The branch, master has been updated
       via  bd18d99 Clean up client timeout definitions [rev. 2]
       via  4eb53da s3:smbd: fix a cut and paste error in a debug message
       via  1ff1597 Documentation fixes for bug #9462 - Users can not be given 
write permissions any more by default
       via  2013bb9 s3:smbd: don't apply create/directory mask and modes in 
apply_default_perms()
      from  943797c Fix bug #9460 - Samba 3.6.x and Master respond incorrectly 
to FILE_STREAM_INFO requests.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit bd18d996e2dc3e6b984d20196e9825b8b3f4dea3
Author: Scott Lovenberg <[email protected]>
Date:   Tue Dec 4 09:15:38 2012 -0500

    Clean up client timeout definitions [rev. 2]
    
    The definitions for default client timeout values have been moved to 
client.h.  When initializing a client struct we use this value instead of the 
old hardcoded value.  The timeout value remains 20 seconds.
    
    Signed-off-by: Scott Lovenberg <[email protected]>
    Reviewed by: Jeremy Allison <[email protected]>
    
    Autobuild-User(master): Jeremy Allison <[email protected]>
    Autobuild-Date(master): Thu Dec  6 03:25:58 CET 2012 on sn-devel-104

commit 4eb53da3fe139b8d89ab98cc1df211267669a612
Author: Michael Adam <[email protected]>
Date:   Tue Dec 4 16:26:36 2012 +0100

    s3:smbd: fix a cut and paste error in a debug message
    
    Signed-off-by: Michael Adam <[email protected]>
    Reviewed by: Jeremy Allison <[email protected]>

commit 1ff1597e1feb45fd54b0d8dc6d8eabc7ace9073a
Author: Jeremy Allison <[email protected]>
Date:   Tue Dec 4 15:47:06 2012 -0800

    Documentation fixes for bug #9462 - Users can not be given write 
permissions any more by default
    
    Ensure we don't apply the masks + force modes on security setting
    changes, only on create.
    
    Signed-off-by: Jeremy Allison <[email protected]>
    Reviewed-by: Michael Adam <[email protected]>

commit 2013bb9b4dbed747921df2591068e2765428f57d
Author: Michael Adam <[email protected]>
Date:   Wed Dec 5 15:04:01 2012 +0100

    s3:smbd: don't apply create/directory mask and modes in 
apply_default_perms()
    
    The mask/mode parameters should only apply to a situation with only
    pure posix permissions.
    Once we are dealing with ACLs and inheritance, we need to do it correctly.
    
    This fixes bug #9462: Users can not be given write permissions any more by 
default
    
    Signed-off-by: Michael Adam <[email protected]>
    Reviewed by: Jeremy Allison <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/smbdotconf/security/createmask.xml        |    5 -
 docs-xml/smbdotconf/security/directorymask.xml     |    5 -
 .../smbdotconf/security/directorysecuritymask.xml  |    4 +-
 docs-xml/smbdotconf/security/forcecreatemode.xml   |    6 --
 .../smbdotconf/security/forcedirectorymode.xml     |    6 --
 .../security/forcedirectorysecuritymode.xml        |    5 +-
 docs-xml/smbdotconf/security/forcesecuritymode.xml |    5 +-
 docs-xml/smbdotconf/security/securitymask.xml      |    4 +-
 source3/client/client.c                            |    4 -
 source3/client/clitar.c                            |    3 -
 source3/include/client.h                           |    3 +
 source3/libsmb/clientgen.c                         |    3 +-
 source3/smbd/posix_acls.c                          |   92 +++-----------------
 13 files changed, 22 insertions(+), 123 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/security/createmask.xml 
b/docs-xml/smbdotconf/security/createmask.xml
index 59e208d..5df0718 100644
--- a/docs-xml/smbdotconf/security/createmask.xml
+++ b/docs-xml/smbdotconf/security/createmask.xml
@@ -26,11 +26,6 @@
        This parameter does not affect directory masks. See the parameter 
<smbconfoption name="directory mask"/>
        for details.
        </para>
-
-    <para>
-       New in Samba 4.0.0. This mask is applied whenever permissions are 
changed on a file. To allow clients full control
-       over permission changes it should be set to 0777.
-       </para>
 </description>
 
 <related>force create mode</related>
diff --git a/docs-xml/smbdotconf/security/directorymask.xml 
b/docs-xml/smbdotconf/security/directorymask.xml
index 2ebfc16..b17625c 100644
--- a/docs-xml/smbdotconf/security/directorymask.xml
+++ b/docs-xml/smbdotconf/security/directorymask.xml
@@ -23,11 +23,6 @@
     <para>Following this Samba will bit-wise 'OR' the UNIX mode 
     created from this parameter with the value of the <smbconfoption 
name="force directory mode"/> parameter. 
     This parameter is set to 000 by default (i.e. no extra mode bits are 
added).</para>
-
-    <para>
-    New in Samba 4.0.0. This mask is applied whenever permissions are changed 
on a directory. To allow clients full control
-    over permission changes it should be set to 0777.
-    </para>
 </description>
 
 <related>force directory mode</related>
diff --git a/docs-xml/smbdotconf/security/directorysecuritymask.xml 
b/docs-xml/smbdotconf/security/directorysecuritymask.xml
index c5c8c65..ad208f4 100644
--- a/docs-xml/smbdotconf/security/directorysecuritymask.xml
+++ b/docs-xml/smbdotconf/security/directorysecuritymask.xml
@@ -5,9 +5,7 @@
                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc";>
 <description>
     <para>
-       This parameter has been removed for Samba 4.0.0. The parameter
-       <smbconfoption name="directory mask"/> is now used instead to mask
-       any permission bit changes on directories.
+       This parameter has been removed for Samba 4.0.0.
     </para>
 </description>
 
diff --git a/docs-xml/smbdotconf/security/forcecreatemode.xml 
b/docs-xml/smbdotconf/security/forcecreatemode.xml
index 5a57a29..a3f1c2c 100644
--- a/docs-xml/smbdotconf/security/forcecreatemode.xml
+++ b/docs-xml/smbdotconf/security/forcecreatemode.xml
@@ -10,12 +10,6 @@
     mode after the mask set in the <parameter moreinfo="none">create 
mask</parameter>
     parameter is applied.</para>
 
-    <para>
-    New in Samba 4.0.0. This mode is also 'OR'ed into the mode bits whenever
-    permissions are changed on a file, not just when the file is created.
-    This replaces the now removed <parameter moreinfo="none">force security 
mode</parameter>.
-    </para>
-
     <para>The example below would force all newly created files to have read 
and execute
     permissions set for 'group' and 'other' as well as the
     read/write/execute bits set for the 'user'.</para>
diff --git a/docs-xml/smbdotconf/security/forcedirectorymode.xml 
b/docs-xml/smbdotconf/security/forcedirectorymode.xml
index e5b37ea..7effc0e 100644
--- a/docs-xml/smbdotconf/security/forcedirectorymode.xml
+++ b/docs-xml/smbdotconf/security/forcedirectorymode.xml
@@ -12,12 +12,6 @@
     mask in the parameter <parameter moreinfo="none">directory 
mask</parameter> is 
     applied.</para>
 
-    <para>
-    New in Samba 4.0.0. This mode is also 'OR'ed into the mode bits whenever
-    permissions are changed on a directory, not just when the file is created.
-    This replaces the now removed <parameter moreinfo="none">force directory 
security mode</parameter>.
-    </para>
-
        <para>The example below would force all created directories to have 
read and execute
     permissions set for 'group' and 'other' as well as the
     read/write/execute bits set for the 'user'.</para>
diff --git a/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml 
b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml
index 3ea3b5c..a45395d 100644
--- a/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml
+++ b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml
@@ -5,10 +5,7 @@
                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc";>
 <description>
     <para>
-       This parameter has been removed for Samba 4.0.0. The parameter
-       <smbconfoption name="force directory mode"/> is now used instead to
-       force any permission changes on directories to include specific UNIX
-       permission bits.
+       This parameter has been removed for Samba 4.0.0.
     </para>
 </description>
 </samba:parameter>
diff --git a/docs-xml/smbdotconf/security/forcesecuritymode.xml 
b/docs-xml/smbdotconf/security/forcesecuritymode.xml
index 2568bcc..5a9479e 100644
--- a/docs-xml/smbdotconf/security/forcesecuritymode.xml
+++ b/docs-xml/smbdotconf/security/forcesecuritymode.xml
@@ -5,10 +5,7 @@
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc";>
 <description>
     <para>
-       This parameter has been removed for Samba 4.0.0. The parameter
-       <smbconfoption name="force create mode"/> is now used instead to
-       force any permission changes on files to include specific UNIX
-       permission bits.
+       This parameter has been removed for Samba 4.0.0.
     </para>
 </description>
 </samba:parameter>
diff --git a/docs-xml/smbdotconf/security/securitymask.xml 
b/docs-xml/smbdotconf/security/securitymask.xml
index cb7fcfa..e535d32 100644
--- a/docs-xml/smbdotconf/security/securitymask.xml
+++ b/docs-xml/smbdotconf/security/securitymask.xml
@@ -5,9 +5,7 @@
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc";>
 <description>
     <para>
-       This parameter has been removed for Samba 4.0.0. The parameter
-       <smbconfoption name="create mask"/> is now used instead to mask
-       any permission bit changes on files.
+       This parameter has been removed for Samba 4.0.0.
     </para>
 </description>
 </samba:parameter>
diff --git a/source3/client/client.c b/source3/client/client.c
index 0e2e07b..6aed9d3 100644
--- a/source3/client/client.c
+++ b/source3/client/client.c
@@ -65,10 +65,6 @@ static int cmd_help(void);
 
 #define CREATE_ACCESS_READ READ_CONTROL_ACCESS
 
-/* 30 second timeout on most commands */
-#define CLIENT_TIMEOUT (30*1000)
-#define SHORT_TIMEOUT (5*1000)
-
 /* value for unused fid field in trans2 secondary request */
 #define FID_UNUSED (0xFFFF)
 
diff --git a/source3/client/clitar.c b/source3/client/clitar.c
index d352571..7bbd6ad 100644
--- a/source3/client/clitar.c
+++ b/source3/client/clitar.c
@@ -73,9 +73,6 @@ extern struct cli_state *cli;
 
 static uint16 attribute = FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_SYSTEM | 
FILE_ATTRIBUTE_HIDDEN;
 
-#ifndef CLIENT_TIMEOUT
-#define CLIENT_TIMEOUT (30*1000)
-#endif
 
 static char *tarbuf, *buffer_p;
 static int tp, ntarf, tbufsiz;
diff --git a/source3/include/client.h b/source3/include/client.h
index f6aacea..52e2212 100644
--- a/source3/include/client.h
+++ b/source3/include/client.h
@@ -24,6 +24,9 @@
 
 #define CLI_BUFFER_SIZE (0xFFFF)
 
+/* default client timeout to 20 seconds on most commands */
+#define CLIENT_TIMEOUT (20 * 1000)
+
 /*
  * These definitions depend on smb.h
  */
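Review bot: The comment on the new `CLIENT_TIMEOUT` names the duration but not the unit of the macro, and the only statement of the unit (`/* Timeout is in milliseconds. */` in cli_state_create) is dropped by the clientgen.c hunk of this commit; I would write `/* Default client timeout in milliseconds (20 seconds) for most commands. */`. Separately, the client.c and clitar.c hunks remove local definitions of `CLIENT_TIMEOUT` as `(30*1000)`, so any remaining use of the macro in those two files would silently go from 30 to 20 seconds. Those uses are outside the visible hunks, so please confirm the change is intended there, since the commit message only says the value "remains 20 seconds".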
diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
index 6bc8d0c..98ea711 100644
--- a/source3/libsmb/clientgen.c
+++ b/source3/libsmb/clientgen.c
@@ -26,6 +26,7 @@
 #include "async_smb.h"
 #include "../libcli/smb/smbXcli_base.h"
 #include "../librpc/ndr/libndr.h"
+#include "../include/client.h"
 
 /*******************************************************************
  Setup the word count and byte count for a client smb message.
@@ -175,7 +176,7 @@ struct cli_state *cli_state_create(TALLOC_CTX *mem_ctx,
        }
        cli->raw_status = NT_STATUS_INTERNAL_ERROR;
        cli->map_dos_errors = true; /* remove this */
-       cli->timeout = 20000; /* Timeout is in milliseconds. */
+       cli->timeout = CLIENT_TIMEOUT;
        cli->case_sensitive = false;
 
        /* Set the CLI_FORCE_DOSERR environment variable to test
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 9a136c0..0f3951f 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1236,48 +1236,19 @@ NTSTATUS unpack_nt_owners(struct connection_struct 
*conn,
        return NT_STATUS_OK;
 }
 
-/****************************************************************************
- Ensure the enforced permissions for this share apply.
-****************************************************************************/
 
-static void apply_default_perms(const struct share_params *params,
-                               const bool is_directory, canon_ace *pace,
-                               mode_t type)
+static void trim_ace_perms(canon_ace *pace)
 {
-       mode_t and_bits = (mode_t)0;
-       mode_t or_bits = (mode_t)0;
-
-       /* Get the initial bits to apply. */
+       pace->perms = pace->perms & (S_IXUSR|S_IWUSR|S_IRUSR);
+}
 
+static void ensure_minimal_owner_ace_perms(const bool is_directory,
+                                          canon_ace *pace)
+{
+       pace->perms |= S_IRUSR;
        if (is_directory) {
-               and_bits = lp_dir_mask(params->service);
-               or_bits = lp_force_dir_mode(params->service);
-       } else {
-               and_bits = lp_create_mask(params->service);
-               or_bits = lp_force_create_mode(params->service);
-       }
-
-       /* Now bounce them into the S_USR space. */     
-       switch(type) {
-       case S_IRUSR:
-               /* Ensure owner has read access. */
-               pace->perms |= S_IRUSR;
-               if (is_directory)
-                       pace->perms |= (S_IWUSR|S_IXUSR);
-               and_bits = unix_perms_to_acl_perms(and_bits, S_IRUSR, S_IWUSR, 
S_IXUSR);
-               or_bits = unix_perms_to_acl_perms(or_bits, S_IRUSR, S_IWUSR, 
S_IXUSR);
-               break;
-       case S_IRGRP:
-               and_bits = unix_perms_to_acl_perms(and_bits, S_IRGRP, S_IWGRP, 
S_IXGRP);
-               or_bits = unix_perms_to_acl_perms(or_bits, S_IRGRP, S_IWGRP, 
S_IXGRP);
-               break;
-       case S_IROTH:
-               and_bits = unix_perms_to_acl_perms(and_bits, S_IROTH, S_IWOTH, 
S_IXOTH);
-               or_bits = unix_perms_to_acl_perms(or_bits, S_IROTH, S_IWOTH, 
S_IXOTH);
-               break;
+               pace->perms |= (S_IWUSR|S_IXUSR);
        }
-
-       pace->perms = ((pace->perms & and_bits)|or_bits);
 }
 
 /****************************************************************************
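Review bot: The two new static helpers carry no comment, and the banner comment of the removed apply_default_perms() is deleted without a replacement. For `trim_ace_perms` I would add `/* Keep only the rwx bits, held in the S_I?USR positions, of pace->perms. */`, which records why the same owner-bit mask is applied to every ACE type; that perms are always stored in owner-bit space is inferred from the removed "bounce them into the S_USR space" code, so confirm it. For `ensure_minimal_owner_ace_perms` I would add `/* Owner always gets read; on a directory also write and search. */`. The second helper raises a directory owner entry to rwx regardless of what the client sent, which is carried over from the old S_IRUSR case but deserves to be stated because it overrides a requested ACL.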
@@ -1430,45 +1401,14 @@ static bool 
ensure_canon_entry_valid_on_set(connection_struct *conn,
        bool got_duplicate_group = false;
 
        for (pace = *pp_ace; pace; pace = pace->next) {
+               trim_ace_perms(pace);
                if (pace->type == SMB_ACL_USER_OBJ) {
-                       /*
-                        * Ensure we have default parameters for the
-                        * user (owner) even on default ACLs.
-                        */
-                       apply_default_perms(params, is_directory, pace, 
S_IRUSR);
+                       ensure_minimal_owner_ace_perms(is_directory, pace);
                        pace_user = pace;
-
                } else if (pace->type == SMB_ACL_GROUP_OBJ) {
-
-                       /*
-                        * Ensure create mask/force create mode is respected on 
set.
-                        */
-
-                       if (!is_default_acl) {
-                               apply_default_perms(params, is_directory, pace, 
S_IRGRP);
-                       }
                        pace_group = pace;
-
                } else if (pace->type == SMB_ACL_OTHER) {
-
-                       /*
-                        * Ensure create mask/force create mode is respected on 
set.
-                        */
-
-                       if (!is_default_acl) {
-                               apply_default_perms(params, is_directory, pace, 
S_IROTH);
-                       }
                        pace_other = pace;
-
-               } else if (pace->type == SMB_ACL_USER || pace->type == 
SMB_ACL_GROUP) {
-
-                       /*
-                        * Ensure create mask/force create mode is respected on 
set.
-                        */
-
-                       if (!is_default_acl) {
-                               apply_default_perms(params, is_directory, pace, 
S_IRGRP);
-                       }
                }
        }
 
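Review bot: After this hunk the group, other and named user/group entries in the loop are kept as supplied (only `trim_ace_perms` touches them), so `create mask` and `directory mask` no longer cap what a client can grant when setting an ACL. That is the stated intent of the commit, but nothing in the code says so; a comment at the top of the loop such as `/* Share create/directory masks are deliberately not applied on ACL set; they only govern plain POSIX modes on create. */` would stop a later reader from re-adding the calls or assuming the ceiling still exists. Administrators who used a restrictive mask to stop clients granting group or other write on ACL changes lose that control, and the documentation hunks in this push only delete the old paragraphs without saying so. The function body extends beyond the hunk; with every visible apply_default_perms() call gone, `params` may now be an unused parameter and is worth checking.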
@@ -1520,7 +1460,7 @@ static bool 
ensure_canon_entry_valid_on_set(connection_struct *conn,
                 * Ensure we have default parameters for the
                 * user (owner) even on default ACLs.
                 */
-               apply_default_perms(params, is_directory, pace, S_IRUSR);
+               ensure_minimal_owner_ace_perms(is_directory, pace);
 
                DLIST_ADD(*pp_ace, pace);
                pace_user = pace;
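Review bot: The context comment just above the changed line still reads "Ensure we have default parameters for the user (owner)", which described the share-parameter lookup in apply_default_perms() and no longer matches the new call. I would reword it to `* Ensure the owner entry has the minimal permissions,` / `* even on default ACLs.` so that it describes what `ensure_minimal_owner_ace_perms` does. The enclosing function starts and ends outside this hunk.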
@@ -1546,9 +1486,6 @@ static bool 
ensure_canon_entry_valid_on_set(connection_struct *conn,
                } else {
                        pace->perms = 0;
                }
-               if (!is_default_acl) {
-                       apply_default_perms(params, is_directory, pace, 
S_IRGRP);
-               }
 
                DLIST_ADD(*pp_ace, pace);
                pace_group = pace;
@@ -1568,9 +1505,6 @@ static bool 
ensure_canon_entry_valid_on_set(connection_struct *conn,
                pace->trustee = global_sid_World;
                pace->attr = ALLOW_ACE;
                pace->perms = 0;
-               if (!is_default_acl) {
-                       apply_default_perms(params, is_directory, pace, 
S_IROTH);
-               }
 
                DLIST_ADD(*pp_ace, pace);
                pace_other = pace;
@@ -4701,8 +4635,8 @@ NTSTATUS get_nt_acl_no_snum(TALLOC_CTX *ctx, const char 
*fname,
 
        status = SMB_VFS_GET_NT_ACL(conn, fname, security_info_wanted, ctx, sd);
        if (!NT_STATUS_IS_OK(status)) {
-               DEBUG(0,("set_nt_acl_no_snum: fset_nt_acl returned %s.\n",
-                       nt_errstr(status)));
+               DEBUG(0, ("get_nt_acl_no_snum: SMB_VFS_GET_NT_ACL returned 
%s.\n",
+                         nt_errstr(status)));
        }
 
        conn_free(conn);


-- 
Samba Shared Repository
