Print this page
NEX-13644 File access audit logging
Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
Reviewed by: Saso Kiselkov <saso.kiselkov@nexenta.com>
Reviewed by: Rick McNeal <rick.mcneal@nexenta.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
NEX-9808 SMB3 persistent handles
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
NEX-9808 SMB3 persistent handles
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
NEX-9497 SMB should bypass ACL traverse checking
Reviewed by: Evan Layton <evan.layton@nexenta.com>
Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
NEX-3787 Sync. up SMB server with: Merge with illumos-gate 12380e1e
NEX-1440 Unable to take ownership, view permissions, or delete files...
Reviewed by: Alek Pinchuk <alek@nexenta.com>
SMB-56 extended security NTLMSSP, inbound
*** 18,28 ****
*
* CDDL HEADER END
*/
/*
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
! * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
*/
/*
* Authentication helpers for building credentials
*/
--- 18,28 ----
*
* CDDL HEADER END
*/
/*
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
! * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
*/
/*
* Authentication helpers for building credentials
*/
*** 47,65 ****
* to the Solaris user's primary group.
*
* If the mapped UID is ephemeral, or the primary group could not be
* obtained, the cred gid is set to whatever Solaris group is mapped
* to the token's primary group.
*/
cred_t *
! smb_cred_create(smb_token_t *token)
{
ksid_t ksid;
ksidlist_t *ksidlist = NULL;
smb_posix_grps_t *posix_grps;
cred_t *cr;
gid_t gid;
ASSERT(token);
ASSERT(token->tkn_posix_grps);
posix_grps = token->tkn_posix_grps;
--- 47,71 ----
* to the Solaris user's primary group.
*
* If the mapped UID is ephemeral, or the primary group could not be
* obtained, the cred gid is set to whatever Solaris group is mapped
* to the token's primary group.
+ *
+ * Also add any privileges that should always be in effect for this user.
+ * Note that an SMB user object also gets a u_privcred which is used
+ * when the client opens an object with "backup/restore intent".
+ * That cred is setup later, in smb_user_setcred().
*/
cred_t *
! smb_cred_create(smb_token_t *token, smb_session_t *s)
{
ksid_t ksid;
ksidlist_t *ksidlist = NULL;
smb_posix_grps_t *posix_grps;
cred_t *cr;
gid_t gid;
+ auditinfo_addr_t *au;
ASSERT(token);
ASSERT(token->tkn_posix_grps);
posix_grps = token->tkn_posix_grps;
*** 107,116 ****
--- 113,149 ----
PRIV_FILE_DAC_WRITE,
PRIV_FILE_OWNER,
NULL);
}
+ /*
+ * See smb.4 bypass_traverse_checking
+ *
+ * For historical reasons, the Windows privilege is named
+ * SeChangeNotifyPrivilege, though the description is
+ * "Bypass traverse checking".
+ */
+ if (smb_token_query_privilege(token, SE_CHANGE_NOTIFY_LUID)) {
+ (void) crsetpriv(cr, PRIV_FILE_DAC_SEARCH, NULL);
+ }
+
+ au = crgetauinfo_modifiable(cr);
+ if (au != NULL) {
+ au->ai_auid = token->tkn_auid;
+ au->ai_mask = token->tkn_amask;
+ au->ai_asid = token->tkn_asid;
+ au->ai_termid.at_port = s->s_local_port;
+
+ if (s->ipaddr.a_family == AF_INET) {
+ au->ai_termid.at_addr[0] = s->ipaddr.a_ipv4;
+ au->ai_termid.at_type = AU_IPv4;
+ } else {
+ bcopy(&s->ipaddr.a_ip, au->ai_termid.at_addr,
+ sizeof (in6_addr_t));
+ au->ai_termid.at_type = AU_IPv6;
+ }
+ }
return (cr);
}
/*
* Initialize the ksid based on the given smb_id_t.
*** 152,157 ****
--- 185,206 ----
if (lp->ksl_sids[i].ks_id > IDMAP_WK__MAX_GID)
lp->ksl_neid++;
}
return (lp);
+ }
+
+ /*
+ * Special variant of smb_cred_create() used when we need an
+ * SMB kcred (i.e. DH import). The returned cred must be
+ * from crget() so it can be passed to smb_user_setcred().
+ */
+ cred_t *
+ smb_kcred_create(void)
+ {
+ cred_t *cr;
+
+ cr = crget();
+ ASSERT(cr != NULL);
+
+ return (cr);
}