|
1 Samba.org patch source is referenced below. |
|
2 WiKi page is: |
|
3 https://wiki.samba.org/index.php/VFS/vfs_worm |
|
4 changes against the community version: |
|
5 - removed support of grace time on file |
|
6 - slightly modified to run on VFS rev.28 |
|
7 -- Jiri Sasek |
|
8 |
|
9 From 2004317c09d781a4ec1275aaa4a29289e798eff3 Mon Sep 17 00:00:00 2001 |
|
10 From: Volker Lendecke <[email protected]> |
|
11 Date: Wed, 20 Nov 2013 12:09:47 +0100 |
|
12 Subject: [PATCH] s3-modules: add new vfs_worm module |
|
13 |
|
14 VFS module to disallow writes for older files. |
|
15 |
|
16 Signed-off-by: Volker Lendecke <[email protected]> |
|
17 Reviewed-by: Stefan Metzmacher <[email protected]> |
|
18 Reviewed-by: Jeremy Allison <[email protected]> |
|
19 --- |
|
20 source3/modules/vfs_worm.c | 97 ++++++++++++++++++++++++++++++++++++++++++++ |
|
21 1 files changed, 97 insertions(+), 0 deletions(-) |
|
22 create mode 100644 source3/modules/vfs_worm.c |
|
23 |
|
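diff --git a/source3/modules/vfs_worm.c b/source3/modules/vfs_worm.c
new file mode 100644
index 0000000..77a18ca
--- /dev/null
+++ b/source3/modules/vfs_worm.c
@@ -0,0 +1,93 @@
+/*
+ * VFS module to disallow writes for older files
+ *
+ * Copyright (C) 2013, Volker Lendecke
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "smbd/smbd.h"
+#include "system/filesys.h"
+#include "libcli/security/security.h"
+
+static NTSTATUS vfs_worm_create_file(vfs_handle_struct *handle,
+ struct smb_request *req,
+ uint16_t root_dir_fid,
+ struct smb_filename *smb_fname,
+ uint32_t access_mask,
+ uint32_t share_access,
+ uint32_t create_disposition,
+ uint32_t create_options,
+ uint32_t file_attributes,
+ uint32_t oplock_request,
+ uint64_t allocation_size,
+ uint32_t private_flags,
+ struct security_descriptor *sd,
+ struct ea_list *ea_list,
+ files_struct **result,
+ int *pinfo)
+{
+ bool readonly = false;
+ const uint32_t write_access_flags =
+ FILE_WRITE_DATA | FILE_APPEND_DATA |
+ FILE_WRITE_ATTRIBUTES | DELETE_ACCESS |
+ WRITE_DAC_ACCESS | WRITE_OWNER_ACCESS;
+ NTSTATUS status;
+
+ if (VALID_STAT(smb_fname->st)) {
+ /* no grace_period supported */
+ readonly = true;
+ }
+
+ if (readonly && (access_mask & write_access_flags)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ status = SMB_VFS_NEXT_CREATE_FILE(
+ handle, req, root_dir_fid, smb_fname, access_mask,
+ share_access, create_disposition, create_options,
+ file_attributes, oplock_request, allocation_size,
+ private_flags, sd, ea_list, result, pinfo);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ /*
+ * Access via MAXIMUM_ALLOWED_ACCESS?
+ */
+ if (readonly && ((*result)->access_mask & write_access_flags)) {
+ close_file(req, *result, NORMAL_CLOSE);
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ return NT_STATUS_OK;
+}
+
+static struct vfs_fn_pointers vfs_worm_fns = {
+ .create_file = vfs_worm_create_file,
+};
+
+NTSTATUS vfs_worm_init(void);
+NTSTATUS vfs_worm_init(void)
+{
+ NTSTATUS ret;
+
+ ret = smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "worm",
+ &vfs_worm_fns);
+ if (!NT_STATUS_IS_OK(ret)) {
+ return ret;
+ }
+
+ return ret;
+}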
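Review bot: Both readonly checks in vfs_worm_create_file look only at access-mask bits, so an open of an existing file that requests no write bit but passes `FILE_SUPERSEDE`, `FILE_OVERWRITE` or `FILE_OVERWRITE_IF` in create_disposition is not rejected by anything visible here; whether the lower layer truncates before the second check needs confirming, but a WORM module should refuse those dispositions up front. write_access_flags also omits `FILE_WRITE_EA`, so extended attributes of a protected file stay writable through this hook. On the MAXIMUM_ALLOWED path the handle is closed but `*result` still points at it when the error is returned; setting `*result = NULL` after close_file() avoids handing the caller a stale pointer. With the grace period removed, every path with a valid stat becomes read-only, which deserves a comment above the VALID_STAT() test.

```c
	const uint32_t write_access_flags =
		FILE_WRITE_DATA | FILE_APPEND_DATA |
		FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA | DELETE_ACCESS |
		WRITE_DAC_ACCESS | WRITE_OWNER_ACCESS;
	/* … unchanged: status declaration, VALID_STAT() check … */

	if (readonly) {
		switch (create_disposition) {
		case FILE_SUPERSEDE:
		case FILE_OVERWRITE:
		case FILE_OVERWRITE_IF:
			/* these dispositions replace or truncate existing content */
			return NT_STATUS_ACCESS_DENIED;
		default:
			break;
		}
	}
	/* … unchanged: access_mask check, SMB_VFS_NEXT_CREATE_FILE call … */
	if (readonly && ((*result)->access_mask & write_access_flags)) {
		close_file(req, *result, NORMAL_CLOSE);
		*result = NULL;
		return NT_STATUS_ACCESS_DENIED;
	}
```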
|
123 -- |
|
124 1.7.0.4 |
|
125 |
|
126 Makefile.in and configure.in adds |
|
127 |
|
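--- a/source3/configure.in 2013-01-17 15:54:47.194376100 -0800
+++ b/source3/configure.in 2013-01-17 15:58:39.854303900 -0800
@@ -6994,6 +6994,7 @@
 SMB_MODULE(vfs_preopen, \$(VFS_PREOPEN_OBJ), "bin/preopen.$SHLIBEXT", VFS)
 SMB_MODULE(vfs_syncops, \$(VFS_SYNCOPS_OBJ), "bin/syncops.$SHLIBEXT", VFS)
 SMB_MODULE(vfs_zfsacl, \$(VFS_ZFSACL_OBJ), "bin/zfsacl.$SHLIBEXT", VFS)
+SMB_MODULE(vfs_worm, \$(VFS_WORM_OBJ), "bin/worm.$SHLIBEXT", VFS)
 AC_SUBST(SAMFS_LIBS)
 SMB_MODULE(vfs_samfs, \$(VFS_SAMFS_OBJ), "bin/samfs.$SHLIBEXT", VFS)
 SMB_MODULE(vfs_notify_fam, \$(VFS_NOTIFY_FAM_OBJ), "bin/notify_fam.$SHLIBEXT", VFS)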
|
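--- a/source3/Makefile.in 2013-01-17 15:55:00.777531900 -0800
+++ b/source3/Makefile.in 2013-01-17 16:02:06.513093500 -0800
@@ -813,6 +813,7 @@
 VFS_AIXACL2_OBJ = modules/vfs_aixacl2.o modules/vfs_aixacl_util.o modules/nfs4_acls.o
 VFS_SOLARISACL_OBJ = modules/vfs_solarisacl.o
 VFS_ZFSACL_OBJ = modules/vfs_zfsacl.o modules/nfs4_acls.o
+VFS_WORM_OBJ = modules/vfs_worm.o
 VFS_SAMFS_OBJ = modules/vfs_samfs.o
 VFS_HPUXACL_OBJ = modules/vfs_hpuxacl.o
 VFS_IRIXACL_OBJ = modules/vfs_irixacl.o
@@ -2967,6 +2968,10 @@
 @echo "Building plugin $@"
 @$(SHLD_MODULE) $(VFS_ZFSACL_OBJ) @ZFSACL_LIBS@
 
+bin/worm.@SHLIBEXT@: $(BINARY_PREREQS) $(VFS_WORM_OBJ)
+ @echo "Building plugin $@"
+ @$(SHLD_MODULE) $(VFS_WORM_OBJ)
+
 bin/samfs.@SHLIBEXT@: $(BINARY_PREREQS) $(VFS_SAMFS_OBJ)
 @echo "Building plugin $@"
 @$(SHLD_MODULE) $(VFS_SAMFS_OBJ) @SAMFS_LIBS@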