path: root/source3/modules/vfs_acl_common.c
Age | Commit message | Author | Files | Lines
2013-02-04 | vfs_acl_common: Do not fetch the underlying NT ACL unless we need it | Andrew Bartlett | 1 | -44/+80
This avoids asking for the posix ACL on disk twice, and avoids running a good deal of mapping code if it is not needed.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Christian Ambach <ambi@samba.org>
2013-02-04 | vfs: Whitespace fix only to get_nt_acl_internal indentation | Andrew Bartlett | 1 | -4/+4
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Christian Ambach <ambi@samba.org>
2013-02-04 | vfs: Implement an improved vfs_acl_common that uses the hash of the system ACL | Andrew Bartlett | 1 | -51/+250
Where supported by the system ACL backend, this avoids hashing the result of the ACL mapping, instead hashing the original ACL, linearised. For maximum robustness, the hash of the NT and system ACL are stored, along with the time and a description of the system ACL. This variety of extra metadata may assist some future implementation in determining which hash to validate.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Christian Ambach <ambi@samba.org>
2013-02-04 | vfs: Add helper function hash_blob_sha256 to vfs_acl_common.c | Andrew Bartlett | 1 | -7/+19
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Christian Ambach <ambi@samba.org>
2012-12-04 | s3:smbd:vfs_acl: fix a PANIC when setting an ACL fails with ACCESS_DENIED | Michael Adam | 1 | -0/+1
Omission to free the talloc frame causes a panic (at least in developer mode) in the next main event loop due to "Frame not freed in order." (Freed frame ../source3/smbd/process.c:3617, expected ../source3/modules/vfs_acl_common.c:534.)
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Dec 4 09:03:25 CET 2012 on sn-devel-104
2012-11-02 | vfs_acl_common: In add_directory_inheritable_components allocate on psd as parent | Andrew Bartlett | 1 | -4/+16
When we add a new DACL to the security descriptor, we need to use the SD as the memory context, so we can talloc_move() it as a tree to a new parent.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Nov 2 22:16:14 CET 2012 on sn-devel-104
2012-10-11 | smbd: Add mem_ctx to {f,}get_nt_acl VFS call | Andrew Bartlett | 1 | -23/+45
This makes it clear which context the returned SD is allocated on, as a number of callers do not want it on talloc_tos(). As the ACL transformation allocates and then no longer needs a great deal of memory, a talloc_stackframe() call is used to contain the memory that is not returned further up the stack.
Andrew Bartlett
2012-09-11 | smbd: Print ACL used to create hash in vfs_xattr_common | Andrew Bartlett | 1 | -0/+10
This should help us understand why sometimes an ACL set won't stick.
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Sep 11 18:19:53 CEST 2012 on sn-devel-104
2012-07-17 | Add debug message when SD hash doesn't match. | Jeremy Allison | 1 | -0/+5
2012-05-17 | Check the return from create_acl_blob | Richard Sharpe | 1 | -4/+6
Autobuild-User: Richard Sharpe <sharpe@samba.org>
Autobuild-Date: Thu May 17 07:17:29 CEST 2012 on sn-devel-104
2012-05-16 | Fix the overwriting of errno before use in a DEBUG statement and use the return value from store_acl_blob_fsp rather than ignoring it. | Richard Sharpe | 1 | -2/+5
Autobuild-User: Richard Sharpe <sharpe@samba.org>
Autobuild-Date: Wed May 16 03:43:41 CEST 2012 on sn-devel-104
2012-03-17 | Fix second part of bug #8811 - sd_has_inheritable_components segfaults on an SD that se_access_check accepts. | Jeremy Allison | 1 | -5/+20
This fixes a coredump with a NULL DACL in add_directory_inheritable_components().
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat Mar 17 01:05:57 CET 2012 on sn-devel-104
2012-02-03 | Fix bug #7933 - samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module. | Jeremy Allison | 1 | -1/+36
2012-01-11 | First part of fix for bug #8673 - NT ACL issue. | Jeremy Allison | 1 | -18/+31
Simplify the logic in the unlink/rmdir calls - makes it readable (and correct).
2011-12-02 | Fix bug #8644 - vfs_acl_xattr and vfs_acl_tdb modules can fail to add inheritable entries on a directory with no stored ACL. | Jeremy Allison | 1 | -1/+1
If referring to an fsp, sbuf can be left as an uninitialized variable, causing the 'is_directory' variable to be false when it should be true.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Fri Dec 2 22:13:03 CET 2011 on sn-devel-104
2011-11-30 | Fix bug 8636 - When returning an ACL without SECINFO_DACL requested, we still set SEC_DESC_DACL_PRESENT in the type field. | Jeremy Allison | 1 | -0/+2
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Wed Nov 30 04:59:07 CET 2011 on sn-devel-104
2011-11-22 | Remove the setting of the inherited ACL on new files/directories. This is | Jeremy Allison | 1 | -222/+0
now done correctly in the main codepath. The vfs_acl_XXXX modules are now thin shims that simply store/retrieve ACLs as they should be.
2011-11-02 | Remove opendir() VFS code from ACL modules. | Jeremy Allison | 1 | -48/+0
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Wed Nov 2 02:13:51 CET 2011 on sn-devel-104
2011-10-28 | Remove the mkdir and open functions from the ACL modules - main code paths now handle this. | Jeremy Allison | 1 | -134/+6
2011-10-11 | s3:vfs_acl_common: also parse xattr.NTACL version 1 | Stefan Metzmacher | 1 | -0/+12
This is what the source4/ntvfs/posix code uses. It's also used at provision time to set up the sysvol permissions.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Oct 11 14:16:25 CEST 2011 on sn-devel-104
2011-09-23 | Fix bug 8480 - acl_xattr can free an invalid pointer if no blob is loaded. | David Disseldorp | 1 | -1/+1
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Fri Sep 23 22:20:55 CEST 2011 on sn-devel-104
2011-09-18 | s3: Fix a c++ warning | Volker Lendecke | 1 | -1/+2
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Sun Sep 18 18:55:48 CEST 2011 on sn-devel-104
2011-08-29 | Fix bug 8422 - Infinite loop in ACL module code. | Jeremy Allison | 1 | -1/+1
Missing assignment means this loop will never terminate. Needs to be applied to 3.5.x and 3.6.1.
2011-08-19 | Fix bug #8370 - vfs_chown_fsp broken -- returns in the wrong directory | Jeremy Allison | 1 | -2/+11
Ensure we always use vfs_ChDir() to keep the singleton cache coherent.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Fri Aug 19 00:43:05 CEST 2011 on sn-devel-104
2011-07-08 | lib/util Move bitmap.c to lib/util | Andrew Bartlett | 1 | -0/+1
2011-06-09 | s3-talloc Change TALLOC_ZERO_ARRAY() to talloc_zero_array() | Andrew Bartlett | 1 | -1/+1
Using the standard macro makes it easier to move code into common, as TALLOC_ZERO_ARRAY isn't standard talloc.
2011-06-07 | Fix re-opened bug 8083 - "inherit owner = yes" doesn't interact correctly with vfs_acl_xattr or vfs_acl_tdb module. | Jeremy Allison | 1 | -4/+17
Fix incorrect interaction when all of "inherit permissions = yes" "inherit acls = yes" "inherit owner = yes" are set. Found by Björn Jacke. Thanks Björn!
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Tue Jun 7 22:32:18 CEST 2011 on sn-devel-104
2011-05-06 | More const fixes. Remove CONST_DISCARD. | Jeremy Allison | 1 | -5/+5
2011-04-14 | Fix bug #8083 - "inherit owner = yes" doesn't interact correctly with vfs_acl_xattr or vfs_acl_tdb module. | Jeremy Allison | 1 | -3/+27
If "inherit owner = yes", pass in the directory owner and group owner as the target for CREATOR_OWNER and CREATOR_GROUP substitutions, and also as the owner and primary group of the new security descriptor being applied to the object.
Jeremy.
2011-04-11 | s3-modules: Fix debug message | Björn Baumbach | 1 | -1/+1
Print child descriptor instead of parent.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Apr 11 11:48:42 CEST 2011 on sn-devel-104
2011-04-09 | Fix bug 8072 - PANIC: create_file_acl_common frees handle two times. | Jeremy Allison | 1 | -51/+48
Caused by premature optimisation storing the parent ACL on the module handle instead of (correctly) on the file fsp. Previous code wasn't reentrant safe. This is less optimal but doesn't crash in the specific case :-).
Jeremy.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat Apr 9 02:05:15 CEST 2011 on sn-devel-104
2011-04-06 | lib/crypto: rename the SHA256_ functions to samba_SHA256_ | Andrew Tridgell | 1 | -3/+3
this prevents a symbol duplication with the openssl library, which may be linked in via a secondary library dependency
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-04-02 | Fix bug #7987 - ACL can get lost when files are being renamed. | Jeremy Allison | 1 | -0/+40
There is no reason for smbd with Windows ACLs to use chmod or fchmod unless it's a file opened with UNIX extensions or with posix pathnames.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat Apr 2 02:40:43 CEST 2011 on sn-devel-104
2011-03-30 | s3-vfs: include smbd/smbd.h in vfs modules. | Günther Deschner | 1 | -0/+1
Guenther
2011-03-30 | s3-includes: only include system/filesys.h when needed. | Günther Deschner | 1 | -0/+1
Guenther
2011-02-22 | s3-auth Rename auth_serversupplied_info variables: server_info -> session_info | Andrew Bartlett | 1 | -2/+2
These variables, of type struct auth_serversupplied_info were poorly named when added in 2001, and in good consistent practice, this has extended all over the codebase in the years since. The structure is also not ideal for its current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replace these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges).
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-10 | s3-auth Rename cryptic 'ptok' to security_token | Andrew Bartlett | 1 | -2/+2
This will allow the auth_serversupplied_info struct to be migrated to auth_session_info easier.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-02-02 | s3: Remove superfluous ; | Günther Deschner | 1 | -2/+2
Guenther
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Wed Feb 2 15:44:21 CET 2011 on sn-devel-104
2010-11-24 | Fix bug #7812 - vfs_acl_xattr/vfs_acl_tdb: ACL inheritance cannot be disabled | Jeremy Allison | 1 | -0/+6
We were losing the incoming security descriptor revision number and most importantly the "type" field as sent by the client. Ensure we correctly store these in the xattr object.
Jeremy.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Wed Nov 24 00:18:57 CET 2010 on sn-devel-104
2010-10-16 | Add acl_xattr:ignore system acls boolean (normally false) to allow | Jeremy Allison | 1 | -11/+35
Samba ACL module to ignore mapping to lower POSIX layer. With this fix Samba 3.6.x now passes RAW-ACLs (with certain smb.conf parameters set).
Jeremy.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat Oct 16 01:26:31 UTC 2010 on sn-devel-104
2010-10-15 | Add debug message to get_nt_acl_internal() to see what we got. | Jeremy Allison | 1 | -0/+7
2010-10-15 | Fix valgrind "uninitialized read" error on "info" when returning !NT_STATUS_OK. | Jeremy Allison | 1 | -1/+5
Jeremy.
2010-10-12 | libcli/security Provide a common, top level libcli/security/security.h | Andrew Bartlett | 1 | -0/+1
This will reduce the noise from merges of the rest of the libcli/security code, without this commit changing what code is actually used. This includes (along with other security headers) dom_sid.h and security_token.h
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
2010-10-12 | Make the vfs_acl_xattr and other modules work with NULL SD's. Fix | Jeremy Allison | 1 | -41/+29
the "protected" inheritance problem (bleeding up from the POSIX layer).
Jeremy
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Tue Oct 12 00:57:41 UTC 2010 on sn-devel-104
2010-09-28 | s3: Lift smbd_server_conn from file_find_di_first | Volker Lendecke | 1 | -1/+2
2010-08-31 | s3-auth Rename NT_USER_TOKEN user_sids -> sids | Andrew Bartlett | 1 | -2/+2
This is closer to the struct security_token from security.idl
2010-08-01 | s3: Fix an uninitialized variable | Volker Lendecke | 1 | -1/+1
2010-06-03 | s3-security: use shared SECINFO_DACL define. | Günther Deschner | 1 | -10/+10
Guenther
2010-06-03 | s3-security: use shared SECINFO_SACL define. | Günther Deschner | 1 | -2/+2
Guenther
2010-06-03 | s3-security: use shared SECINFO_GROUP define. | Günther Deschner | 1 | -10/+10
Guenther