The branch, master has been updated
via 411440d replace: Fix compilation of rep_mkstemp
via 0615f68 s3: Fix vfs_zfsacl to compile.
via 1002cc9 selftest: show that Samba honours "write list" and valid
users
via fcdd609 Fixup the change_to_user_by_session() case as called from
become_user_by_session()
via 296c0c3 smbd: Remove some ()
via 38b34cc smbd: Simplify an if-expression
via 1770882 smbd: Fix a typo
via b668c90 Move create_share_access_mask() from smbd/service.c to
smbd/uid.c.
via 86d1e1d Fix bug #9518 - conn->share_access appears not be be reset
between users.
via 1abb5eb Factor code out of check_user_ok() into a call to
check_user_share_access().
via ea86f4e Initialize stack variables. Prelude to factoring out calls
to check_user_share_access().
via 8475f20 Add check_user_share_access() which factors out the share
security and read_only flag setting code.
via 6d7bffa Correctly setup the conn->share_access based on the current
user token.
via 5e9eebf Change API for create_share_access_mask() - remove conn
struct.
via 926d930 Change API for create_share_access_mask() to pass in the
token.
via 00de188 Fix API for create_share_access_mask().
via f7464bb Remove static from create_share_access_mask().
via 4983d58 Add uint32_t share_access to vuid_cache_entry.
via 7d90ae1 Clean up struct connection_struct, make struct vuid_cache a
pointer not inline.
via 5e483ab Remove unneeded variable "const struct auth_session_info
*session_info"
via 2e2f464 Remove dead code now vuser can no longer be NULL.
via 0a09ffd Remove the second set of {} braces, no longer needed.
via 45845f5 Remove one set of enclosing {} braces, no longer needed.
via 390a812 Move the definition of struct vuid_cache_entry *ent outside
blocks.
via 310c4ca Start to tidy-up check_user_ok().
via 5bffdac torture/vfstest.c: Always use create_conn_struct(). Don't
hand create connection structs.
via 7ba6850 source3/smbd/pysmbd.c: Always use create_conn_struct().
Don't hand create connection structs.
via a9730cb smbd/posix_acls.c: Use create_conn_struct(). Don't
hand-create connection structs.
via b6fe9ec Allow create_conn_struct() to be called with snum == -1.
via 97eb049 smbd: Rework create_conn_struct to use conn_new()
from 3d5c534 smbd: Fix bug 9549 -- Memleak in the async echo handler
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 411440d2d9085fe9db0e3c26c025c6b94d02c00f
Author: Jesper Larsen <[email protected]>
Date: Fri Jan 4 13:03:58 2013 +0100
replace: Fix compilation of rep_mkstemp
Commit 1fbc185 removed the variable 'p'.
Use the equivalent variable 'template' instead.
Reviewed-by: Andrew Bartlett <[email protected]>
Autobuild-User(master): Andrew Bartlett <[email protected]>
Autobuild-Date(master): Wed Jan 9 07:18:33 CET 2013 on sn-devel-104
commit 0615f68096569d00b1f262529024ad40136d445e
Author: Ira Cooper <[email protected]>
Date: Thu Dec 27 19:57:14 2012 +0000
s3: Fix vfs_zfsacl to compile.
Reviewed-by: Andrew Bartlett <[email protected]>
commit 1002cc9a669836d6cddaac350715a2b107bec01e
Author: Andrew Bartlett <[email protected]>
Date: Thu Dec 20 23:05:55 2012 +1100
selftest: show that Samba honours "write list" and valid users
Reviewed-by: Jeremy Allison <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
commit fcdd6092b10a4b4406af47b989dcf1a9d693580e
Author: Jeremy Allison <[email protected]>
Date: Tue Jan 8 11:02:16 2013 -0800
Fixup the change_to_user_by_session() case as called from
become_user_by_session()
Use inside source3/printing/nt_printing.c:get_correct_cversion().
Allow check_user_ok() to be called with vuid==UID_FIELD_INVALID.
All this should do is throw away one entry in the vuid cache.
Signed-off-by: Jeremy Allison <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
commit 296c0c34f198dfc7a8f13f26e54fbc980f667784
Author: Volker Lendecke <[email protected]>
Date: Sun Jan 6 14:50:33 2013 +0100
smbd: Remove some ()
Reviewed-by: Jeremy Allison <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
commit 38b34cc3e529e185dd3b3d9f79ae74d1c9fac435
Author: Volker Lendecke <[email protected]>
Date: Sun Jan 6 14:41:24 2013 +0100
smbd: Simplify an if-expression
Reviewed-by: Jeremy Allison <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
commit 17708821ffc2d0cb771e8c5cb6415b87e20d6a0a
Author: Volker Lendecke <[email protected]>
Date: Sun Jan 6 14:39:07 2013 +0100
smbd: Fix a typo
Reviewed-by: Jeremy Allison <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
commit b668c9077ba9005988146e8b1ee853ce8a6f33a4
Author: Jeremy Allison <[email protected]>
Date: Fri Jan 4 14:42:23 2013 -0800
Move create_share_access_mask() from smbd/service.c to smbd/uid.c.
Make it static. Only called from uid.c now.
Signed-off-by: Jeremy Allison <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
commit 86d1e1db8e2747e30c89627cda123fde1e84f579
Author: Jeremy Allison <[email protected]>
Date: Fri Jan 4 14:40:05 2013 -0800
Fix bug #9518 - conn->share_access appears not be be reset between users.
Ensure make_connection_snum() uses the same logic as
check_user_ok() to decide if a user can access a share.
Signed-off-by: Jeremy Allison <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
commit 1abb5eb89b97fab5a4c625f5492b7d26b7f17e98
Author: Jeremy Allison <[email protected]>
Date: Fri Jan 4 14:35:46 2013 -0800
Factor code out of check_user_ok() into a call to check_user_share_access().
Signed-off-by: Jeremy Allison <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
commit ea86f4e100b547c8facc5f27ac025de6b60eea94
Author: Jeremy Allison <[email protected]>
Date: Thu Jan 3 16:06:40 2013 -0800
Initialize stack variables. Prelude to factoring out calls to
check_user_share_access().
Signed-off-by: Jeremy Allison <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
commit 8475f206b296362fc2473bf6eb4b6d51834f8245
Author: Jeremy Allison <[email protected]>
Date: Fri Jan 4 14:27:18 2013 -0800
Add check_user_share_access() which factors out the share security and
read_only flag setting code.
Allows this to be called from both make_connection_snum() as well as
check_user_ok().
Gives a consistent share security check function.
Signed-off-by: Jeremy Allison <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
commit 6d7bffa6069ef41c36c40453681372973bba0c86
Author: Jeremy Allison <[email protected]>
Date: Fri Jan 4 14:25:55 2013 -0800
Correctly setup the conn->share_access based on the current user token.
Also use this to set conn->read_only. Cache the share_access in the
struct vuid_cache_entry struct so we only evaluate this once per new
user access on this share.
Signed-off-by: Jeremy Allison <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
commit 5e9eebf5dec60177a680010e011b88ae0ecf26d2
Author: Jeremy Allison <[email protected]>
Date: Fri Jan 4 14:24:13 2013 -0800
Change API for create_share_access_mask() - remove conn struct.
Eventually this will be indepentent of conn, just pass in the
readonly flag.
Signed-off-by: Jeremy Allison <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
commit 926d9307f789e2ca752ee2dab6b6e653dc7de628
Author: Jeremy Allison <[email protected]>
Date: Fri Jan 4 11:43:10 2013 -0800
Change API for create_share_access_mask() to pass in the token.
Don't automatically use the one from conn->session_info->security_token.
Signed-off-by: Jeremy Allison <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
commit 00de188e1f3e3b795bfdbb0c84305f4767f56349
Author: Jeremy Allison <[email protected]>
Date: Fri Dec 21 09:45:03 2012 -0800
Fix API for create_share_access_mask().
Return the uint32_t share_access rather than directly
changing the conn struct.
Signed-off-by: Jeremy Allison <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
commit f7464bbf72dac41a65334c27403db8da7e08f7d3
Author: Jeremy Allison <[email protected]>
Date: Fri Dec 21 09:35:31 2012 -0800
Remove static from create_share_access_mask().
Signed-off-by: Jeremy Allison <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
commit 4983d5838afcab8c675cace0723a3fc284667bec
Author: Jeremy Allison <[email protected]>
Date: Fri Dec 21 09:22:16 2012 -0800
Add uint32_t share_access to vuid_cache_entry.
Signed-off-by: Jeremy Allison <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
commit 7d90ae123af115bdcb1cdcd025cf73fdbf22b142
Author: Jeremy Allison <[email protected]>
Date: Thu Dec 20 14:42:55 2012 -0800
Clean up struct connection_struct, make struct vuid_cache a pointer not
inline.
Change VFS ABI to 31 for 4.1.0.
Signed-off-by: Jeremy Allison <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
commit 5e483ab14785faf5bc011e36ac07646a624c3962
Author: Jeremy Allison <[email protected]>
Date: Thu Dec 20 11:55:09 2012 -0800
Remove unneeded variable "const struct auth_session_info *session_info"
Signed-off-by: Jeremy Allison <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
commit 2e2f46433c657f8e9e68aaaee15e24ed41244d82
Author: Jeremy Allison <[email protected]>
Date: Thu Dec 20 11:54:07 2012 -0800
Remove dead code now vuser can no longer be NULL.
Signed-off-by: Jeremy Allison <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
commit 0a09ffd188f7bc9d8e9e4272af355e53081bf7da
Author: Jeremy Allison <[email protected]>
Date: Thu Dec 20 11:53:11 2012 -0800
Remove the second set of {} braces, no longer needed.
Reviewed-by: Andrew Bartlett <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
commit 45845f5ba13ad4f5f12c22596ac5905a6cebec31
Author: Jeremy Allison <[email protected]>
Date: Thu Dec 20 11:52:27 2012 -0800
Remove one set of enclosing {} braces, no longer needed.
Signed-off-by: Jeremy Allison <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
commit 390a812ccb9ba5dbc67296cc27e7aa56e6dd5ab3
Author: Jeremy Allison <[email protected]>
Date: Thu Dec 20 11:51:55 2012 -0800
Move the definition of struct vuid_cache_entry *ent outside blocks.
Signed-off-by: Jeremy Allison <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
commit 310c4cac907877958f771c4933329560655f814c
Author: Jeremy Allison <[email protected]>
Date: Thu Dec 20 11:50:25 2012 -0800
Start to tidy-up check_user_ok().
Now we have removed "security=share" we cannot be
called with vuid == UID_FIELD_INVALID.
Signed-off-by: Jeremy Allison <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
commit 5bffdac4ed3fa5477e025e871efff759aa0ee8d8
Author: Jeremy Allison <[email protected]>
Date: Tue Jan 8 14:18:55 2013 -0800
torture/vfstest.c: Always use create_conn_struct(). Don't hand create
connection structs.
Signed-off-by: Jeremy Allison <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
commit 7ba685090487410270415d3e4d69f62947ce34c3
Author: Jeremy Allison <[email protected]>
Date: Tue Jan 8 14:18:27 2013 -0800
source3/smbd/pysmbd.c: Always use create_conn_struct(). Don't hand create
connection structs.
Signed-off-by: Jeremy Allison <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
commit a9730cb3909d8c8aea64b35342ac763b135e0b1f
Author: Jeremy Allison <[email protected]>
Date: Tue Jan 8 14:17:51 2013 -0800
smbd/posix_acls.c: Use create_conn_struct(). Don't hand-create connection
structs.
Signed-off-by: Jeremy Allison <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
commit b6fe9ec6835c322f6d2d6e831bece311100bf051
Author: Jeremy Allison <[email protected]>
Date: Tue Jan 8 16:26:50 2013 -0800
Allow create_conn_struct() to be called with snum == -1.
Signed-off-by: Jeremy Allison <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
commit 97eb0493fc263fabe63b6846b6f6add7068098e6
Author: Andrew Bartlett <[email protected]>
Date: Wed Jan 9 08:02:23 2013 +1100
smbd: Rework create_conn_struct to use conn_new()
This avoids issues with required structure elements not being initialised.
In particular, once conn->vuid_cache becomes a pointer, this ensures
that it is initalised in all cases.
Andrew Bartlett
Reviewed by: Jeremy Allison <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
lib/replace/replace.c | 2 +-
selftest/target/Samba3.pm | 7 +
source3/include/vfs.h | 10 +-
source3/modules/vfs_readonly.c | 5 +-
source3/modules/vfs_zfsacl.c | 6 +-
.../script/tests/test_smbclient_machine_auth.sh | 4 +
source3/script/tests/test_smbclient_s3.sh | 8 +-
source3/selftest/tests.py | 5 +
source3/smbd/conn.c | 4 +-
source3/smbd/msdfs.c | 53 +++---
source3/smbd/posix_acls.c | 30 +--
source3/smbd/proto.h | 4 +
source3/smbd/pysmbd.c | 34 +---
source3/smbd/service.c | 60 +-----
source3/smbd/uid.c | 219 +++++++++++++-------
source3/torture/vfstest.c | 32 ++-
16 files changed, 271 insertions(+), 212 deletions(-)
Changeset truncated at 500 lines:
diff --git a/lib/replace/replace.c b/lib/replace/replace.c
index f37d69f..8f1315a 100644
--- a/lib/replace/replace.c
+++ b/lib/replace/replace.c
@@ -405,7 +405,7 @@ int rep_mkstemp(char *template)
mktemp(template);
if (template[0] == 0)
return -1;
- return open(p, O_CREAT|O_EXCL|O_RDWR, 0600);
+ return open(template, O_CREAT|O_EXCL|O_RDWR, 0600);
}
#endif
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index adca52f..8546bd2 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -963,6 +963,13 @@ sub provision($$$$$$)
[ro-tmp]
path = $ro_shrdir
guest ok = yes
+[write-list-tmp]
+ path = $shrdir
+ read only = yes
+ write list = $unix_name
+[valid-users-tmp]
+ path = $shrdir
+ valid users = $unix_name
[msdfs-share]
path = $msdfs_shrdir
msdfs root = yes
diff --git a/source3/include/vfs.h b/source3/include/vfs.h
index 2992c1d..2bce1b7 100644
--- a/source3/include/vfs.h
+++ b/source3/include/vfs.h
@@ -147,7 +147,12 @@
/* Bump to version 30 - Samba 4.0.0 will ship with interface version 30 */
/* Leave at 30 - not yet released. Added conn->cwd to save vfs_GetWd() calls.
*/
/* Leave at 30 - not yet released. Changed sys_acl_blob_get_file interface to
remove type */
-#define SMB_VFS_INTERFACE_VERSION 30
+/* Bump to version 31 - Samba 4.1.0 will ship with interface version 31 */
+/* Leave at 31 - not yet released. Make struct vuid_cache_entry in
+ connection_struct a pointer. */
+/* Leave at 31 - not yet released. Add share_access to vuid_cache_entry. */
+
+#define SMB_VFS_INTERFACE_VERSION 31
/*
All intercepted VFS operations must be declared as static functions inside
module source
@@ -275,6 +280,7 @@ struct vuid_cache_entry {
struct auth_session_info *session_info;
uint64_t vuid; /* SMB2 compat */
bool read_only;
+ uint32_t share_access;
};
struct vuid_cache {
@@ -306,7 +312,7 @@ typedef struct connection_struct {
uint32_t cnum; /* an index passed over the wire */
struct share_params *params;
bool force_user;
- struct vuid_cache vuid_cache;
+ struct vuid_cache *vuid_cache;
bool printer;
bool ipc;
bool read_only; /* Attributes for the current user of the share. */
diff --git a/source3/modules/vfs_readonly.c b/source3/modules/vfs_readonly.c
index 7919dbc..445f947 100644
--- a/source3/modules/vfs_readonly.c
+++ b/source3/modules/vfs_readonly.c
@@ -82,12 +82,13 @@ static int readonly_connect(vfs_handle_struct *handle,
/* Wipe out the VUID cache. */
for (i=0; i< VUID_CACHE_SIZE; i++) {
- struct vuid_cache_entry *ent = &conn->vuid_cache.array[i];
+ struct vuid_cache_entry *ent = &conn->vuid_cache->array[i];
ent->vuid = UID_FIELD_INVALID;
TALLOC_FREE(ent->session_info);
ent->read_only = false;
+ ent->share_access = 0;
}
- conn->vuid_cache.next_entry = 0;
+ conn->vuid_cache->next_entry = 0;
}
return 0;
diff --git a/source3/modules/vfs_zfsacl.c b/source3/modules/vfs_zfsacl.c
index b95baa5..6934ad6 100644
--- a/source3/modules/vfs_zfsacl.c
+++ b/source3/modules/vfs_zfsacl.c
@@ -201,13 +201,13 @@ static NTSTATUS zfsacl_fget_nt_acl(struct
vfs_handle_struct *handle,
NTSTATUS status;
status = zfs_get_nt_acl_common(fsp->fsp_name->base_name,
- mem_ctx, security_info,
+ security_info,
&pacl);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- return smb_fget_nt_acl_nfs4(fsp, security_info, ppdesc, pacl);
+ return smb_fget_nt_acl_nfs4(fsp, security_info, mem_ctx, ppdesc, pacl);
}
static NTSTATUS zfsacl_get_nt_acl(struct vfs_handle_struct *handle,
@@ -306,7 +306,7 @@ static int
zfsacl_fail__sys_acl_blob_get_file(vfs_handle_struct *handle, const c
return -1;
}
-static int zfsacl_fail__skel_sys_acl_blob_get_fd(vfs_handle_struct *handle,
files_struct *fsp, TALLOC_CTX *mem_ctx, char **blob_description, DATA_BLOB
*blob)
+static int zfsacl_fail__sys_acl_blob_get_fd(vfs_handle_struct *handle,
files_struct *fsp, TALLOC_CTX *mem_ctx, char **blob_description, DATA_BLOB
*blob)
{
return -1;
}
diff --git a/source3/script/tests/test_smbclient_machine_auth.sh
b/source3/script/tests/test_smbclient_machine_auth.sh
index f67256d..a890d48 100755
--- a/source3/script/tests/test_smbclient_machine_auth.sh
+++ b/source3/script/tests/test_smbclient_machine_auth.sh
@@ -19,3 +19,7 @@ incdir=`dirname $0`/../../../testprogs/blackbox
. $incdir/subunit.sh
testit "smbclient //$SERVER/tmp" $SMBCLIENT //$SERVER/tmp --machine-pass -I
$SERVER_IP -p 139 -c quit $ADDARGS
+
+# Testing these here helps because we know the machine account isn't already
this user/group
+testit "smbclient //$SERVER/forceuser" $SMBCLIENT //$SERVER/tmp --machine-pass
-I $SERVER_IP -p 139 -c quit $ADDARGS
+testit "smbclient //$SERVER/forcegroup" $SMBCLIENT //$SERVER/tmp
--machine-pass -I $SERVER_IP -p 139 -c quit $ADDARGS
diff --git a/source3/script/tests/test_smbclient_s3.sh
b/source3/script/tests/test_smbclient_s3.sh
index fb518c5..b240da0 100755
--- a/source3/script/tests/test_smbclient_s3.sh
+++ b/source3/script/tests/test_smbclient_s3.sh
@@ -212,7 +212,7 @@ mkdir a_test_dir
quit
EOF
- cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U% //$SERVER/ro-tmp -I
$SERVER_IP $ADDARGS < $tmpfile 2>&1'
+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT -U% //$SERVER/$1" -I $SERVER_IP
$ADDARGS < $tmpfile 2>&1'
eval echo "$cmd"
out=`eval $cmd`
ret=$?
@@ -581,7 +581,11 @@ testit "creating a good symlink and deleting it by path" \
failed=`expr $failed + 1`
testit "writing into a read-only directory fails" \
- test_read_only_dir || \
+ test_read_only_dir ro-tmp || \
+ failed=`expr $failed + 1`
+
+testit "writing into a read-only share fails" \
+ test_read_only_dir valid-users-tmp || \
failed=`expr $failed + 1`
testit "Reading a owner-only file fails" \
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 57a67ed..44efe18 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -333,6 +333,11 @@ for t in tests:
elif t == "smb2.durable-open" or t == "smb2.durable-v2-open":
plansmbtorture4testsuite(t, "s3dc", '//$SERVER_IP/durable
-U$USERNAME%$PASSWORD')
plansmbtorture4testsuite(t, "plugin_s4_dc", '//$SERVER_IP/durable
-U$USERNAME%$PASSWORD')
+ elif t == "base.rw1":
+ plansmbtorture4testsuite(t, "s3dc", '//$SERVER_IP/tmp
-U$USERNAME%$PASSWORD')
+ plansmbtorture4testsuite(t, "s3dc", '//$SERVER_IP/valid-users-tmp
-U$USERNAME%$PASSWORD')
+ plansmbtorture4testsuite(t, "s3dc", '//$SERVER_IP/write-list-tmp
-U$USERNAME%$PASSWORD')
+ plansmbtorture4testsuite(t, "plugin_s4_dc", '//$SERVER/tmp
-U$USERNAME%$PASSWORD')
else:
plansmbtorture4testsuite(t, "s3dc", '//$SERVER_IP/tmp
-U$USERNAME%$PASSWORD')
plansmbtorture4testsuite(t, "plugin_s4_dc", '//$SERVER/tmp
-U$USERNAME%$PASSWORD')
diff --git a/source3/smbd/conn.c b/source3/smbd/conn.c
index bc5a03b..8f472c0 100644
--- a/source3/smbd/conn.c
+++ b/source3/smbd/conn.c
@@ -63,6 +63,7 @@ connection_struct *conn_new(struct smbd_server_connection
*sconn)
if (!(conn=talloc_zero(NULL, connection_struct)) ||
!(conn->params = talloc(conn, struct share_params)) ||
+ !(conn->vuid_cache = talloc_zero(conn, struct vuid_cache)) ||
!(conn->connectpath = talloc_strdup(conn, "")) ||
!(conn->origpath = talloc_strdup(conn, ""))) {
DEBUG(0,("TALLOC_ZERO() failed!\n"));
@@ -89,7 +90,7 @@ static void conn_clear_vuid_cache(connection_struct *conn,
uint64_t vuid)
for (i=0; i<VUID_CACHE_SIZE; i++) {
struct vuid_cache_entry *ent;
- ent = &conn->vuid_cache.array[i];
+ ent = &conn->vuid_cache->array[i];
if (ent->vuid == vuid) {
ent->vuid = UID_FIELD_INVALID;
@@ -117,6 +118,7 @@ static void conn_clear_vuid_cache(connection_struct *conn,
uint64_t vuid)
TALLOC_FREE(ent->session_info);
}
ent->read_only = False;
+ ent->share_access = 0;
}
}
}
diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c
index e8a0610..4bf7aba 100644
--- a/source3/smbd/msdfs.c
+++ b/source3/smbd/msdfs.c
@@ -234,12 +234,34 @@ NTSTATUS create_conn_struct(TALLOC_CTX *ctx,
connection_struct *conn;
char *connpath;
const char *vfs_user;
+ struct smbd_server_connection *sconn;
+ const char *servicename = lp_const_servicename(snum);
- conn = talloc_zero(ctx, connection_struct);
+ sconn = talloc_zero(ctx, struct smbd_server_connection);
+ if (sconn == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ sconn->ev_ctx = ev;
+ sconn->msg_ctx = msg;
+ sconn->sock = -1;
+ sconn->smb1.echo_handler.trusted_fd = -1;
+ sconn->smb1.echo_handler.socket_lock_fd = -1;
+
+ conn = conn_new(sconn);
if (conn == NULL) {
+ TALLOC_FREE(sconn);
return NT_STATUS_NO_MEMORY;
}
+ /* Now we have conn, we need to make sconn a child of conn,
+ * for a proper talloc tree */
+ talloc_steal(conn, sconn);
+
+ if (snum == -1 && servicename == NULL) {
+ servicename = "Unknown Service (snum == -1)";
+ }
+
connpath = talloc_strdup(conn, path);
if (!connpath) {
TALLOC_FREE(conn);
@@ -248,38 +270,17 @@ NTSTATUS create_conn_struct(TALLOC_CTX *ctx,
connpath = talloc_string_sub(conn,
connpath,
"%S",
- lp_servicename(talloc_tos(), snum));
+ servicename);
if (!connpath) {
TALLOC_FREE(conn);
return NT_STATUS_NO_MEMORY;
}
- conn->sconn = talloc_zero(conn, struct smbd_server_connection);
- if (conn->sconn == NULL) {
- TALLOC_FREE(conn);
- return NT_STATUS_NO_MEMORY;
- }
-
- conn->sconn->ev_ctx = ev;
- conn->sconn->msg_ctx = msg;
- conn->sconn->sock = -1;
- conn->sconn->smb1.echo_handler.trusted_fd = -1;
- conn->sconn->smb1.echo_handler.socket_lock_fd = -1;
-
/* needed for smbd_vfs_init() */
- if (!(conn->params = talloc_zero(conn, struct share_params))) {
- DEBUG(0, ("TALLOC failed\n"));
- TALLOC_FREE(conn);
- return NT_STATUS_NO_MEMORY;
- }
-
conn->params->service = snum;
conn->cnum = TID_FIELD_INVALID;
- DLIST_ADD(conn->sconn->connections, conn);
- conn->sconn->num_connections++;
-
if (session_info != NULL) {
conn->session_info = copy_session_info(conn, session_info);
if (conn->session_info == NULL) {
@@ -303,7 +304,7 @@ NTSTATUS create_conn_struct(TALLOC_CTX *ctx,
*/
if (conn->session_info) {
share_access_check(conn->session_info->security_token,
- lp_servicename(talloc_tos(), snum),
+ servicename,
MAXIMUM_ALLOWED_ACCESS,
&conn->share_access);
@@ -313,7 +314,7 @@ NTSTATUS create_conn_struct(TALLOC_CTX *ctx,
DEBUG(0,("create_conn_struct: connection to %s "
"denied due to security "
"descriptor.\n",
- lp_servicename(talloc_tos(), snum)));
+ servicename));
conn_free(conn);
return NT_STATUS_ACCESS_DENIED;
} else {
@@ -333,7 +334,7 @@ NTSTATUS create_conn_struct(TALLOC_CTX *ctx,
}
/* this must be the first filesystem operation that we do */
- if (SMB_VFS_CONNECT(conn, lp_servicename(talloc_tos(), snum), vfs_user)
< 0) {
+ if (SMB_VFS_CONNECT(conn, servicename, vfs_user) < 0) {
DEBUG(0,("VFS connect failed!\n"));
conn_free(conn);
return NT_STATUS_UNSUCCESSFUL;
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 0f3951f..fbeb662 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -4610,27 +4610,19 @@ NTSTATUS get_nt_acl_no_snum(TALLOC_CTX *ctx, const char
*fname,
return NT_STATUS_NO_MEMORY;
}
- conn = talloc_zero(frame, connection_struct);
- if (conn == NULL) {
- TALLOC_FREE(frame);
- DEBUG(0, ("talloc failed\n"));
- return NT_STATUS_NO_MEMORY;
- }
+ status = create_conn_struct(ctx,
+ server_event_context(),
+ server_messaging_context(),
+ &conn,
+ -1,
+ "/",
+ NULL);
- if (!(conn->params = talloc(conn, struct share_params))) {
- DEBUG(0, ("talloc failed\n"));
- TALLOC_FREE(frame);
- return NT_STATUS_NO_MEMORY;
- }
-
- conn->params->service = -1;
-
- set_conn_connectpath(conn, "/");
-
- if (!smbd_vfs_init(conn)) {
- DEBUG(0,("smbd_vfs_init() failed!\n"));
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("create_conn_struct returned %s.\n",
+ nt_errstr(status)));
TALLOC_FREE(frame);
- return NT_STATUS_INTERNAL_ERROR;
+ return status;
}
status = SMB_VFS_GET_NT_ACL(conn, fname, security_info_wanted, ctx, sd);
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index d7bfa65..7727302 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -1096,6 +1096,10 @@ void reply_transs2(struct smb_request *req);
/* The following definitions come from smbd/uid.c */
bool change_to_guest(void);
+NTSTATUS check_user_share_access(connection_struct *conn,
+ const struct auth_session_info *session_info,
+ uint32_t *p_share_access,
+ bool *p_readonly_share);
bool change_to_user(connection_struct *conn, uint64_t vuid);
bool change_to_root_user(void);
bool smbd_change_to_root_user(void);
diff --git a/source3/smbd/pysmbd.c b/source3/smbd/pysmbd.c
index 1bac9c2..873fead 100644
--- a/source3/smbd/pysmbd.c
+++ b/source3/smbd/pysmbd.c
@@ -46,6 +46,9 @@ static connection_struct *get_conn(TALLOC_CTX *mem_ctx, const
char *service)
{
connection_struct *conn;
TALLOC_CTX *frame = talloc_stackframe();
+ int snum = -1;
+ NTSTATUS status;
+
if (!posix_locking_init(false)) {
PyErr_NoMemory();
TALLOC_FREE(frame);
@@ -53,39 +56,22 @@ static connection_struct *get_conn(TALLOC_CTX *mem_ctx,
const char *service)
}
if (service) {
- NTSTATUS status;
- int snum = lp_servicenumber(service);
+ snum = lp_servicenumber(service);
if (snum == -1) {
TALLOC_FREE(frame);
PyErr_SetString(PyExc_RuntimeError, "unknown service");
return NULL;
}
- status = create_conn_struct(mem_ctx, NULL, NULL, &conn, snum,
"/",
- NULL);
- PyErr_NTSTATUS_IS_ERR_RAISE(status);
- } else {
- conn = talloc_zero(mem_ctx, connection_struct);
- if (conn == NULL) {
- DEBUG(0, ("talloc failed\n"));
- TALLOC_FREE(frame);
- PyErr_NoMemory();
- return NULL;
- }
-
- if (!(conn->params = talloc(conn, struct share_params))) {
- TALLOC_FREE(frame);
- DEBUG(0,("get_conn: talloc() failed!\n"));
- PyErr_NoMemory();
- return NULL;
- }
- conn->params->service = -1;
+ }
- set_conn_connectpath(conn, "/");
+ status = create_conn_struct(mem_ctx, NULL, NULL, &conn, snum, "/",
+ NULL);
+ PyErr_NTSTATUS_IS_ERR_RAISE(status);
- smbd_vfs_init(conn);
- }
TALLOC_FREE(frame);
+ /* Ignore read-only and share restrictions */
conn->read_only = false;
+ conn->share_access = SEC_RIGHTS_FILE_ALL;
talloc_set_destructor(conn, conn_free_wrapper);
return conn;
}
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index 2214ac0..4fe3809 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -512,40 +512,6 @@ NTSTATUS set_conn_force_user_group(connection_struct
*conn, int snum)
}
/****************************************************************************
- Setup the share access mask for a connection.
-****************************************************************************/
-
-static void create_share_access_mask(connection_struct *conn, int snum)
-{
- const struct security_token *token = conn->session_info->security_token;
-
- share_access_check(token,
- lp_servicename(talloc_tos(), snum),
- MAXIMUM_ALLOWED_ACCESS,
- &conn->share_access);
-
- if (!CAN_WRITE(conn)) {
- conn->share_access &=
- ~(SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA |
- SEC_FILE_WRITE_EA | SEC_FILE_WRITE_ATTRIBUTE |
- SEC_DIR_DELETE_CHILD );
- }
-
- if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
- conn->share_access |= SEC_FLAG_SYSTEM_SECURITY;
- }
- if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
- conn->share_access |= (SEC_RIGHTS_PRIV_RESTORE);
- }
- if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
- conn->share_access |= (SEC_RIGHTS_PRIV_BACKUP);
- }
- if (security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
- conn->share_access |= (SEC_STD_WRITE_OWNER);
- }
-}
-
-/****************************************************************************
Make a connection, given the snum to connect to, and the vuser of the
connecting user if appropriate.
****************************************************************************/
@@ -648,27 +614,17 @@ static NTSTATUS make_connection_snum(struct
smbd_server_connection *sconn,
}
/*
- * New code to check if there's a share security descripter
- * added from NT server manager. This is done after the
- * smb.conf checks are done as we need a uid and token. JRA.
- *
+ * Set up the share security descriptor
*/
- create_share_access_mask(conn, snum);
-
- if ((conn->share_access & FILE_WRITE_DATA) == 0) {
- if ((conn->share_access & FILE_READ_DATA) == 0) {
- /* No access, read or write. */
- DEBUG(0,("make_connection: connection to %s "
- "denied due to security "
- "descriptor.\n",
- lp_servicename(talloc_tos(), snum)));
- status = NT_STATUS_ACCESS_DENIED;
- goto err_root_exit;
- } else {
- conn->read_only = True;
- }
+ status = check_user_share_access(conn,
+ conn->session_info,
+ &conn->share_access,
+ &conn->read_only);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto err_root_exit;
--
Samba Shared Repository
