The branch, master has been updated via 7fff4e7 s3:dbwrap: remove m_all marshall buffer from ctdb transaction. via a6cd71d s3:dbwrap: traverse records created within this transaction. via 240d621 s3:registry: improve regdb_create_subkey_internal() to always complete incomlete keys via 9d688cd s3:smbcacls fix leaking talloc stackframce on tcon failure via 858e4cb s3:smbcacls fix possible SEGFAULT via 724b48b s3:smbcacls add option domain-sid via 61631f4 s3:smbcacls get_domain_sid for sddl parsing/formating from lsarpc via 2c78d4c s3:smbcacls pretty print acl control field from bd01ae2 Add new contributing FAQ announcing acceptance of corporate (C).
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 7fff4e7f845a44cf56dfd85d7dd4709fa2d17ce3 Author: Gregor Beck <gb...@sernet.de> Date: Fri Sep 23 11:58:35 2011 +0200 s3:dbwrap: remove m_all marshall buffer from ctdb transaction. it was only used by ctdb_replay_transaction and was a actually write only Signed-off-by: Michael Adam <ob...@samba.org> Autobuild-User: Michael Adam <ob...@samba.org> Autobuild-Date: Wed Oct 12 05:20:36 CEST 2011 on sn-devel-104 commit a6cd71da858062a66f83775cf655b79b6c8d75e7 Author: Gregor Beck <gb...@sernet.de> Date: Thu Sep 22 13:58:24 2011 +0200 s3:dbwrap: traverse records created within this transaction. Signed-off-by: Michael Adam <ob...@samba.org> commit 240d6217dd4d75a69b3f57f9668aa81ed042a6cf Author: Michael Adam <ob...@samba.org> Date: Fri Sep 30 15:42:31 2011 +0200 s3:registry: improve regdb_create_subkey_internal() to always complete incomlete keys Originally, this function did not create the key's subkey list record if only the record was listed in the subkeylist of its parent key. Now this is fixed. Pair-Programmed-With: Gregor Beck <gb...@sernet.de> commit 9d688cd7be2d21af1f881a3e65549bff03619c46 Author: Gregor Beck <gb...@sernet.de> Date: Tue Jun 14 13:19:59 2011 +0200 s3:smbcacls fix leaking talloc stackframce on tcon failure Signed-off-by: Michael Adam <ob...@samba.org> commit 858e4cb1b605d37cc5b585d7292049c774f53ceb Author: Gregor Beck <gb...@sernet.de> Date: Tue Jun 14 13:56:22 2011 +0200 s3:smbcacls fix possible SEGFAULT sddl_encode returns NULL on failure Signed-off-by: Michael Adam <ob...@samba.org> commit 724b48bc084100de54813685e656d510c17880f9 Author: Gregor Beck <gb...@sernet.de> Date: Thu Jun 9 15:29:32 2011 +0200 s3:smbcacls add option domain-sid 
Signed-off-by: Michael Adam <ob...@samba.org> commit 61631f427ad62d8a178f69de483500cdfa881620 Author: Gregor Beck <gb...@sernet.de> Date: Thu Jun 9 14:32:27 2011 +0200 s3:smbcacls get_domain_sid for sddl parsing/formating from lsarpc get_global_sid panics if we are not root and may give the wrong answer anyway. Signed-off-by: Michael Adam <ob...@samba.org> commit 2c78d4c89d4b5b5ba3189fc72d95fc13b5ccb02e Author: Gregor Beck <gb...@sernet.de> Date: Tue Jun 7 10:54:16 2011 +0200 s3:smbcacls pretty print acl control field Signed-off-by: Michael Adam <ob...@samba.org> ----------------------------------------------------------------------- Summary of changes: source3/lib/dbwrap/dbwrap_ctdb.c | 64 ++++++++++------ source3/registry/reg_backend_db.c | 14 +++- source3/utils/smbcacls.c | 157 +++++++++++++++++++++++++++++++++---- 3 files changed, 195 insertions(+), 40 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/lib/dbwrap/dbwrap_ctdb.c b/source3/lib/dbwrap/dbwrap_ctdb.c index 5823ab4..85ae5c1 100644 --- a/source3/lib/dbwrap/dbwrap_ctdb.c +++ b/source3/lib/dbwrap/dbwrap_ctdb.c @@ -54,11 +54,8 @@ struct db_ctdb_transaction_handle { struct db_ctdb_ctx *ctx; /* - * we store the reads and writes done under a transaction: - * - one list stores both reads and writes (m_all), - * - the other just writes (m_write) + * we store the writes done under a transaction: */ - struct ctdb_marshall_buffer *m_all; struct ctdb_marshall_buffer *m_write; uint32_t nesting; bool nested_cancel; @@ -490,16 +487,6 @@ static int db_ctdb_transaction_fetch(struct db_ctdb_ctx *db, return -1; } - h->m_all = db_ctdb_marshall_add(h, h->m_all, h->ctx->db_id, 1, key, - NULL, *data); - if (h->m_all == NULL) { - DEBUG(0,(__location__ " Failed to add to marshalling " - "record\n")); - data->dsize = 0; - talloc_free(data->dptr); - return -1; - } - return 0; } 
@@ -676,15 +663,6 @@ static NTSTATUS db_ctdb_transaction_store(struct db_ctdb_transaction_handle *h, header.dmaster = get_my_vnn(); header.rsn++; - h->m_all = db_ctdb_marshall_add(h, h->m_all, h->ctx->db_id, 0, key, - NULL, data); - if (h->m_all == NULL) { - DEBUG(0,(__location__ " Failed to add to marshalling " - "record\n")); - talloc_free(tmp_ctx); - return NT_STATUS_NO_MEMORY; - } - h->m_write = db_ctdb_marshall_add(h, h->m_write, h->ctx->db_id, 0, key, &header, data); if (h->m_write == NULL) { DEBUG(0,(__location__ " Failed to add to marshalling record\n")); @@ -1285,6 +1263,13 @@ done: return ret; } +/* wrapper to use traverse_persistent_callback with dbwrap */ +static int traverse_persistent_callback_dbwrap(struct db_record *rec, void* data) +{ + return traverse_persistent_callback(NULL, rec->key, rec->value, data); +} + + static int db_ctdb_traverse(struct db_context *db, int (*fn)(struct db_record *rec, void *private_data), 
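Review bot: traverse_persistent_callback_dbwrap passes NULL where tdb_traverse would pass the tdb context, and (in the later hunk) its rbt records carry tdb_null as the value, so the wrapper is only correct if traverse_persistent_callback never touches its tdb or dbuf arguments and re-reads the record through the db itself; that is presumably the case, but nothing in the hunk says so and the one-line comment only names the purpose. A contract comment would stop a later reader from "fixing" the NULL: `/* traverse_persistent_callback must not use its tdb or dbuf arguments: callers may pass NULL and an empty value and it has to fetch the record through state->db. */`. The parameter is also spelled `void* data` while the neighbouring signature uses `void *private_data`; the file's pointer style binds the star to the name.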
@@ -1299,9 +1284,40 @@ static int db_ctdb_traverse(struct db_context *db, state.private_data = private_data; if (db->persistent) { + struct tdb_context *ltdb = ctx->wtdb->tdb; + int ret; + /* for persistent databases we don't need to do a ctdb traverse, we can do a faster local traverse */ - return tdb_traverse(ctx->wtdb->tdb, traverse_persistent_callback, &state); + ret = tdb_traverse(ltdb, traverse_persistent_callback, &state); + if (ret < 0) { + return ret; + } + if (ctx->transaction && ctx->transaction->m_write) { + /* we now have to handle keys not yet present at transaction start */ + struct db_context *newkeys = db_open_rbt(talloc_tos()); + struct ctdb_marshall_buffer *mbuf = ctx->transaction->m_write; + struct ctdb_rec_data *rec=NULL; + NTSTATUS status; + int i; + for (i=0; i<mbuf->count; i++) { + TDB_DATA key; + rec =db_ctdb_marshall_loop_next(mbuf, rec, + NULL, NULL, + &key, NULL); + SMB_ASSERT(rec != NULL); + + if (!tdb_exists(ltdb, key)) { + dbwrap_store(newkeys, key, tdb_null, 0); + } + } + status = dbwrap_traverse(newkeys, + traverse_persistent_callback_dbwrap, + &state); + ret = NT_STATUS_IS_OK(status) ? 0 : -1; + talloc_free(newkeys); + } + return ret; } diff --git a/source3/registry/reg_backend_db.c b/source3/registry/reg_backend_db.c index 64c466d..fad6c08 100644 --- a/source3/registry/reg_backend_db.c +++ b/source3/registry/reg_backend_db.c @@ -1298,8 +1298,18 @@ static WERROR regdb_create_subkey_internal(struct db_context *db, W_ERROR_NOT_OK_GOTO_DONE(werr); if (regsubkey_ctr_key_exists(subkeys, subkey)) { - werr = WERR_OK; - goto done; + char *newkey; + + newkey = talloc_asprintf(mem_ctx, "%s\\%s", key, subkey); + if (newkey == NULL) { + werr = WERR_NOMEM; + goto done; + } + + if (regdb_key_exists(db, newkey)) { + werr = WERR_OK; + goto done; + } } talloc_free(subkeys); diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c index aa71840..9a6c283 100644 --- a/source3/utils/smbcacls.c +++ b/source3/utils/smbcacls.c 
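Review bot: The result of `db_open_rbt(talloc_tos())` is used without a NULL check and the NTSTATUS from each `dbwrap_store(newkeys, key, tdb_null, 0)` is dropped, so an allocation failure in the new-keys pass either dereferences NULL or silently traverses an incomplete key set. On success `ret = NT_STATUS_IS_OK(status) ? 0 : -1;` also replaces the record count that tdb_traverse returned with 0, so any caller reading the count gets a different answer whenever a transaction has pending writes; only the failure case should touch ret (and if the count matters, the newly visited keys would have to be added to it, which dbwrap_traverse does not report here). The rewrite below checks both and leaves ret alone on success.
```c
		if (ctx->transaction && ctx->transaction->m_write) {
			/* we now have to handle keys not yet present at transaction start */
			struct db_context *newkeys = db_open_rbt(talloc_tos());
			struct ctdb_marshall_buffer *mbuf = ctx->transaction->m_write;
			struct ctdb_rec_data *rec = NULL;
			NTSTATUS status;
			int i;

			if (newkeys == NULL) {
				DEBUG(0, (__location__ " Failed to allocate rbt for new keys\n"));
				return -1;
			}
			for (i = 0; i < mbuf->count; i++) {
				TDB_DATA key;
				rec = db_ctdb_marshall_loop_next(mbuf, rec,
								 NULL, NULL,
								 &key, NULL);
				SMB_ASSERT(rec != NULL);

				if (tdb_exists(ltdb, key)) {
					continue;
				}
				status = dbwrap_store(newkeys, key, tdb_null, 0);
				if (!NT_STATUS_IS_OK(status)) {
					DEBUG(0, (__location__ " Failed to record new key: %s\n",
						  nt_errstr(status)));
					talloc_free(newkeys);
					return -1;
				}
			}
			status = dbwrap_traverse(newkeys,
						 traverse_persistent_callback_dbwrap,
						 &state);
			if (!NT_STATUS_IS_OK(status)) {
				/* keep tdb_traverse's record count on success */
				ret = -1;
			}
			talloc_free(newkeys);
		}
```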
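Review bot: `newkey` is only needed for the `regdb_key_exists(db, newkey)` probe but stays allocated on the caller's mem_ctx for the rest of the function on both the WERR_OK and the fall-through path; a `TALLOC_FREE(newkey);` right after the probe keeps mem_ctx from accumulating one string per subkey checked. When the name is listed in the parent but the key record is missing, control now falls through into the creation code below the hunk, which presumably re-adds the name to the parent's subkey list; that is only safe if that add de-duplicates, which this hunk does not show, so a comment at the fall-through such as `/* listed in the parent but the key record itself is missing: fall through and complete it */` would make the intent (from the commit message) explicit in the code. regdb_create_subkey_internal starts and ends outside this hunk.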
@@ -30,6 +30,7 @@ #include "libsmb/libsmb.h" #include "libsmb/clirap.h" #include "passdb/machine_sid.h" +#include "../librpc/gen_ndr/ndr_lsa_c.h" static int test_args; @@ -41,6 +42,8 @@ static int numeric; static int sddl; +static const char *domain_sid = NULL; + enum acl_mode {SMB_ACL_SET, SMB_ACL_DELETE, SMB_ACL_MODIFY, SMB_ACL_ADD }; enum chown_mode {REQUEST_NONE, REQUEST_CHOWN, REQUEST_CHGRP, REQUEST_INHERIT}; enum exit_values {EXIT_OK, EXIT_FAILED, EXIT_PARSE_ERROR}; @@ -88,7 +91,7 @@ static NTSTATUS cli_lsa_lookup_sid(struct cli_state *cli, status = cli_tcon_andx(cli, "IPC$", "?????", "", 0); if (!NT_STATUS_IS_OK(status)) { - return status; + goto tcon_fail; } status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id, @@ -117,6 +120,7 @@ static NTSTATUS cli_lsa_lookup_sid(struct cli_state *cli, fail: TALLOC_FREE(p); cli_tdis(cli); + tcon_fail: cli_state_set_tid(cli, orig_cnum); TALLOC_FREE(frame); return status; @@ -137,7 +141,7 @@ static NTSTATUS cli_lsa_lookup_name(struct cli_state *cli, status = cli_tcon_andx(cli, "IPC$", "?????", "", 0); if (!NT_STATUS_IS_OK(status)) { - return status; + goto tcon_fail; } status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id, 
@@ -165,11 +169,89 @@ static NTSTATUS cli_lsa_lookup_name(struct cli_state *cli, fail: TALLOC_FREE(p); cli_tdis(cli); + tcon_fail: + cli_state_set_tid(cli, orig_cnum); + TALLOC_FREE(frame); + return status; +} + + +static NTSTATUS cli_lsa_lookup_domain_sid(struct cli_state *cli, + struct dom_sid *sid) +{ + union lsa_PolicyInformation *info = NULL; + uint16 orig_cnum = cli_state_get_tid(cli); + struct rpc_pipe_client *rpc_pipe = NULL; + struct policy_handle handle; + NTSTATUS status, result; + TALLOC_CTX *frame = talloc_stackframe(); + const struct ndr_syntax_id *lsarpc_syntax = &ndr_table_lsarpc.syntax_id; + + status = cli_tcon_andx(cli, "IPC$", "?????", "", 0); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + + status = cli_rpc_pipe_open_noauth(cli, lsarpc_syntax, &rpc_pipe); + if (!NT_STATUS_IS_OK(status)) { + goto tdis; + } + + status = rpccli_lsa_open_policy(rpc_pipe, frame, True, + GENERIC_EXECUTE_ACCESS, &handle); + if (!NT_STATUS_IS_OK(status)) { + goto tdis; + } + + status = dcerpc_lsa_QueryInfoPolicy2(rpc_pipe->binding_handle, + frame, &handle, + LSA_POLICY_INFO_DOMAIN, + &info, &result); + + if (any_nt_status_not_ok(status, result, &status)) { + goto tdis; + } + + *sid = *info->domain.sid; + +tdis: + TALLOC_FREE(rpc_pipe); + cli_tdis(cli); +done: cli_state_set_tid(cli, orig_cnum); TALLOC_FREE(frame); return status; } +struct dom_sid* get_domain_sid(struct cli_state *cli) { + NTSTATUS status; + + struct dom_sid *sid = talloc(talloc_tos(), struct dom_sid); + if (sid == NULL) { + DEBUG(0, ("Out of memory\n")); + return NULL; + } + + if (domain_sid) { + if (!dom_sid_parse(domain_sid, sid)) { + DEBUG(0,("failed to parse domain sid\n")); + TALLOC_FREE(sid); + } + } else { + status = cli_lsa_lookup_domain_sid(cli, sid); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0,("failed to lookup domain sid: %s\n", nt_errstr(status))); + TALLOC_FREE(sid); + } + + } + + DEBUG(2,("Domain SID: %s\n", sid_string_dbg(sid))); + return sid; +} + + /* convert a SID to a string, 
either numeric or username/group */ static void SidToString(struct cli_state *cli, fstring str, const struct dom_sid *sid) { @@ -632,6 +714,48 @@ static struct security_descriptor *sec_desc_parse(TALLOC_CTX *ctx, struct cli_st return ret; } +static const struct { + uint16_t mask; + const char *str; + const char *desc; +} sec_desc_ctrl_bits[] = { + {SEC_DESC_OWNER_DEFAULTED, "OD", "Owner Defaulted"}, + {SEC_DESC_GROUP_DEFAULTED, "GD", "Group Defaulted"}, + {SEC_DESC_DACL_PRESENT, "DP", "DACL Present"}, + {SEC_DESC_DACL_DEFAULTED, "DD", "DACL Defaulted"}, + {SEC_DESC_SACL_PRESENT, "SP", "SACL Present"}, + {SEC_DESC_SACL_DEFAULTED, "SD", "SACL Defaulted"}, + {SEC_DESC_DACL_TRUSTED, "DT", "DACL Trusted"}, + {SEC_DESC_SERVER_SECURITY, "SS", "Server Security"}, + {SEC_DESC_DACL_AUTO_INHERIT_REQ, "DR", "DACL Inheritance Required"}, + {SEC_DESC_SACL_AUTO_INHERIT_REQ, "SR", "SACL Inheritance Required"}, + {SEC_DESC_DACL_AUTO_INHERITED, "DI", "DACL Auto Inherited"}, + {SEC_DESC_SACL_AUTO_INHERITED, "SI", "SACL Auto Inherited"}, + {SEC_DESC_DACL_PROTECTED, "PD", "DACL Protected"}, + {SEC_DESC_SACL_PROTECTED, "PS", "SACL Protected"}, + {SEC_DESC_RM_CONTROL_VALID, "RM", "RM Control Valid"}, + {SEC_DESC_SELF_RELATIVE , "SR", "Self Relative"}, +}; + +static void print_acl_ctrl(FILE *file, uint16_t ctrl) +{ + int i; + const char* separator = ""; + + fprintf(file, "CONTROL:"); + if (numeric) { + fprintf(file, "0x%x\n", ctrl); + return; + } + + for (i = ARRAY_SIZE(sec_desc_ctrl_bits) - 1; i >= 0; i--) { + if (ctrl & sec_desc_ctrl_bits[i].mask) { + fprintf(file, "%s%s", separator, sec_desc_ctrl_bits[i].str); + separator = "|"; + } + } + fputc('\n', file); +} /* print a ascii version of a security descriptor on a FILE handle */ static void sec_desc_print(struct cli_state *cli, FILE *f, struct security_descriptor *sd) 
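Review bot: get_domain_sid frees `sid` and falls through on both failure paths, so the `DEBUG(2, ("Domain SID: %s\n", sid_string_dbg(sid)))` line runs with a NULL pointer (whether sid_string_dbg tolerates that is not visible here), and the NULL then goes straight into sddl_encode/sddl_decode in cacl_dump and cacl_set with no check; returning early on each failure, as below, confines the debug line and the callers to the success path. The function is also the only non-static definition in the hunk, has no prototype, and puts its opening brace on the signature line unlike every other function in the file; `static struct dom_sid *get_domain_sid(struct cli_state *cli)` with the brace on its own line matches the rest. In cli_lsa_lookup_domain_sid the policy handle from rpccli_lsa_open_policy is never closed before `TALLOC_FREE(rpc_pipe)`; if the sibling lookups (whose bodies are outside this hunk) close theirs, this one should too.
```c
static struct dom_sid *get_domain_sid(struct cli_state *cli)
{
	struct dom_sid *sid = talloc(talloc_tos(), struct dom_sid);
	if (sid == NULL) {
		DEBUG(0, ("Out of memory\n"));
		return NULL;
	}

	if (domain_sid) {
		/* caller-supplied --domain-sid overrides the LSA lookup */
		if (!dom_sid_parse(domain_sid, sid)) {
			DEBUG(0, ("failed to parse domain sid\n"));
			TALLOC_FREE(sid);
			return NULL;
		}
	} else {
		NTSTATUS status = cli_lsa_lookup_domain_sid(cli, sid);
		if (!NT_STATUS_IS_OK(status)) {
			DEBUG(0, ("failed to lookup domain sid: %s\n",
				  nt_errstr(status)));
			TALLOC_FREE(sid);
			return NULL;
		}
	}

	DEBUG(2, ("Domain SID: %s\n", sid_string_dbg(sid)));
	return sid;
}
```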
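Review bot: In `sec_desc_ctrl_bits` the two-letter code "SR" is used twice, for SEC_DESC_SACL_AUTO_INHERIT_REQ and for SEC_DESC_SELF_RELATIVE, so in non-numeric mode the CONTROL line prints the same token for either bit and the output is ambiguous (and cannot be read back unambiguously if anything later parses it); SELF_RELATIVE needs its own code, e.g. `{SEC_DESC_SELF_RELATIVE, "SF", "Self Relative"},`. The `desc` column is never read by print_acl_ctrl, so either print it in a verbose form or drop it rather than carry an unused field. `print_acl_ctrl`'s closing brace also butts directly against the following `/* print a ascii version ... */` comment with no blank line, unlike the rest of the file. sec_desc_print, whose signature closes the hunk, continues below it.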
@@ -640,7 +764,7 @@ static void sec_desc_print(struct cli_state *cli, FILE *f, struct security_descr uint32 i; fprintf(f, "REVISION:%d\n", sd->revision); - fprintf(f, "CONTROL:0x%x\n", sd->type); + print_acl_ctrl(f, sd->type); /* Print owner and group sid */ @@ -772,25 +896,29 @@ dump the acls for a file *******************************************************/ static int cacl_dump(struct cli_state *cli, const char *filename) { - int result = EXIT_FAILED; struct security_descriptor *sd; - if (test_args) + if (test_args) { return EXIT_OK; + } sd = get_secdesc(cli, filename); + if (sd == NULL) { + return EXIT_FAILED; + } - if (sd) { - if (sddl) { - printf("%s\n", sddl_encode(talloc_tos(), sd, - get_global_sam_sid())); - } else { - sec_desc_print(cli, stdout, sd); + if (sddl) { + char *str = sddl_encode(talloc_tos(), sd, get_domain_sid(cli)); + if (str == NULL) { + return EXIT_FAILED; } - result = EXIT_OK; + printf("%s\n", str); + TALLOC_FREE(str); + } else { + sec_desc_print(cli, stdout, sd); } - return result; + return EXIT_OK; } /***************************************************** @@ -901,7 +1029,7 @@ static int cacl_set(struct cli_state *cli, const char *filename, int result = EXIT_OK; if (sddl) { - sd = sddl_decode(talloc_tos(), the_acl, get_global_sam_sid()); + sd = sddl_decode(talloc_tos(), the_acl, get_domain_sid(cli)); } else { sd = sec_desc_parse(talloc_tos(), cli, the_acl); } @@ -1202,6 +1330,7 @@ static struct cli_state *connect_one(struct user_auth_info *auth_info, { "numeric", 0, POPT_ARG_NONE, &numeric, 1, "Don't resolve sids or masks to names" }, { "sddl", 0, POPT_ARG_NONE, &sddl, 1, "Output and input acls in sddl format" }, { "test-args", 't', POPT_ARG_NONE, &test_args, 1, "Test arguments"}, + { "domain-sid", 0, POPT_ARG_STRING, &domain_sid, 0, "Domain SID for sddl", "SID"}, POPT_COMMON_SAMBA POPT_COMMON_CONNECTION POPT_COMMON_CREDENTIALS -- Samba Shared Repository
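Review bot: When `sddl_encode` returns NULL the new code returns EXIT_FAILED with no diagnostic, so the user gets a non-zero exit and nothing on stderr unless the failure happened inside get_domain_sid (which logs at DEBUG 0); `if (str == NULL) { fprintf(stderr, "failed to encode ACL of %s as SDDL\n", filename); return EXIT_FAILED; }` names the actual failure. If cacl_dump is invoked once per file, each call also performs a fresh IPC$ tree connect and LSA round trip through get_domain_sid; caching the SID after the first successful lookup (or after parsing --domain-sid once) would avoid that.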
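Review bot: `get_domain_sid(cli)` returns NULL when the option string fails to parse or the LSA lookup fails, and the new line passes that NULL straight into sddl_decode; a NULL sd is then presumably reported by the code below the hunk as a parse error against the user's ACL string rather than as the lookup failure it was. Fetching the SID first and bailing out keeps the two failures distinguishable: `struct dom_sid *dsid = get_domain_sid(cli);` / `if (dsid == NULL) { return EXIT_FAILED; }` / `sd = sddl_decode(talloc_tos(), the_acl, dsid);`. cacl_set's body continues past the hunk.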
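Review bot: `--domain-sid` is stored as a raw string and only validated by dom_sid_parse inside get_domain_sid, after the connection is up and the first ACL is being processed, so a typo surfaces late with a generic "failed to parse domain sid" message; parsing it once after option processing (outside this hunk) and exiting with EXIT_PARSE_ERROR would fail fast before any connection is made. The help text could also say what the option replaces: `"Domain SID used for SDDL; looked up via LSA if omitted"`.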