From: Ralph Boehme Date: Tue, 25 May 2021 17:04:10 +0000 (+0200) Subject: loadparam: add option "acl flag inherited canonicalization" X-Git-Tag: tevent-0.11.0~736 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9f57a3194a4cf5e0c383a8c6fdcf60c4e922a978;p=thirdparty%2Fsamba.git loadparam: add option "acl flag inherited canonicalization" Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Thu May 27 19:51:57 UTC 2021 on sn-devel-184 --- diff --git a/docs-xml/smbdotconf/security/aclflaginheritedcanonicalization.xml b/docs-xml/smbdotconf/security/aclflaginheritedcanonicalization.xml new file mode 100644 index 00000000000..676d5b478a3 --- /dev/null +++ b/docs-xml/smbdotconf/security/aclflaginheritedcanonicalization.xml @@ -0,0 +1,30 @@ + + + This option controls the way Samba handles client requests setting + the Security Descriptor of files and directories and the effect the + operation has on the Security Descriptor flag "DACL + auto-inherited" (DI). Generally, this flag is set on a file (or + directory) upon creation if the parent directory has DI set and also has + inheritable ACEs. + + + On the other hand when a Security Descriptor is explicitly set on + a file, the DI flag is cleared, unless the flag "DACL Inheritance + Required" (DR) is also set in the new Security Descriptor (fwiw, DR is + never stored on disk). + + This is the default behaviour when this option is enabled (the + default). When setting this option to no, the + resulting value of the DI flag on-disk is directly taken from the DI + value of the to-be-set Security Descriptor. This can be used so dump + tools like rsync that copy data blobs from xattrs that represent ACLs + created by the acl_xattr VFS module will result in copies of the ACL + that are identical to the source. Without this option, the copied ACLs + would all loose the DI flag if set on the source. + + +yes + diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index b674858e706..54920b85027 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -2960,6 +2960,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) "smbd max xattr size", "65536"); + lpcfg_do_global_parameter(lp_ctx, + "acl flag inherited canonicalization", + "yes"); + for (i = 0; parm_table[i].label; i++) { if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) { lp_ctx->flags[i] |= FLAG_DEFAULT; diff --git a/selftest/knownfail.d/samba3.smb2.acls_non_canonical b/selftest/knownfail.d/samba3.smb2.acls_non_canonical deleted file mode 100644 index b3ebece42be..00000000000 --- a/selftest/knownfail.d/samba3.smb2.acls_non_canonical +++ /dev/null @@ -1 +0,0 @@ -^samba3.smb2.acls_non_canonical.flags.* diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 5143eda4194..84d3fd362ec 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -3070,6 +3070,7 @@ sub provision($$) [acls_non_canonical] copy = tmp + acl flag inherited canonicalization = no "; close(CONF); diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 85e578eda9e..d3b9de4a09a 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -240,6 +240,7 @@ static const struct loadparm_service _sDefault = .acl_map_full_control = true, .acl_group_control = false, .acl_allow_execute_always = false, + .acl_flag_inherited_canonicalization = true, .aio_read_size = 1, .aio_write_size = 1, .map_readonly = MAP_READONLY_NO, diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c index 50e0a5f2f01..00f551595d7 100644 --- a/source3/smbd/nttrans.c +++ b/source3/smbd/nttrans.c @@ -965,6 +965,11 @@ static void canonicalize_inheritance_bits(struct files_struct *fsp, * for details. */ + if (!lp_acl_flag_inherited_canonicalization(SNUM(fsp->conn))) { + psd->type &= ~SEC_DESC_DACL_AUTO_INHERIT_REQ; + return; + } + if ((psd->type & (SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ)) == (SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ)) { set_auto_inherited = true;