vfs_acl_xattr|tdb: enforced settings when ignore system acls=yes

When "ignore system acls" is set to "yes, we need to ensure filesystem permission always grant access so that when doing our own access checks we don't run into situations where we grant access but the filesystem doesn't. Bug: https://bugzilla.samba.org/show_bug.cgi?id=12181 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Ralph Böhme <slow@samba.org> Autobuild-Date(master): Wed Aug 31 18:41:20 CEST 2016 on sn-devel-144
author: Ralph Boehme <slow@samba.org> 2016-08-26 10:04:53 +0200
committer: Ralph Boehme <slow@samba.org> 2016-08-31 18:41:20 +0200
commit: b72287514cc78c9019db7385af4c9b9d94f60894 (patch)
tree: b421b812d5632c60d469aa09761180efae446441
parent: cbe8f0d63b90e4380da35e9f9f5a05d8ccc2058b (diff)
download: samba-b72287514cc78c9019db7385af4c9b9d94f60894.tar.gz
5 files changed, 74 insertions, 2 deletions
diff --git a/docs-xml/manpages/vfs_acl_tdb.8.xml b/docs-xml/manpages/vfs_acl_tdb.8.xml
index 68e41797aad..2510f0804a1 100644
--- a/docs-xml/manpages/vfs_acl_tdb.8.xml
+++ b/docs-xml/manpages/vfs_acl_tdb.8.xml
@@ -70,6 +70,21 @@
 		access the data via Samba you might set this to yes to achieve
 		better NT ACL compatibility.
 		</para>
+
+		<para>
+		If <emphasis>acl_tdb:ignore system acls</emphasis>
+		is set to <emphasis>yes</emphasis>, the following
+		additional settings will be enforced:
+		<itemizedlist>
+		<listitem><para>create mask = 0666</para></listitem>
+		<listitem><para>directory mask = 0777</para></listitem>
+		<listitem><para>map archive = no</para></listitem>
+		<listitem><para>map hidden = no</para></listitem>
+		<listitem><para>map readonly = no</para></listitem>
+		<listitem><para>map system = no</para></listitem>
+		<listitem><para>store dos attributes = yes</para></listitem>
+		</itemizedlist>
+		</para>
 		</listitem>
 		</varlistentry>
 
diff --git a/docs-xml/manpages/vfs_acl_xattr.8.xml b/docs-xml/manpages/vfs_acl_xattr.8.xml
index 8396ced4e48..9d212900871 100644
--- a/docs-xml/manpages/vfs_acl_xattr.8.xml
+++ b/docs-xml/manpages/vfs_acl_xattr.8.xml
@@ -74,6 +74,21 @@
 		access the data via Samba you might set this to yes to achieve
 		better NT ACL compatibility.
 		</para>
+
+		<para>
+		If <emphasis>acl_xattr:ignore system acls</emphasis>
+		is set to <emphasis>yes</emphasis>, the following
+		additional settings will be enforced:
+		<itemizedlist>
+		<listitem><para>create mask = 0666</para></listitem>
+		<listitem><para>directory mask = 0777</para></listitem>
+		<listitem><para>map archive = no</para></listitem>
+		<listitem><para>map hidden = no</para></listitem>
+		<listitem><para>map readonly = no</para></listitem>
+		<listitem><para>map system = no</para></listitem>
+		<listitem><para>store dos attributes = yes</para></listitem>
+		</itemizedlist>
+		</para>
 		</listitem>
 		</varlistentry>
 
diff --git a/source3/modules/vfs_acl_tdb.c b/source3/modules/vfs_acl_tdb.c
index 0c92b729b3b..174affe9ae0 100644
--- a/source3/modules/vfs_acl_tdb.c
+++ b/source3/modules/vfs_acl_tdb.c
@@ -309,6 +309,7 @@ static int connect_acl_tdb(struct vfs_handle_struct *handle,
 {
 	int ret = SMB_VFS_NEXT_CONNECT(handle, service, user);
 	bool ok;
+	struct acl_common_config *config = NULL;
 
 	if (ret < 0) {
 		return ret;
@@ -336,6 +337,26 @@ static int connect_acl_tdb(struct vfs_handle_struct *handle,
 	lp_do_parameter(SNUM(handle->conn), "dos filemode", "true");
 	lp_do_parameter(SNUM(handle->conn), "force unknown acl user", "true");
 
+	SMB_VFS_HANDLE_GET_DATA(handle, config,
+				struct acl_common_config,
+				return -1);
+
+	if (config->ignore_system_acls) {
+		DBG_NOTICE("setting 'create mask = 0666', "
+			   "'directory mask = 0777', "
+			   "'store dos attributes = yes' and all "
+			   "'map ...' options to 'no'\n");
+
+		lp_do_parameter(SNUM(handle->conn), "create mask", "0666");
+		lp_do_parameter(SNUM(handle->conn), "directory mask", "0777");
+		lp_do_parameter(SNUM(handle->conn), "map archive", "no");
+		lp_do_parameter(SNUM(handle->conn), "map hidden", "no");
+		lp_do_parameter(SNUM(handle->conn), "map readonly", "no");
+		lp_do_parameter(SNUM(handle->conn), "map system", "no");
+		lp_do_parameter(SNUM(handle->conn), "store dos attributes",
+				"yes");
+	}
+
 	return 0;
 }
 
diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c
index 307ab6af796..e1f90fff281 100644
--- a/source3/modules/vfs_acl_xattr.c
+++ b/source3/modules/vfs_acl_xattr.c
@@ -181,6 +181,7 @@ static int connect_acl_xattr(struct vfs_handle_struct *handle,
 {
 	int ret = SMB_VFS_NEXT_CONNECT(handle, service, user);
 	bool ok;
+	struct acl_common_config *config = NULL;
 
 	if (ret < 0) {
 		return ret;
@@ -203,6 +204,26 @@ static int connect_acl_xattr(struct vfs_handle_struct *handle,
         lp_do_parameter(SNUM(handle->conn), "dos filemode", "true");
         lp_do_parameter(SNUM(handle->conn), "force unknown acl user", "true");
 
+	SMB_VFS_HANDLE_GET_DATA(handle, config,
+				struct acl_common_config,
+				return -1);
+
+	if (config->ignore_system_acls) {
+		DBG_NOTICE("setting 'create mask = 0666', "
+			   "'directory mask = 0777', "
+			   "'store dos attributes = yes' and all "
+			   "'map ...' options to 'no'\n");
+
+		lp_do_parameter(SNUM(handle->conn), "create mask", "0666");
+		lp_do_parameter(SNUM(handle->conn), "directory mask", "0777");
+		lp_do_parameter(SNUM(handle->conn), "map archive", "no");
+		lp_do_parameter(SNUM(handle->conn), "map hidden", "no");
+		lp_do_parameter(SNUM(handle->conn), "map readonly", "no");
+		lp_do_parameter(SNUM(handle->conn), "map system", "no");
+		lp_do_parameter(SNUM(handle->conn), "store dos attributes",
+				"yes");
+	}
+
 	return 0;
 }
 
diff --git a/source4/torture/vfs/acl_xattr.c b/source4/torture/vfs/acl_xattr.c
index 7fd10d0dcd1..df4dd299fe0 100644
--- a/source4/torture/vfs/acl_xattr.c
+++ b/source4/torture/vfs/acl_xattr.c
@@ -169,8 +169,8 @@ static bool test_default_acl_posix(struct torture_context *tctx,
 	exp_sd = security_descriptor_dacl_create(
 		tctx, 0, owner_sid, group_sid,
 		owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_ALL, 0,
-		group_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE, 0,
-		SID_WORLD, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE, 0,
+		group_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, FILE_GENERIC_READ|FILE_GENERIC_WRITE|FILE_GENERIC_EXECUTE, 0,
+		SID_WORLD, SEC_ACE_TYPE_ACCESS_ALLOWED, FILE_GENERIC_READ|FILE_GENERIC_WRITE|FILE_GENERIC_EXECUTE, 0,
 		SID_NT_SYSTEM, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_ALL, 0,
 		NULL);
author	Ralph Boehme <slow@samba.org>	2016-08-26 10:04:53 +0200
committer	Ralph Boehme <slow@samba.org>	2016-08-31 18:41:20 +0200
commit	b72287514cc78c9019db7385af4c9b9d94f60894 (patch)
tree	b421b812d5632c60d469aa09761180efae446441
parent	cbe8f0d63b90e4380da35e9f9f5a05d8ccc2058b (diff)
download	samba-b72287514cc78c9019db7385af4c9b9d94f60894.tar.gz