vfs_fruit: add option veto_appledouble

vfs_fruit adds a wildcard path "._*" to the vetolist in order to prevent
client access to ._ AppleDouble files created internally by vfs_fruit
for storing the Mac resource fork stream.

Unfortunately there are legitimite use cases where an OS X client may
want to use such filenames, extracting ZIP archives (where the archive
contains ._ files) being one of them.

A possible simple solution to this problem would be to not veto ._ files
in the first place, even though that exposes internally created ._ files
which the client shouldn't be able to access.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11305

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Jun  9 14:48:14 CEST 2015 on sn-devel-104

(cherry picked from commit b26a1449a0e6d01d5ddca89547df739732c8a230)

2 files changed, 45 insertions, 20 deletions

diff --git a/docs-xml/manpages/vfs_fruit.8.xml b/docs-xml/manpages/vfs_fruit.8.xml
index 4e296a42130..e407b54ad1c 100644
--- a/docs-xml/manpages/vfs_fruit.8.xml
+++ b/docs-xml/manpages/vfs_fruit.8.xml
@@ -197,6 +197,23 @@
 	    </listitem>
 	  </varlistentry>
 
+	  <varlistentry>
+	    <term>fruit:veto_appledouble = yes | no</term>
+	    <listitem>
+	      <para>Whether ._ AppleDouble files are vetoed which
+	      prevents the client from seing and accessing internal
+	      AppleDouble files created by vfs_fruit itself for the
+	      purpose of storing a Mac resource fork.</para>
+	      <para>Vetoing ._ files may break some applications, eg
+	      extracting Mac ZIP archives from Mac clients failes,
+	      because they contain ._ files. Setting this option to
+	      false will fix this, but the abstraction leak of
+	      exposing the internally created ._ files may have other
+	      unknown side effects.</para>
+	      <para>The default is <emphasis>yes</emphasis>.</para>
+	    </listitem>
+	  </varlistentry>
+
 	</variablelist>
 </refsect1>
 
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index adf283b124d..8f0c4f8f2be 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -125,6 +125,7 @@ struct fruit_config_data {
 	bool use_aapl;
 	bool readdir_attr_enabled;
 	bool unix_info_enabled;
+	bool veto_appledouble;
 
 	/*
 	 * Additional options, all enabled by default,
@@ -1332,6 +1333,11 @@ static int init_fruit_config(vfs_handle_struct *handle)
 	}
 	config->encoding = (enum fruit_encoding)enumval;
 
+	if (lp_parm_bool(SNUM(handle->conn),
+			 FRUIT_PARAM_TYPE_NAME, "veto_appledouble", true)) {
+		config->veto_appledouble = true;
+	}
+
 	if (lp_parm_bool(-1, FRUIT_PARAM_TYPE_NAME, "aapl", true)) {
 		config->use_aapl = true;
 	}
@@ -2012,26 +2018,6 @@ static int fruit_connect(vfs_handle_struct *handle,
 		return rc;
 	}
 
-	list = lp_veto_files(talloc_tos(), SNUM(handle->conn));
-
-	if (list) {
-		if (strstr(list, "/" ADOUBLE_NAME_PREFIX "*/") == NULL) {
-			newlist = talloc_asprintf(
-				list,
-				"%s/" ADOUBLE_NAME_PREFIX "*/",
-				list);
-			lp_do_parameter(SNUM(handle->conn),
-					"veto files",
-					newlist);
-		}
-	} else {
-		lp_do_parameter(SNUM(handle->conn),
-				"veto files",
-				"/" ADOUBLE_NAME_PREFIX "*/");
-	}
-
-	TALLOC_FREE(list);
-
 	rc = init_fruit_config(handle);
 	if (rc != 0) {
 		return rc;
@@ -2040,6 +2026,28 @@ static int fruit_connect(vfs_handle_struct *handle,
 	SMB_VFS_HANDLE_GET_DATA(handle, config,
 				struct fruit_config_data, return -1);
 
+	if (config->veto_appledouble) {
+		list = lp_veto_files(talloc_tos(), SNUM(handle->conn));
+
+		if (list) {
+			if (strstr(list, "/" ADOUBLE_NAME_PREFIX "*/") == NULL) {
+				newlist = talloc_asprintf(
+					list,
+					"%s/" ADOUBLE_NAME_PREFIX "*/",
+					list);
+				lp_do_parameter(SNUM(handle->conn),
+						"veto files",
+						newlist);
+			}
+		} else {
+			lp_do_parameter(SNUM(handle->conn),
+					"veto files",
+					"/" ADOUBLE_NAME_PREFIX "*/");
+		}
+
+		TALLOC_FREE(list);
+	}
+
 	if (config->encoding == FRUIT_ENC_NATIVE) {
 		lp_do_parameter(
 			SNUM(handle->conn),