From ecb8a99a2c7ba36f9adc50ef13cd8465a0c49b19 Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Fri, 5 Jul 2024 16:22:18 +0200
Subject: [PATCH] smbd: use metadata_fsp(fsp) in copy_access_posix_acl() for SMB_VFS_SYS_ACL_SET_FD

When inheriting permissions on the created stream, we call into the VFS to fetch the stream's security descriptor via inherit_access_posix_acl() -> copy_access_posix_acl() -> SMB_VFS_SYS_ACL_SET_FD() passing the stream fsp which triggers the assert SMB_ASSERT(!fsp_is_alternate_stream(fsp)) in vfswrap_sys_acl_set_fd() in vfs_default.

Just passing the base fsp to the VFS fixes this.

vfs_streams_depot which *does use* distinct backend filesystem files for the streams, currently does not apply permissions to the stream files at all, so the incomplete behaviour of vfs_streams_depot is not affected by this change.

If in the future someone wants to fix this deficiency in vfs_streams_depot, the module code can use fsp->stream_fsp to base decisions in VFS ops whether the module should carry out some action.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15695

Signed-off-by: Ralph Boehme
Reviewed-by: Volker Lendecke
Autobuild-User(master): Volker Lendecke
Autobuild-Date(master): Mon Sep 2 08:55:28 UTC 2024 on atb-devel-224

--- selftest/knownfail.d/samba3.smb2.stream-inherit-perms | 1 - source3/smbd/posix_acls.c | 4 +++- 2 files changed, 3 insertions(+), 2 deletions(-) delete mode 100644 selftest/knownfail.d/samba3.smb2.stream-inherit-perms diff --git a/selftest/knownfail.d/samba3.smb2.stream-inherit-perms b/selftest/knownfail.d/samba3.smb2.stream-inherit-perms deleted file mode 100644 index fa311ac924d..00000000000 --- a/selftest/knownfail.d/samba3.smb2.stream-inherit-perms +++ /dev/null @@ -1 +0,0 @@ -^samba3.smb2.stream-inherit-perms.stream-inherit-perms\(fileserver\) diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index 0f6a0d52e01..53a9c53f54a 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c 
@@ -4000,7 +4000,9 @@ static int copy_access_posix_acl(struct files_struct *from, goto done; } - ret = SMB_VFS_SYS_ACL_SET_FD(to, SMB_ACL_TYPE_ACCESS, posix_acl); + ret = SMB_VFS_SYS_ACL_SET_FD(metadata_fsp(to), + SMB_ACL_TYPE_ACCESS, + posix_acl); done: -- 2.47.2
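Review bot: the rewritten `SMB_VFS_SYS_ACL_SET_FD(metadata_fsp(to), ...)` call in copy_access_posix_acl() carries no comment explaining why `to` is wrapped, so the reason (a stream fsp trips `SMB_ASSERT(!fsp_is_alternate_stream(fsp))` in vfswrap_sys_acl_set_fd()) lives only in the commit message. A short comment above the call saying that `to` may be a stream fsp and that the POSIX ACL is deliberately applied to the base file would keep a later cleanup from reverting it, and would make it explicit that a stream has no access ACL of its own here. The hunk shows only the set side: please confirm that the code earlier in this function that reads the ACL from `from` is equally safe when `from` is a stream fsp, or wrap it the same way.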