Age | Commit message (Collapse) | Author | Files | Lines |
|
entry never to match - it matches but if doesn't grant access is recorded
so the "other" entry isn't subsequently checked.
Fix the algorithm.
Jeremy.
(This used to be commit e3c7d08bb68f51bc05768467feb0af896a059e91)
|
|
Jeremy.
(This used to be commit 6609b209f513f0859040686a88ee6c7106c06008)
|
|
a "allow" entry of GROUP or GROUP_OBJ, then access is allowed. It doesn't
terminate on the first match. Added debug to show where the match occured
(or didn't).
Jeremy.
(This used to be commit 81fb3372867fa66a092841222e02bd1c104b2d19)
|
|
Jeremy.
(This used to be commit e831cef618d55c362e8d3a8a4c2b9f2ed7d4d7bd)
|
|
"read-only"
issue.
Jeremy.
(This used to be commit 80e788143a6c3d973d3b8e57d91ca5c4a83605b2)
|
|
SMB_ACL_MASK.
Fix bug #2521.
Jeremy.
(This used to be commit 21e3cf2f8f6129324ebb799f959f8d2afe0285d2)
|
|
this is set
then only the owner or root can delete a file. We now use
the same algorithm to check file delete.
Jeremy.
(This used to be commit eb18104d10428a5daef2316088edc3dbaff58708)
|
|
Jeremy.
(This used to be commit ecc134a2e3546ed77ab6f1dafc0249c78897e1f3)
|
|
to a WXPSP2 client we must do permission checking in userspace first
(this is a race condition but what can you do...). Needed for bugid #2227.
Jeremy.
(This used to be commit da23577f162b6bdca7d631fca256a9b3b04043e4)
|
|
allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
|
|
POSIX ACL set. You need to *get* a permset_t pointer from the entry before
any of the permset code will accept it as a valid value
Jeremy.
(This used to be commit 7e78059948612fa9f5d179a1e3f5f59e7ad5e456)
|
|
not an existing one.
Jeremy.
(This used to be commit fbbdb72cf1adfe567112556626f26b031747f440)
|
|
ensure
SE_DESC_DACL_PROTECTED is set if "map acl inherit = no".
Jeremy.
(This used to be commit 934c41b474c8959310389378bfa7d3332bd5ec79)
|
|
Use def_acl everywhere instead of dir_acl.
Jeremy.
(This used to be commit d28611c960f87830aa8449725951984aa155b089)
|
|
How do the share mask/modes fit into this code... Need to think about this.
Jeremy.
(This used to be commit 1aa1c2f489f5b92c3696e7b9123061d91babc34e)
|
|
One part missing - delete file acl (to be added asap). No client
code yet, also needs testing with valgrind.
Jeremy.
(This used to be commit 6101ec2247c182fde6ea3e7e1f64a92b353ec4e8)
|
|
Jeremy
(This used to be commit 089a76f611187e2ba4c3363b657905d04576109e)
|
|
Guenther
(This used to be commit 3acc74eef5dae16d7e2792206640904265c42494)
|
|
SATOH Fumiyasu <fumiya@samba.gr.jp>.
Jeremy.
(This used to be commit 7e35900bc6894d69f83c99ac6eb260d7cc35683a)
|
|
Memory leak in posix acl code.
Jeremy.
(This used to be commit c97aab7ee6bf1f385b445b4b0eb0e1df7e9a56f5)
|
|
Jeremy.
(This used to be commit 31505acf033c7d76592bb5b4ef80b29a00658c49)
|
|
security
descriptor for a file, if the owner sid is not known, the owner uid is set to
the current uid. Same for group sid.
This makes xcopy /o possible for files that are owned by local users/groups
(local administrators for example).
Thanks to Guenther for his persistence :-)
Volker
(This used to be commit 80e57d27909a9a1edad962e3f43c2178d2da2a92)
|
|
kawasa_r@itg.hitachi.co.jp. A couple of mem leak fixes in
mainline code paths though :-).
Jeremy.
(This used to be commit 4695cc95fe576b6da0d0cb0686f208fc306b2646)
|
|
(This used to be commit b7703799f8899affda205eacb0bf79cf8e2b9362)
|
|
swap lookups for user and group - group will do an
algorithmic lookup if it fails, user won't.
Jeremy.
(This used to be commit a205c56a75c93c82796fd68687e8c0db26459073)
|
|
dos attributes in an EA. Based on an original patch from tridge, but
modified somewhat to cover all cases.
Jeremy.
(This used to be commit ed653cd468213e0be901bc654aa3748ce5837947)
|
|
New protocol option "ea support" to turn them on (off by default). Conrad
at Apple may like this as it allows MacOS resource forks to be stored on
a file. Passes valgrind. Documentation to follow.
Jeremy.
(This used to be commit 8cc10a6c0550c017a62e8a3790afd2172d173e00)
|
|
if the file has an ACL.
Jeremy.
(This used to be commit 7bf5ed30ce74ba658ca35059955748c1d8cbd6d2)
|
|
(This used to be commit 23443e3aa079710221557e18158d0ddb8ff48a36)
|
|
CREATOR_OWNER/CREATOR_GROUP uid/gid entries in the SAMBA_PAI attribute.
Creator Owner and Creator group now show up as inherited correctly (I
think :-). Jim please test.
Jeremy.
(This used to be commit dbbd8dd15582f95fb9c160c6c42ce9f0971ac4b7)
|
|
not sorting returned ACE's correctly w.r.t. W2K - implemented the correct
algorithm.
Jeremy.
(This used to be commit fa23a4158ec23c0b8dbdc6c53f29958243107dee)
|
|
Hopefully will fix jcmd bugs :-).
Jeremy.
(This used to be commit 482e6c79edefc8aaacbb37f807d2076e59b40e26)
|
|
As abartlet rememberd me NT_STATUS_IS_ERR != !NT_STATUS_IS_OK
This patch will cure the problem.
Working on this one I found 16 functions where I think NT_STATUS_IS_ERR() is
used correctly, but I'm not 100% sure, coders should check the use of
NT_STATUS_IS_ERR() in samba is ok now.
Simo.
(This used to be commit c501e84d412563eb3f674f76038ec48c2b458687)
|
|
Jeremy.
(This used to be commit fa8ca20ed440673d02ac5669f8d4c6623c1fdb6d)
|
|
if available. Adds new parameter "map acl inheritance" (docs coming soon)
off by default. Allows W2K acl inheritance dialogs to work correctly on
POSIX acls.
Jeremy.
(This used to be commit a83595e80ae539135fa1a65d6066b10ac94fbad1)
|
|
allow them to be changed. Works well with W2K and above.
Jeremy.
(This used to be commit 685e4e518236079f201650f26152f6f9ad3c61ab)
|
|
This gets us closer to W2k+ in what we return for file ACLs. Fix horribly
broken make_sec_desc() that screwed up the size when given a SD with no
owner or group (how did it get this bad... ?).
Jeremy.
(This used to be commit 183c9ed4052ab14e269ed1234ca557053f77e77a)
|
|
be applied to new ACE set calls. This is incorrect. Don't think this
has a bugzilla id.
Jeremy.
(This used to be commit cb70d8c9e87801c314d1b926d4e43ee451c04135)
|
|
(This used to be commit 1b2b7766c8fa89f46f4d1c881ee91c4b0b15773a)
|
|
moment as I don't think cumulative permission sets make sense in POSIX even
though that's the way Windows works....
Jeremy.
(This used to be commit 6ddd5b6ca7dde45ce866f852861e143434c84c7e)
|
|
VFS_ macros at system side. We currently have one clash with AIX and its VFS_LOCK. Compiled and tested -- no new functionality or code, just plain rename of macros for yet-unreleased VFS API version. Needs to be done before a24 is out
(This used to be commit c2689ed118b490e49497a76ed6a2251262018769)
|
|
We really need idmap_ldap to have a good solution with ldapsam, porting
it from the prvious code is beeing made, the code is really simple to do
so I am confident it is not a problem to commit this code in.
Not committing it would have been worst.
I really would have been able to finish also the group code, maybe we can
put it into a followin release after 3.0.0 even if it may be an upgrade
problem.
The code has been tested and seem to work right, more testing is needed for
corner cases.
Currently winbind pdc (working only for users and not for groups) is
disabled as I was not able to make a complete group code replacement that
works somewhat in a week (I have a complete patch, but there are bugs)
Simo.
(This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
|
|
1. Finally work with cascaded modules with private data storage per module
2. Convert VFS API to macro calls to simplify cascading
3. Add quota support to VFS layer (prepare to NT quota support)
Patch by Stefan (metze) Metzemacher, with review of Jelmer and me
Tested in past few weeks. Documentation to new VFS API for third-party developers to follow
(This used to be commit 91984ef5caa2d13c5d52e1f535bd3bbbae1ec978)
|
|
(This used to be commit a369c2ff2637dc808035217eaada4cf923c5cf6d)
|
|
"changed the order of checking whether a SID is a UID or a GID in posix
acls. This is needed because sid_to_uid always claims that the sid is
a user, due ot a change I made some months back.
This change was suggested by Chere Zhou, but is really an interim
measure. Chere is looking at a longer term solution."
REMEMBER - 3.0 is the one we will SHIP !
Jeremy.
(This used to be commit a4d7496994b740e074398d98c999a803afff4404)
|
|
Jeremy.
(This used to be commit 7f8d3a49b2cebab4b94db3cda54b3923442378c8)
|
|
-------------------------------------------------------------------------
I think there are basically two problem:
1. Windows clients do not always send ACEs for SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ,
and SMB_ACL_OTHER.
The function ensure_canon_entry_valid() is prepared for that, but tries
to "guess" values from group or other permissions, respectively, otherwise
falling back to minimum r-- for the owner. Even if the owner had full
permissions before setting ACL. This is the problem with W2k clients.
2. Function set_nt_acl() always chowns *before* attempting to set POSIX ACLs.
This is ok in a take-ownership situation, but must fail if the file is
to be given away. This is the problem with XP clients, trying to transfer
ownership of the original file to the temp file.
The problem with NT4 clients (no ACEs are transferred to the temp file, thus
are lost after moving the temp file to the original name) is a client problem.
It simply doesn't attempt to.
I have played around with that using posic_acls.c from 3.0 merged into 2.2.
As a result I can now present two patches, one for each branch. They
basically modify:
1. Interpret missing SMB_ACL_USER_OBJ, SMB_ACL_GROUP_OBJ, or SMB_ACL_OTHER
as "preserve current value" instead of attempting to build one ourself.
The original code is still in, but only as fallback in case current values
can't be retrieved.
2. Rearrange set_nt_acl() such that chown is only done before setting
ACLs if there is either no change of owning user, or change of owning
user is towards the current user. Otherwise chown is done after setting
ACLs.
It now seems to produce reasonable results. (Well, as far as it can. If
NT4 doesn't even try to transfer ACEs, only deliberate use of named default
ACEs and/or "force group" or the crystal ball can help :)
-------------------------------------------------------------------------
Jeremy.
(This used to be commit 1d3b8c528bebfa1971d1affe454a03453335786e)
|
|
- user_ok() and user_in_group() now take a list of groups, instead of
looking for the user in the members of all groups.
- The 'server_info' returned from the authentication is now kept around
- in future we won't copy the sesion key, username etc, we will just
referece them directly.
- rhosts upgraded to use the SAM if possible, otherwise fake up based on
getpwnam().
- auth_util code to deal with groups upgraded to deal with non-winbind domain
members again.
Andrew Bartlett
(This used to be commit 74b5436c75114170ce7c780c19226103d0df9060)
|
|
must not be freed afterwards.
Jeremy.
(This used to be commit 4015e39d3666dbe240808c9007a8b8faca012a3d)
|
|
perms.
Jeremy.
(This used to be commit 793609cbc2f657b91a59aec4a3f403bf826c7156)
|