From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Steve French, Ronnie Sahlberg, Pavel Shilovsky
Subject: [PATCH 5.5 099/367] smb3: fix default permissions on new files when mounting with modefromsid
Date: Mon, 10 Feb 2020 04:30:12 -0800
Message-Id: <20200210122433.511214096@linuxfoundation.org>
In-Reply-To: <20200210122423.695146547@linuxfoundation.org>
References: <20200210122423.695146547@linuxfoundation.org>

From: Steve French

commit 643fbceef48e5b22bf8e0905f903e908b5d2ba69 upstream.

When mounting with "modefromsid" mount parm most servers will require
that some default permissions are given to users in the ACL on newly
created files, files created with the new 'sd context' - when passing in
an sd context on create, permissions are not inherited from the parent
directory, so in addition to the ACE with the special SID which contains
the mode, we also must pass in an ACE allowing users to access the file
(GENERIC_ALL for authenticated users seemed like a reasonable default,
although later we could allow a mount option or config switch to make
it GENERIC_ALL for EVERYONE special sid).

CC: Stable
Signed-off-by: Steve French
Reviewed-By: Ronnie Sahlberg
Reviewed-by: Pavel Shilovsky
Signed-off-by: Greg Kroah-Hartman
---
 fs/cifs/cifsacl.c   | 20 ++++++++++++++++++++
 fs/cifs/cifsproto.h |  1 +
 fs/cifs/smb2pdu.c   | 11 ++++++++---
 3 files changed, 29 insertions(+), 3 deletions(-)

--- a/fs/cifs/cifsacl.c +++ b/fs/cifs/cifsacl.c 
@@ -802,6 +802,26 @@ static void parse_dacl(struct cifs_acl * return; } +unsigned int setup_authusers_ACE(struct cifs_ace *pntace) +{ + int i; + unsigned int ace_size = 20; + + pntace->type = ACCESS_ALLOWED_ACE_TYPE; + pntace->flags = 0x0; + pntace->access_req = cpu_to_le32(GENERIC_ALL); + pntace->sid.num_subauth = 1; + pntace->sid.revision = 1; + for (i = 0; i < NUM_AUTHS; i++) + pntace->sid.authority[i] = sid_authusers.authority[i]; + + pntace->sid.sub_auth[0] = sid_authusers.sub_auth[0]; + + /* size = 1 + 1 + 2 + 4 + 1 + 1 + 6 + (psid->num_subauth*4) */ + pntace->size = cpu_to_le16(ace_size); + return ace_size; +} + /* * Fill in the special SID based on the mode. See * http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx --- a/fs/cifs/cifsproto.h +++ b/fs/cifs/cifsproto.h @@ -213,6 +213,7 @@ extern struct cifs_ntsd *get_cifs_acl_by const struct cifs_fid *, u32 *); extern int set_cifs_acl(struct cifs_ntsd *, __u32, struct inode *, const char *, int); +extern unsigned int setup_authusers_ACE(struct cifs_ace *pace); extern unsigned int setup_special_mode_ACE(struct cifs_ace *pace, __u64 nmode); extern void dequeue_mid(struct mid_q_entry *mid, bool malformed); --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -2199,13 +2199,14 @@ create_sd_buf(umode_t mode, unsigned int struct cifs_ace *pace; unsigned int sdlen, acelen; - *len = roundup(sizeof(struct crt_sd_ctxt) + sizeof(struct cifs_ace), 8); + *len = roundup(sizeof(struct crt_sd_ctxt) + sizeof(struct cifs_ace) * 2, + 8); buf = kzalloc(*len, GFP_KERNEL); if (buf == NULL) return buf; sdlen = sizeof(struct smb3_sd) + sizeof(struct smb3_acl) + - sizeof(struct cifs_ace); + 2 * sizeof(struct cifs_ace); buf->ccontext.DataOffset = cpu_to_le16(offsetof (struct crt_sd_ctxt, sd)); 
@@ -2232,8 +2233,12 @@ create_sd_buf(umode_t mode, unsigned int /* create one ACE to hold the mode embedded in reserved special SID */ pace = (struct cifs_ace *)(sizeof(struct crt_sd_ctxt) + (char *)buf); acelen = setup_special_mode_ACE(pace, (__u64)mode); + /* and one more ACE to allow access for authenticated users */ + pace = (struct cifs_ace *)(acelen + (sizeof(struct crt_sd_ctxt) + + (char *)buf)); + acelen += setup_authusers_ACE(pace); buf->acl.AclSize = cpu_to_le16(sizeof(struct cifs_acl) + acelen); - buf->acl.AceCount = cpu_to_le16(1); + buf->acl.AceCount = cpu_to_le16(2); return buf; }
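
Review bot: In setup_authusers_ACE() (fs/cifs/cifsacl.c hunk), access_req is fixed at GENERIC_ALL for sid_authusers regardless of the mode the caller passes to create_sd_buf(), so a file created with a restrictive mode still carries an ACE that allows every authenticated user full access. The commit message calls this a default that could later become configurable; a comment above the function stating that trade-off, or an access-mask parameter, would keep it from being read as an accident. Separately, the size comment refers to psid->num_subauth, which does not exist in this function, and ace_size = 20 is hard-coded; computing it from the formula in the comment with pntace->sid.num_subauth would keep the two in step.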
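
Review bot: In the first create_sd_buf() hunk (fs/cifs/smb2pdu.c, @@ -2199), the number of ACEs is now a bare literal written two ways, sizeof(struct cifs_ace) * 2 for *len and 2 * sizeof(struct cifs_ace) for sdlen, and it has to match the AceCount value set further down. A single named constant used in all three places would stop them drifting apart when another ACE is added. It is also worth a one-line comment that these sizes are upper bounds, since AclSize is later computed from the lengths the setup helpers return rather than from sizeof(struct cifs_ace).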
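
Review bot: In the second create_sd_buf() hunk (fs/cifs/smb2pdu.c, @@ -2232), the address of the second ACE is recomputed from buf as acelen + (sizeof(struct crt_sd_ctxt) + (char *)buf), which is hard to read and repeats the base offset; advancing the existing pointer, pace = (struct cifs_ace *)((char *)pace + acelen), says the same thing more directly. Nothing here checks that the two returned lengths stay within the 2 * sizeof(struct cifs_ace) reserved when the buffer was allocated, so the write relies on each helper never returning more than sizeof(struct cifs_ace); a WARN_ON or a comment stating that invariant would make the assumption explicit.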