From 1649d8eeb3cac44638234b44921b6feee2536951 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 29 Jul 2024 06:27:51 -0700 Subject: [PATCH 1/9] loadparm: Factor out lp_wi_scan_parametrics We'll scan share parametrics soon as well. Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688 Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher (cherry picked from commit 0536ac96e927c00121e220f45cd63682726bc8e3) --- source3/param/loadparm.c | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 663edb2c653a..246e0378d652 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -1204,11 +1204,13 @@ static void discard_whitespace(char *str) * See "man regexec" for possible errors */ -int lp_wi_scan_global_parametrics( - const char *regex_str, size_t max_matches, - bool (*cb)(const char *string, regmatch_t matches[], - void *private_data), - void *private_data) +static int lp_wi_scan_parametrics(struct parmlist_entry *parmlist, + const char *regex_str, + size_t max_matches, + bool (*cb)(const char *string, + regmatch_t matches[], + void *private_data), + void *private_data) { struct parmlist_entry *data; regex_t regex; @@ -1219,7 +1221,7 @@ int lp_wi_scan_global_parametrics( return ret; } - for (data = Globals.param_opt; data != NULL; data = data->next) { + for (data = parmlist; data != NULL; data = data->next) { size_t keylen = strlen(data->key); char key[keylen+1]; regmatch_t matches[max_matches]; @@ -1248,6 +1250,17 @@ fail: return ret; } +int lp_wi_scan_global_parametrics(const char *regex_str, + size_t max_matches, + bool (*cb)(const char *string, + regmatch_t matches[], + void *private_data), + void *private_data) +{ + int ret = lp_wi_scan_parametrics( + Globals.param_opt, regex_str, max_matches, cb, private_data); + return ret; +} #define MISSING_PARAMETER(name) \ DEBUG(0, ("%s(): value is NULL or empty!\n", #name)) -- 2.34.1 
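Review bot: The public wrapper `lp_wi_scan_global_parametrics()` added in the third hunk has no comment of its own. The block comment that ends in `See "man regexec" for possible errors` now sits above the static helper `lp_wi_scan_parametrics()`, so a reader of the exported function no longer sees the return-value contract. I would add above the wrapper: `/* Scan the [global] parametric options; regex, callback and return value as for lp_wi_scan_parametrics(). */`. The wrapper could also return the call result directly instead of going through `ret`.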
From 1a01f42563a0cc75e1424523dd40260e70b7632e Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 29 Jul 2024 07:17:21 -0700 Subject: [PATCH 2/9] loadparm: Add lp_wi_scan_share_parametrics Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688 Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher (cherry picked from commit 89da15756d81746d80b43c2fe04c51fc07591849) --- source3/param/loadparm.c | 25 +++++++++++++++++++++++++ source3/param/loadparm.h | 7 +++++++ 2 files changed, 32 insertions(+) diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 246e0378d652..f9bc1c427961 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -1262,6 +1262,31 @@ int lp_wi_scan_global_parametrics(const char *regex_str, return ret; } +int lp_wi_scan_share_parametrics(int snum, + const char *regex_str, + size_t max_matches, + bool (*cb)(const char *string, + regmatch_t matches[], + void *private_data), + void *private_data) +{ + struct loadparm_service *s = NULL; + int ret; + + if (!LP_SNUM_OK(snum)) { + /* + * We return regex return values here, REG_NOMATCH is + * the closest I could find. + */ + return REG_NOMATCH; + } + s = ServicePtrs[snum]; + + ret = lp_wi_scan_parametrics( + s->param_opt, regex_str, max_matches, cb, private_data); + return ret; +} + #define MISSING_PARAMETER(name) \ DEBUG(0, ("%s(): value is NULL or empty!\n", #name)) diff --git a/source3/param/loadparm.h b/source3/param/loadparm.h index 622e2290d3cf..e8f06ddbc2ca 100644 --- a/source3/param/loadparm.h +++ b/source3/param/loadparm.h 
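Review bot: An invalid `snum` is reported as `REG_NOMATCH`, and that is explained only inside the body of `lp_wi_scan_share_parametrics()`. Neither the definition nor the prototype added to loadparm.h says so, and a caller that tests `ret != 0` cannot tell a bad service number from a regex error code. I would put the contract above the function: `/* Like lp_wi_scan_global_parametrics(), but walks the parametric options of share snum; returns REG_NOMATCH if snum is not a valid service. */`.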
@@ -75,6 +75,13 @@ int lp_wi_scan_global_parametrics( bool (*cb)(const char *string, regmatch_t matches[], void *private_data), void *private_data); +int lp_wi_scan_share_parametrics(int snum, + const char *regex_str, + size_t max_matches, + bool (*cb)(const char *string, + regmatch_t matches[], + void *private_data), + void *private_data); const char *lp_parm_const_string(int snum, const char *type, const char *option, const char *def); struct loadparm_service; -- 2.34.1 From 7854f37a7eeaaf6a11f81fa0f784b04439257df6 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 30 Jul 2024 13:07:22 +0200 Subject: [PATCH 3/9] lib: Factor out append_namearray from set_namearray We'll have to add to an existing namearray soon. This turns one talloc_array() into a set of reallocs. This is slower, but set_namearray is only used for smb.conf entries where we don't expect hundreds or more entries to add. I've done this to avoid array length calculations, but if it turns out to be too slow we can get smarter again. Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688 Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher (cherry picked from commit fcd595a4642a08169b427af534a00116daf220bf) --- source3/include/proto.h | 4 ++ source3/lib/util_namearray.c | 84 ++++++++++++++++++++++++------------ 2 files changed, 60 insertions(+), 28 deletions(-) diff --git a/source3/include/proto.h b/source3/include/proto.h index 966d038cc404..d7e074b7899c 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -326,6 +326,10 @@ bool token_contains_name(TALLOC_CTX *mem_ctx, const struct security_token *token, const char *name, bool *match); +bool append_to_namearray(TALLOC_CTX *mem_ctx, + const char *namelist_in, + const struct security_token *token, + struct name_compare_entry **_name_array); bool set_namearray(TALLOC_CTX *mem_ctx, const char *namelist, const struct security_token *token, 
diff --git a/source3/lib/util_namearray.c b/source3/lib/util_namearray.c index ca3344e09f14..707ab235b85e 100644 --- a/source3/lib/util_namearray.c +++ b/source3/lib/util_namearray.c @@ -179,6 +179,17 @@ bool token_contains_name(TALLOC_CTX *mem_ctx, return true; } +static size_t namearray_len(const struct name_compare_entry *array) +{ + size_t i = 0; + + while (array[i].name != NULL) { + i += 1; + } + + return i; +} + /******************************************************************* Strip a '/' separated list into an array of name_compare_enties structures suitable for 
@@ -190,46 +201,38 @@ bool token_contains_name(TALLOC_CTX *mem_ctx, if possible. ********************************************************************/ -bool set_namearray(TALLOC_CTX *mem_ctx, - const char *namelist_in, - const struct security_token *token, - struct name_compare_entry **_name_array) +bool append_to_namearray(TALLOC_CTX *mem_ctx, + const char *namelist_in, + const struct security_token *token, + struct name_compare_entry **_name_array) { - struct name_compare_entry *name_array = NULL; - struct name_compare_entry *e = NULL; + struct name_compare_entry *name_array = *_name_array; + size_t len; char *namelist = NULL; const char *p = NULL; - size_t num_entries; bool ok; - *_name_array = NULL; - if ((namelist_in == NULL) || (namelist_in[0] == '\0')) { return true; } - namelist = path_to_strv(mem_ctx, namelist_in); - if (namelist == NULL) { - DBG_ERR("path_to_strv failed\n"); - return false; + if (name_array == NULL) { + name_array = talloc_zero(mem_ctx, struct name_compare_entry); + if (name_array == NULL) { + return false; + } } + len = namearray_len(name_array); - num_entries = strv_count(namelist); - - name_array = talloc_zero_array(mem_ctx, - struct name_compare_entry, - num_entries + 1); - if (name_array == NULL) { - DBG_ERR("talloc failed\n"); - TALLOC_FREE(namelist); + namelist = path_to_strv(name_array, namelist_in); + if (namelist == NULL) { + DBG_ERR("path_to_strv failed\n"); return false; } - namelist = talloc_reparent(mem_ctx, name_array, namelist); - - e = &name_array[0]; - while ((p = strv_next(namelist, p)) != NULL) { + struct name_compare_entry *tmp = NULL; + if (*p == '\0') { /* cope with multiple (useless) /s) */ continue; 
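Review bot: `append_to_namearray()` now reads `*_name_array` on entry and walks it with `namearray_len()` until a NULL `name`, so every caller must pass either NULL or a terminated talloc array. The block comment above the function still describes the old set-only behaviour and does not state this precondition. I would add a line such as `/* *_name_array must be NULL or an array terminated by an entry with name == NULL; new entries are appended to it. */`. Separately, when `path_to_strv()` fails after the `talloc_zero()` branch, the fresh terminator entry is neither freed nor stored; it stays on `mem_ctx` until that context is freed. The function body continues past the end of this hunk.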
@@ -273,11 +276,36 @@ bool set_namearray(TALLOC_CTX *mem_ctx, } } - e->name = p; - e->is_wild = ms_has_wild(e->name); - e++; + tmp = talloc_realloc(mem_ctx, + name_array, + struct name_compare_entry, + len + 2); + if (tmp == NULL) { + return false; + } + name_array = tmp; + + name_array[len] = (struct name_compare_entry){ + .name = p, + .is_wild = ms_has_wild(p), + }; + name_array[len + 1] = (struct name_compare_entry){}; + len += 1; } *_name_array = name_array; return true; } + +bool set_namearray(TALLOC_CTX *mem_ctx, + const char *namelist_in, + const struct security_token *token, + struct name_compare_entry **_name_array) +{ + bool ret; + + *_name_array = NULL; + + ret = append_to_namearray(mem_ctx, namelist_in, token, _name_array); + return ret; +} -- 2.34.1 From f7e0630d1a3f6d3d5a25ce4e5c49d5b9e134947f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 29 Jul 2024 17:49:49 +0200 Subject: [PATCH 4/9] smbd: Respect per-user hide and veto files with parametric options For my taste this is a nicer configuration syntax than /../username1/file1/../username2/file2/ Is this too expensive? I don't think so. The scanning only happens an tcon time, and it only walks the parametric options. If this turns out to be a performance problem, we should think about smarter data structures for parametric options instead of just a linked list of string triples for everything. Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688 Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher (cherry picked from commit 17becb5f526015de56d00cd1c8f603f8ddacd0ba) --- source3/smbd/uid.c | 131 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 131 insertions(+) diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c index fa5f9bcc2f66..e0e448e3bea9 100644 --- a/source3/smbd/uid.c +++ b/source3/smbd/uid.c 
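Review bot: On a `talloc_realloc()` failure the loop returns false without updating `*_name_array`, which is written only after the loop. If an earlier iteration already grew the array and the block was moved, the caller's pointer still refers to the old location. This matters on the append path, where `*_name_array` is a live list such as the veto or hide list. Storing the pointer as soon as it changes keeps the caller's view valid and terminated: add `*_name_array = name_array;` directly after `name_array = tmp;`. At that point the old terminator at index `len` is still in place. The start of `append_to_namearray()` is outside this hunk.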
@@ -179,6 +179,82 @@ NTSTATUS check_user_share_access(connection_struct *conn, return NT_STATUS_OK; } +struct scan_file_list_state { + TALLOC_CTX *mem_ctx; + const struct loadparm_substitution *lp_sub; + int snum; + const char *param_type; + struct security_token *token; + struct name_compare_entry **list; + bool ok; +}; + +static bool scan_file_list_cb(const char *string, + regmatch_t matches[], + void *private_data) +{ + struct scan_file_list_state *state = private_data; + + if (matches[1].rm_so == -1) { + DBG_WARNING("Found match, but no name??\n"); + goto fail; + } + if (matches[1].rm_eo <= matches[1].rm_so) { + DBG_WARNING("Invalid match\n"); + goto fail; + } + + { + regoff_t len = matches[1].rm_eo - matches[1].rm_so; + char name[len + 1]; + bool ok, match; + char *files = NULL; + + memcpy(name, string + matches[1].rm_so, len); + name[len] = '\0'; + + DBG_DEBUG("Found name \"%s : %s\"\n", state->param_type, name); + + ok = token_contains_name(talloc_tos(), + NULL, + NULL, + NULL, + state->token, + name, + &match); + if (!ok) { + goto fail; + } + if (!match) { + return false; /* don't stop traverse */ + } + + files = lp_parm_substituted_string(state->mem_ctx, + state->lp_sub, + state->snum, + state->param_type, + name, + NULL); + if (files == NULL) { + goto fail; + } + + ok = append_to_namearray(state->mem_ctx, + files, + NULL, + state->list); + if (!ok) { + goto fail; + } + + return false; /* don't stop traverse */ + } + +fail: + state->ok = false; + return true; /* stop traverse */ +} + /******************************************************************* Check if a username is OK. 
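Review bot: `lp_parm_substituted_string()` is called with `state->snum` whether `scan_file_list_cb()` was reached from the global scan or the share scan, so the section whose value is read for NAME is decided by that lookup and not by the list being walked. If the lookup prefers the share value (not visible in this hunk), a NAME set in both [global] and the share would append the share list twice and never apply the global one, leaving files visible that the global entry was meant to veto or hide for that user. The selftest configuration in this series uses different names in the two sections, so this case is not exercised. I would add a test with the same NAME in both sections and a comment above the call: `/* looked up via state->snum for both scans; confirm which section wins when NAME is set in both */`.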
@@ -284,6 +360,15 @@ static bool check_user_ok(connection_struct *conn, /* Add veto/hide lists */ if (!IS_IPC(conn) && !IS_PRINT(conn)) { + struct scan_file_list_state state = { + .mem_ctx = conn, + .lp_sub = lp_sub, + .snum = snum, + .token = session_info->security_token, + .ok = true, + }; + int ret; + ok = set_namearray(conn, lp_veto_files(talloc_tos(), lp_sub, snum), session_info->security_token, @@ -291,6 +376,33 @@ static bool check_user_ok(connection_struct *conn, if (!ok) { return false; } + + /* + * A bit of boilerplate code duplication for userlevel + * hide and veto files in the share and global + * sections, but not enough to justify putting this + * into functions for now :-) + */ + + state.param_type = "veto files"; + state.list = &ent->veto_list; + + ret = lp_wi_scan_global_parametrics("vetofiles:\\(.*\\)", + 2, + scan_file_list_cb, + &state); + if ((ret != 0) || !state.ok) { + return false; + } + ret = lp_wi_scan_share_parametrics(snum, + "vetofiles:\\(.*\\)", + 2, + scan_file_list_cb, + &state); + if ((ret != 0) || !state.ok) { + return false; + } + ok = set_namearray(conn, lp_hide_files(talloc_tos(), lp_sub, snum), session_info->security_token, @@ -298,6 +410,25 @@ static bool check_user_ok(connection_struct *conn, if (!ok) { return false; } + + state.param_type = "hide files"; + state.list = &ent->hide_list; + + ret = lp_wi_scan_global_parametrics("hidefiles:\\(.*\\)", + 2, + scan_file_list_cb, + &state); + if ((ret != 0) || !state.ok) { + return false; + } + ret = lp_wi_scan_share_parametrics(snum, + "hidefiles:\\(.*\\)", + 2, + scan_file_list_cb, + &state); + if ((ret != 0) || !state.ok) { + return false; + } } free_conn_state_if_unused(conn); -- 2.34.1 From e0f0cf0807648d99d9f249f4bc176f49c57d1f94 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 30 Jul 2024 14:11:53 +0200 Subject: [PATCH 5/9] tests: Test parametric per-user syntax for hide/veto files Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688 
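Review bot: The patterns `"vetofiles:\\(.*\\)"` here and `"hidefiles:\\(.*\\)"` in the following hunk are not anchored, so regexec can match any parametric key that merely contains that text, not only keys that begin with it. For such a key `scan_file_list_cb()` would look up `veto files : NAME`, presumably get NULL back for the unset option, and take its `fail` path, which makes this function return false for the connection. Anchoring all four calls avoids that: `"^vetofiles:\\(.*\\)"` and `"^hidefiles:\\(.*\\)"`. `check_user_ok()` starts and ends outside these hunks.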
Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher (cherry picked from commit b5a128685e68f05a3688aa1391393b9095bf32b0) --- selftest/target/Samba3.pm | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 8d7f690ecf62..aea64bf5d5df 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -1968,6 +1968,8 @@ sub setup_fileserver get quota command = $prefix_abs/getset_quota.py set quota command = $prefix_abs/getset_quota.py + veto files : user1 = /user1file/ + veto files : +group1 = /group1file/ [tarmode] path = $tarmode_sharedir comment = tar test share @@ -2079,7 +2081,9 @@ sub setup_fileserver [veto_files] path = $veto_sharedir - veto files = /veto_name*/../user1/user1file/../user2/user2file/../+group1/group1file/../+group2/group2file + veto files = /veto_name*/ + veto files : user2 = /user2file/ + veto files : +group2 = /group2file/ [delete_yes_unwrite] read only = no -- 2.34.1 From 8b26a8131513d8a56d43d896b4b6277c85e98b03 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 30 Jul 2024 13:30:21 +0200 Subject: [PATCH 6/9] lib: Remove per-user support from append_to_namearray This is done in check_user_ok now Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688 Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher (cherry picked from commit b5169dd717ed5cf66d1e1e90aaf1a4646f7b5ea5) --- source3/lib/util_namearray.c | 39 ------------------------------------ 1 file changed, 39 deletions(-) diff --git a/source3/lib/util_namearray.c b/source3/lib/util_namearray.c index 707ab235b85e..4bd82b6c6261 100644 --- a/source3/lib/util_namearray.c +++ b/source3/lib/util_namearray.c @@ -210,7 +210,6 @@ bool append_to_namearray(TALLOC_CTX *mem_ctx, size_t len; char *namelist = NULL; const char *p = NULL; - bool ok; if ((namelist_in == NULL) || (namelist_in[0] == '\0')) { return true; 
@@ -238,44 +237,6 @@ bool append_to_namearray(TALLOC_CTX *mem_ctx, continue; } - if (ISDOTDOT(p) && token != NULL) { - const char *username = NULL; - bool match; - - /* Get the username */ - p = strv_next(namelist, p); - if (p == NULL) { - DBG_ERR("Missing username\n"); - TALLOC_FREE(namelist); - return false; - } - username = p; - - /* Get the filename */ - p = strv_next(namelist, p); - if (p == NULL) { - DBG_ERR("Missing filename after username '%s'\n", - username); - TALLOC_FREE(namelist); - return false; - } - - ok = token_contains_name(talloc_tos(), - NULL, - NULL, - NULL, - token, - username, - &match); - if (!ok) { - TALLOC_FREE(namelist); - return false; - } - if (!match) { - continue; - } - } - tmp = talloc_realloc(mem_ctx, name_array, struct name_compare_entry, -- 2.34.1 From b4ea4eb5677bdbea562cae4f1f3726d7be1fad9b Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 30 Jul 2024 13:55:57 +0200 Subject: [PATCH 7/9] lib: Remove "token" parameter from set_namearray Not needed anymore Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688 Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher (cherry picked from commit a150714cc64294d75028bac47132084bdf6f72c9) --- source3/include/proto.h | 2 -- source3/lib/util_namearray.c | 4 +--- source3/modules/vfs_virusfilter.c | 2 -- source3/smbd/smb2_service.c | 2 -- source3/smbd/uid.c | 3 --- source3/torture/test_matching.c | 2 +- 6 files changed, 2 insertions(+), 13 deletions(-) diff --git a/source3/include/proto.h b/source3/include/proto.h index d7e074b7899c..f398106e5a2f 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h 
@@ -328,11 +328,9 @@ bool token_contains_name(TALLOC_CTX *mem_ctx, bool *match); bool append_to_namearray(TALLOC_CTX *mem_ctx, const char *namelist_in, - const struct security_token *token, struct name_compare_entry **_name_array); bool set_namearray(TALLOC_CTX *mem_ctx, const char *namelist, - const struct security_token *token, struct name_compare_entry **_name_array); bool fcntl_lock(int fd, int op, off_t offset, off_t count, int type); bool fcntl_getlock(int fd, int op, off_t *poffset, off_t *pcount, int *ptype, pid_t *ppid); diff --git a/source3/lib/util_namearray.c b/source3/lib/util_namearray.c index 4bd82b6c6261..1c5b4ac6a0eb 100644 --- a/source3/lib/util_namearray.c +++ b/source3/lib/util_namearray.c @@ -203,7 +203,6 @@ static size_t namearray_len(const struct name_compare_entry *array) bool append_to_namearray(TALLOC_CTX *mem_ctx, const char *namelist_in, - const struct security_token *token, struct name_compare_entry **_name_array) { struct name_compare_entry *name_array = *_name_array; @@ -260,13 +259,12 @@ bool append_to_namearray(TALLOC_CTX *mem_ctx, bool set_namearray(TALLOC_CTX *mem_ctx, const char *namelist_in, - const struct security_token *token, struct name_compare_entry **_name_array) { bool ret; *_name_array = NULL; - ret = append_to_namearray(mem_ctx, namelist_in, token, _name_array); + ret = append_to_namearray(mem_ctx, namelist_in, _name_array); return ret; } diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c index 6d4a6fdb98c1..b566b628ed2f 100644 --- a/source3/modules/vfs_virusfilter.c +++ b/source3/modules/vfs_virusfilter.c @@ -258,7 +258,6 @@ static int virusfilter_vfs_connect( if (exclude_files != NULL) { ok = set_namearray(config, exclude_files, - NULL, &config->exclude_files); if (!ok) { DBG_ERR("set_namearray failed\n"); 
@@ -271,7 +270,6 @@ static int virusfilter_vfs_connect( if (infected_files != NULL) { ok = set_namearray(config, infected_files, - NULL, &config->infected_files); if (!ok) { DBG_ERR("set_namearray failed\n"); diff --git a/source3/smbd/smb2_service.c b/source3/smbd/smb2_service.c index 06c20c167498..b6e8ca54e859 100644 --- a/source3/smbd/smb2_service.c +++ b/source3/smbd/smb2_service.c @@ -755,7 +755,6 @@ NTSTATUS make_connection_snum(struct smbXsrv_connection *xconn, if (!IS_IPC(conn) && !IS_PRINT(conn)) { ok = set_namearray(conn, lp_veto_oplock_files(talloc_tos(), lp_sub, snum), - NULL, &conn->veto_oplock_list); if (!ok) { status = NT_STATUS_NO_MEMORY; @@ -763,7 +762,6 @@ NTSTATUS make_connection_snum(struct smbXsrv_connection *xconn, } ok = set_namearray(conn, lp_aio_write_behind(talloc_tos(), lp_sub, snum), - NULL, &conn->aio_write_behind_list); if (!ok) { status = NT_STATUS_NO_MEMORY; diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c index e0e448e3bea9..2f390651a0ef 100644 --- a/source3/smbd/uid.c +++ b/source3/smbd/uid.c @@ -241,7 +241,6 @@ static bool scan_file_list_cb(const char *string, ok = append_to_namearray(state->mem_ctx, files, - NULL, state->list); if (!ok) { goto fail; @@ -371,7 +370,6 @@ static bool check_user_ok(connection_struct *conn, ok = set_namearray(conn, lp_veto_files(talloc_tos(), lp_sub, snum), - session_info->security_token, &ent->veto_list); if (!ok) { return false; @@ -405,7 +403,6 @@ static bool check_user_ok(connection_struct *conn, ok = set_namearray(conn, lp_hide_files(talloc_tos(), lp_sub, snum), - session_info->security_token, &ent->hide_list); if (!ok) { return false; diff --git a/source3/torture/test_matching.c b/source3/torture/test_matching.c index 8ee06e858770..78ecadef2980 100644 --- a/source3/torture/test_matching.c +++ b/source3/torture/test_matching.c 
@@ -66,7 +66,7 @@ bool run_str_match_mswild(int dummy) d_fprintf(stderr, "namelist: %s\n", namelist); - ret = set_namearray(talloc_tos(), namelist, NULL, &name_entries); + ret = set_namearray(talloc_tos(), namelist, &name_entries); SMB_ASSERT(ret && name_entries != NULL); status = samba_path_matching_mswild_create(talloc_tos(), -- 2.34.1 From eb0508ec82e5c8cae2d6128d341422056689f598 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 30 Jul 2024 14:06:21 +0200 Subject: [PATCH 8/9] docs: Document parametric form of hide and veto files Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688 Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Jul 31 09:41:54 UTC 2024 on atb-devel-224 (cherry picked from commit 10e9b858a3f9ca8d7e5dfd1c4e1e7937a03db671) --- docs-xml/smbdotconf/filename/hidefiles.xml | 29 +++++++++++++++------- docs-xml/smbdotconf/filename/vetofiles.xml | 29 +++++++++++++++------- 2 files changed, 40 insertions(+), 18 deletions(-) diff --git a/docs-xml/smbdotconf/filename/hidefiles.xml b/docs-xml/smbdotconf/filename/hidefiles.xml index f93885e43a3d..3290f8df8db9 100644 --- a/docs-xml/smbdotconf/filename/hidefiles.xml +++ b/docs-xml/smbdotconf/filename/hidefiles.xml 
@@ -14,14 +14,22 @@ as in DOS wildcards. - If a file or directory name is prefixed by "../USERNAME/" - or "../GROUPNAME/", then the subsequent filename is only hidden for the - given user or group. Instead of specifying users or groups by name, they - can also be specified by SID. + can also be used as a + parametric option where NAME in + + + hide files : NAME = - User and group names use the same format as . + + specifies a user or group name with the same syntax as + . This parametric form can + be specified multiple times for different users or + groups. This means that "hide files : NAME" set both + in the [global] and the share section add up, whereas normally + options set in a share section overwrite the default in the + [global] section. + Each entry must be a Unix path, not a DOS path and must not include the Unix directory separator '/'. @@ -46,9 +54,12 @@ hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/ ; Hide some files for anyone and some files for specific users and groups -hide files = hideforall1/../joe/hideforuserjoe/hideforall2/../students/hideforstudents/hideforall3 -hide files = ../UNIVERSITY\Alumnis/somefile.txt/../john@university.org/anotherfile.txt -hide files = ../S-1-5-21-123-456-789-1000/secretfile.txt +hide files = /hideforall1/ +hide files : USER = /hidetoforuser/ +hide files : GROUP = /hideforgroup/ +hide files : UNIVERSITY\Alumnis = /somefile.txt/ +hide files : john@university.org = /anotherfile.txt/ +hide files : S-1-5-21-123-456-789-1000 = /secretfile.txt/ diff --git a/docs-xml/smbdotconf/filename/vetofiles.xml b/docs-xml/smbdotconf/filename/vetofiles.xml index e47490ee49dd..e90cf707c2d0 100644 --- a/docs-xml/smbdotconf/filename/vetofiles.xml +++ b/docs-xml/smbdotconf/filename/vetofiles.xml 
@@ -11,14 +11,22 @@ - If a file or directory name is prefixed by "../USERNAME/" - or "../GROUPNAME/", then the subsequent filename is only hidden for the - given user or group. Instead of specifying users or groups by name, they - can also be specified by SID. + can also be used as a + parametric option where NAME in + + + veto files : NAME = - User and group names use the same format as . + + specifies a user or group name with the same syntax as + . This parametric form can + be specified multiple times for different users or + groups. This means that "veto files : NAME" set both + in the [global] and the share section add up, whereas normally + options set in a share section overwrite the default in the + [global] section. + Each filename must be a unix path, not a DOS path and must @@ -51,9 +59,12 @@ veto files = /*Security*/*.tmp/*root*/ ; Veto some files for anyone and some files for specific users and groups -veto files = /vetoforall1/../USER/vetoforuser/vetoforall2/../GROUP/vetoforgroup/vetoforall3/ -veto files = ../UNIVERSITY\Alumnis/somefile.txt/../john@university.org/anotherfile.txt -veto files = ../S-1-5-21-123-456-789-1000/secretfile.txt +veto files = /vetoforall1/ +veto files : USER = /vetotoforuser/ +veto files : GROUP = /vetoforgroup/ +veto files : UNIVERSITY\Alumnis = /somefile.txt/ +veto files : john@university.org = /anotherfile.txt/ +veto files : S-1-5-21-123-456-789-1000 = /secretfile.txt/ ; Veto the Apple specific files that a NetAtalk server ; creates. -- 2.34.1 From faadd2f4d26b1efe689e94d100da1802a81fe32b Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 31 Jul 2024 11:56:35 +0200 Subject: [PATCH 9/9] WHATSNEW: update the Per-user and group "veto files" and "hide files" section BUG: https://bugzilla.samba.org/show_bug.cgi?id=15688 Signed-off-by: Stefan Metzmacher --- WHATSNEW.txt | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 99f9f0aa7a69..bf2dbb94b3aa 100644 
--- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -180,8 +180,10 @@ Per-user and group "veto files" and "hide files" "veto files" and "hide files" can optionally be restricted to certain users and groups. To apply a veto or hide directive to a filename for a specific user or -group, prefix the filename with "../USERNAME/" or "../GROUPNAME/". For details -consult the updated smb.conf manpage. +group, a parametric option like this can be used: + hide files : USERNAME = /somefile.txt/ + veto files : GROUPNAME = /otherfile.txt/ +For details consult the updated smb.conf manpage. Automatic keytab update after machine password change ----------------------------------------------------- -- 2.34.1