vfs_acl_xattr|tdb: enforced settings when ignore system acls=yes
authorRalph Boehme <slow@samba.org>
Fri, 26 Aug 2016 08:04:53 +0000 (10:04 +0200)
committerRalph Boehme <slow@samba.org>
Wed, 31 Aug 2016 16:41:20 +0000 (18:41 +0200)
When "ignore system acls" is set to "yes, we need to ensure filesystem
permission always grant access so that when doing our own access checks
we don't run into situations where we grant access but the filesystem
doesn't.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12181

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Ralph B√∂hme <slow@samba.org>
Autobuild-Date(master): Wed Aug 31 18:41:20 CEST 2016 on sn-devel-144

docs-xml/manpages/vfs_acl_tdb.8.xml
docs-xml/manpages/vfs_acl_xattr.8.xml
source3/modules/vfs_acl_tdb.c
source3/modules/vfs_acl_xattr.c
source4/torture/vfs/acl_xattr.c

index 68e41797aad97144599e62d5aa77bc38244369bc..2510f0804a17d3ec79b3bb1d0e15075e4b9900b6 100644 (file)
                access the data via Samba you might set this to yes to achieve
                better NT ACL compatibility.
                </para>
+
+               <para>
+               If <emphasis>acl_tdb:ignore system acls</emphasis>
+               is set to <emphasis>yes</emphasis>, the following
+               additional settings will be enforced:
+               <itemizedlist>
+               <listitem><para>create mask = 0666</para></listitem>
+               <listitem><para>directory mask = 0777</para></listitem>
+               <listitem><para>map archive = no</para></listitem>
+               <listitem><para>map hidden = no</para></listitem>
+               <listitem><para>map readonly = no</para></listitem>
+               <listitem><para>map system = no</para></listitem>
+               <listitem><para>store dos attributes = yes</para></listitem>
+               </itemizedlist>
+               </para>
                </listitem>
                </varlistentry>
 
index 8396ced4e48525c7b75af51f46b16a2dc85c8e43..9d212900871c17c6645ae09514a5091788c24305 100644 (file)
                access the data via Samba you might set this to yes to achieve
                better NT ACL compatibility.
                </para>
+
+               <para>
+               If <emphasis>acl_xattr:ignore system acls</emphasis>
+               is set to <emphasis>yes</emphasis>, the following
+               additional settings will be enforced:
+               <itemizedlist>
+               <listitem><para>create mask = 0666</para></listitem>
+               <listitem><para>directory mask = 0777</para></listitem>
+               <listitem><para>map archive = no</para></listitem>
+               <listitem><para>map hidden = no</para></listitem>
+               <listitem><para>map readonly = no</para></listitem>
+               <listitem><para>map system = no</para></listitem>
+               <listitem><para>store dos attributes = yes</para></listitem>
+               </itemizedlist>
+               </para>
                </listitem>
                </varlistentry>
 
index 0c92b729b3ba4deaf7942beded37c04dba34c037..174affe9ae0f2972acd9a46c6c40b10e82bf01df 100644 (file)
@@ -309,6 +309,7 @@ static int connect_acl_tdb(struct vfs_handle_struct *handle,
 {
        int ret = SMB_VFS_NEXT_CONNECT(handle, service, user);
        bool ok;
+       struct acl_common_config *config = NULL;
 
        if (ret < 0) {
                return ret;
@@ -336,6 +337,26 @@ static int connect_acl_tdb(struct vfs_handle_struct *handle,
        lp_do_parameter(SNUM(handle->conn), "dos filemode", "true");
        lp_do_parameter(SNUM(handle->conn), "force unknown acl user", "true");
 
+       SMB_VFS_HANDLE_GET_DATA(handle, config,
+                               struct acl_common_config,
+                               return -1);
+
+       if (config->ignore_system_acls) {
+               DBG_NOTICE("setting 'create mask = 0666', "
+                          "'directory mask = 0777', "
+                          "'store dos attributes = yes' and all "
+                          "'map ...' options to 'no'\n");
+
+               lp_do_parameter(SNUM(handle->conn), "create mask", "0666");
+               lp_do_parameter(SNUM(handle->conn), "directory mask", "0777");
+               lp_do_parameter(SNUM(handle->conn), "map archive", "no");
+               lp_do_parameter(SNUM(handle->conn), "map hidden", "no");
+               lp_do_parameter(SNUM(handle->conn), "map readonly", "no");
+               lp_do_parameter(SNUM(handle->conn), "map system", "no");
+               lp_do_parameter(SNUM(handle->conn), "store dos attributes",
+                               "yes");
+       }
+
        return 0;
 }
 
index 307ab6af7967897472f29494de7a0c4ae29cfe1a..e1f90fff281b0d87f5557cd0c6eba8469502d147 100644 (file)
@@ -181,6 +181,7 @@ static int connect_acl_xattr(struct vfs_handle_struct *handle,
 {
        int ret = SMB_VFS_NEXT_CONNECT(handle, service, user);
        bool ok;
+       struct acl_common_config *config = NULL;
 
        if (ret < 0) {
                return ret;
@@ -203,6 +204,26 @@ static int connect_acl_xattr(struct vfs_handle_struct *handle,
         lp_do_parameter(SNUM(handle->conn), "dos filemode", "true");
         lp_do_parameter(SNUM(handle->conn), "force unknown acl user", "true");
 
+       SMB_VFS_HANDLE_GET_DATA(handle, config,
+                               struct acl_common_config,
+                               return -1);
+
+       if (config->ignore_system_acls) {
+               DBG_NOTICE("setting 'create mask = 0666', "
+                          "'directory mask = 0777', "
+                          "'store dos attributes = yes' and all "
+                          "'map ...' options to 'no'\n");
+
+               lp_do_parameter(SNUM(handle->conn), "create mask", "0666");
+               lp_do_parameter(SNUM(handle->conn), "directory mask", "0777");
+               lp_do_parameter(SNUM(handle->conn), "map archive", "no");
+               lp_do_parameter(SNUM(handle->conn), "map hidden", "no");
+               lp_do_parameter(SNUM(handle->conn), "map readonly", "no");
+               lp_do_parameter(SNUM(handle->conn), "map system", "no");
+               lp_do_parameter(SNUM(handle->conn), "store dos attributes",
+                               "yes");
+       }
+
        return 0;
 }
 
index 7fd10d0dcd177567bc18b6803505a60661a7efdb..df4dd299fe02ae4ffb214696717836c0d3292fcf 100644 (file)
@@ -169,8 +169,8 @@ static bool test_default_acl_posix(struct torture_context *tctx,
        exp_sd = security_descriptor_dacl_create(
                tctx, 0, owner_sid, group_sid,
                owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_ALL, 0,
-               group_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE, 0,
-               SID_WORLD, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_READ | SEC_FILE_EXECUTE, 0,
+               group_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, FILE_GENERIC_READ|FILE_GENERIC_WRITE|FILE_GENERIC_EXECUTE, 0,
+               SID_WORLD, SEC_ACE_TYPE_ACCESS_ALLOWED, FILE_GENERIC_READ|FILE_GENERIC_WRITE|FILE_GENERIC_EXECUTE, 0,
                SID_NT_SYSTEM, SEC_ACE_TYPE_ACCESS_ALLOWED, SEC_RIGHTS_FILE_ALL, 0,
                NULL);