The branch, master has been updated
       via  685af03 doc: Add new parameters to vfs_full_audit man page
       via  4d9432f vfs_full_audit: Optionally log security descriptors in FSET_NT_ACL
       via  221afae vfs_full_audit: Add "full_audit:syslog"
       via  b76bc4b vfs_full_audit: Save full_audit:priority in private_data
       via  7efee03 vfs_full_audit: Save full_audit:facility in private_data
       via  02d22d6 vfs_full_audit: Pass "vfs_full_audit_private_data" to log_failure/success()
       via  a6e098f s4:torture: use torture_assert instead of torture_comment and return in defer_open test
       via  3f42217 s4:torture: consistently log "pid %u: ..." in the defer_open test
       via  5c6a1da s4:torture: remove an unused variable and bogus check from the defer_open test
      from  4639f6d docs: Fix typos in smb.conf (inherit acls)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 685af0342ea7324086661a506e1d0ee15ab07f16
Author: Christof Schmitt <[email protected]>
Date:   Thu Aug 7 12:01:56 2014 -0700

    doc: Add new parameters to vfs_full_audit man page
    
    Signed-off-by: Christof Schmitt <[email protected]>
    Reviewed-by: Jeremy Allison <[email protected]>
    
    Autobuild-User(master): Jeremy Allison <[email protected]>
    Autobuild-Date(master): Fri Aug  8 00:37:48 CEST 2014 on sn-devel-104

commit 4d9432fd2486ebd157787e9b0318e3901e833367
Author: Volker Lendecke <[email protected]>
Date:   Thu Aug 7 10:53:33 2014 +0000

    vfs_full_audit: Optionally log security descriptors in FSET_NT_ACL
    
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Jeremy Allison <[email protected]>

commit 221afae9ae4c8b168399565e7f9f0970a3471afb
Author: Volker Lendecke <[email protected]>
Date:   Thu Aug 7 10:44:01 2014 +0000

    vfs_full_audit: Add "full_audit:syslog"
    
    Defaults to true (for compatibility)
    
    With full_audit:syslog=false we DEBUG the messages with level 1.
    
    You can explicitly [en|dis]able this with debug class full_audit:0/1
    
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Jeremy Allison <[email protected]>

commit b76bc4b71363401850e18ef1dce14f5a737635d3
Author: Volker Lendecke <[email protected]>
Date:   Thu Aug 7 10:34:18 2014 +0000

    vfs_full_audit: Save full_audit:priority in private_data
    
    lp_parm_enum can become expensive
    
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Jeremy Allison <[email protected]>

commit 7efee03c84fed372689fff73839cb4fb8724a558
Author: Volker Lendecke <[email protected]>
Date:   Thu Aug 7 10:34:18 2014 +0000

    vfs_full_audit: Save full_audit:facility in private_data
    
    lp_parm_enum can become expensive
    
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Jeremy Allison <[email protected]>

commit 02d22d6a6143d5ed818932f9190cf1a8a94e250a
Author: Volker Lendecke <[email protected]>
Date:   Thu Aug 7 10:23:25 2014 +0000

    vfs_full_audit: Pass "vfs_full_audit_private_data" to log_failure/success()
    
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Jeremy Allison <[email protected]>

commit a6e098fb221eb581b99e9b31f221462ee6b7b1cb
Author: Michael Adam <[email protected]>
Date:   Fri Jul 25 00:24:56 2014 +0200

    s4:torture: use torture_assert instead of torture_comment and return in defer_open test
    
    Signed-off-by: Michael Adam <[email protected]>
    Reviewed-by: Jeremy Allison <[email protected]>

commit 3f422177cedadd376c7691381c9b76222b469dd2
Author: Michael Adam <[email protected]>
Date:   Fri Jul 25 00:22:17 2014 +0200

    s4:torture: consistently log "pid %u: ..." in the defer_open test
    
    Signed-off-by: Michael Adam <[email protected]>
    Reviewed-by: Jeremy Allison <[email protected]>

commit 5c6a1da82cddf5f4a3cb0db251610ee5c447ce60
Author: Michael Adam <[email protected]>
Date:   Fri Jul 25 00:20:47 2014 +0200

    s4:torture: remove an unused variable and bogus check from the defer_open test
    
    Signed-off-by: Michael Adam <[email protected]>
    Reviewed-by: Jeremy Allison <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/vfs_full_audit.8.xml |   38 ++++++++++++
 source3/modules/vfs_full_audit.c       |   97 ++++++++++++++++++++++----------
 source4/torture/basic/base.c           |   23 +++----
 3 files changed, 115 insertions(+), 43 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/vfs_full_audit.8.xml 
b/docs-xml/manpages/vfs_full_audit.8.xml
index 2be26b0..875feec 100644
--- a/docs-xml/manpages/vfs_full_audit.8.xml
+++ b/docs-xml/manpages/vfs_full_audit.8.xml
@@ -202,6 +202,44 @@
                 </listitem>
                 </varlistentry>
 
+                <varlistentry>
+                <term>full_audit:syslog = true/false</term>
+                <listitem>
+                <para>Log messages to syslog (default) or as a debug level 1
+                message.
+                </para>
+                </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                <term>full_audit:log_secdesc = true/false</term>
+                <listitem>
+                <para>Log an sddl form of the security descriptor coming in
+                when a client sets an acl. Defaults to false.
+                </para>
+                </listitem>
+                </varlistentry>
+
+               <varlistentry>
+               <term>full_audit:syslog = BOOL</term>
+               <listitem>
+               <para>If set to true, then send the audit messages to
+               syslog. If set to false, the normal Samba log will be
+               used with a debug level of 1. The default is true.
+               </para>
+               </listitem>
+               </varlistentry>
+
+               <varlistentry>
+               <term>full_audit:log_secdesc = BOOL</term>
+               <listitem>
+               <para>Log security descriptor changes. If set to true,
+               also log security descriptor changes requested by
+               clients. The default is false.
+               </para>
+               </listitem>
+               </varlistentry>
+
        </variablelist>
 </refsect1>
 
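Review bot: full_audit:syslog and full_audit:log_secdesc are each documented twice in this hunk, once as "true/false" and again as "BOOL", so the rendered man page will list both parameters two times with slightly different wording. Keep one varlistentry per parameter (the BOOL pair states the default and the fallback log explicitly) and drop the other pair. The second pair is also indented differently from the first, which should be aligned with the surrounding entries.
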
diff --git a/source3/modules/vfs_full_audit.c b/source3/modules/vfs_full_audit.c
index 262b241..7f0222c 100644
--- a/source3/modules/vfs_full_audit.c
+++ b/source3/modules/vfs_full_audit.c
@@ -67,12 +67,18 @@
 #include "lib/param/loadparm.h"
 #include "lib/util/bitmap.h"
 #include "lib/util/tevent_unix.h"
+#include "libcli/security/sddl.h"
+#include "passdb/machine_sid.h"
 
 static int vfs_full_audit_debug_level = DBGC_VFS;
 
 struct vfs_full_audit_private_data {
        struct bitmap *success_ops;
        struct bitmap *failure_ops;
+       int syslog_facility;
+       int syslog_priority;
+       bool log_secdesc;
+       bool do_syslog;
 };
 
 #undef DBGC_CLASS
@@ -385,14 +391,8 @@ static char *audit_prefix(TALLOC_CTX *ctx, 
connection_struct *conn)
        return result;
 }
 
-static bool log_success(vfs_handle_struct *handle, vfs_op_type op)
+static bool log_success(struct vfs_full_audit_private_data *pd, vfs_op_type op)
 {
-       struct vfs_full_audit_private_data *pd = NULL;
-
-       SMB_VFS_HANDLE_GET_DATA(handle, pd,
-               struct vfs_full_audit_private_data,
-               return True);
-
        if (pd->success_ops == NULL) {
                return True;
        }
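Review bot: log_success() now dereferences pd->success_ops with no NULL check on pd, where the removed SMB_VFS_HANDLE_GET_DATA block returned True when the private data was missing. The same applies to log_failure() in the next hunk. That holds as long as do_log() stays the only caller and fetches pd first; a one-line comment stating that pd must be non-NULL, and taking the pointer as const since neither helper modifies it, would make that contract explicit.
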
@@ -400,14 +400,8 @@ static bool log_success(vfs_handle_struct *handle, 
vfs_op_type op)
        return bitmap_query(pd->success_ops, op);
 }
 
-static bool log_failure(vfs_handle_struct *handle, vfs_op_type op)
+static bool log_failure(struct vfs_full_audit_private_data *pd, vfs_op_type op)
 {
-       struct vfs_full_audit_private_data *pd = NULL;
-
-       SMB_VFS_HANDLE_GET_DATA(handle, pd,
-               struct vfs_full_audit_private_data,
-               return True);
-
        if (pd->failure_ops == NULL)
                return True;
 
@@ -498,16 +492,20 @@ static TALLOC_CTX *do_log_ctx(void)
 static void do_log(vfs_op_type op, bool success, vfs_handle_struct *handle,
                   const char *format, ...)
 {
+       struct vfs_full_audit_private_data *pd;
        fstring err_msg;
        char *audit_pre = NULL;
        va_list ap;
        char *op_msg = NULL;
-       int priority;
 
-       if (success && (!log_success(handle, op)))
+       SMB_VFS_HANDLE_GET_DATA(handle, pd,
+                               struct vfs_full_audit_private_data,
+                               return;);
+
+       if (success && (!log_success(pd, op)))
                goto out;
 
-       if (!success && (!log_failure(handle, op)))
+       if (!success && (!log_failure(pd, op)))
                goto out;
 
        if (success)
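Review bot: the new early "return;" in do_log() changes what happens when the handle has no private data. Previously log_success()/log_failure() returned True in that case and do_log() went on to write the record; now the audit event is dropped. For an audit module that is a behaviour change worth confirming and mentioning in the commit message. The trailing semicolon in "return;);" is also inconsistent with the "return True" and "return NT_STATUS_INTERNAL_ERROR" forms passed to the same macro elsewhere in this patch.
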
@@ -523,18 +521,25 @@ static void do_log(vfs_op_type op, bool success, 
vfs_handle_struct *handle,
                goto out;
        }
 
-       /*
-        * Specify the facility to interoperate with other syslog callers
-        * (smbd for example).
-        */
-       priority = audit_syslog_priority(handle) |
-           audit_syslog_facility(handle);
-
        audit_pre = audit_prefix(talloc_tos(), handle->conn);
-       syslog(priority, "%s|%s|%s|%s\n",
-               audit_pre ? audit_pre : "",
-               audit_opname(op), err_msg, op_msg);
 
+       if (pd->do_syslog) {
+               int priority;
+
+               /*
+                * Specify the facility to interoperate with other syslog
+                * callers (smbd for example).
+                */
+               priority = pd->syslog_priority | pd->syslog_facility;
+
+               syslog(priority, "%s|%s|%s|%s\n",
+                      audit_pre ? audit_pre : "",
+                      audit_opname(op), err_msg, op_msg);
+       } else {
+               DEBUG(1, ("%s|%s|%s|%s\n",
+                         audit_pre ? audit_pre : "",
+                         audit_opname(op), err_msg, op_msg));
+       }
  out:
        TALLOC_FREE(audit_pre);
        TALLOC_FREE(op_msg);
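Review bot: in the else branch, DEBUG(1, ...) means that with full_audit:syslog = false the audit record is only emitted when the effective debug level is at least 1, so a share running at a lower level produces no audit trail. The man page entry should say so. The "%s|%s|%s|%s\n" format and its four arguments are now duplicated across both branches; formatting the line once and handing it to either syslog() or DEBUG() would keep the two outputs from drifting apart.
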
@@ -587,8 +592,28 @@ static int smb_full_audit_connect(vfs_handle_struct 
*handle,
                return -1;
        }
 
+       pd->syslog_facility = audit_syslog_facility(handle);
+       if (pd->syslog_facility == -1) {
+               DEBUG(1, ("%s: Unknown facility %s\n", __func__,
+                         lp_parm_const_string(SNUM(handle->conn),
+                                              "full_audit", "facility",
+                                              "USER")));
+               SMB_VFS_NEXT_DISCONNECT(handle);
+               return -1;
+       }
+
+       pd->syslog_priority = audit_syslog_priority(handle);
+
+       pd->log_secdesc = lp_parm_bool(SNUM(handle->conn),
+                                      "full_audit", "log_secdesc", false);
+
+       pd->do_syslog = lp_parm_bool(SNUM(handle->conn),
+                                    "full_audit", "syslog", true);
+
 #ifdef WITH_SYSLOG
-       openlog("smbd_audit", 0, audit_syslog_facility(handle));
+       if (pd->do_syslog) {
+               openlog("smbd_audit", 0, pd->syslog_facility);
+       }
 #endif
 
        pd->success_ops = init_bitmap(
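Review bot: the facility check runs before do_syslog is read, so an unknown full_audit:facility rejects the connection even when full_audit:syslog = false and the facility is never used. Read do_syslog first and validate the facility only when it is true. pd->syslog_priority is stored without any corresponding validity check, and the "USER" default passed to lp_parm_const_string() for the error message is a second copy of a default that lives elsewhere, so the message can go stale.
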
@@ -1844,12 +1869,24 @@ static NTSTATUS 
smb_full_audit_fset_nt_acl(vfs_handle_struct *handle, files_stru
                              uint32 security_info_sent,
                              const struct security_descriptor *psd)
 {
+       struct vfs_full_audit_private_data *pd;
        NTSTATUS result;
+       char *sd = NULL;
+
+       SMB_VFS_HANDLE_GET_DATA(handle, pd,
+                               struct vfs_full_audit_private_data,
+                               return NT_STATUS_INTERNAL_ERROR);
+
+       if (pd->log_secdesc) {
+               sd = sddl_encode(talloc_tos(), psd, get_global_sam_sid());
+       }
 
        result = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd);
 
-       do_log(SMB_VFS_OP_FSET_NT_ACL, NT_STATUS_IS_OK(result), handle, "%s",
-              fsp_str_do_log(fsp));
+       do_log(SMB_VFS_OP_FSET_NT_ACL, NT_STATUS_IS_OK(result), handle,
+              "%s [%s]", fsp_str_do_log(fsp), sd ? sd : "");
+
+       TALLOC_FREE(sd);
 
        return result;
 }
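Review bot: the format string changes from "%s" to "%s [%s]" unconditionally, so every FSET_NT_ACL record gains a trailing " []" even with log_secdesc at its default of false, which can break existing consumers of the pipe-delimited log. Choose the format based on pd->log_secdesc. Also, "sd ? sd : """ makes a failed sddl_encode() indistinguishable from an empty result; log an explicit marker in that case. The encode also runs before do_log() consults the success/failure bitmaps, so the work is done even when this op will not be logged.
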
diff --git a/source4/torture/basic/base.c b/source4/torture/basic/base.c
index 4f2240e..1d04b35 100644
--- a/source4/torture/basic/base.c
+++ b/source4/torture/basic/base.c
@@ -649,7 +649,6 @@ test the timing of deferred open requests
 static bool run_deferopen(struct torture_context *tctx, struct smbcli_state 
*cli, int dummy)
 {
        const char *fname = "\\defer_open_test.dat";
-       int retries=4;
        int i = 0;
        bool correct = true;
        int nsec;
@@ -660,12 +659,8 @@ static bool run_deferopen(struct torture_context *tctx, 
struct smbcli_state *cli
        msec = nsec / 1000;
        sec = ((double)nsec) / ((double) 1000000);
 
-       if (retries <= 0) {
-               torture_comment(tctx, "failed to connect\n");
-               return false;
-       }
-
-       torture_comment(tctx, "Testing deferred open requests.\n");
+       torture_comment(tctx, "pid %u: Testing deferred open requests.\n",
+                       (unsigned)getpid());
 
        while (i < 4) {
                int fnum = -1;
@@ -691,12 +686,13 @@ static bool run_deferopen(struct torture_context *tctx, 
struct smbcli_state *cli
                        }
                } while 
(NT_STATUS_EQUAL(smbcli_nt_error(cli->tree),NT_STATUS_SHARING_VIOLATION));
 
-               if (fnum == -1) {
-                       torture_comment(tctx,"Failed to open %s, error=%s\n", 
fname, smbcli_errstr(cli->tree));
-                       return false;
-               }
+               torture_assert(tctx, fnum != -1,
+                              talloc_asprintf(tctx,
+                                       "pid %u: Failed to open %s, error=%s\n",
+                                       (unsigned)getpid(), fname,
+                                       smbcli_errstr(cli->tree)));
 
-               torture_comment(tctx, "pid %u open %d\n", (unsigned)getpid(), 
i);
+               torture_comment(tctx, "pid %u: open %d\n", (unsigned)getpid(), 
i);
 
                smb_msleep(10 * msec);
                i++;
@@ -719,7 +715,8 @@ static bool run_deferopen(struct torture_context *tctx, 
struct smbcli_state *cli
                }
        }
 
-       torture_comment(tctx, "deferred test finished\n");
+       torture_comment(tctx, "pid %u: deferred test finished\n",
+                       (unsigned)getpid());
        return correct;
 }
 


-- 
Samba Shared Repository
