s3: smbd: Consistently map EAs to user namespace

Samba has always been mapping Windows EAs to the 'user' namespace on the
POSIX side. However, in the opposite direction, the mapping would also map
other user-readable POSIX EA namespaces to Windows EAs, only stripping the
'user' namespace prefix, and passing all other EA names verbatim.

This means any POSIX EA 'other.foo' collides with 'user.other.foo' on the
Windows side, hence the mapping of non-user namespaces is unreliable.
Also, copy operations via Windows would rename an existing POSIX EA
'other.foo' in the source file to 'user.other.foo' in the destination. The
'user' namespace, however, may not be enabled on the underlying filesystem,
leading to subtle failure modes like the ones reported in eg.
<https://bugzilla.samba.org/show_bug.cgi?id=15186>

Fix the issues by restricting the mapping to the 'user' POSIX EA namespace
consistently for either direction.

Link: https://lists.samba.org/archive/samba-technical/2022-September/137634.html
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15186

Signed-off-by: Daniel Kobras <kobras@puzzle-itc.de>
Reviewed-by: Michael Weiser <michael.weiser@atos.net>
Tested-by: Michael Weiser <michael.weiser@atos.net>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

diff --git a/source3/smbd/smb2_trans2.c b/source3/smbd/smb2_trans2.c
index 95cecce96e11ef45a3b1353cdeb8f048a4c26a2f..69f6184bff1cf0d701dfb5e809ca5b7ce62e33ee 100644 (file)
--- a/source3/smbd/smb2_trans2.c
+++ b/source3/smbd/smb2_trans2.c
@@ -454,7 +454,19 @@ static NTSTATUS get_ea_list_from_fsp(TALLOC_CTX *mem_ctx,
                struct ea_list *listp;
                fstring dos_ea_name;
 
-               if (strnequal(names[i], "system.", 7)
+               /*
+                * POSIX EA names are divided into several namespaces by
+                * means of string prefixes. Usually, the system controls
+                * semantics for each namespace, but the 'user' namespace is
+                * available for arbitrary use, which comes closest to
+                * Windows EA semantics. Hence, we map POSIX EAs from the
+                * 'user' namespace to Windows EAs, and just ignore all the
+                * other namespaces. Also, a few specific names in the 'user'
+                * namespace are used by Samba internally. Filter them out as
+                * well, and only present the EAs that are available for
+                * arbitrary use.
+                */
+               if (!strnequal(names[i], "user.", 5)
                    || samba_private_attr_name(names[i]))
                        continue;
 
@@ -780,7 +792,14 @@ NTSTATUS set_ea(connection_struct *conn, files_struct *fsp,
                int ret;
                fstring unix_ea_name;
 
-               fstrcpy(unix_ea_name, "user."); /* All EA's must start with user. */
+               /*
+                * Complementing the forward mapping from POSIX EAs to
+                * Windows EAs in get_ea_list_from_fsp(), here we map in the
+                * opposite direction from Windows EAs to the 'user' namespace
+                * of POSIX EAs. Hence, all POSIX EA names the we set here must
+                * start with a 'user.' prefix.
+                */
+               fstrcpy(unix_ea_name, "user.");
                fstrcat(unix_ea_name, ea_list->ea.name);
 
                canonicalize_ea_name(fsp, unix_ea_name);