Message ID | 1312918260-23780-1-git-send-email-shirishpargonkar@gmail.com (mailing list archive) |
---|---|
State | New, archived |
On Tue, Aug 9, 2011 at 2:31 PM, <shirishpargaonkar@gmail.com> wrote: > From: Shirish Pargaonkar <shirishpargaonkar@gmail.com> > > > Add functions to map a uid and gid to a SID. These functions are > similar to SID to uid and gid mapping functions. > A SID is what is returned to the cifs module. > > > Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> > --- > cifs.idmap.c | 37 +++++++++++++++++++++++++++++++++++++ > 1 files changed, 37 insertions(+), 0 deletions(-) > > diff --git a/cifs.idmap.c b/cifs.idmap.c > index 56edb58..80802d7 100644 > --- a/cifs.idmap.c > +++ b/cifs.idmap.c 
> @@ -134,6 +134,43 @@ cifs_idmap(const key_serial_t key, const char *key_descr) > goto cifs_idmap_ret; > } > > + sidstr = strget(key_descr, "oi:"); > + if (sidstr) { > + uid = atoi(sidstr); > + syslog(LOG_DEBUG, "SID: %s, uid: %d", sidstr, uid); > + rc = wbcUidToSid(uid, &sid); > + if (rc) > + syslog(LOG_DEBUG, "uid %d to SID error: %d", uid, rc); > + if (!rc) { /* SID has been mapped to a uid */ > + rc = keyctl_instantiate(key, &sid, > + sizeof(struct wbcDomainSid), 0); > + if (rc) > + syslog(LOG_ERR, "%s: key inst: %s", > + __func__, strerror(errno)); > + } > + > + goto cifs_idmap_ret; > + } > + > + sidstr = strget(key_descr, "gi:"); > + if (sidstr) { > + gid = atoi(sidstr); > + syslog(LOG_DEBUG, "SID: %s, gid: %d", sidstr, gid); > + rc = wbcGidToSid(gid, &sid); > + if (rc) > + syslog(LOG_DEBUG, "gid %d to SID error: %d", gid, rc); > + if (!rc) { /* SID has been mapped to a gid */ > + rc = keyctl_instantiate(key, &sid, > + sizeof(struct wbcDomainSid), 0); > + if (rc) > + syslog(LOG_ERR, "%s: key inst: %s", > + __func__, strerror(errno)); > + } > + > + goto cifs_idmap_ret; > + } > + > + > syslog(LOG_DEBUG, "Invalid key: %s", key_descr); > > cifs_idmap_ret: > -- > 1.6.0.2 > >

Jeff, any comments on this? I think this patch and kernel parts of this patchset, should be doing similar to what is done currently for server that support unix extensions. A care is taken so that only the server ids can be assigned as an id to change to, if an id can't be resolved, then chown/chgrp fail and if an id can be resolved, the server is the one which whether to apply the changed security descriptor or not.

Regards,
Shirish
On Thu, 25 Aug 2011 06:44:29 -0500 Shirish Pargaonkar <shirishpargaonkar@gmail.com> wrote: > On Tue, Aug 9, 2011 at 2:31 PM, <shirishpargaonkar@gmail.com> wrote: > > From: Shirish Pargaonkar <shirishpargaonkar@gmail.com> > > > > > > Add functions to map a uid and gid to a SID. These functions are > > similar to SID to uid and gid mapping functions. > > A SID is what is returned to the cifs module. > > > > > > Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> > > --- > > cifs.idmap.c | 37 +++++++++++++++++++++++++++++++++++++ > > 1 files changed, 37 insertions(+), 0 deletions(-) > > > > diff --git a/cifs.idmap.c b/cifs.idmap.c > > index 56edb58..80802d7 100644 > > --- a/cifs.idmap.c > > +++ b/cifs.idmap.c 
> > @@ -134,6 +134,43 @@ cifs_idmap(const key_serial_t key, const char *key_descr) > > goto cifs_idmap_ret; > > } > > > > + sidstr = strget(key_descr, "oi:"); > > + if (sidstr) { > > + uid = atoi(sidstr); > > + syslog(LOG_DEBUG, "SID: %s, uid: %d", sidstr, uid); > > + rc = wbcUidToSid(uid, &sid); > > + if (rc) > > + syslog(LOG_DEBUG, "uid %d to SID error: %d", uid, rc); > > + if (!rc) { /* SID has been mapped to a uid */ > > + rc = keyctl_instantiate(key, &sid, > > + sizeof(struct wbcDomainSid), 0); > > + if (rc) > > + syslog(LOG_ERR, "%s: key inst: %s", > > + __func__, strerror(errno)); > > + } > > + > > + goto cifs_idmap_ret; > > + } > > + > > + sidstr = strget(key_descr, "gi:"); > > + if (sidstr) { > > + gid = atoi(sidstr); > > + syslog(LOG_DEBUG, "SID: %s, gid: %d", sidstr, gid); > > + rc = wbcGidToSid(gid, &sid); > > + if (rc) > > + syslog(LOG_DEBUG, "gid %d to SID error: %d", gid, rc); > > + if (!rc) { /* SID has been mapped to a gid */ > > + rc = keyctl_instantiate(key, &sid, > > + sizeof(struct wbcDomainSid), 0); > > + if (rc) > > + syslog(LOG_ERR, "%s: key inst: %s", > > + __func__, strerror(errno)); > > + } > > + > > + goto cifs_idmap_ret; > > + } > > + > > + > > syslog(LOG_DEBUG, "Invalid key: %s", key_descr); > > > > cifs_idmap_ret: > > -- > > 1.6.0.2 > > > > > > Jeff, any comments on this? I think this patch and kernel parts > of this patchset, should be doing similar to what is done currently > for server that support unix extensions. > A care is taken so that only the server ids can be assigned as > an id to change to, if an id can't be resolved, then chown/chgrp fail > and if an id can be resolved, the server is the one which whether > to apply the changed security descriptor or not. > > Regards, > > Shirish

The userspace part of this looks fine. I don't have the time to review the kernel pieces however. If Steve plans to review and commit those, then I'll plan to pull the userspace patch into the next cifs-utils release.
I did a review early this month and Shirish seems to have incorporated the feedback so I plan to rereview the kernel part of the patchset after the ntlmv2 and FindFirst patches are done/tested/merged.

On Thu, Aug 25, 2011 at 12:54 PM, Jeff Layton <jlayton@samba.org> wrote: > On Thu, 25 Aug 2011 06:44:29 -0500 > Shirish Pargaonkar <shirishpargaonkar@gmail.com> wrote: > >> On Tue, Aug 9, 2011 at 2:31 PM, <shirishpargaonkar@gmail.com> wrote: >> > From: Shirish Pargaonkar <shirishpargaonkar@gmail.com> >> > >> > >> > Add functions to map a uid and gid to a SID. These functions are >> > similar to SID to uid and gid mapping functions. >> > A SID is what is returned to the cifs module. >> > >> > >> > Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> >> > --- >> > cifs.idmap.c | 37 +++++++++++++++++++++++++++++++++++++ >> > 1 files changed, 37 insertions(+), 0 deletions(-) >> > >> > diff --git a/cifs.idmap.c b/cifs.idmap.c >> > index 56edb58..80802d7 100644 >> > --- a/cifs.idmap.c >> > +++ b/cifs.idmap.c 
>> > @@ -134,6 +134,43 @@ cifs_idmap(const key_serial_t key, const char *key_descr) >> > goto cifs_idmap_ret; >> > } >> > >> > + sidstr = strget(key_descr, "oi:"); >> > + if (sidstr) { >> > + uid = atoi(sidstr); >> > + syslog(LOG_DEBUG, "SID: %s, uid: %d", sidstr, uid); >> > + rc = wbcUidToSid(uid, &sid); >> > + if (rc) >> > + syslog(LOG_DEBUG, "uid %d to SID error: %d", uid, rc); >> > + if (!rc) { /* SID has been mapped to a uid */ >> > + rc = keyctl_instantiate(key, &sid, >> > + sizeof(struct wbcDomainSid), 0); >> > + if (rc) >> > + syslog(LOG_ERR, "%s: key inst: %s", >> > + __func__, strerror(errno)); >> > + } >> > + >> > + goto cifs_idmap_ret; >> > + } >> > + >> > + sidstr = strget(key_descr, "gi:"); >> > + if (sidstr) { >> > + gid = atoi(sidstr); >> > + syslog(LOG_DEBUG, "SID: %s, gid: %d", sidstr, gid); >> > + rc = wbcGidToSid(gid, &sid); >> > + if (rc) >> > + syslog(LOG_DEBUG, "gid %d to SID error: %d", gid, rc); >> > + if (!rc) { /* SID has been mapped to a gid */ >> > + rc = keyctl_instantiate(key, &sid, >> > + sizeof(struct wbcDomainSid), 0); >> > + if (rc) >> > + syslog(LOG_ERR, "%s: key inst: %s", >> > + __func__, strerror(errno)); >> > + } >> > + >> > + goto cifs_idmap_ret; >> > + } >> > + >> > + >> > syslog(LOG_DEBUG, "Invalid key: %s", key_descr); >> > >> > cifs_idmap_ret: >> > -- >> > 1.6.0.2 >> > >> > >> >> Jeff, any comments on this? I think this patch and kernel parts >> of this patchset, should be doing similar to what is done currently >> for server that support unix extensions. >> A care is taken so that only the server ids can be assigned as >> an id to change to, if an id can't be resolved, then chown/chgrp fail >> and if an id can be resolved, the server is the one which whether >> to apply the changed security descriptor or not. >> >> Regards, >> >> Shirish > > The userspace part of this looks fine. I don't have the time to review > the kernel pieces however. 
If Steve plans to review and commit those, > then I'll plan to pull the userspace patch into the next cifs-utils > release. > > -- > Jeff Layton <jlayton@samba.org>
diff --git a/cifs.idmap.c b/cifs.idmap.c index 56edb58..80802d7 100644 --- a/cifs.idmap.c +++ b/cifs.idmap.c @@ -134,6 +134,43 @@ cifs_idmap(const key_serial_t key, const char *key_descr) goto cifs_idmap_ret; } + sidstr = strget(key_descr, "oi:"); + if (sidstr) { + uid = atoi(sidstr); + syslog(LOG_DEBUG, "SID: %s, uid: %d", sidstr, uid); + rc = wbcUidToSid(uid, &sid); + if (rc) + syslog(LOG_DEBUG, "uid %d to SID error: %d", uid, rc); + if (!rc) { /* SID has been mapped to a uid */ + rc = keyctl_instantiate(key, &sid, + sizeof(struct wbcDomainSid), 0); + if (rc) + syslog(LOG_ERR, "%s: key inst: %s", + __func__, strerror(errno)); + } + + goto cifs_idmap_ret; + } + + sidstr = strget(key_descr, "gi:"); + if (sidstr) { + gid = atoi(sidstr); + syslog(LOG_DEBUG, "SID: %s, gid: %d", sidstr, gid); + rc = wbcGidToSid(gid, &sid); + if (rc) + syslog(LOG_DEBUG, "gid %d to SID error: %d", gid, rc); + if (!rc) { /* SID has been mapped to a gid */ + rc = keyctl_instantiate(key, &sid, + sizeof(struct wbcDomainSid), 0); + if (rc) + syslog(LOG_ERR, "%s: key inst: %s", + __func__, strerror(errno)); + } + + goto cifs_idmap_ret; + } + + syslog(LOG_DEBUG, "Invalid key: %s", key_descr); cifs_idmap_ret:
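Review bot: Both added branches parse the id with atoi (`uid = atoi(sidstr);` and `gid = atoi(sidstr);`), which cannot report a parse failure. An empty or non-numeric suffix after "oi:" or "gi:" silently becomes 0, which is root's uid/gid, and an out-of-range value is undefined behaviour, so a malformed key description is answered with whatever SID wbcUidToSid/wbcGidToSid returns for id 0 instead of reaching the "Invalid key" path. Suggest strtoul with errno and end-pointer checks, plus a range check against the uid_t/gid_t width, and bailing out to the invalid-key log on any failure. Smaller points in the same hunk: the debug line `"SID: %s, uid: %d"` prints the numeric id string under the label SID; the comments `/* SID has been mapped to a uid */` and `/* SID has been mapped to a gid */` state the reverse of what these branches do (id to SID); a failed wbc lookup is logged only at LOG_DEBUG while the keyctl_instantiate failure is LOG_ERR, which makes unresolved ids hard to spot in production logs; and the two branches differ only in the prefix and the wbc call, so a shared helper would remove the duplication.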