
cifs-utils: Add uid/gid to SID mapping functions (try #4)

Message ID 1312918260-23780-1-git-send-email-shirishpargonkar@gmail.com (mailing list archive)
State New, archived

Commit Message

Shirish Pargaonkar Aug. 9, 2011, 7:31 p.m. UTC
From: Shirish Pargaonkar <shirishpargaonkar@gmail.com>


Add functions to map a uid and a gid to a SID.  These functions are
similar to the existing SID-to-uid and SID-to-gid mapping functions.
The resulting SID is what is returned to the cifs module.


Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
---
 cifs.idmap.c |   37 +++++++++++++++++++++++++++++++++++++
 1 files changed, 37 insertions(+), 0 deletions(-)

Comments

Shirish Pargaonkar Aug. 25, 2011, 11:44 a.m. UTC | #1
On Tue, Aug 9, 2011 at 2:31 PM,  <shirishpargaonkar@gmail.com> wrote:
> From: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
>
>
> Add functions to map a uid and gid to a SID.  These functions are
> similar to SID to uid and gid mapping functions.
> A SID is what is returned to the cifs module.
>
>
> Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
> ---
>  cifs.idmap.c |   37 +++++++++++++++++++++++++++++++++++++
>  1 files changed, 37 insertions(+), 0 deletions(-)
>
> diff --git a/cifs.idmap.c b/cifs.idmap.c
> index 56edb58..80802d7 100644
> --- a/cifs.idmap.c
> +++ b/cifs.idmap.c
> @@ -134,6 +134,43 @@ cifs_idmap(const key_serial_t key, const char *key_descr)
>                goto cifs_idmap_ret;
>        }
>
> +       sidstr = strget(key_descr, "oi:");
> +       if (sidstr) {
> +               uid = atoi(sidstr);
> +               syslog(LOG_DEBUG, "SID: %s, uid: %d", sidstr, uid);
> +               rc = wbcUidToSid(uid, &sid);
> +               if (rc)
> +                       syslog(LOG_DEBUG, "uid %d to SID  error: %d", uid, rc);
> +               if (!rc) { /* SID has been mapped to a uid */
> +                       rc = keyctl_instantiate(key, &sid,
> +                                       sizeof(struct wbcDomainSid), 0);
> +                       if (rc)
> +                               syslog(LOG_ERR, "%s: key inst: %s",
> +                                       __func__, strerror(errno));
> +               }
> +
> +               goto cifs_idmap_ret;
> +       }
> +
> +       sidstr = strget(key_descr, "gi:");
> +       if (sidstr) {
> +               gid = atoi(sidstr);
> +               syslog(LOG_DEBUG, "SID: %s, gid: %d", sidstr, gid);
> +               rc = wbcGidToSid(gid, &sid);
> +               if (rc)
> +                       syslog(LOG_DEBUG, "gid %d to SID error: %d", gid, rc);
> +               if (!rc) { /* SID has been mapped to a gid */
> +                       rc = keyctl_instantiate(key, &sid,
> +                                       sizeof(struct wbcDomainSid), 0);
> +                       if (rc)
> +                               syslog(LOG_ERR, "%s: key inst: %s",
> +                                       __func__, strerror(errno));
> +               }
> +
> +               goto cifs_idmap_ret;
> +       }
> +
> +
>        syslog(LOG_DEBUG, "Invalid key: %s", key_descr);
>
>  cifs_idmap_ret:
> --
> 1.6.0.2
>
>

Jeff, any comments on this? I think this patch and the kernel parts
of this patchset should behave similarly to what is currently done
for servers that support unix extensions.
Care is taken so that only server ids can be assigned as the id to
change to: if an id can't be resolved, then chown/chgrp fail, and if
an id can be resolved, the server is the one which decides whether
to apply the changed security descriptor or not.

Regards,

Shirish
Jeff Layton Aug. 25, 2011, 5:54 p.m. UTC | #2
On Thu, 25 Aug 2011 06:44:29 -0500
Shirish Pargaonkar <shirishpargaonkar@gmail.com> wrote:

> On Tue, Aug 9, 2011 at 2:31 PM,  <shirishpargaonkar@gmail.com> wrote:
> > From: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
> >
> >
> > Add functions to map a uid and gid to a SID.  These functions are
> > similar to SID to uid and gid mapping functions.
> > A SID is what is returned to the cifs module.
> >
> >
> > Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
> > ---
> >  cifs.idmap.c |   37 +++++++++++++++++++++++++++++++++++++
> >  1 files changed, 37 insertions(+), 0 deletions(-)
> >
> > diff --git a/cifs.idmap.c b/cifs.idmap.c
> > index 56edb58..80802d7 100644
> > --- a/cifs.idmap.c
> > +++ b/cifs.idmap.c
> > @@ -134,6 +134,43 @@ cifs_idmap(const key_serial_t key, const char *key_descr)
> >                goto cifs_idmap_ret;
> >        }
> >
> > +       sidstr = strget(key_descr, "oi:");
> > +       if (sidstr) {
> > +               uid = atoi(sidstr);
> > +               syslog(LOG_DEBUG, "SID: %s, uid: %d", sidstr, uid);
> > +               rc = wbcUidToSid(uid, &sid);
> > +               if (rc)
> > +                       syslog(LOG_DEBUG, "uid %d to SID  error: %d", uid, rc);
> > +               if (!rc) { /* SID has been mapped to a uid */
> > +                       rc = keyctl_instantiate(key, &sid,
> > +                                       sizeof(struct wbcDomainSid), 0);
> > +                       if (rc)
> > +                               syslog(LOG_ERR, "%s: key inst: %s",
> > +                                       __func__, strerror(errno));
> > +               }
> > +
> > +               goto cifs_idmap_ret;
> > +       }
> > +
> > +       sidstr = strget(key_descr, "gi:");
> > +       if (sidstr) {
> > +               gid = atoi(sidstr);
> > +               syslog(LOG_DEBUG, "SID: %s, gid: %d", sidstr, gid);
> > +               rc = wbcGidToSid(gid, &sid);
> > +               if (rc)
> > +                       syslog(LOG_DEBUG, "gid %d to SID error: %d", gid, rc);
> > +               if (!rc) { /* SID has been mapped to a gid */
> > +                       rc = keyctl_instantiate(key, &sid,
> > +                                       sizeof(struct wbcDomainSid), 0);
> > +                       if (rc)
> > +                               syslog(LOG_ERR, "%s: key inst: %s",
> > +                                       __func__, strerror(errno));
> > +               }
> > +
> > +               goto cifs_idmap_ret;
> > +       }
> > +
> > +
> >        syslog(LOG_DEBUG, "Invalid key: %s", key_descr);
> >
> >  cifs_idmap_ret:
> > --
> > 1.6.0.2
> >
> >
> 
> Jeff, any comments on this? I think this patch and kernel parts
> of this patchset, should be doing similar to what is done currently
> for server that support unix extensions.
> A care is taken so that only the server ids can be assigned as
> an id to change to, if an id can't be resolved, then chown/chgrp fail
> and if an id can be resolved, the server is the one which whether
> to apply the changed security descriptor or not.
> 
> Regards,
> 
> Shirish

The userspace part of this looks fine. I don't have the time to review
the kernel pieces however. If Steve plans to review and commit those,
then I'll plan to pull the userspace patch into the next cifs-utils
release.
Steve French Aug. 25, 2011, 6:08 p.m. UTC | #3
I did a review early this month and Shirish seems to have incorporated the
feedback so I plan to rereview the kernel part of the patchset after
the ntlmv2 and FindFirst patches are done/tested/merged

On Thu, Aug 25, 2011 at 12:54 PM, Jeff Layton <jlayton@samba.org> wrote:
> On Thu, 25 Aug 2011 06:44:29 -0500
> Shirish Pargaonkar <shirishpargaonkar@gmail.com> wrote:
>
>> On Tue, Aug 9, 2011 at 2:31 PM,  <shirishpargaonkar@gmail.com> wrote:
>> > From: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
>> >
>> >
>> > Add functions to map a uid and gid to a SID.  These functions are
>> > similar to SID to uid and gid mapping functions.
>> > A SID is what is returned to the cifs module.
>> >
>> >
>> > Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
>> > ---
>> >  cifs.idmap.c |   37 +++++++++++++++++++++++++++++++++++++
>> >  1 files changed, 37 insertions(+), 0 deletions(-)
>> >
>> > diff --git a/cifs.idmap.c b/cifs.idmap.c
>> > index 56edb58..80802d7 100644
>> > --- a/cifs.idmap.c
>> > +++ b/cifs.idmap.c
>> > @@ -134,6 +134,43 @@ cifs_idmap(const key_serial_t key, const char *key_descr)
>> >                goto cifs_idmap_ret;
>> >        }
>> >
>> > +       sidstr = strget(key_descr, "oi:");
>> > +       if (sidstr) {
>> > +               uid = atoi(sidstr);
>> > +               syslog(LOG_DEBUG, "SID: %s, uid: %d", sidstr, uid);
>> > +               rc = wbcUidToSid(uid, &sid);
>> > +               if (rc)
>> > +                       syslog(LOG_DEBUG, "uid %d to SID  error: %d", uid, rc);
>> > +               if (!rc) { /* SID has been mapped to a uid */
>> > +                       rc = keyctl_instantiate(key, &sid,
>> > +                                       sizeof(struct wbcDomainSid), 0);
>> > +                       if (rc)
>> > +                               syslog(LOG_ERR, "%s: key inst: %s",
>> > +                                       __func__, strerror(errno));
>> > +               }
>> > +
>> > +               goto cifs_idmap_ret;
>> > +       }
>> > +
>> > +       sidstr = strget(key_descr, "gi:");
>> > +       if (sidstr) {
>> > +               gid = atoi(sidstr);
>> > +               syslog(LOG_DEBUG, "SID: %s, gid: %d", sidstr, gid);
>> > +               rc = wbcGidToSid(gid, &sid);
>> > +               if (rc)
>> > +                       syslog(LOG_DEBUG, "gid %d to SID error: %d", gid, rc);
>> > +               if (!rc) { /* SID has been mapped to a gid */
>> > +                       rc = keyctl_instantiate(key, &sid,
>> > +                                       sizeof(struct wbcDomainSid), 0);
>> > +                       if (rc)
>> > +                               syslog(LOG_ERR, "%s: key inst: %s",
>> > +                                       __func__, strerror(errno));
>> > +               }
>> > +
>> > +               goto cifs_idmap_ret;
>> > +       }
>> > +
>> > +
>> >        syslog(LOG_DEBUG, "Invalid key: %s", key_descr);
>> >
>> >  cifs_idmap_ret:
>> > --
>> > 1.6.0.2
>> >
>> >
>>
>> Jeff, any comments on this? I think this patch and kernel parts
>> of this patchset, should be doing similar to what is done currently
>> for server that support unix extensions.
>> A care is taken so that only the server ids can be assigned as
>> an id to change to, if an id can't be resolved, then chown/chgrp fail
>> and if an id can be resolved, the server is the one which whether
>> to apply the changed security descriptor or not.
>>
>> Regards,
>>
>> Shirish
>
> The userspace part of this looks fine. I don't have the time to review
> the kernel pieces however. If Steve plans to review and commit those,
> then I'll plan to pull the userspace patch into the next cifs-utils
> release.
>
> --
> Jeff Layton <jlayton@samba.org>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Patch

diff --git a/cifs.idmap.c b/cifs.idmap.c
index 56edb58..80802d7 100644
--- a/cifs.idmap.c
+++ b/cifs.idmap.c
@@ -134,6 +134,43 @@  cifs_idmap(const key_serial_t key, const char *key_descr)
 		goto cifs_idmap_ret;
 	}
 
+	sidstr = strget(key_descr, "oi:");
+	if (sidstr) {
+		uid = atoi(sidstr);
+		syslog(LOG_DEBUG, "SID: %s, uid: %d", sidstr, uid);
+		rc = wbcUidToSid(uid, &sid);
+		if (rc)
+			syslog(LOG_DEBUG, "uid %d to SID  error: %d", uid, rc);
+		if (!rc) { /* SID has been mapped to a uid */
+			rc = keyctl_instantiate(key, &sid,
+					sizeof(struct wbcDomainSid), 0);
+			if (rc)
+				syslog(LOG_ERR, "%s: key inst: %s",
+					__func__, strerror(errno));
+		}
+
+		goto cifs_idmap_ret;
+	}
+
+	sidstr = strget(key_descr, "gi:");
+	if (sidstr) {
+		gid = atoi(sidstr);
+		syslog(LOG_DEBUG, "SID: %s, gid: %d", sidstr, gid);
+		rc = wbcGidToSid(gid, &sid);
+		if (rc)
+			syslog(LOG_DEBUG, "gid %d to SID error: %d", gid, rc);
+		if (!rc) { /* SID has been mapped to a gid */
+			rc = keyctl_instantiate(key, &sid,
+					sizeof(struct wbcDomainSid), 0);
+			if (rc)
+				syslog(LOG_ERR, "%s: key inst: %s",
+					__func__, strerror(errno));
+		}
+
+		goto cifs_idmap_ret;
+	}
+
+
 	syslog(LOG_DEBUG, "Invalid key: %s", key_descr);
 
 cifs_idmap_ret:
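Review bot: `uid = atoi(sidstr)` in the `oi:` branch, and `gid = atoi(sidstr)` in the `gi:` branch, cannot tell a malformed key description from a valid one. atoi() returns 0 for non-numeric text, so a bad value would be looked up as id 0, and an id above INT_MAX overflows with undefined behaviour. Parsing with strtoul() and rejecting empty, signed, trailing-garbage or out-of-range input before calling wbcUidToSid()/wbcGidToSid() avoids that, as sketched below. `id` and `end` would need declaring at the top of cifs_idmap(), which starts outside this hunk, and the failure value for `rc` should follow whatever the code after `cifs_idmap_ret:` expects. Separately, the debug line prints the id string under the label `SID:`, and passing the full `sizeof(struct wbcDomainSid)` to keyctl_instantiate() presumably copies any sub-authority slots the lookup left unfilled, so zeroing `sid` before the call is worth confirming.

```c
	sidstr = strget(key_descr, "oi:");
	if (sidstr) {
		errno = 0;
		id = strtoul(sidstr, &end, 10);
		/* reject empty, signed, non-numeric, overflowing or too-wide ids;
		 * assumes strget() returns only the NUL-terminated id text */
		if (*sidstr < '0' || *sidstr > '9' || *end != '\0' ||
		    errno == ERANGE || id != (unsigned long)(uid_t)id) {
			syslog(LOG_ERR, "%s: invalid uid in key description",
				__func__);
			rc = 1; /* assumed failure value; match cifs_idmap_ret */
			goto cifs_idmap_ret;
		}
		uid = (uid_t)id;
		/* ... unchanged: wbcUidToSid() lookup and keyctl_instantiate() ... */
	}
	/* ... the "gi:" branch gets the same check, using gid_t ... */
```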