From da73bf9a2c572131abf8ede48d871353c0ea094d Mon Sep 17 00:00:00 2001 From: yuzu367 Date: Thu, 11 Apr 2024 11:31:07 +0300 Subject: [PATCH 1/2] python/samba/tests/blackbox: Add tests for Inherit-only flag propagation BUG: https://bugzilla.samba.org/show_bug.cgi?id=15636 Signed-off-by: Anna Popova Reviewed-by: Noel Power Reviewed-by: Ralph Boehme (cherry picked from commit eba2bfde347041a395f0fbd3c57235be63b1890d) --- .../blackbox/smbcacls_propagate_inhertance.py | 108 ++++++++++++++++++ selftest/knownfail.d/smbcacls | 6 + 2 files changed, 114 insertions(+) create mode 100644 selftest/knownfail.d/smbcacls
diff --git a/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py b/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py
index cc13727b8fb..5b3a27111d5 100644
--- a/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py
+++ b/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py
@@ -1288,3 +1288,111 @@ class InheritanceSmbCaclsTests(SmbCaclsBlockboxTestBase): except BlackboxProcessError as e: self.fail(str(e)) + + def test_simple_iocioi_add(self): + """test smbcacls '--propagate-inheritance --add' which attempts to add the ACL + for the file and additionally use inheritance rules to propagate appropriate + changes to children + + This test adds an ACL with (IO)(CI)(OI)(READ) + + before: + + +-tar_test_dir/ (OI)(CI)(I)(F) + +-oi_dir/ (OI)(CI)(I)(F) + | +-file.1 (I)(F) + | +-nested/ (OI)(CI)(I)(F) + | +-file.2 (I)(F) + | +-nested_again/ (OI)(CI)(I)(F) + | +-file.3 (I)(F) + + after/expected: + + +-tar_test_dir/ (OI)(CI)(I)(F) + +-oi_dir/ (OI)(CI)(I)(F), (IO)(CI)(OI)(READ) + | +-file.1 (I)(F), (I)(READ) + | +-nested/ (OI)(CI)(I)(F), (I)(CI)(OI)(READ) + | +-file.2 (I)(F), (I)(READ) + | +-nested_again/ (OI)(CI)(I)(F), (I)(CI)(OI)(READ) + | +-file.3 (I)(F), (I)(READ)""" + + dir_add_acl_str = "ACL:%s:ALLOWED/OI|CI|IO/READ" % self.user + obj_inherited_ace_str = "ACL:%s:ALLOWED/I/READ" % self.user + dir_inherited_ace_str = "ACL:%s:ALLOWED/OI|CI|I/READ" % self.user + + try: + + self.smb_cacls(["--propagate-inheritance", "--add", + dir_add_acl_str, self.oi_dir]) + + # check top level container 'oi_dir' has IO|CI|OI/READ + dir_ace = self.ace_parse_str(dir_add_acl_str) + self.assertTrue(self.file_ace_check(self.oi_dir, dir_ace)) + + # file 'oi_dir/file-1' should have inherited I/READ + child_file_ace = self.ace_parse_str(obj_inherited_ace_str) + self.assertTrue(self.file_ace_check(self.f1, child_file_ace)) + + # nested dir 'oi_dir/nested/' should have I|CI|OI/READ + child_dir_ace = self.ace_parse_str(dir_inherited_ace_str) + self.assertTrue(self.file_ace_check(self.nested_dir, child_dir_ace)) + + # nested file 'oi_dir/nested/file-2' should have inherited I/READ + self.assertTrue(self.file_ace_check(self.f2, child_file_ace)) + + # nested_again dir 'oi_dir/nested/nested_again' should have I|CI|OI/READ + child_dir_ace = 
self.ace_parse_str(dir_inherited_ace_str) + self.assertTrue(self.file_ace_check(self.nested_again_dir, child_dir_ace)) + # nested_again file 'oi_dir/nested/nested_again/file-3' should have inherited I/READ + self.assertTrue(self.file_ace_check(self.f3, child_file_ace)) + except BlackboxProcessError as e: + self.fail(str(e)) + + def test_simple_ioci_add(self): + """test smbcacls '--propagate-inheritance --add' which attempts to add the ACL + for the file and additionally use inheritance rules to propagate appropriate + changes to children + + This test adds an ACL with (IO)(CI)(READ) + + before: + + +-tar_test_dir/ (OI)(CI)(I)(F) + +-oi_dir/ (OI)(CI)(I)(F) + | +-file.1 (I)(F) + | +-nested/ (OI)(CI)(I)(F) + | +-file.2 (I)(F) + | +-nested_again/ (OI)(CI)(I)(F) + | +-file.3 (I)(F) + + after/expected: + + +-tar_test_dir/ (OI)(CI)(I)(F) + +-oi_dir/ (OI)(CI)(I)(F), (IO)(CI)(READ) + | +-file.1 (I)(F) + | +-nested/ (OI)(CI)(I)(F), (I)(CI)(READ) + | +-file.2 (I)(F) + | +-nested_again/ (OI)(CI)(I)(F), (I)(CI)(READ) + | +-file.3 (I)(F)""" + + dir_add_acl_str = "ACL:%s:ALLOWED/CI|IO/READ" % self.user + dir_inherited_ace_str = "ACL:%s:ALLOWED/CI|I/READ" % self.user + + try: + + self.smb_cacls(["--propagate-inheritance", "--add", + dir_add_acl_str, self.oi_dir]) + + # check top level container 'oi_dir' has IO|CI/READ + dir_ace = self.ace_parse_str(dir_add_acl_str) + self.assertTrue(self.file_ace_check(self.oi_dir, dir_ace)) + + # nested dir 'oi_dir/nested/' should have I|CI/READ + child_dir_ace = self.ace_parse_str(dir_inherited_ace_str) + self.assertTrue(self.file_ace_check(self.nested_dir, child_dir_ace)) + + # nested_again dir 'oi_dir/nested/nested_again' should have I|CI/READ + child_dir_ace = self.ace_parse_str(dir_inherited_ace_str) + self.assertTrue(self.file_ace_check(self.nested_again_dir, child_dir_ace)) + except BlackboxProcessError as e: + self.fail(str(e)) 
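Review bot: test_simple_ioci_add asserts only the ACEs that should appear and never asserts that the files stay untouched, although its docstring lists file.1, file.2 and file.3 as unchanged `(I)(F)`; a CI-only ACE leaking onto a file is precisely the permission widening this test exists to catch, and the positive checks on the two directories would not notice it. After the nested_again check I would add `self.assertFalse(self.file_ace_check(self.f1, self.ace_parse_str("ACL:%s:ALLOWED/I/READ" % self.user)))` and the same for `self.f2` and `self.f3`, assuming file_ace_check returns False when the ACE is absent (its definition is outside the hunk). In test_simple_iocioi_add the second `child_dir_ace = self.ace_parse_str(dir_inherited_ace_str)` before the nested_again check re-parses the string already parsed for the nested check; the earlier value can be reused, as test_simple_ioci_add could also do. The enclosing class InheritanceSmbCaclsTests starts before the hunk; both new methods are complete within it.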
diff --git a/selftest/knownfail.d/smbcacls b/selftest/knownfail.d/smbcacls
new file mode 100644
index 00000000000..5e201dfc9b7
--- /dev/null
+++ b/selftest/knownfail.d/smbcacls
@@ -0,0 +1,6 @@
+^samba.tests.blackbox.smbcacls_propagate_inhertance.samba.tests.blackbox.smbcacls_propagate_inhertance.InheritanceSmbCaclsTests.test_simple_iocioi_add
+^samba.tests.blackbox.smbcacls_propagate_inhertance.samba.tests.blackbox.smbcacls_propagate_inhertance.InheritanceSmbCaclsTests.test_simple_ioci_add
+^samba.tests.blackbox.smbcacls_dfs_propagate_inherit\(DFS-msdfs-root\).samba.tests.blackbox.smbcacls_propagate_inhertance.InheritanceSmbCaclsTests.test_simple_iocioi_add
+^samba.tests.blackbox.smbcacls_dfs_propagate_inherit\(DFS-msdfs-root\).samba.tests.blackbox.smbcacls_propagate_inhertance.InheritanceSmbCaclsTests.test_simple_ioci_add
+^samba.tests.blackbox.smbcacls_dfs_propagate_inherit\(DFS-msdfs-root\).samba.tests.blackbox.smbcacls_dfs_propagate_inherit.DfsInheritanceSmbCaclsTests.test_simple_iocioi_add
+^samba.tests.blackbox.smbcacls_dfs_propagate_inherit\(DFS-msdfs-root\).samba.tests.blackbox.smbcacls_dfs_propagate_inherit.DfsInheritanceSmbCaclsTests.test_simple_ioci_add
\ No newline at end of file
-- 2.35.3 From 1877f905f071eeae3339d7f290e8bfbce7711d51 Mon Sep 17 00:00:00 2001 From: Anna Popova Date: Fri, 12 Apr 2024 17:32:37 +0300 Subject: [PATCH 2/2] s3:utils: Fix Inherit-Only flag being automatically propagated to children MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Inherit-only flag applies only to the container it was set to and it shouldn't be automatically propagated to children. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15636
Signed-off-by: Anna Popova Reviewed-by: Noel Power Reviewed-by: Ralph Boehme Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Mon Apr 29 10:56:48 UTC 2024 on atb-devel-224 (cherry picked from commit 80159018e411c643fbfe7ef82bd33e30b6147901) --- selftest/knownfail.d/smbcacls | 6 ------ source3/utils/smbcacls.c | 4 ++++ 2 files changed, 4 insertions(+), 6 deletions(-) delete mode 100644 selftest/knownfail.d/smbcacls
diff --git a/selftest/knownfail.d/smbcacls b/selftest/knownfail.d/smbcacls
deleted file mode 100644
index 5e201dfc9b7..00000000000
--- a/selftest/knownfail.d/smbcacls
+++ /dev/null
@@ -1,6 +0,0 @@
-^samba.tests.blackbox.smbcacls_propagate_inhertance.samba.tests.blackbox.smbcacls_propagate_inhertance.InheritanceSmbCaclsTests.test_simple_iocioi_add
-^samba.tests.blackbox.smbcacls_propagate_inhertance.samba.tests.blackbox.smbcacls_propagate_inhertance.InheritanceSmbCaclsTests.test_simple_ioci_add
-^samba.tests.blackbox.smbcacls_dfs_propagate_inherit\(DFS-msdfs-root\).samba.tests.blackbox.smbcacls_propagate_inhertance.InheritanceSmbCaclsTests.test_simple_iocioi_add
-^samba.tests.blackbox.smbcacls_dfs_propagate_inherit\(DFS-msdfs-root\).samba.tests.blackbox.smbcacls_propagate_inhertance.InheritanceSmbCaclsTests.test_simple_ioci_add
-^samba.tests.blackbox.smbcacls_dfs_propagate_inherit\(DFS-msdfs-root\).samba.tests.blackbox.smbcacls_dfs_propagate_inherit.DfsInheritanceSmbCaclsTests.test_simple_iocioi_add
-^samba.tests.blackbox.smbcacls_dfs_propagate_inherit\(DFS-msdfs-root\).samba.tests.blackbox.smbcacls_dfs_propagate_inherit.DfsInheritanceSmbCaclsTests.test_simple_ioci_add
\ No newline at end of file
diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c
index ff11ba4d7d7..e0591ac076b
--- a/source3/utils/smbcacls.c
+++ b/source3/utils/smbcacls.c
@@ -914,6 +914,10 @@ static uint8_t get_flags_to_propagate(bool is_container,
 /* Assume we are not propagating the ACE */
 newflags &= ~SEC_ACE_FLAG_INHERITED_ACE;
+
+ /* Inherit-only flag is not propagated to children */
+
+ newflags &= ~SEC_ACE_FLAG_INHERIT_ONLY;
 /* all children need to have the SEC_ACE_FLAG_INHERITED_ACE set */
 if (acl_cntrinherit || acl_objinherit) {
 /*
-- 2.35.3
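Review bot: The new `newflags &= ~SEC_ACE_FLAG_INHERIT_ONLY;` clears the flag for every child unconditionally, which is only correct if the container handling further down in get_flags_to_propagate re-applies inherit-only for a sub-container that receives an OI-without-CI ACE; otherwise a grant meant for files only would become effective on the sub-directory itself, and nothing in the hunk shows that case. I cannot see that code from here, so please confirm it and make the comment state the contract rather than the bare rule, e.g. `/* IO describes the parent's own ACE, not the inherited copy: clear it here; the container rules below re-set it where the child copy must itself be inherit-only. */`. The two blank lines isolating the comment from the assignment it documents make it easy to misattribute; place it directly above the statement, matching the `/* Assume ... */` line above. get_flags_to_propagate starts before and ends after the hunk.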