vfs_acl_xattr|tdb: enforced settings when ignore system acls=yes

When "ignore system acls" is set to "yes, we need to ensure filesystem permission always grant access so that when doing our own access checks we don't run into situations where we grant access but the filesystem doesn't. Bug: https://bugzilla.samba.org/show_bug.cgi?id=12181 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Ralph Böhme <slow@samba.org> Autobuild-Date(master): Wed Aug 31 18:41:20 CEST 2016 on sn-devel-144 (cherry picked from commit b72287514cc78c9019db7385af4c9b9d94f60894)
author: Ralph Boehme <slow@samba.org> 2016-08-26 10:04:53 +0200
committer: Karolin Seeger <kseeger@samba.org> 2016-09-20 10:10:18 +0200
commit: 5992c18963f3ed677fa5b92cb7322107e9990344 (patch)
tree: acfaff8365ac9d02ca1e1d0f5943857623fd0288
parent: e124785536a284f183d1affc73ee4cf64a968bc8 (diff)
download: samba-5992c18963f3ed677fa5b92cb7322107e9990344.tar.gz
5 files changed, 74 insertions, 2 deletions
diff --git a/docs-xml/manpages/vfs_acl_tdb.8.xml b/docs-xml/manpages/vfs_acl_tdb.8.xml
index 36ef22b49ae..d62f2e1cc93 100644
--- a/docs-xml/manpages/vfs_acl_tdb.8.xml
+++ b/docs-xml/manpages/vfs_acl_tdb.8.xml
@@ -70,6 +70,21 @@
 		access the data via Samba you might set this to yes to achieve
 		better NT ACL compatibility.
 		</para>
+
+		<para>
+		If <emphasis>acl_tdb:ignore system acls</emphasis>
+		is set to <emphasis>yes</emphasis>, the following
+		additional settings will be enforced:
+		<itemizedlist>
+		<listitem><para>create mask = 0666</para></listitem>
+		<listitem><para>directory mask = 0777</para></listitem>
+		<listitem><para>map archive = no</para></listitem>
+		<listitem><para>map hidden = no</para></listitem>
+		<listitem><para>map readonly = no</para></listitem>
+		<listitem><para>map system = no</para></listitem>
+		<listitem><para>store dos attributes = yes</para></listitem>
+		</itemizedlist>
+		</para>
 		</listitem>
 		</varlistentry>
 
diff --git a/docs-xml/manpages/vfs_acl_xattr.8.xml b/docs-xml/manpages/vfs_acl_xattr.8.xml
index 882817f3272..4c609cb057e 100644
--- a/docs-xml/manpages/vfs_acl_xattr.8.xml
+++ b/docs-xml/manpages/vfs_acl_xattr.8.xml
@@ -74,6 +74,21 @@
 		access the data via Samba you might set this to yes to achieve
 		better NT ACL compatibility.
 		</para>
+
+		<para>
+		If <emphasis>acl_xattr:ignore system acls</emphasis>
+		is set to <emphasis>yes</emphasis>, the following
+		additional settings will be enforced:
+		<itemizedlist>
+		<listitem><para>create mask = 0666</para></listitem>
+		<listitem><para>directory mask = 0777</para></listitem>
+		<listitem><para>map archive = no</para></listitem>
+		<listitem><para>map hidden = no</para></listitem>
+		<listitem><para>map readonly = no</para></listitem>
+		<listitem><para>map system = no</para></listitem>
+		<listitem><para>store dos attributes = yes</para></listitem>
+		</itemizedlist>
+		</para>
 		</listitem>
 		</varlistentry>
 
diff --git a/source3/modules/vfs_acl_tdb.c b/source3/modules/vfs_acl_tdb.c
index d2417d7a714..7983a894804 100644
--- a/source3/modules/vfs_acl_tdb.c
+++ b/source3/modules/vfs_acl_tdb.c
@@ -306,6 +306,7 @@ static int connect_acl_tdb(struct vfs_handle_struct *handle,
 {
 	int ret = SMB_VFS_NEXT_CONNECT(handle, service, user);
 	bool ok;
+	struct acl_common_config *config = NULL;
 
 	if (ret < 0) {
 		return ret;
@@ -333,6 +334,26 @@ static int connect_acl_tdb(struct vfs_handle_struct *handle,
 	lp_do_parameter(SNUM(handle->conn), "dos filemode", "true");
 	lp_do_parameter(SNUM(handle->conn), "force unknown acl user", "true");
 
+	SMB_VFS_HANDLE_GET_DATA(handle, config,
+				struct acl_common_config,
+				return -1);
+
+	if (config->ignore_system_acls) {
+		DBG_NOTICE("setting 'create mask = 0666', "
+			   "'directory mask = 0777', "
+			   "'store dos attributes = yes' and all "
+			   "'map ...' options to 'no'\n");
+
+		lp_do_parameter(SNUM(handle->conn), "create mask", "0666");
+		lp_do_parameter(SNUM(handle->conn), "directory mask", "0777");
+		lp_do_parameter(SNUM(handle->conn), "map archive", "no");
+		lp_do_parameter(SNUM(handle->conn), "map hidden", "no");
+		lp_do_parameter(SNUM(handle->conn), "map readonly", "no");
+		lp_do_parameter(SNUM(handle->conn), "map system", "no");
+		lp_do_parameter(SNUM(handle->conn), "store dos attributes",
+				"yes");
+	}
+
 	return 0;
 }
 
diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c
index ae032c8bd5b..e7108991e4c 100644
--- a/source3/modules/vfs_acl_xattr.c
+++ b/source3/modules/vfs_acl_xattr.c
@@ -181,6 +181,7 @@ static int connect_acl_xattr(struct vfs_handle_struct *handle,
 {
 	int ret = SMB_VFS_NEXT_CONNECT(handle, service, user);
 	bool ok;
+	struct acl_common_config *config = NULL;
 
 	if (ret < 0) {
 		return ret;
@@ -203,6 +204,26 @@ static int connect_acl_xattr(struct vfs_handle_struct *handle,
         lp_do_parameter(SNUM(handle->conn), "dos filemode", "true");
         lp_do_parameter(SNUM(handle->conn), "force unknown acl user", "true");
 
+	SMB_VFS_HANDLE_GET_DATA(handle, config,
+				struct acl_common_config,
+				return -1);
+
+	if (config->ignore_system_acls) {
+		DBG_NOTICE("setting 'create mask = 0666', "
+			   "'directory mask = 0777', "
+			   "'store dos attributes = yes' and all "
+			   "'map ...' options to 'no'\n");
+
+		lp_do_parameter(SNUM(handle->conn), "create mask", "0666");
+		lp_do_parameter(SNUM(handle->conn), "directory mask", "0777");
+		lp_do_parameter(SNUM(handle->conn), "map archive", "no");
+		lp_do_parameter(SNUM(handle->conn), "map hidden", "no");
+		lp_do_parameter(SNUM(handle->conn), "map readonly", "no");
+		lp_do_parameter(SNUM(handle->conn), "map system", "no");
+		lp_do_parameter(SNUM(handle->conn), "store dos attributes",
+				"yes");
+	}
+
 	return 0;
 }
 
diff --git a/source4/torture/vfs/acl_xattr.c b/source4/torture/vfs/acl_xattr.c
index 7fd10d0dcd1..df4dd299fe0 100644
--- a/source4/torture/vfs/acl_xattr.c
+++ b/source4/torture/vfs/acl_xattr.c
@@ -169,8 +169,8 @@ static bool test_default_acl_posix(struct torture_context *tctx,
 	exp_sd = security_descriptor_dacl_create(
 		tctx, 0, owner_sid, group_sid,
 		owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_ALL, 0,
-		group_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE, 0,
-		SID_WORLD, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE, 0,
+		group_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, FILE_GENERIC_READ|FILE_GENERIC_WRITE|FILE_GENERIC_EXECUTE, 0,
+		SID_WORLD, SEC_ACE_TYPE_ACCESS_ALLOWED, FILE_GENERIC_READ|FILE_GENERIC_WRITE|FILE_GENERIC_EXECUTE, 0,
 		SID_NT_SYSTEM, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_ALL, 0,
 		NULL);
author	Ralph Boehme <slow@samba.org>	2016-08-26 10:04:53 +0200
committer	Karolin Seeger <kseeger@samba.org>	2016-09-20 10:10:18 +0200
commit	5992c18963f3ed677fa5b92cb7322107e9990344 (patch)
tree	acfaff8365ac9d02ca1e1d0f5943857623fd0288
parent	e124785536a284f183d1affc73ee4cf64a968bc8 (diff)
download	samba-5992c18963f3ed677fa5b92cb7322107e9990344.tar.gz