big-one Cdiff usr/src/uts/common/fs/zfs/zfs

Print this page

NEX-19350 User ACE incorrectly grants access to matching group IDs
Reviewed by: Rick McNeal <rick.mcneal@nexenta.com>
Reviewed by: Joyce McIntosh <joyce.mcintosh@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
NEX-15035 Allow user ACE in ACL to match SID in token extra SIDs (part 2)
Reviewed by: Evan Layton <evan.layton@nexenta.com>
Reviewed by: Sanjay Nadkarni <sanjay.nadkarni@nexenta.com>
NEX-15035 Allow user ACE in ACL to match SID in token extra SIDs (part 2)
Reviewed by: Evan Layton <evan.layton@nexenta.com>
Reviewed by: Sanjay Nadkarni <sanjay.nadkarni@nexenta.com>
NEX-15035 Allow user ACE in ACL to match SID in token extra SIDs
Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
Reviewed by: Sanjay Nadkarni <sanjay.nadkarni@nexenta.com>
NEX-15035 Allow user ACE in ACL to match SID in token extra SIDs
Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
Reviewed by: Sanjay Nadkarni <sanjay.nadkarni@nexenta.com>


*** 18,27 ****
--- 18,28 ----
   *
   * CDDL HEADER END
   */
  /*
   * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
+  * Copyright 2018 Nexenta Systems, Inc.  All rights reserved.
   */
  
  #include <sys/zfs_context.h>
  #include <sys/dmu.h>
  #include <sys/avl.h>
*** 687,696 ****
--- 688,748 ----
          }
  
          kmem_free(fuidp, sizeof (zfs_fuid_info_t));
  }
  
+ /*
+  * Check to see if user ID is in the list of SIDs in CR.
+  */
+ boolean_t
+ zfs_user_in_cred(zfsvfs_t *zfsvfs, uint64_t id, cred_t *cr)
+ {
+         ksid_t          *ksid = crgetsid(cr, KSID_USER);
+         ksidlist_t      *ksidlist = crgetsidlist(cr);
+         uid_t           uid;
+ 
+         /* Check for match with cred->cr_uid */
+         uid = zfs_fuid_map_id(zfsvfs, id, cr, ZFS_ACE_USER);
+         if (uid != IDMAP_WK_CREATOR_OWNER_UID &&
+             uid == crgetuid(cr))
+                 return (B_TRUE);
+ 
+         /* Check for any match in the ksidlist */
+         if (ksid && ksidlist) {
+                 int             i;
+                 ksid_t          *ksid_vec;
+                 uint32_t        idx = FUID_INDEX(id);
+                 uint32_t        rid = FUID_RID(id);
+                 const char      *domain;
+ 
+                 if (idx == 0) {
+                         /*
+                          * The ID passed in has idx zero, which means
+                          * it's just a Unix UID.  That can never match
+                          * anything in ksid_vec[] because those all
+                          * have ksid->ks_id set to a Group ID.
+                          */
+                         return (B_FALSE);
+                 }
+ 
+                 domain = zfs_fuid_find_by_idx(zfsvfs, idx);
+                 ASSERT(domain != NULL);
+ 
+                 if (strcmp(domain, IDMAP_WK_CREATOR_SID_AUTHORITY) == 0)
+                         return (B_FALSE);
+ 
+                 ksid_vec = ksidlist->ksl_sids;
+                 for (i = 0; i != ksidlist->ksl_nsid; i++) {
+                         if ((strcmp(domain,
+                             ksid_vec[i].ks_domain->kd_name) == 0) &&
+                             rid == ksid_vec[i].ks_rid)
+                                 return (B_TRUE);
+                 }
+         }
+         return (B_FALSE);
+ }
+ 
  /*
   * Check to see if id is a groupmember.  If cred
   * has ksid info then sidlist is checked first
   * and if still not found then POSIX groups are checked
   *