diff options
| author | Nils Goroll <nils.goroll@hamburg.de> | 2008-11-17 00:55:16 +0100 |
|---|---|---|
| committer | Michael Adam <obnox@samba.org> | 2008-11-25 11:29:40 +0100 |
| commit | bf04324592695fd6e711ba25a89d47e1b61fa33e (patch) | |
| tree | 3a52e808dade5decd75c6e2bf92f155e3b9d9424 /source3/modules/vfs_zfsacl.c | |
| parent | 9d2c2a7a0e9e69c8fa2ce81af79007da0e32605b (diff) | |
| download | samba-bf04324592695fd6e711ba25a89d47e1b61fa33e.tar.gz samba-bf04324592695fd6e711ba25a89d47e1b61fa33e.tar.bz2 samba-bf04324592695fd6e711ba25a89d47e1b61fa33e.zip | |
[s3]zfsacl: Prevent calling POSIX ACL vfs methods on zfs share.
This is a proposed fix for Bugs #5135 and #5446.
Signed-off-by: Michael Adam <obnox@samba.org>
Diffstat (limited to 'source3/modules/vfs_zfsacl.c')
| -rw-r--r-- | source3/modules/vfs_zfsacl.c | 83 |
1 files changed, 83 insertions, 0 deletions
diff --git a/source3/modules/vfs_zfsacl.c b/source3/modules/vfs_zfsacl.c index 3688b2386e..650666e921 100644 --- a/source3/modules/vfs_zfsacl.c +++ b/source3/modules/vfs_zfsacl.c @@ -212,9 +212,92 @@ static NTSTATUS zfsacl_fset_nt_acl(vfs_handle_struct *handle, return zfs_set_nt_acl(handle, fsp, security_info_sent, psd); } +/* nils.goroll@hamburg.de 2008-06-16 : + + See also + - https://bugzilla.samba.org/show_bug.cgi?id=5446 + - http://bugs.opensolaris.org/view_bug.do?bug_id=6688240 + + Solaris supports NFSv4 and ZFS ACLs through a common system call, acl(2) + with ACE_SETACL / ACE_GETACL / ACE_GETACLCNT, which is being wrapped for + use by samba in this module. + + As the acl(2) interface is identical for ZFS and for NFS, this module, + vfs_zfsacl, can not only be used for ZFS, but also for sharing NFSv4 + mounts on Solaris. + + But while "traditional" POSIX DRAFT ACLs (using acl(2) with SETACL + / GETACL / GETACLCNT) fail for ZFS, the Solaris NFS client + implemets a compatibility wrapper, which will make calls to + traditional ACL calls though vfs_solarisacl succeed. As the + compatibility wrapper's implementation is (by design) incomplete, + we want to make sure that it is never being called. + + As long as Samba does not support an exiplicit method for a module + to define conflicting vfs methods, we should override all conflicting + methods here. + + For this to work, we need to make sure that this module is initialised + *after* vfs_solarisacl + + Function declarations taken from vfs_solarisacl +*/ + +SMB_ACL_T zfsacl_fail__sys_acl_get_file(vfs_handle_struct *handle, + const char *path_p, + SMB_ACL_TYPE_T type) +{ + return (SMB_ACL_T)NULL; +} +SMB_ACL_T zfsacl_fail__sys_acl_get_fd(vfs_handle_struct *handle, + files_struct *fsp, + int fd) +{ + return (SMB_ACL_T)NULL; +} + +int zfsacl_fail__sys_acl_set_file(vfs_handle_struct *handle, + const char *name, + SMB_ACL_TYPE_T type, + SMB_ACL_T theacl) +{ + return(-1); +} + +int zfsacl_fail__sys_acl_set_fd(vfs_handle_struct *handle, + files_struct *fsp, + int fd, SMB_ACL_T theacl) +{ + return(-1); +} + +int zfsacl_fail__sys_acl_delete_def_file(vfs_handle_struct *handle, + const char *path) +{ + return(-1); +} + /* VFS operations structure */ static vfs_op_tuple zfsacl_ops[] = { + /* invalidate conflicting VFS methods */ + {SMB_VFS_OP(zfsacl_fail__sys_acl_get_file), + SMB_VFS_OP_SYS_ACL_GET_FILE, + SMB_VFS_LAYER_OPAQUE}, + {SMB_VFS_OP(zfsacl_fail__sys_acl_get_fd), + SMB_VFS_OP_SYS_ACL_GET_FD, + SMB_VFS_LAYER_OPAQUE}, + {SMB_VFS_OP(zfsacl_fail__sys_acl_set_file), + SMB_VFS_OP_SYS_ACL_SET_FILE, + SMB_VFS_LAYER_OPAQUE}, + {SMB_VFS_OP(zfsacl_fail__sys_acl_set_fd), + SMB_VFS_OP_SYS_ACL_SET_FD, + SMB_VFS_LAYER_OPAQUE}, + {SMB_VFS_OP(zfsacl_fail__sys_acl_delete_def_file), + SMB_VFS_OP_SYS_ACL_DELETE_DEF_FILE, + SMB_VFS_LAYER_OPAQUE}, + + /* actual methods */ {SMB_VFS_OP(zfsacl_fget_nt_acl), SMB_VFS_OP_FGET_NT_ACL, SMB_VFS_LAYER_OPAQUE}, {SMB_VFS_OP(zfsacl_get_nt_acl), SMB_VFS_OP_GET_NT_ACL, |