-rw-r--r-- | docs-xml/smbdotconf/vfs/aclcompatibility.xml | 17 | ||||
-rw-r--r-- | lib/param/param_functions.c | 1 | ||||
-rw-r--r-- | lib/param/param_table.c | 19 | ||||
-rw-r--r-- | source3/include/proto.h | 1 | ||||
-rw-r--r-- | source3/smbd/posix_acls.c | 108 | ||||
-rw-r--r-- | source3/smbd/proto.h | 1 | ||||
-rw-r--r-- | source4/libcli/pysmb.c | 7 | ||||
-rw-r--r-- | source4/scripting/python/samba/tests/posixacl.py | 12 |
8 files changed, 11 insertions, 155 deletions
diff --git a/docs-xml/smbdotconf/vfs/aclcompatibility.xml b/docs-xml/smbdotconf/vfs/aclcompatibility.xml
deleted file mode 100644
index 95f42cfe2a..0000000000
--- a/docs-xml/smbdotconf/vfs/aclcompatibility.xml
+++ /dev/null
@@ -1,17 +0,0 @@
-<samba:parameter name="acl compatibility"
- context="G"
- type="enum"
- advanced="1" developer="1"
- xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<description>
- <para>This parameter specifies what OS ACL semantics should
- be compatible with. Possible values are <emphasis>winnt</emphasis> for Windows NT 4,
- <emphasis>win2k</emphasis> for Windows 2000 and above and <emphasis>auto</emphasis>.
- If you specify <emphasis>auto</emphasis>, the value for this parameter
- will be based upon the version of the client. There should
- be no reason to change this parameter from the default.</para>
-</description>
-
-<value type="default">Auto</value>
-<value type="example">win2k</value>
-</samba:parameter>
diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
index d5cd0181c5..94652fad89 100644
--- a/lib/param/param_functions.c
+++ b/lib/param/param_functions.c
@@ -266,7 +266,6 @@ FN_GLOBAL_CONST_STRING(winbindd_socket_directory, szWinbinddSocketDirectory)
 FN_GLOBAL_CONST_STRING(winbind_separator, szWinbindSeparator)
 FN_GLOBAL_CONST_STRING(workgroup, szWorkgroup)
 FN_GLOBAL_CONST_STRING(wtmpdir, szWtmpDir)
-FN_GLOBAL_INTEGER(acl_compatibility, iAclCompat)
 FN_GLOBAL_INTEGER(afs_token_lifetime, iAfsTokenLifetime)
 FN_GLOBAL_INTEGER(algorithmic_rid_base, AlgorithmicRidBase)
 FN_GLOBAL_INTEGER(allow_dns_updates, allow_dns_updates)
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 01f65fef97..a73cd966bc 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -180,16 +180,6 @@ static const struct enum_list enum_kerberos_method[] = { {-1, NULL} }; - -/* ACL compatibility options. */ -static const struct enum_list enum_acl_compat_vals[] = { - { ACL_COMPAT_AUTO, "auto" }, - { ACL_COMPAT_WINNT, "winnt" }, - { ACL_COMPAT_WIN2K, "win2k" }, - { -1, NULL} -}; - - static const struct enum_list enum_printing[] = { {PRINT_SYSV, "sysv"}, {PRINT_AIX, "aix"}, @@ -1459,15 +1449,6 @@ static struct parm_struct parm_table[] = { .flags = FLAG_ADVANCED, }, { - .label = "acl compatibility", - .type = P_ENUM, - .p_class = P_GLOBAL, - .offset = GLOBAL_VAR(iAclCompat), - .special = NULL, - .enum_list = enum_acl_compat_vals, - .flags = FLAG_ADVANCED | FLAG_SHARE | FLAG_GLOBAL, - }, - { .label = "defer sharing violations", .type = P_BOOL, .p_class = P_GLOBAL, diff --git a/source3/include/proto.h b/source3/include/proto.h index 7c5a5a7346..5f3d937ee0 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -1068,7 +1068,6 @@ char *lp_wins_hook(TALLOC_CTX *ctx); const char *lp_template_homedir(void); const char *lp_template_shell(void); const char *lp_winbind_separator(void); -int lp_acl_compatibility(void); bool lp_winbind_enum_users(void); bool lp_winbind_enum_groups(void); bool lp_winbind_use_default_domain(void); diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index 74ea257d36..b8e0d4aba4 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c 
@@ -1059,24 +1059,6 @@ static void merge_aces( canon_ace **pp_list_head, bool dir_acl) } /**************************************************************************** - Check if we need to return NT4.x compatible ACL entries. -****************************************************************************/ - -bool nt4_compatible_acls(void) -{ - int compat = lp_acl_compatibility(); - - if (compat == ACL_COMPAT_AUTO) { - enum remote_arch_types ra_type = get_remote_arch(); - - /* Automatically adapt to client */ - return (ra_type <= RA_WINNT); - } else - return (compat == ACL_COMPAT_WINNT); -} - - -/**************************************************************************** Map canon_ace perms to permission bits NT. The attr element is not used here - we only process deny entries on set, not get. Deny entries are implicit on get with ace->perms = 0. @@ -1107,10 +1089,7 @@ uint32_t map_canon_ace_perms(int snum, * to be changed in the future. */ - if (nt4_compatible_acls()) - nt_mask = UNIX_ACCESS_NONE; - else - nt_mask = 0; + nt_mask = 0; } else { if (directory_ace) { nt_mask |= ((perms & S_IRUSR) ? UNIX_DIRECTORY_ACCESS_R : 0 ); @@ -1954,26 +1933,6 @@ static bool create_canon_ace_lists(files_struct *fsp, DEBUG(3,("create_canon_ace_lists: unable to set anything but an ALLOW or DENY ACE.\n")); return False; } - - if (nt4_compatible_acls()) { - /* - * The security mask may be UNIX_ACCESS_NONE which should map into - * no permissions (we overload the WRITE_OWNER bit for this) or it - * should be one of the ALL/EXECUTE/READ/WRITE bits. Arrange for this - * to be so. Any other bits override the UNIX_ACCESS_NONE bit. - */ - - /* - * Convert GENERIC bits to specific bits. - */ - - se_map_generic(&psa->access_mask, &file_generic_mapping); - - psa->access_mask &= (UNIX_ACCESS_NONE|FILE_ALL_ACCESS); - - if(psa->access_mask != UNIX_ACCESS_NONE) - psa->access_mask &= ~UNIX_ACCESS_NONE; - } } /* 
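Review bot: In the create_canon_ace_lists hunk, deleting the nt4_compatible_acls() block also removes the only se_map_generic() call in this loop, so psa->access_mask now reaches the later canon_ace permission mapping exactly as the client sent it, generic bits included. If the mapping code further down (outside the hunk) already tests the GENERIC_* bits itself, as I believe it does, nothing changes for win2k and later clients; if it only tests the specific FILE_* bits, an ACE set with GENERIC_READ or GENERIC_WRITE would now map to no POSIX permission at all, so that is worth confirming before merge. In the map_canon_ace_perms hunk the comment ending `to be changed in the future.` above the new `nt_mask = 0;` may still describe the removed NT4 special case; if so, reword it to say simply that a zero POSIX mode maps to an empty allow mask. Both create_canon_ace_lists and map_canon_ace_perms continue outside the hunk.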
@@ -3164,22 +3123,6 @@ static bool set_canon_ace_list(files_struct *fsp, } /**************************************************************************** - Find a particular canon_ace entry. -****************************************************************************/ - -static struct canon_ace *canon_ace_entry_for(struct canon_ace *list, SMB_ACL_TAG_T type, struct unixid *id) -{ - while (list) { - if (list->type == type && ((type != SMB_ACL_USER && type != SMB_ACL_GROUP) || - (type == SMB_ACL_USER && id && id->id == list->unix_ug.id) || - (type == SMB_ACL_GROUP && id && id->id == list->unix_ug.id))) - break; - list = list->next; - } - return list; -} - -/**************************************************************************** ****************************************************************************/ 
@@ -3461,55 +3404,6 @@ static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn, canon_ace *ace; enum security_ace_type nt_acl_type; - if (nt4_compatible_acls() && dir_ace) { - /* - * NT 4 chokes if an ACL contains an INHERIT_ONLY entry - * but no non-INHERIT_ONLY entry for one SID. So we only - * remove entries from the Access ACL if the - * corresponding Default ACL entries have also been - * removed. ACEs for CREATOR-OWNER and CREATOR-GROUP - * are exceptions. We can do nothing - * intelligent if the Default ACL contains entries that - * are not also contained in the Access ACL, so this - * case will still fail under NT 4. - */ - - ace = canon_ace_entry_for(dir_ace, SMB_ACL_OTHER, NULL); - if (ace && !ace->perms) { - DLIST_REMOVE(dir_ace, ace); - TALLOC_FREE(ace); - - ace = canon_ace_entry_for(file_ace, SMB_ACL_OTHER, NULL); - if (ace && !ace->perms) { - DLIST_REMOVE(file_ace, ace); - TALLOC_FREE(ace); - } - } - - /* - * WinNT doesn't usually have Creator Group - * in browse lists, so we send this entry to - * WinNT even if it contains no relevant - * permissions. Once we can add - * Creator Group to browse lists we can - * re-enable this. - */ - -#if 0 - ace = canon_ace_entry_for(dir_ace, SMB_ACL_GROUP_OBJ, NULL); - if (ace && !ace->perms) { - DLIST_REMOVE(dir_ace, ace); - TALLOC_FREE(ace); - } -#endif - - ace = canon_ace_entry_for(file_ace, SMB_ACL_GROUP_OBJ, NULL); - if (ace && !ace->perms) { - DLIST_REMOVE(file_ace, ace); - TALLOC_FREE(ace); - } - } - num_acls = count_canon_ace_list(file_ace); num_def_acls = count_canon_ace_list(dir_ace); diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h index aae4bd02db..f95fddd0c6 100644 --- a/source3/smbd/proto.h +++ b/source3/smbd/proto.h 
@@ -703,7 +703,6 @@ void reply_pipe_read_and_X(struct smb_request *req); /* The following definitions come from smbd/posix_acls.c */ void create_file_sids(const SMB_STRUCT_STAT *psbuf, struct dom_sid *powner_sid, struct dom_sid *pgroup_sid); -bool nt4_compatible_acls(void); uint32_t map_canon_ace_perms(int snum, enum security_ace_type *pacl_type, mode_t perms, diff --git a/source4/libcli/pysmb.c b/source4/libcli/pysmb.c index 1122305c28..fb981c7f18 100644 --- a/source4/libcli/pysmb.c +++ b/source4/libcli/pysmb.c @@ -317,10 +317,11 @@ static PyObject *py_smb_getacl(pytalloc_Object *self, PyObject *args, PyObject * union smb_fileinfo fio; struct smb_private_data *spdata; const char *filename; - int sinfo = 0; + uint32_t sinfo = 0; + int access_mask = SEC_FLAG_MAXIMUM_ALLOWED; int fnum; - if (!PyArg_ParseTuple(args, "s|i:get_acl", &filename, &sinfo)) { + if (!PyArg_ParseTuple(args, "s|Ii:get_acl", &filename, &sinfo, &access_mask)) { return NULL; } @@ -331,7 +332,7 @@ static PyObject *py_smb_getacl(pytalloc_Object *self, PyObject *args, PyObject * io.generic.level = RAW_OPEN_NTCREATEX; io.ntcreatex.in.root_fid.fnum = 0; io.ntcreatex.in.flags = 0; - io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; + io.ntcreatex.in.access_mask = access_mask; io.ntcreatex.in.create_options = 0; io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL; io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_READ | diff --git a/source4/scripting/python/samba/tests/posixacl.py b/source4/scripting/python/samba/tests/posixacl.py index f949ab47b3..652721f4f1 100644 --- a/source4/scripting/python/samba/tests/posixacl.py +++ b/source4/scripting/python/samba/tests/posixacl.py 
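Review bot: In the pysmb.c hunk the new optional argument is parsed with `i` into `int access_mask`, so a caller passing a mask with bit 31 set (GENERIC_READ, 0x80000000, is a plausible value) gets an OverflowError from PyArg_ParseTuple, even though the field it is copied into in the second hunk appears to be an unsigned 32-bit mask. Declaring it like the neighbouring sinfo, `uint32_t access_mask = SEC_FLAG_MAXIMUM_ALLOWED;` with the format `"s|II:get_acl"`, accepts the full range; `I` does not range-check, but silent truncation to 32 bits is acceptable for a field of that width. The method's Python-side docstring (outside the hunk, if one exists) should mention the new third positional argument and that it defaults to SEC_FLAG_MAXIMUM_ALLOWED. py_smb_getacl continues outside the hunk.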
@@ -92,7 +92,7 @@ class PosixAclMappingTests(TestCaseInTempDir): def test_setntacl_smbd_invalidate_getntacl_smbd(self): acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)" - simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x001200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;WO;;;WD)" + simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x001200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)" os.chmod(self.tempf, 0750) setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False) @@ -122,7 +122,7 @@ class PosixAclMappingTests(TestCaseInTempDir): def test_setntacl_smbd_setposixacl_getntacl_smbd(self): acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)" - simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;WO;;;WD)" + simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)" setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False) # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code smbd.set_simple_acl(self.tempf, 0640) 
@@ -133,7 +133,7 @@ class PosixAclMappingTests(TestCaseInTempDir): def test_setntacl_smbd_setposixacl_group_getntacl_smbd(self): acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)" BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS) - simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;BA)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;WO;;;WD)" + simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;BA)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)" setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False) # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code s4_passdb = passdb.PDB(self.lp.get("passdb backend")) @@ -193,7 +193,7 @@ class PosixAclMappingTests(TestCaseInTempDir): user_SID = s4_passdb.uid_to_sid(os.stat(self.tempf).st_uid) smbd.set_simple_acl(self.tempf, 0640) facl = getntacl(self.lp, self.tempf, direct_db_access=False) - acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)(A;;WO;;;WD)" % (user_SID, group_SID, user_SID, group_SID) + acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)(A;;;;;WD)" % (user_SID, group_SID, user_SID, group_SID) anysid = security.dom_sid(security.SID_NT_SELF) self.assertEquals(acl, facl.as_sddl(anysid)) 
@@ -210,7 +210,7 @@ class PosixAclMappingTests(TestCaseInTempDir): smbd.chown(self.tempdir, BA_id, SO_id) smbd.set_simple_acl(self.tempdir, 0750) facl = getntacl(self.lp, self.tempdir, direct_db_access=False) - acl = "O:BAG:SOD:(A;;0x001f01ff;;;BA)(A;;0x001200a9;;;SO)(A;;WO;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001f01ff;;;CG)(A;OICIIO;0x001f01ff;;;WD)" + acl = "O:BAG:SOD:(A;;0x001f01ff;;;BA)(A;;0x001200a9;;;SO)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001f01ff;;;CG)(A;OICIIO;0x001f01ff;;;WD)" anysid = security.dom_sid(security.SID_NT_SELF) self.assertEquals(acl, facl.as_sddl(anysid)) @@ -225,7 +225,7 @@ class PosixAclMappingTests(TestCaseInTempDir): smbd.set_simple_acl(self.tempf, 0640, BA_gid) facl = getntacl(self.lp, self.tempf, direct_db_access=False) domsid = passdb.get_global_sam_sid() - acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)(A;;0x00120089;;;%s)(A;;WO;;;WD)" % (user_SID, group_SID, user_SID, group_SID) + acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)(A;;0x00120089;;;%s)(A;;;;;WD)" % (user_SID, group_SID, user_SID, group_SID) anysid = security.dom_sid(security.SID_NT_SELF) self.assertEquals(acl, facl.as_sddl(anysid)) |