diff options
-rw-r--r-- | librpc/idl/xattr.idl | 10 | ||||
-rw-r--r-- | source3/librpc/gen_ndr/ndr_xattr.c | 48 | ||||
-rw-r--r-- | source3/librpc/gen_ndr/ndr_xattr.h | 6 | ||||
-rw-r--r-- | source3/librpc/gen_ndr/xattr.h | 6 | ||||
-rw-r--r-- | source3/modules/vfs_acl_tdb.c | 30 | ||||
-rw-r--r-- | source3/modules/vfs_acl_xattr.c | 30 |
6 files changed, 55 insertions, 75 deletions
diff --git a/librpc/idl/xattr.idl b/librpc/idl/xattr.idl index c1af4791ae..4191ea67ce 100644 --- a/librpc/idl/xattr.idl +++ b/librpc/idl/xattr.idl @@ -117,20 +117,20 @@ interface xattr stored in "security.NTACL" Version 1. raw SD stored as Samba4 does it. - Version 2. raw SD + last changed timestamp so we - can discard if this doesn't match the POSIX st_ctime. + Version 2. raw SD + last changed hash so we + can discard if this doesn't match the underlying ACL hash. */ const char *XATTR_NTACL_NAME = "security.NTACL"; typedef [public] struct { security_descriptor *sd; - NTTIME last_changed; - } security_descriptor_timestamp; + uint8 hash[16]; + } security_descriptor_hash; typedef [switch_type(uint16)] union { [case(1)] security_descriptor *sd; - [case(2)] security_descriptor_timestamp *sd_ts; + [case(2)] security_descriptor_hash *sd_hs; } xattr_NTACL_Info; typedef [public] struct { diff --git a/source3/librpc/gen_ndr/ndr_xattr.c b/source3/librpc/gen_ndr/ndr_xattr.c index 0e9dda9f47..75781d763d 100644 --- a/source3/librpc/gen_ndr/ndr_xattr.c +++ b/source3/librpc/gen_ndr/ndr_xattr.c @@ -546,12 +546,12 @@ _PUBLIC_ void ndr_print_xattr_DosStreams(struct ndr_print *ndr, const char *name ndr->depth--; } -_PUBLIC_ enum ndr_err_code ndr_push_security_descriptor_timestamp(struct ndr_push *ndr, int ndr_flags, const struct security_descriptor_timestamp *r) +_PUBLIC_ enum ndr_err_code ndr_push_security_descriptor_hash(struct ndr_push *ndr, int ndr_flags, const struct security_descriptor_hash *r) { if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_push_align(ndr, 4)); NDR_CHECK(ndr_push_unique_ptr(ndr, r->sd)); - NDR_CHECK(ndr_push_NTTIME(ndr, NDR_SCALARS, r->last_changed)); + NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->hash, 16)); } if (ndr_flags & NDR_BUFFERS) { if (r->sd) { @@ -561,7 +561,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_security_descriptor_timestamp(struct ndr_pus return NDR_ERR_SUCCESS; } -_PUBLIC_ enum ndr_err_code ndr_pull_security_descriptor_timestamp(struct ndr_pull *ndr, int ndr_flags, struct security_descriptor_timestamp *r) +_PUBLIC_ enum ndr_err_code ndr_pull_security_descriptor_hash(struct ndr_pull *ndr, int ndr_flags, struct security_descriptor_hash *r) { uint32_t _ptr_sd; TALLOC_CTX *_mem_save_sd_0; @@ -573,7 +573,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_descriptor_timestamp(struct ndr_pul } else { r->sd = NULL; } - NDR_CHECK(ndr_pull_NTTIME(ndr, NDR_SCALARS, &r->last_changed)); + NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->hash, 16)); } if (ndr_flags & NDR_BUFFERS) { if (r->sd) { @@ -586,9 +586,9 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_descriptor_timestamp(struct ndr_pul return NDR_ERR_SUCCESS; } -_PUBLIC_ void ndr_print_security_descriptor_timestamp(struct ndr_print *ndr, const char *name, const struct security_descriptor_timestamp *r) +_PUBLIC_ void ndr_print_security_descriptor_hash(struct ndr_print *ndr, const char *name, const struct security_descriptor_hash *r) { - ndr_print_struct(ndr, name, "security_descriptor_timestamp"); + ndr_print_struct(ndr, name, "security_descriptor_hash"); ndr->depth++; ndr_print_ptr(ndr, "sd", r->sd); ndr->depth++; @@ -596,7 +596,7 @@ _PUBLIC_ void ndr_print_security_descriptor_timestamp(struct ndr_print *ndr, con ndr_print_security_descriptor(ndr, "sd", r->sd); } ndr->depth--; - ndr_print_NTTIME(ndr, "last_changed", r->last_changed); + ndr_print_array_uint8(ndr, "hash", r->hash, 16); ndr->depth--; } @@ -611,7 +611,7 @@ static enum ndr_err_code ndr_push_xattr_NTACL_Info(struct ndr_push *ndr, int ndr break; } case 2: { - NDR_CHECK(ndr_push_unique_ptr(ndr, r->sd_ts)); + NDR_CHECK(ndr_push_unique_ptr(ndr, r->sd_hs)); break; } default: @@ -628,8 +628,8 @@ static enum ndr_err_code ndr_push_xattr_NTACL_Info(struct ndr_push *ndr, int ndr break; case 2: - if (r->sd_ts) { - NDR_CHECK(ndr_push_security_descriptor_timestamp(ndr, NDR_SCALARS|NDR_BUFFERS, r->sd_ts)); + if (r->sd_hs) { + NDR_CHECK(ndr_push_security_descriptor_hash(ndr, NDR_SCALARS|NDR_BUFFERS, r->sd_hs)); } break; @@ -645,7 +645,7 @@ static enum ndr_err_code ndr_pull_xattr_NTACL_Info(struct ndr_pull *ndr, int ndr int level; uint16_t _level; TALLOC_CTX *_mem_save_sd_0; - TALLOC_CTX *_mem_save_sd_ts_0; + TALLOC_CTX *_mem_save_sd_hs_0; level = ndr_pull_get_switch_value(ndr, r); if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &_level)); @@ -664,12 +664,12 @@ static enum ndr_err_code ndr_pull_xattr_NTACL_Info(struct ndr_pull *ndr, int ndr break; } case 2: { - uint32_t _ptr_sd_ts; - NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sd_ts)); - if (_ptr_sd_ts) { - NDR_PULL_ALLOC(ndr, r->sd_ts); + uint32_t _ptr_sd_hs; + NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sd_hs)); + if (_ptr_sd_hs) { + NDR_PULL_ALLOC(ndr, r->sd_hs); } else { - r->sd_ts = NULL; + r->sd_hs = NULL; } break; } @@ -689,11 +689,11 @@ static enum ndr_err_code ndr_pull_xattr_NTACL_Info(struct ndr_pull *ndr, int ndr break; case 2: - if (r->sd_ts) { - _mem_save_sd_ts_0 = NDR_PULL_GET_MEM_CTX(ndr); - NDR_PULL_SET_MEM_CTX(ndr, r->sd_ts, 0); - NDR_CHECK(ndr_pull_security_descriptor_timestamp(ndr, NDR_SCALARS|NDR_BUFFERS, r->sd_ts)); - NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sd_ts_0, 0); + if (r->sd_hs) { + _mem_save_sd_hs_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->sd_hs, 0); + NDR_CHECK(ndr_pull_security_descriptor_hash(ndr, NDR_SCALARS|NDR_BUFFERS, r->sd_hs)); + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sd_hs_0, 0); } break; @@ -720,10 +720,10 @@ _PUBLIC_ void ndr_print_xattr_NTACL_Info(struct ndr_print *ndr, const char *name break; case 2: - ndr_print_ptr(ndr, "sd_ts", r->sd_ts); + ndr_print_ptr(ndr, "sd_hs", r->sd_hs); ndr->depth++; - if (r->sd_ts) { - ndr_print_security_descriptor_timestamp(ndr, "sd_ts", r->sd_ts); + if (r->sd_hs) { + ndr_print_security_descriptor_hash(ndr, "sd_hs", r->sd_hs); } ndr->depth--; break; diff --git a/source3/librpc/gen_ndr/ndr_xattr.h b/source3/librpc/gen_ndr/ndr_xattr.h index 38701b1aca..c565e8513a 100644 --- a/source3/librpc/gen_ndr/ndr_xattr.h +++ b/source3/librpc/gen_ndr/ndr_xattr.h @@ -24,9 +24,9 @@ void ndr_print_xattr_DosStream(struct ndr_print *ndr, const char *name, const st enum ndr_err_code ndr_push_xattr_DosStreams(struct ndr_push *ndr, int ndr_flags, const struct xattr_DosStreams *r); enum ndr_err_code ndr_pull_xattr_DosStreams(struct ndr_pull *ndr, int ndr_flags, struct xattr_DosStreams *r); void ndr_print_xattr_DosStreams(struct ndr_print *ndr, const char *name, const struct xattr_DosStreams *r); -enum ndr_err_code ndr_push_security_descriptor_timestamp(struct ndr_push *ndr, int ndr_flags, const struct security_descriptor_timestamp *r); -enum ndr_err_code ndr_pull_security_descriptor_timestamp(struct ndr_pull *ndr, int ndr_flags, struct security_descriptor_timestamp *r); -void ndr_print_security_descriptor_timestamp(struct ndr_print *ndr, const char *name, const struct security_descriptor_timestamp *r); +enum ndr_err_code ndr_push_security_descriptor_hash(struct ndr_push *ndr, int ndr_flags, const struct security_descriptor_hash *r); +enum ndr_err_code ndr_pull_security_descriptor_hash(struct ndr_pull *ndr, int ndr_flags, struct security_descriptor_hash *r); +void ndr_print_security_descriptor_hash(struct ndr_print *ndr, const char *name, const struct security_descriptor_hash *r); void ndr_print_xattr_NTACL_Info(struct ndr_print *ndr, const char *name, const union xattr_NTACL_Info *r); enum ndr_err_code ndr_push_xattr_NTACL(struct ndr_push *ndr, int ndr_flags, const struct xattr_NTACL *r); enum ndr_err_code ndr_pull_xattr_NTACL(struct ndr_pull *ndr, int ndr_flags, struct xattr_NTACL *r); diff --git a/source3/librpc/gen_ndr/xattr.h b/source3/librpc/gen_ndr/xattr.h index 1d8da3f5e2..1148a0acec 100644 --- a/source3/librpc/gen_ndr/xattr.h +++ b/source3/librpc/gen_ndr/xattr.h @@ -73,14 +73,14 @@ struct xattr_DosStreams { struct xattr_DosStream *streams;/* [unique,size_is(num_streams)] */ }/* [public] */; -struct security_descriptor_timestamp { +struct security_descriptor_hash { struct security_descriptor *sd;/* [unique] */ - NTTIME last_changed; + uint8_t hash[16]; }/* [public] */; union xattr_NTACL_Info { struct security_descriptor *sd;/* [unique,case] */ - struct security_descriptor_timestamp *sd_ts;/* [unique,case(2)] */ + struct security_descriptor_hash *sd_hs;/* [unique,case(2)] */ }/* [switch_type(uint16)] */; struct xattr_NTACL { diff --git a/source3/modules/vfs_acl_tdb.c b/source3/modules/vfs_acl_tdb.c index 202c1a8469..1924812cf7 100644 --- a/source3/modules/vfs_acl_tdb.c +++ b/source3/modules/vfs_acl_tdb.c @@ -125,15 +125,15 @@ static NTSTATUS parse_acl_blob(const DATA_BLOB *pblob, return NT_STATUS_REVISION_MISMATCH; } - *ppdesc = make_sec_desc(ctx, SEC_DESC_REVISION, xacl.info.sd_ts->sd->type | SEC_DESC_SELF_RELATIVE, + *ppdesc = make_sec_desc(ctx, SEC_DESC_REVISION, xacl.info.sd_hs->sd->type | SEC_DESC_SELF_RELATIVE, (security_info & OWNER_SECURITY_INFORMATION) - ? xacl.info.sd_ts->sd->owner_sid : NULL, + ? xacl.info.sd_hs->sd->owner_sid : NULL, (security_info & GROUP_SECURITY_INFORMATION) - ? xacl.info.sd_ts->sd->group_sid : NULL, + ? xacl.info.sd_hs->sd->group_sid : NULL, (security_info & SACL_SECURITY_INFORMATION) - ? xacl.info.sd_ts->sd->sacl : NULL, + ? xacl.info.sd_hs->sd->sacl : NULL, (security_info & DACL_SECURITY_INFORMATION) - ? xacl.info.sd_ts->sd->dacl : NULL, + ? xacl.info.sd_hs->sd->dacl : NULL, &sd_size); TALLOC_FREE(xacl.info.sd); @@ -199,27 +199,17 @@ static NTSTATUS get_acl_blob(TALLOC_CTX *ctx, static NTSTATUS create_acl_blob(const struct security_descriptor *psd, DATA_BLOB *pblob) { struct xattr_NTACL xacl; - struct security_descriptor_timestamp sd_ts; + struct security_descriptor_hash sd_hs; enum ndr_err_code ndr_err; TALLOC_CTX *ctx = talloc_tos(); - struct timespec curr = timespec_current(); ZERO_STRUCT(xacl); - ZERO_STRUCT(sd_ts); - - /* Horrid hack as setting an xattr changes the ctime - * on Linux. This gives a race of 1 second during - * which we would not see a POSIX ACL set. - */ - curr.tv_sec += 1; + ZERO_STRUCT(sd_hs); xacl.version = 2; - xacl.info.sd_ts = &sd_ts; - xacl.info.sd_ts->sd = CONST_DISCARD(struct security_descriptor *, psd); - unix_timespec_to_nt_time(&xacl.info.sd_ts->last_changed, curr); - - DEBUG(10, ("create_acl_blob: timestamp stored as %s\n", - timestring(ctx, curr.tv_sec) )); + xacl.info.sd_hs = &sd_hs; + xacl.info.sd_hs->sd = CONST_DISCARD(struct security_descriptor *, psd); + memset(&xacl.info.sd_hs->hash[0], '\0', 16); ndr_err = ndr_push_struct_blob( pblob, ctx, NULL, &xacl, diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c index 2b4e68bdea..bc3edd7d04 100644 --- a/source3/modules/vfs_acl_xattr.c +++ b/source3/modules/vfs_acl_xattr.c @@ -53,15 +53,15 @@ static NTSTATUS parse_acl_blob(const DATA_BLOB *pblob, return NT_STATUS_REVISION_MISMATCH; } - *ppdesc = make_sec_desc(ctx, SEC_DESC_REVISION, xacl.info.sd_ts->sd->type | SEC_DESC_SELF_RELATIVE, + *ppdesc = make_sec_desc(ctx, SEC_DESC_REVISION, xacl.info.sd_hs->sd->type | SEC_DESC_SELF_RELATIVE, (security_info & OWNER_SECURITY_INFORMATION) - ? xacl.info.sd_ts->sd->owner_sid : NULL, + ? xacl.info.sd_hs->sd->owner_sid : NULL, (security_info & GROUP_SECURITY_INFORMATION) - ? xacl.info.sd_ts->sd->group_sid : NULL, + ? xacl.info.sd_hs->sd->group_sid : NULL, (security_info & SACL_SECURITY_INFORMATION) - ? xacl.info.sd_ts->sd->sacl : NULL, + ? xacl.info.sd_hs->sd->sacl : NULL, (security_info & DACL_SECURITY_INFORMATION) - ? xacl.info.sd_ts->sd->dacl : NULL, + ? xacl.info.sd_hs->sd->dacl : NULL, &sd_size); TALLOC_FREE(xacl.info.sd); @@ -134,27 +134,17 @@ static NTSTATUS get_acl_blob(TALLOC_CTX *ctx, static NTSTATUS create_acl_blob(const struct security_descriptor *psd, DATA_BLOB *pblob) { struct xattr_NTACL xacl; - struct security_descriptor_timestamp sd_ts; + struct security_descriptor_hash sd_hs; enum ndr_err_code ndr_err; TALLOC_CTX *ctx = talloc_tos(); - struct timespec curr = timespec_current(); ZERO_STRUCT(xacl); - ZERO_STRUCT(sd_ts); - - /* Horrid hack as setting an xattr changes the ctime - * on Linux. This gives a race of 1 second during - * which we would not see a POSIX ACL set. - */ - curr.tv_sec += 1; + ZERO_STRUCT(sd_hs); xacl.version = 2; - xacl.info.sd_ts = &sd_ts; - xacl.info.sd_ts->sd = CONST_DISCARD(struct security_descriptor *, psd); - unix_timespec_to_nt_time(&xacl.info.sd_ts->last_changed, curr); - - DEBUG(10, ("create_acl_blob: timestamp stored as %s\n", - timestring(ctx, curr.tv_sec) )); + xacl.info.sd_hs = &sd_hs; + xacl.info.sd_hs->sd = CONST_DISCARD(struct security_descriptor *, psd); + memset(&xacl.info.sd_hs->hash[0], '\0', 16); ndr_err = ndr_push_struct_blob( pblob, ctx, NULL, &xacl, |