diff options
author | Ralph Boehme <slow@samba.org> | 2016-08-26 10:04:53 +0200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2016-09-20 10:10:18 +0200 |
commit | 5992c18963f3ed677fa5b92cb7322107e9990344 (patch) | |
tree | acfaff8365ac9d02ca1e1d0f5943857623fd0288 | |
parent | e124785536a284f183d1affc73ee4cf64a968bc8 (diff) | |
download | samba-5992c18963f3ed677fa5b92cb7322107e9990344.tar.gz |
vfs_acl_xattr|tdb: enforced settings when ignore system acls=yes
When "ignore system acls" is set to "yes, we need to ensure filesystem
permission always grant access so that when doing our own access checks
we don't run into situations where we grant access but the filesystem
doesn't.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12181
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Aug 31 18:41:20 CEST 2016 on sn-devel-144
(cherry picked from commit b72287514cc78c9019db7385af4c9b9d94f60894)
-rw-r--r-- | docs-xml/manpages/vfs_acl_tdb.8.xml | 15 | ||||
-rw-r--r-- | docs-xml/manpages/vfs_acl_xattr.8.xml | 15 | ||||
-rw-r--r-- | source3/modules/vfs_acl_tdb.c | 21 | ||||
-rw-r--r-- | source3/modules/vfs_acl_xattr.c | 21 | ||||
-rw-r--r-- | source4/torture/vfs/acl_xattr.c | 4 |
5 files changed, 74 insertions, 2 deletions
diff --git a/docs-xml/manpages/vfs_acl_tdb.8.xml b/docs-xml/manpages/vfs_acl_tdb.8.xml index 36ef22b49ae..d62f2e1cc93 100644 --- a/docs-xml/manpages/vfs_acl_tdb.8.xml +++ b/docs-xml/manpages/vfs_acl_tdb.8.xml @@ -70,6 +70,21 @@ access the data via Samba you might set this to yes to achieve better NT ACL compatibility. </para> + + <para> + If <emphasis>acl_tdb:ignore system acls</emphasis> + is set to <emphasis>yes</emphasis>, the following + additional settings will be enforced: + <itemizedlist> + <listitem><para>create mask = 0666</para></listitem> + <listitem><para>directory mask = 0777</para></listitem> + <listitem><para>map archive = no</para></listitem> + <listitem><para>map hidden = no</para></listitem> + <listitem><para>map readonly = no</para></listitem> + <listitem><para>map system = no</para></listitem> + <listitem><para>store dos attributes = yes</para></listitem> + </itemizedlist> + </para> </listitem> </varlistentry> diff --git a/docs-xml/manpages/vfs_acl_xattr.8.xml b/docs-xml/manpages/vfs_acl_xattr.8.xml index 882817f3272..4c609cb057e 100644 --- a/docs-xml/manpages/vfs_acl_xattr.8.xml +++ b/docs-xml/manpages/vfs_acl_xattr.8.xml @@ -74,6 +74,21 @@ access the data via Samba you might set this to yes to achieve better NT ACL compatibility. </para> + + <para> + If <emphasis>acl_xattr:ignore system acls</emphasis> + is set to <emphasis>yes</emphasis>, the following + additional settings will be enforced: + <itemizedlist> + <listitem><para>create mask = 0666</para></listitem> + <listitem><para>directory mask = 0777</para></listitem> + <listitem><para>map archive = no</para></listitem> + <listitem><para>map hidden = no</para></listitem> + <listitem><para>map readonly = no</para></listitem> + <listitem><para>map system = no</para></listitem> + <listitem><para>store dos attributes = yes</para></listitem> + </itemizedlist> + </para> </listitem> </varlistentry> diff --git a/source3/modules/vfs_acl_tdb.c b/source3/modules/vfs_acl_tdb.c index d2417d7a714..7983a894804 100644 --- a/source3/modules/vfs_acl_tdb.c +++ b/source3/modules/vfs_acl_tdb.c @@ -306,6 +306,7 @@ static int connect_acl_tdb(struct vfs_handle_struct *handle, { int ret = SMB_VFS_NEXT_CONNECT(handle, service, user); bool ok; + struct acl_common_config *config = NULL; if (ret < 0) { return ret; @@ -333,6 +334,26 @@ static int connect_acl_tdb(struct vfs_handle_struct *handle, lp_do_parameter(SNUM(handle->conn), "dos filemode", "true"); lp_do_parameter(SNUM(handle->conn), "force unknown acl user", "true"); + SMB_VFS_HANDLE_GET_DATA(handle, config, + struct acl_common_config, + return -1); + + if (config->ignore_system_acls) { + DBG_NOTICE("setting 'create mask = 0666', " + "'directory mask = 0777', " + "'store dos attributes = yes' and all " + "'map ...' options to 'no'\n"); + + lp_do_parameter(SNUM(handle->conn), "create mask", "0666"); + lp_do_parameter(SNUM(handle->conn), "directory mask", "0777"); + lp_do_parameter(SNUM(handle->conn), "map archive", "no"); + lp_do_parameter(SNUM(handle->conn), "map hidden", "no"); + lp_do_parameter(SNUM(handle->conn), "map readonly", "no"); + lp_do_parameter(SNUM(handle->conn), "map system", "no"); + lp_do_parameter(SNUM(handle->conn), "store dos attributes", + "yes"); + } + return 0; } diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c index ae032c8bd5b..e7108991e4c 100644 --- a/source3/modules/vfs_acl_xattr.c +++ b/source3/modules/vfs_acl_xattr.c @@ -181,6 +181,7 @@ static int connect_acl_xattr(struct vfs_handle_struct *handle, { int ret = SMB_VFS_NEXT_CONNECT(handle, service, user); bool ok; + struct acl_common_config *config = NULL; if (ret < 0) { return ret; @@ -203,6 +204,26 @@ static int connect_acl_xattr(struct vfs_handle_struct *handle, lp_do_parameter(SNUM(handle->conn), "dos filemode", "true"); lp_do_parameter(SNUM(handle->conn), "force unknown acl user", "true"); + SMB_VFS_HANDLE_GET_DATA(handle, config, + struct acl_common_config, + return -1); + + if (config->ignore_system_acls) { + DBG_NOTICE("setting 'create mask = 0666', " + "'directory mask = 0777', " + "'store dos attributes = yes' and all " + "'map ...' options to 'no'\n"); + + lp_do_parameter(SNUM(handle->conn), "create mask", "0666"); + lp_do_parameter(SNUM(handle->conn), "directory mask", "0777"); + lp_do_parameter(SNUM(handle->conn), "map archive", "no"); + lp_do_parameter(SNUM(handle->conn), "map hidden", "no"); + lp_do_parameter(SNUM(handle->conn), "map readonly", "no"); + lp_do_parameter(SNUM(handle->conn), "map system", "no"); + lp_do_parameter(SNUM(handle->conn), "store dos attributes", + "yes"); + } + return 0; } diff --git a/source4/torture/vfs/acl_xattr.c b/source4/torture/vfs/acl_xattr.c index 7fd10d0dcd1..df4dd299fe0 100644 --- a/source4/torture/vfs/acl_xattr.c +++ b/source4/torture/vfs/acl_xattr.c @@ -169,8 +169,8 @@ static bool test_default_acl_posix(struct torture_context *tctx, exp_sd = security_descriptor_dacl_create( tctx, 0, owner_sid, group_sid, owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_ALL, 0, - group_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE, 0, - SID_WORLD, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE, 0, + group_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, FILE_GENERIC_READ|FILE_GENERIC_WRITE|FILE_GENERIC_EXECUTE, 0, + SID_WORLD, SEC_ACE_TYPE_ACCESS_ALLOWED, FILE_GENERIC_READ|FILE_GENERIC_WRITE|FILE_GENERIC_EXECUTE, 0, SID_NT_SYSTEM, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_ALL, 0, NULL); |