Age | Commit message (Collapse) | Author | Files | Lines |
|
This adds a parameter "gpfs:refuse_dacl_protected" that defaults to false.
GPFS has no place to store the SEC_DESC_DACL_PROTECTED ACL bit. With this
parameter we give customers an option to either ignore this bit or refuse
setting an ACL with it.
|
|
clearer.
Jeremy.
|
|
GPFS sets inherits dir_inhert and file_inherit flags
to files, too, which confuses windows, and seems to
be wrong anyways.
So when mapping a nfs4 acl to a windows acl, we map these
flags away for files.
Michael
|
|
until the last link to the file is gone (fixes the
build farm RAW-RENAME test with xattr's in tdb's).
Jeremy.
|
|
that stores the create time in the user.DosTimestamps EA.
Jeremy.
|
|
Jeremy.
|
|
layer (as it's done in onefs). This simplifies greatly the
code in smb_set_file_time() w.r.t. changenotify messages.
Jeremy.
|
|
|
|
|
|
This fixes viewing the content of snapshots in the share root directory. We
have to treat the filename that *just* consists of "@GMT-YYYY.MM.DD-HH.MM.SS"
like the share root, which is the current working directory.
|
|
into acl_tdb and acl_xattr. Duplicates the code size, but keeps
the code in common so I don't have to do bug fixes in two places
(which is what I really cared about).
Jeremy.
|
|
|
|
|
|
|
|
Jeremy.
|
|
code here needs tidying up. Compiles but not yet tested.
Jeremy.
|
|
the hash function selectable. Upgrade version.
Compiles but not fully tested yet (coming). Make
vfs_acl_tdb.c compile - this needs updating to
match acl_xattr (also coming soon).
Jeremy.
|
|
It's only used there now. Someone should now go in and simplify full_audit...
:-)
|
|
|
|
|
|
|
|
This often times means explicitly denying certain operations on a stream
as they are not supported or don't make sense at a particular level. At
some point in the future these can be enabled, but for now it's better to
remove ambiguity
|
|
|
|
|
|
as GPFS does not support the ACE4_FLAG_NO_PROPAGATE NFSv4 flag (which would be the mapping for the DESC_DACL_PROTECTED flag), the status of this flag is currently silently ignored by Samba. That means that if you deselect the "Allow inheritable permissions..." checkbox in Windows' ACL dialog and then apply the ACL, the flag will be back immediately.
To make sure that automatic migration with e.g. robocopy does not lead to ACLs silently (and unintentionally) changed, this patch adds an explicit check for this flag and if set, it will return NT_STATUS_NOT_SUPPORTED so errors are shown up on the Windows side and the Administrator is aware of the ACLs not being settable like intended
Signed-off-by: Christian Ambach <christian.ambach@de.ibm.com>
|
|
an underlying POSIX ACL is changed out from under us.
Passes RAW-ACL test up to "invalid owner" problem when
trying to create a file owned by Everyone. Now needs
porting to modules/vfs_acl_tdb.c
Jeremy.
|
|
|
|
|
|
Actually I moved split_ntfs_stream_name into torture.c which is the one
consumer of it. This could probably be changed at some point.
|
|
|
|
|
|
|
|
|
|
through the vfs
|
|
|
|
|
|
|
|
SMB_VFS_CHFLAGS isn't actually getting the smb_filename struct for now
since it only operates on the basefile. This is the strategy for all
path-based operations that will never actually operate on a stream.
By clarifying the meaning of path based operations that don't take an
smb_filename struct, modules that implement streams such as vfs_onefs
no longer need to implement SMB_VFS_CHFLAGS to ensure it's only called
on the base_name.
|
|
|
|
|
|
modules
|
|
The return value of readlink was a bool instead of an int,
which caused the length of the returned value to never be
>1.
|
|
|
|
to wrong inheritance flags in the ACL e.g. (on GPFS) user:10000036:rwxc:allow (X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED (X)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
user:10000036:rwxc:allow:FileInherit:DirInherit:InheritOnly
(X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(X)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
group:10000005:rwxc:allow
(X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(X)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
group:10000005:rwxc:allow:FileInherit:DirInherit:InheritOnly
(X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(X)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
would be merged to
user:10000036:rwxc:allow:FileInherit:DirInherit:InheritOnly
(X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(X)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
group:10000005:rwxc:allow:FileInherit:DirInherit:InheritOnly
(X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
(X)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
so the explicit right for the user on the parent directory will be gone (the InheritOnly flag only accounts to subdirectories)
thus leaving the user without access to the directory itself
Signed-off-by: Christian Ambach <christian.ambach@de.ibm.com>
|
|
metze
|
|
|
|
|
|
This patch introduces two new temporary helper functions
vfs_stat_smb_fname and vfs_lstat_smb_fname. They basically allowed me
to call the new smb_filename version of stat, while avoiding plumbing
it through callers that are still too inconvenient. As the conversion
moves along, I will be able to remove callers of this, with the goal
being to remove all callers.
There was also a bug in create_synthetic_smb_fname_split (also a
temporary utility function) that caused it to incorrectly handle
filenames with ':'s in them when in posix mode. This is now fixed.
|
|
at a higher level
|
|
This was a little messy because of all of the vfs modules I had to
touch. Most of them were pretty straight forward, but the streams
modules required a little attention to handle smb_filename. Since the
use of smb_filename enables the vfs modules to access the raw,
over-the-wire stream, a little bit of the handling that was being done
by split_ntfs_stream_name has now been shifted into the individual
stream modules. It may be a little more code, but overall it gives
more flexibility to the streams modules, while also allowing correct
stream handling.
|