From patchwork Mon Jan 27 05:49:45 2025
X-Patchwork-Submitter: Steve French
X-Patchwork-Id: 13950990
X-Mailing-List: linux-cifs@vger.kernel.org
From: Steve French
Date: Sun, 26 Jan 2025 23:49:45 -0600
Subject: [PATCHES][SMB3 client] additional patches in for-next for error translation and reparse points
To: CIFS
Cc: Pali Rohár

Any comments/objections on these six recently rebased patches from Pali, which I have tentatively merged into cifs-2.6.git for-next pending additional review and testing? See attached.

(There are also 56 additional CIFS/SMB3 client patches from Pali in the cifs branch of his https://git.kernel.org/pub/scm/linux/kernel/git/pali/linux.git to go through, so additional review feedback or testing on those would also be very welcome.)

From 96aca5fa96c0d1fdb1c70b6fa3fcbe51e3cbcceb Mon Sep 17 00:00:00 2001
From: Pali Rohár
Date: Tue, 24 Dec 2024 15:31:22 +0100
Subject: [PATCH 6/6] cifs: Update description about ACL permissions

There is some incorrect information about individual SMB permission constants, like WRITE_DAC being able to change ownership, or incomplete information to distinguish between ACL types (discretionary vs. system), and there is completely missing information about how permissions apply to directory objects and what the meaning of the GENERIC_* bits is. Also the constant for the MAXIMUM_ALLOWED permission is missing.

Fix and extend the description of all SMB permission constants to match reality, i.e. how the reference Windows SMB / NTFS implementation handles them.

Links to official Microsoft documentation related to permissions:
https://learn.microsoft.com/en-us/windows/win32/fileio/file-access-rights-constants
https://learn.microsoft.com/en-us/windows/win32/secauthz/access-mask
https://learn.microsoft.com/en-us/windows/win32/secauthz/standard-access-rights
https://learn.microsoft.com/en-us/windows/win32/secauthz/generic-access-rights
https://learn.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntcreatefile
https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntcreatefile

Signed-off-by: Pali Rohár
Signed-off-by: Steve French
---
 fs/smb/client/cifspdu.h | 82 ++++++++++++++++++++++++++++++-----------
 1 file changed, 61 insertions(+), 21 deletions(-)

diff --git a/fs/smb/client/cifspdu.h b/fs/smb/client/cifspdu.h
index 5c047b00516f..9cada09204df 100644
--- a/fs/smb/client/cifspdu.h
+++ b/fs/smb/client/cifspdu.h
@@ -190,42 +190,82 @@ */ #define FILE_READ_DATA 0x00000001 /* Data can be read from the file */ + /* or directory child entries can */ + /* be listed together with the */ + /* associated child attributes */ + /* (so the FILE_READ_ATTRIBUTES on */ + /* the child entry is not needed) */ #define FILE_WRITE_DATA 0x00000002 /* Data can be written to the file */ + /* or new file can be created in */ + /* the directory */ #define FILE_APPEND_DATA 0x00000004 /* Data can be appended to the file */ + /* (for non-local files over SMB it */ + /* is same as FILE_WRITE_DATA) */ + /* or new subdirectory can be */ + /* created in the directory */ #define FILE_READ_EA 0x00000008 /* Extended attributes associated */ /* with the file can be read */ #define FILE_WRITE_EA 0x00000010 /* Extended attributes associated */ /* with the file can be written */ #define FILE_EXECUTE 0x00000020 /*Data can be read into memory from */ /* the file using system paging I/O */ -#define FILE_DELETE_CHILD 0x00000040 + /* for executing the file / script */ + /* or right to traverse directory */ + /* (but by default all users have */ + /* directory bypass traverse */ + /* privilege and do not need this */ + /* permission on directories at all)*/ +#define FILE_DELETE_CHILD 0x00000040 /* Child entry can be deleted from */ + /* the directory (so the DELETE on */ + /* the child entry is not needed) */ #define FILE_READ_ATTRIBUTES 0x00000080 /* Attributes associated with the */ - /* file can be read */ + /* file or directory can be read */ #define FILE_WRITE_ATTRIBUTES 0x00000100 /* Attributes associated with the */ - /* file can be written */ -#define DELETE 0x00010000 /* The file can be deleted */ -#define READ_CONTROL 0x00020000 /* The access control list and */ - /* ownership associated with the */ - /* file can be read */ -#define WRITE_DAC 0x00040000 /* The access control list and */ - /* ownership associated with the */ - /* file can be written. 
*/ + /* file or directory can be written */ +#define DELETE 0x00010000 /* The file or dir can be deleted */ +#define READ_CONTROL 0x00020000 /* The discretionary access control */ + /* list and ownership associated */ + /* with the file or dir can be read */ +#define WRITE_DAC 0x00040000 /* The discretionary access control */ + /* list associated with the file or */ + /* directory can be written */ #define WRITE_OWNER 0x00080000 /* Ownership information associated */ - /* with the file can be written */ + /* with the file/dir can be written */ #define SYNCHRONIZE 0x00100000 /* The file handle can waited on to */ /* synchronize with the completion */ /* of an input/output request */ #define SYSTEM_SECURITY 0x01000000 /* The system access control list */ - /* can be read and changed */ -#define GENERIC_ALL 0x10000000 -#define GENERIC_EXECUTE 0x20000000 -#define GENERIC_WRITE 0x40000000 -#define GENERIC_READ 0x80000000 - /* In summary - Relevant file */ - /* access flags from CIFS are */ - /* file_read_data, file_write_data */ - /* file_execute, file_read_attributes*/ - /* write_dac, and delete. 
*/ + /* associated with the file or */ + /* directory can be read or written */ + /* (cannot be in DACL, can in SACL) */ +#define MAXIMUM_ALLOWED 0x02000000 /* Maximal subset of GENERIC_ALL */ + /* permissions which can be granted */ + /* (cannot be in DACL nor SACL) */ +#define GENERIC_ALL 0x10000000 /* Same as: GENERIC_EXECUTE | */ + /* GENERIC_WRITE | */ + /* GENERIC_READ | */ + /* FILE_DELETE_CHILD | */ + /* DELETE | */ + /* WRITE_DAC | */ + /* WRITE_OWNER */ + /* So GENERIC_ALL contains all bits */ + /* mentioned above except these two */ + /* SYSTEM_SECURITY MAXIMUM_ALLOWED */ +#define GENERIC_EXECUTE 0x20000000 /* Same as: FILE_EXECUTE | */ + /* FILE_READ_ATTRIBUTES | */ + /* READ_CONTROL | */ + /* SYNCHRONIZE */ +#define GENERIC_WRITE 0x40000000 /* Same as: FILE_WRITE_DATA | */ + /* FILE_APPEND_DATA | */ + /* FILE_WRITE_EA | */ + /* FILE_WRITE_ATTRIBUTES | */ + /* READ_CONTROL | */ + /* SYNCHRONIZE */ +#define GENERIC_READ 0x80000000 /* Same as: FILE_READ_DATA | */ + /* FILE_READ_EA | */ + /* FILE_READ_ATTRIBUTES | */ + /* READ_CONTROL | */ + /* SYNCHRONIZE */ #define FILE_READ_RIGHTS (FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES) #define FILE_WRITE_RIGHTS (FILE_WRITE_DATA | FILE_APPEND_DATA \ -- 2.43.0
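Review bot: the "Same as:" wording on the four GENERIC_* comments (GENERIC_ALL through GENERIC_READ) reads as bitwise equality, but 0x10000000..0x80000000 are single generic bits that the server expands into those specific-rights masks before the ACL check, which is also how the generic-access-rights page linked in the commit message presents them; "Maps to:" or "Expands to:" would stop a reader concluding that GENERIC_READ == FILE_READ_DATA | ... | SYNCHRONIZE as a C expression. Separately, the FILE_APPEND_DATA note "(for non-local files over SMB it is same as FILE_WRITE_DATA)" is the one claim in the hunk that none of the linked documents obviously covers, so either point at the spec text that establishes it or drop it from the header comment.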
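As an added example (not code from this patch or from the cifs client), the GENERIC_* expansion the new header comments describe, written out as the file-object generic mapping a server applies before it checks a DACL, together with a small model of that check covering the two request-only bits the comments single out, MAXIMUM_ALLOWED and SYSTEM_SECURITY. The constants are the ones from cifspdu.h; `map_generic_file_mask`, `check_file_access`, the `effective` input mask and the privilege flag are constructed for this example, and the check is a simplified model of the semantics the comments state, not the Windows or ksmbd implementation.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants as defined in fs/smb/client/cifspdu.h (values from the patch). */
#define FILE_READ_DATA        0x00000001u
#define FILE_WRITE_DATA       0x00000002u
#define FILE_APPEND_DATA      0x00000004u
#define FILE_READ_EA          0x00000008u
#define FILE_WRITE_EA         0x00000010u
#define FILE_EXECUTE          0x00000020u
#define FILE_DELETE_CHILD     0x00000040u
#define FILE_READ_ATTRIBUTES  0x00000080u
#define FILE_WRITE_ATTRIBUTES 0x00000100u
#define DELETE                0x00010000u
#define READ_CONTROL          0x00020000u
#define WRITE_DAC             0x00040000u
#define WRITE_OWNER           0x00080000u
#define SYNCHRONIZE           0x00100000u
#define SYSTEM_SECURITY       0x01000000u
#define MAXIMUM_ALLOWED       0x02000000u
#define GENERIC_ALL           0x10000000u
#define GENERIC_EXECUTE       0x20000000u
#define GENERIC_WRITE         0x40000000u
#define GENERIC_READ          0x80000000u

/* File-object generic mapping, written out from the patch's comments. */
#define FILE_GENERIC_READ_MASK    (FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES | READ_CONTROL | SYNCHRONIZE)
#define FILE_GENERIC_WRITE_MASK   (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES | READ_CONTROL | SYNCHRONIZE)
#define FILE_GENERIC_EXECUTE_MASK (FILE_EXECUTE | FILE_READ_ATTRIBUTES | READ_CONTROL | SYNCHRONIZE)
#define FILE_ALL_ACCESS_MASK      (FILE_GENERIC_READ_MASK | FILE_GENERIC_WRITE_MASK | FILE_GENERIC_EXECUTE_MASK | FILE_DELETE_CHILD | DELETE | WRITE_DAC | WRITE_OWNER)

#define GENERIC_BITS (GENERIC_ALL | GENERIC_EXECUTE | GENERIC_WRITE | GENERIC_READ)

/* Expand the GENERIC_* bits of a requested access mask into specific file
 * rights; every other bit (including MAXIMUM_ALLOWED and SYSTEM_SECURITY) is
 * passed through untouched. Hypothetical helper written for this example. */
uint32_t map_generic_file_mask(uint32_t mask)
{
	uint32_t specific = mask & ~GENERIC_BITS;

	if (mask & GENERIC_READ)
		specific |= FILE_GENERIC_READ_MASK;
	if (mask & GENERIC_WRITE)
		specific |= FILE_GENERIC_WRITE_MASK;
	if (mask & GENERIC_EXECUTE)
		specific |= FILE_GENERIC_EXECUTE_MASK;
	if (mask & GENERIC_ALL)
		specific |= FILE_ALL_ACCESS_MASK;
	return specific;
}

/* Simplified model of the access check (assumption: it follows the semantics
 * the header comments describe, not any real server's code). `effective` is
 * the mask the caller's DACL ACEs allow (constructed input, not read from an
 * ACL). Returns the granted mask, or 0 when the request must be denied. */
uint32_t check_file_access(uint32_t requested, uint32_t effective, int has_security_priv)
{
	uint32_t want = map_generic_file_mask(requested);
	uint32_t granted = 0;

	/* SYSTEM_SECURITY cannot come from a DACL ACE: it needs the privilege. */
	if (want & SYSTEM_SECURITY) {
		if (!has_security_priv)
			return 0;
		want &= ~SYSTEM_SECURITY;
		granted |= SYSTEM_SECURITY;
	}
	/* MAXIMUM_ALLOWED is a request-only bit: grant whatever the DACL allows,
	 * while any explicitly requested bits must still all be satisfied. */
	if (want & MAXIMUM_ALLOWED) {
		want &= ~MAXIMUM_ALLOWED;
		granted |= effective;
	}
	/* Ordinary DACL rule: every requested bit must be in the allowed set. */
	if (want & ~effective)
		return 0;
	return granted | want;
}

int main(void)
{
	uint32_t req = GENERIC_READ | GENERIC_EXECUTE;

	printf("request 0x%08x expands to 0x%08x\n", req, map_generic_file_mask(req));
	printf("GENERIC_ALL expands to 0x%08x\n", map_generic_file_mask(GENERIC_ALL));
	printf("MAXIMUM_ALLOWED on a read-only DACL grants 0x%08x\n",
	       check_file_access(MAXIMUM_ALLOWED, FILE_GENERIC_READ_MASK, 0));
	return 0;
}
```

The interesting cases are the ones the comments call out: GENERIC_ALL expands to every defined bit except SYSTEM_SECURITY and MAXIMUM_ALLOWED, a MAXIMUM_ALLOWED request on a read-only DACL comes back as exactly the read mask rather than being denied, and MAXIMUM_ALLOWED combined with an explicit DELETE is still denied when DELETE is not in the allowed set.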