[CIFS] Fix incorrect mode when ACL had deny access control entries
When mounted with the cifsacl mount option, we were treating any deny ACEs found like allow ACEs and it turns out for SFU and SUA Windows set these type of access control entries often. The order of ACEs is important too. The canonical order that most ACL tools and Windows explorer consruct ACLs with is to begin with DENY entries then follow with ALLOW, otherwise an allow entry could be encountered first, making the subsequent deny entry like "dead code which would be superflous since Windows stops when a match is made for the operation you are trying to perform for your user We start with no permissions in the mode and build up as we find permissions (ie allow ACEs). This fixes deny ACEs so they affect the mask used to set the subsequent allow ACEs. Acked-by: Shirish Pargaonkar <shirishp@us.ibm.com> CC: Alexander Bokovoy <ab@samba.org> Signed-off-by: Steve French <sfrench@us.ibm.com>
This commit is contained in:
parent
9eae8a8903
commit
15b0395911
|
@ -134,12 +134,39 @@ int compare_sids(const struct cifs_sid *ctsid, const struct cifs_sid *cwsid)
|
||||||
pmode is the existing mode (we only want to overwrite part of this
|
pmode is the existing mode (we only want to overwrite part of this
|
||||||
bits to set can be: S_IRWXU, S_IRWXG or S_IRWXO ie 00700 or 00070 or 00007
|
bits to set can be: S_IRWXU, S_IRWXG or S_IRWXO ie 00700 or 00070 or 00007
|
||||||
*/
|
*/
|
||||||
static void access_flags_to_mode(__u32 ace_flags, umode_t *pmode,
|
static void access_flags_to_mode(__u32 ace_flags, int type, umode_t *pmode,
|
||||||
umode_t bits_to_set)
|
umode_t *pbits_to_set)
|
||||||
{
|
{
|
||||||
|
/* the order of ACEs is important. The canonical order is to begin with
|
||||||
|
DENY entries then follow with ALLOW, otherwise an allow entry could be
|
||||||
|
encountered first, making the subsequent deny entry like "dead code"
|
||||||
|
which would be superflous since Windows stops when a match is made
|
||||||
|
for the operation you are trying to perform for your user */
|
||||||
|
|
||||||
|
/* For deny ACEs we change the mask so that subsequent allow access
|
||||||
|
control entries do not turn on the bits we are denying */
|
||||||
|
if (type == ACCESS_DENIED) {
|
||||||
|
if (ace_flags & GENERIC_ALL) {
|
||||||
|
*pbits_to_set &= ~S_IRWXUGO;
|
||||||
|
}
|
||||||
|
if ((ace_flags & GENERIC_WRITE) ||
|
||||||
|
((ace_flags & FILE_WRITE_RIGHTS) == FILE_WRITE_RIGHTS))
|
||||||
|
*pbits_to_set &= ~S_IWUGO;
|
||||||
|
if ((ace_flags & GENERIC_READ) ||
|
||||||
|
((ace_flags & FILE_READ_RIGHTS) == FILE_READ_RIGHTS))
|
||||||
|
*pbits_to_set &= ~S_IRUGO;
|
||||||
|
if ((ace_flags & GENERIC_EXECUTE) ||
|
||||||
|
((ace_flags & FILE_EXEC_RIGHTS) == FILE_EXEC_RIGHTS))
|
||||||
|
*pbits_to_set &= ~S_IXUGO;
|
||||||
|
return;
|
||||||
|
} else if (type != ACCESS_ALLOWED) {
|
||||||
|
cERROR(1, ("unknown access control type %d", type));
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
/* else ACCESS_ALLOWED type */
|
||||||
|
|
||||||
if (ace_flags & GENERIC_ALL) {
|
if (ace_flags & GENERIC_ALL) {
|
||||||
*pmode |= (S_IRWXUGO & bits_to_set);
|
*pmode |= (S_IRWXUGO & (*pbits_to_set));
|
||||||
#ifdef CONFIG_CIFS_DEBUG2
|
#ifdef CONFIG_CIFS_DEBUG2
|
||||||
cFYI(1, ("all perms"));
|
cFYI(1, ("all perms"));
|
||||||
#endif
|
#endif
|
||||||
|
@ -147,13 +174,13 @@ static void access_flags_to_mode(__u32 ace_flags, umode_t *pmode,
|
||||||
}
|
}
|
||||||
if ((ace_flags & GENERIC_WRITE) ||
|
if ((ace_flags & GENERIC_WRITE) ||
|
||||||
((ace_flags & FILE_WRITE_RIGHTS) == FILE_WRITE_RIGHTS))
|
((ace_flags & FILE_WRITE_RIGHTS) == FILE_WRITE_RIGHTS))
|
||||||
*pmode |= (S_IWUGO & bits_to_set);
|
*pmode |= (S_IWUGO & (*pbits_to_set));
|
||||||
if ((ace_flags & GENERIC_READ) ||
|
if ((ace_flags & GENERIC_READ) ||
|
||||||
((ace_flags & FILE_READ_RIGHTS) == FILE_READ_RIGHTS))
|
((ace_flags & FILE_READ_RIGHTS) == FILE_READ_RIGHTS))
|
||||||
*pmode |= (S_IRUGO & bits_to_set);
|
*pmode |= (S_IRUGO & (*pbits_to_set));
|
||||||
if ((ace_flags & GENERIC_EXECUTE) ||
|
if ((ace_flags & GENERIC_EXECUTE) ||
|
||||||
((ace_flags & FILE_EXEC_RIGHTS) == FILE_EXEC_RIGHTS))
|
((ace_flags & FILE_EXEC_RIGHTS) == FILE_EXEC_RIGHTS))
|
||||||
*pmode |= (S_IXUGO & bits_to_set);
|
*pmode |= (S_IXUGO & (*pbits_to_set));
|
||||||
|
|
||||||
#ifdef CONFIG_CIFS_DEBUG2
|
#ifdef CONFIG_CIFS_DEBUG2
|
||||||
cFYI(1, ("access flags 0x%x mode now 0x%x", ace_flags, *pmode));
|
cFYI(1, ("access flags 0x%x mode now 0x%x", ace_flags, *pmode));
|
||||||
|
@ -239,6 +266,10 @@ static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
|
||||||
|
|
||||||
num_aces = le32_to_cpu(pdacl->num_aces);
|
num_aces = le32_to_cpu(pdacl->num_aces);
|
||||||
if (num_aces > 0) {
|
if (num_aces > 0) {
|
||||||
|
umode_t user_mask = S_IRWXU;
|
||||||
|
umode_t group_mask = S_IRWXG;
|
||||||
|
umode_t other_mask = S_IRWXO;
|
||||||
|
|
||||||
ppace = kmalloc(num_aces * sizeof(struct cifs_ace *),
|
ppace = kmalloc(num_aces * sizeof(struct cifs_ace *),
|
||||||
GFP_KERNEL);
|
GFP_KERNEL);
|
||||||
|
|
||||||
|
@ -253,13 +284,19 @@ static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
|
||||||
#endif
|
#endif
|
||||||
if (compare_sids(&(ppace[i]->sid), pownersid))
|
if (compare_sids(&(ppace[i]->sid), pownersid))
|
||||||
access_flags_to_mode(ppace[i]->access_req,
|
access_flags_to_mode(ppace[i]->access_req,
|
||||||
&(inode->i_mode), S_IRWXU);
|
ppace[i]->type,
|
||||||
|
&(inode->i_mode),
|
||||||
|
&user_mask);
|
||||||
if (compare_sids(&(ppace[i]->sid), pgrpsid))
|
if (compare_sids(&(ppace[i]->sid), pgrpsid))
|
||||||
access_flags_to_mode(ppace[i]->access_req,
|
access_flags_to_mode(ppace[i]->access_req,
|
||||||
&(inode->i_mode), S_IRWXG);
|
ppace[i]->type,
|
||||||
|
&(inode->i_mode),
|
||||||
|
&group_mask);
|
||||||
if (compare_sids(&(ppace[i]->sid), &sid_everyone))
|
if (compare_sids(&(ppace[i]->sid), &sid_everyone))
|
||||||
access_flags_to_mode(ppace[i]->access_req,
|
access_flags_to_mode(ppace[i]->access_req,
|
||||||
&(inode->i_mode), S_IRWXO);
|
ppace[i]->type,
|
||||||
|
&(inode->i_mode),
|
||||||
|
&other_mask);
|
||||||
|
|
||||||
/* memcpy((void *)(&(cifscred->aces[i])),
|
/* memcpy((void *)(&(cifscred->aces[i])),
|
||||||
(void *)ppace[i],
|
(void *)ppace[i],
|
||||||
|
|
Loading…
Reference in New Issue