From patchwork Fri Jan 17 02:28:03 2020
X-Patchwork-Submitter: Steve French
X-Patchwork-Id: 11338199
From: Steve French
Date: Thu, 16 Jan 2020 20:28:03 -0600
Subject: [PATCH][SMB3] Fix modefromsid newly created files to allow more permission on server
To: CIFS
X-Mailing-List: linux-cifs@vger.kernel.org

When mounting with "modefromsid" mount parm most servers will require that some default permissions are given to users in the ACL on newly created files, and for files created with the new 'sd context' - when passing in an sd context on create, permissions are not inherited from the parent directory, so in addition to the ACE with the special SID (which contains the mode), we also must pass in an ACE allowing users to access the file (GENERIC_ALL for authenticated users seemed like a reasonable default, although later we could allow a mount option or config switch to make it GENERIC_ALL for EVERYONE special sid).

Reviewed-By: Ronnie Sahlberg
Reviewed-by: Pavel Shilovsky

From 5cc1624433deead76820bb1b65c393433355df89 Mon Sep 17 00:00:00 2001
From: Steve French Date: Thu, 16 Jan 2020 19:55:33 -0600 Subject: [PATCH 2/3] smb3: fix default permissions on new files when mounting with modefromsid When mounting with "modefromsid" mount parm most servers will require that some default permissions are given to users in the ACL on newly created files, files created with the new 'sd context' - when passing in an sd context on create, permissions are not inherited from the parent directory, so in addition to the ACE with the special SID which contains the mode, we also must pass in an ACE allowing users to access the file (GENERIC_ALL for authenticated users seemed like a reasonable default, although later we could allow a mount option or config switch to make it GENERIC_ALL for EVERYONE special sid). CC: Stable Signed-off-by: Steve French --- fs/cifs/cifsacl.c | 20 ++++++++++++++++++++ fs/cifs/cifsproto.h | 1 + fs/cifs/smb2pdu.c | 11 ++++++++--- 3 files changed, 29 insertions(+), 3 deletions(-) diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c index 96ae72b556ac..fb41e51dd574 100644 --- a/fs/cifs/cifsacl.c +++ b/fs/cifs/cifsacl.c @@ -802,6 +802,26 @@ static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl, return; } +unsigned int setup_authusers_ACE(struct cifs_ace *pntace) +{ + int i; + unsigned int ace_size = 20; + + pntace->type = ACCESS_ALLOWED_ACE_TYPE; + pntace->flags = 0x0; + pntace->access_req = cpu_to_le32(GENERIC_ALL); + pntace->sid.num_subauth = 1; + pntace->sid.revision = 1; + for (i = 0; i < NUM_AUTHS; i++) + pntace->sid.authority[i] = sid_authusers.authority[i]; + + pntace->sid.sub_auth[0] = sid_authusers.sub_auth[0]; + + /* size = 1 + 1 + 2 + 4 + 1 + 1 + 6 + (psid->num_subauth*4) */ + pntace->size = cpu_to_le16(ace_size); + return ace_size; +} + /* * Fill in the special SID based on the mode. See * http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx diff --git a/fs/cifs/cifsproto.h b/fs/cifs/cifsproto.h index f6f3cc90cd18..948bf3474db1 100644 --- a/fs/cifs/cifsproto.h 
+++ b/fs/cifs/cifsproto.h @@ -213,6 +213,7 @@ extern struct cifs_ntsd *get_cifs_acl_by_fid(struct cifs_sb_info *, const struct cifs_fid *, u32 *); extern int set_cifs_acl(struct cifs_ntsd *, __u32, struct inode *, const char *, int); +extern unsigned int setup_authusers_ACE(struct cifs_ace *pace); extern unsigned int setup_special_mode_ACE(struct cifs_ace *pace, __u64 nmode); extern void dequeue_mid(struct mid_q_entry *mid, bool malformed); diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index a23ca3d0dcd9..7083d79de4e4 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -2199,13 +2199,14 @@ create_sd_buf(umode_t mode, unsigned int *len) struct cifs_ace *pace; unsigned int sdlen, acelen; - *len = roundup(sizeof(struct crt_sd_ctxt) + sizeof(struct cifs_ace), 8); + *len = roundup(sizeof(struct crt_sd_ctxt) + sizeof(struct cifs_ace) * 2, + 8); buf = kzalloc(*len, GFP_KERNEL); if (buf == NULL) return buf; sdlen = sizeof(struct smb3_sd) + sizeof(struct smb3_acl) + - sizeof(struct cifs_ace); + (2 * sizeof(struct cifs_ace)); buf->ccontext.DataOffset = cpu_to_le16(offsetof (struct crt_sd_ctxt, sd)); @@ -2232,8 +2233,12 @@ create_sd_buf(umode_t mode, unsigned int *len) /* create one ACE to hold the mode embedded in reserved special SID */ pace = (struct cifs_ace *)(sizeof(struct crt_sd_ctxt) + (char *)buf); acelen = setup_special_mode_ACE(pace, (__u64)mode); + /* and one more ACE to allow access for authenticated users */ + pace = (struct cifs_ace *)(acelen + (sizeof(struct crt_sd_ctxt) + + (char *)buf)); + acelen += setup_authusers_ACE(pace); buf->acl.AclSize = cpu_to_le16(sizeof(struct cifs_acl) + acelen); - buf->acl.AceCount = cpu_to_le16(1); + buf->acl.AceCount = cpu_to_le16(2); return buf; } -- 2.24.1
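
Review bot: setup_authusers_ACE() in fs/cifs/cifsacl.c sets access_req to GENERIC_ALL unconditionally and takes no mode argument, so the ACE sent for a new file grants authenticated users GENERIC_ALL whatever mode was requested; only the special-SID ACE carries the mode. Since this is CC'd to stable, the function should have a comment above it stating that this is a deliberate default and why (the commit message explains it, the code does not), and the mount option mentioned in the commit message would give administrators a way to narrow it. Separately, "unsigned int ace_size = 20;" is a magic number and the size comment refers to psid, which is not a variable in this function; computing the size from pntace->sid.num_subauth would keep the comment and the value in step.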
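
Review bot: the first create_sd_buf() hunk in fs/cifs/smb2pdu.c is missing a check that the ACEs fit in the space reserved for them. The allocation and sdlen are sized as two times sizeof(struct cifs_ace), while the bytes actually written are whatever setup_special_mode_ACE() and setup_authusers_ACE() return, and nothing in the visible lines ties the two together. A sanity check that the accumulated acelen does not exceed 2 * sizeof(struct cifs_ace) would make the assumption explicit. The multiplier is also spelled two ways, "sizeof(struct cifs_ace) * 2" and "(2 * sizeof(struct cifs_ace))"; a single named constant for the ACE count, used in both places, would avoid them drifting apart when a third ACE is added.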
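
Review bot: in the second create_sd_buf() hunk, the address of the second ACE repeats the base expression "sizeof(struct crt_sd_ctxt) + (char *)buf" with acelen added in front, which is easy to get wrong on the next edit; advancing from the first ACE, as in "pace = (struct cifs_ace *)((char *)pace + acelen);", states the intent directly. AceCount is hard-coded to 2 here and has to match the multiplier used for *len and sdlen in the hunk above, so it should share the same constant. Note also that AclSize is derived from the returned acelen while sdlen is derived from sizeof(struct cifs_ace), so the two lengths can disagree if a helper ever returns a size different from the struct size; a short comment saying which one is authoritative would help.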