From: Ralph Boehme Date: Fri, 5 Jul 2024 14:22:18 +0000 (+0200) Subject: smbd: use metadata_fsp(fsp) in copy_access_posix_acl() for SMB_VFS_SYS_ACL_SET_FD X-Git-Tag: tdb-1.4.13~1240 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ecb8a99a2c7ba36f9adc50ef13cd8465a0c49b19;p=thirdparty%2Fsamba.git smbd: use metadata_fsp(fsp) in copy_access_posix_acl() for SMB_VFS_SYS_ACL_SET_FD When inherting permissions on the created stream, we call into the VFS to fetch the streams security descriptor via inherit_access_posix_acl() -> copy_access_posix_acl() -> SMB_VFS_SYS_ACL_SET_FD() passing the stream fsp which triggers the assert SMB_ASSERT(!fsp_is_alternate_stream(fsp)) in vfswrap_sys_acl_set_fd() in vfs_default. Just passing the base fsp to the VFS fixes this. vfs_streams_depot which *does use* distinct backend filesystem files for the streams, currently does not apply permissions to the stream files at all, so the incomplete behaviour of vfs_streams_depot is not affected by this change. If in the future someone want to fix this defficiency in vfs_streams_depot, the module code can use fsp->stream_fsp to base decisions in VFS ops whether the module should carry out some action. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15695 Signed-off-by: Ralph Boehme Reviewed-by: Volker Lendecke Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Mon Sep 2 08:55:28 UTC 2024 on atb-devel-224 --- diff --git a/selftest/knownfail.d/samba3.smb2.stream-inherit-perms b/selftest/knownfail.d/samba3.smb2.stream-inherit-perms deleted file mode 100644 index fa311ac924d..00000000000 --- a/selftest/knownfail.d/samba3.smb2.stream-inherit-perms +++ /dev/null @@ -1 +0,0 @@ -^samba3.smb2.stream-inherit-perms.stream-inherit-perms\(fileserver\) diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index 0f6a0d52e01..53a9c53f54a 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c @@ -4000,7 +4000,9 @@ static int copy_access_posix_acl(struct files_struct *from, goto done; } - ret = SMB_VFS_SYS_ACL_SET_FD(to, SMB_ACL_TYPE_ACCESS, posix_acl); + ret = SMB_VFS_SYS_ACL_SET_FD(metadata_fsp(to), + SMB_ACL_TYPE_ACCESS, + posix_acl); done: