[rsbac] samba / bugfix

Amon Ott rsbac@rsbac.org
Mon, 11 Mar 2002 10:59:42 +0100



On Monday, 4. March 2002 13:28, Arkady A Drovosekov wrote:
> samba on the way:
> I tried to assign a separate role for the samba daemon (smbd) with rw rights
> for only one directory.
> I've created a role and made it the forced role for smbd, and assigned an ACL for
> the directory to make read/write possible for the new role. I didn't change the
> fd_type of this directory, so it is a general fd.
>
> And there is a problem: samba can't access this dir.
> In logs there is a message:
>
> Mar  4 16:23:16 host kernel: rsbac_adf_request(): request GET_STATUS_DATA,
> caller_pid 4854, caller_prog_name smbd, caller_uid 0, target-type DIR, tid
> Device 3:8 Inode 68545 Path /home/user/out, attr none, value 0, result
> NOT_GRANTED by ACL

Congratulations, you hit a bug in RSBAC, which has been there for ages. The
role used for checking is the user default role, but should be the process
role. This has been put there because acl_rights and the decision used the
same functions, but it is no longer needed in 1.2.0.

I attached a patch against v1.2.0-pre4 for files rsbac/adf/acl/acl_main.c and 
acl_syscalls.c.

A bugfix for 1.1.2 would be rather complicated.

Amon.
--
http://www.rsbac.org
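
The role mix-up described in this message, as an added example that is not part of the original mail and is not RSBAC source code. It is a simplified model: every identifier, role number and the ACL table are constructed for illustration, with smbd running as uid 0 under a forced role as in the report.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified model, not RSBAC source: all names and values are hypothetical. */
enum { RIGHT_READ = 1u << 0, RIGHT_WRITE = 1u << 1 };
enum decision { NOT_GRANTED = 0, GRANTED = 1 };

struct acl_entry { int role; unsigned rights; };
struct process   { int uid; int role; };  /* role = current (possibly forced) role */

#define ROLE_ADMIN 1   /* constructed: default role of uid 0 */
#define ROLE_SAMBA 7   /* constructed: role forced onto smbd */

/* Constructed user table: uid -> default role. */
static int user_default_role(int uid) { return uid == 0 ? ROLE_ADMIN : 0; }

/* Constructed ACL on the shared directory: only the samba role gets read/write. */
static const struct acl_entry dir_acl[] = {
    { ROLE_SAMBA, RIGHT_READ | RIGHT_WRITE }
};

/* Grant only if an entry for this role carries every requested right. */
static enum decision acl_check(int role, unsigned wanted) {
    for (size_t i = 0; i < sizeof dir_acl / sizeof dir_acl[0]; i++)
        if (dir_acl[i].role == role && (dir_acl[i].rights & wanted) == wanted)
            return GRANTED;
    return NOT_GRANTED;   /* no matching entry: deny */
}

/* Behaviour reported in the mail: subject role comes from the user's default role. */
enum decision decide_with_user_role(const struct process *p, unsigned wanted) {
    return acl_check(user_default_role(p->uid), wanted);
}

/* Corrected behaviour: subject role comes from the calling process. */
enum decision decide_with_process_role(const struct process *p, unsigned wanted) {
    return acl_check(p->role, wanted);
}

int main(void) {
    struct process smbd = { 0, ROLE_SAMBA };  /* uid 0, forced into ROLE_SAMBA */
    printf("user default role: %s\n",
           decide_with_user_role(&smbd, RIGHT_READ) ? "GRANTED" : "NOT_GRANTED");
    printf("process role:      %s\n",
           decide_with_process_role(&smbd, RIGHT_READ) ? "GRANTED" : "NOT_GRANTED");
    return 0;
}
```
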
