The branch, v3-6-test has been updated
via 1bb5d20 Fix bug #9124 - Samba fails to set "inherited" bit on
inherited ACE's.
via c36e78f Windows does canonicalization of inheritance bits. Do the
same.
via 7e03ebf Change the other two places where we set a security
descriptor given by the client to got through set_sd(), the canonicalize sd
function.
via 67f82b4 Re-add set_sd(), called from set_sd_blob(). Allows us to
centralize all ACL canonicalization. (cherry picked from commit
05734b67b8ed5516d81000eac48acd0915567629)
via b6791f4 Rename set_sd() to set_sd_blob() - this describes what it
does. (cherry picked from commit 61957ff9f6124eabae050f5425d7d0597ae6a127)
from 4f4a972 s3-smbd: Fix flooding the logs with records we don't find
in pcap.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test
- Log -----------------------------------------------------------------
commit 1bb5d205ecc071a98ce5717e2e009fb1875aeae2
Author: Jeremy Allison <[email protected]>
Date: Wed Aug 29 16:55:21 2012 -0700
Fix bug #9124 - Samba fails to set "inherited" bit on inherited ACE's.
Change se_create_child_secdesc() to handle inheritance correctly.
commit c36e78f98f45b51a2d1fba6bedb5e4d39c0f4bbe
Author: Jeremy Allison <[email protected]>
Date: Wed Aug 29 13:40:29 2012 -0700
Windows does canonicalization of inheritance bits. Do the same.
We need to filter out the
SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ
bits. If both are set we store SEC_DESC_DACL_AUTO_INHERITED
as this alters whether SEC_ACE_FLAG_INHERITED_ACE is set
when an ACE is inherited. Otherwise we zero these bits out.
See:
http://social.msdn.microsoft.com/Forums/eu/os_fileservices/thread/11f77b68-731e-407d-b1b3-064750716531
for details.
(cherry picked from commit d02f39f97624260bd226977b30c80974d0ce0fe0)
commit 7e03ebf094a98c572816cb81ef3cf4c02aaafcfd
Author: Jeremy Allison <[email protected]>
Date: Wed Aug 29 16:52:02 2012 -0700
Change the other two places where we set a security descriptor given by the
client to got through set_sd(), the canonicalize sd function.
commit 67f82b4cb65294dc2e3c3a144d91df9bbfdaa90c
Author: Jeremy Allison <[email protected]>
Date: Wed Aug 29 13:29:34 2012 -0700
Re-add set_sd(), called from set_sd_blob(). Allows us to centralize all ACL
canonicalization. (cherry picked from commit
05734b67b8ed5516d81000eac48acd0915567629)
commit b6791f4878bfdd2266f27b1e962324966ef03e31
Author: Jeremy Allison <[email protected]>
Date: Wed Aug 29 13:23:06 2012 -0700
Rename set_sd() to set_sd_blob() - this describes what it does. (cherry
picked from commit 61957ff9f6124eabae050f5425d7d0597ae6a127)
-----------------------------------------------------------------------
Summary of changes:
source3/lib/secdesc.c | 10 +++-
source3/rpc_server/srvsvc/srv_srvsvc_nt.c | 21 +--------
source3/smbd/nttrans.c | 73 +++++++++++++++++++++++-----
source3/smbd/open.c | 6 +--
source3/smbd/proto.h | 4 +-
source3/smbd/smb2_setinfo.c | 2 +-
6 files changed, 73 insertions(+), 43 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/lib/secdesc.c b/source3/lib/secdesc.c
index 007e097..b7c9fc5 100644
--- a/source3/lib/secdesc.c
+++ b/source3/lib/secdesc.c
@@ -563,6 +563,7 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
struct security_acl *new_dacl = NULL, *the_acl = NULL;
struct security_ace *new_ace_list = NULL;
unsigned int new_ace_list_ndx = 0, i;
+ bool set_inherited_flags = (parent_ctr->type &
SEC_DESC_DACL_AUTO_INHERITED);
*ppsd = NULL;
*psize = 0;
@@ -625,7 +626,8 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
/* First add the regular ACE entry. */
init_sec_ace(new_ace, ptrustee, ace->type,
- ace->access_mask, 0);
+ ace->access_mask,
+ set_inherited_flags ?
SEC_ACE_FLAG_INHERITED_ACE : 0);
DEBUG(5,("se_create_child_secdesc():
%s:%d/0x%02x/0x%08x"
" inherited as %s:%d/0x%02x/0x%08x\n",
@@ -648,7 +650,8 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
}
init_sec_ace(new_ace, ptrustee, ace->type,
- ace->access_mask, new_flags);
+ ace->access_mask, new_flags |
+ (set_inherited_flags ?
SEC_ACE_FLAG_INHERITED_ACE : 0));
DEBUG(5, ("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x "
" inherited as %s:%d/0x%02x/0x%08x\n",
@@ -675,7 +678,8 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
*ppsd = make_sec_desc(ctx,
SECURITY_DESCRIPTOR_REVISION_1,
- SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
+ SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT|
+ (set_inherited_flags ? SEC_DESC_DACL_AUTO_INHERITED :
0),
owner_sid,
group_sid,
NULL,
diff --git a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
index a078395..b9345d6 100644
--- a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
+++ b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
@@ -2318,26 +2318,7 @@ WERROR _srvsvc_NetSetFileSecurity(struct pipes_struct *p,
psd = r->in.sd_buf->sd;
security_info_sent = r->in.securityinformation;
- if (psd->owner_sid==0) {
- security_info_sent &= ~SECINFO_OWNER;
- }
- if (psd->group_sid==0) {
- security_info_sent &= ~SECINFO_GROUP;
- }
- if (psd->sacl==0) {
- security_info_sent &= ~SECINFO_SACL;
- }
- if (psd->dacl==0) {
- security_info_sent &= ~SECINFO_DACL;
- }
-
- /* Convert all the generic bits. */
- security_acl_map_generic(psd->dacl, &file_generic_mapping);
- security_acl_map_generic(psd->sacl, &file_generic_mapping);
-
- nt_status = SMB_VFS_FSET_NT_ACL(fsp,
- security_info_sent,
- psd);
+ nt_status = set_sd(fsp, psd, security_info_sent);
if (!NT_STATUS_IS_OK(nt_status) ) {
DEBUG(3,("_srvsvc_NetSetFileSecurity: Unable to set NT ACL "
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index e87d132..ea9d417 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -826,20 +826,48 @@ static void do_nt_transact_create_pipe(connection_struct
*conn,
return;
}
+/*********************************************************************
+ Windows seems to do canonicalization of inheritance bits. Do the
+ same.
+*********************************************************************/
+
+static void canonicalize_inheritance_bits(struct security_descriptor *psd)
+{
+ bool set_auto_inherited = false;
+
+ /*
+ * We need to filter out the
+ * SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ
+ * bits. If both are set we store SEC_DESC_DACL_AUTO_INHERITED
+ * as this alters whether SEC_ACE_FLAG_INHERITED_ACE is set
+ * when an ACE is inherited. Otherwise we zero these bits out.
+ * See:
+ *
+ *
http://social.msdn.microsoft.com/Forums/eu/os_fileservices/thread/11f77b68-731e-407d-b1b3-064750716531
+ *
+ * for details.
+ */
+
+ if ((psd->type &
(SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ))
+ ==
(SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ)) {
+ set_auto_inherited = true;
+ }
+
+ psd->type &=
~(SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ);
+ if (set_auto_inherited) {
+ psd->type |= SEC_DESC_DACL_AUTO_INHERITED;
+ }
+}
+
/****************************************************************************
Internal fn to set security descriptors.
****************************************************************************/
-NTSTATUS set_sd(files_struct *fsp, uint8_t *data, uint32_t sd_len,
+NTSTATUS set_sd(files_struct *fsp, struct security_descriptor *psd,
uint32_t security_info_sent)
{
- struct security_descriptor *psd = NULL;
NTSTATUS status;
- if (sd_len == 0) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
if (!CAN_WRITE(fsp->conn)) {
return NT_STATUS_ACCESS_DENIED;
}
@@ -848,12 +876,6 @@ NTSTATUS set_sd(files_struct *fsp, uint8_t *data, uint32_t
sd_len,
return NT_STATUS_OK;
}
- status = unmarshall_sec_desc(talloc_tos(), data, sd_len, &psd);
-
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
if (psd->owner_sid == NULL) {
security_info_sent &= ~SECINFO_OWNER;
}
@@ -905,6 +927,8 @@ NTSTATUS set_sd(files_struct *fsp, uint8_t *data, uint32_t
sd_len,
}
}
+ canonicalize_inheritance_bits(psd);
+
if (DEBUGLEVEL >= 10) {
DEBUG(10,("set_sd for file %s\n", fsp_str_dbg(fsp)));
NDR_PRINT_DEBUG(security_descriptor, psd);
@@ -918,6 +942,29 @@ NTSTATUS set_sd(files_struct *fsp, uint8_t *data, uint32_t
sd_len,
}
/****************************************************************************
+ Internal fn to set security descriptors from a data blob.
+****************************************************************************/
+
+NTSTATUS set_sd_blob(files_struct *fsp, uint8_t *data, uint32_t sd_len,
+ uint32_t security_info_sent)
+{
+ struct security_descriptor *psd = NULL;
+ NTSTATUS status;
+
+ if (sd_len == 0) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ status = unmarshall_sec_desc(talloc_tos(), data, sd_len, &psd);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ return set_sd(fsp, psd, security_info_sent);
+}
+
+/****************************************************************************
Read a list of EA names and data from an incoming data buffer. Create an
ea_list with them.
****************************************************************************/
@@ -2095,7 +2142,7 @@ static void
call_nt_transact_set_security_desc(connection_struct *conn,
return;
}
- status = set_sd(fsp, (uint8 *)data, data_count, security_info_sent);
+ status = set_sd_blob(fsp, (uint8 *)data, data_count,
security_info_sent);
if (!NT_STATUS_IS_OK(status)) {
reply_nterror(req, status);
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 72b7d8e..3100ad0 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -3363,15 +3363,11 @@ static NTSTATUS create_file_unixpath(connection_struct
*conn,
fsp->access_mask = FILE_GENERIC_ALL;
- /* Convert all the generic bits. */
- security_acl_map_generic(sd->dacl, &file_generic_mapping);
- security_acl_map_generic(sd->sacl, &file_generic_mapping);
-
if (sec_info_sent & (SECINFO_OWNER|
SECINFO_GROUP|
SECINFO_DACL|
SECINFO_SACL)) {
- status = SMB_VFS_FSET_NT_ACL(fsp, sec_info_sent, sd);
+ status = set_sd(fsp, sd, sec_info_sent);
}
fsp->access_mask = saved_access_mask;
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index d75138b..e80e01e 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -561,7 +561,9 @@ void send_nt_replies(connection_struct *conn,
char *params, int paramsize,
char *pdata, int datasize);
void reply_ntcreate_and_X(struct smb_request *req);
-NTSTATUS set_sd(files_struct *fsp, uint8_t *data, uint32_t sd_len,
+NTSTATUS set_sd(files_struct *fsp, struct security_descriptor *psd,
+ uint32_t security_info_sent);
+NTSTATUS set_sd_blob(files_struct *fsp, uint8_t *data, uint32_t sd_len,
uint32_t security_info_sent);
NTSTATUS smb_fsctl(struct files_struct *fsp,
TALLOC_CTX *ctx,
diff --git a/source3/smbd/smb2_setinfo.c b/source3/smbd/smb2_setinfo.c
index ba91466..d97caa4 100644
--- a/source3/smbd/smb2_setinfo.c
+++ b/source3/smbd/smb2_setinfo.c
@@ -298,7 +298,7 @@ static struct tevent_req *smbd_smb2_setinfo_send(TALLOC_CTX
*mem_ctx,
return tevent_req_post(req, ev);
}
- status = set_sd(fsp,
+ status = set_sd_blob(fsp,
in_input_buffer.data,
in_input_buffer.length,
in_additional_information);
--
Samba Shared Repository
