author | Ralph Boehme <slow@samba.org> | 2016-08-26 10:04:53 +0200 |
---|---|---|
committer | Ralph Boehme <slow@samba.org> | 2016-08-31 18:41:20 +0200 |
commit | b72287514cc78c9019db7385af4c9b9d94f60894 (patch) | |
tree | b421b812d5632c60d469aa09761180efae446441 | |
parent | cbe8f0d63b90e4380da35e9f9f5a05d8ccc2058b (diff) | |
download | samba-b72287514cc78c9019db7385af4c9b9d94f60894.tar.gz |
vfs_acl_xattr|tdb: enforced settings when ignore system acls=yes
When "ignore system acls" is set to "yes", we need to ensure filesystem
permissions always grant access so that when doing our own access checks
we don't run into situations where we grant access but the filesystem
doesn't.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12181
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Aug 31 18:41:20 CEST 2016 on sn-devel-144
-rw-r--r-- | docs-xml/manpages/vfs_acl_tdb.8.xml | 15 | ||||
-rw-r--r-- | docs-xml/manpages/vfs_acl_xattr.8.xml | 15 | ||||
-rw-r--r-- | source3/modules/vfs_acl_tdb.c | 21 | ||||
-rw-r--r-- | source3/modules/vfs_acl_xattr.c | 21 | ||||
-rw-r--r-- | source4/torture/vfs/acl_xattr.c | 4 |
5 files changed, 74 insertions, 2 deletions
diff --git a/docs-xml/manpages/vfs_acl_tdb.8.xml b/docs-xml/manpages/vfs_acl_tdb.8.xml
index 68e41797aad..2510f0804a1 100644
--- a/docs-xml/manpages/vfs_acl_tdb.8.xml
+++ b/docs-xml/manpages/vfs_acl_tdb.8.xml
@@ -70,6 +70,21 @@ access the data via Samba you might set this to yes to achieve better NT ACL compatibility. </para>
+
+ <para>
+ If <emphasis>acl_tdb:ignore system acls</emphasis>
+ is set to <emphasis>yes</emphasis>, the following
+ additional settings will be enforced:
+ <itemizedlist>
+ <listitem><para>create mask = 0666</para></listitem>
+ <listitem><para>directory mask = 0777</para></listitem>
+ <listitem><para>map archive = no</para></listitem>
+ <listitem><para>map hidden = no</para></listitem>
+ <listitem><para>map readonly = no</para></listitem>
+ <listitem><para>map system = no</para></listitem>
+ <listitem><para>store dos attributes = yes</para></listitem>
+ </itemizedlist>
+ </para>
 </listitem> </varlistentry>
diff --git a/docs-xml/manpages/vfs_acl_xattr.8.xml b/docs-xml/manpages/vfs_acl_xattr.8.xml
index 8396ced4e48..9d212900871 100644
--- a/docs-xml/manpages/vfs_acl_xattr.8.xml
+++ b/docs-xml/manpages/vfs_acl_xattr.8.xml
@@ -74,6 +74,21 @@ access the data via Samba you might set this to yes to achieve better NT ACL compatibility. </para>
+
+ <para>
+ If <emphasis>acl_xattr:ignore system acls</emphasis>
+ is set to <emphasis>yes</emphasis>, the following
+ additional settings will be enforced:
+ <itemizedlist>
+ <listitem><para>create mask = 0666</para></listitem>
+ <listitem><para>directory mask = 0777</para></listitem>
+ <listitem><para>map archive = no</para></listitem>
+ <listitem><para>map hidden = no</para></listitem>
+ <listitem><para>map readonly = no</para></listitem>
+ <listitem><para>map system = no</para></listitem>
+ <listitem><para>store dos attributes = yes</para></listitem>
+ </itemizedlist>
+ </para>
 </listitem> </varlistentry>
diff --git a/source3/modules/vfs_acl_tdb.c b/source3/modules/vfs_acl_tdb.c
index 0c92b729b3b..174affe9ae0 100644
--- a/source3/modules/vfs_acl_tdb.c
+++ b/source3/modules/vfs_acl_tdb.c
@@ -309,6 +309,7 @@ static int connect_acl_tdb(struct vfs_handle_struct *handle,
 {
 int ret = SMB_VFS_NEXT_CONNECT(handle, service, user);
 bool ok;
+ struct acl_common_config *config = NULL;
 if (ret < 0) {
 return ret;
@@ -336,6 +337,26 @@ static int connect_acl_tdb(struct vfs_handle_struct *handle,
 lp_do_parameter(SNUM(handle->conn), "dos filemode", "true");
 lp_do_parameter(SNUM(handle->conn), "force unknown acl user", "true");
+ SMB_VFS_HANDLE_GET_DATA(handle, config,
+ struct acl_common_config,
+ return -1);
+
+ if (config->ignore_system_acls) {
+ DBG_NOTICE("setting 'create mask = 0666', "
+ "'directory mask = 0777', "
+ "'store dos attributes = yes' and all "
+ "'map ...' options to 'no'\n");
+
+ lp_do_parameter(SNUM(handle->conn), "create mask", "0666");
+ lp_do_parameter(SNUM(handle->conn), "directory mask", "0777");
+ lp_do_parameter(SNUM(handle->conn), "map archive", "no");
+ lp_do_parameter(SNUM(handle->conn), "map hidden", "no");
+ lp_do_parameter(SNUM(handle->conn), "map readonly", "no");
+ lp_do_parameter(SNUM(handle->conn), "map system", "no");
+ lp_do_parameter(SNUM(handle->conn), "store dos attributes",
+ "yes");
+ }
+
 return 0;
 }
diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c
index 307ab6af796..e1f90fff281 100644
--- a/source3/modules/vfs_acl_xattr.c
+++ b/source3/modules/vfs_acl_xattr.c
@@ -181,6 +181,7 @@ static int connect_acl_xattr(struct vfs_handle_struct *handle,
 {
 int ret = SMB_VFS_NEXT_CONNECT(handle, service, user);
 bool ok;
+ struct acl_common_config *config = NULL;
 if (ret < 0) {
 return ret;
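Review bot: The seven `lp_do_parameter()` calls added under `if (config->ignore_system_acls)` in connect_acl_tdb discard their results, so an override that does not take effect leaves the share running with Samba-side access checks but without the permissive on-disk modes the commit message says they depend on. If lp_do_parameter() reports failure (it appears to return a bool; confirm against its prototype), drive the overrides from a table and fail the connect on the first one that is rejected, as sketched below. The identical block in connect_acl_xattr (second hunk of source3/modules/vfs_acl_xattr.c) has the same gap, and a helper shared by both modules would keep the two lists from drifting apart. A comment above the block should also record that 0666/0777 leave the files open to any local account at the POSIX level, so the stored NT ACL only protects data reached through Samba. connect_acl_tdb begins before this hunk.

```c
	if (config->ignore_system_acls) {
		static const struct {
			const char *name;
			const char *value;
		} enforced[] = {
			{ "create mask", "0666" },
			{ "directory mask", "0777" },
			{ "map archive", "no" },
			{ "map hidden", "no" },
			{ "map readonly", "no" },
			{ "map system", "no" },
			{ "store dos attributes", "yes" },
		};
		size_t i;

		/* ... unchanged: DBG_NOTICE listing the enforced settings ... */

		for (i = 0; i < ARRAY_SIZE(enforced); i++) {
			if (!lp_do_parameter(SNUM(handle->conn),
					     enforced[i].name,
					     enforced[i].value)) {
				DBG_ERR("failed to enforce '%s = %s'\n",
					enforced[i].name, enforced[i].value);
				return -1;
			}
		}
	}
```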
@@ -203,6 +204,26 @@ static int connect_acl_xattr(struct vfs_handle_struct *handle,
 lp_do_parameter(SNUM(handle->conn), "dos filemode", "true");
 lp_do_parameter(SNUM(handle->conn), "force unknown acl user", "true");
+ SMB_VFS_HANDLE_GET_DATA(handle, config,
+ struct acl_common_config,
+ return -1);
+
+ if (config->ignore_system_acls) {
+ DBG_NOTICE("setting 'create mask = 0666', "
+ "'directory mask = 0777', "
+ "'store dos attributes = yes' and all "
+ "'map ...' options to 'no'\n");
+
+ lp_do_parameter(SNUM(handle->conn), "create mask", "0666");
+ lp_do_parameter(SNUM(handle->conn), "directory mask", "0777");
+ lp_do_parameter(SNUM(handle->conn), "map archive", "no");
+ lp_do_parameter(SNUM(handle->conn), "map hidden", "no");
+ lp_do_parameter(SNUM(handle->conn), "map readonly", "no");
+ lp_do_parameter(SNUM(handle->conn), "map system", "no");
+ lp_do_parameter(SNUM(handle->conn), "store dos attributes",
+ "yes");
+ }
+
 return 0;
 }
diff --git a/source4/torture/vfs/acl_xattr.c b/source4/torture/vfs/acl_xattr.c
index 7fd10d0dcd1..df4dd299fe0 100644
--- a/source4/torture/vfs/acl_xattr.c
+++ b/source4/torture/vfs/acl_xattr.c
@@ -169,8 +169,8 @@ static bool test_default_acl_posix(struct torture_context *tctx,
 exp_sd = security_descriptor_dacl_create( tctx, 0, owner_sid, group_sid, owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_ALL, 0,
- group_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE, 0,
- SID_WORLD, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE, 0,
+ group_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, FILE_GENERIC_READ|FILE_GENERIC_WRITE|FILE_GENERIC_EXECUTE, 0,
+ SID_WORLD, SEC_ACE_TYPE_ACCESS_ALLOWED, FILE_GENERIC_READ|FILE_GENERIC_WRITE|FILE_GENERIC_EXECUTE, 0,
 SID_NT_SYSTEM, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_ALL, 0, NULL); |
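Review bot: The expected descriptor in test_default_acl_posix now grants `FILE_GENERIC_WRITE` to `group_sid` and `SID_WORLD` with nothing in the test saying why, which invites a later tightening back to read/execute. Presumably this follows from the enforced `create mask = 0666` / `directory mask = 0777`; a one-line comment above the call such as `/* ignore system acls=yes enforces 0666/0777, so group and world get rwx in the default ACL */` would pin that down. The function starts and ends outside the hunk.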