Home
My Posts

Archive
Login
Signup

Recent Posts

Free subdomains

Want your own xyz.kpaste.net sub-domain for your community? Just type the address into your browser address bar (foo.xyz.kpaste.net is also supported).

Suggestions/Bugs?

Email us at . Try to include as much info as possible.

About

Pastebin is a tool for collaborative debugging or editing.

 

msnfs41client: Patches for testing (group) ACLs, performance, misc, 2024-03-12
Posted by Anonymous on Tue 12th Mar 2024 11:25
raw | new post

Submit a correction or amendment below (click here to make a fresh posting)
After submitting an amendment, you'll be able to view the differences between the old and new posts easily.

Syntax highlighting: None Bash C C++ CSS Diff HTML mIRC Script Perl PHP Python Smarty XML ---------------------------- ABAP Actionscript ADA Apache Log AppleScript APT sources.list ASM ASP AutoIT Bash C C# C++ C++ (with QT) CSS Diff HTML INI (Config Files) Java Javascript Lua Make mIRC Script MySQL NSIS Perl PHP Python Q(uick)BASIC robots Ruby Ruby on Rails SDLBasic Smarty SQL TCL Text VB.NET Visual BASIC Visual Fox Pro Visual Prolog Windows Registry Files XML Xorg.conf

To highlight particular lines, prefix each line with {%HIGHLIGHT}
From 55dc2ac55387e25f708a924d15c4f04542bb966d Mon Sep 17 00:00:00 2001 From: Roland Mainz <roland.mainz@nrubsig.org> Date: Mon, 11 Mar 2024 13:22:52 +0100 Subject: [PATCH 1/6] cygwin: bintarball README should automagically get filename+sha256 hash The bintarball README should get the tar.bz2 tarball filename and it's sha256 hash automatically during $ make bintarball # time. Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com> --- cygwin/Makefile | 11 +++++++---- cygwin/README.bintarball.txt | 8 +++++--- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/cygwin/Makefile b/cygwin/Makefile index 2ef2d29..71afd3c 100644 --- a/cygwin/Makefile +++ b/cygwin/Makefile @@ -107,16 +107,19 @@ installdest: $(VS_BUILD_DIR)/nfsd.exe \ "$(DESTDIR)/cygdrive/c/cygwin64/sbin/" bintarball: installdest - set -o errexit ; \ + set -o errexit ; set -o xtrace ; \ base_filename="msnfs41client_cygwin_binaries_$$(date +%Y%m%d_%Hh%Mm)_git$$(git rev-parse --short HEAD)" ; \ ( \ cd "$(DESTDIR)" && \ - cp "../cygwin/README.bintarball.txt" "$${base_filename}.readme" && \ - tar -cvf - \ + true tar -cvf - \ --owner=SYSTEM:18 \ --group=SYSTEM:18 \ cygdrive/c/cygwin64 | \ - bzip2 -9 >"$${base_filename}.tar.bz2" \ + bzip2 -9 >"$${base_filename}.tar.bz2" ; \ + archive_sha256hash="$$(openssl sha256 -r "$${base_filename}.tar.bz2" | while read a dummy ; do printf "%s\n" "$$a" ; done)" ; \ + sed -E <"../cygwin/README.bintarball.txt" \ + -e "s/\\$$\{bintarball.base_filename\}/$${base_filename}/g" \ + -e "s/\\$$\{bintarball.archive_sha256hash\}/$${archive_sha256hash}/g" >"$${base_filename}.readme" \ ) ; \ printf "\n#\n# tarball is ready now\n#\n" ; \ ls -l "$(DESTDIR)/$${base_filename}.tar.bz2" ; \ diff --git a/cygwin/README.bintarball.txt b/cygwin/README.bintarball.txt index 4c52ec8..912a449 100644 --- a/cygwin/README.bintarball.txt +++ b/cygwin/README.bintarball.txt @@ -98,13 +98,15 @@ NFSv4.1 client and filesystem driver for Windows 10/11 # $ mkdir -p ~/download $ cd ~/download -$ wget 'http://www.nrubsig.org/people/gisburn/work/msnfs41client/releases/testing/msnfs41client_cygwin_binaries_git148e927_20231214_12h31m.tar.bz2' +$ wget 'http://www.nrubsig.org/people/gisburn/work/msnfs41client/releases/testing/${bintarball.base_filename}.tar.bz2' +$ openssl sha256 "${bintarball.base_filename}.tar.bz2" +SHA2-256(${bintarball.base_filename}.tar.bz2)= ${bintarball.archive_sha256hash} # # 5. Installation (as "Administrator"): # -$ (cd / && tar -xf ~/download/msnfs41client_cygwin_binaries_git148e927_20231214_12h31m.tar.bz2 ) +$ (cd / && tar -xf ~/download/${bintarball.base_filename}.tar.bz2 ) $ /sbin/msnfs41client install <REBOOT> @@ -112,7 +114,7 @@ $ /sbin/msnfs41client install # # 6. Deinstallation: # -$ (set -x ; cd / && tar -tf ~/download/msnfs41client_cygwin_binaries_git148e927_20231214_12h31m.tar.bz2 | while read i ; do [[ -f "$i" ]] && rm "$i" ; done) +$ (set -o xtrace ; cd / && tar -tf ~/download/${bintarball.base_filename}.tar.bz2 | while read i ; do [[ -f "$i" ]] && rm "$i" ; done) <REBOOT> -- 2.43.0 From da9d40e81cb2c21ca007fee47e72f5fa36c411cd Mon Sep 17 00:00:00 2001 From: Roland Mainz <roland.mainz@nrubsig.org> Date: Mon, 11 Mar 2024 15:23:16 +0100 Subject: [PATCH 2/6] cygwin,tests: Document usage for group ACLs Document usage for group ACLs in bintarball README and manual test documentation. Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com> --- cygwin/README.bintarball.txt | 17 +++++++++++++++-- tests/manual_testing.txt | 35 +++++++++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+), 2 deletions(-) diff --git a/cygwin/README.bintarball.txt b/cygwin/README.bintarball.txt index 912a449..26cc9c3 100644 --- a/cygwin/README.bintarball.txt +++ b/cygwin/README.bintarball.txt @@ -203,9 +203,9 @@ $ /sbin/nfs_mount - ACLs are supported via the normal Windows ACL tools, but on Linux require the nfs4_getfacl/nfs4_setfacl utilities to see the data. - Example (assuming that Windows, Linux NFSv4 client and NFSv4 + * Example 1 (assuming that Windows, Linux NFSv4 client and NFSv4 server have a user "siegfried_wulsch"): - - On Windows on a NFSv4 filesystem, : + - On Windows on a NFSv4 filesystem: $ icacls myhorribledata.txt /grant "siegfried_wulsch:WD" # - On Linux NFSv4 clients you will then see this: ---- snip ---- @@ -216,6 +216,19 @@ $ /sbin/nfs_mount A::EVERYONE@:rtcy ---- snip ---- + * Example 2 (assuming that Windows, Linux NFSv4 client and NFSv4 + server have a group "cygwingrp2"): + - On Windows on a NFSv4 filesystem: + $ icacls myhorribledata.txt /grant "cygwingrp2:(WDAC)" /t /c # + - On Linux NFSv4 clients you will then see this: + ---- snip ---- + $ nfs4_getfacl myhorribledata.txt + A::OWNER@:rwatTcCy + A::GROUP@:rtcy + A:g:cygwingrp2@global.loc:rtcy + A::EVERYONE@:rtcy + ---- snip ---- + - nfs_mount only works when the NFSv4 server allows connections from ports >= 1024, as Windows does not allow the Windows NFSv4 client to use a "privileged port" (i.e. TCP port number < 1024)). diff --git a/tests/manual_testing.txt b/tests/manual_testing.txt index c9c34a6..8ebe9a6 100644 --- a/tests/manual_testing.txt +++ b/tests/manual_testing.txt @@ -93,6 +93,41 @@ root@DERFWNB4966:~# usermod -a -G cygwingrp1 roland_mainz root@DERFWNB4966:~# usermod -a -G cygwingrp2 roland_mainz ---- snip --- +# +# Test for group ACLs +# +Testcase: +-------- snip -------- +# cd to a NFSv4.1 filesystem +$ rm -f test1.txt +$ touch test1.txt +$ icacls test1.txt /grant:r 'cygwingrp1:(WDAC)' /t /c +Bearbeitete Datei: test1.txt +1 Dateien erfolgreich verarbeitet, bei 0 Dateien ist ein Verarbeitungsfehler aufgetreten. + +$ icacls test1.txt /grant:r 'cygwingrp2:(WDAC)' /t /c +Bearbeitete Datei: test1.txt +1 Dateien erfolgreich verarbeitet, bei 0 Dateien ist ein Verarbeitungsfehler aufgetreten. + +# expectation: +# getfact output should contain both "cygwingrp1" and "cygwingrp2": +$ getfacl test1.txt +user::r-- +group::r-- +group:cygwingrp1:r-- +group:cygwingrp2:r-- +mask::r-- +other::r-- +-------- snip -------- + +or one-liner: +-------- snip -------- +# cd to a NFSv4.1 filesystem +# getfact output should contain both "cygwingrp1" and "cygwingrp2" +ksh93 -c 'rm -f test1.txt ; touch test1.txt ; icacls test1.txt /grant:r "cygwingrp1:(WDAC)" /grant:r "cygwingrp2:(WDAC)" /t /c ; getfacl test1.txt | grep -C 20 --colour -E "cygwingrp[12]"' +-------- snip -------- + + # # Compile each of the following package -- 2.43.0 From 89e18b784b00fb8bafb7b7cd37d7f87c1ba128c9 Mon Sep 17 00:00:00 2001 From: Roland Mainz <roland.mainz@nrubsig.org> Date: Mon, 11 Mar 2024 15:41:57 +0100 Subject: [PATCH 3/6] sys: Add missing whitespace in |marshal_nfs41_dirquery()| debug output Add missing whitespace in |marshal_nfs41_dirquery()| debug output Reported-by: Cedric Blancher <cedric.blancher@gmail.com> Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com> --- sys/nfs41_driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/nfs41_driver.c b/sys/nfs41_driver.c index 3d1b992..2d06e7d 100644 --- a/sys/nfs41_driver.c +++ b/sys/nfs41_driver.c @@ -1020,7 +1020,7 @@ NTSTATUS marshal_nfs41_dirquery( *len = header_len; #ifdef DEBUG_MARSHAL_DETAIL - DbgP("marshal_nfs41_dirquery: filter='%wZ'class=%d len=%d " + DbgP("marshal_nfs41_dirquery: filter='%wZ' class=%d len=%d " "1st\\restart\\single=%d\\%d\\%d\n", entry->u.QueryFile.filter, entry->u.QueryFile.InfoClass, entry->buf_len, entry->u.QueryFile.initial_query, entry->u.QueryFile.restart_scan, -- 2.43.0 From c8e4f68451942f757e888e901ebd3ab898d4e6f3 Mon Sep 17 00:00:00 2001 From: Roland Mainz <roland.mainz@nrubsig.org> Date: Tue, 12 Mar 2024 09:35:00 +0100 Subject: [PATCH 4/6] daemon: cleanup: SID code should use |ULEN|+prefix varnames nfs/win32 Minor cleanup: SID code should use |ULEN|+prefix varnames with nfs* or win32*, depening on whether the name is from the Win32 account or NFS account namespace. Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com> --- daemon/acl.c | 2 +- daemon/sid.c | 129 ++++++++++++++++++++++++++------------------------- 2 files changed, 66 insertions(+), 65 deletions(-) diff --git a/daemon/acl.c b/daemon/acl.c index c34461d..65c20e9 100644 --- a/daemon/acl.c +++ b/daemon/acl.c @@ -200,7 +200,7 @@ static int handle_getacl(void *daemon_context, nfs41_upcall *upcall) PSID *sids = NULL; PSID osid = NULL, gsid = NULL; DWORD sid_len; - char owner[NFS4_OPAQUE_LIMIT], group[NFS4_OPAQUE_LIMIT]; + char owner[NFS4_OPAQUE_LIMIT+1], group[NFS4_OPAQUE_LIMIT+1]; nfsacl41 acl = { 0 }; if (args->query & DACL_SECURITY_INFORMATION) { diff --git a/daemon/sid.c b/daemon/sid.c index cbeac13..db0df3a 100644 --- a/daemon/sid.c +++ b/daemon/sid.c @@ -25,6 +25,7 @@ #include <time.h> #include <strsafe.h> #include <sddl.h> +#include <Lmcons.h> #include "nfs41_ops.h" #include "nfs41_build_features.h" @@ -181,8 +182,8 @@ BOOL allocate_unixgroup_sid(unsigned long gid, PSID *pSid) typedef struct _sidcache_entry { -#define SIDCACHE_ENTRY_NAME_SIZE (128) - char name[SIDCACHE_ENTRY_NAME_SIZE]; /* must fit something like "user@domain" */ +#define SIDCACHE_ENTRY_NAME_SIZE (UNLEN + 1) + char win32name[SIDCACHE_ENTRY_NAME_SIZE]; /* must fit something like "user@domain" */ PSID sid; DWORD sid_len; char sid_buffer[SECURITY_MAX_SID_SIZE+1]; @@ -209,7 +210,7 @@ void sidcache_init(void) } /* copy SID |value| into cache */ -void sidcache_add(sidcache *cache, const char* name, PSID value) +void sidcache_add(sidcache *cache, const char* win32name, PSID value) { int i; ssize_t freeEntryIndex; @@ -225,7 +226,7 @@ void sidcache_add(sidcache *cache, const char* name, PSID value) if ((e->sid != NULL) && (e->timestamp < (currentTimestamp - SIDCACHE_TTL))) { e->sid = NULL; - e->name[0] = '\0'; + e->win32name[0] = '\0'; e->sid_len = 0; } } @@ -251,13 +252,13 @@ void sidcache_add(sidcache *cache, const char* name, PSID value) e->sid = (PSID)e->sid_buffer; if (!CopySid(sid_len, e->sid, value)) { e->sid = NULL; - e->name[0] = '\0'; + e->win32name[0] = '\0'; e->sid_len = 0; goto done; } e->sid_len = sid_len; - (void)strcpy_s(e->name, SIDCACHE_ENTRY_NAME_SIZE, name); + (void)strcpy(e->win32name, win32name); e->timestamp = currentTimestamp; cache->cacheIndex = (cache->cacheIndex + 1) % SIDCACHE_SIZE; @@ -267,7 +268,7 @@ done: } /* return |malloc()|'ed copy of SID from cache entry */ -PSID *sidcache_getcached(sidcache *cache, const char *name) +PSID *sidcache_getcached(sidcache *cache, const char *win32name) { int i; time_t currentTimestamp; @@ -281,7 +282,7 @@ PSID *sidcache_getcached(sidcache *cache, const char *name) e = &cache->entries[i]; if ((e->sid != NULL) && - (!strcmp(e->name, name)) && + (!strcmp(e->win32name, win32name)) && ((currentTimestamp - e->timestamp) < SIDCACHE_TTL)) { PSID malloced_sid = malloc(e->sid_len); if (!malloced_sid) @@ -304,22 +305,22 @@ done: #endif /* NFS41_DRIVER_SID_CACHE */ -int map_nfs4servername_2_sid(nfs41_daemon_globals *nfs41dg, int query, DWORD *sid_len, PSID *sid, LPCSTR name) +int map_nfs4servername_2_sid(nfs41_daemon_globals *nfs41dg, int query, DWORD *sid_len, PSID *sid, LPCSTR nfsname) { - const char *orig_name = name; + const char *orig_nfsname = nfsname; int status = ERROR_INTERNAL_ERROR; SID_NAME_USE sid_type = 0; - char name_buff[256+2]; - char domain_buff[256+2]; + char nfsname_buff[UNLEN+1]; + char domain_buff[UNLEN+1]; DWORD domain_len = 0; #ifdef NFS41_DRIVER_FEATURE_MAP_UNMAPPED_USER_TO_UNIXUSER_SID signed long user_uid = -1; signed long group_gid = -1; #endif /* NFS41_DRIVER_FEATURE_MAP_UNMAPPED_USER_TO_UNIXUSER_SID */ - DPRINTF(ACLLVL, ("--> map_nfs4servername_2_sid(query=%x,name='%s')\n", - query, name)); + DPRINTF(ACLLVL, ("--> map_nfs4servername_2_sid(query=%x,nfsname='%s')\n", + query, nfsname)); #ifdef NFS41_DRIVER_FEATURE_MAP_UNMAPPED_USER_TO_UNIXUSER_SID /* use our own idmapper script to map nfsv4 owner string to local Windows account */ @@ -328,9 +329,9 @@ int map_nfs4servername_2_sid(nfs41_daemon_globals *nfs41dg, int query, DWORD *si gid_t gdummy = -1; #ifdef NFS41_DRIVER_SID_CACHE - if (*sid = sidcache_getcached(&user_sidcache, name)) { + if (*sid = sidcache_getcached(&user_sidcache, nfsname)) { *sid_len = GetLengthSid(*sid); - DPRINTF(1, ("map_nfs4servername_2_sid: returning cached sid for user '%s'\n", name)); + DPRINTF(1, ("map_nfs4servername_2_sid: returning cached sid for user '%s'\n", nfsname)); status = 0; goto out; } @@ -339,13 +340,13 @@ int map_nfs4servername_2_sid(nfs41_daemon_globals *nfs41dg, int query, DWORD *si #ifndef NFS41_DRIVER_SID_CACHE /* gisburn: fixme: We must cache this, or the performance impact will be devastating!! */ #endif /* !NFS41_DRIVER_SID_CACHE */ - if (!cygwin_getent_passwd(name, name_buff, &udummy, &gdummy)) { - if (strcmp(name, name_buff)) { + if (!cygwin_getent_passwd(nfsname, nfsname_buff, &udummy, &gdummy)) { + if (strcmp(nfsname, nfsname_buff)) { DPRINTF(1, ("map_nfs4servername_2_sid: remap user '%s' --> '%s'\n", - name, - name_buff)); - name = name_buff; + nfsname, + nfsname_buff)); + nfsname = nfsname_buff; } } } @@ -358,9 +359,9 @@ int map_nfs4servername_2_sid(nfs41_daemon_globals *nfs41dg, int query, DWORD *si gid_t gdummy = -1; #ifdef NFS41_DRIVER_SID_CACHE - if (*sid = sidcache_getcached(&group_sidcache, name)) { + if (*sid = sidcache_getcached(&group_sidcache, nfsname)) { *sid_len = GetLengthSid(*sid); - DPRINTF(1, ("map_nfs4servername_2_sid: returning cached sid for group '%s'\n", name)); + DPRINTF(1, ("map_nfs4servername_2_sid: returning cached sid for group '%s'\n", nfsname)); status = 0; goto out; } @@ -369,13 +370,13 @@ int map_nfs4servername_2_sid(nfs41_daemon_globals *nfs41dg, int query, DWORD *si #ifndef NFS41_DRIVER_SID_CACHE /* gisburn: fixme: We must cache this, or the performance impact will be devastating!! */ #endif /* !NFS41_DRIVER_SID_CACHE */ - if (!cygwin_getent_group(name, name_buff, &gdummy)) { - if (strcmp(name, name_buff)) { + if (!cygwin_getent_group(nfsname, nfsname_buff, &gdummy)) { + if (strcmp(nfsname, nfsname_buff)) { DPRINTF(1, ("map_nfs4servername_2_sid: remap group '%s' --> '%s'\n", - name, - name_buff)); - name = name_buff; + nfsname, + nfsname_buff)); + nfsname = nfsname_buff; } } } @@ -389,16 +390,16 @@ int map_nfs4servername_2_sid(nfs41_daemon_globals *nfs41dg, int query, DWORD *si *sid_len = SECURITY_MAX_SID_SIZE; domain_len = sizeof(domain_buff); - status = LookupAccountNameA(NULL, name, *sid, sid_len, + status = LookupAccountNameA(NULL, nfsname, *sid, sid_len, domain_buff, &domain_len, &sid_type); if (status) { /* |LookupAccountNameA()| success */ - DPRINTF(ACLLVL, ("map_nfs4servername_2_sid(query=%x,name='%s'): " + DPRINTF(ACLLVL, ("map_nfs4servername_2_sid(query=%x,nfsname='%s'): " "LookupAccountNameA() returned status=%d " "GetLastError=%d *sid_len=%d domain_buff='%s' domain_len=%d\n", - query, name, status, GetLastError(), *sid_len, domain_buff, + query, nfsname, status, GetLastError(), *sid_len, domain_buff, domain_len)); status = 0; @@ -407,10 +408,10 @@ int map_nfs4servername_2_sid(nfs41_daemon_globals *nfs41dg, int query, DWORD *si } /* |LookupAccountNameA()| failed... */ - DPRINTF(ACLLVL, ("map_nfs4servername_2_sid(query=%x,name='%s'): " + DPRINTF(ACLLVL, ("map_nfs4servername_2_sid(query=%x,nfsname='%s'): " "LookupAccountNameA() returned status=%d " "GetLastError=%d\n", - query, name, status, GetLastError())); + query, nfsname, status, GetLastError())); status = GetLastError(); switch(status) { @@ -419,19 +420,19 @@ int map_nfs4servername_2_sid(nfs41_daemon_globals *nfs41dg, int query, DWORD *si * This should never happen, as |SECURITY_MAX_SID_SIZE| is * the largest possible SID buffer size for Windows */ - eprintf("map_nfs4servername_2_sid(query=%x,name='%s'): " + eprintf("map_nfs4servername_2_sid(query=%x,nfsname='%s'): " "LookupAccountName failed with " - "ERROR_INSUFFICIENT_BUFFER\n", query, name); + "ERROR_INSUFFICIENT_BUFFER\n", query, nfsname); status = ERROR_INTERNAL_ERROR; goto out; break; case ERROR_NONE_MAPPED: #ifdef NFS41_DRIVER_FEATURE_MAP_UNMAPPED_USER_TO_UNIXUSER_SID - DPRINTF(1, ("map_nfs4servername_2_sid(query=%x,name='%s'): " + DPRINTF(1, ("map_nfs4servername_2_sid(query=%x,nfsname='%s'): " "none mapped, " "trying Unix_User+/Unix_Group+ mapping\n", - query, name)); + query, nfsname)); if ((user_uid == -1) && (query & OWNER_SECURITY_INFORMATION)) { uid_t map_uid = -1; @@ -439,14 +440,14 @@ int map_nfs4servername_2_sid(nfs41_daemon_globals *nfs41dg, int query, DWORD *si if (nfs41_idmap_name_to_ids( nfs41dg->idmapper, - name, + nfsname, &map_uid, &gid_dummy) == 0) { user_uid = map_uid; } else { DPRINTF(1, ("map_nfs4servername_2_sid(query=%x,name='%s'): nfs41_idmap_name_to_ids() failed\n", - query, name)); + query, nfsname)); /* fixme: try harder here, "1234" should to to |atol()| */ } } @@ -456,63 +457,63 @@ int map_nfs4servername_2_sid(nfs41_daemon_globals *nfs41dg, int query, DWORD *si if (nfs41_idmap_group_to_gid( nfs41dg->idmapper, - name, + nfsname, &map_gid) == 0) { group_gid = map_gid; } else { - DPRINTF(1, ("map_nfs4servername_2_sid(query=%x,name='%s'): nfs41_idmap_group_to_gid() failed\n", - query, name)); + DPRINTF(1, ("map_nfs4servername_2_sid(query=%x,nfsname='%s'): nfs41_idmap_group_to_gid() failed\n", + query, nfsname)); /* fixme: try harder here, "1234" should to to |atol()| */ } } if (user_uid != -1) { if (allocate_unixuser_sid(user_uid, sid)) { - DPRINTF(ACLLVL, ("map_nfs4servername_2_sid(query=%x,name='%s'): " + DPRINTF(ACLLVL, ("map_nfs4servername_2_sid(query=%x,nfsname='%s'): " "allocate_unixuser_sid(uid=%ld) success\n", - query, name, user_uid)); + query, nfsname, user_uid)); status = ERROR_SUCCESS; sid_type = SidTypeUser; goto out_cache; } status = GetLastError(); - DPRINTF(ACLLVL, ("map_nfs4servername_2_sid(query=%x,name='%s'): " + DPRINTF(ACLLVL, ("map_nfs4servername_2_sid(query=%x,nfsname='%s'): " "allocate_unixuser_sid(uid=%ld) failed, error=%d\n", - query, name, user_uid, status)); + query, nfsname, user_uid, status)); goto out; } if (group_gid != -1) { if (allocate_unixgroup_sid(group_gid, sid)) { - DPRINTF(ACLLVL, ("map_nfs4servername_2_sid(query=%x,name='%s'): " + DPRINTF(ACLLVL, ("map_nfs4servername_2_sid(query=%x,nfsname='%s'): " "allocate_unixgroup_sid(gid=%ld) success\n", - query, name, group_gid)); + query, nfsname, group_gid)); status = ERROR_SUCCESS; sid_type = SidTypeGroup; goto out_cache; } status = GetLastError(); - DPRINTF(ACLLVL, ("map_nfs4servername_2_sid(query=%x,name='%s'): " + DPRINTF(ACLLVL, ("map_nfs4servername_2_sid(query=%x,nfsname='%s'): " "allocate_unixgroup_sid(gid=%ld) failed, error=%d\n", - query, name, group_gid, status)); + query, nfsname, group_gid, status)); goto out; } #endif /* NFS41_DRIVER_FEATURE_MAP_UNMAPPED_USER_TO_UNIXUSER_SID */ - DPRINTF(1, ("map_nfs4servername_2_sid(query=%x,name='%s'): none mapped, " + DPRINTF(1, ("map_nfs4servername_2_sid(query=%x,nfsname='%s'): none mapped, " "using WinNullSid mapping\n", - query, name)); + query, nfsname)); status = create_unknownsid(WinNullSid, sid, sid_len); if (status) goto out_free_sid; break; default: - DPRINTF(1, ("map_nfs4servername_2_sid(query=%x,name='%s'): error %d not handled\n", - query, name, GetLastError())); + DPRINTF(1, ("map_nfs4servername_2_sid(query=%x,nfsname='%s'): error %d not handled\n", + query, nfsname, GetLastError())); break; } out_cache: @@ -530,23 +531,23 @@ out_cache: * References: * - https://stackoverflow.com/questions/39373188/lookupaccountnamew-returns-sidtypealias-but-expected-sidtypegroup */ - DPRINTF(1, ("map_nfs4servername_2_sid(query=%x,name='%s'): " + DPRINTF(1, ("map_nfs4servername_2_sid(query=%x,nfsname='%s'): " "SID_TYPE='SidTypeAlias' mapped to 'SidTypeGroup'\n", - query, orig_name, sid_type)); + query, orig_nfsname, sid_type)); sid_type = SidTypeGroup; } switch (sid_type) { case SidTypeUser: - sidcache_add(&user_sidcache, orig_name, *sid); + sidcache_add(&user_sidcache, orig_nfsname, *sid); break; case SidTypeGroup: - sidcache_add(&group_sidcache, orig_name, *sid); + sidcache_add(&group_sidcache, orig_nfsname, *sid); break; default: - eprintf("map_nfs4servername_2_sid(query=%x,name='%s'): " + eprintf("map_nfs4servername_2_sid(query=%x,nfsname='%s'): " "Unknown SID_TYPE=%d\n", - query, orig_name, sid_type); + query, orig_nfsname, sid_type); break; } } @@ -555,8 +556,8 @@ out_cache: out: if (DPRINTF_LEVEL_ENABLED(ACLLVL)) { if (status) { - dprintf_out("<-- map_nfs4servername_2_sid(query=%x,name='%s'): " - "status=%d\n", query, name, status); + dprintf_out("<-- map_nfs4servername_2_sid(query=%x,nfsname='%s'): " + "status=%d\n", query, nfsname, status); } else { PSTR sidstr = NULL; @@ -569,9 +570,9 @@ out: sidstr = errsidstrbuf; } - dprintf_out("<-- map_nfs4servername_2_sid(query=%x,name='%s'): " + dprintf_out("<-- map_nfs4servername_2_sid(query=%x,nfsname='%s'): " "status=%d sidstr='%s' *sid_len=%d\n", - query, name, status, sidstr, *sid_len); + query, nfsname, status, sidstr, *sid_len); if (sidstr && (sidstr != errsidstrbuf)) LocalFree(sidstr); -- 2.43.0 From 83061e52d123e4ac8291b136cbb4eb4742b2805b Mon Sep 17 00:00:00 2001 From: Roland Mainz <roland.mainz@nrubsig.org> Date: Tue, 12 Mar 2024 11:51:24 +0100 Subject: [PATCH 5/6] daemon: Improve |map_nfs4ace_who()| performance Improve |map_nfs4ace_who()| performance, by avoiding calling |LookupAccountSidA()| twice, and using stack buffers instead of |malloc()|. Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com> --- daemon/acl.c | 135 ++++++++++++++++++++++++--------------------------- 1 file changed, 64 insertions(+), 71 deletions(-) diff --git a/daemon/acl.c b/daemon/acl.c index 65c20e9..af93535 100644 --- a/daemon/acl.c +++ b/daemon/acl.c @@ -24,6 +24,7 @@ #include <stdio.h> #include <strsafe.h> #include <sddl.h> +#include <Lmcons.h> #include "nfs41_ops.h" #include "nfs41_build_features.h" @@ -35,7 +36,6 @@ #include "nfs41_xdr.h" #include "sid.h" -//#define DEBUG_ACLS #define ACLLVL 2 /* dprintf level for acl logging */ static int parse_getacl(unsigned char *buffer, uint32_t length, @@ -492,10 +492,12 @@ static void map_acemask(ACCESS_MASK mask, int file_type, uint32_t *nfs4_mask) static int map_nfs4ace_who(PSID sid, PSID owner_sid, PSID group_sid, char *who_out, char *domain, SID_NAME_USE *sid_type_out) { - int status; - DWORD size = 0, tmp_size = 0; + int status, lasterr; SID_NAME_USE sid_type = 0; - LPSTR tmp_buf = NULL, who = NULL; + /* |(UNLEN+sizeof('\0'))*2| so we have space for user+domain */ + char who_buf[(UNLEN+1)*2]; + char domain_buf[UNLEN+1]; + DWORD who_size = sizeof(who_buf), domain_size = sizeof(domain_buf); LPSTR sidstr = NULL; DPRINTF(ACLLVL, ("--> map_nfs4ace_who(sid=0x%p,owner_sid=0x%p, group_sid=0x%p)\n")); @@ -534,12 +536,12 @@ static int map_nfs4ace_who(PSID sid, PSID owner_sid, PSID group_sid, char *who_o status = is_well_known_sid(sid, who_out); if (status) { if (!strncmp(who_out, ACE4_NOBODY, strlen(ACE4_NOBODY))) { - size = (DWORD)strlen(ACE4_NOBODY); + who_size = (DWORD)strlen(ACE4_NOBODY); sid_type = SidTypeUser; goto add_domain; } - /* fixme: What about |sid_type| */ + /* fixme: What about |sid_type| ? */ status = ERROR_SUCCESS; goto out; } @@ -551,78 +553,72 @@ static int map_nfs4ace_who(PSID sid, PSID owner_sid, PSID group_sid, char *who_o goto out; } - status = LookupAccountSidA(NULL, sid, who, &size, tmp_buf, - &tmp_size, &sid_type); - DPRINTF(ACLLVL, ("map_nfs4ace_who: " - "LookupAccountSid(sidtostr(sid)='%s', namelen=%d, domainlen=%d) " - "returned %d, GetLastError=%d\n", - sidstr, size, tmp_size, status, GetLastError())); + status = LookupAccountSidA(NULL, sid, who_buf, &who_size, domain_buf, + &domain_size, &sid_type); + lasterr = GetLastError(); - /* - * No SID to local account mapping. Can happen for some system - * SIDs, and Unix_User+<uid> or Unix_Group+<gid> SIDs - */ - switch (status) { - /* |LookupAccountSidA()| success */ - case 0: - break; - /* This happens for Unix_User+<uid> or Unix_Group+<gid> SIDs */ - case ERROR_NONE_MAPPED: - /* Catch other cases */ - case ERROR_NO_SUCH_USER: - case ERROR_NO_SUCH_GROUP: - goto out; - default: - eprintf("map_nfs4ace_who: Internal error, " - "LookupAccountSidA() returned unexpected ERROR_%d " - "for sidstr='%s'\n", - status, - sidstr); - status = ERROR_INTERNAL_ERROR; - goto out; + if (status) { + DPRINTF(ACLLVL, ("map_nfs4ace_who: " + "LookupAccountSid(sidtostr(sid)='%s', who_buf='%s', " + "who_size=%d, domain='%s', domain_size=%d) " + "returned success, status=%d, GetLastError=%d\n", + sidstr, who_buf, who_size, + domain_buf, domain_size, status, lasterr)); } + else { + DPRINTF(ACLLVL, ("map_nfs4ace_who: " + "LookupAccountSid(sidtostr(sid)='%s', who_size=%d, " + "domain_size=%d) returned failure, status=%d, " + "GetLastError=%d\n", + sidstr, who_size, domain_size, status, lasterr)); - status = GetLastError(); - if (status == ERROR_NONE_MAPPED) { - DPRINTF(1, ("LookupAccountSidA() returned success, " - "GetLastError() returned ERROR_NONE_MAPPED\n")); - goto out; + /* + * No SID to local account mapping. Can happen for some system + * SIDs, and Unix_User+<uid> or Unix_Group+<gid> SIDs + */ + switch (lasterr) { + /* + * This happens for Unix_User+<uid> or Unix_Group+<gid> + * SIDs + */ + case ERROR_NONE_MAPPED: + DPRINTF(ACLLVL, ("map_nfs4ace_who: LookupAccountSidA() " + "returned ERROR_NONE_MAPPED for sidstr='%s'\n", + sidstr)); + goto out; + /* Catch other cases */ + case ERROR_NO_SUCH_USER: + case ERROR_NO_SUCH_GROUP: + eprintf("map_nfs4ace_who: LookupAccountSidA() " + "returned ERROR_NO_SUCH_@(USER|GROUP) for " + "sidstr='%s'\n", + sidstr); + goto out; + default: + eprintf("map_nfs4ace_who: Internal error, " + "LookupAccountSidA() returned unexpected ERROR_%d " + "for sidstr='%s'\n", + status, sidstr); + status = ERROR_INTERNAL_ERROR; + goto out; + } } - if (status != ERROR_INSUFFICIENT_BUFFER) { - DPRINTF(1, ("LookupAccountSidA() returned success, " - "GetLastError() returned %d\n", status)); - status = ERROR_INTERNAL_ERROR; - goto out; - } - who = malloc(size); - if (who == NULL) { - status = GetLastError(); - goto out; - } - tmp_buf = malloc(tmp_size); - if (tmp_buf == NULL) - goto out_free_who; - status = LookupAccountSidA(NULL, sid, who, &size, tmp_buf, - &tmp_size, &sid_type); - free(tmp_buf); - if (!status) { - eprintf("map_nfs4ace_who: LookupAccountSid failed with %d\n", - GetLastError()); - goto out_free_who; - } - memcpy(who_out, who, size); + (void)memcpy(who_out, who_buf, who_size); add_domain: - memcpy(who_out+size, "@", sizeof(char)); - memcpy(who_out+size+1, domain, strlen(domain)+1); - if (who) free(who); + (void)memcpy(who_out+who_size, "@", sizeof(char)); + (void)memcpy(who_out+who_size+1, domain, strlen(domain)+1); status = ERROR_SUCCESS; out: if (status) { - DPRINTF(ACLLVL, ("<-- map_nfs4ace_who() returns %d\n", status)); + DPRINTF(ACLLVL, + ("<-- map_nfs4ace_who() returns %d\n", status)); } else { - DPRINTF(ACLLVL, ("<-- map_nfs4ace_who(who_out='%s', sid_type=%d) returns %d\n", who_out, status, sid_type)); + DPRINTF(ACLLVL, + ("<-- map_nfs4ace_who(who_out='%s', sid_type=%d) " + "returns %d\n", + who_out, sid_type, status)); if (sid_type_out) { *sid_type_out = sid_type; } @@ -630,11 +626,8 @@ out: if (sidstr) LocalFree(sidstr); return status; -out_free_who: - free(who); - status = GetLastError(); - goto out; } + static int map_dacl_2_nfs4acl(PACL acl, PSID sid, PSID gsid, nfsacl41 *nfs4_acl, int file_type, char *domain) { -- 2.43.0 From 23bf6de8cee5157adf28aa69620f601e0bf7fa38 Mon Sep 17 00:00:00 2001 From: Roland Mainz <roland.mainz@nrubsig.org> Date: Tue, 12 Mar 2024 11:56:14 +0100 Subject: [PATCH 6/6] daemon: Demote |DPRINTF()| for owner/owner_group lookup if not cached Demote |DPRINTF()| from debug level |0| to |ACLLVL| for owner/owner_group lookup if the data are not in name cache. Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com> --- daemon/acl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daemon/acl.c b/daemon/acl.c index af93535..0da4538 100644 --- a/daemon/acl.c +++ b/daemon/acl.c @@ -242,7 +242,7 @@ use_nfs41_getattr: */ if ((info.attrmask.arr[1] & (FATTR4_WORD1_OWNER|FATTR4_WORD1_OWNER_GROUP)) != (FATTR4_WORD1_OWNER|FATTR4_WORD1_OWNER_GROUP)) { - DPRINTF(0, ("handle_getattr: owner/owner_group not in cache, doing full lookup...\n")); + DPRINTF(ACLLVL, ("handle_getattr: owner/owner_group not in cache, doing full lookup...\n")); goto use_nfs41_getattr; } } -- 2.43.0

Title:

Privacy: Public Private

How long should your post be retained?

15 mins an hour a day a week a month forever

All content is user-submitted.
The administrators of this site (kpaste.net) are not responsible for their content.
Abuse reports should be emailed to us at