameters should not change while a tcon is live,
and lp_parm_get_* show up in profiles. Loading the parameters once at
tcon time will remove this.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-08-12 17:15:20 +02:00
Volker Lendecke
41bb898d0a nfs4acls: Add some const
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-08-12 17:15:20 +02:00
Volker Lendecke
baaf4e393b nfs4acls: Remove a typedef
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-08-12 17:15:20 +02:00
Jeremy Allison
6ae59eb6d1 s3: smbd: Modify vfs_stat_smb_basename() to take a const struct smb_filename * instead of const char *.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-03-24 22:57:17 +01:00
Jeremy Allison
faf7185fe4 s3:vfs: Change smbacl4_GetFileOwner() to take const struct smb_filename * from const char *.
Preparing to remove vfs_stat_smb_basename() call.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <rb@sernet.de>
2016-03-14 23:02:11 +01:00
Jeremy Allison
cb7016594a s3:smbd:vfs: Change smb_get_nt_acl_nfs4() to take a const struct smb_filename *.
Push the struct further down closer to places that use
lp_posix_pathname() functions.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <rb@sernet.de>
2016-03-14 23:02:10 +01:00
Volker Lendecke
b5ce90e609 nfs4acls: Remove type_name param from smbacl4_get_vfs_params
It is kind of unexpected that we get params for something else but
"nfs4:"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Aug 13 17:45:31 CEST 2015 on sn-devel-104
2015-08-13 17:45:31 +02:00
Volker Lendecke
173dca482b nfs4acls: Fix a small memleak
We don't need the nt_ace_list beyond this function, make_sec_acl makes
a copy and make_sec_desc makes another one

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-08-13 14:40:16 +02:00
Volker Lendecke
9287b6788d nfs4acls: Introduce a helper variable
... triggered by removing a "==false" condition

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-08-13 14:40:16 +02:00
Volker Lendecke
5caaf00e7b nfs4acls: Remove a few unnecessary casts
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-08-13 14:40:16 +02:00
Volker Lendecke
fafd0a0c69 nfs4acls: Use talloc_realloc()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-08-13 14:40:16 +02:00