

msnfs41client: Patches for default ACLs, 2024-03-14
Posted by Anonymous on Thu 14th Mar 2024 19:02

  1. From ae1cc2fa2fb885ba445d4606d40f81fe2123e1b6 Mon Sep 17 00:00:00 2001
  2. From: Roland Mainz <roland.mainz@nrubsig.org>
  3. Date: Thu, 14 Mar 2024 18:02:34 +0100
  4. Subject: [PATCH 1/2] daemon: Add more debugging output to set/get ACL
  5.  codepath+cleanup
  6.  
  7. Add more debugging output to set/get ACL codepath, and rename
  8. |map_acemask()| to |map_winaccessmask2nfs4acemask()| and
  9. |map_aceflags()| to |map_winace2nfs4aceflags()| to indicate
  10. the mapping direction.
  11.  
  12. Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com>
  13. ---
  14. daemon/acl.c | 34 +++++++++++++++++++++++++---------
  15.  1 file changed, 25 insertions(+), 9 deletions(-)
  16.  
  17. diff --git a/daemon/acl.c b/daemon/acl.c
  18. index 47aa5ba..f7fb870 100644
  19. --- a/daemon/acl.c
  20. +++ b/daemon/acl.c
  21. @@ -106,6 +106,9 @@ static int convert_nfs4acl_2_dacl(nfs41_daemon_globals *nfs41dg,
  22.      LPSTR domain = NULL;
  23.      BOOLEAN flag;
  24.  
  25. +    DPRINTF(ACLLVL, ("--> convert_nfs4acl_2_dacl(acl=0x%p,file_type=%d)\n",
  26. +        acl, file_type));
  27. +
  28.      sids = malloc(acl->count * sizeof(PSID));
  29.      if (sids == NULL) {
  30.          status = GetLastError();
  31. @@ -113,7 +116,7 @@ static int convert_nfs4acl_2_dacl(nfs41_daemon_globals *nfs41dg,
  32.      }
  33.      for (i = 0; i < acl->count; i++) {
  34.          convert_nfs4name_2_user_domain(acl->aces[i].who, &domain);
  35. -        DPRINTF(ACLLVL, ("handle_getacl: for user='%s' domain='%s'\n",
  36. +        DPRINTF(ACLLVL, ("convert_nfs4acl_2_dacl: for user='%s' domain='%s'\n",
  37.                  acl->aces[i].who, domain?domain:"<null>"));
  38.          status = check_4_special_identifiers(acl->aces[i].who, &sids[i],
  39.                                               &sid_len, &flag);
  40. @@ -178,6 +181,8 @@ static int convert_nfs4acl_2_dacl(nfs41_daemon_globals *nfs41dg,
  41.      *sids_out = sids;
  42.      *dacl_out = dacl;
  43.  out:
  44. +    DPRINTF(ACLLVL, ("<-- convert_nfs4acl_2_dacl(acl=0x%p,file_type=%d) returning %d\n",
  45. +        acl, file_type, status));
  46.      return status;
  47.  out_free_dacl:
  48.      free(dacl);
  49. @@ -203,6 +208,8 @@ static int handle_getacl(void *daemon_context, nfs41_upcall *upcall)
  50.      char owner[NFS4_OPAQUE_LIMIT+1], group[NFS4_OPAQUE_LIMIT+1];
  51.      nfsacl41 acl = { 0 };
  52.  
  53. +    DPRINTF(ACLLVL, ("--> handle_getacl()\n"));
  54. +
  55.      if (args->query & DACL_SECURITY_INFORMATION) {
  56.  use_nfs41_getattr:
  57.          bitmap4 attr_request = { 0 };
  58. @@ -354,6 +361,9 @@ out:
  59.          free(dacl);
  60.          nfsacl41_free(info.acl);
  61.      }
  62. +
  63. +    DPRINTF(ACLLVL, ("<-- handle_getacl() returning %d\n", status));
  64. +
  65.      return status;
  66.  }
  67.  
  68. @@ -449,7 +459,7 @@ static int is_well_known_sid(PSID sid, char *who)
  69.      return FALSE;
  70.  }
  71.  
  72. -static void map_aceflags(BYTE win_aceflags, uint32_t *nfs4_aceflags)
  73. +static void map_winace2nfs4aceflags(BYTE win_aceflags, uint32_t *nfs4_aceflags)
  74.  {
  75.      if (win_aceflags & OBJECT_INHERIT_ACE)
  76.          *nfs4_aceflags |= ACE4_FILE_INHERIT_ACE;
  77. @@ -461,13 +471,16 @@ static void map_aceflags(BYTE win_aceflags, uint32_t *nfs4_aceflags)
  78.          *nfs4_aceflags |= ACE4_INHERIT_ONLY_ACE;
  79.      if (win_aceflags & INHERITED_ACE)
  80.          *nfs4_aceflags |= ACE4_INHERITED_ACE;
  81. -    DPRINTF(ACLLVL, ("ACE FLAGS: %x nfs4 aceflags %x\n",
  82. -            win_aceflags, *nfs4_aceflags));
  83. +    DPRINTF(ACLLVL,
  84. +        ("map_winace2nfs4aceflags: win_aceflags=0x%x nfs4_aceflags=0x%x\n",
  85. +        (int)win_aceflags, (int)*nfs4_aceflags));
  86.  }
  87.  
  88. -static void map_acemask(ACCESS_MASK mask, int file_type, uint32_t *nfs4_mask)
  89. +static void map_winaccessmask2nfs4acemask(ACCESS_MASK mask, int file_type, uint32_t *nfs4_mask)
  90.  {
  91. -    DPRINTF(ACLLVL, ("ACE MASK: %x\n", mask));
  92. +    DPRINTF(ACLLVL,
  93. +        ("--> map_winaccessmask2nfs4acemask(mask=0x%x)\n",
  94. +        (int)mask));
  95.      print_windows_access_mask(ACLLVL, mask);
  96.      /* check if any GENERIC bits set */
  97.      if (mask & 0xf000000) {
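Review bot: The context line `if (mask & 0xf000000)` in the renamed `map_winaccessmask2nfs4acemask()` has seven hex digits, so it tests bits 24-27 and not the GENERIC_* bits 28-31 that the comment above it names. If that reading is right, a Windows ACE carrying only GENERIC_* rights would take the `else` branch visible in the next hunk (`*nfs4_mask = mask & 0x00ffffff`) and lose those rights in the NFSv4 mask. Since this commit already touches the function, consider `if (mask & (GENERIC_READ|GENERIC_WRITE|GENERIC_EXECUTE|GENERIC_ALL)) {`; the new entry and exit traces print both masks, which makes it easy to confirm. The body of the `if` lies outside the hunk, so the effect on the generic mapping should be checked against the full function.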
  98. @@ -488,6 +501,9 @@ static void map_acemask(ACCESS_MASK mask, int file_type, uint32_t *nfs4_mask)
  99.      else /* ignoring generic and reserved bits */
  100.          *nfs4_mask = mask & 0x00ffffff;
  101.      print_nfs_access_mask(ACLLVL, *nfs4_mask);
  102. +    DPRINTF(ACLLVL,
  103. +        ("<-- map_winaccessmask2nfs4acemask(mask=0x%x, *nfs4_mask=0x%x)\n",
  104. +        (int)mask, (int)*nfs4_mask));
  105.  }
  106.  
  107.  static int map_nfs4ace_who(PSID sid, PSID owner_sid, PSID group_sid, char *who_out, char *domain, SID_NAME_USE *sid_type_out)
  108. @@ -686,9 +702,9 @@ static int map_dacl_2_nfs4acl(PACL acl, PSID sid, PSID gsid, nfsacl41 *nfs4_acl,
  109.                  goto out_free;
  110.              }
  111.  
  112. -            map_aceflags(ace->AceFlags, &nfs4_acl->aces[i].aceflag);            
  113. -            map_acemask(*(PACCESS_MASK)(ace + 1), file_type,
  114. -                        &nfs4_acl->aces[i].acemask);
  115. +            map_winace2nfs4aceflags(ace->AceFlags, &nfs4_acl->aces[i].aceflag);
  116. +            map_winaccessmask2nfs4acemask(*(PACCESS_MASK)(ace + 1),
  117. +                file_type, &nfs4_acl->aces[i].acemask);
  118.  
  119.              tmp_pointer += sizeof(ACCESS_MASK) + sizeof(ACE_HEADER);
  120.  
  121. --
  122. 2.43.0
  123.  
  124. From fa4dc2ddb4c65b34eec6bab2a78190f0c3d49881 Mon Sep 17 00:00:00 2001
  125. From: Roland Mainz <roland.mainz@nrubsig.org>
  126. Date: Thu, 14 Mar 2024 19:49:21 +0100
  127. Subject: [PATCH 2/2] daemon: Return default ACLs
  128.  
  129. Fix getting the default ACLs.
  130.  
  131. Testcase:
  132. ---- snip ----
  133. $ mkdir d1
  134. $ setfacl -m u::rwx,g::rwx,o::rwx,d:u::rwx,d:g::rwx,d:o::rwx d1
  135. $ getfacl d1
  136. user::rwx
  137. group::rwx
  138. other::rwx
  139. default:user::rwx
  140. default:group::rwx
  141. default:other::rwx
  142. ---- snip ----
  143.  
  144. Reported-by: Dan Shelton <dan.f.shelton@gmail.com>
  145. Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com>
  146. ---
  147. daemon/acl.c | 72 ++++++++++++++++++++++++++++++++++++++++++----------
  148.  1 file changed, 59 insertions(+), 13 deletions(-)
  149.  
  150. diff --git a/daemon/acl.c b/daemon/acl.c
  151. index f7fb870..10c6f77 100644
  152. --- a/daemon/acl.c
  153. +++ b/daemon/acl.c
  154. @@ -38,6 +38,11 @@
  155.  
  156.  #define ACLLVL 2 /* dprintf level for acl logging */
  157.  
  158. +/* Local prototypes */
  159. +static void map_winace2nfs4aceflags(BYTE win_aceflags, uint32_t *nfs4_aceflags);
  160. +static void map_nfs4aceflags2winaceflags(uint32_t nfs4_aceflags, DWORD *win_aceflags);
  161. +
  162. +
  163.  static int parse_getacl(unsigned char *buffer, uint32_t length,
  164.                          nfs41_upcall *upcall)
  165.  {
  166. @@ -125,8 +130,17 @@ static int convert_nfs4acl_2_dacl(nfs41_daemon_globals *nfs41dg,
  167.              goto out;
  168.          }
  169.          if (!flag) {
  170. +            bool isgroupacl = (acl->aces[i].aceflag & ACE4_IDENTIFIER_GROUP)?true:false;
  171. +
  172. +            if (isgroupacl) {
  173. +                DPRINTF(ACLLVL,
  174. +                    ("convert_nfs4acl_2_dacl: aces[%d].who='%s': "
  175. +                    "Setting group flag\n",
  176. +                    i, acl->aces[i].who));
  177. +            }
  178. +
  179.              status = map_nfs4servername_2_sid(nfs41dg,
  180. -                0xFFFF /* fixme: Unknown whether user or group */,
  181. +                (isgroupacl?GROUP_SECURITY_INFORMATION:OWNER_SECURITY_INFORMATION),
  182.                  &sid_len, &sids[i], acl->aces[i].who);
  183.              if (status) {
  184.                  free_sids(sids, i);
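Review bot: The call to `map_nfs4servername_2_sid()` now passes `GROUP_SECURITY_INFORMATION` or `OWNER_SECURITY_INFORMATION` as a user-versus-group selector, and nothing at the call site explains that these constants are being reused this way. A comment above the call would help, for example `/* ACE4_IDENTIFIER_GROUP comes from the server's ACE and selects a group lookup, otherwise a user lookup */`. Because the choice determines which SID ends up in the DACL, it is also worth stating there what happens when a server omits the flag on a group principal. As a style point, `isgroupacl` reads more simply as `(acl->aces[i].aceflag & ACE4_IDENTIFIER_GROUP) != 0`. The enclosing loop and the declaration of `i` (printed with `%d`) are outside the hunk.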
  185. @@ -143,24 +157,39 @@ static int convert_nfs4acl_2_dacl(nfs41_daemon_globals *nfs41dg,
  186.      
  187.      if (InitializeAcl(dacl, size, ACL_REVISION)) {
  188.          ACCESS_MASK mask;
  189. +        DWORD win_aceflags;
  190. +
  191.          for (i = 0; i < acl->count; i++) {
  192. +            win_aceflags = 0;
  193. +
  194.              // nfs4 acemask should be exactly the same as file access mask
  195.              mask = acl->aces[i].acemask;
  196. -            DPRINTF(ACLLVL, ("access mask %x ace type '%s'\n", mask,
  197. -                acl->aces[i].acetype?"DENIED ACE":"ALLOWED ACE"));
  198. +            map_nfs4aceflags2winaceflags(acl->aces[i].aceflag, &win_aceflags);
  199. +
  200. +            DPRINTF(ACLLVL, ("aces[%d].who='%s': "
  201. +                "access mask=0x%x, acetype='%s', win_aceflags=0x%x\n",
  202. +                i, acl->aces[i].who,
  203. +                (int)mask,
  204. +                acl->aces[i].acetype?"DENIED ACE":"ALLOWED ACE",
  205. +                (int)win_aceflags));
  206. +
  207.              if (acl->aces[i].acetype == ACE4_ACCESS_ALLOWED_ACE_TYPE) {
  208. -                status = AddAccessAllowedAce(dacl, ACL_REVISION, mask, sids[i]);
  209. +                status = AddAccessAllowedAceEx(dacl, ACL_REVISION, win_aceflags, mask, sids[i]);
  210.                  if (!status) {
  211. -                    eprintf("convert_nfs4acl_2_dacl: AddAccessAllowedAce failed "
  212. -                            "with %d\n", status);
  213. +                    eprintf("convert_nfs4acl_2_dacl: "
  214. +                        "AddAccessAllowedAceEx(dacl=0x%p,win_aceflags=0x%x,mask=0x%x) failed "
  215. +                        "with status=%d\n",
  216. +                        dacl, (int)win_aceflags, (int)mask, status);
  217.                      goto out_free_dacl;
  218.                  }
  219.                  else status = ERROR_SUCCESS;
  220.              } else if (acl->aces[i].acetype == ACE4_ACCESS_DENIED_ACE_TYPE) {
  221. -                status = AddAccessDeniedAce(dacl, ACL_REVISION, mask, sids[i]);
  222. +                status = AddAccessDeniedAceEx(dacl, ACL_REVISION, win_aceflags, mask, sids[i]);
  223.                  if (!status) {
  224. -                    eprintf("convert_nfs4acl_2_dacl: AddAccessDeniedAce failed "
  225. -                            "with %d\n", status);
  226. +                    eprintf("convert_nfs4acl_2_dacl: "
  227. +                        "AddAccessDeniedAceEx(dacl=0x%p,win_aceflags=0x%x,mask=0x%x) failed "
  228. +                        "with status=%d\n",
  229. +                        dacl, (int)win_aceflags, (int)mask, status);
  230.                      goto out_free_dacl;
  231.                  }
  232.                  else status = ERROR_SUCCESS;
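Review bot: Inside both `if (!status)` branches the new `eprintf` prints `status`, which is necessarily 0 there because it holds the BOOL result of `AddAccessAllowedAceEx()`/`AddAccessDeniedAceEx()`. The log therefore always says `status=0` and never names the actual Win32 error. Make `status = GetLastError();` the first statement of each failure branch, before the `eprintf`, so the message and the value carried to `out_free_dacl` are the real error code. The code after the `out_free_dacl` label is outside this hunk, so check that a failed ACE insertion cannot return 0 (`ERROR_SUCCESS`) to the caller, which would leave `*dacl_out` unset while reporting success.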
  233. @@ -476,6 +505,23 @@ static void map_winace2nfs4aceflags(BYTE win_aceflags, uint32_t *nfs4_aceflags)
  234.          (int)win_aceflags, (int)*nfs4_aceflags));
  235.  }
  236.  
  237. +static void map_nfs4aceflags2winaceflags(uint32_t nfs4_aceflags, DWORD *win_aceflags)
  238. +{
  239. +    if (nfs4_aceflags & ACE4_FILE_INHERIT_ACE)
  240. +        *win_aceflags |= OBJECT_INHERIT_ACE;
  241. +    if (nfs4_aceflags & ACE4_DIRECTORY_INHERIT_ACE)
  242. +        *win_aceflags |= CONTAINER_INHERIT_ACE;
  243. +    if (nfs4_aceflags & ACE4_NO_PROPAGATE_INHERIT_ACE)
  244. +        *win_aceflags |= NO_PROPAGATE_INHERIT_ACE;
  245. +    if (nfs4_aceflags & ACE4_INHERIT_ONLY_ACE)
  246. +        *win_aceflags |= INHERIT_ONLY_ACE;
  247. +    if (nfs4_aceflags & ACE4_INHERITED_ACE)
  248. +        *win_aceflags |= INHERITED_ACE;
  249. +    DPRINTF(ACLLVL,
  250. +        ("map_nfs4aceflags2winace: nfs4_aceflags=0x%x win_aceflags=0x%x\n",
  251. +        (int)nfs4_aceflags, (int)*win_aceflags));
  252. +}
  253. +
  254.  static void map_winaccessmask2nfs4acemask(ACCESS_MASK mask, int file_type, uint32_t *nfs4_mask)
  255.  {
  256.      DPRINTF(ACLLVL,
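Review bot: The trace string in the new `map_nfs4aceflags2winaceflags()` is tagged `map_nfs4aceflags2winace:`, which does not match the function name and makes log searches miss it; use `"map_nfs4aceflags2winaceflags: nfs4_aceflags=0x%x win_aceflags=0x%x\n"`. The function only ORs bits into `*win_aceflags`, so it depends on the caller zeroing the value first, as the loop in `convert_nfs4acl_2_dacl()` does. A short header comment should state that contract and that only the five inheritance flags are translated, with every other NFSv4 ACE flag deliberately dropped. These flags decide how the ACE propagates to child objects, so the mapping is worth documenting next to its inverse, `map_winace2nfs4aceflags()`.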
  257. @@ -725,13 +771,13 @@ static int map_dacl_2_nfs4acl(PACL acl, PSID sid, PSID gsid, nfsacl41 *nfs4_acl,
  258.               */
  259.              if ((who_sid_type == SidTypeGroup) ||
  260.                  (who_sid_type == SidTypeAlias)) {
  261. -                DPRINTF(ACLLVL, ("map_dacl_2_nfs4acl: "
  262. -                    "who_sid_type=%d, setting group flag for '%s'\n",
  263. +                DPRINTF(ACLLVL, ("map_dacl_2_nfs4acl: who_sid_type=%d: "
  264. +                    "aces[%d].who='%s': "
  265. +                    "setting group flag\n",
  266.                      (int)who_sid_type,
  267. -                    nfs4_acl->aces[i].who));
  268. +                    i, nfs4_acl->aces[i].who));
  269.                  nfs4_acl->aces[i].aceflag |= ACE4_IDENTIFIER_GROUP;
  270.              }
  271. -
  272.          }
  273.      }
  274.      status = ERROR_SUCCESS;
  275. --
  276. 2.43.0
