Home
My Posts

Archive
Login
Signup

Recent Posts

Free subdomains

Want your own xyz.kpaste.net sub-domain for your community? Just type the address into your browser address bar (foo.xyz.kpaste.net is also supported).

Suggestions/Bugs?

Email us at . Try to include as much info as possible.

About

Pastebin is a tool for collaborative debugging or editing.

 

msnfs41client: Prototype uid2sid mapping, try #001
Posted by Anonymous on Fri 6th Oct 2023 11:40
raw | new post
modification of post by Anonymous (view diff)

Submit a correction or amendment below (click here to make a fresh posting)
After submitting an amendment, you'll be able to view the differences between the old and new posts easily.

Syntax highlighting: None Bash C C++ CSS Diff HTML mIRC Script Perl PHP Python Smarty XML ---------------------------- ABAP Actionscript ADA Apache Log AppleScript APT sources.list ASM ASP AutoIT Bash C C# C++ C++ (with QT) CSS Diff HTML INI (Config Files) Java Javascript Lua Make mIRC Script MySQL NSIS Perl PHP Python Q(uick)BASIC robots Ruby Ruby on Rails SDLBasic Smarty SQL TCL Text VB.NET Visual BASIC Visual Fox Pro Visual Prolog Windows Registry Files XML Xorg.conf

To highlight particular lines, prefix each line with {%HIGHLIGHT}
diff --git a/daemon/acl.c b/daemon/acl.c index 3a86735..80287e1 100644 --- a/daemon/acl.c +++ b/daemon/acl.c @@ -60,19 +60,28 @@ static int create_unknownsid(WELL_KNOWN_SID_TYPE type, PSID *sid, dprintf(ACLLVL, "create_unknownsid: CreateWellKnownSid type %d returned %d " "GetLastError %d sid len %d needed\n", type, status, GetLastError(), *sid_len); - if (status) - return ERROR_INTERNAL_ERROR; + if (status) { + status = ERROR_INTERNAL_ERROR; + goto err; + } status = GetLastError(); - if (status != ERROR_INSUFFICIENT_BUFFER) - return status; + if (status != ERROR_INSUFFICIENT_BUFFER) + goto err; +#if 1 +(*sid_len) += 128; +#endif *sid = malloc(*sid_len); - if (*sid == NULL) - return ERROR_INSUFFICIENT_BUFFER; + if (*sid == NULL) { + status = ERROR_INSUFFICIENT_BUFFER; + goto err; + } status = CreateWellKnownSid(type, NULL, *sid, sid_len); - if (status) + if (status) return ERROR_SUCCESS; free(*sid); + *sid = NULL; status = GetLastError(); +err: eprintf("create_unknownsid: CreateWellKnownSid failed with %d\n", status); return status; } @@ -90,20 +99,223 @@ static void convert_nfs4name_2_user_domain(LPSTR nfs4name, } } -static int map_name_2_sid(DWORD *sid_len, PSID *sid, LPCSTR name) +/* + * Allocate a SID from SECURITY_SAMBA_UNIX_AUTHORITY, which encodes an + * UNIX/POSIX uid directly into a SID. + * + * Examples: + * UID 1616 gets mapped to "Unix_User+1616", encoding the UID into the + * SID as "S-1-22-1-1616": + * $ getent passwd Unix_User+1616 + * Unix_User+1616:*:4278191696:4278191696:U-Unix_User\1616,S-1-22-1-1616:/:/sbin/nologin + * + * GID 1984 gets mapped to "Unix_Group+1984", encoding the GID into the + * SID as "S-1-22-2-1984": + * $ getent group Unix_Group+1984 + * Unix_Group+1984:S-1-22-2-1984:4278192064: + * + */ + +#define SECURITY_SAMBA_UNIX_AUTHORITY { { 0,0,0,0,0,22 } } +SID_IDENTIFIER_AUTHORITY sid_id_auth = SECURITY_SAMBA_UNIX_AUTHORITY; + +static +BOOL allocate_unixuser_sid(unsigned long uid, PSID *pSid) +{ + PSID sid = NULL; + PSID malloced_sid = NULL; + DWORD sid_len; + + if (AllocateAndInitializeSid(&sid_id_auth, 2, 1, (DWORD)uid, + 0, 0, 0, 0, 0, 0, &sid)) { + sid_len = GetLengthSid(sid); +#if 1 +sid_len += 128; +#endif + malloced_sid = malloc(sid_len); + + if (malloced_sid) { + /* + * |AllocateAndInitializeSid()| has an own memory + * allocator, but we need the sid in memory from + * |malloc()| + */ + if (CopySid(sid_len, malloced_sid, sid)) { + FreeSid(sid); + *pSid = malloced_sid; + dprintf(ACLLVL, "allocate_unixuser_sid(): Allocated " + "Unix_User+%lu: success, len=%ld\n", + uid, (long)sid_len); + return TRUE; + } + } + } + + FreeSid(sid); + free(malloced_sid); + dprintf(ACLLVL, "allocate_unixuser_sid(): Failed to allocate " + "SID for Unix_User+%lu: error code %d\n", + uid, GetLastError()); + return FALSE; +} + +static +BOOL allocate_unixgroup_sid(unsigned long gid, PSID *pSid) +{ + PSID sid = NULL; + PSID malloced_sid = NULL; + DWORD sid_len; + + if (AllocateAndInitializeSid(&sid_id_auth, 2, 2, (DWORD)gid, + 0, 0, 0, 0, 0, 0, &sid)) { + sid_len = GetLengthSid(sid); +#if 1 +sid_len += 128; +#endif + malloced_sid = malloc(sid_len); + + if (malloced_sid) { + /* + * |AllocateAndInitializeSid()| has an own memory + * allocator, but we need the sid in memory from + * |malloc()| + */ + if (CopySid(sid_len, malloced_sid, sid)) { + FreeSid(sid); + *pSid = malloced_sid; + dprintf(ACLLVL, "allocate_unixgroup_sid(): Allocated " + "Unix_Group+%lu: success, len=%ld\n", + gid, (long)sid_len); + return TRUE; + } + } + } + + FreeSid(sid); + free(malloced_sid); + dprintf(ACLLVL, "allocate_unixgroup_sid(): Failed to allocate " + "SID for Unix_Group+%lu: error code %d\n", + gid, GetLastError()); + return FALSE; +} + +static int map_name_2_sid(int query, DWORD *sid_len, PSID *sid, LPCSTR name) { int status = ERROR_INTERNAL_ERROR; SID_NAME_USE sid_type; LPSTR tmp_buf = NULL; DWORD tmp = 0; + signed long user_uid = -1; + signed long group_gid = -1; + + if (query & OWNER_SECURITY_INFORMATION) { + if (isdigit(name[0])) { + user_uid = atol(name); + } + else if(!strcmp(name, "nobody")) { + user_uid = 65534; + } + else if(!strcmp(name, "root")) { + user_uid = 0; + } + else if(!strcmp(name, "rmainz")) { + user_uid = 1616; + } + else if(!strcmp(name, "swulsch")) { + user_uid = 1818; + } + else if(!strcmp(name, "mwenzel")) { + user_uid = 8239; + } + else if(!strcmp(name, "test001")) { + user_uid = 1000; + } + } + + if (query & GROUP_SECURITY_INFORMATION) { + if (isdigit(name[0])) { + group_gid = atol(name); + } + else if(!strcmp(name, "nobody")) { + group_gid = 65534; + } + else if(!strcmp(name, "root")) { + group_gid = 0; + } + else if(!strcmp(name, "rmainz")) { + group_gid = 1616; + } + else if(!strcmp(name, "swulsch")) { + group_gid = 1818; + } + else if(!strcmp(name, "mwenzel")) { + group_gid = 8239; + } + else if(!strcmp(name, "test001")) { + group_gid = 1000; + } + } + + if (user_uid != -1) { + switch (user_uid) { + case 1000: + case 197608: + dprintf(ACLLVL, "map_name_2_sid(query=%x,name='%s'): " + "remap %ld to 'roland_mainz'\n", query, name, user_uid); + name = "roland_mainz"; + break; + default: + if (allocate_unixuser_sid(user_uid, sid)) { + dprintf(ACLLVL, "map_name_2_sid(query=%x,name='%s'): " + "allocate_unixuser_sid(uid=%ld) success\n", + query, name, user_uid); + return ERROR_SUCCESS; + } + + status = GetLastError(); + dprintf(ACLLVL, "map_name_2_sid(query=%x,name='%s'): " + "allocate_unixuser_sid(uid=%ld) failed, error=%d\n", + query, name, user_uid, status); + return status; + } + } + + if (group_gid != -1) { + switch (group_gid) { + case 1000: + case 197121: /* Win10 group "Kein" == gid(197121) */ + dprintf(ACLLVL, "map_name_2_sid(query=%x,name='%s'): " + "remap %ld to 'Kein'\n", query, name, group_gid); + name = "Kein"; + break; + default: + if (allocate_unixgroup_sid(group_gid, sid)) { + dprintf(ACLLVL, "map_name_2_sid(query=%x,name='%s'): " + "allocate_unixgroup_sid(gid=%ld) success\n", + query, name, group_gid); + return ERROR_SUCCESS; + } + + status = GetLastError(); + dprintf(ACLLVL, "map_name_2_sid(query=%x,name='%s'): " + "allocate_unixgroup_sid(gid=%ld) failed, error=%d\n", + query, name, group_gid, status); + return status; + } + } status = LookupAccountName(NULL, name, NULL, sid_len, NULL, &tmp, &sid_type); - dprintf(ACLLVL, "map_name_2_sid: LookupAccountName for %s returned %d " - "GetLastError %d name len %d domain len %d\n", name, status, - GetLastError(), *sid_len, tmp); + dprintf(ACLLVL, "map_name_2_sid(query=%x,name='%s'): LookupAccountName returned %d " + "GetLastError %d name len %d domain len %d\n", + query, name, status, GetLastError(), *sid_len, tmp); if (status) return ERROR_INTERNAL_ERROR; +#if 1 + (*sid_len)+=128; + tmp += 128; +#endif + status = GetLastError(); switch(status) { case ERROR_INSUFFICIENT_BUFFER: @@ -119,8 +331,8 @@ static int map_name_2_sid(DWORD *sid_len, PSID *sid, LPCSTR name) &tmp, &sid_type); free(tmp_buf); if (!status) { - eprintf("map_name_2_sid: LookupAccountName for %s failed " - "with %d\n", name, GetLastError()); + eprintf("map_name_2_sid(query=%x,name='%s'): LookupAccountName failed " + "with %d\n", query, name, GetLastError()); goto out_free_sid; } else { #ifdef DEBUG_ACLS @@ -140,15 +352,23 @@ static int map_name_2_sid(DWORD *sid_len, PSID *sid, LPCSTR name) status = ERROR_SUCCESS; break; case ERROR_NONE_MAPPED: + dprintf(1, "map_name_2_sid(query=%x,name='%s'): none mapped, using WinNullSid mapping\n", + query, name); status = create_unknownsid(WinNullSid, sid, sid_len); if (status) goto out_free_sid; + break; + default: + dprintf(1, "map_name_2_sid(query=%x,name='%s'): error %d not handled\n", + query, name, GetLastError()); + break; } out: return status; out_free_sid: status = GetLastError(); free(*sid); + *sid = NULL; goto out; } @@ -208,7 +428,8 @@ static int convert_nfs4acl_2_dacl(nfsacl41 *acl, int file_type, goto out; } if (!flag) { - status = map_name_2_sid(&sid_len, &sids[i], acl->aces[i].who); + status = map_name_2_sid(0xFFFF /* fixme: Unknown whether user or group */, + &sid_len, &sids[i], acl->aces[i].who); if (status) { free_sids(sids, i); goto out; @@ -322,7 +543,7 @@ static int handle_getacl(nfs41_upcall *upcall) dprintf(ACLLVL, "handle_getacl: OWNER_SECURITY_INFORMATION: for user=%s " "domain=%s\n", info.owner, domain?domain:"<null>"); sid_len = 0; - status = map_name_2_sid(&sid_len, &osid, info.owner); + status = map_name_2_sid(OWNER_SECURITY_INFORMATION, &sid_len, &osid, info.owner); if (status) goto out; status = SetSecurityDescriptorOwner(&sec_desc, osid, TRUE); @@ -333,12 +554,13 @@ static int handle_getacl(nfs41_upcall *upcall) goto out; } } + if (args->query & GROUP_SECURITY_INFORMATION) { convert_nfs4name_2_user_domain(info.owner_group, &domain); dprintf(ACLLVL, "handle_getacl: GROUP_SECURITY_INFORMATION: for %s " "domain=%s\n", info.owner_group, domain?domain:"<null>"); sid_len = 0; - status = map_name_2_sid(&sid_len, &gsid, info.owner_group); + status = map_name_2_sid(GROUP_SECURITY_INFORMATION, &sid_len, &gsid, info.owner_group); if (status) goto out; status = SetSecurityDescriptorGroup(&sec_desc, gsid, TRUE); @@ -798,4 +1020,4 @@ const nfs41_upcall_op nfs41_op_setacl = { parse_setacl, handle_setacl, marshall_setacl -}; \ No newline at end of file +};

Title:

Privacy: Public Private

How long should your post be retained?

15 mins an hour a day a week a month forever

All content is user-submitted.
The administrators of this site (kpaste.net) are not responsible for their content.
Abuse reports should be emailed to us at